=Start=
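Background:
- Collect the versions of Jenkins running on our servers to understand the version distribution, so that security protections can be targeted.
- Version detection works much the same way across Java applications, so the method is portable; it is recorded here for future reference.
Reference solution:
1. Installing Jenkins on CentOS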
https://wiki.jenkins-ci.org/display/JENKINS/Installing+Jenkins+on+Red+Hat+distributions
$ sudo yum install java-1.7.0-openjdk  # needed on some CentOS machines
$ sudo wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat/jenkins.repo
$ sudo rpm --import https://jenkins-ci.org/redhat/jenkins-ci.org.key
$ sudo yum install jenkins
2. Using Jenkins
https://wiki.jenkins-ci.org/display/JENKINS/Administering+Jenkins
https://wiki.jenkins-ci.org/display/JENKINS/Use+Jenkins
3. Getting the Jenkins version
$ unzip -c /usr/lib/jenkins/jenkins.war META-INF/MANIFEST.MF | egrep ^Jenkins-Version: | awk '{print $2}' | tr -d '\r'
# or
$ java -jar /usr/lib/jenkins/jenkins.war --version
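An added example, not code from the original post: the same MANIFEST.MF lookup in Python, extended to find the WAR behind each running `java -jar *.war` process through /proc so that every instance on a host is covered. The function names and the sample manifest are constructed for illustration; it assumes Jenkins was started with `-jar` (not deployed inside a servlet container) and that the caller may read other users' /proc entries.

```python
import os
import zipfile

# Constructed sample manifest (CRLF endings, one wrapped value); not from a real WAR.
SAMPLE_MANIFEST = ("Manifest-Version: 1.0\r\nCreated-By: a wrap\r\n ped value\r\n"
                   "Jenkins-Version: 2.0.0-sample\r\n\r\nName: other-section\r\n")

def parse_manifest(text):
    """Return the manifest's main-section attributes, joining wrapped lines."""
    attrs, key = {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if not line:                        # a blank line ends the main section
            break
        if line.startswith(" ") and key:    # continuation of the previous value
            attrs[key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs

def jenkins_version(war):
    """Jenkins-Version of a WAR (path or file object); None if absent or unreadable."""
    try:
        with zipfile.ZipFile(war) as zf:
            raw = zf.read("META-INF/MANIFEST.MF")
    except (OSError, KeyError, zipfile.BadZipFile):
        return None
    return parse_manifest(raw.decode("utf-8", "replace")).get("Jenkins-Version")

def war_from_cmdline(argv):
    """Return the *.war argument that follows -jar, or None."""
    for i, arg in enumerate(argv[:-1]):
        if arg == "-jar" and argv[i + 1].endswith(".war"):
            return argv[i + 1]
    return None

def running_jenkins_versions(proc="/proc"):
    """Map pid -> (war argument, version) for processes started with -jar *.war."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv = fh.read().decode("utf-8", "replace").split("\0")
        except OSError:
            continue                        # process exited or is not readable
        war = war_from_cmdline(argv)
        if war:                             # a relative path resolves via the process cwd
            path = os.path.join(proc, pid, "cwd", war)
            found[int(pid)] = (war, jenkins_version(path))
    return found
```

A version of `None` in the result means the WAR could not be read or carries no `Jenkins-Version` attribute, so it is worth reporting rather than dropping.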
More reference links:
See which plugins are installed on Jenkins
=END=
14 comments on "Detecting the version of Jenkins running on a server"
Collecting information about installed Node.js modules on Linux
`
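1. A node instance is running, and the full path of node can be obtained
2. Temporarily set the environment variable PATH=${NODE%/*}:$PATH so that this command runs correctly: npm ls -g --depth=0 2>/dev/null | awk 'NR>1 {print $2}'
3. Things to watch out for:
whether the permissions are correct;
whether the path is correct (if it is not, only the globally installed modules can be retrieved);
whether the environment variables are correct (/usr/bin/env: node: 没有那个文件或目录);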
`
Getting information about installed Node.js modules:
get all nodejs modules
centos get installed nodejs modules
Reference links:
http://stackoverflow.com/questions/13981938/print-a-list-of-all-installed-node-js-modules
http://stackoverflow.com/questions/17937960/how-to-list-npm-user-installed-packages
http://stackoverflow.com/questions/5926672/where-does-npm-install-packages
http://serverfault.com/questions/299288/how-do-you-install-node-js-on-centos
http://tecadmin.net/install-latest-nodejs-and-npm-on-centos/
http://ask.xmodulo.com/install-node-js-linux.html
The sequence of a web request: web browser -> web server (in the narrow sense) -> (web container ->) application server -> database server
#Java (java process)
Spring Struts/Struts2 [WebFramework]
Jenkins [WebApp]
#Python (python process)
Django Flask Tornado Pyramid web2py [WebFramework]
#PHP (nginx/httpd)+(php-fpm/php-cgi/… processes)
Laravel Yii Symfony CakePHP ThinkPHP zend [WebFramework]
WordPress Joomla Drupal Typecho PHPCMS Discuz! [WebApp]
#Ruby (ruby process)
RoR Sinatra [WebFramework]
#Nodejs (node process)
Express [WebFramework]
#Golang (go process)
Revel Beego [WebFramework]
https://en.wikipedia.org/wiki/Web_framework#External_links
https://github.com/showcases/web-application-frameworks
Jenkins
https://jenkins.io/doc/ # `java -jar jenkins.war`
https://ixyzero.com/blog/archives/2627.html
How to check the Django version
https://stackoverflow.com/questions/6468397/how-to-check-django-version
How to check the Flask version
https://stackoverflow.com/questions/5285858/determining-what-version-of-flask-is-installed
How to check the Tornado version
https://stackoverflow.com/questions/31146153/get-python-tornado-version
`
$ /proc/$pid/exe -c "import django; print(django.get_version())"
$ /proc/$pid/exe -c "import flask; print(flask.__version__)"
$ /proc/$pid/exe -c "import tornado; print(tornado.version)"
`
Free web-application vulnerability and version scanner
https://github.com/fgeek/pyfiscan
Joomla fixes an LDAP injection that had been lurking in the system for 8 years
https://threatpost.com/joomla-patches-eight-year-old-ldap-injection-vulnerability/128069/
https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
https://www.seebug.org/vuldb/ssvid-96561
Thirty-Six Stratagems of Using Jenkins: plugin information
http://greatops.net/?id=233
Cacti version detection
https://github.com/worlak2/cactiVersionCheck/blob/master/check.py
A cheat sheet of vulnerabilities in well-known server monitoring tools (Zabbix/Nagios/Cacti)
https://github.com/HD421/Monitoring-Systems-Cheat-Sheet
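Written in Python 2.7: identifies the version of monitoring tools such as NagiosXI or Zabbix, and tries to fetch the corresponding list of CVE vulnerabilities based on the version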
https://github.com/HD421/Monitoring-Systems-Version-Check
VER-OBSERVER: a command-line tool that can detect framework and dependency versions
http://blog.neargle.com/2018/01/29/ver-observer-a-tool-about-version-detection/
https://github.com/neargle/ver-observer
Middleware penetration-testing tool: Clusterd
https://mp.weixin.qq.com/s/KJbOGZ6PW2vnVT9auQ9aKQ
https://github.com/hatRiot/clusterd
`
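Clusterd is an open-source toolkit built specifically for attacking application servers; it can automatically fingerprint servers, probe them, and automatically attack them. In short, clusterd is a middleware penetration tool; the middleware it can identify are JBoss, ColdFusion, WebLogic, Tomcat, Railo, Axis2 and Glassfish.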
`
Middleware security: an outline of Tomcat security testing
https://mp.weixin.qq.com/s/_-AtrbMNROUFRbaime3NrA
Exploit script that deploys a WAR package through the Apache Tomcat text interface
https://github.com/incredibleindishell/exploit-code-by-me/tree/master/Apache-Tomcat-Text_interface-shell-upload
Patch released for the high-risk Drupal remote code execution vulnerability (CVE-2018-7600)
https://www.drupal.org/sa-core-2018-002
Analysis of the Joomla core SQL injection vulnerability (CVE-2018-8045)
http://blog.nsfocus.net/cve-2018-804-analysis/
PEP 314 — Metadata for Python Software Packages v1.1
https://www.python.org/dev/peps/pep-0314/
PEP 566 — Metadata for Python Software Packages 2.1
https://www.python.org/dev/peps/pep-0566/
Core metadata specifications
https://packaging.python.org/specifications/core-metadata/
https://stackoverflow.com/questions/20683118/how-to-access-python-package-metadata-from-within-the-python-console
What is a Python egg?
https://stackoverflow.com/questions/2051192/what-is-a-python-egg
`
Same concept as a .jar file in Java, it is a .zip file with some metadata files renamed .egg, for distributing code as bundles.
`
https://pypi.org/project/pkginfo/