Shell Inject Payload

Wherever an application is believed to execute operating system commands, there is a chance that its command-execution filtering can be bypassed, leading to arbitrary command execution. The tool and payloads below can be used for blind shell-injection testing; combined with a DNS/web-log platform and its API, the execution result can be retrieved quickly.

Tool URL

https://github.com/ewilded/shelling

The tool's introduction follows

SHELLING – an offensive approach to the anatomy of improperly written OS command injection sanitisers

In order to improve the accuracy of our blind OS command injection testing, we need a comprehensive, analytic approach. In general, all the injection payloads can fail due to:
– the eventual syntax of the expression we are injecting into (solution: base payload variants)
– input sanitising mechanisms, which refuse forbidden characters (solution: evasive techniques)
– platform specific conditions (e.g. using a windows command on a nix host)
– bad callback method (e.g. asynchronous execution, no outbound traffic etc., solution: base payload variants)

BASE PAYLOAD VARIANTS (BASIC CASES)

  • MALICIOUS_COMMAND (will this ever happen? yes it will, in argument injections like $USER_SUPPLIED or $(USER_SUPPLIED))
  • MALICIOUS_COMMAND+COMMAND_TERMINATOR (in case there was write and command separators were unallowed?)
  • COMMAND_SEPARATOR+MALICIOUS_COMMAND (for simple injections with no filtering, like cat $USER_SUPPLIED)
  • COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR (for simple injections with no filtering and appended fixed shite, like cat $USER_SUPPLIED something)
  • COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR+SUFFIX (for simple injections like cat $USER_SUPPLIED something, with filtering like \w+$)
  • PREFIX+COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR (for injections with shitty filtering like \w+ and some appended fixed shite, like cat $USER_SUPPLIED something)
  • PREFIX+COMMAND_SEPARATOR+MALICIOUS_COMMAND+COMMAND_SEPARATOR+SUFFIX (for injections with appended fixed shite, like cat $USER_SUPPLIED something, with shitty filtering like ^\w+\s+.*\w+$)
  • PREFIX+MALICIOUS_COMMAND+SUFFIX (` and $() notations)

EVASIVE TECHNIQUES USED
– alternative COMMAND_SEPARATORS
– alternative ARGUMENT_SEPARATORS
– alternative COMMAND_TERMINATORS
– additional prefixes and suffixes to go around lax filters
– additional prefixes and suffixes to fit into quoted expressions

Other evasive techniques considered:
– alternative payloads to avoid particular bad characters
– encoding-related variations, like double URL encoding
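The README above blames loosely anchored filters such as `\w+` and `\w+$` for many successful injections. The following added example (not part of the SHELLING project or the original post) shows, on constructed sample inputs, why those patterns pass a trailing newline or a separator, and how a properly anchored allowlist plus an argv list with shell=False removes the problem. The names SAMPLES, lax_filter, anchored_filter, strict_filter and build_argv are assumptions made for the example.

```python
import re
import subprocess

# Constructed sample inputs exercising the sanitiser shapes described above:
# a plain token, one with a trailing newline (a shell command terminator),
# one with a separator appended, and one carrying a stray quote.
SAMPLES = {
    "plain": "report",
    "trailing_newline": "report\n",
    "separator": "report;id",
    "quoted": "report'",
}

def lax_filter(value: str) -> bool:
    """Unanchored \\w+ check: passes anything containing one word character."""
    return re.search(r"\w+", value) is not None

def anchored_filter(value: str) -> bool:
    """^\\w+$ via re.match: in Python '$' also matches just before a trailing
    newline, so 'report\\n' is accepted although the newline ends the command."""
    return re.match(r"^\w+$", value) is not None

def strict_filter(value: str) -> bool:
    """re.fullmatch must consume the whole string (same as \\A...\\Z), so a
    trailing newline, separator or quote is rejected. Allowlist, not blocklist."""
    return re.fullmatch(r"[A-Za-z0-9_.-]+", value) is not None

def build_argv(user_value: str) -> list:
    """Return an argv list; the value is never joined into a shell string.
    '--' stops option parsing so a value starting with '-' is treated as a
    filename (the argument-injection case mentioned above)."""
    if not strict_filter(user_value):
        raise ValueError("rejected filename")
    return ["cat", "--", user_value]

def run(user_value: str) -> subprocess.CompletedProcess:
    # shell=False: argv goes straight to execve, so ;, newlines, backticks and
    # $() have no meaning even if the validation above were wrong.
    return subprocess.run(build_argv(user_value), capture_output=True, text=True)

def evaluate() -> dict:
    """Verdict of each filter on every sample, keyed by sample name."""
    return {name: {"lax": lax_filter(v), "anchored": anchored_filter(v),
                   "strict": strict_filter(v)}
            for name, v in SAMPLES.items()}
```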

PHP zval type definitions

#define IS_NULL 0
#define IS_LONG 1
#define IS_DOUBLE 2
#define IS_BOOL 3
#define IS_ARRAY 4
#define IS_OBJECT 5
#define IS_STRING 6
#define IS_RESOURCE 7
#define IS_CONSTANT 8
#define IS_CONSTANT_ARRAY 9
#define IS_CALLABLE 10

Kali 2 update sources

# Aliyun Kali mirror
deb http://mirrors.aliyun.com/kali sana main non-free contrib
deb-src http://mirrors.aliyun.com/kali sana main non-free contrib
deb http://mirrors.aliyun.com/kali-security sana/updates main contrib non-free
deb-src http://mirrors.aliyun.com/kali-security sana/updates main contrib non-free

# USTC Kali mirror
deb http://mirrors.ustc.edu.cn/kali sana main non-free contrib
deb-src http://mirrors.ustc.edu.cn/kali sana main non-free contrib
deb http://mirrors.ustc.edu.cn/kali-security sana/updates main contrib non-free
deb-src http://mirrors.ustc.edu.cn/kali-security sana/updates main contrib non-free

Pitfalls of PCI/PCIe gigabit Ethernet network storage

I recently bought a small HP server, a Gen8, and wanted to connect it with my previous server: the Gen8 acts as storage (iSCSI/CentOS), and the previous server runs ESXi and uses the iSCSI storage.
Then the problem appeared: the write speed was only 20M/s over a gigabit Ethernet link.
After researching in many places, I finally found a hint in a foreign article.
http://iscsi-enterprise-target.996254.n3.nabble.com/Slow-iscsitarget-Performance-help-td9866.html

I then began to wonder whether PCI versus PCIe could make a difference, even though both are gigabit NICs. So I swapped the two NIC links on the previous server (in the ESXi configuration), swapped the cables, and re-ran the speed test; the speed reached 50-80M/s, so the problem evidently lies in PCIe versus PCI.

[Screenshot: iSCSI speed test]
[Screenshot: speed test with NFS + ESXi cache enabled]

CPU usage is of course still higher with iSCSI, because my PCIe card does not support jumbo frames (MTU 9000).