I was following this tutorial:
https://flaviocopes.com/express-letsencrypt-ssl/
…and finally we get to the verification phase!
Create a file containing just this data:
TS_oZ2-ji23jrio3j2irj3iroj_U51u1o0x7rrDY2E.1DzOo_voCOsrpddP_2kpoek2opeko2pke-UAPb21sW1c
And make it available on your web server at this URL:
Where do I get this long string mentioned there? I didn't copy it when I made the certs with certbot but now I need to confirm my domain with such string. Where is it located?
The string is the output of the process described in the link. It will change every single time you go through this process.
You need to copy it from the command line and create a file containing that (and only that) string.
If you didn't copy it, you need to start the process again and get a new string.
Related
I'm talking to a server that creates a new zip file daily, ex: (data-1234.zip). Every day the name of the previous zip is removed and a new one is created with an incremented number, ex: (data-1235.zip). The script will be run sporadically throughout the week but it's on a lab system where the user can't manually update the name with what's on the server.
The server only has one zip file in that directory, it's just a matter of getting the correct naming convention. There is, however a "data.ini" file in the folder as well, so something just searching by first name wouldn't necessarily work. I've seen posts similar to This question using regex but the file is currently on 10,609 and I'd rather not use expansion for potentially thousands of calls depending on access to modify the script in the coming years. I've been searching for something similar to "data-*.zip" but haven't had any luck.
Question was solved by changing commands and running
lftp https://download.companyname.com/product/data/ -e "mget data-*.zip; bye"
since lftp allows wildcards in the filename, unlike curl.
I am trying to figure out the best solution for below.
[user]:~>BLAH=$"cat text.txt"
[user]:~>ipa-getcert stop-tracking -i $BLAH
the text.txt document hosts the Request ID of a cert.
However, its not actually putting the info in the command. Is there an IPA command that can find and replace the old certs with out manual Request ID entries?
Or is there another way to inject the ID that is inside the text.txt?
first attempt at posting this question was with severe jet lag. This re-edit of the question I only have the associated sleep deprivation...
I want to know the best way to use the installer to capture path information and then remove any reference to the user profile.
My program is designed to run from a central network location. To reduce network traffic some files are copied to a local drive, eg. AppData\MyProg\
I use a file browse dialogue so the person installing can specify the location:
pg_LocalPaths := CreateInputDirPage(pg_CentralPaths.id,
'Confirm File Locations For User Settings', 'To improve user experience these locations should be off the network.',
'Default Locations are:', False, 'New Folder');
// Add file browswer item (with an empty caption)
pg_LocalPaths.Add('Supporting files will be copied here by the application:');
pg_LocalPaths.Add('User settings (for a single user) will be saved here:');
// Set initial value
pg_LocalPaths.Values[0] := GetPreviousData('pg_LocalPaths0', ExpandConstant('{userappdata}\{#pFolder}'));
pg_LocalPaths.Values[1] := GetPreviousData('pg_LocalPaths1', ExpandConstant('{userappdata}\{#pFolder}'));
During install the local drive location is specified and stored in a config file.
An issue that I failed to predict is that when the program is installed, the path in the config file is defined for a single user, namely the user performing the install. In practice any user should be able to run the program...
To get the correct path for any given user, my software looks for a string "{UserName}" and replaces it with: Environ(UserName)
MyPath = Replace(MyPath, "{UserName}", Environ(UserName))
So, for example, in the installer I need to replace:
C:\Users\My Name\My Program OR C:\Users\My Admin\My Program
with something like:
C:\Users\\{UserName}\My Program
I alreay have this working in My Program but I am not sure of the best way to get it working in Inno... My inital thought was to write the config file like this:
StringChangeEx(MyPath, "My Name", "{UserName}", True)
Would like some perspective on this, not sure how to get it working for all situations.
Cheers,
You're doing it the wrong way.
Don't store the complete path in the config file; merely store a value that indicates that the user wishes to store data in the usual per-user location. (Or don't store any value, since that should be the default anyway.)
Then in your application, on every run of your application, use the Shell API to fetch the current AppData path for the current user and append your app's unique subfolder to this.
Note that it is perfectly valid for the user's AppData path to not contain their username, and not even be on C:. Don't make assumptions; use the Shell API. That's what it's for.
(Exactly which one to use and how to call it varies depending on target OS and your programming language of choice, which you haven't specified.)
I have a Java Web App running on Tomcat on which I'm supposed to exploit Path traversal vulnerability. There is a section (in the App) at which I can upload a .zip file, which gets extracted in the server's /tmp directory. The content of the .zip file is not being checked, so basically I could put anything in it. I tried putting a .jsp file in it and it extracts perfectly. My problem is that I don't know how to reach this file as a "normal" user from browser. I tried entering ../../../tmp/somepage.jsp in the address bar, but Tomcat just strips the ../ and gives me http://localhost:8080/tmp/ resource not available.
Ideal would be if I could somehow encode ../ in the path of somepage.jsp so that it gets extracted in the web riot directory of the Web App. Is this possible? Are there maybe any escape sequences that would translate to ../ after extracting?
Any ideas would be highly appreciated.
Note: This is a school project in a Security course where I'm supposed to locate vulnerabilities and correct them. Not trying to harm anyone...
Sorry about the downvotes. Security is very important, and should be taught.
Do you pass in the file name to be used?
The check that the server does is probably something something like If location starts with "/tmp" then allow it. So what you want to do is pass `/tmp/../home/webapp/"?
Another idea would be to see if you could craft a zip file that would result in the contents being moved up - like if you set "../" in the filename inside the zip, what would happen? You might need to manually modify things if your zip tools don't allow it.
To protect against this kind of vulnerability you are looking for something like this:
String somedirectory = "c:/fixed_directory/";
String file = request.getParameter("file");
if(file.indexOf(".")>-1)
{
//if it contains a ., disallow
out.print("stop trying to hack");
return;
}
else
{
//load specified file and print to screen
loadfile(somedirectory+file+".txt");
///.....
}
If you just were to pass the variable "file" to your loadfile function without checking, then someone could make a link to load any file they want. See https://www.owasp.org/index.php/Path_Traversal
I have one file delivered in a ftp daily. This file doesn´t have the same name everyday. It has the date and the hour of the creation. For example, today the file has the name 20130814_XX_YY_20130814152345, created at 15:23:45 and tomorrow the file can name 20130815_XX_YY_20130815152421. The _XX_YY_ is always the same but the hour will change everyday.
I want to create a host jcl that gets this file with variable name and rename it to a host file. How can I do this ?
Thank you
Regards
Chuchito
STEP1: You can use LS in FTP to write to disk, so you can have a file with the file-name in it. Then GET that file.
STEP2: Process the contents of your file to generate the FTP Control Cards (at least for the GET). The GET generated will be of the form GET 20130814_XX_YY_20130814152345 'HLQ.MAINFRAM.DATASET', where the server name has come from the file GETted in STEP1 and the local (Mainframe) file can be hard-coded, or supplied to the generation if flexibility is required.
STEP3: Run FTP again with the Control Card(s) generated.
Isn't there anything in the Spec?
Sometimes we create complexities where an "out of the box" solution simplifies life considerably.
After the post updated, I now understand the problem a bit better.
If the name is required to be so specific, then the other suggested solution (if i understand it) is to have a fixed file name on the server that contains a list of file names to be uploaded.
In fact, the server could create a fixed file name that is really the JCL to run on the mainframe!!! This file would include the //SYSIN DD * and GET commands! The mainframe uploads this file and submits it as-is to the job reader, which then runs on the mainframe. The last step of this job (created by the server, but run on the mainframe) is to FTP an empty JCL file back to the server, in this way the server "knows" that the mainframe has uploaded the files.
Alternatively, why does the non-Z\os system need to name the file with time information? If the mainframe processes the file daily then date should be sufficient.
With this change the mainframe can reliably predict the file name for the day, generate the appropriate GET command and run.
With a job scheduler it would be easy to run the upload to the mainframe twice a day. This might address any concerns that are expressed in the desire to include a time in the file's name.
Run a Rexx step via a Background TSO step:
Background TSO step
You can then run a listcat to get all the files. You could either write the listcat output to a file and read it in or trap the output via the Address command
or the OutTrap function.
Then use the standard TSO Rename command.
Alternatively you could run ISPF background rexx program and use the ISPF equivalents to get the file name
(1) The real solution to this should be through a scheduling tool for Mainframe jobs. These tools provide capabilities to take care of formatting like the one you described.
(2) Alternatives: REXX and COBOL
(3) If you don't want to prefer REXX, here's a little brief into how you could create the JCL dynamically using COBOL:
A COBOL program that would read a "template" JCL.
Using INSPECT / REPLACE, you could substitute the prototypes with the string that is populated with the date of your choice (you could supply this as a simple SYSIN parm too, if you want the COBOL code to be flexible on the date selection)
Now that your formatted JCL is ready, you could write it to the output stream
//OUTFILE DD SYSOUT=(INTRDR,)
or
//OUTFILE DD SYSOUT=(,INTRDR)
Anything that is written to INTRDR (Internal Reader), goes straight to JES to submit your job!
Hope this helps.