Snappyjack pwn

Fuzzing interactive applications with afl + preeny

Xianzhi community submission

Fuzzing UDP-based programs and an analysis of CVE-2018-18066

Xianzhi community submission

Rick teaches you to write shellcode: the evil PDF

Xianzhi community submission

Rick on privilege escalation: several unconventional escalation attempts using CVE-2020-8835

Xianzhi community submission

MuddyWater APT: macro malware analysis

Xianzhi community submission

CVE-2019-6445 analysis and reproduction

Xianzhi community submission

APT37 analysis: Final1stspy

Xianzhi community submission

Understanding DynELF

Notes on DynELF

Trying out Frida

Notes from trying out Frida

Trying out falco and sysdig

Tool trial

Remote SSH and file transfer with iTerm2 + sshpass

Remote SSH and file transfer with iTerm2 + sshpass

Notes on countering LD_PRELOAD

On countering LD_PRELOAD

Installing and trying out HELK

threat hunting

Identifying lateral movement at the network layer

wireshark, scapy

Trying out the bluespawn tool

Tool trial

Trying JA3 for TLS traffic monitoring

TLS monitoring

Domain Fronting configuration guide

Domain Fronting

Using the dnscat2 tool

Tool trial

cve-2020-8647

unsorted bin attack

magicheap unsorted bin attack

unsorted bin attack

heapcreator heap off-by-one

heap off-by-one

bamboobox house of force and unlink

house of force and unlink

babysecretgarden fastbin attack

fastbin attack

hacknote: simple UAF exploitation

Simple UAF exploitation

Linux system programming: advanced I/O

Linux system programming

Linux system programming: IPC

Linux system programming

Using userfaultfd in kernel exploitation

kernel pwn

kernel pwn: ret2dir

kernel pwn

Uninitialized stack variable vulnerabilities

kernel pwn

Heap spraying notes

kernel pwn

Privilege escalation from an arbitrary read/write primitive

kernel pwn

kernel pwn wctf2018-klist

kernel pwn

Reproducing a Linux kernel 4.20 BPF vulnerability

Vulnerability reproduction

Fuzzing TCP-based protocols

fuzz

Kernel fuzzing with Syzkaller

Kernel fuzzing

CISCN2017 babydriver

kernel pwn

2019 STARCTF hackme

Privilege escalation via the modprobe_path technique

2018 kernel pwn core

kernel pwn

2018 0CTF Finals Baby Kernel

kernel pwn

The complete afl-fuzz workflow

afl-fuzz with AddressSanitizer

Techniques for extracting macro malware

Simple techniques for extracting macro malware

Algorithm reversing, lesson one

Simple algorithm reversing

Setting up a two-machine kernel debugging environment with WinDbg Preview + VirtualBox

Kernel debugging

Learning security with ATT&CK: privilege-escalation

Learning security with ATT&CK: privilege-escalation

Learning security with ATT&CK: lateral-movement

Learning security with ATT&CK: lateral-movement

Learning security with ATT&CK: exfiltration

Learning security with ATT&CK: exfiltration

Learning security with ATT&CK: discovery

Learning security with ATT&CK: discovery (category: ATT&CK)

T1087 - Account Discovery

On Windows, net user, net group and net localgroup (the Net tool set) or dsquery can be used. This also covers owner/user discovery: the red team wants to know the primary users and who is currently logged on, and often obtains user names through Credential Dumping.

On Linux, /etc/passwd lists the users.

Test 1: enumerate all accounts on Linux
cat /etc/passwd

Reproduced successfully

Test 2: view accounts with sudoer privileges (/etc/sudoers is only readable as root)
cat /etc/sudoers

Reproduced successfully

Test 3: view accounts with UID 0
grep 'x:0:' /etc/passwd

Reproduced successfully

Test 4: list files opened by a user
lsof -u $username

Reproduced successfully

Test 5: show whether a user account has ever logged in remotely
lastlog

Reproduced successfully

Test 6: enumerate users and groups
groups
id

Reproduced successfully
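
Added example (mine, not from the original post or from Atomic Red Team): the grep 'x:0:' check in Test 3 only matches entries whose password field is the literal x, so a second UID-0 account whose password field is *, ! or a hash slips past it. The functions below select on the numeric UID field instead, count UID-0 accounts (more than one is a classic backdoor indicator) and list accounts with a real login shell. The passwd content is a constructed sample, not a real system file, and the toor entry is invented for the demo.

```sh
#!/bin/sh
# Added example: account discovery on a passwd file, selecting on the numeric UID
# field rather than on the literal text "x:0:". Takes the file as an argument so the
# same functions run against a constructed sample or against the real /etc/passwd.

# Every account whose UID (field 3) is 0, whatever its password field contains.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# Number of UID-0 accounts; anything above 1 deserves a closer look.
uid0_count() {
  uid0_accounts "$1" | wc -l | tr -d ' '
}

# Accounts with a shell that is not nologin/false. An empty shell field counts as
# interactive because login(1) falls back to /bin/sh in that case.
interactive_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Constructed sample (not a real system file); "toor" is an invented backdoor entry
# whose password field is "*", which is exactly what grep 'x:0:' would miss.
write_sample_passwd() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:*:0:0:backdoor:/root:/bin/sh
svc:x:999:999::/var/lib/svc:/bin/false
EOF
  echo "$f"
}

sample=$(write_sample_passwd)
echo "UID 0 accounts:";        uid0_accounts "$sample"
echo "UID 0 count: $(uid0_count "$sample")"
echo "interactive accounts:";  interactive_accounts "$sample"
echo "what grep 'x:0:' sees:"; grep 'x:0:' "$sample"
rm -f "$sample"
```

Run it against the real file with `uid0_accounts /etc/passwd`; on a healthy host the count is 1.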

Test 7: enumerate all accounts
net user
net user /domain
dir c:\Users\
cmdkey.exe /list
net localgroup "Users"
net localgroup

Reproduced successfully on Win10

Test 8: enumerate all accounts via PowerShell
net user
net user /domain
get-localuser
get-localgroupmember -group Users
cmdkey.exe /list
ls C:/Users
get-childitem C:\Users\
dir C:\Users\
get-aduser -filter *
get-localgroup
net localgroup

Reproduced successfully on Win10

Test 9: enumerate logged-on users
query user

Reproduced successfully on Win10

T1124 - System Time Discovery

net time \\#{computer_name}

For example

net time \\localhost

Or

w32tm /tz

Or, in PowerShell

Get-Date

T1010 - Application Window Discovery

The red team can list the application windows on the host as follows.

Test 1: List Process Main Windows - C# .NET

Compile the source into an exe, then run it to list the main window of each running process.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} T1010.cs
#{output_file_name}

Works quite well.

Reproduced successfully on Win10

T1217 - Browser Bookmark Discovery

Test 1: list Mozilla Firefox bookmark database files on Linux
find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;

Will try this on my laptop later.

Test 2: list Google Chrome bookmarks on Windows with PowerShell
where.exe /R C:\Users\ Bookmarks

Reproduced successfully on Win10

Test 3: list Google Chrome bookmarks on Windows with command prompt
where /R C:\Users\ Bookmarks

Reproduced successfully on Win10

T1482 - Domain Trust Discovery

On domain trusts: within a single domain, member servers can easily grant resources to domain users based on the user accounts in Active Directory. But one domain only reaches so far, and some enterprises run several domains, so how are resources granted across domains, that is, how do we let domain A's users reach domain B's resources? Broadly there are two options. One is mirrored accounts: create an account with the same user name and password in both domain A and domain B; once domain B grants resources to that account, the mirrored account in domain A can reach the resources in domain B. The other is a trust relationship between the domains, which is what this technique enumerates.

The red team collects domain trust relationships to plan lateral movement. Enumeration can be done through the DSEnumerateDomainTrusts() Win32 API.

Test 1: Windows - discover domain trusts with dsquery
dsquery * -filter "(objectClass=trustedDomain)" -attr *

The specified domain does not exist here; should be reproducible.

Test 2: Windows - discover domain trusts with nltest

nltest reveals the trusted domains; this technique has been used by the Trickbot malware family.

nltest /domain_trusts

Reproduced successfully on Win10

Test 3: PowerShell enumerate domains and forests (Get-NetDomainTrust and Get-NetForestTrust are PowerView functions; Get-ADDomain and Get-ADGroupMember come from the ActiveDirectory module)
Get-NetDomainTrust
Get-NetForestTrust
Get-ADDomain
Get-ADGroupMember Administrators -Recursive

Not reproduced successfully

T1083 - File and Directory Discovery

The red team enumerates files and directories to gather information, typically with the tree and dir commands or the Windows API; on Linux, with ls, find and locate.

Test 1: file and directory discovery
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir /s d:\ >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
tree /F >> %temp%\download

Reproduced successfully on Win10

Test 2: file and directory discovery

Run in PowerShell

ls -recurse
get-childitem -recurse
gci -recurse

Reproduced successfully on Win10

Test 3: Nix file and directory discovery
ls -a > allcontents.txt
ls -la /Library/Preferences/ > detailedprefsinfo.txt
file */* * >> ../files.txt
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh

Reproduced successfully

Test 4: Nix file and directory discovery
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
cat /etc/mtab >> /tmp/loot.txt
find . -type f -iname "*.pdf" >> /tmp/loot.txt
find . -type f -name ".*"

Reproduced successfully

T1046 - Network Service Scanning

Test 1: port scan

On Linux, with bash's /dev/tcp (a plain connect with no timeout, so a filtered port stalls the loop until the kernel gives up)

for port in {1..65535};
do
  echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done

Reproduced successfully

Test 2: port scan with Nmap
nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}

Reproduced successfully

T1135 - Network Share Discovery

On Windows, file sharing normally uses SMB. net view \\remotesystem queries whether a remote machine exposes shares, and net share lists the shares exported by the local host; the red team uses this to plan further lateral movement.

Test 1: network share discovery
df -aH
smbutil view -g //#{computer_name}
showmount #{computer_name}

Reproduced successfully

Test 2: network share discovery from the command prompt
net view \\#{computer_name}

For example

net view \\localhost

Reproduced successfully on Win10

T1040 - Network Sniffing

Nothing much to say here: this is just capturing traffic.

T1201 - Password Policy Discovery

The red team learns the password rules of the target network to shrink the brute-force search space. On Windows: net accounts and net accounts /domain; on Linux: chage -l and cat /etc/pam.d/common-password.

Test 1: examine password complexity policy - Ubuntu
cat /etc/pam.d/common-password

Should work

Test 2: examine password complexity policy - CentOS/RHEL 7.x
cat /etc/security/pwquality.conf

Reproduced successfully

Test 3: examine password complexity policy - CentOS/RHEL 6.x
cat /etc/pam.d/system-auth
cat /etc/security/pwquality.conf

Reproduced successfully

Test 4: examine password expiration policy - all Linux
cat /etc/login.defs

Reproduced successfully

Test 5: examine local password policy - Windows
net accounts

Reproduced successfully on Win10

Test 6: examine domain password policy - Windows
net accounts /domain

Reproduced successfully on Win10

T1069 - Permission Groups Discovery

The red team looks up local and remote groups to learn which permissions exist. On Windows: net group /domain and net localgroup; on Linux: groups and ldapsearch.

Test 1: permission groups discovery
dscacheutil -q group
dscl . -list /Groups
groups

Reproduced successfully

Test 2: basic permission groups discovery on Windows
net localgroup
net group /domain

Reproduced successfully

Test 3: permission groups discovery with PowerShell

Run in PowerShell

get-localgroup
get-ADPrincipalGroupMembership #{user} | select name

Reproduced successfully on Win10

Test 4: elevated group enumeration using net group (Account Operators and Backup Operators are built-in domain-local groups, so they are queried with net localgroup rather than net group)
net group "Domain Admins" /domain
net localgroup "Account Operators" /domain
net group "Exchange Organization Management" /domain
net localgroup "Backup Operators" /domain

Not reproduced successfully

T1057 - Process Discovery

Test 1: process discovery - ps

On Linux

ps >> #{output_file}
ps aux >> #{output_file}

Reproduced successfully

Test 2: process discovery - tasklist

On Windows

tasklist

Reproduced successfully on Win10

T1018 - Remote System Discovery

Test 1: remote system discovery - net
net view /domain
net view

Reproduced successfully on Win10

Test 2: remote system discovery - net group Domain Computers
net group "Domain Computers" /domain

Should work

Test 3: remote system discovery - nltest
nltest.exe /dclist:#{target_domain}

Should work

Test 4: remote system discovery - ping sweep
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i

Reproduced successfully on Win10

Test 5: remote system discovery - arp
arp -a

Reproduced successfully on Win10

Test 6: remote system discovery - arp nix
arp -a | grep -v '^?'

Reproduced successfully

Test 7: remote system discovery - sweep
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done

Reproduced successfully

Test 8: remote system discovery - nslookup

Run in PowerShell

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}

Reproduced successfully on Win10

T1518 - Software Discovery

Test 1: find and display the Internet Explorer browser version
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion

Reproduced successfully on Win10

Test 2: applications installed
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize

Reproduced successfully on Win10

T1082 - System Information Discovery

Test 1: system information discovery
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

Reproduced successfully on Win10

Test 2: system information discovery (macOS)
systemsetup
system_profiler
ls -al /Applications

Not reproduced successfully

Test 3: list OS information
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt

Reproduced successfully

Test 4: Linux VM check via hardware
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|qemu\|domu"
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"

Reproduced successfully

Test 5: Linux VM check via kernel modules
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_balloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"

Reproduced successfully

Test 6: hostname discovery (Windows and Linux)
hostname

Reproduced successfully on Win10 and Linux

Test 7: Windows MachineGUID discovery
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

Reproduced successfully on Win10

T1016 - System Network Configuration Discovery

Test 1: system network configuration discovery
ipconfig /all
netsh interface show
arp -a
nbtstat -n
net config

Reproduced successfully on Win10

Test 2: list Windows Firewall rules
netsh advfirewall firewall show rule name=all

Reproduced successfully on Win10

Test 3: system network configuration discovery
arp -a
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
ifconfig

Reproduced successfully

Test 4: system network configuration discovery (Trickbot style)
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts

Reproduced successfully on Win10
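
Added example (mine, not from the original post, from Atomic Red Team or from Trickbot): the defender-side counterpart of the Trickbot-style sequence, generalised to the other discovery commands on this page. It reads tab-separated process-creation records in a column layout I made up for the demo (epoch seconds, host, user, image path, command line; the sample lines and the host names WS01/WS02 are constructed) and reports any host that runs three or more distinct discovery techniques within 60 seconds. The technique mapping uses the IDs from this post.

```sh
#!/bin/sh
# Added example: flag hosts that run several distinct discovery commands in a short
# window. Input is tab-separated (constructed format, not a real log source):
#   <epoch seconds> TAB <host> TAB <user> TAB <image path> TAB <command line>

discovery_bursts() {
  # $1 = log file, $2 = window in seconds (default 60), $3 = distinct techniques required (default 3)
  tab=$(printf '\t')
  sort -t "$tab" -k2,2 -k1,1n "$1" | awk -F "$tab" -v win="${2:-60}" -v need="${3:-3}" '
  # Map a lower-cased command line to the ATT&CK technique it most resembles; "" if none.
  function classify(c) {
    if (c ~ /^ipconfig[ \t]+\/all/)        return "T1016";
    if (c ~ /^net[ \t]+config/)             return "T1016";
    if (c ~ /^net[ \t]+view/)               return "T1018";
    if (c ~ /^nltest[ \t]+\/dclist/)        return "T1018";
    if (c ~ /^nltest[ \t]+\/domain_trusts/) return "T1482";
    if (c ~ /^net[ \t]+(user|localgroup)/)  return "T1087";
    if (c ~ /^net[ \t]+group/)              return "T1069";
    if (c ~ /^(whoami|quser|qwinsta)/)      return "T1033";
    if (c ~ /^systeminfo/)                  return "T1082";
    return "";
  }
  {
    t = classify(tolower($5));
    if (t == "") next;
    n[$2]++; ts[$2, n[$2]] = $1 + 0; tech[$2, n[$2]] = t;
  }
  END {
    # Slide a window over the discovery events of each host and report the first
    # window holding at least "need" distinct techniques as "<host> <window start> <count>".
    for (h in n)
      for (i = 1; i <= n[h]; i++) {
        split("", seen); cnt = 0;
        for (j = i; j <= n[h] && ts[h, j] - ts[h, i] <= win; j++)
          if (!(tech[h, j] in seen)) { seen[tech[h, j]] = 1; cnt++ }
        if (cnt >= need) { printf "%s %d %d\n", h, ts[h, i], cnt; break }
      }
  }'
}

# Constructed sample records (invented hosts, users and timestamps): WS01 runs the
# Trickbot-style sequence inside 8 seconds, WS02 runs two discovery commands an hour apart.
write_sample_log() {
  f=$(mktemp)
  printf '%s\t%s\t%s\t%s\t%s\n' \
    1700000000 WS01 alice 'C:\Windows\System32\ipconfig.exe' 'ipconfig /all' \
    1700000003 WS01 alice 'C:\Windows\System32\net.exe'      'net config workstation' \
    1700000005 WS01 alice 'C:\Windows\System32\net.exe'      'net view /all /domain' \
    1700000008 WS01 alice 'C:\Windows\System32\nltest.exe'   'nltest /domain_trusts' \
    1700000100 WS02 bob   'C:\Windows\System32\ipconfig.exe' 'ipconfig /all' \
    1700000130 WS02 bob   'C:\Windows\System32\notepad.exe'  'notepad C:\Users\bob\notes.txt' \
    1700004000 WS02 bob   'C:\Windows\System32\net.exe'      'net view /all /domain' \
    > "$f"
  echo "$f"
}

log=$(write_sample_log)
echo "hosts with >=3 discovery techniques inside 60s:"
discovery_bursts "$log"
rm -f "$log"
```

Real Sysmon event 1 or Security 4688 exports only need to be flattened into that column layout; the window and threshold are the second and third arguments, and a single ipconfig on WS02 never trips the rule because the count is over distinct techniques, not commands.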

Test 5: list open egress ports

That is, finding which outbound ports the firewall lets through; run in PowerShell (allports.exposed accepts connections on every TCP port, so an "open" result means the egress path allows that port)

1..1024 | % {$test= new-object system.Net.Sockets.TcpClient; $wait = $test.beginConnect("allports.exposed",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "

Or

21,22,23,25,80,443,1337 | % {$test= new-object system.Net.Sockets.TcpClient; $wait =$test.beginConnect("allports.exposed",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "

Or

80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900,1025,587,8888,199,1720,465,548,113,81,6001,10000,514,5060,179,1026,2000,8443,8000,32768,554,26,1433,49152,2001,515,8008,49154,1027,5666,646,5000,5631,631,49153,8081,2049,88,79,5800,106,2121,1110,49155,6000,513,990,5357,427,49156,543,544,5101,144,7,389,8009,3128,444,9999,5009,7070,5190,3000,5432,3986,13,1029,9,6646,49157,1028,873,1755,2717,4899,9100,119,37,1000,3001,5001,82,10010,1030,9090,2107,1024,2103,6004,1801,19,8031,1041,255,3703,17,808,3689,1031,1071,5901,9102,9000,2105,636,1038,2601,7000 | % {$test= new-object system.Net.Sockets.TcpClient; $wait =$test.beginConnect("allports.exposed",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "

Reproduced successfully on Win10

T1049 - System Network Connections Discovery

This is simply viewing the network connection state.

Test 1: system network connections discovery
netstat
net use
net sessions

Reproduced successfully on Win10

Test 2: system network connections discovery with PowerShell
Get-NetTCPConnection

Reproduced successfully on Win10

Test 3: system network connections discovery on Linux & macOS
netstat
who -a

Reproduced successfully

T1033 - System Owner/User Discovery

Test 1: system owner/user discovery
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt

Reproduced successfully on Win10

Test 2: system owner/user discovery
users
w
who

Reproduced successfully

macOS

T1217 - Browser Bookmark Discovery

The red team reads browser bookmarks to find more targets.

Demo 1: find Firefox bookmark content
find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

Demo 2: find Chrome bookmark content
find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

T1087.001 - Local Account

Some ways to find local users

cat /etc/passwd

View sudoers

sudo cat /etc/sudoers

Enumerate user names and groups

dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
dscacheutil -q group
dscacheutil -q user

T1201 - Password Policy Discovery

The red team reads the password policy to guide later brute-force work.

pwpolicy getaccountpolicies

T1046 - Network Service Scanning

Use TCP connects to find open ports
for port in {1..65535};
do
  echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done

Use tools to check which ports are open
nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}

T1069.001 - Local Groups

Some group queries

if [ -x "$(command -v dscacheutil)" ]; then dscacheutil -q group; else echo "dscacheutil is missing from the machine. skipping..."; fi;
if [ -x "$(command -v dscl)" ]; then dscl . -list /Groups; else echo "dscl is missing from the machine. skipping..."; fi;
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;

Learning security with ATT&CK: command-and-control

Learning security with ATT&CK: command-and-control

Learning security with ATT&CK: persistence

Learning security with ATT&CK: persistence

Learning security with ATT&CK: initial access

Learning security with ATT&CK: initial access

Learning security with ATT&CK: execution

Learning security with ATT&CK: execution

Learning security with ATT&CK: defense-evasion

Learning security with ATT&CK: defense-evasion

Learning security with ATT&CK: credential-access

Learning security with ATT&CK: credential-access

Learning security with ATT&CK: collection

Learning security with ATT&CK: collection

Malware analysis

Malware analysis

Windows core programming: beginner's notes

Windows core programming: beginner's notes

Accessing a Linux VM in NAT network mode over SSH

Accessing a Linux VM in NAT network mode over SSH

pwn BCTF2017 babyuse

BCTF2017 babyuse writeup

Setting up a qemu environment

Setting up qemu on Ubuntu 18.04

CVE-2018-5767 httpd

httpd RCE

pwn lctf2018 easy_heap

lctf2018 easy_heap writeup

pwn BCTF2016 bcloud

BCTF2016 bcloud writeup

pwn 0ctf2017 babyheap

0ctf2017 babyheap writeup

pwn plaidctf2015 plaiddb

plaidctf plaiddb writeup

Heap tutorial (2)

Heap tutorial: unlink and mmap

pwn 0ctf2015 freenote

0ctf2015 freenote writeup

KernelROP

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/linux-kernel-rop-ropping-your-way-to-part-1/

Seccomp and Ptrace

Seccomp and Ptrace

fastbin attack

Heap tutorial: fastbin attack

pwn HITBCTF2017_1000levels

HITBCTF2017 1000levels writeup

Installing SystemTap

SystemTap installation guide

CVE-2017-9430 DNSTracer

DNSTracer stack overflow vulnerability

AFL tool notes

Notes on using american fuzzy lop

CVE-2016-4971 wget

wget arbitrary file upload vulnerability

CVE-2017-13089 wget

wget skip_short_body stack overflow vulnerability

CVE-2017-11543 tcpdump sliplink_print

Reproducing the tcpdump sliplink_print stack overflow vulnerability

pwn pwnable login

pwnable login writeup

pwn DefCampCTF2016 SMS

DefCampCTF2016 SMS writeup

pwn BCTF2017 100levels

BCTF2017 100levels writeup

pwn 360ichunqiu2017 smallest

360ichunqiu2017 smallest writeup

pwn pwnable login

pwnable login writeup

pwn Alictf2016 vss

Alictf2016 vss writeup

pwn prectf2015 xpl

prectf2015 xpl writeup

pwn XCTF2016 b0verfl0w

XCTF2016 b0verfl0w writeup

pwn LCTF2016 pwn100

LCTF2016 pwn100 writeup

C language notes

Notes on the C used in pwn

pwn grehackctf2017 beerfighter

grehackctf2017 beerfighter writeup

Notes on the glibc ptmalloc memory management source

Read sections 1-27 closely and skim the rest; read it through once, then use it as a reference.

OneGadget and obtaining execute permission on a mapping

ROP on 64-bit systems

Heap overflow: the house of series

sploitfun tutorial series 3.2: Heap overflow using Malloc Maleficarum

Common binary protections

ASLR, NX, PIE, StackGuard, RELRO, etc.

Collected problems encountered in binary exploitation

Problem roundup

Protostar tutorial: unlink

Heap vulnerability: unlink

Linux_x64 PWN

64-bit pwn

Adding debug symbols to libc

How to add debug symbols to libc

GHOST PoC Explained

Reproducing CVE-2015-0235

pwn XDCTF2015 pwn200

XDCTF2015 pwn200 writeup

return to Dynamic Resolver

return to Dynamic Resolver

pwn LCTF2016 pwn200

LCTF2016 pwn200 writeup

pwn BackdoorCTF2017 Fun-Signals

BackdoorCTF2017 Fun-Signals writeup

Heap-based off-by-one vulnerabilities

sploitfun tutorial series 1.3: heap-based off-by-one vulnerabilities

pwn HCTF2016 brop

HCTF2016 brop writeup

pwn NJCTF2017 pingme

NJCTF2017 pingme writeup

Finding the address a function is loaded at

Translation; original from https://uaf.io/exploitation/misc/2016/04/02/Finding-Functions.html

Bypassing ASLR with GOT overwrite and GOT dereference

sploitfun tutorial series 2.3.3: GOT overwrite and GOT dereference

Heap overflow: unlink

sploitfun tutorial series 3.1: heap overflow via unlink

Bypassing ASLR with return-to-plt

sploitfun tutorial series 2.3.1: return_to_plt

Bypassing NX with return-to-libc

sploitfun tutorial series 2.1: return-to-libc

Bypassing NX with chained return-to-libc

sploitfun tutorial series 2.2: chained return-to-libc

Bypassing ASLR by brute force

sploitfun tutorial series 2.3.2: brute_force

Common problems when writing exploits

Why a program behaves differently under gdb than when run directly

Integer overflow

sploitfun tutorial series 1.2: integer overflow

Stack-based off-by-one vulnerabilities

sploitfun tutorial series 1.3: stack-based off-by-one vulnerabilities

Classic stack overflow

sploitfun tutorial series 1.1: classic stack overflow

Network-wide multi-device traffic monitoring built on mitmproxy

Full code: https://github.com/snappyJack/mitmdump_monitor/blob/master/mitmdump_monitor.py

CVE-2018-16373

Frog CMS 0.9.5 has a file upload vulnerability in /admin/?/plugin/file_manager/save

CVE-2018-16370

PECSM-TEAM 2.2.2 has a file upload vulnerability

demo

demo