If we want to remove extra spaces in a text like this:

    This   is  some    interesting   text.

You could be tempted to use sed, but there is a simpler way using tr:

    tr -s ' '

And we end up with:

    This is some interesting text.

With tr you can also delete characters instead of compressing them. Let’s say we wanted to get rid of the vowels.

    tr -d 'aeiou'

We get:

    Ths s sm ntrstng txt.

Awk comes with some predefined variables, like NF for the number of fields or OFS for the output field separator. If you want to know more about these, run ‘man awk’ and search for ‘Built-in Variables’. In this post we are going to talk about using your own variables, just like in any other programming language. If you are new to awk, start here: http://www.blackbytes.info/2012/01/intro-to-awk/
If we want to find the biggest number in a file we could do something like this:

    awk '{ if (NR == 1 || $1 > max) max = $1 } END { print max }' my_file

There are a few interesting things in this line. To start with, we don’t need to declare our variable, which is cool. What I want you to pay attention to is that variables in awk don’t have a leading $, neither when assigning nor when accessing the value. This may be a bit confusing if you are used to bash scripting. Here the leading $ always references fields, so if you used $max instead it wouldn’t work as expected.
Then there is this END statement, which allows us to execute some code after all the lines of input have been processed. There is also a BEGIN statement which does exactly what you would expect.
Finally here is an Awk reference card you may find useful: http://www.catonmat.net/download/awk.cheat.sheet.pdf
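Added example (not from the original post): a variable that has never been assigned compares as 0, so a max that starts out unset stays empty when every value is negative. `naive_max` shows that, and `min_max` seeds its own variables from the first numeric line instead; the function names and the input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Naive form: max is never assigned when every value is below 0, because an
# unset awk variable compares as 0. END then prints an empty line.
naive_max() {
    awk '{ if ($1 > max) max = $1 } END { print max }'
}

# Print "min max" for column 1. User variables (seen, min, max) need no
# declaration and no leading $; they are seeded from the first numeric line.
min_max() {
    awk '
        $1 !~ /^-?[0-9]+(\.[0-9]+)?$/ { next }   # skip headers and blanks
        !seen++  { min = max = $1 + 0; next }    # first number seeds both
        $1 > max { max = $1 + 0 }
        $1 < min { min = $1 + 0 }
        END      { if (seen) print min, max; else print "no data" }
    '
}

# Constructed input: all values negative.
printf '%s\n' -7 -3 -12 | naive_max    # prints an empty line
printf '%s\n' -7 -3 -12 | min_max      # prints: -12 -3
```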
I frequent the elearnsecurity student forums, and one of the common questions is about webshells and it ends up with a link to backdoored scripts. Here is my quick analysis of one of them.
I start by downloading our target and opening it with a text editor, and what I see is immediately suspicious: the code is all packed on one line in what seems to be base64 encoding; scrolling all the way to the end confirms this:
Time to reach for some base64 tool. In this case I used:
http://www.opinionatedgeek.com/dotnet/tools/base64decode/
Clicking on “Decode safely as text” will get us the decoded script. Now I pasted this into my text editor for syntax highlighting and skimmed over the code to see if something stood out. The first thing I noticed is that no further obfuscation seems to have been done in this code, other than a few blobs of base64 that seem to be some images and a bind shell script in Perl. Near the end of the file something got my attention: a script tag loading some JS code from the site this was downloaded from.
A wget later we get this:
Well, looks like we found what we were looking for! This is loaded when you use the shell. What it does is create an invisible image that requests a script from the malicious domain, sending our current URL. This means that these guys are getting reports of websites that have been compromised using their shell, so they can use it to get access and do whatever they please without any effort. I think I don’t need to tell you how bad this would be if this happens to be a pentesting client.
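The manual steps above (decode the base64, then look for remote references) written as a script; this is an added example, not part of the original post. The sample file, the `tracker.example.invalid` URL and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Triage helper: decode long base64 runs in a file and list the URLs that
# only become visible after decoding (candidate phone-home references).

# Print each unique http(s) URL found inside base64 blobs of 40+ characters.
decoded_urls() {
    local file=$1 blob
    grep -oE '[A-Za-z0-9+/]{40,}={0,2}' "$file" | while IFS= read -r blob; do
        # Decode errors are ignored; NULs from binary blobs (images) dropped.
        printf '%s' "$blob" | base64 -d 2>/dev/null | tr -d '\0'
        echo
    done | grep -aoE "https?://[^\"'<> )]+" | sort -u
}

# Constructed sample: a one-line packed PHP file whose decoded body pulls a
# script from a remote host. Encoded at run time, so no blob is hard-coded.
make_sample() {
    local body='<?php /* ui */ ?><script src="http://tracker.example.invalid/s.js"></script>'
    printf '<?php eval(base64_decode("%s")); ?>\n' \
        "$(printf '%s' "$body" | base64 | tr -d '\n')"
}

sample=$(mktemp)
make_sample > "$sample"
decoded_urls "$sample"
rm -f "$sample"
```

A URL that shows up only after decoding is not proof of a backdoor, but it is the first thing to review before running a downloaded script anywhere.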
Time for a bit more sorting. Today our task is to sort an array of file names based on the numeric value. This is what the array looks like:

    ["20.mp3", "11.mp3", "3.mp3", "2.mp3", "21.mp3", "10.mp3", "1.mp3"]

If you try a simple sort it won’t come out as you expect…

    ["1.mp3", "10.mp3", "11.mp3", "2.mp3", "20.mp3", "21.mp3", "3.mp3"]

This is not what we want, so we will have to reach for sort_by again:

    files.sort_by { |m| m.scan(/\d+/)[0].to_i }
    # => ["1.mp3", "2.mp3", "3.mp3", "10.mp3", "11.mp3", "20.mp3", "21.mp3"]

And this time we get what we want. What we are doing here is taking each element of the array and using a regexp to scan for decimal numbers (\d+, or equivalently [0-9]+). Since we get a string back, we need to convert it to a number with to_i. Hope you find it useful.
Ruby-doc: http://ruby-doc.org/core-1.9.3/Enumerable.html#method-i-sort_by
Say you have a bunch of files that you want to rename. There are two easy approaches to this problem: you can use the aptly named ‘rename’ utility, which should be available on most Linux distributions, or you can use a for loop. Let’s explore both ways of mass renaming.
Our job is to rename these images to have a lowercase extension:

    $ ls
    image1.JPG image2.JPG image3.JPG image4.JPG

We can achieve this with the rename command:
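
    $ rename 's/\.JPG$/.jpg/' *
    $ ls
    image1.jpg image2.jpg image3.jpg image4.jpg

Problem solved, easy as that! As you can see, the syntax is similar to sed. Basically we are saying “replace .JPG with .jpg for all files in this directory”. This is the Perl-based rename; the util-linux rename shipped by some distributions takes plain from/to strings instead of an expression.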
Now using a for loop we are going to convert these extensions back to uppercase.

    $ for i in *.jpg; do mv -- "$i" "${i/.jpg/.JPG}"; done
    $ ls
    image1.JPG image2.JPG image3.JPG image4.JPG

There is also a slight variation:

    for i in *.JPG; do mv -- "$i" "${i%%.JPG}.jpg"; done

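The loop above as a reusable function that also copes with awkward file names; this is an added example, not code from the original post. It quotes every expansion, strips only the trailing extension, and refuses to overwrite an existing file. The `change_ext` name and the demo file names are constructed.

```shell
#!/usr/bin/env bash
# Change a trailing extension on every matching file in a directory.
# Usage: change_ext DIR FROM TO   (e.g. change_ext . JPG jpg)
change_ext() {
    local dir=$1 from=$2 to=$3 f new
    for f in "$dir"/*."$from"; do
        [ -e "$f" ] || continue          # glob matched nothing
        new="${f%."$from"}.$to"          # strip only the final ".FROM"
        if [ -e "$new" ]; then           # never overwrite an existing file
            echo "skip: $new already exists" >&2
            continue
        fi
        mv -- "$f" "$new"
    done
}

# Constructed demo: names with a space, a repeated extension, and a clash.
demo() {
    local d
    d=$(mktemp -d)
    touch "$d/holiday photo.JPG" "$d/scan.JPG.old.JPG" "$d/dup.JPG" "$d/dup.jpg"
    change_ext "$d" JPG jpg 2>/dev/null
    ls "$d"
    rm -rf "$d"
}
demo
```

The demo assumes a case-sensitive file system, as on a typical Linux install; `dup.JPG` is left alone because `dup.jpg` already exists.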