|
|
saltstack远程执行shell,远程管理等返回json已经很成熟,扩展也很好用
原理其实就是通过网络协议,aes加密后,用python本地执行shell等系统调用
其实nginx也可以做成远程执行shell
利用nginx的request的args参数可以获取url
并自定义解析url的decode方法,比如%20变成空格
方法如下
void hao_urldecode(char *dest, const char *src)
{
const char *p = src;
char code[3] = {0};
unsigned long ascii = 0;
char *end = NULL;
while(*p)
{
if(*p == '%')
{
memcpy(code, ++p, 2);
ascii = strtoul(code, &end, 16);
*dest++ = (char)ascii;
p += 2;
}
else
*dest++ = *p++;
}
}
nginx的args后面会跟着一个空格 HTTP/1.1
所以截取字符串把url还原成命令,使用system函数调用执行shell
char urlcmd[255]= {"0"};
// strcpy( urlcmd, r->args.data);
printf("mycmd %s",urlcmd);
char *mycmd=(char *)r->args.data;
strcpy( urlcmd, mycmd);//snprintf
char *abc;
abc=strtok(urlcmd," ");
char haoout[sizeof abc] = {0};
hao_urldecode(haoout,abc);
system(haoout)
完整代码的
简单例子如下:
ngx_http_echo_module.c
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>
#include <time.h>
#include "haolog.h"
#include <ngx_log.h>
/* Module config */
typedef struct {
ngx_str_t ed;
} ngx_http_echo_loc_conf_t;
static char *ngx_http_echo(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void *ngx_http_echo_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_echo_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child);
/* Directives */
static ngx_command_t ngx_http_echo_commands[] = {
{
ngx_string("echo"),
NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_http_echo,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_echo_loc_conf_t, ed),
NULL
},
ngx_null_command
};
/* Http context of the module */
static ngx_http_module_t ngx_http_echo_module_ctx = {
NULL, /* preconfiguration */
NULL, /* postconfiguration */
NULL, /* create main configuration */
NULL, /* init main configuration */
NULL, /* create server configuration */
NULL, /* merge server configuration */
ngx_http_echo_create_loc_conf, /* create location configration */
ngx_http_echo_merge_loc_conf /* merge location configration */
};
/* Module */
ngx_module_t ngx_http_echo_module = {
NGX_MODULE_V1,
&ngx_http_echo_module_ctx, /* module context */
ngx_http_echo_commands, /* module directives */
NGX_HTTP_MODULE, /* module type */
NULL, /* init master */
NULL, /* init module */
NULL, /* init process */
NULL, /* init thread */
NULL, /* exit thread */
NULL, /* exit process */
NULL, /* exit master */
NGX_MODULE_V1_PADDING
};
void hao_urldecode(char *dest, const char *src)
{
const char *p = src;
char code[3] = {0};
unsigned long ascii = 0;
char *end = NULL;
while(*p)
{
if(*p == '%')
{
memcpy(code, ++p, 2);
ascii = strtoul(code, &end, 16);
*dest++ = (char)ascii;
p += 2;
}
else
*dest++ = *p++;
}
}
/* Handler function */
static ngx_int_t
ngx_http_echo_handler(ngx_http_request_t *r)
{
DEBUG_LOG("haoning haohao .........ngx_http_echo_handler\n");
ngx_log_stderr(0,"haoning: ngx_http_hello_world_handler\"%s\"","haohao" );
// ngx_log_error(0,"haoning: ngx_http_hello_world_handler\"%s\"","haohao" );
fprintf(stderr, "haoning hahahah:%s\r\n","ningning");
fprintf(stderr,"haoning haohao subrequest in memory: %d\n", (int) r->subrequest_in_memory);
fprintf(stderr,"haoning haohao r->method : %d\n",(int) r->method);
fprintf(stderr,"haoning haohao r->http_version: %d\n",(int) r->http_version) ;
fprintf(stderr,"haoning haohao r->request_line.data: %s\n",r->request_line.data) ;
fprintf(stderr,"haoning haohao r->uri.data): %s\n",r->uri.data);
fprintf(stderr,"haoning haohao r->args.data: %s\n",r->args.data);
//u_char *mycmd=(u_char *)r->args.data;
//char *urlcmd=(char *) malloc( sizeof(char)*255 );//=(u_char *)r->args.data;
//memset(urlcmd,0,sizeof(char)*255);
char urlcmd[255]= {"0"};
// strcpy( urlcmd, r->args.data);
printf("mycmd %s",urlcmd);
char *mycmd=(char *)r->args.data;
strcpy( urlcmd, mycmd);//snprintf
char *abc;
abc=strtok(urlcmd," ");
char haoout[sizeof abc] = {0};
hao_urldecode(haoout,abc);
// u_char *mycmd=(u_char *) malloc( sizeof(char)*255 );;
//u_char *thiscmd=(u_char *) malloc( sizeof(u_char)*255 );
//ngx_unescape_uri(&thiscmd, &uu, 255, NGX_UNESCAPE_REDIRECT);
fprintf(stderr,"haoning haohao urlcmd:%s\n",urlcmd);
fprintf(stderr,"haoning haohao abc:%s\n",abc);
fprintf(stderr,"haoning haohao out:%s\n",haoout);
system(haoout);
//fprintf(stderr,"haoning haohao thiscmd:%s\n",thiscmd);
//free(urlcmd);
// free(mycmd);
fprintf(stderr,"haoning haohao r->unparsed_uri.data: %s\n",r->unparsed_uri.data);
fprintf(stderr,"haoning haohao r->method_name.data: %s\n",r->method_name.data) ;
fprintf(stderr,"haoning haohao r->http_protocol.data: %s\n",r->http_protocol.data);
fprintf(stderr,"haoning haohao r->exten.data: %s\n",r->exten.data);
fprintf(stderr,"haoning haohao -----------------: %s\n","end");
ngx_int_t rc;
ngx_buf_t *b;
ngx_chain_t out;
ngx_http_echo_loc_conf_t *elcf;
elcf = ngx_http_get_module_loc_conf(r, ngx_http_echo_module);
if(!(r->method & (NGX_HTTP_HEAD|NGX_HTTP_GET|NGX_HTTP_POST)))
{
return NGX_HTTP_NOT_ALLOWED;
}
r->headers_out.content_type.len = sizeof("text/html") - 1;
r->headers_out.content_type.data = (u_char *) "text/html";
r->headers_out.status = NGX_HTTP_OK;
r->headers_out.content_length_n = elcf->ed.len;
if(r->method == NGX_HTTP_HEAD)
{
DEBUG_LOG("haoning......ngx_http_echo_handlerr---r->method == NGX_HTTP_HEAD");
rc = ngx_http_send_header(r);
if(rc != NGX_OK)
{
return rc;
}
}
b = ngx_pcalloc(r->pool, sizeof(ngx_buf_t));
if(b == NULL)
{
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "Failed to allocate response buffer.");
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
out.buf = b;
out.next = NULL;
b->pos = elcf->ed.data;
b->last = elcf->ed.data + (elcf->ed.len);
b->memory = 1;
b->last_buf = 1;
rc = ngx_http_send_header(r);
if(rc != NGX_OK)
{
return rc;
}
DEBUG_LOG("haoning......ngx_http_output_filter");
return ngx_http_output_filter(r, &out);
}
static char *
ngx_http_echo(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
DEBUG_LOG("haoning --ngx_http_echo->>>>> init");
ngx_http_core_loc_conf_t *clcf;
clcf = ngx_http_conf_get_module_loc_conf(cf, ngx_http_core_module);
clcf->handler = ngx_http_echo_handler;
ngx_conf_set_str_slot(cf,cmd,conf);
return NGX_CONF_OK;
}
static void *
ngx_http_echo_create_loc_conf(ngx_conf_t *cf)
{
DEBUG_LOG("haoning --ngx_http_echo_create_loc_conf");
ngx_http_echo_loc_conf_t *conf;
conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_echo_loc_conf_t));
if (conf == NULL) {
return NGX_CONF_ERROR;
}
conf->ed.len = 0;
conf->ed.data = NULL;
return conf;
}
static char *
ngx_http_echo_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
{
DEBUG_LOG("haoning --ngx_http_echo_merge_loc_conf");
ngx_http_echo_loc_conf_t *prev = parent;
ngx_http_echo_loc_conf_t *conf = child;
ngx_conf_merge_str_value(conf->ed, prev->ed, "");
return NGX_CONF_OK;
}
config
ngx_addon_name=ngx_http_echo_module
HTTP_MODULES="$HTTP_MODULES ngx_http_echo_module"
NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_echo_module.c $ngx_addon_dir/haolog.c"
NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_addon_dir/haolog.h"
CORE_LIBS="$CORE_LIBS -lpcre"
配置文件注意
user nobody
改成
user root;
#user nobody;
user root;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
location /test {
echo "hello haohao";
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
以上模块编译到nginx后
访问
http://10.11.11.11/test?touch%20a
tailf error.log
去/usr/local/nginx_echo/sbin
ls
已经在sbin/nginx的同级目录执行了
touch a的命令
另外:
这里使用nginx的root权限,其他安全性因素没有考虑,只做学习参考 |
|
QQ群⑧:
窥视卡
雷达卡
发表于 2016-12-25 07:59:45
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡