The TinycallProxy module is used to call target functions indirectly. HijackLoader writes the TinycallProxy module into the code section of a DLL and passes it the target function and its parameters; TinycallProxy then invokes the target function on the caller's behalf.
When calling sensitive functions such as CoInitialize and CoCreateInstance, the module goes through TinycallProxy so that the return address on the stack points into a legitimate DLL's code section rather than into the loader's own memory, which defeats call-stack backtracing.
Contact: @Rolllli
No matter how robust a system and its security measures are, they are ultimately controlled by humans, and humans are the root of vulnerabilities.
No technical skills are required; anyone with at least an elementary-school education and average or better intelligence can launch a hacking attack.
* Weak password mass intrusion
Integrating web routing
Some scenarios for extending routing rules:
The asset is a public domain name address with strong authentication. Any route path redirects to the account, but account is an overridden class and doesn't exist. Although the routing is uncontrollable, the bundled JS file is obtained.
This address actually corresponds to the EtwpEventWriteFull function, but this function is not visible in x64dbg. We can check it in IDA, which I won't show you here; you can look it up yourself. So we can patch this function to achieve the effect of bypassing ETW: we replace its call instruction with nop instructions. The call opcode is 1 byte (E8) and, when it is followed by a relative address, that address is 4 bytes, so the instruction occupies 5 bytes and any replacement must cover all 5 of them. The opcode for nop is 90.
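As an added example (not code from the original post), the following Python models the patch on a byte buffer: it decodes `call rel32` (E8) instructions, scans a code blob for calls whose target is a given address (standing in for EtwpEventWriteFull), refuses to patch a site unless it really targets that address, and overwrites the 5 bytes with NOPs. The code bytes, load address and target address are constructed for illustration and are not taken from ntdll; writing the patch into a live process would additionally need VirtualProtect/WriteProcessMemory, which is not shown here.

```python
# Added example: replacing an x86/x64 `call rel32` (E8 xx xx xx xx) with NOPs.
# The code bytes, base address and target address below are constructed for
# illustration; they are not real ntdll addresses.

from typing import List, Tuple

CALL_REL32 = 0xE8                               # opcode byte of `call rel32`
CALL_LEN = 5                                    # 1 opcode byte + 4-byte signed displacement
NOP_5_SINGLE = bytes.fromhex("0f1f440000")      # one 5-byte `nop dword ptr [rax+rax*1+0]`
NOP_5_MULTI = b"\x90" * CALL_LEN                # five 1-byte NOPs


def call_target(code: bytes, off: int, base: int) -> int:
    """Decode the absolute target of the `call rel32` at code[off]."""
    if off + CALL_LEN > len(code):
        raise ValueError("call site runs past end of buffer")
    if code[off] != CALL_REL32:
        raise ValueError(f"no E8 opcode at offset {off:#x}")
    rel = int.from_bytes(code[off + 1:off + CALL_LEN], "little", signed=True)
    # rel32 is relative to the address of the *next* instruction
    return base + off + CALL_LEN + rel


def find_calls_to(code: bytes, base: int, target: int) -> List[int]:
    """Return offsets of every E8 call whose decoded target == target.

    A linear byte scan can hit an E8 that is really part of another
    instruction, so confirm the site (e.g. against IDA) before patching;
    requiring the exact target address filters out most false hits.
    """
    hits = []
    for off in range(0, len(code) - CALL_LEN + 1):
        if code[off] == CALL_REL32 and call_target(code, off, base) == target:
            hits.append(off)
    return hits


def patch_call(code: bytes, off: int, base: int, expected_target: int,
               single_nop: bool = True) -> bytes:
    """Return a copy of code with the call at off replaced by 5 bytes of NOP.

    Refuses to patch unless the site is a call to expected_target. A single
    5-byte NOP keeps the stream as one instruction, which is friendlier to
    disassemblers and to anything single-stepping the code; five 0x90 bytes
    behave identically at runtime.
    """
    actual = call_target(code, off, base)
    if actual != expected_target:
        raise ValueError(f"call at {off:#x} targets {actual:#x}, "
                         f"expected {expected_target:#x}")
    filler = NOP_5_SINGLE if single_nop else NOP_5_MULTI
    return code[:off] + filler + code[off + CALL_LEN:]


def demo() -> Tuple[bytes, List[int], bytes]:
    base = 0x7FF800001000      # assumed load address of the snippet
    target = 0x7FF800002000    # assumed address of EtwpEventWriteFull
    # Constructed snippet: a call to `target` at offset 3 and an unrelated
    # call at offset 10. rel32 = target - (base + off + 5).
    code = bytearray(b"\x48\x8b\xc1")                                   # mov rax, rcx
    rel = target - (base + len(code) + CALL_LEN)
    code += bytes([CALL_REL32]) + rel.to_bytes(4, "little", signed=True)  # call target
    code += b"\x85\xc0"                                                 # test eax, eax
    code += bytes([CALL_REL32]) + (0x10).to_bytes(4, "little", signed=True)  # call +0x10
    code += b"\xc3"                                                     # ret
    code = bytes(code)
    sites = find_calls_to(code, base, target)
    patched = patch_call(code, sites[0], base, target)
    return code, sites, patched


if __name__ == "__main__":
    original, sites, patched = demo()
    print("call sites to target:", [hex(s) for s in sites])
    print("before:", original.hex())
    print("after: ", patched.hex())
```

The scan-by-target step is the part that matters in practice: it lets you confirm the call site from the bytes themselves instead of trusting an offset copied from a disassembler, and it rejects the patch if the bytes at that offset have changed (a different ntdll build, or a hook already in place).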
An intuitive graphical user interface with many seamlessly integrated penetration testing tools, allowing both automated and manual penetration testing.
Quickly enumerates pages within web applications; used by professional web application security researchers and bug bounty hunters. Its functionality can be extended by installing add-ons called BApps.
Well documented, with fast attack speed.
Burp Suite is a comprehensive web application security tool covering many known web application vulnerabilities. It can enumerate and analyze the application's attack surface and find and exploit security vulnerabilities.
Synchronous loading typically involves embedding or linking external JavaScript files directly within the HTML document using the <script> tag. In this method, the browser waits for the JavaScript file to load and execute before continuing to parse the rest of the HTML document.
Asynchronous loading of JavaScript can be achieved using the async or defer attribute within the <script> tag. Asynchronous loading allows the browser to continue parsing the HTML without waiting for the JavaScript file to load and execute. The two attributes differ in execution timing: an async script runs as soon as it has downloaded, so execution order across scripts is not guaranteed, whereas defer scripts run after parsing completes, in document order.
Restrict who may create token objects (SeCreateTokenPrivilege) via GPO, removing unnecessary users or groups and retaining only those that genuinely need the right: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object.
Restrict who may replace a process-level token (SeAssignPrimaryTokenPrivilege), which by default is granted only to Local Service and Network Service, via GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token.
For example, some management processes in virtual machines, such as vmtools.exe, can be blacklisted, while common office software, such as WeChat and Lark, can be whitelisted.
In any network using Kerberos authentication, a Service Principal Name (SPN) must be registered for the service under a machine account or user account (each service using Kerberos requires an SPN). Within the internal network, SPN scanning performs service discovery by querying the domain controller, so it touches only the DC's directory and never the service hosts themselves.
setspn -q */* retrieves all registered SPNs in the domain. Here, we search for the MSSQL service:
setspn -q */* | findstr "MSSQL"
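The findstr pipeline above prints only the matching SPN lines and discards the account line that precedes them, so you lose which account owns each SPN. As an added example (not from the original post), the following Python parses setspn output into account-to-SPN mappings, filters by service class case-insensitively, and flags SPNs that appear to sit on user rather than computer accounts. The sample output is constructed for illustration, and the user-account heuristic (CN does not match the SPN host) is an assumption for the example; a real tool should check objectClass via LDAP.

```python
# Added example: parse `setspn -q */*` output and group SPNs by owning account.
# SAMPLE_OUTPUT is constructed for illustration, not captured from a real domain.

import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
Checking domain DC=corp,DC=local
CN=SQL01,OU=Servers,DC=corp,DC=local
\tMSSQLSvc/sql01.corp.local:1433
\tMSSQLSvc/sql01.corp.local
\tHOST/SQL01
\tHOST/sql01.corp.local
CN=svc_sql,OU=Service Accounts,DC=corp,DC=local
\tMSSQLSvc/sql02.corp.local:1433
\tMSSQLSvc/sql02.corp.local:SQLEXPRESS
CN=WEB01,OU=Servers,DC=corp,DC=local
\tHTTP/web01.corp.local
\tHOST/WEB01

Existing SPN found!
"""

# serviceclass/host[:port-or-instance][/servicename]
SPN_RE = re.compile(r"^(?P<cls>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>[^/]+))?(?:/(?P<name>.+))?$")

Hit = Tuple[str, str, str, str]   # (account DN, host, port-or-instance, full SPN)


def parse_setspn(text: str) -> Dict[str, List[str]]:
    """Map each account DN to the SPNs registered on it.

    Account lines start at column 0 with "CN="; the SPNs that follow are
    indented. Status lines ("Checking domain ...", "Existing SPN found!") are
    skipped and also end the current account block.
    """
    spns: Dict[str, List[str]] = defaultdict(list)
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is not None:
                spns[current].append(raw.strip())
        elif raw.startswith("CN="):
            current = raw.strip()
        else:
            current = None
    return dict(spns)


def find_service(spns: Dict[str, List[str]], service_class: str) -> List[Hit]:
    """Return every SPN of one service class, keeping the owning account.

    The class comparison is case-insensitive, unlike findstr without /i.
    """
    hits: List[Hit] = []
    for account, entries in spns.items():
        for spn in entries:
            m = SPN_RE.match(spn)
            if m and m.group("cls").lower() == service_class.lower():
                hits.append((account, m.group("host"), m.group("port") or "", spn))
    return hits


def cn_of(dn: str) -> str:
    """'CN=SQL01,OU=Servers,...' -> 'SQL01'."""
    return dn.split(",", 1)[0][3:]


def likely_user_account_spns(hits: List[Hit]) -> List[Hit]:
    """Keep hits whose owning account does not look like the host's computer account.

    Heuristic (assumption for this example): a computer account's CN equals the
    SPN host's short name. SPNs on user accounts are the ones whose service
    tickets can be requested and cracked offline (Kerberoasting).
    """
    out: List[Hit] = []
    for account, host, port, spn in hits:
        short = host.split(".", 1)[0].lower()
        if cn_of(account).lower() != short:
            out.append((account, host, port, spn))
    return out


if __name__ == "__main__":
    table = parse_setspn(SAMPLE_OUTPUT)
    for account, host, port, spn in find_service(table, "MSSQLSvc"):
        print(f"{cn_of(account):10} {host}:{port or '-'}  ({spn})")
    print("on user accounts:", [h[3] for h in likely_user_account_spns(find_service(table, "MSSQLSvc"))])
```

On a real domain, feed the function the captured text (`setspn -q */* > spns.txt`) rather than the constructed sample; the parser only depends on the account/indented-SPN layout setspn prints.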
Decrypting Configuration Information (Config)
In V2.X and V3, Fodcha uses a flat (parallel) organization for its Config, while in V4 and V4.X it uses a structured organization.
After reverse engineering, we wrote the following IDAPython script to decrypt the configuration information.
The decrypted Config information is shown in the following table. It can be seen that the "surrender" Easter egg is still preserved at index 11. Additionally, it's worth noting that index 12 is the reporter server address.
A record of a simple website takeover
Introduction:
First, the situation was this: someone sent me a message saying that a website had a SQL injection (already authorized), but he had only managed to get the administrator's username and password. He had no idea about the back-end or how to get remote access. So, since it was my lunch break, I thought I'd help, and what followed was a series of classic operations.
Penetration process:
Step one, information gathering:
Since there was a SQL injection, information gathering was simple: I checked the IP and port
Simple and brute: password, decrypt the MD5, get into the database and look up the administrator's hash value directly in the database
Getting into the back-end:
I complain that he couldn't access the back-end because the back-end path had been changed, which was why the apprentice couldn't find the back-end login address. But I, miraculously, found the back-end login address on the home page and successfully logged into the back-end