Show a random shell tip

http://www.shell-fu.org/lister.php?random returns a random shell tip. Put the following in your bashrc and run shellfu. Enjoy!

```
# Fetch a random tip from shell-fu.org and render the HTML as plain text with lynx.
shellfu(){
    curl -s "http://www.shell-fu.org/lister.php?random" |
        sed -e 's/ /\n<\/div>\n/g' |
        sed -n -e "/ /,/<\/div>/p" |
        lynx -stdin -dump -nolist
}
```

Sample output:

```
518 ~>shellfu
The commmands below show the ten largest files/dirs in the working directory.
Both commands give similar results, though handle things slightly differently.
The 'du' option is good if you also need sizes of subdirectories, but the 'ls'
option gives more detail.

ls -laSh | head -10
du -s * | sort -nr | head -10

I find both to be useful in situations where I need to make more free space.

518 ~>shellfu
Mail somebody about space running low in some path (ksh, bash):

PATHS="/export/home /home"
AWK=/usr/bin/awk
DU="/usr/bin/du -ks"
GREP=/usr/bin/grep
DF="/usr/bin/df -k"
TR=/usr/bin/tr
SED=/usr/bin/sed
CAT=/usr/bin/cat
MAILFILE=/tmp/mailviews$$
MAILER=/bin/mailx
mailto="[email protected]"
for path in $PATHS
do
DISK_AVAIL=`$DF $path | $GREP -v "Filesystem" | $AWK '{print $5}'|$SED 's/%//g'`
if [ $DISK_AVAIL -gt 90 ];then
echo "Please clean up your stuff\n\n" > $MAILFILE
$CAT $MAILFILE | $MAILER -s "Clean up stuff" $mailto
fi
done
```

January 11, 2010 · notsobad

allow_url_include in PHP

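If allow_url_include is enabled, remote files can be included. This is a very old security issue, but only after experimenting with it today did I realize how dangerous it is. I used to think include only fetched static HTML content and output it as-is; I did not expect it to interpret and execute the PHP code in the fetched content. Very dangerous.

On machine a:

```
wang@wang-desktop:~/www$ cat inc.php
EOF
?>
```

Then on another machine b: ...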

December 17, 2009 · notsobad

eval in the shell

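About eval in the shell.

After a command injection, the characters a command may need are roughly these: $ ' " ; && || [ ] ` > <

As you can see, there are quite a few, so blacklist filtering is bound to be flawed, because it can very likely be bypassed.

Suppose htmlspecialchars is applied to every GET and POST parameter, so that all < and > characters are escaped into HTML entities. Does that mean redirection operators can no longer be used?

See the following, which uses eval to make the pipe symbol work:

The shell takes care of pipes and I/O redirection before variable substitution, so it never recognizes the pipe symbol inside pipe. The result is that the three arguments |, wc, and -l are passed to ls as arguments. ...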

December 7, 2009 · notsobad
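
The parsing order described in the eval post above, as an added example that is not part of the original blog: the function names and the sample value are constructed. It shows the same string staying inert as an argument and becoming a pipeline only once it passes through eval.

```shell
#!/bin/sh
# Added example: when the shell parses pipes versus when it expands variables.
# Function names and the sample value are constructed for illustration.

# Constructed sample: text that reaches a script as data (e.g. a form field).
untrusted='hello | wc -c'

# Helper: report how many arguments it received.
count_args() { echo "$#"; }

# Quoted expansion: pipes were parsed before "$1" was expanded, so the whole
# value stays one literal argument and '|' is an ordinary character.
expand_quoted() {
    printf '%s' "$1"
}

# Unquoted expansion: the value is word-split into hello, |, wc, -c, but the
# '|' is still only an argument; no pipeline is created.
expand_unquoted() {
    count_args $1
}

# eval: the expanded text is parsed a second time as shell source, so the '|'
# now builds a real pipeline and wc counts the 5 bytes of "hello".
expand_eval() {
    eval "printf '%s' $1"
}

echo "quoted:   $(expand_quoted "$untrusted")"
echo "unquoted: $(expand_unquoted "$untrusted") arguments"
echo "eval:     $(expand_eval "$untrusted" | tr -d ' ') bytes after re-parsing"
```

Keeping request data in quoted arguments and never handing it to eval removes the second parse; filtering individual characters does not.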

A web scanner (Nikto)

Looking through the top 100 network security tools, number 12 is Nikto, which is also the first of the [10 best web scanners](http://sectools.org/web-scanners.html). I installed it to try it out, and it is quite good.

```
wang@wang-laptop:~$ sudo apt install nikto
wang@wang-laptop:~$ nikto -Help

   Options:
       -config+            use this config file
       -Cgidirs+           scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
       -Display+           turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug Output
                               V     Verbose Output
       -dbcheck            check database and other key files for syntax errors (cannot be abbreviated)
       -evasion+           ids evasion technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
       -findonly           find http(s) ports only, don't perform a full scan
       -Format+            save file (-o) format:
                               htm   HTML Format
                               csv   Comma-separated-value
                               txt   Plain text (default if not specified)
                               xml   XML Format
       -host+              target host
       -Help               Extended help information
       -id+                host authentication to use, format is userid:password
       -mutate+            Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
       -nolookup           skip name lookup
       -output+            write output to this file
       -port+              port to use (default 80)
       -Pause+             pause between tests (seconds)
       -root+              prepend root value to all requests, format is /directory
       -ssl                force ssl mode on port
       -Single             Single request mode
       -timeout+           timeout (default 2 seconds)
       -Tuning+            scan tuning:
                               0     File Upload
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               x     Reverse Tuning Options (i.e., include all except specified)
       -useproxy           use the proxy defined in config.txt
       -update             update databases and plugins from cirt.net (cannot be abbreviated)
       -Version            print plugin and database versions
       -vhost+             virtual host (for Host header)
                + requires a value
```

I tried scanning my own laptop and found something quite interesting.

Environment: Ubuntu 9.10 + apache2 (default configuration)

It turns out there is this address, http://localhost/server-status, which records Apache's running status. ...

December 5, 2009 · notsobad