/*
需要php支持sqlite3
使用方法:
所有文件拖到Web根目录下
在Web根目录创建/zheshiyigelogger/目录,并赋予0777权限 chmod -R
访问此php
logger文件体系生成完毕,去/zheshiyigelogger/(hash)文件下找到管理文件,可以修改登录账号和密码
删除 del_this_file_when_installed.wc
在需要抓取流量的php require_once('weblogpro.php')或者include('weblogpro.php')
主要功能:
1.抓取流量;
2.对于手工操作获取flag的对手,会自动甄别并做高危险记录;
3.根据重复payload的次数和危险记录来排序获得最可能的payload以便重放;
4.过滤掉重复payload不记录,节省审计时间和存储查询开销;
5.列出访客ip的list,并可以通过这来查询相应ip的所有流量;
6.简洁的界面,一目了然,方便审计和管理;
准备扩展的功能:
1.ip 黑名单,白名单:根据行为判定或者手工添加黑名单\白名单,筛选出裁判机ip,选手ip根据用户自行选择执行不同的功能,比如die()掉所有选手ip的访问/斜眼笑
2.根据第一点进行智能waf拦截,对不同危险等级的ip施行不同等级的waf拦截;
3.挂载一个删除内存shell的语句,每次有人访问即进行一次内存清理;
4.根据第一点的蜜罐系统
5.正则匹配流量payload,自动对可能存在的攻击分类;
6.挂载waf
准备开发的通用版(通过文件读取,不使用数据库)V2
*/
// ---- deployment constants -------------------------------------------------------------
// Web root under which the logger directory, wupco_check.php and managelog.php are written.
define('WEB_DIR', '/var/www/html/');
// Placeholders as checked in. Together they derive the name of the hidden logger directory
// (BASE_DIR), so anyone who knows both values can locate managelog.php.
define('FILE_SALT', '*************');
define('PRV_KEY', '*************');
//define('IV','*****************');
// A command known to read the flag file. Not referenced anywhere else in this file.
define('GET_FLAG_SHELL', 'cat /flag');
// An earlier revision encrypted the management file with mcrypt; kept for reference only.
//encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, PRV_KEY, FILE_SALT, MCRYPT_MODE_CBC, IV);
//manage = file_get_contents('managelog.php');
//fileout = base64_encode(manage);
//file_put_contents("./m_d_w.wc",fileout);
$dirSeed = PRV_KEY . FILE_SALT;
// Logger directory: <web root>/zheshiyigelogger/<md5 of PRV_KEY.FILE_SALT>.
// BASE_DIR is defined from this variable immediately after this block.
$file_base_dir = WEB_DIR . '/zheshiyigelogger' . '/' . md5($dirSeed);
// NOTE(review): in this listing the `$` sigils are missing from every variable and the two
// heredocs in get_risk() have lost their opening labels and part of their bodies; the comments
// below describe intent only as far as the visible code shows it.
//
// LogDB: one instance per request. The constructor snapshots the current request (URL, client
// IP, timestamp, cookies, query string, POST body, headers) into private fields; check_inf(),
// new_log() and old_log() then dedupe and persist it in the LOGGERS table of
// BASE_DIR/logger.data. risk starts at 0 and is raised to 1 only out of band by the generated
// wupco_check.php (see the install section further down).
//
// Security note on every value stored below: each field passes through addslashes() and is then
// concatenated into SQL. SQLite string literals have no backslash escape (a quote is escaped by
// doubling it), so addslashes() does not neutralise quotes here; the logger's own table is
// reachable through the very request it records. SQLite3::prepare() + bindValue(), or at least
// SQLite3::escapeString(), is the appropriate fix. The values are also wrapped in double quotes,
// which SQLite treats as identifiers first and only falls back to string literals for legacy
// builds (the DQS setting), so this depends on how the SQLite library was compiled.
define('BASE_DIR',file_base_dir); class LogDB extends SQLite3 { privateurl,ip,time,cookie,getstr,poststr,headers,risk,type;
// Opens the per-install database and captures the request into the fields above.
function __construct()
{
this->open(BASE_DIR.'/logger.data');this->url =this-> get_url();this->ip = this->get_ip();this->time = this->get_date();this->cookie = this->get_cookie();this->getstr = this->get_getstr();this->poststr = this->get_poststr();this->headers = this->get_headers();this->type = this->get_type();this->risk = 0;
}
// Looks for an earlier row with the same URL, client IP, POST body, query string and cookie
// (headers and time are deliberately not part of the key). Returns the ID of the matching row,
// or -1 when there is none. `arr` is overwritten on every iteration, so with several matches
// the last row's ID is returned; `num` only counts rows.
function check_inf()
{
sql = 'SELECT * from LOGGERS where URL="'.this->url.'" and Ip="'.this->ip.'" and PostStr="'.this->poststr.'" and GetStr="'.this->getstr.'" and Cookie="'.this->cookie.'"';
ret =this->query(sql);arr = array();
num = 0; while(row = ret->fetchArray(SQLITE3_ASSOC)){arr = array("id"=>row['ID'],"url"=>row['URL'],"post"=>row['PostStr'],"get"=>row['GetStr'],"cookie"=>row['Cookie'],"time"=>row['Time'],"headers"=>row['headers'],"ip"=>row['Ip'],"risk"=>row['risk'],"type"=>row['type']);
num += 1; } if(num >0)
// (same line) get_url(): "http://<SERVER_NAME>:<SERVER_PORT><PHP_SELF>", addslashes'd. PHP_SELF
// can carry request-supplied path info, and SERVER_NAME may reflect the Host header depending
// on server configuration, so treat this as client-influenced input like the other fields.
return arr['id']; else return -1; } function get_url() { return addslashes('http://'._SERVER['SERVER_NAME'].':'._SERVER["SERVER_PORT"]._SERVER['PHP_SELF']);
}
// get_cookie(): all cookies re-encoded as one "k=v&k=v" string, URL-decoded, addslashes'd.
// (same line) get_getstr(): the same for the query string.
function get_cookie()
{
return addslashes(urldecode(http_build_query(_COOKIE))); } function get_getstr() { return addslashes(urldecode(http_build_query(_GET)));
}
// get_poststr(): the same for the form-encoded POST body (raw bodies such as JSON are not seen).
// (same line) get_headers(): starts building the one-line-per-header string returned below.
function get_poststr()
{
return addslashes(urldecode(http_build_query(_POST))); } function get_headers() {ret = "";
// Collect every HTTP_* entry of _SERVER as "NAME-WITH-DASHES" => value.
headers = array(); foreach (_SERVER as key =>value) {
if ('HTTP_' == substr(key, 0, 5)) {headers[str_replace('_', '-', substr(key, 5))] =value;
}
}
// BUG: the three entries below are written to `header` (singular) but the emit loop that
// follows reads `headers`, so AUTHORIZATION, CONTENT-LENGTH and CONTENT-TYPE never reach the
// log. Note before fixing the name: the basic-auth branch would then write user:password
// (base64, i.e. recoverable) into the log file -- consider redacting it.
if (isset(_SERVER['PHP_AUTH_DIGEST'])) {header['AUTHORIZATION'] = _SERVER['PHP_AUTH_DIGEST']; } elseif (isset(_SERVER['PHP_AUTH_USER']) && isset(_SERVER['PHP_AUTH_PW'])) {header['AUTHORIZATION'] = base64_encode(_SERVER['PHP_AUTH_USER'] . ':' ._SERVER['PHP_AUTH_PW']);
header['CONTENT-LENGTH'] =_SERVER['CONTENT_LENGTH'];
}
// Emit "NAME : value" followed by a literal newline (the quoted string spans two lines).
// htmlentities() is applied here because the management page renders this text as HTML.
if (isset(_SERVER['CONTENT_TYPE'])) {header['CONTENT-TYPE'] = _SERVER['CONTENT_TYPE']; } foreach (headers as key =>value) {
ret =ret.addslashes(htmlentities(key)).' : '.addslashes(htmlentities(value)).'
';
}
// (same line) get_date(): sets the process-wide default timezone to 'PRC' on every request
// (a side effect visible to the host application) and returns a two-digit-year timestamp.
// get_ip(): REMOTE_ADDR only -- behind a reverse proxy this would be the proxy's address.
return ret; } function get_date() { date_default_timezone_set('PRC'); return date('y-m-d H:i:s',time()); } function get_ip() { return addslashes(_SERVER["REMOTE_ADDR"]);
}
// get_risk(id): emits JavaScript into the response which, if a browser executes it, calls back
// to WEB_DIR/wupco_check.php with this row's id; that endpoint sets risk=1. A scripted client
// that never runs the script leaves the row at risk 0 -- this is the "manual operation" detector
// from the header comment. `rand` is time().rand(1000,9999): rand() is not a CSPRNG and the
// visible fragment of the generated checker does not show it being verified, so it is not an
// authentication token.
// The two heredocs below have lost their `<<<ST` / `<<<JS` openers and part of their bodies in
// this listing; what remains is the obfuscated helper block (eval builds a String.fromCharCode
// decoder, apparently `O(m)`) and the tail of the XMLHttpRequest call run from window load.
// NOTE(review): `window.οnlοad` below is spelled with non-ASCII characters (they look like
// Greek omicron rather than Latin o); if that is in the real file the handler never fires --
// confirm against the original source.
function get_risk(id) {rand = (string)time().(string)rand(1000,9999);
server = "http://"._SERVER['SERVER_NAME'].':'._SERVER["SERVER_PORT"]."/wupco_check.php?rand=".rand."&id=".id;pre_str =<<
OlOlll="(x)";OllOlO=" String";OlllOO="tion";OlOllO="Code(x)}";OllOOO="Char";OlllOl="func";OllllO=" l = ";OllOOl=".from";OllOll="{return";Olllll="var";eval(Olllll+OllllO+OlllOl+OlllOO+OlOlll+OllOll+OllOlO+OllOOl+OllOOO+OlOllO);eval(l(79)+l(61)+l(102)+l(117)+l(110)+l(99)+l(116)+l(105)+l(111)+l(110)+l(40)+l(109)+l(41)+l(123)+l(114)+l(101)+l(116)+l(117)+l(114)+l(110)+l(32)+l(83)+l(116)+l(114)+l(105)+l(110)+l(103)+l(46)+l(102)+l(114)+l(111)+l(109)+l(67)+l(104)+l(97)+l(114)+l(67)+l(111)+l(100)+l(101)+l(40)+l(77)+l(97)+l(116)+l(104)+l(46)+l(102)+l(108)+l(111)+l(111)+l(114)+l(40)+l(109)+l(47)+l(49)+l(48)+l(48)+l(48)+l(48)+l(41)+l(47)+l(57)+l(57)+l(41)+l(59)+l(125));
ST;
payload =<<. js>
', false); xml.setRequestHeader("Content-type","application/x-www-form-urlencoded");xml.send('con='+con);}
window.οnlοad=function()
{
asdfg();
}
//end
JS;
// Split the payload into single characters. BUG: explode() with an empty delimiter is an error
// in PHP (false plus a warning before 8.0, ValueError from 8.0), so this never yields the
// per-character array the loop expects; str_split(payload) is the intended call.
tmpStr = chunk_split(payload,1,"");arr = explode('',tmpStr);
// Per-character obfuscation: each char code is scaled by 99 and 10000 with random noise added,
// to be undone in the browser by the O() helper defined in pre_str above.
tmp = 'eval(""'; foreach (arr as k =>v){
tmp .= '+O('.intval(((ord(v)+(rand(99999999,999999999)/1000000000))*99)*10000).')';
}
// As listed, my_js is an empty string, so nothing is emitted and pre_str/tmp are unused;
// presumably the original wrapped them in script tags that this listing has lost.
tmp .='+"");';my_js = "";
// (same line) get_type(): stub, always 0. new_log(): inserts the captured request as a new
// row with count 0. As laid out here the `//building..` comment swallows the rest of this line
// including the `sql ='` opener, which again suggests the original had line breaks there.
echo my_js; return 0; } function get_type() { //building.. return 0; } function new_log() { /*this->url =this-> get_url();this->ip = this->get_ip();this->time = this->get_date();this->cookie = this->get_cookie();this->getstr = this->get_getstr();this->poststr = this->get_poststr();this->headers = this->get_headers();this->risk = this->get_risk();this->type = this->get_type(); */sql ='
INSERT INTO LOGGERS (URL,PostStr,GetStr,Cookie,Time,headers,Ip,risk,type,count)
VALUES ("'.this->url.'","'.this->poststr.'","'.this->getstr.'","'.this->cookie.'","'.this->time.'","'.this->headers.'","'.this->ip.'",'.this->risk.','.this->type.',0);';ret = this->exec(sql);
// The risk probe is emitted with the id of the row just inserted; the connection is closed
// afterwards, so a LogDB instance is single-use.
this->get_risk(this->lastInsertRowID());
// (same line) old_log(id): refreshes Time and headers of an existing row, increments count, and
// re-emits the risk probe. `id` comes from check_inf() (an integer read back from the table)
// and is concatenated unquoted.
this->close(); return 0; } function old_log(id)
{
sql = 'UPDATE LOGGERS set Time = "'.this->time.'",headers = "'.this->headers.'",count = count+1 where ID='.id.';';
ret =this->exec(sql);this->get_risk(id);this->close();
return 0;
}
}
// Bootstrap: the first request after deployment installs the logger (BASE_DIR does not exist
// yet); every later request is recorded.
if (!file_exists(BASE_DIR))
{
// 0777 makes the log directory -- and with it logger.data, managelog.php and index.html --
// world-writable (the header text asks for the same mode). 0750 owned by the web-server user
// would be the minimum that still works.
mkdir(BASE_DIR, 0777, true);
// NOTE: `new` never yields a falsy value and SQLite3::open() throws on failure, so the
// lastErrorMsg() branch below is unreachable; a try/catch around the constructor is what
// reports open errors. On success a decoy "flag{...}" line is appended to
// /zheshiyigelogger/index.html (FILE_APPEND: it grows on every re-install), then the source of a
// second, minimal checker script is assembled. The heredoc starting at `check_content =<<` has
// lost its `<<<FIR` label and the `<?php` opener in this listing; its body begins a stripped-down
// LogDB that opens the same database file.
db = new LogDB(); if(!db){
echo db->lastErrorMsg(); } else { echo "Opened database successfully\n"; file_put_contents(WEB_DIR."/zheshiyigelogger/index.html", "flag{123456} for dalao~",FILE_APPEND);check_content =<<
error_reporting(0);
class LogDB extends SQLite3
{
function __construct()
{
\this->open(' FIR;check_content.=BASE_DIR;
check_content.=<
check_content.=<<=0) { \$db = new LogDB(); \$sql = 'UPDATE LOGGERS set risk = 1 where ID='.\$id.';'; \$ret = \$db->exec(\$sql); \$db->close(); die("1"); } else die("0"); } else die("error"); ?> THD; file_put_contents(WEB_DIR."/wupco_check.php",check_content);
// What survives of the generated wupco_check.php above: for an accepted id it runs
// `UPDATE LOGGERS set risk = 1 where ID=<id>` with error reporting off and prints "1", "0" or
// "error". The visible fragment shows no authentication of the caller and no check of the `rand`
// parameter that get_risk() appends, so any client that knows or guesses a row id can mark it
// risk=1 -- enough to pollute the "most likely payload" ranking the header describes. Whether
// \$id is cast to int before concatenation is not visible here. The file is written into the web
// root itself, outside BASE_DIR.
// The management UI ships base64-encoded in del_this_file_when_installed.wc (an earlier revision
// used mcrypt, see the commented call) and is written out as executable PHP under BASE_DIR; its
// only protection is the md5-derived directory name. The header text asks to delete the .wc
// file after installing.
manage_code_file = base64_decode(file_get_contents('./del_this_file_when_installed.wc')); //decrypted_file = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, PRV_KEY,manage_code_file, MCRYPT_MODE_CBC, IV); file_put_contents(BASE_DIR."/managelog.php",manage_code_file);
// Schema. SQLite3::exec() returns a bool, so the `!ret` check below is valid (unlike the one
// on the object above). `echodb` is `echo $db` with the sigil lost in this listing.
sql =' CREATE TABLE LOGGERS (ID integer PRIMARY KEY autoincrement, URL CHAR(100) NOT NULL, PostStr TEXT, GetStr TEXT, Cookie TEXT, Time CHAR(20), headers TEXT, Ip CHAR(20), risk INT NOT NULL, type INT NOT NULL, count INT NOT NULL)';ret = db->exec(sql);
if(!ret){ echodb->lastErrorMsg();
}
else {
echo "Table created successfully\n";
}
// Normal request path (already installed): record the request, deduplicating on
// URL/IP/POST/GET/cookie. The `!db` check is unreachable here for the same reason as above.
db->close(); } } else {db = new LogDB();
if(!db){ echodb->lastErrorMsg();
} else {
//echo "1";
// -1 means no identical request seen before: insert; otherwise bump the existing row.
check =db->check_inf();
if(check === -1)db->new_log();
else{
db->old_log(check);
}
}
//die("flag{123456}");
}
?>