awd 平台搭建
参考:https://blog.csdn.net/qq_43277152/article/details/113308517
https://zhuanlan.zhihu.com/p/348402329
官方配置:https://cardinal.ink/guide/first-running.html#%E5%91%BD%E4%BB%A4%E8%A1%8C%E5%90%91%E5%AF%BC
awd靶场:
https://github.com/glzjin/20190511_awd_docker
awd 防守:https://www.freebuf.com/articles/web/263534.html
awd攻防学习笔记:https://blog.csdn.net/qq_43442524/article/details/102653414
ctf线下awd攻防步骤总结:https://blog.csdn.net/qq_43442524/article/details/102652029
awd模式下简单的CMS代码审计:https://blog.csdn.net/qq_43442524/article/details/102653414
awd 攻防工具脚本汇总:https://www.cnblogs.com/-qing-/p/11182162.html
漏洞fix方案:
awd攻防赛之各类漏洞fix方案:https://www.freebuf.com/articles/web/208778.html
查看隐藏用户
查看home目录下是否有其他用户 /etc/passwd是否有/bin/bash的用户 cat /etc/passwd | grep /bin/bash
扫描后门
# 简单的查找后门 find . -name '*.php' | xargs grep -n 'eval(' find . -name '*.php' | xargs grep -n 'assert(' find . -name '*.php' | xargs grep -n 'system('
扫描当前及其子目录 xargs 相当于echo , 用作文本转换
文件监控脚本
自动备份,文件名md5命名,任何的文件的改动都会被检测
移除上传文件,防止任意恶意文件被修改,还原被修改文件,并产生日志信息
# -*- coding: utf-8 -*- #use: python file_check.py ./ import os import hashlib import shutil import ntpath import time CWD = os.getcwd() FILE_MD5_DICT = {} # 文件MD5字典 ORIGIN_FILE_LIST = [] # 特殊文件路径字符串 Special_path_str = 'drops_JWI96TY7ZKNMQPDRUOSG0FLH41A3C5EXVB82' bakstring = 'bak_EAR1IBM0JT9HZ75WU4Y3Q8KLPCX26NDFOGVS' logstring = 'log_WMY4RVTLAJFB28960SC3KZX7EUP1IHOQN5GD' webshellstring = 'webshell_WMY4RVTLAJFB28960SC3KZX7EUP1IHOQN5GD' difffile = 'diff_UMTGPJO17F82K35Z0LEDA6QB9WH4IYRXVSCN' Special_string = 'drops_log' # 免死金牌 UNICODE_ENCODING = "utf-8" INVALID_UNICODE_CHAR_FORMAT = r"\?%02x" # 文件路径字典 spec_base_path = os.path.realpath(os.path.join(CWD, Special_path_str)) Special_path = { 'bak' : os.path.realpath(os.path.join(spec_base_path, bakstring)), 'log' : os.path.realpath(os.path.join(spec_base_path, logstring)), 'webshell' : os.path.realpath(os.path.join(spec_base_path, webshellstring)), 'difffile' : os.path.realpath(os.path.join(spec_base_path, difffile)), } def isListLike(value): return isinstance(value, (list, tuple, set)) # 获取Unicode编码 def getUnicode(value, encoding=None, noneToNull=False): if noneToNull and value is None: return NULL if isListLike(value): value = list(getUnicode(_, encoding, noneToNull) for _ in value) return value if isinstance(value, unicode): return value elif isinstance(value, basestring): while True: try: return unicode(value, encoding or UNICODE_ENCODING) except UnicodeDecodeError, ex: try: return unicode(value, UNICODE_ENCODING) except: value = value[:ex.start] + "".join(INVALID_UNICODE_CHAR_FORMAT % ord(_) for _ in value[ex.start:ex.end]) + value[ex.end:] else: try: return unicode(value) except UnicodeDecodeError: return unicode(str(value), errors="ignore") # 目录创建 def mkdir_p(path): import errno try: os.makedirs(path) except OSError as exc: if exc.errno == errno.EEXIST and os.path.isdir(path): pass else: raise # 获取当前所有文件路径 def getfilelist(cwd): filelist = [] for root,subdirs, files in os.walk(cwd): for filepath in files: originalfile = os.path.join(root, filepath) if Special_path_str not in originalfile: filelist.append(originalfile) return filelist # 计算机文件MD5值 def calcMD5(filepath): try: with open(filepath,'rb') as f: md5obj = hashlib.md5() md5obj.update(f.read()) hash = md5obj.hexdigest() return hash except Exception, e: print u'[!] getmd5_error : ' + getUnicode(filepath) print getUnicode(e) try: ORIGIN_FILE_LIST.remove(filepath) FILE_MD5_DICT.pop(filepath, None) except KeyError, e: pass # 获取所有文件MD5 def getfilemd5dict(filelist = []): filemd5dict = {} for ori_file in filelist: if Special_path_str not in ori_file: md5 = calcMD5(os.path.realpath(ori_file)) if md5: filemd5dict[ori_file] = md5 return filemd5dict # 备份所有文件 def backup_file(filelist=[]): # if len(os.listdir(Special_path['bak'])) == 0: for filepath in filelist: if Special_path_str not in filepath: shutil.copy2(filepath, Special_path['bak']) if __name__ == '__main__': print u'---------start------------' for value in Special_path: mkdir_p(Special_path[value]) # 获取所有文件路径,并获取所有文件的MD5,同时备份所有文件 ORIGIN_FILE_LIST = getfilelist(CWD) FILE_MD5_DICT = getfilemd5dict(ORIGIN_FILE_LIST) backup_file(ORIGIN_FILE_LIST) # TODO 备份文件可能会产生重名BUG print u'[*] pre work end!' while True: file_list = getfilelist(CWD) # 移除新上传文件 diff_file_list = list(set(file_list) ^ set(ORIGIN_FILE_LIST)) if len(diff_file_list) != 0: # import pdb;pdb.set_trace() for filepath in diff_file_list: try: f = open(filepath, 'r').read() except Exception, e: break if Special_string not in f: try: print u'[*] webshell find : ' + getUnicode(filepath) shutil.move(filepath, os.path.join(Special_path['webshell'], ntpath.basename(filepath) + '.txt')) except Exception as e: print u'[!] move webshell error, "%s" maybe is webshell.'%getUnicode(filepath) try: f = open(os.path.join(Special_path['log'], 'log.txt'), 'a') f.write('newfile: ' + getUnicode(filepath) + ' : ' + str(time.ctime()) + '\n') f.close() except Exception as e: print u'[-] log error : file move error: ' + getUnicode(e) # 防止任意文件被修改,还原被修改文件 md5_dict = getfilemd5dict(ORIGIN_FILE_LIST) for filekey in md5_dict: if md5_dict[filekey] != FILE_MD5_DICT[filekey]: try: f = open(filekey, 'r').read() except Exception, e: break if Special_string not in f: try: print u'[*] file had be change : ' + getUnicode(filekey) shutil.move(filekey, os.path.join(Special_path['difffile'], ntpath.basename(filekey) + '.txt')) shutil.move(os.path.join(Special_path['bak'], ntpath.basename(filekey)), filekey) except Exception as e: print u'[!] move webshell error, "%s" maybe is webshell.'%getUnicode(filekey) try: f = open(os.path.join(Special_path['log'], 'log.txt'), 'a') f.write('diff_file: ' + getUnicode(filekey) + ' : ' + getUnicode(time.ctime()) + '\n') f.close() except Exception as e: print u'[-] log error : done_diff: ' + getUnicode(filekey) pass time.sleep(2) # print '[*] ' + getUnicode(time.ctime())