Write this blog due to Xray was EOL. Last version 1.9.11.
- run program
./xray_darwin_amd64
this license is expired, expiration time is 2022-08-03 08:00:00- find and locate string
00000000: 74 68 69 73 20 6c 69 63 65 6e 73 65 20 69 73 20 this license is
00000010: 65 78 70 69 72 65 64 2c 20 65 78 70 69 72 61 74 expired, expirat
00000020: 69 6f 6e 20 74 69 6d 65 20 69 73 20 25 73 ion time is %s
- find references
04f92ba3 e838fdffff call sub_4f928e0
04f92ba8 440f11bc24980000…movups xmmword [rsp+0x98 {var_48}], xmm15
04f92bb1 e8eabf07ff call sub_400eba0
04f92bb6 488d0dc3d46800 lea rcx, [rel data_5620080]
04f92bbd 48898c2498000000 mov qword [rsp+0x98 {var_48}], rcx {data_5620080}
04f92bc5 48898424a0000000 mov qword [rsp+0xa0 {var_48+0x8}], rax
04f92bcd 488d05657aab00 lea rax, [rel data_5a4a639] {"this license is expired, expirat…"}
04f92bd4 bb2e000000 mov ebx, 0x2e
04f92bd9 488d8c2498000000 lea rcx, [rsp+0x98 {var_48}]
04f92be1 bf01000000 mov edi, 0x1
04f92be6 4889fe mov rsi, rdi {0x1}
04f92be9 e8d21417ff call sub_41040c0
04f92bee 4889d9 mov rcx, rbx {0x2e}
04f92bf1 4889c3 mov rbx, rax
04f92bf4 31c0 xor eax, eax {0x0}
04f92bf6 488bac24d8000000 mov rbp, qword [rsp+0xd8 {__saved_rbp}]
04f92bfe 4881c4e0000000 add rsp, 0xe0
04f92c05 c3 retn {__return_addr}
04f92ba3 was jumped from 04f92a26
04f92a1f 488b5838 mov rbx, qword [rax+0x38]
04f92a23 4839fb cmp rbx, rdi
04f92a26 0f8c77010000 jl 0x4f92ba3- NOP the
jlto force ignore license expire date
04f92a1f 488b5838 mov rbx, qword [rax+0x38]
04f92a23 4839fb cmp rbx, rdi
04f92a26 90 nop
04f92a27 90 nop
04f92a28 90 nop
04f92a29 90 nop
04f92a2a 90 nop
04f92a2b 90 nop - save binary as
xray_darwin_amd642
need a expired license , can be found anywhere.
chmod +x ./xray_darwin_amd642 && ./xray_darwin_amd642
____ ___.________. ____. _____.___.
\ \/ /\_ __ \ / _ \ \__ | |
\ / | _ _/ / /_\ \ / | |
/ \ | | \/ | \ \____ |
\___/\ \ |____| /\____|_ / / _____/
\_/ \_/ \_/ \/
Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00
NAME:
xray - A powerful scanner engine [https://docs.xray.cool]
USAGE:
[global options] command [command options] [arguments...]
COMMANDS:
webscan, ws Run a webscan task
servicescan, ss Run a service scan task
subdomain, sd Run a subdomain task
poclint, pl, lint lint yaml poc
burp-gamma, btg Convert the export file of burp historical proxy records to POC format
transform transform other script to gamma
reverse Run a standalone reverse server
convert convert results from json to html or from html to json
genca GenerateToFile CA certificate and key
upgrade check new version and upgrade self if any updates found
version Show version info
x A command that enables all plugins.
You can customize new commands or modify the plugins enabled by a command in the configuration file.
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--config FILE Load configuration from FILE (default: "config.yaml")
--log-level value Log level, choices are debug, info, warn, error, fatal
--help, -h show help
[INFO] 2023-12-24 18:16:39 [default:entry.go:226] Loading config file from config.yaml
没有命令输入,请在终端中运行此程序。/ No command provided, please run this program in terminal.
参考链接(Help link):https://docs.xray.cool/#/guide/faq?id=no-command-provided
按任意键继续... / Press Enter to continue...
Walkthrough is 99% same as x86 version
100f14820 021c40f9 ldr x2, [x0, #0x38]
100f14824 5f0001eb cmp x2, x1
100f14828 eb0e0054 b.lt 0x100f14a04
NOP the b.lt
100f14820 021c40f9 ldr x2, [x0, #0x38]
100f14824 5f0001eb cmp x2, x1
100f14828 1f2003d5 nop
100f1482c 1f2003d5 nop
100f14830 a00080d2 mov x0, #0x5
100f14834 e01300f9 str x0, [sp, #0x20 {var_e0}] {0x5}
100f14838 ffff02a9 stp xzr, xzr, [sp, #0x28] {var_d0} {0x0} {0x0}
chmod +x ./xray_darwin_arm642 && ./xray_darwin_arm642
[1] 94656 killed ./xray_darwin_arm642resign the binary
codesign --force --deep --sign - ./xray_darwin_arm642 && ./xray_darwin_arm642
./xray_darwin_arm642: replacing existing signature
____ ___.________. ____. _____.___.
\ \/ /\_ __ \ / _ \ \__ | |
\ / | _ _/ / /_\ \ / | |
/ \ | | \/ | \ \____ |
\___/\ \ |____| /\____|_ / / _____/
\_/ \_/ \_/ \/
Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00
NAME:
xray - A powerful scanner engine [https://docs.xray.cool]
USAGE:
[global options] command [command options] [arguments...]
COMMANDS:
webscan, ws Run a webscan task
servicescan, ss Run a service scan task
subdomain, sd Run a subdomain task
poclint, pl, lint lint yaml poc
burp-gamma, btg Convert the export file of burp historical proxy records to POC format
transform transform other script to gamma
reverse Run a standalone reverse server
convert convert results from json to html or from html to json
genca GenerateToFile CA certificate and key
upgrade check new version and upgrade self if any updates found
version Show version info
x A command that enables all plugins.
You can customize new commands or modify the plugins enabled by a command in the configuration file.
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--config FILE Load configuration from FILE (default: "config.yaml")
--log-level value Log level, choices are debug, info, warn, error, fatal
--help, -h show help
[INFO] 2023-12-24 18:38:53 [default:entry.go:226] Loading config file from config.yaml
没有命令输入,请在终端中运行此程序。/ No command provided, please run this program in terminal.
参考链接(Help link):https://docs.xray.cool/#/guide/faq?id=no-command-provided
按任意键继续... / Press Enter to continue..../xray_darwin_arm642 webscan --url http://127.0.0.1:8080/
____ ___.________. ____. _____.___.
\ \/ /\_ __ \ / _ \ \__ | |
\ / | _ _/ / /_\ \ / | |
/ \ | | \/ | \ \____ |
\___/\ \ |____| /\____|_ / / _____/
\_/ \_/ \_/ \/
Version: 1.9.11/eb0c331d/COMMUNITY-ADVANCED
Licensed to tangshoupu, license is valid until 2022-08-03 08:00:00
[INFO] 2023-12-24 18:51:05 [default:entry.go:226] Loading config file from config.yaml
[!] Warning: you should use --html-output, --webhook-output or --json-output to persist your scan result
Enabled plugins: [dirscan xss baseline crlf-injection jsonp sqldet fastjson xxe shiro thinkphp xstream brute-force cmd-injection path-traversal redirect ssrf upload phantasm struts]
[INFO] 2023-12-24 18:51:05 [phantasm:phantasm.go:185] 819 pocs have been loaded (debug level will show more details)
[INFO] 2023-12-24 18:51:05 [shiro:shiro.go:92] shiro key count 117
These plugins will be disabled as reverse server is not configured, check out the reference to fix this error.
Ref: https://docs.xray.cool/#/configration/reverse
Plugins:
fastjson/fastjson/cve-2022-25845
fastjson/fastjson/deserialization
poc-go-apache-log4j2-rce
poc-go-weblogic-cve-2023-21839
poc-yaml-apache-druid-kafka-rce
poc-yaml-apache-spark-rce-cve-2022-33891
poc-yaml-dlink-cve-2019-16920-rce
poc-yaml-dotnetnuke-cve-2017-0929-ssrf
poc-yaml-drawio-cve-2022-1713-ssrf
poc-yaml-full-read-ssrf-in-spring-cloud-netflix
poc-yaml-ghostscript-cve-2018-19475-rce
poc-yaml-gitlab-cve-2021-22214-ssrf
poc-yaml-httpd-ssrf-cve-2021-40438
poc-yaml-jenkins-cve-2018-1000600
poc-yaml-jira-cve-2019-11581
poc-yaml-jira-ssrf-cve-2019-8451
poc-yaml-keycloak-cve-2020-10770-ssrf
poc-yaml-kibana-cve-2019-7609-rce
poc-yaml-landray-oa-datajson-rce
poc-yaml-lg-n1a1-nas-cnnvd-201607-467-rce
poc-yaml-mongo-express-cve-2019-10758
poc-yaml-oracle-ebs-cve-2018-3167-ssrf
poc-yaml-pandorafms-cve-2019-20224-rce
poc-yaml-php-imap-cve-2018-19518-rce
poc-yaml-ruanhong-oa-xxe
poc-yaml-saltstack-cve-2020-16846
poc-yaml-solr-cve-2017-12629-xxe
poc-yaml-spiderflow-save-remote-command-execute
poc-yaml-spring-cloud-gateway-cve-2022-22947-rce
poc-yaml-supervisord-cve-2017-11610
poc-yaml-wavlink-cve-2020-13117-rce
poc-yaml-weblogic-cve-2017-10271
poc-yaml-yongyou-nc-iupdateservice-xxe
poc-yaml-zoho-manageengine-adaudit-plus-cve-2022-28219-xxe
ssrf/ssrf/default
struts/s2-052/default
struts/s2-059/default
struts/s2-061/default
struts/s2-062/default
xstream/Arbitrary-File-Deletion/CVE-2020-26259
xstream/Arbitrary-File-Deletion/CVE-2021-21343
xstream/DoS/CVE-2021-21341
xstream/DoS/CVE-2021-21348
xstream/DoS/CVE-2021-39140
xstream/RCE(LDAP)/CVE-2021-21344
xstream/RCE(LDAP)/CVE-2021-39141
xstream/RCE(LDAP)/CVE-2021-39146
xstream/RCE/CVE-2013-7285
xstream/RCE/CVE-2020-26217
xstream/RCE/CVE-2021-21345
xstream/RCE/CVE-2021-21346
xstream/RCE/CVE-2021-21347
xstream/RCE/CVE-2021-21350
xstream/RCE/CVE-2021-21351
xstream/RCE/CVE-2021-39139
xstream/RCE/CVE-2021-39144
xstream/RCE/CVE-2021-39145
xstream/RCE/CVE-2021-39147
xstream/RCE/CVE-2021-39148
xstream/RCE/CVE-2021-39149
xstream/RCE/CVE-2021-39151
xstream/RCE/CVE-2021-39153
xstream/RCE/CVE-2021-39154
xstream/SSRF/CVE-2020-26258
xstream/SSRF/CVE-2021-21342
xstream/SSRF/CVE-2021-21349
xstream/SSRF/CVE-2021-39150
xstream/SSRF/CVE-2021-39152
xxe/xxe/blind
[INFO] 2023-12-24 18:51:05 [default:dispatcher.go:444] processing GET http://127.0.0.1:8080/
[INFO] 2023-12-24 18:51:05 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload linux
[INFO] 2023-12-24 18:51:05 script poc-yaml-pbootcms-rce-cve-2022-32417 run payload windows
[INFO] 2023-12-24 18:51:05 [shiro:default.go:82] checking cookie names [rememberMe]
[INFO] 2023-12-24 18:51:05 [shiro:default.go:88] target is shiro, trying get shiro key with mode gcm
[INFO] 2023-12-24 18:51:06 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload hasPrefix
[INFO] 2023-12-24 18:51:06 script poc-yaml-alibaba-nacos-v1-auth-bypass run payload nonePrefix
[INFO] 2023-12-24 18:51:06 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload linux
[INFO] 2023-12-24 18:51:07 script poc-yaml-php-proxy-cve-2018-19458-fileread run payload win
[INFO] 2023-12-24 18:51:08 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req01
[INFO] 2023-12-24 18:51:08 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req01
[INFO] 2023-12-24 18:51:08 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req01
[INFO] 2023-12-24 18:51:09 script poc-yaml-laravel-filemanager-cve-2022-40734-path-traversal run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req03
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req04
[INFO] 2023-12-24 18:51:09 script poc-yaml-circarlife-scada-cve-2018-12634-info-leak run payload req02
[INFO] 2023-12-24 18:51:09 script poc-yaml-bitbucket-unauth run payload path01
[INFO] 2023-12-24 18:51:09 script poc-yaml-mantisbt-cve-2017-7615-unauth run payload req05
[INFO] 2023-12-24 18:51:09 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload linux
[INFO] 2023-12-24 18:51:09 script poc-yaml-adobe-experience-manager-cve-2019-8086-xxe run payload win
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path02
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path03
[*] scanned: 0, pending: 1, requestSent: 659, latency: 162.86ms, failedRatio: 0.00%
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path04
[INFO] 2023-12-24 18:51:10 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req01
[INFO] 2023-12-24 18:51:10 script poc-yaml-bitbucket-unauth run payload path05
[INFO] 2023-12-24 18:51:10 script poc-yaml-gurock-testrail-cve-2021-40875-info-leak run payload req02
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path06
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path07
[INFO] 2023-12-24 18:51:11 script poc-yaml-bitbucket-unauth run payload path08
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload oracle
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mysql
[INFO] 2023-12-24 18:51:11 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req01
[INFO] 2023-12-24 18:51:11 script poc-yaml-glpi-telemetry-cve-2021-39211-info-leak run payload req02
[INFO] 2023-12-24 18:51:11 script poc-yaml-wanhu-ezoffice-documentedit-sqli run payload mssql
[INFO] 2023-12-24 18:51:11 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload windows
[INFO] 2023-12-24 18:51:12 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p1
[INFO] 2023-12-24 18:51:12 script poc-yaml-manageengine-servicedesk-cve-2017-11512-lfi run payload linux
[INFO] 2023-12-24 18:51:12 script poc-yaml-kevinlab-bems-backdoor-cve-2021-37292 run payload p2
[INFO] 2023-12-24 18:51:13 [shiro:default.go:88] target is shiro, trying get shiro key with mode cbc
[Vuln: shiro]
Target "http://127.0.0.1:8080/"
VulnType "shiro/default-key"
key "kPH+bIxk5D2deZiIxcaaaA=="
cookie_name "rememberMe"
origin_count "1"
current_count "0"
mode "cbc"
[INFO] 2023-12-24 18:51:13 [shiro:deserialization.go:73] shiro key is kPH+bIxk5D2deZiIxcaaaA==, cookie key is rememberMe
[INFO] 2023-12-24 18:51:13 [shiro:deserialization.go:74] now trying to check tomcat echo
[Vuln: shiro]
Target "http://127.0.0.1:8080/"
VulnType "shiro/rememberme-deserialization"
cookie_name "rememberMe"
follow_redirect "true"
mode "cbc"
key "kPH+bIxk5D2deZiIxcaaaA=="
gadget "CommonsCollectionsK1"
gadget_type "tomcat_echo"
[INFO] 2023-12-24 18:51:13 [controller:dispatcher.go:553] wait for reverse server finished
[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 1148, latency: 117.57ms, failedRatio: 0.00%
[INFO] 2023-12-24 18:51:16 [controller:dispatcher.go:573] controller released, task done
文章来源: https://ares-x.com/2023/12/24/Xray-Crack/
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh