Analysis of the Latest Arbitrary File Read in Grafana and Explanation of Derived Issues
This morning I saw a screenshot of the vulnerability tweet posted by chybeta in the group chat. I vaguely remembered that we were also using it, but I didn't pay much attention until chybeta and p🐂 quickly reproduced it and the pressure landed on me. Helplessly, I forced myself to open GitHub and look at the latest version of Grafana's code. After spending the whole noon on it and having a pork knuckle meal, I finally finished the analysis. (Sigh, I feel like hanging myself)
Penetration of backend permissions, database, server
Cracking and customizing scripts for domestic and overseas sites and apps
• alert: This file includes all warning information.
• gpsxml: If a GPS source is used, the related GPS data is saved in this file.
• nettxt: Includes all collected text output information.
• netxml: Includes all data in XML format.
• pcapdump: Includes all packets captured during the session.
SPEL Injection in Higher JDK Versions (MethodHandle)
After solving the above problem, I thought this vulnerability was over, but then I encountered another more complex environment. It can execute commands but cannot load bytecode. After going in circles for a long time, I finally remembered to check the system variables of the target environment, which is JDK 18. There are few exploitation articles for higher versions, so I am recording this.
DoH has not yet become a global standard on the Internet; most connections still rely on basic DNS. So far, only Google and Mozilla have ventured into this field. Google is currently testing this feature with some users. In addition, there are applications for mobile devices that can also surf the web via DoH. Android Pie also offers an option to enable HTTPS-based DNS through network settings.
Because the AD domain service is a server function, the "Server" service must be enabled in the services of the Windows Server machine.
Open "Control Panel" - "System and Security" - "Administrative Tools" - "Services" (or enter "services.msc" directly in "Run"), select "Server" there, double-click to open its properties page, set the startup type to "Automatic", then click "Apply" and "Start" the service:
Now I add the computer (web-2012) to the parent domain controller for management. The machine here is Windows Server 2012 R2.
1. Right-click "Computer" - "Properties" - "Change settings":
2. Then, in the computer name settings, join the parent domain: redteam.com
Before confirming, we need to set the current machine's IP address and DNS, otherwise it cannot join the domain:
VMware vCenter RCE Vulnerability Pitfalls Record — What Knowledge Can a Simple RCE Vulnerability Really Reveal
Avoid all pitfalls and quickly reproduce this vulnerability:
Read 0x01 Vulnerability Environment Setup -> "Following the steps below will definitely succeed" and 0x02 Vulnerability PoC Construction -> "Following the steps below will definitely succeed".
Browse by problem:
If you also encounter similar issues, see here.
Environment setup always fails: read 0x01 Vulnerability Environment Setup -> Pitfall 1: Do not use the 7.0.x ISO image with this method, there is an unsolvable bug! and Pitfall 2: A virtual machine network adapter set to NAT mode cannot save the hostname.
Manually modifying the uploaded packet causes failure, and packaging the tar on macOS causes problems: read 0x02 Vulnerability PoC Construction -> Pitfall 2: Why can't the data packet be modified directly?
CNCF (Cloud Native Computing Foundation) states in its definition of cloud native that "representative technologies of cloud native include containers, service mesh, microservices, immutable infrastructure, and declarative APIs."
The vulnerabilities and exploitation techniques we discuss today closely revolve around the above-mentioned technologies and various technical architectures evolved from cloud native related technologies, including but not limited to containers, service mesh, microservices, immutable infrastructure, declarative APIs, serverless architecture, function computing, DevOps, etc. It also involves common security issues encountered by development teams when using some cloud native open source components and during self-developed or secondary development. We do not extend or elaborate much on the concept of "cloud native security," and all mentioned security vulnerabilities have practical exploitation experience accumulated through internal and external offensive and defensive exercises and vulnerability hunting by the "Tencent Blue Team."
If you are not familiar with Kubernetes PODs, the above configuration is actually quite similar to executing the following docker commands on a business server where ROOT privileges are desired:
This video demonstrates how an unauthenticated attacker can access any user's files.
CVE-2023-49105: Privilege Escalation, Remote Code Execution
This vulnerability is unrelated to Docker, with a CVSS score of 9.8. It affects all ownCloud versions from 10.6.0 to 10.13.0. Unfortunately, ownCloud's announcement is not precise enough and only partially describes the impact on unauthenticated users.
The real impact is twofold:
Attackers without an account can control (CRUD) all files under any account. In some cases, they can even perform RCE.
Attackers with standard account credentials can escalate to admin and gain RCE.
Let's first start with the unauthenticated attack.
From Anonymous to User (and RCE)
When requests are made to certain parts of the site (including WEBDAV and CALDAV), users can authenticate by providing a username and a signature. The signature is calculated based on the user's specific key and elements in the HTTP request (such as GET parameters, HTTP method, etc.). Unfortunately, by default, users do not set a key. In this case, their signature key defaults to an empty string. Therefore, an unauthenticated attacker who knows the username can impersonate any user.