惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
P
Privacy International News Feed
Security Latest
Security Latest
H
Hacker News: Front Page
T
Tenable Blog
The Hacker News
The Hacker News
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Security @ Cisco Blogs
Project Zero
Project Zero
O
OpenAI News
AI
AI
Spread Privacy
Spread Privacy
C
CERT Recently Published Vulnerability Notes
The Last Watchdog
The Last Watchdog
G
GRAHAM CLULEY
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Scott Helme
Scott Helme
Application and Cybersecurity Blog
Application and Cybersecurity Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
CXSECURITY Database RSS Feed - CXSecurity.com
NISL@THU
NISL@THU
A
Arctic Wolf
T
Threat Research - Cisco Blogs
PCI Perspectives
PCI Perspectives
N
News and Events Feed by Topic
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Cybersecurity and Infrastructure Security Agency CISA
Simon Willison's Weblog
Simon Willison's Weblog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
Google Online Security Blog
Google Online Security Blog
罗磊的独立博客
L
LINUX DO - 最新话题
U
Unit 42
S
Security Affairs
有赞技术团队
有赞技术团队
WordPress大学
WordPress大学
博客园 - 【当耐特】
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
月光博客
月光博客
Engineering at Meta
Engineering at Meta
腾讯CDC
F
Full Disclosure
Cyberwarzone
Cyberwarzone
S
SegmentFault 最新的问题
Recorded Future
Recorded Future
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园 - 司徒正美
The Cloudflare Blog

AresX's Blog

从两篇 X 文章开始:我第一次构建量化系统的回忆录 SSL 指纹识别和绕过 HTB - You know 0xDiablos Docsify 自动生成sidebar.md脚本 Shiro高版本加密方式下的漏洞利用 Xray tomcat回显Gadget对应Payload提取 IDEA远程调试Docker中程序的方法 解决goldenPac报错问题 域渗透学习(七)PTT 票据传递攻击 域渗透学习(六)PTH 哈希传递攻击 域渗透学习(五)基于IPC的远程连接 域渗透学习(四)Dump Password & Hash 域渗透学习(三)域内信息搜集 域渗透学习(二)Kerberos协议 域渗透学习(一)Windows认证机制 Linux后门 JAVA反射机制瞎扯篇 戏说地狱三头犬 关于IPC和PTH用户权限问题 Goindex添加隐藏目录功能
Xray Crack Patching
AresX · 2023-12-24 · via AresX's Blog

Write this blog due to Xray was EOL. Last version 1.9.11.

1. Patching Walkthrough for x86

  1. run program
1
2
./xray_darwin_amd64
this license is expired, expiration time is 2022-08-03 08:00:00
  1. find and locate string
1
2
3
4
00000000: 74 68 69 73 20 6c 69 63 65 6e 73 65 20 69 73 20  this license is 
00000010: 65 78 70 69 72 65 64 2c 20 65 78 70 69 72 61 74 expired, expirat
00000020: 69 6f 6e 20 74 69 6d 65 20 69 73 20 25 73 ion time is %s

  1. find references
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
04f92ba3  e838fdffff         call    sub_4f928e0
04f92ba8 440f11bc24980000…movups xmmword [rsp+0x98 {var_48}], xmm15
04f92bb1 e8eabf07ff call sub_400eba0
04f92bb6 488d0dc3d46800 lea rcx, [rel data_5620080]
04f92bbd 48898c2498000000 mov qword [rsp+0x98 {var_48}], rcx {data_5620080}
04f92bc5 48898424a0000000 mov qword [rsp+0xa0 {var_48+0x8}], rax
04f92bcd 488d05657aab00 lea rax, [rel data_5a4a639] {"this license is expired, expirat…"}
04f92bd4 bb2e000000 mov ebx, 0x2e
04f92bd9 488d8c2498000000 lea rcx, [rsp+0x98 {var_48}]
04f92be1 bf01000000 mov edi, 0x1
04f92be6 4889fe mov rsi, rdi {0x1}
04f92be9 e8d21417ff call sub_41040c0
04f92bee 4889d9 mov rcx, rbx {0x2e}
04f92bf1 4889c3 mov rbx, rax
04f92bf4 31c0 xor eax, eax {0x0}
04f92bf6 488bac24d8000000 mov rbp, qword [rsp+0xd8 {__saved_rbp}]
04f92bfe 4881c4e0000000 add rsp, 0xe0
04f92c05 c3 retn {__return_addr}

04f92ba3 was jumped from 04f92a26

1
2
3
04f92a1f  488b5838           mov     rbx, qword [rax+0x38]
04f92a23 4839fb cmp rbx, rdi
04f92a26 0f8c77010000 jl 0x4f92ba3
  1. NOP the jl to force ignore license expire date
1
2
3
4
5
6
7
8
04f92a1f  488b5838           mov     rbx, qword [rax+0x38]
04f92a23 4839fb cmp rbx, rdi
04f92a26 90 nop
04f92a27 90 nop
04f92a28 90 nop
04f92a29 90 nop
04f92a2a 90 nop
04f92a2b 90 nop
  1. save binary as xray_darwin_amd642

2. Test Patched Binary

need a expired license , can be found anywhere.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
chmod +x ./xray_darwin_amd642 && ./xray_darwin_amd642

____ ___.________. ____. _____.___.
\ \/ /\_ __ \ / _ \ \__ | |
\ / | _ _/ / /_\ \ / | |
/ \ | | \/ | \ \____ |
\___/\ \ |____| /\____|_ / / _____/
\_/ \_/ \_/ \/

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

NAME:
xray - A powerful scanner engine [https://docs.xray.cool]

USAGE:
[global options] command [command options] [arguments...]

COMMANDS:
webscan, ws Run a webscan task
servicescan, ss Run a service scan task
subdomain, sd Run a subdomain task
poclint, pl, lint lint yaml poc
burp-gamma, btg Convert the export file of burp historical proxy records to POC format
transform transform other script to gamma
reverse Run a standalone reverse server
convert convert results from json to html or from html to json
genca GenerateToFile CA certificate and key
upgrade check new version and upgrade self if any updates found
version Show version info
x A command that enables all plugins.
You can customize new commands or modify the plugins enabled by a command in the configuration file.
help, h Shows a list of commands or help for one command

GLOBAL OPTIONS:
--config FILE Load configuration from FILE (default: "config.yaml")
--log-level value Log level, choices are debug, info, warn, error, fatal
--help, -h show help
[INFO] 2023-12-24 18:16:39 [default:entry.go:226] Loading config file from config.yaml

没有命令输入,请在终端中运行此程序。/ No command provided, please run this program in terminal.
参考链接(Help link):https://docs.xray.cool/

按任意键继续... / Press Enter to continue...


3. ARM Version

Walkthrough is 99% same as x86 version

1
2
3
4
100f14820  021c40f9   ldr     x2, [x0, #0x38]
100f14824 5f0001eb cmp x2, x1
100f14828 eb0e0054 b.lt 0x100f14a04

NOP the b.lt

1
2
3
4
5
6
7
8
100f14820  021c40f9   ldr     x2, [x0, #0x38]
100f14824 5f0001eb cmp x2, x1
100f14828 1f2003d5 nop
100f1482c 1f2003d5 nop
100f14830 a00080d2 mov x0, #0x5
100f14834 e01300f9 str x0, [sp, #0x20 {var_e0}] {0x5}
100f14838 ffff02a9 stp xzr, xzr, [sp, #0x28] {var_d0} {0x0} {0x0}

4. Exit with Killed

1
2
chmod +x ./xray_darwin_arm642 && ./xray_darwin_arm642
[1] 94656 killed ./xray_darwin_arm642

resign the binary

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
codesign --force --deep --sign - ./xray_darwin_arm642 && ./xray_darwin_arm642
./xray_darwin_arm642: replacing existing signature

____ ___.________. ____. _____.___.
\ \/ /\_ __ \ / _ \ \__ | |
\ / | _ _/ / /_\ \ / | |
/ \ | | \/ | \ \____ |
\___/\ \ |____| /\____|_ / / _____/
\_/ \_/ \_/ \/

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

NAME:
xray - A powerful scanner engine [https://docs.xray.cool]

USAGE:
[global options] command [command options] [arguments...]

COMMANDS:
webscan, ws Run a webscan task
servicescan, ss Run a service scan task
subdomain, sd Run a subdomain task
poclint, pl, lint lint yaml poc
burp-gamma, btg Convert the export file of burp historical proxy records to POC format
transform transform other script to gamma
reverse Run a standalone reverse server
convert convert results from json to html or from html to json
genca GenerateToFile CA certificate and key
upgrade check new version and upgrade self if any updates found
version Show version info
x A command that enables all plugins.
You can customize new commands or modify the plugins enabled by a command in the configuration file.
help, h Shows a list of commands or help for one command

GLOBAL OPTIONS:
--config FILE Load configuration from FILE (default: "config.yaml")
--log-level value Log level, choices are debug, info, warn, error, fatal
--help, -h show help
[INFO] 2023-12-24 18:38:53 [default:entry.go:226] Loading config file from config.yaml

没有命令输入,请在终端中运行此程序。/ No command provided, please run this program in terminal.
参考链接(Help link):https://docs.xray.cool/

按任意键继续... / Press Enter to continue...

5. Verify Advanced License Workable

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
./xray_darwin_arm642 webscan --url http://127.0.0.1:8080/

____ ___.________. ____. _____.___.
\ \/ /\_ __ \ / _ \ \__ | |
\ / | _ _/ / /_\ \ / | |
/ \ | | \/ | \ \____ |
\___/\ \ |____| /\____|_ / / _____/
\_/ \_/ \_/ \/

Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00

[INFO] 2023-12-24 18:51:05 [default:entry.go:226] Loading config file from config.yaml
[!] Warning: you should use --html-output, --webhook-output or --json-output to persist your scan result

Enabled plugins: [dirscan xss baseline crlf-injection jsonp sqldet fastjson xxe shiro thinkphp xstream brute-force cmd-injection path-traversal redirect ssrf upload phantasm struts]

[INFO] 2023-12-24 18:51:05 [phantasm:phantasm.go:185] 819 pocs have been loaded (debug level will show more details)
[INFO] 2023-12-24 18:51:05 [shiro:shiro.go:92] shiro key count 117
These plugins will be disabled as reverse server is not configured, check out the reference to fix this error.
Ref: https://docs.xray.cool/
Plugins:
fastjson/fastjson/cve-2022-25845
fastjson/fastjson/deserialization
poc-go-apache-log4j2-rce
poc-go-weblogic-cve-2023-21839
poc-yaml-apache-druid-kafka-rce
poc-yaml-apache-spark-rce-cve-2022-33891
poc-yaml-dlink-cve-2019-16920-rce
poc-yaml-dotnetnuke-cve-2017-0929-ssrf
poc-yaml-drawio-cve-2022-1713-ssrf
poc-yaml-full-read-ssrf-in-spring-cloud-netflix
poc-yaml-ghostscript-cve-2018-19475-rce
poc-yaml-gitlab-cve-2021-22214-ssrf
poc-yaml-httpd-ssrf-cve-2021-40438
poc-yaml-jenkins-cve-2018-1000600
poc-yaml-jira-cve-2019-11581
poc-yaml-jira-ssrf-cve-2019-8451
poc-yaml-keycloak-cve-2020-10770-ssrf
poc-yaml-kibana-cve-2019-7609-rce
poc-yaml-landray-oa-datajson-rce
poc-yaml-lg-n1a1-nas-cnnvd-201607-467-rce
poc-yaml-mongo-express-cve-2019-10758
poc-yaml-oracle-ebs-cve-2018-3167-ssrf
poc-yaml-pandorafms-cve-2019-20224-rce
poc-yaml-php-imap-cve-2018-19518-rce
poc-yaml-ruanhong-oa-xxe
poc-yaml-saltstack-cve-2020-16846
poc-yaml-solr-cve-2017-12629-xxe
poc-yaml-spiderflow-save-remote-command-execute
poc-yaml-spring-cloud-gateway-cve-2022-22947-rce
poc-yaml-supervisord-cve-2017-11610
poc-yaml-wavlink-cve-2020-13117-rce
poc-yaml-weblogic-cve-2017-10271
poc-yaml-yongyou-nc-iupdateservice-xxe
poc-yaml-zoho-manageengine-adaudit-plus-cve-2022-28219-xxe
ssrf/ssrf/default
struts/s2-052/default
struts/s2-059/default
struts/s2-061/default
struts/s2-062/default
xstream/Arbitrary-File-Deletion/CVE-2020-26259
xstream/Arbitrary-File-Deletion/CVE-2021-21343
xstream/DoS/CVE-2021-21341
xstream/DoS/CVE-2021-21348
xstream/DoS/CVE-2021-39140
xstream/RCE(LDAP)/CVE-2021-21344
xstream/RCE(LDAP)/CVE-2021-39141
xstream/RCE(LDAP)/CVE-2021-39146
xstream/RCE/CVE-2013-7285
xstream/RCE/CVE-2020-26217
xstream/RCE/CVE-2021-21345
xstream/RCE/CVE-2021-21346
xstream/RCE/CVE-2021-21347
xstream/RCE/CVE-2021-21350
xstream/RCE/CVE-2021-21351
xstream/RCE/CVE-2021-39139
xstream/RCE/CVE-2021-39144
xstream/RCE/CVE-2021-39145
xstream/RCE/CVE-2021-39147
xstream/RCE/CVE-2021-39148
xstream/RCE/CVE-2021-39149
xstream/RCE/CVE-2021-39151
xstream/RCE/CVE-2021-39153
xstream/RCE/CVE-2021-39154
xstream/SSRF/CVE-2020-26258
xstream/SSRF/CVE-2021-21342
xstream/SSRF/CVE-2021-21349
xstream/SSRF/CVE-2021-39150
xstream/SSRF/CVE-2021-39152
xxe/xxe/blind


[INFO] 2023-12-24 18:51:05 [default:dispatcher.go:444] processing GET http://127.0.0.1:8080/
[INFO] 2023-12-24 18:51:05 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload linux
[INFO] 2023-12-24 18:51:05 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload windows
[INFO] 2023-12-24 18:51:05 [shiro:default.go:82] checking cookie names [rememberMe]
[INFO] 2023-12-24 18:51:05 [shiro:default.go:88] target is shiro, trying get shiro key with mode gcm
[INFO] 2023-12-24 18:51:06 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload hasPrefix
[INFO] 2023-12-24 18:51:06 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload nonePrefix
[INFO] 2023-12-24 18:51:06 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload linux
[INFO] 2023-12-24 18:51:07 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload win
[INFO] 2023-12-24 18:51:08 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req01
[INFO] 2023-12-24 18:51:08 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req01
[INFO] 2023-12-24 18:51:08 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req01
[INFO] 2023-12-24 18:51:09 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req03
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req04
[INFO] 2023-12-24 18:51:09 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-bitbucket-unauth run payload path01
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req05
[INFO] 2023-12-24 18:51:09 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload linux
[INFO] 2023-12-24 18:51:09 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload win
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path02
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path03
[*] scanned: 0, pending: 1, requestSent: 659, latency: 162.86ms, failedRatio: 0.00%
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path04
[INFO] 2023-12-24 18:51:10 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req01
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path05
[INFO] 2023-12-24 18:51:10 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req02
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path06
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path07
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path08
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload oracle
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mysql
[INFO] 2023-12-24 18:51:11 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req01
[INFO] 2023-12-24 18:51:11 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req02
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mssql
[INFO] 2023-12-24 18:51:11 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload windows
[INFO] 2023-12-24 18:51:12 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p1
[INFO] 2023-12-24 18:51:12 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload linux
[INFO] 2023-12-24 18:51:12 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p2
[INFO] 2023-12-24 18:51:13 [shiro:default.go:88] target is shiro, trying get shiro key with mode cbc
[Vuln: shiro]
Target "http://127.0.0.1:8080/"
VulnType "shiro/default-key"
key "kPH+bIxk5D2deZiIxcaaaA=="
cookie_name "rememberMe"
origin_count "1"
current_count "0"
mode "cbc"

[INFO] 2023-12-24 18:51:13 [shiro:deserialization.go:73] shiro key is kPH+bIxk5D2deZiIxcaaaA==, cookie key is rememberMe
[INFO] 2023-12-24 18:51:13 [shiro:deserialization.go:74] now trying to check tomcat echo
[Vuln: shiro]
Target "http://127.0.0.1:8080/"
VulnType "shiro/rememberme-deserialization"
cookie_name "rememberMe"
follow_redirect "true"
mode "cbc"
key "kPH+bIxk5D2deZiIxcaaaA=="
gadget "CommonsCollectionsK1"
gadget_type "tomcat_echo"

[INFO] 2023-12-24 18:51:13 [controller:dispatcher.go:553] wait for reverse server finished
[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 1148, latency: 117.57ms, failedRatio: 0.00%
[INFO] 2023-12-24 18:51:16 [controller:dispatcher.go:573] controller released, task done