准则
0x00 创造价值
小鸡问母鸡:可否不用下蛋,带我出去玩啊?母鸡道:不行,我要工作!
小鸡说:可你已经下了这么多蛋了!母鸡意味深长地对小鸡说:一天一个蛋,菜刀靠边站,一月不生蛋,高压锅里见。
存在是因为你创造价值,淘汰是因为你失去价值。过去的价值不代表未来,所以每天都要努力!
SqlmapApi 常用方法封装
0x00 代码如下
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import threading
import requests
import json
from time import sleep
class Sqli(threading.Thread):
"""docstring for AutoSqli"""
def __init__(self, server, target, data='', referer='', cookie=''):
threading.Thread.__init__(self)
self.server = server[0:-1] if server[-1]=='/' else server
self.target = target
self.data = data
self.referer = referer
self.cookie = cookie
self.taskid = ''
self.data
def new_task(self):
url = "{}/task/new".format(self.server)
self.taskid = json.loads(requests.get(url).text)['taskid']
if len(self.taskid)>0:
print "Create new task,taskid is: %s" % self.taskid
return True
return False
def set_option(self):
headers = {'Content-Type': 'application/json'}
option = {"options": {
"smart": True,
}
}
url = "{}/option/{}/set".format(self.server,self.taskid)
resp = requests.post(url, data=json.dumps(option), headers=headers)
return json.loads(resp.text)['success']
def start_scan(self):
headers = {'Content-Type': 'application/json'}
payload = {
'url': self.target,
'data': self.data,
'cookie': self.cookie,
'referer': self.referer
}
url = "{}/scan/{}/start".format(self.server,self.taskid)
t = json.loads(requests.post(url,data=json.dumps(payload),headers=headers).text)
if len(str(t['engineid'])) > 0 and t['success']:
print "[%s] Start scan" % self.taskid
return True
return False
def get_status(self):
url = "{}/scan/{}/status".format(self.server,self.taskid)
status = json.loads(requests.get(url).text)['status']
if status == 'running':
return 'running'
elif status == 'terminated':
return 'terminated'
else:
return 'error'
def get_data(self):
url = "{}/scan/{}/data".format(self.server,self.taskid)
data = json.loads(requests.get(url).text)['data']
if len(data) == 0:
print '[] not injection:\t' + self.target
else:
print '=======> injection:\t' + self.target
self.data = data
def delete_task(self):
url = "{}/task/{}/delete".format(self.server,self.taskid)
if json.loads(requests.get(url).text)['success']:
print "[%s] Delete task" % self.taskid
return True
return False
def write_to_file(self,msg):
with open('result.txt','a+') as f:
f.write(json.dumps(msg)+'\n\n')
def run(self):
try:
if not self.new_task():
return False
self.set_option()
if not self.start_scan():
return False
while True:
if self.get_status() == 'running':
sleep(10)
elif self.get_status() == 'terminated':
break
else:
break
self.get_data()
self.write_to_file(self.data)
self.delete_task()
except Exception, e:
print e
if __name__ == '__main__':
server = 'http://127.0.0.1:8775'
target = 'http://192.168.188.134/sqli/Less-1/?id=1'
sqli = Sqli(server, target)
sqli.start()
sqli.join()
Python 爆破 zip 压缩包
0x00 代码
多线程爆破加密的zip压缩包
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import optparse
import zipfile
import threading
import Queue
queue = Queue.Queue()
lock = threading.Lock()
result = ''
def load_pwd(filename):
for line in open(filename,'r'):
if line:
queue.put(line.strip())
def bruter(zipname,queue):
global result
zFile = zipfile.ZipFile(zipname)
while not queue.empty():
password = queue.get()
try:
zFile.extractall(pwd=password) # 解压
lock.acquire()
print "[Ok] password is: %s" % password
lock.release()
result = password
except:
lock.acquire()
print "[Error] password not is: %s" % password
lock.release()
queue.task_done()
def main():
parser = optparse.OptionParser()
parser.add_option('-f', '--file', dest='zipfile',
type='string', help='Target zip file.')
parser.add_option('-p', '--pfile', dest='pwdfile',default='pass.txt',
type='string', help='Password file.')
parser.add_option('-t', '--thread_num', dest='thread_num',default=60,
type='int', help='Thread number.')
(options, args) = parser.parse_args()
if options.zipfile and options.pwdfile:
load_pwd(options.pwdfile)
else:
parser.print_help()
sys.exit(0)
threads = []
for x in range(options.thread_num):
t = threading.Thread(target=bruter,args=(options.zipfile,queue,))
t.setDaemon(True)
t.start()
queue.join()
print "result is: %s" % result
if __name__ == '__main__':
main()
Python 实现代理
0x00 帮助信息
0x01 代码如下
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'This is a proxy'
__author__ = 'xxx'
import sys
import socket
import threading
import optparse
lock = threading.Lock()
def locker(msg):
lock.acquire()
print msg
lock.release()
def hexdump (src,length=16):#十六进制导出函数
result = []
digits = 4 if isinstance(src,unicode) else 2
for i in xrange(0,len(src),length):
s = src[i:i+length]
hexa = b' '.join("[%0*X]" % (digits,ord(x)) for x in s)
text = b''.join([x if 0x20 <= ord(x) < 0x7F else b'.' for x in s])
result.append(b"%04X %-*s %s" % (i,length*(digits+1),hexa,text))
print b'\n'.join(result)
def receive_from (connection):
buffer = ""
#我们设置了1秒的超时,这取决于目标的情况,可能需要调整
connection.settimeout(1)
try:
#持续从缓存中读取数据直到没有数据或者超时
while True:
data = connection.recv(4096)
if not data:
break
buffer += data
except:
pass
return buffer
#对目标是远程主机的请求进行修改
def request_handler (buffer):
#执行包修改
return buffer
#对目标是本地主机的响应进行修改
def response_handler (buffer):
#执行包修改
return buffer
def proxy_handler (client_socket,remote_host,remote_port,receive_first):
#连接远程主机
remote_socket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
remote_socket.connect((remote_host,remote_port))
#如果必要从远程主机接收数据
if receive_first:
remote_buffer = receive_from(remote_socket)
if len(remote_buffer):
print "\n[==>] Received %d bytes from remote." % len(remote_buffer)
# hexdump(remote_buffer)
#发送给我们的相应处理
remote_buffer = response_handler(remote_buffer)
#若我们有数据传递给本地客户端,发送它
if len(remote_buffer):
print "[<==] Sending %d bytes to localhost.\n" % len(remote_buffer)
client_socket.send(remote_buffer)
#现在我们从本地循环读取数据,发送给远程主机和本地主机
while True:
#从本地读取数据
local_buffer = receive_from(client_socket)
if len(local_buffer):
print "\n[==>] Received %d bytes from localhost." % len(local_buffer)
# hexdump(local_buffer)
#发送给我们的本地请求
local_buffer = request_handler(local_buffer)
#发送给远程主机
remote_socket.send(local_buffer)
print "[==>] Sent to remote."
#接收响应的数据
remote_buffer = receive_from(remote_socket)
if len(remote_buffer):
print "\n[<==] Received %d bytes from remote." % len(remote_buffer)
# hexdump(remote_buffer)
#发送数据到响应处理函数
remote_buffer = response_handler(remote_buffer)
#将响应发送给本地socket
client_socket.send(remote_buffer)
print "[==>] Sent to localhost."
#若两边都没有数据,关闭连接
if not len(local_buffer) or not len(remote_buffer):
client_socket.close()
remote_socket.close()
print "[*] No more data. Closing connections."
break
def server_loop(local_host,local_port,remote_host,remote_port,receive_first):
server = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
server.bind((local_host,local_port))
except:
print "[!!] Failed to listen on %s:%d" % (local_host,local_port)
print "[!!] Check for other listening sockets or correct permisssions."
sys.exit(0)
print "[*] Listening on %s:%d......" % (local_host,local_port)
server.listen(5)
while True:
client_socket,addr = server.accept()
#打印本地连接信息
print "\n[==>] Received incoming connection from %s:%d" % (addr[0],addr[1])
#开启一个线程与远程主机通信
proxy_thread = threading.Thread(target=proxy_handler,args=(client_socket,remote_host,remote_port,receive_first))
proxy_thread.start()
def main ():
parser = optparse.OptionParser()
parser.add_option('--lh', '--localhost', dest='localhost',default='127.0.0.1',
type='string', help='Localhost.')
parser.add_option('--lp', '--localport', dest='localport',default=8888,
type='int', help='Localport.')
parser.add_option('--rh', '--remotehost', dest='remotehost', default='127.0.0.1',
type='string', help='Remotehost.')
parser.add_option('--rp', '--remoteport', dest='remoteport', default=8080,
type='int', help='Remoteport.')
parser.add_option('--rf', '--receivefirst', dest='receive_first', default=False,
action='store_true',help='Connection before send and receive data.')
(options, args) = parser.parse_args()
#设置本地监听参数
if options.localhost:
local_host = options.localhost
if options.localport:
local_port = options.localport
#设置远程目标
if options.remotehost:
remote_host = options.remotehost
if options.remoteport:
remote_port = options.remoteport
receive_first = options.receive_first
# print local_host,local_port,remote_host,remote_port,receive_first
#现在设置好我们的监听socket
server_loop(local_host,local_port,remote_host,remote_port,receive_first)
main()
0x02 效果图
Python 封装 MySQL 类
0x00 安装
有两种,一个是MySQLdb,一个是pymysql
- 下载MySQL-python然后安装
- sudo pip install pymysql(推荐,因为py3已经不支持MySQLdb了)
0x01 简单表设计如下
insert into mysql.user(Host,User,Password) values('%','python','123456');
drop database if exists python;
create database python;
use python;
drop table if exists msg;
create table msg(
id int not null auto_increment primary key,
ip varchar(40) not null default '127.0.0.1' comment 'ip地址',
domain varchar(100) not null default 'www.xx.com' comment '域名'
);
grant all privileges on python.* to 'python'@'%' identified by '123456';
flush privileges;
0x02 MySQLdb封装代码
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import MySQLdb
class mysql(object):
"""docstring for mysql"""
def __init__(self, dbconfig):
self.host = dbconfig['host']
self.port = dbconfig['port']
self.user = dbconfig['user']
self.passwd = dbconfig['passwd']
self.dbname = dbconfig['dbname']
self.charset = dbconfig['charset']
self._conn = None
self._connect()
self._cursor = self._conn.cursor()
def _connect(self):
try:
self._conn = MySQLdb.connect(host=self.host,
port = self.port,
user=self.user,
passwd=self.passwd,
db=self.dbname,
charset=self.charset)
except MySQLdb.Error,e:
print e
def query(self, sql):
try:
result = self._cursor.execute(sql)
except MySQLdb.Error, e:
print e
result = False
return result
def select(self, table, column='*', condition=''):
condition = ' where ' + condition if condition else None
if condition:
sql = "select %s from %s %s" % (column,table,condition)
else:
sql = "select %s from %s" % (column,table)
self.query(sql)
return self._cursor.fetchall()
def insert(self, table, tdict):
column = ''
value = ''
for key in tdict:
column += ',' + key
value += "','" + tdict[key]
column = column[1:]
value = value[2:] + "'"
sql = "insert into %s(%s) values(%s)" % (table,column,value)
try:
self._cursor.execute(sql)
self._conn.commit()
except:
self.rollback()
return self._cursor.lastrowid #返回最后的id
def update(self, table, tdict, condition=''):
if not condition:
print "must have id"
exit()
else:
condition = 'where ' + condition
value = ''
for key in tdict:
value += ",%s='%s'" % (key,tdict[key])
value = value[1:]
sql = "update %s set %s %s" % (table,value,condition)
try:
self._cursor.execute(sql)
except:
self.rollback()
return self.affected_num() #返回受影响行数
def delete(self, table, condition=''):
condition = 'where ' + condition if condition else None
sql = "delete from %s %s" % (table,condition)
try:
self._cursor.execute(sql)
self._conn.commit()
except:
self.rollback()
return self.affected_num() #返回受影响行数
def rollback(self):
self._conn.rollback()
def affected_num(self):
return self._cursor.rowcount
def __del__(self):
try:
self._cursor.close()
self._conn.close()
except:
pass
def close(self):
self.__del__()
if __name__ == '__main__':
dbconfig = {
'host':'192.168.188.134',
'port':3306,
'user':'python',
'passwd':'123456',
'dbname':'python',
'charset':'utf8'
}
db = mysql(dbconfig)
# print db.select('msg','id,ip,domain')
# print db.select('msg','id,ip,domain','id>2')
# print db.affected_num()
# tdict = {
# 'ip':'111.13.100.91',
# 'domain':'baidu.com'
# }
# print db.insert('msg', tdict)
# tdict = {
# 'ip':'111.13.100.91',
# 'domain':'aaaaa.com'
# }
# print db.update('msg', tdict, 'id=5')
# print db.delete('msg', 'id>3')
db.close()
0x03 pymysql封装代码
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import urlparse
import pymysql
import contextlib
class MySQLX(object):
def __init__(self, mysql_uri):
super(MySQLX, self).__init__()
self.mysql_uri = mysql_uri
self.mysql_info = self.mysql_parse_uri()
def mysql_parse_uri(self):
p = urlparse.urlparse(self.mysql_uri)
host = p.hostname
port = p.port
user = p.username
password = p.password
dbname = p.path.strip('/')
charset = urlparse.parse_qs(p.query)['charset'][0]
return {
'host': host,
'port': port,
'user': user,
'password': password,
'db': dbname,
'charset': charset,
'cursorclass': pymysql.cursors.DictCursor,
}
@contextlib.contextmanager
def init(self):
dbconn = pymysql.connect(**self.mysql_info)
cursor = dbconn.cursor()
# dbconn = pymysql.connect(
# host=mysql_info.get('host'),
# user=mysql_info.get('user'),
# password=mysql_info.get('password'),
# db=mysql_info.get('db'),
# charset=mysql_info.get('charset')
# )
# cursor = dbconn.cursor(cursor=pymysql.cursors.DictCursor)
try:
yield cursor #这里就是with返回的
finally:
dbconn.commit()
cursor.close()
dbconn.close()
def query(self, sql, arg=''):
try:
with self.init() as cursor:
if arg:
cursor.execute(sql,arg) #返回受影响行数
else:
cursor.execute(sql)
result = cursor.fetchall() #返回数据格式是[{},{}]
# result = cursor.fetchone() #返回数据格式是{}
return result
except Exception as e:
print sql,str(e)
if __name__ == '__main__':
mysql_uri = "mysql+pymysql://root:root@localhost:3306/rtest?charset=utf8mb4"
sqlconn = MySQLX(mysql_uri)
sql = "select * from `msg` where id=%s"
result = sqlconn.query(sql,"2")
print result
Tmux 的使用
0x00 Tmux 的快捷键前缀
在 Tmux 下想要使用快捷键时,需要先按下快捷键前缀,然后再按下快捷键。
默认情况下,Tmux 的快捷键前缀是 Ctrl+b,即所有的命令都以 Ctrl+b 开头。
more...POC 框架 Pocsuite
0x00 关于Pocsuite
Pocsuite 是知道创宇安全研究团队打造的一款基于漏洞与 POC 的远程漏洞验证框架。可以让我们不用考虑过多的细节,只要考虑验证代码就可以,它封装了一些我们常用的东西,比如requests,在我们平常使用requests是要考虑cookie、要考虑header,但是在框架下则不需要有这些考虑,因为这些东西框架都帮你解决了。
more...Sublime Text 3 几个好用的插件
0x00 Package Control
安装完这个插件后可以更容易的管理(安装、删除、查看等)其他插件
- 代码安装
ctrl+~快捷键调出console,将下面代码粘贴进去,然后Enter执行(注意单引号)
import urllib.request,os; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); open(os.path.join(ipp, pf), 'wb').write(urllib.request.urlopen( 'http://sublime.wbond.net/' + pf.replace(' ','%20')).read())
- 手动安装
- 点击https://sublime.wbond.net/Package%20Control.sublime-package 下载文件
- 将下载的文件放在root path/Data/Installed Packages下
- 重启Sublime Text
- 使用方法
Ctrl+Shift+P调出菜单然后选择相应操作
more...
PHP 安全配置
0x00 PHP的配置
PHP的配置文件为php.ini,其中有些项配置不当的话就会造成一些安全问题
0x01 远程文件包含
- 涉及配置项
- allow_url_include
- 配置为On时允许进行远程文件包含
- allow_url_fopen
- 配置为On时允许使用函数fopen、file_put_contents
- allow_url_include
- 配置方案
- alllow_url_include = Off
- allow_url_fopen = Off
0x02 关闭错误回显
- 涉及配置项
- display_errors
- 配置为On时会显示错误信息
- display_errors
- 配置方案
- display_errors = Off
- log_errors = On
- error_log = /var/log/php_error.log
0x03 隐藏php版本
- 涉及配置项
- expose_php
- 为Off时会隐藏php版本
- expose_php
- 配置方案
- expose_php = Off
0x04 魔术引号
- 涉及配置项
- magic_quotes_gpc
- 过滤get、post、cookie的单引号、双引号、反斜杠、空字符,但不过滤$_SERVER
- magic_quotes_runtime
- 对文件或数据库中取出的数据进行过滤,可防止二次注入
- magic_quotes_gpc
- 配置方案
- 做逻辑判断时需要去掉反斜杠,所以用全局过滤框架做过滤吧
0x05 安全模式
- 涉及配置项
- safe_mode
- 开启后安全系数提升,但会限制函数使用权限和操作目录文件权限等
- safe_mode
- 配置方案
- 在安全模式下可以使用safe_mode_include_dir = /var/www/common来排除某些文件
0x06 目录权限控制
- 涉及配置项
- open_basedir
- 开启后可将用户访问范围限定,可防止跨站,但会影响性能
- open_basedir
- 配置方案
- open_basedir = /var/www/web1/:/var/www/web2/ (后面的斜杠不能少)
0x07 禁止函数
- 涉及配置项
- disable_functions
- 禁止某些命令执行函数和文件操作函数的使用
- disable_functions
- 配置方案
- disable_functions = system,passthru,exec,shell_exec,popen,pcntl_exec, proc_open,chdir,chroot,getcwd,readdir,mkdir,copy,file_get_contents,
0x08 注册全局变量
- 涉及配置项
- register_globals
- 值为On是会开启全局注册变量功能
- register_globals
- 配置方案
- register_globals = Off
Python 的模块
0x00 Python的模块
- 在python中,任何一个python文件都可以看作一个模块
- 不同包下有相同模块名并不会冲突,且包下必须有文件
__init__.py - from lib import * 意思是从包lib中导入所有模块(若lib为模块名则为导入模块的所有函数)
- from lib.module1 import test 意思是从lib这个包下的module1模块中导入函数test
- import导入模块时会从sys.path输出的结果路径中查找模块然后导入
sys.path.append('D:/xx/xx/xx/code')可以添加搜索路径- 使用
if __name__ == '__main__':
0x01 实例
- 文件结构如下
Previous Page
8 of 18
Next Page