Domain: neargle.com
DNS Resolutions

Date         IP Address
2023-10-16   43.152.180.187   (ClassC)
2025-11-25   172.67.217.151   (ClassC)
Port 80

HTTP/1.1 200 OK
Date: Tue, 25 Nov 2025 02:40:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=dMIyeruMHhhzCax1dtVtjXcOVLW0JvzxpogiPQwPsAR238qW0lkHkhFJDhiv1gj1R5I39LW%2F2P1js2FrhRLTNl1iEin7WK7ec7%2F9"}]}
vary: Accept-Encoding
server: cloudflare
x-turbo-charged-by: LiteSpeed
Nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
cf-cache-status: DYNAMIC
CF-RAY: 9a3dc81aaf61817f-PDX
alt-svc: h3=":443"; ma=86400

Response body: the index page of the blog at https://blog.neargle.com (canonical URL), text translated from Chinese.

Page title: Nearg1e - Web Develop&Security / Security Research / Vulnerability Hunting / Security Development / Pyer / Anime
Head: loads js/highlight.pack.js, a stats script (stats-sId-58637942.js), favicon.ico, the Atom feed atom.xml, css/style.css and css/highlight.css.
Navigation: Home, Archives, About, Link, RSS (atom.xml), Project (https://github.com/neargle), and a site search scoped to site:https://blog.neargle.com.
Site title: Nearg1e. Site description: same as the page title.

Post 1 of 6 (2018-02-14): Chrome Extension Security Research: The Story of Finding a UXSS
URL: 2018/02/14/hacking-chrome-extensions-chapter-one-a-uxss/
First published at: https://www.anquanke.com/post/id/98917

  Introduction

  I was a little tempted to change the title to <Chrome security research: the story of finding a UXSS> to fish for clicks, but since this is really an extension problem I'll be honest and write "extension".

  This is a vulnerability I found before Spring Festival. I crawled roughly the top 400 Chrome extensions by user count, wrote scripts to filter out a subset based on a few issues I cared about, and then audited them one by one. The vulnerability discussed here is one of the UXSS bugs I found while trying to produce a UXSS. I think it is fairly typical: it involves content_scripts, background scripts and other Chrome extension features, so it is relatively interesting and has a few more pitfalls.

  Since I cannot disclose the extension's details, I extracted the source code related to the extension and the vulnerability, removed some keywords containing the company name, and put it on GitHub:
  https://github.com/neargle/hacking-extensions/tree/master/content_scripts_uxss

  `git clone` it locally, open chrome://extensions/, enable "Developer mode", click the "Load unpacked extension..." button and select the content_scripts_uxss folder.
  [image: t01c468de71c3e4dbac.jpg]

  Tags: Security research, Browser security

Post 2 of 6 (2018-01-29): VER-OBSERVER: a command-line tool that detects framework and dependency versions
URL: 2018/01/29/ver-observer-a-tool-about-version-detection/
Project address: https://github.com/neargle/ver-observer

  Let's test it on the most famous literary blog and see the result. When testing, please follow this video (https://asciinema.org/a/ua1WOqMkUummi25QxImlFRNpN) and set up your own django environment instead of wasting the blog owner's bandwidth, thanks.

  Tags: Programming

Post 3 of 6 (2018-01-21): Four ways to parse Windows event logs with golang
URL: 2018/01/21/yulong-hids-windows-eventlog-iteration/

  About Yulong HIDS

  Yulong HIDS (https://github.com/ysrc/yulong-hids) is an intrusion detection system developed by YSRC. It integrates anomaly detection, monitoring and management, offers anomalous-behaviour discovery, rapid blocking and advanced analysis, and can discover intrusions from behavioural information across multiple dimensions. Currently the Yulong agent mainly collects system information, scheduled tasks, listening ports, logon logs, process information, service information, startup items, the user list, web paths and so on. The Windows user logon information is read from the Windows EventLog; over several versions the method was swapped out several times before it settled into its final form. This article briefly describes the thinking and implementation behind each of these methods. If you have a better approach or implementation, I look forward to hearing from you.

  Windows Event Viewer and event IDs

  As we know, Windows records system logon events in the Windows Security log, and we can filter and view these events in Event Viewer.
  [image]
  So how do we find the logon-related events? We can filter by event ID: a failed logon is event ID 4625 and a successful logon is event ID 4624. Most logon information is contained in these two event IDs.

  Tags: golang, hids

Post 4 of 6 (2017-09-28): Exploiting Python PIL Module Command Execution Vulnerability
URL: 2017/09/28/Exploiting-Python-PIL-Module-Command-Execution-Vulnerability/

  This is an article I wrote to support the Xianzhi and code-audit private-circle events; first published at: https://xianzhi.aliyun.com/forum/read/2163.html

  PIL (Python Image Library) is probably the most widely used image-processing library in Python; it has powerful features and a concise API. Many Python web applications choose PIL when they need image-processing functionality.

  When PIL processes images in the eps format, if GhostScript is installed in the environment it calls GhostScript in dSAFER mode to process the image. Even the latest version of the PIL module is affected by the GhostButt CVE-2017-8291 dSAFER-mode bypass vulnerability, which results in command execution.

  They say experts only need to read the source and the dockerfile: https://github.com/neargle/PIL-RCE-By-GhostButt

  Tags: Python

Post 5 of 6 (2017-09-01): Using request merging to bypass referer (jsonp) checks
URL: 2017/09/01/use-request-merging-to-bypass-referer-check/

  Re-posting two articles previously published elsewhere.

  1. About request merging and the problem it creates

  Request merging: the browser merges multiple identical requests (not all requests) into a single one to speed up resource loading.

  e.g.

      <script type="text/javascript" src="https://0.0.0.0:8888/jsonp/1"></script>
      <script type="text/javascript" src="https://0.0.0.0:8888/jsonp/1"></script>
      <script type="text/javascript" src="https://0.0.0.0:8888/jsonp/1"></script>

  The resource "https://0.0.0.0:8888/jsonp/1" is requested and loaded only once.

  Research has already pointed out that this request-merging behaviour also occurs inside iframes, so this browser feature can be used to bypass the referer checks of some applications, such as the defence mechanism for jsonp.

  2. Environment and PoC

  By bypassing the referer check, can an attacker obtain user information that is protected by the referer check?

  Attacker server: https://example.com:8081
  Target server: https://example.com:8082
  Referer check: whether the referer starts with "https://example.com:8082"
  Goal: the attacker obtains the user's "security content"

  Environment:

  /jsonp.php

      <?php

      function startsWith($url, $domain) {
          $length = strlen($domain);
          return (substr($url, 0, $length) === $domain);
      }

      $referrer = @$_SERVER['HTTP_REFERER'];

      if (startsWith($referrer, 'https://example.com:8082')) {
          $js_code = 'function jquery() { return "security content";}';
          echo $js_code;
      } else {
          $js_code = 'function jquery() { return "nothing";}';
          echo $js_code;
      }

  Tags: Front-end security

Post 6 of 6 (2017-09-01): ddctf: writeup for two web challenges (sqli & xss)
URL: 2017/09/01/ddctf-web-xss-sqli-writeup/

  Re-posting two articles previously published elsewhere.

  sqli

  Address: https://118.190.134.8/t1/news.php?id=1

  Trying SQL injection, you find that ' and spaces, among other things, are filtered. Using
  https://118.190.134.8/t1/news.php?id=1%0aand%0a1=1 and https://118.190.134.8/t1/news.php?id=1%0aand%0a1=2
  confirms that the injection exists, and then we start thinking about how to extract data.

  https://118.190.134.8/t1/news.php?id=1%0aorder%0aby%0a5
  shows that the number of columns is 4.

  https://118.190.134.8/t1/news.php?id=1union%0aselect%0a1,2,3,4
  shows that the comma is filtered.

  That makes it awkward to extract data with union, so one option is blind injection, for example `(select%a0ascii(substr((select%a0TABLE_NAME%a0from%a0information_schema.tables%a0where%a0TABLE_TYPE%a0=%a0"BASE%a0TABLE"%a0limit%a01%a0OFFSET%a02)%a0from%a01%a0for%a01))=1)%23`. But there is actually a tip for extracting data with union here:

      mysql $> select 1,2,3,4 Union select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d
      +-----+-----+-----+-----+
      | 1 | 2 | 3 | 4 |
      |-----+-----+-----+-----|
      | 1 | 2 | 3 | 4 |
      +-----+-----+-----+-----+

  Tags: CTF

Pagination: "Next page »" (page/2/).
Footer: © 2014 Nearg1e; a Disqus comment-count script (disqus_shortname = neargle) loaded from js/tools.js and inline JavaScript.
A second footer element follows: "© @2025 All Rights Reserved." with an image slider (id partner-slider) of nine outbound links to unrelated third-party sites, each opening in a new tab, plus the inline JavaScript that rotates the slides every 5 seconds.
Port 443

HTTP/1.1 200 OK
Date: Tue, 25 Nov 2025 02:40:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=BjaaU2WR7Uetp79SVQpJSvIe43K0N%2BPRRrqhRbHGwNwIUGm6H9P%2F6%2B0QacPOEvB1aseUsQcgR9bYY0aXppa7fcwizAFSDeFE4g%3D%3D"}]}
vary: Accept-Encoding
Server: cloudflare
x-turbo-charged-by: LiteSpeed
cf-cache-status: DYNAMIC
Nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
CF-RAY: 9a3dc81dac6cef5f-PDX
alt-svc: h3=":443"; ma=86400

Response body: identical to the Port 80 response body above (the same blog index page).
Data with thanks to AlienVault OTX, VirusTotal, Malwr and others.