Aggregator
Heads Up Gamers! Fake Fortnite Android Apps Are Being Spread via YouTube Videos
Does the name “Fortnite” ring any bells? It should, because it’s probably the most popular video game in the world...
The post Heads Up Gamers! Fake Fortnite Android Apps Are Being Spread via YouTube Videos appeared first on McAfee Blog.
New Campaign Targeting Apache Struts 2, WebLogic Deploys Malware Using VBScript
We Are Akamai: What Led Us Here
Spring 2018 Password Attacks
记一次对某企业的渗透测试实战
本文总结一下漫长的渗透测试过程,想尽了各种方法,终于找到了突破口。so没有绝对的安全,所谓的安全性其实都是相对的~
信息踩点在这里其实没办法去做一些有价值的收集,只能踩点,踩坑。
信息难点: 传输加密:要做渗透的目标是一个APP,根据抓到的请求包发现这个APP是经过某产品加固过的,所以HTTP的POST请求正文部分(Data)是神奇的密文~
分析难点分析:
- 信息踩点其实也是解决难点的过程,在这里我们尝试对APP进行逆向,发现并没有什么东西,因为被加固了。
- 对APP进行功能的整理,逐个功能点进行抓包分析:
- 请求正文(data)虽然是密文,但是请求的URI还是真正按照对应的功能去请求的(参考URI的命名和功能的相对应性)
在这里请教了师傅,说可能GET请求参数并没有经过加密,而后台很有可能是这样写的:
<?php $mstsec = $_REQUEST['vulkey'];//注意这里使用的是$_REQUEST 默认情况下包含了 $_GET,$_POST 和 $_COOKIE 的数组。 ?>- 一点即通,首先我可以去测试是否是真的这样的后端处理接收。
- 为了满足第一步的验证,我需要想办法找到一个GET请求的包并且有带有GET参数,这样我才能判断规则,不然就是大海捞针。
其实对APP做渗透测试,大部分情况下还是对网站做渗透测试。
所以在这里抓包获取到的HOST,直接对其进行了前期的常规信息刺探(端口、目录、指纹…)
中间件:Tomcat
目录开放:/fileUpload/
端口开放:8001 1444
APP三个功能点:个人用户、资金管理、生活栏目
渗透开端一开始粗略的对整个APP进行抓包,然后做一些简单的测试,发现并没有那种明面上的漏洞(SQL注入、XSS等等…),但是获取了这几条URI:
- /userCenter/getUser [获取用户信息URI POST]
- /userCenter/pay/getSign?userSign= [获取Sign POST]
- /userCenter/life/showShop?pId= [获取商品信息 GET]
- /userCenter/showQRcode [获取二维码图片 POST]
仔细的对每个功能点进行测试的时候,抓到了一些”逃出加固命运”的明文报文。
- 发现了S2-005这个历史悠久的Struts2框架远程代码执行问题:
执行了whoami:
- 发现了SQL注入,这里需要做一些简单的绕过(e.g. AandND 1 like 1):
然而没看清楚,一下次给日错地方了…很尴尬。
关联分析日偏后我分析了一下两者的特征,发现应该出自同一个程序员之手,并且这个程序员很喜欢使用驼峰命名法…
验证设想(A)在这里我尝试根据每个URI功能点生成GET请求参数的dict:
-
/userCenter/getUser [获取用户信息URI POST]
dict: [uId, userId, uName, userName …]
-
/userCenter/showQRcode [获取二维码图片 POST]
dict: [uId, userId, uName, userName, imagePath, filePath, codePath, fileName …]
生成请求:
GET /userCenter/getUser?uId=10001 GET /userCenter/getUser?userId=10001 GET /userCenter/getUser?uName=test001 GET /userCenter/getUser?userName=test001 ... GET /userCenter/showQRcode?uId=10001 GET /userCenter/showQRcode?userId=10001 GET /userCenter/showQRcode?uName=test001 GET /userCenter/showQRcode?userName=test001 GET /userCenter/showQRcode?imagePath=../../index.do GET /userCenter/showQRcode?filePath=../../index.do GET /userCenter/showQRcode?codePath=../../index.do GET /userCenter/showQRcode?fileName=../../index.do ... 结论现实残酷,打败了设想。
绝处逢生就在想放弃的时候,决定打算”垂死挣扎”一下,重新开始”审视”了各个功能模块,眼光又转到了这个二维码地方。(因为二维码的”皮相”,所以很多人都会忽略它)
这里我去解析了二维码的地址:
失算…失算…,当去访问这个地址的时候,响应报文中会多出这样的头:
... Set-Cookie: USESSIONPID=xxx; ... jpg content这时候我就知道是时候修改uId了,然而修改了没用,根据多年的经验(吹牛)我认为是uSign参数起了作用,这时候对uSign进行删除发现不行,会提示uSign参数不存在,当我置空这个参数,发现居然成功了又返回了用户的Cookie凭证…好吧,说明这里有一个逻辑问题…
到这下去就很简单了,获取管理员权限有上传点,测试使用jhtml的后缀可以直接绕过上传,但是上传上去之后,直接访问就给你download下来了(很多次遇到这种问题…)
好吧,管理员也没啥能危害到服务器的东西了…不过回过头再来看看,二维码这个点还没啃完呢,fileName这个参数还没去测试,fuzzdb了解一下,先怼lfi的字典进去跑(有个坑这里一定要填写完整[uId, uSign]),然后再进行Fuzz:
从intruder模块(BurpSuite)的测试结果发现这里是可以读取文件的,并且判断这个web服务是root权限运行的因为我修改fileName参数的值为../../../etc/shadow时我直接可以获取到文件的内容,从而获取root账号权限的密码:
(解密不了),怎么通过这个本地文件读取漏洞拿到shell?我的思路是通过读取tomcat的密码配置文件然后进入tomcat的Web管理部署war包进行getwebshell,但是这里做了一圈的目录猜解,死活没找到tomcat的应用目录…
读取/root/.bash_history啊(这个文件是记录root用户输入过的命令-老师傅提醒到),突然间我茅塞顿开,是啊,一般运维人员会通过命令行进行管理,那么肯定会有目录出现啊。
我修改fileName参数的值为../../../root/.bash_history,搜索下关键词tomcat就发现了:
成功的发现了root用户的命令历史并且找到了Tomat的应用安装路径,那么我只需要修改fileName的参数值为../../../../home/apache-tomcat-7.0.67/conf/tomcat-users.xml,直接就可以读取到Tomcat的管理员账号权限,从而直接通过外部访问的形式进入Tomcat的管理界面进行控制。
登录进来之后直接到WAR file to deploy功能点,进行war包的部署(在这里使用压缩的方式将网站后门压缩成zip格式然后修改后缀名.zip为.war即可),点击Browser选择war包然后点击Deploy:
这里部署上去之后回到Applications功能点,可以看到部署的情况,点击你的命名链接然后加上你压缩的文件名(这里我的是 /vulkey/vulkey.jsp)使用Webshell管理工具进行管理,看见了我久违的界面,久违的root权限:
总结因为后渗透可能会影响正常业务的运行,所以没有继续进行下去,很遗憾,希望下次有机会。 END: 送给大家一句话:心细则挖天下。
Linux kernel networking: a general introduction
Russian Attacks Against Singapore Spike During Trump-Kim Summit
米家 LED 智能台灯简单分析
开发一个简单的 Chrome 拓展
每次复制域名时都会被 Chrome 复制地址时的 https:// 烦到, 所以干脆自己写个拓展来解决这个问题. Chrome 拓展其实就是一个小网页, 也就是 HTML, 所以我们可以用 JavaScript 来实现获取域名和复制的操作. 具体实现如下.
Anatomy of the Linux 'bdev' file system
Anatomy of the Linux block device driver
互联网安全小兵的日常:如何“体面”地与业务打交道
New Cortana Vulnerability Could Allow Cybercriminals to Bypass Lock Screen On Windows 10
Digital assistants help us look up the weather, play our favorite music, and allow us to quickly access a lot...
The post New Cortana Vulnerability Could Allow Cybercriminals to Bypass Lock Screen On Windows 10 appeared first on McAfee Blog.
June 2018 Security Releases
For of all sad words of tongue or pen, the saddest are these: 'We weren’t logging’
It doesn’t rhyme and it’s not what Whittier said but it’s true. If you don’t log it when it happens, the evidence is gone forever. I know personally of many times where the decision was made not to enable logging and was later regretted when something happened that could have been explained, attributed or proven had the logs been there. On the bright-side there’re plenty of opposite situations where thankfully the logs were there when needed. In fact, in a recent investigation we happened to enable a certain type of logging hours before the offender sent a crucial email that became the smoking gun in the case thanks to our ability to correlate key identifying information between the email and log.
Why don’t we always enable auditing everywhere? Sometimes it’s simple oversight but more often the justification is:
- We can’t afford to analyze it with our SIEM
- We don’t have a way to collect it
- It will bog down our system
Let’s deal with each of those in turn and show why they aren’t valid.
We can’t afford to analyze it with our SIEM
Either because of hardware resources, scalability constraints or volume-based licensing organizations limit what logging they enable. Let’s just assume you really can’t upgrade your SIEM for whatever reason. That doesn’t stop you from at least enabling the logging. Maybe it doesn’t get analyzed for intrusion detection. But at least it’s there (the most recent activity anyway) when you need it. Sure, audit logs aren’t safe and shouldn’t be left on the system where they are generated but I’d still rather have logging turned on even if it just sits there being overwritten. Many times, that’s been enough to explain/attribute/prove what happened. But here’s something else to consider, even if you can’t analyze it “live” in your SIEM, doesn’t mean you have to leave it on the system where it’s generated – where’s it’s vulnerable to deletion or overwriting as it ages out. At least collect the logs into a central, searchable archive like open-source Elastic.
We don’t have a way to collect it
That just doesn’t work either. If your server admins or workstation admins push back against installing an agent, you don’t have to resort to remote polling-based log collection. On Windows use native Windows Event Forwarding and on Linux use syslog. Both technologies are agentless and efficient. And Windows Event Forwarding is resilient. You can even define noise filters so that you don’t clog your network and other resources with junk events.
Logging will bog down our system
This bogey-man is still active. But it’s just not based on fact. I’ve never encountered a technology or installation where properly configured auditing made a material impact on performance. And today storage is cheap and you only need to worry about scheduling and compression on the tiniest of network pipes – like maybe a ship with a satellite IP link. Windows auditing is highly configurable and as noted earlier you can further reduce volume by filtering noise at the source. SQL Server auditing introduced in 2008 is even more configurable and efficient. If management is serious they will require this push-back be proven in tests and – if you carefully configure your audit policy and output destination - likely the tests will show auditing has negligible impact.
When it comes down to it, you can’t afford not to log. Even if today you can’t collect and analyze all your logs in real-time at least turn on logging in each system and application. And keep working to expand collection and analysis. You won’t regret it.
“This article by Randy Smith was originally published by EventTracker”https://www.eventtracker.com/tech-articles/for-of-all-sad-words-of-tongue-or-pen-the-saddest-are-these-we-werent-logging/